From david at catwhisker.org Thu Apr 1 07:06:57 2004
From: david at catwhisker.org (David Wolfskill)
Date: Thu, 1 Apr 2004 07:06:57 -0800 (PST)
Subject: Advice wanted regarding setting up WiFi
In-Reply-To: <16491.23104.627317.427295@komodo.home.wards.net>
Message-ID: <200404011506.i31F6uNZ023210@bunrab.catwhisker.org>

>Date: Wed, 31 Mar 2004 15:54:40 -0800
>From: bill at wards.net (William R Ward)
>To: baylisa at baylisa.org
>Subject: Advice wanted regarding setting up WiFi
>Sender: owner-baylisa at baylisa.org

>The question is, what's the best way to hook up the base station? I'm
>nervous about plugging it into our existing hub (behind the firewall)
>because then, anyone in the neighborhood with a WiFi-enabled computer
>can get online through our connection. That means they could use our
>bandwidth, hack into our machines, or even send spam through our
>network. Not that I think that's likely, but I'm paranoid.

>So I see two options:

> 1) Add a new firewall box between the cable modem and the WiFi
>station, and then our existing firewall between that and the wired
>computers.

> 2) Add a second ethernet port to our Linux server and connect the
>WiFi to that, and use Linux's built-in firewall to control access.

I did something vaguely similar: I added a 3rd NIC to my firewall box, and thus have 2 "internal" nets. One is (more-or-less) "trusted"; the other is for "guests". The access points in the house reside on the latter net. (And if we *ever* get the place straightened out enough, and we can figure out appropriate evasive maneuvers for dealing with the parking issue, if I were to host, say, a blw meeting here, I'd also connect a hub or switch to that net for use by the attendees.)

Access to the trusted net from the guest net is via the same mechanism as from the Internet: SSH. And the guest net does not permit 25/tcp outbound.

>Either way, I would also want to set up something to provide
>authentication (NoCatAuth?) so only authorized users can use it.
I use a combination of:

* WEP

* Set the access points to not broadcast the SSID

* Only permit listed MAC addresses to connect

but even together, they only really constitute an "Authorized Personnel Only" sign. (I figure that if it comes down to it, someone can certainly connect without my authorization; claiming to have done so accidentally will, however, strain the imagination somewhat.)

As far as I know -- and I do review various logs, including the logging of DHCP requests, daily -- I have yet to have seen a problem. Then again, the street in front of my house is not conducive to someone being relatively inconspicuous while parked there, trying to hack my net. :-}

>I have very little spare time to mess with this, so I want something
>that can be set up easily. I also don't have the budget to be buying
>a lot of hardware.

If your existing firewall can accept another NIC, I suggest at least considering the approach. (I expect that Linux could do this reasonably, though I don't know from experience. I tend to be rather more BSD-oriented.)

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
I do not "unsubscribe" from email "services" to which I have not explicitly subscribed. Rather, I block spammers' access to SMTP servers I control, and encourage others who are in a position to do so to do likewise.

From jxh at jxh.com Thu Apr 1 09:02:33 2004
From: jxh at jxh.com (Jim Hickstein)
Date: Thu, 01 Apr 2004 11:02:33 -0600
Subject: Advice wanted regarding setting up WiFi
In-Reply-To: <200404011506.i31F6uNZ023210@bunrab.catwhisker.org>
References: <200404011506.i31F6uNZ023210@bunrab.catwhisker.org>
Message-ID: <2147483647.1080817353@split.jxh.com>

> As far as I know -- and I do review various logs, including the logging
> of DHCP requests, daily -- I have yet to have seen a problem. Then
> again, the street in front of my house is not conducive to someone being
> relatively inconspicuous while parked there, trying to hack my net.
> :-}

Who says they have to be near your house? Remember the BayLISA meeting where we heard about "wardriving" with a directional antenna from the tops of the hills?

From peter at usestrict.org Thu Apr 1 10:17:07 2004
From: peter at usestrict.org (Piotr T Zbiegiel)
Date: Thu, 01 Apr 2004 10:17:07 -0800
Subject: Advice wanted regarding setting up WiFi
In-Reply-To:
References:
Message-ID: <1080843426.1869.83.camel@zx.zbagel.net>

On Wed, 2004-03-31 at 18:12, Alvin Oga wrote:
> hi ya bill
>
> i'll take the flame bait . . .
> - do NOT use WEP ... its as good as giving away your key
> to the house
>

What?! What does that mean? Seriously! "WEP" vs "no WEP", which one is easier to exploit? I vote for "no WEP", but maybe I am just not 733t enough to do things the hard way.

The lock on your house's door is a deterrent. It's not there to make your house impregnable, it's there to make entering your house just inconvenient enough to make burglars move on to the next place which happened to leave their door unlocked. WEP does the same thing, it makes many war-((w|ch)alkers|drivers) move on to the open AP your neighbor has. Yes, if someone actually _WANTS_ to crack your WEP key, they can, but as Tony pointed out, they have to collect a certain amount of data to do that. If you rotate your WEP keys regularly (quarterly, monthly, weekly?) depending on usage levels you can avoid giving your attacker enough information to crack your key.

Now, even given that, I would still segment off the AP from the rest of the network. An extra NIC in your Linux box is a possibility, but you do have to make an effort to lock down and properly configure IPChains if you go that route.

> ( you're hosed if you using a fries special for the ap
> ( and i donno if the dlink/linksys can use ipsec instead of wep
>

I have a netgear and I did a little research before purchasing it. None of the low-end (read end-user) APs do IPSEC.
Later,
Peter

From bill at wards.net Thu Apr 1 11:36:22 2004
From: bill at wards.net (William R Ward)
Date: Thu, 1 Apr 2004 11:36:22 -0800
Subject: Advice wanted regarding setting up WiFi
In-Reply-To: <200404011506.i31F6uNZ023210@bunrab.catwhisker.org>
References: <16491.23104.627317.427295@komodo.home.wards.net>
	<200404011506.i31F6uNZ023210@bunrab.catwhisker.org>
Message-ID: <16492.28470.424579.41364@komodo.home.wards.net>

David Wolfskill writes:
>>Either way, I would also want to set up something to provide
>>authentication (NoCatAuth?) so only authorized users can use it.
>
>I use a combination of:
>
>* WEP
>
>* Set the access points to not broadcast the SSID
>
>* Only permit listed MAC addresses to connect
>
>but even together, they only really constitute an "Authorized Personnel
>Only" sign. (I figure that if it comes down to it, someone can
>certainly connect without my authorization; claiming to have done so
>accidentally will, however, strain the imagination somewhat.)

I want to make it painless to get online with my wifi setup, so I don't think I want to restrict by MAC address. And that's easy to spoof anyway. NoCatAuth still sounds pretty cool to me.

>>I have very little spare time to mess with this, so I want something
>>that can be set up easily. I also don't have the budget to be buying
>>a lot of hardware.
>
>If your existing firewall can accept another NIC, I suggest at least
>considering the approach. (I expect that Linux could do this
>reasonably, though I don't know from experience. I tend to be rather
>more BSD-oriented.)

As I said earlier, my existing firewall is a little box from Linksys. But I could scrape together one using either a laptop or an old 486 tower case with two NICs and put it in line ahead of my existing firewall.

--Bill.
-- 
William R Ward            bill at wards.net          http://www.wards.net/~bill/
-----------------------------------------------------------------------------
Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it's the only thing that ever has. -- Margaret Mead

From chuck+baylisa at snew.com Thu Apr 1 11:54:08 2004
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Thu, 1 Apr 2004 14:54:08 -0500
Subject: Advice wanted regarding setting up WiFi
In-Reply-To: <2147483647.1080817353@split.jxh.com>
References: <200404011506.i31F6uNZ023210@bunrab.catwhisker.org>
	<2147483647.1080817353@split.jxh.com>
Message-ID: <20040401195408.GA11479@2004.snew.com>

Quoting Jim Hickstein (jxh at jxh.com):
> > As far as I know -- and I do review various logs, including the logging
> > of DHCP requests, daily -- I have yet to have seen a problem. Then
> > again, the street in front of my house is not conducive to someone being
> > relatively inconspicuous while parked there, trying to hack my net. :-}
>
> Who says they have to be near your house? Remember the BayLISA meeting
> where we heard about "wardriving" with a directional antenna from the tops
> of the hills?

Missed it, but I will offer, living atop a hill with a box and a spare very directional antenna, that just because I can reach IT doesn't mean it can reach ME. Imagine you have a very large PA and are talking to someone 1000 feet away who doesn't...

But I can hear networks far enough away to sniff and crack.

WEP vs. "no WEP"

By all means use WEP. I consider it like my door's slam lock. When I leave for real, I throw the bolt, but if I'm walking the dog down the street, I'm ok to just use the slam lock. WEP won't stop all. TKIP and LEAP likely would be Good Enough. (they just spin the keys periodically). I use WEP, I also presume that a stranger is on the network.

ODDS: Are the odds high that someone will use your bandwidth? Well, we're mostly geeks here. The odds are more than "never".
I like the "extra leg on the Linux box" notion. It isolates it. In general, I'm a fan of a secure network, but you have windows. Sit on my LAN and you're not getting into my machine.

I use a soekris box for my firewall/NAT box, so it's got an Internet leg, a wireless leg, and an inside leg. I don't allow port 25 from wireless to Internet. You can do that with your NAT box. If you want to send mail, you send it via the inside box and authenticate.

Ideally, I'd have laptop -> IPSec -> Soekris. I did, I don't since an upgrade. IPSec means WEP is moot. It also means visitor pain.

Ideally, I want "sure, you can use port 80, at 2400 baud, without auth. Authenticate (IPSec? NoCatAuth trusts MAC addresses. Reality for home is that that's enough) and you have full bandwidth."

I have WEP for now, we change keys fairly often, I block port 25. I should have IPSec back in play again soon.

Set it up like you know someone outside is on your net and firewall appropriately. There's no reason a wireless client should be able to reach all ports on your LAN (esp the windows box). Hell, set up your NETWORK like you know someone is on your LAN. Perhaps put that extra Linux network there just for the Windows box and harden the other boxes.

From michael at halligan.org Thu Apr 1 13:45:42 2004
From: michael at halligan.org (Michael T. Halligan)
Date: Thu, 1 Apr 2004 13:45:42 -0800 (PST)
Subject: Network testing tools.
Message-ID:

I'm about to do a set of 100 tests to prove "phase 1" of an infrastructure roll-out is done.. Most of these have to do with testing various failover scenarios. Some of the things we're testing are failover, state transition, failover time, etc.

I've got some hackish ways to do these, but I was wondering if anybody was aware of a more formal testing suite for this type of work?

-------------------
Michael T. Halligan
Chief Geek
Halligan Infrastructure Designs.
http://www.halligan.org/
2250 Jerrold Ave #11
San Francisco, CA 94124-1012
(415) 724.7998 - Mobile

From greg.edwards at lmco.com Thu Apr 1 14:25:24 2004
From: greg.edwards at lmco.com (Edwards, Greg)
Date: Thu, 01 Apr 2004 14:25:24 -0800
Subject: Advice wanted regarding setting up WiFi
Message-ID: <982A2933712F3740921D842654ED470D03028110@emss01m12.us.lmco.com>

That talk, Thursday, 18 October, 2001: Peter Shipley, CCNP/CCDA - WarDriving and LanJacking Risks, showed them trying to connect to the Exploratorium from the Berkeley hills, about 25 miles away. They missed it. They connected to an AP at someone's home beyond the Exploratorium...

The slides are at http://www.baylisa.org/library/slides/2001/10/openlans.pdf

Interesting talk. Some update needed, but most still applies.

Greg Edwards

-----Original Message-----
From: owner-baylisa at baylisa.org [mailto:owner-baylisa at baylisa.org]On Behalf Of Chuck Yerkes
Sent: Thursday, April 01, 2004 11:54 AM
To: baylisa at baylisa.org
Subject: Re: Advice wanted regarding setting up WiFi

Quoting Jim Hickstein (jxh at jxh.com):
> > As far as I know -- and I do review various logs, including the logging
> > of DHCP requests, daily -- I have yet to have seen a problem. Then
> > again, the street in front of my house is not conducive to someone being
> > relatively inconspicuous while parked there, trying to hack my net. :-}
>
> Who says they have to be near your house? Remember the BayLISA meeting
> where we heard about "wardriving" with a directional antenna from the tops
> of the hills?

Missed it, but I will offer, living atop a hill with a box and a spare very directional antenna, that just because I can reach IT doesn't mean it can reach ME. Imagine you have a very large PA and are talking to someone 1000 feet away who doesn't...

But I can hear networks far enough away to sniff and crack.

WEP vs. "no WEP"

By all means use WEP. I consider it like my door's slam lock.
When I leave for real, I throw the bolt, but if I'm walking the dog down the street, I'm ok to just use the slam lock. WEP won't stop all. TKIP and LEAP likely would be Good Enough. (they just spin the keys periodically). I use WEP, I also presume that a stranger is on the network.

ODDS: Are the odds high that someone will use your bandwidth? Well, we're mostly geeks here. The odds are more than "never".

I like the "extra leg on the Linux box" notion. It isolates it. In general, I'm a fan of a secure network, but you have windows. Sit on my LAN and you're not getting into my machine.

I use a soekris box for my firewall/NAT box, so it's got an Internet leg, a wireless leg, and an inside leg. I don't allow port 25 from wireless to Internet. You can do that with your NAT box. If you want to send mail, you send it via the inside box and authenticate.

Ideally, I'd have laptop -> IPSec -> Soekris. I did, I don't since an upgrade. IPSec means WEP is moot. It also means visitor pain.

Ideally, I want "sure, you can use port 80, at 2400 baud, without auth. Authenticate (IPSec? NoCatAuth trusts MAC addresses. Reality for home is that that's enough) and you have full bandwidth."

I have WEP for now, we change keys fairly often, I block port 25. I should have IPSec back in play again soon.

Set it up like you know someone outside is on your net and firewall appropriately. There's no reason a wireless client should be able to reach all ports on your LAN (esp the windows box). Hell, set up your NETWORK like you know someone is on your LAN. Perhaps put that extra Linux network there just for the Windows box and harden the other boxes.
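The three-leg layout David and Chuck describe above (a trusted wired net, a guest net for the access points, SSH as the only way from guest to trusted, and no 25/tcp from the guest net to the Internet), written out as an added example; it is not either poster's actual configuration. It assumes a Linux box with iptables, interface names eth0/eth1/eth2 and the private ranges shown, all of which are placeholders to adjust.

```shell
#!/bin/sh
# Three-leg firewall: Internet on $WAN, wired trusted net on $TRUSTED,
# access points on $GUEST. Interface names and address ranges are
# assumptions for this example; override them in the environment.
WAN=${WAN:-eth0}
TRUSTED=${TRUSTED:-eth1}
GUEST=${GUEST:-eth2}
TRUSTED_NET=${TRUSTED_NET:-192.168.1.0/24}
GUEST_NET=${GUEST_NET:-192.168.2.0/24}

# Print the ruleset instead of applying it, so it can be read (and
# checked) before it goes anywhere near a live box.
emit_ruleset() {
    cat <<EOF
iptables -F
iptables -t nat -F
# Default deny for traffic to and through the firewall.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections we already allowed may come back on any leg.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Trusted net may go anywhere, including onto the guest net.
iptables -A FORWARD -i $TRUSTED -s $TRUSTED_NET -m state --state NEW -j ACCEPT
# Guest net reaches the trusted net the same way the Internet does: SSH only.
iptables -A FORWARD -i $GUEST -o $TRUSTED -s $GUEST_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Guest net gets the Internet, except 25/tcp: a stranger on the WiFi cannot relay spam through us.
# The REJECT must come before the general ACCEPT; iptables stops at the first match.
iptables -A FORWARD -i $GUEST -o $WAN -p tcp --dport 25 -j REJECT --reject-with tcp-reset
# Only the guest net's own addresses are forwarded, so a guest cannot spoof a trusted source.
iptables -A FORWARD -i $GUEST -o $WAN -s $GUEST_NET -m state --state NEW -j ACCEPT
# Services the firewall itself offers: SSH from every leg, DHCP and DNS for guests,
# everything from the trusted leg.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $GUEST -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $GUEST -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $TRUSTED -j ACCEPT
# Both internal nets share the cable modem's address.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Applying needs root: "sh thisfile.sh apply". Anything else just prints.
if [ "${1:-show}" = "apply" ]; then
    [ "$(id -u)" = 0 ] || { echo "apply needs root" >&2; exit 1; }
    emit_ruleset | sh -e
else
    emit_ruleset
fi
```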
From alvin at Mail.Linux-Consulting.com Thu Apr 1 14:43:09 2004
From: alvin at Mail.Linux-Consulting.com (Alvin Oga)
Date: Thu, 1 Apr 2004 14:43:09 -0800 (PST)
Subject: Advice wanted regarding setting up WiFi - fun
In-Reply-To: <16492.28470.424579.41364@komodo.home.wards.net>
Message-ID:

hi ya bill

On Thu, 1 Apr 2004, William R Ward wrote:

> I want to make it painless to get online with my wifi setup, so I
> don't think I want to restrict by MAC address. And that's easy to
> spoof anyway. NoCatAuth still sounds pretty cool to me.

i dont know if nocatauth supports ipsec ( its predecessor did )

and i'm not in favor of sending "everybody" a webpage and asking them to login before they get authenticated for wireless connection
	- they are already connected to get the webpage
	- httpd, ssl, ssh has exploitable holes if its not patched
	- secure wireless logins doesn't seem to be too trivial .. always got some form of gotchas

> As I said earlier, my existing firewall is a little box from Linksys.

those linksys puppies supposedly runs linux ...
	- we should be able to replace its wep app with a new one that runs ipsec instead
	- using wep or not does not make much difference..
	- "most" people's passwd is what??
		( 50% uses password or some variation of it
		( 25% uses their spouses names
		( 10% uses their atm pin#
	- guess how long it takes for a pc to brute force it all
	- run some of the various passwd crackers on your /etc/shadow file and see what the variations are ...
		passwd crackers http://www.Linux-Sec.net/Audit/Tools.fs/
	- hopefully you have 10 regular people for each techie that knows what makes a good password to be using

(one of the) ipsec howto
	http://jcs.org/ipsec_wep/

rest of the nite-nite readingz...
	http://www.Linux-Sec.net/Wireless

c ya
alvin

From chuck+baylisa at snew.com Thu Apr 1 15:59:27 2004
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Thu, 1 Apr 2004 18:59:27 -0500
Subject: Advice wanted regarding setting up WiFi - fun
In-Reply-To:
References: <16492.28470.424579.41364@komodo.home.wards.net>
Message-ID: <20040401235927.GA22765@2004.snew.com>

Sometimes I'm amazed the messages make it through my Bayesian filters...

Quoting Alvin Oga (alvin at Mail.Linux-Consulting.com):
...
> and i'm not in favor of sending "everybody" a webpage and asking
> them to login before they get authenticated for wireless connection
> - they are already connected to get the webpage
But perhaps not allowed access to the rest of the net.

> - httpd, ssl, ssh has exploitable holes if its not patched
and your point?

> - secure wireless logins doesn't seem to be too trivial .. always got
> some form of gotchas
low SO acceptance factor to demand that s/he ssh to a machine to enable authpf (obsd) to open access. web page is easier and an 11 year old can figure it out (I tested)

> > As I said earlier, my existing firewall is a little box from Linksys.
> those linksys puppies supposedly runs linux ...
> - we should be able to replace it's wep app with a new one
ah, that land of should. I looked at a house there once.
Let us know when you have PROM images.

> - using wep or not does not make much difference..
> - "most" people's passwd is what??
> ( 50% uses password or some variation of it
> ( 25% uses their spouses names
> ( 10% uses their atm pin#
Really. You have some reference for this info? Something you can cite? I think you're making it up.

Anyhow, personal passwords are not the same as a shared WEP key, so you fail to make a coherent point.

In our den is this month's WEP key. It's public for visitors. If you can get to where you can see it, you can just plug into the LAN. OTOH, if you plug into the LAN, you're still not trusted...
And you still can't spam.
> - guess how long it takes for a pc to brute force it all
About 100k packets and a few hours. For a determined user.
Guess how long it takes me to get into a slamlocked door?
Guess how fast someone will come when the alarm goes off?

What is your point? (use complete sentences)

> (one of the) ipsec howto
> http://jcs.org/ipsec_wep/
>
> rest of the nite-nite readingz...
> http://www.Linux-Sec.net/Wireless

eliza dumps core trying to parse this.

From rsr at inorganic.org Thu Apr 1 18:23:14 2004
From: rsr at inorganic.org (Roy S. Rapoport)
Date: Thu, 1 Apr 2004 18:23:14 -0800
Subject: Advice wanted regarding setting up WiFi - fun
In-Reply-To: <20040401235927.GA22765@2004.snew.com>
References: <16492.28470.424579.41364@komodo.home.wards.net>
	<20040401235927.GA22765@2004.snew.com>
Message-ID: <20040402022313.GA22055@nag.inorganic.org>

Two men are walking in the woods. In the distance, they hear a bear. One of the men puts on running shoes, so the other asks him why. He says "So I can escape the bear."
"Dude, you can't outrun a bear in those shoes!"
"That's OK, I don't need to outrun the bear, I just need to outrun you."

$DAYJOB is a financial services company. We. Don't. Do. Wifi. That's because if we did run Wifi, and you cracked it, and you cracked all the other security mechanisms, you could walk away with $18,000,000,000 or thereabouts. And we're small.

At home, I have wifi. If someone was to crack that, and crack the trivial password on my PC server, they could get access to my DVD images! And my pr0n! Maybe even delete it!

Whatever. I'm just not likely to be subject to an attack, so my goal is not to outrun the bear, but to be somewhat less attractive than the house next to me.

We can talk all day about how not perfectly secure a protocol is. The art of IT is in figuring out what the acceptable compromises are.

-roy

On Thu, Apr 01, 2004 at 06:59:27PM -0500, Chuck Yerkes wrote:
> Sometimes I'm amazed the messages make it through my Bayesian filters...
>
> Quoting Alvin Oga (alvin at Mail.Linux-Consulting.com):
> ...
> > and i'm not in favor of sending "everybody" a webpage and asking
> > them to login before they get authenticated for wireless connection
> > - they are already connected to get the webpage
> But perhaps not allowed access to the rest of the net.
>
> > - httpd, ssl, ssh has exploitable holes if its not patched
> and your point?
>
> > - secure wireless logins doesn't seem to be too trivial .. always got
> > some form of gotchas
> low SO acceptance factor to demand that s/he ssh to a machine to enable
> authpf (obsd) to open access. web page is easier and an 11 year old
> can figure it out (I tested)
>
> > > As I said earlier, my existing firewall is a little box from Linksys.
> > those linksys puppies supposedly runs linux ...
> > - we should be able to replace it's wep app with a new one
> ah, that land of should. I looked at a house there once.
> Let us know when you have PROM images.
>
> > - using wep or not does not make much difference..
> > - "most" people's passwd is what??
> > ( 50% uses password or some variation of it
> > ( 25% uses their spouses names
> > ( 10% uses their atm pin#
> Really. You have some reference for this info? Something you can cite?
> I think you're making it up.
>
> Anyhow, personal passwords are not the same as a shared WEP key, so
> you fail to make a coherent point.
>
> In our den is this month's wep key. It's public for visitors. If you can
> get to where you can see it, you can just plug into the LAN. OTOH, if
> you plug into the LAN, you're still not trusted...
> And you still can't spam.
>
> > - guess how long it takes for a pc to brute force it all
> About 100k packets and a few hours. For a determined user.
> Guess how long it takes me to get into a slamlocked door?
> Guess how fast someone will come when the alarm goes off?
>
> What is your point?
> (use complete sentences)
>
> > (one of the) ipsec howto
> > http://jcs.org/ipsec_wep/
> >
> > rest of the nite-nite readingz...
> > http://www.Linux-Sec.net/Wireless
>
> eliza dumps core trying to parse this.

-- 
"Don't be an asshole -- vote Democratic in 2004."

From fscked at pacbell.net Thu Apr 1 18:43:17 2004
From: fscked at pacbell.net (richard childers / kg6hac)
Date: Thu, 01 Apr 2004 18:43:17 -0800
Subject: Network testing tools.
In-Reply-To:
References:
Message-ID: <406CD345.2040207@pacbell.net>

I'd be happy to contribute ... normally, that is ... but, regrettably, my postings keep getting "lost" ... so I guess my twenty years of experience is just going to have to gather dust, until things change.

Regards,

-- richard

Michael T. Halligan wrote:

>I'm about to do a set of 100 tests to prove "phase 1" of an infrastructure
>roll-out is done.. Most of these have to do with testing various failover
>scenarios. Some of the things we're testing are failover, state transition,
>failover time, etc.
>
>I've got some hackish ways to do these, but I was wondering if anybody was
>aware of a more formal testing suite for this type of work?
>
>
>-------------------
>Michael T. Halligan
>Chief Geek
>Halligan Infrastructure Designs.
>http://www.halligan.org/
>2250 Jerrold Ave #11
>San Francisco, CA 94124-1012
>(415) 724.7998 - Mobile
>
>
>

-- 
Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
http://www.daemonized.com

From rsr at inorganic.org Thu Apr 1 20:21:00 2004
From: rsr at inorganic.org (Roy S. Rapoport)
Date: Thu, 1 Apr 2004 20:21:00 -0800
Subject: Network testing tools.
In-Reply-To: <406CD345.2040207@pacbell.net>
References: <406CD345.2040207@pacbell.net>
Message-ID: <20040402042100.GB26829@nag.inorganic.org>

On Thu, Apr 01, 2004 at 06:43:17PM -0800, richard childers / kg6hac wrote:
> I'd be happy to contribute ... normally, that is ...
> but, regrettably,
> my postings keep getting "lost" ... so I guess my twenty years of
> experience is just going to have to gather dust, until things change.

Frankly, Richard, I'd be rather surprised if they really were lost. My guess is that the BayLISA postmaster is in the pay of Larry Ellison and the Israeli Mossad and is intentionally blocking your mail because of its subversive and counter-norms content.

-roy

From vince at litrium.com Thu Apr 1 20:26:21 2004
From: vince at litrium.com (Vince Hoang)
Date: Thu, 1 Apr 2004 18:26:21 -1000
Subject: trolls (Was Re: Network testing tools.)
In-Reply-To: <20040402042100.GB26829@nag.inorganic.org>
References: <406CD345.2040207@pacbell.net>
	<20040402042100.GB26829@nag.inorganic.org>
Message-ID: <20040402042621.GU22752@anarchy.com>

http://jni.sdf-eu.org/trolls.html

-Vince
-- 
This message is a clue virus.

From alvin at Mail.Linux-Consulting.com Thu Apr 1 19:25:01 2004
From: alvin at Mail.Linux-Consulting.com (Alvin Oga)
Date: Thu, 1 Apr 2004 19:25:01 -0800 (PST)
Subject: Advice wanted regarding setting up WiFi - fun
In-Reply-To: <20040401235927.GA22765@2004.snew.com>
Message-ID:

hi ya chuck

On Thu, 1 Apr 2004, Chuck Yerkes wrote:

> Sometimes I'm amazed the messages make it through my Bayesian filters...

just to poke fun at ya too, i see you haven't added my name to your filters to drop my mails :-)

> Quoting Alvin Oga (alvin at Mail.Linux-Consulting.com):
...
> > - httpd, ssl, ssh has exploitable holes if its not patched
> and your point?

i assume you know what all that means when a box is not patched

> > - secure wireless logins doesn't seem to be too trivial .. always got
> > some form of gotchas
> low SO acceptance factor to demand that s/he ssh to a machine to enable
> authpf (obsd) to open access.
> web page is easier and an 11 year old
> can figure it out (I tested)

precisely why a home network ( user ) should never be allowed to VPN into the corp network
	- no way for the corp admin to maintain/secure the corp data and network against the home pc and networks

> > > As I said earlier, my existing firewall is a little box from Linksys.
> > those linksys puppies supposedly runs linux ...
> > - we should be able to replace it's wep app with a new one
> ah, that land of should. I looked at a house there once.
> Let us know when you have PROM images.

let me know when the check is ready to be cut, and it'd probably be a couple 2-3 days work, which would then imply about a week by the time its truly ready
	- wild ass guessing that it's a simple tweak the initrd problem

> > - using wep or not does not make much difference..
> > - "most" people's passwd is what??
> > ( 50% uses password or some variation of it
> > ( 25% uses their spouses names
> > ( 10% uses their atm pin#
> Really. You have some reference for this info? Something you can cite?

unfortunately for you and me ... it was a silly radio talk show .... and the results of their informal survey

i've tried "password survey" and got just SAN's writeup which was interesting, but not the talk show's passwd survey

> I think you're making it up.

you're entitled to your opinions ... :-)

> Anyhow, personal passwords are not the same as a shared WEP key, so
> you fail to make a coherent point.

but the key and ssid comes from "easy to remember" words/phrases which is one reason why brute force can and have cracked wep

> Guess how long it takes me to get into a slamlocked door?

a good locksmith ... 5 seconds

> Guess how fast someone will come when the alarm goes off?

in a good neighborhood with a good police dept ...
10-15 minutes unless they had prev complaints, and it'd be the normal expected time of 1-3 minutes
	- just dont go speeding down the street the cops are coming up on

nite-nite
alvin

From david at catwhisker.org Fri Apr 2 09:58:06 2004
From: david at catwhisker.org (David Wolfskill)
Date: Fri, 2 Apr 2004 09:58:06 -0800 (PST)
Subject: Advice wanted regarding setting up WiFi
In-Reply-To: <2147483647.1080817353@split.jxh.com>
Message-ID: <200404021758.i32Hw6vu028247@bunrab.catwhisker.org>

>Date: Thu, 01 Apr 2004 11:02:33 -0600
>From: Jim Hickstein
>To: David Wolfskill
>cc: baylisa at baylisa.org, bill at wards.net
>Subject: Re: Advice wanted regarding setting up WiFi

>> As far as I know -- and I do review various logs, including the logging
>> of DHCP requests, daily -- I have yet to have seen a problem. Then
>> again, the street in front of my house is not conducive to someone being
>> relatively inconspicuous while parked there, trying to hack my net. :-}

>Who says they have to be near your house? Remember the BayLISA meeting
>where we heard about "wardriving" with a directional antenna from the tops
>of the hills?

Note that from the onset, I maintain that the exercise is a matter of reducing probabilities: You will not stop a sufficiently resourceful and determined cracker (by definition :-}).

Also note that I provided empirical observations. :-}

The upshot is that there tend to be rather more attractive targets than my net. :-)

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
I do not "unsubscribe" from email "services" to which I have not explicitly subscribed. Rather, I block spammers' access to SMTP servers I control, and encourage others who are in a position to do so to do likewise.
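The "empirical observations" David refers to are his daily review of DHCP request logs on a net where only listed MAC addresses are supposed to associate. Here is an added example of what such a check can look like; it is not David's own script. It assumes ISC dhcpd logging through syslog, and the interface name, the allow-list and every log line are constructed for the example.

```shell
#!/bin/sh
# Daily check: which MAC addresses asked the DHCP server for a lease on the
# guest-net interface without being on the access points' allow-list?
# Assumes ISC dhcpd logging through syslog. The interface name, the
# allow-list and all sample log lines are constructed for this example.

# MACs the access points are configured to accept (constructed).
ALLOWED_MACS='00:11:22:33:44:55
00:11:22:33:44:66'

# Constructed sample of one day's /var/log/messages dhcpd entries.
SAMPLE_LOG='Apr  1 06:58:12 bunrab dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via fxp2
Apr  1 06:58:13 bunrab dhcpd: DHCPOFFER on 192.168.2.10 to 00:11:22:33:44:55 via fxp2
Apr  1 06:58:13 bunrab dhcpd: DHCPREQUEST for 192.168.2.10 from 00:11:22:33:44:55 via fxp2
Apr  1 06:58:13 bunrab dhcpd: DHCPACK on 192.168.2.10 to 00:11:22:33:44:55 via fxp2
Apr  1 07:12:40 bunrab dhcpd: DHCPDISCOVER from 00:DE:AD:BE:EF:01 via fxp2: network 192.168.2.0/24: no free leases
Apr  1 07:12:41 bunrab dhcpd: DHCPDISCOVER from 00:de:ad:be:ef:01 via fxp2
Apr  1 09:30:02 bunrab dhcpd: DHCPREQUEST for 192.168.1.7 from 00:11:22:33:44:66 via fxp1
Apr  1 22:03:09 bunrab dhcpd: DHCPDISCOVER from 00:de:ad:be:ef:01 (laptop) via fxp2'

# unknown_dhcp_clients IFACE < logfile
# Prints "count mac" for each MAC not on the allow-list that sent a
# DISCOVER or REQUEST via IFACE. OFFER/ACK lines carry the server's
# reply, not a client's request, so they are skipped. Hits on the guest
# interface mean a client the access points should not have let through.
unknown_dhcp_clients() {
    awk -v iface="$1" -v allowed="$ALLOWED_MACS" '
    BEGIN {
        n = split(allowed, list, "\n")
        for (i = 1; i <= n; i++) if (list[i] != "") ok[tolower(list[i])] = 1
    }
    /dhcpd: DHCP(DISCOVER|REQUEST) / {
        mac = ""; via = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "from") mac = tolower($(i + 1))
            # "via fxp2:" when dhcpd appends a reason; strip the colon.
            if ($i == "via")  { via = $(i + 1); sub(/:$/, "", via) }
        }
        # Compare case-insensitively: not every tool logs MACs in lowercase.
        if (mac != "" && via == iface && !(mac in ok)) count[mac]++
    }
    END { for (m in count) print count[m], m }
    ' | sort -k2
}

# Run against the constructed sample. Against the real log:
#   unknown_dhcp_clients fxp2 < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | unknown_dhcp_clients fxp2
```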
From jac at panix.com Fri Apr 2 10:02:24 2004
From: jac at panix.com (John Clear)
Date: Fri, 2 Apr 2004 10:02:24 -0800
Subject: Advice wanted regarding setting up WiFi - fun
In-Reply-To: <20040402022313.GA22055@nag.inorganic.org>
References: <16492.28470.424579.41364@komodo.home.wards.net>
	<20040401235927.GA22765@2004.snew.com>
	<20040402022313.GA22055@nag.inorganic.org>
Message-ID: <20040402180224.GA14470@panix.com>

On Thu, Apr 01, 2004 at 06:23:14PM -0800, Roy S. Rapoport wrote:
>
> Whatever. I'm just not likely to be subject to an attack, so my goal is
> not to outrun the bear, but to be somewhat less attractive than the house
> next to me.

That is my strategy at home as well. I can connect to three wide open networks from my house, so I consider WEP, MAC filtering and a hidden SSID good enough to encourage a hacker to use one of the open networks. The machines at my house are not on full time, so at most times, all a hacker can do is steal bandwidth.

As always, YMMV.

John

From eser at us.ibm.com Fri Apr 2 10:29:13 2004
From: eser at us.ibm.com (Eser Kandogan)
Date: Fri, 2 Apr 2004 10:29:13 -0800
Subject: IBM Academy of Technology Conference on the Human Impact and Application of Autonomic Computing Systems (CHIACS2)
Message-ID:

Please consider attending the IBM Academy of Technology Conference on the Human Impact and Application of Autonomic Computing Systems (CHIACS2), to be held April 21, 2004 at the IBM T.J. Watson Research Center in Yorktown Heights, NY. The call for attendance is attached below. Note that the deadline for registration is April 14, 2004.

Eser Kandogan, Ph. D.
---------------------------------------------------------------------------
Computer Science, Human-Computer Interaction
USER Group, IBM Almaden Research Center
Ph: (408) 927-1949, tie: 457-1949, Fax: (408) 927-3030

Conference on the Human Impact and Application of Autonomic Computing Systems (CHIACS2)

Sponsored by the IBM Academy of Technology

April 21, 2004
IBM T. J.
Watson Research Center
Yorktown Heights, New York

Web: http://www.almaden.ibm.com/asr/chiacs
Registration deadline: April 14, 2004
Conference Date: April 21, 2004 (7:00am-8:00pm)
Chairs: Rob Barrett, Paul Maglio, and Michael Shallcross
Contact: chiacs at us.ibm.com

CALL FOR PARTICIPATION

The complexity of large-scale computing systems is beginning to overwhelm software developers and system administrators. One approach to this problem is to create systems that configure and manage themselves under human supervision---an approach often called autonomic computing. Introducing autonomic components into the creation and management of large-scale computer systems will change the relationships between systems and people; for instance, high-level policy-based control (supervision) will replace low-level parameter tuning (configuration setting). But not a lot is known about this kind of transformation in the human-computer relationship. How will human system supervisors learn to trust an autonomic system that sets its own configuration parameters? How should an autonomic system keep its supervisors informed of its states, problems, or suggested solutions? How will developers treat autonomic systems?

This conference aims to bring together stakeholders in the success of autonomic computing---including human science researchers, computer science researchers, IT architects, product developers, outsourcing practitioners, and consultants---to explore real-world autonomic computing and its effects on the way people and systems work together to generate business value.

Conference topics will include:

* Transforming the Human-Computer Relationship
* Trust and Adoption of Autonomic Systems
* Advancing Policy-based Management
* Experience with Real-World Automated Systems

CONFERENCE FORMAT

The format will be a single-track, one-day conference and is open to both IBM and non-IBM participants.
The day will feature keynote presentations from IBM executives, invited presentations from noted academics, as well as accepted submissions. In the evening, there will also be a poster session, demos, hors d'oeuvres, and plenty of time for conference attendees to interact in an informal setting. Registration will begin at 7:00 am and the first presentation will be at 8:00 am. The poster session will conclude at 8:00 pm. A more complete conference schedule may be found on the conference web site (http://www.almaden.ibm.com/asr/chiacs/).

LOCATION, EXPENSES AND ACCOMMODATION

Speakers and attendees will be responsible for their own air travel, hotel reservations/fees, ground transportation, lodging, meals, and other expenses. There is no charge for the conference. Directions to the T. J. Watson Research Center in Yorktown Heights, NY and accommodation suggestions can be found at the T. J. Watson web site at http://www.watson.ibm.com/visitor.html.

REGISTRATION

Attendees must register via email to chiacs at us.ibm.com no later than April 14, 2004. It will not be possible to register at the door. Registration email should include the attendee's name, institution and city, state, country as they should appear on the name tag.

FEATURED SPEAKERS

* Thomas B. Sheridan
  Professor Emeritus, Ford Prof. of Engineering and Applied Psychology Emeritus, MIT
  Senior Research Fellow, DoT Volpe National Transportation Systems Center
* Susan Brennan
  Associate Professor, Psychology, SUNY Stony Brook
* Alan Ganek
  Vice President Autonomic Computing, IBM Software Group
* Robert Morris
  Vice President Personal Systems and Storage
  Director, IBM Almaden Research Center

From rsr at inorganic.org Fri Apr 2 12:57:01 2004
From: rsr at inorganic.org (Roy S. Rapoport)
Date: Fri, 2 Apr 2004 12:57:01 -0800
Subject: SPAM: Re: Network testing tools.
In-Reply-To: <406DB6F0.20703@pacbell.net>
References: <406CD345.2040207@pacbell.net> <20040402042100.GB26829@nag.inorganic.org> <406DB6F0.20703@pacbell.net>
Message-ID: <20040402205701.GA5731@nag.inorganic.org>

On Fri, Apr 02, 2004 at 10:54:40AM -0800, richard childers / kg6hac wrote:
> Frankly, Roy, I'd like to hear you explain the following ...

No.

-roy

ObBayLISAContent: Buffalo Technology 802.11g routers are pretty darn decent.

-roy

From jeff at drinktomi.com Thu Apr 1 15:58:52 2004
From: jeff at drinktomi.com (Jeff With The Big Yellow Suit)
Date: Thu, 01 Apr 2004 15:58:52 -0800
Subject: Advice wanted regarding setting up WiFi
In-Reply-To: <16492.28470.424579.41364@komodo.home.wards.net>
References: <16491.23104.627317.427295@komodo.home.wards.net> <200404011506.i31F6uNZ023210@bunrab.catwhisker.org> <16492.28470.424579.41364@komodo.home.wards.net>
Message-ID: <406CACBC.1000201@drinktomi.com>

Look at a netgear FVM318. It's a cool little router-firewall-vpn-wireless access point. It isolates the wireless to its own segment, and the only way to get out is by setting up an IPSec session. There are other configurations, but it's trivial to configure it in this manner. It's about $150.

My experience with it has been great. (I have only used the wireless with windows boxen.) I haven't done a serious search for exploits on this box, but I'm only using it for home, so I'm not as concerned as if I were recommending it professionally. I'd love to hear if anyone knows about exploits for this netgear equipment.

-jeff younker

From david at catwhisker.org Sat Apr 3 06:12:30 2004
From: david at catwhisker.org (David Wolfskill)
Date: Sat, 3 Apr 2004 06:12:30 -0800 (PST)
Subject: Network testing tools.
In-Reply-To: <20040402042100.GB26829@nag.inorganic.org>
Message-ID: <200404031412.i33ECUQL032214@bunrab.catwhisker.org>

>Date: Thu, 1 Apr 2004 20:21:00 -0800
>From: "Roy S. Rapoport"
>To: baylisa at baylisa.org
>Subject: Re: Network testing tools.
>Sender: owner-baylisa at baylisa.org >Frankly, Richard, I'd be rather surprised if they really were lost. My >guess is that the BayLISA postmaster is in the pay of Larry Ellison and the >Israeli Mossad and is intentionally blocking your mail because of its >subversive and counter-norms content. Hmmm... I'll need to look into that, since my current job barely pays the house payment.... :-}, david (current hat: postmaster at baylisa.org) -- David H. Wolfskill david at catwhisker.org I do not "unsubscribe" from email "services" to which I have not explicitly subscribed. Rather, I block spammers' access to SMTP servers I control, and encourage others who are in a position to do so to do likewise. From ulf at Alameda.net Sat Apr 3 13:52:31 2004 From: ulf at Alameda.net (Ulf Zimmermann) Date: Sat, 3 Apr 2004 13:52:31 -0800 Subject: Does anyone have an unused IBM Deathstar 20GB laying around ? Message-ID: <20040403215230.GN89845@seven.alameda.net> I am trying to find an IBM Deathstar 20GB drive DPTA-372050 as close to the following data: Label on the top: Model: DPTA-372050 Production Date: Aug 1999 P/N: 31L9056 MLC: F42312 31L9056F423120H98 On the IDE connector itself: 31L9047 F42304- 98L926 01CL One chip under a cover with an opening above the chip: 45L5909 IBM 98 PQ 19923R4302 I have another DPTA-372050 but its november 1999 and with that electronic the drive hammers the heads to one end. That electronic has different numbers on the IDE connector and that above chip is from Mitsubishi instead of IBM. If you have a drive close to the above, please send me a reply with a price. -- Regards, Ulf. 
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html

From alvin at Mail.Linux-Consulting.com Sat Apr 3 14:34:17 2004
From: alvin at Mail.Linux-Consulting.com (Alvin Oga)
Date: Sat, 3 Apr 2004 14:34:17 -0800 (PST)
Subject: Does anyone have an unused IBM Deathstar 20GB laying around ?
In-Reply-To: <20040403215230.GN89845@seven.alameda.net>
Message-ID:

hi ya ulf

i have 3 death stars.. 20GB, 30GB, 40GB that probably should be returned for a replacement

c ya
alvin

On Sat, 3 Apr 2004, Ulf Zimmermann wrote:
> I am trying to find an IBM Deathstar 20GB drive DPTA-372050 as close
> to the following data:
>

From chuck+baylisa at snew.com Sun Apr 4 22:36:03 2004
From: chuck+baylisa at snew.com (Chuck Yerkes)
Date: Mon, 5 Apr 2004 01:36:03 -0400
Subject: Advice wanted regarding setting up WiFi - fun
In-Reply-To:
References: <20040401235927.GA22765@2004.snew.com>
Message-ID: <20040405053603.GG8611@2004.snew.com>

Quoting Alvin Oga (alvin at Mail.Linux-Consulting.com):
> On Thu, 1 Apr 2004, Chuck Yerkes wrote:
> > Sometimes I'm amazed the messages make it through my Bayesian filters...
> just to poke fun at ya too, i see you haven't added my name to your filters
> to drop my mails :-)

No, but they usually catch random words with no clear grammar.

> > Quoting Alvin Oga (alvin at Mail.Linux-Consulting.com):
> > > - secure wireless logins doesn't seem to be too trivial .. always got
> > > some form of gotchas
> > low SO acceptance factor to demand that s/he ssh to a machine to enable
> > authpf (obsd) to open access.
> > web page is easier and an 11 year old
> > can figure it out (I tested)
>
> precisely why a home network ( user ) should never be allowed to VPN into
> the corp network
> - no way for the corp admin to maintain/secure the corp
> data and network against the home pc and networks

or precisely why origin should not be considered authentication. Project Athena, in 1988(1) dealt with computers in non-secured areas (say, a home).

I tire of admins who seem to believe that if the connection is a magical "VPN" connection, then all access should be granted to that connection. I've also dealt with several incidents that had break-ins through remote users' connections. Sites that seemed to believe that VPN was enough and things like security tokens and limiting access from ALL machines.

One would have hoped, in 1994, that we'd have FEWER "soft chewy centers" than then. My experience is that every center is soft and chewy.

A branch of a company I worked at ran the Athena stuff (folks had written lots of it). The root passwd was posted on the wall. Why? Because having root on the workstation didn't get you anything (mostly, it got you a workstation that rebooted and rebuilt itself).

> > > - using wep or not does not make much difference..
> > > - "most" people's passwd is what??
> > > ( 50% uses password or some variation of it
> > > ( 25% uses their spouses names
> > > ( 10% uses their atm pin#
> > Really. You have some reference for this info? Something you can cite?
>
> unfortunately for you and me ... it was a silly radio talk show ....
> and the results of their informal survey

And wasn't it "Hackers" that offered that the most common passwords used were: "Love", "Secret", "Sex" & "God"

Don't always believe the media.

> i've tried "password survey" and got just SAN's writeup which
> was interesting, but not the talk show's passwd survey

Because it was fiction...
> but the key and ssid comes from "easy to remember" words/phrases
> which is one reason why brute force can and have cracked wep

No, a poor encryption algorithm is why WEP is cracked easily. This is not computer scientology. It's not all wishes and guesses.

>

From strata at virtual.net Thu Apr 8 16:11:20 2004
From: strata at virtual.net (Strata R Chalup)
Date: Thu, 08 Apr 2004 16:11:20 -0700
Subject: BayLISA Monthly: 4/15/04: Becoming a Mahout on the VOIP Elephant, David Kuder
Message-ID: <4075DC18.8030209@virtual.net>

BayLISA Monthly Technical Talk & General Meeting

Please RSVP to rsvp at baylisa.org so that we can get an idea of how many will be attending. This event is open to the general public. You do not need to be a member to attend.

--------
Where: Apple Computer, Town Hall Auditorium
Addr: Four Infinite Loop, Cupertino, CA
http://www.baylisa.org/locations/current.html
--------
Date: Thursday, 15 April 2004
Time: 7:30pm - 9:30pm PST

Becoming a Mahout on the VOIP Elephant
David Kuder

Remember that old joke about three blind men trying to figure out what an elephant was: rope, snake or tree trunk? Well I'll stretch the metaphor to the breaking point with a broad survey of Voice over IP (VOIP). I will try to provide information that a system administrator will need to know about VOIP and how it will co-exist with current systems and networks.

--------
BayLISA meets every month on the 3rd Thursday of the month. A short period of announcements of general interest to the sysadmin community is presented, followed by a technical talk. Anyone may make an announcement; typical are upcoming presentations, user group meetings, employment offers, etc.

For further information on BayLISA, check out our web site: http://www.baylisa.org/

Directions and details about the current meeting and future events: http://www.baylisa.org/events/

BayLISA makes video tapes of the meetings available to members.
Tape library is often available at the general meeting, or for more information on available videos, please send email to "video at baylisa.org". If you have suggestions for speakers, or would like to volunteer to present a talk at one of our meetings, please email the Board and Working Group at "blw at baylisa.org". Thanks! -------- From extasia at extasia.org Wed Apr 14 07:30:09 2004 From: extasia at extasia.org (David Alban) Date: Wed, 14 Apr 2004 07:30:09 -0700 Subject: [baylisa] SIG-BEER-WEST this Saturday 4/17 in San Francisco Message-ID: <20040414073009.A6774@gerasimov.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SIG-beer-west Saturday, April 17, 2004 at 6:00pm San Francisco, CA Beer. Mental stimulation. This event: Saturday, 04/17/2004, 6:00pm, at the Zeitgeist Bar and Guest Haus, San Francisco Coming events (third Saturdays): Saturday, 05/15/2004, 6:00pm, location to be determined Saturday, 06/19/2004, 6:00pm, location to be determined Saturday, 07/17/2004, 6:00pm, location to be determined Saturday, 08/21/2004, 6:00pm, location to be determined San Francisco's next social event for techies and their friends, sig-beer-west, will take place at 6:00pm on Saturday, April 17, 2004 at Zeitgeist Bar and Guest Haus[3] located at 199 Valencia at Duboce[4] in San Francisco, CA. [3] http://www.sonic.net/~wwpints/zeitgeist/ [4] http://tinyurl.com/2hacx According to their website, Zeitgeist has: plenty of drafts, mostly micro-brewed beers,[5] a good selection of call liquors, a beer garden, and hotel accomodation [5] http://www.sonic.net/~wwpints/zeitgeist/#Beers Concerning food, they say: the grill opens around 6.00 p.m. each day and closes when everyone's fed (or Aundre's fed up) Festivities will start at 6:00pm and continue until we've all left. Zeitgeist is on the corner of Valencia and Duboce[6] and looks like this.[7] It's three blocks from the 16th St BART station[8] (16th St and Mission). 
[6] http://tinyurl.com/2hacx [7] http://www.sonic.net/~wwpints/zeitgeist/exterior.html [8] http://tinyurl.com/3f8mp When you show up, you should look for some kind of home made sig-beer-west sign. We will try to make it obvious who we are. :-) Note: Please look for the sig-beer-west sign, not for a particular person. sig-beer-west may have different hosts from month to month. Everyone is welcome at this event. We mean it! Please feel free to forward this information and to invite friends, co-workers, and others (all of legal drinking age) who might enjoy lifting a glass with interesting folks from all over the place. Can't come this month? Mark your calendar for next month. (Do it now before you forget!) sig-beer-west occurs on the third Saturday of each month. Any questions, comments, suggestions of things to do later on that evening, or new venue suggestions ... email the current sig-beer-west Instigator. The Instigator's Username is extasia. The Instigator's email address is *the Username* at *the Username* dot *org*. sig-beer-west FAQ 1. Q: Your announcement says "techies and their friends". How do I know if I'm a techie, or a friend of one? A: Well, actually, you don't have to be a techie to attend. You just have to be able to find the sig-beer-west sign at this month's event. That's it. Simple, huh? 2. Q: I'm not really a beer person. In fact I'm interested in hanging out, but not in drinking. Would I be welcome? A: Absolutely! The point is to hang out with fun, interesting folks. Please do join us. 3. Q: Is parking difficult in the city, like maybe I should factor this into my travel time? A: Yes. Note for April 2004: Zeitgeist is three blocks from 16th St BART.[9] You may want to consider BARTing[10] and not worrying at all about parking. [9] http://tinyurl.com/3f8mp [10] http://www.bart.gov/ __________________________________________________________________ sig-beer-west was started in February 2002 when a couple Washington, D.C. 
based systems administrators who moved to the San Francisco Bay area wanted to continue a dc-sage[11] tradition, sig-beer, which is described in dc-sage web space as:

SIG-beer, as in "Special Interest Group - Beer" ala ACM, or as in "send the BEER signal to that process".

[11] http://www.dc-sage.org/

The original SIG-beer gathering takes place in Washington DC, usually on the first Saturday night of the month.

__________________________________________________________________

Last modified: $Date: 2004/04/13 00:12:43 $

From fscked at pacbell.net Wed Apr 14 10:21:39 2004
From: fscked at pacbell.net (richard childers / kg6hac)
Date: Wed, 14 Apr 2004 10:21:39 -0700
Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon
Message-ID: <407D7323.50001@pacbell.net>

Those of you inclined towards worrying about eavesdroppers will find the following interesting ... QST Magazine (or was it NASA Tech Briefs?) recently reported that two people successfully achieved connectivity and exchanged files across a span of 85 miles, using COTS technology and antennas optimized for operation in the 2.4 GHz frequency.

People operating 802.11b networks in corporate environments, take note - your networks can probably be monitored from anywhere within a few [dozen?] miles of the antenna, depending upon obstructions, and perhaps from over the horizon, as well.
Regards,

-- richard

--
Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
http://www.daemonized.com

From chuck at 2004.snew.COM Wed Apr 14 14:37:58 2004
From: chuck at 2004.snew.COM (Chuck Yerkes)
Date: Wed, 14 Apr 2004 17:37:58 -0400
Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon
In-Reply-To: <407D7323.50001@pacbell.net>
References: <407D7323.50001@pacbell.net>
Message-ID: <20040414213758.GA27644@2004.snew.com>

Quoting richard childers / kg6hac (fscked at pacbell.net):
> Those of you inclined towards worrying about eavesdroppers will find the
> following interesting ... QST Magazine (or was it NASA Tech Briefs?)

Yeah, references are a good idea when you make assertions.

> recently reported that two people successfully achieved connectivity and
> exchanged files across a span of 85 miles, using COTS technology and
> antennas optimized for operation in the 2.4 GHz frequency.

Two people working together with a PAIR of antennae optimized for this. Whereas my little AP does NOT have a 6' parabolic antenna and high gain radio in it. Whereas my little AP is hard to hear in the guest room.

> People operating 802.11b networks in corporate environments, take note -
> your networks can probably be monitored from anywhere within a few
> [dozen?] miles of the antenna, depending upon obstructions, and perhaps
> from over the horizon, as well.

Well, depending on radio, antenna, power and several things... But I'll take the surface intent of your note and offer that it's clearly been a Best Practice, from the start to:
- assume that someone hostile is standing 3 feet from the AP and can gather all your packets.
- and *know* that WEP (and now LEAP) are deeply broken and shouldn't be used for auth or encryption anyway.

And act accordingly. IPSec works fine on my laptops. And Windows, too. Even PPTP beats WEP.

85 miles or 50 feet, it doesn't matter.
It's SIMPLE to leave a PDA near your office and gather enough traffic to snap your WEP in two. And easier with some radio trickery, to crack your LEAP connection. And send 50,000,000 emails from your site. And attack sites from your systems. And browse your networks. And change files (that's a bit scarier than copying or erasing - unnoticed changes. Your CEO will be delighted if this quarter's financials are off by a million or so, esp with the new regulations).

-a friend, before a meeting about a client's security, sat in a restaurant parking lot and mapped out the client's network for them, printed it on his portable printer, walked in and did his presentation on their network and several vulnerabilities. "But how did you get onto our wireless? It's over 4 floors up!?"

-Another friend rollerskated around his office with a PDA and sniffs out folks who've set up their own little APs (and taught them how to PROPERLY get on and use the new corporate one. Second violation and you get to pack).

I'd also add the 10 year old: Assume that someone hostile is on your LAN and act accordingly. But then, I was using machines with the root password posted on the wall (root/MrRoot) and it didn't take away from the security of the systems at all. With the lone exception of ssh: How far we've fallen...

From mark at bitshift.org Wed Apr 14 15:23:26 2004
From: mark at bitshift.org (Mark C. Langston)
Date: Wed, 14 Apr 2004 15:23:26 -0700
Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon
In-Reply-To: <20040414213758.GA27644@2004.snew.com>
References: <407D7323.50001@pacbell.net> <20040414213758.GA27644@2004.snew.com>
Message-ID: <20040414222326.GE5444@bitshift.org>

On Wed, Apr 14, 2004 at 05:37:58PM -0400, Chuck Yerkes wrote:
> it's clearly been a Best Practice, from the start to:
> - assume that someone hostile is standing 3 feet from the AP and
> can gather all your packets.
> - and *know* that WEP (and now LEAP) are deeply broken and shouldn't > be used for auth or encryption anyway. > Since it hardly ever gets mentioned, except as a "secure substitute" for WEP, I'll point out that WPA is also broken, in a manner somewhat similar to WEP: http://www.icsalabs.com/html/communities/WLAN/wp_SimpleSecrets.pdf (note that the weakness is related to choosing simplistic keys for WPA and is not due to ISV problems as WEP is). The caveat here should be: Assume all hosts and protocols are insecure, regardless of the steps taken to secure them. Act accordingly. For the truly paranoid, you may assume all hosts have already been compromised, and take steps to ensure data integrity and service continuity. -- Mark C. Langston Sr. Unix SysAdmin mark at bitshift.org mark at seti.org Systems & Network Admin SETI Institute http://bitshift.org http://www.seti.org From rsr at inorganic.org Wed Apr 14 15:47:52 2004 From: rsr at inorganic.org (Roy S. Rapoport) Date: Wed, 14 Apr 2004 15:47:52 -0700 Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon In-Reply-To: <20040414213758.GA27644@2004.snew.com> References: <407D7323.50001@pacbell.net> <20040414213758.GA27644@2004.snew.com> Message-ID: <20040414224752.GB16318@nag.inorganic.org> On Wed, Apr 14, 2004 at 05:37:58PM -0400, Chuck Yerkes wrote: > - and *know* that WEP (and now LEAP) are deeply broken and shouldn't > be used for auth or encryption anyway. > > And act accordingly. IPSec works fine on my laptops. And Windows, too. > Even PPTP beats WEP. Oh, and a minor note: GMail (Google's email service) supports HTTPS*. -roy * Better than Yahoo, at least -- you log in, it drops you into an HTTP URL. Change that HTTP URL to https and it works; more importantly, if you log out once you've done this, when you log back in it'll drop you into an HTTPS URL. This is nice. 
Less nice is the fact that if you close your browser, next time you log in it'll drop you into http again; I've got a feature request in asking for them to allow "always keep me in SSL" as an option. From rsr at inorganic.org Wed Apr 14 16:01:13 2004 From: rsr at inorganic.org (Roy S. Rapoport) Date: Wed, 14 Apr 2004 16:01:13 -0700 Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon In-Reply-To: <20040414222326.GE5444@bitshift.org> References: <407D7323.50001@pacbell.net> <20040414213758.GA27644@2004.snew.com> <20040414222326.GE5444@bitshift.org> Message-ID: <20040414230113.GA16819@nag.inorganic.org> On Wed, Apr 14, 2004 at 03:23:26PM -0700, Mark C. Langston wrote: > Since it hardly ever gets mentioned, except as a "secure substitute" for > WEP, I'll point out that WPA is also broken, in a manner somewhat > similar to WEP: > > http://www.icsalabs.com/html/communities/WLAN/wp_SimpleSecrets.pdf > > (note that the weakness is related to choosing simplistic keys for WPA > and is not due to ISV problems as WEP is). If I read the document correctly, then you're OK as long as your pre-shared key is, in fact, a good one. In other words, WPA is broken in much the same way that Linux is HIGHLY VULNERABLE because users sometimes pick stupid passwords. Solution: DON'T PICK STUPID PASSWORDS. When appropriate and necessary (such as in the case of Wifi), don't let your users pick the password. A competent sysadmin should be able to whip something together out of perl/python/shell that will give him 256 bits of pseudo-randomness (no, not in the technical definition of 'random', of course, but more in the "not 'thisismystupidpassword' sense"). > For the truly paranoid, you may assume all hosts have already been > compromised, and take steps to ensure data integrity and service > continuity. Pshaw. That's really naive and trusting. For the truly paranoid, turn off your systems and go live under a rock. When someone comes near, throw that rock at them. 
Then, find another rock. Repeat as necessary. -roy From mark at bitshift.org Wed Apr 14 16:13:54 2004 From: mark at bitshift.org (Mark C. Langston) Date: Wed, 14 Apr 2004 16:13:54 -0700 Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon In-Reply-To: <20040414230113.GA16819@nag.inorganic.org> References: <407D7323.50001@pacbell.net> <20040414213758.GA27644@2004.snew.com> <20040414222326.GE5444@bitshift.org> <20040414230113.GA16819@nag.inorganic.org> Message-ID: <20040414231354.GG5444@bitshift.org> On Wed, Apr 14, 2004 at 04:01:13PM -0700, Roy S. Rapoport wrote: > On Wed, Apr 14, 2004 at 03:23:26PM -0700, Mark C. Langston wrote: > > Since it hardly ever gets mentioned, except as a "secure substitute" for > > WEP, I'll point out that WPA is also broken, in a manner somewhat > > similar to WEP: > > > > http://www.icsalabs.com/html/communities/WLAN/wp_SimpleSecrets.pdf > > > > (note that the weakness is related to choosing simplistic keys for WPA > > and is not due to ISV problems as WEP is). > > If I read the document correctly, then you're OK as long as your > pre-shared key is, in fact, a good one. In other words, WPA is broken in > much the same way that Linux is HIGHLY VULNERABLE because users sometimes > pick stupid passwords. > Basically. The difference here being that simple passwords on hosts either have to be sniffed directly, or their hashes obtained and brute-forced (which generally requires compromising security on the host in question to begin with). On WPA-secured systems, the hash is available in the air to anyone who wants it, so one could spend one's time simply grabbing hashes out of the ether and brute-forcing them, waiting for one to fall. Were the solution simply "don't use weak (low-entropy) passwords", we could put up web pages containing the contents of everyone's /etc/shadow, confident that all the passwords contained therein were strong. 
In much the same way that were the solution simply, "teach users not to open email from strangers", we wouldn't have a virus problem.

I'm afraid that, while the solution is trivial, the practical application of the WPA weakness is still very valid, because the weak link is biological.

>
> Pshaw. That's really naive and trusting.
>
> For the truly paranoid, turn off your systems and go live under a rock.
> When someone comes near, throw that rock at them. Then, find another rock.
> Repeat as necessary.
>

Piffle. You're an optimist.

If you want to be really paranoid, turn off your systems, encase them in Lucite, set the Lucite blocks in cement, drop the cement blocks down the Marianas Trench, and use mass drivers and shaped charges to deflect the planet's orbit into the heart of a convenient star.

With luck, some of your data may escape prying eyes.

--
Mark C. Langston                Sr. Unix SysAdmin
mark at bitshift.org            mark at seti.org
Systems & Network Admin         SETI Institute
http://bitshift.org             http://www.seti.org

From david at catwhisker.org Wed Apr 14 16:20:20 2004
From: david at catwhisker.org (David Wolfskill)
Date: Wed, 14 Apr 2004 16:20:20 -0700 (PDT)
Subject: Help getting ezmlm-stuff configured?
Message-ID: <200404142320.i3ENKK7l060112@bunrab.catwhisker.org>

Is it possible to get ezmlm-idx & ezmlm-web configured without drinking (large quantities of) DJB Kool-Aid?

I've got a situation where the MTA is -- unfortunately, IMNSHO -- qmail, and there's a moderate amount of infrastructure set up that depends on the MTA being qmail. :-( At one point, I was fairly keen on replacing it, but I now believe that the disruption would not be worth the benefit -- qmail ought to be able to be coerced into working well enough. Or so I hope.

And I have a requirement to implement mailing lists in this qmail environment, so ezmlm-idx-0.40 and ezmlm-web-2.1.3 had been installed, but not configured.

So I'm trying to get things working prior to a demo for next week...
and I keep running into documentation that appears to be about 4 years old, and it turns out that ezmlm-idx is basically a set of patches on top of ezmlm, and the docs that I do find tend to remind me of the Sidney Harris cartoon that shows a couple of scientists (or mathematicians) in front of a board; one has been explaining the diagrams and equations to the other (and the astute reader sees that in the middle is written "then a miracle occurs"), and his colleague comments "I think you should be more explicit in step two" -- http://www.sciencecartoonsplus.com/gallery.htm to get the proper effect. And I'm just not up to drinking much DJB Kool-Aid. Not when qmail's author writes "Every message should contain a Message-Id field" [from the qmail-header man page] (a perspective with which I happen to agree, at least for messages that pass from one administrative domain to another), but when I tried sending the qmail MTA a test message, it accepted the message, then subsequently determined the message to be undeliverable, then tried to create a bounce-o-gram to send back to my MTA ... but the bounce-o-gram did not *have* a Message-ID, so my MTA rejected it. Eh... I better stop before I get in a foul mood. :-( So -- has anyone managed to do this sort of thing, emerged without appreciable loss of sanity, and would be willing to provide a pointer or two? I'd appreciate it. Replies should probably be private; I'll summarize if there's interest. Thanks, david -- David H. Wolfskill david at catwhisker.org I do not "unsubscribe" from email "services" to which I have not explicitly subscribed. Rather, I block spammers' access to SMTP servers I control, and encourage others who are in a position to do so to do likewise. 
From alvin at ns.Linux-Consulting.com Wed Apr 14 17:09:58 2004
From: alvin at ns.Linux-Consulting.com (Alvin Oga)
Date: Wed, 14 Apr 2004 17:09:58 -0700
Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon - pwd
In-Reply-To: <20040414230113.GA16819@nag.inorganic.org>; from Roy S. Rapoport on Wed, Apr 14, 2004 at 04:01:13PM -0700
References: <407D7323.50001@pacbell.net> <20040414213758.GA27644@2004.snew.com> <20040414222326.GE5444@bitshift.org> <20040414230113.GA16819@nag.inorganic.org>
Message-ID: <20040414170958.A28554@Maggie.Linux-Consulting.com>

hi ya roy

On Wed, Apr 14, 2004 at 04:01:13PM -0700, Roy S. Rapoport wrote:
> On Wed, Apr 14, 2004 at 03:23:26PM -0700, Mark C. Langston wrote:

> Solution: DON'T PICK STUPID PASSWORDS. When appropriate and necessary
> (such as in the case of Wifi), don't let your users pick the password.

problem is some folks don't know what a good passwd is or what is stupid passwd and pass phrases

> > For the truly paranoid, you may assume all hosts have already been
> > compromised, and take steps to ensure data integrity and service
> > continuity.

it's always safe to assume that cracker has root access to any and all of the machines and protect what you can .. :-0

> For the truly paranoid, turn off your systems and go live under a rock.
> When someone comes near, throw that rock at them. Then, find another rock.
> Repeat as necessary.

and hopefully one gets bigger rocks and boulders instead of smaller ones to fend off the suspects

c ya
alvin

- btw .. if anybody is interested in setting up a tower w/ antenna etc, a non-profit entity ( sbay.org ) will be setting up these puppies
- i'm fairly sure the antenna is already available
- just need some testing before the boxes and antenna goes up to the tower ( test the sw, test the xmit/receive signals )

From rsr at inorganic.org Wed Apr 14 17:45:15 2004
From: rsr at inorganic.org (Roy S.
Rapoport) Date: Wed, 14 Apr 2004 17:45:15 -0700 Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon In-Reply-To: <20040414231354.GG5444@bitshift.org> References: <407D7323.50001@pacbell.net> <20040414213758.GA27644@2004.snew.com> <20040414222326.GE5444@bitshift.org> <20040414230113.GA16819@nag.inorganic.org> <20040414231354.GG5444@bitshift.org> Message-ID: <20040415004515.GB20449@nag.inorganic.org> On Wed, Apr 14, 2004 at 04:13:54PM -0700, Mark C. Langston wrote: > Were the solution simply "don't use weak (low-entropy) passwords", we > could put up web pages containing the contents of everyone's > /etc/shadow, confident that all the passwords contained therein were > strong. > > In much the same way that were the solution simply, "teach users not to > open email from strangers", we wouldn't have a virus problem. > > I'm afraid that, while the solution is trivial, the practical > application of the WPA weakness is still very valid, because the weak > link is biological. Right. What I'm saying, however, is that -- unless I misunderstand the basic concept behind WPA (disclosure: I haven't deployed it yet) -- nothing requires you to let the user select the password, right? So why not do "Hi, here's your new laptop with wireless card. And here's your WPA password: B2A40F73F92810." (BTW, this was auto-generated from an 11-line script I just wrote) Doesn't this solve the problem? > > Pshaw. That's really naive and trusting. > > > > For the truly paranoid, turn off your systems and go live under a rock. > > When someone comes near, throw that rock at them. Then, find another rock. > > Repeat as necessary. > > > > Piffle. You're an optimist. > > If you want to be really paranoid, turn off your systems, encase them in > Lucite, set the Lucite blocks in cement, drop the cement blocks down the > Marianas Trench, and use mass drivers and shaped charges to deflect the > planet's orbit into the heart of a convenient star. 
> > With luck, some of your data may escape prying eyes. "On a long enough timeline, the survival rate for everything drops to zero." -roy From claw at kanga.nu Wed Apr 14 17:47:20 2004 From: claw at kanga.nu (J C Lawrence) Date: Wed, 14 Apr 2004 20:47:20 -0400 Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon - pwd In-Reply-To: Message from Alvin Oga of "Wed, 14 Apr 2004 17:09:58 PDT." <20040414170958.A28554@Maggie.Linux-Consulting.com> References: <407D7323.50001@pacbell.net> <20040414213758.GA27644@2004.snew.com> <20040414222326.GE5444@bitshift.org> <20040414230113.GA16819@nag.inorganic.org> <20040414170958.A28554@Maggie.Linux-Consulting.com> Message-ID: <22401.1081990040@kanga.nu> On Wed, 14 Apr 2004 17:09:58 -0700 Alvin Oga wrote: > problem is some folks don't know what a good passwd is or what a > stupid passwd or pass phrase is The standard approach to this is to not let users set their own passwords, but to instead assign strong ones for them. I've usually seen this done with a small SSL wrapped web app that accepts the current auth data and spits back the new. Of course none of this prevents users from writing their passwords on post-it notes, or as in the case of the office across the hall from me, a long list of root passwords for hosts and switches written in sharpie marker on the side of the desk. > it's always safe to assume that a cracker has root access to any and all > of the machines and protect what you can .. :-0 I'm largely of the mind that administrative passwords are and were a bad idea from the get-go. IP-limited public keys with passphrases seem the better approach -- even better if you have a way to distinguish between a pass phrased key and a non-passphrased key without having the private key. -- J C Lawrence ---------(*) Satan, oscillate my metallic sonatas. claw at kanga.nu He lived as a devil, eh? http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.
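Roy's "assign the user a generated WPA password" idea, and Mark's reply that this mainly guards against the WPA hash being brute-forced, are worth seeing in working code. The block below is an added example written for this archive; it is not Roy's 11-line script and not anything posted to the list. It relies on one fact that is not on the page: WPA/WPA2-Personal maps the passphrase and SSID to the 256-bit PSK with PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output (IEEE 802.11i), and anyone who captures a 4-way handshake can test passphrase guesses offline against it, so the PSK is exactly as strong as the passphrase's entropy. The SSID `corp-guest` and the tiny wordlist are constructed for the example.

```python
"""WPA-PSK passphrase generation and offline guessing (added example).

Shows why a generated passphrase like B2A40F73F92810 resists the dictionary
attack that a user-chosen word does not: the attacker's work is bounded by
the passphrase's entropy, and PBKDF2's 4096 iterations only slow each guess.
"""
import hashlib
import hmac
import math
import secrets
from typing import Dict, Iterable, Optional

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i passphrase-to-PSK mapping
PSK_LEN = 32               # 256-bit PSK


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map an ASCII passphrase (8-63 chars) plus SSID to the 256-bit PSK.

    Known 802.11i test vector: ("password", "IEEE") ->
    f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN)


def generate_passphrase(n_bytes: int = 7) -> str:
    """Random uppercase-hex passphrase from the OS CSPRNG.

    n_bytes=7 gives the 14-character shape of the one in the thread, i.e.
    56 bits of entropy; n_bytes=16 gives 128 bits and still fits in 63 chars.
    """
    return secrets.token_hex(n_bytes).upper()


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string over an alphabet of that size."""
    return length * math.log2(alphabet_size)


def guess_passphrase(target_psk: bytes, ssid: str,
                     candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: the candidate that reproduces target_psk, or None."""
    for cand in candidates:
        if not 8 <= len(cand) <= 63:      # such candidates cannot be WPA passphrases
            continue
        if hmac.compare_digest(derive_psk(cand, ssid), target_psk):
            return cand
    return None


# Constructed stand-in for a real wordlist (assumption: not from the thread).
SAMPLE_WORDLIST = ["12345678", "password", "fluffy2004", "letmein1", "qwertyuiop"]


def demo(ssid: str = "corp-guest") -> Dict[str, object]:
    """Compare a user-chosen passphrase with a generated one against the wordlist."""
    weak_psk = derive_psk("password", ssid)
    strong_pp = generate_passphrase()
    strong_psk = derive_psk(strong_pp, ssid)
    return {
        "weak_recovered": guess_passphrase(weak_psk, ssid, SAMPLE_WORDLIST),
        "strong_recovered": guess_passphrase(strong_psk, ssid, SAMPLE_WORDLIST),
        "strong_entropy_bits": entropy_bits(16, len(strong_pp)),
    }


if __name__ == "__main__":
    print(demo())
```

What the example does not fix is the rest of Mark's point: a generated passphrase that ends up on a post-it, or a management decree for something memorable, drops the entropy back to whatever the wordlist can cover.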
From mark at bitshift.org Wed Apr 14 18:02:21 2004 From: mark at bitshift.org (Mark C. Langston) Date: Wed, 14 Apr 2004 18:02:21 -0700 Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon In-Reply-To: <20040415004515.GB20449@nag.inorganic.org> References: <407D7323.50001@pacbell.net> <20040414213758.GA27644@2004.snew.com> <20040414222326.GE5444@bitshift.org> <20040414230113.GA16819@nag.inorganic.org> <20040414231354.GG5444@bitshift.org> <20040415004515.GB20449@nag.inorganic.org> Message-ID: <20040415010221.GH5444@bitshift.org> On Wed, Apr 14, 2004 at 05:45:15PM -0700, Roy S. Rapoport wrote: > > Right. What I'm saying, however, is that -- unless I misunderstand the > basic concept behind WPA (disclosure: I haven't deployed it yet) -- nothing > requires you to let the user select the password, right? So why not do "Hi, > here's your new laptop with wireless card. And here's your WPA password: > B2A40F73F92810." (BTW, this was auto-generated from an 11-line script I just > wrote) > > Doesn't this solve the problem? > It minimizes the possibility that the WPA hash will be brute-forced. It significantly raises the possibility that the user in question will keep the password written down somewhere, or that management will decree that Easier Passwords Shall Be Used(TM). My Best Practice for deploying a wireless network is the following: 1) Deploy all wireless access points outside your edge, with standard precautions taken (MAC ACLs, high-entropy password, non-default SSID, no 802.11b/g/whathaveyou broadcast frames enabled, etc.) 2) Connections originating from/routed through the access point can go only one place: One end of a VPN, after authenticating to an internal LDAP, RADIUS, or similar system. All traffic will thus be wrapped in TCP 50/51 while in the air. 3) All traffic shall use encrypted protocols whenever possible. 
This implies that the AP's encryption, the AP's access restriction, the VPN's encryption, and the VPN's access restriction are still insufficient. Which is entirely true, because the whole bet's off if, after jumping through these hoops, the user then telnets, POP3s, or otherwise insecurely puts account name and password on the wire to a system that has access to your network, over whose transit you have no control. Because I can assure you to a fairly high degree of certainty that a great many users make an effort to use the same username and password everywhere, unless forced to do otherwise. 4) If possible, port and protocols will be firewalled at the VPN endpoint, before encapsulation, providing further control over traffic influx from the wireless network. 5) If possible, permitted traffic will be proxied outbound from the VPN, and restricted or prohibited otherwise. ...of course, this is my preferred remote access solution crossing an edge in either direction. Needless to say, I rarely if ever get to implement the full-spectrum best practice as described above. However, I try to insist on 1-4 when deploying wireless networks, and am only really comfortable negotiating away #4. There are other approaches that provide a similar level of security, if you're willing to grant access to all and sundry: E.g., put the AP outside your edge, and only allow traffic from the APs to travel out from your edge, never cross it. So wardrivers may end up with free bandwidth, but they'll hit a null route when trying to hit your infrastructure. -- Mark C. Langston Sr. 
Unix SysAdmin mark at bitshift.org mark at seti.org Systems & Network Admin SETI Institute http://bitshift.org http://www.seti.org From chuck+baylisa at snew.com Wed Apr 14 18:18:21 2004 From: chuck+baylisa at snew.com (Chuck Yerkes) Date: Wed, 14 Apr 2004 21:18:21 -0400 Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon In-Reply-To: <20040414231354.GG5444@bitshift.org> References: <407D7323.50001@pacbell.net> <20040414213758.GA27644@2004.snew.com> <20040414222326.GE5444@bitshift.org> <20040414230113.GA16819@nag.inorganic.org> <20040414231354.GG5444@bitshift.org> Message-ID: <20040415011821.GA7373@2004.snew.com> Quoting Mark C. Langston (mark at bitshift.org): > On Wed, Apr 14, 2004 at 04:01:13PM -0700, Roy S. Rapoport wrote: > > On Wed, Apr 14, 2004 at 03:23:26PM -0700, Mark C. Langston wrote: ... > In much the same way that were the solution simply, "teach users not to > open email from strangers", we wouldn't have a virus problem. And we didn't. Until users were convinced to use free, preinstalled programs that opened viruses for you. Yeah, they've fixed it, I know. Several times, they've fixed it. From alvin at Mail.Linux-Consulting.com Wed Apr 14 18:43:53 2004 From: alvin at Mail.Linux-Consulting.com (Alvin Oga) Date: Wed, 14 Apr 2004 18:43:53 -0700 (PDT) Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon - management In-Reply-To: <20040415010221.GH5444@bitshift.org> Message-ID: hi ya mark On Wed, 14 Apr 2004, Mark C. Langston wrote: > > here's your new laptop with wireless card. And here's your WPA password: > > B2A40F73F92810." (BTW, this was auto-generated from an 11-line script I just > > wrote) .. > It minimizes the possibility that the WPA hash will be brute-forced. brute force goes through all possibilities ?? dictionary attacks might be slowed down a bit ?? 
> It significantly raises the possibility that the user in question will > keep the password written down somewhere, or that management will decree > that Easier Passwords Shall Be Used(TM). 99% chance that the managers will make the passwd the name of their dog or spouse or the same as their atm pin# and 99% chance that the passwd will be written down somewhere as JC said earlier - but if they have physical access, i guess it really doesn't matter, as they now have free access to anything they want - hopefully, there's a lock and key to get into the server room, that emphasizes it's a secure/locked/off-limits area - and if your network/hosts are secured, nobody should be able to randomly get into the machine yyy even if they knew its passwds - one should only get in from certain machines only - rest of the machines attempting to connect should be considered crackers with the intent to rm -rf / > My Best Practice for deploying a wireless network is the following: > > 1) Deploy all wireless access points outside your edge, with standard > precautions taken (MAC ACLs, high-entropy password, non-default > SSID, no 802.11b/g/whathaveyou broadcast frames enabled, etc.) i'd add gw info into that list ... since mac addresses can be modified add ipsec to the list too ... the fun part to do i guess... > 2) Connections originating from/routed through the access point can > go only one place: One end of a VPN, after authenticating to > an internal LDAP, RADIUS, or similar system. All traffic will > thus be wrapped in TCP 50/51 while in the air. if you're allowing vpn from people's home network that is allowed to vpn into the secure network, the home network will be the weakest link - too many vpn problems and what gain does the company get for the extra risk ? 
( just as bad as wireless problems, imho ) and worse, the corp admin has zero control of the home network which can log into the secure corp network have fun alvin From fscked at pacbell.net Wed Apr 14 18:47:14 2004 From: fscked at pacbell.net (richard childers / kg6hac) Date: Wed, 14 Apr 2004 18:47:14 -0700 Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon In-Reply-To: <20040414213758.GA27644@2004.snew.com> References: <407D7323.50001@pacbell.net> <20040414213758.GA27644@2004.snew.com> Message-ID: <407DE9A2.7050901@pacbell.net> "Whereas my little AP does NOT have a 6' parabolic antenna and high gain radio in it." You seem to have missed an important point. I'll repeat it, below. "Whereas my little AP is hard to hear in the guest room." This is probably a consequence of geometry, antenna, or both. Better wireless cards provide a jack for the connection of an external antenna. I'd be happy to consult on this problem, separately. It's important to understand that an antenna which radiates strongly in a specific direction (at the expense of all other directions) also receives strongly (IE, possesses signal gain, measured in decibels) in that same direction - IE, it passively amplifies the signal. So, for the record, let me emphasize that it does not matter if your WAP has a 6' parabolic dish or a high gain radio; the absence is unimportant, from the hypothetical eavesdropper's point of view. What -does- matter is that, as the radius of the circle increases, the area containing people in a position to receive your 802.11b traffic - the volume of the circle - increases dramatically, also. The important point is that the radius of that circle should now be estimated to be at least one order of magnitude larger than you previously estimated it to be - perhaps two orders of magnitude. 
As an important corollary, it's safe to assume that the number of people in a position to receive your 802.11b traffic - as hinted at, above - is two to three orders of magnitude more than you previously estimated, as well. By my estimate, that translates into a two-to-three orders-of-magnitude increase in risk. Which is a number you can bring to your Board of Directors, if they still think 802.11b is a Pretty Good Idea (and it is, under many circumstances - but not all). "Yeah, references are a good idea when you make assertions." This sort of sniping is really beneath you. But since you bring up the subject ... You are welcome to dispute my assertions, but if you wish to undermine them, you need to provide some references of your own so that I, personally, can distinguish between objective facts - such as the abrupt, unannounced resignation of the Chairman of the Board of Directors of the Oracle Corporation, for instance, three days after a website connects his regi^H^H^H^Hmanagement with criminal conduct - and less well documented fantasies, by would-be critics ... reduced, alas, to picking at imaginary nits. (But I digress.) I have the courage of my convictions, Chuck. ... And, there's no law against exercising one's freedom of speech, provided it is done in a law-abiding manner. That is one of the major structural elements of the United States, one of the main pillars in the platform upon which everything else rests - the right to tell others what is happening, even if it's unsanctioned, or even unpopular. It's not just a right - it's a responsibility. If anyone allows themselves to be coerced into silence when they should tell others about something bad that is happening, they are hurting themselves and everyone around them ... just as much as if they saw the foundation of their house rotting, and ignored it, and let their family members walk up and down worm-eaten stairs, day after day. 
If the California and Federal governments spent as much money prosecuting Larry Ellison for some of the things he has done to the people of this state, as they do prosecuting victimless crimes, in one city, for one year, this state would be a safer place - and a safer place to do business ... in my opinion. You can quote me. Regards, -- richard -- Richard Childers / Senior Engineer Daemonized Networking Services 945 Taraval Street, #105 San Francisco, CA 94116 USA [011.]1.415.759.5571 http://www.daemonized.com From chuck+baylisa at snew.com Wed Apr 14 19:40:16 2004 From: chuck+baylisa at snew.com (Chuck Yerkes) Date: Wed, 14 Apr 2004 22:40:16 -0400 Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon - management In-Reply-To: References: <20040415010221.GH5444@bitshift.org> Message-ID: <20040415024016.GA28769@2004.snew.com> Quoting Alvin Oga (alvin at Mail.Linux-Consulting.com): ... > > It significantly raises the possibility that the user in question will > > keep the password written down somewhere, or that management will decree > > that Easier Passwords Shall Be Used(TM). > > 99% chance that the managers will make the passwd the name of > their dog or spouse or the same as their atm pin# > > and 99% chance that the passwd will be written down somewhere as JC said Again, do you have citations for this information or are you just pulling numbers out of your ass based on your beliefs and prejudices based on narrow experience? > > 1) Deploy all wireless access points outside your edge, with standard > > precautions taken (MAC ACLs, high-entropy password, non-default > > SSID, no 802.11b/g/whathaveyou broadcast frames enabled, etc.) > i'd add gw info into that list ... since mac addresses can be modified which is moot when it's as part of a continuing, authenticated protocol. ssh doesn't take well to another machine hopping in as one end suddenly. 
> if you're allowing vpn from people's home network that is allowed > to vpn into the secure network, the home network will be the weakest link > - too many vpn problems and what gain does the company get > for the extra risk ? ( just as bad as wireless problems, imho ) > > and worse, the corp admin has zero control of the home network > which can log into the secure corp network Right, and that shouldn't be a problem or an issue. PRESUME that the desktop (in work, at home) is compromised. Now work from that. SecureIDs (or similar) and encrypted connections are a big part. But this becomes a rerun doesn't it? From alvin at Mail.Linux-Consulting.com Wed Apr 14 20:46:56 2004 From: alvin at Mail.Linux-Consulting.com (Alvin Oga) Date: Wed, 14 Apr 2004 20:46:56 -0700 (PDT) Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon - management In-Reply-To: <20040415024016.GA28769@2004.snew.com> Message-ID: hi ya chuck On Wed, 14 Apr 2004, Chuck Yerkes wrote: > > 99% chance that the managers will make the passwd the name of > > their dog or spouse or the same as their atm pin# > > > > and 99% chance that the passwd will be written down somewhere as JC said > > Again, do you have citations for this information or are you > just pulling numbers out of your ass based on your beliefs > and prejudices based on narrow experience? i see you like to ride my butt eh, yeah, it's all fake shit based on my little world of reality of managers that want their passwd and by the way, i've never worked a day in my life doing passwd stuff so i have zero experience and i'm 1 year old and act that way just for you :-0 relax ... it's not a "prove it" or i call you names .. it ain't the end of your world > > and worse, the corp admin has zero control of the home network > > which can log into the secure corp network > > Right, and that shouldn't be a problem or an issue. PRESUME that > the desktop (in work, at home) is compromised. Now work from that. good ... 
and, it means they cannot connect to begin with and have to wait till morning to have a sit down chat w/ managers and computer usage and security policies and for fun, do you wanna cite a study, of what kind of work people do from home that couldn't wait till the next work day ?? - probably different kind of work if you're a coder vs managers vs sales droid vs tech supp vs ... c ya alvin From fscked at pacbell.net Thu Apr 15 20:21:43 2004 From: fscked at pacbell.net (richard childers / kg6hac) Date: Thu, 15 Apr 2004 20:21:43 -0700 Subject: Packet Marking for Traceback of Illegal Content Distribution Message-ID: <407F5147.6040609@pacbell.net> In the spirit of continuing education ... "To defend against spam and viruses or to stop illegal file sharing, an organization must be able to identify the originator of the offending messages. However, spammers, pirates and hackers most often use incorrect, disguised or false addresses on their messages or data packets to deter trace back. Such spoofed addresses are illegal in the U.S. but so far, effective. To overcome such spoofed source addresses, the Penn State researchers propose a strategy in which every message or data packet is marked with an identifying number by a border router. Border routers are peripheral stations that a packet passes through on its way onto the Internet. Since every packet is forwarded onto the Internet and marked by only one trustworthy border router, spoofers would not be able to insert false marks on their packets to undermine trace back. The packets would always be traceable to a specific border router and could be stopped or investigated at that point." Ah, but who guards the guardians? That is, the efficacy of this concept relies upon the administrators of the routers being (a) competent and (b) beyond bribery or other corruption ... in an economy choked with under-educated, and under-paid, personnel. 
The complete URL - for those who do not shield their eyes when they see HTML - is below: http://www.psu.edu/ur/2004/traceback.html Regards, -- richard -- Richard Childers / Senior Engineer Daemonized Networking Services 945 Taraval Street, #105 San Francisco, CA 94116 USA [011.]1.415.759.5571 http://www.daemonized.com From jeff at drinktomi.com Thu Apr 15 16:35:23 2004 From: jeff at drinktomi.com (Jeff With The Big Yellow Suit) Date: Thu, 15 Apr 2004 16:35:23 -0700 Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon - pwd In-Reply-To: <20040414170958.A28554@Maggie.Linux-Consulting.com> References: <407D7323.50001@pacbell.net> <20040414213758.GA27644@2004.snew.com> <20040414222326.GE5444@bitshift.org> <20040414230113.GA16819@nag.inorganic.org> <20040414170958.A28554@Maggie.Linux-Consulting.com> Message-ID: <407F1C3B.4080207@drinktomi.com> >>Solution: DON'T PICK STUPID PASSWORDS. When appropriate and necessary >>(such as in the case of Wifi), don't let your users pick the password. >> >> >problem is some folks don't know what a good passwd is or what a stupid >passwd or pass phrase is > > Exactly. Computer security applications have moved very rapidly into the consumer electronics arena. Unless thought is given to addressing these concerns in a user-friendly way security concerns won't be addressed. Doing the secure thing needs to be insanely easy. I imagine key choice and exchange as being automatable. Picture every wireless device having a little contact area. If you want two devices to communicate then you touch them together and hold down a little button on each device. When their lights go green they have exchanged the session key. Now they will talk together over a wireless connection. You could have a little wand device that picks a random key, or picks one up from another device. You can use this wand to set the keys in other devices about your house. Or for meetings you could have a little session pad. You press a button and it chooses a key. 
Everyone in the meeting syncs their devices to it. The session pad could be built into devices like conference phones. (Everyone wants to fondle the landmine in the middle of the table anyway.) The scheme could be generalized to handle a number of underlying encryption schemes. It doesn't prevent someone from walking in and stealing the key from another device, but it does require physical access. There are problems with the scheme, but it potentially raises the bar pretty far. -jeff From rsr at inorganic.org Thu Apr 15 21:26:11 2004 From: rsr at inorganic.org (Roy S. Rapoport) Date: Thu, 15 Apr 2004 21:26:11 -0700 Subject: Packet Marking for Traceback of Illegal Content Distribution In-Reply-To: <407F5147.6040609@pacbell.net> References: <407F5147.6040609@pacbell.net> Message-ID: <20040416042610.GA22793@nag.inorganic.org> On Thu, Apr 15, 2004 at 08:21:43PM -0700, richard childers / kg6hac wrote: > To overcome such spoofed source addresses, the Penn State researchers > propose a strategy in which every message or data packet is marked with > an identifying number by a border router. Border routers are peripheral > stations that a packet passes through on its way onto the Internet. > > Since every packet is forwarded onto the Internet and marked by only one > trustworthy border router, spoofers would not be able to insert false > marks on their packets to undermine trace back. The packets would always > be traceable to a specific border router and could be stopped or > investigated at that point." Is it just me, or does this translate to "as long as every entry point to the internet does the Correct Thing and uses our suggested system to mark their outbound packets, we'll make sure that nobody forges TCP/IP," which sort of neglects the fact that, today, every entity's border gateway is ethically supposed to do this anyway -- certainly, my _home_ router is set to start screaming if it sees packets outbound from a network other than my own. 
In other words, if everyone followed their complex solution, the problem would be solved; but if everyone was willing to do something like this, they'd be even more willing to use current capabilities to do something much simpler that would *also* solve the problem. That people aren't doing that suggests that they wouldn't be able to do something even more complicated. > The complete URL - for those who do not shield their eyes when they see > HTML - is below: > > http://www.psu.edu/ur/2004/traceback.html That's HTML in the same way that this is HTML. Technically true, but meaningless. -roy From lanning at monsoonwind.com Thu Apr 15 23:35:31 2004 From: lanning at monsoonwind.com (Robert Hajime Lanning) Date: Thu, 15 Apr 2004 23:35:31 -0700 (PDT) Subject: Packet Marking for Traceback of Illegal Content Distribution In-Reply-To: <407F5147.6040609@pacbell.net> References: <407F5147.6040609@pacbell.net> Message-ID: <37165.192.168.128.30.1082097331.squirrel@192.168.128.30> > "To defend against spam and viruses or to stop illegal file sharing, an > organization must be able to identify the originator of the offending > messages. However, spammers, pirates and hackers most often use > incorrect, disguised or false addresses on their messages or data > packets to deter trace back. Such spoofed addresses are illegal in the > U.S. but so far, effective. Ah, but, how many spams/viruses have spoofed IP addresses? I have yet to receive a spam/virus that contains, or was sent from, a spoofed IP address. I have spams that have spoofed/forged "Received:" headers, but the IP address that connected to my mailserver is real enough. They really need to do some research on this. The only way to have a spoofed IP address make a full TCP connection (to send an email, or to send a file) is to (1) be at the right router between points A and B, or (2) grab the route for the "spoofed" IP address. 
Now, you can do DoS attacks with spoofed addresses, as you usually do not need any of the return traffic. And as Rich said, it relies on every administrator configuring their border routers correctly. Then again, if all the ISPs maintained proper anti-spoofing ACLs, at their borders, spoofing would not be a problem. No need for any new protocols, or modifications to protocols. This really sounds like somebody had an idea, and is now looking for a problem it can solve. -- END OF LINE -MCP From gwen at reptiles.org Fri Apr 16 07:39:28 2004 From: gwen at reptiles.org (Gwendolynn ferch Elydyr) Date: Fri, 16 Apr 2004 10:39:28 -0400 (EDT) Subject: Hams Report 85-mile 802.11b File Transfers @ Oregon In-Reply-To: <407DE9A2.7050901@pacbell.net> Message-ID: <20040416103831.A1054-100000@iguana.reptiles.org> On Wed, 14 Apr 2004, richard childers / kg6hac wrote: > I have the courage of my convictions, Chuck. ... And, there's no law > against exercising one's freedom of speech, provided it is done in a > law-abiding manner. That is one of the major structural elements of the > United States, one of the main pillars in the platform upon which > everything else rests - the right to tell others what is happening, even ... but what does this have to do with the direction that we cut our sandwiches in? cheers! ========================================================================== "A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now." From michael at halligan.org Fri Apr 16 18:40:20 2004 From: michael at halligan.org (Michael T. Halligan) Date: Fri, 16 Apr 2004 18:40:20 -0700 (PDT) Subject: Anyone interested in sharing rackspace in SF? Message-ID: 365 main is giving me a good deal on another rack, but I only need 1/2 rack right now. 
I was wondering if anybody would be interested in going in on a rack with me (my consulting company anyways)? Michael ------------------- Michael T. Halligan Chief Geek Halligan Infrastructure Designs. http://www.halligan.org/ 2250 Jerrold Ave #11 San Francisco, CA 94124-1012 (415) 724.7998 - Mobile From bill at wards.net Thu Apr 22 13:53:39 2004 From: bill at wards.net (William R Ward) Date: Thu, 22 Apr 2004 13:53:39 -0700 Subject: PenLUG Tonight: SGI Altix Message-ID: <16520.12499.493372.306040@komodo.home.wards.net> Tonight the Peninsula Linux Users Group will feature a speaker from SGI (Silicon Graphics), Wayne Vieira. Here are the details about this meeting. For more information or directions go to http://www.penlug.org/ Please join our "members" mailing list, or the "announce" list if you just want announcements of upcoming events. Follow the links from our home page. Our website is a TWiki; please feel free to create a user account and modify the website if you have something to contribute. Thanks! Date: Thursday, April 22, 2004 Time: 7:00 - 9:00 PM Location: 100 Oracle Parkway, Redwood Shores, CA 94065 Room 1op104 Conference Call: If you cannot attend in person, but would like to dial in and listen, please send mail to conferencecall at penlug.org and we will try to accomodate you. Agenda: ======= 7:00 - 8:30 PM: Presentation by Wayne Vieira, SGI 8:30 - 9:00 PM: Members' Minutes 9:00 PM: Adjourn to IHOP (Belmont) for social & food time Presentation by Wayne Vieira, SGI ================================= The presentation will cover technical issues regarding SGI's Altix 3000 and 300 HPC systems, which leverage Silicon Graphics' NUMALink technology on Intel's Itanium2 processors and the Linux operating system, enabling scaling from 1 to 2048 processors within this high-bandwidth/low-latency interconnect fabric. Single systems with only 1 copy of the operating system resident can be as large as 512 processors and 8TB of memory. 
A true shared memory multiprocessor system, the Altix series enables high-performance computer users insight like never before. Topics to be discussed are: SGI NUMAFlex architecture Altix3000 system overview Altix350 system overview Developing applications on large Linux systems SGI's Linux development and support strategy SGI Altix Visualization System for Linux (VSL) development Questions will follow. Members' Minutes ================ Members will have an opportunity to take a few minutes to... * Describe their latest Linux discovery * Ask questions and get help from other members * Discuss Linux projects You can just stand up and talk, or give a short demo or presentation. If you need audio/visual support for your Members' Minute, please contact Bill in advance to arrange for your needs. Although it is NOT required, we like to have an idea of how many people to expect, so if possible please email rsvp at penlug.org if you are planning to attend. -- William R Ward bill at wards.net http://www.wards.net/~bill/ ----------------------------------------------------------------------------- Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it's the only thing that ever has. -- Margaret Mead From rleedy at ketera.com Fri Apr 23 09:36:26 2004 From: rleedy at ketera.com (Ron Leedy) Date: Fri, 23 Apr 2004 09:36:26 -0700 Subject: Setting locale settings Message-ID: <5444A9998C69D5458C5330D1A64DE387B83567@kexbe1.ketera.com> How do I set the locale variables? 
Such as: LANG= LC_CTYPE=en_US.ISO8859-1 LC_NUMERIC=en_US.ISO8859-1 LC_TIME=en_US.ISO8859-1 LC_COLLATE=en_US.ISO8859-1 LC_MONETARY=en_US.ISO8859-1 LC_MESSAGES=C LC_ALL= Thank you, Ron From david at catwhisker.org Sat Apr 24 20:07:42 2004 From: david at catwhisker.org (David Wolfskill) Date: Sat, 24 Apr 2004 20:07:42 -0700 (PDT) Subject: Setting locale settings In-Reply-To: <5444A9998C69D5458C5330D1A64DE387B83567@kexbe1.ketera.com> Message-ID: <200404250307.i3P37gMT025305@bunrab.catwhisker.org> >Subject: Setting locale settings >Date: Fri, 23 Apr 2004 09:36:26 -0700 >From: "Ron Leedy" >To: >Sender: owner-baylisa at baylisa.org >How do I set the locale variables? Such as: >LANG= >LC_CTYPE=en_US.ISO8859-1 >LC_NUMERIC=en_US.ISO8859-1 >LC_TIME=en_US.ISO8859-1 >LC_COLLATE=en_US.ISO8859-1 >LC_MONETARY=en_US.ISO8859-1 >LC_MESSAGES=C >LC_ALL= Standard answer #0: it depends. In this case, a great deal depends on the applications/programs that you wish to be aware of the variables, and the computing environment that you wish to influence by doing so. Here are ways I might do it for some environments I might wish to influence: * For the local X server (usually, my laptop, running FreeBSD): - Set the variables (as environment variables) in ~/.xsession. - Same as above, but in my ~/.cshrc -- but this only works because my ~/.xsession is a csh script (the only one I've written, honest!) that "sources" ~/.cshrc. * For applications running on some arbitrary machine somewhere in the world to which I login and use csh as my login shell (thus implying that the remote environment is sufficiently UNIX-like to support csh): - Set the variables (as environment variables) in ~/.login. * Depending on the application, there may be some application-specific initialization file (ref. ~/.xsession, in the case of X sessions started via xdm & similar applications); it may be possible to specify such things in that file. 
* If the application were (say) a Perl script of my own, I might do any of the above, or cobble up something within the script itself to set the variables (if, for whatever reason, I didn't wish to trust or use environment variables as they were set at the time the script started). Note that in my present case, the computing environments I wish to influence tend to be UNIX-ish (and in particular, FreeBSD for the most part, with Solaris a distant second place). Even if I recalled how to do such things in MVS (IBM mainframe), I doubt that my memories would be all that applicable to mainframe environments within the last 5 years or so. Note, too, that some environments are more amenable to manipulation than others. :-} >Thank you, Sorry about the delay; was working on an email backlog of moderate size. I hope the above provide some clues for you. Peace, david -- David H. Wolfskill david at catwhisker.org I do not "unsubscribe" from email "services" to which I have not explicitly subscribed. Rather, I block spammers' access to SMTP servers I control, and encourage others who are in a position to do so to do likewise.
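The locale exchange above answers "where do I set the variables" but not "which one wins", which is what makes Ron's listing (LANG and LC_ALL empty, LC_MESSAGES=C, the rest en_US.ISO8859-1) behave the way it does. The block below is an added example written for this archive, not code from the thread or from David's reply. It encodes the POSIX/glibc precedence rule, which is not stated on the page: for each category, a non-empty LC_ALL overrides everything, otherwise the specific LC_<CATEGORY> applies, otherwise LANG, otherwise the "C" locale. The `is_safe_locale_name` check is an editorial addition on top of that: locale names select locale data files on disk, and when they arrive from a remote client (sshd's `AcceptEnv LANG LC_*`) or survive `sudo` via `env_keep`, they are untrusted input, so the pattern it enforces is a policy assumption, not a rule from the page.

```python
"""Locale variable precedence and a safety check (added example).

resolve_locale() computes the effective locale per category the way
setlocale(LC_ALL, "") would see it; locale_env() builds a child-process
environment with explicit settings; is_safe_locale_name() rejects values
that could never be legitimate locale names (path separators, "..").
"""
import os
import re
from typing import Dict, Mapping, Optional

CATEGORIES = ("LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_COLLATE",
              "LC_MONETARY", "LC_MESSAGES")

# language[_TERRITORY][.CODESET][@modifier], e.g. en_US.ISO8859-1, de_DE.UTF-8@euro, C
_LOCALE_NAME = re.compile(r"^[A-Za-z0-9_]+(\.[A-Za-z0-9-]+)?(@[A-Za-z0-9_-]+)?$")


def resolve_locale(env: Mapping[str, str]) -> Dict[str, str]:
    """Effective locale for each category, given an environment mapping.

    Empty values count as unset, which is why LANG= and LC_ALL= in Ron's
    listing leave the per-category LC_* values in force.
    """
    lc_all = env.get("LC_ALL") or None
    lang = env.get("LANG") or None
    return {cat: lc_all or env.get(cat) or lang or "C" for cat in CATEGORIES}


def locale_env(lang: Optional[str] = None,
               overrides: Optional[Mapping[str, str]] = None,
               base: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Environment for a child process (pass as subprocess.run(..., env=...)).

    LC_ALL is dropped so that the per-category overrides actually apply;
    every value is validated before it goes into the environment.
    """
    env = dict(base if base is not None else os.environ)
    env.pop("LC_ALL", None)
    if lang is not None:
        if not is_safe_locale_name(lang):
            raise ValueError(f"rejecting locale name {lang!r}")
        env["LANG"] = lang
    for cat, value in (overrides or {}).items():
        if cat not in CATEGORIES:
            raise ValueError(f"unknown locale category {cat}")
        if not is_safe_locale_name(value):
            raise ValueError(f"rejecting locale name {value!r} for {cat}")
        env[cat] = value
    return env


def is_safe_locale_name(value: str) -> bool:
    """True if value looks like a locale name and cannot name a filesystem path."""
    return bool(_LOCALE_NAME.match(value)) and ".." not in value


# Ron's settings, as posted in the thread.
RON_ENV = {
    "LANG": "", "LC_ALL": "",
    "LC_CTYPE": "en_US.ISO8859-1", "LC_NUMERIC": "en_US.ISO8859-1",
    "LC_TIME": "en_US.ISO8859-1", "LC_COLLATE": "en_US.ISO8859-1",
    "LC_MONETARY": "en_US.ISO8859-1", "LC_MESSAGES": "C",
}

if __name__ == "__main__":
    for cat, val in resolve_locale(RON_ENV).items():
        print(f"{cat}={val}")
```

The same resolver also explains a common surprise with David's ~/.login or ~/.cshrc approach: if anything earlier in the login chain exports a non-empty LC_ALL, every per-category variable set afterwards is silently ignored.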