Comment: Re:Yep (Score 1) 835
You can restrict what a particular user is allowed to execute with sudo.
Comment: Re:That's because security warnings are stupid. (Score 1) 432
You could indeed get a cert for s1ashdot.org, but if you don't mind my saying, that's a pretty crappy attack mate :)
A lot of people might notice the blatant "1" in your domain name; many more might never visit that domain at all. Which is really the point here.
Let's pretend for the sake of this example that slashdot actually supports SSL :) When I visit the real https://slashdot.org/, with their valid CA-signed cert, I still have confidence I'm communicating with their server not yours.
If you were in a position to intercept my packets to slashdot - ie. the situation in which SSL is of some value - then you still couldn't do much. You can send fake replies to me, pretending to be slashdot.org - classic MITM attack - but your self-signed certificate is a dead giveaway. Good luck getting a CA to issue you a cert for slashdot.org, I doubt they're interested in issuing a duplicate while there's already a valid one out there.
This is the problem trusted certs are designed to solve. Your problem is a different one; it's called phishing (terrible name huh?).
Actually, they've kludged something something together to help with that problem also: big institutions that really need it (eg. banks) can pay a ton of money to a CA for an "extra special cert", which gives them eg. that nice green address bar in firefox, indicating a higher level of identity trust to the user.
Yes, it's probably a cash cow. But hopefully they do a few background checks before issuing those at least, and the high fee presents a barrier that Joe Random Phisher may be unwilling to pay.
A lot of people might notice the blatant "1" in your domain name; many more might never visit that domain at all. Which is really the point here.
Let's pretend for the sake of this example that slashdot actually supports SSL
If you were in a position to intercept my packets to slashdot - ie. the situation in which SSL is of some value - then you still couldn't do much. You can send fake replies to me, pretending to be slashdot.org - classic MITM attack - but your self-signed certificate is a dead giveaway. Good luck getting a CA to issue you a cert for slashdot.org, I doubt they're interested in issuing a duplicate while there's already a valid one out there.
This is the problem trusted certs are designed to solve. Your problem is a different one; it's called phishing (terrible name huh?).
Actually, they've kludged something something together to help with that problem also: big institutions that really need it (eg. banks) can pay a ton of money to a CA for an "extra special cert", which gives them eg. that nice green address bar in firefox, indicating a higher level of identity trust to the user.
Yes, it's probably a cash cow. But hopefully they do a few background checks before issuing those at least, and the high fee presents a barrier that Joe Random Phisher may be unwilling to pay.
Comment: Re:I would probably do the same thing (Score 1) 432
This is a misconception. DNS poisoning is certainly not required.
If somebody is in a position to read your packets, they are also very likely to be in a position to intercept / modify those packets.
Any point on the route between you and the destination host could be sending those reply packets you receive and failing to pass yours along to the next hop; you really have no way of knowing.
This could be fully automated and, for example, enabled by default for data going to a particular destination host. The initial implementation is non-trivial, I'll grant you, but it only needs to be written once and then every script kidding from here to Timbuktu can pass it around amongst themselves. The attacker requires no more resources than regular plaintext sniffing, excluding a little cpu time to handle the crypto. You think these things don't exist? :)
Encryption is nothing without trust.
If somebody is in a position to read your packets, they are also very likely to be in a position to intercept / modify those packets.
Any point on the route between you and the destination host could be sending those reply packets you receive and failing to pass yours along to the next hop; you really have no way of knowing.
This could be fully automated and, for example, enabled by default for data going to a particular destination host. The initial implementation is non-trivial, I'll grant you, but it only needs to be written once and then every script kidding from here to Timbuktu can pass it around amongst themselves. The attacker requires no more resources than regular plaintext sniffing, excluding a little cpu time to handle the crypto. You think these things don't exist?
Encryption is nothing without trust.
Comment: Re:Well... yeh. (Score 1) 661
Wow brave post; looks like you were really inviting trouble with these kind of statements :) I used to hold similar views, and I know it can be a hard position to defend. It's not my fault / I have a slow metabolism / I exercise all the time and don't lose weight / some people are just built differently / etc.
Back then I weighed 132kg and had been fat all my life. Today I weigh 91.5kg, fit into ordinary size clothes (read: M, L), and feel springy & full of energy after climbing a couple flights of stairs, instead of puffed & out of breath. The change came only after I saw through all of these excuses and changed my own attitude.
