In other news "retired Air Force officer, Stanley A. Fulham", whoever that guy might be, "predicts October 13, 2010 as the date for a massive UFO display over the world’s principal cities".;-) Given the distance, can we really be sure it is an asteroid ?
Of course, they must have been talking about capacity instead of speed. Sending more information concurrently using the same pipe. Every bit of information would still travel at pretty much the same speed obviously.
> Please use UTC when dealing with security issues > like this.
Bah, for historical reasons, the server was set to local time back in the nineties although the system clock is set to UTC. I am too lazy to correct this.
Note that most abuse desks only ask you to specify the timezone your log timestamps refer to. I have never seen one that required UTC to answer a complain although, as you say, it may help by making the abuse staff life easier when using UTC timestamps.
The truth is that I don't care if they take action or not. I am only sending them reports to help in a good Samaritan spirit. I wouldn't rely on remote parties to deploy countermeasures, I do it myself. Also, I do not really send the abuse reports myself, my script does. I am also too lazy to modify the script to edit timestamps.
I fully understand you point although. Things are much simpler when everything is set to UTC. Only adjust a date/time when comes the time to present data to the user if needed.
Answers from Remote IP-1 port 80 connects back to port 32001 on the NAT router and is forwarded to 10.10.10.1
Answers from Remote IP-1 port 25 also connects back to port 32001 on the NAT router and is forwarded to 10.10.10.2
Answers from Remote IP-2 port 80 also connects back to port 32001 on the NAT router and is forwarded to 10.10.10.3
Answers from Remote IP-2 port 25 also connects back to port 32001 on the NAT router and is forwarded to 10.10.10.4
Answers from Remote IP-3 port 80 also connects back to port 32001 on the NAT router and is forwarded to 10.10.10.5
Answers from Remote IP-3 port 25 also connects back to port 32001 on the NAT router and is forwarded to 10.10.10.6
etc.
See, only one port (32001) is needed on the NAT router to maintain multiple remote connections.
You can reuse a port over and over as long as it is to connect to a different remote IP/port combination. Do not forget that what uniquely identifies a connection is the remote IP/port combination + the local IP/port combination taken together. Otherwise web servers could only serve one client at a given time...
Nowadays, not that many people give. It is also pretty rare that corporations give to their customer base. As well, it is rare that governments give since in the end we are paying for every dime they spend.
So in the end, the most competitive solution will prevail. Read the cheapest one. If it is using a dual stack with natted IPv4 plus IPv6 well during the transition, this is what's going to happen.
I would sure enjoy having IPv6 fully deployed right now but I have to be realist.
Of course it could fit most people needs who, by the way, don't even know what having a unique IPv4 address means, forget about knowing what a fixed IP address is. My only concerns would be towards people hosting services, even if they only host a gaming server.
Before getting a fixed IP address, I remember using services like dyndns before I setup my own private dyndns server on a fixed IP address server that I had access to. I could always reach my system even if it changed address every 6 hours on the first dialup provider I registered to back then.
So yes, it could, my only concerns is that it may cause prices to have a unique address or a fixed address to rise.
Well, at least it seems to beat Comcast waiting on reports like this one before taking action with an infected customer. Maybe they realized that all that unwanted traffic cost them money after all.
From abuse-report@myhost Thu Sep 2 08:52:54 2010 Date: Thu, 2 Sep 2010 08:52:03 -0400 From: abuse-report@myhost To: abuse@comcast.net Subject: Report of abuse from one of your IP: 75.149.85.71
Hello,
An IP from your network is scanning one of our machine Culprit IP on YOUR network: 75.149.85.71 Victim IP on OUR network: X.X.X.X
Here is the data used to file this abuse report:
% This is Whois 78.26
[ Informations about 75.149.85.71 ]
IP range : 75.144.0.0 - 75.151.255.255
Network name : CBC-CM-5
Infos : Comcast Business Communications, Inc.
Infos : 1800 Bishops Gate Blvd.
