Re: on potato's proftpd

2002-04-06 Thread Petro

On Sat, Apr 06, 2002 at 08:48:59AM +, Martin WHEELER wrote:
 On Fri, 5 Apr 2002, Petro wrote:
 
  You *like* upgrading 100 servers every few days?
 
 You'll have to ask the scripts that do that stuff for me  :)

So you don't mind verifying ever couple days that none of your
quantity one software is going to break because a security fix
changed something? 



-- 
Share and Enjoy. 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: on potato's proftpd

2002-04-05 Thread Petro
On Thu, Apr 04, 2002 at 06:24:18PM +, Martin WHEELER wrote:
 On Wed, Apr 03, 2002 at 09:22:34AM +, Martin WHEELER wrote:
  Release early; release often.
 
 On Wed, 3 Apr 2002, Petro wrote:
 
  <b><em><font size=7><blink>NO</blink></font></em></b>
 
  Measure twice, cut once.
 
 Fine.  You wear the same size suit from birth to death; me, I'll adjust
 according to circumstances.

You *like* upgrading 100 servers every few days? 

-- 
Share and Enjoy. 





Re: on potato's proftpd

2002-04-03 Thread Petro

On Wed, Apr 03, 2002 at 10:56:32AM +0900, Howland, Curtis wrote:
 I would bet that the vast majority of flame wars begin because someone
 mistakes terse or concise for hostility.
 
 The reverse, being the endless spewing of meaningless words, all the while
 saying nothing at all or even the opposite of what it sounds like, is the art
 of politicians and diplomats.
 
 I'll take a flame war any day, when compared to the alternative.

aol

-- 
Share and Enjoy. 






Re: on potato's proftpd

2002-04-03 Thread Petro

On Wed, Apr 03, 2002 at 09:22:34AM +, Martin WHEELER wrote:
 Release early; release often.

<b><em><font size=7><blink>NO</blink></font></em></b>

Measure twice, cut once. 

-- 
Share and Enjoy. 






Re: Re: iptables filtering rules

2002-03-27 Thread Petro

On Mon, Mar 25, 2002 at 06:01:45AM -0300, Luiz Carlos Santos de Alencar wrote:
 Andrew Tait wrote:
 I've checked up one of that IPs; it's being used right now by a web
 server pretty much infected with I-Worm.Nimda.A! AVG identification.
 The standard page delivers a readme.eml file in a pop-up  window;
 less than a minute to have an infected readme.exe being executed.
 I've heard about it, but had never seen it until then.
 From a Linux box it is safe to access http  216.72.135.102  and verify
 that the host is infecting all the Window$ based visitors' machines,
 using X/wav OE vulnerability, so far I know (*Attention* Do not try
 from a Win box; it's vulnerable).
 By the way, what to do about it...

The polite thing to do is to inform the owner of the machine. 

If that is not possible, or you feel particularly bastardly, hack
the freaken thing and wipe its drives.

And/or contact their upstream provider to get their IP feed pulled. 

-- 
Share and Enjoy. 






Re: failed ssh breakins on my exposed www box ..

2002-03-25 Thread Petro

On Mon, Mar 25, 2002 at 04:50:17PM -0500, Gary MacDougall wrote:
 Agreed.
 I'll never understand why people will let crackers reap havoc
 on a network without issue, but if someone comes up and tries
 to break into my house, the police will be there in 2 seconds.

Hate to break it to you, but in normal circumstances, the cops
aren't even going to want to show up for a normal burglary (well,
if the person is *in the act* they may head that way). For a BE
where the young socialists are no longer on-scene, you have to fight
with them (the police) to get them to come out at all. 

Went through this twice in Chicago. 

Oh, and be there in 2 seconds. 

Call for a pizza, call the cops. You'll be well fed when the cops
show up. 

-- 
Share and Enjoy. 






Re: failed ssh breakins on my exposed www box ..

2002-03-24 Thread Petro

On Sun, Mar 24, 2002 at 12:28:17PM -0500, timothy bauscher wrote:
  We seriously need a US branch of the law-enforcement to deal
  with this sort of stuff.
 I respect your opinion, but i would hate to
 have a new branch of government wasting my
 tax dollars. If these types of attacks can
 be stopped on the software side, then that would
 be much more effective than government intervention.

How far are you willing to take that attitude? 

 If they cannot be stopped, then we simply report
 the abuse to an already existing branch of
 government. That probably won't help capture the
 criminal, but neither would a *new* branch of
 government.

100% agreement. 

  I think if more people got prosecuted for
  trying to crack into a site, the level of BS would drop to zero.
 
 That reminds me of a threat from the DOJ to
 prosecute a cracker as a criminal with a
 possibility of life in prison. When i heard that
 statement, it sent chills down my back.

It depends on the systems they hack. If you've got someone trying to
hack e.g. an Air Traffic Control system, and they know it, then they
do belong behind bars for life. They deserve it--they have, by their
deliberate actions, shown either (a) a callous disregard for the
lives and safety of others or (b) an utter inability to see
potential problems of their actions. Either way, they should be put
some place where they cannot harm innocent people. 

 I think this way of reasoning is flawed. The government
 uses capital punishment as a deterrent for committing
 murder, but that has hardly stopped murders.

There's your mistake. 

Capital punishment is not meant as a deterrent, we know that doesn't
work. It's a punishment for a heinous crime, and a 100% assurance
that the individual so punished never does it again (modulo
reincarnation). 

I'm not going to take one side or the other on Capital Punishment
other than to say: 

(1) There is almost nothing a hacker can do with a computer to
deserve capital punishment that isn't covered under other laws, 

and
(2) Recidivism amongst those receiving the death penalty is about
0%. 

-- 
Share and Enjoy. 






Re: failed ssh breakins on my exposed www box ..

2002-03-24 Thread Petro

On Sun, Mar 24, 2002 at 07:24:18PM +0100, andreas mayer wrote:
  We seriouslly need a US branch of the law-enforcement to deal
  with this sort of stuff. I think if more people got prosecuted for
  trying to crack into a site, the level of BS would drop to zero.
 Yeah!  And what if the attacker is from another country?
 You cannot just bomb 'em for terrorist action, can you?

Well, can, and should are different things. 

Yes, you can, and IMO if you can limit the destruction to the
fsckwit that tried to hack your system, you should. Collateral
damage is not acceptable in these cases. 

Of course, it's not bombing them for terrorism, it's simply doing
your best to clean out the gene pool. 

 I think the net is freedom, and that is good...

Then you aren't paying attention. 

 ...you are responsible for your own security!

This is, and always has been true, both IRL and on the net. 

-- 
Share and Enjoy. 






Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow

2002-03-13 Thread Petro

On Wed, Mar 13, 2002 at 10:36:15AM +, David Hart wrote:
 On Wed, Mar 13, 2002 at 01:47:57AM +, David Hart wrote:
 Duh, sorry.  As someone else has kindly pointed out,
 'potato/woody'/'stable/testing' should be transposed :)  (I really
 shouldn't post at 1:45 in the morning)

Why? Haven't had your 10th cup of coffee yet? 

-- 
Share and Enjoy. 






Re: Problems with tripwire:

2002-03-13 Thread Petro

On Wed, Mar 13, 2002 at 04:31:01PM +0100, Michel Verdier wrote:
 Petro [EMAIL PROTECTED] wrote:
 
 |  The last match is used, try to switch these ones
 | 
 |  I did, that is the second. I'll try it again. 
 
 In fact you have 3 /var statements, the order should refine matching like
 this :
 
 /var
 /var/log
 /var/log/ksymoops

/var@@AW
/var/log@@LOGSEARCH
!/var/log/ksymoops/

It's now like this and it's still doing the same thing. 
-- 
Share and Enjoy. 






Re: Problems with tripwire:

2002-03-12 Thread Petro

On Tue, Mar 12, 2002 at 08:59:08AM +0100, Martin Peikert wrote:
 Petro wrote:
 
 Is there a file-security scanner like tripwire (or like AIDE) that
 works across a network? I'm envisioning something that does local
 file scanning, then transmits the resulting table to a remote (more
 secure) host where the verification is done. 
 
 Try samhain or freeveracity:
 
 http://samhain.sourceforge.net/surround.html?main_q.html2

This seems to be exactly what I'm looking for. 

These guys are paranoid. That is good. That stealth option
looks...interesting. 

 http://www.freeveracity.org/
 
 GTi
 -- 
 For encrypted messages please use my public key, key-ID:  0xA9E35B01
 The fingerprint is A684 87F3 C7AA 9728 3C1B 85BF 0500 B2C7 A9E3 5B01
 
 

-- 
Share and Enjoy. 






Re: Problems with tripwire:

2002-03-12 Thread Petro

On Tue, Mar 12, 2002 at 08:57:40PM +0100, Michel Verdier wrote:
 Petro [EMAIL PROTECTED] wrote:
 
 | !/var/log/ksymoops/ 
 | /var/log@@LOGSEARCH
 | 
 | Now, according to my understanding, the ! in front of /var/log/ksymoops/
 | should be telling tripwire to ignore things under there, right? 
 | 
 | Obviously, it's not. 
 The last match is used, try to switch these ones

 I did, that is the second. I'll try it again. 

-- 
Share and Enjoy. 






Problems with tripwire:

2002-03-11 Thread Petro

I have tripwire installed on one of my servers (Debian Stable), and I've
managed to get the configuration pretty quiet, but I'm having a little
problem with one or two of them. 

The particular section of tw.config looks like: 
/var@@AW
!/var/log/ksymoops/ 
/var/log@@LOGSEARCH
/var/lib@@LOGSEARCH
/var/backups@@LOGSEARCH
!/var/spool
!/var/run
!/var/cache
!/var/lock 
!/var/state/ 

where @@AW is:
@@define AW +pinugsm17-ac2345689 

The problem is that I still get: 

Changed files/directories include:
added:   -r--r--r-- root32630 Mar 10 06:25:03 2002 
/var/log/ksymoops/20020310062503.ksyms
added:   -r--r--r-- root   78 Mar 10 06:25:03 2002 
/var/log/ksymoops/20020310062503.modules
added:   -r--r--r-- root32630 Mar 11 06:25:02 2002 
/var/log/ksymoops/20020311062502.ksyms
added:   -r--r--r-- root   78 Mar 11 06:25:02 2002 
/var/log/ksymoops/20020311062502.modules
deleted: -r--r--r-- root32630 Mar  8 06:25:01 2002 
/var/log/ksymoops/20020308062501.ksyms
deleted: -r--r--r-- root   78 Mar  8 06:25:01 2002 
/var/log/ksymoops/20020308062501.modules
deleted: -r--r--r-- root32630 Mar  5 06:25:02 2002 
/var/log/ksymoops/20020305062502.ksyms
deleted: -r--r--r-- root   78 Mar  5 06:25:02 2002 
/var/log/ksymoops/20020305062502.modules
deleted: -r--r--r-- root32630 Mar  7 06:25:02 2002 
/var/log/ksymoops/20020307062502.ksyms
deleted: -r--r--r-- root   78 Mar  7 06:25:02 2002 
/var/log/ksymoops/20020307062502.modules
changed: -rw-r--r-- root   52 Mar 11 06:25:02 2002 /var/state/logrotate/status

Now, according to my understanding, the ! in front of /var/log/ksymoops/
should be telling tripwire to ignore things under there, right? 

Obviously, it's not. 

Additionally:

Is there a file-security scanner like tripwire (or like AIDE) that
works across a network? I'm envisioning something that does local
file scanning, then transmits the resulting table to a remote (more
secure) host where the verification is done. 



-- 
Share and Enjoy. 


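Michel's "last match is used" rule, run against the /var section and the report Petro posted, as an added example (editor's code, not tripwire's own). It assumes an entry covers a file when its path equals the file or is an ancestor directory and that "!" prunes the subtree, and it takes a switch for whether a trailing slash on an entry is stripped before matching, because the thread does not say how tripwire itself compares paths.

```python
# Added editor's example: a model of "the last matching entry wins" applied
# to the tw.config section and report from the thread. Not tripwire's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str     # entry path as written (trailing '/' optionally stripped)
    prune: bool   # True for '!' entries: ignore the whole subtree
    flags: str    # '@@AW', '@@LOGSEARCH', ...; '' for prune entries


def parse_config(text, strip_trailing_slash=True):
    """Parse tw.config lines of the form seen in the thread into Entry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@@define"):
            continue
        prune = line.startswith("!")
        if prune:
            line = line[1:]
        path, _, flags = line.partition("@@")
        path = path.strip()
        if strip_trailing_slash and path != "/":
            path = path.rstrip("/")
        entries.append(Entry(path, prune, "@@" + flags if flags else ""))
    return entries


def covers(entry_path, file_path):
    """Assumed matching rule: exact path, or entry is an ancestor directory."""
    if entry_path == "/" or entry_path == file_path:
        return True
    # An entry kept as '/var/log/ksymoops/' becomes '/var/log/ksymoops//'
    # here and never prefixes a real path; that is what the switch exposes.
    return file_path.startswith(entry_path + "/")


def effective_entry(entries, file_path):
    """The last entry covering file_path wins (Michel's rule); None if none."""
    winner = None
    for entry in entries:
        if covers(entry.path, file_path):
            winner = entry
    return winner


def reported_paths(config_text, file_paths, strip_trailing_slash=True):
    """Paths the model would report: covered, and not by a prune entry."""
    entries = parse_config(config_text, strip_trailing_slash)
    out = []
    for p in file_paths:
        e = effective_entry(entries, p)
        if e is not None and not e.prune:
            out.append(p)
    return out


# The /var section exactly as Petro posted it: '!' line before /var/log.
PETRO_CONFIG = """
/var@@AW
!/var/log/ksymoops/
/var/log@@LOGSEARCH
/var/lib@@LOGSEARCH
/var/backups@@LOGSEARCH
!/var/spool
!/var/run
!/var/cache
!/var/lock
!/var/state/
"""

# The ordering Michel suggested: the most specific entry last.
SWAPPED_CONFIG = PETRO_CONFIG.replace(
    "!/var/log/ksymoops/\n/var/log@@LOGSEARCH\n",
    "/var/log@@LOGSEARCH\n!/var/log/ksymoops/\n",
)

# Paths taken from Petro's tripwire report, plus one constructed control
# path under a pruned directory that his report did not list.
FROM_REPORT = [
    "/var/log/ksymoops/20020310062503.ksyms",
    "/var/log/ksymoops/20020310062503.modules",
    "/var/state/logrotate/status",
]
SAMPLE_PATHS = FROM_REPORT + ["/var/run/sshd.pid"]


def compare_orderings():
    """Report set per ordering, with and without trailing-slash stripping."""
    return {
        (name, strip): reported_paths(cfg, SAMPLE_PATHS, strip)
        for name, cfg in (("petro", PETRO_CONFIG), ("swapped", SWAPPED_CONFIG))
        for strip in (True, False)
    }
```

Only the variant that keeps the trailing slash reproduces every line of Petro's report (the ksymoops files and /var/state/logrotate/status) under both orderings, and those are exactly the two entries he wrote with a trailing slash. That is an observation from the thread's own data, not a documented tripwire behaviour, but it is the first thing to check before reordering further.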




Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

2002-02-28 Thread Petro

On Thu, Feb 28, 2002 at 08:37:45AM -, Jeff wrote:
 I received this CERT Advisory about 6 hours ago, regarding PHP. 
 The php website confirms the details: www.php.net
 I think this is going to be a problem for us, due to the way
 the Debian packaging works - 
 I guess that the immediate solution in this case is for us to
 try to get the unstable Apache 1.3.23 package + an updated
 PHP4 4.2.1 package + MySQL, SSL etc to work.  - aint
 going to be quick to test this and roll it out into production, 
 and in the mean time, we have production servers running
 a PHP4 that has a now widely known security issue. Oh - and 
 yes, we could go out of business and not accept data, but
 methinks my tenure would be somewhat shortened if I propose
 that at our emergency security meeting in an hours time!
 Help?

Grab the php4.05 source package, patch and rebuild the package, then 
distribute.

-- 
Share and Enjoy. 






Security implications of chpasswd.

2002-02-28 Thread Petro

For some very good reasons I had to do a mass change of passwords
on one of our exposed login machines (no breach/hack, different
reason). 

There is a utility included in Debian Stable (and the others) to do
this called chpasswd. 

I believe there may be some security issues with this utility:

1) This utility does DES passwords instead of MD5, even tho' the
rest of the system does/understands MD5. 

2) when doing a mass password change, the first 2 characters are the
same for every password. This could be an information leak
indicating mass-password changes, and displaying *which passwords
are still at the set default*. For a better example of what I mean,
consider this case:

A college campus creates 2k accounts and passwords at once. JR
hacker gains access a week later through his account w/out changing
the password, then somehow gets ahold of the shadow file. In it he
can determine (with some margin of error) which accounts have or
haven't been changed. Since many universities use some stupid
pattern for their passwords, or hand out cards with the account
passwords on them (later found in the trash), he now has a pool of
accounts to attack. 

3) chpasswd provides no facility to use MD5 rather than (I suspect)
DES. DES is unacceptable these days. 

Also, where is the source for this utility, and the passwd utility?
I can't seem to find it in my local mirror. 

-- 
Share and Enjoy. 


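A defender's check for the two issues Petro raises (DES crypt hashes, and one salt, the first two hash characters, shared by every password set in one chpasswd run), as an added example that is not from the thread or from the shadow suite. It assumes the classic 13-character DES crypt and $1$ MD5 crypt formats, and the shadow lines it reads are constructed.

```python
# Added editor's example: audit a shadow file for DES crypt hashes and for a
# salt shared across many accounts, the fingerprint of a batch password change
# that Petro describes. Not part of the thread or of the shadow suite.
import re
import secrets
from collections import defaultdict

# The 64-character alphabet crypt(3) uses for salts and hash output.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Classic DES crypt: 2-character salt followed by 11 hash characters.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5 crypt: $1$<salt, up to 8 chars>$<22 hash characters>.
MD5_HASH = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$[./0-9A-Za-z]{22}$")


def classify(password_field):
    """Return (scheme, salt) for the second field of a shadow line."""
    if password_field == "":
        return ("empty", None)
    if password_field.startswith(("*", "!")):
        return ("locked", None)
    if DES_HASH.match(password_field):
        return ("des", password_field[:2])   # the first two characters ARE the salt
    m = MD5_HASH.match(password_field)
    if m:
        return ("md5", m.group(1))
    return ("other", None)


def audit_shadow(lines, batch_threshold=3):
    """List DES accounts and group them by salt.

    With per-password random salts, 2k accounts spread over 4096 possible
    DES salts average well under one account per salt, so a cluster of
    batch_threshold or more accounts on one salt marks passwords that were
    all set in one run and, as Petro points out, very likely never changed.
    Raise the threshold for large files to avoid chance collisions.
    """
    des_accounts = []
    by_salt = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        scheme, salt = classify(pw)
        if scheme == "des":
            des_accounts.append(user)
            by_salt[salt].append(user)
    batches = {s: users for s, users in by_salt.items() if len(users) >= batch_threshold}
    return {"des_accounts": des_accounts, "shared_salt_batches": batches}


def fresh_des_salt():
    """What each password in a batch should get instead: its own random salt.
    Two characters give only 4096 values, part of why DES crypt is unacceptable;
    MD5 crypt takes up to eight characters of salt."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(2))


# Constructed sample, not a real /etc/shadow: three accounts share salt "ab".
SAMPLE_SHADOW = """\
# constructed for this example
root:$1$Qx7hZ0pa$h8FZjrRhtCcTqbyfSGXF10:11700:0:99999:7:::
alice:abJnggxhB/yWI:11745:0:99999:7:::
bob:ab3kGHbJ9ssz2:11745:0:99999:7:::
carol:abXmE2qxvR0Jg:11745:0:99999:7:::
dave:zQ9wPd.Vf2mA6:11748:0:99999:7:::
daemon:*:11700:0:99999:7:::
"""


if __name__ == "__main__":
    result = audit_shadow(SAMPLE_SHADOW.splitlines())
    print("accounts still on DES crypt:", result["des_accounts"])
    for salt, users in result["shared_salt_batches"].items():
        print(f"salt {salt!r} shared by {len(users)} accounts: {users}")
```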




Re: webhosting

2002-02-25 Thread Petro

On Mon, Feb 25, 2002 at 02:18:29PM -0700, Jerry Lynde wrote:
 True, true...
 But Michael was asking for secure, not non-anal licensing... I don't expect
 he was gonna try and hack BIND or djbdns or anything else... shrug
 I just wouldn't suggest anyone use BIND in the same sense that I wouldn't
 suggest they ride a Harley naked on snow-packed icy roads... something bad's
 bound to happen...

Does it have to be a Harley? 

-- 
Share and Enjoy. 






Re: Un-installing inetd on Woody.

2002-02-14 Thread Petro
On Wed, Feb 13, 2002 at 09:39:02PM -0800, Ted Cabeen wrote:
 You shouldn't use the update-rc.d script to remove init.d scripts.  If you
 do, when you upgrade the package, all of the scripts should be reinstalled.
 Read the man page for update-rc.d for info on how to turn off a service and
 ensure that it won't be re-enabled on upgrade.  A lot of people seem to do
 this, but it will eventually cause problems.  update-rc.d was written for
 scripts to use, not administrators.

Um. 

Then what should one use (other than manual intervention) to manage
init.d symlinks?

-- 
Share and Enjoy. 



Re: securid logins

2002-01-21 Thread Petro

On Mon, Jan 21, 2002 at 06:16:34AM -0800, martin f krafft wrote:
 assuming i have SecurID tokens with licenses, can i make linux
 authenticate based on these *without* the use of external or commercial
 software (like ACE/Server)? any experience anyone?

I don't think so. 

But I'd be interested in the responses as well.

-- 
Share and Enjoy. 






Re: Secure 2.4.x kernel

2001-12-28 Thread Petro
On Fri, Dec 28, 2001 at 11:18:35AM +0300, Nyarlathotep wrote:
 On Fri, 2001-12-28 at 03:22, Howland, Curtis wrote:
  Naa, it's simian posturing. It happens with humans everywhere. I 
  enjoyed watching it in Good Will Hunting, and two days ago rented 
  Finding Forrester (same movie, different actors), and sure enough 
  lots of simian posturing. You dare to challenge me in MY classroom? etc.
 Oh yes. The alpha chimp syndrome. Second-circuit through and through. 

No, more of locking horns. 

  I can suggest the writings of Jeff Cooper for a better exploration of the 
  kinds of attitudes and processes that are now missing, and R.A.Heinlein for 
  lots of fictional explorations of the issue. 
 May I humbly say anything by Tim Leary or Robert Anton Wilson you can
 lay your hands on? 

Also the book The War Against Boys, Christina Hoff Sommers, ISBN
0-684-84956-9.

Relevance to security? 

Well, a lot of the script kiddies, having been denied traditional
means of locking horns turn to other means. 

-- 
Share and Enjoy. 



cdimages.debian.org

2001-12-20 Thread Petro

Is this host offline for good? 

Shouldn't there be an obvious mirror of this somewhere? 

-- 
Share and Enjoy. 






Re: cdimages.debian.org

2001-12-20 Thread Petro

On Thu, Dec 20, 2001 at 04:54:01PM -0800, Brian Bilbrey wrote:
 On Thu, Dec 20, 2001 at 12:42:17PM -0800, Petro wrote:
  Is this host offline for good? 
 h. Try cdimage.debian.org (there's no 's' in the url as you put it
 in the subject: line). However, right now, I'm timing out on the correct
 host.
 A traceroute to the host appears to reveal a router problem someplace in
 XO's network, in the UK:
 fe0-llb-x-many.RL2-HE.access.rtr.uk.xo.net (195.224.254.198)
 I'd counsel patience. I'd also wonder why you posted this to
 debian-security? But neither here nor there.

Well, it's the only debian list I read--which is a bad reason, and 
I wanted the CDs to build a replacement for our current secure entry
point into our network--which is a bad reason, but mostly because
the people here are the ones I know who know most about debian and
associated web sites. 

-- 
Share and Enjoy. 






Re: cdimages.debian.org

2001-12-20 Thread Petro
On Thu, Dec 20, 2001 at 12:42:17PM -0800, Petro wrote:
 Is this host offline for good? 
 Shouldn't there be an obvious mirror of this somewhere? 

I got my answer to the obvious mirror part, and found the
information (if not the file) that I was looking for.

thanks for all the responses.

And yes, I acknowledge that I should have asked elsewhere.

-- 
Share and Enjoy. 



Re: Spam?!?

2001-12-17 Thread Petro

On Mon, Dec 17, 2001 at 11:48:13PM +0900, Yooseong Yang wrote:
 can you speak korean? if so give them a call or a nasty email for us.
 I am be shameful of this kinda spam stuffs as a korean. 
 I send an email to hanmail mail administrator about this kinda
 problem. If I got some mails from whom is concerned, I'll get posted of it. 

Don't be ashamed, there are plenty of people in every country with
internet access who are spammers.

-- 
Share and Enjoy. 






Re: Exim mail

2001-12-14 Thread Petro

On Fri, Dec 14, 2001 at 06:22:03PM -0600, Daniel Rychlik wrote:
 How do I stop this from happening?  Apparently my bud telnetted to port 25
 and somehow sent mail from my root account.  Any suggestions, white papers
 or links?  I'd like to block the telnet application altogether, but I
 don't think that's possible.

It's not possible to block telnet access to port 25, unless you just
want to stop getting mail altogether. 

 Thanks in advance,
 Daniel
 
 im a newbie so please send flame mail to [EMAIL PROTECTED]null   thanks.
 
 Heres what he sent to me...
 
 - Original Message -
 From: [EMAIL PROTECTED]
 Sent: Thursday, December 13, 2001 10:03 PM
 
 
  hehe this wasnt so hard either, i guess that makes me a pimp? lmfao,
 anyway learn to call a brotha damnit! and dont act like you dont know who
 dis be! foo! hehehe later..
 
 

-- 
Share and Enjoy. 






Re: Deducing key from encrypted original data

2001-12-11 Thread Petro

On Tue, Dec 11, 2001 at 01:33:41AM +, Andrew Bolt wrote:
 ...unless you are from Hollywood - in which case a good encryption
 scheme is one that can be cracked by having lots of digits flash
 up on the screen, and gradually have individual digits lock into
 the correct key.

Some weird variant of a working quantum computer. 

-- 
Share and Enjoy. 






Re: Can a daemon listen only on some interfaces?

2001-12-08 Thread Petro

On Sat, Dec 08, 2001 at 01:40:06AM -0800, [EMAIL PROTECTED] wrote:
 After reading a previous thread about stopping services from listening
 on certains ports, I decided to investigate things a little further for
 my system.
 So, what I can figure out is that it seems that I have only the
 following daemons listening: postfix, sshd, cupsd, XF86_SVGA, portmap.
 I have only deliberately decided to run postfix, sshd and cupsd.
 Everything in /etc/inetd.conf is hashed out.  In fact I renamed the file
 so that it is not accessed at all.

Better just not to start inetd at all. man inetd and update-rc.d 

 The only ones I didn't know about in this list are portmap and
 XF86_SVGA.  Firstly, I can't seem to find the config file for X where
 you set the --nolisten parameter - but I have not unset this at any
 stage and I thought Debian did this by default.  Secondly, I guess
 everyone needs portmap it seems, so I can't turn this off or some things
 won't work.  Someone please educate me here.

Can't help with the X thing, IMO nothing running X should be talking
directly to an untrusted network (clarification, X runs on
workstations, workstations should not be run directly on untrusted
networks as they have *users* on them, and users do stupid things,
even sysadmins do stupid things as users sometimes). 

But, as far as portmap, well, man portmap to start, but if you're
not using NIS, NFS and the like (anything that would need portmap)
then disable it. (hint: /etc/init.d/portmap, man update-rc.d).  

 
 So my question is:
 Is there some way to make certain daemons, (say postfix) listen only on
 some interfaces?  For example, I have everything firewalled from

This is per-daemon. Some can (named, apache, IIRC postfix) some
cannot (I assume, but I don't know any off the top of my head). 

 outside, so I really only need postfix to listen on the loopback
 interface for local connections.  Is this possible?

If postfix isn't dealing with incoming mail (i.e. from another
machine) then it doesn't need to run as a daemon at all. At least
sendmail didn't, and I assume postfix could mimic this behavior.
Just run it out of cron for delivery. 

-- 
Share and Enjoy. 



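As an added example (not from the thread), here is a shell audit of `netstat -tlnp` output that separates loopback-only listeners from network-facing ones and flags those not on an allow list, which is the question the poster was working through by hand. The sample output, PIDs and the X and portmap ports are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Audit which listening TCP sockets
# are reachable from other hosts, from the output of `netstat -tlnp`
# (or `ss -ltnp` reshaped to the same columns). Anything bound to a
# loopback address is local-only; everything else faces the network.

# Constructed sample of `netstat -tlnp` output matching the daemons the
# poster listed; the PIDs and the X/portmap ports are illustrative.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      412/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      401/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      398/cupsd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      455/XF86_SVGA
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      377/portmap
tcp6       0      0 ::1:631                 :::*                    LISTEN      398/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      401/sshd'

# Read netstat lines on stdin; print "proto addr:port pid/program" for
# every listener not bound to a loopback address.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, parts, ":")
        port = parts[n]
        # strip ":port" from the end so IPv6 addresses keep their colons
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "::1" || addr == "::ffff:127.0.0.1")
            next
        prog = ($7 != "") ? $7 : "-"
        print $1, addr ":" port, prog
    }'
}

# Filter exposed_listeners down to programs not in the allow list
# ($1, space-separated names), i.e. the ones worth explaining or closing.
unexpected_listeners() {
    exposed_listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { prog = $3; sub(/^[0-9]*\//, "", prog); if (!(prog in ok)) print }'
}

if [ "${1:-}" = "--demo" ]; then
    echo "# network-facing listeners:"
    printf '%s\n' "$SAMPLE" | exposed_listeners
    echo "# not on the allow list (only sshd expected):"
    printf '%s\n' "$SAMPLE" | unexpected_listeners "sshd"
    # For the postfix case in the thread, binding only to loopback is a
    # one-line main.cf change:  inet_interfaces = 127.0.0.1  (then reload)
fi
```

On a live host, `netstat -tlnp | unexpected_listeners "sshd master"` gives the same report for real sockets.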



Re: shutdown user and accountability

2001-11-29 Thread Petro

On Thu, Nov 29, 2001 at 05:59:40PM +, Niall Walsh wrote:
 Carel Fellinger wrote:
 On Thu, Nov 29, 2001 at 10:37:24AM +, Niall Walsh wrote:
 I can't resist it!
 me too:)
 Add a usb digital camera to the box and only allow people who are not 
 I've thought of this too, but rejected it because it's so easy to
 circumvent, just place your hand in front of the camera.
 Not if they don't know where it is or even that it exists :-)   I'd be 
 sneaking it into the case perhaps so it looks out a drive bay or else 
 building it into something.   Also you could use a capture card hooked 
 up to a pin hole camera and for completeness (but system performance 
 thrashing) use motion detection to make sure you get them before they 
 get the hand in place!

Have the camera take 1 shot every second (or .5 seconds) and save
them in a round-robin naming fashion e.g.:

shot1.jpg, shot2.jpg, shot3.jpg...shot10.jpg, shot1.jpg, and then
have an init-script move the directory they are in to something like
pic.old/.

That way you have the last 5-10 seconds of the machine's life. 

Yeah, this is getting seriously Rube Goldberg. 

 Seriously crazy, but what else can you do if you really want to supply 
 anyone with the ability to shut it down AND know who did it!   Maybe put 
 the password with the security guard so he can record who took the 
 passwd to reset it (obviously you need to reset the password then etc.)

-- 
Share and Enjoy. 






Re: shutdown user and accountability

2001-11-28 Thread Petro

On Wed, Nov 28, 2001 at 10:58:47AM +0900, Olaf Meeuwissen wrote:
 Blake Barnett [EMAIL PROTECTED] writes:
 
  Can't you give a group sudo access?  If so, just add everyone to a group
  and give that group sudo /sbin/halt or sudo /sbin/shutdown or both.
 
 That's exactly what my sudo setup does right now.  The problem is that
 apparently *everyone* needs to be able to shut down the machine (for
 reasons that are beyond me).  Added accounts on an as needed basis is
 fine with me, but I don't fancy creating, oh, 250+ password protected
 accounts just to meet policy.

Put a small APC on the machine that talks to the serial port. Run
the APC shutdown daemon, then to shut the machine down, pull the
plug from the wall--or have it hooked to a power strip and trip the
switch on the power strip.

APC loses power, triggers daemon, daemon shuts machine down. 

Note: this also works if there is a power-outage during a time when
no one is in the office.

This doesn't give accountability, but you put a big axe near the
machine... 


-- 
Share and Enjoy. 






Re: is 3des secure??

2001-11-27 Thread Petro

On Tue, Nov 27, 2001 at 12:44:23PM +0100, Janusz A. Urbanowicz wrote:
 Petro wrote/napisał(a)/schrieb:
  On Mon, Nov 26, 2001 at 12:17:32PM +1100, Steve Smith wrote:
   3DES is generally considered strong enough.  However, it is slow, and
   can effect performance.  Try doing large 'scp's and switch between
  DES/3DES was designed to be implemented in hardware, doing a
  software-only implementation is going to be slow. 
 Current DES implementations aren't so slow, they reach millions of
 encryptions per second on current hardware.

It's relative. Encrypt x amount of data with 3des, do the same with
blowfish or one of the other AES candidates, using a comparable
keylength. Which is faster? 

-- 
Share and Enjoy. 






Re: is 3des secure??

2001-11-26 Thread Petro

On Mon, Nov 26, 2001 at 12:17:32PM +1100, Steve Smith wrote:
 3DES is generally considered strong enough.  However, it is slow, and
 can effect performance.  Try doing large 'scp's and switch between

DES/3DES was designed to be implemented in hardware, doing a
software-only implementation is going to be slow. 

 3DES and blowfish.
 Personally I prefer blowfish, as it has performance, is
 'secure-enough' to my (less-than-expert) eye, and frankly I doubt
 anybody capable of defeating it is interested in what I have to say.

Yup. 

-- 
Share and Enjoy. 






Re: is 3des secure??

2001-11-25 Thread Petro

On Mon, Nov 26, 2001 at 09:04:59AM +0900, Howland, Curtis wrote:
 
 While this may be whipping a greasy stain on the road, it is true that
 3DES was created by the government back when private cryptology was
 difficult or unknown. I believe it is prudent to consider that it was
 allowed to be used because of practical cracking available to the crypto
 experts.
 
It wasn't allowed to be used, the government promulgated DES as a
standard for banks and other high security industries because it was
the best they could find at the time to do the job. 

It has withstood a great deal of cryptanalysis over the last couple
decades, and has held up fairly well. Its only real weakness has
been its key-length. 

While there may be some people in the government who would be happy
to promulgate a broken standard to make their data-collection
easier, wiser heads realize that if it's broken for "our side" (note
quotes) it's broken for the other side as well.

3DES effectively triples the key-length for DES, and for SSH
sessions, it's quite good enough. 
 
 I'm not referring to a back-door, just a known method such as a hardware
 based method for cracking in near-real time.

3DES is more than strong enough for *today*, it's just that in the
near future it won't be. 

 However, 3DES is likely strong enough for normal people. If you're
 trying to keep things from them, they are already reading your screen
 and keyboard strokes directly by their radio emissions from across the
 street.

No, they've tapped your machine, and there's a miniature camera
looking over your shoulder from the air-vent in the room. 

-- 
Share and Enjoy. 






Re: Mail-server config

2001-11-21 Thread Petro

On Wed, Nov 21, 2001 at 04:34:46PM +0100, Johannes Weiss wrote:
 Hi @all,
 I plan to install a mailserver for ca. 800 users, now I planned to make 800 
 users with shell /bin/bash, home /dev/nul,...
 So, I ask you ;)), if this is a good solution, to make 800 UNIX-users for a 
 mailserver and if not what's the best solution (security reason)

Most modern MTAs have support for some sort of non-system based user
database (LDAP etc.). I know postfix has support for virtual maps
and such, see www.postfix.org 
http://kummefryser.dk/HOWTO/mail/postfix_mysql.html. 

You would then need to find an imap/pop server that could use the
same thing. 

This would be much easier to maintain securely.

-- 
Share and Enjoy. 






Re: In Praise of Dos (RE: Mutt tmp files)

2001-11-21 Thread Petro
On Tue, Nov 20, 2001 at 08:25:36PM -0800, Nathan E Norman wrote:
 On Tue, Nov 20, 2001 at 12:01:32PM -0800, J C Lawrence wrote:
  On Mon, 19 Nov 2001 21:57:05 -0600 
  Nathan E Norman Nathan wrote:
   On Mon, Nov 19, 2001 at 03:26:50PM -0800, Petro wrote:
    But this is hugely off topic, and I'll go no further down this
   road.
   Could you at least honor my Mail-Followup-To: header?
  Mail-Followup-To is a non-standard, un-RFC documented, generally
  unsupported header.  
 The guy is using mutt.  mutt supports M-F-T.  You figure it out.
 M-F-T is generally used on debian mailing lists.

Sometimes I see it (now that I'm looking for it) sometimes I don't. 

This post didn't have it. Others do. 

Some posts come through (for another debian list) matching 
^X-Mailing-List:.*debian-user@.*, others don't. 

I don't know if exchange is randomly changing the headers (it
wouldn't surprise me) or if sometimes the original poster puts them
in and sometimes not. 


-- 
Share and Enjoy. 



Re: Mutt tmp files -- Root is not my Enemy

2001-11-20 Thread Petro

On Tue, Nov 20, 2001 at 02:47:56PM +0100, Florian Bantner wrote:
 On Die, 20 Nov 2001, Rolf Kutz wrote:
  Florian Bantner ([EMAIL PROTECTED]) wrote:
   A fact about which I'm concerned
   even more than about a hack from outside via the internet etc. is
   real physical access to the box. Something hackers normally don't pay
   enough attention to is that somebody just steps - let's say 6 o'clock
   in the morning - into your room, shows you his police card - or whatever
   governmental id card - and tells you that your computer is now his.
  Use TMPFS. Encrypt your disk or do everything in
  RAM (maybe set up a diskless system booting from
  cd. See the bootcd-package). They might still be
  bugging your hardware.
 I don't know tmpfs. What I'm currently thinking about is:
 * Create for every user a directory under his home.
 * Use some kind of ram-disk device.
 * Perhaps (just to be sure) encrypt it. Perhaps that's where I need
   some kind of encrypting filesystem (do I?). I'm not experienced in
   fs encryption. How do I mount such devices. Which encryption is
   used? When to enter passphrase?

Several years ago Matt Blaze published a bit of code that mounted
encrypted files via the loop interface as home directories. It was
fairly resource intensive, and hence not really scalable. It is
good for protecting against casual browsing, but while you're logged
in to the machine (and hence have your home dir mounted) then it's
just like a normal home directory. 

Found it
http://www.ibiblio.org/pub/Linux/docs/faqs/security/Cryptographic-File-System

Seems I misremembered bits of it. 

 

-- 
Share and Enjoy. 






Re: Mutt tmp files -- Root is not my Enemy

2001-11-20 Thread Petro

On Tue, Nov 20, 2001 at 03:34:54PM +0100, Rolf Kutz wrote:
 Alexander Clouter ([EMAIL PROTECTED]) wrote:
 
  I am the root guy of my own laptop and I can trust myself :)  However a lot
  of countries (uk/us and probably others, lots in the eu I would imagine) have
  encryption laws, not preventing it but permiting them to throw you in jail
  unless you hand over your encryption codes.  If you don't you get a nice big
 What if someone gets an email encrypted with a
 bogus key claiming to, but not belonging to the
 recipient? What if I lost the key? Silly law.

Many these days are. 

Not to get all Religious (cause I'm not), but that Moses guy pretty
much summed everything up in those 10 laws (well 9 of 'em are ok,
there's one that's a little off), and ever since politicians have been
trying to prove their worth by making things worse. 



-- 
Share and Enjoy. 






Re: WAY OT (Re: In Praise of Dos (RE: Mutt tmp files))

2001-11-20 Thread Petro

On Tue, Nov 20, 2001 at 01:00:58PM -0800, Vineet Kumar wrote:
 * J C Lawrence ([EMAIL PROTECTED]) [011120 12:04]:
  On Mon, 19 Nov 2001 21:57:05 -0600 
  Nathan E Norman Nathan wrote:
   On Mon, Nov 19, 2001 at 03:26:50PM -0800, Petro wrote:
    But this is hugely off topic, and I'll go no further down this
   road.
   Could you at least honor my Mail-Followup-To: header?
  Mail-Followup-To is a non-standard, un-RFC documented, generally
  unsupported header.  
 So are please and thank you, but it's generally considered polite.

To carry your analogy forward into the absurd, to be useful please
and thank you have to be heard and recognized as such. 

If you use a header that is not universally supported, or even
supported by a fairly popular mail client (Mutt in this case) or
frequently used (if not popular) MTA (Exchange in this case), then
you can't really complain if it gets ignored. 

As I said earlier, Mutt never saw it. 

-- 
Share and Enjoy. 






Re: In Praise of Dos (RE: Mutt tmp files)

2001-11-20 Thread Petro

On Tue, Nov 20, 2001 at 08:25:36PM -0800, Nathan E Norman wrote:
 On Tue, Nov 20, 2001 at 12:01:32PM -0800, J C Lawrence wrote:
  On Mon, 19 Nov 2001 21:57:05 -0600 
  Nathan E Norman Nathan wrote:
   On Mon, Nov 19, 2001 at 03:26:50PM -0800, Petro wrote:
   But his is hugely off topic, and I'll go no futher down this
   road.
   Could you at least honor my Mail-Followup-To: header?
  Mail-Followup-To is a non-standard, un-RFC documented, generally
  unsupported header.  
 The guy is using mutt.  mutt supports M-F-T.  You figure it out.
 M-F-T is generally used on debian mailing lists.

Sometimes I see it (now that I'm looking for it) sometimes I don't. 

This post didn't have it. Others do. 

Some posts come through (for another debian list) matching 
^X-Mailing-List:.*debian-user@.*, others don't. 

I don't know if exchange is randomly changing the headers (it
wouldn't surprise me) or if sometimes the original poster puts them
in and sometimes not. 


-- 
Share and Enjoy. 




Re: In Praise of Dos (RE: Mutt tmp files)

2001-11-20 Thread Petro
On Mon, Nov 19, 2001 at 07:57:05PM -0800, Nathan E Norman wrote:
 On Mon, Nov 19, 2001 at 03:26:50PM -0800, Petro wrote:
  But this is hugely off topic, and I'll go no further down this road.
 
 Could you at least honor my Mail-Followup-To: header?

I would have if I saw it. 

Mutt didn't notice it, and I don't see it in my backups. There is a
possibility that $exchange elided it.

Either way, if you'd stuck it in there, I apologize for not being
able to follow it, since it didn't make it here. 

-- 
Share and Enjoy. 



Re: Mutt tmp files -- Root is not my Enemy

2001-11-20 Thread Petro
On Tue, Nov 20, 2001 at 12:13:05PM +0100, Rolf Kutz wrote:
 Florian Bantner ([EMAIL PROTECTED]) wrote:
 
  A fact about which I'm concerned
  even more than about a hack from outside via the internet etc. is
  real physical access to the box. Something hackers normally don't pay
  enough attention to is that somebody just steps - let's say 6 o'clock
  in the morning - into your room, shows you his police card - or whatever
  governmental id card - and tells you that your computer is now his.
 
 Use TMPFS. Encrypt your disk or do everything in
 RAM (maybe set up a diskless system booting from
 cd. See the bootcd-package). They might still be
 bugging your hardware.

If this kind of attack is in your threat model, you need to
seriously re-evaluate what you are doing. 

Not saying that you should stop doing it, but there really isn't
much you can do to stop it. 

Quite frankly local encryption isn't going to help much against
government agencies--even local police. The quickest way to break
encryption is to use a rubber hose, and while they may apologize
afterwards--if local law requires it, they still have access to your
files and you are in pain. 

This starts to get into magnesium strips taped to the HD and other
such destructive foolishness--that, depending on what you're trying
to hide and from whom, may be necessary, but is still *really* ugly. 

  You have to experience that for yourself to believe how easily this
  could happen. Just be in the wrong place at the wrong time. 
  It happened to me once, just because I lived at that time in a
  flat-sharing community. I didn't see my computers for about a year
  and then all hard disks had been removed and were broken. 
 Did they replace the damage?



-- 
Share and Enjoy. 



Re: Mutt tmp files -- Root is not my Enemy

2001-11-20 Thread Petro
On Tue, Nov 20, 2001 at 02:47:56PM +0100, Florian Bantner wrote:
 On Die, 20 Nov 2001, Rolf Kutz wrote:
  Florian Bantner ([EMAIL PROTECTED]) wrote:
   A fact about which I'm concerned
   even more than about a hack from outside via the internet etc. is
   real physical access to the box. Something hackers normally don't pay
   enough attention to is that somebody just steps - let's say 6 o'clock
   in the morning - into your room, shows you his police card - or whatever
   governmental id card - and tells you that your computer is now his.
  Use TMPFS. Encrypt your disk or do everything in
  RAM (maybe set up a diskless system booting from
  cd. See the bootcd-package). They might still be
  bugging your hardware.
 I don't know tmpfs. What I'm currently thinking about is:
 * Create for every user a directory under his home.
 * Use some kind of ram-disk device.
 * Perhaps (just to be sure) encrypt it. Perhaps that's where I need
   some kind of encrypting filesystem (do I?). I'm not experienced in
   fs encryption. How do I mount such devices? Which encryption is
   used? When to enter the passphrase?

Several years ago Matt Blaze published a bit of code that mounted
encrypted files via the loop interface as home directories. It was
fairly resource intensive, and hence not really scalable. It is
good for protecting against casual browsing, but while you're logged
in to the machine (and hence have your home dir mounted) it's
just like a normal home directory. 

Found it:

http://www.ibiblio.org/pub/Linux/docs/faqs/security/Cryptographic-File-System

Seems I misremember bits of it. 

 

-- 
Share and Enjoy. 



Re: Mutt tmp files -- Root is not my Enemy

2001-11-20 Thread Petro
On Tue, Nov 20, 2001 at 03:34:54PM +0100, Rolf Kutz wrote:
 Alexander Clouter ([EMAIL PROTECTED]) wrote:
 
  I am the root guy of my own laptop and I can trust myself :)  However a lot
  of countries (uk/us and probably others, lots in the eu I would imagine) 
  have
  encryption laws, not preventing it but permitting them to throw you in jail
  unless you hand over your encryption codes.  If you don't you get a nice big
 What if someone gets an email encrypted with a
 bogus key claiming to, but not belonging to, the
 recipient? What if I lost the key? Silly law.

Many these days are. 

Not to get all Religious (cause I'm not), but that Moses guy pretty
much summed everything up in those 10 laws (well, 9 of 'em are ok,
there's one that's a little off), and ever since politicians have been
trying to prove their worth by making things worse. 



-- 
Share and Enjoy. 




Re: In Praise of Dos (RE: Mutt tmp files)

2001-11-19 Thread Petro

On Mon, Nov 19, 2001 at 12:30:34AM -0800, Martin Christensen wrote:
  Petro == Petro  [EMAIL PROTECTED] writes:
 Petro On Mon, Nov 19, 2001 at 10:24:05AM +0900, Howland, Curtis
 Petro wrote:
  ps: From a personal perspective, I think Linux is about where
  Windows 3.0 was. This is not a troll, just a usability thing.
 Petro No, it's about where win3.11 was in a lot of ways. Modulo
 Petro the stability etc.
 
 I am just dying to find out why this is so. I find the unices I work
 with to be much more usable than any incarnation of Windows. So what
 exactly do you put into 'usability'?

Consistency of UI, availability and integration of applications,
slickness of look and feel. 

Under 3.1[1] applications had widely varying look and feel, and
were not well integrated, nor was the windowing system well
integrated with the underlying OS (it didn't provide proper
abstraction of things like file-systems, processes etc.). 

With Windows 95, Microsoft changed a lot of that. Not that they did
it *well* (the Win95 style interface gives me hives), but they
provided a fairly consistent (if awful) interface, and a good deal
of abstraction of the underlying hardware/OS. 

Linux is still at the Win3.11 level in those regards. 

Does this mean Linux isn't usable? Well, considering I've had at
least one Linux box running at home since late 1993/94 (and had it
installed on and off for about a year before that), I would have to
say it's perfectly usable for those inclined to learn, those who
have specific tasks it needs done. But I wouldn't put it on my
mother-in-law's computer, or my mom's. Then again, I wouldn't give my
Mom a windows machine either (I gave her a Mac about 3/4 years ago,
and she hasn't bothered to plug it in yet). 

I like Linux, I think it's a *good* OS, and it's coming along quite
nicely, but that doesn't mean I think it's easy to use. IMO, one of
the biggest problems Linux is facing in its quest to take the
desktop is that (1) there are too many different groups working on
UI stuff, and (2) most of them think that the Win95 LOOK is right,
but don't bother trying for the consistency. 

Of course, my primary desk-top machine at home right now is a Mac
running OS X. Which has some UI issues as well. 

-- 
Share and Enjoy. 




Re: In Praise of Dos (RE: Mutt tmp files)

2001-11-19 Thread Petro

On Mon, Nov 19, 2001 at 12:46:21PM -0800, James Hamilton wrote:
 My Gnome/X/Debian GNU/Linux Desktop is much slicker than 
 anything I have ever been able to do with Windows.  The Gnome
 apps have a fairly consistent interface as well.  There is a steeper and
 longer learning curve to learn how to really use X and Unix, but I would
 say that is an asset for members of the technocracy rather than a 
 drawback.  I honestly don't know what you are talking about.  Using 

No, you are not listening. 

The slickness of the UI isn't what you can accomplish with the OS,
but rather about how things look. Look at the icons, look at the
buttons that gnome provides. Simple and functional, but not nearly
the degree of sophistication that Windows/MacOS provide. Look at the
integration of the application UI into the OS UI, it all looks the
same. 

Now maybe if I used FVWM2, or KDE, I would see more of this, but
frankly they act too much like windows (hit people, having the
minimize, maximize and KILL WINDOW buttons so close together is
wrong. This is one of the many UI issues Apple got right in OS 6-9,
but broke in X, and that windows got wrong with the 95 style UI), and
use too much screen real estate for their icons and task bar, so
I use a different window manager (one of what, 20? available). 

 the NT box I am using now to post this message is sheer torture, but 

Outhouse huh. What's the Free Replacement for that? 

 I have to have one Windows desktop and support one Windows server
 here at work.  I would say the functionality of Linux is currently and 

Functionality is not usability. 

The Functionality of Linux is far superior to Windows in every area
except common desktop applications (Word processors, spreadsheets,
Graphic Design (which is the only reason I still use MacOS at home,
there is simply nothing in the Open Source world that is anywhere
near Illustrator and Quark X-Press, and while the GIMP comes close
to PhotoShop, I've been using Photoshop for over 10 years now, and
I'm used to it). 

Yes, I've used Star Office and OO, and they are good, but not quite
ready. 

 rapidly surpassing that of Microsoft OSes, and that perhaps you haven't 
 found or learned the right environment and apps.  With Windows,
 everthing gets set up and it works the way MS decrees it will.  With 
 GNU/Linux, you have a huge number of choices.  Part of becoming
 a real user of open source is spending a lot of time evaluating different 

Stop right there. 

Do *NOT* assume because I criticize Linux that I don't know Linux.
I'm not going to get in a DSW with you, but I started using Linux
with kernel .99p6. I've built X from scratch (once). I use Linux on
my desk at work, and I'm one of like 2 or 3 in my office to do
so. I've used Slackware, DeadRat, Debian, and SuSE. I am the team
lead for a small SA team that maintains a 100+ server site,
primarily (and if testing goes well this week, soon to be almost
completely) Linux based. We're pushing an average (24 hour average)
of around 60 Mbits a second, and our front end is entirely Linux. 

I spent my weekend fighting with kernels and LVM to get snapshots
working properly. 

I've used Linux as a desktop OS for 5 or 6 years, either primarily,
or in conjunction with my Mac.  I've used Star Office, Open Office, 
SAIG, Lyx, and WordPerfect on Linux (among others) for word processing. 

I've used or tried just about every mail application out there for
Linux, and (check the headers) use Mutt daily at work--with Exchange
no less. 

I don't criticize Linux because I know windows better, I criticize
Linux because it's not as good as it *could* be. 

In fact, I don't know windows better. I've only had 2 machines of
mine that run windows--one is a work laptop used for Word and
accessing a shared mailbox on Exchange, the other is my
Counter-Strike box. That's all that's on it. Windows, and the files
needed for Counter-Strike. 

 enviroments and applications to figure out what it takes to make a 
 system really consistent and usable for you.  Even if you pick some 
 things that aren't quite finished as part of your enviroment, if they 
 are part of an active project, they will be working much better soon.  

Go into Netscape, open up some random web page. What's the key
command for find? 

Now open Lyx. What's the key command for find? Mutt? Opera?
OpenOffice? 

Just like Windows 3.11. 

Which was my point. 

 Once I set up my box, my roomates (non-tech) can use it to surf the 
 web, read their email, write papers, browse newsgroups etc with a 
 fairly consistent and truly complete suite of free applications.

I did that 5 years ago for my wife. 

Of course, that was also true of Windows 3.11, with the exception
that the underlying OS wasn't free. 


-- 

Re: In Praise of Dos (RE: Mutt tmp files)

2001-11-19 Thread Petro

On Mon, Nov 19, 2001 at 02:14:54PM -0800, Nathan E Norman wrote:
 On Mon, Nov 19, 2001 at 01:47:40PM -0800, Petro wrote:
   enviroments and applications to figure out what it takes to make a 
   system really consistent and usable for you.  Even if you pick some 
   things that aren't quite finished as part of your enviroment, if
 they 
   are part of an active project, they will be working much better
 soon.  
  Go into Netscape, open up some random web page. What's the key
  command for find? 
  Now open Lyx. What's the key command for find? Mutt? Opera?
  OpenOffice? 
  Just like Windows 3.11. 
  Which was my point. 
 Install Netscape 4.x, 6.x, Mozilla, and IE on a windows box.
 
 Good luck expecting the same key strokes to do the same thing in each
 application.

I don't have Netscape for my windows laptop, but on Opera, IE,
Pegasus Mail, Star Office, and Office the Select All, Cut, Copy, Paste,
and Find options all had the exact same key commands. Most of them
(where applicable) had the same key command for undo. All of them
used ctrl-n for new, whatever new meant in their context. Even
WinCVS, a port of a Unix app, uses most of these. Ctrl-p is almost
always print etc. 

Beyond those basics, there will (and arguably should) be differences
in what keys do, but the basics should (where applicable) be
consistent across an interface. 

But this is hugely off topic, and I'll go no further down this road.



-- 
Share and Enjoy. 




Re: In Praise of Dos (RE: Mutt tmp files)

2001-11-18 Thread Petro

On Mon, Nov 19, 2001 at 10:24:05AM +0900, Howland, Curtis wrote:
 ps: From a personal perspective, I think Linux is about where Windows
 3.0 was. This is not a troll, just a usability thing.

No, it's about where win3.11 was in a lot of ways. Modulo the
stability etc. 

-- 
Share and Enjoy. 





Re: Root is God? (was: Mutt tmp files)

2001-11-16 Thread Petro

On Fri, Nov 16, 2001 at 02:36:30PM +0100, Mathias Gygax wrote:
 On Fre, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote:
Root is God. Anything you do on the system is potentially visible to
root.
 this is, with the right patches applied, not true.

And who has to apply those patches...


-- 
Share and Enjoy. 




Re: Root is God? (was: Mutt tmp files)

2001-11-16 Thread Petro

On Fri, Nov 16, 2001 at 05:39:43PM +0100, Mathias Gygax wrote:
 On Fre, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:
  There is no way, nor any reason why, to set up a system in such a way
  that the maintainer of the system cannot maintain it. 
 maintainer is someone else. root is there for serving the daemons.
 administrating the machine is the next security level and this time in
 the kernel (to deactivate it). the interface is clean.

You're thinking of root as uid 0, while the other people are
thinking of root as The person who controls the machine. 

The person who administers the machine *OWNS THE MACHINE*. 

-- 
Share and Enjoy. 




Re: Mutt tmp files

2001-11-16 Thread Petro
On Thu, Nov 15, 2001 at 10:17:39PM -0800, Wade Richards wrote:
 Also, what makes you think root knows what he's doing?  I suspect that 
 many people with the root password could not install a tty sniffer or 
 any other spying tool unless they could type apt-get install ttysniffer.

dude, like what's this apt-get thingy, is there like a rpm for
that? 

-- 
Share and Enjoy. 



Re: Mutt tmp files

2001-11-16 Thread Petro
On Thu, Nov 15, 2001 at 11:09:41PM -0800, Craig Dickson wrote:
 Wade Richards wrote:
  I still say the bottom line is, if you don't trust root, don't use his
  machine.
  This is the sort of absolutist nonsense that gives security experts a
  bad name.  After all, anyone armed with a chainsaw can cut through a
  solid oak door in a matter of hours, so why bother installing a deadbolt
  on your door?
 To keep out all the people who don't have chainsaws, obviously. But on
 *nix machines, root has a chainsaw, and plenty of other tools also. He
 can also get a key to your deadbolt if he really wants it.

What you're trying to do is threat modeling, and quite frankly I'm
in complete agreement with the statement that if those with the
root password are in your threat model, it's time to find another
machine. 

That said, the first thing to do is set the environment variable
TMPDIR to something under your home directory, and something only
readable by you (well, and root). This gets it out of generic land. 

-- 
Share and Enjoy. 
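One way to carry out that first step, as an added shell example rather than code from the thread: the path $HOME/tmp and the helper names setup_private_tmpdir and make_private_tmpfile are assumptions. The first helper creates a mode 0700 directory under the home directory, refuses a symlink or a directory owned by someone else, and exports TMPDIR; the second shows that a temp file created afterwards (as a mail client would for a message being edited) lands there with mode 0600, out of the shared /tmp.

```shell
#!/bin/sh
# Added example, not code from the thread: give mutt (and every other
# program that honours TMPDIR) a private scratch directory under $HOME
# instead of the shared, world-readable /tmp. The path $HOME/tmp is an
# assumption; the post only says "something under your home directory".
# This keeps other users out; as the thread notes, it does nothing
# against root.

# setup_private_tmpdir [DIR]
# Creates DIR (default $HOME/tmp) with mode 0700, refuses anything that
# is not a plain directory owned by us under $HOME, and exports TMPDIR.
# Returns 0 on success, 1 on any refusal.
setup_private_tmpdir() {
    dir="${1:-$HOME/tmp}"

    # "Out of generic land": insist on a path under our own home.
    case "$dir" in
        "$HOME"/*) ;;
        *) echo "refusing: $dir is not under $HOME" >&2; return 1 ;;
    esac

    # A symlink planted at that path would redirect every temp file.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi

    # Create under umask 077 so there is no window where the directory
    # exists with permissive bits before chmod runs.
    if [ ! -d "$dir" ]; then
        (umask 077 && mkdir -p "$dir") || return 1
    fi
    chmod 0700 "$dir" || return 1

    # Belt and braces: confirm owner and mode from portable ls output.
    owner=$(ls -ld "$dir" | awk '{print $3}')
    mode=$(ls -ld "$dir" | cut -c1-10)
    if [ "$owner" != "$(id -un)" ]; then
        echo "refusing: $dir is owned by $owner, not $(id -un)" >&2
        return 1
    fi
    if [ "$mode" != "drwx------" ]; then
        echo "refusing: $dir has mode $mode" >&2
        return 1
    fi

    TMPDIR="$dir"
    export TMPDIR
    return 0
}

# make_private_tmpfile [PREFIX]
# Creates a 0600 file under TMPDIR the way a mail client would for a
# message being edited, prints its path, and fails if the file did not
# land in TMPDIR or is readable by anyone else.
make_private_tmpfile() {
    prefix="${1:-mutt}"
    f=$(umask 077 && mktemp "$TMPDIR/$prefix-XXXXXX") || return 1
    case "$f" in
        "$TMPDIR"/*) ;;
        *) rm -f "$f"; return 1 ;;
    esac
    if [ "$(ls -l "$f" | cut -c1-10)" != "-rw-------" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# Typical use from a login script: set it up, then start the mail client.
# setup_private_tmpdir && exec mutt
```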




Re: Vulnerable SSH versions

2001-11-12 Thread Petro

On Mon, Nov 12, 2001 at 05:54:04PM -0800, Ethan Benson wrote:
 On Tue, Nov 13, 2001 at 10:10:10AM +0900, Howland, Curtis wrote:
  I will gladly grant that the tar file may not exist for the boot
  floppies, and that I do not have on hand the CD to check it. It also
 may
   have been a Potato(e) phenomenon, no longer in use. However, it did
  exist.
  yes, releases before woody use a base tarball.  that's not done
  anymore, base tarballs are obsolete.
  Which makes me wonder, why ship Woody with 2.2.20 at all? Oh well, not
  my decision.
 because 2.4 is not stable yet.

You can say that again. 
Grumble
-- 
Share and Enjoy. 





Re: FTP and security

2001-11-08 Thread Petro
On Thu, Nov 08, 2001 at 04:57:22PM -0500, Adam Spickler wrote:
 Is there a decent Windows FTP application that supports sftp?  Unfortunately, 
 I have to use Windows at work.  :/

Well, there's always cygwin. It almost makes Windows liveable. 

 On Thu, Nov 08, 2001 at 10:55:17PM +0100, Wichert Akkerman wrote:
  Previously Lars Bjarby wrote:
   While we're on the subject, is there an OpenSSH port of SFTP?
  
  openssh has a sftp subsystem, yes.
  
  Wichert.
  

-- 
Share and Enjoy. 



Re: Questions regarding the Security Secretary Position

2001-10-22 Thread Petro

On Mon, Oct 22, 2001 at 09:40:45AM +0300, Lauri Tischler wrote:
 Matt Zimmerman wrote:
  
   I think the security secretary, if we have one, should be a Debian
   developer.
  
  We have two of them, and they are both card-carrying developers.
  
 Unnghhh...
 'Card-carrying' sounds like fiery-eyed anarchist or extreme left
 revolutionary, some kind of luddite the least..

And the problem with this is? (No, I don't like leftists or
luddites, but I'm all in favor of fiery-eyed anarchists).

-- 
Share and Enjoy. 








Re: central administration techniques

2001-10-19 Thread Petro

On Fri, Oct 19, 2001 at 09:41:22AM -0700, nrvale0 wrote:
  maybe have a look at cfengine?
  or apt-cache search / freshmeat / google for other options
 
 I was down this road just a few months ago. cfengine is nice except
 that the author doesn't believe that 'administrative information' is
 something that should be protected and thus has no plans to move from
 rsh to an SSH tunnel or SSL. Imagine syncing /etc/shadow or some other
 information that should be kept secret over RSH. Yuck. 

If it's on the wire, it should be encrypted.

-- 
Share and Enjoy. 


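The objection above is that administrative data (an /etc/shadow sync, say) goes over rsh in the clear. As an added example, not from the thread and not cfengine's own code, here is a small audit that scans an administration script for the cleartext transports (rsh, rcp, rlogin, rexec, telnet, ftp, tftp) so the problem is caught in review rather than on the wire. The sample script it scans is constructed for the demo, and GNU grep is assumed.

```shell
#!/bin/sh
# Added example: flag cleartext remote transports in admin scripts.
# Assumes GNU grep (-E, -w, -n).

# cleartext_transport_refs FILE
# Prints every non-comment line of FILE that names a cleartext transport
# (as a whole word, so "rsync -e rsh" and "RSYNC_RSH=rsh" are caught but
# "sftp" and "rsync" are not). Returns 0 if nothing was found, 1 otherwise.
cleartext_transport_refs() {
    file=$1
    hits=$(grep -nEv '^[[:space:]]*#' "$file" \
           | grep -wE 'rsh|rcp|rlogin|rexec|telnet|ftp|tftp' || true)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# count_cleartext_refs FILE
# Same scan, but prints only the number of offending lines.
count_cleartext_refs() {
    cleartext_transport_refs "$1" | grep -c . || true
}

# write_sample_script FILE
# Constructed sample of a "push the account files everywhere" script,
# written for this demo; it is not a real script from any project.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# push account files to every host (constructed sample, not a real script)
for h in $(cat /etc/hosts.sync); do
    rcp /etc/shadow "$h":/etc/shadow
    rsync -e rsh -a /etc/cfengine/ "$h":/etc/cfengine/
    scp /etc/ssh/ssh_known_hosts "$h":/etc/ssh/
done
EOF
}

# Usage:
#   write_sample_script /tmp/sync.sh
#   cleartext_transport_refs /tmp/sync.sh   # lists the rcp and rsync -e rsh lines
```

The scan reports the rcp line and the rsync-over-rsh line and leaves the scp line alone; a non-zero return makes it easy to wire into a pre-commit hook or a nightly cron job over the scripts directory.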






Re: '(no

2001-09-15 Thread Petro

On Sat, Sep 15, 2001 at 10:23:45PM +0300, Momchil Velikov wrote:
  Dimitri == Dimitri Maziuk [EMAIL PROTECTED] writes:
 Dimitri In linux.debian.security, you wrote:
 Dimitri If you suspect your machine was r00ted, 
 Dimitri 1. Take it off the net _now_.
 Dimitri 2. If you want to do a post-mortem, boot from known good CD or plug
 Dimitri the hd into a known good box.
 Dimitri 3. Post mortem or not, wipe everything out (as in fdisk) and reinstall
 Dimitri from scratch.
 
 Frankly, this looks a bit too harsh. Of course, it depends on the
 importance of the machine and the data on it.

No, it isn't. 

It's not just your machine you're protecting, it's every other
machine on the network. 

If your trivial little game box gets hacked, you lose nothing but
time, but the attacker now has a clean platform (in that it's not
in an IP space that can be tracked back to him) to attack *me* from,
and when I notice the attack, I track it back to *you*. Unless you
can demonstrate otherwise, then I have to assume that it's you who
is attacking me, and then you have to convince the FBI that you
didn't do it. 

If you believe that you've been hacked, fdisk and restore from
backup--if you are absolutely positive your backup is clean.
Otherwise rebuild from scratch. 

 Dimitri The reason is that the intruder could install hacked versions of utilities
 Dimitri like ps, ls, lsmod etc. that won't show backdoor processes and hacked files,
 Dimitri and/or a kernel module that does the same at OS level. Your logs may have 
 Dimitri been sanitized, too. You cannot trust any program on a r00ted box.
   ^
 
 In theory, yes. In practice, one can (marginally) trust some of the
 programs, e.g. is it likely that a rootkit has changed ``tar'' ? Or
 ``apt-get'' ? Or ``tcsh'' ?

Tar and Apt-get probably not. tcsh would be more doubtful. 

-- 
Share and Enjoy. 


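The thread's point is that ps, ls, lsmod and the rest cannot be trusted on a r00ted box, so any checking has to be done from known-good media (Dimitri's step 2: boot from a clean CD or move the disk to a clean box). As an added example, not from the thread, here is the comparison that step enables: record a hash baseline of a clean install and check the suspect disk against it using the clean media's own tools. The functions, the use of GNU coreutils `sha256sum -c` and GNU `find`/`sort`/`xargs`, and the sample files are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: hash-baseline verification of a suspect filesystem.
# Run it from clean media with the suspect disk mounted read-only; the
# sha256sum, find, sort and xargs used must be the clean media's, never the
# suspect box's. Assumes GNU coreutils and findutils.

# make_baseline ROOT OUTFILE
# Records a SHA-256 for every regular file under ROOT, with paths relative
# to ROOT so the same list can be checked against a disk mounted elsewhere.
# ROOT must be a clean install (or clean media), never the suspect disk.
make_baseline() {
    root=$1
    out=$2
    (cd "$root" && find . -type f -print0 | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum) > "$out"
}

# check_baseline ROOT BASELINE
# Checks the files under ROOT (the suspect disk's mount point) against
# BASELINE and prints the number of files that are changed or missing.
# sha256sum -c reports "<path>: FAILED" for a changed file and
# "<path>: FAILED open or read" for a missing one, and exits non-zero in
# either case, so the report is captured and counted here.
check_baseline() {
    root=$1
    baseline=$2
    report=$( (cd "$root" && sha256sum -c --quiet "$baseline" 2>/dev/null) || true )
    printf '%s\n' "$report" | grep -c 'FAILED' || true
}

# Usage, from the clean environment:
#   make_baseline  /mnt/clean   /root/baseline.sha256
#   check_baseline /mnt/suspect /root/baseline.sha256   # 0 means nothing differs
```

A count of zero only says the files in the baseline are unchanged; it says nothing about files the intruder added, which is one more reason the thread's advice to wipe and reinstall stands even after a clean-looking check. A baseline taken from the suspect disk itself, or checked with the suspect disk's own sha256sum, proves nothing.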






Re: Why do people do this? [Was fishingboat in root]

2001-09-01 Thread Petro
On Sat, Sep 01, 2001 at 01:10:04PM +1000, CaT wrote:
 On Fri, Aug 31, 2001 at 10:48:37PM -0400, Layne wrote:
  SUCK MY COCK IF YOU SEND ME ANY MORE SPAM MAIL
 *gets out a pippet, a microscope and a vacuum cleaner*

I'd suggest using a sledge hammer with that pipette. 


A clue for Layne: 

 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

-- 
Share and Enjoy. 



Re: Layne (was: Re: Is ident secure?)

2001-09-01 Thread Petro
On Fri, Aug 31, 2001 at 11:54:40PM -0400, Ed Street wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hello,
 
 If not is anyone up for a road trip? ;)
 
Usually.

We'll write it off as a Physical Security Seminar. 
-- 
Share and Enjoy. 



Re: HARASS ME MORE.........

2001-09-01 Thread Petro
On Sat, Sep 01, 2001 at 03:04:03PM +1000, CaT wrote:
 On Sat, Sep 01, 2001 at 12:44:15AM -0400, Layne wrote:
  I ASKED YOU MORONS NOT TO SEND ME ANYMORE E-MAIL BUT HERE YOU GO AGAIN. IS
  THERE ANY INTELLIGENT PEOPLE THERE OR IS THE PLACE RUN BY BABOONS. i'M
 
 Oook?

Yes, I'm looking for a book on summoning Dragons. 

-- 
Share and Enjoy. 






Re: Is ident secure?

2001-08-31 Thread Petro
On Fri, Aug 31, 2001 at 01:07:05AM -0700, Christian Kurz wrote:
 On 01-08-30 Brian P. Flaherty wrote:
  I have had a lot of problems running non-Debian software when I
  disable ident.  It seems like the licensing daemons expect to find
 
 What the hell is a licensing daemon? 

It's a daemon that provides license keys for commercial software. 

 And which package contains this
 software in debian? May I suggest that you first start reading the RfC
 about Ident Protocol before you make wrong statements?

Um. He distinctly said Non-Debian software. 

Maybe you should...

-- 
Share and Enjoy. 



Re: Linux LDAP problem

2001-08-28 Thread Petro

On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:
 Hey,
 I've got a slight problem. At school we run two major networks, one half is 
 Novell Netware based, and the other half is unix based.  We basically want one 
 centralized system of authentication, so that users don't have to remember two 
 different passwords to use either system.  We've been trying to get linux to use 
 ldap to authenticate with the novell ldap server, and have had no luck.  We 
 know the novell ldap server is fine, however something seems fishy with the 
 linux side.  The problem is that when using the PAM_LDAP modules, when a user 
 tries to login, they are asked for a password twice, once the normal password, 
 and the second one being the ldap based password.  However, even if you type 
 in the correct passwords, LDAP says permission denied, or authentication 
 failed.  What makes it really odd is how at the same time the novell netware 
 server states it has seen the authenticated user, and even gives it an OK to 
 login.
 Anyone have any clue as to how to make it work?  Are there any docs about 
 getting Netware+linux+ldap to work?   Thanks for any info that you might pass 
 along.  Have a nice day.

You might want to try asking on the PAM list, which I have the 
address for somewhere around here if you need it. 

-- 
Share and Enjoy. 





