Domain: monkey.org
Stories and comments across the archive that link to monkey.org.
Comments · 315
-
dupe
Okay, let's get the "this is a dupe" comments out of the way. This book (ISBN 1931836361) was already reviewed on slashdot. It seems like it's the same editor (timothy) in both cases. Then again, the two reviews are different, so I suppose it's not an exact duplication?
Oh, and I found the previous slashdot story by searching "slashdot google hacking for penetration testers" on Google. It's the first hit. Some people may find that ironic. -
Screenshots of nude cheat
I just made some screenshots of enabling the nude cheat in Sims 2. Here, see for yourself. The only thing there is some disturbingly asexual smooth models.
-
Interested
I think this is just something Timothy is interested in: http://www.monkey.org/~timothy/dialup.html.
-
Re:highly anticipated?
OpenBSD's weakness' list (just a TINY sampling of what is/was possible to penetrate OpenBSD):
1.) OpenBSD False syslogd Source IP Reporting Weakness:
http://www.securityfocus.com/bid/6219
2.) OpenBSD's mysql security weakness:
http://www.monkey.org/openbsd/archive2/bugs/200103/msg00022.html
(Seems OpenBSD isn't as "secure out of the box" as I stated most all OS' are w/out tweaking it)
3.) PAM Authentication Execution Path Timing Information Leakage Weakness:
http://securityfocus.com/bid/7342
(Funny, I see OpenBSD on THAT list also)
4.) systrace in OpenBSD:
http://www.informit.com/articles/article.asp?p=363731&seqNum=7&rl=1
"Despite its many features, systrace has a number of limitations that bear mentioning. First, it lacks a facility to specify that you can permit once for a system call, such as binding to a socket. This can allow an attacker to recycle a system call, potentially at elevated privilege.
Second, system calls have no exclusive or. For example, an application might be permitted to open a file or a device, but not both. This weakness could ultimately be leveraged by an attacker who seeks to do more than a program was intended to do.
Lastly, the parent process has no control over spawned processes. For example, if you allow /bin/sh to be executed, you cannot control it beyond its own systrace policy. One way to get around this limitation is to specify a policy for the child process to inherit if it is to be less liberal than the normal system policy. This would be done via systrace"
5.) OpenBSD lprm(1) exploit:
Code is right there:
http://security.opennet.ru/base/bsd/1047145087_1289.txt.html
For an exploit into OpenBSD...
*****
Need I go on? I don't think so but I easily could... OpenBSD's not some "magically secure system" any more than any other is and new holes get found on them all every month.
So, DrSkwid?
Please: Don't try to tell others that your OpenBSD is 'impregnable out of the box', because like most other OS'? It isn't.
(Sure, some of that may or may not have been patched above from my lists by this point, but you try to make it seem as if OpenBSD is some 'security panacea' magical formula, & it's clearly not).
And, it most certainly isn't as flexible, ubiquitous, & powerful as Windows Server 2003 is with as any applications surrounding it in both commercial and freeware implementations as Windows has a tremendous wealth of and most certainly does not run on as many types of hardware.
6.) This is not just myself stating it, here is another one regarding that:
http://geodsoft.com/opinion/server_comp/security/linux.htm
"The default OpenBSD install is much more secure but also much less functional than a Windows NT or 2000 default install and most"
Keyword = DEFAULT! AND, less functional. BIG sticking points vs. Windows Server 2003.
Which is WHY I put up my list for Windows 2000/XP/2003 server users.
To teach them how to REALLY secure these Os' from MS, far above the DEFAULT security settings they ship with and how + why.
Give it up DrSkwid about OpenBSD being 'so great' when clearly, it's not by comparison. And, having to call me names?
Not too intelligent, nor fact based. The sign of the loser in forums online. It's right up there with spelling and grammar checking.
Above all - It's easy to secure -
Introductions
-
Lots of outdated advice from slashdotters...
I am surprised at the sheer amount of outdated advice regarding firewalling and security design. The days of static firewall rules/ACLs are long over. It used to be sufficient to block the *duh* ports: telnet, SMB/CIFS, your basic LAN traffic that no one from the Internet should ever be connecting to. This is the approach you take with a router ACL, M$ IPSec client, IPtables, PF, etc. None of these technologies help much anymore. The vast majority of attacks are not at the firewall, or looking for open ports that shouldn't be open.
