As usual the slashdot editors have gotten it completely wrong. The flaw is NOT in the protocol. It is in the implementation. When checking CBC (Cyclic Block Chaining) packets for errors (i.e. the kind created by a man in the middle attack) two error checks are done. If the first one fails a reply is sent, if the first one passes and the second one fails the same error is sent, but of course it takes a bit longer then if the error had been triggered by the first error check. This allows an attacker to replay data from another users session against the server, creating errors, by knowing which of these errors occured they can mount an adaptive attack and home in on the data. This attack requires an attacker to be able to monitor data between a client and server, as well as establish a connection with the server.
The fix is pretty trivial, the second error check is done even if the first fails, thus removing any time based information (i.e. data takes about the same time to traverse both checks whether it fails the first or second one), thus denying the attacker the needed information. Fixed versions of OpenSSL have already been released. For more information please see OpenSSL Security Advisory [19 February 2003].
As a further note the BBC article is wrong, the quote "It is the first time we have noticed a security problem in the SSL protocol itself and not in how we use it or how we implement it" is either a misquote or flaw. If the flaw were in the protocol itself the solution would not consist of a 30 line patch to OpenSSL's error checks.
Actually 64 bit memory space + 128 bit ip address +64 bits for the port number, you don't send data to IP's, you send data to IP:port combinations (even with ICMP folks, you have a type code). So in a way yes that would sort of make sense in a twisted way.
Most major vendors (with the notable exception of Debian =( ) sign packages using GNuPG. You can check these signatures using rpm. There is no need to get Eric raymond to sign stuff (and he's supposed to read all the source code, then build all the packages on his own machines? excuse me?). I suggest reading the following two security advisories, which point out some mistakes that have been made, and one possible attack, but also largely corrected by vendors, and can be easily verified by users with minimal effort.
Well, the Internet for one. Wouldn't really exist or work that well without BIND (opensource), Sendmail (the killer app, opensource), NCSA httpd and mosaic (the next killer app, you know, all that "web enabled" stuff).
OpenSource has more then a few times created new markets, like UNIX (if bell hadn't shipped source code around no-one would have improved it much and it would have stagnated). Like the Internet, imagine if we were stuck trying to use protocols like DECNET to try and network a few hundred million machines together. Like all these nifty information transfer protocols such as email, www, and so on.
AES is another good source, the development was done as an open call, everything had to be out in public, license free so it could be widely adopted if it won, etc. DES on the other hand was developed by IBM (as a 128 bit originally) and later gutted by the NSA to 56 bits, as well as having the S-boxes modified (making them stronger we are told...). This time around AES is done completely out in the open and people have a lot more trust in the process, and the resulting algorithm. AES is going to be encrypting data communications from money transfers to your network traffic for the next 20-40 years, a decidedly non trivial responsibility.
Well there are programs like visio which will do discovery and generate pretty maps, but they use strange formats. XML is a good candidate, you could define various network objects like hosts and links and then have a parser tie them together. Of course things may get "messy" if you have a complicated diagram, rendering it based on XML data could be difficult, whereas simply defining a picture looks nicer. The advantage of XML defined data is that automatically generating it would be relatively simple (feed in multiple traceroutes for example).
Yes, so he can run the business side of ARIS and their other products. They are not "quiting", they are simply not working on the free side of securityfocus anymore (imagine that, a.com company that places a degree of importance on making money).
Bugtraq is probably the best security mailing list around. However while the quasi-founder (technically Aleph1 didn't start Bugtraq as I was surprised to find out) is quite prominent online I wasn't able to find any detailed information about him or Bugtraq (except for one old interview). So here for you to enjoy is an interview with Aleph1.
Kurt: Where does the name Aleph1 come from?
Elias: Its comes from transfinite mathematics. There exists many "infinite" numbers or sets. The first infinite number is small omega or alef null. It is also called countable infinity. Many infinite sets can be mapped one-to-one with each other. For example, the set of all natural numbers can be mapped one-to-one with the set of odd natural numbers. Yet one is a subset of the other. Both these sets are said to have a cardinality of alef null. Alef One is the first cardinal number after alef null (i.e. the first set that cannot be mapped one-to-one to a set of cardinality alef null).
"In my Finance course, I learn how to balance a corporate stock portfolio, but I have no clue how to start a business or pay my employees.
Ask how to do it. As far as stock goes if you are even reasonably succesful chances are you will own stocks. This kind of education will be invaluable later on.
In my System Analysis & Design course, I spend 3 hours constructing data-flow diagrams, entity-relationship diagrams, and Ghantt charts for programs that take around an hour to code!
And of course you code this in an hour with no logic or symantic mistakes, etc. Do you always want to be a programmer doing the gruntwork? I doubt that. Learning how to design and document programming tasks will get you a lot farther then just being a code monkey. Plus I rather doubt you can find a job that consists of programming tasks that all take an hour or so.
In my Management course, my professor discusses techniques for being an effective CEO, but I don't even know how to manage a few subordinates, much less an entire company.
You have to start somewhere (macro to micro verses micro to macro, most techs seem to prefer micro to macro oritnetation). Plus knowing how management manages will give you a much better understanding of why they do things. You will not be a manager for some time, and managing is also heavily dependant on people skills, something that cannot be taught, they must be practiced.
In my MIS course, we learn about client-server technology, but when I ask if my peers have tested their web pages on Macintosh, they reply, "Why would I have to do that?" Most of them don't even think of Linux as an operating system, but more as a hacker's toy. Forget about asking them to make it Mozilla or Lynx compatible. They don't want to waste their time. But the University will make sure it is ADA compliant, since any institution that receives federal funding must require this...
I fail to see what testing webpages on a mac has to do with client-server (maybe in a UI design course..). Did you verify your posting to make sure people could read it right to left? No. As for Linux as an OS I also fail to see what that has to do with a client-server course. Technology changes, a lot. It is much more important to understand the concepts behind it, once you do udnerstanding a specific technology will be easy.
Don't most "big picture" lessons come with experience, through person's journey from entry-level employee to a skilled IT/business professional?
Yes, but it's a lot easier to learn something by experience if you have a basic understanding of it. This is why military officers go to military academies and most professionals go to university/college/etc.
Wouldn't it make more sense to teach things that will help students early in their careers, like technical skills and other trade/foundation skills that are often required of entry-level, non-management employees?
So you do not want to advance, or be able to do something else? If you want to work on an assembly line doing the same thing forever I suggest you drop out of school now and "start getting real experience" at some low paying job.
Does the average entry-level IT person need to make the sort of decisions a CEO or CIO needs to make?
No but it helps to understand it. If you ever have to interface with the CEO (i.e. be avice pres) you'll appreciate it.
Do companies really want me to spend more time diagramming a program than I need to program it in the first place?
Yes. I would like to make sure you are doing it correctly, or at least something resembling correctly. Plus you may not be the person programming it/maintaining it.
(What about just documenting the code?) Knowing the big picture is good, but how do you get to that level if you don't have any skills?
You will have those skills if you pay attention to your programming classes.
It is rather obvious that you are new to the game of college and the corporate environment. If I wanted to hire someone who just programs I'd get some Indian company to do it for $5 a day. If that's all you want then you can skip the education and get right to it.
My question for Slashdot readers is: Is this really what companies want of today's graduates?"
The article is long, why? Because I had to explain what SSL and SSH are, most people do not know how public key crypto/etc works. If I do not explain this trying to explain the security problems and why it's an issue would be pointless.
Before it was hard to attack SSL/SSH connections and do man in the middle. You'd have to write your own software or find some, which as a rule wasn't publically available (you could see it demo'ed at security conferences/etc but I don't remember anyone ever putting it up for anon ftp or on the web). Well now it is trivally easy to find, and the entry level for attacks just got a lot lower. Users should be aware of this.
Unfortunately I can't offer any really good solutions (go get software package foo and everything will be better). For now dsniff only does SSH1 attacks, so going to SSH2 should help (until somone modifies dsniff, as I point out in the article). How can you verify SSH keys, print out lists of key signatures and tape them to every workstation and teach users to verify them? Not likely. Ditto for SSL, how many of you actually look at the certs servers hand to you, and how many of you have clicked on OK or Continue when the cert is out of date or issued by a non trusted entity (i.e. a self signed cert).
