Domain: openssh.org
Stories and comments across the archive that link to openssh.org.
Comments · 137
-
Re:So what open source app should I get while I ca
-
Re:stegdetect already does this
But it is especially silly since he does such a bangup job of putting his technical work on-line:
say, which one of those papers listed on the page you mention talks about Farid's steganographic detection work?
The best part about Niels Provos' work is that he goes both ways, working on both OutGuess and stegdetect.
While i'm singing the praises of Niels Provos, thanks for your work on OpenSSH and pf, as well as the rest of the OpenBSD work you've contributed.
-
Re:There's another good article...
How about a little wrap up:
Part I - Using ssh
Part II - ssh suite: Sftp, scp and ssh-agent
Part III - Using ssh-agent for SSH1 and OpenSSH
Abbreviated Version
The authoritative source
Mmmnnkay? Mnnnkay.
-
Re:lucky for you foreigners ...
Actually OpenSSH wasn't developed in the U.S. As part of the OpenBSD project, it was developed internationally (much of it here in Canada) *because* of American restrictions on encryption exports. Take a look at openssh.org for some more info, specifically their history page.
"Intelligence is the ability to avoid doing work, yet getting the work done". -
How to make MS like software secure!
Yes, it's true you can have secure DOS. First, start with freedos. You will have to patch it for protected mode operation and multiple users. Then you can port OpenSSH. This has been done for Windows by , and their code might be helpful. Now all you need to do is port Sendmail and Apache and you are set! Go get it!
Why oh why do people use MS BS? No insult to the fine folks above, especially freedos, but the alternatives are better used together rather than piecewise. Openssh on a PC with IE and Outlook is not secure in any way. Don't throw your computer out the window, throw windows out of your computer!
-
Re:Small Business Suite for Linux vs. Windows
"he'll telnet in"
I sure hope that he knows a bit more what he's doing and uses SSH instead of telnet...
-
Sniffing Passwords??
Bah humbug!!
When are people going to learn to use SSH???
I use it on my own local network at home, even behind my "invincible" linux masq gate. -
Re:Not again
Well, if you go to OpenSSH.Org there is a link right there you can read.
Don't confuse this with the SSLeay.Org situation, where the old links to the encryption info on the original SSLeay site became invalid when someone else registered the site.
-
Re:What *is* SSH?
ssh is kinda an encrypted telnet, with extra features see http://www.ssh.org and http://www.openssh.org
-
Whatever happened to the openssh org vs com debate
A while ago Slashdot had an article on the OpenSSH dot org controversy. Emmet would write a follow up to it. But it never came. I would very much like to know how it ended and if the openbsd com site now finally supports other platforms (like GNU/Linux) or links to other free implementations.
-
More of Less!
Why We're Doomed to Failure, linked to from # (mandatory for roots?) discusses this as well.
This is what I have been saying for a while now.
There is a strong, growing need of
- Moving all networked computers off Windows (will viruses eventually do this job?)
- Securing all (restricted) networks with Open SSH
- Developing/studying systems that can be proved secure (buffer overflow wrapper where?)
- Packaging all software in a safe default installation.
Luser unsecurity hype is mostly unnecessary; software developers need to be more conscious.
@input = map { /^(\w+)$/ and $key=$1 and
$cgi->param($key) =~ /^([\w\xA1-\xFF]*)$/ and
( $key, $1 );
} $cgi->param(),
-
Re:Bah
OpenBSD is nice OS, I even use it now. I even can be found on the OpenBSD donations page. (I wonder how long that will be up)
The whole OpenSSH saga is sad. Unfortunately the only response I got from the OpenSSH/OpenBSD crew on my rebuttal/offer at org-vs-com was a changed index page at openssh.com.
But you need two to Tango as the saying goes.. -
Re:X
X can tunnel over ssh (in fact, ssh usually sets this up automatically for you), providing compression, encryption and authentication. Session management is normally handled by xsm, which has been around for years.
-
Re:A Proper Analysis of OpenSSH's proposed boycott
Good show. You got to most of the dreadfully incisive commentary I was going to make first. This does seem more like an attempt to use /.'s well-known proclivities to evoke pressure against Mr. de Joode.
I want to add my own voice to the din, though, and say quite strongly that I find Mr. Bertrand's position in this matter untenable at best, quite despicable at worst. And to add to Mr. de Joode has published his own stance on the subject.
Domains are a first-come/first-served biz. Even if Mr. Bertrand's claim that Mr. de Joode grabbed the .org domain before they registered the .com (which seems flaky in light of the information returned by whois) is factual, he loses out. He does not have some sort of Goddess-granted right to the domain. Next case. -
Re:Just a sense of things
Just by grepping what was already said here is what I think of this situation... How about reading what the legal owner of openssh.org has to say about the whole deal? We have no idea what the .org guy plans to do. The OpenSSH people planned to use the .org domain.. after all it's an open source project so it belongs on .org. However like anyone prepared to deal with net squatters they grab .com,.net and .org.. Here comes the nasty part... Yes we do, if we in fact read his text. Someone else notices the .com domain go up and for reasons yet unknown (Let me hazard a guess.. he thinks he is seeing a domain squatter in progress) he grabs the .org... It is not clear how or why the .org guy got his domain BEFORE OpenSSH got it.. No, wrong. Even the whois records show that the .org was registered TEN DAYS before the .com. The .org guy was working on something like OpenSSH, and registered the .org, before he knew that the OpenBSD folks were working on something similar. It seems to me that the person to blame here is Theo De Raadt, acting VERY bluntly and childishly towards Alex De Joode, after being contacted by him, and being offered various solutions to the problem. Now the OpenSSH people make contact with the .org guy... He doesn't respond. Why? There are a number of possible reasons. Wrong, he got in contact with them first, receiving a whole lot of bs. Fair? -
Did you read everything?
Has anyone bothered to read all the info available? try reading Alex de Joode's version of what is going on. this is not a case of simple squatting. according to him, he was trying to help the community by providing a site where various versions of the software could be obtained. this was not someone setting out to "cause trouble".
you also notice that he tried to arrange a settlement with OpenSSH, which they rejected.
i personally find the letter to slashdot to be in poor taste. this was an affair that was between two groups, and now OpenSSH has tried to bring a bunch of people against Alex de Joode by using slashdot as a forum.
this is not a site to fight your personal wars. this should have remained between mr. de Joode and the OpenSSH group.
and a note to people posting here, try to read all the info at the sites before unleashing your flames on someone. you might miss something important.
----------------
"All the things I really like to do are either immoral, illegal, or fattening." -
Here's his side of the story *READ*
On the openssh.org site, I found a link at the bottom to Mr. Joode's side of the story. I think everyone should read it, it clears up some things. He seems like a pretty reasonable guy.. I think I'm going to have to side against the majority here and I don't think Mr. Joode has done anything wrong, if anything, Mr. Raadt is trying to stir up trouble with this malicious advisory, and is clearly in the wrong. Mr Joode's side of the story.
-
Mr. de Joode's side
The other side of this is also available.
Honestly, as soon as Theo "the Fork" is mentioned the likelihood of this being more about personalities than anything else goes way up. -
Read before you leap...
It's worth reading what the guy has to say on his web page about this mess. Sounds like he's been pretty nice about the whole thing and that he has offered a pile of options to the OpenSSH team.
You can read the page here -
Louis Bertrand!
Here is his (owner of openssh.org) response.
It is on his site, so if you worry about what was said: "This is more than just a request to boycott: there could be privacy issues, possibly data mining or building a mailing list of security conscious users. We simply don't know Mr. de Joode's motives, and we recommend caution."
Personally I find the letter from Louis Bertrand a bit reckless, and the use of Slashdot as a tool to apply political pressure in bad taste.
It is similar to how etoy manipulated public opinion to influence the courts to get one over on etoys. There is no representation from the other side, and the wording in Louis Bertrand's letter is inflammatory, and unduly fear causing. (at least on the surface)
This thing is being handled very poorly by slashdot. They should have written up something with links to both sides of the story (i'm guessing personal politics got in the way).