You are obviously proud of the self control you have developed thus far, and you should be, but I would suggest you need to develop it a little further. You can't prevent your brain telling you that you feel hungry, but you can recognise that it is malfunctioning and choose to ignore the signal; nobody is holding a gun to your head compelling you to eat large portions. Eat nutritious food in "moderate" (look it up, it's smaller than you think!) size portions, and enjoy the feeling of being "hungry" - that's your body running low on fuel and burning the reserves!
It's not a terrible thing to feel "hungry". Not the way people in rich western countries use the word (I'm from New Zealand). There are many people in the world who live with real hunger on a daily basis. Do not mistake "I feel like eating" for *hunger* - in your case & in mine it's really not that serious that it can't be overlooked :) After you get used to eating less, your brain will catch on and stop sending the "hunger" signals.
Also, don't knock weight training. Firstly, any kind of exercise is better than none. Secondly, if your body converts fat into muscle you may not initially lose weight (muscle weighs more), but you're already more healthy. Thirdly, having more muscle is like having a bigger engine in a car; you need more juice to run it, even just during daily tasks. In other words more muscle means your metabolism rises and you burn fat more easily, plus you feel like you have more energy and exercise becomes easier. Cardio training is important too, but you've gotta start somewhere - it's a momentum thing. The more you do, the easier it gets.
In short: you have to eat less (esp. less fat; going crazy with fruit & veg can't hurt) and exercise more. That's the only way, and it's damn tough, but it does work and when you get to the other side you realise it's really really worth it :-)
Your body simply can't construct fat cells out of thin air - you have to put the right things in to it to enable it to become fat. Whatever your makeup predisposes you to, what food you put inside your body is your always your own choice.
My 2 cents.
Back then I weighed 132kg and had been fat all my life. Today I weigh 91.5kg, fit into ordinary size clothes (read: M, L), and feel springy & full of energy after climbing a couple flights of stairs, instead of puffed & out of breath. The change came only after I saw through all of these excuses and changed my own attitude.
You are obviously proud of the self control you have developed thus far, and you should be, but I would suggest you need to develop it a little further. You can't prevent your brain telling you that you feel hungry, but you can recognise that it is malfunctioning and choose to ignore the signal; nobody is holding a gun to your head compelling you to eat large portions. Eat nutritious food in "moderate" (look it up, it's smaller than you think!) size portions, and enjoy the feeling of being "hungry" - that's your body running low on fuel and burning the reserves!
It's not a terrible thing to feel "hungry". Not the way people in rich western countries use the word (I'm from New Zealand). There are many people in the world who live with real hunger on a daily basis. Do not mistake "I feel like eating" for *hunger* - in your case & in mine it's really not that serious that it can't be overlooked
Also, don't knock weight training. Firstly, any kind of exercise is better than none. Secondly, if your body converts fat into muscle you may not initially lose weight (muscle weighs more), but you're already more healthy. Thirdly, having more muscle is like having a bigger engine in a car; you need more juice to run it, even just during daily tasks. In other words more muscle means your metabolism rises and you burn fat more easily, plus you feel like you have more energy and exercise becomes easier. Cardio training is important too, but you've gotta start somewhere - it's a momentum thing. The more you do, the easier it gets.
In short: you have to eat less (esp. less fat; going crazy with fruit & veg can't hurt) and exercise more. That's the only way, and it's damn tough, but it does work and when you get to the other side you realise it's really really worth it
Your body simply can't construct fat cells out of thin air - you have to put the right things in to it to enable it to become fat. Whatever your makeup predisposes you to, what food you put inside your body is your always your own choice.
My 2 cents.
The Growth Of The Pirate Bay As A Political Movement->
From feed
by
techdirtfeed
Tim Lee points us to an LA Times article on the growing success of The Pirate Bay's political movement, noting that its membership is growing in Sweden and is nearly equal to that of the country's Green Party. This is ironic for a few reasons -- most of all being that the entertainment industry was so proud over the raids on the Pirate Bay's servers last year, insisting that it had killed off the site. Instead, the site was back up in days, and the attention propelled what had been a fairly minor search engine for BitTorrent trackers into the limelight -- helping to get it many more users and to get the political movement some traction. In fact, we've now seen other political parties take on some of the Pirate Bay's platform. To be honest, I have mixed feelings about this. I don't support the Pirate Bay's position that unauthorized downloads are defensible. Instead, I think that copyright holders need to come to the realization that they're actually better off by letting people download content -- not that it needs to be forced upon them by users taking matters into their own hands. That said, by taking such an extreme position (and having it get some attention), perhaps it's more likely that content holders will come to this realization. They'll simply be forced to adapt and will start coming up with more successful business models that actually benefit from free downloads rather than trying to block them and sue their best customers.
