Re: debian wheezy i386 nginx iframe rootkit

2013-09-12 Thread Joel Rees
On Thu, Sep 12, 2013 at 9:39 AM, E Frank Ball III fra...@efball.com wrote: On Thu, Sep 12, 2013 at 09:13:46AM +0900, Joel Rees wrote: On Thu, Sep 12, 2013 at 7:48 AM, E Frank Ball III fra...@efball.com wrote: Last fall there was a debian 64-bit / nginx rootkit going around, now I've

Re: debian wheezy i386 nginx iframe rootkit

2013-09-12 Thread Luis Mondesi
On Sep 11, 2013, at 18:48, E Frank Ball III fra...@efball.com wrote: Last fall there was a debian 64-bit / nginx rootkit going around, now I've been hit with what sounds similar but on 32-bit wheezy. Here's a link to info on the previous 64-bit rootkit:

Re: debian wheezy i386 nginx iframe rootkit

2013-09-12 Thread E Frank Ball III
On Thu, Sep 12, 2013 at 07:15:57PM +0900, Joel Rees wrote: The lynx web browser shows this as the first line of the webpages: Local on the machine in question or external? external. IFRAME: http://122.226.137.123:/yixi.exe It also appears in downloads using wget. view

Re: debian wheezy i386 nginx iframe rootkit

2013-09-12 Thread Matthew Babcock
I am glad someone asked if the browser is running on the server; I had that thought too. The problem could be something in between the actual client and the server. Additionally, this could be done without using any malicious software, like a rootkit. Legitimate software could be configured to

How secure is an installation with with no non-free packages?

2013-09-12 Thread adrelanos
How secure is a Debian installation packages installed only from main, none from contrib or non-free? It will lack for example the firmware-linux-nonfree package and the intel-microcode / amd-microcode package. At least the microcode one is security relevant? Are there any other packages which

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jonathan Perry-Houts
Not everyone has to individually audit their own code unless they're just ridiculously paranoid. It's true that serious bugs can go by unnoticed. Another example would be that SSL debacle in Debian a few years back. That thing slipped by without

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jonathan Perry-Houts
I still don't see why this should make me trust closed code more. For all I know Intel's code is full of lines like that, or worse. On 09/12/2013 03:15 PM, Jann Horn wrote: On Thu, Sep 12, 2013 at 05:01:09PM -0500, Jordon Bedwell wrote: On Thu, Sep

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jann Horn
On Thu, Sep 12, 2013 at 05:01:09PM -0500, Jordon Bedwell wrote: On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts jperryho...@gmail.com wrote: I can't speak to those packages specifically but I think the answer you'll get from most people, especially in this community, is that non-free

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jonathan Perry-Houts
I can't speak to those packages specifically but I think the answer you'll get from most people, especially in this community, is that non-free software is inherently insecure because you can't know exactly what it is doing. Thus, a fully free system

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jonathan Perry-Houts
Read my first email, I never said that anyone should trust open source software to be perfect. I said that closed software is inherently untrustworthy. If you disagree, I'd like to hear why. On 09/12/2013 04:25 PM, Jordon Bedwell wrote: On Thu, Sep

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jordon Bedwell
On Thu, Sep 12, 2013 at 5:23 PM, Jonathan Perry-Houts jperryho...@gmail.com wrote: I still don't see why this should make me trust closed code more. For all I know Intel's code is full of lines like that, or worse. It's not about getting you to like closed or open source software more, it's

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread adrelanos
adrelanos: How secure is a Debian installation packages installed only from main, none from contrib or non-free? It will lack for example the firmware-linux-nonfree package and the intel-microcode / amd-microcode package. At least the microcode one is security relevant? Are there any other

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jose Luis Rivas
On 09/12/2013 07:12 PM, adrelanos wrote: To rephrase my original question: How vulnerable is Debian installation without intel-microcode / amd-microcode package? Are there other contrib and/or non-free packages, similar to the microcode package, which make the system vulnerable, if not

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Joel Rees
On Fri, Sep 13, 2013 at 8:42 AM, adrelanos adrela...@riseup.net wrote: adrelanos: How secure is a Debian installation packages installed only from main, none from contrib or non-free? It will lack for example the firmware-linux-nonfree package and the intel-microcode / amd-microcode package.

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Joel Rees
I am not Debian, but I am in rant-mode on this subject today, so bear with me -- On Fri, Sep 13, 2013 at 10:02 AM, adrelanos adrela...@riseup.net wrote: Jose Luis Rivas: So no, there's no other contrib/non-free packages there. I didn't want to imply, that there are preinstalled. The reason

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread adrelanos
Jose Luis Rivas: So no, there's no other contrib/non-free packages there. I didn't want to imply, that there are preinstalled. The reason why you can't install Debian directly from a WiFi with some manufacturers is precisely that we do not ship non-free nor contrib software by default in our

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread adrelanos
Okay, thank you for your reply! Convinces me. Joel Rees: I assume you have read his essay on trusting trust? Yes, but I am not claiming, that I fully understand it. rant-mode Not perceived as rant at all. Are there other contrib and/or non-free packages, similar to the microcode package,

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Joel Rees
On Fri, Sep 13, 2013 at 10:11 AM, adrelanos adrela...@riseup.net wrote: [...] Yes, the more I dig into one topic, the open questions remain and the stronger the conclusion we're totally screwed becomes. We've always been screwed. I'd say, ever since the 6809 faded away, but what I'd mean is

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread adrelanos
Joel Rees: I am not Debian, but I am in rant-mode on this subject today, so bear with me -- On Fri, Sep 13, 2013 at 10:02 AM, adrelanos adrela...@riseup.net wrote: Jose Luis Rivas: So no, there's no other contrib/non-free packages there. I didn't want to imply, that there are

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jose Luis Rivas
On 09/12/2013 08:32 PM, adrelanos wrote: So we have the (intel/amd)-microcode and the firmware-linux-nonfree package which should be installed to improve security? Are there any other packages of this type? Who said they improve security? We don't know what they are. And I doubt they will

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Jordon Bedwell
On Thu, Sep 12, 2013 at 9:03 PM, adrelanos adrela...@riseup.net wrote: Microcode. (I guess if the vulnerability can not be fixed with some kind of firmware upgrade and is used in the wild, that would be a reason to get it replaced for free or being required to buy a new one.) I'm not a lawyer

Re: How secure is an installation with with no non-free packages?

2013-09-12 Thread Paul Wise
On Thu, Sep 12, 2013 at 11:41 PM, adrelanos wrote: How secure is a Debian installation packages installed only from main, none from contrib or non-free? Install and run debsecan on such a system to find out about the known vulnerabilities. For the unknown ones you have to audit the code