Yes, nothing is 100% secure. But we cannot judge that ssh is less secure because you can "guess" a password based on keystroke frequency.
If this guessing method is 10, 50 or 100 times faster at guessing a password, it is just a sign that the weakest part of authentication systems is poor password selection. (Administrator/admin for NT is a good example)
I think that massive password sieving is still far more dangerous globally than targeted password guessing.
Let's put this issue in perspective:
FTP passwords have been circulating in plaintext for years. Many of those passwords are also shell account passwords (if not, they could enable anyone to upload a CGI connected to /bin/sh).
This is a "terrible" hole, but this is the way that millions of users upload files to their servers every day.
Considering this reality, it is strange that cracks come much more often from the buffer overflow dept. (bind and nfs exploits are the top scans I've seen).
So, I'm not afraid that someone will guess my ssh r00t password just by sniffing net traffic, and maybe 98% of us shouldn't be either.
Companies are pursuing an impossible task... I'm glad there are a lot of people actually selling them coloured glass, mirrors and other forms of useless systems and making money from it.
They can build as many new, amazingly stupid protection schemes as they want, but we always return to point 0.
IF YOU CAN HEAR IT, YOU CAN COPY IT
That's all...
The ultimate copy protection would be to stop selling CDs at all
-OR-
Develop a new distribution system more suitable for this century...
Imagine how far they went: now the first purpose of CD audio (HI QUALITY) is being forgotten, lost to a new concept (HI QUALITY + INDUCED DISTORTION).
I'm sure that companies will charge some extra cents to cover the costs of developing this new, soon-to-be-dropped protection scheme.
Well, I can answer that!
As a "third world" admin (you forgot South America in your "third world" classification):
Yes, our IPs are scanned all the time for statistical information gathering.
For common back pain (there are some clinical conditions that may need medical advice), there are 2 or 3 tricks that have helped me so far. This is my non-professional advice:
1) Sports:
Any sport will do; try to do some physical activity at least twice a week.
Play tennis, run from work to home, run in circles, bicycle, soccer, rugby, surfing, swimming... anything!
2) Change your chair:
If you care about your keyboard, your mouse, your screen, your OS, your desktop... why not care about your butt containment device (aka chair)? Look around at home/office for a chair that's comfortable; the degree of back pain at the end of the day is a good measure for finding the right chair.
3) Avoid drugs:
In my life, I've avoided all kinds of drugs (from Tylenol to cocaine); just use painkillers when it is ABSOLUTELY NECESSARY. Like any drug, the less you take it, the more effect you get when you do. If your body gets used to a painkiller, it won't work when points 1) and 2) stop working.
Problem????
Where's the problem????
ECN is explicitly marked as experimental in the kernel info. What's more, it says that MANY ROUTERS ARE NOT PREPARED TO HANDLE IT.
I can't believe somebody wrote a piece about an experimental feature in the Linux kernel AND that Slashdot links to it.
Unbelievable. Fsacking amazing.
Next year Slashdot will link to a story about Apache 4.0.0.0.0a, saying Apache is having trouble serving pages because there's no 4.0.0.0.0a code written yet.
Sometimes, having a backdoor is not a bad thing(tm).
Imagine a scenario where you administer hundreds of users who, somehow, administer their own space at the same time (virtual mail domains, for example).
A backdoor password is useful to administer each and every mail domain. But only if the channel is secured somehow... I would not use a backdoor password while sending passwords as plain text over the network...
Well, get used to bad English and don't be ashamed.... looks like everybody speaks bad English on Slashdot but in the end, they get their point across.... jajaja
OOP is always what comes after an OO Design.
Yes, OO Design is far superior to other design techniques, but sometimes it is also harder. Why? Because you have to give your designers the WHOLE PICTURE from the BEGINNING OF THE PROJECT.
The Designer comes to play a key role here.
In my poor experience (counted in years, not decades ;)... non-OO design techniques actually gave shorter design times, but when the design team was gone (working on the next project) coders had to start working out ugly hacks in order to make the system work the way the customer wanted.
