No argument.
In one case, the firewalls were so restrictive (and slow) that I had to burn the ISOs at home (on a Win98 Desktop) and carry them in.
2nd case the worm was rampaging, time was literally money, and bootable FreeBSD ISOs won out.
In a perfect world I would have the time and resources to plan everything and do it 'right.'
I don't want to get into a lame OpenBSD/Theo bashing thread. He's done spectacular work. Suffice to say that I know for a fact that OpenBSD has lost 'marketshare' due to restricting ISOs.
Got to agree here.
2 years ago I wanted to install OpenBSD on a number of Snort IDS systems on rack-mountable Compaq systems. I've used just about all flavors of Unix, use Linux on my desktop, but prefer *BSD for servers.
I look around for ISO images. No official OpenBSD ones available for free; you buy CDs to support OpenBSD. I need to do this *today*, and other installation methods are suboptimal (compared with booting off an install CD) in a heavily firewalled environment.
On to FreeBSD. Install crashes during the kernel boot. Some sort of driver issue.
On to Redhat. Works first time. We use RedHat.
Flash forward to last week. New job, new heavily-firewalled infrastructure, new IDS systems needed quickly to squash a worm problem. Compaq DL320 hardware available.
I want to go with OpenBSD, but once again I need to buy the CDs to get legitimate CDs, and I don't have time to mess with this. Make note to self to buy them anyways, to support OpenBSD's fine efforts.
On to FreeBSD: download ISOs, burn them and boot: works first time.
We're getting there.
I knew I should have heeded this warning:
ACHTUNG! Alles touristen und non-technischen peepers!
Das machine control is nicht fur gerfinger-poken und mittengrabben. Oderwise is easy schnappen der springenwerk, blowen fuse, und poppencorken mit spitzensparken.
Der machine is diggen by experten only. Is nicht fur geverken by das dummkopfen. Das rubbernecken sightseenen keepen das cotten picken hands in das pockets, so relaxen und watchen das blinkenlights.
I'm trying to design a secure wireless architecture for a multi-site, multi-floor deployment (with roaming). I have to deploy soon: within a month or so, and can't afford to wait until IEEE fixes the standards.
I see 2 possible ways to attempt this (with 802.11b or 802.11a when it's available):
- VPN over wireless
- 802.1x authentication with TKIP
Both have their pros and cons.
I demoed Bluesocket (VPN concentrator/firewall for building wireless DMZ networks), which works. I found it difficult to administer, lacking reporting, and wonder how many VPN tunnels it will handle.
I'd prefer to go with the new industry standard (TKIP and 802.1x auth), and segregate wireless traffic onto DMZs, protected by a custom machine running iptables/sport, to provide firewalling, routing, IDS, arpwatch, etc.
I can't use 802.1x if it's insecure, and I'm having a difficult time determining how insecure 802.1x is based on the articles I've read.
Assuming I used 128 bit WEP, TKIP with fast key rotation, EAP auth via 802.1x, and segregate traffic on a WDMZ with a firewall and IDS, what vulnerabilities are left to exploit?
If it's the MiM attack, VPN over wireless may have the same issue, unless I roll out strong mutual authentication via certificates. Doable, but very unwieldy.
I'd appreciate anyone's thoughts on this matter.
- Eric
I agree the media hype is/was ridiculous, but the number of infected systems is nearly doubling in size every hour right now (8/1/01, 11:30 a.m. EDT):
http://www.incidents.org
So the Y2K comparisons might be a bit premature.
...but I was a happy Windows-free Linux/BSD geek at home (keeping only a DOS partition for gaming), but buckled under and installed a Windows partition 2 years ago for the sole purpose of running Tax software. Today I'd look into WINE or other alternatives, but of course the Windows virus has festered on that machine, and going back would not be easy (and my wife would divorce me).
The bang for the buck offered by these programs is unbeatable, and I've never seen any comparable software for Unix.
And anyway, UNIX had its virus/security problems a (not so) long time ago. The Worm anyone?
Uhhh... The !@#$%%^ worm was 10 years ago. That is the very definition of 'a long time ago', especially when you convert to internet time. I'm sure there are slashdotters who weren't even born then.
If worm technology can hurt your Unix internet systems today, you've already got spammers, mp3 pirates, script kiddies, and wannabies partying like it's 1999 on them right now.
Residents of the '.commonwealth' will be known as 'M@ssholes'.
All the geeks at NASA are invited to my house for beer & pretzels while we watch tapes of 'Metric Marvels':
Now a miler runs in miles, you know,
That's hardly any news.
But Meter Man runs in meters,
Which we ought to learn to use.
So watch them very closely,
As they run their hard-fought race
You'll learn some metric distances
By following their pace.
A meter's just a little longer than a yard.
That's not very hard.
Lay a thousand meters end to end
Then you've got what's called a kilometer,
One Kilometer
Now they're on your car's speedometer.
From BugTraq. It's not on their archive (yet) at www.securityfocus.com, but will be soon:
From: Markus Kuhn
Subject: Re: NSA key in MSFT Crypto API
The actual funny story behind the presence of the NSA key has been
seriously misunderstood here. CSP verification keys have only one *real*
purpose: They are intended to enforce the US export restriction
requirement that Microsoft is not allowed to ship software abroad that
can easily be extended with strong cryptography. They are certainly not
intended as any useful form of integrity protection for your system.
The NSA got their own CSP verification key, because they want to be able
to change their own secret US government CSPs required for the handling
of classified documents, without having to go to Microsoft each time to
get a signature for an NSA CSP update. Fair enough. So Microsoft built
in a second verification key such that the NSA can produce and install
on DoD PCs their own CSPs without requiring any Microsoft involvement.
The real funny part is that Microsoft did not protect the NSA key
particularly well, such that everyone can easily replace the NSA key
with his own key. This was reported by Nicko van Someren at the
Crypto'98 rump session. This means that everyone can now easily install
his own CSPs with arbitrarily strong cryptography. This means that the
NSA's demand to get quickly a second key added led in effect to the easy
international availability of strong encryption CSPs. My guess is that
this is Microsoft's sweet revenge against the NSA for creating all these
Export hassles (e.g., the requirement that CSPs be signed) in the first
place. It backfired nicely against the NSA. :)
All this has nothing to do with an NSA backdoor, because the CSP keys
are an export enforcement tool and not an integrity protection tool.
They do not protect all parts of the system that could be compromised by
someone who wants to install some eavesdropping malware. The CSP
verification keys only authenticate that no cryptography that violates
export laws has been installed. If you are worried about the NSA
installing malicious software on your PC, you should not rely on the CSP
verification keys (which were never designed for that purpose anyway),
but on virus scanners with tripwire functionality that report any
modifications to your DLLs. There is no digital signature functionality
required to implement these, simple secure hash algorithms will
perfectly do.
Please apply a bit of simple critical thinking here:
If the NSA wanted to have real backdoor functionality, they would much
more likely simply steal Microsoft's own keys instead of embedding
additional keys with an obvious symbol name. Remember: The NSA is the
world's largest key thief. They have stolen crypto variables from
well-protected military and government agencies from all over the world
using the usual repertoire of techniques (bribery, extortion,
eavesdropping, hacking, infiltration, etc.). If they can do it with
eastern military agencies, they can most certainly also do it easily
with Microsoft, which is orders of magnitude less well protected than
the usual NSA target. If there is a real NSA backdoor key in Windows,
then it would certainly be identical to Microsoft's own key.
Markus
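The tripwire-style check Kuhn describes (a plain secure hash per DLL, no signatures), as an added example that is not part of the original post or of any Microsoft component: a small Python baseline/verify tool that records SHA-256 hashes of the DLLs under a directory and reports modified, missing and added files. The file names in `demo()` are constructed; the baseline file must itself be stored where an intruder cannot rewrite it.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path):
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=(".dll",)):
    """Map every monitored file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def save_baseline(baseline, path):
    # Keep the baseline on read-only media or another host: if a local
    # intruder can rewrite it, they can update it along with the DLL.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def check_baseline(root, baseline, suffixes=(".dll",)):
    """Compare the current tree against a stored baseline; hashes only."""
    current = build_baseline(root, suffixes)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed sample tree: two monitored DLL-like files, one ignored file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sample_csp.dll").write_bytes(b"original CSP code")
        (root / "sample_core.dll").write_bytes(b"original core code")
        (root / "readme.txt").write_bytes(b"not monitored")
        save_baseline(build_baseline(root), root / "baseline.json")
        # Simulated tampering: one DLL patched, one deleted, one unexpected DLL added.
        (root / "sample_csp.dll").write_bytes(b"original CSP code + patch")
        (root / "sample_core.dll").unlink()
        (root / "unexpected.dll").write_bytes(b"new code")
        return check_baseline(root, load_baseline(root / "baseline.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```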
They also issue their own currency ("Disney Dollars"), and maintain strict border control (you can't get in without a Disney-issued pass or ticket).
If they were smart they'd open casinos and sell duty-free tobacco and cigarettes.
I 'won?t' read this garbage with ?????'s strewn all over the place. You realize you're helping Miscro$soft's campaign to embrace and extend the internet, don't you?
If you're 30, have any talent, and are making less 'than high school-educated factory workers in this area.', then you're a damn fool.
Check out the SANS Salary survey for some hard numbers. One quote from last year's survey:
Seventy five percent of the administrators report 1998 salaries between $40,000 and $89,999. The average salary is $60,991.
http://www.sans.org and follow the links
...without your permission. Just like your mother told you when you were 6 years old.
I'm tired of sysadmins whining about 100-hour workweeks. If you're miserable, working marathon hours, and sitting on stock options worth a decent house, LEAVE. Take an hourly contract where you get paid for those weekend deathmarches, or go solo. I worked 16 hours last Monday, and guess what? I got PAID for it.
And anyone who renumbers a network with real IPs, and doesn't use NAT and RFC 1918 networks deserves every bit of misery they get. What happens when your current flavor-of-the-week ISP drops the soap? Renumber *again*? Riiiiight.
The movie was pretty good for basic cable fare, with the sex/personal life angles fluffed up way more than they should have been (then again, we're talking about a made-for-TV movie here).
Anthony Michael Hall was simply amazing as Bill Gates. This guy can flat-out act. I couldn't even see Hall behind the Gates persona.