D'oh! Didn't think about that. Didn't see any mention of it in the article either, though.
Question is, does sshd know when echo is turned off on the terminal? If so, here's a possible solution:
1. Patch sshd so that whenever echo is turned off, instead of not echoing anything to the client it echoes a SSH_MSG_IGNORE message for each byte received.
2. You could also make it buffer input for a short amount of time whenever echo is turned off. Wait until timeout or when you receive a newline, then send the input. Since you can't see what you're typing it won't feel sluggish. This has the additional benefit that it can defeat the attack I mentioned in my previous post where you had untrusted local users on the host machine; however, it's less transparent than method 1.
Any thoughts?
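An added illustration of the two countermeasures proposed in the comment above (not part of the original post, and not OpenSSH code or the poster's patch): a small simulation of what a passive sniffer sees on the wire under the status quo, under SSH_MSG_IGNORE padding, and under line buffering. SSH_MSG_IGNORE = 2 and SSH_MSG_CHANNEL_DATA = 94 are the real message numbers from RFC 4253 and RFC 4254; the class names, the 0.5 s buffering window, the 10 ms server turnaround, the sample password and the keystroke timings are assumptions made up for the example.

```python
"""Simulation of SSH_MSG_IGNORE padding and line buffering while the tty
has echo off.  Added example, not OpenSSH code.  Message numbers are the
real ones (RFC 4253, RFC 4254); class names, delays, the buffering window,
the sample password and the keystroke timings are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple

SSH_MSG_IGNORE = 2          # RFC 4253 s.11.2: receiver must silently discard it
SSH_MSG_CHANNEL_DATA = 94   # RFC 4254 s.5.2: session data (keystrokes, echo)

Trace = List[Tuple[float, str]]   # what a passive sniffer gets: (time, direction)


@dataclass
class Packet:
    t: float
    direction: str   # "c2s" or "s2c"
    msg_type: int    # encrypted on the real wire; only the endpoints see it


@dataclass
class Session:
    """Interactive session under one of three policies.

    "naive":  server echoes only while the tty has echo on (status quo)
    "ignore": server answers every keystroke with SSH_MSG_IGNORE while echo is off
    "buffer": client holds keystrokes while echo is off and sends them as one
              packet at newline or once the user pauses for `timeout` seconds
    """
    mode: str
    timeout: float = 0.5        # assumed buffering window for the "buffer" policy
    reply_delay: float = 0.01   # assumed server turnaround for echo / ignore packets
    echo: bool = True
    packets: List[Packet] = field(default_factory=list)
    _pending: List[str] = field(default_factory=list)
    _last_key_t: float = 0.0

    def set_echo(self, on: bool, t: float) -> None:
        if self.mode == "buffer":
            # The client has to learn the tty mode; modelled as one packet from
            # the server (assumption: a real client would need protocol support).
            self.packets.append(Packet(t, "s2c", SSH_MSG_CHANNEL_DATA))
            if on:
                self._flush(t)
        self.echo = on

    def keystroke(self, ch: str, t: float) -> None:
        if self.mode == "buffer" and not self.echo:
            if self._pending and t - self._last_key_t >= self.timeout:
                self._flush(self._last_key_t + self.timeout)   # pause: send what we have
            self._pending.append(ch)
            self._last_key_t = t
            if ch == "\n":
                self._flush(t)
            return
        self.packets.append(Packet(t, "c2s", SSH_MSG_CHANNEL_DATA))
        if self.echo:
            self.packets.append(Packet(t + self.reply_delay, "s2c", SSH_MSG_CHANNEL_DATA))
        elif self.mode == "ignore":
            # Same size and timing as an echo would have; the client discards it.
            self.packets.append(Packet(t + self.reply_delay, "s2c", SSH_MSG_IGNORE))

    def _flush(self, t: float) -> None:
        if self._pending:
            self.packets.append(Packet(t, "c2s", SSH_MSG_CHANNEL_DATA))
        self._pending.clear()

    def sniffer_view(self) -> Trace:
        """Direction and timing only: type and payload are encrypted."""
        return sorted((p.t, p.direction) for p in self.packets)


def su_scenario(mode: str, echo_off_for_password: bool = True) -> Session:
    """User runs `su`, then types a password with echo off (constructed timings)."""
    s = Session(mode)
    for i, ch in enumerate("su\n"):
        s.keystroke(ch, 1.0 + 0.2 * i)
    if echo_off_for_password:
        s.set_echo(False, 2.0)             # su turns echo off before reading the password
    for i, ch in enumerate("hunter2\n"):   # constructed sample password
        s.keystroke(ch, 2.5 + 0.15 * i)
    if echo_off_for_password:
        s.set_echo(True, 4.0)
    return s


def unanswered_keystrokes(trace: Trace) -> int:
    """Client packets with no server packet before the next client packet:
    the signature a sniffer uses to spot password entry and count its keys."""
    count = 0
    for i, (_, d) in enumerate(trace):
        nxt = trace[i + 1][1] if i + 1 < len(trace) else "c2s"
        if d == "c2s" and nxt == "c2s":
            count += 1
    return count


if __name__ == "__main__":
    for mode in ("naive", "ignore", "buffer"):
        s = su_scenario(mode)
        print(f"{mode:6s} unanswered={unanswered_keystrokes(s.sniffer_view())} "
              f"packets={len(s.sniffer_view())}")
```

Under the status quo the sniffer sees eight client packets with no reply, which is the length of the password plus newline, spaced by the user's inter-keystroke timing. With SSH_MSG_IGNORE padding the trace is identical to one where echo was never turned off, so the password phase is not distinguishable by direction and timing alone. With buffering the whole line leaves as one packet at the newline, so neither length nor timing is on the wire; the costs are that the client must learn the tty mode (one extra server packet in this model, and a protocol change in practice), and that a pause longer than the window still flushes a partial line and leaks a boundary.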
This is about passwords that you type in the course of an SSH session, NOT the initial password that logs you into SSH
And how do you suggest the attacker would know when you're entering a password, except the first time you do it? The point with using SSH is that the attacker won't know when you type 'su' or 'passwd'.
There is however the possibility of having untrusted local users continuously logging when someone runs su or passwd, while another machine logs all traffic, but that's much more far-fetched.
The line was made up by British Comedian Marcus Brigstock. It's been going around the Net unattributed for a while, which always seems to make people randomly attribute it to someone rather than admit that they don't know. I've previously seen it in a print magazine attributed to Bill Gates.
.. even the DMCA hasn't made it illegal to figure out how to decrypt encrypted copyright material, but rather has made the trafficking in devices using that knowledge illegal.
I refer you to US Code Title 17 section 1201, AKA the Digital Millennium Copyright Act:
(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that -
(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
Note the word manufacture. If he cracked the encryption, as opposed to just figuring out that it was possible, it's a crime under the DMCA even if he didn't distribute anything.
Free Software does not mean GPL software. According to the FSF's license list, both the BSD license and the Apache license are free software licenses. --
Niklas Nordebo | niklas at nordebo.com
I do think you raise an interesting point though, which is whether or not someone other than the copyright owner can sue under the DMCA. I suspect a judge would throw such a case out, but you never know, since the DMCA itself doesn't specify what type of injury one needs to have.
No, they can't. No one can sue under the DMCA. The DMCA is criminal law, not civil law, and Adobe didn't sue Sklyarov, they told the FBI "hey, this evil haxx0r d00d is breaking federal law (viz. the DMCA)".
There is no question of whom the original copyright belongs to, I'm not even sure what copyright you're talking about - Sklyarov hasn't been accused of copyright infringement. Under the DMCA, there needn't be any copyright infringement involved at all, and in this case, there isn't. The DMCA makes it a federal crime for Sklyarov to distribute a tool that could theoretically be used to circumvent an access control device, even if the tool in question is never used at all. --
Niklas Nordebo | niklas at nordebo.com
Can I use Microsoft Shared source in a commercial product?
"No way, how do you dare asking?"
"Yes, definitely! Sign here, give us the money, and off you go!", rather. And you won't have to redistribute the source to your changes, either. I'm pretty sure all CE manufacturers have had access to the source, and I know that SGI had a deal to sell a modified version of NT with the Visual Workstations.
--
Niklas Nordebo | niklas at nordebo.com
Re:I think you should read the article anyway (on Search Engine Payola) · Score: 1
The reason the first three links on a search for "packet sniffer" on Altavista look like normal search results is that they are just that - normal search results. No one has bought the keywords "packet sniffer" on Altavista. Compare this with a search for "books": see the first two hits, clearly labeled "Featured sites"? Those are the paid-for links Nader is complaining about, since he wants to protect people who are so stupid they shouldn't be allowed near a computer anyway from believing those "Featured sites" are normal search results. --
Niklas Nordebo | niklas at nordebo.com
24 MiBs in total, eh?
If the US Gov. had 24 Men in Black running Linux back in 1947, I bet no one would have heard about any UFOs... --
Niklas Nordebo | niklas at nordebo.com
Hell, I say we go further than that - let's kill all people on earth! People are getting murdered all the time, and there is no chance in hell we can stop all murders. Murder victims aren't more deserving to die than someone else, so if they're going to get murdered all should be subject to murder. It's all or nothing, guys! --
Niklas Nordebo | niklas at nordebo.com
a license without any documentation isn't worth the paper it's printed on.
I think you'll find that a license without any documentation actually isn't worth the paper it's not printed on. --
Niklas Nordebo | niklas at nordebo.com
So, if you run a webserver it OK for me to try to access your port 80 to see whether you run a web server, but if you don't then I shouldn't be allowed to do it?
I want some of what you're smoking. --
Niklas Nordebo | niklas at nordebo.com
Using Xine or any other unauthorized solution is stealing. Don't steal videos.
Please explain to me who is stealing what from whom if I use Xine with a DeCSS plugin to watch my own legally bought DVD. Even if I would accept that copyright violation is theft, which I don't, there's no copyright violation involved. As for other possible legal issues, I doubt that the DMCA would cover using a DVD player to watch a DVD either, since unlike DeCSS it should be pretty clear even to a law professional that it has substantial non-infringing uses. --
Niklas Nordebo | niklas at nordebo.com
Re:Maybe we need a standard GPL-violation Form Let (on AOL And The GPL) · Score: 1
The DivX;) codec is illegal because it contains Microsoft's MPEG4 code, and MS hasn't given their permission for anyone to redistribute modified versions of their proprietary software, thus distributing the DivX;) codec is a copyright violation. There might also be problems with the EULA not allowing reverse engineering of the original software, but that boils down to the validity of clickwrap agreements and other less clear-cut stuff. --
Niklas Nordebo | niklas at nordebo.com
Why not report Sony to the Business Software Alliance? These guys are distributing pirated software, namely POSE.
The GPL isn't a contract, so breaking the GPL isn't a breach of contract. Breaking the GPL is a copyright violation, since you have no right to distribute someone else's copyrighted work without permission. If you don't accept the GPL you have no permission to copy the software. --
Niklas Nordebo | niklas at nordebo.com
Nope - you can release your changes alone as BSD, but you can't release someone else's stuff without permission. This is the same no matter if it's a piece of GPL code you've changed or the latest Microsoft OS. --
Niklas Nordebo | niklas at nordebo.com
Those who will use the server services in OS X on public servers will have to open those services to the net, so I don't see how the built-in firewall is going to help... --
Niklas Nordebo | niklas at nordebo.com
Root login may be disabled, but that doesn't mean much. Getting root on a box involves subverting a process running under UID 0 into doing your bidding, often through buffer overflows, much more often than getting the root password on the box. Once you've gotten your own code to run under UID 0 you can install all kinds of backdoors without ever bothering to find out the root password.
/etc/passwd is only accessed if the machine is booted into single-user mode
No well administered UN*X box has had non-shadowed passwords for years anyway, and exploits don't commonly concentrate on getting the passwd file these days - that's sooo 20th century :) --
Niklas Nordebo | niklas at nordebo.com
I'm pretty sure this is a troll, but munging has nothing to do with data mining. This is what the Jargon File has to say on the word 'munge':
munge /muhnj/ vt. 1. [derogatory] To imperfectly transform
information. 2. A comprehensive rewrite of a routine, data structure or
the whole program. 3. To modify data in some way the speaker doesn't
need to go into right now or cannot describe succinctly (compare
{mumble}). 4. To add {spamblock} to an email address.
In this case Dave means 'doing stuff with data' akin to the Jargon File's third definition of the word. --
Niklas Nordebo | niklas at nordebo.com
THIS ISN'T ABOUT ILLEGAL COPYING. This is about being able to print a copy of a document for your own use, something that is covered by fair use. Committing a crime by stealing GPL code is a whole different kettle of fish, and a very bad analogy.
However, it might be a good idea to put a separate package in non-us since the DMCA might make it a crime for Americans to exercise their fair use rights (but remember that it's still not a copyright violation). --
Niklas Nordebo | niklas at nordebo.com
Dropping support for Netscape is a very bad business decision, since it doesn't address your core problem: that your website sucks. 95% of all web sites that require the latest IE/Netscape does it for useless eye candy that costs money to develop, makes the site harder to use and makes the site harder to maintain.
--
Niklas Nordebo | nino at sonox.com | +46-708-405095
The company behind this has a homepage in English @ http://www.tric.com/
--
Niklas Nordebo | niklas at nordebo.com
And if they could code HTML they might even be able to sell something. No wonder dotcoms are falling like flies.
(try looking at the LX pages in Netscape if you don't understand what I'm talking about).
The prices aren't very cheap, either, compared to the Casio's $1.999.
--
Niklas Nordebo | niklas at nordebo.com
And two years later the Apple Newton was released.
"Hey, I want to be able to take my PS/2 with me between home and work."
The first successful portable computer, the Osborne 1, was released 22 years ago. The PS/2 wasn't released until 1987, a mere 14 years ago.
Quote from the original story:
I expect to see something close to what I want in no more than two or three years.
That doesn't sound too far-fetched to me.
--
Niklas Nordebo | niklas at nordebo.com
No, you can't, because it will be illegal for you to forward the mail.
--
Niklas Nordebo | niklas at nordebo.com