Re: scan debian packages for security vulnerabilitys big time
On 00-11-07 Andreas Schuldei wrote:
> * Christian Kurz ([EMAIL PROTECTED]) [001107 00:03]:
> > [Changed Reply-To to point to the right list]
> Not so sure about that. I do NOT want the security issues to be an issue for
> the super advanced/paranoid/freaked-out-ones/security-aware ones. That is part

This is the right list if we talk about security or extreme security-related
things like a security audit of source code. -devel is not the right list and
is already cluttered with a lot of topics, so let's move it to the right list.

> of the idea. So I do not want the discussion going on in some remote
> mailing list but for everyone to see and read. If we do not get the idea

It's not a remote list. It's a Debian list which is open for everyone to join
who has an interest in security. Please inform yourself better next time.

> across to lots of people, we will not win anything. Today's volume of our

Why? Can't we talk about the things first on the correct list and then
announce them to the people? Following your idea, we would now discuss
everything on -devel and remove -policy, -security, -user and so on.

> distribution is out of hand. We have 4000 packages and are not enough (all
> developers that is, not just the ones reading debian-security) to look over
> our source in any time soon. And the numbers get worse if people are not
> educated.

You talked first about OpenBSD, where only the base system is really audited
and gets audited, and now you talk about auditing 4000 packages? What the hell
do you have in mind? Please make an exact statement of what you want to audit.
And please think very carefully about the idea of auditing 4000 packages and
whether that's really needed.

> > This won't be possible as you need a lot of knowledge about security and
> > programming to do a real audit. It's not enough to have knowledge about
> > security only or programming only, but it's the combination of both
> > knowledges that allows you to do audits.
> We are running Debian and most of us speak at least one programming
> language. I guess within the last 3 to 5 years you have learned things
> you were not even aware existed. It is a continuous process, and
> why should it stop at secure programming?

Because not everyone is interested in programming even if he is a Debian
developer. You make assumptions here that are not correct, and if you read the
secure programming FAQ (you know the URL to it?), you should be aware that
security audits of program code are not easy to do and are only for advanced
programmers and security people.

> > Why don't you ask for help on this on security-audit? This list was
> > originally created for doing audits of unix tools and is seldom used.
> > (You should know this. :)
> I should, I am subscribed there. I also see how much progress is made.
> The majority of the mails from the last two weeks were off topic and
> about the break-in at Microsoft. I guess it was 10 mails altogether.
> You get my point?

Yes, but why do you not ask on this list for help in auditing some source code
and use the list for the things it was planned for? Just because it's
currently close to dead and has off-topic stuff shouldn't stop someone from
using it for the right things, which are on-topic there.

> I think the long term perspective must be to have some AI (yes,
> SciFi) doing the simple audits. There is no other way to manage
> nowadays' amounts of code.

And again I tell you there's no way to automatically do this, or else the
OpenBSD guys would already be using it. Why do you think they are just
auditing the base system and not all the ports?

Ciao
    Christian
-- 
Debian Developer and Quality Assurance Team Member
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
Re: ipchains question
On Tue, Nov 07, 2000 at 06:44:48PM -0300, Eduardo Gargiulo wrote:
> I'm trying to do something like this...
>
>   ROUTER ---- Linux
>               ||  ||
>       Real_IP ||  || Internal_IP
>               ||  ||
>             |     HUB     |
>             | | | | | | | |
>
> Is it possible?

The IP specification states that the above diagram is exactly the same as

    ROUTER ---- Linux
                  |
                  | Internal_IP
                  |
              |     HUB     |
              | | | | | | | |

That is, packets from the internal network destined to Linux's real IP never
hit the router.

noah
-- 
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: ipchains question
Artur Gorniak wrote:
>
> On Tue, Nov 07, 2000 at 06:22:09PM +0100, Marcin Owsiany wrote:
> > If you mean changing from:
> >
> >   INTERNET --[ A hub ] -- linux box
> >               / | | \
> >           host host host host
> >
> > to
> >
> >   INTERNET --linux box--[ hub ] ---host
> >                          / | \
> >                      host host host
> >
> > Then I guess nothing needs to be changed, provided the boxen have linux box
> > set as default gateway.
>
> I think you didn't read the whole message.
>
> He said that linux is masquerading the net after it.
>
> So it's something like:
>
>   INTERNET
>      \  \
>      |   Linux -- m1
>      |       \--- m2
>    router
>     \  \
>    h1  h2 ...
>
> In that situation the configuration of masquerade has to be redone.
>
> I never did it myself.
> Just lame of me (because I should)...
>
> It's all in the documentation of ipchains.
>
> You masq addresses from m1 to mn
>
> and then route hosts h1-hn.
>
> It's similar to questions about two subnets after a firewall.
>
> I think there are lots of examples on the net since it's a rather
> standard solution in many nets.
>
> Artur Górniak
>

I'm trying to do something like this...

  ROUTER ---- Linux
              ||  ||
      Real_IP ||  || Internal_IP
              ||  ||
            |     HUB     |
            | | | | | | | |

Is it possible?

-- 
:%s/Micros~1/GNU\/Linux/g^M
:wq!
Re: SCSI Tape backup
Jason,

What exactly does this have to do with security? Ask this on debian-user or
something.

Regards,
Alex.

---
PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9

On Tue, 7 Nov 2000, Jason Weidman wrote:
> Can someone tell me how to set up my Tandberg SCSI tape backup on my Debian
> box?
SCSI Tape backup
Can someone tell me how to set up my Tandberg SCSI tape backup on my Debian
box?
ipchains question
Hi all.

I have a linux box running ipchains and masquerading my internal network. I
have a subnet of real IPs. The router is connected to the hub, so the REAL
subnet is before the firewall, so I can't protect it.

I'm thinking of adding an eth to the linux box and connecting the router (with
a crossover UTP) to eth0, and connecting eth1 (with real IP) and eth2 (with
masqued IP) to the hub.

The question is how to configure ipchains, and whether it is possible to make
this work or I have to add another tool to my linux box to handle this
configuration?

Thanks all and sorry for my english!

-- 
:%s/Micros~1/GNU\/Linux/g^M
:wq!
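The rule set below is an added example written for this thread; it is not code posted by Eduardo, Artur or anyone else on the list. It takes the three-interface layout Eduardo proposes (router on eth0 over the crossover cable, real subnet on eth1, masqueraded private subnet on eth2) and applies Artur's recipe: masquerade the private hosts, plainly route the real ones. The interface names, the TEST-NET-3 range standing in for the real subnet and the 192.168.1.0/24 private range are all constructed placeholders; the forward chain defaults to DENY so only the listed paths are open, and the input chain drops and logs private-range packets that claim to arrive from the router side.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed placeholders throughout:
EXT_IF=eth0                 # crossover cable to the router
REAL_IF=eth1                # hub side: the routable "real" subnet
MASQ_IF=eth2                # hub side: the private, masqueraded subnet
REAL_NET=203.0.113.0/24     # placeholder (TEST-NET-3) for the real subnet
MASQ_NET=192.168.1.0/24     # placeholder for the private subnet

# emit_rules prints the ipchains commands instead of executing them, so the
# policy can be reviewed on any machine; pipe it to sh as root on the
# firewall to apply it. On the forward chain, -i names the OUTGOING interface.
emit_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -F forward
ipchains -F input
# default deny: only the cases listed below may be forwarded
ipchains -P forward DENY
# private hosts reach the Internet masqueraded behind the $EXT_IF address
ipchains -A forward -s $MASQ_NET -i $EXT_IF -j MASQ
# private <-> real traffic never leaves this box, so it is routed, not masqueraded
ipchains -A forward -s $MASQ_NET -d $REAL_NET -i $REAL_IF -j ACCEPT
ipchains -A forward -s $REAL_NET -d $MASQ_NET -i $MASQ_IF -j ACCEPT
# the real subnet is routed in both directions without address rewriting
ipchains -A forward -s $REAL_NET -i $EXT_IF -j ACCEPT
ipchains -A forward -d $REAL_NET -i $REAL_IF -j ACCEPT
# anti-spoofing: the private range must never arrive from the router side
ipchains -A input -i $EXT_IF -s $MASQ_NET -j DENY -l
EOF
}

# count_forward_accepts returns how many forward rules ACCEPT traffic; a quick
# sanity check that nothing beyond the four intended paths is opened.
count_forward_accepts() {
    emit_rules | grep -c '^ipchains -A forward .* -j ACCEPT$'
}

emit_rules
```

Two things the rules alone do not cover: the hosts on the real subnet must use the Linux box's eth1 address as their default gateway (Marcin's "provided the boxen have linux box set as default gateway"), and the router must have a route for the real subnet pointing at the box's eth0 address, since that subnet is no longer directly on the router's wire. ipchains is the 2.2-kernel tool; on current kernels the same policy is expressed with iptables or nftables.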
Re: scan debian packages for security vulnerabilitys big time
* Christian Kurz ([EMAIL PROTECTED]) [001107 00:03]:
> [Changed Reply-To to point to the right list]

Not so sure about that. I do NOT want the security issues to be an issue for
the super advanced/paranoid/freaked-out-ones/security-aware ones. That is part
of the idea. So I do not want the discussion going on in some remote
mailing list but for everyone to see and read. If we do not get the idea
across to lots of people, we will not win anything. Today's volume of our
distribution is out of hand. We have 4000 packages and are not enough (all
developers that is, not just the ones reading debian-security) to look over
our source in any time soon. And the numbers get worse if people are not
educated.

> This won't be possible as you need a lot of knowledge about security and
> programming to do a real audit. It's not enough to have knowledge about
> security only or programming only, but it's the combination of both
> knowledges that allows you to do audits.

We are running Debian and most of us speak at least one programming
language. I guess within the last 3 to 5 years you have learned things
you were not even aware existed. It is a continuous process, and
why should it stop at secure programming?

> Why don't you ask for help on this on security-audit? This list was
> originally created for doing audits of unix tools and is seldom used.
> (You should know this. :)

I should, I am subscribed there. I also see how much progress is made.
The majority of the mails from the last two weeks were off topic and
about the break-in at Microsoft. I guess it was 10 mails altogether.
You get my point?

I think the long term perspective must be to have some AI (yes,
SciFi) doing the simple audits. There is no other way to manage
nowadays' amounts of code.

We (that is: you; I just started) have accomplished a lot; why not invest
some brains in a way to do better automated audits?