Re: (How) do we roll-back lprng?
On Sun, 25 Nov 2001, Craig Small wrote: with me. 3.8.0 had some good but not essential fixes in it (for most people anyway). I just don't know how to do it. Well, if you want to keep the version numbering, epochs are the only sane way :( -- One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot Henrique Holschuh -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: is 3des secure??
While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. I'm not referring to a back-door, just a known method such as a hardware based method for cracking in near-real time. However, 3DES is likely strong enough for normal people. If you're trying to keep things from them, they are already reading your screen and keyboard strokes directly by their radion emissions from accross the street. Paranoid? Yes. That's what security is all about. Curt- -Original Message- From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED]] Sent: Saturday, November 24, 2001 21:43 To: Johannes Weiss Cc: [EMAIL PROTECTED] Subject: Re: is 3des secure?? On Sat, Nov 24, 2001 at 10:28:56AM +0100, Johannes Weiss wrote: -BEGIN PGP SIGNED MESSAGE- UNfortunately, WIN-SSH is very buggy, it only works if I take the 3des algorithm, if I take one of the others (blowfish,...) it crashed. What is unfortunate about that? From my experience, 3DES is used more commonly than any other crypto algorithm for things like SSH and IPSEC. I know that some people feel that Blowfish, Twofish, and friends are too new to be thoroughly tested. DES (and thus 3DES) has withstood 30 years of cryptanalysis. The only weakness found in DES, a weakness known from the very beginning, is that the short keylength makes it vulnerable to a brute force attack, which is why 3DES was creates. 3DES is basically DES cubed, and effectively uses a 168 bit key, which is quite secure by modern standards. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: rogue Chinese crawler
Is there a "drop from..." command as well? I much prefer simply black-holing packets rather than giving back to the perp "I'm here, but I know about you" data by "deny". Or is that what the Apache "deny" does? Curt- -Original Message- From: Christoph Moench-Tegeder [mailto:[EMAIL PROTECTED]] Sent: Saturday, November 24, 2001 03:36 To: [EMAIL PROTECTED] Subject: Re: rogue Chinese crawler ## Martin WHEELER ([EMAIL PROTECTED]): Is anyone else having problems with the robot from openfind.com.tw That one has not been seen here. Anyone know of a sure-fire robot killer under woody? Apache himself (assuming your webserver runs apache, other servers should have something similar). Just take mod_access and add a "deny from" line to the Directory /-section of your config. Gruss, cmt -- Spare Space -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. No, DES (and thus 3DES) was created by IBM, with collaboration by the government. The biggest govt. influence was in the short 56 bit key length. In 3DES, this is not an issue. Personally I'd trust 3DES more than the DSA signature algorith used in GPG. DSA *was* created by the government. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html msg04374/pgp0.pgp Description: PGP signature
Re: is 3des secure??
On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. It wasn't allowed to be used, the government promulgated DES as a standard for banks and other high security industries because it was the best they could find at the time to do the job. It has withstood a great deal of cryptoanalysis over the last couple decades, and has held up fairly well. It's only real weakness has been it's key-length. While there may be some people in the government who would be happy to promulgate a broken standard to make their data-collection easier, wiser heads realize that if it's broken for our side (note quotes) it's broken for the other side as well. 3DES effectively triples the key-length for DES, and for SSH sessions, it's quite good enough. I'm not referring to a back-door, just a known method such as a hardware based method for cracking in near-real time. 3DES is more than strong enough for *today*, it's just that in the near future it won't be. However, 3DES is likely strong enough for normal people. If you're trying to keep things from them, they are already reading your screen and keyboard strokes directly by their radion emissions from accross the street. No, they've tapped your machine, and theres a minature camera looking over your shoulder from the air-vent in the room. -- Share and Enjoy. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
Noah L Meyerhans writes: On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. No, DES (and thus 3DES) was created by IBM, with collaboration by the government. The biggest govt. influence was in the short 56 bit key length. In 3DES, this is not an issue. Actually, probably the biggest influence from the government was from the NSA. IBM handed them the algorithm to review, and the NSA handed it back to them with the S-boxes subtly altered, no explanation. IBM accepted the changes, and they became part of the standard. Years later, after differential cryptanalysis was discovered, it was found that the changes made foiled differential cryptanalysis. 3DES is generally considered strong enough. However, it is slow, and can effect performance. Try doing large 'scp's and switch between 3DES and blowfish. Personally I prefer blowfish, as it has performance, is 'secure-enough' to my (less-than-expert) eye, and frankly I doubt anybody capable of defeating it is interested in what I have to say. Steve -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Saturday 24 November 2001 03:28 am, Johannes Weiss wrote: So, because of this my question is: Is 3des secure enough?? The putty website (search for it on google) has something to say about the security of des algorithm, which AFAIK it doesn't support. - -- Warren GPG Fingerprint: 30C8 BDF1 B133 14CB 832F 2C5D 99A1 A19F 559D 9E88 GPG Public Key @ http://www.cbu.edu/~wturkal/wturkal.gpg - -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS d- s: a-- C++ UL+ P+ L+++ E W++ N+ o-- K- w--- O M+ V-- PS+ PE Y+ PGP++ t 5 X R tv+ b+ DI+ D+ G e h-- r y? - --END GEEK CODE BLOCK-- -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8AdM2maGhn1WdnogRAkalAJ9sR44dLiSXzqX6VYO/TDSbTkwm1ACghPP4 tcXQxrLhfmN9s7VA2LMT6eo= =RzJt -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: is 3des secure??
