Slashdot Mirror


OpenSSH Gets Even More Suspicious

If you remotely administer any computers, or need to check your email over an untrusted network, odds are you're already familiar with the wonders of OpenSSH. Markus Friedl yesterday posted a release announcement for the newest version, OpenSSH 3.3. Privilege separation in OpenSSH is now enabled by default, another sign of the entire OpenBSD project's appropriate paranoia.

293 comments

  1. C: A Dead Language? by egg+troll · · Score: -1

    Gentlemen, the time has come for a serious discussion on whether or not to continue using C for serious programming projects. As I will explain, I feel that C needs to be retired, much the same way that Fortran, Cobol and Perl have been. Furthermore, allow me to be so bold as to suggest a superior replacement to this outdated language.

    To give you a little background on this subject, I was recently asked to develop a client/server project on a Unix platform for a Fortune 500 company. While I've never coded in C before, I have coded in VB for fifteen years and in Java for over ten, and I was stunned to see how poorly C fared compared to these two, more low-level languages.

    C's biggest difficulty, as we all know, is the fact that it is by far one of the slowest languages in existence, especially when compared to more modern languages such as Java and C#. Although the reasons for this are varied, the main reason seems to be the way C requires a programmer to laboriously work with chunks of memory.

    Requiring a programmer to manipulate blocks of memory is a tedious way to program. This was satisfactory back in the early days of coding, but then again, so were punchcards. By using what are called "pointers" a C programmer is basically requiring the computer to do three sets of work rather than one. The first time requires the computer to duplicate whatever is stored in the memory space "pointed to" by the pointer. The second time requires it to perform the needed operation on this space. Finally the computer must delete the duplicate set and set the values of the original accordingly.

    Clearly this is a horrendous use of resources and the chief reason why C is so slow. When one looks at a more modern (and a more serious) programming language like Java, C# or - even better - Visual Basic that lacks such archaic coding styles, one will also note a serious speed increase over C.

    So what does this mean for the programming community? I think clearly that C needs to be abandoned. There are two candidates that would be a suitable replacement for it. Those are Java and Visual Basic.

    Having programmed in both for many years, I believe that VB has the edge. Not only is it slightly faster than Java, it's also much easier to code in. I found C to be confusing, frightening and intimidating with its non-GUI-based coding style. Furthermore, I like to see the source code of the projects I work with. Java's source seems to be under the monopolistic thumb of Sun much the way that GCC is obscured from us by the marketing people at the FSF. Microsoft's "shared source" under which Visual Basic is released definitely seems to be the most fair and reasonable of all the licenses in existence, with none of the harsh restrictions of the BSD license. It also lacks the GPL's requirement that anything coded with its tools becomes property of the FSF.

    I hope to see a switch to VB very soon. I've already spoken with various luminaries in the *nix coding world and most are eager to begin to transition. Having just gotten off the phone with Mr. Alan Cox, I can say that he is quite thrilled with the speed increases that will occur when the Linux kernel is completely rewritten in Visual Basic. Richard Stallman plans to support this, and hopes that the great Swede himself, Linux Torvaldis, won't object to renaming Linux to VB/Linux. Although not a C coder himself, I'm told that Slashdot's very own Admiral Taco will support this on his web site. Finally, Dennis Ritchie is excited about the switch!

    Thank you for your time. Happy coding.

    Egg Troll

    --

    C - A language that combines the speed of assembly with the ease of use of assembly.

    1. Re:C: A Dead Language? by Anonymous Coward · · Score: -1, Troll

      Top 10 Reasons to Upgrade to Visual Basic .NET

      Microsoft Visual Basic® .NET, included in Microsoft Visual Studio .NET Professional, Enterprise Developer and Enterprise Architect editions, is the latest version of Visual Basic built specifically for existing Visual Basic developers who want to get the most out of the software development experience.

      In addition to more power, productivity, and application stability, Visual Basic .NET provides key enhancements that solve the most pressing challenges that Visual Basic developers face today. From the new integrated development environment (IDE) to a modern, streamlined Visual Basic language, Visual Basic .NET delivers the top requested features built for today's Visual Basic developer:
      Number 1

      Seamless Deployment
      Visual Basic .NET solves the most pressing issues around Windows-based application deployment and makes "DLL Hell" and component versioning issues a thing of the past. New XCOPY deployment enables developers to install a Windows-based application simply by copying files to a directory. With Visual Basic .NET and new auto-download deployment, Windows-based applications can be installed and executed simply by pointing a Web browser to a URL.

      Number 2

      More Robust Code
      Visual Basic .NET delivers the feature most requested by existing Visual Basic developers--fewer bugs in the code they write. Features in the new Visual Studio .NET IDE, such as the real-time background compiler and the task list, keep Visual Basic developers up-to-date on any coding errors as they occur, enabling quick and effective error resolution. Enhancements to the Visual Basic language, such as strict type checking and structured exception handling, enable developers to write code that is more robust, maintainable, and less prone to run-time errors.

      Number 3

      Powerful Windows-based Applications
      Visual Basic .NET is the most productive tool for constructing powerful Microsoft Windows®-based applications. The new Windows Forms Designer enables developers to get their desktop applications to market in less time. New features include control anchoring and docking to eliminate the need for complex resize code, the in-place menu editor to deliver WYSIWYG menu creation, and the tab order editor to provide rapid application development (RAD) organization of controls.

      Number 4

      Powerful, Flexible Data Access
      Visual Basic .NET provides developers with both the ActiveX Data Objects (ADO) data access programming model that they know and love, plus the new XML-based Microsoft ADO.NET. With ADO.NET, developers gain access to more powerful components, such as the DataSet control and a new, strongly typed programming model that provides Microsoft IntelliSense® statement completion within data access code.

      Number 5

      Simplified Component Creation
      Visual Basic .NET brings RAD to component development. Developers can use non-visual toolbox and server explorer components to easily incorporate resources such as message queues, event logs, and performance counters into their applications without writing a single line of code.

      Number 6

      Enhanced Control Creation
      Visual Basic .NET provides unprecedented flexibility in building customized user controls. Developers can easily extend preexisting user controls and Windows Forms controls as well as design their own controls that generate custom user interfaces.

      Number 7

      Complete, Direct Access to the Platform
      Visual Basic .NET provides complete, direct access to the Microsoft .NET Framework, enabling Visual Basic developers to quickly access the registry, event log, performance counters, and file system. Visual Basic .NET also eliminates the need for declares statements for access to the operating system. In addition, the new Windows service project template enables rapid application development of real Microsoft Windows NT® Services.

      Number 8

      Integrated Reporting with Crystal Reports
      Upgrading to Visual Studio .NET Professional Edition (or later) provides Visual Basic developers with the power of Crystal Reports directly within the IDE. Crystal Reports delivers the most productive, integrated, and RAD experience for creating highly graphical and interactive relational data reports. These reports can be generated for the entire array of Visual Basic .NET application types, including Windows, Web and mobile applications.

      Number 9

      Easy Web-based Application Development
      Visual Basic .NET delivers "Visual Basic for the Web." Using new Web Forms, you can easily build true thin-client Web-based applications that intelligently render on any browser and on any platform. Web Forms deliver the RAD programming experience of Microsoft Visual Basic® 6.0 forms with the full power of Visual Basic .NET rather than limited scripting capacity. The new HTML designer delivers IntelliSense statement completion for HTML tags and the separation of user interface (UI) and code enable more efficient team-based development.

      Number 10

      Existing Investments Carry Forward
      Visual Basic .NET enables developers to leverage their existing investments in code and skills. Windows Forms provides a robust container for Microsoft ActiveX® controls. Component Object Model (COM) Interoperability provides bi-directional communication between existing Visual Basic applications and those written with Visual Basic .NET. The upgrade wizard enables developers to seamlessly migrate up to 95 percent of existing code to Visual Basic .NET.

      Put these top 10 features to work in the applications you are building today with Visual Studio .NET and Visual Basic .NET.

    2. Re:C: A Dead Language? by Anonymous Coward · · Score: -1, Troll

      GENtl3M3n, +HE tim3 H@S CoMe FoR a 5er1OUS di5cu$$I0n oN wHeTH3R 0R NOT To cOnT1NU3 Using C Ph0r s3R1Ou5 PrO9r4Mm1n9 pr0jec+$. @5 1 Will eXPlAiN, i f33l +hA+ c nEEDS +o 83 R3T1r3D, muCH +EH $4M3 wAY tH4+ PH0RTrAn, cO80l 4nD PERl H4v3 8E3n. Fur+H3RM0R3, aLLOW M3 +o BE $0 boLd 4$ t0 sU9G35+ @ $upER1oR REPl@C3meN+ t0 tH15 0u+d4T3D L@ngU49e.

      +o 9iv3 J00 4 liT+lE b4ckGrOUnd 0n +h15 5UBJEC+, I w@S r3cEN+lY @sKed to D3v3LOP @ CLIent/5erv3r PROjECt 0N 4 uNIX Pl4tpH0Rm PH0R @ ph0rtUn3 500 COMP4NY. wH1le I'Ve nEveR cOdEd iN c bepHor3 1 h@vE c0DeD iN vb FOr phIPH+3en y34r$, 4Nd in J@V4 ph0r oV3r Ten, I w45 5TunNED +0 $3E h0w P0ORly C f4REd cOMP@r3D TO the5e +wo, M0R3 LoW-L3v3l l@ngU4G35.

      c'5 B1gg35t diPhF1cUl+y, 4$ We @ll kn0w, I$ +hE f4c+ +H4+ 1t 1$ bY F4R ON3 oPh +he 5lOw3ST L4N9U4gE$ 1N 3x1s+4nc3, 35pec1ALly wh3N CoMP4r3d To moRE moDERn l4N9U49E5 5UcH 45 J4V@ @Nd C#. AlTH0UGh Th3 R3@5oN$ pH0R tH1$ @RE V4R13D, THE m4IN r3@SONS $3em$ +0 83 +3h W@y c R3KW1R35 a PR09R4mM3R +0 l4Bor1OU5LY work W1+h cHuNk5 0f MemoRY.

      R3kw1rin9 4 prOGR4mMEr T0 m@niPulAte bl0cK$ Oph m3mOrY 1$ A +EdI0u5 waY +O pRogr@M. thi$ W@5 s@ti5F4ct0Ry BACK 1n +eH 34RlY D4y$ Of COD1ng, Bu+ Th3n 49aIn, 5O W3r3 PUNcHcArd5. BY U5In9 wH4+ @re C@lLeD "P01nt3r$" @ C pRO9r4Mmer i$ b4$1c@LLy R3KWIrIN9 TH3 c0MPU+3R To D0 +Hr33 53T$ of W0rK R4+Her TH4N 0ne. TEH F1r$+ t1ME ReKW1R3S +h3 c0mpU+3r t0 dUplIC4t3 WH@t3VEr I5 s+0r3d in T3h mEMORY $paC3 "pOiNt3D TO" 8Y tHE p0intEr. +He 53C0nD +1ME REKwiRE$ 1t +o P3RF0rm th3 n33dED Op3RaTiOn on +H1$ 5P4c3. phIN4LlY th3 comPut3r mU5t DeL3+E +h3 duPlIC@t3 5ET @nD $e+ t3h v4LUE5 0f T3h 0R191N@L 4cc0RDIN9lY.

      CL34rlY +H1$ 15 4 H0rreNdoU5 u$E 0f r3$0UrcE5 4Nd +H3 cHieF r34S0N wHY c I5 $0 5l0W. wH3N On3 L00k5 @t @ MOrE MOdeRn (And @ m0r3 53RIOU5) PR0Gr@MMing l@n9U@G3 l1KE J4v4, c# OR - eVEn B3t+3R - vISu4l 8a51C tH4+ L4CK$ 5Uch ARCh41c codin9 5+YLeS, One w1LL 4L50 n0T3 4 53r10u5 5pEED InCREA$e ov3r c.

      5O wH@T D03$ tH1$ mE4N FoR tHE Pro9Ramm1nG cOMmunity? I th1nk ClE4RlY THa+ c NE3d5 +o 83 @8@ND0nD3d. +heR3 4r3 +W0 C@nd1d4+e5 +HA+ W0UlD 83 a $u1+@bl3 r3PL@ceMENT For I+. THO5e @rE J@v4 4ND v1Su@l B@$1C.

      h4V1n9 Pr09r@MMed IN 80+H F0r m@ny y34r5, 1 83l13VE THaT V8 h45 TH3 3DG3. no+ only 15 it 5L19htLy F45+3R th4N J4v4 1+$ @l$o mUCH e@5I3r +o C0DE in. i PH0uNd c to B3 COnfu51Ng, PHrI9H+3n1nG aNd IN+iMIDA+1NG wi+h 1+5 Non-Gu1-8@$eD cOdiNG $+yLe. Fur+heRmOrE, 1 l1KE T0 53E +3h $0URC3 c0d3 OPH +eh PRoJ3Ct5 1 W0rK W1+h. J4vA's 50UrcE $e3m5 +O B3 unDER +EH M0N0P0Li5T1c thuM8 Of 5UN MUcH THE w@Y Th@T gCc is 085cUrEd frOm u5 8y +hE M4RK3+1Ng PE0pl3 4+ +hE f$F. miCRo50F+'5 "$H4red S0URCE" UndeR whicH v15u4l Ba$1c I5 REL34$eD dEPH1Na+3LY s33m$ +O 8e t3h m0$+ Ph41r @ND REAson4bl3 0ph @LL t3H lIc3N5e$ 1N 3Xi$+ANC3, W1+h N0ne 0Ph +Eh h4r5h R35+RIcT10n5 oF THE bSd l1C3n5E. 1+ 4l50 L4ck5 THe 9PL5 rekWiremENT +Hat 4NYtH1NG Cod3D w1+H I+$ +o0L$ 8eCOME5 pROPEr+y Of +EH pH5Ph.

      1 HOp3 +0 s3E 4 5WitCH +0 vb VeRY $oon. i'V3 ALre4dy 5p0Ken W1+H V@rIou5 LUmIN4ri3$ 1N THE *n1x Cod1N9 WOrlD and m05+ @re 34G3R t0 BeG1n +o +R4N$iTiON. H@V1n9 JU5+ 9O+TeN 0FPH t3H phON3 W1th mR. @L4n c0x, I c@n 5aY Th4t hE I5 Kw1+E +hRiLLED wI+h +eH 5p3eD 1NCr3a$35 tH@+ w1Ll OCcUR wh3n TH3 L1NUx K3rnel i$ C0mplE+elY REWritt3n in V1$u4l B4sIc. r1CH4rd $T4Llm4N pL@n5 T0 SupPORT THI5, @nD H0pe5 th4+ TEH GrEat 5w3d3 H1M53lPH, l1nuX T0Rv@Ld15, woN'+ oBJ3cT t0 Ren4miNg L1nUX t0 V8/L1nux. 4l+H0UGh N0+ @ C C0D3R h1MseLPH, 1'm +0LD +h4T 5L45HD0+'$ V3ry 0WNzoR 4dM1R4L T4c0 w1LL $uPpORt tH15 0N H1$ w38 5i+3. pHIN4LLY, d3NN15 ri+cH13 I$ 3xc1t3D AbOut Th3 $wI+cH!

      +H@NK j00 F0r yOUR +iMe. H@PPy C0D1Ng.

      3gG Tr0ll

    3. Re:C: A Dead Language? by Anonymous Coward · · Score: 0

      NIGGAH PLEASE!

      got kfc?

    4. Re:C: A Dead Language? by jjeffrey · · Score: 1

      >I feel that C needs to be retired, much the same way that Fortran, Cobol and Perl have been

      What makes you say Perl has been retired? From the number of scripts I write using it, the number of systems I see glued together by it and the sheer volume of Websites using it, I would say it is anything but a retired language.

    5. Re:C: A Dead Language? by egg+troll · · Score: -1

      Oh. Perhaps you didn't get the notice, but Larry Wall has asked all Perl developers to migrate to Python. You are right that there currently are sites using Perl. However, no more will be built, and those that are using Perl will be retrofitted with the vastly superior Python.

      --

      C - A language that combines the speed of assembly with the ease of use of assembly.

    6. Re:C: A Dead Language? by Anonymous Coward · · Score: -1, Offtopic

      hellotest

    7. Re:C: A Dead Language? by Anonymous Coward · · Score: -1, Offtopic

      testtesttest

  2. Some words from an AOL member about hell by Genghis+Troll · · Score: -1

    The Terrors of

    "So it will be at the end of the age; the angels shall come forth, and take out the wicked from among the righteous, and will cast them into the furnace of fire; there shall be weeping and gnashing of teeth" (Matthew 13:49-50).
    The doctrine of hell is one of the most neglected doctrines in all of Scripture. When hell is mentioned today, it is generally ridiculed, as if the whole idea of hell were so old-fashioned that only the naive and ignorant would really believe that such a place actually exists. This is not hard to understand. Natural men hate the idea of being held accountable for their lives to a holy God, because they love sin and do not wish to part with it. The carnal mind throws up objection after objection to the idea of hell because it does not want to face the reality of it. Men live their lives thinking that maybe if they ignore a difficulty long enough, it will go away. Even conservative religious leaders are now attacking hell. Let men do what they will, the frivolous objections of the foolish will not do away with hell.
    Amid the clamour to annihilate hell, those who believe the Bible to be true must stand and speak. Your consideration of the terrors of hell may be one of the most important things you can do in this life. "Then he who hears the sound of the trumpet, and does not take warning, and a sword comes and takes him away, his blood will be on his own head" (Ezekiel 33:4). Please, I implore you, invest the time it takes to read this chapter and book to the end.

    Why should we be so concerned about hell? Why should we spend time reading about hell? There are several reasons why it is profitable to do so:
    1) Hearing about the terrors of hell may shock your conscience and awaken you out of your false security.
    2) Hearing about hell helps to deter men from committing sin. Both the godly and the ungodly are persuaded not to sin as much when they are regularly reminded of the terrors of hell.
    3) Hearing about the terrors of hell may help to awaken those among us who may think they are saved because they believe in Christ or the facts of the gospel, but who are not really saved and are on their way to hell, but don't know it.
    4) Preaching the doctrine of hell is profitable to both the godly and the ungodly alike, as will be demonstrated.
    Why aren't people fearful of hell? There seems to be a real lack of fear today of the reality of hell. This applies to both those who are in the church and those who are in the world. People are not afraid of hell. Why?
    You would not be afraid of a lion when it is only painted in a picture upon a wall. Why is this? Because it is only a picture. You know that it is not real. But if you were left alone in a jungle and came face to face with a real lion that growled ferociously at you, you would be terrified. The consciences of men are much like the man who only views the painted lion. We hear of hell in the Bible. We know that the Lord Jesus spoke of hell. In fact, Christ spoke more of hell than anyone else in the Scriptures. Why do men not believe hell is real? Because they do not hear enough about it. We don't study what the Scriptures say about hell. It is not just what we hear which makes up what we believe, it is what we don't hear as well which helps to form our belief system. Only the Spirit of God can present the terrors of hell to our hearts in such a way as to see them alive before us. The doctrine of hell has been used by God more often to the conversion of sinners than any other doctrine in the Scriptures. Pray now that as you read this chapter the Holy Spirit will set hell before you as real indeed.

    THE NECESSITY OF HELL
    Most who scoff at hell today probably do so for several reasons. Primary among them is a desire to pursue their own paths of sin without having their consciences troubled about the consequences of their actions. They do not want to hear that what they are doing is wrong. They do not want to hear that their sin will be punished. I can hear someone say, "But isn't eternal torment in hell inconsistent with a merciful and loving God? How could a good God punish people in hell forever?" A misunderstanding of the character of God and the nature of sin can easily lead to such questions. Why is hell necessary? Let us examine several reasons for the necessity of hell.
    1) The Great Evil in Sin and the Holiness of God. The difficulty most people have in understanding the necessity of hell is related to an incomplete and inadequate understanding of both how awful sin is and how glorious God is. We do not see what a great evil is in the least sin, nor do we understand God's holiness, His justice, and His wrath. If we saw sin as the greatest evil in the world and realized that every sin is a rejection of God's rule over us, a sneering at Him, a shaking of our fist in His face, and a hurling of dung at Him, we would begin to understand a small bit of what our sin is like to God. Every time we sin, we either set ourselves, or a pet lust, up in our hearts as a rival god. Sin rejects the Creator as God and sets up the creature in His place.
    If we could comprehend God's holiness and what it means to be holy, pure, perfect, upright, and untainted by the least sin, we would have a better idea of why God hates sin so much. Absolute holiness cannot tolerate the least sin, "Thine eyes are too pure to approve evil, and Thou canst not look on wickedness with favor" (Habakkuk 1:13). If we could understand the glorious holiness and purity of God and also the abominable nature of sin more, then we would have no problem with the absolute necessity of hell.
    "The heart is more deceitful than all else and is desperately sick; who can understand it?" (Jeremiah 17:9). The human heart is sick. The human heart is wicked. The human heart is deceitful. The corruption in the heart causes us to be deceived about the awfulness of sin as well as many other things.
    2) God's Infinite Nature. In understanding what our sin is really like, we must view it through the eyes of God. God is an infinite, eternal being. Every act of sin is committed against an infinite, holy God. In every act of sin we dethrone God and set ourselves above God. In every sin this question is the issue, "Whose will shall be done, God's will or man's? Now, man by sin sets his own will above the Lord's, and so kicks God as filth under his feet."1 A single act of sin committed against a holy, infinite God deserves infinite punishment. It is an infinite evil to offend an infinite God even once.
    3) Divine Justice. Even one sin against God calls for God to vindicate His name and His justice by punishing it as fully as it deserves. God can and will vindicate His justice. He promises to do so in Romans 12:19 where it says, "leave room for the wrath of God, for it is written, `Vengeance is mine, I will repay, says the Lord.'" One of the greatest preachers that ever lived, Jonathan Edwards, wrote, "The glory of God is the greatest good; it is that which is the chief end of creation; it is of greater importance than anything else. But this is one way wherein God will glorify Himself, as in the eternal destruction of ungodly men He will glorify His justice. Therein He will appear as a just governor of the world. The vindictive justice of God will appear strict, exact, awful, and terrible, and therefore glorious."2

    A DESCRIPTION OF HELL
    Hell is a furnace of unquenchable fire, a place of everlasting punishment, where its victims are tormented in both their bodies and their minds in accordance with their sinful natures, their actual sins committed, and the amount of spiritual light given to them, which they rejected. Hell is a place from which God's mercy and goodness have been withdrawn, where God's wrath is revealed as a terrifying, consuming fire, and men live with unfulfilled lusts and desires in torment forever and ever.
    In Matthew 13:47-50 the Lord Jesus tells a parable relating to the judgment. In verses 49-50, the Lord describes the fate of the wicked: "So it will be at the end of the age; the angels shall come forth, and take out the wicked from among the righteous, and will cast them into the furnace of fire; there shall be weeping and gnashing of teeth."
    In examining these words of the Lord Jesus we should first notice that hell is described as being a furnace of fire. Nebuchadnezzar's furnace was heated seven times hotter than normal and is described as "a furnace of blazing fire" (Daniel 3:23). John the Baptist spoke of "unquenchable fire" and Revelation describes hell as "a lake of fire burning with brimstone" (Revelation 19:20). Can we really imagine the horror of which these words speak? Imagine every part of your body on fire at the same time, so that every fiber of your being felt the intense torment of being burned. How long could you endure such punishment? Christ tells us that "there shall be wailing and gnashing of teeth." The lost will wail and gnash their teeth from having to endure the most intense pain and suffering they have ever felt as the flames consume them and constantly burn every part of their bodies. And there will be no relief.
    Jonathan Edwards describes in graphic language what the fires of hell will be like: "Some of you have seen buildings on fire; imagine therefore with yourselves, what a poor hand you would make at fighting with the flames, if you were in the midst of so great and fierce a fire. You have often seen a spider or some other noisome insect, when thrown into the midst of a fierce fire, and have observed how immediately it yields to the force of the flames. There is no long struggle, no fighting against the fire, no strength exerted to oppose the heat, or to fly from it; but it immediately stretches forth and yields; and the fire takes possession of it, and at once it becomes full of fire. Here is a little image of what you will be in hell, except you repent and fly to Christ. To encourage yourselves that you will set yourselves to bear hell-torments as well as you can, is just as if a worm, that is about to be thrown into a glowing furnace, should swell and fortify itself, and prepare itself to fight the flames."3
    Hell is also described as a place of darkness. The Lord tells us of the guest without wedding clothes who was cast "into outer darkness" (Matthew 22:13). Jude writes of those in hell "for whom the black darkness has been reserved forever" (Jude 13). Christopher Love says in his work Hell's Terrors: "darkness is terrible, and men are more apt to fear in the dark than light: hell is therefore set forth in so terrible an expression, to make the hearts of men tremble; not only darkness, but the blackness of darkness".4
    Hell is compared to Tophet in Isaiah 30:33. Tophet was the place where the idolatrous Jews sacrificed their children to the heathen god Molech by casting them into the fire. Day and night shrieks and howls were heard in that place, as day and night shrieks, howls, and wailing are heard in hell.
    Isaiah speaks of "the breath of the Lord, like a stream of brimstone" setting hell ablaze. There is good evidence from the Scriptures that God Himself will be the fire in hell. Hebrews 12:29 says, "Our God is a consuming fire." The ungodly on earth ignorantly dance for joy when they hear pastors speak about the love and mercy of God, but they will be the beneficiaries of neither, unless they repent. To them God will be an all-consuming fire. Hebrews 10:30-31 warns: "For we know him who said, `Vengeance is Mine, I will repay,' And again, `The Lord will judge His people.' It is a terrifying thing to fall into the hands of the living God." It is a fearful thing, it is a terrible thing to fall into the hands of the living God! You shall not escape hell, sinner. God will be your hell and His wrath will consume you and be poured upon you as long as He exists. "Who understands the power of Thine anger?" (Psalm 90:11). It is because God Himself will be the fire in hell that words cannot possibly express the terrors of the damned in hell. "There is no reason to suspect that possibly ministers set forth this matter beyond what it really is, that possibly it is not so dreadful and terrible as it is pretended, and that ministers strain the description of it beyond just bounds...We have rather reason to suppose that after we have said our utmost, all that we have said or thought is but a faint shadow of reality."5
    In Luke 16:19-26 Christ tells us of two men. One of them was rich (he has traditionally been called Dives); the other man was poor (his name was Lazarus). Both men died. The poor man was carried by angels to heaven and the rich man went to hell. The rich man did not go to hell because he was rich, nor did the poor man go to heaven simply because he was poor. The Lord shows us through this contrast that our circumstances may change drastically when we pass from time into eternity. We are not to be fooled that just because God may not have dealt harshly with us here, that he will not do so after death. The eternal abiding place of both men resulted from the condition of their hearts before God, while they were on earth. Lazarus was a true follower of God. Dives was not. We want to carefully note what the Scriptures tell us about Dives and his condition, for from that we may learn much about hell. Verses 23-24 indicate to us that Dives is "in torment." What does it mean to be "in torment?" This torment refers to both torment in body and torment in soul as well. As we have seen, men's bodies will be tormented in a furnace of fire. Every part of the body will feel the pain of that fire. Men with severe stomach pains can be in great agony from that alone, but this pain will be far greater. Death from cancer is sometimes said to cause extreme pain in the body, but the pain of hell will be far worse. If your body were afflicted with many different and painful diseases all at the same time, you still would not begin to approach the pain of the damned in hell.
    Men's consciences shall be in torment in hell as well. Conscience is the worm that will not die which the Scriptures speak of (Mark 9:48; Isaiah 66:24). Dives is told to "remember that during your life." Men will be tormented with extreme pain, but they will also be tormented by their own memories. They will remember hearing of hell and scoffing at it. They will remember being warned and told to repent or told that accepting the blessings of heaven without submitting to Christ as Lord falls short of salvation, but they took no heed to those warnings. They will be tormented by seeing at a distance the glories of heaven (as Dives was able to do), and knowing that for all eternity they will be damned. They will be tormented by unfulfilled desires and unfulfilled lusts (Dives is not able to receive even a drop of water to cool his tongue). They will be tormented by the knowledge that they will never escape from hell (Dives is told that "neither can you pass to us"). They will be tormented by the cries, shrieks, and curses of the damned around them. The most extreme torments a man can experience on earth will be like flea bites compared to the torments of hell.
    Jonathan Edwards speaks of men unable to find even a moment of relief in hell in his sermon on The Future Punishment of the Wicked: "Nor will they ever be able to find anything to relieve them in hell. They will never find any resting place there; any secret corner, which will be cooler than the rest, where they may have a little respite, a small abatement of the extremity of their torment. They never will be able to find any cooling stream or fountain, in any part of that world of torment; no, nor so much as a drop of water to cool their tongues. They will find no company to give them any comfort, or do them the least good. They will find no place, where they can remain, and rest, and take breath for one minute: for they will be tormented with fire and brimstone; and they will have no rest day nor night forever and ever."6

    THE ETERNITY OF HELL
    The most terrifying aspect of all about hell is its length or duration. Hell is eternal. Hell will last forever. Can you comprehend eternity? No mathematical equation or formula can explain it. Your mind cannot conceive of eternity, but it is nonetheless real. This aspect of hell alone should cause men to cry out in repentance. It is not surprising that skeptics of all ages have attacked the eternal nature of hell, substituting doctrines like the annihilation of the wicked in its place. Let us look at the Scriptures to verify the eternal nature of hell and to try and understand eternity better. Then we will explore why hell must be eternal.
    "And the devil who deceived them was thrown into the lake of fire and brimstone, where the beast and the false prophet are also; and they will be tormented day and night forever and ever" (Revelation 20:10). This verse clearly gives us the duration of hell. Hell is forever and ever. How could a stronger, more certain expression be used? If the Spirit of God wanted to communicate the eternal nature of hell to men what could communicate it better than the expression "forever and ever?" The Scripture has no higher expression which is used to denote eternity than "forever and ever" for it is the very phrase used to tell us of the eternal existence of God Himself, as in Revelation 4:9: "to him who sits on the throne, to Him who lives forever and ever." Does anyone doubt that God will live to all eternity? How then can you doubt that hell will not last to all eternity when the same expression is used for both?
    "We can conceive but little of the matter; but to help your conception, imagine yourself to be cast into a fiery oven, or a great furnace, where your pain would be as much greater than that occasioned by accidentally touching a coal of fire, as the heat is greater. Imagine also that your body were to lie there for a quarter of an hour, full of fire, and all the while full of quick sense; what horror would you feel at the entrance of such a furnace! and how long would that quarter of an hour seem to you! And after you had endured it for one minute, how overbearing would it be to you to think that you had to endure the other fourteen! But what would be the effect on your soul, if you knew you must lie there enduring that torment to the full for twenty-four hours...for a whole year...for a thousand years! Oh, then, how would your hearts sink, if you knew, that you must bear it forever and ever! that there would be no end! that after millions of millions of ages, your torment would be no nearer to an end, and that you never, never should be delivered! But your torment in hell will be immensely greater than this illustration represents."7
    Christ, describing the great day of judgment, tells of the separation of the wicked and the righteous using these words: "And these will go away into eternal punishment, but the righteous into eternal life" (Matthew 25:46). Is there anyone who would deny that heaven exists eternally? Will the lives of the blessed in heaven be brought to an end one day? Of course not. But the same Greek word is used here in this verse to speak of the eternal life of the righteous and the everlasting punishment of the wicked. Hell will last as long as heaven does.
    In hell there will be different degrees of torment appointed to men as indicated by a number of Scriptures. Luke 12:47-48 says: "And that slave who knew his master's will and did not get ready or act in accord with his will, shall receive many lashes, but the one who did not know it, and committed deeds worthy of a flogging, will receive but few." Christ says in Matthew 11:24: "Nevertheless I say to you that it shall be more tolerable for the land of Sodom in the day of judgment, than for you." The verses in Matthew indicate that the people in Capernaum will receive a greater punishment on judgment day than those who had lived in Sodom. The verses in Luke speak of a differentiation in judgment based on the amount of light received: some will receive many stripes and others will receive few.
    Those who commit greater sins than others or more sins than others will receive greater punishment in hell (John 19:11). Religious hypocrites, those who profess Christianity but are not real Christians, will be punished more severely than others (Matthew 23:14-15). The Lord said of Judas Iscariot, "It would have been good for that man if he had not been born" (Matthew 26:24). How could any of these things be said to be true if annihilation were what awaited men after death? The presence of different degrees of punishment only makes sense in light of the ability to sensibly feel the torment. Could it be said that it would have been better for Judas if he had never been born if annihilation was all that awaited him? Annihilation is like no punishment at all.
    Each time the unbeliever sins he is adding to his torment in hell. The person who sins twice as much as another with similar light will receive twice as much punishment. Every day that sinners continue to live and breathe here on earth without repenting, they are adding to their torments in hell. Romans 2:5 tells us: "But because of your stubbornness and unrepentant heart you are storing up wrath for yourself in the day of wrath and revelation of the righteous judgment of God." The Lord Jesus encouraged the righteous to lay up treasures in heaven rather than on earth. The wicked are increasing their future wrath and torment in hell every day by their continued sinning. They add to their punishment daily. In hell men will wish that they had never been born.
    Charles Haddon Spurgeon said: "In hell there is no hope. They have not even the hope of dying--the hope of being annihilated. They are forever--forever--forever lost! On every chain in hell, there is written "forever". In the fires there, blaze out the words, "forever". Above their heads, they read, "forever". Their eyes are galled and their hearts are pained with the thought that it is "forever". Oh, if I could tell you tonight that hell would one day be burned out, and that those who were lost might be saved, there would be a jubilee in hell at the very thought of it. But it cannot be--it is "forever" they are cast into the outer darkness."8
    Christopher Love uses an illustration to try and help us understand what eternity means: "Suppose all the mountains of the earth were mountains of sand, and many more mountains still added thereto, till they reached up to heaven, and a little bird should once in every thousand years take one (grain of) sand of this mountain, there would be an innumerable company of years pass over before that mass of sand would be consumed and taken away, and yet this time would have an end; and it would be happy for man, if hell were no longer than this time; but this is man's misery in hell, he shall be in no more hope of coming out after he hath been there millions of years, then he was when he was first cast in there; for his torments shall be to eternity, without end, because the God that damns him is eternal."9
    Earlier we looked at the necessity of hell or why there must be a place like hell. Now we will look at why hell must not only exist, but why it must exist eternally. Why is it necessary that hell be eternal? There are several answers to this which we shall explore briefly.
    The first reason we will look at is the one mentioned by Christopher Love in the passage just quoted. The God who damns men is an eternal God. "Ultimately the eternality of hell is based upon the nature of God."10 Is God's Word eternal? Is God's nature eternal? The Scripture tells us: "Jesus Christ is the same yesterday and today, yes and forever" (Hebrews 13:8). "His righteousness endures forever" (Psalm 111:3). "The Word of the Lord abides forever" (I Peter 1:24). If God's Word is eternal, if God's righteousness is eternal, if God Himself is eternal, then why shouldn't His wrath be eternal as well? As eternally existent, all of God's attributes are eternal and immutable; therefore, hell, as an expression of God's wrath, must be eternal.
    Hell must be eternal because God's justice could never be satisfied by the punishment of sinners no matter how long it lasts. Christ makes this clear when He speaks about settling with your accuser before you get to court, otherwise you shall be cast into prison and "I tell thee, thou shalt not depart thence, till thou hast paid the very last mite" (Luke 12:59). Man can do nothing to pay for his sins. No amount of punishment in hell, no matter how long, can ever atone for sins. It is impossible; therefore, hell must be eternal.
    Thirdly, hell must be eternal because the Scriptures tell us that the worm which gnaws the conscience of men in hell never dies. "For their worm shall not die, and their fire shall not be quenched" (Isaiah 66:24). If the worm never dies, then those being tormented by the worm shall never die.
    Lastly, hell will be eternal because men continue to sin in hell. They increase and compound their guilt there. Hell is a place where tormented men curse God, curse themselves, and scream and wail with blasphemous language at their fellow men around them. Wicked men will increase each other's torments as they accuse, blame, and condemn one another. Men will not repent in hell because the character of sinners does not change. They remain sinners. Men will sin to eternity, therefore, God will punish them eternally.

    APPLICATION TO BELIEVERS AND UNBELIEVERS
    The Old Testament prophets warn us repeatedly of the dangers of hell: "Who among us can dwell with everlasting burnings?" (Isaiah 33:14, KJV). "Who can stand before His indignation? And who can endure the burning of His anger? His wrath is poured out like fire" (Nahum 1:6). Sinner, are you so arrogant as to think you can bear the wrath of God poured out in full measure upon you? You may think that hell is not so hot and that you will be able to bear it quite well. If you believe that you are more than a fool. The terrors of hell cause the devils to tremble and are you so foolish as to be unmoved by them or make light of them?
    Do not think that simply because you go to church, or believe in God, or believe intellectually in the truths of Christianity that you will escape hell. The majority of those who regularly attend churches every week, all over the world, will go to hell. Thomas Shepard, pastor and founder of Harvard University, wrote: "Formal professors and carnal gospelers have a thing like faith, and like sorrow, and like true repentance, and like good desires, but yet they be but pictures; they deceive others and themselves too...most of them that live in the church shall perish."11
    You who profess to be Christians, but do not read your Bible much and pray little: how shall you escape the damnation of hell? You who are not especially bothered by little sins or troubled by the vain and filthy thoughts which you have: are you ready to go to hell? You who think the kingdom of God consists in a verbal profession of Christ or intellectually believing that Jesus died for your sins, but who are not concerned with living a holy, godly life and give little or no thought to God during the week: are you prepared to endure the torments of hell, day and night, forever and ever? You had better be, because if these things are true of you, you are headed straight for hell, unless you repent. Do not delude yourself! Christianity does not consist in words, or pious statements, or mere intellectual belief, but in a new heart and a new life dedicated to not sinning and living for the glory of God. If your heart and life have not been changed by God, you are still in your sins. If you are living in known disobedience to the word of God and are unconcerned about it, you have no right to assume you are going to heaven: you are on your way to hell! Repent of all your sins and turn to Jesus Christ and surrender to Him as Lord. Listen to the words of Christ: "If your eye causes you to stumble, pluck it out, and throw it from you. It is better for you to enter life with one eye, than having two eyes, to be cast into the fiery hell" (Matthew 18:9). "Nothing short of the complete denying of self, the abandoning of the dearest idol, the forsaking of the most cherished sinful course--figuratively represented under the cutting off of a right hand and the plucking out of a right eye--is what He claims from every one who would have true communion with Him."12 But remember, the difficulty involved in forsaking all for Christ is nothing compared to spending eternity in hell.
    I do not believe anyone can be scared into heaven, but I do believe they can be scared away from hell, so that they might begin to seek God with all their hearts, and to beg Christ to have mercy on them. Men stand on the brink of the pit of hell and are ready to fall headlong into it and yet they are completely unaware they are in any danger. If hearing about hell can cause otherwise senseless men to consider eternal truths, then preaching about hell is valuable indeed. It is better to view hell now, while you are living, and be terrified by it, than to have to endure hell forever when you die.
    I would not have you to be more afraid of hell than of sin. Sin is your real enemy. Sin is worse than hell because sin gave birth to hell. Would you be willing to go to hell for all eternity for the enjoyment of a little pleasure and lust here on earth? Flee from sin! Flee from living for self and self-pleasing to Jesus Christ. When you die it will be too late. All opportunity to repent ends at death.
    This doctrine is useful to the godly as well as the ungodly. The doctrine of hell should stir up within the righteous a fear of God. A godly fear is useful in many ways. The one who has a fear of God in his heart has a greater respect for the commandments of God. He who truly fears God will not fear men and would rather displease men than God (Isaiah 8:12-13). This doctrine should increase your faithfulness and joy in Christ that you have been delivered from the torments of hell and should likewise increase your love for Christ who endured the wrath of God upon the cross for you.
    The doctrine of hell should stir up within you a fear of sin. It should cause us to fear even little sins and be careful to confess and forsake sins of the heart and thought life also. Let the doctrine of hell keep you from the practice of sin.
    The doctrine of hell should help the godly to be patient under all outward, temporary afflictions which come to them. No matter how great your afflictions are in this world, they are far less than the torments of hell from which the Lord has freed the godly. You may have to undergo lesser torments while on earth, but remember they are only temporary and you have been freed from the greatest of all torments so you may rejoice even in a time of affliction.
    This doctrine is useful to motivate you to tell others of the message of Christ. Eryl Davies wrote in his book The Wrath of God: "The eternity of hell's sufferings should make us the more zealous and eager to tell people of the only One who is able to rescue them. Do we shrink from declaring these solemn truths? Does the thought of hell displease us? Remember that God will be glorified even through the eternal sufferings of unbelievers in hell. His injured majesty will be vindicated...What is supreme in the purpose of God in the election and reprobation of men is His own glory, and hell also will glorify the justice, power, and wrath of God throughout eternity. In the meantime it is our responsibility to pray and work for the salvation of sinners before such awful punishment overtakes them."13
    I cannot leave without one final word to those who think they are converted, but are not; and also, to those who know themselves to be unconverted. Can you conceive of eternity? Stop now and try to imagine being tormented unceasingly, forever, without end. Does this not terrify you? Never a chance for a moment's rest. Never a drop of water to cool your parched throat. Think again of how long eternity is. Try to imagine it: day and night, forever and ever, burned with fire like a spider in a furnace of flames. Shrieking, howling, wailing, cursing the day you were born, and being cursed by the devils and damned souls around you eternally. Remembering, forever remembering, how you were warned on earth and how you ignored those warnings: self-satisfied and self-deceived that all was well with your soul. Job's wife told him to curse God and die. Unless you repent and flee to Jesus Christ, who is your only hope, you shall curse God eternally and be tormented by Him in His presence in the awful fullness of His wrath, and you shall never die. You shall never die. You shall never die! Eternity is forever!

    1 Thomas Shepard, The Works of Thomas Shepard, Volume 1, (New York: AMS Press, 1967), p. 94.
    2 Jonathan Edwards, The Works of Jonathan Edwards, Volume 2, (Edinburgh: Banner of Truth, 1974), p. 87.
    3 Ibid, p. 82.
    4 Christopher Love, Hell's Terrors, (London: T. M., 1653), p. 19.
    5 Jonathan Edwards, The Works of Jonathan Edwards, Volume 2, (Edinburgh: Banner of Truth, 1974), p. 884.
    6 Ibid, p.80.
    7 Ibid, p. 81.
    8 Charles Haddon Spurgeon, The New Park Street Pulpit, Volume 1, (Grand Rapids: Baker Book House, 1990), p. 308.
    9 Christopher Love, Hell's Terrors, (London: T. M., 1653), pp. 54-55.
    10 John Gerstner, Heaven and Hell, (Grand Rapids: Baker Book House, 1991), p. 77.
    11 Thomas Shepard, The Works of Thomas Shepard, Volume 1, (New York: AMS Press, 1967), p. 58.
    12 A. W. Pink, Studies in the Scriptures, January 1932, p. 18.
    13 Eryl Davies, The Wrath of God, (Mid Glamorgan, Wales: Evangelical Press of Wales, 1984), p. 59.

    The Terrors of Hell is copyrighted 1992 by William C. Nichols. You may download this text for your own personal use. Should you desire additional printed copies of The Terrors of Hell you may obtain them from: International Outreach, Inc., P. O. Box 1286, Ames, Iowa 50014 for $25/100 copies+ $5 postage. We also have other tracts and books available. Also please visit our other sites The Torments of Hell, The Narrow Way, Revival Sermons of Jonathan Edwards, The Glory of Heaven, and Suicide: Gateway to Peace?

    International Outreach, Inc.
    P. O. Box 1286, Ames, Iowa 50014 USA
    e-mail: wnichint@aol.com

  3. My first post on slashdot is first post. .. HA! by Anonymous Coward · · Score: -1, Offtopic

    God ... don't we wish we were all this lame...

    1. Re:My first post on slashdot is first post. .. HA! by FreshPondPhil · · Score: -1

      It is official; Netcraft confirms: Cum Guzzeling AC's are dying

      One more crippling bombshell hit the already beleaguered Cum Guzzeling AC's community when IDC confirmed that Cum Guzzeling AC's market share has dropped yet again, now down to less than a fraction of 1 percent of all trolls. Coming on the heels of a recent Netcraft survey which plainly states that Cum Guzzeling AC's have lost more market share, this news serves to reinforce what we've known all along. Cum Guzzeling AC's are collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

      You don't need to be a Kreskin to predict Cum Guzzeling AC's future. The handwriting is on the wall: Cum Guzzeling AC's face a bleak future. In fact there won't be any future at all for Cum Guzzeling AC's because Cum Guzzeling AC's are dying. Things are looking very bad for Cum Guzzeling AC's. As many of us are already aware, Cum Guzzeling AC's continue to lose market share. Red ink flows like a river of blood.

      First Post Cum Guzzeling AC's are the most endangered of them all, having lost 93% of their core trolls. The sudden and unpleasant departures of long time First Post Cum Guzzeling ACs I'm going to kick your ass when I see you guy and Post Frist only serve to underscore the point more clearly. There can no longer be any doubt: First Post Cum Guzzeling ACs are dying.

      Let's keep to the facts and look at the numbers.

      Chode swallowing AC leader AC states that there are 7000 Chode swallowing ACs. How many ass reaming ACs are there? Let's see. The number of Chode swallowing ACs versus ass reaming AC posts on Slashdot are roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 Ass reaming ACs. Ball licking AC posts on Slashdot are about half of the volume of Ass reaming ACs. Therefore there are about 700 Ball licking ACs. A recent article put Chode swallowing ACs at about 80 percent of the Cum Guzzeling AC's market. Therefore there are (7000+1400+700)*4 = 36400 Chode swallowing ACs. This is consistent with the number of Chode swallowing ACs Slashdot posts.

      Due to the troubles of Walnut Creek, abysmal sales and so on, Chode swallowing ACs went out of business and was taken over by Shit eating ACs who post more worthless drivel. Now Shit eating ACs is also dead, its corpse turned over to yet another charnel house.

      All major surveys show that Cum Guzzeling AC's has steadily declined in market share. Cum Guzzeling AC's are very sick and their long term survival prospects are very dim. If Cum Guzzeling AC's are to survive at all it will be among troll dilettante dabblers. Cum Guzzeling AC's continue to decay. Nothing short of a miracle could save them at this point in time. For all practical purposes, Cum Guzzeling AC's are dead.

      Fact: Cum Guzzeling AC's are dying

      --

      --Mad propz to the homies cruisin the CVS parking lot.
  4. ssh is great by dcstimm · · Score: 1

    to bad that its not default on EVERY **nix

    1. Re:ssh is great by The_Final_Word · · Score: 1

      ??????? What about the portable version ???????

      http://www.openssh.com/portable.html

      --
      The Final Word
    2. Re:ssh is great by Sc00ter · · Score: 2
      uhh, -DEFAULT- is the key word. If it's not the default remote shell, installing it doesn't make it any more the default.

    3. Re:ssh is great by Anonymous Coward · · Score: 0


      ssh is installed and enabled by default on solaris 9.

    4. Re:ssh is great by Anonymous Coward · · Score: 0

      you meant to spell "too" not "to" cause "too" means also and "to" is like if you're going "to work"

      you are the stupidest motherfucker on earth

    5. Re:ssh is great by Shanep · · Score: 2

      If your *nix doesn't use ssh by default for remote logins, maybe it's not worth using that *nix, if that is a measure of their security policies.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    6. Re:ssh is great by Anonymous Coward · · Score: 0

      ssh is in solaris 9

    7. Re:ssh is great by Tuck · · Score: 1
      to bad that its not default on EVERY **nix

      It's not there yet but it's heading that way. Of the platforms I work with regularly:

      Redhat have shipped OpenSSH since 7.0
      Sun ships a modified OpenSSH with Solaris 9.
      IBM ship OpenSSH on the AIX5 bonus pack CD (also downloadable)
      HP provide a native OpenSSH package for HP-UX 11+

      They're all native packages and they're all supported.

      --
      $ find /pub -beer "James Squire Amber Ale" -drink
    8. Re:ssh is great by Anonymous Coward · · Score: 0
      It is with great sadness that I bring you this news: *BSD is dead.

      It was at 4:25am on the morning of April 15th 2002 that, after many failed attempts to resuscitate the dying OS, *BSD finally passed away. While *BSD has been in its death throes for many months now and its death has been foreseen for many years, this is still a very sad moment; a great loss for OS dilettante dabblers and *BSD lovers the world over. Though *BSD has passed away, it will surely be fondly remembered for years to come by users, developers, and trolls alike. Even if you didn't enjoy using *BSD, there's no denying its contributions to popular OS culture. Truly a Berkeley icon. It will be missed :(

  5. OpenSSH? by Anonymous Coward · · Score: -1, Troll
  6. *BSD is dying by MMMMMMMMMMMMMMMMMMMM · · Score: -1

    Netcraft has now confirmed: *BSD is dying

    Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.

    You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.

    Let's keep to the facts and look at the numbers.

    OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

    Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

    All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

    *BSD is dying


  7. Slashdot to English by ReluctantBadger · · Score: 4, Funny

    1st Official Slashdot to English Translator-matic
    • "There's a sourceforge project creating just what you're looking for..."
      "Me and a bunch of people got drunk, thought we could code, submitted the idea and produced a fancy web page. It's now two years later and the project has no files to download and is STILL on Stage 1, Planning."

    • "That's the beauty of UNIX - Lots of little tools which can be used together. Far more flexible!"
      "I've been reading UNIX in a Nutshell for SVR4 and fuck knows what any of this flags stuff is about"

    • "Linux is far more secure than Windows. My box has never been hacked."
      "I can install Red Hat from a bootable CD. The machine is not connected to a network and all I do all day is type ps, pwd and ls. I'm so l33t."

    • "You might want to try going to college and learning about this stuff!"
      "My folks are rich enough to send me off for further education. I am now in an uber-elite crowd of know-it-alls and I am here to belittle you. Fear me."

    • "Microsoft products are soooo insecure!"
      "I've spent the last two years being subjected to biased slashdot propaganda. I couldn't hack into a properly configured windows system if my life depended on it."

    • "We should file an antitrust lawsuit against Sony"
      "I've spent far too much time absorbing bullshit ideals from anarchists. The truth of the matter is, I just don't want to pay for anything whatsoever. Britney CDs should be free because I think that somehow the constitution protects my illegal copying and distribution under some freedom of speech law or fair use act. Even though I don't have to go out and buy luxury items, I'm gonna whinge and bitch anyway"

    • "Have you considered using Linux?"
      "I've only been using it for a week, and now my hardcore wannabe techno friends think I'm a guru. I now recommend it to everybody based upon what I've read at slashdot."

    • "Don't you find that parsing this bitset through the compliation alogirithm that is piped out through GCC on a command line echo really works well for logarithmically sound sine wave matcher?"
      "Somebody please shoot me several times in the head. I am fucking clueless."

    • "If they join all the state drivers licence databases together, they'll be able to track me! How do I change my identity?"
      "I'm too fucking dense to realise that this has been going on for over 15 years already, and I've just finished reading 1984. Go figure."


    1. Re:Slashdot to English by zootread · · Score: 1

      That was actually really funny, you should put it in your journal.

      "Microsoft products are soooo insecure!"
      "I've spent the last two years being subjected to biased slashdot propaganda. I couldn't hack into a properly configured windows system if my life depended on it."


      That's true. If I'm going to hack a system, I'm going to hack *NIX, because it's what I know. I wouldn't know what to do if I even got into a Windows system. Though I once remotely got to the "C:\>" prompt on an NT box. I ended up accidentally crashing the box by running a command that wouldn't display over telnet.

      --
      Zoot!
    2. Re:Slashdot to English by ceejayoz · · Score: 2

      Seems to me format c: would do just fine for hacking a Windows box, if you managed to get the DOS prompt...

    3. Re:Slashdot to English by netsharc · · Score: 2, Offtopic

      We managed to get the Win3.1 Program Manager open on a Windows ME that was running IE in kiosk mode in a museum. After that it was easy to get the DOS prompt open, but after typing format C: and answering the Are you sure(Y/N)? with >Y, the program ended saying, "Cannot format drive C: There are shared files."

      That answered my age old wonder of what would happen if one tried to format the drive one was running Windows out of.

      We wondered how to download and install Linux on the box too, but gave up on the problem. Later, I thought it could be done like so: we could download a distro install disk and loadlin and make loadlin load the setup program through a line in autoexec.bat. It was quite funny considering we were visitors of a Linux event being held in the museum.

      --
      What time is it/will be over there? Check with my iPhone app!
    4. Re:Slashdot to English by zootread · · Score: 1

      Seems to me format c: would do just fine for hacking a Windows box, if you managed to get the DOS prompt...

      I don't consider wiping a system's drive hacking a box. That's not the kind of thing I'd want to do, it's just totally malicious and attracts too much attention. What I like to do is maintain control of a machine, being able to monitor connections (e.g. to sniff login/passwords) and to use the machine for my own purposes such as allowing me to get control of other machines. I couldn't even get telnet or ftp to work from this NT box I was using (so I couldn't run my own tools). With UNIX it is easy once you're in because all the tools you need are already installed.

      --
      Zoot!
    5. Re:Slashdot to English by Anonymous Coward · · Score: 0

      Or you could try fdisk and delete the partition. It's a bit faster.

    6. Re:Slashdot to English by archen · · Score: 1

      Actually (as said above) you'll get a "shared files" error. Generally you'll just need to do a listing of interesting directories, and insert a deltree for each of them in autoexec.bat - provided that you put "echo off" and "echo updating files ..." in there too. Also has the advantage that the person probably won't associate problems with what you did to their computer at that time, but instead will think something happened during reboot. Much more fun to randomly use recover.exe (if on the system) if you ask me...

    7. Re:Slashdot to English by Anonymous Coward · · Score: 0

      I was thinking along those lines too. If you managed to blow the partitions or format they would just restore or reinstall.

      If you go your route they would waste countless hours tracking, troubleshooting and trying to "fix" it. Much more of a time waster. While I don't do such things (seriously), I do spend time thinking about them to keep myself sharp at what someone could do to me if I get sloppy.

    8. Re:Slashdot to English by SN74S181 · · Score: 1

      That's an excellent way of getting the Museum to continue to hold Linux events.

    9. Re:Slashdot to English by Anonymous Coward · · Score: 0

      Not that I would ever do this...

      But why not place format, or any other deltree in the Autoexec.bat file. Do nasty damage on next reboot.

      Other options, kill the command.com, make it a text file. Edit the MSDOS.SYS file, delete the io.sys, rename win.com, run fdisk and remove the boot flag, or kill the partitions.

      Many, Many ways to disable a Windows machine.
      Also, if debug is available, you can do some nice FUBAR damage.

      But I'm not malicious, just many years of MSDOS/Win experience.

      :)

    10. Re:Slashdot to English by BlueUnderwear · · Score: 2
      That's an excellent way of getting the Museum to continue to hold Linux events.

      Linux doesn't belong in a Museum. Windows does!

      --
      Say no to software patents.
    11. Re:Slashdot to English by Anonymous Coward · · Score: 0

      Hmmmf. You're a sick and demented man, and I like you.

      Boot.ini isn't available for editing on systems running NTFS where you lack "Administrator" privilege. But you already knew that....

    12. Re:Slashdot to English by Anonymous Coward · · Score: 0

      try putting this in autoexec.bat:

      echo y | format c:

    13. Re:Slashdot to English by Anonymous Coward · · Score: 0

      actually, to be a little more stealthy:

      @echo off
      echo y | format c: > goodbye.txt

    14. Re:Slashdot to English by Anonymous Coward · · Score: 0

      We all know that *BSD is dying. It is common knowledge that *BSD is dying, that *BSD is mired in a mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but NetBSD may be hurting the most. Look at the numbers. The loss of user base for NetBSD continues in a head spinning downward spiral. OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts. Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyists (i.e. those who dabble with Minix, Xinu, etc). *BSD is already dead. It is a dead man walking.

    15. Re:Slashdot to English by Anonymous Coward · · Score: 0

      I think that illustrates the point quite well.

      You can't format C: if you booted off of it.

    16. Re:Slashdot to English by Grax · · Score: 1

      "If they join all the state drivers licence databases together, they'll be able to track me! How do I change my identity?"

      Currently there is no data to join on. They're using silly stuff like first name, last name, and birth date. Joining all the databases together will increase their ability to track you but it will also cause tons of headaches as license records for separate individuals will be joined because politicians aren't smart enough to realize that name and birth date aren't distinct across 250 million US citizens.

      I'm too fucking dense to realise that this has been going on for over 15 years already, and I've just finished reading 1984. Go figure.

      First of all, lack of awareness does not make one dense.

      The "Problem Driver Pointer System" was created 20 years ago but some states did not become involved until the mid to late 90s. So the fact that the system doesn't work and hassles a lot of innocent people doesn't seem to have been worked out yet. If your name is rare enough you may never have a problem but my first name is in the top 10 of male first names and my last name in the top 30 (http://www.census.gov/genealogy/names/). My sister's first name is in the top 10 female names and she has also had problems with false matches.

      The current system doesn't work. Trying to join all those databases together will cause tons of problems. If they do work out the kinks a single database will result in an increased ability to track individuals across state lines.

      As far as changing your identity, I say just be happy with who you are.

    17. Re:Slashdot to English by Anonymous Coward · · Score: 0

      I used a hexeditor to change the first 5 bytes of command.com to EA F0 FF FF F0, or I'm not really sure, it was ~5 years ago. Translates to JMP F000:FFF0 = reboot. The teacher had a very bad day trying to figure out why every computer in the computer class was rebooting continuously :)

    18. Re:Slashdot to English by Anonymous Coward · · Score: 0

      too long. only one-liners will do...

      @echo y | format C: >nul 2>nul

  8. Necessary and useful by l33t-gu3lph1t3 · · Score: 1

    One of the primary tenets of OpenBSD and NetBSD is security, correct? This is just another little bit of bytecode that improves security even more...

    --
    ------- "From bored to fanboy in 3.8 asian girls" ----------
    1. Re:Necessary and useful by Anonymous Coward · · Score: 0

      Isn't portability the primary tenet of NetBSD?

    2. Re:Necessary and useful by TMLink · · Score: 1

      I think you mean OpenBSD.

      --
      Every time a guy gets a threesome, somewhere in heaven an angel gets his wings. --Cary Tennis
    3. Re:Necessary and useful by GreenHell · · Score: 5, Informative

      Yes, portability is...

      Of the 3 major BSD's, NetBSD's goal is to run on as many platforms as possible, FreeBSD's goal is to create a reliable, free UNIX (it may not meet your definition of free, but that's another story), and OpenBSD's goal is to provide the most secure distro possible.

      --
      "I won't mod you down - I feel the need to call you a twit explicitly, rather than by implication."
    4. Re:Necessary and useful by Anonymous Coward · · Score: 0, Flamebait

      The Linux user's idea of freedom is warped and irrelevant. Pay no attention to any Linux user when the topic of "freedom" comes up.

    5. Re:Necessary and useful by Anonymous Coward · · Score: 0

      And Microsoft's idea of freedom is freedom to leverage their monopoly. Which is even worse.

    6. Re:Necessary and useful by __past__ · · Score: 4, Insightful
      FreeBSD's goal is to create a reliable, free UNIX (it may not meet your definition of free, but that's another story)
      I know it's probably unwise to make this up, but how exactly do you define "free" in a way it doesn't match FreeBSD's license?

      The usual complaint from people favoring the GPL is that it's not Copyleft, so it's free even for people not interested in freedom for anyone but themselves, but I think nobody - from the FSF to Microsoft - would say it is not free itself.

    7. Re:Necessary and useful by Jeremi · · Score: 5, Interesting
      but how exactly do you define "free" in a way it doesn't match FreeBSDs license? The usual complaint from people favoring the GPL is that it's not Copyleft, so it's free even for people not interested in freedom for anyone but themselves


      I think the GPL people would say that FreeBSD isn't Free in the "Free Willy" sense... GPL software cannot be captured back into proprietary software and made non-free again, whereas BSD licensed software can be (and often is). So while Linux code will always roam the wild plains, BSD code spends some of its time laboring in the Microsoft prison camps.... or something like that. :^)

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    8. Re:Necessary and useful by Anonymous Coward · · Score: 1, Insightful


      Code that's already out there will always be free to "roam the wild plains" ... it can't be made non-free again. People can base non-free derivative products off it but that still doesn't "un-free" the original code....

    9. Re:Necessary and useful by Anonymous Coward · · Score: 0

      Not really. They don't pretend what they give me provides me with freedom, they clearly view me as customer licensing their wares.

      His point was in reference to GPL vs BSD or perhaps even public domain, where the GPL proposes to be free but is "free as in not free."

    10. Re:Necessary and useful by Jeremi · · Score: 5, Insightful
      Code that's already out there will always be free to "roam the wild plains" ... it can't be made non-free again. People can base non-free derivative products off it but that still doesn't "un-free" the original code...


      Technically, you're correct, but in the larger view, there is a historical pattern where free code gets 'adopted' by a company, and the company adds lots of functionality to the free code, so that eventually the free code is no longer competitive, and everyone switches over to using the closed-source product. At that point, the code is no longer free (except for the "old" code which is no longer useful or used, and thus doesn't count). This is what happened to Unix in the 70's and 80's, leading to Unix's fragmentation and irrelevance as a platform. With GPL code, you don't have to worry so much about v2.0 coming out as closed-source, leaving you with a choice between staying with v1.0 or losing the benefits of open source.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    11. Re:Necessary and useful by Anonymous Coward · · Score: 0
      This is wrong on so many levels.
      1. NetBSD's emphasis is not security.
      2. Byte code != object code.
      3. It doesn't improve your security. It improves my security. I run OpenBSD. You run, what? Linux? Windows?
    12. Re:Necessary and useful by einhverfr · · Score: 2

      One of the primary tenets of OpenBSD and NetBSD is security, correct? This is just another little bit of bytecode that improves security even more...

      Absolutely. Now if only we can get Microsoft to use unprivileged children for IIS, we might be getting somewhere.

      Not that I am advocating child labor (well, children of Daemons maybe ;))

      --

      LedgerSMB: Open source Accounting/ERP
    13. Re:Necessary and useful by Anonymous Coward · · Score: 0

      Technically, you're correct, but in the larger view, there is a historical pattern where free code gets 'adopted' by a company, and the company adds lots of functionality to the free code, so that eventually the free code is no longer competitive, and everyone switches over to using the closed-source product.
      That may happen with some projects, but not any that I use. OpenSSH is based on ssh code that went commercial. The OpenSSH team added SSH 2 support to the BSD licensed ssh, fixed numerous bugs, and have continued to improve it since. The original author of the OpenSSH code wasn't happy (you should be able to Google for it), but it has been great for the community, and he isn't starving AFAIK.

      Tcl is another great BSD licensed tool. It has been used by so many companies (too numerous to mention) over the years for commercial (closed-source) projects. Most of them contribute back some changes eventually, because updating a proprietary version to have all the latest patches is too much work. Even GE has a Tcl core team member working on improvements now.

    14. Re:Necessary and useful by tigga · · Score: 1

      Technically, you're correct, but in the larger view, there is a historical pattern where free code gets 'adopted' by a company, and the company adds lots of functionality to the free code, so that eventually the free code is no longer competitive, and everyone switches over to using the closed-source product. At that point, the code is no longer free (except for the "old" code which is no longer useful or used, and thus doesn't count). This is what happened to Unix in the 70's and 80's, leading to Unix's fragmentation and irrelevance as a platform. With GPL code, you don't have to worry so much about v2.0 coming out as closed-source, leaving you with a choice between staying with v1.0 or losing the benefits of open source.


      1. It's not what happened to Unix - the AT&T version was proprietary and BSD used some code from it (anybody who used BSD should also have obtained a license from AT&T).
      BSDi and the Regents of the University of California got sued because of it and were forced to reissue the code without the AT&T-written parts.

      Most Unix clones were licensed from AT&T (which also included BSD code, though).

      2. If a company added features to the code and there are
      too many of them for the code to be rewritten - it means it just could never have been written using the GPL licence.

      So in your example we'd be stuck forever with version 1.0 and nobody would have written version 2.0.

      3. And it's ironic that "free" GPL code couldn't be used inside BSD code, because then the BSD code would become non-BSD code (GPL infection). Then the included code would have to be rewritten from scratch, as if it were proprietary - it defeats the purpose of the "free" GPL license.

    15. Re:Necessary and useful by Anonymous Coward · · Score: 0
      Those email headers were traced back to a student at Texas A&M. See the mailing list. Go Aggies!

      Sheesh. We all got burned on that one. I guess we all should've looked a little closer at those headers, but we OpenBSD folks get so little good news that we jumped the gun on this one. Oh, well, live and learn. BUT to be spoofed by an Aggie, oh that's the real killer. The indignity of it all!

    16. Re:Necessary and useful by Mark+Bainter · · Score: 2
      This is what happened to Unix in the 70's and 80's, leading to Unix's fragmentation and irrelevance as a platform.

      Ok...this is just wrong. Early unix was proprietary, not free software.

      With GPL code, you don't have to worry so much about v2.0 coming out as closed-source, leaving you with a choice between staying with v1.0 or losing the benefits of open source.

      This is not entirely correct. Granted, someone can't just take GPL'd code and make a new proprietary version of it w/out the original author's permission, but it /can/ be done by the author, or it could happen through the author dual-licensing the product.

      Example: Author writes Software and licenses version 1.0 under the GPL. Six months later, he releases version 2 binary only, new proprietary license.

      Or: he dual licenses it under BSD and GPL. Now it is subject to the same risks as BSD software.

      Or: He licenses it under some custom license to a specific company in exchange for some compensation.

      Obviously, using the GPL doesn't guarantee a free version 2.0. Just a free version 1.0, and the ABILITY to have a free 2.0 through someone else forking the code if nothing else. Guess what, a BSD 1.0 guarantees the same thing.

      --
      "No nation could preserve its freedom in the midst of continual warfare."
      --James Madison
    17. Re:Necessary and useful by Anonymous Coward · · Score: 0

      FreeBSD's emphasis is also performance. Vastly superior to OpenBSD in many ways performance-wise.

  9. Ah, BSD! by Anonymous Coward · · Score: -1, Troll

    Making heap overflows as easy as possible in the default install!

    Great work there.

  10. Slashdot Karma HOWTO by ReluctantBadger · · Score: -1

    It is 10pm. Do you know where your karma is?
    Right! Let us get started... In order to get maximum karma from Slashdot posting, you can follow a few simple guidelines.
    • The University you go to. Regardless of where you actually study, saying that you're at MIT automagically gains you +2. Slashdot, like the glorified student notice board that it is, has a special place in its heart for anything from MIT - whether it be a teddy bear stuffed with a switch, or some wankers wrapping a yellow banner with elvish text around the main dome. Even if you didn't go to university, qualify every comment with a "My professor told me" to bask in the warm fuzzy glow of +2, Insightful.

    • Linux. The basis of the "Slashdot Experience". Claiming you run Linux also gets you +1, Interesting. It doesn't really matter if you've never actually installed it, or your Red Hat box still doesn't have PPP running after 2 years of reading FAQs. The important bit is - You're part of the community. You can bathe in the reflected glory of years of shoddy, buggy code. You are exempt from the Microsoft penalty (see below) as, of course, your Win 98 install is only used for playing games. And reading Slashdot. And using MS Word. And Photoshop. And....

    • Microsoft. Slashbots and the editors hate Microsoft. Period. Use of a $ symbol in every iteration of their trademarks gets you a +4, Funny. Even though it is far from original, it still manages to raise a grin in those people reading Slashdot between episodes of Cowboy Bebop. You will get a -1, Flamebait or Troll for any post even hinting that Microsoft products are any good / useful / intuitive / user friendly. You will also quickly be shot down with replies about how good GNOME and KDE are, which will then in turn erupt into a flame war.

    • Freedom / Privacy / YRO. The bread and butter of Slashdot. It fits in sublimely with the whole "Linux" thing. You'll get a +3, Informative for any post containing the Ben Franklin quote about sacrificing essential liberty. It makes no difference that the quote is totally irrelevant in the modern world - Hey, you've got karma! Mis-crediting the quote will not end up in a karma penalty, as has been demonstrated countless times. You will gain extra karma if you make reference to your experiences of being wire-tapped by the NSA, and throwing in a vague link to Echelon, black helicopters or Tin Foil Hat Linux. Include a link to the First Amendment for a +1, Interesting mod. Give yourself a pat on the back if you manage to include some extra raging paranoia with no evidence to back it up. Nice!

    • BSD. If you use it, don't mention it on Slashdot. Most of the Linux-using friendless wonders that inhabit Slashdot wouldn't know quality and stability if it strolled up and kicked them in the throat with a size 13 HiTec Magnum boot. Any mention of how a Firewall running OpenBSD with pf is far superior to Linux's pathetic offering will soon see you as -1, Troll. Much like the post you're reading now.

    • Yearning for yester-year. Although most comments are written by first year "wannabe-CS-guru" students or links to goatse.cx, there is still the fallout dregs of the dot com boom lurking around slashdot. You can get +5, Insightful for telling how you were so badly treated after the bubble burst. Whining about the lack of jobs where you get paid to fire foam darts at colleagues is a good start. Don't forget to mention how you've now been out of work for months - It starts a "I'm about to graduate and there's nothing going" fuckfest which can spill over into hundreds of comments. Although all the staff who were any good simply got hired into another company, it makes "Good Karma Sense"® to hide the fact that your passing familiarity with Perl and C simply can't get you a job. This is also a prime opportunity to show your egregious personality, as Slashdot rewards arrogance and elitism.

    DON'T FORGET TO MOD ME DOWN!
  11. More suspicious of OpenSSH? by jamus · · Score: 5, Insightful

    The way I read the headline, "OpenSSH Gets Even More Suspicious", it sounded like we're supposed to be more suspicious of OpenSSH.

    What has the world come to, where we can't even trust OpenSSH?

    Oh, OpenSSH is more suspicious of its environment! That makes more sense! :P

    1. Re:More suspicious of OpenSSH? by Anonymous Coward · · Score: 0

      Don't tell me you actually expected the staff here to form a proper English sentence.

    2. Re:More suspicious of OpenSSH? by neuroticia · · Score: 5, Funny

      I read that too and my mind quickly said to me "Oh great, time to turn off SSH and only allow shell access to people who physically sit down at the computer."

      Then I realized that it's "suspicious" as in "the suspicious wife accused her husband of sneaking another computer into the house" and not "the actions of the husband were suspicious, leading his wife to accuse him of sneaking another computer into the house."

      Should have said "Open SSH has just become even more paranoid."

      THIS is why computers don't speak English. =]

      -Sara

    3. Re:More suspicious of OpenSSH? by Anonymous Coward · · Score: 0

      No, this is American stupidity.

    4. Re:More suspicious of OpenSSH? by GhostseTroll · · Score: -1

      I agree even more with this comment than the last one I agreed with.

      --
      Mamma look!

    5. Re:More suspicious of OpenSSH? by Anonymous Coward · · Score: 0

      How is it American stupidity? The more common usage (and the one listed first in most dictionaries) is "tending to arouse suspicion:questionable", after that is the meaning which the writer intended- "disposed to suspect".

      But perhaps this is just my American dictionary.

      -Sara

    6. Re:More suspicious of OpenSSH? by vsprintf · · Score: 2, Interesting

      Complete agreement. When I read the headline, there was a sudden pang of fear. If we had to close down SSH, there wouldn't be any more working-from-home Fridays. :)

    7. Re:More suspicious of OpenSSH? by Anonymous Coward · · Score: 0

      Um, you should be suspicious of OpenSSH? Or are you one of those /. kiddies who screams for the source, but then never looks at it and installs rpms?
      Have a look at the OpenSSH source. Be skeptical. If you do anything important with it (perhaps you do nothing important), you should distrust what others have given you, and find your own answers.

    8. Re:More suspicious of OpenSSH? by pvera · · Score: 1

      Hell, it happened to me too. Maybe next time we want to say "OpenSSH gets yet more paranoid, not that there is anything wrong with that."

      --
      Pedro
      ----
      The Insomniac Coder
    9. Re:More suspicious of OpenSSH? by Anonymous Coward · · Score: 0


      I read that too and my mind quickly said to me "Oh great, time to turn off SSH and only allow shell access to people who physically sit down at the computer.

      and this is proof that there are too many sysadmins who think they know everything because they read slashdot

    10. Re:More suspicious of OpenSSH? by Darby · · Score: 2

      If we had to close down SSH, there wouldn't be any more working-from-home Fridays. :)

      Sure there would.
      Telnet isn't that bad.
      You just have to have your login script change your password as soon as you log in remotely.
      If you can't remember to *always* log in to the console before you go to work, then the reinstall will prove a useful lesson.

    11. Re:More suspicious of OpenSSH? by Paradise+Pete · · Score: 1
      Considering that the way the word is used is its primary definition, I'd say the problem lies more with the reader. Had the author intended it the other way he may well have written "becomes even more suspect."

      This is an example of how imprecise use of a word over time leads to a weakening of that word. Things of which one would be suspicious should be called suspect, not suspicious. The sloppy use has become an accepted definition, and because of that the word has lost some of its power to properly communicate, as is demonstrated here.

    12. Re:More suspicious of OpenSSH? by urdak · · Score: 1

      Yes, it should have been "OpenSSH Gets Even More Suspecting", not "Suspicious"... Maybe "Paranoid" would fit even better :)

    13. Re:More suspicious of OpenSSH? by neuroticia · · Score: 1

      Hm. Which dictionary are you using? =] The one I've been using for several years has the "sloppy use" as the primary definition.

      A google search for "suspicious" brings up MANY pages where the word is used "incorrectly" before you'll hit one in which it is used in the manner you insist is correct, and even then it's not in a sentence such as the one that confused quite a few of us.

      The onus is on the writer, when a word can be interpreted in any number of ways to ensure either that the placement of the word gives context clues, or that the "several definitions" are all very similar and that the meaning of the word cannot be mistaken.

      Paranoid, distrustful, careful, cautious, leery, wary, watchful... All of these words can only be taken one way. They are always the feeling and never the stimuli that arouses the feeling.

      If you want to talk about grammar, words, and the sloppy use of... Look back at the sentence. "gets". "Gets" implies that someone or something is drawing something towards them or attracting something. In this sentence the word 'gets' is what causes 'suspicious' to be misconstrued. "Becomes" would have been the proper word to use in this situation, and would have cast a different light on the word "suspicious". "OpenSSH becomes even more suspicious", "OpenSSH becomes more suspicious of the world", and so on. These sentences would not typically be misunderstood.

      -Sara

    14. Re:More suspicious of OpenSSH? by ArtDent · · Score: 2

      Maybe that was the idea.

      Isn't a headline supposed to make you want to read the article?

    15. Re:More suspicious of OpenSSH? by CowbertPrime · · Score: 2

      Well yeah. Statistically, OpenSSH has had 2x more serious security related bugs since it forked from commercial SSH. Apparently in their zest to fix what isn't necessarily broken, OpenSSH has ended up with more holes than it started with. This might be a legitimate explanation as to why they are going to separate privileges: when a month-old freenix weenie is given commit access to openssh and writes a patch but forgets to make sure he is using dynamic buffers, everyone who likes being on the bleeding edge doesn't get rooted after they upgrade.

      At one institution I am aware of, the new administration policy has been to convert from openssh over to commercial ssh because of paranoia. Furthermore, when core server software is written such that you must upgrade every few months due to vulnerabilities in the latest-and-greatest, it hinders deployment of autonomous and/or embedded systems that rely on software such as SSH. Basically, if I wanted to build either an autonomous server or embedded system today, and decided to use OpenSSH 3.1.2 - which is supposedly stable, and a remotely exploitable vulnerability is found next month, the box is pretty much screwed, especially if no one is there to administer that machine and to appropriately upgrade it.
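      As an added illustration of the privilege separation the parent comment is weighing (example code written for this page, not OpenSSH's own): the privileged monitor forks a child that drops root and chroots into an empty jail before it handles any untrusted input, and the child can only request a few narrow operations whose policy the monitor enforces. "alice", her password, the jail path and uid/gid 65534 are constructed values.

```c
/* Added example (not OpenSSH's own code): the monitor/child split behind
 * privilege separation. The privileged monitor forks a child that drops root
 * and chroots into an empty jail before handling untrusted input; the child
 * can only ask the monitor for a few narrow operations over a socketpair, and
 * the authentication state lives in the monitor. "alice", her password, the
 * jail path and uid/gid 65534 are constructed values. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

enum req_type { REQ_CHECK_PASSWORD = 1, REQ_OPEN_SESSION = 2 };

struct req  { int type; char user[32]; char secret[64]; };
struct resp { int granted; };

/* Monitor-side policy. 'authed' exists only in the privileged process, so
 * the child cannot flip it; it can only earn it with a correct password. */
int monitor_handle(const struct req *r, int *authed)
{
    switch (r->type) {
    case REQ_CHECK_PASSWORD:
        /* constructed stand-in for the shadow lookup the jailed child cannot do */
        *authed = strcmp(r->user, "alice") == 0 &&
                  strcmp(r->secret, "correct horse") == 0;
        return *authed;
    case REQ_OPEN_SESSION:
        return *authed;        /* refused unless authentication succeeded */
    default:
        return 0;              /* unknown request types are always refused */
    }
}

/* Child-side: give up the filesystem and root before touching any input.
 * A production version would also clear supplementary groups (setgroups). */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;              /* not root: nothing to drop */
    if (chroot(jail) != 0 || chdir("/") != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

/* Drive a scripted sequence of child requests through a real fork()ed monitor;
 * results[i] records whether request i was granted. 0 on success, -1 on failure. */
int privsep_run(const struct req *script, int n, int *results,
                const char *jail, uid_t uid, gid_t gid)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                           /* unprivileged child */
        close(sv[0]);
        if (drop_privileges(jail, uid, gid) != 0)
            _exit(1);
        struct resp rp;
        for (int i = 0; i < n; i++)
            if (write(sv[1], &script[i], sizeof script[i]) != (ssize_t)sizeof script[i] ||
                read(sv[1], &rp, sizeof rp) != (ssize_t)sizeof rp)
                _exit(1);
        _exit(0);                             /* closing sv[1] ends the loop below */
    }
    close(sv[1]);                             /* privileged monitor */
    int authed = 0, i = 0;
    struct req r;
    while (read(sv[0], &r, sizeof r) == (ssize_t)sizeof r) {
        struct resp rp = { monitor_handle(&r, &authed) };
        if (i < n)
            results[i++] = rp.granted;
        if (write(sv[0], &rp, sizeof rp) != (ssize_t)sizeof rp)
            break;
    }
    close(sv[0]);
    int status;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0 && i == n) ? 0 : -1;
}

int main(void)
{
    struct req script[] = {
        { REQ_OPEN_SESSION,   "alice", "" },              /* before auth: refused */
        { REQ_CHECK_PASSWORD, "alice", "wrong" },         /* refused */
        { REQ_OPEN_SESSION,   "alice", "" },              /* still refused */
        { REQ_CHECK_PASSWORD, "alice", "correct horse" }, /* granted */
        { REQ_OPEN_SESSION,   "alice", "" },              /* now granted */
    };
    int results[5] = { 0 };
    if (privsep_run(script, 5, results, "/var/empty", 65534, 65534) != 0) return 1;
    for (int i = 0; i < 5; i++)
        printf("request %d: %s\n", i, results[i] ? "granted" : "refused");
    return 0;
}
```

      The point the comment makes is visible in the monitor loop: a buffer bug in the child's parsing only ever hands an attacker the ability to send these two request types, never the monitor's state or its privileges.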

    16. Re:More suspicious of OpenSSH? by Boiled+Frog · · Score: 1

      Usually it is the submitter, not the staff, who write the headlines.

    17. Re:More suspicious of OpenSSH? by Anonymous Coward · · Score: 0
      Okay, we know that Debian was named after some girl named Debby. Her boyfriend was named Ian
      and they combined their names to call the distribution ``Debian''. Ok so far. But riddle me this:
      • Where is Debby now?
      • Are Debby and Ian still together?
      • What does Debby look like (jpg, if possible).
      • Does Debby do Linux or is she really a Windows gal?
      • Where was Debby from originally (town, high school, etc)?
      I'd sort of like to start a Debby fan club for this unsung heroine of Free Software.

      Hey Debby, wherever you are -- we love ya, baby!

    18. Re:More suspicious of OpenSSH? by vsprintf · · Score: 1

      Well, no, it's policy, telnet isn't an option. It would be dress-up Fridays. :)

    19. Re:More suspicious of OpenSSH? by vsprintf · · Score: 1

      Um, yeah, maybe, but I usually hope the headline is somewhat factual rather than just provocative. :)

    20. Re:More suspicious of OpenSSH? by packeteer · · Score: 1

      your point makes sense but it doesn't matter because you DONT have to close down SSH...

      --
      unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
    21. Re:More suspicious of OpenSSH? by Darby · · Score: 1

      your point makes sense

      Well, it was more of a joke than a point really.

    22. Re:More suspicious of OpenSSH? by packeteer · · Score: 1

      well personally i think this entire thread should be modded down as offtopic ;) because we DONT have to turn off SSH so we are speculating about something thats not going to happen...

      --
      unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
  12. Impressive by dybdahl · · Score: 4, Insightful

    Open Source software continues to impress me after so many years. This again proves how much better software can be if you remove management, lawyers, sales department etc. and make good programmers work together without short-term profit in mind.

    1. Re:Impressive by RebelTycoon · · Score: 1, Insightful
      "how much better software can be, if you remove management, lawyers, sales department etc. and make good programmers work together without short-term profit in mind."


      What you smoking.. Wanna share?

      Management and a Sales Department are necessary, have you ever tried to get a geek to explain what they built in English?

      Programmers do not make good sales people usually, it takes a lot of practice to talk to people in the appropriate language and level of technicality.

      And programmers left alone would be responsible for even more feature-creep than sales or management. We always like kwel stuff, a "what if we do this..". Unfortunately we must be restrained.

      As a side note, at least we usually don't change the scope of the project or promise the undeliverable..

      Lawyers... This I'll agree with you... Same goes for Politicians, etc.

    2. Re:Impressive by speaker4thedead · · Score: 1

      "This again proves, how much better software can be, if you remove management, lawyers, sales department etc. and make good programmers work together without short-term profit in mind."(emphasis mine)

      When I read that sentence, I got the image of a darkly lit slave-pit filled with coders where the corporate entities you listed had been replaced by two or three dark overlords whipping their slaves into submission. Why don't you replace the word "make" with "allow"? It is a much more pleasant term. Other than that, I wholeheartedly agree with the sentiment you expressed.

      --
      "My religion is to live --and die-- without regret." -- Milarepa
    3. Re:Impressive by Anonymous Coward · · Score: 0

      I don't really see how the addition of one minor feature to one "Open Source" program proves much of anything. It did get you modded up, though, so congrats!

    4. Re:Impressive by zootread · · Score: 1

      What you smoking.. Wanna share?
      Cannabis sativa. Sure I'll share. Bring some papers or a pipe and we'll spark one up.

      Management and a Sales Department are necessary, have you ever tried to get a geek to explain what they built in English?

      It's true that for a typical business you need all these extra people. But I think what he was trying to say is that when your only purpose is to code some good software, all you need is a few good coders working together to turn out something of quality.

      --
      Zoot!
    5. Re:Impressive by Abreu · · Score: 2

      And programmers left alone would be responsible for even more feature-creep then sales or management. We always like kwel stuff, a what if we do this.. Unfortunately we must be restrained.

      Mozilla's XUL user interface, anyone?

      No offense meant, but how long would it have taken to make 3 gecko-based browsers (Win, Lin, Mac) using native widgets instead of spending so much time with the kewl "write-once-bugs-everywhere" interface?

      --
      No sig for the moment.
    6. Re:Impressive by DavidTC · · Score: 1

      Um, like K-Meleon, Galeon, and Q.BATi?

      --
      If corporations are people, aren't stockholders guilty of slavery?
    7. Re:Impressive by Abreu · · Score: 2

      What about one using native Win32 widgets?

      What about making that one just after finishing Gecko, instead of waiting for IE to dominate web designers until most of the web is broken?

      --
      No sig for the moment.
  13. Capitalism is dying by Anonymous Coward · · Score: -1, Offtopic

    Marxism has now confirmed: Capitalism is dying.
    Yet another crippling bombshell hit the beleaguered bourgeoisie when
    Das Kapital confirmed that the rate of profit tends to fall
    leading to crisis, war and the ultimate destruction of the capitalist
    system. Coming on the heels of the latest economic data showing that
    the US is entering a deep recession, this news serves to reinforce
    what we've known all along. Capitalism is collapsing in complete disarray,
    as further exemplified by failing dead last in the recent Sys Admin
    comprehensive networking test.
    You don't need to be a Lenin to predict capitalism's future. The
    handwriting is on the wall: capitalism faces a bleak future. In fact there
    won't be any future at all for capitalism because capitalism is dying. Things
    are looking very bad for capitalism. As many of us are already aware
    surplus value (S) is redistributed among individual capitals by
    competition leading to an average rate of profit (r) relative to the
    organic composition of capital. In order to improve their position
    individual capitalists must increase their production of surplus value;
    either by increasing the length of working day, but this has
    physiological limits or by increasing the constant capital used but
    this leads to a fall in the average rate of profit.
    Let's keep to the facts and look at the numbers.
    Capitalist leader George W Bush states that there are 7000 capitalists.
    How many members of the proletariat are there? Let's see. The number
    of proletarians in America is roughly 200 million. Therefore
    there are about 100000 workers for each person with an
    interest in capitalism. A recent article put the petty bourgeoisie at
    a rapidly declining proportion of the population. This is consistent
    with the predictions of the communist manifesto.
    Due to the troubles of British imperialism, two world wars and so on,
    European capitalism went out of business and was taken over by Yankee
    imperialism who were also in trouble. Now US imperialism is also dead,
    its venality and corruption exposed by its own creation, radical
    Islam.
    All major surveys show that capitalism has steadily declined in credibility.
    Capitalism is very sick and its long term survival prospects are very
    dim. If capitalism is to survive at all it will be as a fascist
    dictatorship. Capitalism continues to decay. Nothing short of a miracle could
    save it at this point in time. For all practical purposes, capitalism is
    dead.
    Capitalism is dying

    1. Re:Capitalism is dying by Anonymous Coward · · Score: -1, Troll
      Now US imperialism is also dead,
      its venality and corruption exposed by its own creation, radical
      Islam.


      You had it going pretty good for a while there. But the "turned over to yet another charnel house" bit really is the crux of the original BSD troll, taking it out just robs it of all of its life.

    2. Re:Capitalism is dying by Anonymous Coward · · Score: 0

      Except for the networking test part, very well done!

  14. +5, Amazingly Fucking Insightful by egg+troll · · Score: -1

    This is the funniest thing I've read on Slashdot in a long time...after my own posts, of course.

    --

    C - A language that combines the speed of assembly with the ease of use of assembly.
  15. About time by RTFA+Man · · Score: 0, Redundant

    Previously any corruption in the sshd could lead to an immediate remote root compromise if it happened before authentication, and to local root compromise if it happened after authentication. Privilege Separation will make such compromise very difficult if not impossible.
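    The post above states what privilege separation buys you but not how the pattern is built. The following is an added example written for this page, not OpenSSH's own code: a privileged monitor forks an unprivileged worker, the worker chroots into an empty directory and drops root before handling any input, and the two talk over a socketpair using a single whitelisted request type. The credential table, the uid/gid 65534, the request layout and the temporary jail directory under /tmp are all constructed for the demo (sshd itself uses a dedicated sshd user and /var/empty). When the program is not started as root there is nothing to drop and the worker skips that step, but the message flow is identical.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed credential table (hypothetical). Only the privileged monitor
 * holds it; the worker can only ask "is this user/password pair valid?". */
static const struct { const char *user; const char *pass; } creds[] = {
    { "alice", "correct horse" },
    { "bob",   "hunter2" },
};

enum { REQ_AUTH_PASSWORD = 1 };           /* the only request the monitor accepts */
struct req  { int type; char user[32]; char pass[64]; };
struct resp { int ok; };

/* Monitor side. Returns -1 for a malformed request (which a compromised
 * worker might send), otherwise 0 with the verdict in out->ok. */
int monitor_handle(const struct req *r, struct resp *out)
{
    memset(out, 0, sizeof *out);
    if (r->type != REQ_AUTH_PASSWORD) return -1;
    if (memchr(r->user, '\0', sizeof r->user) == NULL ||
        memchr(r->pass, '\0', sizeof r->pass) == NULL) return -1;
    for (size_t i = 0; i < sizeof creds / sizeof creds[0]; i++)
        if (strcmp(creds[i].user, r->user) == 0 && strcmp(creds[i].pass, r->pass) == 0)
            out->ok = 1;
    return 0;
}

/* Direct call into the monitor: -1 malformed, 0 bad credentials, 1 accepted. */
int monitor_answer(int type, const char *user, const char *pass)
{
    struct req r; struct resp a;
    memset(&r, 0, sizeof r);
    r.type = type;
    strncpy(r.user, user, sizeof r.user - 1);
    strncpy(r.pass, pass, sizeof r.pass - 1);
    return monitor_handle(&r, &a) == 0 ? a.ok : -1;
}

/* Worker side: lock itself into an empty directory and give up root before
 * touching untrusted input. When not started as root there is nothing to drop. */
int drop_privileges(uid_t uid, gid_t gid, const char *jail)
{
    if (getuid() != 0) return 0;
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;        /* the drop must be irreversible */
    return 0;
}

/* One worker/monitor exchange over a socketpair. Returns 1 if the monitor
 * accepted the credentials, 0 if it rejected them, -1 on any failure. */
int privsep_auth(const char *user, const char *pass)
{
    char jail[] = "/tmp/privsep.XXXXXX";  /* empty, owned by us, mode 0700 */
    int sv[2], status, result = -1;
    if (mkdtemp(jail) == NULL) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) { rmdir(jail); return -1; }
    pid_t pid = fork();
    if (pid == 0) {
        /* Unprivileged worker: the side that would parse network traffic. */
        close(sv[0]);
        if (drop_privileges(65534, 65534, jail) != 0) _exit(2);
        struct req r; struct resp a;
        memset(&r, 0, sizeof r);
        r.type = REQ_AUTH_PASSWORD;
        strncpy(r.user, user, sizeof r.user - 1);
        strncpy(r.pass, pass, sizeof r.pass - 1);
        if (write(sv[1], &r, sizeof r) != (ssize_t)sizeof r) _exit(2);
        if (read(sv[1], &a, sizeof a) != (ssize_t)sizeof a) _exit(2);
        _exit(a.ok ? 0 : 1);
    }
    /* Privileged monitor: answers exactly one narrow question, nothing else. */
    close(sv[1]);
    if (pid > 0) {
        struct req r; struct resp a;
        if (read(sv[0], &r, sizeof r) == (ssize_t)sizeof r && monitor_handle(&r, &a) == 0 &&
            write(sv[0], &a, sizeof a) == (ssize_t)sizeof a)
            result = a.ok;
        if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status) == 2)
            result = -1;
    }
    close(sv[0]);
    rmdir(jail);
    return result;
}

int main(void)
{
    printf("alice / correct horse -> %d\n", privsep_auth("alice", "correct horse"));
    printf("alice / wrong         -> %d\n", privsep_auth("alice", "wrong"));
    printf("unknown request type  -> %d\n", monitor_answer(99, "alice", "correct horse"));
    return 0;
}
```

    The point to take from the layout is that a memory-corruption bug in the worker now yields a process that is uid 65534, sees an empty filesystem, and can only ask the monitor the one question the monitor already answers; the monitor rejects any other request type and any unterminated strings rather than trusting the worker's framing.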

    1. Re:About time by RebelTycoon · · Score: 2, Funny
      Very good... You can cut and paste.

      +1 for using left hand to press [Ctrl-C/V]

      +1 for using right hand to move mouse


      -3 for redundancy and trying to act clever.

    2. Re:About time by CableModemSniper · · Score: 0

      I just select and middle-click.

      --
      Why not fork?
  16. oxymoronic by Smelly+Jeffrey · · Score: 1, Funny

    Open Secure Shell? Is that like Passive Aggression?

    1. Re:oxymoronic by Anonymous Coward · · Score: 1, Informative

      > Open Secure Shell? Is that like Passive Aggression?

      No, it's the opposite of Closed Secure Shell, any SS product that you must trust to be secure, because no one but the vendor can verify the sources.

      It's actually *more* secure due to being open. No oxymoron at all.

    2. Re:oxymoronic by groomed · · Score: 1
      Open source means that source code is available for modification and use.

      Open source does not mean:

      1. more secure
      2. more reliable
      3. morally superior


      If only because we cannot reliably quantify any of these things.
    3. Re:oxymoronic by NoMercy · · Score: 1

      You can't quantify how much more secure or how much more reliable or how much more morally superior, but it is more secure, it is more reliable and it tends to be morally superior, who cares if you can't measure the size of X and Y, you can tell that X > Y in the majority of cases :)

    4. Re:oxymoronic by Shanep · · Score: 2

      If you are going to make a blanket statement comparing security and reliability of open vs. closed source software, then I think you should compare the best of both Worlds.

      I'll start with the open source World and suggest OpenBSD, 5 years without a remote hole in the default install. You can read that as, an extremely secure kernel, with an extremely secure network stack and general system layout.

      I'll leave the closed source contender up to you to present to us. ; )

      Any idiot can look at "Open Source Done Wrong (tm)" and then say look, OSS is shite, but then any idiot can be a source of open source (or closed for that matter).

      The best of breeds should be shown before the average and worst.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    5. Re:oxymoronic by groomed · · Score: 1
      If you are going to make a blanket statement comparing security and reliability of open vs. closed source software, then I think you should compare the best of both Worlds.
      Hey Pavlov, I'm saying no such thing. The only thing I would like to impress on you is the fact that despite all the propaganda on all sides, source availability has little to do with the security or reliability of software. Source availability means that the source is available. Source availability says nothing about the quality of the source.

      OpenBSD is secure because Theo and friends are obsessed with security. Not because the source code is available. Otherwise, you need to explain to me why not ALL open source projects are as secure as OpenBSD.

      Open source is nice in the way it fulfills demand that is otherwise too expensive for the market to bear. In the case of OpenBSD for instance the audience is too small to support a business. That is not to say that people are not interested in security, just that they recognize that this security comes at a steep cost ((re)training, missing features, maintenance).

      Finally, two points.

      1) The "default install" that you are referring to is very austere. Very few machines can be made useful running only the "default install". This is a direct result of OpenBSD favoring security over features. Maybe it's better to be safe than sorry but in the real world safety costs money too.

      2) Most programming is proprietary, closed-source in-house development. Every application is different. Wholesale comparisons such as "best of both worlds" just don't make sense. Compare, what? The security of an Internet fridge to that of an embedded control system?

    6. Re:oxymoronic by Anonymous Coward · · Score: 0

      Try IBM PC DOS -- 21 years without a remote hole in the default install -- for the exact same reason as OpenBSD, nothing's running by default.

    7. Re:oxymoronic by Shanep · · Score: 2

      Security? A comparison of 2001 CERT advisories shows that closed source software constituted 72%.

      Stability? Netcraft shows that the web servers with the top 10 average and the top 19 maximum uptimes are Open Source.

      Open source allows people who are passionate about coding to code great things in large groups. They get great stability and security through honest desire and mass co-operation.

      Closed source allows people who are passionate about money to code profitable things in small groups. They get money through marketing. Being closed allows them to brush problems under the carpet in the hope that they won't get noticed until after that product's lifetime. Or even claim that problems are merely "theoretical", until someone posts a "BeSysAdm.exe".


      source availability has little to do with the security or reliability of software.

      I have been supporting closed source software for the past 9 years and I've been using open source software for about 5 years, supporting for about 3.

      Linux, FreeBSD and OpenBSD have NEVER crashed on me in normal circumstances (I have managed to make Linux crash when tweaking and building custom kernels). I could never say this about any closed source software I've supported. Netware is pretty stable, but can't touch FreeBSD from what I've seen.

      OpenBSD is secure because Theo and friends

      Of course, but plenty of fixes and alerts come from people who are simply able to read the source and "friends" come into the stable due to being able to read it in the first place.

      this security comes at a steep cost ((re)training, missing features, maintenance).

      Learning OpenBSD for someone who is knowledgeable about network security is far from steep learning.

      Very few machines can be made useful running only the "default install".

      Even in light of the recent vulnerability, Apache actually has a good security history. The last time it was mentioned in a CERT advisory was 1996. IIS has been mentioned 8 times since. Then there's Qmail...

      Compare, what?

      Oh I don't know, compare the comparative?

      IIS? NT/2000?

      Open source also allows fixes to come very quickly. Often the person who was able to find the exploit, also supplies a patch to fix it. If not, it often comes within a day or even hours. Can you find a closed source hole that was fixed in hours?

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    8. Re:oxymoronic by groomed · · Score: 1
      Security? A comparison of 2001 CERT advisories shows that closed source software constituted 72%.
      So what? That might mean that closed source software has wider deployment. It might mean that closed source software is scrutinized more closely. It might even mean that closed source software is used in more places where security matters.

      alldas.org defacement statistics per OS place Linux, an open source OS, at 22%, while Solaris, which is closed source, clocks in at 4%.

      I also note that you failed to answer my question: if open source makes for secure software, then why do we need something like OpenBSD at all? Why are not all open source OS's as secure as OpenBSD?

      The bottom line is that the distinction closed/open should make very little difference when evaluating the security aspect of any particular installation.

      Stability? Netcraft shows that the web servers with the top 10 average [netcraft.com] and the top 19 maximum [netcraft.com] uptimes are Open Source.
      Again, irrelevant. It might mean that open source people will go to great lengths to avoid rebooting their machines. It might even mean that open source software is conservative/stagnant. Unless the reboots actually hurt business there is no inherent advantage to long uptimes.

      They get great stability and security through honest desire and mass co-operation.
      Great stability and security are achieved by paying a lot of attention to stability and security. The development method is strictly secondary.

      Linux, FreeBSD and OpenBSD has NEVER crashed on me in normal circumstances
      What can I say. Try harder. For example take a look at how Linux MM will happily let a process run amok with a high probability of wrecking the box.

      Learning OpenBSD for someone who is knowledgable about network security is far from steep learning.
      That might be true, but is hardly any consolation if OpenBSD does not do what you need it to do.

      Even in light of the recent vulnerability, Apache actually has a good security history. The last time it was mentioned in a CERT advisory was 1996. IIS has been mentioned 8 times since.
      What about the 13 Apache vulnerabilities since 1999?

      Can you find a closed source hole that was fixed in hours?
      Easy. Ping of death was fixed within 48 hours on Windows. I'll grant that the Linux fix got there faster. So what?
    9. Re:oxymoronic by Shanep · · Score: 2

      So what? That might mean that closed source software has wider deployment.

      It is actually a statistic of holes, not a statistic of reported exploits.

      It might mean that closed source software is scrutinized more closely.

      Open source is an easier target to find holes but also to fix holes. Closed source gets security via the wrong reasons. Obscurity.

      It might even mean that closed source software is used in more places where security matters.

      Once again, it is a statistic of holes, not a statistic of reported exploits.

      The bottom line is that the distinction closed/open should make very little difference when evaluating the security aspect of any particular installation.

      And guns don't kill people, it just makes it easier for people to kill people. Open source doesn't make security, it just makes it easier for people to make secure code. Do you think hundreds of thousands of eyes reviewing code is not better than a typical corporate team of eyes?

      alldas.org defacement statistics [alldas.org] per OS place Linux, an open source OS, at 22%, while Solaris, which is closed source, clocks in at 4%.

      These are incidents and worst case ones at that. Anyone can badly admin a server and chances are that those that do are doing it with Linux more than Solaris. You can after all, accidentally get into Linux from a visit to your local newsagent.

      The numbers I have been giving show capabilities of software. Unless the admins fixed broken code without giving it back, the admins here are irrelevant. You are showing worst cases which can easily be bad admin.

      I also note that you failed to answer my question: if open source makes for secure software, then why do we need something like OpenBSD at all? Why are not all open source OS's as secure as OpenBSD?

      Not all open source projects are focused on security to those levels. I firmly believe that the average open source software is more secure and has less bugs than closed source, it does not need OpenBSD, some people do though because OpenBSD takes security to a step above everything else. OpenBSD is an extra move forward in security.

      The bottom line is that the distinction closed/open should make very little difference when evaluating the security aspect of any particular installation.

      Any particular installation that uses open source, has the source to scrutinize and fix. Any particular installation that uses closed source, has to hope there are no holes and then when holes do become apparent they have to hope for a quick fix, which rarely happens.

      Again, irrelevant. It might mean that open source people will go to great lengths to avoid rebooting their machines.

      If those systems were exploitable, they would have been exploited. A server with almost 4 years uptime shows stability if you ask me.

      It might even mean that open source software is conservative/stagnant.

      Conservative as in putting security before features? They get the jobs done. Mail gets relayed, web pages get served, files get downloaded. Yet they don't get owned anywhere near as much.

      Unless the reboots actually hurt business there is no inherent advantage to long uptimes.

      Some installations require stable systems 24/7.

      Great stability and security are achieved by paying a lot of attention to stability and security.

      Of course.

      The development method is strictly secondary.

      The development method can either make the job easy or hard.

      What can I say. Try harder. For example take a look at how Linux MM will happily let a process run amok with a high probability of wrecking the box.

      Are we still speaking comparatively? If you choose a worst case I will choose Microsoft. But please, look at my .sig for my opinion of Linux MM. My primary OS of choice is OpenBSD, but Linux has been very reliable for me, even with occasional broken MM, much more reliable than I have experienced with closed source OSes.

      That might be true, but is hardly any consolation if OpenBSD does not do what you need it to do.

      OpenBSD is a secure foundation for running some open source services that have shown to be more secure than their closed source counterparts.

      What about the 13 Apache vulnerabilities [apacheweek.com] since 1999?

      33% were Win32 specific, how interesting that an open source project has a hard time becoming secure running in a closed source environment.
      40% were specific to modules or other support programs.
      27% were Apache itself.

      Easy. Ping of death was fixed within 48 hours on Windows. I'll grant that the Linux fix got there faster.

      Most people take "hours" to mean hours less than 24, since 24 becomes "days".

      So what?

      You're either exposed or out of action until the hole is fixed. That's what.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    10. Re:oxymoronic by groomed · · Score: 1
      Do you think hundreds of thousands of eyes reviewing code is not better than a typical corporate team of eyes?
      Totally unsubstantiated claim. I have every reason to believe that this kind of review never actually happens. The person most likely to fix a bug in code is the person who wrote that code. It also does not explain why Linux, which has far more people working on it than OpenBSD, is not more secure than OpenBSD.
      The numbers I have been giving show capabilities of software. Unless the admins fixed broken code without giving it back, the admins here are irrelevant. You are showing worst cases which can easily be bad admin.
      Which shows that proper administration is much more important to the security of a system than the question whether that system runs open or closed source software.
      I firmly beleive that the average open source software is more secure and has less bugs than closed source
      I know you believe that. Personally I believe that even if this were true, closed source software easily makes up for it in features and support (e.g. documentation).

      Also "average open source software" is a bit vague isn't it. Does that "average" include all the stillborn projects at Sourceforge?

      Conservative as in putting security before features?
      Yes. Sometimes features are more important than security. And not all security is equal.

      You want to posit this kind of argument that there is such a thing as "perfect security", and that OpenBSD (and other open source software) exemplifies this.

      But that is bunk. Unix security is lackluster at best. It is the typical "good enough" type system. Windows NT, Solaris and AIX offer far more flexible and powerful security models -- if you need them. But if you don't need that kind of security, you can get by without it. In fact most people do.

      If you choose a worst case I will choose Microsoft
      So choose Microsoft. Does Windows crash when you load <font size="1666666"> in Mozilla?
      You're either exposed or out of action until the hole is fixed.
      Like, such as, irony of ironies, with the current OpenSSH hole? Did you check the source to see where the alleged vulnerability is at? Do you know people who did? I'd be interested to hear.

      Furthermore it is interesting to note that SSH, the topic under discussion, was originally conceived and delivered as a commercial product. Not a strictly "open source" one.

      Personally I use almost exclusively open source software. And I use it because the source is available. Not because I "believe" it to be secure, or even because I necessarily think it is "best of breed".

    11. Re:oxymoronic by Anonymous Coward · · Score: 0

      THE SECRET OF ADOLF HITLER

      What was Adolf Hitler's secret? The secret that enabled an unknown soldier, with no money or influence, and only a few friends from his army days, to triumph against all the odds and become the leader of Germany after only 14 years of struggle? What is this secret which we in these dark days for our race might learn and use to help us in our own struggle?

      His secret was really very simple. His secret was that he genuinely cared for, and loved, his people in a selfless way. So it was that he devoted the whole of his adult life to his people and lived by the principles which he, and the political organization he created and led, propounded in public.

      In his own private life he was frugal; he was always spontaneous with people and never once tried to cultivate or uphold any sort of 'public' image. He really was "a man of the people".

      He triumphed against all the odds because over the years of his struggle more and more of his people liked him, and felt he was a good man who had their interests at heart. He did have some extraordinary gifts - such as his ability to speak in public; his resolute determination and his superb memory. But most of all he was a simple, unspoilt and uncomplicated man. He won his victory because of his own personal character, and the foundation of his personal character was this simple love of his people. Indeed, his very reason for living was to care for and help his people.

      The love which Adolf Hitler felt and expressed for his own people is what made him so popular and so loved by the German Folk of the time. And it is the truth about and memory of his love that his Zionist enemies have striven so hard to destroy with their ignoble and hateful lies about him, his Movement and his Government. If we want to express the truth about Adolf Hitler we must express the genuine and selfless love and concern he felt for his own people.

      The secret we can and indeed must learn from him is this simple, uncomplicated and genuine love for our people.

      This love comes before any political programme. This love comes before any rhetoric and before any 'propaganda'. This love comes before any political demonstration. This loves comes before any thought or mention of "hating enemies". Above all, it is this simple, genuine and uncomplicated love for our own people which should and must motivate us to act in a political way.

      If we feel and try to express this love, this concern and care for our own people we can and will win. For it is the lack of this love which has made us fail for the past sixty years.

      David Myatt July 109 yf

    12. Re:oxymoronic by Anonymous Coward · · Score: 0
      Some common names for Negroes:
      nigger, jig, nig, jigaboo, spade, burr-head, spear chucker, porch monkey, sambo.
    13. Re:oxymoronic by Shanep · · Score: 2

      I have every reason to believe that this kind of review never actually happens.

      I watch it happen regularly in the mailing lists I am subscribed to.

      Linux, which has far more people working on it than OpenBSD, is not more secure than OpenBSD

      You are comparing two open source systems, one which is focused on security and the other which is not. Two very different code bases. You need to ask why Linux is not as secure as OpenBSD? You should be asking why the Microsoft World is regularly damaged by viruses and exploits and the open source World is less so.

      Which shows that proper administration is much more important to the security of a system than the question whether that system runs open or closed source software.

      Of course admin is the most important aspect of any site's security and stability. But choosing systems that you need to assume to be secure is not a good admin choice.

      Personally I believe that even if this were true, closed source software easily makes up for it in features and support (e.g. documentation).

      OpenBSD has great docco. Pity people don't use it.

      Does that "average" include all the stillborn projects at Sourceforge?

      Obviously it includes mature projects that mirror closed source applications.

      You want to posit this kind of argument that there is such as thing as "perfect security", and that OpenBSD (and other open source software) exemplifies this.

      I have never stated anything that slightly suggests that I believe there is any such thing as "perfect security". There is no such thing.

      But that is bunk. Unix security is lackluster at best. It is the typical "good enough" type system. Windows NT, Solaris and AIX offer far more flexible and powerful security models -- if you need them.

      Does this mean that you put OpenBSD and/or Linux under the umbrella of "Unix" but not Solaris and AIX?

      Would you like to elaborate on these more flexible and powerful security models?

      Does Windows crash when you load in Mozilla?

      Windows networks come crashing to their knees when a user receives an infected email. You have got to be joking.

      Like, such as, irony of ironies, with the current OpenSSH hole? Did you check the source to see where the alleged vulnerability is at? Do you know people who did? I'd be interested to hear.

      Rare occurrence. Yes. Yes. And it has been fixed quick smart too.

      Furthermore it is interesting to note that SSH, the topic under discussion, was originally conceived and delivered as a commercial product. Not a strictly "open source" one.

      And looking at the track record, perfected by the OpenBSD crew via open source.

      Not because I "believe" it to be secure, or even because I necessarily think it is "best of breed".

      Closed systems at my local stock exchange proved to be unreliable while I supported their backup site. I don't think or believe (in the religious sense) in OSS security or stability, I know it from experience.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    14. Re:oxymoronic by groomed · · Score: 1

      Anonymous? Why would you do that?

    15. Re:oxymoronic by groomed · · Score: 1
      You are comparing two open source systems, one which is focused on security and the other which is not. Two very different code bases. You need to ask why Linux is not as secure as OpenBSD?
      You are the one who claimed security and open source go hand in hand. But apparently they don't. Thanks for clearing that up.
      Does this mean that you put OpenBSD and/or Linux under the umbrella of "Unix" but not Solaris and AIX?
      It means that there is no open source software that is certified for use in some of the most security-conscious environments, despite your insistence that open source development must lead to more secure software.
      Would you like to elaborate on these more flexible and powerful security models?
      No. I'd have to look things up, or you'll accuse me of getting minor details wrong, and you'll manage to dredge up a lame comeback such as SELinux or some sort of ACL support anyway.
      Windows networks come crashing to their knees when a user receives an infected email. You have got to be joking.
      The point is, what is the cost of having your network go down once every so often, versus lacking all the features Outlook & Office provide in the mean time. I'm dead serious.
      Rare occurance. Yes. Yes. And it has been fixed quick smart too.
      Well, tell me about it. This is all about sharing, right?
      And looking at the track record, perfected by the OpenBSD crew via open source.
      No, it was perfected via painstaking attention to detail. In all those years nobody ever found the bug, which pretty much kills your "hundreds of thousands of eyes" theory.
      I know it from experience.
      Good for you. Your logic and your arguments need work though.
    16. Re:oxymoronic by Shanep · · Score: 2

      You are the one who claimed security and open source go hand in hand. But apparently they don't.

      I never said OSS is a guarantee of security. My stance is that open source allows security and stability to be easier to implement than closed source. Unless you include obscurity as a security measure, which I don't.

      It means that there is no open source software that is certified for use in some of the most security-conscious environments, despite your insistence that open source development must lead to more secure software.

      Yeah, and NT4 was certified to the point where it could not be connected to any network, must have no removable media and have the POSIX layer removed! Software gets certified through payment for that certification. Who has paid to have a free BSD or a Linux distro certified? Lack of this does not show lack of security.

      The point is, what is the cost of having your network go down once every so often,

      It's not just network downtime, it could be corporate IP loss or exposure, public embarrassment, loss or exposure of customer property leading to liability, etc.

      versus lacking all the features Outlook & Office provide in the mean time.

      People and companies serious about security, who use MS products for example, end up disabling and avoiding many of these "features".

      Well, tell me about it. This is all about sharing, right?

      I actually do read through source, along with books like Applied Cryptography (I've been into digital electronics since the 80's, starting with Navy Weapon systems) and have an unhealthy interest in building hardware pseudo random number generators. I read the source because I am interested. I didn't find the hole because software security is not my forte, but I am but one person. Someone did find the hole, which is easy to close.

      No, it was perfected via painstaking attention to detail. In all those years nobody ever found the bug, which pretty much kills your "hundreds of thousands of eyes" theory.

      But it was found, outside of the OpenBSD developers. We are looking at a single uncommon incident here too. Though the hole is uncommon, the discovery, quick workaround and subsequent fix is not.

      Here's a single incident that also proves nothing... Windows NT Cripples US Navy Cruiser

      My stance is that open source makes finding and fixing bugs easier and I have seen it first hand as a beta tester of open source video card drivers, where people outside of the developers were submitting code or pointers to broken code. John Carmack made an extended visit to our list, fixed code and made the drivers faster. He was not invited personally, he just dived in to open code. Something he or anyone else would not have been able to do if they were not a part of it as a closed source project. I've heard he did this for other cards which have open source drivers also.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    17. Re:oxymoronic by groomed · · Score: 1
      I never said OSS is a guarantee of security. My stance is that open source allows security and stability to be easier to implement than closed source. Unless you include obscurity as a security measure, which I don't.
      I don't think you provided any compelling examples of that being the case, but it is your opinion. I think you might have had a point if there was an open source equivalent for every closed source product and vice versa. In that case the open source variant might always be preferable. But there is not always such an alternative.
      Lack of this does not show lack of security.
      Maybe not, but the lack of even fairly rudimentary auditing and event monitoring tools and the lack of software to make sense of this data does.
      It's not just network downtime, it could be corporate IP loss or exposure, public embarrassment, loss or exposure of customer property leading to liability, etc.
      Yes, all of that may happen. But it is not very likely nor is it easy to put a dollar value on those costs. Ultimately the question is whether those costs outweigh the costs of "living on the fringe": retraining, document interchange problems, insurance requirements, etc. Without much information either way the costs might as well cancel each other out.
      People and companies serious about security, who use MS products for example, end up disabling and avoiding many of these "features".
      Yes, I understand that. But I believe a much larger group of people simply swallows the costs of occasional breach because they need the features. What's more, when (if) open source developers ever get around to implementing similar features, and get their software as widely deployed as MS, I am confident that they will initially run into similar security issues.

      I actually do read through source, along with books like Applied Cryptography
      I didn't mean to question your credentials, but I am curious to learn about the precise nature of the exploit so that I can fix it. So maybe you can point me in the right direction.
      Carmack
      Carmack is of course a special figure with great coding skills and a lot of sympathy for open source. People like him are exceptional, not the norm. But yeah, good stuff happens with open source. The point is it happens on the closed source side of the fence as well, and there is less of a dependence on Great Leaders there.
    18. Re:oxymoronic by Shanep · · Score: 2

      Maybe not, but the lack of even fairly rudimentary auditing and event monitoring tools and the lack of software to make sense of this data does.

      SWATCH, NOCOL/NetConsole, LogSurfer, Netlog, Analog, Snort, HostSentry, Shadow, MOM, The Hummingbird System, AAFID.

      Are you serious?

      "living on the fringe"

      Have you used Star Office 6 or open office? I have used SO6 beta, it is pretty amazingly just about there. All we need now is decent groupware and I think an MS free World will be much easier to swallow for people who "need" the features.

      I am confident that they will initially run into similar security issues.

      You are confident. I am confident. I don't think the open guys will fall into traps that allow a document to execute (via interpretation or otherwise) code not related to the app that document is intended for.

      So maybe you can point me in the right direction.

      I'm sure you've seen the goings on by now.

      People like him are exceptional, not the norm.

      Yes, however there are a lot of exceptional coders in this World who do look at open source. The types who tend to read code and contribute patches, tend to be above the norm anyway. There are plenty of them.

      The point is it happens on the closed source side of the fence as well, and there is less of a dependence on Great Leaders there.

      The point is, that the exceptional video driver developers who normally write closed drivers for Windows of one of the largest most respected video card makers, had their open source driver improved by an uninvited outsider, thanks to the driver being open source.

      It wasn't just Carmack stamping out bugs either.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    19. Re:oxymoronic by groomed · · Score: 1
      SWATCH, NOCOL/NetConsole, LogSurfer, Netlog, Analog, Snort, HostSentry, Shadow, MOM, The Hummingbird System, AAFID.

      Are you serious?

      Uh, I would say you just proved my point. This is just a bag of disjointed tools that might, with effort, be coaxed into doing what needs to be done -- I say this as a user of some of the tools you've mentioned.

      For example, Windows NT (just to give an example) allows you to monitor the behaviour of virtually every kernel object and graph them against time. Sort of like xload on steroids. I am not aware of similar capabilities in any of the tools you have mentioned -- definitely not through an equally universal interface, with the understanding that parsing a logfile is notoriously unreliable and wasteful. Or what about auditing trails, such as who accessed what how when?

      You are confident. I am confident. I don't think the open guys will fall into traps that allow a document to execute (via interpretation or otherwise) code not related to the app that document is intended for.
      It's already happened. We started the whole #!/bin/sh thing after all. All we need now is a convenient way of preserving file attributes and a convenient way of opening email attachments and we are in a world of hurt.

      The point I am trying to make is that convenience and security are often hard to reconcile. Features that were added for convenience often cause security problems and features added for security often cause inconvenience. Even a transition from doubleclick-to-open to singleclick-to-open constitutes a small security risk, seeing how easy it is to misclick accidentally.

      I maintain that if open source software is more secure than closed source software, this is in large part because the open source community as a whole values security over convenience.

      As such it makes no sense in my mind to say "if MS Outlook had been open source, then it would have been more secure". Because if MS Outlook had been open source then it would have been a totally different product or it would not have existed at all.

      In short, I'll believe your claim that open source leads to more secure programs when I see the programs; e.g. a secure Word document interpreter. So far, all I can see is that it leads to very different programs.

      The point is, that the exceptional video driver developers who normally write closed drivers for Windows of one of the largest most respected video card makers, had their open source driver improved by an uninvited outsider, thanks to the driver being open source.
      Yes, I like open source as well. But whether it leads to better products in any particular aspect depends on a person's needs and wants -- to be sure, it prevents some products from existing at all, because the open source cabal deems them insecure, stupid or otherwise undesirable.
    20. Re:oxymoronic by Shanep · · Score: 2

      Yes, I like open source as well. But whether it leads to better products in any particular aspect depends on a person's needs and wants

      As an example I'm sure you've probably already seen, here is an example of open source software being more secure than closed source, where convenience is not hurt.

      Open source on top.

      Security here is basically ranked from highest to lowest, which turns out to be open to closed. Naturally, as one would expect, the open source project which focuses on security is at the top of the lot.

      In the open source world, someone might implement a PRNG thinking it is strong. One day, someone discovers that it is not very strong by looking at the source or looking at the output statistically. They might complain that it is not strong, leading to a better PRNG being written by the original author, or as is typical with open source, someone with greater expertise may submit code that is stronger, which gets used.

      In the closed source world, someone (or a team) might typically be hired to program a PRNG as an "expert" of math programming. So his expertise is trusted, he implements his expertise, his random streams turn out to be VERY pseudo, as analysed, spoofing attack tools become available and the admins and closed source programmers scratch their heads in wonder at these attacks. Finally, after it becomes publicly known that the closed source is weak (usually through open source advocates who present analytical evidence), the closed source programmers embrace the BSD license as a "God send" and then proclaim industry leadership through innovation. ; )

      This is just a bag of disjointed tools that might, with effort, be coaxed into doing what needs to done -- I say this as a user of some of the tools you've mentioned.

      Because most of them do an excellent job without graphs? : ) I kinda prefer getting SMS paged with critical alerts and emailed with all alerts greater than "odd behaviour". Sitting looking at graphs 24/7, or having some team paid to do this is not my idea of effective event monitoring.

      For example, Windows NT (just to give an example) allows you to monitor the behaviour of virtually every kernel object and graph them against time. I am not aware of similar capabilities in any of the tools you have mentioned

      Some people who go further than waiting for the next service pack, don't need graphs. Where they are useful, they are usually present.

      Or what about auditing trails, such as who accessed what how when?

      Proper admin would advocate the usage of sudo, which logs nicely and proper usage of file permissions. If you're sufficiently concerned about security then logs can be made impossible to tamper with electronically. Printing logs to line printers is very common in Bank and Stock Exchange data centers. Been there, done that. Or if this is over the top for your systems, you might like to log to an OpenBSD syslog server which is configured to only allow appending to logs even for the root user. Doing that via a serial connection that does not accept logins for that little extra security? Or perhaps logging to WORM is more your style?

      It's already happened. We started the whole #!/bin/sh thing after all. All we need now is a convenient way of preserving file attributes and a convenient way of opening email attachments and we are in a world of hurt.

      If a Unix user logs in as a normal user on a system that has been kept up to date with security patches, little can be damaged. Perhaps some of their own files will be lost or exposed if they use an insecure mail reader. If they're logging in as root, on a system that is not up to date security wise, while reading mail with an insecure mail reader, then they deserve what they get. I'm guessing the point between discovery of this weak mail reader and the fix would be a very thin slice of time if the history of open source security is anything to go by.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
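      The "who accessed what how when" question above is exactly what sudo's syslog records answer once something reads them. The script below is an added example, not code from anyone in this thread: it parses a few constructed lines in the shape sudo writes to syslog (the exact format, the host name "bastion", the users and the commands are all assumed sample data) and reports commands run as root, denials per user, and interactive shells obtained through sudo.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape sudo writes to syslog (format assumed from sudo's usual
# output; these are not real log entries). The last line is an sshd record, not sudo.
SAMPLE_LOG = """\
Jun 24 10:15:02 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/sshd -t
Jun 24 10:16:40 bastion sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/authlog
Jun 24 10:17:03 bastion sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/authlog
Jun 24 10:20:11 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Jun 24 10:21:00 bastion sshd[4242]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2
"""

# A granted command is logged as "user : TTY=..."; a refusal carries a reason before the TTY field.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

SHELLS = {"sh", "bash", "ksh", "csh", "zsh"}


@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str
    reason: Optional[str]   # None when the command was allowed
    tty: str
    pwd: str
    target: str             # the account the command ran (or would have run) as
    cmd: str

    @property
    def granted(self) -> bool:
        return self.reason is None


def parse_sudo_log(text: str) -> list:
    """Return one SudoEvent per sudo line; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(SudoEvent(**m.groupdict()))
    return events


def audit_report(events: list) -> dict:
    """Answer 'who ran what as whom, when', plus who keeps getting refused."""
    granted = [e for e in events if e.granted]
    return {
        "as_root": [(e.ts, e.user, e.cmd) for e in granted if e.target == "root"],
        "denied_per_user": Counter(e.user for e in events if not e.granted),
        # a shell obtained via sudo is an unlogged session from here on: worth flagging
        "interactive_shells": [(e.ts, e.user) for e in granted
                               if os.path.basename(e.cmd.split()[0]) in SHELLS],
    }


if __name__ == "__main__":
    for key, value in audit_report(parse_sudo_log(SAMPLE_LOG)).items():
        print(key, value)
```

      The shell-detection rule is deliberately blunt: once a user has `/bin/sh` as root, sudo logs nothing further, so that one record is the last audit entry you will get for the session unless a separate append-only or printed log exists, which is the point the poster makes about syslog and line printers.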
  17. Copy n' Paste "Ask Slashdot" : Volume 1 by ReluctantBadger · · Score: -1

    HEY KIDS!!
    Avoid wasting time typing out "Ask Slashdot" questions. Select one of the framework questions from below and modify as necessary! Sweet!
    • I'm researching a paper on fluid dynamics. I haven't done any work all semester as I have been playing Quake on my Windows ME machine and watching Cowboy Bebop on Cartoon Network. My paper is due in tomorrow. Could any Slashdot readers shed some light onto a topic which I clearly know nothing about.
    • I have just installed Linux in my company. It took months of pestering and annoying senior managers for them to let me do it. Seeing as I've only ever installed Red Hat from a bootable CD and X won't start, I feel that this is the right solution for my company as they are using evil MS products now. Could anybody please come over and help me install this because now I'm in a really embarrassing situation. Thank you.
    • Hi! I've recently been using Linux. I've used Red Hat and Debian. Which distribution is better? In fact, I've even been considering which O/S is better out of Linux and FreeBSD. Could anybody out there in slashdot land offer some advice? Your thoughts on emacs and vi are also appreciated.
    • Greetings fellow slashdotters. I've recently just graduated from university. I reckon I know everything about computers and unix and micro$oft (tee hee funny dollar symbol!), and now I'm going to ask you a question. Not because I really want help or advice, but because I want to show off. Me and a buddy just got huge paying jobs with some pissy little startup that'll be bust in a year, and now we're in over our heads 'cos we told them we could do programming in C.
    • I'm really interested in kernel hacking. I'm not going to tell you which kernel, because you will all assume I mean Linux. I've never done any programming, I'm not quite sure what a CPU is and I don't know if I'm going to have time as it's my 13th birthday next week. Can any slashdot readers advise me of the way to go?
    • I've just been assigned a task to secure all communications between our fleet of oil tankers. I'm going to use Linux but I'm not sure how. Can anyone offer some thoughts or experiences of computers, RF, cryptography or being on a boat. God only knows how I got this job.
    And there you have it! Please post suggestions or requests below, and moderate me down for wasting your time. Thank you.
    1. Re:Copy n' Paste "Ask Slashdot" : Volume 1 by SirRichardPumpaloaf · · Score: 1

      Not bad. I'd go even further, and assert that almost every "Ask Slashdot" follows this template:

      Q: I can do task T in Windows, but Linux seems to lack this feature/program/whatever. How do I do T in Linux?

      A: Only a dumbass Windoze luser would want to do T.

    2. Re:Copy n' Paste "Ask Slashdot" : Volume 1 by gotak · · Score: 1

      Q: Dear Bill I like that blue screen with the weird numbers and letter that I get every so often from windows. How do I get that with linux?

      A: Install Windows it's the only way to get our patent pending BSO!

  18. Even OpenBSD developers can be vain... by Bollie · · Score: 1, Offtopic

    You've heard of the recent apache bug. Apparently, the OpenBSD team is announcing it as a "possible remote crash".

    Since a remote exploit already exists, shouldn't they detail the severity on their front page?

    Nothing against the OpenBSD team... I believe they do excellent work, but heck, people, PLEASE patch up those systems! It's only a matter of days before someone is going to drop a new worm! This is horribly serious!

    1. Re:Even OpenBSD developers can be vain... by The_Final_Word · · Score: 4, Informative

      upgrade to Apache 1.3.26 or 2.0.39, it's an Apache problem and it is on their home page.

      http://httpd.apache.org/

      The OpenBSD folks gave a patch for the OS before the new Apache binaries were released as a work around.

      --
      The Final Word
    2. Re:Even OpenBSD developers can be vain... by neuroticia · · Score: 3, Insightful

      You mean they didn't accept the patch you wrote for them!? Ludicrous. Maybe they're too busy being whipped along by people who don't give anything back to the OS community to evaluate your code. ;) I mean... You obviously feel strongly about it so you HAVE to have written a patch, no?

      If they KNOW about it, and I'm sure they do, then they'll patch it. They're not Microsoft, after all. In the meantime, if you're not a developer, lay off the whip. Like you said- the bug is recent, if they let a few months fly by without doing anything then you can start complaining.

      -Sara

    3. Re:Even OpenBSD developers can be vain... by swillden · · Score: 2

      Apparently, the OpenBSD team is announcing it as a "possible remote crash"... It's only a matter of days before someone is going to drop a new worm!

      Wow. If you can figure out how to exploit a remote crash to spread a worm, you're a lot smarter than I am, dude.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Even OpenBSD developers can be vain... by Anonymous Coward · · Score: 0

      Since a remote exploit [securityfocus.com] already exists, shouldn't they detail the severity on their front page?
      Apache is not enabled by default.
      As Theo would put it...

    5. Re:Even OpenBSD developers can be vain... by Anonymous Coward · · Score: 0

      Typical slashdot fare.

      Some guy makes semi-insulting commentary and an observation showing how clueless he is, and concludes with backpedaling. Moderators give it a 4.

      A followup to the parent shows that it has already been patched. Moderators give it a 3.

      Proof this all works real well...

    6. Re:Even OpenBSD developers can be vain... by Styx · · Score: 2

      Trouble is, it isn't just a remote crash. See http://online.securityfocus.com/news/493

      --
      /Styx
    7. Re:Even OpenBSD developers can be vain... by Anonymous Coward · · Score: 1, Funny

      If they KNOW about it, and I'm sure they do, then they'll patch it. They're not Microsoft, after all.


      You're either very lonely or dumb or both. Bet you fancy yourself neither.
    8. Re:Even OpenBSD developers can be vain... by __past__ · · Score: 2

      Um, you do realize that a patch is available?

    9. Re:Even OpenBSD developers can be vain... by ostiguy · · Score: 2

      The problem is that it doesn't appear that anyone has been able to make the alleged remote root exploit work. I haven't read misc@openbsd.org this weekend, but the consensus of the list as of yesterday was that it was not a legitimate root exploit.

      And generally, since apache is not running by default, the OpenBSD team would tend to be of the mindset that if you are going to turn it on, you better stay up to speed on it.

      not speaking for the team of course,
      ostiguy

    10. Re:Even OpenBSD developers can be vain... by Anonymous Coward · · Score: 0

      Typical slashdot fare.

      Well of course, this is Slashdot we're posting on, no?

      What did you expect? People knowing what they're talking about?

    11. Re:Even OpenBSD developers can be vain... by neuroticia · · Score: 1

      Let's see. BSD==known as being (one of the) most secure OS(es) on the planet... Nope nope nope... You're right, the BSD folks have no interest in writing patches.

      ;)

      -Sara

    12. Re:Even OpenBSD developers can be vain... by Shanep · · Score: 2

      1. OpenBSD does not start httpd by default.
      2. The exploit opens up a terminal that appears to be a root term, but is actually a fake. It only has nobody privs.

      If you don't read the lists, then look at the archives. The exploit is humorous, but against Apache. The OpenBSD crew don't write Apache, they just fix it when it breaks.

      The most stable OS to be running it on, would be OpenBSD.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    13. Re:Even OpenBSD developers can be vain... by Shanep · · Score: 2

      Yeah, a fake root term that is actually run as nobody via a service they don't enable by default.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  19. No thanks by Anonymous Coward · · Score: -1, Troll
    I'll stick with trusty old telnet. OpenSSH just hasn't been around long enough to be trusted as the sole point of entry to any of my machines. Sure, it's been through a code audit, but let's talk about number of cpu years running. Telnet wins hands down. Just use a difficult password, and change it frequently. OpenSSH, with its occasional stack overruns and buffer overflows, is just a compromise waiting to happen.

    -Charles

    1. Re:No thanks by Anonymous Coward · · Score: 0

      That was a superb troll. Well done!

    2. Re:No thanks by Anonymous Coward · · Score: 0

      dude you are so gonna get flamed for that

    3. Re:No thanks by kevinqtipreedy · · Score: 2, Informative

      Trusty old telnet works fine, unless you are worried about people seeing your passwords, and everything you are doing. That is the point of ssh; it encrypts what you do, including passwords, so it can not be seen by people on the same network segment. Telnet sends your password and everything you do right over the wire without encoding it at all. A difficult password is just as important on telnet as it is on ssh because they can still be cracked either way.

    4. Re:No thanks by DarkSkiesAhead · · Score: 1

      but let's talk about number of cpu years running. Telnet wins hands down.

      By that measure, Win 95 beats pretty much all other OS's. And I take it that you still use Netscape 2.0?
    5. Re:No thanks by Admiral+Burrito · · Score: 5, Insightful

      Telnet wins hands down. Just use a difficult password, and change it frequently.

      Except telnet does zero encryption. It is a trivial matter to sniff passwords from an unencrypted link, and inserting data is not much harder. Changing passwords frequently is kind of pointless if you are setting your new password over an insecure link.

      One-time passwords are better, but they are still vulnerable to TCP insertion attacks.

      Yes, these things have been exploited in the wild. SSH exists for a reason.

      If security problems in SSH itself worry you (and they should), privilege-separated ssh is the answer. By separating the privileged code from the code that talks to the client and defining a good interface between them, it limits the amount of stuff that can go wrong and the quantity of code that needs to be audited.

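      The "good interface between them" is the whole trick, so here is what that structure looks like in miniature. This is an added example, not OpenSSH's code and not the poster's: a forked parent keeps the secrets and answers exactly two kinds of request over a length-prefixed pipe, while the child does all parsing of the (constructed) client line and can only ask questions. The user table, the HMAC "token" credential, the request names and the `USER ... TOKEN ...` client line format are all assumptions made for the example; a real daemon would also chroot and drop uid/gid in the child, which a script run unprivileged cannot do.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed privileged-side state (assumed; stands in for what a real daemon keeps,
# such as host keys). Only the monitor ever holds these; the child never sees them.
_USERS = {"alice": 1000, "bob": 1001}
_TOKEN_SECRET = b"monitor-only-example-secret"
MAX_MSG = 4096                  # refuse oversized frames before parsing anything
HEADER = struct.Struct("!I")    # 4-byte big-endian length prefix

def expected_token(user: str) -> str:
    """Stand-in credential: HMAC over the user name, computable only with the monitor's secret."""
    return hmac.new(_TOKEN_SECRET, user.encode(), hashlib.sha256).hexdigest()

def monitor_dispatch(raw: bytes) -> dict:
    """Privileged side. Exactly two request types are understood; anything else is refused."""
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"ok": False, "error": "malformed request"}
    if not isinstance(req, dict):
        return {"ok": False, "error": "malformed request"}
    user = req.get("user")
    if not isinstance(user, str) or not user.isalnum() or len(user) > 32:
        return {"ok": False, "error": "bad username"}
    op = req.get("op")
    if op == "lookup_user":
        uid = _USERS.get(user)
        return {"ok": uid is not None, "uid": uid}
    if op == "verify_token":
        tok = req.get("token")
        ok = isinstance(tok, str) and tok.isascii() and hmac.compare_digest(tok, expected_token(user))
        return {"ok": ok}
    return {"ok": False, "error": "operation not permitted"}

def _read_exact(fd: int, n: int):
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:            # peer closed the pipe
            return None
        buf += chunk
    return buf

def send_msg(fd: int, obj) -> None:
    payload = json.dumps(obj).encode("utf-8")
    os.write(fd, HEADER.pack(len(payload)) + payload)

def recv_msg(fd: int):
    hdr = _read_exact(fd, HEADER.size)
    if hdr is None:
        return None
    (n,) = HEADER.unpack(hdr)
    if n > MAX_MSG:
        raise ValueError("oversized message")
    return _read_exact(fd, n)

def unprivileged_child(req_w: int, rep_r: int, client_line: str) -> dict:
    """Unprivileged side: parses untrusted client input and may only ask the monitor questions.
    A real daemon would drop privileges (chroot, setgid/setuid) here, before any parsing."""
    parts = client_line.split()
    well_formed = len(parts) == 4 and parts[0] == "USER" and parts[2] == "TOKEN"
    user, token = (parts[1], parts[3]) if well_formed else ("", "")
    send_msg(req_w, {"op": "lookup_user", "user": user})
    found = json.loads(recv_msg(rep_r))
    send_msg(req_w, {"op": "verify_token", "user": user, "token": token})
    verified = json.loads(recv_msg(rep_r))
    # Whatever a compromised child asks for outside the interface, the monitor must refuse.
    send_msg(req_w, {"op": "read_host_key", "user": user})
    refused = json.loads(recv_msg(rep_r))
    return {"authenticated": found["ok"] and verified["ok"], "refused": refused.get("error")}

def run_privsep(client_line: str) -> dict:
    """Fork: the parent stays the monitor, the child handles the constructed client line."""
    req_r, req_w = os.pipe()    # child -> monitor requests
    rep_r, rep_w = os.pipe()    # monitor -> child replies
    res_r, res_w = os.pipe()    # child's final verdict, for the caller
    pid = os.fork()
    if pid == 0:
        for fd in (req_r, rep_w, res_r):
            os.close(fd)
        try:
            send_msg(res_w, unprivileged_child(req_w, rep_r, client_line))
        finally:
            os._exit(0)
    for fd in (req_w, rep_r, res_w):
        os.close(fd)
    while True:
        raw = recv_msg(req_r)
        if raw is None:          # child exited; its end of the request pipe is gone
            break
        send_msg(rep_w, monitor_dispatch(raw))
    os.waitpid(pid, 0)
    result = recv_msg(res_r)
    for fd in (req_r, rep_w, res_r):
        os.close(fd)
    return json.loads(result) if result else {"authenticated": False, "refused": None}

if __name__ == "__main__":
    print(run_privsep(f"USER alice TOKEN {expected_token('alice')}"))
```

      The audit-surface argument from the post is visible in the shape of the code: `monitor_dispatch` is the only function that runs with privilege and sees attacker-influenced bytes, it understands two messages, and it validates every field before acting, so that is the part that needs the careful audit. Everything in `unprivileged_child` can be wrong without the secret or the user table leaking.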
    6. Re:No thanks by Anonymous Coward · · Score: 0
      It is a trivial matter to sniff passwords from an unencrypted link, and inserting data is not much harder

      How many passwords have you sniffed? And how much data have you inserted?

      Or are you just a blowhard spouting drivel you've seen elsewhere.

    7. Re:No thanks by Anonymous Coward · · Score: 0
      It is a trivial matter to sniff passwords from an unencrypted link
      Yes. But the hard part is getting into a position where you can even start to sniff.
      Yes, these things have been exploited in the wild. SSH exists for a reason.
      Kevlar and underground bunkers exist for a reason as well. Puh-lease.
      it limits the amount of stuff that can go wrong and the quantity of code that needs to be audited.
      Bullshit. Of course the code will still need to be edited. A bug is a bug is a bug. It just so happens that most security problems are bugs.
    8. Re:No thanks by Anonymous Coward · · Score: 0

      Dude, it's easy to do. Get over it.

      Many people around Slashdot are fully capable of both sniffing passwords and data insertion.

    9. Re:No thanks by zootread · · Score: 1

      Yes. But the hard part is getting into a position where you can even start to sniff.

      Umm.. do you really think this is true? How much do you really trust the systems you're going through? I'll give you a real obvious example: if you're using a computer at work or at a lab at school, how hard do you think these systems are to compromise? If you didn't say "very easy" you overestimate the abilities of the people administrating these systems. I used to crack systems, and believe me, there were some very incompetent sysadmins out there (and still are these days). After the trivial matter of getting root, it was then a trivial matter of sniffing login/passwords and gaining access to even more systems. On a nice active system, I'd get dozens of new accounts every day.

      --
      Zoot!
    10. Re:No thanks by Anonymous Coward · · Score: 0

      Yeah, but I doubt if much Internet traffic is routed through a 13-year-old's bedroom.

    11. Re:No thanks by Anonymous Coward · · Score: 0

      Good thing everyone uses switches. And for that matter, there is encrypted telnet. You people are truly retarded.

    12. Re:No thanks by Anonymous Coward · · Score: 0

      It depends on whether you already have a login somewhere. In which case you would simply be abusing the trust put in you by someone else.

      I trust most systems very much. I routinely connect to other computers without knowing whether there is a bug in the software that I am using that might let the other computer cause harm. The reverse happens as well.

      That is not to say that I don't use SSH (or some such) if it is available. However lab computers or other publicly accessible computers may not have SSH installed. Besides, it wouldn't matter even if they had. Because if you cannot trust public computers, then you can also not trust SSH on public computers.

      I trust foreign systems as much as you used to trust that your hacks would not be discovered.

    13. Re:No thanks by Mr.+Flibble · · Score: 2

      No, you are out to lunch.

      Sorry, but Telnet is a severe security hole.

      Take a look at this link. The program Hunt can crash through a Telnet session and steal it. It is also possible to use a similar attack on systems using SSH 1, which is why you should not use it.

      Also, if you have ever heard of anything such as dsniff you know that Telnet is practically useless in terms of security. Combine dsniff and hunt and you have one crappy method of defense. I don't care how strong your password is if I can:

      1) Read it and capture it. (dsniff)

      or

      2) Simply steal the session, and thus have no need to type the password at all. (hunt)

      Don't take anything in security for granted. For example I know of an admin who recently decided to implement backups to a remote NFS system, thus he opened up NFS, and thus portmap (port 111) to the world through his firewall. He still has no idea why this is bad, which explains why I will be completely reinstalling his servers in a few days.

      You might not know why portmap is bad - but it is - you might also assume Telnet is ok. It is not. I have watched over 25 machines get compromised by Telnet, and I was the one who had to fix them. (I always get called in AFTER the fact - never before which I think is dumb.)

      So, operate like OpenBSD - trust no one. Trust no protocol until you have a reason to trust it to some degree. And if you don't know why portmap / port 111 is bad, you may want to look that up at the same time.

      --
      Try to hack my 31337 firewall!
    14. Re:No thanks by zootread · · Score: 1

      It depends on whether you already have a login somewhere. In which case you would simply be abusing the trust put in you by someone else.

      Remote attacks make it irrelevant whether you have a login or not. I'm not an expert on modern attacks, but I'm sure some people around here can talk about these things. I can give you an old example: YP/NIS used to allow anyone to download the /etc/passwd file, you didn't need to have a login to exploit this. There are many others, but that was a common one I saw everywhere. And the simple fact is people abuse trust and also people run trojan horses they receive in e-mail.

      Besides, it wouldn't matter even if they had. Because if you cannot trust public computers, then you can also not trust SSH on public computers.

      That's true. There are many situations where you don't need to worry, but many situations where you should worry and take precautions. Here is another example: You take your laptop to a public facility (e.g. wireless network) where you connect to the network. You are going through a firewall to get to the Internet. You remote access your home computer through the Internet. A cracker has setup a sniffer on the firewall. SSH makes it difficult for the cracker to sniff anything useful from your session.

      I trust foreign systems as much as you used to trust that your hacks would not be discovered.

      Actually I sometimes waited for my hacks to be discovered and then laughed at the little traps the sysadmins left behind (yet they often didn't find everything and often left their systems unpatched). It was all in good fun and I tried to help 'em along sometimes (such as scare away other crackers with messages that their phone line has been traced). There were some sysadmins who reacted quick, and I actually helped them realize they needed to patch their system. I wasn't that great of a cracker, but I learned much from the experience, and appreciate the knowledge even more now that I am on the other side. Good times.

      I actually don't worry that much most of the time. But there are times when you really should take some precautions. To automatically assume that there is no possibility of a threat is foolish.

      --
      Zoot!
    15. Re:No thanks by Anonymous Coward · · Score: 0

      By that measure, Win 95 beats pretty much all other OS's

      I'm not sure what you are thinking if you think a 7 year old OS can beat all the other 20+ year old OSes out there. I mean you could even say DOS beats win95. You don't sound very experienced if you think Win95 is old. I had been online for 10 years before it was released.

    16. Re:No thanks by DarkSkiesAhead · · Score: 1

      I'm not sure what you are thinking if you think a 7 year old OS can beat all the other 20+ year old OSes out there.
      Sir, please locate a dictionary (ask mom for one) and look up sarcasm.
      I mean you could even say DOS beats win95. You don't sound very experienced if you think Win95 is old.
      I too was online long before 95 was a twinkle in Bill's eye. The difference between you and I is not experience, but the ability to read.

      The original poster referred to "cpu years running" as the measure of software. This is not the same as the number of years it has been around. VMS has been around a long time too, but hasn't racked up nearly as many cpu cycles as 95. I chose 95 as a rather arbitrary example because it was so rampantly popular and widely used. It stuck around longer than any other single version of Windows.

      Anyway, please find a sense of humor and report back when you do.
    17. Re:No thanks by Anonymous Coward · · Score: 0

      My old but faithful TRS-80 still runs... I still occasionally power it up and play a few games of 'Galaxy Invasion' (aka Galaxian) on it. Vintage 1979, when I got the machine...

    18. Re:No thanks by Mark+Bainter · · Score: 2
      Good thing everyone uses switches.

      Considering your later name-calling one would think you'd take the time to get a clue before spouting off.

      First, not everyone uses switches. And even when they do, it is largely only at the local and remote points. Intermediate hops happen at ROUTERS. Regardless, it is not all that difficult to sniff on a switched network either. Switches are not impervious to network attacks. Do some research.

      And for that matter, there is encrypted telnet.

      Encrypted telnet doesn't even come close to providing the features ssh does. Encrypted telnet is better than straight telnet, but not by much.

      --
      "No nation could preserve its freedom in the midst of continual warfare."
      --James Madison
  20. SSH is magnificent! by dmarien · · Score: 4, Interesting

    When I first started using linux, I was absolutely blown away by telnet, and the capabilities for remote administration.

    Then came SSH... Not only is the grade of encryption absolutely phenomenal, but the extras above and beyond remote shells are astounding!

    X Forwarding, SCP, FTPs, etc... they all rock! I can't remember the last time I copied a file over any protocol other than SSH's scp command. WinSCP has replaced puTTY as my favorite WIN32 application, and combined with puTTY and secure shells it's no wonder how I've managed to keep my home router/server up for 180 days w/o even having a monitor plugged into it!

    Thanks OpenSSH team!

    --
    dmarien
    1. Re:SSH is magnificent! by Apreche · · Score: 1

      absolutely. When the cs lab at school is full of Sun Ultra 10s running Solaris, and I got win2k/Mandrake at home, nothing quite does the job like ssh. I prefer the basic ssh applications available free at www.ssh.com.
      You know our cs department has gone so far as to disable telnet, so you can ONLY use SSH, smart eh?

      --
      The GeekNights podcast is going strong. Listen!
    2. Re:SSH is magnificent! by p3d0 · · Score: 5, Informative

      Just remember to use the "blowfish" cipher for large files. It's much faster than the default 3DES.

      I use: alias scp="scp -c blowfish-cbc".

      --
      Patrick Doyle
      I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
    3. Re:SSH is magnificent! by paraax · · Score: 1

      Yes, my isp also disabled all telnet access (though not ftp, which seemed interesting) to the machine... The problem with this, is that... since I still need access to my ISP from work, and work only has MS Telnet on it, I end up telnetting, via untrusted network to my home machine, and then ssh'ing from there.

      Hopefully default OS distributions will start including some basic SSH terminal functionality at some point.

    4. Re:SSH is magnificent! by Anonymous Coward · · Score: 0
      Hopefully default OS distributions will start including some basic SSH terminal functionality at some point.


      Default OS distributions do contain full SSH! Redhat, Debian, and the other major Linux distributions do. It's the commercial operating systems which are severely lagging behind in this case.
    5. Re:SSH is magnificent! by demaria · · Score: 2

      Does it exist or is anyone working on AES for scp?

    6. Re:SSH is magnificent! by Sircus · · Score: 3, Informative

      SCP runs over the standard SSH protocol (either SSH1 or SSH2). All SSH security features therefore apply to SCP.

      128-bit AES/Rijndael is one of the "recommended" ciphers for SSH2, but is not supported by SSH1. 192 and 256 bit AES/Rijndael are "optional" for SSH2.

      --
      PenguiNet: the (shareware) Windows SSH client
    7. Re:SSH is magnificent! by neuroticia · · Score: 1

      You're right, it is smart. But so is locking your door in NYC. It's not so much "smart" as it is that the alternatives (telnet) are dumb. =]

      -Sara

    8. Re:SSH is magnificent! by demaria · · Score: 5, Interesting

      Thanks for the info. Something else cool, SSH with Tokens. I saw a demo at N+I on the commercial SSH 3.0 by SSH Communications. You need to have a token (such as an e-Aladdin USB eToken) plugged in during the entire session. If the token is removed, the shell instantly drops.

    9. Re:SSH is magnificent! by zootread · · Score: 2, Insightful

      As someone who used to go around cracking *NIX systems, and sniffing out login/passwords with ridiculous ease back in the early to mid 90s, I can say yes SSH is a very good thing. It was good to see sysadmins shut down their telnet daemons for good and require that people download and use a SSH client to connect to systems.

      --
      Zoot!
    10. Re:SSH is magnificent! by Anonymous Coward · · Score: 0

      What good is WinSCP if I can't connect to their server for the download?

    11. Re:SSH is magnificent! by Anonymous Coward · · Score: 0

      No, it depends on what you are doing.

    12. Re:SSH is magnificent! by Anonymous Coward · · Score: 0

      You can't download?

      or do you have the problem I do. Too much ssh traffic gets automatically blocked at the firewall.

    13. Re:SSH is magnificent! by archen · · Score: 1

      How about this: Why not put PuTTY on the machine in question since ftp is open, and download it onto whatever windows PC you're using? I'd think that would be safer than allowing telnet on your home pc.

    14. Re:SSH is magnificent! by thogard · · Score: 2

      Because TeraTerm Pro w/ TTSSH is much better?

    15. Re:SSH is magnificent! by evilviper · · Score: 3, Informative

      An alias is not the best idea.

      Best thing to do, edit your ~/.ssh/config and stick your options in there (or machine-wide if you edit /etc/ssh/ssh_config).

      So, enter something like:

      Host *
          Compression no
          Ciphers blowfish-cbc,3des-cbc
          Protocol 2,1


      Additionally, use DSA/RSA auth, (NOT PASSWORD), and use ssh-agent so that you only need to enter your key's pass-phrase once in a while.

      Anyone that uses SSH (and doesn't yet know about scp, port forwarding, ssh-agent, key-based auth & configuration like above) should buy the O'Reilly SSH book.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    16. Re:SSH is magnificent! by rweir · · Score: 2, Informative

      X Forwarding, SCP, FTPs
      You think that's impressive? Have a look at the -D flag to OpenSSH >3.0: That's right, ssh can now run an encrypted forwarding SOCKS4 server!
      Goddamn!

    17. Re:SSH is magnificent! by archen · · Score: 1

      Correct me if I'm wrong, but TeraTerm doesn't do full screen does it? I don't know since I haven't used it in a few years.

    18. Re:SSH is magnificent! by Shanep · · Score: 2

      Hey, that is neato. Can you supply it with your own random stream for the keys? I was thinking of something like this recently.

      I would like a real, strong key that I could plug in and out as I need to use my machines and sessions.

      Can you supplement its usage with an extra password to avoid the usage of that key if it gets stolen?

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    19. Re:SSH is magnificent! by demaria · · Score: 2

      I don't recall completely all the details about how it works, and it was about a month ago. However I thought it was pretty spiffy at the show. I'm not sure about the random stream for the keys and would rather not guess an answer, especially with security :). In the demo I saw there was a password that needed to be entered for it to work, which would affirmatively answer your second question. Check their website or call. Keep in mind this setup requires each machine to have an accessible USB port (assuming you use a USB token of course), and the commercial SSH (not OpenSSH).

    20. Re:SSH is magnificent! by thogard · · Score: 1

      No, but it copes with windows of any size; you can use that clicky thing to make it as big as your screen and font size will let you.

    21. Re:SSH is magnificent! by p3d0 · · Score: 1

      But I only want blowfish for file transfers. 3des is better (I understand) for interactive shell sessions.

      What's wrong with an alias?

      --
      Patrick Doyle
      I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
    22. Re:SSH is magnificent! by dasunt · · Score: 2

      Monitor plugged into it? You have a video card in the machine? /me boggles at the thought.

    23. Re:SSH is magnificent! by Anonymous Coward · · Score: 0

      I am rabbi with a gun...I will be victim of no one
      So you terrorists are warned, don't mess with me

      I will shoot you if I must...you'll be the one who's turned to dust
      On the streets of Brooklyn, you are gonna see

      So you can bet the whole farm...there won't be another Holocaust
      This time we'll stand up...too many people we've lost
      We're committed, we will defend ourselves
      We are strong...I'm set to lock and load...I am rabbi

      I am rabbi with a gun and...I am never gonna run and
      It is time you terrorists should be afraid

      We will hunt you day and night and...you're the ones who'll feel frightened
      In your stinking countries you will wish you stayed

      So you can bet the whole farm...there won't be another Holocaust
      This time we'll stand up...too many people we've lost
      We're committed, we will defend ourselves
      We are strong...I'm set to lock and load...I am rabbi

      I am rabbi with a gun and...I am set to get it done and
      For the scum among us we've a big surprise

      If attacks you will be trying...you're the ones who will be dying
      And around your bodies soon will come the flies

      So you can bet the whole farm...there won't be another Holocaust
      This time we'll stand up...too many people we've lost
      We're committed, we will defend ourselves
      We are strong...I'm set to lock and load

      And so, it's a promise not a dare
      Behave or please be aware
      Bullets will fly through the air

    24. Re:SSH is magnificent! by evilviper · · Score: 4, Informative
      But I only want blowfish for file transfers.

      Well, you could set up separate config entries like so:

      Host mercury-scp
          HostName mercury.domain.com
          Ciphers blowfish-cbc
          Compression yes

      Host mercury
          HostName mercury.domain.com
          Ciphers 3des-cbc
          Compression no


      3des is better (I understand) for interactive shell sessions.

      I not only don't agree, but I fail to even see any logic behind that. Blowfish is a quicker algorithm any way you look at it... Myself, and many others, regard it as amply strong, very unlikely to be cracked (as DES was), etc. Perhaps you'd clarify why one form of encryption would be better than another for extremely similar uses.
      What's wrong with an alias?

      It's just not a clean way to do it. Perhaps if you use something like the TCL/TK frontend in the future, your alias will not work... I'm sure there are other situations where a shell alias won't work, so I say: why not just do it the proper way in the first place? Of course you can do *much* more with the ~/.ssh/config file. Or, you could make the change machine-wide by editing /etc/ssh/ssh_config.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    25. Re:SSH is magnificent! by p3d0 · · Score: 1
      Thanks for the advice!

      As for the strength of 3DES, I have no idea of the relative strengths of the algorithms. I suppose I had just assumed that the ssh people wouldn't have picked a slow algorithm to be the default unless there was a reason.

      If blowfish is strong enough, I guess I might as well use that for everything.

      --
      Patrick Doyle
      I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
    26. Re:SSH is magnificent! by Anonymous Coward · · Score: 0

      I am not smart enough to explain it, but I understand that 3DES is more resistant to a man-in-the-middle attack (also woman-in-the-middle).

      I think Stanford's SRP was developed to address this.

      Blowfish is awesome (fast & strong). Maybe Twofish is even better. But I think it is known that the random key exchange is stronger in 3DES, when it sets up the connection.

    27. Re:SSH is magnificent! by Anonymous Coward · · Score: 0

      "I've managed to keep my home router/server up for 180 days..."

      That tells me that you haven't bothered patching anything in six months.

    28. Re:SSH is magnificent! by seaan · · Score: 2
      3DES is better (I understand)...

      and a responding post about Blowfish:

      Myself, and many others, regard it as amply strong, very unlikely to be cracked (as DES was)

      To answer these questions, first define "better". Blowfish is faster, and for some people that is enough. When it comes to the security of 3DES vs. Blowfish, I think it is safe to say that the jury is still out on this one. Although evilviper claims DES is cracked, I don't think this is an accurate term.

      There are only two attacks on DES that come even somewhat close to being a "crack": (1) exhaustive search and (2) an obscure oracle attack. The oracle attack has not received much mention recently, but requires a million+ carefully chosen plain-text trials before reducing DES's strength below exhaustive search levels.

      I believe evilviper was referring to the EFF's DES-cracker which performs exhaustive searches on the DES algorithm. The exhaustive search attack is based on the key length, not the algorithm. If you use a 56-bit key for Blowfish, a Blowfish cracker would exhaustively search all possible keys even faster (since Blowfish is quicker to run than DES). 3DES key lengths are 168-bits, but their effective strength is less (probably getting close to 112-bits given lots of storage for a meet-in-the-middle attack).

      So if they have comparable key lengths, is Blowfish better then DES when it comes to design? There is no easy way to tell. One way to judge is by the number of hours it has been examined, and what problems have been discovered. DES is the most publicly examined algorithm, and has stood up very well. It is hard to say, but I'm willing to bet that DES has undergone 2 to 4 orders of magnitude more scrutiny than Blowfish.

      Does that mean DES is more secure than Blowfish? No! But a cautious person could believe DES was more reliable, because it has been scrutinized so much more than Blowfish. This is the primary reason banks are moving to 3DES instead of AES. 3DES may not be fast, but it is very reliable.

    29. Re:SSH is magnificent! by evilviper · · Score: 2
      I think you have your terms mixed. When I say DES, I do not refer to 3DES... Indeed, the fact that DES was cracked is exactly why 3DES is so popular.

      Here's why I say DES was cracked:
      http://www.wired.com/news/technology/0,1282,13800,00.html
      The Electronic Frontier Foundation said in a statement today that its "EFF DES Cracker," built for under US$250,000, had cracked an encoded message in fewer than three days. The old record, established using a huge network of computers, was 39 days.


      Additionally, even with a much longer key (as 3DES has), I still would not put much faith in 3DES. Just as with WEP, if one version has been found excessively vulnerable, why put faith in an updated version? ESPECIALLY, when MANY other very good encryption methods exist: Blowfish, AES (up to 256-Bit in SSH2), CAST, ARCFour (RC4) etc.

      Of course, you're welcome to disagree.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    30. Re:SSH is magnificent! by seaan · · Score: 2
      The EFF "DES CRACKER" is a brute force attack, which has nothing to do with the strength of the algorithm. It consists of a whole bunch of parallel processors that can try different key ranges. Right now they are programmed to perform DES, but they could just as easily be programmed to perform some other algorithm.

      The lesson you should get from the EFF's DES CRACKER is not that something is wrong with the DES algorithm; rather it is that 56-bit keys are weak when you take into account today's computing power. If you are encrypting something important enough, you should choose an algorithm that has a larger key size.

      The 3DES algorithm uses DES 3 times (hence the "triple-DES" label), and as I mentioned before provides a key strength somewhere between 112 through 168-bits. There are a number of reasons to avoid 3DES, but so far the strength of the algorithm is not one of them.

      * Performance is one reason, DES is fairly slow by itself, and 3DES requires 3 iterations.

      * 3DES key management is comparable to other algorithms where keys are longer than the data block size, but is trickier than single-DES (because single-DES has the property that keys can be encrypted with a single data block). Naïve upgrades from DES to 3DES render many protocols vulnerable (correcting those problems contributes to how I make my living).

      * It is also important that 3DES be performed in an atomic manner, since the ability to separate the DES calls would leak information. This is just a difference in implementation (where 3DES may be more likely to have a sloppy implementation), since most algorithms would leak similar types of information if internal states were revealed.

      * You might decide that you should avoid 3DES because it is being attacked the most, and therefore is more likely to fail. Of course that would only be a benefit if the attack did not work on other algorithms. Also it may be more likely that a DES break would be made public, while breaks against lesser-known algorithms are more likely to be kept private.

      Another thing to consider is key size. DES is kind of lumpy, and does not allow a smooth set of choices (40-bit, 128-bit, 129-bit, etc.). But right now I think some of these key size differences are fairly academic (history will eventually make this statement wrong, but it will apply for a number of years). Once you start getting beyond a certain point, say 110-150 bits, exhaustive search is beyond any technology currently dreamed of. When you are looking at searches that are larger than the estimated number of atoms in the universe, it is going to take a completely different tack to break those types of algorithms.

      There are a whole bunch of ways, in theory, to break these large key algorithms without doing an exhaustive search. The most straightforward method is an algorithmic "break", where a weakness in the algorithm is found that allows it to be broken faster than exhaustive search. That is why DES (and 3DES) is popular, because this type of breaking is considered less likely to occur in this very well studied algorithm. Most likely the weakness will come in the form of a new attack type, which today's expert designers did not protect against. But there are other problems with larger key sizes, like lack of entropy. It is very difficult to obtain the high-entropy random numbers required by 256-bit keys. With today's technology, it would be much quicker (and possibly even practical) to attack the randomness of the key generator, rather than trying an exhaustive search.

      In summary, concluding 3DES is weak, merely because an exhaustive search attack has been performed against 56-bit single-DES is misguided. There are a number of good reasons to avoid 3DES, but you have not mentioned the ones I would consider valid (see above). It is interesting that you should bring up WEP, since the problems with WEP are: it was naively designed, and it was not subject to the widespread review that contributes to our state-of-the-art cryptographic designs. DES is in precisely the opposite position, because it has withstood the most rigorous reviews of any cryptographic algorithm.

      PS: Another interesting point is that 2 of the 4 algorithms you mentioned as an alternative to DES need to be approached with a bit of caution. I would recommend careful study of the current cryptographic academic research before using RC4 or CAST for important uses.

    31. Re:SSH is magnificent! by Anonymous Coward · · Score: 0
      So why now? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?

      The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.

    32. Re:SSH is magnificent! by evilviper · · Score: 2
      The EFF "DES CRACKER" is a brute force attack, which has nothing to do with the strength of the algorithm.

      Well, that's a borderline statement. The DES CRACKER is possible because of chips that are specially designed to go through the DES keys quicker than would otherwise be possible. It's been quite some time since I read the technical details, so I'm not in a position to reiterate the information. I'm sure it would not take much searching to find more information.

      I would recommend careful study of the current cryptographic academic research before using RC4 or CAST for important uses.

      I am quite well aware of RC4's history and potential problems, and would still be willing to trust it with sensitive data (as a matter of fact, an encryption system that I use on my handheld, uses a 256-bit RC4 algorithm). However, I do not have extensive knowledge of CAST, and would be far more reluctant to make use of it (*especially* considering that there are many other very good methods available).
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    33. Re:SSH is magnificent! by seaan · · Score: 2
      The EFF DES CRACKER did not do anything special with the DES engine in their chips (http://www.eff.org/descracker.html). Since DES is a popular algorithm, they had a good selection of hardware library routines to choose from. The main design difficulties were packing many execution engines onto a single chip, and setting up an efficient dispatching/testing architecture that coordinates and manages the parallel processing.

      In the last few years, quite a few efficient implementations of other algorithms have become more common (probably due in part to the proliferation of SSL and IPSEC accelerators). As I mentioned before, the "hard work" of managing the parallel processing has already been done, and they could easily switch the design to use some other crypto engine.

    34. Re:SSH is magnificent! by OzeBuddha · · Score: 1
      You know our cs department has gone so far as to disable telnet, so you can ONLY use SSH, smart eh?
      That's a good move, except when you consider that passwords are sent in plaintext when using ftp ;)
  21. I like this idea. by Anonymous Coward · · Score: 0
    I'm hoping that this technique leads to fewer remote-root scares involving OpenSSH... it's one of those must-have tools, and I'll bet a lot of people don't update it every time a security fix comes out. This type of split-mode authentication would work well for things like remote X and ftp as well, I think.

    I'm a fan of anything that promises to reduce the susceptibility of Unix/Unix workalikes to worms.

  22. Hard Times for *BSD by Anonymous Coward · · Score: -1, Troll

    Sure, we all know that *BSD is a failure, but why? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?

    The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.

    1. Re:Hard Times for *BSD by trybywrench · · Score: 1

      yeah right

      --
      I came to the datacenter drunk with a fake ID, don't you want to be just like me?
  23. Insider's scoop: Why BSD is dying by Anonymous Coward · · Score: 0, Flamebait
    The End of FreeBSD

    [ed. note: in the following text, former FreeBSD developer Mike Smith gives his reasons for abandoning FreeBSD]

    When I stood for election to the FreeBSD core team nearly two years ago, many of you will recall that it was after a long series of debates during which I maintained that too much organisation, too many rules and too much formality would be a bad thing for the project.

    Today, as I read the latest discussions on the future of the FreeBSD project, I see the same problem; a few new faces and many of the old going over the same tired arguments and suggesting variations on the same worthless schemes. Frankly I'm sick of it.

    FreeBSD used to be fun. It used to be about doing things the right way. It used to be something that you could sink your teeth into when the mundane chores of programming for a living got you down. It was something cool and exciting; a way to spend your spare time on an endeavour you loved that was at the same time wholesome and worthwhile.

    It's not anymore. It's about bylaws and committees and reports and milestones, telling others what to do and doing what you're told. It's about who can rant the longest or shout the loudest or mislead the most people into a bloc in order to legitimise doing what they think is best. Individuals notwithstanding, the project as a whole has lost track of where it's going, and has instead become obsessed with process and mechanics.

    So I'm leaving core. I don't want to feel like I should be "doing something" about a project that has lost interest in having something done for it. I don't have the energy to fight what has clearly become a losing battle; I have a life to live and a job to keep, and I won't achieve any of the goals I personally consider worthwhile if I remain obligated to care for the project.

    Discussion

    I'm sure that I've offended some people already; I'm sure that by the time I'm done here, I'll have offended more. If you feel a need to play to the crowd in your replies rather than make a sincere effort to address the problems I'm discussing here, please do us the courtesy of playing your politics openly.

    From a technical perspective, the project faces a set of challenges that significantly outstrips our ability to deliver. Some of the resources that we need to address these challenges are tied up in the fruitless metadiscussions that have raged since we made the mistake of electing officers. Others have left in disgust, or been driven out by the culture of abuse and distraction that has grown up since then. More may well remain available to recruitment, but while the project is busy infighting our chances for successful outreach are sorely diminished.

    There's no simple solution to this. For the project to move forward, one or the other of the warring philosophies must win out; either the project returns to its laid-back roots and gets on with the work, or it transforms into a super-organised engineering project and executes a brilliant plan to deliver what, ultimately, we all know we want.

    Whatever path is chosen, whatever balance is struck, the choosing and the striking are the important parts. The current indecision and endless conflict are incompatible with any sort of progress.

    Trying to dissect the above is far beyond the scope of any parting shot, no matter how distended. All I can really ask of you all is to let go of the minutiae for a moment and take a look at the big picture. What is the ultimate goal here? How can we get there with as little overhead as possible? How would you like to be treated by your fellow travellers?

    Shouts

    To the Slashdot "BSD is dying" crowd - big deal. Death is part of the cycle; take a look at your soft, pallid bodies and consider that right this very moment, parts of you are dying. See? It's not so bad.

    To the bulk of the FreeBSD committerbase and the developer community at large - keep your eyes on the real goals. It's when you get distracted by the politickers that they sideline you. The tireless work that you perform keeping the system clean and building is what provides the platform for the obsessives and the prima donnas to have their moments in the sun. In the end, we need you all; in order to go forwards we must first avoid going backwards.

    To the paranoid conspiracy theorists - yes, I work for Apple too. No, my resignation wasn't on Steve's direct orders, or in any way related to work I'm doing, may do, may not do, or indeed what was in the tea I had at lunchtime today. It's about real problems that the project faces, real problems that the project has brought upon itself. You can't escape them by inventing excuses about outside influence, the problem stems from within.

    To the politically obsessed - give it a break, if you can. No, the project isn't a lemonade stand anymore, but it's not a world-spanning corporate juggernaut either and some of the more grandiose visions going around are in need of a solid dose of reality. Keep it simple, stupid.

    To the grandstanders, the prima donnas, and anyone that thinks that they can hold the project to ransom for their own agenda - give it a break, if you can. When the current core were elected, we took a conscious stand against vigorous sanctions, and some of you have exploited that. A new core is going to have to decide whether to repeat this mistake or get tough. I hope they learn from our errors.

    Future

    I started work on FreeBSD because it was fun. If I'm going to continue, it has to be fun again. There are things I still feel obligated to do, and with any luck I'll find the time to meet those obligations.

    However I don't feel an obligation to get involved in the political mess the project is in right now. I tried, I burnt out. I don't feel that my efforts were worthwhile. So I won't be standing for election, I won't be shouting from the sidelines, and I probably won't vote in the next round of ballots.

    You could say I'm packing up my toys. I'm not going home just yet, but I'm not going to play unless you can work out how to make the project somewhere fun to be again.

    = Mike

    --

    To announce that there must be no criticism of the president, or that we are to stand by the president, right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public. -- Theodore Roosevelt
  24. um, inetd? by spoonist · · Score: 1

    Other than the tty and authentication separation, this doesn't sound a whole lot different than running sshd out of inetd. Or have I been smoking crack again without my knowledge?

    1. Re:um, inetd? by PacoTaco · · Score: 2, Interesting

      It's totally different. If you run sshd from inetd, you are still processing network data as root. If someone finds a buffer overflow (or whatever) they can execute arbitrary code as root on your system. This strategy uses an unprivileged user to do most of the network data processing, with a privileged parent process for verification and authentication. At worst, a remote attacker could only get access as the unprivileged user.

    2. Re:um, inetd? by Geekboy(Wizard) · · Score: 1

      why the bloody hell would you want to run sshd from inetd?!?!!?!? That is an evil, evil program, and should be banned. inetd=a microsoft product.

    3. Re:um, inetd? by cant_get_a_good_nick · · Score: 1

      inetd=a microsoft product.

      Hunh, What? Did I miss something? From the FreeBSD man page:
      HISTORY
      The inetd command appeared in 4.3BSD.

      It's not even a XENIX thing, well before then. What are you confusing it with, or are you just a troll?

    4. Re:um, inetd? by spoonist · · Score: 1

      But that's only if they find an overflow in inetd. In inetd.conf you can tell inetd to run a process as a user other than root. Then all the processing is done as, say, nobody.

    5. Re:um, inetd? by Geekboy(Wizard) · · Score: 1

      I was (sorta) trolling. I was saying that it was made with the microsoft philosophy in mind (make it suck donkey balls, then tell everyone that it's great)

    6. Re:um, inetd? by ideut · · Score: 0

      But then "nobody" is the only user who can log in remotely. Some part of the OpenSSH code needs to run as root so that it can setuid() to the user who is logging in. The privilege separation this article's about minimizes that part of the code.


  25. puTTY is geh by Anonymous Coward · · Score: 0

    use tera term dude

  26. That's what mailing lists are for by Anonymous Coward · · Score: 0

    Wouldn't you rather get an e-mail sent to you when a patch is out instead of constantly checking the OpenBSD homepage for patch info?

    BTW, the exploit was published after the patch, that's why it's listed as "possible"

  27. Casting Call by Anonymous Coward · · Score: -1, Offtopic
    Rectal Impaction Following Enema with Concrete Mix

    by Peter J. Stephens, M.D., and Mark L. Taff, M.D.
    from the American Journal of Forensic Medicine and Pathology 8(2):179-182, 1987.

    This article describes an unusual rectal foreign body resulting from homosexual anal erotic activities. The patient had used an enema containing a concrete mix which became impacted and required surgical removal. The use, abuse, and complications of enemas are reviewed.

    During the last 20 years, sexual habits have changed in western society. Homosexuals have shown an increasing interest in anal erotic practices, including the use of enemas for sexual enjoyment. We report a case of a klismaphiliac who had an impacted foreign body in his rectum following an enema with a concrete mix.

    CASE REPORT

    A 20-year-old man presented to the emergency room complaining of rectal pain. A well-nourished, well-developed man without signs of intoxication was admitted in no apparent distress. Digital examination of the rectum revealed a stony hard mass. Abdominal plain films showed a vertically oriented, low-lying radiopaque object in the rectum. A spherical radiolucency was noted in the upper pole of the mass. A blood alcohol level was negative. No other drug testing was performed.

    Upon further questioning, the patient said that approximately 4 hrs earlier he and his boyfriend had been "fooling around." After stirring a batch of concrete mix, the patient laid on his back with his feet against the wall at a 45-degree angle while his boyfriend poured the mixture through a funnel into his rectum. After the concrete mass hardened, it became so painful that he sought medical care.

    Under general anesthesia, the anus was dilated and two Foley catheters were inserted alongside the rectal mass to relieve suction. A concrete case of the rectum was delivered without incident. The rectal mucosa was intact with a hyperemic and edematous appearance.

    The patient was kept overnight and discharged uneventfully the following morning. The attending physician recommended a psychiatric consultation, but the patient declined.

    PATHOLOGIC EXAMINATION

    Examination of the specimen revealed a perfect concrete cast of the rectum, measuring 12 X 7 X 5 cm and weighing 275 g. A thin layer of feces coated the surface and crevices. Grooves in the mass were consistent with rectal mucosal folds. A layer of concrete was chipped off the upper part of the specimen and revealed a white plastic ping-pong ball. This corresponded to the radiolucency observed in the abdominal x-ray.

    1. Re:Casting Call by GhostseTroll · · Score: -1

      I agree.

      --
      Mamma look!

  28. Uh...? by JanusFury · · Score: 4, Interesting

    For those of us without much experience in the encryption and networking fields, anyone mind explaining exactly what this does? I read the page but I'm not sure I understand exactly what's going on.

    --
    using namespace slashdot;
    troll::post();
    1. Re:Uh...? by Accipiter · · Score: 2

      To put it simply:

      Encrypted Telnet.

      --
      Give him Head? Be a Beacon?
      (If you can't figure out how to E-Mail me, Don't. :P)

    2. Re:Uh...? by PacoTaco · · Score: 2, Informative

      Handling arbitrary data from the network as root is a bad thing. Basically, an attacker's exploits run at the same privilege level as the daemon they break in through. The new OpenSSH strategy uses a non-root user to do most of the work. That way, the attacker doesn't have immediate root access to your system if sshd is compromised.

    3. Re:Uh...? by LinuxGeek8 · · Score: 3, Informative

      I'm not into it that much either. But simply said, it starts different processes.
      The parent process starts with root privileges, and the child processes handle the actual connections, and do not run with root privileges.
      For things like authentication the child communicates with the parent. Hmm, would that mean a new connection needs to authenticate itself twice then? (in 1 login) I assume so.
      If the child gets corrupted, or someone tries to break in, he will not have the root privileges of the parent process.

      In previous ssh versions it was always running with root privileges, even if you were logged in as user. So every exploit in openssh is immediately a remote root exploit.

      This is sort of the same model that Apache has, one root parent, the rest runs as user www or whatever.
      The same as postfix, the secure alternative for sendmail (which also runs only as root, I believe).

      --
      Well, don't worry about that. We can get you back before you leave. (Dr. Who)
    4. Re:Uh...? by Anonymous Coward · · Score: 0

      Yeah...
      That reminds me of the joke about the helicopter pilot in Redmond.

      Encrypted Telnet.
      And that's different from OpenSSH-3.2 how?
      (You don't have to answer that now, I'll read the answers below)

    5. Re:Uh...? by evilviper · · Score: 2

      I know you've got responses, but I think I've got a much more simple explanation...

      This is essentially like having an application (that needs Root access) NOT SUID Root, and rather, having a simple application that it calls when it needs to do some privileged action.

      So, think of Apache running as a non-privileged user, and NetCat being SUID Root, and simply calling NetCat when it needs to communicate on a privileged port, etc.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  29. Good! by quasi_steller · · Score: 1

    At my school we use SSH for accessing our UNIX accounts. I have always been impressed by the security offered by SSH. I just hope that the network administrators at my school decide to upgrade to OpenSSH.

    --
    ...interesting if true.
  30. lollol by Anonymous Coward · · Score: 0

    keep m coming :]

  31. How does this differ from Kerberos? by Confessed+Geek · · Score: 1


    I'm far from an expert on either system, but this seems similar to the system Kerberos uses, 3rd party authentication... Am I totally misunderstanding the linked explanation?

    Thanks

    1. Re:How does this differ from Kerberos? by Anonymous Coward · · Score: 0

      It's a way of isolating the privileges of the actual daemon doing the network transfers. Old OpenSSH used a root-privileged daemon; the new one uses a much-less-privileged slave so that any buffer overflows or other exploits in the slave don't result in a root exploit.

      Presumably, securing the communications between the slave and main daemons is much easier to do than securing the whole main daemon. If you can only talk to the main daemon via the verified comm channel, then you're all set.

      ..unless the main daemon has a buffer overflow/etc in handling that comm channel. Oh well, there's always *something*.
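The privilege-separation model that PacoTaco, LinuxGeek8, evilviper and the reply above all describe (a root "monitor" parent, an unprivileged child that parses the untrusted network input, and a narrow validated channel between them) as a runnable sketch. This is an added example, not OpenSSH's own monitor code: the request format, the `check_password` operation, the `FAKE_SHADOW` table and the uid/gid 65534 are all assumptions made for the demonstration. The point it shows that the comments only state is why the channel is the security boundary: everything arriving from the child is treated as attacker-controlled, so the monitor checks structure, operation name and argument types before it touches the secret, and the child never sees the credential store at all.

```python
"""Privilege-separation sketch (constructed example, not OpenSSH code)."""
import hmac
import json
import os
import socket
import struct

# Operations the unprivileged child may ask the monitor to perform.
# Constructed for this example; OpenSSH's real monitor has its own request table.
ALLOWED_OPS = {"check_password"}

# Constructed stand-in for the credential store: only the monitor ever reads it.
FAKE_SHADOW = {"alice": "correct horse battery staple"}

MAX_MSG = 4096  # reject oversized requests before parsing them


def drop_privileges(uid=65534, gid=65534):
    """Switch to an unprivileged uid/gid when running as root (assumed ids).
    A no-op for a normal user, so the example also runs unprivileged."""
    if os.geteuid() == 0:
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)


def monitor_handle(request):
    """Validate one request from the child and act on it.
    Everything the child sends is treated as untrusted input."""
    if not isinstance(request, dict) or set(request) != {"op", "args"}:
        return {"ok": False, "error": "malformed request"}
    if request["op"] not in ALLOWED_OPS:
        return {"ok": False, "error": "operation not permitted"}
    args = request["args"]
    if not (isinstance(args, dict)
            and isinstance(args.get("user"), str)
            and isinstance(args.get("password"), str)):
        return {"ok": False, "error": "bad arguments"}
    # Always run the constant-time comparison, then AND with "user exists",
    # so an unknown user with an empty password cannot slip through.
    known = args["user"] in FAKE_SHADOW
    expected = FAKE_SHADOW.get(args["user"], "")
    match = hmac.compare_digest(expected.encode(), args["password"].encode())
    return {"ok": True, "authenticated": bool(match and known)}


def send_msg(sock, obj):
    """Length-prefixed JSON framing over the socketpair."""
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("peer closed")
        buf += chunk
    return buf


def recv_msg(sock):
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    if n > MAX_MSG:
        raise ValueError("oversized message")
    return json.loads(_recv_exact(sock, n))


def run_privsep(child_requests):
    """Fork an unprivileged child that sends `child_requests` to the monitor.
    Returns the list of replies the monitor produced, in order."""
    mon_sock, child_sock = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        # ---- unprivileged child: the side that would parse network input ----
        mon_sock.close()
        try:
            drop_privileges()
            for req in child_requests:
                send_msg(child_sock, req)
                recv_msg(child_sock)  # the child acts on the verdict, never on the secret
        finally:
            child_sock.close()
            os._exit(0)
    # ---- privileged monitor: keeps the secret, answers only vetted requests ----
    child_sock.close()
    replies = []
    try:
        while True:
            try:
                req = recv_msg(mon_sock)
            except EOFError:
                break
            reply = monitor_handle(req)
            replies.append(reply)
            send_msg(mon_sock, reply)
    finally:
        mon_sock.close()
        os.waitpid(pid, 0)
    return replies


if __name__ == "__main__":
    for r in run_privsep([
        {"op": "check_password", "args": {"user": "alice", "password": "wrong"}},
        {"op": "read_shadow", "args": {}},
    ]):
        print(r)
```

The answer to LinuxGeek8's question about authenticating twice is visible here: the child never authenticates the user itself, it forwards the credentials once and gets back only a yes/no verdict. The remaining attack surface is exactly what the reply above points out: the monitor's parser for the channel, which is why it is kept to fixed framing, a size cap and a short allow-list.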

  32. Security of SSH by Insount · · Score: 1

    On related news, a basic security flaw in the SSH protocol was recently analyzed by Mihir Bellare et al.

    The attack requires a carefully timed chosen-plaintext attack, but seems quite realistic in the setting of IP-over-SSH tunneling. Changes in the SSH protocol appear necessary.

    1. Re:Security of SSH by Anonymous Coward · · Score: 0

      From the link:

      "Abstract: The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol (or to SSH implementations)."

      Sounds good. Nothing like a good, easily-implemented solution :-).

    2. Re:Security of SSH by Anonymous Coward · · Score: 0

      IP over SSH tunneling? Nonsense.

    3. Re:Security of SSH by Insount · · Score: 1

      Clarification: by "IP-over-SSH tunneling" I refer to TCP port forwarding through SSH, and the important special case of the forwarding a PPP session through SSH.

      This is what I would use to secure a Wi-Fi connection, for instance.

    4. Re:Security of SSH by Dwonis · · Score: 3, Insightful

      I agree. IP over SSH is a bad idea for the same reasons why TCP over TCP is a bad idea.

    5. Re:Security of SSH by Anonymous Coward · · Score: 0

      So where can I download an OpenSSH patch for this? After all, I am continually told on Slashdot that when vulnerabilities are found in Open Source programs they are fixed in days if not hours, in contrast to evil closed-source products. It's been five days now, so when can I expect a fix?

    6. Re:Security of SSH by fferreres · · Score: 2

      They have already told you what modification they recommend. Go make them and patch them yourself :) That's another bonus of open source. You don't have to wait for someone else, you can do it yourself.

      But SSH is fine, nobody will steal your password unless they know they can profit well from it. (Furthermore, plain bugs are more easily exploitable than cryptography weaknesses).

      --
      unfinished: (adj.)
  33. I WHOLEHEARTEDLY AGREE WITH THIS POST COMPLETELY by theodoliteq · · Score: -1, Offtopic

    I rate this post at +5, it is amazingly insightful.

  34. Packet sniffing by PatJensen · · Score: 2, Interesting
    Everyone says SSH is great, because your passwords and session information cannot be sniffed and I know that - but how important is it now? You cannot sniff packets on a switched network without SPAN access or port mirroring access on the switch itself. And over multiple switches, it is not trivial to gain access to do that since multiple access ports do not receive unicast frames. Unless you were the switch administrator of all the core and access switches I don't see this happening easily.

    Is there a tool that allows you to force the switch to forward ethernet frames so they can be sniffed without switch administrator access? Please offer some information on how this is done as I'd like to have a better understanding on how this works. What platforms does the tool run on, and on what switch platforms would it work against?

    -Pat (a CCNP and MCSE)

    1. Re:Packet sniffing by GigsVT · · Score: 3, Insightful

      Who says the attack is local? Your packets cross from 5 to 20 hops before getting to their destination. Routers can be compromised, through security weaknesses or through deliberate government interference. OpenSSH also allows for host authentication, so you know you are really talking to who you think you are. A secure transport is about more than some guy on your LAN sniffing your password.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:Packet sniffing by Anonymous Coward · · Score: 0

      It's important if you don't want the switch administrator to see what you are doing.

    3. Re:Packet sniffing by sporty · · Score: 2

      What if there is one misconfigured router somewhere.. or some chucklehead in sprint wants to collect CC numbers, and they are an admin.

      Not a nice feeling, now is it. It is a bit of paranoia.. but an ounce of prevention is worth a pound of cure..

      --
      ping -f 255.255.255.255 # if only

    4. Re:Packet sniffing by mlyle · · Score: 3, Interesting

      There are plenty of attacks that if you reside on the same virtual lan as one of the victims that allow you to intercept traffic.

      One is sending traffic from the victim's mac address, so that the switch "learns" that MAC is out your port. Port security features on switches can help fix this but are oft-unused.

      Another is ARP spoofing and using that to man-in-the-middle the session. You tell the person logging in that your MAC address is the victim host, and it cheerfully sends all packets to you. This is difficult to detect and prevent.

      In conclusion: switches do not provide security against packet sniffing attacks.

    5. Re:Packet sniffing by Anonymous Coward · · Score: 0

      I've been looking at your question concerning a switched network/spoofing myself. We had some problems with routers dialing out, and wondered if we could use snort to sort out the packets on the network.
      It is possible to spoof the MAC addresses on a switched network. I do not remember the name of the program that allows this, but I found one for Windows (the laptop we use has Windows). And it works. I can plug the laptop in a switch, run the program, and it will spoof all MACs so that all network traffic first comes to you and then it sends it back onward. Dunno the tech behind this. But anyway, we can use snort, set up some rules and find out what's going on.

    6. Re:Packet sniffing by Kwikymart · · Score: 1

      Everyone says SSH is great, because your passwords and session information cannot be sniffed and I know that - but how important is it now? You cannot sniff packets on a switched network without SPAN access or port mirroring access on the switch itself.

      Well, I wouldn't want anyone knowing any password for any account on my machine at all. Also, what happens if you do remote administration with root access? I wouldn't want to take any chances whatsoever.

      Though it is unlikely that any router admin would ever see an unencrypted password via telnet, the capability is still there. Besides, for a lot of people, the information they are transmitting is very sensitive and leaks could cost them money or even their job. It is still an important issue whether billions of people see your data packets or a handful of router admins have the capability of seeing them. Play it safe or one of these days your carelessness will come up and bite you in the ass.

      --
      Buying a Dell computer is equivalent to dropping the soap in a prison shower.
    7. Re:Packet sniffing by Anonymous Coward · · Score: 0

      You cannot sniff packets on a switched network without SPAN access or port mirroring access on the switch itself.

      Not true... check out this link: http://ettercap.sourceforge.net/

      Ettercap works on switched networks, without any spanning involved. Just get the card in promisc mode and start poisoning the ARP caches and you're good as gold. Fun stuff!!

    8. Re:Packet sniffing by Anonymous Coward · · Score: 0

      or in slashdots, case, 30... yep, 30, too bad algx and exodus's peering is so shitty.

      3 hgr2-core2-fa0-1-0.atlas.algx.net (165.117.61.242) 3 ms 3 ms 4 ms
      4 dca6-core1-s3-0.atlas.algx.net (165.117.52.141) 4 ms 165.117.68.69 (165.117.68.69) 4 ms dca6-core1-s3-0.atlas.algx.net (165.117.52.141) 5 ms
      5 dca6-core4-pos6-0.atlas.algx.net (165.117.48.106) 5 ms 8 ms 4 ms
      6 jfk3-core4-pos5-0.atlas.algx.net (165.117.48.34) 13 ms 13 ms 13 ms
      7 jfk3-core2-pos7-0.atlas.algx.net (165.117.48.165) 13 ms 13 ms 13 ms
      8 ord2-core2-pos5-0.atlas.algx.net (165.117.48.38) 29 ms 63 ms 39 ms
      9 ord2-core1-pos6-0.atlas.algx.net (165.117.48.85) 30 ms 29 ms 30 ms
      10 sfo2-core2-pos5-0.atlas.algx.net (165.117.48.26) 91 ms 99 ms 91 ms
      11 sfo2-core3-pos7-0.atlas.algx.net (165.117.48.10) 92 ms 99 ms 91 ms
      12 sjc3-core5-pos6-3.atlas.algx.net (165.117.50.194) 94 ms 94 ms 93 ms
      13 206.24.241.181 (206.24.241.181) 101 ms 93 ms 93 ms
      14 ibr01-p1-0.paix01.exodus.net (216.32.132.157) 93 ms 95 ms 99 ms
      15 bbr02-p0-0.sntc04.exodus.net (209.1.169.26) 95 ms 96 ms 94 ms
      16 bbr01-g2-0.sntc04.exodus.net (216.34.2.3) 104 ms 96 ms 96 ms
      17 bbr01-p1-0.sntc05.exodus.net (209.1.169.138) 95 ms 94 ms 94 ms
      18 bbr02-p0-0.stng02.exodus.net (216.32.132.17) 173 ms 168 ms 174 ms
      19 bbr01-g6-0.stng02.exodus.net (216.109.66.19) 169 ms 170 ms 176 ms
      20 bbr02-p7-0.whkn01.exodus.net (216.32.132.194) 170 ms 170 ms 170 ms
      21 bbr01-g5-0.whkn01.exodus.net (216.35.65.83) 169 ms 169 ms 169 ms
      22 bbr02-p1-0.jrcy01.exodus.net (216.32.132.13) 171 ms 171 ms 171 ms
      23 bbr01-g4-1.jrcy01.exodus.net (216.32.223.97) 173 ms 170 ms 170 ms
      24 bbr02-p4-0.wlhm03.exodus.net (209.1.169.66) 175 ms 175 ms 191 ms
      25 bbr01-g2-0.wlhm03.exodus.net (66.37.192.3) 214 ms 174 ms 182 ms
      26 bbr01-p3-0.wlhm01.exodus.net (206.79.9.106) 178 ms 179 ms 175 ms
      27 dcr03-g1-0.wlhm01.exodus.net (64.14.70.49) 174 ms 175 ms 175 ms
      28 csr03-ve241.wlhm02.exodus.net (64.14.70.138) 175 ms 175 ms 174 ms
      29 64.28.66.204 (64.28.66.204) 176 ms 176 ms 176 ms
      30 * * *

    9. Re:Packet sniffing by PatJensen · · Score: 2
      Thanks for the flame, but I don't think you understood my question. I understand the benefits and strengths of using SSH and encrypted VPN products and I use them regularly. My question was - how important is this with packet switching blocking frames that are able to be sniffed?

      -Pat

    10. Re:Packet sniffing by pyite · · Score: 1

      Moderation Totals: CCNP=2, MCSE=-1, Total=1.

      --
      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    11. Re:Packet sniffing by nr · · Score: 2, Interesting

      You can sniff switched networks as the ARP queries are sent out to the broadcast address and received by all hosts on the segment, and then you send a fake ARP reply to that ARP query, fooling the victim into believing you are the real host, poisoning the victim's ARP cache with your MAC address instead of the real destination host's MAC address.

      There exists a sniffer tool called EtterTap that can do this automatically for you.

    12. Re:Packet sniffing by mrmag00 · · Score: 2, Interesting

      The correct conclusion would be "Any cheap switch does not provide security against packet sniffing attacks."

      These things are nothing new, and cisco catalyst switches can be configured to prevent all of these. Of course, they come at a cost - about $1000 for bottom of the line.

    13. Re:Packet sniffing by nr · · Score: 1

      A small correction, the sniffer tools name is Ettercap, more info about Ettercap can be found on Packet Storm security

    14. Re:Packet sniffing by Anonymous Coward · · Score: 0

      That wasn't a flame.

      However, this is:

      You advertised the fact that you're a MSCE, so you must be an idiot.
      You advertised the fact that you're a CCNP, so you must be an arrogant f*ck who's trying to show off that you understand networking by asking lame questions designed to look smart.

      I didn't mean any of that, but I just wanted to give you an example of what a flame is, since you don't appear to be familiar with the terminology.

    15. Re:Packet sniffing by Anonymous Coward · · Score: 0

      Ever put three of them in a loop? You end up getting all sorts of traffic you shouldn't.

    16. Re:Packet sniffing by Anonymous Coward · · Score: 0

      Of course things like DSL and Cable modem which are basically bridging technologies underneath can (sometimes) allow frames from other terminals on to the network.

      It's just not worth taking the chance.

    17. Re:Packet sniffing by demon · · Score: 1

      Can't sniff on switched connections? Right. If you ARP flood those fancy switches, most of them will eventually (if flooded with enough random ARP replies) just broadcast packets instead. There are programs that are ready-made for just that purpose. If I care about the data going across the wire, I'm not going to just trust a switch to keep it safe - strong encryption is the only real answer.

      --
      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
    18. Re:Packet sniffing by Tuzanor · · Score: 2
      You can packet storm the switch with tons and tons of mac addresses. eventually the switch won't know where to forward packets because its database will be overflowed. The switch will then drop down to a sort of "hub mode".

      For some reason this attack is common in college dormitories. ;-)

    19. Re:Packet sniffing by druse · · Score: 0
      You don't need to hack the switch. All you need to do is mess with its head. Switches operate by figuring out which computer(s) are on each port and then forwarding traffic appropriately. They mostly do this automatically by watching the traffic in and out of each port (although there are manually configurable switches which are immune to this kind of attack). If you set up some computers to lie about who they are, it'll eventually overload the switch's ability to remember which computer is where. And then it reverts to broadcasting everything everywhere, like a hub. So, no, just because most networks are switched these days doesn't mean that it's impossible to snoop.

      And of course there's the issue of connecting over the net. I don't know about you, but personally I don't really trust everyone between my home box and the various boxes I admin over the net.

      --
      "To blow recursion, you must first blow recus
    20. Re:Packet sniffing by Anonymous Coward · · Score: 0

      I am rabbi with a gun...I will be victim of no one
      So you terrorists are warned, don't mess with me

      I will shoot you if I must...you'll be the one who's turned to dust
      On the streets of Brooklyn, you are gonna see

      So you can bet the whole farm...there won't be another Holocaust
      This time we'll stand up...too many people we've lost
      We're committed, we will defend ourselves
      We are strong...I'm set to lock and load...I am rabbi

      I am rabbi with a gun and...I am never gonna run and
      It is time you terrorists should be afraid

      We will hunt you day and night and...you're the ones who'll feel frightened
      In your stinking countries you will wish you stayed

      So you can bet the whole farm...there won't be another Holocaust
      This time we'll stand up...too many people we've lost
      We're committed, we will defend ourselves
      We are strong...I'm set to lock and load...I am rabbi

      I am rabbi with a gun and...I am set to get it done and
      For the scum among us we've a big surprise

      If attacks you will be trying...you're the ones who will be dying
      And around your bodies soon will come the flies

      So you can bet the whole farm...there won't be another Holocaust
      This time we'll stand up...too many people we've lost
      We're committed, we will defend ourselves
      We are strong..I'm set to lock and load

      And so, it's a promise not a dare
      Behave or please be aware
      Bullets will fly through the air

    21. Re:Packet sniffing by jpc · · Score: 1

      yes. arp poisoning. Unless you have static arp. It works fine.

    22. Re:Packet sniffing by WTFRUDOINBiotch · · Score: 1

      See also Dsniff, by Dug Song.

      For instructions, see "How do I sniff in a switched environment?" in the FAQ.

      It's a nifty suite with an Arp Redirector and fragrouter, letting you forward the packets to the original recipient. It also defaults to searching for telnet/ftp/aim and other insecure passwords, so there's not a whole lot of configuring to get right to the good stuff.

      While you're at it, check out the "How do I sniff / hijack SSH connections?" section, as well. If that doesn't make you use Kerberos or check your public keys, nuttin will.

      --
      Make money with Real Estate Investing
  35. DON'T LISTEN! TROJAN ADVICE! by Anonymous Coward · · Score: 0, Troll

    Blowfish is inherently insecure, ANY FILE LARGER THAN 1024KB YOU TRANSFER CAN BE DECRYPTED BY ANY 13 YEAR OLD WITH A POCKET CALCULATOR!

    Everyone should know better than to accept advice from random slashdot comments!

    1. Re:DON'T LISTEN! TROJAN ADVICE! by Psiren · · Score: 2

      Everyone should know better than to accept advice from random slashdot comments!

      Like this one? ;)

    2. Re:DON'T LISTEN! TROJAN ADVICE! by Anonymous Coward · · Score: 0

      Ever heard of twofish? It's pretty pointless to encrypt 64-bit chunks by a 128-bit key, and that's what blowfish does. Not exactly for pocket calculators, but anyway, it's a false sense of security.

    3. Re:DON'T LISTEN! TROJAN ADVICE! by Anonymous Coward · · Score: 0

      Ssh, no matter what encryption is used, provides a false sense of security. Unless you live in a vault with an explosives booby trap strapped to your disk drives it wouldn't take much effort to get any information you may have.

      Security is purely a matter of determining the correct effort/safety ratio for the data you have. I can't recall ever scp'ing any data that would really qualify as sensitive.

    4. Re:DON'T LISTEN! TROJAN ADVICE! by p3d0 · · Score: 2

      Do you have a link?

      --
      Patrick Doyle
      I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
    5. Re:DON'T LISTEN! TROJAN ADVICE! by styrotech · · Score: 2, Funny

      Blowfish is inherently insecure, ANY FILE LARGER THAN 1024KB YOU TRANSFER CAN BE DECRYPTED BY ANY 13 YEAR OLD WITH A POCKET CALCULATOR!

      Hmmm... I tried that out, but it didn't work for me. I'm pretty sure the calculator is okay, do you think my 13 year old is faulty?

    6. Re:DON'T LISTEN! TROJAN ADVICE! by Shanep · · Score: 2

      Would you like to elaborate and become the first person with cryptanalysis which shows a weakness in Blowfish and thus enjoy the spoils of your elite mental power? You are about to knock Bruce off his pedestal and render his works suspect?

      No? I thought not.

      PS, moderators, the parent post is not "Insightful", it is one of either "Funny" or "Troll" depending on your mood and knowledge of Blowfish and typical Slashdot Anonymous Coward posts. I would lean towards Troll and moderate him down into the rest of the noise.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  36. Ettercap (was Re:Packet sniffing) by Nonesuch · · Score: 5, Informative
    Packet sniffing traffic that crosses your ISP and then the public Internet is definitely a serious and real risk.
    PatJensen asks:
    Is there a tool that allows you to force the switch to forward ethernet frames so they can be sniffed without switch administrator access?
    There are tricks to force the switch to 'flood' ethernet frames (overflow the CAM table, etc). Two common attacks against switched segments are MAC spoofing (easily detected and protected against on Cisco) and ARP spoofing (more difficult to protect against).

    There is also a tool to permit packet sniffing, see ettercap on Sourceforge.

    Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

    Ettercap is actively being used by the "black hat" community, and has been found on compromised systems on switched LAN segments "in the wild".
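The two switched-segment attacks this comment and mlyle's, Tuzanor's and druse's replies describe (ARP spoofing, where a second MAC claims an IP that is already bound, and CAM-table overflow, where one port suddenly sources hundreds of MACs) both leave a signature a defender can watch for. The following is an added example, not code from ettercap or from any switch vendor: it runs the two detections an ARP monitor or a switch's port-security feature would perform over a constructed set of frame records (timestamp, switch port, source MAC, ARP sender IP) and reports what they find. The frame layout, port numbers, addresses and the flood threshold are all assumptions made for the example.

```python
"""Switched-LAN attack detection over constructed frame records (added example)."""
from collections import defaultdict

# Constructed records standing in for what a monitor port or a host on the segment
# would see: (timestamp, switch_port, source_mac, arp_sender_ip).
# arp_sender_ip is None for frames that are not ARP replies.
SAMPLE_FRAMES = [
    (0.0, 1, "00:11:22:33:44:01", "10.0.0.1"),   # gateway answers an ARP query
    (1.0, 2, "00:11:22:33:44:20", "10.0.0.20"),  # ordinary host
    (2.0, 3, "00:11:22:33:44:99", "10.0.0.1"),   # another MAC claims the gateway IP
    (3.0, 1, "00:11:22:33:44:01", "10.0.0.1"),   # the real gateway again
]
# A burst of 120 never-seen-before source MACs on port 4: the CAM-table
# overflow pattern described in the thread (constructed locally-administered addresses).
SAMPLE_FRAMES += [
    (4.0 + i / 100, 4, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), None)
    for i in range(120)
]


def detect_arp_conflicts(frames):
    """Flag ARP replies in which an IP already bound to one MAC is claimed by another.
    The first binding seen is kept as the baseline (as arpwatch-style tools do), so a
    spoofer that shows up later is reported on every conflicting reply it sends."""
    baseline = {}   # ip -> (mac, port) first observed
    alerts = []
    for ts, port, mac, ip in frames:
        if ip is None:
            continue
        known_mac, known_port = baseline.setdefault(ip, (mac, port))
        if known_mac != mac:
            alerts.append({"time": ts, "ip": ip,
                           "known_mac": known_mac, "known_port": known_port,
                           "new_mac": mac, "new_port": port})
    return alerts


def detect_mac_flood(frames, threshold=50):
    """Count distinct source MACs per switch port and return {port: count} for every
    port above `threshold`. An access port normally carries one or a handful of MACs;
    this is the same quantity a switch's port-security limit is enforced on."""
    macs_per_port = defaultdict(set)
    for _ts, port, mac, _ip in frames:
        macs_per_port[port].add(mac)
    return {p: len(m) for p, m in macs_per_port.items() if len(m) > threshold}


if __name__ == "__main__":
    for a in detect_arp_conflicts(SAMPLE_FRAMES):
        print("ARP conflict:", a)
    for port, n in detect_mac_flood(SAMPLE_FRAMES).items():
        print("possible CAM overflow on port %d: %d source MACs" % (port, n))
```

Both checks are deliberately stateless beyond a baseline table, which is what makes them cheap to run continuously; the operational caveat is that a legitimate change (a replaced NIC, a router failover) also produces an ARP conflict, so the alert is a prompt to verify, not proof of an attacker.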

    1. Re:Ettercap (was Re:Packet sniffing) by PatJensen · · Score: 3, Interesting
      Thanks for the informative response. Is there a place where I can read whitepapers on the viability of CAM overflows and MAC and ARP spoofing? Does Cisco have anything available that relates to this security? I'm aware of port security (only allowing certain MAC address to join a port) and VMPS (a centralized MAC database for VLANs, network wide).

      Would either of these be helpful in preventing these types of attacks?

      Thanks again.

      -Pat

    2. Re:Ettercap (was Re:Packet sniffing) by Pahroza · · Score: 1

      You can get some good info on ARP poisoning/spoofing in this pdf.

    3. Re:Ettercap (was Re:Packet sniffing) by Anonymous Coward · · Score: 0

      I hate niggers, spics, wogs, and jews.

  37. I AGREE by GhostseTroll · · Score: -1

    Lameness filter encountered. Post aborted!
    Reason: Don't use so many caps. It's like YELLING.

    EVERY THING SAID IN THE PARENT POST IS COMPLETELY TRUE. I SWEAR ON THE PREVIOUS POSTER'S MOTHER'S GRAVE.

    THANKS.

    Lameness filter encountered. Post aborted!
    Reason: Don't use so many caps. It's like YELLING.

    --
    Mamma look!

  38. No thanks??? by Nonesuch · · Score: 5, Insightful
    kevinqtipreedy writes:
    Trust old telnet works fine, unless you are worried about people seeing your passwords, and everything you are doing.
    And you're not?
    That is the point of ssh; it encrypts what you do, including passwords so it can not be seen by people on the same network segment.
    That is one of the many points of SSH. The protocol also supports public-key authentication, so you don't need a "shared secret" (reusable password) at all. The protocol also provides authentication that you are really talking to the remote server you think you are, preventing MITM attacks (e.g. spoofing DNS so your telnet session goes through my server). SSH also offers compression, for faster file transfers. And port forwarding, including X11. And much more.

    A difficult password is just as important on telnet as it is on ssh because they can still be cracked either way.
    It is unlikely that anybody is going to bother cracking your telnet password - if they don't sniff it, then there are few scenarios where somebody has the ability to obtain the shadow file from a server but does not already have root.

    One issue with password cracking and sniffing is that it is critical to have a unique password for every site you have accounts at.

    Under SSH, I can set up systems so that password logins only work on the physical console, not over the network. I can create a strong private key (passphrase protected) and install my public key on the remote servers, using the same key for many different servers without the security issues that come from using the same password across disparate sites.
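The setup described in the last paragraph (key-only logins over the network, passwords refused by sshd) is expressed in sshd_config, and the mistake that undoes it is usually a stray `PasswordAuthentication yes` somewhere in the file. The following is an added example, not part of this post and not OpenSSH code: a small audit that parses an sshd_config the way sshd reads it (first occurrence of a keyword wins, `Keyword Value` or `Keyword=Value`, and everything after a `Match` line is conditional and out of scope here) and reports which of four authentication keywords differ from a key-only policy. The two embedded configs are constructed samples, and the expected values are the policy this post argues for rather than sshd's own defaults, which is why an unset keyword is reported too instead of being assumed safe.

```python
"""sshd_config audit for a key-only login policy (added example)."""
import re

# Constructed sample: what a default-ish, password-permitting config looks like.
WEAK_CONFIG = """\
# permissive (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: passwords refused over the network, keys only.
HARDENED_CONFIG = """\
# key-only (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# The policy the post describes, keyed by lower-cased sshd_config keyword.
KEY_ONLY_POLICY = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",  # keyboard-interactive also carries passwords
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}

_LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.
    Keywords are case-insensitive and the first occurrence wins, as in sshd;
    parsing stops at the first Match block, whose settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # keyword with no value: let sshd -t complain about it
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text, policy=KEY_ONLY_POLICY):
    """Return a list of findings; an empty list means the global section
    matches the policy. Unset keywords are reported rather than assumed."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in policy.items():
        got = settings.get(key)
        if got is None:
            findings.append("%s: not set explicitly (sshd default applies)" % key)
        elif got.lower() != want:
            findings.append("%s: is '%s', expected '%s'" % (key, got, want))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

To run it against a real file, read the file's text and pass it to `audit`; the only things this checks are the four keywords above, so it complements rather than replaces `sshd -t`, which validates the whole file.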

    1. Re:No thanks??? by Anonymous Coward · · Score: 0

      1: The guy you replied to was replying to an obvious troll.
      2: Your reply indicates that you have no grasp of sarcasm.
      3: There is no point 3.

  39. +9999999 INSIGHTFUL. THIS IS VERY TRUE. by GhostseTroll · · Score: -1

    The parent post is so insightful that I shit my pants. Furthermore, it is so insightful that I would like to reward its author with the most prestigious award that the Mississippi Ghostse Redneck Goat-Fucking SUV-Driving Wanker Society has the authority bestow: a bumperdumper link

    Now the aforementioned may bask in the opulent and blindingly exuberant beauty of our dear Uncle Booger.

    Thank you. Goodnight.

    --

    --
    Mamma look!

  40. Timothy by jhines · · Score: 4, Funny

    It is Timothy that we don't trust.

  41. BRAVO! by GhostseTroll · · Score: -1

    This post deserves the summit of all accolades: My Mississippi Ghostse Story. Here goes:

    A professor at the University of Mississippi is giving a
    lecture on the supernatural. To get a feel for his
    audience, he asks: "How many people here believe in
    ghostses?" About 90 students raise their hands.

    "Well, that's a good start. Out of those of you who
    believe in ghostses, do any of you think you've ever seen
    a ghostse?" About 40 students raise their hands.

    "That's really good. Has anyone here ever talked to a
    ghostse?" 15 students raise their hands.

    "That's great. Has anyone here ever touched a ghostse?" 3
    students raise their hands.

    "That's fantastic. But let me ask you one question
    further... Have any of you ever made love to a ghostse?"
    One student way in the back raises his hand.

    The professor is astonished and says, "Son, all the
    years I've been giving this lecture, no one has ever
    claimed to have slept with a ghostse. You've got to come
    up here and tell us about your experience."

    The redneck student replies with a nod and a grin, and
    begins to make his way up to the podium. The professor
    says, "Well, tell us what it's like to have sex with
    ghostse."

    The student replies, "Ghostse?!? From ah-way back there ah
    thought yuh said "goatse."

    --

    --
    Mamma look!

  42. What it does - Program, not Protocol Security by billstewart · · Score: 5, Informative
    This isn't a change to the communications protocols or any of the encryption - it's a change to the Unix implementation of the server to make it much less likely that any bugs can let someone break in. (Initially this works for OpenBSD, should be easy to port to other BSD implementations, probably to Linux and Solaris, maybe to WinNT but maybe not.) The basic way that a communications server like this works is
    • A process sits around listening to the well-known TCP port for connection requests. The process needs to be privileged for two reasons:
      • The port is a system resource so only the system should be able to control it
      • When a user logs in (on Unix), their connection needs to operate with the permissions of that user, so the server needs to be root so it can start a session as any user who logs in (as opposed to a Web Server, which usually only needs access to publicly readable files).

    When a request comes in, it hands it to a subroutine that handles requests for the server to do different functions, including authentication.

    For some services, such as SSH and FTP, the server may set up multiple connections for things like transferring files, etc.

    You can write a server like this as one big single-threaded process, or as one big process with multiple threads if your operating system and programming environment support it, but it's more common, especially on Unix, for the main process to spin off several child processes to do the work and go back to listening for new incoming requests. In this case, it spins off one process to handle the control channel communications and that process spins off other processes to handle specific tasks like file transfers, after checking that the connection and the request are authenticated. In a simple-minded implementation, the control channel process runs as root, and any task channel processes start off as root, and maybe change their privileges to an individual user's privileges if they need to (for instance if you're using SSH to log in to a remote system.)

    The problem with this is that if there are any bugs that let a remote connection send messages with unexpected data in ways that break or take over the server process, the server is running as root so it can do anything it wants, however evil or dangerous (or if it's a minor bug that doesn't lead to a complete takeover, it may still be able to burn critical resources and stall the system or do some other denial of service attack.) Two popular kinds of attacks are sending a message that overflows a field (the result of bad protection in the C language combined with careless programming), or sending a message that asks the process to do something that the programmer didn't expect and protect against, such as setting permissions on a system file or making a user's program privileged, so that it can be exploited later, either by another communication from the attacker or by routine activities by the system or the user.

    What the new OpenSSH implementation does is take the bottom two server processes (the control channel server and the task servers) and split each of them into two parts that communicate with each other. One part of each process is a master, that keeps running privileged if it needs to, and the other is a slave process that runs as a non-privileged user (either the user who's requesting the service, for tasks like logins, or as the "nobody" user) and does most of the actual work, passing messages back and forth to the master process to communicate about status and request anything that still requires privileges. This gives you a bunch of security advantages:

    • Each part of the system is smaller, with fewer functions to perform and well-defined interfaces to other parts, so you can do a better job of checking for bugs and each part can validate incoming messages before doing anything.
    • The parts of the system that need to be privileged aren't communicating directly with the remote user, only with the slave processes, so they have a much smaller set of messages to validate.
    • If there's some bug in the system that lets a remote attacker take over one of the control or task processes by sending a craftily designed message, the bug is in the non-privileged slave process, which doesn't run as root, can't do as much damage, and has a limited set of messages that the master process will accept from it.

    The rest of it is basically detail about which functions they separated into which programs, how they made sure that each piece has enough capabilities to do the job without giving it too much power that could be exploited by an attacker, and some stuff about how they validated the pieces. It's adding more complexity to the total system, but each piece is more limited in function, and the security-critical pieces are much easier to validate against bugs and malicious input.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
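    The master/slave split described in the post above, as an added example that is not OpenSSH's own code (OpenSSH's real monitor in monitor.c has a much larger request set): a privileged monitor forks a worker over a socketpair; the worker drops to an unprivileged account (assumed here to be "nobody", and only attempted when the program actually runs as root), handles the untrusted side, and can get privileged work done only by sending a fixed-size request that the monitor validates before acting on it. The two request types, the allowed name alphabet, the "password-database lookup" and the hostile request the worker sends are all invented for the illustration.

```c
/* Privilege-separation sketch: a privileged monitor forks an unprivileged
 * worker that talks to the (untrusted) network side and may only ask the
 * monitor for a few fixed-format services over a socketpair.
 * Added example, not OpenSSH code. Assumes a POSIX system and, when run as
 * root, an account named "nobody" to drop to. */
#define _GNU_SOURCE
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define NAME_MAX_LEN 32
enum { REQ_PING = 1, REQ_USER_EXISTS = 2 };   /* invented request types */

/* Fixed-size messages: no length fields the worker could lie about. */
struct request { uint32_t type; char name[NAME_MAX_LEN]; };
struct reply   { uint32_t status; char data[NAME_MAX_LEN]; };

/* The monitor trusts nothing from the worker: only two message types,
 * and names must be NUL-terminated and drawn from a small safe alphabet. */
int monitor_validate(const struct request *r) {
    if (r->type != REQ_PING && r->type != REQ_USER_EXISTS) return -1;
    if (memchr(r->name, '\0', NAME_MAX_LEN) == NULL) return -1;
    for (const char *p = r->name; *p; p++)
        if (!islower((unsigned char)*p) && !isdigit((unsigned char)*p) &&
            *p != '_' && *p != '-')
            return -1;
    return 0;
}

/* Work that needs the monitor's privileges (stand-in: a passwd lookup).
 * status: 0 = ok/found, 1 = user not found, 2 = request refused. */
int monitor_handle(const struct request *r, struct reply *out) {
    memset(out, 0, sizeof *out);
    if (monitor_validate(r) != 0) { out->status = 2; return -1; }
    if (r->type == REQ_PING) {
        memcpy(out->data, r->name, NAME_MAX_LEN);
        out->status = 0;
    } else {
        out->status = getpwnam(r->name) ? 0 : 1;
    }
    return 0;
}

/* Irreversibly drop root to an unprivileged account; no-op when not root. */
static int drop_privileges(const char *user) {
    if (geteuid() != 0) return 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    if (setgroups(1, &pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0) return -1;   /* if we can get root back, the drop failed */
    return 0;
}

static int read_all(int fd, void *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t k = read(fd, (char *)buf + got, n - got);
        if (k <= 0) return -1;
        got += (size_t)k;
    }
    return 0;
}

static int write_all(int fd, const void *buf, size_t n) {
    size_t done = 0;
    while (done < n) {
        ssize_t k = write(fd, (const char *)buf + done, n - done);
        if (k <= 0) return -1;
        done += (size_t)k;
    }
    return 0;
}

/* Worker: drops root, then sends three requests, the last one hostile
 * (constructed here to stand in for data arriving from a remote client).
 * Returns the number of replies that differed from what was expected. */
static int worker(int sock) {
    if (drop_privileges("nobody") != 0) return 10;
    struct request reqs[3];
    memset(reqs, 0, sizeof reqs);
    reqs[0].type = REQ_PING;        strcpy(reqs[0].name, "hello");
    reqs[1].type = REQ_USER_EXISTS; strcpy(reqs[1].name, "nosuchuser-zz9");
    reqs[2].type = 99;              memset(reqs[2].name, 'A', NAME_MAX_LEN);
    uint32_t want[3] = {0, 1, 2};
    int bad = 0;
    for (int i = 0; i < 3; i++) {
        struct reply rep;
        if (write_all(sock, &reqs[i], sizeof reqs[i]) != 0) return 11;
        if (read_all(sock, &rep, sizeof rep) != 0) return 12;
        if (rep.status != want[i]) bad++;
    }
    return bad;
}

/* Monitor: answers requests until the worker hangs up; never sees raw network data. */
static void monitor(int sock) {
    struct request r; struct reply rep;
    while (read_all(sock, &r, sizeof r) == 0) {
        monitor_handle(&r, &rep);
        if (write_all(sock, &rep, sizeof rep) != 0) break;
    }
}

/* Returns 0 when every reply the worker got matched expectations. */
int run_privsep_demo(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(sv[0]); _exit(worker(sv[1])); }
    close(sv[1]);
    monitor(sv[0]);
    close(sv[0]);
    int st;
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void) {
    int rc = run_privsep_demo();
    printf("privsep demo: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

    The point to notice is where a memory-corruption bug would land: the worker parses whatever the client sends, but the only thing it can do with the result is fill in a 36-byte struct, and the monitor refuses anything outside its two message types and its name alphabet before touching the password database. The hostile third request is answered with a refusal rather than acted on.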
  43. I know it's offtopic but.... by Anonymous Coward · · Score: 0

    That shit was fucking funny!!!

  44. The debate itself is pointless by leereyno · · Score: 2, Insightful

    It seems to me that the entire GPL vs BSD debate is nothing more than a pastime for those with nothing better to do. Just think about it, a bunch of non programmers standing around bickering about licenses they'll never put anything out under anyway. Arm-chair quarterbacking for geeks.

    As for actual developers, well there too the debate, or at least an ongoing never-ending squabble, is essentially pointless. Each programmer or team of programmers is going to choose and use the license they like best for the reasons they consider important. They have EVERY right to make this choice as they are the ones doing the work. Whether anyone else likes it or not is completely irrelevant.

    Personally I like both licenses, but for different reasons. I see the GPL as a munition, a weapon. Putting high quality implementations of key tools and programs out under the GPL makes sure that the Microsofts of the world play nice by not being too greedy and/or abusing their customers. The downside to the GPL is that you're not going to obtain any financial gain from the products you release under it. There are rare exceptions such as RedHat, but then that company's product is a delivery system for GPL'd software more than the software itself. Ultimately the value of GPL'd software is strategic, not directly economic. The GPL is most suitable for fundamental technologies that NEED to be kept absolutely open to ensure that incompatibilities don't creep in due to proprietary implementations. The BSD license is good because the code can be included in commercial programs. Now some people might start foaming at the mouth at the mere mention of commercial software. Of course these same people are usually in high school, college, or 35 and still living in their parents' basement.

    Commercial software is what makes products that don't enjoy a wide following possible. Open Source is like socialism in a way. (Actually I don't think that my comparing Open Source to socialism was a very polite thing to do. Socialism is a system by which the abilities of one person are forcibly exploited to fulfill the needs of another. It and communism are but two points along the same continuum.) The base needs of the many are fulfilled, but what about the needs of the few? Does it make sense to try and organize a project to create an open source program to track oil deposits? How about an open source medical imaging system? There are some products for which there is a very small need in terms of how many people need the product. These same people are more often than not willing and able to pay good money to see that these products get created however. Also there is the question of expertise. Programmers are not experts on the best way to do everything possible with a computer. Imagine if someone tried to create an open source implementation of SPSS. Now what if I told you that such a project existed (PSPP) and that it hasn't gone ANYWHERE. The reason is that programmers are not statisticians. Their ability to verify the correctness of their own software's output is next to nil.

    At the end of the day both the GPL and BSD licenses have a useful function to perform. So does commercial software. Anyone who continuously argues about the role these three should play doesn't understand them in the first place.

    Lee

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
    1. Re:The debate itself is pointless by Anonymous Coward · · Score: 0
      The downside to the GPL is that you're not going to obtain any financial gain from the products you release under it.

      You can actually play games with the license, since you can release your code under multiple licenses. GPLed code is not immune to the ``embrace and extend'' that companies do, it just limits that to people who can purchase a different license from the copyright holder of the GPLed software.

      And so, you can make money from the software by selling an un-encumbered license to whichever companies that you want. In fact, it is easier to make money off GPLed software than BSD-licensed software as with a BSD license you have given people more rights to the software up front.

  45. Re: {Free|Net|Open}BSD goals. by cant_get_a_good_nick · · Score: 1

    Well, none of them ignore security, but OpenBSD is the most conscious. Quick and dirty comparo, a bit of a FAQ:

    FreeBSD: Balls out performance on Intel.
    OpenBSD: Most security conscious, most stared at source code.
    NetBSD: Most portable. If it's got 32 bits and a MMU, it's got NetBSD.

    There is some code sharing between these. I know the USB subsystem is shared among them (hell, it has CVS tags for NetBSD and FreeBSD) and probably some others. They talk amongst themselves too, and notify each other of problems.

  46. There is a better way to fix one of these problems by thogard · · Score: 4, Interesting

    You must be root to bind to any port <1024 as a form of "security" however this stupid rule has been the way in for most internet based security problems in the Unix world. Some systems (like Solaris) allow you to turn it off and that lets any process bind to any port but that has issues as well.

    The correct solution is you let a process bind to any port >1024 and any port where the port number is in its group list. This means you put the apache process owner in group 80 and 443 and then it can bind to its needed ports no matter who it runs as. With the Linux 2.0 kernel this required changing some of one line.

    As far as the other problem of becoming someone else, there are no clean solutions to that but I think it would make sense to allow any process id 10 to become someone else. You also need to allow for some id's to give away files. The problem with this is that it introduces magic numbers into the system which is bad.

    Based on this, you could set up the ssh user as uid 1 in group 22 and it could bind to port 22 and then become any other user (or maybe any userid > 100). Bind would be running as user 53 with group 53 and have no special privs. The Apache user id would be in group 80 & 443 and its version of suexec would be uid 2 so it could change ownership to any user > 100 to run their cgis.

  47. Suspicions... by Anonymous Coward · · Score: 0

    Just by using OpenSSH you automatically attract the attention of certain federal authorities who assume you're up to something that requires them to poke their nose into whatever you're doing via OpenSSH.

    1. Re:Suspicions... by Anonymous Coward · · Score: 0

      You poor paranoid sack of shit;

      To even attract those selfsame authorities, you would have to assume that "they" are interested in your pr0n habits or your mother's peanut butter cookie recipe, or your grade ten science project. You also have to assume that the CIA, NSA, CSIS, and any other black organization have nothing better to do than to sit around trying to crack your 1024 bit passwd algorithm [pleze excus the terrabil speling, I'm from Alberta].

      Which brings me to another pet peeve about many of the posters on /. and other forums: Just because you might know something about security, doesn't automagically make you an enemy of the state[s]. Comments like "Those of us in the know", "We who have important data to protect" and "Just by using OpenSSH you automatically attract the attention of certain federal authorities" don't make you sound like 'Jack Black, Secret Agent Man', rather they make you sound like prepubescent schoolboys who read too much Ludlum for your own good.

      Admit it. That computer you're using belongs to your mommy, right?

  48. Depends on what you want. by Kludge · · Score: 2, Insightful

    Many of us who transfer large amounts of data over the internet (TBytes worth) don't care about people decrypting our files. (To you my files would look like random numbers anyway.)

    We only really care about safeguarding the authentication process. In fact I would love to see a feature in scp where only the authentication is encrypted and all other data transfers are not.

    1. Re:Depends on what you want. by DavidTC · · Score: 1
      In fact I would love to see a feature in scp where only the authentication is encrypted and all other data transfers are not.

      Just set your encryption algorithm to none. Tada.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    2. Re:Depends on what you want. by Kludge · · Score: 1

      How does one do that? I tried

      $ scp -c none worksync home:/tmp
      No valid ciphers for protocol version 2 given, using defaults.
      sam@home's password:

    3. Re:Depends on what you want. by DavidTC · · Score: 1
      Well, now I'm baffled.

      I could have sworn ssh let you do non-encrypted connections, that I had in fact done a non-encrypted connection with it, but now I can't see it anywhere in the man pages.

      Just ignore me, I apparently don't know what I'm talking about.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  49. OpenSSH 3.3 by Martinofka · · Score: 1

    Jun 22 22:47:29 server sshd[711]: fatal: map(65536): Invalid argument

    I got this on 2 machines, running RH6.2 and Slackware 7.1 (kernel 2.2.21 on both). Other two machines - Debian 3.0 & RH7.2, kernel 2.4.18, do work perfectly. WTF? I cannot find anything instructing in the source.

    1. Re:OpenSSH 3.3 by armie · · Score: 1
      Privilege Separation requires mmap(MAP_ANON). This doesn't exist in Linux 2.2, but it is in Linux 2.4.

      For privilege separation to work on the 2.2 machines, you'll have to disable compression by putting "Compression no" into sshd_config.

      Alternatively, disable privilege separation by putting "UsePrivilegeSeparation no" into sshd_config.

    2. Re:OpenSSH 3.3 by Anonymous Coward · · Score: 0
      Okay, we know that Debian was named after some girl named Debby. Her boyfriend was named Ian
      and they combined their names to call the distribution ``Debian''. Ok so far. But riddle me this:
      • Where is Debby now?
      • Are Debby and Ian still together?
      • What does Debby look like (jpg, if possible).
      • Does Debby do Linux or is she really a Windows gal?
      • Where was Debby from originally (town, high school, etc)?
      I'd sort of like to start a Debby fan club for this unsung heroine of Free Software.

      Hey Debby, wherever you are -- we love ya, baby!

    3. Re:OpenSSH 3.3 by Anonymous Coward · · Score: 0

      Hey thanks for pointing that out. I've been looking for that some time.

      I'd say that people should rather drop the compression support than drop the privsep support, as it is better to have a slower connection to the machine than a faster connection to a hacked machine.

  50. Re:There is a better way to fix one of these probl by tigga · · Score: 2, Informative
    Well, it's something like Network ACLs..

    And it's done, for example in MicroBSD - http://www.microbsd.net

  51. IT'S NOT ALL THAT BAD. by Anonymous Coward · · Score: 0

    The 13 year old must be teh 31337 5|<r1p7 |<1dd13 to be successful.
    And 5|<r1p7 |<1dd135 can be kept off your computer by washing your ears twice a day.

  52. Garbage by batdragon · · Score: 2, Informative
    1. I'd rather have a 2n length key to encrypt an n length chunk, rather than an n-length key to encrypt a 2n length chunk.
      Helps spread the bits of "randomness" a little further. Why would you like it the other way around? Sounds insane.
    2. What information have you found that proves blowfish is insecure? Links or your own cryptanalysis are welcome.
    3. Anyone who wants some actual facts about blowfish should start here. I doubt if the AC who posted the parent will produce anything to refute the specs.
  53. What is that smell? by Anonymous Coward · · Score: -1, Troll
    Did something die?

    It smells like something is dead.

  54. How hackers turn switches into hubs by nsayer · · Score: 1
    Is there a tool that allows you to force the switch to forward ethernet frames so they can be sniffed without switch administrator access?

    Look at how a switch works. When you transmit a frame, it associates your MAC address with the port you're on. Next time a frame is sent to that MAC address, it sends it only to that port, because it knows that address is going to be found only on that port. If the switch does not know where a particular MAC address is to be found, it must send the frame to every port. Therein lies the weakness.

    Switches tend to have finite sized MAC tables. If you overload them, they throw away older data in a least-recently-used manner. So the way to turn a switch into a hub is to send a non-stop stream of frames with random Ethernet source addresses. Make them small frames so you don't chew up all of the bandwidth of the switch, and don't send them too frequently (unfortunately, how frequently is too frequently is dependent on how big the switches table is). Address them to a known non-existent MAC address and make them a known unused Ethernet protocol. You will flood the switch's table and it will be forced to broadcast all frames. QED.
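    The table-overflow attack the post above describes, simulated as an added example (not any switch's firmware or an existing flooding tool): a tiny CAM table with least-recently-used eviction, a victim and a server the switch has already learned, and an attacker port that sends frames from distinct made-up source MACs to a MAC nobody owns. The table size, port count and MAC values are invented so the effect is visible in a few frames; the learned-MACs-per-port counter at the end is the detection side, which is what a switch's per-port MAC limit ("port security") enforces.

```c
/* Simulation of a switch's MAC (CAM) table with LRU eviction, showing why a
 * stream of frames with fresh source MACs turns a switch into a hub.
 * Added illustration; CAM_SIZE, PORTS and the MAC values are made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAM_SIZE 64            /* real tables hold thousands of entries */
#define PORTS 4
#define FLOOD_ALL (-1)         /* "send out every port except the ingress one" */

struct cam_entry { int used; uint64_t mac; int port; uint64_t last_seen; };
struct sw {
    struct cam_entry tab[CAM_SIZE];
    uint64_t clock;            /* frame counter used as the LRU timestamp */
    unsigned learned[PORTS];   /* new MACs learned per port: detection signal */
};

void sw_init(struct sw *s) { memset(s, 0, sizeof *s); }

static struct cam_entry *cam_find(struct sw *s, uint64_t mac) {
    for (int i = 0; i < CAM_SIZE; i++)
        if (s->tab[i].used && s->tab[i].mac == mac) return &s->tab[i];
    return NULL;
}

/* Source learning: remember which port a MAC was seen on. When the table is
 * full, evict the least recently seen entry (the victim, once it goes quiet). */
void sw_learn(struct sw *s, uint64_t src_mac, int in_port) {
    s->clock++;
    struct cam_entry *e = cam_find(s, src_mac);
    if (e == NULL) {
        e = &s->tab[0];
        for (int i = 0; i < CAM_SIZE; i++) {
            if (!s->tab[i].used) { e = &s->tab[i]; break; }
            if (s->tab[i].last_seen < e->last_seen) e = &s->tab[i];
        }
        e->used = 1;
        e->mac = src_mac;
        s->learned[in_port]++;
    }
    e->port = in_port;
    e->last_seen = s->clock;
}

/* Destination lookup: known MAC -> its port, unknown MAC -> flood. */
int sw_forward(struct sw *s, uint64_t dst_mac) {
    struct cam_entry *e = cam_find(s, dst_mac);
    return e ? e->port : FLOOD_ALL;
}

/* One frame arriving on in_port: learn the source, then forward on the destination. */
int sw_frame(struct sw *s, uint64_t src, uint64_t dst, int in_port) {
    sw_learn(s, src, in_port);
    return sw_forward(s, dst);
}

/* Attacker on attacker_port sends n tiny frames, each from a distinct never-seen
 * source MAC (locally administered bit set, so they cannot collide with real
 * hosts), to a destination MAC nobody owns. Real tools randomize the MACs;
 * the switch does not care, only uniqueness matters. */
void attack_flood(struct sw *s, int attacker_port, unsigned n) {
    for (unsigned i = 0; i < n; i++) {
        uint64_t src = 0x020000000000ULL | ((i * 2654435761ULL) & 0xffffffULL);
        sw_frame(s, src, 0x0200deadbeefULL, attacker_port);
    }
}

/* Cheap detection heuristic: a port that keeps producing new MACs is flooding. */
int sw_port_suspicious(const struct sw *s, int port, unsigned threshold) {
    return s->learned[port] > threshold;
}

#define VICTIM 0x000000000001ULL   /* on port 0 */
#define SERVER 0x000000000002ULL   /* on port 1 */

/* Returns 1 if, after the flood, the server's reply to the victim is flooded to
 * every port (attacker's included); 0 if it still goes to port 0 only. */
int cam_flood_scenario(unsigned flood_frames) {
    struct sw s;
    sw_init(&s);
    sw_frame(&s, VICTIM, SERVER, 0);   /* victim talks to server: both learned */
    sw_frame(&s, SERVER, VICTIM, 1);
    attack_flood(&s, 2, flood_frames);
    int out = sw_frame(&s, SERVER, VICTIM, 1);   /* server replies; where does it go? */
    return out == FLOOD_ALL;
}

int main(void) {
    unsigned sizes[2] = { CAM_SIZE / 2, CAM_SIZE * 2 };
    for (int i = 0; i < 2; i++)
        printf("flood of %u frames: traffic to victim %s\n", sizes[i],
               cam_flood_scenario(sizes[i]) ? "flooded to all ports" : "still unicast");
    return 0;
}
```

    Two things the simulation makes concrete: the flood only works while the victim is quiet, because any frame the victim sends re-learns its entry, which is why the post says the stream must be non-stop; and the attacker's port stands out immediately by its learn rate, so a per-port MAC limit or a threshold on new-MAC events per port catches this without any deep inspection.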

  55. Re:There is a better way to fix one of these probl by DavidTC · · Score: 3, Informative
    The first solution would have made sense, except for the fact group ids are not that changeable on production systems. There probably already is a group number 80. But it's a nice start, someday you'll invent ACLs. However your second suggestion is the silliest thing I've ever heard.

    The problem is that ssh can change to any user it wants. That's the PROBLEM, that's the reason that bit was separated out and away from the network traffic bit. It's not a solution.

    Making it where the process id X (Where X is supposed to be sshd), can change to anyone else, is pretty much a negative solution to the problem, because now people can get root even after it's dropped privs. Not to mention now you cannot restart sshd if you need to, because it has to be pid X. And god help you when the kernel people come up with yet another 'fake' process that runs when the kernel starts, using no memory but taking up a pid.

    And there is functionally no difference between being able to change to any user except root and being able to change to root. If you can change to the sysadmin's non-root account you can get root trivially by trojaning 'su', or, if he's very paranoid, by trojaning his shell.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  56. short summary --- Re:What it does - Program, not P by RiC!N · · Score: 1

    Capability-based rather than owner-based permissions.

  57. Re: {Free|Net|Open}BSD goals. by chrisv · · Score: 1

    NetBSD: Most portable. If it's got 32 bits and a MMU, it's got NetBSD.

    That's not necessarily the case anymore.

    --

    Dogma: Dead (mostly because your Karma ran it over)

  58. Re:There is a better way to fix one of these probl by Anonymous Coward · · Score: 0

    And it's done, for example in MicroBSD - http://www.microbsd.net

    Actually it's done here: http://www.lucq.org/openbsd/patches.php (about halfway down the page), from where MicroBSD obtained the code...

  59. Re:There is a better way to fix one of these probl by funky+womble · · Score: 1

    Or you could bind to >1024, and redirect the packets from the lower port. (Not sure how to do this with Linux, but with ipfw on FBSD you can 'add ## fwd 127.1,8080 tcp from any to me 80').

  60. OpenSSH problems by Anonymous Coward · · Score: -1, Offtopic
    This really is very bad news for BSD. It may be the final blow. Consider that because they use Mach, MacOS will not benefit from SMPng in the BSD kernels. The embedded systems supplier (I will not name them cause I despise them) that bought BSDi has no interest in SMP or in servers really ... and a truckload of people who loved working with Walnut Creek and BSDi as contributors will not be working with the project any longer.

    Now that BSDi is dead ARE there any companies left that are dedicated to developing BSD as a kernel and OS as part of their core business activities anymore ?? No. Except Wasabi which is pretty small still only able to meet payroll by borrowing more money. Pretty heavy in debt.

    The reason it's delayed a year is because BSD development has had a serious accident and needs to be hospitalized to get itself back together. With BSDi defunct relying on Apple, Wasabi and a band of merry volunteer hackers to get SMP done means it AIN'T gonna happen.

    Hello Yahoo??!! Can Yahoo afford to hire a few SMPng hackers for a year??? Oh yeah I forgot Yahoo is broke too.

    At this point SMP is owned by Linux and Solaris and in a distant third Microsoft .

    On 4 way and 8 way machines BSD is simply not in the running at this stage and even on 2 way systems out of the box RedHat7.1 is a better choice for SMP. What's more threading work done by IBM is gonna improve Linux even more on this front - even Caldera (which bought SCO Unix a quite good SMP system up to 8 ways) admits that Linux will likely overtake the SCO kernel.

    BSD dying? Quite likely.

  61. Hard Times for *BSD by Anonymous Coward · · Score: -1, Troll
    So why now? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?

    The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.

  62. Security through obscurity by compudj · · Score: 0

    It seems that while the latest security hole found in OpenSSH is not fixed, the ISS and OpenBSD people try to keep the details of the problem to themselves.

    This method is maybe good for a short time, but I hope this will be fixed soon.