Slashdot Mirror


User: Tassach

Tassach's activity in the archive.

Stories: 0
Comments: 2,400

Comments · 2,400

  1. Re:Well, there go the logfiles on "Port Knocking" For Added Security · · Score: 1

    I was forgetting the specifics of how UDP works (I don't do much socket level work anymore). The ICMP port unreachable message was, of course, what I meant by sending back NAK -- the idea is that you want the system to respond as if the port were actually closed.

  2. Re:That is called "omniscience". on "Port Knocking" For Added Security · · Score: 1
    Port knocking is a very simple concept with a very simple implementation.
    And very limited applicability. It's a cool hack, but that's all. I can think of cooler hacks working along similar lines to accomplish the same ends more securely. The problem with using a firewall log is it only tells you who tried to talk to you; it doesn't (usually) tell you what they tried to say. As an off-the-cuff example, you could do the same thing by looking for a specific 404 error in the httpd error log. This way you could have authentication information as well as instruction on what port to open. You could encode a cryptographically signed instruction into the bogus URL that means "open port 22 for client at 10.4.69.42 for 5 minutes starting at 12:34".
  3. Re:Digital all the way on Analog Approach to Displaying Data · · Score: 1
    Are we getting into semantics here?
    Absolutely :-) Quantum mechanics is good for fucking with your perceptions of reality. It's so counter-intuitive that it makes your head want to explode.
  4. Re:Why does OSS love MySQL? on MySQL: Building User Interfaces · · Score: 4, Insightful
    I too wonder about the inexplicable popularity of MySQL. It fills the microscopic niche between a lightweight ISAM database and a real full-featured relational database. I've yet to see MySQL used for something that couldn't have been done better with another tool.

    Postgres is pretty good, but still (IMHO) not yet up to the level of a commercial RDBMS. If you want a full-featured free-as-in-beer datacenter grade database, use Sybase 11.0.3.3. It doesn't come with source, but come on now, how many MySQL zealots have ever even compiled from source, let alone modified something?

  5. Re:Digital all the way on Analog Approach to Displaying Data · · Score: 1

    His post was kind of accurate. When you look at the quantum level, everything is digital. That "continuous" movement on that "analog" speaker cone is really a bunch of discrete quantum jumps too small for you to notice.

  6. Re:That's great. As long as SSH is secure. on "Port Knocking" For Added Security · · Score: 1
    I've already shown that SSH has had vulnerabilities.
    Yes, it has. The hole you refer to was found and patched 5 months ago. Notice that I specified "PROPERLY CONFIGURED". Proper configuration includes applying security patches promptly. Even without the patch, a chrooted configuration would have limited the damage to denial of service at worst. IPWrappers and IPTables are two other elements that should be used to restrict access to a critical ssh instance.

    OpenSSH is one of the most well-audited pieces of software around, and as you noted, it still has some holes. Installing port-knocking software might guard against a hole in SSH, but it also opens up the possibility for a new hole in the port-knocker itself. While defense in depth is a good thing, adding additional layers also creates the opportunity for new holes, especially when the new layer is unproven and experimental.

  7. Re:A Question about packet sniffing on "Port Knocking" For Added Security · · Score: 1

    Security is only as strong as the weakest link in the chain. Hiding a port doesn't increase security unless the fact that the port was visible *was* the weak link in the chain. If that's the case, hiding an insecure port still isn't giving you any real security, it's just providing the illusion of security. It would be less effort and more effective to secure the port properly rather than obfuscating its presence.

  8. Re:Services listen on ports. on "Port Knocking" For Added Security · · Score: 1
    The point the grandparent is making is that you shouldn't be running insecure services on a public interface to start with. Hiding an insecure service does not make it secure. Security through obscurity is never a good choice.

    Let's use a real world example. Say you want to have SWAT running on your box so you can admin your samba server remotely. However, your ISP uses DHCP, so you can't use xinetd to restrict connections from a trusted IP address. So what do you do? You could set up a port knocking scheme so that port 301 only opens up after you give it the secret knock. This is security through obscurity. Or you could do it the right way: set up xinetd so port 301 only accepts connections from localhost, then from home type:

    ssh -2CNx -i ~/.ssh/id_dsa -L 3301:localhost:301 me@mysambabox.mydomain.com
    Now you can browse to http://localhost:3301 from the home box and use SWAT securely. SSH port forwarding is designed for this kind of thing, and provides real security.

    The only thing a port knocking scheme is good for is for concealment -- hiding the fact from a port-scanner that a port is open. This makes it much more valuable for grey-hat and black-hat scenarios than it does for legitimate purposes. If all you want is secure remote access, a properly configured SSHD on port 22 is secure enough. Now, if you need to conceal your rogue SSHD instance from the PHB/BOFH, something like this is good. Sometimes you have to work around obstructionist pricks so that you can get your job done. Of course it's also useful for hiding the sshd you installed on the box you just r00ted.

  9. Re:Well, there go the logfiles on "Port Knocking" For Added Security · · Score: 1
    I set my server to "not listen" on udp port 2000. When someone connects they receive no reply (UDP is connectionLESS) but I accept their datastream. If the data they sent is correct (matches my password) then I open the port.
    I had a very similar idea. In my scheme, the UDP listener throws back a NAK response regardless of the datagram's content. This way, it always appears as if the UDP port is closed. However, if the UDP datagram has the proper payload (say like a cryptographically signed message saying "open port 22 for 5 minutes starting at 13:42 for client at 192.168.123.45"). This way, port 22 would be closed most of the time, and would only open up for a limited amount of time for the requested address.
  10. Re:A Question about packet sniffing on "Port Knocking" For Added Security · · Score: 1
    How is a guy in Russia going to sniff and find the right port combo if the server is in Seattle
    1. Compromise a peer machine on the same net. Set this machine to promiscuous mode. The usefulness of this technique is limited on a switched ethernet, but can still be effective (other machines can be spoofed into using the compromised machine as their gateway)
    2. Compromise a machine through which the target machine's traffic is routed
    3. Compromise the routing tables of the target machine or an upstream machine to route traffic through a machine you control
    Of course there are always the old standbys of social engineering and physical intrusion.
  11. Re:Sniffing on "Port Knocking" For Added Security · · Score: 1
    The ONLY value I see in this is defeating (or at least raising the bar) on port scanning. The only time this would prove to be useful is if you want to conceal the fact that a given port is actually open.

    A grey hat use of this would be to evade a TOS/AUP restriction against running servers on your cable modem detection. A black hat use would be to conceal the fact that you've backdoored a box. I'd be hard-pressed to think of a practical white hat use for this technique.

    If you're really interested in having a stealthy back door, a UDP based listener is probably a better choice. Send a cryptographically signed datagram to port X. The listener sends back a NAK, just as if the port were actually closed; but if the payload is valid, it opens up the requested port for a few seconds.
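The signed-datagram scheme sketched in comments 2, 9 and 11, written out as an added example (not code from the original poster): the listener-side verifier for an "open port P for client C for D seconds starting at T" instruction. The message format, the shared key and the use of HMAC-SHA256 are assumptions; the point is that every rejection path is indistinguishable to the sender, and that the validity window, duration cap and nonce keep a captured datagram from being replayed later.

```python
import hashlib
import hmac
import json

MAX_OPEN_SECONDS = 300   # cap how long a single instruction may hold a port open
CLOCK_SKEW = 30          # tolerated seconds between sender and listener clocks


def sign_instruction(key, client, port, start, duration, nonce):
    """Serialize the instruction and append a 32-byte HMAC-SHA256 tag.
    Constructed wire format for this example; the comments define none."""
    body = json.dumps({"client": client, "port": port, "start": start,
                       "duration": duration, "nonce": nonce},
                      sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class KnockListener:
    """Verifies signed datagrams and tracks time-limited (client, port) openings.
    Every failure returns False, so the caller's reply (the NAK) never says why."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()   # nonces already honoured: replay guard
        self.openings = {}         # (client, port) -> expiry time

    def accept(self, datagram, now):
        if len(datagram) <= 32:
            return False
        body, tag = datagram[:-32], datagram[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):     # unsigned or forged knock
            return False
        try:
            msg = json.loads(body)
            client, port = str(msg["client"]), int(msg["port"])
            start, duration = int(msg["start"]), int(msg["duration"])
            nonce = str(msg["nonce"])
        except (KeyError, TypeError, ValueError):      # malformed payload
            return False
        if not (1 <= port <= 65535 and 0 < duration <= MAX_OPEN_SECONDS):
            return False
        if not (start - CLOCK_SKEW <= now < start + duration):   # stale or future-dated
            return False
        if nonce in self.seen_nonces:                  # replay of a captured datagram
            return False
        self.seen_nonces.add(nonce)
        self.openings[(client, port)] = start + duration
        return True

    def is_open(self, client, port, now):
        """What the firewall would consult: open only for the named client, until expiry."""
        expiry = self.openings.get((client, port))
        if expiry is None or now >= expiry:
            self.openings.pop((client, port), None)
            return False
        return True
```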

  12. Re:Hmmm... on Spyware Masquerading as Spyware Removal Software · · Score: 1
    I think both wings of the Rupublicrat party can claim prior art for misleadingly named laws.

    Still, giving laws cutesy, forced acronyms is a pretty new phenomenon. "ATBOR" (Abolish The Bill Of Rights) doesn't have the same ring as "USA-PATRIOT".

  13. Re:90% as measured how? on Grokster/Morpheus Hearing Recap · · Score: 2, Informative
    That depends on who is paying them at the time.
    Exactly. Statistics are always tailored to support whatever point you are trying to push. There are lots of different measurements you can take of a P2P network: number of files, size of files, number of users requesting a given file, number of users providing a file, number of transfers, bytes transferred, and so on. With some creative interpretation, you can produce statistics all day long that support any conclusion you want to make.

  14. Re:You are wrong on US Govt Makes Times New Roman 14 Official Font · · Score: 1

    That's in line with what I was remembering: in the early first century middle, the "lingua franca" was Aramaic. Jews would be speaking Hebrew amongst themselves, but would almost definitely know at least 1 other language for dealing with gentiles.

  15. Re:so the question becomes on Cable Modem Hackers Release Improved Firmware · · Score: 2, Informative

    T-1 is 1.5M down/1.5M up, on a dedicated connection. Comcast's standard offering is currently 3M down/256K up on a shared connection, which is more or less typical for cable modem. Remember that a basic T-1 package will almost invariably have an SLA guaranteeing that you won't have more than N minutes of downtime per month, at least 5 static IP addresses, and a noticeable absence of draconian/asinine AUP terms. Of course it's going to cost roughly 10X as much as a cable modem connection, but it's well worth it if you really need those extra features. Of course there's SDSL if you're close enough to your CO, which can give you the same features as a T-1 for about 1/2 the cost. The Covad web site has rates posted, if you want to see real numbers.

  16. Re:Pay off debt or buy a house on A Wireless Network for a 4-Story Apt. Building? · · Score: 1
    don't buy a $100,000 dollar sun when a 1500 dollar linux PC will do the job
    Which do you think is better for running a critical infrastructure server: A new $1500 white-box PC running Linux or Solaris x86, or a $1500 refurbished and recertified Sun E450 running Linux SPARC or Solaris? (And yes, you can get an E450 for that little if you shop around.) Which is going to last longer? Which is going to be more reliable? Which is going to be more responsive when 40 people are all banging on it at once? If you said the PC, you need to grow a clue.

    There are really great deals on recertified used equipment out there, and you can get gear that was top-of-the-line 3 years ago for pennies on the dollar. That $100,000 Sun server someone bought 3 years ago can now be found for $2500 (including a warranty) if you know where to look.

  17. Re:IPv6 adoption on Creating A Super-Router (For Free) · · Score: 1
    The network operators will then implement IPv6 out of having no choice to deliver the services their customers want
    Again, I disagree. Network operators will eventually have to adopt IPv6 to control the costs of managing their own infrastructure; the customer will get it whether they want it or not because it will (eventually) be the most cost-effective way for the network provider to offer service. Call it supply-side network economics.
  18. Re:Pay off debt or buy a house on A Wireless Network for a 4-Story Apt. Building? · · Score: 5, Informative
    The on-topic part: Sure you can network a 4-storey building for 7Kilobucks, easy. Assuming everyone buys their own NIC, your initial hardware outlay for the inside network is going to be something like one switch, a box of Cat5, and a WAP for every floor. To connect to the outside world, figure adding a good router (business grade; a SOHO router probably won't cut it) and a DSL modem. If you want to go the full ISP route and provide email and webspace, add in the cost of a pair of real servers (not desktop PCs running a server OS). With some smart eBay shopping you should be able to do the whole thing for well less than 1/2 your budget.

    The expensive part is going to be getting the building on the internet. You're going to need something like a 1.5Mbit business SDSL or T-1 with 64 or so IPs and an SLA. This is probably going to wind up being around $600-$800/mo depending on your provider.

    If you really want to honor her memory, why not donate the money to a school (college or private HS). Then you can have a nice plaque with her name on it put up in the computer lab. That's a lot better way to honor someone's memory than throwing a year-long LAN party for your neighbors. Networking your building, while a fun geek project, probably isn't the best way to honor her memory. If you want to do that, get your neighbors to pitch in (labor, $, or equipment) and make it a community project.

  19. Re:VGA extenders on Cat5 cable on Digitizing VGA? (take 2) · · Score: 1
    More to the point, Cat5 != Ethernet != TCP/IP. Remember the OSI model:
    • Physical layer: Basically if it exists in meatspace, it's part of the Physical Layer. This would include Cat5 cable and any kind of interface card/dongle/whatever.
    • Data link layer: this is the protocol defining how the signal is sent over the physical layer. 100baseTX is a common Data Link protocol; KVM over Cat5 use their own proprietary Data Link protocols. Hubs and switches work at the DL layer.
    • Network layer: The IP part of TCP/IP is a network layer, likewise (IIRC) the IPX portion of IPX/SPX is also a network layer protocol. The network layer controls things like connection management and routing; hence, routers are (mostly) network layer devices.
    • Transport layer: TCP and UDP are transport layer protocols. Transport layer moves the actual data back and forth.
    • Application layer: Application layer protocols produce and consume data. HTTP, FTP, etc are all Application layer protocols.
  20. IPv6 adoption on Creating A Super-Router (For Free) · · Score: 1

    IMHO, widespread IPv6 adoption isn't going to come from customers forcing it on ISPs, it will come from ISPs forcing it on customers. IPv6 benefits the people in charge of managing really large networks, which isn't end users. Right now, ISPs can keep going using NAT, DHCP, and private networks to avoid switching over, but eventually they'll switch to IPv6 when the pain of the switchover is less than the pain of maintaining the system.

  21. Re:Obligatory POPFile Link on Armoring Spam Against Anti-Spam Filters · · Score: 1

    Obviously, your browser must not correctly render the tag.

  22. Re:more hardware restrictions? on Creating A Super-Router (For Free) · · Score: 4, Interesting
    Why would Linksys be upset about a thing like this? It does no damage whatsoever to their business model; in fact, it helps it. Linksys sells inexpensive networking gear for primarily the small business and home markets. They don't make any money selling updates or service contracts (At least, I can't find anything on their website that shows that they even sell service contracts). They make their money selling hardware, period. Any support they have to provide after the sale, including firmware updates, costs them money.

    The fact that their hardware can be upgraded with an unauthorized firmware image actually helps their business. First off, the fact that their hardware is customizable helps sell more hardware to geeks (who in turn recommend their hardware to friends, family, and clients). Secondly, using an unauthorized firmware voids the warranty, which saves them money -- if you flash it and break it, you're screwed. If you flash it and a component fails for a totally unrelated reason, they don't have to give you a free replacement; you'll have to buy a new one, so they still come out ahead.

    This is a very different situation than things like the Dakota Digital camera hack or the i-opener hack. In those cases, the companies involved were/are selling the hardware at a loss as an incentive to get you to use a paid service. In these cases, hacking the hardware eliminates the need to use the service, thereby disrupting their business plan and letting you use the subsidised hardware for an unintended purpose. Linksys sells their hardware for a profit. Hacking it does nothing to disrupt their business plan, because they already made all the money they planned to make when the wholesaler bought a truckload of their hardware.

  23. Re:Obligatory POPFile Link on Armoring Spam Against Anti-Spam Filters · · Score: 2, Informative

    Would that be the same John Graham-Cumming referenced in the article who figured out how to defeat said filter?

  24. Re:Until then, there's always... on Half-Life 2 Targeted for Summer Release · · Score: 1

    +1 informative. Thanks for the link. Just got done replaying the "Return to the Cathedral" mission in Thief Gold.

  25. Re:Damn. on US Govt Makes Times New Roman 14 Official Font · · Score: 0, Offtopic

    OOOh I'm so chastened: a dittohead moderated me as a troll for calling his beloved Shrub a dingbat. Bring it on, bushbaby... I've got karma to burn.