Wikipedia:Reference desk/Archives/Computing/2015 October 15

From Wikipedia, the free encyclopedia


October 15

Why block ssh?

I'm visiting an institution that is preventing me from making outbound ssh connections using their network. The IT rationale here seems arbitrary and capricious, but I don't know if there might be a shred of a good reason in this case. Can anyone give me a brief overview of why it might be considered a security risk to allow me to use the institutional network to connect via ssh to any other computer? My limited understanding was that out ssh was widely considered fairly secure and had few risks. Thanks, SemanticMantis (talk) 14:24, 15 October 2015 (UTC)

The rationale is one of using a whitelist - blocking everything and only permitting certain pre-approved network protocols. The problem with this approach is that it blocks many non-malicious programs, as well. This is to say nothing of the efficacy of the technique: in principle, malicious software can use any TCP port.
If the administrator intentionally wants you to use "only" web browsers and email, they'll probably open up standard ports for HTTP, HTTPS, TLS IMAP and SMTP, and so on; and block everything else. Port 22 is probably not singled out; it's just collateral damage.
Does this improve security? Well, it prevents some malicious software activity, at the expense of annoying a small number of users... that's a tradeoff that the network administrator has decided to make.
If you want to be really savvy, set up your home base to proxy SSL over HTTP (or just host an SSL server on port 80). That will get you through a lot of the annoying firewalls, at the expense of "standards-compliance." This will only work around the problem if the firewall's block is based on TCP port; a modern firewall can be much more sophisticated. Here are instructions from haxx.se (the same group who provide us with cURL and other great free software): SSH Through or Over Proxy.
Nimur (talk) 15:39, 15 October 2015 (UTC)
Thanks @Nimur: I'm familiar with the whitelist paradigm, but I get the sense that SSH is specifically blocked. I don't really want to out my institutional affiliations here, but an old (2004) internal audit I found online includes "..an internal webserver used by the laboratory... had five security holes, including FTP, SSH, HTTP..." Now I know at least vaguely why unsecured FTP and HTTP can be "security holes", but I was surprised to see SSH on that list. Thanks for the workaround suggestions, I think they would work for me in principle, but not until I can physically get back to the other machine and set up the appropriate stuff :-/ SemanticMantis (talk) 17:41, 15 October 2015 (UTC)
I've hit this problem twice myself and I'm both a computer science professor and an old curmudgeon. So, I pester the hell out of the kids who run the IT department with little more than a Microsoft and Cisco certification until they can give me a real answer. The answer both times was that they are a Microsoft shop. They use Windows. Windows doesn't come with SSH. So, if I am trying to use SSH, I am using a program that I added to the computer, which is not allowed. So, I'm in violation of their computer use policy. They shouldn't allow a protocol that isn't allowed to be used. The reality is that SSH is very secure. Yes - old versions of SSH aren't secure now because computers have advanced. But, current versions of SSH are secure. I am hesitant to note another issue because it implies that the people you are working with are dishonest. They may be doing traffic monitoring - nasty deep packet stuff. Many organizations are doing it now. If you encrypt your traffic, they can't spy on you. So, they ban attempts to encrypt traffic. That also means that they decrypt SSL traffic by using a man-in-the-middle against everyone on the network. I do work for an organization like that and I told them that I refuse to use any computer that they will be inspecting in that way (I also blocked their fake registrar to keep my computer from blindly accepting their fake certificates). Being a major asshole, my refusal to work went high above IT and administration decided that they needed my work more than they needed IT to spy on me. I really kind of wish I would have been allowed to pocket my 1/3 up front pay and walk away without doing the work though. 199.15.144.250 (talk) 19:03, 15 October 2015 (UTC)
Doesn't this old curmudgeon remember that it was Bill Gates who invented the computer!, discovered the internet!!, created the bestest software in the whole universe!!!, made computers safe from male-ware and viruses!!!! You may have bought your computer and own it but only Microsoft is competent enough to control how you use it, and ... Oh, going to have to break off here, as my psychiatric nurse is telling me it's time for my next dose of medication. My apologies for writing this with a green crayon but they won't let me have anything sharp on this ward.--Aspro (talk) 22:31, 15 October 2015 (UTC)
Privacy is great and all, but not when you are trying to run a company, say the finance sector. When you are looking after billions of dollars that belongs to your customers, you really don't want anyone to be able to do anything without at least "some" oversight. I work for such a company and we do all the above, man in the middle, SSL inspection, email filtering, DLP, etc... We also investigate about a dozen cases of misconduct, up to and including fraud and embezzlement every month. (If you've ever worked for a company with almost 6 figures of employees, this won't be shocking). If there is any secret back door or place to hide in the network, no matter how "well intentioned" it might be, if it can be used to commit illegal activity, you must assume it will be used to commit illegal activity, otherwise you're just a sucker waiting to get fleeced. You can argue that your privacy is more important to you, but in reality you have no reason to do anything "private" on company computers anyway, it's NOT "your" computer, it's NOT "your" network connection. You want to do something private, bring a tablet to work. Vespine (talk) 03:15, 16 October 2015 (UTC)
It isn't always about personal privacy. I work with medical data. There is a legal privacy involved. IT guys are not authorized to see patient data. So, the act of decrypting patient data that is encrypted specifically to keep people from seeing it is a security risk, not a security benefit. It is a complicated issue. It is not black and white. 199.15.144.250 (talk) 15:30, 16 October 2015 (UTC)
I was not suggesting it was just about personal privacy; even client banking data is highly confidential, of course you don't want every "IT guy" seeing it. I'm an IT guy and I'm not authorized to view any of it, but that does not mean there are not other checks and procedures in place to ensure it is appropriate and that it can't be used for nefarious purposes, or that there isn't a legal/security/audit/compliance team that IS authorized to view it. What you are talking about is a completely different issue. Vespine (talk) 00:09, 20 October 2015 (UTC)

There are tons of botnet machines on the Internet that constantly try to brute force SSH logins. If you have a public IP address, just monitor incoming traffic and you'll see fairly regular new connection attempts on port 22. They're just doing dictionary attacks with common username/password combinations, to try to get into poorly secured machines, take them over, and add them to the botnet. For network administrators this means it often seems like a good idea to just cut off SSH traffic entirely, to avoid the headache of trying to ensure every machine on your network has strong passwords for user accounts. This often happens for other protocols, like IRC, which have a reputation for being used for malicious activity. Only computer nerds like us care about any of those protocols anyway; the vast majority of users only want Facebook and e-mail. None of this has anything to do with SSH itself being insecure, which seems to be what you've assumed. --71.119.131.184 (talk) 05:28, 16 October 2015 (UTC)
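To make the "monitor incoming traffic" point above concrete, here is an added Python example (not from the thread) that counts failed password attempts per source address in sshd auth-log lines and flags the dictionary-attack pattern; the log lines, addresses and thresholds are constructed for the example, following the format OpenSSH writes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH's auth-log format (not from a real host).
SAMPLE_AUTH_LOG = """\
Oct 15 14:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Oct 15 14:01:04 host sshd[1201]: Failed password for root from 203.0.113.7 port 41023 ssh2
Oct 15 14:01:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Oct 15 14:01:09 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 41041 ssh2
Oct 15 14:01:11 host sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 41044 ssh2
Oct 15 14:02:30 host sshd[1220]: Failed password for alice from 198.51.100.5 port 50214 ssh2
Oct 15 14:02:41 host sshd[1220]: Accepted publickey for alice from 198.51.100.5 port 50214 ssh2
Oct 15 14:03:00 host sshd[1230]: Invalid user pi from 203.0.113.7 port 41050
"""

# One failed password attempt; "invalid user" marks names that do not exist locally.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def summarize_failures(log_text):
    """Map each source IP to (failure count, sorted list of usernames tried)."""
    failures = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return {ip: (n, sorted(users[ip])) for ip, n in failures.items()}


def flag_brute_force(log_text, max_failures=5, max_users=3):
    """Source IPs that look like a dictionary attack: many failures, or many
    different usernames (one user mistyping a password hits neither limit)."""
    summary = summarize_failures(log_text)
    return sorted(ip for ip, (n, names) in summary.items()
                  if n >= max_failures or len(names) >= max_users)


if __name__ == "__main__":
    for ip, (n, names) in summarize_failures(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {n} failures, users tried: {', '.join(names)}")
    print("flagged:", flag_brute_force(SAMPLE_AUTH_LOG))
```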

So does running the SSH daemon on an obscure port help to ameliorate this threat? Or do the brute force attacks generally first scan all ports for openings? I ask because I have a couple Linux machines running on random port numbers. Justin15w (talk) 18:25, 16 October 2015 (UTC)
That gets into portscanning. If you run SSH on port 12345 and when I connect it says "Hello There! I'm a happy SSH service!" then I know it is SSH. The number of available ports is limited, so it won't take long to scan all of them. Most SSH (and other service) configuration files have options to remove any sort of service identification. Then, the client has to try to login on every port that connects. To slow them down more, you can add honeypot ports that say "Hello There! I'm a very old unpatched SSH server!" and let them pound on it for a while. (note: SSH doesn't actually respond with Hello There - but all services respond predictably from given input). 199.15.144.250 (talk) 18:50, 16 October 2015 (UTC)
It depends. Some only probe common ports; some attempt a full port scan. Using a nonstandard port can cut down on malicious login attempts, but it isn't any kind of ironclad security, and it adds the annoyance that any legitimate user needs to know the port number and pass it to their SSH client. An alternative option is to use something like DenyHosts to lock addresses out after a certain number of failed logins. Or, disallow password login and require public key login instead, which makes brute-forcing impossible. But of course, the tradeoff with all of these methods is added inconvenience to legitimate users. --71.119.131.184 (talk) 01:48, 18 October 2015 (UTC)
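An added Python example, not from the thread, that audits an sshd_config fragment for the key-only login posture just described: the keywords and defaults are real OpenSSH directives, the two config texts are constructed, and the "too many tries" threshold is an assumption of this example. Like sshd itself, the parser lets the first occurrence of a keyword win.

```python
import re

# Constructed sshd_config fragments (not from any real host).
WEAK_SSHD_CONFIG = """\
# password logins on the default port, root allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
"""

# OpenSSH defaults used when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}; as in sshd, the first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2 and parts[0].lower() not in settings:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def audit_sshd_config(text, max_tries=3):
    """List the findings that leave a password-guessing surface open; empty is good."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: dictionary attacks can succeed")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication disabled: keys cannot replace passwords")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is an always-present account to guess")
    if int(cfg["maxauthtries"]) > max_tries:
        findings.append(f"MaxAuthTries {cfg['maxauthtries']}: many guesses per connection")
    return findings
```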
Well, another argument to be made is that SSH can be specifically a threat to corporate security as it can be used as a tunnel to bypass firewall and protective web proxy/IDS rules that are justifiably in place. For example a reverse tunnel out to a server could give backdoor access inside the network their firewall is protecting or allow unfiltered internet through SOCKS proxies to malware distributing sites. It's a very versatile tool, but that can be a double edged sword. 86.1.60.21 (talk) 13:31, 21 October 2015 (UTC)

Which partition editor recognizes the exFAT filesystem?

gparted and easeus fail. Mahfuzur rahman shourov (talk) 14:46, 15 October 2015 (UTC)

Windows 7's built-in Disk Management should also help you. - Champion (talk) (contribs) (Formerly TheChampionMan1234) 10:38, 21 October 2015 (UTC)

software that will input strings and output one string at random

OP wants to make a program where the input is, for example: Nimur, YX-1000A, SemanticMantis, and so on; then hit a button that makes one name show in a dialog box. OP wants code in VB6 format. Requesting because it is a hobby and OP forgot the syntax and semantics. Mahfuzur rahman shourov (talk) 15:59, 15 October 2015 (UTC)

This is Wikipedia's reference desk: our core objective is to help make a better free encyclopedia by directing contributors to reliable sources. If you wish to commission custom software, this is not the place to do it. If you need help finding information about Visual Basic, our article is a good place to start. Nimur (talk) 16:07, 15 October 2015 (UTC)

OP saw people share code on IRC; OP thinks the refdesk helps share code. Mahfuzur rahman shourov (talk) 16:12, 15 October 2015 (UTC)

motd (Unix) --Hans Haase (有问题吗) 16:50, 15 October 2015 (UTC)[reply]

what is the highest available build (software+setting+tweak) for compressing black and white images

OP is browsing a doujin collection and saw the sizes. Mahfuzur rahman shourov (talk) 17:33, 15 October 2015 (UTC)

I'm not sure I understand the question, but JBIG2 is probably the best black-and-white image compression method in wide use. Both PDF and DjVu use it. -- BenRG (talk) 07:59, 17 October 2015 (UTC)

SQL problem: row not found either with IN or with NOT IN

I ran to a problem today at work. I have an SQL query in the following style:

select id from my_object where id not in (select id from my_object where /* some conditions go here */) and /* other conditions go here */;

The query was supposed to return at least one row, but it didn't return anything. Then I replaced the not in operator before the subquery with in, but it still didn't return anything. Only when I removed the subquery altogether did it return the row I wanted. How is it possible it didn't return anything either with in or with not in? I ran the subquery by itself, and it returned over 23 thousand rows, but the row I wanted was not there, just like it was supposed to, because the main query is intended to return only rows the subquery doesn't return.

But why is the subquery not working with either operator? What could possibly be the reason? JIP | Talk 18:40, 15 October 2015 (UTC)

If you are using Oracle, it could be the happy way in which NULLs are treated. You can get something that is neither "in" nor "not in". For example: select 1 from dual where 1 in (null); -- returns nothing. Try the opposite: select 1 from dual where 1 not in (null); -- returns nothing. So, if your subquery only returns records with null ID, you will be neither in nor not in at the same time. 199.15.144.250 (talk) 18:53, 15 October 2015 (UTC)
No, I know for a fact that the subquery is only returning rows with non-null ID. JIP | Talk 20:20, 15 October 2015 (UTC)
On second thought, it might be worth investigating. The data model is such that the subquery is not supposed to ever return nulls. But some glitch in the software might have resulted in null values having been stored anyway. I will try to add an extra condition id is not null to the subquery when I get back to work tomorrow morning. JIP | Talk 20:26, 15 October 2015 (UTC)
And this turned out to work. Thanks for your help, 199.15.144.250. JIP | Talk 08:01, 16 October 2015 (UTC)
Great! When in Oracle, always blame the nulls until you can prove it is something else. 199.15.144.250 (talk) 11:36, 16 October 2015 (UTC)
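An added worked example (not from the thread) that reproduces the NULL behaviour with SQLite through Python's sqlite3 module, which applies the same three-valued logic as Oracle for IN and NOT IN; the table, column names and rows are constructed. It also goes one step beyond the fix JIP applied by showing the NOT EXISTS form, which is unaffected by NULL ids in the subquery.

```python
import sqlite3


def build_demo_db():
    """In-memory table constructed for this example; one row carries a NULL id,
    the kind of glitch the thread ended up suspecting."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE my_object (id INTEGER, flagged INTEGER);
        INSERT INTO my_object VALUES (1, 1), (2, 1), (NULL, 1), (3, 0);
    """)
    return conn


def in_vs_not_in_with_null(conn):
    """Three-valued logic: against a list containing only NULL, both IN and
    NOT IN evaluate to NULL, so neither WHERE clause keeps the row."""
    in_rows = conn.execute("SELECT 1 WHERE 1 IN (NULL)").fetchall()
    not_in_rows = conn.execute("SELECT 1 WHERE 1 NOT IN (NULL)").fetchall()
    return len(in_rows), len(not_in_rows)


def ids_not_in_subquery(conn, exclude_nulls):
    """The thread's query shape. With a NULL in the subquery result, 'id NOT IN'
    is NULL for every candidate row and nothing comes back; adding
    'id IS NOT NULL' to the subquery restores the expected row."""
    sub = "SELECT id FROM my_object WHERE flagged = 1"
    if exclude_nulls:
        sub += " AND id IS NOT NULL"
    sql = f"SELECT id FROM my_object WHERE id NOT IN ({sub}) AND flagged = 0"
    return [row[0] for row in conn.execute(sql).fetchall()]


def ids_not_exists(conn):
    """Same intent written with NOT EXISTS: a NULL inner id never equals the
    outer id, so stray NULLs cannot poison the whole result."""
    sql = """
        SELECT o.id FROM my_object o
        WHERE o.flagged = 0
          AND NOT EXISTS (SELECT 1 FROM my_object i
                          WHERE i.id = o.id AND i.flagged = 1)
    """
    return [row[0] for row in conn.execute(sql).fetchall()]
```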