Slashdot Mirror
Slashback: Highness, Hominess, Hole-ines
Sometimes being British means self-flagellation. Ferox writes: "The November Web Site Survey from Netcraft reveals something interesting: 'Two years ago the Queen of England became an unlikely icon for the Linux revolution when her webmaster replaced Solaris as the platform for the Royal Family's site, citing the better price/performance of the Dell/Linux platform over the previous incumbent, Sun/Solaris. The open source community celebrated and speculated on when the Apache web server might receive the "By Royal Appointment" moniker. This week the site has changed platforms again, this time to Microsoft-IIS.'"
Keep your hands and passwords inside the car at all times. Niels Provos passed along word of his ongoing research into network security, with some slightly depressing news about the state of Internet security.
Even though the CRC32 bug has been found over a year ago, over 30% of all servers are still vulnerable today. Graph at http://www.citi.umich.edu/u/provos/ssh/crc32.png.
In February 2001, Razor Bindview released their "Remote vulnerability in SSH daemon crc32 compensation attack detector" advisory, which outlined a gaping hole in deployed SSH servers that can lead to a remote attacker gaining privileged access.
In November 2001, Dave Dittrich published a detailed analysis of the "CRC32 compensation attack detector exploit." This exploit is currently widely in use. CERT released Incident Note IN-2001-12.
At the Center for Information Technology Integration, Niels Provos and Peter Honeyman have been scanning the University of Michigan for vulnerable SSH server software to identify and update vulnerable SSH servers. However, scans of the Internet show that system and security administrators must react and update their SSH servers. At this writing, over 30% of all SSH servers appear to have the CRC32 bug.
A simple solution is to remove support for Version One of the SSH protocol. The majority of servers on the Internet support the SSH v2 protocol. To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool.
References: "ScanSSH - Scanning the Internet for SSH Servers", Niels Provos and Peter Honeyman, 16th USENIX Systems Administration Conference (LISA). San Diego, CA, December 2001. This information is also available at http://www.citi.umich.edu/u/provos/ssh/
Don't play with your food, or your games. janolder writes "In the matter of the Civilization III translation project (articles on slashdot, apolyton and heise), the fans have gotten the short end of the stick. The project web site (translation.civ3.de) has been down for a while. Earlier this week, both the web site operator and Kai Fiebach, the project leader, signed Infogrames' cease and desists out of fear of further legal action. The legal position (not to mention the moral postion) of the fans did not appear to be too weak - EULA's are not binding in Germany and supplying patches to a program is certainly not the same as translating a book and distributing the translated manuscript.
Infogrames Germany has issued another press release (translation and my comments) justifying their legal action and position. It makes for an interesting peek into the mindset of a game publisher.
The good news is that Infogrames is considering a more timely release of Civilzation III in Germany.
The bad news is that the cease and desists apparently forbid any modification of Civ3 in any way, shape or form. So no more custom maps for your friends, custom rules or any such copyright infringing activity, please! Is it just me, or has the world suddenly become a less interesting place?"
Not as if Americans always know where we are, either. ByTor-2112 writes "Hate to be the bearer of bad news so soon after a story is posted, but as I commented on the previous story, it appears that galileo has some funding issues. Honestly, did anyone really expect the EU to go through with it? It took them long enough to agree on a common currency!"
Or is the royal web site down? Hmm. Maybe they should have stuck with Linux.
What do you want to bet that a Microsoft Rep walked in and said, "here's free software and hardware if you switch to IIS".
This sig has been temporarily disconnected or is no longer in service
Hey, the data about the Royal Page says that the Windows 2000 server has been up 5.56 days since the last reboot.
Is that a World Record for IIS?
-- Find the Truth...
I disagree with the argument that translating and distribution Civ 3 is not the same as translating and distributing Harry Potter. A better analogy would be the translation and distribution of only the first chapter of Harry Potter: It would not be the complete work and it may stimulate sales, but it's still a copyright violation (hence the "in whole or in part" bit in licenses).
Keeping up to date with the latest OpenSSH releases always helps, but if you want to put an end to those SSH1 attacks (which can affect OpenSSH 2 and above in some cases, and may do so again in the future), add this line to your sshd_config (in /etc or /usr/local/etc):
Protocol 2
This will deny all SSH1 connections and force everyone to use SSH2 to connect.
They that quote Benjamin Franklin on liberty and safety deserve neither.
If you are worried about your machine being out of date, just do this:
% telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p2
if you see OpenSSH before version 2.3, you may be vulnerable (iff you have fallback to ssh1)
Is it running on a tower server? /.ed? See, royal inbreeding does cause DNA problems.
The enemy is [at the] Gates!
Is HRH trying to upstage Diana's famous crash?
I'd have thought QE version II wouldn't have this bug.
Wait until they cut her off after three Windows Product Activations.
Already
And finally...
"Your highness, the people have no open source..."
"Well, let them run DRDOS!"
where the config files are slightly different than on other unixes:
/Applications/Utilities folder and open Terminal
/etc/sshd_config at the shell prompt and enter the admin user password when prompted
/etc/ssh_config
/etc/hostconfig to determine whether SSH is enabled on your machine
/var/run/sshd.pid` to restart it
1. log in to Mac OS X as an admin user
2. navigate to the
3. type sudo perl -i.bk -p -e 's/#Protocol 2,1/Protocol 2/g'
4. type sudo perl -i.bk -p -e 's/2,1/2/g'
5. type grep SSH
6. if the response is "YES", type sudo kill -HUP `cat
7. Quit the Terminal program
I use Macs for work, Linux for education, and Windows for cardplaying.
Color me silly here and all, but most of the time the teeming masses are not criticizing Microsoft for releasing a buggy web server they're banging on the IIS SysAdmins for not patching their systems. And here we have 30% of all scanned SSH servers wide open due to a dumb bug that has been documented for ages and ages?
C'mon guys. Either clean up your act or stop being the first ones to throw the stone.
Maybe someone can explain this to me, because it doesn't make any sense. Whenever I try to make a ssh2 connection and the server can't reverse-dns my host, it refuses to authenticate me, regardless of whether I supply the correct keys or passwords. My (minimal) survey seems to indicate that this is construed as a "feature". what's up?
Only OpenSSH versions prior to 2.3.0 are vulnerable. OS X 10.1 uses 2.9p2; IIRC no version of OS X which included OpenSSH was EVER vulnerable to begin with. So, you can of course turn off ssh 1 if you desire, but you need not do so because of this exploit.
ehintz
I don't think the cease and desist order prevents innocent modification of components that Firaxis intended for people to make and distribute. I don't have Civ III (yet), but Civ II was purposely designed so that it could be easily modified by fans. It also included a map editor - I can't imagine that Civ III is any different, but perhaps an owner of the game would like to comment.
Things like rulesets were laid out in simple configuration text files, so that patches could be applied to change the nature and look of the game - right down to individual units and map squares. Civ: CTP 2 (a game I own) also has easily moddable rulesets (the game is so buggy you simply MUST install Apolyton's patch).
Beating down on fans and modding is stupid , the most successful games are those that have been modded (Halflife, StarCraft). Until I see firm evidence of something other than this translation case, I still want Civ III and will enjoy playing it.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
... is that the site is no longer an internal government one (i.e., one handled by the CCTA), but has been contracted out to the combined developers (such is said in the FAQ in the site, wherever that is), and is now hosted on the UK branch of PIPEX, sorry, UUNET. This can be seen on this ppage. All CCTA sites are still hosted on *NIX systems, as you can see.
James F.
Well, as much as www.royal.gov.uk may have turned to Win2k and IIS, www.parliament.uk is runnning...Microsoft-IIS/4.0 on Solaris???
Even more bizarre is that site's history:
Solaris
Microsoft-IIS/4.0
13-Sep-2001
194.60.38.75
Houses of Parliament
NT4/Windows 98
Microsoft-IIS/4.0
2-Apr-2001
194.60.38.75
Houses of Parliament
Solaris
Microsoft-IIS/4.0
4-Jan-2001
194.60.38.75
Houses of Parliament
BSD/OS
Microsoft-IIS/4.0
2-Nov-2000
194.60.38.75
Houses of Parliament
So, not only does Parliament seem to like changing their minds (sometimes radically) every few months, they also like using impossible combinations of OS and server. Hmm....maybe it's symbolic of something...(just kidding!)
