
Comment Not a bad idea at all (Score 1) 55

Seems like a nice easy way to make a bit of cash in your spare time without any particularly rare skills needed. Just find a vulnerability from CVE that doesn't have a corresponding Metasploit module, write a Metasploit module and put it up in Exploit Hub.

Since it's not a 0-day, there's nothing to be gained by getting an exclusive purchase so the prices will be reasonable. There's less risk of being sued too because it's not a 0-day; just a bit of code that you can use to test for an already disclosed vulnerability.

  • The company who wrote the vulnerable software will want it to put into their QA cycle to guard against regressions.
  • Anyone who writes penetration testing software will want it to integrate into their product... unless the price is higher than just having their own coders do it.
  • Penetration testers will want it in their arsenal to make sure they get the maximum coverage possible.

The "bad guys" probably won't want it. It's already known and getting patched and they'll have to rewrite it anyway because it will have an easily identifiable signature as it comes from Exploit Hub.

There will still be a market for 0-day exploits, but as the article mentions, it's a finicky market. Setting up a market for turning disclosed vulnerabilities into Metasploit modules is smart.

Comment More problems (Score 1) 486

Yet another potential problem that no one seems to have mentioned yet is that of shared houses. If my flatmate has a virus (which he doesn't any more because I cleaned it off last night) then the whole house is going to be seen as "infected" and four innocent people will be cut off the internet due to the indiscretions of one person. This could be made all the worse if the person owning the infected computer is on holiday for a week.

ISPs are in a great position to significantly impact bot activity but the first adopters of this kind of policy will lose customers to more forgiving ISPs as customers get angry about being cut off, whether this anger is justified or not. ISPs will have to ease their way into this kind of policy, being very careful not to alienate their customers.

Comment Re:so true (Score 1) 228

WoW has two instances of this sort of thing I can think of. The first is that as a rogue, I can pick almost any lock in the game... but certain locks I have to get the right key to open. It would have been simple just to raise the lockpicking skill required for that lock high enough that no one can attain it, but they didn't. They just said "No. You need the right key."

The other one is cold weather flying. One of the four continents requires a new skill to be learned before you can fly there, even if you have learned flying already. The talent is called "Cold weather flying" but there are warm areas of the continent. There are also cold areas of other continents. It's inconsistent and, as the article talks about, it breaks the immersion in the game. It's not quite as easy a fix as the lock one, but given enough thought, I'm sure they could have come up with a way of making it work and still be consistent.

I'd love to see game developers spend more time making games better.

Comment Re:It's not what it would seem. (Score 1) 154

The only sentence in that entire post I wrote myself is the first one. The rest of them are quoting Bill Hicks, the sadly departed comedian.

Although I will grant you that the reason the word "dinosaur" doesn't appear in the bible is because it hadn't been invented yet, I will not grant you that the one use of the word "behemoth" and the one mention of the word "leviathan" and the dubious references to a dragon are actually evidence that dinosaurs existed at the same time as man. If dinosaurs and man co-existed, the bible would talk about practically nothing else. They would be mentioned on every second page. There would probably be a mention of them in the chapter about Noah, for instance.

As for your assertion that I spend my days glued to Comedy Central: Bill Hicks will never be shown on Comedy Central, I have read significant parts of the bible and I don't own a TV.

Comment Re:It's not what it would seem. (Score 3, Funny) 154

The good man is not a troll and was indeed quoting one of the funniest comedians of our time, who is also conveniently mentioned in his sig. The follow-up line was:

Bill: "I think God put you here to test my faith, Dude. You actually believe that?"
Young earth creationist: "Uh huh."
Bill: "Does that trouble anyone here? The idea that God... might be... fuckin' with our heads? I have trouble sleeping with that knowledge. Some prankster God running around: 'Hu hu ho. We will see who believes in me now, ha HA.'"

And now, for some more dinosaur based humour from Bill:

Bill: "You believe the world's 12 thousand years old?"
YEC: "That's right."
Bill: "Okay I got a question to ask you."
YEC: "Okay"
Bill: "It's a one word question."
YEC: "Uh huh."
Bill: "Dinosaurs."

Bill: "You know the world's 12 thousand years old and dinosaurs existed, they existed in that time, you'd think it would have been mentioned in the fucking Bible at some point. 'And lo Jesus and the disciples walked to Nazareth. But the trail was blocked by a giant brontosaurus... with a splinter in his paw. And O the disciples did run a shriekin': "What a big fucking lizard, Lord!" But Jesus was unafraid and he took the splinter from the brontosaurus's paw and the big lizard became his friend.'"

Comment Re:Is it just me? (Score 1) 45

The company I work for sells books. One of our developers created a Chrome addon in his own time that looks for ISBNs in every page you view and displays the price for the same book on our website.

No one knew that was going to happen when the API was developed. In fact, Chrome didn't even exist back then. (Although one of the other developers has made a Firefox addon and Firefox certainly did exist.) Companies just provide the API and let the developers come up with the good ideas. They don't expect anything in particular.

Comment Well, of course. (Score 1) 45

The company I work for developed an API the minute we saw the first bot scraping our prices straight off the website. It's crazy not to. The bots are nearly always managed by someone who runs a price comparison website that drives traffic straight to us. The easier we make it for them, the more sales we get.

The hard-working third-party developers are going to get the info anyway by scraping the HTML designed for browsers, but it will be hard work for them and it will break every time we re-jig the site. The API uses much less bandwidth and far fewer resources for both them and us, and has the benefit for them of always being in a defined format.

Frankly, I'm surprised developing an API isn't the first thing every retailer does after finishing version 1.0 of their site.

Warning: The following paragraph may contain traces of a shameless plug.

A more recent API we have developed ties our products to semantically tagged data about the products. We aren't really sure what people are going to do with this data yet but the possibilities seem broad. If you feel like having a play with semantically tagged book data, the new API is at BibDib. (Yes, we have an affiliate program.)

Comment Re:Ummm, no (Score 1) 228

He didn't say "high prices", he said "valuable". He also didn't say "buy things", he said "80%-90% reduction in numbers".

The high value causes more fishermen to go out and hunt the Bluefin Tuna and attempt to sell them for high prices at the market. The prices go up because the demand exceeds the supply. The high prices cause the perceived value to go up and even more fishermen decide that Bluefin Tuna are the best choice of fish for them to catch. If the price goes high enough, some of the Bluefin Tuna won't be sold and will simply go to waste, but that still contributes to the 80%-90% reduction in numbers even though nobody bought anything.

Any misjudgements about the levels of supply and demand end up with dead fish and poor fishermen.

The supply and demand dynamics are circular so it's very easy to get confused about cause and effect when the effect is, in turn, the cause of the original cause.

Comment Re:Skipfish vulnerability scanner (Score 1) 65

No, he wants the rules moved out of the source code for the same reason that anti-virus definitions are not compiled-in to anti-virus products and Nessus plugins are not compiled-in to Nessus.

New attacks are developed all the time, new vulnerabilities are discovered all the time. Having to write C code for this and re-compile the entire scanner is a massive pain and waste of time. Writing a rule should be quick and easy. And yes, even non-coders (say, sysadmins who may have never touched C or maybe anything other than Perl) should be able to do it successfully.

Even changing it to be a compiled-C plugin would be better than having it compiled in to the main application.

I see this being an improvement for the near future.

Comment Re:Move to a higher order port and use denyhosts (Score 1) 497

My thoughts on these suggestions:

  1. The purpose of changing the port is not security (a simple portscan will undo that) but reduction of logged error messages while still allowing all IP addresses anywhere to SSH to the machine.
  2. The port you choose is important. At one place I worked we used port 10000. This is already used for Webmin (although we never used Webmin) and hence we got thousands of Webmin brute force attacks against our SSH port. They could never have been successful but it didn't cut down on the logged error messages very much.
  3. Denyhosts and Fail2ban both have the ability to be quite nasty on false positives and are rather prone to them. Amongst all the suggestions above to use these products, I would also add to make sure you whitelist a place you can always get access to. You should also have an out-of-band communication method with your servers. That way, when you do finally get locked out of your own server by your security tool, you know how to get in and fix the problem. The same goes for an IPS if you install one. Make sure you can still access it when it decides you are an intruder.
  4. Check your SSH error log to make sure something like denyhosts or fail2ban would even be of any use. I have seen plenty of brute force attempts where each IP address only tries three different username/password combinations and then moves on to another server. Then another picks up where the first one left off. These guys wouldn't even notice if you were using fail2ban. Sharing your denyhosts with the denyhosts site might help. You could use the shared denyhosts block lists to configure fail2ban if you preferred it.

And to the original poster who gets a million per year across 50 or so domains... I got a new box installed a few weeks ago that had 45,000 attempts in the three days it was online before my ISP gave me the IP address. That's a million attempts about every two months. Per server. You have as yet seen only the tip of the iceberg.
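As an added illustration of points 3 and 4 above (this is example code written for this page, not something from the comment author, denyhosts or fail2ban), the script below parses OpenSSH "Failed password" lines, applies a per-source threshold the way a denyhosts/fail2ban-style tool would, honours a whitelist for the network you always need access from, and then reports how much of the brute-force noise such a threshold never sees. The log lines are constructed (RFC 5737 documentation addresses), the threshold of 5 is an assumed maxretry, and the 192.0.2.0/24 management network used as the whitelist is an assumption for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# OpenSSH "Failed password" line, e.g.
# "Mar  3 02:11:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2"
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample data (documentation address ranges, not real hosts):
# four "low and slow" sources that each try three logins and move on (point 4),
# one loud single-source brute force, and one clumsy administrator on the
# management network that we must never lock out (point 3).
_CONSTRUCTED_ATTEMPTS = [
    ("203.0.113.5", ["admin", "oracle", "root"]),
    ("203.0.113.77", ["admin", "oracle", "root"]),
    ("203.0.113.130", ["admin", "oracle", "root"]),
    ("203.0.113.201", ["admin", "test", "root"]),
    ("198.51.100.9", ["root"] * 7),
    ("192.0.2.10", ["alice"] * 6),
]

ASSUMED_MAXRETRY = 5                      # assumed fail2ban-style threshold
ASSUMED_WHITELIST = ["192.0.2.0/24"]      # assumed management network


def render_auth_log(attempts=_CONSTRUCTED_ATTEMPTS):
    """Render the constructed attempts as auth.log lines so the parser sees the real format."""
    lines, pid = [], 1200
    for ip, users in attempts:
        pid += 1
        for i, user in enumerate(users):
            invalid = "" if user == "root" else "invalid user "
            lines.append(f"Mar  3 02:11:{i:02d} host sshd[{pid}]: Failed password for "
                         f"{invalid}{user} from {ip} port 40110 ssh2")
    return "\n".join(lines)


def parse_failures(log_text):
    """Return a list of (username, source_ip) for every failed-password line."""
    return [(m["user"], m["ip"]) for line in log_text.splitlines()
            if (m := FAILED_RE.search(line))]


def failures_per_ip(failures):
    return Counter(ip for _, ip in failures)


def is_whitelisted(ip, whitelist):
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in whitelist)


def ips_that_would_be_banned(failures, maxretry=ASSUMED_MAXRETRY, whitelist=ASSUMED_WHITELIST):
    """Mimic a per-source threshold: ban a source once its failures reach maxretry,
    unless it is on the whitelist (point 3: keep a way back in)."""
    return {ip for ip, n in failures_per_ip(failures).items()
            if n >= maxretry and not is_whitelisted(ip, whitelist)}


def campaign_summary(failures, maxretry=ASSUMED_MAXRETRY, whitelist=ASSUMED_WHITELIST):
    """Point 4: measure how much of the noise a per-source threshold never acts on."""
    counts = failures_per_ip(failures)
    banned = ips_that_would_be_banned(failures, maxretry, whitelist)
    below = {ip: n for ip, n in counts.items()
             if n < maxretry and not is_whitelisted(ip, whitelist)}
    return {
        "total_failures": len(failures),
        "distinct_sources": len(counts),
        "banned_sources": sorted(banned),
        "unbanned_attack_sources": len(below),
        "unbanned_attack_attempts": sum(below.values()),
        "usernames_tried": Counter(user for user, _ in failures),
    }


if __name__ == "__main__":
    summary = campaign_summary(parse_failures(render_auth_log()))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against a real /var/log/auth.log the per-username counter is the useful part: a handful of usernames (root, admin, oracle) hit from many distinct sources, each staying under the threshold, is exactly the distributed pattern the comment describes, and it shows up in the aggregate even when no individual source ever gets banned.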
