Hack Proofing Your Network, Second Edition

Total Page:16

File Type:pdf, Size:1020Kb

Hack Proofing Your Network, Second Edition 194_HP_Net2e_FC 2/22/02 10:01 AM Page 1 1 YEAR UPGRADE BUYER PROTECTION PLAN ™ The Only Way to Stop a Hacker is to Think Like One David R. Mirza Ahmad Dan “Effugas” Kaminsky Ido Dubrawsky F. William Lynch Hal Flynn Steve W. Manzuik Joseph “Kingpin” Grand Ryan Permeh Robert Graham Ken Pfeil Norris L. Johnson, Jr. Rain Forest Puppy K2 Ryan Russell Technical Editor UPDATED BESTSELLER! 194_HPYN2e_FM.qxd 2/15/02 2:36 PM Page i [email protected] With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based ser- vice that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. [email protected] is an interactive treasure trove of useful infor- mation focusing on our book topics and related technologies. The site offers the following features: I One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters. I “Ask the Author” customer query forms that enable you to post questions to our authors and editors. I Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material. I Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics. Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening. www.syngress.com/solutions 194_HPYN2e_FM.qxd 2/15/02 2:36 PM Page ii 194_HPYN2e_FM.qxd 2/15/02 2:36 PM Page iii 1 YEAR UPGRADE BUYER PROTECTION PLAN David R. Mirza Ahmad F. William Lynch Ido Dubrawsky Steve W. Manzuik Hal Flynn Ryan Permeh Joseph “Kingpin” Grand Ken Pfeil Robert Graham Rain Forest Puppy Norris L. Johnson, Jr. Ryan Russell Technical Editor K2 Dan “Effugas” Kaminsky 194_HPYN2e_FM.qxd 2/15/02 2:36 PM Page iv Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,”“Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY SERIAL NUMBER 001 D7Y4T945T5 002 AKTRT4MW34 003 VMB663N54N 004 SGD34B39KA 005 87U8Q26NVH 006 N4D4RNTEM4 007 2HBVHTR46T 008 ZPB9R5653R 009 J6N5M4BRAS 010 5T6YH2TZFC PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Hack Proofing Your Network, Second Edition Copyright © 2002 by Syngress Publishing, Inc.All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-928994-70-9 Technical Editor: Ryan Russell Cover Designer: Michael Kavish Acquisitions Editor: Catherine B. Nolan Page Layout and Art by: Shannon Tozier Developmental Editor: Kate Glennon Indexer: Robert Saigh Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada. 194_HPYN2e_FM.qxd 2/15/02 2:36 PM Page v Acknowledgments We would like to acknowledge the following people for their kindness and support in making this book possible. Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks. Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly,Andrea Tetrick, Jennifer Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible marketing experience and expertise. Jacquie Shanahan and AnnHelen Lindeholm of Elsevier Science for making certain that our vision remains worldwide in scope. Annabel Dent and Paul Barry of Harcourt Australia for all their help. David Buckland,Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim,Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Ethan Atkin at Cranbury International for his help in expanding the Syngress program. Jackie Gross, Gayle Voycey,Alexia Penny,Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada. Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada. From Ryan Russell I would like to dedicate my work to my wonderful wife and children, without whom none of this would be worth doing. I love you Sara, Happy Valentine’s Day! I would also like to thank Brian Martin for his assistance in tech editing, and of course the authors who took the time to write the book. Special thanks go out to those authors who worked on the first edition, before anyone had any idea that it would do well or how it would come out. v 194_HPYN2e_FM.qxd 2/15/02 2:36 PM Page vi Contributors Dan “Effugas” Kaminsky (CISSP) worked for two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. Dan has delivered presentations at several major industry conferences including Linuxworld, DEF CON, and the Black Hat Briefings, and he also contributes actively to OpenSSH, one of the more significant cryptographic systems in use today. Dan founded the cross-disciplinary DoxPara Research (www.doxpara.com) in 1997, seeking to integrate psychological and techno- logical theory to create more effective systems for non-ideal but very real environments in the field. He is based in Silicon Valley, presently studying Operation and Management of Information Systems at Santa Clara University in California. Rain Forest Puppy is a security research and development consultant for a Midwest-based security consulting company. RFP has been working in R&D and coding in various languages for over seven years.While the Web is his primary hobby focus point, he has also played in other realms including: Linux kernel security patches, lockdown of various Windows and UNIX operating systems, and the development of honeypots and other attack alert tools. In the past he’s reported on SQL tampering and common CGI prob- lems, and has contributed security tools (like whisker) to the information security community. Ken Pfeil is the Security Program Manager for Identix Inc.’s information technology security division. Ken started with Identix following his position as Chief Information Security Officer for Miradiant Global Network, Inc. Ken has over 14 years of IT and security experience, having served with such companies as Microsoft, Dell, and Merrill Lynch.While employed at Microsoft, Ken co-authored Microsoft’s “Best Practices for Enterprise Security” whitepaper series, and is the founder of “The NT Toolbox”Web site. He currently covers new security risks and vulnerabilities for Windows and .Net magazines’ Security Administrator publication, and was the resident expert for multiplatform integration and security issues for “The Windows 2000 Experts Journal.” vi 194_HPYN2e_FM.qxd 2/15/02 2:36 PM Page vii Joseph “Kingpin” Grand is a Boston-based electrical engineer and product designer. His pioneering hardware and security research has been published in various academic and industry journals. He has lectured widely on security product design and analysis, portable devices, and digital foren- sics. In addition to testifying before the United States Senate Governmental Affairs, Joseph has presented his research at the United States Naval Post Graduate School Center for INFOSEC Studies and Research, the USENIX Security Symposium, and the IBM Thomas J.Watson Research Center. Joseph was a long-time researcher with the L0pht hacker think tank.
Recommended publications
  • Reducing the Window of Exposure
    Surviving 0-days reducing the window of exposure Andreas Lindh, VB2013 About me • Security analyst/architect • Used to work for Volvo IT • Defender by profession • @addelindh on Twitter So what’s this about? • Software vulnerabilities, exploits and the current defense model • A suggested way of improving that model Defense Legacy implementation • Perimeter protection • Access controls • System hardening • Antivirus Evolution • All the legacy and more: – SIEM – DLP – Application firewalls – Etc. • Basically, more tools Client-side attacks Got protection? What does this mean? • The perimeter changed • Our defenses didn’t • Antivirus to the rescue? The New York Times hack So how did we get here? • Human nature – Easier to buy tools than to work hard – Bad prioritization • Defense isn't sexy "Put another way, n people want to fix security holes, 10n people want to exploit security holes, and 100000n want Tetris.” (Dan Kaminsky) But we patch, right? Well, sort of but... • We do it slowly • Sometimes we can’t patch – Legacy systems – 3rd party systems HD Moore’s law What about 0-days? The Microsoft report This can’t be good... • 46% of Remote Code Execution vulnerabilities exploited before patch available in 2012 Source: Software Vulnerability Exploitation Trends ...and remember this? • Dec 2012 – Jan 2013 • The watering hole attack Wait a minute, wasn’t this supposed to be a talk about flashy 0-day defense? There is no flashy fix. Priorities, priorities Back to basics • Get re-acquainted with our environments • Start using the tools we already have • Focus on what matters Hardening • Usually only done high level • Not that effective anymore • Why don’t we do it to software? Learning from history • Where? • What? • Exploitability? • Protection? Software hardening • Exploit mitigation – ASLR, DEP, EMET, etc.
    [Show full text]
  • This Is No Laughing Matter: How Should Comedians Be Able to Protect Their Jokes?
    Hastings Communications and Entertainment Law Journal Volume 42 Number 2 Summer 2020 Article 3 Summer 2020 This is No laughing Matter: How Should Comedians Be Able to Protect Their Jokes? Sarah Gamblin Follow this and additional works at: https://repository.uchastings.edu/hastings_comm_ent_law_journal Part of the Communications Law Commons, Entertainment, Arts, and Sports Law Commons, and the Intellectual Property Law Commons Recommended Citation Sarah Gamblin, This is No laughing Matter: How Should Comedians Be Able to Protect Their Jokes?, 42 HASTINGS COMM. & ENT. L.J. 141 (2020). Available at: https://repository.uchastings.edu/hastings_comm_ent_law_journal/vol42/iss2/3 This Article is brought to you for free and open access by the Law Journals at UC Hastings Scholarship Repository. It has been accepted for inclusion in Hastings Communications and Entertainment Law Journal by an authorized editor of UC Hastings Scholarship Repository. For more information, please contact [email protected]. 2 - GAMBLIN_CMT_V42-2 (DO NOT DELETE) 4/8/2020 11:18 AM This is No laughing Matter: How Should Comedians Be Able to Protect Their Jokes? by SARAH GAMBLIN1 The only honest art form is laughter, comedy. You can’t fake it . try to fake three laughs in an hour—ha ha ha ha ha—they’ll take you away, man. You can’t.2 – Lenny Bruce Abstract This note will discuss the current state of protection for jokes and comedy. As it is now, the only protection comics have is self-help, meaning comedians take punishing thefts into their own hands. This note will dive into the reasons why the current legislature and courts refuse to recognize jokes as copyrightable.
    [Show full text]
  • Spring 2009 Edition of Genesis V Alumni Magazine
    theGenesis alumni magazine of saint ignatius college preparatory Vspring 2009 1 Joe Boswell ’02 and Kate Brandt ’03, who both work in the Obama Administration, are pictured here in the historic Indian Treaty Room in the Eisenhower Office Building with the White House in the background. Read about them on pages 35 and 38. AttleePhotography.com. genesis v A Report to Concerned Individuals Vol. 46, No. 1 Spring 2009 Administration Rev. Robert T. Walsh, S.J. President Mr. Joseph A. Vollert Vice President for Development Mr. Patrick Ruff Principal Rev. Thomas H. O’Neill, S.J. Superior Mr. John J. Ring Director of Alumni Relations Ms. Marielle A. Murphy Associate Director of Development Mrs. Cynthia Fitzgibbon Director of Special Events Mr. Fred L. Tocchini Director of Special Projects Mr. John J. Grealish Business Manager Editorial Staff Mr. Paul J. Totah Editor Arthur Cecchin Sports Editor Nancy Barisic Layout & Design Douglas A. Salin Photo Editor GENESIS V (USPS 899-060) is published quarterly by St. Ignatius College Preparatory, 2001 37th Avenue, San Francisco, CA 94116-9981. Periodicals Postage Paid at San Francisco, CA, and at additional mailing offices. POSTMASTER: Send address changes to GENE SIS V, 2001 37th Avenue, San Francisco, CA 94116-9981. CONTACT US: You can send e-mail to [email protected] or reach us at (415) 731-7500 ext. 206. You can also read the issue on our web site at www.siprep.org/genesis. ST. IGNATIUS, mindful of its mission to be witness to the love of Christ for all, admits students of any race, color and national and/or ethnic origin to all the rights, privileges, programs and activities generally accorded to or made available to students at this school.
    [Show full text]
  • Computer Security
    CSE 40567 / 60567: Computer Security Network Security 1 !1 Homework #5 is due tonight at 11:59PM (your timezone) See Assignments Page on the course website for details !2 Live Tuesday in Class RC Johnson (PayPal) (Will not be recorded) !3 Course Roadmap Basics The Web (weeks 1 & 2) (weeks 15 & 16) 3 Core Areas (weeks 3 - 6) (weeks 6 - 10) (weeks 11 - 15) !4 Heartbleed What is it? Serious input validation vulnerability in OpenSSL Bug introduced: OpenSSL version 1.0.1 on March 14, 2012 Bug disclosed: April 7th, 2014 Protocol affected: TLS • Successor to SSL • Meant to secure network traffic from eavesdropping attacks • Good example of security software making things less secure http://heartbleed.com/ !5 Heartbleed bug explained A depiction of Heartbleed BY-SA 3.0 FenixFeather !6 The bug in OpenSSL p is a pointer to start of message /* Read type and payload length first */ hbtype = *p++; No bounds checking to enforce n2s(p, payload); consistency between pl = p; payload_length and the actual payload The fix: hbtype = *p++; n2s(p, payload); if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* silently discard per RFC 6520 sec. 4 */ pl = p; !7 Scope of the vulnerability 700 525 350 175 0 8 April, 2014, 4PM UTC 9 April, 2014, 7:30AM UTC 10 April, 2014, 12:30AM UTC Vulnerable Websites Among the Top 10,000 Among the Top Websites Vulnerable !8 Response from the community "OpenSSL is not developed by a responsible team." - Theo de Raadt Large mistake: OpenSSL developers wrote their own memory management routines, circumventing library protections
    [Show full text]
  • UNIVERSITY of CALIFORNIA Los Angeles Misery Is the True Script For
    UNIVERSITY OF CALIFORNIA Los Angeles Misery is the True Script for Comedy: A Study of Italian Film Comedy in the 1950s A dissertation submitted in partial satisfaction of the requirements for the degree Doctor of Philosophy in Italian by Christopher Burton White 2014 © Copyright by Christopher Burton White 2014 ABSTRACT OF THE DISSERTATION Misery is the True Script for Comedy: A Study of Italian Film Comedy in the 1950s by Christopher Burton White Doctor of Philosophy in Italian University of California, Los Angeles, 2014 Professor Thomas J. Harrison, Chair This dissertation fills a lacuna in the history of Italian cinema, formally analyzes a selection of significant film comedies from the 1950s, and challenges many of the assumptions that have been made about postWar Italian cinema. The conservative atmosphere of the fifties, the detrimental effects of censorship on Italian cinema, and the return of popular genres after the end of the widely-acclaimed neorealist period have led to assumptions about a limited engagement With contemporary Italian society in the motion pictures produced in Italy during the 1950s. While most critics and film historians vieW these years