Am 14.09.2015 um 21:12 schrieb James Knott:

On 09/14/2015 03:07 PM, Daniel Bauer wrote:

...

and there are 6 "Wireless Clients - Authenticated stations"; 3 of the Mac-Addresses correspond to the ones in "DHCP clients", of the other 3 I don't know nothing...

As I suspected. Either disable WiFi or use WPA2 with a new password.

Yes, I'll change the password. I was just keen on finding out what happens, before I'll do it.

BTW, is this your router or the ISPs?

It's the router the ISP provides. -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On September 14, 2015 4:14:16 PM EDT, Daniel Bauer wrote:

...

On 09/14/2015 03:07 PM, Daniel Bauer wrote:

...

and there are 6 "Wireless Clients - Authenticated stations"; 3 of

Am 14.09.2015 um 21:12 schrieb James Knott: the

...

...

Mac-Addresses correspond to the ones in "DHCP clients", of the other 3 I don't know nothing...

As I suspected. Either disable WiFi or use WPA2 with a new password.

Yes, I'll change the password. I was just keen on finding out what happens, before I'll do it.

...

BTW, is this your router or the ISPs?

It's the router the ISP provides.

Semi-off-topic, but this thread reminds me about Comcast's rather unique WiFi offering. The have millions of wireless routers around the country in people's homes and businesses. They got the rather unique idea that they could make them all advertise the "xfinity" SSID, then let any of their customers use any of their wireless routers. Thus I can log into literally millions of residential wireless routers using my comcast credentials. Comcast knows it's me and tracks my bandwidth and charges it against my monthly allotment regardless of which router i'm using. It's actually a pretty cool setup. I've been at friends houses and jumped on their wireless router without ever asking them for their credentials. I'd guess that about 50% of the time I'm sitting at a red light, my tablet grabs a xfinity WiFi connection and pulls down the latest emails. Greg -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Tue, 15 Sep 2015, Per Jessen wrote:

greg.freemyer@gmail.com wrote:

...

Semi-off-topic, but this thread reminds me about Comcast's rather unique WiFi offering. The have millions of wireless routers around the country in people's homes and businesses.

They got the rather unique idea that they could make them all advertise the "xfinity" SSID, then let any of their customers use any of their wireless routers. Thus I can log into literally millions of residential wireless routers using my comcast credentials. Comcast knows it's me and tracks my bandwidth and charges it against my monthly allotment regardless of which router i'm using.

UPC Cablecom (Liberty Global) does the same here. AFAIK (I am not a cablecom customer), given customer permission, their routers have two SSIDs, one for the customer, one for all other cablecom customers. Quite clever.

The biggest cable company in the Netherlands does it as well. At first they were UPC and Ziggo separate, but those companies merged. It started out back in the day with the FON network. Fon tried to strike deals with telco's, and was successful in Portugal/Spain, Belgium and the UK (among others perhaps). In the UK BT (British Telecom) offered a Fon service for its customers which meant that I could also log into it using my Fon credentials (friend tested it for me). In the Netherlands most companies stayed away from Fon and created their own solution/network. Personally I don't like it because I never was the one who decided that I'd share my wifi and these routers downloading updates from centralized servers is a security risk. But even Fon went out the door with me, I just 'hacked' their cheap router and put OpenWRT on it :p. Sharing wifi may be nice but if you never know who you are sharing with, it is not really a "sharing" experience. Fon tried to turn it into a sunny community -- : become a Fonero!!!. And it was interesting particularly because it was a bit of a 'grass roots movement' or at least had the feel of it. And you could earn money with it, if you had a busy spot. The service was available to non-members for a small payment. In the end it was a nice idea but if it's not even opt-in I don't want it. In the UPC modem/router you can turn the service off, but actually it is turned off remotely and your thing "knows" about your choice apparently. It's a chance on building community but this way there is no community at all, just bragging rights for the cable company.

-- Per Jessen, Zürich (15.9°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-09-15 11:27, Per Jessen wrote:

Xen wrote:

...

Personally I don't like it because I never was the one who decided that I'd share my wifi and these routers downloading updates from centralized servers is a security risk.

I think the two SSIDs basically take of any concerns wrt privacy and sharing. I could imagine some issue wrt load balancing and abuse, but even elderly Zyxel routers had some basic traffic control. I imagine modern boxes to be more sophisticated.

I think ONO in Spain does the same. I think it is opt-in here, but I haven't looked carefully at the config (I have access to one some times). I suppose it uses two SSIDs and isolation, so that the passerby would not have access to the house clients. I think the company keeps track of passerbys bandwidth usage somehow, because there is a limit. But the wireless being one device, there could be issues when some one (in or out house) demands a fast download. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX39UoACgkQja8UbcUWM1xIbwEAjaRvF6I7Ga8+odYGJY1SAP0i VuxePUvkHI3xLR8A7xoBAIXFM+bfRQrvfL8WWucERn0224f7SxvxAs83WLKDWJnS =y55k -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

...

In the end it was a nice idea but if it's not even opt-in I don't want it.

I think it is strictly opt-in in Switzerland, but as I am not a Cablecom customer, I don't know for certain.

I think Comcast is opt-out. But even before that you have to have Comcast internet to your house, plus a Comcast provided wireless router. I'm a customer at home and work, but neither have a Comcast wireless router. Greg -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Hi, thanks for your input! I changed the WiFi password, and all those suspicious IP's are gone... However, for testing the new pwd, I connected with my cellular, disconnected - and now, more than 2 hours later, it's IP is still shown on the routers page. In the DHCP stats it tells me that it will be refreshed in 42thousand-something seconds... So maybe those IP's that showed as "connected" in fact only have been connected long time ago, which is possible, because I had a visit the night before who used an iphone and a dont-know-tablet. Anyway it's weird, that those IPs showed up during more than 24hrs (they were still shown this morning)... I'll see what happens with the new password. thanks to all of you! Daniel Am 14.09.2015 um 21:07 schrieb Daniel Bauer:

Am 14.09.2015 um 20:51 schrieb Daniel Bauer:

...

... Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who has not the slightest idea of how networks work?

Some more details:

my router tells me on the status page:

There are 3 "DHCP clients" (one is my computer, I guess I know the 2 other ones)

and there are 6 "Wireless Clients - Authenticated stations"; 3 of the Mac-Addresses correspond to the ones in "DHCP clients", of the other 3 I don't know nothing...

-- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-09-15 10:27, jdd wrote:

Le 15/09/2015 10:10, Daniel Bauer a écrit :

...

So maybe those IP's that showed as "connected" in fact only have been connected long time ago, which is possible, because I had a visit the night before who used an iphone and a dont-know-tablet.

Anyway it's weird, that those IPs showed up during more than 24hrs (they were still shown this morning)...

it's common around me with internet boxes. The IP is kept with the mac of the computer, and often even kept reserved, so once I couldn't connect because there where no more Ip available. It's probably to make the connection more convenient for visitors

Yes, the connection is remembered for some time. It is convenient for machines that connect intermittently, like a mobile phone or tablet.

I have now 29 computers in the box dhcp - including at least one never connected and other not connected since more than one year

A year? Wow. That's a long time to remember. Seems yours is set to never forget, and you did not reboot. Typical is one day. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX39oYACgkQja8UbcUWM1x3EQEAiL1SSlbhfoupinPQK10M9MZs Ll36uZSfMPNXxc26lvcBAIgAftAPunWBJAtHbIGOHRltphxKdiLVE/GsONTXHc6B =lPz0 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/14/2015 02:07 PM, Daniel Bauer wrote:

Am 14.09.2015 um 20:51 schrieb Daniel Bauer:

...

... Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who has not the slightest idea of how networks work?

Some more details:

my router tells me on the status page:

There are 3 "DHCP clients" (one is my computer, I guess I know the 2 other ones)

and there are 6 "Wireless Clients - Authenticated stations"; 3 of the Mac-Addresses correspond to the ones in "DHCP clients", of the other 3 I don't know nothing...

In addition to WPA, virtually all routers support mac address filter. Basically a lookup table of mac address that can be used to "Allow only those listed." to connect. You get the mac addresses for your wireless devices, enter those in the table, and turn the filter on and unless the mac address of a wireless device matches what you put in the table -- that device cannot connect. With WPA and a mac address filter, you can eliminate 99.99% of unwanted connections, even if you put your router in the middle of Times Square. (the other 0.01% are those the pentagon can't keep out and you are not going to keep out with normal routers...) -- David C. Rankin, J.D.,P.E. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-09-17 20:06, Daniel Bauer wrote:

Yes, I've seen that. Problem is that I want to offer my WiFi to visiting friends, and also to the guests of the room I rent. It would be very (too much) complicated to add the mac address each time...

Some routers provide a secondary SSID/Pass for guests. I don't know if they are in a different network segment or not. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX7B90ACgkQja8UbcUWM1wuuwD+Jsqc4sjiMKIn33wyYg9QsSDx K2ZQj0/nIpvdC7Xkea4BAJgjjNdU7ib6qed+QltoqjVTydcwo4PcU841VHWRMZfV =jv15 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/17/2015 02:35 PM, Carlos E. R. wrote:

Some routers provide a secondary SSID/Pass for guests. I don't know if they are in a different network segment or not.

Guest access tends to allow access to the Internet only. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/18/2015 02:16 AM, Per Jessen wrote:

...

...

visiting friends, and also to the guests of the room I rent. It would be very (too much) complicated to add the mac address each time... Alternatively, you could make the SSID invisible, your friends would

Yes, I've seen that. Problem is that I want to offer my WiFi to then need to type it in once.

That's another thing that doesn't provide much security. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Fri, 18 Sep 2015, Per Jessen wrote:

James Knott wrote:

...

