...with a few thousand unpatched Linux boxes? There's no magic bullet that suddenly makes a given server safe for eternity out there, now or ever. As the lifetime of a server unpatched and unmanaged (as all these hypothetical NT4 boxes in your example are) reaches infinity, you can be damned sure that the probability that ANY box gets rooted out reaches 100% as well. Or will running SELinux and forgetting about those patches be different from running NT4 and forgetting to run well-publicized best practices checklists?
So I'm listening to WFMU while Station Manager Ken has another of his little tirades about the RIAA and how they're screwing the world over (and they are, unless owing the RIAA $500 a year for webcasting a station with no music on it makes sense to you), and it hits me: what about VoIP? I can't decipher the legalese on the page, but it doesn't strike me as particularly far-fetched that after quashing webcasters, Rosen et al will sic the attack lawyers on businesses who have the audacity to play hold music on their VoIP phone systems. If not, hello loophole!
It's a gorgeous game engine. I don't know why people act like it's an atrocity that this game looks beautiful and plays like a dream simply because there's no attempt at putting on a backstory or developing a character for them. Jeebus christ. Here's the backstory: you're a geek, you can remember playing Doom and Doom 2 single-player and being in awe of how cool it was to run around when you weren't jumping out of your skin because a cacodaemon popped out of nowhere in the strobe light to chomp your ass and you remember how cool it was to deathmatch your friends over a 2400 bps modem. Almost a decade after (has it really been that long?) you blew the shit out of Carmack's head, he's back with a JAW-DROPPINGLY GORGEOUS engine. You want backstory and character development? Read a fucking book. You want innovation in the FPS world (what sort of goddamned criticism is that?)? No one's stopping you from making your own game. Serious Sam has shown us that there's something to be said for giving us a mindless adrenaline rush and who am I to argue with an even prettier mindless adrenaline rush? Sign me the fuck up.
...any more than gcc is "fundamentally" flawed because it allows the use of sprintf() and sprintf()s have been the cause of countless buffer overflows. Good developers use the tools, bad developers end up getting abused by them. The concepts of how to properly use them have been kicked around for years; if a programmer decides to use an inherently insecure protocol as a security mechanism, whose fault is it? I suppose it depends on whether we're developing for Microsoft or *nix, eh?
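The sprintf() point above in code, as an added illustration that is not part of the original comment: the unbounded call is shown only for contrast, and the bounded replacement checks snprintf()'s return value, since ignoring it is the second common mistake (silent truncation). Function names, the buffer size and the sample names are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original thread. Function names, LINE_CAP and
 * the sample inputs are constructed here purely for illustration. */

#define LINE_CAP 32

/* Unbounded: sprintf() writes however many bytes the format expands to, so a
 * name longer than about 24 bytes runs straight past the end of `line`.
 * This is the classic stack buffer overflow the comment refers to. It is
 * kept only for side-by-side contrast and is never called with long input. */
void greet_unbounded(char *line, const char *name)
{
    sprintf(line, "Hello, %s!", name);   /* sprintf has no idea how big `line` is */
}

/* Bounded: snprintf() writes at most `cap` bytes (NUL included), but returns
 * the length the full output WOULD have had. A caller that ignores that value
 * passes a silently truncated string downstream, which is its own bug class.
 * Returns 0 when the whole greeting fit, -1 when it was truncated. */
int greet_bounded(char *line, size_t cap, const char *name)
{
    int needed = snprintf(line, cap, "Hello, %s!", name);
    if (needed < 0 || (size_t)needed >= cap) {
        /* Did not fit: `line` now holds a NUL-terminated prefix only. */
        return -1;
    }
    return 0;
}

int main(void)
{
    char line[LINE_CAP];
    const char *short_name = "Ken";                                  /* constructed input */
    const char *long_name  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 41 chars, constructed */

    if (greet_bounded(line, sizeof line, short_name) == 0)
        printf("%s\n", line);
    if (greet_bounded(line, sizeof line, long_name) != 0)
        printf("rejected: name does not fit a %zu-byte buffer\n", sizeof line);
    return 0;
}
```

The threshold is exact: "Hello, " plus "!" is 8 bytes, so with a 32-byte buffer a 23-character name fits and a 24-character name does not (it would need 32 bytes plus the terminator). The test below checks both sides of that boundary.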
Funny, I'd say the implementations are flawed and they're insecure. If they adhered to the RFC as it was written (rather than glossing over one little step), millions of users wouldn't be in a bind here. That said, calling SSL insecure is about as sane as calling email insecure because flawed implementations are plagued with problems or http insecure because some web servers choke on archaic flags and such. The moral of the story? Read your RFCs and then re-read them with a friend or two to make sure you read them right the first time.
...if you're a webcaster, if you don't play a single bit of music, under the new "agreement", you still owe the RIAA $500. If you play nothing but independent labels not affiliated with the RIAA or foreign labels (also not covered)? Still owe them $500. They get more money from webcasters who play their property, but they also get money from webcasters who don't. How does that make sense?
In order to be able to pass Hayes commands to the modem, you first have to establish a terminal session to the modem itself; if you can do this, it's already game over. Otherwise, knowing about ATH0, ATA, ATDT and ATM0 (well, the last is useful if you're dialing late at night and don't want to wake others) isn't so much l33t as having paged through the manual while waiting to get an open line. OTOH, figuring out that you can down a BBS you don't like by requesting a file named COM1:? That's getting warmer...
Maybe so, but read some of L0pht's papers about the widely insecure remote access to power grids, city works (traffic controls, etc.), and other such things which are probably very hackable and not connected to the internet.
I must be out of the loop: the L0pht never released any white papers on infrastructure insecurity. They merely, at the behest of the NIPC, testified before Congress something to the effect of "if we wanted to, we could hack the nation inside of an hour" or some ridiculous hyperbole like that. They're good hackers and all, but the sane mind looks to the reasons why they said what they did without any proof as they'd be wont to provide in any other situation: the almighty buck. The FBI got its "cybercrimes" division and the L0pht merged with @Stake, who now performs federal contract work for... guess who? Judges take intent into consideration. If I steal a car and intentionally run someone down, it will be treated differently than if I steal a car and accidentally hit someone; these laws handcuff the human element, turning judges from arbiters of law into life-sentence machines.
Can't think of any genius reason why a person would need this when you can just sift through pages and pages of legalese to find out the same thing. I feel bad for these folks because they'll approve (or not, but either way they're eating their lives away studying (and debating) bleeping license legalese!) any license that's thrown at them. Worse yet, licenses change and components can be closed sourced (right, Source Forge?) so I don't see much but big bad headaches for these folks in return for something that really doesn't add much to the community. So it goes.
Well, maybe not in the plural sense of the word (maybe...), but the disturbingly new-agey folks over at Slimeworld I know were working on building a FPS that's vision-impaired-friendly. The point of a purely transient visual medium catering to the blind eludes me, but then again I can slip on glasses to fix what's wrong with me...
> Very few sites are running Slash from CVS, as the CVS tree is a pre-alpha version. We have not yet even stamped it with a development release number (which will be 2.3.0 as soon as we feel it is stable enough for bleeding-edge users).
In spite of the fact that you haven't "stamped" the version with a release number, you had gone ahead and deployed a version of software which was open to and was, in fact, visibly exploited by XSS flaws. You then pretended that it never happened. No "whoops, we screwed up, here's what we did wrong so the rest of you can avoid our pitfalls" on the front page of the site that was exploited, no note on slashcode.com that people who have deployed the same version that you deployed are open to exploitation as well.
> Sites running CVS should stay as current as possible at all times, of course. The courageous admins of those sites should probably hang out on the IRC channel given on the slashcode.com homepage (#slash on irc.openprojects.net).
This doesn't reflect reality. Many people pull down a CVS snapshot and run with it, but it's nice to know that you think that admins should spend what little free time they've got idling in IRC just in case there's another bug that you don't feel like publicizing is exploited. Now that I think about it, doesn't that sound a whole lot like "security through obscurity"?
There is a nasty Cross Site Scripting (XSS) vuln in Slashcode. This was used a day or so ago on slashdot.org and resulted in most of the site being taken down for an hour or so. The maintainers of slashcode have patched the problem in CVS but have not even mentioned it anywhere that I can find. This leaves all sites using slash vulnerable to this exploit.
An example exploit (incomplete) is as follows:
I am disappointed that the slashcode maintainers have silently fixed this on slashdot.org yet made no mention of the problem elsewhere so that other sites can patch themselves. No wonder there are so many "trolls" on slashdot.org...ah well.
If you run a site using slashcode, get the latest CVS.
That is all. Move along.
Looks and feels like a poor rip-off of LiteStep.
on GNOME 2.0 Released · Score: 0, Troll
It's pretty sad when your best and brightest are put to shame by a bored college student's one-off class project to re-do Windows' shell to make it more customizable, isn't it?
The original poster probably has very good reasons for using Apache 1.3. If I take my car to the mechanic for a tune-up, the answer I'm not looking to hear is "forget about the tune-up, why don't you just buy a BMW M1?". In the meantime, I've got an otherwise perfectly fine car just like the original poster likely has a perfectly fine setup (perhaps with apps built and tested under Apache 1.3) and the latest and greatest isn't the answer for them.
What they did (unilaterally going ahead and releasing a bug they discovered) is shady, but you should instead point the finger of blame at the Apache group for distributing a buggy product (IIS had a similar problem with chunking way back when... what's that cliché about forgetting history?) and, if you're the one who's pimping open source as the best thing since sliced bread to anyone who will or won't listen, point the finger right back at yourself for blindly trusting the code you're running.
Re-education + buying new hardware (because there's no driver support for that, RTFM) + administrators to run your new servers + well... you get the picture. Plus what state manager in their right mind is going to take an arable system and scrap it? This is why mainframes live on even though there's "better" technology out there: they may not be pretty, but they just work.
And when they cap down this sinister 1% that's using 16% of their bandwidth, charging exorbitant rates, how long will it be before they decide to clamp down on the next 5% that's using 30% of their bandwidth? And the next 10%? And the next x%? Lovely divide and conquer trying to get us to buy the concept, but it's purely political. They know what they want to do (start building in unilateral price hikes to "meet a need") and they just had to find a laughable reason to do it. Cable modems/DSL aren't gas or electricity, but thanks for the inept analogy anyway. If the per-capita bandwidth cap was set at the mean of what 95% of the service's users use and speed caps were removed, I'd be the first to jump on that puppy. But since we're talking greedy monopolies here I've no such rosy vision of sensibility.
Simplicity can be elegant, but it isn't in your case. Isn't there actual case law (not UDRP) granting copyright holders preferential treatment when it comes to overlapping web site names? Also, good luck getting "www." deprecated, champ.
Once upon a time, there was a thriving black market for arable credit card numbers. Then the FBI got hip to it, made some busts and things settled down. Looks like the kids don't even need to go through all the trouble of phishing for cardz anymore; fire up Kazaa or Morpheus or Gnutella or... and search for *.doc or *.xls (or *.mdb, even) a few times a day. Done and done. Brilliant! This will be even more fun for me to do than scanning people's hard drives and finding pictures of their dongs alongside resumes listing them as Young Republicans. Ha ha.
What's next? Laptoppers are really into glitches? Will the life and times of Jan Jelinek and kid606 make the front page of Wired? Because I sure hope so! If this barely-there variation on minimalist techno is all the rage, it's high time that I auctioned off my microstoria CD. The bugger's so goddamned quiet I can't make much out of it even with my headphones on. Infinitely more aggravating than even the power electronics that I've got. Speaking of which, Wired should slap together an article on MSBR and Government Alpha. At any rate, since Mouse on Mars' brilliant _Iaora Tahiti_, glitch and its variants (looking at you, Vladislav Delay) has been downhill with few exceptions.
Boo hoo. They fought for deregulation and now they're feeling the bite in a purportedly free market of monopolies. Fuck them all. They made their bed, now sleep in it. Am I supposed to lose sleep knowing that they've gotta pay their indies $10K/song/station to get an ad because the stations are all owned by the same conglomerate when the record labels have joined into a conglomerate and engaged in price fixing? I don't listen to radio (except for the independent, supersuave WFMU) and I can't wait until inevitability catches up with the RIAA.
Well, will there? The Sims seem to be awfully popular with this Linux-savvy crowd, so it would logically follow that they'll release a Linux version for everyone, right?
kurthanson.com is the homepage for the Radio and Internet Newsletter (RAIN), a fine spot for up-to-date information on what's going on in the world of webcasting. Found both of these links at WFMU, aka numero uno webcasting radio station in the world. Gotta love the fact that the RIAA wants to see that webcasters pay fees on top of the ASCAP/BMI fees that "real" radio stations do without getting any of the payola. At any rate, it'll be interesting to see what the Librarian of Congress does in the next 30 days.
The guy sounds like a world-class sleazeball.
on Hacking Web Services · Score: -1, Redundant
1) He talked about countermeasures instituted against hackers, but doesn't want them openly published (security through obscurity, anyone?)
2) In an effort to thwart mass account creation, they're thinking of instituting arithmetic questions to "be able to get the abusers to perform distributed computing tasks for him." Except that this affects users as well... shady, and they'll be approximating the power of an XT to boot.
3) "He also wants obfuscated HTML, which is particularly ironic since, in his days in academia, Manber wrote one of the first screen-scrapers. He wants the ability to detect passive vulnerabilities in a system. And he wants better ways to fight back. 'I have huge pipes,' he laughed. 'It's very easy for me to go after them. Unfortunately, it's not legal.'" Good luck Balkanizing the web, champ.
Two different looks, two different payloads. One queries then tries the blank PW before brute-forcing, the other fires and forgets.