The vast majority of attacks are directed at the applications behind the firewalls. To defend against these types of attacks you need something that goes deeper than layer 3 and 4 (address, port). Modern firewalls are able to look into the payload and determine what type of traffic it is passing. Remember everyone allows port 80, and 443 to be open. Guess what ports the attackers are exploiting? That's right, the port that you leave open to access your web app. That's where they fire off buffer overflows, SQL/LDAP/Command injection, cross site scripting, etc. How is a Cisco ACL, Cisco reflexive ACL, IP Chains, PF, Smoothwall (read legacy) firewall going to protect your environment? It won't. You need something with more intelligence built into it: Deep packet inspection and IPS are the technologies. OSS falls pretty short when it comes to firewalling. The days of the sub $100 firewall doing anything useful are long over. People stop kidding yourselves.
AFA zombies, those are installed (unknowingly) by the end user. How do you address these? Two approaches: the endpoint, and the perimeter. From an endpoint you need to rely on anti-virus, and a personal firewall that is capable of identifying malware on the host. The personal firewall needs to identify the malware and control the TCP/IP stack to the point that it does not allow that malware to 'phone home' with the user's account information (username/password). I am not aware of an OSS project that can do this on the endpoint.
From a perimeter standpoint, the firewall has to (again) be able to identify the traffic in the payload: the good from the bad. You may have some luck with a product like SNORT which will be able to identify some forms of malware. If you want, you could even put something like this inline as an IPS. You are relying on signatures, but it is certainly better than a legacy firewall. There are several commercial firewall products that perform this function quite well, but they are fairly expensive (or are they when you consider the cost of a work/break-in/disaster?). IPtables, PF, Smoothwall, ACLs will do nothing to stop zombie traffic. They will simply allow it out with all of the other legitimate HTTP/DNS/HTTPS traffic. Your hope is that the legacy firewall could be quickly (manually) reconfigured to block on src/dst/port. Remember though, these attacks are mostly automated now, and happen at the speed of light. You cannot react that fast.
Several people have mentioned looking at Cisco's designs. Give me a break. Cisco is a connectivity company, not a security company. Anyone in the security industry knows what a complete joke the SAFE is. It isn't a security architecture, rather it is a scam to convince people to buy 6500s and utilize VLANs as a way to 'safely' segment their network. What the networkers failed to realize was that the segmentation was virtual, and defeatable. VLAN spoofing, MAC spoofing, VLAN hopping (etc) are very real exploits http://www.monkey.org/ For guaranteed segmentation, you need physical separation: different switches for each segment. SAFE is a series of commercials and ads whereby Cisco attempts to calm your VP or CIO by claiming their products are secure simply by including 'Cisco' and 'Secure' in the same breath. Your management sees this enough and they start to believe it. Information security professionals do not use Cisco or Microsoft products: networkers and sysadmins do. Stop kidding yourself with the VLAN and ACL approa -
Re:I can't believe it!
Yes, it really does baffle me as to what the criteria is for an acceptable /. article. It seems to depend on whatever mood the moderator is in. Which leads me to believe that timothy just got laid because this is some of the worst crap I've ever seen.
Things like this get my -1 in an uproar! -
Re:"Scathing" != "Untrue"
What I heard from the developer responsible for the bug (crap, I have to start saving these links) is that it is too poorly specified, and this could lead to accidental implementation bugs. Besides that, the overcomplicated design opens avenues for errors and loopholes, including just having a weak auth system right next to your strong one that makes the latter rather useless. Since most admins won't know how to go about configuring a PAM rig, that's a Pretty Bad Thing.
OpenBSD does what Net did until 3.0: relatively monolithic password auth, with options for MD5, DES (legacy), Blowfish 2^7, etc. Although they don't bother with many of the fancy auth systems PAM has (e.g. auth with USB bar, run cryptsetup on login, etc.) the security is essentially flawless. And, since that is consistent with their primary goal, there is absolutely no reason to change at this point in time.
I wouldn't say it 'offers any alternatives', unless you were to install OpenPAM (which Free and NetBSD have now adopted) yourself and use that. The implementation is known to be secure and has been reviewed by the other projects.
