Re: nobody goes after the small fry
〉Want to do a raid on that well known felon Mr Winston Kadogo?
Ah, someone else who remembers "Not the Nine o'clock news" :-).
Few of us left these days...
61 posts • joined 19 Oct 2008
〉Want to do a raid on that well known felon Mr Winston Kadogo?
Ah, someone else who remembers "Not the Nine o'clock news" :-).
Few of us left these days...
Fantastic article from Alexander Bokovoy on
how this thing was found and fixed !
Best comment I've seen on Infosec "reporting". From Alexander Bokovoy:
"Overall reaction is exactly by throwing content out and concentrating on the messenger. To give you a level of incredible misunderstanding what the content is, here is a quote from 'threatpost.com', a site that is associated with Kaspersky Lab:
"As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services."
The end of the second sentence is all you need to know about infosec news reporting."
The "sniffing the traffic" bit isn't required. Just get the client to connect to you and bobs-yer-uncle ! :-).
You must be on the same network as the client connecting to the AD-DC, but you don't need to be able to sniff any traffic, just be able to spoof the client to connect to you instead of the correct DC.
It's the first protocol-level bug in DCE RPC I'm aware of, and Metze did an amazing job both finding it, working out the implications and creating the required fixes for this. Also many other engineers put in long
Not gonna comment on the "badlock" website, only that it wasn't a Samba Team activity.
> > "Sure no company would ever let her near the levers of power again?"
> You'd be surprised.
> Really, you would.
Yep. Once you reach the CXX level there are never any consequences for your actions. Google the ex-CEO of SGI who became a VP at Microsoft, then back to CEO here in the valley for a good example.
What people don't realize about the HBO "Silicon Valley" TV show is that they have to *tone down* the antics of the VC's and company management. No one would believe the truth here..
Nope - I have a lot of users who haven't forgotten that Samba4 == AD-DC. I fix bugs for them every day :-).
Nothing of what you posted addressed what I said in any way. I am pointing to direct copying of Linux kernel source code under GPLv2 into zfs-on-linux because the code inside the kernel was restricted to GPL-only modules and the ZFS developers wanted to use it. I know little about the NVidia drivers but I very much doubt their developers have been careless enough to do the same sort of thing.
Don't conflate the two issues. The zfs on Linux code is clearly not clean, and I'm amazed Canonical have tried to ignore these problems to sell to commercial customers. If I were a Canonical cloud customer I'd be calling them right now asking them what they hell they thought they were doing putting my business and my customers at legal risk.
Disclosure, I'm on the Board of Directors of Software Freedom Conservancy (SFC).
shows that the ZFS-on-Linux developers copied GPLv2 code from the Linux kernel into their zfs on linux source tree in order to avoid having to use an EXPORT_SYMBOL_GPL function that they needed.
The haven't been careful, or clean in developing this. Details like this *matter*.
Everyone wants ZFS inside Linux. Doing a dirty, careless hack-job that plays fast and loose with the licenses isn't the right way to do this.
Conservancy is doing Canonical a favour by pointing out the folly in what they are doing here (IMHO of course).
> especially because Samba implementation of SMB is not so performant
Utter bollocks. Prove it you anonymous troll. Samba can saturate 10GigE for both read and write, plus we're currently testing multi-channel SMB3 TCP for multiple NIC concurrent performance goodness. I hate 'nony-coward drive-by slagging off like this.
"Edit: wow Samba is an even bigger POS than I realized."
Easy to say - hard to write secure code. If you want to do the things that Samba needs to do on a computer system, you have to have the privileges needed to do so. That means root.
You do realize we continuously test with Coverity static analysis, Codenomicon protocol fuzzers, and work with Linux vendor security Teams to issue CERT alerts when vulnerabilities are found ? I'd hold up Samba security practices as best-in-class against any vendor, Open Source or proprietary.
(From a post I made to email@example.com):
Hmmm. Doesn't look real as far as I can see
(the article is full of hyperbole).
It's got lots of phrases like:
"So, if we have an access to the key.."
"if we’re able to steal those tickets and somehow
insert them into our own system"
"It’s just an account in domain controller
database, so your obviously need access to DC or it’s data."
