What makes you think it's over? It took 6 days to get to 359,000 infected hosts last time around, and you want the Internet to be choked within 14 hours?!? This time around, it will have 19 days to spread.
Microsoft estimates there were 6 million vulnerable servers when the hole was announced. They said last night that they've had 1 million downloads of the patch. How many of you think half of them were home users of Win2k? There are millions of vulnerable hosts still out there. Keep an eye on www.incidents.org. While there were only 157 hosts infected by 1am ET, there were over 22,000 infected ten hours later.
I have always had a very tight dialup Linux firewall with IPChains (only ssh open inbound), but I wanted to set up my own monitoring station to see how this thing affects me over the next couple of weeks. I hung netcat on port 80 using xinetd, installed snort, and then opened inbound port 80 in ipchains just to see how many probes will come my way. So far, no one has guessed my IP address.
At the beginning of this month, Code Red is supposed to start out with about 200,000 existing infected, unpatched machines and grow from there.
This was proven to be untrue by the 31st. I scored a 5, Insightful mentioning this on July 23rd, but by the end of the month the security firms had tried repeatedly to move clocks forward and to get the worm to reawaken, but it *never did*. Therefore, all the hype was unwarranted with respect to 8PM ON TUESDAY, TUESDAY TUESDAY!!
During the first infection it took 6 days to get to 359,000 hosts, not 12 hours like CNN would say. If you check incidents.org, you'll see that 22,000 new infections have already happened by 11am ET on the 1st. While it's not as bad as you and I thought it was going to be.. restarting with 200,000 infected hosts, it is BY NO MEANS over.
Please people, do NOT jump the gun, comparing this to Y2K. Besides, I think all the media coverage helped thwart all the y2k problems, but that's for another post.:)
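The port-80 probe counter described above, written out as an added example rather than the poster's netcat/xinetd/snort setup: a small Python listener that logs the first request line of every connection and flags requests aimed at the .ida (and .idq) Index Server mapping that Code Red abused. The 512-byte "oversized" cutoff is an assumed threshold, and the sample request lines at the bottom are constructed, not captured traffic.

```python
"""Minimal port-80 probe logger (added example; not the poster's netcat/xinetd setup).
Accepts a connection, records the request line, and classifies it."""
import re
import socketserver
from datetime import datetime, timezone

# Both extensions are mapped to idq.dll (Index Server); the Code Red probe used .ida.
IDA_PATTERN = re.compile(r"\.id[aq](\?|$)", re.IGNORECASE)
MAX_SANE_REQUEST_LINE = 512  # assumed cutoff; an ordinary GET rarely exceeds this


def classify_request(line: str) -> str:
    """Classify one HTTP request line: codered-ida, oversized, normal or malformed."""
    parts = line.strip().split(" ")
    if len(parts) < 2 or parts[0] not in ("GET", "HEAD", "POST"):
        return "malformed"
    target = parts[1]
    if IDA_PATTERN.search(target):
        return "codered-ida"
    if len(line) > MAX_SANE_REQUEST_LINE:
        return "oversized"
    return "normal"


class ProbeHandler(socketserver.BaseRequestHandler):
    """Read one request line, print a verdict, answer with an empty 404."""

    def handle(self):
        self.request.settimeout(5)
        try:
            data = self.request.recv(4096)
        except OSError:
            return
        line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
        verdict = classify_request(line)
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        # Truncate what gets logged so a hostile request cannot flood the log.
        print(f"{stamp} {self.client_address[0]} {verdict} {line[:120]!r}")
        self.request.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n")


def serve(port: int = 80) -> None:
    """Run the listener on all interfaces; open the port in the firewall first."""
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), ProbeHandler) as srv:
        srv.serve_forever()


# Constructed sample request lines (not captured traffic).
SAMPLE_LINES = [
    "GET / HTTP/1.0",
    "GET /default.ida?" + "N" * 224 + " HTTP/1.0",
    "GET /index.html?" + "A" * 600 + " HTTP/1.1",
    "FOO",
]


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(classify_request(sample), sample[:60])
```

Run it as root (or with a high port and an ipchains redirect) and tail the output; only the first 120 characters of each request line are logged, which is enough to count probes without letting an attacker fill the disk.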
I have yet to receive a *single* piece of Sircam-inspired email. I can see over a gig coming in at some poor bastard's company that runs Outlook. Imagine your entire company's roster being in your Outlook address book? Jee-zus. My sister got well over 300 copies of ILOVEYOU and my Mom's company got slammed so bad they turned off the Exchange servers for 2 days. I got 3 copies of that one, and 1 copy of PrettyPark.exe.
Hey, maybe my circle-of-friends really is that much smarter. Cool. -- Steve Jackson
Service Pack 6 knocked out email for 5,000 users of NTWS at my company because MS decided to ship out a patch that forced the logged in user to have **Admin** privileges just to use TCP/IP. Lotus Notes? Dead in the water. IE? Shot. Logins? Nope. Drive mappings? Forget it.
Didn't we test it? Of course we did. Unfortunately our "user" accounts were also domain admins, so it didn't appear in our extensive testing.
That was a bad day at the office. We definitely regretted finally getting software delivery working under CA TNG (another pain in the ass software manufacturer). -- Steve Jackson
The exploit works even if the Indexing Service is not running. The key is to remove the dll mapping for .ida. What's worse is that just about any action in modifying your IIS configuration will reenable the offending mapping if you have disabled it.
The patch from Microsoft allows that mapping to remain permanently removed. -- Steve Jackson
I *really* appreciate your recognition of my post. Unfortunately, my thoughts were discredited yesterday when I first got the ISS alert stating that several security firms have tried the clock-forwarding test, and they were *never* able to get the worm to reawaken. I guess I didn't deserve the "5; Insightful" after all:)
I never did think that it could be rereleased tonight at 8ET to get started again, but even with the 2,000 hosts with the misconfigured clocks still trying to spread the worm, the first few hours won't be as devastating as the image I painted -- a hundred thousand hosts or more kicking it into high gear all within a few minutes of each other.
I'm excited, so I'll be up late tonight to see how it's going. Thanks again for the recognition. Most appreciated!:) -- Steve Jackson
Perhaps I should have said BIND and Sendmail together give IIS a run for the money in the vulnerability list.:)
At least there are viable secure alternatives to Sendmail in Qmail and Postfix. With BIND, you can reduce the privileges, but you really need to chroot jail it. I didn't want to go TOO long on the post, so I chose to bash BIND the hardest:)
And just a reminder: click here for the ten worst and most abused vulnerabilities.. listing BIND *and* Sendmail holes. -- Steve Jackson
Back before I knew what I was doing, a Linux host I had up on the net got hacked by the Ramen worm. BIND has got to be the closest open source product to IIS with respect to massive numbers of vulnerabilities that give "immediate root access" to quote SANS.
I feel UNIX/Linux will always beat Microsoft hands down because of chroot jails. If you chroot Apache or BIND running as a non-privileged user and they get cracked, the cracker will have nothing more to fark with than the individual service they cracked. Not to downplay the severity of that situation, but at least they won't get root access on your box. Furthermore, if you script nightly overwrites of the directories hosting those services from protected locations, the hack won't be long lived.
Add to that web programming that uses protected connections to Java servlet engines (i.e. Tomcat listens on localhost-only), and you can easily and frequently rebuild your websites the moment Tripwire detects that something has changed.
And so long as Linux and UNIX run neck-and-neck in vulnerabilities, I have no interest in running a commercial UNIX. And no, BSD is not an option for me so long as I wish to run commercial (or even current) apps. I found out last night that FreeBSD is just now getting Java **1.2** in Beta. Forget about Jakarta Tomcat and Cocoon. Gimme a break. Looks like BSD is best for static HTML or perl CGI. -- Steve Jackson
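The "nightly overwrite from a protected location" plus Tripwire-style change detection described above, as an added example in Python. This is not Tripwire's code and not the poster's scripts; it hashes a service directory against a baseline taken from a golden copy, reports changed, missing and added files, and restores from the golden copy. The directory layout and file contents in `demo()` are constructed in a temporary directory.

```python
"""Integrity baseline, verify and restore (added example, not Tripwire or the poster's code)."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _sha256(full)
    return baseline


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree with the baseline; return changed/missing/added lists."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def restore(root: str, golden: str, report: Dict[str, List[str]]) -> List[str]:
    """Overwrite changed/missing files from the golden copy and delete added ones."""
    actions = []
    for rel in report["changed"] + report["missing"]:
        src, dst = os.path.join(golden, rel), os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        actions.append(f"restored {rel}")
    for rel in report["added"]:
        os.remove(os.path.join(root, rel))
        actions.append(f"removed {rel}")
    return actions


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: a defaced index page and a dropped extra CGI, then repair."""
    work = tempfile.mkdtemp(prefix="integrity-demo-")
    golden, live = os.path.join(work, "golden"), os.path.join(work, "htdocs")
    os.makedirs(os.path.join(golden, "cgi-bin"))
    for rel, body in (("index.html", b"<h1>hello</h1>\n"), ("cgi-bin/form.pl", b"#!/usr/bin/perl\n")):
        with open(os.path.join(golden, rel), "wb") as f:
            f.write(body)
    shutil.copytree(golden, live)
    baseline = build_baseline(golden)  # taken from the protected copy, not the live tree
    # Simulated compromise of the live tree.
    with open(os.path.join(live, "index.html"), "wb") as f:
        f.write(b"owned\n")
    with open(os.path.join(live, "cgi-bin", "extra.pl"), "wb") as f:
        f.write(b"# unexpected file\n")
    before = verify(live, baseline)
    restore(live, golden, before)
    after = verify(live, baseline)
    shutil.rmtree(work)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The baseline is computed from the golden copy, never from the live directory, so a compromise that happens before the nightly run cannot poison it; in a real deployment the golden copy and the baseline would live on a read-only or off-host location the service account cannot write to.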
There's a difference between web servers and web sites.. I've been searching and searching but I can't find the article right now.. I recall reading a recent /. article linking to Netcraft, but I can't seem to locate it.. anyway, here's the gist of it.. now follow me here..
1/4th of the world's web SITES run under IIS on 2/3ds of the world's web SERVERS. And the opposite is true for Apache.. 2/3ds of the world's web SITES (the 62% you always hear about) run on just 1/4th of the world's web SERVERS. In short, IIS (or its admins) are not very good at virtual hosting (running more than one totally independent website on one box), while one beefy Apache box can host 50 or 100 different web sites.
Again, TONS of vulnerable servers host a small portion of the Internet's web sites (and can cripple the net with traffic), while the VAST MAJORITY of the world's web sites run on far fewer servers running non-vulnerable Apache servers.
Imagine if Sourceforge ran on IIS? That would be one way to get a free co-lo! Open a project, get a free server all to yourself! At least until they figure out how to add a second virtual domain to the server they gave you. -- Steve Jackson
Another Junkbuster user here. For those who want to know more before clicking, it's a small daemon that uses a flat file called a blocklist on a weekly basis. They include a script to automatically update the blocklist, but it appears the blocklist hasn't updated since September. At least it's easily updatable.
The original version apparently replaces all blocked ads with a "broken image icon", but the version at www.waldherr.org/junkbuster actually replaces blocked ads with a 1x1 transparent gif resized to fill the adspace perfectly. Much nicer.
It also includes instructions for installing junkbuster in front of squid, which is awesome. My cablemodem isn't coming until November, and I share some five PCs over my v.90, so I need all the help I can get in speeding up my surfing. This combination has helped a lot, and while I get the separate X10 windows, they are never populated. The flash in-article Yahoo! ads are starting to get through, though.
I highly recommend Junkbuster and Squid on perimeter firewalls. I would use port forwarding on the firewall, but I prefer to be able to selectively shut off the sequence by loading up on "do not use proxy on" directives at the browser level. -- Steve Jackson
I firmly believe that. At my last job, my manager actually handed out PGP warez to the "inner circle" and we could right-click-to-encrypt our files and email. I also reloaded my workstation over a weekend early on to make sure there was nothing funky running in the "power user" load.
As for personal email, I found an old 486 laying around in the server room, and loaded linux on it. He ran some script-kiddie stuff against it for his personal satisfaction, and I had it locked down really well. He would call me and ask, "is dead yet? now? how about now? now?"
My personal email host is only for friends-of-friends, and they have ssh listening on 443, so I could ssh out to it, even when port 22 ssh outbound was blocked. I would occasionally surf on that host with lynx, and would rarely xfer files up to my account using scp. My boss hated the machine with a passion, but I was literally one of the three people who built that place, and he would never get rid of me.
Come to think of it, I could have just used an SSH port forward to set up my own offsite Squid proxy server. Of course I think of that now, now that I've been gone a year!!! -- Steve Jackson
Steganography will be where it's at. They say Usama bin Laden is the king of stego right now. Check out this site for stego tools.
One tool alone, "snow", allows you to hide text in other text via random white space being appended to each line. It would therefore become very easy to hide uuencoded binaries in postings in all USENET groups. Much higher bandwidth than just a few dozen groups.
You could also stego mp3's into alt.binaries.pictures.fractals or alt.binaries.pictures.furniture. There's another tool, whose name escapes me right now, that I think holds a lot of promise. It's very raw right now, but provides a very good starting point for allowing peer-to-peer connections by hiding data in TCP header fields. It even supports bounces.
If I wanted to transmit a file to you using this software, I would send a SYN packet to a web server on port 80, setting the TCP initial sequence number to the byte I'm sending and spoofing your IP address and the high port your listener is on as the source. The web server would reply to you with a SYN ACK and the ISN+1. Your listener would subtract 1 from the ISN and store the byte. The listener could drop all SYN packets on the floor, defeating port scanners.
Does anyone really think that Yahoo! logs half-open connections on port 80? Nope. You can even spread the half-open connections over dozens or hundreds of web servers. I hope someone who knows a lot more than I do builds on this starting point. And yes, I do realize that transmitting one byte at a time is painfully slow, and I suppose routers could drop unsolicited SYN ACK packets. Not to mention, ISP's may one day block outbound packets with spoofed source IP addresses.
Until then, this is pretty sneaky. -- Steve Jackson
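The countermeasure the post anticipates, routers or firewalls dropping SYN-ACKs that answer no SYN of ours, as an added example in Python. It is not any router's or firewall's code; it is a toy stateful filter that remembers outbound SYNs for a short window and passes an inbound SYN-ACK only when it matches one. The packets are constructed tuples, the 30-second window is an assumed value, and ESTABLISHED-state tracking is deliberately left out.

```python
"""Toy stateful SYN-ACK filter (added example; not a real firewall's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN, ACK = 0x02, 0x10
PENDING_TTL = 30.0  # assumed: seconds an outbound SYN stays valid without an answer


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    ts: float
    direction: str  # "out" leaves the protected host, "in" arrives at it


class SynAckFilter:
    def __init__(self, ttl: float = PENDING_TTL):
        self.ttl = ttl
        # (our_ip, our_port, peer_ip, peer_port) -> time the SYN left
        self.pending: Dict[Tuple[str, int, str, int], float] = {}

    def _expire(self, now: float) -> None:
        for key, sent in list(self.pending.items()):
            if now - sent > self.ttl:
                del self.pending[key]

    def process(self, p: Packet) -> str:
        self._expire(p.ts)
        if p.direction == "out" and p.flags & SYN and not p.flags & ACK:
            self.pending[(p.src, p.sport, p.dst, p.dport)] = p.ts
            return "pass"
        if p.direction == "in" and (p.flags & (SYN | ACK)) == (SYN | ACK):
            key = (p.dst, p.dport, p.src, p.sport)
            if key in self.pending:
                del self.pending[key]  # handshake continues; ESTABLISHED tracking omitted
                return "pass"
            return "drop-unsolicited-synack"
        return "pass"  # everything else is outside this example's scope


def run(packets: List[Packet]) -> List[str]:
    """Feed packets through one filter instance and return the verdict per packet."""
    f = SynAckFilter()
    return [f.process(p) for p in packets]


# Constructed packets (documentation addresses), not captured traffic.
SAMPLE_PACKETS = [
    # legitimate: we open a connection to a web server and its SYN-ACK comes back
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, SYN, 0.0, "out"),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, SYN | ACK, 0.1, "in"),
    # reflected: a SYN-ACK answering a SYN this host never sent
    Packet("203.0.113.10", 80, "10.0.0.5", 55555, SYN | ACK, 0.2, "in"),
    # stale: the answer arrives long after our SYN aged out of the table
    Packet("10.0.0.5", 40001, "203.0.113.11", 80, SYN, 1.0, "out"),
    Packet("203.0.113.11", 80, "10.0.0.5", 40001, SYN | ACK, 45.0, "in"),
]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.direction}] {verdict}")
```

This is the difference between the stateless ipchains rules the posts mention and a stateful filter: the decision on the inbound SYN-ACK depends on a remembered outbound SYN, so packets reflected off third-party servers never reach a listener behind the firewall.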
I agree. I absolutely feel that Microsoft can set any price they want for their products. And with the annual pricing fee schedule on the way, they *are* approaching $1,000 for XP depending on how long businesses keep the product.
Personally, I'm happy about XP coming out. With its extreme anti-piracy measures, it should shut down the Chinese distribution channels, forcing them to use Linux as recommended by the government. I'll still welcome those users, even if they do violate the GPL. XP's anti-piracy features should also put an end to the "casual piracy" so many of us are guilty of.
I hope the Linux community takes full advantage of this opportunity we have in front of us to help make Linux desktops usable for the general community. I think by Summer 2002, that many businesses are going to look to Linux for specialized, replicated desktops, not unlike X terminals, and power home users are going to be tired of getting burned by having their copies of XP shut down when they upgrade their video card. We should get ready for a massive influx of disenfranchised (there's that word again) Microsoft users looking for freedoms we've enjoyed for years. They're about to get burned big time. -- Steve Jackson
Are there any distros with security tools installed by default?
Actually, RedHat 7.1 has some pretty good firewall options available at install time. Even when installing a server, it's a good idea to set the firewall security to 'high' to buy some time while customizing it and downloading updates. Then to erase the install-time IPChains rules when you feel safe, enter
ipchains -F
service ipchains save
One thing I *love* about the RH7.1 workstation install is that sendmail is installed, BUT the sendmail.cf is actually missing a line to bind the sendmail listener to the public interface. It only includes a line to bind a listener to the loopback interface. Perfect for pointing Netscape Communicator, pine, or mutt to localhost, and even to support fetchmail without hanging sendmail out on a public interface.
It made me a little nervous when I had to research and explain the situation to my RHCE instructor when none of us in class could route mail to each other.:)
Finally, I swear by PMFirewall at www.pointman.org. Even for single interface hosts. That's been my firewall-building script for a couple of years. It configures masquerading as needed, and even knows about NTP's needs. Awesome script. -- Steve Jackson
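A check for the situation described above (sendmail bound only to loopback, only ssh reachable from outside), as an added example in Python rather than anything from Red Hat's installer or PMFirewall. It parses the format printed by `netstat -tln` on Linux and reports every listener that is neither on a loopback address nor on an allowed public port. `SAMPLE_NETSTAT` is constructed output, and `ALLOWED_PUBLIC` encodes the "only ssh open inbound" policy from the posts as an assumption.

```python
"""Listener exposure audit over `netstat -tln` output (added example)."""
from typing import Dict, List

ALLOWED_PUBLIC = {22}  # assumption: only sshd may listen on a non-loopback address
LOOPBACK_PREFIXES = ("127.", "::1")

# Constructed sample output in the classic Linux netstat -tln layout.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:3128        0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
"""


def parse_listeners(text: str) -> List[dict]:
    """Return proto/addr/port for every LISTEN line; the last colon separates the port."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6") or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append({"proto": fields[0], "addr": addr, "port": int(port)})
    return listeners


def classify(addr: str) -> str:
    """loopback / all-interfaces / specific, for IPv4 and IPv6 local addresses."""
    if addr.startswith(LOOPBACK_PREFIXES):
        return "loopback"
    if addr in ("0.0.0.0", "::", ""):
        return "all-interfaces"
    return "specific"


def audit(text: str, allowed_public=ALLOWED_PUBLIC) -> Dict[str, List[str]]:
    """Split listeners into ok and exposed; exposed = reachable port outside the allowlist."""
    report: Dict[str, List[str]] = {"ok": [], "exposed": []}
    for item in parse_listeners(text):
        scope = classify(item["addr"])
        label = f"{item['addr']}:{item['port']} ({scope})"
        if scope == "loopback" or item["port"] in allowed_public:
            report["ok"].append(label)
        else:
            report["exposed"].append(label)
    return report


if __name__ == "__main__":
    for bucket, entries in audit(SAMPLE_NETSTAT).items():
        for entry in entries:
            print(f"{bucket:8} {entry}")
```

In the sample, sendmail on 127.0.0.1:25 passes, sshd is allowed, and the portmapper, a squid bound to the inside interface and an IPv6 listener on port 80 are flagged; the scope in each label tells the admin whether the fix is a bind-address change (as with sendmail's loopback-only listener) or a firewall rule.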
I still think AOL should build their own "AOL Kiosk" based on Linux. Instead of trying to push nichy Internet Appliances, I think they should build their own distro and start sending out CD's geared towards older, unused PCs laying around people's houses. "Requirements: P100 or higher, 16MB RAM or higher, 500MB hard drive or larger, modem or ethernet card". "Warning: This CD will completely erase all contents of your computer, and convert it into an easy-to-use AOL Internet Station".
What would be nice is that since the target users of the kiosk would be consumers, they could build the distro to be extremely secure on the Internet side. No Outlook viruses. No NetBIOS hacks. No DDOSes. "Screen names" would translate to users, but now with separate, completely customizable desktops with minimal office suites.
Imagine the contributions AOL would be able to make to Linux WRT device drivers. Those pesky "please wait while we update your system" messages may actually be linux kernel module updates.
And who knows, maybe even AOL/TW would open the AUP on their RoadRunner service to allow these kiosks to share their internet connection with other PCs in the same home. Doubtful, but it would be a way for them to guarantee the security of systems attached directly to their cable modems, and therefore minimize abuse of the connected clients. I haven't performed any true forensics, but the last time I installed AOL6 for my Mom, it looked like the native AOL connection was extremely close to a traditional PPP connection. -- Steve Jackson
95 Rockefeller Center.. saw the building again on CNBC this morning, and noticed the address for the first time.
I remember just an hour after the merger was approved, CNN was showing a crew on ladders adding the letters "AOL" to beginning of the name over the main entrance.
I work at 43rd and 5th and was wondering where the building was. Now I know. -- Steve Jackson
I'm surprised that no one is mentioning that the random infection part of Code Red is programmed to restart on the 1st of *every month*. Sure, by changing the IP of whitehouse.gov and short circuiting packets destined for the old IP to the bit bucket, the attack phase will never be a problem.
However, since it appears the number of infections capped at about 359,000 machines, I would venture that at least a quarter of those machines will not be repaired/rebooted by August 1st. If the number of infections went from zero to 359,000 in a couple of days at most, imagine what kind of storm is going to kick off on August 1st when nearly 100,000 machines restart the infection phase of the worm! How long will it take for the estimated 6 *million* vulnerable IIS servers to be patched?
Just for the sake of gloom-and-doom, how long will it take before the Internet only becomes usable between the 20th and the end of each month, due to Code Red infection storms between the 1st and the 19th? I don't think the core Internet routers can perform stateful-enough inspection as to route "Code Red infection" attacks to /dev/null. Perhaps that would drive enough white hat hackers to spread a repair worm, and start that whole argument all over again. -- Steve Jackson
Pennsylvania's new non-specialized license plates actually use "www.state.pa.us" as their tagline! It also appears on all the border-crossing "Welcome to Pennsylvania" signs.
And they have a great website, too. I recently used it to print out a pdf of the handicapped parking placard application. Pennsylvania appears to be very pro-technology.
Now if I could just get the contract to enable the aforementioned MTA website to support refilling MetroCards by credit card. That would save me TONS of time in the MetroCard machine line. -- Steve Jackson
If we end with only one Linux company, prices are going to skyrocket (unless for some reason their ideology keeps the prices low (not likely)).
Don't forget about the GPL. Thanks to it, prices can never skyrocket.. at least for the software. No matter how you get a copy (of the freely redistributable versions), you are free to redistribute copies and charge however much (or little) as you wish. The software will always be free. Which brings me to what I wanted to talk about anyway. Services.
I work for IBM e-business. IBM Global Services has always added value for customers with service offerings. Now by strongly embracing Linux, we can sell our own hardware, charge an install fee for a free OS, and optionally sell our own non-free Linux software. The big gain is in the services. From what I understand, RedHat now sells multimillion dollar support contracts. They may even turn a real profit within a year or so. They "get" Linux. You can make a little money selling CDs, a little more building a better distro, or a lot more providing consulting services. -- Steve Jackson
That's the point. They ALREADY block outgoing Port 25 traffic so, yes, that is why this is such a big deal.
No they don't. I'm a Verizon user in Pennsylvania and I can connect on port 25 to any SMTP server on the net that will allow me to. I'm not an Earthlink customer, but several posts above indicate that Earthlink blocks all outbound port 25 connections to all servers except for their own outbound SMTP servers. Your high-port solution applies to Earthlink users.
I've been a Verizon customer since 8/96 and I barely ever use their DNS, SMTP, or POP3 servers. Yes, I'm a horrible netizen, in that my Linux firewall uses world root DNS servers, and updates the list once a month with 'dig'. I alternate my diald between prodigy and verizon sessions. Work pays for my unlimited Prodigy account, but it disconnects after 7 hours of connect time, and Verizon limits monthly usage to 150 hours. So I leave diald on Verizon for normal surfing periods, but switch over to Prodigy when I'm doing multi-day, restartable downloads.
I personally agree with this policy. If you still want to spam you can, but you can't tie up their SMTP servers. If you want to forge an alternate, legitimate From: address, you still can, too, with a little more work. I'm not sure if I think hosting companies should offer this same type of restricted service for their own hosted domains (without SMTP-AUTH or POP-before-SMTP), because I understand that it forces spammers to select valid 'From' domains, thereby releasing the wrath of spam fighters upon already over-worked sysadmins.
So far, it seems POP-before-SMTP or that XTND XMIT feature are best to me. -- Steve Jackson
No boiling water, huh? I use those coffee bags for ultimate convenience, and find that when I let the kettle scream nice and loud, the coffee tastes better. -- Steve Jackson
I "grew up" on pine, but started with joe before moving to pico. Yes, I know vi, but no I don't like it. I just love the ctrl-j, ctrl-k, ctrl-y/v and ctrl-u way too much. Pair it up with putty's "highlight = copy, right click = paste" and I just *love* it!
But back to the subject.. I've had a BOFH say to me, "when you grow up, you'll use Mutt". So I ask, never having used Mutt, can it be configured to automatically detect a gpg-encrypted email and prompt me for my gpg passphrase like pine can?
If so, I just might consider switching to it. Oh, and before I go, can mutt also double as a newsreader? pine's newsreading features may be the most basic out there, but I like having it all in one piece of software. I often spend a half hour a day "cell mobile" @ 14.4 ssh'd into a well-connected host, and pine is my personal jesus. -- Steve Jackson
I started with BBS'es and prodigy on my c64 in the mid-80's, and used BITNET from '88 to '89. I first got on the net in '92 with email and nn. In late 94, I had xrn up on my sparcstation for about 45 hours a week. I remember having to compile Mosaic to get on the web. I commuted 4 hours a day to NYU in NYC, and probably printed a ream's worth of FAQ's each month. I studied for my ham radio license, wrote my papers in LaTeX, and learned about Linux. Usenet really planted the seeds for my technical career.
Then came Deja, which has been easily the most important all-time tool I've used. After using Linux for 3 years, I started training friends on it. Once I helped them get under way, I taught them how to use Deja. I would even tell them that when they come to me with questions, I'm always going to reply first with, "what did Deja say?" The first guy I trained is now running 1,000 hosts in a Qwest facility.
I still go to Deja/Google every single day when I want to know *anything*. Lately, it's been "who plays the song for such-and-such commercial?" and I usually find my answer within seconds, and have the mp3 within minutes (although I'm still trying to identify the music in the Boeing ads:). I used to try to spend time each week answering q's in comp.os.linux.setup or #linuxhelp, but I hardly have time to keep up with the sheer volume anymore.
Usenet has been a major influence in my life, and any website that sports threaded discussions will always look like a second-rate Usenet to me. -- Steve Jackson
What makes you think its over? It took 6 days to get to 359,000 infected hosts last time around, and you want the Internet to be choked within 14 hours?!? This time around, it will have 19 days to spread.
Microsoft estimates there were 6 million vulnerable servers when the hole was announced. They said last night that they've had 1 million downloads of the patch. How many of you think half of them were home users of Win2k? There are millions of vulnerable hosts still out there. Keep an eye on www.incidents.org. While there were only 157 hosts infected by 1am ET, there were over 22,000 infected ten hours later.
I have always had a very tight dialup Linux firewall with IPChains (only ssh open inbound), but I wanted to setup my own monitoring station to see how this thing affects me over the next couple of weeks. I hung netcat on port 80 using xinetd, installed snort, and then opened inbound port 80 in ipchains just to see how many probes will come my way. So far, no one has guessed my IP address.
At the beginning of this month, Code Red is supposed to start out with about 200,000 existing infected, unpatched machines and grow from there
:)
This was proven to be untrue by the 31st. I scored a 5, Insightful mentioning this on July 23rd, but by the end of the month the security firms had tried repeatedly to move clocks forward and to get the worm to reawaken, but it *never did*. Therefore, all the hype was unwarranted with respect to 8PM ON TUESDAY, TUESDAY TUESDAY!!
During the first infection it took 6 days to get to 359,000 hosts, not 12 hours like CNN would say. If you check incidents.org, you'll see that 22,000 new infections have already happened by 11am ET on the 1st. While it's not as bad as you and I thought it was going to be.. restarting with 200,000 infected hosts, it is BY NO MEANS over.
Please people, do NOT jump the gun, comparing this to Y2K. Besides, I think all the media coverage helped thwart all the y2k problems, but that's for another post.
I have yet to receive a *single* piece of Sircam-inspired email. I can see over a gig coming in at some poor bastard's company that runs Outlook. Imagine your entire company's roster being in your Outlook address book? Jee-zus. My sister got well over 300 copies of ILOVEYOU and my Mom's company got slammed so bad they turned off the Exchange servers for 2 days. I got 3 copies of that one, and 1 copy of PrettyPark.exe.
Hey, maybe my circle-of-friends really is that much smarter. Cool.
--
Steve Jackson
Service Pack 6 knocked out email for 5,000 users of NTWS at my company because MS decided to ship out a patch that forced the logged in user to have **Admin** privileges just to use TCP/IP. Lotus Notes? Dead in the water. IE? Shot. Logins? Nope. Drive mappings? Forget it.
Didn't we test it? Of course we did. Unfortunately our "user" accounts were also domain admins, so it didn't appear in our extensive testing.
That was a bad day at the office. We definitely regretted finally getting software delivery working under CA TNG (another pain in the ass software manufacturer).
--
Steve Jackson
The exploit works even if the Indexing Service is not running. The key is to remove the dll mapping for .ida. What's worse is that just about any action in modifying your IIS configuration will reenable the offending mapping if you have disabled it.
The patch from Microsoft allows that mapping to remain permanently removed.
--
Steve Jackson
Patrick,
:)
:)
I *really* appreciate your recognition of my post. Unfortunately, my thoughts were discredited yesterday when I first got the ISS alert stating that several security firms have tried the clock-forwarding test, and they were *never* able to get the worm to reawaken. I guess I didn't deserve the "5; Insightful" after all
I never did think that it could be rereleased tonight at 8ET to get started again, but even with the 2,000 hosts with the misconfigured clocks still trying to spread the worm, the first few hours won't be as devastating as the image I painted -- a hundred thousand hosts or more kicking it into high gear all within a few minutes of each other.
I'm excited, so I'll be up late tonight to see how it's going. Thanks again for the recognition. Most appreciated!
--
Steve Jackson
Perhaps I should have said BIND and Sendmail together give IIS a run for the money in the vulnerability list. :)
:)
At least there are viable secure alternatives to Sendmail in Qmail and Postfix. With BIND, you can reduce the privileges, but you really need to chroot jail it. I didn't want to go TOO long on the post, so I chose to bash BIND the hardest
And just a reminder: click here for the ten worst and most abused vulnerabilities.. lisitng BIND *and* Sendmail holes.
--
Steve Jackson
Back before I knew what I was doing, a Linux host I had up on the net got hacked by the Ramen worm. BIND has got to be the closest open source product to IIS with respect to massive numbers of vulnerabilities that give "immediate root access" to quote SANS.
I feel UNIX/Linux will always beat Microsoft hands down because of chroot jails. If you chroot Apache or BIND running as a non-privileged user and they get cracked, the cracker will have nothing more to fark with than the individual service they cracked. Not to downplay the severity of that situation, but at least they won't get root access on your box. Furthermore, if you script nightly overwrites of the directories hosting those services from protected locations, the hack won't be long lived.
Add to that web programming that uses protected connections to Java servlet engines (i.e. Tomcat listens on localhost-only), and you can easily and frequently rebuild your websites the moment Tripwire detects that something has changed.
And so long as Linux and UNIX run neck-and-neck in vulnerabilities, I have no interest in running a commercial UNIX. And no, BSD is not an option for me so long as I wish to run commercial (or even current) apps. I found out last night that FreeBSD is just now getting Java **1.2** in Beta. Forget about Jakarta Tomcat and Cocoon. Gimme a break. Looks like BSD is best for static HTML or perl CGI.
--
Steve Jackson
There's a difference between web servers and web sites.. I've been searching and searching but I can't find the article right now.. I recall reading a recent /. article linking to Netcraft, but I can't seem to locate it.. anyway, here's the gist of it.. now follow me here..
1/4th of the world's web SITES run under IIS on 2/3ds of the world's web SERVERS. And the opposite is true for Apache.. 2/3ds of the world's web SITES (the 62% you always hear about) run on just 1/4th of the world's web SERVERS. In short, IIS (or its admins) are not very good at virtual hosting (running more than one totally independent website on one box), while one beefy Apache box can host 50 or 100 different web sites.
Again, TONS of vulnerable servers host a small portion of the Internet's web sites (and can cripple the net with traffic), while the VAST MAJORITY of the world's web sites run on far fewer servers running non-vulnerable Apache servers.
Imagine if Sourceforge ran on IIS? That would be one way to get a free co-lo! Open a project, get a free server all to yourself! At least until they figure out how to add a second virtual domain to the server they gave you.
--
Steve Jackson
Another Junkbuster user here. For those who want to know more before clicking, it's a small daemon that uses a flat file called a blocklist on a weekly basis. They include a script to automatically update the blocklist, but it appears the blocklist hasn't updated since September. At least its easily updatable.
The original version apparently replaces all blocked ads with a "broken image icon", but the version at www.waldherr.org/junkbuster actually replaces blocked ads with a 1x1 transparent gif resized to fill the adspace perfectly. Much nicer.
It also includes instructions for installing junkbuster in front of squid, which is awesome. My cablemodem isn't coming until November, and I share some five PCs over my v.90, so I need all the help I can get in speeding up my surfing. This combination has helped a lot, and while I get the separate X10 windows, they are never populated. The flash in-article Yahoo! ads are starting to get through, though.
I highly recommend Junkbuster and Squid on perimeter firewalls. I would use port forwarding on the firewall, but I prefer to be able to selectively shut off the sequence by loading up on "do not use proxy on" directives at the browser level.
--
Steve Jackson
I firmly believe that. At my last job, my manager actually handed out PGP warez to the "inner circle" and we could right-click-to-encrypt our files and email. I also reloaded my workstation over a weekend early on to make sure there was nothing funky running in the "power user" load.
As for personal email, I found an old 486 laying around in the server room, and loaded linux on it. He ran some script-kiddie stuff against it for his personal satisfaction, and I had it locked down really well. He would call me and ask, "is dead yet? now? how about now? now?"
My personal email host is only for friends-of-friends, and they have ssh listening on 443, so I could ssh out to it, even when port 22 ssh outbound was blocked. I would occasionally surf on that host with lynx, and would rarely xfer files up to my account using scp. My boss hated the machine with a passion, but I was literally one of the three people who built that place, and he would never get rid of me.
Come to think of it, I could have just used an SSH port forward to set up my own offsite Squid proxy server. Of course I think of that now, now that I've been gone a year!!!
--
Steve Jackson
Cool idea. I never thought of it. I Googled for pam-ssh and got a hit on this project at SourceForge.
--
Steve Jackson
Steganography will be where it's at. They say Usama bin Laden is the king of stego right now. Check out this site for stego tools.
One tool alone, "snow", allows you to hide text in other text via random white space being appended to each line. It would therefore become very easy to hide uuencoded binaries in postings in all USENET groups. Much higher bandwidth than just a few dozen groups.
You could also stego mp3s into alt.binaries.pictures.fractals or alt.binaries.pictures.furniture. There's another tool, whose name escapes me right now, that I think holds a lot of promise. It's very raw right now, but provides a very good starting point for allowing peer-to-peer connections by hiding data in TCP header fields. It even supports bounces.
If I wanted to transmit a file to you using this software, I would send a SYN packet to a web server on port 80, setting the TCP initial sequence number to the byte I'm sending and spoofing your IP address and the high port your listener is on as the source. The web server would reply to you with a SYN ACK and the ISN+1. Your listener would subtract 1 from the ISN and store the byte. The listener could drop all SYN packets on the floor, defeating port scanners.
Does anyone really think that Yahoo! logs half-open connections on port 80? Nope. You can even spread the half-open connections over dozens or hundreds of web servers. I hope someone who knows a lot more than I do builds on this starting point. And yes, I do realize that transmitting one byte at a time is painfully slow, and I suppose routers could drop unsolicited SYN ACK packets. Not to mention, ISPs may one day block outbound packets with spoofed source IP addresses.
Until then, this is pretty sneaky.
--
Steve Jackson
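Added example, not code from the original post: the two defensive checks that break the bounced-ISN channel described above, namely a stateful tracker that drops an inbound SYN/ACK answering no SYN this host ever sent (the packet the listener depends on), and an egress filter that drops outbound packets whose source address is outside the local prefix (the spoofed SYN the sender depends on). All packet records, addresses and ports below are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving this host, "in" = arriving
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def unsolicited_synacks(packets, our_ip):
    """Return inbound SYN/ACKs that answer no SYN sent from this host."""
    # A genuine SYN/ACK reverses the 4-tuple of our SYN; anything else is a
    # spoofed-source probe or a bounce aimed at us, which a stateful firewall drops.
    pending = set()
    suspect = []
    for p in packets:
        if p.direction == "out" and p.src == our_ip and p.flags == SYN:
            pending.add((p.src, p.sport, p.dst, p.dport))
        elif p.direction == "in" and p.dst == our_ip and p.flags == SYN | ACK:
            key = (p.dst, p.dport, p.src, p.sport)
            if key in pending:
                pending.discard(key)   # the reply to our own SYN
            else:
                suspect.append(p)      # nobody here asked for this
    return suspect

def egress_allowed(packet, our_prefix):
    """Egress rule: an outbound packet must carry a source address inside our prefix."""
    return ipaddress.ip_address(packet.src) in ipaddress.ip_network(our_prefix)

# Constructed trace using RFC 5737 documentation addresses.
OUR_IP = "192.0.2.10"
TRACE = [
    Packet("out", OUR_IP, 40000, "203.0.113.80", 80, SYN),         # our own request
    Packet("in", "203.0.113.80", 80, OUR_IP, 40000, SYN | ACK),    # its legitimate reply
    Packet("in", "198.51.100.7", 80, OUR_IP, 51000, SYN | ACK),    # bounce off a third party
    Packet("in", "198.51.100.9", 80, OUR_IP, 51000, SYN | ACK),    # bounce off another one
]

if __name__ == "__main__":
    for p in unsolicited_synacks(TRACE, OUR_IP):
        print(f"drop: unsolicited SYN/ACK from {p.src}:{p.sport} to port {p.dport}")
    spoofed = Packet("out", "198.51.100.7", 51000, "203.0.113.80", 80, SYN)
    print("spoofed SYN passes egress filter:", egress_allowed(spoofed, "192.0.2.0/24"))
```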
I agree. I absolutely feel that Microsoft can set any price they want for their products. And with the annual pricing fee schedule on the way, they *are* approaching $1,000 for XP depending on how long businesses keep the product.
Personally, I'm happy about XP coming out. With its extreme anti-piracy measures, it should shut down the Chinese distribution channels, forcing them to use Linux as recommended by the government. I'll still welcome those users, even if they do violate the GPL. XP's anti-piracy features should also put an end to the "casual piracy" so many of us are guilty of.
I hope the Linux community takes full advantage of this opportunity we have in front of us to help make Linux desktops usable for the general community. I think that by Summer 2002, many businesses are going to look to Linux for specialized, replicated desktops, not unlike X terminals, and power home users are going to be tired of getting burned by having their copies of XP shut down when they upgrade their video card. We should get ready for a massive influx of disenfranchised (there's that word again) Microsoft users looking for freedoms we've enjoyed for years. They're about to get burned big time.
--
Steve Jackson
Are there any distros with security tools installed by default?
:)
Actually, RedHat 7.1 has some pretty good firewall options available at install time. Even when installing a server, it's a good idea to set the firewall security to 'high' to buy some time while customizing it and downloading updates. Then to erase the install-time IPChains rules when you feel safe, enter
ipchains -F
service ipchains save
One thing I *love* about the RH7.1 workstation install is that sendmail is installed, BUT the sendmail.cf is actually missing a line to bind the sendmail listener to the public interface. It only includes a line to bind a listener to the loopback interface. Perfect for pointing Netscape Communicator, pine, or mutt to localhost, and even to support fetchmail without hanging sendmail out on a public interface.
It made me a little nervous when I had to research and explain the situation to my RHCE instructor when none of us in class could route mail to each other.
Finally, I swear by PMFirewall at www.pointman.org. Even for single interface hosts. That's been my firewall-building script for a couple of years. It configures masquerading as needed, and even knows about NTP's needs. Awesome script.
--
Steve Jackson
I still think AOL should build their own "AOL Kiosk" based on Linux. Instead of trying to push nichey Internet Appliances, I think they should build their own distro and start sending out CDs geared towards older, unused PCs lying around people's houses. "Requirements: P100 or higher, 16MB RAM or higher, 500MB hard drive or larger, modem or ethernet card". "Warning: This CD will completely erase all contents of your computer, and convert it into an easy-to-use AOL Internet Station".
What would be nice is that since the target users of the kiosk would be consumers, they could build the distro to be extremely secure on the Internet side. No Outlook viruses. No NetBIOS hacks. No DDOSes. "Screen names" would translate to users, but now with separate, completely customizable desktops with minimal office suites.
Imagine the contributions AOL would be able to make to Linux WRT device drivers. Those pesky "please wait while we update your system" messages may actually be linux kernel module updates.
And who knows, maybe even AOL/TW would open the AUP on their RoadRunner service to allow these kiosks to share their internet connection with other PCs in the same home. Doubtful, but it would be a way for them to guarantee the security of systems attached directly to their cable modems, and therefore minimize abuse of the connected clients. I haven't performed any true forensics, but the last time I installed AOL6 for my Mom, it looked like the native AOL connection was extremely close to a traditional PPP connection.
--
Steve Jackson
95 Rockefeller Center.. saw the building again on CNBC this morning, and noticed the address for the first time.
I remember just an hour after the merger was approved, CNN was showing a crew on ladders adding the letters "AOL" to beginning of the name over the main entrance.
I work at 43rd and 5th and was wondering where the building was. Now I know.
--
Steve Jackson
I'm surprised that no one is mentioning that the random infection part of Code Red is programmed to restart on the 1st of *every month*. Sure, by changing the IP of whitehouse.gov and short circuiting packets destined for the old IP to the bit bucket, the attack phase will never be a problem.
However, since it appears the number of infections capped at about 359,000 machines, I would venture that at least a quarter of those machines will not be repaired/rebooted by August 1st. If the number of infections went from zero to 359,000 in a couple of days at most, imagine what kind of storm is going to kick off on August 1st when nearly 100,000 machines restart the infection phase of the worm! How long will it take for the estimated 6 *million* vulnerable IIS servers to be patched?
Just for the sake of gloom-and-doom, how long will it take before the Internet only becomes usable between the 20th and the end of each month, due to Code Red infection storms between the 1st and the 19th? I don't think the core Internet routers can perform stateful-enough inspection as to route "Code Red infection" attacks to /dev/null. Perhaps that would drive enough white hat hackers to spread a repair worm, and start that whole argument all over again.
--
Steve Jackson
Pennsylvania's new non-specialized license plates actually use "www.state.pa.us" as their tagline! It also appears on all the border-crossing "Welcome to Pennsylvania" signs.
And they have a great website, too. I recently used it to print out a pdf of the handicapped parking placard application. Pennsylvania appears to be very pro-technology.
Now if I could just get the contract to enable the aforementioned MTA website to support refilling MetroCards by credit card. That would save me TONS of time in the MetroCard machine line.
--
Steve Jackson
If we end with only one Linux company, prices are going to skyrocket (unless for some reason their ideology keeps the prices low (not likely))
Don't forget about the GPL. Thanks to it, prices can never skyrocket.. at least for the software. No matter how you get a copy (of the freely redistributable versions), you are free to redistribute copies and charge however much (or little) as you wish. The software will always be free. Which brings me to what I wanted to talk about anyway. Services.
I work for IBM e-business. IBM Global Services has always added value for customers with service offerings. Now by strongly embracing Linux, we can sell our own hardware, charge an install fee for a free OS, and optionally sell our own non-free Linux software. The big gain is in the services. From what I understand, RedHat now sells multimillion dollar support contracts. They may even turn a real profit within a year or so. They "get" Linux. You can make a little money selling CDs, a little more building a better distro, or a lot more providing consulting services.
--
Steve Jackson
That's the point. They ALREADY block outgoing Port 25 traffic so, yes, that is why this is such a big deal.
No they don't. I'm a Verizon user in Pennsylvania and I can connect on port 25 to any SMTP server on the net that will allow me to. I'm not an Earthlink customer, but several posts above indicate that Earthlink blocks all outbound port 25 connections to all servers except for their own outbound SMTP servers. Your high-port solution applies to Earthlink users.
I've been a Verizon customer since 8/96 and I barely ever use their DNS, SMTP, or POP3 servers. Yes, I'm a horrible netizen, in that my Linux firewall uses world root DNS servers, and updates the list once a month with 'dig'. I alternate my diald between prodigy and verizon sessions. Work pays for my unlimited Prodigy account, but it disconnects after 7 hours of connect time, and Verizon limits monthly usage to 150 hours. So I leave diald on Verizon for normal surfing periods, but switch over to Prodigy when I'm doing multi-day, restartable downloads.
I personally agree with this policy. If you still want to spam you can, but you can't tie up their SMTP servers. If you want to forge an alternate, legitimate From: address, you still can, too, with a little more work. I'm not sure if I think hosting companies should offer this same type of restricted service for their own hosted domains (without SMTP-AUTH or POP-before-SMTP), because I understand that it forces spammers to select valid 'From' domains, thereby releasing the wrath of spam fighters upon already over-worked sysadmins.
So far, it seems POP-before-SMTP or that XTND XMIT feature are best to me.
--
Steve Jackson
No boiling water, huh? I use those coffee bags for ultimate convenience, and find that when I let the kettle scream nice and loud, the coffee tastes better.
--
Steve Jackson
This guy loves coffee way too much! You'd think he'd be happy with one of those combo grinder/coffee pots and some Brita water.
--
Steve Jackson
I "grew up" on pine, but started with joe before moving to pico. Yes, I know vi, but no I don't like it. I just love the ctrl-j, ctrl-k, ctrl-y/v and ctrl-u way too much. Pair it up with putty's "highlight = copy, right click = paste" and I just *love* it!
But back to the subject.. I've had a BOFH say to me, "when you grow up, you'll use Mutt". So I ask, never having used Mutt, can it be configured to automatically detect a gpg-encrypted email and prompt me for my gpg passphrase like pine can?
If so, I just might consider switching to it. Oh, and before I go, can mutt also double as a newsreader? pine's newsreading features may be the most basic out there, but I like having it all in one piece of software. I often spend a half hour a day "cell mobile" @ 14.4 ssh'd into a well-connected host, and pine is my personal jesus.
--
Steve Jackson
I started with BBS'es and prodigy on my c64 in the mid-80's, and used BITNET from '88 to '89. I first got on the net in '92 with email and nn. In late 94, I had xrn up on my sparcstation for about 45 hours a week. I remember having to compile Mosaic to get on the web. I commuted 4 hours a day to NYU in NYC, and probably printed a ream's worth of FAQ's each month. I studied for my ham radio license, wrote my papers in LaTeX, and learned about Linux. Usenet really planted the seeds for my technical career.
:). I used to try to spend time each week answering q's in comp.os.linux.setup or #linuxhelp, but I hardly have time to keep up with the sheer volume anymore.
Then came Deja, which has been easily the most important all-time tool I've used. After using Linux for 3 years, I started training friends on it. Once I helped them get under way, I taught them how to use Deja. I would even tell them that when they come to me with questions, I'm always going to reply first with, "what did Deja say?" The first guy I trained is now running 1,000 hosts in a Qwest facility.
I still go to Deja/Google every single day when I want to know *anything*. Lately, it's been "who plays the song for such-and-such commercial?" and I usually find my answer within seconds, and have the mp3 within minutes (although I'm still trying to identify the music in the Boeing ads
Usenet has been a major influence in my life, and any website that sports threaded discussions will always look like a second-rate Usenet to me.
--
Steve Jackson