should be quickly and implement it, or we need to decide whether it is expedient to send out an interim mail to any potential TWiki admins that we can find addresses for. The latter would mean an additional one-shot (unsolicited) mail so I'd prefer to get the mailing lists sorted out as quickly as possible.

-- SamHasler - 25 Nov 2004

We are still getting visitors to TWikiIRC asking about the "new threat" and telling us that they were not notified. There is significant loss of confidence in the process and thus the software. I am with Clauss: we must notify ALL REGISTERED USERS, not just the 500 on WebNotify. Else we all look incapable of taking decisive, corrective action.

Two lines of questions:

I am concerned for the credibility of this project - like many of you, I have invested a significant proportion of my working career in this software product.

If anyone received the said email, please attach it here. I will then email all registered TWiki.org users with the notice by midday tomorrow. (I will check here first to see whether anyone else has done it.)

-- MartinCleaver - 25 Nov 2004

There is as yet no action on the email list... Unfortunately I can't set up the announce email list myself at SourceForge, but I have emailed Peter and the CoreTeam to try to get this done ASAP. I would prefer to get the SourceForge email list set up first (with zero members) and then mailshot everyone one-off re the current hole, inviting them to the announce list. My idea is that this list should be for security alerts and new release announcements only.

If we can't get the email list set up today, I think we should do the one-shot email today anyway, and mention that we will mail them again soon about the announce list.

Obviously, it's preferable to email only once, but the fact is that it's been almost 2 weeks since the vulnerability was posted widely to security email lists, yet the TWiki user community not on such lists has not been informed - in this case some additional email is less important than getting the word out.

-- RichardDonkin - 25 Nov 2004

We now have a SecurityTeam.

-- SamHasler - 25 Nov 2004

Interesting history of this vulnerability from the point of view of one of the people who found it - probably several sides to this story, but it was sat on for several months when it could have been fixed, rather than going out to the full disclosure lists as quickly as it did.

The common vulnerability (CVE) code for this hole is CAN-2004-1037 - Google:CAN-2004-1037 will find the various reports on the web, as well as the exploit code. However, this Google finds the Nov 19th incarnation of the alert, from Roman Medina-Heigl Hernandez, who claims priority - the Nov 12th Bugtraq entry does not have the CVE code but is equivalent.

-- RichardDonkin - 25 Nov 2004

-- MattWilkie - 25 Nov 2004

I sent 500+ e-mails to known site administrators on Fri, 12 Nov. This happened 6 hours after I got notified of the issue. I am aware that it did not reach every public TWiki installation. The security advisory got released uncoordinated and was not in line with our process, published since ages in BugReport.

It is the wish of the community to establish a TWiki announce mailing list and to invite everyone who looked at TWiki in the past. The mailing list is not ideal since crackers will get on the list, but not reaching all interested parties is also not ideal. So let's establish a mailing list. It is very important to coordinate the efforts; uncoordinated efforts just cause frustration, as we have seen. Let's avoid multiple e-mails, everyone has enough of spam. Again, nobody should harvest e-mail addresses on TWiki.org to send out an uncoordinated e-mail.

The goal is to send out a mass mailer no later than Sat, 27 Nov 2004. This is to (a) invite people to subscribe to the announce mailing list, (b) alert of the SecurityAlertExecuteCommandsWithSearch issue. This is a big mass-mailer to over 20K people. Actions to take:

-- PeterThoeny - 25 Nov 2004

Out of interest, what was the ratio of opt-in to opt-out for the download form?

If the number of opt-outs was large I would consider sending them a mail as well, as we're only going to do it this one time (unless the checkbox was opt-out. Sending to people who deliberately opted out is different from sending mails to people who overlooked or decided not to opt in).

I'm still interested in what the ratio is even if we decide not to mail them.

I'd think it would be a good idea to do a Google search to pull the e-mail address from the WIKIWEBMASTER TWikiPreferences setting as suggested above and add these to the list, as they are the most likely to be affected by any security issues (and they are publicly available addresses after all).

-- SamHasler - 25 Nov 2004

Now that the email list is set up at TWikiAnnounceMailingList, and apparently working, I hope that the TWikiSecurityAlertEmail can be sent out on Fri 26 Nov. Good to see things moving forward.

-- RichardDonkin - 25 Nov 2004

SueLocke pointed out in TWikiIRC that TWikiInstallations would be "a first port of call as to where the public TWiki sites are" for a hacker.

I think we should consider moving them to a web of their own so we can lock them down while we are dealing with security issues.

-- SamHasler - 25 Nov 2004

I think it is overkill to remove TWikiInstallations; crackers can Google public sites as easily. This has high priority: who can help out and compile the e-mail addresses of public TWiki site admins? E.g. a Google search on TWikiWebPreferences, and automated extraction of the e-mail address from the WIKIWEBMASTER preferences setting. This list should not be posted on TWiki.org for obvious reasons; please send it to me via e-mail.

I do not want to send out separate e-mails to TWiki.org registered users, users of the legacy download form, and public site admins. The three lists will be combined/sorted/uniqued into one list so that the mass-mail does not spam people more than once.

Also, the e-mail list needs to be treated with great care; it must not get into the hands of organizations with commercial interests. We also cannot afford to be stamped as spammers.

-- PeterThoeny - 25 Nov 2004

I just posted this to CoffeeBreak:

Here's a much more conservative Google search for TWiki installations. (It finds around 800.) http://www.google.com/search?q=inurl:TWikiPreferences+inurl:view+-intitle:Main+-inurl:rev+-inurl:skin+-inurl:raw+-inurl:sortcol&hl=en&lr=&c2coff=1&safe=off&as_qdr=all&filter=0

inurl:TWikiPreferences inurl:view -intitle:Main -inurl:rev -inurl:skin -inurl:raw -inurl:sortcol

Note: I can't think of a way to easily isolate installations using ShorterURLs other than doing a -inurl:scriptname for every bin script. (Haven't had time to try that yet and I'm going to bed soon.)

-- SamHasler - 26 Nov 2004

People who rename their TWikiPreferences topic won't be found using any of these approaches. I don't have anything constructive about how to work around it; I just didn't want them to be completely unthought of.

There are a number of unremedied security issues I'm aware of which have already been published in one form or another on twiki.org but are not tagged as a known issue or in the alerts. Should this "email a core team member" process be followed to get them in the queue? Or is a BugReport a better idea?

-- MattWilkie - 26 Nov 2004

We will soon have a 'mail the SecurityTeam' email list set up - until then, if you could email any critical ones (remote holes) to a CoreTeam member that would be great. I'm hoping there are no more pending remote holes just yet...

-- RichardDonkin - 26 Nov 2004

Not sure we should worry about people renaming TWikiPreferences - does anyone really do that?

Since ShorterURLs are fairly high-tech, I'd expect more of those site admins are active on TWiki.org anyway.

I've refined the query slightly - this query gets the WIKIWEBMASTER setting in the Google preview text, so it should be possible using the Google API to grab all the email addresses without visiting every page. Of course, that means some may be out of date if we are unlucky, but it seems like a good idea for the first pass.

I've now run this query, giving 619 results, and done some post-processing - I have passed the results on to Peter, Sven, and a few others in the hope that someone can pick this up. The email list should be passed by email and not sent to lists that are archived.

-- RichardDonkin - 26 Nov 2004

I renamed TWikiPreferences in a couple of my first, largely experimental twikis to the more descriptive SystemPreferences. I gave up because of the extra hassle when upgrading. (Just found at least one other with a non-standard prefs topic. Seems to be a dead wiki. I forwarded him the Nov 12th alert already.)

Also, the search string uses -intitle:Main but really old installs won't have a TWiki web, just a Main. And a few collapse all their webs into a single web, which could be named anything. Can "Set WIKIWEBMASTER" be used as the canonical key search phrase instead?

I'm not suggesting at all that no message should go out until each and every twiki has been identified. I'm just trying to think of who might get missed in this first pass.

I've noticed something else suspicious: ZhiXiongkang is registered in an awful lot of twikis, doesn't post anything, and all the registrations happen on the same day (either Nov 15th or Oct 15th).

-- MattWilkie - 26 Nov 2004

'Nother observation: we're gonna have to use the Google cache since a fair number of those wiki sites are now "you don't have permission to access this resource".

-- MattWilkie - 26 Nov 2004

Richard already sent me the list of site admins. I am currently cleaning it up. Some manual work is involved due to incomplete e-mail addresses.

-- PeterThoeny - 27 Nov 2004

A lot of work was involved in fixing the incomplete addresses, e.g. from someone@xyz to someone@xyz.edu, by checking the site URL and visiting the site.

10% duplicates could be removed by combining the three lists into one, i.e. less chance of reaching a single user more than once.

-- PeterThoeny - 27 Nov 2004

The Parrot VM wiki can be added to the list of twikis hit. Apparently around 15 Nov. The compromised server was then apparently used in an eBay scam. The server, and my entire domain, was then disabled by the web hosting provider. The twiki was googleable, but not, I think, listed on twiki.org. FYI.

-- MitchellNCharity - 28 Nov 2004

It would be nice to have it on something like LWN. LWN, for example, carried recent security alerts for Apache and MoinMoin. Hint hint.

-- TomOehser - 28 Nov 2004

It doesn't help that a notice went out November 12th - but not to me - and that I was hacked on November 15th. Probably the November 12th notice led to my being hacked...?

-- TomOehser - 28 Nov 2004

The Nov 12th announcement went to a range of security lists such as BugTraq, read by a wide range of people. Unfortunately at that point the TWiki community did not have the TWikiAnnounceMailingList for such security alerts - PeterThoeny did send email to about 500 people registered in TWikiInstallations, but inevitably many people were not notified. We have now sent out a TWikiSecurityAlertEmail to a much wider range of people, which will also help to ensure they sign up for the twiki-announce email list. Clearly, the TWiki world was not ready for this sort of large-scale attack on TWiki sites, publicised on these lists with a handy exploit script - however, we are a lot better prepared for this sort of thing now.

I've also updated the process above to reflect that emails should now go to the new TWiki SecurityTeam.

-- RichardDonkin - 28 Nov 2004

It is also worth pointing out that the public advisory got released uncoordinated, around the same time I sent the first big alert to known site administrators. This was not in line with our published process.

-- PeterThoeny - 30 Nov 2004

Great. I am glad we finally had notification, even if it was too late to save many sites.

My point has never been to create discontent - only to serve customers and get both direction and movement. As the project accelerates we need priorities to ensure we tackle big issues, but we also need listening, agreement, vision and planning.

With respect to your request: I've put the internet deployment spider up again, and I have set it to automatically update every couple of days. Here's WIKIWEBMASTER:

-- MartinCleaver - 28 Nov 2004

Now that the big mailing is out we can do some final touches on the alert process. I changed the timing on the alert process, open for comments:

Comments:

-- PeterThoeny - 30 Nov 2004

I appreciate what you are trying to do, but I think you are at risk of promising what you can't deliver. You can't guarantee those response times, so better not to advertise them. Also, grace periods and suchlike need to be decided on a case-by-case basis.

Maybe I'm just too simple, but it seems to me that the process can be stated more simply, just hitting the key points:

Steps 1 through 4 may be merged if a hotfix is immediately available.

BTW, can someone please generate a testcase for the recent alert, so we can't fall prey to it again!

-- CrawfordCurrie - 30 Nov 2004

I agree with the idea of grace periods - the aim is to give people time to fix the issue (i.e. elongating step 4 by mailing people who are definitely TWiki administrators). However, we have advertised the TWikiAnnounceMailingList as getting security alerts immediately, so I think we should just send the alert to both twiki-dev and twiki-announce - since twiki-dev is archived, there's a risk Google picks it up, or someone forwards it on to X, then Y, then Z. As long as there's no exploit attached to the alert (I think Apache are quite good at doing this) I think the degree of hacking would be less.

Lots of people don't want to be on twiki-dev, only on the twiki-announce list, due to volume, so it seems unfair to delay the twiki-announce email.

The 'typical' timeline according to one security person I talked to is:

While having exploits makes hacking easier, it also makes it easier for administrators to test if their system is truly vulnerable or proof against the vulnerability. The real world is not as well structured as this.

Also worth noting that the time from step 1 to step 4 was 10 hours in the case of the recent search hole, giving Peter little time to create and distribute a fix, and TWiki admins little time to apply the fix. The behaviour of the security researchers involved was not exactly pristine in this case, since the exploit came out so fast (on a Friday evening as well), leading to lots of cracked TWiki systems.

-- RichardDonkin - 30 Nov 2004

Not that it matters, but my twiki was compromised and I've written a report about the incident, of which you might want to read the second paragraph, in which I take half the blame. The report is at http://www.itia.ntua.gr/twiki/bin/view/Main/ReportOnTwikiCompromise.

But that's not the reason I'm writing. I want to give my 2 cents to the security process. I'm not a security expert, but it doesn't seem that anyone in this discussion is, so here we go:

How fast you send a public alert depends on whether the problem is already public or being actively exploited. It is important to keep in mind that twiki may be distributed by operating system vendors. The forthcoming release of the Debian OS will have a prepackaged twiki.

Now administrators who have installed their vendor's prepackaged version rather than the original version will normally not want to be subscribed to the twiki mailing list, but only to the vendor's security alert service, and they will prefer to wait for the vendor's patch. For this reason, if the discovered problem is not publicly known or actively exploited, you normally keep it secret and only notify CERT, I believe (although I'm not sure about the details). CERT has an established procedure of notifying the vendors, and each one prepares/adapts, but does not announce, the needed patch and advisory. When everyone's ready or it is thought that the problem can no longer wait, CERT tells all interested parties "OK, release now", and they issue their advisories all together. This way there is minimal delay between the original advisory/patch and the vendor advisory/patch.

When the problem is publicly known or exploited, I believe you announce as soon as possible, but still have to notify vendors or CERT.

The thing is, rather than reinvent the wheel, you should find some security experts to help you set up the process similarly to what must have already been done for hundreds of programs. What you do when it's secret, or when it's public, or when you don't know how many people know, or when you know the hole but don't have a patch yet, or when the researcher's behaviour hasn't been optimal, and so on and so on; it's certain there already exist good procedures and experience about all such questions. Maybe the Debian security team would help, if they have the time. SvenDowideit may know whom to talk to.

-- AntoniosChristofides - 02 Dec 2004

Antonios, thank you very much for sharing your well-written report on the compromise. It, or a good portion of it, should be part of the documentation here on twiki.org, I think.

There is a misspelling of twiki in the first line of the second paragraph (tiki). And I think there is a typo in the find command example. I get the message "find: paths must precede expression" when running it.

I get "Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request." on a failed authentication (it should go to a twiki oops page). Probably your bin/.htaccess does not have the correct path for ErrorDocument 401.

-- MattWilkie - 02 Dec 2004

Thanks, I fixed the typos. The other problem shall remain, I'm afraid, until my queue is empty (around 2019 :-).

-- AntoniosChristofides - 02 Dec 2004

Re my posting above on security report / fix timelines - see this security alert policy for some useful guidelines on how researchers should report security alerts to maintainers.

-- RichardDonkin - 10 Jan 2005

Update on security process: discussing with Kenneth, we felt that it is sufficient to alert twiki-dev and twiki-announce, and no longer alert the admins listed in the TWikiInstallation directory and the ones found by a Google search. This is because it is well publicised to subscribe to twiki-announce. We also change the grace period from 4 days to 3 days to make it less likely that alerts go out on a weekend.

-- PeterThoeny - 13 Jun 2006
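The list clean-up step PeterThoeny describes above (combining the three recipient lists, sorting and uniquing them, and holding back incomplete addresses such as someone@xyz for manual completion instead of mailing them), as an added example that is not TWiki.org's own script; the three source lists and every address in them are constructed for illustration:

```python
"""Merge announce-mail recipient lists and flag incomplete addresses.

Added example, not TWiki.org's own tooling. Three constructed source
lists (registered users, legacy download form, public site admins) are
combined into one sorted, de-duplicated list. Addresses whose domain has
no dot (e.g. someone@xyz) are set aside for manual completion rather
than mailed, which is the manual work Peter describes.
"""
import re
from typing import List, Tuple

# A mailable address: local part, '@', and a domain containing a dot.
COMPLETE_ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample data. The overlap between the lists stands in for
# the ~10% duplicates removed by merging; two entries are incomplete.
REGISTERED_USERS = ["Alice@Example.org", "bob@example.net", "carol@example.edu "]
DOWNLOAD_FORM = ["alice@example.org", "dave@example", "erin@example.com"]
SITE_ADMINS = ["webmaster@wiki.example.edu", "bob@example.net", "frank@"]


def normalize(addr: str) -> str:
    """Trim whitespace and lower-case so case variants collapse to one entry."""
    return addr.strip().lower()


def merge_lists(*lists: List[str]) -> Tuple[List[str], List[str]]:
    """Combine all lists into (mailable, needs_manual_fix), each sorted and unique."""
    seen = set()
    mailable: List[str] = []
    incomplete: List[str] = []
    for source in lists:
        for raw in source:
            addr = normalize(raw)
            if not addr or addr in seen:
                continue  # blank line or already handled from another list
            seen.add(addr)
            if COMPLETE_ADDRESS.match(addr):
                mailable.append(addr)
            else:
                incomplete.append(addr)  # e.g. someone@xyz: complete by hand
    return sorted(mailable), sorted(incomplete)


def duplicate_ratio(*lists: List[str]) -> float:
    """Fraction of raw entries that were duplicates of an entry seen elsewhere."""
    total = sum(len(source) for source in lists)
    unique = {normalize(a) for source in lists for a in source if normalize(a)}
    return (total - len(unique)) / total if total else 0.0


if __name__ == "__main__":
    ok, fix_me = merge_lists(REGISTERED_USERS, DOWNLOAD_FORM, SITE_ADMINS)
    print("mailable:", ok)
    print("needs manual completion:", fix_me)
    print("duplicate ratio: %.1f%%" % (100 * duplicate_ratio(
        REGISTERED_USERS, DOWNLOAD_FORM, SITE_ADMINS)))
```

The incomplete list is what gets resolved by checking each site's URL, as Peter did; only the mailable list goes to the mass-mailer.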