I have to disagree a bit here. Granted it is a site that contains pictures of women in various states of undress, and yes they do charge a fee. But saying they are a 'straight up porn site' and implying that they are in it for the money (as I believe your post does) is a bit misleading.
I think if they were trying to separate people from their money they would charge more than $18 for 3 months and they probably would stop throwing parties and events. I might be able to concede that the Burlesque tour was started in part to drum up business for the site (though I don't think this was/is the only reason and it was a fantastic idea). They also would probably jack the prices of the merchandise up a bit (you know, if they were in it for just the money).
The pictures on the site are not what anyone would consider hardcore (at least I seriously would hope not). Only a few of the girls have pictures that show all the goods (I can still picture Mary's String of Pearls set in my mind, but I digress), most are artistic in flavor. More along the lines of the older Pin-Up style, not your typical 'pr0n' (you will not find a 'money shot', 'pearl necklace' or penetration type of picture, though this can of course change). They also allow the girls to choose their own photographer and they don't have to be a professional, this is great for someone that is learning how to take pictures (nudes are a perfectly acceptable subject for photography, painting, drawing and most other art forms). The site also has interviews (the latest being with Danny Glover), that include a wide range of people. There is also a section for news stories, with the current top story being Yasser Arafat's health. I just can't say this fits the profile of a 'straight up porn site'. The message boards and groups convey more of a sense of community than a 'sleazy' site.
Also some of the posts in this particular thread speak as if these women are giving up some part of their humanity. I think this is flat out wrong. These girls are not 'whoring' themselves out (I don't mean literal prostitution either) or debasing themselves in any way (at least in my opinion). To quote from one of the posts in this thread:
Um, a lot of things. Like your sense of self-worth being dependent upon sexually arousing the opposite sex. In this case, they try and hide that by claiming they pose naked for more respectable reasons, but the truth is when you make yourself out to be an object of lust you soon get all of the problems that come with actually being one.
I frankly pity women that choose to pay the bills by selling their bodies.
Now I could be wrong, and I know I can't speak for any/all the girls on the site but I highly doubt that any of them tie their self-worth around being able to arouse the opposite sex. For each member (and not all members have picture sets uploaded), there is a list of questions that describe various aspects of that person. For example, favorite movie, 5 things you can't live without, body modifications, and why I did SG. Some girls answer with, I like to try things at least once, others answer that they are exhibitionists. Accusing them of trying to 'hide' the truth about why they posed is inaccurate and rude. Sure, some of them did it for nothing but the money, others because they wanted to feel sexy, and attractive. For me whatever motivated them isn't really relevant. I enjoy the 50's style pin-ups (Bettie Page style) and this is more in line with what the site offers (instead of the typical pornographic images that are floating around). I also like that the site doesn't enforce the typical stereotype of what makes a woman beautiful (long legs, blonde hair, thin enough to see through, etc.). Most of the girls don't fit that mold. They have tattoos and piercings, some of them are even into scarification (basically designer scars), yet they all are beautiful in their own right. I have to agree with some of the posts that describe it as empowering. The site throws conventional beauty out the door, and shows t
You can always go to Fry's and pick up one of the old ones. When Apple came out with the new displays, I picked up one of the older 23" ones from there ($1799). They usually discount the price a bit since they are (or will be) discontinued. Another route would be to go through the Apple store. They have some refurbished ones at a discounted price (and here comes the long url. It has been my experience that the refurbs sell quickly, so buy now.
Maybe it's just been my experience but most if not all of the Mac users I know would be labelled computer experts. For the majority of them, we used Macs in high school when creating the school newspaper and have continued to use them since then (yup, even through the dark years). The others are all Unix Admins who have recently gone over to using OS X as their main desktops (though using things like the gimp and mutt instead of their OS X counterparts). Macs are super easy to run and maintain but when tools like netcat, snort, nessus and nmap all compile cleanly from source, they are extremely powerful as well.
As for Windows users, they are clueless (obviously not all but most), even with their MCSEs. Having done security for a corporate customer while having a primary focus on securing the companies that came to us for outsourcing (we were a large, supposed-to-be-the-next-best-thing hosting company - and NO, not Exodus, we handled it soup to nuts), I have seen users do some of the stupidest things.
"I clicked on the pictures from some party and now my machine isn't working."
"Did you know the user that sent you the email?" I ask.
"No, I didn't even look, just clicked away"
"But don't you remember when we told you just earlier this week not to open up attachments that come from unknown users and when in doubt call us. This is our job and we don't mind responding to questions, it's what we do."
"Yup." was her response.
Sheesh. How can these people function? I just don't get it.
Re:Why not seem like a cease and desist gnome? (on Dealing with Intruders?)
In some (these days it may even be most) cases the machine that is doing the attacking has been compromised and hijacked by the cracker. So the 'owner' of that machine may not know that their machine is contributing to the global chaos that is the internet. So you might not want to send them a note blasting them (though they are or were running a machine that wasn't patched, whatever). Sometimes machines slip through the cracks and sites with really good security policies and dedicated security people get 0wned, so being polite is generally a good policy. How would you like to get a note that insults, berates and humiliates you, instead of someone saying that your machine appears to have been attacking their machine and could you look into it? This way the person is grateful for you pointing out that their machine was compromised and is more likely to let you know what happened. At least this has been my experience.
The project is meant to provide reliable exploits (among other things) for people that are performing pen-tests, IDS signature development and research. It's not meant to be a tool that people can download and start cracking machines all over the internet with the latest 'leet sploit'. It serves as a framework that allows people to create their own exploits or use the shellcode they have created.
Right now it may only have 34 exploits but they are solid and work very well. Along with that they have created a CLI, a curses-ish and a web interface (I think I may have missed one) that allows you to select the shellcode, select the exploit, select just about every option you could possibly want.
If there is an exploit that you don't see but want, code it up and add it to the project. As for the kernel exploits, how would you use a remote tool to exploit a local vulnerability? I can see if you cracked the machine using an exploit that got you nobody, or some other non-privileged account and then uploaded a local root exploit and executed that. Perhaps that should be a module you should code?
Well more than likely the devel will contain 0-days, up until the point that they release them. There have been a few (at least I seem to remember a couple) exploits that were released as part of the Framework. So it would seem to make sense that if they have an exploit that hasn't been released publicly (still waiting on companies or what not) and is coded as a module then it would be in the dev version, though I doubt that there would be a large number of people that would have access. Otherwise they would just release it to the public.
I doubt they would go the pay route since they are basically the free version of Canvas (http://www.immunitysec.com/) and Core's Impact (http://www1.corest.com/products/coreimpact/index.php). So I think it will remain open source and free for some time to come.
I think it is a bit inaccurate to say that it is time for the forensics folks to look for new jobs. Metasploit is not doing any voodoo or launching ram out of the exploited computer to blind the admin/user from seeing or detecting that the machine is compromised or that there is something 'fishy' going on. Just because something is not written to disk doesn't mean that it has some sort of magic shield around it that protects it from the eyes of people that don't have the secret decoder ring. People have been dumping and analysing the contents of RAM for ages. Most (if not all) of the forensics tools I have played with include this ability and automate a large part of this. Granted when the machine shuts down that data is lost but while you are performing forensics on a live machine, it's there for you to access. You can also look at the network and detect that there are odd things afoot. You can tune your IDS to look for packets that resemble VNC traffic (though I would only suggest this if you don't use it yourself) or any number of things. ;-)
As for the parent of this particular tangent. No there isn't anything 'new' in this but comparing Metasploit to things like NetBus and BO2K is completely wrong. Those were tools that allowed you to control a machine and hide your presence while doing it. Metasploit gives you the chance to get the access that you would need to install your NetBus, etc. Metasploit does this in a way that makes it easy for the average person, no more loops trying to brute force memory addresses, no more trying to reverse engineer some piece of software while trying to crack it, or searching all your various stash points looking for your copy of VNC that is all set up to install on some machine you 'borrowed'. This tool has a slick interface (actually several) and it works extremely well. I personally think it is a fantastic tool, now I don't have to spend the time I used to trying to create an exploit to prove to some bone headed manager that a vulnerability is important and should be patched. Valuable time can be saved by using this tool. Excellent tool! Well at least in my world.
"How often does IP spoofing really happen these days on the Internet? Not very often, if ever. Any ISP running routers that don't prevent this should be de-linked."
Wow! What a rosy world you must live in. Spoofing happens ALL the time. Those Korean networks are really on top of the egress/ingress ACL'ing, that's why nobody ever sees attacks/spoofed traffic coming from them. No, sorry to burst your bubble but spoofing is very frequent and happens all the time. You would think that the big shops would deploy ACLs on their border routers but not all of them do. I used to be amazed at the number of spoof attempts we block on our core routers (people pretending to be us, people sending out traffic from bogon lists). It happens all the time, which is why something like this is just (IMHO) wrong. I can't see a realistic way to guarantee that you know the true originator of the traffic (unless it just automatically attacks the Asia-Pacific networks =).
Sadly it has already happened. There has been a story in Las Vegas about a group (approx. 9) or so boys and girls that had their own fight club. They have been running the video tape seized as evidence on the news. These kids are beating the crap out of each other in the parks at 1 am. Eventually they found someone they didn't like and seriously injured him. These were all upper/middle class kids, living in a 'good' area of town. My question is where were the parents while this was happening?
Article aside. Firewalls, in this case PIXes running the latest 6.x.x code (I think it's 6.2.3), implement a type of SYN-cookie into the IOS. I refer to it as a type, since they seem to be storing a little more information than the traditional SYN-cookie would (almost defeats the purpose). In testing this under fire it seems to work. My PIXes that used to fall over or run away when the slightest blip in the network happened have been able to stand up to some fairly aggressive attacks.
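The ingress/egress filtering the comment above is asking for, as an added example in Python (not code from the original post): ingress traffic must not claim one of our own prefixes or a bogon source, and egress traffic must carry one of our own prefixes. The prefixes, bogon list and flow records are constructed for illustration.

```python
"""Anti-spoofing (BCP38-style) border filter check.

Added example, not from the original comment. It models the two checks the
post describes: traffic arriving from the Internet must not claim one of our
own source prefixes or a bogon/martian source, and traffic leaving our network
must carry one of our own prefixes as source. Prefixes and flow records below
are constructed for illustration.
"""
import ipaddress

# Constructed: prefixes we announce (the only legitimate egress sources).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Well-known IPv4 martian/bogon ranges that should never arrive as an
# Internet-facing source (RFC 1918, loopback, link-local, multicast, reserved).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def classify(direction, src):
    """Return 'allow' or a drop reason for a packet with the given source.

    direction is 'ingress' (arriving from the Internet) or 'egress'
    (leaving our network towards the Internet).
    """
    addr = ipaddress.ip_address(src)
    if direction == "ingress":
        if _in_any(addr, OUR_PREFIXES):
            return "drop:spoofed-as-us"     # outside host pretending to be us
        if _in_any(addr, BOGONS):
            return "drop:bogon-source"      # unroutable/private source
        return "allow"
    if direction == "egress":
        if not _in_any(addr, OUR_PREFIXES):
            return "drop:spoofed-egress"    # our host forging a foreign source
        return "allow"
    raise ValueError("direction must be 'ingress' or 'egress'")


def audit(flow_lines):
    """Run classify() over 'direction src dst' records; return drop counts by reason."""
    counts = {}
    for line in flow_lines:
        direction, src, _dst = line.split()
        verdict = classify(direction, src)
        if verdict != "allow":
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample flow records: direction, source, destination.
SAMPLE_FLOWS = [
    "ingress 192.0.2.44 203.0.113.10",      # ordinary Internet client: allowed
    "ingress 203.0.113.77 203.0.113.10",    # claims one of our own addresses
    "ingress 10.1.2.3 198.51.100.5",        # RFC 1918 source from the Internet
    "ingress 224.0.0.9 198.51.100.5",       # multicast range as a unicast source
    "egress 203.0.113.10 192.0.2.44",       # our server replying: allowed
    "egress 192.0.2.99 192.0.2.44",         # internal host forging a foreign source
]

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        d, s, _ = line.split()
        print(f"{line:36s} -> {classify(d, s)}")
    print(audit(SAMPLE_FLOWS))
```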
While this may have nothing to do with the article (I haven't read it yet, saving it to read at the dentist office), your comment about firewalls not being able to help during [D]DOS attacks is flat out wrong.
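The "traditional SYN-cookie" the comment contrasts the PIX behaviour with, as an added Python example (not the PIX implementation and not from the original post): the server stores nothing per half-open connection, only a secret and a slowly ticking counter, and the timestamp and MSS index are packed into the server's initial sequence number. The bit layout, the MSS table, the secret and the addresses are assumptions chosen for the example.

```python
"""Classic stateless SYN-cookie encode/verify (added example).

Layout assumed here: top 5 bits = counter mod 32, next 3 bits = index into a
small MSS table, low 24 bits = keyed hash over the 4-tuple, the client ISN and
the counter. The server keeps no per-connection state until a valid ACK arrives.
"""
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # candidate MSS values; index fits in 3 bits
ACCEPT_WINDOW = 4                      # cookies older than this many ticks are rejected
SECRET = b"constructed-demo-secret"    # constructed; a real server rotates this


def _mac24(saddr, daddr, sport, dport, client_isn, count):
    """Low 24 bits of an HMAC over the connection 4-tuple, client ISN and tick."""
    msg = struct.pack("!4s4sHHII",
                      ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed,
                      sport, dport, client_isn, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, count):
    """Build the server ISN for the SYN-ACK; nothing is stored server-side."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(saddr, daddr, sport, dport, client_isn, count)
    return ((count & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Validate the cookie echoed back (ACK - 1) against the last ACCEPT_WINDOW ticks.

    Returns the MSS to use for the connection, or None if the cookie is stale
    or forged.
    """
    count5 = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if mss_idx >= len(MSS_TABLE):
        return None
    for delta in range(ACCEPT_WINDOW + 1):
        count = now - delta
        if count < 0 or (count & 0x1F) != count5:
            continue
        expected = _mac24(saddr, daddr, sport, dport, client_isn, count).to_bytes(3, "big")
        if hmac.compare_digest(mac, expected):
            return MSS_TABLE[mss_idx]
        return None   # tick matched but MAC did not: forged or wrong 4-tuple
    return None       # no tick in the window matches: stale cookie


def demo():
    """One handshake: SYN at tick 100, ACK at tick 102, plus a stale and a forged ACK."""
    tup = ("192.0.2.44", "203.0.113.10", 40000, 80)   # constructed client/server
    client_isn = 0x1234ABCD
    cookie = make_cookie(*tup, client_isn, 1460, 100)
    good = check_cookie(*tup, client_isn, cookie, now=102)
    stale = check_cookie(*tup, client_isn, cookie, now=200)
    forged = check_cookie(*tup, client_isn, cookie ^ 0x1, now=102)
    return good, stale, forged


if __name__ == "__main__":
    print(demo())   # (1460, None, None)
```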
I tried calling a few providers, but they're completely dense when you say "someone on your network is attacking one of my servers." Somehow they manage to get the stupidest people handling their support desk, who can't even comprehend what a server is. If you do manage to get to an abuse department, they'll rarely do much.
The sad part is that there are so many people sending in abuse complaints that are incorrect or false that it makes sifting through them very tough. Not to mention that these people are making crap wages (although the way things are now most of them are lucky to have a job).
For example, a user connects to a website and spends some time reading the content. Later when he clicks on a link, zone alarm or whatever other pc based firewall starts freaking out from a port scan. So he fires off a letter to abuse at every where, calls the NOC staff (often times being very hostile), who then create a trouble ticket for a security guy or some sysadmin. The Sec(sys) admin spends time to track it down, asks the person for a log since he didn't send any with his complaint and figures out that the connection timed out and he was surfing the site and not being attacked. It happens way too often, usually (and I don't mean to pick on the older generations) it is an older person who doesn't understand how things work. Which is fine but they take up time that can/should be spent solving other problems or looking into real abuse cases.
Granted the OP seemed to have a clue and was willing to work with the ISP. Their response is sad to see. Not all NOCs are filled with idiots who don't care. There is no real excuse for an abuse department to not pay attention, that is what they are paid for. I can only speak to the company (and only my tiny little slice of it) that I work for and perhaps a bit from the startup that I originally worked at. But our Security group takes all cases seriously (since our customers' sites, and our jobs, are on the line).
There is also another article about this topic. Also here is a direct link to a discussion as well. The article is mostly the same old thing but some of the comments are well thought out and argued *gasp* intelligently.
From digitaloffense:
A new worm which exploits a vulnerability in MS SQL Server is bringing the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 of each random target, each vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts). Some random screenshots and information about the worm can be found HERE.
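Detection logic for the propagation pattern the quoted note describes, as an added Python example (not from digitaloffense or the original post): it flags 376-byte UDP datagrams to port 1434 and alerts on a source spraying them at many distinct targets within a short window. The record format, the thresholds and all addresses are constructed.

```python
"""Flag Slammer-style UDP/1434 propagation in constructed flow records (added example).

Two indicators are applied: the 376-byte UDP datagram to port 1434 quoted in the
note, and a single source sending such datagrams to many distinct targets inside
a one-second window (the "random target" spraying behaviour). Thresholds and the
record format are assumptions for this example.
"""
from collections import defaultdict

SLAMMER_DPORT = 1434
SLAMMER_LEN = 376          # UDP payload length quoted in the note
FANOUT_THRESHOLD = 5       # distinct targets per source per window before alerting
WINDOW_SECONDS = 1.0


def parse_record(line):
    """Parse 'ts proto src:sport dst:dport len' into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        src, _sport = parts[2].rsplit(":", 1)
        dst, dport = parts[3].rsplit(":", 1)
        return {"ts": float(parts[0]), "proto": parts[1].lower(), "src": src,
                "dst": dst, "dport": int(dport), "len": int(parts[4])}
    except ValueError:
        return None


def is_slammer_datagram(rec):
    """True for the exact datagram shape the note describes."""
    return rec["proto"] == "udp" and rec["dport"] == SLAMMER_DPORT and rec["len"] == SLAMMER_LEN


def find_spraying_sources(lines):
    """Return {src: max distinct targets in any window} for sources over the threshold."""
    per_src = defaultdict(list)                # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_record(line)
        if rec and is_slammer_datagram(rec):
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):           # sliding window over sorted timestamps
            while events[hi][0] - events[lo][0] > WINDOW_SECONDS:
                lo += 1
            best = max(best, len({d for _, d in events[lo:hi + 1]}))
        if best >= FANOUT_THRESHOLD:
            alerts[src] = best
    return alerts


# Constructed sample records: 'ts proto src:sport dst:dport len'.
SAMPLE_RECORDS = [
    "1000.00 udp 198.51.100.23:1212 203.0.113.5:1434 376",
    "1000.05 udp 198.51.100.23:1212 203.0.113.9:1434 376",
    "1000.10 udp 198.51.100.23:1212 192.0.2.17:1434 376",
    "1000.15 udp 198.51.100.23:1212 192.0.2.201:1434 376",
    "1000.20 udp 198.51.100.23:1212 203.0.113.77:1434 376",
    "1000.25 udp 198.51.100.23:1212 198.51.100.250:1434 376",
    "1000.30 udp 192.0.2.10:5000 203.0.113.5:1434 376",    # one host, one target: no alert
    "1000.40 tcp 192.0.2.11:5001 203.0.113.5:1433 376",    # TCP to 1433: not the pattern
    "garbage line",                                         # malformed input is skipped
]

if __name__ == "__main__":
    print(find_spraying_sources(SAMPLE_RECORDS))   # {'198.51.100.23': 6}
```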
Hmm I don't remember mentioning my programming skills (or lack thereof) nor did I mention that mistakes don't happen. However, when a program has one buffer overflow and the author fixes that one but doesn't look through the rest of his code for more, is he really learning security? Or is he just being lazy and not caring?
We are talking about (in this thread at least) web server vulnerabilities. How many people are still running their servers as root? How many people aren't doing input validation (which is poor programming) in their cgi's? All of these things have been documented in the security community and there are plenty of free guides on how to avoid these pitfalls and mistakes (hmm I think a google search would help).
There is no perfect security but there are solutions that help mitigate a majority of them. Sadly you cannot easily mitigate laziness or people that just don't care.
I guess that you can break these down but to me it seems that the top vulnerabilities are:
Crappy Code - Some of the people that are writing applications today either never learned about security or just don't care. This spans both the closed and open source world (there are examples in both).
Bad Configuration - How many times do we hear about Joe (no offense if your name is Joe and you are an admin) admin configure a webserver (or application) and leave some huge wide open hole because they either couldn't understand the directions in the README or never bothered to look. Then they whine about it when they get 0wn3d.
Securityfocus's mailing list Vuln-Dev is where the original post came through. There has been an interesting thread on the subject since the posting. You may want to check it out:
This guy has a masters (political science) and a bachelor's (business management) degree. Yet he works at the local supermarket? Unless he owns the place, going to college was not worth it for this guy (even then perhaps not).
These things are a requirement for some of their customers. Most financial and government customers will have all these questions and demands on security. Things like: Are your windows bullet proof? What are your plans if there is a bomb threat? There are many security certifications that place requirements on where your servers are placed and what/who protects them.
Perhaps if they hadn't racked up a 3.5 billion dollar debt, bought Global Center and everything else under the sun they would be in a better position. It was estimated that 80% of the data center space will go empty next year. Exodus owns a very large chunk of that. When times started getting tough for them a large number of customers pulled out. That had to hurt their bottom line a bit.
I have seen in the past web servers that will send the request back to the client if that page is not found. For example if you send a bogus request to thttpd it just sends the request string back to you and says it could not be found. This causes all hell to break loose with IDS systems. So it appears that the attempted victim is an attacker even though it is patched (or more likely not vulnerable at all). If they just start shutting down people's connections they could be killing valid users, granted this would probably be a small percentage of users though.
I would suggest using Snort (http://www.snort.org). It is not very hard to set up and the footprint on the box is pretty light weight. Also the user community around Snort is very responsive, there is a mailing list that has heavy traffic but good answers to questions can be found there (http://lists.sourceforge.net/mailman/listinfo/snort-users). Also Dragos Ruiu has written a FAQ located at: http://www.snort.org/FAQ.html
As for a distro that has security built in? There is always OpenBSD (http://www.openbsd.com). Also Linux-Mandrake contains Bastille (http://www.bastille-linux.org/) which is a Linux hardening script.
I am also against censorship but you have an impossible task. I looked at the commercial software out there a little bit and one of the downfalls is they try and block key words and what not. A different approach is Apple's (?) KidSafe. I can't remember if Apple developed or is just partnering with KidSafe but they take the approach of not blocking but allowing only "approved" sites. This would limit the amount of sites your customers could view but it might also help keep the school kids from surfing porn.
Great, another reactionary response to a well reasoned post. Most of us don't want to take your precious guns. What most of us want is some form of regulation that governs the ownership of all types of firearms. We want these regulations to help keep guns OUT of the hands of criminals. If all manufacturers and gun dealers were held accountable for all of the guns that they sell and manufacture, you can be sure that the guns in the hands of criminals will be greatly reduced.
If I use a car, knife, spoon to commit a crime should the manufacturers of these objects be held accountable because I am a criminal?
Many legal gun owners feel that regulation is to keep THEM in check, and have some paranoid notion that the government will someday roam the country, dumping everyone's guns in a big dumpster. Wrong. The logistics of such a suggestion will never be possible.
I am sure the residents of Australia thought the same thing until they had to watch their guns being destroyed by the thousands. Legal gun owners think the regulations are there to keep them in check because they are the ones that will follow the law. Which makes them the only ones that will be affected.
In any major city in the US, criminals buy guns from two sources. Disreputable-but-licensed gun dealers, and pawn shops. There is no Miami Vice-style gun dealer pulling up in the 'hood in a Ferrari to show off the latest rocket launcher. In nearly every case, it is Billy the Hoodrat who buys a trashbag full of $50 guns from some disreputable licensed dealer.
It is clear that regulation, licensure, and recording of all sales through a licensed dealer, will create a trail from a gun's manufacture to disposal, which can only serve to keep the guns out of the hands of criminals, while hardly impacting the right to own a gun.
I don't know first hand how most criminals get the guns they use, I would however guess it was by breaking one of the many laws that are already in effect. I have seen first hand that criminals will break into a house and steal only a firearm. It always amazes me that people think passing a new law will magically make criminals behave and stop breaking the laws. We call them criminals for a reason. Why don't we enforce the laws that already exist? Let some harmless pot-heads out of jail to make room for real criminals.
I have to disagree a bit here. Granted it is a site that contains pictures of women in various states of undress, and yes they do charge a fee. But saying they are a 'straight up porn site' and implying that they are in it for the money (as I believe your post does) is a bit misleading.
I think if they were trying to separate people from their money they would charge more than $18 for 3 months and they probably would stop throwing parties and events. I might be able to concede that the Burlesque tour was started in part to drum up business for the site (though I don't think this was/is the only reason and it was a fantastic idea). They also would probably jack the prices of the merchandise up a bit (you know, if they were in it for just the money).
The pictures on the site are not what anyone would consider hardcore (at least I seriously would hope not). Only a few of the girls have pictures that show all the goods (I can still picture Mary's String of Pearls set in my mind, but I digress), most are artistic in flavor. More along the lines of the older Pin-Up style, not your typical 'pr0n' (you will not find a 'money shot', 'perl necklace' or penetration type of picture, though this can of course change). They also allow the girls to choose there own photographer and they don't have to be a professional, this is great for someone that is learning how to take pictures (nudes are perfectly acceptable subject for photography, painting, drawing and must other art forms). The site also has interviews (the latest being with Danny Glover), that include a wide range of people. There is also a section for news stories, with the current top story being Yasser Arafat's health. I just can't say this fits the profile of a 'straight up porn site'. The message boards and groups convey more of a sense of community then a 'sleazy' site.
Also some of the posts in this particular thread speak as if these women are giving up some part of there humanity. I think this is flat out wrong. These girls are not 'whoring' themselves out (I don't mean literal prostitution either) or debasing themselves in anyway (at least in my opinion). To quote from one of the posts in this thread:
Um, a lot of things. Like your sense of self-worth being dependent upon sexually arousing the opposite sex. In this case, they try and hide that by claiming they pose naked for more respectable reasons, but the truth is when you make yourself out to be an object of lust you soon get all of the problems that come with actually being one. I frankly pity women that choose to pay the bills by selling their bodies.
Now I could be wrong, and I know I can't speak for any/all the girls on the site but I highly doubt that any of them tie there self worth around being able to arouse the opposite sex. For each member (and not all members have picture sets uploaded), there is a list of questions that describe various aspects of that person. For example, favorite movie, 5 things you can't live without, body modifications, and why I did SG. Some girls answer with, I like to try things at least once, others answer that they are exhibitionist. Accusing them of trying to 'hide' the truth about why they posed is inaccurate and rude. Sure, some of them did it for nothing but the money, others because they wanted to feel sexy, and attractive. For me whatever motivated them isn't really relevant. I enjoy the 50's style pin-ups (Bettie Page style) and this is more in line with what the site offers (instead of the typical pornographic images that are floating around). I also like that the site doesn't enforce the typical stereotype of what makes a women beautiful (long legs, blonde hair, thin enough to see through, etc.). Most of the girls don't fit that mold. They have tattoos and piercing's, some of them are even into scarification (basically designer scars), yet they all are beautiful in there own right. I have to agree with some of the posts that describe it as empowering. The site throws conventional beauty out the door, and shows t
You can always go to Fry's and pick up one of the old ones. When Apple came out with the new display's, I picked up one of the older 23" ones from there ($1799). They usually discount the price a bit since they are(or will be) discontinued. Another route would be to go through the Apple store. They have some refurbished ones at a discounted price (and here comes the long url. It has been my experience that the refurb's sell quickly, so buy now.
Maybe its just been my experience but most if not all of the mac users I know would be labled computer experts. For the majority of them, we used Mac's in high school when creating the school newspaper and have continued to use them since then (yup, even through the dark years). The others are all Unix Admins who have recently gone over to using OS X as their main desktops (though using things like the gimp and mutt instead of there OS X counterparts). Mac's are super easy to run and maintain but when tools like netcat, snort, nessus and nmap all complie cleanly from source, they are extremely powerful as well.
As for Windows users, they are clueless (obviously not all but most), even with their MCSE's. Having done security for a corporate customer while having a primary focus on securing the companies that came to us for outsourcing (we were a large supposed to be the next best thing hosting company - and NO not exedus, we handled it soup to nuts). I have seem users do some of the stupidest things.
"I clicked on the pictures from some party and now my machine isn't working."
"Did you know the user that sent you the email?" I ask.
"No, I didn't even look, just clicked away"
"But don't you remember when we told you just earlier this week not to open up attatchments that come from unknown users and when in doubt call us. This is our job and we don't mind responding to questions, its what we do."
"Yup." I her response.
Sheesh. How can these people function? I just don't get it.
In some (these days it may even be most) cases the machine that is doing the attacking has been compromised and hijacked by the cracker. So the 'owner' of that machine may not know that there machine is contributing to global chaos that is the internet. So you might not want to send them a note blasting them (though they are or were running a machine that wasn't patched, whatever). Sometimes machines slip through the cracks and sites with really good security policies and dedicated security people get 0wned, so being polite is generally a good policy. How would you like to get a note that insults berates, humiliates you, instead of someone saying that your machine appears to have been attacking thier machine and could you look into it. This way the person is grateful for you pointing out that there machine was compromised and is more likely to let you know what happened. At least this has been my experience.
The project is meant to provide reliable exploits (among other things) for people that are performing pen-tests, IDS signature development and research. Its not meant to be a tool that people can download and start cracking machines all over the internet with the latest 'leet sploit'. It serves as a framework that allows people to create there own exploits or use the shellcode they have created.
Right now it may only have 34 exploits but they are solid and work very well. Along with that they have created a CLI, a curses'ish and a web interface (I think I may have missed one) that allows you to select the shellcode, select the exploit, select just about every option you could possible want.
If there is an exploit that you don't see but want, code it up and add it to the project. As for the kernel exploits, how would you use a remote tool to exploit a local vulnerability? I can see if you cracked the machine using an exploit that got you nobody, or some other non-privileged account and then uploaded a local root exploit and executed that. Perhaps that should be a module you should code?
Well more than likely the devel will contain 0-day's, up until the point that they release them. There have been a few (at least I seem to remeber a couple) of exploits that were released as part of the Framework. So it would seem to make sense that if they have an exploit that hasn't been released publicly (still waiting on companies or what not) and is coded as a module then it would be in the dev version, though, I doubt that there would be a large number of people that would have access. Otherwise they would just release it to the public.
. php). So I think it will remain open source and free for some time to come.
I doubt they would go the pay route since they are basically the free version of Canvas (http://www.immunitysec.com/) and Core's Impact (http://www1.corest.com/products/coreimpact/index
I think it is a bit inaccurate to say that it is time for the forensics folks to look for new jobs. Metasploit is not doing any voodoo or launching ram out of the exploited computer to blind the admin/user from seeing or detecting that the machine is compromised or that there is somehting 'fishy' going on. Just because something is not written to disk doesn't mean that it has some sort of magic shield around it, that protects it from the eyes of people that don't have the secret decoder ring. People have been dumping and analysing the contents of RAM for ages. Most (if not all) of the forensics tools I have played with include this ability and automate a large part of this. Granteed when the machine shutdowns that data is lost but while you are performing forensics on a live machine, it's there for you to access. You can also look at the network and detect that there are odd things afoot. You can tune your IDS to look for packets that resemble VNC traffic (though I would only suggest this if you don't use it yourself) or any number of things.
;-)
As for the parent of this particular tangent. No there isn't anything 'new' in this but comparing Metasploit to things like NetBus and BO2K is completely wrong. Those were tools that allowed you to control a machine and hide your presence while doing it. Metasploit gives you the chance to get the access that you would need to install your NetBus, etc. Metasploit does this in a way that makes it easy for the average person, no more loops trying to brute force memory addresses, no more trying to reverse engineer some piece of software while trying to crack it, or searching all your various stash points looking for your copy of VNC that is all set up to install on some machine you 'borrowed'. This tool has a slick interface (actually several) and it works extremely well. I personally think it is a fantastic tool, now I don't have to spend the time I used to trying to create an exploit to prove to some bone headed manager that a vulnerability is important and should be patched. Valuable time can be saved by using this tool.
Excellent tool! Well at least in my world.
"How often does IP spoofing really happen these days on the Internet? Not very often, if ever. Any ISP running routers that don't prevent this should be de-linked."
Wow! What a rosy world you must live in. Spoofing happens ALL the time. Those Korean networks are really on top of the egress/ingress ACLing, that's why nobody ever sees attacks/spoofed traffic coming from them. No, sorry to burst your bubble but spoofing is very frequent and happens all the time. You would think that the big shops would deploy ACLs on their border routers but they all don't. I used to be amazed at the number of spoof attempts we block on our core routers (people pretending to be us, people sending out traffic from bogon lists). It happens all the time, which is why something like this is just (IMHO) wrong. I can't see a realistic way to guarantee that you know the true originator of the traffic (unless it just automatically attacks the Asia-Pacific networks =).
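Added here as an illustration of the ingress/egress checks the post describes (not the poster's code and not any router's ACL syntax); the announced prefixes, the bogon subset and the packets are all constructed.

```python
"""Constructed example: the source-address sanity checks a border ACL
applies, catching the two cases named in the post: outsiders pretending
to be us, and traffic sourced from bogon (reserved, unrouted) ranges."""
import ipaddress
from collections import namedtuple

# Constructed: address space "we" announce, plus a small subset of the
# reserved ranges that should never appear as an Internet source address.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# direction: "in" = arriving from the Internet, "out" = leaving our network
Packet = namedtuple("Packet", "src dst direction")

def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def classify(pkt):
    """Return None if the source is plausible for this direction,
    otherwise a short reason string (what the ACL would log)."""
    if _in_any(pkt.src, BOGONS):
        return "bogon-source"
    if pkt.direction == "in" and _in_any(pkt.src, OUR_PREFIXES):
        return "spoofed-as-us"        # ingress filter: outsider claiming our space
    if pkt.direction == "out" and not _in_any(pkt.src, OUR_PREFIXES):
        return "egress-not-ours"      # egress filter: our host emitting a foreign source
    return None

def filter_packets(packets):
    """Split packets into (accepted, [(packet, reason), ...])."""
    accepted, dropped = [], []
    for p in packets:
        reason = classify(p)
        if reason:
            dropped.append((p, reason))
        else:
            accepted.append(p)
    return accepted, dropped

SAMPLE = [                                         # constructed traffic
    Packet("192.0.2.7", "198.51.100.10", "in"),     # ordinary inbound
    Packet("198.51.100.5", "198.51.100.10", "in"),  # outsider pretending to be us
    Packet("10.1.2.3", "203.0.113.9", "in"),        # bogon source
    Packet("203.0.113.9", "192.0.2.7", "out"),      # ordinary outbound
    Packet("192.0.2.200", "192.0.2.7", "out"),      # our host spoofing someone else
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print(len(ok), "accepted;", [(p.src, r) for p, r in bad])
```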
Sadly it has already happened. There has been a story in Las Vegas about a group (approx. 9 or so) of boys and girls that had their own fight club. They have been running the video tape seized as evidence on the news. These kids are beating the crap out of each other in the parks at 1 am. Eventually they found someone they didn't like and seriously injured him. These were all upper/middle class kids, living in a 'good' area of town. My question is where were the parents while this was happening?
Here is one of the stories
While this may have nothing to do with the article (I haven't read it yet, saving it to read at the dentist office), your comment about firewalls not being able to help during [D]DOS attacks is flat out wrong.
Article aside. Firewalls, in this case PIXs running the latest 6.x.x code (I think it's 6.2.3), implement a type of SYN-cookie into the IOS. I refer to it as a type, since they seem to be storing a little more information than the traditional SYN-cookie would (almost defeats the purpose). In testing this under fire it seems to work. My PIXs that used to fall over or run away when the slightest blip in the network happened have been able to stand up to some fairly aggressive attacks.
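As an added illustration of why a "traditional" SYN cookie needs no per-connection state (this is not the poster's code and not PIX/IOS code): the bit layout, secret, MSS table and addresses below are constructed for the example.

```python
"""Constructed example: a minimal stateless TCP SYN cookie. The firewall
keeps nothing per half-open connection; the client's ACK carries the
cookie back and proves it really received our SYN-ACK.
Layout (constructed): 5-bit time counter | 3-bit MSS index | 24-bit keyed hash."""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"      # constructed; rotate it in real use
MSS_TABLE = [536, 1220, 1440, 1460]      # constructed subset of encodable MSS values

def ip(text):
    """Dotted-quad string to 4 packed bytes."""
    return ipaddress.ip_address(text).packed

def _mac(secret, src, sport, dst, dport, t, mss_idx):
    msg = struct.pack("!4sH4sHBB", src, sport, dst, dport, t, mss_idx)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]   # 24 bits

def make_cookie(src, sport, dst, dport, client_mss, counter, secret=SECRET):
    """ISN for our SYN-ACK. counter is a slow clock (e.g. minutes since boot)."""
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fits[-1] if fits else 0        # largest table entry not above the client's
    t = counter & 0x1f
    mac = int.from_bytes(_mac(secret, src, sport, dst, dport, t, mss_idx), "big")
    return (t << 27) | (mss_idx << 24) | mac

def check_cookie(src, sport, dst, dport, ack_num, counter, secret=SECRET, window=2):
    """Validate the handshake's final ACK statelessly. Returns the MSS to use,
    or None when the cookie is forged, replayed on another 4-tuple, or stale."""
    cookie = (ack_num - 1) & 0xffffffff          # the client acks our ISN + 1
    t, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None                              # could never have been issued
    if ((counter & 0x1f) - t) & 0x1f > window:
        return None                              # too old (or from the future)
    expect = _mac(secret, src, sport, dst, dport, t, mss_idx)
    if not hmac.compare_digest((cookie & 0xffffff).to_bytes(3, "big"), expect):
        return None
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    src, dst = ip("192.0.2.7"), ip("203.0.113.9")   # constructed addresses
    isn = make_cookie(src, 40000, dst, 80, 1460, counter=10)
    print(hex(isn), check_cookie(src, 40000, dst, 80, isn + 1, counter=11))
```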
I tried calling a few providers, but they're completely dense when you say "someone on your network is attacking one of my servers." Somehow they manage to get the stupidest people handling their support desk, who can't even comprehend what a server is. If you do manage to get to an abuse department, they'll rarely do much.
The sad part is that there are so many people sending in abuse complaints that are incorrect or false that it makes sifting through them very tough. Not to mention that these people are making crap wages (although the way things are now most of them are lucky to have a job).
For example, a user connects to a website and spends some time reading the content. Later when he clicks on a link, ZoneAlarm or whatever other PC based firewall starts freaking out about a port scan. So he fires off a letter to abuse at everywhere, calls the NOC staff (oftentimes being very hostile), who then create a trouble ticket for a security guy or some sysadmin. The sec (sys) admin spends time tracking it down, asks the person for a log since he didn't send any with his complaint, and figures out that the connection timed out and he was surfing the site and not being attacked. It happens way too often, usually (and I don't mean to pick on the older generations) it is an older person who doesn't understand how things work. Which is fine, but they take up time that can/should be spent solving other problems or looking into real abuse cases.
Granted the OP seemed to have a clue and was willing to work with the ISP. Their response is sad to see. Not all NOCs are filled with idiots who don't care. There is no real excuse for an abuse department to not pay attention, that is what they are paid for. I can only speak to the company (and only my tiny little slice of it) that I work for and perhaps a bit from the startup that I originally worked at. But our Security group takes all cases seriously (since our customers' sites are on the line and our jobs).
The link for people who can't google or what ever: http://www.ambrosiasw.com
I remember the first time I played Escape Velocity. I lost many moons to that one.
There is also another article about this topic. Also here is a direct link to a discussion as well. The article is mostly the same old thing but some of the comments are well thought out and argued *gasp* intelligently.
From digitaloffense: A new worm which exploits a vulnerability in MS SQL Server is bringing the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 of each random target, each vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts). Some random screen shots and information about the worm can be found HERE.
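Added detection example for the traffic pattern the quoted note describes (a single 376-byte UDP datagram to port 1434 sprayed at many random targets); this is not the original post's or digitaloffense's code, and the flow-log format and sample lines are constructed.

```python
"""Constructed example: flag sources spraying 376-byte UDP payloads at
port 1434 across many distinct targets, the propagation pattern of the
worm quoted above, over constructed flow-log lines."""
import re
from collections import defaultdict

# Constructed log format: "<epoch> <PROTO> <src>:<sport> > <dst>:<dport> len=<udp payload bytes>"
LINE = re.compile(r"^(?P<ts>\d+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) > "
                  r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$")

def parse(line):
    """One flow-log line -> dict of fields, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("ts", "sport", "dport", "len"):
        d[k] = int(d[k])
    return d

def looks_like_slammer(rec):
    """The per-packet signature from the note: UDP, dst port 1434, 376-byte payload."""
    return rec["proto"] == "UDP" and rec["dport"] == 1434 and rec["len"] == 376

def infected_sources(lines, min_targets=3):
    """Return {src: distinct_targets} for sources that sent the signature
    packet to at least min_targets different hosts (the random-target spray)."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and looks_like_slammer(rec):
            targets[rec["src"]].add(rec["dst"])
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}

SAMPLE_LOG = """\
1043600000 UDP 198.51.100.7:1434 > 192.0.2.1:1434 len=376
1043600000 UDP 198.51.100.7:1434 > 10.9.8.7:1434 len=376
1043600000 UDP 198.51.100.7:1434 > 203.0.113.200:1434 len=376
1043600001 UDP 198.51.100.7:1434 > 172.20.1.5:1434 len=376
1043600001 UDP 203.0.113.9:53412 > 198.51.100.2:1434 len=60
1043600002 TCP 192.0.2.33:44101 > 198.51.100.2:1433 len=376
1043600002 UDP 192.0.2.33:1434 > 198.51.100.2:1434 len=376
""".splitlines()                                   # constructed sample traffic

if __name__ == "__main__":
    print(infected_sources(SAMPLE_LOG))            # {'198.51.100.7': 4}
```

A single matching packet (the last sample line) stays below the default fan-out threshold, which is what separates one legitimate SQL Server Resolution query from a spreading host.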
Hmm, I don't remember mentioning my programming skills (or lack thereof), nor did I mention that mistakes don't happen. However, when a program has one buffer overflow and the author fixes that one but doesn't look through the rest of his code for more, is he really learning security? Or is he just being lazy and not caring?
We are talking about (in this thread at least) web server vulnerabilities. How many people are still running their servers as root? How many people aren't doing input validation (which is poor programming) in their CGIs? All of these things have been documented in the security community and there are plenty of free guides on how to avoid these pitfalls and mistakes (hmm, I think a google search would help).
There is no perfect security but there are solutions that help mitigate a majority of them. Sadly you cannot easily mitigate laziness or people that just don't care.
I guess that you can break these down but to me it seems that the top vulnerabilities are:
Crappy Code - Some of the people that are writing applications today either never learned about security or just don't care. This spans both the closed and open source world (there are examples in both).
Bad Configuration - How many times do we hear about Joe (no offense if your name is Joe and you are an admin) admin configuring a webserver (or application) and leaving some huge wide open hole because they either couldn't understand the directions in the README or never bothered to look. Then they whine about it when they get 0wn3d.
Securityfocus's mailing list Vuln-Dev is where the original post came through. There has been an interesting thread on the subject since the posting. You may want to check it out:
http://online.securityfocus.com/archive/82/270364/2002-04-29/2002-05-05/1
You can follow the thread by clicking the next article in thread link on the right.
This guy has a master's (political science) and a bachelor's (business management) degree. Yet he works at the local supermarket? Unless he owns the place, going to college was not worth it for this guy (even then perhaps not).
These things are a requirement for some of their customers. Most financial and government customers will have all these questions and demands on security. Things like: Are your windows bulletproof? What are your plans if there is a bomb threat? There are many security certifications that place requirements on where your servers are placed and what/who protects them.
Perhaps if they hadn't racked up a 3.5 billion dollar debt, bought Global Center and everything else under the sun they would be in a better position. It was estimated that 80% of the data center space will go empty next year. Exodus owns a very large chunk of that. When times started getting tough for them a large number of customers pulled out. That had to hurt their bottom line a bit.
I have seen in the past web servers that will send the request back to the client if that page is not found. For example, if you send a bogus request to thttpd it just sends the request string back to you and says it could not be found. This causes all hell to break loose with IDS systems. So it appears that the attempted victim is an attacker even though it is patched (or more likely not vulnerable at all). If they just start shutting down people's connections they could be killing valid users, granted this would probably be a small percentage of users though.
Just a passing thought.
An easy to install IDS?
I would suggest using Snort (http://www.snort.org). It is not very hard to set up and the footprint on the box is pretty lightweight. Also the user community around Snort is very responsive, there is a mailing list that is heavy traffic but good answers to questions can be found there (http://lists.sourceforge.net/mailman/listinfo/snort-users). Also Dragos Ruiu has written a FAQ located at: http://www.snort.org/FAQ.html
As for a distro that has security built in? There is always OpenBSD (http://www.openbsd.com). Also Linux-Mandrake contains Bastille (http://www.bastille-linux.org/) which is a Linux hardening script.
I am also against censorship but you have an impossible task. I looked at the commercial software out there a little bit and one of the downfalls is they try and block key words and whatnot. A different approach is Apple's (?) KidSafe. I can't remember if Apple developed or is just partnering with KidSafe but they take the approach of not blocking but allowing only "approved" sites. This would limit the amount of sites your customers could view but it might also help keep the school kids from surfing porn.
Great, another reactionary response to a well reasoned post. Most of us don't want to take your precious guns. What most of us want is some form of regulation that governs the ownership of all types of firearms. We want these regulations to help keep guns OUT of the hands of criminals. If all manufacturers and gun dealers were held accountable for all of the guns that they sell and manufacture, you can be sure that the guns in the hands of criminals will be greatly reduced.
If I use a car, knife, spoon to commit a crime should the manufacturers of these objects be held accountable because I am a criminal?
Many legal gun owners feel that regulation is to keep THEM in check, and have some paranoid notion that the government will someday roam the country, dumping everyone's guns in a big dumpster. Wrong. The logistics of such a suggestion will never be possible.
I am sure the residents of Australia thought the same thing until they had to watch their guns being destroyed by the thousands. Legal gun owners think the regulations are there to keep them in check because they are the ones that will follow the law. Which makes them the only ones that will be affected.
In any major city in the US, criminals buy guns from two sources. Disreputable-but-licensed gun dealers, and pawn shops. There is no Miami Vice-style gun dealer pulling up in the 'hood in a Ferrari to show off the latest rocket launcher. In nearly every case, it is Billy the Hoodrat who buys a trashbag full of $50 guns from some disreputable licensed dealer.
It is clear that regulation, licensure, and recording of all sales through a licensed dealer, will create a trail from a gun's manufacture to disposal, which can only serve to keep the guns out of the hands of criminals, while hardly impacting the right to own a gun.
I don't know first hand how most criminals get the guns they use, I would however guess it was by breaking one of the many laws that are already in effect. I have seen first hand that criminals will break into a house and steal only a firearm. It always amazes me that people think passing a new law will magically make criminals behave and stop breaking the laws. We call them criminals for a reason. Why don't we enforce the laws that already exist. Let some harmless pot-heads out of jail to make room for real criminals.