Donate Now
We've Moved! Check out our new boards.
  New Poll  
my profile | directory login | search | faq | forum home

  next oldest topic   next newest topic
» Scarleteen Boards: 2000 - 2014 (Archive) » SCARLETEEN CENTRAL » Sexual Ethics and Politics » Government mandated hacking? Into YOUR computer? (Page 1)

 - UBBFriend: Email this page to someone!   This topic comprises 2 pages: 1  2   
Author Topic: Government mandated hacking? Into YOUR computer?
lemming
Scarleteen Volunteer
Member # 33

Icon 1 posted      Profile for lemming     Send New Private Message       Edit/Delete Post 
This may not be sexual ethics or politics, but we're all on computers right now, and I'm willing to bet that almost every one of us has at least one .mp3.

From Slashdot:
"According to Wired, the recording industry wants the right to hack into your computer and delete your stolen MP3s." From the article: "It's no joke. Lobbyists for the Recording Industry Association of America (RIAA) tried to glue this hacking-authorization amendment onto a mammoth anti-terrorism bill that Congress approved last week. A copy of an RIAA-drafted amendment obtained by Wired News would immunize all copyright holders -- including the movie and e-book industry -- for any data losses caused by their hacking efforts or other computer intrusions 'that are reasonably intended to impede or prevent' electronic piracy."

Here's the Wired article.

So, basically, the RIAA wants the right to A) hack into your system and B) not be sued if they screw anything up on your 'puter in the meantime.

What do you think?

------------------
~lemming, Scarleteen Advocate

want to know the inner lemming? read her diary at http://innerlemming.diaryland.com.
"Did you see my friend? He couldn't believe it, 'The girls are holding hands, the girls are holding hands!' Don't be a fool, it's 1995, the girls are just friends." --Belle and Sebastian, "Photo Jenny"

[This message has been edited by lemming (edited 10-15-2001).]


Posts: 3156 | From: Austin, Texas | Registered: Jun 2000  |  IP: Logged | Report this post to a Moderator
Confused boy
Activist
Member # 1964

Icon 13 posted      Profile for Confused boy     Send New Private Message       Edit/Delete Post 
There is evidence that the US and UK governments already hack into our systems. They have this program called Echelon that they used to spy on the Soviets but now they use it to spy on the net. They will pick up sensitive e-mails shuch as ones that refer to terrorism or such like. Possibly even message board posts!

This is something slightly different and something that is completely impractical as what they want to do is remove all illegal copies of MP3s. That is simply impossible as many people keep hard copies of them now so the only way would be to be constantly hacking into systems to delete MP3s. And surely it would just be possible to change some of the flags of the files and the system would no longer be able to pick them up!

------------------
'An Anarchist is a Liberal with a bomb' Trotsky


Posts: 711 | From: England | Registered: Nov 2000  |  IP: Logged | Report this post to a Moderator
Celtic Daisy
Scarleteen Volunteer
Member # 2971

Icon 1 posted      Profile for Celtic Daisy     Send New Private Message       Edit/Delete Post 
I think that's a really stupid idea. And like was already said, it would be impossible, lots of people, including myself keep hard copies of their MP3's.

Anyways, that's a total invasion of privacy!

------------------
"where'ths my mommy?"
-Shawna

Akimsa (non-violence)

~Erin~


Posts: 1747 | From: Winnipeg, Manitoba, Canada | Registered: Mar 2001  |  IP: Logged | Report this post to a Moderator
DC_WillowFan
Activist
Member # 631

Icon 1 posted      Profile for DC_WillowFan     Send New Private Message       Edit/Delete Post 
What garranty we have they'll only delete mp3 ? There's no such thing.

And they don't wanna be sued if they screw up. Well, they better learn before playing with me. I might want to know what would happen if I screwed up theirs just for fun. I don't think they'd like that, and they'd sue me. So why shouldn't I be allowed to do the same ?

There's no sense in all of that, and yes most people start keeping hard copies of their mp3s and might just start doing something like I think: having a second computer, not connected to anything else than power. Who could hack into that ?

David

------------------
- I hope I shall be able to confide in you completely, as I have never been able to do in anyone before, and I hope that you will be a great support and comfort to me.

Anne Frank to her journal
(1929-1945)


Posts: 201 | From: Montreal, Qc, Canada | Registered: Jul 2000  |  IP: Logged | Report this post to a Moderator
sapphirecat
Activist
Member # 5317

Icon 1 posted      Profile for sapphirecat     Send New Private Message       Edit/Delete Post 
Okay. First off, from the government's point of view, they've got a big company throwing lots of money at them to do something wrong.

AFAIK, Echelon is more of a phone monitoring system, and the FBI was trying to get Carnivore (renamed DCS-2000 or something dumb like that; DCS=digital collection system) installed on many ISP's networks for email tracking. I'm not sure how far they got with that.

Back to MP3s. This is a great reason to install a firewall--ZoneAlarm*
can be downloaded in a free-for-personal-use version. Note that you have to allow MSN and other chat programs to act as a server if you want to send files with ZoneAlarm running. This will make it a lot tougher for anyone to get into your computer, because they can only get in the doors you're expecting traffic on... such as when you fetch a web page.

I think the government is a problem here... but so is the Microsoft monopoly. MS has already claimed to support "digital rights management" in future (post-XP, I think) versions of Windows.
I also remember someone lobbying for forced inclusion of rights management on every PC... which would probably virtually outlaw Linux, my favorite operating system.

