126 posts • joined 15 Sep 2009
Was it a MITM or what?
Was it a MITM job, or were the social security numbers taken from server memory by exploiting the bug? How can they know how many (and which) numbers were taken?
Yes, sure, it was a suicide. Just like Roberto Calvi. http://en.wikipedia.org/wiki/Roberto_Calvi
Telecom Italia had such junk before...
Telecom Italia, in the years 2000-2003, gave their BUSINESS users a router from "Telindus" that exposed its password in plain text to anyone that sent the right "request" to it. Both on LAN and on WAN. So hacking Telecom Italia business users was as simple as sending the right request packet (simple and identical for every router, no MAC address hash involved) to every Telecom Italia public IP address, and you could collect all of the routers' passwords in plain text. Then you telnet to the router and you are in.
I discovered this vulnerability while trying to access a router (locally) for a customer who lost the password. (http://archives.neohapsis.com/archives/bugtraq/2002-06/0028.html)
When I told Telecom Italia (and then Telindus) about it, they asked me if I was going after a ransom, if I was some sort of criminal. I just wanted to warn them. Anyway, 6 months later, they changed the firmware so that now you needed to apply an XOR to have the password in plain text.
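An added illustration of the last point in that post (this is my example, not the poster's code and not the Telindus firmware; the reply layout "user:password", the two-byte key and the known "admin" prefix are all assumptions, since the page does not describe the real packet): XOR with a fixed key baked into every unit is reversible by anyone who has the firmware, and even without the key a short known-plaintext prefix recovers it.

```python
# Added illustration, not the Telindus firmware and not the poster's code.
# The reply layout ("user:password"), the two-byte key and the known prefix
# are assumptions for the demo; the page does not describe the real packet.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so this one
    function both obfuscates and de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(obfuscated: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a repeating key of length key_len from a known-plaintext
    prefix at least key_len bytes long (e.g. a fixed username)."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(obfuscated[i] ^ known_prefix[i] for i in range(key_len))


def recover_password(reply: bytes, known_prefix: bytes, key_len: int) -> tuple:
    """Strip the XOR layer without knowing the key in advance and return
    (recovered_key, plaintext_password)."""
    key = recover_key(reply, known_prefix, key_len)
    plain = xor_bytes(reply, key)
    user, _, password = plain.partition(b":")
    if user != known_prefix:
        raise ValueError("known prefix does not match; wrong key_len?")
    return key, password


# Constructed sample: what a post-fix firmware might send back (assumed layout).
FIRMWARE_KEY = b"\x5a\xa5"          # assumed: same key baked into every unit
REPLY = xor_bytes(b"admin:S3cr3t!", FIRMWARE_KEY)

if __name__ == "__main__":
    # Attacker path 1: key pulled from the firmware image -> decode directly.
    print(xor_bytes(REPLY, FIRMWARE_KEY))
    # Attacker path 2: no key at all, just a guess at the fixed username.
    print(recover_password(REPLY, b"admin", key_len=2))
```

The point of the two attacker paths is that the "fix" changes nothing about who can read the password: the only real fix is not answering an unauthenticated request with the credential at all.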
Re: So something like $400M-$500M has been spent on this website....
So we Italians are not alone. Our government spent 45 million euros on the useless "italia.it" website.
I have had a lot of bad experiences with Asus mainboards (and with almost every consumer mainboard I have happened to use under heavy load). These mainboards are usually slow. Their buses are full of bottlenecks, so you don't get to use all of the speed of the CPU or of the disks or of the RAM you are installing. I know that this is not a proper technical description of the issues I had, but I am no longer "up to date" with modern hardware design. What I know is that I have seen more than one Asus-based "very fast workstation" perform very poorly at various I/O intensive tasks. I have seen the latest and greatest hardware (Asus mainboard) run terribly slow when compared to hardware that was 5 years old (Intel mainboard) at the same task (mechanical 3D CAD that needed to load hundreds of little files to create the entire project in RAM). It was not a video card issue, but definitely an I/O issue.
How does your setup feel? Does it feel fast enough, considering the CPU and RAM you are using? Have you tried using different mainboards?
PTT could have been a great idea...
... but it was a failure in Europe because of the greediness of the operators, I suppose.
Belize, stormy night, homicide, lunatic millionaire, home-made drugs... it really seems to be the beginning of a Call of Cthulhu RPG session.
Bing had malware sites as sponsored pages!
Some time ago (six months, maybe) I was installing some new Windows machines (which I usually don't, because I am a Linux sysadmin) and after installing them I wanted to install "security essentials", so I opened up Explorer, and searched (in Bing, it is the default search engine) for "microsoft security essentials". The first two links (sponsored, I suppose, because they were on some gray or blue background) were for malware sites, the first non-sponsored link was for some dodgy download site that puts spyware in every download, and the fourth result was for the right site.
If I run the same search in Firefox (same Windows box, same day, just installed Firefox and tried the search on Bing using Firefox), the sponsored links do not appear at all.
I have confirmed this behaviour at least four or five times. I don't know if they have fixed it now.
Now I don't trust Cisco anymore. They have lost a customer. Maybe more than one, since I am a consultant.
Re: I do use Facebook
You are a wise man. But a lot of idiots happily abuse their contacts' data (phone numbers, email addresses) by giving them away to every spammer and every dodgy app in the world.
Re: Nice game, but...
Not only to play Diablo, but we also play Diablo. We eat, chat, drink, then someone goes to sleep and someone pulls a Diablo all-nighter.
Nice game, but...
... but I like to play Diablo 2 offline in coop mode with some friends, on a LAN with no internet connection (at a cottage with a flaky cellular connection and no phone or DSL line). This "online only" mode, which is not actually required (except for DRM purposes) when playing solo or in a LAN environment, will spoil our Diablo nights at the cottage.
So I'm not buying it, at least not until we find a way to play offline in our LAN, which may be possible by cracking the DRM, or may not be possible at all, if the game can only talk to its servers to set up a multiplayer coop game, instead of talking to the other local installations.
I really HOPE that there will be an IP bubble, with patent trolls paying millions for patents and then going bankrupt in the most gruesome way.
... does it mean that you have to enter www.something.com/smut/ instead of www.something.com?
How technically difficult. How hard to explain. It must be kept secret and undisclosed. Just say "follow a particular digital path", do not help criminals understand this technology.
If the operators were willing to share all of the information gathered with the users, then I'd consider installing such spyware on my phone, because it would be useful to me, too.
If they don't, or they just share half of what they gather, then it's a big "NO, THANKS" for me.
Software Patents: a complete failure. That's all.
Not just lock-in...
While such a solution can be nice for a fibre patch cable (that you buy already "terminated" with such opto-electronic integration), it is quite useless for longer runs where you have to lay the fibre for hundreds of meters (or feet, or furlongs, or whatever) and then cut it and connect it. You would have to have the fibre pre-cut and pre-terminated at the right length before you buy it.
A little too late
It's a little too late, isn't it?
A great game
One of the best games I have ever played.
Canonical will not be missed
Well, when someone really thinks that a big non-touch monitor needs to run the same interface as a small touch one, I think it's time to say "sure, go on with this madness" and promptly choose another distro or another desktop manager.
I like the Android touch-friendly interface on my phone and on my tablet, but I DON'T WANT the same interface on my 28 inch non-touch monitor.
Interface designers in commercial products think that users are stupid, suffer from attention disorder, and cannot focus on more than one simple task on one big window that covers all of the screen, with no more than two big buttons at a time. Everything more complex is absolutely too hard to use. And while there are smarter users in the commercial software world, there are also a lot of brain damaged users.
But, if we keep helping the brain damaged users, sooner or later the smart users will die of boredom.
Have you seen the movie "Idiocracy"? It is a perfect example of where we are headed.
Those pesky disk manufacturers...
What we need is reliable disks, not 10-terabyte disks. They should focus on reliability, and they do exactly the opposite.
Uhm... too much crapware, and too low screen resolution.
Here in Italy, too.
My wife went to the just-opened Apple Store in Bologna, Italy and she also told me that it stinks. Too many people, not enough air conditioning. An enormous, new and beautiful store, very nice to see, not very nice to smell.
Fixing IT problems is boring?
If you have a severe failure, a day or so of data that could be lost, and 150 workers that cannot work, well, this is NOT so boring.
I believe that being a BOFH is like being a passenger airline pilot. You get months of boring work and then some really terrifying minutes (or hours) now and then.
I'm sorry for being Italian. Please, come and conquer us, and hang all of these idiots.
I hope not so pointless
Good and cheap(ish) e-readers other than the Kindle series do not exist, and I'm really happy to see that someone is trying to offer some alternative product. I'm just waiting for the first touch screen e-readers to decide which suits me best. And I am taking into account the flexibility of the reader, as opposed to the closedness of the market that Amazon is trying to obtain. (sorry if I express myself as a monkey, my mother tongue is not English)
So, if I can buy an e-book reader that is as good as the Kindle, but with added extra formats support (epub, mobi, html, pdf, rtf, text...) then that is my preferred choice.
So badly written...
... that it is likely made by a government! LOLLASTIC!
By the way, do terrorists still use Windows?
Bing sucks so much...
Try also to search for "microsoft security essentials" on Bing using IE. The first two links are malware sites. If you use Firefox it behaves differently...
So Debian it is...
I have always run Debian on servers, and I have run Ubuntu on my desktop since 6.04 if I remember correctly. Now, given the fact that EVERY new interface looks like Barbie's kid computer, it's time to switch to Debian also on the desktop. Maybe I'll look at KDE4, but it's time to say bye bye to Ubuntu anyway, I don't like its philosophy any more.
I'd need an EXTRA-FAIL icon...
So ribbon is OK for disabled people...
So what you are saying is that the ribbon interface is OK for people with cognitive problems, and is annoying for "normal" people. This post says it all about what Microsoft thinks about its customers.
RSA uses Windows (fail), does not have enough in-depth security (fail), has never trained staff about basic security (fail). Or worse, a top manager opened that email. A manager of the kind that WANT to have admin access to everything, and is so dull and gullible that he is the perfect target for every phishing scam in the world. Either way, this is an EXTRA SUPER DUPER FAIL.
Apps for what?
Apps for a dead OS? Why bother?
Citizen, be paranoid!
I can see that almost all of the comments are from paranoid enough people. I keep my fingers on random keys while waiting for the ATM to show me a lot of useless information that cannot be skipped, then enter the PIN at lightning speed (I am good at typing fast), and then I keep my fingers on random keys again. I do all of this while keeping my wallet over the keypad with my other hand. (I suppose that we can all enter the PIN without looking at the keys, can't we?)
If my ATM PIN is hard to get, and everyone else's is easy to get, guess who will lose his money? Everyone else. It's "security by being such a bitch". If stealing from me is hard, and stealing from someone else is easy, why should the thief steal from me?
I happen to know a little about the history of pinball machines (a friend of mine is one of the biggest pinball collectors in Italy). In the fifties, pinball machines had scores that advanced by one when you hit some target. In the sixties, they advanced by ten. In the seventies, by one hundred. The latest ones, by thousands. I call this "score inflation". It's psychologically pleasing for the player to score "1 billion, 234 million and 9 thousand" points instead of "12,349" points. But if you look at the pinball machine code (or mechanical relays, depending on the year) you will see that the two scores need the same effort to be reached.
Now, it seems a little silly, but I believe that later on we will see version numbers increase by ten, then by a hundred, and so on.
Now we have Firefox 6. In 6 months we will have Firefox 12, then Opera could switch from 12 to 22 to play "catch up" with Firefox, and IE from 9 to 19... then Firefox will release version 23, and Opera version 40 (to make it even, they will jump over version 32), and eventually Firefox will release version 100, and so on.
I suppose I will see some browser release "345K" (as in 345,000) before I die.
Well, it all depends on the meaning...
It all depends on the meaning of "hack". I think that changing the clock is still a hack, especially when dealing with internet-connected, part-server and part-client-side software. If the programmer is a fool and trusts the client's clock, then it's a hack. An easy, stupid hack, but still a hack.
Then there are really clever hacks, like taking control of the firmware of a NIC remotely and using it to mess with OS memory using DMA.
I understand that changing the clock is easy and messing with NIC firmware is a truly cool hack, but I still maintain that both are hacks.
Yes, it is.
Yes, setting the clock forward to gain an advantage in online gaming is a (simple) hack. If you can make the program behave in an unintended way, you are hacking it. It is hacking as is setting the clock backward to fool "trial" software into a "forever trial" status, for example. Easy, stupid, but still a hack.
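The "programmer trusts the client's clock" case from the two posts above, as an added example that is neither poster's code: a game server enforcing an ability cooldown, once by trusting the timestamp in the client's message and once by measuring time on its own clock. The JSON message format, the 30 second cooldown and the FakeClock stand-in for time.monotonic are assumptions for the demo.

```python
# Added example, not from either post. The message format, the 30 s cooldown
# and FakeClock are assumptions for the demo.
import json
import time

COOLDOWN_SECONDS = 30.0


class VulnerableServer:
    """Trusts the timestamp the client puts in its own message."""

    def __init__(self):
        self.last_used = {}

    def handle(self, raw: str) -> str:
        msg = json.loads(raw)
        player, t = msg["player"], float(msg["client_time"])
        last = self.last_used.get(player)
        if last is not None and t - last < COOLDOWN_SECONDS:
            return "denied"
        self.last_used[player] = t
        return "ok"


class HardenedServer:
    """Ignores the client's clock; the cooldown is measured on the server.
    A monotonic clock also survives changes to the server's own wall clock."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.last_used = {}

    def handle(self, raw: str) -> str:
        msg = json.loads(raw)
        player = msg["player"]          # client_time is deliberately unused
        now = self.clock()
        last = self.last_used.get(player)
        if last is not None and now - last < COOLDOWN_SECONDS:
            return "denied"
        self.last_used[player] = now
        return "ok"


class FakeClock:
    """Deterministic stand-in for time.monotonic so the demo is repeatable."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_demo():
    """Real elapsed time between the two requests is 1 s, but the client
    claims an hour has passed. Returns (vulnerable_results, hardened_results)."""
    clock = FakeClock()
    first = json.dumps({"player": "p1", "action": "fireball", "client_time": 5000.0})
    second = json.dumps({"player": "p1", "action": "fireball", "client_time": 5000.0 + 3600})
    vuln, hard = VulnerableServer(), HardenedServer(clock=clock)
    results_v, results_h = [], []
    results_v.append(vuln.handle(first))
    results_h.append(hard.handle(first))
    clock.advance(1.0)
    results_v.append(vuln.handle(second))
    results_h.append(hard.handle(second))
    return results_v, results_h


if __name__ == "__main__":
    print(run_demo())  # (['ok', 'ok'], ['ok', 'denied'])
```

The same rule covers the "forever trial" case in the second post only partially: a purely offline check has no trustworthy clock to fall back on, which is exactly why that trick works.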
Now, if she could find a way to nuke farms...
Now, if she could find a way to nuke farms (from orbit, eventually) I'd sign up to farmville just to nuke my friend's farms and make them stop bothering me with "please click here to give me more cows" idiocy.
We are all doomed!
Now, seriously... our IT industry runs on some very wrong assumptions. ("ass" is the word)
We assume that software has to be insecure and prone to bugs and crashes, and that nothing can be done to fix it. We have to thank Microsoft for this. And after them, every software maker has decided that it was OK to sell bug-ridden and insecure software, to maximize profit. And since software crashed a lot, hardware vendors began selling crap hardware, no one will notice anyway, since the computers keep crashing all the time.
And here we are, running crap software on crap hardware. Oh, sure, it costs less than a half (or maybe far less than a half) of good software and good hardware, but would you bet your life on it?
Well, if you use crap software and crap hardware to run critical infrastructure, you are actually betting your life on it.
I mean, come on... Windows should only be used to play videogames, and any software that has blatant security issues like a hard-coded root password (which is not a bug, it's by fucking design) should be just laughed at and thrown away.
PS: Please excuse me for my poor English.
Yes, uninstall the targets, if you can!
AC has got a point. If you can live without the "most targeted applications" (which maybe also means "the most buggy applications") just uninstall them. And before yelling "I can't live without flash/adobe/office/windows" just think twice. You *REALLY* can't, or you just don't want to try?
I have tried, and I can. I run Linux, and I suggest to my customers that need Windows to run OpenOffice, some other PDF viewer, some other browser, no Flash, no Silverlight, and so on.
Why do we need to change?
Why do we need to change the way the UI works? I want to WORK with my computer, not waste my time trying to guess where I have to click or what key combination I have to use to do what I need to do.
Unity is a complete loss, useful for a kiosk, useless for a PC.
Maybe it's time to use Debian also for desktop use, and not only for server use?
A sort of MOVIE OS interface?
This seems to be a sort of "Movie OS" (as in every computer you see in a movie) interface. A lot of "oooh, cool!" but no usability at all. Should I give up graphical interface and move to a text-only shell, to get some usability back?
Oh, what a glorious FAILURE!
I have always used Debian on servers (without X) and I am currently using Ubuntu on desktops, but if Ubuntu goes on in this nonsense of changing the UI just to taste like an Apple, I will go Debian for the desktops, too.
I own an N900. It's a geeky phone that only geek people (like me) would like. And it's still buggy, and Nokia abandoned it, so bugs are here to stay, forever.
I surely won't buy the first (and last) MeeGo device, I have already spent 500 euros on a phone that could have been good, but actually is not. I will not spend more on a phone that we all know is dead even before being born.
Come on, Nokia, you failed and failed and failed again. You changed course a million times (Symbian, Maemo, Symbian, MeeGo, Symbian, Windows, maybe MeeGo again?). Do you think I will put my faith and my money in your next failure?
Uhm... Symbian, then Maemo and also Symbian, then they said "no more Symbian", then a single Maemo phone, then more Symbian, then Meego (the "Duke Nukem Forever" of phone operating systems) , and now Win7?
I spy, with my little eye, something beginning with F. **CAPITAL FAIL**
So now we have the two losers of the phone market, one of which has been the leader for years, that think that joining their forces they can fly again. I bet they will simply sink faster.
Even if my icon does not show a coat, mine is the one with a new Android phone in the pocket.
so that, being loud and slow...
So that, being loud AND slow, they will disturb you for a longer time.
While this seems obvious to you...
it does not seem so obvious to a lot of people. And Stallman is just explaining this to people who don't think about it by themselves. He is actually doing something useful, and I'd like to see him on TV, telling everyone how things work. Because a lot of us El Reg readers do not need such an explanation, but almost everyone else in fact does.
I don't agree.
While I understand the whole "the user is the first security problem", I think that Stallman is right. Pushing incompetent or lazy people to store their data outside their computers makes for a perfectly wrong world, where we own nothing. Think Apple, only bigger. The phone (you can insert "computer" here) that I have paid for requires a subscription to be useful, and then I can only install the apps that Apple (you can insert "Google" here) wants me to install. I have to pay, if required to do so. I cannot install any free alternative app. I have to accept that Google (or you can insert "Apple" here) has access to all of my data, and can disable or enable apps as they like (even easier when the apps are not actually loaded on my computer). I have basically no enforceable rights on anything. Anything I have bought, installed, or written by myself. All of the apps and data "are belong to Google" (if you pardon my nerdy reference here).
Stallman is absolutely right. While "commodity computing" is a great thing in terms of usability, it surely is not in terms of privacy and civil rights.
Come on, please. Stop trolling. We all know that nothing is 100% secure.
Patched 25 servers yesterday
I patched 25 servers yesterday, and I believe (but I have not tested it) that if you cannot patch Exim itself, you can try to avoid being vulnerable by using these 3 settings:
smtp_banner="something ESMTP server ready"
smtp_accept_max_per_connection = 1
The idea is:
- do not log rejected email headers (AFAIK, this is part of the buffer overflow)
- do not announce yourself as Exim, maybe script kiddies will skip you.
- do not accept more than one email per connection, as this is part of the attack too. (The attacker overwrites ACL tables memory with the first enormous mail, then sends a second email on the same connection, having your code executed. If he cannot send a second email in the same connection, the attack should fail)
I HAVE NOT TESTED THESE SETTINGS!
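An added example, not the poster's code: a small checker that reads the main-section options of an Exim configuration and reports whether each of the three mitigations listed above is in place, run over two constructed config snippets (a weak one that spells out Exim 4's documented defaults, and a hardened one). The post shows only two of its three settings; the `log_selector = -rejected_header` line below is my reading of the "do not log rejected email headers" bullet, using Exim's `rejected_header` log selector item, which is on by default. None of this replaces patching; the banner change in particular is obscurity, not a fix.

```python
# Added example, not from the post. Defaults below are Exim 4's documented
# defaults; the log_selector line is my reading of the first bullet in the
# post (the post itself omits that setting).

# Constructed snippets, not captured from a real server.
WEAK_CONFIG = """\
primary_hostname = mail.example.org
# defaults spelled out for the demo
smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
smtp_accept_max_per_connection = 1000
"""

HARDENED_CONFIG = """\
primary_hostname = mail.example.org
smtp_banner = mail.example.org ESMTP server ready
smtp_accept_max_per_connection = 1
log_selector = -rejected_header
"""

DEFAULTS = {
    "smtp_banner": "$smtp_active_hostname ESMTP Exim $version_number $tod_full",
    "smtp_accept_max_per_connection": "1000",
    "log_selector": "",  # rejected_header is logged by default
}


def parse_main_options(config: str) -> dict:
    """Parse 'name = value' lines from the main section; '#' starts a comment.
    Other Exim syntax (routers, transports, macros) is out of scope here."""
    opts = dict(DEFAULTS)
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        opts[name.strip()] = value.strip()
    return opts


def check_mitigations(config: str) -> dict:
    """Return one True/False per mitigation the post recommends."""
    o = parse_main_options(config)
    banner = o["smtp_banner"].lower()
    selector = o["log_selector"].replace(" ", "")
    return {
        "banner_hides_exim": "exim" not in banner and "$version_number" not in banner,
        "one_message_per_connection": o["smtp_accept_max_per_connection"] == "1",
        "rejected_header_logging_off": "-rejected_header" in selector,
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_mitigations(cfg))
```

Note that `smtp_accept_max_per_connection = 1` has a real operational cost: senders that pipeline several messages over one connection will have to reconnect for each one, so watch queue behaviour on busy relays after applying it.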
A costly failure, I suppose
How much money did these geniuses get for this highly professional job?