Link to Original Source
Link to Original Source
Dell will pre-install Ubuntu Linux
Submitted
by
atamyrat
atamyrat writes "http://www.fabianrodriguez.com/blog/archives/2007/ 04/30/its-d-day/
It's now official. That's it, the embargo is over. We can talk.
Many people have been involved in this and I can only say I am excited to be a tiny small part of it: Ubuntu will be officially supported on Dell computers. Any other details will come on www.ubuntu.com, check it for the official press release, but we can now all put the matter to rest and go about our normal lives — or can we ? :) This from your humble servant at Canonical Global Support Services.
http://www.desktoplinux.com/news/NS8661763902.html
http://www.boingboing.net/2007/04/30/dell_will_pre install.html"
It's Official. Ubuntu and Dell.
Submitted
by
Anonymous Coward
Anonymous Coward writes "It's now official. That's it, the embargo is over. We can talk.
Many people have been involved in this and I can only say I am excited to be a tiny small part of it: Ubuntu will be officially supported on Dell computers."
Dell to choose Ubuntu
Submitted
by
Anonymous Coward
An anonymous reader writes "DesktopLinux reports that source from Dell unofficially confirm that Ubuntu 7.04 will be the distribution of choice for Linux preloaded computers. "While unable to confirm this through official Dell channels, we have heard the same story now from several internal Dell sources. They tell us that the Austin, Texas, computer giant will be preinstalling the newly released Ubuntu 7.04. These systems will be released in late May 2007. According to our sources, Ubuntu will be released on a Dell e-series "Essential" Dimension desktop, an XPS desktop, and an e-series Inspiron laptop.""
Social Engineer Proves Major Insecurity At Banks
Submitted
by
ApocalypseXP
ApocalypseXP writes "Story from: http://www.protokulture.net/?p=79
the life of a social engineer
April 15th, 2007 by applekid
I enter the first branch at approximately 9:00AM. Dressed in Dickies coveralls, a baseball cap, work boots and sunglasses I approach the young lady at the front desk.
"Hello," I say. "Jarred White with XYZ Pest Control, here to perform your pest inspection." I flash her the smile followed by the credentials. She looks at me for a moment, goes "Uhm... okay... let me check with the branch manager..." and picks up the phone. I stand around twiddling my thumbs and wait while the manager is contacted and confirmation is made. If all goes according to plan, the fake emails I sent out last week notifying branch managers of our inspection will allow me access.
It does.
The manager greets me and brings me into the secured area behind the teller line. She never asks for identification. She says she received an email from the bank's facilities supervisor saying that we would be by on Monday. I force myself not to laugh, and nod understandingly. I explain the procedure. "Awww no ma'am," I say in a deeply Southern voice, "We don't do sprayin' on this visit. We're just here to see if there's a problem to begin with. Y'know, check for signs of rodents and crap like that." She nods, relieved that I won't be spraying pesticides. The bag that I carry is, for the most part, empty. It contains a flash light, a paper mask, a pair of work gloves, a tiny wireless access point disguised as a pager, two key loggers and lots of space to store stuff. My clipboard is also full of goodies. I sling the bag off my shoulder and get to work, as the lady wanders off. As she begins to leave, she says "Well, I guess you know what you need to do. I'll be in my office. Let me know if you need anything." I don't look up from my "work" as I thank her.
As soon as she disappears I move into the next room. The room is a work room where documents are stored, the printers are kept and various other supplies are stored. I look around the area for anything of interest. A stack of checks for deposit catches my eye, so I grab them and shove them into my clipboard. Each check has a name and account number on it. Nothing else here, but I hear a familiar humming; warm and pleasing to the ears. I walk back to the manager's office, and ask her if she could please grant me entry into "this back room, whatever's in there." She explains that this room houses their computer equipment. I nod and say that rodents are known to bed up in warm areas, and in my experience, computer rooms generate heat. I see the gears turning inside her head, and once she decides that this answer makes perfect sense, she unlocks the door. She asks only that I notify her when I am finished so that she may lock it again. I nod and tell her I would be happy to.
