i'm sorry for those who are insecure of what *BSD is telling you. i read one said "a lump of concrete is even more secure". use your "BRAIN" man, or you're eating shit! a "TRUE" sysadmin knows how to make a machine useful and not relying on what other default install has. if you want your system secure, create a "CONCRETE" bunker, put it inside, add some C4 which will detonate on time of intrusion, or hire a 24/7 band of fully armed men. now that's what "a lump of concrete is even more secure" is.

On Tue, 18 Jun 2002 08:50:11 plug-request wrote:
>Send plug mailing list submissions to
>	[EMAIL PROTECTED]
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	http://lists.q-linux.com/mailman/listinfo/plug
>or, via email, send a message with subject or body 'help' to
>	[EMAIL PROTECTED]
>
>You can reach the person managing the list at
>	[EMAIL PROTECTED]
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of plug digest..."
>
>
>Today's Topics:
>
>   1. Bayanihan Linux site down? ([EMAIL PROTECTED])
>   2. Re: BSD security (vince cagud)
>   3. Re: BSD security (Rick Moen)
>   4. Re: Interbase/Firebird (Andy Sy)
>   5. FreeBSD vs. Linux security (Andy Sy)
>   6. Re: BSD security (vince cagud)
>   7. [ OT ] IP ADDRESS CHECKER ([K][R][Y][P][T][O][N])
>   8. Re: FreeBSD vs. Linux security (Rick Moen)
>   9. Re: [ OT ] IP ADDRESS CHECKER (Yardan Ambrose)
>  10. Re: Vulnerability Assessment (Ina Patricia Lopez)
>  11. Re: BSD security (Rick Moen)
>  12. Re: Linux in "Off the Record" (Yardan Ambrose)
>
>--__--__--
>
>Message: 1
>Date: Mon, 17 Jun 2002 09:08:05 -0700 (PDT)
>From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: [plug] Bayanihan Linux site down?
>Reply-To: [EMAIL PROTECTED]
>
>Is http://bayanihan.asti.dost.gov.ph/ web site and the beta ISO
>still available? Name lookup seems to be failing for
>last few days...
>
>What is the minimum free disk space required to
>install Bayanihan Linux? Is it based on Red Hat Personal?
>
>--__--__--
>
>Message: 2
>Date: Tue, 18 Jun 2002 00:43:06 +0800
>From: vince cagud <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: [plug] BSD security
>Reply-To: [EMAIL PROTECTED]
>
>i think everybody's trying to focus too much on the "secure-by-default"
>mantra sung by the OpenBSD where it indeed does not have anything useful
>to start with...except maybe routing and firewalling.
>
>BSDs' security boasts however go beyond that through intensive code
>auditing. the default install is just the tip of the iceberg guys, come
>on! it's the pro-active examination of code of the programs that comes
>with the distro, effectively trying to minimize possible instances of
>buffer over-runs, and favorite what-nots hackers have for breaking
>systems. for serious users of OpenBSD, note that there are some ports
>and packages (forgot which) where de Raadt and company categorically
>state that installing them is at your risk since they have not audited
>that part yet. interesting to note the corollary to that; they do have
>packages that could be assessed as "certified safe and audited".
>
>that's why OpenBSD "official" packages and software are generally
>"out-of-date". they're old compared to those sported by the more popular
>linux distros.
>
>--vince
>
>Rick Moen wrote:
>
>>Quoting Daniel O. Escasa ([EMAIL PROTECTED]):
>>
>>>Been a few weeks since I used OpenBSD, but I seem to remember that
>>>sendmail (!) was enabled by default. In any event, I remember an
>>>online forum where one of the users said that running something as
>>>innocuous as httpd already deviates from the default install, and can
>>>open up security holes.
>>
>>The OpenBSD mantra is "secure by default", which they achieve through
>>lack of functionality out of the box.
>>I could swear that, when last I
>>loaded it, basically _no_ services started, but they may have classified
>>SMTP as an "essential service" since then. But, whether it's almost
>>everything or literally everything shut off by default or almost
>>everything, my point is unchanged: By that measure, a lump of concrete
>>is _even more_ secure. Not terribly useful, but bloody well not subject
>>to remote exploits.
>>
>>Mr. de Raadt and company are thus playing dumb public-relations games.
>>And frankly, I would have thought that would have been obvious.
>>
>>Getting back to my original point, any discussion of this matter that
>>centres around installation-default configurations is doomed to
>>meaninglessness. Why? Because, if you give a tinker's damn about
>>security, then installation defaults on _any_ Unix will necessarily
>>last all of 20 seconds, until you get serious about implementing your
>>site administrative policies.
>>
>>At which point, guess what? It'll turn out that practically without
>>exception, all of your alternative Unixen offer the exact same network
>>daemons, with almost identical compile options, almost all compiled
>>using the exact same compiler. Differences in security histories among
>>publicly-exposed portions of kernels and major libraries have been
>>trivial. Which leaves administrative practices as the major factor that
>>determine what kind of security you'll enjoy.
>>
>>Which was my point.
>>
>>
>>_
>>Philippine Linux Users Group.
>>Web site and archives at http://plug.linux.org.ph
>>To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
>>
>>To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
>
>--__--__--
>
>Message: 3
>Date: Mon, 17 Jun 2002 10:06:41 -0700
>To: [EMAIL PROTECTED]
>Subject: Re: [plug] BSD security
>From: Rick Moen <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>
>Quoting vince cagud ([EMAIL PROTECTED]):
>
>> it's the pro-active examination of code of the programs that comes
>> with the distro....
>
>_Hello there_? The resulting patches get applied to instances of those
>same codebases running on all Unixes.
>
>> for serious users of OpenBSD, note that there are some ports
>> and packages (forgot which) where de Raadt and company categorically
>> state that installing them is at your risk since they have not audited
>> that part yet.
>
>A competent sysadmin on any Unix doesn't need Theo to tell him what
>software and versions are risky to run.
>
>--
>Cheers,            The difference between common sense and paranoia is that common sense
>Rick Moen          is thinking everyone is out to get you. That's normal; they are.
>[EMAIL PROTECTED]  Paranoia is thinking they're conspiring. -- J. Kegler
>
>--__--__--
>
>Message: 4
>From: "Andy Sy" <[EMAIL PROTECTED]>
>To: "fooler" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>Date: Tue, 18 Jun 2002 00:46:32 +0800
>Subject: [plug] Re: Interbase/Firebird
>Reply-To: [EMAIL PROTECTED]
>
>> > Incidentally, I find Interbase/Firebird to be very interesting. I
>> > see people on newsgroups and mailing lists casually mention
>> > running databases in the size of tens of GB on it. It has the
>> > _footprint of MySQL_ (~10MB exe) with the full-fledged SQL
>> > capabilities (views, stored procedures, triggers, multi-versioning
>> > concurrency, etc...) of PostgreSQL!
>>
>> dont use firebird (modified version of interbase from other group) but use
>> instead that is coming from borland...
>> you can get it here
>> http://info.borland.com/devsupport/interbase/opensource/
>> mysql and postgressql sucks compare to interbase... i'd been using interbase
>> since the beginning and first release of delphi 1 (that is dec1994 as far as
>> i remember) as my back-end database and it rocks! its flexible and ease of
>> use..
>
>Borland retracted their open source license and that
>is why the additions in Interbase 6.5 are no longer
>freely available.
>
>Firebird is essentially a fork off Interbase 6.0 (not 6.5)
>and while Borland is likely to be able to get the enhancements
>and fixes made in Firebird (which they have already done), the
>ones that they have made to 6.5 and above are likely not going
>to be made available to the Firebird community.
>
>Just curious, why do you advise against using Firebird?
>
>--__--__--
>
>Message: 5
>From: "Andy Sy" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Date: Tue, 18 Jun 2002 03:24:44 +0800
>Subject: [plug] FreeBSD vs. Linux security
>Reply-To: [EMAIL PROTECTED]
>
>> Getting back to my original point, any discussion of this matter that
>> centres around installation-default configurations is doomed to
>> meaninglessness. Why? Because, if you give a tinker's damn about
>> security, then installation defaults on _any_ Unix will necessarily
>> last all of 20 seconds, until you get serious about implementing your
>> site administrative policies.
>
>Right. But how much work and expertise is needed to
>secure a Linux server versus a *BSD one? The conservative
>defaults on a *BSD box allow less experienced sysadmins to
>get away with not having to know about every possible
>exploitable hole and how to close them.
>
>When it comes to security, *BSD may actually provide a
>gentler learning curve.
>
>--__--__--
>
>Message: 6
>Date: Tue, 18 Jun 2002 02:59:49 +0800
>From: vince cagud <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: [plug] BSD security
>Reply-To: [EMAIL PROTECTED]
>
>Rick Moen wrote:
>
>>Quoting vince cagud ([EMAIL PROTECTED]):
>>
>>>it's the pro-active examination of code of the programs that comes
>>>with the distro....
>>
>>_Hello there_? The resulting patches get applied to instances of those
>>same codebases running on all Unixes.
>>
>as what? as package upgrades that you have to constantly check off a
>web/ftp site? no thanks! there are those who'd rather have bug fixes as
>part of the distro they're installing! some people just don't have that
>time to spend.
>
>just compare the errata page of openbsd and redhat, especially mandrake.
>
>>>for serious users of OpenBSD, note that there are some ports
>>>and packages (forgot which) where de Raadt and company categorically
>>>state that installing them is at your risk since they have not audited
>>>that part yet.
>>
>>A competent sysadmin on any Unix doesn't need Theo to tell him what
>>software and versions are risky to run.
>>
>does it follow then that a competent sysad doesnt need anyone to tell
>him what software and versions are risky to run? or is your statement
>just limited to theo?
>
>with the number of developers working on linux and the speed at
>which it is developing(kernel, distros and packages), i'd think it is
>quite natural that a lot of mistakes, conflicts and possibilities for
>conflicts and exploits are produced. i've never heard kernel and
>open-source package developers boast of their work being thoroughly
>secure. what they do pride themselves with is the speed of bug-fix
>turn-around time.
>
>personal developer realization, it's much easier to miss vulnerabilities
>in library code than in end-product programs, where one usually only
>cares to look only if there's something blatantly wrong with one's
>program using a certain library.
>otherwise, if it works, the functions
>do what they're supposed to do, we dont really care. maybe that's why a
>lot of bugs were fixed before they became exploits in OpenBSD. at least
>that's what they claim as their reward for their pro-active audits.
>
>personal sysadmin realization, it's more educational and secure turning
>services on than actually hunting down those you don't need, turning
>them off and/or uninstalling them. it's part of why a lot recommend
>slackware for those starting out with linux sysadmin. part of why
>security people do "default deny unless explicitly allowed" policies.
>it's simply easier and more secure.
>
>true, it's all about sysadmin practices, but which approach takes less
>work and still achieve the same result? i currently find myself
>bewildered by the number of packages RH installs, it's actually a big
>turnoff hunting things down and uninstalling them because i dont use
>them anyway and they could be source of exploits. maybe that's why i
>find AdMU-Linux and gentoo appealing.
>
>i hate to sound like an OpenBSD sales person because i'm not. i'm a
>linux user, sysad, network ad and developer. i've never coded for any
>other platform in my whole professional life. i use linux with the
>awareness that i'm sacrificing a li'l bit of advance security(that i
>admit the BSDs have), for a whole lot of present functionality(and cool
>new features too!). never said linux is not secure, just more work
>securing it compared to bsd. never said bsd is not usable, just more
>work making it usable compared to linux. in my experience, that is. =P
>
>--__--__--
>
>Message: 7
>From: "[K][R][Y][P][T][O][N]" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Date: Tue, 18 Jun 2002 06:49:22 +0800
>Subject: [plug] [ OT ] IP ADDRESS CHECKER
>Reply-To: [EMAIL PROTECTED]
>
>Good day to all!...
>
>Anyone one can help me find a software which can trace two same ip address
>on the same network?
