Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror

Comment: Re:Upstart or Systemd? (Score 1) 468

by LordLimecat (#49556703) Attached to: Ubuntu 15.04 Released, First Version To Feature systemd

But if theyre the ones making the packages, they sort of have the say in how those packages are built. That is to say, if you dont like it, build your own packages. It seems perfectly legitimate to me for a software developer to make choices that may have tradeoffs in order to reduce the complexity of the development; this is a pretty common thing in fact.

And if it turns out that the things RedHat is designing their software to do dont meet your needs, I would wonder why you would use Red Hat.

Comment: This is why people get ticked @ apple products (Score 1) 93

by LordLimecat (#49556475) Attached to: Apple's Next Frontier Is Your Body

Apple is a good UI company, and theyre quite good at taking existing technologies and making them more attractive to general consumers. But language like "frontier" implies that Apple blazes new paths. The problem is that if you were to consider the last few years, theres very little apple has innovated.

Apple pay? Preceeded by some 2 years by Google Wallet. Apple watch? Preceeded by a year by Google wear. Their entire iPhone 6 unveil consisted of demoing ideas that had been in wide usage for a year or more by other vendors.

I can understand the excitement, in the same way that BMW or Lexus enthusiasts might get excited over a new model-- but to then act like Lexus is leading the way in automotive engineering would be ridiculous.

Comment: Re:systemd, eh? (Score 0) 468

by LordLimecat (#49545875) Attached to: Ubuntu 15.04 Released, First Version To Feature systemd

not the choices of linux users or the linux ecosystem.

Great news, you can pick your ball up and go home to roll your own distro. You dont have to care what RedHat does.

Obviously if package makers start targetting SystemD, that will affect you, but then again you can also make your own packages if you dont like their decision.

Comment: Re:Words without actions are meaningless (Score 1) 107

by LordLimecat (#49535395) Attached to: D-Link Apologizes For Router Security

I do know that it will prevent unsolicited traffic from the wan port into the lan section as long as the connection was not already open from the lan side.

This is not entirely correct, and is his entire point. Someone who is directly connected to the WAN of your router COULD access a port on the inside by manually supplying a route to your private network.

The security value of NAT is that WAN hosts do not generally have a way of routing traffic to your internal private subnet. However, if an attacker had control of every router between them and you, they could manually set up a route into your network.

In that sense he is correct: NAT doesnt provide any guarantees, because hypothetically a hacker could first hack your ISP, and set up static routes to your internal NATted network, and then directly access your internal network remotely.

The reason I continue to say it IS security is because NO security measures are absolute, and security is about layering to reduce risk. Taking the set of attackers from "Everyone on the internet" to some subset of that is an increase in security.

To demonstrate how this all works, lets use the following:

Your private network:
Computer: 192.168.50.5 (listening on port 80)
Router: 192.168.50.1

WAN:
Your router: 1.1.1.1
Your ISP's router: 1.1.1.2
My ISP's router: 9.9.9.2
My router: 9.9.9.1

If I wanted to access your computer, and you had no active connections, I would be unable to: your router would not automatically map any connections to 192.168.50.5, so any connections to 1.1.1.1 / port 80 would just get discarded with your router saying "WTF am I supposed to do with this?". However, if a packet arrived at your router addressed to 192.168.50.5 directly, your router would happily pass that packet on through.

The security here comes from the fact that if my router addresses a packet to 192.168.50.5, it will not know where to send it and will drop it. If I added a manual route to my router saying "packets to 192.168.50.5 go to 9.9.9.2", it will route it to my ISP's router-- who wont know where to send it, and will drop it (I believe it will send a "no route to host" ICMP message). Similarly, traceroute 192.168.50.5 will give "no route to host".

In order for me to break into your network, I would need to take control of both ISP routers (9.9.9.2 and 1.1.1.2), and add a manual route indicating how to route those packets (or modify the OSPF or BGP configuration to distribute those routes). The spec around private addressing in general is where the real security comes from, as it indicates that proper behavior is to not route packets addressed to a private RFC1918 address on the internet.

NAT isnt broken; it isnt designed as a security function, but as a way of stretching addresses. Its ability to hide network details is somewhat of a side effect of that, and that provides the security function-- but its much simpler to just set up a stateful firewall than to set up NAT if all you care about is security.

* RFC1918-- in case this term isnt clear, it refers to non-routable subnets which are not tracked by the public internet addressing authority (IANA). These subnets are what most consumer routers come preconfigured with:
  + 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  + 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  + 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Comment: Re:Words without actions are meaningless (Score 1) 107

by LordLimecat (#49535345) Attached to: D-Link Apologizes For Router Security

If you want to run a test, I will turn off my stateful firewall and give you my current WAN address, and the private IP of a host running a web server; the test would be to see whether you are able to determine what the text of that webserver is.