* This link is the actual download page. (added in edit)

------------------
-- Sapphire Cat

Condense soup, not books!

I don't use the term "straight". It implies its opposite is "crooked".

[This message has been edited by sapphirecat (edited 10-15-2001).]


Posts: 235 | From: Louisville KY (St. Matthews) | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
ThisGuy
Activist
Member # 968

Icon 1 posted      Profile for ThisGuy     Send New Private Message       Edit/Delete Post 
The downside of Zonealarm, as in most firewalls, is that the applications and operating system of your computer then become a weak point. For instance, if you send malicious data to ICQ, it can be crashed - without triggering Zonealarm. (This is an extremely childish trick, for any of you elite hackers out there. It's about as intelligent as flooding.)

Such attacks can not only crash programs or your computer, but provide an entry point into your PC. For instance, MS Outlook at one point had a hole in it that allowed an email message with a specially modified date stamp to take over your PC.

As to Carnivore, I see it as a farce. There are numerous encryption or steganography tools available that the FBI are unlikely to be able to crack. Such an eavesdropping system would only catch the inept or the innocent.

My understanding is that the English were installing a nation-wide surveillance system into their Internet backbones?

On a side note, I recall reading somewhere that an Internet privacy company (www.safeweb.com) was partially funded by the CIA. They're hoping it will help Chinese dissidents to escape government controls on the Internet.

------------------
I like to Carson at least once Daly, otherwise I'd need this!


Posts: 915 | From: Australia | Registered: Aug 2000  |  IP: Logged | Report this post to a Moderator
lemming
Scarleteen Volunteer
Member # 33

Icon 1 posted      Profile for lemming     Send New Private Message       Edit/Delete Post 
You mean Safeweb *isn* just for surfing porn at work? *gasp*

But really, that's great information, ThisGuy. Thanks for that info.

------------------
~lemming, Scarleteen Advocate

want to know the inner lemming? read her diary at http://innerlemming.diaryland.com.
"Did you see my friend? He couldn't believe it, 'The girls are holding hands, the girls are holding hands!' Don't be a fool, it's 1995, the girls are just friends." --Belle and Sebastian, "Photo Jenny"


Posts: 3156 | From: Austin, Texas | Registered: Jun 2000  |  IP: Logged | Report this post to a Moderator
sapphirecat
Activist
Member # 5317

Icon 1 posted      Profile for sapphirecat     Send New Private Message       Edit/Delete Post 
quote:
The downside of Zonealarm, as in most firewalls, is that the applications and operating system of your computer then become a weak point.

Well, yes. That's why I said it makes it tougher. Part of the upside is that it blocks pings, so that nobody really knows you're there unless they've got some way of getting traffic from you already. For instance, with Carnivore sniffing the packets. You can't encrypt an IP header.

Another thing to note, part of ZoneAlarm sits between the Internet and Windows, catching dumb stuff like WinNuke attempts.

------------------
-- Sapphire Cat

Condense soup, not books!

I don't use the term "straight". It implies its opposite is "crooked".


Posts: 235 | From: Louisville KY (St. Matthews) | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Milke
Activist
Member # 961

Icon 1 posted      Profile for Milke     Send New Private Message       Edit/Delete Post 
The Tiny firewall's another excellent one, though it's interface isn't wuite as nice, and it's also freeware.
Posts: 5122 | From: I *came* from the land of ice and snow | Registered: Aug 2000  |  IP: Logged | Report this post to a Moderator
ThisGuy
Activist
Member # 968

Icon 1 posted      Profile for ThisGuy     Send New Private Message       Edit/Delete Post 
11 September and Carnivore

Winnuke and Teardrop et al are outdated anyway - I'm betting 0.1% of Windows PC's or less are vulnerable, even without a firewall.

But I take your point - it does provide some protection. However, with software as poorly written and insecure as Windows, Outlook, IE, ICQ, etc...a firewall is useful, but not perfect protection.

Good to know there's yet another techno-geek roaming these boards! We must breed like rabbits.

My question is: if I create an image, and someone steals it off my web site, can I then hack into theirs and delete said image? I'd say no, under both existing, and any proposed laws. Why should I be treated differently?

My other question is: the RIAA has finite resources. My best estimate is there are tens or a hundred million PC's out there with MP3's. How can they possibly reach them all?

Should we be expecting their intrusions to be automated/mechanised? This would take one of two forms: servers launching continuous, individual cracking attacks against PC's, and Code red style worms. (Code red is a worm that spreads by attacking a computer, then using that computer to attack others. Traditionally, such worms have spread through email alone, and not through such cracking attempts.)

The first case is easily defeated - block the IP addresses involved. Block their networks. Block 'em til the cows come home!

The second is problematic: apart from the computer industry backlash against such methods, and the wastage of network capacity, such worms have a short lifespan. What's the point of investing so much money in a worm that generates so much hate, for so little gain?

Perhaps these guys are aiming at destroying any neo-Napsters? If so, then bootlegging will reduce in scale slightly, but other systems will appear. For instance, Gnutella is invulnerable to Napster-style copyright lawsuits, and too distributed for this sort of action.

Whoever thought this up probably gave it as much thought as they did Napster. It's just a big game of Whack-A-Mole.

------------------
Rap music: keeping the black man down since 1991


Posts: 915 | From: Australia | Registered: Aug 2000  |  IP: Logged | Report this post to a Moderator
Jeffrey
Activist
Member # 5304

Icon 1 posted      Profile for Jeffrey     Send New Private Message       Edit/Delete Post 
1) "Hacking" is pretty much a myth, at least for end users. Firewalls are pretty much worthless to the end user (at least in terms of security). There is no magic way for someone to somehow "enter" your computer. Granted, a hacker could send you a malicious file disguised as a harmless document... but there's nothing you can do about that, and you guys are internet literate enough not to open weird files sent to you by weird people right?

2) What's the big deal about this anyways? It's ok to steal from a record company but all of a sudden when they decide to steal from you... "Oh no!@!#!@ This is terrible!" Please.

3) Slashdot, as usual, totally butchered the point of the potential law. Obviously no one is going to personally hack your computer... If anything, this would simply grant companies the right to DoS illegal sites serving up their music. Think of it this way. If you spent a lot of work making some music and then "Site A" starts giving it out for free, illegally, really pissing you off... And you ask them nicely to stop, but they refuse... Wouldn't you like the option to shut them down? By opposing this law, you're saying that people should be able to illegally serve up music and whatnot with no repercussions. It has nothing to do with privacy, it's about stopping piracy.

4) The government hacking into your computer.... LOL!!!! That's classic. Seriously, there's no need for the paranoia. If the government was hacking perfectly innocent citizen's computer's there'd be HUGE scandals. As for the paranoia about the government reading your email, etc. You think if the FBI contacted AOL and every single other major ISP to "secretly" (lol again) install traffic loggers, every single person involved in this huge conspiracy would keep quiet? Do you know how many email providers there are? Guess what... I'm running my own right now! A lot of people are simply unclear about how the internet works and think there's a single email database that the government can tap into. Well there's not.

So in summary: No, no one can "hack" your computer in the stereotypical sense. It's not like in the movies where a couple swift keystrokes will magically get you into any computer. For a good laugh watch Hackers :P. The law would be used to DoS illegal sites and whatever, basically forcing them off the web. And the whole "government monitoring everyone" stuff is utterly outrageous.

Oh yeah, and don't install a firewall unless you're a server or something. It just wastes system resources.


Posts: 107 | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Milke
Activist
Member # 961

Icon 1 posted      Profile for Milke     Send New Private Message       Edit/Delete Post 
Jeffrey, considering that through a simple cable I can right now move files on the computer behind me, which could be a majorly scary thing if I wanted it to be, how can you tell me that hacking doesn't exist? It's basically involuntarily networking a computer to yours, and it's most certainly possible. I'm quite happy with my firewall, don't find it a drain on my system, and don't want anyone affecting my computer without my explicit permission. And really, shouldn't every computer user be working that way? We're no longer in the age of PETs and Lisas.

BTW, very few of my MP3's are ones I'd consider stolen. They're either out of print, not otherwise available in this country, or bootlegs that the artists encourage the distribution of. If they were easy to get I'd just buy the records.


Posts: 5122 | From: I *came* from the land of ice and snow | Registered: Aug 2000  |  IP: Logged | Report this post to a Moderator
Confused boy
Activist
Member # 1964

Icon 1 posted      Profile for Confused boy     Send New Private Message       Edit/Delete Post 
I am not much of a fan of copyright laws and it seems that many music artists dont like them much either. That is why many encourage the distribution of their music. Its only these large very rich businesses that publish them that are worried. They are being silly anyway since record buying has continued to increase throughout the rise of MP3!

But would anyone shed a tear if these companies were forced to change or shut down. If a far better way of distributing music was invented (MP3 isnt quite there since the sound quality isnt perfect) then why not simply cut out the middle men. Any musician worth their salt isn't composing for the money but for the love of it.

Oh and on Echelon or whatever it is called now. It has leaked out enough and it has been described in many newspapers. Whether it looks at all emails or just specific people who might be enemies of the state is not known. However, people seem to believe it enough to have organised a "jam Echelon day" in which everyone involved is supposed to send out as many emails as possible with words such as "bomb", "primeminister", "guns, lots of guns" and "operation mayhem." This should apparently disrupt the working of Echelon or whatever it is!

------------------
'An Anarchist is a Liberal with a bomb' Trotsky


Posts: 711 | From: England | Registered: Nov 2000  |  IP: Logged | Report this post to a Moderator
John Doe
Activist
Member # 3836

Icon 1 posted      Profile for John Doe     Send New Private Message       Edit/Delete Post 
So all musicians worth their salt should starve or be forced to rely on charity? What about authors, should they also have to work for free? artists? How are they to feed their families? I get the impression that most succesful musicians enjoy their wealth. There are relatively few who actively encourage bootlegging. The only ones who pop to mind are the Greatful Dead, and well Jerry's Dead.
I don't like the idea of government being able to intrude into my computer. However, the recording industry was perfectly right to sue Napster and put them out of business. They have this remidy and it worked, so why not just leave it at that.

Posts: 475 | From: ohio | Registered: May 2001  |  IP: Logged | Report this post to a Moderator
sapphirecat
Activist
Member # 5317

Icon 1 posted      Profile for sapphirecat     Send New Private Message       Edit/Delete Post 
I never said I was pro-MP3 sharing, and I don't think anyone else mentioned it either. I am anti-theft, whether it is intellectual property theft from record companies (who in turn steal from artists, but two wrongs don't make a right) or data theft from my computer.

On the paranoia issue, please review Moore's Law. It's getting easier all the time, and you don't need to care who's connected to scan a netblock. Have a look at Code Red; despite the lifespan, it can still do a lot of damage while it survives.

And right now my firewalling against the Outernet is free, since the college does it. And the firewall on this machine is just a few simple netfilter rules that accept everything on loopback and log+deny all SYN packets from ppp0. (The campus firewall does that for the Outernet, but doesn't bother inter-student connections.) You would not believe how many people are looking for Netbus and Sub7 still.

------------------
Sapphire Cat
You can love me or hate me, but it won't change who I am.


Posts: 235 | From: Louisville KY (St. Matthews) | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Jeffrey
Activist
Member # 5304

Icon 1 posted      Profile for Jeffrey     Send New Private Message       Edit/Delete Post 
"Jeffrey, considering that through a simple cable I can right now move files on the computer behind me, which could be a majorly scary thing if I wanted it to be, how can you tell me that hacking doesn't exist?"

I believe that there is no way you, Kevin Mitnick, or anyone at all for that matter, could possibly remotely enter my computer (without tricking me into installing extra software). I don't consider walking over to another computer, plugging an ethernet cord into it, turning on AppleShare (or whatever software you use), and connecting to it locally, hacking. Besides, what good would a firewall do if you have physical access to a computer? Sorry if that's not what you were implying by your post but it's really vague so I can only guess.

Anyways, if you honestly think that my computer is at risk without using a firewall, please explain to me how a hacker could possibly connect to my computer. Not even exactly... Just give me a vague idea. Not even an idea... Just give me a link to any information either about how to do it, or an article simply stating that it simply can be done (no firewall propaganda please). I don't want this to come out the wrong way, but I've done huge amounts of TCP/IP programming. I know how the system works, and there is simply no way that a hacker can somehow access your computer remotely with or without a firewall (again, with the exception of plain trickery). It doesn't matter how brainy you are... It's a simple system and no matter how hard you look, you won't find a 'magical' way to somehow jump into another person's computer. If you know a way, then you might want to email apple, microsoft, linux developers, etc. directly. I'm sure they'd hire you on the spot.

"Oh and on Echelon or whatever it is called now. It has leaked out enough and it has been described in many newspapers."

Link please?


Posts: 107 | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Confused boy
Activist
Member # 1964

Icon 1 posted      Profile for Confused boy     Send New Private Message       Edit/Delete Post 
http://cipherwar.com/echelon/press_release.htm

I would not have believed this were it not for an article I saw in the Sunday Times (its old news now so it will take me time to find it if it is online at all anymore).

------------------
'An Anarchist is a Liberal with a bomb' Trotsky


Posts: 711 | From: England | Registered: Nov 2000  |  IP: Logged | Report this post to a Moderator
sapphirecat
Activist
Member # 5317

Icon 1 posted      Profile for sapphirecat     Send New Private Message       Edit/Delete Post 
Proof of concept:

Buffer overflow:
Some sort of fixed-size buffer exists in a program. Sending data longer than that size cheerfully writes past the end of the buffer, which isn't protected from execution. http://www.cert.org/advisories/CA-2001-21.html

String formatting bugs:
A string is sent such that it contains some of printf's format specifiers, such as %s; since printf doesn't pay attention to how many arguments it receives, it cheerfully pops the correct return address off the stack and uses it to print data; then returns the wrong address, putting the program somewhere it doesn't expect to be. Not as generally fatal as buffer overflows.
http://www.securiteam.com/unixfocus/5SR090A1TI.html

Extrapolation:

Experience shows these types of bugs are extremely common; one code audit of OpenBSD fixed several hundred string formatting bugs. It is interesting to see that these bugs existed in an operating system with its focus on security.

True, a firewall can't protect against buffer overflows in ICQ or IIS (*spit spit*), but it will protect the OS from silly bugs like Teardrop and Winnuke and the Ping of Death.

If you have a real OS, this can limit the damage or slow down the attacker by forcing them to break in through a non-privileged application. Even if you have a fake OS, a firewall can put your computer in stealth mode, causing the attacking computer to wait a while for a reply that never comes.

Back to the hacking thing. I'd like to point you at Code Red again... it broke into systems without even requiring a human to poke and kick at it first. Also remember BubbleBoy--it didn't even require you to open the email, merely preview it. You lose any accumulated Guru Points if you're using Outlook and IE.

Consider also the next Latest And Greatest(tm) Microsoft OS. Do you know what's in there? Why couldn't there be an application in there to open a certain port to Option White? Blind trust will hurt more than blind paranoia.

As a final point, my mom is absolutely clueless when it comes to computers. Just because you can defend yourself, you have no obligation to defend others? Think for a moment about how much you interact with that's safe. Is it because you made it safe, or because others made it safe for you?

------------------
Sapphire Cat
You can love me or hate me, but it won't change who I am.


Posts: 235 | From: Louisville KY (St. Matthews) | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Jeffrey
Activist
Member # 5304

Icon 1 posted      Profile for Jeffrey     Send New Private Message       Edit/Delete Post 
Again, I'm not talking about hacking into web servers and things, I'm talking about "hacking" into your everyday iMac or whatever. My statement stands, no one, no matter how brainy they are, could possibly get into my G4 Cube running MacOS 9. I have no firewall or anything.

