Slashback: Highness, Hominess, Hole-ines

Slashback tonight with updates on SSH vulnerabilities, the Queen's web server, the European answer to GPS (in danger, it seems) and your ever-thinner rights to use software for anything you don't have specific permission for.

Sometimes being British means self-flagellation. Ferox writes: "The November Web Site Survey from Netcraft reveals something interesting: 'Two years ago the Queen of England became an unlikely icon for the Linux revolution when her webmaster replaced Solaris as the platform for the Royal Family's site, citing the better price/performance of the Dell/Linux platform over the previous incumbent, Sun/Solaris. The open source community celebrated and speculated on when the Apache web server might receive the "By Royal Appointment" moniker. This week the site has changed platforms again, this time to Microsoft-IIS.'"

Keep your hands and passwords inside the car at all times. Niels Provos passed along word of his ongoing research into network security, with some slightly depressing news about the state of Internet security.

Even though the CRC32 bug has been found over a year ago, over 30% of all servers are still vulnerable today. Graph at http://www.citi.umich.edu/u/provos/ssh/crc32.png.

In February 2001, Razor Bindview released their "Remote vulnerability in SSH daemon crc32 compensation attack detector" advisory, which outlined a gaping hole in deployed SSH servers that can lead to a remote attacker gaining privileged access.

In November 2001, Dave Dittrich published a detailed analysis of the "CRC32 compensation attack detector exploit." This exploit is currently widely in use. CERT released Incident Note IN-2001-12.

At the Center for Information Technology Integration, Niels Provos and Peter Honeyman have been scanning the University of Michigan for vulnerable SSH server software to identify and update vulnerable SSH servers. However, scans of the Internet show that system and security administrators must react and update their SSH servers. At this writing, over 30% of all SSH servers appear to have the CRC32 bug.

A simple solution is to remove support for Version One of the SSH protocol. The majority of servers on the Internet support the SSH v2 protocol. To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool.

References: "ScanSSH - Scanning the Internet for SSH Servers", Niels Provos and Peter Honeyman, 16th USENIX Systems Administration Conference (LISA). San Diego, CA, December 2001. This information is also available at http://www.citi.umich.edu/u/provos/ssh/

Don't play with your food, or your games. janolder writes "In the matter of the Civilization III translation project (articles on slashdot, apolyton and heise), the fans have gotten the short end of the stick. The project web site (translation.civ3.de) has been down for a while. Earlier this week, both the web site operator and Kai Fiebach, the project leader, signed Infogrames' cease and desists out of fear of further legal action. The legal position (not to mention the moral postion) of the fans did not appear to be too weak - EULA's are not binding in Germany and supplying patches to a program is certainly not the same as translating a book and distributing the translated manuscript.

Infogrames Germany has issued another press release (translation and my comments) justifying their legal action and position. It makes for an interesting peek into the mindset of a game publisher.

The good news is that Infogrames is considering a more timely release of Civilzation III in Germany.

The bad news is that the cease and desists apparently forbid any modification of Civ3 in any way, shape or form. So no more custom maps for your friends, custom rules or any such copyright infringing activity, please! Is it just me, or has the world suddenly become a less interesting place?"

Not as if Americans always know where we are, either. ByTor-2112 writes "Hate to be the bearer of bad news so soon after a story is posted, but as I commented on the previous story, it appears that galileo has some funding issues. Honestly, did anyone really expect the EU to go through with it? It took them long enough to agree on a common currency!"

Slashdotted already?

[lhand]

Or is the royal web site down? Hmm. Maybe they should have stuck with Linux.

Re:Slashdotted already?

[RogrWilco]

Not to be a M$ advocate, but /. has /.'ed Linux servers as well. Hell even /. has been /.'ed. What I'd like to see is a "Hacked by Chinese... F&cK PoizonBox" on the main page. That's more of a testament.

IIS Uptime Record???

[slugfro]

Hey, the data about the Royal Page says that the Windows 2000 server has been up 5.56 days since the last reboot.
Is that a World Record for IIS?

Copyright

[Have+Blue]

I disagree with the argument that translating and distribution Civ 3 is not the same as translating and distributing Harry Potter. A better analogy would be the translation and distribution of only the first chapter of Harry Potter: It would not be the complete work and it may stimulate sales, but it's still a copyright violation (hence the "in whole or in part" bit in licenses).

Re:Copyright

[Tosta+Dojen]

Except that this seems to be providing a patch, not the entirety of the translated work. In which case, only those who have purchased the full version will have the translation. Without the original work, the patch is just a useless file.

