Linux-Advocacy Digest #732, Volume #32            Fri, 9 Mar 01 20:13:05 EST

Contents:
  Re: RTFM at M$ (T. Max Devlin)
  Re: Mircosoft Tax (T. Max Devlin)
  Re: definition of "free" for N-millionth time (Steve Mading)
  Re: definition of "free" for N-millionth time (Steve Mading)
  Re: definition of "free" for N-millionth time (Steve Mading)
  Re: definition of "free" for N-millionth time (Steve Mading)
  Re: Microsoft's .NET Vision ("Adam Warner")

----------------------------------------------------------------------------

From: T. Max Devlin <[EMAIL PROTECTED]>
Crossposted-To: alt.destroy.microsoft
Subject: Re: RTFM at M$
Reply-To: [EMAIL PROTECTED]
Date: Sat, 10 Mar 2001 00:44:06 GMT

Said Bob Hauck in alt.destroy.microsoft on Sun, 04 Mar 2001 03:43:42 
>On Sun, 04 Mar 2001 00:12:56 GMT, T. Max Devlin <[EMAIL PROTECTED]> wrote:
>>Said Bob Hauck in alt.destroy.microsoft on Fri, 02 Mar 2001 02:43:48 
>
>>> Perhaps you could stick to the point and tell me what the value to me
>>> is in allowing random people to ping my broadcast address.
>>
>> The simple fact is that one cannot tell by looking what is a
>> "broadcast address" from what is a host address, since the packet does
>> not contain the subnet mask.
>
>True, but there are a number of common cases, starting with the old
>class A, B, and C.  And it is quite simple to ping every address in a
>range and see how many replies you get.  If you get 200, then you have a
>good smurf amplifier.  Automate this with a script and you can scan huge
>chunks of the address space while you sleep.

Whatever.  If not that, something else.  It *is* a network, after all.
We must balance security with access, and mucking around with special
cases is not a good way to accomplish either.

>> particularly when the worst damage that can possible be done is to
>> slow down your Internet connection, and while preventing Smurf attacks
>> might be all well and good, regardless, there are a potentially
>> infinite number of other ways to deny you service.
>
>Smurf does not deny me service, necessarily, but some third party
>victim.  The attacker takes advantage of my bandwidth to attack someone
>else while at the same time hiding his IP address. 

And all they can do is overwhelm someone else's connection, temporarily.
Which they can do in an infinite number of other ways, if you disable
the primary and fundamental diagnostic tool of IP in order to make this
one only marginally more troublesome, or try to maintain theoretically
dynamic information (network addresses) in static configurations
(filtering tables), simply to block a theoretical attack that requires
spoofing to begin with.

>>As far as direct value in pinging a broadcast address
>
>I don't care if you can troubleshoot my network from outside.  Really, I
>don't.

There is no "outside" or "inside"; just the network.  If you need to get
in or out, you need to troubleshoot *it*.  Really, you do.  Or somebody
else does; somebody whose job is made tremendously more troublesome and
expensive because you followed a brain-dead directive to disable the
primary (and only built-in) diagnostic tool for IP networks.  Oh, and
whether your network works at all is entirely dependent on that guy
being able to do his job quickly and with zero budget, because even a
perfectly configured network can suffer equipment failure, and no
network is perfectly configured.

>> No, you haven't.  You are still thinking that there is some way to
>> know whether any particular ping is or is not a "broadcast ping"
>
>What do you mean?  I know what my broadcast addresses are.  It is
>trivial to block pings to those addresses at the border router.  I am
>not talking about blocking them at the source, but at the destination.

This is an issue of a local configuration versus an internetwork
configuration.  "I know what my broadcast addresses are" is the same as
saying "I will now screw my network up on purpose by hardwiring
something where it doesn't belong".  And for little purpose, is the
thing.

It would make more sense simply to stop spoofing entirely, as you've
said.  Still, I have this nagging feeling that it isn't really as
possible to do that in practice as we might suppose.

>> isn't true.  Plus, the Smurf attack works by using your address as the
>> *source* of the pings, so you are flooded with the responses; there is
>> no disallowing of pings which will suffice, save complete partitioning
>
>No, Smurf uses the address of the *victim* as the source of the pings,
>and I am merely the "amplifier", not the victim.

I did misunderstand the complete explanation.  You are correct, of
course.  This probably explains why this bit of paranoid trivia has been
maintained; you never find out it doesn't do any good anyway.  And
chances are nobody actually knows how to use ping as an effective
diagnostic tool these days, anyway, eh?

>> You have not provided any reason, though you've parroted some dubious
>> reasons provided by others (who not only don't have to pay the cost of
>> implementing such things, but make money on the deal!) for firewalling
>> ping.
>
>Make money?  Virtually all routers can block whatever IP protocol you
>want, ICMP included.   

Certainly an admirable attempt at arm-waving (or is it hand-waving?),
but, no, it doesn't answer the question.

>The reason to block pings to broadcast addresses is to prevent your
>network being used as a smurf amplifier by script kiddies.

Repeating the premise doesn't make it any less dubious, I'm afraid.  Nor
does it make sense to defend filtering internal broadcast destinations
to prevent smurfs in order to support filtering all pings to begin with.

>>>>> CERT and Cisco both recommend that you filter ICMP to broadcast
>>>>> addresses at your border.  The recommend this because of the smurf
>>>>> problem.
>>>>
>>>> Actually, they recommend this because of the paranoia problem.
>>>
>>> No, they recommend it because people were using the smurf attack to
>>> cause trouble.
>
>> With a clear understanding of topology and pings, there is no need to
>> block them.  To generate enough traffic to be a problem, the smurf
>> would have to be an internal attack
>
>No it is not an internal attack.  The scenario is this: Party A has
>limited bandwidth but wants to DoS party B.  He picks a party C such
>that C has a lot more bandwidth than B.  A sends pings to C's broadcast
>address with the source address set to B.  For each ping A sends, some
>number N go to B, where N is the number of hosts that respond to the
>broadcast ping.  If the factor N is large enough (i.e. C has lots of
>hosts on that network), this can result in an effective DoS.

Well, it took more pondering than it should have, but I see your point.
But filtering "broadcast pings" at borders as general paranoia (quite a
good bit of which is, of course, good when you're considering security,
but I'm considering more) wasn't so much the issue as general filtering
on firewalls, or certainly complete denial of ICMP.

>>> In an ideal world smurf wouldn't work because everybody would do proper
>>> filtering so users could not forge packets.  We do not live in an ideal
>>> world.
>>
>> I must imagine you are riffing at this point.  What "proper filtering"
>> are you thinking of that would make "forged packets" impossible?
>
>You can't make forged packets "impossible", but you can make it so that
>users can't send packets that appear to come from outside their subnet.

No, you can't.  Not without re-writing the rules of IP.  Which might
well be a fine idea, but would involve much more than you believe, I
think, as making the source IP of a packet at all important in routing
decisions might have ramifications far greater than we might presume at
first blush.  Still, the simple fact that source address is not
considered by the routers could mean there's not much harm in doing so
(though you do realize it would require a hard partitioning between what
is a "trunk" and what is a "leaf node", something that IP doesn't
currently do at all).  The question is really whether it's
cost-effective, and there's no reason to think it would be.

That's my network management hat, anyway (the typical default), though
with my network security hat on (quite the contrast), I would certainly
support firewalling of spoofed source addresses entirely.  And in this
case, as few others, the network management hat doesn't have a damn
thing to say in response, as even I must admit that any argument for
such a requirement is entirely theoretical.  Yet, as I've mentioned
before, it would cause a distinction between leaf "nodes" and "backbone
routers" which doesn't currently exist, and there's good reason to
believe that it wouldn't work very well if it did.

>This stops things like smurf because the kiddies' packets with someone
>else's source address on them get dropped at the next router.

Indeed.  I found it rather surprising when I finally realized how it
would actually work.  The spoofing of source address is simply outside
the things I usually consider when trying to understand how IP works.
Thanks for sticking with me.  I was tripping up over the fact that
routers don't "propagate broadcast pings"; but of course they will route
a ping, and don't give a whoop if the datagram inside is destined for a
broadcast address.  Kind of makes sense to remark that that isn't
necessarily appropriate.

>You do this by filtering.  For example, an ISP can put his dialup users
>on their own subnet behind a filtering router that blocks outbound
>packets with source addresses not on that subnet.  Obviously, this has
>to be done at the leaves of the network to be effective.

Unfortunately, it would also have to be dynamic, or it doesn't really
work at all.

Thanks for your time.  Hope it helps.

-- 
T. Max Devlin
  *** The best way to convince another is
          to state your case moderately and
             accurately.   - Benjamin Franklin ***
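
The two filters the thread ends up agreeing on, as an added example that is not code from either poster: a leaf-side filter that drops outbound packets whose source address is not on the local subnet, and a border-side filter that drops echo requests addressed to the network's broadcast address, applied to constructed sample packets. The prefixes and addresses are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample prefixes (assumptions, not real networks):
# the ISP's dialup subnet where a would-be attacker sits, and
# network "C" that would otherwise serve as the smurf amplifier.
ISP_DIALUP_SUBNET = ipaddress.ip_network("192.0.2.0/24")
BORDER_NET = ipaddress.ip_network("198.51.100.0/24")

ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "udp", ...
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


def ingress_filter(pkt: Packet, subnet: ipaddress.IPv4Network) -> bool:
    """Leaf-side filter on the ISP's router: let a packet leave the subnet
    only if its source address actually belongs to that subnet. This is
    what drops a ping whose source was forged to be the victim's address."""
    return ipaddress.ip_address(pkt.src) in subnet


def directed_broadcast_filter(pkt: Packet, net: ipaddress.IPv4Network) -> bool:
    """Border-side filter on network C: drop echo requests aimed at the
    network's broadcast address, while ordinary host pings still pass so
    ping remains usable as a diagnostic tool."""
    is_echo = pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST
    if is_echo and ipaddress.ip_address(pkt.dst) == net.broadcast_address:
        return False
    return True


def run_filters(packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Apply both filters in path order and record where each packet stops."""
    verdicts = []
    for pkt in packets:
        if not ingress_filter(pkt, ISP_DIALUP_SUBNET):
            verdicts.append((pkt, "dropped at leaf (spoofed source)"))
        elif not directed_broadcast_filter(pkt, BORDER_NET):
            verdicts.append((pkt, "dropped at border (directed broadcast)"))
        else:
            verdicts.append((pkt, "delivered"))
    return verdicts


# Constructed sample traffic: a normal host ping, a forged-source ping to
# C's broadcast address, and the same broadcast ping with a genuine source.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "198.51.100.20", "icmp", ICMP_ECHO_REQUEST),
    Packet("198.51.100.77", "198.51.100.255", "icmp", ICMP_ECHO_REQUEST),
    Packet("192.0.2.10", "198.51.100.255", "icmp", ICMP_ECHO_REQUEST),
]

if __name__ == "__main__":
    for pkt, verdict in run_filters(SAMPLE_PACKETS):
        print(f"{pkt.src} -> {pkt.dst}: {verdict}")
```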

------------------------------

From: T. Max Devlin <[EMAIL PROTECTED]>
Crossposted-To: alt.linux.sux,alt.destroy.microsoft
Subject: Re: Mircosoft Tax
Reply-To: [EMAIL PROTECTED]
Date: Sat, 10 Mar 2001 00:44:07 GMT

Said Donovan Rebbechi in alt.destroy.microsoft on 6 Mar 2001 10:49:23 
>On Tue, 6 Mar 2001 09:17:39 +0100, David Brown wrote:
>
>>There is certainly more, but not that much more.  There are no significant
>>architectural differences between ME and the original Win95, which was
>>available on around 12 floppies IIRC (maybe 20 MB or so).  Newer programs
>>like "movie maker" and IE5 take more space, but there really is not that
>>much more substance.
>
>If you're familiar with any Web browser development process (which, thanks
>to KDE and Mozilla, you may well be), you would be aware that quite a
>lot of "substance" needs to go into development of a web browser. 
>Developing the kinds of APIs you need to make a web browser is a lot
>of work, and if you can do it in such a way that a lot of your code is
>reusable, you also add value to your platform by providing good APIs
>to other developers (who then provide better applications to the users)

Interestingly, Microsoft uses the same argument, switching back and
forth too rapidly between an application and a platform (indeed, all but
insisting, as they have a monopoly in OSes and would like one in
whatever application market might threaten it) so quickly as to
mesmerize and confuse, without ever actually dealing with the problem.

And you wonder why people accuse you of being a Microsoft hack with
barely a pretense of sheepskin to hide your trolling.  Here's why.  I
noticed it in the previous five posts of yours I read as well, Donovan,
but I managed to talk myself out of responding.

>One might dismiss work on GUI components, APIs and applications as "fluff",
>but it's fluff that the average end user appreciates, and it's fluff that
>takes a lot of time and hard work to develop.

No, the applications weren't part of the fluff, you see.  Which is, of
course, why all the rest of it truly *is* fluff, even if any of it
actually occurred in Microsoft's case, which it didn't.

Nor was the discussion how tough it was to develop, but just WTF it was
that was developed, that took up so much more space on distribution
media.

>Finally, regarding architecture: it's a waste of time trying to improve
>the architecture of such a hideous monstrosity as Win 9x. It's already 
>a frankenstein as it is. The last thing we need is another arm sewn onto
>what is essentially Dos with a whole lot of stuff tacked on. MS are doing
>the right thing by focusing on their NT product line.

No, we aren't talking about the 'architecture' of running Windows on top
of DOS.  Just the stuff in Windows itself; even to call it
'architecture' is a stretch.  MS don't ever do "the right thing", if
you're a customer of theirs without your blinders on.

-- 
T. Max Devlin
  *** The best way to convince another is
          to state your case moderately and
             accurately.   - Benjamin Franklin ***

------------------------------

From: Steve Mading <[EMAIL PROTECTED]>
Crossposted-To: gnu.misc.discuss,comp.os.ms-windows.advocacy,misc.int-property
Subject: Re: definition of "free" for N-millionth time
Date: 10 Mar 2001 00:45:03 GMT

In comp.os.linux.advocacy Pat McCann <[EMAIL PROTECTED]> wrote:
: Steve Mading <[EMAIL PROTECTED]> writes:

:> You guys just don't get it.  Proprietary extensions from a work, when
:> put into a popular OS, CAN undermine the original through embrace-and-
:> extend-and-make-incompatible.  ....

: All of which has absolutely nothing to do with whether the BSDL code
: is still free.  It is the M$-extended work which is not free.  M$ had
: the freedom to profit from their work under their own terms (mostly).
: The BSDL code owners gave M$ the license, the freedom, to do that.

: Say all you'd like about the pros and cons of doing that, but DON'T
: say that the BSDL code can be made non-free.  When you say that, you 
: demonstrate that YOU don't get it or that you enjoy maddening people.

I don't have to.  You just did it yourself.  Read above.. "the M$-extended
work which is not free."  The key difference in our viewpoints seems to
be this:  You say that as long as you can get the original version from
the original source, that no freedom has been lost.  I say that this isn't
necessarily so, since the original version can be made useless by having
the proprietary extensions become the norm.


------------------------------

From: Steve Mading <[EMAIL PROTECTED]>
Crossposted-To: gnu.misc.discuss,comp.os.ms-windows.advocacy,misc.int-property
Subject: Re: definition of "free" for N-millionth time
Date: 10 Mar 2001 00:45:51 GMT

In comp.os.linux.advocacy David Masterson <[EMAIL PROTECTED]> wrote:
:>>>>> "Steve" == Steve Mading <[EMAIL PROTECTED]> writes:

:> The main complaint of the anti-GPL crowd seems to be that they
:> want free software to be a one-way street - they want to be
:> parasites of free software rather than participants in it.

: Or maybe they've got bills to pay...

Bzzzt.  You are using "free" in the "beer" sense here.


------------------------------

From: Steve Mading <[EMAIL PROTECTED]>
Crossposted-To: gnu.misc.discuss,comp.os.ms-windows.advocacy,misc.int-property
Subject: Re: definition of "free" for N-millionth time
Date: 10 Mar 2001 00:47:00 GMT

In comp.os.linux.advocacy Austin Ziegler <[EMAIL PROTECTED]> wrote:
: On 9 Mar 2001, Steve Mading wrote:
:> Embrace-and-extend is a working way to make the original less useful.
:> Consider HTML.  MS originally opposed the internet and web browsing,
:> preferring an AOL/Prodigy/Compuserve type of model for their MSN.  When
:> it became clear that it wouldn't work, they instead embraced and
:> extended the technology, so that now there are some websites out there
:> that don't work worth a damn if you don't use Internet Explorer.  They
:> did this by glomming onto a fairly open protocol (HTML) and adding things
:> that didn't improve it one bit, they merely made it incompatible.

: Sorry, but Netscape gets that honour first -- and the stuff that I've
: been reading says that IE is still more compatible than Netscape -- but
: not necessarily Mozilla.

Who did it first doesn't change the fact that it was done.  Proprietary
extensions can kill an open protocol, which is all I was trying to
say.


------------------------------

From: Steve Mading <[EMAIL PROTECTED]>
Crossposted-To: gnu.misc.discuss,comp.os.ms-windows.advocacy,misc.int-property
Subject: Re: definition of "free" for N-millionth time
Date: 10 Mar 2001 00:47:52 GMT

In comp.os.linux.advocacy Ayende Rahien <[EMAIL PROTECTED]> wrote:

: "Steve Mading" <[EMAIL PROTECTED]> wrote in message
: news:98bes2$f5a$[EMAIL PROTECTED]...


:> Embrace-and-extend is a working way to make the original less useful.
:> Consider HTML.  MS originally opposed the internet and web browsing,
:> preferring an AOL/Prodigy/Compuserve type of model for their MSN.  When
:> it became clear that it wouldn't work, they instead embraced and
:> extended the technology, so that now there are some websites out there
:> that don't work worth a damn if you don't use Internet Explorer.  They
:> did this by glomming onto a fairly open protocol (HTML) and adding things
:> that didn't improve it one bit, they merely made it incompatible.

: Yes, MS embraced & extended this attitude from Netscape.
: <BLINK>, anyone?
: IE 5.5 was the most standard compliant browser when it was released, but you
: don't bother to mention that.
: The reason so many things work on IE only is Netscape's fault. The long
: history of 4.XX drove people away from the platform.

Doesn't matter.  My point stands no matter who it is who has usurped
the open standard.


------------------------------

From: "Adam Warner" <[EMAIL PROTECTED]>
Subject: Re: Microsoft's .NET Vision
Date: Sat, 10 Mar 2001 14:09:09 +1300

Hi Bryant,

> I was reading over that link on Product Activation, and I can see how
> this will involve extra steps (making phone calls to MS, and whatnot)
> that a lot of "knowledgeable" folks would have to deal with upon
> re-configuring their machines. Personally, I can say that having to call
> MS everytime I re-do my machine would get to be a serious pain....

Since I live in New Zealand I have already had the pleasure of product
activation with MS Office 2000. I wasn't too concerned because I thought
it only meant compulsory registration. This is what my Office 2000 box
states (in very small print):

"For software licensing reasons, this product must be registered with
Microsoft in order to obtain a confirmation of the installation.
Registering may be done by Internet, e-mail, postal mail, fax or phone.
Registration instructions will be detailed to the user during launch of
the product. This product may be used unregistered for 50 launches. The
user may register at any time during this period, however, the product
will require input of the Confirmation to allow usage after the 50th
launch."

Now 50 launches can be used up in no time (any time you start Word, Excel,
Outlook, etc). So postal mail would be almost impossible.

I sincerely hope people value their own freedom enough to not buy MS
products with activation. I have experienced the indignity of Microsoft
requiring me to tell them why I wish to reinstall MS Office. I have had to
wait on the phone while they consult amongst themselves whether I should
be given another activation code.

I have attempted to explain (but soon gave up and changed my explanation
as the level of comprehension was non-existent) why I should be wanting to
install Microsoft Office in a Bochs virtual machine.

I worry for people wanting to reinstall Office in five or ten years time,
when Microsoft could possibly tell them "I'm sorry, your product is no
longer supported."

I can understand why someone might use a registration code that does not
require activation even though they must give up technical support and be
technically in breach of their license.

I knew I had to find some way to reclaim my freedom before I didn't have
any left. And here I am.

Microsoft has still not come clean and stated what kinds of hardware
changes will force reactivation. They only waffle that you won't need to
reactivate until you've essentially rebuilt your computer.

Wanna bet? Replacing or removing a network card could be enough given that
the MAC address will probably be used in part to generate the
computer-specific ID.

And don't even try to sell your software on the second hand market. Who's
going to want the hassles of proving to Microsoft that a new person is now
the legitimate owner of already activated software?

And remember that Microsoft is going to know what is going on in your home
or small business, such as when you are reinstalling your software because
the reactivation will be "automatic" on identical hardware.

Regards,
Adam

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to comp.os.linux.advocacy.

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Advocacy Digest
******************************