Infos : Mount Laurel
Infos : NJ
Infos : 08054-4628
Country : United States (US)
Abuse E-mail : abuse@comcast.net
Source : ARIN
Here is our log file, note that timestamps are AMERICA/NEW YORK time:
75.149.85.71 count: 29/var/log/messages:Sep 2 08:44:53 myhost sshd[4767]: Did not receive identification string from 75.149.85.71/var/log/messages:Sep 2 08:51:46 myhost sshd[5256]: Invalid user agent from 75.149.85.71/var/log/messages:Sep 2 08:51:46 myhost sshd[5256]: Failed password for invalid user agent from 75.149.85.71 port 45944 ssh2/var/log/messages:Sep 2 08:51:46 myhost sshd[5260]: Invalid user alan from 75.149.85.71/var/log/messages:Sep 2 08:51:46 myhost sshd[5260]: Failed password for invalid user alan from 75.149.85.71 port 46020 ssh2/var/log/messages:Sep 2 08:51:47 myhost sshd[5264]: Invalid user alex from 75.149.85.71/var/log/messages:Sep 2 08:51:47 myhost sshd[5264]: Failed password for invalid user alex from 75.149.85.71 port 46033 ssh2
(truncated to post to/.)
Report sent to remote system admin on Thu Sep 2 08:52:03 EDT 2010
I just play a message telling the caller to press 1 to speak to me, wait 3 seconds then send them to the fax if they don't press any key. Actually, pressing any key routes the call to me. I swear, it is pretty efficient.
Playing the SIT tone (Zapateller) as you suggest might cause you to miss legitimate calls. In my case, the worst that happens is that legitimate callers have to call twice if they were distracted and not quick enough to punch in a key the first time.
If you do not have a fax, you could always put the caller on hold forever, if you are nice, you could even supply background music;-)
I keep my cell phone number private, people dial my unique number to ring my home phone and cell phone at the same time so, in many years, the only phone spam I got was from my cell phone company dialing my cell phone number to offer me new features. Oh, I also got a few phone calls from small, local non for profit organizations that actually have a human dialing with a conventional phone.
It depends, I wouldn't say I am sure about this. Some believe that special conditions are needed in order for life to happen. Some even believe that some "special intervention" is needed, like in seeding a sterile environment with external input.
Look at this picture from Genesis "The trick of the tail". You can see a little flying creature spreading magic powder. That concept is also present in many religions and other old beliefs.
It depends on your definition of "human habitable". If you do not consider the moon human habitable nor any other planet where we would need artificial life support for us to survive there then: I believe some other forms of life should be needed for things like renewing the oxygen supply or otherwise, the planet would be habitable for a shorter period of time.
Without an ecosystem or an artificially generated environment to live in, I can't see how a planet could support human life for extended period of time.
Of course a colonization strategy could be valid too. We could bring with us other forms of life like plants, fishes, insects etc. in order to implant an ecosystem on a suitable planet.
> Plus, all intelligent races call their planet something > that translates literally to "dirt" anyhow.
In English maybe...
But then again, some intelligent races do not speak English and I know a few languages where Earth doesn't translate to "dirt". Those languages are spoken right here on this very planet.
So please do not give any false impression about planet Earth to our new low gravity overlords.
I should have replied to parent but I try to avoid conflicts;-)
So anyways; you were basically right in your GGP post. Never mind the RPC topic.
I have learned around 1990 (from people who had learned it before that date ) that RPC access should be filtered at the firewall + host level.
I am still using RPC because it is just to handy for some tasks and other people are doing it too.
Oh, and by the way, as I speak today; same goes for SMB shares and services (ports 137, 139, 445) even in a Microsoft only implementation environment. I made some money out of it (fixing things, of course).
So, I believe that it is fair to say that the two most prevalent alternatives are at par with regards to this topic (RPC vs SMB).
> but can affect other frameworks that use similar mechanisms.
Yep, JSF included apparently;-)
Some people tend to forget rule 1...
I mean it must be just too easy to store a meaningless token in a cookie or hidden form field and to map it to something meaningful on the server. Why adopt the easy way when we can do more complicated stuff some would say ?
I remember freaking out when servlets and jsps came out and I realized that web.xml was by default right under the root directory of the site, right under WEB-INF. I thought back then that some implementation would screw up and make it readable.
The natural approach I was used to back then was to put httpd.conf in a directory that only root could read while apache would run under a different uid.
Still, never mind my fears from 10 years ago but I have never heard about a remote attacker managing to read web.xml although I would bet some implementation must have had that security hole.
So, short story, I was really looking for a case where a remote attacker managed to read web.xml although my quick search didn't reveal anything;-)
> not a cookie, rather a hidden, encrypted field for storing state across postbacks
Thanks a lot for the clarification, it seriously helps me understand the problem better and I really mean it.
Now I will re-phrase my post:
WTF ?
Is this serious ? I thought rule 1 of using hidden form fields was to only put meaningless (OK: or already submitted data by the user) data into one. I am still having a hard time to believe this is occurring out of the box in an enterprise platform like ASP.NET.
A hidden form field in more or less the request scoped version of a cookie, never ever store your guts into one, no matter how well it is encrypted !;-)
Is this serious ? I thought rule 1 of using cookies was to only put meaningless data into one. I am still having a hard time to believe this is occurring out of the box in an enterprise platform like ASP.NET.
Being an equal opportunity fan and enjoying playing the devil advocate, I went to search for an instance where a remote attacker could read web.xml to no avail.
web.xml is used by multiple application server implementations offering the most prevalent alternative to ASP.NET.
So did anybody ever heard of a security hole that allowed a remote attacker to read web.xml ?
Of course because 90% of routers, firewalls and mail servers have SPF built-in into them and hardwired in a way that it is impossible to disable.
Seriously about 50% of all domains use SPF.
On my small domains with a few machines, I do publish SPF records with a "-all" (dash) record but I do not use SPF directly to filter email. I give a small weight when SPF records do not match amongst a lot of other factors in order to make a decision whether an email is spam or not but I never block an email based only on SPF.
For big domains with multiple machines and customers who access the net in many different ways. Having an SPF record with "-all" is a guaranteed way to have your legitimate customer emails blocked at some point.
Slashdot Mirror
In realty, we are called the Asgards, how dare you doubt our existence ?
We continue to exist and influence things long after the last of us has left its primitive physical body ;-)
In other news "retired Air Force officer, Stanley A. Fulham", whoever that guy might be, "predicts October 13, 2010 as the date for a massive UFO display over the world’s principal cities". ;-) Given the distance, can we really be sure it is an asteroid ?
http://www.disclose.tv/forum/october-13-2010-worldwide-ufo-display-t33304.html
OK then, to be more specific: Network bandwidth capacity.
I just thought the "Network bandwidth" part was implicit.
http://en.wikipedia.org/wiki/Bandwidth_(computing)#Network_bandwidth_capacity
FTFS: > to double or quadruple current speeds.
Of course, they must have been talking about capacity instead of speed. Sending more information concurrently using the same pipe. Every bit of information would still travel at pretty much the same speed obviously.
> Please use UTC when dealing with security issues
> like this.
Bah, for historical reasons, the server was set to local time back in the nineties although the system clock is set to UTC. I am too lazy to correct this.
Note that most abuse desks only ask you to specify the timezone your log timestamps refer to. I have never seen one that required UTC to answer a complain although, as you say, it may help by making the abuse staff life easier when using UTC timestamps.
The truth is that I don't care if they take action or not. I am only sending them reports to help in a good Samaritan spirit. I wouldn't rely on remote parties to deploy countermeasures, I do it myself. Also, I do not really send the abuse reports myself, my script does. I am also too lazy to modify the script to edit timestamps.
I fully understand you point although. Things are much simpler when everything is set to UTC. Only adjust a date/time when comes the time to present data to the user if needed.
Not necessarily:
Answers from Remote IP-1 port 80 connects back to port 32001 on the NAT router and is forwarded to 10.10.10.1
Answers from Remote IP-1 port 25 also connects back to port 32001 on the NAT router and is forwarded to 10.10.10.2
Answers from Remote IP-2 port 80 also connects back to port 32001 on the NAT router and is forwarded to 10.10.10.3
Answers from Remote IP-2 port 25 also connects back to port 32001 on the NAT router and is forwarded to 10.10.10.4
Answers from Remote IP-3 port 80 also connects back to port 32001 on the NAT router and is forwarded to 10.10.10.5
Answers from Remote IP-3 port 25 also connects back to port 32001 on the NAT router and is forwarded to 10.10.10.6
etc.
See, only one port (32001) is needed on the NAT router to maintain multiple remote connections.
You can reuse a port over and over as long as it is to connect to a different remote IP/port combination. Do not forget that what uniquely identifies a connection is the remote IP/port combination + the local IP/port combination taken together. Otherwise web servers could only serve one client at a given time...
Come on, give the guy a break. He is only protecting himself against potential lawsuits.
> Give us...
Nowadays, not that many people give. It is also pretty rare that corporations give to their customer base. As well, it is rare that governments give since in the end we are paying for every dime they spend.
So in the end, the most competitive solution will prevail. Read the cheapest one. If it is using a dual stack with natted IPv4 plus IPv6 well during the transition, this is what's going to happen.
I would sure enjoy having IPv6 fully deployed right now but I have to be realist.
Of course it could fit most people needs who, by the way, don't even know what having a unique IPv4 address means, forget about knowing what a fixed IP address is. My only concerns would be towards people hosting services, even if they only host a gaming server.
Before getting a fixed IP address, I remember using services like dyndns before I setup my own private dyndns server on a fixed IP address server that I had access to. I could always reach my system even if it changed address every 6 hours on the first dialup provider I registered to back then.
So yes, it could, my only concerns is that it may cause prices to have a unique address or a fixed address to rise.
Well, at least it seems to beat Comcast waiting on reports like this one before taking action with an infected customer. Maybe they realized that all that unwanted traffic cost them money after all.
From abuse-report@myhost Thu Sep 2 08:52:54 2010
Date: Thu, 2 Sep 2010 08:52:03 -0400
From: abuse-report@myhost
To: abuse@comcast.net
Subject: Report of abuse from one of your IP: 75.149.85.71
Hello,
An IP from your network is scanning one of our machine
Culprit IP on YOUR network: 75.149.85.71
Victim IP on OUR network: X.X.X.X
Here is the data used to file this abuse report:
% This is Whois 78.26
[ Informations about 75.149.85.71 ]
IP range : 75.144.0.0 - 75.151.255.255
Network name : CBC-CM-5
Infos : Comcast Business Communications, Inc.
Infos : 1800 Bishops Gate Blvd.
Infos : Mount Laurel
Infos : NJ
Infos : 08054-4628
Country : United States (US)
Abuse E-mail : abuse@comcast.net
Source : ARIN
Here is our log file, note that timestamps are AMERICA/NEW YORK time:
75.149.85.71 count: 29 /var/log/messages:Sep 2 08:44:53 myhost sshd[4767]: Did not receive identification string from 75.149.85.71 /var/log/messages:Sep 2 08:51:46 myhost sshd[5256]: Invalid user agent from 75.149.85.71 /var/log/messages:Sep 2 08:51:46 myhost sshd[5256]: Failed password for invalid user agent from 75.149.85.71 port 45944 ssh2 /var/log/messages:Sep 2 08:51:46 myhost sshd[5260]: Invalid user alan from 75.149.85.71 /var/log/messages:Sep 2 08:51:46 myhost sshd[5260]: Failed password for invalid user alan from 75.149.85.71 port 46020 ssh2 /var/log/messages:Sep 2 08:51:47 myhost sshd[5264]: Invalid user alex from 75.149.85.71 /var/log/messages:Sep 2 08:51:47 myhost sshd[5264]: Failed password for invalid user alex from 75.149.85.71 port 46033 ssh2
(truncated to post to /.)
Report sent to remote system admin on Thu Sep 2 08:52:03 EDT 2010
I just play a message telling the caller to press 1 to speak to me, wait 3 seconds then send them to the fax if they don't press any key. Actually, pressing any key routes the call to me. I swear, it is pretty efficient.
Playing the SIT tone (Zapateller) as you suggest might cause you to miss legitimate calls. In my case, the worst that happens is that legitimate callers have to call twice if they were distracted and not quick enough to punch in a key the first time.
If you do not have a fax, you could always put the caller on hold forever, if you are nice, you could even supply background music ;-)
I keep my cell phone number private, people dial my unique number to ring my home phone and cell phone at the same time so, in many years, the only phone spam I got was from my cell phone company dialing my cell phone number to offer me new features. Oh, I also got a few phone calls from small, local non for profit organizations that actually have a human dialing with a conventional phone.
Well, also, don't forget that the impact of EVs on the environment hasn't been fully evaluated yet IMHO.
I might switch some day. I may also skip a few releases wait until the product is stable enough to upgrade to a new version ;-)
It depends, I wouldn't say I am sure about this. Some believe that special conditions are needed in order for life to happen. Some even believe that some "special intervention" is needed, like in seeding a sterile environment with external input.
Look at this picture from Genesis "The trick of the tail". You can see a little flying creature spreading magic powder. That concept is also present in many religions and other old beliefs.
http://www.freecovers.net/view/1/9b3e9710ed9a387b99634457894ab03f/Genesis_-_A_Trick_Of_The_Tail_(2007_Remaster)-back.html
It depends on your definition of "human habitable". If you do not consider the moon human habitable nor any other planet where we would need artificial life support for us to survive there then: I believe some other forms of life should be needed for things like renewing the oxygen supply or otherwise, the planet would be habitable for a shorter period of time.
