Encryption

OpenSSH 5.4 Released 127

HipToday writes "As posted on the OpenBSD Journal, OpenSSH 5.4 has been released: 'Some highlights of this release are the disabling of protocol 1 by default, certificate authentication, a new "netcat mode," many changes on the sftp front (both client and server) and a collection of assorted bugfixes. The new release can already be found on a large number of mirrors and of course on www.openssh.com.'"

Comment Do nothing (Score 1) 497

If you are randomly generating your passwords and they are of a decent length then you don't really need to do anything. If your passwords contain lower-case letters only (not recommended), but are eight characters long then your million authentication attempts would represent only a 0.0005% chance of success. If your passwords contain numbers and upper-case characters too, then the likelihood is 1000 times less.

Comment Re:Fast, Weak sshfs (Score 1) 249

Faster still (and a better cipher):

ssh -o Compression=no -o Ciphers=arcfour256 -o MACs=umac-64@openssh.com ...

The umac-64 MAC is only supported by OpenSSH AFAIK (though the spec is available to anyone else who wants to). It is faster and has a better security guarantee than HMAC-MD5 (and is way faster than HMAC-SHA1).

Comment Re:Thanks OpenBSD (Score 1) 249

I'd like to thank the OpenBSD project, as well, but I'd also like to point out a few issues.

OpenSSH still won't work with certificates signed by a CA.

Quite right, and we have no intention of incorporating X.509 support. X.509 parsing and verification exposes a large amount of attack surface and all of it is, by necessity, pre-authentication too (the type which, if buggy, allows worms). Read Peter Gutmann's X.509 style guide and see if you ever want to go near this horror again. We have actually written our own minimal RSA verification code to avoid the sort of ASN.1 parsing that is necessary to deal with X.509, and it has saved us from at least seven bugs - some probably exploitable for authentication bypass or remote code execution.

OpenSSH doesn't allow an unencrypted connection (after authentication). Not all CPUs can encrypt/decrypt at 1Gbps.

Yep, we are a _secure_ shell and we take a mildly patriarchal attitude to adding options that can lead to insecure use of OpenSSH. Note that the actual bottleneck in most cases is not the crypto anyway (at least when using arcfour256 as your cipher) but the MAC, and you wouldn't want to switch that off. We do have a very fast MAC though: umac-64

OpenSSH doesn't work - as advertised - with an exclamation point in a "Match" statement.

File a bug, we'll fix it.

Other than that, OpenSSH is possibly one of the most capable and reliable pieces of software I've ever had the privilege to use.

Thanks :)
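
One way to verify an RSA PKCS#1 v1.5 signature without parsing any ASN.1, as the comment above describes in general terms: rebuild the single valid encoding and compare it byte for byte with what the signature decrypts to. This is an added example, not OpenSSH's code; SHA-256, the function names and the demo key (built from two publicly known primes, not secure) are assumptions made for illustration.

```python
import hashlib
import hmac

# Fixed DER prefix of a SHA-256 DigestInfo (PKCS#1 v1.5); the digest follows it.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key from two publicly known primes: NOT secure, sample only.
P = 2**255 - 19
Q = 2**256 - 2**32 - 977
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, used only to make samples
K = (N.bit_length() + 7) // 8       # modulus length in bytes


def expected_encoding(message: bytes, k: int) -> bytes:
    """Build the one valid encoding: 00 01 FF..FF 00 prefix digest."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify(message: bytes, sig: bytes, n: int = N, e: int = E) -> bool:
    """Encode-and-compare verification: no ASN.1 is ever parsed."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, expected_encoding(message, k))


def sign_encoding(em: bytes) -> bytes:
    """Sample-data helper: apply the private key to an arbitrary encoding."""
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def malformed_encoding(message: bytes) -> bytes:
    """Short padding plus trailing bytes after the digest: a lenient parser
    that stops reading after the digest would accept this; comparison won't."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * (K - len(t) - 11)
```

Because the verifier never interprets the decrypted bytes, any deviation in padding length or any trailing data simply fails the comparison.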

Comment Re:Thanks OpenBSD (Score 1) 249

Use arcfour256 as your cipher and umac-64@openssh.com as your MAC (ssh -oCiphers=arcfour256 -oMACs=umac-64@openssh.com ...). Between these, CPU is usually not the bottleneck anymore.

We don't support the none cipher because "secure networks" often aren't, and there are already tools that are insecure and go fast.
Biotech

Scientists Deliver Bee Toxin To Tumors Via "Nanobees" 98

ScienceDaily is reporting that Washington University School of Medicine researchers have found a way to deliver bee toxin to tumors using nano-spheres they call "nanobees." The results in mice showed a cessation of growth or even shrinkage of tumors while the surrounding tissue was protected from the toxin. "The core of the nanobees is composed of perfluorocarbon, an inert compound used in artificial blood. The research group developed perfluorocarbon nanoparticles several years ago and have been studying their use in various medical applications, including diagnosis and treatment of atherosclerosis and cancer. About six millionths of an inch in diameter, the nanoparticles are large enough to carry thousands of active compounds, yet small enough to pass readily through the bloodstream and to attach to cell membranes."
Democrats

Obama Significantly Revises Technology Positions 940

method9455 writes "Barack Obama has edited his official website on many issues, including a huge revision on the technology page. Strangely it seems net neutrality is no longer as important as it was a few months ago, and the swaths of detail have been removed and replaced with fairly vague rhetoric. Many technologists were alarmed with the choice of Joe Biden before, and now it appears their fears might have been well founded." Update: 09/22 18:07 GMT by T : Julian Sanchez of Ars Technica passed on a statement from an Obama campaign representative who points out that the changes in wording highlighted by Versionista aren't the whole story, and that more Obama tech-plan details are now available in a PDF, saying "there is absolutely no substantive change to our policy - folks who want more information can click to get our full plan."
Security

Cubicle Security For Laptops, Electronics? 532

kamikasee writes "I recently found out that I'm going to be moved from an office to a cubicle. The cubicle area is not very secure, and I'm worried about things wandering off. My boss has offered to buy some equipment to help me secure things, but so far I haven't found anything that fits my requirements. Google and Amazon searches are overwhelmed by lockable key cabinets and larger pieces of furniture. Here are some of the requirements: The main issue with traditional solutions (e.g. locking things in a drawer) is convenience. I use a laptop with a second LCD monitor. There's also an external keyboard and mouse and a USB hard drive. I leave my laptop on at night so I can remote-desktop into it, so I'm not really happy about putting it in a drawer (no ventilation), plus I don't like the idea of having to 'unharness' everything every time I want to put it away. I don't trust cable locks. Besides, cable locks won't help me secure my USB drive and other electronics that might wander off. The solution I imagine is a lockable, ventilated metal box that would sit under the monitor and house most of the electronics. If it was big enough, I could stick my laptop into it at night (while leaving it running) and feel confident that it would still be there in the morning. I'd be open to other types of solutions. Surely someone else must have dealt with this problem."

Can Google Kill PowerPoint? 257

theodp writes "Far from a PowerPoint killer, Slate's Paul Boutin finds Google's online presentation tool Preso more like a PowerPoint commercial — a half-baked app that shows how powerful Microsoft's program really is. But if you have your druthers, Boutin suggests ditching both and opting for Apple's Keynote, which helped snag an Oscar for Al Gore and inspired this Dear-PPT-Letter. 'The first hurdle ... You can't use it on a plane. Google Preso only works if you've got a live, high-bandwidth Internet connection. You can save the finished product to an HTML presentation on your laptop, but you can't edit the saved version or upload it back. The Splunkers would need to finalize their presos early in the morning in a rented conference room, where both Wi-Fi and Verizon wireless cards have been known to fail. That would kill the presentation.'"
Google

Google Goes After Open Source Licensing Cruft 127

pacopico writes "Google has secret plans to put out its own open source software license, according to this story in The Register. Apparently, Google's efforts will center around developing a simplified open source license that makes it easier for developers to stay "within the spirit" of the license in addition to the law. Chris DiBona at Google was asked about the plans but won't budge with details yet. Still, The Register claims that Google's efforts could improve the license proliferation issues facing the OSI."
