unsubscribe
unsubscribe -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
problem to translate DSA 125 in french
Hello, We have an ongoing effort to keep all DSA translated to french. But we have a problem with the DSA125: Yuji Takahashi discovered a bug in analog which allows a cross-site scripting type attack. It is easy for an attacker to insert arbitrary strings into any web server logfile. If these strings are then analysed by analog, they can appear in the report. By this means an attacker can introduce arbitrary Javascript code, for example, into an analog report produced by someone else and read by a third person. Analog already attempted to encode unsafe characters to avoid this type of attack, but the conversion was incomplete. What is a cross-site scripting type attack ? If there is some french speaking people on this list, could you propose a translation ? If not, could you explain in english what kind of attack it is? Thanks for all, Mt. PS: keep us in CC, since we are not on the ML. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
how to unsubscribe.
how to unsubscribe. -- Best regards. áÄÍÉÎÉÓÔÒÁÔÏÒ óÅÔÉ ïïï ôÒÁÎËÏÍ ëÏÒÏÂÁÎÏ× óÅÒÇÅÊ é×ÁÎÏ×ÉÞ. ph (248) 3-96-47 (095) 745-09-50 mailto: [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: how to unsubscribe.
On Fri, 2002-04-26 at 09:58, Trancom wrote: how to unsubscribe. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] Look here Or Here \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RSA an easy crack?
I hate to say this, but I think I have reason to believe that PGP might actually be an easy crack. Before now, it probably was only easy to those with access to specially designed analog computers, which means that it really wasn't a problem. But there is now in the public domain an algorithm solution method that will generate a fast numerical solution for most systems of differential equations, given an initial value. That means that a digital solution is out there, and I think that people within the security community need to check this out before someone outside the security community does. Specifically, I think that if you have the public key, and the encrypted data, and know (or can guess) what the unencrypted data is, then you can quickly deduce the private key. That's bad... unless steps are taken to eliminate this hole. --- before I go on, for responses please cc: me at [EMAIL PROTECTED] --- Specifically, imagine a function that has a periodic nature at every nth integer being 0, but being 1 at all other integers, and is in the form of a broken triangular function. __ ___ ___ ___ ___ \/ \/ \/ \/ Now, at one location, add in an upside down triangular function to make the value 1 at that location. __ ___ ___ ___ \/ \/\/ \/ Also, define that the width of the triangle -- no matter what the spacing -- is always, say +/- 0.25. Now, define this function to be F, and define P to be the product of a whole bunch of functions F. Now, define that a function F is to be centered at any integer location where the value of the function is 1. If you can do all that, then you can generate a function that will drop out all the primes and only primes. That is, the value of the function will be 1 whereever there is a prime, and zero everywhere else. Now go research the Parker-Souchacki solution to the Picard iteration. It's actually a very simple, fast algorithm that will generate bits in linear time for any or most systems of equations or differential equations. (Developed by Ed Parker and Jim Souchacki of James Madison University in Harrisonburg, VA USA... some info available on the web, enough to learn their method.) I am pretty sure that their method can be used in this way to generate primes. More than that, if you link the primes algorithm to the known input data and the known output data and the public key, then concievably you could have an algorithm that simply drops the digits of the private key out one by one in almost no time. -- Proposed solution: It may be necessary to shift to white-noise encryption for truly secure documents such as financial transactions. There are combinations of white-noise + PGP that may offer moderate security for mostly secure documents. More than that, our attitudes about the security of RSA and PGP may need to change. - Mike -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: disable RPC
On Wed, Apr 24, 2002 at 11:26:16AM -0400, Andrew Kaplan wrote: How do I disable RPC. I know the scripts can be removed from init.d But I know there's a command similar to apt-get remove ??? or something similar. That removes is completely. Read http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-rpc Regards Javi PS: If you do not find that informative feel free to bug me :) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Lost root password!!
On Wed, Apr 24, 2002 at 01:23:02AM +0200, Luis Gómez Miralles wrote: Hi, Simple. Do the init=/bin/sh trick. When you're booted, mount / -o remount,rw Then edit /etc/passwd and add this to /etc/passwd: root2::0:0:root:/root:/bin/bash This should do the trick :) If you want more detailed info take a look at the Securing Debian Manual, section 11.1.9 http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1 Hope that's useful. Javi -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: RSA not an easy crack
On Fri, Apr 26, 2002 at 11:18:16AM +0200, DSC Siltec wrote: Now, define this function to be F, and define P to be the product of a whole bunch of functions F. Now, define that a function F is to be centered at any integer location where the value of the function is 1. Consider the case of a 512-bit product of two 256-bit primes. In this case, your whole bunch of functions is going to have a cardinality (if I read your pseudo-Sieve of Erathostenes idea correctly) on the order of P * 2^128 (where P is the fraction of integers that are prime), or P * 340,282,366,920,938,463,463,374,607,431,768,211,456 functions F. Back to the drawing board, I would say. -Michael Robinson -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: RSA not an easy crack
On Fri, Apr 26, 2002 at 11:18:16AM +0200, DSC Siltec wrote: Specifically, I think that if you have the public key, and the encrypted data, and know (or can guess) what the unencrypted data is, then you can quickly deduce the private key. I forgot to mention: in encryption scenarios with RSA (as opposed to digital signatures), the unencrypted data is a randomly-generated session key for a symmetric cipher, which is used to encrypt the actual unencrypted data. The session key is encrypted with RSA and then discarded. Finding the unencrypted data in this case is equivalent to either cracking the session key RNG, or cracking the symmetric cipher, the ability to do either of which obviates the need to deduce the RSA private key in the first place. -Michael Robinson -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: RSA not an easy crack
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi all, Michael Robinson wrote: [snip] | Finding the unencrypted data in this case is equivalent to either | cracking the session key RNG, or cracking the symmetric cipher, the | ability to do either of which obviates the need to deduce the RSA | private key in the first place. No it is not equivalent, as finding the private key would also enable you to digitally identify yourself as the key's owner, which is of at least the same importance when we look at how many people use PGP/GPG for digitally signing documents and mails. Ralf - -- Ralf Gerlich[EMAIL PROTECTED] Passionate programmer http://home.easylink.de/rgerlich/ ~(my GPG signature is here^^) - -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS d- s: a-- C++ UL++ P+++ L++ E W++ N+ o-- K- w O-- M V-- PS PE Y+ PGP+ t+ 5 X+ R- tv++ b+ DI D+ G e h-- r y+ - --END GEEK CODE BLOCK-- -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAjzJQ80ACgkQS7bkJa+XO88PywCfdV33Ua6RqWFaNdj++1FEuN13 RKkAnigx96Tems1sxSK9SPeAPhkCxWEm =9Z8H -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: problem to translate DSA 125 in french
On Fri, Apr 26, 2002 at 08:59:50AM +0200, Martin Quinson wrote: What is a cross-site scripting type attack ? One of the first analyses was published by Marc Slemko of the Apache Group at http://httpd.apache.org/info/css-security/ . You'll probably have to read the CERT links on that page as well. Marc deserves most of the credit for the current spate of cross-site scripting reports: He was reiterating the severity of the problem before most people understood it. If you're going to publish a translated explanation, I humbly suggest you read the material two or three times, to make sure you really get it. It's subtle. As for a translated term: Marc's article admits that cross-site scripting isn't all that great a name to begin with, so I'd say you're on your own. :-) Andrew -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: A more secure form of .htaccess?
Hallo Brane, I'm actually a K-13 student, and so in my 'strategic' position I'm on both sides, admin of debian box and 3v1l cracker :) No, well.. I was just kidding, I have really better things to do than actually cracking Debian boxes in pubblic environments, but anyway I what do you think about using https for .htaccess authentication ? With https data will be encripted and it's impossible to find out login and password because they're not sent over the net in a clear way. Consider using https. Good work and protect your boxes ! - Ivo On Thu, Apr 25, 2002 at 09:09:03PM -0600, Schusselig Brane wrote: Tom Dominico wrote: Hello all, I have written some php-based internal systems for our users. Users are required to authenticate to access this system, and their login determines what they are allowed to do within the system. I am concerned that their logging in with cleartext passwords is a security risk. I work in a K-12 school enviroment, and many of these students are rather devious and resourceful (as I was at that age :) ). My fear is some bright student setting a sniffer up on my network and gleaning passwords from it. I am wondering if any of you have had similar problems. What is a more secure way for people to login? Is SSL an option, and if so, how do I go about using it? Do I have to purchase a certificate? Or is there some other option? Finally, should I be using .htaccess at all, or is there a better way? Thank you in advance for your advice. Another option would be to run switches instead of normal hub or bus topology. Switches tend not to allow other nodes on a network to see data that is passing over it. However, it will more than likely prove to be a PITA to convince budget makers to allow the expense of the new equipment. Useless input, I know. But, I didn't see anyone else mention this. As a side note, if your installation is new enough, switches may already be in place, and you don't have much to worry about as far as stuff getting sniffed off the network. That is, of course, if the network was designed with that in mind. -Will Wesley, CCNA To make tax forms true they should read Income Owed Us and Incommode You. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: A more secure form of .htaccess?
Htaccess: --- You should be aware, that when you use normal .htaccess protection, browser never logout..With eg. Internet Explorer, all intances of IE have to be closed to make the browser forget the login.. There are several tricks to make the browser forget the login, but none really secure.. One is to make a logout link that links to eg. https://logout:[EMAIL PROTECTED]/logout In the logout folder you make a new htaccess file that uses another htpassword file which contains a user called logout with a password called logout, but keeping the same REALM.. (the realm is importent).. This rewrite's the browser credentials for your realm with username and password logout.. (Make sure users in /logout have no vital access offcourse) The hard part is to get ppl to use the logout link and not just closing the instance of the browser.. Second more, if your users are allowed to have pages on the same address as the login system, the browser can, without much effort, be tricked into giving away your systems username and password to a personal user page... Switches: The subject on switches.. It is a general misunderstanding that switches provide security.. There are several easy tricks to make a switch spill its guts.. They were designed for performance and no one ever promised security :) SSL: --- No you do not need to purchase a certificate.. Simply generate your own.. Yet, in an enviroment where users share the same pc, security is hard to achive (i am assuming that youre runnig a windows enviroment), since varios keyloggers can be installed on the clients, you have access to the cache and the cookies. On this i have no wonderous advise :).. (i didnt follow the thread, only the content of this mail, so i hope im not repeating anything already said) - Dan Faerch A/S ScanNet (Denmark) - Original Message - From: eim [EMAIL PROTECTED] To: Schusselig Brane [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, April 26, 2002 5:57 PM Subject: Re: A more secure form of .htaccess? Hallo Brane, I'm actually a K-13 student, and so in my 'strategic' position I'm on both sides, admin of debian box and 3v1l cracker :) No, well.. I was just kidding, I have really better things to do than actually cracking Debian boxes in pubblic environments, but anyway I what do you think about using https for .htaccess authentication ? With https data will be encripted and it's impossible to find out login and password because they're not sent over the net in a clear way. Consider using https. Good work and protect your boxes ! - Ivo On Thu, Apr 25, 2002 at 09:09:03PM -0600, Schusselig Brane wrote: Tom Dominico wrote: Hello all, I have written some php-based internal systems for our users. Users are required to authenticate to access this system, and their login determines what they are allowed to do within the system. I am concerned that their logging in with cleartext passwords is a security risk. I work in a K-12 school enviroment, and many of these students are rather devious and resourceful (as I was at that age :) ). My fear is some bright student setting a sniffer up on my network and gleaning passwords from it. I am wondering if any of you have had similar problems. What is a more secure way for people to login? Is SSL an option, and if so, how do I go about using it? Do I have to purchase a certificate? Or is there some other option? Finally, should I be using .htaccess at all, or is there a better way? Thank you in advance for your advice. Another option would be to run switches instead of normal hub or bus topology. Switches tend not to allow other nodes on a network to see data that is passing over it. However, it will more than likely prove to be a PITA to convince budget makers to allow the expense of the new equipment. Useless input, I know. But, I didn't see anyone else mention this. As a side note, if your installation is new enough, switches may already be in place, and you don't have much to worry about as far as stuff getting sniffed off the network. That is, of course, if the network was designed with that in mind. -Will Wesley, CCNA To make tax forms true they should read Income Owed Us and Incommode You. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: RSA not an easy crack
Michael Robinson wrote: On Fri, Apr 26, 2002 at 11:18:16AM +0200, DSC Siltec wrote: Now, define this function to be F, and define P to be the product of a whole bunch of functions F. Now, define that a function F is to be centered at any integer location where the value of the function is 1. Consider the case of a 512-bit product of two 256-bit primes. In this case, your whole bunch of functions is going to have a cardinality (if I read your pseudo-Sieve of Erathostenes idea correctly) on the order of P * 2^128 (where P is the fraction of integers that are prime), or P * 340,282,366,920,938,463,463,374,607,431,768,211,456 functions F. Back to the drawing board, I would say. -Michael Robinson Actually, the beauty of the Parker Souchacki method is that it would allow the simultaneous solution of a system of equations that has one functional solution. Which means that you only need one set of equations, and it solves for all values at once, Which means you might have only about 40 equations to solve, and when you add the RSA algorithm, perhaps another 10-20. The algorithm then starts with a single known point (for example, the value at x=2 is y=1) and then performs a simple operation on each function, cranking out one term of the MacLauren series of one function for each simple operation. One of those output functions will be a function that is 1 at every prime, and zero everywhere else. If done correctly, though, another one of the functions is y=[Solution key] that means that after 60 simple math operations you get 1 bit of the solution. Another 60 operations yields two more bits. Another 60 operations yields another 4 bits. *Again -- that is if you know the raw data.* It's that bad. However, the double-layered encryption, which always takes a randomly generated number as its raw data, does sound secure, because the RNGs are going to be practically unbreakable (we hope -- and that can be improved with white-noise CDs recorded from your local waterfall.). The thing, then, would be to upgrade all security to double-layer, or let it be understood that single-layer encryption is fragile -- if indeed this algorithm works out. - Mike -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: connection refuse by tcp_wrapper
First check if your reverse DNS is working, after that, try to put the line: sshd: 192.168.1.10 192.168.1.11 In your /etc/hosts.allow. Regards [EMAIL PROTECTED] escreveu em Wed, 24 Apr 2002 22:18:14 +0700 (JAVT): Dear all, I am a beginner in linux os, I try to configure tcp_wrapper in myconfiguration like this : hosts.deny ALL : ALL hosts.allow ALL : 192.168.1.10 ALL : 192.168.1.11 but when i try to connect from 192.168.1.10 and 11 my server is allways give a message : ssh_exchange_identification: Connection closed by remote host What is the problem with my tcp_wrapper ? anyone can help ? Thank all, Akoe Rymond -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] --- Gleydson Mazioli da Silva [EMAIL PROTECTED] [EMAIL PROTECTED] Errar é humano, mas para se fazer uma monstruosa cagada é preciso um computador. (autor desconhecido) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: A more secure form of .htaccess?
also sprach eim [EMAIL PROTECTED] [2002.04.26.1757 +0200]: With https data will be encripted and it's impossible to find out login and password because they're not sent over the net in a clear way. never say impossible. -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^.*|tr * mailto:; net@madduck crying is the refuge of plain women but the ruin of pretty ones. -- oscar wilde msg06507/pgp0.pgp Description: PGP signature
Re: RSA not an easy crack
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 DSC == DSC Siltec [EMAIL PROTECTED] writes: DSC Actually, the beauty of the Parker Souchacki method is that it DSC would allow the simultaneous solution of a system of equations that DSC has one functional solution. Which means that you only need one DSC set of equations, and it solves for all values at once, DSC Which means you might have only about 40 equations to solve, and DSC when you add the RSA algorithm, perhaps another 10-20. The I think that Michael's point was that you'd need P * 340,282,366,920,938,463,463,374,607,431,768,211,456 equations; not 10-20. BTW, why are you discussing this on debian-security, and not with some real mathematicians? (Not that there aren't any real mathematicians on this list, but d-s is populated mostly with admins.) Someone like Schneier would be in a much better position than pretty much anyone on this list to tell you whether or not you're right. Even a professor from a local University would probably know better. DSC However, the double-layered encryption, which always takes a DSC randomly generated number as its raw data, does sound secure, DSC because the RNGs are going to be practically unbreakable (we hope DSC -- and that can be improved with white-noise CDs recorded from your DSC local waterfall.). ??? According to your proposal, an attacker only needs the public key, the plaintext, and the ciphertext, all of which are easy to obtain. The public key is know due to it being public. He can generate his own plaintext, and generate a ciphertext by hand, so the fact that every PGP implementation uses a double layer encryption doesn't help. Whether or not the digital signature on this message has been forged is up to you to guess. ;-) - -- Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/ PGP/GnuPG key: 1024D/71FDA37F Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F Key available at wwwkeys.pgp.net. Encrypted e-mail preferred. -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8yfEjZRhU33H9o38RAvUYAKCSTa1fPORg7ebHrwU6+m38RpzCYQCgw2Mb aQOPRN6JLnYzenpnpMlvBOI= =aHSP -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: A more secure form of .htaccess?
also sprach Dan Faerch [EMAIL PROTECTED] [2002.04.26.1955 +0200]: Second more, if your users are allowed to have pages on the same address as the login system, the browser can, without much effort, be tricked into giving away your systems username and password to a personal user page... how? The subject on switches.. It is a general misunderstanding that switches provide security.. There are several easy tricks to make a switch spill its guts.. They were designed for performance and no one ever promised security true, and i love this one because it's the first thing everyone says in response to hearing something said on 'sniffing'. uhm, every previously not so exposed person as we are, i mean. but have you tried your luck on one of the better cisco and hewlett-packard switches? you know their algorithm against MAC table overflow? if yes, then just think about it, and about how good it is. -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^.*|tr * mailto:; net@madduck micro$oft productivity software - see reductio ad absurdum, conclusions. msg06509/pgp0.pgp Description: PGP signature
Re: A more secure form of .htaccess?
