Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[jmerkey]

LKML,

Several News Agencies have contacted me about the atached email as the 
result of Simon Best and others
distributing it around the internet and to news agencies in Utah.  For 
the record, James Mooney had access as
well as did his associates to the timpanogas offices in 2001 during this 
time period and these comments apparently were
posted by one of them using my linux desktop system since the Utah NAC 
also operated out of the TRG
officesa at that time.

During TRG's operations, several people used my email account to post 
bugs to the list.  I did not
write this particular email or post it, and I do not know who did.  I do 
not want it removed nor I am
asking for it to be removed from LKML or the archives.  I am clarifying 
that I did not write or author this content.

Please attach this email to the parent thread from 2001 for the 
permanent record.   I have and had no objection
to TRG employees using my master account to post bugs or development 
questions to LKML, but I did not
author the content of this email.

Sincerely,

Jeff V. Merkey





Date 	Mon, 24 Sep 2001 18:29:39 -0700
>From 	"Jeff V. Merkey" <>
Subject 	Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by 
life in prison

On Mon, Sep 24, 2001 at 08:37:11PM -0300, Rik van Riel wrote:

When people are crashing planes into buildings and killing people
by the thousands, hacking laws should be tough.  The US has shut off
internet access from Cyprus and several other places, and I've 
noticed a fall-off of hacking on my servers -- GOOD!.  

Maureen O'Gara at Client Server News is based in NY, and from what she 
describes, the entire city is in a terrible state.  Let anyone in New 
York know who is our friend on this list that the Utah Native American 
Church has sent James Mooney to New York City to conduct ceremonies for 
the victims and their families.   The mayor's office has given us 
permission to conduct our ceremonies there for these people without 
fear of police harassment.

I am sending him enough peyote to trip out half the city.  Anyone in NY 
who needs to find healing who is a member of our linux "Family" is 
welcome at these ceremonies.  These people involved in this terrifying 
ordeal need to sit in a tepee and go somewhere else for a couple of days
with the sacred medicine.  

New York folks who wish to be involved in these ceremonies can call 
212-755-0968 or 212-929-9396 to find out where and when.  We have so far
hosted thousands of the victims in these ceremonies.  All are welcome and 
their families.  The laws in New York allow non-Indians to use peyote 
for religious purposes of any race, unlike Utah.  Tell our brothers we 
open our doors to those in need of spiritual and emotional healing for 
the people of New York.

These ceremonies are **FREE**.  The Utah NAC is picking up the tab.

Do-na-da Go-hv-e

Wa-do

Jeff


> On Mon, 24 Sep 2001, Paul G. Allen wrote:
> 
> > If this passes, everyone working in computer security can be
> > arrested and thrown in prison for life. In addition, people such
> > as Kevin Mitnick can be thrown back in prison even though they
> > have already paid for their crime (double jeopardy?).
> >
> > http://www.securityfocus.com/news/257
> 
> So, would anybody have a nice piece of real estate in the
> free world where silicon valley could be evacuated to ?
> 
> (time to find volunteers to maintain thefreeworld.net ?)
> 
> cheers,
> 
> Rik
> --
> IA64: a worthy successor to the i860.
> 
> 		http://www.surriel.com/
> http://www.conectiva.com/	http://distro.conectiva.com/
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

      

	
<http://www.isp-services.nl>
<http://validator.w3.org/check/referer> 		  	
<http://jigsaw.w3.org/css-validator/check/referer> 	  	Last update: 
2005-03-22 13:03    [W:0.259 / U:4.943 seconds]
©2003-2005 Jasper Spaans <http://jsp.vs19.net/> 	 

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Alejandro Bonilla]

jmerkey wrote:

>
>
> LKML,
>
> Several News Agencies have contacted me about the atached email as the 
> result of Simon Best and others
> distributing it around the internet and to news agencies in Utah.  For 
> the record, James Mooney had access as
> well as did his associates to the timpanogas offices in 2001 during 
> this time period and these comments apparently were
> posted by one of them using my linux desktop system since the Utah NAC 
> also operated out of the TRG
> officesa at that time.

Why are you sending this things after 4 years. This looks like sexual 
pills spam. And I can't believe, "agencies" are contacting you for this 
thread for the last 4 years... If they are, REALLY ask for the thread to 
be removed or something like that.

Also, this email only showing your username without the Full name, looks 
like if someone is trying to use your account again... ;-)

If they are really harassing you, ask for the thread to be removed. (I 
dunno the policy about this)

.Alejandro

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[jmerkey]

OK.  I ask for this thread and associated posts to be removed, is this 
is allowed.  The Provo Daily Herald and KSL Channel 5
news asked me questions about it.  I did not author it. 

Jeff

Alejandro Bonilla wrote:

> jmerkey wrote:
>
>>
>>
>> LKML,
>>
>> Several News Agencies have contacted me about the atached email as 
>> the result of Simon Best and others
>> distributing it around the internet and to news agencies in Utah.  
>> For the record, James Mooney had access as
>> well as did his associates to the timpanogas offices in 2001 during 
>> this time period and these comments apparently were
>> posted by one of them using my linux desktop system since the Utah 
>> NAC also operated out of the TRG
>> officesa at that time.
>
>
> Why are you sending this things after 4 years. This looks like sexual 
> pills spam. And I can't believe, "agencies" are contacting you for 
> this thread for the last 4 years... If they are, REALLY ask for the 
> thread to be removed or something like that.
>
> Also, this email only showing your username without the Full name, 
> looks like if someone is trying to use your account again... ;-)
>
> If they are really harassing you, ask for the thread to be removed. (I 
> dunno the policy about this)
>
> .Alejandro
> -
> To unsubscribe from this list: send the line "unsubscribe 
> linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[randy_dunlap]

On Fri, 01 Jul 2005 19:43:31 -0600 jmerkey wrote:

| 
| 
| OK.  I ask for this thread and associated posts to be removed, is this 
| is allowed.  The Provo Daily Herald and KSL Channel 5
| news asked me questions about it.  I did not author it. 
| 
| Jeff

Removed from where?  kernel.org doesn't maintain email archives.
Each archive site would have to be contacted for removal.
E.g., see 
http://vger.kernel.org/vger-lists.html#linux-kernel

~Randy

| Alejandro Bonilla wrote:
| 
| > jmerkey wrote:
| >
| >>
| >>
| >> LKML,
| >>
| >> Several News Agencies have contacted me about the atached email as 
| >> the result of Simon Best and others
| >> distributing it around the internet and to news agencies in Utah.  
| >> For the record, James Mooney had access as
| >> well as did his associates to the timpanogas offices in 2001 during 
| >> this time period and these comments apparently were
| >> posted by one of them using my linux desktop system since the Utah 
| >> NAC also operated out of the TRG
| >> officesa at that time.
| >
| >
| > Why are you sending this things after 4 years. This looks like sexual 
| > pills spam. And I can't believe, "agencies" are contacting you for 
| > this thread for the last 4 years... If they are, REALLY ask for the 
| > thread to be removed or something like that.
| >
| > Also, this email only showing your username without the Full name, 
| > looks like if someone is trying to use your account again... ;-)
| >
| > If they are really harassing you, ask for the thread to be removed. (I 
| > dunno the policy about this)
| >
| > .Alejandro

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Jesper Juhl]

On 7/2/05, jmerkey <jmerkey@utah-nac.org> wrote:
> 
> 
> OK.  I ask for this thread and associated posts to be removed, is this
> is allowed.  The Provo Daily Herald and KSL Channel 5
> news asked me questions about it.  I did not author it.
> 
[...]

