I don't work with mail systems for a living, but as I
understand it, the people at my company do seem to
consider Notes and Groupwise a step backward from
Outlook/Exchange. Any alternative to the MS mail solution
would have to be at least as fast, stable and cost-effective.
NAS -> user: challenge = 123456
user -> NAS: response = 584602
you could start generating hashes for '123456' against a
dictionary of 100 common passwords and look for one that
hashes to '584602'.
CHAP-Challenges
are 16 bytes so precomputed dictionary
attacks are unlikely due to storage requirements. What is more likely is an attacker would generate just the hashes
for the challenge he just saw with the 100 bad passwords
and throw the entire thing away if he does not get a hit, if
one of them matches the response then the attacker wins
and gets to steal service from you. Requiring good
passwords of at least 17 characters (ha!) is about the only
way to prevent this.
PAP in a wireless environment is even worse. Sure the
password is obscured in RADIUS, but it is sent in the clear
from the user to the NAS during LCP.
1) Must integrate with Exchange and Outlook
2) Must have all the features, none of the bugs
3) Must remain un-bought-out by MS, or sued for patent infringement
4) Get VC to raise money while they show it's working and sell it
points 1 and 2 are the killers. OE keeps changing, and part of the reason for the bugs is that the features encourage their use.
I can accept point 1, there must be a compatible migration
path. Point 2 was sort of the point of my previous post,
how many of the features of Outlook get used? At my
company it is just the calendar, so why
can't someone market an 80% solution that is simply a really good email
and calendar app? If they want to allow customers to add a
feature that they need then add extension/scripting
hooks at well defined points.
I'm certainly not claiming that it is trivial, but it seems like
something within the reach of a fairly small company. I'm
also making the assumption that we are fairly normal users
of Outlook, and I could easily be very wrong in that.
I'm not sure about point 3, I'm not aware of any IP that
Microsoft has in Outlook/Exchange. Private companies
are not subject to being bought unless they agree to it.
As regards point 4, an old-fashioned non-VC funded
company could produce software of
this size.
Your solution doesn't prevent someone from using an authenticated connection.
Agreed.
If you do want to use PPP, you have to use some sort of Encryption Control Protocol. I'm not sure what's out there. There's at least a 3DES ECP RFC.
I remember some drafts on using EAP to negotiate a TLS
key
(might be published as an RFC by now).
Since EAP is supported in ECP you are at the mercy of the
PPP implementor of your NAS and client as to how much
magic you can do during connection establishment.
I suspect that you won't find anything satisfactory on the default XP driver, though I may be selling M$ short.
You are selling MS short on this one, XP has fairly good
EAP and ECP support and is a decent PPP implementation
overall. The problem is supporting w2k, 95,
98, etc. Some of those have problems doing LCP
correctly.
To avoid authenticating each packet that goes across the air is to accept successful abuse of your service. Operators generally take this route.
You must use TLS or ipsec, or authenticated connections
can be
hijacked. Even with session encryption your infrastructure
may be vulnerable to attack.
The question isn't "why are people still using Outlook", but rather "why isn't there a real Outlook killer for Windows?"
Good point, the killer app portion of Outlook at my
company is the calendar. The rest of the features go
mostly unused and the power-users would figure out how
to accomplish the same things on any other system we
went with, so why isn't there anything to buy?
I like Outlook at least as well as any other Windows mail
client, so I'm not really upset by this, just kind of surprised.
Wow an actual reply to my question from an AC. Thanks.
So it sounds like anyone using Outlook with Hotmail will
use DAV, thus no easy kill recipe unless you are ready
to go to the extreme of treating all Hotmail addresses as
spam. I have a few friends using it, maybe I'll just put
their names in a whitelist and drop everything else from
Hotmail.
So they report that spam sent by means of this
has the following in the header:
Received: from 202.144.44.81 by bay3-dav91.bay3.hotmail.com with DAV;
Sat, 07 Jun 2003 23:33:24 +0000
and that the vulnerability was created to allow
greater integration for Outlook users. Anyone know if
all mail sent with Outlook through Hotmail contains this
in the header?
You are correct, Oracle has a history of buying up companies and pissing off current customers
Ugh, I've been through that before. You buy an application
from a smallish-midsize company, everything is great until
they get bought by a giant. I experienced this four
years ago and we are still on an unsupported version
from before GigantiCo bought out our vendor of choice
(and the new vendor offerings in our area are unsuitable).
Hacking that poor old thing to keep it somewhat modern
takes a fair amount of effort (no source). To avoid that we have a deal with our new vendor to put the code in escrow
so we cannot get stuck with abandon-ware again.
Yeah, both User-Password and Tunnel-Password
will be XORed with a block built from packet
contents and the secret (using the result of
XORing the previous 16 bytes to XOR the next until
the rounds on length are exhausted).
My point was that RADIUS itself is not encrypted
(and the PAP password is available in the clear
over LCP).
The scariest part about using RADIUS in a scenario
like this is that the request/response
"Authenticator" pairs only validate the two
password types (pap and tunnel setup and
may be used to carry the chap challenge)
and that the response is valid for the request
(acct or auth). No validation of requests
(and request source) is
possible with the standard, your RADIUS vendor and
NAS vendor may support a couple different ways of
attempting to validate requests, but probably not.
The upside to using RADIUS here is that it is
standard and probably good enough, most people
with real security concerns use RADIUS to setup an
initial tunnel connection and do secondary
authentication over that.
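The User-Password hiding and the request/response "Authenticator" this comment describes, as an added example that is not from the original post: the per-16-byte XOR rounds keyed by the shared secret and the previous block (RFC 2865 section 5.2), the reverse operation a RADIUS server performs, and the Response Authenticator check a NAS can run on a reply (RFC 2865 section 3). The function names, the sample secret and the sample password are constructed for this example.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding. Pad to 16-byte blocks, then
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ... one MD5 block per
    16 bytes, each keyed by the previous hidden block. This is obscuring,
    not encryption: anyone holding S and the packet can reverse it."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password is 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += c
        prev = c
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, XORed back; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password is a non-empty multiple of 16 octets")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        plain += bytes(x ^ b for x, b in zip(c, block))
        prev = c
    return plain.rstrip(b"\x00")


def build_response(code: int, identifier: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth +
    Attributes + Secret). It ties the reply to the request it answers (via
    the random Request Authenticator) and to the shared secret."""
    head = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    resp_auth = hashlib.md5(head + request_auth + attributes + secret).digest()
    return head + resp_auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its authenticator matches the request
    we sent. RFC 2865 defines no equivalent check for a plain request, which
    is the gap the comment above points at."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    head, got, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, expected)
```

A reply built with a different secret, answering a different Request Authenticator, or altered after the fact fails `verify_response`; a request carries no such field, so the only thing a server can check about a request is the source it came from and the secret bound to that source.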
Slightly OT, but CHAP is not encrypted, the password
is never sent, just challenge/response.
(If I give you this challenge what will you give me back,
does it match what I computed the response should be
for the password I have for you on record with the
challenge I gave you.)
Also, the entire auth session is seldom encrypted, LCP
takes place in the clear, as does RADIUS.
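The challenge/response exchange the two CHAP comments above describe, as an added example that is not from either post: the RFC 1994 MD5 computation on the user side, the NAS-side check against the password on record, and the Challenge/Response packet framing that carries them. The six-digit values in the quoted exchange are placeholders, so this uses a random 16-byte challenge as the earlier comment mentions. The function names and the `nas-example` / `user-example` Name fields are assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

# RFC 1994 CHAP packet codes
CHALLENGE, RESPONSE = 1, 2


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer (user) side. RFC 1994 with MD5:
    Response = MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link, only this digest does."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret_on_record: bytes,
                challenge: bytes, response: bytes) -> bool:
    """Authenticator (NAS) side: recompute what the response should be from
    the password on record for this user and compare in constant time."""
    expected = chap_response(identifier, secret_on_record, challenge)
    return hmac.compare_digest(expected, response)


def build_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge/Response packet: Code, Identifier, Length, Value-Size,
    Value, Name. The Name (system or user name) travels in the clear."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_packet(packet: bytes):
    """Inverse of build_packet; rejects inconsistent lengths so a truncated
    or padded packet is not misread. Returns (code, identifier, value, name)."""
    if len(packet) < 5:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    value_size = packet[4]
    value = packet[5:5 + value_size]
    if len(value) != value_size:
        raise ValueError("Value truncated")
    return code, identifier, value, packet[5 + value_size:]


def run_exchange(user_secret: bytes, secret_on_record: bytes, identifier: int = 1):
    """One round trip as it appears on the wire.
    NAS -> user: a fresh random 16-byte challenge.
    user -> NAS: the MD5 response.
    Returns (challenge_packet, response_packet, accepted)."""
    challenge = os.urandom(16)
    chal_pkt = build_packet(CHALLENGE, identifier, challenge, b"nas-example")
    _, ident, chal, _ = parse_packet(chal_pkt)            # user receives it
    resp_pkt = build_packet(RESPONSE, ident,
                            chap_response(ident, user_secret, chal), b"user-example")
    _, ident, resp, _ = parse_packet(resp_pkt)            # NAS receives it
    accepted = chap_verify(ident, secret_on_record, chal, resp)
    return chal_pkt, resp_pkt, accepted
```

Everything a passive observer of the link sees is in the two packets `run_exchange` returns: the Name, the challenge and a digest that is a fixed function of the challenge and the password. That is why the earlier comment puts the whole burden on password strength: the protocol gives the verifier nothing else to check.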
My guess is that the typical Slashdotter can see what a pain it would be to have email address portability. Telephone number portability is just as bad. Not that you can't do it, but it's really hard and expensive. Every phone call becomes a database dip. Consider the size and speed of that distributed database.
Because of the system in place right now switching
equipment is supposed to consult a table
(administered by our
friends at Telcordia) to find out if a
dialed number is in an NPA-NXX subject to LNP.
Failure on the part of some smaller telcos
(because of configuration or equipment) to do that
is a large part of why number portability does not
always work.
So half the db work is already done (query to find
out whether to use LRN rather than LERG dest) and
upgrading all numbers to use a routing number
rather than the actual number is an obvious
extension. Non-trivial,
but certainly within Verizon's abilities with the
number of extensions they have been given.
Lest you think me blindly anti-Verizon,
I'm willing to bet that a majority of
problems with ported numbers will be caused
by smaller telcos, but Verizon will get all the
blame. The big problems that Verizon will have
will be the billing, monitoring/reporting, and
number administration back end systems -
but again I can't really cry for them too much wrt
that issue as they have seen LNP requirements for
wireless coming for years.
The real reason companies stall on this sort of
stuff is because they know they can get away with
it. Many times the unofficial tactic is to wait
to implement things because you may be able to
get the particular regulation changed, or a new
political administration may cause a change in the
overall regulatory environment.
Re:Littering the world with ads for IP, on Copyright Defeats? (Score: 1)
If downloading IP for free either removes the financial incentive for companies to litter the world with it or gives said companies a notion of what people really like vs what they'll tolerate having crammed at them, then I'd consider that a step forward.
I agree that the best way to get companies to stop
engaging in obnoxious behaviour is to stop
rewarding it (purchasing their products). We
should stop consuming it as well. In the minds
of the media producers a dl of Britney shows a
public demand for their obnoxious non-music and
is nothing more than a lost sale. A real consumer
revolt would be if their sort of product was
ignored, their advertising tactics were ignored,
and people started getting their media from other
sources.
The problem is that somehow MTV and
Clear Channel have come to define "cool" and
the public has accepted it. The only hope I hold
wrt "piracy" changing that is that when the
media companies put a stop to it with draconian
laws that people won't want to go back to
paying $15 for a CD. At that point people
might discover the great alternatives to mass
produced non-music.
I'm just worried about the collateral damage done
along the way.
Yeah, okay, they are associated with existing projects. But the site makes it sound like they are running a business, but they as yet have no proven business *product* unique to themselves.
The weblog makes the entire thing sound like a
bunch of kiddies stating "hee hee we screwed our
last employer with a mass walkout". Hardly seems
like a good reputation with which to start a
consulting company.
Re:Littering the world with ads for IP, on Copyright Defeats? (Score: 1)
One way of dealing with that pollution is to refuse
to buy it. I see your point about popular songs and
movies being pollution, and we should all have the
right to parody them, write critical reviews of
them, write fan stories about the characters,
whatever interests you.
But I fail to see how downloading
a copy of Britney or Nsync or Madonna or The Fast
and the Furious or any of the other garbage being
pushed down our throats is any sort of solution.
I really do agree that the IP restrictions are out
of hand wrt critical works, song samples,
fan-fiction, and so on. But that issue can be
addressed without allowing unrestricted use of the
source material itself. Unauthorized use of the
source material gives media companies
something to point to and cry out for the need to
protect their IP and results in the kind of insane
laws currently being passed in the US.
When you read a quote like that, it's clearly coming from someone who doesn't fit within a corporate environment.
Although corporate employment has its downsides
it has advantages beside the obvious financial
ones. Problems incidental to your work can be
black-boxed to a certain extent and allow you
greater focus, the scope of the problems you
work on solving is much larger, you have talented
peers to learn from, and so on.
I'll probably work in the corporate world for a
few more years before starting another business.
I've worked for companies before that have draconian contracts, "Anything you think is our property! Hah!"
I don't sign contracts like that. My current
employer sends a gentle reminder every 6 months
that I need to sign that contract, and every 6
months I say, "Not until the work for the
company vs. work during personal time issue
is corrected". They have not pressed it too hard
because many of my co-workers have not signed it
either.
Re:Littering the world with ads for IP, on Copyright Defeats? (Score: 1)
I'm not sure how advertising can be scaled back at
this point. I'd love to hear realistic suggestions,
because I'm sick of the constant bombardment too.
Advertising (unfortunately) works. Far too often
I've paid money for something that turns out to
be crap.
However, I do not think that constant advertising of a work entitles anyone to use of that work
without
paying. It is our responsibility to become more
discriminating, wait for independent reviews
before buying an album, seeing a movie, purchasing
a game, etc.
So although advertising is a serious problem it
is not a blanket excuse for IP violations
(dishonest advertising does excuse some reciprocal
piracy).
I just dug a very deep hole, and filled it in again, neatly. I worked very hard. I deserve to be compensated.
How about: "Creators have the right to set a price
for use of their creation". Individuals can decide
if they want to pay the price or go without
access to the created work.
The application to your hole digging scenario
is obvious.
That's a bit easier in Oregon than you might think. Oregon gas stations are all full service. You do not pump your own gas there. Anywhere in the whole State.
There's an old joke that when a baby is born in
Oregon the doctor whispers "no sales tax, no self
serve gas" in the newborn's ear before handing the
child to the mother.
The trust system can be easily broken
with the assistance of any of the manufacturers.
Content producers threaten legal action against
Microsoft to get access to untrustworthy
(user controllable) copies of Windows.
P2P app thinks it can trust the OS
CP obtains keys to app
CP free to produce trusted apps and continue
attacking the network (or they could just use
the real P2P app and manipulate it on the fly)
I believe the Content Providers will be able to
coerce MS into providing the tools to carry this
out. If not there are probably other ways for them to
gain access to the trust network. You'd better
count on law enforcement having access to such
tools.
Ever seen those 50's ads? Everything was
atomic-this and electro-that. You could take
something
mundane, hyphenate it, and give it gee-whiz factor.
Tired of the same old cars? Get the atomo-car: of
future!!!!!
This supposedly patentable idea seems to be of the
same variety. It's not an old-fashioned auction
(where people accidentally bid on things with
hilarious results), no siree, it's a computerized
auction: of the future!!!!!
I meant a chained hash can avoid overflow. In
practice plenty of people make the collision
list a fixed length, moving the overflow problem
one step up.
Does this still work on hashtables where each node consists of a linked list? (as opposed to ones where if the node is full, it goes on to check the next node)
Yep, both chained and open-addressed hash can degenerate to a linked list. A chained hash (what
you describe as a node consisting of a linked
list) is actually a much more common hash type than open-addressing (where the values are stored in
the table). There are a couple
reasons, a chained hash can overflow, and an open
ended hash always has to check the value, not just
during collision resolution (many implementations
of chained hashes do the same).
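The two table layouts the question and the reply above contrast, as an added example that is not from either commenter: a chained table whose buckets are lists (with an optional fixed-length collision list that overflows, as the earlier comment describes) and an open-addressed table with linear probing that must compare the stored key on every probe. Both are fed the same keys through a good hash and through a degenerate hash that sends everything to one slot, and the probe counts show both degenerating into a single linked-list walk. Class and function names, and the probe bookkeeping, are choices made for this example.

```python
import hashlib


class ChainedTable:
    """Separate chaining: each bucket is a list (the 'node consisting of a
    linked list' from the question). max_chain=None means unbounded chains;
    a fixed max_chain turns the chain into a bounded collision list that
    can overflow, which just moves the overflow problem up one level."""

    def __init__(self, nbuckets, hashfn, max_chain=None):
        self.buckets = [[] for _ in range(nbuckets)]
        self.hashfn = hashfn
        self.max_chain = max_chain

    def put(self, key, value):
        chain = self.buckets[self.hashfn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            if k == key:
                chain[i] = (key, value)
                return
        if self.max_chain is not None and len(chain) >= self.max_chain:
            raise OverflowError("collision list full")
        chain.append((key, value))

    def get(self, key):
        """Return (value or None, number of key comparisons made)."""
        chain = self.buckets[self.hashfn(key) % len(self.buckets)]
        for i, (k, v) in enumerate(chain):
            if k == key:
                return v, i + 1
        return None, len(chain)


class OpenTable:
    """Open addressing with linear probing: entries live in the table itself,
    so every probe compares the stored key, not only on a collision."""

    def __init__(self, nslots, hashfn):
        self.slots = [None] * nslots
        self.hashfn = hashfn

    def put(self, key, value):
        n = len(self.slots)
        start = self.hashfn(key) % n
        for step in range(n):
            i = (start + step) % n
            if self.slots[i] is None or self.slots[i][0] == key:
                self.slots[i] = (key, value)
                return
        raise OverflowError("table full")

    def get(self, key):
        """Return (value or None, number of slots probed)."""
        n = len(self.slots)
        start = self.hashfn(key) % n
        for step in range(n):
            entry = self.slots[(start + step) % n]
            if entry is None:
                return None, step + 1
            if entry[0] == key:
                return entry[1], step + 1
        return None, n


def total_probes(table, keys):
    """Sum of probes/comparisons over a lookup of every key."""
    return sum(table.get(k)[1] for k in keys)


def good_hash(key):
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def degenerate_hash(key):
    return 0  # every key collides: the whole table becomes one list


def degeneration_demo(n=64, size=256):
    """Fill both table types with n keys under each hash and return the total
    lookup cost. With the degenerate hash, key i costs i+1 probes in both
    layouts, so the total is n(n+1)/2 either way: a linked-list walk."""
    keys = [f"key{i}" for i in range(n)]
    results = {}
    for name, hashfn in (("good", good_hash), ("degenerate", degenerate_hash)):
        chained = ChainedTable(size, hashfn)
        opened = OpenTable(size, hashfn)
        for k in keys:
            chained.put(k, True)
            opened.put(k, True)
        results[f"chained_{name}"] = total_probes(chained, keys)
        results[f"open_{name}"] = total_probes(opened, keys)
    return results
```

With 64 keys the degenerate case costs 2080 probes for either layout, while the good hash stays near one probe per lookup; the layout decides where the overflow shows up (a full collision list versus a full table), not whether a bad hash can turn the structure into a list.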
A lot of us have grown up, and the things that used to amuse us (Usenet culture, the jargon file, etc.) now seem ridiculous.
Honest typo (I caught it in preview, but decided it seems to fit).
Pretty much. If you see the following exchange: