Re: Bad press related to (missing) Debian security
> On Monday 27 June 2005 20:39, Marek Olejniczak wrote:
>> I don't understand the philosophy of Debian security team. It's really so difficult to push into sarge spamassassin 3.0.4 which is not vulnerable? This version is in Debian testing and why this version can't be pushed into stable?
>
> Seems that you don't understand the philosophy of the 'stable' release either. The basic rule for stable is: no new upstream versions allowed. This means security updates for spamassassin need to be backported to 3.0.3 (excluding any functional changes). Even if 3.0.4 contains only the security fix, it will still be backported and released as 3.0.3-1sarge1 or something like that.

For me stable distribution means secure. Is now Sarge secure? No, it isn't! Four weeks after new release of Debian, Sarge has many security holes in packages and kernel, and some of these holes are critical. In my opinion Sarge isn't a stable distribution now, it's a dangerous distribution.

---
Marek

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Bad press related to (missing) Debian security
also sprach Moritz Muehlenhoff [EMAIL PROTECTED] [2005.06.28.0156 +0200]:
> Have a look at the system we use for the testing security team (I always thought it originated in the security team): http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html
> This system is so efficient that most communication is basically made through svn log messages.

Not meaning to dispel it, but isn't this essentially a bug tracking system or ticket system done slightly differently?

What I think Debian (as a whole) needs is an improved issue tracker with the following features:

- single-bug subscription, through association with the bug (like bugzilla)
- ability to set a bug as private, meaning that only associated people can view it or even find out about its existence.

Add to that some automated way to open tickets for new CVEs and you have a team todo list.

I know that this is not really what you guys want to hear and it's probably best to adopt testing-security's approach for stable-security. However, I am considering devoting more of my time to this stuff in the future, and such a system would be needed for some of the innovative approaches I have in mind. Thus, I'd love to hear opinions.

--
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft [EMAIL PROTECTED]
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

DISCLAIMER: this entire message is privileged communication, intended for the sole use of its recipients only. If you read it even though you know you aren't supposed to, you're a poopy-head.
Re: Bad press related to (missing) Debian security
also sprach Marek Olejniczak [EMAIL PROTECTED] [2005.06.28.0854 +0200]:
> For me stable distribution means secure. Is now Sarge secure? No, it isn't!

Most installations are secure. I know security is a delicate topic, but there is no point in polemic exaggeration.

> Four weeks after new release of Debian,

Get your facts straight.

> Sarge has many security holes in packages and kernel, and some of these holes are critical. In my opinion Sarge isn't a stable distribution now, it's a dangerous distribution.

Then don't use it. We are working to fix it. The last thing we need now are people complaining and moaning.

--
martin f. krafft [EMAIL PROTECTED]
it always takes longer than you expect, even when you take into account hofstadter's law. -- douglas hofstadter
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 06:44:06PM -0400, Michael Stone wrote:
> On Tue, Jun 28, 2005 at 12:00:28AM +0200, martin f krafft wrote:
>> Do you guys see this as a de facto state with no solution, or is a good solution simply waiting to be found?
>
> The security secretaries were originally going to be part of the solution, and there was talk from some people about writing a tracking system that didn't materialize. Mostly I think it just needs recognition that it's a problem that needs a solution.

When I approached the security team last year I was told that there was indeed a tracking system, it just could not be made public because it mixed both publicly known vulnerabilities (i.e. those others have released advisories on) and non-public vulns (i.e. those discussed in vendor-sec or reported privately).

Regards

Javier
Re: Bad press related to (missing) Debian security - action
hi ya

On Tue, 28 Jun 2005, Javier Fernández-Sanguino Peña wrote:

lots of people have their own requirements for security ...

instead of adding to the security team's tasks, and instead of writing emails, why don't we spend the time to write some scripts to do what we're expecting to be done by the security team ??

- the security tasks are not that hard to implement but do require time and some forethought
- more importantly the testing prior to release of packages should be 100% automated ... so that any volunteer can run the regression test suites prior to releasing patches
- there is NOT one right security solution but there will be many possible solutions
- yes.. i'm volunteering if there are enough folks that want to solve security problems and automate security patch releases
- it's a task for debian-man .. more than what super-man or bat-man can do

c ya
alvin
Re: Bad press related to (missing) Debian security
On Tue, 28 Jun 2005, martin f krafft wrote:
> also sprach Marek Olejniczak [EMAIL PROTECTED] [2005.06.28.0854 +0200]:
>> Sarge has many security holes in packages and kernel, and some of these holes are critical. In my opinion Sarge isn't a stable distribution now, it's a dangerous distribution.
>
> Then don't use it.

I must use it. Sarge is working on ISP production servers.

> We are working to fix it. The last thing we need now are people complaining and moaning.

I'm working for many ISP providers. And now I have problems with security on these servers. What can I do? I can't patch by hand every bug on many servers! Other distros don't have such problems with security. I'm complaining because I think it was a mistake to install Debian Sarge on these servers. :-(

---
Marek
Re: Bad press related to (missing) Debian security - action
also sprach Alvin Oga [EMAIL PROTECTED] [2005.06.28.1031 +0200]:
> lots of people have their own requirements for security ...

security *is* subjective.

> instead of adding to the security team's tasks, and instead of writing emails, why don't we spend the time to write some scripts to do what we're expecting to be done by the security team ??

thanks for the proposal. why did you write it and not just get on with those scripts already?

> - yes.. i'm volunteering if there are enough folks that want to solve security problems and automate security patch releases
> - it's a task for debian-man .. more than what super-man or bat-man can do

people volunteering are useless. people actually doing something are not.

--
martin f. krafft [EMAIL PROTECTED]
a bachelor is a man who never made the same mistake once.
Re: Bad press related to (missing) Debian security
On Tue, Jun 28, 2005 at 10:36:34AM +0200, Marek Olejniczak wrote:
> On Tue, 28 Jun 2005, martin f krafft wrote:
>> We are working to fix it. The last thing we need now are people complaining and moaning.
>
> I'm working for many ISP providers. And now I have problems with security on these servers. What can I do? I can't patch by hand every bug on many servers!

So don't. Roll security-patched packages and run your own repository. Contribute your changes and experiences back to the BTS. Hell, start an alternative security updates archive.

> Other distros don't have such problems with security. I'm complaining because I think it was a mistake to install Debian Sarge on these servers. :-(

You're complaining to *us* because someone *else* made a decision you don't agree with?

- Matt
Re: Bad press related to (missing) Debian security
also sprach Marek Olejniczak [EMAIL PROTECTED] [2005.06.28.1036 +0200]:
>> Then don't use it.
>
> I must use it. Sarge is working on ISP production servers.

I am sorry. The best I can tell you is that it currently looks as if the situation will soon be under control and resolved. And soon is likely to be very soon/this week.

>> We are working to fix it. The last thing we need now are people complaining and moaning.
>
> I'm working for many ISP providers. And now I have problems with security on these servers. What can I do? I can't patch by hand every bug on many servers!

You have to.

> Other distros don't have such problems with security. I'm complaining because I think it was a mistake to install Debian Sarge on these servers. :-(

If that's what you think then it's best to reinstall these servers with something else because that'll be cheaper than the risk of having them compromised.

--
martin f. krafft [EMAIL PROTECTED]
time wounds all heels. -- groucho marx
Re: Bad press related to (missing) Debian security
also sprach Matthew Palmer [EMAIL PROTECTED] [2005.06.28.1104 +0200]:
>> Other distros don't have such problems with security. I'm complaining because I think it was a mistake to install Debian Sarge on these servers. :-(
>
> You're complaining to *us* because someone *else* made a decision you don't agree with?

No, he installed Sarge because it was cool back at the time. I do wonder what kind of ISP switches to sarge right after the release... those who need security probably stay with woody just a little longer for all the childhood problems to resolve themselves (read: sarge r1).

That said... of course woody is currently also potentially vulnerable.

--
martin f. krafft [EMAIL PROTECTED]
fashions have done more harm than revolutions. -- victor hugo
Re: Bad press related to (missing) Debian security - action
On Tuesday 28 June 2005 11:02, martin f krafft wrote:
>> instead of adding to the security team's tasks, and instead of writing emails, why don't we spend the time to write some scripts to do what we're expecting to be done by the security team ??
>
> thanks for the proposal. why did you write it and not just get on with those scripts already?
>
>> - yes.. i'm volunteering if there are enough folks that want to solve security problems and automate security patch releases
>> - it's a task for debian-man .. more than what super-man or bat-man can do
>
> people volunteering are useless. people actually doing something are not.

Hey! You were being so constructive and positive. Why are you now falling back to old fashioned Debian-like flaming?

Before you actually start something in an area like this I think it's perfectly fair to first mail the list and get reactions. Maybe you should take a break and let others get their ideas into this thread. (Not saying that your contribution so far isn't appreciated.)

Cheers,
FJP
Re: safety of encrypted filesystems
also sprach martin f krafft [EMAIL PROTECTED] [2005.06.17.0944 +0200]:
> also sprach Michael Buchholz [EMAIL PROTECTED] [2005.06.17.0857 +0200]:
>> And also, when you write any block, you have to reencrypt all the remaining blocks.
>
> Yes, don't you?

From all I can tell, this is the case for EBC and CBC, but symmetric cryptography is fast enough these days for this not to be a problem.

--
martin f. krafft [EMAIL PROTECTED]
an avocado-tone refrigerator would look good on your resume.
Re: Bad press related to (missing) Debian security
On Tue, 28 Jun 2005, Matthew Palmer wrote:
> On Tue, Jun 28, 2005 at 10:36:34AM +0200, Marek Olejniczak wrote:
>> On Tue, 28 Jun 2005, martin f krafft wrote:
>>> We are working to fix it. The last thing we need now are people complaining and moaning.
>>
>> I'm working for many ISP providers. And now I have problems with security on these servers. What can I do? I can't patch by hand every bug on many servers!
>
> You're complaining to *us* because someone *else* made a decision you don't agree with?

No, it was *my* decision! I've been using Debian for 4 years and I like this distribution. And it surprised me that my favourite distro has problems with security.

---
Marek
custom sec updates, was Bad press related to (missing) Debian security
Marek Olejniczak wrote:
> I must use it. Sarge is working on ISP production servers.

I work for a medium-sized company and moved nearly all our application hosting servers from wind0ze and SuSE to Debian. Debian is our choice for production servers.

> I'm working for many ISP providers. And now I have problems with security on these servers. What can I do? I can't patch by hand every bug on many servers!

I suggest you create your own apt server (basically it's just an HTTPD). When you administer a larger number of servers, you often face the problem that you need to deploy customized packages to many machines. So using your own apt source in addition to the stable Debian sources is the way to go IMHO. Once you have such a thing in place, rolling out your own security patches / customisations on many systems gets much easier. I have my own apache, postgresql, java and jboss packages for example. I also distributed a patched version of sudo this way.

Even if you did not use those techniques (.deb building, running an apt source) up to now, I think it's rewarding for you, especially if you run a larger number of servers. I do not have any links ready to point you to, but I'll check my (unsorted) bookmark file later ;)

Peace,
Tom
Re: Bad press related to (missing) Debian security
On Tue, 28 Jun 2005, martin f krafft wrote:
> No, he installed Sarge because it was cool back at the time.

You are right - I'm waiting with installation on new servers for the new Debian release. On my other servers Woody is running.

> That said... of course woody is currently also potentially vulnerable.

Unfortunately you are right :-( At this moment there is no secure Debian distribution.

---
Marek
Re: Bad press related to (missing) Debian security
also sprach Marek Olejniczak [EMAIL PROTECTED] [2005.06.28.1148 +0200]:
> No, it was *my* decision! I've been using Debian for 4 years and I like this distribution. And it surprised me that my favourite distro has problems with security.

It surprised everyone, even though it was not a real surprise -- if that makes sense. The security team has been a major weakness of Debian for a while. It was only a question of time until it all came down on Joey.

Anyway, if you like Debian, then you should keep using it. The current situation is unacceptable, and we are all aware of this. But the good news is that a lot of people are working on it, and after the stereotypical blow in the face, we'll have something to learn to prevent such problems in the future.

So bear with us for just a little while more, consider disabling the affected services for now, or roll your own security updates until we have caught up.

--
martin f. krafft [EMAIL PROTECTED]
one's profession is a bulwark behind which one may permissibly retreat when doubts and worries of a general kind assail one. - friedrich nietzsche
Re: custom sec updates, was Bad press related to (missing) Debian security
also sprach Thomas Seliger [EMAIL PROTECTED] [2005.06.28.1208 +0200]:
> Even if you did not use those techniques (.deb building, running an apt source) up to now, I think it's rewarding for you, especially if you run a larger number of servers. I do not have any links ready to point you to, but I'll check my (unsorted) bookmark file later ;)

man apt-ftparchive is all you basically need. Put the files into a directory which apache can access, e.g. /srv/apt -- http://server/apt, then run:

  apt-ftparchive packages . > Packages

and you're done. Make sure to set the proper permissions. Now add

  deb http://server/apt ./

to your machines and `apt-get update`.

Finally, make sure to use the proper version increments. My suggestion is the following shell function (part of dpkg-reversion/debedit, which is not yet part of Debian):

  bump_version() {
    # marker appended to the Debian revision of a locally rebuilt package
    VERSTR='+0.local.'
    case $1 in
      # already a local version: increment the trailing counter
      *${VERSTR}[0-9]*)
        REV=${1##*${VERSTR}}
        echo ${1%${VERSTR}*}${VERSTR}$((++REV));;
      # has a Debian revision: append the marker to it
      *-*) echo ${1}${VERSTR}1;;
      # native version without a revision: add a '-0' revision first
      *) echo ${1}-0${VERSTR}1;;
    esac
  }

  piper:~> bump_version 1.0-1
  1.0-1+0.local.1
  piper:~> dpkg --compare-versions 1.0-1 lt 1.0-1+0.local.1 && echo yes
  yes
  piper:~> dpkg --compare-versions 1.0-1+0.local.1 lt 1.0-2 && echo yes
  yes
  piper:~> bump_version 1.0
  1.0-0+0.local.1
  piper:~> dpkg --compare-versions 1.0 lt 1.0-0+0.local.1 && echo yes
  yes
  piper:~> dpkg --compare-versions 1.0-0+0.local.1 lt 1.0-1 && echo yes
  yes
  piper:~> dpkg --compare-versions 1.0-0+0.local.1 lt 1.1 && echo yes
  yes

Alternatively, use APT pinning.

FWIW, my book[0] includes information about how to run your own package repositories, and how to modify packages and properly integrate them with APT.

0. http://debiansystem.info

Cheers,

--
martin f. krafft [EMAIL PROTECTED]
one must still have chaos in oneself to give birth to a dancing star. -- friedrich nietzsche
Re: Bad press related to (missing) Debian security
also sprach Marek Olejniczak [EMAIL PROTECTED] [2005.06.28.1215 +0200]:
> Unfortunately you are right :-( At this moment there is no secure Debian distribution.

unstable. :)

--
martin f. krafft [EMAIL PROTECTED]
obviously i was either onto something, or on something. -- larry wall on the creation of perl
Re: Bad press related to (missing) Debian security
* Moritz Muehlenhoff:
> The whole embargo thing about stable security is overrated anyway;

Yes, that's my impression as well.

> as far as I can see it for May and June only mailutils, qpopper and ppxp were embargoed, so that they hadn't been publicly known when the DSA was published (and even for mailutils and qpopper there was a small time frame of 1-2 days between first vendor fix and the DSA).

The BSD telnet bug was embargoed as well, but it's not clear if Debian had access to this information. It's pretty strange that the disclosure of future BSD userland vulnerabilities will likely be scheduled according to Microsoft's needs.

> The majority of all issues could be handled a lot more transparently, IMO.

I agree.
How to help the security team (was Re: Bad press related to (missing) Debian security)
On Tue, Jun 28, 2005 at 11:48:23AM +0200, Marek Olejniczak wrote:
> No, it was *my* decision! I've been using Debian for 4 years and I like this distribution. And it surprised me that my favourite distro has problems with security.

Like any other *volunteer* project, there are ups and downs. Don't complain, help fix the problem instead. I'm amazed at how people are complaining about this. In other news: Microsoft doesn't publish advisories for known security vulnerabilities, it will wait even a full month (or more) to do so. And their security team is being *paid* for what they do.

I, for one, would actually appreciate if people instead of complaining in this mailing list would go through the latest public vulnerabilities that *might* affect Debian and provide a status report. You just need to pick a vulnerability and ask yourself these questions:

a) how grave is this vulnerability? is it local or remote?
b) is an upstream patch available?
c) does the vulnerability indeed affect Debian woody or sarge?
d) has it been reported in Debian's BTS? does it have a patch?
e) has a package fixing this been uploaded to sid? is a package waiting for approval from the security team?

Some information is available at http://newraff.debian.org/~joeyh/stable-security.html but that's not 100% accurate (as described in the header).

So, for starters, all you need is vulnerability info, which is available at:

- Securityfocus Database: http://www.securityfocus.com/bid
- LWN's advisories (http://lwn.net/Alerts/) and vulnerabilities (http://lwn.net/Vulnerabilities/)

The relevant Debian BTS entries should be tagged 'security' and can be found at:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=tag&data=security&archive=no&exclude=potato&exclude=experimental&exclude=fixed&exclude=wontfix

But, of course, the BTS entries for the relevant bugs should be reviewed too (people sometimes do not tag security bugs appropriately).

Also, past advisories with CVE references for Debian should be reviewed. They are found at: http://www.debian.org/security/crossreferences (Note: Bugtraq references in that page are not necessarily up-to-date as I review these from time to time)

Here's a sample:

- Vulnerability: latest dbus vulnerability
- Severity: High
- Type: local
- References: CAN-2005-0201, also BID-12345: http://www.securityfocus.com/bid/12435 [ not in Debian's CVE reference map ]
- Other references: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146766 (includes test and patch)
- Affected version: 0.22 (based on other vendors' alerts)
- Debian versions: 0.23.4-1 in sarge, 0.23.4-3 in sid, not present in woody (http://packages.qa.debian.org/d/dbus.html)
[ review of the source package to see if the bug is applied there ]
[ ]
[ the code is fixed and upstream Changelog says that it was fixed in 2005-01-31 and included in the 2.3.1 ]
Status: Debian is _not_ affected
Actions that need to be taken: none

Another example:

- Vulnerability: cacti - SQL injection and XSS
- Severity: High
- Type: remote
- References: CAN-2005-{1524,1525,1526}
- Other references:
  Gentoo advisory: http://www.gentoo.org/security/en/glsa/glsa-200506-20.xml
  Gentoo Bug: http://bugs.gentoo.org/show_bug.cgi?id=96243
  Patch: http://www.cacti.net/downloads/patches/0.8.6d/cacti_0_8_6e_security.patch
- Affected version: prior to 0.8.6e http://www.cacti.net/release_notes_0_8_6e.php
- Debian versions: 0.6.7-2.2 in oldstable, 0.8.6c-7 in stable, 0.8.6e-1 in testing/sid
- Bug reported: #315703 (not tagged 'security')
[ Review oldstable code ]
[ Code is not affected by these vulnerabilities, the vulnerable code is not present ]
Status: Debian _is_ affected, a fix is pending approval from the security team upload
Actions that need to be taken: a) tag 'security' the BTS entries

Now that you all know how to improve the situation and help why don't you start doing it? Start with all the vulnerabilities in Joey's stable security pages.

Follow up with all the vulnerabilities which are not listed there but are related to software present in Debian for which other vendors have published advisories already. And then send the reports to the security team CC'ing this list.

I'm anxious to see how many who have voiced their concerns will end up publishing here a status report.

Regards

Javier

PS: I'm not adding Secunia to the vulnerability info since it's obviously not current / correct, see http://secunia.com/product/143/ for example.
Re: How to help the security team (was Re: Bad press related to (missing) Debian security)
I picked one of the bugs (see bottom of email). Is this sort of information useful to the security team and if so, how?

Vulnerability: sudo race condition.
Severity: High
Type: local
References: CAN-2005-1993
  BID:13993 URL:http://www.securityfocus.com/bid/13993
  http://www.sudo.ws/sudo/alerts/path_race.html
Affected version: 1.3.1 up to and including 1.6.8p8.
Debian versions:
  woody: sudo_1.6.6-1.3
  sarge: sudo_1.6.8p7-1.1
  testing: sudo_1.6.8p7-1.1
  unstable: sudo_1.6.8p7-1.1
No mention of the bug in the changelog: http://smallr.com/so
Status: Debian is affected
Actions that need to be taken:
  Package Maintainer Action: Create new sudo package version 1.6.8p9 or greater. Request a patch from the maintainers. http://www.sudo.ws/sudo/authors.html
  User Action: Upgrade: The bug is fixed in sudo 1.6.8p9. There is no package available so a local build or install will be required.
  Current Workaround: The administrator can order the sudoers file such that all entries granting Sudo ALL privileges precede all other entries.

Harry

Join team plico. http://www.hjackson.org/cgi-bin/folding/index.pl
Re: Bad press related to (missing) Debian security - action
On Tue, 28 Jun 2005, Alvin Oga wrote:
> On Tue, 28 Jun 2005, martin f krafft wrote:
>> thanks for the proposal. why did you write it and not just get on with those scripts already?

<idea>
if somebody at debian.org can create yaml, say [EMAIL PROTECTED], then the rest of us moaners, complainers and wanna-volunteers can get started ... debian's gods can watch and see if they like or dislike what we're doing and incorporate it into the main hierarchy or not

the machine can be called sec-test.debian.org so that we have a way to test another security update/process/procedures out
</idea>

personally, i pull down all the important tar balls from the originating author's site and compile it ... if the distro's version of any app is too far behind

flame suit on

c ya
alvin
Re: Bad press related to (missing) Debian security - action
also sprach Alvin Oga [EMAIL PROTECTED] [2005.06.28.1420 +0200]:
> if somebody at debian.org can create yaml, say [EMAIL PROTECTED], then the rest of us moaners, complainers and wanna-volunteers can get started ...

Just use this list.

> the machine can be called sec-test.debian.org so that we have a way to test another security update/process/procedures out

Mh, I am not sure this is viable as you guys would probably need root on the machine, which is a credibility problem when someone else hosts it...

--
martin f. krafft [EMAIL PROTECTED]
we americans, we're a simple people... but piss us off, and we'll bomb your cities. -- robin williams, good morning vietnam
Re: Bad press related to (missing) Debian security - action
On Tue, 28 Jun 2005, martin f krafft wrote:
> Just use this list.

i think the point of this list is it's not moving fast enough for some folks wanting security updates

>> the machine can be called sec-test.debian.org so that we have a way to test another security update/process/procedures out
>
> Mh, I am not sure this is viable as you guys would probably need root on the machine, which is a credibility problem when someone else hosts it...

hosting a server is trivially simple... esp for a test server

point test-sec.debian.org to any ip# sitting on a t1 or t3 or OC-xxx and everybody can start working on it

- all other debian boxes do NOT trust it and nobody else should trust it either... it is for testing and development

c ya
alvin
Re: Bad press related to (missing) Debian security - action
also sprach Alvin Oga [EMAIL PROTECTED] [2005.06.28.1451 +0200]:
> - all other debian boxes do NOT trust it and nobody else should trust it either... it is for testing and development

I know. But what happens when someone decides to abuse it? I could host a machine, no problem. But giving root access to others is the problem.

--
martin f. krafft [EMAIL PROTECTED]
why didn't noah swat those two mosquitoes?
Re: Bad press related to (missing) Debian security - action
On Tue, Jun 28, 2005 at 05:20:51AM -0700, Alvin Oga wrote:
> personally, i pull down all the important tar balls from the originating author's site and compile it ... if the distro's version of any app is too far behind

the main point about stable security is that exactly this does not happen: i want security fixes for the versions that i have installed, not newer versions. and that's also where things get complicated...

cu  robert

--
Robert Lemmen http://www.semistable.com
handling private keys
Hello

I'm working on a small project, and I have a problem related to keeping gpg private keys stored on usb drives secure when working with them. My problem is that in case the machine is compromised, if the usb with the key is mounted the attacker has access to it.

Has anyone heard of an implementation, or at least a whitepaper, related to creating some kind of secure zone where I can keep these keys?

Thanks,
Radu
Re: handling private keys
On 6/28/05, Radu Spineanu [EMAIL PROTECTED] wrote:

> Has anyone heard of an implementation, or at least a whitepaper, related to creating some kind of secure zone where I can keep these keys?

If you're using strong enough passwords, your keys would still be pretty safe. An attacker could try cracking them offline, but that could take a very long time.

As to your question, once someone roots your box all bets are off. If you're really paranoid about these keys, keep them on a dedicated machine that's extremely locked down. Or even a machine with no network at all, and move data back and forth on a usb drive.

-Ed
Re: handling private keys
Edward Faulkner wrote:

> As to your question, once someone roots your box all bets are off. If you're really paranoid about these keys, keep them on a dedicated machine that's extremely locked down. Or even a machine with no network at all, and move data back and forth on a usb drive.

I was thinking about doing local authentication using gpg keys stored on the usb memory. I remember something about an OS that handled all authentication using one daemon, I can't remember what it was called.

Radu
Re: Bad press related to (missing) Debian security
martin f krafft wrote:

> Not meaning to disspell it, but isn't this essentially a bug tracking system or ticket system done slightly differently?

No, if it were a bug tracking system we could use the Debian BTS and not bother with it. It's a vulnerability/non-vulnerability tracking system; we use it to not only track holes that affect testing, but just as importantly, holes that do not. It allows us to know that every security issue has been checked out by someone with no gaps (our historical checks of all security holes since woody found holes that were missed from being tracked in the BTS). Of course it works with the BTS, and once the BTS gets version tracking certain bits of it will become more automated.

-- 
see shy jo
sudo fix
Hello,

I've done a fix for sudo of sarge. Code from new upstream version. Who is willing to check and update?

Version: 1.6.8p7-1.2
Distribution: unstable
Urgency: high
Maintainer: Markus Kolb [EMAIL PROTECTED]
Changed-By: Markus Kolb [EMAIL PROTECTED]
Description:
 sudo - Provide limited super user privileges to specific users
Closes: 315115
Changes:
 sudo (1.6.8p7-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * security fix race condition command pathname. Closes: #315115

Bye
Markus
Re: handling private keys
* Radu Spineanu [EMAIL PROTECTED]:

> I'm working on a small project, and I have a problem related to keeping gpg private keys stored on usb drives secure when working with them. My problem is that in case the machine is compromised, if the usb with the key is mounted the attacker has access to it.
>
> Has anyone heard of an implementation, or at least a whitepaper, related to creating some kind of secure zone where I can keep these keys?

You might be interested in the recent support of the TPM security chips by the kernel (from 2.6.12 I think). If you have such hardware, all the crypto related stuff could be done on the chip without any software access (even from root) until someone gets the admin password of the chip.

Best,
Sylvain.

-- 
Sylvain Soliman [EMAIL PROTECTED]
GnuPG Public Key: 0x0F53AF99
Deputy Secretary, French Go Federation http://ffg.jeudego.org/
Co-maintainer of PilotGOne http://minas.ithil.org/pilotgone/
Personal page http://contraintes.inria.fr/~soliman/
Security team support
Hi,

why doesn't the security team ask for help if they don't have enough time for package fixing and have problems with it? I can help. I need only a security team member for contact and maybe a debian member to sign my gnupg key.

Bye
Markus
Re: handling private keys
Radu Spineanu wrote:

> Hello
>
> I'm working on a small project, and I have a problem related to keeping gpg private keys stored on usb drives secure when working with them. My problem is that in case the machine is compromised, if the usb with the key is mounted the attacker has access to it.
>
> Has anyone heard of an implementation, or at least a whitepaper, related to creating some kind of secure zone where I can keep these keys?

It's a logical problem: if someone has compromised your machine there would be no possibility to make a difference between a legitimate user and an intruder. So he would possibly be able to read your private key!

The only absolute solution would be a kind of intelligent usb drive which accepts a file to decrypt or sign and offers the result. So somebody could use the key as long as you leave your usb drive in your machine, but not any longer! Unfortunately science fiction at the moment. ;)

Christian
Re: handling private keys
On Tue, Jun 28, 2005 at 05:38:16PM +0200, Christian Storch wrote:

> The only absolute solution would be a kind of intelligent usb drive which accepts a file to decrypt or sign and offers the result. So somebody could use the key as long as you leave your usb drive in your machine, but not any longer! Unfortunately science fiction at the moment. ;)

Such a device actually does exist: have a look at http://www.g10code.de/p-card.html

It's not a usb device but a smart card, but as there are usb smart card readers, this is exactly what you describe.

Jan
Securing Private Keys
I think what you are looking for is a USB Smartcard. I had a problem like this when using encryption on ATM (banking) devices. The keys were vulnerable to someone coming after them on the filesystem.

I found the solution in USB format smartcards. The private key is loaded into the secure memory space, or generated there. Messages are then passed into the device to decrypt the symmetric key. The private key is never exposed and it is very difficult to use voltage differential to get the key off the smartcard.

The down side is that the operations are slow. Something on the order of 1 second per transaction. If you are doing a lot of processes, that can quickly become a bottleneck. My application only needed a single decrypt per hour so overhead wasn't an issue.

GL
Steven

These might be useful
http://www.opensc.org/news.php
http://www.musclecard.com/sourcedrivers.html

Christian Storch wrote:

> The only absolute solution would be a kind of intelligent usb drive which accepts a file to decrypt or sign and offers the result. So somebody could use the key as long as you leave your usb drive in your machine, but not any longer! Unfortunately science fiction at the moment. ;)
Re: handling private keys
On Tue, 2005-06-28 at 17:38 +0200, Christian Storch wrote:

> It's a logical problem: if someone has compromised your machine there would be no possibility to make a difference between a legitimate user and an intruder. So he would possibly be able to read your private key!
>
> The only absolute solution would be a kind of intelligent usb drive which accepts a file to decrypt or sign and offers the result. So somebody could use the key as long as you leave your usb drive in your machine, but not any longer! Unfortunately science fiction at the moment. ;)

Not really: you just need to use a gpg-compatible smart card and buy a smart card reader. In this case your secret keys are always on the smartcard and any signing or whatever can only be done with the card.

I just bought a gemplus GemPC PCMCIA smartcard reader, and am still waiting for OpenPGP cards for basic use. In addition the Finnish HST identity cards just got new models with 64k storage, will get that as well... (http://www.sahkoinenhenkilokortti.fi/default.asp?todo=setlanglang=uk)

The reader will sit in one of my laptop's pcmcia slots permanently, that's why I got such a model and not a USB reader: just insert the card when you need it... btw the reader was easy to install with sarge and ubuntu.

In addition to pgp-key storage, smart cards can support for example login with the card (libpam-opensc and libpam-musclecard, depending on what you really want).

So, for each user, you will spend about 10-40 dollars/euros for the smartcards and in addition all systems must have a smart card reader.

*hile*
Re: Security team support
On Tue, Jun 28, 2005 at 05:45:41PM +0200, Markus Kolb wrote:

> Hi,
>
> why doesn't the security team ask for help if they don't have enough time for package fixing and have problems with it? I can help. I need only a security team member for contact and maybe a debian member to sign my gnupg key.

And then the whole community should trust you? No, that's not the way it should work. OpenSource is still about having reputation and other people who trust you.

Sven

-- 
Television is the greatest cultural catastrophe that the Earth has experienced in the time we can remember. [ Joseph Weizenbaum ]
Re: handling private keys
Quoting Radu Spineanu ([EMAIL PROTECTED]):

> Has anyone heard of an implementation, or at least a whitepaper, related to creating some kind of secure zone where I can keep these keys?

Mine is called a PalmPilot with Keyring (3DES password store) installed, where I'm careful about what I install on it. It strikes me that threat models are more easily isolated and dealt with on a PDA than on a networked computer, especially a multiuser one.
Re: Security team support
Sven Hoexter wrote on Tue, Jun 28, 2005 at 20:05:47 +0200:

> On Tue, Jun 28, 2005 at 05:45:41PM +0200, Markus Kolb wrote:
>
> > Hi,
> >
> > why doesn't the security team ask for help if they don't have enough time for package fixing and have problems with it? I can help. I need only a security team member for contact and maybe a debian member to sign my gnupg key.
>
> And then the whole community should trust you? No, that's not the way it should work. OpenSource is still about having reputation and other people who trust you.

Does this make any sense? What do you want to say? What have you read in my post to conclude something strange like that? Is it the heat?

Why should the whole community trust me? Trust in what? You know that Debian consists of many thousand packages developed by thousands of untrusted developers, and then you have problems when one of those developers sends patches to the Debian security team for check and upload.

A fact is that there are many fixes available which are not introduced in Debian. I now do the fixing myself and it is an offer to send my patches to speed it up. That's all.
Re: handling private keys
On 6/28/05, Rick Moen [EMAIL PROTECTED] wrote:

> Mine is called a PalmPilot with Keyring (3DES password store) installed, where I'm careful about what I install on it. It strikes me that threat models are more easily isolated and dealt with on a PDA than on a networked computer, especially a multiuser one.

I do the same thing with my passwords, but that doesn't quite answer the question. Radu wants a place to keep GPG keys safe - not just their passwords.

It would be pretty cool to use a PDA as a trusted device - it would download a document from the PC, ask you to verify it, then sign it and send it back. It's even better than a smart card, because you can use the PDA's display to verify that you're signing what you think you're signing. I don't know of any program to do this, but it's certainly possible.

-Ed
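The trusted-device flow Ed sketches above, modelled in Go as an added example (not code from this thread or from any project named in it) using ed25519 from the standard library: the host ships a document, the device shows it on its own display and signs only on approval, so a host that swaps the document on the way gets no signature and never sees the private key. The TrustedSigner, Host and ApproveIfExact names and the sample document are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrDeclined = errors.New("signing declined at the trusted device")

// TrustedSigner stands in for the PDA or smart card from the thread: the
// private key is unexported and never leaves this value.
type TrustedSigner struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewTrustedSigner generates the key pair on the device itself, so no copy
// of the private key ever exists on the host.
func NewTrustedSigner() (*TrustedSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TrustedSigner{priv: priv, pub: pub}, nil
}

// PublicKey is the only key material the host ever sees.
func (s *TrustedSigner) PublicKey() ed25519.PublicKey { return s.pub }

// Sign shows the document on the device's own display and signs only if the
// person at the device approves; that check runs here, not on the host.
func (s *TrustedSigner) Sign(doc []byte, approve func(shown string) bool) ([]byte, error) {
	if !approve(string(doc)) {
		return nil, ErrDeclined
	}
	return ed25519.Sign(s.priv, doc), nil
}

// Host is the networked PC. Tamper, when set, models malware that swaps the
// document on its way to the device; nil is an honest host.
type Host struct {
	Tamper func(doc []byte) []byte
}

// RequestSignature ships the document to the device and returns what was
// actually sent together with the signature, or the device's refusal.
func (h Host) RequestSignature(dev *TrustedSigner, doc []byte, approve func(string) bool) (sent, sig []byte, err error) {
	sent = doc
	if h.Tamper != nil {
		sent = h.Tamper(doc)
	}
	sig, err = dev.Sign(sent, approve)
	return sent, sig, err
}

// ApproveIfExact models a careful user who signs only when the device
// displays exactly the text they meant to sign.
func ApproveIfExact(intended string) func(string) bool {
	return func(shown string) bool { return shown == intended }
}

func main() {
	dev, err := NewTrustedSigner()
	if err != nil {
		panic(err)
	}
	msg := "Transfer 10 EUR to account A (constructed sample document)"
	user := ApproveIfExact(msg)
	// Honest host: the device shows the intended text and the user approves.
	_, sig, err := Host{}.RequestSignature(dev, []byte(msg), user)
	fmt.Println("honest host: verified =", err == nil && ed25519.Verify(dev.PublicKey(), []byte(msg), sig))
	// Compromised host: the swapped text appears on the display, the user refuses.
	evil := Host{Tamper: func([]byte) []byte { return []byte("Transfer 10000 EUR to account B") }}
	_, sig, err = evil.RequestSignature(dev, []byte(msg), user)
	fmt.Println("tampering host: declined =", errors.Is(err, ErrDeclined), "signature =", sig)
}
```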
Re: handling private keys
Quoting Edward Faulkner ([EMAIL PROTECTED]):

> I do the same thing with my passwords, but that doesn't quite answer the question. Radu wants a place to keep GPG keys safe - not just their passwords.

Yes, good point. I don't have a good answer to Radu's situation other than don't use the passphrase other than on your own system at times when you have reasonable confidence of not being root-compromised -- and keep the revocation certificate around on offline media in case you're wrong.

> It would be pretty cool to use a PDA as a trusted device - it would download a document from the PC, ask you to verify it, then sign it and send it back.

I've pondered this possibility for a few years, ever since I lived at a building with a (Linux-based) Internet cafe. Such a crypto appliance would definitely be on my shopping list.
Re: Bad press related to (missing) Debian security
martin f krafft wrote:

> It surprised everyone, even though it was not a real surprise -- if that makes sense. The security team has been a major weakness of Debian for a while. It was only a question of time until it all came down on Joey.
>
> Anyway, if you like Debian, then you should keep using it. The current situation is unacceptable, and we are all aware of this. But the good news is that a lot of people are working on it, and after the stereotypical blow in the face, we'll have something to learn to prevent such problems in the future. So bear with us for just a little while more, consider disabling the affected services for now, or roll your own security updates until we have caught up.

I think this is a much better reply than telling people to

* use other distributions (Suse, RHEL, Fedora, Ubuntu, whatever),
* use sid, or
* roll your own security

I've been using Debian since Slink and I think this is one of the very few times Debian was caught with its security pants down. I don't think I am affected yet, with the exception of spamassassin, so let's hope Debian can catch up before the next remote hole in squid, apache2 or racoon.

- Adam
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 08:39:43PM +0200, Marek Olejniczak wrote:

> On Mon, 27 Jun 2005, Matt Zimmerman wrote:
>
> > The security team has always been a difficult one to expand. A strong level of trust is necessary due to confidentiality issues, and security support is a lot of (mostly boring and thankless) work. However, expanding it seems like the only way to make it sustainable.
>
> I don't understand the philosophy of Debian security team. It's really so difficult to push into sarge spamassassin 3.0.4 which is not vulnerable? This version is in Debian testing and why this version can't be push into stable?

This article does a fairly good job of explaining:

http://www.redhat.com/advice/speaks_backport.html

-- 
 - mdz
Re: handling private keys
Edward Faulkner wrote:

> It would be pretty cool to use a PDA as a trusted device - it would download a document from the PC, ask you to verify it, then sign it and send it back. It's even better than a smart card, because you can use the PDA's display to verify that you're signing what you think you're signing.

This is absolutely the kind of thing I wanted. However, could signing be done using symbian phones for example? In case anyone has some experience, is it hard to write such a symbian application?

Radu
Re: handling private keys
Radu Spineanu wrote:

> In case anyone has some experience, is it hard to write such a symbian application?

Being more specific, porting gpg to symbian. I noticed an implementation of pgp: http://my-symbian.com/9210/applications/applications.php?faq=5fldAuto=336

Radu
Re: handling private keys
Radu Spineanu wrote on 28/06/2005 21:41:

> Radu Spineanu wrote:
>
> > In case anyone has some experience, is it hard to write such a symbian application?
>
> Being more specific, porting gpg to symbian. I noticed an implementation of pgp: http://my-symbian.com/9210/applications/applications.php?faq=5fldAuto=336

Back when SymbianOS was still named EPOC, you had two options to program for it: OPL (a basic-like language) and C (or was it C++) with an API which allowed almost anything the device could handle (graphics, network, file operations, serial I/O); most of what I did was possible using the standard methods you would also use on Linux. I'm not 100% sure what prerequisites gpg needs, but I would say that porting should not be too difficult, at least for someone who is relatively used to programming for SymbianOS/EPOC.

Anyway, for the kind of use you would like to put your smartphone to, you also need some interface for the host application to contact the smartphone by and to transmit the data in both directions, some UI on the smartphone to present the data to you (which would need to be smart enough to handle at least some of the more common data types) etc.

I would definitely like to see such a thing happen, but it probably would take a skilled programmer several weeks to come up with a half-way usable prototype and probably several months to get close to a releasable state (given only one programmer working in his spare time, that is).

cu, sven
Re: Security team support
On Tue, Jun 28, 2005 at 09:16:04PM +0200, Markus Kolb wrote:

> Sven Hoexter wrote on Tue, Jun 28, 2005 at 20:05:47 +0200:
>
> > On Tue, Jun 28, 2005 at 05:45:41PM +0200, Markus Kolb wrote:
> >
> > > Hi,
> > >
> > > why doesn't the security team ask for help if they don't have enough time for package fixing and have problems with it? I can help. I need only a security team member for contact and maybe a debian member to sign my gnupg key.
> >
> > And then the whole community should trust you? No, that's not the way it should work. OpenSource is still about having reputation and other people who trust you.
>
> Does this make any sense? What do you want to say? What have you read in my post to conclude something strange like that? Is it the heat?

Right. You made a generous offer. And the whole world doesn't have to trust you just because you have a liaison with the debian security team. That sounds like a great idea, in fact the debian security 'team' should implement a mentor program to facilitate. I don't think Markus understood that you were looking for a direct way to communicate, not commit. (not sure why you need your pgp signed though, web of trust is based on established relationships, your signed patches should be sufficient at this stage...:)

// George

-- 
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:[EMAIL PROTECTED]
Re: Bad press related to (missing) Debian security - action
Alvin Oga wrote on Tuesday, 28 June 2005:

[snip]

> etch/testing where are the security patches ??
> - i want it to also have latest apps i care about ( latest kernels, latest apache, latest xxx, .. )
> - this is the part i'm interested in structuring for security updates as some/most security patches are fixed in later releases from the originating authors/sites and they already maintain and keep their eyes on all the announced vulnerabilities and exploits

If you are interested in testing security, then there is a group working on this project. Here is some information about the history of the team, and if you read through the message there is information about how to help:

http://lists.debian.org/debian-devel-announce/2005/03/msg00014.html

micah
Re: Bad press related to (missing) Debian security - action
On Tue, 28 Jun 2005, Micah Anderson wrote:

> Alvin Oga wrote on Tuesday, 28 June 2005:
>
> If you are interested in testing security, then there is a group working on this project. Here is some information about the history of the team, and if you read through the message there is information about how to help:
>
> http://lists.debian.org/debian-devel-announce/2005/03/msg00014.html

saw that before ... and no response ... so i let it die, the assumption being that people looking for helpers will reply to those volunteering, but i guess one has to pass the screeners' requirements before getting onto the next level

c ya
alvin