Now, wrap it into a (pre-existing?) HOWTO. Get it published on defcon1.org. Whatever it takes.
But don't leave it as a random, 1-sentence Score:3 posting on Slashdot, where it will do little good for future masses encountering the same, doubtless growing, problem.
You've never heard of Google? The information is out there, but you need to be willing to spend the thirty seconds necessary to find it.
And before anyone complains about the license of QMail/ezmlm, yes, that sucks. The license is a royal pain in the butt, as it doesn't allow direct distribution of modifications, only patches. It still works though, and works really well.
qmail does not have a license and does not need one:
http://cr.yp.to/softwarelaw.html
``What does all this mean for the free software world? Once you've legally downloaded a program, you can compile it. You can run it. You can modify it. You can distribute your patches for other people to use. If you think you need a license from the copyright holder, you've been bamboozled by Microsoft. As long as you're not distributing the software, you have nothing to worry about.''
However, if a user has tens of thousands of emails of whatever size in their mailbox (happens far, far more often than you might think) then just getting a list of files in the directory can take an age.
This is a filesystem problem. Use a better one. On FreeBSD, enable dirhash. On Linux, use ReiserFS or ext3 with htree.
They won't! I opened it? It says on the receipt that I agree to such terms when I signed my credit card! This is standard and gives retailers a loophole. There was no label on it claiming it's a crippled non-CD-compliant audio disc and the manager thought I made this crap up. He claimed he never heard of this and asked me to leave his store!
Wrong. You are protected by VISA. Charge it back. You will be refunded your money by the credit card company. The merchant will lose the whole amount plus an extra $10-$20 charge back fee.
Friend of mine works at a place which only allows HTTP/HTTPS traffic to pass the proxy. It's not port-based firewalling, it's packet inspection. If it isn't HTTP, it doesn't go through.
His solution? He developed a Java applet which gives him shell access to a Linux box (which also is running a webserver, necessary to serve the applet due to Java security). It tunnels over HTTPS to a session running in userspace on the server. He doesn't need root to make it work, either.
There is a much easier solution: use Corkscrew.
You won't get good performance with mbox, period. You need to switch to Maildir. qmail-pop3d works great with Maildir. Maildir scales far better than mbox since it doesn't have to parse out the individual messages. It also doesn't have to use locking. This also makes Maildir inherently more reliable than mbox. There are many tools available to convert between mbox and Maildir.
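The lock-free property the post describes comes from how Maildir delivery is done: write the message under a unique name in tmp/, fsync it, then rename() it into new/, so a reader never sees a half-written file and two writers never touch the same file. Below is an added example of that delivery sequence in Python; it is my own code, not qmail's, and the mailbox path and the sample messages are made up for the demo.

```python
import os
import socket
import tempfile
import time

# mbox appends every message to one file, so concurrent writers need a lock
# (dot-lock or flock) and readers must parse "From " separators. Maildir
# replaces both with unique filenames plus an atomic rename().
_counter = 0


def maildir_unique_name():
    """time.MicrosecondsPpidQcounter.host, with '/' and ':' escaped per the Maildir spec."""
    global _counter
    _counter += 1
    now = time.time()
    host = socket.gethostname().replace("/", "\\057").replace(":", "\\072")
    return "%d.M%06dP%dQ%d.%s" % (int(now), int((now % 1) * 1e6), os.getpid(), _counter, host)


def maildir_create(path):
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(path, sub), exist_ok=True)


def maildir_deliver(path, message):
    """Deliver one message; returns the filename it got in new/."""
    name = maildir_unique_name()
    tmp = os.path.join(path, "tmp", name)
    new = os.path.join(path, "new", name)
    # O_EXCL: if tmp/ already has this name, fail rather than clobber it
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(message)
            f.flush()
            os.fsync(f.fileno())      # data is on disk before it becomes visible
        os.rename(tmp, new)           # atomic: readers see nothing or the whole file
    except BaseException:
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise
    return name


def maildir_list_new(path):
    """What a POP3/IMAP server does to find unread mail: one readdir(), no parsing."""
    return sorted(os.listdir(os.path.join(path, "new")))


def demo():
    """Deliver two constructed messages into a throwaway Maildir and report what a reader sees."""
    with tempfile.TemporaryDirectory() as d:
        box = os.path.join(d, "Maildir")
        maildir_create(box)
        n1 = maildir_deliver(box, b"From: a@example.com\nSubject: one\n\nhello\n")
        n2 = maildir_deliver(box, b"From: b@example.com\nSubject: two\n\nworld\n")
        names = maildir_list_new(box)
        with open(os.path.join(box, "new", n2), "rb") as f:
            second = f.read()
        return {
            "count": len(names),
            "distinct": n1 != n2,
            "second": second,
            "tmp_empty": os.listdir(os.path.join(box, "tmp")) == [],
        }


if __name__ == "__main__":
    print(demo())
```

The directory listing is exactly the operation the next post complains about for huge mailboxes; that cost is the filesystem's, not Maildir's, which is why the reply points at dirhash/htree.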
This is exactly what autoconf and automake accomplish. Why reinvent the wheel?
The court isn't going to come along and say: hey, you distributed your binaries with Linux, they are obviously now GPL'd, so hand over the code.
By distributing binaries from code mixed with GPL, you've agreed to the terms of the GPL. Opening up your sources may be the only way to keep the other copyright holder(s) from suing you. What would really happen is up to the courts to decide, as there have been no precedent setting cases.
Do you want to take the chance that the court would force you to open up your code? Most companies wouldn't.
This is the worst sort of paranoid scaremongering. There is no mechanism in the GPL, nor could there be any mechanism, for stealing IP from you. In a worst case scenario you might be barred from, or even fined for, distributing other people's IP without their consent, but your own IP will always remain yours. In practical terms it hasn't ever even been necessary to fine or enjoin the distribution of GPL'd software, as all companies so far have been able to come to an agreement with the FSF in mediation.
He didn't say steal. He said lose. You write some code from scratch. This is now your intellectual property. You combine the code with code licensed under the GPL and distribute it. You have now "lost" your intellectual property. Sure, you still own the copyright on the code, but now everyone can see it and use it.
Take for example, SSH--port forwarding is possible both from the "server" and the "client" sides. All the client has to do is accept inbound connections across the SSH tunnel. This can even be configured so the "server" accepts incoming connections from third hosts, which are then forwarded to the client.
Yes, but where are you going to tunnel to? The proxy server in the middle has to handle all the bandwidth of both connections. So now you must pay for both your local connection and your remote connection. And since the remote connection is likely on more expensive bandwidth than a typical home broadband connection, you might as well just go ahead and pay "five times as much" for a broadband connection.
Eventually, you have to pay for the bandwidth. You are correct about proxies. In order to allow any secure connections, all secure connections must be allowed. But that still doesn't solve the bandwidth issue. Who pays for the other end of the connection?
The Internet supports name server access using TCP [RFC-793] on server port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP port 53 (decimal).
Wrong. DNS is done using UDP queries. Authoritative name servers are only required to respond to UDP queries. TCP is used as a fallback method if a response will not fit in 512 bytes. This is almost never needed (since servers control what data they publish) and as a result, TCP service is not used by many sites. Blocking UDP port 53 will completely break DNS:
http://cr.yp.to/djbdns/tcp.html
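The fallback the post describes is driven by one header bit: a server that cannot fit the answer in the UDP reply sets TC, and the client repeats the query over TCP, where each message is prefixed with a 2-byte length. Here is an added example (my own code, not djbdns's) of a minimal client that builds the query, inspects the reply header and only opens TCP when TC is set; the sample reply bytes in the test are constructed, and the server address is whatever you pass in. Two caveats for practitioners: randomise the query ID (and rely on a random source port) so a third party cannot guess and spoof the reply, and remember that resolvers speaking EDNS0 accept UDP replies larger than 512 bytes, so truncation is rarer today than the 512-byte rule alone suggests, while zone transfers (AXFR) always need TCP.

```python
import os
import socket
import struct

DNS_UDP_MAX = 512                       # RFC 1035 limit without EDNS0
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def build_query(name, qtype=1, qid=None):
    """Recursive query for <name>, class IN; qtype 1 is A. qid defaults to a random 16-bit value."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")   # unpredictable ID: harder to spoof a reply
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        qname += struct.pack("B", len(raw)) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(reply, qid):
    """True when the UDP reply matches our query and carries the TC (truncated) bit."""
    h = parse_header(reply)
    if h["id"] != qid or not h["qr"]:
        raise ValueError("reply does not match query")
    return h["tc"]


def tcp_frame(msg):
    """DNS over TCP: 2-byte big-endian length prefix (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    if len(data) < 2:
        raise ValueError("short TCP frame")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated TCP DNS message")
    return body


def resolve(name, server, timeout=3.0):
    """Ask <server> over UDP; fall back to TCP only if the reply was truncated."""
    query = build_query(name)
    (qid,) = struct.unpack("!H", query[:2])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, 53))
        reply, addr = u.recvfrom(DNS_UDP_MAX)
        if addr[0] != server:
            raise ValueError("reply from unexpected source %s" % addr[0])
    if not needs_tcp_retry(reply, qid):
        return reply, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(tcp_frame(query))
        data = b""
        while True:
            chunk = t.recv(4096)
            if not chunk:
                break
            data += chunk
            if len(data) >= 2 and len(data) >= 2 + struct.unpack("!H", data[:2])[0]:
                break
    return tcp_unframe(data), "tcp"


if __name__ == "__main__":
    import sys
    raw, transport = resolve(sys.argv[1], sys.argv[2])   # e.g. www.example.com 192.0.2.53
    print(transport, parse_header(raw))
```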
How would someone implement a suspended account and bounce e-mail, AND leave their current files there in case they wanted to reactivate their account?
Very easily. Create a .qmail file in the home directory with the following line:
|bouncesaying "This account is temporarily suspended."
When I move out of my apartment, and the new occupant moves in, I don't "OWN" the mailbox.
HOWEVER... any mail addressed to ME at his address is still mine, and it's a crime for him to open it, or hijack it, or what have you.
Email is different: email is addressed to the box, not to a name. An SMTP envelope recipient is an email address.
Clarification noted, and I concede it. But I believe they forward the mail without any extra charges, don't they? And they will sometimes send out notifications if snail mail is marked "Address Correction Requested."
Most email providers will not forward email for free, and rightly so. With snail mail, the post office has already been paid for the delivery. It costs more in bandwidth and CPU time to forward an email than it does to store it.
Re:OpenBSD based floppy firewall? (on OpenBSD 3.2 Available, Score: 3, Informative)
Try ClosedBSD, a FreeBSD based firewall. It rocks.
Congratulations on making a comment on a week-old story. Nobody will read it.
You read it. That is what is important.
P.S. DJB's dns implementation does indeed defy internet standards. DJB himself said it.
Prove it. If you are referring to worthless, BIND specific features like NOTIFY, then yes, he does not support them. However, they have nothing to do with real world interoperability.
If you are referring to something else, then be specific and give references. Otherwise, it is FUD.
Don't go down the dark path of DJB's nameserver. He has a well-established reputation for making his products non-compliant with internet standards. Plus, djbdns won't scale well for heavy use. I tried it.
That's complete FUD and you know it. djbdns complies with all DNS standards and has no interoperability problems. Informal benchmarks and real life success stories also indicate that tinydns and dnscache scale far better than BIND.
Remember that BIND doesn't log everything by default. tinydns and dnscache do. On extremely loaded machines, that can make a difference. Configure multilog to only log what is important to you, or disable logging entirely.
Re:DNS may take a while to update, eh? (on Slashdot is Moving, Score: 2)
Hey, that's neat - didn't know about it, since I always have used BIND.
There's no time like the present to make the switch!
Re:DNS may take a while to update, eh? (on Slashdot is Moving, Score: 5, Informative)
Set the expire times to 12 hours a few days in advance, 4 hours on the last day, then half an hour in the last 5 or so hours, and three to five minutes for the last forty minutes?
Why bother? With tinydns, you can specify a timestamp for each record and automatically handle updates:
You may include a timestamp on each line. If ttl is nonzero (or omitted), the timestamp is a starting time for the information in the line; the line will be ignored before that time. If ttl is zero, the timestamp is an ending time (``time to die'') for the information in the line; tinydns dynamically adjusts ttl so that the line's DNS records are not cached for more than a few seconds past the ending time. A timestamp is an external TAI64 timestamp, printed as 16 lowercase hexadecimal characters. For example, the lines
+www.heaven.af.mil:1.2.3.4:0:4000000038af1379
+www.heaven.af.mil:1.2.3.7::4000000038af1379
specify that www.heaven.af.mil will have address 1.2.3.4 until time 4000000038af1379 (2000-02-19 22:04:31 UTC) and will then switch to IP address 1.2.3.7.
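The awkward part of using this in practice is producing the TAI64 label. An external TAI64 timestamp is 2^62 plus the number of TAI seconds since the Unix epoch, written as 16 lowercase hex digits; DJB's libtai converts from UTC by adding 10 seconds plus whatever leap seconds are listed in /etc/leapsecs.dat, and with no table installed only the 10 applies, which is exactly what reproduces the 4000000038af1379 = 2000-02-19 22:04:31 UTC pair quoted above. The following is an added example (my code, not part of djbdns) that converts in both directions and emits the two-line cutover shown in the quote; the 10-second offset is an assumption stated in the code, so if you do keep a leap-second table, add its seconds as well.

```python
import datetime

TAI64_BASE = 1 << 62          # external TAI64 labels for the current epoch start at 2^62
TAI_UTC_OFFSET = 10           # assumption: libtai's fixed 10 s, no /etc/leapsecs.dat installed


def tai64_from_unix(t):
    """Unix time (UTC seconds) -> 16 lowercase hex digits as tinydns-data expects."""
    return "%016x" % (TAI64_BASE + int(t) + TAI_UTC_OFFSET)


def unix_from_tai64(label):
    """Inverse of tai64_from_unix; rejects labels tinydns would not accept."""
    if len(label) != 16 or label != label.lower():
        raise ValueError("TAI64 label must be 16 lowercase hex digits")
    value = int(label, 16)
    if not TAI64_BASE <= value < 2 * TAI64_BASE:
        raise ValueError("not a TAI64 label for the current epoch")
    return value - TAI64_BASE - TAI_UTC_OFFSET


def utc_string(t):
    return datetime.datetime.fromtimestamp(t, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def switch_lines(fqdn, old_ip, new_ip, when_unix):
    """Two tinydns data lines: the old address dies at <when>, the new one starts then."""
    ts = tai64_from_unix(when_unix)
    return [
        "+%s:%s:0:%s" % (fqdn, old_ip, ts),   # ttl 0  -> timestamp is the time to die
        "+%s:%s::%s" % (fqdn, new_ip, ts),    # ttl omitted -> timestamp is the start time
    ]


if __name__ == "__main__":
    cutover = unix_from_tai64("4000000038af1379")
    print(utc_string(cutover))
    print("\n".join(switch_lines("www.heaven.af.mil", "1.2.3.4", "1.2.3.7", cutover)))
```

Both lines can sit in the data file days ahead of the move; tinydns evaluates the timestamps at query time against data.cdb, so you rebuild once and nothing needs to run at the cutover moment.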
Re:Perhaps I'm missing something but... (on Slashdot is Moving, Score: 2)
Overrated and Underrated are stupid. Isn't that what meta-mods are for?
Not really, because meta-mod doesn't affect the conversation. An incorrect post that is modded up as informative should be modded down as overrated. This only applies to posts that state fact (ex. no versions of Linux support USB), not opinion (ex. Linux is hard to use).
I don't see a real reason for underrated, because there are plenty of positive modifiers.
You don't need that many machines to get the bandwidth for those attacks, but doing it the DDOS way might make it harder to block. If the attack is coming from one machine they can just block a single IP address.
Not for SYN floods or DNS floods. Both of those are usually done using spoofed source addresses. Of course, SYN floods are easy to deal with using SYN cookies.
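Why SYN cookies defeat a spoofed-source SYN flood: the server keeps no state for a half-open connection at all. Instead the SYN-ACK's initial sequence number is a keyed hash of the 4-tuple plus a coarse time counter and an encoded MSS; a real client echoes it back (ack - 1) and the server recomputes and verifies it, while a spoofed source never sends that ACK and costs the server nothing. The block below is an added, simplified model of the scheme (same structure as the Linux one: two secrets, an 8-bit minute counter, a small MSS table) written by me for illustration, not kernel code; the keys, addresses and sequence numbers are made up.

```python
import hashlib
import hmac
import struct
import time

# Only a 2-bit index fits in the cookie, so the server picks the largest entry
# not above the MSS the client advertised. Window scaling and SACK are lost
# unless carried in TCP timestamps, which is the known cost of cookies.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNT_WINDOW = 4              # refuse cookies minted more than 4 minutes ago


def minute_counter(now=None):
    return int((time.time() if now is None else now) // 60) & 0xFF


def _hash32(secret, saddr, daddr, sport, dport, extra):
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, extra)
    return struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]


def syn_cookie(secrets, saddr, daddr, sport, dport, client_isn, mss, count):
    """ISN to put in the SYN-ACK. Nothing about the client is stored server-side."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    count &= 0xFF
    h1 = _hash32(secrets[0], saddr, daddr, sport, dport, 0)
    h2 = _hash32(secrets[1], saddr, daddr, sport, dport, count)
    return (h1 + client_isn + (count << 24) + ((h2 + mss_idx) & 0xFFFFFF)) & 0xFFFFFFFF


def check_cookie(secrets, saddr, daddr, sport, dport, client_isn, cookie, now_count):
    """Validate the cookie echoed in the final ACK. Returns the MSS, or None to drop the ACK."""
    h1 = _hash32(secrets[0], saddr, daddr, sport, dport, 0)
    diff = (cookie - h1 - client_isn) & 0xFFFFFFFF
    count = diff >> 24
    if (now_count - count) & 0xFF > COUNT_WINDOW:
        return None                            # stale, or the counter field is garbage
    h2 = _hash32(secrets[1], saddr, daddr, sport, dport, count)
    mss_idx = (diff - (count << 24) - h2) & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None                            # hash mismatch: wrong 4-tuple, secret or bit flip
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    secrets = (b"server-secret-1", b"server-secret-2")    # constructed for the demo
    saddr, daddr = bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])
    c = syn_cookie(secrets, saddr, daddr, 40000, 80, 123456789, 1460, count=7)
    print("genuine client:", check_cookie(secrets, saddr, daddr, 40000, 80, 123456789, c, now_count=8))
    print("spoofed source:", check_cookie(secrets, bytes([203, 0, 113, 9]), daddr, 40000, 80, 123456789, c, now_count=8))
    print("five minutes later:", check_cookie(secrets, saddr, daddr, 40000, 80, 123456789, c, now_count=13))
```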
If anyone expected me to pay for them to call me, they can go and whistle. What a good way to bankrupt someone, just stick an autodialler on their cell number, either run up a bill the size of Texas or see the phone hurled into the nearest river.
You only pay if you answer the call. And cell phone service comes with caller ID for that purpose. If someone was doing that, you could just get the provider to block the number.
The simple fact is that this guy wants to exhibit films for profit (or to at least make money from the sale of viewing films; as far as the law is concerned, these are the same thing) and that's not covered by any definition of fair use.
What about going at it from the other angle? Have a free library of movies available. Movies can not be removed from the library, similar to how libraries do not allow certain books to be taken home. The cafe would charge for use of the movie viewing equipment. People would still be able to bring in their own laptops with batteries and watch movies for free, but there has to be a tradeoff somewhere (and they might buy food or whatever).
Correct, I know of no DNS servers, even djbdns [cr.yp.to], which restrict queries to a limited IP range as is common with SMTP. There's not really a large risk in opening up your DNS to everyone; in fact, there are plenty of alternate DNS root servers [jerky.net].
You don't know what you are talking about. There are two different types of DNS servers: authoritative servers and recursive resolvers. djbdns comes with tinydns, an authoritative server and dnscache, a recursive resolver. The two are completely separate. BIND includes both in the same server, which is why many people are confused into thinking they are the same thing.
tinydns does not restrict queries to only certain IP addresses. However, it can return different information depending on the source address of the query. This is usually called split horizon DNS.
dnscache does have access control. You do not want just anyone to be able to query your recursive resolvers. With dnscache, you need to explicitly allow access for IPs that can query it.
There are no risks in opening your content (authoritative) DNS servers to everyone. There are risks in opening up your resolvers to everyone.
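The access control the post refers to is the ip/ directory under the dnscache root (conventionally /etc/dnscache/root/ip/): a client is accepted only if a file named after its address, or after one of its dotted prefixes, exists there, so `touch /etc/dnscache/root/ip/10` admits all of 10.0.0.0/8 and an empty directory admits nobody. Below is an added example (my code, modelled on dnscache's check, not taken from djbdns) that applies the same rule, once against a set of names and once against a real directory built in a temp dir; the addresses are constructed for the demo. Note the prefixes are matched on octet boundaries only, so "10" does not admit 100.x.x.x, and a range like a /23 needs one file per /24.

```python
import os
import tempfile


def okclient(client_ip, allowed_names):
    """dnscache's rule: accept if a.b.c.d, a.b.c, a.b or a is among the allowed names."""
    name = client_ip
    while True:
        if name in allowed_names:
            return True
        dot = name.rfind(".")
        if dot < 0:
            return False
        name = name[:dot]


def okclient_dir(client_ip, ipdir):
    """Filesystem variant: the names are files in <ipdir>, as in /etc/dnscache/root/ip/."""
    name = client_ip
    while True:
        # a failing stat(), for whatever reason, counts as rejection, as in dnscache
        if os.path.exists(os.path.join(ipdir, name)):
            return True
        dot = name.rfind(".")
        if dot < 0:
            return False
        name = name[:dot]


def demo():
    """Build a throwaway ip/ directory and show who gets to use the resolver."""
    with tempfile.TemporaryDirectory() as ipdir:
        for entry in ("127.0.0.1", "10", "192.168.1"):   # same as: touch /etc/dnscache/root/ip/10
            open(os.path.join(ipdir, entry), "w").close()
        probes = ("127.0.0.1", "10.9.8.7", "100.64.0.1", "192.168.1.20", "192.168.2.20", "203.0.113.5")
        return {ip: okclient_dir(ip, ipdir) for ip in probes}


if __name__ == "__main__":
    for ip, ok in demo().items():
        print("%-14s %s" % (ip, "allowed" if ok else "rejected"))
```

This is the whole difference between the two daemons in the post: tinydns answers anyone because publishing your own zone data is the point, while dnscache answers only the IPs you list, because an open resolver is a cache-poisoning target and a reflection amplifier for everyone else.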
Will Zeus run on Linux?
Yes. It is a UNIX web server. It does not run on Windows.
How do you get non-blocking I/O out of a blocking file system? Or are you talking about non-blocking socket I/O?
You don't. Not having non-blocking I/O available for the filesystem is one of the most annoying things about UNIX. Though, there are ways around it. Either use a separate thread or process to do file I/O, or use mmap() with mincore().
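The mmap()/mincore() trick in the reply works like this: map the file, ask the kernel which pages of the mapping are currently in the page cache, and only touch the ones that are; anything not resident is handed off to a worker so the event loop never stalls on a disk read. Here is an added example in Python using ctypes (my code, not from any web server), for Linux where mincore() reports residency in bit 0 of each vector byte; the file it inspects is constructed in a temp dir for the demo.

```python
import ctypes
import mmap
import os
import tempfile

PAGE = mmap.PAGESIZE
_libc = ctypes.CDLL(None, use_errno=True)   # Linux: mincore() from the already-loaded libc
_libc.mincore.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.POINTER(ctypes.c_ubyte)]
_libc.mincore.restype = ctypes.c_int


def resident_pages(mm):
    """One flag per page of the mapping: 1 if it is in the page cache, else 0."""
    npages = (len(mm) + PAGE - 1) // PAGE
    vec = (ctypes.c_ubyte * npages)()
    addr = ctypes.addressof(ctypes.c_char.from_buffer(mm))   # mmap() addresses are page-aligned
    if _libc.mincore(addr, len(mm), vec) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return [v & 1 for v in vec]          # only bit 0 is defined; the rest are reserved


def read_if_resident(mm, offset, length):
    """Return the bytes when every page they span is resident, else None so the
    caller can queue the read on a worker thread/process instead of blocking."""
    flags = resident_pages(mm)
    first, last = offset // PAGE, (offset + length - 1) // PAGE
    if all(flags[first:last + 1]):
        return mm[offset:offset + length]
    return None


def demo(npages=8):
    """Map a constructed file, fault one page in, and show what the check reports."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "data.bin")
        with open(path, "wb") as f:
            for i in range(npages):
                f.write(bytes([65 + i]) * PAGE)        # page 0 = 'A' * PAGE, page 1 = 'B' * PAGE, ...
        with open(path, "r+b") as f, mmap.mmap(f.fileno(), 0) as mm:
            mm[2 * PAGE]                                # touch page 2 so it is resident
            flags = resident_pages(mm)
            data = read_if_resident(mm, 2 * PAGE, PAGE)
            return {
                "npages": npages,
                "flags": flags,
                "touched_resident": flags[2] == 1,
                "touched_ok": data is None or data == b"C" * PAGE,
            }


if __name__ == "__main__":
    print(demo())
```

The limitation is the one the reply hints at: mincore() is a snapshot, so a page can be evicted between the check and the read, which is why servers pair this with a thread pool rather than relying on it alone.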