Slashdot Mirror


User: gumbo

gumbo's activity in the archive.

Comments · 96

  1. Re:Resist your users! on pam_ldap/pam_krb5 Authentication Against Active Directory? · · Score: 5
    If an attacker manages to get onto your network, they'll probably be able to sniff someone's password within about 5 minutes since Windows will use plain text unless you're in an all-NT/2000 environment.

    I'm certainly not a Microsoft fan, but I have to stop FUD when I see it. The above is false. The SMB side of my network is 95/98/NT/2000, and there are no clear-text SMB passwords floating around. The Win 95/98 machines authenticate against the NT domain, and do it without plain-text passwords. Same thing when the Linux machines need to connect to an SMB share. So, sorry, but that's just not true.

    They do pass around password information that L0phtcrack can work with, though, so if the passwords are weak, they'll be easily broken. It's essentially the equivalent of sending out /etc/shadow entries unencrypted on the network.

    Gumbo

  2. Re:Grow Up on pam_ldap/pam_krb5 Authentication Against Active Directory? · · Score: 1
    To whoever posted that first reply, grow up! The reason why Linux has had such trouble entering the market is because of short-sighted users such as yourself that have nothing more to say than "M$ sucks, Linux Rocks."

    You need to go back and read that post again. It was a joke. It was predicting what the rest of the thread would boil down to, making fun of your average ./ post.

    The incredible thing is that post was originally modded (+3, Informative).

    Gum "Can't PAM communicate with Active Directory via carrier pigeon?" bo

  3. Re:Iron Chef rules! on Smorgasbord of Iron Chef · · Score: 1
    Iron Chef's theme music is from the movie Backdraft and it's composed by Hans Zimmer.

    I was actually just looking that up earlier, after watching the first Morimoto/Flay battle. While much of it is from Backdraft, there's some other music mixed in.

    You can get information about pretty much every bit of music that's ever been used at the unofficial Iron Chef site's music page.

    Gum "mmm, Chocolate Moose..." bo

  4. Re:Late night sysadmins.... on Paperweight or Computer? You Decide! · · Score: 1
    And notice that I accidentally hit the 'post anonymously' button... now, if that were a mission critical button, I would have screwed some mission critical server. Luckily, I was reading ./ , and my servers were once again spared an untimely demise.

    Sounds like I could make a killing by selling Ren and Stimpy-inspired "DO NOT PUSH" stickers to put on all the buttons on mission critical servers. I hate it when people push mission critical buttons.

    Gum "mission critical, if you know what I mean" bo

  5. Re:Why not Microsoft? on Themes.org Cracked · · Score: 1
    I'd like to know why microsoft.com hasn't been cracked or DDoSed yet. After all, it's official that everyone, especially the geeks capable of such cracks, hate Microsoft. You'd think it would get attacked every day.

    1. Several microsoft.com.?? sites have been cracked; their main sites in other countries. (Yes, by "other" I mean non-US...) Check the Attrition archives for the details. I think it's up to about 8 different cracks of non-US Microsoft sites.

    2. I'm sure Microsoft does get attacked daily.

    3. It's really not that hard to keep things secure, especially if you've got the money to have many sets of eyes checking over every change. (Or maybe they don't, 'cause how else can you explain their DNS fiasco of a few months ago...)

    Gumbo

  6. Re:This is really disheartening... on Themes.org Cracked · · Score: 1
    I'd like to know what's broken, I wonder who else is vulnerable.

    Sounds like he got into 1 ISP server somewhere (most likely through an old, well-known vulnerability that wasn't patched), trojaned the SSH client on there, and collected passwords. Someone from there SSH's to SourceForge and su's to root, and bingo, he's root on SourceForge's machines. Trojan SSH client on there, collect more passwords, etc...

    I used to hate seeing "everyone's vulnerable" and "it's only a matter of time" messages, and typically passed them off as paranoia, this, though, is scary. Apache.org got broken into as well? Damn...

    Yeah, but in this case apache.org probably didn't have any security problems, other than letting admins SSH in from shell accounts on other systems that they didn't control, so they couldn't trust the SSH client on there. Just my guess based on what I can see so far, though...

