Slashdot Mirror


User: bsDaemon

bsDaemon's activity in the archive.

Stories: 0
Comments: 2,789

Comments · 2,789

  1. Re:But.. But... on High-Bandwidth Users Are Just Early Adopters · · Score: 5, Insightful

    There's a difference between "conflict of interest" and "we know what we're talking about," although the two do sometimes overlap.

  2. Re:Google Web == MS Desktop on Bing Becomes No.2 Search Engine at 4.37% · · Score: 1

    Because this is Monoculture 2.0!!!

  3. Re:Excellent! on Bing Becomes No.2 Search Engine at 4.37% · · Score: 1

    Some areas of the US were served by a CLEC, not a Bell. I guess Bell wasn't a monopoly, either, cause I had GTE before they merged with Bell Atlantic and became Verizon...

  4. Re:Sad but smart on The Decline and Fall of System Administration · · Score: 1

    We moved all the data over to a hot swap physical machine then replaced the disk in the original machine later. Everyone else was trying to just suspend this customer for resource abuse. It's not that his shit was /that/ bad, but it was just bad in a way that made him swap to disk about once every 2 hours, with a 75% chance that his shit would hit the bad blocks. The machine needed to be moved, no doubt about it. When I found that out, I also noticed a few other indicators of impending disk failure that none of the other people in my department had noticed. I like my new job, though. We don't have any idiots here and I'm not in ops anymore. It's totally money.

  5. Re:Sad but smart on The Decline and Fall of System Administration · · Score: 1

    No, the re-imaging is more like if you have cancer and you decide to commit suicide in hopes that you get re-born in a body less susceptible to cancer, with the intention of using past-life regression hypnosis to remember everything from before. Re-imaging means shit when the problem turns out to be bad sectors in the swap partition causing read errors and spiking CPU load due to IO waits. I've seen that before.

  6. Re:Clone my car! on The Decline and Fall of System Administration · · Score: 3, Insightful

    Traditionally? College. Way back when, long before I was born, system admins tended to be graduate students in computer science or other department staff, and those in industry did it in college first. System administration itself wasn't taught, but that's not the point. The point is several technologies grew up together and are generally described in terms of one another: Unix, C, TCP/IP, etc. -- You don't really get what's going on with one without the others in most cases.

    C, of course, is the foundational building block. Unix is the cathedral and TCP/IP is the road that connects each building together. Most of the so-called system admins I've seen in the past have been "web developers" who have been put in over their head and forced to deal with things they don't fully understand. I learned C and Unix concurrently, starting by teaching myself in jr. and high school. Try explaining an mbuf to some kid who only knows PHP some time -- it's painful.

    The lack of fundamental understanding which would enable them to be competent admins is the same lack of fundamental understanding which keeps them from writing secure code, debugging network issues, etc. But, because there is a large influx of semi-skilled people who think that the fact they installed Ubuntu on their PC at home makes them a server admin, employers are less willing to offer up the salaries necessary to attract competent admins, and frankly the salaries need to be even higher to make dealing with idiots less of a hassle.

    I'm so glad I'm not in web hosting anymore I can't possibly overstate it.

  7. Re:Thinking saves money!!! on Man Pays $200,000 To Save Fake Online Girlfriend · · Score: 1

    How do people that naive get all that money in the first place?

    credit cards?

  8. Or possibly... on Retro Browser War: IE6 Vs. Netscape In 2011 · · Score: 5, Insightful

    Possibly, the fact that large numbers of corporate desktops still have IE 6 means that a non-trivial number of Web programmers code to where IE6 will still work, whereas no one is using old Netscape, even for fun, except for this dude.

  9. flamebait on Ubuntu: Where Did the Love Go? · · Score: 5, Insightful

    I don't even particularly care for Ubuntu (as if my nick name wouldn't be a tip off), but even I think this is probably the most flamebait summary I've seen on Slashdot in a while... wtf?

  10. Re:They want 2000 though on US Navy Breaks Laser Record · · Score: 4, Informative

    I interned in the instrumentation and control group of the Jefferson Lab FEL the summer I graduated from high school. My main project was working with the optics guys to write some spot-size detection software in C. Until my current job, it was definitely the most fun I've ever had in my life that didn't involve rafting. Of course, back in 2002, they had just started the 10kW upgrade project from 1kW, so a little over 10 years to get it working at 10x that capacity is pretty sweet.

    The project website for all the real, nerdy, details is here if anyone is interested.

  11. Re:This just in: on Number of Facebook Friends Linked To Anxiety · · Score: 1

    Either that you need quieter friends, you're autistic, or both?

  12. Re:Welcome to the USA on US Gov't Mistakenly Shuts Down 84,000 Sites · · Score: 1

    That's because only the highest bidder can afford the biggest government

  13. Re:Cyber terrorisim on On Retirement, Israeli General Takes Credit for Stuxnet Attacks · · Score: 1

    Yeah, but then he just hacked the no-fly list and it's like it never even happened.