So, an even better analogy would be a reading translator that would read the Harry Potter book to you in German. Copyright violation? No. Fair use? Definitely.

Securing OpenSSH

[krogoth]

Keeping up to date with the latest OpenSSH releases always helps, but if you want to put an end to those SSH1 attacks (which can affect OpenSSH 2 and above in some cases, and may do so again in the future), add this line to your sshd_config (in /etc or /usr/local/etc):

Protocol 2

This will deny all SSH1 connections and force everyone to use SSH2 to connect.

Re:Securing OpenSSH

[gorgon]

Unfortunately, it also blocks all Debian users. At least it looks like somebody *finally* packaged ssh2 for woody

Uhm, you're kind of confused. The main ssh packages in Debian are:

• ssh - OpenSSH port of BSD's version of ssh that branched off the last free version of ssh put out by ssh's original developers. It has supported ssh protocol version 2 since roughly August of 2000, and versions supporting ssh2 made it into Debian soon there after. Currently version 3.01p is in Debian, and I think its pretty much equivalent to to the non-free ssh3.
• ssh-nonfree - non-free version of ssh from its original developers. It only supports ssh protocol version 1.
• ssh2 - Version of ssh supporting ssh protocol 2 from the makers of ssh-nonfree. License is more restrictive than ssh-nonfree's license.
• ssh3 - As far as i can tell its not packaged yet. Is the license more restrictive than ssh3? Regardless, there is no ssh protocol version 3.

Anyway, Debian has had ssh protocol version 2 support for a long time,.

Re:Securing OpenSSH

[Craig+Davison]

SSHWinClient at ftp://ftp.ssh.com/pub/ssh is free as in $0 for non-commercial use. It includes a good SSH terminal and the best SFTP/SCP client out there.

There's also OpenSSH for cygwin and a crappy piece of software called telneat which I used before I installed cygwin. Apparently new versions of telneat are commercial now anyway.

See http://ssh.gatordog.com/ for a bazillion others.

quick way to check your openssh

[mwillis]

If you are worried about your machine being out of date, just do this:

% telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p2

if you see OpenSSH before version 2.3, you may be vulnerable (iff you have fallback to ssh1)

Queen's web server on IIS (assorted comments)

[Tsar]

Is it running on a tower server?
The enemy is [at the] Gates!
Is HRH trying to upstage Diana's famous crash?
I'd have thought QE version II wouldn't have this bug.
Wait until they cut her off after three Windows Product Activations.
Already /.ed? See, royal inbreeding does cause DNA problems.

And finally...
"Your highness, the people have no open source..."
"Well, let them run DRDOS!"

OK, so a double-double standard?

[The+Bungi]

Color me silly here and all, but most of the time the teeming masses are not criticizing Microsoft for releasing a buggy web server they're banging on the IIS SysAdmins for not patching their systems. And here we have 30% of all scanned SSH servers wide open due to a dumb bug that has been documented for ages and ages?

C'mon guys. Either clean up your act or stop being the first ones to throw the stone.

Uh, ZERO steps to fixing your OSX box

[ehintz]

Only OpenSSH versions prior to 2.3.0 are vulnerable. OS X 10.1 uses 2.9p2; IIRC no version of OS X which included OpenSSH was EVER vulnerable to begin with. So, you can of course turn off ssh 1 if you desire, but you need not do so because of this exploit.

Civ 2 and Civ 3

[proxima]

I don't think the cease and desist order prevents innocent modification of components that Firaxis intended for people to make and distribute. I don't have Civ III (yet), but Civ II was purposely designed so that it could be easily modified by fans. It also included a map editor - I can't imagine that Civ III is any different, but perhaps an owner of the game would like to comment.

Things like rulesets were laid out in simple configuration text files, so that patches could be applied to change the nature and look of the game - right down to individual units and map squares. Civ: CTP 2 (a game I own) also has easily moddable rulesets (the game is so buggy you simply MUST install Apolyton's patch).

Beating down on fans and modding is stupid , the most successful games are those that have been modded (Halflife, StarCraft). Until I see firm evidence of something other than this translation case, I still want Civ III and will enjoy playing it.

The reason royal.gov.uk has switched server...

[Jon+Chatow]

... is that the site is no longer an internal government one (i.e., one handled by the CCTA), but has been contracted out to the combined developers (such is said in the FAQ in the site, wherever that is), and is now hosted on the UK branch of PIPEX, sorry, UUNET. This can be seen on this ppage. All CCTA sites are still hosted on *NIX systems, as you can see.

