Messages

I'm not sure I've ever touched the right shift key on my keyboard. I can't type numbers.

I'm not sure if you're all aware, but the Authors of the Shellcoders Handbook are releasing a revised edition with some (apparently %40) new material in April, 2007.

"# New material addresses the many new exploitation techniques that have been discovered since the first edition, including attacking "unbreakable" software packages such as McAfee's Entercept, Mac OS X, XP, Office 2003, and Vista
# Also features the first-ever published information on exploiting Cisco's IOS, with content that has never before been explored
"

I thought it sounded interesting, anyways.

So yea, I was just thinking I should probably append some sort of a link.

http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/sr=8-2/ref=pd_bbs_2/102-1326124-1044129?ie=UTF8&s=books

Did you see this yet ? HDM is planning on releasing kernel mode exploits (via poor 802.11b proto implementation) in the next Metasploit release...

http://www.eweek.com/article2/0,1895,2040914,00.asp

I think that's getting a little bit unnecessary. It's one thing to develop tools that make operating in a specialized field (pen testing) more effective/efficient, it's another to release point-and-click, easy-to-use exploits to the public. Sure we need trained people who can (and should) perform pen testing so we can all be ensured by secure data networks. To make an analogy, we also need trained government soldiers to protect from global threats. It doesn't mean the tools/training provided for the trained soldier should be widely available to every Jon, Dick, and Harry who feels like becoming a lethal weapon. Compsec IS important, HDM is correct there. But that's all the more reason an individual  should have to perform the necessary training before they know how to operate within the field.

There are many industries that practice a sense of confidentiality in the tools that are deemed 'sensitive' in the hands of the masses. A Doctor would be severely chastised for releasing the tools to create a potentially harmful virus and thoroughly publishing and documenting usage. It's interesting how such a similarly parallel situation can sway so far to the other side of the moral spectrum.

Or, should engineers widely distribute sensitive information regarding our aeroplanes, along with very specific, detailed, step-by-step HOW-TOs on how to circumvent the security features? They'd be doing us a favor by allowing us to know how insecure the system is, and letting us choose for ourselves. Awareness, right? And in HDMs case, not only is the engineer releasing the information to create awareness (which is a highly questionable practice), he's handing over the tools needed to exploit the insecurities to the general public. There just isn't a good reason for that.


As far as I'm concerned, he's personally/corporately irresponsible.

A getopt() exploit would present more alluring targets than the ping binary.

I'm looking at buying a laptop. Any suggestions on good vendors, where to buy, etc ? I know very minimal amounts about laptops. Price isn't my principal concern. I'm willing to pay reasonably more for quality. I plan on running Slackware linux on it. Any input appreciated.

x86] link=topic=7013.msg87510#msg87510 date=1155636975]
I'm not indirectly implying that Windows is better *because* it has marketshare.  I'm saying, flat-out, that Windows has marketshare *because* it's better.  You're reversing my cause and effect statements.

I'm not reversing your cause and effect, you're confusing correlation and causality.
I'll finish your sentence for you:

I'm not indirectly implying that Windows is better *because* it has marketshare.  I'm saying, flat-out, that Windows has marketshare *because* it's better for Ma and Pa, who make up the majority of the market. 

Which is true. Not a very interesting point to the non-average user though.

As far as your question goes, I've answered it too many times. Here's the last one I posted on this forum (and the ensuing melee):
http://www.x86labs.org:81/forum/index.php/topic,4467.msg49300.html#msg49300

I was reading some material for work and stumbled upon this which turned out to be a semi-decent read:

http://www.amazon.com/gp/reader/0374292795/ref=sib_dp_top_toc/104-0504079-8892722?ie=UTF8&p=S00D#reader-link

Chapter 2, "Flattener #4" is really all that's pertaining to this discussion, though the book was good in general.

The principal logical fallacy that I notice in these discussions (open source vs closed source, windows vs linux, etc, whatever you want to call it) is one that seems to work both ways. For some reason, the Windows supporters seem to think that Linux users should want more market share. And for some reason, most Linux users think we should too, and so argue that we will somehow obtain that market share. I sincerely doubt a non-profit organization is going to dominate any market, especially since market domination (nor profit) is the objective of the organization. I also don't know why anyone cares if Linux gets the market share or not.

Personally, I've preferred Linux for years now. I couldn't care less what the rest of you are running, or how much you're paying for it. The way you guys push the market share thing it seems like I should go buy a Chevy Cavalier, because the majority of people use them, therefore they must be the best. That is a stupid premise for purchasing cars, and even so, cars are much less ambiguous in terms of personal use and application. A one OS/software foundation fits all idea is just a little bit far-fetched. You guys are indirectly implying that Windows must be better because the majority of people use it. We believe you that the majority of people do, stop trying to argue that. However, I definitely do not use my PC to the same ends as Ma and Pa 150 million AOL users, so it would be surprising to me if I used the same OS/software. I'm also not the least bit surprised that Windows is, in fact, "better" for Ma and Pa 150 million. It's not better for me though. Quite frankly, I think it sucks. Sort of like Chevy Cavaliers. Anyways...

Basically, if you touch on the policy vs mechanism aspect, Windows is always going to have problems as long as it tries to combine all of that functionality into one OS, then instill enough policy to keep Ma and Pa happy. I think either you're a family car, or you're a race car. Not a mini-van with 400hp. Note that many Linux distributors are worse than Windows for this.

I personally like how the BSD's are meant to be distributed as an OS, whereas Linux is just the kernel and the distributions of them are focued on programs and the like.

That's my least favourite part about BSD. What's the point ? I find it just creates more confusion. tcpdump, ssh, BIND are all parts of the BSD base system. But they're not real copies of tcpdump, ssh, or BIND. They're actually BSD tcpdump, BSD ssh, and BSD BIND all of which were modified (by Makefiles, probably) to operate on BSD, whereas on Linux you're using the real tcpdump, real ssh, real BIND, etc as distributed by the vendor.

Also, to make matters worse, BSD base systems vary from distribution to distribution. OBSD and NBSD include X in their base system (because of console driver integration), whereas FBSD does _not_. That's just bloody confusing. What's BSD base system now ? KDE ? xterm ? Mozilla ? Any of them ? If one is, is it on both distributions ?? But none of them are base on FBSD...

Compare that with Linux... X, KDE, xterm, Mozilla, none of them are base system/need to be cross-compiled for your system. You could go on any Linux verison and know wether or not xterm is part of your base system (it's obviously not, as there is no Linux 'base system') and compile it right out of the box. That being said, having a 'base system' just doesn't seem to simplify matters at all.

I'm alright. I got a computer again. Where do ya'll hang out nowadays ?

Evening gents. Krazed, I haven't talked to you in a while and I saw this the other day and was wondering...

"According to prosecutors, McKeage (AKA Krazed) broke in a computer run by police in Port Orange, Florida and used stolen credentials from this systems to access Accurint, a law enforcement database service, maintained by Seisint, a local subsidiary of LexisNexis." -- the register

Is that you ?? You crazy son of a bitch. Paris is a sweetheart, leave her out of your schemes.

aye

If it's a network thing, I'd put it in one of the network rc files. rc.local isn't run on every boot level.

Pull the RAM out. Put new RAM in.

Out of curiousity, iago, how many routers/switches/etc does your workplace/school use that aren't Cisco?  I know they're widely used, but my school uses almost entirely Cisco.  We have a few Linksys switches (a gig switch runs the pipe between our file servers and another one somewhere else in our MDF), but there aren't many other things that aren't Cisco.

From my understanding, Cisco networking gear is the best in the industry, but you really pay for it.

I believe Linksys is owned by Cisco. If not, there is some affiliation there.

Mind posting your solution ?