Re: machine language without the use of a compiler
The 'better' ones already do that, especially in cases of rootkits, buffer-overflows and return-oriented programming. Using a compiler would make this work very difficult to do, if not impossible.
2513 publicly visible posts • joined 29 Jun 2009
DDoS attacks are usually mitigated with some basic logic inserted into the firewall:
1) If an IP starts sending more than a handful of ICMP or starts, but doesn't finish, a certain number of TCP sessions in a certain time, it will block them for an hour; then 2 for the second offense; 4 for the third, and so on.
2) limiting the number of active sessions in the application
3) limit number of requests of log-in pages and other pages to about 3-4 per IP
4) blocking out-of-region IPs, EG the UK branch will stop accepting packets from other nations
5) moving targeted pages to CDNs or caches
6) modify the pages so that an automated attack would have to be constantly adapted, but a normal user would be able to find everything (EG putting the login page behind another page but have the proper buttons in place)
These are just a few mitigation systems I've worked with, there are others, but the main point is to reduce the effect the DDoS has on you to the point where the attackers are just throwing money away on botnets with little effect. Once that happens, the attack stops fairly quickly as botnets get expensive fast.
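Rule 1 of the post above (per-source limit with a block that doubles on every repeat offense), sketched as an added example that is not part of the original post. The threshold, window and class/function names are assumptions, and the traffic is constructed.

```python
from collections import defaultdict, deque


class EscalatingBlocker:
    """Per-source rate check with a block that doubles on each offense."""

    def __init__(self, threshold=5, window=10.0, base_block=3600.0):
        # Assumed values: the post says only "a handful", "a certain time", "an hour".
        self.threshold = threshold
        self.window = window
        self.base_block = base_block
        self.events = defaultdict(deque)   # ip -> timestamps of suspect events
        self.offenses = defaultdict(int)   # ip -> blocks already served
        self.blocked_until = {}            # ip -> time the current block ends

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0.0) > now

    def record(self, ip, now):
        """Count one ICMP packet or unfinished TCP handshake from ip.

        Returns the block length in seconds when this event trips the
        limit, otherwise 0.0 (including while the source is already blocked).
        """
        if self.is_blocked(ip, now):
            return 0.0
        q = self.events[ip]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) <= self.threshold:
            return 0.0
        duration = self.base_block * 2 ** self.offenses[ip]
        self.offenses[ip] += 1
        self.blocked_until[ip] = now + duration
        q.clear()
        return duration


def burst(blocker, ip, start, count=10, gap=0.1):
    """Constructed traffic: count events from ip, gap seconds apart."""
    return max(blocker.record(ip, start + i * gap) for i in range(count))


if __name__ == "__main__":
    b = EscalatingBlocker()
    # 203.0.113.7 is a documentation address used as constructed input.
    for start in (0.0, 4000.0, 12000.0):
        print(start, burst(b, "203.0.113.7", start))
```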
I was wondering that myself. Why the hell would you use client-side data for this? At the end of the survey just generate a GUID, send the GUID to a two-column table in a database (GUID and a boolean flag for it being claimed), when the code is redeemed, validate that the GUID is in the DB and set the flag. No need to ask the client for anything. Didn't their programmers even learn "Never trust what the client tells you" in their programming classes?
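The two-column table described in the post above, as an added example that is not part of the original post. SQLite, the table name and the function names are assumptions; the point it adds is that the check and the flag update happen in one statement, so a code cannot be redeemed twice by concurrent requests.

```python
import sqlite3
import uuid


def open_store(path=":memory:"):
    """Create the two-column table: the GUID and its claimed flag."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS codes ("
        "guid TEXT PRIMARY KEY, claimed INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def issue_code(db):
    """Generate the code on the server at the end of the survey and store it."""
    guid = str(uuid.uuid4())
    with db:
        db.execute("INSERT INTO codes (guid) VALUES (?)", (guid,))
    return guid


def redeem(db, submitted):
    """Validate a client-submitted code against the table only.

    Returns "ok", "already-claimed", "unknown" or "invalid".
    """
    try:
        guid = str(uuid.UUID(submitted))   # normalises case, rejects junk
    except (ValueError, AttributeError, TypeError):
        return "invalid"
    with db:
        # Single conditional UPDATE: test and set of the flag are atomic.
        cur = db.execute(
            "UPDATE codes SET claimed = 1 WHERE guid = ? AND claimed = 0",
            (guid,),
        )
        if cur.rowcount == 1:
            return "ok"
        row = db.execute(
            "SELECT 1 FROM codes WHERE guid = ?", (guid,)
        ).fetchone()
    return "already-claimed" if row else "unknown"


if __name__ == "__main__":
    store = open_store()
    code = issue_code(store)
    print(redeem(store, code), redeem(store, code))
```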
Probably for the land, the area between Westlake Center and SLU is relatively cheap now, but is expected to climb in value. They have also purchased 3 sections of land nearby and are planning on a complex of 3 35-ish floor towers, they could be planning on knocking over the buildings they are buying and using the land for future expansion.
You can generate a lot of DDoS traffic from weakly-protected hosted websites: find a website with ftp enabled and a weak password (There are millions of these things), upload a simple PHP-based traffic generator and now you have a node to launch a DDoS attack that is always running, has a huge amount of bandwidth and no one will notice (if you don't bother the OS, the host won't give a crap and if you leave the site up and running, the owner won't notice either).
Any OS can be used in a DDoS attack, the only way to stop DDoS attacks is to not have an internet...
Supermicro sells a couple 4U storage chassis:
36x 3.5"
with MoBo: http://www.supermicro.com/products/system/4U/6047/SSG-6047R-E1R36L.cfm
without: http://www.supermicro.com/products/chassis/4U/847/SC847E26-R1400U.cfm
or 72x 2.5 disks:
without MoBO: http://www.supermicro.com/products/chassis/4U/417/SC417E16-R1400LP.cfm
You can also cram standard SATA disks in the thing (With a slight performance drop, because they are SATA)
Put the server in the Lead Dev's office or some other office inside the main building, since it doesn't need network access, it can be located anywhere. It could even be a basic quad core desktop, build servers don't need much in the way of resources when all you are building is releases.
Anyone with a clue about security knows that you never, ever connect critical machines like that to the internet.
The simplest secure method I have seen is that the dev and test network has an internal-only cert for testing code and various builds, when a build passes it gets burned to a disc and taken to the build server where it is then built and burned onto another disc which gets uploaded as the release version.
Nearly every machine (Including servers) contains a DVD-RW drive so all its costing you is the hour or so to pay someone to make the discs and about $0.05 for the disc itself. Helps with auditing too, as you know exactly who would have access to the code-signing cert.
Especially with 200+ GB hard disk becoming the norm and internet connection well above 8 mbps, its relatively small size (compared to photos, office docs, pdfs, video clips) it's a wonder it was even detected at all. Of course it being relatively quiet and very targeted helped it hide quite well.
I always have a laugh when people think the government is involved in some sort of conspiracy; especially when I remember that these are the same governments where their leaders will walk around with secret documents in full view of journalists; leave USB drives full of confidential info on the bus; or even fall asleep on the train with sensitive data shown on their laptops. These people have issues literally covering their own asses, let alone conspiracies.
What exactly do they think will happen? Is the government of Uganda now going to say "Drat those hackers have defaced our website, now we have to support the gays!" while twirling their collective mustaches? Now they have evidence that 'the homosexuals' commit crimes against the state and should be locked up.
Really what they need to do is take both CEOs, drop them off in Las Vegas with a bunch of cash and a list of the seediest bars and 'entertainment'. By the next day, they'll either be close friends, or dead; Either way works.
We did this to two executives at our company that had a very vicious rivalry going on between them, they came back and immediately started to cooperate. It's probably due to mutual fear that the other will spill the beans on what happened in Vegas...
I would really like to know which Airport this is, exactly how far the attackers got and what is their motive. Or at the very least some sort of assurance from them that the important stuff wasn't modified (EG ATC computers, flight plans from the Airlines, Passenger / cargo manifests, etc.)
Airport should be concerned with their passengers' safety, not hiding behind anonymity to save face. Besides, it's not like they have competition, no one is going to open an airport down the street and take all their business.
While there are many places using XP for IE6, IE isn't the only thing holding companies back. Windows XP was the last to include HyperTerminal, which a *lot* of old applications require, specifically banking, POS, inventory, payroll, etc. applications that were written for VAXen.
There are also many other little things that changed between XP and Vista / 2008, mostly in the way of security. I've worked with apps that would fail if ASLR or the NX bit was turned on that could only work in XP. Most of which really need to be completely rebuilt.
When Bill and the Steves were tinkering in their garage, they certainly were plagued with already-established companies with huge budgets (IBM, DEC, Compaq and Cray) in a very regulated market (regulations on Information Security, POSIX compliance, DoD and NSA Regs..)
There is nothing special about Web 2.0: we had Search Engines and Advertisers since the dawn of the internet, nothing Google is doing is new, other than blurring lines.
I'm a big fan of the 'Update and Shut down' feature in Windows and would really like others to do the same, except with 'Update Program and Exit' along side the regular 'Exit' menu item. Like when closing a web browser "There are updates available for Firefox and a couple of your plugins, Update before you exit?". And maybe add in a summary of what it does like "Fixes 3 security bugs, improves start-up performance by 10 ms, adds new feature: Foobar, reduces resource usage by %1"
Ultimately I would really like to see verified and tested updates in Windows Updates, similar to the Microsoft WHQL driver updates.
Cisco has been doing this for some time with their Nexus switches. Or what almost every Hyper-visor vendor does in their cloud management software, except for the Physical part, but I just configure the Top-of-Rack switches with Spanning tree and Trunk ports on all the uplink and VM ports. Everything other than VLAN is specified on the core switch, which everything in the Datacenter passes through anyway. Everything is secure, easy and doesn't require yet-another-protocol that every vendor will support differently (adhering to the standard, but still not work with other vendor's implementations)
But who the hell cares about serious security on a website like this? It doesn't contain much, if any, private information, it's not a bank account FFS, nor is it any site where people will implicitly trust things that you say. The problem comes if a user had used the same password on more important sites and accounts.
In any case, it wasn't that the passwords weren't properly encrypted; it was that their devs were idiots and left a dev server connected to the internet and connected to their Production database. So they really should be upgrading their firewall and/or employees.
CommVault did this to attendees at VMWorld 2011. They handed out these devices that look exactly like standard thumb drives but were keyboards that sent the 'internet' special key and using accessibility functions, would type their URL into the address bar and hit enter.
I will never trust those wankers *ever* for pulling that kind of shit.
Just change the URL burned into the device and you have an instant infection vector.
They know the IPs of the infected users so why not have each ISP cut off a few people each day (just have a shell script that adds 10-15 address to the firewall each day) then deal with the calls of people that no longer have a connection. Tech support will not be overwhelmed if done properly and they will no longer have to run these servers. Done right, it will be very painless and the most they'd need is one more Support Drone for a couple months.
"This caveat, of course, only applies to operating systems that a have a crazy, fucked up, abortion of a permissions system. ie: Windows"
What do you mean? The permission system in Windows closely mirrors that of other OSes:
Administrators Group = wheel group
UAC = sudo
On every Unix and Unix-like system I have used, the first user created has full permissions and the root account is disabled for logon.
The only thing I can think that you are trying to make fun of is how Windows has much more granular permissions than other Operating Systems. Or maybe you are just spouting some FUD just because you don't like Windows.
It would be just as fair to say that Unix-like OSes are the ones with the 'abortion of a permissions system' since you can only control Read, write and Execute for Owner, one of the Owner's Groups and World; where on Windows any object (Files, directories, registry keys, processes, User objects, etc...) can have an unlimited number of users or groups that all have varying permissions assigned to them (A hell of a lot more than just RWX)
Actually installing to the user's directory causes quite a lot of issues, specifically with properly functioning Anti-Malware applications, since nothing should be running out of there on a properly managed system. And besides, shouldn't it ask "Where do you want to install this? Program Files or Users?" and change the default depending on what rights the current user has.
Usually pressing # or '0' will get you to a real person. Or use a TTY system, companies are required to support it and it's purely text-based, so no waiting for the thing to cycle through all options until you find the one you need or having to wait for it to cycle back through because none of them did...
Buses are far cheaper to run and maintain, and you only need a moderately educated person to drive the thing. So for the price of one of these automated vehicles (Which really aren't solving the congestion problem since they don't actually decrease the amount of traffic on the road) you could run 2 buses, transporting well over 1,000 passengers a day for several years and still end up being cheaper, safer and healthier for the environment (Especially if you use electric powered buses like the ones where I live).
Sure it takes a few extra minutes to get to my office, but taking the bus only costs me about $4 a day ($5 if I decide to go shopping) plus I can take a nap, or use the WiFi and do some work.
That doesn't rule out Macs at all. Macs use standard Intel parts and can certainly run Windows on them. My work issued MacBook ran Windows 7 on it natively, the hard disk died in transit so I just slapped a better disk in it and installed Windows.
Oh and there was a copy of Windows NT 4 that would run on a sparcStation, also NT 4 could also run on a Power-PC based machine, so it was possible to run on pre-intel macs after some hacking.