Re: [Full-Disclosure] Web sites compromised by IIS attack
Per the Free Software model it does. The key point here is that Red Hat is redistributing the code and making a profit off of it. It's Red Hat's choice regarding whether to redistribute said code. Since they're making the money off of it, they have to support it.

Sorry Barry but you're wrong. If I burn a CD of a bunch of applications I get off the net and sell it, then by what you're saying I should be supporting it? So then my ISP should support all the applications I get off the net since they take my money and give me net access?

Sendmail and Bind have been riddled with bugs, this is true, but I don't know if I'd label them some of the most buggy bits of code ever written. :) But, as you said, there are far better choices out there -- and Red Hat (hypothetically speaking, of course) has the choice to distribute those instead of sendmail/bind.

Have to agree with you here. To me some of the software that they have bundled into their CDs has been odd to say the least. I fear that RH will probably try to become like M$ in the linux world.

Denis

___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Web sites compromised by IIS attack
Stuart,

First off. Don't think I ever have been to support.m$.com don't think they have anything I'd ever want. Since I only use M$ for its proper use, to play games, why would I care about support. Any REAL work I want to do is done under some flavor of Unix. As soon as someone gets CoD running under Linux, I'll go back to a single boot system.

Denis

On Thu, 1 Jul 2004, Stuart Fox (DSL AK) wrote:

Paul, If I'm understanding you correctly you don't understand Linux/Redhat. Or you're just being silly to make a point. sendmail, wftp , php, etc.. are not owned by Redhat. Each of these applications are owned by someone else and Redhat is allowed to re-distribute them.

Yeah, but Redhat are the vendor, whether or not they actually wrote the software, they distributed it to you. Their product is Redhat Linux (the distribution), if that has a flaw in it they shouldn't get exempted just because they didn't write it. Could Microsoft then pass off support for ftp.exe for instance?

And using the number of fixes/patches to an application as an indication of how good it is, is a bad thing. Using this logic you would have to say M$ is a good product.

I believe you haven't looked at http://support.microsoft.com for a while? And besides, it was pretty clear that he wasn't using it as an indication of relative quality, just as an indicator of the fact that no one writes perfect software.
Re: [Full-Disclosure] Web sites compromised by IIS attack
LMAO.. I see it now, you're making a joke out of it..

On Wed, 30 Jun 2004, Frank Knobbe wrote:

On Wed, 2004-06-30 at 22:05, Denis Dimick wrote:

They pretty much do. That is if the application is one that users have found worth supporting.

Exactly. The responsible parties are doing their job. Now contrast that with commercial software.

So can I assume that you would allow a vendor to remotely patch your system?

Not remotely, but...

Like I said, Do you REALLY want a vendor to install patches for you?

Absolutely. Have them send a technician ON SITE. Have them STAY and fix the product until it is working. (Free of charge mind you... just like the free repair of a recalled water pump for your car). If applied patches crash the system further, it is the responsibility of that technician (representing the vendor) to get it back in working order. If he can't do that well.. since he is there, you can hold him accountable in any way you see fit. :) If we were able to mandate such a response, how long do you think it would take before out-of-the-box software quality improves suddenly?

I think Frank that you're starting to point out a problem for M$ and other vendors. They don't have the money to support their products any longer. M$ has somewhere like 20,000 paid programmers, How many programmers are working on open source products? 100,000 plus, maybe more. How do you expect a company like M$ to compete? I don't think they can.

There are a lot of healthy, smaller commercial software shops out there that produce usable (and often surprisingly good quality) code. They typically also have good support and decent business ethics. Some larger vendors these days are more concerned with increasing their own wealth rather than producing good quality software. That's unfortunate. In case of Microsoft, I think that this company has grown to such proportions that it is starting to collapse on itself, much like the operating system they produce. If that is going to happen as quietly as a cheese soufflé or as loud as a supernova remains to be seen (although it will be spectacular either way). The next 5-10 years will be interesting.