I'd say that that request is damn near impossible. First of all, as
Randy has already pointet out kernel.org does not maintain email
archives, secondly, the thread will be archived on a number of
different sites outside kernel.org's control - there are *many* lkml
archives on the 'net. In addition to LKML archives you'd also have to
contact news sites that may have written articles on the thread and
copied the message(s) in part or in full, and then there is any number
of search engines that may have cached the thread and sites like The
Wayback Machine that may have cached the lkml archives or the news
sites etc etc etc... And finally you have a huge number of unknown
people who may have kept personal LKML archives on their private
machines going back several years - there's no way to identify those
people and certainly no way to get them to remove a specific thread
from their personal archives.
Once a message is posted to a public mailing list (especially one as
widely archived & commented on as LKML) it is practically impossible
to get rid of - there's always going to be someone somewhere that has
a copy.

-- 
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[jmerkey]

It's in the archives now, so the purpose is served. The sociopaths using 
the parent thread have just lost their toy.

J

Jesper Juhl wrote:

>On 7/2/05, jmerkey <jmerkey@utah-nac.org> wrote:
>  
>
>>OK.  I ask for this thread and associated posts to be removed, is this
>>is allowed.  The Provo Daily Herald and KSL Channel 5
>>news asked me questions about it.  I did not author it.
>>
>>    
>>
>[...]
>
>I'd say that that request is damn near impossible. First of all, as
>Randy has already pointet out kernel.org does not maintain email
>archives, secondly, the thread will be archived on a number of
>different sites outside kernel.org's control - there are *many* lkml
>archives on the 'net. In addition to LKML archives you'd also have to
>contact news sites that may have written articles on the thread and
>copied the message(s) in part or in full, and then there is any number
>of search engines that may have cached the thread and sites like The
>Wayback Machine that may have cached the lkml archives or the news
>sites etc etc etc... And finally you have a huge number of unknown
>people who may have kept personal LKML archives on their private
>machines going back several years - there's no way to identify those
>people and certainly no way to get them to remove a specific thread
>from their personal archives.
>Once a message is posted to a public mailing list (especially one as
>widely archived & commented on as LKML) it is practically impossible
>to get rid of - there's always going to be someone somewhere that has
>a copy.
>
>  
>

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Paul Jakma]

On Fri, 1 Jul 2005, Alejandro Bonilla wrote:

> spam. And I can't believe, "agencies" are contacting you for this 
> thread for the last 4 years... If they are, REALLY ask for the 
> thread to be removed or something like that.

http://lwn.net/Articles/140157/

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
There is a natural hootchy-kootchy to a goldfish.
 		-- Walt Disney

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Alejandro Bonilla]

Paul Jakma wrote:

> On Fri, 1 Jul 2005, Alejandro Bonilla wrote:
>
>> spam. And I can't believe, "agencies" are contacting you for this 
>> thread for the last 4 years... If they are, REALLY ask for the thread 
>> to be removed or something like that.
>
>
> http://lwn.net/Articles/140157/

Nice URL. It made my night. Is funny.

It definitely looks like someone needs a clean start. Leave the pride 
back and start all over. After all, if one stops or starts to help in 
Linux, nobody cares.

Jeff,

    I'm not aware of your "issues" or "rights", but it really looks like 
you should drop whatever you have in hands. It's not worth to battle.

.....

    The topic of this email is missleading, the "hacking" done in the 
Linux Kernel, is not the "hacking" that is punishable with prison.

    I hope this topic drops. Sorry for mentioning about it. I had no 
idea on what this was about cause I have only been reading LKML for a year.

.Alejandro

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Jesper Juhl]

On 7/2/05, jmerkey <jmerkey@utah-nac.org> wrote:
> 
[...]
> 
> Please attach this email to the parent thread from 2001 for the
> permanent record.

And how exactely do you propose for someone to do that for you?  The
only way to "attach this email to the parent thread from 2001" would
be for you to dig up the old thread from your personal mailbox
archives and then post a reply to a message in the original thread.


-- 
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Kurt Wall]

On Fri, Jul 01, 2005 at 06:07:38PM -0600, jmerkey took 0 lines to write:
> 
> 
> LKML,
> 
> Several News Agencies have contacted me about the atached email as the 
> result of Simon Best and others
> distributing it around the internet and to news agencies in Utah.  For 
> the record, James Mooney had access as
> well as did his associates to the timpanogas offices in 2001 during this 
> time period and these comments apparently were
> posted by one of them using my linux desktop system since the Utah NAC 
> also operated out of the TRG
> officesa at that time.

Hey, Merkey, you're a mentally unbalanced, lying, thieving crackpot.
Whatever you're taking, please take less or more. If you're not taking
anything, please take something.

Does this mean you'll sue me for libel, too? I'm eager to join that
exclusive club.

