I had to part with my 15 inch titanium powerbook Sunday and they said it would take two weeks to get it back. It's a really slick process when you have something wrong with your machine. I called support and said um.... ya it doesn't turn on and he said you live close to an apple store would you like to drop it off for them to diagnose it. So I said sure and he set me up a "Genius Bar" appointment while I was on the phone. I showed up and they called my name ran a bunch of diagnostics and said yep... it's broke. So I cried a little bit until he pried it out of my hands.
But I didn't let that stop my Mac fever, oh no! I have been wanting a Mac Mini for awhile and now had a perfect reason/excuse! So I bought the Core Duo and headed home to set it up and continue feeding my addiction.
It's really funny, I used to make fun of Mac users because it was so cult like, but then OS X came out and all the suck went away and I got drawn towards the light. I guess long story short, you can put me on the list of people that wouldn't want to be without mine for an extended period. All my windows boxes are gone, it's just my PB and my linux firewall/fileserver/proxy/dev/dhcp/ntp/Myth Tv/asterisk server. And I guess the new family member my Mac Mini.
I remember back when Netscape was what you used on Linux or the alternative.... lynx, ya right. I had a Sun Ultra 5 in my lab that I installed IE for Solaris on and pulled x sessions from it so that I could surf on what at the time, was the best browser out there. Ah memories... now I avoid IE like the plague, interesting how things have changed.
Now I use firefox on my PowerBook and all is happy in the world, except for a couple of websites that I have to pull TS sessions and use IE for, because IE for the mac doesn't work with them. So this announcement is just the final nail in the coffin for a browser fork that has been slowly dying for years.
I am wondering if somehow you have slept through slammer, blaster, and all the ones in-between, there is no magic flag in ANY compiler that will protect you from security flaws. Microsoft has always had these little feel good buttons in their products, just like the "safe for scripting" option that you can set when writing active x components... Well it must be safe, the guy that wrote it clicked the box...
The only answer to these problems is developer education, always always always vet input from outside sources, don't trust "client" input.
Another thing that will help is heavier use of either loosly types languages where you don't set your buffer length or languages that have very flexible array and string memory management that happens behind the scene, no more malloc.
And as for your comment on code reuse is not good for security, that is a very narrow and IMHO ignorant view. I understand the concept of defense in depth but I don't think your infinite monkey's approach to software bugs is it. You would rather have hundreds of independant implementations of an algorithm floating around your enterprise which will all have their own unknown (to you) flaws which could be exploited by any teenager with some spare time (summer break) and a book on smashing the stack.
My preference would be a handful of implementations (not everyone is going to use the norm) so that I can better understand the threat posture posed by the released flaw and formulate a sensible remediation plan.
Actually you are wrong. Many of the pieces of malware I have reverse engineered have had a "self-destruct" mechanism built in which basically just deleted the exe and any registry entries associated with starting the malware. Not exactly massive amounts of code...
As soon as you find the magic word to make the bots respond to you (which can be difficult at times, some of the malware writers are pretty sneaky) shutting a botnet down can be as simple as logging into the irc server and appropriate channel and typing a couple of words. The problem comes in when the botnet owners are keeping close tabs on the channels and ban any clients that don't behave just right. At that point you have to go to the trouble of having your irc client mimmic the behavior of the botnet clients so that you will go unnoticed long enough to get the information you need to shutdown the botnet.
Having worked on very large networks, you can tap feeds where millions of emails go by per hour, do you really think anybody is going to take the time to track down your email? The key word in that quote is flows if you are going to try and get anything useful out of high speed links something like NetFlow is one of the best ways. Botnets are very easy to track this way as you are looking for lots of sources contacting a few destinations. There are not alot of systems on the network that maintain tens of thousands of sustained connections from remote systems scattered around the globe. They would stand out for that reason, email, web etc... they are all connect, grab what you want, and disconnect. With most of the botnets the compromised hosts "idle" in the botnet channels either providing information from the compromised hosts or waiting for commands from the owners of the network.
