Sure there would be problems, but I think most people would opt for watching TV or going outside.
Do you realize how much the TV networks rely on the Internet?
Actually, most of the content (syndicated shows, etc.) is distributed using satellite feeds and some "Internet Protocol" connections over private peering, so that would not be disrupted immediately.
OTOH, quite a bit of the newsgathering, commercials, and general business operations are handled using the public Internet as a transport, and if these fail, the stations might still stay on the air, but all they'd be able to afford to broadcast would be a bunch of talking heads whining about how the Internet is down.
The original story does not say what number is shown for Caller-ID. I'd be interested to know if this call shows up as originating from India, or Out-Of-Area, or Unavailable, or what?
Now what I REALLY want to see, is a filtering system for telephone calls. For example, I want to have the ability to be able to block ALL calls using a white/blacklist, or perhaps automatically reject all calls from a certain area / country. I also want to be able to filter SMS text messages.
For GSM cellular on the Treo 600, the CallFilter application can filter both calls and SMS messages.
Of course, just switching to a cell phone instead of a landline pretty much solves the telemarketing call problem -- in the US it is a violation of federal law to make an unsolicited sales call to a mobile phone or any other recipient-pays telephone (ship to shore, etc).
Couldn't the same effect also be achieved by a simple spark-gap generator?
Yes, a spark gap transmitter could do this, building a spark gap with a 2GHz+ resonant frequency is not difficult, all you need is a HV supply and some basic analog HF electronics textbook knowledge...
The primary difference is that the 802.11 PCMCIA card is an FCC-accepted device, and therefore legal.
The FCC is considering type acceptance for ultrawideband (UWB) transmitters which could incidentally act as 802.11 jamming devices.
There's a ton of stuff this great little box does that are beyond its original intentions. I'm talking a modded XBox here so everything in the list will be of questionable legality.
Is that really the case, even in the US?
IANAL, but it appears to me that modifying an XBOX to load a free unencumbered BIOS so you can install an alternative operating system in place of the Microsoft OS is 100% legal.
The "questionable" part comes into play only when you:
- load a hacked version of the Xbox copyrighted BIOS or
- Use the hack to copy copyright protected material (aka "backup games to the hard drive)
- Use the hack to play copies of copyrighted material.
Hacking an Xbox to load a legitimate replacement BIOS and install a new legitimate OS in place of the original is not a DMCA violation.
OTOH, the hardware isn't all that impressive, you could do better with a mini ITX system built from parts, price would be about the same and you wouldn't be adding to the "consoles sold" statistics for Microsoft.
How was Slashdot different in the late nineties? Would anyone care to compare the differences between then and now?
Well, the goatse guy wasn't around to torture us, but without the help of "Display Link Domains" you had to be more careful about clicking links in comments.
What I remember best about Slashdot in the late nineties is that the Linux zealots were out in force, and would gleefully mod down anything I posted just based on distaste for my .sig :)
Sounds like this could be useful for training up my cow-orkers.
I encounter a broad spectrum of BSD-derived and SYSV-derived operating systems, (as well as hybrids such as Solaris), and even in going back and forth between FreeBSD and OpenBSD can bring confusion, particularly with the very different way the two handle system startup scripts.
I would like to see somebody publish a book that does include information on using OpenBSD with X-windows as a secure desktop OS. Everybody focuses on the security of Open as a server OS for infrastructure, but it can be usable (if not user friendly, at least not user hostile) on the desktop.
It does not support ringtones, logos or other kiddie nonsense.
Actually, I find distinctive ring to have real business utility, particularly combined with profiles, I can know from the moment the phone first chirps if a call is from a major customer or from a friend who wants to know if I want to grab a pint after work.
Depending on the time of day, I ignore either one or the other.
I really can't see any use for a smart phone.
Prior to getting a Treo 600, I carried my personal cell phone, my work cell phone, my work pager, and a PDA. Now I carry one device that does the work of all four.
For somebody who wouldn't use a PDA if you had one, you probably don't want a smartphone. For myself, being able to check my email, pull up a web page, ssh into a server and fix a problem without having to ditch my friends and go find a PC, makes it more than worth the cost.
Blackberry devices can have more functionality than is immediately apparent. They come with a web browser, and an SSH client is also available, along with a few other third-party applications, but in general developers for the Blackberry platform are rare, and freeware/shareware is all but nonexistent.
Research in Motion (RIM), maker of the Blackberry, licensed their keyboard design to Handspring for the Treo, and has also issued licenses for the Blackberry "push" email software for PalmOS. No software has been released, but a Treo client application for Blackberry may not be far off.
I use a Treo 600, though I'm really just waiting for the mythical 610 to be released (adding Bluetooth, a real digital camera, and a higher resolution screen, or so the rumors say).
While the T600 does a better job of integrating wireless voice and data into a PalmOS^WHandSpring PDA, it is still an imperfect union of the two.
To really get "smart" phone behavior, you need to load third-party applications.
Unfortunately, many third-party applications make the device unstable (causing random resets), and certain types of resets cause the Treo to come back up with wireless mode disabled, disabling the phone functions until you manually re-establish communication.
Actually, that appears to be the only US mirror that is ready with a complete i386 directory.
My best guess is that all of the hardcore OpenBSD users already have a 3.4 installation and only need to do a source upgrade, so the mirror sites focus on getting a fresh copy of the sources, then take their time about the binary install sets for various platforms.
want a tarpit option for FreeBSD's ipfw, the same way there is for Linux. It'd be nice to do something to slow this thing down...
LaBrea runs on FreeBSD too.
I use the "redirect" feature of the packet filter to do the equivalent of proxy transparency on ports 135,139,445,4444,9996 to local ports with a local listener.
The Sasser worm starts 128 scanning threads to pseudo-random destinations, and on a fast machine can really pump out the packets. If you give it something to talk to on ports 445 and 9996, that considerably slows the scanning behavior.
Unfortunately, since I chose to run my own mailserver, I've now earned the ire of the same anti-spammers, because I'm not using a corporate controlled mail server. Spam is a problem, but it's not worth destroying email over!
Please explain where you've "earned the ire of the same anti-spammers"? I really would like to know.
I know many individuals who run their own mail servers, and in fact many of them are themselves anti-spammers, they chose to run their own server because they wanted stricter spam controls than a commercial ISP would provide.
The only case I know of where you'd run into problems with anti-spammers by running your own (correctly configured) mail server would be if you are using a mail server hosted in dynamic-IP space assigned by your ISP.
In that case, outbound SMTP mail that is not sent via your ISP's mail server will likely be rejected by DUL (dynamic/dialup RBLs). But you are also almost certainly violating the ToS for your ISP by running a mail server on a dynamic home-user account.
For a while, AOL decided that we were spammers, although that has just as mysteriously subsided.
BTW, I recently stumbled across the AOL web site where they describe their IP based whitelist and how large-volume email sending sites (legitimate mailers) can be added to the whitelist:
While the AOL users may have a reputation for being clueless, the postmasters at AOL.com do some cool things. As I recall, AOL was the first major ISP to start rejecting SMTP connections from hosts that did not have PTR records (reverse DNS).
There is still a good market for new Sun servers, they make highly reliable servers for both telco and general IT deployments, and customers who care more about the long term than about the price and CPU speed still spend the extra bucks for the Sparc hardware platform.
Let the hardware dry up and die. They just don't seem to be able to compete in that market and, unless they have a real ringer in the works, it's an anchor that will sink the boat. It's really too bad, I always liked Sun and it was a first class Unix box...
A primary reason the Solaris operating system has a reputation for stability and scalability is the Sparc platform. Because Sun only has a limited number of variations on the Sparc processor, motherboard, and peripherals to support, the OS is more stable, and they can focus their development on the areas that are important to their customer base.
Personally, I'd really hate to see the low end UltraSparc IIi line die out, as I deploy those with OpenBSD Sparc64 on a rather large scale...
Configure your mail servers to drop mails from ip addresses that do not have associated valid MX records. That would take care of 99% of the hacked boxes, which are typically end-user computers that have some reverse DNS at best.
Ie. if a 1.2.3.4 host contacts your mailserver and wants to give you something, accept it only if 1.2.3.4 is listed as an MX for a domain.
You do realize that this is a misguided approach at best?
This might happen to block spam, but it's also going to drop quite a bit of legitimate mail from large sites. Many large organizations (ISP, university, corporation, etc) have chosen to split their inbound SMTP (MX hosts) from their outbound SMTP (sending hosts), for a number of very good technical reasons.
Now, rejecting email from hosts that do not have valid DNS (no matching forward and reverse entries) or based on Sender-Permitted-From, that's at least an accepted practice.
But blocking source hosts that are not MX hosts? Bad idea.
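The disagreement above, as an added example that is not part of the original comments: the MX-only acceptance rule and a forward-confirmed reverse DNS check are run against the same SMTP clients. The zone data, hostnames and addresses are constructed (documentation ranges), the resolver is an in-memory stand-in so the comparison runs offline, and taking the domain from the envelope sender is an assumption.

```python
"""MX-only acceptance compared with forward-confirmed reverse DNS (FCrDNS)."""

# Constructed zone data: a site that splits inbound MX from its outbound relay.
ZONE = {
    "MX": {"example.edu": ["mx1.example.edu"]},
    "A": {
        "mx1.example.edu": ["192.0.2.10"],
        "smtp-out.example.edu": ["192.0.2.25"],
    },
    "PTR": {
        "192.0.2.10": ["mx1.example.edu"],
        "192.0.2.25": ["smtp-out.example.edu"],
        # End-user host: the ISP publishes a PTR, but no matching A record.
        "198.51.100.77": ["dhcp-77.pool.example.net"],
    },
}


def lookup(rtype, name, zone=ZONE):
    """Return the record list for (rtype, name); empty if none exists."""
    return zone.get(rtype, {}).get(name.lower().rstrip("."), [])


def mx_only_accepts(client_ip, sender_domain, zone=ZONE):
    """Rule proposed in the thread: accept only if the connecting IP belongs
    to an MX host of the sender's domain (assumed: envelope sender domain)."""
    for mx_host in lookup("MX", sender_domain, zone):
        if client_ip in lookup("A", mx_host, zone):
            return True
    return False


def fcrdns_accepts(client_ip, zone=ZONE):
    """FCrDNS: some PTR name of the client must resolve forward to the
    same address it connected from."""
    for name in lookup("PTR", client_ip, zone):
        if client_ip in lookup("A", name, zone):
            return True
    return False


def compare(clients, zone=ZONE):
    """Return {ip: (mx_only_verdict, fcrdns_verdict)} for each client."""
    return {
        ip: (mx_only_accepts(ip, domain, zone), fcrdns_accepts(ip, zone))
        for ip, domain in clients
    }


# Constructed SMTP clients: (connecting IP, envelope sender domain).
CLIENTS = [
    ("192.0.2.10", "example.edu"),     # inbound MX host that also sends
    ("192.0.2.25", "example.edu"),     # dedicated outbound relay
    ("198.51.100.77", "example.edu"),  # end-user host, PTR only
    ("203.0.113.5", "example.edu"),    # host with no reverse DNS at all
]

if __name__ == "__main__":
    for ip, (mx_ok, fcr_ok) in compare(CLIENTS).items():
        print(f"{ip:15} mx-only={'accept' if mx_ok else 'reject':6} "
              f"fcrdns={'accept' if fcr_ok else 'reject'}")
```

The dedicated outbound relay is the case the two checks disagree on: it is rejected by the MX-only rule and accepted by FCrDNS, while both end-user hosts fail both checks.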
But it could make a bit more sense to block dynamic IP ranges, or IP ranges where there are not supposed to be mail servers (if IPs are fixed and a source of spam, they could be blocked individually or reported to their ISP).
Sure, blocking dynamic IP blocks is a solution (I use the Pan-Am Dynamic List (PDL) for this), but blocking an entire country?
If they are blocking the entire Telefonica range, including their mail server or other "official" mail servers that are there, their users could lose not only mails with individuals there, but also more "automated" things like mailing lists, announcements from web sites, or things like that.
It should be interesting to see how this plays out -- I predict that the AHBL will discover that the number of sites using their block list drops precipitously...
Actually the latest big worms (netsky etc) to hit the front news pages are spreading through Kazaa and through vulnerabilities in BlackIce. Nothing to do with open ports at all.
You make a good point.
The Netsky virus can in certain cases infect a machine without user interaction (worm-like behavior) and while it hasn't had all that much impact in the real world, it has been getting a lot of press lately.
The line between "worm" (automated infection) and "virus" (requires human intervention) continues to blur.
How fast would the last half dozen MS-RPC worms have spread if Microsoft had chosen to ship their workstation OS releases with TCP ports 135,139 and 445 bound to 127.0.0.1 instead of IN_ADDR_ANY?
obeythefist writes:
So does it then follow that if 90% of the servers and clients on the internet were Linux... people would be complaining about how insecure linux was because people could hack it or spam it or DOS it or infect it with virii through unpatched vulnerabilities?
How many listening ports do Windows workstations ship with by default?
4 - 6
How many listening ports do MacOS X workstations ship with by default?
0
What percentage of recent Windows worms spread by attacking default listening services on these ports?
100%
You cannot attack a service that isn't listening. "Secure by Default" is how OpenBSD can claim "Only one remote hole in the default install, in more than 7 years!" with a straight face -- by not blindly leaving ports and services open in the default installed system.
OpenBSD does get attacked, mostly because it has a reputation as a hardened target (and because some people just cannot stand Theo).
OpenBSD has that reputation not because there aren't 300 million installed hosts (like Microsoft claims), but rather because the primary focus of development is security. To quote the first page of OpenBSD.org "Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography.".
Meanwhile Apple doesn't make the same claims (and doesn't publish their source code), but does take a similar approach to remotely accessible services, and the result is one (rather silly, DHCP client) remote exploit in Jaguar/Panther.
Wireless (at least in its current form) is a simply awful idea from a security standpoint. I've never been able to figure out how vendors manage to sell it to companies.
Well, one vendor's "good wireless is better than no wireless" sales pitch almost worked!
I've had a lot of requests come in for wireless, always from middle management, local site "IT Directors" who read about WiFi in a magazine, just got a super lightweight Centrino notebook, and figure that their new $4K notebook came with wireless, so they might as well get some use out of it.
So far I have been more successful at stemming the tide by pushing the drawbacks regarding reliability and performance and scalability than just simply pounding the security drum.
I use GPRS to check slashdot headlines, works fine, and unlike taking a phone call, doesn't disturb the people around me, or at least not since I turned the backlight down from the default "tanning salon" setting.
Our Cisco sales rep had just about convinced management that the enterprise would be more secure deploying WLSE (List price: $9K) than if we just continued the current policy of "No WiFi no way no how".
The logic was that having no wireless network at all is less secure than deploying a Cisco wireless network with the Wireless LAN Solution Engine, with the enhanced logging features and ability to monitor RF and detect rogue APs and the like.
Now that "Capital Requisition" (WLSE, APs, antennas) is headed for the circular file...
This comment is definitely worthy of an Informative, I have been saying for a long time that there should be a standard DNS record for SMTP servers to simplify blocking them from mail exchangers
Thanks... anything I can do to help reduce spam is time well spent.
There are actually two different competing standards for DNS records for indicating which source IP addresses can legitimately source email for a given domain, both were covered on Slashdot not long ago.
does anyone reading this know of other solutions (aside from write one) to block dynamic IP addresses from the mail exchangers?
I use rate-limiting. I've seen a few hacks that try to do string matches on the remote hostname for "dhcp" or "dialup" hostname patterns, but that really is a hack.
I use qmail-spamthrottle, with exceptions (high limits) for just a few mailing list servers. You can even populate the cdb file from the PDL and basically restrict the entire Cox cablemodem network to sending you one message per minute if you'd like.
Sendmail 8.13 (currently in Alpha testing) offers a very simplistic version of rate-limiting by source IP address. I've heard rumors of similar enhancements to Postfix.
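Source-based rate limiting with per-range exceptions, as described above, sketched as an added example; it is not qmail-spamthrottle's or Sendmail's code. The prefixes, limits and the 60-second sliding window are constructed assumptions: a listed dynamic range shares one bucket (one message per minute for the whole range), a hypothetical mailing-list server gets a high limit, and everything else is limited per IP.

```python
"""Per-source SMTP rate limiting with range-wide and per-host buckets."""
import ipaddress
from collections import defaultdict, deque

# Constructed policy: (prefix, messages per window, share one bucket?).
POLICY = [
    ("203.0.113.9/32", 600, False),   # hypothetical mailing-list server
    ("198.51.100.0/24", 1, True),     # hypothetical dynamic range from a list
    ("0.0.0.0/0", 10, False),         # default: limit each source IP
]


class Throttle:
    def __init__(self, policy, window=60):
        self.window = window
        rules = [(ipaddress.ip_network(p), limit, shared)
                 for p, limit, shared in policy]
        # Most specific prefix first, so exceptions override the default.
        self.rules = sorted(rules, key=lambda r: r[0].prefixlen, reverse=True)
        self.seen = defaultdict(deque)  # bucket key -> accepted timestamps

    def rule_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, limit, shared in self.rules:
            if addr in net:
                return net, limit, shared
        raise LookupError(f"no rule covers {ip}")

    def allow(self, ip, now):
        """True = accept the message, False = defer it (temporary failure)."""
        net, limit, shared = self.rule_for(ip)
        key = str(net) if shared else ip
        stamps = self.seen[key]
        # Drop timestamps that have aged out of the sliding window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= limit:
            return False          # deferred attempts are not counted
        stamps.append(now)
        return True


def replay(events, policy=POLICY):
    """Feed (timestamp, source_ip) events through a fresh Throttle."""
    throttle = Throttle(policy)
    return [throttle.allow(ip, t) for t, ip in events]


# Constructed connection log: (seconds since start, source IP).
EVENTS = [
    (0, "198.51.100.4"),     # first message from the dynamic range
    (10, "198.51.100.200"),  # different host, same range: shared bucket full
    (61, "198.51.100.200"),  # window has expired for the range
    (61, "192.0.2.1"),       # unlisted host, default per-IP limit
    (62, "203.0.113.9"),     # mailing-list server exception
]

if __name__ == "__main__":
    for (t, ip), ok in zip(EVENTS, replay(EVENTS)):
        print(f"t={t:3} {ip:15} {'accept' if ok else 'defer'}")
```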
There have been worms for Linux, but the installed userbase of unprotected systems has not been sufficient to let them obtain a good foothold on the Internet. Same goes for Solaris worms.
The "saving grace" of unpopular Unix operating systems is not so much the small installed base (the Microsoft claim) as it is the fact that generally these systems are installed by users with half a clue.
In the case of MacOS, it doesn't hurt that the default OS X installation has no remotely accessible listening ports.
When I took a peek at linuxsecurity.com all I found were vulnerabilities in server services like Open SSL, Squid and etc. Though I know those services are important to Linux's current most successful market (Enterprise Server Market). As a user running Fedora and running services like: X server, cups, vmware and not having any other users but myself. Do I even need to patch
If you have network services visible to the Internet (listening ports not behind a strong firewall and/or filter policy) you need to patch.
If you run clients (web browser, mail reader, ftp, etc) that communicate out to the Internet, you need to patch.
Lastly, you will want to stay up-to-date with patches for vulnerabilities in the kernel (particularly the IP stack) as well as the most common libraries (OpenSSL, etc).
I mean, like X-server has been around for 20 yrs, can't I assume that it pretty much is safe from an external network attack?
No.
You'd want to take all possible steps to protect your X services from external attack. This includes not only keeping updated on patches, but also potentially taking steps to ensure that the server is only accessible (only ever accessed) through an encrypted tunnel.
If that tunnel is ssh (the most common method for X forwarding) then you'd also need to stay up to date on client and server vulnerabilities in both SSH and the underlying SSL libraries.
For MS-Windows users, this is as simple as clicking "Windows Update" and hitting "Accept" a few times. I'm not sure if any of the Linux distros have gotten the process simplified to that extent?
Slashdot does Archive early stories.
I do not see any information on whitelisting anywhere on the Hotmail web site.
http://postmaster.aol.com/tools/whitelist_guides.html.
It appears many people would pay a fair price for a USB RGB LED light with USB brightness control on each of the three color components.
I did find this: http://www.delcom-eng.com/products_USBLMP.asp. Prices start at $80 (ouch).
There's a linux driver with rudimentary support for the earlier fixed-brightness products from Delcom.