Anyhow, my main gripe is the sale of broken products. I don't remember if that was NT4.0 or some other product, but the box came with the CD for the software, and a CD with patches. Here, your purchase. It's broken. Fix it yourself while you install it.

Regards,
Frank
RE: [Full-Disclosure] Web sites compromised by IIS attack
Did M$ write ftp.exe? If so then they own it, they own the sources and all rights to the code. Redhat owns very little of the code you get on their CD.

Denis

On Thu, 1 Jul 2004, Stuart Fox (DSL AK) wrote:

Paul, If I'm understanding you correctly you don't understand Linux/Redhat. Or you're just being silly to make a point. sendmail, wftp , php, etc.. are not owned by Redhat. Each of these applications are owned by someone else and Redhat is allowed to re-distribute them.

Yeah, but Redhat are the vendor, whether or not they actually wrote the software, they distributed it to you. Their product is Redhat Linux (the distribution), if that has a flaw in it they shouldn't get exempted just because they didn't write it. Could Microsoft then pass off support for ftp.exe for instance?

And using the number of fixes/patches to an application as an indication of how good it is, is a bad thing. Using this logic you would have to say M$ is a good product.

I believe you haven't looked at http://support.microsoft.com for a while? And besides, it was pretty clear that he wasn't using it as an indication of relative quality, just as an indicator of the fact that no one writes perfect software.
Re: [Full-Disclosure] [OT] Web sites compromised by IIS attack
On Wed, 30 Jun 2004, codec wrote:

Thanks Eric, I'll look into it this weekend..

Denis

Eric Paynter wrote:

CoD runs also under Linux - with Wine. Maybe there's an Installer on the Web... It's the Q3 Engine, there are many games with this engine, also for linux.
Re: [Full-Disclosure] Web sites compromised by IIS attack
Barry,

I have to agree with you one once a company changes the code then they own it. However wrapping the same old software in an RPM to me does not change it enough to have someone else own the code. I do find it funny that sendmail and BIND have been thrown out in the e-mails (don't think it was you) But these two applications are some of the most buggy bits of code ever written. There are far better applications out there if someone wants to run a mail or dns server if you ask me.

Denis

On Thu, 1 Jul 2004, Barry Fitzgerald wrote:

Denis Dimick wrote:

Did M$ write ftp.exe? If so then they own it, they own the sources and all rights to the code. Redhat owns very little of the code you get on their CD.

Denis

I think that the demarcation line for this is where money changed hands. First of all, ftp.exe is a common example because the ftp.exe that MS has traditionally included with various versions of windows has text data in its binary that's part of the BSD license. So, ftp.exe is borrowed code, so to speak.

First, I'm all for Free Software businesses (anyone who knows me knows this). But, once a company chooses to redistribute Free Software code, they own it for all intents and purposes. The original authors aren't responsible for it because distributions can (and in many cases do) modify the code before they redistribute it. Red Hat takes the money, they get the burden of support. That's the way the model works. :)

-Barry
Re: [Full-Disclosure] [OT] Web sites compromised by IIS attack
WOW.. Nice link.. Thanks Again Ken

Denis

On Thu, 1 Jul 2004, ken wrote:

Eric Paynter wrote:

On Thu, July 1, 2004 8:01 am, Denis Dimick said:

As soon as someone gets CoD running under Linux, I'll go back to a single boot system.

Here you go... http://liflg.sourceforge.net/?page=catcatid=7
Re: [Full-Disclosure] [OT] Web sites compromised by IIS attack
Thanks Ken..

Denis

On Thu, 1 Jul 2004, ken wrote:

Eric Paynter wrote:

On Thu, July 1, 2004 8:01 am, Denis Dimick said:

As soon as someone gets CoD running under Linux, I'll go back to a single boot system.

Here you go... http://liflg.sourceforge.net/?page=catcatid=7
Re: [Full-Disclosure] Web sites compromised by IIS attack
Frank,

I think you're barking up the wrong tree here. Any admin worth his/her salt would at least keep up with security, and try to keep current on all the required patches. There's very little reason to expect, let alone blame M$ for acting the way they have always acted. As long as acting this way will make them money, then they're going to keep acting this way. If you're really mad, then go after the retarded CIOs that don't see anything wrong with giving money to companies that act this way.

Denis

On Wed, 30 Jun 2004, Frank Knobbe wrote:

On Wed, 2004-06-30 at 15:58, TIERNAN RAY, BLOOMBERG/ NEWSROOM: wrote:

[...] Sites running Microsoft server software, such as the Kelley Blue Book, were infected with malicious code. [...] ``Our site was infected,'' said Robyn Eckard, a spokeswoman for Kelley Blue Book, an automotive pricing site at http://www.kbb.com. Users tipped off the site Wednesday that one of 15 Web servers running Microsoft's IIS was infected, she said. [...]

If this email is real (and the headers do look legit), I have to applaud Kelley Blue Book for coming forward with this information. It takes a bit of guts to make an announcement like this.

But I don't think Kelley's Admins are to blame. Administrators should spend their time on keeping systems operating, setting up jobs, and satisfying business requirements. They should not have to spend their time fixing broken products.

No. The blame squarely falls on the manufacturers of broken products. They should produce software that works. That includes QA, product testing, due diligence etc. (Insert your favorite car analogy here)

I think we all have tolerated broken software products for too long. It is high time to demand better products, or to select alternative products. We need to stop accepting software riddled with flaws and instead demand better quality software. No other products besides software is purchased with flaws -- knowingly at least, and consumer oriented organizations are making sure that consumers know about defects. Why should software be different? Because it is more convenient for the manufacturer and not the consumer to fix it after the sale?

We should start treating software like any other products. If it's broken, the producer is required to fix it, not the consumer.

No, I do not blame the companies of compromised servers, nor their admins. I blame the manufacturer of the product. So, with sympathy to Kelley Blue Book, and all other companies that had been affected, I say Shame on you, Microsoft.

Instead of requiring the consumer to install patches, Microsoft should be required to fix their own, broken products. That means that they should send their army of engineers (a lot of which are now carrying the CISSP certification) to the consumers and have their engineers correct the flaws in their products. They sold flawed products, they should fix it.

Regards,
Frank
Re: [Full-Disclosure] Web sites compromised by IIS attack
Please see below..

On Wed, 30 Jun 2004, Frank Knobbe wrote:

On Wed, 2004-06-30 at 21:08, Paul Schmehl wrote:

I'm right there with you, Frank, on one condition. You hold *every* software vendor to the same standard. [...] If we're going to require that software vendors produce flawless products, we're not going to have many software products. Even Postfix, which *to my knowledge* has never had a security issue, has had numerous bug fixes. (And I think so highly of Postfix that the first thing I do when I install a new OS is replace sendmail with Postfix.)

Heya Paul, well, there is a difference between *free* stuff you choose to pull from the Internet and run yourself. Community driven projects should require that everyone running the product is doing their part to fix flaws (even if it just means reporting it to someone who can fix it).

They pretty much do. That is if the application is one that users have found worth supporting.

The difference is with products you *pay for*. If you *buy* a product you trade your money (perhaps chicken in other parts of the world) in the amount considered to equal the worth of the product. You should expect to receive a working product in return. My beef is that we started to accept broken products, and we assumes the task of fixing broken products ourselves. That task should not fall on us but on the manufacturer.

So can I assume that you would allow a vendor to remotely patch your system?

We need better methodologies for finding bugs in software.

Right. But we also need better methodologies for vendors to fix their products. The emphasis here is on the vendor fixing the broken product. It should not be a burden on the consumer, but on the vendor.

Like I said, Do you REALLY want a vendor to install patches for you?

And yes, I'm not targeting Microsoft in particular, although they are the most blatant abusers of consumer rights. I intentionally included all manufacturers of commercial software products.

I think Frank that you're starting to point out a problem for M$ and other vendors. They don't have the money to support their products any longer. M$ has somewhere like 20,000 paid programmers, How many programmers are working on open source products? 100,000 plus, maybe more. How do you expect a company like M$ to compete? I don't think they can.

Denis

Cheers,
Frank
Re: [Full-Disclosure] Web sites compromised by IIS attack
Paul,

If I'm understanding you correctly you don't understand Linux/Redhat. Or you're just being silly to make a point. sendmail, wftp , php, etc.. are not owned by Redhat. Each of these applications are owned by someone else and Redhat is allowed to re-distribute them. And using the number of fixes/patches to an application as an indication of how good it is, is a bad thing. Using this logic you would have to say M$ is a good product.

Denis

On Wed, 30 Jun 2004, Paul Schmehl wrote:

--On Wednesday, June 30, 2004 6:27 PM -0500 Frank Knobbe [EMAIL PROTECTED] wrote:

Instead of requiring the consumer to install patches, Microsoft should be required to fix their own, broken products. That means that they should send their army of engineers (a lot of which are now carrying the CISSP certification) to the consumers and have their engineers correct the flaws in their products. They sold flawed products, they should fix it.

I'm right there with you, Frank, on one condition. You hold *every* software vendor to the same standard. IOW, Apache should be required to fix their own, broken products... RedHat Linux should be required... Oracle should be required... sendmail... wuftpd... php... mysql... etc., etc., etc., ad infinitum, ad nauseam.

Be careful what you wish for. You may actually get it.

I just upgraded my workstation from RedHat 9.0 to Fedora Core 1. I then ran up2date and found that there were 142 software packages that needed to be updated. Just before I did that, I ran portupgrade on one of my FreeBSD boxes. It had 17 programs that had to be updated.

If we're going to require that software vendors produce flawless products, we're not going to have many software products. Even Postfix, which *to my knowledge* has never had a security issue, has had numerous bug fixes. (And I think so highly of Postfix that the first thing I do when I install a new OS is replace sendmail with Postfix.)

I attended a presentation yesterday for a security product in the application firewall field. During the presentation, the CISSP stated that in every 1000 lines of code there will be 15 errors. I don't know if I'd agree with that - I suspect most coders are a bit better than that - but I had to chuckle, because, of course, I immediately thought, So you admit that your code is riddled with holes!

We need better methodologies for finding bugs in software. We need better training of programmers. We need established standards for coding that would define things like bounds checking. We need a *lot* of improvements in software development, and those improvements need to be *industry-wide*, not just Microsoft.

Every time I read about a security vendor with a remote hole in their products, I think, How in the world can they identify attacks, if they can't even see them in their own code? Clearly the problem is a *lot* bigger than Microsoft alone.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Re: [Full-Disclosure] C# Web application security scanner
As soon as I saw the C# I knew it was a troll..

On Fri, 21 May 2004, Mister Coffee wrote:

Don't feed the trolls...

On Thu, May 20, 2004 at 03:24:01PM -0400, [EMAIL PROTECTED] wrote:

I want to start my own web application security company using open source code so I don't have to pay for it. That way I can get everyone else to do my work for me and make lots of money

-Original Message-
From: Martin Mkrtchian [EMAIL PROTECTED]
Sent: May 20, 2004 1:05 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] C# Web application security scanner

Why would u want to start your company with someone else's code? Web application scanner? Are you referring to something like APPSCAN type thing or are you referring to VA Scanner type thing like Nessus. If you are seeking for something like Nessus, then obviously the code is out there, hire someone to customize it to your needs.

On Thu, 20 May 2004 10:08:26 +0530, Aditya, ALD [Aditya Lalit Deshmukh] [EMAIL PROTECTED] wrote:

[EMAIL PROTECTED] wrote:

Can anyone give me the source code to a good web application security scanner written in C# so I can start my own company? Drop me an email with a link or code off of the list please.

since u are starting your own company, i would be very happy to write one for u and share it with the list provided you pay me for doing this, wouldn't u agree ?
Re: [Full-Disclosure] Re: Knocking Microsoft
Linux/Unix just has to be more secure than Windows..;) Also as for lame admins.. Yes there are some when it comes to unix/Linux.. However, when the base OS is more secure than Windows it's not as painful to the rest of us..

-Denis

On Fri, 27 Feb 2004, James F. Wilkus wrote:

and now they try to make it secure. UNIX was made to be secure, and now they are adding colours.

This is not true. UNIX was not made to be secure. Any UNIX security history book will tell you that. Just because you run UNIX does not make you immune to attacks. Linux, with its world domination kick, is recruiting more and more windows admins to its ranks. You think that these same windows, now linux, admins are going to do a better job at securing their systems? These same admins who can not apply patches before the next major worm strikes? apt-get update is easy, so is clicking on windows update...

I think people are doing a disservice by claiming that linux is something it is not, or more accurately, generalizing all UNIX's to be secure.
Re: [Full-Disclosure] HP All-in-one printers on Dells
Wonder if you could make a USB drive or something like that load a PXE image on them and boot a non-windows os.. Looks to me like something to play with and see if it can be used as a crack tool..

-Denis

On Sat, 22 Nov 2003, Irwan Hadi wrote:

On Thu, Nov 20, 2003 at 08:44:02AM -0700, Jim Duggan wrote:

I have a few customers using various dell PCs, and it seems upon booting up with a HP all-in-one printer attached to the USB port the PC attempts to boot off the printer, causing boot times to exceed 20 minutes. Obviously it's timing out after said time but I'm wondering what the hell makes the dell bios think it can boot off the printer, my only assumption would be the smart card reader. Wondering if anyone else has experienced something like this and if so could give a little more insight. I don't see anything short of a bios upgrade from dell fixing this, as of now I just have the customer unplugging the printer upon reboots as a temp workaround.

I think at that time I resolved it by turning off support for legacy USB applications on the BIOS, or something like that. Just go to the BIOS, and check the settings for the USB.
Re: [Full-Disclosure] Any news on www.kievonline.org site?
Very strange dude if you ask me.. He made it past my TMDA filter.. But glad to see he got slamed.. On Tue, 14 Oct 2003, Steve Wray wrote: Hi all, today I found a really wierd email in my inbox, which got me curious about this kievonline.org that this guy is screaming about (I had never heard of it before. I may be an 'infidel' not being moslem but they guy has my skintone and drinking habits all wrong!) When I go to the site, it has a very sad look to it... Apparently it was taken down by 'infidels'. So far in my googling I havn't found anything about the site. Ring any bells with anyone? Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, 14 October 2003 6:34 p.m. To: Steve Wray Subject: thank you You are a piss head for hacking my site and informing my isp !!! Fuck you nigger. if your a man you should come here and tell me in my face A man needs to make a living you know, Now you think my isp is going to do something to stop me ? FUCK YOU Nice try. I have added your email address to every fucking spam list I can find Next time youll fuck with the right person ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Blocking Music Sharing.
The latest issue of Linux Journal had a writeup on how to do this..

HTH,
Denis

On Mon, 15 Sep 2003, Johnson, Mark wrote:

Due to the legal issues, I am trying to block access to sites like Kazaa and Limewire in the office. If I am not mistaken, these networks can use different ports each time, so there is no way to block it at the firewall. Is this right? And if so, what is the best way to block access to these types of sites?

Many thanks,
Mark J.
RE: [Full-Disclosure] SoBig.F strange problem
Just got off the phone with a small ISP out here in New Mexico.. Looks like one of their users has SoBig.f and is doing the same thing as Scott wrote about.. Not a lot you can do until ISPs fix their mail servers to dis-allow this type of activity..

-Denis

On Tue, 19 Aug 2003, Rainer Gerhards wrote:

Scott, I know this problem, too. Fortunately not (yet) with SoBig.F, but with other such virii. The answer is simple: I am sending mail to a lot of people. My mail address is also on a lot of web sites. This provides excellent material for the virus to find my mail address (and now yours) and then it can use that address to forge it as the sender address. So don't take it personally. Sit back and relax. Anyhow, there is nothing you can do against it...

Rainer

-Original Message-
From: Scott Phelps / Dreamwright Studios [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 9:01 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] SoBig.F strange problem

All day today I've been getting copies of SoBig.F. I've gotten around 150 copies so far, and a large number of postmaster bounces saying that a copy sent from my address was undeliverable. I know that SoBig forges the from address from files it finds on the victims machine, but I can't for the life of me figure out why I'm the attempted victim for so many other copies.

I'm not infected with the virus, I'm running antivirus that strips the attachment before it lands in my inbox, and I'm running a version of outlook that disallows the attachment extensions that SoBig uses. I've run manual scans on all of my machines, in case of infection through a network share, but I don't have any of those from outside either.

All the emails seem to be coming from different places, but around 90% are using a from address of @msu.edu. Is there some logical explanation why I'm being singled out here? My antivirus is driving me insane with popups, so I've had to shut down my mail program to get some work done. I'm sorry for the off topic nature of this question, but this makes no sense to me!

Scott
Re: [Full-Disclosure] [Fwd: Edwards AFB shut down by W32Blaster](fwd)
We should talk about gun control next..

On Tue, 19 Aug 2003, Michael Gale wrote:

Please ... if a MCSE is in charge of a network and something happens, like everyone on the network gets the MSBLASTER worm then the MCSE is as much at fault as Microsoft is. Microsoft builds the piece of sh*t but the MCSE are the ones pushing it down everyone's throat saying Look at how user friendly and secure this is. Any real MCSE would know that windows is crap and should therefore do a better job of protecting the internal network.

Michael.

On Tue, 19 Aug 2003 17:42:17 -0500 (CDT) Ron DuFresne [EMAIL PROTECTED] wrote:

On Tue, 19 Aug 2003, Schmehl, Paul L wrote:

-Original Message-
From: Bryan K. Watson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 3:46 AM
To: 'Byron Copeland'; 'Ron DuFresne'; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] [Fwd: Edwards AFB shut down by W32Blaster] (fwd)

That is a load of B.S. if I ever heard it.

I can attest to the fact that this is indeed NOT BS... True, there are a bunch of MCSE's that are on top of things... however, there are way too many scam artists with MCSE's who only give a damn about getting a bigger consulting fee than securing their customer's networks.

And of course there isn't a single *nix consultant around who isn't worth his/her weight in gold and doing an absolutely fabulous job.. Shitty people come in all shapes and sizes and infest every profession. They're as unavoidable as air.

Kinda feeling like all fingers point home huh? Why blame the poor MCSE's when one should perhaps fault the vendor again, for not only failing to provide a viable patching system that does not overburden these folks, but also undertrains them in preparation for the world of hurt they are about to be employed in. There, that should satisfy all those indignant MCSE's that try to do the right thing, but are swamped with the rate of and poor quality of patches they have to deal with.

Thanks,
Ron DuFresne

~~ Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Re: [Full-Disclosure] Linux firewall
I have started to use www.fwbuilder.org. and a standard RH9 dist

On Wed, 18 Jun 2003, Matt wrote:

If you want to go with something pre made - home use you might want to look in to something like IPCop (ipcop.org) or SmoothWall (smoothwall.org). They are pretty simple to set up, requiring very low hardware specs. I had both running like a champ on a 200MHz with 32MB of ram
Re: [Full-Disclosure] Linux firewall
Don't know about BSD.. But I would use Linux.. This is what I use everyday for the past 5 years.. Have yet to have anyone get thru.. Even the morons at EEye have tried..

