Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Slashback

Slashback: Highness, Hominess, Hole-ines 285

Slashback tonight with updates on SSH vulnerabilities, the Queen's web server, the European answer to GPS (in danger, it seems) and your ever-thinner rights to use software for anything you don't have specific permission for.

Sometimes being British means self-flagellation. Ferox writes: "The November Web Site Survey from Netcraft reveals something interesting: 'Two years ago the Queen of England became an unlikely icon for the Linux revolution when her webmaster replaced Solaris as the platform for the Royal Family's site, citing the better price/performance of the Dell/Linux platform over the previous incumbent, Sun/Solaris. The open source community celebrated and speculated on when the Apache web server might receive the "By Royal Appointment" moniker. This week the site has changed platforms again, this time to Microsoft-IIS.'"

Keep your hands and passwords inside the car at all times. Niels Provos passed along word of his ongoing research into network security, with some slightly depressing news about the state of Internet security.

Even though the CRC32 bug has been found over a year ago, over 30% of all servers are still vulnerable today. Graph at http://www.citi.umich.edu/u/provos/ssh/crc32.png.

In February 2001, Razor Bindview released their "Remote vulnerability in SSH daemon crc32 compensation attack detector" advisory, which outlined a gaping hole in deployed SSH servers that can lead to a remote attacker gaining privileged access.

In November 2001, Dave Dittrich published a detailed analysis of the "CRC32 compensation attack detector exploit." This exploit is currently widely in use. CERT released Incident Note IN-2001-12.

At the Center for Information Technology Integration, Niels Provos and Peter Honeyman have been scanning the University of Michigan for vulnerable SSH server software to identify and update vulnerable SSH servers. However, scans of the Internet show that system and security administrators must react and update their SSH servers. At this writing, over 30% of all SSH servers appear to have the CRC32 bug.

A simple solution is to remove support for Version One of the SSH protocol. The majority of servers on the Internet support the SSH v2 protocol. To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool.

References: "ScanSSH - Scanning the Internet for SSH Servers", Niels Provos and Peter Honeyman, 16th USENIX Systems Administration Conference (LISA). San Diego, CA, December 2001. This information is also available at http://www.citi.umich.edu/u/provos/ssh/

Don't play with your food, or your games. janolder writes "In the matter of the Civilization III translation project (articles on slashdot, apolyton and heise), the fans have gotten the short end of the stick. The project web site (translation.civ3.de) has been down for a while. Earlier this week, both the web site operator and Kai Fiebach, the project leader, signed Infogrames' cease and desists out of fear of further legal action. The legal position (not to mention the moral postion) of the fans did not appear to be too weak - EULA's are not binding in Germany and supplying patches to a program is certainly not the same as translating a book and distributing the translated manuscript.

Infogrames Germany has issued another press release (translation and my comments) justifying their legal action and position. It makes for an interesting peek into the mindset of a game publisher.

The good news is that Infogrames is considering a more timely release of Civilzation III in Germany.

The bad news is that the cease and desists apparently forbid any modification of Civ3 in any way, shape or form. So no more custom maps for your friends, custom rules or any such copyright infringing activity, please! Is it just me, or has the world suddenly become a less interesting place?"

Not as if Americans always know where we are, either. ByTor-2112 writes "Hate to be the bearer of bad news so soon after a story is posted, but as I commented on the previous story, it appears that galileo has some funding issues. Honestly, did anyone really expect the EU to go through with it? It took them long enough to agree on a common currency!"

This discussion has been archived. No new comments can be posted.

Slashback: Highness, Hominess, Hole-ines

Comments Filter:
  • Slashdotted already? (Score:3, Interesting)

    by lhand ( 30548 ) on Tuesday December 04, 2001 @08:06PM (#2657018)
    Or is the royal web site down? Hmm. Maybe they should have stuck with Linux.
  • by sterno ( 16320 )
    What do you want to bet that a Microsoft Rep walked in and said, "here's free software and hardware if you switch to IIS".
    • Re:Microsoft PR? (Score:2, Insightful)

