software development, security, opinion
Archive for the ‘LINKS’ Category.
Jakob Nielsen: “To design an easy-to-use interface, pay attention to what users do, not what they say.” [Scripting News]
A particularly insidious kind of spam. It looks like a friend sent a greeting card. Click on the link and you go to a page where it says you need to upgrade in order to get the card. They walk you through the install process. Don’t do it — this puts code on your machine, certainly adware, maybe spyware, maybe worse. Now for experienced programmers this is pretty transparent, but what about less technical users? Oy, what a mess. What does the future hold? [Scripting News]
The Register, Aug 11 2001 12:11PM ET:
Hacking IIS — how sweet it is.
We’ve looked over a few recent credit-card database compromises brought to our attention by CardCops (formerly AdCops), an organization which tries to get the straight dope on e-commerce hacks directly from the blackhat community to better inform merchants of threats to their systems.
The most recent victims CardCops has seen are on-line perfumery StrawberryNet.com; computer retailer mWave.com; and a very large Texas ISP called Stic.net, which gave up many thousands of credit card details, along with the records of 500 businesses and their FTP logins. All of the victims are running IIS 4 or 5 over Win-NT or 2K.
Not surprisingly, Microsoft IIS is quite popular among carders, because it’s got lots and lots of holes, and because it’s often used by people who lack the technical know-how to bung them. It’s easy to use, which makes it particularly attractive for those who want to break into e-commerce on a shoestring, and particularly attractive as well for those who just want to break in.
[via Computer security news]
XMLRPC-J is a “Java-based implementation of the XML-RPC protocol.” [Scripting News]
Third Version Of Code Red Detected. ZDNet Aug 10 2001 10:24AM ET [Computer security news]
Internet Week: Arrest Of Computer Researcher Is Arrest Of First Amendment Rights. Bruce Schneier. Yet now here we are in 21st-century America, where the profits of the major record labels, movie houses and publishing companies are more important than First Amendment rights. In many ways, we’re seeing the legacy of the NSA’s long war against cryptographic information. [Tomalak’s Realm]
EE Times: Intern proves WLAN encryption protocol vulnerable. Stubblefield, working as an intern at AT&T Labs with AT&T research staff members John Ioannidis and Aviel Rubin, used the $100 Prism II-based Linksys PC card and a Linux driver that could capture encrypted WEP packets to perform the attack.
Quote from Stubblefield’s report:
Given this attack, we believe that 802.11 networks should be viewed as insecure.
We recommend the following for people using such wireless networks.
- Assume that the link layer offers no security.
- Use higher-level security mechanisms such as IPsec [3] and SSH [8] for security, instead of relying on WEP.
- Treat all systems that are connected via 802.11 as external. Place all access points outside the firewall.
- Assume that anyone within physical range can communicate on the network as a valid user. Keep in mind that an adversary may utilize a sophisticated antenna with much longer range than found on a typical 802.11 PC card.
[via Tomalak’s Realm]
Coyote Linux 2.0.2 (GUI Disk Creator). A single-floppy distribution for sharing an Internet connection. [freshmeat.net]