Slashdot Mirror


User: Legion303

Legion303's activity in the archive.

Stories: 0
Comments: 2,856

Comments · 2,856

  1. Re:Preempt Patch? on Kernel 2.4.17 Out · · Score: 2
    Preempt made my system (around 2.4.9 or so) noticeably slower.

    -Legion

  2. Re:The reason this doesn't affect *nix on Clever New Windows Worm · · Score: 2
    That's not quite true. While it may be harder for a normal account to hose the entire system with *nix, local root exploits are a dime a dozen. A cleverly written trojan *can* take down your system from a normal user account if you aren't up-to-date on the latest security patches.

    -Legion

  3. Re:The exploit on WinXP Security Flaw · · Score: 2
    Perhaps you could also explain why Linux kernels are still being released with glaring security and system bugs in them? (Every single 2.4.x release)? Hm? Maybe it's the SAME reason?

    I don't recall buffer overflow problems in 2.4.x off the top of my head, so it's probably not the same reason. But in any case, it's moot, because I wasn't talking about linux kernels, I was talking about UPNP buffer overflows. Please pack up your straw man and leave.

    -Legion

  4. Re:You gotta love it... on WinXP Security Flaw · · Score: 2
    Even better: Black Hat sends pop-up window that says "installing update," blocks the real one, and installs whatever his little black heart desires.

    Or nothing at all. Muahahahahaha!

    -Legion

  5. The exploit on WinXP Security Flaw · · Score: 5, Informative
    From eEye Digital Security:

    The SYSTEM Remote exploit

    The first vulnerability, within Microsoft's implementation of the UPNP protocol, can result in an attacker gaining remote SYSTEM level access to any default installation of Windows XP. SYSTEM is the highest level of access within Windows XP.

    During testing of the UPNP service, we discovered that by sending malformed advertisements at various speeds we could cause access violations on the target machine. Most of these were due to pointers being overwritten. The following describes one instance.

    Example Session:

    NOTIFY * HTTP/1.1
    HOST: 239.255.255.250:1900
    CACHE-CONTROL: max-age=10
    LOCATION: http://IPADDRESS:PORT/.xml
    NT: urn:schemas-upnp-org:device:InternetGatewayDevice: 1
    NTS: ssdp:alive
    SERVER: EEYE/2001 UPnP/1.0 product/1.1
    USN: uuid:EEYE

    If a buffer is incremented in the protocol, port, and uri fields of the Location URL and send sessions with 10,000 microsecond intervals, access violations will begin to be observed. In one situation, the EAX and ECX registers will contain addresses that are pulled from memory that was overwritten and the svchost.exe process will access an invalid memory address at a "mov" instruction. It throws an access violation due to the fact that the destination address is an overwritten pointer, and there's nothing interesting at 0x41414141.

    During our testing we found that there were multiple points of exploitation. In our testing we found instances of stack overflows and heap overflows, both of which were exploitable. In the case of the heap overflow we saw pointers being overwritten for both buffers and functions.

    The SSDP service also listens on Multicast and Broadcast addresses. Therefore gaining SYSTEM access to an entire network of XP machines is possible with only one anonymous UDP SSDP attack session.

    Comments: First, don't mod me up as "informative"; I didn't write any of that. If you're considering modding me up as informative, consider unchecking "willing to moderate" or at least read the moderator guidelines. Second, does MS put out products with such glaring, horrible security flaws *on purpose*? As far as I know, the UPNP feature is brand new, so it shouldn't be based on any existing code base, yet MS programmers are *still* using unsafe commands (presumably) and not doing bounds checking. This is a buffer overflow vulnerability in a new product, for fuck's sake.

    -Legion

  6. Re:This isn't flamebait on Review:Fellowship of the Ring · · Score: 2
    So if you wanna flame, flame the right people: the MPAA.

    You're right. Dammit, that's the second time I've gotten one faceless corporate monstrosity confused with another faceless corporate monstrosity.

    From now on I'll refer to them both as AWLA: "Assholes with Lawyers of America."

    -Legion

  7. Re:Lousy hypocrites. on Musicians Get Together For Anti-RIAA Concerts · · Score: 2
    I can see the general reaction: here's Elton John the millionaire telling me that the RIAA is screwing artists out of money and I don't buy it.

    Remember, you're talking about the exact same people who fell for RIAA's "Napster is driving down sales" and "we're doing it for the artists" lines.

    Frankly, I think they'll believe pretty much whatever someone famous tells them at any given point in time.

    -Legion

  8. Re:Lousy hypocrites. on Musicians Get Together For Anti-RIAA Concerts · · Score: 5, Insightful
    Skin deep or not, money-grubbing assholes or not, the point is these people will bring the RIAA's abuses to light. Slashdot certainly hasn't. Is Joe Sixpack more likely to get his news from Slashdot or from the Eagles?

    So even though it's one group of rich bastards against another, "fuck the RIAA" is about to become a household phrase.

    -Legion

  9. Re:And here I thought this was illegal: on Slashback: Gaping, Wristwear, Screenies · · Score: 2
    You think they had the permission of every software vendor whose programs passed through these sites?? not to mention the permission of the artists whose music was disseminated.

    Maybe it's because they figure the copyright owners aren't being deprived of actual merchandise, since the programs were copies and not actual physical disks and box sets.

    Shhh, don't tell the guys who were busted.

    -Legion

  10. Re: why not ban spam? on Crazy Stats on Spam · · Score: 2
    If such a law were to be proposed, it would have to respect not only the rights of the individual, but the ability for the business to conduct itself in a fair and efficient manner.

    What, exactly, is "fair" about companies using my resources to tell me what they're selling?

    If I'm interested in what they're selling, I'll seek it out. They have absolutely no right to send me unwanted ads. I already pay for my DSL connection, my ISP, and the phone lines the data travel over. If these spamming assholes want to play "fair" they'll reimburse me for the use of resources I pay for. Otherwise they can go fuck themselves.

    -Legion

  11. This isn't flamebait on Review:Fellowship of the Ring · · Score: 2
    I really want to see this movie, but I'm not giving the RIAA another penny of my hard-earned cash because of all the shit they've pulled. What to do, what to do?

    I know, I'll go download it and watch it here!

    [3 hours later]

    No one has it yet. Lazy slacker pirates....

    -Legion

  12. And here I thought this was illegal: on Slashback: Gaping, Wristwear, Screenies · · Score: 3, Interesting
    Operation Bandwidth:

    On December 11, 2001, the longest-running of the undercover operations culminated with the execution of over 30 search warrants across the United States and Canada. This undercover operation, code-named 'Bandwidth,' was a two-year covert investigation established as a joint investigative effort to gather evidence to support identification and prosecution of entities and individuals involved with illegal access to computer systems and the piracy of proprietary software utilizing 'warez' storage sites on the Internet.

    Bandwidth, through the joint efforts of the Defense Criminal Investigative Service (DCIS), the Environmental Protection Agency Office of Inspector General (EPA-OIG), and the Federal Bureau of Investigation (FBI), supervised by the U.S. Attorney's Office for the District of Nevada, created a 'warez' site, controlled and monitored by the undercover operation, as a means of attracting predicated targets involved with the distribution of pirated software. The undercover 'warez' site has been accessed to transfer over 100,000 files, including over 12,000 separate software programs, movies and games.

    If it looks like entrapment, walks like entrapment, and quacks like entrapment....

    Any lawyers want to comment?

    -Legion

  13. Re:Hacking? on Finding Cheat Codes For A Living · · Score: 1, Offtopic
    Psst: it was a joke.

    Edit: 20 seconds between hitting Reply and posting? Fuck you, Slashcode, I can't help it if I type fast. Bah.

    -Legion

  14. Re:Old news on Verizon's Solution to Terrorism: Eliminate Verizon Competitors · · Score: 2
    What is "locally"? Because Qwest fucked us around for over a month after the promised hookup date for DSL going through a local ISP (not Qwest.net, and not MSN). This was in addition to the router coming two months late due to multiple cases of stupidity at their warehouse, then getting charged full price for the router in one payment, though they told me I would get the promo price spread out over 12 months.

    Yep, I love Qwest. I get to call them every week to argue about new DSL charges they told me I wouldn't see.

    Last time I called the billing office and told them I had an issue with a DSL charge, they gave me another number to call. I called the number and got MSN customer support. Thanks, Qwest! You incompetent morons.

    -Legion

  15. Re:Mirrors on Uplink · · Score: 1
    Big Scandinavian country. Lots of Finnish people living there.

    -Legion

  16. Re:Humm... on Uplink · · Score: 2
    If only it were that simple. Though the game uses no 3D graphics, it requires OpenGL (GLX extensions in X).

