Slashdot Mirror


User: dfeldman

dfeldman's activity in the archive.

Stories: 0
Comments: 27

Comments · 27

  1. Security matters. on Building a Wireless Network for an Apartment Complex? · · Score: 3, Interesting
    I have just one word of advice here: don't do it.

    Back at my alma mater, one of the students (who thought he was clever) founded an ISP that provided 802.11b wireless access to apartments on campus. Inevitably, the WEP key he used was compromised, and student account passwords were sniffed and abused. Now, common sense would dictate that he shouldn't be responsible for what a criminal does with his network; but common sense does not reign supreme in the ivory tower of academia. What happened next was shocking: the student was disciplined, expelled, and sued for damages by the state college. Although he certainly could have won his case in front of a jury, he settled because he could not afford $15k to hire a good trial lawyer. Right now he has no degree, can't get into a good school, and is pumping gas for a living.

    So, if you are considering rolling out a notoriously insecure network architecture (such as 802.11[ab]), consider the fact that you may be personally liable for anything bad that a crook does with your network. Be afraid.

    df

  2. They're trying to send a message on Philips vs Unlicensed DVD Players · · Score: -1, Troll
    I know that defending the right of corporations to enforce intellectual property rights here is nearly suicidal, but I feel I must comment on this matter. Philips and friends lose literally millions of dollars a year to companies who make DVD players without licensing the patents behind the players. What's more, these players often have serious compatibility problems which cause headaches for users and content providers alike:
    • They don't run native code. Most DVD players support a modified version of the Z-80 instruction set which DVDs can use to render menus, omit scenes when a ratings limit is lowered, and handle substitution of audio without mis-synching actors' lips. These bootleg DVD players do not properly implement all of the instructions and may not work right with many DVDs.
    • Content protection. Macrovision is an unbreakable encryption system that keeps pirates from copying DVDs onto VHS tapes or video CDs. Many bootleg players do not implement it so we can expect the rate of piracy to skyrocket.
    • Compatibility with layers. Most bootleg DVD players have serious trouble handling two-layer discs, meaning that the users' experiences are affected in a very bad way.
    • Hackability. Most bootleg players run an embedded unix operating system, like linux, and can be tampered with easily by malcontents.
    It is for these reasons that we must all stand up and oppose the manufacture and sale of unlicensed DVD players.

    df

  3. Free as in... fascism? on Custom OpenBSD 3.0 with IPFilter From Darren Reed · · Score: 3, Interesting
    This move represents the latest step that Darren Reed has taken to attempt to gain control over open source operating systems that incorporate his packet filter. He has expressed the belief, on many newsgroup postings, that he deserves a place on the *BSD teams (as at least a committer) because of the way that his product has increased market share for the BSDs. And he continues to attempt to hold those distributions hostage until they bend to his will. His eventual goal is to release a closed-source BSD that incorporates his filter, because he cannot stand to give the public the right to modify and redistribute his precious code.

    Well, Darren, we have news for you: your packet filter is not "all that." IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security. Linux has not had issues dealing with the simple cases that have caused your firewall to fail. Theo de Raadt and the ipfw team have come up with far superior solutions to your product, and your attempted coup will hurt your market share even more.

    Darren, listen to your users - change your license or perish.

    df

  4. Bad news on the horizon on SGI Sets Sights On Turnaround · · Score: 0, Troll
    One of my buddies is a manager at SGI and he's not quite as optimistic as the P.R. folks are. He said that there were several reasons for their business slowdown, and none of them were easy to solve:
    • Consumer-grade video hardware has quickly outpaced SGI's best offerings. A GeForce3 has the same processing power as their best offerings from just two years ago, and doesn't cost as much as a new car.
    • Management issues cripple the company. The lack of profits through the year 2000 weren't a result of low demand; they were a result of running a bloated, disorganized company that didn't know what their resources were or how to use them.
    • Morale is at an all-time low. Coupled with the fact that the market for high end hardware is very weak headed into 2002, they are going to have at least a few more rough quarters.
    • Expenses are killing them. They spend millions of dollars a year supporting Windows NT clients, open source efforts, and R&D into doomed technologies like the Itanium. Since few of these things will ever pay off in our lifetime, the money is as good as wasted.
    The market has spoken, and the message is clear: proprietary technologies are on the way out. Even Sun, the mother of all vendor lock-in schemes, has started to use standard PC components in building their machines. SGI can still sell to their niche market, but they need to severely narrow their focus and cut a good deal of fat before they can be profitable again.

    df

  5. And their motives became crystal clear... on Europe Adding RFID Tags to Euro Currency · · Score: -1, Troll
    For over a year and a half, I worked toward a Master's degree in Economics. I did my thesis on the Euro conversion, as the subject had come up numerous times during the course of my studies. The great mystery behind the Euro was the question of why the European banks felt the need to even bother with an expensive, difficult conversion to a single currency. After all, different currencies for different countries made a lot more sense: the value of each country's currency fluctuated based on the relative trading strength of the nation. It was a very fair, consistent system. And the introduction of the Euro would hopelessly skew or destroy the currency markets that brought prosperity to so many speculators and traders.

    But now we understand the true intent of the Euro advocates: control. Giving the consumer choice in the currency in which he deals, and giving him the sole discretion in the use of his currency, has been something the banks have opposed for decades. Like the RIAA and intellectual property holders, the banks didn't just want to control the flow of money; they wanted to be able to control its use as well. Imagine the possibilities: marketing, based on cash usage; retroactive invalidation of paper currency, based on your credit history; tracking of every move you make, even if you shun the "smart cards" and other intrusive, privacy-invading inventions. When you can't use anonymous cash and bartering is rarely an option, you have no choice but to allow the banks to keep you under their watchful gaze. And when the government wants to know where you're spending your money, the banks won't hesitate to let them know.

    This is why we must all reject the Euro, before it is too late. We must standardize on the dollar, a symbol of freedom and privacy. The USA, despite its poor track record under the current administration, is the only country I would trust not to invade our lives through the currency we use. Given that the USA has more civil rights organizations than most countries have citizens, we are in very good shape here and can be assured that the dollars of the future will not have embedded RF transmitters.

    df

  6. Not designed with security in mind on Linksys Incorporates HomePlug Networking · · Score: -1, Troll
    I took a computer ethics course once. One of the cliches that I learned there was that "just because we can do something with technology doesn't mean we should."

    As a computer security professional, I am often reminded of that quote when I read about new networking technologies. And I stop to ask myself: is the added convenience of adopting this technology really worth the potential risk of allowing complete strangers who might not have our best interests in mind to access our networks and see our traffic?

    The classic counterargument that I usually hear to my pessimistic remarks is something along the lines of "encryption is a panacea," in so many words. But is it really? Is the HomePlug(tm) product really designed well enough to keep intruders from peeking into my personal life? Well, let's think about a couple of points:

    • Encryption schemes get weakened or broken. That makes a "useless" collection of your sniffed packets very useful for the snoop who hasn't erased his logs yet.
    • 40 bit WEP didn't work. 128 bit WEP was broken soon after it was introduced. Apparently more bits doesn't help when there are easier ways to break these systems than with brute force.
    • Traffic patterns can easily be deduced from encrypted communications. I'm not a big fan of Solar Designer, but I'll admit that the work he did in analyzing SSH and guessing passwords based on keystroke timing was brilliant. Who's to say that somebody won't find a way to do that for some sort of wireless transmissions?
    • This does nothing to prevent DoS attacks. So if you anger your next-door neighbor, he will probably try to flood your network with crap. As a computer geek, I know this would make my life miserable.
    And that just scratches the surface. When will people ever learn that shared mediums (the RF spectrum, power lines, and the like) are just not good solutions? Maybe people just need to get off their asses and run Cat5e through their houses like the rest of us do. It will save them countless headaches in the future.

    df

  7. This is not a good time for them on Nanotech Goes To Capitol Hill · · Score: 2, Interesting
    We, as (mostly) educated computer professionals, understand the importance of researching nanotechnology. Nanotechnology will inevitably help cure diseases, create "smart" materials like insulation and clothing, and generally wean us off our dependence on hard-to-produce, expensive natural resources like body tissues and cotton.

    Unfortunately, our current Congress and administration is not as fortunate as we are. Stuck in the 19th century, the successors of Newt have shown us that they are not interested in civil rights, advancements in medicine, or pretty much anything that doesn't involve increasing pork-barrel spending on defense. I would be surprised to find out that more than a handful of Republicans in Congress actually have college degrees. They don't need to think; everything is a matter of dollars and cents.

    Although this should come as no surprise to a nation that voted Republican for the past few years, our leaders' refusal to act like they are living in the 21st century is going to have a very negative impact on science, as their core constituencies have no interest in keeping the USA's status as the most advanced nation in the world.

    So, these nanotech lobbyists would be well advised to keep a low profile until Gore returns to the White House in 2004. Otherwise, they may be headed to Washington with their hands out and leaving Washington with their research banned. And that would not be good for science.

    df

  8. Been there, done that on FBI Confirms Magic Lantern Existence · · Score: 2, Interesting
    And 'rpm -U' doesn't say a single word when I install an unsigned package. By the time I could see that the package was unsigned (and potentially a copy of magiclantern-i386.rpm), it would be too late.

    Distributions should reject packages that aren't signed with a trusted key by default. And make the user specify the --really-install-an-untrusted-package flag in order for the package manager to accept it.

    df

  9. Not an easy task on FBI Confirms Magic Lantern Existence · · Score: 2, Insightful
    Installing a new program could take several extra hours if I were forced to download, audit, and compile the source.

    The super-paranoid will be safe from Magic Lantern because they probably don't upgrade software often and they probably patch security holes themselves. But for the rest of us who want to *use* our computers, this is an enormous problem.

    df

  10. They can get us Linux users too on FBI Confirms Magic Lantern Existence · · Score: 2, Troll
    As an administrator of several Linux boxes at work and at home, I was wondering whether or not I could be affected by the "Magic Lantern" program. The results came in, and quite frankly, I am frightened.

    To start, I talked with my colleague's brother, "Joe," who is a criminal defense attorney. Joe told me that he has been following the Magic Lantern debate very closely, because his sources indicate that the FBI will be using it in many, many cases to prevent the possibility of seizing equipment with undecryptable data on it. In fact, it has been rumored that the proposed new FBI policy regarding searches of premises requires agents to attempt to use Magic Lantern (which technically counts as a consensual search) prior to even obtaining a warrant, if the warrant is to seize computer hardware.

    Joe is not very familiar with computer technology, but he did say that a large part of the Magic Lantern program involves contacting ISPs to allow the FBI to alter network data destined for the suspect's computer. I will take that at face value because they seem to have no problem pulling rank on ISPs. I suspect that their "do it or we'll arrest you" attitude plays a big part in this.

    With all of that in mind, I decided to find out just how vulnerable I was. I set up a stock Debian 2.2r3 box, and a stock Red Hat 7.2 box. Both used the installation CDs produced at least a few months ago, so they were both vulnerable to the wu-ftpd exploit and would need to be upgraded for production use.

    My goal was simple: I needed to play the part of the FBI, and trick my machines into accepting a trojaned version of the new wu-ftpd package.

    First, I set up a transparent proxy on my gateway box, which is used to split my cable modem connection amongst my home machines and those of several neighbors. I used a program called "squirm" to rewrite URLs ending in .deb or .rpm so that they would be redirected to my local web server, from which the trojaned .deb and .rpm files would be served.

    Second, I produced trojaned .deb and .rpm files. The .deb file was trivial to modify, as only a checksum stood between me and a valid hacked version. The .rpm was a bit more difficult, because RedHat signs their packages with a PGP key. However, once I rebuilt the package and did not sign it with PGP, I had a fixed package.

    Third, I went to the Debian box and typed 'apt-get update ; apt-get upgrade'. After a few routine prompts, none of which triggered security alerts, the box was rooted by my "custom" package.

    Fourth, I went to the Redhat box and did an 'rpm -U' pointed at the updates.redhat.com server. I got my trojaned RPM back, with no warnings or prompts to tell me it hasn't been signed. And I had an ftp server with a new backdoor up in a matter of minutes.

    So, to summarize: the FBI can easily set up a transparent proxy between you and the Internet, and trick your OS into installing malware. You're damned if you do and you're damned if you don't, because you need to download the wuftpd-of-the-week sometime.

    As a matter of comparison, my Windows 2000 box has no such vulnerability. The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

    Linux distributions need to band together and find a trusted individual who will be responsible for signing all packages and verifying that they do not contain backdoors. That is the only way to solve this issue. Personally, I nominate Eric Raymond, because of his widespread respect from the community and business leaders alike. Additionally, he is a staunch libertarian and would not cave to government pressure to insert backdoors into something that he has signed. I believe that by charging the distribution vendors a small fee per package, ESR can again achieve financial success for himself and his family.

    This is a serious issue for Linux users and I believe it should have been addressed years ago. That said, now is not too late and definitely not too early. I look forward to seeing this feature in all future releases of the major Linux distributions.

    df
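The default-deny policy argued for in the "Been there, done that" and "They can get us Linux users too" comments above, as an added example (not part of the archived comments and not rpm's own code): a pre-install gate that reads an RPM's signature header and refuses anything carrying only a checksum or nothing at all. The function names, the `allow_untrusted` parameter (standing in for the commenter's proposed override flag) and the sample bytes are assumptions constructed for illustration; a signature tag being present only means the file goes on to real verification against a trusted key, for example with `rpm --checksig`.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"   # first 4 bytes of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8"     # first 3 bytes of every RPM header structure
LEAD_SIZE = 96
INTRO_SIZE = 16                    # magic(3) version(1) reserved(4) nindex(4) hsize(4)
ENTRY_SIZE = 16                    # tag, type, offset, count: big-endian uint32 each

# Tags in the signature header that hold a public-key signature.
SIGNATURE_TAGS = {267: "DSA", 268: "RSA", 1002: "PGP", 1005: "GPG"}
# Tags that hold only a digest: they catch corruption, not tampering.
DIGEST_TAGS = {269: "SHA1", 1004: "MD5"}


class RpmFormatError(ValueError):
    """Raised when the bytes do not parse as lead + signature header."""


def signature_header_tags(blob):
    """Return the tag numbers listed in the signature header index."""
    if len(blob) < LEAD_SIZE + INTRO_SIZE or blob[:4] != LEAD_MAGIC:
        raise RpmFormatError("bad or truncated RPM lead")
    intro = blob[LEAD_SIZE:LEAD_SIZE + INTRO_SIZE]
    if intro[:3] != HEADER_MAGIC:
        raise RpmFormatError("signature header magic not found")
    nindex, hsize = struct.unpack(">II", intro[8:16])
    index_start = LEAD_SIZE + INTRO_SIZE
    index_end = index_start + nindex * ENTRY_SIZE
    # Bound attacker-controlled lengths before walking the index.
    if nindex > 4096 or index_end + hsize > len(blob):
        raise RpmFormatError("signature header larger than the file")
    tags = []
    for pos in range(index_start, index_end, ENTRY_SIZE):
        tag, _type, offset, _count = struct.unpack(
            ">IIII", blob[pos:pos + ENTRY_SIZE])
        if offset > hsize:
            raise RpmFormatError("index entry points outside the data store")
        tags.append(tag)
    return tags


def classify(blob):
    """'signed', 'digest-only' or 'unsigned', from tag presence alone."""
    tags = signature_header_tags(blob)
    if any(t in SIGNATURE_TAGS for t in tags):
        return "signed"
    if any(t in DIGEST_TAGS for t in tags):
        return "digest-only"
    return "unsigned"


def gate(blob, allow_untrusted=False):
    """Fail closed: only a signed package proceeds to key verification.

    allow_untrusted models an explicit, per-invocation override; it never
    rescues a file that does not even parse.
    """
    try:
        state = classify(blob)
    except RpmFormatError:
        return "reject"
    if state == "signed":
        return "verify-signature"
    return "install-untrusted-override" if allow_untrusted else "reject"


def constructed_rpm_prefix(tags):
    """Build a constructed lead + signature header listing `tags`.

    Sample data only: every entry is a 4-byte dummy BIN (type 7) value.
    """
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - len(LEAD_MAGIC))
    store = bytes(4 * len(tags))
    index = b"".join(struct.pack(">IIII", t, 7, 4 * i, 4)
                     for i, t in enumerate(tags))
    intro = HEADER_MAGIC + b"\x01" + bytes(4) + struct.pack(
        ">II", len(tags), len(store))
    return lead + intro + index + store


if __name__ == "__main__":
    rebuilt = constructed_rpm_prefix([1000, 1004])        # size + MD5 only
    vendor = constructed_rpm_prefix([1000, 1004, 1005])   # plus a GPG tag
    for name, blob in (("rebuilt", rebuilt), ("vendor", vendor)):
        print(name, classify(blob), gate(blob))
```
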

  11. Win-win on Online e-Commerce Issues w/ PayPal? · · Score: 3, Insightful
    As a customer who was defrauded by a merchant who used Paypal, I believe that Paypal would make good business sense for you and be very bad for your customers. I bought a cordless phone from an ebay merchant who never delivered it, and paid with Paypal about 3 months ago. Paypal only recently *started* to investigate my claim, and I was forced to dispute the charge with my bank instead. Their number (650-251-1100, culled from whois) is not even on their site and the customer service reps are quite useless.

    If you ever "go bad" and decide to start screwing people, Paypal is your weapon of choice. If you are a scrupulous merchant, Paypal is probably the best way to go because there will be few complaints on either side of the transaction. As I am also an ebay power seller who uses Paypal, things have been just fine on that side of the table as well.

    Just my 2c.

    df

  12. Re:This will never work on 2001 UCLA Internet Census · · Score: -1

    Brings new meaning to the term "dictionary attack," eh?

    I knew I should have left my threshold at +1.

    df

  13. Time to watch our backs on Cringely On Microsoft Settlement · · Score: -1, Troll
    My Uncle Isaac used to work on the Passport team at Microsoft, but he eventually got seriously fed up with the company and is now an NT/UNIX sysadmin elsewhere. He is very skeptical of the DoJ settlement and thinks that MS will be with us for a very long time to come unless the terms are changed substantially.

    I spoke with Uncle Isaac on several occasions regarding his favorite stock pick, MSFT. He explained that from day one, he knew that Microsoft was one of the most nimble companies that ever existed. Pointing out their rapid turnaround in the browser wars and in internet integration, he said that with billg at the helm, Microsoft would always prosper.

    "What about .Net," I asked. "Do you really expect that thing to succeed?"

    ".Net will put Microsoft in a position more powerful than any other company in the nation." When I pressed for details, he explained what Microsoft was planning to do:

    .Net is not just about replacing web servers with web services. .Net is about promoting Passport. But what does Passport have to offer users? Maybe a little convenience, but most users won't think the tradeoff is worth it.

    Passport, in fact, is going to be marketed to web site owners. Sure, personal information is sometimes fun to have, but that isn't the main attraction. Microsoft plans to offer Passport up as a system to facilitate micropayments. They are targeting the owners of the many unprofitable information sites that are being propped up by venture capital (and pathetically meager ad revenues) today. This will force users to use Passport and pay for the information they receive off the web, with Microsoft taking a cut every time. Microsoft will become the largest middleman in the world, and multinational banks will look on in envy.

    As a technical matter, this isn't a very difficult thing to do, but it needs a strong, reliable company with a good name, like Microsoft, to hold it up and to fund it during tough times. Microsoft has shown itself to be willing to subsidize many unprofitable ventures (such as IE and Bob) in order to attain a stronger position in the market, so it should come as no surprise that Passport will work the same way.

    And, after Passport has taken over, there will be no more need for Linux/Apache on commercial sites. Microsoft can't compete with us directly, so they will destroy our market share by making the economics favor their product. We can give them Free software but Microsoft can sell them a big profit.

    We, as the open source community, need to come together to stop this plan dead in its tracks. We can't rely on our government to do it for us, so we need to innovate and find ways to stop Microsoft. Maybe a bunch of open source hackers can get together and start producing macro virii and IIS worms nonstop, so that users are more aware of the poor security afforded by Microsoft products and services. Perhaps frequent DDoS attacks on Passport-compliant web sites are in order. Or maybe something completely different. Either way, we need to do something, so that Microsoft does not use Passport to take the internet away from us.

    df

  14. Time to watch our backs on Global Warming Mostly Confirmed - On Mars · · Score: 0, Troll
    My Uncle Isaac used to work on the Passport team at Microsoft, but he eventually got seriously fed up with the company and is now an NT/UNIX sysadmin elsewhere. He is very skeptical of the DoJ settlement and thinks that MS will be with us for a very long time to come unless the terms are changed substantially.

    I spoke with Uncle Isaac on several occasions regarding his favorite stock pick, MSFT. He explained that from day one, he knew that Microsoft was one of the most nimble companies that ever existed. Pointing out their rapid turnaround in the browser wars and in internet integration, he said that with billg at the helm, Microsoft would always prosper.

    "What about .Net," I asked. "Do you really expect that thing to succeed?"

    ".Net will put Microsoft in a position more powerful than any other company in the nation." When I pressed for details, he explained what Microsoft was planning to do:

    .Net is not just about replacing web servers with web services. .Net is about promoting Passport. But what does Passport have to offer users? Maybe a little convenience, but most users won't think the tradeoff is worth it.

    Passport, in fact, is going to be marketed to web site owners. Sure, personal information is sometimes fun to have, but that isn't the main attraction. Microsoft plans to offer Passport up as a system to facilitate micropayments. They are targeting the owners of the many unprofitable information sites that are being propped up by venture capital (and pathetically meager ad revenues) today. This will force users to use Passport and pay for the information they receive off the web, with Microsoft taking a cut every time. Microsoft will become the largest middleman in the world, and multinational banks will look on in envy.

    As a technical matter, this isn't a very difficult thing to do, but it needs a strong, reliable company with a good name, like Microsoft, to hold it up and to fund it during tough times. Microsoft has shown itself to be willing to subsidize many unprofitable ventures (such as IE and Bob) in order to attain a stronger position in the market, so it should come as no surprise that Passport will work the same way.

    And, after Passport has taken over, there will be no more need for Linux/Apache on commercial sites. Microsoft can't compete with us directly, so they will destroy our market share by making the economics favor their product. We can give them Free software but Microsoft can sell them a big profit.

    We, as the open source community, need to come together to stop this plan dead in its tracks. We can't rely on our government to do it for us, so we need to innovate and find ways to stop Microsoft. Maybe a bunch of open source hackers can get together and start producing macro virii and IIS worms nonstop, so that users are more aware of the poor security afforded by Microsoft products and services. Perhaps frequent DDoS attacks on Passport-compliant web sites are in order. Or maybe something completely different. Either way, we need to do something, so that Microsoft does not use Passport to take the internet away from us.

    df

  15. As a certified electrician... on Wiring A New House? · · Score: 5, Insightful
    I have pulled cable in several new construction projects and I have a few tips that will save you a lot of headaches in the future:
    • Run conduit. Big conduit. There's a lot of space between your walls so why not leave yourself the room you will need to expand later?
    • You can buy 25-pair (!) Cat5e cable. It costs about twice as much as 4-pair but it is well worth it for expansion reasons. There's not a whole lot you can't do with 25 pairs.
    • Don't forget to buy plenum wiring, which does not emit toxic fumes when it burns. It's probably code in your area. I have seen bean counting managers cheap out and buy generic cable, and get fined thou$ands of dollars for it.
    • Coax isn't a bad idea, especially in a residential installation. You never know when you will want cable/DSS in a room.
    • Run a string between any two points where it makes sense, and mark the strings so you know what you're pulling later.
    • Don't bother with fiber. It is overpriced and will remain so for quite a while. Copper is good enough for gigabit ethernet and will provide all the bandwidth you need (within one building at least) for a very long time to come.

    Good luck with the project!

    df

  16. Yahoo!'s intent was malicious anyway on Webring - Another One Bites The Dust · · Score: 0, Troll

    My roommate interviewed for a position at WebRing.org while they were in the middle of the Yahoo acquisition, and he revealed a dirty little secret that the interviewer let slip: Yahoo wanted to lay low for a little while to keep building critical mass, then implement interruption based advertising so that in order to get to the next site in the ring, users would be forced to sit through a 10-second Flash animation (probably coupled with a few pop-under X-10 ads).

    Naturally, the waning popularity of webrings in general made it an economic reality that the ad revenues generated wouldn't even cover the cost of running the service. So, Yahoo dropped it, predictably enough.

    What Yahoo! does makes a lot of business sense. However they are forsaking a large amount of goodwill as they acquire and corrupt various sites that used to be very nice resources. Alas, that is the way of the capitalist. I can't say I'll feel sorry when it comes back and bites them later.

    df

    P.S. My roommate got the job offer but, fearing imminent layoffs, did not accept.

  17. These are coming sooner than you think on Philips Improves Electronic Paper · · Score: 4, Troll
    One of my buddies works at a competing manufacturer and has some very promising news about these displays. Although I'm not sure what the case is for the Philips units, production and deployment of his company's product is scheduled to be ramped up in February, with consumer products hitting the market around March 15th. Some of the tidbits that he leaked to me were:
    • The baseline, mass market model will have a resolution of 64dpi and cost roughly $0.50 per square inch for displays between 6 and 24 square inches. This includes the circuitry required to interface to an 8051 or other mpu.
    • A serial interface (ideal for connecting to a PC or BASIC stamp) will be offered around September 2002.
    • Resolutions of 128dpi and 256dpi will be available, albeit at a substantially increased cost.
    • These units take about 0.003 uA/pixel, which is substantially less than current LCD and OLCD offerings.
    • Work is being done to make the drivers' jobs easier. For instance, advances have been made that allow the driver to get away with only refreshing static data once every 3.5 seconds.


    df

  18. Time to start a blacklist on Telemarketers Held Accountable ... In Theory · · Score: 1
    If this becomes law, it will afford us a powerful weapon against telemarketers. Just as MAPS and ORBS (used to) maintain registries of problematic mail relays, we can maintain a registry of telemarketers. What can we do with this? Well,

    • Telemarketers are regulated under Federal law. If many people complain about a given telemarketer, their sworn statements could be used to severely increase the penalties to particularly abusive companies.

    • Statistics can be collected to create a "most annoying companies" list.

    • Blacklists can be created to discourage consumers from patronizing companies with evil telemarketing practices.

    • Users with an always-on connection can query a MAPS-like server in real time to determine whether to answer an incoming call with a handset or with a screeching 'ATA' modem tone.



    Since so many of my friends show up as "unavailable" on my caller ID, I welcome this measure with open arms as a way to sort the wheat from the chaff.

    df

  19. Breathing a sigh of relief on Earthlink Buys OmniSky · · Score: 4, Insightful

    As a long-time Omnisky customer, this is a very good thing for me. In Omnisky's final weeks, my service went from good to nonexistent. Apparently, routers and other equipment went down and nobody was left to reboot them. Getting through to customer service was next to impossible.

    Start-ups are cute, but Internet access should be left to the experienced companies who have half a clue what they are doing (both on the service end and on the profitability end). Earthlink has an excellent track record, and as a sort of a charnel house for the corpses of dead ISPs (like Juno and such), it has a proven track record in providing services and making a profit at the same time.

    I hope that Earthlink's abundance of clue will last for a long time and assure us Omnisky users quick, uninterrupted service for many years to come.

    df

  20. Hardly a panacea on Why ADCo? · · Score: 3, Interesting
    My community has at least three ADCOs that I know of; they are all local companies who want to offer broadband. Two are running copper lines and one is running fiber. (For the record, I'm not quite willing to give up my DSL line until these guys start turning a profit.)

    One of the major problems with ADCOs is, predictably enough, running the cables. Overhead and buried cables are usually prohibitively expensive, which is why the only way the telecom/cable companies were able to afford them was with subsidies and legislated monopoly status. Therefore the companies are forced to use sewers and other undesirable underground networks to run cable. And this is where the problems begin.

    The sewers in my town are extremely old and small. There are frequently "conflicts" among the carriers when installing and maintaining these cables. Rain has proven to be an issue, as have insects and other much larger creatures. Running these cables in sewers is decidedly jury-rigged and isn't going to work out as a long-term solution.

    One of the ADCO companies was considering transmitting signals through water supply lines (!). They claimed that there was a significant amount of potential bandwidth in the water supply network. I am not sure if that ever came to pass.

    But one thing is sure: whether it be 802.11b wireless or something else, some other technology is going to be needed to replace the sewer-and-heating-duct kind of cabling that ADCOs rely on.

    df

  21. This could be used to fight terrorism on Quantum Holography · · Score: 0, Troll
    Currently, we are at war with an enemy we cannot see who lurks within our borders. Our lawmakers want to try to find this enemy by relaxing the government's self-imposed limitations on searches and seizures, so that it is easier to determine whether a given individual is carrying items that may be used in an act of violence.

    This technology could change everything. Rather than giving law enforcement officers the right to search and harass individuals who fit a "profile" (which, by itself, tends to favor searching Arab and other Middle Eastern types), the government could instead mandate the use of a holographic device such as the one described in this article. The advantages of this approach are that it is not invasive (people will not be embarrassed or inconvenienced by needless searches) and that it would be more effective because it could quickly be used to scan, say, every bag or container in an airport.

    This sort of device would also render body cavity searches obsolete. Rather than training LEOs to probe people's orifices in a vain attempt to find drugs or weapons, people could be seamlessly screened as they enter "sensitive" buildings. These devices would do for terrorism what store security cameras did for shoplifting: nearly stop it dead in its tracks.

    I, for one, would rather see law enforcement widely deploy these devices, rather than subject me to degrading searches. Certainly the majority of Americans feel the same way. We can have our cake and eat it too.

    df

  22. Why some developers are running from Linux on Living in a Linux Embedded World · · Score: 5, Insightful
    I used to work closely with a development team that made the transition from a proprietary (and, may I add, unmaintainable and unreliable) embedded OS to Linux. Though some of the concerns in the article did come up, especially speed and size issues, those didn't hurt us much. After all, we could afford a better processor and more memory with the money we saved on royalties and maintenance expenses - these were substantial.

    Unfortunately, if the many features of Linux and the transition from assembler to C didn't hurt us, the licensing did. Things went very smoothly until we needed to make some big changes to the kernel to accommodate a newer version of our hardware. At that point, there was a schism in the group: some of the developers wanted to change the kernel and release the product without source (the "who would find out?" crowd) and the rest of us knew that Linux was not going to fit our needs anymore unless we wanted to give our work away to competitors.

    Well, the "who would find out?" crowd won the first round, and because of release deadlines we "slipped" the kernel changes into the next version of the product. And nobody knew. Except one of us told the legal department about what happened and they became very agitated.

    Now our software runs on embedded NetBSD. It wasn't quite as robust as embedded Linux but it works well and we really can't complain. Transitioning to a new OS took a lot of effort but it was a necessary evil. After all, we couldn't risk getting sued out of existence to save a little money.

    But the question I draw from this is: why not relax the GPL restrictions a bit for embedded applications? It seems like this area of the market will never be dominated by Linux until companies can stop fretting about licensing problems and start concentrating on coding instead.

    df

  23. As a recipient of a subpoena... on Network Webcurity Wishlist? · · Score: 5, Interesting
    A few years ago I worked as a sysadmin at a moderately large company. We had a pretty big turnover problem because our company's marketing efforts tended to attract job applicants who were "green" college grads, lazy, troublemakers, and looking for a "fun" workplace with foosball tables and free snacks. Needless to say, they did not fit in at the Fortune 500 company where I worked.

    One of these employees got bored with his coding tasks and, with no previous exposure to a broadband Internet connection, apparently decided to become a script kiddie on company time. From all outward appearances, he got pretty good at it, but one day it caught up with him: U.S. Marshals came into my office and served me with a court order that asked for many, many pieces of information that would tell them who had been cracking systems from our corporate network.

    I had no problem turning this information over, as the other choice was to go to jail and let the hacker go free. However, I was appalled with the way the marshals treated me: they knew that I was just the sysadmin, not the perpetrator, but they still treated me like a criminal. When I told them that our NAT setup doesn't keep logs of every single outgoing connection from our network (as had been requested in the court order) they got really pissed off and started threatening me. At that point I told them that I was not going to do anything for them without talking to counsel, and they backed off.

    So, the moral of the story here is that law enforcement needs to show more respect for sysadmins, and learn the difference between a network admin and a criminal on the admin's network. Treating everybody as though they are all guilty will only build resentment and get in the way of getting their precious case solved.

    df

  24. The favoritism runs rampant on 2nd Space Tourist To Visit ISS In April 2002 · · Score: 3, Insightful
    Space, like so many other industries and programs throughout the years, has seen tremendous advances in technology, accomplishments, and workforce skill. It is often speculated that eventually many people will live for years, or forever, on other planets or in human-friendly space stations. This helps ease overcrowding of Earth, and helps people experience new living environments.

    However, it seems as though most nations' space programs don't feel the same way about that egalitarian vision. They don't think space is the final frontier for everyday citizens; they don't want space travel to become commoditized. NASA, and now the Russian space agency, want to use space as a perk to sell to very wealthy businessmen. They want money, influence with politicians, or both. Regardless, these agencies are using taxpayer money to pamper the rich, and it is high time to stop this abuse.

    Mind you, I am not against rich people. My brother has a net worth of over three million dollars. I am simply against letting the government use its considerable power to reward those who have already been rewarded by the capitalist system. Why reward people twice for the same deed? I don't win an award or see the government kissing my behind every time I collect a paycheck. Why should really rich guys be any different?

    Astronauts are hired because of their physical strength and courage, their technical abilities, and their personalities. They should not be selected on the basis of their bank account balances. We should work toward letting astronauts do their jobs, without interference from wealthy joy-riders who feel like they have to ride into space before they die, just because they can.

    df

  25. Change of scale made it a change of kind on SONICblue Granted Broad Patent on DVR Technology · · Score: 1
    The patent office needs to walk a fine line in cases like this. They cannot accept patents that are merely a difference in "scale" (for instance: speed, convenience, size, and such) unless they can show that the difference in scale is so substantial that it is really a difference in kind: that the device is really different from its predecessors because the scale has changed so dramatically.

    For instance, an archive of VHS tapes and a computer would not be eligible for a patent, because it is significantly more complex for the user (and probably could not even be marketed). The Replay units are very easy to use and small, and the technology that makes that possible is considered eligible for patent protection.

    I talked with one of our company's patent attorneys and he said that the "scale" issue was not a problem here, but he doubted that such an obvious patent would stand up in court. He expects SonicBlue to get whupped in court, Rambus-style, if Tivo and the other competitors don't capitulate first. (Good.)

    df