Posts by Daniel Palmer

@Exploit

>VmWare does a pretty good job of hiding itself from the client OS.

The vmware hypervisor or whatever you want to call it is visible to clients via special io ports on the virtualised processor. You can see how that works by looking at the openvm tools stuff vmware has released recently..... and this "exploit" is slightly different; As far as I can see it's basically about generating interrupts at a high enough privilege level (kernel debugging level) that you can do whatever you like, including trapping attempts by the running kernel to detect the rootkit. Unless this has some fairly extensive code to bind the kernel debugger part into the running OS I can't see how it's that useful scriptkiddies, if they can't manage a buffer overflow by themselves how are they going to work with something that requires knowledge of the inner workings of the processor to understand?

@AC

>Indeed, but at least in the UK and other EU countries operators

>are obliged to unlock the phone (for a fee) after your initial

>contract period has ended.

>There is no such obligation in Japan and the operators won't do it.

Are you sure that's true? Surely the terms which you are given (leased) the phone dictate whether the supplier has to unlock it. You would have to read all the legal documents of each supplier to find out exactly where they stand.

>but the way the Japanese bureaucrats tick, they are more likely to

>issue a first number in order to get a second number which then

>allows you to submit your application. Go figure.

Well, it's their country isn't it?

>However, I don't think anybody who's been living in Japan for a few years >would find this sort of thing unusual.

I find it really silly how people that have "been living in Japan for a few years" whine and whine about their "situation". Take that arsehat debito as the greatest example of that. Japan isn't all that different from any other country it's just the majority of people that move to Japan have no experience of living anywhere outside their home country and expect Japan to jump hurdles to accommodate the less than 2% of population that aren't Japanese.

Bottom line; If you don't like what the operators do to hardware before they lease it to you in Japan either A: move somewhere else B: learn some Japanese and buy a shiro-rom phone.

@ Anonymous Coward -- Japan

>Well, here in Japan, the land where presumably your ancestors have come from, >there are no cell phones which are not locked to the network, all phones are locked, >and after you paid your dues and the duration of the 2 year contract you signed has >passed, guess what, they won't unlock your phone then anyway, you have to go >overseas to get that done.

That's if the phone has a SIM card. The Softbank ones seem to have what would otherwise be on the sim card burnt into the firmware. DoCoMo and Au handsets do seem to have cards though.

You said the iPhone brought freedom to Japan (I'm guessing you're not Japanese as your ingurishu is too good), but the fact is all phones are restricted in Japan. Not many places require evidence of your right of abode and take copies of your papers before allowing you to have a phone, and that's not just for the monkey ALT's but for Japanese citizens.

Also if you want to get your data off of your phone you could always get an SD reader.. all Japanese phones have miniSD microSD slots, even the 5000 yen ones, and the formats are generally pretty standard.

Re: OH NOES!?! ITS 1984 OH NOES!!!

Sounds like a good idea to me. Currently we give out 6 month visa's[1] to almost anyone that turns up on the door and send them on their way, and those people have the choice just to disappear. The problem is other parties (i.e. their sponsor) could also make them disappear and there's no way of finding out where they went. People that have things to hide shouldn't be vouching for other people to enter the country.

As for ID cards for foreign visitors; It's only recently that you haven't had to carry a resident registration card in Spain if you intend to stay there for an extended period of time. Even with a tourist entry permit in Japan you need to register yourself as an alien at the local city hall after a certain period. It's very hard to track down people relatives if they get run over if they don't have any in that country,.. having some documentation of your existence in that country is a good idea (TM).

1 - We say visas.. those are the things you apply for before you get here, and even though you have a visa in your passport is no guarantee that you'll be permitted to enter the country. Non-EU nationals from countries with visa exception agreements get 6 month entry permits or something stamped into their passports when they get here IIRC.

@Chris Thomas

>1) if I was at a company and personally created a disaster that caused millions of >pounds of damage, it doesnt matter

Millions of pounds of damage? Evidence? Even if some bigwigs lost "millions of pounds" because of this patch they have no legal grounds for complaint. They used the code under the license it was offered.

RSA have sold console makers like Nintendo encryption and it hasn't worked,.. Nintendo haven't sued. Figure that out.

>ONE LITTLE BIT that they have insurance you dumbass, it has NO RELEVENCE >WHATEVER on the fact that at the end of the day, I am collecting my P45, they are >covered, thats true, but I AM OUT OF THERE.

You need something like 3 warnings of increasing severity to be fired unless your mistake can be considered "gross misconduct". I hope silly human mistakes aren't considered gross misconduct, I think that assumes intent to commit wrong doing.

Companies actually give courses on how to fire people these days....

>2) it depends on whether you want to be taken seriously or not, if I had an employee >who did this and basically if you work for "me" you're my employee

Far be it for me to tell you how to run your business, but you should have code review, a peer should be checking for an obvious blunder. It's very easy to miss things. The DD that patched OpenSSL tried to get peer review from the OpenSSL developers.

>3) If the TV was straight out of the box and then at night set fire to my house killing >my wife and children, yeah I'd be around your house to find out what happened with >that TV that made it do that and if you tell me it was standing in a puddle of water!!

You didn't check it for signs of damage before plugging it in? I offered you no warranty of the fitness of the goods and you should have expected as much. If you don't have the common sense to protect what is important to you these things will happen. What if it was stolen? You'd be liable for handling stolen goods.

>4) but he obviously isnt, because if he was, he wouldnt make such a f**king n00b >mistake would he.

So your informed critique comes down to the DD being a "n00b". Pat on the back.

