I've been a Speakeasy.Net customer for a few months now, and for everybody who wants an ISP with a "Press 2 If You Have A Clue Button"...all those techs appear to have gone there. It's such a disorientingly wonderful thing to be able to converse about firewall rulesets, buggy ARP tables, and routing infrastructure hiccups with your *front line support* ISP provider.
They're not particularly expensive either. For $200/mo, they offer you flat rate 1.1/1.1 SDSL that actually works at full speed. They have, of course, plans with more standard pricing, but ya gotta spend your money on something, eh?
You can always save $10/mo by running a game server. No, I'm not joking.
Among other nice things, they'll actually talk to you when a spurious port scan spamgram appears to come from your host. I just went through what could have been a nightmare with any other provider--and worked with them to debug that nothing actually happened.
So, yeah. If you're tired of burnt out powerless cluebies, go hit Speakeasy.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I'm actually pretty confident that OpenBSD tracks the changes they make, but those changes (I believe) are to the overall package that is OpenBSD, not to the individual files.
You wrote:
===
I don't think you understand how they package up their releases. It isn't like Red Hat or Debian, i.e. there are no individual packages like perl-5.003-666 or nethack-23-skiddoo.
===
To which I reply:
ftp://ftp.openbsd.org/pub/OpenBSD/2.7/packages/sparc/
That being said, it may very well be that anything that Theo directly touches is considered a critical component and is kept out of the "packages" tree. This would be somewhat surprising to me (given the amount of energy Theo et al. put into creating a "high quality package archive"), but wouldn't be unimaginable. However, it remains unclear what has been touched and what hasn't. Is that really Perl 5.6.0? What about Netcat 1.1.0? I can't even compare binaries; I have to diff source trees.
Not too long ago, one security guru got taken to task *HARD* for assuming that the version of Debian he had downloaded possessed the same security holes as...uh, that version actually had. Except it was the Debian unmarked modified patched version, and he didn't know. He submitted a total mea culpa...but I'm just not sure he should have.
This is actually the topic of a paper I've been considering writing, but I think it'd be much more interesting to hear what Theo has to say on the matter first.
Yours Truly,
Dan Kaminsky, CISSP
Cisco Systems, Advanced Network Services
http://www.doxpara.com
First of all, I want to thank you for the hard work you've done building OpenBSD. It truly is a wonderful package.
Much of the security in OpenBSD lies under the hood in the work you've done cleansing the source of unsafe library calls. While this work is appreciated, I've become more and more concerned lately about the fact that these changes are not necessarily documented and certainly not reflected in the version number of an application or utility.
Version numbers reflect a snapshot in the life of a codebase. They're used to reference unsafe editions or particularly stable builds. Major numbers reflect code branches, but minor numbers reflect specific states of the code--such is the expectation of a user or an administrator when a version number is detected. Without granularity of versioning, I have no reason to trust or distrust a given application by its number; I must personally audit its source--and end up giving it a number of my own.
You and your team are code auditing masters. Rather than pollute the namespace by making indistinguishable your securely built modified code and the original (and, by extension, your secure code and numerous unnamed distributions' "just get it to compile" modifications), wouldn't it be appropriate for OpenBSD to apply a name extension to any package which it has modified, and in the interests of full disclosure, to provide a reasonable CHANGELOG of the fixes contained therein?
Yours Truly,
Dan Kaminsky, CISSP
DoxPara Research
http://www.doxpara.com
What's really cool is somebody *noticed* I credited Memepool. I discovered the site from one of the rare times they were credited, and I've been impressed beyond words ever since.
Mind you, I didn't flat out copy the Memepool story--but I'd have never found out about the Color Kinetics product line without 'em.
Plastic isn't. Rubber isn't. Most materials aren't. But at least in industrialized nations, water, particularly in the quantities required for a sculpture, is essentially free. That means, with mere application of a moderate amount of electricity *any* reasonably large object can be synthesized at minimal per unit cost.
This is extraordinarily significant. One-offs that might not justify the cost of materials can now be made for the cost of electricity. Energy-only weaponry has been a long term goal of the US Army--the supply lines that feed mechanized operations have long been a problematic weakness. While this obviously doesn't have much of a lethal aspect (ice-daggers aside), using these temporary models as the sources for cheaper and more permanent molds could be moderately viable. More importantly, it allows more "experimentation" with shape, allowing possibly better final products.
Make no mistake--the fact that the per-unit cost of each mold is near-zero *is* the most significant part of this system, though the transparency of the material is a close second.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Actually, I'm curious how this court reconciles their decision with the Supreme Court's relatively recent rulings directly supporting the right to speak anonymously. To quote Justice Stevens:
"quite apart from any threat of persecution, an advocate may believe her ideas will be more persuasive if her readers are unaware of her identity. Anonymity thereby provides a way for a writer who may be personally unpopular to ensure that readers will not prejudge her message simply because they do not like its proponent." Stevens concluded "Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority."
See the above link for further details; essentially, it's rather difficult for the courts to ban anonymous speech when some of the founding papers of this country (the Federalist Papers) were released anonymously, in an environment that was intensely harsh against such speech. To wit:
The obnoxious press licensing law of England, which was also enforced on the Colonies was due in part to the knowledge that exposure of the names of printers, writers and distributors would lessen the circulation of literature critical of the government. The old seditious libel cases in England show the lengths to which government had to go to find out who was responsible for books that were obnoxious to the rulers. John Lilburne was whipped, pilloried and fined for refusing to answer questions designed to get evidence to convict him or someone else for the secret distribution of books in England. Two Puritan Ministers, John Penry and John Udal, were sentenced to death on charges that they were responsible for writing, printing or publishing books.
(If you haven't noticed--England has retained some of the more brutally harsh and heavily enforced Libel laws in the industrialized world. Tradition.)
I'm actually pretty intensely interested in what the appeals court had to say that would appear to contravene established precedent. Is the court saying it's OK to call the government inept, but not a corporation? Consider what that implies.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Sarchasm: The distance in understanding between a person who makes a sarcastic remark, and the person who completely fails to grasp the slightest clue of what the speaker meant.
I don't usually flame Slashdot commenters en masse.
I'll make an exception for every single one of you who paid way too much attention in Stats class and far too little attention in English.
Jamie's point wasn't that we need more violence. I don't care what he said; it doesn't take more than a few moments of reflection to realize Jamie's point was to brutally shred the conjecture that A) Video games have turned our kids into bloodthirsty murderous beasts and B) The people wishing to blame everything on violent games have any legitimate intention of truly protecting our children (as opposed to just trying to make a quick political buck).
Seriously, folks. Figure it out.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Security and GPL Considerations Of User Mode Linux (on User Mode Linux)
I've actually been talking up User Mode Linux since I first heard about it some time ago. The project's goal is essentially to re-implement Linux in its own system call interfaces, so the entire operating system can be executed as Just Another Application.
It's actually pretty cool code, and it has some pretty interesting implications as time goes on.
Among other things, it's actually a surprisingly good hack for making IPSec on Linux rather more usable. It's pretty obvious that IPSec code belongs in the kernel (after all, it's built off of IP, which *is* kernel code), but the difficulty and potential instability of IPSec, when it's not exactly a critical application for many users, precludes the deployment of the code. User mode Linux, with a stripped down FreeSWAN distribution, could give a much less risky and far simpler method for users and administrators to test and perhaps even deploy simple IPSec endpoints.
IPSec may become only marginally more awkward to experiment with than SSH.
Of course, this would require raw access to the network interface--not something generally given user level processes. That illustrates the #1 caveat of User Mode Linux--if the environment runs as root under the parent kernel, the child kernel doesn't particularly lose those root permissions. Granted, control over the operating environment can be much, much finer grained per virtual OS instantiation. But if that environment is broken, the attacker gains all capabilities of the user parent. When the user parent is root...sure, there's a layer of obfuscation, but that's about it.
Of course, if I was attacking a machine, I wouldn't particularly expect that the machine I had taken over was just a temporarily instantiated OS image.
A more troubling question is how much of "User Mode Linux" can be run entirely independent of root. Even creating a new SLIP device for the virtualized OS requires non-user privileges, so the best case scenario remains that an attacker, knowing they're behind a false root, attempts to corrupt or attack the parent kernel by feeding bad bytes down the network interface. Luckily, that's generally a pretty untrusted interface--and even better, there's absolutely nothing that says you have to give the client a direct network link (slirp, once again, comes in incredibly useful.)
Interestingly enough, User Mode Linux (as noted on the page) will probably eventually be used to port Linux apps en masse to alternate platforms that implement the Linux System Call APIs. lxrun *does* this on Solaris to some degree; this does mean that sometime down the line, Linux IPSec code may function on a non-free OS.
This really shouldn't be a big deal, with everything GPL and open--but RMS and Becker have made some pretty loud noises about kernel functionality being intrinsically separated from the intent of the GPL. User Mode Linux reduces the entire kernel to Just Another Application, no different than anything else. This is, in a technical sense, a beautiful, fascinating example of encapsulation--one that could never have come about without the openness that the GPL grants.
I'd keep an eye on User Mode Linux if I were you. This is among the most interesting work being done with the OS, period.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
The core nature of the Carnivore system is that it forces an ISP to grant the Government both raw and remote access to all data flows coming in and out of the ISP. This data is ostensibly filtered and selected out by the Carnivore system, but this is pretty clearly a classic case of "trusting the client" not to extract more information than it's otherwise authorized to by the spec.
However pristine the code may be that you've been asked to evaluate, could you ever deny that the capability exists for a remote administrator to add new code which extracts additional information--or perhaps even spoofs new information onto ISP networks from the trusted perch of the Carnivore station?
Indeed, given the precarious and difficult growth of secure remote access protocols over the years, can you really determine in a closed environment that only authorized U.S. government administrators, and not foreign agents, corporate spies, or even 15 year old children will not be handed the keys to an NT machine with direct access and control over all inbound and outbound network traffic for the Internet's major ISPs?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I've generally liked RMS for most of what he's said and much of what he believes in.
However, this permanent forfeiture nonsense is so nauseatingly offensive, it truly stretches my ability to suspend disbelief to imagine that it came from the (often poison) pen of Richard M. Stallman.
Yes, it is true that violating the GPL reverts your rights upon the code back to what you had before you accepted the terms of the copyright, i.e. basic copyright.
And, yes, this of course means that your rights revert back to the situation where you may once again relicense the code under the GPL, unless the FSF put a "Scarlet Letter" clause into the GPL. Not to mention, the fact that you can do whatever you like in the privacy of your own system--including linking GPL code to completely unfree and unreleased libraries--pretty much insulates every end user who didn't release a distribution. That all does happen to make RMS's "beg for forgiveness" exhortations rather...extreme.
But, what the hell is RIAA-style power mongering doing coming from one of the leaders of free software? Don't get me wrong--unlike those that complain about the GPL, I'm fully aware that the control-or-be-controlled hard line that FSF takes with its licenses is fully valid, and that the strength and correctness of the GPL can only exist with its refusal to suborn itself to less rigorous licenses.
But this tripe about forgiveness, as if users of KDE were under some moral obligation to bow down, tail between their legs, and beg for absolution from their great Free Software Masters fills me with absolute disgust. Even if Stallman had the legal right to call for such behavior--which, mind you, he doesn't--that he'd even ask for it smacks of the arrogance we all detest so much in the post-sale content control industry.
Ugh. I'm sorry for the flamage. Shocked and dismayed doesn't even begin to cover it.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Unfortunately, putting something on the Internet is being legally interpreted as "publishing" - and this applies to e-mail as well. (much e-mail ends up forwarded and put on e-mail list archives, etc.)
That a conversation can be recorded doesn't mean it automatically is.
Do you have a responsibility, as a business owner, to see what you are "publishing"?
Unfortunately, the answer seems to be "yes".
You're beginning to touch upon why business is starting to fight for effective instant messaging.
But, people don't resent an "open" solution if they know it's there. Nobody minds a camera posted over their head if it's obvious, especially if they can SEE what's being/has been recorded.
Your grasp of reality fails here. Several unions have been known for "accidentally" destroying biometric readers because they didn't even want their *fingerprints* recorded, let alone their words, thoughts, and actions.
Look up the wars, incidentally, regarding audio recordings on security videos.
This presumption that all emails can and should be logged comes from the presumption that emails are equivalent to official memos from the corporation.
They're not, and shame on anyone who would argue differently.
The fact that harassing comments may be spoken at the water cooler does not obligate the company to install an audio recorder at that cooler. The fact that harassing comments often are spoken over telephone lines assuredly does not obligate a company to record all calls made to and from the office building. The fact that E-Mail can occasionally lead to harassing comments as well does not obligate the company to violate the privacy of its workers.
Now, given an active suspicion (usually brought upon by an aggrieved party commenting to his or her manager), it's justified ethically to verify the charge by watching traffic in a limited manner. We wouldn't want someone to lose their job without their sins being proven.
But to say that employers are mandated by government to spy on everything their workers do obscures the fact that the government itself is mandating that a privacy violation infrastructure be built into every single workplace in the name of "protecting us from ourselves."
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
This is an awful bug, to be sure, but it's not invisible to the recipient. This is not a full fledged kleptographic attack, i.e. one where the added key material is invisible to anyone but the attacker.
ADKs *have* to leave additional encrypted content within the final package--somewhere, they've got to leave the decryption key in a detectable form for an attacker to come in and use to decrypt the one-time 3DES/Twofish/Other Symmetric Cipher Key. Now, it's possible that this internal key material could be stripped from the entire message and a valid hash reconstructed, much as the ADK can be added to a key without changing the overall key hash. But this would surprise and disappoint me--at that point, intent becomes a real question.
I have not intensively analyzed the PGP block format--I've been too busy working on SSH as of late--but it's necessary that *something* new is going to be added to the overall package, and that it is going to be detectable, possibly without decryption, possibly without even the original public key. Whether it's strippable or not is a question mark, but people shouldn't be saying this is an invisible attack. It can't be.
Brutal, yes. Invisible, no.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
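As an added example (not part of the original comment), here is the structural check the argument above implies: every recipient of an OpenPGP message, an ADK "extra recipient" included, gets its own Public-Key Encrypted Session Key packet carrying the recipient's key ID, so walking the packet headers exposes an extra recipient with no decryption and no public key. The message bytes and key IDs below are constructed for the demonstration, not taken from a real PGP message.

```python
"""List the recipients of an OpenPGP message from its packet structure alone.

Each recipient of a PGP-encrypted message, an ADK "extra recipient" included,
gets its own Public-Key Encrypted Session Key (PKESK, tag 1) packet holding
the 8-byte ID of the key it was encrypted to.  So an extra recipient is visible
to anyone holding the ciphertext: no private key, no public key, no decryption.
Packet and length encodings follow RFC 2440 sections 4.2 and 5.1.
"""
import struct

PKESK_TAG = 1          # Public-Key Encrypted Session Key
SYM_ENC_DATA_TAG = 9   # Symmetrically Encrypted Data


def read_packet_header(data, pos):
    """Return (tag, body_start, body_len) for the packet header at data[pos]."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the packet tag octet must always be set")
    if ctb & 0x40:  # new-format header: six-bit tag, then new-style length
        tag = ctb & 0x3F
        b0 = data[pos + 1]
        if b0 < 192:
            return tag, pos + 2, b0
        if b0 < 224:
            return tag, pos + 3, ((b0 - 192) << 8) + data[pos + 2] + 192
        if b0 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not handled here")
    # old-format header: four-bit tag, two-bit length type
    tag = (ctb >> 2) & 0x0F
    ltype = ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate-length packets are not handled here")
    size = 1 << ltype  # length types 0, 1, 2 use 1, 2 and 4 octets
    body_len = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
    return tag, pos + 1 + size, body_len


def iter_packets(data):
    """Yield (tag, body) for each top-level packet in a binary OpenPGP message."""
    pos = 0
    while pos < len(data):
        tag, start, length = read_packet_header(data, pos)
        if start + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[start:start + length]
        pos = start + length


def parse_pkesk(body):
    """Return (key_id_hex, pubkey_algo) from a version 3 PKESK body."""
    if body[0] != 3:
        raise ValueError("unsupported PKESK version %d" % body[0])
    return body[1:9].hex().upper(), body[9]


def recipient_key_ids(message):
    """Key IDs of every key the session key was encrypted to, in packet order."""
    return [parse_pkesk(body)[0]
            for tag, body in iter_packets(message) if tag == PKESK_TAG]


def unexpected_recipients(message, intended_key_ids):
    """Recipients present in the message that the sender did not intend."""
    intended = {k.upper() for k in intended_key_ids}
    return [k for k in recipient_key_ids(message) if k not in intended]


# --- constructed sample message (not a real PGP message) --------------------

def mpi(value):
    """Encode bytes as an OpenPGP multiprecision integer: 2-octet bit count + value."""
    return struct.pack(">H", int.from_bytes(value, "big").bit_length()) + value


def pkesk_packet(key_id_hex, algo, mpis, new_format=False):
    """Build a PKESK packet; the MPIs are dummies, not real RSA/Elgamal values."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + bytes([algo]) + b"".join(map(mpi, mpis))
    if new_format:
        return bytes([0xC0 | PKESK_TAG, len(body)]) + body       # one-octet length
    return bytes([0x80 | (PKESK_TAG << 2), len(body)]) + body    # length type 0


INTENDED_KEY_ID = "0123456789ABCDEF"   # constructed: the sender's intended recipient
EXTRA_KEY_ID = "FEDCBA9876543210"      # constructed: an ADK-style extra recipient

SAMPLE_MESSAGE = (
    pkesk_packet(INTENDED_KEY_ID, 1, [b"\xbe\xef"])                 # RSA: one MPI
    + pkesk_packet(EXTRA_KEY_ID, 16, [b"\x7f", b"\x55\xaa"], True)  # Elgamal: two MPIs
    + bytes([0x80 | (SYM_ENC_DATA_TAG << 2), 8]) + b"\x00" * 8     # dummy ciphertext
)

if __name__ == "__main__":
    print("recipients:", recipient_key_ids(SAMPLE_MESSAGE))
    print("unexpected:", unexpected_recipients(SAMPLE_MESSAGE, [INTENDED_KEY_ID]))
```

A message with more PKESK packets than intended recipients, or with a key ID the sender does not recognise, is exactly the visible trace the comment describes; on a real message the check runs on the binary packets, i.e. after the ASCII armor is stripped.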
The "Private" context of a VPN is much more important than the virtualized network presence of a transferred network link.
Privacy and cryptography are intimately linked in Virtual Private Networks; it's the cryptography that makes people willing to use the link at all.
So, from that I have to ask a simple question: Does @Home plan to monitor my traffic for information they can't decrypt? Is @Home saying that if I would use an unencrypted link to my work email, they'd have no problem with my working from home?
Can you imagine if a *telephone* company tried to specify who you were and weren't allowed to call, and what you were allowed to say, and that they needed to be able to understand every word you spoke?
What part of "Common Carrier" doesn't @Home understand?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
It shouldn't, I'm happy it's not, it's excellent that they've pulled out yet another layer of headaches, huzzah.
The problem--and it's a real one--is that they're preventing DOS from loading at all.
There's *no good reason* for F8 not to allow a DOS session to start up. Yes, there's a good reason for DOS not to load when Windows is loading--but from a pure troubleshooting point of view, access to the core filesystem is inordinately useful for system repair and there is no benefit to the customer for such functionality to be removed.
It's sad, really. This is yet another example of Microsoft's technological achievements (successful migration of the PC industry from DOS/Win16 to Win32, excavation and elimination of DOS legacy code) being marred by the relentless drive of their business side to quell competition. DOS is not just a lower operating system--it's a basic environment that can be entirely overwritten by whatever code happens to run underneath it. Much has been said about the ability to run alternative operating systems being quelled by this design; the faults generated are actually much more devious. DOS lets the user replace anything with everything; under the Windows model, Microsoft holds the final say on what calls you're allowed to issue, what memory you may rewrite, what partitions you may generate. Even the simple requirement to rewrite applications such as Partition Magic in full Win32 code--and that's presuming a hard drive partitioner could be allowed to function through the API--at minimum makes the code much less portable across OS's, and gives Microsoft leverage over yet another critical element of system configurations.
The philosophy of the DVD contracts was to achieve restrictions over consumers in excess of what the law would impose by preventing any vendor from being able to legally provide entire realms of fair use functionality to consumers. By doing an end run around the law, the studios hoped to effectively reverse entire swaths of public policy. Considering the anticompetitive and intrusive charges against Microsoft, this code extraction is similarly an end run around the technological capability of the generally open PC platform to run operating systems and environments other than those prescribed by Microsoft.
I don't like it, I'm not happy, and I do believe formal complaints should be issued in this circumstance. This isn't just about Microsoft making it harder for their users to run alternative operating systems; it's about Microsoft closing off direct access to a user's own system to the point of forcing the OS to crash before giving the user a command prompt.
Crashing is not a feature.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
The industry doesn't trust their customers not to pirate their music.
Customers, in turn, don't trust the industry not to sell "scientifically derived profiles" of your psychological state to your bosses, your friends, and each other, based on the music you buy. It only needs to be accurate enough to sell; nobody in the industry's going to get fired when you do.
So you've got a watermark. What's in it? If it ain't the identity of the licensed listener, in some form, the watermark might as well not be there at all.
That's why MP3 has been allowed to spread so far, incidentally. The end result desired is per-user tracking. A few years of piracy should have worked to make the public accept per-user tracking. But the piracy was too good, and the privacy was too lacking.
They're reaping what they've sowed. Greed in fighting privacy regulation has decimated the inviolate personality (one of the better concepts trumpeted by Slashdot recently); the widespread support for that atrocious e-signature bill is simply disturbing.
Show me an industry that supports touch-tone phone presses as legal signatures in a court of law and I'll show you an industry that's losing touch.
What a tragedy, a soap opera, or a comedy of errors, depending on your perspective.
Suppose for a moment that, indeed, many universes inhabited this specific multiverse.
Also suppose that certain extreme events would lead to cross universal leakage.
We wouldn't need to wait for a particle accelerator to be built to witness such effects--those stellar furnaces known as stars should be a constant source of evidence for reactions so extreme that they violate the bounds of this 3D environment.
In fact, stellar reactions should be the most mysterious, because they'd contain the most missing energy by far. It's not unimaginable, to be sure. Where I think some things start to break down is that, if there *is* leakage, the events that cause such things as Gamma Ray bursts would *need* to involve cross universal effects.
A bigger problem actually with cross universal gravity is that it would cause real problems for universal integrity. In order for multiple universes to exist in parallel to each other without any kind of "reinforced wall" between those universes, they must grow in parallel to one another and never blur together. But if gravitation in one universe can extend out towards another, there'd be no way for the parallel universes to remain separate--particularly if the forces equated at short distances, the universes would draw together into one.
Thoughts?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I've got a system I've been sitting on for a while that gives you the network isolation of Windows PPTP with the trustable crypto of SSH. I haven't done much development work on it in quite some time; anyone out there who'd like to hack on this and get it up to 1.0, toss me a note.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I can't read the actual story (it's not responding) but I have the feeling that nobody believes this company's rationale for scanning the net--demographics simply are not retrieved by traceroutes, unless you're trying to get a map organized by available bandwidth growth over time.
I don't think people trust that these guys aren't looking to distribute vulnerability profiles of major companies--what if the psychographics are regarding the IT staffs of major companies?
The Internet Auditing Project detected bugs, but did not identify those who were specifically vulnerable. If this startup goes under, who buys their *ahem* Customer Database?
That being said, they're in a nasty situation. They probably have something innocuous and cool and can't explain what they're doing or why because it'll spark off competition. They should NDA Mudge and let him say whether or not we should be worried.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
"Oh dear God, can you imagine the anticompetitive, anticonsumer, antirecording, pro government manipulation("go bribe that senator with a junket") style messages that fly around the RIAA?"
Looks like I'm about to find out, eh?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Discs cost $50 there so you can see why they are concerned about gray marketing the US discs back to Japan. Also the article says there aren't many players in Japan, so disc sellers need to keep the prices high to recoup production costs.
Either the market is large enough to support selling the discs legitimately, or it's so small that they won't lose much money from the few people who actually watch DVD's in Japan.
It's one of the two. Neither justifies this ridiculous position that Japan is in right now.
You are very much missing the point.
OpenBSD is not "300MB of source" that Theo thought up. There's quite a bit--likely a majority--of stuff brought in from other coders *WHICH RETAIN IDENTICAL VERSION INFORMATION*.
Go query Perl. Or vi. Or httpd. They're all external packages, with their own internal version. If Theo wanted to reversion them to "Perl OBSD 2.8" and "Apache OBSD 2.8" and so on, that's fine. But that Perl ain't 5.6.0 unless it was built from the 5.6.0 tree.
--Dan
Theo:
I don't think it's fair to say, as you did, that "ftpd is ftpd" or "tar is tar" for all of OpenBSD. Examples from version lines throughout OpenBSD:
spork# perl -v
This is perl, v5.6.0 built for sparc-openbsd
bash-2.04# ./troff -v
GNU troff version 1.15
bash-2.04# nawk -V
awk version 19990620
bash-2.04# gcc -v
Reading specs from /usr/lib/gcc-lib/sparc-unknown-openbsd2.7/2.95.2/specs
gcc version 2.95.2 19991024 (release)
bash-2.04# ./cvs -v
Concurrent Versions System (CVS) 1.10.7 (client/server)
[vi:ve]
Version 1.79 (10/23/96) The CSRG, University of California, Berkeley.
bash-2.04# ./tcpdump -V
tcpdump version 3.4.0
libpcap version 0.5
bash-2.04# ./httpd -v
Server version: Apache/1.3.12 (Unix)
Server built: May 5 2000 14:44:59
Look. Some of these you modified. Maybe all of 'em. Maybe one of 'em (I *know* you touched Perl.) Let's take the example of tires, why don't we. If I've got Firestone Model X432LFR tires on my car, and I run down to the dealership asking why I'm driving a deathtrap, is he allowed to laugh at me because "Of course *we'd* never put the deadly X432LFR tires on your car, we'd only put the *good* X432LFR tires on! Stupid customer."
That's essentially what happened with Debian a while back, and it was infuriatingly unfair.
I'm not asking you to do more work, Theo--you've *done* the work. I'm asking you to admit it, mark it, brand it in such a way that we know you've been forced to do something to it to make it secure. And then all of us can bitch and moan to the authors of whatever package you've taken and say, "Heh, he changed your stuff, maybe there's something you should look at." Maybe we'll be ignored. But, in the end, *you* did the right thing.
Theo: You and your team rewrote much of an early build of SSH. Technically, you could have said, "Here's SSH1.2.1x, as part of the OpenBSD system." But then nobody would have known what you had pulled off, and people would have had trouble finding your specific improvements. I'm not saying you need to rename every package to show how much you've added. But to keep the original version numbers is to conflate your secure and solid version with whatever bugs you *know* lurk in other people's code. When Foobar 1.2 comes out with a remote root, and OpenBSD ships with Foobar 1.2, do you like--or enjoy--when system administrators frantically upgrade your *already fixed version* of Foobar 1.2 with the original author's possibly broken Foobar 1.3?
Because that's what your version numbers cause.
They're easy to fix, Theo. It's just a tag to let us know you fixed something. It's something for us to differentiate your code with. (Incidentally--what does little on my 2.7 Sparc build.) Consider this: As much as you say you've only dealt with the system, I *know* many of the packages from Ports have had patches that didn't modify version numbers--and I have *no* idea if anything's been modified in your packages section. I just don't know.
This is not a problem specific to you, but I think OpenBSD is in the right place to change what I consider to be a particularly pernicious industry practice. I believe in your systems approach, but a secure system cannot be built from insecure parts. If you've secured your parts--show this, and perhaps let us know where to look to find out how.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
All--
I've been a Speakeasy.Net customer for a few months now, and for everybody who wants an ISP with a "Press 2 If You Have A Clue Button"...all those techs appear to have gone there. It's such a disorientingly wonderful thing to be able to converse about firewall rulesets, buggy ARP tables, and routing infrastructure hiccups with your *front line support* ISP provider.
They're not particularly expensive either. For $200/mo, they offer you flat rate 1.1/1.1 SDSL that actually works at full speed. They have, of course, plans with more standard pricing, but ya gotta spend your money on something, eh?
You can always save $10/mo by running a game server. No, I'm not joking.
Among other nice things, they'll actually talk to you when a spurious port scan spamgram appears to come from your host. I just went through what could have been a nightmare with any other provider--and worked with them to debug that nothing actually happened.
So, yeah. If you're tired of burnt out powerless cluebies, go hit Speakeasy.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
> Huh? You know what CVS is, isn't it ?
Yes, I can find out what's been changed historically, if I *really* go looking. I have no way of knowing easily that:
bash-2.04# perl -v
This is perl, v5.6.0 built for sparc-openbsd
was compiled from a different codebase than:
bash-2.04# perl -v
This is perl, v5.6.0 built for i386-linux
My point is, if you change the source, change the version. That I can hunt something down in CVS is pretty meaningless if I don't know that I need to.
--Dan
Xenophon:
I'm actually pretty confident that OpenBSD tracks the changes they make, but those changes(I believe) are to the overall package that is OpenBSD, not to the individual files.
You wrote:
===
I don't think you understand how they package up their releases. It isn't like Red Hat or Debian, i.e. there are no individual packages like perl-5.003-666 or nethack-23-skiddoo.
===
To which I reply:
ftp://ftp.openbsd.org/pub/OpenBSD/2.7/packages/
That being said, it may very well be that anything that Theo directly touches is considered a critical component and is kept out of the "packages" tree. This would be somewhat surprising to me (given the amount of energy Theo et al. put into creating a "high quality package archive"), but wouldn't be unimaginable. However, it remains unclear what has been touched and what hasn't. Is that really Perl 5.6.0? What about Netcat 1.1.0? I can't even compare binaries; I have to diff source trees.
Not too long ago, one security guru got taken to task *HARD* for assuming that the version of Debian he had downloaded possessed the same security holes as...uh, that version actually had. Except it was the Debian unmarked modified patched version, and he didn't know. He submitted a total mea culpa...but I'm just not sure he should have.
This is actually the topic of a paper I've been considering writing, but I think it'd be much more interesting to hear what Theo has to say on the matter first.
Yours Truly,
Dan Kaminsky, CISSP
Cisco Systems, Advanced Network Services
http://www.doxpara.com
Theo--
First of all, I want to thank you for the hard work you've done building OpenBSD. It truly is a wonderful package.
Much of the security in OpenBSD lies under the hood in the work you've done cleansing the source of unsafe library calls. While this work is appreciated, I've become more and more concerned lately about the fact that these changes are not necessarily documented and certainly not reflected in the version number of an application or utility.
Version numbers reflect a snapshot in the life of a codebase. They're used to reference unsafe editions or particularly stable builds. Major numbers reflect code branches, but minor numbers reflect specific states of the code--such is the expectation of a user or an administrator when a version number is detected. Without granularity of versioning, I have no reason to trust or distrust a given application by its number; I must personally audit its source--and end up giving it a number of my own.
You and your team are code auditing masters. Rather than pollute the namespace by making indistinguishable your securely built modified code and the original (and, by extension, your secure code and numerous unnamed distributions' "just get it to compile" modifications), wouldn't it be appropriate for OpenBSD to apply a name extension to any package which it has modified, and in the interests of full disclosure, to provide a reasonable CHANGELOG of the fixes contained therein?
Yours Truly,
Dan Kaminsky, CISSP
DoxPara Research
http://www.doxpara.com
Nah, Hemos didn't miss anything. I screwed up--and that's pretty infuriating, because I put *a lot* of energy into testing my links.
Ah-duh. Sorry.
--Dan
What's really cool is somebody *noticed* I credited Memepool. I discovered the site from one of the rare times they were credited, and I've been impressed beyond words ever since.
Mind you, I didn't flat out copy the Memepool story--but I'd have never found out about the Color Kinetics product line without 'em.
--Dan
...is that water is free.
Plastic isn't. Rubber isn't. Most materials aren't. But at least in industrialized nations, water, particularly in the quantities required for a sculpture, is essentially free. That means, with mere application of a moderate amount of electricity *any* reasonably large object can be synthesized at minimal per unit cost.
This is extraordinarily significant. One-offs that might not justify the cost of materials can now be made for the cost of electricity. Energy-only weaponry has been a long term goal of the US Army--the supply lines that feed mechanized operations have long been a problematic weakness. While this obviously doesn't have much of a lethal aspect (ice-daggers aside), using these temporary models as the sources for cheaper and more permanent molds could be moderately viable. More importantly, it allows more "experimentation" with shape, allowing possibly better final products.
Make no mistake--the fact that the per-unit cost of each mold is near-zero *is* the most significant part of this system, though the transparency of the material is a close second.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
See the above link for further details; essentially, it's rather difficult for the courts to ban anonymous speech when some of the founding papers of this country (the Federalist Papers) were released anonymously, in an environment that was intensely harsh against such speech. To wit:
(If you haven't noticed--England has retained some of the more brutally harsh and heavily enforced Libel laws in the industrialized world. Tradition.)
I'm actually pretty intensely interested in what the appeals court had to say that would appear to contravene established precedent. Is the court saying it's OK to call the government inept, but not a corporation? Consider what that implies.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Sarchasm: The distance in understanding between a person who makes a sarcastic remark, and the person who completely fails to grasp the slightest clue of what the speaker meant.
I don't usually flame Slashdot commenters en masse.
I'll make an exception for every single one of you who paid way too much attention in Stats class and far too little attention in English.
Jamie's point wasn't that we need more violence. I don't care what he said; it doesn't take more than a few moments of reflection to realize Jamie's point was to brutally shred the conjecture that A) Video games have turned our kids into bloodthirsty murderous beasts and B) The people wishing to blame everything on violent games have any legitimate intention of truly protecting our children (as opposed to just trying to make a quick political buck).
Seriously, folks. Figure it out.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I've actually been talking up User Mode Linux since I first heard about it some time ago. The project's goal is essentially to re-implement Linux in its own system call interfaces, so the entire operating system can be executed as Just Another Application.
It's actually pretty cool code, and it has some pretty interesting implications as time goes on.
Among other things, it's actually a surprisingly good hack for making IPSec on Linux rather more usable. It's pretty obvious that IPSec code belongs in the kernel (after all, it's built off of IP, which *is* kernel code), but the difficulty and potential instability of IPSec, when it's not exactly a critical application for many users, precludes the deployment of the code. User mode Linux, with a stripped down FreeSWAN distribution, could give a much less risky and far simpler method for users and administrators to test and perhaps even deploy simple IPSec endpoints.
IPSec may become only marginally more awkward to experiment with than SSH.
Of course, this would require raw access to the network interface--not something generally given user level processes. That illustrates the #1 caveat of User Mode Linux--if the environment runs as root under the parent kernel, the child kernel doesn't particularly lose those root permissions. Granted, control over the operating environment can be much, much finer grained per virtual OS instantiation. But if that environment is broken, the attacker gains all capabilities of the user parent. When the user parent is root...sure, there's a layer of obfuscation, but that's about it.
Of course, if I was attacking a machine, I wouldn't particularly expect that the machine I had taken over was just a temporarily instantiated OS image.
A more troubling question is how much of "User Mode Linux" can be run entirely independent of root. Even creating a new SLIP device for the virtualized OS requires non-user privileges, so the best case scenario remains that an attacker, knowing they're behind a false root, attempts to corrupt or attack the parent kernel by feeding bad bytes down the network interface. Luckily, that's generally a pretty untrusted interface--and even better, there's absolutely nothing that says you have to give the client a direct network link (slirp, once again, comes in incredibly useful.)
Interestingly enough, User Mode Linux (as noted on the page) will probably eventually be used to port Linux apps en masse to alternate platforms that implement the Linux System Call APIs. lxrun *does* this on Solaris to some degree; this does mean that sometime down the line, Linux IPSec code may function on a non-free OS.
This really shouldn't be a big deal, with everything GPL and open--but RMS and Becker have made some pretty loud noises about kernel functionality being intrinsically separated from the intent of the GPL. User Mode Linux reduces the entire kernel to Just Another Application, no different than anything else. This is, in a technical sense, a beautiful, fascinating example of encapsulation--one that could never have come about without the openness that the GPL grants.
I'd keep an eye on User Mode Linux if I were you. This is among the most interesting work being done with the OS, period.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
The core nature of the Carnivore system is that it forces an ISP to grant the Government both raw and remote access to all data flows coming in and out of the ISP. This data is ostensibly filtered and selected out by the Carnivore system, but this is pretty clearly a classic case of "trusting the client" not to extract more information than it's otherwise authorized to by the spec.
However pristine the code may be that you've been asked to evaluate, could you ever deny that the capability exists for a remote administrator to add new code which extracts additional information--or perhaps even spoofs new information onto ISP networks from the trusted perch of the Carnivore station?
Indeed, given the precarious and difficult growth of secure remote access protocols over the years, can you really determine in a closed environment that only authorized U.S. government administrators, and not foreign agents, corporate spies, or even 15 year old children will not be handed the keys to an NT machine with direct access and control over all inbound and outbound network traffic for the Internet's major ISPs?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I've generally liked RMS for most of what he's said and much of what he believes in.
However, this permanent forfeiture nonsense is so nauseatingly offensive, it truly stretches my ability to suspend disbelief to imagine that it came from the (often poison) pen of Richard M. Stallman.
Yes, it is true that violating the GPL reverts your rights upon the code back to what you had before you accepted the terms of the copyright, i.e. basic copyright.
And, yes, this of course means that your rights revert back to the situation where you may once again relicense the code under the GPL, unless the FSF put a "Scarlet Letter" clause into the GPL. Not to mention, the fact that you can do whatever you like in the privacy of your own system--including linking GPL code to completely unfree and unreleased libraries--pretty much insulates every end user who didn't release a distribution. That all does happen to make RMS's "beg for forgiveness" exhortations rather...extreme.
But, what the hell is RIAA-style power mongering doing coming from one of the leaders of free software? Don't get me wrong--unlike those that complain about the GPL, I'm fully aware that the control-or-be-controlled hard line that FSF takes with its licenses is fully valid, and that the strength and correctness of the GPL can only exist with its refusal to suborn itself to less rigorous licenses.
But this tripe about forgiveness, as if users of KDE were under some moral obligation to bow down, tail between their legs, and beg for absolution from their great Free Software Masters fills me with absolute disgust. Even if Stallman had the legal right to call for such behavior--which, mind you, he doesn't--that he'd even ask for it smacks of the arrogance we all detest so much in the post-sale content control industry.
Ugh. I'm sorry for the flamage. Shocked and dismayed doesn't even begin to cover it.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Unfortunately, putting something on the Internet is being legally interpreted as "publishing" - and this applies to e-mail as well. (much e-mail ends up forwarded and put on e-mail list archives, etc)
That a conversation can be recorded doesn't mean it automatically is.
Do you have a responsibility, as a business owner, to see what you are "publishing"?
Unfortunately, the answer seems to be "yes".
You're beginning to touch upon why business is starting to fight for effective instant messaging.
But, people don't resent an "open" solution if they know it's there. Nobody minds a camera posted over their head if it's obvious, especially if they can SEE what's being/has been recorded.
Your grasp of reality fails here. Several unions have been known for "accidentally" destroying biometric readers because they didn't even want their *fingerprints* recorded, let alone their words, thoughts, and actions.
Look up the wars, incidentally, regarding audio recordings on security videos.
--Dan
Stop.
This presumption that all emails can and should be logged comes from the presumption that emails are equivalent to official memos from the corporation.
They're not, and shame on anyone who would argue differently.
The fact that harassing comments may be spoken at the water cooler does not obligate the company to install an audio recorder at that cooler. The fact that harassing comments often are spoken over telephone lines assuredly does not obligate a company to record all calls made to and from the office building. The fact that E-Mail can occasionally lead to harassing comments as well does not obligate the company to violate the privacy of its workers.
Now, given an active suspicion(usually brought upon by an aggrieved party commenting to his or her manager), it's justified ethically to verify the charge by watching traffic in a limited manner. We wouldn't want someone to lose their job without their sins being proven.
But to say that employers are mandated by government to spy on everything their workers do obscures the fact that the government itself is mandated a privacy violation infrastructure be built into every single workplace in the name of "protecting us from ourselves."
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
This is an awful bug, to be sure, but it's not invisible to the recipient. This is not a full fledged kleptographic attack, i.e. one where the added key material is invisible to anyone but the attacker.
ADKs *have* to leave additional encrypted content within the final package--somewhere, they've got to leave the decryption key in a detectable form for an attacker to come in and use to decrypt the one-time 3DES/Twofish/Other Symmetric Cipher Key. Now, it's possible that this internal key material could be stripped from the entire message and a valid hash reconstructed, much as the ADK can be added to a key without changing the overall key hash. But this would surprise and disappoint me--at that point, intent becomes a real question.
I have not intensively analyzed the PGP block format--I've been too busy working on SSH as of late--but it's necessary that *something* new is going to be added to the overall package, and that it is going to be detectable, possibly without decryption, possibly without even the original public key. Whether it's strippable or not is a question mark, but people shouldn't be saying this is an invisible attack. It can't be.
Brutal, yes. Invisible, no.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
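As an added example (not code from the post above), the following Python walks the packet framing of an OpenPGP message and lists the key IDs carried in its public-key encrypted session-key packets: an ADK-style extra recipient appears as an extra packet, readable without decrypting anything and without the original public key. The sample message and key IDs are constructed for the example.

```python
"""List the recipients an OpenPGP message is encrypted to, without decrypting it.

Added example, not code from the original post. It walks the packet sequence
of an OpenPGP message (RFC 2440 framing) and collects the key IDs from every
Public-Key Encrypted Session Key (PKESK, tag 1) packet. A message that was
silently encrypted to an Additional Decryption Key carries one more PKESK than
the sender intended, which is what makes the ADK behaviour visible from the
ciphertext alone.
"""
import struct

TAG_PKESK = 1
TAG_SYM_ENCRYPTED = 9


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:  # new-format header: tag in low 6 bits, variable length
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[i]
                i += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[i:i + 2])[0]
                i += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                length = n - i  # indeterminate length: packet runs to end of input
        if i + length > n:
            raise ValueError("truncated packet at offset %d" % i)
        yield tag, data[i:i + length]
        i += length


def recipient_key_ids(message: bytes):
    """Return the key IDs (hex) named by every PKESK packet in the message."""
    ids = []
    for tag, body in parse_packets(message):
        if tag == TAG_PKESK:
            if body[0] != 3:  # v3 PKESK: version, 8-byte key ID, algorithm, MPIs
                raise ValueError("unsupported PKESK version %d" % body[0])
            ids.append(body[1:9].hex().upper())
    return ids


def unexpected_recipients(message: bytes, intended):
    """Key IDs that can open the message but that the sender did not intend."""
    return sorted(set(recipient_key_ids(message)) - set(intended))


def _pkesk(key_id: bytes, algo: int = 1) -> bytes:
    # Constructed packet: old-format header, v3 PKESK, RSA, one dummy 16-bit MPI.
    body = b"\x03" + key_id + bytes([algo]) + b"\x00\x10\xAB\xCD"
    return bytes([0x80 | (TAG_PKESK << 2), len(body)]) + body


# Constructed sample: the sender meant to encrypt only to key ...CDE1, but the
# message also carries a PKESK for ...CDF2, the ADK-style extra recipient.
INTENDED = ["0123456789ABCDE1"]
SAMPLE = (
    _pkesk(bytes.fromhex("0123456789ABCDE1"))
    + _pkesk(bytes.fromhex("0123456789ABCDF2"))
    + bytes([0x80 | (TAG_SYM_ENCRYPTED << 2) | 0x03]) + b"\x00" * 32
)

if __name__ == "__main__":
    print("recipients:", recipient_key_ids(SAMPLE))
    print("unexpected:", unexpected_recipients(SAMPLE, INTENDED))
```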
The "Private" context of a VPN is much more important than the virtualized network presence of a transferred network link.
Privacy and cryptography are intimately linked in Virtual Private Networks; it's the cryptography that makes people willing to use the link at all.
So, from that I have to ask a simple question: Does @Home plan to monitor my traffic for information they can't decrypt? Is @Home saying that if I would use an unencrypted link to my work email, they'd have no problem with my working from home?
Can you imagine if a *telephone* company tried to specify who you were and weren't allowed to call, and what you were allowed to say, and that they needed to be able to understand every word you spoke?
What part of "Common Carrier" doesn't @Home understand?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
DOS should not be loading before Windows.
It shouldn't, I'm happy it's not, it's excellent that they've pulled out yet another layer of headaches, huzzah.
The problem--and it's a real one--is that they're preventing DOS from loading at all.
There's *no good reason* for F8 not to allow a DOS session to start up. Yes, there's a good reason for DOS not to load when Windows is loading--but from a pure troubleshooting point of view, access to the core filesystem is inordinately useful for system repair and there is no benefit to the customer for such functionality to be removed.
It's sad, really. This is yet another example of Microsoft's technological achievements (successful migration of the PC industry from DOS/Win16 to Win32, excavation and elimination of DOS legacy code) being marred by the relentless drive of their business side to quell competition. DOS is not just a lower operating system--it's a basic environment that can be entirely overwritten by whatever code happens to run underneath it. Much has been said about the ability to run alternative operating systems being quelled by this design; the faults generated are actually much more devious. DOS lets the user replace anything with everything; under the Windows model, Microsoft holds the final say on what calls you're allowed to issue, what memory you may rewrite, what partitions you may generate. Even the simple requirement to rewrite applications such as Partition Magic in full Win32 code--and that's presuming a hard drive partitioner could be allowed to function through the API--at minimum makes the code much less portable across OS's, and gives Microsoft leverage over yet another critical element of system configurations.
The philosophy of the DVD contracts was to achieve restrictions over consumers in excess of what the law would impose by preventing any vendor from being able to legally provide entire realms of fair use functionality to consumers. By doing an end run around the law, the studios hoped to effectively reverse entire swaths of public policy. Considering the anticompetitive and intrusive charges against Microsoft, this code extraction is similarly an end run around the technological capability of the generally open PC platform to run operating systems and environments other than those prescribed by Microsoft.
I don't like it, I'm not happy, and I do believe formal complaints should be issued in this circumstance. This isn't just about Microsoft making it harder for their users to run alternative operating systems; it's about Microsoft closing off direct access to a user's own system to the point of forcing the OS to crash before giving the user a command prompt.
Crashing is not a feature.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
[WARNING: Rant. Sorry.]
The industry doesn't trust their customers not to pirate their music.
Customers, in turn, don't trust the industry not to sell "scientifically derived profiles" of your psychological state to your bosses, your friends, and each other, based on the music you buy. It only needs to be accurate enough to sell; nobody in the industry's going to get fired when you do.
So you've got a watermark. What's in it? If it ain't the identity of the licensed listener, in some form, the watermark might as well not be there at all.
That's why MP3 has been allowed to spread so far, incidentally. The end result desired is per-user tracking. A few years of piracy should have worked to make the public accept per-user tracking. But the piracy was too good, and the privacy was too lacking.
They're reaping what they've sowed. Greed in fighting privacy regulation has decimated the inviolate personality (one of the better concepts trumpeted by Slashdot recently); the widespread support for that atrocious e-signature bill is simply disturbing.
Show me an industry that supports touch-tone phone presses as legal signatures in a court of law and I'll show you an industry that's losing touch.
What a tragedy, a soap opera, or a comedy of errors, depending on your perspective.
Yours Truly,
Dan Kaminsky
"Little Caesars? You do pizza?"
I have a simple question.
Suppose for a moment that, indeed, many universes inhabited this specific multiverse.
Also suppose that certain extreme events would lead to cross universal leakage.
We wouldn't need to wait for a particle accelerator to be built to witness such effects--those stellar furnaces known as stars should be a constant source of evidence for reactions so extreme that they violate the bounds of this 3D environment.
In fact, stellar reactions should be the most mysterious, because they'd contain the most missing energy by far. It's not unimaginable, to be sure. Where I think some things start to break down is that, if there *is* leakage, the events that cause such things as Gamma Ray bursts would *need* to involve cross universal effects.
A bigger problem actually with cross universal gravity is that it would cause real problems for universal integrity. In order for multiple universes to exist in parallel to each other without any kind of "reinforced wall" between those universes, they must grow in parallel to one another and never blur together. But if gravitation in one universe can extend out towards another, there'd be no way for the parallel universes to remain separate--particularly if the forces equated at short distances, the universes would draw together into one.
Thoughts?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
"Little Caesars? You do pizza?"
I've got a system I've been sitting on for a while that gives you the network isolation of Windows PPTP with the trustable crypto of SSH. I haven't done much development work on it in quite some time; anyone out there who'd like to hack on this and get it up to 1.0, toss me a note.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
"Little Caesars? You do pizza?"
I can't read the actual story (it's not responding) but I have the feeling that nobody believes this company's rationale for scanning the net--demographics simply are not retrieved by traceroutes, unless you're trying to get a map organized by available bandwidth growth over time.
I don't think people trust that these guys aren't looking to distribute vulnerability profiles of major companies--what if the psychographics are regarding the IT staffs of major companies?
The Internet Auditing Project detected bugs, but did not identify those who were specifically vulnerable. If this startup goes under, who buys their *ahem* Customer Database?
That being said, they're in a nasty situation. They probably have something innocuous and cool and can't explain what they're doing or why because it'll spark off competition. They should NDA Mudge and let him say whether or not we should be worried.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
"Little Caesars? You do pizza?"
http://slashdot.org/comments.pl?sid=00/06/14/1336234&cid=7
"Oh dear God, can you imagine the anticompetitive, anticonsumer, antirecording, pro government manipulation("go bribe that senator with a junket") style messages that fly around the RIAA?"
Looks like I'm about to find out, eh?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Discs cost $50 there so you can see why they are concerned about gray marketing the US discs back to Japan. Also the article says there aren't many players in Japan, so disc sellers need to keep the prices high to recoup production costs.
Either the market is large enough to support selling the discs legitimately, or it's so small that they won't lose much money from the few people who actually watch DVD's in Japan.
It's one of the two. Neither justifies this ridiculous position that Japan is in right now.
--Dan