>
>When using static ip its really hard to trace pcs which has the same ipaddy.
>
>Thanks
>SUPERMAN
>
>--__--__--
>
>Message: 8
>Date: Mon, 17 Jun 2002 17:33:54 -0700
>To: [EMAIL PROTECTED]
>Subject: Re: [plug] FreeBSD vs. Linux security
>From: Rick Moen <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>
>Quoting Andy Sy ([EMAIL PROTECTED]):
>
>> Right. But how much work and expertise is needed to secure a Linux
>> server versus a *BSD one?
>
>My, my, look at all the questionable assumptions suggested by that
>wording. I'm not even going to start. But you should contemplate the
>term "site administrative policies", as long as it takes to get the
>point.
>
>> The conservative defaults on a *BSD box allow less experienced
>> sysadmins to get away with not having to know about every possible
>> exploitable hole and how to close them.
>
>"Less experienced sysadmins" who think they can get away from in any way
>relying on installation defaults on _any_ *ix are kidding themselves,
>extremely, and should generally stick to the aforementioned blocks of
>concrete. And preferably switch to an effort (aside from system
>administration) for which they're better prepared.
>
>Essentially, this is about the third time I've been obliged to make that
>point. I really don't think I should have to make it again.
>
>--__--__--
>
>Message: 9
>From: "Yardan Ambrose" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Date: Tue, 18 Jun 2002 08:35:55 +0800
>Subject: Re: [plug] [ OT ] IP ADDRESS CHECKER
>Reply-To: [EMAIL PROTECTED]
>
>----- Original Message -----
>From: "[K][R][Y][P][T][O][N]" <[EMAIL PROTECTED]>
>Date: Tue, 18 Jun 2002 06:49:22 +0800
>To: <[EMAIL PROTECTED]>
>Subject: [plug] [ OT ] IP ADDRESS CHECKER
>> Good day to all!...
>>
>> Anyone one can help me find a software which can trace two same ip address
>> on the same network?
>>
>> When using static ip its really hard to trace pcs which has the same ipaddy.
>>
>> Thanks
>> SUPERMAN
>
>Trace 2 IPs on the same network?
>Both are online? Hmmm...
>I don't think it's possible to have 2 PC's with the same IPs online on the same LAN,
>because once the duplicate PC broadcasts the used IP, it will be rejected access to
>the network (someone correct me if I'm shooting off my mouth up my ass :) ). And for
>a windoze LAN, AFAIK, the original PC using that IP is also dropped from the network.
>Is it a linux LAN or a windoze LAN? Do you have an inventory of the IPs? For a
>windoze LAN, use LanGuard Network Scanner. You can scan the entire class or just a
>segment. And if you have the inventory, the IP that doesn't show up but should, is
>the duplicated IP. Unless a PC is turned off. Then you have another matter on your
>hands. Anyway, if it's a linux LAN, I suggest you wait for another reply to your
>email. :) But I doubt you'd get two PCs with the same IP after a network scan.
>
>--------------
>Yardan Ambrose
>Certified Penguin Enthusiast
>[EMAIL PROTECTED]
>
>--__--__--
>
>Message: 10
>Date: Mon, 17 Jun 2002 17:43:19 -0700 (PDT)
>From: Ina Patricia Lopez <[EMAIL PROTECTED]>
>Subject: Re: [plug] Vulnerability Assessment
>To: [EMAIL PROTECTED]
>Reply-To: [EMAIL PROTECTED]
>
>
>Fujitsu Philippines have this kind of services.
>
>
>--- Jessie Evangelista <[EMAIL PROTECTED]> wrote:
>> Mara,Meric B. wrote:
>> > Can someone tell me what are the companies (here in the Philippines)
>> > which do Vulnerability Assessments.
