TCP/IP Sequence Number Analysis
johnwbyrd writes "Upon connection via TCP/IP to a host, the host generates an Initial Sequence Number (ISN). It's important to design ISN generation sequences so remote attackers can't predict an ISN (this is called a "blind spoofing" attack). Using phase space analysis you can check the quality of ISNs generated on various OSes. Windows 98's graph is quite pretty."
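As an added illustration of the phase-space construction the summary mentions (this is example code written for this page, not code from the paper or from BindView), here is a simplified reconstruction of the delayed-coordinate method: consecutive ISN differences are taken as coordinates, the resulting point cloud is the "attractor" in the paper's pictures, and the attacker's spoofing set for the next connection is built from attractor points whose known coordinates match the differences of the ISNs observed so far. The two ISN generators are constructed toys (a per-connection increment with jitter, and a fully random one), the tolerance and sample counts are assumptions, and the construction is generalized from the paper's 3-D case to any number of delayed coordinates (dim).

```python
"""Delayed-coordinate ("phase space") ISN analysis and a simplified
spoofing-set attack.  Added example; not the paper's own code."""
import random

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def sdiff(a, b):
    """Signed 32-bit wraparound difference a - b (handles ISN wrap)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def phase_points(isns, dim=3):
    """Map a list of observed ISNs to `dim`-dimensional points whose
    coordinates are consecutive first differences.  With dim=3 these are
    the (x, y, z) points plotted in the paper; the last coordinate is the
    most recent difference."""
    diffs = [sdiff(isns[i], isns[i - 1]) for i in range(1, len(isns))]
    return [tuple(diffs[i - dim + 1:i + 1]) for i in range(dim - 1, len(diffs))]


def spoofing_set(points, recent, tol):
    """Candidate ISNs for the next connection.  `recent` holds the last
    `dim` ISNs the attacker has seen; their dim-1 differences are matched
    (within `tol`) against the known coordinates of every attractor point,
    and the final coordinate of each match predicts the next difference."""
    known = tuple(sdiff(recent[i], recent[i - 1]) for i in range(1, len(recent)))
    zs = {p[-1] for p in points
          if all(abs(a - b) <= tol for a, b in zip(p[:-1], known))}
    return {(recent[-1] + z) % MOD for z in zs}


# Constructed toy generators (assumptions, not any real OS's algorithm).
def counter_isn(rng, n):
    """Predictable: ISN advances by 64000 per connection plus small jitter."""
    s, out = rng.getrandbits(32), []
    for _ in range(n):
        s = (s + 64000 + rng.randint(-100, 100)) % MOD
        out.append(s)
    return out


def random_isn(rng, n):
    """Unpredictable: every ISN is an independent random 32-bit value."""
    return [rng.getrandbits(32) for _ in range(n)]


def feasibility(gen, n_train=2000, n_test=500, dim=3, tol=300, seed=1):
    """Rough analogue of the paper's 'attack feasibility': fraction of test
    connections whose real ISN falls inside the attacker's spoofing set,
    plus the average size of that set (how many packets to send blind)."""
    rng = random.Random(seed)
    isns = gen(rng, n_train + n_test)
    points = phase_points(isns[:n_train], dim)
    hits = total = 0
    for i in range(n_train, n_train + n_test):
        guesses = spoofing_set(points, isns[i - dim:i], tol)
        total += len(guesses)
        hits += isns[i] in guesses
    return hits / n_test, total / n_test


if __name__ == "__main__":
    for name, gen in (("counter+jitter", counter_isn), ("random", random_isn)):
        rate, size = feasibility(gen)
        print(f"{name:15s} hit rate {rate:5.1%}  avg spoofing set {size:8.1f}")
```

The point of the comparison is that a generator with structure (here a per-connection increment) collapses onto a small region of the attractor, so a few hundred guesses cover the next ISN almost every time, while for a random generator the matching region is empty and the spoofing set contributes nothing.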
nothing.
http://216.239.39.100/search?q=cache:sJUlrsbgsJ4C:razor.bindview.com/publish/papers/tcpseq.html+&hl=en&ie=UTF-8&e=619
...at ~4 comments!
I think that's a new record low.
...
I can't get in and there's only like 6 comments! Can't believe this.
No worries. Google cache saves the day:
http://216.239.33.100/search?q=cache:sJUlrsbgsJ4C:razor.bindview.com/publish/papers/tcpseq.html+&hl=en&ie=UTF-8
There are links in the article. Just change the url in the google cache address accordingly and voila!
eTrade SUCKS
Click here. Of course, it won't have all the pretty pictures, but you'll get the idea.
Let's see. Mitnick used this what, 8 years ago now? That's how he got into that guy's login session that was pre-existing between the two machines, or something to that effect.
Plus, various folks were using this on big IRC networks after that, but still many years ago.
That "emmanuel-" in #2600 that says he gave the subscription list to the FBI and ran over Walter was a spoof. So was billg in #windows95. That's just the tip of the iceberg.
Everything old is new again.
Maybe because it's the OS family used by the vast majority of people, regardless of suckage?
"Oh no... he found the
that one appears to be already /.ted
you can get a copy in google's cache:
http://www.google.be/search?q=cache:sJUlrsbgsJ4C:razor.bindview.com/publish/papers/tcpseq.html+&hl=en&ie=UTF-8
Here is the correct Google cache:
http://216.239.51.100/search?q=cache:pIKhdPlNqPYC:razor.bindview.com/publish/papers/tcpseq/print.html
wasn't this already posted here like a year ago?
Slashdot is pretty fast. When was it published and hit BUGTRAQ, one year ago?
This is the main reason the Dept of Defense said Windows cannot be secured. It's a sad story. Maybe people will not be so open-minded about Windows anymore and realize they don't understand security, or if they do, they work for the hackers/crackers. At least by action.
Pictures are bettererer.
http://web.archive.org/web/20020124085843/http://razor.bindview.com/publish/papers/tcpseq.html
It's too farkin' slow. I wanna see the pretty pictures!
Keep in mind it's still remarkably hard to spoof with each successive packet, even if you can predict sequence numbers.
The first is easy, the second likey, the third less likely, and so on. Spoofing a long conversation would be very difficult, if not practically impossible.
I guess the pix don't work 'cuz they weren't cached. Oh well. I bet it looks nice regardless. What we need is a DL so we can see if there is any "Ghost in the Machine" in our comp when it gets analyzed.
I tried to think of a good sig, and this wasn't it.
Operating system: Windows NT4 SP3
Attack feasibility: 97.00%
Operating system: Windows 98 SE
Attack feasibility: 100.00%
Operating system: Windows 95
Attack feasibility: 100.00%
Fault loves the past, worry loves the future, but content enjoys the present.
This is terribly old news. Most people in a security role have been aware of sequence number prediction and attacks based on it for years, if not decades.
Now what does that tell us about the majority of people.. but you already knew that..
Ok, I've mirrored the HTML and most of the images (still downloading) HERE. Please only download this to mirror it! My bandwidth is limited!
I wonder how it came to be that you didn't publish the only meaningful indications of Microsoft's security? Oh, I know. It's because they are about 1/6th as bad as the outdated versions you impartially decided to cite.
http://web.archive.org/web/20010605064202/http://razor.bindview.com/publish/papers/tcpseq/funct.jpg
razor.bindview.com/publish/papers/tcpseq/mix.jpg
http://web.archive.org/web/20010605045958/http://razor.bindview.com/publish/papers/tcpseq/mix2.jpg
http://web.archive.org/web/20010605035655/http://razor.bindview.com/publish/papers/tcpseq/linux.jpg
razor.bindview.com/publish/papers/tcpseq/win2k.jpg
razor.bindview.com/publish/papers/tcpseq/winnt.jpg
razor.bindview.com/publish/papers/tcpseq/win95.jpg
razor.bindview.com/publish/papers/tcpseq/win98.jpg
razor.bindview.com/publish/papers/tcpseq/cisco2.jpg
razor.bindview.com/publish/papers/tcpseq/cisco.jpg
razor.bindview.com/publish/papers/tcpseq/aix.jpg
http://web.archive.org/web/20010605063344/http://razor.bindview.com/publish/papers/tcpseq/freebsd.jpg
razor.bindview.com/publish/papers/tcpseq/openbsd.jpg
razor.bindview.com/publish/papers/tcpseq/obsdnew.jpg
razor.bindview.com/publish/papers/tcpseq/hpux11.jpg
razor.bindview.com/publish/papers/tcpseq/sol7.jpg
http://web.archive.org/web/20010605062854/http://razor.bindview.com/publish/papers/tcpseq/sol8.jpg
http://web.archive.org/web/20010605055059/http://razor.bindview.com/publish/papers/tcpseq/sol2.jpg
http://web.archive.org/web/20010605060640/http://razor.bindview.com/publish/papers/tcpseq/sol2ip.jpg
razor.bindview.com/publish/papers/tcpseq/bsdi.jpg
http://web.archive.org/web/20010605070105/http://razor.bindview.com/publish/papers/tcpseq/irix.jpg
http://web.archive.org/web/20010605042650/http://razor.bindview.com/publish/papers/tcpseq/macos1.jpg
razor.bindview.com/publish/papers/tcpseq/macos.jpg
razor.bindview.com/publish/papers/tcpseq/dnslibc.jpg
razor.bindview.com/publish/papers/tcpseq/dnswin.jpg
razor.bindview.com/publish/papers/tcpseq/dnssol.jpg
razor.bindview.com/publish/papers/tcpseq/comp.jpg
http://web.archive.org/web/20010605053816/http://razor.bindview.com/publish/papers/tcpseq/random.jpg
razor.bindview.com/publish/papers/tcpseq/data.jpg
http://web.archive.org/web/20010605044549/http://razor.bindview.com/publish/papers/tcpseq/mix.jpg
http://web.archive.org/web/20010824145421/http://razor.bindview.com/publish/papers/tcpseq/linc.jpg
http://web.archive.org/web/20010605064500/http://razor.bindview.com/publish/papers/tcpseq/ttime.jpg
http://web.archive.org/web/20010605044549/http:/
http://web.archive.org/web/20010605064823/http:/
http://web.archive.org/web/20010605040907/http:/
http://web.archive.org/web/20010605070134/http:/
http://web.archive.org/web/20010824220456/http:/
http://web.archive.org/web/20010605051434/http:/
http://web.archive.org/web/20010828165152/http:
http://web.archive.org/web/20010604211355/http:/
http://web.archive.org/web/20010605052241/http
http://web.archive.org/web/20010605050747/http
http://web.archive.org/web/20010605064736/http
http://web.archive.org/web/20010605061712/http:
http://web.archive.org/web/20010605044904/http:
http://web.archive.org/web/20010605041254/http:
http://web.archive.org/web/20010605054335/http:/
http://web.archive.org/web/20010605061755/http
http://web.archive.org/web/20010605060741/http:
http://web.archive.org/web/20010605051819/http:
http://web.archive.org/web/20010605053140/http:
Remove the spaces, copy-and-paste. We don't want to take the Internet Archive down, as well.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
Yeah.
The only use of this attack is to get around IP filters, or to hide the origin of a communication.
And you can't receive data.
So the attack is feasible.. but not that useful.
yah because none of us know how easy it is to hack a windows box.
Thanks for pointing out something NONE of us realized already.
"For those wondering how insecure Microsoft is," please thank the troll above.
This is the first section:
Table of Contents:
0. Abstract
1. Introduction
1.1 TCP Sequence generation and PRNGs
1.2 Spoofing Sets
2. Phase Space Analysis, Attractors and ISN Guessing
2.1 Introduction to Phase Space Analysis
2.2 Using Attractors for Spoofing Set Construction
2.3 Real-Life Attack Algorithms
3. Review of Operating Systems
3.1 Linux
3.2 Windows
3.3 Cisco IOS
3.4 AIX
3.5 FreeBSD and NetBSD
3.6 OpenBSD
3.7 HP/UX
3.8 Solaris
3.9 BSDI
3.10 IRIX
3.11 MacOS
3.12 Multiple Network Devices
3.13 Other PRNG issues
4. Risk Analysis
5. Conclusions
6. References
7. Credits
Appendix A: Phase Space Images of Known Generating Functions
Hopefully now only people who want to read it will click on the link!
Video Game cheats, hints a
it is not the only use. read carefully.
Which would provide somewhat random ISNs. What we are seeing here is the fact that computers today are faster than they were twenty years ago, and thus better random (or pseudo-random) ISN generators are needed. Still, it's nice to see vendors getting called out on bad implementations.
"In my values, freedom is more important than 'serving users' in a mere practical sense." -- RMS
it was here.
:wq
--I'm interested in this, although this sort of tech is not my forte, I just had such SUPER good fortune with mac classic over the years as regards "security" in general. As in "never got hacked or any virus never ever in many years on the net with a default install" of mac classic.
caveat, ONE time I got a virus that was easy to get rid of. It was my fault, I stuck in a floppy with some small progs on it that someone gave me. prog included some virus. duh, my bad for l7m3n355 But that's IT. years and years.
E.g. I have an OpenBSD firewall behind NAT and I'm using "modulate state" on TCP packets. One would then assume that the sequence numbers would be rewritten by the NAT gateway. Comments?
Cisco Sequence Numbers Bug.(600 Series)
This could then make the random sequence numbers moot.
And also, I happened to notice how you specifically failed to mention the reasonable improvements made in recent versions of Windows - specifically how it's around ~10% attack feasibility compared to 100% with older versions.
well, to be honest, it's not the most up-to-date thing in the world. the freebsd tested was 4.2. and there have been significant improvements in tcp sequencing since then (being as we're at 4.6 now) and there is even a kernel compilation flag for random sequences.
so it's probably a year out of date, don't feel so singled out
dave
This report was published over a year ago, examining vulnerabilities that have been well-understood for >6 years. How is this news?
It might be useful if it was up to date, however as it stands most of the OSes listed there have had non-trivial revisions and new releases since then: WinXP isn't mentioned; Linux testing is limited to some version of 2.2, with no mention of 2.4; it refers to OpenBSD 2.9 coming out "soon" (3.1 is now available); OS X has had many major improvements since its first release; etc.
I'll be the first to admit that some of that article was a little beyond me at this time. However, for anyone running a server, it would seem that OpenBSD still is the best choice for anything on the 'net. OpenBSD had the best TCP/IP random number generation (recently re-written). It has also been developed with security in mind. After about 4 years of linux experience it took me an hour to get an openbsd machine running, natting, and pf'ing. It was really that simple - as long as you have the experience. Want httpd installed? "make install" in the ports directory.
What really surprised me in this article is that some of the commercial unices were so poor in their implementation. Solaris was only secured after tweaking; Mac OS X, while not 100% attackable, still wasn't much better. Same for IRIX and AIX. I didn't notice version numbers however, does anyone know if the state has changed for newer versions of IRIX? It was also disappointing that the 2.2 series kernel was used - have things changed in 2.4? If not, is there work being done in 2.5/6?
And if anyone has ANY insight as to why Windows 98 is much worse than Windows 95 I'd love to hear it.
S.t.e.v.e.
All the pictures are included in this pdf mirror: http://www.mirrors.wiretapped.net/security/info/papers/networking/strange-attractors-and-tcpip-sequence-number-analysis.pdf [1MB].
It doesn't display correctly with my version of KDE's PS/PDF Viewer, but good old ghostview works great.
HIV Crosses Species Barrier... into Muppets
He didn't say insecure, but just that win98 makes a pretty graph...
And it does, really! (Although I think Cisco IOS 12.0 makes an even prettier one).
Relax Bill, we're not out to get you....
Mirror: http://ralph.cx/tcpseq/
I'm missing 3 images... for now...
Cybie! aka Ralph Bonnell
The author should be hit with a stick.
Hard.
Several times.
There is a standard definition for an attractor in mathematics.
If the author wants to use mathematics, then he should use the well-agreed mathematical definitions and not vague pseudo-mathematical babble.
And yes, I am a mathematician.
What they basically do is guess the (internal) dimension of the system and try to get a non-trivial attracting set out of it. It's a rather trivial fact that if you get both things right, you can attack the PRNG. However, a decent PRNG won't have any non-trivial attractors.
Owner of a Mensa membership card.
The article is not trying to report the idea of predicting the ISN as a new vulnerability.
The goal of the article is to compare how vulnerable various current operating systems are to this type of spoofed ISN attack. It discusses phase space analysis as a worthy means of doing this, and then the article presents handy feasibility charts and pretty pictures.
So please, let's have no more posts discussing how this attack is really old, man. I think most people here know this already.
1. Sensationalism
"OMG Someone can guess the ISN number, We are all on our way to destruction"
2. Geekiness
"Wtf is an ISN number"
3. M$ Bashing (Note the $ $ign, it means I disapprove of Microsoft's Money Grubbing Ways (TM) [OMG another funny!!])
... at http://www.mirrors.wiretapped.net/security/info/papers/networking/strange-attractors-and-tcpip-sequence-number-analysis.pdf
hardcode
--
It's 106 light-years to Chicago, we've got a full chamber of anti-matter,
a half a pack of cigarettes, it's dark, and we're wearing visors. Engage.
- Paul Tomblin in asr
You mean, like this improvement?
Seriously, the post was entitled "for those wondering how insecure Microsoft is", not "for those wondering how Microsoft stacks up against other systems" which, as you point out, would indicate that consumer OSes are pathetic, while 'professional' OSes like NT and 2000 are making modest improvements, and that while the *BSDs are pretty good, and GNU/Linux quite good, there are plenty of older UNIX implementations that were quite poor, and even pathetic, as well, not to mention CISCO, which makes up much of the internet backbone.
But, since Microsoft is conducting a wholesale attack on our very freedom of choice through its Palladium and DRM efforts, pointing out additional, purely technical reasons for moving away from Microsoft to *BSD and GNU/Linux alternatives and thereby protecting your security as well as your freedom isn't such an ignoble thing to be doing at all.
The Future of Human Evolution: Autonomy
Other systems failed, including FreeBSD which is rated "medium to high risk". OpenBSD fared very poorly also, as did BSDI, both exhibiting highly predictable behaviour.
Solaris, HPUX, AIX, Mac OSX well -- they failed to measure up, with HPUX particularly shameful.
Windows? What is there to say -- it ran with the losers.
Mac OS 9 is a Unix?
Those bastards didn't tell us!!@!
What the heck are you talking about. The numbers don't lie. You obviously do. Read the story again. OpenBSD stumbled badly in this test.
The point is though that this is a larger issue than a single issue: major operating systems, as well as "consumer" versions (aka Windows) are not doing well in this regard. Furthermore, all kinds of embedded "smart" devices use NO randomness at all.
Just trolling and pointing out that outdated unsupported versions of Windows have extremely insecure ISN generation is a waste of time.
The thing I don't understand is... why do people continue to compare nowadays linux (or IRIX, Solaris, *BSD) etc... to things like Win98, which is _over 4 years_ old by now... Shouldn't we compare to things like XP (which is the replacement Windows for both the DOS^H^H^HWin9x/ME line and NT/2k) instead?
Just my 2 eurocents
And also, I happened to notice how you specifically failed to mention the reasonable improvements made in recent versions of Windows - specifically how it's around ~10% attack feasibility compared to 100% with older versions.
So you're saying when they ganked the FreeBSD network stack w/o even a tip of the hat, they improved their non-existent security?
Wow, who'da thunk.
I live in a giant bucket.
Actually this is a case of "You Get What You Don't Pay For" -
HPUX, Windows and AIX are all expensive and suck.
Linux, OpenBSD, FreeBSD are all free and work wonderfully.
So in this case, your level of protection is determined by your intelligence and not by the amount of money you spend.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
what a lame job of baiting... better, right?
are there 100s of thousands of old windows boxes
with lame tcp/ip or are people running hpux on
their dsl and cable modem boxes now?
Is it just me, or do these pictures look just like the X-ray diffraction of a crystal? I suppose it goes to show the symmetry in the universe.
The dogcow says "Moof!"
I wonder how it came to be that you didn't publish the only meaningful indications of Microsoft's security? Oh, I know. It's because they are about 1/6th as bad as the outdated versions you impartially decided to cite.
That may be, but probably isn't, true.
If you read the article carefully you'll notice that the versions of *BSD and the Linux kernel (2.2.x) are also outdated. This isn't some nefarious plot to diss Microsoft (hell, that isn't all that hard to do with cold, hard, factual data in the first place, so there is no need for anyone to cook the data, least of all this study), it is a result of the fact that research and study take time.
I'm sure if the author had looked at Linux 2.4.x and current versions of the BSDs the results would have been significantly better (Mac OS X as well, being a BSD derivative).
As for whether or not the various Windows versions would have been better, that is an assumption we really cannot make. Not for any prejudicial reasons, but because historically they generally haven't always improved, and indeed on at least one occasion (95->98) got considerably worse. We can hope that the security of Windows 2k has improved since then, but there is no real historical precedent to support that hope, in contrast with most other competitors' products including the BSDs and Linux products cited here.
The comparison was fair: it was a snapshot of the state of the art taken a couple of years ago, then studied and analyzed in detail over those past two years. This is how every study that bases itself on factual research works, as opposed to corporate marketing drivel purchased to look like research, as has come from the Microsoft camp on numerous occasions in the last couple of years, and has in every case been thoroughly, and utterly obliterated in public rebuttal.
The Future of Human Evolution: Autonomy
Why not start looking for a better job instead of bitching and whining on slashdot all day.
Try finding, especially in this depressed economy, an IT job that does not require you to use Microsoft software at least sometimes. I would estimate that this describes less than one tenth of one percent of jobs. It is virtually impossible to avoid. Switching jobs is not a solution to this problem.
Predictable ISNs are only a problem against a machine which has been configured to allow another machine privileges based solely on that second machine's IP address. Then predictable ISNs allow a third machine to 'spoof' its address, claiming to be the second machine by using its IP address, even though the third machine can't see the responses from the first machine, because the third machine doesn't have the IP address it's claiming.
If you don't configure this 'trust' relationship based on IP address alone, this is not an issue.
Example: SSH allows one machine to trust another, but requires that the trusted machine be at the right IP address AND possess the correct private key or keys - so no issue.
Any one who, in this time, configures a machine to trust another, based solely on the IP address in the frames received, is crazy. It's a very unwise practice.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
The thing I don't understand is... why do people continue to compare nowadays linux (or IRIX, Solaris, *BSD) etc... to things like Win98, which is _over 4 years_ old by now
The data that was studied for the last two or three years was collected prior to the study commencing, i.e. at least two or three years ago. If you'd bothered to read the paper, you would have noticed that the versions of *BSD and Linux being compared are equally as old (kernel 2.2.x of Linux, for example).
When you conduct a scientific study (not to be confused with the marketing drivel often sold as science and frequently purchased by the likes of Microsoft, and just as frequently disgraced and utterly rebutted a few days later by the scientific community) you collect the data, then you analyze the data and draw conclusions from that data. All of that takes time, so any rigorous study conducted is going to be working with data collected at some time in the past.
[opinion]
I'm sure a study will come out showing the appalling weaknesses of Windows XP, but such a study will likely be reviled by Microsoft enthusiasts because, by the time the rigorous work is done, there will be some newer, even more invasive and buggy release of Windows out. That will not, however, make the study any less valid or accurate, any more than it would the study conducted here.
[/opinion]
The Future of Human Evolution: Autonomy
The results are given in the article, and they are ~1/6th as vulnerable. The original poster strangely seemed to read straight past those results though...
(Although its worth reposting of course, see your reason #3)
Predictable ISNs are only a problem against a machine which has been configured to allow another machine privileges based solely on that second's machine IP address.
Are you willing to bet that this is the *only* kind of attack possible using sequence number prediction? Someone with a sick imagination may find other novel and destructive uses for it.
In fact, I can already think of some...
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
--if 1% of script kiddies (and older hackers) who are the grief and cause behind these attacks got the shit beat out of them and chucked in jail for ten years, 99% of the honest users of the internet would be at least 50% happy that this occurred. This geek community here is blaming the door on someone's home for the cause of breaking and entering. Look at the partisan bickering here --"it's all microsoft's fault, no it's apple's fault, no it's blah blah blah's fault". BZZT wrong answer.
All that is needed mostly is to take the less than .00001% jerks out there and chuck them in jail, treat them like the felons they are.
NOPE, it's the assholes who start the attacks' fault! The rape victim is NOT responsible! The car the rape victim rides in is NOT responsible! Where the rape victim walks is NOT responsible! The RAPIST is responsible for the crime!
My home is MINE, don't come in unless invited, EVEN IF THE DOORS AND WINDOWS ARE WIDE OPEN. It doesn't matter what BRAND of door I use, either, that's my choice, my HOME is still off-limits unless invited in. That's the law and the only thing every society on the planet has come up with that works, ie, "respect" for others' property, even if it's "exposed".
The other 50% might not even know about it, but they could compute in peace, use their computers instead of having to fixate on security so much that the practical usages they were designed for are number 17 on the list.
Yes, I pulled these figures out of my hole, but still, it's vague enough but right-on enough to be more or less accurate.
I DO know that I'm dropping a dime to the feds if I hear of any hackers boasting about their black hat ability.
That might be after they physically "attack" me forcing me to use "self defense". The cops can deal with the beat-to-snot carcass then.
It's the geek community as a whole to blame, because these hackers are KNOWN to other people in the majority of the cases, who DON'T CARE, who think it's cool, or who secretly use it as an excuse to perpetuate their "security/sys admin" JOBS. There just aren't that many highly secret guys out there compared to the volume of "sport hackers" and these "security analysts" who are just trying to justify their black hat exploits by posing as white hats or greyhats, EYE EMMM OO. Dr. Jekyll/Mr. Hyde behavior is KNOWN to the community, but no one here wants to admit it out loud!
Until malicious hacking is treated as a crime exactly like home break-ins, it won't get any better. Same with spammers, by the way.
Wouldn't shed ONE tear over either a pasty-faced acne-scarred kid getting put in the hospital over hacking, nor some pasty-faced fat old geek, if they are black hat cracking and hacking. Screw 'em! Application of the louisville slugger magic wand of justice, relocation of all the digits on both hands, and the insertion of various pieces of 1337 hardware where the sun don't shine just MIGHT get their attention that what they are doing is just plain WRONG and it's a waste of valuable community time and money and effort to keep this "security" deal as such an expense as it has become. If there was a rash of break-ins in some neighborhood, what is better, catch the perps or make everyone buy titanium front doors and cement block over their windows? Me as joe computer user keep getting told I need the titanium door and cement blocks, that even if I apply those patches that YET AGAIN next week I'll have to add to it, but I AIN'T seeing any hackers busted, very, very, very few of them. GEE, WONDER WHY THIS IS? They *really* can't be found? Huh? I'm supposed to believe this? Phooie, a LOT of them could be found, just on this forum I bet there's hundreds of them, and I'd bet a nickel most geeks have someone in their circle of friends who IS a blackhat, at least part-time.
Foreign hackers? No problem, start major internet blocking of their dns names and then their numeric domains and finally all their IP traffic in general until they police themselves. If that means entire countries like korea or china or israel or syria, so be it, CUT the cables. when the fatcat businessmen in those countries realise that business is shut down until they stop their own citizens' black hat behavior, it will stop almost entirely.
"OpenBSD had the best TCP/IP random number generation (recently re-written)."
Didn't you question anything when they said 2.2.1x, or OpenBSD 2.8 was "recent"? No? OpenBSD 3.1 is the most recently released one. They've had this for quite a few releases now (didn't you also notice that OpenSSH's default root problem affected OpenBSD 2.9-3.1?). They also had *no* data for Linux 2.4, or Windows XP.
Don't believe me? Scroll down to the bottom of the page where it mentions it was last updated in April 2001.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
why do people continue to compare nowadays linux (or IRIX, Solaris, *BSD) etc... to things like Win98, which is _over 4 years_ old by now
Maybe because lots of people are still using Win98 - for economic reasons, because of a need to support old software needed to access critical data, or because considering microsoft's track record so far we tend to assume that in a few years it will be discovered that XP has even worse holes... Or people just don't like WPA, and assume that it's a future revenue enhancement tool - in a few years when MS has a replacement for XP on the market, their site for XP WPA might suddenly have all sorts of problems until people start giving up and buying a new OS when their systems crash and have to be reloaded.
I agree, comparing Win98 to server OS's like BSD isn't fair - there should be two separate comparisons, desktop to desktop and server to server. I gather that in server software, Win2K isn't bad in comparison to other commercial server products, but the OSS products (Linux and BSD) are far better. So Microsoft's bellyaching about OSS being insecure is proven wrong. (And if Linux has improved that much in the last 4 years, it's another indication that when security becomes important, open source can improve much faster than closed.)
As for comparing desktop to desktop, it's hard to arrange a comparison that everyone would agree is fair. First off, you don't exactly have competing desktop OS's - you have MS which writes desktop OS's and tries to upgrade them to run servers later, and you've got everything else (since Mac OS 9), which are *nix server OS's downgraded to run a desktop. It's something for MS to whine about when they lose. Anyhow, MS's latest desktop (XP Home) might have acquired a good sequence randomizer to plug this one hole, but the default installation apparently opens up a lot of others. I wonder how many other utterly brain-dead decisions like allowing Plug-n-Play to work across the network are not yet revealed...
Encryption as in e-mail, ftp, DNS and many other sensitive things we just always encrypt to be sure. yes.
And making the graphs, arguing over them, discussing them with peers, checking through again, proofreading, journal submission, proofreading, journal resubmission, proofreading. galley proofs. Non-zero time. And there's always at least 5 typos, 5 errors, 5 homonyms, and someone's name spelled incorrectly. Always.
I think the folks at Slashdot grin when a site is crushed to death with hits as soon as they get linked by Slashdot.
... other than pure laziness.
For one thing, it's sort of fun to guess which sites can handle the bandwidth and which cannot. Correcting spelling and grammar, apparently, gets very boring for Taco et al, and betting on who can handle the Slashdot effect provides some relief.
Not to mention, being the news website to have so much traffic that this effect is named after them is comforting to the ego. Why adapt the site to fix this and lose this?
Finally, the Karma system solves the Slashdot effect adequately. Users have a chance to race to post the Google cache and receive 3 to 5 mod points. Those who don't get the post in first can go on to mirror the site on their own server for some Karma.
Caching sites in a way that worked technically and legally is obviously possible and they could have done it long ago. The above reasons are the only possible explanations for why they haven't done it
The advertisement in your signature points to www.coronahost.com, which claims to be running Microsoft IIS. So I am sure you will agree that while the theoretical discussion is interesting, in the real world there are forces that you simply can not control. The only thing that can be done is to helplessly complain.
Who cares how old it is. It's being patched constantly. It's not like the sequence # generator can't be updated 4 years after original release.
You're talking to a guy who brags about being in mensa.
Its kind of like the special olympics, but the mensa people think they're smarter somehow because they passed an IQ test with high grades.
Its more than funny, but I'll let braniac there figuire it out.
nmap will tell you what the OS is, and give you a rough idea of how hard it would be to use the target's ISN against it.
Uptime 0.811 days (since Sat Jun 29 22:04:58 2002)
TCP Sequence Prediction: Class=random positive increments
Difficulty=2918407 (Good luck!)
IPID Sequence Generation: All zeros
There is very little future in being right when your boss is wrong.
Before everyone goes off about security.
TCP was not designed to be secure. It was designed to ensure data is put back in the proper order at the remote end, and to be able to adjust its transmission to deal with congestion.
Yes, there is a security issue.... but any security breach through ip spoofing is really a fault of the higher layer application/protocol and NOT of the ability for a tcp session to be spoofed.
The paper talks about an n-dimensional space, but only looks at the 3-dimensional case. It is totally possible that the picture looks different at other dimensions (even at two), and spoofing works better when you use that as a basis. Which of course doesn't make the others more secure should they have better results at other dimensions - the worst case is still the worst case.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
If you're interested in random ISNs, I'd suggest you try the grsecurity patch from grsecurity.
It has loads of other interesting functions and the random ISN generator seems to work fine. Here's an nmap scan result:
TCP Sequence Prediction: Class=random positive increments
Difficulty=4184073 (Good luck!)
TCP ISN Seq. Numbers: BA77562B B9B190FD BA8C8609 BA3DFEB2 BA92DBDB B9BA515C
IPID Sequence Generation: Randomized
Actually, the whole thing is more than a year old! It was primarily published on private page by the researcher. Now that he works for BindView, they "reprinted" it as a company. Nothing new to see here, move along.
The moon is not fully subjugated. I demand a second assault wave preceded by a massive nuclear bombardment.
Care to fill us in?
I'm not usually a paranoid "MS wants to rule the world type" but this is a little too convenient a coincidence to ignore.
That is the most interesting thing i have seen on Slashdot for a long time.
I gots ta ding a ding dang my dang a long ling long
See http://www.cert.org/advisories/CA-2001-09.html. Also http://www.kb.cert.org/vuls/id/498440. It has some good background about why this was news at the time. For example, assertions in this thread that ISN prediction doesn't matter if you don't use address-based authentication are just plain wrong, and the advisory tells you why.
michael sims quotes a troll... what is the world coming to
I don't explain things for simpletons.
Interesting that such a simple analysis in a TCP/IP seemingly random time series could give insight of a 1-dimensional phenomenon into a reconstructed n-dimensional geometrical body. Something that a geometric solution of a non-linear Partial Differential Equation is difficult to achieve. Maybe this other-way-around analysis, as Stephen Wolfram remarks, could give insight into other i-D manifestations of nature with TCP/IP encryption likelihood (i.e. seismic, encephalographic, stock markets...) where prediction or quality of encryption could be used as a means for identifying determinism out of a seemingly random signal. Could be the tool instead of the goal.
cheers
This sort of thing has been around for years. Someone (I forget who...just had a long drive...sorry) wrote a security book about seven or eight years ago and described this. Turns out by predicting the sequence numbers you can hijack a Telnet connection (or any other sort of connection). Pretty wild stuff.
In Knuth's The Art of Computer Programming, he discusses the "spectral test" at length. It is a way of testing random number generators for patterns, using 2, 3, 4 or more dimensions. He shows a couple of pictures similar in spirit to the ones in the paper we are discussing.
From Knuth, Volume 2, section 3.3.4, 3rd. ed.: "Not only do all good generators pass this test, all generators now known to be bad actually fail it. This it is by far the most powerful test known, and it deserves particular attention."
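As an added illustration of the delayed-coordinate phase-space reconstruction behind the paper's plots, which the comments on n-dimensional views and on Knuth's spectral test touch on (example code, not from the BindView paper or anyone in this thread): the three ISN generators, their 64000/128000 steps and the bounding-box "search space" metric are constructed stand-ins, not measurements of any real OS.

```python
import random

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_phase_points(isns):
    """Delayed-coordinate reconstruction: each ISN s[n] becomes the point
    (s[n]-s[n-1], s[n-1]-s[n-2], s[n-2]-s[n-3]) mod 2^32, the 3-D case of
    the phase-space plots discussed in the thread. Constrained increments
    collapse into a small cloud or a line; good randomness fills the cube."""
    delta = lambda a, b: (a - b) % MOD
    return [(delta(isns[n], isns[n - 1]),
             delta(isns[n - 1], isns[n - 2]),
             delta(isns[n - 2], isns[n - 3]))
            for n in range(3, len(isns))]


def search_space(isns):
    """Crude guessing-effort estimate in the spirit of nmap's 'Difficulty':
    the volume of the bounding box around the phase-space points.
    1 means the next ISN is fully determined by the previous three."""
    pts = isn_phase_points(isns)
    if not pts:
        return 0
    size = 1
    for axis in range(3):
        coords = [p[axis] for p in pts]
        size *= max(coords) - min(coords) + 1
    return size


# Constructed generators standing in for the kinds of behaviour the
# paper's plots show; none of them reproduces a specific real OS.
def constant_increment_isns(n, step=64000, start=0x1000):
    """Fixed per-connection increment: the classic weak scheme."""
    return [(start + i * step) % MOD for i in range(n)]


def jittered_increment_isns(n, seed, step=128000, jitter=16, start=0x1000):
    """Increment plus a few bits of noise: individual ISNs look random,
    but the differences all stay inside a 16x16x16 box."""
    rng, isns, cur = random.Random(seed), [], start
    for _ in range(n):
        isns.append(cur)
        cur = (cur + step + rng.randrange(jitter)) % MOD
    return isns


def random_isns(n, seed):
    """Full 32-bit draws: the behaviour a strong ISN generator should approach."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]
```

Feeding a captured ISN list from a real host into `search_space` gives a rough order-of-magnitude feel for the same property nmap reports, which is the defensive question here: how much of a guess a remote party would need.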
I just read the article you linked to.
It really does scare me, doubly so because I live in a small country (NZ) that is paying huge sums to this foreign vendor that is a convicted monopolist. That money should be going to the local economy. I hope NZ will be able to buy non-palladium-crippled hardware to run alternative OSen.
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
While ISN spoofing can be a problem, it really isn't in 99% of the machines in use today.
ISN spoofing requires that the target machine runs .rhost or other IP based authentication. Without this, this attack cannot be utilized. Also you need to be able to muzzle the spoofed machine during the attack, much easier a few years ago than today as things like SYN floods are much less effective.
In the old days this type of authentication was commonly used, but not much anymore. And the argument about windoz boxes being insecure as ISN spoofing, really doesn't mean a thing since they're not going to be running IP based authentication.
It is a fun problem to talk about, but there are much better ways to solve it than tossing compute cycles on strong hashes ala RFC1948.
mycal
Connection hijacking.
Even sshv1 isn't safe, though sshv2 is.
If you look at the date on the web page, it's April 2001. Linux 2.2.x was just fine back then :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
THANK GOD you showed up. THE defender of TRUTH has arrived everyone. Pack up your FUD guns and go home.
Wow. The DEFENDER of TRUTH is back. Setting all the wrongs in the world right.
I feel better already.
CERT® Advisory CA-2001-09 Statistical Weaknesses in TCP/IP Initial Sequence Numbers
Many of the graphs are pretty, which is a bonus for stoners, midnight-espresso-drip-feeders, and non-TCP-gurus. Without specifically mentioning Win98's graph, the site probably wouldn't have been /.ed...
Yeah.. but again, you can't see the response. Same boat as spoofing the connection in the first place.
Yes, there are situations where you can do something nasty with it.. but they are rather specific ones, and rely on using insecure protocols anyway.
TCP was not designed to be secure. It was designed to get packets reassembled in order, and to be able to dynamically change its transmission properties to deal with congestion.