Archive for March, 2006

Misconfigured!!!1!

Tuesday, March 28th, 2006

This is hilarious and just goes to show you how ineffective some of the people we vote into office can be. Article here.

“Get this web site off my home page!!!!! It is blocking access to my
website!!!!~!,” Taylor responded, clearly excited about the situation and
sensing that Bin Laden was near.
[…]
“I am computer literate! I have 22 years in computer systems engineering
and operation. Now, can you tell me how to remove ‘your software’ that you
acknowledge you provided free of charge? I consider this ‘hacking.'”

The tilde is a nice effect, but where are the 1’s?

And to think that we elect some of these incompetent weenies into office. To explain it more clearly, it’s like this city manager opening up microsoft internet explorer to see it automatically opening up www.msn.com. My favorite part is where he realizes that he is wrong, but STILL does not accept blame. In fact, he STILL places the blame on CentOS developers even though it was the city’s internet service provider that was at fault…even though the CentOS developer had went out of his way to help the city manager.

TEH HAX0R3D!!!!11…wait….TEH HAX0R3D!!~!!~!~~~~!!!!

Sendmail flaw

Monday, March 27th, 2006

A new flaw in Sendmail has been announced, but apparently it’s very difficult to exploit. From the web site (rapturesecurity.org) that first reported the Proof of Concept code and instructions:

—snip—
step 1)
connect to sendmail server say something like
helo me\r\n
mail from: myemail@hotmail.com
rcpt to: root data

step 2)
wait for server to say go ahead
send about 32767 characters inside a header
note what time it is

step 3)
wait until you get:
451 4.4.1 timeout waiting for input during message collect

step 4)
note what time it was when that message happened

step 5)
youll be dropped back into smtp command mode, now there is a static pointer inside sm_syslog thats your attack vector, youll need to recreate the collect timeout and race into sm_syslog
resend the helo crap

step 6)
wait for server to say go ahead
send about 32767 characters inside a header
and wait the time delta from the earlier 2 measurements

step7)
send more header data (so that its now greater than 32768 bytes)

hopefully sendmail will now race and crash inside sm_syslog because:
a) we just sent sendmail into sm_syslog due to the fact that we sent > the max amount of header data
b) we have a timeout (SIGALARM, longjmp thingy) that should be pending about the same exact time that we entered sm_syslog
—/snip—

Also posted is a Proof of Concept to test if you are vulnerable. This needs a lot more work, and is not an exploit, but is a start:
http://rapturesecurity.org/jack/sendmail_tester_thingy.tar.gz

Quote of the week: March 27th

Monday, March 27th, 2006

“I never let my schooling get in the way of my education.” — Mark Twain

IRS to allow tax preparers to sell of YOUR information?

Friday, March 24th, 2006

I am worried about someone with my same name trying to pass their credit card debt off on me

This isn’t really much of a problem if you keep an eye on your credit reports. If something shows up that isn’t yours, force the credit reporting agency to verify the entry. They’ll try to avoid doing this because its troublesome for them and they don’t really care if the info is right or not (as long as is right enough across millions of people to be useful to businesses). Force them to actually verify with the reporting creditor. If they verify it, contact that creditor (Via mail) and force them to verify that the debit is yours. They’ll try to get out of that too, and may send you improper verification. Keep after them and force them to send proper verification and proof that they are authorized by the original creditor to collect the debit. If the debit is not yours, at this point you win.

Details about these processes and the laws that make them work can be found on the creditboards.com forums. In particular read about “Debit Verification” and the “The One-Two Punch”. These are extremely effective techniques for getting inaccurate items off your credit record (or getting rid of reports from debit collectors who are not properly authorized to collect valid debits).

FBI soon to get access to email

Wednesday, March 22nd, 2006

Welcome to 1995, FBI!

http://www.cnn.com/2006/LAW/03/20/fbi.email.ap/index.html?section=cnn_topstories

While I can understand security concerns, they’re saying “As ridiculous as this might sound, we have real money issues right now, and the government is reluctant to give all agents and analysts dot-gov accounts,”.

Oh please! They can’t afford a server dedicated to email? For 2,000 email accounts, they could buy a couple of the nicer desktops you can buy at Best Buy, throw Linux and Postfix on there and enable SSL for SMTP so there’s encryption of the messages and/or use a PGP key. All for the cost of two standard desktops.

