Linux-Advocacy Digest #602, Volume #32            Fri, 2 Mar 01 19:13:05 EST

Contents:
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] ("Ed Rosten")
  Re: [OT] .sig (Dave Vandervies)
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] (Shane Phelps)
  Re: [OT] .sig (Karel Jansens)
  Re: SSH vulnerabilities - still waiting [ was Interesting article ] (Chris Ahlstrom)
  Re: MS websites: a tale of total and humiliating failure! (Chris Ahlstrom)
  Re: Richard Stallman what a tosser, and lies about free software ("Mart van de Wege")
  Re: why open source software is better ("Mart van de Wege")
  Re: If I delete using rm? (Andres Soolo)
  Re: Judge Harry Edwards comments.... (Charlie Ebert)
  Tux takes New York ("lenny")
  Re: Judge Harry Edwards comments.... (Charlie Ebert)
  Developer Panel Invitation ("Resarch")
  Re: Microsoft dying, was Re: Microsoft seeks government help to stop Linux (Scott Gardner)

----------------------------------------------------------------------------

From: "Ed Rosten" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Date: Fri, 02 Mar 2001 22:45:50 +0000

> It's like no one actually listens to what I say. They're so foaming at
> the mouth they pick out a few words and go on that.

The guys on css who did not know you were a net.kook were very helpful
and provided nothing but reasonable, well thought out arguments along
with accurate information. You did not listen to them, but instead posted
the same stuff over and over again. You are/were the one not listening.

 
> I never said the links I posted were the end-all be all. It was merely
> to illustrate that SSH IS NOT perfect and has flaws and there doesn't

SSH1 does have several flaws. Some are unavoidable in any secure
mechanism (the first authentication over an insecure channel), the others
involved a theoretical vulnerability (which has not been exploited
despite knowledge of its existence).

Even considering that, SSH2 has been superseded by SSH1. SSH1
compatibility is provided for convenience and provides a warning. You
can't ask for much more than that.


> seem to be a large effort by the SSH or OpenSSH folks to make sure that
> people running SSH have the latest updates.

It is not up to the SSH developers to force every admin to upgrade; that
is what the admin has been hired for. They have posted information in all
the relevant places that any security guys should look in.

 
> It is my opinion (and apparently that of other security folks) that
> security software must be held to a higher standard and part of
> distributing security software is ensuring that users always have the
> latest updates and patches rather than just posting them passively to a
> site somewhere.

That is just an opinion. I don't see how you can force everyone to
upgrade. Security is best handled by a competent admin. It is (and should
be) up to the admin to decide if and when to upgrade. There are probably
some really nasty vulnerabilities that could be exploited by automatic
software updates.

-ed



-- 
                                                     | u98ejr
                                                     | @ 
             This argument is a beta version.        | eng.ox
                                                     | .ac.uk

------------------------------

From: [EMAIL PROTECTED] (Dave Vandervies)
Crossposted-To: comp.lang.c
Subject: Re: [OT] .sig
Date: 2 Mar 2001 22:17:43 GMT

In article <[EMAIL PROTECTED]>,
Richard Heathfield  <[EMAIL PROTECTED]> wrote:
>Aaron Kulkis wrote:
>> Richard Heathfield wrote:
>> >
>> > Users are so cute.
>> 
>> Try systems engineer.
>
>The only way we're likely to believe that is if you provide some clueful
>responses to technical questions. So far, there is no evidence of this
>within comp.lang.c. No, I'm afraid I've definitely got you down as a
>user.

The 'l' is silent, but not invisible.


>> > No, of course comp.lang.c doesn't keep military service records. That
>> > was precisely the point I was making.
>> 
>> You failed to make any point, other than the irrelevance of your statements.
>
>Translation: you didn't understand my point. Allow me to clarify, then.
>Military records are not topical in this newsgroup. Therefore, no
>argument based solely on military records can succeed. Furthermore, your
>being in, or not in, the US Army is not topical here either.