You wont be able to, however, because as we all know no ISP in the world is going to route your packet because the destination address will be RFC1918-- not because theyre good guy ISPs, but because they cant. This proves the point: The use of NAT-- even in the absence of a firewall-- removes you from the pool of potential attackers, along with anyone not living in the same geographical area as me.

On the first page of Google results, more than half the tutorials for setting up a NAT router leave people with a configuration that allows inbound connections into their entire LAN.

Thats not my deal. People shouldnt rely on NAT solely; I do not disagree. Stateful firewalls are a dime a dozen. But your constant statement that NAT has no security value whatsoever is clearly incorrect.

You dont fight ignorance with half truths. You can combat incorrect configurations by saying "yea, this is better than nothing, but its extremely poor practice in any case."

I dont admit Im wrong not because Im stubborn, but because the security value given by NAT is affirmed by several vendors, none of whom dispute the potential vulnerability you present, but who nevertheless would mark NAT as a part of a security strategy alongside a firewall. If you want me to reject everything I know about routing, and public / private addressing, and everything these vendors are saying, you need to come in here with a lot more than a simple experiment that wont work on the production internet.

Comment: Re:It's my choice to kill my kid! (Score 2) 608

by LordLimecat (#49535255) Attached to: Bill To Require Vaccination of Children Advances In California

The issue is also whether you allow society to dicatate what medical procedures are performed on your body.

Lets not forget the fine history of unethical human medical experimentation in the United States. And people think we should just give the government carte blanche to dicate medical procedures?

Unbelievable. Something about history, and being doomed to repeat it...

Comment: Re:It's my choice to kill my kid! (Score 1) 608

by LordLimecat (#49535233) Attached to: Bill To Require Vaccination of Children Advances In California

The real problem is that the medical community has done a lot over the years to make people justifiably hesitant to blindly trust their every whim.

That said this headline is misleading, immunization is a requirement to use public schools, but public schooling is not required.

Comment: Re:Words without actions are meaningless (Score 1) 107

by LordLimecat (#49526629) Attached to: D-Link Apologizes For Router Security

I can tell you that if my memory serves me correctly NAT works by changing the last two digits of the mac address on the packets going out so that when they come back in the box knows which port to traffic to.

Thats not really what it does, though its sort of close.

NAT covers a large number of different scenarios; the specific one we are discussing is known as Source NAT, or dynamic NAT (or PAT, in the Cisco world).

In this scenario you have a range of private IP addresses that are not publicly routable, and a single publicly routable WAN IP address to be shared among those private hosts. Each IP packet sent will have a source IP, source port, destination IP, and destination port. The router takes each outbound packet, tears down the layer 2, 3, (and possibly 4) headers, and re-writes the "source" port and IP address using a "pool" of NAT IPs and ports. It forwards the rewritten packet on, and stores in a table the mapping of the private host's IP and source port to the NAT IP/port. Return packets matching that pair of NAT IP/port will be translated (rewritten) to target the private host that originally sent them.

The argument being made is that technically this mechanism does not, in itself, identify and block unsolicited traffic-- which is correct. Technically if you were to guess a mapped pair, you could sneak an unsolicited packet through; if I've opened a connection to Google, (my private IP: 192.168.50.5) and my NAT'd IP/port is "5.5.5.5 / 5238", ANYONE could send a packet to that pair and it should get forwarded through.

In reality, there are problems with this that make it difficult to do, the most obvious being that the private host will simply reject that packet as it does not match an active TCP connection that it recognizes. Additionally, this does not work with listening services (which will not have a PAT mapping, as they arent generally initiating connections), and if there are no active conversations no one on the internet will be able to get their traffic to the private host as the router simply wont have any active NAT mappings-- it wont know what to do with the unsolicited traffic, and will dump it.

The "attack" being described is simply to set up a static route on your machine which tells it "ah, but _I_ know how to get to 192.168.50.5-- its through 5.5.5.5!". This could work, as indeed the router would know how to handle the 192.168.50.5 address; the problem is that no other router on the internet will accept a packet destined for that IP address, and you cant just tell those routers how to route the packet. So this attack only works if you are right next to your target-- either their ISP, or some hacker who is on the same cable drop as your neighborhood.

This is why I call it security: if you have no other firewall, NAT (of the sort we mean when discussing consumer routers) will at least ensure that no geographically removed attackers can access your private network, simply by virtue of every other router on the internet refusing to carry the traffic.

The real crux of this argument is that the AC is being pedantic and obnoxious, and conflating static NAT (his iptables examples) with the sort of NAT found on every consumer firewall. If someone is setting up an iptables NAT, they almost certainly are aware of what doing a default policy of ACCEPT will do: it will remove any sort of filtering and all security. But thats not what the context of the conversation was, which is why theres a disagreement here.

Don't panic.

Working...