Slashdot Mirror


User: khasim

khasim's activity in the archive.

Stories
0
Comments
5,818
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,818

  1. That is called "omniscience". on "Port Knocking" For Added Security · · Score: 1

    "Yes, it has. The hole you refer to was found and patched 5 months ago."

    True. But that demonstrates that SSH has had vulnerabilities. Therefore, having SSH running on your machine violates the original statement:

    "The point the grandparent is making is that you shouldn't be running insecure services on a public interface to start with."

    "Notice that I specified "PROPERLY CONFIGURED"."

    Notice that you will NOT always know whether there is a vulnerability. The day PRIOR to that announcement, you would have thought you were "PROPERLY CONFIGURED".

    "Even without the patch, a chrooted configuration would have limited the damage to denial of service at worst." :)

    And this is the justification for running port knocking. Because, to get the same level of security, you have to jump through all those hoops you mentioned.

    Instead, you could just use port knocking.

    "IPWrappers and IPTables are two other elements that should be used to restrict access to a critical ssh instance."

    And those are useful with port knocking as well.

    "Installing port-knocking software might guard against a hole in SSH, but it also opens up the possibility for a new hole in the port-knocker itself."

    Read the article. You'll see that the port knocking daemon doesn't face the outside. It reads the logs generated by the firewall.

    "While defense in depth is a good thing, adding additional layers also create the opportunity for new holes, especially when the new layer is unproven and experimental."

    While that is correct, in a general sense, it does not necessarily apply to port knocking in the specific sense. Port knocking is a very simple concept with a very simple implementation.

    It's all covered in the articles.

  2. Oooooh, you didn't read the article. on "Port Knocking" For Added Security · · Score: 1
    From the article:
    A user attempts to connect from IPC to the following firewall ports in sequence: 102,100,100,103. From the point of view of the user, the connections fail silently. On the firewall, though, the 102,100,100,103 number sequence has been recorded.

    Feb 12 00:13:26 ... input DENY eth1 PROTO=6 IPC:64137 IPF:102 ...
    Feb 12 00:13:27 ... input DENY eth1 PROTO=6 IPC:64138 IPF:100 ...
    Feb 12 00:13:27 ... input DENY eth1 PROTO=6 IPC:64139 IPF:100 ...
    Feb 12 00:13:28 ... input DENY eth1 PROTO=6 IPC:64140 IPF:103 ...

    The knock sequence appears in the firewall log, and the user has transmitted data across the closed ports.


    "SSH can be vulnerable to the same things - the point is you have to have something listening to the outside world if you want remote access, so either way you have to choose software that you trust. It's your choice to choose port-knocking."

    That was the whole point of the article. It is possible to transmit information ACROSS CLOSED PORTS. Your firewall is what is "listening". If your firewall is insecure then you have bigger problems.
  3. How do they attack it? on "Port Knocking" For Added Security · · Score: 1

    Okay, if it is insecure, how is it attacked?

    "The only real use for this is hiding the existence of ssh, if for some reason that is important to you. After that you can use ssh to hide everything else, since that is effective against sniffing."

    Or any other service that you don't want to be open to attack. Although running any other service through SSH would be a good idea.

  4. That's great. As long as SSH is secure. on "Port Knocking" For Added Security · · Score: 1

    "The point the grandparent is making is that you shouldn't be running insecure services on a public interface to start with."

    But you will never know whether any service is insecure or not. Even SSH has had vulnerabilities.

    http://www.nwfusion.com/news/2003/0917certwarns. ht ml

    "Security through obscurity is never a good choice."

    No, that isn't "security through obscurity". "Security through obscurity" refers to hiding how something is done, not the password (in this case, the knock sequence). The method for port knocking is known. What is not known is the password.

    "The only thing a port knocking scheme is good for is for concealement -- hiding the fact from a port-scanner that a port is open."

    It hides the fact that a service is running on the server by keeping the port closed until the password is issued. What's wrong with concealment? If they can't scan you, they probably won't try to attack you.

    "This makes is much more valuable for grey-hat and black-hat scenerios than it does for legitimate purposes."

    Rather, it makes it much easier and safer to remotely administer your machine than running that service with that port open.

    "If all you want is secure remote access, a properly configured SSHD on port 22 is secure enough."

    I've already shown that SSH has had vulnerabilities. You should not believe that SSH is secure.

  5. Slightly different. on "Port Knocking" For Added Security · · Score: 1

    Because, with this method, a scanner might not see anything there.

    No large concrete block to even indicate that something might be there.

    Just a featureless plain. You don't even know if there is something interesting there. You don't even know if there is ANYTHING there.

    Statistically, you'd more often be trying secret passwords where there wasn't even a server to hear you.

