Slashdot Mirror


User: Zarhan

Zarhan's activity in the archive.

Stories: 0
Comments: 526

Comments · 526

  1. Re:Translation on Obsession With Firewalls Could Hinder IPv6 · · Score: 1

    Indeed - the presentation I linked talked about how to find hosts other than by scanning (DNS, sequential order, guessing MAC addresses for EUI-64 notation, etc). Never said that it would provide security, just that you cannot necessarily brute-force scan it :)

  2. Re:Translation on Obsession With Firewalls Could Hinder IPv6 · · Score: 1

    And I linked the wrong presentation. I meant this one:

    http://www3.ietf.org/proceedings/07mar/slides/v6ops-6/sld1.htm

    "Observations of IPv6 firewall and IDS".

    Sorry about karmawhoring, but I'm at karmacap anyway.

  3. Translation on Obsession With Firewalls Could Hinder IPv6 · · Score: 5, Informative

    "Today we learned that lots of people who have thought of NAT as a security mechanism are getting hit with a cluebat when they find out that IPv4 NAT also implements a stateful firewall as a byproduct. Since there is no NAT with IPv6, you only have to implement a stateful firewall without address translation."

    Sigh.

    This is a non-issue.

    What IS an issue are the new IPv6-specific things related to security. You cannot do a network scan anymore since even a /64 is a huge address space to scan, and so on. The presentation I watched at IETF Prague was quite interesting: http://www3.ietf.org/proceedings/07mar/slides/v6ops-1/sld1.htm

    There are some implementation issues, such as anycast addresses and stuff like that you need to take into account.

    However, this "getting rid of connectivity issues due to no longer having to NAT" has NEVER been expected by anyone who knows even a bit about networking. Because we're not returning to an un-firewalled world.
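    As an added example (not from the comments above or from the linked IETF slides), the arithmetic behind the "guessing MAC addresses for EUI-64 notation" host-discovery method mentioned in comments 1 and 3: with stateless autoconfiguration the interface identifier is derived from the MAC, so an attacker who knows which vendor's NICs sit behind a /64 only has to try that vendor's OUI block (at most 2**24 addresses, far fewer when serials are sequential), not all 2**64 addresses. The prefix and OUI used here are constructed sample values.

```python
"""EUI-64 address derivation and candidate enumeration inside a /64.

Added example, not code from the original Slashdot comments or the linked
IETF slides. Prefix and OUI below are constructed samples (2001:db8::/32 is
the documentation prefix).
"""
import ipaddress
from typing import Iterator, Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A): insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02          # universal/local bit is inverted in IPv6
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host with this MAC would configure in the given /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) + eui64_interface_id(mac))


def mac_from_slaac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if the IID is not EUI-64."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None         # privacy/random IID: no MAC to recover
    b[0] ^= 0x02
    mac = b[:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


def candidate_addresses(prefix: str, oui: str, start: int, count: int) -> Iterator[ipaddress.IPv6Address]:
    """Addresses for `count` sequential NIC serials from `start` under one OUI.

    This is the 'guessing MAC addresses' strategy: the search space is bounded
    by what the vendor shipped, not by the 2**64 hosts a /64 can hold.
    """
    oui_int = int(oui.replace(":", "").replace("-", ""), 16)
    for serial in range(start, start + count):
        if serial >= 1 << 24:
            break           # 24-bit serial space exhausted
        mac_int = (oui_int << 24) | serial
        mac = ":".join(f"{(mac_int >> s) & 0xff:02x}" for s in (40, 32, 24, 16, 8, 0))
        yield slaac_address(prefix, mac)


if __name__ == "__main__":
    # Constructed values: documentation prefix, sample OUI 00:1b:21.
    print(slaac_address("2001:db8:1:2::/64", "00:1b:21:ab:cd:ef"))
    for a in candidate_addresses("2001:db8:1:2::/64", "00:1b:21", 0xABCD00, 3):
        print(a, mac_from_slaac(str(a)))
```

    Hosts using RFC 4941 privacy addresses or otherwise randomised interface identifiers do not give this shortcut (mac_from_slaac returns None for them); the DNS and sequential-address methods from the comment still apply to those.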

  4. Re:There is a good reason to retain the voting boo on UK Voters Want To Vote Online · · Score: 5, Interesting

    Already solved in Estonia. You can vote as many times as you want online; only your latest vote counts. So if someone peers over your shoulder making sure you vote "right", you can just change your vote as soon as he's gone. Also, by going to the actual physical voting booth you can override any online votes if all else fails.

  5. Re:Echoes of 1936 on China's New Internet Plan · · Score: 1

    The parallels to the Olympics of 1936 are kind of eerie -- then it was Hitler attempting to show off German might and industry, his neat and orderly Aryan society, and the superiority of the German race. Perhaps this is not as sinister, but it is certainly disturbing.

    So who's going to be the Jesse Owens of 2008?

  6. Interactive tasks on The Completely Fair Scheduler · · Score: 3, Insightful

    For this reason, I've been using Con Kolivas' patches to replace the scheduler. http://members.optusnet.com.au/ckolivas/kernel/ - very helpful especially if you don't have the fastest computer around. Also seems to help a bit with I/O - if my hard drive is thrashing for whatever reason, interactive stuff still remains reasonably responsive. Or at least it doesn't make my mouse cursor skip...

    Even so, I'd prefer to have IO better scheduled - ionice doesn't really seem to work at least for me.

  7. Madwifi? on Critical Security Hole in Linux Wi-Fi · · Score: 1

    AFAIK, Atheros drivers aren't even in the main kernel tree yet. For the last few years they have seemed to be in perpetual pre-release (0.xx) versions..

  8. Does this still depend on weak IVs? on WEP Broken Even Worse · · Score: 3, Interesting

    For some reason I can't get the paper to load, but anyway, does this still depend on weak initialization vectors?

    I know that the original attack did depend on that, and most software and base stations have since been configured to avoid those weak IVs. I know that some stuff (like Nokia's base stations) is still weak against the original attack (at least when tested with Kismet); however, against Cisco Aironets and almost any newer hardware I haven't been able to see this weakness in action when trying out whether it really works...

    (Terabeam uses the term "WEPPlus" for this - see http://www.terabeam.com/solutions/whitepapers/wep-plus.php )

    Anyway, if this is just an extension of the original attack, then it still requires those weak IVs to exist.

    Or is it something completely new?

  9. Re:Galactic Civilizations 2 on Most Impressive Game AI? · · Score: 1

    AI does not cheat, if that's what you mean. For the most part, increasing the difficulty level actually does mean that the AI switches to more advanced algorithms - only the two highest levels (or so) actually give some economy bonuses to the AI.

  10. Galactic Civilizations 2 on Most Impressive Game AI? · · Score: 5, Interesting

    Well, one of the greatest experiences (and still is), AI-wise, is Stardock's XXXX-type space strategy game, Galactic Civilizations 2. I especially like when, on easier levels, you do something and the AI race sends a message "It seems that you are making a massive buildup for war. However, with this difficulty level, I pretend not to notice it until you actually make your strike." or something to that effect.

  11. Encountered this as well on HP Dishonors Warranty If You Load Linux · · Score: 2, Interesting

    Needed to send a Linux-running Omnibook to RMA (bad combo drive - couldn't read DVDs or burn CDs). Solved the problem by using the sysrescue live CD (which it could read), and just doing an image from the hard drive to another computer over NFS. Then punched in the original WinXP "restoration CDs" and shipped the thing away. When it came back, just restored the images.

  12. Aaa...Narn Hin Hurin on New Tolkien Book Released 'The Children of Hurin' · · Score: 4, Informative

    I always liked the Hurin's Children story, the one in Silmarillion, and also the version with more details in the collection "Unfinished tales of Númenor and Middle-Earth".

    Anyway, the story has quite a lot of similarities with the Finnish folklore Kalevala, specifically Kullervo's story. Knowing how much Tolkien liked Finnish, some of the stuff might be intentionally taken :)

    From the wiki article:

    Cantos 31-36: The Kullervo cycle: Untamo kills his brother Kalervo's people except for the wife who begets Kullervo; Untamo gives Kullervo several tasks but he sabotages them all; Kullervo is sold as a slave to Ilmarinen; after being tormented by Ilmarinen's wife, he exacts revenge and the wife gets killed; Kullervo runs away and finds his family unharmed near Lapland; Kullervo seduces a maiden and later finds out she is his sister; Kullervo destroys Untamola (the realm of Untamo) and upon returning home finds everyone killed; Kullervo kills himself.

    Well... parallels to Túrin are there.

  13. Re:Unsubstantiated fearmongering on Ten Dangerous Beliefs About Smart Phones · · Score: 1

    I have only completed the written test - going for lab exam this July (they sure don't have too many open slots...).

    And I still prefer OpenBSD pf over PIX or IOS inspect features. And so far the training material has failed to convert me (granted, routing&switching exam's security features are mostly limited to reflexive access-lists...)

  14. Unsubstantiated fearmongering on Ten Dangerous Beliefs About Smart Phones · · Score: 5, Insightful

    The point in the summary is number 6 in the article. Anyway, this is just bollocks.

    You authenticated yourself to the phone on your desk with building and room access controls.

    You authenticate yourself to your cellphone with a PIN code.

    I don't know what the thing is about "smart" phones - the argument in the article works with any normal phone. Anyway, you still authenticate yourself to the phone. Oh, someone is coming in with a lead pipe and steals the phone from you? Well, if someone wants your precious off-band password that badly they'd probably force you to log into the system anyway. Otherwise, if it's just some street junkie running off, you'll have plenty of time to call the operator and tell them about the theft.

    Sometimes the phone may even request additional PIN numbers when going for more sensitive areas. My company uses the mobile phone as an off-band authentication token for signing in to the VPN - when you connect, your phone beeps at the same time and asks you to type in a (different) PIN number. No more carrying around that SecurID key. (And no, this doesn't require anything special, it's a service on the SIM card.)

    Other arguments are also dubious at best:

    3. Communications are encrypted from end to end.

    BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers.

    So who has configured your e-mail client not to use SSL? If you are using webmail, it's encrypted. If you are using IMAP, POP3, or SyncML, those have encryption options as well.

    And bloody well you can also use VPN (yes, latest Nokia E-series phones are quite compatible with Cisco VPN concentrators).

    As for their server security...well, WHO IN THEIR BRIGHT MIND would store corporate or state secrets on a Hotmail account?

    9. Spying on my smart phone is hard.

    Think spying on your activities is hard? Think again. Most smart phones have no equivalent of Bluetooth authentication when plugged in -- they just become slave USB devices and give up all of your data.

    Oh phleeze. What do USB and Bluetooth have to do with each other anyway? In any case, yes, there were phones in the past that didn't include any sort of Bluetooth authentication (such as the Nokia 6310i), but that is hardly the case now.

    Of all the fearmongering, this is the only even remotely valid argument (with physical access you can of course do almost anything, as with any device, so the USB point is valid), and using Pointsec or some other file-system encryption on your phone is a good idea.

    All the other stuff mostly concerns the backend systems where your precious e-mails are stored. Has nothing to do with the phone. If Hotmail leaks my e-mails, it's Hotmail's fault. If I access Hotmail with my phone, it doesn't magically become the phone's fault.

  15. Umm, old news? on NASA Confirms Solar Storm Near 2012 · · Score: 5, Informative

    The article is dated March 10, 2006.

  16. Alastair Reynolds on Scientifically Accurate Sci-Fi for High-Schoolers? · · Score: 1

    I kinda liked the "Shrouders universe", consisting of Revelation Space, Redemption Ark and Absolution Gap (and also the separate story Chasm City). Take a look at the writer's own site. He's a former ESA astrophysicist so most of the basics are correct (granted, in Absolution Gap you get to some pretty weirdish ideas about superstring theory, but...)

  17. Re:Nostalgic name, but that's it. on Commodore Returns with New Gaming PCs · · Score: 1

    Yes, but it would still be kinda nice to own a Commodore (Athlon) 64.

    I just wish that they'd use original C-64-like cases..

  18. Paranoia with national ID cards on UK's Blair Dismisses Online Anti ID-Card Petition · · Score: 1, Insightful

    I don't understand what's wrong with national ID cards as such. It's just a method of authentication, just like your passport is, to tell that you are who you claim you are.

    Why the paranoia? Nordic countries have had such cards (and citizen registers) at least since WW2...to help with issues such as arranging voting (no need to "register as a voter"), social security, taxes, etc.

    The biometrics part of the UK ID card is of course another issue - fingerprints, retinal scans, DNA and all that are not proven secure. Unique to every human being, yes, but hardly secure. You leave your fingerprints all over the place. You leave your DNA all over the place. Somehow the advocates of biometrics seem to be lulled into a sense that biometrics is an absolutely secure method of authentication - this is the primary problem.

  19. Re:Sex or violence? on FCC Report - TV Violence Should be Regulated · · Score: 4, Informative

    USians demand right for ultra-violence in media, get upset about female anatomy being shown (e.g. Janet Jackson's boob on tv). Europeans get upset about kids getting exposed to violence

    Heh. I remember that once they had this commentary on some softporn show (might have been Playboy Late Night or something) about ads in Europe. The narrator was all fussed up: "how can you actually remember the product when watching this commercial"....and it was a Rexona ad, with two women taking a shower after a workout in the gym. I had seen that same ad and never thought there was anything sexual in it...but hey, being a Finn and frequently visiting a sauna, I have never thought that nudity automatically implies sex.

  20. Videophones on Sign Language Via Cell Phone · · Score: 3, Informative

    At least in Finland, in cooperation with a Finnish hearing-impaired association, there's been some projects with 3G video-phones. Yes - selling a phone to deaf people opens up a nice new market :). Anyway, as far as I know the experiences have been overall positive - and no fancy sign-language-specific codecs or anything, just a normal 64kbps video phone call and a camera phone.

  21. Re:What I like to do... on Wi-Fi Penetration Tester In Your Pocket · · Score: 1

    Plus, considering how breakable 64bit and 128bit WEP were, and WPA original is, well, I just can't trust anymore wireless encryption. Go hardcore or go home!

    Exactly how breakable is "WPA original"? If by "WPA" you mean 802.11i draft 4 (as commonly meant), it supports both TKIP and AES encryption (as does "WPA2", the final version of 802.11i). And neither is particularly weak - of course TKIP has not been scrutinized as much as AES.

    Even WEP is not so vulnerable these days, since most equipment avoids the vulnerable IVs.
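    One way to see what comments 8 and 21 above mean by "avoiding the weak IVs", as an added example that is not from the original posts, from Kismet, or from the Terabeam white paper: the first Fluhrer-Mantin-Shamir attack needs IVs of the form (B+3, 0xFF, X) to leak key byte B of the RC4 key (IV || secret key), and an access point that never emits those (the "WEPPlus" behaviour) defeats that specific attack. The later KoreK and PTW attacks recover the key from ordinary IVs, so this filter is no protection against them. Key lengths and sample IVs below are constructed.

```python
"""FMS weak-IV classification and a 'WEPPlus'-style IV filter for WEP.

Added example; not code from the original comments, Kismet or Terabeam.
WEP seeds RC4 with IV || key: 3 + 5 bytes for '64-bit' WEP, 3 + 13 bytes for
'128-bit' WEP. The resolved FMS condition leaks key byte B whenever the IV
is (B + 3, 0xFF, X). All IV values below are constructed samples.
"""
from typing import Iterator, List, Tuple

IV = Tuple[int, int, int]   # the three IV bytes, first byte first


def is_fms_weak(iv: IV, key_bytes: int = 13) -> bool:
    """True if iv falls in the resolved FMS class for a key of key_bytes bytes."""
    a, b, _x = iv
    return b == 0xFF and 3 <= a < 3 + key_bytes


def fms_target_byte(iv: IV, key_bytes: int = 13) -> int:
    """Index of the secret key byte an FMS-weak IV leaks (0 = first key byte)."""
    if not is_fms_weak(iv, key_bytes):
        raise ValueError("not an FMS weak IV")
    return iv[0] - 3


def weak_iv_count(key_bytes: int = 13) -> int:
    """How many of the 2**24 IVs are FMS-weak: 256 per leaked key byte."""
    return sum(256 for a in range(256) for b in range(256)
               if is_fms_weak((a, b, 0), key_bytes))


def filtered_ivs(start: int, key_bytes: int = 13) -> Iterator[IV]:
    """Sequential IVs with the FMS-weak class skipped (WEPPlus-style).

    The 24-bit counter is split big-endian into (a, b, x); real firmware may
    order the bytes differently, which changes nothing about the check.
    """
    n = start
    while True:
        v = n % (1 << 24)
        iv = ((v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF)
        if not is_fms_weak(iv, key_bytes):
            yield iv
        n += 1


def first_ivs(start: int, count: int, key_bytes: int = 13) -> List[IV]:
    """Materialise the first `count` IVs the filter would hand out."""
    gen = filtered_ivs(start, key_bytes)
    return [next(gen) for _ in range(count)]


if __name__ == "__main__":
    print(weak_iv_count(5), weak_iv_count(13))   # 1280 3328
    print(first_ivs(0x03FF00, 3))                # skips the whole (3, 0xFF, *) row
```

    The filter removes 13 * 256 = 3328 IVs for 128-bit WEP (5 * 256 = 1280 for 64-bit), so a capture from a WEPPlus access point should show none of them; seeing them in a Kismet capture is the sign the comment describes.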

  22. Re:Number of atoms in the universe on Two Snowflakes May Be Alike After All · · Score: 1

    The problem is that once you've done a ping sweep of the IPv6 network, the first lot of snowflakes have melted (along with the DHCP server).

    That's why you use IPv6 stateless autoconfiguration. Then the snowflakes can melt each other when checking if the address is already reserved. And if it is, you've found two snowflakes that are identical (as far as MAC Addressing goes)!

  23. Re:Since when is Old Tech == Bad Tech? on A Case for Non-Net-Neutrality · · Score: 1

    Unless he means this: http://www.faqs.org/rfcs/rfc1191.html. It does involve ICMP messages (MTU too large). Not "ping" though (whatever that means)

  24. Re:invalid analogy on A Case for Non-Net-Neutrality · · Score: 4, Interesting

    Think about it. . .BGP routes based on the least number of hops.

    No, they are not. BGP routes are based on the least number of traversed autonomous systems (i.e. networks) - it's a path vector protocol. And you can still attach a metric value to specific peers when distributing the routes to whatever you are running internally (IS-IS, OSPF, etc).

    Of course you cannot tell anything from the internal state of your peering network (unless the peer is smart enough to stop advertising if, say, half of its core network goes down even though connectivity is still possible). But hey, I'm nitpicking here...
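    An added example (not from the comment above) of the point that BGP selects on AS path rather than hop count: a reduced BGP decision process with LOCAL_PREF first (the per-peer preference the comment alludes to), then shortest AS_PATH, plus the AS-path loop check a path-vector protocol gets for free. The next-hop tie-break stands in for the rest of the real decision process (origin, MED, IGP metric, router ID), and all routes and AS numbers are constructed.

```python
"""Reduced BGP best-path selection: AS_PATH length, not router hop count.

Added example, not from the comment above. Models the first steps of the BGP
decision process (LOCAL_PREF, then AS_PATH length) and the loop check a
path-vector protocol provides. The next-hop tie-break replaces the rest of
the real process (origin, MED, IGP metric, router ID). Routes are constructed;
AS numbers are from the documentation and private ranges.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: List[int]        # AS numbers, nearest AS first
    local_pref: int = 100     # set by local policy per peer; higher wins
    router_hops: int = 0      # IGP hops through the transit ASes; invisible to BGP


def has_as_loop(route: Route, local_as: int) -> bool:
    """A path already containing our own AS is a loop (or a leak) and is dropped."""
    return local_as in route.as_path


def best_path(routes: List[Route], local_as: int) -> Route:
    """Choose the best of several candidate routes for one prefix."""
    prefixes = {r.prefix for r in routes}
    if len(prefixes) != 1:
        raise ValueError("candidates must all be for the same prefix")
    usable = [r for r in routes if not has_as_loop(r, local_as)]
    if not usable:
        raise ValueError("no loop-free path")
    # Higher LOCAL_PREF first, then shorter AS_PATH; router_hops never enters.
    return min(usable, key=lambda r: (-r.local_pref, len(r.as_path), r.next_hop))


def sample_routes() -> List[Route]:
    """Constructed candidates for 192.0.2.0/24 as seen from private AS 64512."""
    return [
        Route("192.0.2.0/24", "198.51.100.1", [64496, 64500], router_hops=20),
        Route("192.0.2.0/24", "198.51.100.2", [64497, 64498, 64499, 64500], router_hops=4),
    ]


if __name__ == "__main__":
    routes = sample_routes()
    print(best_path(routes, 64512).next_hop)   # 198.51.100.1: shorter AS_PATH wins despite 20 hops
    routes[1].local_pref = 200                 # local policy prefers the second peer
    print(best_path(routes, 64512).next_hop)   # 198.51.100.2
```

    The second run shows the "metric value on specific peers" idea: LOCAL_PREF set by policy overrides the AS-path comparison, which is also why a mis-set preference on a transit peer can pull traffic onto a longer path without anything looking wrong in the AS_PATH itself.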

  25. Re:Not too wrong... on Predicting the Internet in 1995 · · Score: 1

    But they really liked usenet. The web forum has supplanted it, but they didn't really see that.

    I for one still prefer Usenet. Most web forums (phpBB, etc) don't support even the most basic functionalities of Usenet: threads(!), cross-posting, etc. Among the few exceptions are Slashdot (in a sense) and Gmane, which allows you to see the same content via a web browser interface, your favorite newsreader, or as a mailing list.

    Web forums are worse than Usenet was 25 years ago. Of course, for most people, they are "adequate". Still, I'm glad that Usenet has not yet died (well, the alt.* hierarchy is a pain...). Kudos to Google for getting the Dejanews archives!