Quasi.dot

What’s your “Go-to” Joke? | The Best Article Every day

2012-02-02T11:18:00.001+01:00

What’s your “Go-to” Joke?
Collected by reddit
There were two sisters, one called Petal and one called Fridge. One day, Petal asks her parents, “Why did you call me Petal?” and they replied “Because when you were a baby, a petal fell on you.” And then Fridge says “bllaaarrarararraraaarg”.
A man goes to the doctor for his annual check-up, and the doctor tells him, “You need to stop masturbating.”
The man asks, “Why?”
The doctor replies, “Because I’m trying to examine you”
A polar bear walks into a bar, sits down and order a “Bicardi and………………………………………… cola”
Bartender asks, whats with the huge pause??? Polar Bear says “These? Born with’em….”
A horse walks into a bar. Several people get up and leave because they realize the potential danger of the situation.
Three nuns are sitting on a park bench. Then a man comes up and exposes himself to them. Two of them have a stroke. But the third one couldn’t reach.
What did the buffalo say to his son when he dropped him off at school? …….Bison.
Two whales walk into a bar. The bartender asks them what they want.
The first whale replies: WOOOOOOWWWWWW WOOOOOOOEEEEEEEEEEE WOAAAAAAAAAAHHHHHHHHHHHH OOOOOOOOOOOOOOOOOOOOOOAAAAAAAAAAAAA WOOOOO
The second whale says: “Frank, you’re drunk”.
A man sits down at a bar and says to the bartender: “I bet you 300 dollars that I can piss into the cup all the way over there on the other side of the bar and not miss a single drop.”
The bartender said: “There is no way you can do that. Sure, I’ll bet you 300 dollars.”
The man then begins to undo his pants and begins pissing. He starts pissing all over the bar, the bottles, the floor and the bartender, not making a single drop in the cup.
The bartender starts laughing and says: “You fucking idiot! You owe me 300 dollars!”
The man gets up and walks over to the pool table and starts laughing and shaking hands with the men standing there. He walks back to bar laughing, sits down and hands the bartender the $300 dollars.
The bartender asks: “Why are you laughing? You just lost the bet.”
The man said: “I’m laughing because I bet those guys over there one thousand dollars that I could piss all over you and your bar and not only would you not be mad, you’d be happy about it.”
Why does Santa have such a large sack? Because he only comes once a year! Kids love that joke
A magician was walking down the street, then he turned into a grocery store.
An old lady at the bank asked me if I could help her check her balance. So I pushed her over.
A lady walks into a bar and sees a really cute guy sitting at the counter. She goes over and asks him what he is drinking.
“Magic Beer”, he says
She thinks he’s a little crazy, so she walks around the bar, but after that there is no one else worth talking to,goes back to the man sitting at the bar and says,”That isn’t really Magic Beer, is it?”
“Yes, I’ll show you.” He takes a drink of the beer, jumps out the window,flies around the building 3 times and comes back in the window.
The lady can’t believe it: “I bet you can’t do that again.”
He takes another drink of beer, jumps out the window, flies around the building three times, and comes back in the window.
She is so amazed that she says she wants a Magic Beer, so the guy says to the bartender, “Give her one of what I’m having.”
She gets her drink, takes a gulp of the beer, jumps out the window, plummets 30 stories, breaks every bone in her body, and dies.
The bartender looks up at the guy and says, “You know, you’re a real asshole when you’re drunk, Superman!”
My favorite knock knock joke from The Office.
‘Knock Knock”
“Who’s there?”
“The KGB”
“The KGB wh–” SLAP
“We are the ones asking the questions!”
What did batman say to robin before they got into the car?
Robin! Get in the car!
I have this horrible joke from like middle school about some fruit going up your ass. It’s so stupid, but every time I tell it I start laughing so hard I tear up. It’s embarrassing honestly. And it’s kind of vulgar, so it never seems appropriate.
Edit: Added joke, thanks to request + downvotes. Found it online!
Three men who were lost in the jungle were captured by cannibals. The cannibal king told the prisoners that they could live if they pass a trial.
The first step of the trial was to go to the forest and get ten pieces of the same kind of fruit. So all three men went separate ways to gather fruits. The first one came back and said to the king, “I brought ten apples.” The king then explained the trial to him.”You have to shove the fruits up your butt without any expression on your face or you’ll be eaten.” The first apple went in… but on the second one he winced out in pain, so he was killed. The second one arrived and showed the king ten berries. When the king explained the trial to him he thought to himself that this should be easy. 1…2…3…4…5…6…7…8… and on the ninth berry he burst out in laughter and was killed.
The first guy and the second guy met in heaven. The first one asked, “Why did you laugh, you almost got away with it?” The second one replied,”I couldn’t help it, I saw the third guy coming with pineapples.”
Two antennas meet on a roof and fall in love. The wedding wasn’t much but the reception was excellent.
Why don’t blind people skydive?
It scares the hell out of the dog.
What do you call a fake noodle?
An impasta.
Nice try Carlos Mencia
Not mine, but a coworkers.
My two lesbian neighbours got me a Rolex for my birthday. They misunderstood when I said “I wanna watch.”
He’s been telling this since Christmas.
Lady goes to her doc.
“Doc, I have quite the problem. I can’t control my gas. All day long I’m farting and farting. The only good news is they are the ‘silent but deadly’ type.
The Doc pauses for a moment and replies, “first let’s get you fitted for a hearing aid.”
A guy walks into a bar, orders six jägermeister shots.
The bartender asks him if it’s a special occation?
The guy answers “yes indeed, my very first blowjob”.
The bartender gets excited and says “Congratulations, I’ll give you the seventh shot on the house”.
The guy answers “Nah, if six jäger shots isn’t enough to get rid of the taste, the seventh wont make much of a difference”.
A man is sitting at the bar when he notices a beautiful woman walk in and sit down at a table across the room. After 30 minutes the man finally builds up enough courage to walk up to her and offer her a drink, but before he can finish his sentence she yells “NO I WILL NOT HAVE SEX WITH YOU!”. Confused and embarrassed, the man quietly returns to his seat while the rest of the bar stares at him. Shortly after the woman approaches him and says “I’m sorry to yell at you like that. You see, I’m a grad student and I’m studying peoples reactions to embarrassing situations”. The man shouted “WHAT DO YOU MEAN 200 DOLLARS?!”
What’s the hardest part of eating a vegetable? The wheelchair

via bspcn.com

Understanding the bin, sbin, usr/bin , usr/sbin split

2012-01-27T22:50:00.001+01:00

Understanding the bin, sbin, usr/bin , usr/sbin split

Rob Landley rob at landley.net
Thu Dec 9 15:45:39 UTC 2010

Previous message: Applet for detecting the filesystem type.
Next message: Understanding the bin, sbin, usr/bin , usr/sbin split
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tuesday 30 November 2010 15:58:00 David Collier wrote: > I see that busybox spreads it's links over these 4 directories. > > Is there a simple rule which decides which directory each link lives > in..... > > For instance I see kill is in /bin and killall in /usr/bin.... I don't > have a grip on what might be the logic for that. You know how Ken Thompson and Dennis Ritchie created Unix on a PDP-7 in 1969? Well around 1971 they upgraded to a PDP-11 with a pair of RK05 disk packs (1.5 megabytes each) for storage. When the operating system grew too big to fit on the first RK05 disk pack (their root filesystem) they let it leak into the second one, which is where all the user home directories lived (which is why the mount was called /usr). They replicated all the OS directories under there (/bin, /sbin, /lib, /tmp...) and wrote files to those new directories because their original disk was out of space. When they got a third disk, they mounted it on /home and relocated all the user directories to there so the OS could consume all the space on both disks and grow to THREE WHOLE MEGABYTES (ooooh!). Of course they made rules about "when the system first boots, it has to come up enough to be able to mount the second disk on /usr, so don't put things like the mount command /usr/bin or we'll have a chicken and egg problem bringing the system up." Fairly straightforward. Also fairly specific to v6 unix of 35 years ago. The /bin vs /usr/bin split (and all the others) is an artifact of this, a 1970's implementation detail that got carried forward for decades by bureaucrats who never question _why_ they're doing things. It stopped making any sense before Linux was ever invented, for multiple reasons: 1) Early system bringup is the provice of initrd and initramfs, which deals with the "this file is needed before that file" issues. We've already _got_ a temporary system that boots the main system. 2) shared libraries (introduced by the Berkeley guys) prevent you from independently upgrading the /lib and /usr/bin parts. They two partitions have to _match_ or they won't work. This wasn't the case in 1974, back then they had a certain level of independence because everything was statically linked. 3) Cheap retail hard drives passed the 100 megabyte mark around 1990, and partition resizing software showed up somewhere around there (partition magic 3.0 shipped in 1997). Of course once the split existed, some people made other rules to justify it. Root was for the OS stuff you got from upstream and /usr was for your site- local files. Then / was for the stuff you got from AT&T and /usr was for the stuff that your distro like IBM AIX or Dec Ultrix or SGI Irix added to it, and /usr/local was for your specific installation's files. Then somebody decided /usr/local wasn't a good place to install new packages, so let's add /opt! I'm still waiting for /opt/local to show up... Of course given 30 years to fester, this split made some interesting distro- specific rules show up and go away again, such as "/tmp is cleared between reboots but /usr/tmp isn't". (Of course on Ubuntu /usr/tmp doesn't exist and on Gentoo /usr/tmp is a symlink to /var/tmp which now has the "not cleared between reboots" rule. Yes all this predated tmpfs. It has to do with read- only root filesystems, /usr is always going to be read only in that case and /var is where your writable space is, / is _mostly_ read only except for bits of /etc which they tried to move to /var but really symlinking /etc to /var/etc happens more often than not...) Standards bureaucracies like the Linux Foundation (which consumed the Free Standards Group in its' ever-growing accretion disk years ago) happily document and add to this sort of complexity without ever trying to understand why it was there in the first place. 'Ken and Dennis leaked their OS into the equivalent of home because an RK05 disk pack on the PDP-11 was too small" goes whoosh over their heads. I'm pretty sure the busybox install just puts binaries wherever other versions of those binaries have historically gone. There's no actual REASON for any of it anymore. Personally, I symlink /bin /sbin and /lib to their /usr equivalents on systems I put together. Embedded guys try to understand and simplify... Rob -- GPLv3: as worthy a successor as The Phantom Menace, as timely as Duke Nukem Forever, and as welcome as New Coke.

via lists.busybox.net

Internet Against SOPA, PIPA | The Onion - America's Finest News Source

2012-01-27T17:11:00.001+01:00

January 26, 2012

Internet Against SOPA, PIPA

Last week, several websites, including Google and Wikipedia, raised awareness of the prohibitive measures included in the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA). Here are some of the legislation's controversial provisions:

Music review sites can only allude to a song's title and content in vague terms

All pirated material available only at the Commerce Department's new site, Torrent.gov

Government will actively encourage people to download only public-domain music, such as Pipey Lester's "That Cat's a-Mewing!" or Ukulele Ted's "Nickel For Your Hat"

Denies future generations the ability to watch hilarious scene from Dirty Work where Chris Farley yells at the Asian hooker anytime, free of charge, which is a fundamental right of being an American

Does absolutely nothing to get rid of goddamn Lolcats

Makes the MPAA and RIAA feel better, which, if you have any shred of a soul, causes pure rage to swell through your very being

Any person suspected of Photoshopping bill sponsor Rep. Lamar Smith (R-TX) in an unflattering manner shall be subject to a minimum sentence of two months in prison; sentence will be increased by an additional two months if MS Paint is used

No longer legal to steal Ryan Gosling's credit card information

Email

Print

Share

Share

Facebook

Digg

Stumble

Reddit

Recent Infographic

Romney Facing Flak For Turn As Venture Capitalist

01.19.12 | ISSUE 48•03

Detroit Ending 24-Hour Police Station Access

01.12.12 | ISSUE 48•02

Best Debate Moments

01.05.12 | ISSUE 48•01

More Infographic

Kmart's Woes

03.27.02 | ISSUE 38•11

American Secrets For Sale

09.15.11 | ISSUE 47•37

Exotic Pet Fever

02.25.98 | ISSUE 33•07

via theonion.com

Security Onion Intrusion Detection System Basic Setup Tutorial « CYBER ARMS – Computer Security

2012-01-25T22:36:00.001+01:00

Security Onion is one of my favorite tools. Doug Burks did an amazing job pulling many of the top open source Network Security Monitoring (NSM) and Intrusion Detection System (IDS) programs. You can run Security Onion in Live CD mode, or you can install it and run it off of your hard drive.