On 09/18/2015 02:16 AM, Per Jessen wrote:

...

...

...

visiting friends, and also to the guests of the room I rent. It would be very (too much) complicated to add the mac address each time... Alternatively, you could make the SSID invisible, your friends would

Yes, I've seen that. Problem is that I want to offer my WiFi to then need to type it in once.

That's another thing that doesn't provide much security.

Well, he's not looking for a lot of securitys, so it's fits the bill. Unless there is an easy way of determining unadvertised SSIDs ?

I once read of a tool that could download/offload lists of previously used SSIDs from mobile devices themselves. Never seen it, never heard it, never used it, so can't be sure. But apparently it was very well possible and this information was just leaked by devices (not even by APs). Once you know the name of an SSID/ap you can pretend to be it and usually the mobile device will hand you over its password, so now you have the password to the router/ap. Then you can just offer each SSID in turn and take every password that is offered to you. There is no security in this, no verification at all. But still I would take security by obscurity over no security any time. Any time at all. Obscurity is a good measure and you can complement it with whatever measure you have in place (security by access token). -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/18/2015 12:29 PM, Xen wrote:

But still I would take security by obscurity over no security any time.

Security by obscurity is no security. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Am 18.09.2015 um 23:57 schrieb James Knott:

On 09/18/2015 12:29 PM, Xen wrote:

...

But still I would take security by obscurity over no security any time.

Security by obscurity is no security.

I guess, apart from my suse firewall, I have no security. For a non-expert (or even the contrary of an expert), and somebody who doesn't want to spend money in more devices, things are not understandable. I have never found a how-to-website, that clearly says: do this 1, then this 2, then this, and explains why - without using tons of words I've never heard before, that informs about the drawbacks and that is so serious, that I don't get the feeling, in following its advices I am exactly opening access to this specific site or ruining my system, especially since most things have to be done as root. Probably it is not even possible to set up such a how-to, thinking about all the different systems, routers... So for people like me, the only hope is that the firewall as set up by default when installing the system and using strong passwords, is enough to protect me from a disaster... Maybe I could call this "security by luck". -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/19/2015 06:36 AM, James Knott wrote:

that's probably because it's such a wide filed.

Sorry, typo. I hadn't had my morning beer yet. ;-) That should be "That's probably because it's such a wide field". -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/19/2015 05:00 AM, Carlos E. R. wrote:

Hiding the SSID is not a serious security measure, but it hinders many intruders, those not determined enough. If used with other measures, it helps a bit.

Same goes for MAC filters.

Exactly. Hiding those things keeps out 5 nines (99.999%) of the wifi freeloaders. The rest you aren't going to keep out anyway, but unless you live near a serious hacker you simply don't need to worry about them. That said, WPA2 and a longish password seems good enough for me. - -- After all is said and done, more is said than done. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlX9tUQACgkQv7M3G5+2DLJejwCeM0G3AJnf5wIZwRuZXxf9DS3Y QfQAnAtrzdSSc/Wz/7uz3GEMWD6/1TQH =LeTQ -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/19/2015 12:24 PM, Xen wrote:

On Sat, 19 Sep 2015, John Andersen wrote:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 09/19/2015 05:00 AM, Carlos E. R. wrote:

...

Hiding the SSID is not a serious security measure, but it hinders many intruders, those not determined enough. If used with other measures, it helps a bit.

Same goes for MAC filters.

Exactly. Hiding those things keeps out 5 nines (99.999%) of the wifi freeloaders.

The rest you aren't going to keep out anyway, but unless you live near a serious hacker you simply don't need to worry about them.

Yeah. And I do know how to hack a WPA2 signal (the tutorials are there) but I do not know how to find an unadvertized SSID. So there you have it. Maybe if you can hook onto a key exchange / connection setup, you can find out. But I don't yet know if it is possible. So there you have it. You are protected against me :p.

Yes, I am protected against you. You see, WIFI is by design a short range system. So, me, sitting in Washington State, need only worry about the immediate vacinity of 300 meters or so, and I don't need to worry about some wifi interloper located in Amsterdam or some such place. -- After all is said and done, more is said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/19/2015 03:37 PM, John Andersen wrote:

Yes, I am protected against you.

You see, WIFI is by design a short range system. So, me, sitting in Washington State, need only worry about the immediate vacinity of 300 meters or so, and I don't need to worry about some wifi interloper located in Amsterdam or some such place.

I guess you didn't watch the last few episodes of "The Last Ship" where the bad guys set up a Bluetooth network that covered much of the U.S.. ;-) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

This is amazing. Thank you so much. On Sat, 19 Sep 2015, Brandon Vincent wrote:

When you hide the SSID on your router/access point, the access point sends out beacon frames that have the SSID set to a null value. When your computer or other device wants to connect to a wireless network with a hidden SSID, it has to issue a probe request that contains the SSID of the hidden network. Your access point now responds with the information required for your device to connect. So when devices are establishing a connection with a hidden SSID, the SSID is leaked.

Hiding the SSID can actually decrease overall security because computers that are set to automatically connect to wireless networks are constantly sending probes with the SSID when looking for hidden SSIDs. When you set your computer to automatically connect to a non-hidden SSID, the computer only listens for the beacon frames from the access point your computer wants to connect to instead of having your computer will advertise what network it is searching for.

This makes it easy for individuals to spoof your router/access point (when the SSID is hidden) and cause your computer to connect to their network.

Are you confident that devices ordinarily don't do this? The reason I wrote my earlier post (that you responded to with equal amazing information) was because I have read of a journalist who went on a trip with a wifi hacker who demonstrated his skill. They sat down in a café or coffee shop and the guy put a little usb wifi device on the table covered by a newspaper or book. The device had a radio that he configured to broadcast the same SSID as the establishment they were at. Many devices connected to his AP instead of the real one and his computer started deciphering all of the communication between their devices and the internet. He had to do nothing else. The software started displaying passwords for email services and facebook and the like as they were sent by these devices to those services. I remember reading that "it is encrypted" but that equally it was painless to decipher it on the spot. His device just relayed the connections to the real SSID he was connected to (the real BSSID). He showed the journalist how he could now log into their facebok if he wanted to and he opened some of these pages (without logging in) and we saw the pictures of people sitting across the table etc. He could send them an email if he wanted to. He also said that his device would probe the devices for lists of SSIDs and we saw (e.g. on the journalist's phone) how the 'room' was being populated with those SSIDs by that device, ie. the device just posed as all of them simultaneously. I don't know or remember for what purpose.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2015-09-19 a las 14:36 -0700, Brandon Vincent escribió:

For a long time, Facebook, some financial institutions, and other major companies had login pages that were served via HTTPS (preventing disclosure of your username and password), but left other pages unencrypted. Anytime a user would request a webpage from these companies via an unencrypted channel, a portion of the session cookie that identified the user would be automatically sent by the browser. This allowed anyone to capture the session cookie generated during login and impersonate the user. An extension called Firesheep [1] used to do this automatically without requiring any expertise.

Ah! :-o So that's why! Thanks, very interesting tidbit. - -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX+n9UACgkQja8UbcUWM1wg1wD7BAmziKOUSJeVlYoE0BqK1/Hz sPoGsV2fUzl52nBY2vcBAJPWvgmZAFyxqBhaFy8bP7Rhw7eBtXxQEPQHl18dX6Dr =VcOJ -----END PGP SIGNATURE-----

On 09/19/2015 03:19 PM, John Andersen wrote:

That said, WPA2 and a longish password seems good enough for me.

You can go to www.grc.com and generate passwords like this: ANOFn]FCzpaKAJ%A,P)XiQ*]e{kMz"xvgiltX0aWWAYI)Of,3X:W6z`cy.zukU/ Try guessing that one. ;-) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/20/2015 08:08 AM, Carlos E. R. wrote:

That said... what is long enough? Or rather, optimal password length? (for wifi)

WPA2 supports up to 63 ASCII characters or 64 hex digits. 64 hex characters are 256 bits, which happens to be the key size used. When using any number, up to 63, of ASCII characters, the password is converted to a 256 bit hash. One interesting fact about this is there are many more possible password combinations than possible hash values. So, you could have multiple passwords that would work, but it would be a huge job to find even one. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/20/2015 10:01 AM, Anton Aylward wrote:

If you prefere CLI, there is

$ openssl rand -base64 63

and example output

I have used ps aux|md5sum to generate a 32 digit hex string. You'd have to do that twice to create a 64 hex digit password for WPA2. Regardless, there's no reason to use easily guessed passwords such as "123456" as many on that Ashley Madison did. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/20/2015 01:32 PM, Carlos E. R. wrote:

Is it possible to enter Hex passwords as such?

I would expect that anything that accepts alpha-numeric characters would accept hex. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/20/2015 04:43 PM, Carlos E. R. wrote:

...

...

Is it possible to enter Hex passwords as such?

I would expect that anything that accepts alpha-numeric characters would accept hex.

I mean whether I can just type the hex password in the entry field, and whatever will know that I'm typing hex, not ascii. Be it network manager, wicd, android, etc.

That would depend on what needs the passwords. WiFi gear generally accepts either. My access point will accept 8-63 ASCII characters or 8-64 hex digits. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/20/2015 05:18 PM, Carlos E. R. wrote:

Then we have a problem.

If I enter, say, 60 hex digits, which is after all a plain ascii string, if the password field thinks it is ascii, it will be a very poor password, with only 16 values per byte.

Lessee now. 60 hex digits. That's 16^60 possible values. That's 1.7668^72. Of course, the attacker wouldn't have any idea about the number of characters or whether hex or ASCII. They will all result in a 256 bit hash and there are 2^256 of them. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/22/2015 08:24 AM, Anton Aylward wrote:

I think the point that Carlos was trying to make is that there's no way to tell from a certain set of strings is the input is hex or not simply because the hex representation is a subset of asii.