      by dirtyhippie ( 259852 )
      How much you wanna bet the Royal Family doesn't give 2 shits how much it costs to run their website. Actually, the netblock changed, my guess is they changed webhosts.
  • by slugfro ( 533652 ) on Tuesday December 04, 2001 @08:09PM (#2657035) Homepage
    Hey, the data about the Royal Page says that the Windows 2000 server has been up 5.56 days since the last reboot.
    Is that a World Record for IIS?
    • My intranet server (NT4/MSSQL/IIS) has an uptime of 63 days (since a power outage). Before that, I had a running uptime of 121 days. My WinXP laptop has not crashed for over two weeks now, and I'm running a #%@#load (cursing of your choice) of software including Oracle8i, MSSQL7, Cygnus, IIS, VS.NET, VS6, Mozilla, Office2K, and Embedded VC++. A well configured system using any modern Microsoft OS (not of the Win9X line) is quite stable. And, they don't have to be rebooted for every little upgrade.

      Yes, they have had problems in the past, and I curse every time I have to deal with Win95/98/ME. But please stop knocking the product just because of it's predecessors.

      • by Anonymous Coward
        Yeah, knock it because of its memory leaks....
      • In reply to this post's grandparent: it has an uptime of 5 days because that's when they installed the new box.

        So instead of knocking the product because of its predecessors, you're suggesting we use a more valid reason?

        How about security: every time Microsoft releases a bug fix, they introduce a new bug.

        Not to mention "Behind the scenes" black magic: whenever my proxy sends an ident request to a Windows box, the box responds with a request for http://windowsupdate.microsoft.com/ident.cab -- filling up the server's /var overnight, before I could do something to fix the problem.
        Let's not forget their plans for world domination. I must admit that the Linux community wants world domination too, but it would be an open domination, where anybody can change the source code (then patent it in some obscure country [or the US] and make a billion dollars).

        But the world isn't all bad. All these stories about narrowing rights and such can be kind of depressing. I'd like to see Slashdot (and Slashdotters) post more of the non-depressing stuff. There's a lot of good out there too.
        • ut the world isn't all bad. All these stories about narrowing rights and such can be kind of depressing. I'd like to see Slashdot (and Slashdotters) post more of the non-depressing stuff. There's a lot of good out there too.


          Hey, I'd like to be an optimist, but I don't I could do it.

      • Yes, win2k earned the reputation of being stable 2 month before it was released. Thats pretty fast.
        • Ever heard of NT4?
          • by q-soe ( 466472 )
            Ye
            One of my nt4 file servers here provides file and login for 200 staff and has an uptime of 267 days solid

            Uptime discussions are invalid when comparing file app and print servers, availability is how we measure this and that means an uptime is bull - you have to reboot servers of ANY ilk for hotfixes and general maintenance.
    • How exactly does the parent post get modded up as "funny?" It was one of the dullest replies to the article. They obviously just switched "this week." Not only that, but they are apparently in the process of switching. Not only that, but as another post mentioned, Windows 2000 based systems are usually very stable if configured correctly. Is /. simply going to the dogs?
      • Maybe it got modded as "funny" because it was simply a joke written with the intention of making the typical anti-Microsoft /. reader get a quick laugh. Of course it is obvious that the server was just switched since if clearly states that in the article. And I am running Windows 2000 right now! Remember: it was just a joke!
        • Gee...maybe if you read my post, you would see that I thought it was a dull comment. There is no question that it was a "joke" but my point was that it was very dull and should not have been modded up. I do not mind jokes against Microsoft at all, as long as they are not dull. Apparently, however, dull anti-microsoft jokes come first.
      • Blah... Windows 2000 based systems are usually very stable

        Not mine... With 128MB of 266MHz DDR RAM and a 1.13 GHz Athlon, the thing freezes all the time.

        Maybe I have something configured incorrectly :)

        Just my personal experience.
    • *sigh*. Please don't moderate trolls as anything other that troll, -1.

      FWIW I've had 139 days uptime on NT4SP6a running several servers (ssh, web, mail) as well as std workstation and dev stuff - cygwin, emacs, etc etc. No Outlook, no IE and no IIS. Result, happiness - well, as happy as it's possible to be whilst still sullying one's mind fingers with Microsoft stuff. It's the freedom thing that's important, anyway, not the quality of the code.
  • "Alert

    The operation timed out when attempting to contact www.royal.gov.uk."

