Linux-Advocacy Digest #469, Volume #32           Sun, 25 Feb 01 14:13:05 EST

Contents:
  Re: Something Seemingly Simple. (Chris Kern)
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] (Peter da Silva)
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] (Chris Ahlstrom)
  [OT] Was: Re: Something Seemingly Simple. ("Edward Rosten")
  Re: Something Seemingly Simple. ("Edward Rosten")
  Re: M$ doing it again! (T. Max Devlin)
  Re: Something Seemingly Simple. (Bob Hauck)
  Re: RTFM at M$ (T. Max Devlin)
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] (T. Max Devlin)
  Re: RTFM at M$ (T. Max Devlin)
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] (T. Max Devlin)
  Re: Microsoft says Linux threatens innovation (T. Max Devlin)
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] (T. Max Devlin)
  Re: Microsoft says Linux threatens innovation (T. Max Devlin)
  Re: Microsoft says Linux threatens innovation (T. Max Devlin)
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] (Bob Hauck)
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] (Stuart Krivis)
  Re: PC to Linux file transfer? (PJ)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Chris Kern)
Crossposted-To: comp.lang.c
Subject: Re: Something Seemingly Simple.
Date: Sun, 25 Feb 2001 16:26:40 GMT

On Sat, 24 Feb 2001 22:51:14 +0000, [EMAIL PROTECTED] posted the
following:

>Chris Kern wrote:
>> 
>> On 24 Feb 2001 12:41:40 GMT, [EMAIL PROTECTED] (Bloody Viking) posted
>> the following:
>> 
>> > Why isn't it in degrees as is the standard?
>> 
>> While degrees may be the standard for many people, mathematicians
>> always (or nearly always) use radians.
>> 
>> -Chris
>
>*real* mathematicians don't really care

Real mathematicians don't bother with calculations of things like
degrees and radians.  Group theory doesn't generally deal in circles
;)

-Chris

------------------------------

From: [EMAIL PROTECTED] (Peter da Silva)
Crossposted-To: comp.os.ms-windows.nt.advocacy,alt.dev.null
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Date: 25 Feb 2001 17:16:48 GMT

In article <Vs9m6.9562$[EMAIL PROTECTED]>,
Chad Myers <[EMAIL PROTECTED]> wrote:
> I have shown nothing but concern. In fact, the only reason I still
> post to this thread is because I'm concerned that there are thousands
> of people out there happily using SSH1 and are completely unaware
> that it is "fundamentally flawed".

I'll bet you that every application and OS you use is "fundamentally flawed".

I've called everything from Microsoft Windows to X Windows "fundamentally
flawed" at one time or another. It's a technical term, and doesn't mean
what you think it means.

Please observe followups.

-- 
 `-_-'   In hoc signo hack, Peter da Silva.
  'U`    "A well-rounded geek should be able to geek about anything."
                                                       -- [EMAIL PROTECTED]
         Disclaimer: WWFD?

------------------------------

From: Chris Ahlstrom <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy,comp.security.ssh
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Date: Sun, 25 Feb 2001 17:26:10 GMT

Chad Myers wrote:
> 
> "J Sloan" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > Chad Myers wrote:
> >
> > > Is this how security is treated in the Open Source realm? With
> > > childish insults and asinine comments and no real concern?
> >
> > You've shown no concern, so this wouldn't apply.
> >
> > Trolls and bozos are treated as such.
> 
> <sigh> You ignore obvious facts so that you can get in a personal
> insult.
> 
> I have shown nothing but concern. In fact, the only reason I still
> post to this thread is because I'm concerned that there are thousands
> of people out there happily using SSH1 and are completely unaware
> that it is "fundamentally flawed".
> 
> Whereas some of the creators are just immature jerks.
> 
> -Chad

Chad is an incredible asshole. He's got to be a case of
dementia praecox combined with obsessive compulsive disorder.
In other words, a net kook.  His posts are so hypocritical, they
induce a fit of coprolalia in me every time I see them.
#$(*#%&##&

------------------------------

From: "Edward Rosten" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c
Subject: [OT] Was: Re: Something Seemingly Simple.
Date: Sun, 25 Feb 2001 17:37:27 +0000

>>That fun problem has the further challenge of taking into account the
>>attitude of the car during ballistic flight. Air friction only adds more
>>math fun! Use fins for attitude control for ballistic flight across the
>>Grand Canyon. 
> 
> I think anyone willing to do that should be a nominee for a Darwin
> award.

Only if they remove themselves from the gene pool in the process.

-ed







-- 
                                                     | u98ejr
                                                     | @ 
             Share, and enjoy.                       | eng.ox
                                                     | .ac.uk

------------------------------

From: "Edward Rosten" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c
Subject: Re: Something Seemingly Simple.
Date: Sun, 25 Feb 2001 17:29:08 +0000

>> Is there an official place where a definition of PI is meant to reside?
> 
> No trace of it in the standard, and I also checked the header directory
> without any luck.
> 
> I think the problem is that you are *not* using your C compiler in ANSI
> mode.

No, probably not. I was just doing a text search for PI in math.h. I
didn't think to check it with the compiler.

It doesn't work unless __USE_BSD || __USE_XOPEN (for short ones) or
__USE_GNU (for long defs) has been defined.

-Ed



-- 
                                                     | u98ejr
                                                     | @ 
             Share, and enjoy.                       | eng.ox
                                                     | .ac.uk

------------------------------

From: T. Max Devlin <[EMAIL PROTECTED]>
Subject: Re: M$ doing it again!
Reply-To: [EMAIL PROTECTED]
Date: Sun, 25 Feb 2001 17:45:35 GMT

Said Rex Ballard in comp.os.linux.advocacy on Sat, 24 Feb 2001 17:51:58 
   [...]
>Bill Gates is a brilliant strategist.

You give the man undue credit, Rex.  It's not like it requires
brilliance to take advantage of the fact that the other party expects
you to adhere to the law.

>He thinks in terms of a 20 year
>timeline while most CEOs think in terms of 5 and most COOs remain
>focused on the next quarter.

He thinks in terms of monopolization, in this and every quarter; no
"timeline" necessary, again, to restrain trade.  Timing isn't anywhere
near as important as, for instance, preventing the development of
technology.

>Bill has repeatedly made offers that
>averted a quarterly crisis in exchange for terms that could bankrupt the
>company three years later.

You mean he's destroyed every company he ever 'partnered' with at his
first available opportunity; subtle difference.

   [...]

-- 
T. Max Devlin
  *** The best way to convince another is
          to state your case moderately and
             accurately.   - Benjamin Franklin ***

------------------------------

From: [EMAIL PROTECTED] (Bob Hauck)
Crossposted-To: comp.lang.c
Subject: Re: Something Seemingly Simple.
Reply-To: bobh = haucks dot org
Date: Sun, 25 Feb 2001 17:43:40 GMT

On Sun, 25 Feb 2001 15:57:35 GMT, Gregory Pietsch <[EMAIL PROTECTED]> wrote:
>Edward Rosten wrote:

>> Is there an official place where a definition of PI is meant to reside?
>
>No.

How about in the trig functions:

#include <math.h>   /* atan, asin, acos */

/* Each of these is evaluated at run time, not a compile-time constant. */
#define A_PI (4 * atan (1))   /* 4 * atan(1) == pi */
#define B_PI (2 * asin (1))   /* 2 * asin(1) == pi */
#define C_PI (2 * acos (0))   /* 2 * acos(0) == pi */

-- 
 -| Bob Hauck
 -| To Whom You Are Speaking
 -| http://www.haucks.org/

------------------------------

From: T. Max Devlin <[EMAIL PROTECTED]>
Crossposted-To: alt.destroy.microsoft
Subject: Re: RTFM at M$
Reply-To: [EMAIL PROTECTED]
Date: Sun, 25 Feb 2001 17:58:10 GMT

Said Erik Funkenbusch in alt.destroy.microsoft on Sun, 25 Feb 2001 
>"T. Max Devlin" <[EMAIL PROTECTED]> wrote in message
>> Said Erik Funkenbusch in alt.destroy.microsoft on Sat, 24 Feb 2001
    [...]
>> >Most DoS attacks are ICMP based.
>>
>> This is a blatant fabrication.  Possibly common, even popular, but still
>> a complete fallacy.
>>
>> A network which firewalls ping is a network which should not be
>> considered run by people competent to be connected to the Internet.
>
>Really?  Let's remember that later on in this message.

Yes, let's.

   [...]
>> >> I've never heard
>> >> of a DoS attack with normal, short, non-broadcast pings (and a quick
>> >> google search failed to point me to any - I would be grateful if anyone
>> >> could show me a documented case).
>> >
>> >They block all ICMP.
>>
>> No, they block ping, and can't tell the difference between ping and any
>> other ICMP.  All other ICMP, however, is optional; ping is mandatory.
>> Truly mandatory; MS isn't alone in breaking this rule, but they are
>> breaking the rule, nevertheless.
>
>What "rule" might that be?

The RFC which states that ALL IP implementations must support the
ICMP_ECHO_RESPONSE datagram, mandatorily and without exception.

   [...]
>> It has been going in and out of vogue since 1994.
>
>So you're saying then that AT&T, General Motors, Netscape and AOL all are
>being run incompetently.  I'm sure they'll appreciate your critique.

Unfortunately, they don't.  I tried pointing out the problems to Sun Oil
and two or three other huge clients, but for some reason, they all
figured it was better to be paranoid than to be able to troubleshoot
connectivity problems.  And then they paid me huge sums of money because
they couldn't troubleshoot their connectivity problems.

>> >> If they've
>> >> been blocking them for 3 or more years, maybe blocking all pings was
>> >> just a quick-and-dirty fix to their NT "ping-of-death" bug a few years
>> >> back, that they didn't bother to unfix after the NT patch.
>> >
>> >No, since pinging them is not all that productive, why leave a potential
>> >hole open?
>>
>> Because ping provides *necessary and essential* connectivity information
>> and diagnostics.  The NT "ping of death", BTW, used malformed datagrams.
>
>And why is it essential for someone, external to the network, to diagnose
>them?

Yes, that's the problem.  There is no "external to the network"; the
phrase is meaningless in this context.

>> >> I have heard of ultra-paranoid security people recommending blocking
>> >> pings, although more to "hide" the system from OS-type detection via
>> >> subtle packet "signatures" (nmap program) than to prevent DoS attacks.
>> >
>> >Any machine that has a single port open can still be vulnerable to these.
>>
>> Any connectivity is a security risk.  All firewalling of ping is due to
>> clueless paranoia.
>
>Hmm.. so now AT&T is clueless.  Interesting.

Indeed.

-- 
T. Max Devlin
  *** The best way to convince another is
          to state your case moderately and
             accurately.   - Benjamin Franklin ***
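
The ICMP point argued above (a filter that "blocks ping" usually blocks every ICMP type, while the echo server is the one ICMP function the host-requirements RFC, RFC 1122, makes mandatory) can be made concrete. The following is an added example, not code from the digest or from any of its posters: it parses the ICMP header with checksum verification, then compares a drop-everything rule with a rule that keeps echo plus the destination-unreachable and time-exceeded messages that path MTU discovery and traceroute depend on. The packets are constructed samples and the two policy functions are hypothetical.

```python
import struct

# ICMP message types that matter for day-to-day connectivity diagnostics
ICMP_TYPES = {
    0: "echo-reply",
    3: "destination-unreachable",   # code 4 = fragmentation needed (path MTU discovery)
    8: "echo-request",              # what "ping" sends
    11: "time-exceeded",            # what traceroute relies on
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"") -> bytes:
    """Construct an ICMP message with a correct checksum (sample traffic for the demo)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, inet_checksum(body)) + rest


def parse_icmp(pkt: bytes) -> dict:
    """Parse the 4-byte ICMP header and verify the checksum over the whole message."""
    if len(pkt) < 4:
        raise ValueError("truncated ICMP header")
    if inet_checksum(pkt) != 0:          # a message with a valid checksum sums to zero
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    return {"type": icmp_type, "code": code,
            "name": ICMP_TYPES.get(icmp_type, "other-%d" % icmp_type),
            "rest": pkt[4:]}


def policy_block_all_icmp(msg: dict) -> bool:
    """The 'firewall ping' rule as it is usually implemented: every ICMP type is dropped."""
    return False


def policy_keep_diagnostics(msg: dict) -> bool:
    """Permit echo, destination-unreachable and time-exceeded; drop everything else."""
    return msg["type"] in (0, 3, 8, 11)


def evaluate(policy, packets: list) -> dict:
    """Map each message (name, plus code for type 3) to whether the policy passes it."""
    out = {}
    for pkt in packets:
        msg = parse_icmp(pkt)
        key = msg["name"] if msg["type"] != 3 else "%s/%d" % (msg["name"], msg["code"])
        out[key] = policy(msg)
    return out


# Constructed sample traffic: a ping, its reply, a router's "fragmentation needed"
# (unused 16 bits, next-hop MTU 1400, then a stub of the original IP header), and a
# traceroute hop's time-exceeded (4 unused bytes, then the same stub).
SAMPLE_PACKETS = [
    build_icmp(8, 0, struct.pack("!HH", 0x1234, 1) + b"abcdefgh"),
    build_icmp(0, 0, struct.pack("!HH", 0x1234, 1) + b"abcdefgh"),
    build_icmp(3, 4, struct.pack("!HH", 0, 1400) + b"\x45" * 28),
    build_icmp(11, 0, b"\x00" * 4 + b"\x45" * 28),
]


if __name__ == "__main__":
    for name, policy in (("block all ICMP", policy_block_all_icmp),
                         ("keep diagnostics", policy_keep_diagnostics)):
        print(name, evaluate(policy, SAMPLE_PACKETS))
```

Run as a script, the block-all policy drops the type 3 / code 4 "fragmentation needed" message together with the ping, which is the troubleshooting loss the post is arguing about; the second policy keeps it while still rejecting any ICMP type not on its short list.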

------------------------------

From: T. Max Devlin <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy,comp.security.ssh
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Reply-To: [EMAIL PROTECTED]
Date: Sun, 25 Feb 2001 18:07:20 GMT

Said Chad Myers in comp.os.linux.advocacy on Sat, 24 Feb 2001 23:05:18 
   [...]
>The SSH1 protocol had many failures and "flaws" and was therefore
>shoddy encryption, or a shoddy implementation as a whole.[...]

Chad Myers is definitely "pining for the fjords".  ;-)

-- 
T. Max Devlin
  *** The best way to convince another is
          to state your case moderately and
             accurately.   - Benjamin Franklin ***

------------------------------

From: T. Max Devlin <[EMAIL PROTECTED]>
Crossposted-To: alt.destroy.microsoft
Subject: Re: RTFM at M$
Reply-To: [EMAIL PROTECTED]
Date: Sun, 25 Feb 2001 18:02:28 GMT

Said Bob Hauck in alt.destroy.microsoft on Sun, 25 Feb 2001 16:43:53 
>On Sun, 25 Feb 2001 04:55:07 GMT, Norman D. Megill
><[EMAIL PROTECTED]> wrote:
>
>> I thought the most common DoS attacks were SYN floods.  I've never
>> heard of a DoS attack with normal, short, non-broadcast pings
>
>Imagine if 10,000 people all started sending one ping/sec to the same
>site.  Now imagine one guy planting a remote-control trojan like Back
>Orifice or trinoo on a few hundred systems and sending 100 pings/sec.

That's the point, Bob.  Notice that this is an imaginary example.
NOBODY has ever heard of a DoS attack with normal pings.  Nor any
particular value to the use of simple ping sweeps by hackers, which is
the most often cited "reason" for being clueless about this matter.

-- 
T. Max Devlin
  *** The best way to convince another is
          to state your case moderately and
             accurately.   - Benjamin Franklin ***

------------------------------

From: T. Max Devlin <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy,comp.security.ssh
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Reply-To: [EMAIL PROTECTED]
Date: Sun, 25 Feb 2001 18:04:48 GMT

Said Chad Myers in comp.os.linux.advocacy on Sat, 24 Feb 2001 19:13:49 
>"Shane Phelps" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> Chad,
>>
>> We're still waiting for all this evidence about shoddy encryption in SSH
>>
>> Please enlighten us
>>
>> BTW, I've taken the liberty of cross-posting this to comp.security.ssh
>> :-)
>
>I've already listed the exploits.

No, you listed theoretical vulnerabilities; not a single exploit for any
of these vulnerabilities has been reported.

>They may have been patched, but how
>many systems out there are patched? If SSH is so great, why then does
>it have so many vulnerabilities?

It doesn't.  Next question?

>Why is SSH1 considered "fundamentally flawed" by its own makers?

Because there are theoretical vulnerabilities which do not exist in the
maker's new (commercial) version.  Duh!

-- 
T. Max Devlin
  *** The best way to convince another is
          to state your case moderately and
             accurately.   - Benjamin Franklin ***

------------------------------

From: T. Max Devlin <[EMAIL PROTECTED]>
Subject: Re: Microsoft says Linux threatens innovation
Reply-To: [EMAIL PROTECTED]
Date: Sun, 25 Feb 2001 18:18:25 GMT

Said Erik Funkenbusch in comp.os.linux.advocacy on Sun, 25 Feb 2001 
>"T. Max Devlin" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> >Netscape was *NOT* the better product.
>>
>> Of course it was.
>>
>> >IE3 and IE4 were roughly equivalent,
>> >but IE4 started leaving Netscape behind in the dust, especially in W3C
>> >standard support.
>>
>> What a pathetically softheaded perspective you have.  If IE4 was so
>> technically superior, why is it exactly that MS spent the millions for
>> the exclusive bundling deals and strong-armed OEMs into "knifing the
>> baby" by including IE updates that some customers specifically didn't
>> want and excluding Netscape?
>
>I think it's pretty obvious from the context that I meant IE3 and NS4 were
>roughly equivalent.  I made a mistake.

Again, this is in direct contradiction to Microsoft executive's comments
on that very subject.  They also made a mistake; if they are lucky, none
of them will go to jail because of it, but Microsoft is going to be
broken up.

-- 
T. Max Devlin
  *** The best way to convince another is
          to state your case moderately and
             accurately.   - Benjamin Franklin ***

------------------------------

From: T. Max Devlin <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Reply-To: [EMAIL PROTECTED]
Date: Sun, 25 Feb 2001 18:12:02 GMT

Said Chad Myers in comp.os.linux.advocacy on Sun, 25 Feb 2001 15:24:37 
>"J Sloan" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>> Chad Myers wrote:
>>
>> > Is this how security is treated in the Open Source realm? With
>> > childish insults and asinine comments and no real concern?
>>
>> You've shown no concern, so this wouldn't apply.
>>
>> Trolls and bozos are treated as such.
>
><sigh> You ignore obvious facts so that you can get in a personal
>insult.

You pretend there are some "obvious facts" being ignored, when really
you're just a bozo.  <*hiccup*>

>I have shown nothing but concern.

Deeply concerned, that's the Chad Myers we know.  Very very concerned
about how insecure a random tool is, when it provides an opportunity for
trolling.

Comp.security.ssh has been spared from this.

>In fact, the only reason I still
>post to this thread is because I'm concerned that there are thousands
>of people out there happily using SSH1 and are completely unaware
>that it is "fundamentally flawed".

You post because you find that making blatantly false claims,
particularly when you've already been thoroughly corrected by some
extremely knowledgeable people, fulfills some disturbed psychological
need for attention you have.  My ten-year old nephew is bright enough to
tell you're not concerned about ssh security for any rational reason.

>Whereas some of the creators are just immature jerks.

Because they noticed you were a troll?  Bwah-ha-ha-ha-ha.

-- 
T. Max Devlin
  *** The best way to convince another is
          to state your case moderately and
             accurately.   - Benjamin Franklin ***

------------------------------

From: T. Max Devlin <[EMAIL PROTECTED]>
Subject: Re: Microsoft says Linux threatens innovation
Reply-To: [EMAIL PROTECTED]
Date: Sun, 25 Feb 2001 18:39:19 GMT

Said Erik Funkenbusch in comp.os.linux.advocacy on Sun, 25 Feb 2001 
>"T. Max Devlin" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> >> >If the numbers on the price tag stay the same, and inflation goes up.
>> >The
>> >> >dollar value has dropped, and thus the product becomes cheaper.
>> >> >
>> >>     As I pointed out in my direct response to your post, the Findings
>of
>> >>     Fact include email evidence from Jim Allchin which contradicts you.
>> >
>> >I don't care if the pope contradicts me.  These are hard cold facts.
>> >
>> >A)  It's a fact that the number of dollars charged for Windows has not
>> >changed in 6 years.
>>    [...]
>>
>> Combined with the fact that everything else on the PC dropped in price
>> drastically, often by orders of magnitude, leads to the inescapable
>> conclusion that Microsoft is maintaining monopoly prices, elevated above
>> competitive levels.  All the rest of your facts are just misdirection,
>> Erik.
>
>Not everything in the PC dropped in price drastically.  For instance, the
>cost of the mouse has been roughly the same for the last 6 years.  The cost
>of the keyboard is also roughly equivalent.  The cost of the case and
>power supply have also not changed very radically, and most certainly the
>cost of the floppy disk drive hasn't changed in that time period either.
>
>So, if many components of the PC also have not changed, does that mean those
>components are also clear evidence that those components are part of a
>monopoly as well?
>
>Software is not hardware, and it doesn't follow the same market trends of
>hardware.

Then why did you list only the most trivial hardware components above?

>For instance, Adobe Pagemaker has stayed the same price for the
>last 6 years as well.  Does that mean Adobe is also monopolizing?

A) I don't believe this is so.
B) No, it shows Microsoft is monopolizing, and this prevents free market
prices from moving to competitive levels.
C) Yes; all "copyright wrapped in a trade secret" software is
monopolization.

Take your pick; I don't care which.  I probably won't even respond; I'm
growing tired of you, and I'll be far too busy watching MS get chewed up
by some federal judges for the next couple days.

-- 
T. Max Devlin
  *** The best way to convince another is
          to state your case moderately and
             accurately.   - Benjamin Franklin ***

------------------------------

From: [EMAIL PROTECTED] (Bob Hauck)
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Reply-To: bobh = haucks dot org
Date: Sun, 25 Feb 2001 18:43:50 GMT

On Sun, 25 Feb 2001 15:24:37 GMT, Chad Myers
<[EMAIL PROTECTED]> wrote:

> <sigh> You ignore obvious facts so that you can get in a personal
> insult.

What facts would those be?  That you are pontificating on a subject
about which you know virtually _nothing_?  You may even recall admitting
to that, and yet here you are, continuing to post.

Your interpretation of the facts is completely wrong and you have been
told this, repeatedly, along with the reasons why.  Why should anybody
give you the time of day, much less respect?


> I have shown nothing but concern. In fact, the only reason I still
> post to this thread is because I'm concerned that there are thousands
> of people out there happily using SSH1 and are completely unaware that
> it is "fundamentally flawed".

What should they replace it with?  Telnet?  WTS?  SMB?  SSH is _far_
more secure than telnet or rsh or rcmd or any of the other protocols you
might replace it with.

You continue to post your tripe in spite of the fact that the nature of
the "flaw" has been repeatedly explained in excruciating detail.  Why
is that?  At some point your behavior starts warranting a personal
attack because you are merely spewing lies and propaganda.

Once more...the "fundamental flaw" is that the initial key exchange can
be intercepted by a man-in-the-middle passing the connection through.
This is not an easy thing to exploit, since it only happens once (not
once per session, once) when you change the server key or first connect
to a new server.  It also requires that other things not directly
related to SSH (e.g. DNS) first be compromised.

But in any case, the client program warns about this possibility in
GREAT BIG LETTERS before accepting a new key, and always has.  If you
have to communicate over a channel where this exploit might be possible,
you simply use other means for the initial key exchange (i.e. physically
go to the machine with a floppy) and then never accept new keys from
that machine.

The other flaws are not fundamental and have been fixed.  They were
largely theoretical because practical exploitation was very difficult
and attempts were likely to be quite obvious (you had to, for example,
sustain hundreds of connection attempts per second for periods of many
minutes).  No breakins are known to have happened because of them.

The story about "flaws in February alone" that you keep posting is in
fact the *complete list* of *all* flaws that have *ever* been found in
SSH.  You have been told this, repeatedly, yet you keep posting as if
there is a large and growing list.  There is not and to my knowledge
there has never been a documented breakin via an SSH exploit.

In short, you are wrong, you have been told you are wrong and why, and
yet you continue to post the same swill.  What does that make you, Chad?


> Whereas some of the creators are just immature jerks.

Whereas you are a liar and a propagandist who does not deserve their
time.  

Removed comp.security.ssh from the xpost since this is no longer about
SSH but rather Chad's attempting to confuse innocent bystanders with
lies and propaganda.

-- 
 -| Bob Hauck
 -| To Whom You Are Speaking
 -| http://www.haucks.org/
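
The first-contact key exchange described in the post above, as an added example (not code from the post or from any SSH implementation): a minimal stand-in for known_hosts with the two provisioning styles Bob contrasts, a key pinned out of band with strict checking versus trust on first use. The host name and key blobs are constructed for the demo, the fingerprint helper mirrors OpenSSH's SHA256 display format but its inputs are not real keys, and connect() is a hypothetical decision function, not a client API.

```python
import base64
import hashlib
from enum import Enum


class Verdict(Enum):
    MATCH = "known host, presented key matches the pinned key"
    NEW_HOST = "host has no pinned key yet"
    MISMATCH = "known host, presented key DIFFERS from the pinned key"


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the SHA-256 digest, '=' padding stripped."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class KnownHosts:
    """In-memory stand-in for ~/.ssh/known_hosts: host name -> pinned public key blob."""

    def __init__(self):
        self._pinned = {}

    def pin(self, host: str, pubkey: bytes) -> None:
        self._pinned[host] = pubkey

    def check(self, host: str, presented: bytes) -> Verdict:
        pinned = self._pinned.get(host)
        if pinned is None:
            return Verdict.NEW_HOST
        return Verdict.MATCH if pinned == presented else Verdict.MISMATCH


def connect(store: KnownHosts, host: str, presented: bytes, strict: bool):
    """Decide whether a session may proceed. Returns (proceed, verdict).

    strict=True: an unknown host is refused; keys must be pinned out of band first
    (the "go to the machine with a floppy" step).  strict=False: trust on first
    use; the key is pinned at first contact and any later change is a MISMATCH.
    """
    verdict = store.check(host, presented)
    if verdict is Verdict.MATCH:
        return True, verdict
    if verdict is Verdict.MISMATCH:
        return False, verdict          # never silently re-pin a changed key
    if strict:
        return False, verdict
    store.pin(host, presented)
    return True, verdict


# Constructed key blobs (not real SSH keys): the server's own key and the key an
# interposed relay would present in its place.
GENUINE_KEY = b"ssh-rsa CONSTRUCTED-GENUINE-SERVER-KEY"
INTERPOSED_KEY = b"ssh-rsa CONSTRUCTED-INTERPOSED-KEY"


def simulate() -> dict:
    """Run both provisioning styles against the genuine and the interposed key."""
    results = {}

    # 1. Key pinned out of band, strict checking: only the genuine key gets through.
    strict_store = KnownHosts()
    strict_store.pin("server.example", GENUINE_KEY)
    results["strict/genuine"] = connect(strict_store, "server.example", GENUINE_KEY, strict=True)
    results["strict/interposed"] = connect(strict_store, "server.example", INTERPOSED_KEY, strict=True)

    # 2. Trust on first use: whatever key arrives first is pinned, so the exposure
    #    is exactly the first contact; afterwards the genuine key is the one flagged.
    tofu_store = KnownHosts()
    results["tofu/first-contact-interposed"] = connect(tofu_store, "server.example", INTERPOSED_KEY, strict=False)
    results["tofu/later-genuine"] = connect(tofu_store, "server.example", GENUINE_KEY, strict=False)
    return results


if __name__ == "__main__":
    print("genuine fingerprint:", fingerprint(GENUINE_KEY))
    for scenario, (proceed, verdict) in simulate().items():
        print("%-30s proceed=%-5s %s" % (scenario, proceed, verdict.value))
```

The strict store is the "never accept new keys from that machine" rule: once the genuine key is pinned, the interposed key is refused as a MISMATCH rather than accepted as a new host. The trust-on-first-use store shows why the exposure is one-time, as the post says, and also why the pinned key has to be checked against an out-of-band fingerprint at that first contact.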

------------------------------

From: [EMAIL PROTECTED] (Stuart Krivis)
Crossposted-To: comp.os.ms-windows.nt.advocacy,comp.security.ssh
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Date: 25 Feb 2001 13:50:47 -0500
Reply-To: [EMAIL PROTECTED]

On 19 Feb 2001 03:13:49 -0500, Richard E. Silverman <[EMAIL PROTECTED]> wrote:

>These are irrelevant non-sequiturs.  The claim that SSH uses "shoddy
>encryption" requires specific support: what encryption process is
>inadequate, and how exactly is it so?  Challenged to provide evidence, you
>respond with vague allusions to unspecified recent bug reports, and to
>weaknesses in the SSH-1 protocol -- without saying how this connects to
>your claim.  You later list specific references to bug reports, but these
>too fail to support your contention; see below.
>
> Chad> They basically took the brain-dead telnet designed and brought it
> Chad> into the 1980's, but it's still all ancient technology.

Chad is spewing a bunch of crap that simply shows he knows nothing about
cryptography or about ssh.

I'm no expert, but even I can see he's full of it.

Old technology? My computer here uses a keyboard that doesn't differ
significantly from a turn-of-the-century (19th-20th) typewriter. The
interface is practically identical. I suppose that means that it is
shoddy and should be replaced. Maybe Chad just thinks at his computer
and uses telepathy?

>- Blowfish and Twofish, designed by Schneier et al. in the early and mid
>  1990's, respectively
>

I'm not convinced that twofish is ready for prime-time. It hasn't been
around long enough.

Blowfish is my choice of cipher algorithm for use with SSH. It's fast
and has stood up to peer review quite well so far.

>- MD5, Ron Rivest, 1991

There has been some research showing that MD5 may not be entirely
secure. It is no longer suggested for use with PGP, for example.

However, this may not be meaningful with SSH when you look at how secure
you need SSH to be... 

>
>- SHA-1, NIST FIPS-186, 1994

This is my choice for PGP and SSH.

>
>These are not "70's technologies."  Besides, a technology's age is not per
>se an indictment of its effectiveness or suitability.  SSH also uses 3DES

3DES is still quite respectable. Its main drawback is that it is slower
than some newer block ciphers. 

It is certainly still very usable. In fact, it is what I choose for PGP
since I don't need anything faster like blowfish.

> Chad> SSH1 implementations may allow remote system, data compromise
> Chad> http://www.securityfocus.com/templates/advisory.html?id=3100
> Chad> (OpenSSH uses SSH1, SSH corp uses SSH2)

It says "implementation." That is far different from saying that the
protocol is insecure or that the underlying encryption mechanisms are
flawed.

>Finally, none of these three issues supports your earlier claim about SSH
>using "shoddy encryption:" the first two are software bugs having nothing
>to do with encryption, and the last is a usually-impractical attack on an
>outdated version of the protocol.

Well put.


OpenSSH is actually a very good piece of software. The authors are very
careful about auditing the code for bugs. They have provided something
that has real value for many, many people all over the world.




-- 



Stuart Krivis


------------------------------

From: PJ <[EMAIL PROTECTED]>
Subject: Re: PC to Linux file transfer?
Date: Sun, 25 Feb 2001 13:54:26 -0500

JimBouldin wrote:
> 
> I have Linux installed on one of my hard drives and I would like to be able to
> access files from the internet to use with linux, but my ISP does not support
> Linux...  Does anyone know of some sort of conversion method so that I can get
> Linux stuff using my PC?
> 
> Thanks
> [EMAIL PROTECTED]
> http://trax.to/beepii

If you are dual booting Linux and Windows, you should be able to
download files using Windows and then boot into Linux to use them. You
can access files on your Windows partition using Linux. A file is a
file, there isn't really any conversion that needs to be done. The only
thing is that all the permissions on a file downloaded to Windows are
all lost and reset when you copy it over to Linux, because Windows
doesn't use permissions.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to comp.os.linux.advocacy.

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Advocacy Digest
******************************