So looks like a "if we can break the security
then we've broken the security" article :-).
Forgot to address the comment about "Maybe they should have spent their efforts in making it scale better.."
I don't think you have any idea about how much effort we put into making Samba scale, to the point of counting instructions using cachgrind and modifying core algorithms to improve scalability. We have one Samba Team member (Volker) who does this to the point of obsessiveness. I love him for it :-).
Haven't you heard, the pendulum has swung back again, and being in user-space is the new, new hotness - again (see the other recent article on IP-in-userspace performance improvements :-).
for details. Apple are religious zealots about patenting software. Nothing we can do about that. All other vendors had no problems with it.
Here is the link for donations. Thanks !
No I haven't forgotten about the FSF. The FSF hasn't enforced the GPL on their copyrighted material for many years. Last time they did that was when Bradley Kuhn (who now works at Conservancy) worked there. Since he left they haven't done enforcement (are you seeing a pattern here ?).
Thanks for highlighting this (disclosure, I'm on the Conservancy Board of Directors).
Conservancy is the only organization doing GPL compliance work in the USA. Not only that, they do it in a reasonable and non-confrontational way:
But lots of corporations really don't like GPL compliance, to the extent of putting financial and political pressure on Conservancy for doing it at all. If we developers want the license enforced, we'll have to donate and fund it ourselves. Please help !
It takes care of all this for you.. Seriously, it's very nice for C code. Makes something as complex as Samba even possible.
You can be a murderous paedophile and the police and security services will move heaven and earth to protect you and keep you in parliament (especially if you have royal friends).
But publish "secret" information that embarrasses them and their rage and vindictiveness knows no bounds, as poor Julian will eventually find out.
As "terrorists and extortionists."
Utter shits, who find zero day exploits and refuse to disclose them to the creators of the software but sell them to others instead.
I can't be bothered to download their crap, can anyone tell me if they have contracts that explicitly prohibit licensees from disclosing the vulnerabilities to the actual authors of the software ? Other similar companies (let's hope you get hacked too, you disgraceful bastards) have such clauses. I remember knowing about a vulnerability because of one of these companies, but being unable to fix it for a while because of these contracts. We eventually figured it out.
As a Free Software author myself, this makes my blood boil.
AC wrote: "once that happens you will be stacking shelves..."
Hahahahaha ! Consequences for their actions ? Clearly you must live in a different silicon valley than I do.
Lookup "Rick Belluzzo" for the perfect example of a Silicon Valley CEO. They make the banksters look honest :-).
Sir Percy Browne: "Sometimes Mr. Fiennes, I think you'll only be content when you have the population of Great Britain under permanent, twenty-four hour surveillance. Would you be happy then ?"
Fiennes: "Happy, sir ? Satisfied."
I *loved* those guys... Sig11 I think it was.
"Information wants to be wiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiide" :-).
Haha. I know why they want to have 'the right to modify your files' :-).
Given a 'jpg backend with 'infinite' storage, it is relatively trivial for an experienced storage engineer (i.e. I've thought of it :-) to write code (Samba VFS or FUSE maybe) to split any incoming file into a set of JPG formatted backend files, and re-combine them on read. Layered filesystems - they're a wonderful thing ! :-).
Offering 'infinite' picture storage means simply 'infinite' storage of any kind.
If they transform the incoming data, then it's harder to build a generic storage backend out of the thing (although probably not impossible with clever enough error-correction code :-).
No, that's tridge :-). Andrew Tridgell wrote both rsync and Samba. I just wrote Samba (we're co-authors on that).
It's an easy mistake to make, him being Australian and me being from Sheffield and all. Most people think we sound and look *exactly* alike (except for the old accent thing and the fact I'm probably 100lbs heavier :-).
Err. Yeah, that's me. Not sure what your comment is trying to say though :-).
In the words of Popeye the sailor, "I Yam What I Yam".
If you want to donate to help Conservancy:
There's a $50k challenge match at the moment, plus donations are tax deductible (in the USA at least). Full disclosure - I'm on the Board of Directors of the Conservancy.
Unfortunately the NSA/GCHQ *ARE* the real bad guys.