For example, is the following in hex or not?

A99CBDF0

Clearly this is not hex:

A99;;Bd/F

My AP will allow entering either 63 ASCII or 64 hex characters. So, it would check for any characters that are out of the hex range and, if found, assume ASCII. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/22/2015 08:57 AM, Patrick Shanahan wrote:

...

My AP will allow entering either 63 ASCII or 64 hex characters. So, it

...

would check for any characters that are out of the hex range and, if found, assume ASCII. And if they are not "out of the hex range" but *are* ascii ???

They'd still be hex, up to 64 characters of them. Either way the result, no matter what you enter, is a 256 bit hash. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2015-09-22 a las 08:24 -0400, Anton Aylward escribió:

I think the point that Carlos was trying to make is that there's no way to tell from a certain set of strings is the input is hex or not simply because the hex representation is a subset of asii.

Exactly. - -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlYBXTkACgkQja8UbcUWM1zC+AD9G9DxkXzPUxduuPyd1C7M1IPn S3pi9pJPnw2vXX1TWvgA/RjhRkkxAnNjIj29ywl5SOs1paafcTATxdtA8os/jYGt =xBzX -----END PGP SIGNATURE-----

On 09/20/2015 05:08 PM, Lew Wolfgang wrote:

On 09/20/2015 10:47 AM, James Knott wrote:

...

On 09/20/2015 01:32 PM, Carlos E. R. wrote:

...

Is it possible to enter Hex passwords as such? I would expect that anything that accepts alpha-numeric characters would accept hex.

But limiting the character set for each entered digit would limit the entropy for the cryptographic hash, making it easier to brute-force guess, given the same password length. It might take only 100-years to crack, instead of 1,000-years. :-)

An ASCII password will still be converted to a 256 bit hash, no matter how many characters that are used. However, there are far more possible combinations of ASCII characters (96^63) than the 2^256 possible hash values. So, by using only hex digits, you're really not limiting much. BTW, there are 6.598^47 63 character ASCII passwords for each hash value. That's a fair number of hash collisions. ;-) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2015-09-20 a las 14:08 -0700, Lew Wolfgang escribió:

On 09/20/2015 10:47 AM, James Knott wrote:

...

On 09/20/2015 01:32 PM, Carlos E. R. wrote:

...

Is it possible to enter Hex passwords as such? I would expect that anything that accepts alpha-numeric characters would accept hex.

But limiting the character set for each entered digit would limit the entropy for the cryptographic hash, making it easier to brute-force guess, given the same password length. It might take only 100-years to crack, instead of 1,000-years. :-)

Yes, exactly. That's what I'm saying. - -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX/Iz8ACgkQja8UbcUWM1wf9QD/Un0aewKMI0d3izn4XUYpiGdp NYJtr0wsVNyGfn4QpekA/i80EjmQvMmG8pvp72qCh+WJ0NGi1X/i2dwV8L134hMV =fEho -----END PGP SIGNATURE-----

On 09/20/2015 05:08 PM, Lew Wolfgang wrote:

It might take only 100-years to crack, instead of 1,000-years. :-)

I mentioned earlier the NSA comment about breaking AES in that a computer that could break DES in one second would take 139 trillion years to break AES. AES uses the same 256 bit length as WPA2. I don't know if there's any way to make it a smaller task, they way there was with WEP and the initialization vector. Of course WPA2 uses AES for the encryption, so if you can't crack the password, it will still take 139 trillion years to break the encryption. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/20/2015 05:30 PM, Anton Aylward wrote:

...

Of course WPA2 uses AES for the

...

encryption, so if you can't crack the password, it will still take 139 trillion years to break the encryption. Are you actually "breaking" the encryption algorithmically or are you generating the set of all possible combinations and trying them one by one?

Brute force, trying all combinations. I'll let you know when I'm done. ;-) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On September 20, 2015 9:38:01 PM EDT, James Knott wrote:

On 09/20/2015 05:30 PM, Anton Aylward wrote:

...

...

Of course WPA2 uses AES for the

...

encryption, so if you can't crack the password, it will still take 139 trillion years to break the encryption. Are you actually "breaking" the encryption algorithmically or are you generating the set of all possible combinations and trying them one by one?

Brute force, trying all combinations. I'll let you know when I'm done. ;-)

That's why uniqueness in passwords is important. The bad guys have been stealing credentials by the millions for a decade plus. With some of the lesser protected encryption scheme a rainbow attack allowed them to decrypt every password. Then they use the list of actual passwords as a big dictionary for future attacks. I understand the dictionary of actual passwords known to have been used by someone is now huge. The first thing a real hacker would do is run through that list first. Even 100 million could probably be checked in less than a day. So one key to good password is to pick one no one else has ever used and had stolen. Greg -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/20/2015 09:38 PM, James Knott wrote:

On 09/20/2015 05:30 PM, Anton Aylward wrote:

...

...

Of course WPA2 uses AES for the

...

encryption, so if you can't crack the password, it will still take 139 trillion years to break the encryption. Are you actually "breaking" the encryption algorithmically or are you generating the set of all possible combinations and trying them one by one?

Brute force, trying all combinations. I'll let you know when I'm done. ;-)

There's an argument over which will come first: a) the heat death of the universe b) the decay of the neutron You're a distant 54th. :-) -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/20/2015 10:01 AM, Anton Aylward wrote:

There are many other such ways of LOCALLY producing strong (for various interpretations of the terms 'strong') password strings.

True, but many people don't know them. That's why I tell them to use www.grc.com. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/20/2015 05:39 PM, Anton Aylward wrote:

You could just as well tell them to install the KDE app.

They often run Windows. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

There's an idiom spoken by people in northern Lancashire that is lexically unredendable, but which translates, it is told, to people living further south and use "received pronunciation", when stripped of local colourful idioms, anatomical references and other obscenities, as "People are strange". https://en.wikipedia.org/wiki/Received_Pronunciation#Comparison_with_other_v...

Or "There's Nowt So Queer As Folk" M

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2015-09-22 19:01, Anton Aylward wrote:

On 09/22/2015 12:18 PM, michael norman wrote:

...

Or "There's Nowt So Queer As Folk"

Sah that, lad, with a 'onest broad north lancy accent them southerners and 'merican's won't know what yer yamemring abut.

Nor me :-} -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2015-09-23 a las 09:26 +0100, michael norman escribió:

I'm a southerner, as if you couldn't tell. (Ian Dury : Billericay Dickie)

In the 80's my wife and I lived in Scotland. We had a son. When we returned south for good in 1989 our son was just over two years old and spoke with a broad West of Scotland accent.

We broke the journey in Sheffield and stayed overnight in a pub. On hearing my son speak the landlord remarked "by gum. don't he talk funny"

:-) I'm Spanish, but I have british ancestors. Second and a half generation expat, I think. Well, when I was a kid, an aunt told me that she had been reading a very funny book by someone called James Herriot. I was actually searching for books to read, so I bought one (I think I was visiting England by the time). Soon I bought all I could find, they were really funny. One curious thing was the slang and expressions used by the agricultural folks that appeared on the book. The author found them interesting, and so did I, with time - it took some time for me to understand them. In writing, that is, probably no chance I could understand some one talking like that to me. The author was scottish, and went to work (vet), later to live, in the yorkshire dales (hope I got the place name right). That "by gum" was one of those expressions, what that landlord of yours said instantly reminded me of those books :-) - -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlYCl2YACgkQja8UbcUWM1xfigEAlyjctGCC4x2IInZzs76UI8Tg i/ycdTZq5tJFJ9ap+rQA/2duxwsgezAtMBh1EfhTdpFUtHoNS9IA3QymUIZV8mYV =XMg6 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 23/09/15 15:24, Mark Goldstein wrote:

On Wed, Sep 23, 2015 at 3:13 PM, Carlos E. R. wrote:

...

James Herriot

"The Lord God Made them all"... In 1989 it was translated into Russian. Of course it should have lost the slang in translation, but still was excellent and till now it stays on the honorable place in my bookcase. (Funny, even in 1989 they called the book (in reverse translation) "They are all the creations of nature" though the original name was printed on the next page :-( ).

Or was it "All creatures great and small"? I'm sure that was the name of the TV series. - -- Bob Williams System: Linux 3.16.7-7-desktop Distro: openSUSE 13.2 (x86_64) with KDE Development Platform: 4.14.3 Uptime: 06:00am up 7:55, 3 users, load average: 0.16, 0.05, 0.06 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlYCwxsACgkQ0Sr7eZJrmU6KLgCgkdwqu10Ml7xedagJwkqKFvwK X7sAn3vXbbzoPxuH3DeUINMNtHP1GAri =nOg3 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2015-09-23 a las 16:19 +0100, Bob Williams escribió:

Or was it "All creatures great and small"? I'm sure that was the name of the TV series.

Both. There were several books. Some covered a year of his life each book, then there were others grouping two or more books in one. I was going to look up the titles on the wikipedia, but it is down this instant :-? Maybe is the search which is down, vea google I find it. These are the titles_ If Only They Could Talk (1970) It Shouldn't Happen to a Vet (1972) All Creatures Great and Small (1972) Let Sleeping Vets Lie (1973) Vet in Harness (1974) All Things Bright and Beautiful (1974) Vets Might Fly (1976) Vet in a Spin (1977) All Things Wise and Wonderful (1977) James Herriot's Yorkshire (1979) The Lord God Made Them All (1981) Every Living Thing (1992) James Herriot's Cat Stories (1994) James Herriot's Favourite Dog Stories In the US, they were published as omnibus editions; the wikipedia explains which are which. - -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlYC1CYACgkQja8UbcUWM1ymHQD+M8HG3lHEN+qND4c6FcnRxH4d cAGfHabt4eL383OWbHEA/R9sqmLP/2HZ/FD4HyudWO8vpJFPSB0oSEBqJooCA3H+ =tPny -----END PGP SIGNATURE-----

On 09/22/2015 08:16 AM, Anton Aylward wrote:

...

