Before AIM6 the servers did accept a hash for login, but that's all you can do with it. (You can send a change email request with it, but that takes 72 hours and the user can cancel it during that time)
AIM6 decrypts the password each time you log in and sends it plaintext over an SSL connection. I'd venture that storing a hash is more secure, because at least you have to crack that before you can change the user's password.
I can't think of any situation where a password stored plaintext or encrypted would be a better option than some type of stored hash.
It's worse than they make out. Back in December 06 I posted a synopsis of how the password hashing on AIM works. They ALSO remove all the 'weird' (read: non-alphanumeric) characters. So your "eight characters" may actually be only six or four - since it cuts the password down to eight before it removes the weird ones.
They also don't hash passwords anymore in your registry from AIM6 onward. They encrypt them, but that's a lot easier to get around than hashing.
If you really want a more detailed explanation you can take a look at the 12/29/06 and 12/30/06 posts on this page - http://tsourceweb.com/ - but what I already mentioned is the crux of the issue. (We all know people on Slashdot don't like to read articles anyway ;)
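Added illustration for the two posts above (the hash-for-login post and the truncate-then-strip post). This is not code from the original posts or from AOL; it models the described handling, and the assumption that only [A-Za-z0-9] survives the strip is mine. The point it shows is that truncating to eight characters before stripping the non-alphanumerics is what makes it bad: the strip can only shrink what is left, so the hash input is drawn from a 62-symbol alphabet of eight characters at most, and often far fewer.

```python
import re

# Constructed model of the password handling the posts above describe:
# the client keeps only the first eight characters of the password and
# then drops every character that is not a letter or digit before hashing.
# This is an illustration, not AOL's code; the kept character class is
# an assumption.
MAX_LEN = 8
NON_ALNUM = re.compile(r"[^A-Za-z0-9]")
KEPT_ALPHABET = 62      # [A-Za-z0-9] is all that can survive the strip
ASSUMED_ALPHABET = 95   # printable ASCII the user believes they are using


def effective_password(password: str) -> str:
    """Return the characters that actually reach the hash: truncate first,
    then strip, in that order (the order is what makes it worse)."""
    return NON_ALNUM.sub("", password[:MAX_LEN])


def keyspace(password: str) -> int:
    """Candidates an attacker must try to cover every effective password of
    the same length; the hash input is drawn from a 62-symbol alphabet."""
    return KEPT_ALPHABET ** len(effective_password(password))


def shrink_factor(password: str) -> float:
    """How many times smaller the real search space is than the one the
    user believes they chose (full printable ASCII, full length)."""
    return (ASSUMED_ALPHABET ** len(password)) / keyspace(password)


def collides(a: str, b: str) -> bool:
    """True if two different passwords hash to the same value under this
    scheme, i.e. either one logs the attacker in as the other."""
    return a != b and effective_password(a) == effective_password(b)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("a!b@c#d$efgh", "correct horse battery staple", "pass!!!!word"):
        eff = effective_password(pw)
        print(f"{pw!r:32} -> {eff!r:10} len={len(eff)} "
              f"keyspace={keyspace(pw):.3e} shrink={shrink_factor(pw):.3e}")
    print("collision:", collides("pass!!!!word", "pass"))
```

Two things fall out of running it: a twelve-character password built around symbols ("a!b@c#d$efgh") hashes as the four-character "abcd", and a password whose first eight characters are all symbols hashes as the empty string, so any such password is interchangeable with any other. Storing the hash client side is still better than the reversible encryption the later client uses, but only as far as the reduced input is hard to crack, which under this scheme it is not.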
Not hiring them, at least initially - more like community service - the cracker would have to spend a certain amount of time helping the company. After that point, if the company felt they could trust the person, sure they could actually offer to hire them.
Frankly, hiring crackers would be the best thing AOL could do, considering their incompetent programmers and security procedures. I'm familiar with AOL, and although their security has gotten better in some slight ways over the past 7 years, it's remained mostly the same, and in some ways is even worse.
Here's a perfect example: they used to store encoded md5 hashes in your registry - now they just encrypt them. Why would you store someone's password unhashed client side? That's just asking for a worm with a password stealer. That's the least of their problems. When a kid can VPN into your internal network, and actually use it for something 'useful', you need some major outside security help from whoever you can get it from.
That may be true, but it doesn't change the messed up nature of how our society treats people who crack their systems. Yes, there should be consequences - but part of those consequences should be requiring the crackers to help the victims clean up and secure their systems. What good does it do if a kid hacks government agencies, then just gets thrown in jail? It isn't a productive use of his skills, and the government servers sit there unfixed for the most part. (government is just the extreme example - AOL and pretty much any other situation could fit into the same boat - especially when they are corporations/governments with pathetic security, not just some zero-day that happened to get through before it was patched)
You either leave the net as the wild west, and let every man fend for himself, or you set up concrete rules about hacking, etc and enforce them fairly.
I'm not defending the 'ebay hacker', but I think if he's in trouble then the sysadmin should be as well. There are a lot of physical solutions to cut off someone's net access if you have control of their building, in the event that you can't handle it on the technological side. The responsible thing to do if neither of those options were available would be to remove your server from the net, or actually make your system secure, and report the attacker through the proper channels.
And to all the people defending the sysadmin as justified, I would like to know why - if he thought blackholing the first IP was enough at the time - did he bother to find a working password on the system in question, and what methodology did he use to do that? Seems like he's just using the second attack as a CYA to hide his proclivity to hacking students' machines when he wants to. (If you RTFA it says that he used a password from the first time to log in the second time and snoop around to verify it was the same computer)
About six months ago I had a dedicated server with Layeredtech. Apparently AOL didn't like some of the posts on a forum I was hosting - so they complained to SAVVIS, calling the forum a "phishing" site. Even the rep who was checking into the complaint saw that it was not a phishing site, and decided to change the complaint to "Other" - filling in "Hacking site" on the report. Now just to clarify, the content they were complaining about was one thread with people discussing social engineering in general, but mostly just bragging about suspending or unsuspending AOL screennames.
This was apparently enough for layeredtech to label the entire forum as a hacking site, and insist that I remove the domain or have my entire server turned off. I didn't even see the email until they had shut off the server (they only gave me a few hours). Keep in mind this is a thread posted on a forum in the ARCHIVE section - threads that hadn't been posted on in months...
Long and short of it, I complained but they refused to change their stance or even be reasonable about it, so I moved my server out of the country to avoid more issues with AOL making unreasonable demands of my hosting providers. I now colo with PRQ in Sweden - and I've had a very good experience with them.
Please don't comment that I must have had illegal stuff on my forum, because I was very careful about removing warez and porn - file uploads weren't even allowed. It was a blatant quashing of free speech because they were asked to by a large corporation.
Terra already released a CD (a few months ago at least) - it was fairly decent, a few fun songs. (I'm not a musician or an audiophile, but it's at least better than most of the mass produced pop out there) She reminds me of Alanis Morissette a bit. At the time I bought it I put in my 2c against going the standard route of taking a record contract.. now she has a contract with Island Records (Owned by BMG - one of the big RIAA members). Too bad, won't be buying any more of her music.
When they say they found a way to "curb piracy" they really mean they found a way to stop people from reselling non-subscription games. If you can't get a subscription out of people you can at least force everyone to buy a new copy of their very own. Battlenet accounts contain all your games similar to steam, so the only way to sell one would be to only have one game on it. Aside from that, trying to sell something that requires more than just the physical media is enough to stop most of the casual sales - there might be some but it would be rare. (not sure if gamestop type stores would even try to deal with that kind of hurdle)
You know the "pirates" will be the ones who actually supply people with a patch that allows LAN play. Not necessarily for people who want to steal the game, just for people who don't want to be gimped/monitored.
I think - not having played the game - that the point he was trying to make is that it can be used to make farming missions that give you xp or gold or whatever way faster than the real game. People would then play these repeatedly in order to advance much farther/faster than their peers. This would obviously be considered an exploit by the company and result in a nerf to the mission builder. Sure as you said there will be good content, but his concern was with the missions that throw PvP balance out of whack by making your character super powerful. The easy fix for this would obviously be to make player created content rewards not carry into the live game.
I don't really have an issue with instances being hard - the thing I find annoying is that they make lots of encounters based on your gear rather than your skill. "Hardcore" raiders aren't better than many casual raiders, they just had more time to grind that gear up.
I realize gear is the whole philosophy behind WoW so I don't see a real problem with it - but I get tired of people acting like they're so much better at the game when they might actually be worse players when put in equivalent gear.
Sounds to me like the motivation is to figure out why he outed them so they can screen out anyone who fits that criteria in the future. It's a good idea if you're the department perpetrating such an act - but kind of scary when you look at it from where I'm standing.
Boot times of 5 minutes wouldn't really bother me all that much - I reboot *maybe* once a month, other than that my computer is either on or suspended (and it only takes two seconds to return to life from suspend). The easy solution is make sure that Windows defaults to suspend/hibernate rather than shut down, since the normal user generally sticks with the default settings.
The things that matter to me are:
Cheaper hardware
More efficient software
Major technology improvements
I'm not at all an environmentalist, but I'd even put making a pc more power efficient, or making the manufacturing more environmentally friendly as more important than shaving a few more seconds off my boot time.
They didn't even get that. A journalist from Europe gave the talk for them, essentially. Apparently systems over there use the same insecure cards, so he gave a pretty detailed presentation about those. Needless to say the crowd at Defcon laughed and applauded when it was announced that he would be giving a talk since the students couldn't.
It would be nice if there was actually content displayed without turning on javascript. Maybe it wouldn't allow you to rate articles without JS on, or something of that sort. It's an instant turn off to go to a site and see no content without javascript. Unless that site has content that can't be obtained elsewhere there is little reason to even bother turning it on to inspect the site and see if it is worthwhile.
I can verify that at a certain point torrents stopped working completely for me on Comcast, but then I checked the box to encrypt connections and they started working again. (I first noticed it trying to bittorrent a linux distro)
Also, another weird and possibly related phenomenon - BT clients used to freeze up my computer. It was random and didn't matter if I had the rates throttled (though it seemed worse if I didn't throttle). Any client would do it. Since turning on encrypted connections BT has not frozen my computer a single time. Maybe they've been inhibiting the transfers in other ways for a long time and no one realized it. (or it could just be a freak technical coincidence - who knows)
If anyone can think of reasons why that would happen, I'd be quite interested. I thought maybe it was a router issue but it doesn't seem like that should cause the entire computer to hang even with hung/dropped connections.
Isn't the described method basically a slight variation on the whole IDS scheme? Establish a baseline and compare to it...? For some reason they don't seem to have thought of the baseline part yet though - apparently they didn't do their research well. Granted I think the baseline is usually bandwidth usage or something of that sort, but this is basically the same thing.
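Added example for the baseline-and-compare scheme the comment above refers to. It is not code from the article under discussion or from the original post; the per-host byte counts are constructed, and the choice of a z-score with a relative floor is mine. It shows the one part a baseline detector has to get right that the comment skips over: a host with a perfectly flat baseline has zero variance, so a naive z-score flags it on a one-byte change, and a host that was never seen during the baseline has no score at all.

```python
import statistics
from collections import defaultdict

# Constructed per-host byte counts per sampling interval, standing in for
# what a collector would have measured during a quiet baseline window.
# Made-up numbers, not data from the article being discussed.
BASELINE_SAMPLES = [
    ("10.0.0.5", 1000), ("10.0.0.5", 1100), ("10.0.0.5", 900),
    ("10.0.0.5", 1050), ("10.0.0.5", 950),
    ("10.0.0.7", 5000), ("10.0.0.7", 5000), ("10.0.0.7", 5000),
    ("10.0.0.7", 5000), ("10.0.0.7", 5000),
]
# The interval being judged: 10.0.0.5 has jumped, 10.0.0.7 is normal,
# 10.0.0.9 was never seen during the baseline.
CURRENT_INTERVAL = {"10.0.0.5": 1500, "10.0.0.7": 5100, "10.0.0.9": 300}


def build_baseline(samples):
    """Per-host (mean, population stdev) of bytes per interval."""
    by_host = defaultdict(list)
    for host, nbytes in samples:
        by_host[host].append(nbytes)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in by_host.items()}


def z_scores(baseline, current, rel_floor=0.1):
    """z-score of each host's current count against its own baseline.
    A flat baseline has stdev 0, which would turn any one-byte change into
    an infinite z; the floor of rel_floor * mean keeps quiet hosts from
    being flagged for noise. Hosts absent from the baseline get None."""
    scores = {}
    for host, nbytes in current.items():
        if host not in baseline:
            scores[host] = None
            continue
        mean, sd = baseline[host]
        sd = max(sd, mean * rel_floor)
        scores[host] = (nbytes - mean) / sd if sd > 0 else 0.0
    return scores


def anomalies(baseline, current, z_threshold=3.0):
    """Hosts to alert on: over the threshold, or never seen in the baseline
    (a new talker is itself a deviation from the baseline)."""
    out = []
    for host, z in sorted(z_scores(baseline, current).items()):
        if z is None or z > z_threshold:
            out.append((host, z))
    return out


if __name__ == "__main__":
    bl = build_baseline(BASELINE_SAMPLES)
    for host, z in anomalies(bl, CURRENT_INTERVAL):
        print(host, "no baseline" if z is None else f"z={z:.1f}")
```

With these inputs 10.0.0.5 is flagged at z=5.0, 10.0.0.7 sits at z=0.2 despite its zero-variance baseline, and 10.0.0.9 is reported as having no baseline. Whether the metric is bytes, connections, or something else, the shape is the same; the baseline window and the floor are what decide how noisy the alerts are.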
Carrier also adds some other nice features besides that. The one that was most critical to me was the ability to turn off the "inline typing notifications". Basically pidgin displays text in your IM box telling you your buddy is typing (appended after the last IM in the box)... I can't figure out why anyone would want that - not only is it distracting, but we already have a nice little icon in the corner that shows a typing keys picture when they're typing.
Why would anyone think it was a good idea to add a distracting, redundant feature that you can't disable? Oh right, the same people who gave us a text box we couldn't resize.
I wouldn't even be using the new version except that I upgraded to Ubuntu 8.04 and it forced a pidgin upgrade on me. (The Gutsy Gibbon Ubuntu release came with the previous version of pidgin I was using, and it didn't have all these trash "features" - they've really destroyed Pidgin recently)
Oh, not to mention they broke the AIM encoding in the new version too - so if you're sending messages to people on the official AIM client, they will often get errors, rather than your full messages.
I see some shiny belts and shoes, but really - I'd call it fake more on the basis of every single tribe member being head to toe in red, orange, or black paint. (You can tell the black is paint if you look at the hands - way different color)
I just don't see a bunch of natives hanging around in the forest all painted up with nowhere to go.
Only 80Gbps with 5 million subscribers? If my math isn't way off, that's about 16kbps - which is pretty pitiful speed. You'd have to throttle a lot just to be able to use one of these machines at max subscribers per machine.
Welcome to Comcast - our new TOS allows you to view text-only web pages with your *high speed* internet connection!
Sure I'd like to move the company to linux if I could - but there are some major considerations:
1. If I leave, does my back up admin feel comfortable with it?
(no)
2. Will users like it
(no because all their little non-work toy programs won't work on it - they'd be grumpy until they got used to it, which would take a while. We migrated some workstations to Vista and those users were even a little grumpy with their new interface and the new ribbon interface for office. It took a month or so for them to get used to everything)
3. Will it run the programs that administration is telling us to use?
(not natively - wine might do it, but you just threw your tech support on the software out the door if you go that route)
Keep in mind, 'users' refers to your executives and bosses - not just Joe in accounting... although if Joe in accounting can't get his accounting programs to work, there's going to be hell to pay as well. So the long and short is that even though I'd love to do that, it just isn't realistically possible for a lot of companies at this point, even if their admins have the know-how to get it done.
They would do it pretty quickly if they realized that they could charge you by device connected easier that way... you know, get rid of all those pesky routers NATing the traffic
Actually they're trying. I remembered reading about the rooftop gardens they were implementing a few years ago. I didn't realize at the time that they were for the olympics, but I googled and found a few articles about them.
http://www.msnbc.msn.com/id/7911618/
http://www.treehugger.com/files/2005/01/beijing_to_plan.php
They're missing tech support and quality control.
Yes, I am posting this from Ubuntu, and I'll admit they've come a long way in the past few releases - but there are still some major issues that you wouldn't see with a normal retail O/S:
(these are on gutsy, fresh install)
1. The search function doesn't work (yes there are other functions to search, but the main search button on every window.. that one doesn't work, at all.)
2. The network manager freezes up my computer when I switch saved networks, or from one wireless network to another (this happens maybe 20% of the time?)
3. The power functions (suspend/hibernate, etc) do not work.
4. The splash screen incorrectly detected my resolution and caused boots to take literally 5 minutes.
This is on a Dell Inspiron 9300, fairly standard laptop hardware.
#2 I can write off as a bug, although I don't see any good reason that my network manager should make my mouse and keyboard stop working (music/video etc keeps playing - but caps lock and any other key/mouse button stops working)
#1,3, & 4 would be unacceptable for a commercial OS going through normal quality control. I think the main problem is that there are so many people working on disparate parts that one fix or feature over here inadvertently breaks something over there.
As far as the support goes - I've posted on http://ubuntuforums.org/ (ubuntu's official forums) 3-4 times on issues I can't find previous answers to, and never receive any response. Since I read other fairly helpful responses to others I assume that the main problem is there aren't enough knowledgeable people to assess the complicated problems I've run into - which is where something like corporate tech support would help - they would escalate your issue till you got an answer.
All in all I'm fairly happy with Ubuntu, but some of the problems I've run into, and fixes I had to apply manually would be a deal breaker for a novice user.
P.S. I have everything except the network manager issue fixed myself
I'd be interested to know what information you thought would justify them issuing a take-down request (especially more than a year after the fact).
As far as the name, if you look at my discussion with the Layeredtech rep I specifically addressed that point, and he could have easily verified it by browsing a few topics. It was not a 'hacking' site by any means, unless you use it in the old fashioned 'I like to learn about stuff' sense.
In the end, I think they just handled the whole situation badly and without good reason. Would you like your host to kowtow to any large company that requested something of them - regardless of whether the request had any legal basis or not?
DO NOT buy from Layeredtech or any SAVVIS reseller if you can help it!
I would have recommended them, until they shut off my server because they didn't approve of one of my websites (which wasn't in any way illegal) - and would only turn it back on if I would remove the offending website. Not only the content, the entire site. They wouldn't even let me put an index page up explaining to visitors what had happened to the site!
Read on if you want the long explanation. Proof (saved web pages) is linked at the end.
--
I hosted a forum (think PHPBB type) on my server, among other things. At one point it was a fairly popular hang out for kids on AOL Instant Messenger - and in one thread they were discussing social engineering as a way to obtain screen names. No explicit details, just in general. Eventually I re-purposed the forum and moved these threads to an 'Archive' section in case anyone wanted information at a later date. The last post in the offending thread was July 8, 2005.
On October 5, 2006 - over a year later - I get an email from Layeredtech, saying I have violated the SAVVIS AUP (SAVVIS is their upstream host - Layeredtech is just a reseller basically). AOL had emailed SAVVIS and claimed the thread was hosting confidential AOL information. SAVVIS then incompetently classified it as a "phishing site" and passed it on to Layeredtech. The Layeredtech rep looked at the site and changed the description to "hack site". Now keep in mind this has all happened in the space of less than 3 hours, before they decide to disconnect the server completely from the network until I respond. I notice the site is down/check my email 30 minutes later and see what has happened - asking them to reevaluate and also verify that the takedown request was from AOL and not from a malicious 3rd party.
After a few more back and forth replies I am told that the server will be put back online if I make the entire site resolve to a 404 error - nothing else will suffice. (Remember, the only offending material is a one-year-old thread in an entire forum.) I finally agree as I have no other way to get the most recent database backups off the server. At this point I'm thinking that the 404 request is just 'letter of the law' and maybe the rep just has to say that. I make my backups just to be safe, and replace the entire forum with an index page announcing why it was down.
A week later I get an email saying that I must remove this index page and make it resolve to a 404 or they will shut down the server again. At this point I cancel my account with them and move my data elsewhere.
Now, this is just conjecture on my part - but at the time I did some research and found an article about AOL and SAVVIS doing some business together, so it's possible that's why they dealt with it so harshly - but I wouldn't want to risk it, and wouldn't give my business to anyone who handled a matter so entirely incompetently as those two did (Layeredtech and SAVVIS).
Here are the pages from the whole fiasco:
the offending forum thread:
http://www.tsourceweb.com/files/ltserver/post.htm
the entire support ticket exchange with layeredtech:
http://www.tsourceweb.com/files/ltserver/layered.htm
my temporary announcement page:
http://www.tsourceweb.com/files/ltserver/index.html
Before AIM6 the servers did accept a hash for login, but that's all you can do with it. (You can send a change email request with it, but that takes 72 hours and the user can cancel it during that time)
AIM6 decrypts the password each time you log in and sends it plaintext over an SSL connection. I'd venture that storing a hash is more secure, because at least you have to crack that before you can change the user's password.
I can't think of any situation where a password stored plaintext or encrypted would be a better option than some type of stored hash.
It's worse than they make out. Back in December 06 I posted a synopsis of how the password hashing on AIM works. They ALSO remove all the 'weird' (read: non-alphanumeric) characters. So your "eight characters" may actually be only six or four - since it cuts the password down to eight before it removes the weird ones.
;)
They also don't hash passwords anymore in your registry from AIM6 onward. They encrypt them, but that's a lot easier to get around than hashing.
If you really want a more detailed explanation you can take a look at the 12/29/06 and 12/30/06 posts on this page - http://tsourceweb.com/ - but what I already mentioned is the crux of the issue. (We all know people on Slashdot don't like to read articles anyway.)
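To make the truncate-then-strip problem from the comment above concrete, here is an added example (not code from the original post or from AOL) that models the described behaviour: the password is cut to eight characters first, non-alphanumerics are removed afterwards, and only what is left gets hashed. All names and the sample passwords are constructed for illustration.

```python
import hashlib
import string

# Constructed model of the client-side password handling the comment
# describes. This is an illustrative reconstruction, not AOL's code:
# truncate to eight characters FIRST, then strip 'weird' characters, so
# the string that is actually hashed can be far shorter than eight.
MAX_LEN = 8
ALNUM = set(string.ascii_letters + string.digits)


def effective_password(password: str) -> str:
    """Return the characters that survive truncate-then-strip."""
    truncated = password[:MAX_LEN]
    return "".join(c for c in truncated if c in ALNUM)


def stored_hash(password: str) -> str:
    """MD5 of the effective password, modelling the hash kept client side."""
    return hashlib.md5(effective_password(password).encode()).hexdigest()


def keyspace_after_normalization(password: str) -> int:
    """Number of candidate effective passwords an attacker would have to
    cover for a password of this surviving length (62 alphanumerics)."""
    return 62 ** len(effective_password(password))


def colliding(a: str, b: str) -> bool:
    """True when two different passwords would authenticate identically."""
    return a != b and stored_hash(a) == stored_hash(b)


if __name__ == "__main__":
    strong = "T!r@ce#1-much-longer-secret"   # 27 chars, several classes
    print(effective_password(strong))         # Trce1  (only 5 chars survive)
    print(keyspace_after_normalization(strong))  # 916132832, i.e. 62**5
    print(colliding(strong, "Trce1"))         # True: the 5-char password is equivalent
```

The point for a defender reviewing a password policy: any normalization must happen before length checks, and stripping characters after truncation silently discards the entropy the user thought they had.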
Not hiring them, at least initially - more like community service - the cracker would have to spend a certain amount of time helping the company. After that point, if the company felt they could trust the person, sure they could actually offer to hire them.
Frankly, hiring crackers would be the best thing AOL could do, considering their incompetent programmers and security procedures. I'm familiar with AOL, and although their security has gotten better in some slight ways over the past 7 years, it's remained mostly the same, and in some ways is even worse.
Here's a perfect example: they used to store encoded md5 hashes in your registry - now they just encrypt them. Why would you store someone's password unhashed client side, that's just asking for a worm with a password stealer. That's the least of their problems. When a kid can VPN into your internal network, and actually use it for something 'useful' you need some major outside security help from whoever you can get it from.
That may be true, but it doesn't change the messed up nature of how our society treats people who crack their systems. Yes, there should be consequences - but part of those consequences should be requiring the crackers to help the victims clean up and secure their systems. What good does it do if a kid hacks government agencies, then just gets thrown in jail? It isn't a productive use of his skills, and the government servers sit there unfixed for the most part. (government is just the extreme example - AOL and pretty much any other situation could fit into the same boat - especially when they are corporations/governments with pathetic security, not just some zero-day that happened to get through before it was patched)
You either leave the net as the wild west, and let every man fend for himself, or you set up concrete rules about hacking, etc and enforce them fairly.
I'm not defending the 'ebay hacker', but I think if he's in trouble then the sysadmin should be as well. There are a lot of physical solutions to cut off someone's net access if you have control of their building, in the event that you can't handle it on the technological side. The responsible thing to do if neither of those options were available would be to remove your server from the net, or actually make your system secure, and report the attacker through the proper channels.
And to all the people defending the sysadmin as justified, I would like to know why - if he thought blackholing the first ip was enough at the time - did he bother to find a working password on the system in question, and what methodology did he use to do that? Seems like he's just using the second attack as a CYA to hide his proclivity to hacking students' machines when he wants to. (If you RTFA it says that he used a password from the first time to log in the second time and snoop around to verify it was the same computer)
About six months ago I had a dedicated server with Layeredtech. Apparently AOL didn't like some of the posts on a forum I was hosting - so they complained to SAVVIS, calling the forum a "phishing" site. Even the rep who was checking into the complaint saw that it was not a phishing site, and decided to change the complaint to "Other" - filling in "Hacking site" on the report. Now just to clarify, the content they were complaining about was one thread with people discussing social engineering in general, but mostly just bragging about suspending or unsuspending AOL screennames.
This was apparently enough for layeredtech to label the entire forum as a hacking site, and insist that I remove the domain or have my entire server turned off. I didn't even see the email until they had shut off the server (they only gave me a few hours). Keep in mind this is a thread posted on a forum in the ARCHIVE section - threads that hadn't been posted on in months...
Long and short of it, I complained but they refused to change their stance or even be reasonable about it, so I moved my server out of the country to avoid more issues with AOL making unreasonable demands of my hosting providers. I now colo with PRQ in Sweden - and I've had a very good experience with them.
Please don't comment that I must have had illegal stuff on my forum, because I was very careful about removing warez and porn - file uploads weren't even allowed. It was a blatant quashing of free speech because they were asked to by a large corporation.
Terra already released a CD (a few months ago at least) - it was fairly decent, a few fun songs. (I'm not a musician or an audiophile, but it's at least better than most of the mass produced pop out there) She reminds me of Alanis Morissette a bit. At the time I bought it I put in my 2c against going the standard route of taking a record contract. Now she has a contract with Island Records (owned by BMG - one of the big RIAA members). Too bad, won't be buying any more of her music.