OpenBSD has had remote holes, for example in their ftp server and the DHCP client, they however claim that since these are not turned on by default, they are "Secure by default". Realistically however most people using OpenBSD that need an ftp server were using the default one, and presto, they were vulnerable. Ditto for anyone using DHCP, which is extremely common on workstations, however the OpenBSD people argued that "no sane admin uses DHCP, it has to many security problems", while this is true to a degree (a "rogue" DHCP server can do quite a bit of damage) realistically unless you want to waste a lot of time configuring and maintaining network settings you use DHCP.
OTOH OpenBSD does have by far the best track record when it comes to exploits in the core distro, I should know, I write a weekly Linux digest and a weekly BSD digest, the BSD one takes a lot less effort.
Choice is good, to much choice can be overwhelming. One thing that is begining to bother me about Linux is the sheer number of distributions, especially since I need to keep up with all of them (doing weekly security digests and all). There is even a local distribution made by some guys who used to (no kidding) do tractor related hardware (like farmer stuff), but decided to make the switch. Right now barely anyone is really adhering to the Linux Standards Base, versions of GCC are all over the place, file placement is a crapshoot;/usr/man?/usr/share/man? It definetely wouldn't hurt to lose a few of the smaller players. I don't see how Linux can shrink to
What will happen is the big players will get bigger, making money through support, branding, and so forth. The little guys will get gobbled up, or fall by the wayside. And hopefully more people will adher to the Linux STandards Base.
Note to slashdot crew: you complain when journo's bash Linux/distroi's needlessly (I took a lot of flack on that Debian article, remember?) and I find the redhat bashing way lame. In response to an earlier article (RedHat has 1000's of bugs) you not only got the Bugzilla URL totally wrong, but the number of bugs as well. I was able to find less then 300 in total (open, closed, verified, you name it), and of those I'd say less then half were real problems. Slashdot seems to be getting sloppier and sloppier.
Slashdot Mirror
The fix is pretty trivial, the second error check is done even if the first fails, thus removing any time based information (i.e. data takes about the same time to traverse both checks whether it fails the first or second one), thus denying the attacker the needed information. Fixed versions of OpenSSL have already been released. For more information please see OpenSSL Security Advisory [19 February 2003].
As a further note the BBC article is wrong, the quote "It is the first time we have noticed a security problem in the SSL protocol itself and not in how we use it or how we implement it" is either a misquote or flaw. If the flaw were in the protocol itself the solution would not consist of a 30 line patch to OpenSSL's error checks.
Actually 64 bit memory space + 128 bit ip address +64 bits for the port number, you don't send data to IP's, you send data to IP:port combinations (even with ICMP folks, you have a type code). So in a way yes that would sort of make sense in a twisted way.
Most major vendors (with the notable exception of Debian =( ) sign packages using GNuPG. You can check these signatures using rpm. There is no need to get Eric raymond to sign stuff (and he's supposed to read all the source code, then build all the packages on his own machines? excuse me?). I suggest reading the following two security advisories, which point out some mistakes that have been made, and one possible attack, but also largely corrected by vendors, and can be easily verified by users with minimal effort.
Devil in the details - why package signing matters
Red Hat 7.2 GnuPG signed RPM verification fails on distribution files
RPM PGP/GnuPG verification bug
Well, the Internet for one. Wouldn't really exist or work that well without BIND (opensource), Sendmail (the killer app, opensource), NCSA httpd and mosaic (the next killer app, you know, all that "web enabled" stuff).
OpenSource has more then a few times created new markets, like UNIX (if bell hadn't shipped source code around no-one would have improved it much and it would have stagnated). Like the Internet, imagine if we were stuck trying to use protocols like DECNET to try and network a few hundred million machines together. Like all these nifty information transfer protocols such as email, www, and so on.
AES is another good source, the development was done as an open call, everything had to be out in public, license free so it could be widely adopted if it won, etc. DES on the other hand was developed by IBM (as a 128 bit originally) and later gutted by the NSA to 56 bits, as well as having the S-boxes modified (making them stronger we are told...). This time around AES is done completely out in the open and people have a lot more trust in the process, and the resulting algorithm. AES is going to be encrypting data communications from money transfers to your network traffic for the next 20-40 years, a decidedly non trivial responsibility.
