It's worth noting that the only reason the Australian guy (from NOIE) wants there to be better privacy and authentication standards/implementation is so people can trust "e-commerce".
SMS and Email are considered different by the legislation because they have the capability to be stored, rather than being immediately person-to-person, as a normal phone conversation is considered to be.
Re: The slightly more detailed changelog... (on Linux 2.4.8 is Out)
Oh, and if you're going to have a look, click on some of the filenames and bring up some diffs of various files to see what changes have been made.
For example, the MAINTAINERS file. Once you've clicked on this, click on the "Diff to previous" option and you can see what changes were made between 2.4.7 and 2.4.8 (click here). Or, click "Select for diffs" on one kernel and then on "to selected" on another further down on the same page. For example, check what changes were made in the MAINTAINERS file between 2.4.6 and 2.4.8 here.
"No more hidden changes" :)
This was just sent ~1 min ago:
To: msolnik@hlug.org
Cc: wt-changes@wiretapped.net, tcpdump-workers@tcpdump.org, mcr@sandelman.ottawa.on.ca
Subject: tcpdump.org mirrors
----- Message Text -----
Hi guys,
I run the main mirror of tcpdump at wiretapped.net (no relation to wiretapped.us) in Australia. We rsync from cvs.tcpdump.org, and have removed the entire tcpdump.org tree and disabled rsync updates until we hear from Michael Richardson at tcpdump.org.
You may like to add this info to your Updates area, as the unavailability of the main mirror site may seem suspicious. It is not, as described above.
Because wiretapped.net itself is mirrored to a few other sites, it may take between 1 hour and 24 hours for this removal (and any subsequent re-addition) to take effect. We'll note when it goes back online at http://www.wiretapped.net/changelog.html
Hope this assists in preventing any further spread,
Grant
www.wiretapped.net
The flaw with this is that your named can still be subverted, and run any number of other syscalls, for things like reading files, creating files (albeit in places with 777 perms), binding other ports, exec a shell, fork some other app (a trojan that was uploaded to /tmp?), and so many other things.
You're talking about minimal uid privilege, which isn't really "minimal" at all.
systrace is about minimal syscall privilege - unless you as the sysadmin have explicitly allowed all of those things above, named can do nothing whatsoever. The policy would perhaps elevate privileges to bind to port 53/udp&tcp only on a single IP address, read configuration files from a certain path only, load certain shared libraries (libc is the obvious one), read /etc/localtime and write to certain network sockets (syslogd? nameserver queries/responses?). It can't write to /tmp, can't exec, can't fork, can't read other files in /home or /etc or elsewhere, or any of the sorts of potentially dangerous things that vulnerable apps have been known to do (the Apache/OpenSSL worm comes to mind).
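The policy the post sketches, written out as an added illustration. It is not part of the original post and is not a policy shipped with systrace, BIND or any operating system. The address 192.0.2.53, the /etc/namedb path, the library and loader file names and the syslog socket path are assumptions; a real policy starts from what systrace -A records for your named and then has the generated permits replaced with narrow rules like these, run under systrace -a so that anything not listed is denied. systrace evaluates rules in order and stops at the first match, so the catch-all deny lines must stay below the permits.

```systrace
Policy: /usr/sbin/named, Emulation: native
	# Added illustration only; paths, address and library names are assumptions.
	# Configuration: one directory, read-only.
	native-fsread: filename eq "/etc/named.conf" then permit
	native-fsread: filename match "/etc/namedb/*" then permit
	native-fsread: filename eq "/etc/localtime" then permit
	# Shared libraries and the dynamic loader, nothing else under /usr/lib.
	native-fsread: filename match "/usr/lib/libc.so*" then permit
	native-fsread: filename match "/usr/lib/ld.so*" then permit
	# Sockets: only the families/types a nameserver needs.
	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
	# Privilege elevation: bind 53/udp and 53/tcp on one address, as root,
	# and nothing else. named itself runs unprivileged.
	native-bind: sockaddr eq "inet-[192.0.2.53]:53" then permit as root
	native-bind: deny[eacces]
	# Outbound queries/responses and syslog.
	native-connect: sockaddr match "inet-*:53" then permit
	native-sendto: sockaddr match "inet-*:53" then permit
	native-connect: sockaddr eq "/dev/log" then permit
	# What a subverted named would reach for: all refused with a plausible errno.
	native-fswrite: filename match "/tmp/*" then deny[eperm]
	native-fswrite: deny[eperm]
	native-fsread: filename match "/home/*" then deny[enoent]
	native-fsread: deny[enoent]
	native-execve: deny[eperm]
	native-fork: deny[eperm]
	native-vfork: deny[eperm]
```

The contrast with "minimal uid privilege" is the last block: dropping to an unprivileged uid still leaves fork, execve and writes to world-writable directories available to injected code, whereas here those syscalls fail before the kernel performs them, whatever uid named is running as.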
Shit a brick.
You didn't even read the post properly, let alone the legislation.
If you're an SSL hoster in the country, you'd need to register your organisation _once_, providing details of what you do ("we serve web pages over SSL v2, v3 and TLS v1 encrypted connections to Internet users").
If you're an SA user just downloading Open/Free/NetBSD from somewhere outside the country, this doesn't affect you at all.
You only need to register if you are _supplying_ cryptography or cryptography services from within the country. Not using. Not downloading. Not thinking about while choking a turd.
Please, read the legislation.
It is clear that you have not.
As is usual for Slashdot users, it appears almost everybody has gone off half-cocked on this one. In other words, it doesn't look like any of you have even read the legislation...
Reading through the legislation, this only appears to apply if you're providing cryptography or "cryptography services" from "premises in the Republic". In particular, check Section 30.3(a-c):
(3) A cryptography service or cryptography product is regarded as being provided in the Republic if it is provided-
(a) from premises in the Republic;
(b) to a person who is present in the Republic when that person makes use of the service or product; or
(c) to a person who uses the service or product for the purposes of a business carried on in the Republic or from premises in the Republic.
Note that there's no "or" between (a) and (b). If there was, it'd (in theory) apply to cryptography or "cryptography service" providers worldwide.
On the face of it, this appears to mean that if you're a site or company doing business from outside South Africa, you can continue to do so without registration with the authority mentioned in the Legislation.
In my particular case (www.wiretapped.net), since I operate from outside South Africa, I am unaffected. If Wiretapped had a mirror site in South Africa, it appears as though the operator of it would need to register with the authority mentioned in the legislation.
Given that the registration doesn't require that you reveal any trade secrets about the cryptography or "cryptography services" that you provide, it doesn't look like this is a particularly onerous requirement. That said, there does appear to be a small intelligence trapdoor in it - as part of the information provided to the register, you'd need to provide enough information to "identify and locate the cryptography provider". I wonder if this means - "identify the specific cryptography in use and hence the cryptography provider from a stream of random bits". This may not be possible given the output streams of widely used, modern ciphers. It might only be possible if there's some other hint(s) in the surrounding protocol. Although the true strength of modern cryptography is considered to be in the key rather than the algorithm, to my mind there's no harm obscuring what algorithm you're using as well as (obviously) the key.
One wonders if this will endanger the existence of mirror sites in South Africa for things like OpenSSH, OpenBSD, FreeBSD, NetBSD, GnuPG, PGPi etc... Perhaps just the poor ones...
Bravo, Sherlock.
Pity you're wrong.
I didn't write it.
Do you blame all the geocities user pages on the guy that actually runs the machine?
No, I didn't think so.
I never knew making fun of slashflunkies would have been so fun. Can we do this again sometime soon?
PS: Yes, you are being trolled.
"Or am I missing something, has someone published a mimick PIX OS under open source or something? "
No.
They are using a card you can buy, and they are using their CCO login (and the access to Cisco software it provides) to get the software for it.
The only thing that deserves to be heavily punished is your shallow, doom-filled assertions.
Kiss me where it smells funny,
DC
You said the article should have been about a low-cost, open source alternative blah blah blah.
I'm waiting for your article.
Please, mod me down. This discussion isn't worth having until you post it.
"What jackass would want to waste time and money recreating a POS firewall like a PIX? When's the article coming showing me how to clone a watchguard?"
Yeah, speaking of jackasses, look at all the slashflunkies getting al dente over the idea that this article should have been about writing an IPTABLES firewall. Funny how if their enthusiasm was converted to textual works (million monkey scenarios, anyone?), it might describe exactly that - the cloning of a watchguard.
Yeah, it's amazing how many Linux boxes with IPTABLES are deployed in the Internet backbones and network edges.
Simply amazing.
"This article shouldnt have been how to make a pix it should be how to make a legal,cheap,open source alternative to one."
Why not write one then, mr genius?
Better yet - kill yourself now. The quality of the human gene pool is already low enough without your depressingly negative impact upon it.
I guess we better remove all those stories from Slashdot about file sharing, music downloads etc etc.
Let he who is without sin cast the first stone.
If you are downloading it through your authorised CCO account, how is it stealing?
Oh, you didn't think of that.
Bzzzt.
What got pirated, and where?
People with CCO access can test any of the software there.
Routermonkey provided no link to download any of the binaries mentioned (with the exception of the highly illegal rawrite.exe).
Mod yourself up a clue, slashflunky.
NOIE never "got it" during the Internet boom days of 1999 and 2000, and it's clear they still don't "get it" now.
To them, it's all about money. Screw privacy so people can actually keep their personal information private. Screw authentication so your friend knows it's actually you they're talking to. When you've got a religious zealot like Senator Richard Alston running a liberal, freewheeling, abstract, technical and artistic portfolio like Communications, Information Technology and the Arts, you're doomed to failure. At every turn, with regard to policy and proposed legislation, is the shadowy hand of religious zealotry and fear - "close it down, lock it up, throw away the key, because only the heathens do it" sort of mentality.
Online gambling is the obvious example, with "content regulation" (aka censorship) being the other.
It should be no surprise that the NOIE representative is there pushing the out of touch, out of place, out of money approach.
Thank goodness NOIE got a swift kick in the pants at the last Federal Budget.
When they finally die, they will not be missed.
The Australian Labor Party is more divided and misguided than they've ever been in the recent past. Internally, the leader is battling to reduce the influence of the Union movement on party policy making efforts. Externally, they're not even sure where they stand on the issue of border control and the inevitable discussion regarding asylum seekers that pops up. On the issue of this legislation, few people even remember the original fracas in 2001 that caused the Coalition Government to withdraw it for re-drafting. The originally proposed legislation (pre-September 11th, it should be pointed out), made it in some cases an act of treason to be a "whistleblower" of sorts. The Attorney-General assured the Parliament it wasn't so, but the opposition to the legislation ended up being so great when the media picked up the story that it got shelved. When the legislation was re-introduced earlier this year, now with the new mission of catching the evil terrorists in our midst, it was considered a bit of a shoo-in. It made it to the Senate and promptly got donked on the head by the Legal and Constitutional Committee, receiving in excess of 400 submissions for the "Terrorism" and "Treason" parts. Once the Committee made its report, the Government backed down on certain elements of the proposed legislation only after their backbench staged a revolt of sorts. In the Telecommunications part of the "new" package (i.e. the part relating to interception etc), the Committee's recommendations were ignored, quite explicitly.
And what have Labor been doing throughout all of this?
Bugger-all.
As much as it's convenient and heart-warming to think of the Opposition as a viable, or as you put it "useful" one, it's just not true, and this matter as well as the wishy washy response on the matter of border defence and asylum seekers is the perfect illustration of it.
This legislation does nothing whatsoever to differentiate between "analog" and "digital". It's all to do with whether the communication between Person A and Person B is immediate and real-time (as is any normal phone call), or whether the communication is stored in any way, such as email is (the email waits on a server for someone to pick it up), such as voicemail is (the message sits on a server waiting for the recipient to pick it up), SMS (the message will sit on a server waiting until the intended recipient's mobile phone comes online). These "stored communications" are what the legislation is all about.
Slashdot syndrome strikes again.
When will you people ever read the legislation that these posts refer to? Every time you come up with wild discussions regarding what it does and doesn't cover, you make less sense.
Hell, at least real journalists usually try to check their facts before writing about it. At Slashdot, facts are few and far between.
Read the legislation.
It's all there.
Another Slashdot bandwagon jumper that doesn't read between the lines.
The "Government Officials" that are being referred to are the same law enforcement that have always had access to interception warrants and so on, and in certain cases involving Australians acting as agents of a foreign power etc, the Defence Signals Directorate (the Australian equivalent and partner of the National Security Agency).
Read the EFF document. Read the legislation.
It's not "without a warrant" - it's "without an interception warrant". The change that the proposed legislation makes (even in the "new" package that's been announced; see http://www.ag.gov.au/aghome/agnews/2002newsag/56_02.htm) is that instead of gaining access to "stored communications" with an interception warrant (think along the lines of email waiting to be picked up, voicemail waiting to be picked up, SMS awaiting delivery to a phone), all law enforcement will need is a search warrant for the premises at which the information is stored (ISP, Telecommunications carrier etc).
It all happens with a warrant - it's just that the amount of resistance placed in the way of getting an interception warrant was always considered to be greater than with a search warrant, despite the propensity of law enforcement to "shop around" amongst Judges to get what they want. (Think along the lines of one judge refusing an interception warrant in the morning, then the Australian Federal Police taking the application back to the court in the afternoon and getting a different Judge...).
Read between the lines, Slashdot flunkies.
You'll be surprised what you find.
---------- Forwarded message ----------
Date: Wed, 22 May 2002 14:41:59 +1000 (EST)
From: Grant Bayley
To: Declan McCullagh, R. A. Hettinga, Meyer Wolfsheim, peter_beruk@nai.com
Subject: Re: NAI pulls out the DMCA stick.
Hi Declan, others.
The hype being generated by the "NAI pulls out the DMCA stick" postings and the spectre of PGP being "removed from the Internet" is entirely bogus, and provably so with a little bit of fact checking.
Looking through the Google cache, it becomes very clear very quickly that crypto.radiusnet.net was hosting a copy of the commercial version of the software - not a copy of the PGPi (aka freeware) version of the PGP product. Given that this is the case, NAI is well within their rights to demand the removal of the files.
You can confirm this in the Google Cache, here:
http://216.239.33.100/search?q=cache:QA-H5VtPvP4C:crypto.radiusnet.net/archive/pgp/+&hl=en
Keep in mind that of the couple of crypto/security archives out there, the radiusnet one is basically the "abortion" of the bunch. It's disorganised and out of date in so many places as to be dangerous.
By "crypto/security archives", I'm referring to Wiretapped (www.wiretapped.net, which I operate), munitions.vipul.net, the zedz.net archives (ftp://ftp.zedz.net/) and Packetstorm (www.packetstormsecurity.org).
If this is the straw that breaks the radiusnet camel's back, I for one won't be complaining, if only because of the old and out of date material on the site. In the case of tools that perform a security function using crypto (IPSec, ssh etc), being updated is critical, as a number of the older versions of the software have contained serious security problems.
Grant
Sounds like how Linux Kernel development operates....
Everyone keeps sending patches until Linus just gives up and puts em in to shut people up.
*cough*reiserfs*cough*
http://www.mirrors.wiretapped.net/UnixArchive/
ftp://ftp.mirrors.wiretapped.net/pub/UnixArchive/
Non-authoritative answer:
Name: www.mirrors.wiretapped.net
Addresses: 203.220.0.25, 210.9.80.201
(If anyone else is mirroring from minnie, you may like to add the --links and --safe-links flags to your rsync command, and make sure the filesystem you're writing to is mounted "nodev" as there's a bunch of character/block special devices in the 2.11BSD trees)
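The mirroring advice in that post, as an added example that is not from the original post: a wrapper around the rsync flags mentioned, a check that the destination really sits on a filesystem mounted nodev (parsing a mounts table, so it can be exercised against a constructed table as well as the live one), and a post-sync audit for device nodes and for symlinks that resolve outside the mirrored tree. The remote module name, the local paths and the mounts-table layout (/proc/mounts as on Linux: device, mountpoint, type, options) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Mirror a remote tree with rsync
# while refusing unsafe symlinks, then audit what landed on disk.
# Remote module, local paths and mounts-table format are assumptions.

SRC='rsync://minnie.tuhs.org/UnixArchive/'   # assumed remote module
DEST='/mirror/UnixArchive'                   # assumed local destination

# check_nodev DIR [MOUNTS_TABLE]
# Returns 0 if the longest mountpoint that is a prefix of DIR carries the
# "nodev" option, else 1. MOUNTS_TABLE defaults to /proc/mounts.
check_nodev() {
    dir=$1
    mounts=${2:-/proc/mounts}
    awk -v d="$dir" '
        { mp = $2; opts = $4 }
        d == mp || index(d, mp "/") == 1 || mp == "/" {
            if (length(mp) > best) { best = length(mp); bestopts = opts }
        }
        END {
            n = split(bestopts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "nodev") exit 0
            exit 1
        }
    ' "$mounts"
}

# audit_tree DIR
# Prints every char/block device node under DIR and every symlink whose
# canonical target lies outside DIR. Returns 0 if the tree is clean, 1 if
# anything was found, 2 if DIR does not exist.
audit_tree() {
    root=$(cd "$1" && pwd -P) || return 2
    found=$(
        # device nodes have no business in a mirrored source archive
        find "$root" \( -type c -o -type b \) | sed 's/^/device node: /'
        # symlinks: canonicalise and require the target to stay under $root
        find "$root" -type l | while read -r l; do
            target=$(readlink -f -- "$l" 2>/dev/null) || target=''
            case "$target" in
                "$root"|"$root"/*) ;;   # stays inside the mirrored tree
                *) echo "escaping symlink: $l -> $(readlink -- "$l")" ;;
            esac
        done
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# mirror
# --links copies symlinks as symlinks (never follows them); --safe-links
# skips any symlink whose target points outside the tree being copied, so a
# crafted link in the remote tree cannot be turned into a read of, or a
# later write through, an arbitrary path on the mirror host.
mirror() {
    check_nodev "$DEST" || {
        echo "refusing: $DEST is not on a nodev filesystem" >&2
        return 1
    }
    rsync -av --links --safe-links --delete "$SRC" "$DEST"/ && audit_tree "$DEST"
}
```

Source the file and run mirror by hand. --safe-links only filters the links it is transferring; a link that reached the disk before the flag was added stays there, which is what audit_tree exists to catch, and the nodev mount means a device node that slips past both checks still cannot be opened as a device.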
http://orbital.wiretapped.net/cgi-bin/cvsweb.cgi/linux-kernel/2.4/
(nmap is also in CVS http://orbital.wiretapped.net/cgi-bin/cvsweb.cgi/nmap/)
There's also a Senate Legal and Constitutional Committee inquiry into the legislation, at:
2600 Australia will be making a submission to this committee. If you'd like to discuss this legislation prior to our submission (which must be lodged by the 20th of July), please join the 2600-law mailing list, by sending an empty email to 2600-law-subscribe@wiretapped.net. There are also public hearings in Sydney on 19th July and in Canberra on 9th August.