Slashdot Mirror


User: gclef

gclef's activity in the archive.

Stories: 0
Comments: 899

Comments · 899

  1. Re:Ewoks? on 'Matrix Revolutions' Opens Today · · Score: 5, Funny

    Yeah, but what if Jar Jar won? Oh, the horror...

    "Meesa hang up dissa phone now. Meesa show deesa people what youssa hide from dem. Where wese go from dere choice meesa giva you."

  2. Re:Wow... on CNN Reports on Diebold · · Score: 2, Insightful

    Maneuvering to challenge the results is one thing. Being completely unable to handle those challenges is quite another. Diebold's system has no real way to audit for vote tampering. If someone alleges election fraud, there is no way to prove or disprove it within Diebold's system. And god help the situation if they do a recount and it comes up with *different* numbers than it did on election night (these are supposed to be database queries of data that doesn't change after election day, right?).

  3. Re:Jeez... give apple at least a week on Apple Forcing Panther Upgrade for Security Patch · · Score: 1

    Actually, it was reported to Apple in June/July, according to the @stake folks. Quoting Chris Wysopal's post to Bugtraq: "The DMG file issue was reported in June, 2003 and the core overwrite issue was reported on 7/25/2003. I don't have a recorded notification date for the long argv issue."

  4. Re:Bugtraq links on Apple Forcing Panther Upgrade for Security Patch · · Score: 4, Informative

    What's interesting (and/or disappointing) about this story is that all of the quotes I could see in the actual article were pulled straight from the Bugtraq thread about this. It appears that the reporter did no actual work besides paraphrasing and cut/paste from public emails.

  5. Re:Easy to tell on Reading, Writing, RFID · · Score: 4, Funny

    "Suzie, we think you were skipping school. But, we'll let you off the hook if you can answer this question for us: why was your tag within a few inches of Dave's for most of 6th period?"

    *Suzie blushes*

    *Dave's friends start giving him high-fives*

  6. Re:Deja-Vu on Sci-Fi Channel Looks for LGM in NASA Files · · Score: 1

    Oh, I heard about it...my point was that a man who came to notice in the media by trailblazing for Jerry Springer is certainly not a "fallen" journalist. He's a hack (pardon the pun).

  7. Re:Deja-Vu on Sci-Fi Channel Looks for LGM in NASA Files · · Score: 1

    Wait, Geraldo Rivera is a *fallen* journalist? Where'd he fall from, Mars?

  8. Re:Overblown on BIND Patches Make Bad Situation Worse · · Score: 1

    That's not the problem. There's another option, "root-delegation-only exclude", which makes all the DNS roots (except the list provided) delegation-only. The problem is, they left out a few common registries that are *not* delegation only when they first released the patch for that option.

    Honestly, though, I do agree that the debate is overblown...change the defaults, and move on. Not using insurance against Verisign's nastiness because someone left a zone off a default list (since fixed), is crazy.

  9. BINGO! on Ballmer Touts Focus on Security · · Score: 1

    Hey, Dave,
    I just won security buzzword Bingo with the parent post. You owe me $20.

  10. Re:Knee-jerk Alarmists on NYT on RFID · · Score: 1

    1. Businesses keep a database of my purchases and spending habits. What do I care? Maybe they will keep stocking and producing more of what I want to buy. Maybe they will use this to market stuff to me that I am actually interested in. What is the problem with that? The grocery stores already do it with the cards they issue and I am happy to have them do it.

    A co-worker of mine, on AZT for AIDS, had this fact sold to marketers by his Pharmacist...about 2 weeks after he had his first prescription filled, he started getting sales pitches for Graveyard plots. Still think there's no problem with this? (Hint: He was pretty sure there was a problem with this. In fact, he was furious. Unfortunately this all happened before HIPAA came into effect, so he had no legal recourse against the dorks.)

    2. Bad guys will drive by and scan my house to see what there is worth stealing. This is not a credible threat, as someone else has pointed out, these are passive tags that can't be read easily at a distance.

    Nah, they'll just scan for the money in your wallet to see if you're worth mugging. Again, still think this isn't a problem?

  11. Re:why worry? on Dave Barry Strikes Back Against Telemarketers · · Score: 5, Insightful

    What the telemarketers count on is the ability to sell things to people who have a hard time saying "no." These people do not want to be called, but they also lack the willpower to tell someone to go away. Those folks *love* the idea of a do-not-call list, because it keeps them from having to deal with the confrontation of saying "no." But, it's exactly those people that the telemarketers make the most money off of, so the telemarketers desperately want to keep access to them.

  12. Re:Sigh on Register.com Loses Class action Lawsuit · · Score: 1

    I'm sorry, bullshit. Register.com has no responsibility to keep you from being an idiot (which is exactly what you're being in your example). If you honestly promised someone that you could register a domain, and have everything up and running in 2 days, you're a fool. That isn't Register's fault.

    I bought a domain from them during the time in question, so I know exactly what happens. When I bought the domain, I immediately pointed my domain to my own nameservers...Register handled that fine, and the DNS propagated without problems. There was no hangup about getting it off their "coming soon" setup.

    The fact is, this isn't about them hijacking anyone's domain...this is really about someone being unhappy that Register.com put a default page up. If you made any modifications to the defaults to point your domain somewhere else, the default page never showed up.

    The fact that they put advertising for themselves in the default is no different from Microsoft putting MSN as the homepage for IE installs. Does this mean that Dell has the right to sue Microsoft for interference in business?

    To sum up: nothing you said above convinces me that this lawsuit is anything other than a massive waste of money and time.

  13. Sigh on Register.com Loses Class action Lawsuit · · Score: 4, Insightful

    He didn't win. It was a settlement. Register decided to settle, rather than fight this stupid lawsuit. Note: the lawyer made more money than anyone else in this stupid little charade.

    Is it obvious that I'm not exactly impressed with this? Register initially pointed his domain to a "coming soon" page when he registered his domain, and they should have put that they would do this in their contract, fair enough. Is that worthy of a lawsuit? Hell no. Is that worthy of hundreds of thousands of dollars in "damages"? Hell no.

  14. Re:what would better: on The Return of Apollo? · · Score: 1

    Ummm...I think you have this backwards. The advantage of a "plane" design is that you can (to a limited extent) fly to where you want to land the thing, which is nice when you have people to pick up. Capsules just drop like stones (okay, you can add parachutes, but still, not exactly nimble vehicles). Also, capsules fit nicely on top of big rockets, which makes them ideal for moving materials. So, generally, if you've got both a capsule and a plane program, the plane program will be for people, and the capsule for stuff. If you've only got the one program, then you can make it work for both, but it'll be inefficient at one or the other.

    Also, why would you want a space plane to go to the moon? What possible use would wings be out that far? Any moon-bound vehicle is going to be a deep-space design, likely a variant on a cylinder.

  15. Re:At MOST it should be optional... on Should ISPs Be The Little Man's Firewall? · · Score: 1

    No.

    Ever try to connect two computers behind the same firewall to something like Battle.net? It doesn't work, unless you know ahead of time (which most don't) to change the client port on one of the computers. Battle.net and the like work through the Linksys-type firewalls today not because the protocols are getting cleaned up...the firewalls are becoming protocol-aware, instead. It's incomplete (and probably always will be), though.

    As for p2p, if anyone tries to download from you, they are initiating the data stream, and from possibly arbitrary IPs, so you can't have that session open ahead of time through the firewall...it has to act as a server.

    And for chat, ever try doing file transfer between clients? You need to be able to initiate an unsolicited connection between the two machines if you want that to work.

    My point in saying all this is that there are some apps (many fairly popular) that blur the line between the client/server dichotomy. Firewalls break that. If you want to use those services, you either have to update your firewall, which is always going to be a kludge, or use the Internet like it was designed (every host on the internet is equal, and equally capable of being a server or client).

  16. Re:At MOST it should be optional... on Should ISPs Be The Little Man's Firewall? · · Score: 1

    The fact that Microsoft's Network Services folks screwed the pooch, and kept it that way for years, is no reason to screw up the Internet for the rest of us.

  17. Re:Should ISPs Be The Little Man's Firewall? on Should ISPs Be The Little Man's Firewall? · · Score: 1

    And the users should know which port they need opened to run counterstrike? How about Everquest? If they don't know, how do they get the port opened? Do you expect your ISP's NOC to know all those ports? If they don't know, is the user just screwed?

    That's my point here. Yes, I know you can open ports easily....knowing which ones to open for users who are not admins, but want to use online games and the like, is the hard part.

  18. Re:Should ISPs Be The Little Man's Firewall? on Should ISPs Be The Little Man's Firewall? · · Score: 4, Insightful

    How do you know ahead of time what ports people need? Do you buy every online game, to make sure their new implementation of game protocols over UDP works in your system, or do you wait until your users are complaining (and leaving) because you don't have time to keep up, and you're blocking their game? If your ISP suddenly blocked all P2P (which is what your proposal would do), would you move ISPs? If your answer was "yes," why do you think anyone else would stay, and why would anyone in their right mind run an ISP that way?

    You may *think* you know what users need. You're probably wrong, though.

  19. Re:At MOST it should be optional... on Should ISPs Be The Little Man's Firewall? · · Score: 3, Funny

    Okay, so you're telling me that 99% of the users in the world have no need for p2p, some online chat features, online games, and a few other things I'm too lazy to look up? (all of these require incoming ports to be opened on the client, in case it wasn't obvious.)

    As they say on the mailing lists: I encourage my competitors to run their networks this way.

  20. Re:distributed? on DoS Assaults Underway Against Spam Blocklists · · Score: 1

    One of the advantages of a DNS-based system (like the rbl, sbl, etc) is that it doesn't take any updating on the part of the client to keep up with the spammers' movements...as long as the DNS server for the Blacklist updates their entries, everyone gets the updates. Any system where you're actually moving a full list around is going to have all sorts of problems with people not getting updates, timeliness of updates, etc.

    Basically, it moves anti-spam to the anti-virus signature model (and we've all seen in the past few weeks how effective that is). I like the idea of DNS blacklists...we just need stronger infrastructure to handle the SOB's who want it shut down.

  21. Re:Time to shrink NASA on Columbia Accident Investigation Board: Final Report · · Score: 2, Insightful

    Wait, you're using the fact that a totally government-supported group (Russian space agency) will do something cheaper than a public-private consortium (shuttle) as evidence that the *private* sector does this better? Funny, your example seems to prove the exact opposite.

  22. Re:They can't have it both ways on Vonage Fights Minnesota's Attempts To Regulate VoIP · · Score: 2, Informative

    That is not entirely right. At least, not in the US (not sure what the rules are elsewhere). Packetsniffing traffic you are not entitled to legally monitor is a violation of federal wiretap laws (and therefore a federal felony).

    Now, it is true that companies can monitor traffic that passes over a network they own (your ISP can sniff your traffic if you're using them), specifically if they are doing it for standard business reasons (like tracking abuse, troubleshooting network problems, IDS', etc)...but that script kiddy listening to your traffic is committing a federal felony, and your ISP can not just randomly sniff your traffic for giggles.

    Sure, there aren't enough Feds on the planet to investigate and prosecute the violations of this setup, but that doesn't make it legal. If Vonage is sniffing your calls for any non-business-defined reason (and they'd better have documentation as to what those reasons are), they're committing a federal offense.

  23. Re:Next Week.. on WindowsUpdate.com Secured, Permanently · · Score: 1

    You have clearly never been in charge of a few thousand machines. When you're dealing with that many machines, no matter how much of a BOFH you are, some will slip through the cracks. In those situations, any little thing that will keep that one wacky machine in the corner from taking down an entire division is a good thing. And don't even get me started on machines that you can't patch because some lame third-party vendor has no regression-testing plan, and won't support patched systems.

  24. Re:Next Week.. on WindowsUpdate.com Secured, Permanently · · Score: 4, Informative

    Because the worm spoofs traffic from its local subnet to the windowsupdate address. What this means is that any infected machine would spoof traffic to itself from its local subnet, and then flood the local lan with RSTs, presuming it wasn't actually running a webserver, in which case it would flood the local lan with ACKs. Either way, bad.

    The worm doesn't sanity check the DNS result, though, so if the name doesn't exist, gethostbyname() returns -1, which translates to an IP of 255.255.255.255. The reports I'm reading say that the windows stack won't allow you to send traffic to that IP, so the machine will just drop it. (that could be wrong, though. We'll find out soon.)

  25. Re:Effects on RPC DCOM Worm On The Loose · · Score: 1

    Don't connect to the net while making these changes. (yeah, I know, you're only getting this info by connecting to the net...sorry.) The problem is that the exploit that's floating around will still cause unprotected windows 2k and xp machines to reboot, even if they are patched. Microsoft hasn't released a patch to deal with the reboot issue yet, just the overflow attack. Since your machine is getting pounded by the exploit once you dial in to the net, you're not going to last long before getting rebooted. If you have access to install media for ZoneAlarm (or the internet connection filter in XP), use that to keep the machine up while on the net.

    Good luck.