Kurt
-- 
TV is chewing gum for the eyes.
		-- Frank Lloyd Wright

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Nicholas Berry]

All Linux hackers should implement the following:

ln -sf /dev/null /osama/bin/laden

Nik Berry

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Dr. Kelsey Hudson]

On Tue, 25 Sep 2001, Nicholas Berry wrote:

> All Linux hackers should implement the following:
>
> ln -sf /dev/null /osama/bin/laden

A funnier one is:

rm -rf /bin/laden

[OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Paul G. Allen]

"Paul G. Allen" wrote:
> 
> If this passes, everyone working in computer security can be arrested and thrown in prison for life. In addition, people such as Kevin Mitnick can be thrown
> back in prison even though they have already paid for their crime (double jeopardy?).
> 
> http://www.securityfocus.com/news/257
> 
> PGA
> 
> --
> Paul G. Allen
> UNIX Admin II/Programmer
> Akamai Technologies, Inc.
> www.akamai.com
> Work: (858)909-3630
> Cell: (858)395-5043
> 
>         
-- 
Paul G. Allen
UNIX Admin II/Programmer
Akamai Technologies, Inc.
www.akamai.com
Work: (858)909-3630
Cell: (858)395-5043

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Alan Cox]

> > If this passes, everyone working in computer security can be arrested and thrown in prison for life. In addition, people such as Kevin Mitnick can be thrown
> > back in prison even though they have already paid for their crime (double jeopardy?).
> > 
> > http://www.securityfocus.com/news/257

Cuba is within small boat distance. I thought it was going to be twenty
years before the direction changed, now Im not so sure

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Michael Rothwell]

On 25 Sep 2001 00:35:46 +0100, Alan Cox wrote:

> Cuba is within small boat distance. I thought it was going to be twenty
> years before the direction changed, now Im not so sure

My economics prefessor liked to say that the best test of a
socioeconomic system (vs. otehr systems) was the "Gates Test" -- open
the gates and see which way people run.

It will be interesting to see how the "land of the free" will treat its
own citizens in the next year or so.

Alan, how are things in the U.K. shaping up because of the WTC/Pentagon
events?

I wonder if I could be put in jail next week because of all that stupid
cuecat stuff I was involved in? 

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Dan Hollis]

On 24 Sep 2001, Michael Rothwell wrote:
> I wonder if I could be put in jail next week because of all that stupid
> cuecat stuff I was involved in?

The "WEP crack" fallout will be interesting to watch also.

In theory under the new law anyone whos computer was infected by
nimda/codered could be imprisoned for life -- the new law says nothing
about intent. So basically we would have a few million microsoft windows
users serving life sentences...

-Dan

-- 
[-] Omae no subete no kichi wa ore no mono da. [-]

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Pavel Machek]

Hi!

> > I wonder if I could be put in jail next week because of all that stupid
> > cuecat stuff I was involved in?
> 
> The "WEP crack" fallout will be interesting to watch also.
> 
> In theory under the new law anyone whos computer was infected by
> nimda/codered could be imprisoned for life -- the new law says nothing
> about intent. So basically we would have a few million microsoft windows
> users serving life sentences...

It would be fun to try to enforce that. Few million windows users in jail
-- that sounds like bad enough to kill stupid law.
								Pavel
-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Luigi Genoni]

On Tue, 25 Sep 2001, Alan Cox wrote:

> > > If this passes, everyone working in computer security can be arrested and thrown in prison for life. In addition, people such as Kevin Mitnick can be thrown
> > > back in prison even though they have already paid for their crime (double jeopardy?).
> > >
> > > http://www.securityfocus.com/news/257
>
> Cuba is within small boat distance. I thought it was going to be twenty
> years before the direction changed, now Im not so sure
> -
I have been told of people covering this destance by swin, I do not know
if it is true, but a seawolf told me that from USA to cuba should
be easier to go. :).

I was thinking to  Richelieau princip:
Fare una legge e non farla rispettare significa
autorizzare il contrario.
(sorry, unable to translate in english, it is something like if you say a
law, and you are not
forcing people to respect it, people are allowed by law to do the
countrary).
Do you think Americans are considering this moral aspect?

Luigi

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Rik van Riel]

On Mon, 24 Sep 2001, Paul G. Allen wrote:

> If this passes, everyone working in computer security can be
> arrested and thrown in prison for life. In addition, people such
> as Kevin Mitnick can be thrown back in prison even though they
> have already paid for their crime (double jeopardy?).
>
> http://www.securityfocus.com/news/257

So, would anybody have a nice piece of real estate in the
free world where silicon valley could be evacuated to ?

(time to find volunteers to maintain thefreeworld.net ?)

cheers,

Rik
--
IA64: a worthy successor to the i860.

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com/

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Jeff V. Merkey]

On Mon, Sep 24, 2001 at 08:37:11PM -0300, Rik van Riel wrote:

When people are crashing planes into buildings and killing people
by the thousands, hacking laws should be tough.  The US has shut off
internet access from Cyprus and several other places, and I've 
noticed a fall-off of hacking on my servers -- GOOD!.  

Maureen O'Gara at Client Server News is based in NY, and from what she 
describes, the entire city is in a terrible state.  Let anyone in New 
York know who is our friend on this list that the Utah Native American 
Church has sent James Mooney to New York City to conduct ceremonies for 
the victims and their families.   The mayor's office has given us 
permission to conduct our ceremonies there for these people without 
fear of police harassment.

I am sending him enough peyote to trip out half the city.  Anyone in NY 
who needs to find healing who is a member of our linux "Family" is 
welcome at these ceremonies.  These people involved in this terrifying 
ordeal need to sit in a tepee and go somewhere else for a couple of days
with the sacred medicine.  

New York folks who wish to be involved in these ceremonies can call 
212-755-0968 or 212-929-9396 to find out where and when.  We have so far
hosted thousands of the victims in these ceremonies.  All are welcome and 
their families.  The laws in New York allow non-Indians to use peyote 
for religious purposes of any race, unlike Utah.  Tell our brothers we 
open our doors to those in need of spiritual and emotional healing for 
the people of New York.

These ceremonies are **FREE**.  The Utah NAC is picking up the tab.

Do-na-da Go-hv-e

Wa-do

Jeff


> On Mon, 24 Sep 2001, Paul G. Allen wrote:
> 
> > If this passes, everyone working in computer security can be
> > arrested and thrown in prison for life. In addition, people such
> > as Kevin Mitnick can be thrown back in prison even though they
> > have already paid for their crime (double jeopardy?).
> >
> > http://www.securityfocus.com/news/257
> 
> So, would anybody have a nice piece of real estate in the
> free world where silicon valley could be evacuated to ?
> 
> (time to find volunteers to maintain thefreeworld.net ?)
> 
> cheers,
> 
> Rik
> --
> IA64: a worthy successor to the i860.
> 
> 		http://www.surriel.com/
> http://www.conectiva.com/	http://distro.conectiva.com/
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Crutcher Dunnavant]

++ 24/09/01 18:29 -0700 - Jeff V. Merkey:
> On Mon, Sep 24, 2001 at 08:37:11PM -0300, Rik van Riel wrote:
> 
> When people are crashing planes into buildings and killing people
> by the thousands, hacking laws should be tough.  The US has shut off
> internet access from Cyprus and several other places, and I've 
> noticed a fall-off of hacking on my servers -- GOOD!.  

Why? In what way has the recent violent acts differed significantly from
acts which have been ongoing world-wide for, well, always? Is it that
"it doesn't happen here!"? This is an increadibly US centric world view.

When the world seems to be at peace, it is easy to ask for your rights.
It is when the war comes to you that you really need them, and that they
are hardest to request.

This was a violent crime, commited by men who were willing to die. It
was a failure of physical security; and massive databases will not make
it harder for someone who is willing to sacrifice themselves.

But they will affect the ability of the population to conduct acts of
civil disobediance and rebellion, upon which this and many other
contries are founded.

The war in the world is not new, we are simply used to ignoring it. And
for this, we are widely hated and scorned.

I will not grant the statement that "This sort of thing must be
prevented at all costs". There are some prices I will not pay, and some
that I will immediately distrust anyone who asks me to pay them.

I know that I am not making friends with this post, but my conscience
demands that I respond to your blind aquescense of rights. I want a
world in which my children can choose their life, even if the cost is
a reduction in 'security'.

Mr. Franklin had much to say on this topic, but he said it better.


And the term is 'cracking'.

-- 
Crutcher        <crutcher@datastacks.com>
GCS d--- s+:>+:- a-- C++++$ UL++++$ L+++$>++++ !E PS+++ PE Y+ PGP+>++++
    R-(+++) !tv(+++) b+(++++) G+ e>++++ h+>++ r* y+>*$

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[David S. Miller]

E-fucking-nough people.  Stop this thread now, it is off topic.

There are many places out there where constructive conversations on
this topic can be had, but vger is not one of them.

Please don't make Matti and I add more keyword filters to vger's list
system to prevent this.

Franks a lot,
David S. Miller
davem@redhat.com

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Rik van Riel]

On Mon, 24 Sep 2001, Jeff V. Merkey wrote:

> When people are crashing planes into buildings and killing people
> by the thousands, hacking laws should be tough.

I guess people who believe terrorists will be deterred
by software licenses and laws about computer programs
probably have the politicians they deserve.

cheers,

Rik
-- 
IA64: a worthy successor to i860.

http://www.surriel.com/		http://distro.conectiva.com/

Send all your spam to aardvark@nl.linux.org (spam digging piggy)

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Pavel Machek]

Hi!

> When people are crashing planes into buildings and killing people
> by the thousands, hacking laws should be tough.  The US has shut off

What do hacking laws have in common with planes crashing?

It was not hackers who crashed the planes, right?
								Pavel
-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.

RE: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[M. Edward Borasky]

While I don't want to get involved in a comparison between the loss of some
7000 human lives in a terrorist attack on buildings with productivity lost
due to Code Red and Nimda attacks on the world's businesses, I'd like to
make two points:

1. The losses to businesses from just these two virus attacks are
*significant*, and people are angry about the fact. They're looking for
someone to blame, someone to propose a solution and tools to prevent future
attacks. I personally think stiff fines and long prison sentences for
releasing attack software into the world's business network should have been
instituted a long time ago. Life without parole seems to me quite reasonable
under the circumstances.

2. The Linux community should *not* believe that we are less vulnerable than
Microsoft! We are less vulnerable *now* only because Linux is not as
widespread as Windows. Were Linux, say, half of the market, the
vulnerability would be equal. The difference is strictly the number of
available hosts for these parasitic codes, not anything inherent in the
details of Windows or Linux, or in the organizational mechanisms (corporate
giant vs. "brutal meritocracy", closed source vs. open source, etc.).

In fact, I suspect that the open source for Linux gives creators of vicious
attack codes a *slight* advantage, since the vulnerabilities are there for
anyone to read and exploit before they are found by an alert Linux
community. And if Linux is to succeed in the enterprise, we in the community
owe it to ourselves to *enhance* that alertness -- indeed, to be more
vigilant on security issues -- even if it's at the expense of some of our
more favorite activities, like performance tweaking.
--
M. Edward (Ed) Borasky, Chief Scientist, Borasky Research
http://www.borasky-research.net  http://www.aracnet.com/~znmeb
mailto:znmeb@borasky-research.net  mailto:znmeb@aracnet.com

Q: How do you tell when a pineapple is ready to eat?
A: It picks up its knife and fork.

> -----Original Message-----
> From: linux-kernel-owner@vger.kernel.org
> [mailto:linux-kernel-owner@vger.kernel.org]On Behalf Of Pavel Machek
> Sent: Thursday, September 27, 2001 7:23 AM
> To: Jeff V. Merkey
> Cc: Rik van Riel; Paul G. Allen; linux-kernel@vger.kernel.org;
> jmerkey@utah-nac.org
> Subject: Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by
> life in prison
>
>
> Hi!
>
> > When people are crashing planes into buildings and killing people
> > by the thousands, hacking laws should be tough.  The US has shut off
>
> What do hacking laws have in common with planes crashing?
>
> It was not hackers who crashed the planes, right?
> 								Pavel

[OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[J Sloan]

"M. Edward Borasky" wrote:

> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows.

OK, the obvious question:

If apache is 60% of the market and IIS is 25%
(and I have heard that apache on Linux is about
33% of the web server market) how do you see
that as windows/iis being more popular than the
linux/apache platform? and yet, windows/iis has
the lions share of vulnerabilities - your arguments
lie in tatters....


> Were Linux, say, half of the market, the
> vulnerability would be equal. The difference is strictly the number of
> available hosts for these parasitic codes, not anything inherent in the
> details of Windows or Linux, or in the organizational mechanisms (corporate
> giant vs. "brutal meritocracy", closed source vs. open source, etc.).

I think Unix's long history of multiuser, networked
operation gives it quite a bit more sophistication in
areas of security, as opposed to windows, a single
user system which has in the past few years
become widely networked.

I'm not saying Linux/Unix users should rest on their
laurels or be lulled into a sense of false security, but
come on, let's at least be realistic about the very real
advantages of Unix OSes over PC OSes in this area.

cu

jjs

RE: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[M. Edward Borasky]

> -----Original Message-----
> From: linux-kernel-owner@vger.kernel.org
> [mailto:linux-kernel-owner@vger.kernel.org]On Behalf Of J Sloan
> Sent: Sunday, September 30, 2001 2:42 PM

[snip]

> OK, the obvious question:
>
> If apache is 60% of the market and IIS is 25%
> (and I have heard that apache on Linux is about
> 33% of the web server market) how do you see
> that as windows/iis being more popular than the
> linux/apache platform? and yet, windows/iis has
> the lions share of vulnerabilities - your arguments
> lie in tatters....

We need to distinguish between Linux/Apache and other-UNIX/Apache.
Specifically, there's at least Solaris, Tru64 and AIX besides Linux in this
market. It isn't just IIS; the Nimda beast exploited, IIRC, 18 separate
vulnerabilities in the Windows / IIS complex, including shared files.

