You know, you may be on to something.. I have noticed recently a third ear growing on the back of my head. Perhaps I need to use a cellphone more often.
I have been in ukraine for around half a year now and can say this, if cell phone sales are skyrocketing its the Russians doing it. In a country where the average income per year if a littl less that 500 US dollars at least 90% of the population that I see not only have cell phones, but never stop using them. I personally can't see spending a 5th of my income for the year on a phone but then again I wasn't born here. If scientists discover in 10 years that cellphones cause cancer it will be because Ukraine has turned into one giant tumor.
Someone may have more experience with this than I do, but this is a bit scary. Has anyone else read the book "Stealing the Network". It goes into some detail on the subject of synthetic fingerprints and just how easy they are to make at home. The book is at home and I am at work or I would post the links that they have as refereneces. I can see the usefulness of the fingerprint perhaps replacing the signature or pin number, but the whole credit card!!! I don't know about you guys but when I realize that I left my credit card sitting around in a public place I freak out. I guess I am going to have to wear gloves from now on, or carry around a bottle of cleaning solution everywhere I go.
Someone with more experience please comment, especially if you have the links from that book, I am curious to read up.
Apparently I need to stop blindly clicking every article on slashdot and expecting an interesting topic. Although, this article has made me seriously consider what exactly would be required to take a distribution line gentoo and wrap it into a nice installer. With a kernel that probes for hardware you could in theory have a distro that works on most (or at least a lot of) systems with no problems. You would have to also write a nice front end to portage actually I need to go check whether its already been done, I'll be surprised if it hasn't). Perhaps put together a nice file manager that uses Finder's method of hiding all the ugly linux stuff, let the user see his home directory and links to the GUI software. As far as the actual GUI goes just build binaries for all the common applications into the iso. Then weed out all the crap from the KDE/foot menus. I think we should take this article as an example of what the average Joe wants and make a Linux distribution that panders to those needs. It wouldn't work on every system but it would work alot of the time. It wouldn't b something to sell but it would certainly be an option for when you are on the phone with your mother trying to explain to her what spybot is. You could simply say, "Mom, just leave the computer alone, I am putting a cd in the mail"
I wonder if any of what I just typed made any sense?
Still... For someone like this perhaps windows is the way to go, at least someone is getting use out of the computer, even if it is only to launch a DoS or run a proxy server.
Why is this on slashdot? I come here for the informed opinions and intelligent environment, not to read "linux" reviews written for the technically inept. Do I really need to spend my time reading about how the Windows XP install process is "somewhat complex". So I repeat slashdot. WTF
Honestly this whole password thing is idiotic. Companies are finally answering to the security risks of ten years ago. At this rate by 2010 they will be fixing sql queries based directly off user input.
when it comes to cracking/stealing a persons password the best method now days is always to steal. It doesn't matter if your password is 3 pages long if you give it to me I will be able to log in as you. strong passwords are only as good as the minds of those who use them. Add to that the fact that the longer and more complex a single password is, the more likely the employee is to use that password in multiple places.
Lets say I want access to a companies VPN, even if I don't know how strong the passwords are, connecting and trying a bunch of easy ones would be pretty dumb. Instead 5 minutes on google will tell me the name f Joe Blow who works there, what his email address is, and a whole bunch of things that he is interested in. So I email Boe Blow with targeted spam, tell him about this amazing new website that just happens to be a community of people with exactly the same interests as him. He goes there and finds out that he needs to set up an account to view the forum. So he has this 10 page password from work that he has already memorized anyway (he wouldn't want anyone breaking into his forum account) so he goes ahead and puts it in the password field. Turns out the forum kind of sucks so he promptly forgets about the site. TADA VPN access, and it only took 20 minutes. This works more than 50% of the time, and the average company has a few more than 2 employees.
Watch 90% of the people who see this change their slashdot passwords.:)
What a wonderful idea. Then any domain without a website won't be able to have a mail server either. Believe it or not we don't all use gmail buddy.
Seriously though the solution is in more DNS lookups instead of less. Someone put together a patch for qmail which does an MX lookup for the incoming addresses and denies if it fails. If you are really concerned about extra DNS lookups (Not exactly sure why you would be) you could even keep a list of failed domains and check against that first. Although the type of people who wrote this article in the first place will be telling me next that the 50 extra instructions this would take are going to slow down servers. If you want to see bloat look at Sendmail and stop complaining about DNS lookups.
Is this honestly a new concept to people. This is what google is for after all isn't it. If people are leaving their cameras http server open to anonymous access then they either A) want the world to see it or B) deserve to have the world watch them in the shower.
webcams and firewalls are hardly the extent of this problem. Buy any device that serves http and find a unique string in the address and you will get a ton of hits. Of the top of my head try:
inurl:"hp/device/this.LCDispatcher"
That should give you some hp printers, an excellent stepping stone to get access behind a firewall I find. They are esspecially interesting as some of them have onboard java VMs. I have a whole slew of chai java apps I have thrown together which do fun things like tunnel tcp traffic.
Given the attention this specific search has gotten you probably won't be able to find cams this way for much longer. But I'll warrant that a very small percentage of the admins out there who are told to "go put a password on the cameras" think to do the same with all their other http servers.
Slashdot Mirror
You know, you may be on to something.. I have noticed recently a third ear growing on the back of my head. Perhaps I need to use a cellphone more often.