    *snicker*
  • Civ III was profoundly boring - well, that is, profoundly un-inspiring, I liked CivII and played it forever and was hoping CivIII would be new and neat and I'd get to take over the world again but it's just CivII w/ some improvements (one of which is to make the game much, much harder but just harder is not really that interesting). Between the insipidness of the game and the foolishness of Interplay Germany CivIII & Interplay are now on my shit list alongside notables like Office 2000 vba, Hewlett Packard, and IIS FTP services.
  • Copyright (Score:3, Interesting)

    by Have Blue ( 616 ) on Tuesday December 04, 2001 @08:13PM (#2657054) Homepage
    I disagree with the argument that translating and distribution Civ 3 is not the same as translating and distributing Harry Potter. A better analogy would be the translation and distribution of only the first chapter of Harry Potter: It would not be the complete work and it may stimulate sales, but it's still a copyright violation (hence the "in whole or in part" bit in licenses).
    • I disagree with the argument that translating and distribution Civ 3 is not the same as translating and distributing Harry Potter. A better analogy would be the translation and distribution of only the first chapter of Harry Potter:

      Thats seems to me to be closer to distributing a demo of some sort. And definately a copyright violation.

      I think an even better analogy would be distributing free glare-reducing transparencies to lay over the pages and reduce eye strain and a free bookmark to help enjoy your purchase. If patches are being distributed that require the game already be installed, there should be no problem (IMHO). But the entire game with reworked languages should not be distibuted, as that would imply that every user already PAID for the game and thats just not reasonable.
    • Re:Copyright (Score:4, Insightful)

      by Tosta Dojen ( 165691 ) on Tuesday December 04, 2001 @08:31PM (#2657144) Homepage
      Except that this seems to be providing a patch, not the entirety of the translated work. In which case, only those who have purchased the full version will have the translation. Without the original work, the patch is just a useless file.

      So, an even better analogy would be a reading translator that would read the Harry Potter book to you in German. Copyright violation? No. Fair use? Definitely.

      • a reading translator that would read the Harry Potter book to you in German. Copyright violation? No. Fair use? Definitely.
        A very good analogy. If we push it a little further, we see what's wrong your your other assertions.

        Suppose Voldemort Publications sells you an PDF of Black Magic for Beginners on CD. The text is copyrighted, but that's not enough for VP. So they make you accept a license agreement that specifies that you can only read the book directly off the CD and you may not manipulate the text in any way.

        You pop the CD in your computer and discover that the text is in Ancient Etruscan. When you call up to complain, they explain that the English translation is licensed to Massively Manipulative Monopolies. No they don't know when it will come out.

        No problem. You go to the Hogwarts web site and download a translation spell. But as soon as you begin to incant Logos Anglicia! a VP legal troll appears in a puff of yellow-green smoke. He accuses you of violating the no-manipulation clause in your license agreement. You try to tell him that such a clause is unenforceable, but he just shrugs and says, "We think it will stand up in court. You're welcome to consult your own lawyer, of course."

        "This is ridiculous!" you say. "I acquired the book legitimately, and I have a right to read it."

        "Well, we have a right to maximize our return on our investment. That's why MMM is handling the English version -- they're much better at marketing to muggles than we are. Now cut it out. This agreement is enforcable in the Court of Giant Warts!"

        • EULA's are not legally binding in Germany.
          • Gee, I'll bet magic spells don't work there either ;)

            Point is that people who sell IP want to control how it's distributed. That's what drives their decision making. And the law, be it copyright, licensing, whatever, is almost always is on their side. Given the way the law is made [opensecrets.org], that's hardly suprising.

            From the POV of consumers and artists, the results are often absurd. German gamers who can't play games they've paid for is one example. Another is music and literature that you can't listen to or read because the copyright holder is sitting on it. I myself know a couple of musicians who feel damn frustrated because their work is controlled by publishers who won't release or sell it back. Unfair? Absolutely. But perfectly legal.

