Re: List Archive (Was: Re: p2p, anonymity and security)

2004-03-11 Thread Derek Martin
On Thu, Mar 11, 2004 at 10:40:15PM -0500, [EMAIL PROTECTED] wrote:
>   You're the only person I have ever met who thinks a publicly archived,
> publicly accessible, open-to-anyone-who-subscribes mailing list has any
> expectation of privacy.  

Then I suggest you look at the archives of some mailing list software
mailing lists...  The idea is often brought up there, for the very
same reasons I brought them up here (originally).  Personally, I find
the notion that I should be required to provide personally identifying
information to the whole world in order to participate in a public
forum to be offensive, and contrary to the principles by which the
United States of America was founded.  It does not need to be, and
should not be so.  That so few people value their 4th amendment right
to privacy is a travesty.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.
Replying to it will result in undeliverable mail.
Sorry for the inconvenience.  Thank the spammers.





Re: Photo Album

2004-03-11 Thread Jeff Macdonald
On Thu, 2004-03-11 at 10:46 -0500, Cole Tuininga wrote:
> Hi all - I'm looking to replace my current web based photo album
> software as the current one has some security issues.  Anybody have
> suggestions for or against any particular software?

IDS - Image Display System - written in perl

ids.sf.net I believe.

-- 
Jeff Macdonald <[EMAIL PROTECTED]>
My birding blog: http://www.virtualbuilder.com/archives/cat_birding.html





Re: List Archive (Was: Re: p2p, anonymity and security)

2004-03-11 Thread bscott
On Fri, 12 Mar 2004, at 11:59am, [EMAIL PROTECTED] wrote:
> I agree that the nature of this specific list is much more public than
> private, but I will maintain that the requirement to sign up in order to
> participate makes it a closed, i.e. semi-private, list.

  You can maintain whatever you want.  The list is open to anyone who wants
to participate.  There are no entrance requirements.  That fits the
dictionary definition of "public", if you care to look it up.

  There's also a web gateway.  It used to allow you to post; I think that
broke, but eventually, we want it to come back.

> There's a reason why most mailing lists are closed lists these days: to
> keep the riffraff (i.e. the spammers) out.

  Public places often have access control mechanisms (such as gates) to
prevent abuse.  That does not make them non-public.

  The only reason the list is closed is to keep it from being flooded with
junk-mail.  It used to be open; anyone could post.  Ideally, it still would
be, but the spam situation makes that unlikely.

> I also harp on this point to squash the idea that all mailing lists are
> and must be public.  It's simply not true, but many people seem to feel
> that way.

  Nobody is saying all mailing lists are and must be public.  However, I am
saying that *THIS ONE* is.

>> If you don't like this, my opinion is that you should fscking
>> unsubscribe.
> 
> I do not currently object to anything about the way the list is being run
> ... If I did, I would (as I always do) ask that it be changed, and if that
> failed, I assure you I would do as you suggest.

  There's nothing keeping anyone from doing anything they want with the
messages posted to this list.  For that matter, there is nothing keeping a
spammer from signing up to the list and harvesting all day long.  *It just
hasn't happened yet*.

> (though I would prefer that the archives were available, but with e-mail
> addresses removed)

  The archives are set "private" because nobody's had the time to install
actual spam-guard software.  The eventual goal is something like what
www.mail-archive.com uses, where the address is guarded but can still be
accessed.

> A private club which has one or more members who videotape its
> proceedings, and subsequently post them on the Internet, is still a
> private club.

  GNHLUG is not a private club.  Heck, GNHLUG doesn't even have an official
status.  The closest we ever came to a membership requirement was, "The
intersection of those who are subscribed to the mailing list and those who
attend the meetings".  About all you have to do to "be a part" of GNHLUG is
be interested in it.  This is by design.

> Though it's possible that some of the members may want to hunt you down
> for violating their privacy, depending on the situation.

  You're the only person I have ever met who thinks a publicly archived,
publicly accessible, open-to-anyone-who-subscribes mailing list has any
expectation of privacy.  I suspect you would have a hard time making a case
in a court of law -- due diligence would seem to imply that if one wants
privacy, one should not post publicly.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |

___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss


What happened to Red Hat? (was: acronyms)

2004-03-11 Thread bscott
On Thu, 11 Mar 2004, at 8:52pm, [EMAIL PROTECTED] wrote:
> Fedora (though I think I now understand that is the name for the latest
> distro of RedHat)

  More completely:

  Red Hat Software (RHS) used to produce something called "Red Hat Linux"  
(RHL), which was a distribution of Linux.  Several years ago, RHS added a
second major OS product, called "Red Hat Enterprise Linux" (RHEL).  Several
months ago, RHS announced that they were discontinuing the RHL product.  
The old RHL product was turned into "Fedora Core" (FC).

  RHEL is trying to be a more "commercial" product than RHL was.  RHS is
trying to please large system vendors (e.g., Dell), software vendors (e.g.,
Oracle), and large customers (e.g., Boeing).  Think Red Hat Linux with a
large splash of Sun Solaris added.  RHEL can be *very* expensive, depending
on which flavor you buy.

  FC is trying to be a more "community" distribution than RHL was.  FC is
highly focused on FOSS.  They welcome community contributions.  Think Red
Hat Linux with a large splash of Debian added.  FC is not a product; you
cannot buy it.

  There is also "Red Hat Professional Workstation" (RHPW).  RHPW is
basically RHEL Workstation, but without any offer of "enterprise support"  
from Red Hat.  RHPW takes the place of the price-point of RHL in RHS's
product line.  List is about $90 US.

  The name "Fedora Core" comes from "The Fedora Project".  The Fedora
Project was an independent project that aimed to provide community
contributed RPMs as "add-ons" to the regular RHL product (when it still
existed).  When RHS dissolved RHL, they created "The Red Hat Linux" project.  
The two projects quickly realized that they overlapped heavily, so they
merged.

  It remains to be seen how all this will end up.

  More information:

http://fedora.redhat.com/
  Red Hat's Fedora Project page

http://www.fedora.us/
  Original Fedora Project page

http://www.redhat.com/software/workstation/ 
  Red Hat Professional Workstation

http://www.redhat.com/software/rhel/
  Red Hat Enterprise Linux

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |




Re: List Archive (Was: Re: p2p, anonymity and security)

2004-03-11 Thread Travis Roy
Derek Martin wrote:
> On Thu, Mar 11, 2004 at 01:01:48PM -0500, [EMAIL PROTECTED] wrote:
>> On Fri, 12 Mar 2004, at 1:04am, [EMAIL PROTECTED] wrote:
>>>> (and this is a wholly public forum).
>>>
>>> I disagree there, also.
>>
>>   Derek: *GET OVER THIS*.
>
> Thank you, but no.
>
> I agree that the nature of this specific list is much more public than
> private, but I will maintain that the requirement to sign up in order
> to participate makes it a closed, i.e.  semi-private, list.  There's a
> reason why most mailing lists are closed lists these days: to keep the
> riffraff (i.e.  the spammers) out.  This behavior is exactly analogous
> to private clubs which require membership, as I have argued before.
> Many private clubs will pretty much let anyone join, but they require
> membership so that they know who they're dealing with (and probably
> also to hit them up for money every so often)

ugh, not this again...

Any list that does not require a human to manually add somebody is 
public. Anybody can set up a disposable email to join the list and 
harvest email addresses. Anybody can write a bot to join the list 
automatically and sit there and collect email addresses from list 
emails. I also have no doubt that this is already happening.

> I do not currently object to anything about the way the list is being
> run (though I would prefer that the archives were available, but with
> e-mail addresses removed).  If I did, I would (as I always do) ask
> that it be changed, and if that failed, I assure you I would do as you
> suggest.

How do you know that somebody that's subscribed to the list isn't 
already putting up an archive of the list with the email addresses intact?

> A private club which has one or more members who videotape its
> proceedings, and subsequently post them on the Internet, is still a
> private club.  Your personal archival of the ensuing events on a
> public network makes no difference...  Though it's possible that some
> of the members may want to hunt you down for violating their privacy,
> depending on the situation.

So if me, or anybody else on the list decides to start posting a public 
archive of the list with email addresses attached you'll hunt them 
down.. I'll remember that and be sure to do it under a yahoo account 
with bogus information and have it archive the list on a free web 
hosting site that also has bogus information. I'd wonder how much they 
would laugh at you when you try to get the sites taken down because 
your email address is posted in the archive.



Re: List Archive (Was: Re: p2p, anonymity and security)

2004-03-11 Thread Derek Martin
On Thu, Mar 11, 2004 at 01:01:48PM -0500, [EMAIL PROTECTED] wrote:
> On Fri, 12 Mar 2004, at 1:04am, [EMAIL PROTECTED] wrote:
> >> (and this is a wholly public forum).  
> > 
> > I disagree there, also. 
> 
>   Derek: *GET OVER THIS*.

Thank you, but no.  

I agree that the nature of this specific list is much more public than
private, but I will maintain that the requirement to sign up in order
to participate makes it a closed, i.e.  semi-private, list.  There's a
reason why most mailing lists are closed lists these days: to keep the
riffraff (i.e.  the spammers) out.  This behavior is exactly analogous
to private clubs which require membership, as I have argued before.
Many private clubs will pretty much let anyone join, but they require
membership so that they know who they're dealing with (and probably
also to hit them up for money every so often).

I also harp on this point to squash the idea that all mailing lists
are and must be public.  It's simply not true, but many people seem to
feel that way.

> If you don't like this, my opinion is that you should fscking
> unsubscribe.  

I do not currently object to anything about the way the list is being
run (though I would prefer that the archives were available, but with
e-mail addresses removed).  If I did, I would (as I always do) ask
that it be changed, and if that failed, I assure you I would do as you
suggest.


On Thu, Mar 11, 2004 at 12:45:45PM -0500, Travis Roy wrote:
> >limited to those who are signed up.  This list happens to also archive
> >the messages, but a) not in their original form, and b) this does not
> >need to be the case.
> 
> Actually, you have no idea what other people on the list are doing with 
> regards to the list. For a time I posted a public archive of another 
> list that I belonged to (because the list didn't have its own archive). 

A private club which has one or more members who videotape its
proceedings, and subsequently post them on the Internet, is still a
private club.  Your personal archival of the ensuing events on a
public network makes no difference...  Though it's possible that some
of the members may want to hunt you down for violating their privacy,
depending on the situation.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.
Replying to it will result in undeliverable mail.
Sorry for the inconvenience.  Thank the spammers.




Re: acronyms - Re: Boston Linux Meeting Wednesday, March 17, 2004 (room 4-370):Movie Production with Linux & Cinelerra

2004-03-11 Thread bscott
On Thu, 11 Mar 2004, at 8:52pm, [EMAIL PROTECTED] wrote:
> How about a small FAQ specific to GNHLUG for interpreting commonly used
> acronyms on this list?

  http://www.acronymfinder.com/

  Also, I have the following "URL" configured as a link on my Mozilla
"Personal Toolbar".  It should work in just about any JavaScript-enabled
browser.  Watch out for line-wrapping.

javascript:void(q=prompt('Expand:',''));if(q)void(location.replace('http://www.acronymfinder.com/af-query.asp?String=exact&Acronym='+escape(q)));

  The above technique is often called a "bookmarklet" or "favlet".  A Google
search on those terms can be quite rewarding.

  YMMV.  HTH.  HAND.  ;-)

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: acronyms - Re: Boston Linux Meeting Wednesday, March 17, 2004 (room 4-370):Movie Production with Linux & Cinelerra

2004-03-11 Thread Travis Roy

>> What is PITA?
>
> Pain in the rear

rear doesn't start with an a, that would be pain in the ASS

:)



Re: acronyms - Re: Boston Linux Meeting Wednesday, March 17, 2004 (room 4-370):Movie Production with Linux & Cinelerra

2004-03-11 Thread Tom Buskey
ksandre wrote:
> What is PITA?

Pain in the rear

> Here's the rest of my list:
>
> FOSS

Free/Open Source Software

> IAAL

I am a lawyer (?)

> ISV

Independent Software Vendor

> Fedora  (though I think I now understand that is the name for the latest
> distro of RedHat)

Yep

> Here's one from the MPlayer-HQ site too:
> GOOM

No clue...



Re:CODECs mplayer

2004-03-11 Thread ksandre
Tom Buskey said:

> Installing from source is a PITA.  There are RPMs out there w/ mplayer +
> various CODECs (including quicktime).  You need to install 4-6 rpms.  They
> work well on Mandrake at least.
>


Doh!  I finally get what PITA is.

"/me blushes"


[Re:  MPlayer source]

I had always understood that in order to have MPlayer operate maximally, one
needed to install from source from the machine on which it will be used.  Also
that the preferred version of the source to use is always CVS (or the "current"
snapshot).  With this in mind, I have always done this with quite a bit of
success, managing to force machines-of-minimal-power to play movies against
their will.  However, I will admit that initial attempts required a great bit
of reading to get it right, but the configuration defaults usually work
anyway.  It seems to me now that MPlayer is a whole lot easier to install from
source than it was.  The configuration is more simple and seems to find most
libs and codecs without quite as much coaxing.  The same seems true for
general usage as well.  I still think too, that the CVS result is better than
the *-pre3 source, though I am still using the *-pre3 and have not yet
reverted to the CVS snapshot.

Caveat:  I do not use it for anything demanding because of my hardware
limitations (ie., I do not even have a writeable CDRom drive or DVD player or
TV card for my computer).


What *is* really giving me fits right now is the mplayerplug-in for the
browser.  It is totally changed (since the requirement of pkgconfig), and I
can not make it work yet.  There are new source releases though, which I have
not yet tried.




-- 
=ksandre=
"Don't panic!"






acronyms - Re: Boston Linux Meeting Wednesday, March 17, 2004 (room 4-370):Movie Production with Linux & Cinelerra

2004-03-11 Thread ksandre
Joshua Flythe said:

> I installed Mplayer from source last year and it was a PITA. I have since
> found unofficial Debian packages for Mplayer which are available from


OK, I give up.  Either I have been out of the loop too long or there are far
too many either totally new or newly defined usages of acronyms to
comprehend.  How about a small FAQ specific to GNHLUG for interpreting
commonly used acronyms on this list?  No, really.  I am semi-serious.  (The
acronym internet site these days sometimes has too many possible definitions
for one acronym to accurately translate.)

What is PITA?

Here's the rest of my list:

FOSS
IAAL
ISV
Fedora  (though I think I now understand that is the name for the latest
distro of RedHat)

Here's one from the MPlayer-HQ site too:
GOOM


-- 
=ksandre=
"Don't panic!"






Re: best ISP in north country?

2004-03-11 Thread Dan Jenkins
ksandre wrote:
> FCG/Cyberportal.  (Originally in Claremont, 1996.)
>
> http://www.fcgnetworks.net
>
> We have used their services since 1996.  The only reason we do not use MVCom
> is because they did not offer a local access number in our area at the time
> dialup ISP service first became available here [Central NH].
> FCG/Cyberportal was the first (well, actually LR.net was, but they went down
> fast).  MVCom was actually  our *first* email and internet connection,
> albeit toll-cost-intensive during times preceding 1996 absent options other
> than FIDONet, and we liked them a lot.  (They still offer a plain shell
> account too last I checked.)  I think the cost comparison between FCG and MV
> are similar, though there may be more options offered by MV.  There are a
> few Linux users who work at FCG too, though support for Linux/UNIX is not
> immediately obvious.

I had good experiences with them some years ago. It was dial-up then and 
I had a Linux box acting as a router for a small office. The dial-up was 
kept up 8 hours a day, all week with nary a drop. Only problem I had was 
billing issues. Took FCG 6 months to terminate the account when they 
switched to another provider (broadband). I have to admit, I'm not sure 
how much of that problem was the then office manager at my client and 
maybe not FCG.

--
Dan Jenkins ([EMAIL PROTECTED])
Rastech Inc., Bedford, NH, USA --- 1-603-624-7272
*** Technical Support for over a Quarter Century


Re: best ISP in north country?

2004-03-11 Thread ksandre
Dan Jenkins said:
> Randy Edwards wrote:
>
>>> I'm sure this has been asked before but, what is (are) the best ISP  in
>>> north country?

> MV Communications services a lot of the North Country. I recommend them
> wholeheartedly. Also, MV tends to be
> less expensive

FCG/Cyberportal.  (Originally in Claremont, 1996.)

http://www.fcgnetworks.net


We have used their services since 1996.  The only reason we do not use MVCom
is because they did not offer a local access number in our area at the time
dialup ISP service first became available here [Central NH].
FCG/Cyberportal was the first (well, actually LR.net was, but they went down
fast).  MVCom was actually  our *first* email and internet connection,
albeit toll-cost-intensive during times preceding 1996 absent options other
than FIDONet, and we liked them a lot.  (They still offer a plain shell
account too last I checked.)  I think the cost comparison between FCG and MV
are similar, though there may be more options offered by MV.  There are a
few Linux users who work at FCG too, though support for Linux/UNIX is not
immediately obvious.






Gallery question

2004-03-11 Thread Michael Bovee
Hi,
A couple months back I was looking into Gallery for organizing pics on 
my webpage here at UVM.  (I'm here not as a Linux hacker, just a MacOSX 
guy who's trying to learn a few things...)

I hit a roadblock when I read that Gallery says something about PHP has 
to be configured with 'safe mode' turned OFF, something like that, 
sorry I don't remember the details at the moment. I found out that here 
at UVM the setting in question was turned ON, and I don't know of a way 
to get around this. Probably easy, I just don't have anyone else to ask. 
Can I still set up gallery to work in this environment where I don't 
have control over how php is configured?

Thanks,
--Michael


Re: p2p, anonymity and security

2004-03-11 Thread ksandre
Mark J. Dulcey said:

>
> At least two Linux companies, Red Hat and Lindows, have been using
> BitTorrent to distribute recent versions of their products. Red Hat  offered
> RH9 by BitTorrent, and BT is the primary means of distribution  of Fedora
> Core.
>

Slackware is now also on the BitTorrent bandwagon.  It is nice to see Bram
Cohen's success here.  I have been a fan of the BitTorrent idea since its
introduction at CodeCON 2002.  (I believe his presentation at that CC might be
archived, btw.  The whole event had been streamed from DNALounge which is how I
happened to see it.)



-- 
=ksandre=
"Don't panic!"






Re: p2p, anonymity and security

2004-03-11 Thread ksandre
bmcculley said:

>
> I haven't kept up with the current status of this field, but I
> remember when there was an outfit named Zero Knowledge Systems
> establishing something called "Freedom Net" to anonymize net
> access.


The last I knew (per news at The L0pht BBS and HNN, both now morphed into
AtStake) about Zero Knowledge Systems is that they abandoned their
intentions, ie., they no longer exist.  (It was something attributed to the
political climate at the time, though I do not recall the specific issue.)
I, too, was interested in their service.  As I understood it, development
had only reached the point to where it was required that one must get one's
ISP to offer the service in order to use it as an individual.  I did this
actively, and my ISP was initially interested, then within that same time
frame, Zero Knowledge went out of business.

I have not, however, attempted lately to see if they have rebirthed.


-- 
=ksandre=
"Don't panic!"





Re: p2p, anonymity and security

2004-03-11 Thread ksandre
Derek Martin said:

>
> And again, even if you actually don't intend to share files illegally, few
> would believe you...
>


Actually, I found the initial post to be exactly as the Subject suggests, "p2p,
anonymity and security."

My background is in medicine, law, and politics.  ;p



-- 
=ksandre=
"Don't panic!"






Re: p2p, anonymity and security

2004-03-11 Thread Hewitt Tech

- Original Message - 
From: <[EMAIL PROTECTED]>
To: "Greater NH Linux User Group" <[EMAIL PROTECTED]>
Sent: Thursday, March 11, 2004 1:22 PM
Subject: Re: p2p, anonymity and security


> On Thu, 11 Mar 2004, at 12:04am, [EMAIL PROTECTED] wrote:
> > So, my first question...Is a Linksys Router doing 'firewall' duty and NAT
> > easy to get past?
>
>   Absolutely.  But not through the vectors you think.
>
>   Those SOHO routers are pretty simple.  They do stateful tracking of TCP
> and UDP, and block anything incoming that you didn't originate.  For
> example, someone trying to telnet into the root shell you have running on
> TCP port 666 will be blocked.
>
>   It's the stuff you allow that is the problem.  You say you have forwarded
> some ports?  What ports?  What are you running on those ports?
>
>   For example: If you forward a port in for that root shell I mentioned,
> anyone who finds that can take over your computer.
>
>   You mention you've installed some software.  How trustworthy is this
> software?  If the software contains backdoors which grant remote access, it
> won't matter how strong your firewall is -- because you've explicitly told
> your firewall to allow the traffic.  Or maybe the software contains no
> deliberate exposures, but is so buggy that exploits are a dime a dozen.  Or
> maybe the design of the network protocol(s) it uses defeat your firewall.
> Or whatever.
>
>   I have encountered many situations where a network with a very good
> firewall is totally compromised by hostile software.  A firewall won't help
> if you download and install the attack vectors willingly.

You may recall within the last year or so a case where someone walked into a
Kinkos copy center and installed a keyboard logger on their public access
machines. In at least a couple of instances, Kinko's customers were using
GoToMyPC software thinking that they could securely access their systems at
the office or home. Unfortunately the keyboard logger trapped the account,
account password, and server password as they were being entered for access
to the GoToMyPC servers.

The guy was caught but not before he managed to perpetrate a fair bit of
identity theft. So the moral is that even relatively secure setups such as
used by GoToMyPC can be compromised by a trojan. Firewalls have pretty much
no defense against this kind of exploit.

-Alex

P.S. The keyboard logger was cleaned off the Kinko's systems but only after
the exploit had been uncovered.



Re: p2p, anonymity and security

2004-03-11 Thread bscott
On Thu, 11 Mar 2004, at 12:37pm, [EMAIL PROTECTED] wrote:
> How do you know that?  Perhaps he wants to share legal content but doesn't
> want everybody and their brother knowing his IP address, name, and
> location.

  If you encountered someone standing in front of a bank, carrying a set of
safe-cracking tools, at 2 AM, dressed all in black, and wearing gloves and
ski-mask, what would you think?

  None of what I describe is illegal.  Maybe the person is just a locksmith
who keeps odd hours and has a bizarre sense of fashion.  However, I think it
is far more likely that the person intends to rob the bank.  Certainly, I
would consider such an encounter sufficient cause to notify law enforcement.

  Obviously, these two situations are not the same, but I do hope nobody
here is naive enough to miss the point I'm making.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



Re: p2p, anonymity and security

2004-03-11 Thread bscott
On Thu, 11 Mar 2004, at 12:04am, [EMAIL PROTECTED] wrote:
> So, my first question...Is a Linksys Router doing 'firewall' duty and NAT
> easy to get past?

  Absolutely.  But not through the vectors you think.

  Those SOHO routers are pretty simple.  They do stateful tracking of TCP
and UDP, and block anything incoming that you didn't originate.  For
example, someone trying to telnet into the root shell you have running on
TCP port 666 will be blocked.

  It's the stuff you allow that is the problem.  You say you have forwarded
some ports?  What ports?  What are you running on those ports?

  For example: If you forward a port in for that root shell I mentioned,
anyone who finds that can take over your computer.

  You mention you've installed some software.  How trustworthy is this
software?  If the software contains backdoors which grant remote access, it
won't matter how strong your firewall is -- because you've explicitly told
your firewall to allow the traffic.  Or maybe the software contains no
deliberate exposures, but is so buggy that exploits are a dime a dozen.  Or
maybe the design of the network protocol(s) it uses defeat your firewall.  
Or whatever.

  I have encountered many situations where a network with a very good
firewall is totally compromised by hostile software.  A firewall won't help
if you download and install the attack vectors willingly.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |
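
The filtering behaviour described in the post above, as an added example that is not part of the original message: a toy Python model of a SOHO router's state table and port forwards. All addresses, ports and names (`SohoRouter`, `run_scenarios`) are constructed for illustration; a real router also tracks TCP flags and state timeouts.

```python
"""Toy model of a SOHO NAT router's stateful filter (constructed example)."""
from dataclasses import dataclass, field

WAN_IP = "203.0.113.10"     # constructed: router's public address
LAN_HOST = "192.168.1.50"   # constructed: machine behind the router
REMOTE = "198.51.100.7"     # constructed: arbitrary Internet host


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class SohoRouter:
    # (proto, wan_port) -> (lan_ip, lan_port): ports the owner chose to forward
    forwards: dict = field(default_factory=dict)
    # (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port):
    # flows that a LAN host originated
    states: dict = field(default_factory=dict)
    next_port: int = 40000

    def forward(self, proto, wan_port, lan_ip, lan_port):
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """A LAN host sends a packet: remember the flow, rewrite the source."""
        for (proto, wan_port, rip, rport), owner in self.states.items():
            if (proto, rip, rport, owner) == (
                    pkt.proto, pkt.dst, pkt.dport, (pkt.src, pkt.sport)):
                break                      # existing flow: reuse its WAN port
        else:
            wan_port = self.next_port      # new flow: allocate a WAN port
            self.next_port += 1
            self.states[(pkt.proto, wan_port, pkt.dst, pkt.dport)] = (
                pkt.src, pkt.sport)
        return Packet(pkt.proto, WAN_IP, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """A packet arrives on the WAN side: (verdict, reason, LAN target)."""
        owner = self.states.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if owner is not None:
            return "ACCEPT", "reply to a flow the LAN originated", owner
        target = self.forwards.get((pkt.proto, pkt.dport))
        if target is not None:
            return "ACCEPT", "owner-configured port forward", target
        return "DROP", "unsolicited inbound", None


def run_scenarios():
    """Walk through the cases from the post and return each verdict."""
    results = {}
    router = SohoRouter()
    probe = Packet("tcp", REMOTE, 51000, WAN_IP, 666)

    # 1. Nothing forwarded: the unsolicited connection attempt is dropped.
    results["no_forward"] = router.inbound(probe)

    # 2. The owner forwards TCP 666: the same packet now reaches the LAN host.
    router.forward("tcp", 666, LAN_HOST, 666)
    results["forwarded"] = router.inbound(probe)

    # 3. No forwards at all, but software on the LAN host connects out first.
    #    The router cannot distinguish this from any other wanted flow.
    router = SohoRouter()
    out = router.outbound(Packet("tcp", LAN_HOST, 33000, REMOTE, 443))
    results["reply"] = router.inbound(
        Packet("tcp", REMOTE, 443, WAN_IP, out.sport))

    # 4. Same remote host, but a source port with no matching state.
    results["no_state"] = router.inbound(
        Packet("tcp", REMOTE, 4444, WAN_IP, out.sport))
    return results


if __name__ == "__main__":
    for name, (verdict, reason, target) in run_scenarios().items():
        print(f"{name:11} {verdict:6} {reason} -> {target}")
```

Scenario 3 is the case the post warns about: the filter accepts the return traffic because a LAN host opened the flow, whatever software that host happened to be running.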



The term "anonymous trust" is an oxymoron

2004-03-11 Thread bscott

  This is related to the recent thread entitled "p2p, anonymity and
security".

  One thing I see a lot in crypto and privacy discussions is the concept of
"anonymous trust".  In context to the discussion in question, it applies to
the desire for a peer-to-peer system which can be trusted to protect the
anonymity of users of said P2P system.

  The term "anonymous trust" is an oxymoron.  It is an inherent
contradiction.

  Case in point: In order to provide anonymity, you have to be able to trust
other members of the system.  Their system could be hijacked by trojan
software, or they might be a hostile force.  Said hostile force might be
using a modified version of the system which is programmed to lie about the
anonymous nature of the connection.  If their identity is anonymous, you
cannot know anything about them.  If you *do* know, then, by definition, it
is no longer anonymous, and it can thus be traced, given sufficient effort.

  The peer you connect to on a P2P network might be some guy in Asia... or
it might be a honey-pot configured by RIAA storm-troopers.  You cannot know.

  Something to keep in mind.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |



This is a public forum (was: p2p, anonymity and security)

2004-03-11 Thread bscott
On Fri, 12 Mar 2004, at 1:04am, [EMAIL PROTECTED] wrote:
>> (and this is a wholly public forum).  
> 
> I disagree there, also. 

  Derek: *GET OVER THIS*.

  This is a public forum.  Always has been, by intent and in practice.  
Anyone who wants to can join.  Anyone who wants to can read.  Anyone is free
to archive this forum, and at least one site out of our control
(http://www.mail-archive.com) does.  By posting to this forum, you're
implicitly giving your consent for all this to happen.

  (The archives at mail.gnhlug.org are currently set to "private", but that
is due to a technical difficulty we are having.  It is not a desired
situation, and should be a temporary thing.)

  If you don't like this, my opinion is that you should fscking unsubscribe.  
That's my opinion.  I cannot say that anyone agrees with me, but I suspect
many do.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |




Re: [blu] Re: Photo Album

2004-03-11 Thread Ben Jackson
On Thu, 11 Mar 2004, Chris Devers wrote:

> The other feature I'd like in a photo site engine would be an architecture
> that is friendly to people who can scp/rsync over new photo directories.
> That way, I could just copy over a fresh batch of photos to my web server,
> and the photo engine would -- maybe as a cron job -- find the new content
> and do various forms of auto-magic (make thumbnails, build & cache pages,
> etc). I don't want to have to upload everything through a web form if I
> can just as easily copy the files over and tell the server where to look
> for new content (or better still, let it be auto-discovered).

*cough* YAPPA *cough*
I use it, it's kinda amateurish, but all I have to do is scp all my photos
over to a directory that I specify in the config, and it automagically
converts thumbnails and dynamic resizing on the fly via ImageMagick.

http://www.innismir.net/photos/

Which reminds me, I need to start making a tree of albums. :)

--
/"\  Ben Jackson
\ /  bbj  innismir.net - http://www.innismir.net/
 X   Member of the ASCII Ribbon Campaign Against HTML Mail
/ \





Re: Photo Album

2004-03-11 Thread Johannes Ullrich

> I've found "yappa-ng" and "r.i.g." that seem to do what I want, but I'm
> not familiar with either.  Anybody have feedback or suggestions?


yappa-ng works well for me. Required a little bit of php tweaking
to get going, but wasn't too bad (maybe I should have read 'README'
first)


-- 
--
Johannes Ullrich [EMAIL PROTECTED]
pgp key: http://johannes.homepc.org/PGPKEYS
contact: http://johannes.homepc.org/contact.htm
--
   "We regret to inform you that we do not enable any of the 
security functions within the routers that we install."
 [EMAIL PROTECTED]
--



Re: Photo Album

2004-03-11 Thread Travis Roy
Cole Tuininga wrote:

> On Thu, 2004-03-11 at 11:08, Drew Taylor wrote:
>
> > Are you referring to the PHP based gallery? If so, the vulnerabilities 
> > have been fixed in a subsequent release.
>
> Nope - I'm talking about a fairly obscure one written quite some time
> ago by a guy I knew.  It's called "phpix" ( http://phpix.sf.net ).

Heh, that's good, you go to the site and the first thing you see is:

** FILES CURRENTLY OFFLINE TO PATCH SECURITY BUGS ** PHPix is a 
web-based photo album. It can automatically generate thumbnails and 
different resolution versions of each image so users can view images at 
their desired resulution.

I'll stick with Gallery ;)


Re: Photo Album

2004-03-11 Thread Chris Devers
On Thu, 11 Mar 2004, Cole Tuininga wrote:

> Hi all - I'm looking to replace my current web based photo album
> software as the current one has some security issues.  Anybody have
> suggestions for or against any particular software? 

You never actually specify what software you're trying to move away from.
That might be relevant for anyone trying to make suggestions :)

> My feature requirements are that it be able to handle multiple albums,
> have "sub" albums/folders, and most importantly, needs to allow the
> viewer to choose the resolution they wish to view at.  It would be nice
> if it also supported me being able to add comments to the pictures as
> well. 



I've also been looking for something like this. 

The most popular application for this kind of thing seems to be PHP
Gallery , but I wasn't very impressed with
what I've seen of it. (Why do PHP engines always look so... amateur? Or
something, I can't put my finger on it, but the tiny sans-serif fonts and 
the near-ubiquitous smiley icons really grate on me for some reason...)

SpiderEyeBalls  is IMO much slicker than
Gallery, but it may not be quite as flexible. (Then again, I may just be
confusing the design of the SEB pages with the interesting photography of
the guy who writes the software -- that is, his photos are interesting, so
the site & its software picks up some of that shine.) 

I really like , which is run by a homemade photo
gallery application called Stem. The pages all look nice, but I
particularly like the touch of using CSS to superimpose captions directly
over the images. Also, and this one is a big deal for me, site visitors
seem to be able to add comments -- I really want a photo site engine that
has this capability, and Stem is the only one I'm aware of -- aside from
some MovableType blog hacks -- that provides this capability.


The other feature I'd like in a photo site engine would be an architecture
that is friendly to people who can scp/rsync over new photo directories. 
That way, I could just copy over a fresh batch of photos to my web server,
and the photo engine would -- maybe as a cron job -- find the new content
and do various forms of auto-magic (make thumbnails, build & cache pages,
etc). I don't want to have to upload everything through a web form if I
can just as easily copy the files over and tell the server where to look
for new content (or better still, let it be auto-discovered). 

Most photo site software I'm aware of doesn't really work that way. 


I'm also interested in suggestions.


-- 
Chris Devers



Re: p2p, anonymity and security

2004-03-11 Thread Travis Roy
Derek Martin wrote:

> On Thu, Mar 11, 2004 at 12:04:57AM -0500, Greg Rundlett wrote:
>
> > I also want to get a general purpose p2p tool similar to Napster, for 
> > sharing ogg, mp3 or other multimedia files.  The number one prerequisite 
> > here is which tool/protocol offers the best anonymity.
>
> I feel obligated to point out that you are basically advertising in a
> relatively public forum your intention to violate Federal law.  This
> is rather a bad idea, particularly in today's climate.  It is
> certainly possible to exchange materials which do not have copyrights
> to which you are not the owner via these file sharing networks;
> however I don't think anyone here is naive enough to believe that is
> (exclusively) what you intend...

How do you know that? Perhaps he wants to share legal content but 
doesn't want everybody and their brother knowing his IP address, name, 
and location. Bands like Guster allow sharing of their music if it's a 
live show that they taped. You can get tons of their shows on 
archive.org. I host guster.net for a friend and he has many many media 
files up that the band has no problem with.

Just because somebody is sharing media files doesn't automatically mean 
they are illegal, even if they want to keep their identity a secret.


Re: p2p, anonymity and security

2004-03-11 Thread Travis Roy

> > You confused me a bit with this wording.  I think you meant to say that 
> > you agree there are thousands of legitimate uses for this technology, 
> > and only the naive here will forget all the fair-use rights bestowed 
> > upon us all.  Or  else you were saying that I could share all the 
> > Grateful Dead songs, public speeches, and other forms of un-encumbered 
> > media that I want.
>
> Then why bother with the anonymity? If you're sharing with your friends,
> then simply set up a password protected area! If the RIAA somehow
> charges you for that then I would think you could sue them for hacking
> your systems.

Perhaps because he wants to share legal content with more than just the 
people he knows, and/or distribute the bandwidth over many connections.



Re: Photo Album

2004-03-11 Thread Travis Roy
Cole Tuininga wrote:

> Hi all - I'm looking to replace my current web based photo album
> software as the current one has some security issues.  Anybody have
> suggestions for or against any particular software?
>
> My feature requirements are that it be able to handle multiple albums,
> have "sub" albums/folders, and most importantly, needs to allow the
> viewer to choose the resolution they wish to view at.  It would be nice
> if it also supported me being able to add comments to the pictures as
> well.
>
> I've found "yappa-ng" and "r.i.g." that seem to do what I want, but I'm
> not familiar with either.  Anybody have feedback or suggestions?

I swear by gallery (galler.sourceforge.net) I love it.


List Archive (Was: Re: p2p, anonymity and security)

2004-03-11 Thread Travis Roy

> > (and this is a wholly public forum).  
>
> I disagree there, also.  In order to post to the list, you must sign
> up...  It is not possible to post unless you are a member.  In order
> to sign up, you must provide some amount of personally identifying
> information (an e-mail address).  That e-mail address can ALWAYS be
> traced back to you, with varying degrees of difficulty, by those with
> government-backed subpoena power...
>
> A public resource, by contrast, is one which anyone can use.
> Generally speaking, there's some amount of anonymity implied.  If I
> use a public restroom, I do not need to sign up to use it, nor do I
> need to identify myself when I do.  If I use a municipal swimming
> pool, (usually) the same is true.  These are public.
>
> You say that this list is a public forum; not so.  In order to be a
> forum, people must participate.  In order to participate, you must
> sign up and identify yourself (albeit minimally).  Hence, it's not
> public.  Likewise, distribution of the original source messages is
> limited to those who are signed up.  This list happens to also archive
> the messages, but a) not in their original form, and b) this does not
> need to be the case.

Actually, you have no idea what other people on the list are doing with 
regards to the list. For a time I posted a public archive of another 
list that I belonged to (because the list didn't have its own archive). 
I could easily do the same with this list and post an archive with 
unedited messages that all the world can see. So I wouldn't say that 
there is no public archive of this list, just that there isn't one that 
you are aware of.


Re: Photo Album

2004-03-11 Thread Drew Taylor
Cole Tuininga wrote:

> Hi all - I'm looking to replace my current web based photo album
> software as the current one has some security issues.  Anybody have
> suggestions for or against any particular software?

Are you referring to the PHP based gallery? If so, the vulnerabilities 
have been fixed in a subsequent release.

Sorry but I don't have any suggestions for other software. :-( But I'd 
like to know too. Especially if it's written in perl since my perl 
skills are WAY better than my php.

Drew
--

Drew Taylor *  Web development & consulting
Email: [EMAIL PROTECTED]  *  Site implementation & hosting
Web  : www.drewtaylor.com   *  perl/mod_perl/DBI/mysql/postgres



Re: p2p, anonymity and security

2004-03-11 Thread Mark J. Dulcey
Greg Rundlett wrote:

> I am not advertising any intention to violate any law.  My intention is 
> explicitly stated and legal (and this is a wholly public forum).  I 
> think it's a good idea to discuss anything.  Who gets to discuss illegal 
> things?  Only lawyers?
>
> To the legal eagles ready to take my rights away, there are much bigger 
> fish to catch: http://www.archive.org/audio/etree.php

Indeed. For those unfamiliar with it, the etree collection on 
archive.org has a large collection of live concerts by hundreds of 
"taper-friendly" artists, available for free download. They offer HTTP 
and FTP downloads.

Another site, digitalpanic.org, offers BitTorrent downloads of 
Widespread Panic and other taper-friendly groups. I think they're closer 
to the future of music downloading, because they are harnessing the 
power of p2p networking. Digital Panic doesn't actually host any music 
files, so they don't need the massive resources that a site like 
archive.org has to have.

At least two Linux companies, Red Hat and Lindows, have been using 
BitTorrent to distribute recent versions of their products. Red Hat 
offered RH9 by BitTorrent, and BT is the primary means of distribution 
of Fedora Core.

The Lindows move is particularly interesting in that they are using it 
as one way to offer a COMMERCIAL product - you can buy Lindows 4.5 by 
BitTorrent download, and you get a 50% discount on the price. This 
appears to be a honor-system deal, as their software does not use any 
type of activation code; the Lindows site itself won't give you the 
.torrent file unless you pay, but if you were to obtain it elsewhere, 
they couldn't stop you from downloading and using the software. I think 
their revenue model is to get most of their money from subscriptions to 
the Click-And-Run Warehouse, not from sales of the OS itself, so they 
probably don't much care if people steal the OS itself.


Re: p2p, anonymity and security

2004-03-11 Thread Mark J. Dulcey
Greg Rundlett wrote:

> So, my first question...Is a Linksys Router doing 'firewall' duty and 
> NAT easy to get past?  If the answer is yes, then what should I do?  Use 
> a firewall-specific distro to convert my old P133MHz box into a Linux 
> firewall?  Maybe someone wants $100 to come over and show me how it's 
> done? (location Newburyport, MA or E. Kingston, NH)

Until you start forwarding some ports for running servers, NAT is 
actually pretty hard to get around; it won't forward any incoming 
connections unless you tell it to. Make sure to set the Linksys box not 
to accept any management connections from the WAN port, or else somebody 
could try to attack it.

If you want to be even more secure, you can set your router to block all 
incoming packets to ports other than the specific services you want to 
be able to use. That would protect you against machines on the LAN 
trying to make connections to unknown services on the outside. This 
takes more work, though, if anybody on the LAN wants to do online gaming 
or the like, since that often requires the use of unusual (and sometimes 
undocumented) ports.

If you forward any ports to an inside box, that box has to be properly 
secured, paying special attention to any ports that get forwarded to it. 
If you set up a machine to be a DMZ, as some NAT boxes allow (that is, a 
machine that receives ALL incoming ports from the outside world), that 
machine had better be running a really good firewall - it's even more 
sensitive than usual, because anyone who cracks it now has access to 
your LAN and the possibly unsecured machines on it.

If you have any Windows machines on the LAN, it's a good idea to block 
the ports that have been used by the popular Windows exploits: 135, 
137-139, and 445. These should be blocked in both directions (incoming 
and outgoing); there are no commonly used services that use these ports 
that you would ever want to run over the Internet. With those filters in 
place, viruses like Blaster are fairly harmless (though they might 
generate some extra traffic on the LAN), even if machines on your LAN 
are infected.

None of this, of course, will protect against users downloading and 
installing Trojan horses or the like. You still have to watch out for those.


Re: Photo Album

2004-03-11 Thread Steven W. Orr
On Thursday, Mar 11th 2004 at 10:46 -0500, quoth Cole Tuininga:

=>
=>Hi all - I'm looking to replace my current web based photo album
=>software as the current one has some security issues.  Anybody have
=>suggestions for or against any particular software?
=>
=>My feature requirements are that it be able to handle multiple albums,
=>have "sub" albums/folders, and most importantly, needs to allow the
=>viewer to choose the resolution they wish to view at.  It would be nice
=>if it also supported me being able to add comments to the pictures as
=>well.
=>
=>I've found "yappa-ng" and "r.i.g." that seem to do what I want, but I'm
=>not familiar with either.  Anybody have feedback or suggestions?

After exhaustive review, I decided on something called Album. You can see 
mine at http://steveo.syslang.net/album and at the bottom of every page is 
a link to Dave's Marginal Hacks so you can get the software. It does 
everything I want and it does it without PHP or MySQL. It just produces 
good old-fashioned HTML.

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net


Re: Photo Album

2004-03-11 Thread Jared Watkins
Cole Tuininga wrote:

> On Thu, 2004-03-11 at 11:08, Drew Taylor wrote:
>
> > Are you referring to the PHP based gallery? If so, the vulnerabilities 
> > have been fixed in a subsequent release.
>
> Nope - I'm talking about a fairly obscure one written quite some time
> ago by a guy I knew.  It's called "phpix" ( http://phpix.sf.net ).

Obscure?  I've been using it at home since version 1x  and it's now
located at http://sourceforge.net/projects/phpix2/
Very easy to customize too... I added in a few lines that would include
a notes file located in each album directory to describe the pictures in
that group.
Jared



Re: Photo Album

2004-03-11 Thread Marc Nozell
On Thu, 2004-03-11 at 10:46, Cole Tuininga wrote:
> Hi all - I'm looking to replace my current web based photo album
> software as the current one has some security issues.  Anybody have
> suggestions for or against any particular software?
> 
> My feature requirements are that it be able to handle multiple albums,
> have "sub" albums/folders, and most importantly, needs to allow the
> viewer to choose the resolution they wish to view at.  It would be nice
> if it also supported me being able to add comments to the pictures as
> well.
> 
> I've found "yappa-ng" and "r.i.g." that seem to do what I want, but I'm
> not familiar with either.  Anybody have feedback or suggestions?

I've been using 'zoph' for a few weeks and am pretty happy with it.  
That said, it is not accessible to anyone but me, but could be. 

Things I like about it:

* web-based *and* command line interface

* stores lots of meta data in MySQL -- photographer, people in the
  picture, location, date, all the exif stuff, multiple user-defined
  categories, multiple, user-defined albums...
   
* different way to look at photos -- pictures of Spencer taken by Marc
  and date after 11-March-1999 and category is 'Destination Imagination'

* Export to static photo albums  - 'bins', 'albums' and zoph 
  formatted HTML.  Handy to burn for CD archives or give to non-internet
  relatives.

* Light boxes, multiple users with different privileges, user ratings
  of photos, etc...

The project hasn't had a release in a while, but the developer is still
around.   I started with the version in debian/testing (apt-get install
zoph), but have since pulled the latest files from their CVS tree.

-marc
-- 
Marc Nozell <[EMAIL PROTECTED]> http://www.nozell.com/blog



Re: Photo Album

2004-03-11 Thread Cole Tuininga
On Thu, 2004-03-11 at 11:08, Drew Taylor wrote:
> Are you referring to the PHP based gallery? If so, the vulnerabilities 
> have been fixed in a subsequent release.

Nope - I'm talking about a fairly obscure one written quite some time
ago by a guy I knew.  It's called "phpix" ( http://phpix.sf.net ).

-- 
Brooks's Law: Adding manpower to a late software project makes it later.

Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D




Re: p2p, anonymity and security

2004-03-11 Thread Derek Martin
On Thu, Mar 11, 2004 at 01:57:48AM -0500, Greg Rundlett wrote:
> To the legal eagles ready to take my rights away, there are much bigger 
> fish to catch: http://www.archive.org/audio/etree.php

There's no one to catch there...  The site obtains permission to
archive the material they archive there.  They are not infringing
anyone's copyright (assuming they're not lying).  At any rate, if they
were sharing illegally, you can be pretty sure they'd be shut down
fast.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.
Replying to it will result in undeliverable mail.
Sorry for the inconvenience.  Thank the spammers.





Re: Photo Album

2004-03-11 Thread brian
I second the gallery nomination, I've been playing with gallery on my
personal site: http://www.karas.net/gallery

Has a lot of cool features (print an image from ifoto.com or similar
services), java-based management clients for PC's, etc...

On Thu, 2004-03-11 at 11:09, Mark Komarinski wrote:

> gallery.sourceforge.net
> 
> -Mark
-- 
brian <[EMAIL PROTECTED]>



Re: p2p, anonymity and security

2004-03-11 Thread Bill Mullen
On Thu, 11 Mar 2004, Greg Rundlett wrote:

> I would like to get bittorrent working, to be able to download ISO's and
> free software more quickly than perhaps I've been able to in the past,
> and at the same time donate my spare bandwidth to those around me who
> are looking for the same files.
[snip]
> I poked a few holes in my Linksys to forward packets to my Linux server.

I have no experience with other P2P apps than BitTorrent (and no interest 
in them, really), but I can tell you that to get the most out of BT, you 
need to tell your router to forward ports 6881 through 6889 inclusive to 
the internal machine running BT. You also need to limit the upload rate to 
no more than about 60-70% of your upstream bandwidth, or the inability to 
send packets in a timely fashion will choke your download speeds - and not 
just the BT d/l speed, but everything else on the box (browsing, etc.).

How the upload rate is limited will vary from client to client; with the 
ncurses client, it's a command-line option (--max_upload_rate). I have no 
idea how this is done with MLdonkey, nor do I know if it can support the 
range of open ports that BT requires for proper (IOW, fast) operation. You 
may have better luck with another client for the BitTorrent stuff - one 
that is more specifically tailored to BT, and not one that "tacks it on".

> So, my first question...Is a Linksys Router doing 'firewall' duty and 
> NAT easy to get past?  If the answer is yes, then what should I do?  Use 
> a firewall-specific distro to convert my old P133MHz box into a Linux 
> firewall?  Maybe someone wants $100 to come over and show me how it's 
> done? (location Newburyport, MA or E. Kingston, NH)

It should be acting as a reasonably effective firewall, and should only be 
permeable on those specific ports you have left open /and/ forwarded to an 
internal system. Should you opt to replace it with Linux, I've had great 
results with SmoothWall (http://www.smoothwall.org), which is very easy to 
install, works on low-spec systems, and has a browser-based interface. It 
also includes the Squid proxy, and Snort for intrusion detection/logging.

As for your offer, I'd take it, but I have no transportation (I'm in North 
Andover, MA, a stone's throw from 495). If that's not a problem for you, 
send me an e-mail and we'll set a mutually-convenient date and time.

HTH!

-- 
Bill Mullen   [EMAIL PROTECTED]   MA, USA   RLU #270075   MDK 8.1 & 9.0
Veni, vidi, velcro. "I came, I saw, I stuck around."  -- Anonymous
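
Added example, not part of any message in this thread: one way to express Mark J. Dulcey's filtering advice (no management from the WAN side, ports 135, 137-139 and 445 dropped in both directions) together with the BitTorrent forward of ports 6881-6889 described above, as an iptables ruleset for a Linux firewall box. The interface names, the inside host address and the script name are assumptions; the function only prints the ruleset and changes nothing on the machine.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a NAT firewall.
# Assumed names: WAN/LAN interfaces and the inside BitTorrent host are
# arguments chosen by the reader; nothing here comes from the thread's hosts.

# valid_ifname NAME: accept only characters that can appear in an
# interface name, so nothing unexpected is pasted into the ruleset.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# valid_ipv4 ADDR: dotted quad, exactly four octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ruleset WAN_IF LAN_IF BT_HOST: write the ruleset to stdout.
gen_ruleset() {
    wan=$1 lan=$2 bt_host=$3
    if ! valid_ifname "$wan" || ! valid_ifname "$lan"; then
        echo "gen_ruleset: bad interface name" >&2
        return 2
    fi
    if ! valid_ipv4 "$bt_host"; then
        echo "gen_ruleset: bad IPv4 address: $bt_host" >&2
        return 2
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward only the BitTorrent range 6881-6889, and only to one inside host.
-A PREROUTING -i $wan -p tcp --dport 6881:6889 -j DNAT --to-destination $bt_host
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall itself accepts nothing new from the WAN: no remote management.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
# Windows RPC/NetBIOS/SMB ports, dropped in both directions before any accept.
-A FORWARD -p tcp -m multiport --dports 135,137:139,445 -j DROP
-A FORWARD -p udp -m multiport --dports 135,137:139,445 -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -d $bt_host -p tcp --dport 6881:6889 -j ACCEPT
COMMIT
EOF
}

# Stand-alone use (script name is hypothetical):
#   sh gen_fw.sh eth0 eth1 192.168.1.10 > rules.v4
if [ "$#" -eq 3 ]; then
    gen_ruleset "$@"
fi
```

The output can be checked without loading it by running `iptables-restore --test < rules.v4` as root on the firewall box. The two DROP rules sit ahead of the ESTABLISHED accept on purpose, so a connection an infected inside machine opens to those ports is dropped too.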


Re: Photo Album

2004-03-11 Thread Kenneth E. Lussier
On Thu, 2004-03-11 at 10:46, Cole Tuininga wrote:
> Hi all - I'm looking to replace my current web based photo album
> software as the current one has some security issues.  Anybody have
> suggestions for or against any particular software?

I have used several different photo album systems, and they all have
their flaws. I have been using Gallery (http://gallery.sourceforge.net/)
for a while now, and it does all of the things that you need, including
the comments. 

C-Ya,
Kenny




Re: Photo Album

2004-03-11 Thread Mark Komarinski
On Thu, Mar 11, 2004 at 10:46:17AM -0500, Cole Tuininga wrote:
> 
> Hi all - I'm looking to replace my current web based photo album
> software as the current one has some security issues.  Anybody have
> suggestions for or against any particular software?
> 
> My feature requirements are that it be able to handle multiple albums,
> have "sub" albums/folders, and most importantly, needs to allow the
> viewer to choose the resolution they wish to view at.  It would be nice
> if it also supported me being able to add comments to the pictures as
> well.
> 
> I've found "yappa-ng" and "r.i.g." that seem to do what I want, but I'm
> not familiar with either.  Anybody have feedback or suggestions?

gallery.sourceforge.net

-Mark




Re: p2p, anonymity and security

2004-03-11 Thread Derek Martin
On Thu, Mar 11, 2004 at 01:57:48AM -0500, Greg Rundlett wrote:
> Derek Martin wrote:
> 
> >I feel obligated to point out that you are basically advertising in a
> >relatively public forum your intention to violate Federal law.  This
> >is rather a bad idea, particularly in today's climate.
> I am not advertising any intention to violate any law.  

Maybe, but it certainly does read that way...  Note that I did not
write in order to attack you; I was only trying to offer you some
friendly advice.  As you say, you're not a lawyer, so you may not be
aware of the potential trouble you may cause yourself.  FWIW, I am not
a lawyer either, but I have actually studied law with real lawyers in
an actual university law course...  That said, please preface any
legal point I make with an implicit "IIRC."

Note also that I said "basically" -- perhaps my choice of words was
sub-optimal, but I included this word to suggest the possibility that
this is not actually what you intend to do.  Nevertheless, what you
actually said was this:

> I also want to get a general purpose p2p tool similar to Napster,
> for sharing ogg, mp3 or other multimedia files.  The number one
> prerequisite here is which tool/protocol offers the best anonymity.

Whether or not you actually plan to violate the law, you clearly want
to share types of files which exist primarily, almost to the exclusion
of anything else, to represent music digitally.  The usual case is for
such files to be ripped from copyrighted CDs.  You mention Napster, a
tool notoriously associated with copyright infringement.  

To complicate your situation, you went on to say you wanted anonymity,
practically in the same breath.  You stated that anonymity was your #1
criteria for choosing a file sharing tool.  We all know that there are
many reasons to want anonymity.  But it doesn't help your case at all.
RIAA lawyers will (probably rather convincingly) argue to the judge
that the only reason you could want anonymity so badly is to avoid
prosecution.

It is not unreasonable for people to believe you mean to violate the
law, based on what you've said.  It is very likely that the paranoid
(i.e. the RIAA's watchdogs) will make such assumptions.  It won't
matter much if you did or didn't, should they decide to try to
convince some judge that it IS your intention, and if they convince
the judge...  Either way, your home will be raided, and your system
will be confiscated.  You may well not go to jail, but if it were me
at the very least it would wreck my day...

> My intention is explicitly stated and legal 

I beg to differ on that.

 explicit - adj.  Fully and clearly expressed; leaving nothing implied.

This is from The American Heritage Dictionary of the English Language,
Fourth Edition.

Your intention was NOT explicit.  You left it up to the reader to
decide whether the OGG and MP3 files you intend to share are
encumbered by a non-owned copyright.

That I am splitting hairs, there is no doubt.  But these are the kinds
of hairs that lawyers (such as those in the employ of the RIAA) enjoy
splitting...

> (and this is a wholly public forum).  

I disagree there, also.  In order to post to the list, you must sign
up...  It is not possible to post unless you are a member.  In order
to sign up, you must provide some amount of personally identifying
information (an e-mail address).  That e-mail address can ALWAYS be
traced back to you, with varying degrees of difficulty, by those with
government-backed subpoena power...

A public resource, by contrast, is one which anyone can use.
Generally speaking, there's some amount of anonymity implied.  If I
use a public restroom, I do not need to sign up to use it, nor do I
need to identify myself when I do.  If I use a municipal swimming
pool, (usually) the same is true.  These are public.

You say that this list is a public forum; not so.  In order to be a
forum, people must participate.  In order to participate, you must
sign up and identify yourself (albeit minimally).  Hence, it's not
public.  Likewise, distribution of the original source messages is
limited to those who are signed up.  This list happens to also archive
the messages, but a) not in their original form, and b) this does not
need to be the case.

There is absolutely nothing inherently public about a mailing list.
They can, in fact, be extremely private.  Most are somewhere in
between...

> I think it's a good idea to discuss anything.  Who gets to discuss
> illegal things?  Only lawyers?

You can discuss illegal things all you like, so long as you don't
announce intention to commit a crime, which is generally illegal.  For
example, if you plot to commit a crime with your friends, you need not
even actually attempt the act to be guilty of a crime.  This is called
conspiracy.  If you are dumb enough to announce your intentions to
kill the president, the Secret Service will make your life unpleasant.
If you tell airport security that you intend to bomb a plane, you will
almos

Tutorials for OpenOffice

2004-03-11 Thread Randy Edwards
   This may be of interest to OOo users:

   Walter Hildebrandt of Denver has recently started a web site aimed at 
introducing people to OOo and to producing various tutorials for the suite.

   You can take a look-see at  and 
if you have any hints or slick tricks for OOo, I'm sure contributions would 
be welcome.

--
 Regards, | Why would anyone want to run an operating system that is free,
 .| has open source code, and is developed worldwide by countless
 Randy| thousands of programmers?
  | Find out why at 
___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss


Photo Album

2004-03-11 Thread Cole Tuininga

Hi all - I'm looking to replace my current web based photo album
software as the current one has some security issues.  Anybody have
suggestions for or against any particular software?

My feature requirements are that it be able to handle multiple albums,
have "sub" albums/folders, and most importantly, needs to allow the
viewer to choose the resolution they wish to view at.  It would be nice
if it also supported me being able to add comments to the pictures as
well.

I've found "yappa-ng" and "r.i.g." that seem to do what I want, but I'm
not familiar with either.  Anybody have feedback or suggestions?

-- 
Puritanism: The haunting fear that someone, somewhere, may be happy.

Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D




Re: p2p, anonymity and security

2004-03-11 Thread Jeff Macdonald
On Thu, 2004-03-11 at 01:57 -0500, Greg Rundlett wrote:


> You confused me a bit with this wording.  I think you meant to say that 
> you agree there are thousands of legitimate uses for this technology, 
> and only the naive here will forget all the fair-use rights bestowed 
> upon us all.  Or  else you were saying that I could share all the 
> Grateful Dead songs, public speeches, and other forms of un-encumbered 
> media that I want.
> 

Then why bother with the anonymity? If you're sharing with your friends,
then simply set up a password protected area! If the RIAA somehow
charges you for that then I would think you could sue them for hacking
your systems.

-- 
Jeff Macdonald <[EMAIL PROTECTED]>
My birding blog: http://www.virtualbuilder.com/archives/cat_birding.html





Re:CODECs mplayer

2004-03-11 Thread Tom Buskey

> If people know that there are other players with better CODEC support,
> I'll certainly be interested to look at them.  I keep meaning to check
> out mplayer...  But I had heard that mplayer was difficult to install.
> Is that (still) true?
>
> --
> Derek D. Martin
> http://www.pizzashack.org/
> GPG Key ID: 0xDFBEAD02

Installing from source is a PITA.  There are RPMs out there w/ mplayer +
various CODECs (including quicktime).  You need to install 4-6 rpms.  They
work well on Mandrake at least.

