Before I start, I've never had anything to do with this project so I'm taking a lot of what you say at face value.
>* They (Jim Starkey) revealed the backdoor to the
>public before a fix was in place. They didn't
>reveal the actual username/password, but they
>made it very clear where, how and what to look >for. After that most people found it in no time.
Where is there any reference to this? They actually waited until after Christmas and a patch in place before releasing any information and after repeated attempts to contact Borland.
>Either they panicked or saw this as their chance
>for 15 minutes of fame. Given that this backdoor
>has gone unnoticed, and presumably unexploited,
>for years they could have worked with Borland to
>come up with a solution and had this
>solution distributed to the customers before the
>problem was publicised.
And if someone had found the exploit while the patch was being distributed (not unlikely, You get a patch from Borland with instructions to install it urgently. Your database works fine now. Why bother)? Or if someone had noticed it in the unpatched source?
>The majority of Interbase sites are end-users
>who do not read CERT alerts,/. or the Interbase
>and Firebird newsgroups and mailing lists. These
>sites are screwed now.
And that's the firebird teams fault how? If there are still people out there who aren't willing to take the effort to watch the accepted security advisary mailing lists then they deserve what they get.
>Presumably they *did* try to work with Borland,
>but who did they send to make the contact; The
>people in the IBPhoenix/Firebird community who
>hates Borland the most and who uses every chance
>they get to harm Borland; Ann and Jim.
They hated them sooo much they went out of their way to provide binary patches when the patch that was released by Borland was a non-patch. And they even attempted to contact them at all. They could have just gone to CERT with the advisory, Borland be damned. Borland looks like a criminal for putting a backdoor in their software and the firebird team look like saviours. No extra effort needed.
>That Borland refused to speak with them can
>hardly come as a surprise to them given their
>common history during the last year. If my
>company where the target of Ann and Jim's
>attacks, I too would forbid all contact with
>them.
So petty bickering is more important to Borland than their customers security. There's a customer attitude to be proud of. If you received an email from someone that explained the discovery of a major security hole in one of your products would you think "Now the boss said not to talk to these bad people so I'm just going to delete this email". I think not.
> They (Jim again) repeatedly insult and slander
> Borland and....
[snip]
I can't argue with you here I don't know the full story but petty bickering vs huge security hole. Weigh it up.
> They have made sure that Borland will think
> twice before they ever release...
[snip]
I should think Borland would. Or atleast they will remove the back doors in their source before releasing it. But of course this was an isolated incedent. I think Borland have done more damage than any of the firebird team could have possibly done by having a back door in their software. Whats the bet that sys admins around the globe are considering ditching all Borland software because it can no longer be considered trustworthy.
Your attempts to hack a Borland database show more you lack of knowledge than any real proof that the security hole wasn't all that bad. I think I would trust the knowledge of people who actually hack the software over a poster on slashdot with a very large user id (=> recently registered) and having only posted once (=> someone from Borland with sour graphs?).
As the other poster said, it'll probably mean Microsoft select. We're talking big companies here (university size at least).At a guess, maybe 5% of all companies have a select agreement and it definately wont be based on need for no registration (that's just about everybody), it'll be based on how much you buy from MS.
> If you will obviously stick out as a foreigner,
> there are other countries you may want to stay
> away from.
If you are an American, then there is a good chance you will stick out "as a foreigner" where ever you go. Basically because a significant number of Americans are rude, ignorant and stupid, unfortunatly for you they also tend to be the loud portion of the population as well. It's not just the accent, although that helps (I pity Canadians for having a similar accent). I've sat next to someone on a plane and talked for several hours before realising her accent was American simply because she wasn't self important and ignorant (she wasn't American either but had spent alot of time in schools with americans).
Basically it's not a question of where you would go but a matter of who would take you. I'm not saying every American is like this but as a group this tends to be how Americans act.
Ways to piss RMS off in one sentence, a new record
on
Hacking The City
·
· Score: 1
Lets see,
1) "the widely-esteemed guru of the "open source" software movement", nuff said
2) "the Linux operating system", where's the GNU?
3) the whole behind schedule thing
4) what, emacs just a text editor? in which alternate reality is this guy living in?
And most open source advocates are quite happy RMS has nothing to do with open source.
I doubt if a script kiddie would have recognised important source code if it flew out their arse (it the Microsoft case it probably did come out their arse). Also they weren't detected for 3 months and they haven't made a big noise about it. Not typical script kiddie behaviour.
You crack some elses machine, install it on there.
I'm sure there are thousands of clueless linux users out there who have the requirements for a suitable host,
1) fast, always on internet access
2) rant about how secure linux is and have a box an eight year old could get root on
Nooo... (s)he got mod-ded down because the post was offtopic. But I'm sure this was the first time that's happened. Hell with a username of TrollBoy3 and an email address of Troll@moderators.kiss.my.ass, I'm sure they post lot's of meaningful discussion.
Some of these points of confusion sound as though they are API related. Do you know how frustrating it is to work out after hours of stuffing around that the API documentation is wrong?
A lot of ppl here seem to be saying that commercial DVD players can't read the hidden section. AFAIK this is really wrong.
My understanding of how DVD encryption works: 1 Make movie in digital form(duh) 2 Get randomly generated session key and encrypt movie 3 Encrypt session key with all 400 or so of the software and hardware player keys 4 Put movie and all 400 encrypted keys on the DVD and sell (last part not actually part of encryption system)
If this is how it works then the keys need to be readable by the player otherwise they can't decode the movie either. It may be possible that writers can't write to that section.
People who actually know how this works feel free to correct me (I know how shy people are here on/.:)
First a bit of background is needed. For those of you who have used dvorak and qwerty on a Microsoft operating system you know how awkward it is. With windows you can have multiple keyboard layouts and change between them with an icon in the systray. Most programs when they start up or open a new window seem to request the default keyboard rather than the current keyboard and some programs refuse to change to any keyboard that isn't the default. Dvorak works fine so long as it is the default.
A friend of mine is a convert and he runs an NT network (and hates it). The domain controller/fileserver with 20+ gigs of NTFS raid 0 disk in it had both qwerty and dvorak keyboard layouts set up on it. His clueless boss needed to log in after the screen was locked so he pressed ctrl-alt-delete, typed in the domain administrators password. Wrong password. Mmmm. Try again. Nope still wrong password. Try really carefully. Wrong password. Machines obviously fallen over. Switch off, switch back on again.... Wait nearly an hour and a half for chkdsk to finish and still have no clue as to what went wrong.
BTW I also use dvorak after having learned to touch type qwerty at high school. Using dvorak in the hunt and peck style (even if it is really fast) is a total waste of time, you may as well be using qwerty. As previous posters have said, dvorak just feels better and IMHO seems to put less strain on wrists and hands.
I've tutored a first year university programming unit and also would consider myself a mapper. I can only make assumptions about what I've seen but what the lecturers say back this up.
Most people (first years especially) have difficulty in applying knowledge to different problems. It is amazingly difficult to teach some people the concept of functions, when to use them and when not to. Come to think of it, that whole flow of control thing is quite tricky for some:P
Then we get to the whole *genetic algorithm* approach to programming as employed by some students. They (occasionally) think of what needs to be done and then implement something. It doesn't work so the swap some code around. It still doesn't work so they add some code. And so on until they end up with a monstrosity of a program that they have no idea how it works.
Occasionally, when they are given test data, you get code along these lines (example of doing something to a linked list, exactly what is not important):
if an item is two items from the end of the list and it's value is 4 and the list is 12 items long then...
Our machine learning teacher regularily compares the programing styles of some students to genetic algorithms. Start with something that vaugly works, make changes in a random manner and occasionaly add some new code.
End up with something that works on the test data only.:)
When you know the root password! For all of you out there who seem to have missed the point of having the root password a little recap. If you are root then you have access to all files on the system. It's a no-brainer to add some javascript to a few pages or a redirect to a different site. This doesn't mean that the site has been hacked, it means some script kiddies have nothing better to do with their time and want to make a name for themselves.
The goal here is to get root access by some other means. I'm assuming the idea of giving out the root password was so that everybody could know what was running on the server.
I couldn't log on as root so either some genius has changed the root password or the sys admins are fixing the redirect on the guestbook and the various bits of javascript.
Linus doesn't have a PhD. He has a masters degree that had something to do with Linux. Couldn't find anything about if that was what he initally wanted to do (google failed me:-( ). He started coding linux from Andrew Tanumbaum's minix because he didn't like any other OS that he could afford at the time (read windows/dos and Mac).