This is not news for nerds, it is an electronic soapbox for friends and family of slashdot.
(Just because the message comes from a developer of a respectable project, does not mean the developer is respectable himself.)
Just a warning...
-
Squatter?
If I were Mr. de Joode, I'd be offended -- he simply doesn't appear to be squatting.
Take a look at http://www.openssh.org/org-vs-com/. This seems to outline his position very well, without resorting to name-calling.
meisenst -
Alex de Joode's reply
Alex de Joode has posted a well reasoned reply.
It's a good read. -
Agreed!
Hell, this guy is even providing a clear link to openssh.com, just in case folks come to his site looking for them. He's clearly not trying to cash in on confusion-- he isn't even running ads on the openssh.org page. I think that it's pretty clear that some of the implications in the letter (such as indicating that this guy is setting people up to confuse him for them and thus gather data on security-minded individuals) are unfounded and alarmist. Nothing at openssh.org seems in any way intended to make anyone believe that it is the official website of OpenSSH devel.
And, isn't an unconditional boycott a pretty good way to prevent people from actually looking at the site and deciding for themselves if it was set-up with bad intention?
-
He did the right thing(tm)!
"when news of the openssh-project was first leaked" -- in other words: Nobody was expected to know there WAS an openssh-project, the guy wanted to provide information about free ssh-implementations -FOR NON-PROFIT- and registers openssh.org. He did the RIGHT THING (tm)
Big deal. Now he links to plenty of (more or less) open ssh implementations, and anyone that visits www.openssh.org can easily find a link to www.openssh.com. Who says they are more official open than him?
Come on, why don't we get an interview with the ".org" man and the ".com" guys here on /. (or geeks in space ?) - Let them discuss it ?
On a side note, maybe the free-software community should offer to buy www.open.org and use it as a central link point to every major open/gnu/free/bsd project?
-
Come on, this is Alex de Joode!
Unless something extremely world-shattering has happened and Alex de Joode is now a radically different person from who I remember from years ago during my involvement with the Cypherpunks, I find it extremely difficult to imagine that he would set up a web site to do any of what the OpenSSH developers claim he is doing. De Joode would not collect viewer data. De Joode would not collect addresses for spamming. That's just not what the guy is all about.
The OpenSSH advisory says that they don't know his motives. They're absolutely correct; they don't know his motives at all. They correctly identify de Joode as the one who started xs4all.nl, and they correctly identify him as someone who advocates widespread use of cryptography, but they fail to mention that he is a privacy advocate. They also fail to give any rationale for their accusations other than that de Joode refused to sell them his property, which is meaningless.
Visit http://www.openssh.org/ and judge his motives for yourself. Other posters have already discussed the ludicrousness of boycotting the web site so I won't repeat all of it here, but have a little think: Why would the OpenSSH group want you to think that openssh.org, who points to openssh.com and to one other site, is evil? -
A Proper Analysis of OpenSSH's proposed boycott
Well, this is a refreshing way to look at the Free Software community. Get that knee-jerk reaction we are so known for, and put it to your use. Now, I'd like to look at Mr. Bertrand's letter.
The name was taken by a someone not affiliated with the OpenSSH development team when news of OpenSSH was first leaked to the community.
Hmm, "when news of OpenSSH was first leaked." Let's look at those seven words, shall we? When was this news leaked?
Performing a search on this here web site (Slashdot for those not in the know) for "openssh" yields two results. This very article, and one from November 18, 1999, entitled, "OpenSSH Project Now at openssh.com."
Next I moved to LinuxToday.com. They have articles for everything under the sun. Their first article mentioning OpenSSH is one at Security Portal dated October 27, 1999.
I search Google (both plain Google and the Linux subsearch), and they have never heard of openssh.
Finally, I visited the very site for this project, openssh.com. Looking for an "about this project" sort of link, I clicked on the Project Goals link right up at the top of the left column of links. What's that it says at the very bottom? "OpenBSD: goals.html,v 1.4 1999/11/17 14:14:15 provos Exp $" That looks much like a cvs (or related) entry. That date is November 11, 1999. I also visited the link to the devel mail list archives, and the earliest date there is November 16, 1999.
Looking at all these, I'd guess their formal announcement was around November 17. But the "leak" award goes to Security Portal on October 27, 1999. I'm sure they got their information from somewhere else, but I'm tired of searching. :) Back on track, when did openssh.org register its domain? Whois gives me the date of November 4, 1999. I count eight days from that "leak." That's not an extremely brief time, but it is before their formal announcement.
Back to the letter, Mr. Bertrand says, "The OpenSSH developers wanted to register under the .ORG top level domain,[...] but the name had already been taken. They settled for the .COM in the interim."
Ok. Well that sure sounds unfortunate. Let's take a look at when they registered openssh.com, shall we? Returning to my favorite domain searching services, whois, it yields October 25, 1999, as the date the record was created. What's this, I see? That looks a lot like a date before the openssh.org was registered. It's even two days before the slight mention by Security Portal. So, they "settled" on the COM top level domain ten days before the ORG one was "taken by a someone not affiliated with the OpenSSH development team." Uh huh, sure thing buddy.
Next Mr. Bertrand discusses the owner of openssh.org, "Mr. de Joode has repeatedly refused requests to sell or turn the .ORG name over to the OpenSSH developers."
Since when must anyone turn over a domain to anyone who asks for it? In my book, domain names are a first-come, first-served service. The OpenSSH group had plenty of time to register any domains they wanted. What if the real SSH group wants the openssh.com domain? Would you, Mr. Bertrand, be so giving and just surrender it?
Now comes the discussion of openssh.org's web site, "The OpenSSH.ORG web site currently is a blank page with a link to the official site."
Ok, this is somewhat true. Going to openssh.org, you are presented with a link to www.openssh.org. But Mr. Bertrand, did you really stop reading there and not see a few blank lines below (9 lines if you telnetted to port 80)? From openssh.org's page I quote, "For information about OpenBSD' OpenSSH implementation please goto..." and they link to the OpenSSH group's web site, openssh.com. This omission is purely ridiculous, Mr. Bertrand.
Finally, Mr. Bertrand pushes one of the hottest buttons in the community, privacy. "This is more than just a request to boycott: there could be privacy issues, possibly data mining or building a mailing list of security conscious users. We simply don't know Mr. de Joode's motives, and we recommend caution." Hmm, a very strong accusation. None of us like being spammed, tracked where we go, etc. So, I asked myself, "What data mining is openssh.org doing?"
Let's take a gander at the HTML source code. This site is after all a mere two pages. There could be some JavaScript performing some hidden actions users won't see when just using Netscape (or other JavaScript enabled browsers). And there it is, plain HTML. What?! No fancy, shmancy Netscape Composer, FrontPage or other editor META tags? No META tags at all to con search engines to pointing to them instead of openssh.com. I find it refreshing that someone else codes HTML in plain, simple HTML. But I see nothing hidden here.
Ok, but I have my Netscape set to just accept all cookies. I could have been slipped one of those and now they have access to my whole hard drive, right (I'm kidding, of course)? Let's give the Netscape cookies file a good grepping, shall we?
316-1 Mon/11:55pm ~> grep -i ssh .netscape/cookies
317-1 Mon/11:56pm ~>
Hmm, exactly zero references to anything SSH related. I still haven't found any maliciousness. What about the "building a mailing list" bit? I've seen many sites with "Click here to receive our free newsletter" sort of links. No doubt many of them then give out your email address to every spammer in the universe. Is there any similar line in these web pages? Not that I can see, the bottom of the second page does contain a simple "For more information about freessh.org, please contact:" mailto link. I haven't sent an email to that address yet, so I can't say if it's a secret email net. But since I'm sending this analysis to Mr. Bertrand, I'll send one to that address as well with a brand new email address. If I get spammed there, I'll know who's to blame. If openssh.org really is using this link to catch people for a spam list, I must say he's doing a poor job of it. At least claim you can get free porn if you send an email. ;)
In closing, as Mr. Bertrand says "Any help or suggestions in breaking the deadlock are appreciated.", so I say, Mr. Bertrand, I sincerely hope you reconsider your position, because well, it has no leg to stand on. A) You registered the .COM ten days prior to Mr. de Joode registering the .ORG one. That is a right-out lie, never a good thing to have right out the starting gate. I will ask, how do you base your allegation of data mining and mail list gathering? If it is also a lie, that's doubly bad. B) Openssh.org is not using the domain for squatting (there isn't a "Pay $10,000US if you want this domain" message like we've all seen so many times). It is about free SSH programs, perfectly reasonable and on target. C) Mr. de Joode provides links on both of its web pages to openssh.com. Any users looking for it will easily see that and go to the appropriate web site.