Yet, the “Patriot Act” allows the FBI to tap into email. That’s like saying “Ok, we know you’re like only 10 years old and stuff, but we’re passing a bill to force you to drive a car”. Next thing you know, they’ll make rock, scissors, paper a freakin sport! Oh wait…they have

So let me get this straight – $9 billion goes missing in Iraq, the war has cost US taxpayers about $250 billion so far, oil companies have record profits, our national debt ceiling was raised to $9 trillion and we can’t afford to supply email to the FBI? That and I’ll bet most of us would like an employer who told us by the end of the year to get 2000 email accounts set up.

On the bright side, all FBI agents are certified in morse code and at least half of them have some training in semaphore and the next highest placing class out of quantico will be introduced to the fancy new ‘telephone’ that is rumored that a guy name Alexander Graham Bell has perfected.

One billion

Tuesday, March 21st, 2006

The next time you hear a politician use the word “billion” in a casual manner, think about whether you want the “politicians” spending your tax money.
A billion is a difficult number to comprehend, but one advertising agency did a good job of putting that figure into some perspective in one of its releases.

– A billion seconds ago it was 1959.

– A billion minutes ago Jesus was alive.

– A billion hours ago our ancestors were living in the Stone Age.

– A billion dollars ago was only 8 hours and 20 minutes, at the rate our government is spending it.

While this thought is still fresh in our brain, let’s take a look at New Orleans – It’s amazing what you can learn with some simple division.

Louisiana Senator, Mary Landrieu (D), is presently asking the Congress for $250 BILLION to rebuild New Orleans.

Interesting number, what does it mean?

Well, if you are one of 484,674 residents of New Orleans (every man, woman, child), you each get $516,528.

Or, if you have one of the 188,251 homes in New Orleans, your home gets $1,329,787

Or, if you are a family of four, your family gets $2,066,012.

Washington, D.C. are all your calculators broken? WTF?!

Maybe everyone should just flood their houses, then we can all be on the “big easy” street for the rest of our lives, and forget about working, and paying taxes and all that useless stuff!

Quote of the week: March 20th

Monday, March 20th, 2006

if [ $caller==BOSS ]
then
$call >> /dev/null
fi

Senators bringing up .xxx domain…AGAIN

Sunday, March 19th, 2006

Well, here we go again – and once again, here’s my stance on the whole .xxx idea:

– “Harmful to minors” is in the eye of the beholder. It is unconstitutional for a law to be vague, since it means people can’t know if they’re breaking the law or not. Is a warez site “harmful to minors” since it corrupts their morals? How about frank discussions of wartime atrocities? Sites that debunk Santa Claus?

– This particular proposed law would require, for instance, websites for crappy teenage hijinks movies (Dukes of Hazard, etc) to use the .xxx domain. Basically, anything sexual that has no artistic or social merit gets taggede

– Laws like this impringe on adults’ rights to free speech. Have a blog where you share your innermost thoughts? Hosted on a .com? Write about the hot sex you had last night, get fined (or go to jail).

And, of course, in addition to the blatant unconstitutionality, there’s the fact that it’s pointless: .com is an international domain.

The only solution for this kind of thing is a .kids type domain, where only content that meets certain criteria is allowed in. Trying to regulate the entire world’s speech in the .com domain “for the children” is a bad idea, totally unconstitutional, and ultimately doomed to failure anyway, since .com is an internataionl domain.

Then thinking logically about this, let’s look at it the other way around. The government has harmed more minors than any pedophile on the planet:

– They wont pass national healthcare, so millions of children do not have healthcare.

– They do not properly fund education, thus hurting millions of children

– They allow corperations to dictate our country and outsource jobs at an alarming rate, thus putting the parents of children out of work, thus taking away any healthcare they had. (if they had any)

– They send the children of parents off to die in an illegal war, started by the criminals that run our country. Bush, Cheney, Wolfiwitz, Rove, Powell, Delay, Abramof, Frist, Santorem, hatch, Leiberman, Kerry, and countless others. The ones that survive come back seriously injured and need special care their entire lives…which the government fails to provide.