    Gumbo

  7. Here are the details on SourceForge Server Compromised · · Score: 1

    Ok, I read more details about this on the bus on the way home at 6:30 this evening, and 5 hours later no one's mentioned them? Slackers... :)

    From C|NET:

    The site's "shell server" was compromised May 22 after a SourceForge employee logged on to an outside Internet service provider that had already been taken over by the intruder, said Pat McGovern, site director of SourceForge.net. When the staff member logged on to SourceForge remotely, the intruder captured the password.

    [snip...]

    Although illicit modifications to the programming projects are a concern, McGovern said the intruder didn't get that far.

    From this, I'd have to guess that SourceForge allowed telnet in, and the cracker was sniffing on the cracked ISP's box. It's also possible that the admin was tricked into using a trojaned ssh client from the ISP's box, but the former sounds a little more likely from the limited details in the article. If so, I'd have to blame SourceForge for allowing incoming telnet.

    If it's the latter, it gets harder to blame SourceForge, but we still can. :) If the admin was doing admin-type functions, he shouldn't have been using an ssh client that he didn't have complete control over.

    Gumbo

  8. Re:Working for government on How Many Hours Do You Work in a Week? · · Score: 1
    I barely work 8 hours a day, if that, when various distractions are included. I don't make as much as those who work in the private sector, but I do get to go home at 5:00 and have a life outside of work.

    Me Too.

    I work for the federal government, doing various geeky things at a fairly small agency. I get a decent amount of money, but definitely less than I could be making in the private sector. On the other hand, I have mind-bogglingly flexible hours, I hardly ever work more than 35-40 hours a week, and I know my company isn't going to go belly-up next month.

    We're small, so I have the flexibility to do almost any facet of geekdom that I want (play with routers one day, Linux admin the next, do some webcasting, do penetration testing, kick the Netware machines, do graphics and web design, administer the firewall, etc.).

    But like many others have said, I don't work long weeks. I'd rather spend my time having fun. And really, only a small fraction of that 35-40 hours a week is spent doing real work, unless we're in some emergency mode.

    Of course, if you want to pay me $120k, I'll be more than happy to put in 45-hour weeks for you... :)

    Gumbo

  9. Re:Unfair on Dear CDDB Users: Thanks For Helping The RIAA! · · Score: 1
    I have material to which I own the copyright which is entered into the CDDB.

    So now I'm blocked from distributing my own music over napster because someone who bought a CD typed the information into Napster?

    Of course Napster isn't going to block everything that's in the CDDB; they'll use it to cross-reference, to find out that CD #7410473 track #3 is likely to be misspelled in N ways.

    And how can anyone complain about this? "Oh, CDDB is turning on me and is now evil!" Come on, if you're downloading music from Napster that the artists/labels own and don't think you should get for free, why should you be getting it for free? Grow up and stop being so selfish!

    Gumbo

  10. Copyrighted != Not Tradeable on Courts Gives Napster 72-Hour Deadline · · Score: 1
    I'm wondering, why is it necessary to encode song names? Since the vast majority of Slashdot are law abiding citizens who would only use Napster to trade non-copyrighted music this should be an issue.

    Ok, this really bugs me. You'd think that on Slashdot, such a hotbed of Open Source activism, people would understand the difference between "copyrighted" and "freely distributable."

    Linux is copyrighted. That doesn't mean you couldn't trade copies of the Linux kernel on Gnutella or any other filesharing system. There's plenty of music that's copyrighted, but which you can freely trade on Gnutella or other filesharing systems.

    See the Phish Audio Recording and Transfer Policy, for one example.

    Gumbo

  11. Chipmakers will be able to modify WinCE source on Cherry, Cherry, Blue Screen Of Death · · Score: 1

    I thought the most interesting part of the article (and the part I mentioned when I submitted the story) was that Microsoft would let the chipmakers modify the WinCE source to use with their chips.

    According to the story, selected developers have been able to see source before (naturally) but have never had permission to modify and redistribute their own versions of it.

  12. Re:Finally! on Emusic Tracking MP3s On Napster · · Score: 1
    Finally, having a little bot to monitor the files you have is an invasion of privacy. Those files could be legitimate rips from CD's

    Exsqueeze me? If you decide to share some music you have so anyone can download it, it's an invasion of privacy for someone to look at what you're sharing?

    And if you have legitimate rips from your CD's, that's fine. If you're sharing those so anyone in the world can download them from you, that's not fine.

