Create an Account
username: password:
  MemeStreams Logo

I'm amused aren't you?


My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

wilpig's topics
   TV Comedy
   SciFi TV
  PC Video Games
Health and Wellness
Home and Garden
Current Events
Local Information
   (Computer Security)
   PC Hardware
   Computer Networking
   Microsoft Windows
   Web Design
  High Tech Developments

support us

Get MemeStreams Stuff!

Current Topic: Computer Security

The Register | Slammer worm crashed Ohio nuke plant net
Topic: Computer Security 10:58 am EDT, Aug 21, 2003

] The Slammer worm penetrated a private computer network at
] Ohio's Davis-Besse nuclear power plant in January and
] disabled a safety monitoring system for nearly five
] hours, despite a belief by plant personnel that the
] network was protected by a firewall, SecurityFocus has
] learned.

Luckily the plant was offline due to other problems and has been since Feb 2002. But systems like this really should have better protection than what is described here.

The Register | Slammer worm crashed Ohio nuke plant net

'Good' Worm Fixes Infected Computers (
Topic: Computer Security 10:49 pm EDT, Aug 19, 2003

] A new Internet worm emerged today that is designed to
] seek out and fix any computer that remains vulnerable to
] "Blaster," the worm that attacked more than 500,000
] computers worldwide last week.

'Good' Worm Fixes Infected Computers (

SecurityFocus HOME Columnists: The Sad Tale of a Security Whistleblower
Topic: Computer Security 5:20 pm EDT, Aug 18, 2003

] Bret McDanel was dissatisfied with his former employer,
] Tornado Development, Inc. Tornado provided internet
] access and web-based e-mail to its clients. However,
] McDanel apparently discovered a flaw in the web-mail that
] would permit malicious users to piggyback a previous
] secure session

I hate hearing about people getting fines and having to serve jailtime for discovering a hole. In this case though he may have stepped over the line by informing all of their customers.

SecurityFocus HOME Columnists: The Sad Tale of a Security Whistleblower

SecurityFocus HOME News: RPC DCOM Worm Hits the Net
Topic: Computer Security 10:14 am EDT, Aug 12, 2003

] A malicious worm that exploits last month's RPC
] DCOM vulnerability struck the Internet Monday
] afternoon, targeting unpatched Windows 2000 and
] Windows XP machines.
] The worm, dubbed "Blaster" and "LovSan" by security
] and anti-virus companies, attacks vulnerable
] machines over TCP port 135, then spawns a shell
] and initiates a TFTP file transfer to retrieve the
] worm's code.

Well get ready the worm is set to DoS starting this Saturday, 09/15/2003. For more information Symantec has a good write up on the worm at

SecurityFocus HOME News: RPC DCOM Worm Hits the Net

Disclosure of Major Software Exploits by Students?
Topic: Computer Security 5:34 pm EDT, Aug 11, 2003

] "I am a U.S. university student who has recently come
] across 2 remote exploits for a homework program used by
] colleges nationwide. Both vulnerabilities allow students
] to give themselves arbitrary scores, and possibly execute
] arbitrary code. To further emphasize the scope of this
] vulnerability, I have written and -selftested
] proof-of-concept exploit code. Naturally, I want to share
] this information with their software engineers, and would
] even be nice enough and suggest a means to fixing it.
] However, with the state of current intellectual property
] and reverse-engineering laws, I hesitate to do so out of
] fear of litigation or academic disciplinary action. As an
] ethical geek, what do -you- do?"

this sounds familiar.

Disclosure of Major Software Exploits by Students?

Interz0ne Press Release - re: Blackboard Settlement
Topic: Computer Security 8:15 pm EDT, Jul 20, 2003

From Wed Jul 16 10:59:47 2003
Date: Wed, 16 Jul 2003 06:14:52 -0400
From: Rockit []
Subject: [se2600] Interz0ne Press Release re: Blackboard Settlement

Interz0ne Press Release:

Censorship via lawsuit wins again.

Lawyers working for Blackboard Inc., the maker of a card transaction, vending and ID system used by approximately 275 colleges and universities globally, as well as an undiscosed number of government and military installations, succeeded in silencing two college students who have found numerous flaws in Blackboard's flagship product over the last two years.

Georgia Tech student Billy Hoffman, along with University of Alabama student Virgil Griffith, initially kept the discoveries quiet while attempting to report them to Blackboard engineers, along with possible fixes. Traditionally, the discoverers of such flaws allow the vendors time to fix problems before going public; this provides the vendors with essentially free quality control labor while the discoverers get later bragging rights and items to pad their resumes. This unofficial system has worked well in the past, to the extent that Blackboard even boasts of working with the hacker community on their website.

Instead of taking an interest in news of these flaws, however, Blackboard engineers first dismissed Hoffman as a know-nothing "kid", then attempted to have him expelled from Georgia Tech after he voiced his concerns about Tech's Blackboard system to campus administrators and student organizations. Hoffman responded by first publishing his (and later Griffith's) findings, and then updating his articles via talks at various vendor and security conferences.

It was at such a conference, Interz0ne II in Atlanta, that Hoffman and Griffith were planning to discuss the most severe problems they had uncovered to date, including a demonstration of several easy-to-assemble hardware devices that could supposedly allow anyone with malicious intent free reign on a Blackboard system.

Hoffman and Griffith never gave their talk.

Instead, they and the convention organizers were served with both restraining orders and cease and desist orders. Court dates soon followed, along with legal threats. Several months after the convention, both Hoffman and Griffith settled out of court. They refuse to discuss the issue, so one can assume that the settlement includes an NDA.