It’s based on Xubuntu 10.04 and contains a ton of programs including Snort, Suricata, Sguil, Squert, argus, Xplico, tcpreplay, scapy, hping, and many other security tools. Sounds complicated right? Well, Doug has done the hard work in pulling all these tools together into an easy to use Linux distribution.

Run this on a system that has two network cards and you have a complete NSM/IDS system. One NIC connects to your network or the internet side of your traffic and records and monitors every packet that comes in or goes out of your system. The second NIC connects to your LAN side and can be used to remotely view and monitor intrusion attempts and security threats.

The exceptional basic setup video above was created by Adrian Crenshaw aka “Irongeek”. Adrian has always done an amazing job passing on information on the latest security tools and techniques. Irongeek.com has a ton of videos and security how too’s, check it out!

Share this:
StumbleUpon
Digg
Reddit
Twitter2
Like this:
Like
One blogger likes this post.

~ by D. Dieterle on January 24, 2012.

Posted in Computer Security
Tags: intrusion attempts, Intrusion Detection, intrusion detection system, intrusion detection system ids, Intrusion Prevention, Linux Security, Network Security Monitoring, scapy, Security Onion, squert

via cyberarms.wordpress.com

Happy New Year! | The Best Article Every day

2012-01-02T08:53:00.001+01:00

via bspcn.com

To Infinity and Beyond - Horizon - BBC - YouTube

2011-11-30T23:42:00.001+01:00

via youtube.com

everyday_i_show: photos by Robert Doisneau

2011-10-10T15:11:00.001+02:00

via everyday-i-show.livejournal.com

Log In

2011-10-03T22:01:00.001+02:00

via niemann.blogs.nytimes.com

Genius!

The Making of Blade Runner | Open Culture

2011-09-01T16:35:00.001+02:00

via openculture.com

Network Dictionary – powerpointalism — My Etherealmind

2011-07-19T23:34:00.001+02:00

Rough term for an event where PowerPoint presentations are occurring in multiple rooms. You might call it a conference, but really it’s a powerpointalism experience. The definition of a conference —a formal meeting for discussion — doesn’t really apply since only the people up the front are talking and everyone else is listening. Generally, you want to be involved.

Note that powerpointalism can also be a noun “I’m experiencing powerpointalism” or more simply, setting one’s status to “powerpointalism” explains your current status.

Note that powerpointalism is how you experience marketecture.

Compare with PowerPoint Waterboarding which tends to occur in much smaller groups that you can’t escape from.

With reference to @aneel during Cisco Live Conference in Las Vegas, 2011.

Share this:
Email
-->

via etherealmind.com

LulzSec Went After Qakbot, Mariposa Bots - Dark Reading

2011-06-28T23:31:00.003+02:00

Had the now-defunct LulzSec hacking group had its demands met earlier this month for getting botnet intelligence from startup Unveillance, it could have wrested control of a portion of the infamous Qakbot's command-and-control infrastructure that's under the purview of the security firm.
The bots Unveillance had sinkholed are Qakbot-infected machines as well as some Mariposa-infected machines, which could have been a treasure trove of botnet firepower for the hacking group, security experts say. Qakbot is a Trojan that spreads like a worm, and its goal is to steal financial accounts and ultimately help siphon money. The botnet has been spotted on the rise, most recently infecting 1,500 Massachusetts state PCs and possibly exposing personal information of some 250,000 state residents.
Karim Hijazi, CEO and president at Unveillance, which uses sinkhole servers to pose as botnet servers that capture communique from orphaned bots, says his firm controls a large portion of the Qakbot botnet's command-and-control infrastructure via its sinkhole servers. "I believe [LulzSec] wanted it for use for a variety of reasons," Hijazi says. "Fraud, information-stealing, reverse-proxy, [etc.]."
In addition, Unveillance sinkholed some Mariposa bots, which LulzSec was also interested in obtaining. Although law enforcement controls the Mariposa command-and-control servers themselves, there are still plenty of machines worldwide infected with the bot malware. "We still see over 4 million events/communications from infected machines part of Mariposa per hour and over 100,000 unique IP addresses an hour," Hijazi says.
LulzSec wanted Mariposa for DDoS purposes, says Pedro Bustamante, senior research adviser for Panda Security. "It’s important to note that even if LulzSec [was able] to completely hack Unveillance and take over their systems, this will not have an impact on LulzSec getting access to the Mariposa botnet," Bustamante says. "The reason is that the DNS records for the Mariposa command-and-control servers are under the control of law enforcement, and are only being redirected to Unveillance for sinkholing purposes ... we can change the DNS records for the main C&C domains and point them somewhere else as to minimize the impact" of any theft of those existing Mariposa bots, he says.
Clues to LulzSec's botnet intentions began to surface last month, when Unveillance discovered some unusual traffic patterns around its network. On May 25, Hijazi noticed something funny was going on with his email account as well. "An email I saw on my phone was showing as already-read on my computer," even though he had not opened the message yet, he recalls.
Minutes later, he witnessed an email in his inbox go from "unread" to "read" and then back to "unread" again. "That was a really compelling event," he says. Between that and the unusual traffic trying to get past Unveillance's firewalls, something was definitely going amiss: "It was lockdown time," he says.
In the wee hours of the morning, Hijazi received an email with his Infragard password in the subject line, and a message asking if he wanted "to talk," and signed "Love, Friends." He gathered his team at 4:30 a.m., and they began brainstorming and shoring up security.
It wasn't until later in an online chat with the hackers that Hijazi learned what the attackers really wanted: "They ... [were] saying, 'We want your botnet information' or they would 'dox' us," he says. Among their demands was Qakbot information and its sinkholes: "They wanted [me] to convey ownership of the domain for DDoS'ing. They wanted command and control of those DDoS botnets," Hijazi says.
When Hijazi refused, they demanded money, but he replied that his firm was a start-up and didn't have any money. "On Friday, they dumped my emails online, and InfraGard was taken down," he says.
While Anonymous -- from which LulzSec originally spun off -- has been best known for using "crowdsource" distributed denial-of-service (DDoS) attacks using the Low Orbit Ion Cannon (LOIC) tool, the group also has relied on established botnets to take down websites it targets.
Meanwhile, Hijazi says the AntiSec operation headed by Anonymous is hosting a new hacker training school via an IRC chat room for new recruits. "New information about their 'new' AntiSecPro hacker training school shows intent to use the ZeuS source code to train new recruits [bot-herders] how to compile and deploy a ZeuS botnet," Hijazi says.
Aside from the Zeus training and offering source code for Zeus 2.0.8.9, the "#school4lulz" training includes language injection via HTTP, IDS evasion, SQL injection techniques, botnet C&C protocol selection, takeover mitigation, social engineering skills, war-driving, and how to find an individual's personal information online, Unveillance says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

via darkreading.com

Breach Patrol: When Should Customers Be Told? - Dark Reading

2011-06-28T23:31:00.001+02:00

E-mail this page

| Print this page

|

Breach Patrol: When Should Customers Be Told?
Speed of notifications seems to be a key question now
Jun 17, 2011 | 02:24 PM | 0 Comments
By Mathew J. Schwartz, InformationWeek
Special to Dark Reading
Dark Reading

Are companies notifying consumers quickly enough after their personal data has been exposed via a security breach?
The speed of such notifications seems to be a key question now. Earlier this month, the House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade peppered representatives from two breached companies with questions ranging from how they'd secured their data, to how quickly they'd notified affected customers.
Read the full article here.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

via darkreading.com

ISC Diary | Deja-Vu: Cisco VPN Windows Client Privilege Escalation

2011-06-28T23:29:00.001+02:00

-->
Deja-Vu: Cisco VPN Windows Client Privilege Escalation
-->

Share |

Published: 2011-06-28,
Last Updated: 2011-06-28 20:14:39 UTC
by Johannes Ullrich (Version: 1)

1 comment(s)

Cisco released earlier today a bulletin regarding a vulnerability in the Cisco VPN client for Windows 7. The vulnerability is pretty simple: The client runs as a service, and all users logged in interactively have full access to the executable. A user could now replace the executable, restart the system and have the replacement running under the LocalSystem account.

The fix is pretty simple: Revoke the access rights for interactive users.

The interesting part : NGS Secure Research found the vulnerability, and released the details after Cisco released the patch [1]. The vulnerability is almost identical to one found in 2007 by the same company in the same product [2]

Very sad at times how some vendors don't learn. Lucky that at least companies like NGS appear to be doing some of the QA for them.

[1] http://www.securityfocus.com/archive/1/518638
[2] http://www.securityfocus.com/archive/1/476812

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: cisco vpn
1 comment(s)

via isc.sans.org

Always Have an Answer on Hand with the IT Service Desk Wheel of Responses [Humorous Image] - How-To Geek ETC

2011-06-09T23:13:00.001+02:00

via howtogeek.com

Silvio Berlusconi's record: The man who screwed an entire country | The Economist

2011-06-09T23:11:00.001+02:00

via economist.com

China confirms deployment of online army - People's Daily Online

2011-05-28T14:13:00.001+02:00

via english.peopledaily.com.cn

(this is not The Onion!)

Allied Telesis divulges secret backdoor - The H: Security news and Open source developments

2011-05-27T21:49:00.001+02:00

via h-online.com

Zentyal As A Gateway: The Perfect Setup | HowtoForge - Linux Howtos and Tutorials

2011-05-23T22:09:00.001+02:00

via howtoforge.com

Come raggiungerla | Wittgenstein

2011-05-23T22:08:00.001+02:00

via wittgenstein.it

“Inside Apple” Reveals Steve Jobs Anecdotes, Apple’s Little Known Facts

2011-05-07T23:21:00.001+02:00

via macstories.net

CIA's 'Facebook' Program Dramatically Cut Agency's Costs | Onion News Network

2011-05-03T21:43:00.001+02:00

via theonion.com

Facebook and Twitter Valuations May Show a New Tech Bubble

2011-03-29T11:25:00.001+02:00

via nytimes.com

Facebook and Twitter Valuations May Show a New Tech Bubble

2011-03-28T00:28:00.001+02:00

via nytimes.com

[C#] Another proof of Hack from Comodo Hacker

2011-03-28T00:14:00.001+02:00

Check out this website I found at pastebin.com

A message from Comodo Hacker

2011-03-28T00:13:00.001+02:00

Check out this website I found at pastebin.com

MySQL.com compromised | Sucuri

2011-03-27T21:15:00.003+02:00

Share

MySQL.com (the official site for the MySQL database) was compromised via (shocking!) blind SQL injection. A post was sent today to the full disclosure list explaining the issue and dumping part of their internal database structure.

Vulnerable Target : http://mysql.com/customers/view/index.html?id=1170
Host IP : 213.136.52.29
Web Server : Apache/2.2.15 (Fedora)
Powered-by : PHP/5.2.13
Injection Type : MySQL Blind
Current DB : web

So their customer view application was used as the entry point, where the attackers were able to list the internal databases, tables and password dump…

What is worse is that they also posted the password dump online and some people started to crack it already. Some of the findings are pretty bad, like that the password used by the MySQL director of product management is only 4 numbers (6661).

We will post more details as we learn more about it.

Share0 0share0shareNew

via blog.sucuri.net

Full Disclosure: MySQL.com Vulnerable To Blind SQL Injection Vulnerability

2011-03-27T21:15:00.001+02:00

Full Disclosure mailing list archives

MySQL.com Vulnerable To Blind SQL Injection Vulnerability From: Jack haxor <jackh4xor () h4cky0u org>
Date: Sun, 27 Mar 2011 05:46:30 +0000

--------------------------------------------------------------------------------------- [+] MySQL.com Vulnerable To Blind SQL Injection vulnerability [+] Author: Jackh4xor @ w4ck1ng [+] Site: http://www.jackh4xor.com ---------------------------------------------------------------------------------------  About MySQL.com : --------------------------------------------------------------------------------------------------------------------  The Mysql website offers database software, services and support for your business, including the Enterprise server,  the Network monitoring and advisory services and the production support. The wide range of products include: Mysql  clusters, embedded database, drivers for JDBC, ODBC and Net, visual database tools (query browser, migration toolkit)  and last but not least the MaxDB- the open source database certified for SAP/R3. The Mysql services are also made  available for you. Choose among the Mysql training for database solutions, Mysql certification for the Developers and  DBAs, Mysql consulting and support. It makes no difference if you are new in the database technology or a skilled  developer of DBA, Mysql proposes services of all sorts for their customers.  --------------------------------------------------------------------------------------------------------------------    Vulnerable Target  :   http://mysql.com/customers/view/index.html?id=1170 Host IP                  :   213.136.52.29 Web Server           :   Apache/2.2.15 (Fedora) Powered-by           :   PHP/5.2.13 Injection Type        :   MySQL Blind Current DB             :   web  Data Bases:      information_schema bk certification c?ashme cust_sync_interim customer dbasavings downloads feedback glassfish_interface intranet kaj license_customers manual manual_search mem mysql mysqlforge mysqlweb news_events partner_t?aining partners partners_bak phorum5 planetmysql qa_contribution quickpoll robin rp sampo sampo_interface sessions softrax softrax_interim solutions tco test track track_refer wb web web_control web_projects web_training webwiki wordpress zack  Current DB: web  Tables  xing_validation         v_web_submissions       userbk  user_extra       user  Columns: cwpid version lead_quality sfid industry address2 created last_modified lang notify newsletter gid title  fax cell phone country zipcode state city address business company position lastname firstname passwd verified bounces  email user_id  us_zip_state    us_area_state   unsub_log       trials  trial_external_log      trial_data      trial_alias     training_redirect       tag_blacklist   tag_applied     tag     support_feeds_DROP      support_entries_DROP    states  snapshots_builds        snapshots       sakilapoints    regions         quote_customer  quote   quicklinks      promo   product_releases        position        partner         paper_lead      paper_details_options   paper_details_old       paper_details   paper   newsletter_unsub        nav_sites       nav_items       mysql_history   mirror_status   mirror_country  mirror_continent        mirror  mailing_list_member     mailing_list    locks   lead_validity_rules     lead_source_xref        lead_source_external    lead_source     lead_routing_rule       lead_rep        lead_old        lead_note       lead_extra_old  lead_extra_new  lead_extra      lead_companies  lead_campaign_member    lead    language_strings        language_modules        imagecache      hall_of_fame    g_search_term   g_search_data   g_blog_data     forum_comment   forms   field_xref      field_options   field_match     email_blacklist         email_a_friend  drpl_manual_review      drpl_denied     drpl_check_log  drpl_cache      customer_meta_sets      customer_meta_set       customer_meta   customer        coupon_product  coupon_campaign_attribute       coupon_campaign         coupon  country         countries       campaign_type   campaign_topic  campaign_score  campaign_listdata       campaign_detail         business        bounces          Database : mysql Table:  user_info      user     Column: Update_pri Insert_priv Select_priv Password User Host  time_zone_transition_type     time_zone_transition     time_zone_name     time_zone_leap_second     time_zone     tables_priv     slow_log     ?ervers     procs_priv     proc     plugin     ndb_binlog_index     inventory     host     help_topic     help_relation     help_keyword     help_category     general_log     func     event     db     columns_priv   # mysql.user Data  Password                                      User            Host wembaster     % monitor     10.% sys             % sys             localhost *06581D0A5474DFF4D5DA3CE0CD7702FA52601412     forumread     % *0702AEBF8E92A002E95D40247776E1A67CD2CA3F     wb             % *2A57F767D29295B3CB8D01C760D9939649483F85     flipper     10.% *32F623705BFFFE682E7BD18D5357B38EF8A5BAA9     wordpress     % *66A905D4110DF14B41D585FDBCE0666AD13DD8C1     nagios             % *704EB56151317F27573BB4DDA98EDF00FFABAAF8     root             localhost *ED1BDC19B08FD41017EE180169E5CEB2C77F941A     mysqlforge     % *FD75B177FFEC3590FE5D7E8459B3DDC60AE8147B     webleads     10.% 00680dd718880337                             olof             % 077f61a849269b62     qa_r     % 077f61a849269b62     qa_rw     % 077f61a849269b62     qa_adm     % 0c2f46ba6b87d4ea     trials_admin     10.% 1856b9b03b5a6f47     cacti     % 19519e95545509b5     certification     % 1a39dcad63bbc7a6     gf_mschiff     % 2277fd7d562ec459     webslave     localhost 2277fd7d562ec459     webslave     % 304404b114b5516c     planetmysql_rw     % 35e376451a87adb0     planetmysql_ro     % 4e203d581b756a93     webmaster     localhost 4e203d581b756a93     webmaster     % 4e93479179a8ec93     sysadm     % 575ec47e16c7e20e     phorum5     % 575ec47e16c7e20e     lenz     % 5f340ec40a706f64     robin     % 61113da02d2c97a5     regdata     % 616075f256f111ba     myadmin     10.100.6.44 61711eea3de509ac     merlin     127.0.0.1 6302de0909a369a1     ebraswell     % 6b72b2824cc7f6fe     mysqlweb     % 6ffd2b17498cdd44     zack     % 70599cf351c6f591     repl     % 740284817e3ed5a8     webwiki     % 74c5529b41a97cc2     web_projects      Databsae: web_control  Table: system     system_command     service_request     run_control     request_daemon     rebuild_server     rebuild_queue     rebuild_control     quarterly_lead_report     newsletter_log     newsletter_control     ips     hosts  Columns:notes description name dns_servers Columns: name internal ip   Database: certification  Tables: signup     corpcustomers     certexamdata     certcandidatedata     certaccess   Database: wordpress  Tables:  wp_4_term_taxonom     wp_4_term_relationships     wp_4_posts     wp_4_postmeta     wp_4_options     wp_4_links     wp_4_comments     wp_3_terms     wp_3_term_taxonomy     wp_3_term_relationships     wp_3_posts     wp_3_postmeta     wp_3_options     wp_3_links     wp_3_comments     wp_2_terms     wp_2_term_taxonomy     wp_2_term_relationships     wp_2_posts     wp_2_postmeta     wp_2_options     wp_2_links     wp_2_comments     wp_1_terms     wp_1_term_taxonomy     wp_1_term_relationships     wp_1_posts     wp_1_postmeta     wp_1_options     wp_1_links     wp_1_comments     wp_11_terms     wp_11_term_taxonomy     wp_11_term_relationships     wp_11_posts     wp_11_postmeta     wp_11_options     wp_11_links     wp_11_comments     wp_10_terms     wp_10_term_taxonomy     wp_10_term_relationships     wp_10_posts     wp_10_postmeta     wp_10_options     wp_10_links     wp_10_comments     remove_queries    Database: bk  Table: wp_backupterm_taxonomy     wp_backupterm_relationships     wp_backupposts     wp_backuppostmeta     wp_backupoptions     wp_backuplinks     wp_backupcomments   ----------------------------------------------------------------------------------- Signed : Jackh4xor !   Greetz : rooto, Mr.52, zone-hacker, w4ck1ng  (In)Security -------------------------------------------------------------------------------------

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

By Date

By Thread

Current thread:

MySQL.com Vulnerable To Blind SQL Injection Vulnerability Jack haxor (Mar 27)

via seclists.org

BBC News - Tsunami hits Japan after large earthquake

2011-03-11T10:04:00.001+01:00

via bbc.co.uk

Worst Automatic Garage Door Opener Installation Ever Video

2011-03-11T09:55:00.001+01:00

via break.com

Facebook Is AOLifying the Internet—and That Sucks

2011-03-09T11:13:00.001+01:00

Sam Biddle —
When an entire generation of computer users first poked our doe-eyed faces onto a young internet, many of us were greeted with a single, encompassing, monolithic face peering back: the AOL Home Screen. To call it a young internet isn't even fair—it was a mature, thriving AOL. It was ubiquitous, it was powerful, it was everything—and it ended up destroying itself, too flawed by design to last. And someone's trying to rebuild the Death Star.

How do we know nobody's learned shit since the days of the 56k Hindenburg? News like Warner Bros' decision to rent movies—starting with The Dark Knight—directly through Facebook. News like Rovio putting Angry Birds onto perhaps the only platform other than my dead grandfather's typewriter that doesn't yet support it—yup, Facebook. Which is just, really, wonderful! If there's one thing the internet is lacking right now, it's yet another fucking place to rent a movie for 48 hours for several bucks or play god damned Angry Birds. And it adds up—Facebook is reaching its tendrils into every single thing we like about the internet, far, far beyond the actual reasons we rolled up to Zuckerberg's site in the first place. IMing? Check. Email? Check. Photo sharing? Check. Apps? Check. Location check-ins? Yup. Twitter ripoff status updates? But of course! What Facebook hasn't stuffed into its maw by its own will, it's given developers plenty of incentive to do so themselves. The consequence? Over a decade after the web portal stopped making sense, Facebook is trying to assemble itself, like some ill-conceived Voltron, into the next.

After AOL began its decade-long implosion, gradually descending out of relevance, the real internet sprang up in the fertile mush that'd been left behind. AOL was hemorrhaging money like a hemophilic boxer, but the rest of us were having too much fun with the tools we'd be introduced to by this collapsing corpse to notice. IMing, emailing, video, websites, games—AOL didn't invent any of these things from thin air, but it brought them all together in one convenient (when you had a dial tone), hideously-90s Mecca. It was easy! It was slow! It was familiarly and comforting—and stifling. AOL's vision of the online world was what AOL deemed worthy of its walled topiary garden. It was closed—locked up tight. Integrated tightly, but, in retrospect, really pretty mediocre.

Now, I hear you: Facebook is different from AOL in at least two major ways. We're not saying these two things are exactly the same. Facebook is social, and we believe in a social internet because you can't fake the kind of content and recommendations that come from your friends. That's the engine in Facebook's growth. And secondly, Facebook is far from being as closed as AOL was, since it's a platform other companies can use. AOL didn't have either of those. But Facebook's still mediocre! Even if they're outsourcing a lot of that mediocrity (Dark Knight movie rentals) while keeping some of it in house (All of Facebook's messaging and whatever clones of popular services they're currently building). Even if it's your friends who are spamming you with next generation super pokes.

It's also mediocre, because no company online can be good at everything and so it's always ugly when they try. Which is why the the internet is great—we get to choose! Sites specialize! Want a trillion clips of obscura? YouTube! Want gorgeous music videos and mini-docs? Vimeo! Want to stream moves to every box and handset under the sun? Netflix is terrific!

But no. Facebook, realizing it has at least a few daily minutes of the attention of the most attention-impoverished step in our species' history, wants to be everything. It wants to be Netflix, it wants to be your Xbox, it wants to be Foursquare, it wants to be Gmail—Facebook wants to be the internet. Will you let it?

Illustration by Contributing Illustrator Sam Spratt. Become a fan of his Facebook Artist's Page and follow Sam on Twitter

via gizmodo.com

French Ministry hit by hacker attack, targeting secret G20 plans | Naked Security

2011-03-08T21:01:00.001+01:00

The French Ministry of Finance has reportedly confirmed that it has become the victim of an internet attack, targeting documents related to the French presidency of the G20 and international economic affairs.

Paris Match magazine, which broke the story, claims that more than 150 computers at the ministry have been infilitrated by hackers since December, and numerous documents stolen.

Budget Minister Francois Baroin confirmed in a radio interview that an investigation was taking place into the attacks, claiming that it was "probably the first time" that the French government's computer systems had been hit on such a scale. He told Europe-1 that it was documents about the G20 that especially interested the hackers.

France holds the rotating leadership of the G20 this year and is hosting a series of meetings aimed at improving relations among the world's top economies, including the US and China.

France holds the presidency of the G20 this year, and is hosting meetings designed to improve relationships between the world's top economies. No doubt such hacking reports are sending a shiver down the spine of staff who work at the ministry building known to most people as Bercy.

According to the report, hackers were able to break into the Ministry's computers after emailing a malicious Trojan horse to users. Once the users were fooled into running the dangerous code, the hackers could access the computers remotely via a backdoor.

Inevitably the finger of suspicion is likely to point towards China for the hacking attack, but I think it's dangerous to conclude that a hack was state-endorsed unless there's definitive proof.

The truth is that proving the origin of a hack attack is complicated by the fact that cybercriminals can use compromised PCs owned by innocent people to act as a go-between when trying to break into someone's computer. In other words - yes, a Chinese computer might have tried to connect to yours, but it may be under the control of someone in, say, Great Britain.

We'd be naive to think that the Chinese (and just about every other country around the world) isn't using the internet for its political, commercial and military advantage, but we should be very cautious about making assumptions without having all the proof in front of us.

