Slashdot Mirror


User: gclef

gclef's activity in the archive.

Stories
0
Comments
899

Comments · 899

  1. Re:A few thoughts on Recommendations for Third Party Security Audits? · · Score: 2

    Agreed. A balance has to be struck in these things. The internal politics of *why* the audit is happening can have a huge effect on the point of the whole exercise.

    But, unfortunately, many (less than reputable) companies will refuse to let you see what they're doing at all...usually (in my experience) this is for one of two reasons:
    1) they're going to simply run a commercial vuln scanner against you, and then re-package the results. In this case, they don't want you to realize that you can do this yourself. (and for free if you're not allergic to Nessus) A real audit will use a scanner (no reason not to), but then use that as a base point for further exploration.
    2) they're actually totally incompetent, and having you watch them flail about will make you realize this. I've watched auditors try to talk their way out of an audit where they audited the wrong machine...it wasn't a typo, it wasn't a nearby range, they just went somewhere else to audit. Those folks really didn't like getting questions...we learned why very quickly.

    I'm not saying that your group is doing either one of these. In fact, since you're allowing spectators, you're clearly one of the clueful ones. But, unfortunately, some others are not, and you have to be aware of that when looking for auditors.

  2. A few thoughts on Recommendations for Third Party Security Audits? · · Score: 5, Informative

    There are a couple of things you want from an audit (I've seen a couple from the receiving end, both really good and absolutely terrible):
    1) you want a complete report, not just a management summary. Make sure there's guidance in the report on how to fix the problems they find, or at least a pointer to where to find the information to fix them.
    2) black-box "we can hack anything" audits are sexy, but won't show you the whole picture. Make sure they're looking at both the external settings and any local policy security settings on the machine.
    3) Ask to have some of your staff sit in on the audits...you want to learn from this audit as much as possible. If they say "no", ask why. If they're just trying to protect their "script-fu", run...they're probably fake.
    4) Get a contract in place that makes it very clear what they are supposed to audit, what they are not supposed to audit, and how they are allowed to do it...get that in place *before* the audit starts. (a "terms of engagement"). This includes what IPs to audit, and what techniques (DoS, social engineering, etc) are allowed.
    5) as others have mentioned above, ask for references. If they can't provide them, worry.

    I'll stop now. I'm sure there's more, but that's what occurred off the top of my head.

  3. smoking crack on Viruses: More Hype than Danger? · · Score: 3, Informative

    Code Red was over-hyped?! jesus, give me some of that crack...it must be really good. Instead of my ranting, allow me to quote from CAIDA's analysis:

    On July 19, 2001 more than 359,000 computers were infected with the Code-Red (CRv2) worm in less than 14 hours. At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute.

    That was "over-hyped?" What would it take for it to be a "valid concern?" Yes, Code-Red didn't do the damage it intended to...but it still did a heck of a lot of damage. Claiming that some anti-virus nonsense "top 10" has any bearing on the actual amount of damage done is just stupid.

  4. Re:This would be an excellent time. on MS Pressuring NW Schools: Pay Up, Or Face Audit · · Score: 5, Interesting

    Better yet, I'd like to see one of the big Linux vendors set up a "strike force" to do panic roll-outs like this. (Heck, it sounds kinda fun...I'd apply for a job to do this.)

    Think about it: you're faced with a huge audit, that you know you're going to fail. Do you a) pay the huge license & know you'll have to pay it again next year? or b) call in the Linux-install swat team to put Linux on every machine that you can't *prove* is legally a Windows machine, thus avoiding the whole issue for ever?

    If the support & panic install costs are low enough (and the guys who do it leet enough), you may very well be able to get a *lot* of people (like the ones in the article) calling for this kind of short-notice Linux migration.

  5. Re:Google is practicing Tai Chi (way offtopic) on Google vs. DMCA and Scientology · · Score: 0, Offtopic

    That depends on the style of Taiji you're studying.

    Yang style (the most popular) has (in my opinion) been so polluted by New Age nonsense as to be almost totally unrecognizable.

    If you want to see Taiji as a martial art, look for Chen style. Much more variation in the movements (there's even a jump-kick...whee), and it seems to make much more philosophic sense (at least to me).

    Now, back to your regularly-scheduled rant....

