Slashdot Mirror


User: badger.foo

badger.foo's activity in the archive.

Stories: 0
Comments: 81

Comments · 81

  1. Some more detail over at undeadly.org on OpenBSD Will Get Unique Kernels On Each Reboot (bleepingcomputer.com) · Score: 5, Informative

    You will find more details over at the OpenBSD Journal site (undeadly.org), specifically the stories KARL - kernel address randomized link and the followup Kernel relinking status from Theo de Raadt. These and other items will also turn up on the project's Innovations page.

    And for that whirlwind tour of what's good in that system, take a peek at my OpenBSD and you slides.

  2. Fixable with simple PF rules on Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner? · Score: 2

    To me this sounds like the main problem is the "security" device that's generating a lot of noise.

    My solution would be to put something (very low power gear will do) running a recent OpenBSD and a PF ruleset with overflow rules modeled on the ones outlined here in front of that whiny device. The ruleset would need to be modified to fit the observed traffic, of course. Then anyone who fits the profile of unwanted traffic simply auto-LART themselves into the table of blocked addresses.

    With a properly placed adaptive firewall like that, the noisemaker would likely not see enough of the traffic to trigger any of the useless warnings.
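An added example, not code from the original comment or from the OpenBSD project, of a pf.conf in the style of the adaptive overload rules the comment refers to: a small OpenBSD box placed in front of the noisy device, with unwanted sources adding themselves to a block table. The interface name, the addresses and the thresholds are assumptions and have to be tuned to the traffic actually observed.

```pf
# Added example, not from the original comment or from OpenBSD's own
# documentation. Interface name, addresses and thresholds are assumptions
# that must be tuned to the traffic actually observed.

ext_if = "em0"                     # assumed external interface
noisy_box = "192.0.2.10"           # the device generating the alerts (constructed address)

# Offending sources collect here. "persist" keeps the table even when empty.
table <bruteforce> persist

set skip on lo

# Default deny, logged so the offenders can be inspected with tcpdump on pflog0.
block log all

# Anything already in the table is cut off before any pass rule is evaluated.
block quick from <bruteforce>

# Only the services the device actually offers are reachable. The state
# options make the rule adaptive: a source holding more than 50 TCP states,
# or opening more than 15 new connections within 5 seconds, is added to the
# table, and "flush global" tears down every state it already has.
pass in on $ext_if proto tcp to $noisy_box port { ssh, www, https } \
    keep state (max-src-conn 50, max-src-conn-rate 15/5, \
                overload <bruteforce> flush global)

# Let the protected device talk outwards as usual.
pass out on $ext_if keep state
```

`pfctl -nf /etc/pf.conf` checks the syntax before loading, `pfctl -t bruteforce -T show` lists the current occupants of the table, and a nightly `pfctl -t bruteforce -T expire 86400` from cron drops entries older than a day so that a source which has stopped misbehaving is not blocked forever.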

  3. Time for grownups and law enforcement to step in on SXSW Cancels Panels On Harassment Due To Harassment (sxsw.com) · Score: 2

    In a country where law enforcement seems quite eager to use lethal force against perceived threats, why are death threats like those mentioned numerous times here not at least investigated by relevant law enforcement agencies?

    In all seriousness, violence or threats of the same are not part of 'debate'. If anyone is laboring under that illusion, it's high time grownups stepped in, preferably with law enforcement of the anti-terrorist kind in tow. In civilized countries, death threats could easily lead to jail time.

  4. Easy, make them less rich on Wealth Therapy Tackles Woes of the Rich · Score: 5, Insightful

    Most societies would be more than willing to help ease the terrible burden of an abundance of assets. Raising the taxes on high incomes and capital gains would help reverse the Reagan-era onwards trend of wealth redistribution towards the higher income and wealth segments of society. We now know that wealth did not start trickling downwards, and grownups need to step in to correct the mistakes.

  5. Code not available, will it ever be? on MIT's New File System Won't Lose Data During Crashes · Score: 2

    It's now August, the conference where they'll be presenting their work is in October, and the article is a tad short on specifics. They've done a formally verified formal verification of a filesystem. If it works, that's excellent news of course, but I'd wait until we have seen the thing work and with actual code to examine before making any comments or bets on how useful this is going to be. And this being an open source-oriented site, we should be asking whether the code will indeed be available under any kind of usable open source license.

  6. Re:Any professional tools available? on Bug Exposes OpenSSH Servers To Brute-Force Password Guessing Attacks · Score: 2

    Some very simple tests based on cut and paste from http://arstechnica.com/securit... indicate that on a default install of OpenBSD with a randomly picked username, you'll get 3 tries only before the connection shuts down.

  7. Password guessing attacks are a fact of life, so on Bug Exposes OpenSSH Servers To Brute-Force Password Guessing Attacks · Score: 1

    we hit the max title length, but the second part is "and so is the existence of bugs in any non-trivial piece of software".

    Re-using the existing connection is of course useful to fend off the traditional killing techniques for rapid-fire password guessers (such as http://home.nuug.no/~peter/pf/... and similar), but you still have to come up with the set of bytes that will let you authenticate. Which leads to the other thing --

    The clowns I have been writing about ("The Hail Mary Cloud" -- http://bsdly.blogspot.ca/2013/... and links therein) used a totally different approach, but the general advice re passwords and other issues given in the conclusions apply here too.

  8. When even The Economist calls you reactionary ... on Men's Rights Activists Call For Boycott of Mad Max: Fury Road · Score: 0

    See the review over at The Economist - when even that venerable paper calls you "reactionary", that's a clear indication that this is exactly what you are.

  9. No longer OOXML ISO compliant then? on Microsoft's Age-Old Image Library 'Clip Art' Is No More · Score: 2, Informative

    If I remember correctly, the OOXML ISO standard that was rushed through some years back included specifications for a clipart library not entirely unlike the Microsoft Office one. I suppose this move means that Microsoft has given up on adhering to its wholly-owned ISO standard.

  10. Relative sizes on NASA Finds a Delaware-Sized Methane "Hot Spot" In the Southwest · Score: 5, Funny

    For UK and European readers, "the size of Delaware" is just a tad more than a fourth of "the size of Wales".

  11. Wiped out by new diseases perhaps? on DNA Reveals History of Vanished "Paleo-Eskimos" · Score: 2

    A non-violent mass die-off could suggest something along the lines of a population's first exposure to a new disease (as in one nobody in the population has any immunity for) of some sort, perhaps several. Slightly more modern examples include Native American populations that essentially disappeared during the early days of European exploration and settlement of North America.

  12. The Linux Foundation is not actually that evil on 30-Day Status Update On LibreSSL · Score: 1

    Unfortunately the summary gets several important facts wrong, including the status of support from the Linux Foundation -- last status is ongoing discussions, not total ignore as the post summary says. And you can see what Bob actually said in the video Jason Tubnor uploaded to YouTube, The real Bob Beck on OpenSSL talk.

  13. Re:This isn't fixing SSL on OpenSSL Cleanup: Hundreds of Commits In a Week · Score: 1

    Take a look at the actual commits. Quite a bit of 'KNF', but far from all of it. There's a lot of bug removal that will benefit everyone.

  14. Re:Merged back or fork? on OpenSSL Cleanup: Hundreds of Commits In a Week · Score: 4, Informative

    The work by the OpenBSD developers happens in the OpenBSD tree. Whether or not the OpenSSL project chooses to merge back the changes into their tree is yet to be seen. Given the activity level in the OpenSSL tree lately I find it more likely that the primary source of a maintained open source SSL library shifts to the OpenBSD project. To the extent that portability goo is needed it will likely be introduced after the developers consider the code base stable enough.

  15. Re:I would think on OpenSSL Cleanup: Hundreds of Commits In a Week · Score: 5, Informative

    This is actually the OpenBSD developers diving in because the upstream (OpenSSL) was unresponsive. If you look at the actual commits, you will see removal of dead code such as VMS-specific hacks, but also weeding out a lot of fairly obvious bugs, unsafe practices such as trying to work around the mythical slow malloc, feeding your private key to the randomness engine, use after free, and so on.

    It would look like it's been a while since anybody did much of anything besides half-hearted scratching in very limited parts of the code. This is a very much needed effort which is likely to end up much like OpenSSH, maintained mainly as part of OpenBSD, but available to any takers. We should expect to see a lot more activity before the code base is declared stable, but by now it's clear that the burden of main source maintainership moved to a more responsive and responsible team.

  16. Also, OpenBSD's PF modded w/incompatible licenc on Apple's Spotty Record of Giving Back To the Tech Industry · Score: 1

    Apple's main interface to the open source world is through the FreeBSD project, which is how they also drew in PF, the OpenBSD packet filter and most likely shipped more copies of that code than any other consumer. However, they made some changes that they contributed back to the world #ifdef'ed with their own incompatible license. I wrote about that a couple of years back for Call for Testing magazine, see http://callfortesting.org/macp...

  17. More commentary from OpenBSD's Ted Unangst on Theo De Raadt's Small Rant On OpenSSL · Score: 5, Informative

    OpenBSD developer Ted Unangst (mentioned in the article) has gone into the code a bit more in two articles, both very well worth reading:

    heartbleed vs malloc.conf

    and

    analysis of openssl freelist reuse. Short articles with a lot of good information.

  18. Just another password that's impossible to change on New Fujitsu Laptop Reads Your Palm, For Security · Score: 1

    I completely fail to see why this is supposed to be a good idea.

    Whether it's port knocking, fingerprint reading or palm reading as in this case, can anybody point out why this is a more 'secure' authentication method than anything else?

    I tend to think that a fingerprint or similar may possibly serve as a substitute for a user name, but would you want to let people sign in using usernames only, no password, ssh key or a generated one time pad? Other than that it was probably fun to make, I don't see any advantage at all to using a known constant as a substitute for the familiar user name plus password and/or other changeable secret.

  19. OpenBSD - compact base + up to date PF! on Ask Slashdot: Best Open Source Project For a Router/Wi-Fi Access Point? · Score: 1

    My money is on OpenBSD for projects like this. You get a very compact base system that still has all the stuff you need in there for a project like this. And even my old PF tutorial has enough info to get you up and running.

    But with the man pages and the OpenBSD FAQ you really have all the information you need at your fingertips.

  20. Could be this applies to fiction authors only on Amazon: Authors Can't Review Books · Score: 1

    There's a slight hope that they either did not include tech authors in the ban or just didn't get around to us techies just yet. When I checked just now my review of Michael W. Lucas' SSH Mastery was still available.

  21. Why stop there? Why not go for public review? on Huawei Offers 'Complete and Unrestricted' Source Code Access · Score: 2

    Much like I assume a lot of other /. readers, my trust in the equipment I use to do what it's supposed to do comes from my access and ability to read the source code. There have been minor dust-ups in the open source world about allegations that other governments than China inserted back doors in widely used software, and we still see those allegations surfacing from time to time, but never with anything solid to back them up. I believe searches on the obvious keywords will turn up stories linked from here, as well as links to source code repositories of very high quality indeed. So my advice for Huawei is, let the world see your source code, and please set up a mechanism for reviewing your own code and patches.

  22. Look at Netflow based tools such as nfsen on Ask Slashdot: Best Way To Monitor Traffic? · Score: 1

    If you can set up your gateway to export Netflow data, you get excellent data for tracking your traffic (connection metadata) without all the bulk of keeping a full copy of the traffic.

    There's a large number of tools available for collecting, analyzing and otherwise dissecting collected Netflow data, with a good number most likely available via your favorite free Unix-like operating system's packages collection. My favorite combo is to set up an OpenBSD box as the gateway, have it export traffic data via the pflow(4) facility and do the collection and analysis bits somewhere via nfdump/nfsen (see eg nfsen.sourceforge.net for info).

    There are various resources available within direct reach of web search, but I would also recommend taking a look at Michael W. Lucas' book Network Flow Analysis for a nice treatment of Netflow in general (it uses flow-tools, but most of what he writes will be useful in the context of other tools too).
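An added example, not code from the original comment or from the OpenBSD project, showing the pf.conf side of the setup the comment describes: making the gateway's states export flow records through pflow(4) so a collector receives connection metadata instead of full packets. The addresses and the collector port used here are constructed values.

```pf
# Added example, not from the original comment. Addresses and the collector
# port are constructed values; adjust them to the actual network.

# Option 1: every state created by any pass rule exports a flow record
# when it is created and when it expires, so the whole gateway's traffic
# is accounted for.
set state-defaults pflow

# Option 2: instead of the global default, export only for selected
# rules by adding the pflow state option to those rules.
pass in on egress proto tcp to port { www, https } keep state (pflow)
```

The records leave the box through the pflow(4) pseudo-interface, configured on OpenBSD in `/etc/hostname.pflow0` with a line such as `flowsrc 192.0.2.1 flowdst 192.0.2.20:9995 pflowproto 10` (constructed addresses; protocol 10 selects IPFIX). On the collector, `nfcapd -D -w -p 9995 -l /var/netflow` writes the incoming records to rotating files, and a query such as `nfdump -R /var/netflow -s srcip/bytes -n 10` lists the ten sources moving the most bytes, the kind of question a full packet capture would answer far more expensively.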

  23. Also, remember MW Lucas' new ssh book on Getting the Most Out of SSH · Score: 1

    I think it's worth mentioning to anybody who enjoyed this article that Michael W. Lucas has a fresh SSH book out called 'SSH Mastery'. Initially an ebook, but becoming available right about now in a paper version too.

    Amazon will have it, or if you're shopping for OpenBSD stuff anyway (as you should, OpenSSH which is almost certainly the ssh and sshd on your system, is essentially an in-tree development at OpenBSD), www.openbsd.org/books.html and tentacles of the ordering system will show you where to get it.

  24. The problem isn't email, it's Microsoft Exchange on Europe's Largest IT Company To Ban Internal Email · Score: 1, Interesting

    I think the main problem here is that at least a significant subset of the suits (and probably other non-techies) tend to think of Microsoft Exchange and its obnoxious client as the only way to handle email. Keep in mind that the main design smells appointment book, not messaging. My longish rant on the topic can be found at http://bsdly.blogspot.com/2011/02/problem-isnt-email-its-microsoft.html, enjoy!

    - Peter

  25. a .xxx domain, seriously? on PETA To Launch Pornography Website · Score: 1

    I'm pretty sure that embracing the root zone poisoning .xxx domain wankers is not ever going to earn them enough cash to help a single animal in need. This is a total waste of time and money IMNSHO. The kind of story you'd expect to see in very-late March or very-early April, but that doesn't fit the calendar in that particular universe I inhabit.