Re: [work] Integrity of Debian packages

2003-03-06 Thread Andrew Pollock
On Thu, Mar 06, 2003 at 09:21:21PM -0500, Gary MacDougall wrote: [snip] > This is silly to blame the FBI. I'd be far more concerned about the > average knucklehead > trying to do this maliciously than thinking the FBI would do it... please. I wasn't that worried about the FBI, being Australian

Re: [work] Integrity of Debian packages

2003-03-06 Thread Peter Cordes
On Thu, Mar 06, 2003 at 09:21:21PM -0500, Gary MacDougall wrote: > If the FBI has the power, time and energy to install a proxy between my > router > and my ISP to spoof a package host (i.e. security.debian.org) just to > root my servers, then they > are clearly a heck of lot more "geeky" than I

Re: Integrity of Debian packages

2003-03-06 Thread berin
Andrew, Apologies - I'm having a bad day. Ignore previous e-mail. If I'd bothered to read the start of the article properly I would have picked up where it was coming from a bit better. However, check out : http://groups.google.com/groups?q=debian+signatures&hl=en&lr=&ie=UTF-8&selm=2001031417

Re: [work] Integrity of Debian packages

2003-03-06 Thread Gary MacDougall
If the FBI has the power, time and energy to install a proxy between my router and my ISP to spoof a package host (i.e. security.debian.org) just to root my servers, then they are clearly a heck of lot more "geeky" than I thought. Hell, why go through that trouble, why not just grab my traffic

Re: Integrity of Debian packages

2003-03-06 Thread berin
Putting aside the signing of deb packages - The article is a wee bit simplistic. The fact that the author is stating that a win box is not vulnerable would indicate a fairly large gap in understanding. If someone has root/Administrator access on a box, they can bypass any integrity checking mech

Integrity of Debian packages

2003-03-06 Thread Andrew Pollock
Hi, One of my friends sent me this URL, it's an oldie, and the topic in general has been discussed before, but this article certainly does raise some concerns. http://www.astalavista.com/privacy/library/magic-lantern/fbi.shtml Andrew

Re: Nessus 2.0.0 packages available

2003-03-06 Thread Javier Fernández-Sanguino Peña
On Thu, Mar 06, 2003 at 11:17:07AM -0300, Gustavo Franco wrote: > Hi jfs, Hi there. > > What's the relationship between these nessus 2.0 packages and the nessus > 2.0.1 packages[1] of Josip Rodin at the experimental release? > These packages are not Josip's :-) (the packages pag

Re: Nessus 2.0.0 packages available

2003-03-06 Thread Gustavo Franco
On Tue, 2003-02-25 at 08:17, Javier Fernández-Sanguino Peña wrote: > For those of you who are not aware of it: Nessus 2.0.0 has been released > just today [1]. I've bugged Joy about this (Bug# 182411) but in order to > make his (and my) life easier I've made new 2.0.0 packages for Nessus (i386 > on

Re: Sendmail vulnerability : is Debian falling behind?

2003-03-06 Thread Arnd Hannemmann
Rich Puhek wrote: Jeremy T. Bouse wrote: It's been discussed plenty on the Debian mailing lists as well as having the package maintainer give an update on the status of the packages that are being prepared/ready at this time... Might suggest checking a bit further before making such a

Re: [Q] How to keep Debian system secure: automation?

2003-03-06 Thread Jean-Francois Dive
If you build your own packages *from debian sources*, just get the appropriate source tree. This applies for the kernel as well. JeF On Tue, 2003-03-04 at 14:10, Kynn Jones wrote: > > > > > > apt-get update/upgrade is good enough for me as a way to keep up with > security updates at the binary
