---------------------
BLURB to version 0.5:
---------------------

OK, I'll not mess about with good English here; making ypghost
user-friendly and documenting it seems to be taking about two or
three times the amount of time it took to originally write
it......

I 'pre-released' ypghost about a month ago on a small U. K.
hacker's newsgroup (amusingly I would guess about half of the
70-odd people that downloaded it as a result were anti-hacker
types; the http log read like a who's who of U. K. security
consultants). Unfortunately I have had very little feedback from
the pre-release, so there may still be some mistakes in this
release.

Version 0.5 differs only slightly from the pre-release version;
apart from a couple of small bug fixes, the main difference is
that DLT_NULL is now supported, so ypghost should now work with
the loopback interface under BSD.

If you're unsure what ypghost is supposed to do, you should read
the paper by D. Hess (the file name is probably NIS_Paper.ps),
available from my WWW page amongst other places. The paper
explains the general principle and describes a program called
'ypfake' which apparently does the same thing that ypghost now
does. Note that this 'ypfake' program is not available (many
thanks to D. Hess for confirming this BTW), and since it is
described as using Sun's NIT, I suppose it would only work on
Suns anyway.

Note that ypghost only fakes UDP replies to YPPROC_MATCH calls,
so the false entries will not show up if you try looking at the
maps with ypcat etc., although that's explained in NIS_Paper.ps.

I have so far tested ypghost on Linux using the loopback
interface (which seems to be of 'ethernet' type) and on an
ethernet network of Suns. Linux & loopback worked fine, although
for some reason it seemed to work consistently for a while, then
not work consistently for a while, then work consistently again;
presumably if you tipped the balance slightly by nice'ing ypserv
or something, it would probably work consistently all the time.

The test on the network of Suns is obviously a much better test.
I was slightly surprised that with all the machines idle the
real response consistently beat the spoofed response; this could
be for a variety of reasons, perhaps the positioning of the
machines, or maybe libpcap is slow on Suns. Anyway, bombarding
the NIS server with a few NFS requests soon popped the load
average up, and ypghost began to work fine.
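Because ypghost only fakes the UDP YPPROC_MATCH reply and races the real ypserv for it (both paragraphs above), the client side of a spoofed exchange sees two replies to one RPC XID, and the forged one comes from an Ethernet address that is not the server's. The following detector over such decoded replies is an added example, not part of ypghost or ypdump; the record layout, the server MAC and the sample replies are all constructed here.

```python
"""Flag NIS (YP) reply races: more than one UDP RPC reply for one request XID.

Added example, not part of the ypghost distribution. Input records are
constructed; in practice they would be decoded from a capture.
"""
from collections import defaultdict
from dataclasses import dataclass

YPSERV_MAC = "08:00:20:aa:bb:cc"  # assumed MAC of the legitimate ypserv host


@dataclass(frozen=True)
class RpcReply:
    client: str    # client ip:port that sent the YPPROC_MATCH request
    xid: int       # RPC transaction id the reply claims to answer
    src_ip: str    # IP source; a spoofed reply copies the server's address
    src_mac: str   # Ethernet source; much harder for a spoofer to copy
    payload: bytes # decoded YPPROC_MATCH result (e.g. a passwd map line)


def find_spoofed_replies(replies, server_mac=YPSERV_MAC):
    """Return one alert string per suspicious (client, xid) observation:
    conflicting replies to the same XID, or a reply from the wrong MAC."""
    by_xid = defaultdict(list)
    for r in replies:
        by_xid[(r.client, r.xid)].append(r)
    alerts = []
    for (client, xid), group in by_xid.items():
        if len(group) > 1 and len({r.payload for r in group}) > 1:
            alerts.append(f"{client} xid={xid:#x}: {len(group)} conflicting replies")
        for r in group:
            if r.src_mac.lower() != server_mac.lower():
                alerts.append(f"{client} xid={xid:#x}: reply from unexpected MAC {r.src_mac}")
    return alerts


# Constructed sample: one clean exchange, then one where a forged reply
# (different MAC, different passwd line) races the real server's answer.
SAMPLE = [
    RpcReply("10.0.0.7:1023", 0x1a2b, "10.0.0.1", YPSERV_MAC,
             b"alice:REALHASH:1001:100::/home/alice:/bin/sh"),
    RpcReply("10.0.0.7:1024", 0x1a2c, "10.0.0.1", "00:00:c0:11:22:33",
             b"bob:FORGEDHASH:1002:100::/home/bob:/bin/sh"),
    RpcReply("10.0.0.7:1024", 0x1a2c, "10.0.0.1", YPSERV_MAC,
             b"bob:REALHASH:1002:100::/home/bob:/bin/sh"),
]

if __name__ == "__main__":
    for alert in find_spoofed_replies(SAMPLE):
        print(alert)
```

Run on a real capture, the MAC check needs the server's address learned from a known-good period; the duplicate-XID check needs no prior knowledge at all.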

Ypghost also compiles and runs fine on FreeBSD 2.1.0, although
unfortunately I haven't tested it to see whether it works. My
machine doesn't have an ethernet card, and the BSD
portmap/ypserv/ypbind seemed particularly reluctant to work, so I
couldn't test it using the localhost interface (I didn't try that
hard since it seemed to be trying to use TCP anyway).

I really can't be bothered to explain the basic principles of
NIS and UDP spoofing here. Although I will say, despite group
wheel, secure consoles, passwd shadowing and efficient NIS
servers, it does actually work, for me anyway, so do persevere,
if at first you don't succeed....
               (the limitations described in the man page aside.)

No, it won't work if NIS+ is being used. NIS+ is not something I
know much about yet, but I gather its use is still pretty
limited; as far as I know only Solaris actually implements it.
However, if you have *nothing* but Solaris machines on the
network you're using, you may be disappointed (or pleasantly
surprised if you're a fascist sysadmin). THAT IS NOT TO SAY
THAT NIS+ IS SECURE, please don't come to any conclusions like
that; quite frankly I can't think of any obvious conclusions
that can be drawn from ypghost, other than common sense ones,
like that confidential data should never be kept on Internet
connected computers.

Oh yeah, if you're planning to do anything with the source at
all, *do* let me know, I might be able to send you some comments
even. If you're used to normal RPC programming, I do apologise
if my code makes you feel physically sick, or if you can't
actually believe what you see. In its defence I'll just say
that, even though I couldn't test it while I was writing it, it
*did* work virtually the first time I tried it. I also wanted
to make it portable, even to systems that may not have rpcgen
etc.

Apologies for retaining all copyright on ypghost; if somebody
actually paid me for doing stuff like this I might feel
differently, but they don't, and I don't suppose using my time
to do stuff like this will get any credit with the Employment
Service, who expect me to spend all my time looking for cleaning
jobs (or whatever else pays 50 quid for a 72 hour week).

Finally, having spoofed packets on your network could possibly
confuse it; I take no responsibility for anything ypghost does.

Please let me know of any bugs, as I certainly haven't
exhaustively tested it (testing it *once* was enough hassle).
Similarly, let me know if it's worked fine on such and such a
system. In fact any comments would be welcome, although please
put the word 'ypghost' in the subject line.


---------------------
BLURB to version 0.6:
---------------------

Firstly, in order to reward me for my unpaid efforts in writing
ypghost, *somebody* (probably somebody within the U. K.
Internet establishment, maybe JANET-CERT) decided it would be a
good idea to force my University to censor, maybe even ban, my
"unix/net/hack page". Well thanks very much! Whoever you are.

This means that the URLs mentioned in Version 0.5 are now invalid.

Fortunately not everybody responsible for running the Internet
is a complete idiot; in fact some are far from it. With the
very kind help of various people I was able to get a U. S.
mirror of the page up and running within 24 hours of the
censorship, and I've now finally got it running on U. K. based
web servers again. Hopefully now that the page is not reliant on
any particular server the same thing can't happen again.

I've added a program called ypdump to the distribution to let
you see what's happening. It would probably benefit from some
more work, but it's a start. See the man page for details.

Changes to ypghost include fixing a programming error in the
code that contacts the portmapper and adding a command line
option to specify the timeout value that is passed to the
libpcap library. What this timeout value *actually* does will
depend on how libpcap has been implemented on your platform. I
suspect the Linux version of libpcap probably ignores it.

On SunOS 5.4, however, reducing this timeout seems to
dramatically improve performance. In ypghost 0.5 the timeout
was #define'd to 1024 milliseconds, which meant the real server
had to be quite heavily loaded before the spoofed response got
there before the real response. With a timeout value of 5
milliseconds the spoofed response now seems to consistently beat
the real response on the network I tested it on, even with the
real server otherwise idle. I've therefore now made the default
value 5 milliseconds. If such a small value causes problems on
some unknown platform that you are using, just start ypghost 0.6
with "-t 1024". On the other hand you may even like to try
reducing it further.

I suspect using small timeout values to ensure a fast response
isn't an ideal solution; ideally we should be able to tell
libpcap to process packets immediately, and I guess this was what
the partially documented but unimplemented pcap_immediate()
function was supposed to be for. Sorry to be so vague about all
this; it would be nice if somebody developed libpcap more, rather
than leaving it half finished like this, but unfortunately I think
it's the only portable method of capturing packets we've got ATM.

I've started to look at whether it might be possible to spoof
the YPPROC_MATCH replies without listening on the local network.
It may possibly be possible, but so far it seems pretty
difficult, at least on the machines I've experimented with so
far. So far, I wouldn't worry about it yet, unless you are
completely paranoid, in which case you probably shouldn't be
using NIS full stop.

I would appreciate any intelligent feedback; I don't even know
whether anybody else has got ypghost to work yet! ;-)

Cheers,

Arny - arny@geek.org.uk

			http://www.unix.geek.org.uk/~arny/  (U.K.)
			http://www.unix.geek.net/~arny/     (U.S.)

