Dumb question
What's chroot ?
Re: Benign crackers?
Daniel Stark wrote:
> You wouldn't actually imply that hackers are out there providing a
> welcome service do you? I can see if you asked for your network to
> be stress tested, but to go as far as saying they provide a welcome
> service? Come on! Yeah, they might have found a security hole, but
> oops, now the firewall admin is out of a job. People should
> constantly strive to secure their own boxen, we don't need hackers to
> do it for us.

I would imply that truly benign hackers are good. We should try to secure our own boxen, but what if we miss something? I'd rather have a benign hacker find it than a bad bad hacker find it. It's like open-source, the more good eyes, the less bad problems... Of course, if a benign hacker got me, I'd also be inclined to re-format and re-install, bearing in mind their entry point... Just in case.

GBY
Anti Virus for Debian
Are there any GPL or similar anti-virus programs for Linux ? Any recommendations ? GBY
Re: Debian or Redhat 7???
It may get too heavy to not mirror the security update packages. Why don't we put signature verification into apt and dpkg and mirror everything ? And perhaps have a tool that checks a bunch of known mirrors for discrepancies in the keyring packages ? And have a single URL, location aware, load balancing server ? :)

(I know we've been through this before. I just had a brainwave and wanted to see if anyone was interested in doing the above. Sorry for the lack of realism, but not for the extra zeal)

GBY

Tal Danzig wrote:
> There are no mirrors of security.debian.org (or shouldn't be)
> for security reasons.
> This way the authenticity of security packages can be better controlled.
>
> - Tal
Re: Debian or Linux 7???
Steve Rudd wrote:

Hi Steve,

It's not just the kernel that can get hacked. Is it Linux 7 or Redhat 7 ? (I'm pretty sure it's Redhat 7). Anyway, I'm pretty new to Debian and Linux so anyone please feel free to correct me.

An example of the different methodologies between Redhat and Debian: the stable version of Debian doesn't use the latest kernel; it hasn't been tested enough yet (I assume). I heard that Redhat and Mandrake (no offense, I like all Linuxes) act a bit like capitalist companies; they want their product to be popular, so they throw in all the latest stuff, sacrificing some stability and security (by not testing enough) for "the edge!", having the most popular product. I think that about sums up the security differences between Debian and most other distros. I believe the Debian maintainers and developers take a more methodical, technical view of things.

---

A cool thing about Debian is the super control it gives you about what runs on your box and what it can access. I think it actually sacrifices user friendliness (for newbies like me) in exchange for control. I tried Corel Linux last week (which is kind of based on Debian) and it installed everything without me typing more than my name, hitting "next, next, next". It did a pretty good job, it only missed my sound card! But I didn't know what it had installed on my machine, and exactly what it was doing!

I recently read the "Secure Install" thread in this group and tried it. I killed Corel, and re-installed from the CD and just exited out of DSelect. (I discovered by the way that you should at least select the "6) Remove..." option before exiting, so it can remove the pcmcia packages). Anyway, after that I installed things as I desired with apt-cache search and apt-get install. (Thank you developers of apt-setup, and apt-cdrom!). The point is, by installing packages one at a time, and checking things after, I could keep great control of everything on my machine.

I also know what modules are loading, from /etc/modules.conf and /etc/modules. I also know what services are running in different run levels from the /etc/rc2.d and other directories. It's so cool. I'm not an expert on security, I've never been hacked or virused since I started Linux about a year ago! (Practically all of my MS friends have had viruses though!)

Enough blurb...

GBY
Re: sources.list
I ran apt-setup and it automatically added my local mirrors. I'm not sure if it wipes your previous sources.list though... GBY
insecure temporary file creation
I just wanted to bring this to the attention of those who care... Because there were quite a few insecure temp file creation reports a while ago, perhaps some of us should use this tool to find more ASAP. It was in the fresh meat mailing list:

[012] - Eliott 1.0 (Stable)
by j (http://freshmeat.net/users/frankdenis/)
Monday, February 5th 2001 16:51

Eliott is a tool to help system administrators and programmers discover insecure temporary file creation, even in closed-source applications. It watches a directory for file creation/deletion/writes using the dnotify facility of Linux 2.4.x. Every change is logged, even temporary files with a very short lifetime. In addition to logging, Eliott can simulate hard-link exploits in order to find and report vulnerable applications.

License: GNU General Public License (GPL)
URL: http://freshmeat.net/projects/eliott/

GBY
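An added illustration of the bug class the Eliott announcement above refers to; it is not part of the original post and is not Eliott's code. Inside a private sandbox directory it pre-places a hard link at a predictable temp-file path, then compares an `O_CREAT | O_TRUNC` open with an `O_CREAT | O_EXCL` open. All file and function names are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern: predictable name, reuses whatever already sits at the path. */
static int open_tmp_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: fail unless this call creates the file; never follow a symlink. */
static int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static off_t size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Returns a bitmask, or -1 if the sandbox could not be set up:
 *   bit 0: exclusive open refused with EEXIST and the linked file is intact
 *   bit 1: insecure open truncated the linked file */
int run_link_check(void) {
    char dir[] = "/tmp/tmpcheck.XXXXXX";
    char target[64], tmpname[64];
    int result = 0, fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/important.dat", dir);  /* constructed */
    snprintf(tmpname, sizeof tmpname, "%s/app.1234", dir);     /* constructed */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8) return -1;
    close(fd);
    if (link(target, tmpname) != 0) return -1;  /* the pre-existing link */

    fd = open_tmp_exclusive(tmpname);
    if (fd < 0 && errno == EEXIST && size_of(target) == 8) result |= 1;
    if (fd >= 0) close(fd);

    fd = open_tmp_insecure(tmpname);
    if (fd >= 0) { close(fd); if (size_of(target) == 0) result |= 2; }

    unlink(tmpname); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    int r = run_link_check();
    if (r < 0) { perror("sandbox setup"); return 2; }
    printf("exclusive refused=%d insecure truncated=%d\n", r & 1, (r >> 1) & 1);
    return r == 3 ? 0 : 1;
}
```

In application code, `mkstemp(3)` gives the same exclusive-create guarantee together with an unpredictable name and mode 0600.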
Re: The Next Yahoo
Who is the list maintainer ? GBY
Re: mirroring security.debian.org?
What about having a nightly email out of updates (with GPG) for those that really need them and charging the subscribers (except contributors)? I would imagine corporate sites subscribing. That way there'll be more bandwidth for the developers, and the income can be used for the Debian project. GBY
Re: ISPs offering ssl-encrypted e-mail?
> I think that has a lot to do with the fact that they don't explicitly say
> to run something else, or give a URI for a different mail client. A news
> story that said, "... your email is insecure ... run this to make it better
> http://debian.org/ :)", might get some people using non-outlook, esp if the
> URI was for a decent windoze email client instead of a whole new OS :) (I've
> never checked email from 'doze in my life, except by ssh, but I assume such
> a beast must exist...).

A bunch of ppl (who can without getting fired) should make their mail/list servers attach that message to the bottom of all emails passing through that are generated by extremely unsecure clients (like this one)! ;)

GBY
Re: ISPs offering ssl-encrypted e-mail?
> 1) Because the vast majority of users are completely ignorant of security
> issues, or simply don't care.

It's true, I worked for a company that made an email client, which shipped with a service, the client is for portable use (like hotmail) but not web based. The program runs off the floppy, requires a passphrase, and stores all user information in DES encrypted files on the floppy. It tries not to let anything get swapped or written to the host computer. The trouble was finding a market for it. They're still looking. Nobody knows, nobody cares. Perhaps someone should expose the truth of the general lack of email security to the media, and let them scare everybody!

GBY
Re: ISPs offering ssl-encrypted e-mail?
You gave me a brain wave :) Perhaps email security having four stages:

1 MIME
2 SSL
3 SSL + Encrypted storage on mail server
4 PGP/GPG/S-MIME

I don't think anyone offers number 3. I heard there was a PGP-like web mail service where they generate your private key for you and store it on their server! The best solution may be for everyone to popularize GPG/PGP. And fix that bug that makes some GPG keys unimportable into PGP. Sorry for the babble!
Re: checking security logs
> Is it not normal for nameservers to "talk" to each other?
> Or are nameservers only supposed to "talk" to their listed forwarders?

Perhaps your server is listed as an up-stream server for someone else's server ?

> What about [A-M].ROOT-SERVERS.NET?

DNS servers are only supposed to talk to their up-stream (or down-stream) servers; the up-stream may have the result they want cached from a request from another server on the same level as yours.

> I am currently allowing all otherwise reasonable tcp connections
> with my nameserver (by IP) as the destination in and out at port 53.
> Is that risky, or is that helping resolvers get my IP quicker?
> Or both? Or neither?

I think that DNS servers should be open to everyone, if some other ISP server wants the address of one of your clients (assuming you're an ISP), and none of their up-stream servers have it cached, their server may come and ask your server directly. DNS requests should usually come in UDP form, and only use TCP if the request or response has too much data to fit in a UDP packet.

MGBY
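An added example, not part of the original message, of the UDP-then-TCP behaviour the reply above describes: a resolver reads the TC (truncated) bit in a UDP reply and, if it is set, repeats the query over TCP with a 2-byte length prefix. The function names are hypothetical, the sample header is constructed, and the 512-byte limit assumes classic DNS with no EDNS0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN 12
#define DNS_UDP_MAX    512  /* assumption: classic limit, no EDNS0 negotiated */

enum dns_action { DNS_USE_ANSWER, DNS_RETRY_OVER_TCP, DNS_DROP };

/* Decide what to do with a UDP reply to the query we sent with `query_id`. */
enum dns_action dns_classify_udp_reply(const uint8_t *msg, size_t len, uint16_t query_id) {
    if (msg == NULL || len < DNS_HEADER_LEN || len > DNS_UDP_MAX)
        return DNS_DROP;
    uint16_t id = (uint16_t)((msg[0] << 8) | msg[1]);
    int is_response = (msg[2] & 0x80) != 0;   /* QR bit */
    int truncated   = (msg[2] & 0x02) != 0;   /* TC bit */
    if (!is_response || id != query_id)
        return DNS_DROP;                      /* not an answer to our query */
    return truncated ? DNS_RETRY_OVER_TCP : DNS_USE_ANSWER;
}

/* DNS over TCP prefixes each message with its length as a 2-byte big-endian
 * integer. Returns the framed size, or 0 if the input or buffer is unusable. */
size_t dns_frame_for_tcp(const uint8_t *query, size_t len, uint8_t *out, size_t out_cap) {
    if (query == NULL || out == NULL || len < DNS_HEADER_LEN ||
        len > 0xFFFF || out_cap < len + 2)
        return 0;
    out[0] = (uint8_t)(len >> 8);
    out[1] = (uint8_t)(len & 0xFF);
    memcpy(out + 2, query, len);
    return len + 2;
}

int main(void) {
    /* Constructed header: ID 0xBEEF, flags 0x8380 (QR=1, TC=1, RD=1, RA=1). */
    const uint8_t reply[DNS_HEADER_LEN] = { 0xBE, 0xEF, 0x83, 0x80 };
    const uint8_t query[DNS_HEADER_LEN] = { 0xBE, 0xEF, 0x01, 0x00 };
    uint8_t framed[DNS_HEADER_LEN + 2];

    if (dns_classify_udp_reply(reply, sizeof reply, 0xBEEF) == DNS_RETRY_OVER_TCP) {
        size_t n = dns_frame_for_tcp(query, sizeof query, framed, sizeof framed);
        printf("truncated reply: resend %zu bytes over TCP port 53\n", n);
    }
    return 0;
}
```

A packet filter that drops TCP port 53 breaks exactly this retry path, so oversized answers fail while small ones keep working.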