
How did they get behind my NAT?


Maniaque
Oct 10, 2007, 6:38:41 AM

Sorry I'm new here, not sure this is the right newsgroup to post to -
I have a question that is about routers, security, and connectivity
all rolled into one.

Yesterday while I was working on my desktop all of a sudden a session
kicked in on my VNC server - my desktop background image disappeared
and the RealVNC system tray icon turned black to indicate a session in
progress. Within a couple of seconds, something hit my start menu, run
dialog, "cmd", and typed "TFT" in the new command prompt window. At
this point I panicked and shut down the VNC service ASAP.

This post is not actually about the VNC problem, I found out today
that the version I used had a known security flaw that allowed
bypassing the password prompt. That is clearly what happened there,
and could be easily fixed with upgrading to the newest version.

My question is how the attacker got to my VNC port!

Here's all the background I can muster:

- I am running an ADSL router, "Xavi" brand, "7028r" model, and it
seems to run a "GlobespanVirata" chipset. This was provided to me by
my previous ADSL provider, Telefonica Spain.
- I have a standard NAT lan, with a variety of devices connecting to
the internet through the router.
- I have certain very specific ports forwarded to my desktop for
remote access, peer-to-peer connectivity, etc.
- I am NOT forwarding either of the VNC ports (standard ports 5900
and 5800), so to my limited knowledge the VNC service should not be
accessible from the internet. I have of course tested this, and found
that to be correct. The VNC service is not publicly accessible.
- I do not have the firewall enabled on the router, because I assumed
the NAT basically made it safe. I tried enabling the router firewall
today but it also seems to block the services that I need to be able
to access from the internet (eg HTTP, I run a small webserver), so
that does not work for me.
- I WAS running uTorrent at the time of the attack (and had been for
a few hours)
- I did get the IP address of the attacker from my VNC log, it was
"85.239.126.86", an address in Germany. I have not looked for or found
any further information. I guess I could try a port scan but I assume
it's a zombie computer so what's the point.

Now my understanding is that "85.239.126.86" being an internet
address, for the VNC session to work that address would need to be
routable - the only way that that address could be routed on my
network is through the ADSL router / gateway (I think). In theory I
guess there could have been some sort of local tunnel set up, but I
assume that would have required a virtual network adapter to have been
set up on my computer? (I saw nothing like that, and virus and spyware
scans have come up clean).

If it was routed through my router, how could the attacker have
convinced the router to initiate the communication to my internal port
5900 on that particular machine??? The safety of a NAT, as I
understand it, is that remote hosts cannot access an internal address
unless there is explicit port forwarding enabled, or the session is
initiated by a host behind the NAT, is that not correct?

I guess I'm only coming to the real point of my post now - assuming
that I'm on the right track, and that this communication on port 5900
was happily handled by my router, could it have been initiated by
another program on my desktop, specifically the uTorrent client? I've
been logging sessions on my router since this morning, and I see that
client connections are opened by the uTorrent client (very frequently,
thousands per hour) with random local port numbers, that slowly seem
to increase / cycle. It is possible that the uTorrent client made a
client connection using local port number 5900 (which was also being
used by the VNC server), and the computer/remote host that the
uTorrent client was connecting to took advantage of this situation to
test / probe / attack the VNC server on that port?

I guess the questions are:
- is it possible for a client TCP connection to be initiated by a
local "client" program from a port that is already being used by a
"server" program, like VNC server?
- what are the chances, statistically speaking, that this would
happen? Would it be worth a hacker's time to set up servers as
bittorrent participants / seeds in the hopes that some client computer
makes a connection using a special port (eg VNC), which could then
allow the computer's VNC server to be probed / tested for the known
VNC vulnerability? It's the only explanation that I can think of, but
I just can't see how it would be worth a hacker's time!

Final blurb: I set up a syslog server on my desktop and have been
logging all incoming and outgoing sessions from my router (generating
a nasty amount of log data, but I'll put up with it). This way I'll be
able to see how the session gets set up, if I ever become aware of
another similar situation. I will upgrade my VNC server of course, so
the attack would need to use another vector. My concern of course is
that I may NOT be aware of it next time. My desktop is not hardened as
a public server with all ports exposed - I'm very much counting on the
fact that only specific selected ports should be accessible from
outside. In theory, if any port on the desktop can be exposed, then my
windows filesharing setup is just one of the things that would be
vulnerable to brute-force attack. Is there anything else I can do to
investigate this or help prevent future issues? Does anyone have any
experience with the Xavi router or GlobespanVirata chipset that could
help me get it set up to prevent this from happening again? For now I
will probably install a local firewall on the desktop allowing only
the servers I need to work, but that of course makes all sorts of
things more complicated - file and printer sharing, VPN client
software setup, HTTP proxy setup, etc etc. I just wish I could feel
safe in my own network again!

Sorry about the monster first post, I would appreciate any and all
feedback.

Thanks,
Tao
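The NAT question above, as an added example that is not part of Tao's post and does not describe the Xavi 7028r or any real router: a small Python model of NAT connection tracking using the three filtering behaviours defined in RFC 4787 (endpoint-independent, address-dependent, address-and-port-dependent), plus two router options that matter for this question, port preservation (the public port equals the LAN source port) and a DMZ/default host that receives every inbound packet nothing else matches. The `scenario` function takes the post's hypothesis as given (a P2P client on the desktop sends an outbound connection from local port 5900 while VNC listens there); whether an OS will actually let a client send from a port a server already holds is not modelled. All addresses, ports, names and the `Nat` class itself are constructed for this illustration.

```python
"""
Simulator of NAT connection tracking, written to illustrate when an inbound
packet can reach a LAN port that was never forwarded. Constructed example;
it does not model the Xavi 7028r or any specific product. Filtering modes
use the RFC 4787 terms. Addresses are documentation ranges (RFC 5737).
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# RFC 4787 filtering behaviours
ENDPOINT_INDEPENDENT = "endpoint-independent"          # "full cone": any remote may use an open mapping
ADDRESS_DEPENDENT = "address-dependent"                # only remote hosts the LAN side has contacted
ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"  # only the exact remote host:port contacted

Endpoint = Tuple[str, int]


@dataclass
class Nat:
    filtering: str
    public_ip: str = "203.0.113.7"            # constructed WAN address
    preserve_ports: bool = False              # reuse the LAN source port as the public port when free
    dmz_host: Optional[str] = None            # router that forwards ALL unmatched inbound to one LAN host
    forwards: dict = field(default_factory=dict)   # public port -> (lan ip, lan port): explicit port forwards
    mappings: dict = field(default_factory=dict)   # (lan ip, lan port) -> public port, created by outbound traffic
    contacted: set = field(default_factory=set)    # (lan ip, lan port, remote ip, remote port) seen outbound
    _next_port: int = 40000

    def outbound(self, lan_ip: str, lan_port: int, remote_ip: str, remote_port: int) -> int:
        """A LAN host opens a connection; returns the public port the remote side sees."""
        key = (lan_ip, lan_port)
        if key not in self.mappings:
            in_use = set(self.mappings.values()) | set(self.forwards)
            if self.preserve_ports and lan_port not in in_use:
                self.mappings[key] = lan_port
            else:
                while self._next_port in in_use:
                    self._next_port += 1
                self.mappings[key] = self._next_port
                self._next_port += 1
        self.contacted.add((lan_ip, lan_port, remote_ip, remote_port))
        return self.mappings[key]

    def inbound(self, remote_ip: str, remote_port: int, public_port: int) -> Optional[Endpoint]:
        """A packet arrives on the WAN side; returns the LAN endpoint it is delivered to, or None if dropped."""
        if public_port in self.forwards:                       # explicit port forward always wins
            return self.forwards[public_port]
        lan = next((k for k, p in self.mappings.items() if p == public_port), None)
        if lan is None:                                        # no mapping open on that public port
            return (self.dmz_host, public_port) if self.dmz_host else None
        lan_ip, lan_port = lan
        if self.filtering == ENDPOINT_INDEPENDENT:
            allowed = True
        elif self.filtering == ADDRESS_DEPENDENT:
            allowed = any(c[:3] == (lan_ip, lan_port, remote_ip) for c in self.contacted)
        else:
            allowed = (lan_ip, lan_port, remote_ip, remote_port) in self.contacted
        return lan if allowed else None


def scenario(filtering: str, preserve_ports: bool = False, dmz_host: Optional[str] = None) -> dict:
    """The post's hypothesis: VNC listens on 192.168.1.10:5900 and a P2P client on the
    same desktop sends an outbound connection from local port 5900 to one peer.
    Only the web server (80) and the torrent listening port (6881) are forwarded."""
    desktop = "192.168.1.10"
    nat = Nat(filtering, preserve_ports=preserve_ports, dmz_host=dmz_host,
              forwards={80: (desktop, 80), 6881: (desktop, 6881)})
    peer = ("198.51.100.5", 6881)       # constructed torrent peer the desktop contacted
    stranger = ("192.0.2.99", 4444)     # constructed host the desktop never contacted
    pub = nat.outbound(desktop, 5900, *peer)
    return {
        "public_port": pub,
        "peer_same_port": nat.inbound(peer[0], peer[1], pub),
        "peer_other_port": nat.inbound(peer[0], 7000, pub),
        "stranger_via_mapping": nat.inbound(stranger[0], stranger[1], pub),
        "stranger_to_5900": nat.inbound(stranger[0], stranger[1], 5900),
    }


if __name__ == "__main__":
    for mode in (ENDPOINT_INDEPENDENT, ADDRESS_DEPENDENT, ADDRESS_PORT_DEPENDENT):
        print(mode, scenario(mode))
    print("port preservation:", scenario(ENDPOINT_INDEPENDENT, preserve_ports=True))
    print("DMZ host:", scenario(ADDRESS_PORT_DEPENDENT, dmz_host="192.168.1.10"))
```

Running `scenario` across the modes shows what is worth checking on a router: with endpoint-independent filtering, or with a DMZ/default host configured, a host the desktop never talked to can reach a LAN port that was never forwarded (and with port preservation the public port is literally 5900); with address-and-port-dependent filtering only the exact remote endpoint the desktop itself contacted gets through, and the mapping exists only while the outbound session does. Router documentation rarely names its filtering mode, so the empirical check is the one Tao already did, a connection attempt from outside, repeated while the P2P client is running.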

Leythos
Oct 10, 2007, 7:53:42 AM

In article <1192012721....@50g2000hsm.googlegroups.com>,
mania...@gmail.com says...

> - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
> seems to run a "GlobespanVirata" chipset. This was provided to me by
> my previous ADSL provider, Telefonica Spain.
> - I have a standard NAT lan, with a variety of devices connecting to
> the internet through the router.
> - I have certain very specific ports forwarded to my desktop for
> remote access, peer-to-peer connectivity, etc.
> - I am NOT forwarding either of the VNC ports (standard ports 5900
> and 5800), so to my limited knowledge the VNC service should not be
> accessible from the internet. I have of course tested this, and found
> that to be correct. The VNC service is not publicly accessible.
> - I do not have the firewall enabled on the router, because I assumed
> the NAT basically made it safe. I tried enabling the router firewall
> today but it also seems to block the services that I need to be able
> to access from the internet (eg HTTP, I run a small webserver), so
> that does not work for me.
> - I WAS running uTorrent at the time of the attack (and had been for
> a few hours)
> - I did get the IP address of the attacker from my VNC log, it was
> "85.239.126.86", an address in germany. I have not looked for or found
> any further information. I guess I could try a port scan but I assume
> it's a zombie computer so what's the point.

You mention the ADSL Router and NAT LAN, but you don't tell us how the
NAT is implemented - is the ADSL device doing the NAT or do you have a
NAT Router Appliance? You sort of indicate you do, but you don't tell us
what device/vendor it is.

You mention that you have ports forwarded for sharing - bad move.

I suspect that you also have UPnP enabled and a weak password on the
router.

I suspect that you have so many holes in your NAT that you've let the
person in on VNC and just don't know it.

Try this:

1) Disable UPnP

2) Change the NAT Router (assuming that you have one and it's not the
DSL router) to 192.168.6.1/24 and remove ALL port forwards and ALL
Triggers if used. Change the password to something proper.

3) Run a quality Anti-Malware tool on your computer, run it in Safe Mode
also.

4) Do not share your computer with anything/anyone outside the LAN, stop
doing file sharing completely - buy what you need instead.

5) Put your website on a proper web server, one protected by a real
firewall and on a locked down OS following the OS Vendors FULL
SUGGESTIONS ON HOW TO SECURE IT.

Don't port forward and make sure that UPnP is disabled.

Stop providing services over a residential grade DSL service.

--
Leythos - spam9...@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

Maniaque
Oct 11, 2007, 4:16:49 AM

Thanks for the feedback!

> > - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
> > seems to run a "GlobespanVirata" chipset. This was provided to me by
> > my previous ADSL provider, Telefonica Spain.

> You mention the ADSL Router and NAT LAN, but you don't tell us how the
> NAT is implemented - is the ADSL device doing the NAT or do you have a
> NAT Router Appliance? You sort of indicate you do, but you don't tell us
> what device/vendor it is.

Sorry I wasn't clear - the ADSL router is the NAT device. The ADSL
connection uses PPPoA, which means (as I understand it) that I cannot
operate the ADSL device in "bridged" mode with a different device
handling the routers/NAT functions. I guess I could simply leave the
ADSL device be, and set up a second NAT LAN behind another device - is
there any disadvantage to double-NATing?

>
> You mention that you have ports forwarded for sharing - bad move.
>

Fair enough - why? Based on my limited understanding, this would only
be a bad move if the file sharing program (uTorrent) had some
vulnerability, right? Otherwise how could this be a problem?

To be fair, I agree that the file-sharing is probably a major
contributing factor - first of all there is the fact that the attack
happened while I had the file-sharing program running, which is only
once a month or less, and secondly I have noticed that when I have it
running it drastically increases the amount of non-legitimate-looking
activity to my IP address, so I guess attackers monitor this activity
closely as "clueless but ambitious home user here, let's see what we
can do with him!" targets. There could well be an unknown
vulnerability in uTorrent of course, but I expect if that were the
case the attacker would have done more than access my vulnerable VNC
server.

> I suspect that you also have UPnP enabled and a weak password on the
> router.

No and No. And the router does not have outside admin access enabled.
And the first thing I did within seconds of the attack was check the
router configuration to make sure that they hadn't got in that way.

>
> I suspect that you have so many holes in your NAT that you've let the
> person in on VNC and just don't know it.
>

Fair enough, but I'd love to know how!

> Try this:
>
> 1) Disable UPnP
>

done, always was

> 2) Change the NAT Router (assuming that you have one and it's not the
> DSL router) to 192.168.6.1/24 and remove ALL port forwards and ALL
> Triggers if used. Change the password to something proper.
>

I could do this, but that would really defeat the purpose of my asking
the question here, as it would also prevent me from providing public
access to specific services on the desktop. If that is totally
impossible (to expose only specific ports to the internet and have all
other ports be normally hidden) then I guess that's that. But it seems
counter-intuitive.


> 3) Run a quality Anti-Malware tool on your computer, run it in Safe Mode
> also.
>

Any suggestions on quality anti-malware tools? I use AVG antivirus and
Spybot S&D, so far they haven't missed anything that I know of (but
then I wouldn't, would I? :))

err - how does safe mode help? you mean so I don't have any additional
programs running?

> 4) Do not share your computer with anything/anyone outside the LAN, stop
> doing file sharing completely - buy what you need instead.

If what I "need" were easy to buy, I would happily do so :) - I use
uTorrent only to get stuff that I cannot find anywhere else, or for
linux distributions (I would recommend it in fact, it is an incredibly
fast way of getting any full multi-GB distribution you may want to try
out, AND it makes the overall distribution much much easier/cost-
effective for the maintainers)

>
> 5) Put your website on a proper web server, one protected by a real
> firewall and on a locked down OS following the OS Vendors FULL
> SUGGESTIONS ON HOW TO SECURE IT.

ok, so what you're saying is that there is no way to safely run a
simple website without paying out either professional hosting fees or
buying all the equipment that hosting vendors require. A safe, but
uninspiring, answer.

>
> Don't port forward and make sure that UPnP is disabled.

UPnP is disabled, but I would love to understand what the problem /
risk with port forwarding is - can you provide any information, links,
resources to help me understand?

>
> Stop providing services over a residential grade DSL service.
>

"Services"? I run my own personal 10-pageview/month website! It's
kind of sad if there is no way to do that using home tools... Maybe
that's where we're at now, I'm not sure.


Thanks again for the feedback, I'd appreciate any info you could
provide on the port forwarding question though!

Thanks,
Tao


Leythos
Oct 11, 2007, 6:25:59 AM

In article <1192090609.6...@y42g2000hsy.googlegroups.com>,
mania...@gmail.com says...

> Thanks for the feedback!
>
> > > - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
> > > seems to run a "GlobespanVirata" chipset. This was provided to me by
> > > my previous ADSL provider, Telefonica Spain.
>
> > You mention the ADSL Router and NAT LAN, but you don't tell us how the
> > NAT is implemented - is the ADSL device doing the NAT or do you have a
> > NAT Router Appliance? You sort of indicate you do, but you don't tell us
> > what device/vendor it is.
>
> Sorry I wasn't clear - the ADSL router is the NAT device. The ADSL
> connection uses PPPoA, which means (as I understand it) that I cannot
> operate the ADSL device in "bridged" mode with a different device
> handling the routers/NAT functions. I guess I could simply leave the
> ADSL device be, and set up a second NAT LAN behind another device - is
> there any disadvantage to double-NATing?

Not having experience with that router, I can't be sure what limits it
has or what quality of NAT and forwarding it has. The key thing is that
the device does not provide a PUBLIC IP inside the LAN area and that you
have control over what is forwarded inbound.

I've seen a number of DSL routers that are PPPOE (no experience with oA)
that use NAT to 1 IP, but they forward ALL ports inbound to that IP - so
the users might as well be on a public IP.

Double NAT'ing only has an advantage if you have one of those devices
that forwards ALL PORTS to the single internal IP provided by the
device.

> > You mention that you have ports forwarded for sharing - bad move.
> >
>
> Fair enough - why? Based on my limited understanding, this would only
> be a bad move if the file sharing program (uTorrent) had some
> vulnerability, right? Otherwise how could this be a problem?

Because if you don't know enough that you have to ask here, it means you
don't know enough to be securely exposed to the internet.

> To be fair, I agree that the file-sharing is probably a major
> contributing factor - first of all there is the fact that the attack
> happened while I had the file-sharing program running, which is only
> once a month or less, and secondly I have noticed that when I have it
> running it drastically increases the amount of non-legitimate-looking
> activity to my IP address, so I guess attackers monitor this activity
> closely as "clueless but ambitious home user here, let's see what we
> can do with him!" targets. There could well be an unknown
> vulnerability in uTorrent of course, but I expect if that were the
> case the attacker would have done more than access my vulnerable VNC
> server.

You can get Linux without uTorrent, at least any quality Distro.

uTorrent doesn't expose your VNC, but, there is any number of unknowns
where as to what you've done in addition. The issue is that I've not seen
anyone that needs to run a file-sharing program on their computer unless
they were pirating files of some type. Yea, not always true, but it's a
good assumption since there are legal means and methods without using
file sharing methods.

> > I suspect that you also have UPnP enabled and a weak password on the
> > router.
>
> No and No. And the router does not have outside admin access enabled.
> And the first thing I did within seconds of the attack was check the
> router configuration to make sure that they hadn't got in that way.
>
> >
> > I suspect that you have so many holes in your NAT that you've let the
> > person in on VNC and just don't know it.
> >
>
> Fair enough, but I'd love to know how!
>
> > Try this:
> >
> > 1) Disable UPnP
> >
>
> done, always was
>
> > 2) Change the NAT Router (assuming that you have one and it's not the
> > DSL router) to 192.168.6.1/24 and remove ALL port forwards and ALL
> > Triggers if used. Change the password to something proper.
> >
>
> I could do this, but that would really defeat the purpose of my asking
> the question here, as it would also prevent me from providing public
> access to specific services on the desktop. If that is totally
> impossible (to expose only specific ports to the internet and have all
> other ports be normally hidden) then I guess that's that. But it seems
> counter-intuitive.

No, it's the start of trying to determine what happened while you are
also secure to do it. NAT only blocks inbound, so you could learn if
what's on your machine also phones home or creates a connection to a
remote location to allow control. First thing is block inbound
connections, second is monitor outbound connections or block them
entirely while you look.

> > 3) Run a quality Anti-Malware tool on your computer, run it in Safe Mode
> > also.
> >
>
> Any suggestions on quality anti-malware tools? I use AVG antivirus and
> Spybot S&D, so far they haven't missed anything that I know of (but
> then I wouldn't, would I? :))

AVG is crap - I've seen hundreds of computers with AVG compromised. I
use Symantec Corporate software, it's not a resource hog like Norton is
and it's stopped all that I've been exposed to.

If you want to know what AV products to trust, I've always found this
site to have unbiased reviews and test results:

http://www.av-comparatives.org/


Here are a few tools that I use and trust:

Always remember - only download files from Trusted Sites.

The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

First, make sure that your Java is updated to the latest version:
http://www.java.com/en/download/index.jsp

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
order that I would use them myself:

Dave Lipman's tools:
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

AdAwareSE can be found here:
http://www.lavasoft.com/products/ad_aware_free.php

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

> err - how does safe mode help? you mean so I don't have any additional
> programs running?

Because many malware can't run in safe mode - it's not just "you having
any additional programs running". In the case of Multi-av, download it,
run it in normal mode to get the updates, but don't run the scans, then
reboot in safe mode, run it again, since safe mode disables the network,
you've already downloaded them, now run the scans, full drive, run each
of the 4 scanners and run them until nothing is found.

> > 4) Do not share your computer with anything/anyone outside the LAN, stop
> > doing file sharing completely - buy what you need instead.
>
> If what I "need" were easy to buy, I would happily do so :) - I use
> uTorrent only to get stuff that I cannot find anywhere else, or for
> linux distributions (I would recommend it in fact, it is an incredibly
> fast way of getting any full multi-GB distribution you may want to try
> out, AND it makes the overall distribution much much easier/cost-
> effective for the maintainers)

I'm well aware of torrent software, but I don't use it either and never
have a problem getting distros downloaded. I don't subject my networks
to unknowns.

I also don't download apps I've not paid for or music or anything that
is questionable - not saying you do, as you've side-stepped that issue -
but the quickest way to get compromised is to start downloading pirate
wares.

> > 5) Put your website on a proper web server, one protected by a real
> > firewall and on a locked down OS following the OS Vendors FULL
> > SUGGESTIONS ON HOW TO SECURE IT.
>
> ok, so what you're saying is that there is no way to safely run a
> simple website without paying out either professional hosting fees or
> buying all the equipment that hosting vendors require. A safe, but
> uninspiring, answer.

No, what I'm saying is that there is little chance that a non-OS guru,
that a non-technical type, is going to run a website without being
compromised or exploited - notice why you are here.

> > Don't port forward and make sure that UPnP is disabled.
>
> UPnP is disabled, but I would love to understand what the problem /
> risk with port forwarding is - can you provide any information, links,
> resources to help me understand?

IF you allow anyone in you risk being connected to, simple enough to
understand.

> > Stop providing services over a residential grade DSL service.
> >
>
> "Services"? I run my own personal 10-pageview/month website! It's
> kind of sad if there is no way to do that using home tools... Maybe
> that's where we're at now, I'm not sure.

If you run a website then you really need to step back and start
learning about security and how to setup a DMZ and how to lock down your
services, BEFORE YOU PUT THEM ONLINE.

> Thanks again for the feedback, I'd appreciate any info you could
> provide on the port forwarding question though!

Port Forwarding - means you are allowing the WORLD ACCESS TO THE PC YOU
ARE PORT FORWARDING TO, FOR THAT PORT/SERIES OF PORTS. If you don't have
the service answering that port(s) secured then you've exposed your
network.

Bit Twister
Oct 11, 2007, 8:19:27 AM

On Thu, 11 Oct 2007 06:25:59 -0400, Leythos wrote:
>
> First, make sure that your Java is updated to the latest version:
> http://www.java.com/en/download/index.jsp

And have removed the older java installs. :)

Maniaque
Oct 11, 2007, 11:50:42 AM

On Oct 11, 6:25 am, Leythos <v...@nowhere.lan> wrote:
>
> > > > - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
> > > > seems to run a "GlobespanVirata" chipset. This was provided to me by
> > > > my previous ADSL provider, Telefonica Spain.
>
> Not having experience with that router, I can't be sure what limits it
> has or what quality of NAT and forwarding it has. The key thing is that
> the device does not provide a PUBLIC IP inside the LAN area and that you
> have control over what is forwarded inbound.

It does not.

>
> I've seen a number of DSL routers that are PPPOE (no experience with oA)
> that use NAT to 1 IP, but they forward ALL ports inbound to that IP - so
> the users might as well be on a public IP.
>

regardless of the inbound transport type (PPPoE, PPPoA, RFC1483, etc),
most NAT router devices (that I have seen) do not by default use a
"default forwarding IP", although it is an option on many. Not this
one, as it turns out.


> Double NAT'ing only has an advantage if you have one of those devices
> that forwards ALL PORTS to the single internal IP provided by the
> device.
>

ok... and what is the advantage then? The only reason I'm considering
it is because then I can use a regular/standard device like the
linksys wrt54G that is well-known and supported on the internet, turn
on the firewall on that device (which I had to disable on the router I
use now), and keep the services that I need up.

>
> Because if you don't know enough that you have to ask here, it means you
> don't know enough to be securely exposed to the internet.

Oh come on - this sounds a lot like "I don't know exactly, but I know
it's a bad idea, so I'm going to make fun of you instead of answering
the question". I understand that exposing a port exposes any service
that listens on that port. I also understand that that then means any
vulnerability in that service then becomes a vulnerability for the
entire server, and potentially (in my case, without DMZ etc) the
entire network. I understand that, and it's a risk I'm OK with. My
question is whether anyone can tell me whether there are any
circumstances under which port forwarding is "bad" in and of itself,
rather than because of any vulnerabilities in the services that it
purposefully exposes.

>
> uTorrent doesn't expose your VNC, but, there is any number of unknowns
> where as to what you've done in addition. The issue is that I've not see
> anyone that needs to run a file-sharing program on their computer unless
> they were pirating files of some type. Yea, not always true, but it's a
> good assumption since there are legal means and methods without using
> file sharing methods.
>

OK, now there's a sensible suggestion - you're saying (unless I got it
wrong) that the infection probably had nothing to do with the port
forwarding at all, but rather was because of some something I picked
up while downloading all those pirated "w4r3z" that I keep hidden
under the kitchen sink, and that said malware has escaped detection
either through compromising my detection tools or because they're
just too specific, not known widespread infections. To be fair, that
is a possibility. I do take more risks than I probably should, I could
well at some point have run something I shouldn't have... but I don't
think so.


>
> No, it's the start of trying to determine what happened while you are
> also secure to do it. NAT only blocks inbound, so you could learn if
> what's on your machine also phones home or creates a connection to a
> remote location to allow control. First thing is block inbound
> connections, second is monitor outbound connections or block them
> entirely while you look.

Ah, now there's a sensible suggestion, again - running a software
firewall or carefully monitoring all outgoing traffic on the router (a
monster task, it's accumulated 20 megs of data in 1 day) would certainly help
identify any unpleasant low-key trojan I may have running.

>
> AVG is crap - I've seen hundreds of computers with AVG compromised. I
> use Symantec Corporate software, it's not a resource hog like Norton is
> and it's stopped all that I've been exposed to.
>
> If you want to know what AV products to trust, I've always found this
> site to have unbiased reviews and test results:
>
> http://www.av-comparatives.org/
>

Nice to know, thanks!

> Here are a few tools that I use and trust:
>
> Always remember - only download files from Trusted Sites.
>
> The following links will take you to vendors sites for Spy Ware / Ad
> ware removal tools and also for Antivirus tools. After you install any
> of these applications and update them, run them in SAFE MODE to allow
> them to properly clean your system.
>
> First, make sure that your Java is updated to the latest version: http://www.java.com/en/download/index.jsp
>
> These sites are for downloading Anti-Malware and Anti-Spyware tools, in
> order that I would use them myself:
>
> Dave Lipman's tools:

> Download MULTI_AV.EXE from the URL -- http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe


>
> AdAwareSE can be found here: http://www.lavasoft.com/products/ad_aware_free.php
>
> SpyBot Search and Destroy can be found here: http://www.safer-networking.org/en/download/index.html
>

Thanks, never heard of multi-AV

> > err - how does safe mode help? you mean so I don't have any additional
> > programs running?
>
> Because many malware can't run in safe mode - it's not just "you having
> any additional programs running". In the case of Multi-av, download it,
> run it in normal mode to get the updates, but don't run the scans, then
> reboot in safe mode, run it again, since safe mode disables the network,
> you've already downloaded them, now run the scans, full drive, run each
> of the 4 scanners and run them until nothing is found.
>

Fair enough, I didn't realize the idea was to more thoroughly scan for
malware, but with the suggestions above I think I'm well equipped to
do that :)


>
> I'm well aware of torrent software, but I don't use it either and never
> have a problem getting distro's downloaded. I don't subject my networks
> to unknowns.

ok, but calling the entire family of bittorrent programs a general
"unknown" is exaggerating a little, no? The protocol is well-specified
and well-understood, there are the same security measures built in as
for a direct download from a distributor via HTTP or FTP (i.e. MD5
hash). If you're referring specifically to uTorrent, fair enough. Not
open-source, already had one known vulnerability - I'd say it's more
risky than I planned.

>
> I also don't download apps I've not paid for or music or anything that
> is questionable - not saying you do, as you've side stepped that issue -
> but the quickest way to get compromised is to start downloading pirate
> wares.

Yep, that's fair.

>
> > > 5) Put your website on a proper web server, one protected by a real
> > > firewall and on a locked down OS following the OS Vendors FULL
> > > SUGGESTIONS ON HOW TO SECURE IT.
>
> > ok, so what you're saying is that there is no way to safely run a
> > simple website without paying out either professional hosting fees or
> > buying all the equipment that hosting vendors require. A safe, but
> > uninspiring, answer.
>
> No, what I'm saying is that there is little chance that a non-OS guru,
> that a non-technical type, is going to run a website without being
> compromised or exploited - notice why you are here.

Yep, but that's how you learn. I'm a little bit irked by your
condescending tone, but I really do appreciate the time and help -
while I have worked with professional windows-based webserver
development and hosting for several years and have a pretty good idea
of what "best practices" are at a corporate level, I'm trying to work on a
shoe-string budget here, get a taste for doing things for free or
cheap. As I get burned, I'm trying to understand exactly why and how.

> > UPnP is disabled, but I would love to understand what the problem /
> > risk with port forwarding is - can you provide any information, links,
> > resources to help me understand?
>
> IF you allow anyone in you risk being connected too, simple enough to
> understand.

But more than a little simplistic, no? The ONLY argument against
port-forwarding that I have seen from you so far, and that I was well
aware of before, is that it limits the security of your server, and in
my case network, to the security of the service running on the
forwarded port. On the other thread (sorry about the messed up cross-
post, like I said I am new here), someone suggested that there are
ways and means to gain access to a port OTHER than the one being
forwarded - but if I understand correctly that argument applies
equally if you don't forward ports at all!


>
> If you run a website then you really need to step back and start
> learning about security and how to setup a DMZ and how to lock down your
> services, BEFORE YOU PUT THEM ONLINE.

Well, I was pretty sure I had :)

Which is why I'm trying to understand where I went wrong. As you've
noted, I have probably not searched extensively enough for malware - I
will keep at it. Other than that, I run an updated version of Apache,
there are no known vulnerabilities for other services I expose,
uTorrent seems the most risky, and the jury's still out on what
actually caused the problem:
- malware that I somehow acquired?
- unknown uTorrent vulnerability?
- misunderstanding of how NAT works, leading to attacker's ability to
access a port that was NOT forwarded?


>
> Port Forwarding - means you are allowing the WORLD ACCESS TO THE PC YOU
> ARE PORT FORWARDING TO, FOR THAT PORT/SERIES OF PORTS. If you don't have
> the service answering that port(s) secured then you've exposed your
> network.

Yes, that's pretty obvious. But that's not a problem with port
forwarding, it's a problem with the services you are exposing.
Obviously if they are not secure, and they are public, nothing is
secure.

Thanks again,
Tao

Leythos
Oct 11, 2007, 2:38:41 PM
In article <1192117842.5...@50g2000hsm.googlegroups.com>,
mania...@gmail.com says...

> On Oct 11, 6:25 am, Leythos <v...@nowhere.lan> wrote:
> >
> > > > > - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
> > > > > seems to run a "GlobespanVirata" chipset. This was provided to me by
> > > > > my previous ADSL provider, Telefonica Spain.
> >
> > Not having experience with that router, I can't be sure what limits it
> > has or what quality of NAT and forwarding it has. The key thing is that
> > the device does not provide a PUBLIC IP inside the LAN area and that you
> > have control over what is forwarded inbound.
>
> It does not.
>
> >
> > I've seen a number of DSL routers that are PPPOE (no experience with oA)
> > that use NAT to 1 IP, but they forward ALL ports inbound to that IP - so
> > the users might as well be on a public IP.
> >
>
> regardless of the inbound transport type (PPPoE, PPPoA, RFC1483, etc),
> most NAT router devices (that I have seen) do not by default use a
> "default forwarding IP", although it is an option on many. Not this
> one, as it turns out.

And, having worked all over the country here in the US, I can say that
I've seen it in about 30% of cases - that's why I mentioned it.

> > Double NAT'ing only has an advantage if you have one of those devices
> > that forwards ALL PORTS to the single internal IP provided by the
> > device.
>
> ok... and what is the advantage then? The only reason I'm considering
> it is because then I can use a regular/standard device like the
> linksys wrt54G that is well-known and supported on the internet, turn
> on the firewall on that device (which I had to disable on the router I
> use now), and keep the services that I need up.

In a double NAT you could use it like a DMZ and LAN - the first NAT
would be your DMZ, the second NAT would be your LAN - so, you would port
forward to the DMZ computer and not to the LAN computers. This means
that your LAN computers could access the internet and DMZ computers, but
the DMZ/WAN networks would not be able to access the LAN computers:

WAN >>> NAT1 >>> DMZ >>> NAT2 >>> LAN

> > Because if you don't know enough that you have to ask here, it means you
> > don't know enough to be securely exposed to the internet.
>
> Oh come on - this sounds a lot like "I don't know exactly, but I know
> it's a bad idea, so I'm going to make fun of you instead of answering
> the question".

No, it means that you really don't know enough and have not spent the
time to just read how to secure your web/network from the thousands of
websites that have been around since before you started doing this. It
means that you're looking for a short-cut to get it done quickly and
don't want to spend the time to properly secure it and learn about it.
No picking on you intended, just calling it like I've seen it thousands
of times.

> I understand that exposing a port exposes any service
> that listens on that port. I also understand that that then means any
> vulnerability in that service then becomes a vulnerability for the
> entire server, and potentially (in my case, without DMZ etc) the
> entire network. I understand that, and it's a risk I'm OK with. My
> question is whether anyone can tell me whether there are any
> circumstances under which port forwarding is "bad" in and of itself,
> rather than because of any vulnerabilities in the services that it
> purposefully exposes.

Port Forwarding is not different than exposing the listening service by
any other means - all traffic that hits that port is sent to the device
listening. Once that listening service is compromised, any number of
things can be done to the host computer/device - and there is no way to
know what the hacker would/is doing unless we see the computer.

> > uTorrent doesn't expose your VNC, but, there is any number of unknowns
> > as to what you've done in addition. The issue is that I've not seen
> > anyone that needs to run a file-sharing program on their computer unless
> > they were pirating files of some type. Yea, not always true, but it's a
> > good assumption since there are legal means and methods without using
> > file sharing methods.
> >
>
> OK, now there's a sensible suggestion - you're saying (unless I got it
> wrong) that the infection probably had nothing to do with the port
> forwarding at all, but rather was because of some something I picked
> up while downloading all those pirated "w4r3z" that I keep hidden
> under the kitchen sink, and that said malware has escaped detection
> either through compromising my detection tools or because they're
> just too specific, not known widespread infections. To be fair, that
> is a possibility. I do take more risks than I probably should, I could
> well at some point have run something I shouldn't have... but I don't
> think so.

No, since the problem could have been things you downloaded OR from
compromised services you allow public exposure to.

You say you don't think you've done anything, but the fact is that
Someone was using your VNC connection other than you - so you've done
something and don't know what, yet you want to knock the basics of
security because "you don't think so".

> > No, it's the start of trying to determine what happened while you are
> > also secure to do it. NAT only blocks inbound, so you could learn if
> > what's on your machine also phones home or creates a connection to a
> > remote location to allow control. First thing is block inbound
> > connections, second is monitor outbound connections or block them
> > entirely while you look.
>
> Ah, now there's a sensible suggestion, again - running a software
> firewall or carefully monitoring all outgoing traffic on the router (a
> monster task, it's accumulated 20 megs of data in 1 day) would certainly
> help identify any unpleasant low-key trojan I may have running.

No, software firewalls are useless on most personal computers. What you
want to do is run a logging application that accepts the logs from the
NAT appliance - this will show, in real time, inbound and outbound
traffic clearly.

If the log doesn't allow easy determination of ports/IP, then it's
useless.

Always scan offline - in fact, if you can place the drive in a clean
machine and scan, it's even better.

> > I'm well aware of torrent software, but I don't use it either and never
> > have a problem getting distro's downloaded. I don't subject my networks
> > to unknowns.
>
> ok, but calling the entire family of bittorrent programs a general
> "unknown" is exaggerating a little, no? The protocol is well-specified
> and well-understood, there are the same security measures built in as
> for a direct download from a distributor via HTTP or FTP (i.e MD5
> hash). If you're referring specifically to uTorrent, fair enough. Not
> open-source, already had one known vulnerability - I'd say it's more
> risky than I planned.

well, fact is that most people doing torrents are also downloading
things that are unethical/pirated and against licensing. Being Open
Source does not mean it's any better, but that you download a lot means
your exposure is much higher.

> > I also don't download apps I've not paid for or music or anything that
> > is questionable - not saying you do, as you've side stepped that issue -
> > but the quickest way to get compromised is to start downloading pirate
> > wares.
>
> Yep, that's fair.
>
> >
> > > > 5) Put your website on a proper web server, one protected by a real
> > > > firewall and on a locked down OS following the OS Vendors FULL
> > > > SUGGESTIONS ON HOW TO SECURE IT.
> >
> > > ok, so what you're saying is that there is no way to safely run a
> > > simple website without paying out either professional hosting fees or
> > > buying all the equipment that hosting vendors require. A safe, but
> > > uninspiring, answer.
> >
> > No, what I'm saying is that there is little chance that a non-OS guru,
> > that a non-technical type, is going to run a website without being
> > compromised or exploited - notice why you are here.
>
> Yep, but that's how you learn. I'm a little bit irked by your
> condescending tone, but I really do appreciate the time and help -
> while I have worked with professional windows-based webserver
> development and hosting for several years and have a pretty good idea
> of "best practices" are at a corporate level, I'm trying to work on a
> shoe-string budget here, get a taste for doing things for free or
> cheap. As I get burned, I'm trying to understand exactly why and how.

It's not condescending, it's accurate and because of years of working
with people in your boat - yea, people don't like to be exposed for not
doing the leg work before jumping into things, but, it's not personal,
it's technical.

Fact is that you can secure a Windows PC just fine with a Simple NAT
router and run a nice website on it without much fear, but you really
needed to follow ALL of the security instructions and methods as
suggested for YEARS by MS and others - before you put it online.

> > > UPnP is disabled, but I would love to understand what the problem /
> > > risk with port forwarding is - can you provide any information, links,
> > > resources to help me understand?
> >
> > IF you allow anyone in you risk being connected too, simple enough to
> > understand.
>
> But more than a little simplistic, no? The ONLY argument against port-
> forwarding that I have seen from you so far, and that I was well
> aware of before, is that it limits the security of your server, and in
> my case network, to the security of the service running on the
> forwarded port. On the other thread (sorry about the messed up cross-
> post, like I said I am new here), someone suggested that there are
> ways and means to gain access to a port OTHER than the one being
> forwarded - but if I understand correctly that argument applies
> equally if you don't forward ports at all!

Yea, some routers can be cracked by several means, most of them have
been patched - that's part of not using the default network address
range, not using a weak password, not using standard ports, checking the
logs, etc.... If you are hosting a web server you really need a real
firewall and not a NAT device.

> > If you run a website then you really need to step back and start
> > learning about security and how to setup a DMZ and how to lock down your
> > services, BEFORE YOU PUT THEM ONLINE.
>
> Well, I was pretty sure I had :)
>
> Which is why I'm trying to understand where I went wrong. As you've
> noted, I have probably not searched extensively enough for malware - I
> will keep at it. Other than that, I run an updated version of Apache,
> there are no known vulnerabilities for other services I expose,
> uTorrent seems the most risky, and the jury's still out on what
> actually caused the problem:
> - malware that I somehow acquired?
> - unknown uTorrent vulnerability?
> - misunderstanding of how NAT works, leading to attacker's ability to
> access a port that was NOT forwarded?
>
> > Port Forwarding - means you are allowing the WORLD ACCESS TO THE PC YOU
> > ARE PORT FORWARDING TO, FOR THAT PORT/SERIES OF PORTS. If you don't have
> > the service answering that port(s) secured then you've exposed your
> > network.
>
> Yes, that's pretty obvious. But that's not a problem with port
> forwarding, it's a problem with the services you are exposing.
> Obviously if they are not secure, and they are public, nothing is
> secure.

Well, since you can't be sure that you secured the services then you
have to look at if you really need the ports forwarded.

There are methods that you can use to detect attacks without you needing to
be there (auto methods in firewalls) - hosting means you need to
consider the protection of your devices so that the rest of us don't
suffer because of your compromise.
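Leythos's advice in the post above, block inbound and then watch what the machine talks to, worked through as an added example (this is not code from the thread or from any router vendor). It runs over a small constructed log; the line syntax, the addresses and the forwarded-port list are assumptions for the example, not the Xavi's real syslog format. It reports inbound connections that landed on ports nobody forwarded (which should not happen behind a plain NAT unless something punched a hole), pairs each such hit with an outbound connection to the same remote's port 21 shortly before it (the trace an FTP NAT helper leaves when a program on the LAN asks it to open a port), and lists outbound connections that recur to one remote at a steady interval, which is how a trojan phoning home looks in a connection log.

```python
"""Triage a NAT router's connection log: unexpected inbound hits,
FTP-helper pinholes and periodic outbound "phone home" traffic.

Added example for this thread; not the router's own log format or
tooling. Everything below (log syntax, addresses, forwarded ports)
is constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. Syntax is assumed:
# "<date> <time> IN|OUT <proto> src:port -> dst:port"
SAMPLE_LOG = """\
2007-10-10 14:02:11 IN  TCP 203.0.113.5:4123 -> 192.168.1.10:80
2007-10-10 14:02:30 OUT TCP 192.168.1.10:1055 -> 198.51.100.7:80
2007-10-10 14:02:50 OUT TCP 192.168.1.10:1060 -> 203.0.113.5:21
2007-10-10 14:03:01 IN  TCP 203.0.113.5:4130 -> 192.168.1.10:5900
2007-10-10 14:05:00 OUT TCP 192.168.1.10:1061 -> 192.0.2.44:6667
2007-10-10 14:10:00 OUT TCP 192.168.1.10:1062 -> 192.0.2.44:6667
2007-10-10 14:15:00 OUT TCP 192.168.1.10:1063 -> 192.0.2.44:6667
"""

# Ports the owner deliberately forwards (assumed for the example).
FORWARDED = frozenset({80, 8080, 6881})

LINE_RE = re.compile(
    r"^(\S+ \S+) (IN|OUT)\s+(\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


@dataclass(frozen=True)
class Conn:
    when: datetime
    direction: str   # "IN" = from the internet, "OUT" = from the LAN
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_log(text):
    """Parse the constructed log format into Conn records, skipping lines it cannot read."""
    conns = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, direction, proto, sip, sport, dip, dport = m.groups()
        conns.append(Conn(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                          direction, proto, sip, int(sport), dip, int(dport)))
    return conns


def unexpected_inbound(conns, forwarded):
    """Inbound connections that reached a LAN port nobody forwarded.
    Behind a plain NAT with no helpers these should not exist at all."""
    return [c for c in conns if c.direction == "IN" and c.dst_port not in forwarded]


def ftp_helper_suspects(conns, forwarded, window_s=60):
    """Pair each unexpected inbound hit with an outbound connection to the
    same remote's port 21 in the preceding window: the pattern an FTP
    NAT helper leaves when a LAN program asks it to open a pinhole."""
    suspects = []
    for hit in unexpected_inbound(conns, forwarded):
        for c in conns:
            if (c.direction == "OUT" and c.dst_ip == hit.src_ip and c.dst_port == 21
                    and 0 <= (hit.when - c.when).total_seconds() <= window_s):
                suspects.append((hit.src_ip, hit.dst_port))
                break
    return suspects


def beacons(conns, min_hits=3, tolerance=0.2):
    """Outbound connections that recur to one remote ip:port at a steady
    interval. Returns {(ip, port): mean_interval_seconds}."""
    by_remote = defaultdict(list)
    for c in conns:
        if c.direction == "OUT":
            by_remote[(c.dst_ip, c.dst_port)].append(c.when)
    found = {}
    for remote, times in by_remote.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            found[remote] = mean
    return found


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for c in unexpected_inbound(conns, FORWARDED):
        print(f"inbound to non-forwarded port: {c.src_ip} -> {c.dst_ip}:{c.dst_port} at {c.when}")
    for ip, port in ftp_helper_suspects(conns, FORWARDED):
        print(f"port {port} opened shortly after a connection to {ip}:21 (FTP helper?)")
    for (ip, port), gap in beacons(conns).items():
        print(f"possible beacon: {ip}:{port} every {gap:.0f}s")
```

To use it on a real router log, replace SAMPLE_LOG with the exported log and adapt LINE_RE to that router's line format; the three checks are the ones worth automating before reading 20 megs of records by hand.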

Maniaque
Oct 11, 2007, 2:57:00 PM
Thanks for all your help Leythos!

The double NAT setup makes sense, I did not understand that you meant
using the first NAT as DMZ.

I am familiar with Microsoft's Baseline security checklists, multi-
layer security, etc - I'm just more concerned with having a solid
first layer for this simple home-hosting situation, and keeping all my
"convenience" functionality (eg VNC service hidden from public access,
rather than disabled) around. I don't have a machine to spare as my
web server, so until I get truly fried I'll soldier on... :)

I'm pretty sure I found the attack vector in the end, it turned out to
be neither downloaded malware nor a compromised service (although I am
aware that both remain a possibility):

Michael Ziegler helped me find the issue on a thread I badly cross-
posted on alt.comp.networking.connectivity:
http://groups.google.com/group/alt.comp.networking.connectivity/browse_thread/thread/8c6a972156a51e0d/#

My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
wrong above) has an Active FTP "NAT Helper" which allows any program
with TCP-connection-creation privileges on any of my computers to
open an incoming port to this machine from a target site on the
internet. Java Applets, by default, have this functionality enabled.
You can test for this "feature" or "flaw" at the following site:
http://bedatec.dyndns.org/ftpnat/dotest_en.html

On the day this happened, I was browsing on at least a couple of sites
that could well have had "harmful content", probably including a java
applet that opened up my port to the attacking site by using the FTP
NAT helper trick. My VNC server was a flawed version which (I tested
that) allowed certain well-crafted incoming connections to bypass
authentication.

Now - at this point I have no proof that that was the course of
events, but "Occam's razor" and all that, it is definitely the
simplest explanation that fits all the facts. I will definitely do a
more thorough malware check on my machine and I will implement a
solution that allows me to forward the ports I want without the NAT
Helper flaw, but in the meantime I will sleep much better knowing that
chances are 95% that I at least know exactly what the problem was. And
at the same time I learned a lot about what NAT is and isn't!

Thanks for all your help!
Tao
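The FTP NAT helper behaviour described in the post above, modelled as an added example (not the Xavi's firmware, not code from the thread, and not an exploit). An FTP "NAT helper" or ALG watches outbound connections to TCP port 21 for the active-mode PORT command, which names the address and port the server should connect back to, and temporarily forwards that port inbound so the data connection works. The model puts the behaviour the thread describes (the helper trusts whatever PORT line leaves the LAN) next to the checks a more careful helper would apply. The addresses, ports and the set of "protected" ports are constructed for the example.

```python
"""Model of an FTP NAT helper (ALG) deciding whether to open a pinhole.

Added example for this thread. It is not the Xavi's firmware or any real
router's code: it models the behaviour the thread describes (the helper
trusts whatever PORT command leaves the LAN on TCP/21) next to the checks
a more careful helper would apply. Addresses and ports are constructed.
"""
import re
from dataclasses import dataclass

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" tells the server to connect
# back to h1.h2.h3.h4 on port p1*256+p2. A NAT helper rewrites this and
# temporarily forwards that port inbound so the data connection works.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


@dataclass(frozen=True)
class Pinhole:
    remote_ip: str   # the only address allowed to connect in
    lan_ip: str      # where the router forwards the connection
    lan_port: int


def parse_port_command(line: bytes):
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        return None
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def naive_helper(line, conn_src_ip, conn_dst_ip):
    """The behaviour the thread describes: any program on the LAN that can
    write a PORT line to a remote port 21 gets a pinhole to whatever LAN
    address and port it names. conn_src_ip / conn_dst_ip are the two ends
    of the control connection the helper saw the command on."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    lan_ip, lan_port = parsed
    return Pinhole(remote_ip=conn_dst_ip, lan_ip=lan_ip, lan_port=lan_port)


def careful_helper(line, conn_src_ip, conn_dst_ip,
                   protected_ports=frozenset({5800, 5900})):
    """Checks a more careful helper would apply (assumed, not the Xavi's):
    the PORT address must be the host that opened the control connection,
    the port must be ephemeral, and ports the administrator marks as local
    services (here the two VNC ports) are never opened. Even so, a program
    on the LAN can still open any other port on its own host, which is why
    turning the helper off, as the thread concludes, is the real fix."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    lan_ip, lan_port = parsed
    if lan_ip != conn_src_ip:          # no pinholes to other LAN hosts
        return None
    if lan_port < 1024 or lan_port in protected_ports:
        return None
    return Pinhole(remote_ip=conn_dst_ip, lan_ip=lan_ip, lan_port=lan_port)


if __name__ == "__main__":
    # Constructed scenario: a program on 192.168.1.10 talks to 203.0.113.5:21
    # and asks for port 5900 (23*256 + 12) to be opened.
    cmd = b"PORT 192,168,1,10,23,12\r\n"
    print("naive  :", naive_helper(cmd, "192.168.1.10", "203.0.113.5"))
    print("careful:", careful_helper(cmd, "192.168.1.10", "203.0.113.5"))
```

The point the model makes is that the port number in the PORT line is chosen by whatever wrote it, so the helper is effectively a port-forwarding rule that any program on the LAN (a browser plugin included) can add at will; the extra checks shrink the exposure but do not remove it, which is why disabling the helper, or switching to passive-mode FTP which needs no inbound pinhole, is the fix.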

Leythos
Oct 11, 2007, 4:40:29 PM
In article <1192129020.2...@k79g2000hse.googlegroups.com>,
mania...@gmail.com says...

>
> The double NAT setup makes sense, I did not understand that you meant
> using the first NAT as DMZ.

A DMZ is a secured network that you use for public hosts, so that the LAN
is not exposed to them when they are compromised.

So, look at how this works:

WAN/PUBLIC >> NAT 1 DEVICE >> LAN1 (DMZ) >> NAT 2 DEVICE >> LAN2 (LAN)

So, you put your web server in the DMZ network - that would be the LAN
side of NAT 1 device. In NAT 1 you forward from the public IP to the DMZ
network machines as needed.

In NAT 2 device you don't forward ANYTHING, nothing, nada, zip. This
means that the computers in your LAN network are not exposing anything
to the public for them to vector in on.

So, DMZ is web/ftp/etc servers, (LAN2) is the protected network where
your computers reside.

Make sure that you change the default subnets for each LAN/DMZ.

LAN1 = 192.168.8.1/24
LAN2 = 192.168.9.1/24

Unruh
Oct 12, 2007, 2:58:21 AM
I suspect they got in through your http port which you have wide open, with
no NAT on it.

You may also have your system set up in bridging mode in which case there
is no NAT either. What is your IP address on your computer?
ifconfig in Linux or ipconfig. If it is a routable address you are
running in bridging mode and do not have NAT.

Maniaque <mania...@gmail.com> writes:

>Sorry I'm new here, not sure this is the right newsgroup to post to -
>I have a question that is about routers, security, and connectivity
>all rolled into one.

>Yesterday while I was working on my desktop all of a sudden a session
>kicked in on my VNC server - my desktop background image disappeared
>and the RealVNC system tray icon turned black to indicate a session in
>progress. Within a couple of seconds, something hit my start menu, run
>dialog, "cmd", and typed "TFT" in the new command prompt window. At
>this point I panicked and shutdown the VNC service ASAP.

>This post is not actually about the VNC problem, I found out today
>that the version I used had a known security flaw that allowed
>bypassing the password prompt. That is clearly what happened there,
>and could be easily fixed with upgrading to the newest version.

>My question is how the attacker got to my VNC port!

>Here's all the background I can muster:

> - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
>seems to run a "GlobespanVirata" chipset. This was provided to me by
>my previous ADSL provider, Telefonica Spain.
> - I have a standard NAT lan, with a variety of devices connecting to
>the internet through the router.
> - I have certain very specific ports forwarded to my desktop for
>remote access, peer-to-peer connectivity, etc. \

And any one of those could be broken into, especially the http port.


> - I am NOT forwarding either of the VNC ports (standard ports 5900
>and 5800), so to my limited knowledge the VNC service should not be
>accessible from the internet. I have of course tested this, and found
>that to be correct. The VNC service is not publically accessible.
> - I do not have the firewall enabled on the router, because I assumed
>the NAT basically made it safe. I tried enabling the router firewall
>today but it also seems to block the services that I need to be able
>to access from the internet (eg HTTP, I run a small webserver), so
>that does not work for me.

And that means you do not have http (port 80) NATed.
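Unruh's check above (look at the address the machine holds; a routable one means there is no NAT in front of it) as an added example that is not part of the thread. It pulls the IPv4 addresses out of ipconfig or ifconfig output and classifies each against the private, link-local, loopback and shared (carrier-grade NAT, RFC 6598) ranges; anything else is routable. The two sample outputs are constructed and abbreviated, and the classification deliberately uses explicit networks rather than the ipaddress module's is_private, which also flags the documentation ranges used in the samples.

```python
"""Check whether the address your host holds is private (behind NAT) or
routable (bridged / directly exposed), from ipconfig or ifconfig output.

Added example for this thread, not a tool from the thread. The two
outputs below are constructed and abbreviated.
"""
import ipaddress
import re

RANGES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local (no DHCP lease obtained)", ipaddress.ip_network("169.254.0.0/16")),
    ("private RFC 1918 (behind NAT)", ipaddress.ip_network("10.0.0.0/8")),
    ("private RFC 1918 (behind NAT)", ipaddress.ip_network("172.16.0.0/12")),
    ("private RFC 1918 (behind NAT)", ipaddress.ip_network("192.168.0.0/16")),
    ("shared RFC 6598 (behind carrier-grade NAT)", ipaddress.ip_network("100.64.0.0/10")),
]

# Matches the address line of Windows ipconfig ("IP Address" / "IPv4 Address")
# and of Linux ifconfig ("inet addr:" on older versions, "inet " on newer).
ADDR_RE = re.compile(r"(?:IP(?:v4)? Address[ .]*: |inet (?:addr:)?)(\d+\.\d+\.\d+\.\d+)")


def classify(ip: str) -> str:
    """Name the address class; anything not in RANGES is routable."""
    addr = ipaddress.ip_address(ip)
    for label, net in RANGES:
        if addr in net:
            return label
    return "routable (no NAT in front of this host)"


def addresses(text: str):
    """Extract IPv4 addresses from ipconfig/ifconfig output, in order."""
    return ADDR_RE.findall(text)


def report(text: str):
    """Return [(ip, class)] for every non-loopback address in the output."""
    return [(ip, classify(ip)) for ip in addresses(text) if classify(ip) != "loopback"]


# Constructed samples.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.77  Bcast:203.0.113.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

if __name__ == "__main__":
    for sample in (IPCONFIG_SAMPLE, IFCONFIG_SAMPLE):
        for ip, kind in report(sample):
            print(f"{ip:16} {kind}")
```

Pipe the real `ipconfig` or `ifconfig` output into report() instead of the samples; a private address only tells you that something is translating in front of the host, it says nothing about which ports that something forwards or which helpers it runs.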

Unruh
Oct 12, 2007, 3:01:55 AM
Maniaque <mania...@gmail.com> writes:

>Thanks for the feedback!

>> > - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
>> > seems to run a "GlobespanVirata" chipset. This was provided to me by
>> > my previous ADSL provider, Telefonica Spain.

>> You mention the ADSL Router and NAT LAN, but you don't tell us how the
>> NAT is implemented - is the ADSL device doing the NAT or do you have a
>> NAT Router Appliance? You sort of indicate you do, but you don't tell us
>> what device/vendor it is.

>Sorry I wasn't clear - the ADSL router is the NAT device. The ADSL
>connection uses PPPoA, which means (as I understand it) that I cannot
>operate the ADSL device in "bridged" mode with a different device
>handling the routers/NAT functions. I guess I could simply leave the
>ADSL device be, and set up a second NAT LAN behind another device - is
>there any disadvantage to double-NATing?

No you cannot. Having double NAT confuses the hell out of many routers.

t set up a firewall properly.


>>
>> You mention that you have ports forwarded for sharing - bad move.
>>

>Fair enough - why? Based on my limited understanding, this would only
>be a bad move if the file sharing program (uTorrent) had some
>vulnerability, right? Otherwise how could this be a problem?

And you know it does not? You also have port 80 open but do not tell us
which web server you run.

Unruh
Oct 12, 2007, 3:04:55 AM
Leythos <vo...@nowhere.lan> writes:


>You can get Linux without uTorrent, at least any quality Distro.

>uTorrent doesn't expose your VNC, but, there is any number of unknowns
>as to what you've done in addition. The issue is that I've not seen
>anyone that needs to run a file-sharing program on their computer unless
>they were pirating files of some type. Yea, not always true, but it's a
>good assumption since there are legal means and methods without using
>file sharing methods.

You talk about Linux which you almost certainly downloaded using torrent
and you say that the only use you know of for filesharing is pirated files?
Sheesh.

Leythos
Oct 12, 2007, 7:54:13 AM
In article <DZEPi.11013$G25.8264@edtnps89>, unruh...@physics.ubc.ca
says...

> No you cannot. Having double NAT confuses the hell out of many routers.

No, what confuses users is not understanding that both LANs must be in
different subnets or the router won't know which LAN you want to access.

Routers have NO issues with double NAT, it's only when the user doesn't
know anything about networking and sets both LANs to 192.168.0.1/24 (or
the default subnet on both).

Leythos
Oct 12, 2007, 7:57:04 AM
In article <r0FPi.11014$G25.349@edtnps89>, unruh...@physics.ubc.ca
says...

No, I downloaded Linux (Fedora) using FTP, not a torrent, and I do not
use torrent programs, nor other PtP programs.

You also misstated my view of P2P programs, I said "I've not seen anyone
that needs to run a file-sharing program on their computer unless they
were pirating files of some type." which is not the same as "the only use".

Yes, people CAN use P2P software ethically, but I've not seen ANY person
that has P2P software installed that has ONLY used it ethically.

Unruh
Oct 12, 2007, 8:32:19 PM
Leythos <vo...@nowhere.lan> writes:

>In article <DZEPi.11013$G25.8264@edtnps89>, unruh...@physics.ubc.ca
>says...
>> No you cannot. Having double NAT confuses the hell out of many routers.

>No, what confuses users is not understanding that both LANs must be in
>different subnets or the router won't know which LAN you want to access.

>Routers have NO issues with double NAT, it's only when the user doesn't
>know anything about networking and sets both LANs to 192.168.0.1/24 (or
>the default subnet on both).

That can certainly confuse things. But also NAT tends to work by assigning
a very high port number on the outgoing and translating those. If the port
on the inward side is also a high number, then the system can get confused.
Of course they should not, but should not and do not are different things.

Unruh
Oct 12, 2007, 8:35:49 PM
Leythos <vo...@nowhere.lan> writes:

>In article <r0FPi.11014$G25.349@edtnps89>, unruh...@physics.ubc.ca
>says...
>> Leythos <vo...@nowhere.lan> writes:
>>
>>
>> >You can get Linux without uTorrent, at least any quality Distro.
>>
>> >uTorrent doesn't expose your VNC, but, there is any number of unknowns
>> >as to what you've done in addition. The issue is that I've not seen
>> >anyone that needs to run a file-sharing program on their computer unless
>> >they were pirating files of some type. Yea, not always true, but it's a
>> >good assumption since there are legal means and methods without using
>> >file sharing methods.
>>
>> You talk about Linux which you almost certainly downloaded using torrent
>> and you say that the only use you know of for filesharing is pirated files?
>> Sheesh.

>No, I downloaded Linux (Fedora) using FTP, not a torrent, and I do not
>use torrent programs, nor other PtP programs.

>You also misstated my view of P2P programs, I said "I've not see anyone
>that needs to run a file-sharing program on their computer unless they
>were pirating files of some type." which is not the same "the only use".

>Yes, people CAN use P2P software ethically, but I've not seen ANY person
>that has P2P software installed that has ONLY used it ethically.


As I pointed out, I have and almost certainly you have as well. Let me give
as an example Mandriva, which I am downloading via torrent right now from a
bunch of sites around the world, and I suspect strongly that they use
torrent only for downloading programs. Also I have a torrent running to
allow people to download the arxiv.org repository. That is a completely
legitimate use and the system is not used for "unethical" purposes (We have
permission from the people at arxiv.org to do so). So, now you have to
change your statement.


Unruh
Oct 12, 2007, 8:38:52 PM
Jim Watt <jim...@aol.no_way> writes:

>On Thu, 11 Oct 2007 01:16:49 -0700, Maniaque <mania...@gmail.com>
>wrote:

>>Fair enough - why? Based on my limited understanding, this would only
>>be a bad move if the file sharing program (uTorrent) had some
>>vulnerability, right? Otherwise how could this be a problem?

>if you are running software obtained from a bittorrent you
>do not know if its been tampered with to include a backdoor
>for some hacker.

Yes, you do. The tracker has a md5sum which tells you that what you
downloaded is the same as what you were supposed to download.
If what you meant to say is that if you download a torrent whose tracker is
controlled by some totally unknown person, you do not know whether what you
downloaded is not tampered with. But that is also true if you download via
ftp or http or whatever. And with torrent you have the MD5 checksum to
ensure that what you downloaded is what you were supposed to.

Ie, your observation is ass backwards.

>--
>Jim Watt
>http://www.gibnet.com

Leythos
Oct 12, 2007, 9:29:34 PM
In article <FpUPi.9637$GO5.4175@edtnps90>, unruh...@physics.ubc.ca
says...

> That is a completely
> legitimate use and the system is not used for "unethical" purposes (We have
> permission from the people at arxiv.org to do so). So, now you have to
> change your statement.

You've not comprehended what I wrote - I never once said that "ALL
USES" are unethical or illegal - but I can see how someone that is
paranoid would think I said that if they didn't comprehend what I wrote.

nemo_outis
Oct 12, 2007, 9:47:05 PM
Leythos <vo...@nowhere.lan> wrote in
news:MPG.2179e986f...@adfree.Usenet.com:

> In article <FpUPi.9637$GO5.4175@edtnps90>, unruh...@physics.ubc.ca
> says...
>> That is a completely
>> legitimate use and the system is not used for "unethical" purposes
>> (We have permission from the people at arxiv.org to do so). So, now
>> you have to change your statement.
>
> You've not comprehended what I wrote - I never once said that "ALL
> USES" are unethical or illegal - but I can see how someone that is
> paranoid would think I said that if they didn't comprehend what I
> wrote.


It is you who hasn't comprehended.

You said that you had never encountered a person who used P2P exclusively
for ethical purposes. Unruh gave himself as an example of someone who only
uses P2P ethically (which he described with examples). Unless you believe
Unruh is lying, you now DO KNOW at least one person who uses P2P ethically
and, accordingly, you must (at least in future) change your statement about
never having encountered such a person.

Regards,

Leythos
Oct 12, 2007, 9:52:44 PM
In article <Xns99C7C9435...@204.153.245.131>, a...@xyz.com
says...

> Leythos <vo...@nowhere.lan> wrote in
> news:MPG.2179e986f...@adfree.Usenet.com:
>
> > In article <FpUPi.9637$GO5.4175@edtnps90>, unruh...@physics.ubc.ca
> > says...
> >> That is a completely
> >> legitimate use and the system is not used for "unethical" purposes
> >> (We have permission from the people at arxiv.org to do so). So, now
> >> you have to change your statement.
> >
> > You've not comprehended what I wrote - I never once said that "ALL
> > USES" are unethical or illegal - but I can see how someone that is
> > paranoid would think I said that if they didn't comprehend what I
> > wrote.
>
>
> It is you who hasn't comprehended.
>
> You said that you had never encountered a person who used P2P exclusively
> for ethical purposes. Unruh gave himself as an example of someone who only
> uses P2P ethically (which he described with examples).

Clearly, my statement was correct and completely accurate.

> Unless you believe
> Unruh is lying, you now DO KNOW at least one person who uses P2P ethically
> and, accordingly, you must (at least in future) change your statement about
> never having encountered such a person.

At this time I have never met or seen his computer or systems and can
not verify his statement.

His reply about my statement was wrong, as I have never met a P2P user
that was 100% ethical and didn't download at least 1 pirated media of
some type.

You/he can claim that I said no-one uses it ethically, but that would be
your failure to comprehend what I wrote. I'm sure, somewhere, there are
people that ethically use P2P apps, but in all the years they've been
available and the thousands of people and thousands of computers I've
come across with P2P software installed, all of them have pirated
something at one point or another.

nemo_outis
Oct 12, 2007, 10:09:14 PM
Leythos <vo...@nowhere.lan> wrote in
news:MPG.2179eee11...@adfree.Usenet.com:


>> It is you who hasn't comprehended.
>>
>> You said that you had never encountered a person who used P2P
>> exclusively for ethical purposes. Unruh gave himself as an example
>> of someone who only uses P2P ethically (which he described with
>> examples).

...


>> Unless you believe
>> Unruh is lying, you now DO KNOW at least one person who uses P2P
>> ethically and, accordingly, you must (at least in future) change your
>> statement about never having encountered such a person.

...


> His reply about my statement was wrong, as I have never met a P2P user
> that was 100% ethical and didn't download at least 1 pirated media of
> some type.


Unless you believe Unruh is lying, you have now encountered at least one
person, Unruh, who has only used P2P for ethical purposes. And therefore
your statement that there are none such must be emended.

You can weasel about wanting to inspect his computer, but that is clearly
just and only that: weaselling.

Unruh thinks and writes carefully and his gentle call for you to correct
your statement was entirely correct, because there are indeed folks (such
as he) who only use P2P ethically. Up to now you have only been guilty
of sloppiness, but you are rapidly entering the realm of intellectual
dishonesty with your weaselling.

Regards,

Leythos
Oct 12, 2007, 10:48:13 PM
In article <Xns99C7CD03F...@204.153.245.131>, a...@xyz.com
says...

> Leythos <vo...@nowhere.lan> wrote in
> news:MPG.2179eee11...@adfree.Usenet.com:
>
>
> >> It is you who hasn't comprehended.
> >>
> >> You said that you had never encountered a person who used P2P
> >> exclusively for ethical purposes. Unruh gave himself as an example
> >> of someone who only uses P2P ethically (which he described with
> >> examples).
> ...
> >> Unless you believe
> >> Unruh is lying, you now DO KNOW at least one person who uses P2P
> >> ethically and, accordingly, you must (at least in future) change your
> >> statement about never having encountered such a person.
> ...
> > His reply about my statement was wrong, as I have never met a P2P user
> > that was 100% ethical and didn't download at least 1 pirated media of
> > some type.
>
>
> Unless you believe Unruh is lying, you have now encountered at least one
> person, Unruh, who has only used P2P for ethical purposes. And therefore
> your statement that there are none such must be emended.

Unless you can't understand, I have neither met nor encountered anyone -
Usenet is Anonymous and there is nothing to validate his statement. I
neither believe nor disbelieve his statement - it's worthless unless his
computer and past have been examined.

> You can weasel about wanting to inspect his computer, but that is clearly
> just and only that: weaselling.

No, it's you taking the lamer's path to try and make more out of what I
wrote than was there.

> Unruh thinks and writes carefully and his gentle call for you to correct
> your statement was entirely correct, because there are indeed folks (such
> as he) who only use P2P ethically. Up to now you have only been guilty
> of sloppiness, but you are rapidly entering the realm of intellectual
> dishonesty with your weaselling.

My statement was clearly about what I HAVE EXPERIENCED, it was not all
encompassing and did not claim what you have presumed it did - at this
point you're the one being sloppy, you're trying to say I said something
I did not say.

nemo_outis

unread,
Oct 13, 2007, 12:20:30 AM10/13/07
to
>> Unruh thinks and writes carefully and his gentle call for you to
>> correct your statement was entirely correct, because there are indeed
>> folks (such as he) who only use P2P ethically. Up to now you have
>> only been guilty of sloppiness, but you are rapidly entering the
>> realm of intellectual dishonesty with your weaselling.
>
> My statement was clearly about what I HAVE EXPERIENCED, it was not all
> encompassing and did not claim what you have presumed it did - at this
> point you're the one being sloppy, you're trying to say I said
> something I did not say.


Ah, I see, you've decided to persist with your weaselling. You're not
man enough to back off from your idiotic over-broad statement even in the
face of personal testimony from an immensely credible fellow who gently
confronts you with a direct exception to your idiotic vacuous statement.

You thought Unruh was a liar and I thought you weren't a dishonest
weaselling fool.

Well, we were both wrong!

Regards,


PS Here's Unruh's entry in the Wikipedia, Leythos. Here's the man whose
credibility you've decided to malign. Goddammit, Leythos, you're a
dishonest obdurate moron!

Bill Unruh
http://en.wikipedia.org/wiki/Bill_Unruh

Leythos

unread,
Oct 13, 2007, 8:17:20 AM10/13/07
to
In article <Xns99C7E3457...@204.153.245.131>, a...@xyz.com
says...

> You thought Unruh was a liar and I thought you weren't a dishonest
> weaselling fool.
>
> Well, we were both wrong!

No, nemo, you are the only one wrong here, clearly.

I don't "think" anything about Unruh, neither right/wrong, nothing. His
post is just that, A Post. It doesn't contradict my statement, it
doesn't prove me wrong, it doesn't do anything. You see, the part you
missed is that I worded my statement with "I" and limited it to "my
experience" and didn't claim the entire world. You keep trying to twist
my statement to cover more than the scope it was defined as - that's
dishonest on your part.

Unruh "could" be honest and ethical, or he could be dishonest and
telling a lie, but I pass no judgment on him because I've not seen his PC
and don't know him.

nemo_outis

unread,
Oct 13, 2007, 10:43:21 AM10/13/07
to
Leythos <vo...@nowhere.lan> wrote in
news:MPG.217a8136a...@adfree.Usenet.com:

> I don't "think" anything about Unruh, neither right/wrong, nothing.


Precisely! You don't think!

You originally made a silly and tendentious statement based only on bad
reasoning from your narrow experience.

When a highly credible fellow, Unruh, provided a direct counter-example
to your foolish exaggeration you did not have the wit or grace to learn
and emend your statement.

Nope, that's not your style, Leythos. You weren't going to back off.
You weren't going to learn anything. You weren't going to think.

No, instead you were going to cling all the more rigidly to your
stupidity with weaseling and dishonesty. You were going to stick your
fingers in your ears, hum loudly, and say, "If I can't inspect Unruh's
computer I get to stay stupid."

Well, of course, you can maintain your idiotic opinion even in the face
of contradictory evidence from a fellow whose credibility and
reasonableness outshines yours by many orders of magnitude. You can be
as rigid, dishonest, and stupid as you wish, for as long as you wish.

Just as you said above, you don't think. And you will continue not to
think. After all, it's your right to obdurately stay stupid.

Regards,

Leythos

unread,
Oct 13, 2007, 12:35:39 PM10/13/07
to
In article <Xns99C858BB1...@204.153.245.131>, a...@xyz.com
says...

> Well, of course, you can maintain your idiotic opinion even in the face
> of contradictory evidence from a fellow whose credibility and
> reasonableness outshines yours by many orders of magnitude. You can be
> as rigid, dishonest, and stupid as you wish, for as long as you wish.

Let's see if you can start thinking or if you're just going to keep your
hate up. Here is what I wrote:

"The issue is that I've not see anyone that needs to run a file-sharing
program on their computer unless they were pirating files of some type.
Yea, not always true, but it's a good assumption since there are legal
means and methods without using file sharing methods."

Notice that I clearly said "I've not see anyone" and that I also said
"Yea, not always true"......

You appear to just be a troll as it's quite clear what I've stated and
that I'm not wrong in any part of my statement.

So, my statement was about what I've seen and experienced and I even
allow for ethical use of P2P apps, but clearly state that I've not seen
it.

You seem to think that some poster that claims they only use P2P apps
ethically is telling the truth - how would anyone know?

So, grow up sonny - fact is that what I said is clearly true, in the
context that I've stated.


--
Leythos - spam9...@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like pcbutts1 that

nemo_outis

unread,
Oct 13, 2007, 1:35:46 PM10/13/07
to
Leythos <vo...@nowhere.lan> wrote in news:MPG.217abde941147b52989ad3
@adfree.Usenet.com:


Are you back again?

Look, you won! You've firmly established your right to be stupid, your
right to weasel, your right not to learn anything.

And I must say you've shown that, for you, these are not just theoretical
rights either.

No, with each successive post you prove you fully live out those rights,
you demonstrate your complete commitment to putting those rights into
practice.

So congratulations on being a man who lives up (down?) to his principles.

Regards,

Leythos

unread,
Oct 13, 2007, 2:38:25 PM10/13/07
to
In article <Xns99C875F69...@204.153.245.131>, a...@xyz.com
says...
> Regards

So, you were trolling - I have to admit, until your previous post I
wasn't sure you were a troll, now with this one I see I've fallen for
it.

nemo_outis

unread,
Oct 13, 2007, 2:54:18 PM10/13/07
to
Leythos <vo...@nowhere.lan> wrote in news:MPG.217adaad8e51141e989ad7
@adfree.Usenet.com:

> So, you were trolling - I have to admit, until your previous post I
> wasn't sure you were a troll, now with this one I see I've fallen for
> it.


No, the only thing that tripped you up and made you fall is your own
stupidity - the stupidity, the obduracy, the weaselling you campaigned so
hard for.

But the really good news is that now you can continue with your stupidity
and weaselling with no downside since you've long since destroyed any
credibility you may have had.

Regards,

Leythos

unread,
Oct 13, 2007, 11:51:41 PM10/13/07
to
In article <Xns99C883470...@204.153.245.131>, a...@xyz.com
says...
> stupidity
> and weaselling

Clearly described yourself.

nemo_outis

unread,
Oct 14, 2007, 12:41:32 AM10/14/07
to
Leythos

>> stupidity
>> and weaselling

> Clearly described yourself.


That's it? That's your snappy comeback? Gee, you really are living your
stupidity to the fullest!

Regards,

Unruh

unread,
Oct 14, 2007, 1:02:00 AM10/14/07
to
Leythos <vo...@nowhere.lan> writes:

>In article <FpUPi.9637$GO5.4175@edtnps90>, unruh...@physics.ubc.ca
>says...
>> That is a completely
>> legitimate use and the system is not used for "unethical" purposes (We have
>> permission from the people at arixiv.org to do so). So, now you have to
>> change your statement.

>You've not comprehended what I wrote - I never once said that "ALL
>USES" are unethical or illegal - but I can see how someone that is
>paranoid would think I said that if they didn't comprehend what I wrote.

You said that you had never seen a computer with torrent seeder/tracker
which did not also deal in illegitimate material. If that was really true,
it no longer is, since I gave you an example of someone who only uses it
for legitimate means, and pointed you to other examples (eg Mandriva,
Suse,...) where it is used only for legitimate means.

Your statement made it seem that one could draw the conclusion that running
a tracker or seeder automatically meant that the person doing so trafficked
in illegitimate items as well as maybe legitimate. That implication is
simply wrong.

Ari

unread,
Oct 14, 2007, 1:09:08 AM10/14/07
to
On Fri, 12 Oct 2007 07:57:04 -0400, Leythos wrote:

> I said "I've not see anyone
> that needs to run a file-sharing program on their computer unless they
> were pirating files of some type." which is not the same "the only use".

No, it's not but what a tunnelled life you must lead!

Keter Noebling

unread,
Oct 14, 2007, 1:10:37 AM10/14/07
to
On 13 Oct 2007 02:09:14 GMT, nemo_outis wrote:

> Unruh thinks and writes carefully and his gentle call for you

Hey, nemo, pay royalties to Will Shakespeare, will ya?

Unruh

unread,
Oct 14, 2007, 1:11:39 AM10/14/07
to
Leythos <vo...@nowhere.lan> writes:

>In article <Xns99C7E3457...@204.153.245.131>, a...@xyz.com
>says...
>> You thought Unruh was a liar and I thought you weren't a dishonest
>> weaselling fool.
>>
>> Well, we were both wrong!

>No, nemo, you are the only one wrong here, clearly.

>I don't "think" anything about Unruh, neither right/wrong, nothing. His
>post is just that, A Post. It doesn't contradict my statement, it
>doesn't prove me wrong, it doesn't do anything. You see, the part you
>missed is that I worded my statement with "I" and limited it to "my
>experience" and didn't claim the entire world. You keep trying to twist
>my statement to cover more than the scope it was defined as - that's
>dishonest on your part.

False. You stated your observation in order that the readers should draw a
conclusion, that anyone who used torrent was unethical. Otherwise what was
the purpose of your statement. I contradicted you. I pointed out that there
are legitimate users of torrents, and that your statement was either
dishonest or ignorant, and that the implication contained in your statement
was wrong.

>Unruh "could" be honest and ethical, or he could be dishonest and
>telling a lie, but I pass no judgment on him because I've not seen his PC
>and don't know him.

Yes, you do. You placed the word could in quotations. In that context,
since you were not quoting, those quotes can only be used to cast doubt on
that word.

nemo_outis

unread,
Oct 14, 2007, 1:18:12 AM10/14/07
to
Keter Noebling <ketern...@gmail.com> wrote in news:1h37mtsa2pco8
$.154e0gl0...@40tude.net:

> On 13 Oct 2007 02:09:14 GMT, nemo_outis wrote:
>
>> Unruh thinks and writes carefully and his gentle call for you
>
> Hey, nemo, pay royalties to Will Shakespeare, will ya?


That cheap hack? :-)

Regards,

Leythos

unread,
Oct 15, 2007, 6:56:59 AM10/15/07
to
In article <cphQi.10176$GO5.1093@edtnps90>, unruh...@physics.ubc.ca
says...

You did not give me an example of someone that doesn't - your statement
is the same as standing in the woods, without anyone around, and
shouting BOO - it doesn't mean crap.

You have not provided any proof of what you say, so my statement stands,
as I made it, clear and simple.

--
Leythos - spam9...@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like pcbutts1 that

Leythos

unread,
Oct 15, 2007, 7:02:19 AM10/15/07
to
In article <fyhQi.10179$GO5.7238@edtnps90>, unruh...@physics.ubc.ca
says...

> Leythos <vo...@nowhere.lan> writes:
>
> >In article <Xns99C7E3457...@204.153.245.131>, a...@xyz.com
> >says...
> >> You thought Unruh was a liar and I thought you weren't a dishonest
> >> weaselling fool.
> >>
> >> Well, we were both wrong!
>
> >No, nemo, you are the only one wrong here, clearly.
>
> >I don't "think" anything about Unruh, neither right/wrong, nothing. His
> >post is just that, A Post. It doesn't contradict my statement, it
> >doesn't prove me wrong, it doesn't do anything. You see, the part you
> >missed is that I worded my statement with "I" and limited it to "my
> >experience" and didn't claim the entire world. You keep trying to twist
> >my statement to cover more than the scope it was defined as - that's
> >dishonest on your part.
>
> False. You stated your observation in order that the readers should draw a
> conclusion, that anyone who used torrent was unethical. Otherwise what was
> the purpose of your statement. I contradicted you. I pointed out that there
> are legitimate users of torrents, and that your statement was either
> dishonest or ignorant, and that the implication contained in your statement
> was wrong.

Face it chap, your statement means squat. I clearly said what I had
seen/experienced and your use/machine is not something that I've seen or
experienced, so my observations hold true at this time. Notice that I
didn't say that ALL uses of P2P apps are unethical (which you seem to
have ignored), just the ones that I've seen are being (or have been)
used unethically.

The implications are that I've not seen P2P software used ethically -
that's it.

If you're bent out of shape about my observation then too bad, you've not
changed my observation and can't change it over Usenet - there is NO
POSSIBLE MEANS FOR YOU TO CHANGE IT BY POSTING INFORMATION.

> >Unruh "could" be honest and ethical, or he could be dishonest and
> >telling a lie, but I pass no judgment on him because I've not seen his PC
> >and don't know him.
>
> Yes, you do. You placed the word could in quotations. In that context,
> since you were not quoting, those quotes can only be used to cast doubt on
> that word.

Actually, since you're an anonymous person on the net, I didn't pass
anything on you. I also, which you seem to have ignored, left the
possibility that there are ethical users of P2P apps, but I've not seen
them. So, go back to mommy and have her explain the difference between
what I said and what you think I said.

--
Leythos - spam9...@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like pcbutts1 that

nemo_outis

unread,
Oct 15, 2007, 11:10:01 AM10/15/07
to
Leythos <vo...@nowhere.lan> wrote in
news:MPG.217d12aa...@adfree.Usenet.com:
...snip Leythos' drivel...

Still weaselling, eh Leythos?

It's not very good weaselling but you make up in quantity what you lack in
quality.

Regards,

nemo_outis

unread,
Oct 15, 2007, 11:11:33 AM10/15/07
to
Leythos <vo...@nowhere.lan> wrote in
news:MPG.217d118a1...@adfree.Usenet.com:
...snip Leythos' whining...

Good old Leythos. Deep in a hole of his own making and too stupid to stop
digging.

Regards,


goarilla

unread,
Oct 16, 2007, 12:52:51 PM10/16/07
to
Little correction: bt uses the Tiger tree hash algorithm, not MD5.

Rick Merrill

unread,
Oct 16, 2007, 4:24:48 PM10/16/07
to
Jim Watt wrote:
...I believe with
> bittorrents you don't know where things come from.

That's right, delivery packages could have been modified.

Unruh

unread,
Oct 16, 2007, 7:57:52 PM10/16/07
to
Jim Watt <jim...@aol.no_way> writes:

>On Sat, 13 Oct 2007 00:38:52 GMT, Unruh <unruh...@physics.ubc.ca>
>wrote:

>Who generates the checksum ?

The tracker.


>If you download a file from the Adobe website, you have
>a reasonable degree of certainty that its genuine.

>I once found a client downloading from 'the mad hackers BBS'
>it was not a name that inspired confidence, I believe with


>bittorrents you don't know where things come from.

You do not know where the actual chunks come from. You are supposed to know
what the true MD5 sum of the chunk is from the tracker which is supposed to
be at a trusted site.

Unruh

unread,
Oct 16, 2007, 7:59:33 PM10/16/07
to
Rick Merrill <rick0....@NOSPAM.gmail.com> writes:

As I understand bittorrent, it should not be. Your system is supposed to
check the hash of that package and refuse it if it is wrong (the hash
coming from the tracker). Or have I misunderstood bittorrent?

Sebastian G.

unread,
Oct 16, 2007, 8:09:08 PM10/16/07
to
Unruh wrote:


Being able to detect modified content doesn't mean that you can avoid the
modification, and not even that you can correct it (the unmodified content
might not exist anymore or might have never existed at all -> "fake").

At any rate, you might not know if the content whose checksum you know might
actually be the claimed content. It might be a completely different one, or
a carefully modified original. You really need to get the checksum from the
actual creator or a trusted deliverer of the original content.

Unruh

unread,
Oct 17, 2007, 1:42:41 AM10/17/07
to
"Sebastian G." <se...@seppig.de> writes:

>Unruh wrote:

>> Rick Merrill <rick0....@NOSPAM.gmail.com> writes:
>>
>>> Jim Watt wrote:
>>> ...I believe with
>>>> bittorrents you don't know where things come from.
>>
>>> That's right, delivery packages could have been modified.
>>
>> As I understand bittorrent, it should not be. Your system is supposed to
>> check the hash of that package and refuse it if it is wrong (the hash
>> coming from the tracker). Or have I misunderstood bittorrent?


>Being able to detect modified content doesn't mean that you can avoid the
>modification, and not even that you can correct it (the unmodified content
>might not exist anymore or might have never existed at all -> "fake").

???? If you know the stuff is bad, you can avoid it. If you want to
download bad stuff you can always do so, and NOTHING can protect you. That
is not the issue under discussion. You order a car, they deliver a load of
manure. You can accept it, but you know that you are not accepting a car.

>At any rate, you might not know if the content whose checksum you know might
>actually be the claimed content. It might be a completely different one, or
>a carefully modified original. You really need to get the checksum from the
>actual creator or a trusted deliverer of the original content.

I am sorry, you are claiming that someone could spoof the hash on the
content? Ie, create another fake chunk which has the same hash. Now if it
is md5 they use, that will not work. If it is another insecure hash it may
be possible. Do you know that the hash used by bittorrent is
cryptographically weak?



Sebastian G.

unread,
Oct 17, 2007, 9:01:54 AM10/17/07
to
Unruh wrote:


>> Being able to detect modified content doesn't mean that you can avoid the
>> modification, and not even that you can correct it (the unmodified content
>> might not exist anymore or might have never existed at all -> "fake").
>
> ???? If you know the stuff is bad, you can avoid it.


No. You can only ask other clients for the chunks, but you can only detect
the modification after you actually downloaded them.

>> At any rate, you might not know if the content whose checksum you know might
>> actually be the claimed content. It might be a completely different one, or
>> a carefully modified original. You really need to get the checksum from the
>> actual creator or a trusted deliverer of the original content.
>
> I am sorry, you are claiming that someone could spoof the hash on the
> content?


No, I'm talking about spoofing the content itself. Why would you trust me if
I offered you a CD image of Windows Vista Ultimate with the hash
270eb5c849b240dedc7b2a24f04b56f028fcda6a that this is actually unmodified
and I didn't implant a Trojan horse?

Unruh

unread,
Oct 18, 2007, 3:01:52 PM10/18/07
to
Jim Watt <jim...@aol.no_way> writes:

>On Tue, 16 Oct 2007 23:57:52 GMT, Unruh <unruh...@physics.ubc.ca>
>wrote:

><snippage>

>>You do not know where the actual chunks come from. You are supposed to know
>>what the true MD5 sum of the chunk is from the tracker which is supposed to
>>be at a trusted site.

>That really is my point, and it is a security issue.

What is a "security issue"?

>However, as this sort of network is mostly used to circulate

No it is not. It is mostly used to circulate computer programs, and other
legitimate traffic.

>pirated software and to infringe copyright the checksum may
>protect you against damage in transit, deliberate or accidental.
>BUT does not protect you against someone inserting a trojan
>into some commercial software, bypassing its registration codes
>and posting the end product for the gullible masses sucking
>it up.

???? No, nothing can do that. IF you use an untrusted site for the tracker
data, then you do not know what it is that you download. But there is
NOTHING that can protect against that. The issue was, given a legitimate
tracker, can one of the seeders insert rogue code into the program such
that it can subvert the security of the machine doing the downloading.

There are people who respond to the Nigerian letters you know?


>Sebastian G is spot on. Unless the checksum comes from the
>owner of the content, and you have some means of knowing that
>it does not guarantee authenticity.

Duh!! Really? And do you also need air to stay alive?
That was never the issue. The claim was that, given a legitimate tracker
source, the downloaded material, which comes from many untrusted sites,
can be subverted. I do not believe the claim, although my recent use of
bittorrent has made me a bit worried about whether bittorrent works as I
believe it does.

>Now that does not matter if its elvis_hits.mp3 or pictures of
>the vatican but if its something executable it does.

>IF a software company decides to distribute packages via
>bittorrents and posts the MD5 on their website, then maybe
>otherwise, you have no certainty or trust in whats on your
>machine.

Uh, yes. And if you point a gun at your face and pull the trigger,
bad things could happen. The original claim was that because bittorrent
downloads from many anonymous untrusted sites, the downloaded material was
untrustworthy. It is not. IF the tracker is untrustworthy you have trouble.
But only then.


Unruh

unread,
Oct 18, 2007, 3:05:27 PM10/18/07
to
"Sebastian G." <se...@seppig.de> writes:

>Unruh wrote:


>>> Being able to detect modified content doesn't mean that you can avoid the
>>> modification, and not even that you can correct it (the unmodified content
>>> might not exist anymore or might have never existed at all -> "fake").
>>
>> ???? If you know the stuff is bad, you can avoid it.


>No. You can only ask other clients for the chunks, but you can only detect
>the modification after you actually downloaded them.

Yes. So? downloading the chunk does not do anything. It is just a string of
bits, which can be erased.
The question is, does bittorrent check the chunks it has downloaded to
ensure that the chunk hash equals the hash received from the tracker?

>>> At any rate, you might not know if the content whose checksum you know might
>>> actually be the claimed content. It might be a completely different one, or
>>> a carefully modified original. You really need to get the checksum from the
>>> actual creator or a trusted deliverer of the original content.
>>
>> I am sorry, you are claiming that someone could spoof the hash on the
>> content?


>No, I'm talking about spoofing the content itself. Why would you trust me if
>I offered you a CD image of Windows Vista Ultimate with the hash
>270eb5c849b240dedc7b2a24f04b56f028fcda6a that this is actually unmodified
>and I didn't implant a Trojan horse?

Because I can check the hash against that CD image and see if it agrees. If
that hash IS the true hash of Windows Vista Ultimate then I have confidence
that it is unmodified. Of course I have to get that hash from a trusted
source. I do NOT need to get the image of Windows Vista from a trusted
source. I can check the trust with the hash.


Sebastian G.

unread,
Oct 18, 2007, 4:23:45 PM10/18/07
to
Unruh wrote:


> The question is, does bittorrent check the chunks it has downloaded to
> ensure that the chunk hash equals the hash received from the tracker?


Not just that, but using a hash tree it can even locate such defective
chunks very efficiently.

>> No, I'm talking about spoofing the content itself. Why would you trust me if
>> I offered you a CD image of Windows Vista Ultimate with the hash
>> 270eb5c849b240dedc7b2a24f04b56f028fcda6a that this is actually unmodified
>> and I didn't implant a Trojan horse?
>
> Because I can check the hash against that CD image and see if it agrees. If
> that hash IS the true hash of Windows Vista Ultimate then I have confidence
> that it is unmodified. Of course I have to get that hash from a trusted
> source. I do NOT need to get the image of Windows Vista from a trusted
> source. I can check the trust with the hash.


And in almost any case if the torrent downloaded was not provided by the
legitimate vendor, no such way of verification exists. That is, it makes the
discussion pretty void.

Unruh

unread,
Oct 18, 2007, 9:22:00 PM10/18/07
to
"Sebastian G." <se...@seppig.de> writes:

>Unruh wrote:


>> The question is, does bittorrent check the chunks it has downloaded to
>> ensure that the chunk hash equals the hash received from the tracker?


>Not just that, but using a hash tree it can even locate such defective
>chunks very efficiently.

One reason I ask is that I downloaded Mandriva 2008, using the tracker on
Mandriva, and both ktorrent and bittorrent stated that the download was
completed, with no problems reported. Both downloads, when I restarted
ktorrent, were found to have large numbers of chunks invalid. Ie, it did
NOT seem that either of these implementations had actually tested the
chunks for validity. I assume this was a bug in the implementations. But
that leads to the question as to whether a properly coded torrent actually
does check each chunk for validity? I assume this was coding bugs, but it
could have been a nasty seeder, who was polluting the streams.

>>> No, I'm talking about spoofing the content itself. Why would you trust me if
>>> I offered you a CD image of Windows Vista Ultimate with the hash
>>> 270eb5c849b240dedc7b2a24f04b56f028fcda6a that this is actually unmodified
>>> and I didn't implant a Trojan horse?
>>
>> Because I can check the hash against that CD image and see if it agrees. If
>> that hash IS the true hash of Windows Vista Ultimate then I have confidence
>> that it is unmodified. Of course I have to get that hash from a trusted
>> source. I do NOT need to get the image of Windows Vista from a trusted
>> source. I can check the trust with the hash.


>And in almost any case if the torrent downloaded was not provided by the
>legitimate vendor, no such way of verification exists. That is, it makes the
>discussion pretty void.

No, the argument seemed to be that because you downloaded chunks from all over the
world, trusted and untrusted places ( in fact usually you have no idea
whatsoever where the chunks came from), torrent is inherently unsafe, even
if the tracker was on a trusted site. If the tracker is on an untrusted
site, then it is clear you cannot trust the download, even if all of the
chunks were obtained from trusted sites. However, IF the tracker is
trusted, can I therefor trust the downloaded torrent?



Maniaque

unread,
Nov 7, 2007, 5:21:08 AM11/7/07
to
On Oct 11, 1:57 pm, Maniaque <maniaqu...@gmail.com> wrote:

> My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
> wrong above) has an Active FTP "NAT Helper" which allows any program
> with TCP-connection-creation privileges on any of my computers to
> open an incoming port to this machine from a target site on the
> internet. Java Applets, by default, have this functionality enabled.
> You can test for this "feature" or "flaw" at the following site: http://bedatec.dyndns.org/ftpnat/dotest_en.html
>

Quick update, for any of you who use a WRT54G linksys router (with
firewall enabled) and are concerned about the "FTP NAT Helper" issue
described above, the latest version of the Tomato firmware (1.11) now
allows you to disable the NAT helper.

Maniaque

unread,
Nov 12, 2007, 8:01:35 AM11/12/07
to
On Oct 16, 6:57 pm, Unruh <unruh-s...@physics.ubc.ca> wrote:

> >>Ie, your observation is ass backwards.
> >Who generates the checksum ?
>
> The tracker.
>
> >If you download a file from the Adobe website, you have
> >a reasonable degree of certainty that its genuine.
> >I once found a client downloading from 'the mad hackers BBS'
> >it was not a name that inspired confidence, I believe with
> >bittorrents you don't know where things come from.
>
> You do not know where the actual chunks come from. You are supposed to know
> what the true MD5 sum of the chunk is from the tracker which is supposed to
> be at a trusted site.
>

Just a point of interest regarding this, as I recently started
wondering exactly how bittorrent works - the "Trust" point is actually
NOT the tracker, it is the ".torrent" file. You may download this from
the tracker (eg, assuming you're feeling brave, the pirate bay), or
you may download it from an index (equally brave, mininova), or you
could download it from anywhere else. In all cases the checksums /
hashes are contained within the torrent file, along with the locations
of the trackers.

If you do not trust the source of the torrent file, you cannot trust
the downloaded contents. If you trust the source of the torrent file,
and you are certain you really obtained it from that source, then any
data downloaded by a correct bittorrent implementation (that does not
skip the hash checks) should inherit the same trust, regardless of
where the data actually came from, and regardless of the trackers - it
has all been checked against the hashes contained in the original
torrent file.
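The piece check the posts above argue over, as an added example that is not code from this thread or from any BitTorrent client: a constructed single-file .torrent is built and parsed with a minimal bencode codec, and each received piece is accepted or rejected against the 20-byte SHA-1 digests carried in its "pieces" field (BitTorrent v1 stores one SHA-1 per piece there, which is why the trust root is the .torrent file and not the tracker or the peers). The tracker URL, file name and payload are made-up sample values.

```python
import hashlib

PIECE_HASH_LEN = 20  # BitTorrent v1: one 20-byte SHA-1 digest per piece in info["pieces"]


def bencode(obj) -> bytes:
    """Encode ints, byte strings, lists and dicts in bencode form."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):  # keys are byte strings, emitted in sorted order
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode(data: bytes):
    """Decode one complete bencoded value; raises ValueError on malformed input."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                                   # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                                   # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                                   # dict: d<key><value>...e
            items, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                val, i = parse(i)
                items[key] = val
            return items, i + 1
        if c.isdigit():                                 # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            start, length = colon + 1, int(data[i:colon])
            return data[start:start + length], start + length
        raise ValueError("malformed bencode at offset %d" % i)
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def make_sample_torrent(content: bytes, piece_length: int) -> bytes:
    """Constructed stand-in for a publisher's .torrent: hashes every piece of 'content'."""
    digests = b"".join(hashlib.sha1(content[i:i + piece_length]).digest()
                       for i in range(0, len(content), piece_length))
    info = {b"name": b"sample.iso", b"length": len(content),
            b"piece length": piece_length, b"pieces": digests}
    return bencode({b"announce": b"http://tracker.example/announce", b"info": info})


def piece_hashes(torrent: dict) -> list:
    """Split the info['pieces'] blob into per-piece SHA-1 digests."""
    blob = torrent[b"info"][b"pieces"]
    if len(blob) % PIECE_HASH_LEN:
        raise ValueError("pieces field is not a whole number of SHA-1 digests")
    return [blob[i:i + PIECE_HASH_LEN] for i in range(0, len(blob), PIECE_HASH_LEN)]


def verify_pieces(torrent: dict, received: list) -> tuple:
    """Accept or reject each received piece the way a correct client must.

    'received' holds the pieces by index as they arrived from whichever peers
    served them. Returns (accepted, rejected) index lists; a client discards
    rejected pieces and re-requests them, so a bad peer cannot alter the file.
    """
    info = torrent[b"info"]
    expected = piece_hashes(torrent)
    piece_len, total = info[b"piece length"], info[b"length"]
    accepted, rejected = [], []
    for idx, piece in enumerate(received):
        want_len = min(piece_len, total - idx * piece_len)   # last piece may be short
        ok = (idx < len(expected) and len(piece) == want_len
              and hashlib.sha1(piece).digest() == expected[idx])
        (accepted if ok else rejected).append(idx)
    return accepted, rejected


def demo() -> tuple:
    """A 1280-byte file in 512-byte pieces, where one peer served a tampered piece."""
    content = bytes(range(256)) * 5                      # constructed sample payload
    torrent = bdecode(make_sample_torrent(content, 512))
    pieces = [content[i:i + 512] for i in range(0, len(content), 512)]  # 512, 512, 256 bytes
    pieces[1] = b"\xff" + pieces[1][1:]                  # first byte of piece 1 altered by a bad peer
    return verify_pieces(torrent, pieces)                # → ([0, 2], [1])


if __name__ == "__main__":
    print(demo())
```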