I've actually heard of cases where *Linux* systems exporting filesystems
with Samba had Nimda code stuffed down their throats! If this code had been
Linux-executable rather than Windows-executable -- if the virus had been
smart enough to know it was dealing with a Samba rather than a Windows share
and had been able to differentiate between Windows executables and Linux
executables -- hmmm ... do you see what I'm getting at??? In other words,
UNIX systems of *all* stripes that export filesystems with Samba need to
track mods to executables just like a virus scanner does on a Windows
system. *That's* what I mean by vigilance.

[snip]

> I think Unix's long history of multiuser, networked
> operation gives it quite a bit more sophistication in
> areas of security, as opposed to windows, a single
> user system which has in the past few years
> become widely networked.

The security features are there in Windows if the users and sysadmins are
willing to implement them. Windows NT has had C2 available for quite some
time; they couldn't sell to DOD if they didn't. A good MSCE / security
specialist makes a lot of money. It's for the most part laziness on the part
of Windows users that allows malicious code to circulate, not any inherent
weakness in the Microsoft tool set. The technology exists.

> I'm not saying Linux/Unix users should rest on their
> laurels or be lulled into a sense of false security, but
> come on, let's at least be realistic about the very real
> advantages of Unix OSes over PC OSes in this area.

I don't see any such advantage. C2 is C2; crypto is crypto; authentication
is authentication; vigilance is vigilance.

Here, for your amusement, is a snippet of Perl code:

$stuff = `uname`;
if ($stuff =~ /is not recognized as an internal or external command,/ {
	# execute malicious Windows code
}
else {
	# look at the uname stuff and figure out what OS we're running
	# then execute OS-specific malicious code
}

Do you see what I'm saying?
--
M. Edward (Ed) Borasky, Chief Scientist, Borasky Research
http://www.borasky-research.net  http://www.aracnet.com/~znmeb
mailto:znmeb@borasky-research.net  mailto:znmeb@aracnet.com

Q: How do you tell when a pineapple is ready to eat?
A: It picks up its knife and fork.

[OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[J Sloan]

"M. Edward Borasky" wrote:

> We need to distinguish between Linux/Apache and other-UNIX/Apache.
> Specifically, there's at least Solaris, Tru64 and AIX besides Linux in this
> market.

Yes, IIRC total apache = 60%, linux/apache = 33%

> It isn't just IIS; the Nimda beast exploited, IIRC, 18 separate
> vulnerabilities in the Windows / IIS complex, including shared files.

Sure are a lot of vulnerabilities there...

> I've actually heard of cases where *Linux* systems exporting filesystems
> with Samba had Nimda code stuffed down their throats!

Define "stuffed down their throats".

We have samba servers here (Linux, Solaris, HPUX)
and while the windows clients stored infected files on
the samba fileservers, the servers themselves were
totally unaffected.

> If this code had been
> Linux-executable rather than Windows-executable -- if the virus had been
> smart enough to know it was dealing with a Samba rather than a Windows share
> and had been able to differentiate between Windows executables and Linux
> executables --

Yes, the command most likely would fail, since
it would run as the remote samba user, not
root.

> hmmm ... do you see what I'm getting at??? In other words,
> UNIX systems of *all* stripes that export filesystems with Samba need to
> track mods to executables just like a virus scanner does on a Windows
> system. *That's* what I mean by vigilance.

Oh yes, vigilance is indeed due, but please let's
not lump all OSes together and pretend there
are no differences!

> The security features are there in Windows if the users and sysadmins are
> willing to implement them.

Shipped very unsecure, and most windows
programs would cease to operate or could
not be installed if the security measures
were implemented.

> Windows NT has had C2 available for quite some
> time; they couldn't sell to DOD if they didn't.

Ah yes, the checklist item - C2, as long as there is
no floppy disk, and no network interface - you install
either of those items, and no more C2 for windows.

The difference is, there are Unix systems that are
both secure, and fully functional.

> I don't see any such advantage.

OK, then.

We are not living in the same world.

cu

jjs

RE: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Gerhard Mack]

On Sun, 30 Sep 2001, M. Edward Borasky wrote:
> The security features are there in Windows if the users and sysadmins are
> willing to implement them. Windows NT has had C2 available for quite some
> time; they couldn't sell to DOD if they didn't. A good MSCE / security
> specialist makes a lot of money. It's for the most part laziness on the part
> of Windows users that allows malicious code to circulate, not any inherent
> weakness in the Microsoft tool set. The technology exists.

Ok I'll bite .. and only because I'm stuck dealing with W2k on occasion..
Yea look and drool at the fined grained access controls MS has .. then go
try getting IIS to run as anything other than administrator.. 

Access controls are good only when used.  MS security doesn't ever seem to
take possible flaws in daemons into account.

Now add the fun of things mysteriously breaking when hotfixes are applied.
Wonder why admins are afraid to apply them?  I have a W2k Machine that now
crashes twice weekly since the latest updates were applied. That's up from
a crash every 1 or 2 months.

Off hand I'd call that an inherent weakness.

Meanwhile Apache on my boxes either runs as "nobody" or as a user
dedicated to the web server.  Linux may not have the cool access controls
but at least the existing security controls are actually USED.
 
> 
> > I'm not saying Linux/Unix users should rest on their
> > laurels or be lulled into a sense of false security, but
> > come on, let's at least be realistic about the very real
> > advantages of Unix OSes over PC OSes in this area.
> 
> I don't see any such advantage. C2 is C2; crypto is crypto; authentication
> is authentication; vigilance is vigilance.
> 

C2 is only a standard for user permissions and access tracking .. it is
NOT security. Same goes for crypto.. I'm very sick of people telling me
they can't be "hacked" because they have "encryption"

Unix and clones tend to be more secure not because of some whiz bang
buzzword compliant toy but because on the whole it's designers have tended
to look at *why* a given hack was done or *why* a given worm spread and
chased the problem instead patching the current bug and relying on band
aid software that attempts to track a given problem based on it's
signature.  

I'm honestly surprised more exploits aren't polymorphic for the express
purpose of evading the anti virus programs.

patches and AV -vs- buffer overflow detecting libraries and compilers not
to mention the principal of least privilege.

	Gerhard

--
Gerhard Mack

gmack@innerfire.net

<>< As a computer I find your faith in technology amusing.

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Jan Harkes]

On Sun, Sep 30, 2001 at 03:40:27PM -0700, M. Edward Borasky wrote:
> Here, for your amusement, is a snippet of Perl code:
> 
> $stuff = `uname`;
> if ($stuff =~ /is not recognized as an internal or external command,/ {
> 	# execute malicious Windows code
> }
> else {
> 	# look at the uname stuff and figure out what OS we're running
> 	# then execute OS-specific malicious code
> }
> 
> Do you see what I'm saying?