Yes, they most certainly do hurt far more children than all the pedophiles on the planet combined. I’m not saying that porn something that should be mainstream, but come on. This is one of the worst parts of our American culture. Killing people is glorified but OH CHRIST DON’T LET ANYONE BE SEEN MAKING LOVE!

Notice to posters/commenters

Sunday, March 19th, 2006

Just an FYI as I have received a couple of emails regarding posts and comments.

Most posts/comments are manually “allowed” to be posted – in other words, I moderate all comments that go through. Not to stifle “free speech” or anything like that, it’s to prevent blog spamming. I was moderating anywhere from 40 to 70 blog spams per day until I applied a filtration system. Now the spam has increased quite a bit, however, until I get it working to prevent 99% of all spam, I will be manually moderating comments.

Basically, if your comment doesn’t show right away, don’t freak. Give it up to 12 hours (or so) to post. Yes, your post went through, it’s just in the moderation que 😉

If you have a new post to add and are a registered user, save it as a draft, and I’ll approve it for posting within 12 hours (or so).

Democrats promise broadband for all if elected

Saturday, March 18th, 2006

Link here.

Let’s see….

1) The Dept. of Homeland Security fails security tests on all counts.
2) The CIA and FBI are still suffering from bureaucratic management that has crippled field operations.
3) We’re stuck in Iraq with no easy way out.
4) Spending is wildly out of control, and no, not even getting rid of the Bush tax cuts would fix this and our economy cannot handle higher taxes at this point.
5) Our borders are out of control.
6) Jobs are being lost to countries with lower taxes and regulations.
7) Inflation is killing the dollar.

And all the Democrats can come up with at this point is the 21st century equivalent of bread and circus for the middle and upper classes. But wait, it’s “for all Americans…” so that makes it more important than having the basic security we need to protect ourselves like forcing all state governments to actually do background checks on their drivers’ licenses. Know why port security is so bad? DHS recently did a study that showed that thousands of the drivers going into the ports were illegal aliens or convicted felons. How did they get there? The states were too politically correct to do anything because that might offend the Hispanic citizens that actually want to be confused for illegal immigrants or the potential fradulent voter base of illegals that both parties court.

This is why the Democrats are out of power. They have even less national security credentials than the Republicans, and their domestic ideas amount to blatant acts of prostitution like this. This is also why I’m not voting Democrat OR Republican in the next presidential election. If Bush can barely bring himself to make a serious attempt on certain aspects of security, then how can we expect someone like Kerry to do any better? The last election, believe it or not, was decided primarily by voters concerned by national security, not morality or domestic spending.

This proposal, if enacted, would only end up being one of two things. A huge, wasteful government agency that destroys market competition by being cheaper through subsidies, or a major, almost unprecedented corporate welfare package the likes of which should make any good leftist scream in outrage. It’s going to cost a lot of money to wire up all of those small towns around America, especially in the areas outside of the coastal parts of America. It’ll cost a hell of a lot of money to wire up places like Montana or the Dakotas where the population is spread so thin.

If they actually do this, here’s what will happen (and the same would happen no matter who is in power):

1. They pass the bill for the program with about 50 riders on it. Result: Plans for broadband Internet start and vendors in the districts of the senior politicians that proposed and passed this bill get no-bid contracts for networking equipment, which they sell for 10x the market rate. Also, somebody gets a statue, a fish pond, and a bridge to nowhere in their district.

2. The funding bill for the Intrenet program gets passed, but this time with 100 riders. The *AAs get a rider that mandates TCPA, HDCP, and whatnot because their lobbyists had to be bought off so that the funding could pass and make the incumbent party look good for getting it passed. Oh, and there are still many “regular” $1000 toilet seat pork-barrel deals in this bill too.

3. The telecom companies sue the government for billions for unfair competition. The project is tied up for five years while this happens and a bunch of lawyers get rich. The outcome is that the tiered Internet proposal by BellSouth is allowed in exchange for the public broadband. The public broadband is also limited to 256K by the settlement as to not compete directly with BS and the other monopoly data providers.

4. The project gets completed ten years late at ten times the original cost. Most of us are on 20Mbps+ fiber at that time and few use the public 256K broadband. The project still gets hundreds of millions in funding every year even though it is almost never used.

Again, I’m not voting Democrat OR Republican in the next election – it’s like choosing the lesser of two evils. Not good.