Re: thanks

2002-07-26 Thread pll


In a message dated: Fri, 26 Jul 2002 16:35:52 EDT
Robert Casey said:

Wow, those were quick replies. I will take the advice but I'll have to do 
it starting Monday because I'm going home for the weekend, with a headache 
I might add.

Print yourself out a copy of the IPChains docs before you go.  Since 
you'll have plenty of CSTUs[1] to read them over said weekend ;)

[1] CSTU = Copious Spare Time Unit - something we all have *way* too 
much of, right? ;)
-- 

Seeya,
Paul



*
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the text 'unsubscribe gnhlug' in the message body.
*



Re: Thanks, new question

2001-04-11 Thread Derek Martin

On Wed, Apr 11, 2001 at 08:27:32PM -0400, Kenneth E. Lussier wrote:

 You can't. There is no way to harden the RPC services without completely
 rewriting them from the ground up. That would be like trying to protect
 an open door without closing it.

My favorite analogy for this came from Bob Hillery at the SANS
conference: It's like trying to protect a gate with no fence.

Somebody asked me (more or less) why Kenny's statement is true, and
since I said you shouldn't do this without really explaining what the
problem is, I s'pose I should address it.

Ignoring bugs (meaning programming errors; code that does not do what
it was intended to do), RPC suffers from at least one inherent design
flaw from a security perspective.  That is, it depends solely on
host-based authentication for granting access to services.  If you
haven't heard by now, it's very easy to spoof an IP address, and it's
even possible to forge a name lookup, so these things really can't be
trusted for providing authentication to sensitive services.  The
result of which is that it's fairly easy to trick RPC services into
doing things they shouldn't do, if you know what you're doing.

Add to that all the programming errors that are found on a regular
basis, and the fact that these services invariably run as root on most
systems/distros/OSes, and you've got one big security nightmare.  It's
pretty much impossible to secure.

FWIW, IIRC, debian is one of the only places I've seen an RPC daemon
NOT running as root.  But I may be mistaken.


-- 
  I have written this book partly to correct a mistake... A colleague of
mine once told me that the world was full of bad security systems
designed by people who read Applied Cryptography.
  Since writing the book, I have made a living as a cryptography
consultant: designing and analyzing security systems. To my initial
surprise, I found that the weak points had nothing to do with the
mathematics.  They were in the hardware, the software, the networks,
and the people.  Beautiful pieces of mathematics were made irrelevant
through bad programming, a lousy operating system, or someone's bad
password choice.  I learned to look beyond the cryptography, at the
entire system, to find weaknesses.  I started repeating a couple of
sentiments you'll find throughout this book: 'Security is a chain;
it's only as secure as the weakest link.' 'Security is a process, not
a product.'

--Bruce Schneier, from Secrets & Lies
---
Derek Martin  |   Unix/Linux geek
[EMAIL PROTECTED]|   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu


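The design flaw Derek describes above, shown on the wire. This is an added example, not code from the post or from any RPC implementation: it XDR-encodes an ONC RPC version 2 CALL message carrying an AUTH_SYS credential (the flavor historically called AUTH_UNIX) as laid out in RFC 5531, then parses it the way a server would. The program number, the "trusted-host" machine name, the addresses and the `allowed_hosts` list are constructed for the illustration. The point it makes is that the machine name, uid and gids are bytes the caller chose, the verifier field is AUTH_NONE, and so the only other input a classic RPC service has for an access decision is the source address.

```python
"""
Constructed illustration: an ONC RPC CALL with an AUTH_SYS (AUTH_UNIX)
credential, built by a client and parsed by a server.  Nothing in the
credential is signed or verified; the server gets exactly what was sent.
"""
import struct

AUTH_NONE = 0
AUTH_SYS = 1        # historically AUTH_UNIX
MSG_CALL = 0
RPC_VERSION = 2


def _xdr_uint(n):
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", n)


def _xdr_opaque(b):
    """XDR variable-length opaque/string: length, bytes, pad to 4."""
    pad = (-len(b)) % 4
    return _xdr_uint(len(b)) + b + b"\x00" * pad


def authsys_body(stamp, machinename, uid, gid, gids=()):
    """XDR-encode authsys_parms (RFC 5531 appendix A): all client-asserted."""
    out = _xdr_uint(stamp) + _xdr_opaque(machinename.encode())
    out += _xdr_uint(uid) + _xdr_uint(gid) + _xdr_uint(len(gids))
    for g in gids:
        out += _xdr_uint(g)
    return out


def rpc_call(xid, prog, vers, proc, cred_body, params=b""):
    """Encode rpc_msg{xid, CALL, call_body{...}} with an AUTH_SYS credential."""
    hdr = _xdr_uint(xid) + _xdr_uint(MSG_CALL)
    hdr += _xdr_uint(RPC_VERSION) + _xdr_uint(prog) + _xdr_uint(vers) + _xdr_uint(proc)
    cred = _xdr_uint(AUTH_SYS) + _xdr_opaque(cred_body)
    verf = _xdr_uint(AUTH_NONE) + _xdr_opaque(b"")   # AUTH_SYS carries no verifier
    return hdr + cred + verf + params


class _Reader:
    """Minimal XDR decoder over a bytes buffer."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def uint(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def opaque(self):
        n = self.uint()
        b = self.data[self.pos:self.pos + n]
        self.pos += n + ((-n) % 4)
        return b


def parse_call(msg):
    """Decode the call header and AUTH_SYS credential as a server would."""
    r = _Reader(msg)
    call = {"xid": r.uint()}
    if r.uint() != MSG_CALL:
        raise ValueError("not a CALL message")
    if r.uint() != RPC_VERSION:
        raise ValueError("unsupported RPC version")
    call["prog"], call["vers"], call["proc"] = r.uint(), r.uint(), r.uint()
    flavor, body = r.uint(), r.opaque()
    if flavor != AUTH_SYS:
        raise ValueError("this example handles AUTH_SYS only")
    b = _Reader(body)
    call["cred"] = {
        "stamp": b.uint(),
        "machinename": b.opaque().decode(),
        "uid": b.uint(),
        "gid": b.uint(),
    }
    call["cred"]["gids"] = [b.uint() for _ in range(b.uint())]
    # The verifier slot: for AUTH_SYS it is AUTH_NONE, i.e. nothing to check.
    call["verf_flavor"], call["verf_body"] = r.uint(), r.opaque()
    return call


def effective_uid(call, src_ip, allowed_hosts):
    """
    What a classic RPC service has to go on: the source address (spoofable)
    and the uid the client asserted.  Returns the uid it would act as, or
    None if the host is not allowed.  `allowed_hosts` is a constructed
    stand-in for an export/allow list, not any real service's config.
    """
    if src_ip not in allowed_hosts:
        return None
    return call["cred"]["uid"]   # taken on faith; nothing in the message proves it


if __name__ == "__main__":
    # Constructed message: a client simply claims uid 0 and a trusted-sounding name.
    msg = rpc_call(xid=0x1234, prog=100003, vers=2, proc=1,   # 100003 is NFS
                   cred_body=authsys_body(0, "trusted-host", uid=0, gid=0, gids=[0]))
    call = parse_call(msg)
    print(call["cred"])
    print("acts as uid:", effective_uid(call, "10.0.0.5", {"10.0.0.5"}))
```

Run it and the parsed credential comes back with uid 0 and whatever machine name the client picked. `effective_uid` shows that an address allow list is the only check the protocol itself leaves room for, which is precisely the spoofable host-based trust the post is talking about; anything stronger (Secure RPC, Kerberos via RPCSEC_GSS, a firewall in front) has to come from outside the AUTH_SYS credential.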




Re: Thanks, new question

2001-04-11 Thread Karl J. Runge

On Wed, 11 Apr 2001, Derek Martin [EMAIL PROTECTED] wrote:
...
 Ignoring bugs (meaning programming errors; code that does not do what
 it was intended to do), RPC suffers from at least one inherent design
 flaw from a security perspective.  That is, it depends solely on
 host-based authentication for granting access to services.  If you
 haven't heard by now, it's very easy to spoof an IP address, and it's
 even possible to forge a name lookup, so these things really can't be
 trusted for providing authentication to sensitive services.  The
 result of which is that it's fairly easy to trick RPC services into
 doing things they shouldn't do, if you know what you're doing.

BTW, has anyone on the list used Secure-RPC / nis+ in a production
environment?  Any pros/cons to report? I recall hearing the key size
was considered too small (but it seems like it could be jacked up, no?)
I recall seeing mention of a Linux Secure-RPC implementation a few
years back, but haven't followed it.

Thanks,

Karl






Re: Thanks to all, especially Kurth

2000-09-07 Thread Kurth Bemis

At 10:47 AM 9/7/2000 -0700, Shanna wrote:
  Thank you to everyone who had a hand in getting my computers up and
  running.  They are doing great

Now for another question... does anyone know where I would be able to
download ICQ (and other chat engines) online?  I have gone to ICQ, but the
java host needs a file I don't have, and that file requires a format I don't
have (RH 6.x or better).

look at freshmeat.net

LICQ is very popular... as is gnomeICU...

then there's xCHAT for irc... and GAIM... the list goes on and on.

a search at freshmeat.net will help you out a lot.


Also, once upon a time a stumbled across a website that had all sorts of
linux software for sale real cheap, but for the life of me, I cannot find it
again.  Any suggestions?  This is probably a repeat question...sorry about
that.

cheapbytes.com?
linuxmall.com?

what did they sell?  just software?

and shanna - it was no problem :-)

~kurth



Kurth Bemis - Network/Systems Administrator, USAExpress.net/Ozone Computer

[EMAIL PROTECTED]
http://www.usaexpress.net/kurth
ICQ - 6624050
Call Sign - N1TYW
PGP key available - http://www.usaexpress.net/kurth/pgp

Fight Weak Encryption!  Donate your wasted CPU cycles to Distributed.net 
(http://www.distributed.net)






Re: Thanks and I'll keep at it.

2000-05-18 Thread Jeffry Smith

On Wed, 17 May 2000, David P. Greenberg wrote:

 
 Just wanted to thank everybody for the day's worth of truly fascinating reading.
 I actually did learn a lot, including to never say anything pro MS again :-) I

I wouldn't say don't say anything pro MS, just be careful that what
you say is very well backed up.  Be careful with blanket statements,
sweeping generalizations, and, when stating opinions, clarify it is an
opinion, and be ready to back it up.  


 am going to try to find some time to get to the meetings, but my schedule is
 really hectic (as I'm sure, are yours). Anyway, I really do enjoy using Linux
 and am certainly enjoying the challenge of learning how to use it. 
   --

Feel free to ask questions where you don't understand something.
We're here to help.

jeff


Jeffry Smith  Technical Sales Consultant Mission Critical Linux
[EMAIL PROTECTED] phone:978.446.9166,x271 fax:978.446.9470

Thought for today:  Economics is extremely useful as a form of employment for 
economists.
-- John Kenneth Galbraith






Re: Thanks and I'll keep at it.

2000-05-18 Thread Paul Lussier


In a message dated: Wed, 17 May 2000 22:26:28 EDT
"David P. Greenberg" said:

Just wanted to thank everybody for the day's worth of truly fascinating
reading.

You're quite welcome, glad we could entertain you :)

I actually did learn a lot, including to never say anything pro MS again :-)

Now I wouldn't say that.  You can say plenty of positive things about MS here
(be quiet Ben ;)

MS has done amazing things with easily usable, user friendly interfaces.  They 
have one of the most feature rich Office Suites available on the market 
(despite the fact it's riddled with security holes).  They've introduced 
computing to the "common person".  They've done a lot of good, positive 
things.  Unfortunately, the negative seems to vastly outweigh the positive.

If it were just so simple as their software being bloated, slow, and inflexible, 
you'd probably not see as much animosity aimed at them.  However, those 3 
things are just the cornerstones they've decided to build upon.  There's a 
whole skyscraper's worth of other things :)

I am going to try to find some time to get to the meetings, but my schedule is
really hectic (as I'm sure, are yours). Anyway, I really do enjoy using Linux
and am certainly enjoying the challenge of learning how to use it. 

Well, there are meetings all over the place, check the calendar at the 
website, and feel free to drop in to any one of them.  And feel free to ask 
questions on the list, that's what we're here for :)


-- 
Seeya,
Paul

"I always explain our company via interpretive dance.
 I meet lots of interesting people that way."
  Niall Kavanagh, 10 April, 2000

 If you're not having fun, you're not doing it right!






Fwd: Re: thanks...

2000-05-10 Thread Thomas Charron

  Hey guys, I've been talking with this guy via email for a bit, and he made 
the offer below..  Lemme know exactly what you'd like me to ask for, and I'll 
pass it along..

  It's always nice to make friends over email..  :-P

- Forwarded message from "Joseph E. Arruda [mr.zenn]" [EMAIL PROTECTED] -
Date: Wed, 10 May 2000 12:17:09 -0700
From: "Joseph E. Arruda [mr.zenn]" [EMAIL PROTECTED]
Reply-To: "Joseph E. Arruda [mr.zenn]" [EMAIL PROTECTED]
Subject: Re: thanks...
To: Thomas Charron [EMAIL PROTECTED]

Hey, if you want some free swag (a t-shirt, some distros, Linux
Mags/Journals) for you or a LUG you belong to, let me know and I'll send
some your way.

Thanks again,

z
  For the nice words of /. about sourceforge.  Its nice to see people
  understand it for what it is.
   Ya, I had to restate my original post, as I don't think it truly came
 through as it was meant to.  A good open source project and a good Open Source
 service are two distinct things.  An example would be slashdot, and of course,
 sourceforge.  They provide an excellent service to the community.  I wouldn't
 list that as one of the better open source products, no, but certainly an
 outstanding service..  :-P
   My first post took for granted that one would inherit from the other
 naturally, but the more I thought about it, the more I realized I was wrong,
 and the two really are different things..

-- 
Joseph E. Arruda|   www.valinux.com
Corporate Alchemist |   sourceforge.net
VA Linux Systems, Inc.  |   www.linux.com
[EMAIL PROTECTED]   |   www.lugod.org
+1 408.542.5730  kernel panic:  cannot read from /dev/caffeine

- End forwarded message -



--- 
Thomas Charron
 Wanted: One decent sig 
 Preferably little used  
 and stored in garage.  ?