I bet people would like to be able to read it or even search it off of the DVDs, which means storing it in bz2 format on the DVD is probably a BAD idea... So yes it's only 585 megs when bzip2'd but that isn't a very friendly format to deal with.
Re:Both statements are fine -- salt explained
on
SHA-1 Broken
·
· Score: 4, Insightful
Actually most implementations store the salt along with the hash, so that you can move passwords from system to system, systems like nis, certain ldap implementations (read: not Active Directory), etc... wouldn't function if it was a per server salt. It is also much better to come up with a new salt for each password. The main purpose for this is to prevent pre-computed hash tables from being effective. Long live LANMAN:)
Re:May be a big deal...
on
SHA-1 Broken
·
· Score: 1
This may be my ignorance showing but if someone is really worried about secure signatures, couldn't they just throw out a hash from 5 of your favorite algorithims to store as the signature? What are the chances that you could find a collison that would work in MD5, SHA-1, Whirlpool, HAVAL256 and Tiger?
Re:Not a problem (yet)
on
SHA-1 Broken
·
· Score: 0
You have a bit of a logic flaw in your comment.
Snippet 1: The attack does only one thing: allows an attacker to generate two streams of data which hash to the same value Summary: It lets you make up bogus data with an identical hash
Snippet 2: this attack does not allow an attacker to... generate another password that would hash to the same value as yours. Summary: You can't come up with data that will hash to the same value
Those two statements don't go together either it does let you create identical hashes for different data or it doesn't.
If your password
foobizbang
hashes to <insert long string here> and I find a collision using this attack then I can enter my collision
a@#K$jjfksl
at the login prompt and gain entry as the hash of my password will match the stored hash of your real password.
Actually alot of times it's not about feel the need, it can actually be against code. The kill switches in raised floor space are supposed to do exactly that. Kill ALL power in the room in the case of an emergency. If you have in rack UPSs that are not hooked into that kill circuit, you have made that emergency off ineffective.
I am sorry if this is a stupid question, but, what is the ribbon made out of? I know there has been much talk about carbon nanotubes being used for the ribbon material in the real deal. I guess where I am really going with this is, what is the signifigance of this goal? I am not trying to downplay any part of what you have done, I just simply don't know enough about the project as it stands today.
I'm not Microsoft so I can't say there is no problem for OWA but the whole idea behind OWA is that it uses the user's kerberos ticket and is "trusted for delegation" and contacts exchange with that kerberos ticket to retrieve the mailbox requested. Just "exploiting" the pathing problem won't give you access to anything within exchange.
At least this is how I remember it working, someone please correct me if I am wrong.
P.S. - I am not a microsoft supporter, I am a security guy by profession, and they have caused numerous headaches for me. But this doomsday talk is just silly. Do we need to stop and enumerate the vulns that have been seen in open source alternatives? How about back when php didn't make you distinguish between user variables and server side variables, ya that was secure. And if you tried to look up info on any of the frameworks that are within light years of asp.net (good luck finding them) you would find vulns in them as well. ASP.NET so far has fared really well, do I think this is an amature mistake to miss, yes, do I think it's as dramatic as you make it out to be, no.
My first thought when I was reading that was "Why is it a news story that somebody trained 600 white people? And I wonder what they trained them to do?" Silly me...
Yes, they may take a little longer to type, but they are virtually uncrackable and if people would settle on an authentication method, wouldn't have to be typed very often. A passphrase as simple as "I love my children" is unbelievably hard to break compared to l0vch1ldn. Most modern systems are capable of very long "passwords" which we should start calling "pass phrases" and move the expiration time up to 3-6 months. As long as you are not passing them in the clear or writing them down, which is alot easier when you are using a phrase, there isn't much chance of it being compromised.
Oh Ya! well I have a n 8.1 system.... we could go on with this all night, seriously. What other than stroking your ego did your post do? I think I will re-iterate the previous posters point and while I am at it add 2.0 and put a $$ figure on mine. *ugh*
You can't be ignoring the crucial detail that there must be a reason they are spamming from China right? As with most things in life, the path of least resistance is often chosen. If China ISPs cared, they could reduce the attractiveness of their IP space to spammers. And it seems that that is now the case. Also, you realize you are talking to people who can't actually effect change right? While I wish there was currently a better solution than massive iptables scripts on my mailservers, there just isn't... The numbers don't lie, here is the count of spams blocked since May 23rd on my smallest mailserver:
grep "DPT=25"/var/log/messages |wc -l
932
I will be VERY pleased when I don't have to segregate port traffic based on it's country of origin, but until I see some change, the blocks are staying in place. Luckily I log all dropped connections from those IP ranges to port 25, so I will know when it's safe to open the doors again.
Cisco is far from the #1 security company. There has been very little emphasis on security at Cisco until the last few years. As would be evident if you have used any of their products. 90% of their products don't come standard with SSH, they all still use telnet. But for an extra fee you can install SSH, that is if you buy enough ram for the router to support that code load...
I think Cisco is working to change their security stance but, that takes time and lots of money. The money part they have covered, Cisco has an over 3 billion dollar R/D budget and if I remember correctly 2 billion of that is focused on security right now.
Yes, it's true that it has that many transistors BUT, only 29 million of them are part of the core, the rest is memory. The transistor count on the video cards does not count the ram.
Writing the virus itself, or the glue if you will, isn't the hard part. It's getting the exploit right so it will work on all SP levels and across multiple platforms (XP, 2K, etc...) The universal exploit code was made public either late night on the 28th or sometime early on the 29th.
So the turnaround time on wrapping that public exploit code into this worm was far from 18 days.
Many people here are talking about the length of time it takes to brute the password. I saw a demonstration of the asleap tool about 1/2 a year ago and it took 15 seconds to reveal the password. Something you need to keep in mind is the fact that there is no salt involved in the password hash for LEAP. So a precached hash of the possible passwords is very easy. All you need is lots of disk space and a well written index of the hashes.
There are quite a few others that are saying well thats only if you let your users pick bad passwords... Come on guys, have you actually worked in the real world? Normal users can't remember crazy passwords, they are going to pick their dog and their favorite football player's number put together. Or their aniversary and the current food they are eating.
Keeping a dictionary of enough passwords to get into the network would be trivial. All you need is one user with a weak password to get in, after that who cares how strong the rest are.
Slashdot Mirror
I had to part with my 15 inch titanium powerbook Sunday and they said it would take two weeks to get it back. It's a really slick process when you have something wrong with your machine. I called support and said um.... ya it doesn't turn on and he said you live close to an apple store would you like to drop it off for them to diagnose it. So I said sure and he set me up a "Genius Bar" appointment while I was on the phone. I showed up and they called my name ran a bunch of diagnostics and said yep... it's broke. So I cried a little bit until he pried it out of my hands.
But I didn't let that stop my Mac fever, oh no! I have been wanting a Mac Mini for awhile and now had a perfect reason/excuse! So I bought the Core Duo and headed home to set it up and continue feeding my addiction.
It's really funny, I used to make fun of Mac users because it was so cult like, but then OS X came out and all the suck went away and I got drawn towards the light. I guess long story short, you can put me on the list of people that wouldn't want to be without mine for an extended period. All my windows boxes are gone, it's just my PB and my linux firewall/fileserver/proxy/dev/dhcp/ntp/Myth Tv/asterisk server. And I guess the new family member my Mac Mini.
I remember back when Netscape was what you used on Linux or the alternative.... lynx, ya right. I had a Sun Ultra 5 in my lab that I installed IE for Solaris on and pulled x sessions from it so that I could surf on what at the time, was the best browser out there. Ah memories... now I avoid IE like the plague, interesting how things have changed.
Now I use firefox on my PowerBook and all is happy in the world, except for a couple of websites that I have to pull TS sessions and use IE for, because IE for the mac doesn't work with them. So this announcement is just the final nail in the coffin for a browser fork that has been slowly dying for years.
R.I.P.
