[opensuse] who uses my WLAN? wireshark question
Hello,

As my internet is sometimes very slow I opened 192.168.1.1 (with that movistar/Spain specific page), which showed me that besides my eth0-wired computer there are 4 other WLAN IPs, although for the moment I have not switched on any wireless device. I don't know if I'm wrong, but because of this I think somebody else is using my WLAN and I'd like to find out about it.

After googling I installed wireshark (with Yast), but now I am stuck. The web pages I found say I have to use "monitor mode", but the list of interfaces shows "n/a" for all the interfaces in the "monitor mode" column.

Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who doesn't have the slightest idea of how networks work?

Thanks for hints!

Daniel

-- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 14.09.2015 at 20:51, Daniel Bauer wrote:
... Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who has not the slightest idea of how networks work?
Some more details: my router tells me on the status page: There are 3 "DHCP clients" (one is my computer, I guess I know the 2 other ones) and there are 6 "Wireless Clients - Authenticated stations"; 3 of the MAC addresses correspond to the ones in "DHCP clients", about the other 3 I know nothing...
On 09/14/2015 03:07 PM, Daniel Bauer wrote:
and there are 6 "Wireless Clients - Authenticated stations"; 3 of the MAC addresses correspond to the ones in "DHCP clients", about the other 3 I know nothing...
As I suspected. Either disable WiFi or use WPA2 with a new password. BTW, is this your router or the ISP's?
On 14.09.2015 at 21:12, James Knott wrote:
On 09/14/2015 03:07 PM, Daniel Bauer wrote:
and there are 6 "Wireless Clients - Authenticated stations"; 3 of the MAC addresses correspond to the ones in "DHCP clients", about the other 3 I know nothing...
As I suspected. Either disable WiFi or use WPA2 with a new password.
Yes, I'll change the password. I was just keen on finding out what happens, before I'll do it.
BTW, is this your router or the ISP's?
It's the router the ISP provides.
On September 14, 2015 4:14:16 PM EDT, Daniel Bauer wrote:
On 14.09.2015 at 21:12, James Knott wrote:
On 09/14/2015 03:07 PM, Daniel Bauer wrote:
and there are 6 "Wireless Clients - Authenticated stations"; 3 of the MAC addresses correspond to the ones in "DHCP clients", about the other 3 I know nothing...
As I suspected. Either disable WiFi or use WPA2 with a new password.
Yes, I'll change the password. I was just keen on finding out what happens, before I'll do it.
BTW, is this your router or the ISP's?
It's the router the ISP provides.
Semi-off-topic, but this thread reminds me about Comcast's rather unique WiFi offering. They have millions of wireless routers around the country in people's homes and businesses. They got the rather unique idea that they could make them all advertise the "xfinity" SSID, then let any of their customers use any of their wireless routers. Thus I can log into literally millions of residential wireless routers using my comcast credentials. Comcast knows it's me and tracks my bandwidth and charges it against my monthly allotment regardless of which router I'm using.

It's actually a pretty cool setup. I've been at friends' houses and jumped on their wireless router without ever asking them for their credentials. I'd guess that about 50% of the time I'm sitting at a red light, my tablet grabs a xfinity WiFi connection and pulls down the latest emails.

Greg

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
greg.freemyer@gmail.com wrote:
Semi-off-topic, but this thread reminds me about Comcast's rather unique WiFi offering. They have millions of wireless routers around the country in people's homes and businesses.
They got the rather unique idea that they could make them all advertise the "xfinity" SSID, then let any of their customers use any of their wireless routers. Thus I can log into literally millions of residential wireless routers using my comcast credentials. Comcast knows it's me and tracks my bandwidth and charges it against my monthly allotment regardless of which router i'm using.
UPC Cablecom (Liberty Global) does the same here. AFAIK (I am not a cablecom customer), given customer permission, their routers have two SSIDs, one for the customer, one for all other cablecom customers. Quite clever.

-- Per Jessen, Zürich (15.9°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On Tue, 15 Sep 2015, Per Jessen wrote:
greg.freemyer@gmail.com wrote:
Semi-off-topic, but this thread reminds me about Comcast's rather unique WiFi offering. They have millions of wireless routers around the country in people's homes and businesses.
They got the rather unique idea that they could make them all advertise the "xfinity" SSID, then let any of their customers use any of their wireless routers. Thus I can log into literally millions of residential wireless routers using my comcast credentials. Comcast knows it's me and tracks my bandwidth and charges it against my monthly allotment regardless of which router i'm using.
UPC Cablecom (Liberty Global) does the same here. AFAIK (I am not a cablecom customer), given customer permission, their routers have two SSIDs, one for the customer, one for all other cablecom customers. Quite clever.
The biggest cable company in the Netherlands does it as well. At first they were UPC and Ziggo separately, but those companies merged. It started out back in the day with the FON network. Fon tried to strike deals with telcos, and was successful in Portugal/Spain, Belgium and the UK (among others perhaps). In the UK BT (British Telecom) offered a Fon service for its customers which meant that I could also log into it using my Fon credentials (a friend tested it for me). In the Netherlands most companies stayed away from Fon and created their own solution/network.

Personally I don't like it because I never was the one who decided that I'd share my wifi, and these routers downloading updates from centralized servers is a security risk. But even Fon went out the door with me, I just 'hacked' their cheap router and put OpenWRT on it :p. Sharing wifi may be nice but if you never know who you are sharing with, it is not really a "sharing" experience. Fon tried to turn it into a sunny community -- become a Fonero!!! And it was interesting particularly because it was a bit of a 'grass roots movement' or at least had the feel of it. And you could earn money with it, if you had a busy spot. The service was available to non-members for a small payment.

In the end it was a nice idea but if it's not even opt-in I don't want it. In the UPC modem/router you can turn the service off, but actually it is turned off remotely and your thing "knows" about your choice apparently. It's a chance at building community but this way there is no community at all, just bragging rights for the cable company.
Xen wrote:
Personally I don't like it because I never was the one who decided that I'd share my wifi and these routers downloading updates from centralized servers is a security risk.
I think the two SSIDs basically take care of any concerns wrt privacy and sharing. I could imagine some issue wrt load balancing and abuse, but even elderly Zyxel routers had some basic traffic control. I imagine modern boxes to be more sophisticated.
In the end it was a nice idea but if it's not even opt-in I don't want it.
I think it is strictly opt-in in Switzerland, but as I am not a Cablecom customer, I don't know for certain.
On 2015-09-15 11:27, Per Jessen wrote:
Xen wrote:
Personally I don't like it because I never was the one who decided that I'd share my wifi and these routers downloading updates from centralized servers is a security risk.
I think the two SSIDs basically take care of any concerns wrt privacy and sharing. I could imagine some issue wrt load balancing and abuse, but even elderly Zyxel routers had some basic traffic control. I imagine modern boxes to be more sophisticated.
I think ONO in Spain does the same. I think it is opt-in here, but I haven't looked carefully at the config (I have access to one sometimes). I suppose it uses two SSIDs and isolation, so that the passer-by would not have access to the house clients. I think the company keeps track of passers-by's bandwidth usage somehow, because there is a limit. But the wireless being one device, there could be issues when someone (in or out of the house) demands a fast download.

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Tue, 15 Sep 2015, Per Jessen wrote:
Xen wrote:
Personally I don't like it because I never was the one who decided that I'd share my wifi and these routers downloading updates from centralized servers is a security risk.
I think the two SSIDs basically take care of any concerns wrt privacy and sharing. I could imagine some issue wrt load balancing and abuse, but even elderly Zyxel routers had some basic traffic control. I imagine modern boxes to be more sophisticated.
Yes, the 'public' SSID will simply have access to the (internal) gateway but not to the LAN. I have my Fonera configured this way as well; I had it configured as a public/private SSID provider. The private SSID then had access to the local LAN (bridged with eth0) and the public SSID had its own public interface that was only routed past the main router in the home, but which could not even access it.

It's just that I consider it a .... When "community" is no longer the result of "having each other's back" but of some rational, clinical, economic trade... then your "community" falls apart when the rational overlords (the ISP) decide it is no longer in their interests, or whatever. It's just that you are not in control of your life. In the past this wasn't so much of a problem because "they" didn't try to control so much of it. Much of life was free for people to "fill in" on their own, as they pleased. And as a result much was in the hands of the people (even if religion dictated a lot).

The thing is that as soon as you let some external party supply a feature of your life to you that should be your own thing, but which you now have no say about at all, you will be less inclined to create your own. This is true of government welfare and government health services and all of that as well. The government's role has grown each and every year and it is still growing. But there is a thing called "the customer decides". Or in Dutch "wie betaalt, bepaalt" (who pays, decides). And because of this government is getting to have a total say in how these services are offered and within what constraints and under what conditions. Because IT is an area in which complex, hierarchical systems can be introduced in the 'wrong' way, it is an area that lends itself to 'supplying' your needs to you (or their supposed fulfillment) in a way that leaves you completely powerless and dependent.

Instead of spending the time to create your own systems, you would just use what is offered and never become more independent for it. In fact, you might lose things that were previously within your control. Linux and 'free software' is, in fact, at least in principle and in theory, an attempt to "stay in control" of the systems you use. Take Adobe Photoshop and other programs. Software as rental. Microsoft wants to go there too. The software is never in your control because you need to keep dishing out cash to keep using it. In the past, at least, when you had purchased something, you had access to it pretty much forever. That makes Photoshop skills these days a less safe, less dependable, less trustworthy investment for a person to make, and shifts the balance towards open source tools. With open source, the promise and guarantee is pretty much (at least in principle) that the software is never going to go away if you don't want it to. Of course if you are a professional and you believe you will always have that €12 or €60 each month to "buy" the "suite" perhaps it is all irrelevant. Or there are alternatives like Corel Draw and Paint Shop Pro.

I hesitate to fall in line with systems that promise heaven but at the cost of your own independence. Even if you had a system where you actually shared wifi or internet access with 10 real persons, you would own more than if you had free (supposedly) access to 100,000 households. I just don't care to have it. If you really sat in a friend's home, it would be worth more to ask him/her for wifi than to surreptitiously "use" the wifi without asking because you happen to have a login for the shared part... I think it breaks away community and friendship.

Anyway, that's just my thought.
In the end it was a nice idea but if it's not even opt-in I don't want it.
I think it is strictly opt-in in Switzerland, but as I am not a Cablecom customer, I don't know for certain.
They would never do that here because they want to deploy it to basically everyone. They will just assume everyone is happy with it and you can turn it off. But most people won't know or won't have any conscious thought about it and will just leave it on. ;-).
In the end it was a nice idea but if it's not even opt-in I don't want it.
I think it is strictly opt-in in Switzerland, but as I am not a Cablecom customer, I don't know for certain.
I think Comcast is opt-out. But even before that you have to have Comcast internet to your house, plus a Comcast-provided wireless router. I'm a customer at home and work, but neither has a Comcast wireless router.

Greg
On 09/15/2015 07:46 AM, greg.freemyer@gmail.com wrote:
I think Comcast is opt-out. But even before that you have to have Comcast internet to your house, plus a Comcast provided wireless router. I'm a customer at home and work, but neither have a Comcast wireless router.
It likely wouldn't work for me. I have a cable modem/router provided by my ISP, but have it configured for bridge mode and a Linux box for my router. I hope the home customer gets priority over the "visitors".
Hi, thanks for your input!

I changed the WiFi password, and all those suspicious IPs are gone...

However, for testing the new password, I connected with my cell phone, disconnected - and now, more than 2 hours later, its IP is still shown on the router's page. In the DHCP stats it tells me that it will be refreshed in 42-thousand-something seconds...

So maybe those IPs that showed as "connected" in fact only have been connected a long time ago, which is possible, because I had a visitor the night before who used an iPhone and a don't-know-what tablet. Anyway it's weird that those IPs showed up for more than 24 hrs (they were still shown this morning)...

I'll see what happens with the new password.

thanks to all of you!

Daniel

On 14.09.2015 at 21:07, Daniel Bauer wrote:
On 14.09.2015 at 20:51, Daniel Bauer wrote:
... Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who has not the slightest idea of how networks work?
Some more details:
my router tells me on the status page:
There are 3 "DHCP clients" (one is my computer, I guess I know the 2 other ones)
and there are 6 "Wireless Clients - Authenticated stations"; 3 of the MAC addresses correspond to the ones in "DHCP clients", about the other 3 I know nothing...
On 15/09/2015 10:10, Daniel Bauer wrote:
So maybe those IPs that showed as "connected" in fact only have been connected a long time ago, which is possible, because I had a visitor the night before who used an iPhone and a don't-know-what tablet.
Anyway it's weird that those IPs showed up for more than 24 hrs (they were still shown this morning)...
It's common around me with internet boxes. The IP is kept with the MAC of the computer, and often even kept reserved, so once I couldn't connect because there were no more IPs available. It's probably to make the connection more convenient for visitors. I now have 29 computers in the box's DHCP - including at least one never connected and others not connected for more than one year.

jdd
On 2015-09-15 10:27, jdd wrote:
On 15/09/2015 10:10, Daniel Bauer wrote:
So maybe those IPs that showed as "connected" in fact only have been connected a long time ago, which is possible, because I had a visitor the night before who used an iPhone and a don't-know-what tablet.
Anyway it's weird that those IPs showed up for more than 24 hrs (they were still shown this morning)...
It's common around me with internet boxes. The IP is kept with the MAC of the computer, and often even kept reserved, so once I couldn't connect because there were no more IPs available. It's probably to make the connection more convenient for visitors.
Yes, the connection is remembered for some time. It is convenient for machines that connect intermittently, like a mobile phone or tablet.
I now have 29 computers in the box's DHCP - including at least one never connected and others not connected for more than one year.
A year? Wow. That's a long time to remember. Seems yours is set to never forget, and you did not reboot. Typical is one day.
On 15/09/2015 12:44, Carlos E. R. wrote:
A year? Wow. That's a long time to remember. Seems yours is set to never forget, and you did not reboot. Typical is one day.
Yes, I rebooted several times, but the setup is backed up on the ISP servers :-) and I don't see any way to configure that. DHCP has a classical one-day delay, but keeps the IP/MAC of other computers...

jdd
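The two readings Daniel posted (three DHCP clients against six authenticated stations) and the stale-entry behaviour jdd and Carlos describe are one bookkeeping problem: the AP's association list and the DHCP lease table answer different questions and have to be joined before "who uses my WLAN" can be read off. Below is an added example, not code from this thread or from any router firmware, that does that join. The lease lines follow dnsmasq's lease-file layout (expiry epoch, MAC, IP, hostname, client-id), which is an assumption about the box; the MAC addresses, names and timestamps are constructed.

```python
"""Reconcile a router's wireless station list with its DHCP lease table.

Added example for this thread, not code from the list or from any router
vendor. The lease lines use the dnsmasq lease-file layout
(expiry-epoch  MAC  IP  hostname  client-id); an ISP box may print the same
data differently, so adapt parse_leases() to what yours shows.
All MAC addresses, names and timestamps below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed "now" so the run is reproducible: 2015-09-15 07:33:20 UTC.
NOW = 1_442_300_000

# "Wireless Clients - Authenticated stations" as a router status page lists
# them. Routers print MACs in several notations; norm_mac() unifies them.
STATIONS = [
    "AC-DE-48-00-11-22",  # own phone
    "b8:27:eb:12:34:56",  # tablet in the rented room
    "f0:99:bf:01:02:03",  # visitor's iPhone from last night
    "00:11:22:33:44:55",  # unknown, holds a lease
    "66:77:88:99:aa:bb",  # unknown, no lease at all
    "cc:dd:ee:ff:00:11",  # unknown, no lease at all
]

# DHCP lease table. Expiry 1442343200 is NOW + 43200 s: the
# "42-thousand-something seconds" of a fresh 12-hour lease.
LEASES_TEXT = """\
1442343200 ac:de:48:00:11:22 192.168.1.33 daniel-phone 01:ac:de:48:00:11:22
1442343200 00:1e:8c:aa:bb:01 192.168.1.2 daniel-pc *
1442343200 b8:27:eb:12:34:56 192.168.1.40 android-tablet *
1442343200 f0:99:bf:01:02:03 192.168.1.41 visitor-iphone *
1442343200 00:11:22:33:44:55 192.168.1.50 * *
1442210000 d8:50:e6:00:00:aa 192.168.1.51 old-laptop *
"""

# Allow-list of devices the owner can vouch for, in whatever notation was handy.
KNOWN = {
    "00:1e:8c:aa:bb:01": "daniel-pc (wired)",
    "AC:DE:48:00:11:22": "daniel-phone",
    "b8-27-eb-12-34-56": "guest-room-tablet",
    "f099.bf01.0203": "visitor-iphone",
}


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 'AA-BB-..', 'aabb.ccdd.eeff' and
    'aa:bb:..' taken from different router pages compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        leases.append(Lease(int(parts[0]), norm_mac(parts[1]), parts[2], parts[3]))
    return leases


def reconcile(stations, leases, known, now):
    """Split the router's two lists into the categories that matter."""
    assoc = {norm_mac(m) for m in stations}
    allow = {norm_mac(m): name for m, name in known.items()}
    allow_macs = set(allow)
    leased = {lease.mac for lease in leases}
    valid = {lease.mac for lease in leases if lease.expires > now}
    return {
        # associated right now and not vouched for: the "who uses my WLAN" list
        "unknown_stations": sorted(assoc - allow_macs),
        # associated but holding no lease: static IP, or a client that never
        # finished DHCP; the lease table alone would never show these
        "stations_without_lease": sorted(assoc - leased),
        # valid lease but not on the WLAN: wired hosts, or a phone that left;
        # the entry stays until the lease runs out, which is what the thread saw
        "leased_not_associated": sorted(valid - assoc),
        # expired leases that some boxes keep displaying as if the client were present
        "expired_leases": sorted(leased - valid),
        "known_present": sorted(allow[m] for m in assoc & allow_macs),
    }


def main():
    report = reconcile(STATIONS, parse_leases(LEASES_TEXT), KNOWN, NOW)
    for category, entries in report.items():
        print(f"{category}: {', '.join(entries) or '-'}")


if __name__ == "__main__":
    main()
```

Only the first category answers the thread's title; the third is the phone that stayed listed for hours after it disconnected, and the fourth is what a box that never forgets looks like. Paste your own router's two lists into STATIONS and LEASES_TEXT and the unknown stations fall out without any monitor-mode capture.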
On 09/14/2015 02:07 PM, Daniel Bauer wrote:
On 14.09.2015 at 20:51, Daniel Bauer wrote:
... Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who has not the slightest idea of how networks work?
Some more details:
my router tells me on the status page:
There are 3 "DHCP clients" (one is my computer, I guess I know the 2 other ones)
and there are 6 "Wireless Clients - Authenticated stations"; 3 of the MAC addresses correspond to the ones in "DHCP clients", about the other 3 I know nothing...
In addition to WPA, virtually all routers support a MAC address filter. Basically a lookup table of MAC addresses that can be used to "Allow only those listed" to connect. You get the MAC addresses for your wireless devices, enter those in the table, and turn the filter on, and unless the MAC address of a wireless device matches what you put in the table, that device cannot connect. With WPA and a MAC address filter, you can eliminate 99.99% of unwanted connections, even if you put your router in the middle of Times Square. (the other 0.01% are those the Pentagon can't keep out and you are not going to keep out with normal routers...)

-- David C. Rankin, J.D.,P.E.
On 17.09.2015 at 18:33, David C. Rankin wrote:
In addition to WPA, virtually all routers support a MAC address filter.
Basically a lookup table of MAC addresses that can be used to "Allow only those listed" to connect. You get the MAC addresses for your wireless devices, enter those in the table, and turn the filter on, and unless the MAC address of a wireless device matches what you put in the table, that device cannot connect.
With WPA and a MAC address filter, you can eliminate 99.99% of unwanted connections, even if you put your router in the middle of Times Square.
Yes, I've seen that. Problem is that I want to offer my WiFi to visiting friends, and also to the guests of the room I rent. It would be much too complicated to add the MAC address each time...
(the other 0.01% are those the pentagon can't keep out and you are not going to keep out with normal routers...)
I guess/hope the Pentagon wouldn't eat up my internet speed. :-)
On 2015-09-17 20:06, Daniel Bauer wrote:
Yes, I've seen that. Problem is that I want to offer my WiFi to visiting friends, and also to the guests of the room I rent. It would be much too complicated to add the MAC address each time...
Some routers provide a secondary SSID/Pass for guests. I don't know if they are in a different network segment or not.
On 09/17/2015 11:35 AM, Carlos E. R. wrote:
On 2015-09-17 20:06, Daniel Bauer wrote:
Yes, I've seen that. Problem is that I want to offer my WiFi to visiting friends, and also to the guests of the room I rent. It would be very (too much) complicated to add the mac address each time...
Some routers provide a secondary SSID/Pass for guests. I don't know if they are in a different network segment or not.
Just about all of these are in a separate VLAN, but given the somewhat dismal quality of code in consumer routers it might not be that hard to penetrate the VLAN. But most models of routers on the market these days support VLANs. Even DD-WRT supports this. http://www.ciscopress.com/articles/article.asp?p=1730493

-- After all is said and done, more is said than done.
On 09/17/2015 02:35 PM, Carlos E. R. wrote:
Some routers provide a secondary SSID/Pass for guests. I don't know if they are in a different network segment or not.
Guest access tends to allow access to the Internet only.
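The guest SSID the last few posts describe is only worth something if the second BSS really lands on its own segment and the guests cannot reach each other or the house LAN. Below is an added example, not code from this thread or from the hostapd project, that parses a hostapd multi-BSS configuration (plain key=value lines, where each "bss=" line opens the next virtual AP on the same radio) and checks the conditions the thread raises. Both sample configurations are constructed; the audit rules (minimum passphrase length, CCMP only, separate bridge, ap_isolate, hidden SSID and MAC list reported as information only) are this example's own choices.

```python
"""Lint a hostapd multi-BSS configuration for a safely isolated guest SSID.

Added example for this thread, not code from the list or from the hostapd
project. hostapd.conf is key=value; each "bss=" line opens the configuration
of a further virtual AP on the same radio. Both configurations below are
constructed. Layer-3 isolation of the guest bridge (forwarding rules) lives
outside hostapd and is not checked here.
"""
from __future__ import annotations

WEAK_CONF = """\
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
bridge=br-lan
ssid=home-private
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=long-random-private-passphrase

# Guest network as many consumer boxes ship it: same bridge as the LAN.
bss=wlan0_1
bridge=br-lan
ssid=home-guest
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=guest2015
"""

FIXED_CONF = """\
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
bridge=br-lan
ssid=home-private
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=long-random-private-passphrase

bss=wlan0_1
bridge=br-guest
ssid=home-guest
ap_isolate=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=room-guest-rotate-monthly
"""

MIN_PASSPHRASE_LEN = 12  # this example's threshold, not a hostapd rule


def parse_hostapd(text: str) -> list[dict[str, str]]:
    """Return one dict per BSS; the first is the radio's primary BSS."""
    sections: list[dict[str, str]] = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bss":
            sections.append({})
        sections[-1][key] = value
    return sections


def audit(bsses: list[dict[str, str]], guest_ssid: str) -> list[tuple[str, str, str]]:
    """Findings as (severity, ssid, message); severity is 'fail' or 'info'."""
    findings = []
    for b in bsses:
        name = b.get("ssid", "?")
        if b.get("wpa") != "2":
            findings.append(("fail", name, "wpa must be 2: RSN/WPA2 only, no WPA1"))
        if b.get("rsn_pairwise") != "CCMP":
            findings.append(("fail", name, "rsn_pairwise must be CCMP; TKIP is broken"))
        if len(b.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
            findings.append(("fail", name, f"wpa_passphrase shorter than {MIN_PASSPHRASE_LEN} characters"))
        if b.get("ignore_broadcast_ssid", "0") != "0":
            findings.append(("info", name, "hidden SSID is not a security control; "
                                           "clients reveal it in directed probe requests"))
        if b.get("macaddr_acl") == "1":
            findings.append(("info", name, "MAC allow-list only stops accidental joins; "
                                           "addresses are trivially spoofed"))
    private_bridges = {b.get("bridge") for b in bsses if b.get("ssid") != guest_ssid} - {None}
    for g in (b for b in bsses if b.get("ssid") == guest_ssid):
        if g.get("ap_isolate") != "1":
            findings.append(("fail", guest_ssid, "ap_isolate=1 missing: guests can reach each other"))
        if g.get("bridge") in private_bridges:
            findings.append(("fail", guest_ssid,
                             f"guest BSS shares bridge {g.get('bridge')} with the private network"))
    return findings


def failures(text: str, guest_ssid: str = "home-guest") -> list[str]:
    return [msg for sev, _, msg in audit(parse_hostapd(text), guest_ssid) if sev == "fail"]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for sev, ssid, msg in audit(parse_hostapd(conf), "home-guest"):
            print(f"[{sev}] {ssid}: {msg}")
```

The bridge check only shows that hostapd keeps guest traffic on br-guest; whether that bridge can reach the LAN is decided by the router's forwarding rules, which hostapd never sees, so that part has to be audited on the firewall.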
Daniel Bauer wrote:
On 17.09.2015 at 18:33, David C. Rankin wrote:
In addition to WPA, virtually all routers support a MAC address filter.
Basically a lookup table of MAC addresses that can be used to "Allow only those listed" to connect. You get the MAC addresses for your wireless devices, enter those in the table, and turn the filter on, and unless the MAC address of a wireless device matches what you put in the table, that device cannot connect.
With WPA and a MAC address filter, you can eliminate 99.99% of unwanted connections, even if you put your router in the middle of Times Square.
Yes, I've seen that. Problem is that I want to offer my WiFi to visiting friends, and also to the guests of the room I rent. It would be much too complicated to add the MAC address each time...
Alternatively, you could make the SSID invisible; your friends would then need to type it in once.
On 09/18/2015 02:16 AM, Per Jessen wrote:
Yes, I've seen that. Problem is that I want to offer my WiFi to visiting friends, and also to the guests of the room I rent. It would be much too complicated to add the MAC address each time...
Alternatively, you could make the SSID invisible; your friends would then need to type it in once.
That's another thing that doesn't provide much security.
James Knott wrote:
On 09/18/2015 02:16 AM, Per Jessen wrote:
Yes, I've seen that. Problem is that I want to offer my WiFi to visiting friends, and also to the guests of the room I rent. It would be much too complicated to add the MAC address each time...
Alternatively, you could make the SSID invisible; your friends would then need to type it in once.
That's another thing that doesn't provide much security.
Well, he's not looking for a lot of security, so it fits the bill. Unless there is an easy way of determining unadvertised SSIDs?
On Fri, 18 Sep 2015, Per Jessen wrote:
James Knott wrote:
On 09/18/2015 02:16 AM, Per Jessen wrote:
Yes, I've seen that. Problem is that I want to offer my WiFi to visiting friends, and also to the guests of the room I rent. It would be much too complicated to add the MAC address each time...
Alternatively, you could make the SSID invisible; your friends would then need to type it in once.
That's another thing that doesn't provide much security.
Well, he's not looking for a lot of security, so it fits the bill. Unless there is an easy way of determining unadvertised SSIDs?
I once read of a tool that could download/offload lists of previously used SSIDs from mobile devices themselves. Never seen it, never heard it, never used it, so can't be sure. But apparently it was quite possible and this information was just leaked by devices (not even by APs).

Once you know the name of an SSID/AP you can pretend to be it and usually the mobile device will hand you over its password, so now you have the password to the router/AP. Then you can just offer each SSID in turn and take every password that is offered to you. There is no security in this, no verification at all.

But still I would take security by obscurity over no security any time. Any time at all. Obscurity is a good measure and you can complement it with whatever measure you have in place (security by access token).
On Fri, Sep 18, 2015 at 9:29 AM, Xen wrote:
Once you know the name of an SSID/ap you can pretend to be it and usually the mobile device will hand you over its password, so now you have the password to the router/ap. Then you can just offer each SSID in turn and take every password that is offered to you. There is no security in this, no verification at all.
With a rogue AP/evil-twin attack, the four-way handshake prevents the AP from obtaining a plaintext pre-shared key. You would still need to brute force the handshake/message integrity check similar to a normal WPA2-PSK access point.

Brandon Vincent
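Brandon's correction is the whole security argument for WPA2-PSK against an evil twin: the client never transmits the key, only a MIC derived from it, so a rogue AP ends up with a verifier for passphrase guesses and nothing more. Below is an added example, not code from this thread, that walks through the standard derivation with the Python standard library and shows what the attacker can and cannot do with the client's message 2. The SSID, MAC addresses, nonces and candidate passphrases are constructed; the frame is a minimal EAPOL-Key message 2 for a CCMP network.

```python
"""What an evil-twin AP learns from a WPA2-PSK four-way handshake.

Added example for this thread, not code from the list. Standard 802.11i
derivations, implemented with the standard library only:
  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
  PTK = PRF-384(PMK, "Pairwise key expansion", sorted MACs || sorted nonces)
  MIC = HMAC-SHA1(KCK, EAPOL-Key frame with the MIC field zeroed)[:16]
(key descriptor version 2, i.e. an AES/CCMP network).
SSID, MAC addresses, nonces and the passphrase list are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

SSID = "MOVISTAR_ABCD"                      # constructed
TRUE_PASSPHRASE = "barcelona-rooftop-2015"  # constructed; unknown to the evil twin
AP_MAC = bytes.fromhex("001122334455")      # the rogue AP's own address
STA_MAC = bytes.fromhex("66778899aabb")     # the victim client
# Standard RSN information element: CCMP group/pairwise cipher, PSK key management.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = KCK(16) || KEK(16) || TK(16) for CCMP. Inputs are sorted so both
    sides derive the same key regardless of who is AP and who is client."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def build_msg2(snonce: bytes, replay_counter: int, mic: bytes = bytes(16)) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP): the bytes the MIC covers."""
    key_info = 0x010A  # descriptor version 2, pairwise key, MIC present
    body = (bytes([2])                          # descriptor type: RSN
            + struct.pack(">HH", key_info, 16)  # key info, key length (CCMP)
            + struct.pack(">Q", replay_counter)
            + snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, key IV, RSC, key ID
            + mic
            + struct.pack(">H", len(RSN_IE)) + RSN_IE)
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body  # EAPOL v2, type Key


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def rogue_ap_capture() -> dict:
    """Simulate the exchange: the rogue AP sends its ANonce, the client answers
    with SNonce plus a MIC. Everything the attacker ends up holding is returned."""
    anonce = hashlib.sha256(b"rogue-ap-anonce").digest()  # attacker-chosen
    snonce = hashlib.sha256(b"client-snonce").digest()    # client-chosen
    # Client side: it has the real passphrase and computes the MIC over message 2.
    kck = derive_ptk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID),
                     AP_MAC, STA_MAC, anonce, snonce)[:16]
    mic = eapol_mic(kck, build_msg2(snonce, 1))
    # On the air the frame carries the MIC; the attacker zeroes the field again to test guesses.
    return {"ssid": SSID, "ap_mac": AP_MAC, "sta_mac": STA_MAC,
            "anonce": anonce, "snonce": snonce,
            "eapol_zeroed": build_msg2(snonce, 1), "mic": mic}


def check_candidates(cap: dict, candidates) -> str | None:
    """The handshake is a verifier, not a disclosure: each guess costs one
    PBKDF2 run, and the passphrase is found only if it is in the list."""
    for guess in candidates:
        pmk = pmk_from_passphrase(guess, cap["ssid"])
        kck = derive_ptk(pmk, cap["ap_mac"], cap["sta_mac"], cap["anonce"], cap["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, cap["eapol_zeroed"]), cap["mic"]):
            return guess
    return None


if __name__ == "__main__":
    cap = rogue_ap_capture()
    print("MIC captured:", cap["mic"].hex())
    print("dictionary hit:", check_candidates(cap, ["password", "12345678", TRUE_PASSPHRASE]))
```

Every guess costs a 4096-round PBKDF2 over the SSID-salted passphrase, and that cost per guess is the only thing between a captured handshake and the network key; it is why the advice in this thread is a long WPA2 passphrase rather than a hidden SSID or a MAC list.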
On Fri, Sep 18, 2015 at 2:57 PM, James Knott wrote:
Security by obscurity is no security.
The simplest solution is to disable the wireless on the ISP-provided modem/router (either via software or physically) and roll your own access point.

Brandon Vincent
On 18.09.2015 at 23:57, James Knott wrote:
On 09/18/2015 12:29 PM, Xen wrote:
But still I would take security by obscurity over no security any time.
Security by obscurity is no security.
I guess, apart from my SUSE firewall, I have no security.

For a non-expert (or even the contrary of an expert), and somebody who doesn't want to spend money on more devices, things are not understandable. I have never found a how-to website that clearly says: do this 1, then this 2, then this, and explains why - without using tons of words I've never heard before, that informs about the drawbacks and that is so serious that I don't get the feeling that in following its advice I am exactly opening access to this specific site or ruining my system, especially since most things have to be done as root.

Probably it is not even possible to set up such a how-to, thinking about all the different systems, routers...

So for people like me, the only hope is that the firewall as set up by default when installing the system, and using strong passwords, is enough to protect me from a disaster... Maybe I could call this "security by luck".
On 09/19/2015 04:47 AM, Daniel Bauer wrote:
I have never found a how-to-website, that clearly says: do this 1, then this 2, then this, and explains why - without using tons of words
that's probably because it's such a wide filed. However, you can find out a lot just by reading about the various things. Also, as I mentioned, there are things that people consider "security", such as not broadcasting SSID, which on the surface look good, but are really nonsense. For WiFi, you need WPA2 and a strong password.
On 09/19/2015 06:36 AM, James Knott wrote:
that's probably because it's such a wide filed.
Sorry, typo. I hadn't had my morning beer yet. ;-) That should be "That's probably because it's such a wide field".
On 2015-09-19 at 06:36 -0400, James Knott wrote:
On 09/19/2015 04:47 AM, Daniel Bauer wrote:
I have never found a how-to-website, that clearly says: do this 1, then this 2, then this, and explains why - without using tons of words
that's probably because it's such a wide filed. However, you can find out a lot just by reading about the various things. Also, as I mentioned, there are things that people consider "security", such as not broadcasting SSID, which on the surface look good, but are really nonsense. For WiFi, you need WPA2 and a strong password.
Hiding the SSID is not a serious security measure, but it hinders many intruders, those not determined enough. If used with other measures, it helps a bit. Same goes for MAC filters. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/19/2015 05:00 AM, Carlos E. R. wrote:
Hiding the SSID is not a serious security measure, but it hinders many intruders, those not determined enough. If used with other measures, it helps a bit.
Same goes for MAC filters.
Exactly. Hiding those things keeps out 5 nines (99.999%) of the wifi freeloaders. The rest you aren't going to keep out anyway, but unless you live near a serious hacker you simply don't need to worry about them. That said, WPA2 and a longish password seems good enough for me. -- After all is said and done, more is said than done.
On Sat, 19 Sep 2015, John Andersen wrote:
On 09/19/2015 05:00 AM, Carlos E. R. wrote:
Hiding the SSID is not a serious security measure, but it hinders many intruders, those not determined enough. If used with other measures, it helps a bit.
Same goes for MAC filters.
Exactly. Hiding those things keeps out 5 nines (99.999%) of the wifi freeloaders.
The rest you aren't going to keep out anyway, but unless you live near a serious hacker you simply don't need to worry about them.
Yeah. And I do know how to hack a WPA2 signal (the tutorials are there) but I do not know how to find an unadvertised SSID. So there you have it. Maybe if you can hook onto a key exchange / connection setup, you can find out. But I don't yet know if it is possible. So there you have it. You are protected against me :p.
On 09/19/2015 12:24 PM, Xen wrote:
On Sat, 19 Sep 2015, John Andersen wrote:
On 09/19/2015 05:00 AM, Carlos E. R. wrote:
Hiding the SSID is not a serious security measure, but it hinders many intruders, those not determined enough. If used with other measures, it helps a bit.
Same goes for MAC filters.
Exactly. Hiding those things keeps out 5 nines (99.999%) of the wifi freeloaders.
The rest you aren't going to keep out anyway, but unless you live near a serious hacker you simply don't need to worry about them.
Yeah. And I do know how to hack a WPA2 signal (the tutorials are there) but I do not know how to find an unadvertised SSID. So there you have it. Maybe if you can hook onto a key exchange / connection setup, you can find out. But I don't yet know if it is possible. So there you have it. You are protected against me :p.
Yes, I am protected against you. You see, WiFi is by design a short range system. So, me, sitting in Washington State, need only worry about the immediate vicinity of 300 meters or so, and I don't need to worry about some wifi interloper located in Amsterdam or some such place.
On Sat, 19 Sep 2015, John Andersen wrote:
Yeah. And I do know how to hack a WPA2 signal (the tutorials are there) but I do not know how to find an unadvertised SSID. So there you have it. Maybe if you can hook onto a key exchange / connection setup, you can find out. But I don't yet know if it is possible. So there you have it. You are protected against me :p.
Yes, I am protected against you.
You see, WiFi is by design a short range system. So, me, sitting in Washington State, need only worry about the immediate vicinity of 300 meters or so, and I don't need to worry about some wifi interloper located in Amsterdam or some such place.
Oh, how nice you are to me now.
On 09/19/2015 03:37 PM, John Andersen wrote:
Yes, I am protected against you.
You see, WiFi is by design a short range system. So, me, sitting in Washington State, need only worry about the immediate vicinity of 300 meters or so, and I don't need to worry about some wifi interloper located in Amsterdam or some such place.
I guess you didn't watch the last few episodes of "The Last Ship" where the bad guys set up a Bluetooth network that covered much of the U.S.. ;-)
On Sat, Sep 19, 2015 at 12:24 PM, Xen wrote:
Yeah. And I do know how to hack a WPA2 signal (the tutorials are there) but I do not know how to find an unadvertised SSID. So there you have it. Maybe if you can hook onto a key exchange / connection setup, you can find out. But I don't yet know if it is possible. So there you have it. You are protected against me :p.
When you hide the SSID on your router/access point, the access point sends out beacon frames that have the SSID set to a null value. When your computer or other device wants to connect to a wireless network with a hidden SSID, it has to issue a probe request that contains the SSID of the hidden network. Your access point now responds with the information required for your device to connect. So when devices are establishing a connection with a hidden SSID, the SSID is leaked. Hiding the SSID can actually decrease overall security because computers that are set to automatically connect to wireless networks are constantly sending probes with the SSID when looking for hidden SSIDs. When you set your computer to automatically connect to a non-hidden SSID, the computer only listens for the beacon frames from the access point your computer wants to connect to, instead of having your computer advertise what network it is searching for. This makes it easy for individuals to spoof your router/access point (when the SSID is hidden) and cause your computer to connect to their network. Brandon Vincent
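To make the beacon/probe behaviour above concrete, here is an added example (not code from the thread) that decodes the SSID element from 802.11 management frames and reports which access points hide their name and which names client probe requests give away anyway. The frames are constructed in the script; the layout (24-byte header, 12 fixed bytes for beacons and probe responses, then tagged elements with tag 0 = SSID) is the standard one, and the MAC addresses and names are made up.

```python
import struct
from typing import Dict, List, Optional, Set

# 802.11 management frame header: frame control, duration, addr1 (DA),
# addr2 (SA), addr3 (BSSID), sequence control; all little-endian.
MGMT_HEADER = struct.Struct("<HH6s6s6sH")
# Beacons and probe responses carry 12 fixed bytes before the tagged
# elements: timestamp (8), beacon interval (2), capability info (2).
BEACON_FIXED = struct.Struct("<QHH")
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 0x4, 0x5, 0x8
IE_SSID = 0
BROADCAST = b"\xff" * 6


def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def build_mgmt_frame(subtype: int, src: bytes, ssid: Optional[bytes]) -> bytes:
    """Build a minimal management frame carrying one SSID element (or none).
    Used only to construct sample input; not a real capture."""
    frame_control = subtype << 4        # type 0 (management), protocol version 0
    frame = MGMT_HEADER.pack(frame_control, 0, BROADCAST, src, src, 0)
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        frame += BEACON_FIXED.pack(0, 100, 0x0411)
    if ssid is not None:
        frame += bytes([IE_SSID, len(ssid)]) + ssid
    return frame


def parse_mgmt_frame(frame: bytes) -> Dict[str, object]:
    """Return the subtype, the source MAC and the SSID element (None if absent)."""
    fc, _dur, _da, sa, _bssid, _seq = MGMT_HEADER.unpack_from(frame)
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    offset = MGMT_HEADER.size
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        offset += BEACON_FIXED.size
    ssid: Optional[bytes] = None
    while offset + 2 <= len(frame):                 # walk the tagged elements
        tag, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2: offset + 2 + length]
        if len(value) != length:                    # truncated element: stop
            break
        if tag == IE_SSID:
            ssid = value
        offset += 2 + length
    return {"subtype": subtype, "src": mac_str(sa), "ssid": ssid}


def ssid_is_hidden(ssid: Optional[bytes]) -> bool:
    """An AP hides its name with a zero-length SSID or one padded with NUL bytes."""
    return ssid is None or len(ssid) == 0 or all(b == 0 for b in ssid)


def audit_ssid_exposure(frames: List[bytes]) -> Dict[str, Set[str]]:
    """Summarise a capture: BSSIDs that hide their SSID in beacons, names that
    are beaconed in the clear, and hidden names that client probes expose."""
    report: Dict[str, Set[str]] = {
        "hidden_bssids": set(), "advertised_ssids": set(), "leaked_by_probe": set()}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        ssid = info["ssid"]
        if info["subtype"] == SUBTYPE_BEACON:
            if ssid_is_hidden(ssid):
                report["hidden_bssids"].add(info["src"])
            else:
                report["advertised_ssids"].add(ssid.decode("utf-8", "replace"))
        elif info["subtype"] == SUBTYPE_PROBE_REQ and not ssid_is_hidden(ssid):
            report["leaked_by_probe"].add(ssid.decode("utf-8", "replace"))
    # A directed probe only gives something away if nobody beacons that name.
    report["leaked_by_probe"] -= report["advertised_ssids"]
    return report


# Constructed sample capture: a hidden AP, a normal AP, a client probing for
# the hidden name, and a client sending wildcard and directed probes.
AP_HIDDEN = bytes.fromhex("020000000001")
AP_OPEN = bytes.fromhex("020000000002")
CLIENT_A = bytes.fromhex("020000000010")
CLIENT_B = bytes.fromhex("020000000011")
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_BEACON, AP_HIDDEN, b""),
    build_mgmt_frame(SUBTYPE_BEACON, AP_OPEN, b"CafeWiFi"),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT_A, b"MyHiddenHome"),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT_B, b""),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT_B, b"CafeWiFi"),
]

if __name__ == "__main__":
    for key, values in audit_ssid_exposure(SAMPLE_FRAMES).items():
        print(f"{key}: {sorted(values)}")
```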
This is amazing. Thank you so much. On Sat, 19 Sep 2015, Brandon Vincent wrote:
When you hide the SSID on your router/access point, the access point sends out beacon frames that have the SSID set to a null value. When your computer or other device wants to connect to a wireless network with a hidden SSID, it has to issue a probe request that contains the SSID of the hidden network. Your access point now responds with the information required for your device to connect. So when devices are establishing a connection with a hidden SSID, the SSID is leaked.
Hiding the SSID can actually decrease overall security because computers that are set to automatically connect to wireless networks are constantly sending probes with the SSID when looking for hidden SSIDs. When you set your computer to automatically connect to a non-hidden SSID, the computer only listens for the beacon frames from the access point your computer wants to connect to, instead of having your computer advertise what network it is searching for.
This makes it easy for individuals to spoof your router/access point (when the SSID is hidden) and cause your computer to connect to their network.
Are you confident that devices ordinarily don't do this? The reason I wrote my earlier post (that you responded to with equally amazing information) was because I have read of a journalist who went on a trip with a wifi hacker who demonstrated his skill. They sat down in a café or coffee shop and the guy put a little USB wifi device on the table covered by a newspaper or book. The device had a radio that he configured to broadcast the same SSID as the establishment they were at. Many devices connected to his AP instead of the real one and his computer started deciphering all of the communication between their devices and the internet. He had to do nothing else. The software started displaying passwords for email services and Facebook and the like as they were sent by these devices to those services. I remember reading that "it is encrypted" but that equally it was painless to decipher it on the spot. His device just relayed the connections to the real SSID he was connected to (the real BSSID). He showed the journalist how he could now log into their Facebook if he wanted to and he opened some of these pages (without logging in) and we saw the pictures of people sitting across the table etc. He could send them an email if he wanted to. He also said that his device would probe the devices for lists of SSIDs and we saw (e.g. on the journalist's phone) how the 'room' was being populated with those SSIDs by that device, i.e. the device just posed as all of them simultaneously. I don't know or remember for what purpose.
On Sat, Sep 19, 2015 at 1:01 PM, Xen wrote:
He had to do nothing else. The software started displaying passwords for email services and Facebook and the like as they were sent by these devices to those services. I remember reading that "it is encrypted" but that equally it was painless to decipher it on the spot. His device just relayed the connections to the real SSID he was connected to (the real BSSID). He showed the journalist how he could now log into their Facebook if he wanted to and he opened some of these pages (without logging in) and we saw the pictures of people sitting across the table etc. He could send them an email if he wanted to. He also said that his device would probe the devices for lists of SSIDs and we saw (e.g. on the journalist's phone) how the 'room' was being populated with those SSIDs by that device, i.e. the device just posed as all of them simultaneously. I don't know or remember for what purpose.
Unless you configure your computer or phone to connect to a specific BSSID, a computer set to connect to a particular SSID could have connected to his access point instead. He likely configured his device to relay the network traffic to the real access point. This is called an "evil-twin attack". A successful "evil-twin attack" allows an attacker to control virtually all network traffic between your computer and the Internet. For a long time, Facebook, some financial institutions, and other major companies had login pages that were served via HTTPS (preventing disclosure of your username and password), but left other pages unencrypted. Anytime a user would request a webpage from these companies via an unencrypted channel, a portion of the session cookie that identified the user would be automatically sent by the browser. This allowed anyone to capture the session cookie generated during login and impersonate the user. An extension called Firesheep [1] used to do this automatically without requiring any expertise. If you connected to a public wireless access point without any form of wireless security, performing an "evil-twin" attack to obtain such session cookies was not necessary since these networks are unencrypted. You could perform such attacks passively since users' computers are transmitting HTTP data to the access point unencrypted. Today, most websites enforce HTTPS for all pages (mitigating such attacks) since HTTPS no longer requires a lot of overhead. Additionally, proper session cookies should be set with the "secure" attribute to prevent them from being transmitted over an unencrypted HTTP connection. Also, even with an "evil-twin" attack, newer security concepts such as RFC 6797/HTTP Strict Transport Security (HSTS) would prevent typical MitM attacks on SSL/TLS enabled websites. Brandon Vincent
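As an added example (not from the thread), the following script audits a raw HTTP response for the two server-side mitigations Brandon names: the Secure (and HttpOnly) attribute on the session cookie, and a Strict-Transport-Security policy per RFC 6797. The three responses it checks are constructed to show the Firesheep-era pattern, a too-short HSTS policy, and a hardened response; the cookie name "sessionid" is an assumption.

```python
from typing import Dict, List, Optional, Set, Tuple

ONE_YEAR = 365 * 24 * 3600   # the usual minimum max-age for a meaningful HSTS policy


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into its status line and (name, value)
    header pairs; header names are lower-cased, values keep their case."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_fields(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute: value}) for one Set-Cookie value.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def hsts_policy(value: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None when the mandatory max-age directive is missing or malformed."""
    policy: Dict[str, object] = {"include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
        elif key == "preload":
            policy["preload"] = True
    return policy if "max_age" in policy else None


def audit(raw: bytes, session_cookies: Set[str]) -> List[str]:
    """Report the weaknesses discussed above: a session cookie the browser would
    also send over plain HTTP (no Secure attribute), a cookie readable by page
    scripts (no HttpOnly), and a missing or too-short HSTS policy."""
    findings: List[str] = []
    hsts = None
    _status, headers = parse_response(raw)
    for name, value in headers:
        if name == "set-cookie":
            cname, attrs = cookie_fields(value)
            if cname not in session_cookies:
                continue
            if "secure" not in attrs:
                findings.append(f"cookie {cname}: missing Secure attribute")
            if "httponly" not in attrs:
                findings.append(f"cookie {cname}: missing HttpOnly attribute")
        elif name == "strict-transport-security":
            hsts = hsts_policy(value)
    if hsts is None:
        findings.append("missing or malformed Strict-Transport-Security header")
    elif hsts["max_age"] < ONE_YEAR:
        findings.append(f"HSTS max-age {hsts['max_age']} is shorter than one year")
    return findings


# Constructed sample responses (not captured from any real site).
LEGACY_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Set-Cookie: sessionid=c0ffee; Path=/; HttpOnly\r\n"
                   b"Set-Cookie: lang=en; Path=/\r\n\r\n<html>profile</html>")
SHORT_HSTS_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                       b"Set-Cookie: sessionid=c0ffee; Path=/; Secure; HttpOnly\r\n"
                       b"Strict-Transport-Security: max-age=300\r\n\r\n")
HARDENED_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                     b"Set-Cookie: sessionid=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
                     b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("legacy", LEGACY_RESPONSE), ("short-hsts", SHORT_HSTS_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp, {"sessionid"}) or ["ok"])
```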
On 2015-09-19 at 14:36 -0700, Brandon Vincent wrote:
For a long time, Facebook, some financial institutions, and other major companies had login pages that were served via HTTPS (preventing disclosure of your username and password), but left other pages unencrypted. Anytime a user would request a webpage from these companies via an unencrypted channel, a portion of the session cookie that identified the user would be automatically sent by the browser. This allowed anyone to capture the session cookie generated during login and impersonate the user. An extension called Firesheep [1] used to do this automatically without requiring any expertise.
Ah! :-o So that's why! Thanks, very interesting tidbit.
On 09/19/2015 03:24 PM, Xen wrote:
The rest you aren't going to keep out anyway, but unless you live near a serious hacker you simply don't need to worry about them.
Yeah. And I do know how to hack a WPA2 signal (the tutorials are there) but I do not know how to find an unadvertised SSID. So there you have it. Maybe if you can hook onto a key exchange / connection setup, you can find out. But I don't yet know if it is possible. So there you have it. You are protected against me :p.
WPA2??? WPA perhaps and definitely WEP. BTW, I read something recently about what the NSA said about AES, which is the encryption method used in WPA2. It went something like "If you had a computer that could break DES in one second, it would take 139 trillion years to break AES". DES was used by banks etc. for several years, but is now considered insecure. At work I use a piece of test equipment that could read the unadvertised SSID, if it was equipped for WiFi.
On 09/19/2015 03:19 PM, John Andersen wrote:
That said, WPA2 and a longish password seems good enough for me.
You can go to www.grc.com and generate passwords like this: ANOFn]FCzpaKAJ%A,P)XiQ*]e{kMz"xvgiltX0aWWAYI)Of,3X:W6z`cy.zukU/ Try guessing that one. ;-)
On 2015-09-19 at 16:52 -0400, James Knott wrote:
You can go to www.grc.com and generate passwords like this:
ANOFn]FCzpaKAJ%A,P)XiQ*]e{kMz"xvgiltX0aWWAYI)Of,3X:W6z`cy.zukU/
Try guessing that one. ;-)
:-) I suppose that any long enough password, with content not related to the person that created it (such as a birthday or dog name), is hard enough to guess. For instance, a phrase taken from a book, with some numbers and symbols inserted at random. It makes dictating the password to a guest easier. (Of course, if it is a sentence from a book, knowing a part of it would make it easier to guess the rest.) That said... what is long enough? Or rather, optimal password length? (for wifi)
On 09/20/2015 08:08 AM, Carlos E. R. wrote:
That said... what is long enough? Or rather, optimal password length? (for wifi)
WPA2 supports up to 63 ASCII characters or 64 hex digits. 64 hex characters are 256 bits, which happens to be the key size used. When using any number, up to 63, of ASCII characters, the password is converted to a 256 bit hash. One interesting fact about this is there are many more possible password combinations than possible hash values. So, you could have multiple passwords that would work, but it would be a huge job to find even one.
On 09/19/2015 04:52 PM, James Knott wrote:
On 09/19/2015 03:19 PM, John Andersen wrote:
That said, WPA2 and a longish password seems good enough for me.
You can go to www.grc.com and generate passwords like this:
ANOFn]FCzpaKAJ%A,P)XiQ*]e{kMz"xvgiltX0aWWAYI)Of,3X:W6z`cy.zukU/
Try guessing that one. ;-)
KDE users don't need to go off-site to generate passwords of arbitrary length. There is an on-screen applet with KDE4, "Random password generator", with a couple of options: special characters and all lower-case, just in case you meet oddball sites that can't handle upper-case or special characters. Truth be told there are many sites like that! You can set the length of the password. Most sites I try for 16 characters and many baulk at that! I just tried setting it to 63 and this is what I got:
]?\$d<`<^FyySDg~p263!I_Q/6jkn^K36QK/;UQXSuk4MwI/wCFiAGvgw]}b]K0
and again
SnZ!qN]QUY,jK9Cf,b;rsMn((88=2yKy:<3-}ky89q=p*]WvP!J%2p'd'tP|*)Z
Surely there's a similar tool for Gnome/LXDE/xfce and even e16 users? If you prefer CLI, there is
$ openssl rand -base64 63
and example output
WVaYjqo2Be8iBmIw53mtPytR45ZRSG1AEjr4mS7WLW7b/C1Cn2kPZqCOtqZfLhpz pXhal+CN9b8lGL/UpCZ/
Of course you could use
$ xscreensaver-getimage-file --name --nocache
and feed that file through some hash generator. Point it at a big directory of images or a tree of your photographs! And hash that ...
$ openssl passwd -apr1 -in /home/anton/Photographs/$(xscreensaver-getimage-file --name --no-cache /home/anton/Photographs/)
$apr1$vyAPOM0m$QUr604ES6YXtPmvnwW3AE1
Although that's 37 characters and always begins with "$apr1$". So, just 32. Take 2 and string them together! HMMMM There are many other such ways of LOCALLY producing strong (for various interpretations of the term 'strong') password strings.
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 09/20/2015 10:01 AM, Anton Aylward wrote:
If you prefere CLI, there is
$ openssl rand -base64 63
and example output
I have used ps aux|md5sum to generate a 32 digit hex string. You'd have to do that twice to create a 64 hex digit password for WPA2. Regardless, there's no reason to use easily guessed passwords such as "123456" as many on that Ashley Madison did.
I have used ps aux|md5sum to generate a 32 digit hex string. You'd have to do that twice to create a 64 hex digit password for WPA2. Regardless, there's no reason to use easily guessed passwords such as "123456" as many on that Ashley Madison did.
Is it possible to enter Hex passwords as such? Because typing, for instance, "50c64e454405dac3688aa8548e8d0a88" is easier than "SnZ!qN]QUY,jK9Cf,b;rsMn((88=2yKy:<3-}ky89q=p*]WvP!J%2p'd'tP|*)Z".
On 09/20/2015 01:32 PM, Carlos E. R. wrote:
Is it possible to enter Hex passwords as such?
I would expect that anything that accepts alpha-numeric characters would accept hex.
On 2015-09-20 at 13:47 -0400, James Knott wrote:
On 09/20/2015 01:32 PM, Carlos E. R. wrote:
Is it possible to enter Hex passwords as such?
I would expect that anything that accepts alpha-numeric characters would accept hex.
I mean whether I can just type the hex password in the entry field, and whatever will know that I'm typing hex, not ascii. Be it network manager, wicd, android, etc. Or do I need to toggle a setting somewhere to tell it I'm using hex? I have never tried, that's why I do not know.
On 09/20/2015 04:43 PM, Carlos E. R. wrote:
Is it possible to enter Hex passwords as such?
I would expect that anything that accepts alpha-numeric characters would accept hex.
I mean whether I can just type the hex password in the entry field, and whatever will know that I'm typing hex, not ascii. Be it network manager, wicd, android, etc.
That would depend on what needs the passwords. WiFi gear generally accepts either. My access point will accept 8-63 ASCII characters or 8-64 hex digits.
On 2015-09-20 at 17:11 -0400, James Knott wrote:
On 09/20/2015 04:43 PM, Carlos E. R. wrote:
Is it possible to enter Hex passwords as such?
I would expect that anything that accepts alpha-numeric characters would accept hex.
I mean whether I can just type the hex password in the entry field, and whatever will know that I'm typing hex, not ascii. Be it network manager, wicd, android, etc.
That would depend on what needs the passwords. WiFi gear generally accepts either. My access point will accept 8-63 ASCII characters or 8-64 hex digits.
Then we have a problem. If I enter, say, 60 hex digits, which is after all a plain ascii string, if the password field thinks it is ascii, it will be a very poor password, with only 16 values per byte.
On 09/20/2015 05:18 PM, Carlos E. R. wrote:
Then we have a problem.
If I enter, say, 60 hex digits, which is after all a plain ascii string, if the password field thinks it is ascii, it will be a very poor password, with only 16 values per byte.
Lessee now. 60 hex digits. That's 16^60 possible values. That's 1.7668 × 10^72. Of course, the attacker wouldn't have any idea about the number of characters or whether hex or ASCII. They will all result in a 256 bit hash and there are 2^256 of them.
On 09/20/2015 05:11 PM, James Knott wrote:
On 09/20/2015 04:43 PM, Carlos E. R. wrote:
Is it possible to enter Hex passwords as such?
I would expect that anything that accepts alpha-numeric characters would accept hex.
I mean whether I can just type the hex password in the entry field, and whatever will know that I'm typing hex, not ascii. Be it network manager, wicd, android, etc.
That would depend on what needs the passwords. WiFi gear generally accepts either. My access point will accept 8-63 ASCII characters or 8-64 hex digits.
I think the point that Carlos was trying to make is that there's no way to tell from a certain set of strings if the input is hex or not, simply because the hex representation is a subset of ASCII. For example, is the following in hex or not?
A99CBDF0
Clearly this is not hex:
A99;;Bd/F
On 09/22/2015 08:24 AM, Anton Aylward wrote:
I think the point that Carlos was trying to make is that there's no way to tell from a certain set of strings if the input is hex or not, simply because the hex representation is a subset of ASCII.
For example, is the following in hex or not?
A99CBDF0
Clearly this is not hex:
A99;;Bd/F
My AP will allow entering either 63 ASCII or 64 hex characters. So, it would check for any characters that are out of the hex range and, if found, assume ASCII.
* James Knott
On 09/22/2015 08:24 AM, Anton Aylward wrote:
I think the point that Carlos was trying to make is that there's no way to tell from a certain set of strings if the input is hex or not, simply because the hex representation is a subset of ASCII.
For example, is the following in hex or not?
A99CBDF0
Clearly this is not hex:
A99;;Bd/F
My AP will allow entering either 63 ASCII or 64 hex characters. So, it would check for any characters that are out of the hex range and, if found, assume ASCII.
And if they are not "out of the hex range" but *are* ascii ??? -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net
On 09/22/2015 08:57 AM, Patrick Shanahan wrote:
My AP will allow entering either 63 ASCII or 64 hex characters. So, it would check for any characters that are out of the hex range and, if found, assume ASCII.
And if they are not "out of the hex range" but *are* ascii ???
They'd still be hex, up to 64 characters of them. Either way the result, no matter what you enter, is a 256 bit hash.
On 09/22/2015 08:41 AM, James Knott wrote:
On 09/22/2015 08:24 AM, Anton Aylward wrote:
I think the point that Carlos was trying to make is that there's no way to tell from a certain set of strings if the input is hex or not, simply because the hex representation is a subset of ASCII.
For example, is the following in hex or not?
A99CBDF0
Clearly this is not hex:
A99;;Bd/F
My AP will allow entering either 63 ASCII or 64 hex characters. So, it would check for any characters that are out of the hex range and, if found, assume ASCII.
Two qualifiers: That is "My AP will allow entering either **UP TO** 63 ASCII or **UP TO** 64 hex characters." And "... it would check for any characters that are out of the hex range and, if found, assume ASCII BUT IF NOT WOULD NOT BE ABLE TO DETERMINE IF THEY WERE HEX OR ASCII" The only way that this can be disambiguated when using the set of characters [0-9A-Fa-f] is if you enter 64. Any less than that and it's ambiguous. -- I suspect that, over time, all bureaucratic processes decay into cargo cults unless regularly challenged by a hostile reality. -- Alan Rocker 2001-11-23
On 2015-09-22 at 08:24 -0400, Anton Aylward wrote:
I think the point that Carlos was trying to make is that there's no way to tell from a certain set of strings if the input is hex or not, simply because the hex representation is a subset of ASCII.
Exactly.
On 09/20/2015 10:47 AM, James Knott wrote:
On 09/20/2015 01:32 PM, Carlos E. R. wrote:
Is it possible to enter Hex passwords as such?
I would expect that anything that accepts alpha-numeric characters would accept hex.
But limiting the character set for each entered digit would limit the entropy for the cryptographic hash, making it easier to brute-force guess, given the same password length. It might take only 100-years to crack, instead of 1,000-years. :-) Regards, Lew
On 09/20/2015 05:08 PM, Lew Wolfgang wrote:
On 09/20/2015 10:47 AM, James Knott wrote:
On 09/20/2015 01:32 PM, Carlos E. R. wrote:
Is it possible to enter Hex passwords as such?
I would expect that anything that accepts alpha-numeric characters would accept hex.
But limiting the character set for each entered digit would limit the entropy for the cryptographic hash, making it easier to brute-force guess, given the same password length. It might take only 100-years to crack, instead of 1,000-years. :-)
An ASCII password will still be converted to a 256 bit hash, no matter how many characters are used. However, there are far more possible combinations of ASCII characters (96^63) than the 2^256 possible hash values. So, by using only hex digits, you're really not limiting much. BTW, there are 6.598 × 10^47 63-character ASCII passwords for each hash value. That's a fair number of hash collisions. ;-)
On 09/20/2015 05:18 PM, James Knott wrote:
BTW, there are 6.598 × 10^47 63-character ASCII passwords for each hash value. That's a fair number of hash collisions. ;-)
Also, assuming the 8-63 character rules my access point uses, the number of possible ASCII passwords is 96^63! - 96^8!, which is quite a few... ;-) For those that aren't familiar with the math, the "!" means factorial. https://en.wikipedia.org/wiki/Factorial
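The hex-versus-passphrase question and the entropy arithmetic in the messages above can be checked directly. This is an added example, not code from the thread: it applies the rule wpa_supplicant and hostapd use (exactly 64 hex digits are the 256-bit key itself; anything else is an 8-63 character passphrase run through PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, as IEEE 802.11 specifies), checks it against the published "password"/"IEEE" test vector, and computes how many bits an attacker would have to search for each style of secret. The 95-character alphabet (codes 32 to 126) and the assumption that the attacker knows which alphabet was used are mine.

```python
import hashlib
import math
import re
from typing import Tuple

HEX_KEY = re.compile(r"[0-9A-Fa-f]{64}")    # exactly 64 hex digits: the raw 256-bit key
HEX_ONLY = re.compile(r"[0-9A-Fa-f]+")
PRINTABLE_ASCII = 95                        # 802.11 passphrase characters: codes 32..126


def wpa2_pmk(secret: str, ssid: str) -> Tuple[bytes, str]:
    """Turn what the user typed into the 256-bit pairwise master key (PMK).

    Exactly 64 hex digits are used as the key itself. Anything else must be 8
    to 63 printable ASCII characters and is hashed with PBKDF2-HMAC-SHA1
    (SSID as salt, 4096 iterations, 32-byte output).  Returns the PMK and
    which rule applied: "raw-hex" or "passphrase".
    """
    if HEX_KEY.fullmatch(secret):
        return bytes.fromhex(secret), "raw-hex"
    if not 8 <= len(secret) <= 63 or not all(32 <= ord(c) <= 126 for c in secret):
        raise ValueError("need 8-63 printable ASCII characters or exactly 64 hex digits")
    pmk = hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return pmk, "passphrase"


def guessing_bits(secret: str) -> float:
    """Bits an attacker must search if the secret was drawn uniformly from its
    alphabet: 16 symbols when every character is a hex digit, otherwise 95.
    Capped at 256 because the PMK is only 256 bits, so a long ASCII
    passphrase cannot be harder to find than the key it hashes to."""
    alphabet = 16 if HEX_ONLY.fullmatch(secret) else PRINTABLE_ASCII
    return min(len(secret) * math.log2(alphabet), 256.0)


if __name__ == "__main__":
    # Constructed samples covering the cases argued about in the thread.
    samples = [
        ("password", "IEEE"),          # IEEE 802.11 test vector (passphrase)
        ("A99CBDF0", "IEEE"),          # 8 hex-looking chars: still a passphrase
        ("a" * 60, "IEEE"),            # 60 hex digits: passphrase, 240 bits
        ("0123456789abcdef" * 4, "IEEE"),  # 64 hex digits: taken as the key
    ]
    for secret, ssid in samples:
        pmk, how = wpa2_pmk(secret, ssid)
        print(f"{how:10} {guessing_bits(secret):6.1f} bits  PMK={pmk.hex()[:16]}...")
```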
On 2015-09-20 at 14:08 -0700, Lew Wolfgang wrote:
On 09/20/2015 10:47 AM, James Knott wrote:
On 09/20/2015 01:32 PM, Carlos E. R. wrote:
Is it possible to enter Hex passwords as such? I would expect that anything that accepts alpha-numeric characters would accept hex.
But limiting the character set for each entered digit would limit the entropy for the cryptographic hash, making it easier to brute-force guess, given the same password length. It might take only 100-years to crack, instead of 1,000-years. :-)
Yes, exactly. That's what I'm saying. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/20/2015 05:21 PM, Carlos E. R. wrote:
But limiting the character set for each entered digit would limit the entropy for the cryptographic hash, making it easier to brute-force guess, given the same password length. It might take only 100-years to crack, instead of 1,000-years. :-)
Yes, exactly. That's what I'm saying.
But I think it would take a bit longer than 1000 years. See my comments about the NSA and AES. No matter what you use, it will still be a 256 bit hash.
On 09/20/2015 05:08 PM, Lew Wolfgang wrote:
It might take only 100-years to crack, instead of 1,000-years. :-)
I mentioned earlier the NSA comment about breaking AES in that a computer that could break DES in one second would take 139 trillion years to break AES. AES uses the same 256 bit length as WPA2. I don't know if there's any way to make it a smaller task, the way there was with WEP and the initialization vector. Of course WPA2 uses AES for the encryption, so if you can't crack the password, it will still take 139 trillion years to break the encryption.
On 09/20/2015 05:22 PM, James Knott wrote:
On 09/20/2015 05:08 PM, Lew Wolfgang wrote:
It might take only 100-years to crack, instead of 1,000-years. :-)
I mentioned earlier the NSA comment about breaking AES in that a computer that could break DES in one second would take 139 trillion years to break AES. AES uses the same 256 bit length as WPA2. I don't know if there's any way to make it a smaller task, the way there was with WEP and the initialization vector. Of course WPA2 uses AES for the encryption, so if you can't crack the password, it will still take 139 trillion years to break the encryption.
Are you actually "breaking" the encryption algorithmically or are you generating the set of all possible combinations and trying them one by one? -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 09/20/2015 05:30 PM, Anton Aylward wrote:
Of course WPA2 uses AES for the
encryption, so if you can't crack the password, it will still take 139 trillion years to break the encryption. Are you actually "breaking" the encryption algorithmically or are you generating the set of all possible combinations and trying them one by one?
Brute force, trying all combinations. I'll let you know when I'm done. ;-)
On Sun, Sep 20, 2015 at 6:38 PM, James Knott
On 09/20/2015 05:30 PM, Anton Aylward wrote:
Of course WPA2 uses AES for the
encryption, so if you can't crack the password, it will still take 139 trillion years to break the encryption. Are you actually "breaking" the encryption algorithmically or are you generating the set of all possible combinations and trying them one by one?
Brute force, trying all combinations. I'll let you know when I'm done. ;-)
Not necessarily relevant, but WPA uses PBKDF2 as part of the authentication process. PBKDF2 is intentionally incredibly slow to make brute forcing harder. With a strong password, you would need some serious computing power to do it in a reasonable time-frame. Brandon Vincent
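As an added illustration (not code from anyone in the thread) of Brandon's PBKDF2 remark and of James's point that everything ends up as a 256-bit key: WPA/WPA2-Personal derives the PMK from an 8 to 63 character passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, the SSID as salt), while a 64-hex-digit key is used as the PMK directly. The guess rate used in the printout is an assumed figure for illustration only.

```python
import hashlib
import math
from binascii import unhexlify

# WPA/WPA2-Personal key derivation as specified in IEEE 802.11i (Annex H):
# an ASCII passphrase of 8 to 63 characters (printable ASCII, 0x20-0x7E) is
# stretched with PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt, into a
# 256-bit Pairwise Master Key (PMK). A 64-hex-digit key *is* the PMK and skips
# PBKDF2 entirely.
PBKDF2_ITERATIONS = 4096
PMK_BYTES = 32
PRINTABLE_ASCII = 95          # characters 0x20..0x7E allowed in a passphrase
HEX_DIGITS = 16


def derive_pmk(key: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for either a passphrase or a raw 64-hex-digit PSK."""
    if len(key) == 64 and all(c in "0123456789abcdefABCDEF" for c in key):
        # Raw PSK entry: the 256 bits are used exactly as typed, no stretching.
        return unhexlify(key)
    if not 8 <= len(key) <= 63 or not all(0x20 <= ord(c) <= 0x7E for c in key):
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    # Two PBKDF2 blocks (SHA1 yields 20 bytes, the PMK needs 32), so each guess
    # costs 8192 HMAC-SHA1 computations: the deliberate slowness Brandon means.
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PMK_BYTES)


def effective_key_bits(charset_size: int, length: int) -> float:
    """Entropy a uniformly random key of this shape can carry, capped at the
    256 bits the PMK can hold (James's point: the output is always 256 bits)."""
    return min(256.0, length * math.log2(charset_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every key of `bits` bits at the given rate
    (the average case is half of this)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print("PMK:", derive_pmk("password", "IEEE").hex())
    # Assumed attacker rate of 1e6 PBKDF2 guesses/s: a constructed figure.
    for label, charset, length in (("63 printable ASCII", PRINTABLE_ASCII, 63),
                                   ("63 hex digits", HEX_DIGITS, 63),
                                   ("64 hex digits (raw PSK)", HEX_DIGITS, 64),
                                   ("8 printable ASCII", PRINTABLE_ASCII, 8)):
        bits = effective_key_bits(charset, length)
        print(f"{label:24s} -> {bits:6.1f} bits, "
              f"{years_to_exhaust(bits, 1e6):.3g} years at 1e6 guesses/s")
```

Restricting the passphrase to hex digits only costs entropy when the passphrase is short; 63 hex digits still carry 252 bits, so the 256-bit output, not the character set, is the ceiling.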
On September 20, 2015 9:38:01 PM EDT, James Knott
On 09/20/2015 05:30 PM, Anton Aylward wrote:
Of course WPA2 uses AES for the
encryption, so if you can't crack the password, it will still take 139 trillion years to break the encryption. Are you actually "breaking" the encryption algorithmically or are you generating the set of all possible combinations and trying them one by one?
Brute force, trying all combinations. I'll let you know when I'm done. ;-)
That's why uniqueness in passwords is important. The bad guys have been stealing credentials by the millions for a decade plus. With some of the lesser protected encryption schemes a rainbow attack allowed them to decrypt every password. Then they use the list of actual passwords as a big dictionary for future attacks. I understand the dictionary of actual passwords known to have been used by someone is now huge. The first thing a real hacker would do is run through that list first. Even 100 million could probably be checked in less than a day. So one key to a good password is to pick one no one else has ever used and had stolen. Greg -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Sun, 20 Sep 2015, greg.freemyer@gmail.com wrote:
That's why uniqueness in passwords is important. The bad guys have been stealing credentials by the millions for a decade plus.
With some of the lesser protected encryption schemes a rainbow attack allowed them to decrypt every password. Then they use the list of actual passwords as a big dictionary for future attacks.
I understand the dictionary of actual passwords known to have been used by someone is now huge. The first thing a real hacker would do is run through that list first. Even 100 million could probably be checked in less than a day.
So one key to a good password is to pick one no one else has ever used and had stolen.
"I wanna be a bad guy and I wanna get stoned by..." :p. A regular password I use once got hacked. At least, I thought it was, but the funny thing was it was never changed and yet someone had access to the account. After changing it, that access was gone, apparently. But it's rather hard to change your 'stock' passwords for memory issues if only that. I must use at least 20 different combinations of that password though. Nevertheless, it is a liability. Perhaps I should just try to acquire that list or one of those lists. Probably closely guarded, but perhaps not necessarily so. There was one person in the Ashley Madison debacle who took the opportunity to download the list of hashed passwords and crack the one he was interested in: one that belonged to an acquaintance who couldn't access his/her account anymore. At least that is how I remember it.
On 09/20/2015 09:38 PM, James Knott wrote:
On 09/20/2015 05:30 PM, Anton Aylward wrote:
Of course WPA2 uses AES for the
encryption, so if you can't crack the password, it will still take 139 trillion years to break the encryption. Are you actually "breaking" the encryption algorithmically or are you generating the set of all possible combinations and trying them one by one?
Brute force, trying all combinations. I'll let you know when I'm done. ;-)
There's an argument over which will come first: a) the heat death of the universe b) the decay of the neutron You're a distant 54th. :-) -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 09/20/2015 05:08 PM, Lew Wolfgang wrote:
It might take only 100-years to crack, instead of 1,000-years. :-)
"on average..." You might hit lucky, or you might have a clue as to the first few characters. Perhaps they might be "$md5$" or "$apr1$" or something like that :-( -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 09/20/2015 10:01 AM, Anton Aylward wrote:
There are many other such ways of LOCALLY producing strong (for various interpretations of the terms 'strong') password strings.
True, but many people don't know them. That's why I tell them to use www.grc.com.
On 09/20/2015 10:25 AM, James Knott wrote:
On 09/20/2015 10:01 AM, Anton Aylward wrote:
There are many other such ways of LOCALLY producing strong (for various interpretations of the terms 'strong') password strings.
True, but many people don't know them. That's why I tell them to use www.grc.com.
Oh Blitheration! You tell them that because they don't know that EITHER! You could just as well tell them to install the KDE app. Or tell them one of many other alternatives. And if you ask, then you must know. If you still doubt, you should be told. It was not we that made it so. It was by those who went before. - Uriah Heep, "Tales", on "The Magician's Birthday" (1972) The point is you tell them SOMETHING. My point is that something local gives them a warm fuzzy that they have control over it on their OWN machine and not what someone else thinks they should be using! -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 09/20/2015 06:29 PM, James Knott wrote:
On 09/20/2015 05:39 PM, Anton Aylward wrote:
You could just as well tell them to install the KDE app.
They often run Windows.
Indeed, there are also people who smoke regularly, despite the proven health risk. There are even, according to police records, people who drive while seriously intoxicated. For some reason there is a class of humans who habitually engage in high risk activities. While that may be explained away as avoiding boredom and an excess of endorphins, serotonin, and dopamine or a damaged amygdala, we must seek elsewhere for an explanation of why some people not only use Windows but defend their use of it vigorously. http://abcnews.go.com/Health/Healthday/risk-takers-lack-ability-limit-brain-... That being said, there are people who vigorously defend their right to smoke, to drive while drunk and to carry loaded weapons when there are no potentially fatal violent threats (other than drunk drivers) in their vicinity. There's an idiom spoken by people in northern Lancashire that is lexically unrenderable, but which translates, it is told, to people living further south who use "received pronunciation", when stripped of local colourful idioms, anatomical references and other obscenities, as "People are strange". https://en.wikipedia.org/wiki/Received_Pronunciation#Comparison_with_other_v... -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
There's an idiom spoken by people in northern Lancashire that is lexically unrenderable, but which translates, it is told, to people living further south who use "received pronunciation", when stripped of local colourful idioms, anatomical references and other obscenities, as "People are strange". https://en.wikipedia.org/wiki/Received_Pronunciation#Comparison_with_other_v...
Or "There's Nowt So Queer As Folk" M
On 09/22/2015 12:18 PM, michael norman wrote:
Or "There's Nowt So Queer As Folk"
Sah that, lad, with a 'onest broad north lancy accent them southerners and 'merican's won't know what yer yamemring abut. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 2015-09-22 19:01, Anton Aylward wrote:
On 09/22/2015 12:18 PM, michael norman wrote:
Or "There's Nowt So Queer As Folk"
Sah that, lad, with a 'onest broad north lancy accent them southerners and 'merican's won't know what yer yamemring abut.
Nor me :-} -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
I'm a southerner, as if you couldn't tell. (Ian Dury : Billericay Dickie) In the 80's my wife and I lived in Scotland. We had a son. When we returned south for good in 1989 our son was just over two years old and spoke with a broad West of Scotland accent. We broke the journey in Sheffield and stayed overnight in a pub. On hearing my son speak the landlord remarked "by gum, don't he talk funny". Sorry, I know it's OT. M On 22/09/15 18:01, Anton Aylward wrote:
On 09/22/2015 12:18 PM, michael norman wrote:
Or "There's Nowt So Queer As Folk"
Sah that, lad, with a 'onest broad north lancy accent them southerners and 'merican's won't know what yer yamemring abut.
On 2015-09-23 at 09:26 +0100, michael norman wrote:
I'm a southerner, as if you couldn't tell. (Ian Dury : Billericay Dickie)
In the 80's my wife and I lived in Scotland. We had a son. When we returned south for good in 1989 our son was just over two years old and spoke with a broad West of Scotland accent.
We broke the journey in Sheffield and stayed overnight in a pub. On hearing my son speak the landlord remarked "by gum. don't he talk funny"
:-) I'm Spanish, but I have British ancestors. Second and a half generation expat, I think. Well, when I was a kid, an aunt told me that she had been reading a very funny book by someone called James Herriot. I was actually searching for books to read, so I bought one (I think I was visiting England at the time). Soon I bought all I could find; they were really funny. One curious thing was the slang and expressions used by the agricultural folks that appeared in the book. The author found them interesting, and so did I, with time - it took some time for me to understand them. In writing, that is; probably no chance I could understand someone talking like that to me. The author was Scottish, and went to work (as a vet), later to live, in the Yorkshire Dales (hope I got the place name right). That "by gum" was one of those expressions; what that landlord of yours said instantly reminded me of those books :-) -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Wed, Sep 23, 2015 at 3:13 PM, Carlos E. R.
James Herriot
"The Lord God Made Them All"... In 1989 it was translated into Russian. Of course it must have lost the slang in translation, but it was still excellent and to this day it keeps an honorable place in my bookcase. (Funny, even in 1989 they called the book (in reverse translation) "They are all the creations of nature" though the original name was printed on the next page :-( ). -- Mark Goldstein
On 23/09/15 15:24, Mark Goldstein wrote:
On Wed, Sep 23, 2015 at 3:13 PM, Carlos E. R. wrote:
James Herriot
"The Lord God Made Them All"... In 1989 it was translated into Russian. Of course it must have lost the slang in translation, but it was still excellent and to this day it keeps an honorable place in my bookcase. (Funny, even in 1989 they called the book (in reverse translation) "They are all the creations of nature" though the original name was printed on the next page :-( ).
Or was it "All creatures great and small"? I'm sure that was the name of the TV series. -- Bob Williams System: Linux 3.16.7-7-desktop Distro: openSUSE 13.2 (x86_64) with KDE Development Platform: 4.14.3 Uptime: 06:00am up 7:55, 3 users, load average: 0.16, 0.05, 0.06
On Wed, Sep 23, 2015 at 04:19:57PM +0100, Bob Williams wrote:
On 23/09/15 15:24, Mark Goldstein wrote:
On Wed, Sep 23, 2015 at 3:13 PM, Carlos E. R. wrote:
James Herriot
"The Lord God Made Them All"... In 1989 it was translated into Russian. Of course it must have lost the slang in translation, but it was still excellent and to this day it keeps an honorable place in my bookcase. (Funny, even in 1989 they called the book (in reverse translation) "They are all the creations of nature" though the original name was printed on the next page :-( ).
Or was it "All creatures great and small"? I'm sure that was the name of the TV series.
<spoiler alert> by gum -- it broke my heart when that neighbor farmer killed the otter -- "it's only an otter" indeed
On 2015-09-23 at 16:19 +0100, Bob Williams wrote:
Or was it "All creatures great and small"? I'm sure that was the name of the TV series.
Both. There were several books. Some covered a year of his life each, then there were others grouping two or more books in one. I was going to look up the titles on Wikipedia, but it is down this instant :-? Maybe it is the search which is down; via Google I find it. These are the titles:
If Only They Could Talk (1970)
It Shouldn't Happen to a Vet (1972)
All Creatures Great and Small (1972)
Let Sleeping Vets Lie (1973)
Vet in Harness (1974)
All Things Bright and Beautiful (1974)
Vets Might Fly (1976)
Vet in a Spin (1977)
All Things Wise and Wonderful (1977)
James Herriot's Yorkshire (1979)
The Lord God Made Them All (1981)
Every Living Thing (1992)
James Herriot's Cat Stories (1994)
James Herriot's Favourite Dog Stories
In the US, they were published as omnibus editions; Wikipedia explains which are which. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 2015-09-23 at 17:24 +0300, Mark Goldstein wrote:
On Wed, Sep 23, 2015 at 3:13 PM, Carlos E. R. wrote:
James Herriot
"The Lord God Made them all"... In 1989 it was translated into Russian. Of course it should have lost the slang in translation, but still was excellent and till now it stays on the honorable place in my bookcase. (Funny, even in 1989 they called the book (in reverse translation) "They are all the creations of nature" though the original name was printed on the next page :-( ).
ROTFL! It certainly lost more than slang ;-) I don't know if it was translated into Spanish. Probably. At that age, I could buy English books with the excuse that it was for improving my English skills (which was true). Spanish books were scarce for me :-} There was a TV serial based on it. They tried the show in Spain, but it was about a total failure. Even I didn't like it much, although I watched it. I think English humor is an acquired taste ;-) -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/22/2015 08:16 AM, Anton Aylward wrote:
They often run Windows. Indeed, there are also people who smoke regularly, despite the proven health risk. There are even, according to police records, people who drive while seriously intoxicated.
For some reason there is a class of humans who habitually engage in high risk activities.
Unfortunately, my work computer runs Windows 8. Yuck!!! Of course, there are many who don't know better and think Windows is all there is.
On 09/22/2015 02:39 PM, James Knott wrote:
Of course, there are many who don't know better and think Windows is all there is.
As opposed to the likes of us who KNOW that Linux is all that MATTERS. :-) -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 22-09-15 at 20:57 Anton Aylward wrote:
On 09/22/2015 02:39 PM, James Knott wrote:
Of course, there are many who don't know better and think Windows is all there is.
As opposed to the likes of us who KNOW that Linux is all that MATTERS.
:-)
You can always install openSUSE... with 13.2 as first choice. GET RID OF THE MICROSOFT BALL AND CHAIN!!
On Tue, 22 Sep 2015, James Knott wrote:
Unfortunately, my work computer runs Windows 8. Yuck!!!
Of course, there are many who don't know better and think Windows is all there is.
Luckily, I do know better and I still think Windows is all there is. :D. Actually I believe I'm migrating to a VM inside of Windows. Not sure yet, but I seem to be in the process of wiping openSUSE off my HDD. Still rsyncing my volume backups to a remote host. I might have room to keep the backups locally as well. One thing I learned though: you can't use XFS with LVM and create a snapshot of your XFS volume and then mount it; it will complain that the UUID is the same, so you can't mount your snapshots and make backups off of them, so there goes my XFS experiment, I'm back to ext3 now. I believe I'm hoping to run a Linux desktop or something close to it inside of Windows :p. I wonder if I can use it to run services and connect to them from Windows. I.e. use Linux as an embedded server. That would be awesome. That would be like having a remote box or second computer, but it's still in this machine. It would be lovely to migrate these "VM" installations to other computers at will. I've always best used Linux as a remote box. I.e. previously it was my file server, later it was my web server, and my email shell host. Given that, the programs I've used most by far are Vim and Alpine. Using it as a desktop has never been quite as much of a success. Modest victories with mplayer (I remember that) and Inkscape, but most of the really good programs are available in Windows as well. Linux is a development powerhouse and a nice console environment and that's all I've ever really used it for: to run services and possibly also develop them. I used to program in Windows when I was a kid (Delphi, Pascal) and then I changed to cross-platform (Java) but application development, I haven't cared about it since 1999. I'd rather do PHP and write web services or whatever. Or do Python and perhaps write some GIMP plugin. But Java and PHP are my greatest loves, and luckily, or coincidentally, they are both platform independent and geared towards services that anyone can use, whatever OS they use.
Being stuck to one OS is really troublesome these days, as ever it has been, perhaps. I was even writing GTK for Windows, no matter how ...moronic. For a reason I still like GTK better than Qt. It seems smaller, easier to understand. Even if it's full of bugs. And Gnome has some perks, notably "Evolution" is still a program with potential. It was a program with potential 10 years ago and that status didn't change much :-/ :p. There also used to be something called Open Groupware. It is apparently called SOGo now (http://www.scalableogo.org) and still alive and kicking, slightly, it seems. I'm more in the business of writing services anyway. It might be.
On Tue, Sep 22, 2015 at 3:30 PM, Xen wrote:
On Tue, 22 Sep 2015, James Knott wrote:
Unfortunately, my work computer runs Windows 8. Yuck!!!
Of course, there are many who don't know better and think Windows is all there is.
Luckily, I do know better and I still think Windows is all there is.
:D.
Actually I believe I'm migrating to a VM inside of Windows. Not sure yet, but I seem to be in the process of wiping openSUSE off my HDD.
Still rsyncing my volume backups to a remote host.
I might have room to keep the backups locally as well.
One thing I learned though: you can't use XFS with LVM and create a snapshot of your XFS volume and then mount it; it will complain that the UUID is the same, so you can't mount your snapshots and make backups off of them, so there goes my XFS experiment, I'm back to ext3 now.
Please give XFS some credit. It has been an enterprise quality filesystem for well over a decade.
===
man mount
<snip>
Mount options for xfs
<snip>
nouuid Don't check for double mounted filesystems using the filesystem uuid. This is useful to mount LVM snapshot volumes.
===
I believe I'm hoping to run a Linux desktop or something close to it inside of Windows :p.
I wonder if I can use it to run services and connect to them from Windows. Ie. use Linux as an embedded server. That would be awesome. That would be like having a remote box or second computer, but it's still in this machine.
Ignoring speed issues, why not?
It would be lovely to migrate these "VM" installations to other computers at will. I've always best used Linux as a remote box. Ie. previously it was my file server, later it was my web server, and my email shell host.
I still mostly do that. 80% of my time on Linux is CLI. Greg
On Tue, 22 Sep 2015, Greg Freemyer wrote:
Please give XFS some credit. It has been an enterprise quality filesystem for well over a decade.
===
man mount
<snip>
Mount options for xfs
<snip>
nouuid Don't check for double mounted filesystems using the filesystem uuid. This is useful to mount LVM snapshot volumes.
===
Well, it didn't tell me that. And it would give me trouble mounting my snapshots because now I have to check for which filesystem is in use, which is just ....more work. If there is anything true about computers it is that you have to avoid doing more work, because around that corner there is always again more work, and it never ends. Suddenly a simple "mount" command is no longer fool-proof. And now you need a fool-proof way to discover the filesystem type of a block device (LV). I guess that means parsing blkid. Nevertheless, more work. So no, no credit here. It makes life harder by requiring specialized commands (or options) to simply mount it. It's a bit like tar that includes some device number in the archives it creates. Why it does this is beyond me; a path is supposed to be uniquely identified by.... path. So you have to pass it an option --no-check-device or something to work with LVM. Constantly running into issues like this. No credit ;-). Regards,..
On Tue, 2015-09-22 at 22:41 +0200, Xen wrote:
On Tue, 22 Sep 2015, Greg Freemyer wrote:
Please give XFS some credit. It has been an enterprise quality filesystem for well over a decade.
===
man mount
<snip>
Mount options for xfs
<snip>
nouuid Don't check for double mounted filesystems using the filesystem uuid. This is useful to mount LVM snapshot volumes.
===
Well, it didn't tell me that. And it would give me trouble mounting my snapshots because now I have to check for which filesystem is in use which is just ....more work.
Only because whatever other tool or filesystem you have previously been using *FAILED* to warn you of double mounting; this is a feature, not a bug. Mounting a snapshot is a special use-case, requiring relief of a safety is just a good practice, not a problem.
Suddenly a simple "mount" command is no longer fool-proof.
It never ever was. A "simple" mount command is merely one where you are assuming the defaults are OK, and that you remember exactly the context you are operating in.
And now you need a fool-proof way to discover the filesystem type of a block device
And? I would hope if you are moving, snapshoting, and mounting/unmounting LV's that you *just-know* the file-system you are working with.
It's a bit like Tar that includes some device number in the archives it creates.
I am not sure what "some device number" means. Tar persists the meta-data and contents of a file.
is beyond me, a path is supposed to be uniquely identified by.... path.
No, this has never ever ever been true. It is certainly not true in any kind of modern-ish storage system. -- Adam Tauno Williams mailto:awilliam@whitemice.org GPG D95ED383 Systems Administrator, Python Developer, LPI / NCLA
On 2015-09-22 at 18:05 -0400, Adam Tauno Williams wrote:
On Tue, 2015-09-22 at 22:41 +0200, Xen wrote:
Well, it didn't tell me that. And it would give me trouble mounting my snapshots because now I have to check for which filesystem is in use which is just ....more work.
Only because whatever other tool or filesystem you have previously been using *FAILED* to warn you of double mounting; this is a feature, not a bug. Mounting a snapshot is a special use-case, requiring relief of a safety is just a good practice, not a problem.
What is dangerous about double mounting? Like, for instance, mounting a backup image of the current filesystem. I can only think of "/dev/disk/by-uuid/" having a problem: two devices with the same entry, thus mount by uuid would be impossible. Same as mount by label. But if that happens, there are other methods for mounting: that is why we have several methods. :-? -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/22/2015 07:40 PM, Carlos E. R. wrote:
that is why we have several methods.
And it is why they are described in the man pages. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On Tue, Sep 22, 2015 at 7:40 PM, Carlos E. R.
On 2015-09-22 at 18:05 -0400, Adam Tauno Williams wrote:
On Tue, 2015-09-22 at 22:41 +0200, Xen wrote:
Well, it didn't tell me that. And it would give me trouble mounting my snapshots because now I have to check for which filesystem is in use which is just ....more work.
Only because whatever other tool or filesystem you have previously been using *FAILED* to warn you of double mounting; this is a feature, not a bug. Mounting a snapshot is a special use-case, requiring relief of a safety is just a good practice, not a problem.
What is dangerous about double mounting?
I don't think this was answered. The issue comes in with Enterprise Storage Area Networks. They often have redundant paths to the same filesystem. Thus in a SAN environment it is easy to mistakenly mount the same filesystem two different places simultaneously. If all reads/writes were atomic, that would be fine. But in the real world there are buffers and caches. The data in them often conflicts with what is on the actual storage system. Having 2 independent sets of buffers/caches quickly leads to chaos on a busy system. Greg -- Greg Freemyer www.IntelligentAvatar.net
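Greg's point about two independent sets of buffers (and Carlos's later "two completely separated structures") can be shown with a small model. This is an added illustration, not code from the thread or from any filesystem: the disk is a list of blocks, block 0 is a constructed stand-in for allocation metadata (the next free block number), and each Mount is a write-back cache, the role the kernel's page cache plays for one mount instance. Mounting the same Disk through two Mounts is the SAN double mount: neither cache sees the other's dirty blocks, and whichever flushes last writes its stale view over the other's.

```python
"""Why a double mount corrupts data, modelled with two independent caches.

Added illustration, not code from the thread or from any filesystem. The
"disk" is a list of blocks; block 0 holds the number of the next free block
(a constructed stand-in for allocation metadata). Each Mount is a write-back
cache over the shared Disk. Two Mounts of one Disk are the double mount
described in the thread.
"""


class Disk:
    def __init__(self, nblocks: int):
        self.blocks = [None] * nblocks
        self.blocks[0] = 1  # constructed layout: block 0 = next free block number


class Mount:
    """One mount instance with its own write-back cache over a shared Disk."""

    def __init__(self, disk: Disk):
        self.disk = disk
        self.cache = {}
        self.dirty = set()

    def read(self, n: int):
        if n not in self.cache:
            self.cache[n] = self.disk.blocks[n]  # fill from disk only on first touch
        return self.cache[n]

    def write(self, n: int, value) -> None:
        self.cache[n] = value  # stays in this cache until sync()
        self.dirty.add(n)

    def sync(self) -> None:
        for n in sorted(self.dirty):
            self.disk.blocks[n] = self.cache[n]
        self.dirty.clear()


def create_file(mount: Mount, data: str) -> int:
    """Allocate the next free block through this mount and write data into it."""
    block = mount.read(0)
    mount.write(0, block + 1)
    mount.write(block, data)
    return block


def single_mount() -> dict:
    """Normal case: one mount, one cache; both files get their own block."""
    disk = Disk(4)
    m = Mount(disk)
    a = create_file(m, "file-A")
    b = create_file(m, "file-B")
    m.sync()
    return {"file_a": a, "file_b": b, "disk": list(disk.blocks)}


def double_mount() -> dict:
    """Same device mounted twice: both mounts allocate the same block."""
    disk = Disk(4)
    m1, m2 = Mount(disk), Mount(disk)
    a = create_file(m1, "file-A")  # m1 sees block 1 free
    b = create_file(m2, "file-B")  # m2 still sees block 1 free: m1's write is only cached
    m1.sync()
    m2.sync()                      # m2's stale view overwrites m1's data
    return {"file_a": a, "file_b": b, "disk": list(disk.blocks)}


if __name__ == "__main__":
    print("single:", single_mount())
    print("double:", double_mount())
```

In the double-mount run both "files" end up pointing at block 1, file-A's contents are gone from the disk, and the allocator's counter is also wrong; a bind mount does not have this problem because it is one mount instance (one cache) exposed at two paths.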
Greg Freemyer
What is dangerous about double mounting?
I don't think this was answered.
The issue comes in with Enterprise Storage Area Networks. They often have redundant paths to the same filesystem. Thus in a SAN environment it is easy to mistakenly mount the same filesystem two different places simultaneously.
If all reads/writes were atomic, that would be fine. But in the real world there are buffers and caches. The data in them often conflicts with what is on the actual storage system. Having 2 independent sets of buffers/caches quickly leads to chaos on a busy system.
I guess in a typical local system the kernel is aware of every second mount and would use the same buffers and caches at least I would believe that would normally hold true. It would not make sense to not be aware of a second mount, in that case every --bind mount would start causing trouble as well, or wouldn't it? So it seems we have a special case here where the kernel can't be aware. And now XFS is using filesystem descriptions/identifiers (whatever those may be) to identify the filesystem (which would typically be stored on some device) but it can't distinguish identical or near-identical copies because the UUID obviously does not describe the entire thing like a checksum would. And even if it did, it would still be wrong. But in actual fact the condition arises easily where two filesystems with identical UUID can be on a different device, which means the logic for not mounting twice does not hold true, which means the FS UUID logic is just flawed and WRONG. And it also means you can't just say a person is lazy or a turd or "has a problem with looking up information" (as per mr. Anton) as if the bad design of some feature suddenly warrants every individual have some obligation to the Unix world to design around that flaw. I don't know if it makes more sense in the context of that SAN, perhaps there are also conditions where network shares cannot be identified by device because the devices on different systems may be different, but the filesystem itself may not? I don't know. Apparently we are talking about local systems here still. So I think it is just not right.
On 2015-09-23 at 22:36 +0200, Xen wrote: ...
I guess in a typical local system the kernel is aware of every second mount and would use the same buffers and caches at least I would believe that would normally hold true. It would not make sense to not be aware of a second mount, in that case every --bind mount would start causing trouble as well, or wouldn't it?
No, a bind mount is very different. It is a kind of simulation, a link, whereas a double mount is a real mount, with two completely separated structures. Think of a hard disk having two SATA cables, for redundancy.
So it seems we have a special case here where the kernel can't be aware.
And now XFS is using filesystem descriptions/identifiers (whatever those may be) to identify the filesystem (which would typically be stored on some device) but it can't distinguish identical or near-identical copies because the UUID obviously does not describe the entire thing like a checksum would.
The current version of XFS also stores checksums. And the UUID is not a string stored somewhere at the start of the partition, but rather is replicated all over the partition. No, don't ask me why. I read the reasoning, but I can't explain it from memory. I'm not that good. You should be aware that the people designing and creating these filesystems like XFS really know what they are doing, and it is rather more possible that you don't. Not me, anyway. Current filesystems are very complex things. Normal peasant knowledge is far from understanding it. :-)) -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Thanks for your reply Carlos. You are always positive around here. On Thu, 24 Sep 2015, Carlos E. R. wrote:
I guess in a typical local system the kernel is aware of every second mount and would use the same buffers and caches at least I would believe that would normally hold true. It would not make sense to not be aware of a second mount, in that case every --bind mount would start causing trouble as well, or wouldn't it?
No, a bind mount is very different. It is a kind of simulation, a link, whereas a double mount is a real mount, with two completely separated structures.
Think of a hard disk having two SATA cables, for redundancy.
I have accidentally mounted the same filesystem twice, only temporarily, shortly, a few times. It is easy to remount e.g. ... wait. Well I think I did. It is also possible to mount some snapshot on top of /. Then you can type "umount /" and it will umount the second mount (the one of the snapshot ) :P. But I don't know what "two completely separated structures" means. I take it that would mean that you have two sets of buffers, like the other guy mentioned, which would be a liability. Nevertheless, FS UUID doesn't solve this, not in a good way.
So it seems we have a special case here where the kernel can't be aware.
And now XFS is using filesystem descriptions/identifiers (whatever those may be) to identify the filesystem (which would typically be stored on some device) but it can't distinguish identical or near-identical copies because the UUID obviously does not describe the entire thing like a checksum would.
The current version of XFS also stores checksums. And the UUID is not a string stored somewhere at the start of the partition, but rather is replicated all over the partition.
Not sure if that is relevant. I know e.g. from partitions that you can enlarge a partition and the UUID stays the same, but when you change the starting sector it becomes different. It is completely obvious (at least to me) that UUIDs are more trouble than they're worth, at least for a regular system. I heard they were essential for uniquely identifying objects in large scale deployment scenarios. Again, something that is apparently designed for a very rare (from a user's point of view) use case but which permeates and disrupts all use cases that differ from it (ie. normal ones). I have never benefitted from UUID. Those experts don't have it right. It has entroubled my knowing what is what. It's the same with IPv6's format. It does not benefit me. I cannot normally remember it. It is only made for computers, not humans, just like UUID. They've done slightly the same with Europe's banking system where everyone now has to remember a pan-European banking account number. We used to have something like XXXXXXX now it is something like NL81INGB000XXXXXXX. They make the same mistakes over and over. There is not even a practical reason not to be able to be allowed to use the old number: all those software can easily automatically convert it for you. But they are not allowed to because of Reasons. IPv6 is a disaster, IBAN is pretty much a disaster, and UUID is also pretty much disastrous. The only way to not see it as a disaster is to see it as an opportunity and a call to turn away from madness and start designing your own systems. So yes, that means "Linux" is no longer a system of the people. Look at what SystemD NetworkD is doing to the device names?.... Ridiculous. It is becoming less user friendly every day almost. Now we see here (apparently, I don't know it) (It is just gut feeling and deep perception) that XFS has a feature that is only relevant for certain rare use cases (from a non-enterprise point of view) but which ALL users suffer for. 
That is identical to the reason for UUID in the first place. I don't want to suffer for the perks of other people. UUID for partitions/volumes makes no sense whatsoever. A path name such as /dev/sda2 or /dev/mapper/vg--lv is more resilient to change. Even if you have raid arrays you will have /dev/mdx and if that fails (or is not resilient enough) you can still give labels to your filesystem if you must. All of which are better solutions (from my point of view) than relying on a UUID you cannot really remember or identify. It makes it nearly impossible, for instance, to check a Grub2 config file for errors. At least manually. It makes your fstab completely unintelligible. So that's for UUID to begin with. It does not serve the normal user.
No, don't ask me why. I read the reasoning, but I can't explain it from memory. I'm not that good.
That's fair, you are at least using your own mind ;-).
You should be aware that the people designing and creating these filesystems like XFS really know what they are doing, and it is rather more possible that you don't. Not me, anyway.
But this is the most... this is about the least intelligent thing you could ever have said. Trusting authority -- blindly trusting authority -- is the root cause of basically every problem we face in this world. Whether it is religious authority, moral authority, political authority, or corporate authority. It is the same as having presidents of national or European banks telling the population that they "have to spend more" because it will help the economy. Trusting authority like that is like taking out a gun and shooting yourself. You're almost dead in any case, already. It is people not thinking for themselves. When people stop thinking for themselves and begin to only trust the thinking of other people, you get the world we are in today. Even the reverent (vehement? :P) mr. Steve Jobs said something reasonably intelligent about the subject. He is reported to have said: "Your time is limited, so don’t waste it living someone else’s life. Don’t be trapped by dogma – which is living with the results of other people’s thinking. Don’t let the noise of other’s opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become. Everything else is secondary." And this, my friend Carlos, is exactly what Dogma is about. If some "experts" have determined that this is the Right Way to do things, that is dogma. It is uncontested and uncontestable truth. After all, they are the /experts/, right? :P.
Current filesystems are very complex things. Normal peasant knowledge is far from understanding it.
If any object system uses the "equals" method to test whether two object pointers point to the same object, that system is flawed. You don't have to understand much to see that, and that is the power of simplicity. It is pretty clear this system we are talking about tries to do this (in Java):

    String a = new String("some string");
    String b = new String("some string");
    if (a.equals(b)) {
        System.out.println("a and b are the same object"); // <-- WRONG
    }

Any programmer will understand the wrongness of this. To test object identicality you have to write:

    if (a == b) {
        System.out.println("a and b are the same object"); // <-- RIGHT
    }

But XFS doesn't do this. It uses the former method. I don't care for their reasons. The code is just flawed from a very simple and easy to understand perspective. And I shouldn't be the one to suffer for it, and I had no big reasons to use XFS in the first place (just trying to test its performance, perhaps) so going back to ext3 was a lot easier than starting to read man pages hunting for reasons or error and then writing my script to accommodate this anomaly. I needed to get something done ASAP. I had no time to be dealing with the flaws of other people. Basically that's what Linux is about anyway. Dealing with the flaws of other people. Until it is no more.... There was another reason not to use XFS and that is that you cannot shrink its filesystem, but that is beside the point here really. I just think the experts may be experts but that doesn't mean they have your interests in mind. They may very well have corporate-grade interests in mind. Many of them work for Red Hat etc. So the home user suffers, and the solution is or may not even be the best solution in the general sense of being acceptable to everyone. I never take anyone's word for it. Sometimes that makes me stubborn, but only slightly. In Dutch they have a word for it called "eigenwijs" that is almost always a pejorative, ie. used in a negative sense.
You are rarely complimented for being eigenwijs. But if you want to live your own life and make use of your own time, you have to be 'eigenwijs', you have to be your own person. You have to do your own thinking. And you can stop blaming yourself for inadequacies that are really situated not in your self, but rather in the system you are using. Linux, being rather dysfunctional in many areas, has a habit and a culture of blaming the user. That is what happened here as well. It is always the user's fault. Anton Aylward just did it again, he's very good at it. Compliments :D :P. :). But what I have learned and found is that I don't have myself to blame for most circumstances. What I've found is that my self is usually right, and when it isn't, there are /friendly/ ways of revealing that to a person, usually. And trying to find character faults with someone is not that. Not at all. Anton is very good at telling me that there is something wrong about my person. That I wasn't born right, in that sense. That my being is flawed, in pretty serious ways too, if it's up to him. And that when I choose to make use of my time effectively, and efficiently, and choose to avoid a trap of /needing to use a certain software or system/ when I don't even have to such that I can get back to doing meaningful things again, it feels to him like a betrayal of Linux. There is no Linux now on my computer. What is the point to writing fucking scripts to cater to a filesystem I don't even need to use just so that my project of transforming my computer will take even longer? And why am I even writing this? Explaining my choices.... You really owe no one explanations of the choices you make. A wise person once said: It is not appropriate to interfere with choice, nor to question it. It is particularly inappropriate to condemn it. What is appropriate is to observe it, and then to do whatever might be done to assist the soul in seeking and making a higher choice. 
And reading the manual and then adjusting my scripts and wasting important time is not exactly "making a higher choice". But saying that I have in fact an issue with looking up manuals, is indeed condemning the choice. And most of what people do in Linux is condemning the choices made by others, particularly those who do not choose Linux or who do not choose a Linux solution at any point or interval.
On 2015-09-23 at 15:45 -0400, Greg Freemyer wrote:
On Tue, Sep 22, 2015 at 7:40 PM, Carlos E. R. <> wrote:
What is dangerous about double mounting?
I don't think this was answered.
The issue comes in with Enterprise Storage Area Networks. They often have redundant paths to the same filesystem. Thus in a SAN environment it is easy to mistakenly mount the same filesystem two different places simultaneously.
If all reads/writes were atomic, that would be fine. But in the real world there are buffers and caches. The data in them often conflicts with what is on the actual storage system. Having 2 independent sets of buffers/caches quickly leads to chaos on a busy system.
I see. Understood. Thanks :-) -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/22/2015 06:05 PM, Adam Tauno Williams wrote:
... requiring relief of a safety is just a good practice, not a problem.
RTFM, which Greg did and pointed out same to Xen, is also a Good Practice. It has become clear from a lot of his posts that Xen is deficient in this area. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 09/22/2015 06:05 PM, Adam Tauno Williams wrote:
It never ever was. A "simple" mount command is merely one where you are assuming the defaults are OK, and that you remember exactly the context you are operating in.
For the most part, "mount" worked 'naked' of detailed parameters because those details were supplied by the configuration entries in /etc/fstab. If Xen had taken the time to RTFM (about mount) and to make suitable configuration changes, which is something he's made clear in the past that he doesn't want the burden of doing and the time it takes to do, he could have avoided this. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
Adam Tauno Williams
On Tue, 2015-09-22 at 22:41 +0200, Xen wrote:
Well, it didn't tell me that. And it would give me trouble mounting my snapshots because now I have to check for which filesystem is in use which is just ....more work.
Only because whatever other tool or filesystem you have previously been using *FAILED* to warn you of double mounting; this is a feature, not a bug. Mounting a snapshot is a special use-case, requiring relief of a safety is just a good practice, not a problem.
You're WRONG. You've just said (way below at the tar example) that a file should be uniquely identified not just by path but also by device ID. Now you're saying that a filesystem UUID (which tells nothing about device whatsoever) would tell an adequate tale of what device we are dealing with, so you are not double mounting that device. Otherwise, what could be the trouble with double mounting a FS that just happens to be identical or have identical features/parameters? So if it is true indeed that the UUID we are talking about is some FS UUID and not some device UUID, then obviously the feature is a BUG because it is like treating identical copies as identical THINGS. Which they are not. They are separate objects. UUID is flawed in any case.
Suddenly a simple "mount" command is no longer fool-proof.
It never ever was. A "simple" mount command is merely one where you are assuming the defaults are OK, and that you remember exactly the context you are operating in.
It was for me just a moment ago. I don't know what people you are talking about or what excellent outstanding universal use cases, but obviously it was not mine. Now you may suggest that my use case is not a valid use case. But that is kinda like begging the question. You must assume that my use case is not a valid one in order to prove that my use case is not a valid one. In other words, you are doing a circular reasoning. But to be more precise: yes the defaults were okay, if they had not been, I could choose the defaults (for all filesystems) myself, but I have not been in an environment where that was necessary, so it is not relevant. It is not .. it is just ludicrous to assume that we must cater to all possible environments when we write our scripts, or anything. And I don't know what context you are mentioning. I guess you mean environment. So I needed remember nothing, and the same is true for that.
And now you need a fool-proof way to discover the filesystem type of a block device
And? I would hope if you are moving, snapshotting, and mounting/unmounting LV's that you *just-know* the file-system you are working with.
Why should I if to my common understanding "mount" will always work, whether it is NTFS (I will assume) or EXT3/4. Things work best when they are transparent, at least they work best to me who values his time. If you have to know implementation details before you can use an interface, it is a bad interface. "Mount" is the interface. Mount has several implementations. I believe there is probably a mount.xfs command that will handle mounting XFS. But "mount" is the interface that makes the command file-system agnostic. Now you are saying that this interface should not be or does not have to be filesystem agnostic, while filesystem-agnosticity was its entire purpose. You're again reasoning from the conclusion to the premise: you feel it is perfectly reasonable to be having to use filesystem-cognisant commands, and hence you feel it is perfectly reasonable to "know" what filesystem I have in my hands before I run my script. No, the whole idea of the script is to be agnostic. And doing blkid and then scraping the output to divine the FS means that neither me nor my script knows in advance what I am dealing with, but this suddenly is acceptable to you?. It is perfectly clear the system would be more fool-proof, and hence more user friendly (and more usable) if the thing worked /without having to know more details/. Having to know lots of details of any system /before you can use it/ is the mark of a badly designed system.
It's a bit like Tar that includes some device number in the archives it creates.
I am not sure what "some device number" means. Tar persists the meta -data and contents of a file.
Me neither, but if you create incremental archives using -g or -G, and I guess any other kind of archive, it will (GNU tar will) store a device number and use that to compare files. If two files have the same path but a differing device number (e.g. a different LVM snapshot) it will assume the files are different, which is obviously a wrong assumption.
is beyond me, a path is supposed to be uniquely identified by.... path.
No, this has never ever ever been true. It is certainly not true in any kind of modern-ish storage system.
You just said it was perfectly okay if mount.xfs assumed two filesystems were referencing the same device just based on their path. So you're perfectly contradicting yourself, my friend. In all honesty a mount command should (if such 'safety' is warranted) be aware of real devices, while tar, when comparing backups, or archives of certain directory paths, should not. After all, tar does not store the entire path either. It usually just stores the relative path or whatever you have supplied. Why then, if it does not even extend to the root, should it extend to the device to which the current (relative path) is mounted? That will break lots of schemes. So you have it a bit... the other way around. Backwards. So I'm sorry but I will not take "has been in professional use for over a decade" (or whatever) as proof or even evidence that my own reasoning is flawed. I will take no false idols, okay?
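The tar behaviour Xen describes above (same path, different device number, so the file counts as new) can be modelled independently of tar. This is an added illustration, not GNU tar's code and not code from the thread: the snapshot records are constructed, the comparison is a simplification of what tar's listed-incremental (-g) snapshot file actually stores (device, inode and timestamps per directory entry), and the `check_device` flag stands in for GNU tar's real `--no-check-device` option, which exists for exactly the LVM-snapshot case described.

```python
"""Model of the device check in an incremental backup.

Added illustration, not tar's code: the records below are constructed, and
changed_files() is a simplified version of the identity test GNU tar applies
in listed-incremental mode. Each fresh LVM snapshot is a new block device, so
the same paths read from it carry a different st_dev; with the device check
on, every file is re-archived. GNU tar's --no-check-device switches that
comparison off.
"""
from typing import List, NamedTuple


class FileRecord(NamedTuple):
    path: str
    dev: int    # st_dev of the device the file was read from
    ino: int    # st_ino
    mtime: int  # modification time


def changed_files(previous: List[FileRecord], current: List[FileRecord],
                  check_device: bool = True) -> List[str]:
    """Paths the next incremental run would archive again.

    A path is re-archived when it is new, when its identity differs from the
    recorded one (inode, plus device unless check_device is False), or when
    its mtime moved.
    """
    recorded = {r.path: r for r in previous}
    out = []
    for rec in current:
        old = recorded.get(rec.path)
        if old is None:
            out.append(rec.path)            # never seen before
            continue
        same_identity = old.ino == rec.ino and (not check_device or old.dev == rec.dev)
        if not same_identity or old.mtime != rec.mtime:
            out.append(rec.path)
    return out


# Constructed sample: the first run read from snapshot device 0xfd01, the second
# from a new snapshot 0xfd02. Only home/notes.txt was edited in between.
RUN_1 = [
    FileRecord("etc/hosts", 0xfd01, 101, 1000),
    FileRecord("home/notes.txt", 0xfd01, 202, 1000),
    FileRecord("home/photo.jpg", 0xfd01, 303, 1000),
]
RUN_2 = [
    FileRecord("etc/hosts", 0xfd02, 101, 1000),
    FileRecord("home/notes.txt", 0xfd02, 202, 1500),
    FileRecord("home/photo.jpg", 0xfd02, 303, 1000),
]


def compare_policies() -> dict:
    """What the second run archives with and without the device check."""
    return {
        "check_device": changed_files(RUN_1, RUN_2, check_device=True),
        "no_check_device": changed_files(RUN_1, RUN_2, check_device=False),
    }


if __name__ == "__main__":
    for policy, paths in compare_policies().items():
        print(policy, paths)
```

With the device check on, the second run is effectively a full backup again; with it off, only the edited file is picked up. The device check exists because a path that reappears on a different device may genuinely be a different file (a different disk mounted at the same place), so turning it off is a deliberate choice for the snapshot workflow rather than a general default.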
On 09/22/2015 03:30 PM, Xen wrote:
I believe I'm hoping to run a Linux desktop or something close to it inside of Windows
Today I ran an X11 Server on my Android tablet; DM and other clients from the desktop PC over wifi. Next up; get it working with my bluetooth keyboard and bluetooth headset :-) Why don't you try running Linux in the VM and connecting to it from the host Windows via a VNC service (slow & clunky) or an X11 server running under Windows? best of both worlds that way :-) -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 22/09/15 19:39, James Knott wrote:
On 09/22/2015 08:16 AM, Anton Aylward wrote:
They often run Windows. Indeed, there are also people who smoke regularly, despite the proven health risk. There are even, according to police records, people who drive while seriously intoxicated.
For some reason there is a class of humans who habitually engage in high risk activities.
Unfortunately, my work computer runs Windows 8. Yuck!!!
Of course, there are many who don't know better and think Windows is all there is.
Peggy Lee : "Is That All There Is" M
John Andersen wrote:
On 09/19/2015 05:00 AM, Carlos E. R. wrote:
Hiding the SSID is not a serious security measure, but it hinders many intruders, those not determined enough. If used with other measures, it helps a bit.
Same goes for MAC filters.
Exactly. Hiding those things keeps out 5 nines (99.999%) of the wifi freeloaders.
The rest you aren't going to keep out anyway, but unless you live near a serious hacker you simply don't need to worry about them.
That said, WPA2 and a longish password seems good enough for me.
Yep, I agree. I have been thinking about using two SSIDs, but mostly to have different service levels/hours. (we have a teenager in the house). -- Per Jessen, Zürich (12.7°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Mon, 21 Sep 2015, Per Jessen wrote:
Yep, I agree. I have been thinking about using two SSIDs, but mostly to have different service levels/hours. (we have a teenager in the house).
Funky. So you will keep the password to the 'real' SSID hidden from said teenager? :P. Naughty these creatures are. Using internet in the midst of the night. I'm glad the people that run the show here where I reside don't do that sort of shit. They closed everything but port 80, 443 and ostensibly, 53, and they banned VPN, but at least there are no banned usage hours :). You should teach your teenager to hack the wifi! :D. But if you use a non-dictionary-word-like password, it's gonna be difficult. I guess you'll always be two steps ahead. Still, gives them something to do in the night :P. Only risk is that they hack the neighbours' wifi instead. :D. And public places often have dictionary passwords. A coffee shop with a password of "espresso" :P. Oh well. When I was that teenager I had to pay for my own phone bill as I was dialing out :(.
Xen wrote:
On Mon, 21 Sep 2015, Per Jessen wrote:
Yep, I agree. I have been thinking about using two SSIDs, but mostly to have different service levels/hours. (we have a teenager in the house).
Funky. So you will keep the password to the 'real' SSID hidden from said teenager? :P.
Yup, that's the idea. My current AP doesn't support multiple SSIDs though, so I'll have to upgrade first.
Only risk is that they hack the neighbours' wifi instead.
The neighbour's Wifi doesn't reach far enough :-) -- Per Jessen, Zürich (16.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2015-09-19 at 10:47 +0200, Daniel Bauer wrote:
Probably it is not even possible to set up such a how-to, thinking about all the different systems, routers...
Maybe it exists. I have read writeups but I don't remember where.
So for people like me, the only hope is that the firewall as set up by default when installing the system and using strong passwords, is enough to protect me from a disaster...
Maybe I could call this "security by luck".
:-) The firewall alone is not enough, but yes, the default firewall (set as external) is good enough (as firewall). The important thing is that security is not achieved by a single item. If you use WiFi, you need to secure access to it, because anybody within, say, 50 meters, can try. Even an innocent child. Maybe they just want to use your connection and do no harm, but things happen. Hiding the SSID does little, and it is a nuisance for you and your guests. But if you want to use it, go ahead: it will do no harm. Similarly for MAC filtering, but it is harder to bypass. Use WPA2 with a strong password, and don't use the one supplied by your ISP: who knows where they store it and who knows it. I heard of one ISP which generated the password from the phone number and/or SSID; the algorithm had been found, so anybody could in fact have your password. Have all internal machines with a firewall. In openSUSE, use the external interface setting, or if you use the internal setting, tell YaST to also protect from internal. Yes, this is a nuisance, but I don't trust ISP routers with firewall: those things have holes and they are seldom patched. Keep your machines updated. This protects you from most "hacks". Use common sense when clicking links or opening emails, especially in Windows. An antivirus, even in Windows, does little. In fact, I know people that don't use one, yet their machines are absolutely clean. And most of the virii I get on the mail the antivirus passes them as clean, anyway... Finally, if you need to have open services to the outside, like ssh, http, whatever, you have to really secure them. Ask, if you don't know how. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 19.09.2015 at 14:19 Carlos E. R. wrote: ...
Use WPA2 with a strong password...
I changed the SSID-name, use WPA2 and have a good (now new) password, I believe.
Have all internal machines with a firewall.
Here confusion already begins. What is an "internal" machine? I have my computer on the eth-cable, and my laptop on WiFi.
In openSUSE, use the external interface setting,
that's what I have
or if you use the internal setting, tell YaST to also protect from internal.
and I have no idea what it means to protect from internal...
Yes, this is a nuisance, but I don't trust ISP routers with firewall: those things have holes and they are seldom patched.
What nuisance? The router's firewall isn't even on, simply because I don't know what those settings mean...
Keep your machines updated. This protects you from most "hacks". Use common sense when clicking links or opening emails, specially in Windows.
Of course. The only Windows I have is in a virtual box with blocked network/internet.
Finally, if you need to have open services to the outside, like ssh, http, whatever, you have to really secure them. Ask, if you don't know how.
I have the ssh server "on". I need it to let my laptop connect, for rsync and the like. I would really like to know how I can manage that only MY laptop can ssh to the PC (and reverse). Due to DHCP, IPs change, so filtering by IP wouldn't help... What I "fear" most, is that one of my guests (to whom I gave the WiFi password) can follow my web-actions or even get into my PC.... Ahhh, it's all so complicated :-) -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
I'm not sure if this helps, but...
Daniel Bauer
Here confusion already begins. What is an "internal" machine? I have my computer on the eth-cable, and my laptop on WiFi.
Typically in a normal home network, the computers inside the network are shielded from the outside (internet) by way of a routing feature called Network Address Translation. Normally not a single host (computer) on the inside is reachable from any computer on the outside. An "internal" device is then some computer that is being NATted, that is to say, whenever it communicates with the outside, the router takes care of presenting it to the outside as if it is the router itself. If you have a bunch of computers on your network, they all appear to be only just talking to the router. Your internal addresses then usually have the form of 192.168.1.x. This is then what determines an "internal" machine. Internal machines are not directly reachable from the outside, which also means any services on any open ports they have cannot be accessed. Computers on the inside can normally only contact SERVER devices on the internet. If, in another case, the program or computer wants to open some port, it can ask the router to open one for it; this is called "UPnP". Typically your router is the 'separator' (or the gateway) between the internal network, and the outside, or external internet. It, by that definition, is also a firewall protecting your computers.
and I have no idea what it means to protect from internal...
I'm not sure if this is what Yast does, but to protect from internal, would, under normal or ordinary nomenclature, mean or be meaning to protect against LAN computers (such as your visitors). However, most of what a firewall does is blocking ports or dropping suspicious packets. I don't know much about SuSE's configuration.
Yes, this is a nuisance, but I don't trust ISP routers with firewall: those things have holes and they are seldom patched.
What nuisance? The routers firewall isn't even on, simply because I don't know what those settings mean...
Carlos was not speaking of the router you have in your home, but rather of the firewall of the machine you are running OpenSuse on. If you have a machine on an internal NAT (NATted LAN) you don't really need a firewall. Although it is useful to know if some process on your computer is trying to open a port to the outside, usually you will want to monitor and know about this. I am not sure if this is possible in Linux. Typically, for instance, I want or would want to know whenever my computer is phoning home to microsoft. Unfortunately, this information is not available or made visible by default. But any "phoning home" by contrast is also not any different, or differentiable, from any other ordinary internet request made by your computer. Any process on your computer can request e.g. any web resource (a http:// request) and you will never know unless you have some software (which would be a firewall) that would monitor and maintain lists of processes doing stuff on the web/on the internet, and allow you to cut short such attempts that you don't want. Actually I would very much prefer to do that. I normally seriously want to know and to decide what program can do what when.
Finally, if you need to have open services to the outside, like ssh, http, whatever, you have to really secure them. Ask, if you don't know how.
I have the ssh server "on". I need it to let my laptop connect, for rsync and the like,
I don't know much about securing. It seems a lot of work. I am securing some VPS online host but for me securing means having automated tools to monitor and respond to threats. So security for me means power and knowledge. Not necessarily "hardening". It seems quite a lot of work to get this power and knowledge in place, because it doesn't seem to be any form of default. People don't seem to care about it, to put the average user in this kind of control (you have more control in Windows than you do in e.g. Suse).
I would really like to know how I can manage that only MY laptop can ssh to the PC (and reverse). Due to DHCP, IPs change, so filtering by IP wouldn't help...
One way to achieve this is to require either a key without password, or a key with password, and to turn password-only off. Your laptop then needs to supply a key that matches what you have (on an earlier occasion) given to the PC to secure that account. The usual way to do this is to copy the public key for your user account (that you can generate with ssh-keygen) to the .ssh directory of the remote user account (so it is account based, not host based). This is then copied with e.g.

    cat ~/.ssh/id_rsa.pub | ssh user@laptop "cat - >> ~/.ssh/authorized_keys"

This would copy the public RSA key on one host to the authorized key file on another. By typical extension, this means now you no longer need a password to login. I do not yet know how to change that behaviour. There are directives like "PasswordAuthentication" and "PreferredAuthentications". But the result of this might be that a computer will only be able to log into that account on that other machine (e.g. your laptop) (or vice versa) if that computer/user account can supply the required key. In sshd_config you can read the following:

    AuthenticationMethods
        Specifies the authentication methods that must be successfully
        completed for a user to be granted access. This option must be
        followed by one or more comma-separated lists of authentication
        method names. Successful authentication requires completion of
        every method in at least one of these lists.

This is in the config for sshd, the ssh server daemon. If you set "AuthenticationMethods publickey" then any login attempt to that machine will require a public key.
What I "fear" most, is that one of my guests (to whom I gave the WiFi password) can follow my web-actions or even get into my PC....
Ahhh, it's all so complicated :-)
Maybe if they sniffed your LAN traffic (including wifi) they would be able to. This sniffing, however, is much more likely (or doable) than breaking into your pc. But someone still needs to be that hacker, sort of, that would do that. He/she would need to login to your wifi, but ordinarily it is (I think) impossible to read other people's traffic. On a regular network cable it should be possible. But I'm not sure what kind of visitors you get ;-).
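As an added example, not code from the thread or from any of its posters: a POSIX shell script that does the two steps Xen describes above without the loose ends, namely installing a public key into authorized_keys exactly once with the file modes sshd insists on, and auditing an sshd_config for "PasswordAuthentication no" plus "AuthenticationMethods publickey". Every path, key line and config file below is constructed for the demo; none is a live system file.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers for the key-only
# ssh setup described above: install a public key once, and audit
# sshd_config for the two settings that shut password logins off.
# All paths are constructed for the demo; none is a live system file.
set -e

# add_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Appends the first line of PUBKEY_FILE to AUTHORIZED_KEYS_FILE unless the
# same key material is already there (a plain "cat >> authorized_keys"
# adds a duplicate every time it is re-run), and sets the modes sshd
# requires (0700 on ~/.ssh, 0600 on authorized_keys); with StrictModes
# (the default) sshd silently ignores a world-readable file.
add_authorized_key() {
    pubkey=$(head -n 1 "$1")
    auth_file=$2
    # Accept only "<keytype> <base64> [comment]" lines.
    case "$pubkey" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*) ;;
        *) echo "add_authorized_key: not a public key line in $1" >&2; return 1 ;;
    esac
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir"
    chmod 700 "$auth_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"
    # Compare on field 2 (the key material) so an edited comment does not
    # sneak in a second copy of the same key.
    keydata=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    if awk -v k="$keydata" '$2 == k {found=1} END {exit !found}' "$auth_file"; then
        return 0    # already present, nothing to do
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# audit_sshd_config FILE
# Returns 0 when FILE contains "PasswordAuthentication no" and
# "AuthenticationMethods publickey" (the keyword quoted from
# sshd_config(5) above); otherwise reports what is missing and returns 1.
# sshd takes the FIRST occurrence of a keyword, keywords are
# case-insensitive and "#" lines are comments, so the check does the same.
audit_sshd_config() {
    cfg=$1
    rc=0
    for want in "PasswordAuthentication no" "AuthenticationMethods publickey"; do
        key=${want%% *}
        val=${want#* }
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) {print $2; exit}' "$cfg")
        if [ "$got" != "$val" ]; then
            echo "$cfg: want \"$want\", have \"$key ${got:-<unset>}\"" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed files in a scratch directory.
demo() {
    tmp=$(mktemp -d)
    # Constructed public key line; the key material is a placeholder.
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIALxxxxxxxxxxx daniel@laptop\n' \
        > "$tmp/id_ed25519.pub"
    add_authorized_key "$tmp/id_ed25519.pub" "$tmp/.ssh/authorized_keys"
    add_authorized_key "$tmp/id_ed25519.pub" "$tmp/.ssh/authorized_keys"  # re-run: no duplicate
    echo "authorized_keys lines: $(awk 'END {print NR}' "$tmp/.ssh/authorized_keys")"

    # The stock setting beside the hardened one.
    printf '#PasswordAuthentication yes\nPasswordAuthentication yes\n' > "$tmp/sshd_config.weak"
    printf 'PasswordAuthentication no\nAuthenticationMethods publickey\n' > "$tmp/sshd_config.hard"
    if audit_sshd_config "$tmp/sshd_config.weak"; then echo "weak: passes (unexpected)"; else echo "weak: fails audit"; fi
    if audit_sshd_config "$tmp/sshd_config.hard"; then echo "hard: passes audit"; fi
    rm -rf "$tmp"
}

demo
```

On the real PC the stock OpenSSH tools do the same jobs: ssh-copy-id installs the key and `sshd -T` prints the daemon's effective settings for you to read off.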
On 09/19/2015 10:14 AM, Xen wrote:
Your internal addresses then usually have the form of 192.168.1.x. This is then what determines an "internal" machine.
Internal machines are not directly reachable from the outside, which also means any services on any open ports they have, cannot be accessed.
This bit of confusion is due to people being forced to use NAT, due to the lack of IPv4 addresses. Without NAT, you'd generally get a block of addresses that are all publicly reachable. You then configure the firewall to allow or block as required. This is still often the case with business customers on IPv4 and with anyone on IPv6. For example, I run IPv6 on my home network. I have a /56 prefix, which gives me 2^72 addresses for my own use. That's a trillion times the entire IPv4 address space. Every IPv6 capable device I have, including smart phone and tablet, get an address that can be publicly available, if I so configure my firewall. My firewall is configured to pass only ssh and imaps to my main computer and ssh to my firewall computer.
On 09/19/2015 09:01 AM, Daniel Bauer wrote:
Here confusion already begins. What is an "internal" machine? I have my computer on the eth-cable, and my laptop on WiFi.
"Internal" means a computer on your local network, protected from the world by your firewall. "External" means the rest of the world. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 19.09.2015 at 14:19 Carlos E. R. wrote: ...
Use WPA2 with a strong password...
I changed the SSID-name, use WPA2 and have a good (now new) password, I believe.
Ok...
Have all internal machines with a firewall.
Here confusion already begins. What is an "internal" machine? I have my computer on the eth-cable, and my laptop on WiFi.
Well, all the machines that are connected to the ISP provided router. Outside is Internet, inside is your home, local network.
In openSUSE, use the external interface setting,
that's what I have
or if you use the internal setting, tell YaST to also protect from internal.
and I have no idea what it means to protect from internal...
Oh, it's just a setting in SuSEfirewall2 config that is named that way:

    ## Type: list(yes,no,notrack,)
    #
    # Do you want to protect the firewall from the internal network?
    # Requires: FW_DEV_INT
    #
    # If you set this to "yes", internal machines may only access
    # services on the firewall you explicitly allow. If you set this to
    # "no", any internal user can connect (and attack) any service on
    # the firewall.
    #
    # The value "notrack" acts similar to "no" but additionally
    # connection tracking is switched off for interfaces in the zone.
    # This is useful to gain better performance on high speed
    # interfaces.
    #
    # defaults to "no" if not set
    #
    # see also FW_REJECT_INT
    #
    FW_PROTECT_FROM_INT="no"

    /etc/sysconfig/SuSEfirewall2 lines 219-240/1169 24%

Let me expand. If you have a computer on a company or college network, you could define the interface as "internal", which would facilitate other users in the company to connect to your machine, for sharing files, for instance. You would be protected from the dangerous outside world by the company firewalls. You could do the same at home. However, if you don't trust all the people on that company network, you would set "protect from internal", that would immediately close all ports; if you want to share files, you would have to specifically open the needed ports. Basically, it is about the same as defining the network interface as "external".
Yes, this is a nuisance, but I don't trust ISP routers with firewall: those things have holes and they are seldom patched.
What nuisance? The routers firewall isn't even on, simply because I don't know what those settings mean...
Well, you don't need to know the settings; just enable the firewall in the router. You only need to configure it when you want someone outside to be able to connect to a computer in your home. Like, for instance, to set up an internet phone. I mean that it is a nuisance to try to share files between two computers if the firewalls inside home are up. But it is safer, too, especially if the firewall on your router is down.
Keep your machines updated. This protects you from most "hacks". Use common sense when clicking links or opening emails, especially in Windows.
Of course. The only Windows I have is in a virtual box with blocked network/internet.
Good! I forgot about phishing and social engineering: say that somebody sends to you an email asking you to read some report on a photographer meeting at La Hague, or offering a contract. You would be intrigued and have a look. Well, that's a possible dangerous situation. Especially in Windows, because they tell people to open, say, an invoice in a PDF, but the file is not a PDF, but an executable, which immediately owns the Windows computer because the typical setup is to run Windows as administrator. If they send you an email with a text that seems realistic and intriguing, especially if they already know about you, it is possible that you get hooked. It is dangerous, more than virii.
Finally, if you need to have open services to the outside, like ssh, http, whatever, you have to really secure them. Ask, if you don't know how.
I have the ssh server "on". I need it to let my laptop connect, for rsync and the like,
Ok, but you use it for connecting inside home; not to connect from a coffee shop, right?
I would really like to know how I can manage that only MY laptop can ssh to the PC (and reverse). Due to DHCP, IPs change, so filtering by IP wouldn't help...
Well... If you configure for static addresses instead, you can then filter in the firewall to allow those addresses. Some home routers can be configured to assign a certain IP to a certain machine, via DHCP. So the computer is still on automatic network configuration, but it always gets the same address. On http://adslzone.net/ you can find information about the routers typically used in Spain, with howtos for doing typical things.
What I "fear" most, is that one of my guests (to whom I gave the WiFi password) can follow my web-actions or even get into my PC....
Ahhh, it's all so complicated :-)
Well, getting into your PC is not trivial. Following your web actions is easier, /if/ your router publishes all network traffic of everybody on the wireless interface, which they typically don't. If you are connected by cable, it is easier to "sniff" (that's the name of the action). -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Thanks Carlos, Xen and James for the explanations! (I'm always a bit shy to answer in this thread, I hope it does not annoy too much to purely open-suse-related people. But for me it is very interesting and I think I already learned a little more...) On 20.09.2015 at 01:41 Carlos E. R. wrote:
I forgot about phishing and social engineering: say that somebody sends to you an email asking you to read some report on a photographer meeting at La Hague, or offering a contract. You would be intrigued and have a look. Well, that's a possible dangerous situation.
Yes, they try a lot. Apart from stupid ones (cancelling a credit card I don't have, warning of a paypal block 15 times a day, using such bad translations that it already gets funny, sender addresses or links that point to other addresses than shown in the text...) some might be made intelligent enough to trigger me. Well, it doesn't need so much :-) I do open image files from unknown senders with quickshow and some pdfs with okular. Unknown websites coming up with flash contents (blocked by my browser settings) are not viewed. But yes, they triggered my mother into opening an attachment (a hidden .exe) writing her that her bank account had been charged a high sum. She clicked and clicked the .exe, and as nothing happened (she's on linux, too) she desperately called me...
If they send you an email with a text that seems realistic and intriguing, especially if they already know about you, it is possible that you get hooked. It is dangerous, more than virii.
It's possible. I try to keep my brain up and running... ...
I have the ssh server "on". I need it to let my laptop connect, for rsync and the like,
Ok, but you use it for connecting inside home; not to connect from a coffee shop, right?
No. Just used to surf a bit the web, but since a company sold an application to many cafés that offer free WiFi when you login via facebook, not even that. I heard a conversation of an agent of this company and the statistics about those who connect in the café she offered to the owner made my hair stand on end. No, I only connect my laptop to my PC at home.
I would really like to know how I can manage that only MY laptop can ssh to the PC (and reverse). Due to DHCP, IPs change, so filtering by IP wouldn't help...
Well... If you configure for static addresses instead, you can then filter in the firewall to allow those addresses.
Some home routers can be configured to assign a certain IP to a certain machine, via DHCP. So the computer is still on automatic network configuration, but it always gets the same address.
On http://adslzone.net/ you can find information about the routers typically used in Spain, with howtos for doing typical things.
The page is open. I read in little mouthfuls...
What I "fear" most, is that one of my guests (to whom I gave the WiFi password) can follow my web-actions or even get into my PC....
Ahhh, it's all so complicated :-)
Well, getting into your PC is not trivial.
Following your web actions is easier, /if/ your router publishes all network traffic of everybody on the wireless interface, which they typically don't. If you are connected by cable, it is easier to "sniff" (that's the name of the action).
Why is that easier? I thought the contrary. My main PC is connected by cable... Should I better connect it per WiFi? (I have an old WiFi-card laying around somewhere...) Enjoy a sunny Sunday! Daniel -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
On 09/20/2015 03:08 AM, Daniel Bauer wrote:
Following your web actions is easier, /if/ your router publishes all network traffic of everybody on the wireless interface, which they typically don't. If you are connected by cable, it is easier to "sniff" (that's the name of the action).
Why is that easier? I thought the contrary. My main PC is connected by cable... Should I better connect it per WiFi? (I have an old WiFi-card laying around somewhere...)
Actually, "sniffing" on the wired network is harder, as you need physical access to it. Also, with switches, someone on another port will see very little traffic that's intended for someone else. All they'd see is broadcasts, including unicast frames flooded to the network, when the switch doesn't yet know what port a device is connected to. The exception to this is with managed switches which can be configured to mirror all traffic on one port to another.
On 2015-09-20 at 07:17 -0400, James Knott wrote:
Why is that easier? I thought the contrary. My main PC is connected by cable... Should I better connect it per WiFi? (I have an old WiFi-card laying around somewhere...)
Actually, "sniffing" on the wired network is harder, as you need physical access to it. Also, with switches, someone on another port will see very little traffic that's intended for someone else. All they'd see is broadcasts, including unicast frames flooded to the network, when the switch doesn't yet know what port a device is connected to. The exception to this is with managed switches which can be configured to mirror all traffic on one port to another.
And cheap ISP router-switches, probably hubs. Otherwise, ntop would not learn what other computers at home are doing. But when ntop is running on the laptop, via wifi, it sees nothing of the others. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/20/2015 07:51 AM, Carlos E. R. wrote:
On 2015-09-20 at 07:17 -0400, James Knott wrote:
Why is that easier? I thought the contrary. My main PC is connected by cable... Should I better connect it per WiFi? (I have an old WiFi-card laying around somewhere...)
Actually, "sniffing" on the wired network is harder, as you need physical access to it. Also, with switches, someone on another port will see very little traffic that's intended for someone else. All they'd see is broadcasts, including unicast frames flooded to the network, when the switch doesn't yet know what port a device is connected to. The exception to this is with managed switches which can be configured to mirror all traffic on one port to another.
And cheap ISP router-switches, probably hubs. Otherwise, ntop would not learn what other computers at home are doing.
Cheap or not, all switches work the same way and hubs have been obsolete for many years. Also, hubs are half duplex and most 10 Mb only. Ntop doesn't show all the data on a network. It can show what's happening on your computer or use software on other devices to collect data. However, it cannot just see other traffic.
But when ntop is running on the laptop, via wifi, it sees nothing of the others.
That's more due to the hardware. WiFi is quite different in operation than Ethernet networks. The same happens with Wireshark. Normally a WiFi NIC has to associate with another device, before it receives data from it. To my knowledge, there's no such thing as the "promiscuous mode" as used on Ethernet NICs to sniff traffic on WiFi. Sniffing WiFi generally requires special equipment, such as the test equipment I mentioned in another note.
On 2015-09-20 at 08:01 -0400, James Knott wrote:
On 09/20/2015 07:51 AM, Carlos E. R. wrote:
Cheap or not, all switches work the same way and hubs have been obsolete for many years. Also, hubs are half duplex and most 10 Mb only. Ntop doesn't show all the data on a network. It can show what's happening on your computer or use software on other devices to collect data. However, it cannot just see other traffic.
But that's the issue, it just does. At least in my home.
But when ntop is running on the laptop, via wifi, it sees nothing of the others.
That's more due to the hardware. WiFi is quite different in operation than Ethernet networks. The same happens with Wireshark. Normally a WiFi NIC has to associate with another device, before it receives data from it. To my knowledge, there's no such thing as the "promiscuous mode" as used on Ethernet NICs to sniff traffic on WiFi. Sniffing WiFi generally requires special equipment, such as the test equipment I mentioned in another note.
yep. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/20/2015 08:52 AM, Carlos E. R. wrote:
But that's the issue, it just does. At least on my home.
You can see traffic between other devices on your computer??? Are you using a hub??? Unlike hubs, switches don't just pass traffic to all other ports. They use MAC lookup tables to determine the port connected to the destination and send the frame only to that port. The only exceptions would be broadcast/multicast and flooding frames when it hasn't yet learned the port for the destination. That is the only traffic you should see that's not meant specifically for your computer. However, if you're running ntop, you could, for example, have Netflow agents on routers etc., that can monitor traffic on those devices. Even then, I doubt you'd see the actual traffic.
On 2015-09-20 at 10:18 -0400, James Knott wrote:
On 09/20/2015 08:52 AM, Carlos E. R. wrote:
But that's the issue, it just does. At least on my home.
You can see traffic between other devices on your computer??? Are you using a hub???
Some months ago, probably. I no longer have that device, provided by my ISP. It is (was) labeled as router, but it does not specify whether it has an integrated switch or hub. Now my hardware is different. I'll check again when I get back home. Now I have a standalone 8 port switch.
Unlike hubs, switches don't just pass traffic to all other ports. They use MAC lookup tables to determine the port connected to the destination and send the frame only to that port. The only exceptions would be broadcast/multicast and flooding frames when it hasn't yet learned the port for the destination. That is the only traffic you should see that's not meant specifically for your computer. However, if you're running ntop, you could, for example, have Netflow agents on routers etc., that can monitor traffic on those devices. Even then, I doubt you'd see the actual traffic.
No, I certainly have not installed agents anywhere :-) -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/20/2015 10:32 AM, Carlos E. R. wrote:
Some months ago, probably. I no longer have that device, provided by my ISP. It is (was) labeled as router, but it does not specify whether it has an integrated switch or hub.
As I mentioned, hubs have been obsolete for 20 years and if they gave you one, they gave you an antique. ;-)
On 2015-09-20 at 10:37 -0400, James Knott wrote:
On 09/20/2015 10:32 AM, Carlos E. R. wrote:
Some months ago, probably. I no longer have that device, provided by my ISP. It is (was) labeled as router, but it does not specify whether it has an integrated switch or hub.
As I mentioned, hubs have been obsolete for 20 years and if they gave you one, they gave you an antique. ;-)
I know, but ISPs are /cheap/. You have been surprised other times at the things I tell that providers in Spain do ;-p I did a quick search on internet, and found several places that say they sell "network hubs", when they are actually and obviously switches. They use confusing naming here, it seems. I was unable to find out if they do sell a real hub. (browsing the mobile version of pages is a bit difficult) -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 2015-09-20 at 09:08 +0200, Daniel Bauer wrote:
Thanks Carlos, Xen and James for the explanations!
(I'm always a bit shy to answer in this thread, I hope it does not annoy too much to purely open-suse-related people. But for me it is very interesting and I think I already learned a little more...)
Not me in the least :-) I often ask questions not directly related to Linux, because I think Linux users often use a multitude of systems and devices, whereas a Windows user typically knows nothing about a mixed Window/Linux environment. A photography page would know nothing about what software to use in Linux for picture management/manipulation ;-)
On 20.09.2015 at 01:41 Carlos E. R. wrote:
I forgot about phishing and social engineering: say that somebody sends to you an email asking you to read some report on a photographer meeting at La Hague, or offering a contract. You would be intrigued and have a look. Well, that's a possible dangerous situation.
Yes, they try a lot. Apart from stupid ones (cancelling a credit card I don't have, warning of a paypal block 15 times a day, using such bad translations that it already gets funny, sender addresses or links that point to other addresses than shown in the text...) some might be made intelligent enough to trigger me.
Many of them are trapped by Thunderbird learning, or by spamassassin or amavis. But not the good ones.
Well, it doesn't need so much :-) I do open image files from unknown senders with quickshow and I some pdf's with okular. Unknown websites coming up with flash contents (blocked by my browser settings) are not viewed.
Yep.
But yes, they triggered my mother into opening an attachment (a hidden .exe) writing her that her bank account had been charged a high sum. She clicked and clicked the .exe, and as nothing happened (she's on linux, too) she desperately called me...
Well, good thing she was using Linux ;-)
...
I have the ssh server "on". I need it to let my laptop connect, for rsync and the like,
Ok, but you use it for connecting inside home; not to connect from a coffee shop, right?
No. Just used to surf a bit the web, but since a company sold an application to many cafés that offer free WiFi when you login via facebook, not even that. I heard a conversation of an agent of this company and the statistics about those who connect in the café she offered to the owner made my hair stand on end.
LOL.
No, I only connect my laptop to my PC at home.
Good. Then you don't need to secure your ssh more. Just enable the firewall at the ISP router. My previous router, the one that I say that may have a hub, not switch, could not enable the firewall on the menu. Instead, you had to save the config to a backup file, open the file with an editor, change something there, then import it back. Presto! New entry on the menu labeled firewall or similar. Same router that had a fixed login "1234" and default password "1234" which clients were not advised to change...
On http://adslzone.net/ you can find information about the routers typically used in Spain, with howtos for doing typical things.
The page is open. I read in little mouthfuls...
It is quite useful :-) There is another similar site, but I can't remember the name now.
Following your web actions is easier, /if/ your router publishes all network traffic of everybody on the wireless interface, which they typically don't. If you are connected by cable, it is easier to "sniff" (that's the name of the action).
Why is that easier? I thought the contrary. My main PC is connected by cable... Should I better connect it per WiFi? (I have an old WiFi-card laying around somewhere...)
No, no, cable is more secure, as long as they don't hook a cable to your home, and most don't.
Enjoy a sunny sunday!
28°C and 80% humidity here, at La Manga. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Sun, Sep 20, 2015 at 10:57 AM, Carlos E. R.
28°C and 80% humidity here, at La Manga.
That sounds nice. It's going to be 39°C and 30% here today. Brandon Vincent
On 09/19/2015 01:47 AM, Daniel Bauer wrote:
without using tons of words I've never heard before
At this point you seem to be connected to the internet. I suspect that might not always be true, but for now it is. Don't come to the internet whining about being exposed to new words. Virtually the entire knowledge of mankind is at your finger tips. So stop acting like a third grader, and do what your 4th grade teacher told you to do: Look those words up. -- After all is said and done, more is said than done.
On Sat, 19 Sep 2015, John Andersen wrote:
On 09/19/2015 01:47 AM, Daniel Bauer wrote:
without using tons of words I've never heard before
At this point you seem to be connected to the internet. I suspect that might not always be true, but for now it is.
Don't come to the internet whining about being exposed to new words. Virtually the entire knowledge of mankind is at your finger tips.
So stop acting like a third grader, and do what your 4th grade teacher told you to do: Look those words up.
I wouldn't expect that of you, John. Shame on you! Anyone can get flushed from an overexposure to unknown terms and concepts, and this can quickly render a text (or treatise) completely incomprehensible to a person; any successful learning experience depends on managing that exposure. To say otherwise is to say a lie of education. So if that teacher told you that ("Look those words up"), it would just be a very bad teacher blaming the student for his own lack of skill.
James Knott
On 09/18/2015 12:29 PM, Xen wrote:
But still I would take security by obscurity over no security any time.
Security by obscurity is no security.
That IS nonsense. Maybe your definition of security precludes such measures (but then you've defined it so strictly as to exclude that). Security by obscurity is EXTREMELY valuable. If that still doesn't make it "security" to you, then I don't care about security, I care about being protected.

There are simply two types of attacks:
- the broad spectrum, automated, known-vulnerability mass-exploit attack
- anything that requires dedication to a single host.

Security by obscurity gets wiped by the second type of attack, but the first can't really touch it. That is because security by obscurity relies on individual alteration or uniqueness to make it impossible for an automated attacker to know where to strike. Not exposing yourself in the first place is a good form of security. It's the same as running SSH on a non-default port. Many automated attempts will already be thwarted because you don't run it on 22. If you have a dedicated attacker then security by obscurity won't do much good for you. But it does nothing bad for you either. WHY THE HATE?

If you want to get rid of spam, user registrations, etc. on any public website (forum, blog), all you need to do is to change some of the parameters, deviating from the default offering of that package, and the spam will be GONE. As long as the attackers don't catch up, but why advertise it (you want to be obscure!). It may not be the solution for all time, but it is a rather painless and quick fix that no real spam protection plugin or addon can do for you. A spammer simply needs to know in advance, if not the API calls to make submissions, then at least the layout of the interface elements that lead to that submission. Or it gets very advanced and they need to start using neural networks. But in general your typical spammer today on e.g. WordPress gets thwarted by changing two lines of code. Okay, maybe 5. But that's about it. If have a friend....

In warfare it is a pretty common proposition that if you know the terrain, you have an advantage. This is security by obscurity. There are things your adversary does not know, which puts him at a disadvantage when it comes to a battle. It would be folly to disregard such things. It would also be folly to count on them for all time (your adversary may explore the terrain).

The guy changed the ignition to his vehicle and caused the standard ignition to lock the doors and inject a sleeping gas into the chamber. It also notified him by text message that someone had broken into his car. He did the same to his house. A burglar was trapped in a flooded chamber and the police were automatically notified.

I once escaped the police this way (knowing the terrain better than them) :P. You may think of it what you will. Insurgents in my home town used it to escape German soldiers during WW2. It can mean the difference between life and death, this security by obscurity. If that means nothing to you, then I don't care much for security (for what is the point?). If your system is all nice and secure but it is of no use because, for instance, you have no plausible deniability or you get blackmailed or a system you depend on gets compromised (such as a family member :p)

I'm just saying that all the little bits count and you need to make use of all of them to stay safe. You can't throw away half of what you can do because you're snobbish and it doesn't live up to your standards. In the real world, you have no time for such crap. You use what you can and what you need to stay at the advantage, and to stay at the edge. The people who didn't want to use any obscurity measures can now relate it from the grave. So good luck with that.

Oh, and learn from the Chameleon. Learn from the Giraffe. And while you're at it, learn from the military as well. Camo, yes, is a form of security by obscurity. So I don't know what world you live in, but it is obviously not the real one.

You would happily go to war in pink carriages with neon lights because "it is bad to depend on not being seen" or "real skill is irrespective of whether anyone knows you're there; you should be able to prevail in any case". Any advantage is an advantage and you need all of it (at least if you don't want to die/lose).

Whereas camo would be security by obscurity, the other form of security would be the equivalent of having superior arms or systems that can better deal with a threat, or having impenetrable walls. All not unimportant -- armor is not unimportant. But armor is pretty much useless if you make yourself out to be a shooting target, and you need both. Security by obscurity and security by defensive wall are complements, and neither should be disregarded in favour of the other.

That security bigots everywhere are repeating that mantra that "security by obscurity is no security" just means that a lot of them are not dealing with real world situations. They want some level of security or some concept of security that has no meaning in the real world. Because in the real world security (or safety) is determined by more factors than just the ones they want to adhere to, the ones that they consider "worth their attention". And no real world person with experience would be able to deny the benefits of knowing more about your system or environment than the assailant does.

An access token is in fact also a measure of obscurity. Any wall needs a door and the door needs a key. The key depends on information not being known to the attacker. Sometimes the key is not tied to any individual person/account, and sometimes it is. Sometimes account-bound gates protect access to object-bound keys. That then gives access to the object that is protected. But they remain secrets and secrets are "obscure". It is information. And the information that the attacker does not know protects you. Address-scanning some hidden host in a network is pretty much the same thing as brute-forcing a key.

Once you have found the address (or the key) you can immediately unlock the thing or gain access to it. Many systems penalize repeated attempts at "guessing" the key. If brute-forcing something becomes very expensive, the obscurity value of it increases and hence the obscurity of it is being strengthened. All real world systems depend on that. When they can. Having a strong key is one thing, not giving anyone access to the ciphertext is another. Any information leak can be used to compromise.

So the idea that security by obscurity is useless is completely and utterly estranged from the real world. All password or token systems depend on it. It is the vital component that makes it work. It is complementary, and complements need each other.

So, whatever. I guess it is just a case of someone thinking his knowledge is superior or something. But it's just a dogma and it is not even understood. No one in his right mind would disregard the benefits of knowledge-based advantages. If you count only on some algorithm being "perfect" and put all your hopes and all your trust in that, stake everything on that, then I can guarantee you at some point you will be proven wrong about that. And you will regret not having done something else, or something extra. And all because of some ego position that you wished to defend.... Well, whatever. What does it matter to me, what another does.
On 09/17/2015 12:33 PM, David C. Rankin wrote:
With WPA and a mac address filter
Use nothing less than WPA2. Even WPA has issues. Also, MAC filtering doesn't do much, as spoofing is easy.
On 09/14/2015 02:51 PM, Daniel Bauer wrote:
Hello,
As my internet sometimes is very slow I opened 192.168.1.1 (with that movistar/Spain specific page) that showed me that besides of my eth0-wired computer there are 4 other WLAN-IPs, although I, for the moment, do not have switched on any wireless device.
If you haven't enabled wireless, how would those others be connecting? The only other way is via direct Ethernet connection. Many devices have WiFi enabled out of the box.
I don't know if I'm wrong, but because of this I think somebody else is using my WLAN and I'd like to find out about it.
After googling I installed wireshark (with Yast), but now I am stuck. The found web pages say I have to use "monitor mode", but the list of interfaces shows "n/a" for all the interfaces in the "monitor mode"-column.
You normally use only one connection, such as an Ethernet port. However, even that might not do you much good. With switches, you will see only traffic for your computer or broadcasts. With managed switches, you can set up a monitor port, which copies all the traffic from another port to the monitor port, so Wireshark can see it.
Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who has not the slightest idea of how networks work?
Many access points maintain a log of connections. Also, why not just change the WiFi password, if you think someone else is connecting to your WLAN? Of course, you should be using WPA2, as it's the most secure.
On 2015-09-14 21:10, James Knott wrote:
On 09/14/2015 02:51 PM, Daniel Bauer wrote:
Hello,
As my internet sometimes is very slow I opened 192.168.1.1 (with that movistar/Spain specific page) that showed me that besides of my eth0-wired computer there are 4 other WLAN-IPs, although I, for the moment, do not have switched on any wireless device.
If you haven't enabled wireless, how would those others be connecting? The only other way is via direct Ethernet connection. Many devices have WiFi enabled out of the box.
The Spanish Movistar system adds some VLANs (not WLANs) to the setup, uses one for the TV service, and another for SIP, both hidden from view.
Many access points maintain a log of connections. Also, why not just change the WiFi password, if you think someone else is connecting to your WLAN? Of course, you should be using WPA2, as it's the most secure.
The Movistar router (a comtrend, typically) is not configured directly, but via a remote web page at the ISP, which only gives the client access to limited settings. You can not change the SSID, nor the encryption type, as far as I remember. And I don't remember if it can be disabled, which would be the sensible thing to do if not used. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 09/14/2015 03:17 PM, Carlos E. R. wrote:
The Movistar router (a comtrend, typically) is not configured directly, but via a remote web page at the ISP, which only gives the client access to limited settings. You can not change the SSID, nor the encryption type, as far as I remember. And I don't remember if it can be disabled, which would be the sensible thing to do if not used.
I keep on getting the idea that Spain is a really screwed up country. Let me get this right. You have a WiFi access point, but you can't change the SSID? What about the password? If they use any encryption type other than WPA2, they're creating a security hole. I have a few access points and have configured several others. In every case, I was the one that chose encryption type, set the SSID and password and also what 802.11 versions were allowed (802.11b really should not be used these days). As mentioned, the best encryption available is WPA2. 802.11n and 802.11ac allow only WPA2.
Am 14.09.2015 um 21:29 schrieb James Knott:
On 09/14/2015 03:17 PM, Carlos E. R. wrote:
The Movistar router (a comtrend, typically) is not configured directly, but via a remote web page at the ISP, which only gives the client access to limited settings. You can not change the SSID, nor the encryption type, as far as I remember. And I don't remember if it can be disabled, which would be the sensible thing to do if not used.
I keep on getting the idea that Spain is a really screwed up country. Let me get this right. You have a WiFi access point, but you can't change the SSID? What about the password? If they use any encryption type other than WPA2, they're creating a security hole. I have a few access points and have configured several others. In every case, I was the one that chose encryption type, set the SSID and password and also what 802.11 versions were allowed (802.11b really should not be used these days). As mentioned, the best encryption available is WPA2. 802.11n and 802.11ac allow only WPA2.
The router comes from movistar. It's a BHS_RTA. Yes, one can go around that movistar special page when accessing the router with http://192.168.1.1:8000/ and you can change the ssid. And using WPA2. And a lot more... <OT> (b.t.w.: It's not the country, it's the government that is screwed up, but really f****d up - well, it's a government, what do you expect... </OT> -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
On 09/14/2015 03:42 PM, Daniel Bauer wrote:
Yes, one can go around that movistar special page when accessing the router with http://192.168.1.1:8000/ and you can change the ssid. And using WPA2. And a lot more...
You should disable 802.11b if you don't need it. Same with 802.11g, but b makes the biggest difference. Some access points also allow you to turn off 802.11b protection. 802.11b causes a big performance hit if allowed.
Am 14.09.2015 um 22:12 schrieb James Knott:
On 09/14/2015 03:42 PM, Daniel Bauer wrote:
Yes, one can go around that movistar special page when accessing the router with http://192.168.1.1:8000/ and you can change the ssid. And using WPA2. And a lot more...
You should disable 802.11b if you don't need it. Same with 802.11g, but b makes the biggest difference. Some access points also allow you to turn off 802.11b protection. 802.11b causes a big performance hit if allowed.
Under 802.11 Mode I can choose:
802.11b
802.11g
802.11n
802.11b/g
802.11n/g
802.11b/g/n

It is set to 802.11b/g/n. I have no idea if I need "b" or any of the other, and I don't know what is affected if I change the setting. I want the best available performance for web, mail and skype, of course... -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
On 09/14/2015 04:33 PM, Daniel Bauer wrote:
it is set to 802.11b/g/n. I have no idea if I need "b" or any of the other, and I don't know what is affected if I change the setting. I want the best available performance for web, mail and skype, of course...
That depends on your devices. If all support n, then just configure for 802.11n only. If you have some devices that are capable of g but not n, then n/g. I really hope you don't have anything that's b only, as it's been obsolete for years and can really slow down a g or n network. It also won't work with WPA2, which n requires, so the access point could do g at best.

BTW, the reason it causes the slow down is 802.11b uses something called "Direct Sequence Spread Spectrum" (DSSS), while everything else uses "Orthogonal Frequency Division Multiplexing" (OFDM). Since 802.11b cannot understand OFDM, g and n devices have to send a frame in b that reserves the channel for a period of time, and then transmit the data with OFDM. Without that reservation, b devices wouldn't know the channel was busy and would transmit over top of the other devices. You don't have the same problem with g & n, as they use the same modulation type and the n device only has to slow down the header, so that g devices can learn how long the channel will be busy, and then transmit the data at best speed. Something similar happens on 5 GHz with a, n & ac, all of which use OFDM.
On 2015-09-14 21:29, James Knott wrote:
On 09/14/2015 03:17 PM, Carlos E. R. wrote:
The Movistar router (a comtrend, typically) is not configured directly, but via a remote web page at the ISP, which only gives the client access to limited settings. You can not change the SSID, nor the encryption type, as far as I remember. And I don't remember if it can be disabled, which would be the sensible thing to do if not used.
I keep on getting the idea that Spain is a really screwed up country.
I'm sure you get your share from AT&T and the like :-P
Let me get this right. You have a WiFi access point, but you can't change the SSID?
Not by default, no.
What about the password?
Yes, you can.
If they use any encryption type other than WPA2, they're creating a security hole.
I can't check what they use now, I have disabled that config page. Let me explain.

The provider has designed a procedure for doing remote configuration for the masses of the client routers. They can do all from their control centres. In order to do this, they give you routers with their local configuration page disabled, and they don't tell you the password to it. Instead, you go to a page at movistar.es, where after identification you can change a few things; the same interface for all supported routers. They can, for instance, remotely upgrade the firmware of all the installed routers. Thus, that page allows setting up the password, but not the SSID.

However, you can click on a special link in that page, and after two warnings to make sure, you get to change the password to your local router, and then we can administer it on our own. I must say that the fibre router has an ugly configuration page with some cryptic settings that I prefer not to touch.

I must say that the wireless in that router is a piece of rubbish. I have disabled it completely, and instead use my own access point hardware.
I have a few access points and have configured several others. In every case, I was the one that chose encryption type, set the SSID and password and also what 802.11 versions were allowed (802.11b really should not be used these days). As mentioned, the best encryption available is WPA2. 802.11n and 802.11ac allow only WPA2.
On another provider (Ono), your own router may set up your wifi to give internet to people on the street who happen to be clients of the same ISP. Maybe without your knowing. And of course, you can use the connection of other people as you walk on the street. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 2015-09-14 20:51, Daniel Bauer wrote:
Hello,
As my internet sometimes is very slow I opened 192.168.1.1 (with that movistar/Spain specific page)
The local or the remote? Fibre or ADSL?
that showed me that besides of my eth0-wired computer there are 4 other WLAN-IPs, although I, for the moment, do not have switched on any wireless device.
WLAN or VLAN?
Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who has not the slightest idea of how networks work?
Yes. Install "ntop", then start it with "rcntop start", as root. Then point a browser to http://localhost:3000

After a while, you will be able to see everything that is sending or receiving traffic, some information about what that traffic is, and perhaps what type of machines they are.

If you have the IPs, you can find more about them with "nmap":

Telcontar:~ # nmap 192.168.1.2
Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-14 21:21 CEST
Nmap scan report for moria.valinor (192.168.1.2)
Host is up (0.0023s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
80/tcp    open  http
10001/tcp open  scp-config
12000/tcp open  cce4x
MAC Address: 00:01:02:03:04:05 (3com)

Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds
Telcontar:~ #

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Am 14.09.2015 um 21:24 schrieb Carlos E. R.:
On 2015-09-14 20:51, Daniel Bauer wrote:
Hello,
As my internet sometimes is very slow I opened 192.168.1.1 (with that movistar/Spain specific page)
The local or the remote?
Local
Fibre or ADSL?
ADSL
that showed me that besides of my eth0-wired computer there are 4 other WLAN-IPs, although I, for the moment, do not have switched on any wireless device.
WLAN or VLAN?
WLAN
Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who has not the slightest idea of how networks work?
Yes. Install "ntop", then start it "rcntop start", as root. Then point a browser to http://localhost:3000
the browser says that the page seems valid, but the connection was denied...
After a while, you will be able to see everything that is sending or receiving traffic, some information about what that traffic is, and perhaps what type of machines they are.
If you have the IPs, you can find more about them with "nmap":
Telcontar:~ # nmap 192.168.1.2
venus:~ # nmap 192.168.1.35
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:05 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.59 seconds
venus:~ # nmap 192.168.1.37
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:06 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.46 seconds
venus:~ # nmap 192.168.1.37 -Pn
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:06 CEST
Nmap done: 1 IP address (0 hosts up) scanned in 0.47 seconds
venus:~ # nmap 192.168.1.35 -Pn
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:06 CEST
Nmap done: 1 IP address (0 hosts up) scanned in 0.46 seconds

-- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
On 2015-09-14 22:07, Daniel Bauer wrote:
Am 14.09.2015 um 21:24 schrieb Carlos E. R.:
The local or the remote?
Local
Ok, full control then.
Fibre or ADSL?
ADSL
WLAN or VLAN?
WLAN
Right, with ADSL you have no VLANS. They are used for the TV and the phone.
Yes. Install "ntop", then start it "rcntop start", as root. Then point a browser to http://localhost:3000
the browser says that the page seems valid, but the connection was denied...
What says "rcntop status"?
venus:~ # nmap 192.168.1.35
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:05 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.59 seconds
venus:~ # nmap 192.168.1.37
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:06 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.46 seconds
venus:~ # nmap 192.168.1.37 -Pn
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:06 CEST
Nmap done: 1 IP address (0 hosts up) scanned in 0.47 seconds
venus:~ # nmap 192.168.1.35 -Pn
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-14 22:06 CEST
Nmap done: 1 IP address (0 hosts up) scanned in 0.46 seconds
It may be a phone. My Android phone has no open ports. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Am 14.09.2015 um 22:14 schrieb Carlos E. R.:
Install "ntop", then start it "rcntop start", as root. Then point a browser to http://localhost:3000
the browser says that the page seems valid, but the connection was denied...
What says "rcntop status"?
venus:~ # rcntop status
Checking for service ntop: unused
ntop.service - LSB: ntop Network Monitor
   Loaded: loaded (/etc/init.d/ntop)
   Active: active (exited) since Mon 2015-09-14 22:21:26 CEST; 48s ago
  Process: 4750 ExecStart=/etc/init.d/ntop start (code=exited, status=0/SUCCESS)

-- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
On 2015-09-14 22:23, Daniel Bauer wrote:
venus:~ # rcntop status
Checking for service ntop: unused
ntop.service - LSB: ntop Network Monitor
   Loaded: loaded (/etc/init.d/ntop)
   Active: active (exited) since Mon 2015-09-14 22:21:26 CEST; 48s ago
  Process: 4750 ExecStart=/etc/init.d/ntop start (code=exited, status=0/SUCCESS)
It has failed for some reason. Try to start it again and check the logs. I have the suspicion that you have to configure something in its configuration file in /etc/something. Perhaps the network interface to watch. I don't have it installed in this laptop; tomorrow I can check my desktop machine configuration and find out. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Mon, Sep 14, 2015 at 11:51 AM, Daniel Bauer
Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who has not the slightest idea of how networks work?
Out of curiosity, for the MAC addresses you do not recognize could you post the first six characters of each for us? Brandon Vincent
Am 14.09.2015 um 21:47 schrieb Brandon Vincent:
On Mon, Sep 14, 2015 at 11:51 AM, Daniel Bauer wrote:
Is there a more or less simple way to find out if there are others using my WLAN - even for somebody who has not the slightest idea of how networks work?
Out of curiosity, for the MAC addresses you do not recognize could you post the first six characters of each for us?
Brandon Vincent
20:a2:e4 58:a2:b5 f0:27:65 -- Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
On Mon, Sep 14, 2015 at 12:54 PM, Daniel Bauer
20:a2:e4 58:a2:b5 f0:27:65
According to the IEEE, the manufacturers of the wireless components of these devices are Apple, Inc., LG Electronics, and Murata Manufacturing Co., Ltd. This information can be very easily spoofed by a malicious individual, but if you don't own an Apple product something sinister is happening. Brandon Vincent
Daniel Bauer wrote:
Hello,
As my internet sometimes is very slow I opened 192.168.1.1 (with that movistar/Spain specific page) that showed me that besides of my eth0-wired computer there are 4 other WLAN-IPs, although I, for the moment, do not have switched on any wireless device.
I don't know if I'm wrong, but because of this I think somebody else is using my WLAN and I'd like to find out about it.
Try pinging the broadcast address:

ping -b 192.168.1.255

Leave it to do a couple of pings, then:

arp -n

will show who else is (currently) on your network. As Brandon already said, the first 3 bytes of the MAC address will identify the hardware manufacturer; that might give you a hint. -- Per Jessen, Zürich (15.1°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2015-09-15 08:28, Per Jessen wrote:
Try pinging the broadcast address:
ping -b 192.168.1.255
Leave it to do a couple of pings, then :
Ah. I like this trick. But it fails in my network, 100% loss, and arp finds nothing.
arp -n
will show who else is (currently) on your network.
As Brandon already said, the first 3 bytes of the MAC address will identify the hardware manufacturer, that might give you a hint.
And you can read it in the ntop display ;-) -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2015-09-15 08:28, Per Jessen wrote:
Try pinging the broadcast address:
ping -b 192.168.1.255
Leave it to do a couple of pings, then :
Ah. I like this trick. But it fails in my network, 100% loss, and arp finds nothing.
Did you use the right broadcast address? For instance, for the office I use 192.168.0.0/21, broadcast 192.168.7.255.

# ping -b 192.168.7.255
WARNING: pinging broadcast address
PING 192.168.7.255 (192.168.7.255) 56(84) bytes of data.
64 bytes from 192.168.2.250: icmp_seq=1 ttl=255 time=0.283 ms
64 bytes from 192.168.6.80: icmp_seq=1 ttl=64 time=0.502 ms (DUP!)
64 bytes from 192.168.2.85: icmp_seq=1 ttl=64 time=0.579 ms (DUP!)
64 bytes from 192.168.2.86: icmp_seq=1 ttl=64 time=0.592 ms (DUP!)
64 bytes from 192.168.2.84: icmp_seq=1 ttl=64 time=0.595 ms (DUP!)
64 bytes from 192.168.2.249: icmp_seq=1 ttl=64 time=0.598 ms (DUP!)
64 bytes from 192.168.6.161: icmp_seq=1 ttl=64 time=0.600 ms (DUP!)
64 bytes from 192.168.6.21: icmp_seq=1 ttl=64 time=0.603 ms (DUP!)
64 bytes from 192.168.6.78: icmp_seq=1 ttl=64 time=0.606 ms (DUP!)
64 bytes from 192.168.6.146: icmp_seq=1 ttl=64 time=0.609 ms (DUP!)
64 bytes from 192.168.6.152: icmp_seq=1 ttl=64 time=0.611 ms (DUP!)
64 bytes from 192.168.6.91: icmp_seq=1 ttl=64 time=0.614 ms (DUP!)
64 bytes from 192.168.6.79: icmp_seq=1 ttl=64 time=0.616 ms (DUP!)
64 bytes from 192.168.2.82: icmp_seq=1 ttl=64 time=0.646 ms (DUP!)
64 bytes from 192.168.3.1: icmp_seq=1 ttl=64 time=0.937 ms (DUP!)
64 bytes from 192.168.6.144: icmp_seq=1 ttl=64 time=1.66 ms (DUP!)
64 bytes from 192.168.2.51: icmp_seq=1 ttl=64 time=1.71 ms (DUP!)
64 bytes from 192.168.2.229: icmp_seq=1 ttl=64 time=2.63 ms (DUP!)
64 bytes from 192.168.2.5: icmp_seq=1 ttl=255 time=6.21 ms (DUP!)
64 bytes from 192.168.6.24: icmp_seq=1 ttl=64 time=14.1 ms (DUP!)
[snip]

And the arp table is nicely populated afterwards. -- Per Jessen, Zürich (19.8°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
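Per's procedure (broadcast ping, then read the ARP table) and Brandon's OUI lookup, scripted as an added example that is not code from any poster: it parses a constructed `arp -n` listing, normalizes each MAC, names the vendor from a constructed OUI subset (the three prefixes Daniel posted, with the vendors Brandon named), and reports the stations missing from a constructed known-device list; the sample addresses and the known-device MACs are assumptions, not values from the thread.

```python
"""Triage an ``arp -n`` listing taken after a broadcast ping.

Added example, not code from the thread: populate the ARP table with
``ping -b``, then read the vendor from the first three bytes of each MAC
and compare against the MACs you already know.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed subset of the IEEE OUI registry: the three prefixes posted in
# the thread with the vendors named there. A real tool loads the full file.
OUI_TABLE: Dict[str, str] = {
    "20:a2:e4": "Apple, Inc.",
    "58:a2:b5": "LG Electronics",
    "f0:27:65": "Murata Manufacturing Co., Ltd.",
}

# Constructed ``arp -n`` output in Linux net-tools layout. Mixed separators
# and case are deliberate; the "(incomplete)" row is what arp prints for a
# neighbour that never answered (e.g. a host that ignores broadcast pings).
SAMPLE_ARP_OUTPUT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:01:02:03:04:05   C                     eth0
192.168.1.35             ether   20:A2:E4:11:22:33   C                     eth0
192.168.1.37             ether   58-a2-b5-44-55-66   C                     eth0
192.168.1.40                     (incomplete)                              eth0
192.168.1.50             ether   f0:27:65:77:88:99   C                     eth0
"""

# Constructed list of MACs the owner recognises (router and own laptop).
KNOWN_DEVICES: Set[str] = {"00:01:02:03:04:05", "f0:27:65:77:88:99"}

OCTET = re.compile(r"[0-9a-f]{2}")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonical form: six lower-case hex octets joined by colons.

    Accepts ':' or '-' separators and any case; returns None on malformed
    input so a garbled token cannot pass the known-device check.
    """
    parts = re.split(r"[:\-]", raw.strip().lower())
    if len(parts) != 6 or not all(OCTET.fullmatch(p) for p in parts):
        return None
    return ":".join(parts)


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit of the first octet is set: such addresses are not
    vendor-assigned (e.g. randomized by the client), so an OUI lookup on them
    says nothing about the hardware."""
    return bool(int(mac[:2], 16) & 0x02)


def lookup_vendor(mac: str) -> str:
    """Vendor name for the OUI (first three octets) of a canonical MAC."""
    if is_locally_administered(mac):
        return "locally administered address (no vendor)"
    return OUI_TABLE.get(mac[:8], "unknown OUI")


@dataclass
class Neighbour:
    ip: str
    mac: Optional[str]   # None for "(incomplete)" or malformed rows
    iface: str


def parse_arp_output(text: str) -> List[Neighbour]:
    """Turn ``arp -n`` output into Neighbour records, skipping the header."""
    neighbours: List[Neighbour] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Address":
            continue
        ip, iface = fields[0], fields[-1]
        if "(incomplete)" in fields:
            neighbours.append(Neighbour(ip, None, iface))
        else:
            neighbours.append(Neighbour(ip, normalize_mac(fields[2]), iface))
    return neighbours


def triage(text: str, known: Set[str]) -> Dict[str, List[str]]:
    """Sort neighbours into known, unknown (with vendor hint) and unresolved."""
    report: Dict[str, List[str]] = {"known": [], "unknown": [], "unresolved": []}
    for n in parse_arp_output(text):
        if n.mac is None:
            report["unresolved"].append(n.ip)
        elif n.mac in known:
            report["known"].append(f"{n.ip} {n.mac}")
        else:
            report["unknown"].append(f"{n.ip} {n.mac} ({lookup_vendor(n.mac)})")
    return report


if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_ARP_OUTPUT, KNOWN_DEVICES).items():
        print(bucket, *rows, sep="\n    ")
```

Feed it the real `arp -n` output and your own device list; "unresolved" entries are the hosts that did not answer the broadcast ping, which, as Per notes later in the thread, is the default for Linux.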
On 2015-09-15 14:55, Per Jessen wrote:
Carlos E. R. wrote:
Ah. I like this trick. But it fails in my network, 100% loss, and arp finds nothing.
Did you use the right broadcast address?
Yes.

minas-tirith:~ # ifconfig
...
wlan0     Link encap:Ethernet  HWaddr 0C:EE:E6:D7:BB:5F
          inet addr:192.168.1.129  Bcast:192.168.1.255  Mask:255.255.255.0
...
minas-tirith:~ # ping -b 192.168.1.255
WARNING: pinging broadcast address
PING 192.168.1.255 (192.168.1.255) 56(84) bytes of data.
^C
--- 192.168.1.255 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 9999ms
minas-tirith:~ #

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2015-09-15 14:55, Per Jessen wrote:
Carlos E. R. wrote:
Ah. I like this trick. But it fails in my network, 100% loss, and arp finds nothing.
Did you use the right broadcast address?
Yes.
minas-tirith:~ # ifconfig
...
wlan0     Link encap:Ethernet  HWaddr 0C:EE:E6:D7:BB:5F
          inet addr:192.168.1.129  Bcast:192.168.1.255  Mask:255.255.255.0
...
minas-tirith:~ # ping -b 192.168.1.255
WARNING: pinging broadcast address
PING 192.168.1.255 (192.168.1.255) 56(84) bytes of data.
^C
--- 192.168.1.255 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 9999ms
I guess you've only got Linux systems on your network, and by default (see Brandon's later post) they won't respond to the broadcast ping.

-- 
Per Jessen, Zürich (17.9°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2015-09-15 17:07, Per Jessen wrote:
Carlos E. R. wrote:
--- 192.168.1.255 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 9999ms
I guess you've only got Linux systems on your network, and by default
When I tried there were two routers, one switch, a Linux laptop, and two android devices.
(see Brandon's later post) they won't respond to the broadcast ping.
I see. That makes sense.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2015-09-15 17:07, Per Jessen wrote:
Carlos E. R. wrote:
--- 192.168.1.255 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 9999ms
I guess you've only got Linux systems on your network, and by default
When I tried there were two routers, one switch,
If those were managed (i.e. with their own IP) switches, they probably would have responded.
a Linux laptop, and two android devices.
Dunno about Android, it probably doesn't respond either.

-- 
Per Jessen, Zürich (14.9°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2015-09-16 07:37, Per Jessen wrote:
Carlos E. R. wrote:
When I tried there were two routers, one switch,
If those were managed (i.e. with their own IP) switches, they probably would have responded.
It did not, to the broadcast. It responds to a direct one:

minas-tirith:~ # ping switch
PING switch (192.168.1.6) 56(84) bytes of data.
64 bytes from switch (192.168.1.6): icmp_seq=1 ttl=64 time=31.1 ms
64 bytes from switch (192.168.1.6): icmp_seq=2 ttl=64 time=5.22 ms
^C
--- switch ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 5.229/18.193/31.157/12.964 ms
minas-tirith:~ #
a Linux laptop, and two android devices.
Dunno about Android, it probably doesn't respond either.
Maybe. Even nmap can't find a hole.

An alternative is:

minas-tirith:~ # fping -a -g 192.168.1.0/24
192.168.1.1
192.168.1.2
192.168.1.5
192.168.1.6
192.168.1.15
192.168.1.51
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.3
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.4
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.7
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.8
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.9
192.168.1.129
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.10
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.11

But I can't find a concoction that keeps silent about unreachable targets. Maybe:

minas-tirith:~ # fping -C 1 -q -g 192.168.1.0/24
192.168.1.1 : 2.22
192.168.1.2 : 4.62
192.168.1.3 : -
192.168.1.4 : -
192.168.1.5 : 1.67
192.168.1.6 : 7.32
192.168.1.7 : -
192.168.1.8 : -

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
* Carlos E. R.
On 2015-09-16 07:37, Per Jessen wrote:
Carlos E. R. wrote:
When I tried there were two routers, one switch,
If those were managed (i.e. with their own IP) switches, they probably would have responded.
It did not, to the broadcast. It responds to a direct one:
minas-tirith:~ # ping switch
PING switch (192.168.1.6) 56(84) bytes of data.
64 bytes from switch (192.168.1.6): icmp_seq=1 ttl=64 time=31.1 ms
64 bytes from switch (192.168.1.6): icmp_seq=2 ttl=64 time=5.22 ms
^C
--- switch ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 5.229/18.193/31.157/12.964 ms
minas-tirith:~ #
a Linux laptop, and two android devices.
Dunno about Android, it probably doesn't respond either.
Maybe. Even nmap can't find a hole.
An alternative is:
minas-tirith:~ # fping -a -g 192.168.1.0/24
192.168.1.1
192.168.1.2
192.168.1.5
192.168.1.6
192.168.1.15
192.168.1.51
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.3
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.4
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.7
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.8
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.9
192.168.1.129
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.10
ICMP Host Unreachable from 192.168.1.129 for ICMP Echo sent to 192.168.1.11
But I can't find a concoction that keeps silent about unreachable targets.
Maybe:
minas-tirith:~ # fping -C 1 -q -g 192.168.1.0/24
192.168.1.1 : 2.22
192.168.1.2 : 4.62
192.168.1.3 : -
192.168.1.4 : -
192.168.1.5 : 1.67
192.168.1.6 : 7.32
192.168.1.7 : -
192.168.1.8 : -
prints every addr of 192.168.1.0/24

fping -agq 192.168.1.0/24

prints only answering ip's

-- 
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://linuxcounter.net
On 2015-09-16 15:02, Patrick Shanahan wrote:
fping -agq 192.168.1.0/24
prints only answering ip's
Right, thanks :-)

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Tue, Sep 15, 2015 at 5:55 AM, Per Jessen wrote:
And the arp table is nicely populated afterwards.
Most devices and operating systems will not respond to broadcast ICMP pings. It's very easy to do smurf denial of service attacks when devices respond. For example, I think most GNU/Linux distributions have net.ipv4.icmp_echo_ignore_broadcasts = 1 set. Some devices may respond, printers, etc., but this is far from an effective technique.

An ISP can properly implement a shared internet setup as long as the router handles client isolation (allowing traffic only to the router/gateway, not to other systems connecting on the shared WLAN), properly configured VLANs/routes (separating the ability to reach systems on your home LAN), a unique SSID, and QoS (ensuring that your devices have priority in regards to bandwidth); if so, I wouldn't worry. You probably agreed to this in the agreement you signed when you started your internet service.

Brandon Vincent
Brandon Vincent wrote:
On Tue, Sep 15, 2015 at 5:55 AM, Per Jessen wrote:
And the arp table is nicely populated afterwards.
Most devices and operating systems will not respond to broadcast ICMP pings. It's very easy to do smurf denial of service attacks when devices respond. For example, I think most GNU/Linux distributions have net.ipv4.icmp_echo_ignore_broadcasts = 1 set. Some devices may respond, printers, etc. but this is far from an effective technique.
That's true - in fact, none of the devices that responded to my own broadcast ping were Linux boxes. They were telephones, printers, routers, remote service cards etc.

-- 
Per Jessen, Zürich (17.9°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
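The fping sweep Carlos and Patrick arrive at, together with Brandon's point that Linux hosts ignore broadcast pings because of net.ipv4.icmp_echo_ignore_broadcasts, can be put together into a small census script that answers the original question: which link-layer addresses are actually on the LAN, and which of them are not yours. The script below is an added example, not code posted by anyone in this thread. It assumes iproute2's ip and fping are installed and that it runs as root (fping needs raw sockets); the subnet, the allowlist of known MACs and the sample neighbour-table lines are constructed for illustration. The key detail it relies on is that a host which drops ICMP still has to answer the ARP request that precedes each unicast ping, so the kernel neighbour table ends up listing every live host whether or not it replied to the ping itself.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: iproute2 "ip", "fping",
# and root (fping needs raw sockets). The subnet, the allowlist and the
# sample neighbour lines below are constructed for illustration.

# Sweep the subnet with unicast pings. Linux hosts ignore *broadcast* pings
# (net.ipv4.icmp_echo_ignore_broadcasts=1) but answer unicast ones, and a
# host that drops ICMP altogether still has to answer the ARP request that
# precedes each ping, which leaves an entry in the kernel neighbour table.
sweep_subnet() {
    fping -a -g -q "$1" 2>/dev/null || true   # -a alive only, -q no "unreachable" noise
}

# Neighbour-table lines for hosts that answered ARP (they carry an lladdr);
# FAILED/INCOMPLETE entries for addresses nobody owns have no lladdr.
neighbour_table() {
    ip -4 neigh show | grep lladdr || true
}

# Classify "<ip> dev <if> lladdr <mac> <state>" lines (stdin) against a
# comma-separated allowlist of MACs; prints KNOWN/UNKNOWN, ip, mac, state.
# MACs are compared case-insensitively so router web pages and ifconfig
# output can be pasted as-is.
classify_neighbours() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, list, ",")
            for (i = 1; i <= n; i++) ok[tolower(list[i])] = 1
        }
        /lladdr/ {
            for (i = 1; i <= NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
            tag = (mac in ok) ? "KNOWN  " : "UNKNOWN"
            print tag " " $1 " " mac " " $NF
        }'
}

# Full run: sweep, then report. Exit status 0 means no unknown hosts,
# so the script can sit in cron and mail you only when something is new.
lan_census() {
    sweep_subnet "$1" >/dev/null
    report=$(neighbour_table | classify_neighbours "$2")
    printf '%s\n' "$report"
    [ "$(printf '%s\n' "$report" | grep -c '^UNKNOWN')" -eq 0 ]
}

# Constructed sample data (locally administered MACs, not real devices).
SAMPLE_KNOWN='02:00:00:00:00:01,02:00:00:00:00:02'
SAMPLE_NEIGH='192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.6 dev wlan0 lladdr 02:00:00:00:00:02 STALE
192.168.1.77 dev wlan0 lladdr 02:00:00:00:00:99 STALE
192.168.1.3 dev wlan0  FAILED'

# Offline demo of the classification step on the sample data.
demo_offline() {
    printf '%s\n' "$SAMPLE_NEIGH" | classify_neighbours "$SAMPLE_KNOWN"
}

if [ $# -ge 2 ]; then
    lan_census "$1" "$2"     # usage: sh lan-census.sh 192.168.1.0/24 'mac1,mac2'
else
    demo_offline
fi
```

Feed it the MACs of the devices you own, or the ones in the router's "DHCP clients" list, as the allowlist. A station that the router lists as authenticated but that never shows up in the neighbour table is either idle or kept away from your LAN by client isolation, so compare the router's list with this one rather than trusting either alone. MAC addresses are trivially changed by whoever controls a device, so this is a census of what is present, not an access control.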
participants (20)
- Adam Tauno Williams
- André Verwijs
- Anton Aylward
- Bob Williams
- Brandon Vincent
- Carlos E. R.
- Daniel Bauer
- David C. Rankin
- Greg Freemyer
- greg.freemyer@gmail.com
- James Knott
- jdd
- John Andersen
- Lew Wolfgang
- Mark Goldstein
- michael norman
- Patrick Shanahan
- Per Jessen
- toothpik
- Xen