Re: [Full-Disclosure] Bios programming...

2005-03-04 Thread dk
Randall Perry wrote:
> The program in question is quite legitimate in nature and already
> exists in several forms.
So does porn. In fact one can replace `program' with `porn' above and
make the same kind of hollow point.
Mere existence and availability doesn't make it right, even if you make
the personal choice to do so.

> In some instances, it sends the data to 'accountability partners'
> who are your chosen peers that monitor your activity.
Sounds benign enough at first glance, and I like the group portion. But 
do you have a study that backs up this method as mentally or emotionally 
sound? Or is this just geeks making up pseudo-science to peddle their code?

> Think of it as AA for online porn.  Online porn has become a
> real problem for males age 12 to early 40's.
Porn is a human problem mainly due to society's variety in accepting 
and/or suppressing sexual matters in daily life. Religion has done as 
much harm in this area as it has done good. Re-modeling that system of 
"eye-in-the-sky" accountability and personal emotional suppression makes 
me feel we've learned little these past N-thousand years.

And no, this program (alone) is not like AA or NA. I am familiar with 
their methods and it places more open responsibility on the individual 
to learn to control themselves and respond face to face with a group.
This is having someone remotely MONITOR your activity and aggregate it
however they choose. The direct human contact factor is out of the
equation, which is probably part of the client's original problem to begin with!
To accept that as long-term positive treatment of a condition should be 
appalling to a discriminating scientific mind.
Combine this with planned therapy by a professional (not just some 
divinity grad) and you /may/ make a better case to those of us who disagree.

> Properly implemented, solutions to combat porn are good business.
That statement alone is enough to make me pause about your good 
intentions. How is it exactly that you intend to separate this type of 
exploitation of the individual from the exploitation they are trying to 
be rid of? You & the Porn supplier are both doing it for a profit. Since 
the client says they want it it's ok then? That's what got them into 
their mess isn't it?

> (mind you, this is not 'spyware' for parents.  this is targeted at
> adults who are trying to curb their own behavior).
True. But I would *NEVER* trust a programmer to address a (possible) 
psychological/behavioral problem, that's just silly. A xx$ program to 
"monitor" them is no replacement for Professional Psychotherapy, period.

> Those who are not aware of that epidemic should sit quietly and
> not scoff at the efforts of others.

(I was going to bite my lip until you said that.)
No, one should not just be quiet Randy; _especially_ because I disagree 
that what you are doing is good for the individual or the society that 
they live within. Though I like how you softly framed the statement to 
reinforce that speaking implied ignorance. I'm rather surprised you've 
the gall to actually type this on a Full-Disclosure list.

Whether this is an "epidemic" as you call it, is debatable as well. This
just smells like more pious, pseudo-religious proselytizing & labeling
that I've had to endure in America all my life. Must it infect the 'net too?
Silly question, I know.

That the Internet (post '95) has cast a wide net to surprise the
unprepared with pornography is true enough. But that's a problem of how
each society teaches its members. Calling it an epidemic just
sensationalizes it and makes it good for marketing and evangelizing.

I've a feeling social piety and taboo play a large role in the
individual's dysfunction and attraction to porn. So social treatment and
education are a better path than hacking up some code over night to make
a buck. That just stinks Randy.


> Good luck with the project,
> it sounds noble at root.
The root of many human endeavors seems noble. Yet the unforeseen
consequences keep bubbling up through history, no?

--
dk
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Bios programming...

2005-03-04 Thread dk
Bill Humphries wrote:
> 1) It is easily circumvented.
> 2) It violates the privacy of other users.
> 3) It can easily generate false positives.
> 5) It could be exploited.
> 6) Who decides what is a 'suspect site'?
> 7) Trustworthiness of the Monitoring Organization
> 8) Trust vs. Pervasive Surveillance
I agree completely with 1-8. This project seems very short-sighted and
ill-conceived. Fraught with social and moral repercussions well beyond
"those who are helped"... I don't care that other projects have claimed
to provide similar solutions. Emulation does not imply correctness any
more than a talking myna bird espouses Truth.
I also question that the knowledge/skill set of the O.P. is not up to the
task, but that's solely based on his verbiage and lackadaisical
sentences regarding CMOS, BIOS and the like.

> Several people said they felt a legitimate need for this software citing
> "pornography addiction."
>
> I've emailed a few friends who are in grad programs and clinical
> practice to confirm if there's an actual diagnosis of "pornography
> addiction". Sorry, the term feels loaded, like something tossed about
> during a congressional hearing.
I spoke with two Psych PhD. friends about this over lunch today, one
male one female. They both expressed concern over this approach;
likening it to medicating a client without proper diagnosis or therapy.
One commented that if such an observable "pornography addiction" exists,
it is likely part of a much larger sexual dysfunction that could
actually be exacerbated by this type of behavior modification. Not to
mention what it could possibly grow into once the conditions feeding the
behavior change. i.e. the electronic chastity belt is removed or breaks;
or the "addiction" takes on a different expressive form; or...

Personally I find it outrageous that we continually mis-classify and over
simplify cultural problems and try to devise such technological
solutions to limit human behavior. The fact that this was honestly
posted to Full-Disclosure as a serious question demonstrates the already
flawed approach being taken.

[snip very good AA comparison]
> And when, if ever, do you build trust with the person who you have said
> you have harmed? It strikes me as too easy to leave the secret policeman
> on forever. But now there's a third pillow in that bed, and I get the
> feeling that you do not condone polyamory.
I get the feeling that this may be motivated by a religious association
with an agenda besides just specific sexual dysfunctions, then again
perhaps not. The site at www.dynamicanswers.com seems very MS/Win32
centric, so while I expect the O.P. to be well versed in win32/mfc
solutions, I do not suspect much else. Which is what this undertaking
would require. Either way, people tend to overstep their bounds of
experience when providing solutions. To them I would say: Most times you
are not there 5 or 10 years later to clean up the mess you helped make;
albeit with misguided good intentions.

> How does that old quote go?
> That's why I made those remarks comparing your plan to the abuses of
> Mao's Cultural Revolution. You privatize the intrusive, something which,
> until recently, was the domain of totalitarian states.
"Privatize the intrusive" that's very excellent and succinct Bill. 
Though in a way, I'd submit that The Church has had their hands in this 
too (God is watching you, etc...) Though "privatize" may not exactly fit 
that, they construct systems for similar goals: Control.

--
dk


Re: [Full-Disclosure] Bios programming...

2005-03-04 Thread dk
Matt Marooney wrote:
{snip}
> I'll disregard the troll comment as this
> is the first time I've NEEDED to post anything to this list.  I've been
> reading it for years now.  Thanks.
Aww then, you really have no excuse for this post Matt. It's off-topic 
and the scope of your "problem" covers too much ground. :)

That said: I think you need to get off a mailing list, throw down some hard
cash, hire an EET and someone that can /really/ write code for an OS,
*PROM chips, embedded systems, etc. But I think this is a rather
involved scenario that is gonna take a lot to provide a real working
solution, so I hope you have some funding and patience. Just go hit up a
hungry DeVry/ITT grad or something if you need a shoe-string budget.

While you do sound sincere Matt -- though a bit naive, if you don't mind 
me saying -- I think the business model for this device is morally & 
socially bankrupt and sets a bad precedent all around. I don't care if 
other people have done it already, it doesn't make it right (see precedent).
I question any ethics of monitoring a person, even with their leave & 
even if it is for an *evil* addiction. They obviously don't have good 
judgment about the consequence of their actions to begin with, no? Why 
do we assume that they are of sound mind about the choice of giving this 
type of consent?

In a light hearted tone:
	This sounds much like all the variety of exercise equipment that is
pandered out to Fat Americans who just want a quick fix to their
problem. A bit later the expensive machine ends up sitting in a garage,
unused, until it's thrown away & the person remains fat.

In a heavier tone:
	I ask you to please, _please_ question who you are working for and how
else they could use this after you are gone. Swords cut both ways Matt,
as I'm sure you know. Would you like this used against you to stop you
from practicing religion online? Politics? What if the technology gets
exported and helps a regime to monitor its citizens to maintain control?

Anyway. I think this is the wrong solution to the actual problem. I
would much rather these clients spend money on a good psychoanalyst than
some half-baked technological chastity-belt solution. Especially if this
money is derived from taxes. The problem lies WITHIN THE PERSON, not
within the device delivering the porn. Do you have hard stats that this
approach really works for the client and community? Or do you just want
to profit off of their problems while believing you are helping?
It smacks of letting a recovering Alcoholic keep beer in his/her
house, but with some $3000 filter on the lid to only provide H2O when
drunk? AA would be cheaper and more effective.

--
dk


Re: [Full-Disclosure] New Internet Explorer Beta

2005-02-16 Thread dk
William Lefkovics wrote:
--[snip of Gartner babble]--
Will,
	You know (as a comparison) one could argue that much of what gartner 
says is a good "backup source" for the masses to listen to when one 
lacks the experience to form their own opinion. Of course I'm joking a 
bit here; but personal experimentation reveals more than corporate 
quotation for sure, no?

> I'm absolutely delighted that the decision to tie IE releases to Windows has
> been reversed.
As I'm sure we all are... But do not confuse this with a good faith 
corporate gesture, or a dedication to improve the quality of their 
development for the community. This was purely a business decision with 
the consumers "quality-of-use" only weighed in $$'s.

> And Firefox is no panacea.
Very true, but it was not the goal of the project to be one. It is
self-evident that no piece of software has ever been, nor ever will be
completely bug-free. Aside from serving the needs of the individual user
better, the Mozilla Foundation seems to have helped effect a policy change
in our planet's wealthiest & most ambivalent corporation; no small task.

Besides, I'd rather help a local farmer pick the bugs off his crops than 
blindly eat the bugs of Monsanto's.

> It is just another browser with a different set
> of issues.  A good backup browser, really.
Bah, I've used many other browsers on many OS's since ~94. IE has never
been a first choice for many people. It did not facilitate the creation
of the WWW & the web's purpose shall outlive it & others no doubt. IE's
problems have always been exacerbated because of its designed context &
end purpose; making it easy for site developers & windows developers to
deliver content with as little thought or time as possible. Depriving
them of learning valuable lessons on responsibility and consequence.
Naturally this ease of use applies to the malware authors as well. Hence
this constant use of IE as an exploitation vector, regardless of market
share held.
I believe the latter is demonstrated well enough through the spam 
phenomena we all suffer. Though the perpetrator clearly knows only a 
small share will ever even see the spam, they continue in mass-volume to 
reach those few until true diminishing returns are hit.

One thing that can help you distinguish a similar program from another
is the developer's timely response to bug reports, vulnerabilities, and
the vested interest in the use/creation of the software to begin with.
Not to mention the availability to easily read & modify the source code.
Little is hidden from you with some breed of apps; you can be in full
control if you so desire. In this, IE and Firefox diverge greatly.

In the end, things can thrive with diversity. I welcome a future where 
many browsers, servers, programs, os's (etc) are used by the internet 
populace... If merely for an aesthetic reason, mono-culture is rice cake 
drab.
:)

--
dk


Re: [Full-Disclosure] Slackware Security updates

2005-01-26 Thread dk
KF (lists) wrote:
> There is nothing yet for this year but this would be a good start...
[snip]
> This is not to say that all of the slack packages are updated, or secure
> of course. Just nothing has been released recently. :)
Slack is mainly a one-man-show these days. As it seems that Pat's been 
pretty sick recently, the distro has slowed down on patch releases a lot.

I have always read other distro's announcements and then rebuilt the
affected apps on slack from source if there was no "official" patch.
But recently I've been moving mission critical servers to more "active"
distros to better follow security fixes on stock packages.


Re: [Full-Disclosure] 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS

2005-01-24 Thread dk
Paul Kurczaba wrote:
> Wouldn't the phone try to open the jpg file as a picture, and not execute
> it. Just like on desktop PCs: if you rename a .exe (application/program) to
> a jpg (picture file), and try to open the file, your image program will open
> the file, thinking it is a image file. The application code will not be
> executed.
Just because one peculiar desktop OS for PC's (MS' variety) chooses this 
action does not indicate that others do; especially where embedded 
systems are concerned.
There are many ways it can be done.

--
dk
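The defensive corollary of the point above is that what a file "is" depends on what the receiving system decides from its bytes, not from its name, so a filter or mail gateway should never trust the extension alone. The following script is an added example, not code from the thread or from any product discussed in it; its magic-byte table is a small constructed subset (a real deployment would use libmagic or similar) and the sample files are constructed byte strings, truncated to their headers.

```python
import os

# Constructed magic-byte table for this example: leading bytes -> content type.
# Deliberately small; it illustrates the technique, not a complete classifier.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"MZ": "pe",        # Windows executable (DOS/PE header)
    b"\x7fELF": "elf",  # Unix executable
}

# Which content types an extension may legitimately carry.
EXPECTED = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}, ".gif": {"gif"},
    ".exe": {"pe"}, ".dll": {"pe"},
}


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def check(filename: str, data: bytes) -> dict:
    """Compare what the extension promises with what the bytes actually are."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        verdict = "unknown-extension"      # nothing to compare against
    elif actual in expected:
        verdict = "ok"
    elif actual in ("pe", "elf"):
        verdict = "executable-disguised"   # the case discussed in the thread
    else:
        verdict = "mismatch"
    return {"file": filename, "ext": ext, "actual": actual, "verdict": verdict}


# Constructed sample inputs: a few header bytes are enough for sniffing.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "cute.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,   # PE renamed to .jpg
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "setup.exe": b"MZ\x90\x00",
    "notes.txt": b"just text",
}


def scan(samples=SAMPLES):
    """Classify every sample and return the verdicts in input order."""
    return [check(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in scan():
        print(f"{r['file']:<12} ext={r['ext']:<5} bytes say={r['actual']:<8} {r['verdict']}")
```

The verdict "executable-disguised" is the one worth alerting on; whether a given handler would run such a file is exactly the per-platform question the thread raises, so the check flags it regardless.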


Re: [Full-Disclosure] harddisk encryption

2005-01-20 Thread dk
dk wrote:
> Indeed, crypto, sans reviewable source, is questionable if for no other
> reason. Am I (or you) personally capable of reviewing all that source?
> Maybe, maybe not. But it offers that opportunity to a community that I
> can become familiar with to make an informed decision.
Forgot to mention:
http://sourceforge.net/projects/loop-aes/
...if you ever decide to use Linux as a host OS.
No kernel patches required (optional).
Just the stipulation of module loading & the internal LOOP driver
(loop.c) to be a module. So a kernel recompile is necessary if this is
not set already, plus a patch-n-recompile of some net-utils files
(mount, umount, losetup & swapon).

Very nice, very flexible, well maintained.
--
dk


Re: [Full-Disclosure] harddisk encryption

2005-01-20 Thread dk
Mike Klein wrote:
> but you get source code too (which is usually
> the case with truly proven crypto technologies).
Indeed, crypto, sans reviewable source, is questionable if for no other
reason. Am I (or you) personally capable of reviewing all that source?
Maybe, maybe not. But it offers that opportunity to a community that I
can become familiar with to make an informed decision.

--
dk


Re: [Full-Disclosure] Amazon.com is down

2005-01-14 Thread dk
Jianqiang Xin wrote:
> It seems that Amazon.com is down. Is it related to any attack?
FYI, to remove local routing or DNS issues you should really check 
things like this (via IP) from >2 geo-locations before mailing, then 
post the relevant trace-routes, etc.

--
dk


Re: [Full-Disclosure] Possible apache2/php 4.3.9 worm

2004-12-27 Thread dk
DanB UK wrote:
>> Do read the code carefully though Dan. Right off hand I can see errors
>> that were also in the code posted to bugtraq on the 20th; K-OTik may
>> have added more, dunno.
>
> It is probable that they have added errors in. To curb the script
> kiddies picking things up and modifying it and releasing it.
Yeah, I think it has been mentioned here that K-otik does this with 
their posted code, which is fine by me. :)

> I have a bit of a worry about that and my talk, whether or not to
> release my sample code. It could be used quite evilly if the intention
> was there. I probably won't.
I have had concern about this as well, but remain a staunch supporter of
the Full Disclosure concept sprinkled with some common sense. With the
time to live for virii/worms/exploits this year (from disclosure of bug
to malware exploiting it) it's obvious that the "bar" is getting
progressively lower each year in regards to the skill set it takes to
develop this code. Which is a shame, as developing that skill over time
lends itself to a better understanding of the responsibility that comes
with it.

So a PoC or code that is missing key parts (that a skilled person could
decipher), or an Advisory that informs the author(s) before the general
public seems a socially responsible way to address bugs in our current
climate. It /is/ hard not to share your work with others, and ultimately
does everyone a disservice in the end not to disseminate the knowledge. :)

	There has been an interesting discussion regarding this on Bugtraq in 
regards to Prof D. J. Bernstein's class "MCS 494: Unix
Security Holes" at UofI @ Chicago.
I was a bit surprised how vocal both he and one of his students, 
Jonathan Rockway, were in the thread(s) concerning disclosure; but it 
was nice to see them participate in it (and disclose the bugs they found 
in the first place of course).
Yet they both seemed to disassociate themselves from many of the
real-world effects their disclosure decisions have. It would seem the
comfort of Academia colors things to those within its walls. It was a
shame to see an obviously intelligent, skilled & adept math/cs professor
miss the mark on some of the social implications his work has on the
world -- outside of the constrained scope of his coursework.

To me, it just highlighted the very problem he was trying to address. 
Namely, that some individuals or teams do not take responsibility for 
their actions outside of the limited issues they directly identify with; 
whether that be application coder or bug hunter. :(

--
dk


Re: [Full-Disclosure] OpenSSH is a good choice?

2004-12-24 Thread dk
Willem Koenings wrote:
> On Wed, 22 Dec 2004 02:40:25 -0600 (CST), Ron DuFresne
> <[EMAIL PROTECTED]> wrote:
>
>> I'd disagree in that the tools are getting to be well enough defined that
>> we are all targets.  Best game is to restrict who has access to the ports
>> being served whenever possible, openssh has a history that makes this a
>> good service to limit this way.  Little need to hide what's not openly
>> allowed to all.
> take a recent phpBB worm Santy for an example. worm searches
> automatically targets via google - it searches
> viewtopic.php. if, for an example, you change that file name to
> something else (and also all the referrings inside the phpBB so that
> everything still works), then Santy does not find your phpBB as a
> target. this is only an illustration to my point.
(Hi there. sorry for butting in.)
This concept does work for a little bit... As it is exactly what I did:
using the same highlight hole to rename viewtopic.php to viewtopic1.php
for a friend who was unreachable during the worm's first hit. But it also
took me only a few minutes messing with the query that the worm used to
mod it to take /some/ schemes like this into account on the next google
indexing - and my current perl 5killz are not uber. ;-/
I just mention it because non-std mods to anything can breed a different
sort of complacency. In the end it's the same ole' game I guess.

> i wrote my post because you say "the non std port advice is not worth
> much". i have lot of cases, when non standard configuration reduces
> first impact greatly. of course you shouldn't rely only to non
> standard ports/configuration, but it is not totally worthless - it
> often helps you a lot.
I too agree that it's not worthless for certain usages, especially as
you mention: on first impact. But depending on context it _can_ create
more burden on the admin later when you must recall what non-standard
changes /you/ made to the application or source package when upgrade
time comes around. Files may not be patched/removed due to name changes
and could be left available for future exploits. These custom changes
may also open you to other issues in the future... like putting ssh on a
high port that turns into a popular p2p port in a year's time and it
hammers your logs or some such.

Anyway - In this specific case, if the OP wanted to further restrict ssh
from pre-auth bugs a system like fwknop[1] or SAdoor[2] would work
better to open the std port 22 (or whatever) than simple port knocking.

[1] http://www.cipherdyne.org/fwknop/
[2] http://cmn.listprojects.darklab.org/
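The renaming trick above buys time only until the worm's query is adjusted, so the durable defence is to watch for the request shape itself rather than the file name. The script below is an added example written for this archive, not code from the thread or from phpBB; it assumes Apache-style access logs with the board under /forum/, and its four log lines are constructed, not captured traffic. It flags any viewtopic-style request whose highlight parameter is not a plain search term, which also catches a locally renamed copy such as viewtopic1.php.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style log lines (not real traffic). The second and
# third requests carry highlight= values that are not plain search words.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Dec/2004:10:01:02 +0000] "GET /forum/viewtopic.php?t=42&highlight=foo HTTP/1.1" 200 5120
198.51.100.9 - - [22/Dec/2004:10:01:07 +0000] "GET /forum/viewtopic.php?t=42&highlight=%2527%252e HTTP/1.0" 200 512
198.51.100.9 - - [22/Dec/2004:10:01:09 +0000] "GET /forum/viewtopic1.php?t=7&highlight=%27.%27 HTTP/1.0" 200 512
203.0.113.5 - - [22/Dec/2004:10:02:00 +0000] "GET /forum/index.php HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Match viewtopic.php and any locally renamed copy such as viewtopic1.php,
# since a rename only helps until the worm's query is adjusted.
SCRIPT_RE = re.compile(r'viewtopic\w*\.php$')
# A legitimate highlight value is a search term: letters, digits, spaces, _ and -.
SAFE_HIGHLIGHT = re.compile(r'^[A-Za-z0-9 _\-]*$')
# parse_qs strips one layer of %-encoding; any %XX left over was double-encoded.
ENCODED = re.compile(r'%[0-9A-Fa-f]{2}')


def classify(line):
    """Return a hit dict for a suspicious viewtopic request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not SCRIPT_RE.search(url.path):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("highlight", []):
        if ENCODED.search(value):
            reason = "double-encoded"
        elif not SAFE_HIGHLIGHT.match(value):
            reason = "non-word-chars"
        else:
            continue
        return {"ip": m.group("ip"), "ts": m.group("ts"), "path": url.path,
                "highlight": value, "reason": reason}
    return None


def scan(log_text):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in (classify(line) for line in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} "
              f"highlight={hit['highlight']!r} ({hit['reason']})")
```

The two reasons are kept separate because they mean different things operationally: a leftover %XX after one decode is almost never produced by a browser, while stray punctuation in a search box can be, so the second class deserves a threshold before it pages anyone.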
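To make concrete why a single authenticated packet is a better gate for port 22 than a knock sequence, here is an added example that is not code from the thread, from fwknop or from SAdoor: a constructed, deliberately simplified single-packet-authorization exchange (timestamp, nonce and HMAC-SHA256 over a "source:port" request) next to a plain knock listener. The wire format, the key and the IP addresses are all invented for illustration; the real tools differ in format and offer more.

```python
import hashlib
import hmac
import os
import struct

# Constructed shared secret for this example only; a deployment would provision
# a per-client key out of band, never embed one in source.
KEY = b"example-spa-shared-secret"
WINDOW = 30   # seconds of clock skew the server tolerates
TAG_LEN = 32  # HMAC-SHA256 output length


def client_build(key, source_ip, port, now, nonce=None):
    """Client side: one authenticated datagram asking for <port> to open for <source_ip>."""
    nonce = nonce if nonce is not None else os.urandom(8)
    body = struct.pack("!I", int(now)) + nonce + f"{source_ip}:{port}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaServer:
    """Server side: verify, reject stale or replayed requests, then record a rule."""

    def __init__(self, key):
        self.key = key
        self.seen = set()     # nonces already accepted, to refuse replays
        self.allowed = []     # (ip, port) rules that would be pushed to the firewall

    def handle(self, packet, now, src_ip):
        if len(packet) < 4 + 8 + TAG_LEN:
            return "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"           # unauthenticated or tampered: silently dropped
        ts = struct.unpack("!I", body[:4])[0]
        if abs(int(now) - ts) > WINDOW:
            return "stale"             # old capture replayed long after the fact
        nonce = body[4:12]
        if nonce in self.seen:
            return "replay"            # same datagram seen twice inside the window
        ip, port = body[12:].decode().rsplit(":", 1)
        if ip != src_ip:
            return "ip-mismatch"       # a rule may only open for the sender itself
        self.seen.add(nonce)
        self.allowed.append((ip, int(port)))
        return "opened"


class KnockServer:
    """Plain port knocking for contrast: a fixed, unauthenticated sequence of
    connection attempts. Anyone who observed it on the wire can repeat it."""

    def __init__(self, sequence):
        self.sequence = tuple(sequence)

    def handle(self, observed_ports):
        return "opened" if tuple(observed_ports) == self.sequence else "ignored"


if __name__ == "__main__":
    now = 1_700_000_000                      # fixed clock for a reproducible run
    srv = SpaServer(KEY)
    pkt = client_build(KEY, "203.0.113.7", 22, now)
    print(srv.handle(pkt, now, "203.0.113.7"))       # opened
    print(srv.handle(pkt, now + 5, "203.0.113.7"))   # replay
    print(KnockServer([7000, 8000, 9000]).handle([7000, 8000, 9000]))  # opened, every time
```

The contrast the thread draws is visible in the two handle() methods: the knock listener has no way to tell the legitimate admin from someone who captured the sequence, while the SPA server rejects a captured datagram on the nonce within the window and on the timestamp after it, and never opens a port for a host other than the one that sent the request.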


Re: [Full-Disclosure] Possible apache2/php 4.3.9 worm

2004-12-22 Thread dk
Barrie Dempster wrote:
> On Wed, 2004-12-22 at 09:03 +, DanB UK wrote:
>> Hi,
>> I was wondering if anyone has a sample of this.
>> I'm giving a talk at 21c3 and would like to provide some analysis on it.
>> Cheers,
>> Daniel.
> http://www.k-otik.com/exploits/20041222.sanityworm.pl.php
Do read the code carefully though Dan. Right off hand I can see errors 
that were also in the code posted to bugtraq on the 20th; K-OTik may 
have added more, dunno.

--
dk


Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-07 Thread dk
[EMAIL PROTECTED] wrote:
> On Fri, 03 Dec 2004 21:52:30 GMT, n3td3v said:
>> I think heads should roll over this. I think its the worst act a
>> corporation has ever undertaken in the history of the internet.
>
> Hmm.. I don't know.  Verisign's hijacking of *.com wildcards and several
> different Microsoft stunts may very well outweigh this one..
Well put. Excellent point (verisign).
--
dk


Re: [Full-Disclosure] Network Sniffing

2004-11-30 Thread dk
Kyle Maxwell wrote:
> Also etherape.
Just to round the 'eth*' out.
ettercap
--
dk


Re: [Full-Disclosure] Lycos Europe organizing a DDoS attack against spammers

2004-11-30 Thread dk
Andrew Smith wrote:
> This seems to have annoyed quite a few people, makelovenotspam.com is
> randomly responding to GETs.
> How long until someone gets a domain in their list and points it at
> the lycos servers?
Yes, the site in question seems to have drawn more than a few eyes to
it. ;/ It's been up & down all day.
While I don't really think "lycos Europe" methods are sound or
sustainable; I'm not surprised that frustration with spam leads to a
measure of corporate vigilantism. I suspect we may see more of this in
various venues to come. Though I doubt it will really help cure whatever
causes the reaction. Hopefully the p2p clients won't pick up on the scent
and throw a few GETs out for each search done, etc.  >:)



Re: [Full-Disclosure] Lycos Europe organizing a DDoS attack against spammers

2004-11-30 Thread dk
Feher Tamas wrote:
> Lycos Europe organizing a DDoS attack against spammers
OT but:
This hit slashdot 4 days ago, and it would seem many noticed that it is
not "really" a DDoS as they claim to throttle the B/W. Anyway -- the
expected discussion ensued. This was the best to cover the point at
hand. :)
http://it.slashdot.org/comments.pl?sid=130908&cid=10928977

--
dk


Re: AW: [Full-Disclosure] Is www.sco.com hacked?

2004-11-29 Thread dk
Robert Marquardt wrote:
> IBM court case, where SCO claimed certain rights over *periferic*
> parts of the

A Hungarian record label contributed to the Linux Kernel? awesome...
:D
--
dk


Re: [Full-Disclosure] Is www.sco.com hacked?

2004-11-29 Thread dk
Elia Florio wrote:
> I remember the "Ducky Adobe" strings in the
> crafted JPEGs of GDI+ bugs.maybe just a coincidence?

Dunno about that, but it would lend credence to the idea that
`they' are windows users (at least for image editing) or we'd see a
"Created with The GIMP" or some such, no?  ;)

--
dk


Re: [Full-Disclosure] Why is IRC still around?

2004-11-20 Thread dk
james edwards wrote:
> It is not IRC that is the problem, it is the people on IRC that cause
> problems.
> Guns don't kill people all by themselves; people kill people.

but it's the holes they make that really do 'em in, no?   %-)
--
dk


Re: [Full-Disclosure] Why is IRC still around?

2004-11-19 Thread dk
Danny wrote:
> Sorry to offend those that use IRC legitimately (LOL - find something
> else to chat with your buddies), but why the hell are we not pushing
> to sunset IRC?

Many people use IRC; and still do. It's a legitimate medium I've used
since the 80's for its intended purpose. Your "abolish" idea is, to be
honest, a bit simplistic don't you think?  Let's just cut through the
proselytizing and ban this whole "Internet" thing, that'll stop 'em. :)

> What would IT be like today without IRC (or the like)? Am I narrow
> minded to say that it would be a much safer place?

Path of least resistance. If not IRC another venue would be used.
--
dk


Re: [Full-Disclosure] Re: U.S. 2004 Election Fraud.

2004-11-11 Thread dk
[EMAIL PROTECTED] wrote:
> Depending on your state/county/whatever, your vote did count a LOT LESS
> than other votes. It all depends on how many electoral college votes your
> state has.
> How does that feel? Knowing that someone else's vote is more important
> than yours?

The US is a federal republic governed by _representative democracy_, so
this is the way it is /supposed/ to work it would seem.
US citizens need to be more active in choosing the state Senators & 
Representatives that allow them electoral votes, and more careful about 
what types of people are choosing the actual electors. In the end 
though, these electors /are/ free to vote as they wish in many states, 
regardless of what The People voted for. :(

So I could feel fine that it is working as designed... It's of course 
flawed, but it possibly beats a "Mob Rules" popular vote majority that a 
direct democracy provides, especially for a diverse nation of former 
immigrants like the U.S.

Hell who knows... this is all OT anyway.
--
dk


Re: [Full-Disclosure] Moox firefox/thunderbird builds. Anyone looked at these yet?

2004-11-10 Thread dk
Eric Paynter wrote:
> I wonder why somebody would branch just to do performance improvements?
> Why not just work with the mozilla team and apply the changes to the
> source tree?

Well a cursory look at the forums suggests that there is indeed a
performance gain, and a bit of a following to these builds as well. I
gather then that it's a stability issue (etc) with the Official Mozilla
team not using his compiler flags, etc for optimization, which makes
complete sense in a number of areas (QA for one).
There are also suggestions by other posts [1] that he takes patches not
integrated into the "official builds", so I gather that he's adding to
the code himself in places. All of which is fine and dandy by me; the
guy looks respectful of Mozilla trademarks, (etc) and rather helpful in
providing this resource.
But as I couldn't find the source he compiles from, (post patches) or
work he's done /other/ than binary files -- it just smelled a bit funny.

> Or maybe I'm just a super paranoid security professional.

Nothing wrong with that now is there?  :)
[1]   http://www.moox.ws/forum/viewtopic.php?t=29
--
dk


[Full-Disclosure] Moox firefox/thunderbird builds. Anyone looked at these yet?

2004-11-10 Thread dk
Aside from all the (TM) issues with Mozilla I was wondering if anyone 
has scrutinized these builds from Moox?

http://www.moox.ws/tech/mozilla/
--
dk


Re: [Full-Disclosure] Beta Advisories

2004-07-08 Thread dk
System Outage wrote:
> I don't think it's garbage. I bring up a valid point here.  If you
> must, filter me out.. don't be lazy.
>
> This brings up the question of guidelines the OIS wish people to follow.
Gads *I* thought filtering your "old topic" ramblings for 24 hours would
be good enough. Move on and quit acting like a fscking troll already.
You obviously have some skill. Use it to evangelize your beliefs
instead of your droning words, they're only interesting to yourself.

shit.. I just fed you didn't I? Damn me.
--
dk


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-09 Thread dk
mark wrote:
> I found the fix for it.
> http://tinyurl.com/37p35

Failing that, there is always the old trusty:
http://www.fiftythree.org/etherkiller/
Which, like yours, is a holistic solution..
--
dk


Re: [Full-Disclosure] Breaking Laws Cisco's stolen code

2004-05-28 Thread dk
[EMAIL PROTECTED] wrote:
> Charlie...
> Put down the crack pipe and back away slowly.  You are surely not
> suggesting that this issue of Cisco's code has anything...at
> all...remotely...in common with the people and actions you
> listed...seriously...you're kidding...right??
>
> Bart Lansing
> Manager, Desktop Services
> Kohl's IT
> CONFIDENTIALITY NOTICE:
> This is a transmission from Kohl's Department Stores, Inc.
> and may contain information which is confidential and proprietary.
> If you are not the addressee, any disclosure, copying or distribution
> or use of the contents of this message is expressly prohibited.
> If you have received this transmission in error, please destroy it and
> notify us immediately at 262-703-7000.
>
> CAUTION:
> Internet and e-mail communications are Kohl's property and Kohl's
> reserves the right to retrieve and read any message created, sent and
> received. Kohl's reserves the right to monitor messages by authorized
> Kohl's Associates at any time
> without any further consent.

Wow.
Well Charlie's post was - at minimum - entertaining. Not to mention a 
bit thought provoking on where different peoples of similar ilk may take 
different turns on the morality (or duty) they apply to modern technical 
issues aside from what they are instructed to do by black-letter law. It 
also speaks to the wonder of issues we may have to face in the future 
with situations that indeed *will* have much in common with the souls 
mentioned. "We" always repeat the same old mistakes in each new venue we 
create. At some point laws & regulations should always be questioned; 
they don't just change themselves. These questions seem to come at the 
oddest times, over the oddest things sometimes...

Anyway: The body of his message was filled with interesting content. In 
the future, perhaps you might refrain from mocking messages that are at 
least shorter than your overly-broad, vague, fear-clad corporate 
boilerplate sig. Are you actually required by corp policy to include 
this most droll thing *every* time you send mail?

Gads, step away from the Memorial Day "Bonus Buys", get out of the 
cubicle and turn off the fluorescent lights. Go check out your 
reflection in a pond, go for a walk, stare at some fish Bart.

--
dk


Re: [Full-Disclosure] A rather newbie question

2004-05-03 Thread dk
Harlan Carvey wrote:

> While I think you have a point I also think Ethan has one too. It
> is important to remember that users are generally clueless and/or
> unconcerned with security. Of course I'm grossly generalizing but I
> think you get my point.
 Yes, I can agree with that...I do get the point. But who are the
 users? Say you're an admin at a law firm...if the users are supposed
 to be security-conscious (face it, a great many admins lack even the
 most rudimentary security awareness), then shouldn't the admins be
 required to have a law degree, also? How about a hospital...shouldn't
 each admin then have to have a medical degree?
Degrees? No. This is impractical for most business models. But to be 
motivated by the modern day necessity of user awareness and responsibility 
that comes with the power of our computing machines - definitely.

Barring that, they *must* be made aware of the risks they place on their 
organization by using technology that they can easily mishandle. If they 
feel this risk is acceptable, or even necessary given the current economic 
woes, then that is the CEO's or B.O.D's call. Our job is to make (and keep) 
them aware.

I admin a small Architectural Firm with a mix of OS's, mailservers, 
webservers, specialized applications, workstations, laptops, plotters, 
printers... etc... Basically anything that has electrons move through it I 
am expected to have knowledge of or at least have the number to someone who 
does (I don't do Copiers). I am also to create and manage the electronic 
document standards for the CAD applications and electronic document 
submittal, research new means and methods, etc, etc, on and on.

Point of my rambling here is: When I am not doing one of the above (My 
primary job description) I am fully expected to fill in for Architectural 
Design and do the job of a 1st or 2nd year Architectural Intern that has a 
4 year degree in Architecture. I do all of this, for less than 30k yr and 
neither possess a Degree in any of the Computer Sciences nor in any of the 
Architecture fields. (And for bonus points, if you carefully read my 
sentences you will see that I do not possess a Degree in English either! 
:)   ) I am never given time to research or practice the Architecture side 
of my job, but I am expected to do it to a degree FAR greater than most 
admins ask the users to educate themselves about "The Computer" or 
"Windows" when they have spare time.

I would love to trade shoes with them for a week and see how we'd both fare.

 I agree that harmless joking is fine...but I've seen instances in
 which that harmless joking became part of the admin's vocabulary,
 even in front of those same users.
Well I think this may come from the frustrations of the modern American 
Business outlook that the "Computer" is nothing but a big typewriter glued 
to a Fax machine that produces money when the right keys are pressed. And 
perhaps in part because most "Admins" are expected to fill many more shoes 
than the co-workers they support.

So I've called my users lusers for years to ease the frustrations that I 
must endure daily in slowly repeating attachment mantras, how to sync your 
palm, how to change your background, why the "internet" is broke on their 
laptop (hint: plug in the blue cable Boss).

If *I* handled myself in an equal but opposite manner in regards to my 
assumed "Architecture responsibilities", I'd be out of a job.

I just want that door to swing BOTH ways. Until then, they are the Lusers 
and I am the Long Haired Freak giving up another Sunday evening tweaking 
the Bayesian filter so sweet Edna over in Accounting can get her Amway 
newsletter.

But Edna ain't so sweet
when late is my timesheet,
or even incomplete.
:)

--
Dave


Re: [Full-Disclosure] stenagrophy software recommendations

2004-03-25 Thread dk
[EMAIL PROTECTED] wrote:

hi people
i'm looking for a very simple, reliable, small (certainly less than 1mb),
must-have gui, windows, steganographic encryption program. i'd appreciate
any recommendations.
thanks
xlop
If you're gonna go to the trouble of using steg, do it right. Drop the GUI, 
get a shell account and use steghide.

http://steghide.sourceforge.net/

--
Dave