  6. Mod parent up! on "Port Knocking" For Added Security · · Score: 1

    Excellent description.

  7. Services listen on ports. on "Port Knocking" For Added Security · · Score: 4, Insightful

    It isn't the port. It's the service listening on that port.

    If the port is closed, then it is impossible to attack that service through that port.

    This process closes those ports.

  8. It is more secure. on "Port Knocking" For Added Security · · Score: 1

    Because instead of running the port open ALL THE TIME TO THE ENTIRE WORLD, it is only open for a short time to the address that correctly knocked.

    Which means that someone attacking your system has to have compromised your upstream so they can sniff your traffic.

  9. Neither. on "Port Knocking" For Added Security · · Score: 4, Insightful

    #1. DoS attacks - how is this different from any other DoS attack?

    #2. Sniffing the port knocks - to do this, you would already have to have the upstream compromised or be on some shared network.

  10. I agree, there is no problem. on Armoring Spam Against Anti-Spam Filters · · Score: 4, Informative

    He managed to, randomly, find words that were high in _HIS_ "ham" list.

    He could have saved himself a lot of time and trouble and just looked in that file.

    And that file will be different for EVERY installation. So the words he found ("Berkshire", "Marriott", "wireless", "touch" and "comment") would NOT get spam past MY filter.

    So, the spammers have to keep (and update) a word list for EVERY PERSON on their lists.

    Which means that, with an incredible amount of effort, the spammers will be able to get spam to the people least likely to purchase a product from a spammer.

    There is no problem.

  11. The easiest explanation. on Trojan Horse Caused A Siberian Explosion · · Score: 1

    "Yeah, that's exactly right: you don't work for the KGB, and have little idea what the paranoia of the Cold War was like, especially among the intelligence community. In any case, what do you think the KGB could say to their bosses? Yeah, we screwed up, and our own billion dollar pipeline created the largest non-nuclear explosion in history, OR those damn capitalist bourgeois pig Americans are responsible!!!! Which explanation will let you keep your life and your job?"

    Or the third option of finding some nobody working on the pipeline and blaming him for the explosion. If it even came back to the KGB to be investigated.

    The KGB seems to have been very effective. They turned a lot of US citizens. I don't see why they'd have to resort to blaming the US (even if, in this case, it was the US) for an error that might not even be associated with the KGB.

    Again, if a pipeline blew, I'd suspect user error first. No matter how paranoid I was. It was rather common for materials to be stolen or replaced with inferior ones.

    Anyone who was so paranoid as to suspect the US in such things would not be a very effective spy. He'd be seeing US activity in simple blackouts.

  12. Why did the Soviets suddenly suspect all tech? on Trojan Horse Caused A Siberian Explosion · · Score: 2, Interesting

    Even if true, they have ONE explosion and they suddenly suspect ALL the technology they've "stolen" from us?

    ""The pipeline software that was to run the pumps, turbines and valves was programmed to go haywire," writes Reed, "to reset pump speeds and valve settings to produce pressures far beyond those acceptable to the pipeline joints and welds."

    They even "stole" the software?

    "But all the software it had stolen for years was suddenly suspect, which stopped or delayed the work of thousands of worried Russian technicians and scientists."

    Personally, I would have suspected user error or home-grown sabotage first. But that's probably why I don't work for the KGB.

    "Farewell stayed secret because the blast in June 1982, estimated at three kilotons, took place in the Siberian wilderness, with no casualties known."

    Something blows up in the wilderness and they suspect stolen US technology was the culprit.

    "Now is a time to remember that sometimes our spooks get it right in a big way."
    -compare/contrast-
    "Col. Vladimir Vetrov provided what French intelligence called the Farewell dossier. It contained documents from the K.G.B. Technology Directorate showing how the Soviets were systematically stealing -- or secretly buying through third parties -- the radar, machine tools and semiconductors to keep the Russians nearly competitive with U.S. military-industrial strength through the 70's. In effect, the U.S. was in an arms race with itself."

    So, we have the FRENCH to thank for this success?

  13. Here are the ways you are wrong. on UserLinux Will Support KDE · · Score: 1

    "It doen't nessecarily have to fail, but corel already tried the same thing, with xandros continuing. History tends to repeat itself. I simply stated that having debian as a base is an old base, which you choose not to address."

    You are wrong about UL using an old base. Currently, it is using Debian Unstable. As I stated, Bruce has funding to continue development of UL. There is no reason (other than your claims) for Debian not to have current packages.

    "Desktop users like the latest, and debian isn't that."

    Yet corporations don't deploy the latest software. It seems that you're switching positions. A secretary will use whatever is put on her machine by the IT staff.