Move along, nothing to see here.
-Legion
Okay - so I had slacked and wasn't sure if I was up to date with my patches. I read the Razor link above and if you're lazy like I am here's the meat (and this isn't fscking redundant, there's like 30 links above):
..., len=88016, IV=0x0) at deattack.c:138
** Vulnerable:
SSH 1.2.24 - 1.2.31 (ssh.com) -- all versions to date of release of this advisory
F-SECURE SSH 1.3.x -- all recent releases
OpenSSH prior to 2.3.0 (unless SSH protocol 1 support is disabled)
OSSH 1.5.7 (by Bjoern Groenvall) and other ssh1/OpenSSH derived daemons
** Not vulnerable:
SSH2 (ssh.com): all 2.x releases NOTE: SSH2 installations with SSH1 fallback support are vulnerable
OpenSSH 2.3.0 (problem fixed)
SSH 1.2.32 (ssh.com, released 10/22/2001)
SSH1 releases prior to 1.2.24 (vulnerable to crc attacks)
Cisco SSH (own implementation)
LSH (SSH protocol 1 not supported)
** Other SSH daemons: not tested
To test your server, do this:
$ ssh -v -l `perl -e '{print "A"x88000}'` localhost
if you get a seg fault like below, you need to upgrade:
Program received signal SIGSEGV, Segmentation fault.
0x806cfbd in detect_attack (
136 for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
Now, happily for me, I didn't have this problem. This is good since I'm logging in remotely to my box in California from Spain, VIA SSH!! I'm an idiot as I've also shut off Telnet and if it DID segfault, I would've been completely screwed.
-Russ
Me
And ours can use the Queen's English properly. :P
-Legion
Another good tip with the ssh holes, and as a general priniciple, is to restrict IPs that are allowed to connect to port 22 (or wherever you run sshd) at the firewall.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
The latest Cygwin includes openSSH 3.0.1 and supports Protocol 2 (you can even run sshd on a Windows box and ssh into it).
-- Don't Tase me, bro!
"To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool."
Which apparently just checks the version number and will therefor falsely identify Debian stable machines as vulnerable despite their being up to date on security patches.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Suppose Voldemort Publications sells you an PDF of Black Magic for Beginners on CD. The text is copyrighted, but that's not enough for VP. So they make you accept a license agreement that specifies that you can only read the book directly off the CD and you may not manipulate the text in any way.
You pop the CD in your computer and discover that the text is in Ancient Etruscan. When you call up to complain, they explain that the English translation is licensed to Massively Manipulative Monopolies. No they don't know when it will come out.
No problem. You go to the Hogwarts web site and download a translation spell. But as soon as you begin to incant Logos Anglicia! a VP legal troll appears in a puff of yellow-green smoke. He accuses you of violating the no-manipulation clause in your license agreement. You try to tell him that such a clause is unenforceable, but he just shrugs and says, "We think it will stand up in court. You're welcome to consult your own lawyer, of course."
"This is ridiculous!" you say. "I acquired the book legitimately, and I have a right to read it."
"Well, we have a right to maximize our return on our investment. That's why MMM is handling the English version -- they're much better at marketing to muggles than we are. Now cut it out. This agreement is enforcable in the Court of Giant Warts!"
Indeed she does still hold that title. I used to know her full grand gitre but it's slipped out of my mind for some reason. The natural place to look it up is on the Royal Family's website, but, oddly enough since they moved to IIS (another fine Microsoft product) it's down right now. Funny, I never can remember it going down before...
(I think it highly unlikely that it's slashdotted. Government servers designed for worldwide access are generally well able to handle this kind of load.)
OK, so I found it at the alt.talk.royalty FAQ. In the UK, she's called "United Kingdom: Elizabeth the Second, by the Grace of God of the United Kingdom of Great Britain and Northern Ireland and Her other Realms and Territories Queen, Head of the Commonwealth, Defender of the Faith". In her other realms and territories, she's styled slightly differently. The full list is rather lengthy, so check the FAQ to see it. Although "Queen of England" isn't found in there, it's certainly not incorrect to call her that.
