Interview: The L0pht Answers 99
1) Which do you consider more dangerous
by Gleef
Which do you consider more dangerous to personal liberties on the Internet,
national governments or multinational corporations, and why?
L0pht
While both Governments and multinational corporations are detrimental to
personal liberties on the Internet, one must not overlook the greatest
danger of them all: the uninformed citizen. In democracies, this is
problematic, where governmental policy typically follows public
opinion. In the case of the Internet, one will find that most citizens of
the world are willing to give up personal liberties in exchange for
perceived safety and peace of mind. "For the safety of the children" is
cited commonly.
Many people believe that anonymous access to the Internet is criminal behavior. Government would like you to think privacy is an "anti-social" behavior. You should have nothing to hide, should you? You wouldn't be reading up on the consecration of explosives, looking up security holes in various operating systems, or possibly downloading the latest crypto software, would you? Only terrorists do that.
Governments are lobbied by uninformed citizens, or citizens which are easily manipulated and swayed by various groups across the gamut of our modern civilization. Multinational corporations have their hand in the fray by funding these groups or by participation in Associations which provide counsel to government officials on technical matters, often recommending legislation which will better the profit taking over the sanctity of "personal liberties."
Multinational corporations are problematic in that they operate in a proprietary world. Often outside parties will scrutinize the technological fabric of a communications service being provided. Should a flaw be found, and published, the corporation claims that the flaw itself is detrimental to the service being provided and litigation is dispatched on the party disclosing the flaw. This has been the case in the Cellular communications venue. Cloning a cellular telephone was a real thorn in the side of the Cellular Industry. They took their gripes to the US Government. The CTIA and their ilk successfully swayed Washington to pass legislation to combat the cellular fraud. Result: A portion of the radio spectrum was made _forbidden_ to reception. Possession of an eprom programmer, a computer, and a cellular telephone became a crime. Meanwhile, the cellular network REMAINS open to eavesdropping. Money is power, and with power comes influence. However, in the end it was the Government, sucking up to industry, which passed the law.
Law Enforcement and Intelligence gathering communities dwell within the governmental domain. Both are lobbying lawmakers to pass laws to give them greater powers to combat crime in this high tech world. Surveillance is paramount. They will convince the lawmakers that without the keys to all communications, a bomb may be set outside Parliament or Congress or .
The government persuades the people, the people persuade the government. Who planted the seed first? Those who understand the technology are too busy working on the next cool widget. Meanwhile the technological world rushes toward a global dictatorship and the populace embraces it under the guise of security.
2) The net: strip mall or unlimited human potential?
by garagekubrick
The halcyon days of the net are gone. With ubiquity - the underground
vanishes. Is it well on its way, with people like the CEO of Amazon being
worshipped by the mainstream press, to becoming an enormous cyber strip
mall, marketing tool, PR exercise in control of perception...
Or is there still an underground? Does it still have a potential to be the one true medium with liberation? Will governments and corporations end up controlling it? 'Cause they are winning small, important victories relentlessly...
L0pht
The Internet has changed dramatically over the last year or two and with
it the underground has also changed. Back in the good ole days (1995+6)
every web site was underground, hell the entire internet was underground.
As the web increasingly encroaches onto the mainstream and large portal and corporate sites take over feeding you only the information they want you to see, the underground will evolve and change and morph to suit its surroundings.
There is definitely still an underground. In some aspects it is a lot larger than it used to be and in others it seems to be much much smaller. I think labeling the underground as 'the one true medium with liberation' is laying it on a little thick. The internet underground has been nothing but the exploration for knowledge; if you are looking to it to save mankind from itself you're looking in the wrong place.
Governments are increasingly encroaching on personal liberties and freedoms of the average citizen; this is unfortunate. How much longer before the population as a whole realizes what is going on and says enough? Maybe they will never wake up. Will the governments eventually control the internet? Possibly. It is hard to tell but there will always be those who will resist that control and the underground will continue in one form or another.
While the web, as you put it, may become 'an enormous cyber strip mall' I can't help but think of the trash dumpsters behind that mall and what secrets they may hold.
3) Internet Worm II
by tilly
Several months ago I began predicting that someday someone would find a
buffer overflow in the various Windows TCP-IP stacks and use it to write
a worm that would bring down the Microsoft part of the Internet and cause
so much traffic as to effectively shut down everything else. I further
predict that until an event of this magnitude happens, the general public will
not really learn the basic lessons about security that the *nix world was
forced to learn from the first worm.
What are your thoughts on this prediction? (Timeline, reasonableness, etc.)
L0pht:
I believe your prediction is right on track. However, I don't feel that an
Internet Worm II is necessary to teach Microsoft, its customers, or its
vendors, about security. There are three ways to implement a security
model, the slow way, the fast way, and the right way. The slow way
involves making a bunch of little mistakes and fixing them over time as
you find them, correcting your policies and implementations. The fast way
involves having a major disaster occur, after which the faulty parts of
the system are completely torn apart and reimplemented. In practice, the
slow way often leads to the fast way.
Which brings us to the right way: To design software with a security policy in mind, and with extra caution, care, and expenditure during the implementation. OpenBSD's model of proactive security measures is a classic example of 'the job done right'. Retroactively applied security measures are a recipe for disaster.
Rant off.
As for when Microsoft is going to learn about these things, they'll first have to learn that 'bigger isn't necessarily better'. They need to stop believing their own FUD before they can actually make change over there. When I read things like the article at http://www.microsoft.com/ntserver/nts/news/msnw/LinuxMyths.asp, particularly the parts about Linux being less 'secure' than Windows NT, I'm appalled at the ridiculous 'facts' that are being used to back up their claims. For example, they claim that:
"Linux only provides access controls for files and directories. In contrast, every object in Windows NT, from files to operating system data structures, has an access control list and its use can be regulated as appropriate."
While this statement is true, they neglect to mention the fact that under a unix operating system, most things that correspond to Windows NT kernel objects, file, data structures, etc, are represented as files. Hence, the coverage of the security model for Linux is just as extensive, even more so, than Windows NT. This is a particularly bad statement, simply because it's not only incorrect, but the converse is true. Linux is more flexible in terms of permission management. Try setting the access controls on who can bind to a particular port under Windows NT, with the ease of chmod and portfs under Linux, and you'll fail miserably. And the list goes on.
(And as for 'access control lists', we've noticed that Windows can't seem to get the right default ACLs anyway, and that the complexity of managing them has outweighed the value of their 'flexibility'.)
As for your comments on the Windows NT TCP/IP stack being vulnerable to attack (possibly, who knows :P) and the possibility of a worm destroying Windows systems, the possibility is very real. And again, this possibility is not unique to Windows. They're just a likely target at this point in time.
It would take a feat of dedication and great skill, but the possibility is there. My advice to anyone who's worried about this, is this: If you're going to use Windows NT, you should probably keep that firewall in place between those Windows service ports and the rest of the world. Microsoft loves to add services and open ports to your computer when you're not looking. And it's probably not going to be the IP stack, it'll probably be some goofy listening service, like anonymous share enumeration or something. Or maybe remote access to NetDDE. Or some authentication protocol that doesn't like large Netbios fields. Or possibly even some undocumented functionality in the named pipe filesystem used for RPC. Who knows. Personally, I'm not going to wait around to find out.
4) The Public's Perception of Hacking
by dmuth
First, I should probably preface this geek for several years, and love playing with technology, so I feel I am able to relate to the hacking community.
Anyway, my question is, how do you deal with the way the public (including the media) perceives "hackers"? I've seen some clueless people use the term to describe *anyone* who does anything with a computer that they find objectionable. I've even heard the term applied to spammers!
Needless to say, the misuse of the term makes my blood boil, because I feel a certain respect towards the real hackers, such as yourselves, because you guys do know what you're doing, unlike all of the script kiddies out there that either have the term applied by clueless reporters, or they use it on themselves.
So, I'd be interested in knowing how you cope with this sort of problem, as I've noticed this sort of perception of the hacking community for some time.
L0pht:
The first thing you need to do is refer to yourself as a hacker and be
prepared to educate the person you are talking to what you mean by
that. It doesn't matter if you are talking to someone from the media, or
the government, or the business world. People need to know the real
meaning of hacking, its history, and what a positive thing it is.
A lot of the time we talk to the media just because we are afraid that if we don't there will be no one they talk to who will describe hacking in a positive light. No one to describe it as other than defacing web pages or breaking into .mil sites. This was one of the reasons we wanted to talk to MTV. We were afraid their story would be all about criminal hackers. If you saw the MTV show you saw that sometimes resistance against the media memes is futile. The show was 95% about illegal activity.
Yet the world of hackers is 95% non-criminal. Probably a better percentage of people behaving positively than most segments of society. It is a world of people exploring the edges of technology and building things. The crazy thing is the government is making more and more of that exploration illegal.
Reverse engineering security mechanisms is being considered a crime. Receiving digital radio signals is a crime. We can't let them wall off part of the world we inhabit from investigation.
Hackers have a positive role to play both as builders and critics of the digital world. Unless we speak up and refer to ourselves in that light we have only ourselves to blame. Everyone who can should educate. It's not easy changing perceptions. But sometimes a passionate personal explanation of what hacking means to you can make someone change their mind.
5) Security of capability-based operating systems
by sethg
What do you think of capability-based systems, such as EROS? The folks who
are working on these systems say they are fundamentally more secure
(against both malicious code and heisenbugs) than Unix derivatives, Windows NT,
and other ACL-based operating systems. Do you agree with this assessment? Do
these systems have security weaknesses that Unix-like systems don't
have?
L0pht:
It's nice to see work such as EROS coming out of DARPA funded
projects. Capability-based systems are quite interesting. However, one
must be quite careful when making statements such as the one that these
systems are more fundamentally secure than others. One has to keep in mind
that Windows NT made a similar claim. Was NT fundamentally more secure
than Unix as was presented to the general public? Well, it did have a
security model that Unix lacked and its internals were much more akin to
VMS which had various strengths that Unix lacked. Yet we all saw that the
implementation is where it matters.
In reality the implementation is key. Things can look great on paper and be a real bear to implement (look at communism for example). Another key component that is often overlooked is the functionality. This is a double edged sword. If the system is not universal and generic enough in nature to exist in a plethora of environments then it is difficult, if not impossible, to gain wide scale acceptance and use. Of course, this notion is directly opposed to creating a secure operating system. If it has to work in a multitude of environments then it needs to be relatively open and flexible or else the skill set and support for integrating it into one specific environment is beyond most people's abilities (ie it won't get used). Sun Microsystems ran into this problem with older versions of SunOS (now retroactively named Solaris 1.x) when they used to consistently ship with a '+' in /etc/hosts.equiv. After several years they received enough requests to take it out of the distribution for security reasons. Unfortunately, taking it out caused so many installations to not be "plug-n-play" that they promptly put it back in.
When I look at an operating system such as EROS the following pops out at me when thinking security (this should not be viewed as condemnation by any means).
. RTOS modeled.
Real Time Operating Systems can be very useful for directed applications
but suffer in general use often times. In addition, certain security
notions at extremely low levels of a system (ie hash signing memory blocks
that are passed between processors or ASICS) incur overhead that is quite
unwelcome in most of the "general public's" acceptance of RTOS.
. Emulated POSIX and Unix environments
I love Unix. However, it's difficult for someone to maintain the claim
that they are more secure than another operating system and then emulate
its behaviour. A good emulation is going to have the good and bad aspects
on the security front or many things won't work.
. implementation from the ground up can be painful
Often times it is required. But heaven help the "vendor" that decides
that in order to be their own maker they will do it from scratch without
looking at the mistakes that others have made. We see it all too often
that people decide to reinvent the wheel and foist square versions on
people the first time around.
With all of that being said I believe that in the future, should people start to wake up and really appreciate the notion of security and privacy in a way that really influences the market... we will see more dedicated systems and fewer general purpose ones. In order to go that route projects such as EROS are invaluable.
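The /etc/hosts.equiv '+' entry mentioned above is the kind of shipped default a defender wants to be able to spot mechanically. The following is an added example, not code from the interview or from Sun: a small audit routine for the classic BSD hosts.equiv format, run over constructed sample files, that flags the wildcard trust entries and shows what a tightened file looks like.

```python
"""Audit hosts.equiv-style trust files for wildcard entries.

Added example (not from the interview). The sample file contents are
constructed. The format rules applied are the classic BSD ones:
  blank lines and '#' comments are ignored
  '+'             trust every host (the shipped default discussed above)
  '+@netgroup'    trust every host in a NIS netgroup
  'host'          trust users from that host with matching local names
  'host user'     trust one remote user from that host
  'host +'        trust every user from that host
  '-host', '-@ng' explicit deny entries
"""
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    entry: str
    severity: str  # "high", "medium" or "info"
    reason: str


def parse_entry(raw: str):
    """Split one non-empty hosts.equiv line into (host_spec, user_spec)."""
    parts = raw.split()
    host = parts[0]
    user = parts[1] if len(parts) > 1 else None
    return host, user


def audit_hosts_equiv(text: str):
    """Return a list of Findings for the risky entries in a trust file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        # strip trailing comments and surrounding whitespace
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        host, user = parse_entry(stripped)
        if host == "+":
            reason = "wildcard trusts every host on the network"
            if user == "+":
                reason = "wildcard trusts every user from every host"
            findings.append(Finding(line_no, stripped, "high", reason))
        elif host.startswith("+@"):
            findings.append(Finding(line_no, stripped, "medium",
                                    f"trusts the whole netgroup {host[2:]}"))
        elif host.startswith("-"):
            findings.append(Finding(line_no, stripped, "info",
                                    "explicit deny entry"))
        elif user == "+":
            findings.append(Finding(line_no, stripped, "high",
                                    f"any user on {host} maps to any local user"))
        # a plain 'host' or 'host user' entry is the intended, explicit form
    return findings


def is_wide_open(text: str) -> bool:
    """True when the file grants trust to every host or every remote user."""
    return any(f.severity == "high" for f in audit_hosts_equiv(text))


def tightened(text: str, allowed_hosts) -> str:
    """Rewrite the file: drop wildcard host entries, keep the rest, and append
    the explicitly allowed hosts (the fix the vendor was asked to ship)."""
    kept = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if stripped and parse_entry(stripped)[0] == "+":
            continue
        kept.append(line)
    kept.extend(allowed_hosts)
    return "\n".join(kept) + "\n"


# Constructed sample resembling the shipped default described in the answer.
SHIPPED_DEFAULT = """# constructed: trust file as shipped, nothing edited yet
+
"""

# Constructed sample of an explicit trust list an administrator would write.
TIGHTENED = """# constructed: explicit trust list
build1.example.internal
build2.example.internal deploy
-@untrusted
"""

if __name__ == "__main__":
    for name, content in (("shipped", SHIPPED_DEFAULT), ("tightened", TIGHTENED)):
        print(name, "wide open:", is_wide_open(content))
        for f in audit_hosts_equiv(content):
            print(f"  line {f.line_no}: {f.entry!r} [{f.severity}] {f.reason}")
```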
6) Security Through...Unpredictability?
by Effugas
Would you agree that security and stability are but different sides of
the same coin? In other words, a security exploit is truly nothing more than
an expertly controlled failure?
If so, how much stock can we put into the "metadesign" of limiting the damage an exploit can create by attacking the ability of a failure to be controlled? Should operating systems incorporate such "unpredictability engines" when being run in a production, non-debugging manner? Or is such a design not worth pursuing, for various reasons?
L0pht:
You must be a kindred spirit :) We have been preaching the approach that
most stability problems are security problems that have not been looked
into enough for quite some time. By fixing security problems you enhance
the stability.
Now, with that said, it is important to shoot for the penultimate solution to problems and this ends up being a wonderful academic exercise (out of which great things come). Do we shun any notions that merely raise the bar instead of being the silver-bullet? No. Each elevation in design is a step in the right direction. It is apparent that we have many steps in front of us but this does not mean we should stop progressing until a magic cure is found.
Unpredictability in systems, such as loaders or interpreters that recurse random times to throw off "static" frame location and other mechanisms (ie canary values) etc. are some of the finer points that I see coming out of the security approach to implementations. Are they ready for production systems? It all depends upon what your production system must be capable of. In many cases the answer is yes. In some cases the answer is no.
7) Future of Hardware Hacking?
by Tackhead
Two questions (Well, three, really, but I'm a hardware geek, and I love trying to squeeze three things in the space of two):
A) Wireless.
Lots of folks have been asking today about the wireless network project. "Me
too"; the page has been up for years, it's a fascinating and extremely
powerful idea, but for those of us who aren't RF engineers...
> When do we get to see some hardware projects to build, or is it the case that -- due to regulatory restrictions on what can and cannot be transmitted on US airwaves -- work is being done independently on the notion of a secure wireless IP-based network but isn't being released so that those of us who aren't RF engineers can't gum up the works by screwing things up before it's ready? :-)
L0pht:
The Gnet project has been in progress for many years now. Mainly the
problem had been lack of funds, but now time allocation and lack of
dedicated participants hold back expansion.
There is a lot of interest, but no one seems to be willing to put up the nodes. There are 2 sites currently on the network. One at l0pht and one at a residence. This has been the state of the network for the past 2 years. Unfortunately no one with enough initiative in either state has been found to setup other nodes. There has been interest in other states but the long haul capability has yet to be worked out. Encrypted tunneling over the Internet may help span the network over long distances. Once the fabric of the network expands, landlines could be replaced with wireless links/nodes.
High-density, low-power networks sound great in theory, but until the interest level rises above its present state, the cellular structure will remain the dominant topology.
To get the network off the ground, we have been trying to go the Amateur radio route. Going this route does have its drawbacks. Encryption is forbidden, however compression is not. I have been running ssh in compression-only mode for years. The initial ssh authentication is allowed under FCC guidelines, as long as the communications is not encrypted, you are within the rules.
The move off the Amateur frequencies will be made once the cost of National Information Infrastructure (NII) part-15 devices drops under $500 dollars for a pair of nodes. These devices operate in the 5 GHz frequency range. The breakdown is as follows:
- 200 milliwatts EIRP (5.15-5.25 GHz) - indoor
- 1 watt EIRP (5.25-5.35 GHz) - inter-campus/neighborhood
- 4 watts EIRP (5.725-5.825 GHz) - Point-to-point, few miles, terrain permitting.
The path to build custom equipment is equally as challenging. For example, the TAPR (Tucson Amateur Packet Radio) group has been in the forefront of Amateur packet radio for the past 15 years. While they have an established base of dedicated users, they continue to have problems developing new hardware. They have been prototyping a Frequency Hopping Spread Spectrum (FHSS) system for 3 years now, with still a prototype just passing a design review. Hopefully this project will come to fruition soon!
Some very talented folks over in Slovenia have developed some BPSK transceivers and a no-IF SSB transceiver which will work on 1296, 2304 and 5760 MHz. None are in kit form but the schematics, theory, construction notes, and equipment checkout are available in English (schematics are not in English). These radios are not for beginners or even intermediate kit builders. It would be nice if someone could kit these units. I started to convert the 23cm BPSK design to utilize a chipset family put out by RF Microdevices, but then my time got sucked into other projects. I may find the time to pursue this once again, but I would like to get some semblance of a network greater than 2 nodes up and running first. *sigh*
B) The future of hardware hacking.
With the trend towards more and more functionality becoming embedded
into ASICs and single-chip solutions, the golden age of "just desolder this",
or "reverse-engineer the schematics and jumper that", or "replace [PROM| EPROM| EEPROM| PIC| FPGA] with one with the following special
programming, and here's the [CPU| microcontroller]'s instruction set and a memory map of the embedded system" appears to be drawing to a close. Anyone can
desolder a 24-pin DIP EPROM and hack it, but trying to desolder a 100-pin PQFP is a real bear without $500+ worth of specialized equipment, and knowing what to
do with the chip after you've desoldered it is well-nigh impossible.
Do you see a time when "hardware hacking" (as we've traditionally known it) will have to fall by the wayside? If so - what, if anything, do you see as taking its place? (Perhaps users taking advantage of the vastly more-powerful gear out there today and building their own hackable hardware, eliminating the need to hack other people's hardware?)
I suppose that's tangentially related to the wireless.net question - for mass distribution of the tools needed to build such a network, for instance, it seems to me that re-purposing cheap, widely-available stuff that others have junked is a better path than having to build things from scratch. But if the cheap, widely-available stuff of the future isn't gonna be re-usable... where does one go from there?
L0pht:
It is true that the Electronics industry is moving toward much denser
Multi-chip module like IC's. System-on-a-chip (SOC) is beginning to make
inroads in communications equipment. Cellular/GSM/PCS phones are
beginning to sport such technology. SOC will also revolutionize the
security coprocessor industry.
What we see here is the bar being raised in the HW hacking arena. Remember cost still drives much of the industry and you will continue to see many devices still using microcontrollers. There are many, many internet appliances using standard Embedded Processors and peripheral IC's. The hackers are just going to have to bone up on their FPGA hacking skillz. Monitoring the inputs of an FPGA and then the outputs, and hacking together an FPGA to drop in between isn't unheard of.
Hardware hacking today does require a bit more than the standard Weller soldering iron, a 50 MHz scope, and a multimeter. With processor speeds moving up into the 800 MHz range, you fall flat on your face with those stoneage tools. The trend in general is hardware which is becoming more and more abstracted and described by high-level programming languages such as Verilog and VHDL. One must stay abreast of the latest tools in his trade. There are also relatively inexpensive "soft" tools, in that a spectrum analyzer, logic analyzer or a scope utilizes the modern PC as the guts of the device and an inexpensive physical interface module is purchased along with software for the host. The interface is typically a data acquisition pod for converting the sampled analog data into the host PC for processing and the presentation.
The security of FPGA's is definitely going to become more of a target in the future. I can't think of anyone that doesn't set the security bit of FPGA before programming a device. Ummm.. Hmmm.. maybe I shouldn't say that. ;^) It does happen. There are also some not so well known ways around "security bits" on FPGA's. Also, most FPGA's will allow you to reprogram them in circuit whether or not the security bit is blown. You just better be sure you can reproduce what you monitored before squirting in your own code.
Remember there are many more ways to fry an egg, such as voltage margining, or operating a circuit over/under current and temperature specifications. Hitting HW with various RF emissions (above and beyond what standard emissions/immunities tests test for) can also produce interesting results and insights.
And as you alluded to in your question, hackers will build their own hardware which will interface to the service/system under attack, which will allow for variable, marginable, modules to provide the flexibility which the stock standard HW didn't provide. Study communications test equipment. Many secrets lie inside.
A lot of today's "hardware hacking" isn't strictly limited to hardware, due to the fact that most products are embedded systems - meaning there is a union of hardware and software. Those who are strictly "hardware guys" will fall by the wayside and those who are strictly "software guys" will also fall. You will need to have a decent knowledge of both the software and the hardware environment you are programming for. I have seen companies struggle because they hire CS folks to write firmware for a product. These particular folks could not grasp that they were writing for a platform other than a PC or desktop. They didn't understand how interrupts worked, how to write to a port, how to write low-level drivers to control external memory or other devices on an SPI, I2C or other inter-chip protocol. What ended up happening is the company called in the hardware engineer (me) to write all the low-level functionality. In order to properly design a product (and reverse engineer the product), you need to be able to grasp all facets...
The industry today is really in a sad state and I am fearful of the quality of the products that are due to come out on the market - the hardware and circuitry is sound and well-structured, but the software will have major fault and, because of this, many possibilities for vulnerabilities.
C) The future of l0pht.
(At least publicly), there's been a lot more activity on the software
side of l0pht than on the hardware side.
To the extent that you can discuss it openly, do you see l0pht's main activities over the next 3-5 years as continuing to revolve around the "expose weaknesses in software" side or the "work on next-generation hardware projects" side?
L0pht:
Both. Hardware projects, since the beginning of time, are more costly,
require more tools than software, and more often than not, more time
consuming. Due to this, the amount of publicly-known activity appears to
be less. As mentioned before, there will be more and more projects that
require the knowledge of both hardware and software sides, where L0pht
fits the bill perfectly. There are so many products and technologies to
look at, there is no way we can limit ourselves by saying what activities
we will and will not do. If something comes out, be it hardware or
software, that we want to attack, we will.
8) What engines/sites do you use to scour the 'Net?
by Bacteriophage
Seriously, I would like to know. When you sometimes don't have all the
answers (I assume that would be more than never), where do you guys go on
the 'Net to find what you need concerning computer security, **/*acking, or
even just news? Do you ever come to /.? This answer shouldn't take very long,
and it'd be nice to get the separate preferences of each crew member, as well
as the general preferences of the group.
L0pht:
Generic search:
- Altavista or NorthernLight for a spider-based search; Yahoo for a topic search.
- Ask Jeeves when I don't really know what it is I am looking for.
Security/hacking:
- altavista - word sequences work well. A recent example would be a search for the PCI specification by looking for "pci spec".
- yahoo - when altavista doesn't help
Hacker search:
- The Hacker News Network Search Engine Page - Lots of underground spiders http://www.hackernews.com/search.html
- attrition stats - http://www.attrition.org/mirror/attrition/stats.html
- eEye stats - http://www.eeye.com/html/Databases/Statistics/os.html
- NMRC - Good Novell NT and Unix info. www.nmrc.org
- counterpane - for books (through amazon) and lots of free information on crypto too.
- www.jya.com/crypto.htm - for the good cypherpunk info
Next week: Steve Wozniak (and a special pair of *surprise* guests Tuesday).
Re:Warm fuzzy feeling. (Score:3)
Agreed. It's nice to see an educated and well articulated piece on
No one argues that hackers are mis-portrayed in the media.
I disagree. Supposedly reputable news establishments generally attribute report break-ins, defacements, and theft (eg _cracking_ behavior, or malicious hacking) to hackers. Unlike most hackers, I'm not particularly concerned about the "hacker" label. What I am concerned about is the implicit message the media is sending to the uninformed: that learning and privacy are analogous to criminal behavior merely because knowledge regarding either could be used to exploit badly designed or implemented security models. Correlation is not causation. Just because an apple is a fruit does not mean it's an orange.
Tell them what it means. It's a fine line between informative and over zealous
It is extremely difficult to convince most people to sacrifice convenience for security (witness the hundreds of thousands of unprotected and unpatched Windows 9X and Windows NT systems accessible by any other machine via internet). Even though connecting a Windows 9X machine to internet is akin to hang gliding in a military no-fly zone, attempting to explain this to the masses will automatically place you in the "paranoid security nut" category. I'm not saying you shouldn't try (I've been trying to move my users from telnet to ssh for months), but no one should expect a chocolate coated, overnight change.
Re:I hate you Roblimo :) (Score:1)
I am trying to swear of
It's a pity we don't have any real way of honoring all the quiet garage-shop hackers who have paved the way for today's progress. Sure the general public is somewhat aware of Moore's Law and Metcalfe's Law but what about all the people who make significant advances but shun the celebrity limelight (note the distinction between fame and celebrity). Scientists had one advantage in that they can name stellar or planetary features after famous scientists. What do hackers do to honor the quiet heroes (e.g. Postel) who have contributed so much, yet are unknown outside their specialty? Perhaps autographed designer chips/cases might become collectable memorabilia in a few decades time.
To end on a philosophical note, a great society can be measured by how well it treats the least of its members, not by the self-awarded laurels of the elite. Respect the source of knowledge and cite their inspirations for one day, others too may stand on your shoulders to reach for heights unimaginable.
LL
I hate you Roblimo :) (Score:4)
I think the good old (childish
Apologies for both OT and "dittohood".
I hate you Roblimo.
I am trying to swear of
Coding on Apple 2 changed my life in drastic ways.
I doubt I can come up with any insightful questions for Woz beyond the "You have been the greatest hero in my life since I was a teenage girl. What you have done made such a huge difference to me and people like me. What do I need to accomplish such that I can meet you? Then what more do I need to accomplish such that I can earn your respect?"
Why such a temptation, Roblimo?
P.S. flamebait
Corrinne Yu
3D Game Engine Programmer
Garagekubrick sez... (Score:1)
Thanks, Lopht, kickass reply to my inane bantering.
Just a slight clarification though, since I worded it badly. I meant does THE NET itself still have the potential to be the singular, defining, medium of liberation - not the underground itself. With such talk as taxes on the Internet, and courts deciding linking itself can be illegal, then there are serious threats to the idea of an open medium - and your repeated analogy of democracies undermined by uninformed people is particularly telling. Think about how many people use the Net just to read corporate owned portal sites on Entertainment and fashion news.
Anyways, signing off - It's 2 AM here in Central London. No civil disruption. My puter is working fine. Had an amazing view on the rooftop of The Savoy hotel shooting with a mini DV camera and a 16mm Canon Scopic - next to a bunch of Int'l news crews - now that's the kind of hack I can pull off. The Hotel staff told me off for bringing a skateboard into their building. Suckers.
The moment leading up - such exhilaration. I just have a feeling like I'm walking on other people's hopes. 1999 years without annihilation, new challenges, but there's people out there working on them, at least.
Just want to say, babbling here, that I for one have a strange sense of hope. May you all have a safe and emotionally reflective New Year.
Internet Worm 2 may do trillions of damage... (Score:1)
A few ideas from myself:
- Randomize the registry
- Insert errors in every file residing on accessible network shares
- Flash the BIOS incorrectly
- Burn graphics chips by overclocking them
- Crash hard disks
- Damage Monitors/Graphics-cards
I'm sure a good terrorist could come up with a few more tricks. If only some of these tricks work, and about 25% of NT/Win 9x boxes are hit (which isn't too unrealistic), you can prepare for some _serious_ damage.
It would cost billions alone in hardware damages, but these would be dwarfed by the costs in work and lost productivity.
Re:An uninformed citizenry (Score:1)
Most poor people are too poor to afford a luxury computer, and most senior citizens tend to care less about the internet, or especially about privacy or things like that.
I don't exactly know how that problem can be remedied. There's no point asking someone what they didn't understand about a James Joyce novel if they don't even know how to read.
Zack "Vorro" Adgie
---------------------------
A wise man speaks because he has something to say.
A foolish man speaks because he has to say something.
Re:L0pht != hackers (Score:2)
the l0pht website. They have links to 'hacked' pages. Displayed very prominently
If this is where you stopped "browsing" then I feel sorry for you.
L0pht has been giving to both sides of the security community for a long time.
Maybe you should read the web site instead of "browsing" it.
Unstable Boy
P.S. the web pages were "hacked"...as in the code in the page was changed...that is a hack...
the servers they were on were "cracked", maybe YOU should learn the real meaning of those two words.
Re:Language police strike again (Score:1)
Don't forget the instruction book.
"...and three is the number thou shall count..."
Unstable "1...2...5" Boy
Re:An uninformed citizenry (Score:1)
We all should at least get our friends practicing safe computer practices. I have several friends that are not and probably will not be "computer literate" but I try to at least help them make the right decisions (you should hear me rant on opening e-mail attachments).
Even if you only help a little at a time.. it adds up quickly. Unstable Boy
Re:An uninformed citizenry (Score:2)
This really confused me for a long time. Her usual response was "But I don't know macs, I know my computer." I finally realized that she doesn't know any computer, she knows at most, a little about outlook express. Furthermore, she doesn't want to learn anything, which is why all my attempts to upgrade her equipment or to teach her anything haven't worked.
Now my mom can't be swayed by her own son, a definite windows hater, and someone she would readily admit knows about a billion times more about computers than her. Take some guy off the street with no knowledge, no desire to gain knowledge, and no child to constantly assault you with that knowledge anyways, and you've got a permanently uninformed citizen. They don't want to learn, trying to teach them isn't going to help, we just need to minimize their impact as much as possible, and wait for the world to pass them over. It won't be much longer.
Re:Whats the definition of Irony? (Score:2)
Hmm. I don't know where you've been lurking, but on the Linux newsgroups, there are an enormous number of newbies looking for help, and a smaller population of people trying valiantly to help them. I personally visit comp.os.linux.hardware and comp.os.linux.misc every day, looking for questions that I know the answers to and trying to help people even if they don't know what button 2 on their mouse is for. And I know I'm not alone.
I think part of the problem is that Linux/the "geek society" is more of a meritocracy than anything. Anyone can be an expert; all it takes is time and effort. This is not common in the real world, where money/birth/social position/physical appearance are more important. Long-time Linuxers are more used to the "if it works, use it no matter who it comes from" attitude, while others worry about the endless political maneuverings more common in normal human relationships. ("Should I use Person 1's code? It works better than Person 2's code, but Person 2 is influential and maybe I should suck up to Person 2...")
Representative democracies have an inner circle of politicians and Pocket Filler corporations...There is not currently a method of government that has been invented to inform the uninformed, give power to the powerless, and lead the scattered in a manner that is truly their own motive.
"Democracy is the worst form of government, except for all the others."
The problem is that most people don't want to think and make decisions on their own; they want to do the easiest thing, even if that means bowing down to Big Brother. This tendency is probably impossible to conquer. 'Til everyone on the planet is capable of thinking for themselves and willing to do that most of the time, there will be a minority that will control many aspects of society.
Thing is, in the Linux community, I think those in the "elite minority" encourage independent thought/action/learning. "Study the source, and you too can hack device drivers someday." When was the last time you saw a large media conglomerate encouraging ordinary people to set up their own small private radio stations?
Re:The lopht personally (Score:1)
I run RedHat 6.1 on a separate partition. I tried Corel but didn't think much of it. I can't run my modem under Linux because it's a Rockwell HCF (why, Rockwell, why?) - otherwise, I'd probably move. I use Windows [a Beta 2 version, guess which project I'm on] mostly for games and MSWord. I'm trying to learn C and C++ in a UNIX context. I spent days trying to make svgalib work under Linux, eventually discovering I needed to download v1.4 (RedHat 5.2 had supplied v1.2.1.)
My online service provider is now using a modified version of the AOL software, with new graphics. (I'm typing this using a Freeserve account, as it regularly refuses access to USENET or to
I agree with several points here: AOL does indeed want to [EDITED] you over for ad revenue, and the OS is indeed second rate compared to Linux or even MacOS. But I need to keep it, because the world does not run on Linux, or MacOS, or even UNIXes as a whole. 70% of computers in the world (I'm not sure about this) run on MSFT software. If I want a computing job, I have to work with it.
And that is the saddest thing of all, as people like l0pht help to advance our knowledge of computer security systems and inner workings of computers, things which would really help the rest of us. But instead, most of the world's population just wants to play several rounds of Solitaire and write a letter to their grandmother on MSFT software, and this is why they are on top. Not because of any interesting reason, but because people have placed them there.
Re:An uninformed citizenry (Score:1)
quiet hackers (Score:1)
// Pity
"It's a pity we don't have any real way of honoring all the quiet garage-shop hackers who have paved the way for today's progress."
It is sad that the only way I can think of are people like you and I who keep their contribution, achievement, talent, ingenuity, work ethic close to our appreciative hearts.
// way of honoring
I was a home computer hobbyist before being apple 2 fanatic, so I do remember and appreciate the same heroes you hold dear to your heart.
I think a start would be to post, publicize, and factually append and correct various faqs in early home computer hobbyist development. Would you like to do this with me? (I saw you did not post your email address.) corrinney@3drealms.com
I "act locally" by "publicizing" and mention various "less-sung" heroes in my life.
// devil's advocate
I am one of the "celebrity limelight" shunners myself who stay away from being a "Time's money-churning poster boy/gal", and have several friends and peers in that category.
Sometimes I think: Why is Person A who contributed more and Person B lauded more (or get mentioned in Time more)?
And sometimes my answer is the same for why Woz is influential. While there may have been several technically laudable home computers, the Apples, and specially the Apple II's, are the ones that directly propelled many onto the path of hobbyist coding. To those coders, their lives were more directly affected by Woz.
There may have been several to many laudable computer games, 3D engines (I was working on those myself in the same time frame), but in celebrity/popularity it is Doom and Quake and Duke Nukem itself that reach the largest number of players, not the various technically interesting projects we coded. To those players, their lives were more affected by id, though there are many other fine and great coders then.
So in that way id et al. *deserve* having the celebrity limelight and Time articles, not necessarily for being technically most advanced in all issues, but for having impact to the largest number of players.
It is indeed a worthy topic (and worthy of action), and I would be glad to discuss with you on this off-line.
Corrinne Yu
3D Game Engine Programmer
Re:An uninformed citizenry (Score:2)
----------------
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
How much were those kits in USD? (Score:2)
Amazing (Score:1)
[Sarcasm off]
Re:I hate you Roblimo :) (Score:2)
But you shouldn't feed the troll, simply ignore him (or her).
Re:The lopht personally (Score:3)
Let's give these guys a break. They don't want to learn the command-line. They don't want to edit config files. And they don't want to play around with dial-up settings. Sure, it's a trade off. They get a second-rate operating system and an ISP that basically just wants to fuck them over for Ad revenue. BFD, but don't say that those who aren't "in-the-know" are the biggest danger to personal liberties.
-----------
"You can't shake the Devil's hand and say you're only kidding."
Re:internet worm and linux? (Score:1)
Sure, but you're assuming that MS has the skill and expertise to write such a worm, bugfree, before releasing it.
Relax. That'll NEVER happen!
Re:internet worm and linux? (Score:1)
CCIIAW(c'rect me if I am wrong) but doesn't the way *nix in general handles file permissions pretty much prevent most malicious code such as worms from getting in and trashing things? With Windows it's fairly easy for a program to get in and trash the TCP/IP stack, however unless I run something as root or someone else *gets* root most system files should remain in good shape. Of course I think most folks running Linux would be a little hesitant to run an attachment from a message that read "A cool kernel patch from me 2u".
mcrandello@my-deja.com
rschaar{at}pegasus.cc.ucf.edu if it's important.
Re:Happy New Year (Score:1)
mcrandello@my-deja.com
rschaar{at}pegasus.cc.ucf.edu if it's important.
Re:fuck these retards (Score:1)
Hey fucknut, we will not be moving into a new century for more than 366 days.
LK
Re:Whats the definition of Irony? (Score:1)
Re:Language police strike again (Score:1)
Kids growing up with Tech... (Score:2)
I would just like to inform you that yes, that is absolutely correct. I'm 17, I've been pounding at keyboards since I could reach one (sometime when I was 6 or so, I'm not totally sure anymore... ;). At the moment, I'm the anomaly (from looking at my peers in HS), but the immersion in tech early on is what I think has fueled my current interests.
Just FYI.
Jeff
Re:On the topic of H.W. hacking (Score:3)
My software/hardware interest was sparked when I started poking around an Apple ][ (cue next interview: "Thanks Woz, for including a ROM disassembly in your docs!") with CALL -151, and discovered that I could talk right down to the bare metal.
From there, it was a question of learning to reverse-engineer 6502 with the built-in disassembler, and later on, dumping data from other machines (e.g. 1980s video games!) into the magic Apple box and seeing what I could glean from the disassembly. It was immediately obvious that I had to match the schematics of the hardware I was playing with against the addresses I was seeing in the code, and from then on, I became a hardware geek.
I mention this because the concern I had with the barrier to entry is that when I got into it, any 12-year-old with enough time on his hands and brains in his skull could get started. Likewise with programming today - thank the Gods for Linux and open source because a 12-year-old can still get started in software by typing "man foo" and picking up a copy of K&R. (*shudder* - imagine a world without Free Software - what 12-year-old, however brainy, would get anywhere with an M$ system, where the very notion of "development tools" implies "very expensive add-on", rather than being part of the core distribution...)
I guess the interesting question - and the one that can probably only be answered by the next 10 years of hacker history - is gonna be how today's 12-year-old is gonna make the jump between taking apart a computer and putting it back together again, typing "make foo", learning how to write good code that'll be properly optimized for the compiler, and {then the miracle happens} and he's in college poking around with a logic analyzer and a DVD-RAM drive in the lab off-hours.
Having read L0pht's reply however, I realize that online auctions are bringing surplus electronic equipment availability to an all-time high. If you need a single-user SMT rework station, you can get one for a few hundred bucks. And the costs - like EPROM burners in the past 10 years from $800 to $150, are falling at the same rate. As for expensive VHDL software, I mean no disrespect to those who write such software when I say that for the hobbyist, if there were ever an ethical justification for piracy, "hobby use" just might be it. (And I note in passing that much electronic software is issued on a "try-before-you-buy, limited to 500 pads per board" basis :-)
Someone else spoke about getting "warm fuzzies" from L0pht in the context of being glad the media are turning to them when they have questions. Count me in on the "warm fuzzies" too, but for a very different reason: in response to my hardware hacking question, they didn't just stop at saying "the bar's been raised, but don't worry, the hardware scene's alive and well".
Where others might have stopped there, L0pht went - as they always have - one step further. In addition to the warm fuzzies mentioned above, they also managed to give me, and everyone else reading, a set of practical, concrete things to do today - bone up on VHDL, invest in new equipment, make that old 20 MHz scope available to someone still learning the basics, poke around presently-available wireless technologies, and network with fellow geeks who share your interest.
Thanks, L0pht - not just for the idea of "Making the theoretical practical since 1992", but for living up to it and setting the standard in the years to come.
ruff ryder (Score:1)
bling bling
Re:Warm fuzzy feeling. (Score:1)
No one argues that hackers are mis-portrayed in the media.
I disagree. Supposedly reputable news establishments generally attribute reported break-ins, defacements, and theft (e.g. _cracking_ behavior, or malicious hacking) to hackers.
I think you agree with each other. Sometimes "argue" gets misused, and I think the original poster meant "No one disputes that hackers are mis-portrayed in the media."
Re:Internet Worm 2 may do trillions of damage... (Score:1)
Work together for the Common Geek Good:
The lopht personally (Score:5)
They answered all of the questions in the interview intelligently, and fairly. It seems that the members of the lopht are intelligent sentient beings, and not whining script kiddies.
Also they brought up a very good point "uninformed citizens are the greatest threat to personal liberties on the net". How else would you explain the dominance of AOL, and M$ operating systems
I do have this feeling that kids that are growing up right now, ppl that are immersed in technology from day one will know better and see through the marketing crap. I'll stop because I am rambling now, and slightly off-topic.
BTW: Happy New Year!!!!
Re:I wonder if this was intentional (Score:1)
Language police strike again (Score:4)
pEnultimate means *second* best... the word i think they were looking for is ULTIMATE, which is in common usage...
penultimate (p-nlt-mt)
adj.
Next to last.
Linguistics. Of or relating to the penult of a word: penultimate stress.
n.
The next to the last.
An uninformed citizenry (Score:5)
What really stands out to me from this interview is something I have felt for a long time-- that an uninformed citizenry is the biggest threat to our liberty.
The best thing we can do is to remain engaged and active in educating people about what the internet and other computational advances mean for people. One thing I see is that although we may bicker about a lot, it is interesting that whether you are a self described libertarian or socialist (or anything in between), most hackers have a great deal in common.
I think that this is because knowledge of the new realities of the world and their implications itself points to good solutions for people. Small, agile corporations and governments. Privacy for individuals, publicly available information on group activities (such as governments or corporations).
So grim saying of nay, which is all I've been hearing recently, is premature. Once people know what is going on, the answers will present themselves to them. And with the web, we don't have to tell them anymore, or give them philes we've downloaded at 1200 baud from someone's C64-- we can show them in full color.
internet worm and linux? (Score:4)
Re:fuck these retards (Score:1)
NT Network Security (Score:5)
"Firewall your NT systems!" -- This bit of advice has been widely known by experienced NT admins for many years -- some existing vulnerabilities having been documented back in the OS/2 LanMan era in the late 80s. Like early Unix network protocols, the product was designed for a mostly-trusted LAN environment, and this design philosophy has been continued with even fairly new add-ons like MS Transaction Server.
Unfortunately, with the huge growth of NT as a platform, shifty or incorrect Microsoft documentation, an education program (MCSE) that completely neglects these issues, and a generally ignorant group of low-end administrators, there is a huge number of unprotected NT systems running on the Internet. (Compare this to Unix, where there exists a broad understanding of Internet security issues, and a healthy community skepticism of security claims.) As time, home broadband, and Windows 2000 go on, I would expect that the number of unsecured hosts is going to outnumber the firewalled ones.
Considering the underlying culture, I doubt an "Internet Worm II - This time it's NT!" would lead to anything more than a cosmetic fix. Unfortunately, Microsoft is probably going to have to redesign the control mechanisms of the numerous RPC services that run on NT and create a nice GUI with a big "Internet (Secure) Mode" checkbox. A security blanket, but it's going to do nothing to educate the administrators or engender a culture of security consciousness, and exploits will continue.
Just as the original Internet Worm didn't shift the tide away from Unix and towards VMS, I really doubt these issues will affect marketshare seriously. Only, as the number of specialized Internet hosts grows, Unix's compartmentalized, peer-reviewed approach is going to continue to win over Microsoft's poorly understood philosophy of integrated RPC services.
--
Re:An uninformed citizenry (Score:3)
Why should a farmer be as informed about any specific topic as a pundit? As generally knowledgeable as, say, a librarian or a college professor? The answer is that they are not and shouldn't be. So the question is, do they have a learned person who they respect and trust to make those decisions for them? Should I not be able to trust my MD to help me make medical decisions? Of course.
This is why the founders of this country desired a REPUBLIC and not a DEMOCRACY. A democracy is the unfit to rule, ruling themselves. A Republic and the unfit to rule pick people to do for them what they cannot do for themselves.
Re:An uninformed citizenry (Score:1)
On the topic of H.W. hacking (Score:1)
VHDL software for coding FPGAs is expensive and could and probably does impede HW hacking. The skill level needed for HW hacking is high and with the convolution of many chips and complicated hardware code it could only get higher. On the positive side the high barrier of entry (in terms of skill level) does keep out the script kiddies.
I am also glad to see L0pht address the problem of many CS majors when it comes to hardware. I can't wait to see when my watch and toaster start crashing because of poorly written code.
Re:I hate you Roblimo :) (Score:1)
Never.
For some people whose mind I respect, I will never have any relationship with them no matter what.
That way when I earn their respect of my intelligence and talent, I have the satisfaction that it is unbiased.
Besides you never know who ends up being your next co-worker.
P.S. Please moderate me down! My post is OT, ditto, and *fannish* (uninformative).
P.P.S. Besides, what makes you think Woz won't prefer men over women? (I don't think this question would make the grade for the interview either.) Maybe he would be more interested in you.
Corrinne Yu
3D Game Engine Programmer
guerrilla.net comments (Score:1)
As for the Slovenian radios, they exist as kits. You just need to find the right person to talk to and the right way to send money overseas. I've ordered three partial kits for the radios and 1.2 Mb SCC-DMA cards with scramblers. With any luck they should be here by the middle of January.
if you are serious about building up guerrilla.net, there are people out there willing to participate! You just need to respond when they email you!! --- eric (ka1eec)
Whats the definition of Irony? (Score:3)
Civilization has always operated with an inner circle controlling everything. For instance a Total Democracy via Technocracy would be controlled by the media. Monarchies have an inner circle of nobility, Representative democracies have an inner circle of politicians and Pocket Filler corporations, Afghanistan has the Taliban. There is not currently a method of government that has been invented to inform the uninformed, give power to the powerless, and lead the scattered in a manner that is truly their own motive. Should anyone ever devise such a method of governing then it will truly be by an intellectual giant amongst men.
Such is Linux's problem. The uninformed. Truly a problem with few solutions. The solution that has been taken by most people, including many posters to
My point, kind people, is that we must fix the problems in our inner circles before we can offer, or even point out; (for risk of hipocriticism) to fix society's problems in our outer circles.
-[ World domination - rains.net ]-
Re:internet worm and linux? (Score:2)
Micro$oft is probably too large and incompetent to do anything of the sort anymore, and certainly not without any leaks getting out. And think about the timing of this with anti-trust investigations. No worries from Redmond.
(besides, the 'ship date' of their "y2k-linux-worm" would prolly slip well into 2002, second quarter...) (G)
Melissa WAS the Internet Worm (Score:1)
The thing about it is that whoever wrote it didn't *need* to find mysterious stack overflows in the IP drivers or even in the mail programs. The mail program (Outlook, in this case) HELPED the worm work! The Power of VBA at your fingertips, as MS would say.
If there is a checkbox to "turn off" security and run scripts automatically, people are going to use it. If a message box appears to verify that the user wants to run the script, even though it may cause problems, users are going to just click OK without even reading it and the happy few who do read it are going to assume that the message is fine and click OK anyway.
This issue is not just about Microsoft either. Sun crows about how Java is "secure" because it can't get at your personal files on your local drives, since the scripts are running in the VM. What they don't say is that, in their world, no one HAS any files local because their Java apps are saving everything on the servers, which theoretical Java-based viruses *would* have access to.
Someone might want to challenge me on this, but imo, security and script-enabled applications/OS are opposites.
L0pht != hackers (Score:2)
Hipocriticism; a diplomatic euphemism for evil (Score:1)
Recently, we have seen people from the same group, (linux users, a true miniature world of everything that is geek, of everyone who is informed of their field, and what is going on there.) insult the very people who would be educated, the very problem that has been stated in this discussion. I think it is obvious that if we do not stop the hipocriticism, which I personally see as the greatest evil ever to threaten linux, and soon to be spread to a wide variety of other interests, then we will surely not be able to deal with the larger sickness of society as presented, (Powerfully presented, I'll note) by L0pht in this interview.
-[ World domination - rains.net ]-
2GS? bah those were no fun (Score:1)
I was really smiling when I saw that AppleWin [asimov.net] lets you bring up a disassembly window. Almost brought a tear to my eye :-)
SEAL
Re:fuck these retards (Score:1)
>>http://slashdot.org/comments.pl?sid=99/12/31/
LK
Re:Language police strike again (Score:1)
Re:Huh? (Score:1)
cDc and l0pht don't fight much more than any other siblings.
Re:Language police strike again (Score:1)
Re:fuck these retards (Score:1)
They never made any claims that they could kill your computer. They are security experts and hackers, not the damn crackers you're talking about. Hackers do have a code of ethics that most follow. ( maybe you should look them up )
And if you're running Windows, then it'll die by itself... no help is needed!
I think you're the uninformed citizen that L0pht is talking about.
Warm fuzzy feeling. (Score:2)
But the more I think about it, I really don't mind that these guys are the ones the press run to rather than say CotDC. I don't find myself disagreeing with them, and they're far more eloquent than I could be in the situation.
No one argues that hackers are mis-portrayed in the media. I think L0pht has the right idea: pro-active re-information. Don't wait until someone misuses the word "hacker" or what not to correct them. Tell them what it means. It's a fine line between informative and overzealous (as a pagan who is neither wiccan nor satanic I have that problem all the time; but my beliefs allow explaining, not converting. I don't care if you disagree, so long as you made effort to understand). The next 10-20 years are going to be pretty frightening if we don't stay on top of information, and if the hackers are evil, then who is going to listen to them?
Here's to you guys!
Bravo! (Score:2)
portfs? (Score:1)
What is portfs? It sounds interesting but I can't find anything about it. Is it known by another name, or does anyone have a URL for it? Maybe I already know about it and just don't know what it's called. :)
Re:$125.00? (Score:1)
Re:Warm fuzzy feeling. (Score:2)
>But the more I think about it, I really don't mind that these guys are the ones the press run to rather than say CotDC.
Too many people confuse the purposes of cDc (that's lowercase c, uppercase D, lowercase c. Pretty much always has been.) with the purpose of a group like l0pht. cDc is not a software/hardware or even (dare I say it?) a hacking group. cDc is a textfile group. The (supposedly) original eZine. Stuff like BO (which, IIRC was written by a guy that is actually in l0pht as well as cDc) is a side project used to further their goal of Global Domination through Media Saturation. They SHOULDN'T be consulted on hacking/cracking information. Groups like l0pht are what that's all about. Media that consult cDc on these kinds of subjects are just victims of the cDc MediaMindFuck(tm).
Re:I hate you Roblimo :) (Score:3)
And besides, you *never know* what kind of questions might get moderated up and sent to him. No law says they all have to be techie stuff.
We often get some excellent personal questions in these interviews. *I* sure don't discourage them!
- Robin
Re:fuck these retards (Score:2)
Get your head out of your ass.
BTW the earth revolves around the sun, NOT the other way 'round.
LK
Effect would be low. (Score:1)
That's the point of Linux - the source is open. When you can dig in and look at the exploit, it's not a mystery occurrence that makes you lose faith in the OS. Exploits like these hurt NT or other closed-source OS's much worse because the sysadmin has no way of seeing what happened, thus they lose faith in the system.
Whats the definition of Irony v1.1 (Score:1)
You blithering [explicative], there is no such word as "hipocritism".
You also forgot a period at the end of hypocrisy. Thank you, have a nice day.
-[ World domination - rains.net ]-
Re:internet worm and linux? (Score:1)
Nope. The god-like powers of root supersede file, memory, and device permissions. A lot has changed since 1988, but history [software.com.pl] has a way of repeating itself.
Remember, all it takes is a badly placed sprintf(), malloc(), or strcpy() in a SUID daemon to bring a so-called bulletproof security model to its knees.
--
odds of being killed by lightning and
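The post above makes the point that a single unbounded sprintf() or strcpy() in a set-user-id program undoes the whole Unix permission model, because the bug executes with root's privileges. The following C block is an added example, not code from the thread or from L0pht, showing the two defensive habits that address it: every copy into a fixed buffer is length-checked and truncation is treated as an error, and the program drops its elevated uid before it touches untrusted input, then verifies the drop took. The function names, the 16-byte buffer size and the sample inputs are constructed for the example.

```c
/* Added example (not from the thread): defensive handling of fixed
 * buffers and privileges in a set-user-id program. Names, buffer size
 * and sample inputs are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define NAME_MAX_LEN 16   /* constructed fixed-size destination buffer */

/* Bounded copy into a fixed buffer. Returns 0 on success, -1 if the
 * source (plus its terminating NUL) would not fit. The unsafe pattern
 * this replaces is strcpy(dst, src) with no length check at all. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded formatting. snprintf never overruns, but it silently
 * truncates; treating truncation as an error keeps later code from
 * acting on a partial value. Returns 0 on success, -1 otherwise. */
int bounded_format(char *dst, size_t dstlen, const char *user)
{
    int r = snprintf(dst, dstlen, "user=%s", user);
    if (r < 0 || (size_t)r >= dstlen)
        return -1;
    return 0;
}

/* Wrappers with a local fixed buffer so the behaviour is easy to check. */
int demo_copy(const char *src)
{
    char name[NAME_MAX_LEN];
    return bounded_copy(name, sizeof name, src);
}

int demo_format(const char *user)
{
    char line[NAME_MAX_LEN];
    return bounded_format(line, sizeof line, user);
}

/* Drop the elevated effective uid before parsing untrusted input, and
 * verify the drop actually took: a SUID program that keeps root while
 * handling input turns any copy bug into a root compromise. Returns 0
 * if the process now runs as its real uid and cannot regain root. */
int drop_privileges(void)
{
    uid_t real = getuid();
    if (setuid(real) != 0)
        return -1;
    if (real != 0 && setuid(0) == 0)   /* must fail once privileges are gone */
        return -1;
    return (geteuid() == real && getuid() == real) ? 0 : -1;
}

int main(void)
{
    printf("drop_privileges: %d\n", drop_privileges());
    printf("copy \"alice\": %d\n", demo_copy("alice"));
    printf("copy 40 x 'A': %d\n",
           demo_copy("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    printf("format \"bob\": %d\n", demo_format("bob"));
    printf("format long name: %d\n", demo_format("a-name-longer-than-buffer"));
    return 0;
}
```

The order matters as much as the bounds checks: privileges are dropped first, so that even a copy bug missed elsewhere runs as the invoking user rather than as root, which is the permission-model argument the earlier "internet worm and linux?" post relies on.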
RPC - huge problem (Score:5)
I would just like to back up your comment on Remote Call Procedures. Microsoft had this thing called OLE, then they moved to COM, now DCOM. The next iteration is called SOAP and it works using XML over http. Everyone accepts http, so it is a great way to get remote call procedures, right?
Wrong.
The issues with remote call procedures are inherent in the nature of what you are doing. Microsoft is addressing the mechanism of doing it, and not also the substance of the security issue. All that they will succeed in doing is make it easier to unknowingly create something with serious security holes that is sent by http. And to make it better they are also encouraging creating customized SOAP applications in Office, which just means that there are a lot of new applications wandering around there that can also be security holes.
When Sun created Java it not only addressed how you call it remotely, it also attempted to address security concerns. Microsoft has not learned that lesson, and I dread what it will take to teach people that security is inherent in what you are trying to do, and not in how you are doing it.
(See likewise some of Tom Christiansen's rants about executable content in email.)
Cheers,
Ben
PS Off to my sister's, away from the web for a bit. Glad I caught L0pht's response before I went though!
Re:hi comments ect (Score:1)
That's a joke, right? (Score:1)
Re:Language police strike again (Score:3)
After all, we'll never find the ultimate solution to any security problem, but we'll find the best one for now. Penultimate is a pretty good word to describe that state of affairs.