Tuesday, April 12, 2005
Getting PGP Desktop 8.1 for Win/Mac
The latest version is 9 beta, but its license expires on 7 May.
Get PGP Desktop 8.1 for Windows now.
Monday, April 11, 2005
Mozilla Firefox or Microsoft IE?
Firefox's one real advantage is that it is safer than IE: because IE is far more popular than Firefox, it is the more attractive target for attackers.
Firefox seems to download files faster than IE (it uses more bandwidth by opening more sessions) and supports resuming downloads. But Firefox opens web pages more slowly than IE, especially if you open many pages at the same time or to the same destination (website). Perhaps it depends on the number of TCP sessions Firefox opens, or something similar.
Finally, some websites do not display correctly in Firefox but open fine in IE or Netscape. It seems the way page style and structure are rendered is different in Firefox.
Any comment?
Security Alert: Microsoft issues DNS poisoning advisory
DNS cache poisoning is the practice of breaking into a domain name server and replacing the numeric addresses of legitimate Web sites with the addresses of malicious sites. The scheme typically redirects Internet users to bogus Web pages, where they may be asked for sensitive information or have spyware installed on their PCs; the attack has also become known as pharming.
On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry value that protects against poisoning is not necessary: the setting is treated as TRUE if the value does not exist. Microsoft has now corrected the KB article we referred to earlier.
On Windows 2000, manage the cache-protection setting through the DNS Management Console. On Windows 2000 below SP3, "Secure cache against pollution" is not the default, so enable it using the DNS Management Console. On Windows 2000 SP3 and above (and Windows 2003), the secure setting is the default (even if the registry value does not exist).
Our recommendation is to set the registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters) only on Windows NT4. Otherwise, use the DNS Management Console. If you are on Windows 2000 and have already created the value, it is safe to leave it in place as long as it is "1". Note that "Secure cache against pollution" only makes the server discard records in a response that are unrelated to the name it asked for (the classic injection path); it does nothing against a server that has been broken into directly.
More info: How to prevent DNS cache pollution.
Enabling "automatic logon" on Windows NT/2000/XP
The following registry hack details the registry values that control automatic logon:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: AutoAdminLogon
Type: REG_SZ
Value: 1 enable auto logon
Value: 0 disable auto logon
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DefaultUserName
Type: REG_SZ
Value: account to logon automatically
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DefaultPassword
Type: REG_SZ
Value: pw for DefaultUserName above
Caution: the password is stored in clear text and can be read by anyone who can read the Winlogon subkey. Set security permissions on the Winlogon subkey to protect the account used, and give that account no more rights than the kiosk role needs. (The Sysinternals Autologon utility mentioned below avoids the cleartext value by storing the password as an LSA secret instead.)
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DefaultDomainName
Type: REG_SZ
Value: if domain account, domain name; if local account, server name
Windows 2000 / XP have an additional registry setting that forces autologon and ignores bypass attempts. This can be valuable in a kiosk environment:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: ForceAutoLogon
Type: REG_SZ
Value: 1
The following registry values must not exist: LegalNoticeCaption, LegalNoticeText. These values force a person logging in to a PC to acknowledge having read the notice. If these values exist, the legal notice dialog hangs until someone hits Enter. Don't just null out the values; delete them.
The value DontDisplayLastUserName determines whether the logon dialog box displays the username of the last user who logged on to the PC. The value does not exist by default. If it exists, you must set it to 0, or the value of DefaultUserName will be wiped and autologon will fail.
Finally, the value RunLogonScriptSync determines whether a logon script runs synchronously or asynchronously. It should not affect this process, but there have been reports that setting the value to 1 (synchronous) is more stable.
Whether you use the Autologon utility or the registry approach, there are times when you must log on as another user or need the logon dialog to appear. Hold down the Shift key during boot until the logon dialog appears. For the control freaks, even the Shift override can be blocked (also see ForceAutoLogon above):
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: IgnoreShiftOverride
Type: REG_SZ
Value: 1
If you want to enable autologon for a certain number of times only, follow the instructions above and add the following Windows NT / W2K / XP registry value:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: AutoLogonCount
Type: REG_SZ
Value: number of autologons you want to allow
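As an added example (not from the original post), a small Python audit that reads a `reg export` of the Winlogon key and reports the conditions described above: autologon enabled, a cleartext DefaultPassword present, leftover LegalNotice values, DontDisplayLastUserName set, and the interactive override disabled. The sample export is constructed for the example (user name, domain and password are invented); the value names are the ones listed in the post.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of `reg export "HKLM\...\Winlogon" winlogon.reg` output (not from the post).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="kiosk"
"DefaultDomainName"="KIOSK01"
"DefaultPassword"="hunter2"
"ForceAutoLogon"="1"
"LegalNoticeCaption"=""
"DontDisplayLastUserName"=dword:00000001
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode(data: str):
    """Decode a .reg value: "string" (with \\ and \" escapes) or dword:hex; other types stay raw."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} for a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = _decode(m.group(2))
    return keys


def audit_autologon(keys: dict, winlogon: str = WINLOGON) -> list:
    """Findings an auditor cares about; empty list when autologon is off."""
    v = keys.get(winlogon, {})
    findings = []
    if str(v.get("AutoAdminLogon", "0")) != "1":
        return findings
    account = f"{v.get('DefaultDomainName', '')}\\{v.get('DefaultUserName', '')}"
    findings.append(f"AutoAdminLogon enabled for {account}")
    if "DefaultPassword" in v:
        findings.append("DefaultPassword holds the password in cleartext; readable by anyone who can read the Winlogon key")
    for name in ("LegalNoticeCaption", "LegalNoticeText"):
        if name in v:   # existence alone hangs autologon, even when the value is empty
            findings.append(f"{name} exists: the logon notice dialog will block autologon")
    if str(v.get("DontDisplayLastUserName", "0")) != "0":
        findings.append("DontDisplayLastUserName is not 0: DefaultUserName gets cleared and autologon fails")
    if str(v.get("ForceAutoLogon", "0")) == "1" or str(v.get("IgnoreShiftOverride", "0")) == "1":
        findings.append("ForceAutoLogon/IgnoreShiftOverride set: no interactive logon as another user")
    if "AutoLogonCount" in v:
        findings.append(f"AutoLogonCount limits autologon to {v['AutoLogonCount']} more logons")
    return findings


if __name__ == "__main__":
    for finding in audit_autologon(parse_reg(SAMPLE_REG)):
        print("-", finding)
```

Run it against a real export (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`) by reading the file into `parse_reg`; an empty result means autologon is off on that machine.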
Wednesday, February 16, 2005
IPv6 Part - B-3 : Address types (host part)
The host part (interface identifier) can be formed in different ways:
- Automatically computed (also known as stateless)
With auto-configuration, the host part of the address is computed by converting the MAC address of the interface (if available) into a unique 64-bit identifier with the EUI-64 method. If the device has no MAC address (e.g. a virtual interface), something else (such as the IPv4 address or the MAC address of a physical interface) is used instead.
Consider again the first example
3ffe:ffff:100:f101:210:a4ff:fee3:9566
here,
210:a4ff:fee3:9566
is the host part, computed from the NIC's MAC address
00:10:A4:E3:95:66
using the IEEE EUI-64 scheme for EUI-48 identifiers: the 48-bit MAC is split in the middle, ff:fe is inserted, and the universal/local bit (0x02 in the first byte) is inverted, so 00:10:A4 becomes 02:10:A4 and the identifier is 0210:a4ff:fee3:9566.
- Privacy problem with automatically computed addresses and a solution
Because the "automatically computed" host part is globally unique (except when a NIC vendor reuses the same MAC address on more than one NIC), a client can be tracked across networks by its host part alone unless it goes through a proxy of some kind: the 64-bit suffix, and with it the MAC address, stays the same whatever prefix the client moves to.
This is a known problem, and a solution was defined: the privacy extension, RFC 3041 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6 (a newer draft is already available: draft-ietf-ipngwg-temp-addresses-*.txt). A new suffix is generated from time to time from a random value and a static value. Note: this is only reasonable for outgoing client connections and isn't really useful for well-known servers.
- Manually set
For servers it's easier to remember simpler addresses, and this can also be accommodated: it is possible to assign an additional IPv6 address to an interface, e.g.
3ffe:ffff:100:f101::1
For manual suffixes like "::1" in the example above, the 7th most significant bit of the identifier (the universal/local bit of an automatically generated identifier) must be 0. Some other bit combinations that would otherwise be free are reserved for anycast addresses, too.
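As an added example (not from the original post), the EUI-64 construction above carried out in Python: the MAC 00:10:A4:E3:95:66 from the post becomes the interface identifier 210:a4ff:fee3:9566, the reverse mapping shows why a tracker can recover the NIC's MAC address from any EUI-64-derived address, and an RFC 3041-style random identifier is generated with the u/l bit cleared. The prefix 3ffe:ffff:100:f101::/64 is the post's own; the function names are mine, and deriving the temporary identifier straight from the OS RNG (rather than RFC 3041's MD5 history chain) is a simplification.

```python
import os
import ipaddress

IID_MASK = (1 << 64) - 1   # low 64 bits of an IPv6 address
UL_BIT = 0x02              # universal/local bit: 7th most significant bit of the identifier


def eui64_iid_from_mac(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in the middle, insert ff:fe, then invert the u/l bit.
    eui = bytes([octets[0] ^ UL_BIT]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def iid_of(addr: str) -> int:
    """Interface identifier (host part) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def mac_from_iid(iid: int):
    """Recover the MAC from an EUI-64-derived identifier; None if it was not built that way.

    This is what makes a stateless-autoconfigured host trackable: the same MAC,
    and therefore the same 64-bit suffix, follows it onto every network.
    """
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe" or not (b[0] & UL_BIT):
        return None
    mac = bytes([b[0] ^ UL_BIT]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def random_privacy_iid(rng=os.urandom) -> int:
    """Temporary identifier in the spirit of RFC 3041: random bits, u/l bit cleared.

    Assumption: the OS RNG stands in for RFC 3041's MD5-based history value; the
    property that matters is kept, the identifier is tied to no hardware address.
    """
    b = bytearray(rng(8))
    b[0] &= 0xFF ^ UL_BIT   # u/l = 0 marks the identifier as locally assigned
    return int.from_bytes(b, "big")


def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Join a /64 network prefix and a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))


if __name__ == "__main__":
    prefix = "3ffe:ffff:100:f101::/64"
    iid = eui64_iid_from_mac("00:10:A4:E3:95:66")
    addr = make_address(prefix, iid)
    print(addr)                                            # 3ffe:ffff:100:f101:210:a4ff:fee3:9566
    print(mac_from_iid(iid_of(str(addr))))                 # 00:10:a4:e3:95:66, recoverable by anyone who sees the address
    print(mac_from_iid(iid_of("3ffe:ffff:100:f101::1")))   # None: manual suffix, no MAC inside
    print(make_address(prefix, random_privacy_iid()))      # differs on every run
```

The `mac_from_iid` check (ff:fe in the middle, u/l bit set) is the same test a passive observer applies to harvest MAC addresses, and thus NIC vendors and hosts, from logged IPv6 peers; clearing the u/l bit in `random_privacy_iid` is what makes the temporary address fail that test.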
Thursday, January 27, 2005
IPv6 Part - B-2 : Network part, also known as prefix
Now let's take a look at the different types of prefixes (and therefore address types):
- Link local address type
These are special addresses that are valid only on the link an interface is attached to. A packet with such a destination address never passes through a router. They are used for link communications such as:
- anyone else here on this link?
- anyone here with a special address (e.g. looking for a router)?
They begin with (where "x" is any hex character, normally "0"):
fe8x: <- currently the only one in use.
fe9x:
feax:
febx:
An address with this prefix is found on each IPv6-enabled interface after stateless auto-configuration (which is normally always the case).
- Site local address type
These are addresses similar to RFC 1918 / Address Allocation for Private Internets in IPv4 today, with the added advantage that everyone who uses this address type gets 16 bits for a maximum of 65536 subnets. Comparable with 10.0.0.0/8 in IPv4 today. (Caveat: site-local addresses were deprecated by RFC 3879 in September 2004 because a site's scope is ambiguous; new deployments should not rely on them.)
Another advantage: because it's possible to assign more than one address to an interface with IPv6, you can also assign such a site-local address in addition to a global one.
It begins with (where "x" is any hex character, normally "0"):
fecx: <- most commonly used.
fedx:
feex:
fefx:
- Global address type "(Aggregatable) global unicast"
Today, there is one global address type defined (the first design, called "provider based", was dropped some years ago; see RFC 1884 / IP Version 6 Addressing Architecture [obsolete]; you will still find some remains in older Linux kernel sources).
It begins with (x are hex characters):
2xxx:
3xxx:
Note: the prefix "aggregatable" has been dropped in current drafts. There are some further subtypes defined…
- Multicast addresses
Multicast addresses are used to address a group of nodes at once (e.g. all routers on a link).
They always start with (where x holds flag bits, normally 0, and y is the scope value):
ffxy:
They are split into scopes and types:
1. Multicast scopes:
Multicast scope is a parameter to specify the maximum distance a multicast packet can travel from the sending entity.
Currently, the following regions (scopes) are defined:
- ffx1: node-local, packets never leave the node.
- ffx2: link-local, packets are never forwarded by routers, so they never leave the specified link.
- ffx5: site-local, packets never leave the site.
- ffx8: organization-local, packets never leave the organization (not so easy to implement, must be covered by routing protocol).
- ffxe: global scope.
- others are reserved.
2. Multicast types:
There are many types already defined/reserved (see RFC 2373 / IP Version 6 Addressing Architecture for details). Some examples are:
- All Nodes Address: ID = 1h, addresses all hosts on the local node (ff01:0:0:0:0:0:0:1) or the connected link (ff02:0:0:0:0:0:0:1).
- All Routers Address: ID = 2h, addresses all routers on the local node (ff01:0:0:0:0:0:0:2), on the connected link (ff02:0:0:0:0:0:0:2), or on the local site (ff05:0:0:0:0:0:0:2).
3. Solicited node link-local multicast address:
A special multicast address used as destination address in Neighbor Discovery, because, unlike IPv4, IPv6 has no ARP.
An example of this address looks like ff02::1:ff00:1234
The prefix shows that this is a link-local multicast address. The suffix is generated from the destination address. In this example, a packet should be sent to "fe80::1234", but the network stack doesn't know the current layer-2 MAC address. It replaces the upper 104 bits with ff02:0:0:0:0:1:ff00::/104 and leaves the lower 24 bits untouched. This address is then used on-link to find the corresponding node, which has to send a reply containing its layer-2 MAC address. As with ARP, nothing authenticates that reply, so any node on the link can answer for an address it does not own.
- Anycast addresses
Anycast addresses are special addresses and are used to cover things like nearest DNS server, nearest DHCP server, or similar dynamic groups. Addresses are taken out of the unicast address space (aggregatable global or site-local at the moment). The anycast mechanism (client view) will be handled by dynamic routing protocols.
Note: Anycast addresses cannot be used as source addresses, they are only used as destination addresses:
- Subnet-router anycast address:
A simple example of an anycast address is the subnet-router anycast address. Assume that a node has the following globally assigned IPv6 address:
3ffe:ffff:100:f101:210:a4ff:fee3:9566/64 <- node's address
The subnet-router anycast address is created by blanking the suffix (the least significant 64 bits) completely:
3ffe:ffff:100:f101::/64 <- subnet-router anycast address.
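As an added example (not part of the original post), a Python helper that classifies an address by the prefixes listed above (including the multicast scope nibble), builds the solicited-node multicast address the way the fe80::1234 example describes, derives the subnet-router anycast address by blanking the low 64 bits, and answers the filtering question that follows from the link-local discussion: may a packet to this destination ever be forwarded by a router? The addresses are the post's own; the function names are mine.

```python
import ipaddress

MULTICAST_SCOPES = {
    0x1: "node-local", 0x2: "link-local", 0x5: "site-local",
    0x8: "organization-local", 0xE: "global",
}
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))   # ff02:0:0:0:0:1:ff00::/104


def classify(addr: str) -> str:
    """Name the address type from its leading bits, following the prefix table above."""
    v = int(ipaddress.IPv6Address(addr))
    if v == 0:
        return "unspecified"
    if v == 1:
        return "loopback"
    top16 = v >> 112
    if top16 >> 8 == 0xFF:                         # ffxy: multicast, y = scope nibble
        scope = MULTICAST_SCOPES.get(top16 & 0xF, "reserved")
        return f"multicast ({scope} scope)"
    if (top16 & 0xFFC0) == 0xFE80:                 # fe80::/10, i.e. fe8x .. febx
        return "link-local unicast"
    if (top16 & 0xFFC0) == 0xFEC0:                 # fec0::/10, i.e. fecx .. fefx
        return "site-local unicast"
    if top16 >> 13 == 0b001:                       # 2000::/3, i.e. 2xxx and 3xxx
        return "global unicast"
    return "other/reserved"


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast address: ff02::1:ff00:0/104 plus the target's low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def subnet_router_anycast(iface: str) -> ipaddress.IPv6Address:
    """Blank the interface identifier of 'addr/64' to get the subnet-router anycast address."""
    return ipaddress.IPv6Interface(iface).network.network_address


def forwardable(addr: str) -> bool:
    """False for destinations a router must never forward off the link."""
    kind = classify(addr)
    return kind not in ("unspecified", "loopback", "link-local unicast",
                        "multicast (node-local scope)", "multicast (link-local scope)")


if __name__ == "__main__":
    for a in ("fe80::1234", "fec0::1", "3ffe:ffff:100:f101::1", "ff02::1", "ff05::2"):
        print(f"{a:28} {classify(a):32} forwardable={forwardable(a)}")
    print(solicited_node("fe80::1234"))                                         # ff02::1:ff00:1234
    print(subnet_router_anycast("3ffe:ffff:100:f101:210:a4ff:fee3:9566/64"))   # 3ffe:ffff:100:f101::
```

`forwardable` is the check to apply to any rule that lets traffic across a router: a packet with a link-local or node-local destination that shows up on a transit interface is either a misconfiguration or an attempt to reach something it should not.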
Monday, January 24, 2005
IPv6 Part - B-1 : Address Space Forms
Q: Why is the name IPv6 and not IPv5 as the successor to IPv4?
A: In any IP header, the first 4 bits are reserved for the protocol version, so theoretically a protocol number between 0 and 15 is possible:
- 4: is already used for IPv4
- 5: is reserved for the Internet Stream Protocol (ST2, RFC 1819 / Internet Stream Protocol Version 2), which never really made it to the public
The next free number was 6. Hence IPv6 was born!
Q: Why are IPv6 addresses 128 bits long?
A: During the design of IPv4, people thought that 32 bits were enough for the world. Looking back, 32 bits were enough until now and will perhaps be enough for another few years. However, 32 bits are not enough to provide each network device with a global address in the future. Think about mobile phones, cars (including the electronic devices on their CAN bus), toasters, refrigerators, light switches, and so on. So the designers chose 128 bits: four times the length and 2^96 times the size of the IPv4 address space. The usable space is smaller than it may appear, however, because in the currently defined address scheme 64 bits are used for interface identifiers and the other 64 bits for routing. Assuming the current strict levels of aggregation (/48, /32, ...), it is still possible to "run out" of space, but hopefully not in the near future.
- Addresses without a special prefix
1. Localhost address:
This is a special address for the loopback interface, similar to IPv4's 127.0.0.1. With IPv6, the localhost address is:
0000:0000:0000:0000:0000:0000:0000:0001 or compressed ::1
2. Unspecified address:
This is a special address like "any" or 0.0.0.0 in IPv4. For IPv6 it's:
0000:0000:0000:0000:0000:0000:0000:0000 or ::
These addresses are mostly used/seen in socket binding (to any IPv6 address) or in routing tables.
Note: the unspecified address cannot be used as a destination address.
3. IPv6 addresses with an embedded IPv4 address:
- IPv4-mapped IPv6 address:
IPv4-mapped IPv6 addresses are sometimes used/shown for sockets created by an IPv6-enabled daemon that is bound only to an IPv4 address.
These addresses are defined with a special prefix of length 96 (a.b.c.d is the IPv4 address):
0:0:0:0:0:ffff:a.b.c.d/96 or ::ffff:a.b.c.d/96
For example, the IPv4 address 1.2.3.4 looks like this: ::ffff:1.2.3.4
- IPv4-compatible IPv6 address:
Used for automatic tunneling (RFC 2893 / Transition Mechanisms for IPv6 Hosts and Routers), which is being replaced by 6to4 tunneling:
0:0:0:0:0:0:a.b.c.d/96 or ::a.b.c.d/96
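The mapped and compatible forms matter in practice because the same peer can appear to an application as 1.2.3.4 on an IPv4 socket and as ::ffff:1.2.3.4 on an IPv6 socket bound to ::, so an allowlist written with IPv4 literals silently misses the second form. As an added example (not from the original post) in Python: extract the embedded IPv4 address from either form, normalize before matching against an allowlist that mixes both families, and read the version nibble from a raw packet as the Q&A above describes. The 3ffe:ffff:100:f101::/64 prefix is from the posts; the 10.0.0.0/8 entry, the function names and the header bytes are constructed for the example.

```python
import ipaddress

MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")   # IPv4-mapped:      ::ffff:a.b.c.d
COMPAT = ipaddress.IPv6Network("::/96")           # IPv4-compatible:  ::a.b.c.d (RFC 2893 tunnels)


def embedded_ipv4(addr: str):
    """Return (IPv4Address, 'mapped'|'compatible') if an IPv4 address is embedded, else (None, None).

    :: and ::1 fall inside ::/96 but are the unspecified and loopback addresses, not tunnels.
    """
    a = ipaddress.IPv6Address(addr)
    if a in MAPPED:
        return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF), "mapped"
    if a in COMPAT and int(a) > 1:
        return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF), "compatible"
    return None, None


def embed_ipv4(v4: str, mapped: bool = True) -> ipaddress.IPv6Address:
    """Build the IPv6 form of an IPv4 address (mapped by default, compatible otherwise)."""
    base = int(MAPPED.network_address) if mapped else int(COMPAT.network_address)
    return ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(v4)))


def canonical(addr: str):
    """Peer address as the application should compare it: plain IPv4 when one is embedded."""
    peer = ipaddress.ip_address(addr)
    if peer.version == 4:
        return peer
    v4, _ = embedded_ipv4(str(peer))
    return v4 if v4 is not None else peer


# Constructed allowlist mixing both families (not from the post).
ALLOW = [ipaddress.ip_network("10.0.0.0/8"),
         ipaddress.ip_network("3ffe:ffff:100:f101::/64")]


def is_allowed(addr: str, allow=ALLOW) -> bool:
    """Match after normalization; comparing the raw ::ffff: form against IPv4 rules never matches."""
    peer = canonical(addr)
    return any(peer in net for net in allow if net.version == peer.version)


def ip_version(packet: bytes) -> int:
    """The first nibble of any IP header is the version: 4 for IPv4, 6 for IPv6."""
    return packet[0] >> 4


if __name__ == "__main__":
    for a in ("::ffff:10.1.2.3", "10.1.2.3", "::10.1.2.3", "::ffff:1.2.3.4", "3ffe:ffff:100:f101::1"):
        print(f"{a:24} canonical={str(canonical(a)):24} allowed={is_allowed(a)}")
    print(ip_version(b"\x45\x00\x00\x14"), ip_version(b"\x60\x00\x00\x00"))   # constructed header bytes: 4 6
```

Do the same normalization when writing log-based blocklists: a ban on 1.2.3.4 that is matched as a string will not catch the peer when it is recorded as ::ffff:1.2.3.4 by a dual-stack daemon.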