But they didn't do anything illegal. They're basically just using their own download application that comes with extra stuff.
Yes, but Download.com still assures users that they will never bundle that "extra stuff". Their Adware & Spyware Notice says:
In your letters, user reviews, and polls, you told us bundled adware was unacceptable--no matter how harmless it might be. We want you to know what you're getting when you download from CNET Download.com, and no other download site can promise that.
Also, they make it look like a download link for the real installer (which it used to be), and then the user gets this CNET crap. But they still used our name liberally in the trojan installer as if we were somehow responsible for or involved in this abomination. I've got screen shots on my Download.com fiasco page.
Also, this "apology" rings hollow because they aren't fixing the problem along with it. In particular:
1) He claims that bundling malware with Nmap was a “mistake on our part” and “we reviewed all open source files in our catalog to ensure none are being bundled.” Either that is a lie, or they are totally incompetent, because tons of open source software is still being bundled. You can read the comments below his post for many examples.
2) Even if they had removed the malware bundling from open source software, what about all of the other free (but not open source) Windows software out there? They shouldn't infect any 3rd party software with sketchy toolbars, search engine redirectors, etc.
3) At the same time that Sean sent the “apology” to users, he sent this very different note to developers. He says they are working on a new expanded version of the rogue installer and “initial feedback from developers on our new model has been very positive and we are excited to bring this to the broader community as soon as possible”. He tries to mollify developers by promising to give them a cut (“revenue share”) of the proceeds from infecting their users.
4) You no longer need to register and log in to get the small (non-trojan) “direct download” link, but the giant green download button still exposes users to malware.
5) The Download.Com Adware & Spyware Notice still says “every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.” How can they say that while they are still adding their own adware? At least they removed the statement from their trojan installer that it is “SAFE, TRUSTED, AND SPYWARE FREE”.
We just today released Nmap 5.30BETA1, which contains the version detection signature described in this post for detecting the Energizer trojan. It also includes a detection and exploitation script for a major Mac OS X vulnerability which Nmap developer Patrik Karlsson found last month and Apple finally patched this morning. There are about 100 other changes as well, including 37 new NSE scripts. You can download it free here.
Pardon the Nmap promotion, but it seemed on-topic for the story.
When the submitter referenced "open source alternatives that go by similar names", he was referring to ophcrack. Similar features are also available from Cain and Abel, and John the Ripper.
Have they included a network mapping function yet? They announced it as a GSoC project last year I think, did they get around to hack some graphical map output?
Good question--and yes, we have! Full details on this feature, including screen shots, are provided in Section 12.5, "Surfing the Network Topology" starting on page 317. That section is also available free online. The code has been integrated into the latest version (4.76) of Nmap, available here.
Yeah, Nmap has actually been in a surprising number of major movies.
I created the Nmap in the Movies page to document them with screen shots. The Matrix Reloaded was the most exciting and really started the trend. I guess the rest of Hollywood just followed along and decided that the command shell was the new way to portray hacking, rather than ridiculous 3D animated eye-candy scenes from the era of Hackers and Swordfish. So we got Nmap in Bourne Ultimatum, Die Hard 4, etc.
I wanted to include a screen shot of Trinity hacking the Matrix with Nmap for this book, but a then-potential publisher said I needed permission from Time Warner first. It took many unanswered requests, but Time Warner finally replied with basically "hell no, you IP pirate!" Of course they phrased it politely like "we would love to allow that, but our policies prohibit us from granting that permission". Funny, they didn't mind using Nmap in their movie without permission, credit, notification, etc. Then they say I can't even include a screen shot of them using Nmap?
So I dumped the potential publisher and added the screen shots anyway (page 8) :).
This is a major problem for my upcoming book documenting the Nmap Security Scanner. I was planning to print Nmap Network Scanning with Lightning Source POD and sell it through Amazon. Now Amazon says I need to use their own BookSurge company instead. Leaving aside the anti-competitive nature of this, there is the issue of BookSurge's terrible quality reputation. They are known for missing pages, printing covers upside-down, etc. So people who buy my book through Amazon will be stuck with the shitty BookSurge version, and they will surely blame me for this. I really hope Amazon relents, or I will have to rethink my whole distribution plan. I'm now against using BookSurge on principle.