On Sun, Nov 25, 2001 at 11:29:22PM -0600, Warren Turkal wrote: On Saturday 24 November 2001 03:28 am, Johannes Weiss wrote: So, because of this my question is: Is 3des secure enough?? The putty website (search for it on google) has something to say about the security of des algorithm, which AFAIK it doesn't support. It is important to distinguish between DES and 3DES. DES, which cryptographically secure (i.e. there is no known flaw in the algorithm) uses too short a key to be considered secure. 3DES is a great deal more secure. I was not able to find references to the PuTTY author's opinion on the security of DES or 3DES on his web site, but I do know that PuTTY does support 3DES, if not DES. Also, it is worth noting that if you use the standard unix crypt(3) passwords, then you are using a variant of DES which has the addition of the 16 bit salt. noah -- ___ | A subversive is anyone who can out-argue their government | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html msg04379/pgp0.pgp Description: PGP signature
Re: is 3des secure??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Monday 26 November 2001 12:08 am, Noah L. Meyerhans wrote: I was not able to find references to the PuTTY author's opinion on the security of DES or 3DES on his web site, but I do know that PuTTY does support 3DES, if not DES. I was thinking DSA, which putty does now also support. Sorry. - -- Warren GPG Fingerprint: 30C8 BDF1 B133 14CB 832F 2C5D 99A1 A19F 559D 9E88 GPG Public Key @ http://www.cbu.edu/~wturkal/wturkal.gpg - -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS d- s: a-- C++ UL+ P+ L+++ E W++ N+ o-- K- w--- O M+ V-- PS+ PE Y+ PGP++ t 5 X R tv+ b+ DI+ D+ G e h-- r y? - --END GEEK CODE BLOCK-- -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8Ad+3maGhn1WdnogRAiQTAJ0fCdUtQRqUqWY+Jd+WVgA0524YEACdGJvA IJipWx26Bia/SHz2kN8Z5Jk= =jN8I -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: rogue Chinese crawler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OK, I've now been 24 hours without a hit, so I'm presuming I've got rid of all the crawlers. Thanks for all the help and advice from both lists. Resume: - - the openfind.com(.tw) 'bots don't respect the norobots conventions, so your robots.txt is useless, whatever its contents. (In fact, these 'bots don't even look for it.) - - the 'bots are no respecters of any other conventions, either -- they will stay on your machine for unlimited amounts of time, doing a constant recursive grab, and gradually freezing out all other activity. (Worst case on my machine -- 45 minutes) - - there are 16 'bots, none of which knows what the others are doing. This means you can have any number on your machine at any one time, each progressively slowing down the system. (Worst case on my machine -- 8 simultaneously, for over 30 minutes.) This can create a virtual DoS attack, or paralysis of services. - - they may not all come from the same address -- I've currently got two addresses in my rules/directives to drop packets. (Monitor where they're coming from.) - - the originators do NOT reply to e-mails or polite requests to fix their code to respect the norobots conventions. The DO respond to abusive e-mails by bouncing any further attempts at communication with them. - - as pointed out by almost everyone, the best method of dissuasion is to drop all packets from thisese sources as they come into the firewall/router. Failing that, a Deny from directive in httpd.conf fixes them good. - - if the above is implemented, it takes a while for all the 'bots to learn they're not welcome. I don't mind well-behaved spiders -- in fact, I welcome them, as no-one would be able to find some of my pages otherwise -- but these ones go beyond what is tolerable behaviour for me. I don't know whether it's due to bad code, or a don't care attitude to others; but I would advise anyone who finds them clogging up their system to ban them completely. Martin - -- - Share your knowledge. It's a way to achieve immortality - [EMAIL PROTECTED] pub 1024D/01269BEB 2001-09-29 Martin Wheeler (personal key) Key fingerprint = 6CAD BFFB DB11 653E B1B7 C62B AC93 0ED8 0126 9BEB -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8AY5orJMO2AEmm+sRAuBRAJ9gRbweyJAsYn1dL1OWWYJcHg2x1ACgkFLe 4Af36/11JM3+bXXhtNNVFoU= =EBHS -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: (How) do we roll-back lprng?