And the brethren went away edified.
That's interesting, especially when you consider that the Bush campaign ran IIS. Of course they probably just inherited the contract for the Whitehouse server from the previous admin. It's hosted by Akamai, so it's possible that the administration didn't make any decision about the OS at all.
As for the Queen, well... she traded in her fancy Sparc hardware for x86 boxes and got tired of Linux. So, if you are in that situation and you want something that's nothing like Linux, what do you choose? Windows.
That in itself is interesting--if people dump Sparc hardware for Linux x86 boxes and then sour on the OS, what will they do? Install Windows.
So, once again, commercial *NIX vendors are the biggest losers to Linux, not MS.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
You may still be able to make other modifications to their software and distribute the patches, whether they like it or not.
Of course, instead of contributing to a commercial game without getting compensated for your work, why not just contribute to FreeCiv or similar games? Civilization itself seems mostly like a clone of older games anyway.
Answering everyone at once, when I do "apt-get update; apt-get upgrade" I still get (open)ssh 1.2.3.
Installing "unstable" is *not* an option at many (most?) sites. You install an unstable package on a live server, you die. Or at least you lose all root access on the live servers. The problem isn't any single unstable package, it's their tendency to pull in other unstable packages. This can get out of control real fast.
Even installing from pool is problematic, but usually acceptable since you're compiling it locally and can avoid creeping dependencies... but some Debian tools require Perl 5.5 which breaks stable systems. If you're willing to devote a system to unstable, you might be able to create an installable package... but this is not something Joe User is going to be able to do.
So I stand by my point. If you require SSH protocol 2 (supported by OpenSSH 2.x and 3.x), you will knock out most Debian users until either Woody is released or somebody takes a honking big clue-stick at the appropriate Debian maintainers and openssh 2.x is released as a Potato security bug-fix.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
I'd like to pipe up with a seconding of what you said essentially. I think that bit at the end about how people can't make custom maps or rulesets any more is either blatant exaggeration or just simply confusion and misinformation.
Seriously now, the game *comes* with an editor that is quite flexible. The one thing that bothers me is you can't tie down people to their starting locations (i.e. with say the world map, you might play the American civ and end up in the Japanese starting place). But it allows for completely new maps and changes to all the units and and even more sweeping gameplay changes if I recall correctly.
I'm willing to bet this means if you go out and do stuff that actually requires messing with the main executable, you'll likely get a lawsuit knocking at your door. Making a map will not trigger that same reaction.
As does one of Slashdot readers' favorite sites.
True, true, you're not all idiots. I've certainly known my share of stupid ass MCSE's that were exact pictures of what gave MCSE such a bad name, but I've also known a couple really smart ones.
I suppose its like women and shopping. Sure, you're right in saying that they're not ALL shopaholics, but because so many are, the two are often synonymous.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
Clearly, Microsoft marketting saw this move to Linux as a major threat just as they did with the city of Largo in Florida. This time, they got through... who knows how they got past the "price/performance" issue though... (maybe they paid the guy off)
Anyway, I'm sure there are enough vigilantes out there who will be targetting this IIS implementation eh? Hehehehe
(...why do I get this creepy feeling as I write this? Ah well, I'll just take a nap... Oh yeah, disclaimer -- I don't really advocate or invite illegal activities. I'm just saying in my own way that I can see it happening.)
Disclaimer: I have no idea what I am talking about.
My beliefs do not require that you agree with them.
EULA's are not legally binding in Germany.
I'll be the first to say that, all jokes aside.. as a Canadian, I find Americans, in general, to respect us as a country, and neighbor.
However.. ever heard of "manifest destiny"?
IT has long been part of the American culture tha the whole continent should be the United States.
Point is that people who sell IP want to control how it's distributed. That's what drives their decision making. And the law, be it copyright, licensing, whatever, is almost always is on their side. Given the way the law is made, that's hardly suprising.
From the POV of consumers and artists, the results are often absurd. German gamers who can't play games they've paid for is one example. Another is music and literature that you can't listen to or read because the copyright holder is sitting on it. I myself know a couple of musicians who feel damn frustrated because their work is controlled by publishers who won't release or sell it back. Unfair? Absolutely. But perfectly legal.