    -Legion

  17. Re:Could this 'game' be linked to the real world? on Uplink · · Score: 2
    *clicks on "Monitor Bypass"*
    *clicks on "Firewall bypass"*
    *clicks on "Proxy bypass"*
    *plays admin's voice sample*
    *clicks on "Decypher"*
    *clicks on "Password Breaker"*
    *transfers 1,000,000 dollars*
    *cleans up logs*

    If I could break into banks that easily in real life, I certainly wouldn't be wasting my time doing it in the game. :)

    -Legion

  18. Uplink on Uplink · · Score: 2
    I was going to submit a review of this to Slashdot. Oh well, now I can review it quick and dirty and not worry about proofreading or getting facts straight:

    Strong points:
    Lots of fun
    Intriguing backstory
    Sound basic principles (don't connect directly to the system you're breaking into; be careful and erase your tracks)
    Choose your own path--script kiddie or security professional

    Weak points:
    GLX/OpenGL requirement--this game uses *no* 3D, yet I can't play it in linux because my video cards (Voodoo 2, Riva 128) aren't supported by GLX
    Logical errors--when I'm caught hacking into Uplink's own mainframe, I shouldn't get the generic endgame message "A large company has informed us that [etc.]"
    If you progress too far into the game without performing a certain action, you miss the entire backstory and must start over from the beginning to catch it
    Extremely repetitive after awhile--just like real [h,cr]acking!
    Once you have enough money (and hacking banks is pitifully easy) you can afford equipment good enough to ensure you'll never be caught, and the game becomes way too easy

    All in all, this is a good game. It's easy to get immersed in the gameplay. The sound effects are just right. The music gets repetitious after awhile (only 5 songs or so), but it's good old .mod and .s3m stuff from the likes of Skaven (attention, Introversion: did you credit the music creators? If so, I missed it).

    To address peoples' complaints: yes, the IP addresses aren't real. They aren't supposed to be. It's a game. No, it isn't like real [h,cr]acking, apart from the basic principles of "bounce your connection and clean up after yourself." It isn't supposed to be. It's a game. It isn't going to teach anyone how to hack. It isn't supposed to. It's a game.

    I think the best part of the game is that you can choose how you want to play it. You can accept the script-kiddie "give this system a virus" or "delete all files" missions, or you can accept the much more complicated "track down this hacker using log trails which may have been modified" missions. Just like real life--do you want to be a scum-sucking script-kiddie, or do you want to learn a thing or two? Your choice....

    I would recommend that *anyone* at least download the demo and give it a try. $25 for a fun game that runs on linux (assuming you have recent hardware) is a goddamn steal.

    -Legion

  19. Suck my cock, RIAA on Webcasting and the DMCA · · Score: 4, Insightful

    Isn't it about time the college radio stations said, "Piss off, RIAA, we're only playing non mafia-sponsored music from now on"? "KBBL: RIAA free and damned proud of it." The first radio station that has the balls to do this will get as much donation money as I can afford.

    -Legion

  20. Re:serious consequences on Google Expands Usenet Archive to 20 Years · · Score: 2
    If you guys didn't want your posts archived, you should have used the "X-No-Archive: yes" header. As far as I can see, Google respected those requests (they had to; Deja never archived them in the first place).

    -Legion

  21. Re:long thread on Google Expands Usenet Archive to 20 Years · · Score: 2
    This is the earliest one I could find in that thread.

    -Legion

  22. Re:the more things change... on Google Expands Usenet Archive to 20 Years · · Score: 2
    Hold the phone! *TWO* serial ports for under $5K? That's gotta be a misprint.

    I was 10 in 1982, and working on Apple ][ hardware. No, scratch that, that must have been later. I think I was on a Timex Sinclair 1000. Programming graphics demos at the time, but I'd definitely never heard of unix.

    If I had stuck with the programming I bet I'd have a great job by now. Oh well.

    -Legion

  23. No subject on Fed Raids Software Pirates in 27 Cities · · Score: 2
    Fed Raids Software Pirates in 27 Cities

    Wow, I didn't know Alan Greenspan opposed warez this strongly.

    Didn't DoD have a reputation for releases that didn't work right? Maybe that's why the BSA is going after them: "You're making our software look bad, dammit!"

    -Legion

  24. Re:One Question on Fed Raids Software Pirates in 27 Cities · · Score: 2
    The FBI only gets involved if a certain amount of money has been "lost." So for free (no-cost) software, you'd be hard pressed to get them to do anything about it. Would they get involved if the loss was expensive open source software? I'd think they would.

    -Legion

  25. Re:At The Risk of Losing Karma... on The Hype of the Rings · · Score: 2
    Here's another "me too." Every time I try to read the _Fellowship_ I lose interest when the travellers get to Rivendell. Maybe next time I try reading it I'll skip straight to the part where they leave.

    _The Hobbit_ was far, far better in my opinion.

    Looking forward to the movie, though. It looks much more action-packed and riveting than the book.

    -Legion