Why am I so confident about this fact? Because there is simply no way to even connect to my computer. I would give you my IP but I'm not sure I'm allowed to so you could see for yourself. You could scan it for ports, etc. etc. and I guarantee you there's no way you can get in. Not because I'm overconfident in Apple's programmers, but simply because there is no way to remotely exploit the "Finder" as it doesn't even have anything to do with the internet!!

Again, if I'm wrong, please disprove me.

As for Confused boy and echelon. Do you have any links from more reliable sources? If this thing really exists, and it's provable, etc. it would be plastered everywhere. You'd think that newspapers might even mention the fact that our own government has a tap on every single ISP and is unconstitutionally secretly monitoring everything we do on the internet in a huge conspiracy.


Posts: 107 | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Confused boy
Activist
Member # 1964

Icon 1 posted      Profile for Confused boy     Send New Private Message       Edit/Delete Post 
From the Guardian (a respected newspaper in the UK) http://www.guardian.co.uk/Archive/Article/0,4273,4269707,00.html

and
http://www.guardian.co.uk/Archive/Article/0,4273,4214840,00.html

the links appear to only turn up some of the time due to dodgy archiving so if you cant get them simply go to www.guardian.co.uk and search for Echelon.

------------------
'An Anarchist is a Liberal with a bomb' Trotsky


Posts: 711 | From: England | Registered: Nov 2000  |  IP: Logged | Report this post to a Moderator
sapphirecat
Activist
Member # 5317

Icon 1 posted      Profile for sapphirecat     Send New Private Message       Edit/Delete Post 
*tries not to flame*

I did some heavy searching, and there don't seem to be any well-known remote exploits for MacOS 9. Which is, interestingly enough, obsolete. There are quite a few holes in OS X, because it's a BSD derivative.

There. You're right. You might be immune. Now let the people who are not in your situation protect themselves. After all, MacOS is not the most popular OS on the planet. Last I checked, the Wintel monopoly has a deathgrip on 90% or better of the desktop market. Your computer's security is not going to help them, and your claim that all firewalls are worthless because they won't help you is a gross overgeneralization.

Now, I am going to stop reading this thread, because constantly hearing my chosen career is irrelevant is just pissing me off, and we're not going to get much of anywhere arguing about it.

------------------
Sapphire Cat
You can love me or hate me, but it won't change who I am.


Posts: 235 | From: Louisville KY (St. Matthews) | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Jeffrey
Activist
Member # 5304

Icon 1 posted      Profile for Jeffrey     Send New Private Message       Edit/Delete Post 
"Now, I am going to stop reading this thread, because constantly hearing my chosen career is irrelevant is just pissing me off, and we're not going to get much of anywhere arguing about it."

That's really unfortunate, I hope you come back and read it so I can get this cleared up... I'm also somewhat offended that you called my chosen career "obsolete" (your MacOS 9 comment) but rather than leaving, I'd like to discuss it (that's what forums are for... Especially a political one, right?)

"There are quite a few holes in OS X, because it's a BSD derivative."

Sorry, I don't have many 'underground' connections. Could you please give me a link where I could find out how to "root someone's box". Considering Apple releases auto-updates as soon as they locate and fix a security hole, I really doubt your sources. Look at the minor exploit two days ago... It was fixed and auto-updated almost same day that it was brought to Apple's attention. And as I said, that was a minor, local exploit.

I'm also curious about your Windows claims. If I run Windows (which I do... WindowsME and 95), your saying that anyone can easily hack into, disable, etc. my computer since I don't have a firewall? Can I get any instructions on that, also? I know Microsoft products are generally buggy and weird... But major exploits like that still haven't even been fixed? So oh well, if that's honestly true and Windows is that insecure, yeah, I support Windows firewalls 100%. But if you're using MacOS, my statement stands, firewalls are a joke.

Oh well, I hope you come back and answer my questions. I didn't mean any offense like I hope you didn't mean to me.


Posts: 107 | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Jeffrey
Activist
Member # 5304

Icon 1 posted      Profile for Jeffrey     Send New Private Message       Edit/Delete Post 
Hmm, I read those articles on Echelon (and some others). Apparently it's a military spy network in Europe although it's US run. It's not exactly the worldwide privacy atrocity that many people think it is. It's like the phone tapping system in use now. They don't simply archive absolutely all traffic on the internet which would not only be impossible, but useless (among other things). How would you distinguish between a kid downloading naughty pictures and a terrorist sending a simple encrypted message, for example? The system allows for certain people (or computer's rather) to be tapped. Not sure what the big deal about it is... Personally I have no problem seeing additional terrorists arrested and having countless lives saved. In fact now that I know what it is in more detail, I find those "jam echelon" sites not only offensive, but utterly pointless.
Posts: 107 | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
sapphirecat
Activist
Member # 5317

Icon 1 posted      Profile for sapphirecat     Send New Private Message       Edit/Delete Post 
Alright, I lied. I'm back, against my better judgement.

As soon as Apple finds the hole, it's fixed. Which leaves a window of opportunity from the time it was released until then for the black hats to use it. A patched hole was still a hole.

I'm lazy right now. Go search Google for "Mac OS exploit" and look at how much more OSX stuff comes up.

Interestingly, I don't see you providing any links proclaiming the security of OS9. Are you right until proven wrong, or is this argument pointless because there is really no evidence either way?