Well there are programs like visio which will do discovery and generate pretty maps, but they use strange formats. XML is a good candidate, you could define various network objects like hosts and links and then have a parser tie them together. Of course things may get "messy" if you have a complicated diagram, rendering it based on XML data could be difficult, whereas simply defining a picture looks nicer. The advantage of XML defined data is that automatically generating it would be relatively simple (feed in multiple traceroutes for example).
Didn't mean to imply that (but on second reading it does look that way, doh).
Yes, so he can run the business side of ARIS and their other products. They are not "quiting", they are simply not working on the free side of securityfocus anymore (imagine that, a .com company that places a degree of importance on making money).
Interview with Elias Levy (Alpeh1)
Bugtraq is probably the best security mailing list around. However while the quasi-founder (technically Aleph1 didn't start Bugtraq as I was surprised to find out) is quite prominent online I wasn't able to find any detailed information about him or Bugtraq (except for one old interview). So here for you to enjoy is an interview with Aleph1.
Kurt: Where does the name Aleph1 come from?
Elias: Its comes from transfinite mathematics. There exists many "infinite" numbers or sets. The first infinite number is small omega or alef null. It is also called countable infinity. Many infinite sets can be mapped one-to-one with each other. For example, the set of all natural numbers can be mapped one-to-one with the set of odd natural numbers. Yet one is a subset of the other. Both these sets are said to have a cardinality of alef null. Alef One is the first cardinal number after alef null (i.e. the first set that cannot be mapped one-to-one to a set of cardinality alef null).
Click here (http://www.seifried.org/security/articles/2001101 5-elias-levy-interview.html) for more.
"In my Finance course, I learn how to balance a corporate stock portfolio, but I have no clue how to start a business or pay my employees.
Ask how to do it. As far as stock goes if you are even reasonably succesful chances are you will own stocks. This kind of education will be invaluable later on.
In my System Analysis & Design course, I spend 3 hours constructing data-flow diagrams, entity-relationship diagrams, and Ghantt charts for programs that take around an hour to code!
And of course you code this in an hour with no logic or symantic mistakes, etc. Do you always want to be a programmer doing the gruntwork? I doubt that. Learning how to design and document programming tasks will get you a lot farther then just being a code monkey. Plus I rather doubt you can find a job that consists of programming tasks that all take an hour or so.
In my Management course, my professor discusses techniques for being an effective CEO, but I don't even know how to manage a few subordinates, much less an entire company.
You have to start somewhere (macro to micro verses micro to macro, most techs seem to prefer micro to macro oritnetation). Plus knowing how management manages will give you a much better understanding of why they do things. You will not be a manager for some time, and managing is also heavily dependant on people skills, something that cannot be taught, they must be practiced.
In my MIS course, we learn about client-server technology, but when I ask if my peers have tested their web pages on Macintosh, they reply, "Why would I have to do that?" Most of them don't even think of Linux as an operating system, but more as a hacker's toy. Forget about asking them to make it Mozilla or Lynx compatible. They don't want to waste their time. But the University will make sure it is ADA compliant, since any institution that receives federal funding must require this...
I fail to see what testing webpages on a mac has to do with client-server (maybe in a UI design course..). Did you verify your posting to make sure people could read it right to left? No. As for Linux as an OS I also fail to see what that has to do with a client-server course. Technology changes, a lot. It is much more important to understand the concepts behind it, once you do udnerstanding a specific technology will be easy.
Don't most "big picture" lessons come with experience, through person's journey from entry-level employee to a skilled IT/business professional?
Yes, but it's a lot easier to learn something by experience if you have a basic understanding of it. This is why military officers go to military academies and most professionals go to university/college/etc.
Wouldn't it make more sense to teach things that will help students early in their careers, like technical skills and other trade/foundation skills that are often required of entry-level, non-management employees?
So you do not want to advance, or be able to do something else? If you want to work on an assembly line doing the same thing forever I suggest you drop out of school now and "start getting real experience" at some low paying job.
Does the average entry-level IT person need to make the sort of decisions a CEO or CIO needs to make?