Share

via nakedsecurity.sophos.com

Wordpress Denial of Service Attack Also Reveals New Economies of Scale Impacts - Haydn Shaughnessy - Re:thinking Innovation - Forbes

2011-03-04T14:28:00.001+01:00

The lessons any business can learn: There is a new kind of scale out there. The historical mix of resources – capital, people, raw materials, knowledge are giving way to platforms that introduce new economies of scale as well as new vulnerabilities. People continue to speculate about the source of the denial of service attack – an emerging view is that it is a pro-Government attack from a regime where protesters are using Wordpress to gather support and distribute information. The impact of new economies of scale however is becoming more visible. Platform-based businesses, business that enable people (developers, customers, opinion formers) at low cost, are having a huge effect on the world around us.

via blogs.forbes.com

The Origin of Unix Pipes

2011-03-01T15:39:00.001+01:00

October 11, 1964

via doc.cat-v.org

London Stock Exchange in historic Linux go-live

2011-02-14T14:16:00.001+01:00

UPDATED The London Stock Exchange has successfully set into live trading a new matching engine based on Novell SUSE Linux technology, following successful last-step setup procedures on Saturday.

The move has been billed as one of the LSE's most significant technological developments since the increasing prevalence of electronic trading led to the closure of the traditional exchange floor in 1986. LSE chief executive Xavier Rolet has insisted that the exchange, once a monopoly, will deliver record speed and stable trading in order to fight back against the fast erosion of its dominant marketshare by specialist electronic rivals.

Also in this channel

News

In Depth

How-Tos

Blogs

Slideshows

Related Articles

London Stock Exchange SUSE Linux choice based on HFT capacityNovell supporting key systems that replace Microsoft .Net environment >>

London Stock Exchange Linux system at forefront of proposed Toronto mergerExchanges promise £40m technology investment as IT centre is created in London >>

Red Hat, Verizon and HP defend Microsoft in i4i patent disputeThe group joined forces to file a brief that challenges poor quality software patents >>

Canonical starts catalogue of Linux friendly hardwareUnbuntu maker aims to ease device compatibility >>

Five open source network management apps to watchFree and open software for keeping track of your enterprise network >>

Five open source project management apps to watchTop free solutions for staying on top of complex situations >>

"The London Stock Exchange Group is pleased to confirm that Millennium Exchange is now operational," the LSE said in a statement to clients ahead of the main market trading opening on Monday. "We would like to thank all clients for their support during this migration."

London Stock Exchange Linux system at forefront of proposed Toronto merger

London Stock Exchange 'under major cyberattack' during Linux switch

London Stock Exchange traders concerned over network capacity around new Linux system

At 8am today, the exchange’s main venue went into live trading with the Millennium IT matching engine, which is based in a C++ environment. Weekend work included setting live all gateways from clients to its network and data centres.

The switchover is being closely watched as the new system will replace the existing TradElect platform, based around .Net architecture and upgraded by Accenture in 2007 at a cost of £40 million. The decision to scrap TradElect was made in 2009, after several high profile outages and as rivals beat the LSE on messaging latency.

While the LSE's alternative venue, Turquoise, has already been running Millennium Exchange for four months, the rollout on the main exchange has been delayed several times. The delays came after problems occurred on Turquoise and following testing by main venue clients.

Initially, capacity concerns were raised: even though Millennium Exchange was processing messages at a round trip latency of only 126 microseconds, clients were apparently unsure of its ability to handle the scale of messages on the main market.

Register
Subscribe to Newsletters

After this, in November last year a major incident occurred on Turquoise, forcing the LSE to take the market offline for two hours and bringing a grinding halt to the main venue migration. The exchange said the problem occurred in "suspicious circumstances", and while it later attributed human error as the cause, newspaper reports claimed the LSE was in close discussions with the Cabinet Office over major ongoing attempted attacks on its network.

Observers watching today's Linux-based launch will likely note that such a large change could bring about some teething problems, as with any technology overhaul. But for the LSE and its customers, a system that is stable and can handle the millions of simultaneous messages on its network while running faster than its growing competitors' technology, will be seen as the barometer of success.

The one-day TradElect outage in 2007, which angered clients, is a scenario the LSE will strive to avoid. And as it mulls the idea of placing all major systems onto Linux in a merger with Toronto exchange parent TMX, the success of its data centres and networks is of the utmost importance.

Now read: London Stock Exchange SUSE Linux choice based on HFT capacity

via computerworlduk.com

Agenda digitale: L'Italia riparte da Internet e dalla... - Eventbrite

2011-02-04T17:48:00.001+01:00

Dopo il lancio dell'iniziativa Agenda Digitale, sottoscritto da oltre 10 mila persone, prima occasione di incontro tra alcuni personaggi che hanno sottoscritto l'appello e politici che intendono rispondere con proposte concrete.

Programma:

10:30 – welcome – “Cos’è e come nasce Agenda Digitale”

11:00 – “L'Italia riparta da Internet e dalla tecnologia?”

Layla Pavone, Oscar Giannino, Vittorio Zambardino, Francesco Sacco, Juan Carlos De Martin

12:00 – “E’ l’ora di una politica per lo sviluppo digitale”

Paolo Gentiloni, Luca Barbareschi, Mario Valducci, Linda Lanzillotta modera Peter Kruger

13:00 chiusura evento

via agendadigitale.eventbrite.com

Investigation into black market prices for stolen online banking data - The H Security: News and Features

2011-02-04T17:47:00.003+01:00

The returns are clearly enormous – criminals are charged $700 for access details for one bank account with a guaranteed balance of $82,000. According to a report from anti-virus vendor Panda Security, less creditworthy accounts can be picked up for just $80.

Panda reports that it infiltrated a criminal network for trading stolen data and hawking services. The vendor explored a total of 50 such online forums and shops, discovering many interesting prices. Costs for credit card details, for example, range from $2 to $90, depending on the card's credit limit.

Criminals interested in a bit more than just online shopping can also get physical credit cards made up. The cost? About $30 for a single colour card or a less suspicious full colour card for $90, plus the cost of the credit card details.

Users who are too timid to use their stolen data to do their online shopping themselves can use a transaction service for between $30 and $300. According to Panda, to purchase a television from a stooge using stolen data and get it sent to your own address will set you back $100.

The shops also offer accessories for card skimmers – card cloners for attaching to Diebold and NCR ATMs cost around €3,000. A complete fake ATM, for erection in a popular shopping centre for example, can be yours for just $35,000.

According to Panda, criminal online shops operate just like normal online shops. As well as a price list, they include special offers, bulk discounts, try and buy offers and individual services for which a quote can be provided. Exchanges and returns are also apparently possible. Where the transactions do differ from the norm is in the payment process, The criminals don't take plastic, instead relying on money transfer services such as Western Union, Liberty Reserve and WebMoney.

The online mafia can be contacted via IM or social media. Germany's carders.cc underground forum, the subject of multiple hacks in the past, has its own Twitter account and even has a fan page on Facebook.

(crve)

via h-online.com

Survey: The best privacy advisers of 2010

2011-02-04T17:47:00.001+01:00

Survey: The best privacy advisers of 2010

This year's survey finds law firms still tops

Jay Cline

February 3, 2011 (Computerworld)
Who are the best people and firms at providing privacy advice? It's a question I've been asking since 2006, before privacy was cool. Since then, a plethora of new privacy rules and penalties and a tsunami of new technologies and risks have placed privacy among the top handful of corporate concerns. Doing privacy wrong now takes a bigger bite off the bottom line than it did when I first started asking this question. So have the answers changed?

Not when the question is which type of outside privacy practice you prefer. Lawyers are still the top choices, with law firms grabbing six of the top 10 spots in the survey. And for the fourth consecutive time, Hunton & Williams garnered the most votes. This may be a case of success breeding more success: Hunton attracted more than twice as many votes as its nearest challenger.

Second-place Morrison & Foerster still is highly regarded, followed by Foley & Lardner and Privacy & Information Management Services. Hogan Lovells and Covington & Burling round out the law firms ranking in the top 10 of all firms.

What does this say about the corporate privacy agenda? Two things, I think: Regulatory compliance is still the first step to take for many companies, and the firms that were the best at assisting with this first step five years ago are still the go-to destinations for in-house privacy officers.

Other firms gaining ground

Even though law firms took six of the top 10 places, that was down from the last survey, in 2008, when they accounted for eight spots. Indeed, consulting firms now account for half of the top 12.

Which were the top consultancies? As in past years, it was a mix of large audit and accounting firms, such as PriceWaterhouseCoopers and Ernst & Young, and boutique shops.

The stronger showing of consultancies may reflect the emerging consensus in the privacy profession that doing privacy right is bigger than regulatory compliance. Particularly for industries such as healthcare and technology, which involve an intensive use of personal information, creating privacy-friendly products and services involves meeting customer and social expectations. "Organizations need to 'do' privacy better, faster and cheaper," noted Brian Tretick, managing director for Athena Privacy, a new boutique firm. "That means more formal, repeatable processes, automation and active monitoring."

The survey also showed that firms may be looking for services beyond traditional advice from experts. New entrants to the list of top vote-getters include service providers, a certification firm and a professional association. Among them:

• San Francisco-based Truste is the provider of the popular Web-privacy seal and a number of other privacy-verification products and services.

• Portland, Ore.-based ID Experts and Austin-based Debix provide data-breach response services.

• Toronto-based Nymity provides an information portal for privacy content.

•Seattle-based MediaPro offers computer-based training for privacy and security.

The International Association of Privacy Professionals organizes the best-attended privacy conferences and offers the CIPP certification for the privacy profession.

Table 1: Top firms for privacy advice
In the table below, law firms are marked with a dagger symbol (†), and consulting firms with a double dagger (‡).The firms are ranked in order of the number of votes received, but banded into three tiers to compensate for statistical margin of error. Tier 1 firms garnered more than 10% of total votes, Tier 2 firms received 3% to 10%, and Tier 3 firms achieved 1 to 2% of votes.
In the interest of full disclosure, Minnesota Privacy Consultants, the author's firm, finished behind Foley & Lardner.

Mozilla Labs » Blog Archive » Prism is now Chromeless

2011-02-02T12:40:00.001+01:00

we now want to Make it possible to build desktop applications with Web technologies. This change emphasizes two things: first we’re interested in ultimately building Chromeless into something that can be used to ship real products. Second, we want it to be possible to build standalone desktop applications in addition to browsers.

via mozillalabs.com

RSI Telegiornale - Allarme Powerpoint

2011-02-02T11:10:00.001+01:00

via la1.rsi.ch

EFF Uncovers Widespread FBI Intelligence Violations | Electronic Frontier Foundation

2011-01-31T10:19:00.001+01:00

EFF Uncovers Widespread FBI Intelligence Violations

News Update by Mark Rumold

EFF has uncovered widespread violations stemming from FBI intelligence investigations from 2001 - 2008. In a report released today, EFF documents alarming trends in the Bureau’s intelligence investigation practices, suggesting that FBI intelligence investigations have compromised the civil liberties of American citizens far more frequently, and to a greater extent, than was previously assumed.

Using documents obtained through EFF's Freedom of Information Act (FOIA) litigation, the report finds:

• Evidence of delays of 2.5 years, on average, between the occurrence of a violation and its eventual reporting to the Intelligence Oversight Board

• Reports of serious misconduct by FBI agents including lying in declarations to courts, using improper evidence to obtain grand jury subpoenas, and accessing password-protected files without a warrant

• Indications that the FBI may have committed upwards of 40,000 possible intelligence violations in the 9 years since 9/11

EFF's report stems from analysis of nearly 2,500 pages of FBI documents, consisting of reports of FBI intelligence violations made to the Intelligence Oversight Board — an independent, civilian intelligence-monitoring board that reports to the President on the legality of foreign and domestic intelligence operations. The documents constitute the most complete picture of post-9/11 FBI intelligence abuses available to the public. Our earlier analysis of the documents showed the FBI's arbitrary disclosure practices.

EFF's report underscores the need for greater transparency and oversight in the intelligence community. As part of our ongoing effort to inform the public and elected officials about abusive intelligence investigations, we are distributing copies of the report to members of Congress.

A pdf copy of the report can be downloaded here.

Related Issues: FOIA Litigation for Accountable Government, National Security Letters, PATRIOT Act, Transparency

Related Cases: FOIA: Intelligence Agencies' Misconduct Reports

[Permalink]

via eff.org

Hackers break US government smart card security

2011-01-31T10:01:00.001+01:00

The US government has been stepping up its use of smart cards to help lock down its computer networks, but hackers have found ways around them.

Over the past 18 months, security consultancy Mandiant has come across several cases where determined attackers were able to get onto computers or networks that required both smart cards and passwords. In a report set to be released Thursday, Mandiant calls this technique a "smart card proxy."

The attack works in several steps. First, the criminals hack their way onto a PC. Often they'll do this by sending a specially crafted email message to someone at the network they're trying to break into. The message will include an malicious attachment that, when opened, gives the hacker a foothold in the network.

After identifying the computers that have card readers, the bad guys install keystroke logging software on those computers to steal the password that is typically used in concert with the smart card.

Then they wait.

Login | Register
Follow us on Twitter
Get Widget

Subscribe to Techworld newsletters

When the victim inserts the smart card into the hacked PC, the criminals then try to log into the server or network that requires the smart card for authentication. When the server asks for a digital token from the smart card, the bad guys simply redirect that request to the hacked system, and return it with the token and the previously stolen password.

This is similar to the techniques criminals have been using for several years now to get around the extra authentication technologies used in online banking.

Mandiant is the kind of company that businesses and government agencies call to clean up the mess after they've been hacked. It has done investigations at about 120 organisations overt the past year and a half. Most of them get hacked via a targeted email. But in many cases, they were actually hacked years earlier, but never managed to remove the malicious software from their network, according to the report.

Companies or government agencies that assume that they are secure just because they use smart cards to authenticate, could be in for a nasty surprise some day, said Rob Lee, a director with Mandiant. "Everything is circumventable in the end," he said.

via news.techworld.com

From the Archive: Historic NASA Photos | Plog — World news photography, Photos — The Denver Post

2011-01-31T10:00:00.001+01:00

via blogs.denverpost.com

collision detection: Study: Teams work best when members are physically close together

2011-01-31T09:40:00.001+01:00

Generally, people think of “brainstorming” as gathering everyone in a room so they can yell out ideas, with one person writing down the ideas on a whiteboard. But studies show that can shut people down: They get nervous about speaking out loud, or they think their idea isn’t interesting, or one person dominates the brainstorming and drags the center of gravity, for good or ill, in one direction. In contrast, a 1958 study found that if you take the members of your team, put them in different rooms, and ask each to brainstorm solutions to a problem, they’ll produce more and better ideas. That’s because the problems of face-to-face dynamics go away: The “virtual” group is better.

via collisiondetection.net

The Inside Story of How Facebook Responded to Tunisian Hacks - Technology - The Atlantic

2011-01-30T17:33:00.001+01:00

It was on Christmas Day that Facebook's Chief Security Officer Joe Sullivan first noticed strange things going on in Tunisia. Reports started to trickle in that political-protest pages were being hacked. "We were getting anecdotal reports saying, 'It looks like someone logged into my account and deleted it,'" Sullivan said.

For Tunisians, it was another run-in with Ammar, the nickname they've given to the authorities that censor the country's Internet. They'd come to expect it.

In the days after the holiday, Sullivan's security team started to take a closer look at the data, but it wasn't entirely clear what was happening. In the US, they could look to see if different IP addresses, which identify particular nodes on the network, were accessing the same account. But in Tunisia, the addresses are commonly reassigned. The evidence that accounts were being hacked remained anecdotal. Facebook's security team couldn't prove something was wrong in the data. It wasn't until after the new year that the shocking truth emerged:

Ammar was in the process of stealing an entire country's worth of passwords.

* * *

Here's what's at stake. December of 2010 saw the most substantial civil unrest in Tunisia in the reign of Zine El Abidine Ben Ali, which began with a bloodless coup in November 1987. Beginning with street protests in the country's poor interior region of Sidi Bouzid, the calls for change were soon echoed by more powerful civil society organizations, notably the country's only labor union, the UGTT. But despite the turmoil, it wasn't clear what exactly might happen.

"It is too early to know if these protests signal the beginning of the end for Ben Ali," wrote Christopher Alexander in Foreign Policy on January 3. "However, Tunisia's current political scene looks a bit like it did in 1975 and 1976, the beginning of the long slide for Ben Ali's predecessor, Habib Bourguiba."

That is to say, even expert analysts of the country couldn't tell if Ben Ali would remain in power for a few more weeks or a decade. It did not feel inevitable that Ben Ali would be deposed. People had protested in the streets before. Revolution had been in the air. It wasn't clear that this time would be different.

There has been a lot of debate about whether Twitter helped unleash the massive changes that led Ben Ali to leave office on January 14, but Facebook appears to have played a more important role in spreading dissent.

"I think Facebook played a bigger role in this case," said Jillian York of the Berkman Center for the Internet and Society, who has been tracking the Tunisian situation closely. "There are a lot more Facebook users than Twitter users. Facebook allows for strong ties in a way that Twitter doesn't. You're not just conversing."

One early sign that Tunisians felt Facebook could be useful: Back in July, bloggers Photoshopped a picture of Mark Zuckerberg to show him holding up a sign that read, "Sayeb Sala7, ya 3ammar," the slogan for a freedom of expression campaign late in 2010. Later, Zuckerberg popped up on a sign outside the Saudi Arabian embassy carried by Tunisian protesters demanding the arrest of Ben Ali.

York said that Tunisian bloggers and activists had told her that the ability to upload video to Facebook drove its usage because many other video-sharing sites had been blocked by the government.

The videos -- shot shakily with cameraphones -- created a link between what was happening on the streets in the poor areas of the country and the broader Tunisian population. Many are graphic. In one video -- since taken down, apparently -- a young man is lying on a gurney with his skull cracked open. Brain oozes out. Cries are heard all around. The video focuses in on the man's face and as the camera pulls back, we see that there are two other people with cameraphones recording the injury. Video after video of the revolutionary events captures other people videoing the same event. Those videos, and the actions they recorded, became the raw material for a much greater online apparatus that could amplify each injury, death, and protest.

But it wasn't just videos that people were sharing. All kinds of information passed between Tunisians. For activists as well as everyday people, Facebook became an indispensable resource for tracking the minute-by-minute development of the situation. By January 8, Facebook says that it had several hundred thousand more users than it had ever had before in Tunisia, a country with a few more people than Michigan. Scaled up to the size to the U.S., the burst of activity was like adding 10 million users in a week. And the average time spent on the site more than doubled what it had been before.

Rim Abida, a Tunisian-born, Harvard-educated development consultant now living in Rio de Janeiro, said that over the course of the events, her "relationship to Facebook changed entirely."

"It basically went from being a waste of time or procrastination tool, to my go-to source on up-to-date information," Abida wrote in a Facebook message to me. "My mom is back in Tunisia on her own, and my Tunisian network on Facebook was posting the most up-to-date info on what was happening on the ground. It was stuff the major media channels weren't reporting, such as numbers to call to reach the military and what was happening when in what specific neighborhood."

In between the scenes of local unrest and people like Abida, there was a whole stratum of bloggers, writers, and social media sharers who watched and shared important videos.

While clashes with security forces took place in the streets, Rim, who asked we not use her last name, was in her bed in her apartment in Tunis. Like the blogger cliché, Rim sat in her pajamas sharing videos. In her hands, small protests that reached 50 people could suddenly reach another 50, who would share it with another 50. The idea that it might be time for the regime to change spread from city to city faster than street protests and even middle class places got involved.

Rim doesn't think the Tunisian revolution was a "Facebook revolution," but it was sufficiently important that when rumors started to fly on the 13th about what kind of retaliation the government was prepared to take, it took this form:

"There were rumors that Facebook or electricity was going to be shut down," Rim IM'd me from Tunis. "Or both."

* * *

After more than ten days of intensive investigation and study, Facebook's security team realized something very, very bad was going on. The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook.

By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades. Sullivan and his team decided they needed a country-level solution -- and fast.

Though Sullivan said Facebook has encountered a wide variety of security problems and been involved in various political situations, they'd never seen anything like what was happening in Tunisia.

"We've had to deal with ISPs in the past who have tried to filter or block our site," Sullivan said. "In this case, we were confronted by ISPs that were doing something unprecedented in that they were being very active in their attempts to intercept user information."

If you need a parable for the potential and pitfalls of a social-media enabled revolution, this is it: the very tool that people are using for their activism becomes the very means by which their identities could be compromised. When the details are filled in on the abstractions of Clay Shirky and Evgeny Morozov's work on the promise (former) and danger (latter) of Internet activism, the ground truth seems to be that both had their visions play out simultaneously.

At Facebook, Sullivan's team decided to take an apolitical approach to the problem. This was simply a hack that required a technical response. "At its core, from our standpoint, it's a security issue around passwords and making sure that we protect the integrity of passwords and accounts," he said. "It was very much a black and white security issue and less of a political issue."

The software was basically a country-level keystroke logger, with the passwords presumably being fed from the ISPs to the Ben Ali regime. As a user, you just logged into some part of the cloud, Facebook or your email, say, and it snatched up that information. If you stayed persistently logged in, you were safe. It was those who logged out and came back that were open to the attack.

Sullivan's team rapidly coded a two-step response to the problem. First, all Tunisian requests for Facebook were routed to an https server. The Https protocol encrypts the information you send across it, so it's not susceptible to the keylogging strategy employed by the Tunisian ISPs.

The second technical solution they implemented was a "roadblock" for anyone who had logged out and then back in during the time when the malicious code was running. Like Facebook's version of a "mother's maiden name" question to get access to your old password, it asks you to identify your friends in photos to complete an account login.

They rolled out the new solutions to 100% of Tunisia by Monday morning, five days after they'd realized what was happening. It wasn't a totally perfect solution. Most specifically, ISPs can force a downgrade of https to http, but Sullivan said that Facebook had not seen that happen.

Though Sullivan is the unflappable type, the Tunisian situation seemed to force him into a bit of reflection. "When you step back and think about how Internet traffic is routed around the world, an astonishing amount is susceptible to government access," he noted.

And if governments around the world can, at least hypothetically, compromise users, it makes you wonder, as the Berkman Center's Jillian York has, why Facebook hasn't implemented special tools or processes for activists. The biggest issue is that political dissidents often do not want to use their real names in places where activism can get you killed. Facebook has adamantly opposed activists attempts to use pseudonyms.

"We get requests all the time in a few different contexts where people would like to impersonate someone else. Police wanting to go undercover or human rights activists, say," Sullivan said. "And we, just based on our core mission and core product, don't want to allow that. That's just not what Facebook is. Facebook is a place where people connect with real people in their lives using their real identities."

Does Facebook have to go the extra mile to support activists? Sullivan said that preliminary work has been done to create a special complaint reporting process for NGOs and other activists, a move that would address one long-time complaint.

More generally, though, Facebook certainly don't seem to be under any obligations to provide special treatment. But if Facebook really is becoming the public sphere -- and wants to remain central to people's real sociopolitically embedded lives -- maybe they're going to have to think beyond the situational technical fix. Facebook needs to own its position as a part of The Way the World Works and provide protections for political speech and actors.

Because the protests and overthrow of Ben Ali were just the beginning of this story. Hopes are high, but as we've seen so many times in the global south, the exit of one corrupt dictator usually means the entrance of another. To avoid that fate, politically active Tunisians will be using all of the tools at their disposal, including and maybe especially, Facebook. In fact, Rim said, it's already being used to debate how to create a new government and a better Tunisia.

Illustrations by Alex Hoyt.

This article available online at:

http://www.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how...

via theatlantic.com

Sunday Fun: How To Keep Up With the Latest News on Egypt : The Disciplined Investor

2011-01-30T16:50:00.001+01:00

Sunday Fun: How To Keep Up With the Latest News on Egypt

January 30, 2011

With all of the activity in Egypt, there I plenty of news to be found. Here is a list of some of the best ways that I gather information, with up to the minute updates.

Have a few to share? Apps perhaps? Add those to the comments area.

BBC Latest Updates

YouTube – Last Hour

Twitter

Mashable

Google News

CNN – iReports

Live Map of Tweets about Egypt

Updated Google Map of Protest Sites

Huffington Post Updated

Google REALTIME Cairo

Egypt’s Internet Traffic Updates

Breaking News Updates – Egypt

Haaretz Breaking News

Related Posts:
Sunday Fun: Chinese News Site – Good Stuff Here is a great way to keep up with news from China....

Sunday Fun: Google/Apple Phone War – Who Wins? Which one wins? Already Apple has won, but we are talking about...

Sunday Fun: Shove the Fish In – YUCK! Just some random weirdness for a Sunday. Visit msnbc.com for breaking news,...

Sunday Fun: Apple Contortionist Reception The Apple iPhone has been under attack for the poor planning on...

Sunday Fun: Sex Takes Backseat During Recession Well, it appears that the stats room is in high gear, looking...

