As long as my computer and the server I connect to are malware-free, asymmetric cryptography (public-private keys) prevents an attacker from eavesdropping on the session.
False assumption. The endpoint PC is compromised in way more cases than the middleman router.
Encryption alone buys us nothing. Or wait -- it buys us key management hell.
How does that relate to DRM? Even if it was pacman and even if *you* didn't like it the point is that there's now another company -- EA -- that adopted this DRM. They even sell it as one of the advantages of the game: "your experience points are constantly uploaded to our servers and travel with your profile wherever you play the game".
It's no longer about Ubisoft, the other companies want it and they want it bad. No matter how many people whine about it, somehow they think this is necessary.
That's why you set a screen password.
Control + A, : password ENTER
The attach cannot proceed without typing the password.
The password cannot be changed (for an already running session) without attaching first.
From the screen man page:
password [crypted_pw]
Present a crypted password in your ".screenrc" file and screen will ask for it, whenever someone attempts to resume a detached. This is useful if you have privileged programs running under screen and you want to protect your session from reattach attempts by another user masquerading as your uid (i.e. any superuser.) If no crypted password is specified, screen prompts twice for typing a password and places its encryption in the paste buffer. Default is `none', this disables password checking.
So what does screen actually do to protect the programs inside? I mean with the privileges to attach the screen and not knowing the pw, you usually also have the privileges to debug the bastard and skip the pw check altogether.
Fear of heights is influenced by your cognitive process. As a kid you did not fully realize the consequences of falling down, but as you grew older you learnt of them. The kid's mind is generally much more free due to lack of negative experience.
How true. In transport, crypto is almost futile nowadays (original SSH was deployed on coax ethernet networks where anybody could see your pw, today it's another story).
Authentication crypto has the burden of certificate management (do you verify fingerprints of each https site you visit?)
In the light of botnet compromises, crypto achieves precisely nothing (a bot-controlled agent can do/see exactly the same stuff as the local user).
Consumer crypto has mixed success stories (see GSM and satellite TV smartcards).
Static data crypto (on-disk) brings key management hassle (crypt the daily backup, but back up the keys to a different place) and opens a field for legislative battles (I give my disk key to my lawyer).
Finally, crypto of any kind itself is hard to get done right and bad crypto is worse than no crypto (Debian openssl epic fail). It requires powerful hardware. And of course, some enlightenment of the staff, tighter procedures, etc.
So crypto deployment is always to be weighed against these (and other) downsides.
If a public traceroute server is tracing to a private block, it won't be my private block, but some other use of the same range.
The point of that exercise is to see that not all of the routers are so vigilant. Plus there are things like source routing, ipip tunnels, and what not, all of those just begging you to abuse them. On some broadband/cable ISPs you can target your neighbor victim directly if you are lucky. Some time ago there was a presentation about hijacking cisco vpns (i can't remember more about it)... point being that there are lots of unforeseen ways to sneak into 'private address space'. A pure NAT router (without fw or source route checks) will just route packets to 10.0.0.0 like any other ones.
Most devices that do NAT would have to be specifically configured to allow this, by default they have an inbound deny rule. Even if they do, you've lowered your attack surface to things local to your ISP's router.
I don't know what the status quo is today but about a year ago I was still seeing ISPs giving out routers with very sick defaults. Wifi-able ones with even criminally sick defaults. Want free 'net? Go to some apartment building and ride someone's well-NATed connection.
Say I have 200 PCs behind a NAT box. Six of them have remote vulnerabilities. How can somebody in North Korea exploit those?
Well he can try one of the hacks above, maybe he gets lucky. If not, then the packet was dropped, which is the work of a firewall, not a NAT. He will then proceed to zombifying one of your secretaries' boxes (or worse, one of your executives' laptops) and then pwn the target from there, because the internal network will be insecure and open. What you should do is to put all devices that can't defend on their own onto a separate network segment and place at least a very restrictive firewall between that network and the rest of the world, including your corporate internal network. If you've already done that, then good work! You don't need NAT anymore, except if your ISP is not willing to give you enough IPs.
but also introduces a complexity in address rewriting and therefore might introduce a whole bunch of security issues on its own.
That's plausible. Do you happen to know of any examples?
Just google for 'nat vulnerability linux' for some. No piece of code is perfect and I would be very surprised if address rewriting ever worked flawlessly. In fact, Linux might be on the better side due to FLOSS, many commercial boxes might be even more Emmental-ish.
And of course the N:1 property alone of the NAT opens its own field of problems.
Quite so. But that doesn't mean NAT doesn't add to the total security.
It hardly does in the light of the hassle, the inherent issues, and potential can of worms effect.
Such an admin will then be horrified by the mere thought of having IPv6, since that would put all of his naked boxes right on the evil Internet without the condom of NAT, OMG!
And IPv6 has an abysmal adoption rate...
Well this is going to be a "me" comment; I adopted it as early as circa 2000 (I've still got the ip6.int file from those days;), and it hardly can be any problem today for a determined person. If your ISP sucks at IPv6, pick another one or dig a tunnel. Besides the original statement was not concerning IPv6 as such, but the fact that its implementation will expose the network to the 'net and thus drop any hopes for NAT being a security measure. North Korea can suddenly connect to your microwave, scary eh?
Actually there is one more common mentality problem here: "my OS supports ipv6, but I don't have ipv6 connectivity, so I need not bother with securing ipv6. right?"... wrong.;)
You can. I can. Aunt Myrtle can't. I for one am glad that most home users are behind NAT these days. It's better than nothing.
No. Aunt Myrtle is fine at her home with the modem in BRIDGE mode and with the default settings of her vi$ta PC. (Just as she clicks on the bench icon in the network setup wizard.)
And probably she's far better than a lot of the corporate users with their own "professional" IT staff.
That's great - your network is properly configured. Most aren't.
NAT isn't required, it just makes up for poor administration.
Bah. You just gotta love that attitude. Actually the most plain view of the NAT security is not the inbound firewall but the presumably unroutable private block that's behind it. "We can't do our work properly so we stick our gear where they can't attack it. After all, our network has private addresses so the evil asian guys can't get to it. Right? RIGHT?" Wrong.
Wrong in oh so many ways.
First off, private addresses are NOT unroutable, they just happen to be dropped on their way through your ISP (if they do their job properly). Just try a traceroute to a private address and see how far the trace gets. (And try it from a public traceroute server;) Try putting a server on the other side of your beloved NAT and you might just discover that you can ping into your private network.
Second, even if this works as advertised it does not pose any great advantage over a stateful firewall. To the contrary, NAT not only tends to fuck up many L4 protocols, but also introduces a complexity in address rewriting and therefore might introduce a whole bunch of security issues on its own.
The third problem is the NAT admin's typical mentality. People tend to satisfy themselves with such a global protection shield (tm) and neglect going into the detail of securing their private network properly. "LAN hosts" are often left with their own firewall off, with simple or even default admin passwords, a lot of non-pc appliances (printers, phones) left to their own fate etc. That just makes a perfect base for the all-or-nothing principle, which goes so against any security reasoning. Such an admin will then be horrified by the mere thought of having IPv6, since that would put all of his naked boxes right on the evil Internet without the condom of NAT, OMG!
Finally AND MOST IMPORTANTLY please ask yourself how much of the total security is provided by blocking inbound traffic. Most client boxes run absolutely no services (maybe ssh), even windows can have a great deal of its server capability disabled. Further, service exploits were the music of the early 2000s, by now almost all of the services can withstand direct exposure to the Internet (with the exception of silly newcomers). The real security threat comes from outbound connections, people going to nasty sites, or people going to legit sites (banks) with silly passwords, flipped staff, and so on and so on. The vast majority of compromised zombie machines is on broadband, which means a router with NAT or "stateful firewall".
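As an added illustration of the "it's the firewall, not the NAT, that drops the packet" argument above (example code written for this page, not anything posted in the thread): a toy router with one private LAN side and one public WAN side. The addresses, ports and the two router flavours are constructed for the demo. The only thing NAT alone refuses is a packet to the public address on a port with no mapping; a packet that arrives on the WAN side already addressed to the private block, or one that hits a guessed N:1 mapping, gets forwarded unless a stateful filter is in front of it.

```python
"""Toy model of a 'pure' NAT router next to one that also runs a stateful filter.

Added example, not code from the thread.  Addresses, ports and the routing
behaviour are constructed for illustration; it models one LAN side with a
private block and one WAN side with a single public address.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """LAN->WAN traffic gets N:1 source NAT.  WAN->LAN traffic is decided by
    ordinary routing; only with stateful_filter=True is the connection-tracking
    table consulted before anything is forwarded into the private block."""

    def __init__(self, wan_ip, lan_net, stateful_filter):
        self.wan_ip = wan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        self.stateful_filter = stateful_filter
        self._next_port = 40000
        self._snat = {}          # (lan_ip, lan_port) -> public port
        self._dnat = {}          # public port -> (lan_ip, lan_port)
        self._conntrack = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def forward(self, pkt, ingress):
        """Return (egress interface, packet) or ('drop', None)."""
        return self._from_lan(pkt) if ingress == "lan" else self._from_wan(pkt)

    def _from_lan(self, pkt):
        if ipaddress.ip_address(pkt.dst) in self.lan_net:
            return "lan", pkt                      # LAN to LAN, untouched
        key = (pkt.src, pkt.sport)
        if key not in self._snat:                  # allocate a public port
            self._snat[key] = self._next_port
            self._dnat[self._next_port] = key
            self._next_port += 1
        self._conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "wan", replace(pkt, src=self.wan_ip, sport=self._snat[key])

    def _from_wan(self, pkt):
        if pkt.dst == self.wan_ip:
            mapped = self._dnat.get(pkt.dport)
            if mapped is None:
                return "drop", None                # no mapping: nowhere to deliver
            lan_ip, lan_port = mapped
            if self.stateful_filter and \
                    (lan_ip, lan_port, pkt.src, pkt.sport) not in self._conntrack:
                return "drop", None                # mapping exists, but not this peer
            return "lan", replace(pkt, dst=lan_ip, dport=lan_port)
        if ipaddress.ip_address(pkt.dst) in self.lan_net:
            # A packet for the private block arrived on the WAN side (an upstream
            # that routes 10/8 our way, a tunnel, source routing, ...).  Routing
            # says that prefix lives on the LAN, so a pure NAT box sends it there.
            if not self.stateful_filter:
                return "lan", pkt
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._conntrack:
                return "lan", pkt
            return "drop", None                    # the firewall drops it, not the NAT
        return "wan", pkt                          # default route, not our concern


def demo():
    """Run the same four packets through both router flavours."""
    results = {}
    for stateful in (False, True):
        r = NatRouter("192.0.2.1", "10.0.0.0/24", stateful_filter=stateful)
        # 1. A LAN host opens an outbound connection; the reply comes back.
        _, out = r.forward(Packet("10.0.0.5", 51000, "203.0.113.10", 443), "lan")
        reply = Packet("203.0.113.10", 443, out.src, out.sport)
        # 2. A stranger aims at the public address on a port with no mapping.
        unsolicited = Packet("198.51.100.7", 1234, "192.0.2.1", 22)
        # 3. A stranger hits the mapped port: the N:1 mapping itself is the hole.
        guessed_mapping = Packet("198.51.100.7", 1234, "192.0.2.1", out.sport)
        # 4. A packet addressed directly to the private block arrives on the WAN.
        probe = Packet("198.51.100.7", 1234, "10.0.0.5", 22)
        results[stateful] = {
            "reply": r.forward(reply, "wan")[0],
            "unsolicited": r.forward(unsolicited, "wan")[0],
            "guessed_mapping": r.forward(guessed_mapping, "wan")[0],
            "probe_private": r.forward(probe, "wan")[0],
        }
    return results


if __name__ == "__main__":
    for stateful, res in demo().items():
        print("stateful filter:", stateful, res)
```

Running it shows the pure NAT box delivering both the private-block probe and the guessed-mapping packet into the LAN, while the box with the stateful filter drops them; the only case NAT alone blocks is the unsolicited packet to a port it has never mapped.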
Exactly. I have observed many times how even technical support people, admins, etc., that should be skilled at this, just dismiss any dialog window with the OK button without even reading it. You can't then wonder that the browser's security warnings are treated the same way. Hiding the OK button in dust like it has been done in FF3 is just futile.
TFA suggests countering brute force attacks with lockout mechanisms. I'm sure the users will be happy about not being able to log in just because their password was recently brute-forced. Any lockout mechanism is vulnerable to DoS, please remember that forever. And don't argue with IP address restrictions.
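An added worked example of the lockout-as-DoS point above (example code written for this page, not anything posted in the thread; the policy numbers, user name, addresses and the toy password store are constructed): a classic account-keyed lockout lets a stranger with five junk guesses shut the real owner out. Keying the counter by source address instead lets the owner in from another address, but still locks out anyone sharing the attacker's address (NAT, proxy), and an attacker with many addresses simply stays one guess below the threshold on each of them.

```python
"""Why an account-lockout rule doubles as a denial-of-service primitive.

Added example; not code from the thread.  The policy numbers, user name,
addresses and the toy password store are all constructed for illustration.
"""
from collections import defaultdict
import hmac

USERS = {"alice": "correct horse battery staple"}   # constructed toy store


class Lockout:
    """Lock after `threshold` failures inside `window` seconds, for `lock_for` seconds.

    per_source=False keys the counter by account only (classic lockout).
    per_source=True keys it by (account, source address).
    """

    def __init__(self, threshold=5, window=600, lock_for=900, per_source=False):
        self.threshold, self.window, self.lock_for = threshold, window, lock_for
        self.per_source = per_source
        self._failures = defaultdict(list)   # key -> timestamps of recent failures
        self._locked_until = {}

    def _key(self, user, src):
        return (user, src) if self.per_source else user

    def attempt(self, user, src, password, now):
        """Return 'ok', 'bad_password' or 'locked' for one login attempt."""
        key = self._key(user, src)
        if now < self._locked_until.get(key, 0):
            return "locked"
        recent = [t for t in self._failures[key] if now - t < self.window]
        if hmac.compare_digest(password, USERS.get(user, "")):
            self._failures[key] = []
            return "ok"
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.threshold:
            self._locked_until[key] = now + self.lock_for
            return "locked"
        return "bad_password"


def simulate():
    attacker, alice_home = "198.51.100.7", "203.0.113.20"   # constructed addresses
    out = {}

    # 1. Account-keyed lockout: five junk guesses and the owner is shut out.
    acct = Lockout()
    for t in range(5):
        acct.attempt("alice", attacker, "guess%d" % t, now=t)
    out["account_keyed_owner_login"] = acct.attempt(
        "alice", alice_home, USERS["alice"], now=10)

    # 2. Source-keyed lockout: the owner from her own address gets in ...
    src = Lockout(per_source=True)
    for t in range(5):
        src.attempt("alice", attacker, "guess%d" % t, now=t)
    out["source_keyed_owner_login"] = src.attempt(
        "alice", alice_home, USERS["alice"], now=10)
    # ... but anyone behind the same address as the attacker (NAT, proxy) is out,
    out["source_keyed_shared_address"] = src.attempt(
        "alice", attacker, USERS["alice"], now=11)

    # 3. ... and a botnet never trips the counter: threshold-1 guesses per
    #    address, from as many addresses as it has.
    bot = Lockout(per_source=True)
    guesses = 0
    for i in range(1000):
        source = "10.%d.%d.1" % (i // 256, i % 256)
        for _ in range(bot.threshold - 1):
            if bot.attempt("alice", source, "wrong", now=guesses) == "bad_password":
                guesses += 1
    out["unthrottled_guesses_from_1000_sources"] = guesses
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, "->", v)
```

The first result is the DoS the comment warns about; the last two are why "but we key it by IP" does not rescue the design.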
It's easy for people to compare things based on just one number, preferably in the bigger-is-better fashion. So cameras have megapixels, screens have diagonal size, CPUs have gigahertz or core count, and well, if all else fails, we can always return to the basics, i.e. penis length.
The patch mentioned in TFA does not fix the bug. The patches at the bottom of http://sota.gen.nz/compat2 are the correct ones.
Look at things they have done! Not just the outside, check the code, look at the database structures etc.
Especially look at how they write the automated tests, if they do so at all.
60 Check for typos 70 Check for grammar mistake
You must be new here...
Everyone focuses on Ubisoft but it should be noted that EA's latest Command & Conquer 4 has the same kind of DRM.
And they removed all the complaints from said page.
RTFM.
A change in velocity just changes the ellipse, but a constant acceleration will make you spiral outward.
With enough change your ellipse will break up into parabolic and then hyperbolic shape. You will not be orbiting anymore, instead you will fly away.
is not the whole solution.
I drop them at my firewall too.
I'm not quite sure why the body doesn't recognize these cells as "invaders" in the first place.
I'm not an immunologist, but I would guess it's because the cancer cells don't cause violent death (necrosis) of normal cells.
What's the point of zillion times zillion pixels when all you get is ugly polygons?
I won't buy it, then. Really, fuck US products. I don't need your music, software, cars, or internet. In fact, that includes Slas[NO CARRIER]
Actually what we don't need is another version of windows.
Leaves me wondering. How much did they pay for the IP rights and how much would they have cost if the company hadn't gone bankrupt?
This website is such a hack-job.
... and the jpeg artifacts, ouch!
First it was the space mirror/shade, then it was some reflective shit in the oceans, ... finally it will be to wearing silvery hats!
I wonder how much of the 16K went to teh windows license ;)
Hmm, it has worked for 5+ years for us, so I believe it's not as sucky as portrayed. Also note graphs is not the same as graphics.