On Tue, Dec 09, 2003 at 11:45:58PM +1100, Russell Coker wrote:
As for acting like a Jackass, Johnny Knoxville and his colleagues are very
talented entertainers who work hard. I wouldn't compare them to you in any way.
Oh, I dunno. I got *your* attention.
But chill the hell out.
On Tue, 9 Dec 2003 22:52, Tom [EMAIL PROTECTED] wrote:
On Tue, Dec 09, 2003 at 01:12:13AM +, Colin Watson wrote:
Could you please try to keep debian-devel posts to well-thought-out [1] technical content,
Sure. I'd also ask everyone to keep their anti-American, anti-Bush SIGs and
On Dec 8, 2003, at 07:14, Julian Mehnle wrote:
Apart from that, as soon as the use of IPv6 broadens, dynamically
assigned IP addresses will diminish.
Stateless autoconfig + privacy extensions means quite the opposite is
likely to occur.
On Tue, Dec 09, 2003 at 01:12:13AM +, Colin Watson wrote:
Could you please try to keep debian-devel posts to well-thought-out [1] technical content,
Sure. I'd also ask everyone to keep their anti-American, anti-Bush SIGs and
random comments out of both lists. I have acted like a
On Sun, Dec 07, 2003 at 09:16:58PM -0500, Patrick Ouellette wrote:
Instead of a smartcard/token/whatever physical device, this incident
could possibly have been thwarted by requiring developers to pre-register
their machine with the project (using ssh host key for example). The
attacker would
Russell Coker wrote:
On Mon, 8 Dec 2003 13:16, Patrick Ouellette [EMAIL PROTECTED] wrote:
Instead of a smartcard/token/whatever physical device, this incident
could possibly have been thwarted by requiring developers to
pre-register their machine with the project (using ssh host key for
On Mon, 8 Dec 2003 23:14, Julian Mehnle [EMAIL PROTECTED] wrote:
One problem with this is developer's machines that are on dial-up
Internet connections. In the case of such machines you can verify the
host key but not the IP address.
You cannot verify the IP address *exactly*, but you can
Russell Coker wrote:
On Mon, 8 Dec 2003 23:14, Julian Mehnle [EMAIL PROTECTED] wrote:
You cannot verify the IP address *exactly*, but you can verify
whether the IP address lies within a range. Dial-up users could at
least register a certain address range, so as to vastly mitigate the
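The two proposals quoted above (Patrick Ouellette's pre-registered ssh host key, and Julian Mehnle's registered address range for dial-up developers) can be combined into one server-side decision. The following is an added illustration, not code from the Debian project or from either poster; the developer names, fingerprints and networks are constructed placeholders, and the registry layout is an assumption made for the example.

```python
"""Added example: server-side check for a pre-registered host key plus an
allowed source range. All names, fingerprints and networks below are
constructed placeholders, not real Debian data."""
import hmac
import ipaddress

# Constructed registry: developer -> registered host-key fingerprint and
# the source networks that developer may connect from. A dial-up user
# registers the ISP's pool instead of a single address, as the thread suggests.
REGISTRY = {
    "alice": {
        "host_key_fingerprint": "SHA256:alice-desktop-placeholder",
        "allowed_sources": ["198.51.100.0/24"],           # fixed office range
    },
    "bob": {
        "host_key_fingerprint": "SHA256:bob-laptop-placeholder",
        "allowed_sources": ["203.0.113.0/24", "2001:db8:1::/48"],  # ISP pools
    },
}


def source_allowed(src_ip: str, networks) -> bool:
    """True if src_ip lies inside any of the registered networks (v4 or v6)."""
    addr = ipaddress.ip_address(src_ip)
    for net in networks:
        network = ipaddress.ip_network(net, strict=False)
        if addr.version == network.version and addr in network:
            return True
    return False


def check_login(user: str, presented_fingerprint: str, src_ip: str) -> str:
    """Return 'allow' or a 'deny: ...' reason.

    Both factors must hold: the host key says *which machine* is connecting,
    the registered range limits *from where* it may connect. A compromised
    registered machine still passes both checks, which is Matt Zimmerman's
    objection elsewhere in the thread."""
    entry = REGISTRY.get(user)
    if entry is None:
        return "deny: unknown developer"
    # constant-time compare so a wrong fingerprint is not distinguishable by timing
    if not hmac.compare_digest(presented_fingerprint, entry["host_key_fingerprint"]):
        return "deny: host key not registered for this developer"
    if not source_allowed(src_ip, entry["allowed_sources"]):
        return "deny: source address outside registered range"
    return "allow"


if __name__ == "__main__":
    print(check_login("bob", "SHA256:bob-laptop-placeholder", "203.0.113.200"))
    print(check_login("bob", "SHA256:bob-laptop-placeholder", "192.0.2.1"))
```

OpenSSH can express the address part natively with a `from="..."` option in front of a key in `authorized_keys`, which restricts that key to the listed patterns; the example above only makes the combined decision explicit so the two factors and the residual risk are visible.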
On Thu, Dec 04, 2003 at 03:29:02PM -0800, Tom wrote:
Just rambling... I'm sure there's tons of holes in what I just said.
All this rambling is getting pretty damn tedious as I try to read
through two weeks' worth of debian-devel backlog. Could you please try
to keep debian-devel posts to
On Mon, Dec 08, 2003 at 01:28:20PM +1100, Russell Coker wrote:
Another problem is that host keys require SUID ssh client in the
default configuration.
This hasn't been true since OpenSSH 3.3, and therefore since before
woody. See ssh-keysign(8).
openssh (1:3.3p1-0.0woody1) testing-security;
On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote:
instance is the hacker sniffed the password, and then logged on to
Debian's servers later at his leisure from a different PC. With a
Instead of a smartcard/token/whatever physical device, this incident
could possibly have been thwarted by
On Mon, 8 Dec 2003 13:16, Patrick Ouellette [EMAIL PROTECTED] wrote:
On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote:
instance is the hacker sniffed the password, and then logged on to
Debian's servers later at his leisure from a different PC. With a
Instead of a
On Mon, Dec 08, 2003 at 01:28:20PM +1100, Russell Coker wrote:
But this still leaves the issue of how to deal with dial-up machines. Even if
we restrict connections to a single ISP as often dial-up machines are not used
with multiple machines, this still isn't necessarily much good, some
On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote:
Smartcards would have avoided the Debian compromise: merely having a
compromised DD box would have prevented bad guy from getting on the box.
It's all about layers of defense.
I think the DD's should seriously think about requiring
On Thu, Dec 04, 2003 at 02:23:54PM -0500, Matt Zimmerman wrote:
On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote:
You must be joking. If the developer's system is compromised, and he logs
into another system after that time, that system can be easily compromised
also.
Yes, but the reason
On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote:
Yes, but the reason it would have been efficacious in this *particular*
instance is the hacker sniffed the password, and then logged on to
Debian's servers later at his leisure from a different PC. With a
smartcard, he would have had to
On Thu, Dec 04, 2003 at 06:13:49PM -0500, Matt Zimmerman wrote:
Not really; he just has to set things up ahead of time. This is like
claiming the attacker has to be present in order to sniff your password from
a telnet session (he doesn't; he just has to have been around at any time
before
On Wed, Dec 03, 2003 at 02:57:11AM +0100, Bernd Eckenfels wrote:
On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
The only way to have avoided this kernel vulnerability from day-0 of
discovery/fix release would have been to be constantly upgrading to
pre-release kernels.
On Tue, 02 Dec 2003, Tom wrote:
Yes but the attacker did not steal the DD's computer. He rooted it
remotely.
So the machine is rooted remotely, the DD logs into a debian box even
using our newfangled smart cards, and the attacker still can control
the connection.
In this particular intrusion
On Wed, Dec 03, 2003 at 12:20:59AM -0800, Don Armstrong wrote:
On Tue, 02 Dec 2003, Tom wrote:
Yes but the attacker did not steal the DD's computer. He rooted it
remotely.
So the machine is rooted remotely, the DD logs into a debian box even
using our newfangled smart cards, and the
[NB: I wanted to take this OT discussion off [EMAIL PROTECTED] and into private
mail, but your e-mail address was munged in some sort of anti-spam
measure, and not trivially un-mungeable. Please consider providing
information on how to demunge it in some X- header, or not using
munging at all.]
On Wed, Dec 03, 2003 at 01:03:16AM -0800, Don Armstrong wrote:
[NB: I wanted to take this OT discussion off [EMAIL PROTECTED] and into private
mail, but your e-mail address was munged in some sort of anti-spam
measure, and not trivially un-mungeable. Please consider providing
information on
On Wed, Dec 03, 2003 at 01:16:39AM -0800, Tom wrote:
If something could have prevented something that actually happened, I
say go for it.
Oh, one last thing: each DD should pay for the device him/her self and
should be required to fly to meet wherever they can pick them up. Why
do you
On Wed, Dec 03, 2003 at 02:00:51PM +1100, Russell Coker wrote:
I agree that smartcards would help a lot. However as has been previously
suggested the cost of 1200+ smart-card readers is probably prohibitive.
What about RSA tokens? This solution does not require any special hardware
to connect
On Wed, 03 Dec 2003, Tom wrote:
each DD should pay for the device him/her self and should be required
to fly to meet wherever they can pick them up. Why do you assume
somebody has to pay for everything? What's wrong with bearing some
of the costs yourself?
Could it possibly be because
On Wed, 3 Dec 2003 20:34, Artur R. Czechowski [EMAIL PROTECTED] wrote:
On Wed, Dec 03, 2003 at 02:00:51PM +1100, Russell Coker wrote:
I agree that smartcards would help a lot. However as has been previously
suggested the cost of 1200+ smart-card readers is probably prohibitive.
What about
On Wed, Dec 03, 2003 at 09:49:21PM +1100, Russell Coker wrote:
On Wed, 3 Dec 2003 20:34, Artur R. Czechowski [EMAIL PROTECTED] wrote:
On Wed, Dec 03, 2003 at 02:00:51PM +1100, Russell Coker wrote:
I agree that smartcards would help a lot. However as has been previously
suggested the cost
On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote:
On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
On Wed, Dec 03, 2003 at 11:17:19AM +1100, Russell Coker wrote:
The only way to have avoided this kernel vulnerability from day-0 of
discovery/fix release would have been
On Wed, Dec 03, 2003 at 12:06:33PM +0100, Artur R. Czechowski wrote:
What is a RSA token?
A device used in some internet banks. You have a device which has only a
chipset, a digital pad with an on/off switch and a display, all embedded in a small
case. Authentication is made using a C/R algorithm: you
On Wed, Dec 03, 2003 at 12:10:28PM +0100, Wouter Verhelst wrote:
Are you going to pay for all those smartcards plus their readers?
Including any smartcards for possible future DD's?
If not, I suggest we forget about this, as it won't be feasible.
I don't think the USB models cost that much
On Wed, Dec 03, 2003 at 12:06:33PM +0100, Artur R. Czechowski wrote:
What is a RSA token?
A device used in some internet banks. You have a device which has only a
chipset, a digital pad with an on/off switch and a display, all embedded in a small
case. Authentication is made using a C/R algorithm: you
On Wed, 3 Dec 2003 22:27:39 +1100, Hamish Moffatt [EMAIL PROTECTED]
wrote:
The RSA SecurID tokens are a bit smarter than that; the output for a
given input changes every minute. My employer uses them for remote
access to their intranet; you have a fixed pin number which you enter
into the card to
On Wed, 3 Dec 2003 23:06, Marc Haber [EMAIL PROTECTED] wrote:
I have no idea what they cost. Also the newest ones are not exactly fit
for carrying around in your wallet. They last 3 years on internal
batteries.
I seriously doubt that the server-side software is DFSG-free. The only Linux
On Wed, Dec 03, 2003 at 01:06:08PM +0100, Marc Haber wrote:
On Wed, 3 Dec 2003 22:27:39 +1100, Hamish Moffatt [EMAIL PROTECTED]
wrote:
The RSA SecurID tokens are a bit smarter than that; the output for a
given input changes every minute. My employer uses them for remote
access to their
On Wed, Dec 03, 2003 at 01:16:39AM -0800, Tom wrote:
On Wed, Dec 03, 2003 at 01:03:16AM -0800, Don Armstrong wrote:
[NB: I wanted to take this OT discussion off [EMAIL PROTECTED] and into private
mail, but your e-mail address was munged in some sort of anti-spam
measure, and not
On Thu, Dec 04, 2003 at 12:20:57AM +1100, Hamish Moffatt wrote:
How about including your full name somewhere in your posts too then?
I find it a bit off-putting to discuss security with someone who's
obscuring their identity.
Ha Ha Ha what a joke. I don't want to be googled for all
On Thu, 4 Dec 2003 00:19:36 +1100, Hamish Moffatt [EMAIL PROTECTED]
wrote:
On Wed, Dec 03, 2003 at 01:06:08PM +0100, Marc Haber wrote:
I seriously doubt that the server-side software is DFSG-free. The only
Linux Agent that is available from rsa.com is for RedHat 7.3, and I
would be astonished
On Wed, Dec 03, 2003 at 01:24:50AM -0800, Tom wrote:
On Wed, Dec 03, 2003 at 01:16:39AM -0800, Tom wrote:
If something could have prevented something that actually happened, I
say go for it.
Oh, one last thing: each DD should pay for the device him/her self and
should be required to
On Wed, Dec 03, 2003 at 08:45:49AM -0600, Steve Langasek wrote:
Share the crack.
In my experience kids in college and right out tend to freak out over
the thought of having to spend a few dollars of disposable income,
because they don't have any :-)
Hey, laugh if you want, most
On Wed, Dec 03, 2003 at 05:42:20AM -0800, Tom wrote:
Let me tell you a story about a job I had one time: I worked for a guy
(in his basement -- don't ask) who bought your personal credit card data
and other publicly available information. He would pay about $10,000 or
$15,000 for lists of
On Wed, Dec 03, 2003 at 09:06:07AM -0600, Graham Wilson wrote:
So you've aided telemarketers and worked for Microsoft? Is your last
name Darkness, middle name Prince of?
Satan fell because he wanted to know. So do I.
I'm a contrarian. I believe the opposite of whatever I'm confronted
with
On Wed, Dec 03, 2003 at 01:54:22PM +1100, Matthew Palmer wrote:
Nov 28 22:39 Linux 2.4.23 released
^
Bernd is correct, though - if the machines had been running 2.4.23, they
wouldn't have been vulnerable. The fact that it was impossible to do so
* Russell Coker ([EMAIL PROTECTED]) [031203 04:03]:
I have sent a message to Werner asking if the GPG smart-card device could be
re-implemented with a USB interface. I think that a USB dongle with GPG
technology would be a good option as most developers' machines already have
USB support.
I demand that Tom may or may not have written...
On Wed, Dec 03, 2003 at 08:45:49AM -0600, Steve Langasek wrote:
Share the crack.
In my experience kids in college and right out tend to freak out over the
thought of having to spend a few dollars of disposable income, because they
don't have
On Tue, Dec 02, 2003 at 05:34:05PM -0800, Don Armstrong wrote:
On Tue, 02 Dec 2003, Tom wrote:
I think the DD's should seriously think about requiring smartcards.
It would have prevented the proximate cause of our recent troubles.
Smartcards are not a magical panacea either. The problems
On Tue, 2 Dec 2003 23:46:45 +, Geoff Richards [EMAIL PROTECTED] said:
On Tue, Dec 02, 2003 at 01:28:28PM -0800, Tom wrote:
I read all the words but took a completely different meaning :-)
I'm from the South, we have different speech patterns...
South of where?
The Mason-Dixon
Andreas Schuldei wrote:
* Russell Coker ([EMAIL PROTECTED]) [031203 04:03]:
I have sent a message to Werner asking if the GPG smart-card device
could be re-implemented with a USB interface. I think that a USB
dongle with GPG technology would be a good option as most developers'
machines
On Wed, 3 Dec 2003 08:30:55 +0100, Bernd Eckenfels [EMAIL PROTECTED] said:
Hehe, well I am sorry. I had the impression 2.4.23 was older. Should
have checked my facts.
BTW: I did check the kernel version of the major distros; all
ship newer kernels than debian (if you look at the
On Wed, Dec 03, 2003 at 10:34:13AM +0100, Artur R. Czechowski wrote:
What about RSA tokens? This solution does not require any special hardware
to connect on the client side.
This also means it does not provide any additional security, besides the costs.
Greetings
Bernd
On Thu, Dec 04, 2003 at 12:03:52AM +1100, Russell Coker wrote:
For an initial order of 1200 units and the potential for other larger orders
they may reconsider this.
There are some more tokens, which are based on the open X9.9 DES protocol and
not the secret SecurID stuff.
Greetings
Bernd
On Thu, Dec 04, 2003 at 10:18:44AM +1100, Russell Coker wrote:
What about RSA tokens? This solution does not require any special
hardware to connect on the client side.
This also means it does not provide any additional security, besides the
costs.
What makes you think that?
Well, I
On Wed, Dec 03, 2003 at 11:42:06PM +0100, Bernd Eckenfels wrote:
On Wed, Dec 03, 2003 at 10:34:13AM +0100, Artur R. Czechowski wrote:
What about RSA tokens? This solution does not require any special hardware
to connect on the client side.
This also means it does not provide any additional
On Thu, 4 Dec 2003 09:42, Bernd Eckenfels [EMAIL PROTECTED] wrote:
On Wed, Dec 03, 2003 at 10:34:13AM +0100, Artur R. Czechowski wrote:
What about RSA tokens? This solution does not require any special
hardware to connect on the client side.
This also means it does not provide any
On Thu, 4 Dec 2003 05:02, Andreas Schuldei [EMAIL PROTECTED] wrote:
* Russell Coker ([EMAIL PROTECTED]) [031203 04:03]:
I have sent a message to Werner asking if the GPG smart-card device could
be re-implemented with a USB interface. I think that a USB dongle with
GPG technology would be a
On Wed, Dec 03, 2003 at 02:57:11AM +0100, Bernd Eckenfels wrote:
On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
The only way to have avoided this kernel vulnerability from day-0 of
discovery/fix release would have been to be constantly upgrading to
pre-release kernels.
On Wed, Dec 03, 2003 at 02:11:59PM +1100, Russell Coker wrote:
Every DD needs to have immediate access to servers running each of the
supported architectures.
Yes of course. But this does not mean they have to have access to
infrastructure of the project. A box for a DD to debug and test the
Frederik Dannemare [EMAIL PROTECTED] wrote:
just curious: any particular reason why we didn't see a backport any sooner of
the integer overflow in the brk system call (see recent announcement by
Wichert Akkerman:
On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote:
Apparently nobody knew it was comparable to ptrace, it looked like a
simple bugfix and not like a local root exploit.
Well, I just downloaded 2.4.23 from kernel.org and installed it.
[obGrumble] I never got hit by any of the
Tom [EMAIL PROTECTED] wrote:
On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote:
Apparently nobody knew it was comparable to ptrace, it looked like a
simple bugfix and not like a local root exploit.
Well, I just downloaded 2.4.23 from kernel.org and installed it.
You could have
On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler wrote:
Afaik: 2.4.23 contains literally 100s of changes, one of these was a
small change to do_brk(), which looked like a normal non-critical
bugfix to everybody involved. Some time later Debian was hacked and
backtracing how the
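Andreas Metzler's point above is that the do_brk() change looked like an ordinary bounds fix. What it actually closed was an unchecked `addr + len` computation in a kernel path, the class of bug this thread calls an integer overflow in brk. The block below is an added model of that class, written here for illustration; it is not the 2.4 kernel source. It assumes 32-bit arithmetic and the default i386 3G/1G split (user space ending at 0xC0000000); the three `do_brk_*` functions are hypothetical names chosen to contrast an absent check, a half check, and the full check, and the sample addresses are constructed.

```python
"""Added example: why an addr+len range check needs *both* an upper-bound
test and a wrap-around test. Models 32-bit kernel arithmetic in Python."""
BITS = 32
MASK = (1 << BITS) - 1
TASK_SIZE = 0xC0000000      # assumed i386 layout: user space is below this
EINVAL = -22                # Linux errno value for EINVAL, negated kernel-style


def region_end(addr: int, length: int) -> int:
    """End address as 32-bit hardware would compute it (wraps modulo 2**32)."""
    return (addr + length) & MASK


def do_brk_unchecked(addr: int, length: int) -> int:
    """No range check at all: returns whatever end the caller asked for,
    even one that lies above TASK_SIZE, i.e. inside kernel address space."""
    return region_end(addr, length)


def do_brk_half_checked(addr: int, length: int) -> int:
    """Only the obvious check. A length large enough to wrap the 32-bit sum
    produces a *small* end value and sails through this test."""
    end = region_end(addr, length)
    if end > TASK_SIZE:
        return EINVAL
    return end


def do_brk_checked(addr: int, length: int) -> int:
    """Hardened: reject a region that leaves user space OR whose end wrapped
    below its start. Both conditions are needed."""
    end = region_end(addr, length)
    if end > TASK_SIZE or end < addr:
        return EINVAL
    return end


if __name__ == "__main__":
    # constructed inputs: a mapping ending just below TASK_SIZE, extended by 1 MiB
    print(hex(do_brk_unchecked(0xBFFF0000, 0x00100000)))   # 0xc00f0000, in kernel space
    # constructed wrap case: the sum overflows 32 bits and lands at 0x000f0000
    print(hex(do_brk_half_checked(0xBFFF0000, 0x40100000)))  # accepted by the half check
    print(do_brk_checked(0xBFFF0000, 0x40100000))            # -22: rejected
```

The second print line is the instructive one: the wrapped end (0x000f0000) is below TASK_SIZE, so a check that only compares against the upper bound accepts a region whose end precedes its start. Reviewers reading a one-line "bounds fix" on lkml would see only the added comparison, which is why, as the thread notes, nobody flagged it as a local root hole.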
Jonathan Dowland [EMAIL PROTECTED] writes:
On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler wrote:
Afaik: 2.4.23 contains literally 100s of changes, one of these was a
small change to do_brk(), which looked like a normal non-critical
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like it is that dangerous.
It messed up your life for a couple weeks.
Jesus, it's not the end of the world, but that's
Scripsit Tom [EMAIL PROTECTED]
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like it is that dangerous.
If it wasn't a big deal we wouldn't be talking about it.
On Tue, 2003-12-02 at 17:31, Tom wrote:
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like it is that dangerous.
It messed up your life for a couple weeks.
Tom [EMAIL PROTECTED] writes:
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like it is that dangerous.
[snip]
If it wasn't a big deal we wouldn't be talking about
On Tue, Dec 02, 2003 at 08:51:50PM +0100, Andreas Rottmann wrote:
Tom [EMAIL PROTECTED] writes:
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like it is that
Henning Makholm wrote:
Scripsit Tom [EMAIL PROTECTED]
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
definitely right that the hole doesn't look like it is that dangerous.
If it wasn't a big deal we wouldn't be
On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote:
Apparently nobody knew it was comparable to ptrace, it looked like a
simple bugfix and not like a local root exploit.
What bugs the hell out of me is that people with nothing better to do with
their time can sit on the lkml
On Tue, Dec 02, 2003 at 01:28:28PM -0800, Tom wrote:
On Tue, Dec 02, 2003 at 08:51:50PM +0100, Andreas Rottmann wrote:
Tom [EMAIL PROTECTED] writes:
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote:
rather far from changing anything in the kernel memory. Andreas is
On Wed, 3 Dec 2003 10:20, Andrew Pollock [EMAIL PROTECTED] wrote:
What bugs the hell out of me is that people with nothing better to do with
their time can sit on the lkml and watch what's getting fixed, and put more
analysis into individual fixes than the kernel maintainers themselves can,
On Tue, Dec 02, 2003 at 11:46:45PM +, Geoff Richards wrote:
South of where?
USA. North Carolina. Not South Carolina. Remember that.
Redhat is in North Carolina. joke I always wonder if those
mascara-wearing Cure-listening long-haired Linux skater punks ever get
into trouble out in
On Wed, Dec 03, 2003 at 11:17:19AM +1100, Russell Coker wrote:
Of course someone could look at the MS fixes and do some decompilation for a
similar result. Sure it would be more difficult to analyse the assembler
code produced from decompilation than to analyse C source, but OTOH there is
On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
On Wed, Dec 03, 2003 at 11:17:19AM +1100, Russell Coker wrote:
The only way to have avoided this kernel vulnerability from day-0 of
discovery/fix release would have been to be constantly upgrading to
pre-release kernels.
I'm
On Tue, 02 Dec 2003, Tom wrote:
I think the DD's should seriously think about requiring smartcards.
It would have prevented the proximate cause of our recent troubles.
Smartcards are not a magical panacea either. The problems associated
with them aren't too terribly different from those
On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
The only way to have avoided this kernel vulnerability from day-0 of
discovery/fix release would have been to be constantly upgrading to
pre-release kernels.
Yes but also the debian servers would not have been vulnerable if they
On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote:
I think the DD's should seriously think about requiring smartcards. It
would have prevented the proximate cause of our recent troubles.
No, we have to deal with a large population of untrusted individuals. Even
if we can keep outsiders out
On Wed, Dec 03, 2003 at 02:57:11AM +0100, Bernd Eckenfels wrote:
On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
The only way to have avoided this kernel vulnerability from day-0 of
discovery/fix release would have been to be constantly upgrading to
pre-release kernels.
On Wed, 3 Dec 2003 12:19, Tom [EMAIL PROTECTED] wrote:
Smartcards would have avoided the Debian compromise: merely having a
compromised DD box would have prevented bad guy from getting on the box.
It's all about layers of defense.
I think the DD's should seriously think about requiring
On Wed, 3 Dec 2003 13:02, Bernd Eckenfels [EMAIL PROTECTED] wrote:
Even if it is painful to decide: more privileges to DDs on a need-to-have
basis.
Every DD needs to have immediate access to servers running each of the
supported architectures.
I use mainly i386. If I have to jump through
On Tue, Dec 02, 2003 at 08:47:10PM -0600, Steve Langasek wrote:
On Wed, Dec 03, 2003 at 02:57:11AM +0100, Bernd Eckenfels wrote:
On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote:
The only way to have avoided this kernel vulnerability from day-0 of
discovery/fix release would
On Wed, 3 Dec 2003 12:34, Don Armstrong [EMAIL PROTECTED] wrote:
Smartcards are not a magical panacea either.
True.
The problems associated
with them aren't too terribly different from those associated with
keys or other forms of physical security, notably, that they can be
stolen, or the
Hi everybody,
just curious: any particular reason why we didn't see a backport any sooner of
the integer overflow in the brk system call (see recent announcement by
Wichert Akkerman:
http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00212.html)
like we did with
Frederik Dannemare wrote:
Hi everybody,
just curious: any particular reason why we didn't see a backport any
sooner of the integer overflow in the brk system call (see recent
announcement by Wichert Akkerman: