GRAFFITI -- March 31 thru April 06, 2003
Welcome to Orb Graffiti, a place for me to write daily about life and computers. Contrary to popular belief, the two are not interchangeable. About eMail - I publish email sometimes. If you send me an email and you want privacy or anonymity, please say so clearly at the beginning of your message.
March 31, 2003 - Updates at 0711 EST
Good morning. Well, just to top things off nicely, and ensure that we remembered where we were (not California, that is), it snowed yesterday. It snowed most of the day. There's very little evidence of it left on the ground now, but for a while there was about 1 - 1.5 inches lying about on the grass and among my freshly planted flowers. Oh, yes. Sigh, I don't know how those are going to hold up; we'll see.
I also ran laundry (four loads), baked a pair of apple pies (a good thing to do on an icy spring day), and installed Mandrake 9.1 rc2 a couple of times. The reason for a couple of times is that the Paranoid security mode is so effective that users actually have permission to do ... nothing. When I logged in the first time, I had a basic KDE screen, but a fairly scant task bar. I thought, "How nice, they let me decide what to put there!" Then I popped the menu, and found it fallow and empty. Huh? Ah, security mode. Users don't have read permission anyplace, so can't see the basic menus and the commands. Funny. I thrashed about for a bit in there, then decided the better part of valour would be spent investigating something that works more like I expect, at least at the moment.
Busy day ahead today, with trash to get out and a drive up to Rockville in my immediate future. I'd best be about it. Have a good 'un. Go USA!!! ... Oh, Dan Bowman sent me this, I include it for your pleasure and amusement:
April 01, 2003 - Updates at 0725
Welcome to my day, All Fools' Day, the first day of National Village Idiots month. This is a special time for me, as usual. So I was merely lightly amused to see continued snow flurries off and on throughout the afternoon yesterday. I figure those are just a precursor to whatever horrid prank Mother Nature intends to play on her fool today! Then there was this link, sent by Roland Dobbins, about an important new Internet RFC:
Network Working Group S. Bellovin
Request for Comments: 3514 AT&T Labs Research
Category: Informational 1 April 2003
The Security Flag in the IPv4 Header
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
Firewalls, packet filters, intrusion detection systems, and the like
often have difficulty distinguishing between packets that have
malicious intent and those that are merely unusual. We define a
security flag in the IPv4 header as a means of distinguishing the two
cases.
1. Introduction
Firewalls [CBR03], packet filters, intrusion detection systems, and
the like often have difficulty distinguishing between packets that
have malicious intent and those that are merely unusual. The problem
is that making such determinations is hard. To solve this problem,
we define a security flag, known as the "evil" bit, in the IPv4
[RFC791] header. Benign packets have this bit set to 0; those that
are used for an attack will have the bit set to 1.
1.1. Terminology
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
document, are to be interpreted as described in [RFC2119].
2. Syntax
The high-order bit of the IP fragment offset field is the only unused
bit in the IP header. Accordingly, the selection of the bit position
is not left to IANA.
Bellovin Informational [Page 1]
RFC 3514 The Security Flag in the IPv4 Header 1 April 2003
The bit field is laid out as follows:
0
+-+
|E|
+-+
Currently-assigned values are defined as follows:
0x0 If the bit is set to 0, the packet has no evil intent. Hosts,
network elements, etc., SHOULD assume that the packet is
harmless, and SHOULD NOT take any defensive measures. (We note
that this part of the spec is already implemented by many common
desktop operating systems.)
0x1 If the bit is set to 1, the packet has evil intent. Secure
systems SHOULD try to defend themselves against such packets.
Insecure systems MAY choose to crash, be penetrated, etc.
3. Setting the Evil Bit
There are a number of ways in which the evil bit may be set. Attack
applications may use a suitable API to request that it be set.
Systems that do not have other mechanisms MUST provide such an API;
attack programs MUST use it.
Multi-level insecure operating systems may have special levels for
attack programs; the evil bit MUST be set by default on packets
emanating from programs running at such levels. However, the system
MAY provide an API to allow it to be cleared for non-malicious
activity by users who normally engage in attack behavior.
Fragments that by themselves are dangerous MUST have the evil bit
set. If a packet with the evil bit set is fragmented by an
intermediate router and the fragments themselves are not dangerous,
the evil bit MUST be cleared in the fragments, and MUST be turned
back on in the reassembled packet.
Intermediate systems are sometimes used to launder attack
connections. Packets to such systems that are intended to be relayed
to a target SHOULD have the evil bit set.
Some applications hand-craft their own packets. If these packets are
part of an attack, the application MUST set the evil bit by itself.
In networks protected by firewalls, it is axiomatic that all
attackers are on the outside of the firewall. Therefore, hosts
inside the firewall MUST NOT set the evil bit on any packets.
Because NAT [RFC3022] boxes modify packets, they SHOULD set the evil
bit on such packets. "Transparent" http and email proxies SHOULD set
the evil bit on their reply packets to the innocent client host.
Some hosts scan other hosts in a fashion that can alert intrusion
detection systems. If the scanning is part of a benign research
project, the evil bit MUST NOT be set. If the scanning per se is
innocent, but the ultimate intent is evil and the destination site
has such an intrusion detection system, the evil bit SHOULD be set.
4. Processing of the Evil Bit
Devices such as firewalls MUST drop all inbound packets that have the
evil bit set. Packets with the evil bit off MUST NOT be dropped.
Dropped packets SHOULD be noted in the appropriate MIB variable.
Intrusion detection systems (IDSs) have a harder problem. Because of
their known propensity for false negatives and false positives, IDSs
MUST apply a probabilistic correction factor when evaluating the evil
bit. If the evil bit is set, a suitable random number generator
[RFC1750] must be consulted to determine if the attempt should be
logged. Similarly, if the bit is off, another random number
generator must be consulted to determine if it should be logged
despite the setting.
The default probabilities for these tests depend on the type of IDS.
Thus, a signature-based IDS would have a low false positive value but
a high false negative value. A suitable administrative interface
MUST be provided to permit operators to reset these values.
Routers that are not intended as security devices SHOULD NOT
examine this bit. This will allow them to pass packets at higher
speeds.
As outlined earlier, host processing of evil packets is operating-
system dependent; however, all hosts MUST react appropriately
according to their nature.
5. Related Work
Although this document only defines the IPv4 evil bit, there are
complementary mechanisms for other forms of evil. We sketch some of
those here.
For IPv6 [RFC2460], evilness is conveyed by two options. The first,
a hop-by-hop option, is used for packets that damage the network,
such as DDoS packets. The second, an end-to-end option, is for
packets intended to damage destination hosts. In either case, the
option contains a 128-bit strength indicator, which says how evil the
packet is, and a 128-bit type code that describes the particular type
of attack intended.
Some link layers, notably those based on optical switching, may
bypass routers (and hence firewalls) entirely. Accordingly, some
link-layer scheme MUST be used to denote evil. This may involve evil
lambdas, evil polarizations, etc.
DDoS attack packets are denoted by a special diffserv code point.
An application/evil MIME type is defined for Web- or email-carried
mischief. Other MIME types can be embedded inside of evil sections;
this permits easy encoding of word processing documents with macro
viruses, etc.
6. IANA Considerations
This document defines the behavior of security elements for the 0x0
and 0x1 values of this bit. Behavior for other values of the bit may
be defined only by IETF consensus [RFC2434].
7. Security Considerations
Correct functioning of security mechanisms depends critically on the
evil bit being set properly. If faulty components do not set the
evil bit to 1 when appropriate, firewalls will not be able to do
their jobs properly. Similarly, if the bit is set to 1 when it
shouldn't be, a denial of service condition may occur.
8. References
[CBR03] W.R. Cheswick, S.M. Bellovin, and A.D. Rubin, "Firewalls
and Internet Security: Repelling the Wily Hacker", Second
Edition, Addison-Wesley, 2003.
[RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, September
1981.
[RFC1750] Eastlake, D., 3rd, Crocker, S. and J. Schiller, "Randomness
Recommendations for Security", RFC 1750, December 1994.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 2434,
October 1998.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, January
2001.
9. Author's Address
Steven M. Bellovin
AT&T Labs Research
Shannon Laboratory
180 Park Avenue
Florham Park, NJ 07932
Phone: +1 973-360-8656
EMail: [email protected]
10. Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
As you can see, there's much work to be done in the world today, and I have to do my part. Have a lovely day.
April 02, 2003 - Updates at 0700
Good morning. That was fun. April Fools Day is always a blast in the Free/Open world. From Gentoo modding Portage for RPM as the base package, to RMS converting to the Shared Source Initiative philosophy, there were a number of great hoots to be found. Of course there was a rinsed and reused variant on the perennial MS Buys Linux story (link sent to me by Rob Clay, a leaf on the net's tree), and then one of my favorites this year, Judge Kollar-Kotelly, revisionista:
Kollar-Kotelly stated that her earlier ruling was a mistake and that it was quote "issued after the defendant offered bribes to individuals residing within the Department of Justice..."
I also found one really good, useful link - a long comparison of applications between Linux and Windows, by category and function: The table of equivalents / replacements / analogs of Windows software in Linux. That might come in handy at your next meeting with a PHB.
It came to be that April First was also the right day for downloading Red Hat Linux 9 "Shrike" ISO images from my freshly minted (over the weekend) RHN subscription page. Monday was dreadful. Dropped connections, partial downloads that wouldn't resume properly. Today, after my strenuous half-day of work and my errands, I started pulling down all three binary ISO image files, and got 50 - 70 KBps simultaneously on all three. By about 6 it was all done and images were checksummed and burnt. I installed on Gryphon last night. There are no big differences in the installer, and I've not had a chance to do much else. More when I know more, over on LinuxMuse. I did go for a kitchen sink install, so I can explore to my heart's content.
Thanks to Dana Blankenhorn for the "Shameless Promotions" department. This particular linkage takes you to Creations by Patricia. Patty is my buddy Mike's new bride, and she does some pretty cool stuff with gift baskets, chocolate and the like. I'm told they have really interesting chocolate molds for extra-special events, too. Check it out!
Have a great day. Go USA!!!
April 03, 2003 - Updates at 0715
Good morning. I've got a busy set of days ahead. I'm installing a passel of Dell Optiplex workstations at a customer site in Gaithersburg today, Monday and Tuesday. Tomorrow I'm in Rockville setting up a Linux Bind/Apache/Postfix server. On Saturday evening, I'm doing remote updates on the servers at yet another customer site. And we've got Ebony coming to visit Sally for a few days starting tonight. I don't think I'm going to make it to my LUG meeting tonight...
David Thoraarinsson wrote in to draw our attention to the Toshiba Windows Refund petition. I've signed, as I'd really rather not pay for a copy of Windows I don't want. While that's pretty easy for me with desktop systems because I build my own, the same is not true with laptop boxen.
So, when are they going to tell us what happened with Pvt. Jessica for the last ten days, and how pissed off are we going to get when we find out? That's my question of the morning. Now to work with me. Take it easy, GO USA!!!
April 04, 2003 - Updates at 0700
Good morning. Yesterday I installed a printer and two Dell workstations onto a small corporate network, transferring data and settings from old machines to new. Don't let anyone fool you - a new Windows box is certainly no less work than a new Linux box; it's more. This is exacerbated by some user data being in one place, some in another. The "C:\Documents and Settings" directory is a giant stride in the correct direction, but many programs continue to keep data in their own tree. Witness Netscape. Witness Eudora. Okay, enough whining.
Now I've got to finish my coffee, post this, and head off to Rockville. Have a great day - Go USA!!!
April 05, 2003 - Updates at
Good morning. In yesterday's Clue, Dana Blankenhorn wrote:
It is time we admit a profound and disturbing truth. It is no accident that politics in the age of the Internet has become increasingly angry, intolerant, and caustic. We no longer live in a shared experience. We live individual experiences, and share only according to our prejudices.
How do we change this?
So, um, I'm sorry, but this is profound? He's surprised? I mean, really. Look at history. Life with homo sapiens sapiens is about conflict. Full stop. When has it ever been otherwise except in some hash poisoned minds here and there? Sure, it's nice to hope for more but you'll note that the most noise, heat and light is generated by people who are against something, not people who are for something. Being against a thing is what brings people together. It's you and me against the world, kid...
That's why we really need to find life somewhere else in the universe. Then we can all be against the same thing. Then we'll have peace among each other. Now if the other guys have a handy-dandy solar exploder ray, or can fire off a local gamma burster (or just have a foot to drop on us) then we're all toast anyway, but at least we'll be at peace with one-another.
These days it is apparently fashionable to be against one's own government. Unless your own government is oppressing you, in which case you are against whoever it seems politic to be against at the moment. I do believe that the Iraqis are happy to see us, as long as we're looking. If we look away, and Ba'ath stays in power, those people are going to be hurting. We can't turn our backs now. Meantime we have people who are so adamant about their anti-war stance that they can disrupt businesses, and block roads, as well as miss that little point. I say, behave like a speed bump, be treated like a speed bump.
I vote in the voting booth. I support my President, I support our troops. As Jerry is wont to say, whether or not we should be there, being there we should do what we came to do. If I think, come time to vote again, that the bums need to go, then I'll speak my mind and vote my heart. As it is, I think we're doing the right thing. This is my freedom of speech.
Looking at the headlines in the New York Times, I keep going back to just one question: When did the news stop being the news, and start being the opinion? How you present your headline is how you slant your story. The neutral headline could have read: Bush Authorizes Tear Gas Use In Baghdad. Or if the powers that be wanted a positive bias on the topic, then they could say Bush Hopes To Save Civilian Lives Using Tear Gas. But the headline reads: U.S. Use of Tear Gas Could Violate Treaty, Critics Say. Now that the tone has been set, let's see how many people we can affront. Sigh. Sure, it is possible that tear gas violates the letter of the Chemical Weapons Convention. But honestly, anything that allows the military to accomplish their goal with less loss of life, and less destruction of infrastructure can certainly more easily be interpreted as a positive measure, a "civilized" method... unless your goal is criticism at the expense of credibility. Moron alert at the Times!
So what's the difference, you ask, between the XFree86 nv driver that comes with XFree's 4.3 release, and the binary driver from NVidia? I just asked the same question, because I'd noticed that in the last couple of days, running the XFree driver, I'd had no screen lockups. Now, that's a good thing, but there's no 3D acceleration of recent NVidia chips outside of their own binary/proprietary driver. So I popped up a terminal window and ran glxgears. At its default size, I was getting just a shade over 1200 frames every 5 seconds. 240 fps isn't too shabby, although that was a small window. At full screen size, it dropped to just 14 fps. That's a bit jumpy, even for these groggy eyes.
Then I emerged the 4349 revision driver and GLX library via my usual Gentoo sources. I made the appropriate modification to my XF86Config-4 file (changing "nv" to "nvidia"), and ran the opengl-update utility to change over to NVidia. Then I restarted X and KDE. A rerun of glxgears yielded over 11000 (that's 1.1 *10^4) frames every five seconds, nearly 2200 fps. WHOA!!! Even with the glxgears window maximized to full screen, I was still getting 130 fps. Yes, that's at my normal screen resolution of 1600x1200. Pretty sweet. Over the next day or two, I'll pay attention to how it affects the stability of my system. I'll let you know.
It's supposed to rain today (and it did overnight as well), I've got chores and errands to do, then I need to decide what Linux version I'm going to run as primary on Gryphon for a while. Gentoo's been working great for me, and I will continue to use it here on the desktop. But for the laptop, maybe it's time to exercise the latest Red Hat release for a while. See you around, have a fun weekend and Go USA!!!
April 06, 2003 - Updates at 0845
Good morning. Today's guest head depicts Douglas Hofstadter, Cognitive Scientist and author, among many other professions. Professor Hofstadter wrote one of my favorite non-fiction works: Gödel, Escher, Bach: an Eternal Golden Braid. Looking at the links between Logic, Computation, Mind, Art, Music and many other fields, GEB is an important work, and forces me to think hard about new connections and concepts each time I read it. Among his other works is another that reached out and grabbed me, at least in parts. The Mind's I, a collection of essays on the topic of self, perception and consciousness, edited and commented upon by Hofstadter and Daniel Dennett, Professor of Philosophy at Tufts. Recommended reading, both. Hofstadter also wrote a column for a number of years for SciAm, following the departure of Martin Gardner. High geek factor oozing around the edges of this love fest, can you tell...?
Well, Sally is staying photogenic, and this weekend we've got her friend Ebony over visiting. Here are a few recent Sally snaps for those of you that like seeing our mutt:
In addition, Spring is in the air. We're getting the occasional rain shower a couple of times a day, it seems. But the trees are all in bloom, and allergens fill the air...
Roland Dobbins sends over one of the latest security vulnerability announcements, this time for Seti@Home. Since it's likely that at least some of you are running the client, you can go read the advisory on Berend-Jan Wever's page, and head over to the Seti@Home site to download a new client version.
I was fortunate enough to have a little chat with Moshe last night, too, and I got to anguish as I sent him over to Fry's to pick up a couple of small machines for a micro-cluster. I miss Fry's. Really I do. I suppose that it's time to get into the day. Have a good un... Go USA!!!
Visit the rest of the DAYNOTES GANG, a collection of bright minds and sharp wits. Really, I don't know why they tolerate me <grin>. My personal inspiration for these pages is Dr. Jerry Pournelle. I am also indebted to Bob Thompson and Tom Syroid for their patience, guidance and feedback. Of course, I am sustained by and beholden to my lovely wife, Marcia. You can find her online too, at http://www.dutchgirl.net/. Thanks for dropping by.
All Content Copyright © 1999-2003 Brian P. Bilbrey.