Trust not in switches. They too can be easily manipulated unless you have locked them down at a mac address and port level. 'apt-get install dsniff' ; 'man arpspoof' Another option would be to run switches instead of normal hub or bus topology. Switches tend not to allow other nodes on a network to see data that is passing over it. However, it will more than likely prove to be a PITA to convince budget makers to allow the expense of the new equipment. Useless input, I know. But, I didn't see anyone else mention this. As a side note, if your installation is new enough, switches may already be in place, and you don't have much to worry about as far as stuff getting sniffed off the network. That is, of course, if the network was designed with that in mind. -Will Wesley, CCNA To make tax forms true they should read Income Owed Us and Incommode You. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] [-] Steve Mickeler [ [EMAIL PROTECTED] ] [|] Todays root password is brought to you by /dev/random [+] 1024D/ACB58D4F = 0227 164B D680 9E13 9168 AE28 843F 57D7 ACB5 8D4F -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
unsubscribe
unsubscribe -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
problem to translate DSA 125 in french
Hello, We have an ongoing effort to keep all DSA translated to french. But we have a problem with the DSA125: Yuji Takahashi discovered a bug in analog which allows a cross-site scripting type attack. It is easy for an attacker to insert arbitrary strings into any web server logfile. If these strings are then analysed by analog, they can appear in the report. By this means an attacker can introduce arbitrary Javascript code, for example, into an analog report produced by someone else and read by a third person. Analog already attempted to encode unsafe characters to avoid this type of attack, but the conversion was incomplete. What is a cross-site scripting type attack ? If there is some french speaking people on this list, could you propose a translation ? If not, could you explain in english what kind of attack it is? Thanks for all, Mt. PS: keep us in CC, since we are not on the ML. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
how to unsubscribe.
how to unsubscribe. -- Best regards. Администратор Сети ООО Транком Коробанов Сергей Иванович. ph (248) 3-96-47 (095) 745-09-50 mailto: [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: how to unsubscribe.
On Fri, 2002-04-26 at 09:58, Trancom wrote: how to unsubscribe. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] Look here Or Here \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RSA an easy crack?
I hate to say this, but I think I have reason to believe that PGP might actually be an easy crack. Before now, it probably was only easy to those with access to specially designed analog computers, which means that it really wasn't a problem. But there is now in the public domain an algorithm solution method that will generate a fast numerical solution for most systems of differential equations, given an initial value. That means that a digital solution is out there, and I think that people within the security community need to check this out before someone outside the security community does. Specifically, I think that if you have the public key, and the encrypted data, and know (or can guess) what the unencrypted data is, then you can quickly deduce the private key. That's bad... unless steps are taken to eliminate this hole. --- before I go on, for responses please cc: me at [EMAIL PROTECTED] --- Specifically, imagine a function that has a periodic nature at every nth integer being 0, but being 1 at all other integers, and is in the form of a broken triangular function. __ ___ ___ ___ ___ \/ \/ \/ \/ Now, at one location, add in an upside down triangular function to make the value 1 at that location. __ ___ ___ ___ \/ \/\/ \/ Also, define that the width of the triangle -- no matter what the spacing -- is always, say +/- 0.25. Now, define this function to be F, and define P to be the product of a whole bunch of functions F. Now, define that a function F is to be centered at any integer location where the value of the function is 1. If you can do all that, then you can generate a function that will drop out all the primes and only primes. That is, the value of the function will be 1 whereever there is a prime, and zero everywhere else. Now go research the Parker-Souchacki solution to the Picard iteration. It's actually a very simple, fast algorithm that will generate bits in linear time for any or most systems of equations or differential equations. (Developed by Ed Parker and Jim Souchacki of James Madison University in Harrisonburg, VA USA... some info available on the web, enough to learn their method.) I am pretty sure that their method can be used in this way to generate primes. More than that, if you link the primes algorithm to the known input data and the known output data and the public key, then concievably you could have an algorithm that simply drops the digits of the private key out one by one in almost no time. -- Proposed solution: It may be necessary to shift to white-noise encryption for truly secure documents such as financial transactions. There are combinations of white-noise + PGP that may offer moderate security for mostly secure documents. More than that, our attitudes about the security of RSA and PGP may need to change. - Mike -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Lost root password!!
On Wed, Apr 24, 2002 at 01:23:02AM +0200, Luis Gómez Miralles wrote: Hi, Simple. Do the init=/bin/sh trick. When you're booted, mount / -o remount,rw Then edit /etc/passwd and add this to /etc/passwd: root2::0:0:root:/root:/bin/bash This should do the trick :) If you want more detailed info take a look at the Securing Debian Manual, section 11.1.9 http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1 Hope that's useful. Javi -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: RSA not an easy crack
On Fri, Apr 26, 2002 at 11:18:16AM +0200, DSC Siltec wrote: Now, define this function to be F, and define P to be the product of a whole bunch of functions F. Now, define that a function F is to be centered at any integer location where the value of the function is 1. Consider the case of a 512-bit product of two 256-bit primes. In this case, your whole bunch of functions is going to have a cardinality (if I read your pseudo-Sieve of Erathostenes idea correctly) on the order of P * 2^128 (where P is the fraction of integers that are prime), or P * 340,282,366,920,938,463,463,374,607,431,768,211,456 functions F. Back to the drawing board, I would say. -Michael Robinson -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: RSA not an easy crack
On Fri, Apr 26, 2002 at 11:18:16AM +0200, DSC Siltec wrote: Specifically, I think that if you have the public key, and the encrypted data, and know (or can guess) what the unencrypted data is, then you can quickly deduce the private key. I forgot to mention: in encryption scenarios with RSA (as opposed to digital signatures), the unencrypted data is a randomly-generated session key for a symmetric cipher, which is used to encrypt the actual unencrypted data. The session key is encrypted with RSA and then discarded. Finding the unencrypted data in this case is equivalent to either cracking the session key RNG, or cracking the symmetric cipher, the ability to do either of which obviates the need to deduce the RSA private key in the first place. -Michael Robinson -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
IPtables and Connection Tracking
Hi, today I saw something mysterious with IPtables. I had a little mistake in my script. To test the funktionality. i pinged a host in the www and changed then the wrong entries in my script. I looked with tcpdump if the ping becomes a reply. But erverything i've done, no reply came back. Then i pinged from another maschine in the same subnet and i've become a reply. Does the connection tracking hold the connections even if the firewall was flushed? If it is so, is it a bug or a feature? Thanks to all Thorsten -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: RSA not an easy crack
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi all, Michael Robinson wrote: [snip] | Finding the unencrypted data in this case is equivalent to either | cracking the session key RNG, or cracking the symmetric cipher, the | ability to do either of which obviates the need to deduce the RSA | private key in the first place. No it is not equivalent, as finding the private key would also enable you to digitally identify yourself as the key's owner, which is of at least the same importance when we look at how many people use PGP/GPG for digitally signing documents and mails. Ralf - -- Ralf Gerlich[EMAIL PROTECTED] Passionate programmer http://home.easylink.de/rgerlich/ ~(my GPG signature is here^^) - -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS d- s: a-- C++ UL++ P+++ L++ E W++ N+ o-- K- w O-- M V-- PS PE Y+ PGP+ t+ 5 X+ R- tv++ b+ DI D+ G e h-- r y+ - --END GEEK CODE BLOCK-- -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAjzJQ80ACgkQS7bkJa+XO88PywCfdV33Ua6RqWFaNdj++1FEuN13 RKkAnigx96Tems1sxSK9SPeAPhkCxWEm =9Z8H -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: problem to translate DSA 125 in french
On Fri, Apr 26, 2002 at 08:59:50AM +0200, Martin Quinson wrote: What is a cross-site scripting type attack ? One of the first analyses was published by Marc Slemko of the Apache Group at http://httpd.apache.org/info/css-security/ . You'll probably have to read the CERT links on that page as well. Marc deserves most of the credit for the current spate of cross-site scripting reports: He was reiterating the severity of the problem before most people understood it. If you're going to publish a translated explanation, I humbly suggest you read the material two or three times, to make sure you really get it. It's subtle. As for a translated term: Marc's article admits that cross-site scripting isn't all that great a name to begin with, so I'd say you're on your own. :-) Andrew -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: A more secure form of .htaccess?
Hallo Brane, I'm actually a K-13 student, and so in my 'strategic' position I'm on both sides, admin of debian box and 3v1l cracker :) No, well.. I was just kidding, I have really better things to do than actually cracking Debian boxes in pubblic environments, but anyway I what do you think about using https for .htaccess authentication ? With https data will be encripted and it's impossible to find out login and password because they're not sent over the net in a clear way. Consider using https. Good work and protect your boxes ! - Ivo On Thu, Apr 25, 2002 at 09:09:03PM -0600, Schusselig Brane wrote: Tom Dominico wrote: Hello all, I have written some php-based internal systems for our users. Users are required to authenticate to access this system, and their login determines what they are allowed to do within the system. I am concerned that their logging in with cleartext passwords is a security risk. I work in a K-12 school enviroment, and many of these students are rather devious and resourceful (as I was at that age :) ). My fear is some bright student setting a sniffer up on my network and gleaning passwords from it. I am wondering if any of you have had similar problems. What is a more secure way for people to login? Is SSL an option, and if so, how do I go about using it? Do I have to purchase a certificate? Or is there some other option? Finally, should I be using .htaccess at all, or is there a better way? Thank you in advance for your advice. Another option would be to run switches instead of normal hub or bus topology. Switches tend not to allow other nodes on a network to see data that is passing over it. However, it will more than likely prove to be a PITA to convince budget makers to allow the expense of the new equipment. Useless input, I know. But, I didn't see anyone else mention this. As a side note, if your installation is new enough, switches may already be in place, and you don't have much to worry about as far as stuff getting sniffed off the network. That is, of course, if the network was designed with that in mind. -Will Wesley, CCNA To make tax forms true they should read Income Owed Us and Incommode You. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: A more secure form of .htaccess?
Htaccess: --- You should be aware, that when you use normal .htaccess protection, browser never logout..With eg. Internet Explorer, all intances of IE have to be closed to make the browser forget the login.. There are several tricks to make the browser forget the login, but none really secure.. One is to make a logout link that links to eg. https://logout:[EMAIL PROTECTED]/logout In the logout folder you make a new htaccess file that uses another htpassword file which contains a user called logout with a password called logout, but keeping the same REALM.. (the realm is importent).. This rewrite's the browser credentials for your realm with username and password logout.. (Make sure users in /logout have no vital access offcourse) The hard part is to get ppl to use the logout link and not just closing the instance of the browser.. Second more, if your users are allowed to have pages on the same address as the login system, the browser can, without much effort, be tricked into giving away your systems username and password to a personal user page... Switches: The subject on switches.. It is a general misunderstanding that switches provide security.. There are several easy tricks to make a switch spill its guts.. They were designed for performance and no one ever promised security :) SSL: --- No you do not need to purchase a certificate.. Simply generate your own.. Yet, in an enviroment where users share the same pc, security is hard to achive (i am assuming that youre runnig a windows enviroment), since varios keyloggers can be installed on the clients, you have access to the cache and the cookies. On this i have no wonderous advise :).. (i didnt follow the thread, only the content of this mail, so i hope im not repeating anything already said) - Dan Faerch A/S ScanNet (Denmark) - Original Message - From: eim [EMAIL PROTECTED] To: Schusselig Brane [EMAIL PROTECTED] Cc: debian-security@lists.debian.org Sent: Friday, April 26, 2002 5:57 PM Subject: Re: A more secure form of .htaccess? Hallo Brane, I'm actually a K-13 student, and so in my 'strategic' position I'm on both sides, admin of debian box and 3v1l cracker :) No, well.. I was just kidding, I have really better things to do than actually cracking Debian boxes in pubblic environments, but anyway I what do you think about using https for .htaccess authentication ? With https data will be encripted and it's impossible to find out login and password because they're not sent over the net in a clear way. Consider using https. Good work and protect your boxes ! - Ivo On Thu, Apr 25, 2002 at 09:09:03PM -0600, Schusselig Brane wrote: Tom Dominico wrote: Hello all, I have written some php-based internal systems for our users. Users are required to authenticate to access this system, and their login determines what they are allowed to do within the system. I am concerned that their logging in with cleartext passwords is a security risk. I work in a K-12 school enviroment, and many of these students are rather devious and resourceful (as I was at that age :) ). My fear is some bright student setting a sniffer up on my network and gleaning passwords from it. I am wondering if any of you have had similar problems. What is a more secure way for people to login? Is SSL an option, and if so, how do I go about using it? Do I have to purchase a certificate? Or is there some other option? Finally, should I be using .htaccess at all, or is there a better way? Thank you in advance for your advice. Another option would be to run switches instead of normal hub or bus topology. Switches tend not to allow other nodes on a network to see data that is passing over it. However, it will more than likely prove to be a PITA to convince budget makers to allow the expense of the new equipment. Useless input, I know. But, I didn't see anyone else mention this. As a side note, if your installation is new enough, switches may already be in place, and you don't have much to worry about as far as stuff getting sniffed off the network. That is, of course, if the network was designed with that in mind. -Will Wesley, CCNA To make tax forms true they should read Income Owed Us and Incommode You. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: RSA not an easy crack
Michael Robinson wrote: On Fri, Apr 26, 2002 at 11:18:16AM +0200, DSC Siltec wrote: Now, define this function to be F, and define P to be the product of a whole bunch of functions F. Now, define that a function F is to be centered at any integer location where the value of the function is 1. Consider the case of a 512-bit product of two 256-bit primes. In this case, your whole bunch of functions is going to have a cardinality (if I read your pseudo-Sieve of Erathostenes idea correctly) on the order of P * 2^128 (where P is the fraction of integers that are prime), or P * 340,282,366,920,938,463,463,374,607,431,768,211,456 functions F. Back to the drawing board, I would say. -Michael Robinson Actually, the beauty of the Parker Souchacki method is that it would allow the simultaneous solution of a system of equations that has one functional solution. Which means that you only need one set of equations, and it solves for all values at once, Which means you might have only about 40 equations to solve, and when you add the RSA algorithm, perhaps another 10-20. The algorithm then starts with a single known point (for example, the value at x=2 is y=1) and then performs a simple operation on each function, cranking out one term of the MacLauren series of one function for each simple operation. One of those output functions will be a function that is 1 at every prime, and zero everywhere else. If done correctly, though, another one of the functions is y=[Solution key] that means that after 60 simple math operations you get 1 bit of the solution. Another 60 operations yields two more bits. Another 60 operations yields another 4 bits. *Again -- that is if you know the raw data.* It's that bad. However, the double-layered encryption, which always takes a randomly generated number as its raw data, does sound secure, because the RNGs are going to be practically unbreakable (we hope -- and that can be improved with white-noise CDs recorded from your local waterfall.). The thing, then, would be to upgrade all security to double-layer, or let it be understood that single-layer encryption is fragile -- if indeed this algorithm works out. - Mike -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: A more secure form of .htaccess?
On Fri, Apr 26, 2002 at 07:55:06PM +0200, Dan Faerch wrote: You should be aware, that when you use normal .htaccess protection, browser never logout..With eg. Internet Explorer, all intances of IE have to be closed to make the browser forget the login.. Actually, I think instances of IE that were each run from the desktop or quicklaunch bar don't share authentication info. At least this has been my experience with IE4 and 5.x. However, if you use File / New to start a new window, that window will share authentication info with the parent. -- Mike Renfro / RD Engineer, Center for Manufacturing Research, 931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: connection refuse by tcp_wrapper
First check if your reverse DNS is working, after that, try to put the line: sshd: 192.168.1.10 192.168.1.11 In your /etc/hosts.allow. Regards [EMAIL PROTECTED] escreveu em Wed, 24 Apr 2002 22:18:14 +0700 (JAVT): Dear all, I am a beginner in linux os, I try to configure tcp_wrapper in myconfiguration like this : hosts.deny ALL : ALL hosts.allow ALL : 192.168.1.10 ALL : 192.168.1.11 but when i try to connect from 192.168.1.10 and 11 my server is allways give a message : ssh_exchange_identification: Connection closed by remote host What is the problem with my tcp_wrapper ? anyone can help ? Thank all, Akoe Rymond -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] --- Gleydson Mazioli da Silva [EMAIL PROTECTED] [EMAIL PROTECTED] Errar é humano, mas para se fazer uma monstruosa cagada é preciso um computador. (autor desconhecido) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: A more secure form of .htaccess?
also sprach eim [EMAIL PROTECTED] [2002.04.26.1757 +0200]: With https data will be encripted and it's impossible to find out login and password because they're not sent over the net in a clear way. never say impossible. -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED] crying is the refuge of plain women but the ruin of pretty ones. -- oscar wilde pgpayMVTHVbHF.pgp Description: PGP signature
Re: RSA not an easy crack
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 DSC == DSC Siltec [EMAIL PROTECTED] writes: DSC Actually, the beauty of the Parker Souchacki method is that it DSC would allow the simultaneous solution of a system of equations that DSC has one functional solution. Which means that you only need one DSC set of equations, and it solves for all values at once, DSC Which means you might have only about 40 equations to solve, and DSC when you add the RSA algorithm, perhaps another 10-20. The I think that Michael's point was that you'd need P * 340,282,366,920,938,463,463,374,607,431,768,211,456 equations; not 10-20. BTW, why are you discussing this on debian-security, and not with some real mathematicians? (Not that there aren't any real mathematicians on this list, but d-s is populated mostly with admins.) Someone like Schneier would be in a much better position than pretty much anyone on this list to tell you whether or not you're right. Even a professor from a local University would probably know better. DSC However, the double-layered encryption, which always takes a DSC randomly generated number as its raw data, does sound secure, DSC because the RNGs are going to be practically unbreakable (we hope DSC -- and that can be improved with white-noise CDs recorded from your DSC local waterfall.). ??? According to your proposal, an attacker only needs the public key, the plaintext, and the ciphertext, all of which are easy to obtain. The public key is know due to it being public. He can generate his own plaintext, and generate a ciphertext by hand, so the fact that every PGP implementation uses a double layer encryption doesn't help. Whether or not the digital signature on this message has been forged is up to you to guess. ;-) - -- Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/ PGP/GnuPG key: 1024D/71FDA37F Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F Key available at wwwkeys.pgp.net. Encrypted e-mail preferred. -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8yfEjZRhU33H9o38RAvUYAKCSTa1fPORg7ebHrwU6+m38RpzCYQCgw2Mb aQOPRN6JLnYzenpnpMlvBOI= =aHSP -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: A more secure form of .htaccess?
also sprach Dan Faerch [EMAIL PROTECTED] [2002.04.26.1955 +0200]: Second more, if your users are allowed to have pages on the same address as the login system, the browser can, without much effort, be tricked into giving away your systems username and password to a personal user page... how? The subject on switches.. It is a general misunderstanding that switches provide security.. There are several easy tricks to make a switch spill its guts.. They were designed for performance and no one ever promised security true, and i love this one because it's the first thing everyone says in response to hearing something said on 'sniffing'. uhm, every previously not so exposed person as we are, i mean. but have you tried your luck on one of the better cisco and hewlett-packard switches? you know their algorithm against MAC table overflow? if yes, then just think about it, and about how good it is. -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED] micro$oft productivity software - see reductio ad absurdum, conclusions. pgpO7L5yHkmrY.pgp Description: PGP signature