    • I certainly haven't read German copyright law cases like I have US, but it sure seems to me that translations have always been covered by the right to control creation of "derivative works" granted by copyright. So the only way that the translation could be legal without permission would for it to be fair use; it seems to be in trouble on the "unrelated to other copying" test, since the translator teams obviously intended that the translation be widely distributed, and it does seem to affect the copyright holder's ability to make money on their work -- presumably Infogrames pays Firaxis money for the right to translate the game; if a free translation were distributed Infogrames would have no reason to pay Firaxis that money.

      Whether suppressing "fan" works is good marketing or not is arguable, but it doesn't seem that Infogrames/Firaxis is going beyond traditional copyright (as we knew it in, say, 1970) here.
    • No, I don't think that's a good analogy. A chapter is a specific section of a book; it is just as usable as if one were to have the book and read only that chapter. Your analogy would be like releasing a fully-playble version of Doom, but limited to the first level only. (which is pretty close to what happened, but not the point...)

      A better analogy would be to offer a list of new character names and objects and where in the book these names should be inserted. The purpose, of course, would be to localize the book: the book could be cajunized-- Jonny Pottieu would be chompin' on crawfish at a charivari [charivaricajunband.com], instead of whatever harry potter ate...

      There is no copyright violation... you are replacing the text from the original program, and not distributing any byte that was in the original. The user must own the original to apply the patches to; otherwise the patches are useless.
      • Guys, translations are specifically mentioned as a form of derivative work in US copyright law; I'm not an expert on German law, so things may be different there.

        Things get a bit dodgy when you consider that anybody can translate a work into their own language in order to understand it - however, the distribution of that translation is an infringement of copyright law.

        Remember, creativity's not all in the code!
    • Re:Copyright (Score:2, Insightful)

      by janolder ( 536297 )
      I disagree with the argument that translating and distribution Civ 3 is not the same as translating and distributing Harry Potter.

      Translating and distributing Civ3 is exactly what didn't happen. The translation team created new text lookup files and offered them as a patch for the US version of Civ3.

      Had they instead offered a complete localized package for download, I'd have to agree with you. As it is, Infogrames have really ruined their reputation in this market.

    • I disagree.

      The difference between Harry Potter and a computer game is simply that with Harry Potter, the text is the product. Period. Whether that text is read on a computer screen, off of a sheet of paper or off of microfilm, the text is the product that is being sold.

      In the case of a computer game, the product is the game, which includes the text, the gameplay, the graphics, music, sound effects, what-have-you.

      In the case of someone "ripping off" Harry Potter, the "ripped-off" product would be the complete text of the book, and that's what the publisher is trying to sell. In the case of Civ3, a patch to change the language to something else is nowhere near to being the entire product. In fact, it could be argued that the actual wording of the text is not really part of the game at all - for an example of this, does the fact that a football referee calls a game penalty in Spanish make the penalty any different than if he called it in English or used sign language? The language is not the game. Since it's the game that this outfit wants to sell (though they have a funny way of promoting it, I must say) a language patch is not a violation of "their property".

      Which brings up an interesting point. If I am paying my money for "their property", then why can't I do what I want to with it? If I pay money for any other kind of property I'm allowed to do what I choose with the product that I've purchased. Computers are about the only industry where the business revolves around "You pay for my product but I still own it."
    • Translating and distributing the first chapter of Harry Potter would only be a copyright violation if you were selling it. Otherwise there's a pretty clear case for fair use.

      However, software is treated differently. Bad analogy, but still a valid point if they're actually distributed a full translated copy of Civ3. If they're just distributing a patch, as some have said, than I'd say that puts infogrames on shaky ground unless France has a DMCA-type law that prevents reverse-engineering of any sort.

  • See? Valve and Sierra knew what they were releasing. They knew they could either make thousands of hard working, dedicated, skilled programmers, artists, geniuses into either heros or criminals. Back in the day, I actually just copied Half-Life from a friend. But when I started playing things like TFC and Counter-Strike (mods that could have been made illegal by Sierra/Valve if they wanted to), I ran out and bought a copy, because it was cool. I wish I would have pirated Civ 3 now, they're just being stupid about the whole mess. How could they make a profit from it other than by selling Civ3 in other countries at a much higher price than they're selling it here?
  • Securing OpenSSH (Score:5, Informative)

    by krogoth ( 134320 ) <slashdot@@@garandnet...net> on Tuesday December 04, 2001 @08:19PM (#2657089) Homepage
    Keeping up to date with the latest OpenSSH releases always helps, but if you want to put an end to those SSH1 attacks (which can affect OpenSSH 2 and above in some cases, and may do so again in the future), add this line to your sshd_config (in /etc or /usr/local/etc):

