Slashdot Mirror


User: ph0enix

ph0enix's activity in the archive.

Stories
0
Comments
41

Comments · 41

  1. Re:fdisk on OpenBSD 4.8 Released · · Score: 1

    It's very simple: when it asks you "Use (W)hole disk or (E)dit the MBR? [whole]", just hit to get the default, and you'll never have to use the fdisk tool at all.

    Disklabel layout of the various filesystems is now auto-configured by default to a generic layout suitable for the size of disk you're installing on.

  2. Re:Very Interesting... on Google Chrome, the Google Browser · · Score: 1

    If you use vi, then clearly you need Vimperator.

  3. Re:Japan on Smart Parking Spaces In San Francisco · · Score: 1

    Metered curb spaces are relatively common in commercial parts of Tokyo at least, but there is essentially no street parking in residential areas.

    One interesting feature of car ownership in Tokyo is that you have to prove that you have a parking space before you even purchase the vehicle.

  4. "not written for fun" on New "Mebroot" MBR-Modifying Rootkit Analyzed · · Score: 4, Insightful

    This malware is very professionally written and produced. Which of course means it's not written for fun.

    Why include this swipe at amateur software development?

    Nearly all of the "professionally produced" code that I've read is horrendous and looks like it's been coded by rabid gibbons on LSD, while the best code I've read has been written by people for whom it's a labor of love. Yes, there is also plenty of ugly open-source code, but the fact that it's well written just means that the programmer cared about it.

  5. It's a shame... on OLPC Developers Boost Security · · Score: 1

    It's a shame that the OLPC folks are hurting efforts to get documentation of wireless chipsets.

    Please correct me if I am wrong, but it seems that documentation for Marvell's 88W8388 is not publicly available without signing an NDA?

    If this is the case, why did a project that seems to pride itself on openness agree to deal with such a company? Drivers written under NDA tend to be full of magic numbers, near impossible for others to properly maintain and totally against the spirit of open projects.

    If they were really concerned about security, they would be demanding full documentation for this hardware - if security problems are discovered in the magic-number filled drivers (generally the case with drivers developed under NDA), it would be nice to be able to actually fix the bugs.

  6. Security First? on Microsoft Vista User Interface Guidelines Published · · Score: 1

    "Scheduling time for a visual clean-up at pixel level, layout corrections (alignment, spacing), and other visual "fit and finish" is as important as it is to schedule time for bug fixing and other types of quality control."

    Nice to see that Microsoft is committed to putting security first; No, they've definitely given up compromising security and stability for eyecandy and features. </SARCASM>

  7. Security Problems? on Windows Guru Calls For IE7 Boycott · · Score: 1

    Somebody needs to write an IE7 exploit that installs Firefox.

  8. Like this? on Open-source Licensing: BSD or GPL? · · Score: 1

    /usr/share/misc/license.template on OpenBSD:

    /*
     * Copyright (c) CCYY YOUR NAME HERE
     *
     * Permission to use, copy, modify, and distribute this software for any
     * purpose with or without fee is hereby granted, provided that the above
     * copyright notice and this permission notice appear in all copies.
     *
     * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
     * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
     * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
     * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
     * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
     * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
     * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
     */

  9. Re:Cliff's Notes: Start Using TCP Sequence Number on Examining ICMP Flaws · · Score: 4, Informative

    I just ran my sniffer and inspected an ICMP echo request. I see the ICMP seq#, there is no TCP header on the packet.

    Well duh, ICMP echo request/reply messages are not the ICMP error messages being discussed. From TFA:

    There are three ICMP type 3 'destination unreachable' errors that are defined in RFC 1122 as hard errors. Code 2, 'protocol unreachable', code 3, 'port unreachable', and possibly code 4, 'fragmentation needed and don't fragment bit set' are all hard errors that if received can cause a TCP stack to tear down an existing connection.
  10. Re:Some facts about this on Examining ICMP Flaws · · Score: 1

    This is much worse than the TCP reset attacks we read about. Why? Because using these ICMP exploits, you can stall a connection without the application layer ever receiving notification that something is amiss.

    Also TCP MD5 authentication (one of the "official" solutions to the TCP reset attacks) provides no protection against this protocol flaw.

  11. Re:Cliff's Notes: Start Using TCP Sequence Number on Examining ICMP Flaws · · Score: 4, Informative

    The ICMP error message that's returned contains a chunk of the packet that the message refers to. The recipient of the error message uses this to demultiplex the ICMP error and apply the error to the correct connection. To do this for TCP, it needs the source and destination IP addresses and ports.

    The TCP sequence number is also there, but the protocol doesn't require it to be checked.

    By and large most protocols are designed to work, not to be secure. This needs to change. The TCPM working group needs to admit that this is a flaw, and change the standard rather than sticking their heads in the sand.

  12. Re:Cliff's Notes: Start Using TCP Sequence Number on Examining ICMP Flaws · · Score: 3, Informative

    The spec calls for a sequence number in the block. Vendors aren't checking it. There are a lot of technical details about how TCP connections can be slowed down by an ICMP attack, but if the vendors checked the sequence number it would make it almost impossible to implement these attacks.

    The spec does not require the sequence number be checked (or even mention it), but some OSs check it anyways. Even with the sequence number check, the attack is still not impossible, now just on par with the TCP reset attack which got tons of publicity last year. Additional fixes are required.

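Comments 9, 11 and 12 above describe the mechanics: a host demultiplexes an ICMP type 3 hard error (codes 2, 3 and 4) by reading the embedded IP and TCP headers of the offending datagram, and the sequence number sitting in those first 8 TCP bytes can be checked against the connection's send window even though the spec does not require it. The following is an added illustration, not code from any of the comments or from a real TCP stack; the connection table, the `TcpConn` fields and the sample addresses are assumptions, and the sample ICMP messages are constructed inline. It shows the demultiplexing step and the difference between a stack that checks the sequence number and one that does not.

```python
import struct
from dataclasses import dataclass

# RFC 1122 hard errors for ICMP type 3 (destination unreachable), as listed in
# the comment above: code 2 protocol unreachable, 3 port unreachable, 4 frag needed.
ICMP_DEST_UNREACH = 3
HARD_UNREACH_CODES = {2, 3, 4}
IPPROTO_TCP = 6


@dataclass
class TcpConn:
    """One entry in a hypothetical host's connection table (field names assumed)."""
    local: str
    lport: int
    remote: str
    rport: int
    snd_una: int  # oldest unacknowledged sequence number
    snd_nxt: int  # next sequence number to be sent


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def parse_icmp_hard_error(icmp: bytes):
    """Return (local, lport, remote, rport, seq) taken from the embedded offending
    datagram when the message is a hard destination-unreachable error about a
    TCP segment; otherwise None (echo request/reply, soft errors, non-TCP)."""
    if len(icmp) < 8 + 20 + 8:  # ICMP header + minimal IP header + 8 payload bytes
        return None
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH or code not in HARD_UNREACH_CODES:
        return None
    inner = icmp[8:]  # RFC 792: IP header + first 8 bytes of the original datagram
    ihl = (inner[0] & 0x0F) * 4
    if (inner[0] >> 4) != 4 or ihl < 20 or inner[9] != IPPROTO_TCP:
        return None
    if len(inner) < ihl + 8:
        return None
    local, remote = _ip_str(inner[12:16]), _ip_str(inner[16:20])
    # First 8 bytes of a TCP header: source port, destination port, sequence number.
    lport, rport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return local, lport, remote, rport, seq


def seq_in_send_window(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """snd_una <= seq < snd_nxt, computed modulo 2**32."""
    return (seq - snd_una) % (1 << 32) < (snd_nxt - snd_una) % (1 << 32)


def should_abort_connection(conns: dict, icmp: bytes, check_seq: bool = True) -> bool:
    """Would this host tear down a connection on receipt of the ICMP message?
    check_seq=False models the vendor behaviour the comment describes: any error
    naming the right 4-tuple is honoured."""
    parsed = parse_icmp_hard_error(icmp)
    if parsed is None:
        return False
    local, lport, remote, rport, seq = parsed
    conn = conns.get((local, lport, remote, rport))
    if conn is None:
        return False  # no such connection: nothing to apply the error to
    if check_seq and not seq_in_send_window(seq, conn.snd_una, conn.snd_nxt):
        return False  # the quoted segment was never in flight, so drop the error
    return True


def build_icmp_unreach(code: int, local: str, remote: str,
                       lport: int, rport: int, seq: int) -> bytes:
    """Constructed sample ICMP type 3 message for offline testing. Checksums are
    left as zero because the parser above does not verify them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         _ip_bytes(local), _ip_bytes(remote))
    tcp8 = struct.pack("!HHI", lport, rport, seq)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip_hdr + tcp8


# Constructed connection table: one established connection, 500 bytes in flight.
SAMPLE_CONNS = {
    ("10.0.0.2", 40000, "10.0.0.1", 80):
        TcpConn("10.0.0.2", 40000, "10.0.0.1", 80, snd_una=1000, snd_nxt=1500),
}

if __name__ == "__main__":
    genuine = build_icmp_unreach(3, "10.0.0.2", "10.0.0.1", 40000, 80, 1200)
    bogus = build_icmp_unreach(3, "10.0.0.2", "10.0.0.1", 40000, 80, 123456)
    print("in-window seq, checked   :", should_abort_connection(SAMPLE_CONNS, genuine))
    print("bad seq, no check (vendor):", should_abort_connection(SAMPLE_CONNS, bogus, False))
    print("bad seq, checked          :", should_abort_connection(SAMPLE_CONNS, bogus))
```

The window check only narrows the problem, as comment 12 notes: a message whose sequence number happens to fall inside the send window is still honoured, which is the same residual exposure the TCP reset attack has.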
  13. Re:Military applications? on Open Design for ~$800 Swarm Robots · · Score: 1

    And this is quite possibly the funniest (and oddly relevant to this discussion) email on the subject.

  14. Re:Military applications? on Open Design for ~$800 Swarm Robots · · Score: 1

    That specific comment was made in regards to the removal of IPF. But this interpretation of the concept of freedom is strongly held by the whole OpenBSD development team; just have a look at the Lyrics page, which outlines some of the big issues behind OpenBSD releases:
    • 3.3 - Sun refuses to release full documentation for the UltraSparc III processor.
    • 3.4 - OpenBSD loses funding after no-strings-attached grant turns out to have strings attached limiting freedom of speech
    • 3.5 - Cisco attempts to assert patent rights on IETF standards (VRRP)
    • 3.6 - "Free" software projects becoming less free
    • 3.7 - Open wireless drivers and free firmware (OpenBSD is now the only free BSD. Ironic, no?)

  15. Re:Military applications? on Open Design for ~$800 Swarm Robots · · Score: 1

    Developers of killing devices won't use Linux, of course. They'll use the OS specifically licenced for these purposes: OpenBSD.

    "...software which OpenBSD uses and redistributes must be free to all (be they people or companies), for any purpose they wish to use it, including modification, use, peeing on, or even integration into baby mulching machines or atomic bombs to be dropped on Australia." -- Theo de Raadt

  16. Re:Oh, irony on Theo de Raadt gets 2004 FSF Award · · Score: 1

    Ummmm. If you look at the OpenBSD Events Page you'll notice that regarding FOSDEM in Brussels, "Theo de Raadt will also be present at this event, though not presenting a talk." No need to speculate, he was there personally to receive the award.

  17. Re:This is a good thing. on Sharp Plans To Pull Zaurus From U.S. Market · · Score: 1

    It's also useful for viewing http://www.seizurerobots.com/.

  18. Re:Here's what I'm going to do: on US House, Senate Agree on Anti-Spam Bill · · Score: 2, Interesting

    Hypothesis: The first account will start receiving spam almost immediately. Due to the nature of the spam, the second should never receive spam unless someone is sending email to random 8-character accounts at my domain (brute force attack).

    Instead of publishing a list of opt-out addresses, the FTC or whomever could simply publish a list of SHA1 hashes of the addresses. The spammer could check for an address on the list by hashing it and looking for the hash, but would be unable to use the list to spam to.

    Sure, a dictionary attack is possible, but hashing like this makes it much more expensive to use the list for the wrong reason. (And by adding different random salt to the list for each spammer you send it to, along with some trap email addresses, it would be possible in many cases to identify the spammer(s) who perform this attack)
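The scheme in comment 18 (publish salted SHA-1 hashes rather than addresses, give each recipient of the list a different salt, and seed each copy with trap addresses) as an added, runnable sketch. This is illustration only, not code from the comment, the FTC or any real registry; the `OptOutRegistry` class, its method names and the sample addresses are assumptions, and SHA-1 is used because it is the hash the comment names. Recipients can answer "is this address opted out?" by hashing and looking up, but cannot read addresses out of the list, and a trap address that later receives mail points back to the copy it was planted in.

```python
import hashlib
import secrets
from typing import Optional


def normalize(addr: str) -> str:
    """Canonical form, so case or whitespace differences cannot defeat the lookup."""
    return addr.strip().lower()


def hash_address(salt: bytes, addr: str) -> str:
    # Construction assumed here: SHA-1(salt || normalized address), hex encoded.
    return hashlib.sha1(salt + normalize(addr).encode("utf-8")).hexdigest()


class OptOutRegistry:
    """Hypothetical registry that hands each sender a differently salted hash list."""

    def __init__(self, opt_out_addresses):
        self.opt_out = {normalize(a) for a in opt_out_addresses}
        self.traps = {}  # trap address -> id of the sender whose copy contained it

    def publish(self, sender_id: str, trap_addresses, salt: Optional[bytes] = None):
        """Return (salt, hash set) for one sender. A fresh salt per sender means the
        copies cannot be correlated; trap addresses are unique to the sender, so
        mail arriving at one identifies who misused the list."""
        salt = salt if salt is not None else secrets.token_bytes(16)
        traps = {normalize(t) for t in trap_addresses}
        for trap in traps:
            self.traps[trap] = sender_id
        hashes = frozenset(hash_address(salt, a) for a in self.opt_out | traps)
        return salt, hashes

    def identify_leaker(self, delivered_to: str) -> Optional[str]:
        """Which sender received the copy containing this trap address, if any."""
        return self.traps.get(normalize(delivered_to))


def is_opted_out(published, addr: str) -> bool:
    """The check a sender runs against the copy it was given: hash, then look up."""
    salt, hashes = published
    return hash_address(salt, addr) in hashes


def demo() -> dict:
    # Constructed sample data: two opted-out users, two senders, one trap each.
    reg = OptOutRegistry(["alice@example.org", "Bob@Example.org"])
    list_a = reg.publish("sender-A", ["zq7x1v4k@example.org"])
    list_b = reg.publish("sender-B", ["m3n8p0rt@example.org"])
    return {
        "alice_listed_for_A": is_opted_out(list_a, "alice@example.org"),
        "carol_listed_for_A": is_opted_out(list_a, "carol@example.org"),
        "copies_identical": list_a[1] == list_b[1],
        "leaker": reg.identify_leaker("m3n8p0rt@example.org"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The dictionary-attack caveat from the comment still applies: anyone holding a copy can hash candidate addresses against it, and the per-sender salt does not stop that, it only makes the work per copy and lets the trap addresses attribute a leak.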

  19. Re:Here's a quote... on What Would You Do With a New Form of Encryption? · · Score: 1

    It is impossible to make money selling a cryptographic algorithm. It's difficult, but not impossible, to make money selling a cryptographic protocol.

    However, it is possible to make money by "giving away" a cryptographic algorithm, using it as proof of how very, very smart you are, and then charging people loads of money for your consulting services. This model seems to have worked pretty well for Bruce.

  20. Re:Bad Headline! on Schneier et al Report PGP Vulnerability · · Score: 1

    If Schneier is the LAST author in the list, it probably means he did very little except motivate the paper and help brainstorm.

    No, if he's the last author on the list, it means his name is last when sorted alphabetically. However I agree that it's too bad the others don't get credit in the headline.

  21. Re:DEFCON on Security Gatherings for the Little Guys · · Score: 1

    The male:female ratio at defcon is probably something like 100:1. If you're going to defcon to get laid, choose one of the following options:

    • I am female
    • I am Gay
    • I am bringing my own...

  22. Re:wireless to your toaster.. on Glimpses of the Future from the Intel Developer Forum · · Score: 1

    I would love to see a standard developed for a plugable security model on top of these transports, so a 'suitable' level of protection can be installed for the situation.

    This exists. It's called IPSec and there is no reason that it should not be running on all your wireless links. For pete's sake, there are even IPSec implementations for Palm OS and WinCE.

    We don't need a new security protocol, we just need to implement and use the ones we have (IPSec, ssh, ssl) properly. I'd rather see wireless lan cards come out with 3DES, AES, RSA, SHA-1 etc. hardware acceleration (and open documentation) than yet another wireless "security" protocol that hasn't been peer reviewed properly.

  23. Forever-Bright Xmas Lights Suck on It's Beginning to Look a Lot Like Quickies · · Score: 1

    Don't buy them... We got some at my place, and we've already had 2 strings burn out. I haven't investigated too closely, but it appears that although they attempted to wire them in parallel, if one LED dies the whole string goes. They're really hard to get out of their little sockets too, so it's tough to replace them one at a time to find the faulty one.

  24. Already in Canada on Microsoft, Starbucks To Offer Wireless Service · · Score: 1

    They've already been doing this in Canada for about a year in the Chapters chain of bookstores. I'm not sure if there's an official team-up with Microsoft, but they're running the evil empire OS.

    It might not be in every store either, but in both the Vancouver and Montreal downtown stores they have 10 or so workstations set in nice wooden cabinets, and appointed with a video camera and a telephone handset. You set up your account/buy time at a separate terminal which spits out a magnetic strip card that you use to pay at each station.

  25. Re:Full Text of Leaked Report on Will Britain Log All Communications For 7 Years? · · Score: 1

    Argh. It's just not my linking day today. The full text of the report is HERE