Re: how secure is mail and ftp and netscape/IE???

2001-02-21 Thread Daniel Stark
Yes, you should be concerned.  Nowadays most people are using SSH for all 
communication.  It's really the way to go for remote access.  Take a look at 
openssh.com for some more information.  Plus it's free, and we like free. ;)




From: Steve Rudd <[EMAIL PROTECTED]>
To: debian-security@lists.debian.org
Subject: how secure is mail and ftp and netscape/IE???
Date: Wed, 21 Feb 2001 15:13:43 -0500

Hello! Steve here,

Well I am one of the family now! My server is Debian 2.2r2. A benign hacker
got me. All he seemed to do was overwrite my root index.html page and
notify the "hackers watchdog" group to take responsibility for the act!

I have some security questions:

1. How secure is it checking email with eudora pro, given they have not yet
got ssh or any other system that is secure? Since outlook has ssh, is it
worth switching for that? I use a separate user and password for mail and ftp.


2. Cute ftp is not secure yet, but should be soon.

3. Using netscape to port to private sections of the website:

www.abc.com:1020/systemconfig/index.html

(for example)

I am asked for a user name and password via netscape/IE

===

Ok all these things are really transmitting my user name and password via
plain text with no encryption. If I have sudo installed and a sniffer comes
along, they have root access very easily!

Should I be concerned about using email, ftp and IE ?

Steve


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact 
[EMAIL PROTECTED]




_
Get your FREE download of MSN Explorer at http://explorer.msn.com



RE: Anti Virus for Debian

2001-02-21 Thread Daniel Stark

You're talking about removing viruses though.  I'm talking about preventing 
them.  Anybody can manually remove a virus from a Windows machine, it's 
really easy.  I can even remove W95.MTX (The Matrix) virus in 5 minutes.  
I'm not sure of any network admin that wants to spend their time removing 
viruses though.  I think the easiest way to go about virus safety is just 
make it more difficult to get a virus.  Thus disabling scripting.  Of course 
many of Microsoft's auto updates are kind enough to enable it again.  That's 
why you use a program like Autoinstall to roll out your updates. ;)


>From: "Magus Ba'al" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: RE: Anti Virus for Debian
>Date: Wed, 21 Feb 2001 09:32:28 -0700
>
>After ILOVEYOU first came out and AV vendors didn't have a fix for it, we
>had to figure out a way to quickly disable the virus. So I spent 5min
>finding the reg key and writing 2 scripts to make the default action Edit,
>instead of Open, and another in reverse, make the default action Open
>instead of Edit. I wouldn't suggest renaming wscript.exe, jscript.exe or
>csscript.exe, as Critical Updates, Repairing, or Upgrading IE will just put
>those files back in place. The javascripts are attached, take a peek and see
>if they fit the bill. If not, at least you still have the option to quickly
>disable VBS scripting :)
>
>
>
>
>-Original Message-
>From: Daniel Stark [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, February 21, 2001 9:12 AM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Re: Anti Virus for Debian
>
>
>Speaking of Windows and *.vbs attacks.  What you should really do is disable
>the scripting host on all of your Windows machines.  For those of you who
>don't know, you can just rename "wscript.exe" "jscript.exe" and
>"cscript.exe".  There's a good chance you'll only have one of them.
>
>
> >From: Bradley M Alexander <[EMAIL PROTECTED]>
> >To: Mario Zuppini <[EMAIL PROTECTED]>
> >CC: Matthew Sherborne <[EMAIL PROTECTED]>,
> >[EMAIL PROTECTED]
> >Subject: Re: Anti Virus for Debian
> >Date: Mon, 19 Feb 2001 23:35:01 -0500
> >
> >On Tue, Feb 20, 2001 at 01:59:20PM +1000, Mario Zuppini wrote:
> > > I would also like to know of virus scanners especially for mail servers ie
> > > sendmail
> > > that will work on a SPARC ???
> > >
> > > there are a few that work under i386 ie like amavris etc can be found on
> > > freshmeat.net
> > > but nothing will work under a sparc
> >
> >As a quick and dirty option, you can use procmail to filter. Depending on
> >your security posture and threat environment, you can filter on
> >multi-extension vbs files (e.g. AnnaKournikova.jpg.vbs), all VBS files, exe
> >files, or any combination. You could filter them to a quarantine area, then
> >peruse them at your leisure.
> >
> >You should combine this with turning off auto execute of attachments on all
> >of your windows boxen.
> >
> >--
> >--Brad
> >====
> >Bradley M. Alexander, CISSP  |   Co-Chairman,
> >Beowulf System Admin/Security Specialist |NoVALUG/DCLUG Security SIG
> >Winstar Telecom  |   [EMAIL PROTECTED]
> >(703) 889-1049   |   [EMAIL PROTECTED]
> >====
> >Those who trade liberty for security have neither.
>
><< VBSscripts.zip >>








Re: Anti Virus for Debian

2001-02-21 Thread Daniel Stark
Speaking of Windows and *.vbs attacks.  What you should really do is disable 
the scripting host on all of your Windows machines.  For those of you who 
don't know, you can just rename "wscript.exe" "jscript.exe" and 
"cscript.exe".  There's a good chance you'll only have one of them.




From: Bradley M Alexander <[EMAIL PROTECTED]>
To: Mario Zuppini <[EMAIL PROTECTED]>
CC: Matthew Sherborne <[EMAIL PROTECTED]>, debian-security@lists.debian.org
Subject: Re: Anti Virus for Debian
Date: Mon, 19 Feb 2001 23:35:01 -0500

On Tue, Feb 20, 2001 at 01:59:20PM +1000, Mario Zuppini wrote:
> I would also like to know of virus scanners especially for mail servers ie
> sendmail
> that will work on a SPARC ???
>
> there are a few that work under i386 ie like amavris etc can be found on
> freshmeat.net
> but nothing will work under a sparc

As a quick and dirty option, you can use procmail to filter. Depending on
your security posture and threat environment, you can filter on
multi-extension vbs files (e.g. AnnaKournikova.jpg.vbs), all VBS files, exe
files, or any combination. You could filter them to a quarantine area, then
peruse them at your leisure.

You should combine this with turning off auto execute of attachments on all
of your windows boxen.

--
--Brad

Bradley M. Alexander, CISSP  |   Co-Chairman,
Beowulf System Admin/Security Specialist |NoVALUG/DCLUG Security SIG
Winstar Telecom  |   [EMAIL PROTECTED]
(703) 889-1049   |   [EMAIL PROTECTED]

Those who trade liberty for security have neither.


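The attachment filtering Brad describes above can be prototyped as a small shell filter. This is an added example, not code from the thread or from procmail; the function names, the policy keywords (`double-vbs`, `vbs`, `exe`) and the sample messages are constructed for illustration.

```sh
#!/bin/sh
# Added example: decide whether a message should go to quarantine based on
# its attachment file names. Policy keywords and sample mail are constructed.

# Print one attachment name per line, taken from the name=/filename=
# parameters of Content-Type and Content-Disposition headers.
attachment_names() {
    # Unfold continuation lines first: the parameter often sits on a folded
    # line, where a line-by-line match on the header name would miss it.
    awk '
        /^[ \t]/ { buf = buf " " $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | grep -i -E '^Content-(Type|Disposition):' \
      | grep -i -o -E '(file)?name="?[^";]+' \
      | sed -E -e 's/^[^=]*="?//' -e 's/[[:space:]]+$//'
}

# classify_message POLICY < message
# POLICY is a comma-separated list of double-vbs, vbs, exe.
# Prints "quarantine" if any rule matches an attachment name, else "deliver".
classify_message() {
    policy=$1
    names=$(attachment_names)
    verdict=deliver
    for rule in $(printf '%s' "$policy" | tr ',' ' '); do
        case $rule in
            double-vbs) re='\.[a-z0-9]+\.vbs$' ;;   # e.g. picture.jpg.vbs
            vbs)        re='\.vbs$' ;;
            exe)        re='\.exe$' ;;
            *) echo "unknown rule: $rule" >&2; return 2 ;;
        esac
        # Extensions are matched case-insensitively (.VBS, .Exe, ...).
        if printf '%s\n' "$names" | grep -i -q -E "$re"; then
            verdict=quarantine
        fi
    done
    printf '%s\n' "$verdict"
}

# Constructed sample: a multipart message with one attachment named $1,
# with the name parameter on a folded header line.
sample_message() {
    cat <<EOF
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream;
 name="$1"
Content-Disposition: attachment;
 filename="$1"

(attachment body omitted)
--b1--
EOF
}

# Show the verdict for each sample under a "double-extension VBS or EXE" policy.
for name in AnnaKournikova.jpg.vbs report.VBS setup.exe photo.jpg; do
    printf '%-24s %s\n' "$name" \
        "$(sample_message "$name" | classify_message double-vbs,exe)"
done
```

File names are only a hint: a filter like this catches the mass-mailer pattern discussed in the thread, not a renamed attachment.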



Re: Benign crackers?

2001-02-21 Thread Daniel Stark
You wouldn't actually imply that hackers are out there providing a welcome
service do you?  I can see if you asked for your network to be stress
tested, but to go as far as saying they provide a welcome service?  Come on!
Yeah, they might have found a security hole, but oops, now the firewall
admin is out of a job.  People should constantly strive to secure their own
boxen, we don't need hackers to do it for us.




From: "A. L. Meyers" <[EMAIL PROTECTED]>
To: Steve Rudd <[EMAIL PROTECTED]>
CC: debian-security@lists.debian.org
Subject: Benign crackers?
Date: Wed, 21 Feb 2001 08:21:02 +0100 (CET)

-BEGIN PGP SIGNED MESSAGE-

On Tue, 20 Feb 2001, Steve Rudd wrote:

> Daniel Stark asked:
>
> At 01:53 PM 2/20/01 -0800, you wrote:
> >How exactly did you get hacked?  Did you leave security holes large
> >enough for a bus to drive through open?  Open your inetd.conf file and #
> >out everything!  The only thing you need open is port 22.  Others will
> >disagree, but depending on what your server is used for, this should be
> >your first step for security.
>
> Steve here,
>
> Several have voiced an interest in the hack. Well here is a guess and some
> facts:
>
> THE HACK:
> For those interested in the hack, I think it was the "Dameon worm" but
> could not find any evidence of the trace files on my system. Here is what
> happened:
>
> 1. I get a letter from "[EMAIL PROTECTED]"  saying: "Urgent! Security
> incident on your machine! Attrition.org is a non-profit, hobby web site
> that monitors
> computer crime on the internet. In the past few minutes, we
> have been notified that your domain was hacked, and your web
> page defaced. This means that the intruder has edited your
> web page in some way. Due to this, it is quite likely that
> one or all of the machines on your network are compromised.
> You may wish to take immediate action to correct this problem
> and respond to the intrusion."
>
> 2. I noticed my clock went forward maybe a day and had to reset it via
> "date" command.
>
> 3. I notice a single page was changed: "index.html"
>
> Here is the code from that page:
>
>NS_ActualOpen=window.open;
>function NS_NullWindow(){this.window;}
>function NS_NewOpen(url,nam,atr){return(new NS_NullWindow());}
>window.open=NS_NewOpen;
>
> ..:: Quit Crew ::..
>
>  codebase="http://active.macromedia.com/flash2/cabs/swflash.cab#version=4,0,0,0"
>  ID=devil WIDTH=731 HEIGHT=562>
>
> =
> end code
>
> 4. I have noticed nothing other than these changes.
>
> So there you have it. I didn't even ever get to see what the flash was all
> about it just loaded forever without anything. You know for all my trouble,
> I should have at least got some free artwork!
>
> Steve
>
Dear fellow debianites,

To dispel any doubts, I would not even know how to start a crack
attempt.

There seem to be more and more "benign" hackers and crackers on the web
who might even be a "blessing in disguise". If all they do is crack
sites without damaging anything and afterwards inform the sites, they
might just be performing a very valuable service.

My own experience is that no one believes he is vulnerable until he has
experienced a real security breach or worse. People in general seem to
prefer to remain blissfully unaware of internet security risks. Even
persuading clients to download pgp and use it to transfer confidential
information encrypted is not easy.

Best regards,

Lucien Meyers

-BEGIN PGP SIGNATURE-
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOpNsZYsavovzoIkNAQGLbAQAgjvixxb5CZuEQaso96iNTJCne9t3rVkN
52r7aHqfvGSzHcA64KDWBMv/59aNLDa/OqggJrTdPVIwXAyXTjFbc2jpPEmLD3fk
bsChFH3Zb0xAz537BBbpMRLeCcdvCHqQEyEDQB+WJz4mFt+8ET9N9xqnMIFCJ3Xn
TsLjeB2SlhM=
=XOB8
-END PGP SIGNATURE-









Re: Debian or Linux 7???

2001-02-20 Thread Daniel Stark
How exactly did you get hacked?  Did you leave security holes large enough
for a bus to drive through open?  Open your inetd.conf file and # out
everything!  The only thing you need open is port 22.  Others will disagree,
but depending on what your server is used for, this should be your first step
for security.




From: Steve Rudd <[EMAIL PROTECTED]>
To: debian-security@lists.debian.org
Subject: Debian or Linux 7???
Date: Mon, 19 Feb 2001 18:12:29 -0500

Hi!

I am frustrated with the linux 2.2 kernel. I have had two hacks in 3 months
and I am going broke rebuilding my server.

I went out and bought Redhat 7, and got hacked 6 weeks later.

I have been placed in contact with a guy who wants me to use Debian. But if
it is based upon the same kernel as redhat, how is it going to be more secure?
I checked and found that

from (http://www.securityfocus.com/)
Security risks for years: 1997-2000 respectively:
Debian 3, 2, 32, 45, 12
RedHat 6, 10, 49, 85, 20

So Debian is about twice as good as redhat, but that is not real reassuring.


I am considering joining the debian family, but am a bit concerned about
security.

Just how much more secure is Debian than redhat?

Thanks!

Steve Rudd


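As an added example of the "# out everything" step in the reply above (not code from the thread), the following shell functions list what an inetd.conf currently enables and print a copy with every entry commented out. The function names and the sample file are constructed, and the example assumes sshd runs as its own daemon rather than from inetd, so port 22 is unaffected.

```sh
#!/bin/sh
# Added example: audit and disable inetd services.
# The sample inetd.conf below is constructed, not taken from the thread.

# List every enabled entry as "service/proto user=USER server=PATH".
# inetd.conf fields: service socket-type protocol wait-flag user server [args]
inetd_enabled() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        NF >= 6 { printf "%s/%s user=%s server=%s\n", $1, $3, $5, $6 }
    ' "$1"
}

# Same listing, restricted to services that inetd starts as root.
inetd_root_services() {
    inetd_enabled "$1" | grep ' user=root ' || true
}

# Print the file with every enabled entry commented out.
# Existing comments and blank lines pass through unchanged.
inetd_disable_all() {
    sed -E '/^[[:space:]]*(#|$)/!s/^/#/' "$1"
}

# Constructed sample configuration.
sample_inetd_conf() {
    cat <<'EOF'
# /etc/inetd.conf (constructed sample)
#echo     stream  tcp  nowait  root     internal

ftp       stream  tcp  nowait  root     /usr/sbin/tcpd  /usr/sbin/in.ftpd
telnet    stream  tcp  nowait  telnetd  /usr/sbin/tcpd  /usr/sbin/in.telnetd
pop-3     stream  tcp  nowait  root     /usr/sbin/tcpd  /usr/sbin/ipop3d
finger    stream  tcp  nowait  nobody   /usr/sbin/tcpd  /usr/sbin/in.fingerd
EOF
}

# Walk through the audit on a temporary copy; nothing under /etc is touched.
demo() {
    conf=$(mktemp)
    sample_inetd_conf > "$conf"
    echo "enabled before:"
    inetd_enabled "$conf"
    echo "started as root:"
    inetd_root_services "$conf"
    inetd_disable_all "$conf" > "$conf.new"
    echo "enabled after: $(inetd_enabled "$conf.new" | wc -l | tr -d ' ')"
    rm -f "$conf" "$conf.new"
}
demo
```

inetd only rereads its configuration when it receives SIGHUP, so an edited file has no effect until the daemon is signalled or restarted.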



Re: secure install

2001-02-20 Thread Daniel Stark
When you clone mirrors you usually have to take some steps.  Typically,
depending on your mirror, you need to break the mirror and clone each side
separately.  Someone told me this was because of drive signing or some other
thing, but I'm not sure if that's the truth.




From: Carel Fellinger <[EMAIL PROTECTED]>
To: debian-security@lists.debian.org
Subject: Re: secure install
Date: Sun, 18 Feb 2001 03:38:24 +0100

On Sat, Feb 17, 2001 at 02:14:44PM -0500, Steve Robbins wrote:
> On Sat, Feb 17, 2001 at 06:21:04PM +0100, Carel Fellinger wrote:
...
> > The disadvantage of this command is that it doesn't preserve hardlinks.
>
> Really?  Mine preserves hard (and soft) links.

strange...reading...hm it says it does...trying...and it does, how come?

I'm sure that just days ago whilst copying my mirror with cp -a to
a new drive the size of the new mirror exploded, but using good old
tar the size of the new mirror was about the same as the old mirror.
I think I checked some hardlinks, and sure enough they had vanished,
but in the light of this new test I'm not so sure anymore. Anyway,
cp -a seems to work.

--
groetjes, carel





Re: secure install

2001-02-20 Thread Daniel Stark
You know, Ghost 2001 supports the ext2 partition on certain versions of 
Linux.  It doesn't officially support Debian Linux, but I've cloned my 
Debian laptop and my Debian desktop many times.




From: "Thor" <[EMAIL PROTECTED]>
To: "Zak Kipling" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
CC: 
Subject: Re: secure install
Date: Sat, 17 Feb 2001 14:49:03 +0100

Hi

> On Sat, 17 Feb 2001 [EMAIL PROTECTED] wrote:
>
> > i am sure that is not the case,
> > the only requirement is that the target media is the
> > same size or larger?
>
> Indeed. Most filesystems, including ext2, are independent of the disk
> geometry. So you can "dd" _partitions_ (eg /dev/hda1) from smaller to
> larger disks, then add additional partitions if you want to take advantage
> of the extra space. The geometry is only relevant if you want to "dd"
> entire disks (eg /dev/hda). Alternatively you can tar the whole system --

and in effect we are talking about "cloning" an entire disk from an
installed system
to n other systems.
Speaking of cloning a single partition, I suggest a simple
'cp -ax /mount_point_of_original_partition /mount_point_of_target_partition'
the 'a' stands for archive (recursive and same permissions)
and with the 'x' the copy doesn't go outside the indicated filesystem.
You can find the same suggestion in How-To/Large-Disk

---
;---+---;
bye |
bye |hor


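Both the `cp -ax` suggestion quoted above and the earlier question in this thread about whether `cp -a` keeps hard links can be checked directly. The following is an added example, not code from the thread: it clones a small constructed tree with `cp -ax` and with a file-by-file copy, then compares hard-link counts and inodes. It assumes GNU cp; all function and file names are made up for the illustration.

```sh
#!/bin/sh
# Added example: check that a cloned tree kept its hard links.
# Everything is created under a temporary directory; names are constructed.

# Number of regular-file names under DIR that share an inode with another name.
linked_names() {
    find "$1" -xdev -type f -links +1 | wc -l | tr -d ' '
}

# Inode number of one file (ls -i prints "inode name").
inode_of() {
    ls -i "$1" | awk '{ print $1 }'
}

# Succeed only if the copy has as many hard-linked names as the source.
verify_clone() {
    [ "$(linked_names "$1")" = "$(linked_names "$2")" ]
}

# Constructed source tree: one 64 KiB file with two names, plus a symlink.
make_source() {
    mkdir -p "$1/bin"
    dd if=/dev/zero of="$1/bin/gzip" bs=1024 count=64 2>/dev/null
    ln "$1/bin/gzip" "$1/bin/gunzip"
    ln -s gzip "$1/bin/zcat"
}

# The command from the thread: archive mode (-a), stay on one filesystem (-x).
clone_archive() {
    mkdir -p "$2" && cp -ax "$1/." "$2/"
}

# A copy made one file at a time cannot know that two names were the same
# file, so each name becomes an independent copy and the clone grows.
clone_per_file() {
    ( cd "$1" && find . -type f ) | while IFS= read -r f; do
        mkdir -p "$2/$(dirname "$f")"
        cp -p "$1/$f" "$2/$f"
    done
}

# Clone the sample tree both ways and report what happened to the links.
demo() {
    t=$(mktemp -d)
    make_source "$t/src"
    clone_archive "$t/src" "$t/archive"
    clone_per_file "$t/src" "$t/perfile"
    for d in archive perfile; do
        if verify_clone "$t/src" "$t/$d"; then r=kept; else r=lost; fi
        echo "$d: hard links $r, $(du -sk "$t/$d" | awk '{ print $1 }') KiB"
    done
    rm -rf "$t"
}
demo
```

A clone that silently turns links into copies is the "size exploded" symptom described earlier in the thread, so comparing `linked_names` on source and target is a quick acceptance check after any cloning method.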







Re: Food for thought - SECURITY (design flaw?)

2001-02-12 Thread Daniel Jacobowitz
On Mon, Feb 12, 2001 at 10:43:33AM -0200, Carlos Carvalho wrote:
> Andreas Tille ([EMAIL PROTECTED]) wrote on 12 February 2001 11:32:
>  >IMHO people of security team shouldn't spend their time to serve
>  >security fixes for testing.  People who want to use testing on
>  >security relevant machines should know what they do and should be
>  >able to handle those issues themselves.  Those hazardeurs could try
>  >to fix important bugs of the package which is stick to unstable for
>  >whatever reason which would help the whole distribution or backport
>  >the stuff themself.
> 
> What's the purpose of testing exactly? If it's a preparation for
> becoming stable it should obviously include the security fixes,
> otherwise when the transition testing -> stable happens you're... If
> it's not a preparation for stable it has no purpose.

It is preparation for becoming stable, but not "on half a moment's
notice".  Security fixes go into unstable and trickle into testing. 
The principle, I think, is that we can throttle the packages being
allowed into testing for an easier release cycle.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/







Re: How to use apt to install security updates ?

2001-02-11 Thread Daniel Jacobowitz
On Sun, Feb 11, 2001 at 06:14:39PM +0100, Christian Schlettig wrote:
> Hello,
> 
> I'm new to the list and I've just read the security.debian.org page and 
> inserted the "deb http://security.debian.org/ slink updates"
> line to my /etc/apt/sources.list.
> 
> When i run apt-get update i'll get the following output:
> 
> :/home/user# apt-get update
> Get:1 http://security.debian.org slink/updates Packages [19.4kB]
> Get:2 http://security.debian.org slink/updates Release [105B]
> Fetched 19.5kB in 3s (5958B/s)
> Reading Package Lists... Done
> Building Dependency Tree... Done
> 
> and nothing else.
> 
> I'm using the original files from somewhere October so i'm wondering why
> there are no new packages for me ?!
> 
> What am i doing wrong.

Are you really running slink?  We don't support that any more; you
should upgrade to potato, which has been out since last August.  The
web page does not reference slink any more...

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/







Re: Disappointment in security handling in Debian

2001-02-01 Thread Daniel Jacobowitz
On Thu, Feb 01, 2001 at 02:12:40PM +0100, Mathieu Dessus wrote:
> This is not directly related to this thread, but this post reminds me
> that generally the translations pages of Security Information page (
> http://www.debian.org/security/ ) are generally not up to date.
> And with the automatic switch to the page corresponding to your
> language's preference, I've been fooled several times, thinking that
> Debian security was not up to date.
> 
> What about adding a link to the original version with a warning or
> simply disabling automatic switching language for this page ?

The web people tell me that this was a bug in the automatic
regeneration of the web pages; it should be fixed.

Dan

/\  /----\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/







Re: Disappointment in security handling in Debian

2001-02-01 Thread Daniel Jacobowitz
On Wed, Jan 31, 2001 at 08:56:24AM +1100, Craig Small wrote:
> G'day,
>   I'm writing this to express my frustration at the slowness Debian
> seems to be afflicted with when it comes to letting people know about
> our security vulnerabilities and fixes.
> 
> We seem to be able to find, fix and upload fixed packages quite
> quickly, however we are usually the last to let others know that they
> should upgrade to the new packages, making our users unnecessarily
> vulnerable.

I beg your pardon?  This isn't the general case at all.  Your example
is certainly accurate, but to my knowledge lprng is the only thing to
slip through the cracks that way in a year.  We're often behind with
fixes in general, but when we post a fix the advisory generally goes
out the same day!

Dan

/----\  /----\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/



Re: Disappointment in security handling in Debian

2001-01-31 Thread Daniel Jacobowitz

On Wed, Jan 31, 2001 at 08:56:24AM +1100, Craig Small wrote:
> G'day,
>   I'm writing this to express my frustration at the slowness Debian
> seems to be afflicted with when it comes to letting people know about
> our security vulnerabilities and fixes.
> 
> We seem to be able to find, fix and upload fixed packages quite
> quickly, however we are usually the last to let others know that they
> should upgrade to the new packages, making our users unnecessarily
> vulnerable.

I beg your pardon?  This isn't the general case at all.  Your example
is certainly accurate, but to my knowledge lprng is the only thing to
slip through the cracks that way in a year.  We're often behind with
fixes in general, but when we post a fix the advisory generally goes
out the same day!

Dan

/----\  /----\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: rpc.statd attack?

2001-01-09 Thread Daniel Jacobowitz
On Tue, Jan 09, 2001 at 12:31:59PM -0800, [EMAIL PROTECTED] wrote:
> I got the following (alarming) messages on syslog:
> 
> Jan  8 13:34:23 yuban syslogd: Cannot glue message parts together Jan
> 8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for
> ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7\xff\xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8
> x%236x%n%137x%n%10x%n%192x%n\220


> it looks like an attack (specially when I see /bin/sh hidden in
> there). I searched the lists and it seems that this problem should
> have been corrected before potato was released. Any reason for
> worries, or is there any reason why I should think it was an
> unsuccessful attack?


If it had been a successful attack, the %x and %n's in the above would
not have come through to syslog; it would have crashed well beforehand.

Dan

/\  /----\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/
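
A log check for the pattern in the quoted syslog entry, as an added example that is not part of the original messages: it counts printf(3) conversions and escaped non-text bytes in each syslog message and only raises a verdict when they occur together, so it also covers daemons other than rpc.statd. The verdict names, thresholds and sample lines are constructed for illustration (the first sample is a shortened form of the entry quoted above).

```python
import re

# Classic syslog line: timestamp, host, program[pid]: message
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# printf(3) conversion: flags, width, precision, length modifier, conversion.
DIRECTIVE = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?([diouxXeEfgGcspn])"
)
# The three renderings of non-text bytes visible in the quoted entry:
# \xNN, \NNN (octal) and ^X (control character).
ESCAPED = re.compile(r"\\x[0-9a-fA-F]{2}|\\[0-3][0-7]{2}|\^[@-_]")

# Constructed sample input.
SAMPLE = [
    r"Jan  8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for "
    r"^X\xf7\xff\xbf^X\xf7\xff\xbf%8x%8x%8x%8x%236x%n%137x%n\220",
    "Jan  8 13:35:01 yuban /USR/SBIN/CRON[412]: (root) CMD (test -x /usr/sbin/anacron)",
    "Jan  8 13:36:10 yuban exampled[77]: lookup failed for %p%p%p%p%p",
    # "% n" parses as a valid %n conversion with the space flag: a lone hit
    # like this must not raise an alert on its own.
    "Jan  8 13:37:42 yuban backupd[91]: backup 50% now complete, 100%% verified",
]


def assess(line):
    """Classify one syslog line by the format-string indicators it carries."""
    m = SYSLOG.match(line)
    msg = m.group("msg") if m else line
    # A literal "%%" is not a conversion; drop it before scanning.
    convs = DIRECTIVE.findall(msg.replace("%%", ""))
    writes = convs.count("n")                         # %n stores to memory
    reads = sum(1 for c in convs if c in "xXp")       # conversions that dump stack words
    raw = len(ESCAPED.findall(msg))                   # escaped binary in a text field
    if writes and (reads >= 2 or raw >= 4):
        verdict = "format-string-write"
    elif reads >= 4:
        verdict = "format-string-probe"
    elif raw >= 8:
        verdict = "binary-in-text"
    else:
        verdict = "clean"
    return {
        "host": m.group("host") if m else None,
        "prog": m.group("prog") if m else None,
        "writes": writes,
        "reads": reads,
        "raw": raw,
        "verdict": verdict,
    }


def scan(lines):
    """Return (program, verdict) for every line that is not clean."""
    findings = []
    for line in lines:
        result = assess(line)
        if result["verdict"] != "clean":
            findings.append((result["prog"], result["verdict"]))
    return findings


if __name__ == "__main__":
    for prog, verdict in scan(SAMPLE):
        print(prog, verdict)
```

A hit only says the request was received and logged; whether the daemon was patched has to be checked against the installed package version.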







Re: Debian audititing tool?

2000-12-26 Thread Daniel Ginsburg
On Tue, Dec 26, 2000 at 10:52:47PM +0100, Christian Kurz wrote:
> On 00-12-26 Peter Cordes wrote:
> > have produced collisions in MD5.  This is a Bad Thing for MD5, but it isn't
> > a real break against MD5.  It means that you can find two messages that hash
> > to the same value.  To do so, you _have_ to choose both messages yourself.
> > If one of the messages is /bin/su, you are almost certainly out of luck.
> > Nobody has figured out how to make another message that collides with a
> > given message.  It only works if they create _both_ messages.
> 
> Cool, would you then please explain why Bruce Schneier writes about MD5:
> "I am wary of using MD5" in his book "Applied Cryptography" at the end
> of the section about MD5?
> 
> Ciao
>  Christian
> 

For some applications the collision-resistance property is critical. Simply
computing and storing one-way hashes IS NOT an application which depends on 
this property.


-- 
dg



Re: Debian audititing tool?

2000-12-26 Thread Daniel Ginsburg
On Tue, Dec 26, 2000 at 09:27:53PM +0200, Pavel Minev Penev wrote:
> On Tue, Dec 26, 2000 at 05:27:07PM +0300, [EMAIL PROTECTED] wrote:
> > Of course plain md5 hashes are not very helpful. But we can keep MAC[1] for
> > binaries. Tampering with MAC database is useless.
> >
> > ...
> >
> > [1] Message Authentication Code. One of possible ways to compute MAC is
> > H(K,H(K,M)) where H is one-way hash function (MD5 or better SHA), K is key, M
> > is message (protected binary).
> 
> Hey, I'm not very good at crypto; however, I was wondering what prevents the
> intruder from regenerating the MAC data-base (and what is the point of the
> double hashing you have stated as "H(K,H(K,M))"?).
>


The Book (Bruce Schneier, "Applied Cryptography"):

Alice concatenates K and M, and computes the one-way hash of concatenation: 
H(K,M). This hash is the MAC. Since Bob knows K, he can reproduce Alice's
result. Mallory, who does not know K, can't.

This method works with MD-strengthening techniques, but has serious problems.  
Mallory can always add new blocks to the end of message and compute a valid MAC.
This attack can be thwarted if you put the message length at the beginning, but
Preneel is suspicious of this scheme. It is better to put the key at the end 
of message, H(M,K), but this has some problems as well.



The following constructions seem secure:
H(K1,H(K2,M))
H(K,H(K,M))
H(K,p,M,K), where p pads K to full message block.



> Sorry if off-topic (though a nice critical note would be fine).
> 
> And don't forget to be gay (at least on Christmas),
> -- 
> Pavel M. Penev
> 

-- 
dg







Re: Problems with root on network clients

2000-11-26 Thread Daniel Jacobowitz
On Fri, Nov 24, 2000 at 01:08:14PM -0400, Brad Allen wrote:
> erbenson> NFS is insecure, deal with it.
> 
> Such as use something besides NFS that is secure; the options are thin
> and immature, but you may still look around because I have a feeling
> there may be a good match, if you're willing to sacrifice admin time
> to the task.  For instance, I'm curious if CODA has played this trick.
> They talk about distribution, security, etc.  Plus, administration of
> local disk caches could become really easy with CODA -- 4GB disk
> cache, now that's nice; it's as if you only really have one machine in
> some administrative senses.  Now, somebody tell me if I'm wrong.
> There is a whole page of Linux filesystems besides EXT2 and NFS out
> there someplace.  Find it and take a good research if you have the
> time.

If you're willing to invest the time to learn it properly, I recommend
AFS as a solution.  The linux port is a little immature, but coming
along surprisingly well.

See www.openafs.org for (not much) more information, and:
deb http://www.mit.edu/afs/sipb/project/openafs/debian packages/

for some preliminary packages.

Dan

/----\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/







Re: task-unstable-security-updates?

2000-11-20 Thread Daniel Jacobowitz
On Mon, Nov 20, 2000 at 08:21:10AM -0500, Itai Zukerman wrote:
> > > It would be very helpful if there was a pseudo-package that conflicted
> > > with packages that have known security problems that have been fixed in a
> > > later version.  That way one could do a regular 'apt-get install
> > > task-unstable-security-updates' and cause the upgrade of all the
> > > conflicting packages that are currently installed on your system.
> 
> Seems like a great idea to me.
> 
> If the BTS had a "security" tag, then this could be done
> automatically.  A quick look through the debian-devel archives, and I
> can't find discussion of this tag.  Was there some reason it wasn't
> introduced?

Most of our security fixes are never filed as bugs - and can not be. 
The BTS is public, and preliminary security advisories are not.
Filing them after they are publicized is, on the whole, redundant.

> > > Is that possible?  Would the security team be willing to maintain such a
> > > pseudo-package?
> > 
> > Not really.  Our priority is stable; security fixes make it to unstable
> > somewhat haphazardly, especially for more obscure architectures.  The
> > maintenance cost on something like this is prohibitively high.
> > 
> > The answer is just to watch one single list - debian-security-announce. 
> > That's what it's for :)
> 
> I'm not sure I understand the reasoning here.  If the answer is to
> watch the debian-security-announce list, then what prevents someone
> watching the list from maintaining the proposed virtual package?

The problem is that, for one thing, maintaining this package usefully
requires getting all fixes compiled on all architectures for unstable. 
That's impractical; we do the best that we can, but it's too time
consuming and too complicated, especially given the quirks of some of
our architectures.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/







Re: task-unstable-security-updates?

2000-11-19 Thread Daniel Jacobowitz
On Sun, Nov 19, 2000 at 12:55:00PM -0700, Mike Fisk wrote:
> There doesn't seem to be an automatic way to get all of the unstable
> packages necessary to address reported security problems.  You either
> have to watch the security mailing lists and upgrade individual packages 
> yourself or do a full dist-upgrade every so often.  As often as packages
> get updated in unstable, that can be prohibitively bandwidth and
> time-consuming.
> 
> It would be very helpful if there was a pseudo-package that conflicted
> with packages that have known security problems that have been fixed in a
> later version.  That way one could do a regular 'apt-get install
> task-unstable-security-updates' and cause the upgrade of all the
> conflicting packages that are currently installed on your system.
> 
> Is that possible?  Would the security team be willing to maintain such a
> pseudo-package?

Not really.  Our priority is stable; security fixes make it to unstable
somewhat haphazardly, especially for more obscure architectures.  The
maintenance cost on something like this is prohibitively high.

The answer is just to watch one single list - debian-security-announce. 
That's what it's for :)

Dan

/----\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/







Re: Bug#77257: FWD: Joe's Own Editor File Link Vulnerability

2000-11-17 Thread Daniel Jacobowitz
On Sat, Nov 18, 2000 at 09:50:49AM +1100, Herbert Xu wrote:
> Colin Phipps <[EMAIL PROTECTED]> wrote:
> >
> > A fix, but it breaks the intended behaviour ("a" for append IIRC). Putting 
> > DEADJOE in $HOME might be a nicer solution?
> 
> No please, temporary files have no place in a user's home directory, because
> unlike /tmp it won't be deleted until the user intervenes in the event of a
> crash.
> 
> Do the right thing and use tmpfile(3).

DEADJOE isn't a temporary file.  It's supposed to be preserved after a
crash - that's the whole use of it.  It shows what files were being
edited when joe was killed.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/







Re: vixie cron... (fwd)

2000-11-17 Thread Daniel Jacobowitz
On Fri, Nov 17, 2000 at 06:24:33AM -0900, Ethan Benson wrote:
> 
> On Fri, Nov 17, 2000 at 07:54:26AM -0600, An Thi-Nguyen Le wrote:
> > On Fri, Nov 17, 2000 at 03:46:19AM -0900, Ethan Benson typed:
> > } On Fri, Nov 17, 2000 at 12:36:54PM +, thomas lakofski wrote:
> > } > fyi -- i've not tried it.
> > } 
> > } i have, it does not work, i tried several different variations and
> > } failed to create any files in /var/spool/cron.
> > } 
> > } i do not believe debian is vulnerable.
> > 
> > Wrong, we *are* vulnerable.  Take a look /var/spool/cron/crontabs 
> > instead.
> 
> ah, you're right, however this is not exploitable since
> /var/spool/cron/crontabs is mode 700.  
> 
> still should be fixed though.

Wrong again :)  In most clean Debian installs it is not mode 0700. 

There will be a security advisory shortly.


Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/







Re: security.debian.org mirrors?

2000-10-22 Thread Daniel Jacobowitz
On Sun, Oct 22, 2000 at 06:37:42PM +0200, Florian Friesdorf wrote:
> On Sat, Oct 21, 2000 at 03:50:18PM +0200, Wichert Akkerman wrote:
> > Previously Florian Friesdorf wrote:
> > > What are the differences between
> > > http://http.us.debian.org/debian dists/potato-proposed-updates/ 
> > > and
> > > http://security.debian.org potato/updates main contrib non-free
> > > ?
> > 
> > One is updates that might make it into a revision of potato, 
> > and the other are verified security fixes.
> 
> ok, please correct me if I'm wrong.
>   - security fixes will make it sooner or later into proposed-updates

That's the principle, yes.

>   - to get security fixes as fast as possible I use
> security.debian.org

Yep.

>   - new features only appear in proposed-updates

Generally (when possible), yes

>   - I should use potato security fixes with woody

Well, it's safe to list it as an apt source, and there will
occasionally be things available there before in unstable.  But fixes
also tend to go straight into unstable.


Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/



Re: security.debian.org mirrors?

2000-10-20 Thread Daniel Jacobowitz
On Fri, Oct 20, 2000 at 01:32:54PM +0300, Mikko Kilpikoski wrote:
> Hi.
> 
> I'm unable to reach security.debian.org or nonus.debian.org
> and can't find a mirror for security.debian.org.  Is there any?
> Where? Can I trust it/them? Oh, and does it contain the security
> fixes for nonus packages (if any)?

I believe it is a matter of trust and of instant distribution; we can
provide uploads to everyone using the security site in a very limited
amount of time.

Dan

/\  /----\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/



Re: php3 security update breaks imp webmailer

2000-10-20 Thread Daniel Jacobowitz
On Fri, Oct 20, 2000 at 04:39:39PM +0200, Thomas Gebhardt wrote:
> Hi,
> 
> I got this response from the IMP mailing list:
> 
> Chuck Hagenbuch <[EMAIL PROTECTED]> :
> 
> Unfortunately, 3.0.17 is broken - it's nothing to do with IMP, except that we
> happen to hit the broken functionality. The PHP folks know about it, and
> hopefully 3.0.18 will be out soon.

Yep, so I've gathered.  I'll do a new security upload when this
happens.

Dan

/----\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/



Re: what is on port 13223

2000-10-12 Thread Daniel Jacobowitz
On Wed, Oct 11, 2000 at 10:11:31PM -0800, Ethan Benson wrote:
> 
> Does anyone know what port 13223 is?  today i have been getting a
> massive number of connection attempts to that port from several
> different addresses.  
> 
> -- 
> Ethan Benson
> http://www.alaska.net/~erbenson/

Probably some current trojan.  Maybe a sub7 variant?  There's a trojan
list on the web somewhere.


Dan

/\  /----\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/



Re: file ownership in liblockfile1 1.01 (sparc)

2000-10-11 Thread Daniel Jacobowitz
On Wed, Oct 11, 2000 at 08:01:57AM -0700, andy wrote:
> On Wed, 11 Oct 2000, Daniel Jacobowitz wrote:
> 
> > On Wed, Oct 11, 2000 at 07:18:23AM -0700, andy wrote:
> > > just ran tiger on a fresh debian (2.2) install, and received the following
> > > warnings:
> > > 
> > > # Performing check of PATH components...
> > > # Only checking user 'root'
> > > --WARN-- [path002w] /usr/bin/dotlockfile in root's PATH from default is
> > > not owned by root (owned by dovienya).
> > 
> > What uid is user dovienya on your machine?
> > 
> 
> uid=1000(dovienya)
> this is the user account set up during the install process.  on the theory
> that it was setting perms based on $SUDO_USER, i tried installing from the
> console as root (w/o su, sudo, fakeroot, etc.) with the same results.


-rwxr-sr-x buildd/mail   14228 1999-07-19 10:57:34 usr/bin/dotlockfile

There's the problem.

> all three boxes i have noticed this on are sparcs.  i don't have a debian
> x86 box around to check...

This sort of error happens when building the package.  It needs to be
recompiled for sparc.  I'll try to get it in 2.2r1.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/
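
The ownership check that the listing in the reply above makes by eye, as an added example that is not part of the original thread: it parses tar-style listing lines (assumed here to be the `dpkg-deb --contents` output format) and reports entries whose owner is outside an allowed set. Apart from the dotlockfile line, the sample entries are constructed, and the allowed-owner set is an assumption.

```python
"""Flag files in a package listing that are not owned by an allowed account."""
import re
from typing import NamedTuple

# One line of tar-style verbose output, the format of the listing quoted in
# the thread: mode, owner/group, size, date, time, path.
ENTRY_RE = re.compile(
    r"^(?P<mode>[-dlcbps][-rwxsStT]{9})\s+"
    r"(?P<owner>[^/\s]+)/(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<path>.+)$"
)


class Finding(NamedTuple):
    path: str
    owner: str
    group: str
    mode: str
    setuid: bool
    setgid: bool


def audit_listing(listing, allowed_owners=frozenset({"root"})):
    """Return a Finding for every entry whose owner is not in allowed_owners.

    allowed_owners is an assumption: packages that legitimately ship files
    owned by other system accounts need those accounts added by the caller.
    A line that does not parse raises ValueError so that a truncated or
    reformatted listing cannot pass the audit silently.
    """
    findings = []
    for line_no, raw in enumerate(listing.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        entry = ENTRY_RE.match(line)
        if entry is None:
            raise ValueError(f"line {line_no}: not a listing entry: {raw!r}")
        if entry["owner"] in allowed_owners:
            continue
        mode = entry["mode"]
        # Symlinks are listed as "path -> target"; report the path only.
        path = entry["path"].split(" -> ", 1)[0]
        findings.append(
            Finding(
                path=path,
                owner=entry["owner"],
                group=entry["group"],
                mode=mode,
                setuid=mode[3] in "sS",  # 's' in the user-execute position
                setgid=mode[6] in "sS",  # 's' in the group-execute position
            )
        )
    return findings


# The second line is the one quoted in the thread; the rest are constructed.
SAMPLE_LISTING = """\
drwxr-xr-x root/root         0 1999-07-19 10:57:30 usr/bin/
-rwxr-sr-x buildd/mail   14228 1999-07-19 10:57:34 usr/bin/dotlockfile
-rw-r--r-- root/root      2048 1999-07-19 10:57:34 usr/share/doc/liblockfile1/copyright
lrwxrwxrwx root/root         0 1999-07-19 10:57:34 usr/lib/liblockfile.so.1 -> liblockfile.so.1.0
"""

if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        flags = ", ".join(n for n, on in (("setuid", f.setuid), ("setgid", f.setgid)) if on)
        print(f"{f.path}: owner {f.owner}/{f.group} mode {f.mode} {flags}".rstrip())
```

A name such as buildd does not exist on the installing machine, so the file ends up owned by whichever local account has the same numeric uid, which matches the uid=1000 report in the thread.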



Re: file ownership in liblockfile1 1.01 (sparc)

2000-10-11 Thread Daniel Jacobowitz
On Wed, Oct 11, 2000 at 07:18:23AM -0700, andy wrote:
> just ran tiger on a fresh debian (2.2) install, and received the following
> warnings:
> 
> # Performing check of PATH components...
> # Only checking user 'root'
> --WARN-- [path002w] /usr/bin/dotlockfile in root's PATH from default is
> not owned by root (owned by dovienya).

What uid is user dovienya on your machine?

The liblockfile1 package contains no files not owned by root in Debian
2.2 on i386 or powerpc - what architecture are you running?

> i verified that the same holds true on two other installs, and didn't find
> any information on this on the net at large...  so i thought i'd send an
> email out debian-security way to get some feedback...

Was anything unique about these installs?  What are you installing
from?

I can't reproduce this.

Dan

/----\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/



Re: funny rpc.statd events

2000-10-10 Thread Daniel Jacobowitz
On Tue, Oct 10, 2000 at 10:28:39PM -0400, Ben Pfaff wrote:
> Daniel Jacobowitz <[EMAIL PROTECTED]> writes:
> 
> > This was fixed a month or two before potato was released.
> 
> I've seen those too, on up-to-date woody, so I don't think it
> really got fixed.

To clarify this, the logging of the message does not indicate a
problem.  If the attack had succeeded, rpc.statd would most likely
have crashed before it finished writing to the syslog (I think... don't
quote me on that).  It will certainly continue to log the attack in
this annoying manner.  Potato and woody are not vulnerable.

Dan

/\  /----\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/



Re: funny rpc.statd events

2000-10-10 Thread Daniel Jacobowitz
This was fixed a month or two before potato was released.



On Tue, Oct 10, 2000 at 09:09:52PM -0500, Herbert Ho wrote:
> hi guys. i have logcheck installed so i got this message tonight:
> 
> (sorry about the long lines, it's the way it came to me)
> 
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Oct 10 19:31:37 thosolin 
> Oct 10 19:31:37 thosolin /sbin/rpc.statd[125]: gethostbyname error for 
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2!
> !
> 20\220\220\220\220\220\220\220\220\220\220
> Oct 10 19:31:37 thosolin 
> Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
> Oct 10 19:31:37 thosolin 
> Oct 10 19:31:37 thosolin syslogd: Cannot glue message parts together
> Oct 10 19:31:37 thosolin /sbin/rpc.statd[125]: gethostbyname error for 
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2!
> !
> 20\220\220\220\220\220\220\220\220\220\220
> Oct 10 19:31:37 thosolin 
> Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
> 
> 
> it's nasty. sorry. =p
> 
> so should i be worried? and is the rpc.statd a security risk?
> 
> i have potato-based, "testing" installed.
> 
> thanks in advance.
> 
> 
> herbert
> 
> 
> 
> 


Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/
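
A way to triage log entries like the ones quoted in this thread, as an added example that is not part of the original posts: it scans syslog lines for printf directives and escaped 0x90 runs of the kind visible in the quoted rpc.statd message. The indicator names, thresholds and sample lines are constructed for illustration, and the check is generalised to any daemon's log lines.

```python
"""Triage syslog lines for format-string attack attempts."""
import re
from typing import NamedTuple, Optional

# "Oct 10 19:31:37 host rest..." ; rest may be empty on split continuation lines.
HEADER_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d\s(?P<host>\S+)\s?(?P<rest>.*)$"
)
# "program[pid]: message" ; absent on continuation lines.
TAG_RE = re.compile(r"^(?P<prog>[^\s\[:]+)(?:\[\d+\])?:\s(?P<msg>.*)$")

# Thresholds (4 directives, 16 escaped bytes) are assumptions, chosen so
# that a single stray '%' or '\220' in normal text does not fire.
INDICATORS = {
    # %n, %hn, %5$n: directives that make printf write to memory.
    "format-write": re.compile(r"%(?:\d+\$)?\d*(?:hh|h|l)?n"),
    # Four or more consecutive %x / %8x / %p directives.
    "stack-walk": re.compile(r"(?:%(?:\d+\$)?\d*(?:ll|l)?[xXp]){4,}"),
    # Long run of byte 0x90 as syslogd escapes it (octal \220).
    "nop-run": re.compile(r"(?:\\220){16,}"),
}


class Hit(NamedTuple):
    line_no: int
    program: Optional[str]
    indicators: tuple
    verdict: str


def split_line(line):
    """Return (program, message); program is None when no tag is present."""
    header = HEADER_RE.match(line)
    rest = header["rest"] if header else line
    tag = TAG_RE.match(rest)
    if tag:
        return tag["prog"], tag["msg"]
    return None, rest


def triage(log_text):
    """Return a Hit for each line that carries at least one indicator."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        program, message = split_line(line)
        found = tuple(
            sorted(name for name, rx in INDICATORS.items() if rx.search(message))
        )
        if not found:
            continue
        # A write directive combined with another indicator is the pattern
        # of the quoted rpc.statd entry; one indicator alone is only a lead.
        if "format-write" in found and len(found) > 1:
            verdict = "format-string attack attempt"
        else:
            verdict = "suspicious"
        hits.append(Hit(line_no, program, found, verdict))
    return hits


# Constructed sample lines; host names and messages are illustrative only.
SAMPLE_LOG = "\n".join([
    "Oct 10 19:31:37 host1 /sbin/rpc.statd[125]: gethostbyname error for "
    + "%8x" * 9 + "%236x%n%137x%n" + "\\220" * 40,
    "Oct 10 19:31:40 host1 /sbin/rpc.statd[125]: gethostbyname error for "
    "nfsclient.example.org",
    "Oct 10 19:32:02 host1 kernel: disk usage at 95% on /var",
    "Oct 10 19:32:10 host1 ftpd[311]: USER %x%x%x%x%x",
])

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit.line_no, hit.program, hit.verdict, ",".join(hit.indicators))
```

A hit records that the request reached the daemon and was logged; whether the host was affected depends on the installed package version, as the replies in this thread point out.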



Re: su vulnerability

2000-10-09 Thread Daniel Jacobowitz
On Mon, Oct 09, 2000 at 05:16:20AM -0800, Ethan Benson wrote:
> On Mon, Oct 09, 2000 at 03:04:35PM +0200, Javier Fernandez-Sanguino Peña wrote:
> > 
> > One thing I wonder is why does not Debian issue advisories to popular mailing
> > lists (linux-security on securityportal and bugtrack on securityfocus comes to
> 
> they do post announcements to BugTraq, at least every advisory i get
> from debian-security-announce is cross posted to BugTraq too.
> 
> > mind). Also, I do not see this posted at security.debian.org
> > I am currently maintaining my status as Debian maintainer but starting to move
> > my focus towards security (I finished my life as student and working now on a
> > security related company). 
> > So, I'm willing to help the security team in posting these announcements (both
> > on web and on security lists). It seems that some hands might be needed :)
> > I have another project in mind, but will send it later on...
> 
> i am a bit curious about the recent traceroute bug, (traceroute -g 1
> -g 1 segfaults) pretty much every other major dist has released an
> advisory and update for this, but debian appears not to have (unless i
> missed it).  a fixed traceroute package does exist in proposed-updates
> however.  (it's been there for awhile now) same thing with tmpreaper
> (aka tmpwatch) (even though that's only a DoS solved easily by disk
> file quotas)

I'll say this for the fifth time this week...

We are backlogged.  There aren't very many of us, and we have over half
a dozen half-written advisories.  They will be going out soon.

I posted on bugtraq that the vulnerability had been fixed in debian,
informally, I believe.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/



Re: Is Open Source software really more secure?

2000-10-08 Thread Daniel Jacobowitz
On Sun, Oct 08, 2000 at 02:34:16PM -0700, Paul Lowe wrote:
> When was the last time someone looked over the entire code base of mySQL to
> make sure it didn't have a trojan inside? I mean hey, theoretically, who
> goes over source code? Reading other programmers' source is both painful and
> difficult. It would not be hard for someone to release an oss package,
> announce it on freshmeat, have it distributed to thousands of people -- and
> have malicious code inside it. I mean, hey, do you always read the Makefile
> to make sure it doesn't contain a line that says "rm -rf /" for "make
> install"?

When?  Probably in the last month or so.

People actually do audit these things.  Not before they get posted to
freshmeat, but I'm dubious about things from random sites anyway...
it's a survival trait.  Packaged programs in distributions are
generally fairly well looked-over and tested.

Dan

/----\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/



Re: SECURITY PROBLEM: autofs [all versions]

2000-07-01 Thread Daniel Burrows
On Sat, Jul 01, 2000 at 10:19:39AM +0200, Thor <[EMAIL PROTECTED]> was heard to say:
> if you have physical access to the console and floppy drive you can always 
> start with a boot + root floppy, mount the hard disk and modify the 
> mounted /etc/passwd file ... this is an old trick, useful when you 
> lose the root password ;-)

  ..unless, of course, the machine's owner has disabled floppy boots..in which
case, you have to open the thing up and reset the BIOS; if the machine is in
an environment with someone watching what's going on (eg, a school computer
lab), this is fairly suspicious behavior and likely to bring unwanted
attention..

  Daniel

-- 
/- Daniel Burrows <[EMAIL PROTECTED]> -\
| If you're reading|Wisdom is one of the few things   |
|this, you have too|that looks bigger the farther away it is. |
|  much free time. |  -- Terry Pratchett  |
\- The Turtle Moves! -- http://www.lspace.org /



Re: Unknown open ports

2000-06-05 Thread Daniel Taylor
Try "netstat -p", it'll tell you which process is on each port.

Daniel TaylorEmbedded and custom Linux integration.
[EMAIL PROTECTED]   (612)747-1609

On Tue, 6 Jun 2000, Ron Rademaker wrote:

> I've just run a portscan to my computer that is connected to the internet
> (permanently) and there were a few ports open of which I don't know what
> they are for (all ports under 1024) and neither did the portscanner, these
> are the ports: 686 698 708
> If I use telnet to go to one of those ports, the connection isn't closed
> by the remote host (only after I've typed a few things and pressed enter a
> few times).
> 
> Anybody got any ideas on what these ports are for?
> 
> Ron Rademaker
> 
> 
> 



Re: On the security of e-mails

2000-05-25 Thread Daniel Taylor
The closest reliable method in that area is PGP encryption
of e-mail.  In theory only those people who have the message
signed with their public key will be able to read it.

In practice I haven't heard otherwise.

The only place where it isn't appropriate to encrypt (maybe only sign)
is on public mailing lists.

Daniel TaylorEmbedded and custom Linux integration.
[EMAIL PROTECTED]   (612)747-1609

On Thu, 25 May 2000, Sergio Brandano wrote:

> 
>  I would like to raise the problem of the security of electronic
>  mail. The problem popped into my mind a while ago, while reading
>  about Italian legislation on the privacy and, in particular, of
>  paper mail. I always wanted to draw the issue to the attention of the
>  ``hi spheres'', but I am now in the UK, and the whole thing went into
>  the limbo. The problem is simply as follows: there is no legislation
>  that enforces the privacy of electronic mail. On the practical side,
>  there is no software method currently implemented at large that
>  allows the receiver, and only the receiver, to read his/her own mail.
>  The secure transmission of mail is part of the whole process.
>  The similar issue can easily be extended to the Internet, where sites
>  (from the very client to the very server) can record your preferences,
>  as if there were a big brother that spies on you and writes all down.
>  An immediate consequence of it are all the SPAM mail selling
>  financial services...
> 
>  Sergio
> 
> 
> 


