Re: Root exploit for FreeBSD
Mario Lobo wrote:
> On Saturday 12 December 2009 21:23:00 Rolf Nielsen wrote:
>> Where's that? The Nvidia site says nothing about it yet, and the
>> makefile for x11/nvidia-driver still says ONLY_FOR_ARCHS=i386. I'm
>> eagerly waiting for it, but I can't find anything other than a forum
>> post (I don't have the address handy at this computer, but I know it's
>> somewhere in the mailing list archive) from Zander at Nvidia corporation
>> saying it's on its way.
>
> http://www.nvnews.net/vbulletin/showthread.php?t=142120

Thanks Mario and George. Just installed it and rebooted now. :D

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Root exploit for FreeBSD
On Saturday 12 December 2009 21:23:00 Rolf Nielsen wrote:
> Where's that? The Nvidia site says nothing about it yet, and the
> makefile for x11/nvidia-driver still says ONLY_FOR_ARCHS=i386. I'm
> eagerly waiting for it, but I can't find anything other than a forum
> post (I don't have the address handy at this computer, but I know it's
> somewhere in the mailing list archive) from Zander at Nvidia corporation
> saying it's on its way.
>

http://www.nvnews.net/vbulletin/showthread.php?t=142120

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since version 2.2.8 [not Pro-Audio YET!!] (99,7% winfoes FREE)
Re: Root exploit for FreeBSD
http://www.nvnews.net/vbulletin/showthread.php?t=142120

On Sun, Dec 13, 2009 at 2:23 AM, Rolf Nielsen wrote:
> Sam Fourman Jr. wrote:
>>>
>>> Are you sure that OpenBSD has a better record?
>>
>> I found this for loose reference.
>> http://en.wikipedia.org/wiki/OpenBSD#Security_and_code_auditing
>>
>> I will say that even though on the surface OpenBSD appears to have a
>> better track record security wise
>> I tend to use FreeBSD for my desktop needs because of things like
>> Nvidia Graphics (esp now that there is amd64 support)
>
> Where's that? The Nvidia site says nothing about it yet, and the makefile
> for x11/nvidia-driver still says ONLY_FOR_ARCHS=i386. I'm eagerly waiting
> for it, but I can't find anything other than a forum post (I don't have the
> address handy at this computer, but I know it's somewhere in the mailing
> list archive) from Zander at Nvidia corporation saying it's on its way.
>
>> also wine works in FreeBSD and some of my clients still run windows apps.
>>
>> I find FreeBSD is the middle ground the world needs between Linux and
>> OpenBSD
>>
>> Sam Fourman Jr.
>> Fourman Networks
Re: Root exploit for FreeBSD
Sam Fourman Jr. wrote:
>>
>> Are you sure that OpenBSD has a better record?
>
> I found this for loose reference.
> http://en.wikipedia.org/wiki/OpenBSD#Security_and_code_auditing
>
> I will say that even though on the surface OpenBSD appears to have a
> better track record security wise
> I tend to use FreeBSD for my desktop needs because of things like
> Nvidia Graphics (esp now that there is amd64 support)

Where's that? The Nvidia site says nothing about it yet, and the makefile for x11/nvidia-driver still says ONLY_FOR_ARCHS=i386. I'm eagerly waiting for it, but I can't find anything other than a forum post (I don't have the address handy at this computer, but I know it's somewhere in the mailing list archive) from Zander at Nvidia corporation saying it's on its way.

> also wine works in FreeBSD and some of my clients still run windows apps.
>
> I find FreeBSD is the middle ground the world needs between Linux and
> OpenBSD
>
> Sam Fourman Jr.
> Fourman Networks
Re: Root exploit for FreeBSD
>
> Are you sure that OpenBSD has a better record?

I found this for loose reference.
http://en.wikipedia.org/wiki/OpenBSD#Security_and_code_auditing

I will say that even though on the surface OpenBSD appears to have a
better track record security wise
I tend to use FreeBSD for my desktop needs because of things like
Nvidia Graphics (esp now that there is amd64 support)

also wine works in FreeBSD and some of my clients still run windows apps.

I find FreeBSD is the middle ground the world needs between Linux and OpenBSD

Sam Fourman Jr.
Fourman Networks
Re: Root exploit for FreeBSD
In message: <20091210095122.a164bf95.wmo...@potentialtech.com> Bill Moran writes:
: In response to Anton Shterenlikht :
:
: > From my information security manager:
: >
: > FreeBSD isn't much used within the University (I understand) and has a
: > (comparatively) poor security record. Most recently, for example:
: >
: > http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html
:
: Are you trying to make your infosec guy look like an idiot? Does he
: realize that FreeBSD has a grand total of 16 security problems for all
: of 2009? Hell, Microsoft has that many in an average month.

And many of them were for code supplied by others...

: If he can find something (other than OpenBSD) with a better record than
: that, I'd love to hear about it.

Are you sure that OpenBSD has a better record?

Warner
Re: Root exploit for FreeBSD
> 2009/12/11 Kevin Oberman :
> >> Date: Fri, 11 Dec 2009 08:49:42 +
> >> From: Matthew Seaman
> >> Sender: owner-freebsd-curr...@freebsd.org
> >>
> >> Polytropon wrote:
> >> > On Fri, 11 Dec 2009 01:42:36 -0600, "Sam Fourman Jr." wrote:
> >> >> I have tried looking around and OpenBSD appears to be the undisputed
> >> >> #1 track record in terms of security and FreeBSD is #2 (I didn't
> >> >> count dragonflyBSD)
> >> >
> >> > VMS would be #0, then? :-)
> >>
> >> I dunno. Haven't seen many MS-DOS exploits recently either...
> >
> > I'm sure that there are systems happily running MSDOS, but I bet not too
> > many are networked.
> >
> > I know that there is still a lot of VMS out there and that it has
> > remained a cash cow for HP. It lived on primarily in the banking and
> > financial sector, though I guess the use is dropping since HP recently
> > outsourced support to India and that led to the retirement of the last
> > of the original VMS developers, Andy Goldstein.
> >
> > Also, the end of TECO as Andy was responsible for porting it to
> > almost every platform DEC ever sold (RSX, RSTS, VMS, TOPS-10 and
> > TOPS-20, RT-11, and several others) and continued to maintain it until
> > his retirement. (Most readers of this list probably don't even remember
> > TECO.)
> >
> > And, for many years VMS had major network security problems, especially
> > the infamous default DECNET/DECNET account that led to many compromises
> > and the second major network worm, Worms Against Nuclear Killers. (I
> > won't use the acronym so as not to offend our British readers. I found
> > out about that when the BBC interviewed me about it and I was told that
> > I could not utter the word.)
>
> Wow, I didn't know your side don't use that word... I thought I knew
> about all the stereotypically British ones!
>
> Do you guys have any curses or insults at all???
>
> Chris
>

I ran a radio show in the states - the language restrictions there ww were they strict!!

David
Re: Root exploit for FreeBSD
On Fri 11 Dec 2009 at 20:59:57 PST Robert Huff wrote:
> Ulf Zimmermann writes:
>> Just go to Fry's Electronic. Most of their systems are still
>> MS-Dos with Novell for network, running text based
>> inventory/quote/sales app.
>
> A _lot_ of small businesses have something similar.

And why not? There's no need for any multi-user, multi-processing GUIness in those environments.
Re: Root exploit for FreeBSD
2009/12/11 Kevin Oberman :
>> Date: Fri, 11 Dec 2009 08:49:42 +
>> From: Matthew Seaman
>> Sender: owner-freebsd-curr...@freebsd.org
>>
>> Polytropon wrote:
>> > On Fri, 11 Dec 2009 01:42:36 -0600, "Sam Fourman Jr."
>> > wrote:
>> >> I have tried looking around and OpenBSD appears to be the undisputed
>> >> #1 track record in terms of security and FreeBSD is #2 (I didn't count
>> >> dragonflyBSD)
>> >
>> > VMS would be #0, then? :-)
>>
>> I dunno. Haven't seen many MS-DOS exploits recently either...
>
> I'm sure that there are systems happily running MSDOS, but I bet not too
> many are networked.
>
> I know that there is still a lot of VMS out there and that it has
> remained a cash cow for HP. It lived on primarily in the banking and
> financial sector, though I guess the use is dropping since HP recently
> outsourced support to India and that led to the retirement of the last
> of the original VMS developers, Andy Goldstein.
>
> Also, the end of TECO as Andy was responsible for porting it to
> almost every platform DEC ever sold (RSX, RSTS, VMS, TOPS-10 and
> TOPS-20, RT-11, and several others) and continued to maintain it until
> his retirement. (Most readers of this list probably don't even remember
> TECO.)
>
> And, for many years VMS had major network security problems, especially
> the infamous default DECNET/DECNET account that led to many compromises
> and the second major network worm, Worms Against Nuclear Killers. (I
> won't use the acronym so as not to offend our British readers. I found
> out about that when the BBC interviewed me about it and I was told that
> I could not utter the word.)

Wow, I didn't know your side don't use that word... I thought I knew about all the stereotypically British ones!

Do you guys have any curses or insults at all???

Chris

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?
Re: Root exploit for FreeBSD
On Fri, 11 Dec 2009 13:01:51 -0800, Kurt Buff wrote:
> Well, yes, except this assumes one has access to the sysadmin...

Physical access. It's hard to exploit a sysadmin by social engineering because he hardly has any friends. :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Root exploit for FreeBSD
> but i look in syslogs of some FreeBSD internet server and there is a great
> evidence that some "botnets" are (again) trying simple combination of
> uid/pwd.

/usr/ports/security/sshguard-*

randy
Re: Root exploit for FreeBSD
Ulf Zimmermann writes:
> Just go to Fry's Electronic. Most of their systems are still
> MS-Dos with Novell for network, running text based
> inventory/quote/sales app.

A _lot_ of small businesses have something similar.

Robert Huff
Re: Root exploit for FreeBSD
On Fri, Dec 11, 2009 at 03:23:56PM -0800, Kevin Oberman wrote:
> > Date: Fri, 11 Dec 2009 08:49:42 +
> > From: Matthew Seaman
> > Sender: owner-freebsd-curr...@freebsd.org
> >
> > Polytropon wrote:
> > > On Fri, 11 Dec 2009 01:42:36 -0600, "Sam Fourman Jr."
> > > wrote:
> > >> I have tried looking around and OpenBSD appears to be the undisputed
> > >> #1 track record in terms of security and FreeBSD is #2 (I didn't count
> > >> dragonflyBSD)
> > >
> > > VMS would be #0, then? :-)
> >
> > I dunno. Haven't seen many MS-DOS exploits recently either...
>
> I'm sure that there are systems happily running MSDOS, but I bet not too
> many are networked.
>
> I know that there is still a lot of VMS out there and that it has
> remained a cash cow for HP. It lived on primarily in the banking and
> financial sector, though I guess the use is dropping since HP recently
> outsourced support to India and that led to the retirement of the last
> of the original VMS developers, Andy Goldstein.

Just go to Fry's Electronic. Most of their systems are still MS-Dos with Novell for network, running text based inventory/quote/sales app.

>
> Also, the end of TECO as Andy was responsible for porting it to
> almost every platform DEC ever sold (RSX, RSTS, VMS, TOPS-10 and
> TOPS-20, RT-11, and several others) and continued to maintain it until
> his retirement. (Most readers of this list probably don't even remember
> TECO.)
>
> And, for many years VMS had major network security problems, especially
> the infamous default DECNET/DECNET account that led to many compromises
> and the second major network worm, Worms Against Nuclear Killers. (I
> won't use the acronym so as not to offend our British readers. I found
> out about that when the BBC interviewed me about it and I was told that
> I could not utter the word.)
> --
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: ober...@es.net Phone: +1 510 486-8634
> Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
> ___
> freebsd-curr...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
>

--
Regards, Ulf.

-
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://www.Alameda.net/~ulf/resume.html
Re: Root exploit for FreeBSD
> Date: Fri, 11 Dec 2009 08:49:42 +
> From: Matthew Seaman
> Sender: owner-freebsd-curr...@freebsd.org
>
> Polytropon wrote:
> > On Fri, 11 Dec 2009 01:42:36 -0600, "Sam Fourman Jr."
> > wrote:
> >> I have tried looking around and OpenBSD appears to be the undisputed
> >> #1 track record in terms of security and FreeBSD is #2 (I didn't count
> >> dragonflyBSD)
> >
> > VMS would be #0, then? :-)
>
> I dunno. Haven't seen many MS-DOS exploits recently either...

I'm sure that there are systems happily running MSDOS, but I bet not too many are networked.

I know that there is still a lot of VMS out there and that it has remained a cash cow for HP. It lived on primarily in the banking and financial sector, though I guess the use is dropping since HP recently outsourced support to India and that led to the retirement of the last of the original VMS developers, Andy Goldstein.

Also, the end of TECO as Andy was responsible for porting it to almost every platform DEC ever sold (RSX, RSTS, VMS, TOPS-10 and TOPS-20, RT-11, and several others) and continued to maintain it until his retirement. (Most readers of this list probably don't even remember TECO.)

And, for many years VMS had major network security problems, especially the infamous default DECNET/DECNET account that led to many compromises and the second major network worm, Worms Against Nuclear Killers. (I won't use the acronym so as not to offend our British readers. I found out about that when the BBC interviewed me about it and I was told that I could not utter the word.)

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Re: Root exploit for FreeBSD
On Fri, Dec 11, 2009 at 11:53, J Sisson wrote:
> 2009/12/11 Svein Skogen (Listmail Account)
>
>> The easiest way of brute-forcing access to a FreeBSD server includes
>> locating the sysadmin and applying the common desk drawer. It's that
>> simple.
>>
>
> http://xkcd.com/538/
>
> indeed.

Well, yes, except this assumes one has access to the sysadmin...

Kurt
Re: Root exploit for FreeBSD
2009/12/11 Svein Skogen (Listmail Account)

> The easiest way of brute-forcing access to a FreeBSD server includes
> locating the sysadmin and applying the common desk drawer. It's that
> simple.
>

http://xkcd.com/538/

indeed.
Re: Root exploit for FreeBSD
If memory serves me right, sometime around 10:49am, Jerry McAllister told me:
> On Fri, Dec 11, 2009 at 08:49:42AM +, Matthew Seaman wrote:
>> Polytropon wrote:
>>> On Fri, 11 Dec 2009 01:42:36 -0600, "Sam Fourman Jr." wrote:
>>>> I have tried looking around and OpenBSD appears to be the undisputed
>>>> #1 track record in terms of security and FreeBSD is #2 (I didn't count
>>>> dragonflyBSD)
>>>
>>> VMS would be #0, then? :-)
>>
>> I dunno. Haven't seen many MS-DOS exploits recently either...
>
> Chuckle Chuckle Chuckle.
> I haven't either.
> Don't see much MS-DOS network activity either...
>
> jerry

nor any AtariDOS either.
Re: Root exploit for FreeBSD
Dag-Erling Smørgrav wrote:
> "Svein Skogen" writes:
>> The easiest way of brute-forcing access to a FreeBSD server includes
>> locating the sysadmin and applying the common desk drawer. It's that
>> simple.
>
> *laugh*
>
> I thought you were more of a baseball bat kind of guy :)

Desk drawers are easier found around the sysadmin, and that means you don't have to carry suspicious evidence around the city. ;)

//Svein
Re: Root exploit for FreeBSD
On Fri, 11 Dec 2009 10:49:50 -0500, Jerry McAllister wrote:
> On Fri, Dec 11, 2009 at 08:49:42AM +, Matthew Seaman wrote:
>
> > Polytropon wrote:
> > > On Fri, 11 Dec 2009 01:42:36 -0600, "Sam Fourman Jr."
> > > wrote:
> > >> I have tried looking around and OpenBSD appears to be the undisputed
> > >> #1 track record in terms of security and FreeBSD is #2 (I didn't count
> > >> dragonflyBSD)
> > >
> > > VMS would be #0, then? :-)
> >
> > I dunno. Haven't seen many MS-DOS exploits recently either...
>
> Chuckle Chuckle Chuckle.
> I haven't either.
> Don't see much MS-DOS network activity either...

Lemme check...

    C:\>ne2000 -w 0x65 0xC 0x300
    C:\>doslynx
    :b
    echo Looking for Sybille...
    goto b

Ah, there it was! :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Root exploit for FreeBSD
On Fri, Dec 11, 2009 at 08:49:42AM +, Matthew Seaman wrote:

> Polytropon wrote:
> > On Fri, 11 Dec 2009 01:42:36 -0600, "Sam Fourman Jr."
> > wrote:
> >> I have tried looking around and OpenBSD appears to be the undisputed
> >> #1 track record in terms of security and FreeBSD is #2 (I didn't count
> >> dragonflyBSD)
> >
> > VMS would be #0, then? :-)
>
> I dunno. Haven't seen many MS-DOS exploits recently either...

Chuckle Chuckle Chuckle.
I haven't either.
Don't see much MS-DOS network activity either...

jerry

>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   Flat 3
>                                                   7 Priory Courtyard
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW, UK
>
Re: Root exploit for FreeBSD
On Fri, Dec 11, 2009 at 08:49:42AM +, Matthew Seaman wrote:
> I dunno. Haven't seen many MS-DOS exploits recently either...

That's true, it would be difficult to find a local privilege escalation exploit in an operating system without the concept of limited user accounts :)

--
Mark Shroyer
http://markshroyer.com/contact/
Re: Root exploit for FreeBSD
On Dec 10, 2009, at 8:41 AM, Anton Shterenlikht wrote:

>> From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

From http://www.serverwatch.com/eur/article.php/3850401/FreeBSD-Shines-While-Apple-Fails.htm

> All software has bugs, but it's how people react when things go wrong that
> you can judge them. Did the FreeBSD folks sit around and do nothing? Did they
> busy themselves with other things and leave 8.0, 7.1 and 7.0 users vulnerable
> to pwnage? No, they did not! A matter of hours later Colin Percival,
> FreeBSD's security officer, made this announcement:
>
> A short time ago a 'local root' exploit was posted to the full-disclosure
> mailing list; as the name suggests, this allows a local user to execute
> arbitrary code as root ... since exploit code is already widely available I
> want to make a patch available ASAP.
> And with that, he released said patch.
>

So what OS does your information security manager run on his {desk,lap}top?

-stacey.
Re: Root exploit for FreeBSD
"Svein Skogen" writes:
> The easiest way of brute-forcing access to a FreeBSD server includes
> locating the sysadmin and applying the common desk drawer. It's that
> simple.

*laugh*

I thought you were more of a baseball bat kind of guy :)

DES
--
Dag-Erling Smørgrav - d...@des.no
Re: Root exploit for FreeBSD
Dag-Erling Smørgrav wrote:
> $witch writes:
>> but i look in syslogs of some FreeBSD internet server and there is a
>> great evidence that some "botnets" are (again) trying simple
>> combination of uid/pwd.
>>
>> starting from Dec 8 01:00:34 (CET) hundreds of zombies are looking
>> for a valid username.
>
> Starting from Dec 8? This has been going on for years, and it is not
> targeted at FreeBSD; they attack anything that runs an SSH server. Of
> course, on current OpenSSH versions, it will get them nowhere, because
> there is no partial confirmation, so they have to guess at the user
> *and* the password, instead of first searching for an existing user and
> *then* guessing at the password.
>
> (on certain OSes - but not FreeBSD - running certain older OpenSSH
> versions, you could figure out if the user existed, even if you didn't
> have the right password)

The easiest way of brute-forcing access to a FreeBSD server includes locating the sysadmin and applying the common desk drawer. It's that simple.

//Svein
Re: Root exploit for FreeBSD
$witch writes:
> but i look in syslogs of some FreeBSD internet server and there is a
> great evidence that some "botnets" are (again) trying simple
> combination of uid/pwd.
>
> starting from Dec 8 01:00:34 (CET) hundreds of zombies are looking
> for a valid username.

Starting from Dec 8? This has been going on for years, and it is not targeted at FreeBSD; they attack anything that runs an SSH server. Of course, on current OpenSSH versions, it will get them nowhere, because there is no partial confirmation, so they have to guess at the user *and* the password, instead of first searching for an existing user and *then* guessing at the password.

(on certain OSes - but not FreeBSD - running certain older OpenSSH versions, you could figure out if the user existed, even if you didn't have the right password)

DES
--
Dag-Erling Smørgrav - d...@des.no
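The kind of syslog evidence discussed in the message above can be summarised mechanically. The following is an added example, not code from any poster in this thread: it scans sshd log lines for sources that try many different usernames and for password logins that succeed right after failures from the same address. The sample lines are constructed, and the function name, threshold and result keys are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH syslog format (not real data;
# the addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Dec  8 01:00:34 gw sshd[4101]: Invalid user admin from 203.0.113.7
Dec  8 01:00:34 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Dec  8 01:00:36 gw sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 40120 ssh2
Dec  8 01:00:39 gw sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Dec  8 01:00:41 gw sshd[4107]: Failed password for root from 198.51.100.23 port 51514 ssh2
Dec  8 01:00:44 gw sshd[4109]: Failed password for invalid user guest from 198.51.100.23 port 51520 ssh2
Dec  8 01:02:10 gw sshd[4120]: Failed password for alice from 192.0.2.50 port 60001 ssh2
Dec  8 01:02:18 gw sshd[4121]: Accepted password for alice from 192.0.2.50 port 60002 ssh2
Dec  8 01:05:00 gw sshd[4130]: Accepted publickey for bob from 192.0.2.60 port 60100 ssh2
"""

# "Invalid user ..." lines are skipped on purpose: each one is followed by a
# "Failed password for invalid user ..." line, so counting both would double up.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def analyse(log_text, min_users=3):
    """Summarise password guessing seen in sshd log text.

    min_users is an assumed threshold: a source that fails against at least
    this many distinct usernames is reported as a username scanner.
    """
    users_by_src = defaultdict(set)   # source address -> usernames it failed on
    failures_by_src = defaultdict(int)
    suspicious_logins = []            # password logins preceded by failures

    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            _invalid, user, src = m.groups()
            users_by_src[src].add(user)
            failures_by_src[src] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            # A key-based login says nothing about guessed passwords; a
            # password login from an address that just failed deserves a look.
            if method == "password" and failures_by_src.get(src, 0) > 0:
                suspicious_logins.append((src, user))

    scanners = sorted(
        (src, sorted(users))
        for src, users in users_by_src.items()
        if len(users) >= min_users
    )
    all_users = set().union(*users_by_src.values()) if users_by_src else set()
    return {
        "scanners": scanners,
        "password_login_after_failure": suspicious_logins,
        "sources": len(users_by_src),      # distinct addresses with failures
        "usernames": len(all_users),       # distinct usernames attempted
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for src, users in report["scanners"]:
        print(f"{src} tried {len(users)} usernames: {', '.join(users)}")
    for src, user in report["password_login_after_failure"]:
        print(f"password login for {user} from {src} after earlier failures")
    print(f"{report['sources']} sources, {report['usernames']} usernames attempted")
```

Lowering `min_users` catches the distributed pattern in which each of many addresses makes only a few attempts.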
Re: Root exploit for FreeBSD
Paul Schmehl writes:
> >> And from I understand it's going to get worse.
> >> Apparently the IT services are drawing up
> >> plans to completely forbid use of "non-autorized"
> >> OS. I imagine fbsd will not be authorized.
> >> So I'm anticipating another battle already.
> >
> > Does this extend to computers used for academic research, student
> > owned computers being used on campus, etc?
> >
> > Perhaps it's because we're conditioned to think this way but a lot of
> > us at universities in the US see a lot of this as being commonplace
> > and to *not* do them is generally considered bad security practice.
> >
>
> This last part is surprising to me. Not only are we not
> Windows-centric, the very idea of not allowing a diversity of
> OSes is foreign to our operation. We are a heavy Solaris shop
> (as are many universities), have a good amount of Suse and RHEL
> and far less Windows servers exposed to the Internet. At the
> desktop users may install whatever they want, so long as it's
> maintained properly (which we audit routinely) and used in an
> acceptable manner (which you agree to when you get an account.)
> We have just about every OS you can imagine, including some you
> wouldn't believe still exist.

I haven't worked directly with academic IT in decades ... but I live in Boston, which has the highest concentration of colleges on the planet, and talk to people who do.

If any of the major local colleges tried to ban non-Windows OSs as either or desktop, the only question would be who got to IT first - the students with the stakes and holy water, or the professors with the tar and feathers.

On the other hand a well considered security policy specifying ends and not means, and accompanied by end-user detection/correction mechanisms, would be adopted quite happily.

Robert Huff
Re: Root exploit for FreeBSD
Polytropon wrote:
> On Fri, 11 Dec 2009 01:42:36 -0600, "Sam Fourman Jr."
> wrote:
>> I have tried looking around and OpenBSD appears to be the undisputed
>> #1 track record in terms of security and FreeBSD is #2 (I didn't count
>> dragonflyBSD)
>
> VMS would be #0, then? :-)

I dunno. Haven't seen many MS-DOS exploits recently either...

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   Flat 3
                                                  7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW, UK
Re: Root exploit for FreeBSD
On Fri, 11 Dec 2009 12:29:44 +0100, $witch wrote:
> starting from Dec 8 01:00:34 (CET) hundreds of zombies are looking for a
> valid username.

For example "Administrator"... :-)

> i love the FreeBSD security while it is MOSTLY based on KNOWLEDGE of users
> than on a PERFECT code.

Security is not a state, it's a process, involving many considerations; "the user" is one of the most important ones. Even "perfectly secure" code can't cope with human stupidity.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Root exploit for FreeBSD
At 2009-12-11 11:29:44+, $witch writes:
> but i look in syslogs of some FreeBSD internet server and there is a great
> evidence that some "botnets" are (again) trying simple combination of
> uid/pwd.

# always, everywhere:
PasswordAuthentication No

Nick B
Re: Root exploit for FreeBSD
On Thu, 10 Dec 2009 15:41:41 +0100, Anton Shterenlikht wrote: From my information security manager: FreeBSD isn't much used within the University (I understand) and has a (comparatively) poor security record. .. Hi, almost all of you remark how FreeBSD is more-secure-than-others-OS, will add nothing to various comments. but i look in syslogs of some FreeBSD internet server and there is a great evidence that some "botnets" are (again) trying simple combination of uid/pwd. starting from Dec 8 01:00:34 (CET) hundreds of zombies are looking for a valid username. it means that most of the matter is ours; the FreeBSD users. we are the only ones that will (or will not) patch the systems; i love the FreeBSD security while it is MOSTLY based on KNOWLEDGE of users than on a PERFECT code. cheers Alessandro -- "If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus Torvalds
Re: Root exploit for FreeBSD
On Thu, Dec 10, 2009 at 10:34:34PM -0600, Paul Schmehl wrote: > > I'm starting to wonder if the security manager really said what Anton > claims he said, or Anton is filtering his perceptions through the anger he > feels at being restricted in his ability to operate freely. If the latter > is the case, you'd better adjust to it. It's the world of the future. > You can do whatever you want at home, but on the corporate network you > either follow the rules or lose your access. yes, he did, I can forward you our communication off list if you wish. -- Anton Shterenlikht Room 2.6, Queen's Building Mech Eng Dept Bristol University University Walk, Bristol BS8 1TR, UK Tel: +44 (0)117 331 5944 Fax: +44 (0)117 929 4423
Re: Root exploit for FreeBSD
On Fri, 11 Dec 2009 01:42:36 -0600, "Sam Fourman Jr." wrote: > I have tried looking around and OpenBSD appears to be the undisputed > #1 track record in terms of security and FreeBSD is #2 (I didn't count > dragonflyBSD) VMS would be #0, then? :-) -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...
Re: Root exploit for FreeBSD
> > From my information security manager: > > FreeBSD isn't much used within the University (I understand) I sometimes wonder the validity of such statements, since we use it on 99% of our servers, the work-stations run Linux. Then again, we are considered a more theoretical than practical school :-) and has a > (comparatively) poor security record. Most recently, for example: > > > http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html as many have explained, connecting a computer to the network has its risks, and FreeBSD has a great security record. my 2c. danny -- Daniel Braniss, e-mail: da...@cs.huji.ac.il, Manager of Computing Facilities, The Selim and Rachel Benin School of Engineering and Computer Science, The Hebrew University of Jerusalem, Edmond Safra Campus, Givat Ram, Israel, phone: +972 2 658 4385, Fax: +972 2 561 7723
Re: Root exploit for FreeBSD
On Thu, Dec 10, 2009 at 8:51 AM, Bill Moran wrote: > In response to Anton Shterenlikht : > >> From my information security manager: >> >> FreeBSD isn't much used within the University (I understand) and has a >> (comparatively) poor security record. Most recently, for example: >> >> >> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html > > Are you trying to make your infosec guy look like an idiot? Does he > realize that FreeBSD has a grand total of 16 security problems for all > of 2009? Hell, Microsoft has that many in an average month. > > If he can find something (other than OpenBSD) with a better record than > that, I'd love to hear about it. Either your infosec guy is close to incompetent or this is flame bait. I have tried looking around and OpenBSD appears to be the undisputed #1 track record in terms of security and FreeBSD is #2 (I didn't count dragonflyBSD) Linux is just horrible, and Windows well enough said :) Sam Fourman Jr. Fourman Networks
Re: Root exploit for FreeBSD
I think democracy is a choice of freedom. Freedom what to use, AND, in such cases - freedom where to work! If you are marketing specialist probably you should NOT touch much of your computer's control gear. If you are an IT specialist or support such treatment is similar to treat you as a cattle. It's only up to you to allow or forbid such treatment. The freedom has its price, of course. I always choose to pay it. If someone hires me to manage something he should listen to my or my team's advice. Otherwise he spends money for nothing and I earn headache and broken nerves! And as for academic battle: If universities deny to make tests, experiments and cutting edge implementations then who would??? If IT or computing science, or telecommunication departments are treated in such manner probably they should be dismissed for not letting them to damage our future specialists! It's a sin to read just one book, even if it is the Holy Bible! God, forgive me for comparing М$ with the Bible, it's just for conviction ;-)! In fact I won partially such a battle in 2002-2003, and even if I don't work for our University they still rely on FreeBSD for major part of their IT infrastructure. I wish you all freedom and success! Jerry-107 wrote: > > On Thu, 10 Dec 2009 20:21:26 +0100 > Julian H. Stacey replied: > >>> Fortuantely, I had no problem setting up a "black" FreeBSD box to >>> preserve my sanity. >> >>A tip for those threatened with no BSD box at work: >>FreeBSD runs fine _inside_ a box that looks like a multi sheet scanner. >>OK, slow, but invisible to managers who require MS only. >> >>These scanners often lie abandoned in company junk rooms (& cheap >>on web), as people know they used to need MS's abandoned NT (= Not >>There) operating system. Well they do ... until one installs BSD. >>Credit to David M. who did the FreeBSD work. 
Pictures of hardware >>to look for in junk rooms: http://www.berklix.com/scanjet/ >> >>Cheers, >>Julian > > Out of pure morbid curiosity, would you please answer this question for > me. > > You work for a corporation that specifically requires the use of > a specific OS, the OS itself is not material to this question. It also > forbids the use of any unauthorized OS or equipment on the companies > network. You decide to ignore their directives and eventually: > > 1) Get caught > 2) Cause a problem with the company's network, etc. > > Now, when you get fired and possible charged with a crime, do you: > > 1) Cry and bitch that they are being unfair? > 2) Accept the fact that you deserved to be dismissed? > > Where I use to work, two or three employees were fired each year > because they thought they knew more than everyone else. They failed to > realize that they were being compensated to do what they were told and > not what they thought they should be doing. The bottom line is if they > are not smart enough to follow company directives, they are certainly > not capable of instigating their own protocol. > > -- > Jerry > ges...@yahoo.com > > Grandpa Charnock's Law: > You never really learn to swear until you learn to drive. > > [I thought it was when your kids learned to drive. Ed.]
Re: Root exploit for FreeBSD
> FreeBSD isn't much used within the University (I understand) and has a > (comparatively) poor security record. unlike linux or windoze, rofl randy
Re: Root exploit for FreeBSD
--On December 10, 2009 2:11:31 PM -0600 Kevin Wilcox wrote: 2009/12/10 Anton Shterenlikht : I was just stressed after being forced by him to explain why I wanted firewall exceptions for two ports to my FreeBSD portscluster nodes. I explained the reasons and that was settled. Anton, I don't know about the UK, Great Britain or England, but in US Universities, this is fairly common. It just serves as a sanity check for the many, many requests central IT tends to get regarding allowing ingress traffic for faculty/staff machines, and it gives the firewall guys documentation that such-and-such machine should be receiving inbound traffic on specific ports. I can confirm this, at least for us. Our practice is to only open ports for thoroughly justified business reasons, document thoroughly and audit regularly. The Uni is, of course, addicted to Microsoft, but having realised all the problems with that, lately the policy has been to deny (!) MS users admin access to their own desktops. The situation is just ridiculous - if a MS user wants to install a piece of software on their PC he/she has to ask for permission, and then wait until some computer officer would come and do install for them. Again, I don't know about the UK, Great Britain or England, but in the US this is also quite common, at least with regards to University owned hardware. The first responsibility is to protect the network and existing services. Sadly, many groups fail to provide the next step, that being a relatively quick, easy way to have approved software installed for users, and a method for having non-approved software scrutinised and either approved or rejected. This is less common at the universities that I'm familiar with. I think it becomes less common the larger and/or older a university is. The trend is to move in this direction, but we're also moving toward much stronger compliance controls. 
There are things about your computer's configuration and maintenance that you will no longer get to decide, regardless of the OS you run - password strength and length, for example, the ability to create local accounts, and other such things. These things aren't being done to harass or irritate users but because of long and bitter experience with a lack of controls. Our view is, if your computer is going to connect on our network it must be configured in certain ways and behave "normally" or you won't get a connection. Also recently, well.. about a year ago, no host (!) could be accessed from outside the Uni firewall. Special exception has to be obtained even for ssh. There is only one dedicated sun server which accepts only ssh. The users are supposed to dial to this frontend server first, and from there to hosts on the local net. Again, quite common. Most Universities here do not provide public-facing IP addresses without some sort of application and approval process. For example, we have a handful of machines that are public facing but most of our hardware sits inside site-only networks. To access those machines you either have to be on-campus or you have to connect via VPN (and yes, we support Windows, Mac, Linux, Solaris, *BSD). This mirrors our practice. You don't get a public address without being thoroughly vetted *and* agreeing to the terms of use, unscheduled and unannounced monitoring and immediate disconnection without prior notice if a problem is detected. Having an SSH proxy isn't an entirely bad idea, though I can see where performance may be hindered. I had to fight a long battle, well.. I had some support from other academics, to have a linux class in my Faculty. Here the opposition wasn't so much security, as "why would any undegraduate need linux", as if MS solutions are a pinnacle of human thought. That's a pretty fair question and one that I hope you would have asked yourself before you made the push for the class. 
And from I understand it's going to get worse. Apparently the IT services are drawing up plans to completely forbid use of "non-autorized" OS. I imagine fbsd will not be authorized. So I'm anticipating another battle already. Does this extend to computers used for academic research, student owned computers being used on campus, etc? Perhaps it's because we're conditioned to think this way but a lot of us at universities in the US see a lot of this as being commonplace and to *not* do them is generally considered bad security practice. This last part is surprising to me. Not only are we not Windows-centric, the very idea of not allowing a diversity of OSes is foreign to our operation. We are a heavy Solaris shop (as are many universities), have a good amount of Suse and RHEL and far less Windows servers exposed to the Internet. At the desktop users may install whatever they want, so long as it's maintained properly (which we audit routinely) and used in an acceptable manner (which you agree to when you get an account.) We have just about ev
Re: Root exploit for FreeBSD
Jerry wrote: > Out of pure morbid curiosity, would you please answer this question for > me. > > You work for a corporation that specifically requires the use of > a specific OS, the OS itself is not material to this question. It also > forbids the use of any unauthorized OS or equipment on the companies > network. You decide to ignore their directives and eventually: > > 1) Get caught > 2) Cause a problem with the company's network, etc. > > Now, when you get fired and possible charged with a crime, do you: > > 1) Cry and bitch that they are being unfair? > 2) Accept the fact that you deserved to be dismissed? Accept, humbly. The majority of companies that I have worked for that have a 'policy', have a 'policy' that is extremely spread thin. Personally, I've never _breached_ policy... I've always expressed to the proper level of management as to *why* something needs to be done differently. With that said, again, in your case, I'll resign, gleefully, as my next contract picks me up for being diligent. > Where I use to work, two or three employees were fired each year > because they thought they knew more than everyone else. They failed to > realize that they were being compensated to do what they were told and > not what they thought they should be doing. Then the managers have the wrong attitude...completely. I will only allow myself to be hired as an employee or contractor if the person hiring me is doing so because they expect to gain something from my knowledge and experience. Only a monkey is paid to do what they are told. I don't do that. I couldn't do that. If that is what you do, I feel sorry for you. > The bottom line is if they > are not smart enough to follow company directives, they are certainly > not capable of instigating their own protocol. ...companies that enforce their staff to do what they are told will collapse. People who take their pay cheque just because they sit there and do what they are told hate their job. I love my job, I love my work. 
I am underpaid, but I do what I *LOVE*. I direct our company through innovation, ingenuity, integrity and risk. If I had to sit at a desk and do the same thing every day because my company told me to, I'd rather. never mind... it'll be archived. Steve
Re: Root exploit for FreeBSD
> > FreeBSD isn't much used within the University (I understand) and has a > > (comparatively) poor security record. Most recently, for example: > > > > > > http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html > > Are you trying to make your infosec guy look like an idiot? Does he Give the infosec guy a break. he has been so busy fixing the other OSes that he never noticed how many FreeBSD systems are in use in his own place, nor that they went with relatively satisfactory security level. Olivier
Re: Root exploit for FreeBSD
> On Thu, 10 Dec 2009 20:21:26 +0100 > > Julian H. Stacey replied: > >> Fortuantely, I had no problem setting up a "black" FreeBSD box to > >> preserve my sanity. > > > >A tip for those threatened with no BSD box at work: > >FreeBSD runs fine _inside_ a box that looks like a multi sheet scanner. > >OK, slow, but invisible to managers who require MS only. > > > >These scanners often lie abandoned in company junk rooms (& cheap > >on web), as people know they used to need MS's abandoned NT (= Not > >There) operating system. Well they do ... until one installs BSD. > >Credit to David M. who did the FreeBSD work. Pictures of hardware > >to look for in junk rooms: http://www.berklix.com/scanjet/ > > > >Cheers, > >Julian > > Out of pure morbid curiosity, would you please answer this question for > me. > > You work for a corporation that specifically requires the use of > a specific OS, the OS itself is not material to this question. It also > forbids the use of any unauthorized OS or equipment on the companies > network. You decide to ignore their directives and eventually: > > 1) Get caught > 2) Cause a problem with the company's network, etc. > > Now, when you get fired and possible charged with a crime, do you: > > 1) Cry and bitch that they are being unfair? > 2) Accept the fact that you deserved to be dismissed? > > Where I use to work, two or three employees were fired each year > because they thought they knew more than everyone else. They failed to > realize that they were being compensated to do what they were told and > not what they thought they should be doing. The bottom line is if they > are not smart enough to follow company directives, they are certainly > not capable of instigating their own protocol. > most lickers are not very smart either. David
Re: Root exploit for FreeBSD
2009/12/10 Anton Shterenlikht : > I was just stressed after being forced by him > to explain why I wanted firewall exceptions > for two ports to my FreeBSD portscluster nodes. > I explained the reasons and that was settled. Anton, I don't know about the UK, Great Britain or England, but in US Universities, this is fairly common. It just serves as a sanity check for the many, many requests central IT tends to get regarding allowing ingress traffic for faculty/staff machines, and it gives the firewall guys documentation that such-and-such machine should be receiving inbound traffic on specific ports. > The Uni is, of course, > addicted to Microsoft, but having realised all > the problems with that, lately the policy has > been to deny (!) MS users admin access to their > own desktops. The situation is just ridiculous - > if a MS user wants to install a piece of software > on their PC he/she has to ask for permission, > and then wait until some computer officer would > come and do install for them. Again, I don't know about the UK, Great Britain or England, but in the US this is also quite common, at least with regards to University owned hardware. The first responsibility is to protect the network and existing services. Sadly, many groups fail to provide the next step, that being a relatively quick, easy way to have approved software installed for users, and a method for having non-approved software scrutinised and either approved or rejected. > Also recently, well.. about a year ago, no > host (!) could be accessed from outside the > Uni firewall. Special exception has to be > obtained even for ssh. There is only one dedicated > sun server which accepts only ssh. The users > are supposed to dial to this frontend server > first, and from there to hosts on the local net. Again, quite common. Most Universities here do not provide public-facing IP addresses without some sort of application and approval process. 
For example, we have a handful of machines that are public facing but most of our hardware sits inside site-only networks. To access those machines you either have to be on-campus or you have to connect via VPN (and yes, we support Windows, Mac, Linux, Solaris, *BSD). Having an SSH proxy isn't an entirely bad idea, though I can see where performance may be hindered. > I had to fight a long battle, well.. I had > some support from other academics, to have > a linux class in my Faculty. Here the > opposition wasn't so much security, as > "why would any undegraduate need linux", > as if MS solutions are a pinnacle of human thought. That's a pretty fair question and one that I hope you would have asked yourself before you made the push for the class. > And from I understand it's going to get worse. > Apparently the IT services are drawing up > plans to completely forbid use of "non-autorized" > OS. I imagine fbsd will not be authorized. > So I'm anticipating another battle already. Does this extend to computers used for academic research, student owned computers being used on campus, etc? Perhaps it's because we're conditioned to think this way but a lot of us at universities in the US see a lot of this as being commonplace and to *not* do them is generally considered bad security practice. kmw -- Beware the leader who bangs the drums of war in order to whip the citizenry into a patriotic fervor, for patriotism is indeed a double-edged sword. It both emboldens the blood, just as it narrows the mind. And when the drums of war have reached a fever pitch and the blood boils with hate and the mind has closed, the leader will have no need in seizing the rights of the citizenry. 
Rather, the citizenry, infused with fear and blinded by patriotism, will offer up all of their rights unto the leader and gladly so - Unattributed, post 9/11
Re: Root exploit for FreeBSD
On Thu, 10 Dec 2009 20:21:26 +0100 Julian H. Stacey replied: >> Fortuantely, I had no problem setting up a "black" FreeBSD box to >> preserve my sanity. > >A tip for those threatened with no BSD box at work: >FreeBSD runs fine _inside_ a box that looks like a multi sheet scanner. >OK, slow, but invisible to managers who require MS only. > >These scanners often lie abandoned in company junk rooms (& cheap >on web), as people know they used to need MS's abandoned NT (= Not >There) operating system. Well they do ... until one installs BSD. >Credit to David M. who did the FreeBSD work. Pictures of hardware >to look for in junk rooms: http://www.berklix.com/scanjet/ > >Cheers, >Julian Out of pure morbid curiosity, would you please answer this question for me. You work for a corporation that specifically requires the use of a specific OS, the OS itself is not material to this question. It also forbids the use of any unauthorized OS or equipment on the companies network. You decide to ignore their directives and eventually: 1) Get caught 2) Cause a problem with the company's network, etc. Now, when you get fired and possible charged with a crime, do you: 1) Cry and bitch that they are being unfair? 2) Accept the fact that you deserved to be dismissed? Where I use to work, two or three employees were fired each year because they thought they knew more than everyone else. They failed to realize that they were being compensated to do what they were told and not what they thought they should be doing. The bottom line is if they are not smart enough to follow company directives, they are certainly not capable of instigating their own protocol. -- Jerry ges...@yahoo.com Grandpa Charnock's Law: You never really learn to swear until you learn to drive. [I thought it was when your kids learned to drive. Ed.]
Re: Root exploit for FreeBSD
> Fortuantely, I had no problem setting up a "black" FreeBSD box to > preserve my sanity. A tip for those threatened with no BSD box at work: FreeBSD runs fine _inside_ a box that looks like a multi sheet scanner. OK, slow, but invisible to managers who require MS only. These scanners often lie abandoned in company junk rooms (& cheap on web), as people know they used to need MS's abandoned NT (= Not There) operating system. Well they do ... until one installs BSD. Credit to David M. who did the FreeBSD work. Pictures of hardware to look for in junk rooms: http://www.berklix.com/scanjet/ Cheers, Julian -- Julian Stacey: BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com Mail plain text not quoted-printable, HTML or Base64: http://asciiribbon.org
Re: Root exploit for FreeBSD
On Thu, Dec 10, 2009 at 10:21 AM, Anton Shterenlikht wrote: > Perhaps I should start putting together > some statistics to make my case more forcefully. > I fought the same battle at the Univ. I attended (as a student). They were an M$ shop as well and had issues with me running OpenBSD. I stuck to it and finally got a "straight" answer from the Dean of CS: "I don't know anything about OpenBSD...please just use Windows and be like everyone else!". Odd, I thought that one role of higher education is to teach critical thinking, which by definition means disagreements will (and should!) occur. Apparently I was wrong. I later took an independent study at the same Univ. I wanted to compare security records for various OS's (FreeBSD and OpenBSD being listed in there). This was rejected in favor of me doing security research for Windows...so I wrote a program to demonstrate why Admins shouldn't blindly trust even system code (Windows Server 2003...stuff like netstat and task manager) and demonstrated that to the graduate level network security class (I was an undergrad at the time). I completely gave up when the grad students followed suit with the dean and tried arguing with me that my code was "hacked together specifically to exhibit the behavior I was trying to demonstrate"...as if it wasn't *real* and it couldn't be used to a malicious user's advantage. I guess it doesn't exist in the security world (according to the previously mentioned grad students) if it's not "mainstream thinking"...I feel sorry for the companies that depend on those idiots for security. If they've bought into M$ FUD, no amount of statistics/code/demonstrations will help. I'd skip the statistics in favor of putting together a resume.
Re: Root exploit for FreeBSD
On Thu, 10 Dec 2009 16:21:50 + Anton Shterenlikht wrote: > I had to fight a long battle, well.. I had > some support from other academics, to have > a linux class in my Faculty. Here the > opposition wasn't so much security, as > "why would any undegraduate need linux", > as if MS solutions are a pinnacle of human thought. > I feel for you. I used to work for DEC, at one time a major UNIX vendor. Then one day all employees were forced to install Windows NT to access their mail accounts because management, in its wisdom, decided to standardize on Mickeysoft Exchange Server. No real reason, since up til then UNIX mail servers had been more than adequate. IT services had similarly restrictive policies regarding users installing SW, etc. I always wondered who Mickeysoft bribed to get that put through. Fortunately, I had no problem setting up a "black" FreeBSD box to preserve my sanity. --- Gary Jennejohn
Re: Root exploit for FreeBSD
Chargen wrote: > On Thu, Dec 10, 2009 at 5:21 PM, Anton Shterenlikht > wrote: >> On Thu, Dec 10, 2009 at 09:51:22AM -0500, Bill Moran wrote: >>> In response to Anton Shterenlikht : > >> I had to fight a long battle, well.. I had >> some support from other academics, to have >> a linux class in my Faculty. Here the >> opposition wasn't so much security, as >> "why would any undegraduate need linux", >> as if MS solutions are a pinnacle of human thought. > > This is getting so funny.. > > Next topic please. > > Peace. What bothers me is that some of these worshipers (be that demon, penguin, apple, or windows) simply cannot fathom the old "right tool for the right job" saying... //Svein -- Svein Skogen, System Admin, stillbilde.net, Solberg Østli 9, 2020 Skedsmokorset, Norway. sv...@d80.iso100.no (PGP Key: 0xE5E76831), sv...@jernhuset.no (PGP Key: 0xCE96CE13), sv...@stillbilde.net (PGP Key: 0x58CD33B6), svein-listm...@stillbilde.net (PGP Key: 0x22D494A4). msn messenger: sv...@jernhuset.no, Mobile Phone: +47 907 03 575, RIPE handle: SS16503-RIPE. If you really are in a hurry, mail me at svein-mob...@stillbilde.net This mailbox goes directly to my cellphone and is checked even when I'm not in front of my computer. Picture Gallery: https://gallery.stillbilde.net/v/svein/
Re: Root exploit for FreeBSD
http://security.freebsd.org/advisories/FreeBSD-SA-09:16.rtld.asc On Thu, Dec 10, 2009 at 11:05:16AM -0600, Paul Schmehl thus spake: --On Thursday, December 10, 2009 08:41:41 -0600 Anton Shterenlikht wrote: From my information security manager: FreeBSD isn't much used within the University (I understand) and has a (comparatively) poor security record. Most recently, for example: http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html Please pass this to your information security manager: From one information security manager to another, you're an idiot. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. *** "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson -- i am a mutthead
Re: Root exploit for FreeBSD
--On Thursday, December 10, 2009 08:41:41 -0600 Anton Shterenlikht wrote:

From my information security manager:

FreeBSD isn't much used within the University (I understand) and has a (comparatively) poor security record. Most recently, for example:

http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

Please pass this to your information security manager: From one information security manager to another, you're an idiot.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
***
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
Re: Root exploit for FreeBSD
On Thu, Dec 10, 2009 at 5:21 PM, Anton Shterenlikht wrote:
> On Thu, Dec 10, 2009 at 09:51:22AM -0500, Bill Moran wrote:
>> In response to Anton Shterenlikht :

> I had to fight a long battle, well.. I had
> some support from other academics, to have
> a linux class in my Faculty. Here the
> opposition wasn't so much security, as
> "why would any undergraduate need linux",
> as if MS solutions are a pinnacle of human thought.

This is getting so funny..

Next topic please.

Peace.
Re: Root exploit for FreeBSD
On Thu, Dec 10, 2009 at 09:51:22AM -0500, Bill Moran wrote:
> In response to Anton Shterenlikht :
> >
> > From my information security manager:
> >
> > FreeBSD isn't much used within the University (I understand) and has a
> > (comparatively) poor security record. Most recently, for example:
> >
> > http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html
>
> Are you trying to make your infosec guy look like an idiot? Does he
> realize that FreeBSD has a grand total of 16 security problems for all
> of 2009? Hell, Microsoft has that many in an average month.
>
> If he can find something (other than OpenBSD) with a better record than
> that, I'd love to hear about it.

I was just stressed after being forced by him to explain why I wanted firewall exceptions for two ports to my FreeBSD portscluster nodes. I explained the reasons and that was settled.

I wouldn't be surprised if I'm the sole fbsd user at my Uni. The situation with computing is not great and getting worse. The Uni is, of course, addicted to Microsoft, but having realised all the problems with that, lately the policy has been to deny (!) MS users admin access to their own desktops. The situation is just ridiculous - if a MS user wants to install a piece of software on their PC he/she has to ask for permission, and then wait until some computer officer would come and do the install for them.

Also recently, well.. about a year ago, no host (!) could be accessed from outside the Uni firewall. Special exception has to be obtained even for ssh. There is only one dedicated sun server which accepts only ssh. The users are supposed to dial to this frontend server first, and from there to hosts on the local net.

Honestly, the situation is so bad that I sometimes wonder - perhaps it's me who is mad. It seems IT services look at anybody who wants to escape MS with suspicion at best.

I had to fight a long battle, well.. I had some support from other academics, to have a linux class in my Faculty. Here the opposition wasn't so much security, as "why would any undergraduate need linux", as if MS solutions are a pinnacle of human thought.

And from what I understand it's going to get worse. Apparently the IT services are drawing up plans to completely forbid use of "non-authorized" OS. I imagine fbsd will not be authorized. So I'm anticipating another battle already.

Perhaps I should start putting together some statistics to make my case more forcefully.

many thanks for your support, as always

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
Re: Root exploit for FreeBSD
Anton Shterenlikht wrote:

From my information security manager:

FreeBSD isn't much used within the University (I understand) and has a (comparatively) poor security record. Most recently, for example:

http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

yeah we know, but really, quoting security as a reason not to use it is a bit like quoting flat tyres (British spelling to those USA'ns reading) as a reason to not buy a Jag. Every OS has them and in fact we are better than many.
Re: Root exploit for FreeBSD
Fire the noob you have working for you and hire someone with a clue.

Anton Shterenlikht wrote:

From my information security manager:

FreeBSD isn't much used within the University (I understand) and has a (comparatively) poor security record. Most recently, for example:

http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html
Re: Root exploit for FreeBSD
On Thu, 10 Dec 2009 14:41:41 + Anton Shterenlikht wrote:

> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record.

In comparison to what it is supposed to have a poor security record?

> Most recently, for example:
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

Yes, and?

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0+archive/2009/freebsd-security-notifications/20091206.freebsd-security-notifications
http://security.freebsd.org/advisories/FreeBSD-SA-09:16.rtld.asc

Andreas

-- 
GnuPG key : 0x2A573565|http://www.gnupg.org/howtos/de/
Fingerprint: 925D 2089 0BF9 8DE5 9166 33BB F0FD CD37 2A57 3565
Re: Root exploit for FreeBSD
2009/12/10 Anton Shterenlikht :
> From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

Wow. Just...wow. FreeBSD's security record, the rate at which fixes occur, the ports system and the overall sanity of the environment is *precisely* why we have been migrating from RHEL to FreeBSD at my University (I'm employed by the University, not a student).

I would be quite curious as to which operating system is serving as the baseline for this comparison. I would also be quite curious as to whether the manager making said statement is responsible for central IT services or is locked into providing services by a particular vendor.

kmw

-- 
Beware the leader who bangs the drums of war in order to whip the citizenry into a patriotic fervor, for patriotism is indeed a double-edged sword. It both emboldens the blood, just as it narrows the mind. And when the drums of war have reached a fever pitch and the blood boils with hate and the mind has closed, the leader will have no need in seizing the rights of the citizenry. Rather, the citizenry, infused with fear and blinded by patriotism, will offer up all of their rights unto the leader and gladly so - Unattributed, post 9/11
Re: Root exploit for FreeBSD
Anton Shterenlikht writes:
> From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for
> example:

"comparatively", compared to what? Windows? Linux? We beat them both into the ground. He is speaking from ignorance.

DES

-- 
Dag-Erling Smørgrav - d...@des.no
Re: Root exploit for FreeBSD
Bill Moran wrote:
> In response to Anton Shterenlikht :
>
>> From my information security manager:
>>
>> FreeBSD isn't much used within the University (I understand) and has a
>> (comparatively) poor security record. Most recently, for example:
>>
>> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html
>
> Are you trying to make your infosec guy look like an idiot?

He doesn't really have to _try_, does he?

I have always thought that an infosec person should *know* what they have running within their own network, and furthermore, gather his comparative analysis from somewhere other than the dept-of-some-guys-blog.

Perhaps these are not the job requirements of a security person.

Steve
Re: Root exploit for FreeBSD
At 09:41 AM 12/10/2009, Anton Shterenlikht wrote:

From my information security manager:

FreeBSD isn't much used within the University (I understand) and has a (comparatively) poor security record. Most recently, for example:

http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

Some say... world flat... some say roundish. There are lots of opinions to choose from. It would be nice to see an actual properly designed study quoted... or even some raw data referenced. and I am not talking about something vendor sponsored that examines such track records.

In the case of the above mentioned zero day exploit someone posted, I think FreeBSD did a GREAT job at getting a fast unofficial patch out and then 2 days later an official advisory and patch out. Take a look at their actual track record at http://www.freebsd.org/security and judge for yourself based on that. Note, a good chunk of what's there is common across multiple operating systems (e.g. ntpd, BIND, openssl etc)

There are lots of reasons why someone might use or not use FreeBSD. In my _opinion_, a "poor security record" is not one of them... But judge for yourself based on their actual track record.

---Mike

Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
Re: Root exploit for FreeBSD
Anton Shterenlikht wrote:
> From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

Without wanting to get into any "flame wars", I will only say this .. I find this kind of unsubstantiated speculation extremely disappointing. It speaks not only to an apparent lack of knowledge about FreeBSD but also about any alternative operating system.

Subject closed,

imb
Re: Root exploit for FreeBSD
In response to Anton Shterenlikht :
> From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a
> (comparatively) poor security record. Most recently, for example:
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

Are you trying to make your infosec guy look like an idiot? Does he realize that FreeBSD has a grand total of 16 security problems for all of 2009? Hell, Microsoft has that many in an average month.

If he can find something (other than OpenBSD) with a better record than that, I'd love to hear about it.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/