  14. Re:Dear MS trolls: on Remote Bug Found In Ubuntu Kerberos · · Score: 0

    Maybe because it's easier to feel like Robin Hood from their mom's basement while they're doing battle against the great Satan, Microsoft. They want their pet OS to have every advantage in making them feel superior to all the infidels who haven't been enlightened. But, do note, there's a difference between those who are capable of discovering and exploiting a memory corruption vulnerability by sifting through decompiled binaries, and dumb-ass kids who copy and paste SQL injections until one works with the ultimate goal of putting goatse on someone's wordpress site. To the latter, it's nearly irrelevant what operating system is being run.

  15. Re:Godwin's law compels me on Infertility Could Impede Human Space Colonization · · Score: 1

    Yes. Russians have already colonized Space after creating the United States as a useful myth to justify the expense. In fact, the Mayflower landing was faked in a sound stage on the banks of the Volga.

  16. Re:News at 11 on Are You Sure SHA-1+Salt Is Enough For Passwords? · · Score: 1

    That's still missing the point. The point is to be able to crack the passwords held in the database back-end of the webapp. There are other ways to get at the customer data if you're already that far in, but as the gawker incident shows, many people re-use passwords across multiple web accounts, so depending on the nature of your caper you'll want to know what those passwords are so you can try them in other locations as well. /etc/shadow doesn't even have to come into play here, and shouldn't.

  17. Re:News at 11 on Are You Sure SHA-1+Salt Is Enough For Passwords? · · Score: 3, Insightful

    Well, seeing as how the article is about web authentication, hacking the passwd binary probably isn't that useful, depending on how the devs implemented their stuff. Probably they just take the text, pass it through a hashing function that likely punts to something like crypt() in the libc on the system, possibly picks a salt, then stores the hashed password in a database table.

    crypt() putting out DES, for example, usually only uses a 2-character salt, so if you have the hashed password you can knock the first 2 chars off, pass those back into crypt() as the salt value, then brute force the rest of the key space. Compare the result of the current iteration to the hash you're trying to crack, etc. or use rainbow tables, or other methods for doing this.

    Getting access to the database through a flaw in a web app is going to be a lot easier than getting a shell on the system then getting a local privilege escalation to root and replacing system binaries.

  18. Foss government? no thanks on The Relationship Between FOSS and Democracy · · Score: 1

    Only a few governments who have large commercial backing will ever get out of beta. Most of the rest will languish due to petty squabbles between project leaders and the voices of the community will lately be ignored. When the community members aren't blown off they will be told to submit a patch. Or quit bitching.

    There will be fragmentation, personality cults and holy wars all the time.

    Actually, that sounds about like how the world at large works now, anyway.

  19. Re:Time to Godwin on Senator Wyden Asks DHS To Explain Domain Seizures · · Score: 1

    No, the Brown Shirts were the SA. They were basically violent, drunken, out-of-work soldiers used as street muscle to fight Communists up to the point where the NSDAP attained State power. These people are more like the Gestapo, part of the SD, which was part of the SS. They wore black uniforms.

  20. I for one am shocked! on DoD Leads In Federal Open Source Usage · · Score: 3

    I for one am shocked that the department which started ARPA then built the Internet around open standards and Berkeley Unix would be friendly to open source software. This is big news! Seriously though, I am slightly surprised that DOE didn't take the top slot.

  21. Re:Owning stock - so? on Shareholders Push Hard For Apple Succession Plan · · Score: 1

    Because people hope that they can hold onto it just long enough for it to get really, super expensive and then sell off for a huge payout. Also, maybe it'd split? Some day Apple may offer dividends, so some people will likely hold onto it, however since a lot of people seem to look at dividends as a sign that a company has no more growth potential that'd kill them right now.

  22. Things could always be worse on App — the Most Abused Word In Tech? · · Score: 1

    Things could always be worse. At least I've not heard anyone use the term "proggy" since like, 2000.

  23. Re:Century on WikiLeaks Nominated For 2011 Nobel Peace Prize · · Score: 1

    Hmm... way to set the bar so high, there ;-)

  24. Re:Arbor Networks on Firewalls Make DDoS Attacks Worse · · Score: 1

    I'm not sure that's fair. For instance, having your upstream provider set a null route on a core router and just send the traffic to the bit bucket, if under a massive attack, is going to be more efficient than attempting to do packet inspection, stream reassembly, etc, to know whether or not traffic is safe to pass. This is even more true for IPS than for a "normal" firewall, since the processing overhead of the application is a lot greater.

    Of course, depending on the device you have, the software you're running, what rules are in place, etc, your mileage may vary. However, I would say, as a general rule of thumb, that the fewer bottlenecks you place in-line, the harder it will be to choke the pipe.

  25. Re:What he's doing? on World's Worst Hacker? · · Score: 5, Interesting

    I saw this last week. There were all kinds of hilarious inabilities to properly change directories or find scripts, which is why he kept downloading the same crap over and over again. Just for fun, my boss here (at a well-known company that makes security products involving pigs) fetched some of the files that the kid was trying to use. Half of the scripts were just fucking awful, such as hard-coding repetitive actions rather than using loops. The so-called "hacker" also left clues to his identity all over the crappy "sploits", too.

    I honestly have a hard time believing the douchebag in the video was able to get a shell, even on a honeypot, and then fail to be able to change directories. However, the kits he was fetching were also so terrible I don't think that even if this hadn't been a honeypot he'd ever have gotten any local privilege escalations anyway.