    And anyway, emusic is going after people who've bought files from them and are now sharing them to the world. Any legitimate rips you have from CD are going to be encoded differently and have a different MD5 checksum, so they wouldn't even notice those.

    It really is kind of funny to watch everyone try to figure out reasons to defend Napster and say that they should be allowed to download any music that they want to...

    Gumbo

  13. Re:Nobody cares on White Hats Take NASDAQ Through MS IIS Hole · · Score: 1
    I'm not trying to imply that Linux is bug-free by any means, however I think it's rather interesting that despite the bugs, holes (everybody remember NSA_KEY ?), etc., it doesn't really stop anybody from using IIS.

    I don't understand. You say that you agree that Linux has its share of bugs, but people should keep using it? And you're surprised that people continue to use Windows even though bugs are found? That doesn't make sense.

    Also, NSA_KEY was pretty conclusively determined to be something harmless, unrelated to the NSA we know and love but with the same acronym.

    I'm certainly not a fan of Microsoft, and I definitely prefer to use Linux, but your reasoning here just doesn't make sense...

    Gumbo

  14. Re:The DoD is a big organization... on Linux -- Government Acceptance vs. Actual Use · · Score: 1
    The single biggest reason Linux isn't used more in the DoD, regulations notwithstanding, is the lack of knowledgeable sysadmins. NT is often used when Linux or *BSD would make more sense simply because that's all they know how to use

    Exactly! I do sysadmin stuff for the government (as well as pretty much every other computer-related function you can imagine, since we're a pretty small agency).

    We use Linux for a handful of things (DHCP server, intrusion detection, web search engine, backups...) and my boss would love to use Linux (or a *BSD) more, but the fact is that I'm the only one who can support it. We have additional IT people who can do NT and Netware, so even if Linux or BSD would be a cheaper and more stable solution, I'd be the only one who could set it up and administer it. As a result, there's a definite resistance to doing more things on Linux.

    And I don't want that either. They don't pay me enough (and can't, really) so I'm planning on leaving, and don't want to leave them floundering when that happens. I know that the guy who'll become the Linux admin when I leave will screw things up royally and then bitch all over about how much Linux sucks because it didn't do what he wanted.

    I also know that when they post a vacancy announcement to replace me, Linux admin won't be a huge requirement (since they already have the clueless admin who thinks he knows enough.) They'll have a hard enough time finding someone who'll do web design and user support and firewalls and NT and Netware admin and Cisco router admin and computer hardware support, without trying to get someone who can do Linux also, especially for this salary range.

    Sorry, needed to rant. I don't make enough money here. Which is part of the problem too: the government just doesn't pay well enough to get cluefull sysadmins. Most of the people I run into here say I really know my stuff, and so they're surprised I'm still in the government. It's kind of sad, really.

    Gumbo

  15. The funny thing is, it doesn't compile... on Linux 2.4.0 Test2 Almost Ready for Prime Time · · Score: 2
    • So if it doesn't compile for you, you must be doing something wrong.

    The very first response to Linus's post was someone who got compilation errors, and many other people responded with the same problem. Apparently gcc 2.7.2.3, which is listed in the docs as the recommended compiler, won't compile it. :)

    The problem is in kernel/sched.c, which has

    • __cache_line_aligned spinlock_t runqueue_lock = SPIN_UNLOCKED;
    gcc 2.95.2 accepts that, but gcc 2.7.2.3 wants it to be
    • spinlock_t __cache_line_aligned runqueue_lock = SPIN_UNLOCKED;

    Gumbo

  16. Re:Oh no! They broke the law and now they're CAUGH on Metallica Wants To Ban 335,435 Napster Users · · Score: 1
    • What is happening here is the people who made money out of old technology are trying to hold back the tide and stop new technology being used to full advantage. The fact that the law has to be changed to allow this is irrelevant. Artists will still get paid, somehow.

    Huh? Artists will still get paid, somehow? How do you expect them to get paid? Some dumb teenagers trade MP3 files and the artists just magically get some money?

    I don't see any of these people trying to stop new technology. They just don't want to be ripped off. How can anyone object to that, unless they feel entitled to get someone else's hard work for free? Frankly, Jon Katz and everyone who supports his view just piss me off whenever they say that Metallica is evil for not wanting people to steal from them. Come on people, that's just ridiculous.

