D.B. COOPER REDUX

If you've watched PRISON BREAK, you'll know what I mean, right?

Reposted from:
http://www.fbi.gov/page2/dec07/dbcooper123107.html



12/31/07

Artist rendering of D.B. Cooper
Have any information on D.B. Cooper? Then e-mail us at fbise@leo.gov.
On a cold November night 36 years ago, in the driving wind and rain, somewhere between southern Washington state and just north of Portland, Oregon, a man calling himself Dan Cooper parachuted out of a plane he’d just hijacked clutching a bag filled with $200,000 in stolen cash.

Who was Cooper? Did he survive the jump? And what happened to the loot, only a small part of which has ever surfaced?

It’s a mystery, frankly. We’ve run down thousands of leads and considered all sorts of scenarios. And amateur sleuths have put forward plenty of their own theories. Yet the case remains unsolved.

Would we still like to get our man? Absolutely. And we have reignited the case—thanks to a Seattle case agent named Larry Carr and new technologies like DNA testing.

You can help. We’re providing here, for the first time, a series of pictures and information on the case. Please look it all over carefully to see if it triggers a memory or if you can provide any useful information.

Cooper's black tie (left); $20 bills stolen by Cooper and recovered in 1980 (right)


Left: During the hijacking, Cooper was wearing this black J.C. Penney tie, which he removed before jumping; it later provided us with a DNA sample. Right: Some of the stolen $20 bills found by a young boy in 1980.





A few things to keep in mind, according to Special Agent Carr:

  • Cooper was no expert skydiver. “We originally thought Cooper was an experienced jumper, perhaps even a paratrooper,” says Special Agent Carr. “We concluded after a few years this was simply not true. No experienced parachutist would have jumped in the pitch-black night, in the rain, with a 200-mile-an-hour wind in his face, wearing loafers and a trench coat. It was simply too risky. He also missed that his reserve chute was only for training and had been sewn shut—something a skilled skydiver would have checked.”
  • The hijacker had no help on the ground, either. To have utilized an accomplice, Cooper would’ve needed to coordinate closely with the flight crew so he could jump at just the right moment and hit the right drop zone. But Cooper simply said, "Fly to Mexico," and he had no idea where he was when he jumped. There was also no visibility of the ground due to cloud cover at 5,000 feet.
  • We have a solid physical description of Cooper. “The two flight attendants who spent the most time with him on the plane were interviewed separately the same night in separate cities and gave nearly identical descriptions,” says Carr. “They both said he was about 5'10" to 6', 170 to 180 pounds, in his mid-40s, with brown eyes. People on the ground who came into contact with him also gave very similar descriptions.”

And what of some of the names pegged as Cooper? None have panned out. Duane Weber, who claimed to be Cooper on his deathbed, was ruled out by DNA testing (we lifted a DNA sample from Cooper’s tie in 2001). Kenneth Christiansen, named in a recent magazine article, didn’t match the physical description and was a skilled paratrooper. Richard McCoy, who died in 1974, also didn’t match the description and was at home the day after the hijacking having Thanksgiving dinner with his family in Utah, an unlikely scenario unless he had help.

Parachute and parachute bag used by Cooper


One of the parachutes left behind by Cooper and the canvas bag it came in. Cooper asked for four chutes in all; he jumped with two (including one that was used for instruction and had been sewn shut). He used the cord from one of the remaining parachutes to tie the stolen money bag shut.





As many agents before him, Carr thinks it highly unlikely that Cooper survived the jump. “Diving into the wilderness without a plan, without the right equipment, in such terrible conditions, he probably never even got his chute open.”

Still, we’d all like to know for sure, and Carr thinks you can help.

“Maybe a hydrologist can use the latest technology to trace the $5,800 in ransom money found in 1980 to where Cooper landed upstream. Or maybe someone just remembers that odd uncle.”

Map showing Cooper's possible landing area


This map was made to help investigators figure out where Cooper landed.




If you have any information: please e-mail our Seattle field office at fbise@leo.gov. And for more details on the case, see our story of November 24, 2006.

Happy New Year!

Time really flies; it's the new year again.
Time for new plans too. Whatever happens, keep at it!

{Repost} How an application gets executed on Linux

From: pthread (美女如云), board: linux
Subject: [Revisiting the basics] How an application gets executed on Linux
Posted at: 兵马俑BBS (Wed Dec 26 09:22:44 2007), on this site (bbs.xjtu.edu.cn)

Last time I covered how to get from a source file to an executable. This time let's talk about how an executable is "executed" from the shell. I'll quote as little source code as possible so it doesn't get boring, and concentrate on making the process clear; readers who are interested can look at the corresponding source for more detail.