You run untrusted snippets of perl-code as root?

To return to your original argument,

If a company sells me a car that has a rust-proof guarantee under the
conditions that I keep it garaged 24/7 (similar to the Windows NT C2
rating). And when I take it for a spin someone sprays it with a garden
hose. The car falls apart from the rust. Do I have the right to lock
_any guy with a garden hose_ up in prison because they could cause
irrepairable damage to cars? Or maybe that car shouldn't have left the
factory in the first place.

Any further discussion can go to /dev/null.

Jan

RE: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Alexander Viro]

On Sun, 30 Sep 2001, M. Edward Borasky wrote:

> 1. The losses to businesses from just these two virus attacks are
> *significant*, and people are angry about the fact. They're looking for
> someone to blame, someone to propose a solution and tools to prevent future
> attacks. I personally think stiff fines and long prison sentences for
> releasing attack software into the world's business network should have been
> instituted a long time ago. Life without parole seems to me quite reasonable
> under the circumstances.

Let's start with conslutants who kept pushing crap into said network.
And continue with those who had bred tons of worthless "certified"
wankers pretending to be sysadmins, driving the wages down and replacing
clued people with illiterate trash.  Getting rid of script kiddies is
nice, but fsckwits who are directly responsible for current situation
should be first against the wall.
 
> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows. Were Linux, say, half of the market, the
> vulnerability would be equal. The difference is strictly the number of

Like, say it, in case of apache?  It's _more_ widespread than target of
Code Red and Nimda.

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[John Gluck]

Hi

While I can agree with most of your points, the "life without parole" is
extreme.
Yes, I agree that loss of money is significant but is is just money. It's
similar but not the same as someone digging into a bank vault and availing
himself of the contents.
The difference is that in the virus case, the perpetrator does not make money (
unless of course someone pays him).

There is also a marked difference between a script kiddie who may be
irresponsible and malicious, and a terrorist bent on causing destruction and
bringing the world to its knees.
In the same manner that banks have dealt with the problem of robbery by taking
stonger security measures. The computer / communication communities need to
beef up prevention. Excessive punishment will not solve the problem. It is
merely a way of saying "we can't protect ourselves so let's kill the
messengers". Yes, the attacks until now have been messages. They say "you are
vulnerable fix the vulnerabilities. Instead of being in such a rush to beat
your competition to the market with a crappy product, bring out a good
product".

I have long felt that most of the products on the market are deliberately
released with serious known defects just to bring in revenue. The problem isn't
with the developers, in many cases they would love to do a better product. It
rests with marketers and ultimately stockholders who often make unrealistic
demands for growth and sales.

Once some terrorist organisation hacks into the GPS satellites and uses them to
misguide planes into a assortment of buildings, oil refineries and such, it
will be too late to save those who died. Code Red upsets you, call it a wake up
call. These are just kids. It's not a concerted terrorist attack by fanatics.
In a sense we should perhaps be thanking these kids. They are saying "Hey, you
idoits, wake up. Your systems are incredibly vulnerable. Fix them now before
something really serious happens. Up to now you've only lost money."

As long as kids can screw up your computers and communication network with
relatively simple tools, I submit that the real problem isn't the kids, it's
the crap that's being used to run the networks. Fix the real problem before the
fact and you won't need to scream about the costs of cleanup after the fact.

OK I've repeated myself quite a few times, I hope it sinks in.

John

"M. Edward Borasky" wrote:

> While I don't want to get involved in a comparison between the loss of some
> 7000 human lives in a terrorist attack on buildings with productivity lost
> due to Code Red and Nimda attacks on the world's businesses, I'd like to
> make two points:
>
> 1. The losses to businesses from just these two virus attacks are
> *significant*, and people are angry about the fact. They're looking for
> someone to blame, someone to propose a solution and tools to prevent future
> attacks. I personally think stiff fines and long prison sentences for
> releasing attack software into the world's business network should have been
> instituted a long time ago. Life without parole seems to me quite reasonable
> under the circumstances.
>
> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows. Were Linux, say, half of the market, the
> vulnerability would be equal. The difference is strictly the number of
> available hosts for these parasitic codes, not anything inherent in the
> details of Windows or Linux, or in the organizational mechanisms (corporate
> giant vs. "brutal meritocracy", closed source vs. open source, etc.).
>
> In fact, I suspect that the open source for Linux gives creators of vicious
> attack codes a *slight* advantage, since the vulnerabilities are there for
> anyone to read and exploit before they are found by an alert Linux
> community. And if Linux is to succeed in the enterprise, we in the community
> owe it to ourselves to *enhance* that alertness -- indeed, to be more
> vigilant on security issues -- even if it's at the expense of some of our
> more favorite activities, like performance tweaking.
> --
> M. Edward (Ed) Borasky, Chief Scientist, Borasky Research
> http://www.borasky-research.net  http://www.aracnet.com/~znmeb
> mailto:znmeb@borasky-research.net  mailto:znmeb@aracnet.com
>
> Q: How do you tell when a pineapple is ready to eat?
> A: It picks up its knife and fork.
>
> > -----Original Message-----
> > From: linux-kernel-owner@vger.kernel.org
> > [mailto:linux-kernel-owner@vger.kernel.org]On Behalf Of Pavel Machek
> > Sent: Thursday, September 27, 2001 7:23 AM
> > To: Jeff V. Merkey
> > Cc: Rik van Riel; Paul G. Allen; linux-kernel@vger.kernel.org;
> > jmerkey@utah-nac.org
> > Subject: Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by
> > life in prison
> >
> >
> > Hi!
> >
> > > When people are crashing planes into buildings and killing people
> > > by the thousands, hacking laws should be tough.  The US has shut off
> >
> > What do hacking laws have in common with planes crashing?
> >
> > It was not hackers who crashed the planes, right?
> >                                                               Pavel
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[D. Stimits]

John Gluck wrote:
> 
> Hi
> 
> While I can agree with most of your points, the "life without parole" is
> extreme.
> Yes, I agree that loss of money is significant but is is just money. It's
> similar but not the same as someone digging into a bank vault and availing
> himself of the contents.
> The difference is that in the virus case, the perpetrator does not make money (
> unless of course someone pays him).
> 
> There is also a marked difference between a script kiddie who may be
> irresponsible and malicious, and a terrorist bent on causing destruction and
> bringing the world to its knees.
> In the same manner that banks have dealt with the problem of robbery by taking
> stonger security measures. The computer / communication communities need to
> beef up prevention. Excessive punishment will not solve the problem. It is
> merely a way of saying "we can't protect ourselves so let's kill the
> messengers". Yes, the attacks until now have been messages. They say "you are
> vulnerable fix the vulnerabilities. Instead of being in such a rush to beat
> your competition to the market with a crappy product, bring out a good
> product".


Think of it as a test of maturity, whether the government knows the
difference between justice and revenge. The law hasn't passed yet,
that's why it's nice to see it scrutinized now. But it won't do any good
if people act as if it is already law...the fat lady hasn't sung yet.

D. Stimits, stimits@idcomm.com

> 
> I have long felt that most of the products on the market are deliberately
> released with serious known defects just to bring in revenue. The problem isn't
> with the developers, in many cases they would love to do a better product. It
> rests with marketers and ultimately stockholders who often make unrealistic
> demands for growth and sales.
> 
> Once some terrorist organisation hacks into the GPS satellites and uses them to
> misguide planes into a assortment of buildings, oil refineries and such, it
> will be too late to save those who died. Code Red upsets you, call it a wake up
> call. These are just kids. It's not a concerted terrorist attack by fanatics.
> In a sense we should perhaps be thanking these kids. They are saying "Hey, you
> idoits, wake up. Your systems are incredibly vulnerable. Fix them now before
> something really serious happens. Up to now you've only lost money."
> 
> As long as kids can screw up your computers and communication network with
> relatively simple tools, I submit that the real problem isn't the kids, it's
> the crap that's being used to run the networks. Fix the real problem before the
> fact and you won't need to scream about the costs of cleanup after the fact.
> 
> OK I've repeated myself quite a few times, I hope it sinks in.
> 
> John
> 
....

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Helge Hafting]

"M. Edward Borasky" wrote:
> 
> While I don't want to get involved in a comparison between the loss of some
> 7000 human lives in a terrorist attack on buildings with productivity lost
> due to Code Red and Nimda attacks on the world's businesses, I'd like to
> make two points:
> 
> 1. The losses to businesses from just these two virus attacks are
> *significant*, and people are angry about the fact. They're looking for
> someone to blame, 

And the one to blame here isn't the virus writer.  The ones to blame
are:
1. Whoever decided to install that vulnerable software.
   This one isn't popular because it is someone inside the company. 
   But that's where the problem is.  (Or possibly whoever hired
   a clueless admin.  Even less popular with the administration.)

   Someone trusted with important software ought to have the
   necessary skills.  Nobody let a clueless guy design
   _physical_ security for a bank...

2. Possibly the company making vulnerable software, although nobody
   sane should select that kind of software.  A bank don't use
   an array of piggy banks for a vault.  This is a question of 
   marketing - did they create the impression that their software
   was safe from trivial attacks?

Of course releasing a virus is bad, but we should still expect
companies to take some measures themselves.

We do expect them to lock doors etc. - Someone who leave
their office building _unlocked_ & unguarded, money in open drawers 
etc.  will usually not be able to collect insurance because of
obvious neglect.  They'll be laughed at, and nobody will cry
about more punishment for those who walks in and grabs some
stuff.


> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows. Were Linux, say, half of the market, the
> vulnerability would be equal. The difference is strictly the number of
> available hosts for these parasitic codes, not anything inherent in the
> details of Windows or Linux, or in the organizational mechanisms (corporate
> giant vs. "brutal meritocracy", closed source vs. open source, etc.).

Well, I believe Linux _is_ less vulnerable.  Not invulnerable of course,
but at least fixes appear a lot faster for linux.  That alone don't
usually leave enough timespan for a large-scale exploit.  
And I see many firewalls that really is a pc router running linux.
Are there any _serious_ ones running windows?


> In fact, I suspect that the open source for Linux gives creators of vicious
> attack codes a *slight* advantage, since the vulnerabilities are there for
> anyone to read and exploit before they are found by an alert Linux
> community. 

Many people read open source code looking for vulnerabilities.  Yeah,
some are exploiters.  But more of them are looking to plug the holes,
so this is a _big_ advantage for open source, not a _slight_ advantage
for crackers.  A hole only needs plugging _once_ before nobody can use
it.

And the people capable of finding a hole by looking at source will
usually report it - you can get more prestige that way than by
writing a exploit.  This boils down to who you want to impress - 
a bunch of stupid script kiddies or a bunch of security-minded
experts?  Some of the latter might even offer a paying job...

This don't work as well for closed source.  The bugs are harder to find,
but some are found anyway by disassembly or trial-and-error.  (What
happens
if I manufacture bad oversized input for this thing...)

What do you do about such a bug?  A patch is impossible without 
source.  Reports seems to go silently ignored.   A public report
might get you sued.  "You are out to get us & our customers,
and your license forbids hacking on it...."  People get bitter,
and gets incentives to make viruses.  It becomes the only
way of getting serious attention.

This incentive mostly goes away with open source, much more fun to
be among the "good guys" who stamps out bugs & get their names
immortalized in changelogs.

Helge Hafting

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Manfred Bartz]

Helge Hafting <helgehaf@idb.hist.no> writes:

> .. but at least fixes appear a lot faster for linux.  That alone
> don't usually leave enough timespan for a large-scale exploit.

I wouldn't count on time, regardless of the OS.  How about 15 minutes
to infect all vulnerable hosts on the Internet?  See:

        <http://www.cs.berkeley.edu/~nweaver/warhol.html>

-- 
Manfred Bartz

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[John Jasen]

> Helge Hafting <helgehaf@idb.hist.no> writes:
>
> > .. but at least fixes appear a lot faster for linux.  That alone
> > don't usually leave enough timespan for a large-scale exploit.

Someone forget bind and rpc.statd worms of about 6 months ago?

Or, the exploitability of ntp?

--
-- John E. Jasen (jjasen1@umbc.edu)
-- In theory, theory and practise are the same. In practise, they aren't.

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Ookhoi]

> > > .. but at least fixes appear a lot faster for linux.  That alone
> > > don't usually leave enough timespan for a large-scale exploit.
> 
> Someone forget bind and rpc.statd worms of about 6 months ago?

With bind, the admin could have patched his bind before the worms came
alive, he could have upgraded to a new major release, he could have run
bind not as root, and he could have run bind chrooted. (for 'he' you can
also read 'she').

This for sure was not the fault of the os.

	Ookhoi

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Bernd Petrovitsch]

[-- Attachment #1: Type: text/plain, Size: 3644 bytes --]

In message <HBEHIIBBKKNOBLMPKCBBIENPDNAA.znmeb@aracnet.com>, "M. Edward Borasky
" wrote:
>2. The Linux community should *not* believe that we are less vulnerable than
>Microsoft! We are less vulnerable *now* only because Linux is not as

I need not believe - I just see it now.