On Wed, 18 Jun 2003, Gabe Arnold wrote:

I would suggest you use an OpenBSD 3.3 setup with the native PF (Packet Filter) package which is based on the 'BSD IPF package. It's quite nice, easy to use, and very secure. I'd check out www.openbsd.org and www.openbsd.org/faq/pf/ for a good overview of the PF package and how to use it.

--Gabe

* Spencer, Gary TRI-S INC ([EMAIL PROTECTED]) wrote:

Hello everyone. I have been following the discussions for a few months now and enjoy the technical information that everyone has to share. What would your recommendations be for a Linux firewall? And would you use a 50,000 Cisco firewall instead??

Thanks,
Gary.
RE: [Full-Disclosure] RE: [ISN] DARPA pulls OpenBSD funding
One thing I have a very hard time understanding is this: Here in the US we have free speech, this means you can pretty much say whatever you want, and most of the time there is very little people can do about this. But when you make your living off of people buying your products, and you say things that people don't like, why is it wrong for people to decide not to buy your products? It seems to me this is what happened with DARPA and OpenBSD.. I guess the story here is yes we have free speech, but if you depend on others to make your living, maybe you may want to watch what you say, lest you piss off the people that give you the money to make your living.. On Sat, 19 Apr 2003, Paul Schmehl wrote: Somehow I think Theo will find some way to get the project done. He was doing fine before the DARPA project. I do find it interesting that you characterize Theo as expressing his views yet you characterize DARPA as politicizing a technical project. Weren't they both doing the same thing? Why the difference in the characterization? --On Saturday, April 19, 2003 09:10:53 AM -0500 Curt Purdy [EMAIL PROTECTED] wrote: Unfortunately, one of the things that seems to have been overlooked in this political discussion, which I believe does not have a place in this technical forum, is that a great and sorely needed project is in jeopardy. OpenBSD is generally considered one of the most secure network operating systems available today, and that is even before the recent announcement of the new resistance, if not vulnerability to buffer overflows which can be considered the holy grail of programming. Whether you feel de Raadt was wrong for expressing his views on peace, or that DARPA was wrong for politicizing a technical project, the point here should be that the entire technical world is the loser...
Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] RE: [ISN] DARPA pulls OpenBSD funding
What a great opportunity for you. You can now sell them all new hardware and convert them over to OpenSource. As for the NIC issue, just sell them MBs with built-in NICs. Almost all MBs are made outside of the US, so you're not going to have much of a problem finding ones that will work for what you need. And just remember. The French are always there when they need us.. On Sat, 19 Apr 2003, yossarian wrote: Thank you. I'm so sick and tired of hearing the cry of McCarthyism from celebrities who have spoken out against the war and are now suffering from boycotts of their products. Get over it. You had the right to say what you want. And we have the right to not buy your stupid records, movies, whatever. It's *free* speech, *not* speech without consequences. Ask Senator Trent Lott if there is a price for speech. I didn't hear any of the anti-war celebrities complain about that. True words, indeed, say what you like but face the consequences. But it is getting a bit awkward - one of my customers decided not to use any American computer stuff any more, ever. This means Linux stuff on funny brands of (Taiwanese and French) hardware. I am OK with that for desktop and server environment (Corel is Canadian), and a lot cheaper, but for the WAN part it is getting really hard. Anyway, underneath it is probably US anyway. Another customer decided to get rid of American crypto software, since he is afraid of economic espionage by No such 'n such Agency, helping his US-based competitors. The Brussels incident didn't really help here. These politically motivated discussions are raising the cost of computing, I guess. yossarian ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html