In short, the whole process of typing ./test in the shell and running the application is: the current shell process forks a child process (the subshell) and waits for that child to finish. The child calls execve(), which cuts it loose from the parent's program image and loads the test file (ELF format) into memory. If test uses shared libraries, the dynamic linker (also called the program interpreter) has to be loaded as well; it loads the shared libraries test uses into memory and relocates them so test can call them. Finally execution starts at test's entry address.

In more detail:
1. The parent process: copy, then wait
There are many ways to run an application; running it from a shell is a common one. An interactive shell is itself a process (every process descends, through a chain of fork()s, from the init process with PID 1; that topic touches on Linux boot and initialization and the idle process, which I'll leave for another time). When the user types ./test in the shell, the shell first fork()s a child process (the "subshell" many articles mention), then wait()s for that child to finish, so when test finishes control returns to the shell, which waits for the next input. (If what is created is a so-called background process, the shell does not wait for the child and simply carries on.) So the shell process's main job is to copy itself into a new process and wait for it to finish.

2. The child process: "executing" the application
2.1 execve()
Meanwhile, the child process calls execve() to load test and start running it. This is the key to test being executed, so let's look at it in detail.
execve() is a very important system call provided by the operating system; many articles call it the exec() system call (not to be confused with the shell's built-in exec command). In fact Linux has no exec() system call; exec is just the name for a family of functions, all of whose names begin with exec:
  #include <unistd.h>
  int execl(const char *path, const char *arg, ...);
  int execlp(const char *file, const char *arg, ...);
  int execle(const char *path, const char *arg, ..., char *const envp[]);
  int execv(const char *path, char *const argv[]);
  int execvp(const char *file, char *const argv[]);
  int execve(const char *path, char *const argv[], char *const envp[]);
  These are all wrapper functions in libc, and every one of them ends up in the execve() system call (#define __NR_execve 11, system call number 11 on i386).
  What the exec functions do is run an executable file inside the current process: they locate the executable by the given file name and replace the current process's contents with it. The replacement is irreversible; the contents that were replaced are not kept, and when the new program finishes, the process exits with it. Because the process's code segment, data segment, stack and so on have all been replaced by the new content, a successful exec call does not return; on failure it returns -1. The executable may be either a binary or an executable script; the two are loaded slightly differently, and here we look mainly at running a binary.
  
2.2 do_execve()
When execve() is called in user space, the resulting system call trap lands in kernel space in do_sys_execve() (sys_execve on most architectures), which calls do_execve(). do_execve() first opens the executable; if the file does not exist, it fails. Then it checks the file's permissions: if the file is not executable by the current user, execve() returns -1 with a permission denied error (EACCES). Otherwise it goes on to read in the information needed to run the executable (see struct linux_binprm).

2.3 search_binary_handler()
Next the kernel calls search_binary_handler(), which finds the handler for the executable's type (shell script, a.out, ELF, and so on). The kernel has a struct linux_binfmt for each supported format, chained on a linked list; at exec time it walks the list to find the structure for the matching format (if you wanted to define your own executable format, you would have to implement such a handler). It then calls that format's load_binary() function to start loading the executable.

2.4 load_elf_binary()
The handler for ELF files is load_elf_binary(). It first reads the ELF header, then reads the other header information the ELF header describes. It then scans the program header table, finds the segments of type PT_LOAD and maps them (elf_map()) into memory at their fixed addresses. If there is no program-interpreter segment, the entry address returned is set to the application's entry point. This is done by start_thread(), which, despite its name, does not start a thread: it only rewrites the register values saved in pt_regs (the PC among them) to point at the entry of the loaded program, so that when the kernel's work is done and it returns to user space, what runs next is the application.

2.5 load_elf_interp()
If the application uses shared libraries it is not that simple: besides loading the executable itself, the kernel has to hand control to the dynamic linker (the program interpreter, ld.so on Linux) to handle the dynamically linked program. The kernel scans the program header table for the segment marked PT_INTERP, which holds the dynamic linker's path name, loads the dynamic linker's image with load_elf_interp(), and sets the entry address to the value load_elf_interp() returned, i.e. the dynamic linker's entry point. When execve returns, the dynamic linker runs. It examines the application's dependencies on shared libraries, loads them as needed, and relocates the program's external references. Then the dynamic linker hands control to the application, which starts executing at the entry point defined in the ELF header. (For example, if test.c calls foo() from userlib.so, that information is recorded in the test ELF file at link time and the call becomes a call through a stub, say fakefoo(). When test is loaded, foo() is known to be an external reference, so the dynamic linker is asked for help: it loads userlib.so, resolves the address of foo(), and redirects fakefoo() to foo(), so the call to foo() succeeds.)