    "I've worked at eds, qwest and ibm to see first hand what locked down means. And an enterprise distro is targeted at exactly at those types of places. They don't want users making updates, which is my point about how having debian as a base wouldn't typically mean just apt-get in kde."

    But they you talk about a secretary running apt-get. Again, you keep switching your position.

    Now, for the IT department, installing KDE on 1,000 desktops WILL be as easy as apt-get.

    "Third party apps take years, and ul is alienating half. The odds are long."

    Whatever.

    "If you want a distro without users, of course not. Its developers and consultants who influence purchase orders. And if you accept that you don't want the help of people reading slashdot - the only ones who have even heard of ul - god bless."

    I've already explained who is the target market for this and how Bruce is trying to foster the growth of a "cottege industry" to support it.

    If that doesn't match you, then that doesn't match you.

    Now you seem to believe that you speak for everyone. That is not the case. As was pointed out in the article, Bruce already has a customer willing to pay for enhancements.

    You do not speak for everyone. Sorry to be the one to break that to you.

    "You're ideas are only good if you can convince other people about their merit, otherwise its engineering masturbation."

    And only time will tell whether other people buy into it. It's off to a start. Bruce has one customer already willing to pay.

    "From what I seen, corporate clients want it to work out of the box, exactly the same for thousands of users."

    From what I've seen, corporations WIPE the hard disks of the workstations they get and then INSTALL their own image. UL will fit perfectly with that practice.

    "And until ul gets oracle and websphere to run on it supported, which requires users, that's a lot of customization indeed."

    Now you've gone from secretaries and their workstations to SERVERS. I've been in a few Oracle deployments. They all required massive customization. The customization costs always cost more than the software licenses.

    So, you're saying that UL won't work until it can run out of the box without customization
    -but-
    UL won't work until it can run Oracle with a lot of customization.

    "That's harder still with pissed off kde users - of which half are in the meeting selling the next distro."

    That won't be a problem. If they're that annoyed that their favourite desktop is not shipped, then Oracle will end up running on a Sun and WebSphere will end up on an AIX box.

    "That's pretty far off. The freedom is there to design whatever you want, but that doen't mean I have to use it."

    No, you don't have to use it. But whether you do or do not, you are not everyone else.

    "Which is fine for ul too, if they prefer to only be a niche player. Anything else requires a broad appeal, and instead ul chooses to divide rather than unite."

    Here's a newsflash for you. Microsoft own 95%+ of the desktop. Yet Microsoft doesn't give you much choice in the desktop. And that doesn't seem to be hurting their sales any.

  14. Ah, the wisdom of the slashdotter. on UserLinux Will Support KDE · · Score: 1

    "Good luck basing a desktop distro off of something whose stable version is typically 1 1/2 years behind."

    Ummmm, I'm not sure I understand. UL will be based upon Debian. If you already believe that it will fail then why bring up any other points?

    "You forget that ul is an enterprise distro - its locked down."

    I don't see this written anywhere. In fact, I see specific references that contradict this. Bruce is hoping that a "cottage industry" will spring up that will write apps and do support for UL. That is not possible if it is "locked down" as you claim.

    "Try trainiing secretaries how to use apt-get."

    This contradicts the sentence preceding it. UL is "locked down" but secretaries will be upgrading it? Don't corporations have "IT staff" that would be doing that?

    "Think I'll promote a distro that choosen to ignore me? That's what red hat did, and I won't make that same mistake."

    As strange as it may sound, this is not about you.

    The "stuck in the Windows world" comment was about your seeming inability to understand that it is possible for vendors to customize software for corporate clients.

    And you still seem to be stuck in that mindset. This is based upon your comments about "locked down" and secretaries using apt-get and how debian stable is so out of date and how you won't promote a distro that will ignore(?) you.

    That might fly in the Windows world, but not in the Linux world.

    Bruce releases UL with a limited set of supported apps. Anyone can use UL like this.

    Bruce also has funding to work on contiued development of UL. So updated versions will be available. And anyone can use the updated versions.

    Bruce will also sell support to any company that wants different features or packages.

    The licensing will be such that other companies can also sell support adding features or packages.

    You can even add features or packages if you want to. Just not to the core UL distribution.

    The licensing will be such that other ISV's can write and sell apps that run on UL. Those ISV's can sell support for the apps they've written that run on UL.

    Because the development is Open, those other companies and ISV's that are providing support will be able to stay current with UL.

    Now, the problem I see is that you and so many others are under the impression that if someone isn't doing the work for you and for free, that they're somehow limiting your choices.

    That isn't the case.

  15. I still don't see that. on UserLinux Will Support KDE · · Score: 1

    I do see Bruce talking about how he would like a "cottage industry" to write apps for UserLinux.

    But I do not see anywhere where he says that QT could not support this.

  16. It's very simple. on UserLinux Will Support KDE · · Score: 1

    #1. UL will not include KDE.

    #2. UL will be based upon Debian.

    #3. Because UL is based upon Debian, it will be very easy to add KDE packages.

    #4. Some companies will want to pay for support to get what they want.

    You've been stuck in the Windows world for too long. In a truly competitive market, 3rd parties would be able to package the OS to meet the customer's requirements. Bruce's company (not UserLinux) is offering that service, for a price.

  17. I don't see any change in his position. on UserLinux Will Support KDE · · Score: 3, Insightful

    His COMPANY is willing to provide KDE on UL for a PAYING CUSTOMER.

    He is NOT saying that KDE will be included with UL.

    He never said that KDE could NOT support a "cottege industry". What he had said was that he wanted to give anyone setting up a "cottege industry" the option to do so without having to pay any license fees to anyone.

    He never said that QT wasn't free. He said that, in this instance, he wanted the LGPL instead of the GPL. Again, this is for his "cottege industry".

    He has still NOT changed his choice to limit the software included in UL. He still isn't including KDE, but his company will add it on FOR A PRICE.

    Hey, if you don't like UL, then don't use it. If it was based on poor choices, then it will fail.

    For my part, seeing that Bruce ALREADY has a PAYING CUSTOMER lined up for his company, it seems he has made the correct choice. Bruce will have credibility amongst the people who use UL. I'm sure he doesn't lose any sleep over what other people think.

  18. Mod parent up! on UserLinux Will Support KDE · · Score: 1

    Finally someone understands what "Open Source" means.

    If Bruce won't include KDE with UL, that does not mean that other people cannot do so.

    All that this article is saying is that a CUSTOMER will be PAYING Bruce to do some ADDITIONAL work for that customer that is above and beyond what you get with stock UL.

    And there was never ANYTHING said about UL that would have prevented anyone else from doing the same thing for any other customer.

  19. He now claims that he is. on Three Blind Phreaks · · Score: 1

    But he won't name anyone involved or show any code.

    Personally, I won't believe it until I see it. Not to mention that I would NOT trust a firewall written by a convicted criminal UNLESS it was Open Source.

  20. You don't have to be blind to do that. on Three Blind Phreaks · · Score: 1

    As long as you have normal hearing, you can learn to do so. There are only a dozen tones you need to distinguish. You can easily learn it by working on one tone a day and be done in less than 2 weeks.

  21. Mod parent up. on Three Blind Phreaks · · Score: 1

    Would they still be as cool if they were 3 blind spammers?

  22. Yep, you can. on Microsoft-Funded Linux Studies Benefit ... Microsoft · · Score: 1

    But are you going to tell me that that is a good way of fixing an app that doesn't work on Windows? Just copy the registry settings from a working machine? :)

  23. Re:The terms don't matter. on Part of Patriot Act Ruled Unconstitutional · · Score: 1

    The main issue here is what it would take to convince you that there wasn't a conspiracy.

    I don't believe that is possible.

    Therefore, you're a conspiracy nut.

    And a conspiracy nut will find "evidence" anyplace he looks. And it will all sound "reasonable" and "plausible" to him.

    "A conclusion which would also implicate the Clinton administration which made the exact same claims."

    Yep, a conspiracy nut. Who cares about Clinton?

    But, to a conspiracy nut, claiming that someone else believed something similar is "evidence".

    And nothing will ever convince a conspiracy nut that there wasn't a conspiracy.

  24. Wow, an un-named company with a pseudonym poster. on A Thoughtful Look at Indian Outsourcing · · Score: 1

    Care to identify which company and which plant?

  25. Re:The terms don't matter. on Part of Patriot Act Ruled Unconstitutional · · Score: 1

    "I did not claim such a thing, I merely said it was PLAUSIBLE and that there was a quantity of inconclusive evidence to that effect."

    Hold it. That is NOT what you said. From your FIRST post in this thread:

    And I think it is still likely that Iraq's support for terrorism included at least a nascent relationship with Al Queada.

    Nascent [adj]; coming into existence; "a nascent republic"

    "It's not that I am sure that such a thing happened, that it is a FACT, it is that I think it is something that cannot be dismissed as a possibility, even a probablity."

    Again, I will point out that that same "evidence" was used to claim that Iraq could launch "WMD's" in 45 minutes.

    With the WMD's at least it is possible to convince a reasonable person (even David Kay) that none exist nor existed.

    The lack of evidence will not convince you. The historical record will not convince you. NOTHING will convince you. To you, it will always be PLAUSIBLE and even PROBABLE to use your own words.

    And when NOTHING will convince you that you are wrong, that is the definition of a conspiracy nut.