The fundamental security model is an onion: you have to peel away many layers to get to the core. (Why didn't I think of this before?) To break into a system usually requires gathering information about it, and one of the ways to do this is by a port scan. If someone has no idea what's there, they try connecting to some ports to see what's there... 0, 6, 21, 22, 23, 25, 79, 12345, 23456, 65000, etc. A firewall can detect a port scan and deny sending information to the scanner, even if a port is open (since it sits between the clients and the Outernet.) But that's only one layer... if they simply go looking for ICQ instead and decide to exploit the old (pre-2000? can't remember) URL buffer overflow, the firewall isn't going to help. You need another layer of security--an up-to-date client. But in the port scan, the firewall prevented them from finding ICQ in the first place.

I'm still lazy. I'd guess offhand that the best way to get into a Windows system is by exploiting NetBIOS; I recall a man-in-the-middle attack where the attacker makes the computer authenticate against itself. I remember another exploit where there was no password length checking; so if the password was "Aardvark", "A" would match.

Go ask a real hacker (not 1337 sKr1p7 k1ddez, or Bugtraq lurkers like me) to break into your system. My Intro to LAN professor boasted that he could break into any system, but he was arrested/fired (rumors are sketchy) before he could demonstrate that for the class.

Maybe you should just give up and assume I have a pro-firewall agenda.

In an attempt to push this back on topic, I'd like to point out that the RIAA is lobbying for the ability to attack and immunity from their mistakes. If the SSSCA goes through, no PCs will be sold without "rights management" capabilities. If Bill A allows the RIAA to work with impunity, and Bill B provides an infrastructure for it, what will happen?

------------------
Sapphire Cat
You can love me or hate me, but it won't change who I am.


Posts: 235 | From: Louisville KY (St. Matthews) | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
lemming
Scarleteen Volunteer
Member # 33

Icon 1 posted      Profile for lemming     Send New Private Message       Edit/Delete Post 
Sapph, is that going to be retroactive? (required that all PCs sold have these capabilities?) The first thing I heard was that it *would* be retroactive. That's scary, especially in light of all this legal-breaking-and-entering.

Link, please?

------------------
~lemming, Scarleteen Advocate

want to know the inner lemming? read her diary at http://innerlemming.diaryland.com.
"Did you see my friend? He couldn't believe it, 'The girls are holding hands, the girls are holding hands!' Don't be a fool, it's 1995, the girls are just friends." --Belle and Sebastian, "Photo Jenny"


Posts: 3156 | From: Austin, Texas | Registered: Jun 2000  |  IP: Logged | Report this post to a Moderator
sapphirecat
Activist
Member # 5317

Icon 2 posted      Profile for sapphirecat     Send New Private Message       Edit/Delete Post 
It seems that it would only affect future products sold. That is not a reason to support it, since hardware breaks and is made obsolete by larger software (even without Microsoft; the open-source Mozilla browser asks for a 233MHz or faster processor and 64MB of RAM.) Legislating what technology is allowed to do is going to limit future development, as well as being unprecedented and unparalleled. Nobody's banned knives, even though they can be used to slit someone's throat. We have banned some guns, but I've never seen one of those used other than to force one's way upon the world, so that isn't a parallel.

That wasn't arguing with anyone, that was just stating my view. Cheers!

Linkage:
Wired: http://www.wired.com/news/politics/0,1283,46655,00.html
EFF:
http://www.eff.org/alerts/20010921_eff_sssca_alert.html
Quite possibly, a draft of the bill (~2.5MB; I don't have acrobat handy):
http://www.parrhesia.com/sssca-draft.pdf

------------------
Sapphire Cat
You can love me or hate me, but it won't change who I am.


Posts: 235 | From: Louisville KY (St. Matthews) | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
TheCagedOne
Activist
Member # 3746

Icon 1 posted      Profile for TheCagedOne     Send New Private Message       Edit/Delete Post 
Just my two cents on all this...

1) The MP3 file type in itself is not illegal, I back up all my legally purchased music this way. How would one tell the difference between legal and illegal MP3's?

2) As far as U.S. laws go, have we forgotten about our unreasonable search and seizure amendment? Just because I have a computer, with an internet connection, making it possible for me to download illegal music, does that mean I'm guilty of it? Seems like a very obvious invasion of privacy. For this reason alone, I really don't see anything like this becoming government mandated. A supreme court case would come about so fast it would make your head spin.

------------------
"A wise monkey never monkeys with another monkey's monkey"
----
"Recycle, stay in school, and fight the power ~ SSX


Posts: 52 | From: Usually somewhere between MI & FL - currently KY | Registered: May 2001  |  IP: Logged | Report this post to a Moderator
sapphirecat
Activist
Member # 5317

Icon 1 posted      Profile for sapphirecat     Send New Private Message       Edit/Delete Post 
My viewpoint is that the lobbies are paying Congress to ignore the unreasonable search and seizure amendment.

------------------
Sapphire Cat
You can love me or hate me, but it won't change who I am.


Posts: 235 | From: Louisville KY (St. Matthews) | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Jeffrey
Activist
Member # 5304

Icon 1 posted      Profile for Jeffrey     Send New Private Message       Edit/Delete Post 
"I'm lazy right now. Go search Google for "Mac OS exploit" and look at how much more OSX stuff comes up.

Interestingly, I don't see you providing any links proclaiming the security of OS9. Are you right until proven wrong, or is this argument pointless because there is really no evidence either way?"

Well, I'm a registered Apple developer and I'm signed up for a lot of mailing lists, etc. I've been following these lists, Apple news sites, etc. since I dunno, System 7 and I have yet to see any major exploits. In fact, the largest exploit (arguably the only one worth even mentioning) was the recent one in OS X. It basically allowed people with physical access to get root access relatively easily. Considering the consumer edition of MacOS X (which this exploits) is meant to be a single user OS, and if you have physical access to a Mac (or pretty much any computer for that matter) you basically have 'root' anyways, this isn't nearly as serious as it sounds. (Keep in mind that an alternative way to get root in MacOS X _consumer_ is to insert the MacOS X CD and reset the password :P.) Anyways, this exploit was fixed through Apple's auto-update system the same day they found it. So I seriously doubt that if an exploit is available to the general public (read: findable on google) it would actually be usable.

So yeah, this is pretty pointless because since Apple programmers, their legions of QA, and their loyal userbase aren't totally clueless, there is no way that you're going to be able to somehow find an exploit in OS X (especially in OS 9). Mind you, I'm not saying that OS X is 100% secure, just that if you can find an exploit on google or any public site on the web, it's almost a guarantee that Apple knows about it and has already fixed it.

"To break into a system usually requires gathering information about it, and one of the ways to do this is by a port scan."

I'm not too concerned about port scans because, really what could they find? Maybe it's a windows thing, but if I have ICQ open on my computer, it only listens to ICQ's server. No one else should be able to see my connection. The only thing a port scan can tell you (please correct me if I'm wrong) is basically what servers you have open to the public. Personally for me, that means a hacker could find my Q3 server.

I'm not so sure about ICQ, but a while ago I programmed the first MacOS AIM client. Not sure if I can say the name since that would inadvertently give everyone access to my email address, full name, where I live, etc. which the guidelines strictly forbid. But with google and the information I've already given you, I'm sure you can find it if you really want.

Anyways, I know the AIM TOC protocol backwards and forwards. I know it's different than ICQ's but anyways, fwiw, there is absolutely no way that you can somehow detect whether or not anyone's running AIM on their computer. Even if you knew they were running it, there would be absolutely nothing you could do short of signing on and actually IMing the person (assuming you know their screen name). Granted, there are ways to "directly connect" to another client, but even that goes through the server in its rvous stages. So I'm curious about these ICQ exploits.


Posts: 107 | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Jeffrey
Activist
Member # 5304

Icon 1 posted      Profile for Jeffrey     Send New Private Message       Edit/Delete Post 
"1) The MP3 file type in itself is not illegal, I back up all my legally purchased music this way. How would one tell the difference between legal and illegal MP3's?"

No one would be somehow hacking into your personal computer. The law basically would allow companies to DoS sites serving up their copyrighted files illegally.

OK here's an analogy (sans rhetorical questions ):

Just compare it to bootlegging in the 20's. It's the same thing except booze is replaced by MP3s, store houses are replaced by pirated music sites, and police raids are replaced by companies DoSing sites.

Yeah at the time I bet lots of people thought it was terrible... But now that we look back on it in history, it makes a lot of sense. I predict exactly the same thing will happen here.

"2) As far as U.S. laws go, have we forgotten about our unreasonable search and seizure amendment? Just because I have a computer, with an internet connection, making it possible for me to download illegal music, does that mean I'm guilty of it? Seems like a very obvious invasion of privacy. For this reason alone, I really don't see anything like this becoming government mandated. A supreme court case would come about so fast it would make your head spin."

I dunno. See my bootlegging analogy above. Was that really an invasion of privacy? Keep in mind that no one is going to "hack" into your PC but rather forcedly shut down the servers providing the bootlegged music, etc. If that's any different than shutting down bootlegging operations in the 20's I don't see it.


Posts: 107 | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
sapphirecat
Activist
Member # 5317

Icon 1 posted      Profile for sapphirecat     Send New Private Message       Edit/Delete Post 
[comments deleted]

You know, come to think of it, I have this feeling I'm just being led along. If you were concerned about the factualness of my statements, you could've contradicted them instead of making arrogant remarks about how you don't need a firewall without mentioning what computer you use until later...

------------------
Sapphire Cat
You can love me or hate me, but it won't change who I am.


Posts: 235 | From: Louisville KY (St. Matthews) | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Jeffrey
Activist
Member # 5304

Icon 1 posted      Profile for Jeffrey     Send New Private Message       Edit/Delete Post 
Hmm? Sorry... I don't understand.
Posts: 107 | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
ThisGuy
Activist
Member # 968

Icon 1 posted      Profile for ThisGuy     Send New Private Message       Edit/Delete Post 
Just out of curiousity, have you ever considered that the "auto-update" feature might be prone to incompetence or abuse? People do make mistakes.

After all, your Herculean abilities at network security are really only as good as the guy who writes the software you use. Just because no vulnerabilities are known, doesn't mean they don't exist. Apple aren't perfect, any more than MS are. You might argue that they produce better software, but they still are not perfect.

The bottom line is there is no such thing as perfect information security. Everything has a weakness - email Guninski or Mitnick and they'll tell you the same.

To illustrate my point, here is a BSD/OS X vulnerability I found on the Apple site.

------------------
Rap music: keeping the black man down since 1991


Posts: 915 | From: Australia | Registered: Aug 2000  |  IP: Logged | Report this post to a Moderator
sapphirecat
Activist
Member # 5317

Icon 1 posted      Profile for sapphirecat     Send New Private Message       Edit/Delete Post 
The basic principle of security is to treat everything as if it is insecure. You may not know how to exploit it, but act as if it could be, even if reality attempts to convince you otherwise. The more layers someone has to go through, the less damage a broken layer can do. And if a layer is broken, it was broken, even if it was fixed later.

