Slashback: Disclosure, Maricopa, Telecoms

Slashback tonight with another round of updates and errata regarding recent Slashdot stories. Read on for more on domain slamming, the process behind fixing and revealing the recent OpenSSH vulnerability, early photography, and a special note for residents of Maricopa County, Arizona.

Quick work by smart people. ciaweb writes "The OpenSSH group has revised its security advisory about the recent OpenSSH vulnerabilities. In it, they describe their decision-making process for releasing the bug information. It is interesting to contrast their procedure, which appears designed to maximize user protection, against Microsoft's, which appears to maximize Microsoft's protection."

Pardon me, sir, would you mind if I SLAMMED THIS HAMMER ON YOUR FINGERS?! D0wnsp0ut writes "I thumbed through my mail today and found what appeared to be a renewal notice for my domain. This one came from "Domain Registry of America." Verisign attempted something similar back in March and Bulkregister.com fought back and won an injunction, against the mailings. So watch out if your domain is getting close to expiring. I talked to my registrar (Register.com) and they're aware of it.
I'll scan the letter but have no place to post the pictures. Can anyone lend some bandwidth?"

Half the world has never eaten a Krispy Kreme donut, either. cshirky writes "I've just written an essay on the phrase ' Half the world has never made a phone call'. It's more 'voice telephony-y' than the usual telecom stories here, but after seeing the interest in media and the market that surfaced during my /. interview, I thought it might be of some interest."

Please stop sending my money to Redmond, OK? TrumpetPower! writes "All that brouhaha over Maricopa County's policy prohibiting companies or persons convicted of antitrust violations has had an effect. I just received the following note announcing a public forum scheduled for this coming Monday.

You recently inquired about the County's use of Microsoft products and the manner in which we license their software. We appreciate your interest in the County's technology plans. To provide a forum in which to discuss our technology direction and address any questions you may have, we will have Information Technology staff members available to meet with citizens at 8:30 am on Monday July 8th. The meeting location will be the County Administration Building at 301 W. Jefferson in Suite 420. Please RSVP your attendance so we can ensure that adequate facilities are available for the meeting.

Thank you for your inquiry,
Paul Allsing
Deputy CIO
Maricopa County
301 W Jefferson, Suite 420
Phoenix, AZ 85003"

Ah, but what about the first annoying family photographer? 7h3_B055 writes: "Contrary to this article on Slashdot claiming the first photograph was created in 1826, much evidence is pointing to the fact that the Shroud of Turin may have been an earlier example (substantially earlier) of photography using ingredients as basic as egg-white for treating cloth (the photopaper) and urine for developing it. The camera itself could have been a simple box with a hole in it and the exposure time would have been lengthy."

Of course, there are a lot of theories about the Shroud of Turin, and a google search is likely to intrigue you for days.

if i were a county office,

[RumGunner]

i certainly wouldn't have my offices in suite 420.

or maybe i would.

Re:if i were a county office,

[commonchaos]

a quick google search found a page on the meaning of 420.

Domain Registery of America Letter

[Masem]

I've gotten both the Verisign and the DRA letter, and after reading both in light of the Veresign suit, the DRA letter is VERY clear that submitting the form back to them will switch your registry to them; this is printed on the front of the letter in the same type as the rest of the page. In the Verisign case, the transfer statement was printed on the back of the letter in fine print (with no indication there was something on the back). While somewhat tacky, I don't think DRA is in the wrong here, compared to Verisign.

Re:Domain Registery of America Letter

[Dr.Dubious+DDQ]

I don't think DRA is in the wrong here

Actually, I think they very well may be. Where did they get the address to send the advertisement to? I'm assuming the same place they got the expiration information - whois.

Most whois servers have a notice like the following, I've noticed:

"Any use of this data for any other purpose, including, but not limited to, allowing or making possible dissemination or collection of this data in part or in its entirety for any purpose, such as the transmission of unsolicited advertising and solicitations, is expressly forbidden without the prior written permission of (Registrar). By submitting an inquiry, you agree to these terms of usage and limitations of warranty."

My registrar's whois database has this notice. I got one of verisign's sleazy notes as well (though I knew what it was, at least.) If I get one from DRA, I'll be complaining...

Shroud evidence: Jesus underwent nuclear fission

[ashitaka]

From the linked evidence website...

One theory is that Jesus became pure energy and the radiation burned the image into the cloth. This isn't a far fetched theory really. We don't know how He resurrected. As the theory suggests, He could have transformed into a form of energy. Einstein's famous equation E=mc2 tells that matter can become pure energy. In fact this is the same concept of an atom bomb - matter becoming pure energy using radioactive material as a catalyst.

This is evidence???????

Exactly!

