> Hostname or username is longer than 255 characters.
> Does this mean it's secure?
ABSOLUTELY NOT... the message "is longer than 255 characters" was issued by your (non-openssh) client, which imposes a 255 char limit.
But based on that version alone, you need to replace your sshd. If you obtain OpenSSH and (at least) compile it, then you can use the OpenSSH version of 'ssh' to do the test.
Then, from within the source dir, run the test using the newly compiled ssh:
./ssh -v -l `perl -e '{print "A"x88000}'` localhost
I did that while doing a 'strace -o trace.out -fF -p xxx' (xxx was the pid of the main sshd daemon whose parent pid is 1).
The ssh client's verbose output ends with
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
Connection closed by 127.0.0.1
[uh oh, sudden disconnect!]
...and the strace log tells the rest of the gruesome story...
... After many reads of encrypted gobbledygook,
10951 --- SIGSEGV (Segmentation fault) ---
TILT.
SEG fault. Call key operator!
Tesla's energy transfer experiments were awesome in their day, but many of his AC experiments -- especially applied to the ether -- would knock our modern world on its ass.
:)
Many of the cool devices in his workshop -- the wool powered Van de Graff treadmills to the spark gap wireless sets, on to the three-story 'God Has Spoken!' plasma lightning generator... would bring the sirens and the suits.
Unfortunately the very properties that make energy transfer possible make it 'noisy'. With our modern radio receivers and dense modulation techniques, there's little tolerance for folks who like to play with lightning.
The Ether is not very accommodating. Line of sight energy transfer from orbit through a GHz/THz beam is an option, but high-current over the horizon or through the earth stuff is too loud, and we've already committed the ether for communication. For example, most of those cold war over-the-horizon radars that used to roll over large portions of the HF band have been retired. Good riddance!
Our critical use of the spectrum reaches down to the dozens of hertz... Tesla once demonstrated an amazing ELF coupling device that used low frequency high current AC with the earth as the medium, and was able to power a light bulb miles away.
Try it today and you might disrupt maritime and aviation beacons, or more exotic forms of oceanic data transfer... if the spooks lose contact with their subs every time you crank up some Big Science gizmo, you can expect a really warm reception.
It's true that we are buzzing the world big time at 50 and 60 hertz... but those throbbing fundaments and their harmonics are stable, known & notched, representing a good tradeoff for civilization.
Also, whales and elephants use the ELF band for long distance communication. Muck with their freqs and they become disoriented and cannot navigate. Even humans have been known to be disrupted by low frequency high energy fields... with effects that range from mild discomfort to head banging, hysterical giggling, or dimpled chads.
In this day, singling out any single web server product that logs IP information by default -- when they all do -- carries the flavor of provocative shotgun whining. Picking on a product to call attention to a more general issue has a superior hype response payoff; your targeting of a popular product gains better news coverage and attracts more response traffic, as loyal customers speak out in its "defense."
Your server is your home and castle, your visitors are your guests. To get static pages and content they may only need to get past the moat; but if you run CGI, your front door is wide open and you must keep watch over them to make sure they stay out of the fridge and don't wander into the bedrooms.
If you put up an Internet web server, it is irresponsible not to log IP addresses. In server context, IP addresses are not people, they are merely "source vectors." Only when you serve and log cookies does that context approach the person-level -- but even then you're still logging browsers, not people.
During a transaction the IP address will always be known. A log file is merely a form of persistent memory that extends beyond that moment. Therefore the real issue is not whether to log, but how long it is retained.
If anonymity is declared as part of the service you are providing, it's easy to see that you start to cross the line if you write anything but summary stats to disk.
But for all other uses, it is good practice to keep logs around for at least one "blink cycle", twice the window of time in which you regularly attend to the server. For most of us this is the time of the day when we sleep; let's be conservative and declare it to be a full 24 hours. If you awake and discover a problem, you expect to have on hand enough information to identify what, how and why even if who does not matter.
Beyond the blink cycle, at issue is how often you rotate, how many rotations you keep -- and if you include logs in your regular system backups, the timespan until you scratch them.
Internet activists regularly watch for legislation that unfairly targets the Internet medium, for crimes that are already covered by common law. In that sense, the IP logging issue is already addressed by an emerging "Internet common law" -- the "privacy statement". The idea is not to clamp down absurdly on information gathering practices that have real use and purpose, but to offer a convention where visitors are clearly informed of the information that is collected so they can make their own judgement.
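The post above draws the line for an anonymity-declared service at "summary stats" only: the IP address is known during the transaction, but nothing that identifies the source vector should reach disk. The following is an added example, not code from the original post, showing what that looks like in practice: raw Common Log Format lines are reduced in memory to request, status, path and CGI counts plus a distinct-client tally, and the returned summary contains no addresses. The log lines are constructed for the example, and the CGI path prefix and field names are this example's assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format (not from the original post).
# Addresses come from the documentation ranges; the last line is deliberately malformed.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
192.0.2.10 - - [10/Oct/2000:13:55:37 -0700] "GET /cgi-bin/search?q=tesla HTTP/1.0" 200 512
198.51.100.7 - - [10/Oct/2000:13:56:01 -0700] "GET /index.html HTTP/1.0" 304 0
203.0.113.5 - - [10/Oct/2000:13:57:12 -0700] "GET /cgi-bin/guestbook HTTP/1.0" 500 88
203.0.113.5 - - [10/Oct/2000:13:57:20 -0700] "GET /missing.html HTTP/1.0" 404 210
this line is not a valid log entry
"""

# Common Log Format: host ident authuser [date] "method path protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Assumed location of CGI programs; adjust to the server's layout.
CGI_PREFIX = "/cgi-bin/"


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if the line does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Reduce raw log lines to summary statistics that contain no IP addresses.

    Source addresses are only used in memory to count distinct clients; the set
    itself is discarded, so persisting the returned dict records no visitor identity.
    CGI requests are counted separately because the post treats them as the
    higher-risk path into the server.
    """
    clients = set()
    by_status = Counter()
    by_path = Counter()
    cgi_hits = 0
    unparsed = 0
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        rec = parse_clf(line)
        if rec is None:
            unparsed += 1  # count, but never copy, lines we cannot interpret
            continue
        clients.add(rec["host"])
        by_status[rec["status"]] += 1
        # Drop the query string so per-path counts do not leak user-supplied input.
        by_path[rec["path"].split("?", 1)[0]] += 1
        if rec["path"].startswith(CGI_PREFIX):
            cgi_hits += 1
    return {
        "requests": sum(by_status.values()),
        "distinct_clients": len(clients),
        "by_status": dict(by_status),
        "by_path": dict(by_path),
        "cgi_hits": cgi_hits,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines(keepends=True)).items():
        print(f"{key}: {value}")
```

Running this against a day's access log at rotation time and writing only the returned dict is the "summary stats to disk" arrangement the post describes; the raw lines with addresses never leave memory. For every other service the post's blink-cycle rule applies instead, and the raw log is what you keep for at least the 24 hours.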
When asked, "What do you think of Western Civilization?" . . .
Gandhi replied, "I think it would be a good idea."