CHAOS MANOR MAILA SELECTIONMAIL 100 May 8 - 14, 2000
|
|
CLICK ON THE BLIMP TO SEND MAIL TO ME The current page will always have the name currentmail.html and may be bookmarked. For previous weeks, go to the MAIL HOME PAGE. FOR THE CURRENT VIEW PAGE CLICK HERE If you are not paying for this place, click here... IF YOU SEND MAIL it may be published; if you want it private SAY SO AT THE TOP of the mail. I try to respect confidences, but there is only me, and this is Chaos Manor. If you want a mail address other than the one from which you sent the mail to appear, PUT THAT AT THE END OF THE LETTER as a signature. I try to answer mail, but mostly I can't get to all of it. I read it all, although not always the instant it comes in. I do have books to write too... I am reminded of H. P. Lovecraft who slowly starved to death while answering fan mail. Search: type in string and press return.
|
|
If you subscribed: If you didn't and haven't, why not? Highlights this week:
|
This week: | Monday
May 8, 2000
The column is on the wire. I have a cold I am recovering from. The column posted today at www.byte.com concerned firewalls. I got many helpful letters and one snide one. First the serious and helpful: Jerry, Love your columns -- I have been reading them from their inception in (the old, paper) Byte. Regarding McAfee: While they may make good products, I have found their product support to be abysmal. Their antivirus came bundled on my HP when I bought it. I found upgrading to a "real" subscription very painful the first time and impossible the second time. I switched to Norton and am very pleased with the ease of use, reinstalling, everything! There are a bunch of other free firewalls that PC Magazine and PC Week have recommended. I am using one from http://www.zonelabs.com. BlackICE has been highly recommended many places. Here is a URL with others mentioned: http://www.windows2000security.com/pages/w2k_PersonalFirewalls.html Best, Joe McDaniel Regarding McAfee, I tend to alternate between Symantec and McAfee, but in fact my favorite for years was Dr. Solomon's; I fear it is no longer what it was since Alan Solomon was bought out by OnTrack. I'm glad he got rich, but I'm sorry he's no longer personally running things: Solomon's was unreservedly the best virus service around. BlackICE finds a lot of "attacks" that aren't and will scare the daylights out of naive users. It's a LOT better than nothing. I continue to be of the opinion that your best bet is a dedicated box to serve as the firewall; in these days of very cheap machines you can build one for a few hundred dollars, but in fact you probably have a good enough one lying around unused. There are also LinkSYS routers as you will find in mail below. But once again, I think you're better off with a machine that does nothing else but firewalling if you're in business. Private users wanting personal protection can get away with a whole lot less, although BYTE readers tend to like setting things up just for the fun of it... So next we have: Use of a Pentium CPU for firewall is a waste of money. I use a 486DX2 in an IBM PC330 which I purchased for $25.00, added 8M RAM &; 2 PCI NIC's (total cost - $65.00). The OS is OpenBSD using IPFilter - see http://openbsd.org/faq/faq6.html for details and tutorial. "BlackIce" and similar so-called firewalls for Windows machines fail to filter ANY UDP ports, and my logs show that almost every attempt at entry used UDP. Actually, OpenBSD is so intrinsically secure in its default install that IPFilter is actually redundant. Nonetheless, you can't even detect my system on the internet unless you are on my local cable modem loop and sniffing packets. NO ports are open except NTP and DHCP ( necessary so that I can get an IP address, and that one is open only to my ISP). David Uhring I quite agree: any machine you have that runs is quite good enough to do firewall duty, and OpenBSD is a good choice for an operating system. Small businesses that just want an appliance would do well to look at Rebel Netwinder for a just about off the shelf solution. Ain't security a comfortable feeling? -- excerpt -- Byte.com readers may want to build their own. You can make a relatively inexpensive one using a bare-bones PC (a PII/400 w/64 Mbytes of RAM will do for most home or small office sites), Linux, and the ipchains software mentioned above. Just as a point of interest. I am running Red Hat 6.1 with ipchains and masquerading enabled on a Compaq Deskpro 5100 with 32 megs of ram , and haven't noticed any speed difference in my internet connection. B.T.Fitzmaurice Calgary, Canada
Two references you should mention regarding firewalls are "Building Internet Firewalls" by Chapman and Zwicky (O'Reilly) and Linux Firewalls by Ziegler (New Riders). The Chapman book is considered by most as to be the definitive text on the matter. Also, I would also recommend that you look at the Linux Router Project (LRP). The office LRP site is http://www.linuxrouter.org/ . However this site is rarely updated but it is the place where you can reference the LRP mailing list. The best LRP site is at http://lrp.c0wz.com/ . This site has the most up to date builds (including the Materhorn build which is based on the 2.2.x kernel). I am using LRP in front of a Screened Host Subnet and it works great. What is really interesting is that you can literally put together a 100 MBit Ethernet router for a few hundred dollars. Since LRP is a diskless system, such a system would be as reliable as any high speed Cisco router for significantly lower cost. Sincerely, Martin Reich San Francisco, CA Thanks. Alas, since the demise of Peterborough and the old BYTE LABS I don't have all the resources I used to have to do definitive surveys: there's only me, and I missed a couple of those. On the other hand, with this web site I get the benefit of a LOT of expertise from my readers, so as soon as I publish something I get a great deal of supplemental information. Thanks! I read your Byte column with interest. One quibble is over the specifications for a firewall machine. The linux router project claims to be able to handle routing and ipchains on a 486 with 12 MB. No hard drive is required. The machine can be booted from a floppy, or by network. Peace, Chris C. And this: Jerry You should check out your fellow columnist Trevor marshall's column, from Aug, 1999. He has made available a version of LRP (Linux Router Project - a version of Linux, small enough to fit on a floppy disk, and optimized as a gateway/firewall). Mr. Marshall has provided a much simpler installation routine, optimized for a dialup machine. Using a P-100 w/40M (and no hard disk!), and a 100M Netgear ethernet card, I get transfer speeds (as measured by http://computingcentral.msn.com/topics/bandwidth/speedtest.asp ) of 5.1K. It implements NAT (Network Address Translation), IP forwarding, IP Masqing, DHCP, a caching DNS server and more. And according to nmap (a Linux-based port scanner), only 3 ports are open - telnet, DNS (UDP 53), and 111 (which has something to do with RPC calls). Personally, I turned off the web server module, to close port 80. Very tight security (against intruders coming in from the outside, anyway). And it all runs from a write-protected floppy! As you say, highly recommended.
I've known Trevor forever of course, and I should have read that, but what with the time pressures I did not. Thanks. I trust that my readers do read all of BYTE and not just my column... Thanks again.