[PhysicsGenius]

There's also a very shallow learning curve! And I'd like to reiterate your point about the upgrade treadmill--I've had my kernel installed since...gosh, it must have been mid-June when I d/l'd and compiled this baby. And XP's latest patch came out what, last week? HAHA, M$ SUXORS!

It'll also be pretty sweet when all that GPL'd, SouthWest-oriented county management software can finally get used. It's been ramping up in usability on SourceForge for literally months and it's time to give that stuff a spin around the block!

It's a great time to be a Linux fanatic!

Re:Shroud evidence: Jesus underwent nuclear fissio

[Wildcat+J]

The paragraph that follows amuses me too:

What makes this theory eerily realistic is that when the cities of Hiroshima and Nagasaki were bombed in World War II, there were some walls left standing. Etched on those walls were shadows of spiral staircases, statues, and even people. Hypothesis is that the atomic explosion etched the shadows of images onto the walls. So if matter becoming pure energy, such as an atomic blast, can etch images onto a wall, it is not far-fetched that Jesus's resurrection could have done the same thing to The Shroud - if he produced some kind of energy of some sort in the process of resurrection.

Hypothetically speaking (because I find the idea, to quote Mike Tyson, "ludacrisp") if Jesus were the energy source that etched this image on the linen, he wouldn't cast a shadow, now would he?

-J

I am *truly* sorry about that...

[realgone]

The shroud article's paraphrase of one Dr. Nicholas Allen:

He said all one had to do was suspend a corpse for three to four days in sunlight.

I'd like to formally apologize to Sears Photo Studio for ever having complained while sitting through those family portraits back in the '70s. In retrospect, you were surprisingly gentle with me.

Re:Shroud evidence: Jesus underwent nuclear fissio

[_Sprocket_]

One theory is that Jesus became pure energy and the radiation burned the image into the cloth.

...

In fact this is the same concept of an atom bomb - matter becoming pure energy using radioactive material as a catalyst.

"Yea. I knew Jesus. Nice guy. Real concern for his fellow man. Kinda quiet. But boy... once you set him off... what a temper!"

Vermeer: First Photographer

[sjbrown]

...or perhaps first "camera"

I recently saw a TV segment about research showing that he quite likely projected an image onto canvas using a lens, then painted or sketched the projected image.

He probably wasn't the inventor of the technique. I believe it was called a 'camera obscura'.

Just found a link, thanks to Google:
Vermeer's Camera

Re:Shroud evidence: Jesus underwent nuclear fissio

[i_am_nitrogen]

Wow, that's really inane. Now I know why people some peole call some Christians morons... I'm a Christian myself, but I have had little awareness of all the hilarious "evidence" out there... Amazing that people think a big ball of radiation could walk out of the tomb and talk to Mary Magdalene...

Detailed analysis of the exploit?

[MrHat]

Disclaimer: I don't want to know this so I can run around and r00t a bunch of machines. I'm genuinely interested, since the flaw wasn't immediately apparent to me when I glanced at the patch a few days ago.

With that said - does anyone have an analysis/description of where in the source the overflow was actually exploitable? I followed the auth_chall2.c call path fairly far, and didn't manage to find where nresp > 100 would actually overflow. It doesn't seem to be exploitable in the xmalloc() immediately following the patch, unless I really missed something. I didn't trace into openssl, so if it's an interaction between the two libraries, I wouldn't have hit it.

Hints, pointers, source snippets? All are appreciated. :)

Re:Detailed analysis of the exploit?

[BJH]

My take on the problem (no guarantees, this may make you bald, blind and impotent, etc. etc.).

The problem lies with the xmalloc line in:

if (nresp > 0) {
response = xmalloc(nresp * sizeof(char*));
for (i=0; i < nresp; i++)
response[i] = packet_get_string(NULL);
}

Basically, the sizeof(char*) will return 4 on a normal x86 machine... which means that if nresp is greater than one-fourth of 0xffffffff (UINT_MAX), i.e. over 0x4000000, then you overflow xmalloc(), which is just a wrapper function for standard malloc().

I know I can't be the only who thought of it

[aTMsA]

I think the first thing(s) i would try to clone if i could would be anything resembling human DNA in the shroud. It would be hilarious if some blond/black chinese guy(or even girl) come out of the clonation!

SuSE on the OpenSSH Vulnerability.

[AgTiger]

Anyone who runs SuSE Linux from version 6.4 through version 8.0 inclusive may be interested in this.

SuSE's "SuSE-Security-Announce" mailing list released this post today regarding their response to the OpenSSH vulnerability. It contains a ton of information, and FTP links to update your OpenSSH packages for the aforementioned versions of SuSE's distribution.