Disclosure: This material is provided for information only and is not intended as a recommendation or an offer or solicitation for the purchase or sale of any security or financial instrument. This material is not a complete analysis of all material facts respecting any issuer, industry or security or of your investment objectives, parameters, needs or financial situation, and therefore is not a sufficient basis alone on which to base an investment decision. Horowitz & Company clients may hold positions (long or short) in investments discussed. Please click for detailed disclosures and additional information about our stock ratings and scoring.

Written by Andrew Horowitz · Filed Under Markets

-->
Comments

Login

This blog post

All blog posts

Subscribe to this blog post's comments through...

RSS Feed

Subscribe via email
Subscribe

Follow the discussion

Comments

Logging you in...

Close
Login with your OpenID

Or create an account using OpenID

Back
Cancel Login

Dashboard | Edit profile | Logout

Logged in as

There are no comments posted yet. Be the first one!

Post a new comment

Comment as a Guest, or login:

Login to IntenseDebate

Login to WordPress.com

Login to OpenID

Go back

Posting anonymously.

Tweet this comment

Submit Comment

--> Subscribe to

Comments by IntenseDebate

via thedisciplinedinvestor.com

OECD’s Cyber Report Misses Key Facts - Jeffrey Carr - Digital Dao - Forbes

2011-01-30T16:03:00.001+01:00

Image via Wikipedia

Professors Sommer and Brown wrote a paper for the OECD entitled “Reducing Systemic Cybersecurity Risk“. They sought to answer the question “How far could cyber-related hazards be as devastating as events like large-scale pandemics and the 2007-10 banking crisis?“. Their conclusion: “very few single cyber-related events have the capacity to cause a global shock.” The authors identify only two events that would qualify:

a successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol

a very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches.

It’s important to note that the professors have taken care to only address “pure” cyber war, not hybrid or multi-modal warfare where cyber is one component of a kinetic attack. Personally I think that greatly diminishes the value of the project because it ignores the evolving nature of cyber warfare, particularly as it has been conducted since late 2009 in favor of a theoretical academic exercise. And that’s really the crux of my problem with this report – it’s more “ivory tower” than “street” and while parts of their work are well-researched, other parts show little to no research at all. Here are a few of their biggest flaws.

- Reasons given for why there will never be a true cyber war:

(1) many critical computer systems are protected against known exploits and malware so that designers of new cyberweapons have to identify new weaknesses and exploits;

(2) the effects of cyberattacks are difficult to predict

(3) there is no strategic reason why any aggressor would limit themselves to only one class of weaponry.

I can’t imagine any Information Security professional accepting (1) as valid. In fact, the notion that USCYBERCOM, Israel’s Unit 8200, and Germany’s Bundeswehr’s Strategic Reconnaissance Unit would throw up their hands in the face of “having to identify new exploits and weaknesses” is utterly laughable.

The author’s point (2) could work both ways.

And point (3) as it applies to cyber warfare, makes me wonder if the authors consulted with any military strategists in writing this report, particularly Western military officers who read Sun Tzu:

The skillful leader subdues the enemy’s troops without any fighting; he captures their cities without laying siege to them; he overthrows their kingdom without lengthy operations in the field.”

There are many strategic reasons for achieving the objectives of a war without the enormous costs incurred through massive destruction of the enemy’s infrastructure, work force, and economic base. Operations against an adversary state conducted in cyberspace may be one of the few ways to achieve that goal.

- Analysis Of The Likelihood Of Cyber-Related Events

Appendix 1 of the report lists tables which “illustrate feasible cyber-related events and analyses them for likelihood, duration and propagation”. Here are a few examples provided by the authors:

Event: “Zero day fundamental flaw in popular operating system”

Likely Duration/Recovery Factors – immediate: “News of the exploit would appear within 24-48 hours, together with initial (and probably partial) advice on evasion. A fuller remedy might take 7 or more days and would be in the form of a patch. Advice would need to be disseminated about acquiring and applying the patch safely.”

Potential For Global Impact: Low

There are so many exceptions to this statement that I hardly know where to begin. US CERT gives vendors 45 days to fix a publicly disclosed vulnerability whereas Google has set their number at 60 days. Stuxnet is a great example of how long patching critical vulnerabilities can take. The .LNK vulnerability had been known since November 2008 while the patch came out in August, 2010. The print spooler exploit used by Stuxnet was first known in April 2009 while the patch was released in September 2010. The Privilege Escalation Via Task Scheduler vulnerability went un-patched until Dec 14, 2010.

Another important factor not addressed by Summer and Brown is that companies don’t immediately push patches released by Microsoft onto their networks. They have to be tested first to ensure that it doesn’t break anything and that can take another month or longer. Bottom line- this event’s entire “proof” by the authors needs to be thrown out.

Event: “Large Scale Failure Of Electricity Supply”

Likely Duration/Recovery Factors – immediate: “Electricity is usually supplied via a grid so that some service can be restored in hours. More remote locations may have to wait days, but not much longer.”

Potential For Global Impact: Low

This one category of risk was grossly under-researched. It made me wonder if the authors had ever personally experienced living in a region without power for two days or more. “Low impact” is not what immediately comes to mind for those times when my neighbors and I have endured that experience. Even worse, however, is that the authors didn’t address the more serious risks posed by the rapid implementation of the Smart Grid.

David Baker wrote the following assessment in his article “Making A Secure Smart Grid A Reality” for the Journal of Energy Security:

If a truly malicious worm were to infect meters in a given area, there would be a best- and a worst-case scenario. Under the best-case scenario, the utility would simply push a firmware update across the standard wireless network to all the affected meters, overwrite the worm, and return the meters to normal operation. This assumes the attacker had not damaged the remote flashing capabilities, changed the frequency on which the meter operates, or changed the calibration of the meter.

Unfortunately, during malicious attacks the worst-case scenario is more likely to be true. In this case, the normal wireless update mechanisms would no longer be intact, or the calibration of the meters would have been changed. If meters supported remote disconnect capability they could be instructed to simultaneously or individually disconnect service to customers’ homes. To return power to affected homes, the utility would need to take time to understand the vulnerability and develop a patch. Then the utility would need to physically repair or replace each meter to return it to normal operation. Restoring power to homes would likely be an expensive and long process, detrimental to the utility and frustrating to the costumers.

CONCLUSION

Call it what you will, cyber operations with hostile intent are being conducted every day while cyber warfare tactics, techniques, and procedures are being researched, drafted, debated, and implemented by both developed and developing nation states. Summers and Brown really bit off more than they could chew with this research project. A proper evaluation of just the impact of attacking the vulnerabilities present in Smart Grid technology and its potential global effects would have been a much wiser investment of their time and OECD’s budget. In my opinion, this paper did not answer the question assigned to it. It’s a Fail.

via blogs.forbes.com

How Egypt did (and your government could) shut down the Internet

2011-01-30T12:29:00.001+01:00

via arstechnica.com

Unremote Security » Kaspersky Antivirus Source code leak (KAV 8 – 2009)

2011-01-30T11:31:00.001+01:00

So the rumor i post months ago on twitter was right , kaspersky antivirus source code were leaked :/ , i take a quick look on the source and it seems legit and to be Kaspersky 2009 Edition by the design sheets on it.

To compile it is recommended you to use Visual Studio C++ 2008 , i try with VC2010 its kinda hard.

I will not host the source in one of my web servers then i give you a torrent link

Have fun .
Size uncompressed : ~1Gb
Size zipped : ~300Mo

btw i recommend people to use Bitdefender instead of KAV , Bitdefender rox

Download

if for a legal issue i must delete this thread then i’m waiting for a mail with a copy of the law that saying “it is illegal to post a torrent containing the source code of a private app that wasn’t leaked by me but by an ex employee years ago ”
Here is my mail : DarkCoderSc@Unremote.org

Get Shareaholic for Firefox

via unremote.org

What you didn’t know about Nintendo | The Best Article Every day

2011-01-30T11:20:00.001+01:00

via bspcn.com

Exclusive: Tunisia Internet Chief Gives Inside Look at Cyber Uprising | Danger Room

2011-01-29T22:42:00.001+01:00

A security guard stands outside a Tunisian Internet Agency. Photo: Mikel Ayestaran

TUNIS, Tunisia –- When Zine El Abidine Ben Ali’s dictatorship began unraveling here last month amid violent street protests, Tunisia’s internet administrators saw a massive spike in the number of sites placed on government block lists. But, in contrast to the embattled Egyptian government, the Ben Ali regime never ordered internet and cellphone communications shut off or slowed down, the head of the Tunisian Internet Agency says.

“I think Ben Ali did not realize where the situation was going or that he could be taken down,” Tunisian Internet Agency (French initials: ATI) director Kamel Saadaoui tells Wired.com. “Maybe if he had known that, he would have cut the internet. But the number of blocked sites did grow drastically when the revolution started. They were trying desperately to block any site that spoke about Sidi Bouzid. In a few weeks the number doubled.”

Egypt’s blackout, confirmed Thursday by internet-monitoring company Renesys, shut down four out of five of the country’s ISPs, with one connection left open to Noor Group, which hosts the Egyptian stock exchange, Rensys reported. The move signals an unprecedented clampdown on communications as activists, apparently inspired by Tunisia’s successful uprising, are taking to the streets in massive numbers.

During its 15-year existence, the ATI had a reputation for censoring the internet and hacking into people’s personal e-mail accounts. All Tunisian ISPs and e-mail flowed through its offices before being released on the internet, and anything that the Ben Ali dictatorship didn’t like didn’t see the light of day.

Saadaoui, its director of three years, complains that the perception of the ATI as an oppressive cyber-nanny is undeserved. He was just following the regime’s orders, he insists. Now that the government has changed, he’s following those new policies, helping open up Tunisian internet access as never before.

“We are computer and electronic engineers, not policemen,” Saadaoui says at his office in the ATI headquarters, a handsome, white bungalow near Pasteur Square in a high-end neighborhood of Tunis. “We don’t check e-mail and we don’t filter websites, even though we have filtering engines on our network. We run the engines technically, but we don’t decide to block your blog. We don’t even know you have a blog.”

‘It’s useless to block. Whatever we do, there are ways to get around it.’

“But,” he adds, “we give access to these engines to other institutions that have been mandated by the government to choose which websites should be blocked. They have the gateway that has all the mail to be read.”

In other words: don’t blame us. We just work here.

Saadaoui described the governmental oversight of the internet as an encrypted interface built and maintained by the ATI. Only the government can manipulate it.

“We gave them an interface where they can go in and add anything they want to block,” he says. “We don’t even know what they were banning because the list is encrypted. We can only see the number of blocked sites and some other technical aspects, such as CPO load, how much traffic … things like this. Sometimes we learn about the blocked sites when people call in and ask why their blog has been blocked. Then we know.”

At first, the regime banned around 300 websites, but as internet use grew throughout the country –- from 1 percent of the population in 2000 to 37 percent as of last November –- the blacklist bloated to more than 2,000. When the government started going after proxies, Saadaoui said, the number jumped to many thousands. He estimated that around a thousand of the blocked sites were political, and the rest were proxies.

The revolution began Dec. 17 in the central Tunisian town of Sidi Bouzid, when 26-year-old fruit vendor Mohammed Bouazizi set himself on fire to protest the humiliating tactics of local officials. The suicide jolted Tunisians. They began to protest in the streets — and clash with police.

Around 100 people died throughout the country. The media, controlled by Ben Ali’s advisers, reported only that criminals were looting.

But videos of the protests, riot police and their victims appeared on Facebook, and bloggers began reporting the daily events with first-hand accounts, photographs and videos. This information helped drive the uprising, and the government responded by allegedly hijacking Tunisian Facebook passwords.

At the same time, hackers began to attack the Tunisian government’s control over the internet. They bombed the ATI’s DNS and website, and tried to bomb the e-mail centipede gateway. The National Computer Security Agency — which fights hacking, phishing, viruses and fraud — took on the activists who tried to overload government websites with distributed denial-of-service attacks.

“When the hackers did DDOS they did a good job, and Anonymous did a good job,” Saadaoui says, smiling. “But not on everything. They weren’t able to take down the DNS, they weren’t able to take down the main servers or the network, but they were able to DDOS websites. They were able to bomb Ben Ali’s website.”

Open, But Uncertain, Future

Since Ben Ali fled the country Jan. 14, the transitional government has removed several restrictions on internet use while the 60-person ATI aims to focus on tasks more befitting an internet regulator: providing bandwidth and IP numbers, DNS management, IP addresses, research and development, electronic commerce, and web hosting. The agency is also the ISP for all public institutions.

How the dictator-less Tunisia will rebuild its internet architecture is still being discussed, Saadaoui says. But one optimistic sign is that 33-year-old blogger and activist Slim Amamou, who was arrested during the revolt, is now the secretary of state for youth and sports. The Ministry of Communications and Technology has announced that anyone who has a SMTP server can have direct access to the internet without going through the governmental post office.

The interface that allows the government to block sites, however, still exists. Saadaoui promises that it will be used only to block pornography, child pornography, nudity and “hate,” using URL classifiers.

“The new government told us to keep the filtering engines where they are and to allow them to add categories that they don’t like,” Saadaoui says. “The difference now is that they will ask a judge to approve the filtering. The problem is not filtering, the problem is who filters and based on what law. Before, people would filter without applying the law, and now we will filter with a judicial mandate. And the current mandate is to block pornography, pedophilia, nudity and hate.”

Many Tunisians, such as Amamou and the hackers who fought the ATI during the revolution, prefer a completely open internet. Saadaoui disagrees. He says the current filters are necessary on a political level: “The limits are symbolic. It’s a message from the government that we are a Muslim and conservative society and that we would appreciate if you didn’t go to these [filtered] sites.

Besides, Saadaoui says, everyone knows how to sidestep the restrictions, anyway.

“Tunisia has a lot of young, open people who know how to go around filters via hotspot proxies,” he says. “So really it’s useless to block. Whatever we do, there are ways to get around it.”

See Also:

Tweeting Tyrants Out of Tunisia: Global Internet at Its Best

U.S. Had Helo Deal With Ousted Tunisian Dictator

Nuke Watchdog Wants to Lead Egypt Revolt. No, Really

Egypt’s Internet Shutdown Can’t Stop Mass Protests

What’s Fueling Mideast Protests? It’s More Than Twitter

via wired.com

20 Of The Funniest Exam Answers Of All Time

2011-01-28T17:57:00.001+01:00

via nedhardy.com

No Hacker Left Behind - Forbes.com

2011-01-28T17:34:00.001+01:00

Alan Paller's plan to defend America's cyber-infrastructure: Teach our kids to think like thieves.

via forbes.com

Low-cost SSL proxy could bring cheaper, faster security; defeat threats like Firesheep - Computerworld

2011-01-28T17:25:00.001+01:00

Based on an algorithm devised by researchers in Korea and the U.S., SSLShading is software that directs SSL traffic being proxied either to a CPU or a graphics processing unit (GPU), whichever is most appropriate to handle the current load. The researchers will discuss the algorithm in their paper "SSLShader: Cheap SSL Acceleration with Commodity Processors."

via computerworld.com

CHART OF THE DAY: Here's How Much A Unique Visitor Is Worth

2011-01-28T17:15:00.001+01:00

via businessinsider.com

Bastard child of SpyEye/ZeuS merger appears online • The Register

2011-01-25T15:34:00.001+01:00

Bastard child of SpyEye/ZeuS merger appears online

via theregister.co.uk

Toshiba's Android 3.0 tablet has swappable battery - News - Linux for Devices

2011-01-24T21:08:00.001+01:00

Toshiba launched a preview website for its 10.1-inch, "Toshiba Tablet," which runs Android 3.0 on an Nvidia Tegra 2 processor, and offers dual cameras and a swappable battery. Meanwhile, Motorola's rival Xoom Android 3.0 tablet will go on sale at Best Buy on Feb. 17, and will be offered by Verizon Wireless for a pricey $799 without a contract, say reports.

via linuxfordevices.com

Book Review - Alone Together - By Sherry Turkle - NYTimes.com

2011-01-24T12:49:00.001+01:00

In Turkle’s latest book, “Alone Together,” this optimism is long gone. If the Internet of 1995 was a postmodern playhouse, allowing individuals to engage in unbridled expression, Turkle describes it today as a corporate trap, a ball and chain that keeps us tethered to the tiny screens of our cellphones, tapping out trite messages to stay in touch. She summarizes her new view of things with typical eloquence: “We expect more from technology and less from each other.

via nytimes.com

Mantra - Free and Open Source Browser based Security Framework

2011-01-24T12:37:00.001+01:00

Mantra is a dream that came true. It is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers, security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software. Mantra is a security framework which can be very helpful in performing all the five phases of attacks including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted for web developers and code debuggers which makes it handy for both offensive security and defensive security related tasks.

Mantra is lite, flexible, portable and user friendly with a nice graphical user interface. You can carry it in memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on to your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

via getmantra.com

NewsGrange » Hacker Shows It Doesn’t Take $8 Million to Clone Qwiki – Just 321 Lines of HTML Will do the Trick

2011-01-23T22:48:00.001+01:00

In the source code, the developer clearly references that the reason for this project was to show how easy it is to implement the basic functionality of Qwiki: “This code is not pretty, but it doesn’t need to be. It’s only been 6 hours, but based on funding patterns I should be able to raise a few million off of this .” The first demo of Fqwiki you see after opening the site is its rendition of the Wikipedia entry for “snake oil.”

via newsgrange.com

Index of /~greg/stackoverflow/ebooks

2011-01-23T22:46:00.001+01:00

These books contain the top questions from a selection of the top tags on Stack Overflow. The top questions include those with a score of 10 or greater (except in the case of a high volume tag like c#). I have to limit the number of questions in each book because of the poor O(n²) performance of kindlegen.

via hewgill.com

DROMORAMA | metti (che) in moto un dromomane

2011-01-21T23:10:00.001+01:00

È ufficiale: mi son beccato il virus del viaggio, a tal punto che mi è venuta la malsana idea di provare a camparci con questa attività. Dromorama nasce non solo con l’intenzione di documentare e condividere i miei viaggi ma anche come motivatore a farne ancora di più: insomma pare un paradosso ma più mi seguite, più io viaggio.

via dromorama.com

Violent Penguins - The Daily WTF

2011-01-21T23:07:00.001+01:00

via thedailywtf.com

Ballpoint Pen review | PDA-247

2011-01-21T23:04:00.001+01:00

In summary, I would happily recommend this pen to anyone who is planning on writing on paper. If you are considering a writing implement for some other surface such as writing on a CD, or other non-porous substances then another pen might be better suited, but if it’s just plain old paper then I think you will probably be well served by this particular model

via pda-247.com

IT instratructure needs to be resilinent, because it can't be invulnerable, former DOD official says -- Government Computer News

2011-01-20T10:28:00.001+01:00

via gcn.com

Stuxnet not such a masterpiece after all? - The H Security: News and Features

2011-01-20T10:27:00.001+01:00

Some security specialists are now questioning whether Stuxnet is really as much of a masterpiece of malware programming as it has been made out to be. Although it combines a lot of knowledge from a range of disciplines, they believe that the implementation was sloppy. Security web site Threatpost, for example, cites security specialist Tom Parker. Parker believes that the worm's command and control mechanism was poorly implemented, since it sent data traffic in unencrypted form. He also points out that the worm spread via the web, which resulted in uncontrolled infection of systems other than the actual target.

Parker believes that a range of groups must have worked on the worm, and that a highly talented group must have programmed the exploits and the code for modifying control systems. A less talented group may then have added the functionality for getting the malware to its target. The quality of the Stuxnet code is reported to be low and it is said to omit modern methods for hiding on infected systems and preventing analysis by anti-virus vendors.

Security specialist Nate Lawson expresses similar views . Although Stuxnet includes some obfuscation techniques and installs a rootkit, Lawson notes that this does not make it any different from any other recent worm. Contrary to a recent report by the New York Times, Lawson even expresses the hope that the US was not involved in writing the worm. He adds that he hopes that digital weaponry developers have a little more up their sleeves than tricks used by Bulgarian teenagers to disguise viruses back in the '90s.

Parker and Lawson both come to the conclusion that the worm's authors probably just did not have enough time to improve the code and its obfuscation. However, many of the comments on Lawson's blog express the view that Stuxnet simply did not have any need for sophisticated camouflage techniques and point out that it took anti-virus specialists Siemens, and SCADA experts, months to discover and understand Stuxnet even without these mechanisms.

See also:

Report: Stuxnet code being sold on black market, a report from The H.
Stuxnet worm can control industrial systems, a report from The H.

(crve)

via h-online.com

Stuxnet Authors Made Several Basic Errors | threatpost

2011-01-19T16:58:00.001+01:00

In a talk at the Black Hat DC conference here Tuesday, Tom Parker, a security consultant, presented a compelling case that Stuxnet may be the product of a collaboration between two disparate groups, perhaps a talented group of programmers that produced most of the code and exploits and a less sophisticated group that may have adapted the tool for its eventual use. Parker analyzed the code in Stuxnet and looked at both the quality of the code itself as well as how well it did what it was designed to do, and found several indications that the code itself is not very well done, but was still highly effective on some levels.

via threatpost.com

Honey Bee Extinction | The Big Picture

2011-01-19T16:57:00.001+01:00

via ritholtz.com

Unhackable data in a box of bacteria: Future of InfoSec? - Computerworld Blogs

2011-01-19T16:56:00.001+01:00

Unhackable data in a box of bacteria: Future of InfoSec?

via blogs.computerworld.com

Autonito, Automatically Open Domains In Google Chrome’s Incognito Mode

2011-01-17T21:26:00.001+01:00

via ghacks.net

Royal Pingdom » Internet companies with few employees but millions of users

2011-01-17T19:09:00.001+01:00

Can you imagine a traditional, “offline” company managing these kinds of user numbers with a moderate number of employees? Probably not, right? These numbers only really become possible in the economy that the Internet and the World Wide Web has given us. It’s a true gift to all those tech-savvy entrepreneurs out there. You can accomplish great things with just a small team.

via royal.pingdom.com

Israel and US fingered for Stuxnet attack on Iran • The Register

2011-01-17T19:06:00.001+01:00

The US and Israel jointly developed the infamous Stuxnet worm before using the sophisticated malware to sabotage key components of Iran's controversial nuclear program, according to an investigation by the New York Times.

via theregister.co.uk

Was Stuxnet a joint US-Israeli project? - The H Security: News and Features

2011-01-17T19:05:00.001+01:00

It has long been clear that a lot of grey matter was exercised in creating Stuxnet. It is equally clear that the highly expert team behind the worm was not simply showing off Windows exploits on Siemens manufacturing control systems, but intended to destroy centrifuges used for uranium enrichment.

A New York Times report has now collected together a range of evidence which suggests that experts from the US and Israel worked together to develop Stuxnet over a two year period. Siemens is also reported to have unwittingly assisted them, in that the company collaborated with a US Department of Energy research institute on a programme for protecting against cyber-attacks. The security vulnerabilities uncovered during this programme were then utilised in developing the worm.

The fastidiousness with which the developers tailored Stuxnet to the Iranian enrichment facility in Natanz is also interesting. The New York Times quotes German security specialist Ralph Langner, whose analysis of the code showed that Stuxnet was targeted at a network of exactly 984 machines – precisely the number, according to nuclear experts – disabled in summer 2009.

Langner credits Stuxnet with two mechanisms of action: firstly it deregulates the centrifuges so that they run to destruction and secondly it delivers fake sensor data to the control panel to give the impression that everything is running normally.

From the precision with which the worm performed its function, many experts conclude that Israel must also have been involved, drawing the conclusion that live tests must have been carried out. All indications point towards Israel's Dimona project in the Negev desert, which includes a uranium enrichment facility, as the test site. All of this is of course strictly confidential and deniable – likewise US and Israeli involvement in creating Stuxnet. But, reports the newspaper, none of the American or Israeli experts were able to suppress a proud grin when noting that Iran's nuclear programme has been put back to at least 2015.

(crve)

via h-online.com

Tor project releases update to close critical hole - The H Security: News and Features

2011-01-17T19:04:00.001+01:00

via h-online.com

Cyberwar hype is obscuring real security threats • The Register

2011-01-17T19:03:00.001+01:00

The ill-informed leading the ill-informed...

via theregister.co.uk

More corruption = more collapse in earthquakes - Holy Kaw!

