Re: Language Gentlemen and Ladies
On Wed, 12 Feb 2003, David Cantrell wrote:

> On Tue, Feb 11, 2003 at 08:28:14PM +, the hatter wrote:
> > They might allow other 'common' web ports, such as 8000 and 8080 on other
> > servers, maybe give that a go. If they do, you can run your own sshd on
> > any machine you happen to have non-root access.
>
> If they allow packets straight out to those ports then yes. But normally
> they'll use an http proxy, which will not pass your ssh packets. Hence
> me recommending http tunnel.

I was meaning in addition to proxying 443, (which philip can't run sshd on, unless he's root on the remote machine), if the proxy allows you to issue a CONNECT 8080 then he can set up a spare sshd on 8080, and also leave 443 available on the remote machine for a legit https service.

the hatter
Re: Language Gentlemen and Ladies
On Wed, 12 Feb 2003, Lusercop wrote:

> On Tue, Feb 11, 2003 at 06:42:30PM +, David Cantrell wrote:
> > https proxy? yay for man-in-the-middle fun!
>
> OK, I'll bite, given TLSv1 or SSLv3, what's the attack (bear in mind the
> proxy is a "CONNECT" proxy)? I'm sure you can get a paper out of it.

Remember, it's IE. _ANY_ valid certificate will do, even if it's a license to breed goats in Azerbaijan.

S.

-- 
Shevek I am the Borg.
sub AUTOLOAD{my$i=$AUTOLOAD;my$x=shift;$i=~s/^.*://;print"$x\n";eval qq{*$AUTOLOAD=sub{my\$x=shift;return unless \$x%$i;&{$x}(\$x);};};}
foreach my $i (3..65535) { &{'2'}($i); }
Re: Language Gentlemen and Ladies
On Wed, Feb 12, 2003 at 12:23:46AM +, Lusercop wrote:

> On Tue, Feb 11, 2003 at 06:42:30PM +, David Cantrell wrote:
> > https proxy? yay for man-in-the-middle fun!
>
> OK, I'll bite, given TLSv1 or SSLv3, what's the attack (bear in mind the
> proxy is a "CONNECT" proxy)? I'm sure you can get a paper out of it.

While we're on the subject of CONNECT proxies, it's worth telling people that there are some proxies out there which are broken and don't allow port numbers as part of the CONNECT line. For this reason, I tend to enable SSL on port 80 as well as 443 on my web servers so that I'm not denying anyone access to my SSL.

There may be some difference of opinion about whether it is better to try and 'gently re-educate' users and producers of such software. However, I'm leaving for NY in two hours, so I won't speculate. I also need to pack.

Ben
Re: Language Gentlemen and Ladies
On Tue, Feb 11, 2003 at 06:42:30PM +, David Cantrell wrote:

> https proxy? yay for man-in-the-middle fun!

OK, I'll bite, given TLSv1 or SSLv3, what's the attack (bear in mind the proxy is a "CONNECT" proxy)? I'm sure you can get a paper out of it.

-- 
Lusercop.net - LARTing Lusers everywhere since 2002
Re: Language Gentlemen and Ladies
On Tue, Feb 11, 2003 at 08:28:14PM +, the hatter wrote:

> They might allow other 'common' web ports, such as 8000 and 8080 on other
> servers, maybe give that a go. If they do, you can run your own sshd on
> any machine you happen to have non-root access.

If they allow packets straight out to those ports then yes. But normally they'll use an http proxy, which will not pass your ssh packets. Hence me recommending http tunnel.

-- 
David Cantrell|Degenerate|http://www.cantrell.org.uk/david
For every vengeance, there is an equal and opposite revengeance.
-- Cartoon Law X
Re: Language Gentlemen and Ladies
On Tue, Feb 11, 2003 at 03:15:57PM -, [EMAIL PROTECTED] wrote:

> > umm is there some particular reason that whoever is responsible for adding
> > that massage couldn't see fit to add a proper content separator (/^--\s\n/)
> > as defined in the RFCs ??
>
> Massage separator ? is that like when the Old Bill raid the joint then ?

What they're trying to say is:

Many email/news clients see '\n-- \n' as a standard separator between email message body and signature. For example, many will stop scrolling at the separator and switch to the next message (well, I can think of one...)

It is "convention" that if you use a signature, it should be kept to four lines, plus the sig delimiter. Corporate disclaimers added at the mail server will bloat this, so you could always have your list mail sent elsewhere and post without the office sig disclaimer (which is doubtless useless and unenforceable).

At the very least, as Lusercop suggested, you could have a '\n-- \n' (the space is important) separator at the end of your message, so that those configured to do so don't have to read your ungainly and annoying corporate hyperbole.

There's no need for you to "furk off now" as you put it. You're quite welcome here, although we'd appreciate it if you could try and do something about the bloody sig ;)

/joel

-- 
S. Joel Bernstein :: t 020 8458 2323 :: joel at fysh dot org
Re: Language Gentlemen and Ladies
On Tue, 11 Feb 2003, Newton, Philip wrote:

> Well, since you can't proxy HTTPS, you can, kind of -- once you tell the
> proxy "CONNECT remote.host 443", it'll pass through data transparently and
> is presumably none the wiser whether that data is actually HTTP-over-SSL or
> AIM or eDonkey2K or whatever.
>
> However, it only allows CONNECT to a remote port of 443.
>
> Not sure if that's what you meant by cheating. (I *did* try "CONNECT
> remote.host 22", and a couple of other ports... not recently, granted, but I
> doubt they've become more lenient since then.)

They might allow other 'common' web ports, such as 8000 and 8080 on other servers, maybe give that a go. If they do, you can run your own sshd on any machine you happen to have non-root access. I finally killed my 'spare' telnetd on port 443 the other week - given that most toyboxes don't run https services, if you know anyone with a toybox better than you know me, they can probably be persuaded to set such a thing up on 443.

An 'interesting' thought is that I know there are a few java ssh clients, it's quite possible that someone has added the appropriate twiddles to that to allow proxying, or you could possibly even modify the main ssh source, either as a quick hack, or as a proper, sharable patch that might be merged into the main distrib.

the hatter
Re: Language Gentlemen and Ladies
On Tue, Feb 11, 2003 at 04:10:20PM +, Shevek wrote:

> On Tue, 11 Feb 2003, Newton, Philip wrote:
> > As in our lovely firewall which doesn't allow *any* outside access except by
> > proxy (which basically reduces it to HTTP and HTTPS).
> Can you cheat via an https proxy?

https proxy? yay for man-in-the-middle fun!

http tunnel might be more useful. I used to operate one end of such a tunnel for one of the fine gents in this august forum, and could set it up again. It works just fine through http proxies. The usual way of working is to run ssh through the http tunnel, and then whatever the hell you want through ssh. Of course, it's *not* fool-proof, as the large number of HTTP POSTs coming from your workstation will be, errm, noteworthy, to your local security wookie.

-- 
Lord Protector David Cantrell | http://www.cantrell.org.uk/david
When a woman has a man on a string, controlling his every thought and motion, backbone in said man is not a requirement.
-- Ken, in alt.2eggs.sausage.beans.tomatoes.2toast.largetea.cheerslove
Re: Language Gentlemen and Ladies
robin szemeti wrote:

> On Tuesday 11 February 2003 15:30, Lusercop wrote:
> > Which RFC is the "-- " (not /^--\s/) defined in?
>
> to be precise, it is defined as "\n-- \n"
>
> > I always thought it was a USEFOR thing, and therefore not
> > on the standards track. I suppose it could be in the
> > Netiquette RFC, but I don't remember seeing it there.
>
> ummm ... I *thought* it was actually in one ... hmm RFC2646
> mentions it, so does RFC1036

I've always connected it with RFC1036, i.e. Usenet, with the use for email just being a "natural extension".

Cheers,
Philip

-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.
Re: Language Gentlemen and Ladies
Shevek wrote:

> On Tue, 11 Feb 2003, Newton, Philip wrote:
>
> > As in our lovely firewall which doesn't allow *any* outside
> > access except by proxy (which basically reduces it to HTTP
> > and HTTPS).
>
> Can you cheat via an https proxy?

Well, since you can't proxy HTTPS, you can, kind of -- once you tell the proxy "CONNECT remote.host 443", it'll pass through data transparently and is presumably none the wiser whether that data is actually HTTP-over-SSL or AIM or eDonkey2K or whatever.

However, it only allows CONNECT to a remote port of 443.

(Which is why I'm looking for someone nice who'll run an sshd on port 443 that he'll let me use. Then I could run an ssh proxy on localhost that on accepting a connection sends the appropriate CONNECT header to the firewall/proxy and then just passes remaining data on transparently, and then connect to localhost: --> firewall:8080 --> remotehost:443 --> sshd. But that's another story.)

Not sure if that's what you meant by cheating. (I *did* try "CONNECT remote.host 22", and a couple of other ports... not recently, granted, but I doubt they've become more lenient since then.)

Cheers,
Philip

-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.
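A defender-side view of the point in the message above, that the proxy cannot tell from the CONNECT request what will flow through the tunnel (added example, not part of any post in this thread): the Python below checks the CONNECT target port and then labels the first client bytes in the tunnel as TLS or SSH. It assumes a proxy or tap that can record those bytes; the function names, the 443-only policy constant and the sample records are constructed for illustration, and it expects the wire form `CONNECT host:port HTTP/1.x` rather than the shorthand used in the thread.

```python
# Added example (not from the thread): audit CONNECT tunnels by what the
# client actually sends first. All names and sample records are constructed.

ALLOWED_PORTS = {443}  # assumption: the 443-only policy described in the thread


def parse_connect(request_line):
    """Return (host, port) for 'CONNECT host:port HTTP/1.x', else None."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def classify_payload(first_bytes):
    """Label the first client-to-server bytes seen inside the tunnel."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"  # SSH identification string, e.g. b"SSH-2.0-..."
    # SSLv3/TLS record: type 0x16 (handshake), major version 3,
    # two-byte length, then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    return "other"


def audit(tunnels):
    """Return (request_line, finding) for every tunnel that breaks policy."""
    findings = []
    for request_line, first_bytes in tunnels:
        target = parse_connect(request_line)
        if target is None:
            findings.append((request_line, "malformed CONNECT"))
        elif target[1] not in ALLOWED_PORTS:
            findings.append((request_line, "port not allowed"))
        else:
            kind = classify_payload(first_bytes)
            if kind != "tls":
                findings.append((request_line, f"non-TLS payload: {kind}"))
    return findings


# Constructed sample data: (request line, first client bytes in the tunnel)
SAMPLE_TUNNELS = [
    ("CONNECT shop.example:443 HTTP/1.0", bytes.fromhex("160301002d010000")),
    ("CONNECT box.example:443 HTTP/1.0", b"SSH-2.0-OpenSSH_3.5p1\r\n"),
    ("CONNECT box.example:22 HTTP/1.0", b"SSH-2.0-OpenSSH_3.5p1\r\n"),
]

if __name__ == "__main__":
    for line, finding in audit(SAMPLE_TUNNELS):
        print(f"{finding}: {line}")
```

The check only sees the outermost protocol: an SSLv2-compatible hello is labelled "other", and anything wrapped inside a genuine TLS session is labelled "tls".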
Re: Language Gentlemen and Ladies
On Tuesday 11 February 2003 15:30, Lusercop wrote:

> On Tue, Feb 11, 2003 at 02:44:24PM +, robin szemeti wrote:
> > umm is there some particular reason that whoever is responsible for
> > adding that massage couldn't see fit to add a proper content separator
> > (/^--\s\n/) as defined in the RFCs ??
>
> Which RFC is the "-- " (not /^--\s/) defined in?

to be precise, it is defined as "\n-- \n"

> I always thought it was a
> USEFOR thing, and therefore not on the standards track. I suppose it could
> be in the Netiquette RFC, but I don't remember seeing it there.

ummm ... I *thought* it was actually in one ... hmm RFC2646 mentions it, so does RFC1036, but as you say, more in relation to a usenet posting convention, and the business vCard one does as well iirc ... ho hum ...

-- 
Robin Szemeti
Re: Language Gentlemen and Ladies
On Tue, 11 Feb 2003, Newton, Philip wrote:

> the hatter wrote:
> > I believe that for appropriate donations, you can even get an
> > account on a machine very closely located to the list itself.
>
> Though this is of limited usefulness in several corporate environments that
> limit connections to useful ports such as 22, 23, or 110.
>
> As in our lovely firewall which doesn't allow *any* outside access except by
> proxy (which basically reduces it to HTTP and HTTPS).

Can you cheat via an https proxy?

S.

-- 
Shevek I am the Borg.
sub AUTOLOAD{my$i=$AUTOLOAD;my$x=shift;$i=~s/^.*://;print"$x\n";eval qq{*$AUTOLOAD=sub{my\$x=shift;return unless \$x%$i;&{$x}(\$x);};};}
foreach my $i (3..65535) { &{'2'}($i); }
Re: Language Gentlemen and Ladies
On Tue, Feb 11, 2003 at 02:44:24PM +, robin szemeti wrote:

> umm is there some particular reason that whoever is responsible for adding
> that massage couldn't see fit to add a proper content separator (/^--\s\n/)
> as defined in the RFCs ??

Which RFC is the "-- " (not /^--\s/) defined in? I always thought it was a USEFOR thing, and therefore not on the standards track. I suppose it could be in the Netiquette RFC, but I don't remember seeing it there.

-- 
Lusercop.net - LARTing Lusers everywhere since 2002
RE: Language Gentlemen and Ladies
> umm is there some particular reason that whoever is responsible for adding
> that massage couldn't see fit to add a proper content separator (/^--\s\n/)
> as defined in the RFCs ??

Massage separator ? is that like when the Old Bill raid the joint then ?

Here comes that disclaimer again !

I'll furk off now, 'onest.

D

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.
Re: Language Gentlemen and Ladies
On Tuesday 11 February 2003 12:31, [EMAIL PROTECTED] wrote:

> PS sorry for the disclaimer below ( apparently we've won awards for it ).
>
> Visit our website at http://www.ubswarburg.com
>
> This message contains

umm is there some particular reason that whoever is responsible for adding that massage couldn't see fit to add a proper content separator (/^--\s\n/) as defined in the RFCs ??

-- 
Robin Szemeti
Re: Language Gentlemen and Ladies
the hatter wrote:

> I believe that for appropriate donations, you can even get an
> account on a machine very closely located to the list itself.

Though this is of limited usefulness in several corporate environments that limit connections to useful ports such as 22, 23, or 110.

As in our lovely firewall which doesn't allow *any* outside access except by proxy (which basically reduces it to HTTP and HTTPS).

> you can turn off mail delivery (which still keeps you subscribed)
> and read mail on the website as listed below,

This may then be the best method for such restrictive situations.

Cheers,
Philip

-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.
Re: Language Gentlemen and Ladies
On Tue, 11 Feb 2003, Mark Fowler wrote:

> May I suggest if your email account has arbitrary restrictions on the
> content it accepts that you find a replacement account to subscribe from?

I believe that for appropriate donations, you can even get an account on a machine very closely located to the list itself. In the interim, to appease your local stasi branch, you can turn off mail delivery (which still keeps you subscribed) and read mail on the website as listed below, or you can set it to digest mode, so you get a whole day's worth of obscenities in one mail, rather than having to get dozens of mails approved each day.

> > So, was it good, the stuff I missed ?
>
> For people who have had problems getting mail for any reason, the full
> archive is available online here: http://london.pm.org/pipermail/london.pm/

the hatter
Re: Language Gentlemen and Ladies
On Tue, 11 Feb 2003 [EMAIL PROTECTED] wrote:

> Sorry to delurk

Hello.

> for such a trivial matter but could the people from Scunthorpe or those
> working for Microsoft please move, I keep getting "This message has been
> impounded for improper language content" message from my network nazis
> and they're getting ugly about it.

Sorry to hear that. This list is designed to be an inclusive list, and all you need to be able to access it is a mail system that works properly (which I might add by the number of bounces the list admins get, a lot of you _don't_ have.)

May I suggest if your email account has arbitrary restrictions on the content it accepts that you find a replacement account to subscribe from?

This isn't me saying "Oooh, your account isn't good enough to subscribe here, go away", more the fact that I can't really offer any other suitable alternative - there are just too many cases of people doing weird things with mail for us to start controlling every little thing that's posted or for posters to start second guessing exactly what all the little servers out there are going to do.

> So, was it good, the stuff I missed ?

For people who have had problems getting mail for any reason, the full archive is available online here: http://london.pm.org/pipermail/london.pm/

Mark.
London.pm Administrative Dogsbody.

-- 
#!/usr/bin/perl -T
use strict;
use warnings;
print q{Mark Fowler, [EMAIL PROTECTED], http://twoshortplanks.com/};
Re: Language Gentlemen and Ladies
Lawyers - never use one word when ten will suffice.

On Tue, 2003-02-11 at 12:31, [EMAIL PROTECTED] wrote:

> E-mail transmission cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, destroyed,
> arrive late or incomplete, or contain viruses. The sender therefore
> does not accept liability for any errors or omissions in the contents
> of this message which arise as a result of e-mail transmission. If
> verification is required please request a hard-copy version. This
> message is provided for informational purposes and should not be
> construed as a solicitation or offer to buy or sell any securities or
> related financial instruments.

Things screw up. Don't believe what you read. Don't blame us if you lose your shirt.

S.
Re: Language Gentlemen and Ladies
On Tue, 2003-02-11 at 12:31, [EMAIL PROTECTED] wrote:

> Sorry to delurk for such a trivial matter but could the people from
> Scunthorpe or those working for Microsoft please move, I keep getting
> "This message has been impounded for improper language content" message
> from my network nazis and they're getting ugly about it.
>
> Therefore, any one banging on about APL or F77, please remember this is
> a perl channel and that that language is improper.

It is? Since when?

> So, was it good, the stuff I missed ?

What do you think?

> Dave Neal
> Under The Thumb
> UBS Warburg
>
> PS sorry for the disclaimer below ( apparently we've won awards for it ).

Which is unenforceable esp. where it is. Just think, soon we shall have to have them at the *beginning*, sigh...

Dirk

-- 
Please Note: Some Quantum Physics Theories Suggest That When the Consumer Is Not Directly Observing This Product, It May Cease to Exist or Will Exist Only in a Vague and Undetermined State.