in Italian cinema as the disappointing aftermath of neorealism, a decade in Which conservative elements in Italian society pushed national cinema in the direction of facile optimism and escapism, this dissertation demonstrates that many comedies in fact engaged with Italian society, ii offering incisive critiques of contemporary Italy that pinpoint and satirize hypocrisy, inequality, and a host of other ills of the Italian republic in the 1950s. This study considers existing scholarship on Italian cinema and reevaluates films starring the popular Neapolitan actor Antonio De Curtis (Totò), Renato Castellani’s Due soldi di speranza (Two Cents Worth of Hope, 1952) and other examples of neorealismo rosa (rosy or pink neorealism), and the movies directed by Federico Fellini featuring Alberto Sordi, both in terms of aesthetics as well as subject matter.
    [Show full text]
  • The Bad-Attitude Guide to Computer Security
    The Bad-Attitude Guide to Computer Security Keith Winstein Stanford University https://cs.stanford.edu/~keithw Bad (-attitude?) advice 1. 2. 3. 4. 5. 6. 7. 8. Bad (-attitude?) advice 1. Do build your own cryptographic protocol. 2. 3. 4. 5. 6. 7. 8. Mosh (mobile shell) Mosh deployment I Impetus: SSH for bad Wi-Fi I + intermittent connectivity I + roaming I + local echo I + security against forged RST I First release: 2012 I Today: appx. 2{20 million users Mosh protocol I Every datagram wrapped with AES-OCB I Every datagram represents idempotent operation I No TLS, no DTLS, no public-key crypto I No timestamps, no replay cache, no daemon I No cipher negotiation, no file IO, no root I Roaming: server replies to source address of highest-numbered authentic incoming datagram Hacker News \One man band by the looks of it. Implements its own private crypto protocol (has it been vetted for replay attacks? padding attacks? [insert 20 years of perplexing bugs confounding the greatest minds in computer science]?)" Slashdot \Welcome to Yet Another Protocol Devised By Academics Who Have Not Been Near a Real Network in Twenty Years, If Ever." Twitter Dan Kaminsky: \Mosh being outside of SSH Transport makes academic perf code unauthenticated. Love MoSH, would love it much more if it operated inside SSH's channel" Q: \any particular reason? Since quick recovery from packetloss is one of its main goals, UDP+OCB is needed." Kaminsky: \It's *tricky* to build new secure channels. Look at DTLS's long and painful dev cycle." Twitter (cont.) Moxie Marlinspike: \I dunno, from a semantic sec perspective, it'd be hard to do worse than SSH.
    [Show full text]
  • Death on the Mississippi, an Archetypal Analysis Of
    DEATH ON THE MISSISSIPPI, AN ARCHETYPAL ANALYSIS OF HARK TWAIN'S HUCKLEBERRY FINN A Thesis Presented to the Faculty of the Department of English Kansas State Teachers College In Partial Fulfillment of the Requirements for the Degree Master of Arts by Robert Greg-ory 1-atterson July 197J PREFACE Actual and metaphorical deaths recur frequently in Twain's Huckleberry Finn. However, the patterns of these death incidents are not so easily deciphered as one might expect, for while there are indeed many deaths in Huckle­ berry Finn, to study everyone in detail would not necessarily prove that death itself is an important motif in the work. When one examines the circumstances sur­ rounding these deaths, however, a number of distinct and rather curious, even bizarre, patterns appear. It seems that a surprising number of deaths in Huckleberry Finn are accompanied by superstitious ritual, grotesque social pro­ tocol, and/or graphic demonstrations of the awesome power of natural forces. These deaths assume many forms; some are human demises, some are non-human expirations, and many are purely fie-urative "deaths." The theory posited here is not entirely new, nor is it without critical precedent and support. Richard P. Adams, 1n his "Introduction to Hark Twain" in American Literary Masters, sees the pattern of death and rebirth as the largest struc­ tural element in Huckleberry Finn. Bernard DeVoto, in ~ T\vain at \~ork, recognizes the death imagery in Huckleberry Finn as evidence of Twain's death-oriented thinking and observes that additional critical research must be conducted "to determine why death, the images and humors and disgusts 11 of death, the fear of death, and the threat of death colored his phantasy from childhood on." Selected death-incidents in Twain's life which might have influenced his art will be mentioned in this study, but the major focus \iill be upon an examination of and evaluation of recurrent death patterns in Hucl<leberry Finn, based on a Juneian archetypal critical approach.
