Teh Brits affecting the accounts of a Hong Kong based business eh... What Would Hong Kong Phooey Do?
This reminds me of when Register.com faced delisting. I wondered what would happen to my domains which were registered there at the time should they have gone under... At one point in time, they (register.com) were the only ones next to then Network Solutions who had the accreditation to register domain names (1998-1999ish) -- and shortly afterwards others were allowed to become registrars... Anyhow, back then - even now perhaps - there was little one could do in matters of moving domain names between registrars. I've had to move domains back and forth and it was a nightmare. There was no oversight, no set rules for a registrar to follow, nor any mention of failover should a situation like this happen. And I don't mean failover in the server sense. I mean failover in the registrar going under sense. It's a dual-edged sword; makes you kind of wish there was one sole registrar... In matters of this article, I wonder why they gave control of the domains to solely one registrar. Why not split them up evenly or give domain owners a choice of who they want managing their domains... Perhaps there should be an Open Source registrar...
Give me some DARPA funds... I'd throw together the mother of all attacks to take out that great wall of China ;)
Again, it was a theoretical based study for security labs... It's possible but highly complicated and only a matter of time before someone throws something together to do that and worse
What would QoS do at this level except overwhelm your processor? Unicast Reverse Path Forwarding would be the better solution nowadays. Cat 6500 info... If networks were built correctly from the ground up, these attacks wouldn't even happen as much. If three networks were connected and all had uRPF or filtering in place, no three networks would be able to spoof addresses and cause attacks. They'd be forced to attack using a valid address on their network which would make tracking easier...
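To make the uRPF point above concrete, here is a small Python model of a router's unicast reverse-path check. It is added example code written for this page, not the commenter's work or any vendor's implementation; the forwarding table, interface names and sample packets are constructed assumptions. It shows both strict and loose mode, so it goes slightly beyond the comment, which only names the feature.

```python
import ipaddress

# Constructed forwarding table (FIB) for a router with three customer-facing
# interfaces and one upstream; prefixes and interface names are assumptions.
FIB = [
    ("10.1.0.0/16", "eth1"),  # network A is reached via eth1
    ("10.2.0.0/16", "eth2"),  # network B via eth2
    ("10.3.0.0/16", "eth3"),  # network C via eth3
    ("0.0.0.0/0", "eth0"),    # default route toward the upstream provider
]


def best_route(fib, address):
    """Longest-prefix match: (network, interface) for address, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="strict"):
    """True if a packet with source `src` arriving on `ingress` passes uRPF.

    strict: the route back to src must leave through the very interface the
            packet came in on (what each of the three networks' edge would do).
    loose:  a route back to src must exist at all, the default route excepted,
            so only completely unrouted (bogon) sources are dropped.
    """
    route = best_route(fib, src)
    if route is None:
        return False
    net, iface = route
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        return net.prefixlen > 0
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed sample packets: (source address, ingress interface).
PACKETS = [
    ("10.1.5.5", "eth1"),       # network A using its own address: legitimate
    ("10.1.5.5", "eth2"),       # network B spoofing an address from network A
    ("198.51.100.7", "eth3"),   # network C spoofing an address routed nowhere
    ("10.3.9.1", "eth0"),       # packet from upstream claiming to be network C
]


def filter_packets(fib, packets, mode="strict"):
    """Return the packets that would be forwarded under the given uRPF mode."""
    return [(src, ingress) for src, ingress in packets
            if urpf_check(fib, src, ingress, mode)]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, filter_packets(FIB, PACKETS, mode))
```

Strict mode is the right fit for single-homed customer edges like the three networks in the comment: a packet whose source is not routed back out the ingress interface is dropped, which is exactly what forces an attacker to use an address that is valid on their own network. On multi-homed or asymmetric links strict mode drops legitimate traffic, which is why the loose variant exists; it only catches sources that are not routed anywhere.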
You know... I thought about the possibility of a Multicast worm/attack... Just haven't had time to document it... Would work similar to the following... For those who use IM clients that have annoying streaming advertisements... If you didn't know, those are multicasted to your machine... My theory was to re-inject packets at the router level (avoiding Reverse Path Forwarding when possible) to make your machine believe my spoofed host is a valid source to get your images from... Only thing is, the image would be corrupted forcing an infection on your machine... This would in turn replicate via broadcast from the infected hosts... It was a theory of mine while studying DoS attacks for the CCIE security exam and a lot of variables would have to be met... Anyhow, the reason for this post is, I believe those committing DoS attacks are half-clued as to what a real attack could potentially do... For instance Border Router Attack Tool is another theoretical tool to break BGP neighboring. You of course have to know enough about a topology to even get it to work but under a unified stream, you could cause massive route flaps which lead to neighbors disconnecting. It's only a matter of time before someone takes it to the extreme and breaks connectivity between huge ASes
Ban on name changes by sex offenders.
Funny how politicians will throw anything into the political arena during crunch time (races...). Just how do they propose to keep track of "name changes" from a sex offender. For starters they can't even maintain their own equipment, can't secure the FBI infrastructure, a company for MySpace is already reporting false positives.... Should we wait for the FBI's new and improved Carnivore?... Or maybe Hack our Kids' brains... I got it... How about government sponsored Parenting Classes that teach parents how to get involved with their kids' lives...
In other news, I quote: 'Microsoft wants royalties from the open source world, according to Roger Parloff of Fortune'.
How about a reverse fake ap MAC address generator/packet injector whereas instead of Fake AP's, fake MAC addresses were injected into the wifi routers...... Wait no... One million more students detected may make them call in the military...
You trying to jedi mind trick me to believe I was a kid when this came out... Well, I've been using wifi since... since... since...
SCO Attorney: Your honor, we'd like to rectify the use of our patents but since they are proprietary information we cannot disclose them publicly.
Novell Attorney: Your honor there are no infringements. If SCO could present the infringements they would. Their use of the word "proprietary" is solely FUD based manipulations
Prosecutor Attorney: Did you say Fud?
Juror Attorney: *whispers to another juror* I didn't even know they infringed on Warner Bros.' patented Looney Tunes character Elmer Fudd
Judge Attorney: *Watching Judge Judy in the background*
It's obvious Microsoft has better things to do like look for which politician, judge, and other luser whose pocket they could grease before they post their findings. I wonder if someone from the old Xerox days (daze) cares to look in their dusty file cabinets and slap a nice one on Billy Goat
I should have included the fix for the ASCIIZ bypass... So here goes..
SecRule REQUEST_BODY "@validateByteRange 1-255" "log,deny,phase:2,t:none,msg:'ModSecurity ASCIIZ Evasion Attempt'"
Now back to a response... My point is that you responded to a request from an end user with the wrong solution. It's not a solution for a single end user running WP in a shared hosting environment or virtual machine.
You must be kidding? I have about 15 other sites hosted on the same box and my rules affect no one but my own site.
Plus mod security requires you know how the web app works before you can write the rules; at that point it's as easy to patch the software itself for a single install.
So let me put this in logical terms via way of analogy... You want someone to just point and click run an application without them knowing a shizzle about how it works and why... They just want it up and running... Then at the same time you expect them to be savvy enough to 1) monitor for updates, 2) install those updates... So how different is this from me stating... By the way, here is an even SLICKER method for making SURE no one is going to touch your machine. Heck I could have avoided using mod_security and used .htaccess with a proxy server set to only allow localhost then do updates via ssh and links... That's the foolproof method.
Regardless of the software I throw up, it's UP TO ME as a USER to make sure MY IMPLEMENTATION of software is secure enough for ME. No vendor, FOSS developer person on the planet will release a patch in quick enough time for me. Hence security being pre-emptive and proactive. So I could care less if product_foo has updated versions or not. And one would have to be an ass to wait for a vendor to release a patch if there is something they could do to protect themselves in the interim... So analogy... Your house is starting to burn... You have a fire extinguisher near you and you dial 911... Do you a) wait for 911 to get there or b) try to do something in the interim. I don't know about you but I'm trying to put that fire out before my house burns. Fire department can get here when they do.
Your ubuntu article overstates itself; sandboxing granny's activities and protecting sudoers/wheel is a good idea. You wrote an alarmist article that is almost indistinguishable from FUD.
You're free to prove me wrong... Show factual information. I gave facts and proof.
Your words are contradictory... You state Mod security is an even bigger joke than your ubuntu article! blah blah cry cry.. Then state keeping up to date with the latest stable versions... blah blah So does that mean if you kept up to date with mod_security it's still a joke. A system is only as secure as you make it, and FYI I'm very aware of the pros and cons with modsecurity, PHP and most CMS systems in general. So your point is what?
Not always the case. Depending on which PHP CMS you use, many reference admin.php which means you would have to do something like... find . -name "*.php" | xargs perl -pi -e 's/admin\.php/newname_of_page.php/g'
You know, it's disgusting how this country has become for a dollar....
Phillips, TRW, and Koch have more in common than a history of repeatedly violating workplace and environmental laws. They also rank among the nation's largest government contractors. Between 1995 and 2000, the three corporations received a combined total of $10.4 billion in federal business, at the same time that regulatory agencies and federal courts were citing the companies for jeopardizing the safety of their employees, polluting the nation's air and water, and even defrauding the government.
That's not supposed to happen. Federal contracting officers are charged with reviewing the record of companies that do business with the government and barring those that fail to demonstrate "a satisfactory record of integrity and business ethics." But officials are given no guidelines to follow in making such decisions, and there's no centralized system they can consult to inform them of corporate wrongdoing. As a result, a government report concluded in 2000, those responsible for awarding federal contracts are "extremely reluctant" to take action, even when they are aware of violations. And in the rare instances when the rule is enforced, it is almost always employed against small companies with little clout in Washington.
There is little incentive for any company to follow the law. Why should they when they can get a slap on the wrist and a wink of the eye... "You don't go doing that again now, you hear... By the way, we really like those HP notebooks and I was thinking about my son's classmates". Jesus Christ this country is a scam in itself
http://www.infiltrated.net/docs/modsecips.html step by step... If it's your own server... If not have the admin slap on mod_security for you and add the same rules in my previous post on this page... www.infiltrated.net/admin.php go for it... That's how I add content. There are a lot of variables to prevent against injections, etc.
Block Spam injections
Directory traversal attacks
SecFilter "\.\./"
XSS attacks
SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"
SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
Too many times there are clueless admins (not you per se). But this also tends to be one of the gripes on the Ubuntu Document people flame me for. If *semi* even experienced admins can't lock a machine down... Imagine when Ubuntu on Dell becomes the next hot thing. Flame as much as you'd like; facts are facts
Securing LAMP Mod Security. It's so simple a fix with mod_security...
SecFilterSelective REQUEST_URI "/admin.php" chain
SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg
SecFilterSelective ARG_username YOURUSERNAME chain
SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg
Where your IP address and your username are the only ones to allow anything to the admin page. Anything else gets redirected elsewhere.
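The three rule sets quoted in this thread (the @validateByteRange fix for the ASCIIZ bypass, the SecFilter blacklist for traversal, XSS and SQL keywords, and the chained SecFilterSelective rules guarding admin.php) are all easier to reason about when run against sample requests. The following Python model is added example code written for this page; it is not ModSecurity's code or the commenter's. It emulates the rules' matching logic only: the assumed request shape, the placeholder addresses and username, and case-insensitive matching for the legacy SecFilter patterns are all assumptions of the emulation.

```python
import re

# Constructed emulation of the rules quoted in the comments above; it is not
# ModSecurity itself. Patterns are copied verbatim from the posted rules.
SECFILTER_PATTERNS = [
    ("directory traversal", r"\.\./"),
    ("xss: any tag", r"<(.|\n)+>"),
    ("xss: script tag", r"<[[:space:]]*script"),
    ("sql: delete", r"delete[[:space:]]+from"),
    ("sql: insert", r"insert[[:space:]]+into"),
    ("sql: select", r"select.+from"),
]
SORRY_URL = "http://www.infiltrated.net/sorry.jpg"  # redirect target from the rules


def posix_to_python(pattern):
    """Python's re has no POSIX bracket classes; translate the one used above."""
    return pattern.replace("[[:space:]]", r"\s")


def validate_byte_range(body, lo=1, hi=255):
    """Emulates '@validateByteRange 1-255': True only if every byte is within
    the range, so a NUL (0x00) used for ASCIIZ truncation fails the check."""
    return all(lo <= b <= hi for b in body)


def matching_filters(request):
    """Names of SecFilter patterns that match the URI or any argument value.
    Assumption: matching is case-insensitive, as the 1.x engine did."""
    targets = [request["uri"]] + list(request["args"].values())
    hits = []
    for name, pattern in SECFILTER_PATTERNS:
        rx = re.compile(posix_to_python(pattern), re.IGNORECASE)
        if any(rx.search(t) for t in targets):
            hits.append(name)
    return hits


def admin_chain(request, allowed_ip, allowed_user):
    """Emulates the two chained rules: if the URI references /admin.php or the
    'username' argument is the admin's, the client must come from allowed_ip.
    Returns True when the request should be redirected."""
    sensitive = (re.search(r"/admin\.php", request["uri"]) is not None
                 or request["args"].get("username") == allowed_user)
    return sensitive and request["remote_addr"] != allowed_ip


def inspect(request, allowed_ip, allowed_user):
    """Run the rules in order and return (action, detail):
    ('deny', message-or-hits), ('redirect', url) or ('allow', None)."""
    if not validate_byte_range(request["body"]):
        return ("deny", "ModSecurity ASCIIZ Evasion Attempt")
    if admin_chain(request, allowed_ip, allowed_user):
        return ("redirect", SORRY_URL)
    hits = matching_filters(request)
    if hits:
        return ("deny", hits)
    return ("allow", None)


def make_request(uri, remote_addr, args=None, body=b""):
    """Minimal request record; the real engine sees far more fields."""
    return {"uri": uri, "remote_addr": remote_addr, "args": args or {}, "body": body}


# Constructed sample traffic; addresses and the username are placeholders
# standing in for YOUR.IP.ADDRESS and YOURUSERNAME in the posted rules.
ADMIN_IP, ADMIN_USER = "198.51.100.1", "alice"
SAMPLES = [
    make_request("/index.php", "203.0.113.9", {"id": "5"}),
    make_request("/admin.php", "203.0.113.9"),
    make_request("/admin.php", ADMIN_IP),
    make_request("/login.php", "203.0.113.9", {"username": ADMIN_USER, "password": "x"}),
    make_request("/index.php", "203.0.113.9", {"file": "../../etc/passwd"}),
    make_request("/search.php", "203.0.113.9", {"q": "1' UNION SELECT pw FROM users --"}),
    make_request("/post.php", "203.0.113.9", {"title": "hi"}, body=b"text=abc\x00def"),
]


def run_samples():
    """Verdict for each sample request, in order."""
    return [inspect(r, ADMIN_IP, ADMIN_USER)[0] for r in SAMPLES]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLES, run_samples()):
        print(f"{req['uri']:<12} from {req['remote_addr']:<13} -> {verdict}")
```

Two caveats show up as soon as the model runs over real-looking input. The `<(.|\n)+>` filter denies anything in angle brackets, so a CMS that accepts HTML in a post body will hit it on legitimate traffic; and `@validateByteRange 1-255` rejects only the NUL byte, which is exactly the ASCIIZ case and nothing more. Note also that the SecFilter lines are ModSecurity 1.x syntax while the SecRule line is 2.x, so they would not load together in one configuration without translation.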
One of the problems I could foresee with this will be an issue of credibility and a lot of mishmashed news. E.g. (US version) "Military personnel targeted and destroyed a terrorist training camp" ... (Arabic version) "US Military personnel bombed innocent children today..."
Who's going to determine which view of the news is correct and incorrect. It's different when you can read and infer as opposed to having someone verbally tell you their representation. PsyOps/Intelligence personnel from any country could/would have a field day with this video idea.
On body armor... Israeli researchers at one company, ApNano Materials Inc. in New York, have shown off a breastplate of nanometals said to be five times as strong as steel. (source)
One of the coolest things I recall seeing - I forget if it was on the Military Channel or Discovery - was body armor made from a material (sorry, forgot what it is/was; might have been spider silk) that would act as a body of water and ripple off the impact of a bullet to reduce the point of entry thereby leaving the target (person wearing the armor) safe. I personally think we are maybe 10 years away from finding an impenetrable body armor solution. My wonders are, how much will it cost when it does come out. Sadly instead of attempting to assist military and LEOs, the makers will let greed get in the way.
Is not the move...
So how long should we count down to until someone embeds the backdoor from hell in not only Linux, but Solaris, then the BSDs... As an FYI... I've got a functional backdoor-worm for Free and Open... Just makes no sense to even post it. Many don't even get what I mean when I state "there is a world of pain coming your way if you do that"... Mark the calendars, I give it about 9 months before something à la SOBig/Blaster hits the *nix scene...
Factual information you may not be aware of. A large number of rats are cooperating in attempts to save their asses and will feed anything, anyone to prosecutors to save their asses. Many times they will lie and when those lies are told what about the innocent people that are hurt. You never hear about the prosecution coming clean. Look at the feds and Whitey Bulger. In fact dig up information on over 85% of snitches and they almost always make things up (anything) to save their ass.
This site has been around for a little while so it is not news and I fail to understand why it is causing such an uproar. Here are the US Today article counterpoints I would throw out there...
Since then, it has grown into a clearinghouse for mug shots, court papers and rumors. All publicly available anyway (mug shots, papers, etc.). Rumors... Rumors will always be rampant no matter what.
Federal prosecutors say the site was set up to encourage violence, and federal judges around the country were recently warned that witnesses in their courtrooms may be profiled online. Where is the proof of the federal prosecutors' claim. Do they have substantial evidence that states "This crime happened specifically because of this site". If not then it's speculation. That's like saying "this shooting happened because there was a gun store in town"
"My concern is making sure cooperators are adequately protected from retaliation," Isn't that the job of the US Marshals who offer snitches protective custody. They turned snitch most often under the agreement of something either financially motivated, or under the notion they would be protected. Not your problem Judge.
"Stop Snitching" T-shirts have been sold in cities around the country What does one have to do with the other. So what, T-shirts are being sold across the city. Would it be correct for me to say... "And there is a car dealer in town. So it must be so that those who are committing drive-by shootings buy their cars here since it's the only car dealer in town." BS.
There is so much crapaganda on this discussion it is disgusting, and if the website is removed, like it or not the government is hindering free speech. Bottom line
Man I've been using wifi since... since... since...