Viewing Category : security

Zero size TCP receive window denial of service
30 March 2010

ACKs that contain no data are not reliably transmitted by TCP, so if the ACK segment that re-opens a zero-sized receive window is lost and the sender does not support zero window probing, the connection may hang forever. Attacks that exploit this have been known since 2006: a malicious peer advertises a zero window and keeps the sender in the persist state indefinitely, tying up its buffers and sockets. This means that an application or firewall must selectively abort TCP connections that appear malicious, i.e. ones that stay in the persist state and consume large amounts of resources.
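As an added example, not code from the post, here is a small model of the sender side of TCP persist handling that plays out the cases above: no zero window probing and a lost window-update ACK (the connection hangs for good), probing with an honest peer (the next probe draws an ACK that reopens the window), probing against a peer that answers every probe with a zero window, and the same with a cap on time spent in the persist state, which is the selective abort the post calls for. The persist timer values and the 300 s cap are assumptions, not numbers from the post.

```python
# Added example (not from the original post): a minimal model of a TCP sender's
# persist state. Timer values and the abort cap below are assumptions.

PERSIST_MIN = 5.0    # first probe 5 s after the window closes (assumed)
PERSIST_MAX = 60.0   # probe interval doubles up to this cap (assumed)


class Peer:
    """The receiver: answers each persist probe with its current window.
    The last value in `windows` repeats forever, so [0] models an attacker
    that never reopens the window."""

    def __init__(self, windows):
        self.windows = list(windows)

    def answer_probe(self):
        if len(self.windows) > 1:
            return self.windows.pop(0)
        return self.windows[0]


class Sender:
    def __init__(self, peer, probing=True, max_persist=None):
        self.peer = peer
        self.probing = probing
        self.max_persist = max_persist   # None: no cap, the hang the post warns of
        self.state = "ESTABLISHED"
        self.now = 0.0
        self.window = 65535              # peer's last advertised window
        self.persist_since = None        # when the window went to zero
        self.next_probe = None
        self.backoff = PERSIST_MIN
        self.probes_sent = 0

    def receive_ack(self, window, lost=False):
        """Process an ACK advertising `window`; a lost ACK is simply never seen."""
        if lost or self.state != "ESTABLISHED":
            return
        self.window = window
        if window == 0:
            if self.persist_since is None:       # entering persist state
                self.persist_since = self.now
                self.backoff = PERSIST_MIN
                self.next_probe = self.now + self.backoff if self.probing else None
        else:                                    # window reopened: leave persist state
            self.persist_since = None
            self.next_probe = None

    def run(self, seconds, step=1.0):
        """Advance the clock, firing persist probes and the abort cap as they come due."""
        end = self.now + seconds
        while self.now < end and self.state == "ESTABLISHED":
            self.now += step
            if self.persist_since is None:
                continue
            if self.max_persist is not None and self.now - self.persist_since >= self.max_persist:
                self.state = "ABORTED"           # RST the peer, free buffers and socket
                break
            if self.next_probe is not None and self.now >= self.next_probe:
                self.probes_sent += 1
                self.backoff = min(self.backoff * 2, PERSIST_MAX)
                self.next_probe = self.now + self.backoff
                self.receive_ack(self.peer.answer_probe())   # a probe elicits an ACK
        return self.state


def simulate(probing, peer_windows, max_persist=None, seconds=3600):
    """Window closes, the ACK that would reopen it is lost, then `seconds` pass."""
    s = Sender(Peer(peer_windows), probing=probing, max_persist=max_persist)
    s.receive_ack(0)                 # receiver's buffer is full: zero window
    s.receive_ack(8192, lost=True)   # the window update that reopens it is lost
    s.run(seconds)
    return {"state": s.state, "window": s.window, "probes": s.probes_sent,
            "stuck": s.persist_since is not None, "elapsed": s.now}


if __name__ == "__main__":
    print("no probing, honest peer :", simulate(False, [8192]))
    print("probing, honest peer    :", simulate(True, [8192]))
    print("probing, hostile peer   :", simulate(True, [0]))
    print("probing + 300 s cap     :", simulate(True, [0], max_persist=300))
```

Which connections to abort is a policy decision; the model only makes the time budget explicit. The cap has to be longer than any pause a legitimate client might take before draining its receive buffer, and shorter than the time an attacker needs to exhaust your sockets at the connection rate you allow.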

Verify LDAP traffic encryption with Wireshark
25 March 2010

Assuming you’ve already installed and configured your directory to use TLS encryption, you should verify that LDAP is working as you expect before you start streaming passwords and other important data across the wire. You can use Wireshark and its full-blown GUI, but it’s faster just to fire up tethereal (now called tshark) for this test.
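The following added example (mine, not code from the post) shows in code what you are looking for in the tshark decode. It parses just enough LDAP BER to tell a simple bind, whose password is readable on the wire, from a StartTLS extended request, recognises a TLS record, and then passes judgement on one client's flow. The sample messages are constructed here; the DN, password and ports are made up for the demo.

```python
# Added example (not from the original post): classify what an LDAP client
# sends so that a cleartext simple bind stands out. The sample messages below
# are constructed for the demo.

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def tlv(tag, value):
    """Encode one BER TLV with a definite length (used to build the samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos:]; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify(payload):
    """Label the first message in a TCP payload, the way tshark would decode it."""
    if len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03:
        return ("tls", "record type 0x%02x" % payload[0])
    if not payload or payload[0] != 0x30:    # LDAPMessage ::= SEQUENCE
        return ("unknown", "")
    _, msg, _ = read_tlv(payload)
    _, _msgid, p = read_tlv(msg)             # messageID INTEGER
    op_tag, op, _ = read_tlv(msg, p)         # protocolOp CHOICE
    if op_tag == 0x60:                       # bindRequest [APPLICATION 0]
        _, _ver, p = read_tlv(op)            # version INTEGER
        _, name, p = read_tlv(op, p)         # name LDAPDN
        auth_tag, cred, _ = read_tlv(op, p)  # authentication CHOICE
        if auth_tag == 0x80:                 # simple [0] OCTET STRING: password in the clear
            return ("cleartext-simple-bind", "%s / %s" % (name.decode(), cred.decode()))
        return ("sasl-bind", name.decode())  # sasl [3] SaslCredentials
    if op_tag == 0x77:                       # extendedReq [APPLICATION 23]
        name_tag, oid, _ = read_tlv(op)      # requestName [0] LDAPOID
        if name_tag == 0x80 and oid == STARTTLS_OID:
            return ("starttls-request", oid.decode())
        return ("extended-request", oid.decode())
    return ("ldap-other", "op tag 0x%02x" % op_tag)


def audit(flow):
    """flow: one client's payloads on a connection, in order, as (dst_port, bytes).
    Passes only if no password crossed in the clear and TLS was actually seen."""
    labels = [classify(payload)[0] for _, payload in flow]
    encrypted = "tls" in labels
    if flow and flow[0][0] == 636:           # LDAPS: TLS from the first byte
        encrypted = labels[0] == "tls"
    return ("cleartext-simple-bind" not in labels and encrypted, labels)


# Constructed samples (RFC 4511 encodings); credentials are made up.
def bind_request(msgid, dn, password):
    op = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x60, op))


def starttls_request(msgid):
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


# A TLS record header followed by the start of a ClientHello (truncated).
TLS_CLIENT_HELLO = bytes.fromhex("160301002a0100002603030000")

BAD_FLOW = [(389, bind_request(1, b"cn=admin,dc=example,dc=com", b"hunter2"))]
GOOD_389 = [(389, starttls_request(1)), (389, TLS_CLIENT_HELLO)]
GOOD_636 = [(636, TLS_CLIENT_HELLO)]

if __name__ == "__main__":
    for name, flow in (("plain 389", BAD_FLOW), ("starttls 389", GOOD_389), ("ldaps 636", GOOD_636)):
        print(name, audit(flow), [classify(p)[1] for _, p in flow])
```

In a real capture the same three outcomes are what to look for: on port 636 nothing but TLS records, on port 389 an extended request carrying OID 1.3.6.1.4.1.1466.20037 followed by TLS records, and never a bindRequest whose simple credentials are readable in the decode.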

Exploitable Adobe Download Manager
22 February 2010

Think of all the software you install on your computer as windows on a battle tank. Every app is another window where armor used to be. The next time you get hit with a virus, the chance that it’s aimed at one of your windows just increased.

Compress dd backups with sha1sum checksum
19 February 2010

Instead of storing whole dd images, even if they’re just backups of small partitions, you can save space and bandwidth by piping dd into a compression utility like gzip. You can then decompress the files straight into sha1sum to get a checksum of what you just backed up.
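As an added example, not from the post, here is the same dd | gzip | sha1sum idea done with Python's streaming I/O so it can be run against a constructed stand-in for a partition. It hashes the raw bytes on their way into the archive (what `dd if=/dev/sdX1 | tee >(sha1sum) | gzip` does in the shell), so the device is read only once, and then verifies the archive by decompressing it straight into the hash as the post describes. The device path, sizes and file names are constructed for the demo.

```python
# Added example (not from the original post): stream a "partition" into a gzip
# archive while hashing it, then verify the archive without ever writing the
# decompressed image to disk. Paths and sizes are constructed for the demo.
import gzip
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20   # 1 MiB reads, like dd bs=1M


def backup(device, archive):
    """Stream `device` into a gzip archive; return the SHA-1 of the raw input.
    Hashing while copying means the device is read exactly once."""
    h = hashlib.sha1()
    with open(device, "rb") as src, gzip.open(archive, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    digest = h.hexdigest()
    with open(archive + ".sha1", "w") as f:          # same layout `sha1sum -c` expects
        f.write("%s  %s\n" % (digest, os.path.basename(device)))
    return digest


def verify(archive):
    """Decompress the archive straight into SHA-1 (no temporary image) and
    compare with the recorded digest. Corruption of the archive, or a bad
    read from the device at backup time, shows up as False."""
    with open(archive + ".sha1") as f:
        expected = f.read().split()[0]
    h = hashlib.sha1()
    try:
        with gzip.open(archive, "rb") as src:
            for chunk in iter(lambda: src.read(CHUNK), b""):
                h.update(chunk)
    except Exception:        # gzip CRC/length failure, zlib error or truncated stream
        return False
    return h.hexdigest() == expected


def demo():
    """Back up a constructed 'partition', verify it, then tamper and re-verify."""
    tmp = tempfile.mkdtemp()
    try:
        device = os.path.join(tmp, "sdb1.img")           # stand-in for /dev/sdb1
        with open(device, "wb") as f:
            f.write(b"\x00" * (4 << 20))                 # unused space compresses well
            f.write(os.urandom(256 << 10))               # file data mostly does not
        archive = os.path.join(tmp, "sdb1.img.gz")
        digest = backup(device, archive)
        clean = verify(archive)
        with open(archive, "r+b") as f:                  # flip one byte mid-archive
            f.seek(os.path.getsize(archive) // 2)
            b = f.read(1)
            f.seek(-1, os.SEEK_CUR)
            f.write(bytes([b[0] ^ 0xFF]))
        tampered = verify(archive)
        return {"digest": digest, "raw_bytes": os.path.getsize(device),
                "gz_bytes": os.path.getsize(archive), "clean_ok": clean,
                "tampered_ok": tampered}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

The digest file is written in sha1sum's own two-column format, so the archive can also be checked later from the shell with `zcat sdb1.img.gz | sha1sum` against the recorded value.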

Steganography with a deck of playing cards
16 February 2010

Steganography is the art and science of hiding messages from everyone apart from the sender and intended recipient. There are a lot of ways to order a 52-card deck (52!, roughly 8 × 10^67, or about 225 bits). You can hide a message by putting the cards in a particular order. The only thing missing to take this from an obscure message to a secure one is a password, or pre-shared key, that serves as the agreed upon starting order of the deck.
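As an added example (my code, not the post's), here is one concrete way to do this: the message is turned into an integer, and that integer is mapped to a deck ordering relative to a keyed starting order using the Lehmer code (factorial number system) for ranking permutations. Deriving the starting order from a passphrase with a seeded shuffle, the card names and the one-byte length prefix are my choices, not something the post specifies.

```python
# Added example (not from the original post): hide up to 27 bytes in the order
# of a 52-card deck, relative to a starting order derived from a passphrase.
import hashlib
import math
import random

RANKS = "A23456789TJQK"
SUITS = "SHDC"
DECK = [r + s for s in SUITS for r in RANKS]          # the 52 cards in factory order
CAPACITY = int(math.log2(math.factorial(52))) // 8    # 28 bytes fit in one deck
PAYLOAD = CAPACITY - 1                                # one byte is spent on the length


def keyed_order(passphrase):
    """The agreed starting order: the deck shuffled by a PRNG seeded from the key."""
    seed = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
    deck = DECK[:]
    random.Random(seed).shuffle(deck)
    return deck


def unrank(n, start):
    """Lehmer code: turn 0 <= n < 52! into an ordering of the cards in `start`."""
    pool, order = list(start), []
    for remaining in range(len(pool), 0, -1):
        idx, n = divmod(n, math.factorial(remaining - 1))
        order.append(pool.pop(idx))
    return order


def rank(order, start):
    """Inverse of unrank: recover n from the deck as dealt, given the starting order."""
    pool, n = list(start), 0
    for card in order:
        idx = pool.index(card)
        n = n * len(pool) + idx
        pool.pop(idx)
    return n


def hide(message, passphrase):
    """Encode `message` (bytes) as a deck ordering under `passphrase`."""
    if len(message) > PAYLOAD:
        raise ValueError("message exceeds %d bytes" % PAYLOAD)
    block = bytes([len(message)]) + message
    block += b"\x00" * (CAPACITY - len(block))        # zero pad to a full block
    return unrank(int.from_bytes(block, "big"), keyed_order(passphrase))


def reveal(order, passphrase):
    """Recover the message from a deck ordering; fails if the key does not fit."""
    n = rank(order, keyed_order(passphrase))
    if n >= 1 << (8 * CAPACITY):
        raise ValueError("deck order does not decode under this key")
    block = n.to_bytes(CAPACITY, "big")
    length = block[0]
    if length > PAYLOAD:
        raise ValueError("deck order does not decode under this key")
    return block[1:1 + length]


if __name__ == "__main__":
    deck = hide(b"meet at dawn", "correct horse")
    print(" ".join(deck))
    print(reveal(deck, "correct horse"))
```

Whoever intercepts the deck without the passphrase sees a permutation and nothing else; with it, rank() turns the deck back into the integer and the message. The integer is 28 bytes because 2^224 is below 52!, so every padded block maps to a valid ordering.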

SSH Captchas and Man In The Middle Attacks
5 February 2010

I can see a use for this type of attack for getting around captchas. If I host a web page that gives you access to download free mp3s, and all you have to do is complete a captcha to get it, what if I get that captcha from another site? I mean, when you load my page, I load the site I want to attack and show you their captcha instead?! That would basically make you my captcha-cracking conscript!

Securing MySQL Server is Easy
4 February 2010

The default out-of-the-box installation should delete the anonymous users and disallow remote root logins completely, but it doesn’t. At least all you have to do is run the mysql_secure_installation script to do so.

Pick Combination Padlocks Like a Pro
27 January 2010

First you’ll narrow the possible combinations from 64,000 down to 100. But you don’t have to try each of those 100 combos. There’s a simple procedure you go through to figure out the actual combination in a matter of minutes. Or just make a shim out of a coke can and pop it open in two seconds. Now that you know a simple combo padlock is basically just a deterrent, you shouldn’t ever use one to lock up anything of real value.

IANA set to run out of IPv4 Addresses in 2011
25 January 2010

The interesting part is that 1/8 (the 1.0.0.0/8 block) was just allocated. That’s hard to look at without reading it as one-eighth. IANA predicts all address blocks will be completely assigned by late 2011. I guess the real switch to IPv6 will be a forced one after all.

Daemon - techno thriller novel by Daniel Suarez
5 January 2010

Daniel Suarez’s book, “Daemon”, just released December 29th, 2009, is a great read. I picked it up in an airport over the weekend and couldn’t put it down. I’m not an avid recreational reader. I only pick up a work of fiction about every three months or so. Sometimes I …

Page 2 of 6
Powered by Wordpress   |   Lunated designed by ZenVerse