Dr. Pournelle, A friend is not necessarily needed to set up a Linux firewall. The following site provides a good method for beginners, although a friend may be needed to answer some of the questions asked in designing the firewall. http://www.linux-firewall-tools.com/linux/firewall/index.html Victor Orlikowski That depends on how sharp you are, how much you value your time, and a number of things. I agree, you can do a lot yourself. I can tool up to learn anything. But it's nice sometimes to watch an expert do it... And as to routers: Just a note about another product that you might be interested in trying. The Linksys BEFSR41 is a 4 port 10Base2/100 switch and hub with firewall, DHCP server/client and router capability, all for under $300.00 Canadian. This box works pretty much plug and play, and it works! Since all the other solutions cost way more, and this solution gives the small business or home a 10/100 hub as well, the value is incredible. The box also allows you to direct incomming traffic (by port) to particular machines inside the firewall. Like you, I use a non-routable internal IP network, but have the Linksys send incomming traffic on IP port 21, 23 and 80 to one particular box (10.1.1.3). This works very well. The box is programmed via a well designed web page, and comes complete. Here is the manufacturer's URL: http://www.linksys.com/scripts/features.asp?part=BEFSR41 This box replaced a 486/100 running NT 4 and Proxy 1 - and it does the job much faster and easier. Finally, Gibson's site cannot find any holes in the firewall provided by this box, unless you specifically enable the incoming forwarding feature. Cheers, -Richard And this: Grrr Why did you plug a product that costs money for a firewall when a very nice FREE firewall (Zonealarm from GRC.COM) is available? And as far as I know, its the only firewall that blocks unauthorized outbound traffic as well. I really hate it when a writer does this kind of promotion for a commercial product when a free product is available to do the same job Larry Greene I am not sure this deserves a comment, and in any event I won't say what I want to say here. Dear sir, I noticed in your column that you ddin't mention the ZoneAlarm firewall created by ZoneLabs. Why not? I use it and consider it to be a very good firewall for those with little firewall experience, who are using MS Windows. Why didn't myou mention them? Anything wrong with the ZoneAlarm program? -David Chipman I didn't mention it because I don't know about it, omniscience having been taken away from me at a recent birthday celebration. I try to cover the field, and thanks to readers I am able to correct omissions with some regularity, but I can't do everything. Now I'll wait for reports from experts. As a general proposition, commercial products have maintenance staffs; often free products are better but their long term viability is a bit more questionable. That's not to disparage freeware, but there's much to be said for competitive commercial software too. If there weren't -- well that should be clear.
|
This week: | Tuesday, May
9, 2000
here are some links on personal firewalls that provide some information beyond what you mentioned in your article: http://grc.com/default.htm "Shields Up" will try a simple attack on your system and show you the results. http://grc.com/su-firewalls.htm A review of many personal firewalls on the market http://www.zonelabs.com/ The recommended (in the review above) and free personal firewall. I'm using ZoneAlarm 2.1 and am very satisfied with it so far. The Gibson Research site http://grc.com also features a spy-ware killer (OptOut) and more information on ad-supported Shareware - something related to the firewall topic. Moritz Berger I thought I had mentioned Gibson's site in my column, but perhaps it was in an earlier one. Certainly I recommend that you look there for advice. I now have a ton of mail about ZoneAlarm, all favorable. I'm having people who know a lot more about security matters than I do look further into this. It has always been a principle with me that having a "software firewall" on the machine you are using is a LOT BETTER THAN NOTHING, but that you're still better off using a dedicated system. In the rodeo business they have a maxim: "There never was a horse that couldn't be rode, and there never was a cowboy who couldn't be throwed." As information warfare gets more sophisticated, the tools available to crackers get better and better. It was not long ago that one needed a $25,000 box to have any confidence in firewall security. Just at the moment the security tools are winning (provided that they are installed!) but that situation probably won't last. Freeware is a wonderful thing. I continue to worry about the stamina of individuals and freeware outfits: one of the reasons I used to recommend Dr. Solomon's anti-virus programs was that his team was working 24 hours a day -- literally -- back when a new virus a week came out of Eastern Europe. I read your column about firewalls for the home user. You mentioned that most home users wouldn't want to buy an extra machine to use for a firewall. I will be replacing my Pentium 200 MhZ, 64 MB machine with a P III machine shortly. I was wondering if this almost valueless machine would be able to serve adequately as a firewall? Could I not install Unix on it if I was willing to learn to do so? Thank you for your columns over the years. I have read, enjoyed, and learned from then a lot. I also enjoy some of your books. Best wishes, Jefferson Kent jeffskent@msn.com Indeed you could. You'd probably want to do Linux, not Unix, but there's ample information on line for doing all this. Valueless! It's true, of course, in the old legal maxim "the value of a thing is what that thing will bring," but a Pentium 200 is hardly valueless in what it will do. Fireball, my Primary Domain Controller was a dual Pentium Pro 200, and Spirit, which has taken over many server duties here, is even older and slower, and I get a lot of work out of those machines. Do note that there are Windows and even DOS firewall programs (see the letter above) that might be a bit simpler to install on your older machine: but it's not that hard to learn enough Linux to do this, and there are many benefits to having learned all that. By all means! And see BELOW I do not normally run press releases, but you may not have seen this one, and it's got a lot of information in it.
Good morning Jerry, A million copies may not land them on MTV, but it makes the latest version of BeOS a strong alternative OS for people who work with digital media. If the following release is of interest to your audience, I'd be happy to connect you with a company executive. Regards, Elena BE GOES PLATINUM WITH BEOS 5 Over One Million Copies of BeOS 5 Personal Edition Downloaded in First Month; Over Four Million CDs to be Distributed Worldwide Menlo Park, Calif.--May 9, 2000--Be Incorporated (Nasdaq: BEOS) today announced that one million copies of BeOS 5 Personal Edition have been downloaded worldwide since its release on March 28th. This number includes all downloads from Be's Website, as well as from numerous reporting download partners. BeOS 5 Personal Edition is the latest release of Be's highly-acclaimed digital media operating system and is available at no charge via the Web at http://free.be.com. In addition, Be has secured the distribution of over four million BeOS 5 Personal Edition CDs through agreements with numerous publications worldwide. Thus far, 46 publications in 18 countries around the world have agreed to bundle the BeOS 5 Personal Edition CD with their publications at no additional cost to their readers. Be also has a number of distribution agreements with publications pending which have the potential to further increase the distribution of BeOS 5 Personal Edition. "Demand for BeOS 5 Personal Edition has been enormous," said Stephan Altmann, marketing and public relations director of Computer Channel, a major computer news and information site located in Germany. "Since we began offering BeOS 5 Personal Edition on our Website, we have had over 120,000 downloads." "Since its launch, there have been over 110,000 downloads of BeOS 5 Personal Edition across the TUCOWS Network worldwide," said Scott Swedorski, founder and editor in chief of TUCOWS.com. "We are excited about this response and look forward to continue working with the team at Be to offer our users the latest and best software for BeOS." "We continue to receive a phenomenal response to BeOS 5 Personal Edition," stated Jean-Louis Gassie, chairman and chief executive officer of Be. "One million downloads of BeOS 5 Personal Edition is a milestone for us. It confirms our conviction that the public is eager for an operating system that seamlessly alleviates many of the constraints of conventional OSes. We are committed to BeOS and will continue to develop the operating system, which is also the underlying foundation and development environment for BeIA, our software platform for Internet appliances." About BeOS 5 BeOS 5 Personal Edition is ideal for first-time or casual users who want to experience the power of a digital media operating system. This version is stored as a file within users' existing Windows-based operating systems, without repartitioning their hard drives. As a result, users will find the installation process no more difficult and no riskier than installing a typical Windows application. Launching BeOS 5 Personal Edition is as simple as double-clicking an icon on the desktop. BeOS 5 Personal Edition is compatible with Intel-based PCs and includes HTML-based documentation. Additionally, Be is offering a programmer's development kit (BeIDE, or Be Integrated Development Environment) and a library of demonstration applications at no charge. These development tools aid software developers in bringing their products to market faster. A full-featured version of the operating system, BeOS 5 Pro Edition, is available through third-party publishers. BeOS 5 Pro Edition is bundled with additional applications and services for advanced functionality that truly take advantage of the power of BeOS, including features that make it ideal for individuals involved in audio and video production. Availability and Pricing BeOS 5 Personal Edition, the BeOS Developer Kit and demonstration application packages are available at no charge from http://free.be.com, as well as dozens of mirror sites throughout the world. BeOS 5 Pro Edition will be available in the Americas through Gobe Software, in Asia via Hitachi, and in Europe through Apacabar and Koch Media. Each publisher prices BeOS 5 Pro Edition independently and based on other bundled components. Publishers are also responsible for setting the upgrade policy for existing BeOS users in their territories. About Be Incorporated Founded in 1990, Be Incorporated creates software platforms that enable rich media and web experiences on personal computers and Internet appliances. Be's headquarters are in Menlo Park, California, and its European office is in Paris, France. It is publicly traded on the Nasdaq National Market under the symbol BEOS. Be can be found on the web at http://www.be.com/. ### Forward Looking Statements The statements contained in this Press Release that are not historical facts are "forward-looking statements" including without limitation statements regarding the demand for, future market penetration and market acceptance of BeOS. The number of downloads stated are based on numbers reported to Be from the Web site managers handling such downloads, and may not accurately reflect the actual number of copies of BeOS downloaded, nor are such numbers intended to imply that every download will result in the actual use and adoption of BeOS by the person or entity downloading the copy. Actual events or results may differ materially as a result of risks facing Be Incorporated or actual results differing from the assumptions underlying such statements. Such risks and assumptions include, but are not limited to, risks related to the continued availability of third party BeOS applications and drivers, ability to establish and maintain strategic publishing relationships, and the competition and market acceptance of BeOS. All forward-looking statements are expressly qualified in their entirety by the "Risk Factors" and other cautionary statements included in Be Incorporated's prospectus filed pursuant to Rule 424(b) of the Securities Act of 1933 on July 20, 1999 (Commission File No. 333- 77855), its Report on Form 10-K for the year ended December 31, 1999, and other public filings with the Securities and Exchange Commission. Note to Editors: Be and BeOS are trademarks or registered trademarks of Be Incorporated in the United States and other countries. Other brand product names are registered trademarks or trademarks of their respective holders. All rights reserved. The Internet is famous for its conspiracy theories, and perhaps this is one more instance, but there is at least some substance here. How much is real and how much is made up is not known to me. I am certainly no expert in IR photo interpretation, nor do I know any of the people involved in these reports. I do know that the Congress, as the Grand Inquest of the Nation, has yet to do its duty regarding the disaster at Waco, and until everything is aired to the satisfaction of all reasonable people, stories like this, and worse, will continue to crop up. I post the following without any claim to its veracity. I have not verified what is said at the sites it links to, or what the usual fare on those sites might be. It is perhaps enough to note that this sort of thing is being said to make my point, that the Congress really must investigate ALL of what happened. Much the same story, minus some of the details about what the HCGR was (is) sitting on, appears at: http://www.worldnetdaily.com/bluesky_fosters_news/20000503_xnfos_waco_exper.shtml Scanned images (jpeg) of Ghigliotti's preliminary report can be found at: http://www.worldnetdaily.com/images/20000503SarahFpage1.jpg http://www.worldnetdaily.com/images/20000503SarahFpage2.jpg http://www.worldnetdaily.com/images/20000503SarahFpage3.jpg Did you really have any doubt that this sort of behavior was permissable in such social circles? Or of the complicity (and I'm not really concerned with their _motivation_) of Republicans? Ghigliotti's worst fault may have been naivete in dealing with the House committee, but it may have been a fatal one. http://www.newsmax.com/articles/?a=2000/4/30/155105 === I checked with adaptec that Cd Creator 4.01 supported win2k but it failed to install with a "wrong IE5 version" errror . An email to Adaptec said install our IE5 from CD . Its an earlier version than Win2K ships with but I did. The install still fails with a wrong IE5 version errror . Can readers help?? Nick Hanstock [j.n.hanstock@blueyonder.co.uk] I gave up: I run CD CREATOR on a Win 98 machine. Can anyone help? Dear Dr. Pournelle: Your analysis of the growing mania for intervention is, as usual, pretty much on the money. However, I don't think you paid as much attention as you might have to the fact that these interventions cost the United States a great deal, and benefit us very little. What we have is not an empire, but a Guilt-pyre - Modern neo-totalitarians trying to assuage their own guilt feelings by getting American soldiers killed. As a trade power, the United States has a vested interest in keeping the trade routes clear. This particularly means keeping the sea lines of communication wide open, but a sound case can be made for discouraging conflicts ashore as well. War is bad for business. The problems arise from the fact that we have taken to sending troops to nations where we have little interest - business or otherwise. Imperialism is supposed to be a for-profit activity. Where is the profit in Bosnia or Haiti? Worse, I agree with you that we have taken a dangerous turn in actively taking sides in these disputes. When I was taking Naval War College courses, a great distinction was made between peace keeping (helping to promote a peace freely reached between the former combatants) and peace enforcement (picking sides). Peace keeping is a pacific activity. "Peace" enforcement is combat. And by picking sides in these disputes, the United States forfeits its traditional role as a neutral arbiter of unquestionable moral authority. In 1905, Theodore Roosvelt won the Nobel Peace Prize for brokering the end of the Russo-Japanese War. Two generations later, George Marshall would repeat the feat with the Marshall Plan. Both men leveraged off the traditional status of the United States as a disinterested broker. The costs were minimal, while the benefits were great. Today, we have a generation of leaders who have little to no knowledge of sound national security policy. This is not so much a lack of military service as it is a lack of diligence in studying the skills demanded of a statesman. The dirty truth is that a lieutenancy teaches few of the skills needed in the strategic arena. Were these people inclined to leave what they do not understand alone, things would be OK. However, the same ignoramuses are also ridden by guilt. Show them a photo of a civil war or a hungry child, and they rush to send other men's money and other mother's sons to help (note that these "leaders" do NOT send their own money or kin). The combination of guilt over their own lack of martial/patriotic prowess and ignorance of the costs of "peace enforcement" wars leads them into terrible folly. What we have is not the profit-driven empire of the past, but the emotion-and-folly-driven Guilt-pyre of the present. It is a far, far more wretched thing than simple imperialisim. It must be abandoned. The blood of our troops is too precious to waste slaking a politicians thirst for power and "legacy". V/R: Michael McDaniel In a Republic government policy represents the interests of the people; in an Empire the policy supports the interests of the leadership; of the government, if you will. The national interest of the people of the United States is not the same as that of those who command them, and who control policy; at least not as much as it used to be, and it is that growing separation that is disturbing. I leave out such matters as trade policy, in which it is not always clear that what's good for General Conglamorate Inc. is good for the country; I mean simply interventions in faraway places. As I write this, the State Department is saying we may have to become involved in Sierra Leone to support the failed UN mission there: which means taking sides in a Civil War, precisely what we were accused of doing in Viet Nam. At least in Viet Nam there was an interest: bleed the Russian. A long war of attrition is hard to continue for a Republic and yet it was the most painless way to bring down the USSR; and that plus Star Wars actually worked. In the present situation it is easy enough to see what having small wars does for the careers of senior officers; for major Washington lobby groups including law firms; for international corporate houses (I understand Mr. Clinton has been offered $10 million a year to take a post with an international brokerage house after he leaves office -- can policy be influenced by such offers? I don't know). It is easy enough to see the interests of some of those ordering the interventions. It is not so easy to see the interests of the American people. I am interested in one of the implications of "The need for [...] career peace keepers, is obvious -- for an Empire." Canada has largely dismantled our armed forces, REPLACING them with a police army. (The fact that nobody noticed this happening has led to morale problems and a couple fo massive fiascos in implementation) We enthusiastically join in, or even push for interventions that we could join. (NATO, UN, Brit Commonwealth). But I am interested in the psychology. Canada will never be an imperial power. But we have gone further towards what you describe as imperial thought processes than the US has. Is this a statement that we think of ourselves as a "client state" within whatever empire? (Which empire depends on the Canadian you're talking to. Brit/USA/"world") I wouldn't care to speculate except in general terms. Luttwak in The Grand Strategy of the Roman Empire shows a period when Imperial strategy was to keep an army able to win a war with anyone, but use client state forces for most local "peacekeeping" and other operations short of war. Tax farming concessions made that a good deal for the leaders of the client states. Their populations weren't really consulted. Imperial does not necessarily imply an aggressively expansionist empire although that has been the result every time. The Imperial system is one in which the interests of the government are not those of the people, although there may be many attempts to make them appear to be so. Citizens are treated as subjects; obedience is compelled, not solicited or persuaded. This has to be because there is a large bureaucracy whose interest is to continue the bureaucracy and collect taxes to pay itself, and which resists any and all attempts to cut it back or even halt its growth. Imperial means that the President, or Emperor, or Consul, may be selected by the people but is not among them and is no longer merely a citizen who holds office, but something above and beyond that. Generally the interests of the imperial ruling class will force expansionism because client states and colonies, while often very unprofitable for the home country, are quite profitable for international joint ventures in which the governing class owns shares (or owns the company outright). Operations that would not be tolerated in the home country become routine in the colonies and client states. I speak from history. The parallels won't be exact. Perhaps I am wrong to see parallels at all. The objection to missile defense is utterly perplexing in a rational sense, but it's understandable from a psychological sense. I hate this kind of argument, so often used to denigrate one's opponents; but in this case, I think it fits too well to be dismissed sans consideration. I see three major anti-defense arguments, and each springs from a different cognitive dysfunction. First, we must not ignore the disturbing fact that there is a statistically tiny but (in a nation of 260 million) numerically large portion of our population that passionately believes America is the most immoral nation on earth, and that we're just itching for a chance to destroy the rest of the world, villains we. (I believe this group is overrepresented in the intelligencia and academe.) It would be terrible, they argue, for America to have a missile defense because that would just make it all the more likely that we'd launch a nuclear war for imperial reasons (presumably when W. is elected, or whoever is the next Republican president). It's impossible to argue against these unamerican idiots. But their arguments are so extreme that they're not much of a political threat to building a solid defense. Second, there is a group that believes a missile defense would be a form of hubris, thinking we could win a nuclear war when, as Dr. Caldicott so cheerfully announced, there could be no winners and "the survivors would envy the dead." This is a strange sort of magical thinking, where other nations would be so afraid of a defended America that they would launch in a "use it or lose it" orgy of self destruction. Our very attempt to defend ourselves from the "indefensible" would tempt the gods themselves to smite us for our audacity. It's similar to saying, as some do, that putting up a firewall only makes hackers target you all the harder, as if throwing down the gauntlet. This is a more dangerous irrationality, since many more people believe it than the first. The argument against this is that we obviously wouldn't dismantle our retaliatory capability prior to building SDI; therefore, these unnamed countries would have just as much deterrent against launching missiles at us as they do today: Mutual Assured Destruction. It might work, it might not -- but it's completely unrelated to building SDI. The third irrationality -- the "all or nothing" zealots -- argue that since a missile shield wouldn't stop a nuclear truckbomb, there's "no point" in building one at all (as if a cop shouldn't wear a bullet-resistent vest because it wouldn't save him from being poisoned). This irrationality, probably the most widespread, is the hardest to argue against, because the argument is simple logic... and if they were logical, they wouldn't make it in the first place. If there are three main vectors for delivering a nuclear warhead, strategic missile launched from a land or sea, tactical missile or bomb launched or dropped from an airplane, or ground-delivery vehicle, how can it make us /less/ safe to reduce that to only one vector, the last? Maybe the best approach is to rename the program from missile defense to nuclear defense and add a small plan or two to make it even harder to smuggle fissionable materials into the US than it already is: better intelligence, better remote radiation sensors, better tracking and control of components necessary to make a bomb. No reason not to do these anyway; it's good military policy. Then, when somebody says "but the Iraqis could just smuggle a nuke in a suitcase," we can simply point to the Plutonium-sniffing-bloodhound-breeding program. Sincerely, -- Dafydd ab Hugh Beware of gifts bearing Greeks. Good analysis. I am sure there are also people who don't think we can build SDI, and some who think we can't afford it, and some who really do think we don't need it; but I admit that I don't much understand the objections to shields. I like your plutonium sniffing bloodhounds! Dr. Pournelle - Perhaps one of your readers knows the solution to my problem. I am involved in one of Microsoft's Beta programs, and in the middle of March installed a Beta of Internet Explorer 5.5. This new version of the browser works fine. However, after the install I discovered that Outlook 98, which I use for email among other things, no longer functions correctly. The word wrap function when sending email no longer operates correctly by wrapping words that would make a given line exceed the length set (default 76 characters). Instead Outlook now makes every line in a transmitted email exactly 76 characters long by breaking words apart. I reported this problem to Microsoft on 21 March, and today they closed my bug report with the comment that this behavior was "By Design". Since this problem was effectively disabled the email send function of Outlook 98 for me, and forced me to use Netscape to send email, I am looking outside of Microsoft for a solution. I have to suspect that the problem is due to a modified version of one of the common files being replaced as part of the IE 5.5 Beta software. If I knew what file(s) might be involved, I could try replacing them with files from another non corrupted machine. My machine is running Windows 98 with all the available updates. My Microsoft Office installation (which includes Outlook 98) has the 2b updates. Any help would be greatly appreciated! Ray A. Rayburn Audio@Technologist.com http://www.users.uswest.net/~rrayburn A retired USAF Colonel friend sends this (he's a decorated fighter pilot ace, Viet Nam era): Can you check this out? If true (ref: Air Force Times, March 27th) it should be widely reported, factually and not editorially; let the readers make up their own minds. I counted 90 aircraft. Bill Haynes Sent: Sunday, May 07, 2000 10:48 AM Subject: Totally unacceptable Subject: President Clinton does it again...How much more, America ????? This has to be the most expensive and most useless boondoggle in history. I'm sure President Clinton can write it off as a Spring Break trip for Chelsea! Today, I received the March 27th Air Force Times and was moved to send heads-up to some of the press re: Clinton's travel costs. Doubt if press will respond, but with your e-mail list, you may want to distribute to our Air Force friends who may not read AF Times, the March 27th Air Force Times piece should be of interest. The article details the more than $50 Million cost of the Clinton India/Pakistan trip. Nowhere else in the press have we seen reported the fact that, in addition to AIR FORCE ONE and five other Andrews aircraft, the outbound trip is using 14 C-17s from Charleston, 12 C-5s , three C-141s, two C-130s. In addition, seven KC-10s and 39 KC-135s are providing air-refueling support. The return trip requires an additional 10 C-5s and another three KC-135s. The 22 C-5s, thus occupied, represent one-third of the Air Force's entire operational C-5 fleet. A point of interest to the civilian public might be that each aging C-5 is capable of carrying internally, six Greyhound busses. (that would be enough airlift for 132 Greyhound busses in C-5s alone!) Some trip! In addition to the dollar costs, the huge number of aircraft tied up with this operation has seriously degraded the ability of the Air Force to support operational airlift and air refueling requirements round the world. Must be increasing the workload across the whole spectrum as well. In the face of continuing very careful military budgeting, will the public pay any attention to the comparison of costs of these trips to the unfunded needs of the military? THIS IS TOTALLY UNACCEPTABLE. WE HAVE APPROXIMATELY 7500 TROOPS ON FOOD STAMPS AND THE COMMANDER-IN-CHIEF INDULGES IN SUCH ACTIVITIES AS THIS. It does seem to be a bit excessive to use about a third of our heavy lift capability for one trip. But perhaps necessary. He is the President, and keeping him safe is a lot cheaper than the war that would start if someone harmed him. Ounce of prevention and all that. Still, this seems more like a kilo of prevention...
|
This week: |
Wednesday,
May 10, 2000 Zone Alarm has problems. Its default installation automatically blocks all access to a home network. Changing that requires a manual reconfiguration for each system it is installed on. It should not be used in a corporate environment, and home installation should be done only when your children do not have school papers do. Mine did. No data. One of the reasons I don't recommend stuff without using it myself: one needs to find these things out. I've long enjoyed your columns in print and now online. After reading the most recent one about personal firewalls I just wanted to tell you about the firewall that I use called GnatBoxLight (http://www.gnatbox.com/ ) I like it because it is neat - it boots and runs off a floppy. Just about any old 'retired' system is up to the task, add two network cards, yank the hard drive for silence, and it runs. The free version is limited in the number of connections it supports, but for me it is Good Enough also. happy day, .olli Again I know nothing of this. Thanks. I use a Linksys USB Network Adapter. It cost about $40 and gives you both drivers (which I didn't need because I had them installed) and a self-powered connector device - One end the Ethernet plug, the other out to USB. It works like a charm. I was having trouble with my PCMCIA Ethernet connector (would often require a reboot to solve slow as molasses speeds) and the Linksys adapter has solved my problems and caused none. Dr. David Doyle Concord, NH Thanks! Read the release regarding the use of Air Force planes for President Clinton's trip. Just curious - does USAF retired Colonel think that the President is sitting around saying, "Let's see, seven KC-10s, 39 135's - that ought to get it." Or, more likely, is a USAF Colonel saying, "We'll need to send ....."? THIS IS TOTALLY UNACCEPTABLE. WE HAVE APPROXIMATELY 7500 TROOPS ON FOOD STAMPS AND THE COMMANDER-IN-CHIEF INDULGES IN SUCH ACTIVITIES AS THIS. And what does this have to do with that? Come on Jerry, I've got nothing against rants, I indulge in them myself. But how should Billy go to India, Delta Business Class? Or shouldn't he go? Keep up the good work! Steven Smith Atlanta, GA Well, it's trivial money, but given the way they have squeezed the training and operations budgets to pay for unbudgeted imperial adventures I understand why some of our warriors are a bit unhappy: all that money for a trip, when they can't pay the troops properly? But yes, you have a point. He is the president. Incidentally, I suspect Calvin Coolidge would have gone Delta Business Class. So might Jimmy Carter... I was under the impression the C5A's are carrying C3I vans and much of the rest of the transportation is staffing and security for them rather than being directly related to physical security of the Executive. Although physical security of the President does involve pre-positioning everything from EOD teams (typically from Huntsville Alabama) to secure communication to go with the "football" it does seem to me that just turning over the Whitehouse keys to the VP would cover the rest of things better and cheaper. Certainly in the India-Pakistan theater it is easy to imagine a scenario in which the President is perfectly safe but Air Force 1 cannot fly. I think what we really bought was immunity from criticism that the President might be out of touch or unprepared to deal with a crisis while out of the Country rather than enhanced physical security. Clark Well, this President wouldn't turn over the keys to Gore even when he was having his knee operation, so he's sure unlikely to do so for more extended periods. But I expect you are right. I posted the Colonel's note I must confess more for his sake than any other. He's an old friend. But this kind of wretched excess does tend us again toward the Imperial style. Come to that, why could he NOT have taken Delta Business Class? OK, that's a bit inconvenient for everyone. But does it take that big an entourage? And next we'll have the poet laureate meet him on his return with a panagyric... I expect I am just being bilious. But I do have to say that treating the President is if he were a different sort of person from us mere mortals is a dangerous trend. Jimmy Carter, whatever his other faults, understood that perfectly and tried to discourage it. In Roman triumphs as the general rode his chariot through cheering throngs a slave stood behind him saying, "Remember thou art mortal. Remember thou are but a man. All this is fleeting, and thou art but a man." .
|
This week: |
Thursday,
May 11, 2000
This is a wonderfully subversive Windows app that builds a single floppy Linux Router Project 3.5" diskette. The program allows you to easily enter your network card interrupts and I/O address, ISP IP address and other info and then it generates a Linux boot disk which will allow a 386, 486, or faster PC to server as a firewall, router, DHCP server, DNS server, mini-Web server. You can administer the Linux Firewall/Router with a web-browser, so it doesn't need a monitor or keyboard. The PC only needs a floppy and 8 megs of RAM. Since you can write-protect the floppy, even if a cracker managed to get into the machine, he couldn't save any programs on the disk. Holden Aust Thanks. That looks to be a good use for an older machine... Subject: DMCA in action Jerry, Perhaps I've just missed it, but I haven't seen much on your feelings about the Digital Millenium Copyright Act, which was enacted in either 1998 or 1999. The main reason That I am curious is that one of the first cases of its attempted enforcement is occuring over on slashdot.org. There was a discuission on slashdot about Microsoft's "enhancements" to the Kerberos standard, and the "license" they were giving to view the details. To make a long story short, Microsoft released the specifications so that security personnel could read them, but specifically doesn't allow anyone to use the specs in products or release them to people that might. Some of the people over on Slashdot then posted the specs, or gave people advice on how to work around Microsoft's license. Microsoft has respond by invoking the part of the DMCA that allows plaintiffs to have material the claim is a copyright violation removed without a hearing of any sort. My thoughts are that this violates to basic principles of the U.S. legal system: The right to Free Speech and the right to Due Process of law. Of course, I'm no lawyer... I'd appreciate your thoughts ( and the thoughts of others) on this one. Sincerely, Chris clevesqu@yahoo.com ===== Chris Levesque Associate IT Systems Administrator Denver International Airport clevesqu@yahoo.com levesquc@dia.denver.co.us "The sky above the port was the color of television, tuned to a dead channel." -- William Gibson I don't know enough about this to have an opinion: I expect many readers know a lot more. I'd like to hear about it. If there's enough I'll open an altmail page, but in any event I'd like to know more. The following was sent as a press release. I think it important. Tim O'Reilly on the LinuxCare Layoffs Can open source businesses make it? Tim O'Reilly looks at what the recent Linuxcare layoffs really mean at http://www.oreillynet.com/pub/a/linux/2000/05/09/lessons.html An excerpt: The venture capital community and tech press is abuzz about recent layoffs at Linuxcare, the Kleiner-Perkins backed Linux support company. Boosters of open source argue that Linuxcare's stumble is simply a result of management missteps, trying to grow too fast, and the overall cooling of the market to speculative high tech offerings and to Linux in particular. Observers critical of open source might argue that this event shows the weak commercial underpinnings of Linux, and the difficulty of making money when the software is free. I draw an entirely different lesson: that the "service" opportunity for open source software requires thinking in a much bigger box. (You don't actually have to go outside the box. You just have to give yourself some elbow room.) Linuxcare's initial business model involved a great deal of reliance on phone-based tech support and other low level services; they are now repositioning themselves for higher-level professional services such as creating private label versions of Linux. They are absolutely right to think bigger. The service opportunity is immense, but it isn't necessarily in the obvious places.
|
This week: |
Friday, May
12, 2000
This is the email that saved me, in the sense that it provided a way to get my machines to see each other when they previously could not. Jerry, I've just read the tale of your, ah, adventures, and I must say that I know what you're going through over there.... I do this sort of thing for a living, and people ask me how I deal with the frustrations of working with computers day in and day out. "I'm mad," I tell them. "Quite insane." A couple of things that may help you (forgive me if you're aware of these; I try to make as few assumptions as possible when talking to people about computers, not from malice or any presumption of incompetence, but simply playing safe). When I'm installing an NT server and am having trouble with the network card drivers, I just let it create its default WORKGROUP domain, and go on. Once the install is completed you can go to your Network properties and add a card with the benefit of a better interface with which to do so. I can't recall off hand how often I've had to use that approach on a PDC, but it works well for member servers, and it certainly sounds better than your current situation.... To get a Windows 95/98 workstation to forget about trying to log into the domain, right click on your Network Neighborhood, go to Properties, select the Client for Microsoft Networks, Properties, and uncheck Log onto WIndows NT domain. Save all that, and it will no longer look for the domain controller. How much that will help you I'm not sure, without knowing more about how your network resouces are laid out, but it should help. (In fact, if after doing so you log in with the userid and password that you have on the domain, you will still be able to access domain resources normally. The only thing you really lose is running the login script on startup. For your environment it may be best to leave that box unchecked on your machines, log in locally, and let the local machine cache the password for use on the domain. For NT machines, the equivalent trick is to click the drop down on the login screen that has the domain name and select to log into the local machine. Depending on how the machine was set up you may have to log in as Administrator (if no other local userids have been created), create a local user, and go from there. NT being as helpful as it is will see this local user as a different person than the domain user of the same name, and use a different profile, but at least all the resources are accessible. I hope this is of some help to you. Hang in there, sir; we're rooting for you. --Robert On Fri, 12 May 2000 01:00:07 -0700, Jerry Pournelle wrote: >I thoroughly understand everything will have to be restarted and such. I'll >manage. I don't really have a lot of choices here. >Thanks > >-----Original Message----- >From: Robert Brown [mailto:robert@godofwar.com] >Sent: Thursday, May 11, 2000 10:05 PM >To: jerryp@jerrypournelle.com >Subject: PDC Down > >Jerry, >Checking your current view before heading off to bed I see that >you're about to try building a new PDC.... Is the old one totally >dead? You're likely already aware of this, but in case not, if you >make a new PDC, even with the same domain name as the old one, NT >will see that as _new_ domain, requiring new user accounts, new >computer accounts, and so on (this is one of the main functions of a >BDC; not just maintaining functionality if the PDC goes down, but >maintaining continuity of accounts and domain information). This is >probably not much help to you, unfortunately, but I wanted to at >least try and warn you what you may be getting into.... > >Good luck, > > >--Robert > http://www.godofwar.com > "I'm getting too old to take life seriously." --Robert http://www.godofwar.com "I'm getting too old to take life seriously." The first email warned me I'd face problems, but then I knew that. The second one made life simpler: you don't just restart the machines, you have to get them off the domain. But the ghostly connections remain: you can access drives you can no longer see so long as you have previously mapped to that drive. VERY strange! Well, enough. I have got to where I can get some work done by going through all this (I suspect that simply taking my W 98 workstation off the domain would have done that), and now I have to get to work. I'll fool with this next week. It's a great life... And thanks! As to why the problems: Subject: NT Domain Woes From: Dave Pierce (dave_pierce@NOSPAMremove.techie.com) Dr. Pournelle, I'd tell you what we long-time NT warriors call the situation you're in, but I'm trying to watch my language... ;) Seriously, though, your assessment is correct -- if you have a PDC, you must have at least one BDC, or eventually suffer the fate you are now experiencing. When the PDC fails, you can no longer authenticate domain members. Here's why: The names of domains are a convenience for mere mortals, and the machines that participate in domains actually use a SID (security identifier). If you don't have a controller with a valid SID available to authenticate machines, you're dead. You cannot join the domain, or add BDC's. Do not pass Go, do not collect $200. Your idea to create a new domain, and join all of your machines to that domain, is the best way out of your current predicament. Although trying to simultaneously migrate to Win2K Server shows that you are a far braver man than I. Good luck. Don't forget to immediately install a BDC once it works! --Dave Pierce Next week, I think, I'll do just that, probably with NT4 now that I have the driver problem solved -- that one is a PIP when you are trying to install NT4 as a PDS! And I'll have a backup server machine built and ready.