With OO Design, you can present your customer a nice graphical interpretation of the system behavior BEFORE EVEN IMPLEMENTING A LINE OF CODE. And yes, my mom can understand those UML diagrams... it's easy.
At the implementation level, OOP and NON-OOP are good in their own category. But wait! A programming language is only as good as the programmer using it.
I've seen nasty things done using OOP and really good things using plain old C.
So, to this point, we can see that OOP is very design dependent.
The reusability grail is very design dependent. I can make a "CAR" class, or I can make a "VEHICLE" class. That's up to the designer. But when the same group of programmers/designers/software engineers has to write a "BUS" class, because the "CAR" is quite different... well, REUSABILITY my ass. Stop everything and start over again. (Up to some level, the CAR experience will be useful, but not transparently and automagically reusable.)
So, I won't blame OOP, I tend to blame OO Designers. And yes, I think that most commercial projects (small to medium) don't benefit from using the OO combo.
OO Techniques (Design and Coding) could be a big benefit to the Open Source Community.
I remember www.theClassRoom.org, nice idea.
Collect classes from open source projects and present them to the Community for reuse.
Have you ever seen an image bank? Well, I can think of many good uses for a class bank.
Search, read license, copy, paste, use, extend, submit to the community. The real Open Source spirit.
We are in deep shit.
Every week I receive portscans from "known" or "major" companies IP segments.
(whois ip@arin.net)
When this happens, I tend to "gently" reply to the portscan. Not because I'm a fucking terrorist, I'm just curious. (It's not an automated script, I do it when I'm bored)
Now: Imagine that the "Bigcompanyfullofshit.com" website is cracked, and the perpetrator decides to install a script there, and by twisted destiny I get scanned, and I reply to the scan.
This means that the FBI, Police, or any clueless idiot will be knocking on my door the next day and confiscating my hardware, which turns out to be a legitimate business that feeds me and my family, just on the sole basis that they logged a portscan????
I HAVE HUNDREDS OF THEM!!! And neither the FBI, CIA, Secret Service nor anyone else gives a shit about them!!!!
I don't know if this guy really did something bad, if he likes to archive tons of porn, scripts or anything, but if the only thing the Feds needed to get a warrant was something like this:
Oct 31 10:00:01 host kernel: Packet log: input DENY ??? PROTO=6 id.iot.ip:65333 myhost:12345 L=48 S=0X00 I=19781 F=0X4000 T=119 SYN (#1)
And what about port 139???? Every idiot on the planet is scanning that port. Will the FBI put all of them in jail???
Or is it that a baseball team's website is a matter of national security?
Andres has all my sympathy, just because I could be the next idiot trying to explain to an Ape the difference between a portscan and an intrusion.
Just my 2 cents...
But, IMHO, Samba and the SMB protocol are a good example of a Bad but necessary thing.
Let me make this clear: SAMBA IS GOOD. Samba lets you have a UNIX file/print server in a private network full of Windows machines.
But the PROTOCOL is BAD. The extensions that have been added to the original protocol by M$ have made it a nightmare.
I think that's why the Samba project is forking.
But again, this is only MHO.
Thanks to the Samba guys anyway (both), who have been delivering a quality product from a lousy standard....
As long as RH provides a fix promptly, it's OK for me. It's called "Development"; these kinds of things happen all the time... I'm not a Red Hat devotee, but their effort to provide an easy install and maintenance makes Linux usable for a wider range of people. (sadly?, NO!)
Anyway, I only use critical daemons, and minimal services available to the net.
I don't trust RH daemons, but that's my choice...
You forgot that Microsoft would soon integrate it into Windows2000 1/2 and would introduce some secret code alerting Microsoft of your secret sexual perversions.
But anyway, I still like the idea.
Has anybody made something like this already?
The better ideas always come from technical minds. The key problem is that we (techies) can't (or don't want to) mess with the marketing world.
So. Even if the product EXISTS, it would be so difficult to sell as a filter replacement.
Imagine one of those nice black boxes with embedded Linux running a firewall/HTTP request logger, and who knows what else... (Imagine a cluster of these... I had to say it.. jejeje.)
with a nice HTML interface that you can access from your browser to control, audit, etc.
Interesting...I only need a name for it...
It would be a nice thing. I would buy it.
If you have kids, and you are really interested in what they are reading, searching or looking at on the internet, just install a fucking proxy and then take some time to:
1) Review the logs and where your kid has gone.
2) Talk about it with him/her.
If you can't do this, your problem is not the adult content at some internet sites... your real problem is just that parenting is not for you.
I'm sure there's some software that does this stuff for Windows.
When my father found a Playboy magazine in my room (I was 12 years old) we had a really constructive chat at that time. It helped me to learn how to be a better parent... Talking is much better than censoring, but you have to be prepared.
That's true, getting root is easy on some systems, but if you care about your system, you should see what's going on in it at least on a weekly basis.
I usually exchange some intrusion tests with other admins once a month, and do internal testing on an "I'm bored and there's nothing to do" basis.
C'mon!! There are NEW files in your library path!!!!
You should notice something like that!!!
Anyway, the rpm/deb was just a joke, I did not want to raise an open/closed philosophical issue here...
Give me a break!
I guess this is kinda repetitive but you have to actually have something called root rights to install not only a library but a server that listens on port something...
Trinity (someone needs a miracle, very funny...) is just a symptom, not an illness.
If someone gets rights to install a root shell server controlled by IRC (very creative) then the DDoS part is just an application. Today DDoS, tomorrow.... who knows....
So, we have not only 1 but 400 admins out there who actually got Trinity installed on their systems somehow... does any of them actually have a clue how this happened???!!!
Accelerated X is faster than Accelerated Y.
Tested in similar conditions and hardware.
Especially rendering in 2 bits (black and white). By the way, I have a benchmark article I wrote.
Anybody wants it?
AFAIK, the person who lost the domain was clearly trying to hide its squatting using just 1000 words from the bible.
There's no content, nothing but little pieces from the bible. REALLY SMALL PIECES!
So I can understand the ruling BUT!
What if I use my domain for email purposes?
What if all my communications depend on an address/domain and I just don't use http???
Is http more important than any other service??
I dunno...
The internet is so httpized that it starts to lose control...
And you can get anything in this world with a couple of good lawyers...
That's important; then if you don't like their statement, you can do what you want, it's up to you...
It would be great if someone set up an Open Letter to them (if this gets confirmed) and then millions sign it...
(Personally, I think that the Open Source Community looks bad when a company that's somehow interested in Linux and Open Source Software in general gets tons of flame mail and trolling... I prefer Open Letters)
If it's true, it doesn't surprise me. We will see many things like this happen in the future. Some people in the "corporate" world just want to take advantage of other people's work. Who knows how many commercial projects are now using parts of GPL'd code?
Like rats, for every single rat you see, there are ten more hiding.
I use vigor every day. Config files, HTML, plain text, mail, remote shell...anything
Vigor leads me step by step and it's always right
Just my 1x10^-3 $
Hey!
That's a show I'd like to see!
Have you noticed that most Microsoft-enabled mail viruses appeal to love and sex in order to make the user open them?
That's all.
If I send the key to my front door in a transparent envelope, my door lock is safe; the problem is my stupidity.
Sorry, but I need to say this stupid fact.
:)
AND
To my knowledge, there are no trains connecting even Mexico to Colombia.
So an InterContinental ride by train is far, far in the future.
The only place in Latin America which is suitable to start this TransAsiatic journey is, MIAMI...
err.... no, I mean it, it's a deliberate mistake.
"C# is a modern, object-oriented language that enables programmers to quickly and easily build solutions for the Microsoft .NET platform."
Hey!!!
Wait!!!! This sounds so un-sharp to me...
We already have "SHARP" languages... this will confuse people, so let's rename it... C^$ (C-Bloat)
So this C Bloat is just a new member of the large family of bloated oriented languages brought to us by Microsoft.