Re: Debian Stable server hacked
On Sat, Aug 23, 2003 at 10:14:24AM +0100, Dale Amon wrote:
> Does anyone know when a grsec patch set will be available
> for 2.6.0t3 or know of one updated to work with 2.4.22rc2?
> Yeah, I know, they are still experimental...

This would be a great question posed to the GrSecurity forum, http://forums.grsecurity.net/ and in fact there's a thread on there already about it. Their forums are excellent.

Steve
Re: Looking for a simple SSL-CA package
On Fri, Aug 22, 2003 at 01:04:54PM -0400, Matt Zimmerman wrote:
> On Thu, Aug 21, 2003 at 12:56:30PM +0200, Tarjei Huse wrote:
> > I'm no expert on handling certificates and I hope not having to learn all
> > the commandline switches of openssl by heart. However, I do need a simple
> > setup of a CA that I may use for creating self-signed certificates, webpages
> > that clients may use to import the certificates and also a way to organize
> > certificate revocation lists etc.
>
> You don't need a CA to create self-signed certificates (by definition there
> is no CA involved if the certificate is self-signed).

Perhaps I just misinterpret the terminology, but I've had the impression that every certificate should be signed, so should the root of the tree too. Since they sit at the top of the hierarchy they must be self signed. Am I missing something?

bit,
adam

--
1024D/37B8D989 954B 998A E5F5 BA2A 3622 82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net | And out of mind Sleep forever
Re: Debian Stable server hacked
On Fri, Aug 22, 2003 at 06:35:37PM -0400, Phillip Hofmeister wrote:
> On Fri, 22 Aug 2003 at 10:32:27AM -0400, Matt Zimmerman wrote:
> > It is often the case that the attacker doesn't know the exact location of
> > structures in memory; there are techniques for finding out. I'm sure that
> > the authors of PaX do not misrepresent it as complete protection.
> >
> > It's pointless to argue about it; it's clear that PaX provides some value in
> > protection against security vulnerabilities, and I think it's also clear
> > that because it will break many existing applications, it is not suitable
> > for use by default. But there is no reason why a PaX-enabled kernel could
> > not be provided as an option. All it needs is someone willing to do the
> > work (hint, hint).
>
> I would be willing to maintain a grsec kernel image with PaX and temp. file
> symlink blocking if someone would be willing to sponsor it (hint, hint)

Does anyone know when a grsec patch set will be available for 2.6.0t3 or know of one updated to work with 2.4.22rc2? Yeah, I know, they are still experimental...
Re: Looking for a simple SSL-CA package
On Sat, Aug 23, 2003 at 07:38:25PM +0200, Adam ENDRODI wrote:
> Perhaps I just misinterpret the terminology, but I've had the
> impression that every certificate should be signed, so should the
> root of the tree too. Since they sit at the top of the hierarchy
> they must be self signed. Am I missing something?

Nope, you've pretty much got it. At some point in the tree, you need to trust a key. It's not that hard to establish trust for one key, but it's very hard to establish trust for all keys. Thus, you establish trust in the certificate authority and trust keys signed by it.

If you don't want to run your own certificate authority or pay a commercial one to sign your key, and you don't have a lot of certificates to deal with, you can have each key simply be self-signed, which I believe is what's being recommended here.

noah
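
The two trust models discussed in this thread (a self-signed root that signs other certificates, versus each certificate being self-signed), as an added example that is not part of any poster's message. It assumes the `openssl` command-line tool is installed; the names `Example Root CA`, `www.example.test` and `solo.example.test` are constructed placeholders.

```sh
#!/bin/sh
# Added example. All names (Example Root CA, *.example.test) are constructed.
d=$(mktemp -d)

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

new_self_signed() {  # $1 = file stem, $2 = CN, remaining args go to openssl req
    stem=$1; cn=$2; shift 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/pki.cnf" \
        -subj "/CN=$cn" -keyout "$d/$stem.key" -out "$d/$stem.pem" "$@" 2>/dev/null
}

new_signed_by_root() {  # $1 = file stem, $2 = CN; issuer is the root created below
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$1.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -out "$d/$1.pem" 2>/dev/null
}

trusted_by() {  # $1 = trust anchor file, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

is_self_signed() {  # subject equals issuer and the signature verifies under its own key
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^[a-z]*= *//')
    [ "$s" = "$i" ] && trusted_by "$1" "$1"
}

new_self_signed root "Example Root CA" -extensions v3_ca  # the one key you choose to trust
new_signed_by_root www "www.example.test"                 # issued by that CA
new_self_signed solo "solo.example.test"                  # no CA involved

for pair in "root www" "solo www" "solo solo" "root solo"; do
    set -- $pair
    if trusted_by "$d/$1.pem" "$d/$2.pem"; then r=accepted; else r=rejected; fi
    echo "anchor=$1 cert=$2: $r"
done
```

With a CA, clients install one anchor (`root.pem`) and every certificate it signs is accepted; with standalone self-signed certificates, each certificate has to be installed as its own anchor on every client.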