If by "there ARE real bad guys out there" you're referring to people like the Islamists and the IRA, as Steve Bell famously pointed out, they're bad guys wearing clown shoes. Getting hurt by them is like a car accident, you're just unlucky.
No, NSA/GCHQ are *much* *much* worse. As good 'ol King Henry VIII says in "A Man For All Seasons" : they are "a deadly canker in the body politic". They are an infection in the very ideals of our Democracy, and there's no way back from that.
Yeah, I was gonna mention this too.
If you mentally convert the 'magic' SEATEC ASTRONOMY box to a method be quickly breaking DES, then just about everything else in this movie makes sense :-).
Even down to James Earl Jones saying "We're the US Government, we don't do that kind of thing" to the request for "peace on Earth and goodwill to all men" :-).
The dirty secret of Register Copyright articles is that they never mention the "limited time" aspect of copyright.
Remember that ? The idea that eventually published works will go into the public domain.
Let's see how many works went into the public domain in the USA at the end of 2014 shall we ?
Oh that's right. Nothing. Nada. Zilch..
Whilst this continues to be the case, the copyright contract is null and void and neither side feels any qualms about violating it. I say this as someone who makes their living via copyrights on software too.
What a shitty situation for all concerned.
"Decoding a BER (or worse, PER) datastream from scratch is a mugs game; that's what libraries and tools are for."
Oh, so that's your answer. The details are hard - let someone else do it...
I'm one of the people who have to do it from scratch. ASN.1 utterly *sucks* I'm afraid. Far too complex for its own good. Type tagging is a bad idea. The software needs to understand the marshalling/unmarshalling format, so type tagging is irrelevant IMHO. You either completely understand the stream format, or you have no business trying to parse it (that way lies security holes for sure).
I'm old :-). ONC/RPC xdr format is nice, simple, and has already had its share of security holes so it's now pretty well understood. Give me an xdr stream any day...
I take it you've never written or debugged an ASN.1 stack.
That thing is a f&%king nightmare. DO NOT USE ASN.1 for new protocols please, unless you are having a competition to see how many CVE's you can get for your software ("look Ma, we beat LDAP... !" :-).
The USA and UK showed the way. Spy on everyone, everywhere, anytime with no restrictions. Any wonder you're starting to see the balkanization of the Internet. This will get a lot worse, in a lot more places I expect.
"So the theory for higher-fidelity playback of stored music through the Sonos system is to get a FLAC copy of the music, convert it to ALAC, import that into iTunes, re-set the Sonos music index, and then play the music."
WHAT ? Why are you messing about with all these steps. To play flac:
1). Rip the CD to flac format onto your NAS drive.
2). Re-index the SONOS music library.
3). Play the flac file on the SONOS from your NAS drive.
That's what I do...
Oh, wait a minute. iTunes and Apple - there's your problem mate. FLAC is a *Free Software* created format. That's like garlic to a vampire for Mac's :-).
We can't have something like that because Microsoft won't build it into their clients :-(.
Same reason we can't have decent filesystems (ext4 anyone ?) on USB sticks - Microsoft insist on FATxxxx-only to keep the monopoly rent on the patents I'm afraid.
Still, SMB is pretty multiplatform these days - with the unix extensions turned on in the Linux CIFSFS client and Samba as a server it's pretty close to UNIX->UNIX semantics. Reminds me of RFS it does :-).
And it's *certainly* better than NFS (which turned into a monster the moment they tried to import wholesale some of the CIFS/SMB stateful semantics, and the ACLs, god help me don't mention the ACLs :-).
Thanks for the shout-out ! It's lovely to hear someone mentioning Samba in an article (sounds like 1997 again :-).
To be honest, many of the vendors who 'move on' from Samba are pushed to do so by their marketing department - not be the engineers. The marketing people like to say "our implementation is unique" - hoping to mean "better" of course :-). That's not always the case :-).
I know of at least 2 vendors mentioning no names of course :-) whose engineers have privately told me that's what happened..
Still, there's enough work to keep everyone busy on Samba for a good number of years yet !
As I keep telling the young-'uns - if you're a qualified Samba coder I can get you a job tomorrow (many postitions in Silicon Valley). But they keep wanting to do the webby stuff... :-(.