Well, here's something: http://www.monkey.org/openbsd/archive/tech/0305/msg00213.html -
Re:Chris Peters wrote the original mouse driver
Don't pay attention to Russ, he supports non-free software.
-
If you think Hormel is the bad guy here, think aga
1. Hormel's policy. It's pretty clear, it's coherent,
http://spam.net/ci/ci_in.htm
We do not object to use of this slang term to describe UCE, although we do object to the use of the word "spam" as a trademark and to the use of our product image in association with that term. Also, if the term is to be used, it should be used in all lower-case letters to distinguish it from our trademark SPAM, which should be used with all uppercase letters.
Clueful folk in the industry recognize that Hormel is 'being nice'. I agree.
2. Some thoughts on SpamArrest:
http://tardigrade.net/challengeresponse.html
http://bre.klaki.net/dagbok/faerslur/1096220563.shtml
http://www.nelson.monkey.org/~nelson/weblog/tech/bad/spamarrest.html
These pretty much agree with my take on the issue.
I don't have much sympathy for SpamArrest. They are clueless as far as fighting spam properly, apparently so far as to not even be aware of Hormel's position noted above.
-
Re:*Sigh*the ability to work with others
On that subject, I always look for inspiration to my heroes in open source, like D.J. Bernstein and Theo De Raadt!
-
Re:I use OpenBSD's pf
Come to think of it, with the liberal BSD license, I'm surprised there aren't a lot of pf-based appliances out there.
Hmmm /googles
http://www.monkey.org/openbsd/archive/misc/0407/msg01116.html -
Re:Or, between different processes on the same box
Check out trickle. I've had mixed success with it, but it does sound like it is the sort of thing you're looking for.
http://monkey.org/~marius/pages/?page=trickle -
OpenBSD + pf will do the trick
Learn more about queueing at the pf FAQ.
See my previous post here for a pf.conf recipe to implement traffic shaping based on packet type. You could also prioritize via IP, require a ssh session to gain higher priorities for a specific IP (authpf), based on time of day, or any other number of factors.
THE guide to pf (packet filter) can be found here. pf will run on FreeBSD as well as, I believe, a few other open OSs. I think it's really the best. Almost any reader here could surely benefit from at least a partial working knowledge of packet filters ("firewalls") in general.
=======
EXTRA CREDIT
=======
Got a few connections you'd like to tie together into one? Read more about Address Pools and Load Balancing with pf.
Another Bandwidth management HOWTO for Linux systems (last revised in '03 - may be better for concepts than router config recipes)
bittorrent traffic shaping
A nice K5 article about packet filtering with OpenBSD firewalls
Prioritizing empty TCP ACKs with pf and ALTQ
Making the most out of a busy connection
Turn that old P5 and two network cards into an OpenBSD firewall and learn to setup your own router. You will learn a TON about TCP/IP, how to protect your internal network, and BSDs in general (they're pretty neat in the way that they don't have as much "cruft" as usually found in your typical - yeah, that works :) - Linux distro. The simplicity, if you've never experienced it before, can feel both constraining and liberating at the same time. Give it a try if you've got a spare box. It's hard to experiment without learning SOMETHING - and if you're here I'm sure you're into learning, right? So give it a whirl. If you're not sure what BSD to try, give this a read. If you just want to buy a router, learn from the recent Ask Slashdot - Home Routers w/ Decent QoS Performance?. Best of luck!
If you're going to use OpenBSD (which I'd recommend for a firewall/NAT box), be sure to support the OS which strives for portability, standardization, correctness, proactive security and integrated cryptography by ordering a CD, T-shirt, book, or hacker bunker enhancing poster. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX. Development is active and it won't let you down as a gatekeeper or internal server.
Puffy says "Stay off my computer!" and means it. I sleep well at night knowing "puffy" (the name of my box) is standing guard just behind my cable modem and in front of the 5+ computers my roommates and I are running inside. Has never let me down and doesn't get in my way. Keeps Freenet and torrents from introducing lag into my ssh sessions as well..... Good luck finding a solution to keeping your pipes clean :) -
What the..
5 minutes ago:
Slashback: Electioneering, Blimps, Shuffling
Posted by pudge on Thursday April 07, @10:20AM
from the like-a-rolling-stone dept.