>5) Since I learned that debian is for idiots, I pretty much stayed away from it and I >have nothing to do with it, and I enforce that with everything I do, I dislike their entire >band of brothers do much, I never run into this problem. However, some of my friends, >have.

You will never run into this problem? Chances are you have communicated with a server running Debian that has been using weak keys. Everyone is affected.

There must be billions and billions of pounds of damages outstanding from dodgy webservers, broken MTA's,... You'd think having to brute force thousands of keys would be a minor issue in comparison.

>6) Thankfully, I've never had to directly deal with idiots from debian, so I've been >mostly free from having to interact with them and be "infected" with cool 1337 ideas >like removing parts of RNG code.

So you don't actually understand what happened? The intent was to disable an almost unless part of the entropy generation process (uninitialised memory isn't a good source of entropy), but by mistake the DD managed to knock out a fundamental part of OpenSSL's entropy generating process.

>Seriously man, get a grip, millions of pounds of damage has been done and >thousands of man hours wasted over a f**king valgrind fix, this shit does not happen >to good developers. Stop protecting the weak, their death is SUPPOSED to happen. >It's called nature.

Earth quakes cause millions of pounds of damage, I think the damage this has caused is subjective at best. Maybe someone is replaying old SSL encrypted credit card transactions against the known weak keys in a hope of getting some usable data? Otherwise I'm totally lost as to where these $18.500.000 Million dollars (Eighteen Million Five Hundred  Thousand

us dollars Only) have been lost. You would have thought all those big companies that rely on SSL to protect their loot would have to use encryption accelerators anyhow.

@Chris Thomas

>Irrational? ok, being in the software industry, if I caused this kind of damage, you think >I'd be collecting a phat paycheck at the end of the month? or my P45?

Your employer should have liability insurance and contracts et al. worded in such a way that you aren't directly liable.

Read the first couple lines of *any* opensource license and you'll see the developers have nicely decoupled themselves from any responsibility. Many proprietary licenses shed as much responsibility as legally possible. Your's should too.

Aside from that the employment laws in the UK would make it almost impossible to just sack you and withhold your salary.

>Seriously, this guy needs ejecting and find his fun somewhere else and yes, in this >case, he isnt paid, but should he continue to work on the project?

Not being part of the Debian community is that really for you to have say so on?

It would be very easy to revoke this DD's rights within the project but that is for the project itself to decide not Random Internet Commentators (TM).

>We are constantly living in a society where failure is tolerated at any level and while I >agree that people make mistakes, they should also be shown that severe mistakes, >are taken and fixed severely.

Again, you're saying that instead of trying to limit the damage this has caused we should be telling people off. If someone gifts you a TV and it doesn't work do you go around their house and give them a mouth full of crap about it? You didn't pay for it, what right to you have to start a witch hunt against anyone? The licenses this stuff is distributed under actually forbids you any right to complain.

>There are some bugs you shrug off and others which you cannot and the only >recourse is your head, sorry, but this guy was editing and compiling code which he >isnt even remotely qualified to do.

More assumptions. Do you know anything of this guy's background? He could Schneier's genetic clone.

>and as for helping, I am helping, by using fedora and telling everyone else to not use

Well, even with Fedora you could have weak keys in your system; Keys created by debian users etch and beyond. Actually, with a Fedora system you are more vulnerable ssh-wise because you don't have the blacklist for weak keys. Maybe you should spend your time telling your sysadmin friends to watch out for keys generated on Debian boxes and to install blacklists where possible?

>Sorry, but for a decade I have had a hatred of debian because of it's idiotic mindset

So what you're basically saying is - I don't really care about this, I just don't like Debian and because of that I should decide the course of action taken in resolving the problem at hand. Is it possible you have been scorned by the Debian community for *your* lack of ability hence have this negative outlook towards them?

@Alan W. Rateliff, II

http://cr.yp.to/maildisasters/sendmail.html, aside from being historically insecure you simply don't need it. Exim, postfix etc all include sendmail wrappers.

@Chris Thomas

> Then he ships crap sandwiches to everyone and openssl are to blame????

No one said that the person that did the change *isn't* to blame. The problem here is that your and other like minded peoples responses are totally irrational.

People make mistakes.

>And you are correct in saying that distributions "repackage" software for their >distribution, but the difference here is that they ONLY REPACKAGE

All distributions patch the original source files to some degree. That could be something as simple as changing the location of the config files,.. and that could still introduce security problems that weren't present in the vanilla source.

Are you saying we should change everything to DJB-style licenses?

>It is simply not openssl team's job to respond to every mail on the mailing list, it's >their job to look after their project and their code,

They did respond. There seems to have been some confusion over what their response meant; Yes comment it out, or maybe comment it out only for debugging. The fact remains the damage is done. No amount of being a tit on either side is going to fix that. Debian announced the problem publicly, and have/are putting in place measures to limit the damage. (i.e. openssh now depends on a package that blocks known weak keys)

> it's not the fault of openssl

Instead of telling people off maybe you could help? Debian is a community project and I'm sure they could do with more people like yourself that understand everything and never make cockups.

@The real problem with debian

>Can anyone remember the last time debian made something revolutionary

>linux ecosystem? Graphical installers? dbus? gnome? kde? firefox? x.org?

apt? dpkg? debian-installer has had a graphical option since Etch...

Also your argument about Debian "importing trees" is total crap. The Debian packaging tools advise "against" creating native packages that depend on the Debian build tools, and actually create a complete trail of changes that have happened to the original source....

It takes one slip up to bring out all the whiners and idiots... Debian isn't only vendor that patches software; I'm pretty sure Fedora patch their packages to put config files in really stupid places, maybe it's just magic?

El Reg is populated by super-humans that never make mistakes apparently.