The article states:
> The only big SaaS alternative is Google, with Docs. This does not support ODF and is not listed on
> G-Cloud – instead you need to go through small suppliers.
In Google docs there is "Download As" -> "OpenDocument Format" (.odt).
I think that qualifies as ODF support.
Yep. SONOS systems are Linux boxes. You can even download the source code (not to their fancy proprietary bits of course, but to the bog-standard GPL components).
I'm with Chris on this one. I *LOVE* the SONOS systems. I have a bunch of them in my house (3 play-5's, 2 play-1's in the kitchen and 4 connects to drive the surround-sound systems in various rooms).
I do have some really fancy audiophile speakers (JM Labs Focal Beryllium speakers) but the systems I find myself listening to the most are the stereo paired SONOS Play-1's in the kitchen, and the stereo paired Play-5's in the master bedroom, linked with a SONOS sub.
The sound really is amazing. Regular non-audiophile people listen to the bedroom system and just go "Oooh, that sounds different. How does it do that ?" It's the depth and richness of the sound that the SONOS sub adds I think. I now listen to music all the time at home as it's just so easy and convenient (controlled by my Android phone).
Oh yeah, one other thing. Wired is the way to go. Wireless just *SUCKS*. Always :-). All my SONOS boxes are wired (the house came with gigabit already plumbed into every room so that was easier :-). Even the one too far away from the wall-plate is wired via a ethernet-over-power box. Wireless *SUCKS* :-).
Only problem is convincing the wife to let me add more zones :-).
Yep. Here's Linus telling me about his QL whilst we were hanging out at Sao Paulo Zoo (great Zoo by the way :-). For some strange reason this wasn't a popular video :-). I was also a QL fan :-).
Good way to annoy the NSA and GCHQ, evil fucks that they are:
Refuse to hire ex-NSA/GCHQ people into private industry. Let the grunts know that working for the NSA/GCHQ is a one-way street. You are forever after tainted and no one will ever trust you again.
That should stick a spike into their University recruiting pipeline. Those government pensions not looking so guaranteed now eh ?
Just FYI Trevor, I got an email from a Synology UK support person today, so I think we might be off to the races.. Here's hoping :-).
Thanks (and if you want to email I'm firstname.lastname@example.org).
QNAP at least talk to me (as do most of the other NAS vendors). I can't get any response from Synology, even though they're shipping our stuff embedded in their OS (see here:
for their source code - it's got Samba 3.6.x). Trevor, if you have any contacts at Synology that might want to talk to the people who create their SMB1/SMB2/SMB3 server, please send 'em my way. I don't bite, I'll even give them advanced notice of our security fixes (I do for all the other vendors :-) and help them fix any customer issues they might have. I have tried to find someone there to talk to, but got no joy :-(.
Everyone seems to forget - it's nothing to do with controlling pirates or users, it's to keep the device makers brought to heel to protect obsolete business models.
Hicksie nails it here:
Disclaimer (I work with Hicksie, when he turns up in the office :-).
Pure FUD I'm afraid, and the kind I'm getting less and less inclined to tolerate. Do you have any *specific* Samba bugs you're complaining about, or are you just repeating what your NetApp or EMC rep. told you ?
You do realize Samba powers IBM Sonas storage, which is used by some of the most demanding NAS customers in the world ?
See Ian Hickson (author of the HTLM5 spec) on this.
DRM works just fine. It's just not designed to stop people copying, but to restrict innovative devices.
So long as they don't screw up the access to Ranch99 Chinese Market on Wolfe+Homestead whilst they're building it I'm good.
It'll make the house prices go up anyway :-).
Sure you can get the source code. But unless you build it yourself, you can't know that what you are running matches the source code you were given under the contracted NDA.
That always amuses me about the Microsoft claims of "but we gave the organization the source code, so it's the same as Open Source/Free Software, honest !"
Unless the organization has the build system as well, and does their own builds, then no it really isn't the same.
The wonderful thing about the Linux-based Open Source/Free Software releases is that you get the build systems as well and they're really widely understood - so if you're really paranoid yes you *can* build everything yourself. From scratch - just like CentOS does.
Of course then you have to trust the compiler, but now we're going into an interesting recursive problem :-).