- prev
- 1
- next
AT&T caused a flurry of fury when it blocked a server from the online forum, 4chan. We'll look at the DoS attack against 4Chan and how and why AT&T reacted.
The trouble started with neither AT&T nor 4Chan. A third-party attacker, possibly a rival forum, started a Denial of Service attack known as TCP SYN flooding, or SYN attack. First let's look at what's supposed to happen when you request a Web page.
Your computer--let's call it HOME--sends a SYN request to the Web Server (SYN for synchronize sequence numbers). In this case the server is img.4chan.org. 4Chan's server responds with an ACK flag (short for "acknowledge") and then your computer responds with a SYN-ACK and from there the connection is made.
In 4Chan's case, the attacker sent SYN requests with spoofed IP addresses. In other words, the requests appeared to come from some other computer or computers, for this example let's call it 127.55.55.127.
4Chan's server responded with an ACK, but since 127.55.55.127 never sent the SYN in the first place, it either sends an RST flag or more likely, nothing at all. And if 4CHAN gets nothing at all, it may send four or five ACKs for every SYN it receives. This whole scenario can take around 3 minutes to play out.
So, now you can see the problem. If the attacker is sending a bunch of SYN's from a bunch of spoofed addresses, the attacked server is going to run out of resources responding to them. The flood of traffic not only fills up 4Chan, but also floods innocent bystanders.
In 4Chan's case, some of these bystanders were in the AT&T network. Some were in other networks, like unWired Broadband. But since AT&T is the big kahuna, it got all the attention.
AT&T blocked all traffic coming from the 4Chan server sending out the ACK flags. This stopped the ACKs from flooding into AT&T's network, but also prevented any legitimate requests from its network to that 4Chan server.
A few AT&T subscribers who suddenly couldn't get to 4Chan figured AT&T was blocking the often controversial site. So they started grumbling.
4Chan complained that AT&T should have only filtered its server for the sites that had been spoofed. However, if AT&T had done that, and the attackers had caught on, they could have spoofed different IP addresses. AT&T was taking the rather cautious approach of blocking the entire server, making it irrelevant what IP addresses were spoofed.
4Chan did filter the DoS attack so that it didn't bring down its site, but it was still passing along the ACK requests that caused the trouble. Once it stopped that from happening, AT&T lifted the ban on img.4chan.org, and all went back to the peaceful happy land it had been before. Sort of. Well, except for the CNN iReport 4Chan users put up claiming the AT&T CEO was dead.
If you log-in to your Gmail account on computers that aren't yours, you're probably very responsible about logging out afterward so that no one can steal your e-mail account. But what about that one time you were drinking too much at the library (again) and you can't remember if you logged out of the public terminal?
Here's how to find out if you're logged in anywhere else, and what to do if you are. Scroll down to the bottom of your screen and click details.
You'll get a pop-up window listing all the other IP addresses that have logged into your account. If they're all the same, they're probably just the computer you're on, and you're OK. However, if you see a different one, you may have a problem.
To be sure, click "Sign out all other sessions" and all but the account you're currently using will be kicked out. If you're worried at all that someone may have figured out how to access your account, be sure to change the password right away.
The employee most likely thought they had proper security protections in place. We'll show you how the Gmail account got cracked, and how you can take better care to protect your Gmail account.
Obviously, you should start by picking a strong password that's not a dictionary word or easily guessable. But that password is only as strong as Google's password recovery system. Google allows three methods to recover your password. E-mail, SMS, and the vaunted "security question." Three methods an attacker could use to gain entry to your account.
To check your password recovery options, go to settings, choose Accounts, and click on Google Account Settings. Then click "Change password recovery options."
The e-mail recovery method tripped up the Twitter employee. In this method, if you forget your password, you can specify an e-mail account where a password-reset link can be sent. This is common practice in Web services.
Allegedly, the Twitter employee had their recovery account set to a Hotmail account that was deactivated. The hacker was able to guess what the e-mail had been, reregister the account, and was able to get the password reset link sent to the Hotmail account.
How do you protect yourself against that? Well make sure you have a valid e-mail account listed as your secondary account, and make sure that account has solid security protection. Or better yet, don't use this method. Just leave the secondary e-mail account blank.
You have two other methods to choose from.
Method two is SMS. This is fairly secure, since any attacker would have to get access to your phone, or at least be near enough to intercept text messages to your phone number to steal your password. While this isn't impossible, it's a taller order. Of course, it also means you have to have a phone with a text messaging plan. Still this is my favored method.
Method No. 3 is my least favorite. The Security Question. This is where a lot of people fail. If you make the answer to your security question something guessable or easy to find out, then the strength of your password won't matter. Google suggests a few hard to guess things like your first phone number or Dad's middle name. But while they may be hard, all of these are discoverable. Thankfully, Google lets you write your own question.
I think you should treat this security question like another password. Write your own question and make the answer something entirely unguessable. Like What have you never told anyone else about? Answer: 5623break. Yes, that may be hard to remember, but it's very secure. Unfortunately, they don't let you leave this field blank, so at best you can fill it with nonsense information.
No system is 100 percent secure and obviously the most secure method here would be to provide no way to recover your password. However, if that's too strict for you, now you have some information to help you choose where in that balance between protection and convenience you land.
Thanks to garysimmons on Twitter who pointed to a Lifehacker article from the awesome Gina Trapani on how to force your old add-ons to work in the beta version of Firefox.
Big warning! You're removing a safety net when you do this. Be prepared to deal with bugs, crashes, and security risks if you do this.
OK. Here's how to do it.
Go to the Firefox address bar and type about:config.
Click the button promising to be careful.
You're promising to be careful...RIGHT?
Right-click anywhere on the screen, choose new, then Boolean.
Name your new preference extensions.checkCompatibility. Press OK. Then set it to false and press OK again.
Now right-click again anywhere choose New and Boolean and make the name of this one extensions.checkUpdateSecurity and set the value of that one to false.
Great! You've just instructed Firefox not to check the validity of the extension and to tell update security to go take a flying leap.
If you're sure you want to do that, restart Firefox.
Now all your add-ons should load quite nicely. At least if they don't crash the whole browser. Don't forget you turned off the capability to ensure secure updates. So do be careful.
One last tip, several people wrote to me about the Add-on called Nightly Tester Tools. It allows you to use otherwise incompatible add-ons in beta versions, although it doesn't seem to get Firefox 2 add-ons to work in Firefox 3.
But to hook them up you need to buy that aux cable. They only cost around six or seven bucks, but let's say you're really cheap. I mean, there's the time to drive to the store, wait in line, etc... Even buying online has it's own hazards of identity theft. You can avoid all this hassle if you have one common problem: old, unused headphones. Here's how to make a free stereo aux cable out of a pair of old earbuds you don't use anymore. Watch our video to follow along while I demonstrate.
Ideally, the headphones still work. If they have one of the ears broken, they're not ideal, but it might be OK. Just make sure you use only cable you know doesn't have a short in it. Not all headphones have the same wires inside. Some have three, and some four. If the headphones you're cannibalizing both have the same number of wires, then you just need to match them up. If they don't...we'll get to that.
If you open up a pair of iPod headphones, you'll find four wires. Some of them are red green copper and a red-green combo. Some are red blue copper and a red-green combo. Off brands will also often have red green and copper. Red usually means right and green or blue means left. These are the wires that carry the audio. The other two wires carry the ground.
With a four-wire system, it's important to make sure the grounds are connected to the correct ground. Otherwise you don't complete the circuit and the audio won't pass through. Two three-wire headphones are easier in that way, because you only have one ground. If you're going to try hooking up three to four wires, you'll need to hook both grounds from one wire to the single ground. This is harder to make work, though.
If this is getting too complicated, you may be better off buying an aux cable. Or you can get serious and borrow somebody's continuity tester to make sure all the right currents are flowing the right way. If you go that far, you might as well just rip off the jack and wire right into that.
For the video, I used two iPod cables. Going four wires to four wires. Here's what you do.
First decided how long of a cable you want and cut the wire on both headphones accordingly.
Then *carefully* strip back the insulation. Make sure to wear protective cover.
Wire strippers are best for this, but if you're steady, you can do it with regular old scissors.
The color on the wires is a lacquer insulation. You'll want to strip it away either with a little sandpaper or just burn it off with a lighter. Either way be careful and wear protective goggles.
Heat-shrink tubing will make the wires look a little neater afterward, but a bag costs about 3 bucks. I bring it up now, because you want to put any tubing on *before* you reconnect the wires.
Twist the wires together nice and tight so they have the least chance of separating. This can be made difficult if you come across some white fibers. I just burned them off.
Now we have a choice: The quick and dirty way is to just wrap it all up with electrical tape. You may experience a lot of shorts in your connection if you do that. The sturdiest way is to grab a soldering iron--a cheap one will do for something like this--then paint a bit of solder on each wire. Let it cool. Remember that solder contains lead and you should wear proper protective coverings at all times.
If you're not using shrink tubes, THEN wrap each wire in electrical tape. Make sure to cover any part of the exposed wire where there's a short. And wrap the whole thing in electrical tape.
For shrink tubes, just bring a bit of heat on them to make them shrink. Some folks use hair dryers or lighters or even a soldering iron.
Now take it back to the car. Plug one end into the aux jack, the other into the MP3 player. And enjoy your music.
Remember, it's not just that you're saving $6.36--it's the sense of self-reliance you get from using tools and electrical tape that matters.
This link is unwarranted and only for geeks folks, but if you want to see how it works, check out Brian Tong's video on CNET TV.
Here's the link : http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw
Update: Many people are reporting problems with the unofficial iPhone firmware. If you're having issues or just want to avoid them, here's how to upgrade your iPhone to the official firmware update (via MacRumours).
1. Sync your iPhone with iTunes 7.7 to make sure all data is backed up.
2. Download iPhone1,1_2.0_5A347_Restore.ipsw (Official firmware). You should get a single ".ipsw" file. If your browser renames it to a .zip file, you should rename it to ".ipsw"
3. In iTunes click on the "Check for Updates" while holding the Option key on the Mac (Shift key on Windows)
4. Select the firmware you downloaded in step #2
5. Wait for your iPhone to update and restore.
Watch the show on CNET TV.
Things we Crave
Water-cooled Panasonic projector.
Get a free hands-free headset.
First Look
Download of the Week
Insider Secrets
Best of the Web
Your calls
Play real media files in Linux with Helix and in Linux and OS X with MPlayer
You should be able to get Verizon or Sprint to unlock a CDMA phone for you but if you want to DIY it, try looking around at CellPhoneHacks.
Transfer data between two hard drives
- prev
- 1
- next
Would you like a wrap-up of the week's hottest CNET TV videos delivered directly to your in-box? Then sign up for the weekly CNET TV newsletter, delivered every Friday.