I concur with ShadowRangerRIT, for most people noscript is much too difficult to use. There are two big problems.
In many situations there is some site they go to for the first time and it does not work. Then the ones that are trying go and click on the noscript icon or message and are promptly presented with a list of ten or so sites with blocked scripts. They pick one essentially arbitrarily (hopefully the same domain) and then let the page reload. But 7 out of ten times it is some cross domain script that needs to be allowed. So it still does not work. At this point they may try one more by guessing or simply give up on noscript.
The other big problem is when it does not work but now the page is missing any indication of flash content. There they may go through the steps above or they may just decide right then and there that this noscript extension is breaking this website, and that is the last that they ever use it.
I use yahoo mail classic with noscript and adblock plus in Firefox. I see no such problems. I also use RequestPolicy and CookieMonster, but for that site they happen to do nothing special. You should try again.
Exactly, if you want to call anyone pompous it's not Heuer. One of his predecessors on the other hand...
Or the update could be patching XP so that its kernel avoids the troublesome instructions, the way that there were patches to linux in the past to allow nearly native speed in qemu. Then it would not need all of the essentially-an-emulator code of the previous vpc versions.
You know one of the founders of Google is named "Sergey" and I bet that has a lot to do with why they are taking this stance. I commend them.
Please somebody mod this up and restore my faith in slashdot.
Rather what fun it was when they weren't there, say most clone PC VGA cards.
I went to one geared towards security for people in physics. Essentially only the people from CERN were willing to give talks where they discussed actual incidents. Everyone from DOE labs was unable. I had the sense that other labs were under rules like that as well. It was ridiculous: because of that nothing could be shared, hence nothing could be learned. We were all admin types at the labs, it was not open to the public or anything of that sort.
It's funny but I use rbash (restricted) and rsh (remote) just like that (vxworks).
But I think we are agreeing, seems pointless to disable sftp if you let people login instead of restricting to certain commands.
I ended-up just putting it here:
http://home.fnal.gov/~mzs/tips/unix/ssh/stjput
Yeah I should have used pastebin, it was late.
That's exactly what the script does but over the years it got more useful. It used to use cpio at first, so I would pipe find output into it. But then I ran into a machine that did not have cpio, so I changed it to tar. Then I ran into trouble once where a file started with -, so the checks for that. At some point I started using more OSX machines and then I routinely ran into paths with spaces and got tired of double escaping that for ssh, so the workaround. Then the switch to cksum instead of wc because of some OSX version where wc counted characters wrong when there was a colon or backslash in the filename or something ridiculous like that.
And so that's how something so simple becomes so complicated over time. Oh and I could not use any too fancy options of tar since it's not always gnu tar that's installed. Also that's why I used cat instead of echo, I don't know what sh is.
Yes, I did a bad job of explaining, for example I have such entries:
Host host.gateway
ForwardX11 yes
ForwardX11Trusted yes
TCPKeepAlive yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
HostName host.example
ProxyCommand /usr/bin/ssh -24 -o PermitLocalCommand=no -qaxT gateway.example exec /usr/bin/nc %h %p
In my "Hosts *" section earlier I have various items I usually like enabled (I have A LOT of hosts I ssh to, many not behind a gateway), such as agent and X11 forwarding. So before it dawned on me that I should leave these kinds of features off for the gateway I could not get things like X11 forwarding to host.gateway to work.
But the key idea is that this all works if you disable them for the gateway. For example:
no X11 forwarding
ssh -x host.gateway
no pty on host.example (there is never one on gateway.example)
ssh -T host.gateway 'echo "$TERM"'
So what happens is that netcat forwards everything to host.gateway:%p and that sshd that gets forked there then can do any of these different modes just like before. The one on the gateway does not. For example I used to run out of pty on a heavily used gateway, the admin did not wish to increase the number, that's no longer a problem for me.
I also think I quieted the ssh to the gateway since then for some gateways that used a banner I would get the huge gateway banner message. Again, that does not affect the settings of the host behind the gateway, though sometimes it makes it harder to see why a connection is failing (I can't remember if -v works here).
Anyway I did a poor job of explaining, but it took me years of doing 'ssh gateway ssh host double-escaped-stuff' and two hop X11 forwarding with two proxies in that case before somehow it suddenly hit me that the netcat will forward everything so I just want to disable that stuff on the gateway and then I can enable/disable whatever I wish from the commandline or config files.
They don't have to be random. Say you decide that you will allow 20 simultaneous connections, so then you allocate a block of 40 (if it's not busy you can have less, but TIME_WAIT after the connection is closed implies you should have some extras) below the ephemeral lower limit. Then in your firewall you open up those 40 to the world or your organization. If nothing is listening on a port then there really is no harm having that port open. If you like you can block outgoing ICMP port unreachable messages. With the tcp windows pretty much the only thing an adversary can get away with is possibly a RST attack. So you could configure your ftp server and firewall like that.
That said all the firewalls have very good mechanisms now for watching ftp connection and adding temporary rules for any secondary ports needed. You may have better luck reading the man pages and running the tools from the command line with -d and -v options, that way you will get more diagnostics.
Please don't get upset, there were a lot of people offering useful advice. Maybe you can use HTTP instead if the FTP is too troublesome for you? BTW most people do not read log files using tcpdump, but I guess there are those ubercool that read the raw syslog traffic over the wire instead of tailing some log files, that must be you.
I can't believe how badly slash code munged the script. Here is a link:
http://home.fnal.gov/~mzs/tips/unix/ssh/stjput
client X.509 certs with TLS is vulnerable to renegotiation attacks. telnet would be vulnerable to some timing attacks with TLS if it were not configured carefully as well. Sometimes simple is better.
tcpdump is your friend too. It is likely simply some client is not using PASV or BIN modes.
You mean like rcp or uucp? ftp was so dominant simply because the ftp client was wonderfully interactive for its time.
Have they fixed the bug with ChrootDirectory on Mac OS X? On that system / is group writeable and that fails some sanity check. I do not permit any admin users to ssh in though so it should not really be a problem in practice. (To admin you need to ssh in as yourself, then /usr/bin/login -p admin, from there sudo.) I used to have a dylib I would preload but at some point it stopped working so I would compile my own versions.
Also it seemed a while back that I would be able to use sftp even if sftp was disabled on the server. A coworker of mine implied that it seemed that simply knowing where the sftp helper was you could run it if you could get a shell via ssh. I wonder if that has been addressed?
I've been using this in my ssh_config for a while:
ProxyCommand /usr/bin/ssh -24 -o PermitLocalCommand=no -qaxT gateway exec /usr/bin/nc %h %p
I find that -qaxT are really key to getting everything to work right and that's not documented well. You can of course forward X11 and what not, the trick is to not get the gateway involved, it just passes it on to the host and that sshd handles it. You don't need the pty on the gateway either, etc for the other options. That with ControlMaster and screen has really been a fantastic swiss army knife for dealing with lots of hosts.
In case you run into a gateway that does not have netcat installed or you can't get putty to work right with netcat, a coworker of mine came up with a trick where you use a socks proxy. It's pretty ingenious but socks can proxy any tcp since the v4 or so, not just http. If you are concerned about eavesdroppers inside that will not do, also if you have shared accounts on the machine you are sshing from it's not ideal unless your firewall allows you to restrict a port to UID.
If you are using Windows and Kerberos then I have some builds of openssh here that are useful:
http://home.fnal.gov/~mzs/tips/windows/ssh/
This way you can use xterm or rxvt with cygwin and the MIT kerberos with ssh. I never really figured out how to handle the mess that is Windows permissions (nothing like root:wheel it seems) so the files in those tarballs have my guids. There is a NOTES.txt there that explains a bit. You can see how I built. I have ssh38, scp38, sftp38 that support gssapi and gssapi-with-mic. The 51 version supports only gssapi-with-mic.
I have NO idea how to get this to post on slashdot, here is the guts of the last line (in some heavy quoting):
IFS=""; n="`dd bs='$n' count=1 2>/dev/null`" && mkdir -p "$n" && cd "$n" && bunzip2 -c - | tar xvf -
The idea is that the name of the destination dir is sent over stdin to the target host. This way I do not need to deal with all the arcane quoting. The command line itself is fixed save for the integer of the length of the dir name, so no complicated quoting is needed there.
Recently I have been using pax (I used to be a fan of cpio) mainly since it has the -s regex option and I can do some clever restructuring of the directories and files in this way all in one shot. But pax is not available on enough machines yet for me to use it so generically.
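The length-prefix trick described above, as an added example that is not the author's stjput script: the directory name travels over stdin in front of the tar stream, and the receiving command is fixed text except for the integer byte count, so the name itself is never quoted for a remote shell. To run offline it pipes into a local `sh -c` where stjput pipes into ssh, sends an uncompressed tar instead of bzip2, and uses printf in place of the here-document; the function names (octets, normalise, stjput_local, demo) and the sample directory name are constructed for this example.

```shell
#!/bin/sh
# Added example, not the stjput script from the thread: the length-prefixed
# destination-directory trick run locally. The receiver is a plain `sh -c`
# standing in for `ssh host sh -c`, and the archive is an uncompressed tar,
# so only POSIX sh, cksum, dd and tar are needed.

# Octet count of $1 taken from cksum's second field (the thread's reason for
# cksum over wc: wc -c miscounted on some systems). printf '%s' sends the
# exact bytes, so the count matches what the receiver must read.
octets() {
	set -- `printf '%s' "$1" | cksum`
	echo "$2"
}

# Normalise the destination name the way stjput does: '' becomes ., a
# trailing / is added so a trailing newline in the name survives the
# receiver's command substitution, and a ./ prefix keeps mkdir and cd from
# ever reading the name as an option.
normalise() {
	d="$1"
	case "$d" in
	'') d=. ;;
	esac
	case "$d" in
	*/) ;;
	*) d="$d"/ ;;
	esac
	case "$d" in
	/* | .*) ;;
	*) d=./"$d" ;;
	esac
	printf '%s' "$d"
}

# Send the destination name, then a tarball of the remaining arguments, to a
# receiver whose command text is fixed except for the integer byte count $n.
# The name never appears on the receiver's command line, so it needs no
# quoting whatever characters it contains. dd bs=$n count=1 reads exactly
# the name; everything after it is the tar stream.
stjput_local() {
	remdir=`normalise "$1"`; shift
	n=`octets "$remdir"`
	{
		printf '%s' "$remdir"
		tar cf - "$@"
	} | sh -c 'IFS=""; n="`dd bs='"$n"' count=1 2>/dev/null`" && mkdir -p "$n" && cd "$n" && tar xf -'
}

# Self-contained check in a scratch directory: the destination name carries
# a space, an apostrophe and an embedded newline (constructed input), the
# cases that break "ssh host mkdir name" quoting. Returns 0 on success.
demo() {
	tmp=`mktemp -d` || return 1
	nl='
'
	(
		cd "$tmp" || exit 1
		mkdir src && printf 'payload\n' > "src/a file.txt"
		stjput_local "dest dir's${nl}second line" src || exit 1
		test -f "dest dir's${nl}second line/src/a file.txt"
	)
	rc=$?
	rm -rf "$tmp"
	return $rc
}
```

One caveat the original shares: dd reads one block from a pipe, so for a very long name (beyond a single atomic pipe write) the read could come up short and the receiver would start tar in the wrong place; for directory names of ordinary length a single printf write delivers the whole name at once.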
There's just a little bit more:
# (reconstructed: everything between bar's here-document and the final
# 2>/dev/null was eaten by the Slashdot filter, so the tarball function and
# the pipe into ssh are inferred from the comments and from the remote
# command the author quoted separately; baz is a stand-in name)
baz() {
	tar cf - "$@" | bzip2 -c
}
{ bar; baz "$@"; } | ssh $sshopts 'sh -c '\''IFS=""; n="`dd bs='$n' count=1 2>/dev/null`" && mkdir -p "$n" && cd "$n" && bunzip2 -c - | tar xvf -'\'''
Hmm that's not all of it, I continue:
`
# (that tick closes the n=`cksum ...` command substitution)
# learn how many octets are in remdir
# wc is annoying since it was buggy on BSD and sometimes returns number of 'characters'
foo $n
# tar does not support --, so need to make sure all file/dir args start with /
# or . (not starting with - is not good enough, some versions of tar treat @
# as special for example.
m=''
for i in "$@"
do
	m="$m"x
done
foo() {
	case "$c" in
	"$m")
		return 1 ;;
	esac
	c="$c"x
	return 0
}
c=''
while foo
do
	i="$1"; shift
	case "$i" in
	/* | .*) ;;
	*)
		i=./"$i" ;;
	esac
	set -- "$@" "$i"
done
# these next functions are so that remdir is sent followed by the tarball
# this is what worked, various other methods ran into bugs in some versions of
# bash!
# (here-document delimiter reconstructed, the filter ate it)
bar() {
	cat <<EOF
$remdir
EOF
}
This script has served me well over the years. There hasn't been a unix-alike where it has failed me in a very long time now. It also makes the target directory hierarchy for you automatically if needed.
$ cat bin/stjput
#!/bin/sh
# e.g. copy all non-hidden files and dirs from your home dir using protocol 2
# $ cd && stjput '-24 remuser@host' . *
# IFS of a single space: $sshopts below is split into words on spaces only
IFS=' '
case $# in
[012])
	echo 'Usage: stjput sshopts remdir file|dir [file|dir...]' >&2
	exit 2 ;;
esac
# some defaults, may not work with very old versions of ssh
#sshopts='-24 -o PermitLocalCommand=no -qaxT '"$1"; shift
sshopts='-qaxT '"$1"; shift
remdir="$1"; shift
# protect sh from stripping trailing whitespace, eg newline(s)
case "$remdir" in
'')
	# someone used '' instead of . for CWD!
	remdir=. ;;
*/) ;;
*)
	# It does not matter to have the trailing / for a dir
	remdir="$remdir"/ ;;
esac
# need to prevent cd and mkdir thinking it is some option
case "$remdir" in
/* | .*) ;;
*)
	remdir=./"$remdir" ;;
esac
foo() {
	n=$2
}
# lots of testing shows that this works on many shells,
# don't use $() or "``" and make sure that closing tick is all by itself on the
# last line
# (here-document delimiter reconstructed, the filter ate it; cksum counts
# remdir plus the newline the here-document sends, the same bytes cat sends later)
n=`cksum <<EOF
$remdir
EOF
I am pretty sure that 2.1 added 286 and that 3.0 added 386.
I think the obvious thing would be to trust the error detection code in the ECM too much. This error path code is likely not fully tested. What happens if there is some rare sort of error where the main/sub voltages read something like 4.5V and before then the ECM goes into lala land due to some bug (like error detected that main and sub do not match) and because of a coding error now is in an infinite loop handling that error, say. Now the throttle position at the engine is at almost full open and stays there since the ECM never sends it anything else. Do they have something like a watchdog timer for this? Could this explain the 1s sudden acceleration on the Prius?