Re: Allow password auth for one user with sftp?
On Tue, 2007-01-16 at 09:23 +0100, Maik Holtkamp wrote:
> Hi,
>
> Michel Messerschmidt wrote/schrieb @ 15.01.2007 20:39:
> [...]
> > Public keys can be stolen too. If you consider this a risk, you should
>
> [Typ|Brain]o? s/Public/Private/

My thoughts exactly... stealing and placing *MY* public key means *I* get more access or they can communicate with me in encrypted format.

I guess, a stolen public key is like a Free Information Brochure, only good to those that will understand and use it to contact me or want to have me do something for them.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux

signature.asc
Description: This is a digitally signed message part
Re: My machine was hacked - possibly via sshd?
On Tue, 2005-03-29 at 13:38 +0100, Simon Heywood wrote:
> On Tue, 29 Mar 2005 at 13:18:42 +, Maurizio Lemmo - Tannoiser wrote:
> > On Tuesday 29 March 2005, at 00:34, Adam M. wrote:
> > > > But 2.4.18 is the Debian stable kernel, which gets security updates and patches, no?
> > > No, it doesn't. I really think that packages like this old kernel should be removed from the mirrors, or at least updated with a big fat warning.
> > Sorry, but this isn't correct. Kernel 2.4.18-1 in woody is patched against known vulnerabilities.
> The security team have quietly stopped updating it, preferring to concentrate on the Sarge kernels.

Please back this up with proof. Otherwise you'll be disliked even more for your obvious lack of tact.

> > Recent [vulnerabilities] involve code not present in this release of kernel.
> Some of them, maybe. But take a look at #289708 for an example of an unfixed vulnerability in Woody's 2.4.18.

Maybe because of this little fact you might just want to point out:

Maintainer for kernel-source-2.4.18 is Herbert Xu [EMAIL PROTECTED]

As if you don't know the implications of that. IIRC, you were in the argument, though not hugely, which gave him cause to resign from Debian.

Quit making assumptions based on your beliefs and provide real tangible proof. Otherwise please take it elsewhere.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: My machine was hacked - possibly via sshd?
On Tue, 2005-03-29 at 11:52 +0200, List (mitm) wrote:
> From: Michelle Konzack [EMAIL PROTECTED]
> Sent: Tuesday, March 29, 2005 11:21 AM
> Subject: Re: My machine was hacked - possibly via sshd?
>
> > > > Your kernel is old. That's for starters. 2.4.30 is in rc2 now. It alone fixes some security issues. 2.4.18 is ancient, and there's most
> > > But 2.4.18 is the Debian stable kernel, which gets security updates and patches, no?
> > NO, since one year.
>
> Is there an official policy on what gets updated and what not? Like Malcolm Ferguson I was under the impression that debian stable was always updated with the latest security patches. Besides kernel-images are there other packages that do not get updated?

Mozilla for one.

Not all kernel exploits for 2.6 or much later versions of 2.4 (after 2.4.23) really have any effect on 2.4.18-blah in the Stable Distro; the problem areas aren't even there!

But tell me, have they fixed the futex problems in 2.6? Also, when are they going to make it so modules (such as many IDE modules) are unloadable?

If you can justify to me why a newer kernel will fix any of my problems on my woody systems, you will have succeeded where many others have failed.

Just so you understand, I do like the newer kernels, but 2.6.x right now has big difficulties with java apps, due to the futex issues. Yes, there are other ways to implement workarounds, but why, when 2.4.18 does just fine?

My other machine is still running 2.4.20 with stack smashing protection and preemptive task switching on. I haven't had a single problem yet.

And please, I already have tracked all the traffic on them. No point in showing any malice now.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: My machine was hacked - possibly via sshd?
On Mon, 2005-03-28 at 15:58 -0500, Malcolm Ferguson wrote:
> Mark Foster wrote:
> > Malcolm Ferguson wrote:
> > > My machine was cracked on Thursday evening. I'm trying to understand how it happened so that it doesn't go down again.
> > Sounds to me like you know exactly how it happened - ssh user enumeration won the jackpot.
>
> Thanks: you got me thinking. I see exactly what happened now. A dictionary attack via ssh found user 'steve' with a weak password. The auth.log shows this user login and su to root. Perhaps a local exploit?

I have a short summary of my tracking of these Bruteforce SSH2 attempts that are taking up bandwidth. Here is what I have come up with, ending 21mar2005 2100 GMT:

* Starting July 26th, 2004: totals for recent Bruteforce attempts on knight.gregfolkert.net
* Total of 8,988 events, separated by minutes sometimes, hours, days, never weeks, months or years
* 158,913 bruteforce total attempts to password guess or stumble onto a no-password user
* 3727 unique combinations of username-(from)IP Address
* 663 unique names used
* 210 unique IP Addresses have been identified as sources of the attempts

Amazing ain't it? So, indeed it has been on the increase. Time to review those password policies.

This is just the SSH2 problems, not to mention the Apache related applications. We can basically quadruple the counts as a total for everything that machine has seen.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: Any way to simulate traffic?
On Thu, 2005-01-13 at 20:37 +0100, Javier Pardo wrote:
> Hello.
>
> I'm looking for a way to simulate traffic in order to probe my iptables rules. In other words: is there any way, any command or any iptables parameter, to ask iptables what it is going to do (according to the active rules) when some traffic arrives?
>
> Thanks in advance.
>
> Ratón.

nmap and other Security testing tools.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: Log file IDS package?
On Wed, 2005-01-12 at 16:57 +1100, Andrew Pollock wrote:
> Hi,
>
> I've done some cursory apt-cache searching, and nothing's jumped out at me...
>
> Is there software in Debian that will do something along the lines of a tail -f of a given logfile, looking for supplied regexes and do custom actions on matches?
>
> I want to tarpit excessive SSH login failures.

Are you talking about the recent (since July 27th 2004) brute force ssh attempts? The ones with NO_USER attached to them? Things like this:

Jan 10 23:52:45 knight sshd[12863]: Failed password for illegal user test from 220.75.202.225 port 35881 ssh2
Jan 10 23:52:51 knight sshd[12865]: Failed password for illegal user guest from 220.75.202.225 port 35973 ssh2
Jan 10 23:52:55 knight sshd[12867]: Failed password for admin from 220.75.202.225 port 36117 ssh2
Jan 10 23:52:57 knight sshd[12869]: Failed password for admin from 220.75.202.225 port 36212 ssh2
Jan 10 23:53:00 knight sshd[12871]: Failed password for illegal user user from 220.75.202.225 port 36284 ssh2
Jan 10 23:53:03 knight sshd[12873]: Failed password for root from 220.75.202.225 port 36367 ssh2
Jan 10 23:53:07 knight sshd[12882]: Failed password for root from 220.75.202.225 port 36457 ssh2
Jan 10 23:52:45 knight sshd[12863]: Illegal user test from 220.75.202.225
Jan 10 23:52:45 knight sshd[12863]: error: Could not get shadow information for NOUSER
Jan 10 23:52:50 knight sshd[12865]: Illegal user guest from 220.75.202.225
Jan 10 23:52:51 knight sshd[12865]: error: Could not get shadow information for NOUSER
Jan 10 23:53:00 knight sshd[12871]: Illegal user user from 220.75.202.225
Jan 10 23:53:00 knight sshd[12871]: error: Could not get shadow information for NOUSER

Or something else?

If it is that... well, unless you are doing something stupid for passwords, you really shouldn't worry about it.

This goes back to tarpit setups for mail... it won't stop them, just increase the number of connections you'll have tied up, possibly DoS style.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
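The regex-plus-action idea Andrew asks about, run over the auth.log excerpt Greg pasted above and producing the kind of tallies Greg reports in the "My machine was hacked" thread (attempts, unique username/IP pairs, unique names, unique sources). This is an added example, not code from anyone in the thread; the sample log is the excerpt above embedded as test input, and the threshold of 5 failures within 60 seconds is an arbitrary assumption, not a value anyone in the thread used.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the OpenSSH "Failed password" line format quoted in the thread.
# The separate "Illegal user ..." and "Could not get shadow information for
# NOUSER" lines describe the same attempt, so only this line is counted.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample input: the auth.log excerpt pasted in the message above.
SAMPLE_LOG = """\
Jan 10 23:52:45 knight sshd[12863]: Failed password for illegal user test from 220.75.202.225 port 35881 ssh2
Jan 10 23:52:51 knight sshd[12865]: Failed password for illegal user guest from 220.75.202.225 port 35973 ssh2
Jan 10 23:52:55 knight sshd[12867]: Failed password for admin from 220.75.202.225 port 36117 ssh2
Jan 10 23:52:57 knight sshd[12869]: Failed password for admin from 220.75.202.225 port 36212 ssh2
Jan 10 23:53:00 knight sshd[12871]: Failed password for illegal user user from 220.75.202.225 port 36284 ssh2
Jan 10 23:53:03 knight sshd[12873]: Failed password for root from 220.75.202.225 port 36367 ssh2
Jan 10 23:53:07 knight sshd[12882]: Failed password for root from 220.75.202.225 port 36457 ssh2
Jan 10 23:52:45 knight sshd[12863]: Illegal user test from 220.75.202.225
Jan 10 23:52:45 knight sshd[12863]: error: Could not get shadow information for NOUSER
Jan 10 23:52:50 knight sshd[12865]: Illegal user guest from 220.75.202.225
"""


def parse_failures(lines, year=2005):
    """Turn matching log lines into events; syslog omits the year, so it is supplied."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "user": m["user"],
            "ip": m["ip"],
            "invalid_user": m["invalid"] is not None,
        })
    return events


def summarize(events):
    """The tallies Greg reports for knight: attempts, user/IP pairs, names, sources."""
    return {
        "attempts": len(events),
        "unique_pairs": len({(e["user"], e["ip"]) for e in events}),
        "unique_names": len({e["user"] for e in events}),
        "unique_ips": len({e["ip"] for e in events}),
        "invalid_user_attempts": sum(1 for e in events if e["invalid_user"]),
    }


def find_bruteforcers(events, threshold=5, window_s=60):
    """Sliding-window detector: sources with >= threshold failures inside window_s.

    Returns {ip: timestamp at which the threshold was first crossed}. The
    threshold and window are assumptions for this example, not thread values.
    """
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and e["ip"] not in flagged:
            flagged[e["ip"]] = e["ts"]
    return flagged


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG.splitlines())
    print(summarize(evs))
    for ip, when in find_bruteforcers(evs).items():
        # This is the point where a tarpit or firewall action would be hooked in;
        # as Greg notes, a tarpit ties up connections on your side as well.
        print(f"{when:%b %d %H:%M:%S} threshold crossed by {ip}")
```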
Re: [SECURITY] [DSA 557-1] New rp-pppoe packages fix potential root compromise
On Mon, 2004-10-11 at 21:13 +0200, Nils Rennebarth wrote:
> Martin Schulze wrote:
> > Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
> >
> > For the stable distribution (woody) this problem has been fixed in version 3.3-1.2.
> >
> > For the unstable distribution (sid) this problem has been fixed in version 3.5-4.
>
> Is there an estimation when the 3.5-4 Version for unstable will hit the archive?

Okay, don't run it as setuid root.

Nothing I can find on bugs.d.o or packages.d.o or alioth even begins to show 3.5-4 as existing yet. But, unless you run rp-pppoe/pppoe as setuid root... you should be fine. Minimizing the damage has already been done in the way it is set up by default in Debian.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: BAHAHA was (telnetd vulnerability from BUGTRAQ)
On Tue, 2004-09-28 at 12:23 +0200, Dariush Pietrzak wrote:
> I would suggest updating one's knowledge at least every ~5 years or so... (it's easy for me to say, because i'm still learning, maybe people with decades of IT experience find it more difficult to follow development of standards)

Wow, the next thing you are going to say, is that Microsoft isn't standards friendly. Or that SCO doesn't own UNIX. Or that (the) SUN is setting.

Every 5 years... I doubt *I* could keep up with that pace.

BTW, I won't get into any further arguments about ftp, mainly I am convinced its usefulness is past. Remember *I* *AM* *CONVINCED*, which means *OPINION*. Sure other options exist, but FTP in the 5 years ago old school sense isn't even optimal anymore except for anonymous/chroot'd (or non-chroot'd for significantly larger values of sane FTPDs) UL/DL. I won't use it and haven't for 5+ years (/me grins).
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: telnetd vulnerability from BUGTRAQ
On Mon, 2004-09-27 at 09:24 +0200, Dariush Pietrzak wrote:
> > The point remains that while telnet/ftp should be treated as deprecated
> Why is that exactly? There is no replacement for ftp, and I don't know of any problems with it? Please enlighten me.

ftp == good enough for public upload and download in a chroot environment.

scp == the preferred method for data transfer between machines. Nearly as fast on semi-modern machines.

pscp == the windows equivalent for regular *NIXX scp.

I have no problems with scp; best part, there isn't the mistaken problem of transfer in ASCII mode when it should be in IMAGE mode (or BINARY mode), or vice-versa.

We should get rid of TelnetD (The Telnet Daemon). For practical purposes, beyond places where there is no option, keep the telnet Client. About the only thing I can think of that is useful for port 23 == mud'ing

At the very least, telnetd should not ever be installed as default.
--
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup
Re: sshd: Logging illegal users
On Sun, 2004-08-15 at 19:46 -0600, s. keeling wrote:
> Incoming from Greg Folkert:
> > Hey, I have found some thing. Rather than repost. I'll share where I posted it.
> >
> > http://z.iwethey.org/forums/render/content/show?contentid=169321
>
> Zope Error

Hmmm... try it again. I get it. I'd be surprised if you get it again. If you do, please send me the backtrace from the page source of the error page.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: sshd: Logging illegal users
On Sun, 2004-08-15 at 19:15 +0200, Thomas Hungenberg wrote:
> Hello,
>
> sshd included with Debian/sarge logs connection attempts with illegal usernames this way:
>
> sshd[xxx]: Illegal user username from xxx.xxx.xxx.xxx
> sshd[xxx]: Failed unknown for illegal user username from xxx.xxx.xxx.xxx port x ssh2
>
> However, the older sshd version from Debian/woody by default only logs the following when trying to connect with an illegal username:
>
> sshd[xxx]: Connection from xxx.xxx.xxx.xxx port x
> sshd[xxx]: Enabling compatibility mode for protocol 2.0
>
> Is there a way to make the sshd included with Debian/woody also log the usernames an attacker tried to connect with?

Hey, I have found some thing. Rather than repost. I'll share where I posted it.

http://z.iwethey.org/forums/render/content/show?contentid=169321

Check it out.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: advice needed on how to proceed
On Fri, 2004-07-30 at 15:06, Martin-Éric Racine wrote:
> (note: I'm not subscribing to this list, please CC me)
>
> Bug#259993 was submitted on one of my packages, tagged as a security risk. Upstream has been quite cooperative in asserting the gravity and is very willing to fix anything that the submitter can demonstrate. The problem is that some of the submitter's claims appear questionable and that he refuses to substantiate. I'm tempted to tag this as wont-fix, but would like this list's input first.

This I believe is the same bug or Security Risk that caused our Mozilla Packager to remove the PS print engine from Mozilla and package it that way.

Now, a specific switch passed onto ghostscript needs to be used to fix the issue. From the gs man page:

    -dSAFER
        Disables the deletefile and renamefile operators and the ability to open files in any mode other than read-only. This is desirable for spoolers or any other environments where a malicious or badly written PostScript program must be prevented from changing important files.

This is what he is spouting about, I think.

Cheers.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: preventing /dev/kmem and /dev/mem writes?
On Mon, 2004-07-26 at 10:58, [EMAIL PROTECTED] wrote:
> On Mon, Jul 26, 2004 at 10:23:21AM -0400, Michael Stone wrote:
> > On Mon, Jul 26, 2004 at 11:38:33PM +1000, [EMAIL PROTECTED] wrote:
> > > /dev/kmem unusable. That, he says, will break lilo (I can't use GRUB as it doesn't support booting off RAID devices properly)
> > Hmm. Seems to work here.
> >
> > Mike Stone
>
> This was with a Mylex AcceleRAID 170 RAID 5 with 6 disks. That was when I last tried it 2 years ago. Maybe they have added that capability..

Umm, yes.

Update the Firmware on the Adapter.

Then run grub-install /dev/sda

Then (if this *IS* a Sarge or Sid machine) run update-grub, answer the questions.

Voila.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: mod_ssl 2.8.19 for Apache 1.3.31
On Mon, 2004-07-19 at 17:44, Peter Holm wrote:
> On Mon, 19 Jul 2004 23:30:14 +0200, Phillip Hofmeister [EMAIL PROTECTED] wrote:
> > Is this line in your /etc/apt/sources.list (or a line like it...)
> >
> > deb http://security.debian.org stable/updates main non-free contrib
>
> my /etc/apt/sources.list contains:
>
> deb http://security.debian.org/ stable/updates main
>
> does this affect updates for mod_ssl? I see nothing about an available update for this mod_ssl problem on debian.org/security?

Are you sure this affects Woody? What version of Apache and mod_ssl is in Woody? Are you capable of providing and working on a patch to back port the issue fixes if it affects Woody?

Have to make sure that you understand that if this DOES affect Woody, the fixes will have to be backported to the versions in Woody. It may even require another package or two to fix it fully.

BTW, does the term Regression testing mean anything to you? Are you willing to do regression testing for the Security Team? Are you willing to do the research needed to help reduce the time to fix release? Can you in fact do anything to help out? Are you even willing to Volunteer? Are you just able to complain and expect people to JUMP and DO? A taker and not a helper?

Debian needs people to HELP do the work, whatever work you can. Volunteers are the HEART and SOUL of Debian. Are you willing to be a Debian Volunteer?
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: Mozilla/Firefox PostScript/default security problems
Excuse the cross posting, but many are discussing on all of these lists.

On Sat, 2004-07-10 at 06:47, Magnus Therning wrote:
> > If I were to dselect today, would I still be able to print to file a website page as ps? [Y/N]
>
> Yes. Printing PS to a file is still possible. What is removed is the ability to have Mozilla/Firefox execute an external command (e.g. lpr) in order to print.

H. Now since printing to a file is fine. (DING, light goes on.)

What say we make a PIPE and attach it to something. Oh like say a print queue process, a redirect or something similar. That would allow us to use nearly anything we wanted to. Seems possible it'd be a simple process, given you could know what you are doing. Even for Epiphany or Galeon.

Heck, we could even have <insert favorite desktop environ here> do the work.
--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
ISC DHCP3 Certs (yes multiple)
http://www.kb.cert.org/vuls/id/654390
http://www.kb.cert.org/vuls/id/317350

Looks like uploads are in incoming.d.o ATM. 1517 UTC
--
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup
Re: Spam fights
Sent to list.

On Thu, 2004-06-10 at 14:31, Jaroslaw Tabor wrote:
> Hello!
>
> In the message of Thu, 10-06-2004, 19:06, Greg Folkert writes:
> > > Don't do it. Confirmation systems are just as bad as the problems that they try to solve.
> > Hear, hear. Agreement on all fronts. If I get a challenge, I put it into /dev/null
>
> I'm really surprised with your opinion. Is it so big a problem to press reply when you are sending a first email to someone new? You are receiving confirmation requests whenever you are trying to update DNS, subscribe to a newsgroup or talking with any automatic service. Is it so difficult?

You see there is a difference there. *I* initiated them, not some spammer. If someone doesn't want mail that could be very valuable to them, especially if they asked for it on D-U... forcing me to write another e-mail JUST to help them... nope, ain't gonna happen.

> Currently, in many cases when I'm sending email to an address found on a website I'm receiving a challenge, and I fully understand people doing it. A whitelist with email/IP can also decrease the number of challenges from spammers: email coming from a different IP can be treated as spam automatically.

I implemented SPAM Filtering software and have continued to train it with ham and spam. I started last year when I was getting ~ 6,000 Swen e-mails a day. My e-mail address is posted EVERYWHERE. Since that point, I get maybe 3 a day. When they (they being the spammers) find a new way to trick the Bayesian testing I use I'll get a spate of about 12 or so for a few days then back to maybe 3 a day. I use server side software (maildrop and procmail) to do the sorting after it has been graded by the filter. I still get up to 1000 e-mail messages a day, but those are from mailing lists and people I support via e-mail. If I had a CR system in place, I'd have to maintain more than I want. Consider in a given day, I e-mail about 30+ new people a day.

I also can be and am very busy in Debian's Mailing list(s), Samba, Exim, Grip, Elitists and many other venues. If I got a CR back for every one of the e-mails I sent to a mailing list, I'd be answering thousands of NEW Challenges a week. Sounds like SPAM to me.

When you understand that nearly every challenge I get comes from a forged envelope-from (or similar), I can't see how it reduces the problem, it just doubles, perhaps triples, the amount of mail traffic. Plus some are web-server driven auth, thereby causing a loading of the program and grabbing of the URI indicated in the e-mail I got from the Challenge.

So, basically: You get a piece of SPAM, your system sends out another piece of e-mail that is in response to the forged envelope, (assume) I get this e-mail and then have to delete this mail or respond to it (a third message) or go to a URI inside the Challenge (more processor time and bandwidth) just so *YOU* can verify my message was or was not SPAM?

I consider sending me e-mail in Challenge form as unsolicited e-mail. Therefore under my classification SPAM. Why should *I* verify your SPAM problem for you. I deal with mine, and mine alone. I am not going to spend resources (at my cost of those resources) to verify or not it being SPAM.

Of course if everyone just affirmed the Challenge every time, it would definitely not work. Whereas my solution would continue to.

I also drop all of the courtesy notifications that *I* sent an infected e-mail to a certain domain's user. There is another example of Unsolicited E-Mail. I don't care to know that someone forged my e-mail addy inside the one someone got. It does me absolutely ZERO good to even read these. I have an automated system to send those to /dev/null as well.

I deal with enough mail per day, CR systems DO NOT reduce my number, Spam filtering does. By the way, I do support Whitelisting and Blacklisting to make sure things I want to absolutely get through do, and things I don't won't.

BTW, are you not glad *I* don't CR everyone that e-mails me? It could have taken you 3 messages to get me to see one.
--
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup
Re: Spam fights
On Thu, 2004-06-10 at 04:58, Russell Coker wrote:
> On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote:
> > I'm planning to develop this feature, but it will be nice to hear what you think about this idea.
>
> Don't do it. Confirmation systems are just as bad as the problems that they try to solve.

Hear, hear. Agreement on all fronts. If I get a challenge, I put it into /dev/null

Whoever came up with those things (like TMDA and brethren), must have been pulling them out of /dev/ass
--
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup
Re: Major TCP Vulnerability
On Tue, 2004-04-20 at 14:29, Eric Dantan Rzewnicki wrote:
> Has anyone heard about this? this article has no details ... apologies for the post's data-mining ... I'm still looking for other references.
>
> http://www.washingtonpost.com/wp-dyn/articles/A27403-2004Apr20.html

SSDD, Same Stuff, Different Decade

This Vulnerability is ancient news, and it is not really a Vulnerability. What happens if the route goes dead? Same effect. Overloading a router with too many MAC addresses (overflow) has a similar effect, when the router re-inits. Another thing with the same effect.

I don't quite understand this. Poisoning BGP would be more effective.
--
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup
Re: name based virtual host and apache-ssl
On Wed, 2004-03-24 at 08:01, Russell Coker wrote:
> On Wed, 24 Mar 2004 22:22, Michael Stone [EMAIL PROTECTED] wrote:
> > The best you could do would be to attach different certificates to different ports, but that would be extremely cumbersome and probably would lead to confusion.
>
> What if you had http://www.company1.com/ redirect to https://www.company1.com:81/ and http://www.company2.com/ redirect to https://www.company2.com:82/ ?
>
> www.company1.com and www.company2.com would have the same IP address. This should work.

Why go that route. Many Proxies do not allow :81 :82 etc... It would suck. How many instances would that force you to run anyway. Many.

Almost be easier to just say SSL == Separate virtual/real machine, and that would suck as well. But, on the flip-side, most companies/people wanting SSL typically want their own machine to keep the info safe from other prying eyes.
--
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup
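The one-certificate-per-port arrangement Russell sketches, written out as an added Apache configuration example (not from anyone in the thread); the certificate and DocumentRoot paths are placeholders. It exists because with Apache 1.3 and mod_ssl the certificate had to be chosen before the client sent its Host: header, so only the IP:port pair could select it; on an Apache 2.x server with TLS Server Name Indication, one address on port 443 can serve both names and this workaround is unnecessary.

```apache
# One IP address, two HTTPS sites, one certificate per port.
Listen 80
Listen 81
Listen 82

# Plain HTTP: name-based vhosts work here, so each name is sent to its own HTTPS port.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.company1.com
    Redirect permanent / https://www.company1.com:81/
</VirtualHost>

<VirtualHost *:80>
    ServerName www.company2.com
    Redirect permanent / https://www.company2.com:82/
</VirtualHost>

# HTTPS: the certificate is bound to the port, not to the requested name.
# Certificate and key paths below are placeholders.
<VirtualHost *:81>
    ServerName www.company1.com
    DocumentRoot /var/www/company1
    SSLEngine on
    SSLCertificateFile /etc/apache/ssl/company1.crt
    SSLCertificateKeyFile /etc/apache/ssl/company1.key
</VirtualHost>

<VirtualHost *:82>
    ServerName www.company2.com
    DocumentRoot /var/www/company2
    SSLEngine on
    SSLCertificateFile /etc/apache/ssl/company2.crt
    SSLCertificateKeyFile /etc/apache/ssl/company2.key
</VirtualHost>
```

Greg's objection applies to the redirect targets: clients behind a proxy that only permits CONNECT to port 443 will never reach :81 or :82.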
Re: Known vulnerabilities left open in Debian?
On Mon, 2004-03-22 at 16:05, Matt Zimmerman wrote:
> On Mon, Mar 22, 2004 at 09:45:00PM +0100, Jan L?hr wrote:
> > Greetings,...
> >
> > On Monday, 22 March 2004 21:05, Matt Zimmerman wrote:
> > > On Mon, Mar 22, 2004 at 08:57:26PM +0100, Jan L?hr wrote:
> > > > Cron is another example [...]
> > >
> > > If you have concrete information about unfixed bugs, bring it forth.
> > > Otherwise this is just more FUD.
> >
> > Moz bug 228176 [1] is an example.
>
> We have been over the mozilla situation several times; if you have
> something helpful to contribute, I would like to hear it. Vague
> allusions to "insecure by definition" don't fall into that category,
> though.

THANK YOU!

-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup
Re: W32/Mydoom@MM (was: Re: )
On Tue, 2004-01-27 at 11:50, s. keeling wrote:
> Incoming from Eduardo Almeida:
> > I don't know if all of you already heard about this. This message is
> > a virus as you can see below.
>
> Pardon me if this seems a bit thick headed, but why should I care?
> The Windows world is always being attacked by crap like this. Why is
> this news? I don't use Windows. Since you're using Evolution, I assume
> you aren't either. So what's the big deal? Of course if you're using
> Debian as a mailserver for an internal Windows network, this may
> affect you, but what's it got to do with Debian?

I use Andreas Metzler's and Marc Haber's Exim4 Debian package. I use
the Heavy Daemon with Exiscan-acl compiled in. In
/etc/exim4/conf.d/acl/40_exim4-config_check_data:

    deny !senders = :
         condition = ${if !def:h_Message-ID: {1}}
         message = RFC2822 says you SHOULD have a Message-ID.\n\
                   Most messages without it are spam,\n\
                   so your mail has been rejected.

There, now it pertains to Debian!

-- 
greg, [EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
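The Exim ACL quoted in the message above, modelled in Python as an added example (not code from the thread or from the exim4 package): it evaluates the same two conditions, a non-empty envelope sender (`!senders = :`, i.e. not a bounce) and a missing Message-ID header (`${if !def:h_Message-ID: {1}}`), over constructed sample messages. Treating a whitespace-only Message-ID as undefined is this model's assumption.

```python
"""Model of the exim4 check_data ACL rule that rejects mail without a
Message-ID. Added example; the sample messages below are constructed."""
from email import message_from_string

REJECT_TEXT = ("RFC2822 says you SHOULD have a Message-ID. "
               "Most messages without it are spam, "
               "so your mail has been rejected.")


def check_data_acl(envelope_sender: str, raw_message: str) -> tuple:
    """Return ("deny", reason) or ("accept", "") for one message at DATA time.

    envelope_sender is the SMTP MAIL FROM address; "" means a bounce (<>).
    """
    msg = message_from_string(raw_message)
    # "!senders = :" -- the colon is an empty list, so the condition reads
    # "sender is not the empty sender", i.e. this is not a bounce message.
    not_a_bounce = envelope_sender != ""
    # "${if !def:h_Message-ID: {1}}" -- true when no Message-ID header is
    # defined. A whitespace-only value is treated as undefined here (assumption).
    message_id_missing = not (msg.get("Message-ID") or "").strip()
    if not_a_bounce and message_id_missing:
        return ("deny", REJECT_TEXT)
    return ("accept", "")


# Constructed sample messages (not real mail).
WITH_ID = ("From: alice@example.org\r\nMessage-ID: <1@example.org>\r\n"
           "Subject: hi\r\n\r\nbody\r\n")
NO_ID = "From: alice@example.org\r\nSubject: hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for label, sender, raw in [("normal", "alice@example.org", WITH_ID),
                               ("no-id", "alice@example.org", NO_ID),
                               ("bounce-no-id", "", NO_ID)]:
        verdict, reason = check_data_acl(sender, raw)
        print(f"{label}: {verdict} {reason}")
```

The third case shows why the rule starts with `!senders = :`: a bounce (empty sender) without a Message-ID is still accepted, so delivery failure reports are not rejected by this check.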
Re: LKM
On Mon, 2004-01-26 at 10:06, Matthijs wrote:
> On Mon, 2004-01-26 at 11:40, Thiago Ribeiro wrote:
> > Hi,
> >
> > When I run tiger, I got the following error:
> >
> >   NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit installation
> >   NEW: Warning: Possible LKM Trojan installed
> >
> > But I already listed my processes and found nothing... What can this be?
>
> You know what an LKM is? It's a Loadable Kernel Module and it can hide
> itself and processes and files... So please check your computer

Please make sure this isn't the faulty chkrootkit... that mis-reported
an LKM existing on your boxen. First off, what version of tiger and
chkrootkit are you using? If chkrootkit is not the misguided version,
use the latest versions of both.

-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Re: strange passwd behaviour
On Thu, 2003-12-04 at 15:12, Ruben Porras wrote:
> I've discovered that login, sudo, gdm only take care of the first 8
> characters of the passwd. The following characters don't count. See the
> following example (I've created a new user just to make the test):
>
>   $$ adduser test
>   Adding user test...
>   Adding new group test (1006).
>   Adding new user test (1006) with group test.
>   Enter new UNIX password: qwertyuiop     -- this, for example 10 letters
>   Retype new UNIX password: qwertyuiop
>   passwd: password updated successfully
>   Changing the user information for test
>   Enter the new value, or press ENTER for the default
>           Full Name []:
>           Room Number []:
>           Work Phone []:
>           Home Phone []:
>           Other []:
>   Is the information correct? [y/n] y
>   $$ su test
>   Password: qwertyui     --- only 8 letters (qwertyuivnksshfdd, for example would be also ok)
>   $$ whoami
>   test
>
> I don't see anything about this in BTS, I'm puzzled.

Why would it be in BTS? That is standard SOP. If you are root... no
password needed on that unless you have more than traditional *NIX
security. Remember root OWNS the system. root RULES the roost. Now if
you try it as an unprivileged user and it succeeds... then we gots LOTSA
problems to deal with.

-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry