Linux-Advocacy Digest #452, Volume #32           Sat, 24 Feb 01 18:13:03 EST

Contents:
  Re: RTFM at M$ (Brent R)
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] (Mig)
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] (Peter da Silva)
  Re: State of linux distros (Bob Hauck)
  Re: M$ doing it again! ("Adam Warner")
  Re: Could Linux be used in this factory environment ? ("Adam Warner")
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] ("Bobby Shaftoe")
  Re: Could Linux be used in this factory environment ? (mlw)
  Re: Does anyone know how much computer power we have/ (Peter Hayes)
  Re: State of linux distros (Peter Hayes)
  Re: Stability of 2.4.1? (Stefan Ohlsson)
  Re: RTFM at M$ (Glitch)
  Re: It's just too easy (T. Max Devlin)
  Re: Now we know why Allchin was tweaked! ("Adam Warner")
  Re: Something Seemingly Simple. ("Mark Duell")
  Re: Does anyone know how much computer power we have/ (Glitch)
  Re: Something Seemingly Simple. ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: Brent R <[EMAIL PROTECTED]>
Crossposted-To: alt.destroy.microsoft
Subject: Re: RTFM at M$
Date: Sat, 24 Feb 2001 20:55:13 GMT

Chris Ahlstrom wrote:
> 
> Brent R wrote:
> >
> > SPAMMERS use that trick a lot. There's also some way to enter in URL as
> > octal, hex, and binary numbers but I forget how; and there's a way to
> > 'comment out' characters in the middle of addresses.
> >
> > Why browsers allow this is beyond me.
> 
> Well, if you're going to allow a browser to accept code, shouldn't
> you also allow it to accept "comments".
> 
> HAW HAW HAW!!!
> 
> Chris

NO, I figured that's why it did it, but... why would you need comments
in a URL?
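The host spellings mentioned above (octal, hex and plain-integer addresses, plus the "user@" trick) are exactly what a defender wants to normalize before comparing a URL against a blocklist or reading it in a proxy log. The following is an added example, not code from the original thread or from any browser project; the function names and sample URLs are constructed. It canonicalizes the numeric host forms that classic `inet_aton()`-style parsers accept (hex, octal, decimal, and fewer than four components) into dotted-decimal and reports whether a userinfo `@` precedes the real host.

```python
import re
from urllib.parse import urlsplit

# Example code, not from the original post. Names and sample URLs are
# constructed for illustration.

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]+")
_DEC = re.compile(r"[0-9]+")


def _numeric_part(part):
    """Interpret one dotted component the way classic inet_aton() does:
    0x.. is hex, a leading 0 means octal, otherwise decimal. Returns None
    if the component is not a well-formed number in any of those bases."""
    if _HEX.fullmatch(part):
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        # "08" and "09" are neither valid octal nor accepted as decimal
        return int(part, 8) if _OCT.fullmatch(part) else None
    if _DEC.fullmatch(part):
        return int(part, 10)
    return None


def canonical_ipv4(host):
    """Return the dotted-decimal form of a numeric IPv4 host written in any
    inet_aton() form (a, a.b, a.b.c or a.b.c.d with hex/octal/decimal parts),
    or None when the host is not such an address (e.g. a DNS name)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_numeric_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    # every component except the last is a single byte; the last one fills
    # whatever bytes remain (so "127.1" is 127.0.0.1)
    if any(v > 0xFF for v in values[:-1]):
        return None
    tail_bytes = 5 - len(values)
    if values[-1] >= 1 << (8 * tail_bytes):
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * tail_bytes)) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe_url_host(url):
    """Return (host as written, canonical host, userinfo_present) for a URL.
    urlsplit() already discards any 'user:pass@' prefix and the port, so the
    host returned is the one a client would actually connect to."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    canonical = canonical_ipv4(host) or host
    return host, canonical, "@" in parts.netloc


if __name__ == "__main__":
    for sample in ("http://0x7f.0.0.1/", "http://0177.0.0.1/",
                   "http://2130706433/", "http://www.bank.example@127.1/login"):
        print(sample, "->", describe_url_host(sample))
```

A filter that compares `canonical` rather than the raw text treats all four sample spellings as the same address, and a non-empty userinfo flag is a cheap signal that the part of the URL a reader sees first is not the host the browser will contact.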

------------------------------

From: Mig <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Date: Sat, 24 Feb 2001 21:55:43 +0100

Chad Myers wrote:

> 
> "Shane Phelps" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Chad,
> >
> > We're still waiting for all this evidence about shoddy encryption in SSH
> >
> > Please enlighten us
> >
> > BTW, I've taken the liberty of cross-posting this to comp.security.ssh
> > :-)
> 
> I've already listed the exploits. They may have been patched, but how
> many systems out there are patched? If SSH is so great, why then does
> it have so many vulnerabilities?
> 
> Why is SSH1 considered "fundamentally flawed" by its own makers?
 
You are an embarrassment Chad. You actually managed to lower the quality of 
the advocacy groups. It's time for you to get out of this thread Chad... I 
hoped you already had done that since you've been quiet for a few days.

It has been pointed out to you again and again by people that work on SSH that 
you don't know what you're talking about (neither do I and I use ssh 
irregularly).  You simply are not capable of understanding the issues and 
everything has been explained to you... so help yourself and read the FAQ 
at www.openssh.net... just click under Resources on your left.. there's 
even a manual

-- 
Cheers

------------------------------

From: [EMAIL PROTECTED] (Peter da Silva)
Crossposted-To: comp.os.ms-windows.nt.advocacy,alt.dev.null
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Date: 24 Feb 2001 20:58:32 GMT

In article <NJTl6.7512$[EMAIL PROTECTED]>,
Chad Myers <[EMAIL PROTECTED]> wrote:
> I've already listed the exploits. They may have been patched, but how
> many systems out there are patched? If SSH is so great, why then does
> it have so many vulnerabilities?
> 
> Why is SSH1 considered "fundamentally flawed" by its own makers?

This is the same message you posted over a week ago. What, the flame
war was dying down? You needed to repost it?

You're wrong about there being any exploits. There are a few potential
vulnerabilities that are so hard to exploit that the ONE suspected ssh
compromise turned out to be a stolen password. Even if nobody patched
any of those SSH1 systems, they would still be safer than any sites
*not* using SSH... including ones using Microsoft's remote management
software, because SSH has far fewer vulnerabilities than most software,
even security software. You came up with a list of *three* issues, all
minor, all fixed, all sufficiently hard to exploit that nobody's
actually done so... that's insanely good, compared to most of the stuff
out there.

Finally, the author of SSH has an economic interest in convincing people
to use SSH2 instead of SSH1, so you need to take anything he says about
them with a grain of salt.

Followups set to an alt group I created for this purpose ten years ago.

-- 
 `-_-'   In hoc signo hack, Peter da Silva.
  'U`    "A well-rounded geek should be able to geek about anything."
                                                       -- [EMAIL PROTECTED]
         Disclaimer: WWFD?

------------------------------

From: [EMAIL PROTECTED] (Bob Hauck)
Subject: Re: State of linux distros
Reply-To: bobh = haucks dot org
Date: Sat, 24 Feb 2001 21:43:41 GMT

On Sat, 24 Feb 2001 13:50:41 GMT, Reefer <[EMAIL PROTECTED]> wrote:

>"pip" <[EMAIL PROTECTED]> wrote in message

>> If you have a faulty RAM chip, would windows be able to map around
>> the bad addresses so that you can continue to use it?
>
>with a ECC-stick? ...yes!

We don't need no steenking ECC: <http://rick.vanrein.org/linux/badram/>

-- 
 -| Bob Hauck
 -| To Whom You Are Speaking
 -| http://www.haucks.org/

------------------------------

From: "Adam Warner" <[EMAIL PROTECTED]>
Subject: Re: M$ doing it again!
Date: Sun, 25 Feb 2001 10:19:32 +1300

In article <[EMAIL PROTECTED]>, "Brent R"
<[EMAIL PROTECTED]> wrote:

> Martigan wrote:
>> 
>> Well it seems that good Ol' Bill is doing it again, and the world does
>> nothing!
>> 
>>     M$ Claims it has created a new environment for Whistler which
>>     allows
>> users to customize their desk top...Like X ...now M$ is "claiming"
>> partial opensource.  To me this is scary!
> 
> Do you have a link for this? I need proof, because somehow I don't think
> you're an impartial observer.

All I know is that just a few days ago Microsoft had abandoned full
skinning, and was closing the APIs from developers:

http://www.theregister.co.uk/content/4/17001.html

'We first heard the rumour that Microsoft was dropping plans to "skin"
Microsoft XP during Comdex. Now Redmond says it won't be releasing those
theming APIs to developers. It's also likely that Microsoft will attempt
to control the third party themes by bouncing digitally signed themes off
the system.'

This would certainly be a different approach by MS, so I too would
appreciate the URL.

Regards,
Adam

------------------------------

From: "Adam Warner" <[EMAIL PROTECTED]>
Subject: Re: Could Linux be used in this factory environment ?
Crossposted-To: comp.os.linux.hardware,comp.os.linux.misc
Date: Sun, 25 Feb 2001 10:47:13 +1300

Hi Peter,

> What I'm trying to do, is design a factory inventory system.  To keep
> cost down I want to use Linux.  The model I'm using, is a furniture
> factory.  I want to design a system that will allow  the factory to keep
> track of their "work in progress" and finished goods.  I'm guessing that
>  this will be a little more complicated than your average inventory
> system?

Well as others have said you'll probably want to use an *SQL database.

> Of course the workers would have to access the system to enter data,
> etc, so the user interfaces can't be too complicated (GUI?).

Your workers would know how to use a web browser, so why not make the
inventory system accessible through any web browser? The MySQL database
and PHP scripting language would be a good combination for this task.

> SOFTWARE
> 
> Is there any "open source" software that can help me with the inventory
> and tracking ?  or

Try search words such as 'inventory' over at www.freshmeat.net. There are
quite a few potential candidates.

Remember that you do not have to release the source to your software even
if it is GPLed unless you decide to distribute the code. Even so you may
of course want to share the code.

> Would it make more sense to just buy the software (for linux) ?

It would probably make more sense to buy support for a custom solution.

> HARDWARE

<snip>

> this up!!!) On the server side, things get a little tricky, maybe (just
> maybe) tie into a win 2000 server (A lot depends on what existing system
> they already have, and we all know that many of the existing systems
> will be win98, etc).

You don't actually know the state of the present computer system at the
factory? Then this is bogus.  Still you shouldn't have compatibility
problems accessing the server from Win98 clients, particularly if a web
browser is used to access the inventory system.

> I guess the management would need to access the data entered by the
> factory workers to check progress, productivity, etc. A linux server
> could be used and we could somehow give the management access to this
> server though their existing win boxes (secure CRT ?). Or we could
> design a simple way to access and read the data in linux
> (write a small reporting program or use some simple database program)
> and also have the forms printed automatically at the end of the day.

Again, you could make the data accessible from a web browser.

> SUPPORT
> 
> Depending on the size of the factory, in-house linux/windows support
> would be smart, But if it's a small company, then they could call on the
> systems/software provider (me) for support.  From what I read about
> linux, if I design the system right, there won't be too many problems.  I
> would probably set up a service contract where I would come in every
> month and check things out.

I'm sorry but if you only know GNU+Linux from "what you read" you are
certainly not qualified enough to be support.

> SECURITY
> 
> This system would not be accessible from the outside, This is a lone
> factory (pretty rare in today's world, but let's keep things simple :)
> Managers would have internet access, so normal virus protection, and
> other precautions would be in place.

So long as the computers that can access the database also have Internet
access then security will be incredibly important.

With the money saved, why not use that money for separate low-end clients
to access the inventory system (that is, partition off the inventory
system from the Internet)?

Regards,
Adam

------------------------------

From: "Bobby Shaftoe" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy,comp.security.ssh
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Date: Sat, 24 Feb 2001 21:48:36 -0000

It seems to me, Chad, that all you've succeeded in doing is causing a large
quantity of the regular users of this newsgroup to lose a whole load of
respect for you.  Am I correct in saying that the one outstanding
'fundamental flaw' in SSH is its "insecure" man-in-the-middle attack during
initial key exchange?

I'm hoping you've done all your research before crying wolf, because we all
know that there isn't an encryption or certification algorithm on the planet
that can authenticate an anonymous system.  It is for this reason that
trusted third parties were conceived.  If you exchange your first ever key
across the Internet (or any other public network) then you have to accept
that the key could have been compromised at that moment, but then, you
wouldn't do that on a "secure" system, would you?

In addition, you must also be aware that SSH2 does not improve the situation
here.  Just like SSH1, OpenSSH and SSL, the secure transports used by things
such as BACS cannot circumvent the key exchange problems we have in this day
and age.  If you exchange keys in a secure manner, and trust the server and
client integrity, then you have a secure system.  If you do your first key
exchange over the Internet and think you're secure, you're a fool, and you
should have read the manual.  This holds true for any key exchange, not just
the public/private keys in SSH.

Fingerprinting overcomes some of these issues, but how can you trust the
fingerprint?  This is why PGP keys as used internationally are traditionally
fingerprinted over the telephone.  It may not be secure, but it's another
system the man-in-the-middle must crack to compromise the key.

The security issues illustrated in SSH1 and 2 have all been fixed, and new
flaws will continue to be fixed as soon as possible.  It means I have to be
vigilant to ensure my systems are as secure as they need to be, but it's
preferable to closed systems, where a serious security flaw can go years
without being noticed, and months without being fixed.

I'd like to know how SSH becomes susceptible to further attacks by being
based on Telnet.  The telnet protocol is a proven remote access system, the
risky clear-text password and IP based authentication has been solved since
SSH's original beta.  I'm guessing that you don't drive a car, because its
new fuel-injection, variable-valve timed engine is still based on the
principles of internal combustion developed in the 19th Century, even though
a large number of the pollution and efficiency questions have been answered.
Even though flawed, a combustion engine is still the most practical manner
of transport available to the general public.

In summary, those people that do not research, maintain and update the
systems and procedures they rely on are likely to suffer.  So what?  It
keeps me in a job.

Bobby.
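The point above, that a first key exchange over an untrusted network is only as good as the out-of-band check of the fingerprint, can be shown as a small host-key verification routine. This is an added example, not code from the original post or from OpenSSH: it parses an OpenSSH-format public-key line, computes the fingerprint in both the MD5 colon-hex form used at the time and the newer SHA256 form, and decides whether to accept the key against a known_hosts table and an expected fingerprint obtained out of band (for instance read over the telephone, as the post describes for PGP). The host keys are constructed from fixed bytes purely for illustration and are not real server keys.

```python
import base64
import hashlib
import struct

# Example code, not from the original post or from OpenSSH. The host keys
# built below come from fixed bytes and exist only for illustration.


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_pubkey_line(raw32, comment="constructed-host"):
    """Build an OpenSSH public-key line ('ssh-ed25519 <base64 blob> <comment>')
    from 32 raw key bytes. Used here only to create constructed sample keys."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def parse_pubkey_line(line):
    """Return (key type, raw key blob) from a public-key line, checking that
    the type encoded inside the blob matches the text field in front of it."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match blob")
    return keytype, blob


def fingerprint_sha256(blob):
    """OpenSSH's current display form: SHA256:<unpadded base64 of the digest>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """The older colon-separated hex form: MD5:aa:bb:...:ff."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def check_host_key(hostname, presented_line, known_hosts, expected_fp=None):
    """Decide whether to accept the key a server presents.

    known_hosts maps hostname -> key blob accepted on an earlier connection.
    expected_fp is a fingerprint obtained out of band (read over the phone,
    copied from the server console, published by its administrator), in
    either display form. Returns one of:
      'match'              key equals the stored one
      'mismatch'           key differs from the stored one: refuse, the
                           connection may be intercepted or the host rekeyed
      'unknown-verified'   first contact, fingerprint confirmed, now stored
      'unknown-unverified' first contact and nothing to check it against;
                           accepting here is the trust-on-first-use gamble
    """
    _, blob = parse_pubkey_line(presented_line)
    if hostname in known_hosts:
        return "match" if known_hosts[hostname] == blob else "mismatch"
    if expected_fp in (fingerprint_sha256(blob), fingerprint_md5(blob)):
        known_hosts[hostname] = blob
        return "unknown-verified"
    return "unknown-unverified"


if __name__ == "__main__":
    known = {}
    line = build_ed25519_pubkey_line(bytes(range(32)))
    print(fingerprint_sha256(parse_pubkey_line(line)[1]))
    print(check_host_key("factory-db", line, known))  # first contact, nothing to compare
```

The only state that makes the second and later connections safe is the blob stored at `unknown-verified` time, so the whole scheme rests on where `expected_fp` came from; a client that records the key on an `unknown-unverified` answer has merely decided to trust whoever answered first.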




------------------------------

From: mlw <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.hardware,comp.os.linux.misc
Subject: Re: Could Linux be used in this factory environment ?
Date: Sat, 24 Feb 2001 17:00:34 -0500

Bob Hauck wrote:
> 
> On Sat, 24 Feb 2001 17:40:48 GMT, peter <[EMAIL PROTECTED]> wrote:
> 
> > Is there any "open source" software that can help me with the
> > inventory and tracking ?  or
> 
> You will probably want to use a real database rather than inventing some
> file format of your own.  The best-known open databases are MySQL and
> PostgreSQL.

Hands down no competition, PostgreSQL. Neither MySQL nor msql are up to the
task. A factory environment would require transactional processing.

>
-- 
The majority of the stupid is invincible and guaranteed for all time. 
The terror of their tyranny, however, is alleviated by their lack of 
consistency.
                -- Albert Einstein
========================
http://www.mohawksoft.com
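What "transactional processing" buys an inventory system is that a stock movement either happens completely or not at all. The following is an added example, not the poster's code: it uses Python's built-in sqlite3 as a stand-in for PostgreSQL (it needs no server to run), with constructed tables and locations, and moves stock between a raw-material store and an assembly area inside one transaction, rolling back when the source has too little stock or the destination does not exist.

```python
import sqlite3

# Example code, not from the original post. sqlite3 stands in for PostgreSQL
# here only because it runs without a server; tables and data are constructed.


def open_inventory():
    """Create an in-memory stock table with a few constructed rows."""
    # isolation_level=None puts the connection in autocommit mode so that the
    # BEGIN/COMMIT/ROLLBACK below are explicit and visible.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE stock ("
        " location TEXT NOT NULL, item TEXT NOT NULL,"
        " qty INTEGER NOT NULL CHECK (qty >= 0),"
        " PRIMARY KEY (location, item))"
    )
    conn.executemany(
        "INSERT INTO stock VALUES (?, ?, ?)",
        [("raw-store", "oak-board", 40),
         ("assembly", "oak-board", 0),
         ("finished", "oak-table", 0)],
    )
    return conn


def move_stock(conn, item, qty, src, dst):
    """Atomically move qty units of item from src to dst.
    Returns True on success; False when the move cannot be made, in which
    case the database is left exactly as it was."""
    if qty <= 0:
        raise ValueError("quantity must be positive")
    conn.execute("BEGIN IMMEDIATE")  # take the write lock up front
    try:
        # decrement only if enough stock is present; rowcount tells us whether
        # the WHERE clause matched
        cur = conn.execute(
            "UPDATE stock SET qty = qty - ? "
            "WHERE location = ? AND item = ? AND qty >= ?",
            (qty, src, item, qty),
        )
        if cur.rowcount != 1:
            conn.execute("ROLLBACK")
            return False
        cur = conn.execute(
            "UPDATE stock SET qty = qty + ? WHERE location = ? AND item = ?",
            (qty, dst, item),
        )
        if cur.rowcount != 1:
            # the decrement above already ran; without the transaction the
            # stock would simply vanish
            conn.execute("ROLLBACK")
            return False
        conn.execute("COMMIT")
        return True
    except Exception:
        conn.execute("ROLLBACK")
        raise


def quantity(conn, location, item):
    """Current quantity of item at location, or None if no such row."""
    row = conn.execute(
        "SELECT qty FROM stock WHERE location = ? AND item = ?", (location, item)
    ).fetchone()
    return row[0] if row else None


def total(conn, item):
    """Total quantity of item across all locations."""
    return conn.execute(
        "SELECT COALESCE(SUM(qty), 0) FROM stock WHERE item = ?", (item,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = open_inventory()
    print(move_stock(db, "oak-board", 10, "raw-store", "assembly"))   # True
    print(move_stock(db, "oak-board", 5, "raw-store", "paint-shop"))  # False, rolled back
    print(total(db, "oak-board"))                                     # 40
```

The second move fails on the destination update, and the rollback is what keeps `total()` at 40; the same pattern, with `BEGIN`/`COMMIT` issued by the driver, is what a PostgreSQL-backed version would do.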

------------------------------

From: Peter Hayes <[EMAIL PROTECTED]>
Subject: Re: Does anyone know how much computer power we have/
Date: Sat, 24 Feb 2001 21:48:32 +0000
Reply-To: [EMAIL PROTECTED]

On Sat, 24 Feb 2001 15:48:43 +0000, "Edward Rosten" <[EMAIL PROTECTED]> wrote:

> In article <978e26$v59$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> wrote:
> 
> > "Mike" <[EMAIL PROTECTED]> writes:
> >>What's next? More transistors. More power. More speed. At this year's
> >>ISSCC, Patrick Gelsinger predicted that the processor of 2010 will
> >>contain 1B transistors, run at 20-30GHz, and perform over 1T operations
> >>per second (it will also consume in excess of 10kW of power).
> > 
> > That last part makes me doubt his predictions. I simply cannot see much
> > of a market for processors that require industrial power to be connected
> > to the back of the machine.... At least not a mass-market.
> 
> 
> I can. Starting from the home computers of the early 80's, the amount of
> power required has steadily increased. Bear in mind, that the faster you
> want to switch a silicon junction, the more power you need to switch it.

Conversely, the smaller the fab process size the lower the voltage required
to run the processor and the lower the current consumption. The power
consumption of a 486dx33 made using today's fabrication techniques would be
minuscule, maybe just a few milliwatts. The 'dx33 was about the last x86
series processor that didn't need cooling. 

But the trend towards smaller process size hasn't balanced the rise in
clock speed, so today's chips need forced air cooling, and, for the more
adventurous, liquid cooling.

But I'd be surprised if a 30GHz, 1,000 million transistor CPU would consume
10kW, maybe at .18 micron process, but trends suggest it'd be built using
0.04 microns, or something like that. Did Patrick Gelsinger take that into
account?

-- 

Peter

55°25"N  4°44'W

------------------------------

From: Peter Hayes <[EMAIL PROTECTED]>
Subject: Re: State of linux distros
Date: Sat, 24 Feb 2001 21:48:33 +0000
Reply-To: [EMAIL PROTECTED]

On Sat, 24 Feb 2001 13:42:11 GMT, "Reefer" <[EMAIL PROTECTED]>
wrote:

> 
> "Aaron Kulkis" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> 
> > Only an idiot relegates perfectly good hardware to the dustbin
> > just because some Asshole in Redmond, Washington decrees it so
> 
> 
> 
> hardware from the late 80's is not "perfectly good hardware"

Anything running a 386 upwards is "perfectly good hardware". 

For some applications a 286 machine that they'd pay you to take away is
perfectly adequate, for example real-time satellite tracking.

-- 

Peter

55°25"N  4°44'W

------------------------------

From: [EMAIL PROTECTED] (Stefan Ohlsson)
Subject: Re: Stability of 2.4.1?
Date: 24 Feb 2001 23:09:31 +0100

On 22 Feb 2001 16:08:38 -0700, Craig Kelley wrote:
>[EMAIL PROTECTED] (Stefan Ohlsson) writes:
>>How is the stability of 2.4.1 regarded? I have used it for 3 weeks
>>and have had only one strange incident that may have had something
>>to do with it; Sawfish stopped working for my account until I rebooted.
>>It still worked for root and other accounts. May have had something to
>>do with me running UAE, I suspect it fscked something up. It is very possible
>>this mishap could have been resolved without a reboot, but that solution -
>>if it exists - is beyond me.
>
>2.4.1 has been rock-solid on our beowulf cluster (we upgraded to get
>the new, spiffy 3c59x drivers that work much better than their 2.2
>ancestors).
>I've noticed the sawfish problem, but it's because the latest sawfish
>has bugs, not the kernel.
>
OK. Thanks for the info! I'll be looking at 2.4.2 anyway though
as another poster suggested. Anyway, that's the first time I rebooted a
Linux box for something other than a hardware problem :)

/Stefan
-- 
[ Stefan Ohlsson ]  ·  There will always be survivors - Robert A. Heinlein · []

------------------------------

Date: Sat, 24 Feb 2001 17:15:53 -0500
From: Glitch <[EMAIL PROTECTED]>
Subject: Re: RTFM at M$



Bruce Scott TOK wrote:
> 
> In article <[EMAIL PROTECTED]>, Tim Hanson  <[EMAIL PROTECTED]> wrote:
> >http://www.microsoft.com&[EMAIL PROTECTED]/pub/mskb/Q209354.asp
> 
> I got 404... have they "fixed" it?
> 
> (I also got 404 for the other one posted in this thread)
>

it's called 'removing the page b/c it is no longer news'

------------------------------

From: T. Max Devlin <[EMAIL PROTECTED]>
Subject: Re: It's just too easy
Reply-To: [EMAIL PROTECTED]
Date: Sat, 24 Feb 2001 22:14:37 GMT

Said Jeff Cochran in comp.os.linux.advocacy on Sat, 24 Feb 2001 10:08:14
   [...]
>Unfortunately the argument "Linux is better because Microsoft is evil"
>doesn't have much weight, and I need numbers that justify the change.
>But that's another post.

This is that post, then.

The fact is, the argument, properly formed, has no need to reference
'evil'.  Linux is better because Microsoft is a monopoly; a sole
supplier of a proprietary product which is known to have serious (and
secret) design flaws.  Trapping yourself into becoming dependent on a
monopoly because it is "cheaper" is soft-headed.  It's a shame it's the
state of business idiocy that one needs "numbers" to justify what is,
truly, common sense, in terms of business requirements.



-- 
T. Max Devlin
  *** The best way to convince another is
          to state your case moderately and
             accurately.   - Benjamin Franklin ***

------------------------------

From: "Adam Warner" <[EMAIL PROTECTED]>
Subject: Re: Now we know why Allchin was tweaked!
Date: Sun, 25 Feb 2001 11:23:20 +1300

Hi Tim,

> ...and Microsoft, with its max thirty-two node behemoth (well, to hear
> the behemoth price anyway: $3,000 per node) doesn't get a look in.  It's
> laughable.
> 
> This is based on GPL software, which must be why Allchin's panties were
> in a knot last week to C/Net.
> 
> "The U.S. Department of Defense (DOD) today said it plans within the
> next few months to install a 512-processor Linux cluster that's supposed
> to be able to process 478 billion calculations per second at a computing
> facility in Hawaii for use in applications such as tracking and fighting
> wildfires across the country."
> 
> "The supercomputer is being built by IBM at the DOD-affiliated Maui High
> Performance Computing Center and will be used by the DOD, other
> government agencies and academic institutions. In addition to tracking
> fires, uses eyed for the cluster include environmental research and
> defense projects related to warfighting efforts."
> 
> http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58037,00.html

Wonderful article. I'm glad the supercomputer will be used for some
non-warfare initiatives.

Now at $3,000 per processor a (non-existent and hypothetical) Windows
2000 supercomputer would cost 512x$3,000 or $1.5m for the software alone.
The entire GNU+Linux supercomputer solution will cost less than $10m.

http://www.wininformant.com/Articles/Index.cfm?ArticleID=19953
"Application Center 2000 will cost about $3000 per processor."

Perhaps as you say this could be one of the reasons Allchin said that GNU
or GNU licensed software should not be developed by government.

We should remember that the NSA has already designed a more secure version
of Linux:

http://www.nsa.gov/selinux/index.html

'Security-enhanced Linux is being released under the conditions of the GNU
General Public License (GPL). The release includes documentation and
source code for both the system and some system utilities that were
modified to make use of the new features. Participation with comments,
constructive criticism, and/or improvements is welcome.'

Regards,
Adam

------------------------------

From: "Mark Duell" <fleacircus.org@mduell>
Crossposted-To: comp.lang.c
Subject: Re: Something Seemingly Simple.
Date: Sat, 24 Feb 2001 22:30:39 GMT

"Richard Heathfield" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Mark Duell wrote:
> >
> > "Richard Heathfield" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > Bloody Viking wrote:
> > > >
> > > > I just tried a simple trig thing on my Linux box but the gcc compiler
> > > > gave me some error, despite having math.h added as the libraries. More
> > > > bizarre, my UNIX ISP had exactly the same problem with the same
> > > > seemingly simple proggie.
> > >
> > > Your question is an FAQ - there's a good answer to be found if you look
> > > for it. See my sig for the URL.
> > >
>
> [and that sig says...]
>
> > > C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
> >
> > This link returns a 404 (and a custom one at that!)
>
> Interesting. I just tried it, and it worked fine. Reload and
> Shift-Reload both work fine too.
>
> Are you sure you didn't just catch it at a busy time?
Ummm... well... yes... I guess I did, because I was given eskimo's 404 page.

Mark Duell



------------------------------

Date: Sat, 24 Feb 2001 17:45:27 -0500
From: Glitch <[EMAIL PROTECTED]>
Subject: Re: Does anyone know how much computer power we have/



Edward Rosten wrote:
> 
> In article <978e26$v59$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> wrote:
> 
> > "Mike" <[EMAIL PROTECTED]> writes:
> >>What's next? More transistors. More power. More speed. At this year's
> >>ISSCC, Patrick Gelsinger predicted that the processor of 2010 will
> >>contain 1B transistors, run at 20-30GHz, and perform over 1T operations
> >>per second (it will also consume in excess of 10kW of power).
> >
> > That last part makes me doubt his predictions. I simply cannot see much
> > of a market for processors that require industrial power to be connected
> > to the back of the machine.... At least not a mass-market.
> 
> I can. Starting from the home computers of the early 80's, the amount of
> power required has steadily increased. Bear in mind, that the faster you
> want to switch a silicon junction, the more power you need to switch it.
> 

what do chips currently use, say the PIII 900, in terms of power?
P=IV    the lower the voltage the lower the power. Aren't chips using
less voltage? Down to about 1.5 or 2.0 volts aren't they now?

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.lang.c
Subject: Re: Something Seemingly Simple.
Date: Sat, 24 Feb 2001 22:51:14 +0000

Chris Kern wrote:
> 
> On 24 Feb 2001 12:41:40 GMT, [EMAIL PROTECTED] (Bloody Viking) posted
> the following:
> 
> > Why isn't it in degrees as is the standard?
> 
> While degrees may be the standard for many people, mathematicians
> always (or nearly always) use radians.
> 
> -Chris

*real* mathematicians don't really care
-- 
http://www.guild.bham.ac.uk/chess-club

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to comp.os.linux.advocacy.

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Advocacy Digest
******************************