Now:
Slashback: Electioneering, Blimps, Shuffling
Posted by timothy on Thursday April 07, @10:20AM
from the like-a-rolling-stone dept.
Who is this mysterious pudge? And why was he quickly and quietly removed as the author? -
Re:Easy.
does that implies to him as well?
-
Hehe
Considering this, and especially Theo's view on Free Software; i.e. that it isn't anywhere close to real freedom, a stance I agree with btw; I'm quite surprised, pleasantly surprised.
Anyway, go Theo! -
Want type ahead find on Safari?
I'd probably start using Safari if I could get away from my favorite feature, type-ahead =/
Well I've got great news for you: check here
Find While Typing works great, and there's more goodness on that little page.
-
Re:iPod Satellite Radio
-
Re:Why is it *SO* hard ...
It's this twat
Send him a message.
there is no sig..... -
MY EMAIL IS TIMOTHY@MONKEY.ORG
my email is timothy@monkey.org
-
Re:i notice...
tcpkill from dsniff: it's less "clean" (send RST to both side of the connection) but works fine in most cases. Runs on most (all ?) Unices. There is a Windows port but it looks like tcpkill is not part of it.
-
News indeed
This is EXTREMELY old news, shame on you, timothy for approving this story!
FYI, there has been so much discussion going on about this topic in all sorts of forums that what you are likely to find on Google now using such queries is discussions on this topic rather than actual credit cards numbers or other sensitive info.
-
Re:Victorian scientists... my goodness
-
They will fix the OBSD "virus", + more sec stuff
If we want to see this Operating System darting through the twenty-first century with a spring in its step, we had better hope that they continue with their emphasis on security. Accordingly, word on the street is that significant effort this hackathon will be put into fixing the first ever OpenBSD virus, before going on to harden their innovative XOR hardware systems.
Other plans include replacing BIND with djbdns, and integrating SPF+ with sendmail.
-
Re:Chance?
If you think it would make any difference, you might try emailing timothy (or daddypants@slashdot.org) and see if they'll remove the link.
Just a thought... -
About Brad Spender being an asshole
This post by Marius Amodt Eriksen is most insightful.
-
Should have noted this when I posted ;): SHADE!
I spent all of April and much of May away from my home in Seattle, and worked from my car quite a few times. (802.11 is wonderful stuff.)
A useful item, I found, and one which applies in your case, is a velcro-attached sun-shade. I've seen ones that look both more functional and more durable than the cheap-n-cheerful one I picked up from a MicroCenter in Columbus or Cleveland (it was a long trip -- this map is largely accurate, just misses a dip I ended up making to the Four Corners area), but even the one I bought -- $15 on sale -- was a big help. It may also let you get away with *less* than the maximum brightness on your screen, so if battery life is a concern it's an important addition.
Cheers,
timothy -
Re:You gave the answer in your question
But I do agree that Debian is quite political. You may want to use the *BSDs or Gentoo Linux which are much more relaxed.
I see you don't read misc@openbsd.org... -
Re:Bug in PerlMagick still not fixed
Oh well, at least someone provided information on how to fix that..
-
SUBSCRIBER RUINER
this is a manual post. the bot is still in progress (Perl blows anus cheese)
Posted by timothy in The Mysterious Future!
from the spy-v-spy dept.
RetroGeek writes "Falk eSolutions AG is claiming it can detect and defeat pop-up and pop-under ad blockers. The best quote is that when they detect an ad blocker they will 'replace a pop-up or pop-under ad with what are called "floating" ads, or ads that appear as transparent images over Web-site content.' As far as I am concerned they can place as many transparent images as they want. He probably meant translucent. It should be easy to defeat the detection, after all visit a web site, the pop-up blocker detects a Javascript command, then doesn't run it. Replace this with: the pop-up blocker detects the Javascript command, runs it, then places the result into a bit-bucket. Any Mozilla devs here?" WebGangsta adds "While this may ignite another round of online advertising purchasing, this news doesn't affect anybody who uses a customized HOSTS file to stop the majority of ads from appearing anyway." -
SUBSCRIBER RUINER
For Sale: Lycos.com
Posted by timothy in The Mysterious Future!
from the make-an-offer dept.
prostoalex writes "Terra Lycos is planning to sell Lycos.com. The price, quoted by News.com.com.com, is in the $200 mln range, while the original acquisition amounted to $12.5 bln. Lycos is currently re-inventing itself as a portal for the new generation with the link to Playboy affiliate placed right on the front page (click on "Adults 18+ only")." -
Mod me down, please!
