Lynn closed his talk by directing the audience to his resume and asking if anyone could give him a job.

"In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."

Wired News: Cisco Security Hole a Whopper

"But when there is a Windows XP bug, it's not really a big deal," Lynn said. "You can still ship (data through a network) because the routers will transmit (it). How do you ship (data) when the routers are dead?"

Lynn decided to speak now, he said, because the source code for Cisco IOS was recently stolen for the second time, and he felt he could no longer remain silent.

"Can anyone think why you would steal (the source code) if not to hack it?" Lynn asked the audience, noting that it took him six months to develop an attack to exploit the bug. "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret."

Mike Lynn telling it how it is

Even more of Abaddon being up to no good.

Ok, A couple of things

-Fuck Cisco for buying off ISS to cancel the production.

-Fuck ISS for short changing one of there top researchers.

-Mike followed the "respected disclosure procedures." Cisco has known about this for months, and has been notifying top clients about on the down low.

-This is a full compromise of the IOS. Not simply a DoS.

-Fuck this "Illegally obtained information." IOS isn't encrypted. There was no DMCA violation. Its a closed proprietary system. Its a trade secret. Mike figured it out.

Abaddon, still up to no good.

Description: This bug appeared during a few experimentations with the TCP/IP stack after which we found out that it was not, at least it is not of our knowledge, found anywhere else before. That was actually a Solaris bug that resembles this one.

After an established connection, a specially crafted packet with the ACK/FIN flags set, a corrected Sequency Number but with an incorrected Acknowledge Number will trigger a massive flush of packages with zero size and only the ACK flag set. Ethereal logs showed that the keep alive state was occuring and this flow kept going for approximately 3 minutes and a few million packets. It was clearly observed that CPU and network performance was severed decreased due to this misbehave.

Potential attacks includes DoS and DDoS. Applications and services that depends on quality of services (QoS) such as H323 applications (VoIP) and video streamming will suffer dramatic performance downgrade.

Interesting looking presentation at Phreaknic this year.

TCP/IP Keep alive exploit presentation at Phreaknic

President Bush has created a new senior level position to fight global piracy and counterfeiting that cost American companies billions of dollars in lost sales each year, Commerce Secretary Carlos Gutierrez said on Friday.

This is the other shoe that I have been dreading since the DMCA adoption.

You might that that is dramatic, but it is also true. DMCA is the weapon that the RIAA and MPAA funded to build. So far courts have not wielded it as effectively as they would like. Bush has created an executive level office to track groups/scenes/technology down and stop them, using the DMCA was one of many weapons.

This person is a single injection point into the governmental process for the MPAA and RIAA. No more dealing with 10 or 100s of piddling representatives from different warring states. This is a focus point, a legitimate mouth piece to make industry desires government standards.

Don't be fooled by this "we really just want to stop China" crap. Yes, China is a growing market that Hollywood would love to get a piece of. Piracy is exposing a whole generation of people to Hollywood franchises and culturing a desire for American goods that we will not be able to capitalize on for 10+ years. China is not hurting Hollywood, China is marketing goldmine that *fell* into Hollywood's lap.

This new post's near term goals will be recommendations/modifications of government mandidated standards for things like HDTV, IPTV, and DRM with as dash of next generation digital IP policy making. Its goals will be to protect MPAA/RIAA IP, while not losing control to the hardware vendor's *cough*Microsoft's*cough* wet dreams of set top box required to view the new generation of digital content.

Its all a question of how effective this post can be (drug czar anyone?), and if this new industry mouthpiece has anyone's ear at all.

The Other shoe: The Anti-piracy czar

teh h4x0rs R 3vi1!

Penny Arcade on GTA fluff

Apple Computer recently held discussions with major recording companies, seeking to license music videos to sell through the company’s iTunes Music Store, according to a report in Monday’s edition of The Wall Street Journal.

The talks are a possible prelude to a version of Apple’s hit iPod music player that plays video — a version of the gadget that the Journal says the Cupertino, Calif., computer and electronics company has told some entertainment-industry executives could be unveiled by September.

Hell yeah!

Apple in talks to introduce videos to iTunes - Tech News & Reviews - MSNBC.com

-----Original Message-----
From: First Last [mailto:c01n0p@yahoo.com]
Sent: Sunday, July 17, 2005 11:50 AM
To: pen-test@securityfocus.com
Subject: list of address that you don't want to scan

FYI...

Original site link -
http://professionalsecuritytester.com/modules.php?name=News&file=article&sid=70

IP address you should NOT scan
Posted by cdupuis on Thursday, April 01 @ 09:38:09 CST Contributed by cdupuis

The Government Security website at
http://www.governmentsecurity.org has produced a nice list of IP address you should be aware of as a tester.
They are mostly government agencies addresses and could quickly get you in trouble if you would scan them by mistake.

Click on Read More... below see the whole list

Enjoy!