If a reasonable agreement between these two parties is made, that's great, but to seek out the outrage of the free software communities by deceiving them like this is not the way to go about it. I sincerely hope you reconsider your position Mr. Bertrand.
Thank you.
John Corey
Copies sent to both Mr. Bertrand and Mr. de Joode. -
no link!
NO! Don't provide free links to the site in question because he's probably using Open Source software and the Slashdot effect won't work!!!
;)
Pope -
Looks like de Joode's trying to make a point.
Check out the site. Looks like Mr. de Joode just wants to make sure that freessh.org and other free (beer) ssh projects are easy to find as well. Maybe a bit unfair to be claim jumping the domain, but it's hardly evil. Odd how the warning never mentioned that he was advertising competing projects. I guess the openssh guys wanted to hide that fact. (Which is probably why they say "Don't visit, he's tracking you!")
--Shoeboy -
What? No link?
If there's one thing to be learned, providing an actual link to http://www.openssh.org will allow us to, as a community, Slashdot them (it brings in the people too lazy to type in the address)! But on a more serious note, he does provide a link to openssh.com. He doesn't try to deceive anyone.
-
Use OpenSSH
Why use SSH when OpenSSH is better, faster (at least at SSH 1.x stuff, which is what it does), open source, and free?
I wouldn't trust an SSH binary I didn't compile myself, particularly from an american company the NSA allows to exist. -
SSH has been banged on for years
As the subject says ssh has been banged on for years there is now even an OpenSSH project. This is time tested.
This counts a lot in my book, even if SRP is better in some areas, how well is it going to stand up when it starts getting banged around.
Noel
-
OpenBSD
OpenBSD is the most secure OS around today. You can make an excellent firewall with it. If you don't know much about your network security, you need to get working on it. DL the install disk, do an FTP install on an old machine, and get learning how to set it up.
I've been using it for five months and it is awesome. Easy to install (newbies: be sure to read the directions), everything works without a lot of messing around (something I can't say about the other freenixes I've tried), and version 2.6 now has OpenSSH to allow you to securely administer your machine (not like it needs much once you have it up and running). Just check out ipnat (network address translation) and ipf (packet filtering) on the OpenBSD website (the man pages are the place to look) for more information
It is definitely better to run a basic OpenBSD firewall than to have Linux, Windoze, Solaris, or whatever else hooked up directly to the pipe. Run it on as little as a 486 with 8MBs RAM and a 200MB HD (you could probably run it on less, but I have only used it with the above minimum hardware). And if you really wanna get funky, run it as your workstation. Lotsa of programs have been ported to it, and the rest you can run using Linux emulation.
Check it out: http://www.openbsd.org/
Also, for those of you interested in OpenSSH outside of OpenBSD use: http://www.openssh.org/
For those of you with lingering doubts about ease of installation: five months ago when I first put it up, I was virtually clueless about Unix. I had muddled around with several Linux distros (Red Hat, Mandrake, Slackware, Turbo, Suse, Caldera, and Corel to be precise) but none of them worked as flawlessly as many Linux proponents say (two of them crashed on me (Mandrake and Corel), and many times library inconsistencies made my life a living hell when installing software from the Internet). It took me two weeks of spare time to figure out enough about OpenBSD to go ahead and install it with ipnat and ipf enabled. Since then I have learnt more about packet filtering in my spare time and tightened things up further. The machine has been going for 5 months strong and only came down once because I wanted to upgrade it to OpenBSD 2.6. In short, if I could get it running in two weeks, any regular moron should be able to do it in one, and any Unix knowledgeable person should be able to get it going in a couple of hours. -
ssh1 vs. ssh2 vs. openssh vs. telnet over ssl
i'm not a security expert, but i have had ample opportunity to ponder this and related questions. my (admittedly basic) research has led me to these conclusions.
