From owner-freebsd-security@FreeBSD.ORG Mon Aug 18 04:53:04 2003
From: xskoba1@kremilek.gyrec.cz
To: freebsd-security@freebsd.org
Date: Mon, 18 Aug 2003 13:34:54 +0200 (CEST)
Subject: question about routing, firewall, natd and bridge

Hello there,

I had to change the provider. And after that my public IP addresses are routed straight through the FreeBSD box. What is the best way to do it?

I personally did it the way where there is a localnet alias for every interface, e.g.

ifconfig_ed0="inet 62.168.40.188 netmask 255.255.255.252 broadcast 62.168.40.191"

After that there is the local interface 192.168.1.1/255 and its alias 172.16.0.1/255, and then

route add -host 62.168.40.190 172.16.0.251   # it is a public and local IP address of that host...

but /var/log/kern.log is still claiming a warning

arplookup 62.168.40.190 failed: host is no on local network...

Is it the correct way to do a route (especially if I want to have a firewall with ipfw, natd and bridge or not?)

Yours sincerely,
Karel Rous

From owner-freebsd-security@FreeBSD.ORG Sat Aug 16 02:29:21 2003
From: Kent Hauser
To: Christian Kratzer
Cc: security@freebsd.org, questions@freebsd.org
Date: Fri, 15 Aug 2003 23:29:17 -1000
Subject: dynamic IPSEC: Holy grail sighted

Hi,

Thanks to some pointers from Christian Kratzer, I am now able to join the office VPN from a random WiFi hotspot.

With the configuration file changes detailed below, from a public WiFi hotspot I can now use this 3 step procedure to login to the office VPN.

1) While at hotspot, boot up my -STABLE laptop.
2) Insert wireless card.
3) "rsh server"

This procedure works for a DHCP assigned private address translated by NAT at the hotspot to an unknown public address. The office VPN server is also behind a NAT firewall & uses private network addresses with a *dynamically* assigned public address. In other words, it's about as complicated as you can get (I think).

Three pieces of software must be configured for this to work. First, "racoon" is used to exchange keys and security policies. Second, "DHCP" is configured to install security policies & alias the remote's interface with the remote's VPN address. Finally, the office router is set up to use DDNS (see dyndns.org) so that the office dynamic IP address can be found from a fixed DNS name.

First, racoon configuration. The office router must be programmed to pass port 500 to the server for racoon negotiation. The office server is set to "listen" and "generate policy". This means that the policy proposed by the remote is inserted in the server's tables. There is a question of trust involved here I will not address. Also, my example uses "shared private keys", but there are plenty of examples of cert-based racoon, etc. The mods for my remote racoon conf are merely timers.

Second, DHCP on the remote is configured using "/etc/dhcp-exit-hooks" and "/etc/dhcp.conf". The file "/etc/dhcp-exit-hooks" is executed by DHCP whenever an address is assigned. My "dhcp-exit-hooks" script (below) is a poorly written combination "perl" & "sh" script which translates DNS names to numbers & creates a security policy which is installed in the kernel by "setkey". I did the perl part in perl so that I could translate DNS names to numbers for setkey (see above: my server public address has static name but dynamic number).
The "server" definitions at the head of the script should probably go in "/etc/rc.conf" in a production environment.

Finally, DHCP is also configured to alias the private VPN address on the WiFi interface. This causes the kernel to use the correct source address on VPN packets. In a production environment, the "dhcp-exit-hooks" script should probably set up a GIF interface for this purpose to eliminate the need for the "dhcp.conf" file.

After all this is done, "setkey -PD" on the remote shows packets from the remote's VPN address to the VPN network travelling thru a tunnel from the WiFi dynamic address to the office's public address. A "setkey -PD" on the server shows packets from the VPN network to the remote passing thru a tunnel from the server's private address to the WiFi hotspot's public address (obviously racoon magic). AH & ESP are negotiated. I haven't checked if the server sets up a proxy arp for the remote -- but this is standard VPN fare.

One final thing. Everything's screwed up if the WiFi hotspot chooses the same private network address as the office VPN. FWIW, I would recommend VPNs use the reserved class-B addresses (172.16->171.31) instead of the more common 192.168 & 10 (both of which I've seen in hotspots & hotels). I've never seen an address in the Class-B range assigned by a public server.

That's it. Comments appreciated. And if anyone knows perl & wants to clean up my mess, pls send me a copy.

Cheers.
Kent

[Attachment: dhclient.conf]

# $FreeBSD: src/etc/dhclient.conf,v 1.2.2.1 2001/12/14 11:44:31 rwatson Exp $
#
# This file is required by the ISC DHCP client.
# See ``man 5 dhclient.conf'' for details.
#
# In most cases an empty file is sufficient for most people as the
# defaults are usually fine.
#

alias {
    interface "wi0";
    fixed-address 192.168.101.50;
}

From owner-freebsd-security@FreeBSD.ORG Mon Aug 18 07:08:27 2003
From: The Anarcat
To: Kent Hauser
Cc: Christian Kratzer, questions@freebsd.org, security@freebsd.org
Date: Mon, 18 Aug 2003 10:08:05 -0400
Subject: Re: dynamic IPSEC: Holy grail sighted

I don't some of the attachments you intended to send (raccoon.conf? perl script?)
didn't get through the list.

I would be very interested to read those, if you don't mind sharing them...

Thanks,

A.

--
Advertisers, not governments, are the primary censors of media content in the United States today.
  - C. Edwin Baker
http://www.ad-mad.co.uk/quotes/freespeech.htm

From owner-freebsd-security@FreeBSD.ORG Mon Aug 18 08:16:18 2003
From: Christian Kratzer
To: freebsd-security@freebsd.org
Date: Mon, 18 Aug 2003 17:16:10 +0200 (CEST)
Subject: Re: dynamic IPSEC: Holy grail sighted

Date: Mon, 18 Aug 2003 17:09:54 +0200 (CEST)
From: Christian Kratzer
To: The Anarcat
Cc: Kent Hauser, security@freebsd.org, questions@freebsd.org
Subject: Re: dynamic IPSEC: Holy grail sighted

Hi,

On Mon, 18 Aug 2003, The Anarcat wrote:

> I don't some of the attachments you intended to send (raccoon.conf?
> perl script?) didn't get through the list.
>
> I would be very interested to read those, if you don't mind sharing
> them...

we run the following scripts

1. run lookup-peers.sh from cron every 3 minutes to resolve the peers listed in /usr/local/etc/peers.in

2. diff the results to the results of the previous run and run update-ipsec.sh if changed to generate new ipsec.conf from ipsec.conf.m4 using the m4 macro processor ( yes we use m4 for just about everything ;-) )

3. update-ipsec.sh installs the new policy but purposely keeps the already handshaked associations in place so as not to hang connections unnecessarily

You also need something else to update your dyndns setup. This is left as an exercise to the reader.

The following scripts are freshly pasted out of our live setup and somewhat obfuscated so there might still be something missing. Especially the ipsec.conf.m4 will need adapting to your setup and to the specific host in question.

Greetings
Christian

--- peers.in ---
peera peera.yourfavourite-dyndns-provider.com
peerb peerb.yourfavourite-dyndns-provider.com
peerc peerc.yourfavourite-dyndns-provider.com
--- peers.in ---

--- lookup-peers.sh ----
#!/bin/sh

SRC=/usr/local/etc/peers.in     # list of "name hostname" pairs
DST=/tmp/peers.m4               # m4 defines from the previous run
TMP=/tmp/peers.tmp              # m4 defines built by this run
DYNINT=tun0                     # interface carrying our own dynamic address

AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
HOST=/usr/local/bin/host

if [ -f $TMP ]; then
    rm $TMP
fi

# our own current address becomes the m4 macro MYIP
MYIP=`$IFCONFIG $DYNINT | $AWK '/inet /{ print $2 }'`
echo "define(\`MYIP',\`$MYIP')dnl" >> $TMP

# resolve every peer and emit one m4 define per peer that answered
while read name host; do
    addr=`$HOST -W 3 $host | awk '/address/{ print $4 }'`
    if [ -n "$addr" ]; then
        echo "define(\`$name',\`$addr')dnl" >> $TMP
    fi
done < $SRC

if [ ! -f $DST ]; then
    touch $DST
fi

# compare against the previous run
diff $DST $TMP 2> /dev/null > /dev/null
if [ $? -ne 0 ]; then
    # ip addresses of peers changed
    mv $TMP $DST
    # trigger actions here
    /usr/local/libexec/update-ipsec.sh
fi
--- lookup-peers.sh ----

--- update-ipsec.sh ---
#!/bin/sh

# expand the macros, then load the resulting policy into the kernel
/usr/bin/m4 < /etc/ipsec.conf.m4 > /etc/ipsec.conf
/usr/sbin/setkey -f /etc/ipsec.conf
--- update-ipsec.sh ---

--- ipsec.conf.m4 --- (on host1)
define(`SRCNET1',`192.168.1.0/24')
define(`DSTNET2',`192.168.2.0/24')
define(`DSTNET3',`192.168.3.0/24')

# flush policy
spdflush;

# vpn tunnel from hosta to hostb
spdadd SRCNET1 DSTNET2 any -P out ipsec esp/tunnel/MYIP-hostb/require ;
spdadd DSTNET2 SRCNET1 any -P in ipsec esp/tunnel/hostb-MYIP/require ;

# vpn tunnel from hosta to hostc
spdadd SRCNET1 DSTNET3 any -P out ipsec esp/tunnel/MYIP-hostc/require ;
spdadd DSTNET3 SRCNET1 any -P in ipsec esp/tunnel/hostc-MYIP/require ;
--- ipsec.conf.m4 ---

Greetings
Christian

--
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de
Phone: +49 7452 889-135
Fax: +49 7452 889-136
Open Software Solutions, Network Security
FreeBSD spoken here!
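
A hardened variant of the define-generation and change-detection steps of lookup-peers.sh (the same DNS-name-to-number step Kent describes for setkey), as an added example that is not from either poster. Resolver output is accepted only when it is a plain macro name plus a dotted-quad IPv4 address before it is written into m4 defines, and the work files live in a caller-supplied private directory instead of fixed names in /tmp. The function names, the state-directory argument and the sample data are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not Christian's script. Function names and the state
# directory argument are hypothetical.

# Succeed only for a dotted quad: four octets, 0..255, no leading zeros.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeed only for a plain identifier that is safe as an m4 macro name.
is_macro_name() {
    case "$1" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Read "name address" lines on stdin and print one m4 define per valid pair.
render_defines() {
    while read -r name addr rest; do
        if is_macro_name "$name" && is_ipv4 "$addr" && [ -z "$rest" ]; then
            printf "define(\`%s',\`%s')dnl\n" "$name" "$addr"
        else
            echo "skipping entry '$name': not a name and IPv4 address" >&2
        fi
    done
}

# $1 = file of resolved "name address" lines, $2 = root-only state directory.
# Returns 0 when peers.m4 changed (caller reloads the policy), 1 when not.
refresh_peers() {
    tmp=$(mktemp "$2/peers.XXXXXX") || return 2
    render_defines < "$1" > "$tmp"
    if [ -f "$2/peers.m4" ] && cmp -s "$tmp" "$2/peers.m4"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$2/peers.m4"
}

# Constructed resolver results: two usable peers and two malformed answers.
sample_resolved() {
    cat <<'EOF'
peera 192.0.2.10
peerb 198.51.100.7
peerc 300.1.1.1
peerd 192.0.2.30'x
EOF
}

if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d) && sample_resolved > "$dir/resolved"
    refresh_peers "$dir/resolved" "$dir" && cat "$dir/peers.m4"
fi
```

From cron, the policy reload would run only when refresh_peers returns 0, which is the point where the original script calls /usr/local/libexec/update-ipsec.sh.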

From owner-freebsd-security@FreeBSD.ORG Wed Aug 20 07:58:11 2003
From: Brett Glass
To: Kent Hauser, Christian Kratzer
Cc: security@freebsd.org
Date: Wed, 20 Aug 2003 08:57:44 -0600
Subject: Re: dynamic IPSEC: Holy grail sighted

At 03:29 AM 8/16/2003, Kent Hauser wrote:

>I've never seen an address in the Class-B range assigned by a public server.

We do, specifically so that people with VPNs that use 10.x.x.x and 192.168.x.y can tunnel back to their home networks.

--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Fri Aug 22 10:05:23 2003
From: "Kenzo"
Date: Fri, 22 Aug 2003 12:05:23 -0500
Subject: rootkit

I ran chkrootkit and this is what I got. Should I worry or is this normal? I'm running 4.8.

Thanks.

Checking `wted'...
3 deletion(s) between Sat Jun 26 18:10:21 2027 and Sun Mar 24 04:27:12 2024
4 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024
5 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024
1 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024
1 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024
2 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024
5 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024
8 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024
7 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024
1 deletion(s) between Sun Mar 24 04:27:12 2024 and Fri Jan 19 14:33:04 1996
6 deletion(s) between Fri Jan 19 14:33:04 1996 and Sun Mar 24 04:27:12 2024
6 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024
2 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024
nothing deleted
Checking `w55808'... not infected
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'...
wtmp entry may be corrupted
nothing deleted

From owner-freebsd-security@FreeBSD.ORG Fri Aug 22 14:41:52 2003
From: Santos
To: freebsd-security@freebsd.org
Date: Fri, 22 Aug 2003 22:41:51 +0100
Subject: Security article on The Inquirer

The title is "Microsoft cerebrates fifteen years of poor security". But it's about more than Microsoft's security. It talks about buffer overflows, memory separation, OpenBSD's data "canary", etc.

I think it's a good read for anyone interested in this kind of stuff.

http://www.theinquirer.net/?article=11108

Santos