The movie isn't very good, but I have a huge thing for Claire Forlani so the movie always seems ok when I watch it :)
I saw this movie once...
I am wondering if somehow you have slept through slammer, blaster, and all the ones in-between, there is no magic flag in ANY compiler that will protect you from security flaws. Microsoft has always had these little feel good buttons in their products, just like the "safe for scripting" option that you can set when writing active x components... Well it must be safe, the guy that wrote it clicked the box...
The only answer to these problems is developer education, always always always vet input from outside sources, don't trust "client" input.
Another thing that will help is heavier use of either loosly types languages where you don't set your buffer length or languages that have very flexible array and string memory management that happens behind the scene, no more malloc.
And as for your comment on code reuse is not good for security, that is a very narrow and IMHO ignorant view. I understand the concept of defense in depth but I don't think your infinite monkey's approach to software bugs is it. You would rather have hundreds of independant implementations of an algorithm floating around your enterprise which will all have their own unknown (to you) flaws which could be exploited by any teenager with some spare time (summer break) and a book on smashing the stack.
My preference would be a handful of implementations (not everyone is going to use the norm) so that I can better understand the threat posture posed by the released flaw and formulate a sensible remediation plan.
Actually you are wrong. Many of the pieces of malware I have reverse engineered have had a "self-destruct" mechanism built in which basically just deleted the exe and any registry entries associated with starting the malware. Not exactly massive amounts of code...
As soon as you find the magic word to make the bots respond to you (which can be difficult at times, some of the malware writers are pretty sneaky) shutting a botnet down can be as simple as logging into the irc server and appropriate channel and typing a couple of words. The problem comes in when the botnet owners are keeping close tabs on the channels and ban any clients that don't behave just right. At that point you have to go to the trouble of having your irc client mimmic the behavior of the botnet clients so that you will go unnoticed long enough to get the information you need to shutdown the botnet.
Having worked on very large networks, you can tap feeds where millions of emails go by per hour, do you really think anybody is going to take the time to track down your email? The key word in that quote is flows if you are going to try and get anything useful out of high speed links something like NetFlow is one of the best ways. Botnets are very easy to track this way as you are looking for lots of sources contacting a few destinations. There are not alot of systems on the network that maintain tens of thousands of sustained connections from remote systems scattered around the globe. They would stand out for that reason, email, web etc... they are all connect, grab what you want, and disconnect. With most of the botnets the compromised hosts "idle" in the botnet channels either providing information from the compromised hosts or waiting for commands from the owners of the network.
I bet people would like to be able to read it or even search it off of the DVDs, which means storing it in bz2 format on the DVD is probably a BAD idea... So yes it's only 585 megs when bzip2'd but that isn't a very friendly format to deal with.
Actually most implementations store the salt along with the hash, so that you can move passwords from system to system, systems like nis, certain ldap implementations (read: not Active Directory), etc... wouldn't function if it was a per server salt. It is also much better to come up with a new salt for each password. The main purpose for this is to prevent pre-computed hash tables from being effective. Long live LANMAN :)
This may be my ignorance showing but if someone is really worried about secure signatures, couldn't they just throw out a hash from 5 of your favorite algorithims to store as the signature? What are the chances that you could find a collison that would work in MD5, SHA-1, Whirlpool, HAVAL256 and Tiger?
Snippet 1:
The attack does only one thing: allows an attacker to generate two streams of data which hash to the same value
Summary: It lets you make up bogus data with an identical hash
Snippet 2:
this attack does not allow an attacker to
Summary: You can't come up with data that will hash to the same value
Those two statements don't go together either it does let you create identical hashes for different data or it doesn't.
If your password hashes to <insert long string here> and I find a collision using this attack then I can enter my collision at the login prompt and gain entry as the hash of my password will match the stored hash of your real password.
Actually alot of times it's not about feel the need, it can actually be against code. The kill switches in raised floor space are supposed to do exactly that. Kill ALL power in the room in the case of an emergency. If you have in rack UPSs that are not hooked into that kill circuit, you have made that emergency off ineffective.