They often run Windows. Indeed, there are also people who smoke regularly, despite the proven health risk. There are even, according to police records, people who drive while seriously intoxicated.

For some reason there is a class of humans who habitually engage in high risk activities.

Unfortunately, my work computer runs Windows 8. Yuck!!! Of course, there are many who don't know better and think Windows is all there is. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Op 22-09-15 om 20:57 schreef Anton Aylward:

On 09/22/2015 02:39 PM, James Knott wrote:

...

Of course, there are many who don't know better and think Windows is all there is.

As opposed to the likes of us who KNOW that Linux is that MATTERS.

:-)

you ca always install OpenSUSE... with 13.2 as first choice. GET RID OFF MICROSOFT BALL AND CHAIN!! -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Tue, Sep 22, 2015 at 3:30 PM, Xen wrote:

On Tue, 22 Sep 2015, James Knott wrote:

...

Unfortunately, my work computer runs Windows 8. Yuck!!!

Of course, there are many who don't know better and think Windows is all there is.

Luckily, I do know better and I still think Windows is all there is.

:D.

Actually I believe I'm migrating to a VM inside of Windows. Not sure yet, but I seem to be in the process of wiping openSUSE off my HDD.

Still rsyncing my volume backups to a remote host.

I might have room to keep the backups locally as well.

One thing I learned though: you can't use XFS with LVM and create a snapshot of your XFS volume and then mount it; it will complain that the UUID is the same, so you can't mount your snapshots and make backups off of them, so there goes my XFS experiment, I'm back to ext3 now.

Please give XFS some credit. It has been an enterprise quality filesystem for well over a decade. === man mount <snip> Mount options for xfs <snip> nouuid Don't check for double mounted filesystems using the filesystem uuid. This is useful to mount LVM snapshot volumes. ===

I believe I'm hoping to run a Linux desktop or something close to it inside of Windows :p.

I wonder if I can use it to run services and connect to them from Windows. Ie. use Linux as an embedded server. That would be awesome. That would be like having a remote box or second computer, but it's still in this machine.

Ignoring speed issues, why not?

It would be lovely to migrate these "VM" installations to other computers at will. I've always best used Linux as a remote box. Ie. previously it was my file server, later it was my web server, and my email shell host.

I still mostly do that. 80% of my time on Linux is CLI. Greg -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Tue, 2015-09-22 at 22:41 +0200, Xen wrote:

On Tue, 22 Sep 2015, Greg Freemyer wrote:

...

Please give XFS some credit. It has been an enterprise quality filesystem for well over a decade. === man mount <snip> Mount options for xfs <snip> nouuid Don't check for double mounted filesystems using the filesystem uuid. This is useful to mount LVM snapshot volumes. === Well, it didn't tell me that. And it would give me trouble mounting my snapshots because now I have to check for which filesystem is in use which is just ....more work.

Only because whatever other tool or filesystem you have previously been using *FAILED* to warn you of double mounting; this is a feature, not a bug. Mounting a snapshot is a special use-case, requiring relief of a safety is just a good practice, not a problem.

Suddenly a simple "mount" command is no longer fool-proof.

It never ever was. A "simple" mount command is merely one where you are assuming the defaults are OK, and that you remember exactly the context you are operating in.

And now you need a fool-proof way to discover the filesystem type of a block device

And? I would hope if you are moving, snapshoting, and mounting/unmounting LV's that you *just-know* the file-system you are working with.

It's a bit like Tar that includes some device number in the archives it creates.

I am not sure what "some device number" means. Tar persists the meta -data and contents of a file.

is beyond me, a path is supposed to be uniquely identified by.... path.

No, this has never ever ever been true. It is certainly not true in any kind of modern-ish storage system. -- Adam Tauno Williams mailto:awilliam@whitemice.org GPG D95ED383 Systems Administrator, Python Developer, LPI / NCLA -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/22/2015 07:40 PM, Carlos E. R. wrote:

that is why we have several methods.

And it is why they are described in the man pages. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Greg Freemyer schreef:

...

What is dangerous about double mounting?

I don't think this was answered.

The issue comes in with Enterprise Storage Area Networks. They often have redundant paths to the same filesystem. Thus in a SAN environment it is easy to mistakenly mount the same filesystem two different places simultaneously.

If all reads/writes were atomic, that would be fine. But in the real world there are buffers and caches. The data in them often conflicts with what is on the actual storage system. Having 2 independent sets of buffers/caches quickly leads to chaos on a busy system.

I guess in a typical local system the kernel is aware of every second mount and would use the same buffers and caches at least I would believe that would normally hold true. It would not make sense to not be aware of a second mount, in that case every --bind mount would start causing trouble as well, or wouldn't it?. So it seems we have a special case here where the kernel can't be aware. And now XFS is using filesystem descriptions/identifiers (whatever those may be) to identify the filesystem (which would typically be stored on some device) but it can't distinguish identical or near-identical copies because the UUID obviously does not describe the entire thing like a checksum would. And even if it did, it would still be wrong. But in actual fact the condition arises easily where two filesystems with identical UUID can be on a different device, which means the logic for not mounting twice does not hold true, which means the FS UUID logic is just flawed and WRONG. And it also means you can't just say a person is lazy or a turd or "has a problem with looking up information" (as per mr. Anton) as if the bad design of some feature suddenly warrants every individual have some obligation to the Unix world to design around that flaw. I don't know if it makes more sense in the context of that SAN, perhaps there are also conditions where network shares cannot be identified by device because the devices on different systems may be different, but the filesystem itself may not? I don't know. Apparently we are talking about local systems here still. So I think it is just not right. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Thanks for your reply Carlos. You are always positive around here. On Thu, 24 Sep 2015, Carlos E. R. wrote:

...

I guess in a typical local system the kernel is aware of every second mount and would use the same buffers and caches at least I would believe that would normally hold true. It would not make sense to not be aware of a second mount, in that case every --bind mount would start causing trouble as well, or wouldn't it?.

No, a bind mount is very different. It is a kind of simulation, a link, whereas a double mount is a real mount, with two completely separated structures.

Think of a hard disk having two SATA cables, for redundancy.

I have accidentally mounted the same filesystem twice, only temporarily, shortly, a few times. It is easy to remount e.g. ... wait. Well I think I did. It is also possible to mount some snapshot on top of /. Then you can type "umount /" and it will umount the second mount (the one of the snapshot ) :P. But I don't know what "two completely separated structures" means. I take it that would mean that you have two sets of buffers, like the other guy mentioned, which would be a liability. Nevertheless, FS UUID doesn't solve this, not in a good way.

...

So it seems we have a special case here where the kernel can't be aware.

And now XFS is using filesystem descriptions/identifiers (whatever those may be) to identify the filesystem (which would typically be stored on some device) but it can't distinguish identical or near-identical copies because the UUID obviously does not describe the entire thing like a checksum would.

The current version of XFS also stores checksums. And the UUID is not a string stored somewhere at the start of the partition, but rather is replicated all over the partition.

Not sure if that is relevant. I know e.g. from partitions that you can enlarge a partition and the UUID stays the same, but when you change the starting sector it becomes different. It is completely obvious (at least to me) that UUIDs are more trouble than they're worth, at least for a regular system. I heard they were essential for uniquely identifying objects in large scale deployment scenarios. Again, something that is apparently designed for a very rare (from a user's point of view) use case but which permeates and disrupts all use cases that differ from it (ie. normal ones). I have never benefitted from UUID. Those experts don't have it right. It has entroubled my knowing what is what. It's the same with IPv6's format. It does not benefit me. I cannot normally remember it. It is only made for computers, not humans, just like UUID. They've done slightly the same with Europe's banking system where everyone now has to remember a pan-European banking account number. We used to have something like XXXXXXX now it is something like NL81INGB000XXXXXXX. They make the same mistakes over and over. There is not even a practical reason not to be able to be allowed to use the old number: all those software can easily automatically convert it for you. But they are not allowed to because of Reasons. IPv6 is a disaster, IBAN is pretty much a disaster, and UUID is also pretty much disastrous. The only way to not see it as a disaster is to see it as an opportunity and a call to turn away from madness and start designing your own systems. So yes, that means "Linux" is no longer a system of the people. Look at what SystemD NetworkD is doing to the device names?.... Ridiculous. It is becoming less user friendly every day almost. Now we see here (apparently, I don't know it) (It is just gut feeling and deep perception) that XFS has a feature that is only relevant for certain rare use cases (from a non-enterprise point of view) but which ALL users suffer for. That is identical to the reason for UUID in the first place. I don't want to suffer for the perks of other people. UUID for partitions/volumes makes no sense whatsoever. A path name such as /dev/sda2 or /dev/mapper/vg--lv is more resilient to change. Even if you have raid arrays you will have /dev/mdx and if that fails (or is not resilient enough) you can still give labels to your filesystem if you must. All of which are better solutions (from my point of view) than relying on a UUID you cannot really remember or identify. It makes it nearly impossible, for instance, to check a Grub2 config file for errors. At least manually. It makes your fstab completely unintelligable. So that's for UUID to begin with. It does not serve the normal user.

No, don't ask me why. I read the reasoning, but I can't explain it from memory. I'm not that good.

That's fair, you are at least using your own mind ;-).

You should be aware that the people designing and creating these filesystems like XFS really know what they are doing, and it is rather more possible that you don't. Not me, anyway.

But this is the most... this is about the least intelligent thing you could ever have said. Trusting authority -- blindly trusting authority -- is the root cause of basically every problem we face in this world. Whether it is religious authority, moral authority, political authority, or corporate authority. It is the same as having presidents of national or European banks telling the population that they "have to spend more" because it will help the economy. Trusting authority like that is like taking out a gun and shooting yourself. You're almost dead in any case, already. It is people not thinking for themselves. When people stop thinking for themselves and begin to only trust the thinking of other people, you get the world we are in today. Even the reverent (vehement? :P) mr. Steve Jobs said something reasonably intelligent about the subject. He is reported to have said: "Your time is limited, so don’t waste it living someone else’s life. Don’t be trapped by dogma – which is living with the results of other people’s thinking. Don’t let the noise of other’s opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become. Everything else is secondary." And this, my friend Carlos, is exactly what Dogma is about. If some "experts" have determined that this is the Right Way to do things, that is dogma. It is uncontested and uncontestable truth. After all, they are the /experts/, right? :P.

Current filesystems are very complex things. Normal peasant knowledge is far from understanding it.

If any object system uses the "equals" method to test whether two object pointers point to the same object, that system is flawed. You don't have understand much to see that, and that is the power of simplicity. It is pretty clear this system we are talking about tries to do this: (In java): String a = new String("some string"); String b = new String("some string"); if (a.equals(b)) { System.out.println("a and b are the same object"); <-- WRONG } Any programmer will understand the wrongness of this. To test object identicality you have to write: if (a == b) { System.out.println("a and b are the same object"); <-- RIGHT } But XFS doesn't do this. It uses the former method. I don't care for their reasons. The code is just flawed from a very simple and easy to understand perspective. And I shouldn't be the one to suffer for it, and I had no big reasons to use XFS in the first place (just trying to test its performance, perhaps) so going back to ext3 was a lot easier than starting to read man pages hunting for reasons or error and then writing my script to accommodate this anomaly. I needed to get something done ASAP. I had no time to be dealing with the flaws of other people. Basically that's what Linux is about anyway. Dealing with the flaws of other people. Until it is no more.... There was another reason not to use XFS and that is that you cannot shrink its filesystem, but that is beside the point here really.. I just think the experts may be experts but that doesn't mean they have your interests in mind. They may very well have corporate-grade interests in mind. Many of them work for Red Hat etc. So the home user suffers, and the solution is or may not even be the best solution in the general sense of being acceptable to everyone. I never take anyone's word for it. Sometimes that makes me stubborn, but only slightly. In Dutch they have a word for it called "eigenwijs" that is almost always a pejorative, ie. used in a negative sense. You are rarely complimented for being eigenwijs. But if you want to live your own life and make use of your own time, you have to be 'eigenwijs', you have to be your own person. You have to do your own thinking. And you can stop blaming yourself for inadequacies that are really situated not in your self, but rather in the system you are using. Linux, being rather dysfunctional in many areas, has a habit and a culture of blaming the user. That is what happened here as well. It is always the user's fault. Anton Aylward just did it again, he's very good at it. Compliments :D :P. :). But what I have learned and found is that I don't have myself to blame for most circumstances. What I've found is that my self is usually right, and when it isn't, there are /friendly/ ways of revealing that to a person, usually. And trying to find character faults with someone is not that. Not at all. Anton is very good at telling me that there is something wrong about my person. That I wasn't born right, in that sense. That my being is flawed, in pretty serious ways too, if it's up to him. And that when I choose to make use of my time effectively, and efficiently, and choose to avoid a trap of /needing to use a certain software or system/ when I don't even have to such that I can get back to doing meaningful things again, it feels to him like a betrayal of Linux. There is no Linux now on my computer. What is the point to writing fucking scripts to cater to a filesystem I don't even need to use just so that my project of transforming my computer will take even longer? And why am I even writing this? Explaining my choices.... You really owe no one explanations of the choices you make. A wise person once said: It is not appropriate to interfere with choice, nor to question it. It is particularly inappropriate to condemn it. What is appropriate is to observe it, and then to do whatever might be done to assist the soul in seeking and making a higher choice. And reading the manual and then adjusting my scripts and wasting important time is not exactly "making a higher choice". But saying that I have in fact an issue with looking up manuals, is indeed condemning the choice. And most of what people do in Linux is condemning the choices made by others, particularly those who do not choose Linux or who do not choose a Linux solution at any point or interval.

On 09/22/2015 06:05 PM, Adam Tauno Williams wrote:

... requiring relief of a safety is just a good practice, not a problem.

RTFM, which Greg did and pointed out same to Xen, is also a Good Practice. It has become clear from a lot of his posts that Xen is deficient in this area. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Adam Tauno Williams schreef:

On Tue, 2015-09-22 at 22:41 +0200, Xen wrote:

...

Well, it didn't tell me that. And it would give me trouble mounting my snapshots because now I have to check for which filesystem is in use which is just ....more work.

Only because whatever other tool or filesystem you have previously been using *FAILED* to warn you of double mounting; this is a feature, not a bug. Mounting a snapshot is a special use-case, requiring relief of a safety is just a good practice, not a problem.

You're WRONG. You've just said (way below at the tar example) that a file should be uniquely identified not just by path but also by device ID. Now you're saying that a filesystem UUID (which tells nothing about device whatsoever) would tell an adequate tale of what device we are dealing with, so you are not double mounting that device. Otherwise, what could be the trouble with double mounting a FS that just happens to be identical or have identical features/parameters? So if it is true indeed that the UUID we are talking about is some FS UUID and not some device UUID, then obviously the feature is a BUG because it is like treating identical copies as identical THINGS. Which they are not. They are separate objects. UUID is flawed in any case.

...

Suddenly a simple "mount" command is no longer fool-proof.

It never ever was. A "simple" mount command is merely one where you are assuming the defaults are OK, and that you remember exactly the context you are operating in.

It was for me just a moment ago. I don't know what people you are talking about or what excellent outstanding universal use cases, but obviously it was not mine. Now you may suggest that my use case is not a valid use case. But that is kinda like begging the question. You must assume that my use case is not a valid one in order to prove that my use case is not a valid one. In order words, you are doing a circular reasoning. But to be more precise: yes the defaults were okay, if they had not been, I could choose the defaults (for all filesystems) myself, but I have not been in an environment where that was necessary, so it is not relevant. It is not .. it is just ludicrous to assume that we must cater to all possible environments when we write our scripts, or anything. And I don't know what context you are mentioning. I guess you mean environment. So I needed remember nothing, and the same is true for that.

...

And now you need a fool-proof way to discover the filesystem type of a block device

And? I would hope if you are moving, snapshoting, and mounting/unmounting LV's that you *just-know* the file-system you are working with.

Why should I if to my common understanding "mount" will always work, whether it is NTFS (I will assume) or EXT3/4. Things work best when they are transparent, at least they work best to me who values his time. If you have to know implementation details before you can use an interface, it is a bad interface. "Mount" is the interface. Mount has several implementations. I believe there is probably a mount.xfs command that will handle mounting XFS. But "mount" is the interface that makes the command file-system agnostic. Now you are saying that this interface should not be or does not have to be filesystem agnostic, while filesystem-agnosticity was its entire purpose. You're again reasoning from the conclusion to the premise: you feel it is perfectly reasonable to be having to use filesystem-cognisant commands, and hence you feel it is perfectly reasonable to "know" what filesystem I have in my hands before I run my script. No, the whole idea of the script is to be agnostic. And doing blkid and then scraping the output to divine the FS means that neither me nor my script knows in advance what I am dealing with, but this suddenly is acceptable to you?. It is perfectly clear the system would be more fool-proof, and hence more user friendly (and more usable) if the thing worked /without having to know more details/. Having to know lots of details of any system /before you can use it/ is the mark of a badly designed system.

...

It's a bit like Tar that includes some device number in the archives it creates.

I am not sure what "some device number" means. Tar persists the meta -data and contents of a file.

Me neither, but if you create incremental archives using -g or -G, and I guess any other kind of archive, it will (GNU tar will) store a device number and use that to compare files. If two files have the same path but a differing device number (e.g. a different LVM snapshot) it will assume the files are different, which is obviously a wrong assumption.

...

is beyond me, a path is supposed to be uniquely identified by.... path.

No, this has never ever ever been true. It is certainly not true in any kind of modern-ish storage system.

You just said it was perfectly okay if mount.xfs assumed two filesystems were referencing the same device just based on their path. So you're perfectly contradictiong yourself, my friend. In all honestly a mount command should (if such 'safety' is warranted) be aware of real devices, while tar, when comparing backups, or archives of certain directory paths, should not. After all, tar does not store the entire path either. It usually just stores the relative path or whatever you have supplied. Why then, if it does not even extend to the root, should it extend to the device to with the current (relative path) is mounted? That will break lots of schemes. So you have it a bit... the other way around. Backwards. So I'm sorry but I will not take "has been in professional use for over a decade" (or whatever) as proof or even evidence that my own reasoning is flawed. I will take no false idols, okay? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 22/09/15 19:39, James Knott wrote:

On 09/22/2015 08:16 AM, Anton Aylward wrote:

...

...

They often run Windows. Indeed, there are also people who smoke regularly, despite the proven health risk. There are even, according to police records, people who drive while seriously intoxicated.

For some reason there is a class of humans who habitually engage in high risk activities.

Unfortunately, my work computer runs Windows 8. Yuck!!!

Of course, there are many who don't know better and think Windows is all there is.