>> >
>> > All the best,
>> > Meric
>>
>> For the price of a merienda, I'll do it for you =)
>>
>> For proper documentation and recommendations ... is a different matter
>>
>> --
>>
>> ============================================================
>> Jessie Evangelista<[EMAIL PROTECTED]>
>> Developer, SMetrix Inc. ,Philippines
>> Tel no.: +6328438064
>> ============================================================
>
>--__--__--
>
>Message: 11
>Date: Mon, 17 Jun 2002 17:48:16 -0700
>To: [EMAIL PROTECTED]
>Subject: Re: [plug] BSD security
>From: Rick Moen <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>
>Quoting vince cagud ([EMAIL PROTECTED]):
>> Rick Moen wrote:
>>
>> >Quoting vince cagud ([EMAIL PROTECTED]):
>> >
>> >>it's the pro-active examination of code of the programs that comes
>> >>with the distro....
>>
>>>_Hello there_? The resulting patches get applied to instances of those
>>>same codebases running on all Unixes.
>
>> as what? as package upgrades that you have to constantly check off a
>> web/ftp site? no thanks!
>
>You appear to be having a difficult time following this conversation.
>Here, let's go over this step by step:
>
>1. A remote exploit in PHP 4.x gets discovered. Maybe this is from the
>overhyped, not-very-productive OpenBSD "auditing" effort. More likely,
>it is unearthed by some unrelated party in the PHP-using community.
>
>2. Someone comes up with a patch. It's incorporated into CVS, tested,
>and included in first developer and then full release.
>
>3. At some point in that process, various Unixen adopt the fixed
>version or a patch in anticipation of that version. The same process
>applies for Linux distributions, OpenBSD, OS X / Darwin, BeOS, IRIX, and
>whatever. They differ only in details of packaging and distribution of
>revisions.
>
>
>Now that you're a little clearer on the propagation of patches to Unix
>userland software, care to explain to me again why propagation of a
>security patch to PHP on OpenBSD is somehow more noble, cleaner, whiter,
>and more odor-free than propagation of that same patch to (e.g.) various
>Linux distributions?
>
>> there are those who'd rather have bug fixes as
>> part of the distro they're installing!
>
>Funny you should mention that: Is there some specific part of "apt-get
>install php4" that you're failing to grasp?
>
>> does it follow then that a competent sysad doesnt need anyone to tell
>> him what software and versions are risky to run? or is your statement
>> just limited to theo?
>
>Do you ask a profusion of impertinent, point-missing, and annoying
>questions just because you can?
>
>> true, it's all about sysadmin practices, but which approach takes less
>> work and still achieve the same result?
>
>Mine does. ;->
>
>But I'm out of patience with your attitude for a while.
>
>--__--__--
>
>Message: 12
>From: "Yardan Ambrose" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Date: Tue, 18 Jun 2002 08:48:20 +0800
>Subject: Re: [plug] Linux in "Off the Record"
>Reply-To: [EMAIL PROTECTED]
>
>----- Original Message -----
>From: Pong <[EMAIL PROTECTED]>
>Date: Tue, 18 Jun 2002 00:08:41 +0800 (PHT)
>To: [EMAIL PROTECTED]
>Subject: Re: [plug] Linux in "Off the Record"
>> On Mon, 17 Jun 2002, Rick Moen wrote:
>>
>> > Quoting Jerome Tan ([EMAIL PROTECTED]):
>> >
>> > > Any other good hacking-related movies?
>> >
>> > Well, there's always J.T.S. Moore's Revolution OS. It's a documentary,
>> > not a thriller, but it's supposed to be very well done.
>>
>> how about my old-time favorite: The Matrix?
>> Morpheus explained that while there are physical laws (virtual world
>> software), it can be bent (cracked).
>>
>> Mr. Smith & Co. are no good sysadmins... hehehe...
>>
>> pong
>
>Mr. Smith & Co. suck at being sysads...hehehe... may I digress?
>
>Aside from hacker/cracker-related movie, there's a good book IMHO, about
>black/white-hat hackers: The Blue Nowhere by Jeffery Deaver. You can read the first
>chapter at www.thebluenowhere.com.
>
>For me, it does hackers justice. Though it doesn't say anything about open-source or
>proprietaries. Deals more on social engineering.
>
>
>--------------
>Yardan Ambrose
>Certified Penguin Enthusiast
>[EMAIL PROTECTED]
>
>--__--__--
>
>End of plug Digest