Re:SSH 2

[osu-neko]

A lot of people are under the mistaken impression that this is a useful security check. In fact, it means jack-diddly-squat, as (a) DNS is not a security protocol, so a positive result on this test means nothing, and (b) half the ISP's in the world can't get reverse-DNS set up correctly, so a negative result also means nothing.

If you have known incoming IP's, I believe adding them to /etc/hosts fixes the problem. Complaing to your ISP may help, but if your ISP's DNS admin has a clue, he'll probably point out that this is a really stupid test to be performed to begin with so he doesn't consider it a high priority to fix things on his end so it'll work, but he may get around to it eventually...

Netcraft weirdness

[Grond]

Well, as much as www.royal.gov.uk may have turned to Win2k and IIS, www.parliament.uk is runnning...Microsoft-IIS/4.0 on Solaris???
Even more bizarre is that site's history:
Solaris
Microsoft-IIS/4.0
13-Sep-2001
194.60.38.75
Houses of Parliament

NT4/Windows 98
Microsoft-IIS/4.0
2-Apr-2001
194.60.38.75
Houses of Parliament

Solaris
Microsoft-IIS/4.0
4-Jan-2001
194.60.38.75
Houses of Parliament

BSD/OS
Microsoft-IIS/4.0
2-Nov-2000
194.60.38.75
Houses of Parliament

So, not only does Parliament seem to like changing their minds (sometimes radically) every few months, they also like using impossible combinations of OS and server. Hmm....maybe it's symbolic of something...(just kidding!)

Re:Netcraft weirdness

[Vince]

The servers are running on Windows machines behind some sort of proxy, load balancer, redirector, whatever. Thus, a query of the IP stack gives one OS, but the server is from another OS.

Re:Netcraft weirdness

[larien]

Probably not so much a load balancer as a server that checks which server in the farm hasn't crashed yet :)

BTW, this nugget is in the Netcraft FAQ

OpenSSH under Cygwin

[Col.+Klink+(retired)]

The latest Cygwin includes openSSH 3.0.1 and supports Protocol 2 (you can even run sshd on a Windows box and ssh into it).

Debian Backports Security Fixes

[John+Hasler]

"To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool."

Which apparently just checks the version number and will therefor falsely identify Debian stable machines as vulnerable despite their being up to date on security patches.

Good analogy, but...

[fm6]

a reading translator that would read the Harry Potter book to you in German. Copyright violation? No. Fair use? Definitely.

A very good analogy. If we push it a little further, we see what's wrong your your other assertions.

Suppose Voldemort Publications sells you an PDF of Black Magic for Beginners on CD. The text is copyrighted, but that's not enough for VP. So they make you accept a license agreement that specifies that you can only read the book directly off the CD and you may not manipulate the text in any way.

You pop the CD in your computer and discover that the text is in Ancient Etruscan. When you call up to complain, they explain that the English translation is licensed to Massively Manipulative Monopolies. No they don't know when it will come out.

No problem. You go to the Hogwarts web site and download a translation spell. But as soon as you begin to incant Logos Anglicia! a VP legal troll appears in a puff of yellow-green smoke. He accuses you of violating the no-manipulation clause in your license agreement. You try to tell him that such a clause is unenforceable, but he just shrugs and says, "We think it will stand up in court. You're welcome to consult your own lawyer, of course."

"This is ridiculous!" you say. "I acquired the book legitimately, and I have a right to read it."

"Well, we have a right to maximize our return on our investment. That's why MMM is handling the English version -- they're much better at marketing to muggles than we are. Now cut it out. This agreement is enforcable in the Court of Giant Warts!"

The Royal Family would like to thank Microsoft

[CaptainCarrot]

I'm not an acutal Brit, but I play one at the Renaissance Faire...

...she still held the title Queen of England, as well as quite probably numerous others (anyone got a full list somewhere)?

Indeed she does still hold that title. I used to know her full grand gitre but it's slipped out of my mind for some reason. The natural place to look it up is on the Royal Family's website, but, oddly enough since they moved to IIS (another fine Microsoft product) it's down right now. Funny, I never can remember it going down before...

(I think it highly unlikely that it's slashdotted. Government servers designed for worldwide access are generally well able to handle this kind of load.)

OK, so I found it at the alt.talk.royalty FAQ. In the UK, she's called "United Kingdom: Elizabeth the Second, by the Grace of God of the United Kingdom of Great Britain and Northern Ireland and Her other Realms and Territories Queen, Head of the Commonwealth, Defender of the Faith". In her other realms and territories, she's styled slightly differently. The full list is rather lengthy, so check the FAQ to see it. Although "Queen of England" isn't found in there, it's certainly not incorrect to call her that.