    [Show full text]
  • Colloquium Poster 32 Series
    THIRTY SECOND SERIES Spring 2010 Thursdays at 12:00 noon Salazar 2016 FEB. 11 Joe Dupre, Sonoma State University, IT Information Security Management in the Enterprise Information and knowledge are valuable and worth protecting. We need efficient methods of protection in large homogenous environments. How do you get smart people with divergent ideas moving in the same direction on information security? Do the following: strategic alignment, risk management on all issues, provide value - reduce support costs, enhance competitive stance, assure success of strategy deployment resource management - people, technology, process assurance process integration - get connected and involved with other security groups in your enterprise. Performance measures - Did we do what we set out to do, does the data indicate we should be doing something else? Multiuse of metrics. This talk is based on the curriculum for the ISACA.org Certified Information Security Manager (CISM) certification. Pizza after talk in Darwin 28 FEB. 18 John Davis, Microsoft Research, Mountain View BEE3: Silly Putty for Computer Scientists! Parallel computing for the masses has arrived. Unfortunately, software, tools, research, and pedagogy are lagging behind with only niche successful parallel applications existing, print statements still being used for debugging, research limited to using existing platforms, and few colleges and universities offering parallel programming and computer architecture classes for undergraduates. Let me present BEE3, the Berkeley Emulation Engine, version 3. BEE3 is a reconfigurable computing platform that we are using to target three main research areas: Computer Architecture, Systems, and Application Acceleration. Using these examples, I will demonstrate how we are using reconfigurable computing systems to help build parallel software and tools, conduct fundamental research, and provide a pedagogical platform.
    [Show full text]
  • Full Metal Jhacket
    Full Metal Jhacket Full Metal Jhacket Matthew Derby University of Michigan Press Ann Arbor Copyright © 2015 by Matthew Derby All rights reserved This book may not be reproduced, in whole or in part, including illustrations, in any form (beyond that copying permitted by Sections 107 and 108 of the U.S. Copyright Law and except by reviewers for the public press), without written permission from the publisher. Published in the United States of America by the University of Michigan Press Manufactured in the United States of America 2018 2017 2016 2015 4 3 2 1 DOI: http://dx.doi.org/10.3998/tfcp.13240730.0001.001 ISBN 978-0-472-03615-8 (paper : alk. paper) ISBN 978-0-472-12096-3 (e-book) For William Derby Contents Acknowledgments ix 1. January in December 1 2. Dokken 18 3. The Snipe 29 4. Full Metal Jhacket 46 5. The Past, Uncorrected 68 6. Thirty Years of Prosperity for Every Fifteen Years of 79 Hard Work 7. Yeti 93 8. How the Rebels Took Port Harcourt 102 9. Heightmap of Her Countenance 117 10. KraftMark 127 11. Walden Galleria Prayer 138 Books in the Series 145 Acknowledgments “January in December” originally appeared in ; “The Snipe” originally Guernica appeared as a JR Van Sant Chapbook Series selection; “Dokken” and “Heightmap of Her Countenance” originally appeared in ; “Full Metal Unstuck Jhacket” originally appeared in ; “The Past, Uncorrected” origi- The Collagist nally appeared in ; “Thirty Years of Prosperity for Every Fif- Caketrain Journal teen Years of Hard Work” originally appeared in ; “Yeti” The Columbia Journal originally appeared in Ben Marcus’s ; “How The Rebels Took Port Smallwork Harcourt” originally appeared in ; “KraftMark” originally The Columbia Journal appeared in anthology; and “Walden Galleria Prayer” The Apocalypse Reader originally appeared in anthology.
    [Show full text]
  • Good Practice Guide on Vulnerability Disclosure from Challenges to Recommendations
    Good Practice Guide on Vulnerability Disclosure From challenges to recommendations NOVEMBER 2015 www.enisa.europa.eu European Union Agency For Network And Information Security Good Practice Guide on Vulnerability Disclosure Creation date: November 15 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the European Union (EU), its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Authors This document was created by the CERT Capability team at ENISA in consultation with RAND Europe Project officer Cosmin Ciobanu Contact To contact the authors please use [email protected] For media enquiries about this report, please use [email protected]. Acknowledgements The project team wishes to thank all the interviewees, and those who provided written input for the project, for their time and invaluable insights. Their contribution to this project has been essential. 02 Good Practice Guide on Vulnerability Disclosure Creation date: November 15 Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise.
    [Show full text]
  • A Cache Poisoning Attack Targeting DNS Forwarding Devices
    Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng Zheng∗;†, Chaoyi Lu∗, Jian Peng∗, Qiushi Yang†, Dongjie Zhou§, Baojun Liu∗, Keyu Man‡, Shuang Hao¶, Haixin Duan∗;†∗ and Zhiyun Qian‡ ∗ Tsinghua University, † Qi An Xin Technology Research Institute, § State Key Laboratory of Mathematical Engineering and Advanced Computing, ‡ University of California, Riverside, ¶ University of Texas at Dallas Abstract However, as the DNS ecosystem has evolved dramatically, In today’s DNS infrastructure, DNS forwarders are devices the system now consists of multiple layers of servers [62]. DNS forwarders standing in between DNS clients and recursive resolvers. Specifically, refer to devices standing in be- The devices often serve as ingress servers for DNS clients, tween DNS clients and recursive resolvers. Upon receiving and instead of resolving queries, they pass the DNS requests DNS queries, the devices do not resolve the domain name to other servers. Because of the advantages and several use by themselves, but pass the requests to other servers (e.g., an cases, DNS forwarders are widely deployed and queried by upstream recursive resolver). To name a few use cases, DNS Internet users. However, studies have shown that DNS for- forwarders can serve as convenient default resolvers, load warders can be more vulnerable devices in the DNS infras- balancers for upstream servers, and gateways of access con- tructure. trol. Meanwhile, for clients in a local network, using DNS forwarders can mitigate security risks, as the devices are not In this paper, we present a cache poisoning attack target- directly exposed to Internet attackers [49]. ing DNS forwarders. Through this attack, attackers can in- ject rogue records of arbitrary victim domain names using Because of the advantages, DNS forwarders are fairly a controlled domain, and circumvent widely-deployed cache prevalent devices in the DNS infrastructure.
    [Show full text]
  • 1 No Laughter Among Thieves
    1 No Laughter Among Thieves: Authenticity and Norm Enforcement in Stand-Up Comedy Patrick Reilly UC Irvine, Paul Merage School of Business SB2 321 4293 Pereira Drive Irvine, CA 92697 [email protected] Acknowledgements: I would like to thank Gabriel Rossman, Lynne Zucker, Noah Askin, Clayton Childress, Frederic Godart, David Halle, Minjae Kim, Sharon Koppman, Kyle Nelson, Gerardo Okhuysen, Michael Siciliano, Edward Walker, and Ezra Zuckerman Sivan for their constructive comments, thoughtful advice, and kind support on this research and manuscript. An earlier version of this manuscript was presented at the 2015 Academy of Management Conference. Funding: I did not receive any grants or funding for this research. Keywords: social norms, authenticity, informal institutions, ethnography, cultural industries WORKING PAPER UNDER REVIEW: PLEASE DO NOT CIRCULATE WITHOUT PREMISSION 2 Abstract: Why may observers label an individual’s questionable act as a discreditable norm transgression, while they may ignore or excuse similar behaviors by others? To explain such inconsistency, I explore the case of joke theft through participant-observation data on stand-up comics in Los Angeles. Informal, community-based systems govern property rights covering jokes. Most cases that could constitute joke theft are ambiguous, because of the possibility of parallel thought. I find that insiders’ accusations are loosely coupled to similarity. Instead, enforcement more reflects how much insiders regard an individual as authentic to the community. Observers account of a possible transgressor’s backstage behaviors and technical expertise to discern if a transgression occurred. Comics with a track record of anti-social behavior, external reward orientation, and lackluster on-stage craft are vulnerable to accusations for even borderline acts, because these qualities conform with shared pattern of a transgressor.
    [Show full text]