Auto-update must connect to a server. Is that server's IP resolved via DNS? What steps has Apple taken to ensure that the OS knows whether the update is real or not?

------------------
Sapphire Cat
You can love me or hate me, but it won't change who I am.


Posts: 235 | From: Louisville KY (St. Matthews) | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
Jeffrey
Activist
Member # 5304

Icon 1 posted      Profile for Jeffrey     Send New Private Message       Edit/Delete Post 
"Just out of curiousity, have you ever considered that the "auto-update" feature might be prone to incompetence or abuse?"

No I haven't... But I'm considering it now and I'm not sure what you're getting at. Abuse, as in Apple purposefully sending you a trojan horse or something? I really can't imagine that happening. Incompetence, as in Apple accidentally sending a trojan horse, bugged software, or something? Well, Apple is well known for its legions of QA and I really doubt a major slipup would occur. Even if it did happen, Apple would simply auto-update again.

"The bottom line is there is no such thing as perfect information security. Everything has a weakness - email Guninski or Mitnick and they'll tell you the same."

There _is_ perfect security. Mind you, I'm not saying that Apple's OS' are perfectly secure, but perfectly secure systems are definitely possible. Just take a look at AIM; my expertise. I wouldn't hesitate for a second to say that it's absolutely 100% "hackproof" (although it really depends what you mean by "hack"... I'm talking about software exploitability). Why am I so confident? Because it doesn't take a genius to implement a simple protocol with no gaping exploitable holes. (Btw, please don't mistake AOL for AIM.)

Another example of a perfectly secure environment, is one that's not connected to the internet. Anyways, in MacOS, unlike Windows I guess, there is simply no way for someone to connect to your computer unless you actually set up some server software. There is no equivalent of telnet, netbios, etc. (telnet can be activated in OS X, but it's off by default). I stand by my original statement. My computer, right now, (OS 9, nothing running other than Opera and the Finder) is absolutely invincible to hackers, script kiddies, and whatnot. Not because Apple doesn't make mistakes but because there is simply nothing to hack. There is nothing to exploit. See for yourself: go on google and search for ways to hack into the finder . A Windows example would be trying to hack into Microsoft Word. It's not that Word doesn't have its share of bugs, it's that Word (like the finder) has absolutely nothing to do with the internet.

"To illustrate my point, here is a BSD/OS X vulnerability I found on the Apple site."

Ironically, that's a bug in the software "ipfw". As you might guess from the acronym, it's a firewall. Anyways, it doesn't really affect OS X. By default I don't think OS X even installs ipfw (it didn't install on my comp at least). Basically, to get to your described OS X exploit, you have to install ipfw, activate it, and customize it (i.e. add one of the bugged rules). Then the firewall won't always block the specified traffic. I can see how it might be a problem to a server trying to block certain traffic... But in MacOS X consumer? I can't imagine a situation where this even merits a mentioning.

And to sapphirecat:

"The basic principle of security is to treat everything as if it is insecure. You may not know how to exploit it, but act as if it could be, even if reality attempts to convince you otherwise."

I dunno, that sounds sort of like paranoia to me. I guess it really depends on the individual though, among other variables. Personally I don't use a firewall because Apple has an excellent track record, and even if they do slip up, as was demonstrated last week, it's immediately fixed. I think a lot of people take insecurity for granted. If you do any programming, you may see what I mean. First of all, when a program is "secure" it doesn't mean that it has all sorts of added features to foil hackers or something... (with the exception of cryptography.) It simply means that they've successfully implemented their protocol into their app without bugs. For example, I could market my AIM client by saying that it has "ultra advanced security" and it's "utterly unhackable". In fact, those would simply be fancy names for saying that I've implemented the TOC protocol without bugs... Which is not rocket science. I'm not sure why people always say "well nothing is completely unhackable... There's always exploits". (Not that you've said that, but just in general.) Well, it's no big deal when something is 'unhackable'. It simply means that the programmers didn't leave any stupid bugs behind for people to exploit.

"Auto-update must connect to a server. Is that server's IP resolved via DNS? What steps has Apple taken to ensure that the OS knows whether the update is real or not?"

I dunno... Ask Apple. I doubt DNS has anything to do with it, I'm sure it uses an IP address. I think Apple hardcodes their own DNS in the OS, anyways. Just the other day, my name servers were down so I couldn't connect to anything other than IPs. I tried apple.com and it worked.


Posts: 107 | Registered: Sep 2001  |  IP: Logged | Report this post to a Moderator
  This topic comprises 2 pages: 1  2   

  New Poll   Close Topic   Feature Topic   Move Topic   Delete Topic next oldest topic   next newest topic
 - Printer-friendly view of this topic
Hop To:


Contact Us | Get the Whole Story! Go Home to SCARLETEEN: Sex Ed for the Real World | Privacy Statement

Copyright 1998, 2014 Heather Corinna/Scarleteen
Scarleteen.com: Providing comprehensive sex education online to teens and young adults worldwide since 1998

Information on this site is provided for educational purposes. It is not meant to and cannot substitute for advice or care provided by an in-person medical professional. The information contained herein is not meant to be used to diagnose or treat a health problem or disease, or for prescribing any medication. You should always consult your own healthcare provider if you have a health problem or medical condition.

Powered by UBB.classic™ 6.7.3