Thursday, Debtember 01, 2005
Yet more thoughts on spam
Last month I switched email clients from Thunderbird to mutt (I found Thunderbird to be too sluggish but that's a story for another entry) and configured our primary email server to forward my mail directly to my workstation, where procmail can then filter it.
So now I can burn through mail in about half the time it used to take me.
I get a ton of email, most of it from the various servers (from root mostly) and most of that is generated by the mail system itself, informing me that it's found, yet again, another email infected with a virus (oh, easily 500 a day) or it couldn't deliver a message (another 500 a day easy) or the multi-thousand line output of logwatch (each easily 15,000 lines of summary per day).
So it was a simple matter to set up procmail to filter the messages (and say, automatically delete the virus warnings—I tried turning that off on the servers themselves, but … well … control panels and hidden configuration files and I'm stuck getting them even though I don't care for them). Now, since our mail goes through a dedicated spam filtering system and can mark emails as spam, I thought it would be a good idea to simply delete those upon receipt as well.
Only I kept receiving emails marked as spam.
31 N Dec 01 trespassers@gre ( 306) [SPAM] Breaking News
Puzzled, I moved the procmail configuration to delete such marked spam:
:0:
* ^Subject: .*SPAM.*
in-TRASH
to the start of my .procmailrc, and yet, I still get the emails. I bumped up the verbosity of logging, and yes, some of it was actually being caught and trashed, but not all of it.
What the heck?
In mutt I see:
From: <trespassers@greenoblivion.com>
To: <apache@XXXXXXXXXXX>
Subject: [SPAM] Breaking News
Date: Thu, 1 Dec 2005 22:49:10 +0200
But when I checked the actual raw email message …
From: <trespassers@greenoblivion.com>
To: <apache@XXXXXXXXXXX>
Subject: =?ascii?B?W1NQQU1dICBCcmVha2luZyBOZXdz?=
Date: Thu, 1 Dec 2005 22:49:10 +0200
That funky subject line? A form of MIME encoding for email headers (an RFC 2047 “encoded word”). In this case, the subject line uses the US-ASCII character set and is encoded as base-64. procmail knows nothing about MIME encodings. It's looking for “SPAM” in the subject line and not finding it.
Well now …
Obviously, I can add
:0:
* ^Subject: =\?.*\?W1NQQU1dIC.*
in-TRASH
(“[SPAM]” encoded as base-64) to my .procmailrc file, but is there a better way?
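The decoding step procmail lacks, as an added Python example (not code from the original post): it decodes RFC 2047 encoded-words with the standard library's email.header.decode_header, shows that a raw-text match misses the base64 subject quoted above while a post-decode match catches it, and adds an X-Decoded-Subject: header so an ordinary procmail regex can match on it. The sample subjects are constructed; the X-Decoded-Subject header name and the idea of running this as a filter recipe are this example's own choices.

```python
import re
from email import message_from_string
from email.header import decode_header

# Constructed sample Subject values for this example (not from a real mailbox).
# The second one is the exact encoded-word form quoted in the post:
# "[SPAM]  Breaking News" (note the two spaces) in US-ASCII, base64.
SAMPLE_SUBJECTS = [
    "[SPAM] Breaking News",
    "=?ascii?B?W1NQQU1dICBCcmVha2luZyBOZXdz?=",
    "=?utf-8?Q?=5BSPAM=5D_Cheap_watches?=",
    "Meeting notes for Thursday",
]

SPAM_TAG = re.compile(r"\[SPAM\]")


def decode_subject(raw: str) -> str:
    """Decode any RFC 2047 encoded-words in a header value to a plain string.

    decode_header() returns (chunk, charset) pairs; chunks are bytes when the
    header contained encoded-words, or a str when it contained none.
    """
    pieces = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "us-ascii", errors="replace")
        pieces.append(chunk)
    return "".join(pieces)


def raw_match(raw: str) -> bool:
    """What the recipe '* ^Subject: .*SPAM.*' sees: the undecoded header text."""
    return "SPAM" in raw


def decoded_match(raw: str) -> bool:
    """Match the tag after decoding, so the transfer encoding cannot hide it."""
    return SPAM_TAG.search(decode_subject(raw)) is not None


def add_decoded_subject(message_text: str) -> str:
    """Return the message with an X-Decoded-Subject: header added.

    Meant to run as a procmail filter recipe that pipes the whole message
    through this script; a later recipe can then match the decoded header
    with an ordinary regular expression.
    """
    msg = message_from_string(message_text)
    msg["X-Decoded-Subject"] = decode_subject(msg.get("Subject", ""))
    return msg.as_string()


if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(f"{subject!r:48} raw={raw_match(subject)!s:5} decoded={decoded_match(subject)}")
```

Saved as a script and invoked from a filter recipe (`:0 fw` followed by `| python3 decode-subject.py`), each message picks up the decoded header before the rest of .procmailrc runs; the delete recipe then matches `^X-Decoded-Subject:.*\[SPAM\]` regardless of which charset or encoding the sender's system chose for the Subject line.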
Sure, Bayesian filtering is pretty cool, but I still think that a few simple heuristics in place would help just as much.
One idea: check the character encoding of the incoming email. In my case, if it isn't US-ASCII, ISO-8859-1 or UTF-8 (oh, might as well include WINDOWS-1251 for those unfortunate friends that are abused by Microsoft), then discard it. It doesn't matter if it's legitimate email if I don't understand the language it's written in.
Now, with ISO-8859-1, UTF-8 or WINDOWS-1251, I still might not be able to read the message (since ISO-8859-1 and WINDOWS-1251 cover western European languages like French and German, and UTF-8 covers just about all written languages), but my second idea should take care of that.
Second idea: spell check the incoming email.
No, seriously.
Take this bit of spam I received today:
lt is really hard to recollect a company: the market is full of sugqestions and the information is overwhelming; but A GOOD CATCHY LOGO, STYLISH STATlONERY and OUTSTANDING WEBSIT E wilI make the task much easier.
We do not promise that having ordered a loqo your company wiIl automaticaIly become a worId Ieader: it is quite clear that without good products ,effective business orqanization and practicable aim it will be hot at nowadays market; but we do promise that your marketing efforts will become much more effective.
Twelve spelling errors (and one punctuation error, which I marked but am not counting in the following statistic) for a 14% spelling error rate. And if the email is in a different language, the spelling error rate will easily go past 95%. So, if the number of misspelled words exceeds say, 70%, delete it, and if it's above say, 5% (hey, we all make mistakes sometimes) mark it as possible spam.
This would definitely piss off the V1@gr@ pushers.
Third idea: Unless whitelisted, delete any email that contains any type of attachment (well, for me at least).
And this is before explicit filtering, Bayesian or otherwise.
I wonder just how hard something like that would be to write …
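The three heuristics above (charset whitelist, misspelling rate with the 70%/5% thresholds, attachment drop unless whitelisted) implemented together, as an added Python example, not code from the post. The word list and the five sample messages are constructed for the example; a real filter would load a system dictionary instead of the toy one here.

```python
import re
from email import message_from_string
from email.message import Message

# Charsets the post is willing to read; anything else is discarded.
ALLOWED_CHARSETS = {"us-ascii", "ascii", "iso-8859-1", "utf-8", "windows-1251"}

# Thresholds from the post: above 70% misspelled -> delete, above 5% -> flag.
DELETE_RATE = 0.70
FLAG_RATE = 0.05

# Toy word list constructed for this example (a real filter would load
# something like /usr/share/dict/words).
DICTIONARY = set("""
a an and are attached for from here in invoice is it meeting of on one
ready report thank the this thursday to two we you your
""".split())

# Constructed sample messages.
PLAIN = """From: alice@example.net
Subject: meeting
Content-Type: text/plain; charset=us-ascii

The meeting is on Thursday and the report is ready.
"""

TYPOS = """From: bob@example.net
Subject: meetng
Content-Type: text/plain; charset=utf-8

The meetng is on Thursday and the reprt is ready.
"""

GIBBERISH = """From: nobody@example.org
Subject: hi

Xqzv jjkl wpqr tttb mmnn ghjk the
"""

FOREIGN_CHARSET = """From: nobody@example.org
Subject: hi
Content-Type: text/plain; charset=koi8-r

(text in a charset the filter owner cannot read)
"""

WITH_ATTACHMENT = """From: carol@example.net
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

The invoice is attached.
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def tokenise(text: str) -> list:
    return [w.lower() for w in re.findall(r"[A-Za-z']+", text)]


def misspelling_rate(text: str) -> float:
    """Fraction of words not in the dictionary; 0.0 for an empty body."""
    words = tokenise(text)
    if not words:
        return 0.0
    return sum(1 for w in words if w not in DICTIONARY) / len(words)


def charsets_of(msg: Message) -> set:
    found = set()
    for part in msg.walk():
        cs = part.get_content_charset()
        if cs:
            found.add(cs.lower())
    return found or {"us-ascii"}  # no charset declared means plain ASCII


def has_attachment(msg: Message) -> bool:
    return any(part.get_content_disposition() == "attachment" or part.get_filename()
               for part in msg.walk())


def body_text(msg: Message) -> str:
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "us-ascii", errors="replace"))
    return "\n".join(chunks)


def classify(raw_message: str, whitelisted: bool = False) -> str:
    """Apply the three heuristics in order; returns 'delete', 'possible-spam' or 'ok'."""
    msg = message_from_string(raw_message)
    if not charsets_of(msg) <= ALLOWED_CHARSETS:
        return "delete"                       # first idea: unreadable charset
    if has_attachment(msg) and not whitelisted:
        return "delete"                       # third idea: attachment from a stranger
    rate = misspelling_rate(body_text(msg))   # second idea: spell check
    if rate > DELETE_RATE:
        return "delete"
    if rate > FLAG_RATE:
        return "possible-spam"
    return "ok"
```

The charset test runs first because it needs no body parsing at all, and the spell check runs last because it is the most expensive of the three; on a real mailbox the dictionary lookup would also have to tolerate proper names and quoted text, which is why the post treats the 5% band as "possible spam" rather than deleting outright.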
Friday, Debtember 02, 2005
One obscene car
I just came across a most obscene production car.
It's a stylish looking car, like something The Batman would drive. A one thousand horsepower 8 liter W-16 engine (that's two V-8s merged into a single block) that can accelerate from 0 to 60 mph in just three seconds. Acceleration slows down a bit after that, since it takes 14 seconds to hit 180 mph (and not the 9 seconds a straight linear acceleration would predict). But give it a few more seconds and you'll top out at 250 mph, complete with your own personal police escort.
But the Bugatti Veyron comes with a price. A rather steep price, and this is where it gets obscene (as if a 1000Hp 8 liter W-16 isn't obscene enough). It's a cool $1,000,000.00 to buy (and yes, it is a production car). And if you can afford the cool one million to get the car, then you certainly can afford to fill (and refill and refill) it—at top speed you'll be burning fuel at a rate of 1.3 gallons per minute (or an effective 3 mpg).
Thirsty little car.
It'd be real fun to drive this car at perhaps 100 mph, just to get the attention of the local police. Once I get a few lined up behind me, punch the gas pedal (and assuming I don't slam into the side of a mountain) and watch as the red and blue flashers recede into the distance.
Until I run out of gas ten minutes (and forty miles) later.
And as fast as the Bugatti Veyron is, nobody can outrun a Motorola …
Monday, Debtember 05, 2005
One man's pollution is another animal's food source
As the world increasingly considers hydrogen as a potential biofuel, technology could benefit from having the genomes of such microbes. “C. hydrogenoformans is one of the fastest-growing microbes that can convert water and carbon monoxide to hydrogen,” remarks TIGR evolutionary biologist Jonathan Eisen, senior author of the PLoS Genetics study. “So if you're interested in making clean fuels, this microbe makes an excellent starting point.”
Via Robot Wisdom, Poison + water = hydrogen. New microbial genome shows how
This is really cool news, and just goes to show that for any problems we create, we're clever enough to find a solution.
Tuesday, Debtember 06, 2005
BBEdit
I just got a copy of BBEdit and I've been playing around with it for the past few hours (way too long actually). While fairly nice (and as far as I can see, those programmers that use Macs tend to use BBEdit and really like it), I do have a few gripes about it.
- The PageUp and PageDn keys don't work like I expect them to work. In my world, the PageUp and PageDn will not only page the document up and down, but move the cursor as well. It does not mean page up (or down) the document only if it extends past the visible portion of the window, and most emphatically does not mean “never move the cursor.” I page up, oh, want to type over there, hit the arrow key and hey! I'm back down a page‽
- There's no simple key sequence to enable/disable word wrap. Yes, you can enable/disable, and I suspect you can enable/disable it based upon the document type being edited, but there isn't a way to enable/disable word wrap on the fly within a document.
Okay, only two gripes.
But big ones given the way I like to work.
I do like the ability to add extensions, and they even make an SDK so you can (if you can) program your own extensions. That may be something I need to play around with.
Wednesday, Debtember 07, 2005
We're just a conduit
One of our customers sent in a ticket complaining about not receiving email:
I sent myself an email to [customer's email address at their ISP] and it came back in less than 5 secs.
I sent myself an email to [customer's email address on our server] and it NEVER came back.
What is happening?
I checked the mail logs and they didn't show anything. I then sent email to the customer's address on our server, and got the following back:
From: Mail Delivery Subsystem <MAILER-DAEMON@XXXXXXXXXXXXXXX>
To: <support@XXXXXXXXXXX>
Subject: Returned mail: see transcript for details
Date: Wed, 7 Dec 2005 12:52:12 -0500

The original message was received at Wed, 7 Dec 2005 12:52:11 -0500 from root@localhost

----- The following addresses had permanent fatal errors -----
[address to customer's ISP]
(reason: 550-[our server IP address] blocked by ldap:ou=rblmx,dc=XXXXXXX,dc=XXX)
(expanded from: <XXXXXXXXXXXXXXXXXXXXXXXXX>)

----- Transcript of session follows -----
... while talking to XXXXXXXXXXXXXXXXXXXXX.:
>>> MAIL From:<support@XXXXXXXXXXX> SIZE=1311
<<< 550-[our server IP address] blocked by ldap:ou=rblmx,dc=XXXXXXX,dc=XXX
<<< 550 Blocked for abuse. Please send blacklist removal requests to XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - Be sure to include your mail server IP ADDRESS.
554 5.0.0 Service unavailable
This is a major problem.
Basically, our customer's ISP is blocking our server because it sent too much spam towards our customer's ISP. Well, yes, because it's forwarding email, including all the spam. So of course it's going to look like our server is spamming.
I could write to XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and say that this is a shared webhosting server and that we'll filter for spam and sorry about that, but we're already filtering spam for this client (although apparently not filtering enough). And even if they remove our server, there's no guarantee that sometime in the future they won't block our server due to excessive levels of spam coming from our server (because spam never stops).
Well, I'll write to the address anyway and profusely apologize and all that, and hope they'll remove the block.
Sigh.
Thursday, Debtember 08, 2005
You almost have to root for her.
Now she hopes to retain her office on the basis that she ran her office so incompetently that you can't trust the results of the election she oversaw. Her reasoning boils down to this: Based specifically on being thoroughly incompetent, she should have her old job back.
In just about any other city, the proffering of one's own idiocy as a specific qualification for office would be laughable and ridiculous. But this is Detroit, and Currie can ask for a recount with a straight face and without embarrassment because she knows her audience well—they're the same people who took a look at her, dementia and all, and decided to put her in charge of the city's elections. Several times.
“Untitled” from The Detroit Blog
I have a soft spot for Detroit (go figure). But it's sad to see a once great city slowly become a modern ghost town (although at the rate that buildings are either torn down or burn down, there may not be much left) and the antics of the current city government aren't helping things any.
But, claiming that her opponent was fraudulently elected when she [Jackie Currie] herself oversaw the election … that's just chutzpah.
This past Detroit election reminds me of a student election at FAU years ago. The election so pissed off everybody that the Student President and Student Senate Speaker resigned. Then the Judicial Branch declared the recently held elections invalid, prompting the Student Senate to start impeachment proceedings against the Judicial Branch.
I kid you not.
I always wondered what happened to that lot. Seems they all moved to Detroit.
Sounds like someone who really loves their job
Ring.
Ring.
“Hello, this is Technical Support,” I said.
“Yes, I need to talk to the office manager,” said the person on the other end. I'm not sure if it was possible for this person to sound more apathetic.
“I'm sorry, but he's on the phone right now. Can I take a message?”
“No, I'll call back when he's available. When would that be?”
“I don't know how long he'll be on the phone.”
“You've been a wonderful help. I hope you do it more often.” Click.
You have a nice day too!
Friday, Debtember 09, 2005
Yes, I expected documentation in a man page …
So Smirk calls me up late last night. “Hey Sean,” he said. “Can you install a Radius server on such-n-such a machine. I need to get my DSL working.” We're offering DSL to customers, and as a side benefit, we're all getting DSL (from The Company) for free.
Although I didn't expect things to be quite so far along. I think my reply to Smirk was “Ack,” but secretly, I was Now? He wants it now? Although, had the roles been reversed, I think I would have demanded DSL immediately as well.
I do a search for freely available Radius servers, and the first one I come across is the GNU Radius server. I get it installed and running, despite the lack of documentation. Seriously. It's not like I could immediately buy and get the documentation right then and there, and the man pages all read like:
- NAME
- radiusd - Authentication and accounting server
- SYNOPSIS
- radiusd [-A] [-a account_dir] …
- DESCRIPTION
- Ha ha ha ha ha ha ha! You expected documentation in man format? Ha ha ha ha ha ha ha ha! Silly Mortal! Man is The Man's documentation format, and we're here to screw The Man! We use info, based on the “One True Editor” that is known as Emacs (and no jokes about it sucking up more memory than Windows lest we come in and reformat your system to the GNU Hurd). So what if the key bindings give you carpal tunnel syndrome? If it's good enough to cripple RMS then it's good enough to cripple you. So suck it up and use info.
And the info pages are a twisty maze of jargon and confusing examples (more on that later).
But at this point, I have no clue how to get a Cisco router to authenticate against a Radius server, did a quick search, found a few commands, typed them in, and locked myself out of the router (as it was attempting to authenticate my administrative logins against the Radius server).
So much for Smirk and his DSL last night.
Today I spent all day on the phone with G, our CCNE consultant (who did admit that on the Cisco test, all Radius server questions were only worth a collective two points, so even he was unsure on some of this). I did, however, realize I didn't fully finish configuring GNU Radius. You first need to explicitly tell it to listen on the network port (okay, good default for the security conscious) and tell it the IP address of the client(s) (an even better default for the security paranoid).
I was luckily able to log into the Cisco router on the console port and fix the administrative login problem so G could log in. A few hours of playing, and we could administratively login locally, but network authentications (for say, DSL) would go against the Radius server. We then saw Smirk's DSL unit attempt to log in, as smirk@example.net.
Only, I set the account up as smirk.
When Smirk changed his user ID to smirk, nothing, and I mean nothing came through. Smirk, G and I were checking both the Cisco logs and the Radius server logs, and nope. Smirk's DSL unit wasn't even making an attempt.
An hour or so later, Smirk got off the phone with either the CPC, the BRC or the BBG (yes, we have to work through at least three departments at BellSouth to offer DSL as a CLEC (pronounced “sē′‧lək”)—alphabet soup anyone?) and found out that BellSouth will only pass the authentication request if the packet has the format user@domain.
Nice.
Only I opted to configure the GNU Radius server to use the underlying Unix system authentication. Now I had to figure out how to get it to accept smirk@example.net.
I'll spare you the pain I suffered, but let me just say that GNU Radius is extremely picky about the syntax of its configuration files. And for its security consciousness about networking, it's rather stupid about CHAP authentication, where it requires the un-encrypted version of the password in the configuration file. Five hours to get:
"smirk@example.net" Suffix = "@example.net", Strip-User-Name = Yes, Auth-Type = Local, User-Password = XXXXXXXXXX
        Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = XXX.XXX.XXX.XXX
The commands? Case sensitive. Options, like the “Yes” … case sensitive and it has to be “Yes”. Commas? I can't figure out where it wants them, and where it doesn't want them. Basically, I had to make a change, then run radiusd -m c to see if it liked the configuration file, and if not, what it didn't like about it. And the examples! That further confused issues because of random indenting! In one section, I saw:
DEFAULT Suffix = ".ppp", Auth-Type = SQL, Login-Time = "Al", Simultaneous-Use = 1, Strip-User-Name = Yes
        Service-Type = Framed-User, Framed-Protocol = PPP
Somewhere else:
DEFAULT Suffix = ".slip", Strip-User-Name = Yes
        Hint = "SLIP", Service-Type = Framed-User, Framed-Protocol = SLIP
But then:
DEFAULT Hint = "SLIP", Auth-Type = Mysql
        Service-Type = Framed-User
        Framed-Protocol = SLIP
I found out that indenting isn't that important—that is, it's required, but how much isn't. And if you can figure out where commas are required and not, please tell me so I don't have to play “Hunt the Comma Location” again.
Sheesh.
But I finally got Smirk up and running with his DSL, and I'm slated to get it later this month. Woot!
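To make the Suffix / Strip-User-Name / Auth-Type = Local entry above concrete, an added Python example (not GNU Radius code, and not the post's own) that parses the entry under a simplified reading of the layout, assumed for this example only: the first line carries the user name and comma-separated check items, each following line carries reply items, and commas separate items within a line. It then simulates what the entry does with a login of smirk@example.net, and flags the two things that cost the hours described: a missing comma between two items on one line, and a Yes/No value not spelled exactly Yes or No. The password and address values are placeholders.

```python
import re

# The entry from the post, laid out as one line of check items followed by
# indented reply lines. Password and address are placeholders (192.0.2.0/24
# is the RFC 5737 documentation range).
USERS_ENTRY = '''"smirk@example.net" Suffix = "@example.net", Strip-User-Name = Yes, Auth-Type = Local, User-Password = XXXXXXXXXX
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.0.2.10
'''

# One of the confusing examples quoted above: no commas between items.
SLOPPY_ENTRY = '''DEFAULT Hint = "SLIP", Auth-Type = Mysql Service-Type = Framed-User Framed-Protocol = SLIP
'''

# Name = value with a quoted or bare value and an optional trailing comma.
ITEM_RE = re.compile(r'([A-Za-z][\w-]*)\s*=\s*(?:"([^"]*)"|([^,\s]+))\s*(,?)')
# Leading user name (quoted or bare) followed by the rest of the line.
NAME_RE = re.compile(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)')

# Items the post says must be spelled exactly "Yes" (or "No").
YES_NO_ITEMS = {"Strip-User-Name"}


def parse_items(line):
    """Parse 'Name = value' pairs on one line; report comma and case problems."""
    items, problems = {}, []
    matches = list(ITEM_RE.finditer(line))
    for i, m in enumerate(matches):
        name = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        items[name] = value
        if i < len(matches) - 1 and not m.group(4):
            problems.append(f"missing comma after {name} = {value}")
        if name in YES_NO_ITEMS and value not in ("Yes", "No"):
            problems.append(f"{name} must be exactly Yes or No, got {value!r}")
    return items, problems


def parse_entry(text):
    """Split an entry into (name, check_items, reply_items, problems)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    m = NAME_RE.match(lines[0])
    name = m.group(1) if m.group(1) is not None else m.group(2)
    check, problems = parse_items(m.group(3))
    reply = {}
    for line in lines[1:]:
        items, more = parse_items(line)
        reply.update(items)
        problems.extend(more)
    return name, check, reply, problems


def resolve_login(entry, user_name, password):
    """Simulate Suffix / Strip-User-Name / Auth-Type = Local for one entry.

    Returns the name handed to local (Unix) authentication plus the reply
    items, or None when the entry does not match or the password is wrong.
    """
    name, check, reply, _ = entry
    if name != "DEFAULT" and user_name != name:
        return None
    suffix = check.get("Suffix", "")
    if suffix and not user_name.endswith(suffix):
        return None
    local = user_name
    if suffix and check.get("Strip-User-Name") == "Yes":
        local = user_name[: -len(suffix)]   # "smirk@example.net" -> "smirk"
    if check.get("Auth-Type") == "Local" and password != check.get("User-Password"):
        return None
    return {"local_user": local, **reply}


if __name__ == "__main__":
    entry = parse_entry(USERS_ENTRY)
    print(resolve_login(entry, "smirk@example.net", "XXXXXXXXXX"))
    print(parse_entry(SLOPPY_ENTRY)[3])
```

Run as a script it prints the stripped local user and reply items for the good entry, then the two "missing comma" complaints for the sloppy one; feeding it an entry with "Strip-User-Name = yes" produces the case complaint instead of the silent mismatch the post spent five hours on.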
Saturday, Debtember 10, 2005
Still a cut-up
Same book, different cake.
When I made a cake for The Younger's birthday, at the time I asked The Older which cake he would want for his birthday. He flipped through the book and pointed to one of the boats. That was September.
Come December, and it's time for The Older's birthday. And yes, I remembered which cake he pointed out.
Amusingly, as I was making it (I was up till 6 am making the darned thing) The Younger (who's a morning person by default) came down, saw what I was making.
“Is The Older going to [visit Dad] by boat?” he asked. I made the airplane for The Younger at his birthday since he was flying to see his Dad.
“No, he's going by plane,” I said. “But he wanted a boat cake.”
“Ah.”
But at least this time, I remembered the sugar.
Monday, Debtember 12, 2005
Talk like who day?
“So I'm playing around with BBEdit—”
“How do you do that?”
“Do what?”
“Talk with links.”
“Talk with links?”
“Talk with links. You just mentioned BBEdit and I swear—”
“Swear what?”
“That I could hear the link to the BBEdit site.”
“Maybe it's because I said BBEdit with scare links.”
“You just did it again.”
“Will you stop?”
“That's just—”
“Stop!”
“But—”
“Shh!”
“But—”
“Shh!”
“Okay! Okay!”
“So I'm playing around with BBEdit (see, no ‘scare links’ this time).”
“And how do you like it?”
“It's growing on me.”
“Growing?”
“Growing. As in ‘I'm beginning to like using it’ growing.”
“But I feel a ‘But …’ in that statement.”
“Right you are.”
“So … ”
“So what?”
“So … what's the but?”
“The part of the body you sit on.”
“Funny guy.”
“Thank you.”
“No, really, what don't you like about BBEdit?”
“The PageUp and PageDown keys.”
“The what?”
“The PageUp and PageDown keys.”
“What do the PageUp and PageDown keys have to do with BBEdit? Those are keys on the keyboard.”
“I don't like the way BBEdit handles those keys.”
“What's wrong with the way BBEdit handles those keys?”
“Well, they page the window up and down—”
“I would expect that to happen with the PageUp and PageDown keys.”
“But the cursor doesn't move.”
“So?”
“So? The cursor doesn't move!”
“Why would you want the cursor to move? When I page up, it's usually to look at something.”
“Yes, but I also use the PageUp and PageDown keys to move to the next area of a file I want to edit.”
“That's what the scroll bar and mouse are for.”
“No.”
“No?”
“No.”
“Then what are the scroll bar and mouse for?”
“I don't care about the scroll bar and mouse. When I'm editing, I want to use the keyboard exclusively.”
“You're weird.”
“I'm ‘old school.’”
“That's not ‘old school,’ that's ‘dead school.’”
“Funny guy.”
“Thank you.”
“If I didn't want the cursor to move, then I'd hit the …”
“Hit the … ?”
“Oh, never mind.”
“Never mind what?”
“The ScrollLock key.”
“The what?”
“ScrollLock.”
“Does that key do anything?”
“I just tried. Nope.”
“Tried what?”
“I thought that if I hit ScrollLock, it would ‘unlock’ the cursor so it would move when I hit PageUp and PageDown.”
“But you just said the ScrollLock doesn't do anything.”
“That's right. I just tried it. Didn't you see me?”
“No.”
“You should pay attention.”
“I am. Or trying anyway. Besides, if you use the PageUp and PageDown keys to navigate, what if you want to page up and look at something and not lose your place?”
“Then I split the window in two.”
“Show off.”
“Hey, I just want my PageUp and PageDown keys to work.”
“They work.”
“Like I want them to.”
“Oh.”
“And one more thing.”
“Yes?”
“Happy ‘Talk Like Brian Michael Bendis Day.’”
“What a geek.”
“Why thank you.”
Tuesday, Debtember 13, 2005
The Buns of St. Lucy
In celebration of Lucia, Wlofie made the traditional lussekatter, a sweet bread made with saffron (which costs about ¼ the price of gold—yes, it's expensive stuff, but you don't need much). I think I enjoyed the lussekatter more than the cake I made the other day.
All I want to do is resize some graphics!
I spent way too much time last night trying to get ImageMagick installed on my Mac mini. I compiled and installed the latest version, but each time I tried using it, I kept getting:
convert: no decode delegate for this image format (jpeg)
A Google search on the error didn't prove anything conclusive. Even installing an older version didn't work (same error). The binary install of ImageMagick was useless as that's for Tiger, and apparently, I don't have Tiger but Panther (gee, whatever happened to things like version 10.4 or 10.3?).
Eventually, I was able to find a package I could install, but by then several hours had passed, and all I wanted to do was resize some pictures.
Sigh.
Wednesday, Debtember 14, 2005
Imminent Death of the Internet: mpeg @ 127.0.0.1
The [phone/TV cable] carriers are going to lobby for the laws and regulations they need, and they're going to do the deals they need to do. The new system will be theirs, not ours. The NEA principle—Nobody owns it, Everybody can use it, Anybody can improve it— so familiar to the Free Software and Open Source communities will prove to be a temporary ideal, a geek conceit. Code is not Law. Culture is not Free. From the Big Boys' perspective, code and culture are stuff nobody cares about.
That's us: Nobody.
The new carrier-based Net will work in the same asymmetrical few-to-many, top-down pyramidal way made familiar by TV, radio, newspapers, books, magazines and other Industrial Age media now being sucked into Information Age pipes. Movement still will go from producers to consumers, just like it always did. Meet the new boss, same as the old boss. Literally.
Saving the Net: How to Keep the Carriers from Flushing the Net Down the Tubes
Network Neutrality, that is, a network that just delivers the packets, stupid, with no cognizance of what app, device, or end-user generated them, is an public good that gives rise to much innovation, value creation and economic growth at the application layer. It is the single greatest factor in the success of the current Internet.
But a Network Neutrality rule, even a strong one, can fail.
http://isen.com/blog/2005/12/what-network-neutrality-rule-wants.html
If you want to help save the net, bug your provider for IPv6 today.
If you want to ensure the Net remains a free place for ideas and services - you - yes you, dear reader, must also take action. Implement IPv6 at home, and at work. Get an ipv6 tunnel and publish your AAAA records! Don't ask for permission. Just. Do. It.
One escape from the silo - ipv6
Each article is a definite must-read if you value the future of the Internet. I know that David Isenberg has been saying this for a long time on isen.blog, but it seems to be coming to a head, what with the entrenched phone and cable companies wanting to carve out the Internet in their own (incompatible) images.
And IPv6 would prevent a lot of networking problems and return us once again to a true “point-to-point” nature of the early (pre-commercial) Internet.
Monday, Debtember 19, 2005
There are some that don't know?
Just because the front page said “Inside Area51: Secret government UFO center finally exposed” I just had to get it. I mean, it's Area 51 for crying out loud. Now, on the front page it says:
THE WORLD'S ONLY RELIABLE NEWSPAPER
ALL NEW!
- SHOCKING!
- BIZARRE!
- INCREDIBLE!
and it's ALL TRUE!
[and if by now, you haven't guessed I'm talking about the Weekly World News, then you haven't been paying attention much at the supermarket checkout lanes]
Now, with such stories as The 24 Days of Christmas and Thanksgiving Attack of the Turkey From Hell you know the articles in the Weekly World News isn't real.
But that's part of the charm of the newspaper. It's so over the top (“Gal topples office building in a fit of rage”) and I'm surprised that anyone would believe anything that's reported in it.
But sadly, just inside in the lower left hand corner, just below the headline that reads “Slipper Power: Man with large fuzzy slippers creates enough electricity to heat his house,” it states:
Weekly World News articles are drawn from different sources and most are fictitious. Weekly World News uses invented names in many of its stories, except in cases where public figures are being satirized. Any other use of real names is accidental and coincidental. The reader should suspend belief for the sake of enjoyment.
Somehow, I just find that sad that such a disclaimer has to be printed.
Wednesday, Debtember 21, 2005
“OMG! You're running server software older than two days! Pwned!”
I was just given a security scan compliance report, run by XXX XXXXXXXX XXXXXXXX & XXXXXXXXXX XXXX on behalf of one of our customers, and it's rather amusing at 502 pages in length.
The security company wanted a list of everything that is even remotely associated with the customer's dedicated server that is publicly accessible via IP—stuff like name servers, mail servers and routers. Well, the customer's server handles everything except DNS and routing, so I sent along the IP address of the DNS servers and the primary router here at The Company.
The security company did their scan, and sent along their 502 page report.
Ho ho ho.
There are five levels of vulnerabilities. One and two are in the “Well, we don't like that these exist, but I suppose we'd get too many complaints if we actually recommended that people be unable to use ping or traceroute, or force people to forge WHOIS contact information” (heaven forbid anyone wanting to troubleshoot networking issues). Think I'm kidding about levels one and two? Here are some sample level one and two “vulnerabilities:”
- Web Server Supports HTTP Request Pipelining [it's part of the HTTP protocol as specified in RFC-2616]
- Mail Exchange (MX) Record Gathered from DNS Server [um … I suppose disabling of SMTP entirely might be considered a Good Thing™, given the levels of spam, but people still use email, and this is part of the SMTP specification]
- SMTP Service Detected [at level two no less!]
- DNS Hierarchy of Target DNS Server Traced [just writing about these is causing my blood pressure to escalate—is this security company on Crack or something?]
- Host Names Found [oh dear we seem to actually have DNS PTR records!]
- Target Network Information [this means The Company is listed in the WHOIS database as owning the IP address. The fact that for any given publicly routable IP address on the Internet someone somewhere owns said IP address has probably escaped this security company]
Levels three and four are in the “There exists a theoretical exploit that in reality is impossible to actually exploit, but since it does exist, and the fact that the server software you are running is older than twenty minutes old, means we don't like it and therefore you don't pass. Please upgrade immediately to the latest codebase; we don't care if it causes the server to become inoperable (actually, that's a Good Thing™)—upgrade now!” And level five is “OH MY GOD THE INFOCAPALYPSE IS NIGH UPON YOU! YOU ARE PWNED! GET AWAY FROM US YOU VENOMOUS CRETINS FOR EVEN THINKING OF RUNNING SERVER SOFTWARE THAT IS OLDER THAN TWO DAYS!”
Of course, I have issues with the report.
Okay, one of the three bazillion “vulnerabilities” on the customer's server, at level “Infocapalypse” is the following:
Title: Multiple Apache Web Server < 2.0.51 Vulnerabilities
Severity: 5
Diagnosis: There is an input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy.
A buffer overflow in configuration file parsing makes it possible for a local user to gain the privileges of a httpd child, if the server can be forced to parse a carefully crafted “.htaccess” file.
A segfault in “mod ssl” can be triggered by a malicious remote server, if proxying to SSL servers has been configured.
A potential infinite loop in “mod ssl” can be triggered given particular timing of a connection abort.
A segfault in “mod dav fs” can be remotely triggered by an indirect lock refresh request.
Consequence: An attacker may get control of the server.
(Yes, that is one “vulnerability,” by the way)
Can you say “overboard?”
We don't run IPv6 on our network. Even if we were, this would most likely cause the server to crash on startup (or at the worst, if triggered by a directive in .htaccess, crash just that child process).
We don't proxy SSL servers. Even if we were, this would just crash that particular request. Yes, it could lead to a denial of service attack, but those are rather hard to guard against anyway.
We don't have mod_dav running. And again, even if it were, it's just a replay of the above problem.
Of the two remaining “issues,” one sounds theoretical, and even if it were possible, is just a (heh—“just a”) type of denial service attack. Hard to gain control of a server that way (well, for certain values of “control” I suppose).
That does leave the last “issue,” which is a valid issue, but one that's (in my humble opinion) rather moot—if someone can place a carefully crafted .htaccess file on the server, they already have access to the server!
Um … yeah.
I would also be more impressed if the report did not contain five duplicates of this “issue.” And I don't mean because there are five different IP addresses on the server—no, this was six instances reported for a single IP address. I'm guessing that a 502 page security scan compliance report is more impressive than a mere 302 page security scan compliance report.
In fact, of the 216 “vulnerabilities” listed for the customer's server, 129 were duplicates. Sure, some of them are interesting, but the sheer repetition (and the silliness of some of them) lessens the impact for me. It makes reading the report rather tedious, which in my mind, lessens the worth of this 502 page report.
I just hope Smirk can calm down the customer.
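The duplicate counting and severity triage that would have made the 502-page report readable, as an added Python example written here rather than taken from the report or the post. It assumes findings have been extracted into (host, severity, title) records; the records are constructed (documentation addresses, a placeholder severity-3 title) around the finding titles quoted above, and the list of level one and two "noise" titles is the post's own list.

```python
from collections import Counter

APACHE = "Multiple Apache Web Server < 2.0.51 Vulnerabilities"

# Titles the post lists as level one/two noise: informational, not defects.
NOISE_TITLES = {
    "Web Server Supports HTTP Request Pipelining",
    "Mail Exchange (MX) Record Gathered from DNS Server",
    "SMTP Service Detected",
    "DNS Hierarchy of Target DNS Server Traced",
    "Host Names Found",
    "Target Network Information",
}

# Constructed findings modelled on the report's shape: six copies of the one
# severity-5 finding for a single address, repeated low-level items, and a
# placeholder severity-3 entry. Hosts are RFC 5737 documentation addresses.
FINDINGS = [{"host": "192.0.2.10", "severity": 5, "title": APACHE} for _ in range(6)] + [
    {"host": "192.0.2.10", "severity": 1, "title": "Web Server Supports HTTP Request Pipelining"},
    {"host": "192.0.2.10", "severity": 2, "title": "SMTP Service Detected"},
    {"host": "192.0.2.10", "severity": 2, "title": "SMTP Service Detected"},
    {"host": "192.0.2.53", "severity": 1, "title": "Host Names Found"},
    {"host": "192.0.2.53", "severity": 1, "title": "DNS Hierarchy of Target DNS Server Traced"},
    {"host": "192.0.2.10", "severity": 3, "title": "Placeholder severity-3 finding (constructed)"},
]


def dedupe(findings):
    """Keep one finding per (host, title); return (unique list, duplicate count)."""
    seen, unique = set(), []
    for f in findings:
        key = (f["host"], f["title"])
        if key in seen:
            continue
        seen.add(key)
        unique.append(f)
    return unique, len(findings) - len(unique)


def triage(findings, min_severity=3):
    """Collapse duplicates, drop informational noise, order what is left by severity."""
    unique, duplicates = dedupe(findings)
    actionable = sorted(
        (f for f in unique if f["severity"] >= min_severity and f["title"] not in NOISE_TITLES),
        key=lambda f: (-f["severity"], f["host"], f["title"]),
    )
    informational = [f for f in unique if f not in actionable]
    return {
        "total": len(findings),
        "unique": len(unique),
        "duplicates": duplicates,
        "by_severity": dict(Counter(f["severity"] for f in unique)),
        "actionable": actionable,
        "informational": len(informational),
    }


if __name__ == "__main__":
    summary = triage(FINDINGS)
    print(f"{summary['total']} findings, {summary['unique']} unique, "
          f"{summary['duplicates']} duplicates, {summary['informational']} informational")
    for f in summary["actionable"]:
        print(f"  sev {f['severity']}  {f['host']}  {f['title']}")
```

On the constructed input the twelve findings collapse to six, and only two survive triage; the severity-5 Apache item still has to be judged against what the server actually runs (no IPv6, no SSL proxying, no mod_dav), which is a per-finding judgement this dedup step deliberately leaves to the reader of the shorter list.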
Thursday, Debtember 22, 2005
Network control
Today I received my Company provided DSL unit. Smirk told me that at some point today, the service would cut over, but The Monopolistic Phone Company could not provide a timeframe for said cut over. Just that it would happen sometime during the 22nd.
I was not expecting the cut over to be about ten minutes past midnight.
But now, I have DSL that I fully control!
Muahahahahahahahaha!