Domain: insecure.org
Stories and comments across the archive that link to insecure.org.
Comments · 492
-
Re:Wellenreiter
> Although it wasn't on the list, Wellenreiter is a really great wireless scanner.
Wellenreiter only received 6 votes (even after correcting for poor spelling :) and 10 were needed to place #75. But since it is clearly a useful free tool, I just added a link to it in the Kismet entry.
Thanks for the suggestion,
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner -
This has also happened to Nmap ... AG must chill
I can understand how American Greetings could be a little uncomfortable about imagery of Plum Pudding getting her ass smacked by Strawberri Shortcake, but they need to chill out. A while back someone took my Nmap Security Scanner and created a cartoonish parody that is 100 times more disgusting and offensive!
Yet I didn't sue. I just got a chuckle at the sick mind who would create such a thing! AG should take note.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner. Version 3.27 was released today -
Diversity is not always an advantage
> I like to look at network security with the same attitude as I look on
> the stock market: diversify. Don't put all your eggs in one basket.
That is certainly true in the stock market, but I would be careful about applying it to network security. Adding a new stock to your portfolio does not place your other stocks at greater risk. Yet every new network service/machine you add _does_ increase the risk to the rest of your network. If an attacker manages to get a foothold into one of your machines, there are a myriad of ways that she can leverage that access to further compromise your network.
Adding a new service is like having to defend a new front in a war. You have to divide your administrative effort into securing all of your systems, while the bad guys need only break through one of the defenses. So I would generally recommend standardizing on (say) a locked-down qmail, rather than putting out a "diverse" network that includes qmail, postfix, sendmail, exim, etc. Choosing one of those (even if you have instances on many machines) allows you to put more effort into locking it down, learning about it, and watching for & patching vulnerabilities. Meanwhile, attackers must have an exploit for that exact server rather than for any one of the mail servers you are running. Remember that even if you somehow manage to patch every announced vulnerability within 12 hours, there is still some window of exposure there. And many bugs will still float around underground for months before you hear about them - take a look at the recent SAMBA exploit for just one example.
I'm certainly not saying that diversity is always bad. In some cases it makes sense. But don't treat it as a tenet of secure network design like "deny by default" or "defense in depth".
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner. Version 3.27 was released today. -
Re:Revenue model for Semantic Web?
A great point. A few months ago, I wrote a scraper that would grab the latest posts to the computer security mailing lists archived at insecure.org & convert them into valid RSS feeds. These rapidly became the most retrieved files on my website. Unfortunately, I can't even count these in a traffic analysis to a potential advertiser. Oh well ... nobody buys from my ads anyway ;-)
And oh yeah, if you want to use those RSS's, they're at djeaux.com. Free & free of advertising!
-
Re:New idea?
-
Re:Actual Implementation
-
Nmap compliance!
There now exists a patch for nmap which sets the evil bit on by default, available here
Also, more discussion on when the evil bit should be set. -
Re:Languages not necessarily the problem
The reason Perl needs taint mode at all is because it does so many things in a blatantly insecure way...In most compiled languages, a taint mode is not necessary because the language and libraries don't do 'useful' things based on magic characters in strings you happen to pass.
Have you ever used a SQL library that lets you build and pass queries to the server? There are plenty of SQL injection vulnerabilities that would have been thwarted by taint checking in the language. Applications are filled with lots of other "little languages" that can be made to interpret unchecked input dangerously. -
Even MORE vehement positions
> What amazes me about the political discussions on Slashdot is how many
> people hold vehement positions even though they don't follow the news
Scarier is that this Slashdot discussion is refreshingly civil compared to what I've encountered the last few days! Last Sunday I released a version of Nmap and included a very short peace plea at the top of the announcement. I received well over 50 replies. While a few people such as Ilan Meller of Israel and Amir Safayan from Iran presented reasoned cases for preemptive action against Iraq, most of the replies were the worst flamage I've seen in years!
For suggesting that perhaps Bush could have been a little more patient with the UN & weapons inspectors, one person said I am "obviously a terrorist". Another concluded that Nmap "is spyware to spy on the american people." Chet from Hotmail explained that we must attack because "the religion of Islam seeks to destroy the USA". Jason from CMITexas said "Stick it up your ass! .... You are another resentful European loser. I demand an answer now asshole!!!!" Another crazy Texan said "Iraq will bow to the most powerful nation in the world and you will stand by and observe. Your representatives are powerless against gods chosen nation. No country has the power or the intellect to do anything about it." Guys: I am a proud US Citizen residing in California -- please tailor your invective appropriately.
Fortunately I sent out a second mail yesterday which noted the flames above and also clarified my points. I was quite gratified that this one already has elicited more than 220 replies, with 95% being civil! Many still disagree with me, but at least they respected my right to have and express my beliefs. It restored some of my faith in humanity (or at least in Nmap users). I can appreciate alternative views too. What frustrates me are the people who believe Saddam is linked with Al Qaeda or a bigger threat to the US than North Korea only because Bush says so.
I wish I had time right now to go through the hundreds of mails and piece together some of the very best arguments on each side. But I guess /. has no dearth of comments already :). So I'll just leave you with a few links I found interesting or funny ;).
- A very relevant and insightful quote from Hermann Goering at the Nuremberg Trials.
- One of the few web site defacements I find amusing ;)
And on a completely different (and much happier) note, I am pleased to announce just-released version 3.20 of the Nmap Security Scanner. It is the first "stable" release since last July and contains hundreds of improvements (release notes).
--Fyodor -
Mirror of email
The only comment I see is a first post!!! and it's already slow as hell.
Also read it here for another mirror -
Nmap's revenge
The systems described in the paper such as IP Personality and Honeyd (my favorite), work by watching for the exact probes as described in my fingerprinting paper and then responding as detailed in the Nmap OS DB. But what about all the other TCP/IP techniques for fingerprinting a system? Later this year, I hope to add about half a dozen, including selective ACKs, TTL-normal-reply, and TTL-RST-Echo. Once these are implemented, spoofed systems will appear as a Dreamcast (or whatever) using the old techniques and will be exposed as their real OS via the new techniques. So Nmap could offer fingerprints like "Linux 2.4 pretending to be a Laserwriter". And attackers could even scan the 'Net looking for spoofed boxes -- let's hope the spoofing modules/programs don't open any security holes of their own!
Of course, the spoofers will then update their software to recognize the new fingerprinting technique and the cycle begins anew. Ah well. I enjoyed Berrueta's paper, by the way.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner -
Yes, you sure can!
Indeed, my site is just listed in passing, yet my web traffic suddenly tripled.
As for the paper, I found it interesting and amusing enough to announce to the nmap-hackers. I'm all for doing this to your personal machines for entertainment and experimental value, but would almost never recommend it as a serious security hardening technique. Your time is almost always better spent working on fundamental security improvements such as applying patches, tightening firewalls, installing IDS systems, removing unnecessary services and setuid binaries, auditing system logs, etc. And sometimes this type of spoofing can actually increase security risk. Nmap expects many modern UNIX operating systems to offer nearly-unpredictable generation of TCP initial sequence numbers and the IP ID field. Crippling the generators to appear as a printer can make you vulnerable to TCP connection spoofing and a plethora of vulnerabilities related to the new Nmap Idle Scan technique.
And remember that many or most worms and script kiddies simply spew their exploit code to every listening server rather than bothering with fingerprints. All the attempted IIS exploits in my Apache log are testament to that! And if you attract a more competent attacker, you probably won't fool them for long anyway.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
-
Hi
I read this article a few days ago and bookmarked most of the links I thought valuable. If anyone else is interested, add some more to this thread so I can grab them :)
Exported bookmarks Fingerprint
blackhole(4) - a sysctl(8) MIB for manipulating TCP
Help Net Security OS-FngrPrint article in PDF
Honeyd - Network Rhapsody for You
http://ojnk.sourceforge.net/stuff/iplog.readme
http://www.insecure.org/nmap/nmap-fingerprinting-article.txt
IP Personality - Home
Kernel Options
p0f file listing
PhoneBoys FireWall-1 FAQs: Blocking queSO packets
s0ftpr0ject 2000 Fingerprint Fucker
Security Technologies
SourceForge.net: Project Info - SING
Sys-Security.com - Because Security is not Trivial
USENIX Technical Program - Abstract - Security Symposium - 2000 -
Netbios used to be 137,138,139 not 445...
Did something new happen in the ME/XP/2k versions of windows? I don't use those, but on my win98 and winNT boxes the netbios ports are 137,138, and 139. Did Microsoft kerberize these services or something?
In /etc/services on all my *nix boxen port 445 is undefined, but IANA says Microsoft does indeed own 445. My samba boxes and NT servers don't show the port live with nmap, though.
The smoothwall firewall SSL administration application runs on 445. That's the only thing I know of offhand that uses it..... -
Lots of 'prior art'
Check out this page for the basics, this thread over at insecure.org, and the Honeypot page at sourceforge.net has an interesting article on monitoring such honeypots. Good luck!
-
Re:I hate to say it..
Not long ago I walked a client several hundred km away through an OpenBSD boot via floppy so he could change his forgotten root password. I don't hear the masses screaming for Theo's head because this is possible.
Oh yeah? Well, They have. In satire of genuinely stupid advisories, I think. Although it's hard to tell the difference between this one and some others I've seen...
Here's an excerpt:
Section 2 [Preface]:
Usually, Team Leet keeps our code and research quite private until we spew our diarrhea all over your computer monitor. But, what really annoys us, is when a very big figure in the computer security community lies to the people who make him who he is. The person I speak of is Bob Dobbs. Bob Dobbs claims that OpenBSD hasn't experienced a local root hole in the default install for many years. Yet, during his internal audits, he regularly finds unfaithfulness to the church, and he never notifies the public. I think you guys are lame. You have demonstrated sins, transgressions, intemperances, vices, errors, failings, personal faults, indiscretions, lapses, trespasses, and crimes against man, woman, child, law, nature and god. What worries Team Leet is that our servers might be hacked. We have found many other exploitable holes in previous OpenBSD distributions, that have miraculously been patched and never revealed. Next, there is the "Three years without a remote hole in the default install." I hope this advisory breaks that as well, because, technically:
- Walk up to the machine
- Turn it off
- Unplug it
- Take it with you
Although we have not confirmed it, we believe this bug is also exploitable via NFS, RSH, TELNET, and SSH.
Three years without a remote hoe? Strike that.
-
Al Qaeda is known to use PGP -- Ask Zimmerman
As Declan McCullagh notes, Al Qaeda is known to use PGP.
What are your feelings about the fact that your tool can be used by people with intentions that are opposed to your original idea?
I can't think of one way to make this technology available to everyone without also making it available to criminals. I thought about it a lot. This has been the focus of the debate in the '90s: many cryptographers tried to think about the way to make this technology available to good people without making it available to bad people, but nobody could find a solution.
Like the telephone?
Yes. For example: after 11 September there were some speculations about the terrorists using some GPS technology. I don't think there is any evidence that they did, they were only speculations that I read in an article at that time. Well, if they did, they were applying technology directly to kill people. You know, it's difficult to fly a plane. It's difficult even to fly it to the airport, it's even more difficult to fly it against the World Trade Centre. It's not a normal path, it would help to have a GPS. This is just speculation. Anyway, the manufacturers could stop making GPS receivers. But what about the rest of us: we benefit from GPS receivers.
By the way, the U.S. Military is not the bad guy here, and by no means do I want anyone to think that I feel that way. Should we go to war, it's our kids that will be the targets of bullets and most likely gas and bio shit, all because in the 50s, 60s, 70s, 80s, and 90s, our elected leaders sowed the seeds of discontent around the world, and ignored the crop.
I hope our military uses whatever they can, however they can, legally. If you have a problem with the war, run for the PTA, the local council, state government, or federal government. Did you remember to vote?
-
Re:flaw is easily avoidable; use RC4
> the attacker has to be a man in the middle with capability to intercept and replace traffic. Outside the scope of a university campus network the possibility for such attack is becoming a very rare occurrence
I wouldn't say that at all. DNS spoofing is sadly still feasible in many situations and easily gives you this capability. It is trivial if the attacker is on the same layer 2 network (insider attacks are extremely common, and so are outsiders who own one machine on the network and then leverage that for more.) Remember that the SSL certificate validation process won't protect you from this attack, since that part of the protocol is proxied through unmolested.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner -
US Alternative Tunnel Broker
> Disclaimer: I help run ipng.org.uk, which is a UK tunnel broker, who gives you a /64 ... and delegates full forward and reverse DNS to you
Great! And for those of us in the States (especially California), Hurricane Electric offers a free tunnel broker with these characteristics that I would recommend. I have been using it for more than 6 months, and find it quite stable. You do lose your /64 if HE can't ping you for 24 hours, but a new one is only a mouse click away. And what kind of geek would leave their computer inaccessible for that long anyway? ;). Initial activation does take a day or so.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner -
Not yet ...> Are there enough /.'ers using IPv6 to /. sixxs.org?
Apparently not yet:
felix/home/fyodor> ping6 slashdot.org.sixxs.org
PING slashdot.org.sixxs.org(3ffe:4007:1:1:210:dcff:fe20:7c7c) 56 data bytes
64 bytes from 3ffe:4007:1:1:210:dcff:fe20:7c7c: icmp_seq=0 hops=56 time=266.762 msec
64 bytes from 3ffe:4007:1:1:210:dcff:fe20:7c7c: icmp_seq=1 hops=56 time=257.366 msec
64 bytes from 3ffe:4007:1:1:210:dcff:fe20:7c7c: icmp_seq=2 hops=56 time=258.530 msec
Of course, authentication cookies won't work in that domain (unless they've hacked around that). And the login form uses a relative URL, so it posts your password to the .sixxs.org gateway. Whoever runs that will have a lot of low-UID accounts if he wants 'em :).
-Fyodor
Concerned about your network security? Try the Free Nmap Security Scanner -
Worlds 26 Greatest Probes
-
Or IPv6 Tunnel Broker> Many Japanese ISPs will give you your own IPv6 subnet right now, for not very much money.
And even if your ISP won't assign you an IPv6 subnet, you can always utilize a free Tunnel Broker to obtain a huge IPv6 address space of your very own (tunneled to your IPv4 IP). I used this recently when adding basic IPv6 support to the Nmap Security Scanner. My announcement also provides a concrete example of IPv6 being used to subvert firewall rulesets. A ton of useful IPv6 information is available from Kame.Net -- once your setup is working, the turtle on the top of that page starts to dance :). I also found the Linux IPv6 HOWTO to be incredibly helpful.
-Fyodor
Concerned about your network security? Try the Free Nmap Security Scanner -
Re:Vote Next Year Everyone
> ...and anyone voting to keep the current Bush administration, must be insane.
Yeah, because Gore's record on stuff like this is SO good. To say nothing of the fact that the Bush-Ashcroft justice department has yet to approach the (shock warning - this link is disturbing) Reno body count, much less Clinton's.
I suppose, therefore, that according to your interpretation of this problem, our choice is between insanity and amnesia.
-
Re:How this works
Linux 2.4 already does this. Linux 2.2 does not. I'm not sure why people are talking of "patches" to the Linux kernel to fix this, as current kernels are already immune to the attack.
The real reason a simple counter IPID is dangerous is because it allows zombie scans. These are scans that are "bounced" off of your machine: attacker A scans machine C using machine B, and user C only sees a scan coming from machine B (HP JetDirect printers work great for such zombies, and are often connected directly to the Internet). Lots of fun stuff you can do with that IPID field :)
-
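The zombie scan described in the comment above, as an added simulation that is not Nmap's code and not part of the original thread. Hosts A, B and C are Python objects rather than real packets, and B's IP ID policy is reduced to either one global counter (the dangerous case) or a per-packet random value (a simplified stand-in for the non-global IP IDs that make a host useless as a zombie). Real scans send several probes per port to average out B's own background traffic; that is left out here.

```python
"""Idle ("zombie") scan simulation: attacker A learns whether a port on
target C is open by watching the IP ID counter of an uninvolved host B.

Added illustration, not Nmap's own code. The network is modelled as
method calls: a SYN/ACK arriving at B makes B send a RST (consuming one
IP ID), a RST arriving at B is silently dropped.
"""
import random

OPEN, CLOSED, UNKNOWN = "open", "closed", "unknown"


class Zombie:
    """Host B: replies RST to any unsolicited SYN/ACK, each RST using one IP ID."""

    def __init__(self, sequential_ipid, rng=None):
        self.sequential = sequential_ipid
        self.rng = rng or random.Random()          # anything with .randrange()
        self.counter = self.rng.randrange(0, 65536)

    def next_ipid(self):
        if self.sequential:                        # one global counter (Linux 2.2 style)
            self.counter = (self.counter + 1) & 0xFFFF
            return self.counter
        return self.rng.randrange(0, 65536)        # simplified "unpredictable" policy

    def on_syn_ack(self):
        """Unsolicited SYN/ACK -> RST; the caller receives the RST's IP ID."""
        return self.next_ipid()

    def on_rst(self):
        """A RST for a connection B never had is silently dropped: no packet sent."""
        return None


class Target:
    """Host C with a port table; records the apparent source of every SYN it receives."""

    def __init__(self, ports):
        self.ports = ports
        self.seen_sources = set()

    def on_syn(self, dport, apparent_src, reply_to):
        self.seen_sources.add(apparent_src)
        if self.ports.get(dport, CLOSED) == OPEN:
            return reply_to.on_syn_ack()   # SYN/ACK goes to B; B answers RST, burning an IP ID
        return reply_to.on_rst()           # RST goes to B; B ignores it


def probe_ipid(zombie):
    """A sends B a SYN/ACK from its real address and reads the IP ID of the RST."""
    return zombie.on_syn_ack()


def idle_scan_port(zombie, target, dport):
    before = probe_ipid(zombie)
    # A spoofs a SYN to C with B's source address; C only ever sees "B".
    target.on_syn(dport, apparent_src="B", reply_to=zombie)
    after = probe_ipid(zombie)
    delta = (after - before) & 0xFFFF
    # delta 1: only A's second probe consumed an ID, so C sent B a RST (closed/filtered)
    # delta 2: B also had to answer a SYN/ACK from C, so the port is open
    if delta == 1:
        return CLOSED
    if delta == 2:
        return OPEN
    return UNKNOWN                          # non-sequential IP IDs give no signal


def idle_scan(zombie, target, dports):
    return {p: idle_scan_port(zombie, target, p) for p in dports}


if __name__ == "__main__":
    c = Target({22: OPEN, 80: OPEN, 23: CLOSED})
    b = Zombie(sequential_ipid=True)
    print(idle_scan(b, c, [22, 23, 80]))       # {22: 'open', 23: 'closed', 80: 'open'}
    print("C saw SYNs from:", c.seen_sources)  # {'B'}: A never appears in C's logs
```

With `sequential_ipid=False` the same scan returns `unknown` for every port, which is the whole reason a kernel that does not hand out one global counter cannot be used as a zombie. Note that the target's logs only ever contain B's address.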
Kernels vs. standards
The Linux kernel was written using gcc extensions.
I'm not going to say that gcc and the kernel sources are bug free, but writing a kernel requires making use of things that the standards have not specified or will not allow.
For example, No C standard defines that a pointer should fit in some integer type, but the kernel needs to assume that on several places. In such cases, it's safe to expect that it fits in unsigned long and it does hold on all current Linux ports.
Linux Kernel: [PATCH] fixes for building kernel using Intel compiler -
takes more than hiding apache
-
I don't use debugging tools for much..
But I only use debuggers for two purposes.
Purpose 1. Segmentation Fault (core dumped). Uhm, now where did that happen? Whip out gdb, find the line that generated SIGSEGV, and it's usually obvious how it happened. If not, I have it print out a stack backtrace. If I really can't figure it out then, a 5 minute walk around the block and I'll have figured it out as soon as I sit back down.
When writing in high level languages, I'm finding that debuggers are wholly unnecessary. In fact, I can't remember the last time I spent more than 20 minutes trying to track down a bug. *shrug*
It'd be nice if debuggers solved my problems automatically, but I'm really finding that I don't need them. I might even go so far as saying use of debuggers encourages dependency on debuggers, which in turn discourages thinking about the program itself. Not saying that EVERYONE does this, just that some of the best work gets done remarkably well even without debuggers.
The Linux kernel, for example, was largely developed without the aid of a debugger, and the core developers seem to eschew them. Here's a good thread on why the developers don't want to include a debugger.
Purpose 2. On the other hand, debuggers are remarkably good at helping you break program code. With almost no experience using gdb, I was able to break the license key check on Intel's C Compiler in about an hour. I was amazed at how easy it was to attach a debugger to the compiler and skip the subroutine that performed the license key check. With no debugging symbols to work with. Disassemblers rule. It took another 10 minutes to turn this into a script that could be distributed as a wrapper for icc (called xicc), so all you had to do was set CC=xicc in the Makefile.
Sure I could have used LD_PRELOAD so that time() always returned a date within the trial period, but breaking program code with a debugger is just so gosh darn fun.
-
Actually, there was ONE known Mac exploit
Waaaaay back in 1997, there was a problem with a version of Lasso (a 3rd-party database-access CGI) that could be exploited. I believe it was discovered during a 'hack this Mac web server and get $10,000' sort of contest-- it was so long ago, I don't really remember the details, but it has been done. This hole was closed very quickly with an update to Lasso.
People just using the web service built into the Mac OS, however, have never had anything to fear. Unlike IIS, Personal Web Sharing and the AppleShare IP Web Service were always airtight.
~Philly -
Re:This is Phrack?
> root@aio:~# nmap -sX -iR -p1- # Ho, ho, ho! Merry Xmas, everyone!
> hey, what does the shit from your sig do?
It sends Xmas tree packets (with fin, urg, and push flags) to everyone, which is a traditional Internet Xmas Greeting. You have to download Nmap first. You may want to add a -Tinsane option (which means: set the Tin variable to "sane"). Have fun. But hurry up, because it's a tradition to send those greetings before the New Year.
-
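The Xmas packets mentioned above, seen from the receiving side. This is an added example, not part of the original comment and not Nmap code: it builds a few IPv4/TCP packets by hand (checksums left at zero, since nothing touches the wire), reads the flags byte back out of them, and flags a source that sprays Xmas, NULL or FIN probes across many ports. The hosts, ports and threshold are made up for the demonstration.

```python
"""Classify TCP flag combinations the way Nmap's scan types use them and
report a source that sends inverse-scan probes to many distinct ports.

Added example; the sample traffic below is constructed, not captured.
"""
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG      # the flag set nmap -sX puts on every probe


def build_packet(src, dst, sport, dport, flags, ttl=64):
    """Minimal IPv4 header (20 bytes, no options) followed by a 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp


def parse_packet(pkt):
    """Return (src, dst, sport, dport, flags) from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4           # IP header length in bytes, options included
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13] & 0x3F              # low six bits of the TCP flags byte
    return src, dst, sport, dport, flags


def classify(flags):
    """Name the probe type; a closed port answers xmas/null/fin with RST, an open one stays silent."""
    if flags == XMAS:
        return "xmas"
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == SYN:
        return "syn"
    if flags == ACK:
        return "ack"
    return "other"


def find_scanners(packets, min_ports=5):
    """(src, dst) pairs whose inverse-scan probes hit at least min_ports distinct ports."""
    probes = defaultdict(set)
    for pkt in packets:
        src, dst, _, dport, flags = parse_packet(pkt)
        if classify(flags) in ("xmas", "null", "fin"):
            probes[(src, dst)].add(dport)
    return {key: sorted(ports) for key, ports in probes.items() if len(ports) >= min_ports}


# Constructed traffic: one host sprays Xmas probes at ports 1-8, another opens a normal connection.
SAMPLE = [build_packet("10.0.0.9", "10.0.0.1", 40000 + p, p, XMAS) for p in range(1, 9)]
SAMPLE.append(build_packet("10.0.0.5", "10.0.0.1", 51000, 80, SYN))

if __name__ == "__main__":
    print(find_scanners(SAMPLE))   # {('10.0.0.9', '10.0.0.1'): [1, 2, 3, 4, 5, 6, 7, 8]}
```

The flags check masks off the two ECN bits so an ECN-capable SYN is still classified as a SYN; a real sensor would also want to see the RST replies, since a port that answers a Xmas probe is exactly the closed port the scanner is trying to enumerate.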
Re:How does a buffer overflow allow code execution
I agree.
Smashing the Stack for Fun and Profit is certainly a classic.
Also, if you want to know about more obscure heap based overflows, look at http://www.w00w00.org/files/articles/heaptut.txt -
But can OpenBSD eat defacements?
-
Re:New spam...
> TCP/IP Fingerprinting [insecure.org]
> Most routers run a BSD variant and will return an identifiable fingerprint.
Now that's an interesting idea I hadn't thought of. I've played around with nmap a little and it's pretty good, although for technical people I think there are ways around it. If you've got a linux / some BSD box doing the routing you can set it up to be a halted firewall. I believe this solves that problem since only NAT and ipchains would be running. I don't believe the machine would return pings, which is one of the things nmap depends on. There was a story discussing something like this here on slashdot a while back, but I can't seem to find it.
Of course that doesn't help if someone is using a hardware router/firewall. Do you think there are (or have you heard of) any ISPs who actually do use something like nmap to see whether or not their users are running a hardware router/firewall?
However, even if they suspect, can they do anything about it? It still comes down to the issue that they would have to come into the house and check physically. I mean I could just tell them that I'm running BSD on the computer connected to the internet. They can't do anything unless their TOS says they will only provide service to Windows users. But I'm not sure if that would stand up in court. -
Re:New spam...
> But short of that they have no way of knowing.
TCP/IP Fingerprinting
Most routers run a BSD variant and will return an identifiable fingerprint. -
Linus and Support Code
First, I have only followed the thread summaries on kernel traffic, but I'm aware of the ongoing debate.
Linus writes very good code. He therefore tends to regard those of us mere mortals who need debugging tools, in this case, a crash dump and earlier, a kernel debugger as lesser mortals.
Do any of us really like kernel bloat? At the same time what do we do when it has tanked and we only have a vague idea why. Linus's view is that the kernel shouldn't have crashed. True, but in real life, even if the s/w is perfect, the hardware isn't and a cosmic ray may have flipped a bit. This is why we have crash dumps and debugging tools. Linus doesn't believe in this. This is why the kdb project has to stay as an external patch.
Most vendors consider Linus's kernel to be a little bit bleeding edge, they wait a while before upgrading and they may apply patches of their own (*sometimes* back ported from newer releases) to improve stability but normally not to add features. It certainly isn't the vendor's job to add this.