I enter the computer room and immediately begin to see networking equipment. A few tower servers rest on the floor beneath the rack. I could plug any number of items into the switch at this point. If they use DHCP, my rogue access point, which has been preconfigured, will provide me access to the internal network from the parking lot. My key loggers come in two flavors: USB and PS2. I decide to save the goodies for another locale. I take stickers with my company logo and place them on the networking equipment to prove that I have been there. I rummage around the area looking for confidential items. I find a company phone directory and take it. This might come in useful later, I think to myself. Near one of the terminals, I see a pink sticky note. "Bingo," I say aloud. Written on the sticky note are login credentials to the core processor. This information should allow me to query the bank's core processing software for account numbers, names and social security numbers; once I have determined its IP address. I note the credentials in my clipboard.
I fetch the manager and she locks the door. I thank her, and ask if I may inspect some of the offices out in the lobby. I let her know that I don't want to interfere, so I point to an empty office and ask if I may inspect that one. "Oh yes, that's Tom's office. He's one of our loan officers, but he's at another branch today. Sure, go right ahead." I'm already walking toward the open office before she finishes. Satisfied that I'm completing my work, she turns around and goes back to her office. Once inside Tom's office, I get down on my hands and knees and retrieve my flashlight. I pretend to inspect the area around his desk. The walls are made of glass, and everyone can see in. I try to keep an eye out for what's going on, who is watching me, and who might be coming my way, but it's difficult to tell. I decide that I had better make quick work of this place and get out.
I pull a CD from my clipboard and place it in Tom's computer. This CD contains a virus which contacts our company's Network Operations Center and provides us with information about the workstation. It's intended as a proof of concept, and nothing more. The software doesn't hurt the victim's computer. I also rummage through his filing cabinets, which are not locked, and recover a folder full of loan applications. Loan applications are great. They contain social security numbers, names, and sometimes a photo copy of the drivers license. These are no exception.
I get to my feet and return to the manager's office. I smile as I let her know I'm finished, and they have a clean bill of health. "Welp, we didn't find anything ma'am," I tell her, "Now if you'd just sign this here invoice for me just to prove to my dispatcher that I was here, I'd be much obliged." Yes, sometimes I do lay it on quite thick. She signs the fake invoices we had printed up at a local printing company. I date it and sign my initials as well. I thank her for her time and cooperation and leave the building.
I enter my vehicle and realize that I'm sweating. It's Minnesota, so it's not exactly hot outside. I nervously drive to a parking lot across the street, thinking the entire time that somebody must be on to me. Somebody must have figured out my ruse. Somebody has called the police, noted my license plate, and they must be on their way. But they aren't. As I start to calm, I inspect the items I have collected.
* 27 account names and numbers
* 13 loan applications complete with socials, names, birthdays and drivers license
* 1 phone directory with (what appears to be) extensions for everyone in the bank
* 1 login to the AIX Core Processor
This should be enough to start some new eBay accounts. I seal the information in an evidence bag, date it, sign it and place it in a secure bag. I call home base and report that the first job is done, and that I'm moving to the main branch. I light a cigarette and turn up the music as I drive to the next target."
the life of a social engineer
April 15th, 2007 by applekid
I enter the first branch at approximately 9:00AM. Dressed in Dickies coveralls, a baseball cap, work boots and sunglasses I approach the young lady at the front desk.
"Hello," I say. "Jarred White with XYZ Pest Control, here to perform your pest inspection." I flash her the smile followed by the credentials. She looks at me for a moment, goes "Uhm... okay... let me check with the branch manager..." and picks up the phone. I stand around twiddling my thumbs and wait while the manager is contacted and confirmation is made. If all goes according to plan, the fake emails I sent out last week notifying branch managers of our inspection will allow me access.
It does.
The manager greets me and brings me into the secured area behind the teller line. She never asks for identification. She says she received an email from the bank's facilities supervisor saying that we would be by on Monday. I force myself not to laugh, and nod understandingly. I explain the procedure. "Awww no ma'am," I say in a deeply Southern voice, "We don't do sprayin' on this visit. We're just here to see if there's a problem to begin with. Y'know, check for signs of rodents and crap like that." She nods, relieved that I won't be spraying pesticides. The bag that I carry is, for the most part, empty. It contains a flash light, a paper mask, a pair of work gloves, a tiny wireless access point disguised as a pager, two key loggers and lots of space to store stuff. My clipboard is also full of goodies. I sling the bag off my shoulder and get to work, as the lady wanders off. As she begins to leave, she says "Well, I guess you know what you need to do. I'll be in my office. Let me know if you need anything." I don't look up from my "work" as I thank her.
As soon as she disappears I move into the next room. The room is a work room where documents are stored, the printers are kept and various other supplies are stored. I look around the area for anything of interest. A stack of checks for deposit catches my eye, so I grab them and shove them into my clipboard. Each check has a name and account number on it. Nothing else here, but I hear a familiar humming; warm and pleasing to the ears. I walk back to the manager's office, and ask her if she could please grant me entry into "this back room, whatever's in there." She explains that this room houses their computer equipment. I nod and say that rodents are known to bed up in warm areas, and in my experience, computer rooms generate heat. I see the gears turning inside her head, and once she decides that this answer makes perfect sense, she unlocks the door. She asks only that I notify her when I am finished so that she may lock it again. I nod and tell her I would be happy to.
I enter the computer room and immediately begin to see networking equipment. A few tower servers rest on the floor beneath the rack. I could plug any number of items into the switch at this point. If they use DHCP, my rogue access point, which has been preconfigured, will provide me access to the internal network from the parking lot. My key loggers come in two flavors: USB and PS2. I decide to save the goodies for another locale. I take stickers with my company logo and place them on the networking equipment to prove that I have been there. I rummage around the area looking for confidential items. I find a company phone directory and take it. This might come in useful later, I think to myself. Near one of the terminals, I see a pink sticky note. "Bingo," I say aloud. Written on the sticky note are login credentials to the core processor. This information should allow me to query the bank's core processing software for account numbers, names and social security numbers; once I have determined its IP address. I note the credentials in my clipboard.
I fetch the manager and she locks the door. I thank her, and ask if I may inspect some of the offices out in the lobby. I let her know that I don't want to interfere, so I point to an empty office and ask if I may inspect that one. "Oh yes, that's Tom's office. He's one of our loan officers, but he's at another branch today. Sure, go right ahead." I'm already walking toward the open office before she finishes. Satisfied that I'm completing my work, she turns around and goes back to her office. Once inside Tom's office, I get down on my hands and knees and retrieve my flashlight. I pretend to inspect the area around his desk. The walls are made of glass, and everyone can see in. I try to keep an eye out for what's going on, who is watching me, and who might be coming my way, but it's difficult to tell. I decide that I had better make quick work of this place and get out.
I pull a CD from my clipboard and place it in Tom's computer. This CD contains a virus which contacts our company's Network Operations Center and provides us with information about the workstation. It's intended as a proof of concept, and nothing more. The software doesn't hurt the victim's computer. I also rummage through his filing cabinets, which are not locked, and recover a folder full of loan applications. Loan applications are great. They contain social security numbers, names, and sometimes a photo copy of the drivers license. These are no exception.
I get to my feet and return to the manager's office. I smile as I let her know I'm finished, and they have a clean bill of health. "Welp, we didn't find anything ma'am," I tell her, "Now if you'd just sign this here invoice for me just to prove to my dispatcher that I was here, I'd be much obliged." Yes, sometimes I do lay it on quite thick. She signs the fake invoices we had printed up at a local printing company. I date it and sign my initials as well. I thank her for her time and cooperation and leave the building.
I enter my vehicle and realize that I'm sweating. It's Minnesota, so it's not exactly hot outside. I nervously drive to a parking lot across the street, thinking the entire time that somebody must be on to me. Somebody must have figured out my ruse. Somebody has called the police, noted my license plate, and they must be on their way. But they aren't. As I start to calm, I inspect the items I have collected.
* 27 account names and numbers
* 13 loan applications complete with socials, names, birthdays and drivers license
* 1 phone directory with (what appears to be) extensions for everyone in the bank
* 1 login to the AIX Core Processor
This should be enough to start some new eBay accounts. I seal the information in an evidence bag, date it, sign it and place it in a secure bag. I call home base and report that the first job is done, and that I'm moving to the main branch. I light a cigarette and turn up the music as I drive to the next target."
Stab proof hoodies available in the UK
Submitted
by
Gareth Williams
Gareth Williams writes "There is a story here on stab proof hoodies.
Apparently these things are already on sale for 65 pounds a piece. I want one.""Teens beset by a violent knife culture that has gripped the front pages of newspapers across the country can now buy stab-proof hooded tops five-times stronger than steel. "