There was no country on earth that was less a threat to the United States than Iraq. We had blasted the daylights out of that country during the Gulf War [1991]. There was never anything like this: 110,000 aerial sorties in 42 days, 88,500 tons of bombs destroying the infrastructure and taking lives… Electricity was out within 24 hours all over the country, the sanctions were brutal. There were imposed on Hiroshima Day of 1990, August the 6th and those sanctions finally took a million and a half lives, without any question.

The war in Irag [2003-?] is a human catastrophe of unbelievable proportion – there’s been 600,000 killed and that means 5, 6, 7 times that injured by violence. 2.2 million, according the UN High Commissioner for Refugees, are exiled out of the country and 90% of those are living in refugee camps and misery.

Ramsey Clark (Attorney General of the United States from 1967-1969) talking on Sean Stone’s short film “Dangerous Dynasty” 2008.

The problem was that when the ssh daemon was confronted with an incorrect password, it was checking against the password database multiple times, which was overwhelming the password services. A better explanation from [1] is “every time the attacking machine tried another key/password, it would spawn a new sshd process, which had to communicate with the password services (com.apple.SecurityServer) in order to validate the password. Eventually what ended up happening is that there were so many requests to the password services that they basically ended up just hanging, and anything that required a password: ssh, ftp, etc, just stopped working.”

Firstly I changed the default /etc/sshd_config file, un-commenting this line and changing yes to no:
ChallengeResponseAuthentication no
This edit does not stop attackers from trying but it does protect the password services from the attack.

Next I installed the most excellent sshdfilter [2] – a perl daemon that actively monitors ssh logins and detects signs of intrusion attempts and then blocks the attacking IP addresses. Blocked addresses are saved in between reboots and the he startup script is here:
/Library/LaunchDaemons/net.jonbell.sshdfilter.plist
(this runs /etc/sshdfilterLoad.sh which runs /etc/firewallrules)

To receive email notifications for each block, edit the /etc/sshdfilterrc file (the mail= and mail policy sections – there are comments in the policy).
“The default setting is to block most failed logins after 5 attempts, some common invalid logins after 0 attempts, incorrect root logins after 2 attempts, and logins to non-existent accounts after 3 attempts. Counters are reset upon a valid login. These thresholds can be modified in the sshdfilterrc file if desired. It is not currently setup to expire the blocks (even if you set it here in the configuration file, they will remain in the persisting file).”

[1] http://www.slicksurface.com/blog/2008-06/ssh-attack-and-password-problems-on-os-x

[2] Mac OS X sshdfilter Installer:

http://projects.seas.columbia.edu/sshdfilter/sshdfilter_mac.zip

sshdfilter Project Home:

http://www.csc.liv.ac.uk/~greg/sshdfilter/

“So as I worked on my resolutions for 2010 I struggled for several days to get some achievable goals. I long to look back next New Year’s Eve and be proud that I did what I promised I would do 12 months earlier – Lord knows it’s never happened before.
And then suddenly it was all very clear. In truth we have little control of our lives and while we can certainly make some minor changes at a surface level, in reality life will take us where it will. Isn’t 12 months of life reward enough in itself? Wht can’t we just be happy with what we’ve got? Why not just enjoy the here and now while it is, well, here and now?
My resolution for this year is to be me. Warts’n'all, take me as you find me, like it or lump it. And if I make it to December 31 and I’m still smiling, then I will be pretty damned pleased with myself.
Happy New Year!”

The Customer login section and the public site contain absolutely no information about the cost of their credit.
None at all. They suck in so many ways. Did I mention the interest rate is 29%. Usury.

Vulnerability Database National Vulnerability Database (NVD) National(CVE-2009-3555)
“The TLS protocol, and the SSL protocol 3.0 as used in… mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l… does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions..”

TLS renegotiation attack. More bad news for SSL | Cupfighter.net
While the attack only works for the first request sent over a TLS session (subsequent renegotiation requests are sent in the encryption context and can thus not be inserted) M[an in the middle] could force the session to reset after x seconds of inactivity by sending a reset packet to both Client and Server, thus forcing a new TCP and TLS session to be re-established and thus gaining a new window of opportunity.
In response to this attack OpenSSL (Nov 8th) released OpenSSL 0.9.8l which does fix the vulnerability, but disables renegotiation completely. This change to OpenSSL may break certain applications so it should be carefully tested before it is implemented. [Server-side HTTPS will generally not be broken.]
This attack will first appear in highly targeted scenarios. Since the attack is a man in the middle attack the attacker will have to have control over all the traffic between client and server and vice versa in order to fully exploit the attack. With this attack TLS does not fully protect the integrity of the communication between client and server.

The root of the problem is servers that perform (allow) TLS renegotiations and make flawed assumptions about what a successful TLS renegotiation means for the data previously received.

PhoneFactors Status of Patches

Understanding the TLS Renegotiation Attack – Educated Guesswork
‘CVE-2009-3555 – apache/mod_ssl vulnerability and mitigation’ – MARC
Links » Another Protocol Bites The Dust
Extended Subset » Blog Archive » Authentication Gap in TLS Renegotiation
The Secure Goose: TLS renegotiation vulnerability (CVE-2009-3555)
Confidence 2009.02 – Cupfighter renegotiation vulnerability slides
TLS Test here:

Renegotiation Test | netsekure rn

In a poll, he says [Al Gore], 80 percent of CEOs and CFOs said they would not spend money to make their factories more efficient and save money in the long run if it hurt their next-quarter bottom line. “That,” says Gore, “is functionally insane.”

I couldn’t agree more. Such short-term thinking from such highly paid people.
That sound you can hear is my mind boggling.

You get full CS3 versions of InDesign, Photoshop Extended, Illustrator, Flash Professional, Dreamweaver and Acrobat 8 Professional. All future updates are included as long as you are still subscribed. Coretech is taking preorders if you’re interested.

Be warned that the 12 month subscription can not be cancelled and automatically renews unless you turn off the “auto-renew-subscription” option.
At this stage this is the only product that you can get via subscription. I’m sure there’ll be more.