Re: Please remove me from this list

2014-06-26 Thread Erwan David
On 26/06/2014 16:06, Jason Fergus wrote:
> Ha ha, made me laugh.  
>
> Speaking of lists, I wish I knew how Evolution knows to ask if one would
> like to reply to the list or the sender.  My work uses a bunch of
> mailing lists, and I always feel like I'm breaking list etiquette when I
> have to do a group reply, because the option isn't there to just reply
> to the list.  I'm guessing it sees 'lists' in the To or CC field.. 
>

There are several List-* headers relevant to this, e.g. for this list you
get these headers:

List-Id: 
List-URL: 
List-Post: 
List-Help: 
List-Subscribe: 

List-Unsubscribe: 


The relevant header for "replying to list" is List-Post:






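An added example (not from the thread, and not Evolution's code) of what a mail client does with these headers: it reads List-Post (RFC 2369) to decide whether a "reply to list" choice exists and where it goes, and List-Id to tell list traffic from ordinary mail. The message below is constructed and its header values are made up; the real header values of this list were stripped from the archive above. One caveat worth keeping in mind: List-Post is not authenticated, so a message with a forged List-Post would send a "reply to list" wherever the forger chose, which is why a client should still show the address it is about to use.

```python
"""Decide where a reply should go from a message's List-* headers (RFC 2369)."""
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed sample message; the List-* values below are made up for
# illustration and are not the real headers of debian-security.
SAMPLE = """\
From: Alice <alice@example.org>
To: debian-security@lists.debian.org
Cc: Bob <bob@example.org>
Subject: Re: Please remove me from this list
List-Id: <debian-security.lists.debian.org>
List-Post: <mailto:debian-security@lists.debian.org>
List-Help: <mailto:debian-security-request@lists.debian.org?subject=help>
List-Unsubscribe: <mailto:debian-security-request@lists.debian.org?subject=unsubscribe>

Body text.
"""

# First mailto: URL in a List-* header. RFC 2369 allows several <URL>
# entries and an optional "?subject=..." query part, which is dropped here.
_MAILTO = re.compile(r"<\s*mailto:([^>?\s]+)", re.IGNORECASE)


def parse(raw):
    return email.message_from_string(raw)


def list_post_address(msg):
    """Posting address taken from List-Post, or None.

    RFC 2369: the literal value "NO" means the list does not accept
    posts; only mailto: URLs are usable as a reply target.
    """
    value = msg.get("List-Post")
    if value is None:
        return None
    value = value.strip()
    if value.upper().startswith("NO"):
        return None
    m = _MAILTO.search(value)
    return m.group(1).lower() if m else None


def is_list_message(msg):
    """A client offers 'reply to list' only for list traffic."""
    return msg.get("List-Id") is not None or list_post_address(msg) is not None


def reply_choices(msg):
    """Addresses the three reply modes would use.

    List-Post is unauthenticated: a forged header would redirect
    'reply to list' to an address of the forger's choosing, so the
    caller should still display the chosen address to the user.
    """
    sender = parseaddr(msg.get("From", ""))[1].lower()
    everyone = {addr.lower() for _, addr in getaddresses(
        msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", []))
        if addr}
    choices = {"sender": sender, "all": sorted(everyone)}
    list_addr = list_post_address(msg)
    if list_addr:
        choices["list"] = list_addr
    return choices


if __name__ == "__main__":
    for mode, target in reply_choices(parse(SAMPLE)).items():
        print(f"{mode:>6}: {target}")
```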

Re: Debian mirrors and MITM

2014-05-30 Thread Erwan David
On 30/05/2014 22:02, Henrique de Moraes Holschuh wrote:
> On Fri, 30 May 2014, Erwan David wrote:
>> On 30/05/2014 21:30, Joey Hess wrote:
>>> Alfie John wrote:
>>>> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>>>>   https://www.debian.org/mirror/list
>>> https://mirrors.kernel.org/debian is the only one I know of.
>>>
>>> It would be good to have a few more, because there are situations where
>>> debootstrap is used without debian-archive-keyring being available, and
>>> recent versions of debootstrap try to use https in that situation, to at
>>> least get the weak CA level of security.
>>>
>> Note that at least debian.org DNS is signed by DNSSEC and DANE is used,
>> which allows to check that the certificate used by a debian.org site is
>> the real one.
> We don't ship a DNSSEC-enabled resolver by default, and fixing THAT would
> require some very careful considerations and large-scale testing.
>
> That said, AFAIC it is a critical bug on debootstrap that it doesn't just
> keel over and die very loudly when run without a trust path to verify the
> downloaded packages [as usual, this means we'd need to make it possible to
> provide such trust paths for the harder usecases as well].
>

I understand it is not so simple... However it is a first step toward a
more secure path.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/5388e670.9070...@rail.eu.org



Re: Debian mirrors and MITM

2014-05-30 Thread Erwan David
On 30/05/2014 21:30, Joey Hess wrote:
> Alfie John wrote:
>> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>>
>>   https://www.debian.org/mirror/list
> https://mirrors.kernel.org/debian is the only one I know of.
>
> It would be good to have a few more, because there are situations where
> debootstrap is used without debian-archive-keyring being available, and
> recent versions of debootstrap try to use https in that situation, to at
> least get the weak CA level of security.
>
Note that at least debian.org DNS is signed by DNSSEC and DANE is used,
which allows to check that the certificate used by a debian.org site is
the real one.





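As an added example (not Debian's or debootstrap's code) of the check that DANE makes possible, and that the reply above points out needs a validating resolver first: a TLSA record (RFC 6698) carries a usage, a selector, a matching type and the association data, and the client compares the certificate the server presented against it. The certificate bytes below are a constructed placeholder, not a real debian.org certificate, and the example assumes the TLSA answer has already been validated by a DNSSEC-aware resolver. Only selector 0 (the full certificate) can be handled without an ASN.1 parser; selector 1 (SubjectPublicKeyInfo) is accepted when the caller supplies those bytes.

```python
"""Match a server certificate against DANE TLSA records (RFC 6698)."""
import hashlib
import hmac

# Constructed placeholder standing in for a DER-encoded certificate.
# It is not a real certificate; the matching logic only needs bytes.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + b"constructed placeholder, not a real certificate"


def parse_tlsa(rdata):
    """'3 0 1 <hex>' -> (usage, selector, matching_type, association_data)."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data.split()))


def _association_data(selector, mtype, cert_der, spki_der):
    # selector 0: the whole certificate; 1: its SubjectPublicKeyInfo
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    # matching type 0: raw bytes; 1: SHA-256; 2: SHA-512
    if mtype == 0:
        return subject
    if mtype == 1:
        return hashlib.sha256(subject).digest()
    if mtype == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert_der, usage=3, selector=0, mtype=1, spki_der=None):
    """Build the TLSA rdata an operator would publish for cert_der."""
    data = _association_data(selector, mtype, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {data.hex()}"


def tlsa_matches(rdata, cert_der, spki_der=None):
    """True if the record's association data matches the given certificate."""
    _usage, selector, mtype, expected = parse_tlsa(rdata)
    got = _association_data(selector, mtype, cert_der, spki_der)
    return hmac.compare_digest(got, expected)


def dane_accepts(records, cert_der, pkix_ok, spki_der=None):
    """Decide whether the end-entity certificate is authenticated by DANE.

    usage 3 (DANE-EE): a match alone is sufficient.
    usage 1 (PKIX-EE): a match is needed AND the usual CA validation (pkix_ok).
    usage 0/2 constrain a CA certificate somewhere in the chain; with only
    the end-entity certificate in hand they cannot be evaluated here, so
    they are rejected rather than silently accepted (fail closed).
    Assumes `records` came from a DNSSEC-validated answer.
    """
    for rdata in records:
        usage = parse_tlsa(rdata)[0]
        if usage == 3 and tlsa_matches(rdata, cert_der, spki_der):
            return True
        if usage == 1 and pkix_ok and tlsa_matches(rdata, cert_der, spki_der):
            return True
    return False


if __name__ == "__main__":
    published = make_tlsa(FAKE_CERT_DER)
    print("TLSA:", published)
    print("accepted:", dane_accepts([published], FAKE_CERT_DER, pkix_ok=False))
```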

Re: Debians security features in comparison to Ubuntu

2014-05-17 Thread Erwan David
On 17/05/2014 18:38, Jan Moskyto Matejka wrote:
>> I might be misinterpreting your definition of "meaningful", but I
>> have been looking for a public entropy source for my Debian system
>> for quite a while. If you can point me to the Debian equivalent of
>> pollinate and https://entropy.ubuntu.com/ that would be highly
>> appreciated.
> To transport the entropy securely, you need cryptography, which is
> precisely the thing you need entropy for. A public entropy source is
> insecure crap with no security profit at all. More than that, it
> makes admins think their system is better secured. It isn't.
More than that: it is an excellent attack vector, since some
cryptographic operations become weak when the attacker knows a bias in
the generation of secrets.






Re: finding a process that bind a spcific port

2014-01-22 Thread Erwan David
On Wed, Jan 22, 2014 at 02:33:27PM CET, Nico Angenon  said:
> no output
> 
> Thanks for all...
> 
> Nico

You may also try lsof -i udp:10001

Launch it as root, because a normal user cannot see the descriptors of 
processes owned by others.



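The lookup that lsof -i performs can be done by hand from /proc, which also shows why it has to run as root. This is an added example, not from the thread and not lsof's code; Linux only. It reads the socket's inode from /proc/net/udp (or udp6, tcp, tcp6) and then looks for that inode among every process's file descriptors. A normal user gets EACCES on the fd directories of other users' processes, so the function counts those processes rather than dropping them silently, and the caller can see that the answer may be incomplete. The self_check helper binds a throwaway socket so the code can be exercised offline; the 10001 default in the demo is the port from the thread.

```python
"""Find which process owns a socket on a given port by reading /proc,
which is what lsof -i and ss -p do underneath. Linux only."""
import os
import socket


def parse_proc_net_line(line):
    """(local_port, inode) from one data line of /proc/net/{udp,tcp}{,6}.

    A line looks like
      0: 0100007F:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000 1000 0 12345 2 ...
    local_address is HEXIP:HEXPORT (2nd field) and the inode is the 10th field.
    """
    fields = line.split()
    return int(fields[1].rsplit(":", 1)[1], 16), fields[9]


def socket_inodes_for_port(port, proto="udp"):
    """Inodes of sockets bound locally to `port` in /proc/net/<proto> and <proto>6."""
    inodes = set()
    for table in (proto, proto + "6"):
        try:
            with open(f"/proc/net/{table}") as fh:
                next(fh)                      # column header line
                for line in fh:
                    local_port, inode = parse_proc_net_line(line)
                    if local_port == port:
                        inodes.add(inode)
        except FileNotFoundError:             # e.g. IPv6 disabled
            continue
    return inodes


def pids_for_inodes(inodes):
    """Map pid -> matching 'socket:[inode]' links found under /proc/<pid>/fd.

    Returns (found, unreadable). Without root, listing another user's
    /proc/<pid>/fd fails with EACCES; those pids are collected so the
    caller knows the result is partial instead of assuming "no process".
    """
    targets = {f"socket:[{inode}]" for inode in inodes}
    found, unreadable = {}, []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = f"/proc/{entry}/fd"
        try:
            fds = os.listdir(fd_dir)
        except PermissionError:
            unreadable.append(int(entry))
            continue
        except FileNotFoundError:             # process exited meanwhile
            continue
        for fd in fds:
            try:
                link = os.readlink(f"{fd_dir}/{fd}")
            except OSError:
                continue
            if link in targets:
                found.setdefault(int(entry), set()).add(link)
    return found, unreadable


def who_binds(port, proto="udp"):
    inodes = socket_inodes_for_port(port, proto)
    found, unreadable = pids_for_inodes(inodes)
    return {"inodes": sorted(inodes), "pids": sorted(found),
            "unreadable_pids": len(unreadable)}


def self_check(proto="udp"):
    """Bind a throwaway socket and confirm this process is reported.
    Returns None where /proc/net is unavailable (non-Linux)."""
    if not os.path.exists(f"/proc/net/{proto}"):
        return None
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as sock:
        sock.bind(("127.0.0.1", 0))
        if kind == socket.SOCK_STREAM:
            sock.listen(1)                    # bound-only TCP sockets are not listed
        port = sock.getsockname()[1]
        return os.getpid() in who_binds(port, proto)["pids"]


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 10001
    print(who_binds(port, "udp"))
```

Run it as root for a complete answer; as a normal user the "unreadable_pids" count tells you how many processes could not be inspected.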


Re: NULL Scan issues or something else?

2013-02-08 Thread Erwan David
On Fri, Feb 08, 2013 at 02:06:48PM CET, Daniel Curtis  
said:
> Hi Mr Erwan
> 
> So, everything is okay? Even these strange logs
> mentioned earlier? I'm still curious about this rule;
> SYN,RST, ACK,FIN, PSH,URG, SYN,RST,ACK,
> FIN,PSH,URG
> 
> What do you mean by writing, that I should not contact servers?
> 
> Best regards!

Those packets are normal answers from servers w



Re: NULL Scan issues or something else?

2013-02-07 Thread Erwan David

On 07/02/2013 21:22, Daniel Curtis wrote:

> Hi,
>
>>> (...) Nothing that should bother you.
>
> Okay, so far so good. But what about the rest of the
> IP addresses which occurred in the logs? You have
> mentioned a bendel.debian.org website.
> I wonder why?

Because that's the source of the packet you showed us.

> I noticed that all the logged events relating to this
> strange rule* mentioned earlier are related to
> SPT=80 and IN=eth0. Literally all of the connections.
> What does it mean?

Those are packets sent by web servers (source port 80) in answer to
your requests.

If you do not want to receive them you must not contact the servers.





Re: NULL Scan issues or something else?

2013-02-07 Thread Erwan David

On 07/02/2013 19:34, Daniel Curtis wrote:

> Hi
>
> Thank you all for your answers. They are very helpful.
> I have to mention some things which I forgot to write;
>
>   * no running services
>   * all ports are closed (according to e.g. nmap)
>   * iptables has rules concerning INVALID packets
>   * flags filtering with --tcp-flags and use of --ctstate.
>
> Now this computer is used for various tests etc. Maybe, in
> the future this machine will be something else, more important.
> So, should I be afraid of these scan attempts, even though
> no service is enabled? Is blocking (DROP) these connections
> sufficient? In that case, what is the type of scan that uses these
> flags: SYN,RST,ACK,FIN,PSH,URG SYN,RST,ACK,FIN,PSH,URG?
>
> Why does this type of scan occur when all ports are closed and none
> of the services are running? Sorry for the naive question, but I'm
> surprised, because I was never in a similar situation. Especially with
> closed ports and no services.
>
> Again sorry for so many questions, and thanks for all the answers.
> If you can, please answer the above questions. They are very
> important for me.
>
> * Some part of the log:
> SCAN: IN=eth0 OUT= MAC=_mac_addresses
> SRC=82.195.75.100 DST=192.168.10.X
> LEN=1500 TOS=0x00 PREC=0x00
> TTL=52 ID=14512 DF
> PROTO=TCP SPT=80 DPT=54790
> WINDOW=6432 RES=0x00 ACK URGP=0
>
> ...and many more...
>
> Best regards!

To me it looks like an acknowledgement of a packet you sent to the web
server on bendel.debian.org, the mailing list and archive server for Debian...

Nothing that should bother you.



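An added example (not from the thread) that parses netfilter LOG lines of the kind Daniel posted and names the flag combination they carry: a TCP packet with no flags at all is the NULL probe the subject line asks about, FIN/PSH/URG together is an Xmas probe, and an ACK-only packet from source port 80 to a high port is what a web server sends back to a connection this host opened, which is the case in the thread. It also evaluates an iptables --tcp-flags mask/comp rule the way the kernel does ((flags AND mask) == comp), so the rule Daniel quotes, with all six flags in both lists, can be checked against a logged packet. The first log line is the one from the thread, joined onto one line with its redactions kept; the other two are constructed.

```python
"""Parse netfilter LOG lines and name the TCP flag pattern they carry."""

TCP_FLAGS = frozenset(("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"))
ALL_SIX = frozenset(("SYN", "RST", "ACK", "FIN", "PSH", "URG"))   # iptables "ALL"

SAMPLE_LOGS = [
    # From the thread (MAC and the DST host part were redacted there too):
    "SCAN: IN=eth0 OUT= MAC=_mac_addresses SRC=82.195.75.100 DST=192.168.10.X "
    "LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=14512 DF PROTO=TCP SPT=80 DPT=54790 "
    "WINDOW=6432 RES=0x00 ACK URGP=0",
    # Constructed: a NULL probe (no TCP flags at all) against port 22
    "SCAN: IN=eth0 OUT= MAC=_mac_addresses SRC=198.51.100.7 DST=192.168.10.X "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=1 PROTO=TCP SPT=43210 DPT=22 "
    "WINDOW=1024 RES=0x00 URGP=0",
    # Constructed: an Xmas probe (FIN, PSH and URG set)
    "SCAN: IN=eth0 OUT= MAC=_mac_addresses SRC=198.51.100.7 DST=192.168.10.X "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=2 PROTO=TCP SPT=43211 DPT=22 "
    "WINDOW=1024 RES=0x00 FIN PSH URG URGP=0",
]


def parse_nf_log(line):
    """Split a LOG line into its prefix, KEY=value fields and bare flag words.

    TCP flags are logged as bare words (ACK, SYN, ...); URGP=0 is a
    field, not the URG flag. DF/MF/CE are IP-level bare words.
    """
    fields, tcp_flags, ip_flags, prefix_words = {}, set(), set(), []
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif not fields:
            prefix_words.append(tok)          # everything before the first KEY=
        elif tok in TCP_FLAGS:
            tcp_flags.add(tok)
        else:
            ip_flags.add(tok)
    return {"prefix": " ".join(prefix_words).rstrip(":"),
            "fields": fields, "tcp_flags": tcp_flags, "ip_flags": ip_flags}


def _flag_names(spec):
    spec = spec.upper()
    if spec == "ALL":
        return set(ALL_SIX)
    if spec == "NONE":
        return set()
    return set(spec.split(","))


def rule_matches(pkt, mask, comp):
    """iptables --tcp-flags mask comp: examine the flags in mask, require
    exactly those in comp to be set among them."""
    return (pkt["tcp_flags"] & _flag_names(mask)) == _flag_names(comp)


def classify(pkt):
    if pkt["fields"].get("PROTO") != "TCP":
        return "not TCP"
    f = pkt["tcp_flags"]
    sport = int(pkt["fields"].get("SPT", 0))
    dport = int(pkt["fields"].get("DPT", 0))
    if not f:
        return "NULL scan probe"
    if f == {"FIN", "PSH", "URG"}:
        return "Xmas scan probe"
    if f == {"FIN"}:
        return "FIN scan probe"
    if f >= ALL_SIX:
        return "all six flags set (bogus packet)"
    if "RST" in f:
        return "reset"
    if "SYN" in f:
        return "reply to our SYN (SYN/ACK)" if "ACK" in f else "connection attempt (SYN)"
    if "ACK" in f and sport < 1024 and dport >= 32768:
        # well-known source port, ephemeral destination port: the far end is
        # a server answering a connection this host opened
        return "reply from a server we contacted (late or stray ACK)"
    if "ACK" in f:
        return "ACK without SYN (established traffic or ACK probe)"
    return "other"


if __name__ == "__main__":
    six = "SYN,RST,ACK,FIN,PSH,URG"
    for line in SAMPLE_LOGS:
        pkt = parse_nf_log(line)
        print(f"{pkt['fields']['SRC']:>14}:{pkt['fields']['SPT']:<5} -> "
              f"{pkt['fields']['DPT']:<5} flags={sorted(pkt['tcp_flags'])} "
              f"{classify(pkt)}; all-six rule matches: {rule_matches(pkt, six, six)}")
```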


Re: sun-java6-plugin outdated and vulnerable to an actively exploited security issue

2012-08-16 Thread Erwan David
On Thu, Aug 16, 2012 at 11:37:09AM CEST, Thijs Kinkhorst  
said:
> Hi Adam,
> 
> On Thu, August 16, 2012 07:56, echo083 wrote:
> > The sun-java6 in the stable branch is the version 1.6.0_26 is there a
> > plan for any security upgrade ?
> 
> I'm afraid that's not possible. Oracle has changed licensing such that
> it's no longer allowed for Debian to distribute newer versions. There's
> somewhat more detail in http://www.debian.org/News/weekly/2011/15/#javarm
> 
> It is advised to switch to openjdk-6 instead.
> 
> Cheers,
> Thijs

I might do this when every java application I need to use is compatible with 
it...
Meanwhile some do not work...





Re: Debian LTS?

2011-10-05 Thread Erwan David
On 06/10/11 00:13, Sythos wrote:
> On Wed, 05 Oct 2011 19:13:33 +0200
> wer...@aloah-from-hell.de wrote:
> 
>> Hi all,
>>
>> a Debian LTS-Version would be so welcome and is definitly
>> something that's missing for Debian.
>>
> 
> in 18 years Debian released 6 "stable", an average of 3 years between a
> stable and the next one, i think is already longer than others call
> "LTS" a distro. 3 years between stables is already (imho, maybe) too
> much, is already an overload of work for maintainers to backport
> patches and other on software often classified "old" if not "obsolete"
> too.
> 
> The major benefit of opensource software is the "darwin effect", good
> software evolve quickly, bad software die, force a maintainer to work
> on a software for 2 years more than usual may mean force an unuseful
> work, *imho* 3 years are already too much for a lot of environments
> (like development)
> 
> 

Moreover, if you wait too long you may have an important piece of software
at an outdated major version no longer supported upstream, where backports
are not possible because the upstream architecture changed completely.





Re: Debian LTS?

2011-10-05 Thread Erwan David
On 05/10/11 19:13, wer...@aloah-from-hell.de wrote:
> Hi all,
> 
> a Debian LTS-Version would be so welcome and is definitly something that's
> missing for Debian.
> 
> best,
> Werner

Isn't it called "stable" ?





Re: CVE Exploit

2011-03-11 Thread Erwan David
On Fri, Mar 11, 2011 at 04:08:29PM CET, Mike!  said:
> On 03/11/2011 04:06 PM, Jordon Bedwell wrote:
> >On 3/11/2011 9:04 AM, Andrey Rahmatullin wrote:
> >>On Fri, Mar 11, 2011 at 09:42:17AM -0500, hans wrote:
> >>>rm / -rf worked fine last time I tried it on a VM as an experiment.
> >>It was fixed in coreutils 6.2 [2006-09-18].
> >>
> >
> >Subjective fix. It can still destroy your system, it can still delete
> >critical files, just not certain critical files.
> >We've done it before too.
> >
> >
> perhaps dd if=/dev/zero of=/dev/root is a better solution?

if=/dev/urandom would be more fun, whereas /dev/random might stop
before doing too much damage, but restart when any action is done.

The latter case might be fun to see...