  6. Re:Great... on Hollings Introduces Privacy Bill · · Score: 5, Insightful

    True. In fact, one thing I'd like to make sure this law does *not* do is to override the protections put in place for medical information by HIPAA. The privacy protections put in by HIPAA are actually pretty well done. I'd rather they not be weakened by a "We got you to click ok, so we're spamming the globe with your surgery results now" rule.

  7. Re:Killer App? on At the Windows Hardware Engineering Conference · · Score: 3, Interesting

    "What's next to drive people to upgrading?"

    Two words: interactive porn.

    That alone will justify the graphics, sound and bandwidth growth we've seen. c'mon, you know it's coming.

    (ooh, sorry, didn't mean the pun.)

  8. Re:I have a silly question on Unreal Tournament 2003, Now With More Ogg · · Score: 3, Insightful

    My first thought: Better to use the CPU than rely on disk I/O.

    Let's face it: if you don't compress the audio file, you're going to be relying on disk I/O to get the file out. That's going to suck in a fast-paced game. If you can minimize the disk I/O, you stand a good chance of speeding up the game.

  9. Re:Block? Are you kidding? on Stopping Spambots: A Spambot Trap · · Score: 3, Interesting

    Actually, I've done this w/a bot trap on my site at home. It's a perl script that generates a bunch of weird-sounding text w/some fake email addresses at the bottom and a bunch of database-query-looking links back to the original page.

    The bots don't fall for it anymore. Some dorks in Washington state decided to make a couple requests a second to it once, but in the two years I've had it up, they're the only ones.

  10. Re:What is "Unix"? on Red Hat In Business News · · Score: 2

    So what is counted as Unix? Solaris and ____...

    HP-UX, SCO-Unixware, AIX...and these are just the ones in use at my office...there are others.

  11. Re:DNA as an Art Form on Encoding DNA as Music for Copyrighting? · · Score: 2

    rendering DNA into music does not produce art

    Define "art" in this context. Personally, I look at Warhol's Campbell's Soup Can & think that, given the right presentation, anything can be art.

    If it were presented as "this is our product, as music", then I'd probably agree that it's just corporate game-playing with IP. But what if a performance artist had themselves sequenced, and made the sequence into music? Would that be art? If so, what's the difference between the two, besides just presentation?

  12. Re:Makes no sense on Kazaa Is Legal, Dutch Appeals Court Rules · · Score: 2

    "Do we charge gun manufacturers with murder?"

    Ummm...yes. We do. See: http://www.ncpa.org/studies/s223.html

    Now, whether that's a Good Thing (tm) or not is a totally different question.

  13. Call your Senators on More Details on the CBDTPA · · Score: 5, Insightful

    I called both of my state's (MD) Senators earlier today to make sure that I got in my "Don't you dare vote for this" early.

    Neither office even knew the bill had been presented to the Senate.

    This isn't on everyone's radar yet. We need to make sure it *gets* on their radar, though. Call them. Bug them. Make them realize just how unpopular voting for this will make them. (But, as I'm sure others will say, don't be rabid about it...just firm.)

  14. Re:ssh ? on Microsoft XP License Prohibits VNC · · Score: 3, Informative

    Ooh, I can run "cmd.exe".

    And with cmd.exe, I can manage a machine. You don't really think that I GUI log into 300 machines to install a patch, do you?

  15. Re:"no reports of any exploitations" on Microsoft, zlib, and Security Flaws · · Score: 2

    Someone's already found a way to exploit this over ssh. There are hints (I stopped reading the thread to see if they finished it) of it working for ftp. The code with the problem is used in a huge number of places in multiple OSes.

    How big does it have to get before we acknowledge that it's a serious risk and start the patch run? I've been following the security lists about this, and I don't think the coverage is overdone at all.

  16. Re:"no reports of any exploitations" on Microsoft, zlib, and Security Flaws · · Score: 2

    All these articles that rave about millions of systems being vulnerable seem to forget the fact that nobody has been affected.

    And you think this is bad? Why?

    If all the vulnerable machines get patched before anyone's affected, I'd think the system worked just as it should. I'd rather not wait until there's some nasty reprise of Nimda before starting to patch my systems.

  17. Re:Decoder card not necessary for Canal+ on Vivendi Universal vs. News Corporation · · Score: 2, Funny

    If you're a bit drunk and squint at *anything*, you can see porn. That's the wonder of being drunk.