Not only not topical, but completely irrelevant (which is slightly
stronger than not topical).


dave

-- 
Dave Vandervies
[EMAIL PROTECTED]

And no, that's not an expletive, it's an adjective.       --Brenda

------------------------------

From: Shane Phelps <[EMAIL PROTECTED]>
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Date: Sat, 03 Mar 2001 09:55:01 +1100



"." wrote:
> 
> In comp.os.linux.advocacy Peter Köhlmann <[EMAIL PROTECTED]> wrote:
> > Chad Myers wrote:
> >>
> >> It's like no one actually listens to what I say. They're so foaming
> >> at the mouth they pick out a few words and go on that.
> 
> > Could it be that you are just keep on writing BS, Chad?
> 
> >>
> >> I never said the links I posted were the end-all be all. It was merely
> >> to illustrate that SSH IS NOT perfect and has flaws and there doesn't
> >> seem to be a large effort by the SSH or OpenSSH folks to make sure
> >> that people running SSH have the latest updates.
> >>
> > You simply don't get it, Chad. There is not a single case where someone
> > exploited SSH (version 1 and 2). Even if you repeat your stuff until
> > doomsday, noone will believe you, because it simply is not true.
> 
> Yes there is actually.  A quite famous one; rootshell was exploited
> and nuked because of an old ssh vulnerability about two years ago.
> 
> But that's the only one.
> 
> -----.

I've already knocked this one on the head fairly early in the thread.

Rootshell actually said they were broken into by an attacker using ssh.
The assumption was that this was an ssh exploit. There was a flurry of
activity to try to find this hitherto-unknown hole. IBM found a buffer
overflow, which was thought briefly to be the cause. 
I think this is the one they found:
http://rootshell.com/archive-j457nxiqi3gq59dv/199811/sshkerb.txt.html

From www.rootshell.com:
 "SSH Admits Buffer Overflow in 1.2.26 client
11/5/98 8:44AM PDT
This morning SSH Communications Security LTD. released information about
a buffer overflow in its ssh 1.2.26 client kerberos code. This came as
quite a surprise after SSH was very bullish about there being no buffer
overflows in their code. While it is VERY hard to exploit and only works
under certain conditions, it is still a valid security hole.
PLEASE REMEMBER, ROOTSHELL HAS NEVER STATED THAT THE BREAK-IN
WE HAD WAS FROM A SECURITY HOLE IN SSH. Anyone who believes otherwise
has read too far into what we have said."

Rootshell never let on what had really happened AFAIK, but did state that
it wasn't a vulnerability in SSH.

A possible explanation is:
http://cthulhu.ale.org/ale-archive/ale-1999-01/msg00329.html

This one scared the hell out of us when rootshell made the original
announcement, even though we don't allow ssh (or much else) through
the firewalls. The flap only lasted a few days, but they were an
interesting few days.



BTW, Chad was making allegations about the protocol itself and about
the "shoddy encryption". If ssh is vulnerable on the encryption front
then almost every security system is too because most of them use the
same crypto :-) The protocol is potentially vulnerable to Man in the
Middle attacks on the initial host key exchange, provided you ignore
the prominent warnings!
He somehow got onto the tack of complaining about the lack of notification
of problems because of the need to actually read the CERT advisories or
subscribe to the mailing lists or read the NG or visit the web site(s).
Oddly enough, a large part of a security manager's job consists of
keeping abreast of current security practice, vulnerability reports
and looking for better products and practices.

------------------------------

From: Karel Jansens <[EMAIL PROTECTED]>
Subject: Re: [OT] .sig
Date: Fri, 2 Mar 2001 21:36:00 +0100

Richard Bos wrote:

> Karel Jansens <[EMAIL PROTECTED]> wrote:
> 
> > Gergo Barany wrote:
> > 
> > > Yes, and because that was the quickest way to get to France. The
> > > keyword here is "neutral"; this part of the war was not due to
> > > treaty obligations.
> > 
> > Belgium's and Luxemburg's neutrality was guaranteed by several bi-lateral
> > treaties. IIRC, according to those treaties, Belgium couldn't even do
> > anything else but call for help to its allies.
> 
> True, but that there _was_ a war in Belgium in the first place was not
> due to those treaties. In fact, it was a direct violation of them.
> 
Yup. Hence my last paragraph. Besides, from Gergo's remarks I got the 
impression he thought the western front in WWI had nothing to do with 
treaty violations which I think is not true.

> > The treaties themselves were remnants from the Napoleonic wars.
> > Originally the Waterloo victors had "set up" the "Verenigd Koninkrijk
> > der Nederlanden", composed of what would later become Holland and
> > Belgium.
> 
> s/Holland/the Netherlands/. There is more to the Netherlands than just
> Holland; calling us Holland is even worse than calling Great Britain
> England. Don't do it, or I shall have to resort to calling you a Walloon
> ;->.
> 
Most people reading this are 'merricans, or worse: AOL-ers. We have to keep
it simple. I've stopped referring to my native language as Flemish, it just
takes too long to explain.

The _real_ irony is that we are conversing in English :-)

> > The reason for this construct was to assure the neutrality of the
> > estuaries of the great rivers (Rhine, Meuse and Scheldt). After the
> > independence of Belgium in 1830, bilateral treaties were constructed
> > between the new countries and the European superpowers to assure the
> > continuity of this policy.
> > 
> > This shows you that the paper treaties are written on is worth slightly
> > more than the contents...
> 
> Though, mind you, the Netherlands managed to remain neutral in WWI. Of
> course, as WWII showed, this was only because nobody _wanted_ to invade
> us...
> 
Dude, you said it, not me...  :-)
-- 
Regards,

Karel Jansens
]]]  "Go go gadget linux!" Zzzooommm!!  [[[

------------------------------

From: Chris Ahlstrom <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: SSH vulnerabilities - still waiting [ was Interesting article ]
Date: Fri, 02 Mar 2001 23:24:40 GMT

Chad Myers wrote:
> 
> It's like no one actually listens to what I say. They're so foaming
> at the mouth they pick out a few words and go on that.
> 
> I never said the links I posted were the end-all be all. It was merely
> to illustrate that SSH IS NOT perfect and has flaws and there doesn't
> seem to be a large effort by the SSH or OpenSSH folks to make sure
> that people running SSH have the latest updates.
> 
> It is my opinion (and apparently that of other security folks) that
> security software must be held to a higher standard and part of
> distributing security software is ensuring that users always have
> the latest updates and patches rather than just posting them
> passively to a site somewhere.

He's trolling for a reaction, pure and simple.

------------------------------

From: Chris Ahlstrom <[EMAIL PROTECTED]>
Crossposted-To: alt.destroy.microsoft,comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: MS websites: a tale of total and humiliating failure!
Date: Fri, 02 Mar 2001 23:31:53 GMT

Chad Myers wrote:
> 
> Ask Sun. Their developer forums are IIS/ASP driven.
> 
> If it works, don't break it.
> 

Proof requested:  Show that their developer forums are
IIS/ASP driven; show that Sun the company actually hosts
those forums.

Chris

------------------------------

From: "Mart van de Wege" <[EMAIL PROTECTED]>
Subject: Re: Richard Stallman what a tosser, and lies about free software
Date: Sat, 03 Mar 2001 00:40:20 +0100
Crossposted-To: gnu.misc.discuss,comp.os.ms-windows.advocacy,misc.int-property

In article <JSRn6.145$[EMAIL PROTECTED]>, "JD" <[EMAIL PROTECTED]>
wrote:

> 
> "Edward Rosten" <[EMAIL PROTECTED]> wrote in message
> news:97nmcd$sgt$[EMAIL PROTECTED]...
>> > Nothing, except such sharing doesn't make software 'free'.  The
>> > problem with the GPL isn't the license, but the people who use it and
>> > use the term 'free' misleadingly in describing it.
>>        ^^^^^^^^^^^^^^^^^^^^
>>
>> in what way?
>>
> Think of it like this:  GPL is free sort of like our Income Tax is
> 'voluntary.'  In fact, our Income Tax isn't 'voluntary', and GPL isn't
> free.  Another common misusage (by almost all parties in the US) is that
> the US is a Democracy, which technically it isn't. In fact, the misusage
> of the term 'Democracy' has often caused confusion.
> 
> If GPL is a license of free software, then you wouldn't have multiple
> rules and redistribution encumbrances.  A few, simple, non costly rules
> wouldn't be important, but the GPL is a multi-page license with
> significant redistribution requirements.
> 
> You'll often hear about the GPL being free with lots of spin that
> morally justifies it.  But no matter what, because of the constraints,
> it isn't free.
> 
> John
> 
> 
Hmmm,

About those constraints: I have a right to free speech, it's in my country's
constitution. However this right is constrained by libel and slander
laws.
So because I can't call you "an absolutely clueless moron" (note the
quotes please, this *is* an *example*) with impunity, does this now mean
I don't have *any* right to free speech? Of course not. When will people
learn that the only person with absolute freedom is a hermit? All other
people's freedoms are always constrained by the very fact that excessive
freedom for one takes away another's freedom.
The GPL does nothing but codify this inevitable truth.

Mart
-- 
The moon is a planet just like the Earth, only it is even deader.

------------------------------

From: "Mart van de Wege" <[EMAIL PROTECTED]>
Subject: Re: why open source software is better
Date: Sat, 03 Mar 2001 00:46:11 +0100

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
wrote:

> On Thu, 01 Mar 2001 19:23:22 +0100, Mart van de Wege
> <[EMAIL PROTECTED]> wrote:
> 
>>The high point is irrelevant. That was reached in a market plagued by
>>'irrational exuberance' (10 points if you can identify the quote).
> 
> Alan Greenspan.  What do I win?
> 
Ten points of course. What did you think? A car? Sorry, I am not wealthy
enough. A brand new linux kernel 2.4.3? Sorry, my programming skills
aren't up to that quite yet.
Seriously, I tossed off the quote to impress the fact that this was not
some random USENET denizen ranting, but a well supported opinion. Quite
frankly, if anyone mentions the name Greenspan in my presence I tend to
get a little cross, as anytime that man opens his mouth I get hit by a
double workload the next morning.

Thanks for playing anyway,

Mart
-- 
The moon is a planet just like the Earth, only it is even deader.

------------------------------

From: Andres Soolo <[EMAIL PROTECTED]>
Subject: Re: If I delete using rm?
Date: 2 Mar 2001 23:52:39 GMT

Interconnect <[EMAIL PROTECTED]> wrote:
> If I accidentally delete a subdirectory and files is there any way of
> recovering these in Linux. That is without resorting to the tape backups?
Yes, if you use non-tape backups.

-- 
Andres Soolo   <[EMAIL PROTECTED]>

Half of being smart is knowing what you're dumb at.

------------------------------

From: [EMAIL PROTECTED] (Charlie Ebert)
Crossposted-To: comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Judge Harry Edwards comments....
Reply-To: [EMAIL PROTECTED]
Date: Fri, 02 Mar 2001 23:55:36 GMT

In article <97nhgp$rdj$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>
>Charlie Ebert wrote in message ...
>>In article <[EMAIL PROTECTED]>, Aaron Kulkis wrote:
>>>
>>>http://www.eetimes.com/special/special_issues/millennium/companies/bell.html
>>>
>>>     At first the research arm of AT&T, Bell Labs enjoyed a special status
>>>     after its founding in the 1920s. Because of the monopoly granted AT&T
>>>     by the government, in the interests of standardizing the telephone
>>>     system, the lab could both be part of a commercial operation and play
>>>     the open role of a national laboratory.
>>>
>>
>>I see this in print and I've read it.
>>
>>There is no record in congress of an actual vote nor bill passed which
>>grants AT&T nor IT&T a monopoly that I've seen.
>>
>>Perhaps what they are referring to is some kind of exclusive contract.
>>
>>But I can't seem to find support for where congress passed and the
>>president signed any such bill approving a monopoly.
>
>Charlie,
>
>I know the posters think that you put up phony links and side squirts.
>
>However, your great mind is actually in great demand.
>
>I am here to offer you a guest spot on a nationally syndicated show.
>
>Yes, you have been selected because of your extensive knowledge on the
>subject of antitrust.
>
>The breadth of your intellect is what impresses.
>
>So I'd like to invite you to the Art Bell show as an expert on ALIEN
>Antitrust.
>
>Well, you might say, hey wait a minute.
>
>But I say, all those great ideas come from SOMEPLACE, huh buddy?
>
>2 + 2
>

That or Tom Ballentine, right?

Charlie



------------------------------

From: "lenny" <[EMAIL PROTECTED]>
Subject: Tux takes New York
Date: Fri, 02 Mar 2001 23:57:45 GMT

Tux hits the big time:
http://news.cnet.com/news/0-1003-200-5005017.html

------------------------------

From: [EMAIL PROTECTED] (Charlie Ebert)
Crossposted-To: comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Judge Harry Edwards comments....
Reply-To: [EMAIL PROTECTED]
Date: Sat, 03 Mar 2001 00:02:09 GMT

In article <[EMAIL PROTECTED]>, Aaron Kulkis wrote:
>
>
>Charlie Ebert wrote:
>> 
>> In article <[EMAIL PROTECTED]>, Aaron Kulkis wrote:
>> >
>> >http://www.eetimes.com/special/special_issues/millennium/companies/bell.html
>> >
>> >     At first the research arm of AT&T, Bell Labs enjoyed a special status
>> >     after its founding in the 1920s. Because of the monopoly granted AT&T
>> >     by the government, in the interests of standardizing the telephone
>> >     system, the lab could both be part of a commercial operation and play
>> >     the open role of a national laboratory.
>> >
>> 
>> I see this in print and I've read it.
>> 
>> There is no record in congress of an actual vote nor bill passed which
>> grants AT&T nor IT&T a monopoly that I've seen.
>> 
>> Perhaps what they are referring to is some kind of exclusive contract.
>> 
>> But I can't seem to find support for where congress passed and the
>> president signed any such bill approving a monopoly.
>> 
>> However, I can show you the 1970's arguments from the appeals trials
>> where the phone companies attempted to prove they had been granted
>> monopoly status from the government and they failed to exhibit proof.
>> 
>
>Hmmmmmmmmmmmm
>
>Interesting.
>

The entire issue could be solved that way or you could provide
us with the docket from the 1920's which shows such legislation
being considered on the floor...

Now if you can present me with that, I promise that I will state
in full to the world public at large that I was a bad boy and
obviously full of shit.

And if you can't, I will find somewhere which had the appeal arguments
on a link where we don't end up going to a law library to reference
material and show arguments....

This issue covered about a year of T.V. time in 1975-76.

Charlie



------------------------------

From: "Resarch" <[EMAIL PROTECTED]>
Subject: Developer Panel Invitation
Date: 03 Mar 2001 00:08:10 GMT

Dear Software Developer,
EDC is an independent market research firm specializing in software
development.  We're recruiting developers to complete a survey and so join
our international panel of developers and enter a drawing to win $500US
CASH.  You can find this survey at:

http://www.evansdata.com/Surveystart.html

Our reports are read by most of the largest development tool companies and
this is your chance to influence them so they can make the tools and
programs YOU want.

Panel members are alerted via e-mail about once a month when we run a survey
and may choose to participate or not.  Everyone who does complete a survey
is automatically entered in a drawing to WIN $500US CASH.

Our surveys are not sponsored by any one company, and all personal
information is held strictly confidential.  The results are aggregated and
turned into reports which influence top development tools companies.  YOUR
PERSONAL INFORMATION IS NEVER GIVEN TO ANYONE UNDER ANY CIRCUMSTANCES.

To take our survey and enter the drawing please go to:

http://www.evansdata.com/Surveystart.html

We think you'll find it interesting!

The Research Team at Evans Data Corp
http://www.evansdata.com/Surveystart.html



------------------------------

From: [EMAIL PROTECTED] (Scott Gardner)
Subject: Re: Microsoft dying, was Re: Microsoft seeks government help to stop Linux
Date: Sat, 03 Mar 2001 00:09:01 GMT

On Fri, 02 Mar 2001 03:50:59 -0500, Aaron Kulkis <[EMAIL PROTECTED]>
wrote:

>
>
>Joel Barnett wrote:
>> 
>> Dr. Peanut wrote:
>> 
>> <snip>

>What part of "You *CANNOT* buy a computer without Mafia$oft shitware" do 
>you not fucking understand...

I haven't been forced to buy a MS operating system since 1990.  All
you have to do is either assemble the computer yourself, or go to one
of the independent shops that builds computers to order.  Usually,
they're under no obligation to bundle an operating system with their
computers, although they will offer one at the OEM price if you've
purchased at least enough components so that they can say they sold
you a new "computer". (Usually, a motherboard/CPU combo and a hard
drive will suffice.)

Scott Gardner
LT    US Navy

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to comp.os.linux.advocacy.

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Advocacy Digest
******************************