No but it helps to understand it. If you ever have to interface with the CEO (i.e. be avice pres) you'll appreciate it.
Do companies really want me to spend more time diagramming a program than I need to program it in the first place?
Yes. I would like to make sure you are doing it correctly, or at least something resembling correctly. Plus you may not be the person programming it/maintaining it.
(What about just documenting the code?) Knowing the big picture is good, but how do you get to that level if you don't have any skills?
You will have those skills if you pay attention to your programming classes.
It is rather obvious that you are new to the game of college and the corporate environment. If I wanted to hire someone who just programs I'd get some Indian company to do it for $5 a day. If that's all you want then you can skip the education and get right to it.
My question for Slashdot readers is: Is this really what companies want of today's graduates?"
I wrote a follow up article that addresses many more problems in the implementations.
http://www.securityportal.com/seifried/sslssh-foll owup20001222.html
Some notes to slashdotters:
The article is long, why? Because I had to explain what SSL and SSH are, most people do not know how public key crypto/etc works. If I do not explain this trying to explain the security problems and why it's an issue would be pointless.
Before it was hard to attack SSL/SSH connections and do man in the middle. You'd have to write your own software or find some, which as a rule wasn't publically available (you could see it demo'ed at security conferences/etc but I don't remember anyone ever putting it up for anon ftp or on the web). Well now it is trivally easy to find, and the entry level for attacks just got a lot lower. Users should be aware of this.
Unfortunately I can't offer any really good solutions (go get software package foo and everything will be better). For now dsniff only does SSH1 attacks, so going to SSH2 should help (until somone modifies dsniff, as I point out in the article). How can you verify SSH keys, print out lists of key signatures and tape them to every workstation and teach users to verify them? Not likely. Ditto for SSL, how many of you actually look at the certs servers hand to you, and how many of you have clicked on OK or Continue when the cert is out of date or issued by a non trusted entity (i.e. a self signed cert).
OpenBSD has had remote holes, for example in their ftp server and the DHCP client, they however claim that since these are not turned on by default, they are "Secure by default". Realistically however most people using OpenBSD that need an ftp server were using the default one, and presto, they were vulnerable. Ditto for anyone using DHCP, which is extremely common on workstations, however the OpenBSD people argued that "no sane admin uses DHCP, it has to many security problems", while this is true to a degree (a "rogue" DHCP server can do quite a bit of damage) realistically unless you want to waste a lot of time configuring and maintaining network settings you use DHCP.
OTOH OpenBSD does have by far the best track record when it comes to exploits in the core distro, I should know, I write a weekly Linux digest and a weekly BSD digest, the BSD one takes a lot less effort.
BTW there is an all Linux security mailing list available now; Click here to sign up via the web form
.Choice is good, to much choice can be overwhelming. One thing that is begining to bother me about Linux is the sheer number of distributions, especially since I need to keep up with all of them (doing weekly security digests and all). There is even a local distribution made by some guys who used to (no kidding) do tractor related hardware (like farmer stuff), but decided to make the switch. Right now barely anyone is really adhering to the Linux Standards Base, versions of GCC are all over the place, file placement is a crapshoot; /usr/man? /usr/share/man? It definetely wouldn't hurt to lose a few of the smaller players. I don't see how Linux can shrink to
What will happen is the big players will get bigger, making money through support, branding, and so forth. The little guys will get gobbled up, or fall by the wayside. And hopefully more people will adher to the Linux STandards Base.
Note to slashdot crew: you complain when journo's bash Linux/distroi's needlessly (I took a lot of flack on that Debian article, remember?) and I find the redhat bashing way lame. In response to an earlier article (RedHat has 1000's of bugs) you not only got the Bugzilla URL totally wrong, but the number of bugs as well. I was able to find less then 300 in total (open, closed, verified, you name it), and of those I'd say less then half were real problems. Slashdot seems to be getting sloppier and sloppier.
I've written an article on this topic:
UNIX (and Linux especially) viruses - the real story
A DDoS FAQ is available here.
Kurt Seifried - Senior Analyst http://www.securityportal.com/ http://www.cryptoarchive.net/ http://www.seifried.org/