I can't believe I fell for it. The site is such an obvious fake. These guys are laughing their collective butts off at our readiness to don the tinfoil hat and march into battle.
Mod me down... after replying to such a fake, I don't deserve Karma.
Now, what do we do about Timothy, the editor, and gbjbaanb, the submitter? -
Sorry about that
Despite the fact that I am an editor for a technology-oriented website, I do not understand the complexities of "HTML."
--
Timothy -
Re:Ethereal
Let's not forget that Ethereal does not "see" everything in a switched environment. If you really want to watch everything even in a switched environment use dsniff. Now if you have a managed switch that can direct all traffic to a monitoring port ethereal will work just fine. But, you will have more fun with dsniff.
-
dsniff
I've found that dsniff suits my needs perfectly when I'm diagnosing peoples^H^H^H^H^H^H^Hmy networks
-
my tools....
dsniff and ethereal. If you're talking windows, just install cygwin and you'll be able to build all your own tools from source. doesn't get cheaper than Free.
-
elcitrA todhsalS tuO gnillecnaC
".reteiuq senigne tej gnikam
:dnuorgkcab s'rosseforp eht nevig yllaicepse ,gnisimorp eb dluoc ti ekil skool ti tub -- hsoohw eht ton ,enihw eht sexin ylno ti -- tey detcefrep t'nsi tI .esion nwo sti tuo lecnac ot srekaeps dna senohporcim llams sesu taht naf UPC wen a detaerc sah UYB ta rosseforp a ,saw retupmoc sih ysion woh gnizilaer retfA" setirw yenekalB_ycreP .tped smrala-rac-rof-eno-deen eht morfMP33:80@
,51 hcraM yadnoM no yhtomit yb detsoP -
WTF?
Someone forgot to tell the FBI about dsniff?
-
If there isn't ...
then my advice isn't worth much
:)
However, a lot of newish micromachines still have serial ports, like the (sorry, brand forgotten) Mini-ITX shoebox style one next to me. The serial port refuses to die peacefully!
I have heard that USB Serial adapters work well for other people in connecting to various devices, dunno about modems specifically though, having never done this.
With no serial port, there's at least one other situation where an external serial modem might still be a good idea -- if you hook a cheap wireless base-station up to the modem and connect to it wirelessly via a (PCI, USB, PCMCIA, USDA, LSD) 802.11 card. (Though the prices and model names may be way out-dated, I described my reasoning in doing this on a low-frills webpage of mine.)
Too bad my prediction of cheap combo boxes from Linksys and similar companies was totally wrong ...
Wallwarts are annoying, it's true, but there are worse things (like having no modem connectivity when you want some ...). And the annoyance comes in three parts: 1) an extra cord. No way around that. 2) using an outlet at all and 3) using an outlet in an annoying fashion, blocking spaces in a powerstrip, or refusing to stay in a wall outlet. I recently bought from the Seattle Fry's a couple of tiny (12") extension cords similar to this (can't find the exact item on Fry's website), and they also had a version for a dollar or so more that had a passthrough power outlet. So, it's possible for a couple of bucks to a) not lose a power outlet spot and b) turn the wallwart power supply into the much-better cordlump power supply.
timothy -
Re:Interesting article...
It cites GCC as an example of how destructive OS can be in that it removed the market for any other type of compiler
What a crock of an "article" that is. It's a group of posts on an OpenBSD mailing list. There is no response to the particular posting made (which, btw, is here, two levels down from what the poster linked to) because the mailing list maintainers shut down the thread as off-topic (appropriately). There are some funny, and valid, points raised by the article you linked to, but "GCC is destructive" isn't one of them.
There are still numerous other C/C++ compilers available. Yes, gcc comes with most distros. So? You can install a different one easily enough. And there are several available -- Intel, Watcom, Borland, etc. Some are free, some are not. Most outperform gcc in various areas, sometimes in all areas. And, contrary to the post, there is still choice of compilers on Unix -- generally you can choose either the vendor's own compiler or gcc. Which is a vast improvement over the old situation -- you got to use the vendor's compiler. Which usually sucked (they've improved greatly, but we use g++ here because xlC v5 does an amazingly bad job at handling templates).