    Protocol 2

    This will deny all SSH1 connections and force everyone to use SSH2 to connect.
    • SSH 2 (Score:2, Interesting)

      by Jaeger ( 2722 )
      Maybe someone can explain this to me, because it doesn't make any sense. Whenever I try to make a ssh2 connection and the server can't reverse-dns my host, it refuses to authenticate me, regardless of whether I supply the correct keys or passwords. My (minimal) survey seems to indicate that this is construed as a "feature". what's up?
      • There's probably an option for that, check the manpages and manual.

        But I have to slow down now and not be informative more than once every two minutes...
      • Re:SSH 2 (Score:3, Interesting)

        by osu-neko ( 2604 )
        A lot of people are under the mistaken impression that this is a useful security check. In fact, it means jack-diddly-squat, as (a) DNS is not a security protocol, so a positive result on this test means nothing, and (b) half the ISP's in the world can't get reverse-DNS set up correctly, so a negative result also means nothing.

        If you have known incoming IP's, I believe adding them to /etc/hosts fixes the problem. Complaing to your ISP may help, but if your ISP's DNS admin has a clue, he'll probably point out that this is a really stupid test to be performed to begin with so he doesn't consider it a high priority to fix things on his end so it'll work, but he may get around to it eventually...

    • Unfortunately, it also blocks all Debian users. At least it looks like somebody *finally* packaged ssh2 for woody (ironically, a few days after I last checked for the packages, from the time stamps). Even ssh3 is now listed.
      • To the best of my knowledge, there is no SSH 3 protocol (although I could be wrong). AFAIK, OpenSSH 3+ only supports protocol 1 and 2, so don't be mislead by the version. If you want to support less secure methods, that's your choice (note that OpenSSH is available in source tarballs).
      • umm, there have been current openSSH packages in unstable for a long time.
      • Re:Securing OpenSSH (Score:4, Informative)

        by gorgon ( 12965 ) on Tuesday December 04, 2001 @09:48PM (#2657458) Homepage Journal
        Unfortunately, it also blocks all Debian users. At least it looks like somebody *finally* packaged ssh2 for woody
        Uhm, you're kind of confused. The main ssh packages in Debian are:
        • ssh [openssh.com] - OpenSSH port of BSD's version of ssh that branched off the last free version of ssh put out by ssh's original developers. It has supported ssh protocol version 2 since roughly August of 2000, and versions supporting ssh2 made it into Debian soon there after. Currently version 3.01p is in Debian, and I think its pretty much equivalent to to the non-free ssh3.
        • ssh-nonfree [ssh.com] - non-free version of ssh from its original developers. It only supports ssh protocol version 1.
        • ssh2 - Version of ssh supporting ssh protocol 2 from the makers of ssh-nonfree. License is more restrictive than ssh-nonfree's license.
        • ssh3 - As far as i can tell its not packaged yet. Is the license more restrictive than ssh3? Regardless, there is no ssh protocol version 3.
        Anyway, Debian has had ssh protocol version 2 support for a long time,.
      • Answering everyone at once, when I do "apt-get update; apt-get upgrade" I still get (open)ssh 1.2.3.

        Installing "unstable" is *not* an option at many (most?) sites. You install an unstable package on a live server, you die. Or at least you lose all root access on the live servers. The problem isn't any single unstable package, it's their tendency to pull in other unstable packages. This can get out of control real fast.

        Even installing from pool is problematic, but usually acceptable since you're compiling it locally and can avoid creeping dependencies... but some Debian tools require Perl 5.5 which breaks stable systems. If you're willing to devote a system to unstable, you might be able to create an installable package... but this is not something Joe User is going to be able to do.

        So I stand by my point. If you require SSH protocol 2 (supported by OpenSSH 2.x and 3.x), you will knock out most Debian users until either Woody is released or somebody takes a honking big clue-stick at the appropriate Debian maintainers and openssh 2.x is released as a Potato security bug-fix.
        • Well, you should say what you mean then. You said:
          Unfortunately, it also blocks all Debian users.
          When you really meant that it blocks all Debian potato users who haven't manually updated ssh. This is quite different from what you said.
  • by mwillis ( 21215 ) on Tuesday December 04, 2001 @08:21PM (#2657095) Homepage
    If you are worried about your machine being out of date, just do this:

    % telnet 127.0.0.1 22
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    SSH-1.99-OpenSSH_2.9p2

    if you see OpenSSH before version 2.3, you may be vulnerable (iff you have fallback to ssh1)
  • Things were much more fun with the original Civilization. You had to search through and patch the executable file, instead of editing a text file. And the data format wasn't exactly documented either.

    Ah, for the days of 0/99/32 settlers...
  • by Tsar ( 536185 ) on Tuesday December 04, 2001 @08:27PM (#2657121) Homepage Journal
    Is it running on a tower server?
    The enemy is [at the] Gates!
    Is HRH trying to upstage Diana's famous crash?
    I'd have thought QE version II wouldn't have this bug.
    Wait until they cut her off after three Windows Product Activations.
    Already /.ed? See, royal inbreeding does cause DNA problems.

    And finally...
    "Your highness, the people have no open source..."
    "Well, let them run DRDOS!"
  • where the config files are slightly different than on other unixes:

    1. log in to Mac OS X as an admin user
    2. navigate to the /Applications/Utilities folder and open Terminal
    3. type sudo perl -i.bk -p -e 's/#Protocol 2,1/Protocol 2/g' /etc/sshd_config at the shell prompt and enter the admin user password when prompted
    4. type sudo perl -i.bk -p -e 's/2,1/2/g' /etc/ssh_config
    5. type grep SSH /etc/hostconfig to determine whether SSH is enabled on your machine
    6. if the response is "YES", type sudo kill -HUP `cat /var/run/sshd.pid` to restart it
    7. Quit the Terminal program
  • ...@Homelessness?

    I know the joke's been made, but come on, it would have been so easy do add it to the title!
  • by The Bungi ( 221687 ) <thebungi@gmail.com> on Tuesday December 04, 2001 @08:29PM (#2657135) Homepage
    Color me silly here and all, but most of the time the teeming masses are not criticizing Microsoft for releasing a buggy web server they're banging on the IIS SysAdmins for not patching their systems. And here we have 30% of all scanned SSH servers wide open due to a dumb bug that has been documented for ages and ages?

    C'mon guys. Either clean up your act or stop being the first ones to throw the stone.
    • A fair point... but SHH doesn't seem to get BugTraq'ed every week... pity about IIS. Although I'm runing XP on my laptop and I've only had one crash in two months. I do admittidly reboot it every week or so when I'm playing around with stuff or I want some 'puter free peace. (oh and I run apache instead of IIS, IIS is evil...)
    • Which message are you replying to, or are you just trolling?

      I see no double standard here (if you do, again, please point out which message). I always complain about sysadmins who don't install the latest security patches, regardless of OS. If it appears I complain about IIS sysadmins more than Unix sysadmins, it's only because I get that opportunity more often...

      apt-get update && apt-get upgrade regularly (assuming you have security.debian.org in your sources.list, of course -- naturally I'm assuming you use Debian... :)

      • ). I always complain about sysadmins who don't install the latest security patches, regardless of OS. If it appears I complain about IIS sysadmins more than Unix sysadmins, it's only because I get that opportunity more often...

        No, I'm not trolling. And no, you obviously did not get the point I was trying to make. And I wasn't thinking about you specifically, so calm down or you're going to pop a coronary. Or something.
        • I got your point just fine, you seem to have missed mine. If you want to complain about some people's posts, reply to their posts at that time. Since you weren't doing that, just complaing in general, I would have to say I don't believe you when you say "no, I'm not trolling". Wait until someone actually does something to complain about before complaining, and then you won't be a troll...
    • Yeah, you're silly.

      repeat after me:

      Sysadmins have to patch their systems.
      Sysadmins have to patch their systems.
      Sysadmins have to patch their systems.
      Sysadmins have to patch their systems.
      Sysadmins have to patch their systems.
      Sysadmins have to patch their systems.
      Sysadmins have to patch their systems.
      ....

