"It's essentially a matter of physics..." -- Donald Rumsfeld, Secretary of Defense

Redmond | News: Opinion: Thanks, Mike Lynn -- Thanks for Nothing
Topic: Computer Security
5:35 pm EDT, Aug 11, 2005
Mike Lynn is being hailed in some quarters as a hero, but I don't buy it. I'm sure his heart was in the right place when he discussed a serious vulnerability in Cisco routers at the recent Black Hat USA conference, and his courage in quitting his job, rather than be censored by Cisco and his own employer, is admirable. But that still doesn't make what he did right. My main concern is that now, hackers are working overtime to figure out how to break into these routers and wreak their havoc. Here's what Brian Krebs, the Washington Post's excellent computer security reporter, said in a blog from the conference:
And Keith Ward is a douche-rocket.

ONLamp.com: A Simpler Ajax Path
Topic: Technology
5:38 pm EDT, Aug 9, 2005
Nice article on O'Reilly about writing AJAX apps (which are interactive web programs like Google Maps). Walks you through an example.

Topic: Recreation
4:46 pm EDT, Aug 9, 2005
Have you ever noticed that the people who go to the extreme of customizing their $100,000 cars with the biggest and most blinged out wheels, custom alligator skin interiors, and even steering wheels encrusted with diamonds always seem to have the same 12" woofers as the 16 year-old kid down the street? For these people, the word "excess" doesn't cross their minds when it comes to customizing their car. So, MTX has crafted an all new, 22" SuperWoofer for anyone who's got what it takes to go to the extreme: the MTX Audio JackHammer T9922.

The bling of the boom. 22" woofers, baby. Takes 6,000W RMS power to run these babies. Who cares if you can still hear when you're 80; it's all about the NOW.
MTX Jack Hammer

Mike Lynn's 'exploit', in plain (non-technical) English
Topic: Technology
9:51 am EDT, Aug 2, 2005
There has been an almost unbelievable amount of hubbub lately about the research that Mike Lynn gave a demonstration of at the BlackHat conference last week, and there's been a positively dizzying amount of "spin" applied to the media. Let me say one thing to everyone reading this, right up front. What Lynn uncovered is a serious issue, probably actually more serious than what the media is making it out to be. While coverage on the issue is good (and useful to both "sides") the lack of actual accurate reporting on the issue isn't helpful to anyone. Part of the problem is that apparently, outside of the list of BlackHat attendees, there aren't that many people running around who truly understand what Lynn's research uncovered. Lynn did not reveal an "exploit" in the usual sense. In fact, Lynn of his own volition has been playing his cards fairly close to his chest on this, and omitted most of the technical details of the problem from his presentation in order to assure that no one would be able to easily "follow in his footsteps". Lynn, it can safely be said, was scared by what he discovered--scared enough that he has risked his livelihood not once but twice in order to be sure that, should the technical aspects of what he's found not be resolved before someone with less respect for the continuation of the Internet figures it out for themselves, the network and security administrators of the world will have had time to take some steps to reduce the amount of damage done. It can no longer be thought of as a sure thing that just because a particular vulnerability could "break the Internet" no one's going to try it just to see if it's really true. We have a rather excellent example in recent history that pretty much everyone is aware of by now... the MS Blaster worm which raged around the Internet wreaking rather unprecedented havoc. Pretty much everyone on the Internet was either personally affected by this, or knows someone who was.

Blaster made use of a vulnerability that had become rather common knowledge by the time it was released, but had already been known to many security professionals for months. The real problem that made things so painful and propagation of Blaster so widespread, was that for those months, Microsoft had been actively denying that there was ever a problem until Blaster forced them to admit it. Had system administrators been made aware of the issue and the meager steps needed to impede the spread of Blaster (which everyone implemented in a white-hot hurry once their networks were figuratively ablaze) the damage could have been much less indeed. Cisco is not helping the issue, or I should say, Cisco's lawyers are not helping the issue. Cisco makes some really awesome products, and their technical people can't really be faulted for this one technical flaw. The problem is that Cisco's lawyers are convinced that public knowledge of a serious issue ...

Mike Lynn is a Whistleblower, he should be protected
Topic: Computer Security
10:12 pm EDT, Jul 28, 2005
The EFF should support Mike Lynn in his defense against ISS and Cisco. If security researchers are not protected as Whistleblowers when they uncover major flaws, our critical communication infrastructure will be at serious risk. These are the Good Guys. Mike has taken on enormous personal risk to do the right thing.

So far, the general impression in the blogs is that he is doing the right thing. The mainstream media coverage has been good as well. This is a departure from the past, and a good one at that. The headlines contain words like "Whistleblower" and "Coverup". It is quite ironic that Cisco & ISS are taking the "Intellectual Property" tactic. Just to add some irony to it, here is a post of Mike Lynn here on MemeStreams proving CherryOS stole OSS code from the PearPC project:

just in case anyone didn't believe them already here goes the analysis (I do this sort of thing for a living) first off CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...its not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good) so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so its easiest to just attach after its loaded)... the eula for this thing says its a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here...

I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output...

The only way we can fault Mike's research is with petty things like not consistently using upper case letters in his posts. The technical end of his work is flawless. Both Cisco and ISS are attempting to spin Mike's research and make it look incomplete, but the truth of the matter is he demo'ed his technique in front of a room of people, and no one has found fault with it. If this tactic continues, it will approach a very transparent form of character assassination. It will backfire on Cisco. In the field of Security Research, Whistleblowing has always been a controversial issue. It is not a black and white thing. This article at CNET covers a number of the issues with disclosure of security problems that often come up. If you compare the ideas expressed in the article with what Mike actually did, you should come away thinking that Mike handled this ethically.

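Lynn's remark that packing defeats a plain strings pass is the observation a defender would automate when triaging an unfamiliar binary. The following is an added example, not code from this post or from Lynn's analysis: it scores a byte blob on byte entropy and printable-string density, the two cheap signals that separate a packed image from an ordinary one; the sample images, thresholds and function names are constructed here as assumptions.

```python
"""Heuristics for spotting a packed executable image (added example)."""
import hashlib
import math
import re


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or obfuscated (packed) code approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 8) -> list:
    """Mimic `strings`: maximal runs of at least min_len printable ASCII bytes.
    The default is above the tool's 4 because random bytes yield many short
    printable runs by chance, which would mask the absence of real symbols."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def strings_per_kib(data: bytes) -> float:
    return len(extract_strings(data)) / (max(len(data), 1) / 1024)


def is_likely_packed(data: bytes, entropy_min: float = 7.2, strings_max: float = 4.0) -> bool:
    """Flag an image that is near-random AND nearly free of readable strings
    (thresholds are assumptions; tune them against a corpus of known-good binaries)."""
    return shannon_entropy(data) >= entropy_min and strings_per_kib(data) < strings_max


def pseudo_random(n: int, seed: str) -> bytes:
    """Deterministic filler standing in for compressed/obfuscated code."""
    out = b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(n // 32 + 1))
    return out[:n]


def make_samples():
    """Constructed stand-ins: a 'plain' image carrying readable symbol names,
    and a 'packed' image of the same size carrying none."""
    parts = [b"\x00" * 16 + f"ppc_cpu_init_{i}".encode() + b"\x00" + pseudo_random(8, f"pad{i}")
             for i in range(64)]
    plain = b"".join(parts)
    packed = pseudo_random(len(plain), "packed")
    return plain, packed


if __name__ == "__main__":
    for name, blob in zip(("plain", "packed"), make_samples()):
        print(f"{name}: entropy={shannon_entropy(blob):.2f} "
              f"strings/KiB={strings_per_kib(blob):.1f} packed={is_likely_packed(blob)}")
```

On the constructed samples the plain image scores well under 6 bits per byte with dozens of strings, while the packed image scores near 8 with almost none; as Lynn notes, recovering the strings from a real packed binary means letting it unpack itself in memory first.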
Topic: Physics
6:21 pm EDT, Jul 28, 2005

Going into physics was the biggest mistake of my life. I should've declared CS. I still wouldn't have any women, but at least I'd be rolling in cash.

Okay, science is still funny.
Kovar/Hall

onegoodmove: Bush Flips Out
Topic: Events in Washington D.C.
6:15 pm EDT, Jul 28, 2005

Bush Totally Flips Out!

Wired News: Cisco Security Hole a Whopper
Topic: Computer Security
3:19 pm EDT, Jul 28, 2005

Wired just posted the best article so far. Here are some of the highlights:

Lynn likened IOS to Windows XP, for its ubiquity. "But when there is a Windows XP bug, it's not really a big deal," Lynn said. "You can still ship (data through a network) because the routers will transmit (it). How do you ship (data) when the routers are dead?"

"Can anyone think why you would steal (the source code) if not to hack it?" Lynn asked the audience, noting that it took him six months to develop an attack to exploit the bug. "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret."

"There are people out there looking for it, there are people who have probably found it who could be using it against either national infrastructure or any enterprise," said Ali-Reza Anghaie, a senior security engineer with an aerospace firm, who was in the audience.

During his talk, Lynn demonstrated an attack in real time using his own router, but did not allow the audience to see the steps. The attack took less than a minute to execute.

"In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."

Topic: Science
4:01 pm EDT, Jul 27, 2005

flynn23 wrote: This week's episode of scienceNOW is probably the best yet. Hydrogen fuel cells. Supercomputing art projects. And proof of global warming!

I caught this show sans TiVo and it was in fact fantastic.
RE: NOVA scienceNOW