Without an ecosystem or an artificially generated environment to live in, I can't see how a planet could support human life for extended period of time.
Of course a colonization strategy could be valid too. We could bring with us other forms of life like plants, fishes, insects etc. in order to implant an ecosystem on a suitable planet.
> Plus, all intelligent races call their planet something
> that translates literally to "dirt" anyhow.
In English maybe...
But then again, some intelligent races do not speak English and I know a few languages where Earth doesn't translate to "dirt". Those languages are spoken right here on this very planet.
So please do not give any false impression about planet Earth to our new low gravity overlords.
I should have replied to parent but I try to avoid conflicts ;-)
So anyways; you were basically right in your GGP post. Never mind the RPC topic.
I have learned around 1990 (from people who had learned it before that date ) that RPC access should be filtered at the firewall + host level.
I am still using RPC because it is just to handy for some tasks and other people are doing it too.
Oh, and by the way, as I speak today; same goes for SMB shares and services (ports 137, 139, 445) even in a Microsoft only implementation environment. I made some money out of it (fixing things, of course).
So, I believe that it is fair to say that the two most prevalent alternatives are at par with regards to this topic (RPC vs SMB).
> completely unbreakable
By design, they are meant to be broken so why take a risk that brings you nothing when an easy alternative is available ?
There is many stories about encryption being broken and attackers taking advantage of it.
Only rely on encryption when you have no other choices. See poster below about best practices.
I learned rule 1 15 years ago. It seems like you are the smart ass ;-)
> but can affect other frameworks that use similar mechanisms.
Yep, JSF included apparently ;-)
Some people tend to forget rule 1...
I mean it must be just too easy to store a meaningless token in a cookie or hidden form field and to map it to something meaningful on the server. Why adopt the easy way when we can do more complicated stuff some would say ?
Not really ;-)
I remember freaking out when servlets and jsps came out and I realized that web.xml was by default right under the root directory of the site, right under WEB-INF. I thought back then that some implementation would screw up and make it readable.
The natural approach I was used to back then was to put httpd.conf in a directory that only root could read while apache would run under a different uid.
Still, never mind my fears from 10 years ago but I have never heard about a remote attacker managing to read web.xml although I would bet some implementation must have had that security hole.
So, short story, I was really looking for a case where a remote attacker managed to read web.xml although my quick search didn't reveal anything ;-)
> not a cookie, rather a hidden, encrypted field for storing state across postbacks
Thanks a lot for the clarification, it seriously helps me understand the problem better and I really mean it.
Now I will re-phrase my post:
WTF ?
Is this serious ? I thought rule 1 of using hidden form fields was to only put meaningless (OK: or already submitted data by the user) data into one. I am still having a hard time to believe this is occurring out of the box in an enterprise platform like ASP.NET.
A hidden form field in more or less the request scoped version of a cookie, never ever store your guts into one, no matter how well it is encrypted ! ;-)
WTF ?
Is this serious ? I thought rule 1 of using cookies was to only put meaningless data into one. I am still having a hard time to believe this is occurring out of the box in an enterprise platform like ASP.NET.
But, but...
Being an equal opportunity fan and enjoying playing the devil advocate, I went to search for an instance where a remote attacker could read web.xml to no avail.
web.xml is used by multiple application server implementations offering the most prevalent alternative to ASP.NET.
So did anybody ever heard of a security hole that allowed a remote attacker to read web.xml ?
Of course because 90% of routers, firewalls and mail servers have SPF built-in into them and hardwired in a way that it is impossible to disable.
Seriously about 50% of all domains use SPF.
On my small domains with a few machines, I do publish SPF records with a "-all" (dash) record but I do not use SPF directly to filter email. I give a small weight when SPF records do not match amongst a lot of other factors in order to make a decision whether an email is spam or not but I never block an email based only on SPF.
For big domains with multiple machines and customers who access the net in many different ways. Having an SPF record with "-all" is a guaranteed way to have your legitimate customer emails blocked at some point.
http://en.wikipedia.org/wiki/Sender_Policy_Framework
You may be right.
Apparently, NSA designed IPSEC and I did not see it mentioned even once in the article nor in the /. comments.
Very strange...
Of course simply using IPSEC wouldn't provide faster downloads but it could be virtually close to just as safe as a private physical network ;-)
WTF ?
http://en.wikipedia.org/wiki/IPsec