Blackboard spokesdrone Michael Stanton stated to AP reporters on Monday, July 14th (a day before the settlement was officially filed) that "...the claims [Hoffman and Griffith] were making were silly," that "...they really didn't do a lot of the things they were claiming to [have done]" and that the settlement reaffirms that Blackboard's systems are secure.


The settlement does nothing of the sort.

If Hoffman and Griffith's clai... [ Read More (0.4k in body) ]

Interz0ne Press Release - re: Blackboard Settlement

Group claims Linux advance on Xbox | CNET
Topic: Computer Security 1:56 pm EDT, Jun 30, 2003

] A group of Xbox security researchers say they have found
] a way to run Linux on the Xbox game console without a
] so-called mod chip and will go public with the technique
] if Microsoft won't talk to them about releasing an
] official Linux boot loader.

] Muir says the release of the claimed series of exploits,
] one of which is in the Xbox Dashboard utility, factory-
] installed on the Xbox hard drive, could be disastrous for
] games companies intent on preventing piracy. If genuine,
] the exploits would let anyone with even a slight technical
] knowledge "reflash" the Xbox BIOS, allowing users to
] pirate games. The only hardware modification necessary is
] a dollop of solder on the write-enable pads on the
] motherboard.

Very interesting..

This is a nightmare situation for Microsoft. If they do nothing, exploits will be released enabling mass-piracy of their games. If they release a Linux bootloader, then they have allowed Linux onto their platform. They sell these consoles at below cost and make their money on games. Razors and blades. From an economic standpoint, either presented option is totally unacceptable.

Also, if Microsoft plays along, there is no guarantee that the exploits will not get released, or more likely, discovered by others.. Infact, I believe they are only being baited, and these exploits will be released anyway. I can't envision Microsoft giving into any demands, of any type, let alone a signed linux bootloader for the XBox..

Expect Microsoft to create a third option. Expect lawsuits. Expect someone to get arrested. The DMCA will play an obvious role. I could see them attacking Huang just for drill.. This will be a developing story..

Group claims Linux advance on Xbox | CNET

Secret Handshakes from Pairing-Based Key Agreements
Topic: Computer Security 3:29 pm EDT, Jun 11, 2003

This scheme allows Alice to ask Bob if Bob is a warez site, but if it turns out that Bob is the RIAA he cannot prove that Alice asked for warez, and if it turns out that Alice is the RIAA she cannot prove that Bob is a warez site.

Secret Handshakes from Pairing-Based Key Agreements

Secunia - Advisories - Microsoft Browser Fall Down Go Boom 5 Line HTML Funfun
Topic: Computer Security 11:45 pm EDT, May  4, 2003

] A vulnerability identified in a library included in
] Windows XP and Internet Explorer version 4.0 and newer
] can be exploited to cause a DoS (Denial of Service) on
] certain applications.
] The vulnerability is caused due to a NULL pointer
] dereference bug in Microsoft Shell Light-Weight Utility
] Library ("shlwapi.dll"). A malicious person can exploit
] the vulnerability by constructing a special HTML
] document, which will crash applications using the
] vulnerable library.
] An example was provided in the original advisory:

Secunia - Advisories - Microsoft Browser Fall Down Go Boom 5 Line HTML Funfun

Harvard Crimson | Swipe Card Hack Prompts Complaint
Topic: Computer Security 11:40 am EDT, Apr 21, 2003

From: Joe Klein [jsklein@x]
To: SE2600 List [root at don't-you-dare]
Subject: RE: [se2600] RE: Swipe Card Hack Prompts Complaint
Date: Thu, 17 Apr 2003 13:42:46 -0400

Response send to author:

Ms. Kicenuik,

Thank you for the article, but I think you have been misinformed.

Fact 1: Banks and other financial institutes are required by law to secure financial transactions between and over networks. Even on the Internet, financial transactions are secured using ssl encryption. Blackboard, now acting like a financial network, is not using secure communications.

Fact 2: BlackBoard has other products which have had vulnerabilities over the last 4 years. Apparently, they have a history of slow response to security problems.

Fact 3: Harvard signed a contract, releasing BlackBoard of all liability, in the used of their product. Any financial loss because of the lack of security in the BlackBoard systems, will be absorbed by Harvard.

Fact 4: This problem was reported to the BlackBoard company 6 months ago. This delay of addressing the security vulnerability only exposes blackboard customers and not Blackboard company.

Fact 5: The majority of hackers are not caught, so focusing on prosecution of the crime and not securing the system, would be considered a lack of due diligence. There for holding the Blackboard customers again, liable for all loss.

Here is the backup information which substantiates the above facts.

Fact 1:
Fact 2:
2003-01-25: Blackboard Learning System SQL Injection
Variant Vulnerability
2003-01-21: Blackboard Learning System SQL Injection
2002-07-01: Blackboard Cross-Site Scripting Vulnerability
2000-07-18: Blackboard CourseInfo 4.0 Database Modification
2000-07-10: Blackboard CourseInfo 4.0 Plaintext Administrator
Password Vulnerability

Fact 3:

Fact 4:

Fact 5:

Now here is the challenge to you, how about writing an article which
addresses the facts.

Snagged from the SE2600 mailing list.

Harvard Crimson | Swipe Card Hack Prompts Complaint

(Last) Newer << 1 - 2 - 3 >> Older (First)
Powered By Industrial Memetics