Strange 'su' error messages
Hello!

Since updating my debian server yesterday I get the following error messages every hour (generated by logcheck):

    Jan 13 00:05:01 asterix su[2102]: + ??? root:bin

Today there is even an additional line:

    Jan 13 06:05:01 asterix su[5684]: + ??? root:bin
    Jan 13 06:25:01 asterix su[5741]: + ??? root:nobody

Does anyone have the same error messages/behavior? I'm concerned, but hope that it's just a wrong configuration after the update!

I'm thankful for any help!

Regards,
Christian

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Encrypted backups
Hi - I am investigating ways of producing encrypted backups. Currently I use afio and gpg (via tob) with something like:

    afio -b 10240 -c 1000 -U -Z -P gpg -Q --symmetric -Q \
        --passphrase-fd=3 -Q --no-verbose -Q --batch -Q --no-options \
        -3 3 -o /dev/nst0 < $FILELIST 3< $PASSPHRASE

where $FILELIST is the list of files, and $PASSPHRASE is a path to a file containing the passphrase for the backup set.

After a few tests, this method appears to be extremely slow (on a simple 4mb archive, non encrypted method takes less than .5 secs, encrypted takes about 7 secs) compared to non-encrypted backup sets (which I was expecting).

Does anyone know of ways to speed the process up? Are there any other ways of getting an encrypted backup set that might be faster?

Thanks
Marcus

--
Marcus Williams -- http://www.quintic.co.uk
Quintic Ltd, 39 Newnham Road, Cambridge, UK
This message is private [ ] public [*]
Re: Strange 'su' error messages
On Tue, 2004-01-13 at 10:29, Christian Schuerer wrote:
> Hello!
>
> Since updating my debian server yesterday I get the following error messages every hour (generated by logcheck):
>
>     Jan 13 00:05:01 asterix su[2102]: + ??? root:bin
>
> Today there is even an additional line:
>
>     Jan 13 06:05:01 asterix su[5684]: + ??? root:bin
>     Jan 13 06:25:01 asterix su[5741]: + ??? root:nobody
>
> Does anyone have the same error messages/behavior? I'm concerned, but hope that it's just a wrong configuration after the update!
>
> I'm thankful for any help!

Check your cronjobs, it's probably just one of those.

Teun
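Added example, not part of any message in this thread: one way to follow the "check your cronjobs" advice. su logs `<+|-> <tty> <caller>:<target>`, and `???` in the tty field means su ran without a terminal, so the script pairs each such event with the system crontab entries of the calling user that fire in that minute. The crontab contents and the `hourly-job` path are constructed for illustration, and only numeric crontab fields are handled.

```python
import re
from datetime import datetime

# Message logged by su: "<+|-> <tty> <caller>:<target>"; tty is "???" without a terminal.
SU_LINE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r"(?P<result>[+-]) (?P<tty>\S+) (?P<caller>[^:\s]+):(?P<target>\S+)$"
)
# Value ranges of the crontab time fields (numeric fields only in this example).
LIMITS = {"minute": (0, 59), "hour": (0, 23), "dom": (1, 31), "month": (1, 12), "dow": (0, 7)}

# The three log lines quoted in the thread.
LOG = """\
Jan 13 00:05:01 asterix su[2102]: + ??? root:bin
Jan 13 06:05:01 asterix su[5684]: + ??? root:bin
Jan 13 06:25:01 asterix su[5741]: + ??? root:nobody
"""
# Constructed /etc/crontab-style sample; the poster's real crontab is not on the page.
CRONTAB = """\
SHELL=/bin/sh
5 *  * * *  root  /usr/local/sbin/hourly-job
25 6 * * *  root  run-parts --report /etc/cron.daily
47 6 * * 7  root  run-parts --report /etc/cron.weekly
"""


def parse_su(line, year):
    """Return the fields of one su log line, or None if it is something else."""
    m = SU_LINE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    # syslog timestamps carry no year, so the caller supplies it
    event["when"] = datetime.strptime(f"{year} {event['stamp']}", "%Y %b %d %H:%M:%S")
    event["success"] = event["result"] == "+"
    event["no_tty"] = event["tty"] == "???"  # no terminal: not typed at a login shell
    return event


def field_matches(spec, value, limits):
    """Match one crontab field: '*', 'n', 'a-b', comma lists, optional '/step'."""
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = limits
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = end = int(rng)
        if start <= value <= end and (value - start) % int(step or 1) == 0:
            return True
    return False


def fires_at(schedule, when):
    """True if a five-field cron schedule fires in the minute of `when`."""
    minute, hour, dom, month, dow = schedule
    cron_dow = when.isoweekday() % 7  # cron counts Sunday as 0 (or 7)
    dom_ok = field_matches(dom, when.day, LIMITS["dom"])
    dow_ok = field_matches(dow, cron_dow, LIMITS["dow"]) or (
        cron_dow == 0 and field_matches(dow, 7, LIMITS["dow"]))
    # cron rule: when both day fields are restricted, either one may match
    day_ok = (dom_ok or dow_ok) if dom != "*" and dow != "*" else (dom_ok and dow_ok)
    return (field_matches(minute, when.minute, LIMITS["minute"])
            and field_matches(hour, when.hour, LIMITS["hour"])
            and field_matches(month, when.month, LIMITS["month"]) and day_ok)


def parse_system_crontab(text):
    """Parse /etc/crontab-style lines: five time fields, user, command."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # skip blanks, comments and VAR=value lines
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append({"schedule": fields[:5], "user": fields[5], "command": fields[6]})
    return jobs


def explain(log_text, crontab_text, year):
    """For each su event, list the caller's cron jobs that fire in that minute."""
    jobs = parse_system_crontab(crontab_text)
    report = []
    for line in log_text.splitlines():
        event = parse_su(line, year)
        if event is None:
            continue
        matches = [job["command"] for job in jobs
                   if event["no_tty"] and job["user"] == event["caller"]
                   and fires_at(job["schedule"], event["when"])]
        report.append((event["stamp"], f"{event['caller']}:{event['target']}", matches))
    return report


if __name__ == "__main__":
    for stamp, who, commands in explain(LOG, CRONTAB, 2004):
        print(stamp, who, commands or "no cron job matches: look closer")
```

An event with an empty match list, or one whose tty field names a real terminal, is the one to investigate by hand.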
Re: Encrypted backups
On 13/01/2004, [EMAIL PROTECTED] wrote:
> First of all, don't use the 'Z' option. GPG compresses itself and this would slow down the process a lot.

I'm pretty sure the 'Z' option is needed - coupled with the 'P' option that tells afio to 'compress' using an external program that happens to be gpg. I've also tried switching off compression on gpg (by adding -Q -z0) but that doesn't speed up the backup either.

What's annoying is, I think the main slow down isn't from the encryption, it's from having to start gpg for every file in the backup (afio compresses file by file). Encrypting a 4mb file on its own is relatively quick with gpg.

I can't backup to a file based archive, encrypt that and write the encrypted archive to tape in case of media errors. I'm assuming that even a 1 bit error in an encrypted archive will break the whole archive, or at least the rest of the archive following the error. This is what afio is good for because a media error only corrupts the file that it occurs in, not the whole archive.

[I also neglected to mention that I need to backup to tape as the tapes are taken offsite as a further security measure (in case of fire etc). This rules out backups to encrypted filesystems on a hard drive as hard drives are easily breakable (if dropped for instance)]

Thanks,
Marcus
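Added example, not part of any message in this thread: a small model of the trade-off described above, comparing one compressed-and-encrypted archive stream with per-file compression and encryption when a single bit is damaged at the same offset. It assumes zlib for compression and a toy SHA-256 keystream as an offline stand-in for `gpg --symmetric`; the record layouts, key and file contents are constructed for the demonstration and are not afio's or gpg's formats.

```python
import hashlib
import struct
import zlib

KEY = b"constructed demo key"  # constructed; stands in for the backup passphrase


def xor_keystream(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode) standing in for
    `gpg --symmetric` so the example runs offline. Not for real use."""
    stream = bytearray()
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def backup_whole(files):
    """One archive, compressed and then encrypted as a single stream."""
    archive = bytearray()
    for name, body in files.items():
        raw = name.encode()
        # record: name length, body length, CRC32 of body, name, body
        archive += struct.pack(">HII", len(raw), len(body), zlib.crc32(body)) + raw + body
    return xor_keystream(KEY, b"whole", zlib.compress(bytes(archive)))


def restore_whole(image):
    """Decrypt, inflate as far as zlib gets, then read records until one fails."""
    compressed = xor_keystream(KEY, b"whole", image)
    inflater, plain = zlib.decompressobj(), bytearray()
    try:
        for i in range(0, len(compressed), 16):
            plain += inflater.decompress(compressed[i:i + 16])
        plain += inflater.flush()
    except zlib.error:
        pass  # nothing past the damaged point can be inflated
    good, pos = {}, 0
    while pos + 10 <= len(plain):
        name_len, body_len, crc = struct.unpack_from(">HII", plain, pos)
        start = pos + 10 + name_len
        body = bytes(plain[start:start + body_len])
        if start + body_len > len(plain) or zlib.crc32(body) != crc:
            break  # record boundaries after a bad record cannot be trusted
        good[plain[pos + 10:start].decode(errors="replace")] = body
        pos = start + body_len
    return good


def backup_per_file(files):
    """Per-file, as the thread describes afio: a clear header for each file,
    and each body compressed and encrypted on its own."""
    image, blobs = bytearray(), []
    for index, (name, body) in enumerate(files.items()):
        blob = xor_keystream(KEY, struct.pack(">I", index), zlib.compress(body))
        raw = name.encode()
        image += struct.pack(">HI", len(raw), len(blob)) + raw
        blobs.append((name, len(image), len(blob)))  # name, blob offset, blob size
        image += blob
    return bytes(image), blobs


def restore_per_file(image):
    """Walk the clear headers; a blob that fails to inflate costs one file."""
    good, lost, pos, index = {}, [], 0, 0
    while pos + 6 <= len(image):
        name_len, blob_len = struct.unpack_from(">HI", image, pos)
        start = pos + 6 + name_len
        name = image[pos + 6:start].decode(errors="replace")
        blob = xor_keystream(KEY, struct.pack(">I", index), image[start:start + blob_len])
        try:
            good[name] = zlib.decompress(blob)
        except zlib.error:
            lost.append(name)  # zlib's checksum catches the damage; move on
        pos, index = start + blob_len, index + 1
    return good, lost


def flip_bit(image, offset):
    """Simulate a one-bit media error at the given byte offset."""
    damaged = bytearray(image)
    damaged[offset] ^= 0x01
    return bytes(damaged)


def demo():
    # Constructed sample data: six small config-like files.
    files = {f"etc/file{i}.conf": "".join(f"option{j} = value{i * j}\n" for j in range(60)).encode()
             for i in range(6)}
    whole = backup_whole(files)
    per_file, blobs = backup_per_file(files)
    _, start, size = blobs[0]
    offset = start + size // 2  # same tape offset for both layouts
    whole_ok = restore_whole(flip_bit(whole, offset))
    per_ok, per_lost = restore_per_file(flip_bit(per_file, offset))
    return len(files), sorted(whole_ok), sorted(per_ok), per_lost


if __name__ == "__main__":
    print(demo())
```

In the per-file layout a bit error inside a header rather than a body would still break the walk to later files, which is why real archive formats add resynchronisation markers.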
Re: Strange 'su' error messages
On Tuesday 13 January 2004 9:29 am, Christian Schuerer wrote:
> Since updating my debian server yesterday I get the following error messages every hour (generated by logcheck):
>
>     Jan 13 06:25:01 asterix su[5741]: + ??? root:nobody

I now get similar messages in my logs after a recent upgrade of AIDE.

.ib
Re: Encrypted backups
Hi Marcus,

* Marcus Williams [EMAIL PROTECTED] wrote:
> I am investigating ways of producing encrypted backups. Currently I use afio and gpg (via tob) with something like:

Did you try duplicity?

- Alexander
Re: Encrypted backups
On 13/01/2004, Alexander Neumann wrote:
> Did you try duplicity?

No - I just took a look at it though and I suspect that it's not an option because it uploads the encrypted archive offsite. Not really an option on our ADSL line (we're talking about 60+Gb of data on a full backup)

Thanks
Marcus
RE: Encrypted backups
First of all, don't use the 'Z' option. GPG compresses itself and this would slow down the process a lot.

On 13-Jan-2004 10:19:12, Marcus Williams wrote:
> Hi - I am investigating ways of producing encrypted backups. Currently I use afio and gpg (via tob) with something like:
>
>     afio -b 10240 -c 1000 -U -Z -P gpg -Q --symmetric -Q \
>         --passphrase-fd=3 -Q --no-verbose -Q --batch -Q --no-options \
>         -3 3 -o /dev/nst0 < $FILELIST 3< $PASSPHRASE
>
> where $FILELIST is the list of files, and $PASSPHRASE is a path to a file containing the passphrase for the backup set.
>
> After a few tests, this method appears to be extremely slow (on a simple 4mb archive, non encrypted method takes less than .5 secs, encrypted takes about 7 secs) compared to non-encrypted backup sets (which I was expecting).
>
> Does anyone know of ways to speed the process up? Are there any other ways of getting an encrypted backup set that might be faster?
>
> Thanks
> Marcus

--
with friendly regards
Michael Buchholz, MCI Group
tripwire .deb for Woody
Hi!

Has anybody on this list managed to backport the tripwire package to Woody? I'm running into a strange problem where configure tries to locate an include file named locale. Yes, without a suffix. I don't know much C++, but this does not seem normal to me.

Plus, when I try to backport to Sarge, configure does not contain this test. The backport to Sarge fails in a different way, BTW.

I could not find a tripwire*.deb with Google.

Please help!

Thanks,
Lupe Christoph

--
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett |
Re: Encrypted backups
Hi Marcus,

* Marcus Williams [EMAIL PROTECTED] wrote:
> On 13/01/2004, Alexander Neumann wrote:
> > Did you try duplicity?
>
> No - I just took a look at it though and I suspect that it's not an option because it uploads the encrypted archive offsite. Not really an option on our ADSL line (we're talking about 60+Gb of data on a full backup)

You are able to store the backup-files on a local disk...

- Alexander
Re: Encrypted backups
[I meant to send this to the list]

On 13/01/2004, Alexander Neumann wrote:
> You are able to store the backup-files on a local disk...

Yes, but then we lose the ability to take them offsite. Well, unless I then move them to a tape. Worth thinking about though.

Thanks
Marcus
Re: Encrypted backups
* [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> First of all, don't use the 'Z' option. GPG compresses itself and this would slow down the process a lot.

Don't you have a working email address or are you trying to DoS the owner of please.de?

    $ host -t mx please.de
    please.de MX 10 0700supergeil.de
    $ nc 0700supergeil.de smtp
    220 good morning
    helo foo
    250 hello!
    mail from: [EMAIL PROTECTED]
    250 ok
    rcpt to: [EMAIL PROTECTED]
    500 unknown user
    quit
    250 ok

That's ridiculous!

- Alexander
Re: Encrypted backups
Hi Marcus,

* Marcus Williams [EMAIL PROTECTED] wrote:
> [I meant to send this to the list]

Thanks. I was just writing a mail about honoring the Mail-Followup-To:-Header... ;)

> On 13/01/2004, Alexander Neumann wrote:
> > You are able to store the backup-files on a local disk...
>
> Yes, but then we lose the ability to take them offsite.

Hu? Why that? Using duplicity you usually end up with a lot of files (all around 5MB in size) and you are free to move them wherever you like.

- Alexander
Re: Encrypted backups
On 13/01/2004, Alexander Neumann wrote:
> * Marcus Williams [EMAIL PROTECTED] wrote:
> > [I meant to send this to the list]
>
> Thanks. I was just writing a mail about honoring the Mail-Followup-To:-Header... ;)
[snip]

Sigh.. one of my wish list items for TheBat! is proper reply actions such as this. One day I'll get my arse into gear and try to write a macro for it but until then.

> > > You are able to store the backup-files on a local disk...
> >
> > Yes, but then we lose the ability to take them offsite.
>
> Hu? Why that? Using duplicity you usually end up with a lot of files (all around 5MB in size) and you are free to move them wherever you like.
[snip]

Oh, ok. Perhaps I will give it a try. Obviously the next problem will be how stable it is (there's mention of use in non-production environment on the homepage). This is for my company's backups so it has to be rock solid.

Cheers
Marcus
Re: tripwire .deb for Woody
On Tuesday, 2004-01-13 at 13:34:18 +0100, Lupe Christoph wrote:
> Has anybody on this list managed to backport the tripwire package to Woody? I'm running into a strange problem where configure tries to locate an include file named locale. Yes, without a suffix. I don't know much C++, but this does not seem normal to me.
>
> Plus, when I try to backport to Sarge, configure does not contain this test. The backport to Sarge fails in a different way, BTW.

Ha! I found that one out. First, the include file is OK. I found it on my home machine. Second, compiling tripwire with g++ 2.95 does not work. You need g++ 3.0. libstdc++3-dev contains that include file.

    CXX=g++-3.0 CC=gcc-3.0 dpkg-buildpackage -rfakeroot -us -uc

CC=... is possibly not needed, but it's probably better to have the same version of g++ and gcc in case it is needed.

I would submit this port and a few others to backports.org, but I'm not a Debian Developer. Maybe I should aspire to become one ;-)

Lupe Christoph
Re: Encrypted backups
Hello,

Here's something I like:

- make sure your kernel supports encrypted loopback and your encryption of choice
- configure a crypto loop to your tape device

      losetup -e twofish /dev/loop0 /dev/nst0

- backup or restore as usual, using /dev/loop0 as a tape device
- unconfigure the loop

      losetup -d /dev/loop0

It's kernel-side, very simple, and should be fast enough...

Bill

> Hi - I am investigating ways of producing encrypted backups. Currently I use afio and gpg (via tob) with something like:
>
>     afio -b 10240 -c 1000 -U -Z -P gpg -Q --symmetric -Q \
>         --passphrase-fd=3 -Q --no-verbose -Q --batch -Q --no-options \
>         -3 3 -o /dev/nst0 < $FILELIST 3< $PASSPHRASE
>
> where $FILELIST is the list of files, and $PASSPHRASE is a path to a file containing the passphrase for the backup set.
>
> After a few tests, this method appears to be extremely slow (on a simple 4mb archive, non encrypted method takes less than .5 secs, encrypted takes about 7 secs) compared to non-encrypted backup sets (which I was expecting).
>
> Does anyone know of ways to speed the process up? Are there any other ways of getting an encrypted backup set that might be faster?
>
> Thanks
> Marcus

--
Billy Nadeau - [EMAIL PROTECTED]
Services internet Sanac / Sanac internet Services
Re: Encrypted backups
On 13/01/2004, Bill wrote:
> - make sure your kernel support encrypted loopback your encryption of choice
> - configure a crypto loop to your tape device
>
>       losetup -e twofish /dev/loop0 /dev/nst0

Well, you learn a new thing every day. Never thought you could do that! What happens with media errors on the tape when you read it back?

Marcus
Re: better apt security with 3rd-party sites
On Mon, Jan 12, 2004 at 07:18:07PM +, Steve Kemp wrote:
> > Note that I ignore trojaned binaries/libraries. The reason is that, without setuid, you would have to purposefully run these as root, hopefully knowing the consequences for doing so; there are warnings everywhere that you should not run untrusted code as root. Maintainer scripts, OTOH, are run with full root privileges nearly invisibly to the typical user and as a part of software installation. So simply installing software, not even running it, from a compromised source could get your machine rooted.
>
> What about an evil script modifying an existing setuid binary? For example /bin/login? To prevent against this type of attack you need aide/tripwire/etc.

Hmm, along this line, what about forcing package installations to only install binary/library files somewhere else, like /usr/local, or maybe a /usr/untrusted. Or, can dpkg be given an alternate root altogether for installation?

Something just makes me cringe when I see suggestions all over the web of Debian users, just put random wonky site into your /etc/apt/sources.list and apt-get install foo to install this software. Sure, maybe it's ok *now*, but what about 6 months later when you've forgotten all about it and you apt-get upgrade, and the site had been trojaned in the meantime? I mean, yeah, adding another apt source is super easy and lets all the dependencies be tracked automatically, but I'm not sure if the risks are laid out clearly enough to the user.

Unfortunately, this is the best method in terms of convenience; otherwise the user has to download a bunch of .debs individually, hope they are matched, and dpkg -i *.deb which is considerably less convenient.

Actually, it might be better if apt-get could use a source from the command line, instead of Dir::Etc::SourceList.

    # apt-get --source "deb http://." update
    # apt-get --source "deb http://." install foobar-client libfoo foobard

Then that suggestion could be made by non-Debian package maintainers, instead of the (IMHO dangerous) suggestion of adding something to sources.list. We could even put a little box in synaptic Install From Non-Debian Location in which to paste the source line and the packages to install. That way the packages are installed now because you trust the site now, and you don't have to worry about the site being trojaned behind your back when you upgrade later.

I think this is the method that should be suggested to new users; experienced people who know what sites they trust should also know how to add something to their sources.list for automatic upgrade tracking.

thoughts?

--
Ryan Underwood, [EMAIL PROTECTED]
Re: Encrypted backups
> Hi - I am investigating ways of producing encrypted backups. Currently I use afio and gpg (via tob) with something like:

take a look at loop-aes and aespipe.

http://loop-aes.sourceforge.net/loop-AES.README
http://loop-aes.sourceforge.net/aespipe.README

gaetano
Re: tripwire .deb for Woody
On Tue, Jan 13, 2004 at 01:34:18PM +0100, Lupe Christoph wrote:
> Has anybody on this list managed to backport the tripwire package to Woody? I'm running into a strange problem where configure tries to locate an include file named locale. Yes, without a suffix. I don't know much C++, but this does not seem normal to me.
>
> Plus, when I try to backport to Sarge, configure does not contain this test. The backport to Sarge fails in a different way, BTW.

I've got tripwire packages that I use internally at work. They're built for woody, and I'd be happy to share them with anybody who's interested. They aren't in any way based on the tripwire packages from unstable, so I don't know how they compare, but we're using them on our production servers, so they're certainly of reasonably good quality.

noah