I am sorry if this is a stupid question, but, what is the ribbon made out of? I know there has been much talk about carbon nanotubes being used for the ribbon material in the real deal. I guess where I am really going with this is, what is the signifigance of this goal? I am not trying to downplay any part of what you have done, I just simply don't know enough about the project as it stands today.
I'm not Microsoft so I can't say there is no problem for OWA but the whole idea behind OWA is that it uses the user's kerberos ticket and is "trusted for delegation" and contacts exchange with that kerberos ticket to retrieve the mailbox requested. Just "exploiting" the pathing problem won't give you access to anything within exchange.
At least this is how I remember it working, someone please correct me if I am wrong.
My first thought when I was reading that was "Why is it a news story that somebody trained 600 white people? And I wonder what they trained them to do?" Silly me...
Yes, they may take a little longer to type, but they are virtually uncrackable and if people would settle on an authentication method, wouldn't have to be typed very often. A passphrase as simple as "I love my children" is unbelievably hard to break compared to l0vch1ldn. Most modern systems are capable of very long "passwords" which we should start calling "pass phrases" and move the expiration time up to 3-6 months. As long as you are not passing them in the clear or writing them down, which is alot easier when you are using a phrase, there isn't much chance of it being compromised.
Oh Ya! well I have a n 8.1 system.... we could go on with this all night, seriously. What other than stroking your ego did your post do? I think I will re-iterate the previous posters point and while I am at it add 2.0 and put a $$ figure on mine. *ugh*
You can't be ignoring the crucial detail that there must be a reason they are spamming from China right? As with most things in life, the path of least resistance is often chosen. If China ISPs cared, they could reduce the attractiveness of their IP space to spammers. And it seems that that is now the case. Also, you realize you are talking to people who can't actually effect change right? While I wish there was currently a better solution than massive iptables scripts on my mailservers, there just isn't... The numbers don't lie, here is the count of spams blocked since May 23rd on my smallest mailserver:I will be VERY pleased when I don't have to segregate port traffic based on it's country of origin, but until I see some change, the blocks are staying in place. Luckily I log all dropped connections from those IP ranges to port 25, so I will know when it's safe to open the doors again.
Cisco is far from the #1 security company. There has been very little emphasis on security at Cisco until the last few years. As would be evident if you have used any of their products. 90% of their products don't come standard with SSH, they all still use telnet. But for an extra fee you can install SSH, that is if you buy enough ram for the router to support that code load...
I think Cisco is working to change their security stance but, that takes time and lots of money. The money part they have covered, Cisco has an over 3 billion dollar R/D budget and if I remember correctly 2 billion of that is focused on security right now.
What do you expect, he's a phd, you can't expect him to be based in the real world...
Yes, it's true that it has that many transistors BUT, only 29 million of them are part of the core, the rest is memory. The transistor count on the video cards does not count the ram.
Writing the virus itself, or the glue if you will, isn't the hard part. It's getting the exploit right so it will work on all SP levels and across multiple platforms (XP, 2K, etc...) The universal exploit code was made public either late night on the 28th or sometime early on the 29th.
So the turnaround time on wrapping that public exploit code into this worm was far from 18 days.
Many people here are talking about the length of time it takes to brute the password. I saw a demonstration of the asleap tool about 1/2 a year ago and it took 15 seconds to reveal the password. Something you need to keep in mind is the fact that there is no salt involved in the password hash for LEAP. So a precached hash of the possible passwords is very easy. All you need is lots of disk space and a well written index of the hashes.
There are quite a few others that are saying well thats only if you let your users pick bad passwords... Come on guys, have you actually worked in the real world? Normal users can't remember crazy passwords, they are going to pick their dog and their favorite football player's number put together. Or their aniversary and the current food they are eating.
Keeping a dictionary of enough passwords to get into the network would be trivial. All you need is one user with a weak password to get in, after that who cares how strong the rest are.
You mean just like msnbc which covers all the anti microsoft stories just like the rest of the media?