    Personally, I don't really care. I don't trade music via MP3. I doubt I'd find anything on other people's hard drives using Napster that I'd want to hear anyway. If I want to hear a commercial release, I'll buy the friggin' CD. I download a crapload of losslessly compressed CD-quality live concerts from bands who allow taping (which I then burn to CD), but that's all completely legal and therefore no one is interested in coming after us.

    So this doesn't really affect me. But it just really upsets me to see everyone act like the artists' copyrights are worthless. Grow up.

    Gumbo

  17. Re:Hey Katz... on Analysis: The Digital Millennium Copyright Act · · Score: 1
    • It does NOT all come down to theft. The fact is that MP3's are gaining popularity with local musicians who want a method to distribute their music without getting bent over by a major record label in the process. Stopping the distribution of MP3's is the only way for the big labels to insure their dominance. In case you haven't been paying attention, piracy by MP3 has not hurt them. The threat is music that is distributed by MP3 that is NOT pirated.

    Oh, come on. Is anyone actually attacking all MPEG audio files out there? The labels and copyright holders are going after people that are illegally duplicating and distributing their music. They aren't just blindly going after people who happen to be using the MPEG format.

    • The fact that the MP3's we will produce in the coming month will face hurdles getting onto college campuses due to the efforts of the RIAA helps no one but the members of the RIAA.

    There should be no reason that MPEG files that you make and give people permission to distribute would have any difficulty getting onto college campuses. They may very well want to limit that sort of thing to keep their network usage to reasonable levels, but that's it.

    There's lots of music distribution going on right now from servers on college campuses which is completely legal. Sometimes it's MPEG audio files, sometimes it's much better sounding losslessly compressed CD quality audio. (Sorry, but I just don't like the sound of MPEG.) Very rarely, the college may send the server operator a letter asking what they're up to. Once the student explains that it's music which they have permission to distribute, they are free to continue. They may be asked to throttle back the bandwidth somewhat, but they're not going to be asked to stop just because the RIAA is complaining about all the pirates stealing the latest crappy pop songs.

    There's lots of good music that's being legally distributed on the Internet these days, and the only resistance is the huge amount of bandwidth it takes up (we're talking 400 MB for one CD (74 min) of losslessly compressed music.) Anyone who says that this will kill legal online music distribution is either completely deluded, or just wants their fix of illegal MPEG audio.

    Gumbo

  18. Re:the Gov. has been doing this for ages on Ford's Astoundingly Better Idea · · Score: 1
    • Well, Ford's giving a computer out is nice I'm sure, and expected from the sub-$1000 boom, but I know the government Labs, or at least LLNL, has been loaning out computers/equipment for home use for ages.

    Yup. We (a government agency) lend people computers to take home as well. Generally ones that are a bit too slow to run Windows 95 comfortably in the office (e.g., Pentium 120s) or slightly faster machines that are too proprietary to support easily.

    In fact, I don't actually own any computers myself. My home machine is one that I borrowed from the government.

  19. Re:Huh? (version numbers) on LinuxMandrake 7.0 ISO Images Available · · Score: 1
    • Mandrake may have a cool explanation for going to 7, but there's no rule that says they have to stick to some one else's scheme.

    Actually, when Mandrake first came out they publicly stated that their version numbers were the same as the version of RedHat that it was based on.

  20. Re:"Solid Choice" on Red Hat/GTSI To Go After Government Market · · Score: 2
    • It is really nice to see that an institution as regulated as government is allowing use of Linux. My company (a large bank) has outlawed its use since it is a "hacker OS." I'm pleasantly surprised to see the government taking an interest.

    The government's never put any restrictions on what operating systems we (federal IT folks) can use. There are already Linux installations all over the federal government (I run two of them). I'm sure there are some agencies where they want to exert more centralized control and try to dictate what OS's can be used, but luckily I'm not in one of those. If we need to set something up, and Linux is the easiest/best/fastest/cheapest way to do it, then we use Linux.

    The only thing holding us back from using it more than we are is that I'm the only one who knows enough to set things up correctly.

  21. Re:yes... on Interview: Ask Steve Wozniak · · Score: 1
    • don't let the idiots near the system, there far to stupid.
    Heehee. How would you feel about mandatory minimum spelling ability before being allowed near a computer?