Slashdot Mirror
User: Blkdeath

Blkdeath's activity in the archive.

Stories: 0
Comments: 1,398

Comments · 1,398

  1. Re:well... on Gentoo rsync Server Compromised [updated] · Score: 1
    Ebuilds can point anywhere on the web to binaries, the attacker could have changed the portage ebuild to point to a malicious emerge binary. It would have said "there is a portage update available" and would recommend downloading it immediately. Of course if this happened the Gentoo folks would have made a note of it, but it's not an implausible situation.

    Ok; assuming our attacker is thorough, he's compromised an rsync server. He's got a trojanned version of Portage on ice. He also knows how to use our development tools so he's created new digest and Manifest files correctly. He uploaded these three files to the rsync server, and there's a 30 minute window during which time some people on that particular national rsync rotation could possibly sync and retrieve the false copy before the tree is automatically re-synced with the master. After this, there is a minute chance that someone will upgrade (a) package(s) which could pull in the trojan. (Note that except in severe cases, the user must specify one of -u(pgrade) or -U(pgrade only) to pull in dependencies - including Portage)

    So we have a breach that could have, in an extreme hypothetical situation, caused a percentage of 20 people to become trojanned out of our ~300k userbase.

    That's a lot of time and trouble to (possibly) affect so few people. If someone were intending to do damage to the Gentoo community, they'd have been wiser to attack rsync1.us.gentoo.org or cvs.gentoo.org and pollute one of those trees. In all likelihood this attacker was merely a script kiddie looking to r00t lots of machines to have a place to play, or possibly a Mitnick-esque type looking for a drop-point for files, but most likely a person attacking for a reason completely unrelated to Gentoo.

    You have to keep in mind that the rsync mirrors are provided by volunteers. I have enough bandwidth at home and at work that I could set up two myself.

  2. Re:well... on Gentoo rsync Server Compromised [updated] · Score: 2, Informative
    And what if syncing to the server installed a compromised "emerge" program?

    Because, save for an attacker compromising all Gentoo workstations and altering the Portage application itself, this is not plausible. `emerge sync` updates only the tree of ebuilds - text file application install scripts, analogous to Makefiles. The process is quite similar to BSD's `cvsup` process. The only files modified in this process are contained in /usr/portage/ (or another location optionally configured by the user). The `emerge` program itself is contained in /usr/bin, and is not touched by the rsync process.

    Sorry to tear that nasty gash in your tin-foil hat, though.

  3. Re:The only reason this is news... on Gentoo rsync Server Compromised [updated] · Score: 5, Insightful
    As well, this isn't "just another exploit for Explorer/Windows/Linux/whatever," this is someone gaining access to THE source code server. I don't seem to recall too many stories where MS had their main code repository compromised, do you?

    Since Gentoo doesn't have a "THE" source code repository, I'm afraid you've got some facts to get straight, Herr Coward.

    The mirror had read-only rsync access to Gentoo's primary (US) mirror. Even if the tree were compromised, the changes could not propagate into the main tree. For that, one would require CVS access to the CVS repository, against which the primary rsync server is synchronized.

    This was only posted as a matter of keeping our user community, and the OSS community as a whole, informed.

    Also, I believe the announcement gave mention of it, but the Portage tree on the primary mirror was re-created from the CVS repository immediately upon being notified that a mirror was compromised. Within 30 minutes, every Gentoo rsync mirror had a fresh copy of the tree automatically (as stated by Gentoo rsync mirror policy, mirrors are updated every 30 minutes in order to remain on the official rotation).

    Sorry for the confusion, all, but there's really nothing to see here. But it was good clamouring practice for when/if a real Gentoo server is compromised. ;)

  4. Re:If you're going to sell kits... on Obtaining a USB Vendor/Product ID? · Score: 3, Interesting
    the guy is trying to do something on the cheap while also trying to do it right! There's nothing wrong with that!

    By the sounds of the article, it sounds as if he's going to sell a few kits to recoup some cash, and/or because others are interested and he wants to share. It doesn't sound to me as if he wants to become the next Rockefeller out of the deal.

    Your last bit of advice is the best... If you're not going to sell kits, you don't need your own Vendor ID. Just use nulls for everything, or make one up for your own lab purposes.... As long as this'll work for testing purposes, this should do him just fine.

    People used to say the same thing about IPv4 space. "Just use whatever block you want; it's only a lab!" Suddenly companies small and large alike are finding people announcing routes for their IP space halfway across the Internet. In other words, if you're going to "make up" your vendor ID, try to find a reserved/testing block or ensure that these devices will never get into the wild.

    On another note, I agree with $1500 being inexpensive for a block, I thought it was a typo at first as for a business, that's less than a drop in the bucket!

    Sounds like you've never run a small / SOHO business my friend. :)

  5. Re:McDonald's Frivolous Lawsuit on Victoria's Secret Fined for Security Leak · Score: 1
    The coffee was hotter than industry average, it adds nothing to flavor, but can cause 3rd degree burns in 2 seconds.

    Awwwwww. Poor people who can't manage to keep a lid on their coffee or keep their fresh, hot coffee away from their crotch. Some of us who have the fortune of working outside actually enjoy really hot coffee. See, it doesn't cool to 5 degrees Celsius within ten minutes of hitting the out of doors and we can still enjoy it without the aid of a microwave.

    It all boils down to personal responsibility and no amount of lawsuits or precedent is going to change the fact that, by and large, (North) American citizens are too quick to blame everybody but themselves for their own shortcomings. It just happens that in all too many cases that blame is centred square on the shoulders of a corporation with a billion dollar bankroll.

    Ask yourself; is $xx million going to restore your legs to their former state? No. Is it going to rid you of your clumsiness? No. Is it going to prevent you from committing further acts of stupidity? No. Why do people sue for millions of dollars? Greed, a corrupted legal system, and selfish people who want to get rich quick.

  6. Re:McDonald's Frivolous Lawsuit on Victoria's Secret Fined for Security Leak · Score: 1
    I always thought the McDonalds case was frivolous till I read the facts. Check out McFacts about the case.

    In my mind it still amounts to something like this;

    • Woman spills hot liquid in own lap.
    • Woman sues Big Pocketed Corporation for egregious amounts of financial "compensation"

    I've got news for anybody who considers the above lawsuit anything less than frivolous; it's hot coffee. McDonald's (or any other restaurant) should not be under any obligation to inform people of same. FACT: If it weren't hot, people would not desire to purchase and/or consume it.

  7. Re:Dubious Study on Tall People Earn More · Score: 3, Funny
    How does gibberish like this get modded up as insightful? The poster has no idea what the word statistics even means.

    In the general sense it means "Bending numbers to fit your conclusions."

  8. Re:For now maybe.... on Tall People Earn More · Score: 1
    Some day.... we short people will get the payment we deserve! Short people rock!

    I can see the slogans now ...

    "You've come a long way, tiny!"

  9. Re:Sitefinder will move on BIND Patches Make Bad Situation Worse · Score: 1
    What happens to a DJBDNS server's Sitefinder blocking performance should Verisign restart the Sitefinder web site and move its web server to a different IP every 24 hours?

    Not to mention if they smartened up and put it on a round-robin. {hilarity ensues}

  10. Re:Overblown on BIND Patches Make Bad Situation Worse · Score: 1
    And that would not have the problems described.

    Quite frankly, a million sysadmins could configure themselves as the authority over '.', 'com', 'net', or any domain of their choosing and it would similarly break thousands (millions) of connections.

    Misconfiguration is hardly the fault of the software package. It's not BIND's responsibility to inform you that you're not the proud owner of ".com" and that it won't start until you smarten up.

  11. Re:Not ISC's fault on BIND Patches Make Bad Situation Worse · Score: 1
    *What* bugs are there in BIND due to the anti-wildcarding of DNS patches? ISC's patch provides two ways of approaching the problem; either prevent wildcarding of specific TLDs or globally ban wildcarding of TLDs and provide an exception list. Both approaches work fine, provided that the DNS admins that implement them take the time to understand the implications and approach the patch with caution instead of a jerking knee.

    Boy, I wish my mod points hadn't expired. I'll quote this portion again;

    provided that the DNS admins that implement them take the time to understand the implications and approach the patch with caution instead of a jerking knee.

    As I saw it, the patches were exactly what the BIND/DNS communities (and, for that matter, this community in particular) were asking for. Simple elegance. Designate particular zones as delegate-only (deny some, allow all) or declare delegate-only for all zones and list exceptions (deny all, allow some).

    IMHO, this story was poorly worded, poorly presented and highly inflammatory. To everybody wailing for Paul's head on a stake or complaining about the coding style of the single most integral piece of software on the Internet, please take the time to investigate the patches yourself, else I'd suggest a little butter to flavour your pedals.
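    The two approaches described above, written out as an added named.conf example (not from the comment, and not ISC's own documentation); it assumes the `delegation-only` zone type and the `root-delegation-only` option that ISC's anti-wildcard patch added to BIND 9.2.3:

```conf
// Added example, not part of the original comment. Assumes BIND 9.2.3 or
// later, where ISC's anti-wildcard patch added the "delegation-only" zone
// type and the "root-delegation-only" option. Pick one approach, not both.

// Approach 1: deny some, allow all.
// Only the listed TLDs are forced to be delegation-only. A non-referral
// answer from one of them (such as a wildcard A record for a mistyped
// domain) is rewritten to NXDOMAIN; every other zone resolves normally.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

// Approach 2: deny all, allow some.
// Every TLD is treated as delegation-only except the zones in the exclude
// clause. The exclude list is exactly the part the comment warns about: it
// must name every TLD that legitimately serves records at its apex or via
// wildcards for the users of this resolver, or lookups in those TLDs will
// start failing. The names below are illustrative, not a recommended set.
//
// options {
//     root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
// };
```

    Either form needs named reloaded after editing; checking a known-nonexistent name under an affected TLD (expecting NXDOMAIN) and a known-good name under an excluded TLD is the minimum test before deploying.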

  12. Re:I'd rather on Women Live Longer Because Men Are Dumb · Score: 1
    assuming you exercise for 15 minutes (which is not enough, it takes my dad 2.5 hours, including driving and dressing)

    Your father devotes 2.5 hours/day to exercise? Sorry to say, but he's wasting a lot of time and energy (not to mention money). There's no part of your body you can't exercise with free weights. He'd be better suited to spend ~4 months of health club dues and purchase same and save himself 1.5 hours/day and a small fortune in unspent dues.

  13. Re:Sad on Parents Sue School Over Use of Wi-Fi Network · Score: 1
    You cannot conclude "wireless technology is now important, but soon crucial to their overall education." from this. CRUCIAL?

    More and more wireless technology enters our lives. Hospital staff carry wireless tablets with them to dispense medicine and/or other treatment. Field engineers and contractors use wireless PDAs to organize their staff, materials, scheduling, etc. For that matter - even the likes of Burger King utilize wireless technology (drive-thru headsets aside, the Interac terminals are wireless).

    For a carpenter, the ability to swing a hammer with precision is crucial. It's a tool he will use every day in his line of work. Same goes for a T-square or measuring tape. Wireless technology, on the other hand, is pervasive in almost every line of work. Throw a rock in any major metropolitan city and you'll hit a wireless hot spot. If students aren't comfortable with and taught to use and respect this equipment (not necessarily even service it) they'll be at a deficit walking into many new job positions.

    Yes, I believe a tool that is the future of our information management in all lines of work is "crucial" to a student's future.

    If funding dictates that the child can only have three of the four, which do you think is the least "crucial"?

    Of course you realize in this context this is a strawman. The parents filing suit against the school board are contributing to (causing) a funding deficit. By the logic above, they just may win their fight after the money disappears.

  14. Re:Sad on Parents Sue School Over Use of Wi-Fi Network · Score: 1
    You know, I have a hunch that it is possible, possible, if a teacher is sufficiently brilliant, to get an elementary school education without a wireless connection.

    While that may be true, why deny students access to the tools they'll be using in their day-to-day lives in future? Never before have our lives, personal and professional, been so dominated by a particular implement as the computer. While it may not be vital to their traditional "Three R's" educational model, wireless technology is now important, but soon crucial to their overall education.

    Remember that the primary advantage of the public education sector is the mere fact that it makes children social. Socialization isn't vital to a child's ability to learn fractions or write prose. It is, however, vital for their survival in the Real World.

  15. Re:Or... on Ultimate Caller ID Screeners? · Score: 2, Informative
    ...you could call up Information and harass them for the 1-800 number for the Direct Marketing Association, or whatever they call themselves up here, and then get your name put on a do-not-call list.

    That's correct, however we already have legislation in effect that functions similar to the Do Not Call list. The CRTC, bless their hearts, some time ago drafted a regulation that states that upon request, a telemarketing firm must (I'll reiterate; MUST) remove your number from their call list within seven (7) days. If a telemarketer refuses or acts confused on the phone when you make the (simple) request, inform them that it is a CRTC regulation and if they're in doubt, you'll have the CRTC contact them and clarify the situation.

    No need to be rude, just a few words always worked for me. "Please remove my number from your list. Thank-you." Generally they apologized for my inconvenience and assured me it would be done. Within days my calls dropped in half, within a few weeks I forgot what a telemarketing call sounded like.

    Another tack that always works well; "This is a cell phone." {click!}

    (It's also highly illegal to place telemarketing calls to cellular phones.)

  16. Re:..And the others? on Microsoft Confirms IE Changes in Wake of Lawsuit · Score: 1
    Would you consider my mozilla (galeon, whichever) browser to be some obsolescence I should let go of as well? How am I supposed to see their non-standard page on FreeBSD (or Linux, whichever). I have Macromedia's flashplayer plugin installed, but only the front page renders anything because it doesn't use any flash/mx. The second page merely comes up mostly blank with a picture at the bottom.

    I don't know what distribution you're running, but Gentoo Linux's installation of Mozilla rendered the entire site just fine. Sound and all.

    So yes, perhaps you should give up your obsolescence and switch to a distribution that uses modern software packages and compilation options.

  17. Re:..And the others? on Microsoft Confirms IE Changes in Wake of Lawsuit · Score: 1
    Also, not all flash is bad... its misuse is fairly widespread, but have a look at this for an example of what I mean...

    Really well done site! Though I didn't have any part in creating it, it's really cool that this site is hosted on my server. :)

  18. Re:..And the others? on Microsoft Confirms IE Changes in Wake of Lawsuit · Score: 1
    That page is just as bad as any other flash page I've seen. They didn't even take the time to provide alt tags for their images. This is what the page looks like in lynx:

    Oh, would you let go of your obsolescence already? Links has been out for years now and it's outshone Lynx almost from the beginning. Tables? Frames? Hell, it'll even support graphics on a TTY console!

    Now how is that good design? They should've spent a little extra after the flash courses to learn a little html.

    Give it up. They're an advanced media company; they're catering to customers who WANT flashy eye-candy and glitz. Face it; they don't care about you and your antique browser or your stubborn refusal to walk into the 21st century.

    (n.b. Before you scream "Blind people!", I have to reiterate; advanced media. Blind people aren't exactly their clientele. They have no reason to cater to people who can't enjoy their work.)

  19. Re:I Can Only Question Micro$oft's Motives on Microsoft Confirms IE Changes in Wake of Lawsuit · Score: 1
    I think you're just looking for an excuse to switch to linux. Being forced to change your web browser isn't a very good reason.

    Not to mention the fact that users can already install Mozilla, Opera, or a small handful of other browsers under Windows.

  20. Re:..And the others? on Microsoft Confirms IE Changes in Wake of Lawsuit · Score: 1
    they're bound to ask more technically minded people what's going on - and eventually that will come down to "software patents".

    Thanks to Microsoft's last big change, I already have to explain to most of our customers why they can no longer access virtually any e-mail attachment in Outlook [Express]. "Well sir, Microsoft have decided that they can not safeguard you against the dangers of attachments, so they've adopted an all-or-nothing security policy. Do you run a virus scanner? Yes? Ok, click Tools, Options, select the Security tab, and de-select the box that prevents access to e-mail attachments. Now please update your virus definitions and have a nice day!"

  21. Re:You can still handwrite? on When Word Processors Are Out: What's The Best Pen? · Score: 1
    After years of using computers almost exclusively for written communication, my manual writing skills have atrophied to the point of near uselessness. My handwriting - never my strong point - now makes a doctor's look like calligraphy, and my hand starts cramping up almost instantly.

    I don't know how you got modded "Funny", but I'm in the same boat. I can write a 20 page dissertation on a keyboard with minimal strain, but after my second paragraph handwriting I find myself running for a wrist brace.

    My handwriting is probably as atrocious as yours (if not more so), but if I really strain, and only have to write a small amount of text, I find I can struggle my way through a legible paragraph. Of course it takes three times as long, which means I can only write a third as much text before going for an ice-pack.

  22. Re:Transacting the undefined on What Counts as Music and Why? · Score: 1
    In the end any type of information can be turned into any other type of information and thus cannot be discriminated solely by the type of data it currently is. Who knows what it might really be, there is no way of telling.

    That's all well and good until your (family's) medical and financial data start floating around the Internet, free for anyone on FastTrack to download. Perhaps the location and defense capabilities (blueprints) of all United States military installations. ("Security through obscurity", remember, is a misnomer. Obscurity is an integral part of security.)

    Like so many other things in life, this is not a binary issue, and I certainly hope it won't be treated like one.

  23. Re:Heh. on The Guy Responsible For Ctrl-Alt-Del · Score: 1
    Windows NT/2K/XP will always be using almost all of your RAM. Any RAM that is not in use by programs will be allocated to disk cache, so your memory will always look full.

    Your signature is apt; your opinion is uninformed.

    At a previous sysadmin job, our NT4 server with 1GB of SDRAM would barely utilize even half of it at high load - including system, program, and disk cache. Its disk cache was so dreadful, I couldn't perform a search across the RAID5 array without bringing the machine to its knees.

    Yes, it was at the current service pack level with all patches applied. For kicks, we decided to bring in an IBM MCSE. He brought his supervisor with him when he couldn't make it work. Alas, the dear old NetFinity could have donated 512MB of RAM to one of us and nobody would have noticed any difference.

  24. Re:Patent madness? on The Guy Responsible For Ctrl-Alt-Del · Score: 1
    I can see it now.

    One click reboot.

    Much as I hate to ruin good satire ...

    You can already do this. Enable that 'one click shortcut' option I've always despised about Windows, then create a shortcut to a shutdown command with a reboot flag.

    {sigh} I give. Take my karma. :(

  25. Re:All I want to know is. . . on Interview With a Spammer · Score: 5, Insightful
    Hope he really really likes pepperoni.

    Nice sentiment and all, but as someone who's worked both for pizza places and as a delivery driver I ask you; please don't. It costs the restaurant money in wasted food and preparation time, costs the delivery driver time and gas to make a round-trip for nothing, and is generally a Very Bad Idea.

    If you want to annoy the man, please find a means of doing so that won't affect the pocketbooks of innocents.