Then we have this: A valuable lesson about the security of open source code. Specifically SSH for Redhat Linux: RPM ssh-1.2.27-8i.src.rpm contains a PAM patch which is probably malicious trojan rather than a simple coding error. 1) Just because the source code is there, do not assume that it has been peer reviewed, and passed for release. 2) Check that the signatures are there, and valid. 3) Make sure that the public keys themselves are authentic! Edit, forward to Byte contacts, and use for your own advisories in your day book and regular columns as appropriate. This may have serious consequences for those foolish enough to have incorporated this software as a routine upgrade into production servers. --James Cambridge, UK -=-=-=-=-=-=-=-=-=-=- Greg Wright wrote: : > Build Host: ostrich-deluxe.labs.redhat.com : > : Ouch, I have never checked, but hopefully its trivial to forge this header, : I should have asked already, but does the packager claim to be from within : the owner of the domain ? No. I (Jan "Yenya" Kasprzak <kas@fi.muni.cz>) am written both in a vendor field and a packager one in that package :-( But this can be easy to explain - the author at labs.redhat.com(?) may have taken the original spec file and add his patch only. -Yenya -- \ Jan "Yenya" Kasprzak <kas at fi.muni.cz> http://www.fi.muni.cz/~kas/ \\ PGP: finger kas at aisa.fi.muni.cz 0D99A7FB206605D7 8B35FCDE05B18A5E // \\\ Czech Linux Homepage: http://www.linux.cz/ /// /// Vite jak Microsoft vyrabi nezavirovana CD? ... ... ... Pouziva UNIX! \\\ // http://support.microsoft.com/support/kb/articles/Q80/5/20.ASP \\ On Thu, May 11, 2000 at 09:40:08AM +0200, Jan Kasprzak wrote: > John P. McNeely wrote: > : > : Sword &; Shield Enterprise Security, Inc. - Security Advisory > : www.sses.net, Copyright (c) 2000 > [...] > : RedHat Linux RPM ssh-1.2.27-8i.src.rpm contains a PAM patch which > : contains faulty logic allowing users to essentially pass through > : the username/password authentication step and gain shell access. > : > : It should be stressed that the ssh distribution 1.2.27-7us.rpm > : and 1.2.27-7i.rpm available from the web site do not contain this > : vulnerability. > [...] > Please not that in spite of the fact I (Jan "Yenya" Kasprzak, ^^^ note? :-) > <kas@fi.muni.cz>) am stated both as "vendor" and a "packager" of the > ssh-1.2.27-8i.src.rpm, I did not make it and it is not even PGP-signed > by my key. The latest RPMs of ssh I have made are ssh-1.2.27-7{i,us}.src.rpm. Uh... I'm suddenly getting a real bad feeling here. Does anyone know what the origin of this package is? If the packager of record did not produce it and it wasn't signed and it contains a serious security hole, I'm really uncomfortable. Do we know that this was merely an accident and wasn't deliberate? > I will probably make the -9 release of the RPMs to avoid confusion. This would be a really good thing. > It is always good to check the PGP/GPG signature of the package. > I sign all my RPMs. Do you regularly check for stray keys in your name? Ben Laurie had someone attempt to upload a fake key with his name to the pgp keyservers a while back (this was just after the attempt to trojan Wietse Venema's tcpwrappers and trojan the login utilities at the tcpwrappers site). Bruce Schneier also has one running around that he swears he has been unable to crush because the keyservers are more persistant at syncing and recovering than he is at removing. Checking keys is a good thing, but we have to have confidence in the reliability of the key itself. > Thanks to SSES, Inc for discovering this vulnerability. > - -Yenya Mike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! DETAILED INFORMATION: -----Original Message----- From: John P. McNeely [SMTP:jmcneely@sses.net] Sent: Wednesday, May 10, 2000 10:16 PM To: Alex de Joode Subject: [rh-crypto] Re: SSH Vulnerability Sword &; Shield Enterprise Security, Inc. - Security Advisory www.sses.net, Copyright (c) 2000 Advisory: Secure Shell Authentication Vulnerability Release Date: May 10, 2000 Application: sshd Severity: High - A user (local or remote) can log into any account with a valid login shell. Status: Affected systems should install alternative version. Archive: The advisory sses-002-auth-vul.txt is available at ftp://ftp.sses.net/pub/security/advisories SUMMARY ------- A vulnerable secure shell distribution is available from the popular Zedz Consultants FTP site (formally known as replay.com). The RedHat Linux RPM ssh-1.2.27-8i.src.rpm contains a PAM patch which contains faulty logic allowing users to essentially pass through the username/password authentication step and gain shell access. It should be stressed that the ssh distribution 1.2.27-7us.rpm and 1.2.27-7i.rpm available from the web site do not contain this vulnerability. The vulnerable distribution (1.2.27-8i.src.rpm) is located in the "incoming" directory at ftp://ftp.zedz.net/pub/ cryptoI/incoming (formerly pub/crypto/incoming). It is also possible that the distribution could have been obtained from the pub/crypto/redhat/unsorted directory. Due to the obscure location of the vulnerable distribution it is not known at this time how wide spread the impact of this vulnerability is. The vulnerable distribution has been removed from the site and should no longer be accessible. DESCRIPTION ----------- The vulnerable ssh distribution is patched with defective logic related to PAM authentication. The offending code from the patch file ssh-1.2.27-pam.patch is: +#ifdef HAVE_PAM + { + retval = origretval; + pampasswd = xstrdup(password); + if (retval == PAM_SUCCESS) + retval = pam_authenticate ((pam_handle_t *)pamh, 0); + if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR) + retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0); + xfree(pampasswd); + } +#else /* HAVE_PAM */ Note the last 'if' statement - in essence whether the pam_authenticate() call is successful or not, the pam_acct_mgmt() call is made overwriting the contents of retval. Assuming the pam_acct_mgmt() call is successful, and it tends to be, then the remaining patch code dealing with PAM authentication opens a session with: +#ifdef HAVE_PAM + { + if (retval == PAM_SUCCESS) + retval = pam_open_session ((pam_handle_t *)pamh, 0); + return (retval == PAM_SUCCESS); + } +#endif /* HAVE_PAM */ By running the patch command patch -p0 -b < ssh-1.2.27-pam.patch we get, patching file `ssh-1.2.27/acconfig.h' patching file `ssh-1.2.27/auth-passwd.c' patching file `ssh-1.2.27/config.h.in' patching file `ssh-1.2.27/configure.in' patching file `ssh-1.2.27/sshd.c' The faulty PAM authentication logic is then inserted into the auth_password() function in the auth-passwd.c file at lines 745-755 and 879-885. IMPACT ------ The impact of this bug can be quite severe. On systems where the /etc/ssh/sshd_config file contains 'PermitRootLogin=yes' the effect is that any remote or local user can obtain root access by specifying a root login and entering a non-null password. Example, if a system (pigpen) configured with the vulnerable ssh server package has a valid user account (joe) then the command: % ssh -l joe pigpen joe@pigpen's password: 123 <--- sshd prompts for password, enter '123'. ... <--- faulty authentication check performed [joe@pigpen]$ <--- user shell accessed Checking the syslogs also reveals signs of the problem: 1- May 8 13:12:50 pigpen sshd[13422]: connect from 10.10.10.10 2- May 8 13:12:50 pigpen sshd[13422]: log: Connection from 10.10.10.10 port 1209 3- May 8 13:12:52 pigpen PAM_pwdb[13422]: authentication failure; (uid=0) -> joe for ssh service 4- May 8 13:12:53 pigpen PAM_pwdb[13422]: (ssh) session opened for user joe by (uid=0) 5- May 8 13:12:53 pigpen sshd[13422]: log: Password authentication for joe accepted. Note the authentication failure recorded by PAM on line 3, but lines 4-5 show the session being opened. It is important to note a few things here: 1) Even if an account is password locked, if it contains a valid shell the account can be accessed. 