Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sunday 08 June 2008 14:04:14 Jim Popovitch wrote:
> On Sun, Jun 8, 2008 at 7:02 AM, Nico Golde <[EMAIL PROTECTED]> wrote:
> > Yep this is lighttpd and it's mod_status.
>
> OK (if true), I still question the need for posing as IIS, and
> therefore I question the mirror operator's
> intent/reasons/capabilities/interests/ as well as security
> capabilities. Are they playing around by posing as IIS? Is it meant
> to deflect interest in a Linux box being on their network? What is
> the reason behind masquerading as something they aren't?
>
> If they want to do this, fine. But should they continue to be in
> rotation for ftp.us.debian.org?

You've never studied system security methods and tactics very much, have you? :-)

> The reason is this: *if* they are using "security by obscurity", then
> that raises the bigger question of their security knowledge and
> capabilities. That would be enough for me to remove them from
> distributing software to others from my domain (ftp.us.debian.org).

And some would question yours :-)

JW

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sun, 08 Jun 2008, Jim Popovitch wrote:
> I would think that neither of those cases immediately passes muster
> with concerned security minded folks. And, just because you are OK
> with it, it doesn't mean I have to be. ;-)

Clearly the people in charge are. Can we move on to relevant stuff now?

--
weasel
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sun, Jun 8, 2008 at 7:00 PM, Jacob Appelbaum <[EMAIL PROTECTED]> wrote:
> Your thoughts on this subject are really fascinating. Because while I
> agree that the idea of "security by obscurity" as the only line of
> defense is flawed, you're making assumptions and value judgments that
> seem beyond your abilities. I question your security knowledge and
> capabilities.

Yeah, yeah. Whatever dude.

> [snip, snip]
> Have you found some actual security issue with the mirror? Are the
> packages tampered with? Are the signatures invalid?

No, I haven't found an actual security issue with the mirror. And I
don't believe in waiting for someone to raise a security issue to
determine the actual security of a system. Surely you would agree that
there are acceptable minimums.

I do think that it would be prudent for the Debian Security and Mirror
teams to know the specifics about their mirror ops. And I say that as a
former v.d.o mirror op, where my experience revealed little concern over
mirror operators.

The mirror in this instance seems to fall into one of two cases:

1) Security by Obscurity plus possible unknown foo.
2) Bored opers having fun.

I would think that neither of those cases immediately passes muster
with concerned security minded folks. And, just because you are OK
with it, it doesn't mean I have to be. ;-)

-Jim P.
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
2008/6/9 Anderson Kaiser <[EMAIL PROTECTED]>:
[...]
> [EMAIL PROTECTED]:~# ping ike.egr.msu.edu
> PING ike.egr.msu.edu (35.9.37.225) 56(84) bytes of data.
> 64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=1 ttl=39 time=315 ms
> 64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=2 ttl=39 time=289 ms
> 64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=3 ttl=39 time=317 ms
> 64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=4 ttl=39 time=326 ms
> 64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=5 ttl=39 time=308 ms
> 64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=7 ttl=39 time=272 ms

Also, it would be difficult and rather pointless or insecure (cygwin? ;/ )
to run rsync on a windows machine:

[EMAIL PROTECTED]:/home/servers# telnet 35.9.37.225 873
Trying 35.9.37.225...
Connected to 35.9.37.225.
Escape character is '^]'.
@RSYNCD: 30.0

regards
--
Wojciech Ziniewicz
Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;flex;unzip;head;tail;
mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eject;umount;makeclean;
zip;split;done;exit:xargs!!;)}
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
2008/6/8 Joey Hess <[EMAIL PROTECTED]>:
> Jim Popovitch wrote:
> > Here's my issue, please correct me if I am wrong. .debs and sigs both
> > exist on the same server. If the Windows box/network is compromised,
> > then the sigs and debs can be modified and who would know?
>
> The security provided by a gpg signature is the difficulty in forging
> the signature, not the server that serves it.
>
> http://wiki.debian.org/SecureApt
>
> --
> see shy jo

Well, the TTL from this server is equal to 64, the default TTL of Debian.
See my tests from Brazil:

I use:
# tracert ike.egr.msu.edu
It returns 25 hops.

The TTL returns 39.
39 + 25 = 64 TTL

[EMAIL PROTECTED]:~# ping ike.egr.msu.edu
PING ike.egr.msu.edu (35.9.37.225) 56(84) bytes of data.
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=1 ttl=39 time=315 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=2 ttl=39 time=289 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=3 ttl=39 time=317 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=4 ttl=39 time=326 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=5 ttl=39 time=308 ms
64 bytes from ike.egr.msu.edu (35.9.37.225): icmp_seq=7 ttl=39 time=272 ms

--
Anderson Kaiser
[EMAIL PROTECTED]
Linux User #: 426240
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
Jim Popovitch wrote:
> Here's my issue, please correct me if I am wrong. .debs and sigs both
> exist on the same server. If the Windows box/network is compromised,
> then the sigs and debs can be modified and who would know?

The security provided by a gpg signature is the difficulty in forging
the signature, not the server that serves it.

http://wiki.debian.org/SecureApt

--
see shy jo
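The point Joey makes rests on the hash chain beneath the signed Release file that the SecureApt page describes: Release lists the SHA256 of every Packages index, and each Packages stanza lists the SHA256 and size of its .deb, so a mirror cannot swap a package without breaking a link in that chain. The following is an added example (not code from the thread or from apt) that walks that chain over constructed sample data; it assumes the gpgv check of the Release signature against the archive keyring has already passed, and the 3ddesktop path is the one seen on the mirror in this thread.

```python
"""Hash chain apt follows below a verified Release file: Release -> Packages -> .deb.
Added example, not from the thread; the sample archive below is constructed so the
code runs offline.  The Release signature check (gpgv with the archive keyring) is
assumed to have succeeded before verify_chain() is called."""
import hashlib


def parse_release_sha256(release_text):
    """Map each indexed path to (sha256 hex, size) from the 'SHA256:' section."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"   # a new top-level field starts
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Map each Filename to (SHA256, Size) from a Packages index (one stanza per package)."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result


def blob_matches(data, expected):
    """Both the size and the SHA256 must agree, as apt requires."""
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def verify_chain(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """Walk Release -> Packages -> .deb; a mismatch at any link rejects the package."""
    indexed = parse_release_sha256(release_text)
    if index_path not in indexed or not blob_matches(packages_bytes, indexed[index_path]):
        return False
    listed = parse_packages(packages_bytes.decode())
    return deb_path in listed and blob_matches(deb_bytes, listed[deb_path])


# --- constructed sample archive (not real Debian data) ---
DEB_PATH = "pool/main/3/3ddesktop/3ddesktop_0.2.8-1_alpha.deb"   # path seen on the mirror
DEB_BYTES = b"constructed stand-in for the .deb contents\n"
PACKAGES_BYTES = (
    "Package: 3ddesktop\nVersion: 0.2.8-1\nArchitecture: alpha\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
).encode()
INDEX_PATH = "main/binary-alpha/Packages"
RELEASE_TEXT = (
    "Suite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)

if __name__ == "__main__":
    print(verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES))
    print(verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES + b"x"))
```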
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
Jim Popovitch wrote:
> On Sun, Jun 8, 2008 at 5:30 PM, Simon Valiquette <[EMAIL PROTECTED]> wrote:
>> Jim Popovitch once wrote:
>>> If they want to do this, fine. But should they continue to be in
>>> rotation for ftp.us.debian.org?
>> Personally, I would have chosen to impersonate another web server than
>> IIS, but except for that I see no problem with what they have done.
>>
>> I don't see why you want them to be removed from ftp.us.debian.org,
>> except that you don't like to see them lying about the server application
>> and version they use, which is something done by a lot of people on
>> production systems that directly face the Internet.
>
> The reason is this: *if* they are using "security by obscurity", then
> that raises the bigger question of their security knowledge and
> capabilities. That would be enough for me to remove them from
> distributing software to others from my domain (ftp.us.debian.org).

Your thoughts on this subject are really fascinating. Because while I
agree that the idea of "security by obscurity" as the only line of
defense is flawed, you're making assumptions and value judgments that
seem beyond your abilities. I question your security knowledge and
capabilities.

How would you feel if they used a firewall that obscured their TCP
stack? Or if they dropped ICMP time stamp requests? Or used address
space randomization to stop certain types of remote code execution? Or
what if they removed all real version strings from all software that
they used that faces the internet?

Do you really think that obscurity as *part* of your security plan is
only negative? And do you really think that you know their entire
security plan? I think not. In addition, I think the mere fact that
they took the time to customize their banner shows that they're at
least thinking about the problem. Even if we agree that it is flawed to
*only* try hiding version strings, you don't know that this is all they
are doing.

Personally, I think it's worse to print proper version strings and feel
so smug about it. It is not as if being honest about this little detail
somehow protects people using your Debian mirror.

Have you found some actual security issue with the mirror? Are the
packages tampered with? Are the signatures invalid? If so, have you
tried contacting the administrator of the mirror?

Regards,
Jacob Appelbaum
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sun, Jun 8, 2008 at 5:30 PM, Simon Valiquette <[EMAIL PROTECTED]> wrote:
> Jim Popovitch once wrote:
>>
>> If they want to do this, fine. But should they continue to be in
>> rotation for ftp.us.debian.org?
>
> Personally, I would have chosen to impersonate another web server than
> IIS, but except for that I see no problem with what they have done.
>
> I don't see why you want them to be removed from ftp.us.debian.org,
> except that you don't like to see them lying about the server application
> and version they use, which is something done by a lot of people on
> production systems that directly face the Internet.

The reason is this: *if* they are using "security by obscurity", then
that raises the bigger question of their security knowledge and
capabilities. That would be enough for me to remove them from
distributing software to others from my domain (ftp.us.debian.org).

-Jim P.
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
Quoting Simon Valiquette ([EMAIL PROTECTED]):
> Personally, I would have chosen to impersonate another web server than
> IIS, but except for that I see no problem with what they have done.

It also could be just a case of the sysadmin amusing him/herself: back
in the day, I used to edit /etc/{issue|issue.net} to make the system
claim to be a Super Nintendo, just for laughs.

--
Cheers,                "Entia non sunt multiplicanda praeter necessitatem."
Rick Moen                                  -- William of Ockham (attr.)
[EMAIL PROTECTED]
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
Jim Popovitch once wrote:
>> Yep this is lighttpd and it's mod_status.
>
> OK (if true), I still question the need for posing as IIS, and
> therefore I question the mirror operator's
> intent/reasons/capabilities/interests/ as well as security
> capabilities. Are they playing around by posing as IIS? Is it meant
> to deflect interest in a Linux box being on their network? What is
> the reason behind masquerading as something they aren't?

My best guess is that it is security by obscurity.

Personally, I often configure mail servers to claim to be another mail
server, running on a different operating system and with some ad hoc
version number that seems reasonable. The idea is that script kiddies,
and many other attackers, will waste time using attacks that have no
chance of succeeding, giving you an opportunity to detect and block an
attack before it really starts. Except for buying you a bit of time, in
practice it doesn't add much real security against a determined
attacker, but it is very useful for a honeypot.

> If they want to do this, fine. But should they continue to be in
> rotation for ftp.us.debian.org?

Personally, I would have chosen to impersonate another web server than
IIS, but except for that I see no problem with what they have done.

I don't see why you want them to be removed from ftp.us.debian.org,
except that you don't like to see them lying about the server application
and version they use, which is something done by a lot of people on
production systems that directly face the Internet.

Simon Valiquette
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
* Message by -Jim Popovitch- from Sun 2008-06-08:
> On Sun, Jun 8, 2008 at 12:30 PM, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
> > In article <[EMAIL PROTECTED]> you wrote:
> >> It's mirrors like that that make me paranoid about Debian Security.
> >
> > Why is that? IIS is the second most used web server on the market. And since
> > mirrors are not a trusted part of software distribution anyway, I don't see
> > an issue here.
>
> Here's my issue, please correct me if I am wrong. .debs and sigs both
> exist on the same server. If the Windows box/network is compromised,
> then the sigs and debs can be modified and who would know?

The one who checks the 'sigs' will know that, for an attacker will not
be able to forge cryptographic signatures for his modified packages.

These ARE cryptographic signatures, or am I mistaken? If I am, then of
course you are right, and the rationale behind the 'sigs' would have to
be questioned in the first place.
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
Jim Popovitch wrote:
> On Sun, Jun 8, 2008 at 7:02 AM, Nico Golde <[EMAIL PROTECTED]> wrote:
>> Yep this is lighttpd and it's mod_status.
>
> OK (if true), I still question the need for posing as IIS, and
> therefore I question the mirror operator's
> intent/reasons/capabilities/interests/ as well as security
> capabilities. Are they playing around by posing as IIS? Is it meant
> to deflect interest in a Linux box being on their network? What is
> the reason behind masquerading as something they aren't?

Only the operator would be able to answer this. It seems like there are
reasons for doing this. One of them is to obscure the actual platform
from someone just randomly Googling "hacking" their server by searching
for a specific banner string. There are many, many more reasons for
masquerading as something they aren't.

> If they want to do this, fine. But should they continue to be in
> rotation for ftp.us.debian.org?

I think it's irrelevant. All that matters is that the packages are
available, valid, that they're properly signed and that users don't
have issues with the repository.

Regards,
Jacob Appelbaum
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sun, 2008-06-08 at 14:58 -0400, Jim Popovitch wrote:
> On Sun, Jun 8, 2008 at 12:30 PM, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
> > In article <[EMAIL PROTECTED]> you wrote:
> >> It's mirrors like that that make me paranoid about Debian Security.
> >
> > Why is that? IIS is the second most used web server on the market. And since
> > mirrors are not a trusted part of software distribution anyway, I don't see
> > an issue here.
>
> Here's my issue, please correct me if I am wrong. .debs and sigs both
> exist on the same server. If the Windows box/network is compromised,
> then the sigs and debs can be modified and who would know?

Any system, regardless of what operating system it is running, can be
compromised, and the sigs and debs can be "compromised". Remember,
someone has admin rights and/or physical access on those machines.

If that mirror makes you feel uneasy, use another mirror. It is, after
all, the mirror's prerogative to use whatever operating system they wish.

Regards,
Yagisan
--
GPG/PGP signed mail preferred. PGP Key ID 0x4B6E7209
Fingerprint E1FD 9D7E 6BB4 1BD4 AEB9 3091 0027 CEFA 4B6E 7209
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sun, Jun 8, 2008 at 7:02 AM, Nico Golde <[EMAIL PROTECTED]> wrote:
> Yep this is lighttpd and it's mod_status.

OK (if true), I still question the need for posing as IIS, and
therefore I question the mirror operator's
intent/reasons/capabilities/interests/ as well as security
capabilities. Are they playing around by posing as IIS? Is it meant
to deflect interest in a Linux box being on their network? What is
the reason behind masquerading as something they aren't?

If they want to do this, fine. But should they continue to be in
rotation for ftp.us.debian.org?

-Jim P.
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sun, Jun 8, 2008 at 12:30 PM, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]> you wrote:
>> It's mirrors like that that make me paranoid about Debian Security.
>
> Why is that? IIS is the second most used web server on the market. And since
> mirrors are not a trusted part of software distribution anyway, I don't see
> an issue here.

Here's my issue, please correct me if I am wrong. .debs and sigs both
exist on the same server. If the Windows box/network is compromised,
then the sigs and debs can be modified and who would know?

-Jim P.
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
In article <[EMAIL PROTECTED]> you wrote:
> It's mirrors like that that make me paranoid about Debian Security.

Why is that? IIS is the second most used web server on the market. And since
mirrors are not a trusted part of software distribution anyway, I don't see
an issue here.

Regards,
Bernd
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
Hi Henri,
* Henri Salo <[EMAIL PROTECTED]> [2008-06-08 12:34]:
> On Sun, 8 Jun 2008 01:27:06 -0600
> "JD. Brown" <[EMAIL PROTECTED]> wrote:
[...]
> > It looks like they were running Debian before and switched this month.
> > Seems very weird to me.
> >
> That server looks like lighttpd.

Yep, this is lighttpd and it's mod_status. Microsoft-IIS/6.0 also has a
different ordering of the HTTP response headers:

IIS:
HTTP/1.1 400 Bad Request
Content-Length: 39
Content-Type: text/html
Date: Sun, 08 Jun 2008 11:00:49 GMT
Connection: close

lighttpd:
HTTP/1.1 400 Bad Request
Connection: close
Content-Type: text/html
Content-Length: 349
Date: Sun, 08 Jun 2008 11:00:23 GMT

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
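Two observations in this thread, Nico's header ordering here and Anderson's TTL arithmetic (39 observed + 25 hops = 64) earlier, are the kind of passive evidence an operator or auditor can check against what a banner claims. The following is an added example, not code from the list: the two reference header orders are copied from Nico's samples, while the initial-TTL table (64/128/255) and the captured response are assumptions constructed for the demonstration.

```python
"""Consistency checks on captured observations of a mirror, as in this thread:
the order of HTTP 400 response headers (Nico's IIS and lighttpd samples) and
the TTL of ICMP echo replies (Anderson's 39 + 25 = 64).  Added example;
the reference orders, TTL table and sample capture are assumptions."""
from typing import Optional

# Header order of a 400 response, copied from Nico's two samples.  Headers
# outside this set (e.g. Server) are ignored when orders are compared.
KNOWN_400_ORDER = {
    "Microsoft-IIS": ["Content-Length", "Content-Type", "Date", "Connection"],
    "lighttpd": ["Connection", "Content-Type", "Content-Length", "Date"],
}
COMPARED = {name for order in KNOWN_400_ORDER.values() for name in order}
# Initial TTLs of common IP stacks (assumed: Linux/BSD 64, Windows 128, much network gear 255).
COMMON_INITIAL_TTLS = (64, 128, 255)


def parse_headers(raw_response: str) -> list:
    """(name, value) pairs in the order the server emitted them; stops at the blank line."""
    headers = []
    for line in raw_response.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def server_banner(raw_response: str) -> Optional[str]:
    """Product part of the Server header ("Microsoft-IIS/6.0" -> "Microsoft-IIS")."""
    for name, value in parse_headers(raw_response):
        if name.lower() == "server":
            return value.split("/")[0]
    return None


def match_by_header_order(raw_response: str) -> list:
    """Servers whose known 400 header order equals the observed one."""
    observed = [n for n, _ in parse_headers(raw_response) if n in COMPARED]
    return [srv for srv, order in KNOWN_400_ORDER.items() if order == observed]


def banner_consistent(raw_response: str) -> bool:
    """True when the Server banner agrees with what the header order says."""
    banner = server_banner(raw_response)
    return banner is not None and banner in match_by_header_order(raw_response)


def infer_initial_ttl(observed_ttl: int, hops: Optional[int] = None) -> Optional[int]:
    """Exact initial TTL when the hop count is known (Anderson's 39 + 25 = 64),
    otherwise the smallest common initial TTL not below the observed value."""
    if hops is not None:
        return observed_ttl + hops
    return next((t for t in COMMON_INITIAL_TTLS if t >= observed_ttl), None)


# Constructed capture: the banner claims IIS but the header order is lighttpd's.
MIRROR_400 = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 349\r\n"
    "Date: Sun, 08 Jun 2008 11:00:23 GMT\r\n\r\n"
)

if __name__ == "__main__":
    print(match_by_header_order(MIRROR_400), banner_consistent(MIRROR_400))
    print(infer_initial_ttl(39, 25), infer_initial_ttl(39))
```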
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sun, 8 Jun 2008 01:27:06 -0600
"JD. Brown" <[EMAIL PROTECTED]> wrote:
> On Sun, Jun 8, 2008 at 12:05 AM, <[EMAIL PROTECTED]> wrote:
> >> Well, I thought I had seen it all... but this takes the cake.
> >>
> >> http://ike.egr.msu.edu/debian/pool/
>
> For the heck of it, here is some info about them.
>
> http://toolbar.netcraft.com/site_report?url=http://ike.egr.msu.edu
> &
> http://private.dnsstuff.com/tools/ipall.ch?ip=35.9.37.225&src=ShowIP
>
> It looks like they were running Debian before and switched this month.
> Seems very weird to me.
>
> Regards,

That server looks like lighttpd.

--
Henri Salo
+358407705733
GPG ID: 2EA46E4F
fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sun, Jun 8, 2008 at 12:05 AM, <[EMAIL PROTECTED]> wrote:
>> Well, I thought I had seen it all... but this takes the cake.
>>
>> http://ike.egr.msu.edu/debian/pool/

For the heck of it, here is some info about them.

http://toolbar.netcraft.com/site_report?url=http://ike.egr.msu.edu
&
http://private.dnsstuff.com/tools/ipall.ch?ip=35.9.37.225&src=ShowIP

It looks like they were running Debian before and switched this month.
Seems very weird to me.

Regards,
--
JD. Brown
Linux User # 375995 - http://counter.li.org/
Debian - http://www.debian.org/intro/about
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
> Well, I thought I had seen it all... but this takes the cake.
>
> http://ike.egr.msu.edu/debian/pool/
>
> -Jim P.

This is weird, but somehow it is hard to believe. It is possible to change
the identification string to anything, right? Maybe it is apache but trying
to be IIS???
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sun, Jun 8, 2008 at 2:05 AM, <[EMAIL PROTECTED]> wrote:
> This is weird, but somehow it is hard to believe. It is possible to change
> the identification string to anything, right? Maybe it is apache but trying
> to be IIS???

That would be nice if true... but I seriously doubt that to be the case.

From: http://ike.egr.msu.edu/debian/pool/main/3/3ddesktop/

3ddesktop_0.2.8-1.diff.gz      2005-Apr-08 05:32:08    7.1K  application/x-gzip
3ddesktop_0.2.8-1.dsc          2005-Apr-08 05:32:08    0.7K  application/octet-stream
3ddesktop_0.2.8-1_alpha.deb    2005-Apr-09 14:02:02   78.8K  application/octet-stream

Everything other than .gz is type "application/octet-stream". I bet if
we could see permissions they'd be 0777.

And then there is this: http://ike.egr.msu.edu/server-status

It's mirrors like that that make me paranoid about Debian Security.

-Jim P.
Microsoft-IIS/6.0 serves up Debian... WTF!
Well, I thought I had seen it all... but this takes the cake.

http://ike.egr.msu.edu/debian/pool/

-Jim P.