New Zealand's biggest ISP Xtra is about to implement port 25 blocking, so making Sendmail kinda redundant unless you use the big boy's server:
http://www.geekzone.co.nz/blog.asp?blogid=22&postid=204
'Course, a fair chunk of Xtra is owned by Microsoft, but that's got nothing to do with it right?
I somehow doubt MS are pushing Exchange at the home market by blocking 25/tcp.
It makes people's mail easier to intercept too, if you only have to get it from centralised mail servers.
So encrypt it, or change ISPs, or both
It might stop some spam, but then so would chopping the cables.
Believe me, I've been tempted. But that wasn't me with the post-hole digger
Maybe the thing to do is to telnet to port 80 and parse the HTML in your head, but then someone will probably find an HTML trick that will drive everyone who reads it insane.
And what about posting your political, philosophical, or personal beliefs on the web? You write a well-thought-out essay about a woman's right to choose and your pro-life potential-employer finds it. You may think that's "good stuff" but your employer sure doesn't. You're making this way too simple. The article brings up a very good point. You are unwise to dismiss it as "someone else's problem" so easily, my friend.
Does this mean I should ask that porn site to take my photos down?
Actually they reflect reality and are the result of customer requests.
You mean MS customers suck?
In managed environments, patches are almost never applied ad-hoc, as they are released. They are collected together then tested and rolled out on a schedule, usually monthly.
Unfortunately, a lot of the (in)famous worms/exploits have appeared around the 17-25 day mark. Oops!
Disclaimer: I used to do this for a living. Scheduled monthly patches are all very well, but you have to be prepared to go for it when the risks of not rolling out are worse than the risks of rolling out not-quite-fully-tested patches.
Obviously you haven't been doing much traveling. Check out Cuba, Nicaragua, Israel, Croatia (until recently), etc. No matter where I've been the U.S. has always welcomed me back with open arms compared to some of the places I've traveled.
Try not being USAian. Hanoi airport is friendlier than LAX.
I of course mean running Nessus against a remote network... doh.
I honestly don't know - check your local computer crime laws before trying it out, and check with your service provider. They can easily give you the chop even if the action is technically legal. Don't assume it's OK just because it's not supposed to do any damage.
The "TASK" Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.
You can't learn very much by doing a portscan; more intrusive scanning such as a nessus scan, or even attempted exploitation (metasploit perhaps?) would be needed to write a complete report. Besides when I used to work at a Uni, we would have busted people for port-scanning other hosts. Illegal or not, it's not within acceptable use guidelines.
NULL is generally a reserved keyword in most places where it is used; apparently the designers of Verizon's email system forgot some basic computing.
I think Java would do this if you had a null java.lang.String recipient and did a recipient + "@" + domain for example. Remember, the language can save you from shooting yourself in the foot, but it can't make you do the right thing.
Want to think of another reason why no one is encrypting email?
Because unencrypted standards are firmly entrenched... thanks to RSA!
Yes, plaintext mail is there, but that doesn't mean that no-one supports encrypted. The reason hardly anyone does encrypted mail these days is because they don't think they need to, or can't be bothered. It's trivial to send encrypted mail if you and the person you're conversing with want to go there.
Encryption has been retrofitted to a good many protocols, such as POP3, IMAP, SMTP and it's very easy to take advantage of if both parties care sufficiently. HTTP was also "entrenched", but there is a clear benefit from moving to HTTPS in some situations and it is easy and expected that people do so.
This "prior art" did not count as it was unpublished. However the point about the mathematics is exactly correct. Shamir is one of the greatest trinity of conmen to ever plague the computer industry.
If you ever want to know why you still don't have encrypted email, this guy is 33.33333....% of the reason.
A self-signed certificate doesn't provide very good encryption, since it is vulnerable to a man-in-the-middle attack.
True, but I don't trust users to correctly respond to warnings that the browser might pop up - hence I'm inclined to believe that something like DNS hijacking might work even with a bought certificate because most people wouldn't know what the error messages mean. With most users, it would be easier to steal information directly off their computers than while it's in transit.
"A commercial CA will protect you against anyone from whom they won't take money." -- Matt Blaze
SSL certs are great for end-to-end encryption. They are not good for authentication, because people don't usually check on the certificate - however, here even a check wouldn't have done any good. I only buy SSL certs because people don't like the extra confirmation dialogue that comes with self-signed ones.
Well, it's better than no fix or for that matter, a poke in the eye with a sharp stick. But it doesn't exactly give you the warm fuzzies to know that Windows is vulnerable to a remote exploit a significant amount of the time - keep an eye on Eeye's upcoming advisories. There seems to have been at least one remote exploit on this list most times I've looked at it over the last couple of years. That's one of the reasons Windows isn't safe without a properly configured hardware firewall. (Not that it is necessarily safe with one, but that's a minimum.)
As your mother used to tell you, prevention is better than cure - remember those graphs about how much coding mistakes cost to fix at various stages of the development process? Well, it's the same for prevention, detection and response, getting increasingly expensive.
Anyway, the article isn't loading right now, but the distinction between Information Gathering, Information Processing and Information Reporting is fundamentally artificial. They're all aspects of a single process, and yes, I used to do this for a living. Security's not hard - follow the lock-down guides for your host OSes and network devices. Run an IDS such as snort, and keep an eye on it. Keep abreast of current problems at isc.sans.org, frsirt and vendors' announcements. Make sure your users have good passwords and audit all logon failures. Tighten up your physical security and educate about social engineering. Then you at least have a good chance to keep the lid on things.
The real problem with security is that a lot of systems are overly complex and it's impossible to really close off every possible avenue of attack. Management always prefers a full feature set to the fuzzy notion of security - after all, they've never had a major incident up till now, so why change?
Believe me, I've been tempted. But that wasn't me with the post-hole digger
an ex-NZ university mail admin
Like export as HTML from MS Office?
Rewritten by a different team, to different specifications, and without the involvement of the marketing department...
Funny - I didn't know Checkpoint was headquartered in the United Arab Emirates.
Burn, karma, burn!
I'd rather they did it discretely.
Tried that, it's overrated.
See above.
A 'no experience AT ALL' disclaimer would be more reassuring than "I've read about it on USENET."
From the Fine Article:
You can't learn very much by doing a portscan; more intrusive scanning such as a nessus scan, or even attempted exploitation (metasploit perhaps?) would be needed to write a complete report. Besides when I used to work at a Uni, we would have busted people for port-scanning other hosts. Illegal or not, it's not within acceptable use guidelines.
You can't 'snort' a remote network - snort is a Network Intrusion Detection System, so it looks for attacks against you on your local network.
Because I always run as root.
No, wait...
Dude, 2000 called. They want their excuse back.
The first copy of PGP was released in 1991 [1]
The RSA patent expired in 2000. If you're in the US. I don't believe it was patented elsewhere. [2]
I seem to remember GNU Privacy Guard working OK around 2000 [3]. Want to think of another reason why no one is encrypting email?
See also this ISC piece.
I think it's onto extended support now, which means it will get security fixes for another four and a half years or so.
Yep, certainly:
Ironically, any post with something like the above in it always gets modded +5 Funny.
If you've ever been to Coventry, you'll understand perfectly.
No.