Jumbo Frame

转自CB的12月最新Windows Live邮箱注册漏洞及分析

从2006年6月18日@live邮箱爆出注册漏洞开始,其实微软一直没有关闭注册live邮箱的数据库,Windows live ID有关的页面,一直都能访问包括**@live.com/cn/de/fr/jp/..在内的数据库,这可以很好的解释,为什么你的LIVE邮箱能正常登陆收发邮件.新方法又来了!

既然这样，为什么我们现在不能这注册了，这是因为微软把注册
@live的页面入口给封了，
就像一个房子虽然有空间但是把大门给关上了，你当然不能进去了。

基于这个原理，
2006年11月网上第2次暴出@live漏洞，简单的在注册页面远行一脚本就打开了这个大门，可由于传播太快微软很快用一个错误提示关上了这个大门。

到这里我们可以想一下LIVE.COM下有“成千上万”个与@live数据库相连的页面.
微软能够全部堵上吗？答案是否定了。
打开http://domains.live.com开始-进入-选中"使用已有域"-随便输入一个域名，点使用新的ID，这个时候如果你网速快，你不会有什么收获，但是如果你网速够慢(我就是这样，我上的是教育网)，你会发现@live.cn的下拉框，不一会等网页完全打开的时候，这个@live.cn的下拉框就会消失不见，这说明这个网页可以访问live邮箱的数据库，只是网页最后执行的时候屏蔽了@live.cn的下拉框。

所以头脑聪明的同学应该知道我们要怎么做了吧。脚本?。。不我们有更方便的方法

二：注册方法

首先必须安装opera浏览器，到http://www.opera.com/下载opera9 安装的时候选中文。安装后如果你要注册@live.com就把语言换成英文，方法是“工具-首选项-语言”下拉为English然后点确定 (如果要注册@live.cn就不用换了)

1. 打开http://domains.live.com/点击get started(开始)按纽，

2. 在新页面中选中Use a domain I already own(使用已有域 )后随意填入一个域名，
如3X.COM或55.com..等，接着点Continue(继续)按纽

3. 在新网页中，选中第二个在Create a new Windows Live ID in your domain(在域中创建一个新的 Windows Live ID)接着点Continue(继续)按纽

4. 这个就是注册页面了。看到了没*Windows Live ID那里有一个@live.com(@live.cn)了吧，赶紧填你要抢的用户名吧！

5. 最后点I accept(接受)按纽，就注册成功了，可以关掉页面去http://mail.live.com/激活你的@live邮箱了(注意有的时候他会提示密码错误，并转到hotmail页面，这个不用管，再登陆就可以了)

此方法由xuybin原创发表于CNBETA.COM上，转载请注明
已成功注册COM和CN的邮箱,理论是可以注册所有国家的LIVE邮箱 (换语言)
特别是一些小国域名的LIVE邮箱可能没有人注册过，应该可以注册到2位的ID哦
 

**************************************************

很是郁闷，在我转这个文章之前(2006-12-12晚上21:45左右)，我在网吧好不容易突破下载限制，装了opera，可我得到的结果是：

We are working to fix a temporary problem with our sign-up service.
Please try again.
  If you continue to get this error try again later.
OK
Error code:20

微软动作真快呀``````看CB网友的回复，18：30的时候还可以注册.....
 

Hardening Linux: a 10 step approach to a secure server （转载）

The Internet has become a far more dangerous place than it was 20 years ago. Nowadays, Operating System and application security is an integral part of a server configuration and, while firewalls are very important, they are not the panacea.

This list of steps is intended as a guideline with a practical approach. We’ll try to provide a complete picture without getting into unnecesary details. This list won’t replace a good book on secure systems administration, but it will be useful as a quick guide.

Before we get started it’s worth to mention that security is not a status: it’s just a process. The correct initial setup of the server only provides a good start and helps you get half the way through. But you actually need to walk the other half of the road, by providing proper security vigilance, monitoring and updating.

These are the ten steps to secure a new installation of a Linux server (or to improve security in an existing server). We’ll go through them with some examples and comments:

1. Choose a widely used Linux distribution that releases security updates in a timely manner.

   It’s not a matter if there will be new vulnerabilities in your Operating System: it’s just a matter of when they will be found. And when that happens you want to be among the first ones to obtain and apply the fix (or the compensatory control, should a fix not be initially available).

   And the more people using your distribution, the sooner the vulnerabilities will be found and corrected. The worst thing that could happen to you is a vulnerability only known by a few, with a so called “zero day exploit” being used in the wild.

   And avoid exotic or custom configurations as much as possible: standarization is a big advantage. It’s much easier and faster to apply a security fix by just installing a default package through an standard tool (rpm, yast, apt-get, emerge, etc.) than to reconfigure and recompile from source a whole set of applications and libraries.
   

2. Plan the filesystem layout beforehand.

   Avoid using a single partition approach. Create, at least different partitions for /, /tmp, /home, /usr and /var. Mount /tmp, /home and /var with, at least, the following options: noexec, nodev and nosuid (why would anybody need to create a device, an executable or, even worse, a setuid executable in these three directories anyway?).
   

3. Don’t install unnecesary packages.

   If you don’t have a need for package xyz, just don’t install it. You can always install it later if you find out that you really need it. The more software that you have installed, the more likely you will be impacted by a vulnerability, and the more software you will need to keep up to date.

   Avoid compilers and developer tools. Avoid network tools. Avoid packages that have binaries setuid root (some of them are really needed, but don’t get carried away).
   

4. Change default passwords and create regular users

   Never forget to review /etc/passwd and /etc/shadow looking for default users. Lock out non interactive accounts (a simple ‘!!’ in the password field in /etc/shadow will do it – for extra protection replace the shell in those accounts by ‘/bin/false’ in /etc/passwd).

   Create regular users for normal system administration. Abusing the root account for system administration is not only dangerous but also silly: root mistakes can be very expensive (root can wipe out the whole filesystem with a simple command).

   Install and configure sudo. If you need to run anything as root, just precede the command by ‘sudo’. It has the double advantage of making you conscious of running that command as root, and also keeping track (audit trail) of which commands are run as root and by whom.

5. Disable unnecesary daemons and network services

   Run a ‘ps -ax’ and review each line. Think if you really need that daemon. If you don’t, remove it from the startup scripts and kill it.

   Run a ‘netstat -anp’ and see which applications are listening to network ports. Disable all network services that you won’t use.

6. Disable remote root logins over ssh

   Edit the sshd configuration file (usually /etc/ssh/sshd_config). Make sure that the line ‘PermitRootLogin no’ is present and not commented out. Anyway, you will always login as yourself and use sudo to run commands as root, won’t you?.

7. Set up and enable iptables

   Configure and enable iptables with a deny by default policy for incoming and outgoing traffic. These are the basic rules that you should have for a web server running on port 80 (use it as a guideline, don’t copy it literally):

   iptables -P INPUT DROP
   iptables -P OUTPUT DROP
   iptables -A OUTPUT -i lo -j ACCEPT #accept internal connections
   iptables -A OUTPUT -d your_dns_server -p udp—dport 53 -j ACCEPT #DNS/UDP
   iptables -A OUTPUT -d your_dns_server -p tcp—dport 53 -j ACCEPT #DNS/TCP
   iptables -A OUTPUT —state ESTABLISHED, RELATED -j ACCEPT #established and related connections
   iptables -A INPUT -i lo -j ACCEPT #accept internal connections
   iptables -A INPUT -p tcp—dport 80 -j ACCEPT #HTTP on port 80
   iptables -A INPUT -s your_administration_box -p tcp—dport 22 -j ACCEPT #ssh from your administration workstation
   iptables -A INPUT -m state—state ESTABLISHED, RELATED -j ACCEPT #established and related connections

   You may need extra rules if you are sending your logs somewhere else (a very good idea as nobody will be able to alter the logs, even if the server gets compromised).

   An outgoing deny by default policy is almost as important as an incoming deny by default policy. The least thing that you want is to let a hacker use your compromised server as a jumpbox to attack something else. And he will be already inside your network.

8. Configure security related kernel parameters

   Enable syncookies, disable responses for pings to the broadcast, enable ip spoof protection, disable ICMP redirects and disable source routing. You can do so by adding the following lines to /etc/sysctl.conf

   net.ipv4.tcp_syncookies = 1
   net.ipv4.icmp_echo_ignore_broadcasts = 1
   net.ipv4.conf.all.rp_filter = 1
   net.ipv4.conf.all.accept_redirects = 0
   net.ipv4.conf.all.accept_source_route = 0

9. Install a host based Intrusion Detection System (HIDS)

   If you can afford the effort of walking the extra mile, install an HIDS system. A well known one is Samhain.

   Or at least use an integrity verification system like AIDE or Tripwire™ .

   But if you feel really corageous, you could improve general Operating System security with Role Based Access Control and multilevel security (as in SELinux or in grsecurity ), but both of these will require kernel patches and substantial modifications to the system.

10. Apply the latest updates

    Unless you are installing the latest version of a distribution that just came out yesterday (and I would recommend at least waiting a few weeks before installing a new version of any distribution), there are most likely updates available to some of the packages that you’ve just installed. So review the fixes and the caveats, and apply them. And familiarize yourself with this process because you’ll be doing this for the entire life of this server.
    
    

Now some tips to a good security conscious approach:

• Never get overconfident: never think that your server is unbreakable.


• Review the logs frequently. Understand what the errors messages and warnings mean.


• Before installing a new application, always evaluate the risk and take a conscious decision of what level of risk is acceptable. Remember that most of the remote compromise holes reside in applications, not in the OS itself.


• Pick widely used applications with good security support and promptly fixes. Install them in a chroot environment whenever possible. Run them using a non-priviledged account (not as root).


• Make backups frequently and keep them outside: they are your last resource.

And above all things: keep yourself updated in security matters (at least regarding the software that you’re running). Spend a few minutes every day reviewing security alerts, they are well worth the effort and the payback is high.

男人必看的十大电影

这10部电影确实会教你很多做男人的道理。如果在这些电影中，你只看了不到5部，甚至只听说不到5部，那说明作为一个e世代的男人你有点儿落伍了。这些电影的DVD在影碟店里一般都有，你可以一口气全买回来，算是自我教育的投资吧.

1.《阿甘正传》　课程:执着
每次想起阿甘在美国东西海岸之间的奔跑，心里都会止不住的伤感，还有振奋。
你相信一个智障儿的成功吗?你相信这世上得到最多的人正是那些不计得失的人吗?
阿甘不懂得他不能总跟着一个女人帮她打架，也不懂得一个成年人不该总把***话挂在嘴边。阿甘什么都不知道，他只知道凭着直觉在路上不停地跑，并且最终他跑到了终点。
另外，《阿甘正传》还会教给你一个男人必须具备的一种素质——困境中的幽默感


2.《东方不败》　课程:才华
男人不应该不看武侠片，如果你只能看一部武侠电影，你会选择什么?我想应该是《东方不败》.满堂花醉三千客，一剑霜寒十四州，剑客的身姿随着剑在空气中的 游走而起舞，翩若惊鸿，宛若游龙。金庸的《笑傲江湖》讲的是对自由的追求，徐克、程小东、张叔平、李连杰等一干天才用电影再现了金庸笔下这个瑰丽无比的武 侠世界。沧海一声笑的曲子传唱至今，成为我们一个幻想的凭籍，一个逃避现实的出口。


3.《美国往事》　课程:人生
《美国往事》包含了一个男人在这个世界上所能遇到的一切。友情、爱情、幻想、责任、冲突。它更像是一场让人不愿醒来的梦，当面条躺在床上，在温暖的灯　光 和的迷离的电话铃声中回到那些逝去了的岁月，这场梦便开始了，直到最后的面条终于露出笑容，我们才回到自己的人生，去继续那些不尽的故事。什么帮派，什么 仇杀，原来都不重要，印象中只有一个毛躁的少年，偷看一个美丽女孩儿跳舞;只有一个负罪的兄弟，每天早早地上床睡觉;只有一个白发苍苍的老人，面对背叛了 的友谊，语调平和，不动声色。《美国往事》带着你作了一个三小时四十五分钟的梦。人生如梦，这也许是惟一的感受


4. 《罗马假日》　课程:爱情
也许《罗马假日》有点瞎浪漫的嫌疑，但奥黛丽。赫本的出现使它真的成了一部童话。她就像是游历人间的天使，美丽得不染纤尘。记者吻过湿淋淋的公主，然后看着她慢慢地走向自己的官邸。那一刻，你是否会在心里默默地说，“别走”?
　　在罗马的宫殿里，两个人站得那样近，也离得那样远。乔只能说:“你的朋友绝不会让你失望。”而公主也只能这样回答，“罗马，当然是罗马。”在人的一生里，即便只有这样一刻心灵的相通，也会少却多少遗憾!


5.《勇敢的心》　课程:勇气
也许英雄并不是无所不能的神明，但英雄一定是无所畏惧的勇士。在你站在霓虹闪烁的街头，当你面对卑鄙委琐的笑脸，你又想起了那个让你汗颜的华莱士，这时你 收起脸上惯带的笑容，默默地向梅尔。吉布森致敬，从来没有这么庄重。因为他让我们明白，什么才是真正的英雄。“Freedom !”华莱士临死前的一声呐喊，把你的血也点燃了