Go here: http://wikileaks.org/the-gifiles.html (or any one of their leak pages) Click on any one of the articles on the left hand side. Enjoy your paywall.
And in case you want to be super pedantic about this, youll note that my quote was I didnt say THEY were unauthorized Which is plural, referring to the plural part of my original post, which again was clearly the two Bush wars.
Appreciate the misplaced ridicule, however, it brings political discussion to a whole new level.
Im still torn on it, but have no problems with the action in Libya; the issue was the lack of approval, and moreso because of Obama's years of complaining about unauthorized actions and the Constitution and his expertise in constitutional law. After all that, he says "to hell with congress, the UN says lets go so lets go."
Re check your post-- you complained about the second part of my quote: "after years of complaining about unauthorized military actions" Which was clearly referring to Bush's wars, which WERE authorized-- it is Obama who called them unauthorized, and I was citing him.
If you were referring to the FIRST part of my post, that is referring to Libya, which was NOT authorized by congress. All Obama had in Libya was UN approval, which I understand from his cabinet is seen to trump congressional approval.
You missed the entire part where for 10 years now the sequence numbers have been randomized and are no longer predictable. Mitnicks attack is simply not feasible, and has not been for 10+ years depending on the tcp stack.
Wait wait wait, Obama complained for years about the military action in afghanistan and Iraq, calling them unauthorized and unconstitutional: The President does not have power under the Constitution to unilaterally authorize a military attack in a situation that does not involve stopping an actual or imminent threat to the nation. (from here) How then can you defend his continuing the fight in Afghanistan? Dont get me wrong, I dont have a problem with that per say-- but by his own words HE did. And how then can one even REMOTELY justify the action in Libya?
The big problem is that it utterly shreds his credibility. This isnt some stretching the truth or exaggeration thing, Obama called Bush's actions unconstitutional to help get himself elected, and then went on to one-up them with a completely unauthorized military excursion.
After fighting to the edge of default a budget was passed that no one liked. Obama has tried multiple times to close Gitmo.
They had TWO YEARS to pass a budget while they controlled both houses of congress AND the executive. And dont say "filibuster", because you cant filibuster budgetary issues.
All the excuses in the world fall flat on their face when Obama had every opportunity in the world for two whole years.
So you want nvidia to create new FOSS drivers that open up use in co-processing, but that have no OpenGL support, no shader support, none of the stuff that would actually make it useful for gaming or acceleration?
That may serve them well, but it sucks for anyone who wants to dual boot.
The binary blob they ship works quite well and for years was basically the only game in town if you wanted to game on linux. As I recall, I got better performance on an nvidia 9300m under linux / wine / nvidia binary blob than I did under Windows in World of Warcraft, even when I set it to DirectX mode.
For the record, they dont release the source code of their Windows driver either.
A little bit more.... From http://lcamtuf.coredump.cx/newtcp/, which did some tests on TCP sequence prediction in what looks like 2001 (Win2k SP2 was current), IOS (Cisco), BSD, Mac OSX, and Windows were all fairly secure-- only on windows were they able to guess any of the sequence numbers, and only 12% of the time.
Dunno about you, but Im not really aware of a protocol that will work with 88% packet loss, even assuming you can find a Win2k SP2 machine to attempt attacking.
That simply wont work. Telnet is TCP, which means a single packet wont work-- there will be acknowledgements sent back and forth with sequence numbers. You cant simply have your client shout at the server without ever receiving data back, because you will be unable to complete the 3 way handshake.
From wikipedia:
SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A. SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number (A + 1), and the sequence number that the server chooses for the packet is another random number, B. ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A + 1, and the acknowledgement number is set to one more than the received sequence number i.e. B + 1.
That third part is where your plan fails: You will never get the SYN-ACK from the server, and will thus not know what sequence number the server chose, and will thus be unable to generate an ACK that would be acceptable to the server.
Generally the client isnt even going to send more than a few packets before stopping to wait for the servers ACKs, which will never arrive.
Its possible that at one point sequence numbers were easier to guess; if you have used nmap any time in the recent past you will notice that basically every target you scan lists "sequence number prediction" as "good luck". As I say, Im no history guru, but it seems to me that at one point it may have been easier to predict, but that (obvious) hole that allowed IP spoofing of TCP connections has been closed.
That article you link corroborates what Im saying:
Two different attack mechanisms were used. IP source address spoofing and TCP sequence number prediction were used
I didnt say they were unauthorized, I said that Obama complained about unauthorized military activity.
On a pedantic note however they were not declared wars, they were authorized military actions. One gives the president some pretty big powers, the other does not. I do not believe, for example, that the authorizations would allow the president to declare martial law.
He also started a new (unauthorized!) military action, after years of complaining about unauthorized military actions.
Going to Libya I might have possibly been able stomach, if it hadnt been for the utter hypocrisy of it all and the declaration that "UN approval is enough".
Ditto, but like GP Im having a hard time finding a reason to care. People I DONT want calling me generally already have my phone number, the least I can do is put it out there for those I do want to contact me.
2. Ever heard of regression testing? (That's okay, judging by Google's perpetual beta status for everything, they haven't either.)/quote? And yet Google's betas tend to be far more reliable and generally better than most competitor's releases.
Theyve moved to Chrome's dev model, which as an end user is awesome (especially now that their autoupdater actually WORKS). Bugs get fixed faster, and I dont have to wait 6-12 months for them to add a feature that everyone's been clamoring for for months (as back in the 1.0, 1.5 etc days).
You miss my point. If you are using WPA or even WEP, there is a threshold to breaking past it. That threshold is so much higher than the one for spoofing a MAC, that it gains you no security whatsoever. Anyone who could break the WEP, MUST have the capability to spoof MACs (so he can issue the deauth commands and capture the re-auth traffic).
Its sort of like, you deadbolt your front door, and then use masking tape to secure the door a bit more securely to its frame. Anyone getting thru the deadbolt probably wont notice that you put the masking tape up.
Its not about accurately guessing anything. If you spoof your IP as 78.77.76.75, and send that traffic, there MIGHT be a response if your ISP doesnt block it, but you sure arent going to get the response. Someone elses firewall will see this strange, unsolicited SYN-ACK traffic, and silently block it.
For TCP, no, IPs cannot be spoofed, because the connection would never complete. The only time you would / could spoof an IP address with TCP is if you simply dont care / want return traffic, and even then theres a high chance that the ISP is just going to drop your traffic as bogus. If youre actually trying to do something meaningful like transfer files over TCP, you have to be using an IP in the proper subnet, and for all intents and purposes its going to be your IP.
It is true however that a static IP really doesnt identify a person; when NAT is involved, you really cant know who's behind an IP unless lots and lots of logging data was stored on both ends of the connection.
Go here: http://wikileaks.org/the-gifiles.html (or any one of their leak pages)
Click on any one of the articles on the left hand side.
Enjoy your paywall.
Everyone has security flaws. Or did you not see the issue that Chrome just had to deal with recently?
And in case you want to be super pedantic about this, youll note that my quote was
I didnt say THEY were unauthorized
Which is plural, referring to the plural part of my original post, which again was clearly the two Bush wars.
Appreciate the misplaced ridicule, however, it brings political discussion to a whole new level.
Im still torn on it, but have no problems with the action in Libya; the issue was the lack of approval, and moreso because of Obama's years of complaining about unauthorized actions and the Constitution and his expertise in constitutional law. After all that, he says "to hell with congress, the UN says lets go so lets go."
Re check your post-- you complained about the second part of my quote:
"after years of complaining about unauthorized military actions"
Which was clearly referring to Bush's wars, which WERE authorized-- it is Obama who called them unauthorized, and I was citing him.
If you were referring to the FIRST part of my post, that is referring to Libya, which was NOT authorized by congress. All Obama had in Libya was UN approval, which I understand from his cabinet is seen to trump congressional approval.
Does that clarify things?
You missed the entire part where for 10 years now the sequence numbers have been randomized and are no longer predictable. Mitnicks attack is simply not feasible, and has not been for 10+ years depending on the tcp stack.
Re read my post above:
....Which is a lot less feasible now that sequence numbers are pseudorandomly generated:
(from http://www.symantec.com/connect/articles/ip-spoofing-introduction [symantec.com])
Today, most OSs implement random sequence number generation, making it difficult to predict them accurately.
(and again, that quote is 10 years old)
Before attacking me for not understanding TCP, you might want to read the entirety of my post.
Filibusters cant be used on budget issues by the senate rules. Trying to claim that the filibuster was used to hold the economy hostage is just myth.
Source
Wait wait wait, Obama complained for years about the military action in afghanistan and Iraq, calling them unauthorized and unconstitutional:
The President does not have power under the Constitution to unilaterally authorize a military attack in a situation that does not involve stopping an actual or imminent threat to the nation. (from here)
How then can you defend his continuing the fight in Afghanistan? Dont get me wrong, I dont have a problem with that per say-- but by his own words HE did.
And how then can one even REMOTELY justify the action in Libya?
The big problem is that it utterly shreds his credibility. This isnt some stretching the truth or exaggeration thing, Obama called Bush's actions unconstitutional to help get himself elected, and then went on to one-up them with a completely unauthorized military excursion.
Budgets cant be filibustered. Whats the excuse there for not passing one?
After fighting to the edge of default a budget was passed that no one liked. Obama has tried multiple times to close Gitmo.
They had TWO YEARS to pass a budget while they controlled both houses of congress AND the executive. And dont say "filibuster", because you cant filibuster budgetary issues.
All the excuses in the world fall flat on their face when Obama had every opportunity in the world for two whole years.
So you want nvidia to create new FOSS drivers that open up use in co-processing, but that have no OpenGL support, no shader support, none of the stuff that would actually make it useful for gaming or acceleration?
That may serve them well, but it sucks for anyone who wants to dual boot.
The binary blob they ship works quite well and for years was basically the only game in town if you wanted to game on linux. As I recall, I got better performance on an nvidia 9300m under linux / wine / nvidia binary blob than I did under Windows in World of Warcraft, even when I set it to DirectX mode.
For the record, they dont release the source code of their Windows driver either.
A little bit more....
From http://lcamtuf.coredump.cx/newtcp/, which did some tests on TCP sequence prediction in what looks like 2001 (Win2k SP2 was current), IOS (Cisco), BSD, Mac OSX, and Windows were all fairly secure-- only on windows were they able to guess any of the sequence numbers, and only 12% of the time.
Dunno about you, but Im not really aware of a protocol that will work with 88% packet loss, even assuming you can find a Win2k SP2 machine to attempt attacking.
That simply wont work. Telnet is TCP, which means a single packet wont work-- there will be acknowledgements sent back and forth with sequence numbers. You cant simply have your client shout at the server without ever receiving data back, because you will be unable to complete the 3 way handshake.
From wikipedia:
SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.
SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number (A + 1), and the sequence number that the server chooses for the packet is another random number, B.
ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A + 1, and the acknowledgement number is set to one more than the received sequence number i.e. B + 1.
That third part is where your plan fails: You will never get the SYN-ACK from the server, and will thus not know what sequence number the server chose, and will thus be unable to generate an ACK that would be acceptable to the server.
Generally the client isnt even going to send more than a few packets before stopping to wait for the servers ACKs, which will never arrive.
Its possible that at one point sequence numbers were easier to guess; if you have used nmap any time in the recent past you will notice that basically every target you scan lists "sequence number prediction" as "good luck". As I say, Im no history guru, but it seems to me that at one point it may have been easier to predict, but that (obvious) hole that allowed IP spoofing of TCP connections has been closed.
That article you link corroborates what Im saying:
Two different attack mechanisms were used. IP source address spoofing and
TCP sequence number prediction were used
....Which is a lot less feasible now that sequence numbers are pseudorandomly generated:
(from http://www.symantec.com/connect/articles/ip-spoofing-introduction)
Today, most OSs implement random sequence number generation, making it difficult to predict them accurately.
Note that that article was written in 2003, a full 9 years ago (back before symantec became awful!)
The stack of bugs is smaller because the release is smaller. Thats the whole point.
I didnt say they were unauthorized, I said that Obama complained about unauthorized military activity.
On a pedantic note however they were not declared wars, they were authorized military actions. One gives the president some pretty big powers, the other does not. I do not believe, for example, that the authorizations would allow the president to declare martial law.
He also started a new (unauthorized!) military action, after years of complaining about unauthorized military actions.
Going to Libya I might have possibly been able stomach, if it hadnt been for the utter hypocrisy of it all and the declaration that "UN approval is enough".
Pretty bummed I didnt see this before the debate.
Ditto, but like GP Im having a hard time finding a reason to care. People I DONT want calling me generally already have my phone number, the least I can do is put it out there for those I do want to contact me.
2. Ever heard of regression testing? (That's okay, judging by Google's perpetual beta status for everything, they haven't either.)/quote?
And yet Google's betas tend to be far more reliable and generally better than most competitor's releases.
I must have missed the part where Google is making bank off of their free browser.
The trunk snapshots have a name, Aurora.
Theyve moved to Chrome's dev model, which as an end user is awesome (especially now that their autoupdater actually WORKS). Bugs get fixed faster, and I dont have to wait 6-12 months for them to add a feature that everyone's been clamoring for for months (as back in the 1.0, 1.5 etc days).
You miss my point. If you are using WPA or even WEP, there is a threshold to breaking past it. That threshold is so much higher than the one for spoofing a MAC, that it gains you no security whatsoever. Anyone who could break the WEP, MUST have the capability to spoof MACs (so he can issue the deauth commands and capture the re-auth traffic).
Its sort of like, you deadbolt your front door, and then use masking tape to secure the door a bit more securely to its frame. Anyone getting thru the deadbolt probably wont notice that you put the masking tape up.
Its not about accurately guessing anything. If you spoof your IP as 78.77.76.75, and send that traffic, there MIGHT be a response if your ISP doesnt block it, but you sure arent going to get the response. Someone elses firewall will see this strange, unsolicited SYN-ACK traffic, and silently block it.
For TCP, no, IPs cannot be spoofed, because the connection would never complete. The only time you would / could spoof an IP address with TCP is if you simply dont care / want return traffic, and even then theres a high chance that the ISP is just going to drop your traffic as bogus. If youre actually trying to do something meaningful like transfer files over TCP, you have to be using an IP in the proper subnet, and for all intents and purposes its going to be your IP.
It is true however that a static IP really doesnt identify a person; when NAT is involved, you really cant know who's behind an IP unless lots and lots of logging data was stored on both ends of the connection.