Yes, some embedded platforms only have gcc available now. Why? Because it's cheaper than rolling your own... it used to be that you had to purchase a compiler for an embedded platform. While this was an additional revenue stream for the company, the cost of building your own compiler, keeping it bug free, updating it to match emerging standards, and providing support vastly outweighed the revenue coming in. Sure, you still have to submit the platform specific code to the gcc-devel group, but it's a lot less work than writing your own. And, of course, gcc provides far better code (stability, speed, and size) than most of the custom compilers.
Can it be said that Mozilla has in effect done an "Internet explorer" with the open source world?
No. There's still Konqueror and Safari (same codebase), there's Opera (commercial and closed), and several others. Don't like Mozilla? Pick another one.
The reality is, open source only destroys the market for other tools when the other tools are inferior. It may be that, eventually, the open source software is superior in every meaningful way and the other tools slide off into obsolescence. At that point you've reached the commoditization point for that group of software... it's unsurprising that the cheapest solution wins. It happens in every other market after all. -
Interesting article...
..open source has always been a controversial issue.. here is an interesting article on the debate "GPL Good, Commercial Bad..." It cites GCC as an example of how destructive OS can be in that it removed the market for any other type of compiler. Can it be said that Mozilla has in effect done an "Internet explorer" with the open source world? It is now almost an integral part of any distrib.
Thoughts?
Tim -
Re:Invulnerable to MyDoom type virii?
Non-root users cannot open raw sockets to craft packets (hence nmap -sS must run as root). Non-root users cannot run the ethernet device in a promiscuous mode, allowing sniffing of packets on the wire. Before you say anything about switches preventing you from getting anything interesting by sniffing, I suggest that you take a look at dsniff before showing your ignorance. A non-root user can't open a port below 1024 (Un*x), or add services (Windows), or install a r00tkit on any system, or many other things.
Basically, even on Windows, while a system can be compromised in many ways as a non-root user, it's quite a bit more difficult to hide and there are still some limitations -- the most important (IMNSHO) involving raw sockets.
</rant>
-
Re:Promiscuous mode
-
Re:If my job is going away soon...
No, it has been outsourced. Fight with Timothy if you want to get it back.
-
Re:How good is digital camera support?
My camera, a Kodak DX-3500, works fine with gphoto and FreeBSD. I did have to update libusb because of this bug which may affect other USB cameras.
-
Re:OpenBSD and Laptops
check out openbsd-mobile@monkey.org
i highly recommend IBM Thinkpads, in particular the X series (very portable). OpenBSD runs like a charm on most thinkpads -- many OpenBSD developers use thinkpads, so you know that the video card, etc will work
;) -
modem+firewall ...
I wrote a little thing about putting together a WiFi+modem setup nearly two years ago -- the prices have dropped since then; if you follow a site like techbargains.com, you can probably find a suitable WiFi/DHCP server/3- or 4-port router for something between free and $50 (after rebate), and a 56K hardware modem that would work fine for about $30 -- so I think you can say it's no more expensive than a linksys home router's regular price, anyhow. Hard to believe how much I paid for the same stuff a few years ago, but it's all H2O under the bridge now.
I'm surprised there aren't yet integrated modem+switch+WiFi boxes as I predict in that writeup that by now there would be.
timothy -
NewsFlash
".NET remoting is often a more appropriate solution than Web Services, and it certainly performs better and scales better when used properly."
This just in: software works better when used correctly. In related news, analysts say it is appropriate to use the tool known as .NET remoting in those situations for which it was designed. Back to you, Timothy.
-theGreater CheekTonguer. -
What is the most popular post on Slashdot?
Timothy writes "If your answer is Unique Stories, you're plain wrong. It's DUPES, a Canadian method of post generation that can be customized for any large-scale media systems. According to a popular geek news site, it is used by more than 300 story submissions each year. The article looks at the competition in this market, notably Michael, known for not even reading submissions before posting to the homepage. This last effort could lead to the eDUPE method, an encryption method that offers secure post submission across wireless networks and the Internet. One thing is sure for this market: the future is definitively open-source. This overview contains more details and external references.