Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-23 Thread Tonnerre Lombard
Salut, Michael,

On Tue, 20 May 2008 13:41:41 -0400, Michael Holstein wrote:
> Smoke Detector + Webcam = cheapo RNG

We were talking about PRNGs here, which are highly complex mathematical
constructs, not hardware RNGs, which are also slightly hairy though.
There are a couple of books on PRNG design, and even if you read them
you probably still need a couple of years to design a secure PRNG.

> I know some highly secure operations (eg: web casinos, using Geiger 
> counters and background radiation) use a version of this for their
> RNGs, and random.org does it with RF (radios listening to static) ..
> do patches exist for OpenSSL to use hardware devices? (short of a
> hack to take something like the above and pipe it to /dev/random,
> etc).

OpenSSL would probably be slightly the wrong place to do this. The BSD
systems tend to have kernel drivers for various hardware random
sources, XORing them into each other to eliminate the problem with weak
random sources. You can then distill this through the /dev/random
device. OpenSSL then needs a build flag to make use of this additional
random material; I think they add a certain amount of random
material to their MD on each iteration.

Please note that even hardware random sources are of quite varying
quality. Like you said, a Geiger counter provides you with quite
high-quality random numbers since, to our knowledge, quantum effects
are rather hard to predict. You can also use hard disk seek times as a
RNG source, but the quality is rather poor in this case, and you should
only use it in addition to other sources.

Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel: +41 61 333 80 33
Fax: +41 61 383 14 67
Web: www.sygroup.ch
Güterstrasse 86, 4053 Basel
[EMAIL PROTECTED]


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
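The two points made above, that XORing independent sources together neutralises a weak one and that a poor source like disk seek timing should only ever be used in addition to others, as an added example that is not code from the original post, the BSD kernels or OpenSSL. Both "sources" are constructed, seeded simulations so the run repeats; the byte-frequency entropy estimate is a smoke test for bias only, not proof of unpredictability (a plain counter would score 8 bits/byte too).

```python
"""Entropy-pool toy: mixing a weak and a strong randomness source.

Added example, not code from the original post, the BSD kernels or OpenSSL.
Every "source" here is a constructed, seeded simulation so the run repeats.
"""
import hashlib
import math
import random
from collections import Counter
from typing import Callable, Iterable

# A source is just "give me n bytes"; a real one would read a device node.
Source = Callable[[int], bytes]


def disk_seek_source(seed: int = 1) -> Source:
    """Constructed stand-in for hard-disk seek timings: only a handful of
    distinct values, heavily skewed, so roughly 1.2 bits of entropy per byte."""
    rng = random.Random(seed)

    def read(n: int) -> bytes:
        return bytes(rng.choices([0x10, 0x11, 0x12, 0x13],
                                 weights=[70, 20, 7, 3], k=n))
    return read


def strong_source(seed: int = 2) -> Source:
    """Constructed stand-in for a high-quality source (the Geiger counter of
    the post, or the OS CSPRNG): uniform bytes, seeded for repeatability."""
    rng = random.Random(seed)

    def read(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))
    return read


def dead_source(n: int) -> bytes:
    """Failure mode: a device that silently returns zeros (unplugged, stuck)."""
    return bytes(n)


def xor_mix(sources: Iterable[Source], n: int) -> bytes:
    """XOR n bytes from each source together. If the sources are independent,
    the output is at least as unpredictable as the best single source: a biased
    or dead source cannot make it worse, but it also cannot rescue a dead one."""
    out = bytearray(n)
    for src in sources:
        for i, b in enumerate(src(n)):
            out[i] ^= b
    return bytes(out)


def hash_mix(sources: Iterable[Source], n: int, chunk: int = 64) -> bytes:
    """/dev/random-style pool: every output block is a hash of the previous
    pool state plus fresh input from all sources, so bias in one source is
    spread over the output and output bytes do not reveal the pool state."""
    sources = list(sources)
    pool = b""
    out = bytearray()
    while len(out) < n:
        fresh = b"".join(src(chunk) for src in sources)
        pool = hashlib.sha256(pool + fresh).digest()
        out += pool
    return bytes(out[:n])


def bits_per_byte(data: bytes) -> float:
    """Shannon entropy estimate from byte frequencies, 0.0 to 8.0. This only
    measures bias: a counter would score 8.0 too, so treat it as a smoke test,
    not as proof that a source is unpredictable."""
    total = len(data)
    counts = Counter(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def demo(n: int = 65536) -> dict:
    """Score the sources alone and mixed; returns bits-per-byte per scenario."""
    return {
        "weak_only": bits_per_byte(disk_seek_source()(n)),
        "strong_only": bits_per_byte(strong_source()(n)),
        "xor_both": bits_per_byte(xor_mix([disk_seek_source(), strong_source()], n)),
        "hash_both": bits_per_byte(hash_mix([disk_seek_source(), strong_source()], n)),
        # the strong device died: XOR output is exactly the weak source again
        "xor_weak_plus_dead": bits_per_byte(xor_mix([disk_seek_source(), dead_source], n)),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:20s} {score:.3f} bits/byte")
```

Running it shows the seek-time source alone at roughly 1.2 bits per byte, XOR or hash mixing with an independent good source back at the full 8, and the XOR output collapsing to the weak source's quality once the good device fails, which is why a pool that draws on several sources and hashes them is preferable to trusting any single device.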

Re: [Full-disclosure] Need some help with management

2008-05-23 Thread Jesse Bacon
Why don't you sell them on a RedHat based SMB filesharing solution and
install a copy of Security Blanket.  (http://www.trustedcs.com)  RedHat
provides regular updates that keep it pretty secure and with Security
Blanket on there it will stay secure.  Additionally the presence of a non
windows fileserver will help to provide fault tolerance for your network.
Use this box to host backup services for your network.  Having a linux box
to play with will also allow you to set up inexpensive IDS/IPS threat
monitoring solutions.  Instead of netbios transfers you could do it over SSH
with WinSCP. Feel free to give me a ring if you want some help putting
something together for management.
cheers,

Jesse Bacon
(703)537-4358

>Appeal to them with language that they understand. Since they don't seem to
>be as technical as you are, appeal to them with a financial and/or legal
>liability argument. Managers understand liability and the bottom line.

>- - Original Message -
>From: Daniel Sichel
>To: full-disclosure@lists.grok.org.uk
>Sent: Thursday, May 22, 2008 12:51 PM
>Subject: [Full-disclosure] Need some help with management


>My management here wants to put a server on our LAN, not administered by us
>(the IT department) and use a share on it to serve files and data to our
>workstations.  They do not understand why having a server with a file share
>that is NOT part of our secure infrastructure represents a threat to the
>computers accessing it. Keep in mind this is an all Windows network. Sooo,
>if you guys can succinctly explain why having a trusted computer trust an
>untrusted computer is a problem, that would be helpful. Keep in mind we are
>talking to management here. It's kind of like trying to explain why, when
>you are in the United States, it's a bad idea to drive on the left hand
>side of the road. It's just so basic it's not documented anywhere. So,
>please help me explain why netbios and file shares on machines not within
>your network are bad ideas.



>Thanks,



>Daniel Sichel, CCNP, MCSE,MCSA,MCTS (Windows 2008)

>Network Engineer

>Ponderosa Telephone (559) 868-6367

Re: [Full-disclosure] Need some help with management

2008-05-23 Thread Izaac
On Thu, May 22, 2008 at 09:51:01AM -0700, Daniel Sichel wrote:
> it's not documented anywhere. So, please help me explain why netbios and
> file shares on machines not within your network are bad ideas.

This situation is ultimately and entirely your fault.

You, i.e. your IT department, have failed to provide the services and
resources that your management needs.  As such, they are forced to
invent ways to get around you.  This is probably not the first and
will most assuredly not be the last time it will happen.  That you
know about.

Do not explain to this manager what he cannot do.  Ask him what he
wants to do.  And then provide him with what he needs.  In a simple and
straightforward manner.  Where he doesn't need to know anything about
disks and RAM and IP and firewalls or anything related to your job.

The conversation should go like this:

Y: "Hey boss, so I hear you want to set up some kinda server.  What's the
story?"
B: "We want a file server."
Y: "You need to share files?"
B: "Yes.  We all have to work on the same spreadsheet and it's getting
to be a real pain to send it back and forth between us in email."
Y: "A spreadsheet?"
B: "Yes.  We track our offered quotes in an Excel spreadsheet.  Every
morning Cindy sends out the spreadsheet to everyone in an email so
any salesman can answer questions when the prospect calls.  They email
any changes they made to her in the afternoon.  And she consolidates
them and builds the sheet for the next morning.  So, my cousin's
roommate's uncle's stepkid was visiting the other week and says, 'Why
don't you use a fileserver?  Then you can all edit the one copy and not
have to worry about a second call in the afternoon not realizing what
happened that morning.'  I mean, that's a great idea, right?  So that's
what we want to do.  We oughtta get him in here as a consultant."
Y: 

At which point you'll discover the business requirement for a
database or versioning system or CRM or whateverelse.  Which you have
been utterly ignoring for the past year by reading Slashdot instead
of engaging the rest of your company and discovering its business needs.

Your job is to enable your coworkers to do their jobs more
effectively.  The computer should seamlessly integrate into their
task.  If they have to think about it, you've failed.

You support them.  They do not support you.  Check your geekgo and do
your job.

So the answer to your immediate question is:  You set up their
fileserver and acquiesce to every little feature they think that they
need.  And watch it like a hawk.  In doing so, you'll play catchup in
figuring out what they actually need.  And then you can replace that
horror with something better.

..

Great.  Just great.  Now I'm gonna feel management-dirty all day.
I'll have to pick up a box of scouring pads from the grocery on the
way to the gym this afternoon.

-- 
. ___ ___  .   .  ___
.  \/  |\  |\ \
.  _\_ /__ |-\ |-\ \__



Re: [Full-disclosure] Need some help with management

2008-05-23 Thread Castigliola, Angelo
Daniel,

 

I think you will find that this is a common problem in the industry.
There are going to be times where non-company owned assets are going to
need to plug into your network with business justifications such as a
vendor visiting onsite or in your case where the vendor agrees to manage
their asset on your network. I understand as a network administrator you
see the risk of having a machine on your LAN that you\your team did not
personally secure (un-trusted) however it is imperative that you balance
the security of your network with the business needs of your
organization. In this situation it is important to develop a policy that
acknowledges this as a known risk and establish guidelines to reduce the
risk such as requiring all non-company owned assets that utilize your
LAN to have antivirus installed with the latest updates, secured with
the latest patches, etc. The vendor will need to be informed of the
policy and understand that he needs to comply with this policy to ensure
the security and stability of your corporate IT infrastructure.

 

Angelo Castigliola III
Information Security - Application Security Architecture
Unum

* [EMAIL PROTECTED]





Re: [Full-disclosure] Need some help with management

2008-05-23 Thread Marcus Graf
Hi Izaac,

>> it's not documented anywhere. So, please help me explain why
>> netbios and file shares on machines not within your network are bad
>> ideas.
> 
> This situation is ultimately and entirely your fault.
> 
> You, i.e. your IT department, has failed to provide the services and 
> resources that your management needs.

This is a little bit oversimplified. I know some business solutions
where the software is bundled together with the server hardware and the
complete package is administered by the manufacturer via vpn.

Ok, if the management decided to buy such a solution they should have
asked the IT guys first. But we all know that this is wishful thinking...

Ciao
Marcus

-- 
Hail Eris! Hail Discordia!



Re: [Full-disclosure] Need some help with management

2008-05-23 Thread Paul Schmehl
--On Thursday, May 22, 2008 20:45:06 -0700 coderman <[EMAIL PROTECTED]> wrote:

> On Thu, May 22, 2008 at 9:51 AM, Daniel Sichel <[EMAIL PROTECTED]>
> wrote:
>> My management here wants to put a server on our LAN, not administered by us
>> ...
>
> all of the responses to this are retarded.
>
> tell him to setup a server.  dare him. double dog dare!
>
> when it pings, load it full of goatse.cx and tubgurl and lemonparty.
>
> ask, "do you want to run AND SECURE your own server?"
>
> case closed.
>

You clearly don't work anywhere near an enterprise.  If you did, you'd realize 
this very scenario occurs almost on a daily basis and the "owners" are 
perfectly happy with their dreg-filled completely insecure "servers" running on 
Windows XP SP1.

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.



Re: [Full-disclosure] Need some help with management

2008-05-23 Thread Elazar Broad
It's not even funny how often this happens. I have a friend who does
some consulting work for small businesses, and the amount of times
that he has come across medical practices that run their billing
and record keeping software on the same "fully-loaded" XP box that
their receptionist(s) use to download random crap...

E

On Fri, 23 May 2008 11:24:29 -0400 Paul Schmehl
<[EMAIL PROTECTED]> wrote:
>You clearly don't work anywhere near an enterprise.  If you did, you'd
>realize this very scenario occurs almost on a daily basis and the "owners"
>are perfectly happy with their dreg-filled completely insecure "servers"
>running on Windows XP SP1.



Re: [Full-disclosure] Need some help with management

2008-05-23 Thread Paul Schmehl
--On Friday, May 23, 2008 11:56:15 -0400 Elazar Broad <[EMAIL PROTECTED]> 
wrote:

> It's not even funny how often this happens. I have a friend who does
> some consulting work for small businesses, and the amount of times
> that he has come across medical practices that run their billing
> and record keeping software on the same "fully-loaded" XP box that
> their receptionist(s) use to download random crap...
>

Typical scenario - professor runs Windows XP with Skype and Google Toolbar and a 
host of other "helpful" desktop applications - oh, but that's his "server" too 
- running IIS and mysql - default installs, mind you - replete with cross-site 
scripting and sql injection problems - and all his research with no backups - 
and then gets irate because his computer gets blocked at the switch port for 
policy violations.

I could go on, but you get the idea.

Why do they do it?  Because they can - at least until we catch them.

How many mysql installs do you think there are worldwide, listening on the 
default port, with "[EMAIL PROTECTED]", "[EMAIL PROTECTED]", "@localhost" and 
"@FQHN" all in the default state with no password?

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

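The default-account problem raised in the post above, as an added example that is neither from the post nor MySQL's own tooling: a small Python audit over the tab-separated text that `mysql -e "SELECT user, host, password FROM mysql.user"` prints. The rows are constructed (hostnames and the two `*…` password hashes are placeholders), and the `password` column name assumes the pre-5.7 grant-table layout of the post's era; newer servers call it `authentication_string`.

```python
"""Audit a MySQL grant table dump for the default, passwordless accounts.

Added example, not from the post and not MySQL's own tooling. Input is the
tab-separated text that `mysql -e "SELECT user, host, password FROM mysql.user"`
prints; the column name assumes the pre-5.7 layout (newer servers use
authentication_string). All rows below are constructed.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed dump: the four accounts a default install of that era shipped
# with no password (root and the anonymous user, each for localhost and the
# host's FQDN), plus two application accounts with placeholder hashes.
SAMPLE_USER_TABLE = (
    "user\thost\tpassword\n"
    "root\tlocalhost\t\n"
    "root\tdb1.example.test\t\n"
    "\tlocalhost\t\n"
    "\tdb1.example.test\t\n"
    "app\t%\t*1111111111111111111111111111111111111111\n"
    "backup\t10.0.0.5\t*2222222222222222222222222222222222222222\n"
)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Finding:
    user: str
    host: str
    problems: List[str]


def audit_user_table(dump: str) -> List[Finding]:
    """Return one Finding per account that has at least one weakness."""
    findings = []
    for row in csv.DictReader(io.StringIO(dump), delimiter="\t"):
        user, host, pw = row["user"], row["host"], row["password"]
        problems = []
        if pw == "":
            # anyone who can reach the listening port logs in as this account
            problems.append("empty password")
        if user == "":
            # anonymous entry: accepts connections under any user name
            problems.append("anonymous account")
        if host == "%":
            problems.append("reachable from any host")
        if user == "root" and host not in LOCAL_HOSTS:
            problems.append("root login allowed over the network")
        if problems:
            findings.append(Finding(user, host, problems))
    return findings


def problem_counts(findings: List[Finding]) -> Counter:
    """Tally of weaknesses across all findings, for a quick summary line."""
    return Counter(p for f in findings for p in f.problems)


if __name__ == "__main__":
    results = audit_user_table(SAMPLE_USER_TABLE)
    for f in results:
        print(f"'{f.user}'@'{f.host}': {', '.join(f.problems)}")
    print(dict(problem_counts(results)))
```

On the constructed dump this flags five of the six accounts; the stock `mysql_secure_installation` script exists to clean up exactly this set (set a root password, drop the anonymous users, refuse remote root), and binding the listener to localhost where no remote client needs it removes the "listening on the default port" half of the problem.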


[Full-disclosure] Thank you for help with management.

2008-05-23 Thread Daniel Sichel
Thank you to all who responded to my request for how to deal with a non
secure server. Responses ranged from lol witty to incisive. I will
definitely be asking the general manager for a  key to  his house and I
will be requiring a release from liability in writing.  It was very
helpful, thank you all again.

 

Daniel Sichel, CCNP, MCSE,MCSA,MCTS (Windows 2008)

Network Engineer

Pwnderosa Telephone (559) 868-6367

 


Re: [Full-disclosure] Thank you for help with management.

2008-05-23 Thread Valdis . Kletnieks
On Fri, 23 May 2008 14:26:07 PDT, Daniel Sichel said:

> Thank you to all who responded to my request for how to deal with a non
> secure server. Responses ranged from lol witty to incisive. I will
> definitely be asking the general manager for a  key to  his house and I
> will be requiring a release from liability in writing.  It was very
> helpful, thank you all again.

Just keep in mind, that *sometimes* you *do* want to give people a key to
the house/office/etc - for instance, if you're going on vacation, you'll
likely want to give a key to whoever is petsitting for you.

The important question is *why* is said person getting access, what the
risks and benefits are, and if there's other ways to achieve the goal (for
instance, you may not need to have somebody stop by to feed your fish if
one of those 7-day feeder blocks will work)...

When I suggested "Ask him if he'd give people keys to the office", the
*expected* response is "But the cleaning crews have keys.." or similar - which
lets you get the *discussion* going of who has what access and why...




Re: [Full-disclosure] Thank you for help with management.

2008-05-23 Thread Michael Krymson
I wonder if anyone else on this forum supports Cisco VOIP servers? Do you
think you manage those? :) What about edge routers managed by your network
service provider?

This is not as outlandish a request as it sounds, and my point with that
is to illustrate that this does happen.
Before you possibly dig yourself a hole with your manager and/or business
folks, sincerely ask them what they are trying to do. This may just be a
"business" (read: naive) solution to some need they have, which can be met
far easier by you. Maybe this can be put on your current file server
solution (if you have one), maybe they didn't think about how people access
this remotely, maybe they didn't think about what to do if someone unplugs
that machine and your team certainly isn't going to support it, right? Who
do you call and who does the calling? Your team will get every bit of initial
troubleshooting for this, so you may as well properly get the facts and get
familiar with the overall project. Will everyone have read/write access, and
if so, what happens when someone deletes what was out there? (If you don't
think it happens, I'll contract out to you for a week and delete it.) And
who manages the permissions?

All of that said, let's say this remains stupid. Put the box on its own
segment and wrap any other security technology around it in a way that it
cannot communicate to anything else nor anything to it outside of your share
process (smb, netbios...), and make sure it has no access to the Internet
nor undue access on your domain. Lock that sucker down and limit your
exposure.

Oh, and if this is holding some executable that is run or used by a process
on user workstations...can just anyone replace it with whatever they feel
like?

If it ever becomes a possibility, you should feel free to fill in more
details on what this server is, or what overall project/app this was for.
Those details certainly provide or hide a lot of context.




[Full-disclosure] A cyber human shield?

2008-05-23 Thread n3td3v
A cyber human shield? A rogue government could take traditional
military tactics [1] and put them into the cyberspace warfare arena.

This evidently [2] hasn't been thought about after I read the military
article cited by S/U/N <[EMAIL PROTECTED]>.

[1] http://en.wikipedia.org/wiki/Human_shield

[2] http://www.afji.com/2008/05/3375884/

All the best,

n3td3v

-- Forwarded message --
From: n3td3v <[EMAIL PROTECTED]>
Date: Wed, May 21, 2008 at 11:25 AM
Subject: Re: [Full-disclosure] pentagon botnet
To: full-disclosure@lists.grok.org.uk


On Wed, May 21, 2008 at 9:16 AM, S/U/N <[EMAIL PROTECTED]> wrote:
> http://www.afji.com/2008/05/3375884/
>

What if the bot net of the enemy state are hospital computers, will
you still attack them? What if the bot net of the enemy state are
power station computers, will you still attack them? Will you risk
putting civilian life at risk if the enemy state hides their bot net
in national infrastructure that will make you look the worst if you
attack them?

Enemy states would end up hiding their bot nets in places you wouldn't
want to attack... because if you did it would shut down a national
infrastructure. The enemy states aren't going to have their bot nets
in home computers with Windows Vista running, they are going to be
national infrastructure computers that if you attack them will put the
country's civilians at risk, making you the baddies and them the
goodies.

You haven't thought things through well enough and the tactics your
enemy state will use to make you the baddie for attacking their bot
net, which you will have a hell of a job convincing the single mom and
retired couple crowd that a hospital or power station was something
called a bot net which they haven't even heard of a bot net before and
are told it was attacking pentagon networks or something, which didn't
affect the single mom and retired couple to begin with, but are told
it's a good idea to shut down a country's hospital or power station
anyway.

Just trust your government, shutting down a rogue nation's national
infrastructure is in your best interest, even though joe public don't
know what the hell a bot net is and why that fluffy innocent looking
hospital or power station was one and that it was attacking the United
States pentagon networks. That's really going to go down well with the
American public, one fifth of whom have never used or sent an e-mail.
http://news.cnet.com/8301-10784_3-9946706-7.html

From the American public point of view and the rest of the world's
point of view it will be US government attacking innocent hospitals
and power stations that look like its doing nothing wrong from the
single mom and retired couple prospectus, so how are you going to win
over hearts and minds that shutting down a country's national
infrastructure was a good idea, when there is nothing wrong with that
hospital or power station to the untrained public eye?

You're going to need to educate your citizens first of all what a bot
net is, and then teach them that an enemy state is hiding rogue bot
net computers in hospitals and power stations, and that you need to
attack that infrastructure, and once you've attacked and shut down the
enemy state's hospital and power station that from the untrained eye
was doing nothing wrong from the prospectus of the one fifth of
Americans who have never used e-mail before, you'll need to find a way
of proving that hospital or power station did have a rogue bot net in
it and that you weren't just making it up.

There are probably more cunning national infrastructure places your
enemy state would hide their bot net than just a hospital or power
station, but those are pretty good standard examples to get your mind
thought juices flowing. So how are you going to convince joe public
why you're DDoS'ing eastern countries' national infrastructure and its
citizens are out on the streets protesting because they have no food,
water, health care, electricity and whatever other thing you attacked
because the enemy state had placed their rogue bot net computers there
for the United States to offensively attack?

Those people out on the streets protesting won't even know what a bot
net is or understand why their power station, hospital or other
national infrastructure has suddenly stopped working. Try explaining
that to them and the rest of the world when they are starving and in
need of world aid organizations to come save their lives.

It's not going to work, so quit this pentagon bot net idea already,
there is enough carnage and problems in the world without the above
carry on happening, all because of military bot nets attacking
military bot nets that are cunningly placed in national infrastructure
to make whoever attacks it look bad.

All the best,

n3td3v



Re: [Full-disclosure] A cyber human shield?

2008-05-23 Thread n3td3v
"COL. CHARLES W. (CHARLIE) WILLIAMSON III is the staff judge advocate,
Air Force Intelligence, Surveillance and Reconnaissance Agency, at
Lackland Air Force Base, Texas. He has served as a flight test manager
for small, air-breathing missiles; as a judge advocate at two
base-level legal offices; as a staff judge advocate for two base-level
legal offices; and as the first staff judge advocate for the Joint
Task Force-Computer Network Operations. The views expressed here are
the author's own and do not necessarily reflect those of the Air Force
or Defense Department."

But it takes a faggot like me to point out the biggest error of your article.

All the best,

n3td3v


Re: [Full-disclosure] Thank you for help with management.

2008-05-23 Thread Micheal Cottingham
I think the issue of why management doesn't want IT to have
access/manage to the server needs to be answered. If it were me, I'd
ask them point-blank if they trust me, and if they don't, why am I
their network admin/security guy/whatever the case may be. But that's
me. ;)

On Fri, May 23, 2008 at 6:00 PM,  <[EMAIL PROTECTED]> wrote:
> On Fri, 23 May 2008 14:26:07 PDT, Daniel Sichel said:
>
>> Thank you to all who responded to my request for how to deal with a non
>> secure server. Responses ranged from lol witty to incisive. I will
>> definitely be asking the general manager for a  key to  his house and I
>> will be requiring a release from liability in writing.  It was very
>> helpful, thank you all again.
>
> Just keep in mind, that *sometimes* you *do* want to give people a key to
> the house/office/etc - for instance, if you're going on vacation, you'll
> likely want to give a key to whoever is petsitting for you.
>
> The important question is *why* is said person getting access, what the
> risks and benefits are, and if there's other ways to achieve the goal (for
> instance, you may not need to have somebody stop by to feed your fish if
> one of those 7-day feeder blocks will work)...
>
> When I suggested "Ask him if he'd give people keys to the office", the
> *expected* response is "But the cleaning crews have keys.." or similar - which
> lets you get the *discussion* going of who has what access and why...
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [ MDVSA-2008:106 ] - Updated gnutls packages fix denial of service vulnerabilities

2008-05-23 Thread security

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:106
 http://www.mandriva.com/security/
 ___
 
 Package : gnutls
 Date: May 23, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 4.0
 ___
 
 Problem Description:
 
 Flaws discovered in versions prior to 2.2.4 (stable) and 2.3.10
 (development) of GnuTLS allow an attacker to cause a denial of service
 (application crash) and possibly (so far undetermined) execute
 arbitrary code.
 
 The updated packages have been patched to fix these flaws.
 
 Note that any applications using this library must be restarted for
 the update to take effect.
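The restart requirement above can be verified on a Linux host: when a package update replaces a shared library that a running process still has mapped, the kernel appends "(deleted)" to that mapping in /proc/<pid>/maps. The POSIX shell script below is an added example, not part of the Mandriva advisory; the function names and the sample /proc tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): find processes that still map an
# old, now-replaced copy of a library (here libgnutls) and so need restarting.

# stale_mappings LIBPATTERN [PROCDIR]
# Prints "pid<TAB>path" for every process whose maps file references a
# deleted file matching LIBPATTERN. PROCDIR defaults to /proc; it is a
# parameter only so the function can run against a constructed tree.
stale_mappings() {
    pattern=$1
    procdir=${2:-/proc}
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # unreadable or no match: skip
        pid=${maps#"$procdir"/}
        pid=${pid%/maps}
        # In /proc/<pid>/maps, field 6 is the pathname and the kernel appends
        # a literal "(deleted)" token when the mapped file has been unlinked.
        awk -v pid="$pid" -v pat="$pattern" '
            $6 ~ pat && $NF == "(deleted)" && !seen[$6]++ {
                printf "%s\t%s\n", pid, $6
            }' "$maps"
    done
}

# Constructed sample /proc tree (not real system data) to show the output.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/101" "$tmp/202"
    # pid 101 still maps the pre-update library, so it must be restarted
    printf '%s\n' \
      '7f1a0000-7f1b0000 r-xp 00000000 08:01 1234 /usr/lib/libgnutls.so.13.4.3 (deleted)' \
      '7f1c0000-7f1d0000 r--p 00000000 08:01 5678 /lib/libc-2.7.so' > "$tmp/101/maps"
    # pid 202 was started after the update and maps the new file
    printf '%s\n' \
      '7f2a0000-7f2b0000 r-xp 00000000 08:01 9012 /usr/lib/libgnutls.so.13.4.5' > "$tmp/202/maps"
    stale_mappings 'libgnutls' "$tmp"
    rm -rf "$tmp"
}

# On a live host, run as root: stale_mappings 'libgnutls'
demo
```

The demo reports only pid 101; an empty result on a real host means every process has picked up the updated library.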
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1948
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1949
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1950
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___