Peggy Lee : "Is That All There Is" M -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Mon, 21 Sep 2015, Per Jessen wrote:

Yep, I agree. I have been thinking about using two SSIDs, but mostly to have different service levels/hours. (we have a teenager in the house).

Funky. So you will keep the password to the 'real' SSID hidden from said teenager? :P. Naughty these creatures are. Using internet in the midst of the night. I'm glad the people that run the show here where I reside don't do that sort of shit. They closed everything but port 80, 443 and ostensibly, 53, and they banned VPN, but at least there are no banned usage hours :). You should teach your teenager to hack the wifi! :D. But if you use a non-dictionary-word-like password, it's gonna be difficult. I guess you'll always be two steps ahead. Still, gives them something to do in the night :P. Only risk is that they hack the neighbours' wifi instead. :D. And pubic places often have dictionary passwords. A coffee shop with a password of "espresso" :P. Oh well. When I was that teenager I had to pay for my own phone bill as I was dialing out :(. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2015-09-19 a las 10:47 +0200, Daniel Bauer escribió:

Probably it is not even possible to set up such a how-to, thinking about all the different systems, routers...

Maybe it exists. I have read writeups but I don't remember where.

So for people like me, the only hope is that the firewall as set up by default when installing the system and using strong passwords, is enough to protect me from a disaster...

Maybe I could call this "security by luck".

:-) The firewall alone is not enough, but yes, the default firewall (set as external) is good enough (as firewall). The important thing is that security is not achieved by a single item. If you use WiFi, you need to secure access to it, because anybody within, say, 50 meters, can try. Even an inocent child. Maybe they just want to use your connection and do no harm, but things happen. Hiding the SSID does little, and it is a nuisance for you and your guests. But if you want to use it, go ahead: it will make no harm. Similarly for MAC filtering, but it is harder to bypass. Use WPA2 with a strong password, and don't use the one supplied by your ISP: who knows where they store it and who knows it. I heard of one ISP which generated the password from the phone number and/or SSID; the algorithm had been found, so anybody could in fact have your password. Have all internal machines with a firewall. In openSUSE, use the external interface setting, or if you use the internal setting, tell YaST to also protect from internal. Yes, this is a nuisance, but I don't trust ISP routers with firewall: those things have holes and they are seldom patched. Keep your machines updated. This protects you from most "hacks". Use common sense when clicking links or opening emails, specially in Windows. An antivirus, even in Windows, does little. In fact, I know people that don't use one, yet their machines are absolutely clean. And most of the virii I get on the mail the antivirus pass them as clean, anyway... Finally, if you need to have open services to the outside, like ssh, http, whatever, you have to really secure them. Ask, if you don't know how. - -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX9UucACgkQja8UbcUWM1wrIgD9FOU6LD/XbahOH59c6N7mvH75 UyZJRcei+fCgqubPDnwA/i4RU7eSrs8YUHp23trTldV3cH37KSV4JFRmxxIpSduW =ikAP -----END PGP SIGNATURE-----

I'm not sure if this helps, but... Daniel Bauer schreef:

Here confusion already begins. What is an "internal" machine? I have my computer on the eth-cable, and my laptop on WiFi.

Typically in a normal home network, the computers inside the network are shielded from the outside (internet) by way of a routing featured called Network Address Translation. Normally not a single host (computer) on the inside is reachable from any computer on the outside. An "internal" device is then some computer that is being NATted, that is to say, whenever it communicates with the outside, the router takes care of presenting it to the outside as if it is the router itself. If you have a bunch of computers on your network, they all appear to be only just talking to the router. Your internal addresses then usually have the form of 192.168.1.x. This is then what determines an "internal" machine. Internal machines are not directly reachable from the outside, which also means any services on any open ports they have, cannot be accessed. Computers on the inside can normally only contact SERVER devices on the internet. If, in another case, the program or computer wants to open some port, it can ask the router to open one for it, this is called "UPnP". Typically your router is the 'separator' (or the gateway) between the internal network, and the outside, or external internet. It, by that definition, is also a firewall protecting your computers.

and I have no idea what it means to protect from internal...

I'm not sure if this is what Yast does, but to protect from internal, would, under normal or ordinary nomenclature, mean or be meaning to protect against LAN computers (such as your visitors). However, most of what a firewall does is blocking ports or dropping suspicious packets. I don't know much about SuSE's configuration.

...

Yes, this is a nuisance, but I don't trust ISP routers with firewall: those things have holes and they are seldom patched.

What nuisance? The routers firewall isn't even on, simply because I don't know what those settings mean...

Carlos was not speaking of the router you have in your home, but rather of the firewall of the machine your are running OpenSuse on. If you have a machine on an internal NAT (NATted LAN) you don't really need a firewall. Although it is useful to know if some process on your computer is trying to open a port to the outside, usually you will want to monitor and know about this. I am not sure if this is possible in Linux. Typically, for instance, I want or would want to know whenever my computer is phoning home to microsoft. Unfortunately, this information is not available or made visible by default. But any "phoning home" by contrast is also not any different, or differentiable, from any other ordinary internet request made by your computer. Any process on your computer can request e.g. any web resource (a http:// request) and you will never know unless you have some software (which would be a firewall) that would monitor and maintain lists of processes doing stuff on the web/ on the internet, and allow you to cut short such attempts that you don't want. Actually I would very much prefer to do that. I normally seriously want to know and to decide what program can do what when.

...

Finally, if you need to have open services to the outside, like ssh, http, whatever, you have to really secure them. Ask, if you don't know how.

I have the ssh server "on". I need it to let my laptop connect, for rsync and the like,

I don't know much about securing. It seems a lot of work. I am securing some VPS online host but for me securing means having automated tools to monitor and respond to threats. So security for me means power and knowledge. Not necessarily "hardening". It seems quite a lot of work to get this power and knowledge in place, because it doesn't seem to be any form of default. People don't seem to care about it, to put the average user in this kind of control (you have more control in Windows than you do in e.g. Suse).

I would really like to know how I can manage that only MY laptop can ssh to the PC (and reverse). Due to DHCP, IP's change, so filtering by IP wouldn't help...

One way to achieve this is to require either a key without password, or a key with password, and to turn password-only off. Your laptop then needs to supply a key that matches what you have (on earlier occassion) given to the PC so secure that account. The usual way to do this is to copy the public key for your user account (that you can generate with ssh-keygen) to the .ssh directory of the remote user account (so it is account based, not host based). This is then copied with e.g. "cat ~/.ssh/id_rsa.pub | ssh user@laptop "cat - >> ~/.ssh/authorized_keys" This would copy the public RSA key on one host, to the authorized key file on another. By typical extention, this means now you no longer need a password to login. I do not yet know how to change that behaviour. There are directives like "PasswordAuthentication" and "PreferredAuthentications". But the result of this might be that a computer will be only be able to log into that account on that other machine (e.g. your laptop) (or vice versa) if that computer/user account can supply the required key. In sshd_config you can read the following: AuthenticationMethods Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names. Successful authentication requires completion of every method in at least one of these lists. This is in the config for sshd, the ssh server daemon. If you set "AuthenticationMethods publickey" then any login attempt to that machine will require a public key.

What I "fear" most, is that one of my guests (to whom I gave the WiFi password) can follow my web-actions or even get into my PC....

Ahhh, it's all so complicated :-)

Maybe if they sniffed your LAN traffic (including wifi) they would be able to. This sniffing, however, is much more likely (or doable) than breaking into your pc. But someone still needs to be that hacker, sortof, that would do that. He/she would need to login to your wifi, but ordinarily it is (I think) impossible to read other people's traffic. On a regular network cable it should be possible. But I'm not sure what kind of visitors you get ;-). -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/19/2015 09:01 AM, Daniel Bauer wrote:

Here confusion already begins. What is an "internal" machine? I have my computer on the eth-cable, and my laptop on WiFi.

"Internal" means a computer on your local network, protected from the world by your firewall. "External" means the rest of the world. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Thanks Carlos, Xen and James for the explenations! (I'm always a bit shy to answer in this thread, I hope it does not annoy too much to purely open-suse-related people. But for me it is very interesting and I think I already learned a little more...) Am 20.09.2015 um 01:41 schrieb Carlos E. R.:

I forgot about phishing and social engineering: say that somebody sends to you an email asking you to read some report on a photographer meeting at La Hague, or offering a contract. You would be intrigued and have a look. Well, that's a possible dangerous situation.

Yes, they try a lot. Apart from stupid ones (cancelling a credit card I don't have, warning of a paypal block 15 times a day, using such bad translations that it already gets funny, sender addresses or links that point to other addresses than shown in the text...) some might be made intelligent enough to trigger me. Well, it doesn't need so much :-) I do open image files from unknown senders with quickshow and I some pdf's with okular. Unknown websites coming up with flash contents (blocked by my browser settings) are not viewed. But yes, they triggered my mother into opening an attachment (a hidden .exe) writing her that her bank account had been charged a high sum. She clicked and clicked the .exe, and as nothing happened (she's on linux, too) she desperately called me...

If they send you an email with a text that seems realistic and intriguing, specially if they already know about you, it is possible that you get hooked. It is dangerous, more than virii.

It's possible. I try to keep my brain up and running... ...

...

I have the ssh server "on". I need it to let my laptop connect, for rsync and the like,

Ok, but you use it for connecting inside home; not to connect from a coffee shop, right?

No. Just used to surf a bit the web, but since a company sold an application to many cafés that offer free WiFi when you login via facebook, not even that. I heard a conversation of an agent of this company and the statistics about those who connect in the café she offered to the owner let my hair stood on end. No, I only connect my laptop to my PC at home.

...

