TFA also states that "People who distribute networking vulnerability scanning tools such as Nmap or Nessus could also be caught up in part (b), Clayton warned." A quick reading of section 41 seems to bear that out. As author and maintainer of the Nmap Security Scanner, I am more than a little concerned.
I'm certainly not going to let anything as silly as some U.K. law stop me from distributing Nmap, but I also don't want to become like Dmitry Sklyarov the next time I give a presentation in England. And even if (as I would expect) the rest of the world ignores this, it could have a chilling effect on important security tools and research from U.K. citizens. Think of all the good research and tools that David Litchfield from London (NGS Software) has brought us. And my London friend Hoobie brought us the free Brutus password cracker, which appears to be prohibited by this bill.
The good news is that this is just a proposal. So I would join the chorus in urging our British friends to make their voice heard against this silly bill.
Create a new graphical frontend and powerful results viewer
Generate graphical maps from the Nmap XML output (you can take inspiration from projects like fe3d and Cheops/Cheops-NG).
Create a web interface for scanning your networks and reporting the results.
Become a performance Czar, whipping out your profilers and introducing your own algorithms to make Nmap run even faster while using fewer resources.
Create a brand new interpretation of the venerable Netcat and Hping utilities.
Add scripting/module support to Nmap so it can be used for vulnerability assessment or more intrusive application discovery.
I think those are some of the coolest projects, though the page lists others (and is always growing as I get new ideas). And don't forget, you can always propose any new idea you come up with -- don't feel limited to that list.
And while we hope you consider Nmap, remember that you can increase your odds by applying to multiple projects. I've seen some pretty cool ideas from the other organizations.
Digg has an obsession with Alexa stats that has led many Digg users to install Alexa for the sake of adding to the view count for Digg.
That may be, but the site popularity is comparable in at least some
metrics. For example, a Digg link can generate more traffic
to target sites than even the notorious Slashdot Effect. For
example, the big Nmap 4.00
release was covered by both Slashdot
and Digg.
According to my referrer logs, Slashdot delivered a respectable 4,934
hits, while Digg brought more than twice as many (11,349). An article in
Heise.De generated more traffic than either of them.
Of course there could be other explanations for these results. Maybe it is just more evidence for the stereotype that Slashdot readers don't RTFA. And I realize there are many other variables involved -- but the results surprised me.
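The hit counts above come from reading the referrer field of a web server log. As an added example (my code, not Fyodor's or anything from the Nmap project), here is a small Python referrer counter over constructed combined-format log lines that uses the same three referring sites; the log lines, client addresses and paths are made-up samples, and `own_hosts` and `path_prefix` are parameter names of my own.

```python
import re
from collections import Counter
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Apache/nginx "combined" log format. Only the request, status and
# referrer fields are used below; the rest are matched and ignored.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (not real traffic): client addresses come from the
# 192.0.2.0/24 documentation range and the paths/referrer URLs are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jan/2006:10:01:02 -0800] "GET /nmap/ HTTP/1.1" 200 5120 "http://slashdot.org/article.pl?sid=06/01/31/1234" "Mozilla/5.0"
192.0.2.11 - - [31/Jan/2006:10:01:05 -0800] "GET /nmap/ HTTP/1.1" 200 5120 "http://www.digg.com/security/Nmap_4_00" "Mozilla/5.0"
192.0.2.12 - - [31/Jan/2006:10:01:09 -0800] "GET /nmap/ HTTP/1.1" 200 5120 "http://digg.com/security/Nmap_4_00" "Mozilla/5.0"
192.0.2.13 - - [31/Jan/2006:10:02:01 -0800] "GET /nmap/changelog.html HTTP/1.1" 200 8800 "http://digg.com/security/Nmap_4_00" "Mozilla/5.0"
192.0.2.14 - - [31/Jan/2006:10:02:30 -0800] "GET /nmap/ HTTP/1.1" 200 5120 "http://www.heise.de/newsticker/meldung/12345" "Mozilla/5.0"
192.0.2.15 - - [31/Jan/2006:10:03:00 -0800] "GET /nmap/changelog.html HTTP/1.1" 200 8800 "http://slashdot.org/article.pl?sid=06/01/31/1234" "Mozilla/5.0"
192.0.2.16 - - [31/Jan/2006:10:03:10 -0800] "GET /nmap/ HTTP/1.1" 200 5120 "http://insecure.org/" "Mozilla/5.0"
192.0.2.17 - - [31/Jan/2006:10:03:15 -0800] "GET /nmap/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.18 - - [31/Jan/2006:10:03:20 -0800] "GET /nmap/missing.html HTTP/1.1" 404 310 "http://digg.com/security/Nmap_4_00" "Mozilla/5.0"
192.0.2.19 - - [31/Jan/2006:10:04:00 -0800] "GET /nmap/ HTTP/1.1" 200 5120 "http://heise.de/newsticker/meldung/12345" "Mozilla/5.0"
192.0.2.20 - - [31/Jan/2006:10:04:05 -0800] "GET /nmap/ HTTP/1.1" 200 5120 "http://WWW.Slashdot.org/article.pl?sid=06/01/31/1234" "Mozilla/5.0"
192.0.2.21 - - [31/Jan/2006:10:04:09 -0800] "GET /nmap/ HTTP/1.1" 200 5120 "http://www.digg.com/security/Nmap_4_00" "Mozilla/5.0"
this line is deliberately malformed and must be counted as unparsed
"""


def referrer_domain(referrer: str) -> Optional[str]:
    """Normalise a Referer header value to a bare domain.

    Returns None for direct visits ("-" or empty) and for values without a
    host. Case is folded and a leading "www." is dropped so that
    "http://WWW.Slashdot.org/x" and "http://slashdot.org/y" count together.
    """
    if not referrer or referrer == "-":
        return None
    host = urlsplit(referrer).hostname
    if not host:
        return None
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def count_referrers(
    lines: Iterable[str],
    own_hosts: Iterable[str] = (),
    path_prefix: Optional[str] = None,
) -> Tuple[Counter, int]:
    """Count successful (2xx) requests per referring domain.

    own_hosts: domains to ignore, so internal navigation on the site
               itself is not counted as an external referral.
    path_prefix: if given, only requests under that path are counted
                 (e.g. just the release page rather than the whole site).
    Returns (counter of domain -> hits, number of lines that did not parse).
    """
    own = set(own_hosts)
    counts: Counter = Counter()
    unparsed = 0
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1  # keep a tally rather than silently dropping lines
            continue
        if not m.group("status").startswith("2"):
            continue
        if path_prefix is not None:
            parts = m.group("request").split()
            if len(parts) < 2 or not parts[1].startswith(path_prefix):
                continue
        domain = referrer_domain(m.group("referrer"))
        if domain is None or domain in own:
            continue
        counts[domain] += 1
    return counts, unparsed


if __name__ == "__main__":
    hits, bad = count_referrers(
        SAMPLE_LOG.splitlines(), own_hosts={"insecure.org"}, path_prefix="/nmap/"
    )
    for domain, n in hits.most_common():
        print(f"{n:6d}  {domain}")
    print(f"{bad} unparsed line(s)")
```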
What will GOOG do to stop the same outright shambles this time round?
The page
you linked to says nothing about outright shambles. He specifically
says "I don't want this post to be seen as bashing either SoCcers or
mentors". The page offers some excellent comments and suggestions for
2006, and I'm glad to see that Google is listening (Chris responded in
the comments). Some of the suggestions are also meant for us mentors.
The Nmap project is proud
to have been invited to participate in SoC again for 2006, and we are
looking forward to it!
You can call it "outright shambles" if you want, but all the emails I have from participants talking about how much they learned and enjoyed the program speak otherwise. And was it valuable to the Nmap project too? Take a look at their efforts and decide for yourself:
Doug Hoyte nearly tripled the size of the version detection
database, and added OS/device type/hostname detection using the version
detection DB. He made numerous other improvements as well.
Adriano Monteiro designed and implemented an advanced Nmap GUI and results viewer
named UMIT
(screenshots).
Ole Morten Grodaas designed and implemented another advanced Nmap
GUI and results viewer (it's nice to have choices in open source!)
named NmapGUI. Details and download here.
Chris Gibson has written a sweet little network tool named Ncat,
which takes the venerable Netcat in an interesting and extremely
useful direction with features such as connection brokering, socks
proxying, and much more.
Paul Tarjan added the runtime interaction feature to Nmap. While Nmap is running, you can now press 'v' to increase verbosity,
'd' to increase the debugging level, 'p' to enable packet tracing,
or the capital versions (V,D,P) to do the opposite. Any other key
(such as enter) will print out a status message giving the estimated
time until scan completion.
They did much more -- these are just some of the highlights. So I, for one, am looking forward to continuing these outright shambles again this year! But at the same time, there is always room for improvements. So I appreciate Gerv's constructive criticism.
Roland's article summary is wrong. He says that the algorithm "promises to reduce energy consumption -- and electricity bills -- by as much as 30 percent", but the article states that "When the thermostat settings are adjusted in an optimal fashion, the result is a 25 percent to 30 percent reduction in peak electrical demand for air conditioning.". So extra cooling before peak hours certainly reduces your peak AC usage, but you won't reduce your total electrical consumption much. Unless your utility charges you less for non-peak usage (some do), then the article states that you may get "about $50 in annual savings per 1,000 square feet of building space". In other words, your total electrical usage stays basically the same.
The Nmap Network Scanning book isn't yet complete, but I have
decided to release one of the most important chapters in advance
online. That is this Nmap Reference Guide, which will become the new
man page. It is rewritten from scratch to be much more comprehensive
and detailed than the previous version, and better organized
as well. It can be read top to bottom or used as a quick reference to look up that obscure scan type you are considering. Let me know if you
have any suggestions for improving it. I'm also looking for
translators (the previous man page is available in nine
languages). If you are interested, send me mail with your target
language. That way I can send you the source file (DocBook XML) to
translate rather than the HTML/Nroff which is auto-generated. That
will also prevent the case of several people duplicating effort by translating to the same
language. I was planning to announce this tomorrow, but since the
book seems to be mentioned at the top of Slashdot right now anyway, I
just scrambled to put it up.
And now for the goods. Here is the HTML Nmap
Reference Guide. Or you can download the Nroff (man page) form here. Enjoy!
Moral of this Story and Nmap Response (on "Nessus Closes Source", Score: 5, Informative)
I responded for the Nmap Security Scanner project yesterday. We aren't planning to follow suit. Nmap has been GPL since its release more than 8 years ago and I am happy with that license.
I agree that this is not a good trend, and the question is how to
reverse it. It is important to note a key reason Renaud gave:
the lack of community involvement. It is easy to take the open source
tools we depend on for granted, and forget that open source is a two way
street. The bazaar model doesn't work so well with everyone taking
and not contributing back. In the Nessus response, I suggest a few ways that programmers and non-programmers can support projects they use and enjoy. Rather than mope
over the loss of open source Nessus, we can treat this as a call to
action and a reminder not to take valuable open source software such
as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux
for granted.
Meanwhile, I know at least one group of experienced open source
programmers that is preparing to announce a new open source
vulnerability scanner project or Nessus fork. It would be encouraging
for such a fork to succeed.
such a
great idea but no content on their site re: the actual work. They
should have paid someone $4500 to maintain their summer of code page!
Yeah, for a $2 million dollar project it was ridiculously understaffed
on the Google side. But Googlers like Chris DiBona and Greg Stein
worked extraordinarily hard to keep things flowing relatively
smoothly. So it still turned out to be a huge success for Nmap and
most/all of the other participating projects. Thanks, Chris and Greg!
So what did we (Nmap project) accomplish in those two months? The
sponsored students and their credentials/projects are listed
here. Much of their work can be found in Nmap 3.90, which was released
on Thursday. SoC changes include:
Doug Hoyte nearly tripled the size of the version detection
database, added OS/device type/hostname detection using the version
detection DB. He made numerous other improvements as well.
Ole Morten Grodaas designed and implemented another advanced Nmap
GUI and results viewer (it's nice to have choices in open source!)
named NmapGUI. Details and download here.
Chris Gibson has written a sweet little network tool named Ncat,
which takes the venerable Netcat in an interesting and extremely
useful direction with features such as connection brokering, socks
proxying, and much more.
It has been a crazy two months, but I'm very pleased to see so much
accomplished! If you're using an older version of Nmap, you really
should consider upgrading to 3.90 to see
the difference.
This seems to be a duplicate of the June 12 article on HTTP Request Smuggling. I don't see anything new here, as the original paper also talks about Apache being susceptible to this relatively minor (yet still interesting) issue.
He doesn't seem to be going after open source software yet. Maybe he figures that we can't afford to pay him off. My Nmap (Stealth) Security Scanner comes up as result #4 in a Google search for "stealth", higher than the upcoming movie and some other sites he has sued/threatened. Yet I haven't received anything. Not that I feel disappointed and left out or anything...
-Fyodor (who is now resuming the search for SCO products or marketing messages talking about Stealth;)
Re:Acetylene Balloon Bomb (on "PHRACK Final", Score: 2, Interesting)
the poster spells out a recipe for an acetylene balloon
bomb.
Pshaw -- everyone knows to ignore their bomb making advice. It
is Phrack's Blackjack
advice you should follow:
Bet big when you want to win big. Lose a big hand? Double your bet.
Lose again? Double it again. Lose again? Goto 1... Eventually,
odds are, you will win all your money back, AND THEN SOME!
But in all seriousness -- Phrack rocks. I released my Nmap Security Scanner in P51
and OS
detection in P54. I wish they wouldn't call P63 Phrack final, as
I expect it to flourish again under more capable/interested hands.
That may even happen soon if they select the next editor(s) well. Let us all hope so. The underground and hobbyist researchers deserve a voice. It is rather refreshing and nostalgic to see portions of the security community that haven't yet sold out.
Your $1500/year assumption also assumes that the price will stay
$79/year. Their ad calls this a "special introductory price". The
worst thing is that unless you pay enough attention to cancel
beforehand, they will charge the next non-special, non-introductory fee to
your credit card in exactly 12 months without any notification to you. From
the Terms
and Conditions:
"YOU UNDERSTAND YOUR MEMBERSHIP WILL AUTOMATICALLY RENEW AND YOU AUTHORIZE US TO CHARGE TO YOUR CREDIT OR DEBIT CARD (WITHOUT NOTICE TO YOU) THE THEN-APPLICABLE ANNUAL MEMBERSHIP FEE AND ANY TAXES, UNLESS YOU NOTIFY US BEFORE RENEWAL THAT YOU WANT TO CANCEL YOUR MEMBERSHIP."
They don't provide (AFAICT) any option to buy just one year. By
purchasing Amazon Prime you are giving them permission to choose any price and charge it to you next year. They may also "in our discretion
change these Terms... or any aspect of Prime membership without
notice to you... YOUR CONTINUED MEMBERSHIP AFTER WE CHANGE THESE
TERMS CONSTITUTES YOUR ACCEPTANCE OF THE CHANGES." So they can change their terms without telling you, then you automatically accept if you don't immediately notice and cancel. Great!
I hate it when companies try to pull this. Forcing an annual set
fee on people is bad enough -- but to raise the price arbitrarily and
still charge people's card without notification is outrageous. This
is the kind of thing sleazy porn sites do (or so I hear:).
There may be some advantages to this program, but I certainly won't
sign up until they let me buy ONE YEAR at a known price. None of this
blank check nonsense.
And at 355 pages in length, the book's discussion of nmap starts on
page 324; a good sign indeed.
WTF? By this heuristic, my upcoming O'Reilly book on the Nmap Security Scanner will be
a miserable failure. No single security tool, be it Nmap, Nessus,
Snort, or any of the other most popular security
tools, is a holy grail, but don't judge a book based on what page
numbers they appear on. That is almost as bad as making the title
words a huge consideration. I do tend to look askance at books with
"hacking" or "cyber" in the title, but give them a chance anyway. It
is often the publisher's marketing department, and not the authors, that
have the most influence on the cover. I flipped through NSA, and
found it good enough to ask O'Reilly for a copy (I haven't read it yet
though).
In any case, NSA does not start its Nmap coverage on page 324.
Nmap has its own subsection on page 11, and a peek at the index shows
that Nmap is also discussed on pages 39, 47, 58, 69, 192, 322-324,
325-326, and 354. If the location of Nmap coverage is one of your two
primary considerations in buying security books, at least check the
index!
-Fyodor PS: Nmap 3.70 was just released
last week, with dozens of improvements.
I hope to have a patch restoring functionality within a couple
days, but a workaround is available now. Try adding the
--win_norawsock option to your Nmap command-line. That tells Nmap to avoid raw sockets
and use the workaround that Nmap uses for systems like Win98 that
never supported raw sockets in the first place. Several people have
confirmed that Nmap works again for them now, as long as they use that
option.
While I commend Microsoft for some of the real security
improvements in SP2, limiting raw sockets like this is misguided and
harmful. As this workaround shows, there are still plenty of
loopholes for sending packets. If that continues, worms and virii
will simply use the same techniques. Alternatively, if MS continues
to cripple Windows until security scanners can't function, Windows
users lose as well. While they won't be able
to scan their own systems and networks for vulnerabilities, attackers
on superior systems will suffer from no such limitations.
MS should focus on securing the system against compromise in the
first place (through more timely patching, limiting services available
by default, code auditing, privilege separation, etc.) rather than
crippling the system for legitimate users. Linux and *BSD offer full raw sockets, and yet they haven't become the haven for viruses and worm propagation that Windows has.
Here is an interview with Sheriff Joe Arpaio, where he brags about his treatment of prisoners. I have no comments, as I feel the raw text speaks for itself:
Q: In addition to the Web cam, what are some other things that are unique about your jail?
A: When I took office, I decided to put tents up, so we have almost 1,500 [inmates housed] in tents in the desert. I've gone down from three meals a day to two meals a day -- I call it brunch. And we have the cheapest meals, probably, in the country: 20 cents a meal.
I'm cracking down on animal cruelty, and when I make an arrest [for that], I have to seize [the animal involved]. I decided to put the dogs in cell blocks [in an unused jail]. I took some heat because that's the only jail we have that's air-conditioned. Also, it costs $1.15 a day to feed the dogs and only 40 cents a day to feed the inmates, but that's the way it goes around here.
I took away [inmates'] coffee; took away their smoking; took away their movies. The only TV they get is the Weather Channel, and they have to hear me do bedtime stories. I introduce the story, and [then play an] audio book. They can go to the library and get a regular copy, but this helps them learn how to read.
I put them in pink underwear. I decided to do that six years ago. I put them in striped uniforms several years ago, and I have male and female chain gangs. We do things different here since I became the sheriff. I just got reelected to a third term, and now everybody thinks I'm running for governor. All the polls show me leading for governor, but I haven't decided whether I'm running next year.
Q: It's been reported that you've had at least 800 lawsuits filed against you.
A: It doesn't mean nothing. It's how many you lose. Everybody sues me for the cockroaches, the food.
Q: Have you had to change some of your policies as a result?
As the author of the free Nmap ("Network Mapper") tool,
I have also considered creating a map of the entire Internet. I would
have focused on end hosts (where they are, what operating systems and
services they run, trending, etc.) instead of routing. Rather than try
this from a single high-bandwidth machine (as with Opte), I was going
to take a distributed approach. I would release a P2P-like
application that users could run and each scan small sections of
network space to be contributed to the global database. The app would be called Nmapster:). I also liked to think about it as a
"caching service", so that you don't have to spend the time rescanning
the Microsoft network if someone else has done so in the last N hours.
Then I came to my senses and decided to work on more practical and
less controversial projects such as Nmap Version
Detection. But the subversive in me still hasn't given up entirely
on Nmapster:).
I wouldn't put anything past Microsoft, but this article doesn't provide any strong evidence that MS is really behind this particular cash infusion. And who needs a conspiracy theory about MS sneaking indirect funding to SCO when MS has been blatantly shoveling money to SCO all year? MS gave SCO 8 million in the first quarter, then 5 million in the second. The just-released SCO 8K states that Microsoft just paid them another 8 million dollars! That is a grand total of $21 million MS has paid this year for vague "expanded licensing rights with respect to SCO's UNIX source code."
Whether this alleged BayStar/Microsoft link is true or not, it is already crystal clear that Microsoft has been directly paying SCO to conduct this underhanded attack on Linux! Sun certainly appears to be doing the same thing.
> Should make for good popcorn munching entertainment. If it were me, I
> would sue Darly McB individually, in his personal capacity, as well
> as SCO.
Darl bashing is even more fun now that we know he
actually reads Slashdot! The Linuxworld piece links to a Computer
World Interview with McBride. In the last question, Darl admits
that he reads our rants on Slashdot and it hurts his feelings:
Q: How do you feel about apparently being reviled in the open-source
community due to SCO's legal fight? Does it bother you?
A: It does and it doesn't. We're at the center of a hurricane. Clearly, in this case we have one set of forces here that are pro-SCO, and I've characterized them as the silent majority. Then there's the other side that is anything but silent, and they're some of the most boisterous enemies or antagonists that one could ever hope for. You think pro sports stars have got it bad as they're driving home after the game when they've gone 1 for 10 and missed five three-pointers. They think their lives are bad from the sound bites on sports radio. They need to come over here and read Slashdot. That part of it is not the most exciting part of your life.
So Darl, if you are reading this: fuck you! We know your
evidence is bogus, we are on to your stock scams (e.g. the Vultus
"acquisition"), and we laugh at your suggestions that we cooperate to
"monetize Linux". Give it up now, before we finally convince the SEC
to launch an official
investigation.
So they can't do anything about it except the post they just made.
Actually they can. Section 4 of the GNU GPL states that violations of the GPL automatically terminate distribution rights for GPL'd programs. The GPL also states that you must agree with the GPL or you don't have any distribution rights. SCO/Caldera has publicly announced their refusal to comply. I plan to exercise section 4 to revoke their right to redistribute Nmap. I just started on the wording and haven't yet run it by a lawyer (I will). But the announcement will probably be something like:
SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken
to an extortion campaign of demanding license fees from Linux users
for code that they themselves knowingly distributed under the terms
of the GNU GPL. They have also refused to accept the GPL, claiming
that some preposterous theory of theirs makes it invalid. In
response to these blatant violations, and in accordance with section
4 of the GPL, we hereby terminate SCO's rights to redistribute any
versions of Nmap in any of their products, including (without
limitation) OpenLinux, OpenServer, and UNIXWare.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner.
PS: I just posted a similar comment to an older SCO article, but it is more relevant here. Also I don't know if OpenLinux or any of their other products include Nmap. Most Linux distributions do, but Caldera wasn't exactly at the forefront of technology.
Yes, the GPL does have that handy section 4 which allows for the termination of redistribution rights of any company that violates the GPL. I plan to exercise this (actually it happens automatically) to revoke their right to redistribute Nmap. I just started on the wording and haven't run it by a lawyer yet (I will). But the announcement will probably be something like:
SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken
to an extortion campaign of demanding license fees from Linux users
for code that they themselves knowingly distributed under the terms
of the GNU GPL. They have also refused to accept the GPL, claiming
that some preposterous theory of theirs makes it invalid. In
response to these blatant violations, and in accordance with section
4 of the GPL, we hereby terminate SCO's rights to redistribute any
versions of Nmap in any of their products, including (without
limitation) OpenLinux, OpenServer, and UNIXWare.
My favorite quote from the article is that after selling just one license, Sontag of SCOsource states that "we are very pleased with the licensing interest to date". Apparently, they didn't expect anyone to fall for it.
However I do understand why the buyer wants to be anonymous. I would rather be caught buying penis enlargement pills from spammers than SCO licenses. Both prove that you are a sucker, but at least with the pills you aren't the only one.
Note that Insecure.Org DOES NOT in any way condone or promote this so-called challenge. I'm just providing the link so people can see what the fuss was about. I'm planning to add a note to that effect to the top of the page in a few minutes. What I found most humorous is that they ask people to register in advance by sending in their contact info. That is a really great idea:).
> I call upon all slashdotters who maintain opensource products to remove support for UNIXWARE in all future versions.
For what it is worth, I thought refusing Nmap support for SCO products might generate a firestorm of flames from angry users. In fact, the opposite has happened! Obviously Linux/AIX users praised the move, but even the occasional SCO users seemed pleased. The one or two complaints were more than offset by pleasant emails like this one that just came in (name removed for his privacy):
Date: Wed, 18 Jun 2003 17:41:07 -0700 To: <fyodor@insecure.org> Subject: I'm the one user affected by a lack of SCO support and i'm happy
I'll be sure to report with great delight of your choice to no longer support UnixWare to the one company I do contract work for. The choice to use SCO isn't mine, it's simply what Mas90 runs on, and in the past has been adequate for the job. It's my hope others follow your example so I can report to management that useful applications will no longer be supported for this overpriced platform.
I appreciate your lack of support for the SCO platform and look forward to future unsupported products.
With great respect...
-- End email paste
Anyway, I thought this datapoint might be useful to people considering such a move.
> And the logic of punishing the SCO community instead of the company is?
I am not "punishing" SCO users, just refraining from spending my
free time supporting a platform whose vendor has taken Linux hostage
as part of their scorched-earth greenmail campaign. Why should I?
Also note that I have not (as of now) intentionally broken Nmap on that
platform. I just won't spend my time providing free support. Nmap is
Open Source, so SCO users can support/maintain it themselves if they
care enough.
Like many Slashdot readers, I have been following the SCO updates, their press releases, SEC filings such as their latest 10Q, etc. The more I read, the more absurd their case seems. Yet despite the utter lack of evidence from SCO and their increasing signs of desperation, Wall Street still believes in them(!). Why? Now I realize the market isn't always rational, and certainly has no conscience. But the disconnect is still surprising. Many people obviously still believe SCO has a case. For this reason, I believe continued publicity and research is called for. Removing Nmap support for SCO systems is just one of my tiny efforts in this area.
Version 3.95 of the Free Nmap Security Scanner is now available.
Google did bring in some $90000 worth of support through their Summer of Code project.
Not to mention the remaining 1.91M they spent on other projects. FreeBSD is just one of about 40 projects mentoring 400 students. The Nmap Security Scanner project is mentoring 10 of them, who have already produced great work! A list of their credentials and projects is available here. I'll give an update on their progress at my Defcon Presentation this Friday at 10AM.
Meanwhile, many of the other SoC mentors have posted details on the projects being worked on. For example,
- NetBSD
- Gaim
- Inkscape
- MozDev
- WinLibre (with pics!).
Cheers,
Fyodor @ Insecure.Org
This seems to be a duplicate of the June 12 article on HTTP Request Smuggling. I don't see anything new here, as the original paper also talks about Apache being susceptible to this relatively minor (yet still interesting) issue.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner.
He doesn't seem to be going after open source software yet. Maybe he figures that we can't afford to pay him off. My Nmap (Stealth) Security Scanner comes up as result #4 in a Google search for "stealth", higher than the upcoming movie and some other sites he has sued/threatened. Yet I haven't received anything. Not that I feel disappointed and left out or anything ...
;)
-Fyodor (who is now resuming the search for SCO products or marketing messages talking about Stealth)
Pshaw -- everyone knows to ignore their bomb making advice. It is Phrack's Blackjack advice you should follow:
But in all seriousness -- Phrack rocks. I released my Nmap Security Scanner in P51 and OS detection in P54. I wish they wouldn't call P63 Phrack final, as I expect it to flourish again under more capable/interested hands. That may even happen soon if they select the next editor(s) well. Let us all hope so. The underground and hobbyist researchers deserve a voice. It is rather refreshing and nostalgic to see portions of the security community that haven't yet sold out.
-Fyodor (Insecure.Org)
Your $1500/year assumption also assumes that the price will stay $79/year. Their ad calls this a "special introductory price". The worst thing is that unless you pay enough attention to cancel before hand, they will charge the next non-special, non-introductory fee to your credit card in exactly 12 months without any notification to you. From the Terms and Conditions:
They don't provide (AFAICT) any option to buy just one year. By purchasing Amazon Prime you are giving them permission to choose any price and charge it to you next year. They may also "in our discretion change these Terms ... or any aspect of Prime membership without notice to you ... YOUR CONTINUED MEMBERSHIP AFTER WE CHANGE THESE TERMS CONSTITUTES YOUR ACCEPTANCE OF THE CHANGES." So they can change their terms without telling you, then you automatically accept if you don't immediately notice and cancel. Great!
I hate it when companies try to pull this. Forcing an annual set fee on people is bad enough -- but to raise the price arbitrarily and still charge people's card without notification is outrageous. This is the kind of thing sleazy porn sites do (or so I hear :).
There may be some advantages to this program, but I certainly won't sign up until they let me buy ONE YEAR at a known price. None of this blank check nonsense.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner.
WTF? By this heuristic, my upcoming O'Reilly book on the Nmap Security Scanner will be a miserable failure. No single security tool, be it Nmap, Nessus, Snort, or any of the other most popular security tools, is a holy grail, but don't judge a book based on what page numbers they appear on. That is almost as bad as making the title words a huge consideration. I do tend to look askance at books with "hacking" or "cyber" in the title, but give them a chance anyway. It is often the publisher's marketing department, and not the authors, that have the most influence on the cover. I flipped through NSA, and found it good enough to ask O'Reilly for a copy (I haven't read it yet though).
In any case, NSA does not start its Nmap coverage on page 324. Nmap has its own subsection on page 11, and a peek at the index shows that Nmap is also discussed on pages 39, 47, 58, 69, 192, 322-324, 325-326, and 354. If the location of Nmap coverage is one of your two primary considerations in buying security books, at least check the index!
-Fyodor
PS: Nmap 3.70 was just released last week, with dozens of improvements.
I hope to have a patch restoring functionality within a couple days, but a workaround is available now. Try adding the --win_norawsock option to your Nmap command-line. That tells Nmap to avoid raw sockets and use the workaround that Nmap uses for systems like Win98 that never supported raw sockets in the first place. Several people have confirmed that Nmap works again for them now, as long as they use that option.
While I commend Microsoft for some of the real security improvements in SP2, limiting raw sockets like this is misguided and harmful. As this workaround shows, there are still plenty of loopholes for sending packets. If that continues, worms and virii will simply use the same techniques. Alternatively, if MS continues to cripple Windows until security scanners can't function, Windows users lose as well. While they won't be able to scan their own systems and networks for vulnerabilities, attackers on superior systems will suffer from no such limitations.
MS should focus on securing the system against compromise in the first place (through more timely patching, limiting services available by default, code auditing, privilege separation, etc.) rather than crippling the system for legitimate users. Linux and *BSD offer full raw sockets, and yet they haven't become the haven for viruses and worm propagation that Windows has.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
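The decision behind that workaround, as an added example and not code from Nmap itself: a small POSIX C program that asks the OS for a raw socket, treats EPERM/EACCES as "raw sockets denied to this user", and otherwise falls back to an ordinary connect() probe, which is the privilege-free path the --win_norawsock workaround takes. The function names, the use of a loopback listener as the probe target, and the POSIX (rather than Windows) socket API are my assumptions for illustration, not anything Nmap does verbatim.

```c
/* Added example (not Nmap code): detect whether raw sockets are usable and,
 * if not, fall back to a plain connect() probe that needs no privilege.
 * Assumes POSIX sockets; only 127.0.0.1 is ever touched. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum probe_method { PROBE_RAW = 0, PROBE_CONNECT = 1 };
enum port_state { PORT_OPEN = 0, PORT_CLOSED = 1, PORT_ERROR = 2 };

/* Does this errno mean "raw sockets are denied to this user" rather than
 * some other failure? EPERM/EACCES are what an unprivileged caller sees. */
int raw_denied_by_privilege(int err)
{
    return err == EPERM || err == EACCES;
}

/* Try to obtain a raw IPv4/TCP socket. On success, close it and report that
 * raw probing is available; otherwise record errno and choose the fallback. */
enum probe_method choose_probe_method(int *saved_errno)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (fd >= 0) {
        close(fd);
        if (saved_errno) *saved_errno = 0;
        return PROBE_RAW;
    }
    if (saved_errno) *saved_errno = errno;
    return PROBE_CONNECT;
}

/* The unprivileged fallback: a full TCP connect() to 127.0.0.1:port.
 * A completed handshake means open; ECONNREFUSED means nothing is listening. */
enum port_state connect_probe(unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return PORT_ERROR;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
        close(fd);
        return PORT_OPEN;
    }
    int err = errno;
    close(fd);
    return err == ECONNREFUSED ? PORT_CLOSED : PORT_ERROR;
}

/* Constructed target: bind a listener on an ephemeral loopback port so the
 * connect probe has a known-open port. Returns the port, or 0 on failure. */
unsigned short open_loopback_listener(int *listen_fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = 0;                       /* let the kernel pick a port */
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return 0;
    }
    *listen_fd = fd;
    return ntohs(sa.sin_port);
}

int main(void)
{
    int err = 0, lfd = -1;
    enum probe_method m = choose_probe_method(&err);
    printf("raw socket: %s\n",
           m == PROBE_RAW ? "available" :
           raw_denied_by_privilege(err) ? "denied to this user, using connect()" :
           "unavailable, using connect()");
    unsigned short port = open_loopback_listener(&lfd);
    if (port) {
        printf("127.0.0.1:%u -> %s\n", port,
               connect_probe(port) == PORT_OPEN ? "open" : "closed");
        close(lfd);                         /* listener gone: port now refuses */
        printf("127.0.0.1:%u -> %s\n", port,
               connect_probe(port) == PORT_CLOSED ? "closed" : "open");
    }
    return 0;
}
```

Run it once as an ordinary user and once with the privilege that raw sockets require on your OS: the first line of output flips from "denied" to "available", while the connect() results stay the same, which is exactly why the fallback keeps a scanner working when raw sockets are taken away.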
Q: In addition to the Web cam, what are some other things that are unique about your jail?
A: When I took office, I decided to put tents up, so we have almost 1,500 [inmates housed] in tents in the desert. I've gone down from three meals a day to two meals a day -- I call it brunch. And we have the cheapest meals, probably, in the country: 20 cents a meal.
I'm cracking down on animal cruelty, and when I make an arrest [for that], I have to seize [the animal involved]. I decided to put the dogs in cell blocks [in an unused jail]. I took some heat because that's the only jail we have that's air-conditioned. Also, it costs $1.15 a day to feed the dogs and only 40 cents a day to feed the inmates, but that's the way it goes around here.
I took away [inmates'] coffee; took away their smoking; took away their movies. The only TV they get is the Weather Channel, and they have to hear me do bedtime stories. I introduce the story, and [then play an] audio book. They can go to the library and get a regular copy, but this helps them learn how to read.
I put them in pink underwear. I decided to do that six years ago. I put them in striped uniforms several years ago, and I have male and female chain gangs. We do things different here since I became the sheriff. I just got reelected to a third term, and now everybody thinks I'm running for governor. All the polls show me leading for governor, but I haven't decided whether I'm running next year.
Q: It's been reported that you've had at least 800 lawsuits filed against you.
A: It doesn't mean nothing. It's how many you lose. Everybody sues me for the cockroaches, the food.
Q: Have you had to change some of your policies as a result?
A: I haven't changed anything.
Then I came to my senses and decided to work on more practical and less controversial projects such as Nmap Version Detection. But the subversive in me still hasn't given up entirely on Nmapster :).
-Fyodor
I wouldn't put anything past Microsoft, but this article doesn't provide any strong evidence that MS is really behind this particular cash infusion. And who needs a conspiracy theory about MS sneaking indirect funding to SCO when MS has been blatantly shoveling money to SCO all year? MS gave SCO 8 million in the first quarter, then 5 million in the second. The just-released SCO 8K states that Microsoft just paid them another 8 million dollars! That is a grand total of $21 million MS has paid this year for vague "expanded licensing rights with respect to SCO's UNIX source code."
Whether this alleged BayStar/Microsoft link is true or not, it is already crystal clear that Microsoft has been directly paying SCO to conduct this underhanded attack on Linux! Sun certainly appears to be doing the same thing.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
> would sue Darly McB individually, in his personal capacity, as well
> as SCO.
Darl bashing is even more fun now that we know he actually reads Slashdot! The Linuxworld piece links to a Computer World Interview with McBride. In the last question, Darl admits that he reads our rants on Slashdot and it hurts his feelings:
So Darl, if you are reading this: fuck you! We know your evidence is bogus, we are on to your stock scams (e.g. the Vultus "acquisition"), and we laugh at your suggestions that we cooperate to "monetize Linux". Give it up now, before we finally convince the SEC to launch an official investigation.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
Actually they can. Section 4 of the GNU GPL states that violations of the GPL automatically terminates distribution rights for GPL'd programs. The GPL also states that you must agree with the GPL or you don't have any distribution rights. SCO/Caldera has publicly announced their refusal to comply. I plan to exercise section 4 to revoke their right to redistribute Nmap. I just started on the wording and haven't yet run it by a lawyer (I will). But the announcement will probably be something like:
SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken to an extortion campaign of demanding license fees from Linux users for code that they themselves knowingly distributed under the terms of the GNU GPL. They have also refused to accept the GPL, claiming that some preposterous theory of theirs makes it invalid. In response to these blatant violations, and in accordance with section 4 of the GPL, we hereby terminate SCO's rights to redistribute any versions of Nmap in any of their products, including (without limitation) OpenLinux, OpenServer, and UNIXWare.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
PS: I just posted a similar comment to an older SCO article, but it is more relevant here. Also I don't know if OpenLinux or any of their other products include Nmap. Most Linux distributions do, but Caldera wasn't exactly at the forefront of technology.
Yes, the GPL does have that handy section 4 which allows for the termination of redistribution rights of any company that violates the GPL. I plan to exercise this (actually it happens automatically) to revoke their right to redistribute Nmap. I just started on the wording and haven't run it by a lawyer yet (I will). But the announcement will probably be something like:
SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken to an extortion campaign of demanding license fees from Linux users for code that they themselves knowingly distributed under the terms of the GNU GPL. They have also refused to accept the GPL, claiming that some preposterous theory of theirs makes it invalid. In response to these blatant violations, and in accordance with section 4 of the GPL, we hereby terminate SCO's rights to redistribute any versions of Nmap in any of their products, including (without limitation) OpenLinux, OpenServer, and UNIXWare.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
My favorite quote from the article is that after selling just one license, Sontag of SCOsource states that "we are very pleased with the licensing interest to date". Apparently, they didn't expect anyone to fall for it.
However, I do understand why the buyer wants to be anonymous. I would rather be caught buying penis enlargement pills from spammers than SCO licenses. Both prove that you are a sucker, but at least with the pills you aren't the only one.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
They were shut down by their ISP (Affinity), but I still have the English version in my cache from an earlier viewing:
http://www.insecure.org/tmp/defacers-challenge/
Note that Insecure.Org DOES NOT in any way condone or promote this so-called challenge. I'm just providing the link so people can see what the fuss was about. I'm planning to add a note to that effect to the top of the page in a few minutes. What I found most humorous is that they ask people to register in advance by sending in their contact info. That is a really great idea :).
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
> I call upon all slashdotters who maintain opensource products to remove support for UNIXWARE in all future version.?
For what it is worth, I thought refusing Nmap support for SCO products might generate a firestorm of flames from angry users. In fact, the opposite has happened! Obviously Linux/AIX users praised the move, but even the occasional SCO users seemed pleased. The one or two complaints were more than offset by pleasant emails like this one that just came in (name removed for his privacy):
Date: Wed, 18 Jun 2003 17:41:07 -0700
To: <fyodor@insecure.org>
Subject: I'm the one user affected by a lack of SCO support and i'm happy
I'll be sure to report with great delight of your choice to no longer
support UnixWare to the one company I do contract work. The choice to use
SCO isn't mine, it's simply what Mas90 runs on, and in the past has been
adequate for the job. It's my hope others follow your example so I can
report to management that useful applications will no longer be supported
for this overpriced platform.
I appreciate your lack of support for the SCO platform and look forward to
future unsupported products.
With great respect...
-- End email paste
Anyway, I thought this datapoint might be useful to people considering such a move.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
I am not "punishing" SCO users, just refraining from spending my free time supporting a platform whose vendor has taken Linux hostage as part of their scorched-earth greenmail campaign. Why should I? Also note that I have not (as of now) intentionally broken Nmap on that platform. I just won't spend my time providing free support. Nmap is Open Source, so SCO users can support/maintain it themselves if they care enough.
Like many Slashdot readers, I have been following the SCO updates, their press releases, SEC filings such as their latest 10Q, etc. The more I read, the more absurd their case seems. Yet despite the utter lack of evidence from SCO and their increasing signs of desperation, Wall Street still believes in them(!). Why? Now, I realize the market isn't always rational, and certainly has no conscience. But the disconnect is still surprising. Many people obviously still believe SCO has a case. For this reason, I believe continued publicity and research is called for. Removing Nmap support for SCO systems is just one of my tiny efforts in this area.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner