Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

VPN Flaw Shows Users' IP Addresses

Soulskill posted more than 4 years ago | from the illusion-of-privacy dept.

Networking 124

AHuxley writes "A VPN flaw announced at the Telecomix Cyphernetics Assembly in Sweden allows individual users to be identified. 'The flaw is caused by a combination of IPv6, which is a new Internet protocol due to replace the current IPv4, and PPTP (point-to-point tunneling protocol)-based VPN services, which are the most widely used. ... The flaw means that the IP address of a user hiding behind a VPN can still be found, thanks to the connection broadcasting information that can be used to identify it. It's also relatively easy to find a MAC address (which identifies a particular device) and a computer's name on the network that it's on.' The Swedish anti-piracy bureau could already be gathering data using the exploit."

cancel ×

124 comments

Sorry! There are no comments related to the filter you selected.

FIRST BACON (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32643278)

I rub bacon over my parts as a form of lubricant and then fry the bacon for leaner result

MOD PARENT UP! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32643334)

...Or pick up the red phone, dial the Pentagon, and tell them that General Friedbrain needs to be put back on his meds.
 
Bacon? Really??

Tor (0)

Anonymous Coward | more than 4 years ago | (#32643290)

All the more reason to donate to Tor!

Re:Tor (4, Insightful)

Rijnzael (1294596) | more than 4 years ago | (#32643348)

I seriously doubt any reasonable level of donations will ever allow the Tor network to add the kind of capacity required to torrent. I think it has many more important needs than that anyway.

Re:Tor (4, Insightful)

TheRealMindChild (743925) | more than 4 years ago | (#32643402)

Not only that, but Tor isn't nearly as secure as most people think it is

Re:Tor (2, Interesting)

Rijnzael (1294596) | more than 4 years ago | (#32643434)

Good point, anyone can host a Tor node, and I'm sure we can bet the bad guys are hosting just as many or more than the good guys. Web of trust for Tor, anyone?

Re:Tor (2, Insightful)

bsDaemon (87307) | more than 4 years ago | (#32643468)

In order to have a web of trust, don't you need to be able to establish the identity of the other people in your web to a reasonable degree of certainty? Wouldn't verifiable identities undermine the concept of anonymity that is the whole purpose of Tor?

Re:Tor (2, Informative)

Rijnzael (1294596) | more than 4 years ago | (#32643488)

The Tor nodes themselves are actually quite identified, as you can see by the hostnames/IP's of the nodes themselves. The clients are the ones who are anonymous, as is intended.

Re:Tor (1)

negRo_slim (636783) | more than 4 years ago | (#32643682)

And information that resides on the Tor network itself never needs an exit node at all.

Re:Tor (1)

mrsteveman1 (1010381) | more than 4 years ago | (#32643498)

That only matters for exit traffic, onion site traffic can't be easily sniffed by nodes

Re:Tor (0)

Anonymous Coward | more than 4 years ago | (#32643724)

So what? As long as I secure my browser properly not to leak information and/or use ssl where appropriate it doesn't matter whether a bad or a good guy runs the exit node.

Re:Tor (2, Interesting)

Rijnzael (1294596) | more than 4 years ago | (#32643852)

I think persistently sending a file over SSL over Tor to wikileaks might be somewhat suspicious to a malicious man in the middle listening for as much. Hiding who one is talking to is still as important as hiding what is said.

Re:Tor (2, Informative)

Tacvek (948259) | more than 4 years ago | (#32644110)

Somebody who listens to your tor traffic at your end has absolutely no way of telling who you are communicating with. so who you are talking to is just as hidden as what you say. All packets in the tor network are encrypted in such a way that the contents are only ever known by the exit node. There is little point in using SSL if sending a file to wikieaks via tor, since only wikileaks and the exit node would see the plaintext even over plain old http, and neither would be able to determine who or where the sender was. If wikileaks is going to publish what you sent anyway, so the exit node could see it upon publication, there is little reason to hide anything, unless there is identifying information in your submission that wikileaks has agreed not to republish. In that case using SSL over tor to talk to wikileaks makes good sense.

You would use SSL over Tor only if there was some reason why the it would be undesirable for the exit node to hear what you are saying, and you also want to hide your identity or perhaps only your location from the server you are talking to.

Re:Tor (2, Informative)

Hatta (162192) | more than 4 years ago | (#32644130)

The exit node might know that there's an SSL connection going through his computer that terminates at wikileaks. If everything is configured properly he should be unable to determine where that SSL connection originated.

Re:Tor (0)

Anonymous Coward | more than 4 years ago | (#32644042)

Take a bunch of donations and send them to a few unscrupulous people who promise a few million "involuntary" installations for a relatively small sum. If the bots can host emails they can host exit nodes just as well.

Re:Tor (1)

Runaway1956 (1322357) | more than 4 years ago | (#32643906)

http://www.i2p2.de/ [i2p2.de]

Considerably more secure than TOR, but not any faster.

And, the donations most needed by any such community, is the donation of BANDWIDTH. Exit nodes, or the lack of exit nodes, are the most limiting factors with any of the darkweb softwares.

Re:Tor (1)

hairyfeet (841228) | more than 4 years ago | (#32644758)

While what you say is true about bandwidth, unless you are a "bad guy" using your exit node to try to capture useful data, you would have to be bug fucking crazy to run Tor or i2p2 or any of those on your PC as a node. Why? Because guess whose door gets kicked, guess who gets drug off to jail, guess who has their PC confiscated, when some perv looks at CP over your connection...hmmm?

As we have seen with the CP witchhunt innocence don't mean shit as long as they grab somebody to parade in front of the press. Sure you may get proven innocent months later, after having to deal with threats of 30+ year prison sentences and everyone looking at you like a monster, but will anyone care? After all retractions get buried on the back page while arrests get front page headlines.

So as much as I support the idea behind these networks, as someone with a family I wouldn't touch one of them with a 50 foot pole. And unless you have 50k+ in the bank to fight back you shouldn't be running a node either. The risks are simply too high in this witchhunt atmosphere to risk it. And as anyone even tested the whole "plausible deniability" thing that these networks use? They pretty much ALL cache to speed up the network, yes? Now correct me if I'm wrong, but most laws I've seen you have to possess or distribute CP, not that you yourself actually have to have access to it. If you are an exit node they can easily prove YOUR IP address went to a CP site, and as far as I have heard that is all the "proof" they need to fuck your life up royally. Yeah, no thanks.

Re:Tor (0)

Anonymous Coward | more than 4 years ago | (#32645376)

I2P shares some of your bandwidth with the network, so you route data for others.
What it does NOT do (unless you choose to do so, which I don't advise, for the reasons you posted above), is let your run as an outproxy.
It also doesn't cache any of the data (that is encrypted, have a look at onion routing) you send.

Re:Tor (0)

Anonymous Coward | more than 4 years ago | (#32645506)

Your last argument doesn't quite hold up. If you, nor anyone else outside the network can access any cached data, because it's encrypted, there is no way to prove what kind of data it is.

However, you make a valid point stating that running an exit node is not the smartest thing to do in these times. Don't forget that there are other ways to help the network. Merely running a node donating your bandwidth helps the network tremendously. It doesn't have to be an exit node. Inner nodes are just as useful and there is no way to even guess what kind of data flows over a given node because inside, everything is encrypted, and you are not making requests over the normal web on behalf of strangers. To outsiders, it looks like garbage in, garbage out. Everything stays within the network.

Bittorrent already works nicely within I2P. The only downside is the somewhat limited offerings and low speeds. These should improve as the user base grows.

Don't forget that there are also a lot of very legitimate reasons for these networks. Whistle-blowers could use them for safe distribution of information, leading up to publication at normal websites like wikileaks. The day general purpose anonymous networks are banned would be a very sad day indeed.

garbage in, garbage out... (3, Informative)

Michael Kristopeit (1751814) | more than 4 years ago | (#32643296)

it's also relatively easy to spoof an IP address or MAC address.

Re:garbage in, garbage out... (0)

Anonymous Coward | more than 4 years ago | (#32643328)

IPv6 a new protocol?

Since when? Just because no one uses the darn thing (yet) does not make it new, just "newer" than IPv4

Re:garbage in, garbage out... (1)

madddddddddd (1710534) | more than 4 years ago | (#32645396)

IPv6 a new protocol?

Since when? Just because no one uses the darn thing (yet) does not make it new, just "newer" than IPv4

so obviously the "new" thing will always be the "most newer" thing, but you're saying that the "most newer" thing isn't necessarily "new", and in this case, not "new" at all.

Re:garbage in, garbage out... (5, Insightful)

dotgain (630123) | more than 4 years ago | (#32643336)

And it's just as sensible as spoofing your home address when ordering pizza that you ultimately want to eat.

Re:garbage in, garbage out... (1)

Michael Kristopeit (1751814) | more than 4 years ago | (#32643492)

so you spoof 1,000 packets with incorrect IP addressed for every 1 packet with the correct IP... you still get your data, albeit 1/1001 as fast, but now your "attacker" has 1,000 times more work to do to locate you.

Re:garbage in, garbage out... (0)

Anonymous Coward | more than 4 years ago | (#32643754)

either do 1000 times more work, or spend 10 seconds finding the only IP that's actually getting ACKed, and then filter out everything else.

Re:garbage in, garbage out... (1)

Michael Kristopeit (1751814) | more than 4 years ago | (#32643854)

so now you can filter out ACKs behind a VPN you aren't connected to? if you could already do that, then how is this story relevant?

Re:garbage in, garbage out... (1)

clone53421 (1310749) | more than 4 years ago | (#32644984)

All he’d have to do is filter the IP addresses to only identify one(s) that requested/received all of the data. Which is probably just one IP. Which is yours.

Re:garbage in, garbage out... (1)

madddddddddd (1710534) | more than 4 years ago | (#32645150)

how will you process all of the received packets on the VPN without being connected to it already? the exploit was on sent packets.... specifically BROADCAST packets. you think the response is coming broadcast? do you know what VPN is?

Re:garbage in, garbage out... (1)

Sir_Lewk (967686) | more than 4 years ago | (#32643874)

That applies for spoofing your IP address, but not for spoofing your MAC address.

Re:garbage in, garbage out... (1)

dotgain (630123) | more than 4 years ago | (#32644282)

Fair enough. As my laptop and WiFi capable phone go from place to place, my (unspoofed) MAC address gets pissed all over the place. Much like the licence plate on my car does. This doesn't really bother me.

Re:garbage in, garbage out... (2, Informative)

Rijnzael (1294596) | more than 4 years ago | (#32643394)

MAC address sure, since your device's MAC address isn't used after your packets reach the ISP's border. However, I invite you to try to establish a full duplex connection using a spoofed IP. Sure, you can send packets using a spoofed IP provided your ISP allows you to send packets for IP's which they don't announce, but you're not getting the response to that packet back. This is actually the basis for DDoS reflection attacks [plynt.com] .

Re:garbage in, garbage out... (0)

Anonymous Coward | more than 4 years ago | (#32643438)

You're just not as badass a hacker as Michael Kristopeit. YOU ARE NOTHING!!!

Re:garbage in, garbage out... (0)

Anonymous Coward | more than 4 years ago | (#32643946)

Thank you AC. You just made my day.

Re:garbage in, garbage out... (2, Interesting)

Michael Kristopeit (1751814) | more than 4 years ago | (#32643600)

see my comment [slashdot.org] above...

you flood the network with "ghosts"... 1,000+ spoofed IP packets for every 1 real one. sort of like under siege dark territory with the ghost satellites.

it isn't perfect, but provides enough ambiguity to make a counter attack almost pointless for a considerable time.

Re:garbage in, garbage out... (2, Interesting)

Rijnzael (1294596) | more than 4 years ago | (#32643650)

Definitely an interesting thought, though with a MITM attacker (presumably the person one is using Tor/VPN/whathaveyou to hide from) it would be pretty obvious that one isn't actually establishing true communication, as the TCP sequence numbers et al wouldn't make any sense, and the remote machine wouldn't be sending back any data packets. With UDP it might be less obvious, though it would be clear one is only sending and not receiving.

Re:garbage in, garbage out... (1)

Michael Kristopeit (1751814) | more than 4 years ago | (#32643794)

i thought the exploit was only on the sent packets and the sender address... they can get the receiver address off the received packets behind a VPN as well?

Re:garbage in, garbage out... (1)

Rijnzael (1294596) | more than 4 years ago | (#32644040)

Ah, I was talking in general. I don't think most VPN daemons would accept and transmit as expected an IP packet addressed from an incorrectly sourced IP, probably due to no entry in the ARP table and (from pure gut feeling) other reasons I might be unfamiliar with.

Re:garbage in, garbage out... (1)

Michael Kristopeit (1751814) | more than 4 years ago | (#32644082)

well... if you are going through the trouble of altering your network infrastructure to spew garbage, i'm pretty sure that includes modifying your VPN daemons to play along.

Re:garbage in, garbage out... (0)

Anonymous Coward | more than 4 years ago | (#32643988)

YOU ARE NOTHING

Re:garbage in, garbage out... (1)

Anachragnome (1008495) | more than 4 years ago | (#32645586)

"'see my comment [slashdot.org] above...

you flood the network with "ghosts"... 1,000+ spoofed IP packets for every 1 real one. sort of like under siege dark territory with the ghost satellites.

it isn't perfect, but provides enough ambiguity to make a counter attack almost pointless for a considerable time."

And Comcast nukes your connection.

Seriously, ISPs are already miffed about the bandwidth usage of P2P systems. Intentionally throwing garbage down them intertubes will not only plug them up, but give the likes of Comcast another excuse for traffic-shaping that they could use as leverage when speaking before congress critters, and we don't want that, do we?

Re:garbage in, garbage out... (0)

Anonymous Coward | more than 4 years ago | (#32645766)

well, if we didn't WANT a PRIVATE network, then we shouldn't have VPN, should we?

Re:garbage in, garbage out... (1)

vlm (69642) | more than 4 years ago | (#32643716)

However, I invite you to try to establish a full duplex connection using a spoofed IP.

I think you're new to ipv6 and are thinking in ipv4 terms.

At one site I have a tunnel from sixxs (because its dynamic) and another site I have a tunnel from tunnelbroker.net aka everyones favorite ISP he.net (which only works on static IPs, more or less)

At both sites I have a /48 of which I have a /64 assigned to my ethernet LAN. Based on various blah blah blah you can figure out my MAC address based on my ipv6 address.

You can also assign multiple arbitrary ipv6 addresses to an interface. One of my boxes has no less than 5 addresses. Its cheap and simple to load balance or whatever by moving the address to another machine later, if/as necessary.

So, yeah, no problemo, on my /64 ethernet at home I can spoof most any address I want inside that /64 and it'll work, aside from the 30 or so in 2**64 odds (actually somewhat worse...) of colliding with another machine.

Re:garbage in, garbage out... (4, Informative)

quantumplacet (1195335) | more than 4 years ago | (#32643802)

assigning a second IP address, that you also control, to an interface is not 'spoofing' in any sense of the word. If you assign an IP address that I control, then you're spoofing, at which point you have the same problem in IP6 that you have in IP4.

Re:garbage in, garbage out... (2, Informative)

vlm (69642) | more than 4 years ago | (#32644008)

Kind of two separate arguments.

Lets look at the original posters claim

MAC address sure, since your device's MAC address isn't used after your packets reach the ISP's border. However, I invite you to try to establish a full duplex connection using a spoofed IP.

Now his point is that your MAC is irrelevant beyond your layer 2 link. OK, correct on ipv4.

However, what if you use ipv6 and RFC 2462 "Stateless Address Autoconfiguration" which basically picks your ipv6 address based on your MAC address. Wedging a 48 bit mac address into, say, a /28 of ipv4 space isn't going to work too well, but wedging a 48 bit mac address into a /64 LAN of ipv6 works pretty well.

http://www.ietf.org/rfc/rfc2462.txt [ietf.org]

Now the argument is that no matter which ISP you connect to, or which starbucks you connect to, etc, you can always correlate that large collection of 128 bit ipv6 addresses in a log by trashing the upper 64 bits and figuring out which 48 bit mac addresses map into the /64 ipv6 addresses.

Even worse, the top 24 bits of the mac define the device manufacturer, so no matter where you go in the world, people know you've got an apple, or whatever.

So, "your device's MAC address isn't used after your packets reach the ISP's border" isn't really true if your layer 3 address depends directly on your layer 2 address.

On the other hand, if instead of using your autoconfigured address, you fake or "spoof" some other random /64 on the LAN, then you can't be tracked. Now if you do this at work, your local net nanny is going to get all teed off that some "unknown" mac address is online, because look at that ipv6 address that doesnt match any known inventoried hardware MAC address.

You can insist that using a "fake" MAC is not spoofing, or whatever, but then you're getting into pointless naming games.

Re:garbage in, garbage out... (1)

drinkypoo (153816) | more than 4 years ago | (#32645676)

Even worse, the top 24 bits of the mac define the device manufacturer, so no matter where you go in the world, people know you've got an apple, or whatever.

If you can't change your MAC then your OS and/or driver blow. Even almost every NIC I've plugged into a Windows box has had driver support for MAC changes.

Now if you do this at work, your local net nanny is going to get all teed off that some "unknown" mac address is online, because look at that ipv6 address that doesnt match any known inventoried hardware MAC address.

Personally I think that employers that let you connect your devices to their networks are crazy anyway. I could see providing WiFi that is segregated from the corporate network for employee convenience, but then you don't have to worry too much about what is connected, only what it is doing.

Re:garbage in, garbage out... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32645320)

"Spoofing" an IP address will tend to cause the packets to be delivered to the wrong place.

On a very different note, it is worth remembering that MAC addresses are embedded in the IPv6 address. If these guys are presenting the idea that you can get a MAC address from an IP address (in IPv6) as a new security flaw, they obviously haven't been reading the RFCs. Why the #*%! do these morons think people are so reluctant to switch to IPv6? Because it makes it very hard to obscure a machine on the Internet, and since there's no built-in security on the Internet ...

Re:garbage in, garbage out... (0)

Anonymous Coward | more than 4 years ago | (#32645500)

the counter to this specific exploit has been explained in many posts above... the attacker get's the sender's ip from a broadcast packet sent by the sender. so the sender sends out an arbitrarily large number of these packets, much like a baseball coach sends out a large number of signals to disguise the true signal. the VPN daemon understands the signaling language and can keep it's clients public location data private.

Any Network Admin worth his weight... (2, Informative)

bagboy (630125) | more than 4 years ago | (#32643318)

has not been using pptp for vpn for quite some time. IPSEC (AES) anyone? Just sayin.

Re:Any Network Admin worth his weight... (4, Informative)

drinkypoo (153816) | more than 4 years ago | (#32643426)

Any Network Admin worth his weight has not been using pptp for vpn for quite some time. IPSEC (AES) anyone? Just sayin.

IPSEC doesn't have to use AES, it supports other ciphers. Further, PPTP does not specify encryption, but Windows clients use MPPE, which is RSA RC4.

Re:Any Network Admin worth his weight... (0)

Anonymous Coward | more than 4 years ago | (#32643626)

Probably not good to use "weight" comparisons for admins (at least the ones I've worked with).

Re:Any Network Admin worth his weight... (1)

Just Some Guy (3352) | more than 4 years ago | (#32645578)

On FreeBSD, sudo portinstall net/mpd5 and editing a config file to configure your IP addresses installs a working PPTP server that an Apple i* can use. Although you may not approve, my boss likes having an easy-to-configure VPN when he's on the road. I like being able to securely surf and IM from open WiFi. IPSEC might be the "better" way, but there's a lot to be said for having something working 5 minutes into trying it for the first time.

Re:Any Network Admin worth his weight... (1)

drinkypoo (153816) | more than 4 years ago | (#32645758)

FWIW the tools in Win2k and later for IPSEC profile management are pretty fine. I have never actually tried with a windows client with a dynamic IP though :)

Wait, IPv6+PPTP+IPSEC only? (5, Informative)

drinkypoo (153816) | more than 4 years ago | (#32643322)

You don't need PPTP if you're using IPSEC and IPv6. Even Microsoft clients don't need it any more.

Re:Wait, IPv6+PPTP+IPSEC only? (-1, Troll)

TrisexualPuppy (976893) | more than 4 years ago | (#32643374)

Go back to Mexico, troll.

IPv6 (4, Funny)

Perl-Pusher (555592) | more than 4 years ago | (#32643354)

IPv6, which is a new internet protocol due to replace the current IPv4

My grand kids will probably be saying that to their grand kids.

Re:IPv6 (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32643408)

Actually by then, it'll be IPv6.1 with a single extra bit added to the end of each IP Address, thereby DOUBLING the IP address space.

Re:IPv6 (1)

drinkypoo (153816) | more than 4 years ago | (#32643584)

Actually by then, it'll be IPv6.1 with a single extra bit added to the end of each IP Address, thereby DOUBLING the IP address space.

Finally! I was wondering when I would have a use for my 129-bit processor design.

Re:IPv6 (0)

Anonymous Coward | more than 4 years ago | (#32643602)

Yeah, because 129-bit computing is going to be the next big thing in just a few years.

Re:IPv6 (4, Funny)

DdJ (10790) | more than 4 years ago | (#32643734)

Actually by then, it'll be IPv6.1 ...

...unless you're running on a Microsoft operating system, in which case it'll be "IPv6.11 for Workgroups".

Re:IPv6 (0, Troll)

vlm (69642) | more than 4 years ago | (#32643790)

I heard, that instead of specifying addresses using hexadecimal digits 0-9 and A-F, some PHD wants to use 0-9 and A-Z. And the offshored helpdesk wants to use unicode characters instead of hexadecimal digits.

I bet there's a heck of a lot of spreadsheets and ip allocation thingys and map generation scripts and especially webpage javascript validation that won't tolerate "letters" in yer "IP addresses". Underlying OS and apps are generally OK at this point (I've been running ipv6 for many years from various tunnelbrokers)

Re:IPv6 (0)

Anonymous Coward | more than 4 years ago | (#32644762)

Anyone using spreadsheets to store IP allocation information (or any other database, for that matter) deserves to be fucked in the ass with a hot poker for eternity, so I think they're getting off easy if shit just breaks.

Re:IPv6 (0, Funny)

Anonymous Coward | more than 4 years ago | (#32643436)

My grand kids will probably be saying that to their grand kids.

My grand-kids are saying that to their grand-kids.

Now get of my lawn, you whipper snapper.

Re:IPv6 (2, Interesting)

xanadu113 (657977) | more than 4 years ago | (#32643440)

Right after we get switched to the metric system!

In elementary school, they ONLY taught me the metric system, because it was going to replace the english system by the time I graduated high school... I'm still waiting...

Re:IPv6 (1)

BrokenHalo (565198) | more than 4 years ago | (#32643594)

Maybe you needed a different school. My education started in the '60s, and we learned to cope with both.

Re:IPv6 (1)

Runaway1956 (1322357) | more than 4 years ago | (#32643856)

Yes, what BrokenHalo says. I started school in 1961, and learned pounds, ounces, etc. Somewhere along - ohhhh - 6th grade I think, they told us that within a couple years we wouldn't see any of that stuff, we needed to learn metric.

Metric is so easy - if you can count to ten, you have metric mastered. I've never figured out why people claim they have a hard time with it. Everything is powers of ten - everything. Almost everyone is born with ten appendages at the ends of their arms, right? Yeah, yeah, a FEW people don't get the full complement of fingers, and a FEW others manage to lose an appendage or two along the way. All the same, ten digits.

Ahhh well. I kinda like miles, gallons, and all the rest. They do take a tiny bit of brain power to compute. I get to feel superior when the real dullards can't understand what 128 ounces is equal to. "Oh my God, did you have to MEMORIZE that when you sailed on Noah's Ark?" "No, Honey, I'm just a low level genius, capable of multiplying 16 x 8, or 32 x 4 without benefit of a calculator."

Quick pop quiz: 1. How many US MILES around the earth at the equator?
                                2. How many NAUTICAL miles around the earth at the equator?
                                3. How many LEAGUES around the earth at the equator?

Go ahead, pull out the calculators if you need to. I'll just act smug, and nod my head, LMAO

Re:IPv6 (1)

Wonko the Sane (25252) | more than 4 years ago | (#32643924)

The downside to a base 10 measurement system is that it only has two factors: 2 and 5.

It seems to be a lot more common to divide physical quantities into thirds than fifths so you are giving up something when you switch from a system that has 3 prime factors to one that only has 2.

The cost/benefit ratio is probably in favor of the metric system in most cases, but don't dismiss the possibility that it might not be in all cases.

Re:IPv6 (1)

hoggoth (414195) | more than 4 years ago | (#32644056)

3 and 1/3rd. 3.33. Was that so hard?
If you are measuring flour for a cake and put in 3.34 or 3.32 I'm sure everyone will be polite and not tell you how bad it turned out.

Or maybe you are calculating interstellar probe trajectories without a calculator?

Re:IPv6 (1)

clone53421 (1310749) | more than 4 years ago | (#32645044)

If you have a 3 1/3 ml measuring spoon, you’ve basically defeated your nice power-of-10 system.

Re:IPv6 (1)

Sir_Lewk (967686) | more than 4 years ago | (#32644044)

I went to school in the 90s and only learned metric. It was my understanding that this was pretty universal among public schools in my area.

Really, if everyone stopped using imperial units tomorrow, I'd venture to guess that only a handful of old geezers would have any trouble with it.

Re:IPv6 (0)

Anonymous Coward | more than 4 years ago | (#32643972)

You can still learn your inches as I have done.

Canada is officially metric, which is to say official pieces of info like speed limits and driver's license weight, height, and eye colour.

In day to day speech, though, it's feet and inches and pounds for human measurements, half the time it's Fahrenheit for room temperature, Celsius for outdoor temperature, 1/1000in or mm for machining, and so on the mishmash.

Go figure.

Re:IPv6 (1)

Ares (5306) | more than 4 years ago | (#32644358)

Canada is officially metric, which is to say official pieces of info like speed limits and driver's license weight, height, and eye colour.

metric eye colors, eh?

Re:IPv6 (1)

gknoy (899301) | more than 4 years ago | (#32644398)

metric eye colors, eh?

Yeah, they list your eye color in nanometers.

Re:IPv6 (1)

CFD339 (795926) | more than 4 years ago | (#32644824)

Did they teach entirely in Esperanto as well?

Re:IPv6 (1)

clone53421 (1310749) | more than 4 years ago | (#32645012)

Sheesh, I’d tell them to give it up and just let me graduate high school finally.

Oh no (1)

Smallpond (221300) | more than 4 years ago | (#32643532)

Now they have my IP address: 192.160.0.1

Re:Oh no (1)

sconeu (64226) | more than 4 years ago | (#32643692)

Did you mean 192.168.0.1?

192.168/16 is the private address. 192.160/16 is not.

Re:Oh no (1)

kaizendojo (956951) | more than 4 years ago | (#32644030)

Did you mean 192.168.0.1? 192.168/16 is the private address. 192.160/16 is not.

Stealth... You're doing it wrong.

Oh yeah??? (0)

Anonymous Coward | more than 4 years ago | (#32645228)

Well, *my* IP Address is 127.0.0.1

Wait a minute! (0)

Anonymous Coward | more than 4 years ago | (#32643630)

The computer's IPv6 info can only leak out if the VPN has been also configured for IPv6.

User flaw shows dilluded sense of privacy on net (2, Interesting)

Bob_Who (926234) | more than 4 years ago | (#32643642)

The only flaw is when people believe that VPN or any other network technology streaming on the public superhighway via telecoms and satellite networks is absolutely private and secure 100% of the time. Once you fix that defect, the rest won't matter anymore. Too bad our national security experts are having so much difficulty with that concept, since its bad for business to accept reality or to tell the truth, in general.

Re:User flaw shows dilluded sense of privacy on ne (0)

Anonymous Coward | more than 4 years ago | (#32644124)

No the flaw is that anonymity != security. It can however be a side effect of security. Now if you want identity to be secure that is the information you need to protect as well as the payload information you are producing/consuming. In this case the implementation is 'leaking' information. Which is how it was designed. IPv6 is not about protecting your identity but has layers to protect your information.

The internet by its very nature does not allow for totally anonymous things. It is how things get from me to you. There are logs of many connections to and from your computer.

I posted this as AC just to underscore this point however. The guys who run slashdot *COULD* find out who I am. It is a matter of do they care enough to do so.

So, what's the move? (2, Interesting)

b0bby (201198) | more than 4 years ago | (#32643718)

What, then, is the best way to preserve anonymity when using, for instance, BitTorrent? I have looked at services like BTGuard & Predator, but there's always a little spidey-sense tingle of lack of trust...

doesen't IPv6 drop some of need for VPN? (1)

Joe The Dragon (967727) | more than 4 years ago | (#32643726)

doesen't IPv6 drop some of need for VPN?

But then the ISP need to do there part and give you more then 1 ip.

Re:doesen't IPv6 drop some of need for VPN? (1)

vlm (69642) | more than 4 years ago | (#32643838)

doesen't IPv6 drop some of need for VPN?

http://en.wikipedia.org/wiki/IPv6#Mandatory_network_layer_security [wikipedia.org]

IPSec is mandatory for "full ipv6 support", and of course almost no one uses it.

Its kind of like saying having https webservers removes all need for VPNs. Well, not exactly.

But then the ISP need to do there part and give you more then 1 ip.

I'm not aware of any tunnelbroker whom won't give you a /48 for your LAN, at this time. ISPs, being ISPs, will find a way to F it all up, I'm sure.

Re:doesen't IPv6 drop some of need for VPN? (1)

spottedkangaroo (451692) | more than 4 years ago | (#32643876)

On IPv6, they shouldn't ever be giving you less than a /64 and a /48 if you request it (or pay more or whatever). NATing is apparently against the law, but we overlook it because otherwise IPv4 would be broken already. My thinking is that NATing on IPv6 will continue to be OK for security reasons, but it's supposed to be completely unnecessary since we'll have enough IPv6 addresses to give one to every grain of sand on earth or whatever.

Re:doesen't IPv6 drop some of need for VPN? (2, Interesting)

vlm (69642) | more than 4 years ago | (#32644076)

My thinking is that NATing on IPv6 will continue to be OK for security reasons

My thinking is we're going to see massive namespace pollution in the marketing world. Since most people use "nat security" as basically a complicated as heck one way valve, and its "expensive" to do nat compared to simple state based firewalls, I suspect the marketing droids are going to get simple state based firewalls that only allow outgoing connections from engineering, and then sell them as "ipv6 NAT" even though theres no address translation going on.

After all, its the same as ipv6 NAT because it allows you to connect your lan to the internet and it only allows outgoing connections, so it must be marketed with the same name.

Who cares if the engineers know that NAT actually means something.

And when it happens, you can say you saw it here on slashdot, first.

