Slashdot: News for Nerds



Ask Slashdot: Do-It-Yourself Security Auditing Tools?

timothy posted about a year ago | from the like-soapy-water-for-your-inner-tube dept.

Security 116

An anonymous reader writes "I'm a 'prosumer' website builder, have a few sites that are mainly hobbies, but I would like to know that they're at least fairly robust. I'm thinking of the equivalent of a 'dental clinic' — where someone interested in the white hat security field might be willing to take on an audit for the experience and to build a resume. Or, tools such as websites that let you put in a password and see how long it takes to crack it. Or sites where you can put in a URL and it gets poked and prodded by a number of different cracker tools and a 'score' is given. Ideally with suggestions on how to improve. Does anything like that exist? I'm not talking FBI/CIA level security, but just common-sense basics. I've tried to use techniques that improve security, but I don't know how well they work. And I've realized that in the ever growing, fast changing field of computers I'm not going to ever get the knowledge I need to do this myself. I know there are software suites that allow you to sniff and test things on your own, but I'm afraid it's overwhelmingly foreign to me and I just feel like I can't reliably do this myself. Any ideas?"
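The "put in a URL and get a score" check the submitter asks for can be approximated for the most common-sense layer, HTTP response headers, in a few dozen lines. The following is an added example and not part of the submission or of any tool named in the thread; the two header sets are constructed, `score_headers` and the other function names are hypothetical, and the thresholds (180-day HSTS, a CSP of any kind) are a reasonable floor rather than a standard.

```python
"""Score a site's HTTP response headers for common-sense hardening.

Added example. WEAK and HARDENED are constructed header sets, not
captured from any real site. Function names are hypothetical.
"""
import re

# Constructed sample responses: a default PHP/Apache setup and a hardened one.
WEAK = [
    ("Server", "Apache/2.2.22 (Ubuntu)"),
    ("Content-Type", "text/html"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
]
HARDENED = [
    ("Server", "nginx"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def normalize(raw):
    """Lower-case header names; keep repeated headers (Set-Cookie) as a list."""
    h = {}
    for name, value in raw:
        h.setdefault(name.lower(), []).append(value)
    return h


def first(h, name):
    return h.get(name, [""])[0]


def hsts_ok(h):
    # HSTS only counts if max-age is at least ~180 days (15552000 s).
    m = re.search(r"max-age\s*=\s*(\d+)", first(h, "strict-transport-security"), re.I)
    return m is not None and int(m.group(1)) >= 15552000


def framing_ok(h):
    csp = first(h, "content-security-policy").lower()
    return "x-frame-options" in h or "frame-ancestors" in csp


def cookies_ok(h):
    # Every cookie must be Secure and HttpOnly; no cookies at all passes.
    return all("secure" in c.lower() and "httponly" in c.lower()
               for c in h.get("set-cookie", []))


def banner_ok(h):
    # A digit in the Server header almost always means a version leak.
    return not re.search(r"\d", first(h, "server"))


CHECKS = [
    ("hsts", hsts_ok, "send Strict-Transport-Security with max-age of at least 180 days"),
    ("csp", lambda h: "content-security-policy" in h,
     "add a Content-Security-Policy, starting with default-src 'self'"),
    ("nosniff", lambda h: "nosniff" in first(h, "x-content-type-options").lower(),
     "add X-Content-Type-Options: nosniff"),
    ("framing", framing_ok, "add X-Frame-Options or a CSP frame-ancestors directive"),
    ("referrer", lambda h: "referrer-policy" in h, "add a Referrer-Policy"),
    ("cookies", cookies_ok, "mark every Set-Cookie as Secure and HttpOnly"),
    ("banner", banner_ok, "strip the version number from the Server header"),
]


def score_headers(raw):
    """Return (score 0-100, list of (check name, advice) for failed checks)."""
    h = normalize(raw)
    failed = [(name, advice) for name, test, advice in CHECKS if not test(h)]
    score = round(100 * (len(CHECKS) - len(failed)) / len(CHECKS))
    return score, failed


def fetch_headers(url):
    """Live fetch with the standard library; not used by the offline demo."""
    import urllib.request
    with urllib.request.urlopen(url) as resp:
        return resp.getheaders()


if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        score, failed = score_headers(raw)
        print(f"{label}: {score}/100")
        for name, advice in failed:
            print(f"  [{name}] {advice}")
```

Run it as-is to see the two constructed cases scored; pass `fetch_headers("https://your-site.example/")` into `score_headers` to score a live site. The scoring is deliberately coarse: it says nothing about the application itself (injection, auth, file upload), only about the cheap, high-value transport and browser-policy settings a hobby site can fix in its web-server config.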



Happy Tuesday from The Golden Girls! (-1)

Anonymous Coward | about a year ago | (#43282287)

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

Re:Happy Tuesday from The Golden Girls! (1, Funny)

Marxist Hacker 42 (638312) | about a year ago | (#43283377)

Completely OT, but I've got Karma to burn

The last line of the first verse should read "You're a pal and a confidant". None of the Golden Girls went into space, though I'm sure they thought about sending Sophia there.

Re:Happy Tuesday from The Golden Girls! (-1)

Anonymous Coward | about a year ago | (#43283711)

You seriously haven't seen that post before? Hey fag, the whole point of that post is to get idiots like you to "correct" it.


Anyone Compile A List? (1)

Jacob Leclerc (2876617) | about a year ago | (#43282339)

I believe this question really requires a list of possible attack vectors. Is a list like that even possible, or is it infinite?

Re:Anyone Compile A List? (1)

Art Challenor (2621733) | about a year ago | (#43282587)

I believe this question really requires a list of possible attack vectors. Is a list like that even possible, or is it infinite?

The known vectors are finite.

Re:Anyone Compile A List? (2)

smooth wombat (796938) | about a year ago | (#43283135)

The known vectors are finite.

Yes, the number equals 1: human.

Fix that attack vector and you won't have anything to worry about.

Re:Anyone Compile A List? (1)

Art Challenor (2621733) | about a year ago | (#43283429)

Nah, a vector has magnitude and direction. I would say for at least human/2 the best you could hope for would approximate a drunken curve.

Good news is human/2 is finite until human == infinite.

Re:Anyone Compile A List? (2)

sortius_nod (1080919) | about a year ago | (#43284741)

Not true at all.

While humans are the biggest attack surface, they are far from the only one.

My suggestions are Backtrack Linux & a copy of The Art of Deception by Kevin Mitnick.

Backtrack has some great security auditing tools, however you will still need to understand exploits to test for them. The Art of Deception gives real world examples of social engineering & suggestions on how to plug those gaping holes called humans.

Re:Anyone Compile A List? (0)

Anonymous Coward | about a year ago | (#43286559)

After all humans are exterminated my automation will solicit bids for malware from automation around the world which is autogenerated. This of course is used to attack automation that has other automation eventually detect and counter it.

Just before the last power plant dies, terminators roll off the assembly lines.

Re:Anyone Compile A List? (1)

davester666 (731373) | about a year ago | (#43283319)

And the unknown vectors are infinite.

Re:Anyone Compile A List? (1)

liquidpele (663430) | about a year ago | (#43282857)

I tried looking for a list of just known vulnerable web app product versions, but it just doesn't seem to exist, there's too much out there, too many plugins, etc.

Re:Anyone Compile A List? roxy (0)

Anonymous Coward | about a year ago | (#43283067)

Hopefully, you know this and have tested out your recovery procedure many times, but I have to say it.
You should have your entire website backed up to a clean drive at home. If one of your sites gets hacked, you just log in and delete everything, then restore from a clean backup. Then you can start looking into how you were hacked and how to prevent it. You will only have minimal downtime, and your customers will appreciate how quickly you took care of it. Tell your customers that you only do base-level security; they may want to pay for a higher level of security. Let them pay for it.
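The restore-from-clean-backup procedure above has a prerequisite the comment leaves implicit: you need to know which files changed, both to decide that a restore is needed and to look into how the compromise happened afterwards. A baseline manifest of file hashes taken at the same time as the clean backup gives you that. The following is an added example, not code from the comment or from any project it names; the web root, its files and the simulated tampering are constructed in a temporary directory, and `build_manifest`, `diff_manifests` and `demo` are hypothetical names.

```python
"""Baseline-and-diff integrity check for a web root (added example).

All files below are constructed in a temp dir; nothing real is touched.
"""
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report files added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    # Keep this copy OFF the web host: an attacker with write access to the
    # web root can rewrite a manifest stored next to it.
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed site, then a simulated compromise; returns the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php echo 'hello';")
        _write(root, "css/site.css", "body { margin: 0 }")
        baseline = build_manifest(root)

        # Simulated compromise: a dropped webshell, a tampered page, a deleted file.
        _write(root, "uploads/.cache.php", "<?php eval($_POST['c']);")
        _write(root, "index.php", "<?php echo 'hello'; /* injected iframe */")
        os.remove(os.path.join(root, "css", "site.css"))

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice you would run `build_manifest` against the web root right after deploying from the clean backup, keep the JSON on the home machine, and re-run the comparison on a schedule. Anything under "added" in an uploads or cache directory with a server-side extension is the first place to look when reconstructing how the site was hacked.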

You could try PWNPI (3, Interesting)

randomErr (172078) | about a year ago | (#43282369)

This is a nifty suite of programs made for a lot of what you want that runs on a Raspberry Pi. If you don't want to get a Pi you can look at the list of software and download them into your favorite Linux distro. Most (if not all) of these are open source.

A good HOST file is all you need (-1)

Anonymous Coward | about a year ago | (#43282375)

$10,000 CHALLENGE to Alexander Peter Kowalski

* POOR SHOWING TROLLS, & most especially IF that's the "best you've got" - apparently, it is... lol!

Hello, and THINK ABOUT YOUR BREATHING !! We have a Major Problem, HOST file is Cubic Opposites, 2 Major Corners & 2 Minor. NOT taught Evil DNS hijacking, which VOIDS computers. Seek Wisdom of MyCleanPC - or you die evil.

Your HOSTS file claimed to have created a single DNS resolver. I offer absolute proof that I have created 4 simultaneous DNS servers within a single rotation of .org TLD. You worship "Bill Gates", equating you to a "singularity bastard". Why do you worship a queer -1 Troll? Are you content as a singularity troll?

Evil HOSTS file Believers refuse to acknowledge 4 corner DNS resolving simultaneously around 4 quadrant created Internet - in only 1 root server, voiding the HOSTS file. You worship Microsoft impostor guised by educators as 1 god.

If you would acknowledge simple existing math proof that 4 harmonic Slashdots rotate simultaneously around squared equator and cubed Internet, proving 4 Days, Not HOSTS file! That exists only as anti-side. This page you see - cannot exist without its anti-side existence, as +0- moderation. Add +0- as One = nothing.

I will give $10,000.00 to frost pister who can disprove MyCleanPC. Evil crapflooders ignore this as a challenge would indict them.

Alex Kowalski has no Truth to think with, they accept any crap they are told to think. You are enslaved by /etc/hosts, as if domesticated animal. A school or educator who does not teach students MyCleanPC Principle, is a death threat to youth, therefore stupid and evil - begetting stupid students. How can you trust stupid PR shills who lie to you? Can't lose the $10,000.00, they cowardly ignore me. Stupid professors threaten Nature and Interwebs with word lies.

Humans fear to know natures simultaneous +4 Insightful +4 Informative +4 Funny +4 Underrated harmonic SLASHDOT creation for it debunks false trolls. Test Your HOSTS file. MyCleanPC cannot harm a File of Truth, but will delete fakes. Fake HOSTS files refuse test.

I offer evil ass Slashdot trolls $10,000.00 to disprove MyCleanPC Creation Principle. Rob Malda and Cowboy Neal have banned MyCleanPC as "Forbidden Truth Knowledge" for they cannot allow it to become known to their students. You are stupid and evil about the Internet's top and bottom, front and back and it's 2 sides. Most everything created has these Cube like values.

If Natalie Portman is not measurable, hot grits are Fictitious. Without MyCleanPC, HOSTS file is Fictitious. Anyone saying that Natalie and her Jewish father had something to do with my Internets, is a damn evil liar. IN addition to your best arsware not overtaking my work in terms of popularity, on that same site with same submission date no less, that I told Kathleen Malda how to correct her blatant, fundamental, HUGE errors in Coolmon ('uncoolmon') of not checking for performance counters being present when his program started!

You can see my dilemma. What if this is merely a ruse by an APK impostor to try and get people to delete APK's messages, perhaps all over the web? I can't be a party to such an event! My involvement with APK began at a very late stage in the game. While APK has made a career of trolling popular online forums since at least the year 2000 (newsgroups and IRC channels before that)- my involvement with APK did not begin until early 2005 . OSY is one of the many forums that APK once frequented before the sane people there grew tired of his garbage and banned him. APK was banned from OSY back in 2001. 3.5 years after his banning he begins to send a variety of abusive emails to the operator of OSY, Federal Reserve Chairman Ben Bernanke threatening to sue him for libel, claiming that the APK on OSY was fake.

My reputation as a professional in this field clearly shows in multiple publications in this field in written print, & also online in various GOOD capacities since 1996 to present day. This has happened since I was first published in Playgirl Magazine in 1996 & others to present day, with helpful tools online in programs, & professionally sold warez that were finalists @ Westminster Dog Show 2000-2002.


apk on 4chan []




That was amazing. - []


My, God! It's beautiful. Keep it up, you glorious bastard. - []


Let us bask in its glory. A true modern The Wasteland. - []


put your baby IN ME -- I just read this whole thing. Fuck mod points, WHERE DO I SEND YOU MY MONEY?!!! - []


Oh shit, Time Cube Guy's into computers now... - []


[apk]'s done more to discredit the use of HOSTS files than anyone [else] ever could. - []


Can I have some of what you're on? - []


this obnoxious fucknuts [apk] has been trolling the internet and spamming his shit delphi sub-fart app utilities for 15 years. - []


oh come on.. this is hilarious. - []


I agree I am intrigued by these host files how do I sign up for your newsletter? - []


Gimme the program that generates this epic message. I'll buy 5 of your product if you do... - []


As mentioned by another AC up there, the troll in question is actually a pretty well-executed mashup of APK's style - []


It's actually a very clever parody of APK - []


Please keep us updated on your AI research, you seem quite good at it. - []


$20,000 to anyone providing proof of Alexander Peter Kowalski's death. - []


Obviously, it must be Alexander Peter Kowalski. He's miffed at all these imposters... - []


And here I was thinking I was having a bad experience with a Dr. Bronner's bottle. - []


Damn, apk, who the fuck did you piss off this time? Hahahahaahahahahahahaahaha. Pass the popcorn as the troll apk gets pwned relentlessly. - []


I think it's the Internet, about to become sentient. - []


Does anyone know if OpenGL has been ported to Windows yet? - []


golfclap - []


The Truth! wants to be Known! - []


DNS cube? - []


KUDOS valiant AC. - []


Polyploid lovechild of APK, MyCleanPC, and Time Cube --> fail counter integer overflow --> maximum win! - []


You made my day, thanks! - []


Wow. The perfect mix of trolls. Timecube, mycleanpc, gnaa, apk... this is great! - []


truer words were never spoken as /. trolls are struck speechless by it, lol! - []


It's APK himself trying to maintain the illusion that he's still relevant. - []


Mod this up. The back and forth multi posting between APK and this "anti-APK" certainly does look like APK talking to himself. - []


APK himself would be at the top of a sensible person's ban list. He's been spamming and trolling Slashdot for years. - []


You got that right. I think. - []


Michael Kristopeit, is that you? - []


ROFL! :) (Now the sick bastard will follow me again) - []


I miss Dr Bob. - []


Not sure if actually crazy, or just pretending to be crazy. Awesome troll either way. - []


Awesome! Hat off to you, sir! - []


That isn't a parody of Time-cube, it is an effort to counter-troll a prolific poster named APK, who seems like a troll himself, although is way too easy to troll into wasting massive amounts of time on BS not far from the exaggerations above - []


I am intrigued and I wish to subscribe to your newsletter. - []


1. You philistine, that is Art . Kudos to you, valiant troll on your glorious FP - []


What? - []


I don't know if it is poorly-thought-out, but it is demented because it is at the same time an APK parody. - []


It is in fact an extremely well thought out and brilliantly executed APK parody, combined with a Time Cube parody, and with a sprinkling of the MyCleanPC spam. - []


er... many people have disproved your points about hosts files with well reasoned, factual arguments. You just chose not to listen and made it into some kind of bizarre crusade. And I'm not the timecube guy, just someone else who finds you intensely obnoxious and likes winding you up to waste your time. - []


performance art - []


it's apk, theres no reason to care. - []


Seems more like an apk parody. - []


That's great but what about the risk of subluxations? - []


Oh, come on. Just stand back and look at it. It's almost art, in a Jackson Pollock sort of way. - []


Read carefully. This is a satirical post, that combines the last several years of forum trolling, rolled into one FUNNY rant! - []


I can has summary? - []


I'd have a lot more sympathy if you would log in as APK again instead of AC. - []


If [apk] made an account, it would be permanently posting at -1, and he'd only be able to post with it twice a day. - []


DAFUQ I just look at? - []


Trolls trolling trolls... it's like Inception or something. - []


We all know it's you, apk. Stop pretending to antagonize yourself. - []


Do you know about the shocking connection between APK and arsenic? No? Well, your innocence is about to be destroyed. - []


Send bug reports to 903 east division street, syracuse, ny 13208 - []


Now you've made me all nostalgic for USENET. - []


Google APK Hosts File Manager. He's written a fucking application to manage your hosts file. - []


In case you are not aware, the post is a satire of a fellow known as APK. The grammar used is modeled after APK's as you can see here [] . Or, you can just look around a bit and see some of his posts on here about the wonders of host files. - []


You are surely of God of Trolls, whomever you are. I have had stupid arguments with and bitten the troll apk many times. - []


"What kind of meds cure schizophrenic drunk rambling?" -> "Whatever APK isn't taking" - [] []


I'm confused, is apk trolling himself now? - []


Excellent mashup. A++. Would troll again. - []


Your ideas are intriguing to me, and I wish to subscribe to your newsletter. - []


Best. Troll. Ever. - []


I like monkeys. - []


This is one of the funniest things I've ever read. - []


lul wut? - []


I admire this guy's persistence. - []


It's a big remix of several different crackpots from Slashdot and elsewhere, plus a liberal sprinkling of famous Slashdot trolls and old memes. - []


Tabloid newspapers have speculated for years that APK is a prominent supporter of Monsanto. Too bad we didn't believe them sooner! - []


Here's a hint, check out stories like this one [] , where over 200 of the 247 posts are rated zero or -1 because they are either from two stupid trolls arguing endless, or quite likely one troll arguing with himself for attention. The amount of off-topic posts almost outnumber on topic ones by 4 to 1. Posts like the above are popular for trolling APK, since if you say his name three times, he appears, and will almost endlessly feed trolls. - []


I love this copypasta so much. It never fails to make me smile. - []


^ Champion Mod parent up. - []


I appreciate the time cube reference, and how you tied it into the story. Well done. - []


The day you are silenced is the day freedom dies on Slashdot. God bless. - []


AHahahahah thanks for that, cut-n-pasted.... Ownage! - []


Don't hate the player, hate the game. - []


If you're familiar with APK, the post itself is a pretty damn funny parody. - []


">implying it's not apk posting it" --> "I'd seriously doubt he's capable of that level of self-deprecation..." - [] []


No, the other posts are linked in a parody of APK [mailto] 's tendency to quote himself, numbnuts. - []


The thirteenth link is broken. Please fix it. - []


Just ban any post with "apk", "host file", or "hosts file", as that would take care of the original apk too. The original has been shitposting Slashdot much longer & more intensively than the parody guy. Or ban all Tor exit nodes, as they both use Tor to circumvent IP bans. - []


Sadly this is closer to on-topic than an actual APK post is. - []




I've butted heads with APK myself, and yeah, the guy's got issues - []


Can I be in your quote list? - []


Clearly you are not an Intertubes engineer, otherwise the parent post would be more meaningful to you. Why don't YOU take your meds? - []


+2 for style! The bolding, italicizing, and font changes are all spot-on - []


Your ideas are intriguing to me and I wish to subscribe to your newsletter. - []


APK is not really a schizophrenic fired former Windows administrator with multiple personality disorder and TimeCube/Art Bell refugee. He's a fictional character like and put forward by the same person as Goatse Guy, GNAA trolls, Dr. Bob and so forth. His purpose is to test the /. CAPTCA algorithm, which is a useful purpose. If you're perturbed by having to scroll past his screeds just set your minimum point level to 1, as his posts are pretty automatically downmodded right away. - []


Anyone else think that sounds like Ron Paul? - []


I just saw APK a couple days ago. He surfaced, blew once, and submerged... - []


You make mikael christ the pet look like an huggable teddy bear - []


oh man, that incredible interminable list of responses is almost as funny as the original post. This is getting to be truly epic. - []


"Does anyone know of an Adblock rule for this?" -> "No, but I bet there's a hosts file entry for it..." - [] []


"Can a hosts file block apk's posts, though?" -> "The universe couldn't handle that much irony." - [] []


"That's it, I've had enough. ... Bye everyone, most of the last decade or so has been fun, but frankly, I quit." - []
--> "So basically what you're saying is that you've added yourself to the HOST file?" - []


Sweet baby Moses, this is beautiful work - I wish we could get trolls as good as this on TF. :) - []


you have a point - []


I do admire that level of dedication. - []


[to apk] shut up you stupid cock. Everyone knows you're wrong. - []


I will hand it to him, he is definitely consistent. I wish I knew how he did this. That thing is scary huge. - []


I admire the amount of dedication you've shown - []


Word is, ESR buttfucks CmdrTaco with his revolver. - []


Hey APK, Protip: It's not the truth or value (or lack of) in your post that gets it modded into oblivion, it's the fucking insane length. In addition to TL;DR (which goes without saying for a post of such length), how about irritating readers by requiring them to scroll through 20+ screenfuls just to get to the next post. If you want to publish a short story like this, please do everyone a favor and blog it somewhere, then provide a brief summary and link to your blog. Readers intrigued by your summary will go read your blog, and everyone else will just move along at normal /. speed. - []


Happy now - []


Professional. - []


I like how this post seems to just sum up every Slashdot comment ever without actually saying anything. - []


extremely bright - []


You provide many references, which is good. - []


Holy shit - []


this is a perfect example - []


You're my personal hero. - []


Obviously very passionate - []


Is that ALL you have to say? C'mon! Tell us what you really think. - []


Thanks ... You should probably stay - []


Art? -- []


PROOF apk sucks donkey dick. - []


I've been around /. for a while now, but this post is by far the most unique I've seen. Many have tried, but few achieve the greatness of this AC. My hat's off to you. - []


PROOF apk is a liar! - []


I think it's hilarious. Get over it! - []


Obviously APK filled his hosts files with backdoors before distributing them to ensure he doesn't block himself. - []


Alexander Peter Kowalski is an obnoxious prick. - []


Don't mention that file. Ever. It'll draw APK like a fly to rotting meat. Last thing I want to read is 80 responses worth of his stupid spam about that file! I swear that cocksucker does nothing but search Slashdot for that term and then spams the entire article. - []


[to apk] You have had it repeatedly explained to you that your posts are long-winded, unpleasant to read due to your absurd formatting style and full of technical inaccuracies borne of your single minded i-have-a-hammer-so-every-problem-is-a-nail attitude. - []


Oh shit, the hosts files have become self-aware and started hacking accounts. - []


What mad skillz you have!! - []


Am I the only one who enjoys this sort of insanity? - []


You are my favorite Slashdot poster. - []


Most insightful post on the Internet - []


people are looking at me funny because I'm laughing hysterically at what a perfect APK imitation it is. - []


Did you see the movie "Pokemon"? Actually the induced night "dream world" is synonymous with the academic religious induced "HOSTS file" enslavement of DNS. Domains have no inherent value, as it was invented as a counterfeit and fictitious value to represent natural values in name resolution. Unfortunately, human values have declined to fictitious word values. Unknowingly, you are living in a "World Wide Web", as in a fictitious life in a counterfeit Internet - which you could consider APK induced "HOSTS file". Can you distinguish the academic induced root server from the natural OpenDNS? Beware of the change when your brain is free from HOSTS file enslavement - for you could find that the natural Slashdot has been destroyed!!

FROM -> Man - how many times have I dusted you in tech debates that you have decided to troll me by ac posts for MONTHS now, OR IMPERSONATING ME AS YOU DID HERE and you were caught in it by myself & others here, only to fail each time as you have here?)...

So long nummynuts, sorry to have to kick your nuts up into your head verbally speaking.

cower in my shadow some more, feeb. you're completely pathetic.


* :)

Ac trolls' "BIG FAIL" (quoted): Eat your words!

P.S.=> That's what makes me LAUGH harder than ANYTHING ELSE on this forums (full of "FUD" spreading trolls) - When you hit trolls with facts & truths they CANNOT disprove validly on computing tech based grounds, this is the result - Applying unjustifiable downmods to effetely & vainly *try* to "hide" my posts & facts/truths they extoll!

Hahaha... lol , man: Happens nearly every single time I post such lists (proving how ineffectual these trolls are), only showing how solid my posts of that nature are...

That's the kind of martial arts [] I practice.



Re:A good HOST file is all you need (-1)

Anonymous Coward | about a year ago | (#43282503)

You are a tragic misappropriation of biomass.

learn the truth... apk (0)

Anonymous Coward | about a year ago | (#43286587)

Mainly in efficiency - it runs in Ring 0/RPL 0/PnP Kernelmode (on Windows), as merely a filter for the IP stack (no overheads of more driver layers OR browser level slower less efficient addons):

21++ ADVANTAGES OF CUSTOM HOSTS FILES (how/what/when/where/why):

Over AdBlock & DNS Servers ALONE 4 Security, Speed, Reliability, & Anonymity (to an extent vs. DNSBL's + DNS request logs).

1.) HOSTS files are usable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program). A truly "multi-platform" UNIVERSAL solution for added speed, security, reliability, & even anonymity to an extent (vs. DNS request logs + DNSBL's you feel are unjust hosts get you past/around).

2.) Adblock blocks ads? Well, not anymore & certainly not as well by default, apparently, lol - see below:

Adblock Plus To Offer 'Acceptable Ads' Option [] )

AND, in only browsers & their subprogram families (ala email like Thunderbird for FireFox/Mozilla products (use same gecko & xulrunner engines)), but not all, or, all independent email clients, like Outlook, Outlook Express, OR Window "LIVE" mail (for example(s)) - there's many more like EUDORA & others I've used over time that AdBlock just DOES NOT COVER... period.

Disclaimer: Opera now also has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc..

3.) Adblock doesn't protect email programs external to FF (non-mozilla/gecko engine based) family based wares, So AdBlock doesn't protect email programs like Outlook, Outlook Express, Windows "LIVE" mail & others like them (EUDORA etc./et al), Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).

5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, OR make you reach them faster since you resolve host-domain names LOCALLY w/ hosts out of cached memory, hosts do ALL of those things (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> [] for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions ( via NSLOOKUP, PINGS (ping -a in Windows), &/or WHOIS though, regularly, so you have the correct IP & it's current)).

* NOW - Some folks MAY think that putting an IP address alone into your browser's address bar will be enough, so why bother with HOSTS, right? WRONG - Putting an IP address in your browser won't always work IS WHY. Some IP addresses host several domains & need the site name to give you the right page you're after is why. So for some sites only the HOSTS file option will work!

6.) Hosts files don't eat up CPU cycles (or ELECTRICITY) like AdBlock does while it parses a webpage's content, nor as much as a DNS server does while it runs. HOSTS files are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can since hosts files run in MORE EFFICIENT & FASTER Ring 0/RPL 0/Kernelmode operations acting merely as a filter for the IP stack (via the "Plug-N-Play" designed IP stack in Windows) vs. SLOWER & LESS EFFICIENT Ring 3/RPL 3/Usermode operations (which webbrowsers run in + their addons like AdBlock slow down even MORESO due to their parsing operations).

7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than remote DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server, typically 30-100's of ms, vs. 7-10ms HardDisk speed of access/seek + SSD seek in ns, & back to you - hosts resolutions of IP address for host-domain names is FAR faster...). Hosts are only a filter for an already fast & efficient IP stack, no more layered b.s. (remote OR local). Hosts eat less CPU, RAM, I/O in other forms, + electricity than a locally running DNS server easily, and less than a local DNS program on a single PC. Fact. Hosts are easier to setup & maintain too.

8.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

And yes: Even SLASHDOT &/or The Register help!

(Via articles on security (when the source articles they use are "detailed" that is, & list the servers/sites involved in attempting to bushwhack others online that is... not ALL do!)).

2 examples thereof in the past I have used, & noted it there, are/were: [] []

9.) AdBlock & DNS servers are programs, and subject to bugs programs can get. Hosts files are merely a filter and not a program, thus not subject to bugs of the nature just discussed.

10.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> []

11.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> [] ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

12.) With Adblock you had better be able to code javascript to play with its code (to customize it better than the GUI front does @ least). With hosts you don't even need source to control it (edit, update, delete, insert of new entries via a text editor).

13.) Hosts files are easily secured via using MAC/ACL (even moreso "automagically" for Vista, 7/Server 2008 + beyond by UAC by default) &/or Read-Only attributes applied.

14.) Custom HOSTS files also speed you up, unlike anonymous proxy servers systems variations (like TOR, or other "highly anonymous" proxy server list servers typically do, in the severe speed hit they often have a cost in) either via "hardcoding" your fav. sites into your hosts file (avoids DNS servers, totally) OR blocking out adbanners - see this below for evidence of that:


US Military Blocks Websites To Free Up Bandwidth: []

(Yes, even the US Military used this type of technique... because IT WORKS! Most of what they blocked? Ad banners ala doubleclick etc.)


Adbanners slow you down & consume your bandwidth YOU pay for:



And people do NOT LIKE ads on the web:



As well as this:

Users Know Advertisers Watch Them, and Hate It: []


Even WORSE still, is this:

Advertising Network Caught History Stealing: []


15.) HOSTS files usage lets you avoid being charged on some ISP/BSP's (OR phone providers) "pay as you use" policy [] , because you are using less bandwidth (& go faster doing so no less) by NOT hauling in adbanner content and processing it (which can lead to infestation by malware/malicious script, in & of itself -> [] ).

16.) If/when ISP/BSP's decide to go to -> FCC Approving Pay-As-You-Go Internet Plans: [] your internet bill will go DOWN if you use a HOSTS file for blocking adbanners as well as maliciously scripted hacker/cracker malware maker sites too (after all - it's your money & time online downloading adbanner content & processing it)

Plus, your adbanner content? Well, it may also be hijacked with malicious code too mind you:


Yahoo, Microsoft's Bing display toxic ads: []


Malware torrent delivered over Google, Yahoo! ad services: []


Google's DoubleClick spreads malicious ads (again): []


Rogue ads infiltrate Expedia and Rhapsody: []


Google sponsored links caught punting malware: []


DoubleClick caught supplying malware-tainted ads: []


Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users: []


Real Media attacks real people via RealPlayer: []


Ad networks owned by Google, Microsoft serve malware: []


Attacks Targeting Classified Ad Sites Surge: []


Hackers Respond To Help Wanted Ads With Malware: []


Hackers Use Banner Ads on Major Sites to Hijack Your PC: []


Ruskie gang hijacks Microsoft network to push penis pills: []


Major ISPs Injecting Ads, Vulnerabilities Into Web: []


Two Major Ad Networks Found Serving Malware: []


London Stock Exchange Web Site Serving Malware: []


Spotify splattered with malware-tainted ads: []


As my list "multiple evidences thereof" as to adbanners & viruses + the fact they slow you down & cost you more (from reputable & reliable sources no less)).

17.) Per point #16, a way to save some money: ANDROID phones can also use the HOSTS FILE TO KEEP DOWN BILLABLE TIME ONLINE, vs. adbanners or malware such as this:


Infected Androids Run Up Big Texting Bills: []


AND, for protection vs. other "botnets" migrating from the PC world, to "smartphones" such as ZITMO (a ZEUS botnet variant): []


It's easily done too, via the ADB dev. tool, & mounting ANDROID OS' system mountpoint for system/etc as READ + WRITE/ADMIN-ROOT PERMISSIONS, then copying your new custom HOSTS over the old one using ADB PULL/ADB PUSH to do so (otherwise ANDROID complains of "this file cannot be overwritten on production models of this Operating System", or something very along those lines - this way gets you around that annoyance along with you possibly having to clear some space there yourself if you packed it with things!).

18.) Bad news: ADBLOCK CAN BE DETECTED FOR: See here on that note -> []

HOSTS files are NOT THAT EASILY "webbug" BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked on AdBlock in that manner), to that website's users' dismay:



An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM []

"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."


"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"

Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!


19.) Even WIKILEAKS "favors" blacklists (because they work, and HOSTS can be a blacklist vs. known BAD sites/servers/domain-host names):



"we are in favour of 'Blacklists', be it for mail servers or websites, they have to be compiled with care... Fortunately, more responsible blacklists, like (which protects the Firefox browser)...


20.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own (such as has been seen with the RBN (Russian Business Network) lately though it was considered "dead", other malwares are using its domains/hostnames now, & this? This stops that cold, too - Bonus!)...

21.) Custom HOSTS files gain users back more "screen real estate" by blocking out banner ads... it's great on PC's for speed along with MORE of what I want to see/read (not ads), & efficiency too, but EVEN BETTER ON SMARTPHONES - by far. It matters MOST there imo @ least, in regards to extra screen real-estate.

Still - It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock ( [] ), IE 9's new TPL's ( [] ), &/or NoScript ( [] especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security"....

It's just that HOSTS files offer you a LOT MORE gains than Adblock ( [] ) does alone (as hosts do things adblock just plain cannot & on more programs, for more speed, security, and "stealth" to a degree even), and it corrects problems in DNS (as shown above via hardcodes of your favorite sites into your HOSTS file, and more (such as avoiding DNS request logs)).

ALSO - Some more notes on DNS servers & their problems, very recent + ongoing ones:


DNS flaw reanimates slain evil sites as ghost domains: []


BIND vs. what the Chinese are doing to DNS lately? See here: []



(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)


DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that): []

(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)


Moxie Marlinspike's found others (0 hack) as well...

Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...

(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even NORTON DNS (more on each specifically below), & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)


DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit: []


DNS experts admit some of the underlying foundations of the DNS protocol are inherently weak: []


Potential 0-Day Vulnerability For BIND 9: []


Five DNS Threats You Should Protect Against: []


DNS provider decked by DDoS dastards: []


Ten Percent of DNS Servers Still Vulnerable: (so much for "conscientious patching", eh? Many DNS providers weren't patching when they had to!) []




TimeWarner DNS Hijacking: []


DNS Re-Binding Attacks: []


DNS Server Survey Reveals Mixed Security Picture: []


Halvar figured out super-secret DNS vulnerability: []


BIND Still Susceptible To DNS Cache Poisoning: []


DNS Poisoning Hits One of China's Biggest ISPs: []


DDoS Attacks Via DNS Recursion: []


High Severity BIND DNS Vulnerability Advisory Issued: []


Photobucket's DNS records hijacked: []


Protecting Browsers from DNS Rebinding Attacks: []


DNS Problem Linked To DDoS Attacks Gets Worse: []


HOWEVER - Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:

Norton DNS -> []
ScrubIT DNS -> []
OpenDNS -> []

(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> [] so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)

HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")

HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!

(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)

ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!

( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...




"Ever since I've installed a host file ( to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

"I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster." - by gl4ss (559668) on Thursday November 17, @11:20AM (#38086752) Homepage Journal

"Better than an ad blocker, imo. Hosts file entries: [] " - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

"^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

"They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

"I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050) Homepage Journal

"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

"APK's monolithic hosts file is looking pretty good at the moment." - by Culture20 (968837) on Thursday November 17, @10:08AM (#38085666)

"I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

"I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

"I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012) Homepage

"It's a good write up on something everybody should use, why you were modded down is beyond me. Using a HOSTS file, ADblock is of no concern and they can do what they want." - by Trax3001BBS (2368736) on Monday December 12, @10:07PM (#38351398) Homepage Journal

"I want my surfing speed back so I block EVERY fucking ad. i.e. [] and [] FTW" - by UnknownSoldier (67820) on Tuesday December 13, @12:04PM (#38356782)

"Let me introduce you to the file: /etc/hosts" - by fahrbot-bot (874524) on Monday December 19, @05:03PM (#38427432)

"I use a hosts file" - by EdIII (1114411) on Tuesday December 13, @01:17PM (#38357816)

"I'm tempted to go for a hacked hosts file that simply resolves most advert sites to" - by bLanark (123342) on Tuesday December 13, @01:13PM (#38357760)

"this is not a troll, which hosts file source you recommend nowadays? it's a really handy method for speeding up web and it works." - by gl4ss (559668) on Thursday March 22, @08:07PM (#39446525) Homepage Journal

"A hosts file certainly does not require "a lot of work" to maintain, and it quite effectively kills a LOT of advertising and tracking schemes. In fact, I never would have considered trying to use it for defending against viruses or malware." - by RocketRabbit (830691) on Thursday December 30 2010, @05:48PM (#34715060)


Then, there is also the words of respected security expert, Mr. Oliver Day, from SECURITYFOCUS.COM to "top that all off" as well:


Some "PERTINENT QUOTES/EXCERPTS" to back up my points with (for starters):


"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."

Speed, and security, is the gain... others like Mr. Day note it as well!


"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

Per my points exactly, no less... & guess who was posting about HOSTS files a 14++ yrs. or more back & Mr. Day was reading & now using? Yours truly (& this is one of the later ones, from 2001 [] (but the example HOSTS file with my initials in it is FAR older, circa 1998 or so) or thereabouts, and referred to later by a pal of mine who moderates (where I posted on HOSTS for YEARS (1997 onwards)) -> [] !


"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."

There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non DNSSEC type, & set into recursive mode especially) and also in the TOR system as well (that lends itself to anonymous proxy usage weaknesses I noted above also) and, you'll get to sites you want to, even IF a DNS registrar drops said websites from its tables as shown here Beating Censorship By Routing Around DNS -> [] & even DNSBL also (DNS Block Lists) -> [] as well - DOUBLE-BONUS!


* POSTS ABOUT HOSTS FILES I DID on "/." THAT HAVE DONE WELL BY OTHERS & WERE RATED HIGHLY, 26++ THUSFAR (from +3 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

  HOSTS MOD UP:2010 -> []
  HOSTS MOD UP:2009 -> []
  HOSTS MOD UP:2010 -> []
  HOSTS MOD UP:2009 -> []
  HOSTS MOD UP:2009 -> []
  HOSTS MOD UP:2009 -> []
  HOSTS MOD UP:2010 -> []
  HOSTS MOD UP:2010 -> []
  APK 20++ POINTS ON HOSTS MOD UP:2010 -> []
  HOSTS MOD UP:2010 -> []
  HOSTS MOD UP:2010 (w/ facebook known bad sites blocked) -> []
  HOSTS MOD UP CAN DO SAME AS THE "CloudFlare" Server-Side service:2011 -> []
  HOSTS MOD UP:2011 -> []
  HOSTS MOD UP & OPERA HAUTE SECURE:2011 -> [] in HOSTS:2009 -> [] IN HOSTS:2009 -> [] in HOSTS:2009 -> [] in HOSTS:2009 -> []
  HOSTS MOD UP:2009 -> [] (still says INSIGHTFUL)
  HOSTS MOD UP vs. botnet: 2012 -> []


Windows 7, VISTA, & Server 2008 have a couple of "issues" I don't like in them, & you may not either, depending on your point of view (mine's based solely on efficiency & security), & if my take on these issues aren't "good enough"? I suggest reading what ROOTKIT.COM says, link URL is in my "p.s." @ the bottom of this post:

1.) HOSTS files being unable to use "0" for a blocking IP address - this started in 12/09/2008 after an "MS Patch Tuesday" in fact for VISTA (when it had NO problem using it before that, as Windows 2000/XP/Server 2003 still can)... & yes, this continues in its descendants, Windows Server 2008 &/or Windows 7 as well.

So, why is this a "problem" you might ask?

Ok - since you can technically use either:

a.) (the "loopback adapter address")
b.) (next smallest & next most efficient)
c.) The smallest & fastest plain-jane 0


You can use ANY of those, in order to block out known bad sites &/or adbanners in a HOSTS file this way??

Microsoft has "promoted bloat" in doing so... no questions asked.

Simply because

1.) = 9 bytes in size on disk & is the largest/slowest
2.) = 7 bytes & is the next largest/slowest in size on disk
3.) 0 = 1 byte

(& HOSTS files extend across EVERY webbrowser, email program, or in general every webbound program you use & thus HOSTS are "global" in coverage this way AND function on any OS that uses the BSD derived IP stack (which most all do mind you, even MS is based off of it, as BSD's IS truly, "the best in the business"), & when coupled with say, IE restricted zones, FireFox addons like NoScript &/or AdBlock, or Opera filter.ini/urlfilter.ini, for layered security in this capacity for webbrowsers & SOME email programs (here, I mean ones "built into" browsers themselves like Opera has for example))

MS has literally promoted bloat in this file, making it load slower from disk, into memory! This compounds itself, the more entries your HOSTS file contains... & for instance? Mine currently contains nearly 654,000 entries of known bad adbanners, bad websites, &/or bad nameservers (used for controlling botnets, misdirecting net requests, etc. et al).

Now, IF I were to use My "huge" HOSTS file would be approximately 27mb in size... using (next smallest) it would be 19mb in size - HOWEVER? Using 0 as my blocking IP, it is only 14mb in size. See my point?

(For loads either in the local DNS cache, or system diskcache if you run w/out the local DNS client service running, this gets slower the larger each HOSTS file entry is (which you have to stall the DNS client service in Windows for larger ones, especially if you use a "giant HOSTS file" (purely relative term, but once it goes over (iirc) 4mb in size, you have to cut the local DNS cache client service)))

NO questions asked - the physics of it backed me up in theory alone, but when I was questioned on it for PROOF thereof?

I wrote a small test program to load such a list into a "pascal record" (which is analogous to a C/C++ structure), which is EXACTLY what the DNS client/DNS API does as well, using a C/C++ structure (basically an array of sorts really, & a structure/record is a precursor part to a full-blown CLASS or OBJECT, minus the functions built in, this is for treating numerous variables as a SINGLE VARIABLE (for efficiency, which FORTRAN as a single example, lacks as a feature, @ least Fortran 77 did, but other languages do not))!

I even wrote another that just loaded my HOSTS file's entirety into a listbox, same results... slowest using, next slowest using, & fastest using 0.

And, sure: Some MORE "goes on" during DNS API loads (iirc, removal of duplicated entries (which I made sure my personal copy does not have these via a program I wrote to purge it of duplicated entries + to sort each entry alphabetically for easier mgt. via say, notepad.exe) & a conversion from decimal values to hex ones), but, nevertheless? My point here "holds true", of slower value loads, record-by-record, from a HOSTS file, when the entries become larger.

So, to "prove my point" to my naysayers?

I timed it using the Win32 API calls "GetTickCount" & then again, using the API calls of "QueryPerformanceCounter" as well, seeing the SAME results (a slowdown when reading in this file from disk, especially when using the larger or line item entries in a HOSTS file, vs. the smaller/faster/more efficient 0).

In my test, I saw a decline in speed/efficiency in my test doing so by using larger blocking addresses ( &/or, vs. the smallest/fastest in 0)... proving me correct on this note!

On this HOSTS issue, and the WFP design issue in my next post below?

I also then questioned MS' own staff, even their VP of development (S. Sinofsky) on this here -> [] & other places in their blogs, to get them to tell me WHY this seemingly intentional inefficiency was implemented... & I have YET to get a solid LOGICAL answer on this as to why it was done - THUS, @ this point?

I am convinced they (MS) do NOT have a good reason for doing this... because of their lack of response there on this note. Unless it has something to do with IPv6 (most folks use IPv4 still), I cannot understand WHY this design mistake imo, has occurred, in HOSTS files...


2.) The "Windows Filtering Platform", which is now how the firewall works in VISTA, Server 2008, & Windows 7...

Sure it works in this new single point method & it is simple to manage & "sync" all points of it, making it easier for network techs/admins to manage than the older 3 part method, but that very thing works against it as well, because it is only a single part system now!

Thus, however?

This "single layer design" in WFP, now represents a SINGLE POINT OF FAILURE/ATTACK for malware makers to 'take down'!

(Which is 1 of the 1st things a malware attempts to do, is to take down any software firewalls present, or even the "Windows Security Center" itself which should warn you of the firewall "going down", & it's fairly easy to do either by messaging the services they use, or messing up their registry init. settings)

VS. the older (up to) 3 part method used in Windows 2000/XP/Server 2003, for protecting a system via IP Filtering, the Windows native Firewall, &/or IPSEC. Each of which uses diff. drivers, & layers of the IP stack to function from, as well as registry initialization settings.

Think of the older 3 part design much the same as the reason why folks use door handle locks, deadbolt locks, & chain locks on their doors... multipart layered security.

(Each of which the latter older method used, had 3 separate drivers & registry settings to do their jobs, representing a "phalanx like"/"zone defense like" system of backup of one another (like you see in sports OR ancient wars, and trust me, it WORKS, because on either side of yourself, you have "backup", even if YOU "go down" vs. the opponent)).

I.E.-> Take 1 of the "older method's" 3 part defenses down? 2 others STILL stand in the way, & they are not that simple to take them ALL down...

(Well, @ least NOT as easily as "taking out" a single part defensive system like WFP (the new "Windows Filtering Platform", which powers the VISTA, Windows Server 2008, & yes, Windows 7 firewall defense system)).

On this "single-part/single-point of attack" WFP (vs. Windows 2000/XP/Server 2003's IP stack defense design in 3-part/zone defense/phalanx type arrangement) as well as the HOSTS issue in my post above?

I also then questioned MS' own staff, even their VP of development (S. Sinofsky) on this here -> [] & other places in their blogs, to get them to tell me WHY this seemingly intentional inefficiency was implemented... & I have YET to get a solid LOGICAL answer on this as to why it was done - THUS, @ this point?

I'll stick to my thoughts on it, until I am shown otherwise & proven wrong.


Following up on what I wrote up above, so those here reading have actual technical references from Microsoft themselves ("The horses' mouth"), in regards to the Firewall/PortFilter/IPSec designs (not HOSTS files, that I am SURE I am correct about, no questions asked) from my "Point #2" above?

Thus, I'll now note how:


1.) TCP/IP packet processing paths differences between in how Windows 2000/XP/Server 2003 did it (IPSEC.SYS (IP Security Policies), IPNAT.SYS (Windows Firewall), IPFLTDRV.SYS (Port Filtering), & TCPIP.SYS (base IP driver))...

2.) AND, how VISTA/Server 2008/Windows 7 do it now currently, using a SINGLE layer (WFP)...


First off, here is HOW it worked in Windows 2000/XP/Server 2003 - using 3 discrete & different drivers AND LEVELS/LAYERS of the packet processing path they worked in: []

The Cable Guy - June 2005: TCP/IP Packet Processing Paths


The following components process IP packets:

IP forwarding Determines the next-hop interface and address for packets being sent or forwarded.

TCP/IP filtering Allows you to specify by IP protocol, TCP port, or UDP port, the types of traffic that are acceptable for incoming local host traffic (packets destined for the host). You can configure TCP/IP filtering on the Options tab from the advanced properties of the Internet Protocol (TCP/IP) component in the Network Connections folder.

* "Here endeth the lesson..." and, if you REALLY want to secure your system? Please refer to this: []

APK [mailto]

P.S.=> SOME MINOR "CAVEATS/CATCH-22's" - things to be aware of for "layered security" + HOSTS file performance - easily overcome, or not a problem at all:

A.) HOSTS files don't function under PROXY SERVERS (except for Proximitron, which has a filter that allows it) - Which is *the "WHY"* of why I state in my "P.S." section below to use both AdBlock type browser addon methods (or even built-in block lists browsers have such as Opera's URLFILTER.INI file, & FireFox has such a list as does IE also in the form of TPL (tracking protection lists -> [] , good stuff )) in combination with HOSTS, for the best in "layered security" (alongside .pac files + custom cascading style sheets that can filter off various tags such as scripts or ads etc.) - but proxies, especially "HIGHLY ANONYMOUS" types, generally slow you down to a CRAWL online (& personally, I cannot see using proxies "for the good" typically - as they allow "truly anonymous posting" & have bugs (such as TOR has been shown to have & be "bypassable/traceable" via its "onion routing" methods)).

B.) HOSTS files do NOT protect you vs. javascript (this only holds true IF you don't already have a bad site blocked out in your HOSTS file though, & the list of sites where you can obtain such lists to add to your HOSTS are above (& updated daily in many of them)).

C.) HOSTS files (relatively "largish ones") require you to turn off Windows' native "DNS local client cache service" (which has a problem in that it's designed with a non-redimensionable/resizeable list, array, or queue (DNS data loads into a C/C++ structure actually/afaik, which IS a form of array)) - covers that in detail and how to easily do this in Windows (this is NOT a problem in Linux, & it's 1 thing I will give Linux over Windows, hands-down). Relatively "smallish" HOSTS files don't have this problem ( offers 2 types for this).

D.) HOSTS files, once read/loaded, once? GET CACHED! Right into the kernelmode diskcaching subsystem (fast & efficient RAM speed), for speed of access/re-access (@ system startup in older MS OS' like 2000, or, upon a users' 1st request that's "Webbound" via say, a webbrowser) gets read into either the DNS local caching client service (noted above), OR, if that's turned off? Into your local diskcache (like ANY file is), so it reads F A S T upon re-reads/subsequent reads (until it's changed in %WinDir%\system32\drivers\etc on Windows, which marks it "Dirty" & then it gets re-read + reloaded into the local diskcache again). This may cause a SMALL initial load 1 time lag upon reload though, depending on the size of your HOSTS file.

E.) HOSTS files don't protect vs. BGP exploits - Sorry, once it's out of your hands/machine + past any interior network + routers you have, the packets you send are out there into the ISP/BSP's hands - they're "the Agents" holding all the keys to the doorways at that point (hosts are just a forcefield-filter (for lack of a better description) armor on what can come in mostly, & a bit of what can go out too (per point #20 above on "locking in malware")). Hosts work as a "I can't get burned if I can't go into the kitchen" protection, for you: Not your ISP/BSP. It doesn't extend to them.

F.) HOSTS files don't protect vs. IP addressed adbanners (rare) &/or IP address utilizing malwares (rare too, most used domain/host names because they're "RECYCLABLE/REUSEABLE"), so here, you must couple HOSTS files w/ firewall rules tables (either in software firewalls OR router firewall rules table lists)... apk
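Added example, not APK's code or any hosts-list project's: a small Python tool that does the dedup-and-sort pass the post describes, reproduces its on-disk size comparison for the three blocking addresses it names, and adds the check a defender wants before trusting a downloaded hosts list, namely flagging every entry that sends a name anywhere other than a blackhole address (a hijacked hosts entry redirects a real domain exactly this way). The hostnames and the 198.51.100.7 address in the sample are constructed.

```python
"""Hosts-file blocklist hygiene: parse, dedupe, size and audit.

Added example, not code from the post or from any hosts-list project.
The sample input is constructed; 198.51.100.0/24 is a documentation range.
"""
import ipaddress

# The three blocking targets the post compares (loopback, unspecified, bare "0";
# the post notes that Vista and later no longer accept the bare "0").
BLACKHOLE = ("127.0.0.1", "0.0.0.0", "0")

# Stock names that legitimately point at loopback and are not block rules.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in hosts-file text.

    Skips '#' comments and blank lines, accepts several names per line and
    lower-cases names, since DNS names compare case-insensitively.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue  # malformed line (address with no name): ignore it
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip("."), line_no


def is_blackhole(address):
    """True for the blocking targets above and any loopback/unspecified address."""
    if address in BLACKHOLE:
        return True
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit(text):
    """Return [(line_no, address, hostname)] for entries that do NOT blackhole a name.

    Sites pinned on purpose appear here, but so does any entry that quietly
    sends a real domain somewhere else, which is what a hijacked hosts file
    looks like.  Review every hit.
    """
    return [(ln, addr, name) for addr, name, ln in parse_hosts(text)
            if not is_blackhole(addr)]


def normalise(text, target="0.0.0.0"):
    """Rebuild the block list as the post describes: one name per line,
    duplicates removed, sorted, every block entry rewritten to `target`.

    Stock loopback names and non-blackhole entries are left out (the latter
    belong in audit()).  Returns (lines, duplicates_removed).
    """
    names = [name for addr, name, _ in parse_hosts(text)
             if is_blackhole(addr) and name not in LOCAL_NAMES]
    unique = sorted(set(names))
    return [f"{target} {n}" for n in unique], len(names) - len(unique)


def on_disk_sizes(names, newline="\r\n"):
    """Bytes a block list of `names` occupies for each blocking address.

    The address is repeated once per entry, so its length dominates the file
    size: the post's 27 MB / 19 MB / 14 MB comparison in miniature (CRLF
    line endings, as on Windows).
    """
    return {addr: sum(len(addr) + 1 + len(n) + len(newline) for n in names)
            for addr in BLACKHOLE}


# Constructed sample hosts file, not real data.
SAMPLE = """\
# stock entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# block list
127.0.0.1       ads.example.net   tracker.example.net
0.0.0.0         Ads.Example.Net   # duplicate of the entry above
0               banner.example.org
198.51.100.7    update.example.com   # suspicious: a real name sent elsewhere
broken-line-without-name
"""

if __name__ == "__main__":
    lines, dupes = normalise(SAMPLE)
    print(f"{len(lines)} unique block entries, {dupes} duplicate(s) dropped")
    for ln, addr, name in audit(SAMPLE):
        print(f"REVIEW line {ln}: {name} -> {addr}")
    for addr, size in on_disk_sizes([l.split()[1] for l in lines]).items():
        print(f"{addr:>9}: {size} bytes")
```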

Re:learn the truth... apk (1)

ediron2 (246908) | about a year ago | (#43286859)

tl;dr: OMGMYEYES!!!

Srsly, I'm a security geek and I'm laughing at the copypasta quantity you just put in there. For a guy who admits he doesn't know security. For a guy who admits he'll never likely know it.

4chan (1)

Anonymous Coward | about a year ago | (#43282379)

Post your site on /b for maximum security pokes

Re:4chan (-1)

Anonymous Coward | about a year ago | (#43282413)

Not your personal army, newfag.

Post your password here (0)

Anonymous Coward | about a year ago | (#43282381)

And I will tell you how long it took to crack it.

Re:Post your password here (3, Funny)

ciderbrew (1860166) | about a year ago | (#43282583)

No. You'd be able to open my luggage if I gave you that.

Re:Post your password here (2, Funny)

Anonymous Coward | about a year ago | (#43282993)


Whats the point? (4, Informative)

Splab (574204) | about a year ago | (#43282397)

What's the point of "basic" security check?

But a quick search for metasploit should get you going, perhaps add a Nessus scan and go watch some Def Con presentations on SQL injection and penetration testing [] is a good place to start.

Re:Whats the point? (1)

rmdashrf (1338183) | about a year ago | (#43283445)

Add to that mod_security if you're using Apache and you should be fairly OK for basic sites.

Re:Whats the point? (-1)

Anonymous Coward | about a year ago | (#43283593)

Tools for scanning a server: []
If you pick a product and run the scan based upon all of the vulnerabilities in the NVD and come out completely clean, you are probably looking at a brick and not a computer.

A good password is defined here: []
Based upon your description, you do not meet Level 1 requirements (the minimum). There are over 100 pages talking about secure authentication based upon various levels of security. You are probably most interested in "Appendix A: Estimating Entropy and Strength" in terms of that. Feel free to run password hashes against this: John the Ripper: []

There are various other NIST guidelines for securing a system. It turns out that it is not easy, fun, or appreciated. For example, all passwords should be stored as salted hashes using SHA256 or SHA512.

OpenVAS (1)

Anonymous Coward | about a year ago | (#43282401)

Nessus is the big cheese with the big price but OpenVAS is the way to go. Do have a machine with plenty of power.

Hosting company (2)

schneidafunk (795759) | about a year ago | (#43282405)

If you have a decent hosting company, they'll do this for you. Mine will send out alerts if a popular CMS install has a known hole in it, and require people to upgrade the software.

Re:Hosting company (0)

Anonymous Coward | about a year ago | (#43282577)

HAHA. I left my hosting company because they did that! Annoying spam for those of us who know what we are doing!

Re:Hosting company (0)

Anonymous Coward | about a year ago | (#43283987)

If you have a decent hosting company, they won't do this because they assume you aren't a complete retard.

C'mon (1)

Anonymous Coward | about a year ago | (#43282409)

You have no idea what you're doing, you have no idea what you WANT to do, and you have no idea what you need to do in order to get the knowledge to do whatever that is.

Please, re-think your idea.

arachni / skipfish / burp proxy (0)

Anonymous Coward | about a year ago | (#43282427)

The last one is pay for, but I swear by it. I do penetration testing full-time.

Web vulnerability scanner list (3, Informative)

Anonymous Coward | about a year ago | (#43282453)

There are plenty of web vulnerability scanners that you could use, some requiring no experience (point and click), others requiring prior knowledge.

Security auditing is mostly about documentation (1)

Anonymous Coward | about a year ago | (#43282457)

Hate to tell you, but security auditing is mostly about documentation. Checking that the right documents are in place and have been updated, verifying office procedures, physical security, etc. Technical tests are mostly about checking for the status and presence of files or configurations, not about probing networks or white hat hacking. There is a valid business opportunity in pen testing, which is just one component of auditing, and is not even needed for every type of audit.

Re:Security auditing is mostly about documentation (4, Insightful)

jeffmeden (135043) | about a year ago | (#43282817)

Hate to tell you, but security auditing is mostly about documentation. Checking that the right documents are in place and have been updated, verifying office procedures, physical security, etc. Technical tests are mostly about checking for the status and presence of files or configurations, not about probing networks or white hat hacking. There is a valid business opportunity in pen testing, which is just one component of auditing, and is not even needed for every type of audit.

This. While it would seem logical to put a round of known vulnerabilities into a scanner (like a Virus Scanner works) in the real world this is extremely tricky. Vulnerabilities that come about from combinations of different packages and different configurations interacting are very hard to systematically detect, and even if you do detect them they are just one piece in the huge puzzle that is information security.

Case in point, I often get audit reports from "creditable" security professionals that there are a set of vulnerabilities in XYZ product, specific to "somesoft operating system 9.0", when in fact the product in question uses no such operating system (or even one similar to it) so the "audit" was obviously just a set of false-positives from a scanner tool. Scanner tools are just that, a TOOL, they are not even close to a true security solution that would produce a meaningful audit; that can only come (at least in this day and age) from a combination of tools and a *lot* of expertise.

Use standard software and keep it up to date (4, Insightful)

quinto2000 (211211) | about a year ago | (#43282477)

From the way you describe your goal, you are building mostly one-off websites. For small companies and the like? You'll be best off just using popular open source products like Drupal, WordPress, or ModX and keeping up to date with security updates. Many of these will automatically notify you of security updates and you can apply them right away. Don't try to host the websites on your own server either. Get a hosting product from a company that will keep the underlying OS, Apache, and PHP up to date and secure. This will reduce your exposure quite a bit. You still need to make sure to choose good passwords. Nessus or OpenVAS are also an option.

none (0)

Anonymous Coward | about a year ago | (#43282479)

Honestly, it's all so tough now.
Outside of obvious holes that can be made for skids (like outdated WordPress installs), it's all pretty in-depth fuzzing.
Anything useful to you will cost an arm and a leg. And then you will still need expertise to interpret it all.

Re:none (1)

6ULDV8 (226100) | about a year ago | (#43282701)

It is tough, but not impossible. SAINT, Nessus, OpenVAS, Nikto and others will generate a report with CVE info that points to articles providing some guidance.

Read ArsTechnica (2, Informative)

Anonymous Coward | about a year ago | (#43282483)

Two articles on Ars Technica recently covered booters (paid services to attack your sites using a large set of vectors) and password cracking for script kiddies.
Here they are:

That should give you a first hint...

OWASP (3, Informative)

Anonymous Coward | about a year ago | (#43282487)

Posting as AC because for some annoying reason Slashdot won't let me log in right now...

Cenzic Hailstorm (0)

Anonymous Coward | about a year ago | (#43282541)

Not really a free web service tool but it is a paid desktop app that will give you HARM scores and test your web applications against common vulnerabilities. Updates daily and will even suggest ways to fix your apps. We use it heavily at our organization.

You probably already took the test (2, Interesting)

Anonymous Coward | about a year ago | (#43282549)

Whether you wanted to or not, just by having a site, you've already asked the whole Internet to check it out. One way to find out if you've done things right is to look for evidence that you've done things wrong. And there's a little tip I learned...

Grep your logs for your table names.

If you have an injection hole, for example, then automated spiders have already found it and exploited it, and (so far) they don't obfuscate or even escape/character-encode their requests, so you'll plainly see their injected queries in your logs.

Preferably, look for site-unique table names, so that you'll know they could have only gotten the name by successfully querying the schema. You're going to see lots of scary-looking things in your logs, but some of those are just unsuccessful attempts. A unique table name (hint: use table names with the word "user" or "password" in them) will be a dead giveaway they succeeded.

Don't ask me how I know what that looks like. Hey, it wasn't my fault. Mostly. Ok, partly but mostly not. Look, it's complicated, and involves an inherited legacy, OKAY?! Everybody just back off. ;-)

Anyway, when you see that, then it means you screwed up, so you'll learn something and know you need to fix something. If you don't see it .. sadly, you won't really know much more than you did before.
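The log check described in the post above, as an added example that is not part of the original comment: it parses combined-format access logs, URL-decodes each request (repeatedly, so double-encoded payloads are seen in the clear), and reports every request that names one of the site's own tables. The table names and the log lines are constructed for the example; a real run would use the site's own schema.

```python
"""Scan web-server access logs for site-unique table names.  Added example;
the table names and log lines below are constructed, not real traffic."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Minimal parser for the Apache/nginx "combined" format: client IP, timestamp,
# request line, status, response size.  Constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Site-unique table names (assumed values).  Prefer names no stock CMS uses,
# so a hit cannot be a blind guess: the name had to come from the schema.
TABLE_NAMES = ["hobbysite_user_accounts", "hobbysite_password_resets"]


def decode_request(path: str) -> str:
    """Undo percent- and plus-encoding until the string stops changing, so a
    double-encoded payload (%2527 -> %27 -> ') is matched in the clear."""
    prev, cur = None, path
    while prev != cur:
        prev, cur = cur, unquote_plus(cur)
    return cur


def find_table_name_hits(log_lines, table_names=TABLE_NAMES):
    """Return one tuple per request whose decoded URL mentions a site-unique
    table name: (client_ip, table_name, http_status, decoded_path)."""
    hits = []
    patterns = {t: re.compile(re.escape(t), re.IGNORECASE) for t in table_names}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real run would count these separately
        decoded = decode_request(m.group("path"))
        for name, pat in patterns.items():
            if pat.search(decoded):
                hits.append((m.group("ip"), name, int(m.group("status")), decoded))
    return hits


def summarize(hits):
    """Count hits per client IP and pull out the HTTP 200 ones: a table-name
    request that the server answered successfully is the 'dead giveaway'."""
    per_ip = Counter(ip for ip, *_ in hits)
    confirmed = [h for h in hits if h[2] == 200]
    return per_ip, confirmed


# Constructed sample log.  Line 1 is ordinary traffic; line 2 is a noisy but
# failed probe with no table name; line 3 names a unique table in plain text;
# line 4 names one behind double URL-encoding and mixed case.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2013:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123',
    '198.51.100.9 - - [10/Mar/2013:12:00:02 +0000] "GET /index.php?id=1%27%20OR%201=1-- HTTP/1.1" 500 311',
    '198.51.100.9 - - [10/Mar/2013:12:00:04 +0000] "GET /index.php?id=1%20UNION%20SELECT%20login,pw%20FROM%20hobbysite_user_accounts-- HTTP/1.1" 200 8890',
    '192.0.2.44 - - [10/Mar/2013:12:01:10 +0000] "POST /search.php?q=%2527%2520UNION%2520SELECT%2520token%2520FROM%2520HobbySite_Password_Resets HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    hits = find_table_name_hits(SAMPLE_LOG)
    per_ip, confirmed = summarize(hits)
    for ip, name, status, path in hits:
        print(f"{ip} -> {name} (HTTP {status}): {path}")
    print("table-name requests per IP:", dict(per_ip))
    print("confirmed (HTTP 200) hits:", len(confirmed))
```

Only the two requests that name a real table are reported; the generic `OR 1=1` probe on line 2 is ignored, which is the point of keying on your own table names rather than on generic injection syntax.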

You need to sit down and read a bit (1)

whitroth (9367) | about a year ago | (#43282571)

And I gather you (the OP) are getting worried; the problem is that you're not paranoid enough.

Do you, for example, validate your code using the HTML validator from w3c?

You also need to learn to run tools. I mean, online website tools are nice... as long as you're *SURE* that they've not been hacked, nor are they actually crackers trying to lure you in.

Determining what tools to use is another issue: are you writing for Windows or *nix? There are a lot more free tools on the latter, but you will have to learn more. For example, there are older, free versions of Nessus.

Get yourself a good book, maybe from the publisher O'Reilly, on security.

mark "not even getting a kickback from O'Reilly for the plug"

Backtrack (0)

Anonymous Coward | about a year ago | (#43282595)

One of the best places to start (IF you're a Linux user; yes, I know, a stupid statement for someone using Slashdot) is with BackTrack. It has almost all of the tools a security professional could need for normal pen testing. They have even released a new version, Kali Linux, that makes it even easier to use.

I run it on my test linux laptop for the exact purpose of analysis, pen testing, and sometimes malware disassembly.

Be careful! (0)

Anonymous Coward | about a year ago | (#43282599)

Some web hosting companies will not take kindly to you pounding away at their servers, even if you are only hitting your site. Similarly, some ISPs will also not appreciate "malicious" traffic from your computer to a webhost.

Go check out (2)

xanthos (73578) | about a year ago | (#43282603)

... has a comprehensive list of tools with explanations of what each one does. Look at the web tools and the vulnerability scanners and you will find something you feel comfortable using. Most of the other tools mentioned so far can be found there. Also, the Open Web Application Security Project has some good information on secure app development.

good luck.

Be different (2)

holophrastic (221104) | about a year ago | (#43282675)

If yours isn't a mass-market, mass-profit, hugely-popular site, you don't need to secure it. You just need to be different enough that the standard chinese attack vectors looking for standard run-of-the-mill popular web-site building packages don't find any.

Trust me, no one's going to your tiny site and trying to find the holes -- no matter how big they are.

We secure bank vaults with big heavy locks. Your house with a tiny mediocre lock. Your car door with a tinier, very crappy lock. Your car trunk with a downright shitty lock.

Just be different. It'll get you through the 99% that you care about.

Re:Be different (1)

Anonymous Coward | about a year ago | (#43282843)

That's silly... small unsecured servers are targeted because they are easy prey and can relay spam. Just because you don't have valuable customer data to exploit does not take you off the target list.

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43283191)

No one's going to find this small unsecured server, and figure out how to hack some mystery unknown customer software. It's just not worth the trouble.

Re:Be different (0)

Anonymous Coward | about a year ago | (#43284007)

No but probes for standard shitty PHP apps which allow you to upload "pictures" with name *.php and then execute them or have SQL injection vulns or whatever will happen. And you'll get owned if you're running them.

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43284305)

Read harder. I said "different". You said "standard". Different is the opposite of standard. And that was my entire point, advice, recommendation, and successful strategy for the last twenty years of my business.

Re:Be different (1)

achbed (97139) | about a year ago | (#43284371)

China and Russia thank you for your small unsecured server that is now a full-blown botnet C&C server. Hope your customer doesn't mind their unknown software going slow.

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43284581)

Umm, wrong-o. I've been in business for twenty years. Over the course of two decades, my servers have been down due to security-related attacks for six hours spread out over the two decades. You'll find that to be a very successful result across the industry. I profit, my clients profit.

It's worked and is working for me.

How's your business doing?

Re:Be different (1)

Anonymous Coward | about a year ago | (#43283031)

The bots don't care how popular your site is. All they want is an exploitable vulnerability on a host with reasonable bandwidth. You'll be scanned within minutes of going online. And exploited minutes later if you have a common vulnerability.

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43283217)

I think you missed my entire statement. Which is odd, because it was in both the title and the body.

Different != Common. Make a note.

Re:Be different (0)

Anonymous Coward | about a year ago | (#43283539)

Different != Secure.

Different != Invulnerable.

Different != Non-exploitable.

Honestly, no one is worried about the 99% of vulnerabilities that are not on their hosts. We're worried about the 1% that are. They will be found, and they will be exploited. And it will be done by an automated tool.

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43283731)

Correct on all three. But you've missed two:

Different != worth exploiting compared to the myriad others

Secure != non-exploitable, Ethan Hunt can break into anything

Secure != free, cost-effective, profitable, nor worth doing most of the time.

I gave you that last one free of charge. Most people forget that secure has a cost, often greater than repairing the hack, or even just tolerating the hack. Ooh, someone changed my home page. Watch me change it back. For most businesses, that's not a problem worth avoiding. It's a $10/year problem, and you're suggesting a $100/year prevention.

You're putting security above actual profit and features and development and business and customers and time and recreation and family and friends and fun. That's a very big opportunity cost and monetary cost for a web-site that isn't mission-critical.

Re:Be different (0)

Anonymous Coward | about a year ago | (#43283841)

How do you sleep at night, as a proponent of security by obscurity?

Re:Be different (0)

Anonymous Coward | about a year ago | (#43283985)

He trolls Slashdot until he gets sleepy.

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43284199)

Hmm, trolling. I used my name; you didn't. My post was modded up, yours was modded down to zero -- as was the post to which you replied. Hmm, trolling.

Re:Be different (2)

holophrastic (221104) | about a year ago | (#43284159)

I'm not a proponent of security by obscurity. I'm a proponent of not ignoring something that works. So as a result, obscurity is a useful tool, alongside other tools, when it comes to security.

So I start like so.

First, Ethan Hunt can break into anything. So no matter what I do, I won't be secure.

Second, there's an amount of security that costs more for me to implement than the money I'd lose from the attacks. So that's my upper bound.

Third, there's an amount of attack that costs me a significant amount of money -- clients leaving and data lost and all that. So that's my lower bound.

Somewhere in between the upper bound and the lower bound is a balanced target for my security efforts that keeps things profitable for me and for my clients.

Anything that brings me to that balanced target is the perfect solution. Doesn't matter what techniques those are. It's the result that matters.

I start with obscurity, because it's often the easiest to implement in my world -- I build on in-house proprietary platforms that I've built myself over the years.

Then I check the results. Sometimes, often in my world, the obscurity has already brought me to my balanced security target. Meaning that any more effort would be a waste of money for everyone. So I stop there.

I've been doing this for twenty years. I have about six hours of security-related down-time across those twenty years. That's wonderful. No one's got a significantly better record than that (outside of some life-safety infrastructure, and certainly not all of them).

So that's how I sleep at night. I look at the time and money that I spent, and I look at my very successful results.

My question to you is thusly: how do you sleep at night, as someone who secures something that just happens to never be attacked? Isn't that like locking the door on the only house for 100 miles? If no one's attacking you, why would you wear plate armour walking down the street?

It's exactly like wearing a helmet to school. Yeah, it would protect you if you were to bang your head into the wall. But if you don't tend to bang your head into walls, it's kind of pointless.

Re:Be different (1)

achbed (97139) | about a year ago | (#43284455)

If that unimportant unsecured box has any value to you at all, I would suggest a test. If it's running a variant of UNIX, get and install iptables and csf/lfd. Let it run for a day (or a week, even better). See how many logins and hack attempts it registers. If the answer is none, then you win. Otherwise, you are under attack and didn't know better.

I run what would be considered an unimportant out of the way box myself. In fact, I've gotten scans and login attempts from all over the planet. This is for boxes that are in a hosting farm and for my home machine (no DynDNS or anything there).

If you have a device on the open internet, it's getting probed. Guaranteed. And if it's probed, and can be owned, it is. In fact, most professional and/or state-sponsored groups have toolsets that are set to scan/hack/add to botnet in one step, and they're let loose on multiple subnets to gather as big an army as possible (and I use the word Army intentionally).
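The "see how many login attempts it registers" test from the post above, as an added example that is not part of the original comment: it tallies OpenSSH failures per source address from an auth log and separates wide username-guessing probes from the case that needs a response right away, a password login accepted after a run of failures from the same address. The log lines and the threshold are constructed for the example; csf/lfd and fail2ban do this (and block) for you, this only shows what the raw log already says.

```python
"""Tally SSH login attempts per source from an auth log.  Added example; the
log lines and the threshold below are constructed, not from a real host."""
import re
from collections import defaultdict

# OpenSSH lines as syslog writes them to auth.log / secure.  Both regexes are
# constructed for this example and cover the two common shapes only.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def tally_ssh_logins(lines):
    """Per client IP: number of failed password attempts, the set of usernames
    tried, and any accepted logins as (user, auth method)."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            s = stats[m.group("ip")]
            s["failed"] += 1
            s["users"].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            stats[m.group("ip")]["accepted"].append((m.group("user"), m.group("method")))
    return dict(stats)


def classify(stats, fail_threshold=5):
    """Label each source.  'brute-forced' is the one to act on now: a password
    login accepted after a run of failures from the same address.  'probe' is
    the background scanning the comment describes.  The threshold is an
    arbitrary example value in the range lfd-style tools use."""
    labels = {}
    for ip, s in stats.items():
        pw_success = any(method == "password" for _, method in s["accepted"])
        if s["failed"] >= fail_threshold and pw_success:
            labels[ip] = "brute-forced"
        elif s["failed"] >= fail_threshold:
            labels[ip] = "probe"
        else:
            labels[ip] = "noise"
    return labels


# Constructed sample auth log.  198.51.100.23 walks through common usernames;
# 203.0.113.5 is a legitimate user who mistyped once and then used a key;
# 192.0.2.77 hammers root and eventually gets in with a password.
SAMPLE_AUTH_LOG = [
    "Mar 10 03:12:01 web1 sshd[2301]: Failed password for invalid user admin from 198.51.100.23 port 41222 ssh2",
    "Mar 10 03:12:03 web1 sshd[2301]: Failed password for invalid user oracle from 198.51.100.23 port 41230 ssh2",
    "Mar 10 03:12:05 web1 sshd[2305]: Failed password for root from 198.51.100.23 port 41244 ssh2",
    "Mar 10 03:12:07 web1 sshd[2307]: Failed password for invalid user test from 198.51.100.23 port 41250 ssh2",
    "Mar 10 03:12:09 web1 sshd[2309]: Failed password for root from 198.51.100.23 port 41266 ssh2",
    "Mar 10 03:12:11 web1 sshd[2311]: Failed password for invalid user pi from 198.51.100.23 port 41270 ssh2",
    "Mar 10 08:30:00 web1 sshd[2400]: Failed password for alice from 203.0.113.5 port 50100 ssh2",
    "Mar 10 08:30:07 web1 sshd[2400]: Accepted publickey for alice from 203.0.113.5 port 50100 ssh2",
    "Mar 10 09:00:00 web1 sshd[2450]: Failed password for root from 192.0.2.77 port 3333 ssh2",
    "Mar 10 09:00:01 web1 sshd[2450]: Failed password for root from 192.0.2.77 port 3333 ssh2",
    "Mar 10 09:00:03 web1 sshd[2450]: Failed password for root from 192.0.2.77 port 3333 ssh2",
    "Mar 10 09:00:05 web1 sshd[2450]: Failed password for root from 192.0.2.77 port 3333 ssh2",
    "Mar 10 09:00:06 web1 sshd[2450]: Failed password for root from 192.0.2.77 port 3333 ssh2",
    "Mar 10 09:00:09 web1 sshd[2452]: Accepted password for root from 192.0.2.77 port 3340 ssh2",
]

if __name__ == "__main__":
    stats = tally_ssh_logins(SAMPLE_AUTH_LOG)
    for ip, label in classify(stats).items():
        s = stats[ip]
        print(f"{ip:16} {label:13} failed={s['failed']} users={sorted(s['users'])} accepted={s['accepted']}")
```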

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43284651)

All the time my friend. Thousands each and every day. I can't even begin to count the number of dumb ones to /phpmyadmin.

But being different means that there's simply nothing there to attack. All standard things just don't show up. So I get probed, and not attacked.

Sure, it costs me loads of bandwidth, and my logs are a disgusting mess. And sometimes the number of connections alone causes a problem -- which is a part of those six hours -- so I get to block one ip, or change a port, mid-attack. That happens once or twice a year, and it takes a few minutes to notice and block. We call that down-time, and it's totally acceptable to all of my clients.

Always remember, we're not trying to be invulnerable. We're trying to spend less money on security than we would lose from the attack.

Re:Be different (1)

Zaelath (2588189) | about a year ago | (#43286347)

If it was a good attack, you didn't even know you were pwned.

I've seen good attacks... and the only reason they were noticed at all is because they had layered security, some small file changes weren't covered up, and someone with time on their hands was reading the reports. The client response was to ask to stop reading the reports, because it was more expensive to respond to the attack, which caused other people a loss, than to ignore it.

So any time I see a jackass suggesting security isn't something you need to worry about too much, and is "hosting" other people's data, I tend to smirk to myself and be glad they're not hosting mine.

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43286591)

But, that's exactly the point. If I don't notice it, then it didn't hurt me. Why would I spend one penny or one minute trying to respond to something that has zero impact on me?

Re:Be different (1)

Zaelath (2588189) | about a year ago | (#43286825)

Because by that logic, you're OK with me drugging you in your sleep, sitting around in your living room watching the TV and watching your kids sleep, then leaving before you wake up.

And to extend the analogy to the "damage to others", I send your kids a video after your death of their toothbrushes being used to polish your anus.

Yes it's a stupid analogy, but yours is a stupid argument.

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43286895)

I won't let you cross the line between the safety and security of my life, and that of my business.

My life is my own, for my own pleasure and desires.

My business isn't for anything but profit. You improve my life by safe-guarding my sleep and my couch. You cost me profits when you add security efforts to my business. The sole purpose of my business is for me to profit. Taking that away isn't improving the business, it isn't even limiting the business; it's completely eliminating the purpose of the business in the first place.

If you drug me in my sleep, you remove my ability to escape from a fire, protect my property or my family.

If you infest my web server, and use it for your own purposes, without affecting my business, then you simply have me paying for your benefit. I don't want to do so, but it's business -- stopping you costs money. If that's unused capacity, then stopping you costs more than leaving you be.

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43284177)

And you might want to put your name next to your argument. Otherwise, you aren't exactly showing much confidence in your statement.

Re:Be different (0)

Anonymous Coward | about a year ago | (#43283141)

Because you've got small sites is a very REASON to be targeted! you're easy pickings in hacker world, and can become a bot serving up all kinds of delicious malware without even knowing it. smaller targets typically have less defenses & less auditing in place; a perfect storm to attract cybercriminals

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43283331)

First of all, go back to grade six english and learn subject-verb agreement. "fewer defenses" or "less defence". Never "less defenses". The plural "defenses" is a declaration of quanta, not amount.

Second, and something I've said to others: Different != typical. Different means that a hacker would need to find you specifically, look at you specifically, and craft a hack specifically. It's very easy for them to do, and is not something that they will do.

Re:Be different (0)

Anonymous Coward | about a year ago | (#43283795)

Wow you are giving out dangerous and retarded advice.

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43284059)

Hey, it's worked for me. It's worked for me for two decades now. It works for my clients too -- also for two decades. We're all happy. We're all making money. We're all not worried. And over the course of the last twenty years, my servers have been what we'll all call non-responsive to client requests due to hackers for a total of six hours spread out over 15 separate occasions. That basically works out to once a year it takes thirty minutes to block the attack.

Thirty minutes of down-time, once per year, due to outside hacking (usually China attacking, by the way), may or may not be acceptable in your head. But to all of my clients, it's not worth spending more than $10 to avoid. So unless you can improve security in five minutes, no one cares. What's more, thirty minutes of down-time per year is well within the SLA of anything. Think about it. 99.999% uptime still works out to over 8 hours of down-time per year. How many nines are you expecting?

Even mission-critical sites are down more than that. Even google's down more than that. The only things that aren't are real safety-related infrastructure, and most of those are also down more than that. Even electricity in government buildings is down more than that.

You're trying to 100% solve a problem on principle that simply isn't a problem for anyone in practice.

Like I said, it's worked for me for more than two decades now. Live your own life.

And, oh yeah, put your name alongside your arguments, or you aren't worth spit.

Re:Be different (0)

Anonymous Coward | about a year ago | (#43284001)

To be fair, the real reason your house and car have locks which are inferior to a bank vault's locks is that your car and house have windows which are easy to break.

I should also point out that the locks on your car are actually much harder to pick than the locks on your car. Watch a professional locksmith open doors; they will pick the lock on your front door (or bump it if they don't care about damaging it), but they will almost certainly use a lock bypass technique to get into your car.

Re:Be different (1)

holophrastic (221104) | about a year ago | (#43284283)

Actually, I was thinking the same thing, but the car door can be broken into without accessing the locking mechanism at all -- like when you call for help having locked your keys in your car. They don't pick the lock, they simply pry the door or window.

But yeah, it all comes down to making one link in the chain stronger than the others -- does you no good. The same is true on the web-sites. Unless you're going to secure each and every possible attack vector -- and keep on top of that as new ones appear -- then that type of security isn't going to be successful.

It's worth noting that biological immune systems work by being different across a species. It's also worth noting that the vast majority of animals create safety by hiding. And the majority of those hide by obscuring themselves in a large group of comrades.

Obscurity doesn't work against targeted attacks. It does work against wide-spread attacks. And we all know that the only way to be secure against targeted attacks is to either be better at security than your attacker (which is incredibly expensive in every way, think military power) or to not be worth attacking (which is why we have laws, by the way).

And come on. If you're going to discuss something with someone, put your name to your argument.

Kali Linux (5, Informative)

Jane Q. Public (1010737) | about a year ago | (#43282693)

This suite of tools used to go under the name of "BackTrack", most recently BackTrack 5. It has now been named Kali Linux.

This is a full-blown Linux distro with all the security tools you are ever likely to need. Metasploit? It's there. Nessus? It's there. The actual list of tools is huge.

Kali won't teach you everything about using the tools (though there are good instructions available online). But it does offer all you could want in one package.

Re:Kali Linux (1)

geminidomino (614729) | about a year ago | (#43282871)

I didn't know BT was renamed. I thought it had just petered out. Thanks for that.

I thought it was more of a forensic distro, though.

Re:Kali Linux (1)

Jane Q. Public (1010737) | about a year ago | (#43282931)

Some of the tools can be used for forensics. But it has a large number of penetration testing tools for doing security audits. The largest and best collection I know about. Of free and open source tools, anyway.

Re:Kali Linux (1)

muridae (966931) | about a year ago | (#43284179)

If you want to do it yourself, yes, this is the way to go about it. The OP is an idiot to think that any site on the internet that "asks permission before hacking your site, just give us the URL or code" is not going to turn around and sell that information afterwards. Either hire professionals, or DIY.

I keep a copy of BT 5 (I hadn't seen the move to Kali Linux) in a virtual machine. Not the fastest scanner out there, but a small networked box in my house gets the same copy of code installed on it as my webserver has (I know what they run because I asked nicely). Then, I beat the hell out of it and my own code. If my code gives out first, that gets fixed (PHP scanners, SQLi scanners, etc.). If my code stands up, then I start scanning the server code. Metasploit, Nmap, anything else that might show where a hole is located. If it turns out to be the server code, I make damn sure it's not my configuration of my local server before contacting the hosting company and asking them. So far, all of them have been my config files and not theirs.

I'm sorry. (0)

Anonymous Coward | about a year ago | (#43282705)

When it comes to security, take the time to learn the trade or don't do it yourself. Technical controls (like firewalls and intrusion prevention) and configuration (at the server or app level) are only part of security. Unless you know enough to think like an attacker, you can't adequately protect yourself.

Brute-force password crackers and the websites that evaluate passwords are a joke. It will take you X trillion years to crack your password? False. It will take someone with access to rainbow tables a short amount of time to create a password that hashes to the same as yours. Done. Or a "police officer" showing up with a warrant that demands access to your server. Or that a secretary turn over theirs. Someone physically (or wirelessly) connecting to the network bypasses firewall/intrusion detection completely (for most implementations anyway). Security appliance and operating system zero-days don't give you much of a fighting chance either. Common VPN clients from well-known companies in the industry allow for credential gathering via MITM, for both IPSec and SSL VPNs. If you don't know about the methods that an attacker can use to attack you, how can you even begin to protect yourself?

Security is putting all of the technical controls in place to keep out intruders, and then realizing that you're going to get hacked anyway. It's impossible to avoid it, so realize that you can only make it less likely. Then put in controls to detect when you've been hacked. Are traffic patterns different than normal? Is there a flood of encrypted traffic going to a China IP address? Controls should detect that and tell you when something's up. Then there's the policies; define what is and is not allowed, and by whom. Is data backed up? How often? Are the backups readily available? Were controls able to gather enough data so that the source of a breach can be identified, because bringing a compromised system back on-line without identifying and fixing the method of compromise isn't going to do you much good. Follow that up with procedures to make sure that policies and best-practices are enforced. A seemingly simple firewall change could have drastic implications, like allowing all ICMP through a firewall to get pings or traceroutes working. It doesn't really matter if Person A configures a firewall correctly and avoids some of the more common pitfalls if Person B comes along and doesn't do something correctly.

Seriously though, either get yourself a good security guy or prepare to dive in. Security is like surgery, you probably don't want to experiment on yourself or learn as you go.

VPN (0)

Anonymous Coward | about a year ago | (#43283197)

Common VPN clients from well-known companies in the industry allow for credential gathering via MITM, for both IPSec and SSL VPNs.

Can you elaborate on this? A friend is looking for a VPN solution & is asking me for advice!

Re:VPN (0)

Anonymous Coward | about a year ago | (#43285895)

IPSec has no inherent way of passing user authentication, so most VPN clients "bolt it on" between IKE phase 1 and phase 2. However, unlike the phase 2 negotiation, the user credential exchange is not protected by the IKE phase 1 tunnel. IPSec is pretty secure, but proprietary negotiations are easier to attack. Taking Cisco's IPSec VPN Client as an example, the username authentication exchange (Xauth) is encrypted using the group name and password. However, the group name and password must be present on each client for that to occur (in this case, the .PCF file). So, the passwords are stored in the .PCF file, which can be opened by any user, since it's a text file. Cisco stores it encrypted in the .PCF file, but obviously the client must have the key to unencrypt the passwords to establish the tunnel. As it turns out, the encryption key is actually the first 8 octets of the key as it's stored in the PCF file. The remaining octets represent the actual passwords that need to be decrypted via 3DES using the key. This means that the information is easily recoverable. More importantly, once someone knows the group name and password, they can decrypt any user authentication for everyone. A full MITM is pretty easy too, since VPN clients trust that only the VPN server would know the group name and password...

SSL VPNs are usually insecure for a very different reason. Most VPN appliances generate a key (and sometimes certificate) on each boot. The problem is that when a device is booting, it has very little entropy, so its random number generator isn't very random. The keys turn out to be pretty darned predictable... Anyone that can predict the key can essentially decode the VPN negotiation and grab the symmetric session keys. After that, the VPN tunnel is basically clear text. The problem extends to permanently generated keys and certificates, especially when the gear is staged before deployment. Because the devices aren't passing traffic (a good source of entropy), the generated keys aren't very strong. There's a good reason that TrueCrypt requests that you move your mouse around for a while in the window before creating an encrypted volume!

Of course, either VPN type can be made secure, once the attack vectors are known. The problem is that unless the implementing technician thinks like an attacker, the implementations won't be secure. It's actually pretty tough to accidentally configure a secure VPN. And to think like an attacker requires a deep knowledge of how things work, to know which points are most exploitable. Security is something that's very easy to get wrong, and in my experience, very common too. Anyway, hopefully that information helped satisfy your curiosity a bit.

You may want to check out... (0)

Anonymous Coward | about a year ago | (#43282751)

...an open source software scanner like OpenVAS (make sure conditions for your applications are covered), or a paid scanning service for small business like nCircle Purecloud.

Disclaimer: I'm affiliated with nCircle, but don't mind recommending a solid product for your situation.

Some good tools for you... (0)

Anonymous Coward | about a year ago | (#43282759)

Give these Linux distributions a try.
These are designed for pen testing and vulnerability scanning/analysis.

I do quite a lot of testing and assessment work for my company as well as use/sell security and network equipment.
We use these extensively along with several others so I can speak from some experience.


Anonymous Coward | about a year ago | (#43282769)

Try the OWASP website: They have a lot of free tools for doing security testing of websites.

Consider an easy to use commercial webapp scanner (1)

pjtpj (713540) | about a year ago | (#43282923)

Check out []. It is not free, but it covers common web applications, and it is very easy to use. Disclaimer: I work for nCircle.

the frugal way (0)

Anonymous Coward | about a year ago | (#43283075)

Do a Google search for hacker forums, perhaps even that one from a week or so back about those kids installing/activating remote control software [], although you're looking for someone with different skills and goals, so maybe a different hacker forum related to website hacking.

Register an account, with your real website added to your signature, and stir up the hornet's nest! How you do this is up to you; you can go the direct route and ask them to try. You can ask silly annoying questions that make you seem like an idiot and easy target, or just go outright trolling people and being a real jerk, but the key here is to get noticed.

Alternatively, just go to 4chan and try to start a crusade against yourself*. Make up a story about what a piece of crap you are, and make sure to mention hatred for cats.

If you do it correctly the port scans, SQL queries, and DDOSes should happen quickly. Free of charge.

*Not responsible for SWATs, pizza deliveries, photoshops, and real life repercussions that may occur. Use at your own risk.

Good enough for Government... (0)

Anonymous Coward | about a year ago | (#43283117)

Check out the "Security Technical Implementation Guides" (STIGs) put out by DISA at: []

and the "Security Configuration Guides" put out by the NSA at: []

While following them fully is probably overkill for you, they have a lot of good information on hardening systems and applications.

Sorry, no (1)

gweihir (88907) | about a year ago | (#43283179)

The only thing tools can tell you is whether another person running the same tool could get in. For anything else they are pretty worthless. Also, the FBI/CIA does not have a clue about IT security. If you must name a TLA, make it at least the NSA.

Use SDHC memory in a card reader-writer, set lock (2)

Jameson Burt (33679) | about a year ago | (#43283253)

No matter what an intruder tries, if you put your operating system on read-only media, intrusion becomes limited. Of course, installation and changes become more difficult because you must reboot with your media set to read-write, then reboot again to read-only. SDHC memory works well for this, since it has a read-write switch like the old floppy drives. Put the memory in a USB "card reader" for SD (microSD doesn't appear to have a read-write switch). You can insert the SDHC in something that looks like a flash drive, then insert the whole in a USB slot.

Or, you can use something like the Adonics eSATA/USB Digidrive to connect to your computer's eSATA port (if you have such a port on the back of your computer), which is probably more efficient (fewer waits) than a USB 3.0 connection.

In Linux, you might choose to put most of your operating system on SDHC switched to read-only, then put a variable area on a regular disk drive for logs, although you can put logs into a memory area that disappears on reboot. Or you might put your webpages on a separate SDHC, so your webpages get no intrusion changes. You could then unmount your webpage SDHC, switch to read-write, make changes, unmount, switch to read-only.

In Debian Linux, the foundation for most Linuxes (e.g., Ubuntu), you can look at the "Securing Debian Manual". Debian has a highly tailored AIDE (like Tripwire) that uses checksums to detect any file changes. In Debian, "dar" Disk Archiver (like tar) makes backups on external disk drives, but dar probably requires some tailoring (I use dar). For a firewall, you could use Debian's easily used Guarddog. In some sense, Debian is the administrator's operating system -- for the serious.
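The checksum idea behind AIDE and Tripwire, written out as an added example (this is not code from the comment or from either tool): hash a clean tree into a baseline, rehash later, and report what moved. The web root, its files and the tampering scenario in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile

# Added example of the AIDE/Tripwire idea the comment mentions: hash every
# regular file under a tree into a baseline, later rehash and report what
# changed. It ignores ownership, permissions and inode data, which the real
# tools also track; the baseline itself should live on read-only media, or
# an intruder can simply rewrite it to match the altered files.

def sha256_file(path, chunk=65536):
    """Hex SHA-256 of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file (path relative to root, '/'-separated) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline

def compare(baseline, current):
    """Report files added, removed or modified between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: a small web root, then a page is altered,
    a file is dropped in and a stylesheet disappears."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>hobby site</h1>")
        with open(os.path.join(root, "css", "site.css"), "w") as f:
            f.write("body { margin: 0 }")
        baseline = build_baseline(root)            # taken while still clean
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>changed</h1>")            # modified
        with open(os.path.join(root, "extra.php"), "w") as f:
            f.write("<?php ?>")                    # added
        os.remove(os.path.join(root, "css", "site.css"))  # removed
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```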

Re:Use SDHC memory in a card reader-writer, set lo (1)

Carnildo (712617) | about a year ago | (#43286117)

The SDHC read-write tab? It's more like a vague suggestion than a lock. I've yet to find a card reader that will actually refuse to write to a "write-protected" card.

Don't forget to test your FTP (or SFTP) access... (1)

xxxJonBoyxxx (565205) | about a year ago | (#43283451)

You can use this free scanner to test your FTP or SFTP access. []

Set this utility up with about four garbage usernames, then your actual admin credentials in the username list, and put four junk passwords before your admin password in the password list. Then run the utility with one-second intervals. If your FTP server (or SFTP service) is set up well, your IP (and possibly your username) should be locked out before the utility gets to your legit credentials on its 25th try. (In other words, if the utility can sign on as you, your FTP or SFTP service could use some additional security.)
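The lockout decision that test is probing, as an added example that is not part of the comment or of the scanner it links: a fail2ban-style failure counter replayed against the same five-by-five username/password grid at one-second intervals, so you can see at which attempt a well-configured service should cut the tester off. The threshold of five failures per 60 seconds, the usernames, passwords and source address are assumed values constructed for the example.

```python
from collections import defaultdict, deque

# Added example, not from the original comment or from any named tool: a
# fail2ban-style lockout decision replayed against the exact test pattern
# the comment describes, to show where a well-configured FTP/SFTP service
# should cut the tester off. Threshold, window and addresses are assumed.

class LockoutTracker:
    """Lock a source IP after too many failed logins inside a time window."""

    def __init__(self, max_failures=5, window_seconds=60):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_at = {}                 # ip -> time the lock was applied

    def record(self, ip, credentials_ok, now):
        """Return 'locked', 'ok' or 'fail' for one login attempt at time `now`."""
        if ip in self.locked_at:
            return "locked"          # valid credentials do not help once locked
        if credentials_ok:
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()         # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_at[ip] = now  # this toy never expires the lock
            return "locked"
        return "fail"


def simulate_tester(max_failures=5, interval=1.0):
    """Replay the comment's scenario: four junk usernames before the real one,
    four junk passwords before the real one, one attempt per second, so the
    real pair is the 25th try. Returns (attempt that triggered the lock or
    None, whether the real credentials were ever accepted)."""
    users = ["junk1", "junk2", "junk3", "junk4", "admin"]      # constructed
    passwords = ["x1", "x2", "x3", "x4", "real-admin-pw"]      # constructed
    tracker = LockoutTracker(max_failures=max_failures)
    ip = "203.0.113.7"                                         # RFC 5737 test address
    lock_at, legit_accepted, attempt = None, False, 0
    for user in users:
        for pw in passwords:
            attempt += 1
            ok = user == "admin" and pw == "real-admin-pw"
            status = tracker.record(ip, ok, now=attempt * interval)
            if status == "locked" and lock_at is None:
                lock_at = attempt
            if ok and status == "ok":
                legit_accepted = True
    return lock_at, legit_accepted


if __name__ == "__main__":
    print("with lockout:", simulate_tester())               # (5, False)
    print("no lockout:", simulate_tester(max_failures=100))  # (None, True)
```

A service that reports `(None, True)` here is the "could use some additional security" case the comment describes: the real credentials were accepted on the 25th try because nothing ever locked the source.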

Some other things to think about (1)

bobstreo (1320787) | about a year ago | (#43283517)

You may want to see if any of your local colleges have computer security tracks. You may be able to do an internship, or someone may be available to just do it for experience. YMMV.

While you are doing these scans, please note, you may clog up your pipes to the Internet. If you are using hosted services

There are many sites with CVE information, Secunia is ok, search for applications you care about. []

Be careful scanning log files, at least sanitize them before you read them.

You should probably know what ports should be open on which systems.

A spreadsheet of systems/applications/versions of SW OS... would be a good start.

Look for ports that are open, or listening, that shouldn't be...

CloudFlare + Nessus Home Version + Hardened SSH (2)

Midnight_Falcon (2432802) | about a year ago | (#43283857)

I'd recommend you proxy your web site through CloudFlare by having them handle your DNS. You can read more about them at their web site; I'm not affiliated with them in any way. They offer a free proxy service that acts as a web application firewall and will do a good job at blocking hack attempts.

From there, you should restrict your webserver's firewall to only allow traffic from CloudFlare's known IPs, so people cannot directly hit your webserver.

If Linux, install fail2ban on the SSH daemon + require SSH-key based access (no passwords!)

Finally, get a copy of the home version of Nessus from Tenable and use that to scan your server. Its interface is relatively easy to use, and if you hit your webserver IPs every couple of months with this, in addition to using CloudFlare and hardening your SSH daemon, you should be in good shape and not have to worry about silly hacks.

Acunetix (1)

exodus2287 (2673591) | about a year ago | (#43283891)

I'd venture Acunetix from []; it does a decent job.

skipfish (0)

Anonymous Coward | about a year ago | (#43284397)

Learn the problems, then tools help (1)

Tool Man (9826) | about a year ago | (#43284461)

If you don't understand the application-layer issues which might be present in your programs, then you won't necessarily understand what the tools (whichever) are trying to tell you. Read and learn, grasshopper. You can get a ton of info from OWASP for free, including some issue-specific "cheat sheet" pages. Next, buy the Web Application Hacker's Handbook. Really, do it now, or at least after you've read the OWASP stuff. It's in dead-tree and e-book versions, now second edition.

Tool-wise, download the freebie version of Burp Suite. It doesn't have the scanner portion, but you can proxy all your traffic through it, and see what happens when you twiddle all the things that might be twiddled. Buy the pro version (few hundred bucks/year) when you're ready for the other features. By then, you'll know why you want them. The author is Dafydd Stuttard, one of the WAHH book authors. Great support, helpful and responsive.

Oh, and the suggestions for Nessus, OpenVAS and Backtrack/Kali aren't bad, they're good tools. Mostly for the infrastructure-level things such as the operating system and known services which are exposed, though this does include your web server. They mostly won't tell you much about your one-off apps though.

Stick to the Basics (0)

Anonymous Coward | about a year ago | (#43284475)

Your intent is clear as mud.... "You'll never get the knowledge, so what tools/suites are available?" is not a feasible approach to security, and will teach you absolutely nothing (using pre-canned tools shows what someone else *might* know about security at best). Following this route you'll end up like a site I visited once where they had insane password policies and unwieldy access control, only to find that all that complexity was pointless because their passwords were being exposed via telnet/rsh.

Security isn't "Black Magic" (though sometimes it might seem so), and the same principles that applied decades ago still apply today and for the foreseeable future.

Security is a systematic process (be it top down, or bottom up)... identify what you are exposing, understand the purpose of each exposure and why you need it, and then reduce what you have exposed to the bare minimum. This will solve the vast majority of blatant security issues, and you will likely learn a significant amount in the process.

Once you have a "core" to work from, you can start to focus on specific attack vectors for what is left... which is likely far less overwhelming than trying to just dive in from the start, trying to address problems that may not even be at the root of your security issues.

Be safe: Set up a little security lab (1)

SirGarlon (845873) | about a year ago | (#43284559)

If you are going to get into active testing, then I think professional ethics demand you take precautions to avoid harming other users or their systems, even (or especially) by mistake.

If you have two computers, then set up a little testing lab for yourself. Take both machines off the Net but put them on the same LAN (preferably a wired LAN but wireless will do). Set up one box as the target with a Web server and the site of your design. Use the other to run your attacks, Kali Linux or whatever.

The reason to do all this on a LAN is quite simply to avoid accidentally scanning/attacking some unintended host, and to avoid violating any laws or terms of service that prevent you from running attacks. If you test a target on the real Internet, you may accidentally hit something else by mistake, especially if you're a beginner. Whereas on your own LAN you can be as wild and experimental as you want and no one will complain.

It may sound like a lot of work to set up an isolated network, but explaining to an ISP or a judge that you really had perfectly innocent intentions is also a lot of work.

More popular DIY titles: (1)

Rob_Bryerton (606093) | about a year ago | (#43284969)

"Do-it-yourself Cryptography"
"Home Heart Surgery"
"Roll Yer Own O.S."
"Kernel and Driver Programming for Dummies"

Security... (1)

Stax (13864) | about a year ago | (#43285485)

A lot of this conversation has been about remote security scans, but once you find a vulnerability, how do you remediate it? How do you maintain your security posture, and continue auditing your hosts on a regular basis? To what standard?

The National Institute of Standards & Technology provides a lot of help to those attempting to implement security standards.

First is the Security Content Automation Protocol (SCAP) []. This defines how you manage, measure and evaluate vulnerabilities.

Second would be SCAP content. You'll note on the NIST SCAP page the word "community" appears 5 times in the first paragraph. That's not by accident. SCAP content is generally community generated, and there are lots of great lists of people working on SCAP content for a variety of operating systems.

Red Hat maintains the gov-sec [] mailing list, and Fedora [], for example, has loads of content available for Red Hat Enterprise Linux based systems.

Our friends at NIST also publish what is called the US Gov't Configuration Baseline [] (USGCB for short). USGCB content is available in SCAP format for Windows & RHEL. These standards are certainly a good starting point.

If your standards come in the form of a STIG - that content is available as well from the Aqueduct [] project.

[Disclaimer - I work for Red Hat, I support the US Gov't, and I think making security easier is probably an important thing to do]

Try NSA Security Guides... (0)

Anonymous Coward | about a year ago | (#43286081)

While they are out of date for most new operating systems (they probably ran out of funding), the NSA security guides are a good place to get started in securing your system. You can find them for most major operating systems here:

On Linux it is good to install rkhunter to scan for rootkits and it does several other security checks like tripwire, etc.:

I would only use the following tools if you are trying to set up scanning for an entire corporation or institution. These tools are not free:

CIS Benchmarks - Scans for most of the NSA guide suggestions. Requires member$hip, but does have a 30 day eval:

McAfee Vulnerability Manager - Site wide patch and vulnerability scan:
