#497789 - security bug on iceweasel
Hi. Sorry if I've missed discussions on this. What's the scoop? apt-listbugs is telling me don't do it:

    critical bugs of iceweasel (2.0.0.16-0etch1 -> 2.0.0.17-0etch1)

I guess I'll scurry off to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497789

Hmm ... Flash related? Don't care. :-)

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://blinkynet.net/comp/uip5.html   Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html   Please, don't Cc: me.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Root login
Vincent Deffontaines <[EMAIL PROTECTED]>:
> Marek Kubica wrote:
> > On Thu, 4 Sep 2008 13:25:13 +0100
> > Paweł Krzywicki <[EMAIL PROTECTED]> wrote:
> >
> >>> the solution was as Cerbelle said. Login as a normal user and do
> >>> sudo ( or you can activate root login from the login menu; but i
> >>> personally consider it really dangerous!)
> >> I am wondering why this is dangerous?
> >> If your password is seen as "strong" "FaG34#fCFD12drtfdg" something
> >> like this for example why this is dangerous?
> >
> > The point is, that 1) not too many people use strong passwords 2)
> > having root access allowed makes it [easier] to break in, since the
> > username is known as it is always "root". User-accounts might be named
> > pawel, pawelk, krzywicki or be completely unknown for the attacker.
>
> Even though this principle is true, it seems to me it is not in
> application on every system.
>
> Try to login on any Lenny box console with an invalid account.
> You will get "Incorrect login" without being prompted for a
> password at all.

What? And you get a shell prompt?!?

> I tend to consider this as a quite bad bug, but it seems it has
> been so for a while in Lenny, and even in upstream PAM.

reportbug, search bugs.debian.org, ask in [EMAIL PROTECTED], ...

The "What?!?" was meant seriously. The closest I've come to running Testing is Sidux which is Sid based, so I can't easily verify this. I find it's difficult to believe that Lenny really does this, but what do I know? Can anyone confirm?
Re: Can not login as root
Paweł Krzywicki <[EMAIL PROTECTED]>:
> On Thursday, 4 September 2008, Murat Ohannes Berin wrote:
> >
> > I just installed Debian on my laptop. However, I can not login as root. It
  ...^^^
> Try to login as a single user and change your root password

FYI, single-user asks for root pword. However, he's solved his problem now.
Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Incoming from Micah Anderson:
> * s. keeling <[EMAIL PROTECTED]> [2008-07-09 17:31-0400]:
> > Micah Anderson <[EMAIL PROTECTED]>:
> > > * Wolfgang Jeltsch <[EMAIL PROTECTED]> [2008-07-09 13:31-0400]:
> > > > > > configure it to only listen on 127.0.0.1,
> > > >
> > > > How do I do this? dpkg-reconfigure doesn't help.
> > >
> > > I think the bind9 package comes configured this way by default in
> > > Debian (a caching-only local nameserver).
> >
> > If that's what the OP requires, maradns provides that, and a lot
> > simpler.
>
> What could be more simpler than apt-get install bind9?

... followed by configuring it for (assumed, worst case) his particular Franken-network situation. I've fought with bind numerous times before, and didn't enjoy it. If all he needs is caching-only local, that's what maradns is for.

I'm not dissing bind*. I'm just suggesting maradns's simpler, and possibly apropos in OP's situation. I could be wrong though; the start of this thread recedes into the depths of time ... and I may have missed important details.
Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Micah Anderson <[EMAIL PROTECTED]>:
> * Wolfgang Jeltsch <[EMAIL PROTECTED]> [2008-07-09 13:31-0400]:
> > > > configure it to only listen on 127.0.0.1,
> >
> > How do I do this? dpkg-reconfigure doesn't help.
>
> I think the bind9 package comes configured this way by default in
> Debian (a caching-only local nameserver).

If that's what the OP requires, maradns provides that, and a lot simpler.
Re: ssh-keygen still gives vulnerable keys
Harrison Conlin <[EMAIL PROTECTED]>:
> On Wed, Jun 4, 2008 at 10:58 AM, Dan Christensen <[EMAIL PROTECTED]> wrote:
> > I had this problem with a completely up-to-date Ubuntu gutsy install on
> >
> > I can't reproduce this now, as I have since upgraded the machine to
> > hardy, which doesn't show the problem.
>
> Ubuntu != Debian :)

Did SuSE, Redhat, or *BSD suffer from this glitch? Ubuntu, along with the rest of Debian, did. It's a Debian downstream, so quite a lot applies to both. Not everything, but a lot.

Take a look into alt.os.linux.slackware to see how those with that attitude treat Zenwalk users. I don't use *buntu myself, but I've no problem with *buntu users seeking Debian answers here.
Re: Thanks to Debian OpenSSL developers
Izak Burger <[EMAIL PROTECTED]>:
> On Thu, May 15, 2008 at 9:58 PM, Guido Hennecke
> <[EMAIL PROTECTED]> wrote:
> > In Germany we say: "Wer nichts macht, macht auch nichts verkehrt".
>
> Which means: he who does nothing makes no mistakes. (For those who
> don't understand German)

Danke.

"Behold, the turtle. He makes progress when he sticks his neck out."
Re: Is oldstable security support duration something to be proud of?
Marc Haber <[EMAIL PROTECTED]>:
>
> This is a remarkable way to make the blatant failure to release Sarge
> in a timely manner an advantage from a different point of view.
>
> If we really manage to release stable every 18 months, that would make
> the normal support cycle for any stable release 30 months. Which is
> not bad, but will drive corporate users who are used to updates being
> as painful as a reinstall away from us and towards Ubuntu LTS (if they

Painful as a reinstall, yes. So much so that they're often *very* unwilling to upgrade anything! Sec. patches yes, but upgrade? Hell no! That would break fifteen other things they rely on.

Real corps don't even consider Ubuntu. They're Redhat for the support agreements. Minimizes lawyer fees.
Re: Is oldstable security support duration something to be proud of?
Sorry to continue this. :-P

Filipus Klutiero <[EMAIL PROTECTED]>:
>
> No. My point is not that users shouldn't upgrade or that Debian
> releases should be supported for longer. I'm just pointing that
> it's useless/misleading to state the project is proud of the
> security support duration.

An obviously blatantly wrong assertion, considering many testimonials from the Sec. bunch themselves, and us mere users of all this great [EMAIL PROTECTED]

In another mail you complain about bragging. Bragging and pride are very closely tied in this language. I do brag to prospective clients about my past successes. I feel no shame in this. I see nothing different in what the Sec. team are doing.

Kudos again DDs. & Sec. esp.
Re: ssh attacks script
Incoming from Henrique de Moraes Holschuh:
> On Sun, 03 Apr 2005, chad wrote:
> > where trying to get into me from. so i wrote a script to do it for me.
>
> I would change that script to trigger only with two or more attempts from
> the same IP...

... And realize that reports like this are routinely ignored. You mark yourself as little more than a "GWF" (Goober With a Firewall). Many feel justified in completely ignoring abuse like this. After all, what did they do? From their point of view, little more than ping you. They won't bother doing anything about it if the kiddie didn't actually get in.

I agree with you it would be nice to shut these twirps down, but I doubt your script will have much effect on the overworked ISP net abuse people.
Re: [OT] Release cycle - was Re: My machine was hacked - possibly via sshd?
Incoming from Malcolm Ferguson:
>
> I completely agree that this needs to be discussed, but is a Debian
> security list the right forum?

No, and sorry for continuing it. Just one more thought ...

> It's clear that Debian is used for different purposes and one size might
> not fit all. Personally I like long release cycles. I can't stand
> constantly tinkering with my systems. I've got better things to do with

Agreed, and in case that's not loud enough for (some of) you, others out here think the nitwits running bleeding edge software are utterly insane! :-)

I am tired of hearing Sven tell me to upgrade to the latest mutt whenever I venture into comp.mail.mutt with a problem. I don't care if the latest version has cool new features. It's also got uncool new bugs (no offense intended). I sympathise with the developer in him who wants to fix bugs in the current source, not the old source, but the old mutt mostly works pretty damn fine for me. Why the heck would I want to upgrade to less stable software?!?

For all those out there moaning that Woody is just too damn old to matter to anyone, bite me. I love it. You, on the other hand, are apparently making unsound hardware purchases, or poorly researched ones at least. Physician, heal thyself.
Re: My machine was hacked - possibly via sshd?
Incoming from David Pastern:
> On Tue, 2005-03-29 at 07:25 +1000, Malcolm Ferguson wrote:
> >
> > I'm curious though about your statements telling me that everything I
> > have is old and that I should be using new versions. This makes me ask:
> > what is the point of Debian stable? Everything but the kernel was a
> > Debian stable package with all the latest security patches.
>
> Your kernel is old. That's for starters. 2.4.30 is in rc2 now. It
> alone fixes some security issues. 2.4.18 is ancient, and there's most

But 2.4.18 is the Debian stable kernel, which gets security updates and patches, no?
Re: secure ident daemon
Incoming from LeVA:
>
> Can someone please suggest me a secure ident daemon. I can not choose from the
> apt searched list.

fauxident.py
Re: Packet sniffing & regular users
Incoming from Alvin Oga:
>
> On Wed, 2 Mar 2005, David Mandelberg wrote:
>
> > s. keeling wrote:
> > > Isn't it generally accepted that black hats who get local access (ie.,
> > > a user login account) is _much_ worse than black hats who've been kept
>
> anybody and everybody has "local access" with or without permission
>
> > > out? Assuming black hat wants root, taking over a user's account is a
> > > very big first step.
>
> that's trivial to do ... assuming you allow anybody to reboot a pc

Are you confusing "local access" with "physical access?" With the latter, all bets are off and any security you rely on on the running system is irrelevant.

> sniffers:
> http://linux-sec.net/Sniffers
>
> i like pfilt.pl ... anybody, non-techies can use it and sniff

http://www.linux-sec.net/Sniffer/Scripts/royans.net/pfilt.pl

Your link points at wireless sniffers? But thanks for that. Interesting site.
Re: Packet sniffing & regular users
Incoming from David Mandelberg:
> s. keeling wrote:
> > "... should be" != "are." Are you sure no-one there's using telnet,
> > ftp, & etc?
> Allowing network
> sniffing is just another good incentive not to send confidential data
> unencrypted.

Isn't it generally accepted that black hats who get local access (ie., a user login account) is _much_ worse than black hats who've been kept out? Assuming black hat wants root, taking over a user's account is a very big first step.

I would take the security of your user's accounts much more seriously if I were you. If your users are leaving the door open, sooner or later someone much worse than the paper boy is going to come stumbling in.
Re: Packet sniffing & regular users
Incoming from David Mandelberg:
> s. keeling wrote:
> > Do you understand what "anyone can see anything" really means? Have
> > you pumped tcpdump output into ethereal lately?
> >
> > "anyone can see anything" really means "anyone can see anything".
> > Think about it. And what's the real reason why you don't want to
> > bother with sudo?
> I'm curious, but what's wrong with letting them sniff all hardware interfaces
> (i.e. not lo)? Any passwords or confidential data should be encrypted anyway

"... should be" != "are." Are you sure no-one there's using telnet, ftp, & etc?
Re: Packet sniffing & regular users
Incoming from Brian Kim:
> [snip]
> solution, what sorts of security concerns does it present, aside from
> the obvious "anyone can see anything" sort of concern?

Do you understand what "anyone can see anything" really means? Have you pumped tcpdump output into ethereal lately?

"anyone can see anything" really means "anyone can see anything". Think about it. And what's the real reason why you don't want to bother with sudo?
Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
Incoming from Florian Weimer:
> * s. keeling:
>
> > People who don't use stupid Windows email clients have no trouble with
> > attachments at all. Attachments are a very useful tool; for instance,
> > for code listings, they arrive unmangled by line wrap.
> >
> > Get a better email client, running on a better OS.
>
> You mean the OS whose users invented shell archives and unshar?

Yes, the one that was smart enough to learn from mistakes like that. The one he's using still thinks that kind of behaviour is a feature.
Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
Incoming from Rick Moen:
> Quoting s. keeling ([EMAIL PROTECTED]):
>
> > Well, even mutt will, if you turn on autoload crap in .muttrc and load
> > up your .mailcap with stupid helper apps.
> >
> > Out of the box, no, mutt doesn't do that.
>
> Ja. We might call the .mailcap scenario the "aim-gun-at-my-foot-please"

Ha! The problem here is the nitwit factor. Nitwits who are deathly afraid of having to think about what to do with some obscure file format, want their app/OS to just fscking handle it and do the right thing.

Well, what app/OS is well known for that sort of behaviour? And what are the generally expected repercussions? Oh yes. Lookout! and Internet Exploder, and consequently enabled viruses, worms, trojans, spambots, spyware, ...

I say again to the original poster, get a better MUA, running on a better OS. I've no sympathy for your present situation. Attachments are a valuable feature that your system is unable to take advantage of. We don't have that problem here. That's why we run Debian.
Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
Incoming from Denis O'Toole:
> Can you please OT: this

Hint: the "d" key will probably do this for you. Please stop interfering with discussions of insecure applications on debian-security. TVM. :-)
Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
Incoming from Rick Moen:
> Quoting David Mandelberg ([EMAIL PROTECTED]):
>
> > Do you mean to say that opening "message.txt\t\t\t.desktop" which
> > happens to be a freedesktop.org compliant launcher for the program "rm
> > -rf $HOME" is safe because it's designed for people running one of the
> > F/OSS products GNOME or KDE on a F/OSS OS?
>
> Please advise this mailing list of which specific Linux or BSD MUA (or
> specific configuration thereof) is willing to execute a received binary

Hi Rick. :-) Well, even mutt will, if you turn on autoload crap in .muttrc and load up your .mailcap with stupid helper apps.

Out of the box, no, mutt doesn't do that.
Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
Incoming from David Mandelberg:
> s. keeling wrote:
> > Incoming from Moe:
> >
> >>Martin Schulze wrote:
> >>
> >>> Part 1 Type: C
> >>>Encoding: 8bit
> >>
> >>After all these months/years of warnings to NEVER open email
> >>attachments, why are you sending attachments instead of in-line?
> >
> > People who don't use stupid Windows email clients have no trouble with
> > attachments at all. Attachments are a very useful tool; for instance,
> > for code listings, they arrive unmangled by line wrap.
> >
> > Get a better email client, running on a better OS.
>
> Do you mean to say that opening "message.txt\t\t\t.desktop" which happens to be
> a "freedesktop.org compliant launcher for the program "rm -rf $HOME" is safe

No, I assume people have half a brain in their heads, look at the attachment type, maybe save it to a file and inspect it, then maybe look at it or delete it. Too much work? Okay, slap a lot of autoload crap in your .mailcap and watch your system disappear.

You don't _have_ to look at an attachment if you don't trust it. Write the person who you got it from and tell them to post it on a website instead. Then point something sensible like firefox at it.

How often have you seen a "freedesktop.org compliant launcher for the program "rm -rf $HOME"" anyway? I never have. 'Sound like a Microsoft Security Update (aka Swen) to me. Okay, it could happen. That's why I take the time to think about what I'm doing.

> I agree that not opening any attachments is counter-productive and shows

Fear of opening attachments is stupid. It's fear mongering based on experience with Windows applications' ineptitude.
Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution
Incoming from Moe:
> Martin Schulze wrote:
> >
> >Part 1 Type: C
> > Encoding: 8bit
>
> After all these months/years of warnings to NEVER open email
> attachments, why are you sending attachments instead of in-line?

People who don't use stupid Windows email clients have no trouble with attachments at all. Attachments are a very useful tool; for instance, for code listings, they arrive unmangled by line wrap.

Get a better email client, running on a better OS.
Re: iptables requires packets counter
Incoming from RatÓn:
> So it is not meant for iptables testing. How can I test my config then??

Here's how I do it:

    iptables -A INPUT -s ! 127.0.0.1/32 -m state --state NEW -j LOG
    iptables -A INPUT -s ! 127.0.0.1/32 -m state --state NEW -j DROP

Then I just watch Xconsole. Modify those to LOG & DROP the packets you're concerned with.
Re: iptables requires packets counter
Incoming from RatÓn:
>
> I´m new to packet-filtering. As you can imagine starting to use
> iptables. Well once I´ve reached my first configuration I want to test
> it by asking iptables if a certain type of traffic is going to be
> ACCEPTED or not. To do this I make use of the -c option as follows:
>
>
> iptables -c forward -p tcp -s 172.26.0.2 -d 192.168.0.1 -i br0
>
> But as unexpected iptables answers:
>
> 'iptables v1.2.9: -c requires packet and byte counter'
>
> Any help please?

    -c, --set-counters PKTS BYTES
        This enables the administrator to initialize the packet and byte
        counters of a rule (during INSERT, APPEND, REPLACE operations).
Re: Serious problem after tetex security update
Incoming from Andreas Goesele:
> Andreas Goesele <[EMAIL PROTECTED]> writes:
>
> > After the last security update with libkpathsea3 and tetex-bin my
> > LaTeX installation doesn't work any more. When I try to compile a
> > LaTeX file I get:
> >
> > I can't find the format file `latex.fmt'!
> >
> > What can I do to get a working LaTeX installation back? I urgently
> > need it!
>
> I found the solution. There is a bug in the new package:
>
> /usr/share/texmf/web2c does not link to /var/lib/texmf/web2c (as it

Odd. It worked for me (though I haven't tried any LaTeX commands):

    (0) keeling /home/keeling/.mozilla/plugins_ ls -al /usr/share/texmf/web2c /var/lib/texmf/web2c /var/lib/texmf/web2
    ls: /var/lib/texmf/web2: No such file or directory
    lrwxrwxrwx 1 root root 20 Nov 25 11:06 /usr/share/texmf/web2c -> /var/lib/texmf/web2c/

    /var/lib/texmf/web2c:
    total 14315
    drwxr-xr-x 2 root root 3072 Nov 25 11:07 ./
    drwxr-xr-x 3 root root 1024 Nov 26 06:30 ../
    -rw-r--r-- 1 root root 5320 Nov 24 01:55 amiga-pl.tcx
    -rw-r--r-- 1 root root 405356 Nov 25 11:07 amstex.fmt
    -rw-r--r-- 1 root root 3064 Nov 25 11:07 amstex.log
    ...
Re: rkhunter / chkrootkit
Incoming from [EMAIL PROTECTED]:
>
> chkrootkit found nothing but rkhunter found quite a lot:
>
> /bin/login /bin/su /usr/bin/locate /usr/sbin/useradd /usr/sbin/usermod
> /usr/sbin/vip
>
> All these binaries have been alerted within rkhunter.
>
> I got a message like this [ and there was indeed a debian
> update of passwd(login) but to get sure I need really competent
> advices]:
>
> Rootkit Hunter found some bad or unknown hashes. This can be happen due
> replaced binaries or updated packages (which give other hashes). Be sure
> your hashes are fully updated (rkhunter --update). If you're in doubt
> about these hashes, contact the author ...
>
> And another alert was this:
>
> Checking /dev for suspicious files... [ Warning!
> (unusual files found) ]
>
> What's up now I would expect someone has replaced my /bin/login

- what version of chkrootkit are you running? Latest is 0.44.

- rkhunter appears to only be showing a "tripwire" sort of alert. Its recognition of what's on the system apparently wasn't updated when you installed new software, and that would be the mistake you made that's causing this confusion.

So, I'd say the prudent things to do are:

- install and run the latest chkrootkit.

- rkhunter --update

However, I don't run rkhunter. Is there an rkhunter-users mailing list anywhere? Perhaps you can check their archive?
Re: telnetd vulnerability from BUGTRAQ
Incoming from Rick Moen:
> Quoting Milan Jurik ([EMAIL PROTECTED]):
>
> > The question isn't if stop using telnet. The question is why Debian's
> > telnetd is still vulnerable.
>
> I'd apologise for the off-topic digression -- if I thought I'd given
> offence. ;->

No-one should have to apologise for warning against bad security practices. $DEITY knows the Windows crowd doesn't care about it, but we're better than that, right? One unpatched Microsh*t box in your LAN, and one nitwit using IE, and your whole network is owned. It would be irresponsible not to warn others about it.

If/when they get in, they can also get a sniffer in. If you're running telnet, you're fooling yourself. If you're using ssh ubiquitously, that's yet another vector closed to them.

I don't have a lot of patience for those who think, "Yes, we know the risks, but we'd rather not change." Evolution in action, indeed.
Re: telnetd vulnerability from BUGTRAQ
Incoming from James Renken:
> Greetings,
>
> I noticed the message below on BUGTRAQ last weekend, reporting a remote
> root compromise in telnetd. I haven't seen any discussion of this on the
> list archives, nor a new DSA. Am I missing something?

Is anyone still using telnet when there's ssh? Why? I wouldn't even use it inside my own firewalled LAN. ssh is just better.
Re: Spyware / Adware
Incoming from Daniel Pittman:
>
> *Most* mail clients under Unix are better written than to do that, but

Even mutt (a terrific MUA) _can be told_ to automatically "handle" MIME types for you, if you want. It just depends what's in your ~/.mailcap, and that can contain any sort of command you can imagine. If you want it to mangle your user data when it runs across a malicious png, it can do that. That doesn't mean it has to. It only means you have that option.

There's nothing inherently wrong with an MUA being able to do this. The difference is, an MUA in Unix/Linux doing that can affect user space. In other (so called) OS's, it likely can affect privileged areas of the system, which is probably not a good thing.

See "auto_view" in the mutt manual.
Re: get notice of sec update if package is on hold
Incoming from Timo Veith:
>
> if I have a package on hold for some reason AND I would not read
> debian-security-announce, how could I get to know whether there is a
> secur[it]y update for that package ?

i) Subscribe to debian-security-announce !?!
ii) Go to lists.debian.org and see them there?

The first of those is an absolutely perfect answer to the problem. That's why it exists. Why would you not want to use it?
Re: sshd: Logging illegal users
Incoming from Greg Folkert:
>
> Hey, I have found some thing. Rather than repost. I'll share where I
> posted it.
>
> http://z.iwethey.org/forums/render/content/show?contentid=169321

"Zope Error"
Re: newbie iptables question
Incoming from Daniel Pittman:
> On 14 Aug 2004, s. keeling wrote:
> >
> > Are you suggesting that I might see stuff in my logs that was destined
> > for a foreign IP?
>
> Not often, but occasionally, depending on how your ISP connects you to
> the Internet. It is most common on a LAN or a cable setup.

Sorry, I meant "foreign IP" as "something outside of my LAN."
Re: newbie iptables question
Incoming from Bernd Eckenfels:
> In article <[EMAIL PROTECTED]> you wrote:
> >> > > Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> >> > > SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115
> >> > > ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> ...
> > It all depends on whether you have services running on your machine
> > that listen on DPT (445 in this case). If something is there to "pick
> > up the phone" so to speak, anything can happen. That service could
> > answer on another port altogether.
>
> Well, you need to check if DST= is a local address, anyway.

Are you suggesting that I might see stuff in my logs that was destined for a foreign IP? If so, that would make me an open mail relay, no?
Re: newbie iptables question
Incoming from Wanda Round:
> "s. keeling" <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]>...
> > Incoming from Wanda Round:
> > >
> > > Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> > > SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115
> > > ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> >
> > - It came in over ppp0.
>
> Many thanks for the clear, tiny-bite answer! Which specific item
> tells you that it "didn't get back out"?

I spoke too soon on that. Sorry. :-P

> You're saying that as long as the incoming doesn't get back out
> I'm ok, correct?

It all depends on whether you have services running on your machine that listen on DPT (445 in this case). If something is there to "pick up the phone" so to speak, anything can happen. That service could answer on another port altogether.

The trick is, don't run services that you don't need to run. Go into /etc/inetd.conf and comment out anything that you don't like; things like ftpd, telnetd, rsh (remote shell), portmap, identd. If you never need to ssh _into_ your box, tell it not to run sshd. You'll still be able to ssh out.

> thing only with different MAC addresses. Does this mean, FROM
> THE LITTLE YOU'VE SEEN, that the iptables is doing a good job?

It _may_ be, but if you're running services you don't need to, you will have opened the door and iptables can't solve that. All a firewall does is _break connectivity_. Unix was designed to listen to a lot of ports and respond to requests appropriately. iptables just slaps duct tape over those ports.

I'd get one of the firewall management tools (fwbuilder, shorewall, etc.) and play with it. It'll build you your iptables rules for you. That's the best way to wrap your head around this stuff.

My theory on iptables rules, for a personal workstation, is:

  - anything outgoing NEW,ESTABLISHED,RELATED is allowed
  - anything incoming NOT from localhost that's NEW - log and drop
  - anything incoming over ppp0 that's ESTABLISHED,RELATED to existing connections - accept

then you can add exceptions; I allow tcp 113 because I run something called fauxident. Some cvs servers demand it.

groups.google.com for comp.os.linux.security can be a lot of help.
Re: newbie iptables question
Incoming from s. keeling:
> Incoming from Wanda Round:
> > After reading that I should look through /var/log/messages, I did
> > and found many lines like these:
> >
> > Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> > SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115
> > ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
>
> - It came in over ppp0.

[snip]

> The only thing I tend to care about is:
>
> - What, on my machine, is at port #445 (nothing). "grep 445 /etc/services".

/bin/netstat -tnupl
/bin/netstat -nr
Re: newbie iptables question
Incoming from Wanda Round:
> After reading that I should look through /var/log/messages, I did
> and found many lines like these:
>
> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115
> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0

- It came in over ppp0.
- It didn't get back out.
- No network card was involved.
- It came from 201.129.122.85
- Your IP was 12.65.24.43
- [Other stuff]
- It was TCP protocol (as opposed to UDP, ICMP, ...)
- It came from their port #4346.
- It went at your port #445.
- [Other stuff]

The only thing I tend to care about is:

- What, on my machine, is at port #445 (nothing). "grep 445 /etc/services".
- If it's an INcoming or OUTgoing packet, is it (related to) something I started?
- Many things (like 53, DNS) are just idiots out there who (for whatever reason) think you are their nameserver. Ignore them.
- Many hits on your box are from viruses and worms looking to infect your box. Ignore them.
- Many hits are from spammers trying to find out if they can use you as an open mail relay. Ignore them.
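The field-by-field reading above, together with the follow-up checks raised in the replies (is DST= a local address, is anything listening on DPT), as an added Python example that is not part of the original thread. The first sample line is the one quoted in the thread; the other log lines, the netstat output and the names `parse_listeners`, `triage`, `summarize` and `LOCAL_ADDRS` are constructed for illustration.

```python
import re
from collections import Counter

# Header flags that the LOG target prints as bare words rather than KEY=value.
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF", "CWR", "ECE"}
KEY_VALUE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict; return None for other lines."""
    _, found, body = line.partition("kernel:")
    if not found:
        return None
    kv = dict(KEY_VALUE.findall(body))
    if "SRC" not in kv or "DST" not in kv:
        return None
    return {
        "in": kv.get("IN", ""),    # arrival interface ("" if locally generated)
        "out": kv.get("OUT", ""),  # departure interface ("" if not routed out)
        "src": kv["SRC"],
        "dst": kv["DST"],
        "proto": kv.get("PROTO", "").lower(),
        "spt": int(kv["SPT"]) if "SPT" in kv else None,
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
        "flags": [w for w in body.split() if w in FLAG_WORDS],
    }


def parse_listeners(netstat_output):
    """Extract {(proto, port)} from output laid out like `netstat -tnupl`."""
    listeners = set()
    for row in netstat_output.splitlines():
        cols = row.split()
        if len(cols) < 4 or not cols[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        proto = cols[0][:3]
        if proto == "tcp" and "LISTEN" not in cols:
            continue
        listeners.add((proto, int(cols[3].rsplit(":", 1)[1])))
    return listeners


def triage(entry, local_addrs, listeners):
    """Classify one parsed entry using the checks discussed in the thread."""
    if not entry["in"]:
        return "outgoing"
    if entry["out"]:
        return "forwarded"
    if entry["dst"] not in local_addrs:
        return "not-local-dst"
    if entry["dpt"] is None:
        return "no-port"
    if (entry["proto"], entry["dpt"]) in listeners:
        return "listener"  # something is there to "pick up the phone"
    return "no-listener"


def summarize(log_text, local_addrs, listeners):
    """Count log entries per (verdict, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is not None:
            verdict = triage(entry, local_addrs, listeners)
            counts[(verdict, entry["proto"], entry["dpt"])] += 1
    return counts


# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 04:37:10 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1201 DF PROTO=TCP SPT=2911 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 04:38:02 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=12.65.24.43 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7731 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 12 04:39:45 towern kernel: |iptables -- IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.17 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=310 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 12 04:40:00 towern kernel: constructed line that is not a firewall log entry
"""

# Constructed output in the layout of `netstat -tnupl`.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      301/sshd
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      412/fauxident
udp        0      0 0.0.0.0:68              0.0.0.0:*                           288/dhclient
"""

LOCAL_ADDRS = {"127.0.0.1", "12.65.24.43"}  # assumed addresses of this host

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, LOCAL_ADDRS, parse_listeners(SAMPLE_NETSTAT))
    for (verdict, proto, dpt), n in result.most_common():
        print(f"{n:3d}  {verdict:14s} {proto}/{dpt}")
```

Entries classified `listener` are the ones worth a second look: the firewall dropped the packet, but a service is bound to that port and would answer if the rule were ever loosened.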
Re: Advice needed, trying to find the vulnerable code on Debian webserver.
Incoming from Ross Tsolakidis:
>
> One of our webservers seems to get compromised on a daily basis.
> When I do a ps ax I see these processes all the time.
>
> 18687 ? S 0:00 shell
> 18701 ? Z 0:00 [sh ]
> 18704 ? T 0:00 ./3 200.177.162.185 1524

I vaguely remember that "3" in /tmp is slapper. Wipe, install, set up chkrootkit and run it often.

How does phpnuke compromise apache if apache is set up correctly?
Re: [OT] Spam fights
Incoming from no name supplied:
> First off, if you are not Richard Atterer ([EMAIL PROTECTED])
> and you are strapped for time, I'd like to warn you in advance that

Noted.

> On Jun 10, 2004, at 6:10 AM, Richard Atterer wrote:
> >On Thu, Jun 10, 2004 at 12:27:04PM +0300, Dmitry Golubev wrote:
> >>I second that. If I receive a confirmation message I never respond to
> >>it!
> >
> >If *I* receive a confirmation message, I always respond to it!
> >
> >That's because all confirmation messages I get are in response to spam
> >with
> >my address in the From field. If I confirm, the person sending me the
> >confirmation message will be delivered the spam. If more people did
> >this,
> >confirmation senders would notice that the system doesn't work.
>
> Well, you're just an asshole. It has been said that without assholes

Now, now. This list does have rules.

Anyone using a C-R system is just _asking_ for it to be abused. That's the "Challenge" in C-R. If anyone challenges me, I follow up, and they're ridiculously naive not to expect it.

I'm not Richard. I don't reply to Spam, worms, viruses, or C-R systems (except for self-initiated requests, of course). However, I can see where he's coming from. I don't fault him a bit.

> subjected to such a process. Which brings me to what really annoys
> me...
> "Out of Office" messages posted to mailing lists. Bob, if I cared that

Pot ... Kettle ... Black. You're allowed your hot buttons, but he's not?

> translation to your OO message, or, better still, stop sending it to
> the list.

Better yet, stop telling the burglars you're on vacation. Why would anyone want to do that?!?
Re: Spam fights
Incoming from Rick Moen:
> Quoting Russell Coker ([EMAIL PROTECTED]):
>
> > Some of the anti-spam people are very enthusiastic about their work. I
> > wouldn't be surprised if someone writes a bot to deal with CR systems.
>
> A bot to detect C-R queries and add them to the refused-mail ACL list
> would be most useful. ;->

A better one would be one that successfully negotiates the C-R itself. Then we can give the spammers a copy and teach the C-R nitwits a lesson.
Re: Unusual spam recently - hummm - postprocess
Incoming from Bernd Eckenfels:
> In article <[EMAIL PROTECTED]> you wrote:
> > Are you suggesting then, that we should not relay mail at all?, not even
> > to/from our customers?
>
> If you relay mail from your customers, you have to deliver them their
> bounces if they spam. If you relay to your customers you better make sure

What?!? If they spam, you cut them off, surely! And charge their credit card for cleanup costs!!
Re: Unusual spam recently - hummm - postprocess
Incoming from Michael Stone:
>
> It's not misbehaving to generate a bounce message. Glad I could clear
> that up.

s/bounce/valid bounce/

You're welcome.
Re: Unusual spam recently - hummm
Incoming from Alvin Oga:
> On Thu, 3 Jun 2004, s. keeling wrote:
>
> personal email .. you can probably reject all html emails
> and whitelist all your friends that are sending html emails ...

Assuming you can see into the future and can predict where all your future mail will be coming from. That's an impossible assumption. I get personal replies from Usenet, from debian-*, from headhunters, from friends of my friends, from people I've never heard of who landed on my homepage, ...

I'm sick of whitelisting. It doesn't work if you care about communicating with people you've never met.

Besides, the simple way to deal with html is with mutt and a .mailcap:

    text/html; /usr/bin/w3m -dump %s; copiousoutput; nametemplate=%s.html
Re: Unusual spam recently - hummm
Incoming from Phillip Hofmeister:
> On Thu, 03 Jun 2004 at 04:10:30PM -0400, s. keeling wrote:
> > > I don't use spamassassin, just bogofilter. Here is my relevant
> > > procmailrc snippet...
> >
> > Downloading it now, thanks. Hopefully this gets me back to a
> > maintainable system without all the exception handling, whitelisting,
>
> Let me warn you. Bogofilter requires training a database. You may not

Much appreciated. That prompted me to read the man page before I let it bite me. :-)

> handful of a few hundred spam messages and a few hundred ham messages to
> shoot at it right away. use cat to pipe the messages/MBOX files through
> bogofilter -n and bogofilter -s.

That would be "bogofilter -Mn < ~/Mail/spam" for mbox style, no?

> If you are interested I can try bzip2ing my wordlist.db and sending it
> to you via http. Email me off-list if you would like this. This

Again, much appreciated. I'll just start banging my head on it and see what I can come up with.
Re: Unusual spam recently - hummm
Incoming from Rick Moen:
> Quoting s. keeling ([EMAIL PROTECTED]):
>
> > Yes. The problem with Alvin's solution is it only looks at the crap
> > that spammers send. A lot of legitimate mail does all the silly
> > things that spammers do, and users do want to receive that mail.
>
> 1. Content-based filtering doesn't work very well (if that's what
> you mean, which you probably don't).

I actually meant the typical "worst practices" for which spammers are so well known. Spammers use these things to avoid detection. Average users do them without even realizing it. For instance, Alvin automatically deep-sixes html mail. Ordinary users don't even know when they're sending html mails.

> 2. Most silly things legitimate mail does can be accommodated by an
> efficient antispam regime; a few cannot. Remember the screams
> of outrage when people started being told "You shouldn't run
> open relays any more?" We're entering another round of that.

Immaterial, I know, but last time I looked Gilmore was still fighting that one. :-)

> > You and I may see no legitimate point to html mail, but ordinary users
>
> (If you think this discussion concerns HTML mail, you have badly
> misunderstood. See also point #1, supra.)

No, it was just an example since Alvin mentioned it. I don't see much point in html mail but the headhunters who send me job offers appear to like it, so I have to find a way to accept it in an inoffensive (to me) manner.

> > For a big organization with thousands of users, what's Spam is not
> > really all that easy to quantify.
>
> And another fine, ruddy herring! Delicious, thanks.

Uhh, what? My original starting point in all this was to find out if Alvin's suggestions had merit. Following on that, what would it take to implement them? My favourite admin is loath to do _anything_ that could cause his users to complain of lost mail. How he cuts out the %60-%80 of crap without causing a riot is all I wanted to know.

BTW, regarding "2." above. Remember the days when there was such reticence on the part of Sendmail's maintainers to actually change Sendmail to comply with RFCs? It was pretty well a given then that doing so would turn half the planet dark overnight because so many admins were still running Sendmail versions that had been obsoleted years before.

Ah, those were the days. :-P
Re: Unusual spam recently - hummm
Incoming from Rick Moen:
> Quoting s. keeling ([EMAIL PROTECTED]):
>
> > However, I _would_ like to STOP it from being delivered at all, as
> [snip]
> > What's it going to cost my ISP to implement this? Is it feasible for
> > an ISP to implement this?
>
> Is it feasible for them _not_ to? ;->

Yes. The problem with Alvin's solution is it only looks at the crap that spammers send. A lot of legitimate mail does all the silly things that spammers do, and users do want to receive that mail. Add to that all the broken-ness of many mail systems and you're left with little to count on.

You and I may see no legitimate point to html mail, but ordinary users do. I ordinarily couldn't care less about html mail, but if it contains a job offer you bet I want to see it. The same is true for undisclosed-recipients: and "From "'s that don't match mailhosts.

For a big organization with thousands of users, what's Spam is not really all that easy to quantify.
Re: Unusual spam recently - hummm
Incoming from Phillip Hofmeister:
> On Thu, 03 Jun 2004 at 01:32:55PM -0400, s. keeling wrote:
> > Assuming my incoming mail is POPped off my ISP's mailhost and my
> > outgoing mail goes to my ISP's mailhost, how do I implement this?
> >
> > If I can't, what does my ISP have to do to implement this?
>
> User-Agent: Mutt/1.3.28i
>
> You use Mutt, a wonderful MUA if I must say so myself...

I agree. Its only failing that I can see is it encourages insufferable smugness on the part of its users ("Nyaa, nyaa. My mailer is smarter, more conformant, faster, more configurable, and better documented and supported than your mailer! Nyaa, nyaa! Pthbthbthbthb!" :-)

> I don't know how you currently handle your email. Whether you use IMAP

My ISP has SA installed and running globally. I have a procmail recipe in my shell account on the ISP pluck out the crap and segregate it in a spamfile on my ISP. I can view it with webmail and blow it all away without DLing it.

I have procmail here on my own machine splitting mail into folders locally and some more spam matching recipes to handle whatever manages to make it past SA.

It has been slowly building up to the point that this system is verging on the unmanageable. So much crap (unsubscribes, viruses, worms, ...) is coming in from mailing lists, I now have two passes filtering out crap, before and after mailing list processing. Add to that false positives, whitelisting known senders, ... and it's becoming annoying. Most people would be very happy with the result but I've come to the conclusion it's no longer good enough for me. So, time for a re-org.

> I don't use spamassassin, just bogofilter. Here is my relevant
> procmailrc snippet...

Downloading it now, thanks. Hopefully this gets me back to a maintainable system without all the exception handling, whitelisting, false positives & etc.
Re: Unusual spam recently - hummm
Incoming from Phillip Hofmeister:
> On Thu, 03 Jun 2004 at 12:57:46PM -0400, Alvin Oga wrote:
> > - email from [EMAIL PROTECTED] should be bounced since
> > its not coming from bresnan.net
>
> This is a bad suggestion. My ISP requires us (by blocking port 25
> outbound) to use their SMTP server. Therefore I cannot connect to the

Considering 60% - 80% of the traffic these days is crap, this is beginning to look like a fairly reasonable restriction. If you can figure out how to have SMTP negotiate that your ISP legitimately handles mail for your domain, that's the only way around it I can see.

There are a lot of spam friendlies out there for whom no amount of reporting spam will have any effect on their actions. Refusing forgeries is the only solution for those.
Re: Unusual spam recently - hummm
Incoming from Alvin Oga:
>
> On Thu, 3 Jun 2004, s. keeling wrote:
>
> > > why is your spam filter allowing 3 basic "spam signs" thru ??
> > > - email to "undisclosed-recipients" should be bounced
> > >
> > > - email from non-existent hosts should be bounced
> > > host-69-145-228-124.client.bresnan.net
> > >
> > > - email from [EMAIL PROTECTED] should be bounced since
> > > its not coming from bresnan.net
> >
> > If I can't, what does my ISP have to do to implement this?
>
> ISP will probably NOT provide spam filtering, because of legal issues

My ISP does provide spam filtering; spamassassin marks crap on the mailhost and procmail moves it to my spamfile. I can review it there via webmail and blow it away without downloading it.

However, I _would_ like to STOP it from being delivered at all, as defined by simple rules like those above. As far as I can tell, this must be done in the SMTP negotiation phase.

What's it going to cost my ISP to implement this? Is it feasible for an ISP to implement this?
Re: Unusual spam recently - hummm
Incoming from Alvin Oga:
>
> On Thu, 3 Jun 2004, David Stanaway wrote:
>
> > X-Original-To: [EMAIL PROTECTED]
> > Delivered-To: [EMAIL PROTECTED]
> > Received: from host-69-145-228-124.client.bresnan.net (unknown
> > [69.145.228.124]) by david.dialmex.net (Postfix) with SMTP id
> > CF733146132E
> > for <[EMAIL PROTECTED]>; Thu, 3 Jun 2004 09:31:35 -0500 (CDT)
> > X-Message-Info: 8+ggs369/bIdvoHulUPnaKEY41Q[1
> > Message-Id: <[EMAIL PROTECTED]>
> > Date: Thu, 3 Jun 2004 09:31:35 -0500 (CDT)
> > From: [EMAIL PROTECTED]
> > To: undisclosed-recipients:;
>
> why is your spam filter allowing 3 basic "spam signs" thru ??
> - email to "undisclosed-recipients" should be bounced
>
> - email from non-existent hosts should be bounced
> host-69-145-228-124.client.bresnan.net
>
> - email from [EMAIL PROTECTED] should be bounced since
> its not coming from bresnan.net

Assuming my incoming mail is POPped off my ISP's mailhost and my outgoing mail goes to my ISP's mailhost, how do I implement this?

If I can't, what does my ISP have to do to implement this?

Is it feasible for busy sites to implement this or is this going to cost them too much, in comparison to simply accepting it and dropping it? In other words, what's my ISP's busy admin likely to say when I suggest this?

That's at least one good reason why this crap gets through. I'd love to implement this, or have my ISP implement this, but I doubt it's going to happen soon.
Re: Unusual spam recently - hummm
Incoming from Phillip Hofmeister:
> On Thu, 03 Jun 2004 at 12:57:46PM -0400, Alvin Oga wrote:
> > - email from [EMAIL PROTECTED] should be bounced since
> >   it's not coming from bresnan.net
>
> This is a bad suggestion. My ISP requires us (by blocking port 25
> outbound) to use their SMTP server. Therefore I cannot connect to the

Considering 60% - 80% of the traffic these days is crap, this is beginning to look like a fairly reasonable restriction. If you can figure out how to have SMTP negotiate that your ISP legitimately handles mail for your domain, that's the only way around it I can see.

There are a lot of spam friendlies out there for whom no amount of reporting spam will have any effect on their actions. Refusing forgeries is the only solution for those.

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
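The three rejection rules argued over in this thread, and the smarthost objection to the third, as an added example (not code from any poster): a policy function that reports which rule a session trips and at which SMTP stage it could be refused. The DNS tables, the `example.*` addresses and the `authorised` relay table are constructed assumptions so that it runs offline; only the bresnan.net hostname, its IP and the `To:` value come from the quoted headers.

```python
import re
from dataclasses import dataclass

# Constructed DNS tables so the example runs offline. The quoted Received:
# header shows "unknown" for 69.145.228.124, i.e. the client name did not
# verify, so that address has no entry here.
A_RECORDS = {"smtp.isp.example": {"192.0.2.25"}}
PTR_RECORDS = {"192.0.2.25": "smtp.isp.example"}


@dataclass
class Session:
    client_ip: str   # address of the connecting host
    helo: str        # name the client announced
    mail_from: str   # envelope sender
    to_header: str   # To: header, visible only once DATA has been sent


def verified_name(ip):
    """Forward-confirmed reverse DNS: PTR(ip) must map back to ip."""
    name = PTR_RECORDS.get(ip)
    return name if name and ip in A_RECORDS.get(name, set()) else None


def base_domain(host):
    """Last two labels; a real filter would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def evaluate(s, authorised=None):
    """Return [(smtp_stage, reason)] for every rule the session trips.

    authorised maps a sender domain to relay hosts allowed to send for it
    (hypothetical table; publishing such a list in DNS is what SPF does).
    """
    hits = []
    name = verified_name(s.client_ip)

    # Rule 2: "email from non-existent hosts". Checkable at HELO.
    if name is None:
        hits.append(("HELO", "client name does not verify in DNS"))

    # Rule 3: sender domain differs from the domain of the sending host.
    # Checkable at MAIL FROM, before any message data is transferred.
    sender_domain = s.mail_from.rsplit("@", 1)[-1].lower()
    client = name or s.helo
    allowed = (authorised or {}).get(sender_domain, set())
    relay_ok = name is not None and name in allowed
    if base_domain(client) != base_domain(sender_domain) and not relay_ok:
        hits.append(("MAIL FROM", f"{sender_domain} mail offered by {client}"))

    # Rule 1: To: undisclosed-recipients. This is a header, so the earliest
    # point to refuse is the reply to end-of-DATA, after the body arrived.
    if re.match(r"\s*undisclosed-recipients\s*:\s*;", s.to_header, re.I):
        hits.append(("DATA", "To: undisclosed-recipients"))
    return hits


# The session from the quoted headers (sender address is a placeholder,
# the original is redacted) and a constructed customer relaying through
# the ISP smarthost with their own domain.
SPAM = Session("69.145.228.124", "host-69-145-228-124.client.bresnan.net",
               "sender@example.net", "undisclosed-recipients:;")
RELAYED = Session("192.0.2.25", "smtp.isp.example",
                  "alice@example.org", "bob@example.com")

if __name__ == "__main__":
    print("spam           :", evaluate(SPAM))
    print("relayed        :", evaluate(RELAYED))
    print("relayed + list :",
          evaluate(RELAYED, {"example.org": {"smtp.isp.example"}}))
```

Without the relay table, rule 3 refuses the smarthost customer exactly as the objection predicts; with it, the same session passes while the forged one is still refused.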
Re: passwords changed?
Incoming from [EMAIL PROTECTED]:
> If it was rooted, I need to get some source code off it. Can I just stick the hard drive in another system, so I can get that source off of it, and diff it to my backups?

Probably simpler to just boot from a CD and mount the filesystem you need to get stuff off of.

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: ps warning message
Incoming from Costas Magkos:
> On 30/03/04 18:50, s. keeling wrote:
> >
> >I doubt debian-security is the right place for this.
>
> I've tried debian-sparc before posting here, but got no reply. Sorry for
> the inconvenience.

:-) No problem. debian-user would have been appropriate I think. You'd have got better coverage too.

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: ps warning message
Incoming from Costas Magkos:
> I am running woody on a SPARCstation 10 with kernel from testing:
>
> # uname -a
> Linux foo 2.4.24-sparc32 #1 Fri Jan 30 16:04:55 EST 2004 sparc unknown
>
> When I run ps I get the following two lines before the actual output.
>
> # ps ax
> {iommu_get_scsi_sgl_pflush} {___f_mmu_get_scsi_sgl}
> Warning: /boot/System.map-2.4.24-sparc32 does not match kernel data.
>
> Does anyone know how severe is this warning? How can I eliminate it?

I used to see something like that back in the 2.0 kernels. It was a harmless bug then. I imagine recompiling your kernel, or installing a binary kernel package, would squash it.

I doubt debian-security is the right place for this. And, btw, do you know about lists.debian.org, where you can search the mailing list archives?

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: Getting spam though again :-(
Incoming from Brett Furlong:
> Soz, to pester.
> Got spam though debian security list again...
>
> Was from "Jalousies M. Pseudonyms" <[EMAIL PROTECTED]>
>
> Not winging @ Deb Mail Crew, You guys rock.
> But yeh, is there a way, we can have a human filter all the eMails before they
> are allowed to be sent to all of us?

A volunteer! How nice! :-) Thank you very much!

Not that they bother me any. I run Debian! My ISP runs Spamassassin. I use Procmail. I report spammers (to Spamcop) and kill their accounts. SA catches a hundred a day - they're deleted on my ISP's mailserver. I get like one or two a day that make it through to my machine. [In mutt,] -b, sc, and Boom, they're off to Spamcop.

Spam is only a problem if you're using crappy software, and anything related to Debian ain't crappy. Keep it up Debian _volunteer_ mail crew! No need to change a thing from my perspective. =[8]-)

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: Updating Kernel Using make-kpkg - Not Intuitive ?
Incoming from Nick Boyce:
> Otherwise, I suggest you move /lib/modules/2.4.18 out of the way,
> perhaps to /lib/modules/2.4.18.old or something, and then try
> re-installing this image.
> [snip]
> What on earth is this trying to say to me ?

"Hi. This is the kernel install helper thingy. As I've detected that you did NOT move your old kernel modules to somewhere safe before trying to install new ones (as anyone familiar with kernel installs would have done), I'm bound to offer you the chance to save your butt and do it now. 'Kay? Otherwise, I'm about to clobber something potentially important."

It's merely being conservative. It wants you to have some sort of backout path in case anything goes wrong. Having your old kernel and all its modules in a safe place offers you that backout path.

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: libxml, libxml2; Debian Security Advisory DSA 455-1
Incoming from Martin Schulze:
> s. keeling wrote:
> > Incoming from Martin Schulze:
> > > Debian Security Advisory DSA 455-1 [EMAIL PROTECTED]
> > >
> > > Package: libxml, libxml2
> > >
> > > libxml2 is a library for manipulating XML files.
> > > [snip]
> > > For the stable distribution (woody) this problem has been fixed in
> > > version 1.8.17-2woody1 of libxml and version 2.4.19-4woody1 of libxml2.
> > .
> >
> > (0) root /root_ apt-get install libxml libxml2
> > Reading Package Lists... Done
> > Building Dependency Tree... Done
> > E: Couldn't find package libxml
> > (100) root /root_ dpkg -l | grep libxml
> > [snip]
> > ii  libxml1  1.8.17-2       GNOME XML library
> > ii  libxml2  2.5.7-1woody1  GNOME XML library
> >
> > So, is that "libxml" above a typo? Should I instead have done
> > "apt-get install libxml1 libxml2"? Suggestions? I'm using:
> >
> > deb ftp://ftp.rfc822.org/debian-security/ stable/updates main contrib non-free
>
> Please see the output of apt-cache show {libxml,libxml1,libxml2}.

That says libxml doesn't exist (W: Unable to locate package libxml), so am I to take that as a hint that I only need update libxml2, since the advisory doesn't mention "libxml1"?

[Sorry for the mis-post to debian-security-private. Think, then post.]

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: setting up iptables
Incoming from Klaus Maxam:
> From: s. keeling / Thu, 4 Mar 2004 09:56:01 -0700
> > Incoming from Costas Magkos:
> > >
> > > Can someone give me some best-practices for setting up iptables on a
> >
> > Good question. I'm using ppp and I have a script in /etc/ppp/ip-up.d
> > that should be run by /etc/ppp/ip-up:
> >
> > # This script is run by the pppd after the link is established.
> > # It uses run-parts to run scripts in /etc/ppp/ip-up.d, so to add
> >
> > I've yet to see ip-up execute it. I haven't yet figured out why. The
>
> You've read the manpage?

Sigh. No. I didn't realize there was one.

> directory directory. Filenames should consist entirely of upper
> and lower case letters, digits, underscores, and hyphens. Sub

That could be the problem, thanks.

    mv blah.sh blah

Much appreciated.

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
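Why `blah.sh` never ran, as an added example (not from the thread): a check that applies the filename rule quoted from the manpage to a hooks directory and lists what run-parts would silently skip, which matters when the skipped hook is the one that loads the firewall rules. The directory contents are constructed, and the executable-bit and regular-file checks are assumptions added here on top of the quoted naming rule.

```python
import os
import re
import stat
import tempfile

# The rule quoted above: names made up entirely of upper and lower case
# letters, digits, underscores and hyphens. A dot (blah.sh) breaks it.
NAME_RULE = re.compile(r"[A-Za-z0-9_-]+")


def skipped_by_run_parts(directory):
    """Return {entry: reason} for everything that would not be executed."""
    skipped = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        mode = os.stat(path).st_mode
        if not NAME_RULE.fullmatch(entry):
            bad = sorted(set(re.findall(r"[^A-Za-z0-9_-]", entry)))
            skipped[entry] = "name has characters outside A-Za-z0-9_-: " + " ".join(bad)
        elif not stat.S_ISREG(mode):
            # Assumption: subdirectories are ignored, not descended into.
            skipped[entry] = "not a regular file"
        elif not mode & 0o111:
            # Assumption: only files with an execute bit are run.
            skipped[entry] = "not executable"
    return skipped


def demo():
    """Build a constructed ip-up.d look-alike and report what is skipped."""
    hooks = [
        ("blah.sh", 0o755),            # the script from the thread
        ("blah", 0o755),               # after "mv blah.sh blah"
        ("00-firewall_v2", 0o755),     # digits, hyphen, underscore: fine
        ("firewall.dpkg-old", 0o755),  # package leftover, dotted
        ("mailq", 0o644),              # valid name, no execute bit
    ]
    with tempfile.TemporaryDirectory() as d:
        for name, mode in hooks:
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        os.mkdir(os.path.join(d, "disabled"))
        return skipped_by_run_parts(d)


if __name__ == "__main__":
    for entry, reason in demo().items():
        print(f"{entry:20} {reason}")
```

Pointing `skipped_by_run_parts` at a real hooks directory gives the same report without changing anything on disk.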
Re: setting up iptables
Incoming from Costas Magkos:
> Can someone give me some best-practices for setting up iptables on a
> Debian system? I'm looking for things like where should the rules be
> placed, what startup script to use [1], good configuration tools [2] and

Good question. I'm using ppp and I have a script in /etc/ppp/ip-up.d that should be run by /etc/ppp/ip-up:

    # This script is run by the pppd after the link is established.
    # It uses run-parts to run scripts in /etc/ppp/ip-up.d, so to add routes,
    # set IP address, run the mailq etc. you should create script(s) there.

I've yet to see ip-up execute it. I haven't yet figured out why. The script runs fine at the command line.

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: output of last
Incoming from Jan Lühr:
> Greetings,
>
> I discovered some strange output of the last command on our Woody
> Terminalserver (for X11). I have already posted it on debian-user-german, but
> I didn't get any answer. (I hope you don't mind, if I post it for the english
> speaking majority)
> Although I hope it is not security related, I think, it may have a security
> related aspect, which I cannot ignore.
>
> At first I ran an ordinary chkrootkit scan (like I do it every one or two
> weeks).

Two weeks? I run it every night.

> This time, it discovered:
>
> Checking `wted'... 24 deletion(s) between Thu Jan 1 01:00:00 1970 and Sun Apr
> 7 02:03:36 1974

Have you checked the chkrootkit archives for anything like this?

> 17 deletion(s) between Sun Jan 25 08:20:56 2004 and Sun Apr 7 02:03:36 1974

Whaat?!? Between 2004 and 1974?!?

> So I renamed all related files in order to start with a non-corrupt database.
> But what could have caused this corruption? The machine itself is quite
> stable

Sunspots? Disk errors? Resource exhaustion? Unless you can definitively nail it down, I wouldn't start worrying until it happens again.

> But because of being a valuable information on intruders, intruders or illegal
> root'ers might have compromised it.
>
> What's your opinion?

Can you send logging to another (perhaps dedicated) machine?

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: DSA 438 - bad server time, bad kernel version or information delayed?
Incoming from Matt Zimmerman:
> On Thu, Feb 19, 2004 at 09:12:42PM -0700, s. keeling wrote:
>
> > Incoming from Matt Zimmerman:
> > > On Thu, Feb 19, 2004 at 02:24:42PM +0100, Florian Weimer wrote:
> > >
> > > > You don't. Tough luck, of course, but that's the price for running
> > > > affordable, off-the-shelf software (free or proprietary).
> > >
> > > You seem to imply that one is better off with a proprietary software
> > > vendor.
> >
> > I think you mis-read him Matt. Note the "free or proprietary."
> >
> > He's saying you can go with commercial software, and fixes may take
> > months. Or go with Open Source, and fixes may take (eg.) weeks. In
> > either case, you will have to wait.
>
> Note the "affordable, off-the-shelf". The implication being that if you pay
> more to a proprietary software vendor (and they typically are more
> expensive), then you'll be better off security-wise.

Well, I've bought "affordable, off-the-shelf" software; my first Debian install arrived on CDs from InfoMagic (whatever happened to them?). I'm pretty sure I paid more in shipping than I paid for the disks but it was well worth it to me. This go 'round, Libranet got my money. Still well worth it.

I'm still here. :-)

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: DSA 438 - bad server time, bad kernel version or information delayed?
Incoming from Matt Zimmerman:
> On Thu, Feb 19, 2004 at 02:24:42PM +0100, Florian Weimer wrote:
>
> > You don't. Tough luck, of course, but that's the price for running
> > affordable, off-the-shelf software (free or proprietary).
>
> You seem to imply that one is better off with a proprietary software vendor.

I think you mis-read him Matt. Note the "free or proprietary."

He's saying you can go with commercial software, and fixes may take months. Or go with Open Source, and fixes may take (eg.) weeks. In either case, you will have to wait.

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: Help! File permissions keep changing...
Incoming from John Hardcastle:
> So the default file permissions don't do what you want.
> $ umask
> Read the manual page for the umask command,
> $ man umask
> As root, change the umask in /etc/profile to reflect the permissions you
> want.
> # vi /etc/profile
> Then have all users logout and login again. Their $HOME/.bashrc will
> read /etc/profile and their umask will reflect your changes.

... Except where their own $HOME/.bashrc changes umask, in which case you'll be left to track those down. However, they should stand out like a sore thumb now.

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
W32/Mydoom@MM (was: Re: )
Incoming from Eduardo Almeida:
> I don't know if all of you already heard about this. This message is a
> virus as you can see below.

Pardon me if this seems a bit thick headed, but why should I care? The Windows world is always being attacked by crap like this. Why is this news?

I don't use Windows. Since you're using Evolution, I assume you aren't either. So what's the big deal?

Of course if you're using Debian as a mailserver for an internal Windows network, this may affect you, but what's it got to do with Debian?

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: LKM
Incoming from Matthijs:
> On Mon, 2004-01-26 at 11:40, Thiago Ribeiro wrote:
> >
> > When I run tiger, I got a follow error:
> >
> > NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit installation
> > NEW: Warning: Possible LKM Trojan installed
> >
> > But I already list my process and did find nothing...
>
> You know what a LKM is ?
>
> It's a Loadable Kernel Module and it can hide himself and processes and
> files...
>
> So please check your computer

And check the chkrootkit-users mailing list archives:

http://marc.theaimsgroup.com/?l=chkrootkit-users

That's a _much_ better place to ask about chkrootkit than is debian-*, both for you and for debian-*.

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: Mail processing tool
Incoming from Jonas J Linde:
> And [EMAIL PROTECTED] spoke unto the world. And said:
> > I need a tool that does the following work:
> > checks for new mail in a mailbox via pop3;

So, IMAP is the wrong answer.

> > verify the digital signature and decrypts the mail;

GnuPG

> > parse the body;

procmail/grep/sed/perl/bash/python/...

> > executes 1 or more action (completely customizable);

procmail

> > delete (archives) the mail;

fetchmail

> This sounds like an ideal job for the combination of the rather
> appropriately named tools fetchmail and procmail, which - to no big
> surprise - are suitable to fetch and process mail.

Agreed. Add on gnupg for signature verification and decryption (perhaps callable by procmail).

I'm not surprised there isn't one monolithic tool to do what you ask; you're asking a lot. Chaining one existing specific tool after another to build up your overall system is the way to go.

-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling
Re: [SECURITY] [DSA 411-1] New mpg321 packages fix ... - PGP key? [solved]
Incoming from ZsoL:
> Hash: SHA1
>
> On Tuesday 06 January 2004 06.37, s. keeling wrote:
> > Incoming from Matt Zimmerman:
> > > Debian Security Advisory DSA 411-1
> > > [EMAIL PROTECTED] http://www.debian.org/security/
> > > Matt Zimmerman January 5th, 2004
> > > http://www.debian.org/security/faq
> > >
> > > Package: mpg321
> >
> > Were any of you able to verify the PGP signatures on the latest
> > debian-security-announce messages? I can't:
> >
> > [-- PGP output follows (current time: Mon 05 Jan 2004 10:30:43 PM MST)
> > 43E25D1E gpg: Can't check signature: public key not found
> > [-- End of PGP output --]
> >
> maybe you have to import [EMAIL PROTECTED]'s public key.

I've tried. GPA import key fails quietly. So I used w3m to go to the URL he supplied:

    (2) keeling /home/keeling/dox_ gpg --verify matt_zimmerman.txt
    gpg: verify signatures failed: unexpected data
    (2) keeling /home/keeling/dox_ gpg --verify < matt_zimmerman.txt
    gpg: verify signatures failed: unexpected data

So, I tried wget:

    (0) keeling /home/keeling/dox_ gpg --verify lookup\?op\=get\&search\=0x440202C3137B1CB4
    gpg: verify signatures failed: unexpected data
    (2) keeling /home/keeling/dox_ gpg --verify < lookup\?op\=get\&search\=0x440202C3137B1CB4
    gpg: verify signatures failed: unexpected data

So, I "C"opied the mail to a file, then:

    (0) keeling /home/keeling/dox_ gpg --verify-files matt_zimmerman.msg
    gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID 43E25D1E
    gpg: Can't check signature: public key not found

Then I tried --import:

    (2) keeling /home/keeling/dox_ gpg --import matt_zimmerman.msg
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0

Ah! Finally:

    (2) keeling /home/keeling/dox_ gpg --recv-keys 43E25D1E
    gpg: key 43E25D1E: removed multiple subkey binding
    gpg: key 43E25D1E: public key "Matt Zimmerman <[EMAIL PROTECTED]>" imported
    gpg: Total number processed: 1
    gpg: imported: 1

Now why was that so difficult?!? Every other time just reading mail from someone grabs their key from the keyserver and checks the signature.

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
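An added example, not part of the original thread: a shell helper that separates "public key not found" from a bad signature by reading gpg's machine-readable `--status-fd` lines, the gate a procmail-driven pipeline like the one suggested in the mail-processing thread would also need before acting on a message. The function names, the policy of rejecting expired or revoked keys, and the sample status lines (constructed, with placeholder key IDs) are assumptions.

```shell
#!/bin/sh
# Classify one signature check from the "[GNUPG:]" status lines emitted by
#   gpg --batch --status-fd 1 --verify FILE
# Prints exactly one of: good | bad | nokey:<keyid> | unsigned
classify_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        # Assumed policy: expired or revoked signing keys are rejected too.
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1; keyid = $3 }
        $2 == "VALIDSIG"  { valid = 1 }
        END {
            if (bad)        print "bad"
            else if (nokey) print "nokey:" keyid
            else if (valid) print "good"
            else            print "unsigned"
        }'
}

# Verify FILE without fetching anything automatically. Exit codes:
# 0 = good signature, 2 = key missing, 1 = anything else.
check_message() {
    verdict=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | classify_status)
    case $verdict in
        good)    return 0 ;;
        nokey:*) # A key ID alone does not authenticate a key: compare the
                 # full fingerprint with a trusted source after fetching.
                 echo "missing key ${verdict#nokey:}: fetch it, then check its fingerprint" >&2
                 return 2 ;;
        *)       return 1 ;;
    esac
}

# Constructed status output (placeholder key IDs, not taken from the thread).
SAMPLE_NOKEY='[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 01 1073357495 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
SAMPLE_GOOD='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2004-01-06 1073357495'
SAMPLE_BAD='[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>'
```

Run `check_message saved-advisory.msg` on a message saved to a file; exit code 2 corresponds to the "public key not found" case shown in the thread.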
Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?
Incoming from Matt Zimmerman:
> Debian Security Advisory DSA 411-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Matt Zimmerman
> January 5th, 2004 http://www.debian.org/security/faq
>
> Package: mpg321
> Vulnerability : format string
> Problem-Type : remote
> Debian-specific: no
> CVE Ids: CAN-2003-0969

Were any of you able to verify the PGP signatures on the latest debian-security-announce messages? I can't:

    [-- PGP output follows (current time: Mon 05 Jan 2004 10:30:43 PM MST) --]
    gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID 43E25D1E
    gpg: Can't check signature: public key not found
    [-- End of PGP output --]

I'm using mutt, and ESC-P usually works checking traditional PGP signatures, but not with these three (bind, libnids, mpg321).

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
Re: [SECURITY] [DSA 407-1] New ethereal packages fix several vulnerabilities
Incoming from Martin Schulze:
>
> - --
> Debian Security Advisory DSA 407-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Martin Schulze
> January 5th, 2004 http://www.debian.org/security/faq
> - --
>
> Package: ethereal

This showed up this morning with a couple of others (lftp, screen), so I did apt-get update ; apt-get upgrade. That picked up the others but not ethereal. Why is that?

I had ethereal installed, though I've never used it. It was easily sorted out with apt-get install ethereal; I just wonder why it didn't come along with the other two updates.

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
Re: suspicious files in /tmp
Incoming from Rick Moen:
> Quoting Marcel Weber ([EMAIL PROTECTED]):
>
> > But what made me shudder was this: In the /tmp folder I found these files:
> >
> > drwx-- 2 root root 48 Aug 10 19:36 Ib2KZi
> > drwx-- 2 root root 88 Jan 3 06:12 MF2oMw
> > drwx-- 2 root root 48 Aug 11 16:32 S0oNze
> >
> > Is this a left over from an attempt to hack my system?
>
> Highly unlikely. Attackers know that /tmp isn't an out-of-the-way
> place. Admins and other users look there all the time. Intruders tend
> to hide things away in places like boring-sounding subdirectories of /dev .
>
> > How can I check what happened and if the attacker succeeded?
>
> Read the advisories from your well-tuned IDS. ;->
> http://linuxgazette.net/issue98/moen.html

Install chkrootkit (www.chkrootkit.org) and run it regularly (from cron). It's very easy to use, and chkrootkit-users is a very low volume, high S/N ratio list.

BTW:

    (0) keeling /home/keeling/dox_ all `which netstat` `which env`
    -rwxr-xr-x1 root root86892 Nov 23 2001 /bin/netstat*
    -rwxr-xr-x1 root root10332 Jul 26 2001 /usr/bin/env*

1 Mb is *way* out of line!

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling