Domain: informit.com
Stories and comments across the archive that link to informit.com.
Comments · 253
-
Re:highly anticipated?
OpenBSD's weakness' list (just a TINY sampling of what is/was possible to penetrate OpenBSD):
1.) OpenBSD False syslogd Source IP Reporting Weakness:
http://www.securityfocus.com/bid/6219
2.) OpenBSD's mysql security weakness:
http://www.monkey.org/openbsd/archive2/bugs/200103/msg00022.html
(Seems OpenBSD isn't as "secure out of the box" as I stated most all OS' are w/out tweaking it)
3.) PAM Authentication Execution Path Timing Information Leakage Weakness:
http://securityfocus.com/bid/7342
(Funny, I see OpenBSD on THAT list also)
4.) systrace in OpenBSD:
http://www.informit.com/articles/article.asp?p=363731&seqNum=7&rl=1
"Despite its many features, systrace has a number of limitations that bear mentioning. First, it lacks a facility to specify that you can permit once for a system call, such as binding to a socket. This can allow an attacker to recycle a system call, potentially at elevated privilege.
Second, system calls have no exclusive or. For example, an application might be permitted to open a file or a device, but not both. This weakness could ultimately be leveraged by an attacker who seeks to do more than a program was intended to do.
Lastly, the parent process has no control over spawned processes. For example, if you allow /bin/sh to be executed, you cannot control it beyond its own systrace policy. One way to get around this limitation is to specify a policy for the child process to inherit if it is to be less liberal than the normal system policy. This would be done via systrace"
5.) OpenBSD lprm(1) exploit:
Code is right there:
http://security.opennet.ru/base/bsd/1047145087_1289.txt.html
For an exploit into OpenBSD...
*****
Need I go on? I don't think so but I easily could... OpenBSD's not some "magically secure system" any more than any other is and new holes get found on them all every month.
So, DrSkwid?
Please: Don't try to tell others that your OpenBSD is 'impregnable out of the box', because like most other OS'? It isn't.
(Sure, some of that may or may not have been patched above from my lists by this point, but you try to make it seem as if OpenBSD is some 'security panacea' magical formula, & it's clearly not).
And, it most certainly isn't as flexible, ubiquitous, & powerful as Windows Server 2003 is, with as many applications surrounding it in both commercial and freeware implementations as Windows has a tremendous wealth of, and most certainly does not run on as many types of hardware.
6.) This is not just myself stating it, here is another one regarding that:
http://geodsoft.com/opinion/server_comp/security/linux.htm
"The default OpenBSD install is much more secure but also much less functional than a Windows NT or 2000 default install and most"
Keyword = DEFAULT! AND, less functional. BIG sticking points vs. Windows Server 2003.
Which is WHY I put up my list for Windows 2000/XP/2003 server users.
To teach them how to REALLY secure these Os' from MS, far above the DEFAULT security settings they ship with and how + why.
Give it up DrSkwid about OpenBSD being 'so great' when clearly, it's not by comparison. And, having to call me names?
Not too intelligent, nor fact based. The sign of the loser in forums online. It's right up there with spelling and grammar checking.
Above all - It's easy to secure -
Here you go. I use this Photoshop Sumi filter
I thought it's been a part of Photoshop since version 6, IIRC? Here is just a quote from a SAMS Photoshop guide on the Sumi-e filter. There is also a filter in GIMP. My camcorder also had a Sumi-e filter built into it, but it tends to smear the image too much, resulting in loss of texture quality and improved image compression storage.
-
Re:Lock-in continues via DRM
> No, they are not meant to lock you in to Office.
Yes, but that's what they do anyway, claims of purported intent notwithstanding.
Going beyond specific applications and examining the operating system itself, use of Windows violates SOX and HIPAA. Storing personal financial or patient data on a Windows machine and connecting it to the network puts you on the wrong side of the law. Common Criteria Certification is fine with Windows itself, but only as long as it is a standalone machine without network.
-
Re:Best. Mark of the Beast. Ever.
As for concerns about 'hash security', isn't that what john-the-ripper is used for? Just because you can brute-force a password algorithm doesn't make it insecure. From the data provided, this is the equivalent of a 15-character password hash. The best password crackers can take months to crack 10-character password hashes. Then, even if they do figure out that a certain sequence of fingerprint identities matches up a specific hash - what? They somehow clone a finger and alter the dna to create your fingerprint so they can use the computer at the library?
Heh, insightful my ass. Sure, brute-forcing the hash of a 10 character password might take a while, but what if someone chose a poor hashing algorithm (check out the FMS attacks on WEP)? What if I have a dictionary of precalculated hashes for known passwords (FBI fingerprint database anyone)? Using a modern computer, I can do a hash-to-hash comparison of hundreds of thousands of entries a second. Check out my other posts as to how this could be used.
-
Re:4gb internal microdrive?
However, I'm not aware of any virus problem on a Windows Mobile device.
Then you don't seem to know jack shit...
http://www.informit.com/articles/article.asp?p=337069
It's been known since last September. -
Personality Cults (Specifically, Theo De Ratt)
This is not intended in any way as a troll (merely informative to other readers who may not have come across him yet and wonder what we are talking about), but I take it from the UID you do this with the full knowledge that Theo is, on all apparent evidence, a bit of a nutter, a bullshitter (with reference to his utter bollocks about 'Linuxes'), and that rather than OpenBSD being founded out of some earnest devotion to security of his[1], it was because his access to the NetBSD CVS repository was pulled, on the grounds that he was being a class jerk to both users and other developers (not exactly an isolated incident).
[1] In fact, he originally intended it to be called NextBSD, because it seemed he was basically intent on running his own show all along (which seems to me to be due to him 'not playing well with others').
While the development of OpenSSH remains a much valued contribution, from a security standpoint OpenBSD really has a long way to go to catch up to Linux as far as meaningful features go (the security hype being primarily based on (a) the contribution of OpenSSH - which Theo said he didn't want to make for any OS other than OpenBSD! - and (b) simply having all the services turned off on a default installation).
Specifically (and unlike Linux) OpenBSD doesn't support MAC (Mandatory Access Control) restriction on files, nor does it allow the restriction of access to raw devices, memory or sockets for any user (including processes executed as root), hell it doesn't even have ACL's (Access Control Lists) support without a 3rd party patch (e.g. with patches based on FreeBSD 5's implementation), and they don't seem to 'get' why anyone would want it. In fact, they have *actively* decided not to even attempt to implement POSIX.1e (according to this book, endorsed by Theo).
These are features that have been supported by Linux for years. If (and I honestly think it's going to be 'if' rather than 'when' now), OpenBSD begins work to implement these features, then it might start to be considered useful as a secure platform. Until then, it's very lacking in meaningful features indeed. In fact, other BSD variants are already ahead of OpenBSD in so far as implementing them (such as FreeBSD and TrustedBSD).
I realise it's considered easier to criticise than give due credit by some, but in the case of Theo De Ratt I can't see that the amount of credit he gets from some quarters is warranted.
In conclusion, this is why I find the inference that he is 'very wise and well intentioned' at best riotously amusing. ;-)
( YMMV. :) -
Bruce Perens' Open Source Series
Another nice spot to bookmark (which is updated as new books in the series are released) is Bruce Perens' Open Source Series:
http://www.informit.com/promotions/promotion.asp?promo=1041&rl=1
The books are published in print by Prentice Hall PTR, but are also released after a few months freely under the Open Publication License (more about the license in the link below).
http://www.informit.com/content/downloads/perens/opencontent_org.html
-geoff313 -
FYI -- SPEWS / SPAMHAUS Blasted on informit.com
"There is a list called spamhaus I can't E-mail. Unless you know the individuals, you can't get to them to submit or complain. As much as I don't want to see government run a black list, a government would have checks and balances. These are kids playing God."
http://www.informit.com/articles/article.asp?p=344239
(Below just a sample of the hundreds of purulent messages aimed at ISPs who request entries be removed from these blocklists)
"I have called for entire null routing of all ThePlanet's IPs until they clean up. If the rest of the world did so, the spammers would be gone by sunup. " -- referring to ISP theplanet.com
"you host with the planet of spam, a nasty unrepentant spam haus. They are block on sight here, and will remain so until they go chapter 7. Get a new isp or smart host, as planet of spam ip addresses (all of em) are tarpitted here." - more of the same
"1, 68.22.0.0 - 68.22.63.255, sbc.com / swbell.net / ameritech.net / pacbell.net
I'd say there's just two chances of that: No WAY, and No HOW. But there is perhaps a way to get the whole block unblocked.
Any chance you can talk one of the biggest spam-havens in the universe into totally cleaning up?" -- referring to a collateral blocklisting victims post to news.admin.net-abuse.email subject: "kindly unblock 68.22.232.249"
"yep your screwed, 68.248.0.0/13 is firewalled here for massive unending spam attacks. Smart host your mail or move to a new isp."
"Spews listing S684 (http://www.spews.org/html/S684.html) is out of date, and contains incorrect information.
CWIE should be firewalled at all ISPs until the universe implodes. You've knowingly and deliberately harbored spammers since at least 1996, to my *personal* certain knowledge.
FOAD"
">SPEWS, please de-list these Qwest IP addresses. Qwest encourages the responsible use of its networks, systems, services,
On what planet? On this one, Qwest assists spammers and other criminals in relentless abuse. Unplug your servers. Retrain your employees to do something useful like donating their organs.
William R. James"
Point your newsreaders to news.admin.net-abuse.email and observe * "kids playing god"* -
Re:Infect PSP with Viri
All the most amusing viruses emerge on the first day of April...
-
He can afford a PSP ...
... but he can't even afford a decent Husky micro screwdriver as apparent in the bottom right corner of this picture.
-
Not Many
-
Easy to read and print
-
Why I don't like the PSP
The main problem that I've had with the PSP is that games which I already own are not playable on the PSP. The disks are different sizes. There is no current easy way to get a hold of blank PSP disks and copy my current games to it for play.
That and the PSP disks look just like birth control pill disks.
Anyway, these things have been out forever, just not in the U.S., I guess.
Here's a link to the whole article without having to click Next every 5 paragraphs. -
developers
Methods for actually taking advantage of this (and other parallelisation) in your code:
http://www.dcs.ed.ac.uk/home/stg/pub/P/par_alg.html/
http://www.informit.com/articles/article.asp?p=366887&rl=1/
-
Hopefully Helpful Links
Here are a few links that I found while googling around. They should be of some help.
Quite a few Wireless Network Links
Long Distance Wireless Network Project
Wireless Network Security Article
Forum discussion concerning long range wireless routers -
Let's try again...
An article on InformIT.com looks at the current state of haptic technologies: "In the consumer realm, two companies dominate the field in the creation of tactile I/O devices: Immersion Corporation and SensAble Technologies. Right now, each seems interested in consolidating a position in the marketplace.
-
Re:Interoperability and sharing...
Interoperability and sharing are all kinds of nice for the interchange of information, but what happens when a third-party developer comes up with something that can also plug-in, so it gets access to the data, but has some kind of big open hole in other parts of its code, so everyone's records are available to anyone?
That's called MS-Windows and would violate HIPAA. One can make a very secure network by keeping an air gap between the LAN and the Internet. Encrypted connections, IPv6, and locked down workstations won't hurt either. All data partitions must be mounted no-exec and all executable partitions mounted read-only. Using the restricted mode of bash or zsh prevents workarounds like "source trojan.sh". Furthermore, KDE has a kiosk mode or there are other customizable options like Fluxbox.
From there, you just have to be careful about what applications are installed and limit any scripting/macro problems. e.g. keeping the document templates free of macros.
-
Interview with another member of 29A (Ratter)
This article at InformIT.com is another interview with a 29A member (Ratter). Much of the same content and statements.
-
Remember the 95 Registration Wizard?
For me this REGWIZ destroyed all trust I ever had in Microsoft. Before then, I was a MS supporter.
And now we are going to trust them to make anti-spyware software that DOESN'T GIVE THEM AND THEIR AFFILIATES A BACKDOOR? O_o Sorry but no.
-
What about trackballs/mice?
Certain types of games are better-suited to touchpads, trackballs, mice, cameras, etc. I am surprised that no aftermarket trackball controllers are available for home game consoles. Two types of games suffer from this limitation, and they are both types of games that do better on PCs than consoles:
1) Resource management / icon-based / menu-based games
- It is easier to move and click a mouse/trackball than with a joystick or d-pad.
- Examples: The Sims, Black and White, Warcraft, etc.
2) FPS games
- The ability to quickly aim and
- The ability to move with a different hand than the aiming hand
- Examples: Doom, Quake, Half-life, Unreal, and probably 50% of PC games
In general, a mouse/trackball offers higher precision, greater feedback, and an infinite range of speeds over a d-pad or trackball. But it is bad with simple forward, backward, left, and right. But fewer games today use that model. Why do we continue to use these old-style inputs?
FYI: This is called multimodal input, where each device complements the abilities of the other. The keyboard/mouse paradigm is the most generally powerful multimodal combination discovered thus far. -
Maybe they outsourced the job
I think they got the files from the same place this guy got his. Or was it this guy?
I think they all got it from these guys or maybe these guys over here or maybe it was these guys. -
Re:Why can't he just return it?