  18. Re:I still say they should do it... on Lance Bass to Continue to Plague Earth's Surface · · Score: 2

    Nonono. You need the rocket...that's the easiest way to get him up there. What you *don't* need is the re-entry capsule, food, water, air, heating, cooling...heck, we don't even need much telemetry.

    Just get him up...away from me. Where he lands...who cares?

  19. Re:Just curious... on Researchers Claim to Crack 802.1x WiFi · · Score: 5, Informative

    Sorry, no. Many operating systems (and most cards these days) allow you to change the MAC address of the card. Given that you're broadcasting your MAC with all the rest of your traffic, someone could just change their card to your MAC address & be on your network.

  20. fun, fun, fun on Judge Says Microsoft Must Give States Windows Code · · Score: 4, Funny

    what would I do with it, you ask?

    cd /home/archives/windows/;grep -r strcpy * | more

    buffer overflows, here I come...

  21. Nothing to see here. on Microsoft Stops New Work To Fix Bugs · · Score: 2

    Prediction: they won't find anything big. Or, if they do, they won't admit it.

    My reasoning: Let's presume that they succeed in finding a big problem, and let's presume that they issue a patch for it (possibly mixed in with others). Now, the security folks are going to be curious as to what exactly was changed, and will back-engineer the original vulnerabilities. Now the vulnerability is out in the open.

    Once that's happened, I think it's only a matter of time before someone decides it'd be fun to go after the vulns that Microsoft announced with yet another net-thrashing worm. Given the public's record of applying patches from Microsoft before they get hammered, this worm will likely go very far, and make more headlines.

    It's actually not in Microsoft's interest to find anything big, both because folks don't actually apply patches, and because admitting it's a big problem will cause PR nightmares.

    But I guess we'll see. I'm trying not to be cynical, but it's clearly not working.

  22. Re:The Horror on Is Domain Speculation Bust? · · Score: 1, Offtopic

    Does this mean I should have gone to college instead of buying teenspanking.com?

    Too late:

    [g-clef@vampire g-clef]$ whois teenspanking.com
    [whois.crsnic.net]

    Whois Server Version 1.3

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: TEENSPANKING.COM
    Registrar: TUCOWS, INC.
    Whois Server: whois.opensrs.net
    Referral URL: http://www.opensrs.org
    Name Server: NS.ZF.NET
    Name Server: DNS.ZF.NET
    Updated Date: 05-nov-2001

    >>> Last update of whois database: Tue, 1 Jan 2002 16:59:30 EST

    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
    Registrars.

    [whois.opensrs.net]
    Registrant:
    NewPic.com Inc.
    9 East Loockerman Street
    Dover, DE 19901
    US

  23. Re:Right, except.. on Oregon Supreme Court Declines To Hear Schwartz Case · · Score: 2, Informative

    Not true. See the link to an affidavit in my earlier post. One of the passwd files he was running the crack against belonged to a company that he was no longer employed by (his contract had run out several months before).

    Yes, they left his account active, which was their mistake. No, that does not give him the right to log in & crack their passwords.

  24. Innocent Activites?! on Oregon Supreme Court Declines To Hear Schwartz Case · · Score: 5, Informative

    You must be joking. He was caught cracking the passwd file for Intel and O'Reilly without their permission. His activities were anything but innocent.

    Some background from the other side: an affidavit from one of the Intel folks is here:

    http://www.lightlink.com/spacenka/fors/police/intelrep.txt

    Basically, he cracked more than one company's passwd file without permission...one of them was a company he'd been dismissed from earlier (he was still logging into their machines and was cracking their passwd file, too).

    Personally, I'm not at all surprised that they threw the book at him.

  25. Re:Another globbing bug? on Wu-ftpd Remote Root Hole · · Score: 2, Informative

    Well, unfortunately, the definition of "moron" is a bit of a moving target. Something that was fine yesterday may not be such a good idea today (this situation's a great example of that).

    For the most part, the general canon of "don't run things you don't absolutely need, and keep the ones you need up to date" will take you pretty far. If you can prevent your machine from accepting incoming connections (ipchains/iptables/ipf/whatever, assuming you're not running a server from your "personal use" box), that helps a lot.