PS: For performance reasons, modern dynamic linkers all use lazy loading and lazy binding. Lazy loading means a shared library's pages are only brought into memory when they are actually touched (through the page-fault mechanism); lazy binding means the start address of a function in an (already loaded) shared library is only resolved the first time that function is called, and then handed to the caller. Dynamic linker implementations are quite complex, and for performance they manipulate the stack directly in many places; those interested can read the relevant code.

---
※ Source: 兵马俑BBS http://bbs.xjtu.edu.cn [FROM: 221.221.157.26]

10 minutes...

10 minutes.
What can you do in 10 minutes?
In this 10 minutes I've been tapping at the keyboard, telling a friend jokes while drinking coffee; it seems quite full. What about the previous 10 minutes? I can't remember; my memory has really gotten bad. Even so, I think what the next 10 minutes holds is a settled fact: finishing writing this.
Actually, if you don't pay attention, nobody notices how short these 10 minutes are: you take a phone call, or leaf through the papers on your desk, and wow, another 10 minutes has gone. But whatever happens the days keep moving forward as they always have, and the only thing we can control is the measure of our own behaviour. Occasionally I think that in 40 years probably nobody will remember me any more. Maybe it's like us looking at people from the 60s with today's eyes, stirred by what stirred them, without really understanding why.

Look at my sharing spirit...


Uploading 10-odd GB is no easy thing at all; it wore me out...

Fix for Maya on Linux crashing at startup with fatal error (signal 11)

After collecting a lot of material from the net and trying things myself, I found that this is really nothing more than a problem with how the graphics driver is installed.
Here are the two cases separately:
1. NVIDIA's official driver. The better fix is to install the official driver; it's fairly simple and doesn't need any file-association or file-name changes, but the catch is that nvidia.ko may fail to load. The install goes like this:
Leave X; in a terminal, as root, run init 3. cd to the directory with the downloaded nvidia*.run file and run sh nvidia*.run to start the install. Accept the defaults all the way through; along the way it builds the kernel modules, i.e. that nvidia.ko thing, though usually it still can't be loaded. After the install, startx or init 5; if it can't be loaded, run modprobe nvidia and it works. But doing that every time is a hassle, and I found that the reason it can't be loaded is that a file is missing. On Fedora 8, adding an nvidia.ko in the /lib/modules/2.6.23.8-63.fc8/kernel/drivers/video/nvidia/ directory makes it load automatically on the next boot. There should already be an nvidiafb.ko file in there; rename it to nvidia.ko and you're done. I haven't yet found out what bad consequences this might have, though. Remember to back up. With this you can turn on desktop effects, which is pretty nice. With the official driver you shouldn't see the signal 11 error; at least I haven't on my machine. It does freeze often, though...
2. The livna driver. For this you only need to rename two library files. As I recall, it's the two libGL.so.* files under /etc/X11/nvidia; rename them and it's ok.

The above is only about nvidia; I don't know about ati. In any case I feel the card makers still have a long way to go with their Linux drivers, and of course I'm hoping more and more games ship Linux versions so I can ditch xp for good. Haha...

0day

1 http://www.frsirt.com
http://www.dswlab.com/vir/v20070103.html

2 http://www.derkeiler.com
http://www.h4cky0u.org

3 http://www.security.nnov.ru/

http://governmentsecurity.org/

4 http://pforum.pccenter.com.tw/viewthread.php?tid=67&extra=page%3D1

5 http://www.swerat.com/forums/index.php?act=Login&CODE=01

6 http://chasenet.org/

7 http://swerat.com/
http://www.neoteam.com.br
Let me start with a few I think are pretty good
http://packetstormsecurity.nl/
http://hack.com.ru/
http://www.hackcoza.tk/
http://www.web-hack.ru/
http://www.securiteam.com/
http://www.security.nnov.ru/
http://www.hackerzhell.co.uk/indexmain.php
http://hacktheb0x.tk/
http://neworder.box.sk/
http://www.k-otik.com/
http://www.security-corporation.com/
http://www.securityfocus.com/

8 http://metasploit.blogspot.com/


9 http://www.godexp.org/
http://www.milw0rm.com/

My own treasured 0day vulnerability publication sites

These are the good vulnerability publication sites I've collected:
Abroad:
http://www.frsirt.com/exploits/
http://es.wikipedia.org/wiki/Exploit
http://www.securiteam.com/exploits
Domestic:
http://www.z1z8.com/
http://forum.eviloctal.com/simple/index.php?f22.html