Marketing strategy for Palm:
Build in a damn phone already.
I have been in ukraine for around half a year now and can say this, if cell phone sales are skyrocketing its the Russians doing it. In a country where the average income per year if a littl less that 500 US dollars at least 90% of the population that I see not only have cell phones, but never stop using them. I personally can't see spending a 5th of my income for the year on a phone but then again I wasn't born here. If scientists discover in 10 years that cellphones cause cancer it will be because Ukraine has turned into one giant tumor.
the link in the article did say, No card required...
Someone may have more experience with this than I do, but this is a bit scary. Has anyone else read the book "Stealing the Network". It goes into some detail on the subject of synthetic fingerprints and just how easy they are to make at home. The book is at home and I am at work or I would post the links that they have as refereneces. I can see the usefulness of the fingerprint perhaps replacing the signature or pin number, but the whole credit card!!! I don't know about you guys but when I realize that I left my credit card sitting around in a public place I freak out. I guess I am going to have to wear gloves from now on, or carry around a bottle of cleaning solution everywhere I go.
Someone with more experience please comment, especially if you have the links from that book, I am curious to read up.
Thanks
Apparently I need to stop blindly clicking every article on slashdot and expecting an interesting topic. Although, this article has made me seriously consider what exactly would be required to take a distribution line gentoo and wrap it into a nice installer. With a kernel that probes for hardware you could in theory have a distro that works on most (or at least a lot of) systems with no problems. You would have to also write a nice front end to portage actually I need to go check whether its already been done, I'll be surprised if it hasn't). Perhaps put together a nice file manager that uses Finder's method of hiding all the ugly linux stuff, let the user see his home directory and links to the GUI software. As far as the actual GUI goes just build binaries for all the common applications into the iso. Then weed out all the crap from the KDE/foot menus. I think we should take this article as an example of what the average Joe wants and make a Linux distribution that panders to those needs. It wouldn't work on every system but it would work alot of the time. It wouldn't b something to sell but it would certainly be an option for when you are on the phone with your mother trying to explain to her what spybot is. You could simply say, "Mom, just leave the computer alone, I am putting a cd in the mail"
I wonder if any of what I just typed made any sense?
Still... For someone like this perhaps windows is the way to go, at least someone is getting use out of the computer, even if it is only to launch a DoS or run a proxy server.
Why is this on slashdot? I come here for the informed opinions and intelligent environment, not to read "linux" reviews written for the technically inept. Do I really need to spend my time reading about how the Windows XP install process is "somewhat complex". So I repeat slashdot. WTF
Honestly this whole password thing is idiotic. Companies are finally answering to the security risks of ten years ago. At this rate by 2010 they will be fixing sql queries based directly off user input. when it comes to cracking/stealing a persons password the best method now days is always to steal. It doesn't matter if your password is 3 pages long if you give it to me I will be able to log in as you. strong passwords are only as good as the minds of those who use them. Add to that the fact that the longer and more complex a single password is, the more likely the employee is to use that password in multiple places. Lets say I want access to a companies VPN, even if I don't know how strong the passwords are, connecting and trying a bunch of easy ones would be pretty dumb. Instead 5 minutes on google will tell me the name f Joe Blow who works there, what his email address is, and a whole bunch of things that he is interested in. So I email Boe Blow with targeted spam, tell him about this amazing new website that just happens to be a community of people with exactly the same interests as him. He goes there and finds out that he needs to set up an account to view the forum. So he has this 10 page password from work that he has already memorized anyway (he wouldn't want anyone breaking into his forum account) so he goes ahead and puts it in the password field. Turns out the forum kind of sucks so he promptly forgets about the site. TADA VPN access, and it only took 20 minutes. This works more than 50% of the time, and the average company has a few more than 2 employees. Watch 90% of the people who see this change their slashdot passwords. :)
Umm do you work for Apple or something. I mean seriously... They should be paying you.
What a wonderful idea. Then any domain without a website won't be able to have a mail server either. Believe it or not we don't all use gmail buddy. Seriously though the solution is in more DNS lookups instead of less. Someone put together a patch for qmail which does an MX lookup for the incoming addresses and denies if it fails. If you are really concerned about extra DNS lookups (Not exactly sure why you would be) you could even keep a list of failed domains and check against that first. Although the type of people who wrote this article in the first place will be telling me next that the 50 extra instructions this would take are going to slow down servers. If you want to see bloat look at Sendmail and stop complaining about DNS lookups.
Believe it or not Linux is useful for things other than gaming.
Excuse me??? I think you just offended a lot of people here.
Is this honestly a new concept to people. This is what google is for after all isn't it. If people are leaving their cameras http server open to anonymous access then they either A) want the world to see it or B) deserve to have the world watch them in the shower. webcams and firewalls are hardly the extent of this problem. Buy any device that serves http and find a unique string in the address and you will get a ton of hits. Of the top of my head try: inurl:"hp/device/this.LCDispatcher" That should give you some hp printers, an excellent stepping stone to get access behind a firewall I find. They are esspecially interesting as some of them have onboard java VMs. I have a whole slew of chai java apps I have thrown together which do fun things like tunnel tcp traffic. Given the attention this specific search has gotten you probably won't be able to find cams this way for much longer. But I'll warrant that a very small percentage of the admins out there who are told to "go put a password on the cameras" think to do the same with all their other http servers.