Cipher Conference Video (3, Informative)

SJ2000 (1128057) | more than 4 years ago | (#32643732)

Re:Cipher Conference Video (1, Informative)

Anonymous Coward | more than 4 years ago | (#32644558)

Unfortunately the talk is structured very poorly. The talk is about several deanonymization techniques: Flash, which allegedly does not respect proxy settings (I think it's an option), can be used to establish connections outside of the VPN if you can make the victim open a web page. Alternatives are image URLs with FTP or other protocols for which no proxy on the VPN is configured, etc. The IPv6 problem is of the same nature: If you link to an image with an IPv6 address in the URL, the request will not go through the VPN but through the normal IPv4 interface where the OS uses an IPv6 translation scheme which uses the real IPv4 and MAC addresses as part of the IPv6 address.

The common idea between all these attacks is that not all connections are forced through the VPN (or dropped) and the applications can still see the local network environment and leak this information. This is a problem shared by all VPN technologies. If you want to avoid this, make a VPN router connect to the VPN and expose only the VPN to the local network. The only packets which are ever allowed on the real external IPv4 interface should be the encapsulated tunnel packets and packets necessary for setting up the tunnel. You can still leak information by (stupidly) making services available which leak local information (like network shares, browser services with identifying names, etc.).

Re:Cipher Conference Video (1)

materi (1835936) | more than 4 years ago | (#32644704)

Was this all that they talked about? nothing specific to PPTP as title suggests? then meh, not really news. I would have liked to listen to the talks if I could find a source with decent quality audio...

Re:Cipher Conference Video (0)

Anonymous Coward | more than 4 years ago | (#32644884)

There was a bit about weak PPTP authentication, but that is also not news, I believe. The IPv6 flaw is exacerbated by IPv6 tunneling apparently not working in Windows. The basic problem however is just the fact that Windows automatically creates tunneled IPv6 interfaces which bypass the VPN and can be used to deanonymize the user by instructing an application to make a connection to an IPv6 destination.

I wish there was a paper or at least a PDF of the slides, but the link to the story goes to a page which is just a rehash of another page which is just a poor teaser for a video with bad video and audio. I find it hard to know if I'm missing the point or not.

PPTP? Who uses that? (0)

Anonymous Coward | more than 4 years ago | (#32643812)

I've always used ipsec. I've never, ever seen a pptp vpn in production use.

I RTFA but.. (1)

rwwyatt (963545) | more than 4 years ago | (#32643982)

rather wish I had not.

IP address leaked? (1)

hoggoth (414195) | more than 4 years ago | (#32644014)

Hey um... I was just kidding about the whole overthrow the government thing. And the kiddie pics were for a research project. Like Pete Townshend. Yeah, just like Pete Townshend. And I purchased all of those songs and movies and just needed backup copies.

Wait, hold on... (1)

gravis777 (123605) | more than 4 years ago | (#32644212)

The Swedish anti-piracy bureau could already be gathering data using the exploit."

Um, not sure about Swedish law, but isn't this similar to like, breaking DVD encryption? Just because the encryption is week or has a security flaw in it, I am pretty sure it is still illegal to break or exploit it. If that's the case, could IP addresses gathered using this exploit be permissable in a court of law?

Just wondering out loud

Re:Wait, hold on... (1)

b0bby (201198) | more than 4 years ago | (#32644446)

My basic understanding of it is that they're not breaking any encryption, they're just using this flaw to gather your real IP address when you are going through a VPN endpoint. Your hope would be that all anyone monitoring a torrent could see would be the address of your VPN endpoint (probably from a VPN provider like The Pirate Bay), but instead they're able to gather more information, presumably so they can identify and sue you.

Re:Wait, hold on... (1)

hag3r (770359) | more than 4 years ago | (#32644724)

And even if they were breaking laws, any evidence they found would still be permissible in a Swedish courtroom if I'm not mistaken.

Re:Wait, hold on... (1)

Husgaard (858362) | more than 4 years ago | (#32644806)

In Swedish law, even evidence gathered illegally is permissive in court.

And with the new IPRED legislation in Sweden from last year, the anti-piracy now have better means of obtaining evidence for civil court cases (pay us, or we sue) than the Swedish police has for criminal file sharing cases.

Well (1)

DaMattster (977781) | more than 4 years ago | (#32644940)

The article wasn't terribly well written. I would say it is not a big deal at all because the traffic between the tunnel end-points is encrypted anyway. I smell an attempt to spread FUD about IPv6 and I happen to like IPv6.

...IPv6, which is a new Internet protocol... (0)

Anonymous Coward | more than 4 years ago | (#32645050)

IPv6, which is a new Internet protocol due to replace the current IPv4

thank you for so much useful information

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?