The Grokster.com Scare Tactic

Written by Saran on June 27, 2006

There is a Slashdot article on Grokster.com changing their front page to one which displays your IP address and notes that it has been logged. As noted in many comments on Slashdot, I’d just like to say that this is no different to ordinary browsing: the web server always gets your IP address, otherwise it wouldn’t be able to send data back to you.

And usually, this address is logged with each request. There is nothing new here, and this site is just a scare tactic to put off people who don’t already know this.

It is important to draw people’s attention to this as some may believe that the site is doing something untoward, in order to obtain an IP address. In fact, any TCP connection (except spoofed packets) results in the server-side application being able to determine your IP address.
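To make the point concrete, here is an added example (it is not from the original post and has nothing to do with Grokster.com's own code): a minimal HTTP server that reads the client address of each TCP connection and echoes it back in the page. The request is made over loopback so it runs offline; the access-log line format is constructed for the example.

```python
import http.client
import socketserver
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler
from typing import List, Tuple


class PeerLoggingHandler(BaseHTTPRequestHandler):
    """Answers every GET with the caller's IP address and appends an access-log line.

    self.client_address is filled in by the socket layer when the TCP
    connection is accepted, before any handler code runs: the server does
    not need to do anything special to learn it.
    """
    log_lines: List[str] = []  # in-memory stand-in for an access log file

    def do_GET(self) -> None:
        ip, port = self.client_address
        stamp = datetime.now(timezone.utc).strftime("%d/%b/%Y:%H:%M:%S +0000")
        # Constructed log line in the usual access-log shape.
        PeerLoggingHandler.log_lines.append(
            f'{ip}:{port} - - [{stamp}] "GET {self.path}" 200')
        body = f"Your IP address is {ip} and has been logged.\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args) -> None:
        pass  # keep the default stderr logging quiet; we record our own line


def serve_one_request(path: str = "/") -> Tuple[str, str]:
    """Run a server on an ephemeral loopback port, fetch `path` once, return (body, log line)."""
    with socketserver.TCPServer(("127.0.0.1", 0), PeerLoggingHandler) as server:
        port = server.server_address[1]
        worker = threading.Thread(target=server.serve_forever, daemon=True)
        worker.start()
        try:
            conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
            conn.request("GET", path)
            body = conn.getresponse().read().decode()
            conn.close()
        finally:
            server.shutdown()
            worker.join()
    return body, PeerLoggingHandler.log_lines[-1]


if __name__ == "__main__":
    page, entry = serve_one_request("/index.html")
    print(page.strip())
    print("server log:", entry)
```

The address comes from the accepted socket, not from anything in the request or the page, which is why every ordinary web server can log it. One caveat for anyone reading their own logs: behind a reverse proxy or load balancer the peer address is the proxy's, not the browser's.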

Categories: News, Real-World Issues

RedHat Enterprise Linux 4 vs. Windows Server 2003

Written by clouseau on June 26, 2006

You will constantly see “religious” wars being fought between the camps of the two platforms named above. You’ll also see a lot of comparisons between the two on the net, all of which have a hint of bias in them. Well, today I’m going to cover just the facts about the two platforms to see which one comes out a clear winner, if any.

Let’s see when each platform launched. If we look up RedHat we’ll find that they launched version 4 of their highly acclaimed Enterprise Linux on February 15th, 2005, according to CRN. Microsoft Windows Server 2003 was released on March 28th, 2003, according to Microsoft’s own site. That’s nearly a two-year gap between the two, which in the IT world is nearly the lifetime of most software product versions.

So Windows Server 2003 has a near two-year head start on RedHat Enterprise Linux 4 in which to collect all sorts of vulnerabilities, the kind we all know Microsoft is famous for. However, this is where it gets to be a tad surprising. Outside the hype and FUD (Fear, Uncertainty and Doubt), it’s not nearly as bad as the general tech community paints it out to be. A little research on Secunia reveals that it’s not bad at all.

[Graph: Secunia advisories for Windows Server 2003]

Since its release in 2003, Windows Server 2003 has accumulated a total of 74 Secunia advisories.

Now let us take a look at Redhat Enterprise Linux

[Graph: Secunia advisories for RedHat Enterprise Linux 4]

Since its release in 2005, Enterprise Linux 4 has accumulated a total of 128 advisories.

Wait, what? There must be some mistake. Well ok, perhaps the Enterprise Linux 4 vulnerabilities are a lot less severe than Windows Server 2003. A local vulnerability is a lot less severe than a remote vulnerability.

So let’s look at RedHat Enterprise Linux 4 first.

[Graph: RedHat Enterprise Linux 4 advisories by attack vector]

Ok, so 83 percent of all the vulnerabilities can be exploited remotely. That’s a pretty high number. Let’s take a look at Windows.

[Graph: Windows Server 2003 advisories by attack vector]

59 percent of all Windows Server 2003 Secunia Advisories are remotely exploitable.

Well now, this is fairly interesting. So far, dare I say, Windows is leading in terms of security.

Ah but wait, it’s not over yet. We have yet to see the type of impact most of these vulnerabilities have, and most importantly, the impact they have at the system level.

So let’s take a look at RedHat Enterprise Linux 4 first.

[Graph: RedHat Enterprise Linux 4 advisories by impact]

We see here that 30 percent of the vulnerabilities allow system access.

Now let’s take a look at Windows Server 2003.

[Graph: Windows Server 2003 advisories by impact]

We see here that Windows Server 2003 is a bit more severe, in that 53 percent of its vulnerabilities allow system access. That’s a dangerously high percentage, especially in an enterprise environment.

Secunia also keeps track of the vulnerabilities it has recorded which the vendor has not yet patched, which gives us an idea of how quickly each vendor responds to security issues.

The Secunia database currently contains 0 Secunia advisories marked as “Unpatched” which affect RedHat Enterprise Linux AS 4.

That’s pretty decent, so we know that RedHat responds very quickly to any discovered security threats. Let’s have a look at Microsoft.

Currently, 8 out of 74 Secunia advisories are marked as “Unpatched” in the Secunia database.

A much more dangerous number than zero. Although, to their credit, none of the “unpatched” vulnerabilities is especially critical. However, this still shows us how seriously Microsoft lags behind in its patching efforts. One could only attribute this to the massive complexity of the Windows system that Microsoft engineers must work through, in contrast to the modular nature of Linux itself.

In conclusion, what we have here is a very interesting set of differences between the two platforms and neither comes out as a clear winner. (I know, you are disappointed!) However, we did uncover the fact that Windows Server 2003 is not nearly as bad as the general tech community paints it out to be and would be a fairly solid choice in an enterprise environment despite all the FUD.

Categories: Operating Systems, Review

MSN Messenger Censorship

Written by Saran on June 25, 2006

It turns out that MSN are blocking the string “download.php” in MSN Messenger conversations. According to SourceForge, and verified by myself, messages containing that string simply do not get through. In addition, the conversation link is closed (but the chat window itself remains open).

I shouldn’t need to point out that many legitimate sites use download.php as a means for accessing files. Linking a less computer-savvy friend to a download page for AntiVirus software may now be impossible, thanks to MSN.

This is a totally pointless censorship, and serves no purpose whatsoever, other than to inconvenience the user.

Perhaps it is time to switch to another protocol: Jabber, for instance, which is built on the open XMPP protocol.

Categories: Real-World Issues, Security Policies

Britain Plans To Monitor Every Car Journey

Written by Saran on June 24, 2006

I wrote earlier in the week about the British plans to introduce ID cards. Now, it turns out there is an even more stupid and pointless idea following. This is to use a nationwide network of cameras which can identify car number plates to track the journeys of every car in the country. Data on the time, date and location of each sighting will be stored in a central database. Information will be fed into this from roadside cameras by a secure police communications network.

This data will apparently be used by the police and the security service (MI5) in criminal investigations and anti-terrorism efforts, and to identify cars being used without insurance or road tax.

There are a number of problems with this system. Some of these are the same as the problems with the ID card system. For one, it costs a lot: the government have already allocated £24 million to this. Money which could be put to better use elsewhere.

Let us now look at some of the other problems. There is the potential for abuse. The system is going to be open to police, security services and other government departments. Anyone working for these, as well as anyone who gains access one way or another, has access to the travel patterns of the entire population of the country. If you suspect your wife is cheating on you, it’s just a simple matter of asking your friend in the police to check that her car actually registers as going to Tesco that night, and not some street the other side of the city, where all the investment bankers live.

Furthermore, there will be an enormous quantity of data relayed by this system. Managing this much data is difficult, and mistakes will be made. Suppose a GPS system fails, and your car is placed near the scene of a murder, at the approximate time it took place. In fact, you were nowhere near the place, but the system never lies, and will be trusted without question. What, then, is your defence?

That somewhat extreme example illustrates just one of the things which can go wrong with such systems. And this is forgetting civil liberties, and the fact that many people object to living under the watchful eye of the government. What does it matter to the government if I was 20 minutes late into work yesterday? Although, I suppose they could track the journey and figure out that it was because of the accident which blocked the road for 15 minutes!

Again, just an example, but no matter how many advantages a system like this has, the disadvantages, security problems and potential for abuse far outweigh any conceivable advantage.

The money being wasted on systems such as this would be better spent tightening security at airports, sea ports, train stations, and other such transport hubs. One excellent way to spend this money would be to improve the training of security staff at these places. Humans are far better at spotting unusual behaviour, or security risks, than automated systems are. With training, the efficiency and security of airports, etc. can be improved significantly, without the risk and public outcry associated with schemes such as ID cards and national road-traffic monitoring!

Categories: Real-World Issues

Hashing Algorithms From A Cryptographic Perspective

Written by Saran on June 23, 2006

Recent news of collisions and reductions in attack complexity have affected both MD5, a commonly used algorithm for checksums on file downloads and in integrity checkers, and SHA-1, a commonly used cryptographic hash algorithm in many encryption products. This raises the question of where to go next if you are implementing software which uses cryptographically strong hashing.

The SHA (Secure Hash Algorithm) family of algorithms, validated by NIST as the standard hash algorithms for cryptographic use, contains not only SHA-1 but also an older algorithm called SHA-0, for which attacks have also been reported, and the SHA-2 family, which consists of SHA-224, SHA-256, SHA-384 and SHA-512.

SHA-256 forms a new minimum recommendation, in many cryptographers’ eyes, given the attacks on SHA-1. Whilst these attacks do not rule out SHA-1 for general use, new software making use of hashing algorithms should remain secure for the near future, perhaps a decade, so it is important to prepare for the attacks on SHA-0 and SHA-1 becoming more feasible, especially as the cost of computing goes down and the power continues to rise.

SHA-224, SHA-256, SHA-384 and SHA-512 are all named after the number of bits in the output hash. The more output bits, the harder it is to create a collision, in general, unless there is a weakness in the hash function itself, as has been found in SHA-0 and SHA-1.

Of course, the SHA-2 family is based on SHA-1, with slight differences in design and a larger output, so it is possible that these have potential attacks also. But the size of the brute-force space is dramatically increased, so these variants of the SHA family will withstand attack for longer, and should prove reliable for the near future.

Looking into the long term, few solutions currently exist that are not based on the SHA design. There are two main contenders at present: the RIPEMD family and the WHIRLPOOL family.

RIPEMD comes in the following flavours, in each case, the number represents the hash size in bits: RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320. RIPEMD-128 is a replacement for the original RIPEMD, which was found to have security issues, whereas the others all increase the output size, and therefore the associated security. Again, this family is based on a construct which has been proven susceptible to attacks in the past, so it is possible that the entire family could have weaknesses.

The other main alternative, WHIRLPOOL, has no known attacks, and has had two major changes to further improve its security.

WHIRLPOOL is a 512-bit hash function. The changes mentioned involve a move from a randomly generated s-box (substitution box) to one designed to be cryptographically stronger and easier to implement in hardware, along with a change in the diffusion matrix.

Some leading cryptographers are calling for new cryptographic hash functions to be designed, perhaps in the same design-by-committee method as the AES encryption standard.
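As an added example (not part of the original post, and not code from NIST or any of the projects named above), the following Python puts the post's recommendation into practice: it tabulates the output sizes of the functions discussed, derives the generic collision and preimage work factors that a larger output buys, picks the smallest SHA-2 member meeting a target strength, and verifies a digest while refusing MD5 and SHA-1. The deprecation list and the 256-bit minimum are a policy constructed for the example; the RIPEMD and WHIRLPOOL sizes are listed for comparison, and whether hashlib can compute them depends on the local OpenSSL build.

```python
import hashlib
import hmac
from typing import Dict, Set, Tuple

# Output size in bits of each hash function discussed in the post.
OUTPUT_BITS: Dict[str, int] = {
    "md5": 128, "sha1": 160,
    "sha224": 224, "sha256": 256, "sha384": 384, "sha512": 512,
    "ripemd128": 128, "ripemd160": 160, "ripemd256": 256, "ripemd320": 320,
    "whirlpool": 512,
}

# Policy list constructed for this example: functions with published
# collision attacks that new software should not rely on.
DEPRECATED: Set[str] = {"md5", "sha1"}


def generic_work_bits(output_bits: int) -> Tuple[int, int]:
    """Structure-independent attack cost, in bits of work, for an n-bit hash.

    Collision: birthday bound, about 2^(n/2) evaluations.
    Preimage: about 2^n evaluations.
    This is the ceiling a larger output buys; a weakness in the function
    itself (as found in SHA-0 and SHA-1) lowers the real cost below it.
    """
    return output_bits // 2, output_bits


def choose_sha2(min_collision_bits: int = 128) -> str:
    """Smallest SHA-2 member whose generic collision resistance meets the target."""
    for name in ("sha224", "sha256", "sha384", "sha512"):
        if generic_work_bits(OUTPUT_BITS[name])[0] >= min_collision_bits:
            return name
    raise ValueError("no SHA-2 member meets the requested strength")


def is_acceptable(algorithm: str, min_output_bits: int = 256) -> bool:
    """Apply the post's recommendation: not deprecated, and at least SHA-256 sized."""
    algorithm = algorithm.lower()
    return algorithm not in DEPRECATED and OUTPUT_BITS.get(algorithm, 0) >= min_output_bits


def verify_digest(data: bytes, algorithm: str, expected_hex: str,
                  min_output_bits: int = 256) -> bool:
    """Check data against an expected digest, refusing weak algorithms.

    Raising on a weak algorithm (rather than returning False) means a
    download 'verified' with MD5 fails loudly instead of passing silently.
    """
    name = algorithm.lower()
    if not is_acceptable(name, min_output_bits):
        raise ValueError(f"{algorithm} does not meet the hash policy")
    if name not in hashlib.algorithms_available:
        raise ValueError(f"{algorithm} is not provided by this OpenSSL build")
    actual = hashlib.new(name, data).hexdigest()
    # Constant-time comparison; the digest is not secret here, but it costs nothing.
    return hmac.compare_digest(actual, expected_hex.lower())


def available_alternatives() -> Set[str]:
    """Which of the post's non-SHA contenders this Python build can compute."""
    return {"ripemd160", "whirlpool"} & set(hashlib.algorithms_available)


if __name__ == "__main__":
    for name, bits in OUTPUT_BITS.items():
        coll, pre = generic_work_bits(bits)
        print(f"{name:10s} {bits:4d} bits  collision 2^{coll}  preimage 2^{pre}")
    print("recommended minimum:", choose_sha2(128))
    print("non-SHA alternatives available here:", available_alternatives() or "none")
```

Running the script prints the size table and whether RIPEMD-160 or WHIRLPOOL are available locally; the verify_digest helper is the piece worth reusing, since it turns the post's advice into a check that cannot be bypassed by quietly passing "md5".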

Categories: Cryptography