Slashdot Mirror
Before I start, I've never had anything to do with this project so I'm taking a lot of what you say at face value.
/. or the Interbase
....
...
>* They (Jim Starkey) revealed the backdoor to the
>public before a fix was in place. They didn't
>reveal the actual username/password, but they
>made it very clear where, how and what to look >for. After that most people found it in no time.
Where is there any reference to this? They actually waited until after Christmas and a patch in place before releasing any information and after repeated attempts to contact Borland.
>Either they panicked or saw this as their chance
>for 15 minutes of fame. Given that this backdoor
>has gone unnoticed, and presumably unexploited,
>for years they could have worked with Borland to
>come up with a solution and had this
>solution distributed to the customers before the
>problem was publicised.
And if someone had found the exploit while the patch was being distributed (not unlikely, You get a patch from Borland with instructions to install it urgently. Your database works fine now. Why bother)? Or if someone had noticed it in the unpatched source?
>The majority of Interbase sites are end-users
>who do not read CERT alerts,
>and Firebird newsgroups and mailing lists. These
>sites are screwed now.
And that's the firebird teams fault how? If there are still people out there who aren't willing to take the effort to watch the accepted security advisary mailing lists then they deserve what they get.
>Presumably they *did* try to work with Borland,
>but who did they send to make the contact; The
>people in the IBPhoenix/Firebird community who
>hates Borland the most and who uses every chance
>they get to harm Borland; Ann and Jim.
They hated them sooo much they went out of their way to provide binary patches when the patch that was released by Borland was a non-patch. And they even attempted to contact them at all. They could have just gone to CERT with the advisory, Borland be damned. Borland looks like a criminal for putting a backdoor in their software and the firebird team look like saviours. No extra effort needed.
>That Borland refused to speak with them can
>hardly come as a surprise to them given their
>common history during the last year. If my
>company where the target of Ann and Jim's
>attacks, I too would forbid all contact with
>them.
So petty bickering is more important to Borland than their customers security. There's a customer attitude to be proud of. If you received an email from someone that explained the discovery of a major security hole in one of your products would you think "Now the boss said not to talk to these bad people so I'm just going to delete this email". I think not.
> They (Jim again) repeatedly insult and slander
> Borland and
[snip]
I can't argue with you here I don't know the full story but petty bickering vs huge security hole. Weigh it up.
> They have made sure that Borland will think
> twice before they ever release
[snip]
I should think Borland would. Or atleast they will remove the back doors in their source before releasing it. But of course this was an isolated incedent. I think Borland have done more damage than any of the firebird team could have possibly done by having a back door in their software. Whats the bet that sys admins around the globe are considering ditching all Borland software because it can no longer be considered trustworthy.
Your attempts to hack a Borland database show more you lack of knowledge than any real proof that the security hole wasn't all that bad. I think I would trust the knowledge of people who actually hack the software over a poster on slashdot with a very large user id (=> recently registered) and having only posted once (=> someone from Borland with sour graphs?).
As the other poster said, it'll probably mean Microsoft select. We're talking big companies here (university size at least).At a guess, maybe 5% of all companies have a select agreement and it definately wont be based on need for no registration (that's just about everybody), it'll be based on how much you buy from MS.
> If you will obviously stick out as a foreigner,
> there are other countries you may want to stay
> away from.
If you are an American, then there is a good chance you will stick out "as a foreigner" where ever you go. Basically because a significant number of Americans are rude, ignorant and stupid, unfortunatly for you they also tend to be the loud portion of the population as well. It's not just the accent, although that helps (I pity Canadians for having a similar accent). I've sat next to someone on a plane and talked for several hours before realising her accent was American simply because she wasn't self important and ignorant (she wasn't American either but had spent alot of time in schools with americans).
Basically it's not a question of where you would go but a matter of who would take you. I'm not saying every American is like this but as a group this tends to be how Americans act.
Lets see,
1) "the widely-esteemed guru of the "open source" software movement", nuff said
2) "the Linux operating system", where's the GNU?
3) the whole behind schedule thing
4) what, emacs just a text editor? in which alternate reality is this guy living in?
And most open source advocates are quite happy RMS has nothing to do with open source.
