Slashdot Mirror


User: Nonesuch

Nonesuch's activity in the archive.

Stories: 0 · Comments: 989

Comments · 989

  1. Re:Feds wanna take a look on Ask About Setting Up a Community ISP · · Score: 1
    They would probably just tap his upstream provider (qwest) and the coop probably wouldn't have a clue.
    That's pretty much the same assumption we have made. It does mean that the feds will have more data to sift through, and that they will have a more difficult time picking out individual users where they use shared resources (mail relay, http proxy, etc).

    And for the truly paranoid, there's always SMTP/TLS and anonymizing SSL proxies.

  2. The real power of the system. on Predicting The End Of Digital Copying · · Score: 1
    Crack cocaine is illegal, but can be found everywhere. In many states, anal sex is illegal, but people do it in the privacy of their own homes, and seldom face prosecution. In part, this is because these are perceived as "victimless crimes": even though "practically everyone can agree that it is wrong", few people press for strict enforcement.

    Murder is illegal because practically everyone can agree that it is wrong. Those that don't agree have the threat of imprisonment to stop them.
    Murder is illegal for many reasons -- partly because most people have a visceral sense that they would not like it if they themselves were murdered :)

    And for the psychopaths, it's rather difficult to get away with murder -- there's the body to get rid of, people will notice the victim is missing, and then there's all that screaming and blood and such...

    Murder is the ultimate opposite of a "victimless crime".

    Copying data, on the other hand, is something that a lot of people like to do.
    The real difference is that most people do not personally see any harm in copying data -- all but the psychopaths can see that there is some real harm if I "pirate" original software and sell it to somebody who would have otherwise purchased a legitimate copy, but many people have a hard time feeling sympathy for the owners of a sequence of bits when they dub a copy from a friend.

    There's a difference not just in degree, but a real difference in kind between "duplication" and "theft". If I steal a wheel from a car, the owner cannot drive it. If I steal a design for a slick mag wheel and make identical wheels to use on my own car, the "owner" loses "control" over their "intellectual property", but they did not lose the use of the original.

    Social systems at work may take a while to correct, but they will correct, and the tyranny of a few trying to get more money by selling less will end.
    Social systems have failed to stop anal sex -- the majority may believe that it is wrong (or at least disgusting), but not believe strongly enough to go into people's homes and search for evidence of wrong-doing, or to support such actions by their agents (the police).

    Social systems work very well on a small scale where people cannot hide their activities from the rest of their social group. They tend to fail when the same mechanism is applied on a grand scale, succeeding only in the extreme cases (murder) but failing elsewhere (anal sex).

    Disclaimer: IANALA (I Am Not A "Legal Anthropologist")

  3. Titanium on Diamonds - Are They Really Worth the Cost? · · Score: 1
    Titanium seems fitting to me because it is so strong and tarnish/corrosion resistant, as one wants their love to be.
    Another major advantage of titanium is that it is much less likely to cause an allergic reaction than other jewelry metals. The worst offender is nickel, found in most gold (with the exception of 24-carat aka "pure" gold) and many other alloys.

    One drawback to Titanium -- it shows scratches more readily than other metals. This was discussed to death in the thread a few months back about titanium wristwatches.

  4. Amen! (Re:Same pay, more work) on Is Today's IT an Undervalued Asset? · · Score: 1
    ttyp0 writes:
    My experience in the past few years has been an increasing work load with the same pay. Most companies don't fully understand how much work and responsibility IT has, even in non tech related businesses.

    We may be preaching to the choir, but I agree with you 100%.

    The only thing worse than "increasing work load with the same pay" is the recent trend for employers to cut out benefits and perks, and freeze salaries (no annual raise). In effect, this becomes "increase work load for LESS pay".

    In IT, "job hopping" is much more acceptable than in other careers, and often changing employers is the only way to increase your salary as you increase your skill level.

    Of course "job hopping" worked much better when there were plenty of real job openings to choose from. Today's market is like playing Arcade Frogger at level 29, with most of the logs removed and the rest replaced by alligators and turtles...

  5. Lazy in-house IT development groups on Is Today's IT an Undervalued Asset? · · Score: 3, Insightful
    A major gripe I have seen at a number of large corporations is that the in-house "IT" groups (web development, server administration, software engineering,etc) become:
    1. Greedy.
    2. Lazy.
    3. Incompetent.
    Greedy. I constantly see internal web development groups quote even a tiny, simple web site as dozens of hours and thousands of dollars, a price that would have been outrageous even in the pre dot-bomb days. Then they have the nerve to say "Why do you care how much we bill? It's all internal chargebacks, so it's really just 'play money'!"

    Lazy. All too often, in order to complete a project on time, I end up building and maintaining my own servers instead of handing off server installs and maintenance to the in-house "server management group". Why should the internal sysadmins be pro-active when there is no penalty for slow response time, no competition for customers, and when they know that by doing nothing, the most demanding customers will eventually just go away and solve their own problems?

    Incompetent. As firms cut down on staff and cut out the perks, their most qualified web developers and sysadmins are recruited by headhunters or flee to better, more stable positions as each round of downsizing takes its toll on morale. In the end, with very few exceptions, the only staff who remain are those not talented enough (or too apathetic) to move on to a better job.

    In my experience, in many larger organizations, IT staff might once have been an undervalued asset, but in the past year, most of the valuable staff have fled for greener pastures.

  6. Sounds like a feature to me! on IE and Konqueror Bug Makes SSL Insecure · · Score: 4, Funny
    I've been looking for a way to issue new "trusted" certificates for my web sites without having to pay big bucks to Verisign.

    Little did I know, the answer was right in front of me, in the form of the one Verisign certificate I shelled out the cash for :-)

  7. Tollways and speeding tickets based on timestamps on California Tracks Everyone Using Toll Transponders · · Score: 2, Interesting
    There were rumors that the Indiana Toll Road authority would issue speeding tickets to drivers based on the time taken to get from your on-ramp (where you are issued a ticket showing where you entered the system) to your exit ramp (where your toll fee is calculated based on the distance from where you entered).

    We avoided the issue by always "losing" the ticket between where we entered and the exit ramp. The "lost ticket" penalty was that you pay the maximum toll fee, which was fine by us, as that was the toll we would be paying even if we hadn't "lost" the ticket.

    My theory is that the rumors were started to increase toll revenues :)

    dutky from the Toll Collection Agency writes:

    Even on a closed loop system, you can only calculate the average speed in the system. Under heavy traffic conditions, the average speed is likely never to exceed the posted speed limit! (This is the sad truth about speeding: it rarely benefits the speeder but, occasionally, it is a great harm to an innocent bystander.) You can pretty easily wipe out the extra time you gained by speeding while waiting at the exit toll plaza.
    Faulty logic. Yes, I "wipe out the extra time ... gained by speeding" from the wait to exit at the toll plaza.

    Except, the guy who doesn't speed is going to have taken that much longer to arrive at the exit, and will have exactly the same wait as I did!

    So if I drive 85 on the toll road and wait five minutes to exit, my average speed for the trip drops below 55. But the guy who drove 55 for the same distance waits the same five minutes...

    By the "speed kills" logic, we should just set the maximum speed on all public roads to 5 MPH so as to all but eliminate deaths from pedestrian-vehicle accidents.

  8. Re:99.9% confidence on Some Spammer Has a Crush on You · · Score: 1
    Tuxedo-steve writes:
    The sending of unsolicited email is illegal;

    It is? Please cite the specific law that states this?

    SendaCrush is based in California:

    California's anti-spam law requires unsolicited messages to include a viable return address or a toll-free phone number that recipients can use to tell the sender to stop sending documents. The statute also requires unsolicited e-mail to include "ADV:," for advertisement, in the subject line of the message--or in cases where the advertisements relate to adult material, "ADV:ADLT." Violating the law is a misdemeanor.
    So assuming SendaCrush follows these guidelines, their spam is legal under California law.

  9. Re:It is do-able technically... on Free/Open ACE Servers? · · Score: 1
    turambar386 writes:
    Therefore it is technically possible to create your own ACE clone server.

    However, I'm sure that if you tried to distribute it that RSA would come after you with a big stick.

    You hit the nail on the head.

    Yes, it is technically possible. But it would take a lot of work, and all you would get for your effort is civil/criminal persecution from RSA.

    RSA/SecurID has a lock on the "time synchronous" authentication token. But aside from some ease of use issues, time sync isn't really the best way to do authentication tokens. There are plenty of free open source and less-expensive commercial implementations of "event synchronous" tokens (SafeWord, CryptoCard, Axent, etc) to choose from.

    Your real practical problem, however, is that even if you coded a clone authentication server, you need the seed for your particular token in order to make it work. Unless you are good friends with the ACE administrator at your work, this is unlikely to happen.
    And if he did give you the seed, he should be fired.

    The seed is not only sufficient information for you to clone the token into your server, but, in combination with the PIN, would provide enough information for a hacker to log into your employer's server as you.

    This would not be true of a "public key" crypto system, but basically, SecurID is a 'shared secret' system, with one copy of the secret stored in the server, and the other copy embedded into your hardware token or encrypted in the software token.

    If you can obtain a copy of the shared secret (for example, the various known attacks against the software token), the token is compromised. The hardware tokens do a reasonably good job of protecting the secret.

  10. How do you prove ANYTHING is secure? on Free/Open ACE Servers? · · Score: 2
    why use this stuff when I can offer the CEO's secretary $10k in cash and get any information I want...
    Part of the reasoning behind any "hardware authentication token" deployment is usually to generate a strong audit trail. If sensitive records are accessed with the CEO's token, then the timestamped record of who generated the report is going to be available if we later determine there is an exposure.

    Unlike a password, the hardware token cannot be shared/cloned/copied without destroying the original.

    In many enterprises and government agencies, security is not only in place to control access, but to provide a reliable record of who accessed what, when. Accountants go wild for that stuff.

    In my case, on the systems I have access to (including the authentication server), no C** executives have direct access to the server. There are three people who can run reports. In theory, if we all died from Ebola then somebody could obtain access to the data center (no easy task), and use physical access to the critical servers to extract the data directly from the drives (boot CD, etc).

    Yes, the CEO, CTO, or the directors of Finance or HR can request that we generate specific reports, and can conceivably ask for any/all of the computer records, but any such request creates a paper trail. I do about 5 reports a year from my records, usually after an incident that might make the news, if only as a 15-second sound bite.

    So yes, you might be able to bribe a secretary with $10K to hand over the records, but when the leak is discovered, the threat of 10 years in prison will work just as well to convince her to hand over your name.

    so how do you prove it's secure?
    How do you prove anything is secure? At some point you have to trust somebody. In the case of authentication services, you look for outside review from experts (under NDA regarding technical details) and then do your own testing for functionality, reliability, and security.

    Anything less is irresponsible. Anything more is a waste of time and money.

    I have no illusions about my own importance. I'm just a gatekeeper... none of the data I work with has any impact on National Security, and exposure of the data I maintain is never a life-or-death matter. We could do a less thorough job, and the worst case scenario might be a half-billion dollar loss. No big deal, right?

  11. S/Key is now OPIE, & built into *BSD, other Un on Free/Open ACE Servers? · · Score: 3, Informative
    When deploying a S/Key derived OTP, you will want to take care in the selection of crypto algorithms. The original MD4 S/Key implementation has serious known weaknesses. MD5 is suspect.

    The paranoid admin will deploy OPIE with SHA1 or RIPEMD-160, but there are very few clients/servers with support for anything beyond MD5.

    Here's the scoop on the name change:

    "One-time Passwords In Everything" (OPIE) is a freely distributable software package originally developed at and for the US Naval Research Laboratory (NRL). Recent versions are the result of a cooperative effort between NRL, several of the original NRL authors, The Inner Net, and many other contributors from the Internet community.

    OPIE is an implementation of the One-Time Password (OTP) System that is being considered for the Internet standards-track. OPIE provides a one-time password system. The system should be secure against the passive attacks now commonplace on the Internet (see RFC 1704 for more details). The system is vulnerable to active dictionary attacks, though these are not widespread at present and can be detected through proper use of system audit software.

    OPIE is primarily written for UNIX-like operating systems, but work is underway to make applicable portions portable to other operating systems. The OPIE software is derived in part from and is fully interoperable with the Bell Communications Research (Bellcore) S/Key Release 1 software. Because Bellcore claims "S/Key" as a trademark for their software, NRL was forced to use a different name (they picked "OPIE") for this software distribution.

    The "primary" OPIE site is http://inner.net/opie

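
    Added example (not part of Nonesuch's comment, and not code from the OPIE or S/Key distributions): a Python sketch of the S/Key-style hash chain that OPIE implements, with the hash selectable so SHA-1 can be used instead of MD4/MD5 as the comment recommends. The seed and passphrase are constructed sample values, and the 64-bit folding step is a simplification rather than the byte-exact RFC 2289 rule, so the outputs are not interoperable with real OPIE clients; the point is the chain mechanics: the server stores only the last accepted password, each response is validated by hashing it once, a replayed response is rejected, and a passive eavesdropper who captures one response has no way to derive the next (that would be a preimage).

```python
import hashlib
import hmac

# Constructed sample values for illustration; not taken from the page.
SEED = "ke1234"
PASSPHRASE = "correct horse battery staple"


def fold64(digest: bytes) -> bytes:
    """Fold a digest down to 8 bytes by XORing its 8-byte chunks.
    Simplified stand-in for the RFC 2289 folding rules (assumption)."""
    out = bytearray(8)
    for i in range(0, len(digest), 8):
        chunk = digest[i:i + 8].ljust(8, b"\x00")
        for j in range(8):
            out[j] ^= chunk[j]
    return bytes(out)


def step(value: bytes, algo: str = "sha1") -> bytes:
    """One link of the chain: H(value), folded to 64 bits."""
    return fold64(hashlib.new(algo, value).digest())


def otp(seed: str, passphrase: str, n: int, algo: str = "sha1") -> bytes:
    """The n-th one-time password: the seed||passphrase hashed n+1 times.
    This is what the client computes locally from the challenge (n, seed)."""
    v = step((seed + passphrase).encode(), algo)
    for _ in range(n):
        v = step(v, algo)
    return v


class OtpServer:
    """Server side of the exchange. It stores the sequence counter and the
    last *accepted* password only; the passphrase never reaches the server."""

    def __init__(self, seed: str, passphrase: str, count: int = 100,
                 algo: str = "sha1") -> None:
        self.algo = algo
        self.seed = seed
        self.count = count                      # next expected is count-1
        self.last = otp(seed, passphrase, count, algo)

    def challenge(self) -> tuple[int, str]:
        # Equivalent to a prompt such as "otp-sha1 99 ke1234".
        return (self.count - 1, self.seed)

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:
            return False                        # chain exhausted; re-init
        # Hash the offered password once; it must equal the stored one.
        if hmac.compare_digest(step(response, self.algo), self.last):
            self.last = response                # advance down the chain
            self.count -= 1
            return True
        return False


def demo() -> list[bool]:
    """Walk through two logins, a replay and a wrong passphrase."""
    server = OtpServer(SEED, PASSPHRASE, count=5)
    results = []
    n, seed = server.challenge()                # (4, "ke1234")
    captured = otp(seed, PASSPHRASE, n)         # what a sniffer would see
    results.append(server.verify(captured))     # True: genuine login
    results.append(server.verify(captured))     # False: replay rejected
    n, seed = server.challenge()                # (3, "ke1234")
    results.append(server.verify(otp(seed, "wrong passphrase", n)))  # False
    results.append(server.verify(otp(seed, PASSPHRASE, n)))          # True
    return results


if __name__ == "__main__":
    print(demo())
```

    The "active dictionary attack" the OPIE text mentions is visible here too: everything the server checks is a deterministic function of the seed and the passphrase, so the passphrase strength is the whole game once an attacker has captured any response.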
  12. SecurID security legends. on Free/Open ACE Servers? · · Score: 2
    All of the known attacks against SecurID are based on either stealing the secrets from the ACE/Server or from a software client.

    If you deploy the SecurID hardware tokens, extracting the key from a token is a difficult and destructive process. No uber-hacker is going to be able to take a quick glance at the display on a key fob (or the serial number on the back) and then turn around and break into your systems five minutes later.

    If you are feeling really paranoid, you can talk SecurID into selling you the "PINpad" hardware token.

    RSA Hardware product line: http://www.rsasecurity.com/products/securid/hardware_token.html

  13. Only need "closed" OS box for server, not clients on Free/Open ACE Servers? · · Score: 2
    The ACE/Server software application runs on Windows NT or Solaris. It includes a proprietary database, license key validation, and the "secret" SecurID hash algorithm. I can't see any of these components being open-sourced.

    You need one or two servers, then your clients can be just about any operating system. SecurID offers ACE agents for a number of platforms, or you can use RADIUS authentication.

    There are PAM modules to do RADIUS authentication for every free/commercial Unix I've tried.

  14. SpamCop does more harm than good. on Meet the Spammers · · Score: 0, Flamebait
    MeNeXT writes:
    Yesterday I received a funny email that one of my clients was spamming. This email seemed to come from spamcop.net. What was strange is that it was close to but not exactly the warning typically sent by spamcop. So I sent them an email and here is the reply:

    I've had no end of trouble from Spamcop.

    "SpamCop" does not project a professional image -- the email they send to the target of complaints itself looks a lot like SPAM, complete with bogus-looking "Received" headers.

    Spamcop makes no real efforts to check out the validity of the complaints they receive before sending a form letter to the accused spammer. I've received numerous messages from them regarding spam that were obvious, incompetent forgeries -- for example, a spammer forging one of my domain names in the 'From'. The least bit of cursory examination would show that while that domain "looks cute" to spammers, it is never used to send or receive email, with the only DNS entry in the zone being for the 'www' address (no A record for the domain, no MX records at all).

    Julian Haight needs to get his act together.

  15. Search engines and pop-ups. on Pop-Up Ads Begin To Face Serious Opposition · · Score: 2
    Pop-up (and pop-under) advertising was the primary reason I entirely switched to Google for all web searches. I entirely gave up on Altavista after the "Audio enabled" Planet Project ad fiasco. I switched to Google primarily based on their Policy on Pop-ups.

    I only stuck with Altavista as long as I did because I had grown accustomed to their "NEAR" search keyword. Google has no equivalent.

    Since switching, I've found that Google gives better search results -- but I wouldn't have discovered this if Altavista had not actively driven me to the competition through their obnoxious advertising policies.

  16. Real world applications? (Was "Academic Value?") on Tracking Hackers · · Score: 2
    Can the study of the behavior of attackers ever NOT be of value to the defenders?

    Detectives study the behavior of criminals, The FBI studies the behavior of terrorists, ROTC students study the behavior of attacking armies, and network security analysts study the behavior of crackers.

    Not every cop is a "Criminologist", not every sysadmin needs to be a "Security Analyst".

  17. Interesting application of an old idea. on Attack Of The Dreamcasts · · Score: 2
    The concept is not new. It is interesting that the cost of hardware capable of such a task is much lower, and the use of a gaming console is a novel idea.

    I see two major drawbacks to the use of a "Dreamcast" in this role-

    1. Moving parts. Sticking a dreamcast above the suspended ceiling (often also an air plenum) not only violates fire codes, but it will fail prematurely due to dust.
    2. In a corporate environment, a big boxy dreamcast is going to stick out like a sore thumb.

  18. Once again, paranoia pays off. on OpenSSL Security Update · · Score: 2
    To all the people who said I was being too paranoid in running statically-linked 'stunnel' chrooted to an otherwise empty (no /bin/sh, etc) subdirectory, containing only the client public keys...

    I told you so.

    To the guy who said that my running SSHd behind stunnel to protect from SSH bugs (such as the recent OpenSSH advisory) was not paranoid enough:

    You were right, I wasn't paranoid enough

    Time to wrap everything in IPSEC, then wait for a new hole in that?

  19. Tried this.. customers balk. on Remote Project Level Work? · · Score: 3, Interesting
    This can work, but I find that a lot of clients are more comfortable working with somebody when you can have live, in-person meetings at the outset and then as project status and progress indicate. This tends to limit the potential customer base.

    I've had a number of long-term remote host/site administration gigs and a few short "web development" projects that worked out very well, even though the client was several time zones away.

    A friend referred the client, we discuss the project on the phone, fax a contract back and forth to set rates, duration, and scope, then mostly just do status updates by email.

    This works for web development and for system administration because the client is more likely to be accustomed to everything being online and remote, and in this case, they trust me because of the personal referral. I'm not sure this approach would work as well for other types of projects.

    IMHO, remote freelancing has many of the same drawbacks as corporate telecommuting -- most managers just aren't ready for this.

  20. Here is why WiFi Honeynets are necessary. on 802.11b Honeypots Open for Business · · Score: 2
    I agree. I don't buy the statement that they are using it to figure out the "tricks of the trade." Anyone can figure out the tricks of the trade by browsing a couple websites. I found netstumbler after doing very little research into this matter.
    However, the real 'black hats' are not going to be using Windows-based laptops with Netstumbler.

    If I were after a specific target, I would use less-publicized software that supports a true 'passive' mode, sniff traffic (need several megabytes of captured traffic to crack WEP), then clone the MAC from a valid but not-currently-active client node to use for active probing. Attackers with criminal intent most likely have this whole process automated and scripted.

    One purpose of honeypots is to detect new, unpublished exploits and tools 'in the wild'. This goal includes new WiFi intrusion tools.

    They are laying the groundwork for controlling and making precedent for what is "unauthorized access." Don't be surprised when someone is arrested for browsing /. from a public transportation bench in the near future. It's a shame that so many sysadmins can't do their job that people like this have to do it for them.
    Disclaimer: IANAL.

    That a network was not adequately secured is no excuse for connecting and using their bandwidth without permission. Criminal "trespass to chattel" is not excusable by virtue of the victim not having taken extreme measures to protect their assets.

  21. After you find the cracker... on 802.11b Honeypots Open for Business · · Score: 1
    please remember to proceed with caution when confronting the nerd.
    Depending on the response time in your neighborhood, you might just want to call the cops and let them deal with the script kiddie.

    Just remember to keep your low-light camcorder running, you might get some footage worthy of sale to CNN, or at least a good item for a "bloopers reel" (Or is that 8100P3R5 R331 in leet speak?) at the DEFCON film festival.

    Or if you live in Brooklyn, just call on the Hasidim with shotguns.

  22. Moderation and Karma on Slashdot Readers Visit Meatspace · · Score: 2
    I hadn't been watching my karma score so much to get to 50, as to notice when my comments were moderated. I login and I'm up a point or two and I know one of my comments was moderated so look to see which one. Now I login, see I'm still at excellent, and have no clue if any of my comments have been moderated. I'd have to go through each comment to see if there was a change.
    If you enable messages in your profile, then your Slashdot messages page will list replies to and moderation of your posts.

  23. Speeding is dangerous? Or is it stupid driving? on Black Boxes to Track Driving Habits? · · Score: 2
    twitter writes:
    People like you think that the left lane is for speeders. It's not. Tickets are for speeders because speeding is dangerous. People like you make people like me hate automobiles. People like you make me think that black boxes with certain publicly verifiable specifications should be mandatory.

    The second most beautiful thing is a cop giving somebody like you a ticket for "Obstructing Traffic" for camping out in the passing lane. I've seen it happen, and it really made my day.

    The most beautiful thing would be to see the Judge chew you out when you try to fight the ticket, but since I tend to keep my speed under 100, I don't get speeding tickets.

    Why is "speeding" dangerous? Around here, outside of rush hour, the average speed on the local interstate is 75MPH. The official speed limit is 55. Some accidents are caused by the teen going 105, but also by the granny in her late husband's Cadillac puttering along at 53 in the far left lane.

    FYI, this highway was designed and built prior to the "oil crisis", intended to be a 75MPH highway, the current speed limit is pure politics.

  24. Re:Viruses on L0pht And The FBI · · Score: 2
    Your security was compromised by Microsoft's marketing for god's sake. Oh, I'm sure you had a firewall on port 1900/UDP and port 5000/UDP right?
    Who in their right mind sets up a "firewall", or even basic packet filter rules, then goes and permits UDP (any udp) through?

    I have never seen a legitimate business case for permitting "inside" hosts to have any direct UDP communication with "outside" hosts. Period.

  25. Re:Pacemakers on Schmidt Predicts Digital Sky Is Falling · · Score: 2
    udp. Connectionless, just send out the packets with no idea if they are received
    Even with UDP, you need some idea of your IP and the IP of your default gateway. DHCP would work, but that involves receive.

    I suppose you could use UDP multicast...