Re:Shroud evidence: Jesus underwent nuclear fissio

[Alien+Being]

Why naturally Sherman, you have heard of "Critical Mass" haven't you?

-Peabody

Not all

[jcsehak]

My domains are registered through Go Daddy. I used them because they were cheapest and a friend recommended them to me. To date (several months), I have recieved no spam from them other than a notice warning me about Verisign's nasty renewal notices, and a recent notice about how they're making domain transfer free. Also, my normal flow of spam didn't noticeably go up after registering. So while I'd agree that most registrars are scumbags, I gotta say I'm very happy with Go Daddy. So far, at least.

Maricopa going open source (or whatever)

[The+Bungi]

For all of you Linux/BSD advocates that are obviously droooling over this oh-so-cool-good-vs-evil "stuggle"... I can categorically assure everyone that this will never happen. Never.

As someone who regularly consults at the county , city and AZ state agency level, I hate to inform ya'll that this is very much a Microsoft kinda town. Yep, you heard it here first.

Further, Maricopa county is small potatoes when compared to the state and city agencies/IT budgets. Scottsdale's (one of the valley's cities) CIO probably has four times the dough than the dude that runs the county's boxen. Not to mention Phoenix city proper. And Tempe, Chandler, Mesa, etc. etc. Oh, and the state government.

And of course, government agencies are the least prepared to transition an existing employee base to a brand new technology paradigm, regardless of the cost benefits this might theoretically bring (or how supposedly easy it is to switch to Linux/KDE/OSS Office suite).

Sorry, I had to break the news.

Are you out of your fucking mind?

[Kombat]

You're obviously not a parent. Policing your children? Duh! Hello! McFly!?! That's what parenting is. What, you think kids are born knowing right from wrong, and parents are just supposed to stay out of the way and occassionally put food on the table? What friggin' world are you living in???

When will people realise that the way to help your child grow up safely is not to forbid things Gee, maybe the same time they realise that if a pair of minors wants to have unprotected sex, then that's their business. I.e., NEVER, HOPEFULLY, BECAUSE YOU'RE TALKING FUCKING STUPID.

Hey Genius, we're talking about minors here, doing illegal things. It's one thing if you want to try and make a point about the futility of the war on drugs among adults, and the government's assault on civil liberties by trying to regulate activites exclusive to one or more consenting grown ups, but geez, kid, get your head out of your ass and use some common sense. We're talking about kids here. I know in your little fantasy world it's the 10-year-olds who are hacking out the planet-saving patches keeping this fragile society together, while the Ph.d educated engineers at Microsoft scratch their heads in awe, so this may surprise you: kids DON'T know it all. Kids need guidance. They need discipline. And, to borrow a phrase from my father, as long as you're living under my roof, eating my food, and using my phone, you're going to follow MY RULES

Good Lord man, you take this all kids are good and can be trusted thing too far.

Phoenix residents-- this is your chance...

[VValdo]

If you live in the Phoenix Metro area, this is your big chance to make a great impression, show interest in your local government, and learn something too -- I mean, this is great-- the people who make important decisions about the county's technology are going to be LISTENING to you-- aside from the inevitable rips on Microsoft (easy to do), be sure to play up the cost-benefits and reliability of Linux and *bsd as viable alternatives. Have some printed materials (or CD-ROMs?) to give out.

If you seem too fanatical or "out there", you may scare them off-- it's easy to dismiss a lunatic, even when they're right. So please don't dress like Obiwan ;) A well-thought out, reasoned discussion about the benefits of open source software may make a tremendous difference if you can reach the right people and they are truly open to change.

Good luck everyone! Let us know how it works out Monday! Someone call the Arizona Republic and New Times. (And be on the lookout for a counter-offensive from Microsoft).

W

Early photography

[rnturn]

``the Shroud of Turin may have been an earlier example (substantially earlier) of photography using ingredients as basic as egg-white for treating cloth (the photopaper) and urine for developing it.''

Now while I'm wondering how someone decided that oysters were edible, I can wonder how someone figured out 2000 years ago that urinating on an egg-white soaked cloth would produce an recognizable image. I know that things like gun cotton and Bakelite were discovered by accident but this egg-white thing I'm finding a bit hard to believe. But I would sure like to see a Mel Brooks bit on that historic moment.

Re:Great news for Linux!

[Quila]

Microsoft is probably not a direct contractor to the county,

MS likes to think its EULAs are binding contracts. Therefore, if the EULAs are valid, then there is a contract between the county and MS. Conclusion: Whenever someone in the county installs any MS product, MS is de facto a contractor.

Alternate conclusion: MS wants its products used, and has to admit the EULAs aren't binding contracts in order to not be considered a contractor. All EULAs are then admitted by Microsoft to be invalid.