Do what I did to get them off your backs. Move house. That way they annoy someone else and leave you alone. Win win situation.
Isn't there a BSD work alike already? It's in OpenBSD and it's called mtree (I think).
I doubt if a script kiddie would have recognised important source code if it flew out their arse (it the Microsoft case it probably did come out their arse). Also they weren't detected for 3 months and they haven't made a big noise about it. Not typical script kiddie behaviour.
Can you send any signal to a process with one key press+pid+signal num?
And what if the process acting up is screwing up the mouse, or taking up sooo much cpu that the gui is unresponsive? Or if you're logged in remotely?
> or a metal person who talks funny.
Sounds pretty right to me.
Hayden
You crack some elses machine, install it on there.
I'm sure there are thousands of clueless linux users out there who have the requirements for a suitable host,
1) fast, always on internet access
2) rant about how secure linux is and have a box an eight year old could get root on
btw I like linux, but for security, go openBSD.
Nooo... (s)he got mod-ded down because the post was offtopic. But I'm sure this was the first time that's happened. Hell with a username of TrollBoy3 and an email address of Troll@moderators.kiss.my.ass, I'm sure they post lot's of meaningful discussion.
Hayden
But on the plus side: Notepad is unbundled from the OS, and now availble for only $99 from local retailers.
Or as the only application that's easy to make with Visual Studio for a mere $400 (ish)
Some of these points of confusion sound as though they are API related. Do you know how frustrating it is to work out after hours of stuffing around that the API documentation is wrong?
Very colourful language occurs.
A lot of ppl here seem to be saying that commercial DVD players can't read the hidden section. AFAIK this is really wrong.
/. :)
My understanding of how DVD encryption works:
1 Make movie in digital form(duh)
2 Get randomly generated session key and encrypt movie
3 Encrypt session key with all 400 or so of the software and hardware player keys
4 Put movie and all 400 encrypted keys on the DVD and sell (last part not actually part of encryption system)
If this is how it works then the keys need to be readable by the player otherwise they can't decode the movie either. It may be possible that writers can't write to that section.
People who actually know how this works feel free to correct me (I know how shy people are here on
A friend of mine is a convert and he runs an NT network (and hates it). The domain controller/fileserver with 20+ gigs of NTFS raid 0 disk in it had both qwerty and dvorak keyboard layouts set up on it. His clueless boss needed to log in after the screen was locked so he pressed ctrl-alt-delete, typed in the domain administrators password. Wrong password. Mmmm. Try again. Nope still wrong password. Try really carefully. Wrong password. Machines obviously fallen over. Switch off, switch back on again.... Wait nearly an hour and a half for chkdsk to finish and still have no clue as to what went wrong.
BTW I also use dvorak after having learned to touch type qwerty at high school. Using dvorak in the hunt and peck style (even if it is really fast) is a total waste of time, you may as well be using qwerty. As previous posters have said, dvorak just feels better and IMHO seems to put less strain on wrists and hands.
Most people (first years especially) have difficulty in applying knowledge to different problems. It is amazingly difficult to teach some people the concept of functions, when to use them and when not to. Come to think of it, that whole flow of control thing is quite tricky for some :P
Then we get to the whole *genetic algorithm* approach to programming as employed by some students. They (occasionally) think of what needs to be done and then implement something. It doesn't work so the swap some code around. It still doesn't work so they add some code. And so on until they end up with a monstrosity of a program that they have no idea how it works.
Occasionally, when they are given test data, you get code along these lines (example of doing something to a linked list, exactly what is not important):
if an item is two items from the end of the list and it's value is 4 and the list is 12 items long then ...
Makes marking a lot easier :)
Hayden
End up with something that works on the test data only. :)
The goal here is to get root access by some other means. I'm assuming the idea of giving out the root password was so that everybody could know what was running on the server.
I couldn't log on as root so either some genius has changed the root password or the sys admins are fixing the redirect on the guestbook and the various bits of javascript.
Hayden
Linus doesn't have a PhD. He has a masters degree that had something to do with Linux. Couldn't find anything about if that was what he initally wanted to do (google failed me :-( ). He started coding linux from Andrew Tanumbaum's minix because he didn't like any other OS that he could afford at the time (read windows/dos and Mac).
The gospel of Linus as I understand it
Hayden