Re: raw disk access
On Sat, 08 Feb 2003, at 23:49 +0100, Christian said:
> What about cp /dev/sdx /dev/sdy

cp, dd and every command use the system calls, and system calls use the drivers, and I am not sure the drivers don't modify structure.

Example:

step 1) you read a block of data from one of the hard-disks
step 2) when you are going to write the block on the other, the sector has a hardware error, so the driver marks the sector as useless and writes the information on another sector.

The data on both is the same for sure, but the structure is not the same.

One solution is to simulate a hard-disk on top of another hard-disk (or memory or whatever), something like a virtual hard-disk that allows you to forget about these hardware differences.

-- 
Alberto Cortés Martín | Telecommunications Eng.
email: [EMAIL PROTECTED] | Universidad Carlos III
Jabber and MSN: alcortes43 | Madrid
ICQ#: 101088159 | Spain
url: http://montoya.aig.uc3m.es/~acortes/index.html
1A8B 0FE6 2094 8E48 38A2 7785 03CD 07CD 6CA4 E242
Re: raw disk access
On Tue, 07 Jan 2003, at 19:51 -0800, Blars said:
> In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
>> i am looking for forensics tools that can be used in computer crime investigations, and am particularly interested in a tool that provides raw drive (hard, floppy, CD, DVD, etc.) access in order to create complete and accurate drive images.
>
> Low level tools are no trick at all. If you are root or root has given you access (recommended), you can use any normal tools (dd, grep, perl) on the appropriate /dev/hd* or /dev/sd*. You can mount the filesystem read-only if you don't want to access deleted files, etc.

As far as I know, when you do something like:

dd if=/dev/org_dev of=/dev/dest_dev

you are passing through 2 interfaces you don't control, at least you don't have direct control of them. I am talking about the drivers of the devices, which can do some modifications to the data. A look at the drivers, driver_open(), driver_close(), driver_read() and so on has to be done to fully understand what they are doing with the data, not to mention the functionality implemented by the hardware, like error checking and other things.

I have never looked at any hard disk driver but I think you will have to do it if you want to be sure. Maybe you can disable some hardware functionality with some IOCTL.

-- 
Alberto Cortés Martín | Telecommunications Eng.
email: [EMAIL PROTECTED] | Universidad Carlos III
Jabber and MSN: alcortes43 | Madrid
ICQ#: 101088159 | Spain
url: http://montoya.aig.uc3m.es/~acortes/index.html
1A8B 0FE6 2094 8E48 38A2 7785 03CD 07CD 6CA4 E242
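Both raw-disk replies above worry that what dd writes is not what was read. The following added script (not code from the thread or from any poster) assumes GNU coreutils (dd with status=none, sha256sum) and makes that concern checkable: it images a source with dd and then compares SHA-256 digests of source and image, so any change to the data stream between read and write, including a zero-filled unreadable sector, is reported; it cannot see the physical sector layout of the target. The function and path names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the list thread. Assumes GNU coreutils (dd with
# status=none, sha256sum). Image a source device (or any file standing in for
# one) with dd, then compare SHA-256 digests of source and image: a driver,
# firmware remapping or a zero-filled bad sector that alters the data stream
# shows up as a mismatch. This checks data, not physical sector placement,
# which is one reason forensic images are written to a file rather than a disk.
set -e

# hash_of PATH : print the SHA-256 digest of PATH (device node or regular file).
hash_of() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# verify_image SRC IMG : return 0 if SRC and IMG hash identically, 1 otherwise.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified sha256=$src_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash" >&2
    return 1
}

# image_and_verify SRC IMG : copy SRC to IMG sector by sector, then verify.
# conv=noerror,sync keeps going past an unreadable sector and zero-fills it,
# so the image stays offset-aligned and the bad sector is caught by the hash
# check instead of silently shifting everything after it.
image_and_verify() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync status=none
    verify_image "$1" "$2"
}

# Typical call on a real system (as root, hypothetical paths):
#   image_and_verify /dev/sdX /mnt/evidence/sdX.img
```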
Re: port 16001 and 111
On Tue, 15 Oct 2002, at 09:47 +0200, Martin said:
> 15 Oct 2002, Jussi Ekholm wrote:
> Off the top of my head: Do you have any nfs services running on the machine? I seem to remember sunrpc being used by the nfs-server ...
-- End of original message --

NIS too.

-- 
Alberto Cortés Martín | Telecommunications Eng.
email: [EMAIL PROTECTED] | Universidad Carlos III
Jabber and MSN: alcortes43 | Madrid
ICQ#: 101088159 | Spain
url: http://montoya.aig.uc3m.es/~acortes/index.html
1A8B 0FE6 2094 8E48 38A2 7785 03CD 07CD 6CA4 E242
export problems on security updates?
On http://security.debian.org/ it can be read:

> You can use apt to easily get the latest security updates. This requires a line such as
> deb http://security.debian.org/ woody/updates main contrib non-free

Since I am not living in the US, and some security updates deal with cryptographic software, I understand that it will be illegal for me to download these updates from outside of the USA. In other words, is http://security.debian.org/ located outside the US?

-- 
Alberto Cortés Martín | Telecommunications Eng.
email: [EMAIL PROTECTED] | Universidad Carlos III
Jabber and MSN: alcortes43 | Madrid
ICQ#: 101088159 | Spain
url: http://montoya.aig.uc3m.es/~acortes/index.html
1A8B 0FE6 2094 8E48 38A2 7785 03CD 07CD 6CA4 E242
Re: export problems on security updates?
Thanks to all of you!

-- 
Alberto Cortés Martín | Telecommunications Eng.
email: [EMAIL PROTECTED] | Universidad Carlos III
Jabber and MSN: alcortes43 | Madrid
ICQ#: 101088159 | Spain
url: http://montoya.aig.uc3m.es/~acortes/index.html
1A8B 0FE6 2094 8E48 38A2 7785 03CD 07CD 6CA4 E242
Re: Can a daemon listen only on some interfaces?
On Sun, 09 Dec 2001, at 00:06 +1000, mdevin said:
>> Make sure your /etc/X11/xinit/xserverrc contains something like this:
>>
>> #!/bin/sh
>> exec /usr/bin/X11/X -dpi 100 -nolisten tcp
>
> Hmmm. This file did not exist on my computer. I don't know why. I just assumed that it would have the nolisten parameter as default. I remember reading somewhere that Debian did this - but I guess I did not check.

Look for it in /etc/X11/xdm/Xservers or in /etc/X11/gdm...

> I couldn't find the portmap package. I am running potato with 2.4 kernel stuff from Adrian Bunk's site. I did apt-cache search portmap - but only found scotty. Which is not installed on my system. Then I did some google searches to see if I could remove the package it is in, but couldn't find anything. In the end I just did:
>
> update-rc.d -f portmap remove
>
> And that fixed it (see below). But I would prefer to remove the whole program from my system if that can be done with a simple apt-get remove --purge command.

I had the same problem, I just made /etc/init.d/portmap a non-executable file - no more listening on 111. Whenever you have to use NIS or NFS just chown the file again to executable.

-- 
Alberto Cortés Martín | Telecommunications Eng.
email: [EMAIL PROTECTED] | Universidad Carlos III
tel: +34 91 450 09 85 | Madrid
mobile: 600 42 77 57 | Spain
url: http://montoya.aig.uc3m.es/~acortes/index.html
1A8B 0FE6 2094 8E48 38A2 7785 03CD 07CD 6CA4 E242
Re: Can a daemon listen only on some interfaces?
> use NIS or NFS just chown the file again to executable.

OOPS, I mean chmod, not chown.

-- 
Alberto Cortés Martín | Telecommunications Eng.
email: [EMAIL PROTECTED] | Universidad Carlos III
tel: +34 91 450 09 85 | Madrid
mobile: 600 42 77 57 | Spain
url: http://montoya.aig.uc3m.es/~acortes/index.html
1A8B 0FE6 2094 8E48 38A2 7785 03CD 07CD 6CA4 E242
Re: GPG fingerprints
On Mon, 17 Sep 2001, at 20:25 +0200, Martin said:
> thus spoke Tim Haynes (on Mon, 17 Sep 2001 05:05:27PM +0100):
>> Unless I'm well mistaken, of course... But I'd never trust a key whose fingerprint had turned up in public before.
>
> that's a little ridiculous, isn't it, given that i can use my gpg to view the fingerprint of your public key, which is, uh, public. you can safely post your fingerprint everywhere, but you have to do fingerprint verification - i have to read you mine - over the phone

That's right, I usually show my fingerprint in my emails; of course, if anyone wants to trust my public key, he has to contact me in a more secure way than looking at the signature of a single email. Looking at lots of emails from me, some new, some old, could be a good way; a telephone call can be OK if you know my voice, and a mix of these things would be OK if you don't know me at all.

Key-sharing in public events (like Linux conventions) is also a good way of verifying public keys: you will meet the person, you can even ask him for his ID (driving license or something like this), and it is also a good way of making new friends and talking a lot about Linux ;-).

Personal contact is (hopefully) the only real way to verify public keys, but the cost of being a man in the middle fooling all the Internet, changing web logs of mailing lists and the database of every web crawler, is so high that for the most common cases it is sufficient to publish your fingerprint in every email along with your telephone number. Also use common sense for these things; it is the best way of being really sure of the integrity of someone's public key.

-- 
use the source, Luke! -- Yoda
Alberto Cortés Martín | Telecommunications Eng.
email: [EMAIL PROTECTED] | Universidad Carlos III
tel: +34 91 450 09 85 | Madrid
cel: 600 42 77 57 | Spain
1A8B 0FE6 2094 8E48 38A2 7785 03CD 07CD 6CA4 E242
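The point all three posters agree on is that a published fingerprint is harmless; the verification step is comparing the fingerprint of the key you actually hold with one obtained out of band (phone, in person). The following added script (not code from the thread or from any poster) does that comparison on the output of gpg's documented colon format, where the fpr record carries the fingerprint in field 10; the sample colon output is constructed, the function names are hypothetical, and the expected value is the fingerprint from the list signature above.

```shell
#!/bin/sh
# Added example, not from the list thread. Compare an out-of-band fingerprint
# with the fingerprint gpg reports for the key in your keyring. Parsing assumes
# GnuPG's documented colon format: an "fpr" record whose 10th field is the
# fingerprint, following the "pub" record of the primary key.
set -e

# normalize_fpr STRING : drop spaces/tabs and uppercase, so the spaced form
# people read over the phone compares equal to gpg's compact form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# fingerprints_from_colons : read `gpg --with-colons --fingerprint` output on
# stdin and print each primary-key fingerprint (the fpr record right after a
# pub record), one per line. Subkey fingerprints are deliberately skipped.
fingerprints_from_colons() {
    awk -F: '$1=="pub"{want=1;next} $1=="fpr" && want{print $10; want=0} $1=="sub"{want=0}'
}

# check_fingerprint EXPECTED : return 0 if EXPECTED (obtained out of band)
# matches a primary-key fingerprint in the colon output on stdin, 1 if not,
# 2 if EXPECTED is not a 40-hex-digit fingerprint.
check_fingerprint() {
    expected=$(normalize_fpr "$1")
    if [ ${#expected} -ne 40 ]; then
        echo "expected fingerprint must be 40 hex digits" >&2
        return 2
    fi
    for got in $(fingerprints_from_colons); do
        if [ "$(normalize_fpr "$got")" = "$expected" ]; then
            echo "fingerprint matches: $expected"
            return 0
        fi
    done
    echo "NO MATCH for $expected" >&2
    return 1
}

# Constructed sample of colon output for one key with one subkey (not captured
# from a real keyring); the primary fingerprint is the one in the list signature.
SAMPLE_COLONS='tru::1:1000000000:0:3:1:5
pub:u:1024:17:03CD07CD6CA4E242:2001-01-01::u:::scESC:
fpr:::::::::1A8B0FE620948E4838A2778503CD07CD6CA4E242:
uid:u::::2001-01-01::0123456789ABCDEF0123456789ABCDEF01234567::Alberto Cortes Martin <[EMAIL PROTECTED]>:
sub:u:1024:16:0123456789ABCDEF:2001-01-01::::::e:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Real use: gpg --with-colons --fingerprint KEYID | check_fingerprint "fingerprint read over the phone"
```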
Re: protecting against buffer overflow.
On Sat, 15 Sep 2001, at 13:30 -0400, Russell said:
> What's a good piece of software to monitor for system accesses?

snort is good for detecting well known attacks on your system.

> Should I report the IP to RBL or something like that?

I usually run whois on the attacker IP and send a mail to his sysadmin with the logs from the incident.

-- 
use the source, Luke! -- Yoda
Alberto Cortés Martín | Telecommunications Eng.
email: [EMAIL PROTECTED] | Universidad Carlos III
tel: +34 91 450 09 85 | Madrid
cel: 600 42 77 57 | Spain
1A8B 0FE6 2094 8E48 38A2 7785 03CD 07CD 6CA4 E242
apt-get does not download new packages announced in debian-security-announce
I have a little problem with apt-get; I think I am not doing it the proper way. When there is an announcement that a certain package has a bug (like gnupg v1.0.5), you can read on www.debian.org that there is a new package to download (1.0.6-0potato1). That's OK, but I can't download it with my apt-get; maybe I am not using the correct sources. My sources.list looks like this:

deb http://http.us.debian.org/debian stable main contrib non-free
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free

What are the official sources if you want to have an up to date, secure system?

-- 
Alberto Cortés Martín | Telecommunications Eng.
email: [EMAIL PROTECTED] | Universidad Carlos III
tel: +34 91 450 09 85 | Madrid
cel: 600 42 77 57 | Spain
icq# 101088159 |