I would really like to know how I can manage that only MY laptop can ssh to the PC (and reverse). Due to DHCP, IP's change, so filtering by IP wouldn't help...

Well... If you configure for static addresses instead, you can then filter in the firewall to allow those addresses.

Some home routers can be configured to assign a certain IP to a certain machine, via DHCP. So the computer is still on automatic network configuration, but it always gets the same address.

On http://adslzone.net/ you can find information about the routers typically used in Spain, with howtos for doing typical things.

The page is open. I read in little mouthfuls...

...

What I "fear" most, is that one of my guests (to whom I gave the WiFi password) can follow my web-actions or even get into my PC....

Ahhh, it's all so complicated :-)

Well, getting into your PC is not trivial.

Following your web actions is easier, /if/ your router publishes all network traffic of everybody on the wireless interface, which they typically don't. If you are connected by cable, it is easier to "sniff" (that's the name of the action).

Why is that easier? I thought the contrary. My main PC is connected by cable... Should I better connect it per WiFi? (I have an old WiFi-card laying around somewhere...) Enjoy a sunny sunday! Daniel -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2015-09-20 a las 07:17 -0400, James Knott escribió:

...

Why is that easier? I thought the contrary. My main PC is connected by cable... Should I better connect it per WiFi? (I have an old WiFi-card laying around somewhere...)

Actually, "sniffing" on the wired network is harder, as you need physical access to it. Also, with switches, someone on another port will see very little traffic that's intended for someone else. All they'd see is broadcasts, including unicast frames flooded to the network, when the switch doesn't yet know what port a device is connected to. The exception to this is with managed switches which can be configured to mirror all traffic on one port to another.

And cheap ISP router-switches, probably hubs. Otherwise, ntop would not learn what other computers at home are doing. But when ntop is running on the laptop, via wifi, it sees nothing of the others. - -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX+ncYACgkQja8UbcUWM1zmVAD/arSj9fjovcAuCU6ZANes8g1K QP+iqMpZpIdbq6L5NG8A/3FUDBeQQWz8ldqU3BnRxzunrNUnXwrHFVtsC2bKUV/6 =ZcMD -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2015-09-20 a las 08:01 -0400, James Knott escribió:

On 09/20/2015 07:51 AM, Carlos E. R. wrote:

Cheap or not, all switches work the same way and hubs have been obsolete for many years. Also, hubs are half duplex and most 10 Mb only. Ntop doesn't show all the data on a network. It can show what's happening on your computer or use software on other devices to collect data. However, it cannot just see other traffic.

But that's the issue, it just does. At least on my home.

...

But when ntop is running on the laptop, via wifi, it sees nothing of the others.

That's more due to the hardware. WiFi is quite different in operation than Ethernet networks. The same happens with Wireshark. Normally a WiFi NIC has to associate with another device, before it receives data from it. To my knowledge, there's no such thing as the "promiscuous mode" as used on Ethernet NICs to sniff traffic on WiFi. Sniffing WiFi generally requires special equipment, such as the test equipment I mentioned in another note.

yep. - -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX+rBIACgkQja8UbcUWM1yMnwD+Mttbx7fDK1OLv8M1idfuFwGR Au4kV4wQznAV5fNVo4cA/jowpca/SQVaGAUzgC/lDXrvOsz7fMyoTiVIoQNLpEoF =C9Va -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2015-09-20 a las 10:18 -0400, James Knott escribió:

On 09/20/2015 08:52 AM, Carlos E. R. wrote:

...

But that's the issue, it just does. At least on my home.

You can see traffic between other devices on your computer??? Are you using a hub???

Some months ago, probably. I no longer have that device, provided by my ISP. It is (was) labeled as router, but it does not specify whether it has an integrated switch or hub. Now my hardware is different. I'll check again when I get back home. Now I have a standalone 8 port switch.

Unlike hubs, switches don't just pass traffic to all other ports. They use MAC lookup tables to determine the port connected to the destination and send the frame only to that port. The only exceptions would be broadcast/multicast and flooding frames when it hasn't yet learned the port for the destination. That is the only traffic you should see that's not meant specifically for your computer. However, if your're running ntop, you could, for example, have Netflow agents on routers etc., that can monitor traffic on those devices. Even then, I doubt you'd see the actual traffic.

No, I certainly have not installed agents anywhere :-) - -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX+w3QACgkQja8UbcUWM1xCZQD/QFs0s7P7eIRD3390f4MG8kv0 EQZFl+AJuhOmusX+mfYA/RTg4/7hPYdvw/roVDDp4SDA0mDPpJwINtkMPdid1QLu =S8OL -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2015-09-20 a las 10:37 -0400, James Knott escribió:

On 09/20/2015 10:32 AM, Carlos E. R. wrote:

...

Some months ago, probably. I no longer have that device, provided by my ISP. It is (was) labeled as router, but it does not specify whether it has an integrated switch or hub.

As I mentioned, hubs have been obsolete for 20 years and if they gave you one, they gave you an antique. ;-)

I know, but ISPs are /cheap/. You have been surprised other times at the things I tell that providers in Spain do ;-p I did a quick search on internet, and found several places that say they sell "network hubs", when they are actually and obviously switches. They use confusing naming here, it seems. I was unable to find out if they do sell a real hub. (browsing the mobile version of pages is a bit difficult) - -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX+8JIACgkQja8UbcUWM1zS6wD/WWN1K1AQbXCp3uhXzl2g0N7g wRsnOd/TSbk+WrL1zJgA/1wBpb68wu/RDCbRlxJpmSNO8FsiSs8LnLb4gXfK3mGW =KdNo -----END PGP SIGNATURE-----

On Sun, Sep 20, 2015 at 10:57 AM, Carlos E. R. wrote:

28°C and 80% humidity here, at La Manga.

That sounds nice. It's going to be 39°C and 30% here today. Brandon Vincent -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Sat, 19 Sep 2015, John Andersen wrote:

On 09/19/2015 01:47 AM, Daniel Bauer wrote:

...

without using tons of words I've never heard before

At this point you seem to be connected to the internet. I suspect that might not always be true, but for now it is.

Don't come to the internet whining about being exposed to new words. Virtually the entire knowledge of mankind is at your finger tips.

So stop acting like a third grader, and do what your 4th grade teacher told you to do: Look those words up.

I wouldn't expect that of you John. Shame on you!. Anyone can get flushed from an overexposure of unknown terms and concepts and this can quickly render a text (or treatise) completely incomprehensible to a person, and any successful learning experiences depends on managing that exposure. To say otherwise is to say a lie of education. So if that teacher told you that ("Look those words up") it would just be a very bad teacher blaming the student for his own lack of skill. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 09/17/2015 12:33 PM, David C. Rankin wrote:

With WPA and a mac address filter

Use nothing less than WPA2. Even WPA has issues. Also, MAC filtering doesn't do much, as spoofing is easy. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2015-09-14 21:10, James Knott wrote:

On 09/14/2015 02:51 PM, Daniel Bauer wrote:

...

Hello,

As my internet sometimes is very slow I opened 192.168.1.1 (with that movistar/Spain specific page) that showed me that besides of my eth0-wired computer there are 4 other WLAN-IPs, although I, for the moment, do not have switched on any wireless device.

If you haven't enabled wireless, how would those others be connecting? The only other way is via direct Ethernet connection. Many devices have WiFi enabled out of the box.

The Spanish Movistar system adds some VLANs (not WLANs) to the setup, uses one for the TV service, and another for SIP, both hidden from view.

Many access points maintain a log of connections. Also, why not just change the WiFi password, if you think someone else is connecting to your WLAN? Of course, you should be using WPA2, as it's the most secure.

The Movistar router (a comtrend, typically) is not configured directly, but via a remote web page at the ISP, which only gives the client access to limited settings. You can not change the SSID, nor the encryption type, as far as I remember. And I don't remember if it can be disabled, which would be the sensible thing to do if not used. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

Am 14.09.2015 um 21:29 schrieb James Knott:

On 09/14/2015 03:17 PM, Carlos E. R. wrote:

...

The Movistar router (a comtrend, typically) is not configured directly, but via a remote web page at the ISP, which only gives the client access to limited settings. You can not change the SSID, nor the encryption type, as far as I remember. And I don't remember if it can be disabled, which would be the sensible thing to do if not used.

I keep on getting the idea that Spain is a really screwed up country. Let me get this right. You have a WiFi access point, but you can't change the SSID? What about the password? If they use any encryption type other than WPA2, they're creating a security hole. I have a few access points and have configured several others. In every case, I was the one that chose encryption type, set the SSID and password and also what 802.11 versions were allowed (802.11b really should not be used these days). As mentioned, the best encryption available is WPA2. 802.11n and 802.11ac allow only WPA2.

The router comes from movistar. It's a BHS_RTA. Yes, one can go around that movistar special page when accessing the router with http://192.168.1.1:8000/ and you can change the ssid. And using WPA2. And a lot more... <OT> (b.t.w.: It's not the country, it's the government that is screwed up, but really f****d up - well, it's a government, what do you expect... </OT> -- -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Am 14.09.2015 um 22:12 schrieb James Knott:

On 09/14/2015 03:42 PM, Daniel Bauer wrote:

...

Yes, one can go around that movistar special page when accessing the router with http://192.168.1.1:8000/ and you can change the ssid. And using WPA2. And a lot more...

You should disable 802.11b if you don't need it. Same with 802.11g, but b makes the biggest difference. Some access points also allow you to turn off 802.11b protection. 802.11b causes a big performance hit if allowed.

Under 802.11 Mode I can choose 802.11b 802.11g 802.11n 802.11b/g 802.11n/g 802.11b/g/n it is set to 802.11b/g/n. I have no idea if I need "b" or any of the other, and I don't know what is affected if I change the setting. I want the best available performance for web, mail and skype, of course... -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2015-09-14 21:29, James Knott wrote:

On 09/14/2015 03:17 PM, Carlos E. R. wrote:

...

The Movistar router (a comtrend, typically) is not configured directly, but via a remote web page at the ISP, which only gives the client access to limited settings. You can not change the SSID, nor the encryption type, as far as I remember. And I don't remember if it can be disabled, which would be the sensible thing to do if not used.

I keep on getting the idea that Spain is a really screwed up country.

I'm sure you get your share from AT&T and the like :-P

Let me get this right. You have a WiFi access point, but you can't change the SSID?

Not by default, no.

What about the password?

Yes, you can.

If they use any encryption type other than WPA2, they're creating a security hole.

I can't check what they use now, I have disabled that config page. Let me explain. The provider has designed a procedure for doing remote configuration for the masses of the client routers. They can do all from their control centres. In order to do this, they give you routers with their local configuration page disabled, and they don't tell you the password to it. Instead, you go to a page at movistar.es, where after identification you can change a few things; the same interface for all supported routers. They can, for instance, remotely upgrade the firmware of all the installed routers. Thus, that page allows setting up the password, but not the SSID. However, you can click on a special link in that page, and after two warnings to make sure, you get to change the password to your local router, and then we can administer ii on our own. I must say that the fibre router has an ugly configuration page with some cryptical settings that I prefer not to touch. I must say that the wireless in that router is a piece of rubbish. I have disabled it completely, and instead use my own access point hardware.

I have a few access points and have configured several others. In every case, I was the one that chose encryption type, set the SSID and password and also what 802.11 versions were allowed (802.11b really should not be used these days). As mentioned, the best encryption available is WPA2. 802.11n and 802.11ac allow only WPA2.

On another provider (Ono), your own router may setup your wifi to give internet to people on the street, that happen to be clients of the same ISP. Maybe without your knowing. And of course, you can use the connection of other people as you walk on the street. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

Am 14.09.2015 um 21:24 schrieb Carlos E. R.:

On 2015-09-14 20:51, Daniel Bauer wrote:

...

Hello,

As my internet sometimes is very slow I opened 192.168.1.1 (with that movistar/Spain specific page)

The local or the remote?

Local

Fibre or ADSL?

ADSL

...

that showed me that besides of my eth0-wired computer there are 4 other WLAN-IPs, although I, for the moment, do not have switched on any wireless device.

WLAN or VLAN?

WLAN

...

Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who has not the slightest idea of how networks work?

Yes. Install "ntop", then start it "rcntop start", as root. Then point a browser to http://localhost:3000

the browser says that the page seems valid, but the connection was denied...

After a while, you will be able to see everything that is sending or receiving traffic, and some information and what is that traffic, and perhaps what type of machines they are.

If you have the IPs, you can find more about them with "nmap":

Telcontar:~ # nmap 192.168.1.2

venus:~ # nmap 192.168.1.35 Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:05 CEST Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 0.59 seconds venus:~ # nmap 192.168.1.37 Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:06 CEST Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 0.46 seconds venus:~ # nmap 192.168.1.37 -Pn Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:06 CEST Nmap done: 1 IP address (0 hosts up) scanned in 0.47 seconds venus:~ # nmap 192.168.1.35 -Pn Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:06 CEST Nmap done: 1 IP address (0 hosts up) scanned in 0.46 seconds -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Am 14.09.2015 um 22:14 schrieb Carlos E. R.:

...

...

Install "ntop", then start it "rcntop start", as root. Then point a browser to http://localhost:3000

the browser says that the page seems valid, but the connection was denied...

What says "rcntop status"?

venus:~ # rcntop status Checking for service ntop: unused ntop.service - LSB: ntop Network Monitor Loaded: loaded (/etc/init.d/ntop) Active: active (exited) since Mon 2015-09-14 22:21:26 CEST; 48s ago Process: 4750 ExecStart=/etc/init.d/ntop start (code=exited, status=0/SUCCESS) -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Mon, Sep 14, 2015 at 12:54 PM, Daniel Bauer wrote:

20:a2:e4 58:a2:b5 f0:27:65

According to the IEEE, the manufacturers of the wireless components of these devices are Apple, Inc., LG Electronics, and Murata Manufacturing Co., Ltd. This information can be very easily spoofed by a malicious individual, but if you don't own an Apple product something sinister is happening. Brandon Vincent -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-09-15 08:28, Per Jessen wrote:

Try pinging the broadcast address:

ping -b 192.168.1.255

Leave it to do a couple of pings, then :

Ah. I like this trick. But it fails in my network, 100% loss, and arp finds nothing.

arp -n

will show who else is (currently) on your network.

As Brandon already said, the first 3 bytes of the MAC address will identify the hardware manufacturer, that might give you a hint.

And you can read it in ntop display ;-) - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX3928ACgkQja8UbcUWM1wouQD/Wjucw7+upR4m6+Bk1Jy5JchN jxunkJqSyHl68YIbNcgBAKC7rhetdly5eRWotr9g5/V2LHQfHoCCKp8RkmNo7uS0 =rDBP -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-09-15 14:55, Per Jessen wrote:

Carlos E. R. wrote:

...

Ah. I like this trick. But it fails in my network, 100% loss, and arp finds nothing.

Did you use the right broadcast address?

Yes. minas-tirith:~ # ifconfig ... wlan0 Link encap:Ethernet HWaddr 0C:EE:E6:D7:BB:5F inet addr:192.168.1.129 Bcast:192.168.1.255 Mask:255.255.255.0 ... minas-tirith:~ # ping -b 192.168.1.255 WARNING: pinging broadcast address PING 192.168.1.255 (192.168.1.255) 56(84) bytes of data. ^C - --- 192.168.1.255 ping statistics --- 11 packets transmitted, 0 received, 100% packet loss, time 9999ms minas-tirith:~ # - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX4GiUACgkQja8UbcUWM1y5qgEAlJtEEp5LfEq+KqBgYEqyDph7 urn+t8ELRp/coMv5F9wA/3iqK7eP4sm4I5XnjQnImNu4XR0FEcl+bfMI5+FE+25M =ttdy -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-09-15 17:07, Per Jessen wrote:

Carlos E. R. wrote:

...

- --- 192.168.1.255 ping statistics --- 11 packets transmitted, 0 received, 100% packet loss, time 9999ms

I guess you've only got Linux systems on your network, and by default

When I tried there were two routers, on switch, a Linux laptop, and two android devices.

(see Brandon's later post) they won't respond to the broadcast ping.

I see. that makes sense. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX4X2AACgkQja8UbcUWM1wDlQD/X4VMWrwYoX6D4xXB3O7oJG/F VRHhTeRDcGAo9jz4zPEA/02eX0Jh4LwPaISbYVID9j+dc5cCAi+Yh665LgZEXji4 =Q00e -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-09-16 07:37, Per Jessen wrote:

Carlos E. R. wrote:

...

When I tried there were two routers, on switch,

If those were managed (i.e. with their own IP) switches, they probably would have responded.

It did not, to the broadcast. It responds to a direct one: minas-tirith:~ # ping switch PING switch (192.168.1.6) 56(84) bytes of data. 64 bytes from switch (192.168.1.6): icmp_seq=1 ttl=64 time=31.1 ms 64 bytes from switch (192.168.1.6): icmp_seq=2 ttl=64 time=5.22 ms ^C - --- switch ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 5.229/18.193/31.157/12.964 ms minas-tirith:~ #

...

a Linux laptop, and two android devices.

Dunno about Android, it probably doesn't respond either.

Maybe. Even nmap can't find a hole. An alternative is: minas-tirith:~ # fping -a -g 192.168.1.0/24 192.168.1.1 192.168.1.2 192.168.1.5 192.168.1.6 192.168.1.15 192.168.1.51 ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.3 ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.4 ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.7 ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.8 ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.9 192.168.1.129 ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.10 ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.11 But I can't find a concoction that keeps silent about unreachable targets. Maybe: minas-tirith:~ # fping -C 1 -q -g 192.168.1.0/24 192.168.1.1 : 2.22 192.168.1.2 : 4.62 192.168.1.3 : - 192.168.1.4 : - 192.168.1.5 : 1.67 192.168.1.6 : 7.32 192.168.1.7 : - 192.168.1.8 : - - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX5YbcACgkQja8UbcUWM1zEWAD/djRivf+nE+bH+pNrp4mWihC+ VzJk1Wc2pR3PDyaVLCgA/3A3Xqaj4ZGaya3+zk9BEgzk7rKI3rWPXaNhTX4T3LPr =eaYd -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-09-16 15:02, Patrick Shanahan wrote:

pfing -agq 192.168.1.0/24

prints only answering ip's

Right, thanks :-) - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlX5cRoACgkQja8UbcUWM1xfAAD/ca8ORIxw4hSrNEQqu3fX2yR0 QgY7JthlTWXtR6TCHngBAIdzXBry+fv4/fHLp0EmPwEe1vNiDxcKgbXQ+RXp4HT5 =mZsN -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Brandon Vincent wrote:

On Tue, Sep 15, 2015 at 5:55 AM, Per Jessen wrote:

...

And the arp table is nicely populated afterwards.

Most devices and operating systems will not respond to broadcast ICMP pings. It's very easy to do smurf denial of service attacks when devices respond. For example, I think most GNU/Linux distributions have net.ipv4.icmp_echo_ignore_broadcasts = 1 set. Some devices may respond, printers, etc. but this is far from an effective technique.

That's true - in fact, none of the devices that responded to my own broadcast ping were Linux boxes. They were telephones, printers, routers, remote service cards etc. -- Per Jessen, Zürich (17.9°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org