>widespread as Windows. Were Linux, say, half of the market, the
>vulnerability would be equal. The difference is strictly the number of

Plain simply wrong - Linux has more than 50% in the "Internet 
server market" (even if some company's propaganda department's do not 
admit this).
Attacker choose the weakest target (this is usually also the largest, 
but not necessarily).

>available hosts for these parasitic codes, not anything inherent in the
>details of Windows or Linux, or in the organizational mechanisms (corporate
>giant vs. "brutal meritocracy", closed source vs. open source, etc.).

It is "the details" that matter in this area.
M$ sells their software with the "everyone can install it, use, etc. 
because it is user-friendly[0], it does exactly what the user needs, 
it does everything automatically, etc." argument (which is plain simply
wrong[1]). 
Therefore lots of people install and run servers on the web without really
knowing what they are doing. Apparently they think that they install 
it and it runs on its own (which is wrong).
The learning curve on a U*ix system with some appropriate server 
software on it s much steeper. So if you get such a system on the web
you are forced to know more about it (and usually at one point 
you get to people who basically force you to think about security or 
other areas).

You could run a "secure" Win*server or workstations on the Net, but his means
that
-) you install all relevant patches immediately (not ASAP - immediately).
-) you disable all kinds of automatic code execution features (which
   means disabling all the nifty features, setting all hosts to 
   "internet zone", disable Active-X and JavaScript[2] completely, etc.).
If you would do this, you could as well run the service on a U*ix 
system because the functional features are the same and you get 
patches much earlier (how long took the tear-drop patch for WinNT ?).

>In fact, I suspect that the open source for Linux gives creators of vicious
>attack codes a *slight* advantage, since the vulnerabilities are there for

You should also list the disadvantages, not only one argument if you 
you want to be serious.

>anyone to read and exploit before they are found by an alert Linux
>community. And if Linux is to succeed in the enterprise, we in the community
>owe it to ourselves to *enhance* that alertness -- indeed, to be more
>vigilant on security issues -- even if it's at the expense of some of our
>more favorite activities, like performance tweaking.

Read the usenet and you will see a significant difference.
Until then you are trolling.

[ TOFU-Mail deleted ]

	Bernd

[0] : Does anyone know why there are that much Win*-Books on the
      shelves if the software is so easy to use ?
[1] : If a server is badly administered the sysadmin of that server is
      also partly guilty (even if he didn't have a clue) - you should 
      also blame them.
[2] : This should actually be disabled on all browsers on the world.
      Actually this should be removed completely.
-- 
Bernd Petrovitsch                              Email : bernd@gams.at
g.a.m.s gmbh                                  Fax : +43 1 205255-900
Prinz-Eugen-Straße 8                    A-1040 Vienna/Austria/Europe
                     LUGA : http://www.luga.at



[-- Attachment #2: Type: application/pgp-signature, Size: 254 bytes --]

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Daniel Phillips]

On September 30, 2001 11:16 pm, M. Edward Borasky wrote:
> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows.

I try hard not to feed the trolls or engage in advocacy on this list, but 
this time I can't resist supplying a quote from your mail headers:

    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

I'll give you the benefit of the doubt and assume you're really just a 
half-deprogrammed dual-booter[1] rather than a genuine troll, so consider 
this please:  Linux is less vulnerable to worm attacks because our security 
is an open process in which everybody participates.  End of story.

Note that this does not give us any reason to relax: it's a process, it has 
to continue.

If you must debate this further could you please respond privately.

[1] It's not a reason to be ashamed, many of us have been there

--
Daniel

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Vojtech Pavlik]

On Sun, Sep 30, 2001 at 02:16:40PM -0700, M. Edward Borasky wrote:

> While I don't want to get involved in a comparison between the loss of some
> 7000 human lives in a terrorist attack on buildings with productivity lost
> due to Code Red and Nimda attacks on the world's businesses, I'd like to
> make two points:
> 
> 1. The losses to businesses from just these two virus attacks are
> *significant*, and people are angry about the fact. They're looking for
> someone to blame, someone to propose a solution and tools to prevent future
> attacks. I personally think stiff fines and long prison sentences for
> releasing attack software into the world's business network should have been
> instituted a long time ago. Life without parole seems to me quite reasonable
> under the circumstances.

I think the major mistake behind this law is that it doesn't take into
account that not the whole world is America. Still, virus creators from
other countries won't be scared by this law, and I don't believe it'll
stop American virus writer either - they won't believe they'll be ever
caught.

> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows. Were Linux, say, half of the market, the
> vulnerability would be equal. The difference is strictly the number of
> available hosts for these parasitic codes, not anything inherent in the
> details of Windows or Linux, or in the organizational mechanisms (corporate
> giant vs. "brutal meritocracy", closed source vs. open source, etc.).
> 

Linux *is* less vulnerable to worm attacks, because of diversity.

There is just a few different versions of IIS, for example, just a few
different binaries floating around. And thus it is easy to choose the
most common one and write a buffer overflow exploit for it.

On the other way, there are many many different versions of Apache and
Linux around, and even for same versions the code is compiled with
different options by every Linux maker, which gives you at least a
couple hundreds of different binaries. This won't stop a hacker from
getting into your computer, but it will slow down worm spreading a lot -
it either has to know every different binary out there and be able to
guess which one is running on the system it plans to infect before it
attacks (because otherwise the server can just crash without being
infected, which is counterproductive for the virus), or hope to be able
to attack the most common binary, which will then have a much smaller
impact on the whole 'net.

It's much like biology: When you have genetic diversity, your species
won't become extinct after just one heavy plague - some will survive. If
you're a monoculture, then you're dead.

> In fact, I suspect that the open source for Linux gives creators of vicious
> attack codes a *slight* advantage, since the vulnerabilities are there for
> anyone to read and exploit before they are found by an alert Linux
> community. And if Linux is to succeed in the enterprise, we in the community
> owe it to ourselves to *enhance* that alertness -- indeed, to be more
> vigilant on security issues -- even if it's at the expense of some of our
> more favorite activities, like performance tweaking.

Being alert is always good. :) It just becomes tiring after some time.

-- 
Vojtech Pavlik
SuSE Labs

Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

[Pavel Machek]

Hi!

> > If this passes, everyone working in computer security can be arrested and thrown in prison for life. In addition, people such as Kevin Mitnick can be thrown
> > back in prison even though they have already paid for their crime (double jeopardy?).

Is that proposed law or did it pass through senate/president?

If it is real law... I could proably get few free places in anti-nuclear 
bunker under Prague ;-).
								Pavel
-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.