2) Site specific user accounts are not necessary for searching out vulnerable systems when standard Linux distribution/package accounts like 'gdm', 'postgres', or 'mysql' will do. This vulnerable SSH RPM has been available since March 1, 2000. RESOLUTION ---------- De-install: If your ssh installation is vulnerable, you should remove the vulnerable version and install version 1.2.27-7us. Use OpenSSH: Another alternative to consider is switching over to openssh available from http://www.openssh.com. AFFECTED VERSIONS and SYSTEMS ----------------------------- RedHat Linux, RPM ssh-1.2.27-8i.src.rpm. ACKNOWLEDGEMENTS ---------------- The bug discovery, test, demonstration, vendor coordination, and advisory generation are the results of SSES, Inc. security engineers John McNeely and Dennis Edmonds. Thanks to Alex De Joode at Zedz Consultants for a quick response and removal of the vulnerable distribution. DISCLAIMER ---------- Although SSES, Inc. intends to provide accurate information, this advisory does not claim to be complete or usable for any purpose. NO WARRANTY ----------- This advisory is provided on an "as is" basis. SSES, Inc. makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. SSES, Inc. does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. The supplied advisory is not to be used for malicious purposes and should be used for informational purposes only. It appears the problem is taken care of, anyway. But worth thinking on. Thanks. And the solution to being able to connect but not see: From: Chris Morton (cmorton@newsguy.com <mailto:cmorton@newsguy.com> ) Subject: NT Domain Networks Dear Dr. Pournelle: Here are some suggestions to try regarding you NT network: 1. I usually can't get machines to see each other over the net reliably unless I run TCP/IP _AND_ NETBEUI. The latter seems to handle the task of making sure that everything shows up in Network Neighborhood. Certainly installing it seems to consistently fix the problem of machines not showing up. 2. Check to make sure that file and printer sharing is enabled on the clients. Make sure that you do _not_ have file and printer sharing bound to the TCP/IP dialup adapter, and maybe the TCP/IP NIC as well. The former is a security vulnerability. The latter is generally unecessary (the binding to the NIC) as NETBEUI will handle the sharing and is non-routable. 3. The NT domain is not the same as an internet domain and has different properties and usages. I well know how confusing that is. If you want a peer to peer network until you sort out the NT, go to the Identification tab of the network setup dialog box (start, settings, network) and put in a workgroup name where it says "Workgroup:", "Jerry" for instance (It's case sensitive). On the Access Control Tab, select "Share Level Access". On the Configuration tab, _deselect_ "Log on to Windows Domain". This will get all of your 98/95 machines going peer to peer. For your Win2k clients, right click on My Computer. Click on the Network Identification tab. Click on "Properties". Click on the "Workgroup" radio button and put in the work group name (Jerry) you previously chose. Ok everything to exit. If you haven't already, make sure you have NETBEUI installed in protocols as you did in the Win98 machines. With something approaching Clinton's luck, you'll have a working peer to peer network, over which you can share (once you've explicitly shared) drives and printers. In fact I'm presently torturing myself with Win2k server and am totally baffled at how to mirror a couple of EIDE hard drives. It wasn't this hard in NT4/SBS. I'd like to help some more, but I'm running late for the Cuyahoga County Pistol League awards banquet, and I'm getting a couple of awards, so I can't miss it. Hope this helps. Chris Morton System Care, Inc. Cmorton@newsguy.com And that did it! Hurrah! Fergie, with NetBeui (didn't even have to reboot) now SEES all those machines as well as can connect to them. Hurrah again. Later I'll fix things right, but this has taken care of the last problem. Thanks again. Hurrah.! Perhaps this should be Immanent rather than Imminent? From: Greg Goss Re Imminent death of the internet You said Meanwhile the Internet acts as if it were full of molasses, and periodically I cannot reach any mail servers. I suspect this is Earthlink being jammed up I don't think so. Whatever you are seeing seems global. I have been having severe trouble reaching my own local DNS server (within rogers.home.com) for two or three days now. Slashdot is a total crawl, usually timing out. Even altavista and the register are timing out for me. Whatever you are encountering seems to be more widespread. I don't know my way around internet tools, so can't diagnose anything, but tracert seems to stall just getting out of my local company. I see three digit pings (milliseconds). I think we're broken. I sure hope it's an attack. The alternative would be that we're reaching the infamous IDIOT (Imminent Death, Internet (of the)) Gosh, I hope not... www.newsmax.com has a story up saying that there are gigantic holes in the "No Gun Ri" Korean-War massacre story the AP ran with (and won Pulitzer gold with) a ways back. http://www.newsmax.com/articles/?a=2000/5/12/182540 It's NewsMax, so there are tyops galore. But they quote Stars &; Stripes and US News &; World Report, so it can't be dismissed as "right-wing wackoism," which is the usual method of ignoring what one doesn't want to face: that the AP and nearly every major news organization, driven perhaps by a political desire to bash the military, were taken in by a few highly suspect "witnesses" (at least three of whom weren't even in the region at the time, according the US News). -- Dafydd ab Hugh Beware of gifts bearing Greeks. I haven't followed this much. I do know that during the early retreats in Korea the refugees streamed after our troops, and infiltrators mingled with them. I know officers who told their troops to fire warning shots if anyone came within 40 feet, and to shoot people who got closer; and put some pretty tough troops on the job who would do it, because we were losing troops to attacks coming from infiltrators among the refugees. I could easily imagine a scenario at which I set a time certain that a bridge would blow, warn people of that time, warn as the time approached, and blow it whether or not there were people on it. Our bazookas bounced off the Inmun Gun tanks even when they got a clean hit, and Task Force Smith and immediate successors were chewed to bits. The bridges had to go to give any chance of stopping the NKPA advance. It was pretty grim right up to MacArthur's Inchon Landing. Of course it got pretty sticky later on after they relieved MacArthur, too. Lordy, lordy won't you listen to me, gonna tell you 'bout a place they call it Kunu Ri, and we was buggin' out, we was movin' on. The Chinese were comin' and we were a'goin, we were movin' on.
|
This week: | Saturday,
|
This week: | Sunday,
|