If Amazon keeps playing these anti-competitive games, at least there is always online distribution. Almost half of the book chapters are already online for free:
And I hope to free more chapters in the coming week. Amazon may not care about losing my Nmap book, but I hope enough people stand up to Amazon that they really feel the effect!
I agree that exposing the extent of this could definitely help. When I received multiple FBI subpoenas in 2004 for Insecure.Org web logs, I notified Nmap users and it was posted to various web sites, including Slashdot.
After all of that press four years ago, the subpoenas stopped and I haven't received another one since. Maybe it is just a coincidence, but I'm happy about it nonetheless.
In other Nmap news, version 4.60 was just released. You might want to download it with Tor though, just to be on the safe side in case the subpoenas resume :).
The Nmap Security Scanner project has now participated in Summer of Code all three years—and mentored 25 students. So I'm pleased that Google has accepted us for a fourth year. This really is a great program, so I hope many Slashdotters apply (or at least spread the word to your student friends who may be too busy with school to read Slashdot). There aren't many opportunities available to get paid to work on free software of your choice. Your work makes a big difference for projects and their users as well. You can read about the successful Nmap SoC students in 2007, 2006, and 2005. No Nmap user can read those lists without recognizing features and improvements they use.
Of course part of the purpose of this post is to shamelessly plug the Nmap SoC ideas page for people trying to choose a project. We'd love to have you. But honestly, I recommend applying for multiple projects if you really want to get in. Don't just spam a bunch of crappy boilerplate applications, but submit as many carefully-considered ones as you have time to write. Also, I've written up some tips for preparing a great SoC application.
Thanks for the notes, and I'm delighted to hear about the successes that OLPC is having (even if you haven't yet met your initial distribution goals). It is great to read articles like this one about improving the lives of thousands of kids in Peru.
Given the network capabilities of this machine, we are working to ensure that the Nmap Security Scanner continues to work well on the OLPC. Maybe someday it can be included, though that raises the issue of kids using it responsibly. Still, it can be quite useful for debugging network connectivity issues as well as testing that their own machines are secure. A side effect of this work is that it keeps Nmap lean and working well on low-resource PCs, phones, and PDAs besides the OLPC.
On Friday we received the three units we ordered through give-one-get-one and I've been playing with mine ever since! Yesterday I took and posted a bunch of pictures of the device.
The article title says he "faces 20 years in prison" to be sensational, and maybe that is the theoretical maximum. But the last line of the article says that "the plea agreement contemplates a sentence ranging from probation to six months in custody". The judge gets the final decision, but he is much more likely to get probation than a 20yr sentence.
As the author of Nmap, I'm more than a little concerned about this law. It could mean that I can never again visit Germany, which is a shame because I have many friends there. But I don't want to risk a year in prison or the Halvar treatment. Many of these articles state as a matter of fact that the creation or distribution of Nmap (mentioned by name in TFA) is illegal now. If true, what does that mean for all the Linux distributors who include Nmap and other security tools?
Does anyone have a link to a good English translation and legal analysis of the new law? The Phenoelit page translates the law as affecting "computer programs whose aim is to commit a crime". That doesn't cover Nmap, which I designed for security professionals. But of course some blackhats use it too, and I don't want to bet my freedom on being able to convince a technologically illiterate judge in Germany of my intent.
I hope groups like the CCC (which is apparently quite powerful in Germany) are able to get this overturned! If legitimate German admins are afraid to use Nmap and other security tools while the crackers retain full access to them, that won't be a pretty sight!
Absolutely right! Halvar is extraordinarily talented and it will be a terrible shame if his class is canceled. But it starts on Monday, so unless they do it by video conference I can't see him making it. I still hope to see him when I fly to Vegas on Thursday, but the odds aren't good :(.
I'd like to know just what the immigration department expects US conferences to do when bringing in foreign speakers. Halvar says they wanted to treat him like an "employee" of BlackHat and get an H1-B visa. But that is ridiculous, as it is a multi-year process. Halvar thinks coming as a representative of his own German company will help, but we shouldn't have to require that foreigners incorporate just to give a simple presentation or training class here.
I'm an American who has been paid to give presentations and training in many countries, including Germany. And I've never been hassled by their immigration dept. or received any special visas. So it's embarrassing and harmful that the US subjects visitors to our country to all of this crap (including the fingerprinting and pushing other countries toward RFID passports). It's no wonder that many conference producers, including BlackHat, have been increasing the number of cons held offshore. The US just isn't seen as a welcoming place.
Pardon the long rant, but I hate seeing my friends put through this. And I'm sure similar things happen to thousands of people we don't know every day. Also, if those of us in the US don't fix our system, other countries might copy it and then we'll have to deal with this shit when we travel.
I have been participating as a mentor for the SoC program since it started, and I highly recommend it. It is a great way to get paid, gain valuable experience and a great resume booster, and write code which will be used by thousands or millions of people! You can read about the successful creations of Nmap SoC students in 2005 and 2006.
I am involved with three projects which have been accepted for SoC this year:
UMIT (SoC Ideas Page). This is an Nmap graphical front end which started out as a student's Nmap-SoC project, and now he has been accepted by Google to run it as an independent SoC project!
And even if none of those projects float your boat, there are 128 others to choose from. Remember that you can apply for multiple projects, and doing so can (with sufficient care and detail for each application) be a good way to increase your odds.
The government issued over 140,000 of these letters with gag orders. We should have 140,000 people in jail right now for talking about them, nothing else could demonstrate how abusive these letters are.
When I received numerous subpoenas (these weren't NSLs) from different branches of the FBI in 2004, I notified my users on nmap-hackers and that led to coverage on Slashdot and elsewhere. Perhaps because of the publicity, the FBI has not sent me a single subpoena since then.
I agree with the majority of the comments here that restrictive NSL gag orders as described in TFA are an outrage!
I wouldn't call it a cover up. I would say its a case of overconfidence.
That could be. And don't get me wrong -- I'm a big OpenBSD fan and even have one of their posters framed and hanging in my home. But I think they could have handled this better. Given that security is their main selling point, I'd like to see the OpenBSD guys treat all buffer overflows as potentially exploitable. In this case, it appears that the fix to 3.9 and 4.0 branches was delayed for an extra week until Core produced a working remote root exploit. The problem with requiring a working exploit from bug reporters is that most of them lack the ability or inclination (or both) to produce one. This bug just happened to be reported by some of the best exploit writers in the world.
Also, even if the bug did only allow anyone to cause remote kernel panic on your OpenBSD firewall or server with a single packet, that is still a security vulnerability. They can call it a DoS vulnerability if they are sure one cannot lead to code execution.
I'm a bit surprised that the summary didn't mention the rather interesting timeline in the Core advisory, which implies an attempted cover up. I don't know all the facts, so I'll let the document speak for itself:
2007-02-20: First notification sent by Core.
2007-02-20: Acknowledgement of first notification received from the OpenBSD team.
2007-02-21: Core sends draft advisory and proof of concept code that demonstrates remote kernel panic.
2007-02-26: OpenBSD team develops a fix and commits it to the HEAD branch of source tree.
2007-02-26: OpenBSD team communicates that the issue is specific to OpenBSD. OpenBSD no longer uses the term "vulnerability" when referring to bugs that lead to a remote denial of service attack, as opposed to bugs that lead to remote control of vulnerable systems to avoid oversimplifying ("pablumfication") the use of the term.
2007-02-26: Core email sent to OpenBSD team explaining that Core considers a remote denial of service a security issue and therefore does use the term "vulnerability" to refer to it and that although remote code execution could not be proved in this specific case, the possibility should not be discarded. Core requests details about the bug and if possible an analysis of why the OpenBSD team may or may not consider the bug exploitable for remote code execution.
2007-02-28: OpenBSD team indicates that the bug results in corruption of mbuf chains and that only IPv6 code uses that mbuf code, there is no user data in the mbuf header fields that become corrupted and it would be surprising to be able to run arbitrary code using a bug so deep in the mbuf code. The bug simply leads to corruption of the mbuf chain.
2007-03-05: Core develops proof of concept code that demonstrates remote code execution in the kernel context by exploiting the mbuf overflow.
2007-03-05: OpenBSD team notified of PoC availability.
2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website.
2007-03-08: Core sends final draft advisory to OpenBSD requesting comments and official vendor fix/patch information.
2007-03-09: OpenBSD team changes notice on the project's website to "security fix" and indicates that Core's advisory should reflect the requirement of IPv6 connectivity for a successful attack from outside of the local network.
2007-03-12: Advisory updates with fix and workaround information and with IPv6 connectivity comments from OpenBSD team. The "vendors contacted" section of the advisory is adjusted to reflect more accurately the nature of the communications with the OpenBSD team regarding this issue.
2007-03-12: Workaround recommendations revisited. It is not yet conclusive that the "scrub in inet6" directive will prevent exploitation. It effectively stops the bug from triggering according to Core's tests but OpenBSD's source code inspection does not provide a clear understanding of why that happens. It could just be that the attack traffic is malformed in some other way that is not meaningful for exploiting the vulnerability (an error in the exploit code rather than an effective workaround?). The "scrub" workaround recommendation is removed from the advisory as precaution.
This has been enough of a problem for the Nmap Security Scanner that we warn about McAfee specifically and suggest better alternatives on the Nmap Download Page (See the Windows section). More details about the problems we've encountered are posted here. I've spoken with McAfee executives at conferences and they say they want to fix the problem, but then it just gets lost in their bureaucracy. Sigh.
Also, it is annoying when free software gets wrongly listed on spyware databases. For example, check out the "Spyware Encyclopedia" entry on Nmap, which says "NMap belongs to the Port Scanner spyware category. It's[SIC] presense[SIC] means that your computer is infected with malicious software and is insecure." WTF? Similarly, Nmap has an entry in the "CA Spyware Information Center". If they want to warn about Nmap because it can be used for network discovery, fine. But it shouldn't be called spyware, adware, or anything like that.
Just a few days ago, I launched a noncommercial site dedicated to this exact purpose -- encouraging and helping people move away from GoDaddy. The site is at NoDaddy.Com (I'm sure Bob Parsons loves the domain name ;).
I launched the site after GoDaddy shut down my domain SecLists.Org, as noted in this /. article summary. The site includes a list of alternative registrars that readers have recommended. It is rather sparse on details right now, but I'm working on that. I'll go through all your comments in this article tomorrow to fish out good ideas for the registrar section of the site. I'm trying to fill up the site as much as possible before GoDaddy's big SuperBowl ads air on Sunday. We are currently seeking a volunteer to set up and run the NoDaddy forums -- write me if you're interested. We're also looking for "NoDaddy girl" models, but perhaps Slashdot isn't the best place to recruit for that :).
Just today, CNET News.Com posted an article where they interviewed many registrars about their takedown policies. Unfortunately, many registrars refused or didn't bother to respond. Of those who did, the authors "found that the French registrar Gandi.net and New Orleans-based DirectNIC offered the most extensive guarantees against unnecessary domain name suspension."
If someone uses the card locally, big deal. I call Chase and tell them that the card was stolen and the charge wasn't mine. Not many questions asked.
It certainly can be a big deal if you don't notice the fraudulent charge quickly, if Chase decides to investigate extensively, if you have to file police reports, dealing with card reissuance when you're travelling, if the episode makes its way onto your credit history, if the criminals continue to steal your identity in other ways, etc. Plus, the costs of credit card fraud end up being passed back to consumers as a group anyway. So you might not want to be quite so blasé about it.
But honestly, my main reason for using these systems is that I don't trust the vendor. Not 3rd party fraud. For example, many online media sites put in the fine print that they will retain your credit card number and try to charge you their then-current rates every year unless you remember in time to jump through all their AOL-style cancellation hoops. This isn't just porn sites -- the Wall Street Journal Online, Morningstar.Com, and various other sites try to do this to me. So I just make a temporary number for $120 or whatever the annual charge is. Then the "auto renewal" will fail in a year and they will have to actually ask me whether I wish to renew at their then-current prices.
I've been using MBNA's system, but I'm not so happy with them for other reasons. I'd be interested in hearing what other banks offer this feature in a convenient manner with a standard web-based UI. I'm certainly not going to run IE to use PayPal's system!
Also, it is probably true that I'm more paranoid than your average user.
anyone who's been in academia knows that she's flat-out rejected as being a highly derivative, illogical (her work is based in fallacy) nutjob unworthy of serious attention.
You suspect "a large biased mob of editors trying to keep the article biased" in favor of Ayn Rand. The admins you have contacted all refused to "help", and you suspect that Jimbo himself is behind the edits. Have you considered the possibility you are the one who is biased -- against this "nutjob" Ayn Rand?
Debian's problem has always been that its handlers place users and the usability of their distribution far below very petty internal arguments intended to frame the distro as some sort of legal pioneer
Debian did not choose this battle. They have been distributing Firefox for years in the same way they distribute other open source software. It was Mozilla who forced the issue by threatening legal action if Debian doesn't change the name or start submitting all patches (even security patches) to Mozilla for permission before they are applied. Mike Conner of Mozilla says "you should consider this, as I previously said, notice that your usage of the trademark is not permitted in this way, and we are expecting a resolution. If your choice is to cease usage of the trademark rather than bend the [Debian Free Software Guidelines] a little, that is your decision to make."
Debian asked "could we at least get a stay of execution? Etch is going into deep freeze in less than a month. Would it be possible to resolve this after the release?" and Mozilla responded that "If we were forced to revoke your permission to use the trademark, freeze state would not matter, you would be required to change all affected packages as soon as possible. Its not a nice thing to do, but we would do it if necessary, and we have done so before."
Many legal squabbles are instigated by Debian, but this isn't one of them. Mozilla has forced the issue. Linux Weekly News wrote a good summary of the situation.
So the security world used to be pretty hostile to MS, before, you know, XPSP2, MSRC got taken seriously, etc.
Used to be? Maybe you see a different view of them when they hire you for security consulting and fly you out for their Blue Hat conferences and such. But from my outsider perspective, Microsoft is still a security disaster. Not only have we continued to see hundreds of serious vulnerabilities throughout 2006, but MS has in many cases made us wait weeks or months before patching widely exploited bugs. Heck, another actively exploited MS Office vulnerability was just discovered in the wild. If we're lucky, MS will cough up a patch on September 12, otherwise they'll probably leave users vulnerable until the next "patch Tuesday" on October 10.
Meanwhile, Microsoft recently re-issued MS06-042 with a fix for a vulnerability introduced by their first attempted fix. And they openly admit that they excluded eEye from the advisory credits because eEye embarrassed MS by making their incompetence public. MS is more interested in petty vendettas against researchers than actually fixing the flaws.
Microsoft has made a few positive steps toward securing their products in the last couple of years, but I think most of their efforts and successes are more in the PR realm than anything with technical merit. They have spent so much money sponsoring conferences (their money does come with strings attached) and paying off security researchers, that many people seem reluctant to criticize them.
OK, enough anti-MS ranting from me for now :). My main point in replying is actually to agree with you about Window. She is extremely smart and talented, and her defection to Mozilla is great news for a product which really needs more security attention. We had lunch last week to discuss Mozilla security and Window has some great ideas. Mozilla may already be much more secure than IE, but we should set a much higher bar than that! Best of luck at your new position, Window!
I don't know why you think eEye has such close ties to MS. They have been embarrassing and exploiting the hell out of MS for years. They drive MS crazy by releasing powerful exploit code and giving conference presentations such as "Remote Windows Kernel Exploitation" (BlackHat 2005). I like these guys a lot :).
The summary links to four different commentaries but not Asimov's original article. I'd rather get it from the source.
I maintain a list of top password crackers and sniffers as part of my SecTools.Org site.
While the submitter is correct that they have much more competition now, I still wish to congratulate the former L0pht guys on the new release!
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
For more details, see the announcement at http://insecure.org.
-Fyodor
Have they included a network mapping function yet? They announced it as a GSoC project last year I think, did they get around to hack some graphical map output?
Good question--and yes, we have! Full details on this feature, including screen shots, are provided in Section 12.5, "Surfing the Network Topology" starting on page 317. That section is also available free online. The code has been integrated into the latest version (4.76) of Nmap, available here.
-Fyodor
Insecure.Org
I wanted to include a screen shot of Trinity hacking the Matrix with Nmap for this book, but a then-potential publisher said I needed permission from Time Warner first. It took many unanswered requests, but Time Warner finally replied with basically "hell no, you IP pirate!" Of course they phrased it politely like "we would love to allow that, but our policies prohibit us from granting that permission". Funny, they didn't mind using Nmap in their movie without permission, credit, notification, etc. Then they say I can't even include a screen shot of them using Nmap?
So I dumped the potential publisher and added the screen shots anyway (page 8)
-Fyodor
Insecure.Org
And I hope to free more chapters in the coming week. Amazon may not care about losing my Nmap book, but I hope enough people stand up to Amazon that they really feel the effect!
-Fyodor
I agree that exposing the extent of this could definitely help. When I received multiple FBI subpoenas in 2004 for Insecure.Org web logs, I notified Nmap users and it was posted to various web sites, including Slashdot.
After all of that press four years ago, the subpoenas stopped and I haven't received another one since. Maybe it is just a coincidence, but I'm happy about it nonetheless.
In other Nmap news, version 4.60 was just released. You might want to download it with Tor though, just to be on the safe side in case the subpoenas resume :).
-Fyodor
The Nmap Security Scanner project has now participated in Summer of Code all three years—and mentored 25 students. So I'm pleased that Google has accepted us for a fourth year. This really is a great program, so I hope many Slashdotters apply (or at least spread the word to your student friends who may be too busy with school to read Slashdot). There aren't many opportunities available to get paid to work on free software of your choice. Your work makes a big difference for projects and their users as well. You can read about the successful Nmap SoC students in 2007, 2006, and 2005. No Nmap user can read those lists without recognizing features and improvements they use.
Of course part of the purpose of this post is to shamelessly plug the Nmap SoC ideas page for people trying to choose a project. We'd love to have you. But honestly, I recommend applying for multiple projects if you really want to get in. Don't just spam a bunch of crappy boilerplate applications, but submit as many carefully-considered ones as you have time to write. Also, I've written up some tips for preparing a great SoC application.
-Fyodor
Thanks for the notes, and I'm delighted to hear about the successes that OLPC is having (even if you haven't yet met your initial distribution goals). It is great to read articles like this one about improving the lives of thousands of kids in Peru.
Given the network capabilities of this machine, we are working to ensure that the Nmap Security Scanner continues to work well on the OLPC. Maybe someday it can be included, though that raises the issue of kids using it responsibly. Still, it can be quite useful for debugging network connectivity issues as well as testing that their own machines are secure. A side effect of this work is that it keeps Nmap lean and working well on low-resource PCs, phones, and PDAs besides the OLPC.
On Friday we received the three units we ordered through give-one-get-one and I've been playing with mine ever since! Yesterday I took and posted a bunch of pictures of the device.
Keep up the good work!
Fyodor
The article title says he "faces 20 years in prison" to be sensational, and maybe that is the theoretical maximum. But the last line of the article says that "the plea agreement contemplates a sentence ranging from probation to six months in custody". The judge gets the final decision, but he is much more likely to get probation than a 20yr sentence.
Fyodor
Does anyone have a link to a good English translation and legal analysis of the new law? The Phenoelit page translates the law as affecting "computer programs whose aim is to commit a crime". That doesn't cover Nmap, which I designed for security professionals. But of course some blackhats use it too, and I don't want to bet my freedom on being able to convince a technologically illiterate judge in Germany of my intent.
I hope groups like the CCC (which is apparently quite powerful in Germany) are able to get this overturned! If legitimate German admins are afraid to use Nmap and other security tools while the crackers retain full access to them, that won't be a pretty sight!
-Fyodor
Insecure.Org
Absolutely right! Halvar is extraordinarily talented and it will be a terrible shame if his class is canceled. But it starts on Monday, so unless they do it by video conference I can't see him making it. I still hope to see him when I fly to Vegas on Thursday, but the odds aren't good :(.
I'd like to know just what the immigration department expects US conferences to do when bringing in foreign speakers. Halvar says they wanted to treat him like an "employee" of BlackHat and get an H1-B visa. But that is ridiculous, as it is a multi-year process. Halvar thinks coming as a representative of his own German company will help, but we shouldn't have to require that foreigners incorporate just to give a simple presentation or training class here.
I'm an American who has been paid to give presentations and training in many countries, including Germany. And I've never been hassled by their immigration dept. or received any special visas. So it's embarrassing and harmful that the US subjects visitors to our country to all of this crap (including the fingerprinting and pushing other countries toward RFID passports). It's no wonder that many conference producers, including BlackHat, have been increasing the number of cons held offshore. The US just isn't seen as a welcoming place.
Pardon the long rant, but I hate seeing my friends put through this. And I'm sure similar things happen to thousands of people we don't know every day. Also, if those of us in the US don't fix our system, other countries might copy it and then we'll have to deal with this shit when we travel.
-Fyodor
Insecure.Org
I have been participating as a mentor for the SoC program since it started, and I highly recommend it. It is a great way to get paid, gain valuable experience and a great resume booster, and write code which will be used by thousands or millions of people! You can read about the successful creations of Nmap SoC students in 2005 and 2006.
This year I am involved with three projects which have been accepted for SoC:
And even if none of those projects float your boat, there are 128 others to choose from. Remember that you can apply for multiple projects, and doing so can (with sufficient care and detail for each application) be a good way to increase your odds.
-Fyodor
Insecure.Org
When I received numerous subpoenas (these weren't NSLs) from different branches of the FBI in 2004, I notified my users on nmap-hackers and that led to coverage on Slashdot and elsewhere. Perhaps because of the publicity, the FBI has not sent me a single subpoena since then.
I agree with the majority of the comments here that restrictive NSL gag orders as described in TFA are an outrage!
-Fyodor
Insecure.Org
That could be. And don't get me wrong -- I'm a big OpenBSD fan and even have one of their posters framed and hanging in my home. But I think they could have handled this better. Given that security is their main selling point, I'd like to see the OpenBSD guys treat all buffer overflows as potentially exploitable. In this case, it appears that the fix to the 3.9 and 4.0 branches was delayed for an extra week until Core produced a working remote root exploit. The problem with requiring a working exploit from bug reporters is that most of them lack the ability or inclination (or both) to produce one. This bug just happened to be reported by some of the best exploit writers in the world.
Also, even if the bug did only allow anyone to cause a remote kernel panic on your OpenBSD firewall or server with a single packet, that is still a security vulnerability. They can call it a DoS vulnerability if they are sure one cannot lead to code execution.
-Fyodor
I'm a bit surprised that the summary didn't mention the rather interesting timeline in the Core advisory, which implies an attempted cover up. I don't know all the facts, so I'll let the document speak for itself:
-Fyodor
Insecure.Org
This has been enough of a problem for the Nmap Security Scanner that we warn about McAfee specifically and suggest better alternatives on the Nmap Download Page (See the Windows section). More details about the problems we've encountered are posted here. I've spoken with McAfee executives at conferences and they say they want to fix the problem, but then it just gets lost in their bureaucracy. Sigh.
Also, it is annoying when free software gets wrongly listed on spyware databases. For example, check out the "Spyware Encyclopedia" entry on Nmap, which says "NMap belongs to the Port Scanner spyware category. It's[SIC] presense[SIC] means that your computer is infected with malicious software and is insecure." WTF? Similarly, Nmap has an entry in the "CA Spyware Information Center". If they want to warn about Nmap because it can be used for network discovery, fine. But it shouldn't be called spyware, adware, or anything like that.
-Fyodor
Insecure.Org
Just a few days ago, I launched a noncommercial site dedicated to this exact purpose -- encouraging and helping people move away from GoDaddy. The site is at NoDaddy.Com (I'm sure Bob Parsons loves the domain name ;).
I launched the site after GoDaddy shut down my domain SecLists.Org, as noted in this /. article summary. The site includes a list of alternative registrars that readers have recommended. It is rather sparse on details right now, but I'm working on that. I'll go through all your comments in this article tomorrow to fish out good ideas for the registrar section of the site. I'm trying to fill up the site as much as possible before GoDaddy's big SuperBowl ads air on Sunday. We are currently seeking a volunteer to set up and run the NoDaddy forums -- write me if you're interested. We're also looking for "NoDaddy girl" models, but perhaps Slashdot isn't the best place to recruit for that :).
Just today, CNET News.Com posted an article where they interviewed many registrars about their takedown policies. Unfortunately, many registrars refused or didn't bother to respond. Of those who did, the authors "found that the French registrar Gandi.net and New Orleans-based DirectNIC offered the most extensive guarantees against unnecessary domain name suspension."
-Fyodor
Insecure.Org
It certainly can be a big deal if you don't notice the fraudulent charge quickly, if Chase decides to investigate extensively, if you have to file police reports, if you have to deal with card reissuance when you're travelling, if the episode makes its way onto your credit history, if the criminals continue to steal your identity in other ways, etc. Plus, the costs of credit card fraud end up being passed back to consumers as a group anyway. So you might not want to be quite so blasé about it.