      (Of course, Microsoft would rather we not know when this has to happen, where as Red Hat has been sending me advisories ever since I installed their distro.)
    • 30%, while a lot, is still am minority. I'd like to see some numbers on unpatched IIS servers. As for casting the first stone... my servers stay patched, I'll say what I goddamned well want to.
    • It would have helped if the advisories had said that ssh1 had an exploitable bug instead of saying that there was a purely theoretical way in which sessions might become transparent. Sometimes you don't go messing with your only means of getting into a given box when you don't think you have a reason. Six months later CERT mentioned ssh1 exploits picking up, but by then a person can lose track of which version is safe.

      Yea, I got hit and lost some serious time and money. It was undoubtedly my fault. But it's not entirely black and white. Not all that far off, but not entirely.
  • The site www.whitehouse.gov is running unknown on Linux.

    I like it...
    • And Netcraft also says that www.whitehouse.com is running Apache on BSD.

      Not that any of whitehouse.com's visitors care or anything...
    • That's interesting, especially when you consider that the Bush campaign ran IIS. Of course they probably just inherited the contract for the Whitehouse server from the previous admin. It's hosted by Akamai, so it's possible that the administration didn't make any decision about the OS at all.

      As for the Queen, well... she traded in her fancy Sparc hardware for x86 boxes and got tired of Linux. So, if you are in that situation and you want something that's nothing like Linux, what do you choose? Windows.

      That in itself is interesting--if people dump Sparc hardware for Linux x86 boxes and then sour on the OS, what will they do? Install Windows.

      So, once again, commercial *NIX vendors are the biggest losers to Linux, not MS.

  • Civ 2 and Civ 3 (Score:3, Interesting)

    by proxima ( 165692 ) on Tuesday December 04, 2001 @08:42PM (#2657196)
    I don't think the cease and desist order prevents innocent modification of components that Firaxis intended for people to make and distribute. I don't have Civ III (yet), but Civ II was purposely designed so that it could be easily modified by fans. It also included a map editor - I can't imagine that Civ III is any different, but perhaps an owner of the game would like to comment.

    Things like rulesets were laid out in simple configuration text files, so that patches could be applied to change the nature and look of the game - right down to individual units and map squares. Civ: CTP 2 (a game I own) also has easily moddable rulesets (the game is so buggy you simply MUST install Apolyton's patch).

    Beating down on fans and modding is stupid , the most successful games are those that have been modded (Halflife, StarCraft). Until I see firm evidence of something other than this translation case, I still want Civ III and will enjoy playing it.

  • Those communist swine have gone too far attacking her Royal Highness

    George W. Bush
    We cannot tolerate this kind of mass terrorism. The threat of global "E-terrorism" must be eradicated before it takes hold

    Tony Blair
  • Currency..... (Score:1, Offtopic)

    by BLAG-blast ( 302533 )
    I feel like I've found Taco posting alias....

    Honestly, did anyone
    really expect the EU to go through with it? It took them long enough
    to agree on a common currency!


    and North America (Canada, Mexico & USA) has
    how many currencies.....

    • 3

      and we don't claim to be using the same currancy.

  • Actually, they have changed ISP. Check out the netblock owner section of the Netcraft survey, the change in operation system happens at the same time as the change in ISP backbone.
  • by Jon Chatow ( 25684 ) <slashdot@jdforrester.org> on Tuesday December 04, 2001 @09:11PM (#2657326) Homepage
    ... is that the site is no longer an internal government one (i.e., one handled by the CCTA), but has been contracted out to the combined developers (such is said in the FAQ in the site, wherever that is), and is now hosted on the UK branch of PIPEX, sorry, UUNET. This can be seen on this [netcraft.com] ppage. All CCTA sites [netcraft.com] are still hosted on *NIX systems, as you can see.
  • by Grond ( 15515 ) on Tuesday December 04, 2001 @09:16PM (#2657345) Homepage
    Well, as much as www.royal.gov.uk may have turned to Win2k and IIS, www.parliament.uk is runnning...Microsoft-IIS/4.0 on Solaris???
    Even more bizarre is that site's history:
    Solaris
    Microsoft-IIS/4.0
    13-Sep-2001
    194.60.38.75
    Houses of Parliament