Clement

--------------------------------------------------------------------------------
With kindly thanks to Mountainman, the list of dangerosly ranges is updated again!!!
-------------------------------------------------

RANGE 6
6.* - Army Information Systems Center

RANGE 7
7.*.*.* Defense Information Systems Agency, VA

RANGE 11
11.*.*.* DoD Intel Information Systems, Defense Intelligence Agency, Washington DC

RANGE 21
21. - US Defense Information Systems Agency

RANGE 22
22.* - Defense Information Systems Agency

RANGE 24
24.198.*.*

RANGE 25
25.*.*.* Royal Signals and Radar Establishment, UK

RANGE 26
26.* - Defense Information Systems Agency

RANGE 29
29.* - Defense Information Systems Agency

RANGE 30
30.* - Defense Information Systems Agency

RANGE 49
49.* - Joint Tactical Command

RANGE 50
50.* - Joint Tactical Command

RANGE 55
55.* - Army National Guard Bureau

RANGE 55
55.* - Army National Guard Bureau

RANGE 62
62.0.0.1 - 62.30.255.255 Do not scan!

RANGE 64
64.70.*.* Do not scan
64.224.* Do not Scan
64.225.* Do not scan
64.226.* Do not scan

RANGE 128
128.37.0.0 Army Yuma Proving Ground
128.38.0.0 Naval Surface Warfare Center
128.43.0.0 Defence Research Establishment-Ottawa 128.47.0.0 Army Communications Electronics Command 128.49.0.0 Naval Ocean Systems Center 128.50.0.0 Department of Defense 128.51.0.0 Department of Defense 128.56.0.0 U.S. Naval Academy 128.60.0.0 Naval Research Laboratory 128.63.0.0 Army Ballistics Research Laboratory 128.80.0.0 Army Communications Electronics Command 128.98.0.0 - 128.98.255.255 Defence Evaluation and Research Agency 128.102.0.0 NASA Ames Research Center 128.149.0.0 NASA Headquarters 128.154.0.0 NASA Wallops Flight Facility 128.155.0.0 NASA Langley Research Center 128.156.0.0 NASA Lewis Network Control Center 128.157.0.0 NASA Johnson Space Center 128.158.0.0 NASA Ames Research Center 128.159.0.0 NASA Ames Research Center 128.160.0.0 Naval Research Laboratory 128.161.0.0 NASA Ames Res... [ Read More (4.7k in body) ]

Both robots understand voice commands as well as recognise faces and gestures. They can select music or movies on an LCD screen, make appointments or read the weather to you. Ok, that's more than a remote can do.

Despite all the hoopla, Philips is still fine-tuning the technology, which at this moment fails to invoke an emotional bond with the user and exhibit a "personality". During demonstrations, iCat didn't always listen, or began to repeat itself, all things remotes won't luckily do. For the time being, Philips only sells these platforms to universities and research labs.

Robots are 1337

Ditch the remote, get a robot | The Register

After talking with Acidus the other day about Napster's revamped format, it occured to me that some common misgivings are present where their download policy is concerned. I present them for your review because I have found their service to be useful and more content-rich than iTunes in addition to having some interesting features.

Background: I skipped downloading more than about 10 songs a quarter because I hardly ever found what I wanted on the "Top 40" flavor of iTunes. I asked around about Napster, and most everyone was under the impression that the monthly fee only allows you to rent songs playable only on your PC, after cessation of which your access to the music ends. This is true, but this is only one method of accessing Napster's motley library and you are actually allowed to access your account and downloaded tracks on up to 3 PCs w/ Napster's software.

The Rest of the Story: The other two ways you can access music include a non-monthly fee, $.99 download service similar to iTunes or a slightly higher monthly fee ($14.95 vs $9.95) which allows you all the comforts of regular Napster plus unlimited downloading to a Napster approved player of which my H320 iRiver just happens to be. If you want to burn the songs to CD, however, you have to pay $.99/song no matter which of the three versions you have. It just depends on if you want to listen to full-length tracks before downloading and access downloaded tracks on up to 3 PCs (Napster), that plus transfer to portable players (Napster To Go), or just buy music for your library to keep forever (Napster Light).

Cool Stuff: The coolest thing about Napster is the ease of use. The GUI is clean and intuitive and you can easily access other users' libraries and find stuff that "you will like if you like Band X". Also, Napster's built-in recommendation agent seems pretty on target.

Unclear: I can't tell yet whether tracks downloaded through Napster To Go and transferred to my iRiver will remain playable after my membership ends. They secretively allude to expiration software built into the tracks, but I'm curious if it goes so far as to expire in a Mission Impossible this-message-will-self-destruct-in-five-seconds takeoff. I also am suspicious that not all songs will be transferrable and that I will have to pay in addition to the higher monthly fee in order to transfer songs to my iRiver.

Conclusion: The whole thing is damn well complicated and exaccerbated by the horrible explanation on Napster's FAQ. What few gritty details they provide are on the FAQ which is passably organized at best. I am also angered by the fact that you pay a monthly fee for the priveledge of basically listening to a full track before downloading. Otherwise, to play it on your PC, transfer to MP3 players or CDs, or just to keep the songs forever, you [seemingly] have to pay $.99/song regardless of your membership type.

Verdict: Membership on Napster is only really worth it if tracks transferred through Napster To Go are available to you forever on your MP3 player as an unprotected song that you can play in Winamp later on. I'll know soon enough when I cancel my one week free trial tomorrow. Even if they aren't available on your portable player, I may just switch to the $9.95 version if I determine that browsing member's collections turns out to be an efficient way to find stuff I haven't heard before. All in all, membership seems like an awfully expensive way of finding something that hasn't been Clear Channel sanitized.

-janelane, fuzzily

Napster: A User's Review