- ssh 1.x - this is the most common ssh implementation, and when people say "ssh" this is most often what they mean. ssh 1.x clients are common, exist for most major platforms, many are very good, and some are even free.
- ssh 2.x - fixes a lot of the bugs in ssh 1.x, adds some nifty new features (like a secure ftp daemon), but i have never seen a functional ssh2 implementation. i believe it is because of both the more stringent licensing than ssh 1.x and the fact that ssh 1.x is firmly entrenched.
- openssh uses the ssh 1.x protocols, and is completely compatible with ssh 1.x. you should not notice the difference between the two in regular usage.
- telnet over ssl - the actual telnet connection is still sending passwords in plaintext, and the ssl connection has to be made in a separate step.
some random notes:
- ssh (1.x and 2.x) allow for RSA authentication, where a public/private keypair are used for authentication rather than passwords. clients can be set up to do authentication automatically using this method from specific hosts, based on signatures. this makes ssh a more attractive option for automated, secure transactions such as regular (up|down)ploads and updates. another useful feature of this type of authentication (as opposed to password authentication) is that other users can be given access to the ssh-protected machine, without having to distribute passwords and accounts, from certain controlled environments.
- ssh 1.x and ssh 2.x are incompatible. if you have ssh1 installed when you install ssh2, the ssh2 client will give you the option to fall back to ssh1 if the server you are connecting to is ssh1. without ssh1, however, ssh2 will complain and die. so, it seems that ssh2 only is not the way to go.
- i haven't used openssh, but it seems like a wonderful alternative to ssh. ssh has licensing issues which make it less attractive if you are a commercial entity, but free for non-commercial and educational use (use for a church's web server would probably qualify as non-commercial).
-
Security..
First off.. Do not just "Scrub" the system. Wipe the HD, LLFing if possible. Backup data files first, via the network to a known good server first (via anon FTP so any remaining sniffers, etc, will not read any important password).
Then go and reinstall a recent Linux distro. I recommend Slackware. It may not have the bells & whistles of Red Hat, but its BSD-style init scripts are easy (easy as config.sys and autoexec.bat) to learn, and tends to ship with reasonably secure daemons. Of course, OpenBSD is another possible solution :-)
Now, if you want to just give them FTP access (and nothing else), ProFTPD provides a nice solution. Granted, earlier versions had some interesting security holes (poke), recent versions have been a lot better security wise. Set it up with mod_linuxprivs (which uses the POSIX.1e interface of 2.2.x and later kernels to drop all root privs except for the ability to bind to ports less than 1024). (For the configure impaired, try "./configure --prefix=/usr --with-modules=mod_linuxprivs").. This lets them have ftp access (I'd also recommend you setup ProFTPD to chroot the various users to their homedirs). Disable telnet. Install SSH or OpenSSH and only allow your own login to use it (login.access allows this). Only allow your user to execpt su (perhaps as part of the wheel group), and have your root password as something other than your normal account password. At this point, you will have a secure system, FTP access for normal users, and secure remote access for your own administration. Of course, this doesn't get you out of your duties to monitor Bugtraq for possible advisories. I also recommend (very much so) that you read LASG -- the Linux Administrator's Security Guide. It's very good :-)
--- -
Open Source or Commercial Add-On ?
From the article, it sounds like NSA is "simply" contracting to have a commercial product using already patented technology ported to Linux, rather than contributing Open Source security tools. Even if that's the case, improved non-open-source tools may stimulate the development of open-source equivalents, as illustrated by the excellent OpenSSH project.