2011-01-14T15:28:00.001+01:00

More corruption = more collapse in earthquakes

via holykaw.alltop.com

Ultimate Bashrc File GNOME-Look.org

2011-01-14T14:13:00.003+01:00

For those who love using the terminal, here is a '.bashrc' file I created, mainly for those who've had issues with their own. Hopefully it'll benefit those of whom love aliases, functions, and such. Probably more than you need, so modify all you want. I've organized it best I can to make it easier for using and modification. This is also for those many who've had a difficult time finding a good source for their own on the net, like it was for me.

via gnome-look.org

Intel showering employees with 4X bonuses | VentureBeat

2011-01-14T14:13:00.001+01:00

Intel is giving four times the usual bonuses for its employees thanks to its record year with $43 billion in revenues. The company is also paying its workers the equivalent of 3 extra days of work on top of that.

via venturebeat.com

Wikileaks volunteer detained and searched (again) by US agents - Boing Boing

2011-01-14T11:42:00.001+01:00

via boingboing.net

John F. Kennedy Presidential Library & Museum

2011-01-14T11:32:00.001+01:00

via jfklibrary.org

Porn Worm Extorts Money From 2,500 Victims - PCWorld

2011-01-14T11:24:00.001+01:00

Porn Worm Extorts Money From 2,500 Victims

via pcworld.com

Saying Image 111312

2011-01-13T22:17:00.001+01:00

via sayingimages.com

Minimum Route Finder Using Dijkstra Algorithm

2011-01-13T15:56:00.003+01:00

Minimum Rout Finder Using Dijkstra Algorithm

via students.ceid.upatras.gr

The Philter Lounge

2011-01-13T15:56:00.001+01:00

via thephilterlounge.com

What is my IPv6 Address?

2011-01-13T15:55:00.001+01:00

Check out this website I found at ip6.me

Mirror of GeoHot's PS3 Jailbreak

2011-01-13T14:22:00.001+01:00

via cs.cmu.edu

Microsoft sucks open source into its WebMatrix • The Register

2011-01-13T11:53:00.001+01:00

Microsoft sucks open source into its WebMatrix

via theregister.co.uk

SmuSec: Announcing Ruminate IDS

2011-01-13T11:40:00.001+01:00

Post a Comment

via smusec.blogspot.com

keys open doors

2011-01-13T11:37:00.001+01:00

erk: C0 CE FE 84 C2 27 F7 5B D0 7A 7E B8 46 50 9F 93 B2 38 E7 70 DA CB 9F F4 A3 88 F8 12 48 2B E2 1B
riv: 47 EE 74 54 E4 77 4C C9 B8 96 0C 7B 59 F4 C1 4D
pub: C2 D4 AA F3 19 35 50 19 AF 99 D4 4E 2B 58 CA 29 25 2C 89 12 3D 11 D6 21 8F 40 B1 38 CA B2 9B 71 01 F3 AE B7 2A 97 50 19
  R: 80 6E 07 8F A1 52 97 90 CE 1A AE 02 BA DD 6F AA A6 AF 74 17
  n: E1 3A 7E BC 3A CC EB 1C B5 6C C8 60 FC AB DB 6A 04 8C 55 E1
  K: BA 90 55 91 68 61 B9 77 ED CB ED 92 00 50 92 F6 6C 7A 3D 8D
Da: C5 B2 BF A1 A4 13 DD 16 F2 6D 31 C0 F2 ED 47 20 DC FB 06 70

~geohot
props to fail0verflow for the asymmetric half
no donate link, just use this info wisely
i do not condone piracy
I made a video
it's jailbreak time
open the zip, you know how to install
3.55 only
would be pirates, don't waste your time
do not mirror file, link to geohot.com
no donations accepted right now, don't get scammed
homebrew signing source
make_self_npdrm makes valid NPDRM selfs from elfs
it does not contain any info on decrypting or removing NPDRM
NPDRM is required for interoperability of our homebrew applications
package_finalize turns your debug packages into psuedoretail packages
psuedoretail packages install on a geohot jailbroken PS3
i'm excited to see what you will create
open source SDK @ PSL1GHT

via geohot.com

«Un faccino tondo e un nasetto da bambola» » Piovono rane - Blog - L'espresso

2011-01-12T22:38:00.001+01:00

via gilioli.blogautore.espresso.repubblica.it

Globish Home - Globish.com

2011-01-12T22:37:00.001+01:00

Globish allows you to:

Communicate in English, using only 1500 words.

Employ simple, but standard grammatical structure.

Learn enough pronunciation and spelling for 1500 words only.

Provide a tool for leading a conversation in business or as a tourist, anywhere in the world.

via globish.com

Venerable Rustock Botnet Is Spamming Again - Darkreading

2011-01-12T22:36:00.001+01:00

Venerable Rustock Botnet Is Spamming Again

via darkreading.com

10 Questions for John Gruber Regarding H.264, WebM

2011-01-12T22:35:00.001+01:00

10 Questions for John Gruber Regarding H.264, WebM

via osnews.com

Debunking The Myth That Wikileaks Cable Leaks Haven't Been Important | Techdirt

2011-01-12T22:33:00.001+01:00

Debunking The Myth That Wikileaks Cable Leaks Haven't Been Important

via techdirt.com

Bogus Kama Sutra presentation opens your backdoor to hackers • The Register

2011-01-12T22:32:00.003+01:00

Bogus Kama Sutra presentation opens your backdoor to hackers

via theregister.co.uk

Schneier on Security: Attacking High-Frequency Trading Networks

2011-01-12T22:32:00.001+01:00

Turns out you can make money by manipulating the network latency.

via schneier.com

ZORG

2011-01-12T21:16:00.001+01:00

Zorg is an implementation of the ZRTP protocol. ZRTP is an in-band key exchange protocol for SRTP, based on either the Diffie–Hellman (D–H) or the elliptic curve Diffie–Hellman (ECDH) algorithms, with Man-in-the-Middle protection based on human voice recognition.
Coupled with an SRTP implementation, Zorg provides VoIP security with Diffie–Hellman (up to 3072 bits) or elliptic curve Diffie–Hellman (up to 384 bits) for key exchange, AES (up to 256 bits) for confidentiality and HMAC-SHA1 for authentication.
Zorg implementations are developed in cross-platform C++ language and Java language in order to run on most mobile phones and all desktop platforms.

via zrtp.org

Kama Sutra malware threatens to put Windows users in awkward position

2011-01-12T21:11:00.001+01:00

Kama Sutra malware threatens to put Windows users in awkward position

via networkworld.com

Google To Drop Support For H.264 In Chrome - Slashdot

2011-01-12T21:10:00.001+01:00

This serves two strategic purposes for Google. First, it advances a codec that's de facto controlled by Google at the expense of a codec that is a legitimate open standard controlled by a multi-vendor governance process managed by reputable international standards bodies. ("Open source" != "open standard".) And second, it will slow the transition to HTML5 and away from Flash by creating more confusion about which codec to use for HTML5 video, which benefits Google by hurting Apple (since Apple doesn't want to support Flash), but also sucks for users.
It is, in other words, a thoroughly nasty bit of work. It's not quite as bad as selling consumers down the river to Verizon on 'net neutrality, but it's close. And if Google is actually successful in making WebM, not H.264, the standard codec for web video, they're literally going to render hundreds of billions of dollars worth of tablets, smartphones, set-top boxes, etc. with H.264 hardware support obsolete.
"But wait!", the OSS fans are saying. "Isn't Google really standing up for freedom and justice, because H.264 requires evil patent licensing?"
No. Expert opinion [multimedia.cx] is that WebM infringes on numerous patents in the H.264 pool, and will need a licensing pool of its own to be set up, just like Microsoft's VC-1 did. So the patents are a wash. This is Google manipulating the market entirely for selfish advantage here, and it's all the worse because they're pretending otherwise. And it's going to be really frustrating watching people fall for it.

via tech.slashdot.org

Researcher cracks Wi-Fi passwords with Amazon cloud • The Register

2011-01-12T14:58:00.001+01:00

Researcher cracks Wi-Fi passwords with Amazon cloud

via theregister.co.uk

AccaPì? at Quasi.dot

2011-01-11T23:27:00.001+01:00

Ci sono cose che capitano un po’ per caso. Prima un vecchio pdf ritrovato sistemando vecchi backup, poi qualche discorso più o meno casuale e qualche nota presa al volo. Alla fine ho deciso che poteva essere una buona scusa per iniziare a scrivere anche nel 2011, visto che il blog langue.

Ne hanno scritto, parlato e ci hanno pure fatto su una campagna pubblicitaria nel 1999. Le regole del garage di HP continuano a piacermi tanto e continuo ad associarle a quella Silicon Valley che è certo più nei miti e nei racconti mitizzati che in altro.

Se volete leggerne velocemente consiglio: BusinessWeek, Forbes o una ricerca su Google. Che poi è solo un’altra grande storia, come quella che si racconterà tra qualche tempo intorno all’azienda che diceva “Don’t be evil”. Storie che mi piace sentir raccontare, leggere e non dimenticare, indipendentemente da quanto siano attuali o vere.

via afhome.org

Testing posting :-)

Firm Voting Tier

† Hunton & Williams 1

† Morrison & Foerster 2

† Foley & Lardner 2

† Privacy & Information Management Services 2

‡ Samet Privacy 2

† Hogan Lovells 2

‡ PricewaterhouseCoopers 2

‡ Ernst & Young 2

† Covington & Burling 2

‡ Corporate Privacy Group 3

‡ Deloitte & Touche 3

‡ Rebecca Herold & Associates 3

† Wiley Rein 3

IAPP 3

† Infolaw Group 3

Ponemon Institute
Mirror of GeoHot's PS3 Jailbreak
January 11, 2011:
Our friends at Sony are having another bad day: i.e., doing something breathtakingly stupid, presumably because they don't know any better. This time they're suing George Hotz for publishing PS3 jailbreak information, as reported by EnGadget, Attack of the Fan Boy, and inevitably, Slashdot. Hotz's jailbreak allows PS3 owners to run the software of their choice on a machine they have legally purchased. His site is geohot.com.
Free speech (and free computing) rights exist only for those determined to exercise them. Trying to suppress those rights in the Internet age is like spitting in the wind.
We will help our friends at Sony understand this by mirroring the geohot jailbreak files at Carnegie Mellon.

GeoHot Mirror
Click here for usage instructions.
Note to Sony lawyers: no doubt you're eager to rack up another billable hour by sending legal threats to me and my university. Before you go down that unhappy road, check out what happened the last time a large corporation tried to stop the mirroring of technical information here: The Gallery of CSS Descramblers. Have you learned anything in ten years?
A reader points out that jailbreaking the iPhone is legal in the US thanks to the efforts of the Electronic Frontier Foundation. What bearing this has on the PS3 controversy remains to be seen.
Update: My light-hearted use of the editorial "we" above should not mislead anyone into thinking that I an speaking on behalf of Carnegie Mellon. On all my personal web pages hosted by CMU, including this page, I speak only for myself, as does every other faculty member. We have a PR department whose job is to speak for the university.

Firm	Voting Tier
† Hunton & Williams	1
† Morrison & Foerster	2
† Foley & Lardner	2
† Privacy & Information Management Services	2
‡ Samet Privacy	2
† Hogan Lovells	2
‡ PricewaterhouseCoopers	2
‡ Ernst & Young	2
† Covington & Burling	2
‡ Corporate Privacy Group	3
‡ Deloitte & Touche	3
‡ Rebecca Herold & Associates	3
† Wiley Rein	3
IAPP	3
† Infolaw Group	3
Ponemon Institute	Mirror of GeoHot's PS3 Jailbreak January 11, 2011: Our friends at Sony are having another bad day: i.e., doing something breathtakingly stupid, presumably because they don't know any better. This time they're suing George Hotz for publishing PS3 jailbreak information, as reported by EnGadget, Attack of the Fan Boy, and inevitably, Slashdot. Hotz's jailbreak allows PS3 owners to run the software of their choice on a machine they have legally purchased. His site is geohot.com. Free speech (and free computing) rights exist only for those determined to exercise them. Trying to suppress those rights in the Internet age is like spitting in the wind. We will help our friends at Sony understand this by mirroring the geohot jailbreak files at Carnegie Mellon. GeoHot Mirror Click here for usage instructions. Note to Sony lawyers: no doubt you're eager to rack up another billable hour by sending legal threats to me and my university. Before you go down that unhappy road, check out what happened the last time a large corporation tried to stop the mirroring of technical information here: The Gallery of CSS Descramblers. Have you learned anything in ten years? A reader points out that jailbreaking the iPhone is legal in the US thanks to the efforts of the Electronic Frontier Foundation. What bearing this has on the PS3 controversy remains to be seen. Update: My light-hearted use of the editorial "we" above should not mislead anyone into thinking that I an speaking on behalf of Carnegie Mellon. On all my personal web pages hosted by CMU, including this page, I speak only for myself, as does every other faculty member. We have a PR department whose job is to speak for the university.