    NT4/Windows 98
    Microsoft-IIS/4.0
    2-Apr-2001
    194.60.38.75
    Houses of Parliament

    Solaris
    Microsoft-IIS/4.0
    4-Jan-2001
    194.60.38.75
    Houses of Parliament

    BSD/OS
    Microsoft-IIS/4.0
    2-Nov-2000
    194.60.38.75
    Houses of Parliament

    So, not only does Parliament seem to like changing their minds (sometimes radically) every few months, they also like using impossible combinations of OS and server. Hmm....maybe it's symbolic of something...(just kidding!)
  • Neither the move to linux nor the move to IIS should be news. People continue to use what works best for them, as they have for the past 40,000 years or so.

    Move along, nothing to see here.

    -Legion

  • Okay - so I had slacked and wasn't sure if I was up to date with my patches. I read the Razor link above and if you're lazy like I am here's the meat (and this isn't fscking redundant, there's like 30 links above):

    ** Vulnerable:

    SSH 1.2.24 - 1.2.31 (ssh.com) -- all versions to date of release of this advisory

    F-SECURE SSH 1.3.x -- all recent releases

    OpenSSH prior to 2.3.0 (unless SSH protocol 1 support is disabled)

    OSSH 1.5.7 (by Bjoern Groenvall) and other ssh1/OpenSSH derived daemons

    ** Not vulnerable:

    SSH2 (ssh.com): all 2.x releases NOTE: SSH2 installations with SSH1 fallback support are vulnerable

    OpenSSH 2.3.0 (problem fixed)

    SSH 1.2.32 (ssh.com, released 10/22/2001)

    SSH1 releases prior to 1.2.24 (vulnerable to crc attacks)

    Cisco SSH (own implementation)

    LSH (SSH protocol 1 not supported)

    ** Other SSH daemons: not tested

    To test your server, do this:

    $ ssh -v -l `perl -e '{print "A"x88000}'` localhost

    if you get a seg fault like below, you need to upgrade:

    Program received signal SIGSEGV, Segmentation fault.
    0x806cfbd in detect_attack ( ..., len=88016, IV=0x0) at deattack.c:138
    136 for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;

    Now, happily for me, I didn't have this problem. This is good since I'm logging in remotely to my box in California from Spain, VIA SSH!! I'm an idiot as I've also shut off Telnet and if it DID segfault, I would've been completely screwed.

    -Russ
  • Another good tip with the ssh holes, and as a general priniciple, is to restrict IPs that are allowed to connect to port 22 (or wherever you run sshd) at the firewall.
  • by John Hasler ( 414242 ) on Tuesday December 04, 2001 @11:24PM (#2657887) Homepage
    "To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool."

    Which apparently just checks the version number and will therefor falsely identify Debian stable machines as vulnerable despite their being up to date on security patches.
  • I think their position is that people are creating and distributing a German translation of English content that is copyrighted by them. That seems like a valid point to me, and it is probably enforceable under copyright law.

    You may still be able to make other modifications to their software and distribute the patches, whether they like it or not.

    Of course, instead of contributing to a commercial game without getting compensated for your work, why not just contribute to FreeCiv or similar games? Civilization itself seems mostly like a clone of older games anyway.

  • Clearly, Microsoft marketting saw this move to Linux as a major threat just as they did with the city of Largo in Florida. This time, they got through... who knows how they got past the "price/performance" issue though... (maybe they paid the guy off)

    Anyway, I'm sure there are enough vigilantes out there who will be targetting this IIS implementation eh? Hehehehe

    (...why do I get this creepy feeling as I write this? Ah well, I'll just take a nap... Oh yeah, disclaimer -- I don't really advocate or invite illegal activities. I'm just saying in my own way that I can see it happening.)
  • In looking at their web server history, while on Linux, their IP and Netblock Owner was consistent. When they switched to IIS and Win2K, those changed. Part of the reason for the change?

    Disclaimer: I have no idea what I am talking about.

Time to take stock. Go home with some office supplies.

Working...