Nordstrom. You can take anything back there.
-
Re:Nothing
Very true. I remember this story from a while ago. It says that linux is worth roughly over 1 Billion dollars. Check out the math with me...
but that's totaling all the software on the disc you'd be getting from a distro. I can't find the article that originally said this.
-
Re:Huh?
careers involving handling sewage, manure or garbage are actually BETTER than being an IT manager?
Depends upon the criteria, of course, but overall, I'd agree that IT is indeed worse than those jobs. My background has been in IT and telecom for over 15 years; I'm now finishing a finance MBA and will be going into law school.
At the same time, two of my friends meet the above category - one is part of a rural three-person trash collection/disposal business, and the other handles public utility maintenance in my town (and has to maintain the septic plant, as well as water and snow removal).
They love their jobs. Yes they stink at times, but they have plenty of time with their families and get home at a decent hour. Me? Telecom and IT management has been one non-stop death march project. After working for four different companies in 15 years, every single one (regardless of size) sees IT the same: users wish for absurd miracles, users have no money, and users demand it done yesterday.
I read Ed Yourdon's Death March Projects book and laughed till I was crying. A death march project is defined as one whose "project parameters" exceed the norm by at least 50 percent. ONLY ONE? Haha!
And what's worse than having nonstop death march projects? When you happen to keep pulling off miracles, they complain about it! (Course, if you don't, they fire you) This is because, once again, the users don't have a freaking clue about "details" and other technical things. Truly a Rodney Dangerfield "no respect" occupation. What opened my eyes and led to the finance and pending law degree was that several companies I had left had reverted from a highly secure, well-engineered open source shop to completely insecure Microsoft shop (stumble from the parking lot, see that they've got server shares wide open, no wifi encryption, and don't even apply service patches). They hired cheap managers and only care if the report gets out. Security, scale and reliability don't matter.
Was I being a perfectionist? Is security unnecessary? Is accuracy in IT at all important, or can we (like one national cell company that is being investigated for serious billing fraud) just cut corners and hope we don't get caught on sloppy billing?
I don't know and don't care. In IT, when a user screws up, I paid. As counsel, when my client screws up, they pay. Want me after hours and on weekends? Add a few zeros to the check please or don't call me. Oh, and now I get to hang out with my sewer and trash collecting friends...
-
Re:Advantages of Mozilla platform??
You also may want to consider Rapid Application Development with Mozilla instead. It's more recent and a better read, I think. You can also download the entire book (PDFs) from the above mentioned link (hint: see Downloads). If you like it, don't forget to buy it.
-
Re:Serious answer from geeks in the know...?
Unless you like being the scapegoat when someone breaks into your boss's notebook, you should strive for real security. With WPA it is possible to implement reasonable security about as easily as it is to screw up with WEP.
Here is a good article detailing various attacks against WEP. Choice quote: Tim Newsham discovered that there are a number of problems with the key generators for several vendors. [...] This reduced the actual entropy of the PRNG seed to 21 bits. Using a PIII/500 MHz laptop performing 60,000 guesses per second, Newsham was able to crack a 40-bit WEP key from a key generator in 35 seconds. -
pretty, unreadable
this is pretty, but unreadable
I just wanted a show -
OfficeFX Review
Short OfficeFX review.
Points of interest:
"Besides a graphics chip like the ATI Radeon, the program requires the .NET Framework (available from Windows Update) and DirectX 9. A pre-installation panel reviews your system and tells you whether you can continue setup."
"I discussed this with Don Brittain, the CEO of Instant Effects, and he said that in his view the product is 18 months ahead of the hardware cycle. This means that you need the very latest laptop to make sure you can show an OfficeFX show. But here's how it works."
-
First reported on Geekzone, reported on InformIT
The Register and others linked to a Geekzone thread where the program was first reported. One of our users wrote a report that was later posted on Informit with complete analysis including debug information and posted a reference on Geekzone too.
I wonder why they did not disclose the source. -
DOSing 911
-
windows update and hipaa
HIPAA, which went into effect in April 2003 to protect patient privacy in the USA, has provisions that seem to be incompatible with automatic Windows updates, see, for instance, this article at InformIT (discussing HIPAA and Win2k SP3), which I will quote below.
... to be HIPAA compliant, your health-care organization must "reasonably safeguard protected health information from any intentional or unintentional use or disclosure." However, if SP3 is installed, Microsoft can now access your machines containing safeguarded information, such as confidential medical records. Ironically, however, you must install SP3 to be secure. Thus, every organization that needs to meet HIPAA's regulations must choose the lesser of two evils. -
Re:Seems on the level.
Oh ya, they don't want bad PR.
Riiiiiiiight.
DRDOS
Windows95 Registration Wizard
Bundling Antitrust
NSAKEY
Windows Product Activation
Etc. Etc. Etc. Me thinks their image is just a bit beyond repair at this point -
Re:The classic supercomputer is the modern desktop
> is trivial to parallelize with threads.
Multithreading is not trivial. Parallelizing with threads is probably not trivial either. Perhaps you meant "practical," "feasible," or "do-able," but certainly not "trivial."
-
Re:Corporate Acceptance?
What can Mozilla offer that will aid its cause in the enterprise environment.
Rapid Application Development with Mozilla ;) You can download the .pdf of the book there. -
Re:Netscape 5
I agree with Joel to a point (for Slashdot users too lazy to cut and paste, the article is here)
However, I once wrote a piece of code that I knew from the getgo was "scaffold" code; a quick-and-dirty piece of code that would work until I replaced it with something better. I made a lot of fundamental design errors with that code, since I didn't know how to solve the problem in question well when starting to work on the code, but I made the code work. And, since I made errors, I spent months debugging and re-debugging the code in question. Memory leaks, crashes, everything; I spent far more work getting that code to be fairly usable than I ever planned on doing. I did this because I knew I was responsible for the code I wrote; if I don't (mostly) fix the bugs the first time around, I wouldn't make something better the second time around.
There are times when the Linux kernel has done the same thing. The original kernel SCSI code was a bloody mess. They eventually broke down and completely rewrote it. The Linux SCSI code is today much better.
I don't believe in complete from scratch rewrites; but I believe in "scaffolding" code: Writing a "quick and dirty" version that works, then slowly replacing the "quick and dirty" code with better code.
While on the subject of upgrades, I think it is a cardinal sin, especially with a program that uses text files for configuration, to require your users to change their configuration simply because you've released a new version of your program. I have made a commitment to myself that I upgrade configuration via a "scaffolding" method; allowing one to specify that the configuration is in a new format in the config files is OK, but having a new version unable to read old config files is not OK. If this means having two parsers side by side, so be it. -
You're not paranoid enough
<matrix>MS Longhorn: "What's the use of a browser with soul...if you can't even surf?" </matrix>
-
Re:Yet again...
But why are MS always trying to put all the other browsers out of business for something they get nothing back from?
Because MS wants the platform independent browser to die. As long as they have control of the browser you use to access your content (and, in the future, your applications) they are happy.
See this article.
and this
/. thread: Browser Wars Mark II -
A few options
Komodo
Wing IDE
Now, you mention you had trouble with boa. You're going to want to get it working unless you want to spend some money, because for $0.00 that's as good as it's going to get. Otherwise the two above are good investments. IIRC Komodo has a free version, but I'm not sure. PythonWorks had great potential but it's not being developed any more. It only supported Tkinter anyway.
That's as far as GUI designer support. If you're not having any luck you might want to try wxWorkshop. I've heard some people have luck embedding their dialogs in C++ libraries and binding them to Python programs. YMMV.
If all you want is a good Python editor with debugger support there are a bunch of them out there:
http://drpython.sourceforge.net
http://pype.sourceforge.net/ (more mature)
Personally the best Python-specialized editor I've used is IDLE, though it has no GUI capabilities. IDLE ships with the full Python distribution for Linux and Windows, and it behaves essentially the same in both platforms.
You might also want to check this article out. And of course, the clearing house.
-
Re:I'm sure this is an excellent article...
Are we talking about the same site? I had a look at the style sheet for informit.com, and although they make some browser-specific hacks I'm not overly fond of, it seems at first glance like the background/font colors are being specified correctly.
Also, you may want to give these bookmarklets a try for your css needs.
-
Single page version
-
Reader friendly version
-
css3 support in Mozilla
Gee, why are the pages so small? The printer version is much easier to read. Anyway, for the latest word on mozilla's support of css3, don't miss Anne Van Kesteren's report available since Wednesday May 19th, 2004.
-
Battle "Royale".
Nope. Nothing to see here, nothing at all. Seriously RIA's is were the next battle is going to be. Look through those links and go WoW! The Laszlo systems one even has a free download if you want to try at home. That's why it's important that XUL and related technologies get up to speed (including SVG!). Luxor, might even work out. Here's the two, books, needed to understand XUL.