Re: NSA software in Debian

2014-01-23 Thread Kevin Olbrich

On 23.01.2014 at 13:31, Marko Randjelovic wrote:

> On Wed, 22 Jan 2014 16:16:21 -0800
> Andrew Merenbach  wrote:
> 
>> I installed the i386 architecture and installed the `paxtest' suite.  My 
>> results were fairly disappointing, to be honest:
> 
>>> $ sudo paxtest blackhat
>>> Executable anonymous mapping (mprotect)  : Vulnerable
>>> Executable bss (mprotect): Vulnerable
>>> Executable data (mprotect)   : Vulnerable
>>> Executable heap (mprotect)   : Vulnerable
>>> Executable stack (mprotect)  : Vulnerable
>>> Executable shared library bss (mprotect) : Vulnerable
>>> Executable shared library data (mprotect): Vulnerable
>>> Writable text segments   : Vulnerable
> 
> It's a good idea to configure the kernel (grsec options) before
> recompiling. Probably MPROTECT feature is not enabled in kernel, or your
> CPU doesn't have NX bit feature.
> 
>> A followup there links to the following bug, "linux-2.6: [RFC] Add a grsec 
>> featureset to Debian kernels":
>> 
>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090>
> 
> This would of course be the real solution.

I would also like this. Yesterday I started compiling 3.2.54 with grsec and 
PaX. A ready debian kernel(-source) with grsec and PaX would be fine.
Currently I am distributing my special packages via my own repository - is 
there any concern when making it public (copyright, etc.)?

> 
> -- 
> Education is a process of making people see what is advanced and not
> obvious, but also not see what is basic and obvious.
> 
> http://markorandjelovic.hopto.org
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/20140123133150.71dbc...@eunet.rs
> 

Kevin Olbrich.




Re: finding a process that binds a specific port

2014-01-22 Thread Kevin Olbrich
Yes but this is only the case when rkhunter was active before.
AFAIK rkhunter itself has no signatures, it generates the initial checksums on 
first start.

Best regards,
Kevin Olbrich.
Web: http://kevin-olbrich.de/
--
This e-mail contains confidential and/or legally protected information. 
If you are not the intended recipient and/or have received this e-mail in 
error, please inform the sender immediately and destroy this e-mail. 
Unauthorized copying or forwarding of this e-mail is not permitted.

On 23.01.2014 at 00:22, NOKUBI Takatsugu wrote:

> At Wed, 22 Jan 2014 19:47:27 +0700,
> Andika Triwidada wrote:
>> 
>> On Wed, Jan 22, 2014 at 7:37 PM, Nico Angenon  wrote:
>>> the same...no output
>> 
>> could be hidden by rootkit :(
> 
> I think so too.
> 
> Could you try to use debsums and rkhunter? It would find cracked
> commands.
> 
> 
> 



Re: NSA software in Debian

2014-01-22 Thread Kevin Olbrich


> 
> On Jan 22, 2014, at 9:59 AM, Kevin Olbrich  wrote:
> 
>> Wouldn't this mean there is an error message? The patch could work with a 
>> newer kernel in general (?).
>> 
>> I did not try it but are there so many changes between both releases?
> 
> Hi Kevin,
> 
> I just tried this on Debian with kernel 3.2.51 in a VM and while it succeeds 
> (as it did in my primary install), the patch version may indeed be 
> mismatched, which I definitely missed before.  Bold formatting added by me:
> 
>> Preconfiguring packages ...
>> Selecting previously unselected package libgettextpo0:amd64.
>> (Reading database ... 114419 files and directories currently installed.)
>> Unpacking libgettextpo0:amd64 (from .../libgettextpo0_0.18.1.1-9_amd64.deb) 
>> ...
>> Selecting previously unselected package autopoint.
>> Unpacking autopoint (from .../autopoint_0.18.1.1-9_all.deb) ...
>> Selecting previously unselected package dctrl-tools.
>> Unpacking dctrl-tools (from .../dctrl-tools_2.22.2_amd64.deb) ...
>> Selecting previously unselected package gettext.
>> Unpacking gettext (from .../gettext_0.18.1.1-9_amd64.deb) ...
>> Selecting previously unselected package gradm2.
>> Unpacking gradm2 (from .../gradm2_2.9.1~201206091838-1_amd64.deb) ...
>> Selecting previously unselected package intltool-debian.
>> Unpacking intltool-debian (from 
>> .../intltool-debian_0.35.0+20060710.1_all.deb) ...
>> Selecting previously unselected package po-debconf.
>> Unpacking po-debconf (from .../po-debconf_1.0.16+nmu2_all.deb) ...
>> Selecting previously unselected package kernel-package.
>> Unpacking kernel-package (from .../kernel-package_12.036+nmu3_all.deb) ...
>> Selecting previously unselected package libsys-hostname-long-perl.
>> Unpacking libsys-hostname-long-perl (from 
>> .../libsys-hostname-long-perl_1.4-2_all.deb) ...
>> Selecting previously unselected package libmail-sendmail-perl.
>> Unpacking libmail-sendmail-perl (from 
>> .../libmail-sendmail-perl_0.79.16-1_all.deb) ...
>> Selecting previously unselected package linux-source-3.2.
>> Unpacking linux-source-3.2 (from .../linux-source-3.2_3.2.51-1_all.deb) ...
>> Selecting previously unselected package linux-patch-grsecurity2.
>> Unpacking linux-patch-grsecurity2 (from 
>> .../linux-patch-grsecurity2_2.9.1+3.2.21-201206221855-1_all.deb) ...
>> Processing triggers for man-db ...
>> Processing triggers for install-info ...
>> Setting up libgettextpo0:amd64 (0.18.1.1-9) ...
>> Setting up autopoint (0.18.1.1-9) ...
>> Setting up dctrl-tools (2.22.2) ...
>> Setting up gettext (0.18.1.1-9) ...
>> Setting up gradm2 (2.9.1~201206091838-1) ...
>> Setting up intltool-debian (0.35.0+20060710.1) ...
>> Setting up po-debconf (1.0.16+nmu2) ...
>> Setting up kernel-package (12.036+nmu3) ...
>> Setting up libsys-hostname-long-perl (1.4-2) ...
>> Setting up libmail-sendmail-perl (0.79.16-1) ...
>> Setting up linux-source-3.2 (3.2.51-1) ...
>> Setting up linux-patch-grsecurity2 (2.9.1+3.2.21-201206221855-1) ...
> 

Okay but this mismatch does not automatically mean it is not working.
Can you check if the features are present? Maybe the patch is still compatible 
with a newer kernel?

> Best,
> Andrew


Best regards,
Kevin Olbrich.
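
Added example, not part of any message in this thread: a shell script for the two checks raised here, whether the patch package targets the same release as the kernel source (using the version strings from the install log above) and whether the grsecurity/PaX options and the CPU `nx` flag Marko mentions in the paxtest reply are actually present. The `<grsec>+<kernel>-<timestamp>-<rev>` reading of the package version is an assumption based on that log, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: check whether a kernel really carries grsecurity/PaX.
# Paths default to the live system; pass other files to inspect a saved copy.

# patch_target VERSION -> kernel release a linux-patch-grsecurity2 version was
# made for, assuming the "<grsec>+<kernel>-<timestamp>-<rev>" layout seen in
# the install log (2.9.1+3.2.21-201206221855-1 -> 3.2.21).
patch_target() {
    v=${1#*+}
    echo "${v%%-*}"
}

# source_release VERSION -> upstream release of a linux-source package version
# (3.2.51-1 -> 3.2.51).
source_release() {
    echo "${1%%-*}"
}

# versions_match PATCH_VERSION SOURCE_VERSION -> true if both name one release.
versions_match() {
    [ "$(patch_target "$1")" = "$(source_release "$2")" ]
}

# config_on FILE OPTION -> true if OPTION=y is set in a kernel config file.
# A disabled option appears as "# OPTION is not set" and does not match.
config_on() {
    grep -q "^$2=y\$" "$1"
}

# cpu_has_nx FILE -> true if the flags line of a cpuinfo file lists "nx".
cpu_has_nx() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]nx([[:space:]]|$)' "$1"
}

# grsec_report [CONFIG] [CPUINFO] -> one "name=yes|no" line per check.
grsec_report() {
    cfg=${1:-/boot/config-$(uname -r)}
    cpu=${2:-/proc/cpuinfo}
    for opt in CONFIG_GRKERNSEC CONFIG_PAX CONFIG_PAX_NOEXEC CONFIG_PAX_MPROTECT; do
        if config_on "$cfg" "$opt"; then echo "$opt=yes"; else echo "$opt=no"; fi
    done
    if cpu_has_nx "$cpu"; then echo "cpu_nx=yes"; else echo "cpu_nx=no"; fi
}

# When run with arguments, report on the given config and cpuinfo files.
if [ "$#" -gt 0 ]; then
    grsec_report "$@"
fi
```

A report with `CONFIG_PAX_MPROTECT=no` or `cpu_nx=no` on the booted kernel is consistent with the "Vulnerable" lines paxtest prints for the mprotect tests.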

Re: NSA software in Debian

2014-01-22 Thread Kevin Olbrich
Wouldn't this mean there is an error message? The patch could work with a newer 
kernel in general (?).

I did not try it but are there so many changes between both releases?

Best regards,
Kevin Olbrich.

(sent from my iPhone)


> On 22.01.2014 at 18:53, Andrew Merenbach wrote:
> 
> 
> On Jan 22, 2014, at 6:01 AM, Marko Randjelovic  wrote:
> 
>>> It appears that this patch is available in the apt repos under the 
>>> "kernel" section (sensibly enough) as:
>>> 
>>> linux-patch-grsecurity2
>>> 
>>> Once it's downloaded, it patches the kernel in an automated fashion and 
>>> doesn't force a reboot (although I believe you still need one to make it 
>>> effective, I suppose).
>> 
>> AFAIK, it's for kernel 3.2.21, I don't see how it could work with
>> Wheezy kernel - 3.2.51.
> 
> 
> Hi Marko,
> 
> Thank you for the heads-up.  `uname -a` indicates that I am indeed using 
> 3.2.51.  I should probably have done my research more carefully before 
> blindly installing a kernel patch.  :-X
> 
> Cheers,
> Andrew


Re: NSA software in Debian

2014-01-22 Thread Kevin Olbrich



> On 22.01.2014 at 15:13, Marko Randjelovic wrote:
> 
> On Wed, 22 Jan 2014 15:08:39 +0100
> "Milan P. Stanic"  wrote:
> 
>> I found it a lot easier to go with vanilla kernel and grsec/pax patch
>> instead of using Debian kernels.
> 
> Of course, but then secret services won't see you are using Debian :)

Yes, but he could mail them the root password ;)

> 
> -- 
> Education is a process of making people see what is advanced and not
> obvious, but also not seeing what is basic and obvious.
> 
> http://markorandjelovic.hopto.org
> 
> 
> 





Re: finding a process that binds a specific port

2014-01-22 Thread Kevin Olbrich
Do you have IntelliJ installed in this box?

http://stackoverflow.com/questions/13345986/intellij-idea-using-10001-port

Best regards,
Kevin Olbrich.

(sent from my iPhone)


> On 22.01.2014 at 14:01, "Nico Angenon" wrote:
> 
> Same : No output...
> 
> Nico
> 
> -----Original Message-----
> From: johan A. van Zanten
> Sent: Wednesday, January 22, 2014 1:56 PM
> To: n...@creaweb.fr
> Cc: debian-security@lists.debian.org
> Subject: Re: finding a process that binds a specific port
> 
> "Nico Angenon"  wrote:
>> nope... never used this service...
>> Still looking for an explanation, try chkrootkit and rkhunter right
>> now
> 
> Try fuser:
> 
> fuser -n udp 10001
> 
> -johan
> 
> 
> 
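
Added example, not from any poster in this thread: when `fuser -n udp 10001` prints nothing, the socket can still be looked up in procfs and matched against the descriptors each process holds. `PROC_ROOT` and the function names are assumptions of this example; run it as root so other processes' descriptors are readable.

```shell
#!/bin/sh
# Added example: map a UDP port to its socket inode and owning PIDs via procfs.
# PROC_ROOT is a hypothetical override so the functions can read a saved copy.
PROC_ROOT="${PROC_ROOT:-/proc}"

# udp_inodes PORT -> inode of every UDP socket bound to PORT.
# Columns of /proc/net/udp: sl local_address rem_address st tx:rx tr:when
# retrnsmt uid timeout inode ...; the local port is upper-case hex after ":".
udp_inodes() {
    hexport=$(printf '%04X' "$1")
    for table in "$PROC_ROOT/net/udp" "$PROC_ROOT/net/udp6"; do
        [ -r "$table" ] || continue
        # Appending "" forces a string comparison, so 0100 never equals 1E02.
        awk -v p="$hexport" 'NR > 1 {
            n = split($2, a, ":")
            if ((a[n] "") == (p "")) print $10
        }' "$table"
    done
}

# inode_pids INODE -> each PID holding a descriptor on socket:[INODE].
inode_pids() {
    for fd in "$PROC_ROOT"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$PROC_ROOT"/}
        echo "${pid%%/*}"
    done | sort -un
}

# port_owner PORT -> "inode=N pids=P1,P2" per socket, or "pids=none".
# "none" means no readable process holds the socket: typical for sockets the
# kernel opened itself (for example NFS lockd), or for a caller that may not
# read other users' /proc/PID/fd entries.
port_owner() {
    for inode in $(udp_inodes "$1"); do
        pids=$(inode_pids "$inode" | paste -sd, -)
        echo "inode=$inode pids=${pids:-none}"
    done
}

# When run with a port number, report on the live system.
if [ "$#" -gt 0 ]; then
    port_owner "$1"
fi
```

No output at all means nothing is bound to the port in the kernel's own table, which is a different finding from a bound socket with no visible owner.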


Re: NSA software in Debian

2014-01-20 Thread Kevin Olbrich
Is SELinux disabled on new debian installs?

Best regards,
Kevin Olbrich.
Web: http://kevin-olbrich.de/

On 20.01.2014 at 18:22, Octavio Alvarez wrote:

> On 01/20/2014 05:29 AM, Marco Saller wrote:
>> I have read that the NSA proposed to include SELinux in linux 2.5. (Linux 
>> Kernel Summit 2001)
>> Don't you think that may be one of their fancy tricks to gain access to 
>> computers running linux? Some news websites also mention vulnerabilities 
>> similar to this one.
>> It would be a great idea to include malicious software to kernel modules.
> 
> It is easy to come up with that idea, and it's easy to fear it. It's
> easy to write about it and to popularize it and cause mass-delusion.
> It's difficult to prove, though.
> 
> If you consider that SELinux code is available and with so many auditing
> humans and tools it's not as easy as it sounds. It can happen, but it's
> not as easy as "they can, therefore they are".
> 
> As others have said, the NSA doesn't need specific backdoors. There are
> many vulnerabilities in all software already available which are already
> being exploited.
> 
> The more general problem is that not all programmers like or know
> formality and that not all developers like strict code and algorithm
> correctness. *That* is something to worry about.
> 
> I wouldn't worry about SELinux specifically.
> 
> 
> 



Re: NSA software in Debian

2014-01-19 Thread Kevin Olbrich
Hi,

I did not know about grsecurity. Thanks for the hint. After some quick browsing 
it seemed it works like the windows code execution protection. I will try to 
compile the kernel with this patch like you did.

Linux is the most secure OS IMHO - distributing this patch in debian would be 
great I think (as soon as all apps are compatible).

Best regards,
Kevin Olbrich.

(sent from my iPhone)


> On 20.01.2014 at 00:49, Marko Randjelovic wrote:
> 
> On Sat, 18 Jan 2014 15:04:48 -0500
> Noah Meyerhans  wrote:
> 
>>> On Sat, Jan 18, 2014 at 08:30:49PM +0100, Marco Saller wrote:
>>> i am not sure if this question has been asked or answered yet, please do 
>>> not mind if i would ask it again.
>>> Is it possible that the NSA or other services included investigative 
>>> software in some Debian packages?
> 
> They don't need to do it. Software is full of security bugs. Most
> suitable are web browsers. NSA controls Internet backbone routers. Just
> check CVE records for Internet Explorer, Firefox or Chrome. Firefox ESR
> is meant for security, but 17 ESR had 11 updates, which means before
> bugs were corrected you were vulnerable. And probably there are still,
> but 17 ESR is not anymore supported and you have to go to 24 ESR which
> certainly brings new bugs and so on.
> 
>> 
>> It is absolutely possible. It's even possible that you yourself have
>> added such software to Debian! Can you prove that you haven't?
>> 
>> That line of thinking leads to madness. The only rational conclusion,
>> once you start down that path, is to turn off your computers and move to
>> a remote cabin in the wilderness.
> 
> What would make you highly suspicious.
> 
>> It will never be possible to prove
>> that there is no malicious software in Debian or in any other OS. Beyond
>> that, it will never be possible to prove that there is no malicious
>> *hardware* running executing your OS.
>> 
>> We can and do take care to ensure that all changes to Debian are made by
>> people authorized to make those changes. (Package uploads must be signed
>> by a Debian developer.) We can and do take care to ensure that the
>> packages you download have not been modified in transmission (signing of
>> Release files, checksums on Packages files and on packages themselves.)
>> Etc. If deficiencies are found in our mechanisms or policies, then we
>> take steps to improve them. If violations are found, then we take steps
>> to audit for impact and resolve any potentially malicious actions that
>> we identify. We take great care to minimize the likelihood of any sort
>> of backdoor or malicious code in Debian, but none of this can provide
>> 100% proof that such a thing doesn't exist.
> 
> But Debian doesn't support grsecurity and similar security enhancements
> for linux kernel[1], though PaX[2] is a serious protection from
> exploiting security bugs in software. I needed a lot of time in order
> to successfully patch Debian kernel with grsecurity, though I
> immediately removed all features/* patches. It's because patch B can
> assume patch A is applied and when patch A is not applied, then patch B
> fails. But it is possible patch B is still needed. For that reason, and
> the reason of availability of newer kernel in backports repo, my
> opinion is features patches are unneeded and make more problems than
> benefit.
> 
>> Anybody that claims that
>> they can prove otherwise, for Debian or any other OS, is either lying or
>> ignorant.
>> 
>> noah
> 
> [1] https://lists.debian.org/debian-devel/2003/09/msg01133.html
> [2] https://en.wikipedia.org/wiki/PaX
> 
> -- 
> Education is a process of making people see what is advanced and not
> obvious, but also not seeing what is basic and obvious.
> 
> http://markorandjelovic.hopto.org





Re: Can't find gpg key AD11CF6A

2014-01-19 Thread Kevin Olbrich
Hi,

there is an open bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707006

http://osdir.com/ml/debian-live/2013-06/msg00029.html

You can post to:
https://lists.debian.org/debian-live/

Best regards,
Kevin Olbrich.
Web: http://kevin-olbrich.de/

On 19.01.2014 at 20:34, sebs...@gmx.de wrote:

> Hi,
> 
> i want to verify the checksum files of current debian live cds. gpg says they 
> were signed with key id AD11CF6A. The instructions on 
> http://keyring.debian.org/ say this key is included in debian gpg keyring:
> 
> [...]
> pub   4096R/AD11CF6A 2013-05-06
>  Key fingerprint = 1E4F 435C 4E9A 42B3 D9DF  BE3A 510A D6B9 AD11 CF6A
> uid Debian Live Signing Key (2013) 
> [...]
> 
> I apt-get latest debian-keyring.deb. But still
> 
> gpg --verify MD5SUMS.sign
> 
> claims key not found. When i let gpg list the content of the gpg files that 
> came with debian-keyring.deb this key seems not included. And running 
> http://db.debian.org/ LDAP search for the fingerprint gave no result.
> 
> Did i get it wrong? What can i do?
> 
> Regards
> 
> PS: i did not subscribe to this list
> 
> 
> 



Re: NSA software in Debian

2014-01-19 Thread Kevin Olbrich
Even if there would not be a manipulated software package - hardware 
manipulation in mainboards or network hardware (like cisco does) is already 
known.

Best regards,
Kevin Olbrich.

(sent from my iPhone)


> On 18.01.2014 at 22:30, Justin Andrusk wrote:
> 
> I would expect it to be root kit of some form, most likely to dwell in a 
> non-free repo. 
> 
> 
>> On Sat, Jan 18, 2014 at 3:14 PM, Kevin Olbrich  
>> wrote:
>> Hello,
>> 
>> This is a chance of 1 in 5.
>> I think there are ways we would never imagine yet. Just think of such a 
>> possibility in qt and there would be thousands of zombie apps.
>> 
>> Best regards,
>> Kevin Olbrich.
>> 
>> (sent from my iPhone)
>> 
>> 
>> > On 18.01.2014 at 20:39, Bjoern Meier wrote:
>> >
>> > hi,
>> >
>> > 2014/1/18 Marco Saller :
>> >> Hey there,
>> >>
>> >> i am not sure if this question has been asked or answered yet, please do 
>> >> not mind if i would ask it again.
>> >> Is it possible that the NSA or other services included investigative 
>> >> software in some Debian packages?
>> >>
>> >> Mit freundlichen Grüßen / Best Regards / 谨致问候
>> >>
>> >> Marco Saller
>> >
>> > if you let this conspiracy out, yes of course it is possible:
>> > http://en.wikipedia.org/wiki/Security-Enhanced_Linux
>> > You should always have in mind, that not only one has insight in the code.
>> > Just the Firmware blobs, but I think this too way out of the
>> > cost–benefit for the NSA.
>> > But try it. Try to add a Backdoor or a "home telephone" in any of the
>> > opensource software.
>> > My guess: you get this thrown back on 80%.
>> >
>> > Greetings,
>> > Björn
>> >
>> >
>> >
>> 
>> 
> 


Re: NSA software in Debian

2014-01-18 Thread Kevin Olbrich
Hello,

This is a chance of 1 in 5.
I think there are ways we would never imagine yet. Just think of such a 
possibility in qt and there would be thousands of zombie apps.

Best regards,
Kevin Olbrich.

(sent from my iPhone)


> On 18.01.2014 at 20:39, Bjoern Meier wrote:
> 
> hi,
> 
> 2014/1/18 Marco Saller :
>> Hey there,
>> 
>> i am not sure if this question has been asked or answered yet, please do not 
>> mind if i would ask it again.
>> Is it possible that the NSA or other services included investigative 
>> software in some Debian packages?
>> 
>> Mit freundlichen Grüßen / Best Regards / 谨致问候
>> 
>> Marco Saller
> 
> if you let this conspiracy out, yes of course it is possible:
> http://en.wikipedia.org/wiki/Security-Enhanced_Linux
> You should always have in mind, that not only one has insight in the code.
> Just the Firmware blobs, but I think this too way out of the
> cost–benefit for the NSA.
> But try it. Try to add a Backdoor or a "home telephone" in any of the
> opensource software.
> My guess: you get this thrown back on 80%.
> 
> Greetings,
> Björn
> 
> 
> 

