Re: Media Hackers
On Sun, 29 Sep 2002, Samuele Giovanni Tonon wrote:

> On Sat, Sep 28, 2002 at 05:36:06PM +0100, Dale Amon wrote:
> > I'm curious if anyone has thought about ways of blocking
> > this sort of attack before it gets to the home user?
> > http://www.the-dailyrant.com/archives/000855.html#000855
>
> it depends on the attack: they say they want the
> "Congress to allow them to be able to legally hack"

My understanding of this, just from some online study, is that what they are contemplating doing at this time would be along the lines of:

A custom client uses the normal API of the P2P sharing services to find files that are being made available from the individual's machine, in the ordinary way of doing so. (So far that is not a hack or attack in any sense I am aware of.) Then they retrieve the shared file(s), but at a very slow rate and from as many client machines as the 'server' machine will allow, thus tying up the 'server' at its limit and denying access for as long as they can keep the connection alive.

Still IMHO not a real 'attack', but it may in some cases be a form of denying legitimate 'use and enjoyment' of the individual's computer. Not likely to be a cause of 'damage', so much as it might tie up lots of bandwidth through any particular ISP when/if they concentrate efforts on some range of IP addresses.

On some of the networks we oversee, we were doing some really short DHCP leases to their DSL customers. Got only one complaint, and it likely was a user whose P2P sharing was hampered. But we decided for other reasons to lengthen the default and allowed leases to 14400 and 7200 seconds anyway. (We were using 3600 Max and 600 Default for the trial period.) Mostly we wanted to see if we could get more efficient return of IP addresses to the DHCP pool, and gather stats on how long customers were actually leaving their systems/bridges (call them modems if you want) on. Turns out to be about two hours per session.

I personally thought that we had somewhat fewer questions and complaints about 'hacking attempts' from those customers for the duration of the experiment. But it really is not common enough to get complaints that there could be any statistical validity, and other influences could easily be the cause of perceived reduced complaints.

> so it seems not specific to p2p flaws but by using
> any known flaws of the target system.
> How can you block them ? the same way you block
> normal "hackers" .

Really, from what I have read, the way to block it would seem to be to limit how many slow connections the P2P software would permit.

> > I think it is especially important to those of us
> > who are not under US law, living in places where such
> > activity would not only *be* criminal, but would be treated
> > as such under law.

Not at all obvious that it would be criminal anywhere if the so-called hack is as I saw described.

> it depends on the "agreement law" between your country and US,
> Anyway they should cooperate with the local country police,
> because (fortunately) DMCA is not a "global law"; so they can
> be persecuted if they hack on to my pc that is outside us law;
> if not, well, there would be so many law about privacy, private rights,
> local law that were breaked, that i should start to think of living
> in a world with a "us dictatorship", and that "1984" is now true.

But is it a problem if someone just hogs the available connections that your software is able to form? Doing nothing other than what you set it up to provide, but much slower?

> Anyway, Stay in touch with debian security updates and watch your logs :-)
>
> Regards
> Samuele

Standard disclaimers apply. IANAL. Not anyone's opinion except my own. No warranty. Do not eat anything bigger than your head.
Re: Media Hackers
On Sat, Sep 28, 2002 at 05:36:06PM +0100, Dale Amon wrote:
> I'm curious if anyone has thought about ways of blocking
> this sort of attack before it gets to the home user?
> http://www.the-dailyrant.com/archives/000855.html#000855

It depends on the attack: they say they want "Congress to allow them to be able to legally hack", so it seems not specific to P2P flaws but by using any known flaws of the target system. How can you block them? The same way you block normal "hackers".

> I think it is especially important to those of us
> who are not under US law, living in places where such
> activity would not only *be* criminal, but would be treated
> as such under law.

It depends on the "agreement law" between your country and the US. Anyway, they should cooperate with the local country police, because (fortunately) the DMCA is not a "global law"; so they can be prosecuted if they hack on to my PC that is outside US law. If not, well, there would be so many laws about privacy, private rights and local law that were broken that I should start to think of living in a world with a "US dictatorship", and that "1984" is now true.

Anyway, stay in touch with Debian security updates and watch your logs :-)

Regards
Samuele

-- 
Samuele Giovanni Tonon <[EMAIL PROTECTED]>   http://www.linuxasylum.net/~samu/
Acid -- better living through chemistry. Timothy Leary
RE: Re: Media Hackers
On Sat, 28 Sep 2001 at 10:19 AM, Phillip Hofmeister wrote:
> On Sat, 28 Sep 2002 at 05:36:06PM +0100, Dale Amon wrote:
> > I'm curious if anyone has thought about ways of blocking
> > this sort of attack before it gets to the home user?
> >
> > http://www.the-dailyrant.com/archives/000855.html#000855
> >
> > I think it is especially important to those of us
> > who are not under US law, living in places where such
> > activity would not only *be* criminal, but would be treated
> > as such under law.
>
> 1. This post (like the one before it) is probably off-topic and is marked
>    as such...

I disagree. This is debian-*security* after all. I believe that this is an entirely apropos discussion. Besides, P2P isn't just windoze anymore.

> 2. It will be interesting to see how they will hack through NAT

Any time one of the end users connects to the network via their P2P server, they would be at risk (potentially) if there were any security flaws in their P2P software. Assuming that there are no such flaws, then no, they (the media company) would have to hack into the firewall (NAT) first. For a box directly on the internet, well... I say that (IMNSHO) a well-patched firewall w/ NAT and port-forwarding is the way to go.

> 3. I suggest you write your congressperson.

*Doh*! Dale's message indicates that he is not a US citizen (or that he's asking from the perspective of a non-US citizen), and therefore it is reasonably safe to assume that he doesn't have a congress critter to talk to. However, for anyone with a congressperson, get out those pens and paper!

Ian Greenhoe
[EMAIL PROTECTED]
PBP -- Paranoid By Profession
Re: Why does rpc.statd need a privileged port?
On Saturday, 2002-09-28 at 18:33:43 +0200, Wichert Akkerman wrote:
> Previously Lupe Christoph wrote:
> > Opinions? Comments?
> Does it really matter?

Well, it may collide with a service started after it that wants this particular privileged port. I also believe that services that do not require a privileged port should not use one. There are only 1023 of them.

Lupe Christoph
-- 
| [EMAIL PROTECTED]                    | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be     |
| unsinkable. The designer had a speech impediment. He said: "I have  |
| thith great unthinkable conthept ..."                               |
OT: Re: Re: Media Hackers
On Sat, 28 Sep 2002 13:19:44 -0400 Phillip Hofmeister <[EMAIL PROTECTED]> wrote:
> On Sat, 28 Sep 2002 at 05:36:06PM +0100, Dale Amon wrote:
> > I'm curious if anyone has thought about ways of blocking
> > this sort of attack before it gets to the home user?
> >
> > http://www.the-dailyrant.com/archives/000855.html#000855
> >
> > I think it is especially important to those of us
> > who are not under US law, living in places where such
> > activity would not only *be* criminal, but would be treated
> > as such under law.
>
> 1. This post (like the one before it) is probably off-topic and is
> marked as such...
>
> 2. It will be interesting to see how they will hack through NAT
>
> 3. I suggest you write your congressperson.

2. A question: If you are sharing files from a PC behind any firewall which does NAT, the software running on this PC must act like a server, right? So, if you are able to hack this software you are done. Wouldn't this be correct?

Regards,
Michael Meyer
OT: Re: Media Hackers
On Sat, 28 Sep 2002 at 05:36:06PM +0100, Dale Amon wrote:
> I'm curious if anyone has thought about ways of blocking
> this sort of attack before it gets to the home user?
>
> http://www.the-dailyrant.com/archives/000855.html#000855
>
> I think it is especially important to those of us
> who are not under US law, living in places where such
> activity would not only *be* criminal, but would be treated
> as such under law.

1. This post (like the one before it) is probably off-topic and is marked as such...

2. It will be interesting to see how they will hack through NAT

3. I suggest you write your congressperson.

-- 
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/ | gpg --import

XP Source Code:
#include #include #include #include #include #include #include #include
//os_ver="Windows 2000"
os_ver="Windows XP"
Media Hackers
I'm curious if anyone has thought about ways of blocking this sort of attack before it gets to the home user?

http://www.the-dailyrant.com/archives/000855.html#000855

I think it is especially important to those of us who are not under US law, living in places where such activity would not only *be* criminal, but would be treated as such under law.
Re: Why does rpc.statd need a privileged port?
Previously Lupe Christoph wrote:
> Opinions? Comments?

Does it really matter?

Wichert.

-- 
[EMAIL PROTECTED]   This space intentionally left occupied
[EMAIL PROTECTED]   http://www.wiggy.net/
1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D
Why does rpc.statd need a privileged port?
Hi!

I'm running chkrootkit on my workstation, just for testing. After the last reboot it found:

  Checking `bindshell'... INFECTED (PORTS: 600)

Slightly shocking on a workstation without direct Internet connectivity. Doing an "lsof -i :600" showed rpc.statd using this port. Huh? Why a low port? On Solaris, rpc.statd runs on an ancillary port (> 32767).

Browsing through the source of rpc.statd, I found this:

  if (bindresvport (sock, &addr))

It's called if rpc.statd has not been assigned a port to operate on (option -p or --port). On the security-audit mailing list, Olaf Kirch said

  I don't recall whether lockd wants that call to originate from a privileged port.

I can't find anything like that in the sources. Since I have no code that locks a file on an NFS-mounted filesystem, I can't verify this (run rpc.statd -p $unpriv_port, try locking). And since requiring a low port would break locking between a Solaris and a Linux box, I doubt this would be a good idea.

Opinions? Comments?

Thanks,
Lupe Christoph
-- 
| [EMAIL PROTECTED]                    | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be     |
| unsinkable. The designer had a speech impediment. He said: "I have  |
| thith great unthinkable conthept ..."                               |
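The triage Lupe did by hand (chkrootkit flags a low port, `lsof -i :600` names the daemon) is worth automating for the whole reserved range, because a port-based "bindshell" signature cannot tell rpc.statd from a backdoor. The script below is an added example for this thread, not code from chkrootkit or nfs-utils. It reads `/proc/net/tcp` and `/proc/net/udp` directly, keeps the sockets bound below 1024, and resolves each socket inode to a pid and command name through `/proc/<pid>/fd`, which is the same mechanism lsof uses. The `/proc/net/tcp` excerpt embedded as `SAMPLE_TCP` is constructed (a listener on 600, one on 631, an unprivileged one on 8080 and an ESTABLISHED connection whose local port is also 600); the inode-to-process map only covers processes whose fd directory you may read, so run it as root for a full picture.

```python
"""Inventory sockets bound to privileged ports (< 1024) and the processes holding
them, read straight from /proc. Constructed example; not part of chkrootkit or nfs-utils."""
import os
import re

IPPORT_RESERVED = 1024
TCP_LISTEN = 0x0A   # 'st' column of a listening TCP socket in /proc/net/tcp
TCP_CLOSE = 0x07    # 'st' column of an unconnected, bound UDP socket in /proc/net/udp


def hex_ipv4(h):
    """'0100007F' (little-endian hex, as /proc/net/tcp prints it) -> '127.0.0.1'."""
    return ".".join(str(b) for b in bytes.fromhex(h)[::-1])


def parse_proc_net(text):
    """Parse the body of /proc/net/tcp or /proc/net/udp (IPv4 tables) into dicts."""
    rows = []
    for line in text.splitlines()[1:]:      # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        ip, port = f[1].split(":")
        rows.append({"ip": hex_ipv4(ip), "port": int(port, 16),
                     "state": int(f[3], 16), "uid": int(f[7]), "inode": int(f[9])})
    return rows


def low_port_sockets(rows, bound_state, limit=IPPORT_RESERVED):
    """Bound sockets (LISTEN for TCP, unconnected for UDP) on ports below `limit`.
    Connected sockets that merely have a low local port are deliberately excluded."""
    return [r for r in rows if r["port"] < limit and r["state"] == bound_state]


def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, comm) by scanning /proc/<pid>/fd, as lsof does.
    Entries for processes whose fd directory is unreadable are simply missing."""
    owners = {}
    pat = re.compile(r"socket:\[(\d+)\]")
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
            with open(os.path.join(proc, pid, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        for fd in fds:
            try:
                m = pat.fullmatch(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if m:
                owners[int(m.group(1))] = (int(pid), comm)
    return owners


def report(proc="/proc"):
    """Print every privileged-port socket with its owner, so a chkrootkit
    'bindshell' hit on e.g. port 600 can be tied to a real daemon or not."""
    owners = socket_owners(proc)
    for name, state in (("tcp", TCP_LISTEN), ("udp", TCP_CLOSE)):
        with open(os.path.join(proc, "net", name)) as fh:
            rows = parse_proc_net(fh.read())
        for r in sorted(low_port_sockets(rows, state), key=lambda r: r["port"]):
            pid, comm = owners.get(r["inode"], ("?", "unknown (fd dir not readable)"))
            print(f"{name} {r['ip']}:{r['port']:<5} uid={r['uid']:<5} pid={pid} {comm}")


# Constructed /proc/net/tcp excerpt (ports in hex: 0258=600, 0277=631, 1F90=8080).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0258 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0258 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    report()
```

IPv6 listeners live in `/proc/net/tcp6` and `/proc/net/udp6` with 32-hex-digit addresses and are not covered here. The useful follow-up to a hit is not the port number but the owner: a known daemon binary at its packaged path, started by init, is a very different finding from an unknown comm in `/tmp`.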
Re: slapper countermeasures
KevinL <[EMAIL PROTECTED]> writes:
> On Wed, 2002-09-18 at 06:05, Michael Renzmann wrote:
> > "killall .bugtraq" would be suitable as well, and it would "destroy"
> > every other instance of the program that is running currently. Even if
> > detecting the current PPID does not work for whatever reason.
>
> *chuckle*
> Solaris is vulnerable to this bug? Solaris "killall" kills _everything_
> - not just the named process.

Not everything - just any process with an open filedescriptor.

> KJL
> (Who knows this from bitter experience...)

Me, too. Brought down one of our production servers hard... Learned that lesson! ;-)

Regards,
Ulli
-- 
Ullrich Jans        Eichenstrasse 4        Tel: +49 89 74427834
82024 Taufkirchen   Usenet: [EMAIL PROTECTED]   RealUlli@IRC