Slashdot Mirror


Slashback: Highness, Hominess, Hole-ines

Slashback tonight with updates on SSH vulnerabilities, the Queen's web server, the European answer to GPS (in danger, it seems) and your ever-thinner rights to use software for anything you don't have specific permission for.

Sometimes being British means self-flagellation. Ferox writes: "The November Web Site Survey from Netcraft reveals something interesting: 'Two years ago the Queen of England became an unlikely icon for the Linux revolution when her webmaster replaced Solaris as the platform for the Royal Family's site, citing the better price/performance of the Dell/Linux platform over the previous incumbent, Sun/Solaris. The open source community celebrated and speculated on when the Apache web server might receive the "By Royal Appointment" moniker. This week the site has changed platforms again, this time to Microsoft-IIS.'"

Keep your hands and passwords inside the car at all times. Niels Provos passed along word of his ongoing research into network security, with some slightly depressing news about the state of Internet security.

Even though the CRC32 bug was found over a year ago, over 30% of all servers are still vulnerable today. Graph at http://www.citi.umich.edu/u/provos/ssh/crc32.png.

In February 2001, Razor Bindview released their "Remote vulnerability in SSH daemon crc32 compensation attack detector" advisory, which outlined a gaping hole in deployed SSH servers that can lead to a remote attacker gaining privileged access.

In November 2001, Dave Dittrich published a detailed analysis of the "CRC32 compensation attack detector exploit." This exploit is currently widely in use. CERT released Incident Note IN-2001-12.

At the Center for Information Technology Integration, Niels Provos and Peter Honeyman have been scanning the University of Michigan for vulnerable SSH server software to identify and update vulnerable SSH servers. However, scans of the Internet show that system and security administrators must react and update their SSH servers. At this writing, over 30% of all SSH servers appear to have the CRC32 bug.

A simple solution is to remove support for Version One of the SSH protocol. The majority of servers on the Internet support the SSH v2 protocol. To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool.

References: "ScanSSH - Scanning the Internet for SSH Servers", Niels Provos and Peter Honeyman, 16th USENIX Systems Administration Conference (LISA). San Diego, CA, December 2001. This information is also available at http://www.citi.umich.edu/u/provos/ssh/

Don't play with your food, or your games. janolder writes "In the matter of the Civilization III translation project (articles on slashdot, apolyton and heise), the fans have gotten the short end of the stick. The project web site (translation.civ3.de) has been down for a while. Earlier this week, both the web site operator and Kai Fiebach, the project leader, signed Infogrames' cease and desists out of fear of further legal action. The legal position (not to mention the moral position) of the fans did not appear to be too weak - EULAs are not binding in Germany and supplying patches to a program is certainly not the same as translating a book and distributing the translated manuscript.

Infogrames Germany has issued another press release (translation and my comments) justifying their legal action and position. It makes for an interesting peek into the mindset of a game publisher.

The good news is that Infogrames is considering a more timely release of Civilization III in Germany.

The bad news is that the cease and desists apparently forbid any modification of Civ3 in any way, shape or form. So no more custom maps for your friends, custom rules or any such copyright infringing activity, please! Is it just me, or has the world suddenly become a less interesting place?"

Not as if Americans always know where we are, either. ByTor-2112 writes "Hate to be the bearer of bad news so soon after a story is posted, but as I commented on the previous story, it appears that Galileo has some funding issues. Honestly, did anyone really expect the EU to go through with it? It took them long enough to agree on a common currency!"

14 of 285 comments

  1. Securing OpenSSH by krogoth · Score: 5, Informative

    Keeping up to date with the latest OpenSSH releases always helps, but if you want to put an end to those SSH1 attacks (which can affect OpenSSH 2 and above in some cases, and may do so again in the future), add this line to your sshd_config (in /etc or /usr/local/etc):

    Protocol 2

    This will deny all SSH1 connections and force everyone to use SSH2 to connect.

    --

    They that quote Benjamin Franklin on liberty and safety deserve neither.
    1. Re:Securing OpenSSH by gorgon · Score: 4, Informative
      "Unfortunately, it also blocks all Debian users. At least it looks like somebody *finally* packaged ssh2 for woody"
      Uhm, you're kind of confused. The main ssh packages in Debian are:
      • ssh - OpenSSH port of BSD's version of ssh that branched off the last free version of ssh put out by ssh's original developers. It has supported ssh protocol version 2 since roughly August of 2000, and versions supporting ssh2 made it into Debian soon thereafter. Currently version 3.01p is in Debian, and I think it's pretty much equivalent to the non-free ssh3.
      • ssh-nonfree - non-free version of ssh from its original developers. It only supports ssh protocol version 1.
      • ssh2 - Version of ssh supporting ssh protocol 2 from the makers of ssh-nonfree. License is more restrictive than ssh-nonfree's license.
      • ssh3 - As far as I can tell it's not packaged yet. Is the license more restrictive than ssh3? Regardless, there is no ssh protocol version 3.
      Anyway, Debian has had ssh protocol version 2 support for a long time.
      --

      And I'd be a Libertarian, if they weren't all a bunch of tax-dodging professional whiners.
      Berke Breathed
    2. Re:Securing OpenSSH by Craig Davison · Score: 3, Informative

      SSHWinClient at ftp://ftp.ssh.com/pub/ssh is free as in $0 for non-commercial use. It includes a good SSH terminal and the best SFTP/SCP client out there.

      There's also OpenSSH for cygwin and a crappy piece of software called telneat which I used before I installed cygwin. Apparently new versions of telneat are commercial now anyway.

      See http://ssh.gatordog.com/ for a bazillion others.

    3. Re:Securing OpenSSH by drsoran · Score: 2, Informative

      Or you can just use PuTTY which is distributed under the MIT license and includes the complete source code. $0 for non-commercial use and $0 for commercial use. $0 for a site license, and $0 for a developer license to integrate it into your product.

  2. quick way to check your openssh by mwillis · Score: 5, Informative

    If you are worried about your machine being out of date, just do this:

    % telnet 127.0.0.1 22
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    SSH-1.99-OpenSSH_2.9p2

    if you see OpenSSH before version 2.3, you may be vulnerable (iff you have fallback to ssh1)
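
The telnet test above, like the ScanSSH scan the story recommends, comes down to reading the server's identification string, "SSH-<protocol>-<software>", and deciding from it. The C program below is an added example, not code from this page, from ScanSSH or from OpenSSH. It classifies banners with the version ranges from the Razor advisory: a server that only announces protocol 2.0 never runs the crc32 compensation detector, a 1.5 or 1.99 banner means protocol 1 is reachable, and within that OpenSSH before 2.3.0, ssh.com 1.2.24 through 1.2.31 and OSSH are treated as affected. The sample banners are constructed, not captured from real hosts. One limit of any banner check is assumed in the code and worth stating: a distribution that backports the fix keeps the old version string, so "likely vulnerable" is a prompt to look at the installed package, not proof that the daemon is exploitable.

```c
#include <stdio.h>
#include <string.h>

/* Verdict for one SSH identification string, using only the banner. */
enum verdict { NOT_SSH, NOT_VULNERABLE, LIKELY_VULNERABLE, UNKNOWN };

/* Split "SSH-<protoversion>-<softwareversion>[ comments]" into its two fields.
   Returns 0 on success, -1 if the line is not an SSH banner. */
static int parse_banner(const char *line, char *proto, size_t plen,
                        char *software, size_t slen)
{
    const char *p, *dash;
    size_t n;

    if (strncmp(line, "SSH-", 4) != 0)
        return -1;
    p = line + 4;
    dash = strchr(p, '-');
    if (dash == NULL)
        return -1;
    n = (size_t)(dash - p);
    if (n == 0 || n >= plen)
        return -1;
    memcpy(proto, p, n);
    proto[n] = '\0';

    p = dash + 1;                      /* software version runs to space or CR/LF */
    n = strcspn(p, " \r\n");
    if (n == 0 || n >= slen)
        return -1;
    memcpy(software, p, n);
    software[n] = '\0';
    return 0;
}

/* Compare x.y.z against a.b.c: negative when x.y.z is the older release. */
static int vercmp(int x, int y, int z, int a, int b, int c)
{
    if (x != a) return x - a;
    if (y != b) return y - b;
    return z - c;
}

enum verdict check_banner(const char *line)
{
    char proto[16], software[64];
    int maj = 0, min = 0, pat = 0;

    if (parse_banner(line, proto, sizeof proto, software, sizeof software) != 0)
        return NOT_SSH;

    /* "1.5" is protocol 1 only, "1.99" is 1 and 2.  A "2.0"-only server never
       runs the crc32 compensation detector, so the bug is unreachable there. */
    if (strncmp(proto, "1.", 2) != 0)
        return NOT_VULNERABLE;

    /* OpenSSH: fixed in 2.3.0.  A trailing "pN" portable suffix is ignored,
       and so is any distribution backport (the string does not change). */
    if (strncmp(software, "OpenSSH_", 8) == 0) {
        if (sscanf(software + 8, "%d.%d.%d", &maj, &min, &pat) < 2)
            return UNKNOWN;
        return vercmp(maj, min, pat, 2, 3, 0) < 0 ? LIKELY_VULNERABLE
                                                   : NOT_VULNERABLE;
    }
    /* OSSH and other ssh1-derived daemons carry the same detector code. */
    if (strncmp(software, "OSSH_", 5) == 0)
        return LIKELY_VULNERABLE;
    /* Cisco's own implementation is listed as not affected. */
    if (strncmp(software, "Cisco", 5) == 0)
        return NOT_VULNERABLE;
    /* ssh.com SSH1 announces a bare "1.2.x": 1.2.24 - 1.2.31 affected, 1.2.32
       fixed; releases before 1.2.24 have no detector at all (they are open to
       the original crc32 insertion attack instead). */
    if (sscanf(software, "%d.%d.%d", &maj, &min, &pat) == 3 && maj == 1) {
        if (vercmp(maj, min, pat, 1, 2, 24) < 0)
            return NOT_VULNERABLE;
        return vercmp(maj, min, pat, 1, 2, 32) < 0 ? LIKELY_VULNERABLE
                                                    : NOT_VULNERABLE;
    }
    return UNKNOWN;
}

/* Constructed sample banners (not captured from real hosts). */
static const char *samples[] = {
    "SSH-1.99-OpenSSH_2.9p2\r\n",      /* the banner from the comment above */
    "SSH-1.5-OpenSSH_2.2.0p1\r\n",
    "SSH-2.0-OpenSSH_2.2.0p1\r\n",
    "SSH-1.5-1.2.27\r\n",
    "SSH-1.5-1.2.32\r\n",
    "SSH-1.99-3.0.0\r\n",
    "220 mail.example.org ESMTP\r\n",
};

int main(void)
{
    static const char *names[] = { "not ssh", "not vulnerable",
                                   "likely vulnerable (check the package)", "unknown" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28.*s %s\n", (int)strcspn(samples[i], "\r\n"), samples[i],
               names[check_banner(samples[i])]);
    return 0;
}
```

Feeding it the output of `nc host 22 </dev/null | head -1` for each host on a list reproduces what the version-based part of ScanSSH does; the "unknown" verdict covers ssh.com SSH2 servers with SSH1 fallback, where the banner says nothing about the 1.2.x daemon the fallback hands off to.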

  3. Uh, ZERO steps to fixing your OSX box by ehintz · Score: 4, Informative

    Only OpenSSH versions prior to 2.3.0 are vulnerable. OS X 10.1 uses 2.9p2; IIRC no version of OS X which included OpenSSH was EVER vulnerable to begin with. So, you can of course turn off ssh 1 if you desire, but you need not do so because of this exploit.

    --
    ehintz
  4. Re:Copyright by innocent_white_lamb · Score: 2, Informative

    I disagree.

    The difference between Harry Potter and a computer game is simply that with Harry Potter, the text is the product. Period. Whether that text is read on a computer screen, off of a sheet of paper or off of microfilm, the text is the product that is being sold.

    In the case of a computer game, the product is the game, which includes the text, the gameplay, the graphics, music, sound effects, what-have-you.

    In the case of someone "ripping off" Harry Potter, the "ripped-off" product would be the complete text of the book, and that's what the publisher is trying to sell. In the case of Civ3, a patch to change the language to something else is nowhere near to being the entire product. In fact, it could be argued that the actual wording of the text is not really part of the game at all - for an example of this, does the fact that a football referee calls a game penalty in Spanish make the penalty any different than if he called it in English or used sign language? The language is not the game. Since it's the game that this outfit wants to sell (though they have a funny way of promoting it, I must say) a language patch is not a violation of "their property".

    Which brings up an interesting point. If I am paying my money for "their property", then why can't I do what I want to with it? If I pay money for any other kind of property I'm allowed to do what I choose with the product that I've purchased. Computers are about the only industry where the business revolves around "You pay for my product but I still own it."

    --
    If you're a zombie and you know it, bite your friend!
  5. The reason royal.gov.uk has switched server... by Jon Chatow · Score: 5, Informative

    ... is that the site is no longer an internal government one (i.e., one handled by the CCTA), but has been contracted out to the combined developers (such is said in the FAQ in the site, wherever that is), and is now hosted on the UK branch of PIPEX, sorry, UUNET. This can be seen on this page. All CCTA sites are still hosted on *NIX systems, as you can see.

    --
    James F.
  6. Re:Netcraft weirdness by Vince · Score: 4, Informative

    The servers are running on Windows machines behind some sort of proxy, load balancer, redirector, whatever. Thus, a query of the IP stack gives one OS, but the server is from another OS.

  7. SSH Vulnerability Overview by rbeattie · Score: 2, Informative

    Okay - so I had slacked and wasn't sure if I was up to date with my patches. I read the Razor link above and if you're lazy like I am here's the meat (and this isn't fscking redundant, there's like 30 links above):

    ** Vulnerable:

    SSH 1.2.24 - 1.2.31 (ssh.com) -- all versions to date of release of this advisory

    F-SECURE SSH 1.3.x -- all recent releases

    OpenSSH prior to 2.3.0 (unless SSH protocol 1 support is disabled)

    OSSH 1.5.7 (by Bjoern Groenvall) and other ssh1/OpenSSH derived daemons

    ** Not vulnerable:

    SSH2 (ssh.com): all 2.x releases NOTE: SSH2 installations with SSH1 fallback support are vulnerable

    OpenSSH 2.3.0 (problem fixed)

    SSH 1.2.32 (ssh.com, released 10/22/2001)

    SSH1 releases prior to 1.2.24 (vulnerable to crc attacks)

    Cisco SSH (own implementation)

    LSH (SSH protocol 1 not supported)

    ** Other SSH daemons: not tested

    To test your server, do this:

    $ ssh -v -l `perl -e '{print "A"x88000}'` localhost

    if you get a seg fault like below, you need to upgrade:

    Program received signal SIGSEGV, Segmentation fault.
    0x806cfbd in detect_attack ( ..., len=88016, IV=0x0) at deattack.c:138
    136 for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;

    Now, happily for me, I didn't have this problem. This is good since I'm logging in remotely to my box in California from Spain, VIA SSH!! I'm an idiot as I've also shut off Telnet and if it DID segfault, I would've been completely screwed.

    -Russ

    --
    Me
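
Why a login name of about 88000 bytes is the trigger in the test above: the detector sizes a hash table of 16-bit entries in proportion to the number of 8-byte blocks in the incoming packet, quadrupling from a 4096-entry minimum until the table covers 1.5 times the block count. In the affected daemons that entry count was kept in a 16-bit variable, so the first packet that needs 65536 entries wraps the count to 0: the table is allocated with zero bytes, the index mask `n - 1` becomes all ones, and the loop on line 138 of deattack.c reads and later writes `h[i]` at an index taken straight from a 32-bit hash of attacker-supplied data. That is the segfault in the trace, and the exploit Dittrich analysed turns the `h[i] = j` write into a controlled memory write. OpenSSH 2.3.0 widened the variable to 32 bits. The C model below is added here and is not code from this page, the advisory or OpenSSH; its constants (8-byte blocks, an 8192-byte minimum table, 2-byte entries, a 3/2 growth factor) are assumed from the deattack.c of that period, and the sizing loop is simplified to restart from the minimum table size on every call rather than growing a static table.

```c
#include <stdint.h>
#include <stdio.h>

/* Sizing constants of the detector (assumed from the deattack.c of that era,
   not taken from this page). */
#define SSH_BLOCKSIZE   8
#define HASH_MINSIZE    8192
#define HASH_ENTRYSIZE  2
#define HASH_FACTOR(x)  ((x) * 3 / 2)

/* Entries the detector wants for a `len`-byte packet: start at the minimum
   table size and quadruple until it covers 1.5x the number of 8-byte blocks. */
static uint32_t wanted_entries(uint32_t len)
{
    uint32_t l = HASH_MINSIZE / HASH_ENTRYSIZE;        /* 4096 */
    while (l < HASH_FACTOR(len / SSH_BLOCKSIZE))
        l <<= 2;
    return l;
}

/* Vulnerable sizing: the count lands in a 16-bit variable, so 65536 entries
   silently become 0 and the table is allocated with 0 * HASH_ENTRYSIZE bytes. */
uint16_t table_entries_vulnerable(uint32_t len)
{
    uint16_t n = (uint16_t)wanted_entries(len);
    return n;
}

/* Fixed sizing (OpenSSH 2.3.0): the count is kept in a 32-bit variable. */
uint32_t table_entries_fixed(uint32_t len)
{
    return wanted_entries(len);
}

/* The lookup loop indexes the table with HASH(c) & (n - 1).  With n == 0 the
   mask is all ones, so the full 32-bit hash of attacker data becomes the index. */
uint32_t index_mask(uint32_t n)
{
    return n - 1;
}

/* Smallest packet length at which the 16-bit count wraps to 0. */
uint32_t first_truncating_len(void)
{
    uint32_t len = 0;
    while (table_entries_vulnerable(len) != 0)
        len += SSH_BLOCKSIZE;
    return len;
}

int main(void)
{
    /* Constructed packet lengths; 88016 is the len= value in the gdb trace. */
    static const uint32_t lens[] = { 1000, 40000, 88016 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t len = lens[i];
        uint16_t bad = table_entries_vulnerable(len);
        printf("len=%6u  wanted=%6u  16-bit n=%5u  alloc=%6u bytes  mask=0x%08x\n",
               (unsigned)len, (unsigned)table_entries_fixed(len), (unsigned)bad,
               (unsigned)bad * HASH_ENTRYSIZE, (unsigned)index_mask(bad));
    }
    printf("16-bit n first wraps to 0 at len=%u bytes\n",
           (unsigned)first_truncating_len());
    return 0;
}
```

Running it shows the threshold sits just under 88000 bytes, which is why the one-liner uses that figure: a 40000-byte name still gets a sane 16384-entry table, while anything past the wrap point gets a zero-length table and an all-ones index mask.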
  8. Re:Queen's web server on IIS (assorted comments) by Anonymous Coward · Score: 1, Informative

    "Wrong monarchy, country whatever. That was France."

    It was obvious, you dolt, that he was making a joke, and besides it was never really said anyway.

    "Let them eat cake" (or "Qu'ils mangent de la brioche") was attributed to a "great princess" in the sixth book of Jean-Jacques Rousseau's Confessions, which he wrote in 1767-68. Marie-Antoinette (the name for which your addled brain was likely groping) did not arrive in France until 1770, and when famine later struck Paris she worked arduously to relieve the suffering of her subjects.

    Later, illiterate goofs such as yourself connected her to the quote in Rousseau's posthumously-published work, and the rest, as they say, is fallacy.

  9. Re:IIS Uptime Record??? by q-soe · Score: 2, Informative

    Yes.
    One of my nt4 file servers here provides file and login for 200 staff and has an uptime of 267 days solid.

    Uptime discussions are invalid when comparing file, app and print servers; availability is how we measure this, and that means uptime is bull - you have to reboot servers of ANY ilk for hotfixes and general maintenance.

    --
    I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
  10. OpenSSH under Cygwin by Col. Klink (retired) · Score: 3, Informative

    The latest Cygwin includes OpenSSH 3.0.1 and supports Protocol 2 (you can even run sshd on a Windows box and ssh into it).

    --
    Don't Tase me, bro!

  11. Debian Backports Security Fixes by John Hasler · Score: 3, Informative

    "To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool."

    Which apparently just checks the version number and will therefore falsely identify Debian stable machines as vulnerable despite their being up to date on security patches.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.