But honestly, my main reason for using these systems is that I don't trust the vendor. Not 3rd party fraud. For example, many online media sites put in the fine print that they will retain your credit card number and try to charge you their then-current rates every year unless you remember in time to jump through all their AOL-style cancellation hoops. This isn't just porn sites -- the Wall Street Journal Online, Morningstar.Com, and various other sites try to do this to me. So I just make a temporary number for $120 or whatever the annual charge is. Then the "auto renewal" will fail in a year and they will have to actually ask me whether I wish to renew at their then-current prices.
I've been using MBNA's system, but I'm not so happy with them for other reasons. I'd be interested in hearing what other banks offer this feature in a convenient manner with a standard web-based UI. I'm certainly not going to run IE to use PayPal's system!
Also, it is probably true that I'm more paranoid than your average user.
-Fyodor
Insecure.Org
You suspect "a large biased mob of editors trying to keep the article biased" in favor of Ayn Rand. The admins you have contacted all refused to "help", and you suspect that Jimbo himself is behind the edits. Have you considered the possibility you are the one who is biased -- against this "nutjob" Ayn Rand?
-Fyodor
Insecure.Org
Debian did not choose this battle. They have been distributing Firefox for years in the same way they distribute other open source software. It was Mozilla who forced the issue by threatening legal action if Debian doesn't change the name or start submitting all patches (even security patches) to Mozilla for permission before they are applied. Mike Conner of Mozilla says "you should consider this, as I previously said, notice that your usage of the trademark is not permitted in this way, and we are expecting a resolution. If your choice is to cease usage of the trademark rather than bend the [Debian Free Software Guidelines] a little, that is your decision to make."
Debian asked "could we at least get a stay of execution? Etch is going into deep freeze in less than a month. Would it be possible to resolve this after the release?" and Mozilla responded that "If we were forced to revoke your permission to use the trademark, freeze state would not matter, you would be required to change all affected packages as soon as possible. Its not a nice thing to do, but we would do it if necessary, and we have done so before."
Many legal squabbles are instigated by Debian, but this isn't one of them. Mozilla has forced the issue. Linux Weekly News wrote a good summary of the situation.
-Fyodor
Insecure.Org
So the security world used to be pretty hostile to MS, before, you know, XPSP2, MSRC got taken seriously, etc.
Used to be? Maybe you see a different view of them when they hire you for security consulting and fly you out for their Blue Hat conferences and such. But from my outsider perspective, Microsoft is still a security disaster. Not only have we continued to see hundreds of serious vulnerabilities throughout 2006, but MS has in many cases made us wait weeks or months before patching widely exploited bugs. Heck, another actively exploited MS Office vulnerability was just discovered in the wild. If we're lucky, MS will cough up a patch on September 12, otherwise they'll probably leave users vulnerable until the next "patch Tuesday" on October 10.
Meanwhile, Microsoft recently re-issued MS06-042 with a fix for a vulnerability introduced by their first attempted fix. And they openly admit that they excluded eEye from the advisory credits because eEye embarrassed MS by making their incompetence public. MS is more interested in petty vendettas against researchers than actually fixing the flaws.
Microsoft has made a few positive steps toward securing their products in the last couple of years, but I think most of their efforts and successes are more in the PR realm than anything with technical merit. They have spent so much money sponsoring conferences (their money does come with strings attached) and paying off security researchers, that many people seem reluctant to criticize them.
OK, enough anti-MS ranting from me for now :). My main point in replying is actually to agree with you about Window. She is extremely smart and talented, and her defection to Mozilla is great news for a product which really needs more security attention. We had lunch last week to discuss Mozilla security and Window has some great ideas. Mozilla may already be much more secure than IE, but we should set a much higher bar than that! Best of luck at your new position, Window!
-Fyodor
Insecure.Org
I don't know why you think eEye has such close ties to MS. They have been embarrassing and exploiting the hell out of MS for years. They drive MS crazy by releasing powerful exploit code and giving conference presentations such as "Remote Windows Kernel Exploitation" (BlackHat 2005). I like these guys a lot :).
-Fyodor (Insecure.Org)