On Sun, 25 Nov 2001, Craig Small wrote: with me. 3.8.0 had some good but not essential fixes in it (for most people anyway). I just don't know how to do it. Well, if you want to keep the version numbering, epochs are the only sane way :( -- One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot Henrique Holschuh
RE: is 3des secure??
While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. I'm not referring to a back-door, just a known method such as a hardware based method for cracking in near-real time. However, 3DES is likely strong enough for normal people. If you're trying to keep things from them, they are already reading your screen and keyboard strokes directly by their radion emissions from accross the street. Paranoid? Yes. That's what security is all about. Curt- -Original Message- From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED] Sent: Saturday, November 24, 2001 21:43 To: Johannes Weiss Cc: debian-security@lists.debian.org Subject: Re: is 3des secure?? On Sat, Nov 24, 2001 at 10:28:56AM +0100, Johannes Weiss wrote: -BEGIN PGP SIGNED MESSAGE- UNfortunately, WIN-SSH is very buggy, it only works if I take the 3des algorithm, if I take one of the others (blowfish,...) it crashed. What is unfortunate about that? From my experience, 3DES is used more commonly than any other crypto algorithm for things like SSH and IPSEC. I know that some people feel that Blowfish, Twofish, and friends are too new to be thoroughly tested. DES (and thus 3DES) has withstood 30 years of cryptanalysis. The only weakness found in DES, a weakness known from the very beginning, is that the short keylength makes it vulnerable to a brute force attack, which is why 3DES was creates. 3DES is basically DES cubed, and effectively uses a 168 bit key, which is quite secure by modern standards. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
RE: rogue Chinese crawler
Is there a drop from... command as well? I much prefer simply black-holing packets rather than giving back to the perp I'm here, but I know about you data by deny. Or is that what the Apache deny does? Curt- -Original Message- From: Christoph Moench-Tegeder [mailto:[EMAIL PROTECTED] Sent: Saturday, November 24, 2001 03:36 To: debian-security@lists.debian.org Subject: Re: rogue Chinese crawler ## Martin WHEELER ([EMAIL PROTECTED]): Is anyone else having problems with the robot from openfind.com.tw That one has not been seen here. Anyone know of a sure-fire robot killer under woody? Apache himself (assuming your webserver runs apache, other servers should have something similar). Just take mod_access and add a deny from line to the Directory /-section of your config. Gruss, cmt -- Spare Space -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: rogue Chinese crawler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OK, I've now been 24 hours without a hit, so I'm presuming I've got rid of all the crawlers. Thanks for all the help and advice from both lists. Resume: - - the openfind.com(.tw) 'bots don't respect the norobots conventions, so your robots.txt is useless, whatever its contents. (In fact, these 'bots don't even look for it.) - - the 'bots are no respecters of any other conventions, either -- they will stay on your machine for unlimited amounts of time, doing a constant recursive grab, and gradually freezing out all other activity. (Worst case on my machine -- 45 minutes) - - there are 16 'bots, none of which knows what the others are doing. This means you can have any number on your machine at any one time, each progressively slowing down the system. (Worst case on my machine -- 8 simultaneously, for over 30 minutes.) This can create a virtual DoS attack, or paralysis of services. - - they may not all come from the same address -- I've currently got two addresses in my rules/directives to drop packets. (Monitor where they're coming from.) - - the originators do NOT reply to e-mails or polite requests to fix their code to respect the norobots conventions. The DO respond to abusive e-mails by bouncing any further attempts at communication with them. - - as pointed out by almost everyone, the best method of dissuasion is to drop all packets from thisese sources as they come into the firewall/router. Failing that, a Deny from directive in httpd.conf fixes them good. - - if the above is implemented, it takes a while for all the 'bots to learn they're not welcome. I don't mind well-behaved spiders -- in fact, I welcome them, as no-one would be able to find some of my pages otherwise -- but these ones go beyond what is tolerable behaviour for me. I don't know whether it's due to bad code, or a don't care attitude to others; but I would advise anyone who finds them clogging up their system to ban them completely. Martin - -- - Share your knowledge. It's a way to achieve immortality - [EMAIL PROTECTED] pub 1024D/01269BEB 2001-09-29 Martin Wheeler (personal key) Key fingerprint = 6CAD BFFB DB11 653E B1B7 C62B AC93 0ED8 0126 9BEB -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8AY5orJMO2AEmm+sRAuBRAJ9gRbweyJAsYn1dL1OWWYJcHg2x1ACgkFLe 4Af36/11JM3+bXXhtNNVFoU= =EBHS -END PGP SIGNATURE-
Re: is 3des secure??
On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. No, DES (and thus 3DES) was created by IBM, with collaboration by the government. The biggest govt. influence was in the short 56 bit key length. In 3DES, this is not an issue. Personally I'd trust 3DES more than the DSA signature algorith used in GPG. DSA *was* created by the government. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html pgpWDbL6RoqHU.pgp Description: PGP signature
Re: is 3des secure??
On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. It wasn't allowed to be used, the government promulgated DES as a standard for banks and other high security industries because it was the best they could find at the time to do the job. It has withstood a great deal of cryptoanalysis over the last couple decades, and has held up fairly well. It's only real weakness has been it's key-length. While there may be some people in the government who would be happy to promulgate a broken standard to make their data-collection easier, wiser heads realize that if it's broken for our side (note quotes) it's broken for the other side as well. 3DES effectively triples the key-length for DES, and for SSH sessions, it's quite good enough. I'm not referring to a back-door, just a known method such as a hardware based method for cracking in near-real time. 3DES is more than strong enough for *today*, it's just that in the near future it won't be. However, 3DES is likely strong enough for normal people. If you're trying to keep things from them, they are already reading your screen and keyboard strokes directly by their radion emissions from accross the street. No, they've tapped your machine, and theres a minature camera looking over your shoulder from the air-vent in the room. -- Share and Enjoy.
Re: is 3des secure??
Noah L Meyerhans writes: On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote: While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. No, DES (and thus 3DES) was created by IBM, with collaboration by the government. The biggest govt. influence was in the short 56 bit key length. In 3DES, this is not an issue. Actually, probably the biggest influence from the government was from the NSA. IBM handed them the algorithm to review, and the NSA handed it back to them with the S-boxes subtly altered, no explanation. IBM accepted the changes, and they became part of the standard. Years later, after differential cryptanalysis was discovered, it was found that the changes made foiled differential cryptanalysis. 3DES is generally considered strong enough. However, it is slow, and can effect performance. Try doing large 'scp's and switch between 3DES and blowfish. Personally I prefer blowfish, as it has performance, is 'secure-enough' to my (less-than-expert) eye, and frankly I doubt anybody capable of defeating it is interested in what I have to say. Steve
Remote Root exploit in stable icecast-server package
Hi All, I have been considering changing our RealAudio broadcasts (on a NT box) over to a linux box and have decided to go with a icecast server. However, I noticed that the stable package is version 1.00. Version 1.3.8b2 and prior have a remote vunerability to execute code as the particular UID/GID that the icecast-server is running, which, forgive me if I'm wrong, appears to be root! I cannot find and security advisories on this matter either! Can we get the package fixed or at least the stable packeage removed? The woody package has been fixed, and the server runs as a user icecast instead of root. Andrew Tait System Administrator Country NetLink Pty, Ltd E-Mail: [EMAIL PROTECTED] WWW: http://www.cnl.com.au 30 Bank St Cobram, VIC 3644, Australia Ph: +61 (03) 58 711 000 Fax: +61 (03) 58 711 874 It's the smell! If there is such a thing. Agent Smith - The Matrix
Re: is 3des secure??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Saturday 24 November 2001 03:28 am, Johannes Weiss wrote: So, because of this my question is: Is 3des secure enough?? The putty website (search for it on google) has something to say about the security of des algorithm, which AFAIK it doesn't support. - -- Warren GPG Fingerprint: 30C8 BDF1 B133 14CB 832F 2C5D 99A1 A19F 559D 9E88 GPG Public Key @ http://www.cbu.edu/~wturkal/wturkal.gpg - -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS d- s: a-- C++ UL+ P+ L+++ E W++ N+ o-- K- w--- O M+ V-- PS+ PE Y+ PGP++ t 5 X R tv+ b+ DI+ D+ G e h-- r y? - --END GEEK CODE BLOCK-- -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8AdM2maGhn1WdnogRAkalAJ9sR44dLiSXzqX6VYO/TDSbTkwm1ACghPP4 tcXQxrLhfmN9s7VA2LMT6eo= =RzJt -END PGP SIGNATURE-
