That the -STABLE branch is not the most stable distribution of FreeBSD available. As I say every time some idiot posts this. See http://www.freebsd.org/handbook/current-stable.html for more information.
Yes, you still have to add options DIVERT into the kernel to get IPFW to work with natd, if that's what you mean.
One of the goals for 5.3 (and indeed something that Sam has been doing some wonderful and hard work on) is cleaning up the IP stack. Getting IPFW pfil(9) ready (if I understood correctly) is also one of these goals and will mean that using any software firewall solution such as pf, IPFW or ipfilter would be a question of loading the module. At which point you wouldn't have to recompile the kernel for this functionality.
But this is a 5.3 goal and will not be present in 5.2.
Hope this was of help.
I re-iterate. -STABLE is *NOT* the most stable branch. It is not comparable to 2.4 in Linux. For more information, please see http://www.freebsd.org/handbook/current-stable.html (which explains the -CURRENT and -STABLE branches as well as a bit about releng.)
But yes, thanks to the developers who have been working on this. And thank heavens that it's the holiday season; now I'll finally have time to work on locks in the IPv6 stack (thanks Sam and Robert;))
Apple's got a ways to go before they're really on the ball with security. I generally run their security update feature every day; I just got the patches for OpenSSL and zlib a week ago. Also, there's a bug filed in OpenDarwin that works in Jaguar and, I'm disappointed to see, also works in Panther.
Run this as any user with an argument of any other user's username. Pay careful attention to the second field.
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    /* Look up the entry for the username given on the command line. */
    struct passwd *p = (argc > 1) ? getpwnam(argv[1]) : NULL;
    if (p == NULL)
        return 1;
    /* Second field is pw_passwd. On BSD/Darwin pw_class is a string and
     * pw_change/pw_expire are time_t, so the format must match those types. */
    printf("%s:%s:%d:%d:%s:%ld:%ld:%s:%s:%s\n", p->pw_name, p->pw_passwd,
        (int)p->pw_uid, (int)p->pw_gid, p->pw_class, (long)p->pw_change,
        (long)p->pw_expire, p->pw_gecos, p->pw_dir, p->pw_shell);
    return 0;
}
Don't bitch at me about publishing this. It's already available in the OpenDarwin bug list.
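A defender's counterpart to the C program above, added here as an example and not part of the comment or of the OpenDarwin bug report: it performs the same passwd lookup that the C code does (Python's pwd module wraps getpwent/getpwnam) for every account, running as whatever user invokes it, and reports which entries hand back hash material in pw_passwd instead of a shadow placeholder. The placeholder set and the sample entries are my own assumptions, constructed for the example.

```python
import pwd

# Values that mean "the real hash is held elsewhere" (shadow, master.passwd,
# a directory service). This set is an assumption for the example, not an
# authoritative list for any particular system.
SHADOW_MARKERS = {"x", "*LK*", "*NP*"}


def classify_passwd_field(pw_passwd: str) -> str:
    """Return 'shadowed' if pw_passwd is only a placeholder, else 'exposed'.

    Leading '!' or '*' characters mark a locked account; if anything remains
    after stripping them, hash material is still present and readable.
    """
    if pw_passwd in SHADOW_MARKERS or pw_passwd.lstrip("!*") == "":
        return "shadowed"
    return "exposed"


def audit_entries(entries):
    """entries: iterable of (name, pw_passwd). Returns names whose hash is readable."""
    return sorted(name for name, field in entries
                  if classify_passwd_field(field) == "exposed")


def audit_system():
    """Run the audit over the live account database as the calling user."""
    return audit_entries((e.pw_name, e.pw_passwd) for e in pwd.getpwall())


# Constructed sample, not real accounts: a placeholder, a shadow marker, a
# visible (constructed) MD5-crypt string and a locked entry that still
# carries hash material.
SAMPLE_ENTRIES = [
    ("root", "*"),
    ("alice", "x"),
    ("bob", "$1$saltsalt$constructedhashvalue"),
    ("carol", "!$6$salt$lockedbutstillpresent"),
]

if __name__ == "__main__":
    print("sample audit:", audit_entries(SAMPLE_ENTRIES))
    print("this host, as the current user:", audit_system() or "nothing exposed")
```

Run it as an ordinary user; a correctly configured host prints "nothing exposed" for the live audit, and the sample audit shows the two constructed entries ("bob" and "carol") whose hash material is readable.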
Similar thing for Flash ActionScript (on Javascrypt), Score: 2, Interesting
I created a similar thing for Flash ActionScript called ActionCrypt; although it's still in progress. You might want to check it out; Javascript and ActionScript are very similar (as they're both based on the same syntax).
Flash is an open, binary format with lots of support and libraries and Macromedia will even give you the source code for the player if you've got a good reason.
Anyway, as is painfully obvious, I didn't read a word of anything. It's also a bit too late for me to try to retract this coherently. But if I pissed you off, cool:)
If privacy invasion is punishment, this has never been the case. If the law enforcement agencies have reason to believe you've committed a crime, they can generally get whatever permission they need to prove you've done it. That's when they're allowed to invade privacy.
Pardon me, that was a rather bad (horrible) typo. Hopefully my point still comes across: you do something illegal, you get punished. That's how things should work.
If they've got probable cause, they can do just about anything. If you've murdered someone, I want the government to be able to find out how long it takes for you to shit if it will help them any.
He shouldn't have done anything with that virus. Period. Nobody should have. And if all his personal information will help them confirm that he did it and/or find leads to others that did, I say more power to them. They've got cause to believe he did it, they've got cause to be on his case. This isn't a story.
If you read the article, you'd notice several things:
a) this is completely different from OpenBSD's implementation
b) it's portable across filesystems
c) you wouldn't have written this idiotic post.
Additionally, you obviously know nothing about cryptography, otherwise you'd not make such a stupid assumption about Rijndael, an OPEN algorithm developed outside the United States. It's been out for years and many people have failed miserably when trying to cryptanalyze it.
Additionally, it's also interesting to note that *NO* algorithms available in the mcrypt library are authorized for encryption of 'classified' data, by the NSA. Rijndael is authorized for encryption of 'highly sensitive' and some forms of 'classified' data.
Actually, the NIST and NSA are quite open with information about these algorithms.
Think before you speak.
Okay, so we get our collective asses together and infect ourselves with some DDoS trojan and attack with all our collective Gbit/100Mbit/10Mbit/DSL/Cable/Dialup stuff. We get 1% of/. to do this. That's about 6,000 people. Say we generate enough to knock several spammers out for a good while. They get a nice bill from their ISP. Since they provide a nice "click here to be removed" from this list, they're not doing anything illegal. They've also got the kind of deep pockets to get the FBI and others involved.
It's a sad, strange world out on that Internet, it is...
This is one of the most comprehensive articles I've ever seen about locking down a FreeBSD box. It covers stuff I didn't expect, including using schg to deny the ability to overwrite files.
The but is that I felt it could have included more information about *why* you'd do these kinds of things instead of just how. This information would help people who are newer to FreeBSD understand how to expand on this. While it is comprehensive, I feel it could give people a little more idea of the 'why' rather than the 'how' so that people could do some securing of their own:).
I'd be surprised if the time was not introduced at some point in the process (possibly when you get the number from the server). But since your login number comes from the server, it seems more secure than the Rabobank system, where the login information is generated entirely at the client-end and can be accomplished with any Random Reader.
With my "Random Reader" (heh) from Rabobank, there's a big menu button; if you click "Informatie" you get a ton of information about the thing:
Battery % (it's at 72% ATM)
System Date (today)
System Time (strangely this says 09:24, when it is now 11:04 AM.... and I can still log in :\)
Version: 16.0C
Product Type: DP800v1
Product Date: 23-11-2001
Serial Number: 10-053551-5
When logging in, you hit the 'I' key, type in your PIN (4 digits), and are given an 8 digit number. If you hit 'I' again you get a 'BRIT CODE', which is a 6 digit number (never seen it used). Repeated attempts at generating the number show that it only changes every 30 seconds, but this system obviously has to do with time.
When authorizing a transaction, this is a different matter. You're supposed to hit the 'S' key, type in your PIN and an 8 digit number (space is provided for nine numbers of 10 digits in length each, but only one 8 digit number is used). I'm then provided with a 'Signeercode' of 8 digits in length. Apparently, this is simply a hash function applied on the numbers, no matter how many times you type them in or over what period.
I'm somewhat worried that if someone were to find out the hashing algorithm, it'd be possible to hack the system... in which case this thing is more of a security threat to me than it is a help;). I think the server generated codes are moot -- the hashing is obviously PIN-based (there are also obviously people with the same PIN; the hashing for transaction verification is also obviously *NOT* time-based) and, since I can accomplish this with *any* Random Reader, it can't be serial number based -- everything happens client-side... so, if I have the hash functions, the entire process can be automated. I think I'm going to do a little bit of research now;)
P.S. My random reader is also manufactured by Vasco. Time to check their site out (vasco.com)
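An added illustration of the design question raised in the comment above. This is hypothetical code written for this page, not Vasco's or Rabobank's algorithm, and every secret, PIN and challenge in it is made up. It builds a 30-second time-windowed login code and a challenge-response signing code the way a keyed token would (an HMAC over the PIN plus a per-device secret, truncated to digits as HOTP does), and puts a PIN-only signing function with no device secret beside them. The properties it checks are the ones the comment observed: the signing code repeats for a repeated challenge and does not depend on time, which is normal for challenge-response; what decides whether a code can be reproduced on any reader is whether a per-device secret enters the computation.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds; the login code in the comment changed every 30 seconds

# Constructed per-device secrets (hypothetical; a real token would have one
# installed at manufacture and never exposed).
DEVICE_A_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
DEVICE_B_SECRET = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation in the style of HOTP (RFC 4226):
    31 bits taken at an offset chosen by the low nibble of the last byte."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login_code(secret: bytes, pin: str, now: int, digits: int = 8) -> str:
    """Time-based login code: constant within one 30-second window and keyed
    by the device secret, so another reader with the same PIN differs."""
    window = now // TIME_STEP
    msg = b"login:" + struct.pack(">Q", window) + pin.encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


def signing_code(secret: bytes, pin: str, challenge: str, digits: int = 8) -> str:
    """Challenge-response signing code: deterministic in (secret, PIN,
    challenge) and deliberately not time-based."""
    msg = b"sign:" + challenge.encode() + b":" + pin.encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


def pin_only_signing_code(pin: str, challenge: str, digits: int = 8) -> str:
    """The design the comment worries about: no device secret, so the code is
    a function of PIN and challenge alone and any reader produces it."""
    digest = hashlib.sha1((challenge + ":" + pin).encode()).digest()
    return _truncate(digest, digits)


def compare_designs(pin: str = "1234", challenge: str = "31415926",
                    now: int = 1_700_000_000) -> dict:
    """Properties a practitioner would check; inputs are constructed values."""
    return {
        "login_stable_in_window":
            login_code(DEVICE_A_SECRET, pin, now) == login_code(DEVICE_A_SECRET, pin, now + 9),
        "login_changes_next_window":
            login_code(DEVICE_A_SECRET, pin, now) != login_code(DEVICE_A_SECRET, pin, now + 10),
        "signing_repeats_for_same_challenge":
            signing_code(DEVICE_A_SECRET, pin, challenge) == signing_code(DEVICE_A_SECRET, pin, challenge),
        "keyed_signing_differs_per_device":
            signing_code(DEVICE_A_SECRET, pin, challenge) != signing_code(DEVICE_B_SECRET, pin, challenge),
        "pin_only_identical_on_any_reader":
            pin_only_signing_code(pin, challenge) == pin_only_signing_code(pin, challenge),
    }


if __name__ == "__main__":
    for name, holds in compare_designs().items():
        print(f"{name}: {holds}")
```

The window boundary used by compare_designs is deliberate: 1_700_000_000 is 20 seconds into its 30-second step, so `now + 9` is still the same window and `now + 10` is the next one. The two inequality checks hold with overwhelming probability rather than with certainty, since 8-digit codes can collide by chance.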
Perhaps you should read the PHP 5 changelog. I'd argue that any variables placed in global scope in any language can be clobbered by any equivalent of an 'include'. In this sense, it'd be perfectly possible to create a PHP script containing only functions and classes with local variables and a call to a main() function of sorts.
Perhaps I've mistaken you and this isn't what you mean at all. In this case, please feel free to clarify.
I'd suggest that you read http://www.php.net/zend-engine-2.php; you might be surprised.
Let me put it this way: if it's done correctly, I'm sure there will be no security problem. And I'm sure it's cheaper for the banks to offer me something that can give me $40, a lottery ticket and a can of Pepsi (though I'm sure MS sponsors Coke, heh) since it's already based on something they use and there are already drivers for the required parts. This means less cost in development personnel and less cost for me.
I'm not sure about this. Merriam-Webster uses PHP for their online dictionary; Yahoo uses PHP for their site and many other corporations are using PHP for their web development.
Additionally, PHP 5 has true OO support and ends up looking a lot like a hybrid C/C++/Java.
I think one of the main reasons it hasn't been picked up in corporations is because of its lack of OO features (and possibly its inability to be compiled into a single app), although you do have plenty of good encoders and caches.
I don't think speed's really an issue -- PHP consumes a relatively low amount of memory and is quite fast. On a 143MHz UltraSPARC IIi, I can fetch and pattern match 70,000 directory listings from a MySQL connection to a remote computer and display output in approximately 15 seconds. On a modern machine, this is instantaneous. Additionally, the caches speed up the process by magnitudes. PHP has a much lower overhead than enterprise Java (even J2SE) and .NET. And it does a good job doing what it does :).
And I'd suggest that you take a look into using the require_once language construct instead of include;).
Finally, PHP is an Apache Group-backed project, so it's not just floating out there with a few developers. PHP has great documentation, tons of developers and a huge publisher interest (buy my books, BTW). I think it could make it.
Okay, education point here (if you know, then it's cool. If not, here's something you should know).
The -STABLE branch is NOT STABLE! In the FreeBSD development cycle, the most stable systems run -RELEASE. Major development is done on -CURRENT. Working ideas are then moved into -STABLE (to stabilize) -- a -STABLE system is a development system and is not guaranteed to boot. When the -STABLE branch proves itself to be very stable and contains enough new functionality, a -RELEASE snapshot is made. -STABLE should be renamed to -BETA or something similar (it actually was at one point, but this was retracted when a lot of people complained that they didn't want a -BETA branch, they wanted it to be stable).
For more information, please read about -CURRENT and -STABLE and what they really are at http://freebsd.org/handbook/current-stable.html. Unless you're doing development and if these are production servers, I suggest that you run -RELEASE on them.
There are many good reasons for corporations to use Windows, as we all know. Security isn't a problem in this situation since it's neither TCP/IP nor on a public network. I fail to see your point. My point was to educate the poster of the original post that
a) Bruce Schneier has a better idea about what's secure than most people on the planet and,
b) ATMs don't work the way that the original poster thought, thus rendering his point moot.
Why don't you read the posts before you post your crap? These posts are all obviously off-topic. This is worth a -1: judging your grammar and (in)ability to express a point, you should probably stick to writing horrible gothic poetry. And watching Star Wars movies (yes, it's an incomplete sentence).
I have no problems with banking people who think this is a good idea. If banks can give me better service at a lower price using Windows than another OS, I'm all for it. I am fully aware that security isn't an issue here, so I'm 2 times more for it.
The rest of your comments indicate that you've no clue how managed systems and enterprise-level corporations work. That's perfectly okay, but don't go spouting ideas like 'why would you want compatibility with your own products'.
End of discussion. dodell 1, everyone else in the thread 0. STFU.
Have you ever tried using the -x switch with an argument in tar? Read the manpage, you can extract single files (or file paths) very easily.
Of course, then people just get around that by making the javascript look like
code = "window."+"open"+"(extra_open_commands)";
eval(code);
Good luck trying to get around all the possible combinations of doing that. In fact, google uses something like this for their ads -- read their JS.
What version are you using? It works in 10.3.1 and 10.2.8. For me.
Grr.
The required header files are sys/types.h and pwd.h, respectively.
and probably linux too.
get mmsclient (on freebsd this is /usr/ports/multimedia/mmsclient, you can also pkg_add -r mmsclient)
run
mmsclient mms://a644.m.akastream.net/7/644/674/t080901_1130_001/cnetnews.download.akamai.com/674/t080901_1130_1_hi.asf
have fun.
You airhead, that's what I just said.
I said it's "an OPEN algorithm developed outside the United States". Are you being contradictory or needlessly pedantic?