RE: Debian Security Updates
Then how are the packages so stored elsewhere differentiated? Or are the packages under the debian-non-US directory distributed under the other headings when grabbing from this particular server?

Previously Aurelio Turco wrote: Furthermore: http://security.debian.org/debian-non-US does not appear to exist.

security.debian.org is hosted in a non-US location and doesn't have a separate non-US archive.

Wichert.
RE: Support for Potato
On Thu, 25 Jul 2002 at 01:08:29AM +0200, martin f krafft wrote: least as usable and stable, and until potato-woody is guaranteed to progress without any problems...

Problems? What problems? G Just A LOT of tweaks I can't upgrade, it would require restarting and that would blow my record on necraft.com
RE: Didn't we have that whole spam discussion last week?
I humbly beseech the Debian list maintainers to make this list subscriber only may post. Thank you.

Curt-

-Original Message-
From: Phillip Hofmeister [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 19, 2002 2:03 AM
To: debian-security@lists.debian.org
Subject: Re: Didn't we have that whole spam discussion last week?

On Thu, 18 Jul 2002 at 12:39:20PM +0200, [EMAIL PROTECTED] wrote: I think it's about time for a [EMAIL PROTECTED] At the moment the topic is discussed on several lists at the same time. :) Joost.

Perhaps a [EMAIL PROTECTED] This group should probably include someone from listmaster. If the current listmasters do not want to take this on then I could volunteer...ideas?

-- Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/ | gpg --import
RE: You've Been Removed!
Whoever did this, thank you.

Curt-

-Original Message-
From: Italyminutes [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18, 2002 06:02
To: debian-security@lists.debian.org
Subject: You've Been Removed!

This message is to confirm the removal of your email address: debian-security@lists.debian.org from the Italyminutes Subscribe Me mailing list. We're sorry to see you go! If you feel you have received this notice in error, please visit the Italyminutes Subscribe Me mailing list at our website: http://www.bluebanner.net to add yourself automatically, or click on the link below to automatically re-subscribe yourself: http://www.bluebanner.net/cgi-lib/admail/s.cgi?a=1l=9e=debia n-security=:lists.debian.org

Thank you, Italyminutes
RE: Good Day
What bothers me in all of this is that Debian lists are managed so poorly to let this happen.

The Debian lists are deliberately not subscriber only may post on the theory that it's better to press DEL than to prevent someone from posting. However, subscriber only is a simple config option in Majordomo, and something I politely suggested several months (years?) ago. That is when I was told of the above policy. Mayhaps some more politely worded requests to the listmaster are in order.

Curt-
RE: Good Day
If I remember correctly, doesn't that require sendmail? As for bounce, while Kmail has that feature it does require a real reply-to address. For the vast majority of spam, the reply-to is deliberately obfuscated.

apt-get install spamassassin
It trapped that one for me as well as 99% of the spam I receive.
Bob

Curt-
RE: Good Day
Unlike most spam, this one has actually resulted in some arrests. Well, not this one specifically, it's been going on for a while with multiple different people/groups attempting the Spanish Prisoner con game. Thanks for the email address for the Fed.Gov investigation.

Curt-

If anyone wonders what that mail was, read here: http://www.snopes.com/inboxer/scams/nigeria.htm And forward it to [EMAIL PROTECTED], with full headers intact, of course. The U.S. government, it seems, cares to hear about this, since it seems that quite a few people actually fall for it.

noah
RE: Ssh not upgraded when doing apt-get upgrade?
I noticed the same thing when doing the 3.3 thing two days ago that I commented on on this list. The security server is in my apt.sources list, but when I executed apt-get upgrade, it said 0 new, 0 to be removed, 1 package(s) not updated. Dselect showed the ssh package as ready to be updated, and when I selected install and update from the dselect menu it did the work without argument. Maybe, since it was a major upgrade at the time (not just 3.3 to 3.4 for example), was there a cue in the package file not to perform the upgrade unless it was being done in an interactive mode? Certainly it did take substantial interaction to get it right, and that is one reason I do not put apt-get update in any kind of script.

Curt-

-Original Message-
From: Tom Dominico [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 28, 2002 08:29
To: debian-security@lists.debian.org
Subject: RE: Ssh not upgraded when doing apt-get upgrade?

Thanks for all the rapid replies folks, apparently I was mixed up there. Adding the security line for testing did the trick.

Tom
RE: Ssh not upgraded when doing apt-get upgrade?
Not security updates as such, but since the software has been changed, doesn't testing have its package replaced with the new version? I can't imagine that a known hole would be deliberately left in a package when an update has already been compiled.

This is testing, not Hamm. Testing doesn't get security updates, so when the next testing comes along, its directory on security.debian.org, if it exists at all, will be empty. The only reason woody is getting security updates now is that it's so close to release this provides a good opportunity to give the new build infrastructure a shake-down.

noah
RE: Problem with ssh
First question: Has it worked before now? Second question: What did you change between then and now?

Curt-

Dear All, I have a problem with my ssh, when I try to connect to our server using ssh I have an error like this:

ssh -l [EMAIL PROTECTED] 2f65 7463 2f73 7368 Disconnecting: Bad packet length 795178083.

What's wrong with my server or my ssh client? And how to solve them? Thanks

Ryansimon Aku
RE: PermitRootLogin enabled by default
Alvin, If the cracker can get in as a user, it's merely a matter of time before they can worm their way into becoming root. Defenses against this are difficult, the NSA version SELinux deliberately places great restrictions on user abilities to try to prevent just such things. But I don't think there is any certain way to prevent a user from gaining root access if they are capable and determined.

Layered defenses are best, of course. Network firewall (or packet filtering), restricted service offering (no fingerd, no telnetd, etc), then strong authentication for login, then restricted access to root. Like you, I do not prefer to allow direct root logins so that an attacker must overcome each barrier in turn. One of my favorite features of Debian is being able to go through the packages at install time and un-select such things as fingerd and telnetd, so that the services never exist on the server.

Curt-

From: Alvin Oga [mailto:[EMAIL PROTECTED]]

hi all if an attacker got in ... as a user game over... they got in ??? - question is what damage can they do as user ... if an attacker get in the same way as root... game is really over... as they now have complete control of your machine.. - i prefer to disallow root logins... ( assumption in the above is that they can get in thru an existing ( vulnerability .. either as root or a user .. -- patch the original vulnerability fix it first ... worry about the follow-me around folks later ... ( like those in the van outside your home/office listening ( to the wireless connections... c ya alvin
RE: DSA 131: Apache Vulnerability
I like both. The server gets stable, but a firewall or at least firewall rules on the public interface. Preferably dual interface, one inside on private IP, one public, and no packet forwarding. And I couldn't agree more about the remarkable efforts of the Debian team members.

Curt-

On Thu, Jun 20, 2002 at 07:49:08PM -0400, Arthur H. Johnson II wrote: I have two relative policies: 1. Always use a firewall to filter out everything but what is absolutely necessary, ie web, email, etc. 2. Always build stuff filtered to the internet from source that way when a vulnerability is released, you can update it rather quickly, no matter what the distro you are running is.

Or...you could just run stable. I have always been impressed by Wichert, Michael, and company's response time and I applaud them.

Phil
RE: Quality of security assurance with Debian vs. RedHat vs. SuSE
Debian was the first Linux I installed, from floppies, in 1986.

Do you mean 1996?

Ah, yep. Brain fart. Thanks for noticing.

I personally use Linux since 1994, version 0.99pl14, was SLS distribution.

Neat. In 1995, a network engineer and systems admin associate of mine said, I have found an operating system with the best support of anything I've used, and it's free. Linux. And this from a guy whose personal web page is still running on Solaris.

BTW, when was the first Debian GNU/Linux launched? Just for information. :)

Dunno... Maybe there's a who is us text on the Debian site.

Curt-
RE: Quality of security assurance with Debian vs. RedHat vs. SuSE
On Tue 11 Jun 2002 19:54, Noah L. Meyerhans wrote: There is a lot of collaboration between the respective security teams for the major Linux distributions. As a result of this, they all tend to release necessary security updates at the same time. Known security updates are rarely, if ever, left unfixed by a distribution vendor. Knowledge of a security vulnerability is never kept from another distribution vendor. As a result of all this, the relative security of the different distributions is very similar.

From: Jeff Bonner [mailto:[EMAIL PROTECTED]]

Well put. From my understanding of how things work, I assumed as much, but I wasn't confident enough to write that all out. ;)

They (we?) all use many of the same primary sources. The Kernel, Bind, Apache, OpenSSH, Xfree, gcc, zlib, etc. When a fix to a primary source is made by the people who write that source, the distribution's major work is testing, then to package it and make it available to the user base.

On second thought, RedHat does do some special customization of gcc, or so I've heard...

This is very granular. There is no reason for a distributor not to include a fix, and the wide variety of testing from multiple different distributors gives great feedback to the primary sources. I wouldn't be surprised to learn that there are lots of oops style bugs discovered, fed back and fixed, long before the public sees an updated package in any of the distributions. This is the Bazaar. RedHat packagers have a different set of preconceptions and assumptions from Debian packagers, and from Slackware packagers, et al. There is also no embarrassment. There may be a self-preservation reflex in a closed-source producer to deny a fault and slow a fix, because it's their own fault. Linux distributors are lauded when they release a fix quickly.

The one advantage that I think Debian has is that apt-get makes it so easy to keep up to date on packages. I couldn't have said it better myself.

Apt is the number one reason I went with Debian: ease of updates.

My number one reason was the collaborative nature of the Debian effort. Debian was the first Linux I installed, from floppies, in 1986. When I later discovered how broken package management in other distributions is compared to Debian, it was like sneaking a peek out through the gate of the Garden of Eden. There may be some installation snakes, but the desert outside is far harder to survive in.

Curt-
RE: beach towel
Hoopy Froods always know where their towel is. Could be handy I spose if a server caught on fire, could throw a couple of towels on top to smother the fire :)

Nathan

On Wednesday, May 15, 2002, at 06:01 PM, Peter Obermeier wrote: Hi all, it is a very curious form of security, isn't it?

linda wrote: Dear Sirs: We know your esteemed company in beach towels from Internet, and pleased to introduce us as a leading producer of high quality 100% cotton velour printed towels in China, we sincerely hope to establish a long-term business relationship with your esteemed company in this field. Our major items are 100% cotton full printed velour towels of the following sizes and weights with an annual production capacity of one million dozens: Disney Standard: 30X60 inches, weight 305grams/SM, 350gram/PC 40X70 inches, weight 305grams/SM, 550gram/PC Please refer to our website http://www.jacquard-towel.com/index.html for more details ie patterns about our products. Once you are interested in our products, we will give you a more favorable price. Looking forward to hearing from you soon Thanks and best regards, Linda Henan Ziyang Textiles http:/www.jacquard-towel.com

-- Kind regards, on behalf of Peter Obermeier -Engineering- TelemaxX Telekommunikation GmbH Amalienstraße 81 76133 Karlsruhe Phone: +49 721 130 88 36 Fax: +49 721 130 88 77 www.telemaxx.de [EMAIL PROTECTED]
RE: restricting outbound access?
How about group access privileges on the offending executables? Seems to me to be the natural method of restricting access to stuff.

Curt-

I have a question. Is there any way to restrict outbound access for all but a few users? I know with iptables you can block outbound traffic completely but that won't work in my situation. There are about 150 users of my server and only 3 of them need outbound access so I am kind of in a sticky situation. Any help would be greatly appreciated. Thanks in advance

Steve Meyer
RE: Why is there a prompt for a root shell when the default linuxkernel boots?
Where might one find documentation on this bf2.4 kernel?

Javier Fernández-Sanguino Peña wrote: Now that I think of it this might be an issue with self-installed kernels. I'm going to document this behavior in the Manual, commit the changes and close the bug. Of course, woody does *not* install 2.4 kernels IIRC.

The default install does not, but the bf2.4 flavor does. Please take a look at the dists/woody/main/disks-i386/current directory in the Debian archives.
RE: connection refuse by tcp_wrapper
I know this may sound like a silly question, but did it work before you applied the TCP wrappers? If you remove the all:all from hosts.deny, does it work? It's been a while since I last set up wrappers, but in all other systems I make sure it works first, then apply changes one by one and test them. That way I know under what conditions it still worked.

Curt-

Dear all, I am a beginner in linux os, I try to configure tcp_wrapper in my configuration like this:

hosts.deny
ALL : ALL

hosts.allow
ALL : 192.168.1.10
ALL : 192.168.1.11

but when I try to connect from 192.168.1.10 and 11 my server always gives a message:

ssh_exchange_identification: Connection closed by remote host

What is the problem with my tcp_wrapper? Anyone can help? Thank all,

Akoe Rymond
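An added example, not code from the thread: it applies the lookup order documented in hosts_access(5) (hosts.allow first, then hosts.deny, then allow by default) to the configuration quoted in the question, so the expected decision for each client can be checked offline before touching a live server, in the spirit of the change-one-thing-and-test approach above. The rule text is constructed from the post; hostname patterns, EXCEPT and KNOWN/UNKNOWN/PARANOID are deliberately not implemented.

```python
"""Offline evaluator for tcp_wrappers hosts.allow / hosts.deny rules.

Added example, not code from the mailing-list thread. Decision order
follows hosts_access(5):
  1. a (daemon, client) match in hosts.allow  -> access granted
  2. otherwise a match in hosts.deny          -> access denied
  3. otherwise                                -> access granted
Client patterns handled: ALL, an exact IPv4 address, a trailing-dot
prefix such as 192.168.1. and net/mask such as 192.168.1.0/255.255.255.0.
Hostnames, EXCEPT and KNOWN/UNKNOWN/PARANOID are left out on purpose so
the example runs without network access.
"""
import ipaddress
from typing import List, Tuple

# Rule text constructed from the configuration quoted in the question.
HOSTS_DENY = "ALL : ALL\n"
HOSTS_ALLOW = "ALL : 192.168.1.10\nALL : 192.168.1.11\n"

Rule = Tuple[List[str], List[str]]  # (daemon patterns, client patterns)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list' lines, skipping blanks and comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed rule: {raw!r}")
        # List members may be separated by commas and/or blanks.
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern: str, client_ip: str) -> bool:
    """Match one client pattern against a dotted IPv4 address."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client_ip)
    if pattern.endswith("."):           # 192.168.1.  matches 192.168.1.x
        return client_ip.startswith(pattern)
    try:
        if "/" in pattern:              # net/mask form
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False                    # hostnames are not resolved here


def rule_matches(rule: Rule, daemon: str, client_ip: str) -> bool:
    """A rule applies when both its daemon list and its client list match."""
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(
        client_matches(c, client_ip) for c in clients)


def hosts_access(daemon: str, client_ip: str,
                 allow_text: str, deny_text: str) -> Tuple[bool, str]:
    """Return (granted, reason) for one connection attempt."""
    for daemons, clients in parse_rules(allow_text):
        if rule_matches((daemons, clients), daemon, client_ip):
            return True, f"hosts.allow: {' '.join(daemons)} : {' '.join(clients)}"
    for daemons, clients in parse_rules(deny_text):
        if rule_matches((daemons, clients), daemon, client_ip):
            return False, f"hosts.deny: {' '.join(daemons)} : {' '.join(clients)}"
    return True, "no rule matched; default is to allow"


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.11", "192.168.1.12"):
        granted, why = hosts_access("sshd", ip, HOSTS_ALLOW, HOSTS_DENY)
        print(f"sshd from {ip}: {'ALLOW' if granted else 'DENY'} ({why})")
```

Under these rules the two listed hosts are granted and everything else is denied, so a denial for 192.168.1.10 points at something other than the rule logic (for instance the daemon name used or the actual file contents), which is exactly what the incremental testing suggested above isolates.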
RE: Lost root password!!
Stef, I've noticed during the boot sequence of 2.4.18, after the ramdisk is loaded there is a 5 second pause during which time you can get a root shell. Do you get this opportunity? I realize it asks for a password, but it is one more thing to try. Other than that, using a rescue disk or the install CD as a boot disk is all I can think of.

Curt-

Last night when I attempted to change my root password passwd bunked out on me. It crashed and I received the following message on the console: ... Is passwd in Woody broken? How can I fix my broken root password without harming my system? Any feedback would be greatly appreciated. Thanks,

Stef
RE: Guarding against evil software installation scripts?
From: Tim Freeman [mailto:[EMAIL PROTECTED]]

... But whose reputation?

The package maintainer directly, the Debian project indirectly. I'm not really talking about individuals, I'm talking about generalities. On a really secure machine, you're not going to be installing games, or utilities willy-nilly anyway. A secure machine will run its own iptables/ipchains filter to prevent unauthorized or unknown packets from entering or leaving the system itself, and sit behind a firewall or filtering router too. At least. One of the things I liked about Debian from the first time I used it, was the granularity of package install. Telnet, fingerd, ftpd, NFS, rsh, etc., have never been installed. A service that does not exist cannot be exploited.

If we could make it so that only some packages need to install as root, and the rest are prevented from arbitrarily modifying the machine, then the intruder has to arrange to be in the root package group to do much harm. This could at least require more social interaction and more time than creating ordinary user-mode packages.

I agree, this would be a GoodThing(tm, reg us pat off). The kinds of segmentation and isolation are addressed quite carefully in Security Enhanced Linux (SELinux) that is being developed and released by the American National Security Agency. Their white papers discuss the details, and for a machine you must leave accessible from the outside world, but must also secure to such a degree, it might be worth the trouble. http://www.nsa.gov/selinux/ As I've said for many years, "Security Is Inconvenient." Your level of security truly depends on how much effort you're willing to expend. Running as root is very convenient indeed.

I don't know the required size of the developer group before you can expect to have a patient evil person in the group. Apparently we aren't there yet, and that's a good thing.

Such evil tends to be self limiting. When (if) discovered, the individual's ability to continue to perpetrate evil is decreased. In a situation like Linux, where no one individual has complete control over anything, or the ability to use force, such evil would be very short lived. People would simply use something else. In a closed source system, a back-door can be put in easily. If it's carefully and deliberately placed, it could well go undiscovered. A login program with a hard-coded username, for instance. Something like that wouldn't withstand any level of examination of the source. OpenSource lends itself to being secure against the most likely threats: well known exploits by script kiddies. OpenSource systems are updated more rapidly, and with far more granularity than closed systems. The results of Honey pot projects are fascinating reading. Hint: Never leave a system in its "default" configuration.

There is a great deal to be learned on both sides, by comparing physical and data security models. The data model, for instance, has to deal with the fact that an attack is not just "likely", it's inevitable. The likelihood of any particular exploit being attempted depends on how well known it is, and how long it's been around. It is common practice in physical security to identify what level of attack is expected, and then engineer for it. There is a point for most people at which it is more cost effective to carry insurance against something that is massively destructive, but very unlikely. Like a meteor strike, or airplane crash. Argumentum ad absurdum, security at American airbases in the middle east is designed around attack by, "a motivated, well organized, well supplied and capable group." Physical security is still breached often by "the oldest trick in the book" such as someone carrying a clipboard and wearing a lab coat who "tailgates" into a secure area by looking like everyone else. And as SirCam shows, such socially engineered viruses work on computers too.

Oh heck, I'm rambling. Three times in three days, will the Debian Security list ever forgive me?

Curt-
RE: Guarding against evil software installation scripts?
I don't see a clear path to doing this the right way, where chaos is prevented by something more substantial than a social convention. I have to admit that the social convention is working very well at the moment, though. -- Tim Freeman [EMAIL PROTECTED]

At some point you have to trust. Unless you're ready to read every line of code, every script, yourself every time you install anything, trust is explicit. I trust binary .deb's from the Debian archives and x.debian.org mirrors. I trust .deb's and .rpm's when I get them from sources pointed to by their creators. I really like PGP, GPG, MD5 and other signatures on/with binary packages, at least it gives me a clearer false sense of security. At a stretch, I'll even run a game demo or some such binary as myself which I pull down from somewhere that looks like fun.

Yes, the social convention is working very well indeed. A single source build that many people use (ftp.debian.org, ftp.kde.org, etc) also means that if anyone finds a problem in it and does something about it, they do me good too by making the next apt-get upgrade more than just exercise for my modem. Reputation counts. I'm sure that if a maintainer was discovered to have uploaded code with such things in it, that maintainer would lose coolness points galore.

Darn, second ramble in two days. Your pardon.

Curt-
Offtopic RE: About user monitoring
Nathan Norman - Micromuse Ltd. mailto:[EMAIL PROTECTED]

Gil-galad was an Elven-king.           | The Fellowship
Of him the harpers sadly sing:         | of
the last whose realm was fair and free | the Ring
between the Mountains and the Sea.     | J.R.R. Tolkien

A king of Elves there was of old, Saranwrap by name,
who slew the Narcs at Mellowmarsh and Soreheads Host did tame.
With him marched the stubby Dwarfs drafted from their mines,
but when the fearsome battle raged they hid behind the lines.
Sing: Clearasil, Metrical, Lavoris in Choris,
they hid behind the lines.

-Bored of the Rings, Harvard Lampoon.

--

Your pardon, all, it brought back such beautiful memories... I can also recommend their Doon if you can find a copy. Doon. Dessert planet. A world almost entirely devoid of entrees.

Curt-
RE: on potato's proftpd
I would bet that the vast majority of flame wars begin because someone mistakes terse or concise for hostility. The reverse, being the endless spewing of meaningless words, all the while saying nothing at all or even the opposite of what it sounds like, is the art of politicians and diplomats.

I'll take a flame war any day, when compared to the alternative.

Curt-

they really weren't intended to be flames. i am sorry if they felt that way. i am really just trying to be concise since i don't have much more to say than i did.

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^.*|tr * mailto:; net@madduck
RE: failed ssh breakins on my exposed www box ..
I'm impressed. Even here in Tokyo, where "a cop on every street corner" is not just an Orwellian slur, the only people who get that kind of service are the ones who directly pay their salaries.

Seriously, the only person you can rely on is you. You're the one on the scene, be it a mugging or a cracking. If you don't defend yourself, your property or your data, no one else will. Going to court is a difficult process.

As England is learning right now, so long as the attacker thinks you cannot endanger them they will continue their attacks and even escalate. Script kiddies are no different, they are emboldened by their successes. So unless someone actively hurts these malicious crackers, it's only going to get worse. We need to make sure that when someone gives us enough evidence to prove their guilt, they get prosecuted. No, I don't know enough to gather that evidence, but I know there are people who can and do.

I saw a really funny site (linked from Slashdot, no idea how to find it now) where a spammer was white-hat hacked. This guy posted the spammer's names, addresses, telephone numbers, advertising solicitation materials, photographs... who knows if it didn't increase their business? Exposure is exposure, after all.

Curt-

From: Gary MacDougall [mailto:[EMAIL PROTECTED]]
...

Agreed. I'll never understand why people will let crackers wreak havoc on a network without issue, but if someone comes up and tries to break into my house, the police will be there in 2 seconds.

g.
RE: weird connection attempt
Many ISPs do not know enough to filter the RFC1918 space, or only do so on the border routers and not internally.

Another good idea is to filter out-going packets by source address, allowing through only those whose source is supposed to be inside the network. Anything with a source address which is RFC1918 is suspect.

I run a potato server on an ethernet behind a firewall connected by DSL to the internet. The only service exposed is ftp. In the middle of last night ippl reported an ftp connection attempt from 192.168.1.1. The network behind my firewall uses 192.168.75.xx addresses for one Redhat and a couple of Windows machines as well as the debian ftp server. Any idea where the 192.168.1.1 attempt is coming from? Is it likely to have been spoofed over the internet as part of an attack?

--
--- Hal [EMAIL PROTECTED] ---
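The two source-address checks described above (drop anything arriving from the ISP side with an RFC1918 or with our own inside prefix as source, and only let packets out whose source really is inside), run over a few constructed firewall records. This is an added example, not code from the thread; the inside prefix 192.168.75.0/24 is Hal's, while the record format, the other addresses and the external address 203.0.113.10 are made up and are not ippl's output.

```python
import ipaddress

# Hal's inside network from the thread; every other value below is constructed.
INSIDE_NET = ipaddress.ip_network("192.168.75.0/24")
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    """True if addr lies in any of the three RFC1918 private ranges."""
    return any(addr in net for net in RFC1918_NETS)


def classify(direction: str, src: str) -> str:
    """Verdict for one packet seen on the firewall's external interface.

    direction 'in'  = arrived from the ISP side
    direction 'out' = about to leave towards the ISP
    """
    s = ipaddress.ip_address(src)
    if direction == "in":
        if s in INSIDE_NET:
            # nothing on the internet can legitimately carry our own prefix
            return "DROP spoofed: inbound packet claims an inside source"
        if is_rfc1918(s):
            # forged, or leaked by an ISP that does not filter RFC1918 space
            return "DROP rfc1918: private source arriving from the internet"
        return "ACCEPT"
    if direction == "out":
        if s not in INSIDE_NET:
            # egress filter: never emit a packet whose source is not ours
            return "DROP egress: outbound source is not inside our network"
        return "ACCEPT"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed records, one per line: direction source destination service.
# The first line is the event Hal reported, an ftp attempt from 192.168.1.1.
SAMPLE_LOG = """\
in  192.168.1.1    203.0.113.10   tcp/21
in  198.51.100.7   203.0.113.10   tcp/21
in  192.168.75.9   203.0.113.10   tcp/21
out 192.168.75.12  198.51.100.7   tcp/80
out 10.9.8.7       198.51.100.7   tcp/80
"""


def audit(log_text: str) -> list:
    """Return [(record, verdict)] for every non-empty record in log_text."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        direction, src, _dst, _svc = line.split()
        verdicts.append((line, classify(direction, src)))
    return verdicts


if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_LOG):
        print(f"{record:45s} -> {verdict}")
```

Whether Hal's 192.168.1.1 was forged or merely leaked by an unfiltered upstream, the verdict is the same: a private source arriving from the internet cannot be answered and should be dropped and logged.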
RE: dpkg-buildpackage (-rfakeroot) leaves setuid binaries
For the non-mathematical, or rather grammatical, style to say it, I use the phrase: Security is Inconvenient.

The first time I say it to someone, they usually pause for a moment, digest it, and it really helps in further discussions about what to do about

It's my answer, for instance, when someone notices just how much I type to open an SSH session. "Wow, that's a long password." "Yep, security is inconvenient." Sometimes this leads to *their* inquiring as to what it buys, and leads to another informed user who doesn't feel pressured.

It isn't just UNIX, have you ever looked at how every openable thing on a Caterpillar earth-moving machine has a way to padlock it closed? One key for simple operation, another key for routine engine maintenance, maybe a pass-key (su) for the shop foreman, etc...

Curt-

-Original Message-
From: martin f krafft [mailto:[EMAIL PROTECTED]]
...

yes, that's UNIX life. convenience ~ security^-1, where operator~ here is proportional

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^.*|tr * mailto:; net@madduck
i have the power to channel my imagination into ever-soaring levels of suspicion and paranoia.
RE: IPTABLES
Oh bloody hell, I thought it might be. Trouble is, every time I look for it I can't find it one way or the other. This time I'm going to write it down.

Curt-

-Original Message-
From: Jussi Tawaststjerna [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 09, 2002 16:16
To: Howland, Curtis
Cc: [EMAIL PROTECTED]; Debian-Security
Subject: RE: IPTABLES

Just the other way around, 2.2.x == ipchains, 2.4.x == iptables.

Craig, just look at your kernel, and make sure every netfilter/iptables module is compiled/listed, and then look at your /lib/modules/2.4.12/ and make sure everything modprobes or insmods (if they haven't already) ..

On Wed, 9 Jan 2002, Howland, Curtis wrote:

Please flame me if I have this backwards, but I believe ip_tables only works under 2.2.x and earlier kernels, and the 2.4.x kernel introduced ip_chains and is incompatible with ip_tables. You have to use the right one, even though the package/module for both shows up (at least in Woody) and loads, but if you're using the 2.4 kernel the earlier stuff just "fails" like you're describing.

http://www.linux.org/docs/ldp/howto/Firewall-HOWTO-8.html

Curt-

-Original Message-
From: Craigsc [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 09, 2002 16:09
To: Debian-Security
Subject: IPTABLES

Hi Fellows

I am having a problem with getting iptables working with kernel 2.4.12. Getting the following error message:

Can't locate module ip_tables
iptables v1.2.4: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

Perhaps I'm missing a module ? Any help would be appreciated :)

Kind regards
Craig

Jussi Tawaststjerna [EMAIL PROTECTED]
Senior Support Engineer (NOC)
Annankatu 44 00100 Helsinki
Jippii Group Oyj
Phone +358 9 4243 0662
RE: IPTABLES
Please flame me if I have this backwards, but I believe ip_tables only works under 2.2.x and earlier kernels, and the 2.4.x kernel introduced ip_chains and is incompatible with ip_tables. You have to use the right one, even though the package/module for both shows up (at least in Woody) and loads, but if you're using the 2.4 kernel the earlier stuff just "fails" like you're describing.

http://www.linux.org/docs/ldp/howto/Firewall-HOWTO-8.html

Curt-

-Original Message-
From: Craigsc [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 09, 2002 16:09
To: Debian-Security
Subject: IPTABLES

Hi Fellows

I am having a problem with getting iptables working with kernel 2.4.12. Getting the following error message:

Can't locate module ip_tables
iptables v1.2.4: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

Perhaps I'm missing a module ? Any help would be appreciated :)

Kind regards
Craig
RE: Secure 2.4.x kernel
-Original Message-
From: Gary MacDougall

soapbox

I'm going to get flamed like hell for this, but I think the general attitude of people that consider themselves Linux Security Gurus sucks! If you've ever visited #linux on IRC or talked with people in a chat room about Linux (in general) it's amazing the amount of venom these Linux Pundits have towards people that are newbies.

One of the reasons that I prefer Debian-security and Debian-user, and maybe the rest of the Debian lists too, is their generally very high signal to noise ratio. For all its faults, slashdot also demonstrates the benefits of moderation.

interesting opinions (ammunition) about apt-get vs. rpm (My reasoning was security updates are easier etc. etc.)...

My personal fuel for that fire is that there are no dependency problems with apt. Yes, it's an oversimplification, however I feel that once someone accustomed to needing several iterations with RPMs gets a taste of the "just do it" apt process, they won't notice the rare instance when there is a conflict. My hat's off to the Debian maintainers. I deeply respect their work.

I guess its a form of geek revenge.

Naa, it's simian posturing. It happens with humans everywhere. I enjoyed watching it in Good Will Hunting, and two days ago rented Finding Forrester (same movie, different actors), and sure enough lots of simian posturing. "You dare to challenge me in MY classroom?" etc.

The problem is cultural and social. We've moved away from the teaching traditions that channeled such territoriality and aggression in constructive ways. Hormone-addled male teens no longer get whupped into shape when they really need it. I can suggest the writings of Jeff Cooper for a better exploration of the kinds of attitudes and processes that are now missing, and R.A. Heinlein for lots of fictional explorations of the issue.

There's some really nasty little flame freaks out there who simply do not understand the repercussions of their words, and how they hurt people.

They've never been taught how to argue with their (recently evolved) brains.

Curt-
RE: Secure 2.4.x kernel
A major point concerning laws is that they prevent nothing. Laws against murder have been around since the idea of laws was invented, yet murder still happens. Sometimes in new and spectacular ways.

Individual security, be it physical or logical, must be considered an individual responsibility. Each server, each PC, each system must have its own security addressed not in a standard legislated pattern, but with the unique attributes of that specific system in mind. At the very least, turning off all services that are not specifically and deliberately turned on is the first step.

Curt-

-Original Message-
From: Ralf Dreibrodt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 25, 2001 23:07
To: Gary MacDougall
Cc: [EMAIL PROTECTED]
Subject: Re: Secure 2.4.x kernel

Hi,

Gary MacDougall wrote:

Hmmm... Mom has a good point. I think the bottom line is that we'll never have 100% security until there are laws that protect the break-in's and hacking that occurs. Still laws... not crappy little wrist slapping type laws.

laws can't do anything against unknown people. i think there is no way to find a hacker if he really doesn't want to.

btw, with that argumentation you are saying "come on, delete all security mailing lists and let us ask for better laws, don't close your windows when you are leaving your home, don't close the doors." and that's the totally wrong way (at least today).

bye
Ralf
RE: Secure 2.4.x kernel
Gary,

While I understand your theory, reality is that laws only provide a framework for punishment. If their existence in fact did not allow something, such as murder, murder would therefore not happen. Murder does in fact happen, just like trespass, yet is not ok.

If, as you say, people were not allowed to break the law, there would be no traffic tickets since such violations would not have been allowed to happen.

Your conclusion that I believe an action is ok merely because it is capable of happening is in error. What I said was that laws do not prevent action, I said nothing about specific actions being ok or not ok.

I will gladly continue this debate offline if you wish, I have a great store of source material for the non-initiation of force philosophy which you might find interesting.

Curt-

-Original Message-
From: Gary MacDougall [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 26, 2001 11:47
To: Howland, Curtis; Ralf Dreibrodt
Cc: debian-security@lists.debian.org
Subject: Re: Secure 2.4.x kernel

Actually your point of view basically states that it's ok for anyone to trespass. In the US, we have laws against such activity. People are *not* allowed to break the law, regardless of how stupid the victim is. Laws were created to protect. Regardless of the type of crime or injustice. Just because people are dumb or not as fortunate as other more privy people, doesn't mean that the law should bypass the unfortunate. The law (at least in the US) was specifically created to protect people in such circumstances. Why should computer law be any different?

I see your point, do you see mine?

g.

- Original Message -
From: Howland, Curtis [EMAIL PROTECTED]
To: Ralf Dreibrodt [EMAIL PROTECTED]; Gary MacDougall [EMAIL PROTECTED]
Cc: debian-security@lists.debian.org
Sent: Tuesday, December 25, 2001 7:03 PM
Subject: RE: Secure 2.4.x kernel

A major point concerning laws is that they prevent nothing. Laws against murder have been around since the idea of laws was invented, yet murder still happens. Sometimes in new and spectacular ways.

Individual security, be it physical or logical, must be considered an individual responsibility. Each server, each PC, each system must have its own security addressed not in a standard legislated pattern, but with the unique attributes of that specific system in mind. At the very least, turning off all services that are not specifically and deliberately turned on is the first step.

Curt-

-Original Message-
From: Ralf Dreibrodt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 25, 2001 23:07
To: Gary MacDougall
Cc: debian-security@lists.debian.org
Subject: Re: Secure 2.4.x kernel

Hi,

Gary MacDougall wrote:

Hmmm... Mom has a good point. I think the bottom line is that we'll never have 100% security until there are laws that protect the break-in's and hacking that occurs. Still laws... not crappy little wrist slapping type laws.

laws can't do anything against unknown people. i think there is no way to find a hacker if he really doesn't want to.

btw, with that argumentation you are saying "come on, delete all security mailing lists and let us ask for better laws, don't close your windows when you are leaving your home, don't close the doors." and that's the totally wrong way (at least today).

bye
Ralf
RE: iptables missing library
This may seem an obvious question, but have you coordinated that "ipchains" works with the 2.2.x kernels, and "iptables" with the 2.4.x kernels? Woody standard kernel is still 2.2.x.

Curt-

-Original Message-
From: Jeff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 25, 2001 12:44
To: debian security list
Subject: iptables missing library

I've recently discovered the "badflags" capabilities in iptables and I'm playing with some rules. However, when I load the rules, I get the following error message:

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Couldn't load target `badflags':/lib/iptables/libipt_badflags.so: cannot open shared object file: No such file or directory

Indeed, I do not have libipt_badflags.so on my woody system. I've been looking all over to find it, but have had no luck. I checked in the unstable version of iptables, and it's not there either. Can someone point me to where I can find it?

thanks,
jc

--
Jeff Coppock
Systems Engineer
Diggin' Debian
Admin and User
Another good thing about apt and dselect
http://www.cnn.com/2001/TECH/internet/12/17/cert.plug.holes.idg/index.html

Reading this sort of article reminds me of another really good thing about apt, dselect, and the (forgive me please) Debian Way: I don't have to be told that there is an SSH security fix in order to fix it. Every time I fire up dselect to install a new game, or try out a new mail client, or just to see where we are at the moment, the latest available versions, including security fixes, are automatically set for installation.

I believe this is well worth the "slow release cycle" reputation of Debian, un-earned in my personal experience.

Thank you, Debian Developers. Your work does not go un-noticed.

Curt-

---
Curt Howland +81-3-5772-5832
KVH Telecom Japan, Ltd. IDC Division
RE: Spam?!?
And plenty of open relay servers, too.

obSec: You do have your SMTP transfer agent configured not to act as a relay, right?

Curt-

-Original Message-
From: Petro [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 03:09
To: Yooseong Yang
Cc: k l u r t; [EMAIL PROTECTED]
Subject: Re: Spam?!?

On Mon, Dec 17, 2001 at 11:48:13PM +0900, Yooseong Yang wrote:

can you speak korean? if so give them a call or a nasty email for us.

I am ashamed of this kinda spam stuff as a korean. I sent an email to the hanmail mail administrator about this kinda problem. If I get some mails from whoever is concerned, I'll post about it.

Don't be ashamed, there are plenty of people in every country with internet access who are spammers.

--
Share and Enjoy.
RE: Apt-get is insecure
Any PGP/GPG keys used by package maintainers will themselves be signed and trusted by the Debian official community. What a "secure apt" must do is alert if the key used is not so trusted, even if it uses the same name and email address as it "should". This assumes that the cracker's PGP/GPG key has, somehow, made it onto your keyring, where only your friends and the Debian maintainers ought to be anyway.

Curt-

-----Original Message-----
From: Jor-el [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 14, 2001 09:05
To: debian-security@lists.debian.org
Subject: Re: Apt-get is insecure

On Thu, 13 Dec 2001, Wichert Akkerman wrote:
> There is a separate plan for verifying signatures using apt. From memory this goes as follows:
> * deb packages are installed in the archive
> * the MD5 checksum for each package is listed in the Packages file
> * the MD5 checksum for each Packages file for a release is listed in the Release file
> * the archive creates a signature for the Release file that apt can verify

Hi,

Forgive me if my question is rather naive. I have the following scenario and am curious to know whether this has already been addressed:

1. Mr. Cracker sets up a mirror and claims it is a mirror for Debian distros.
2. Mr. Cracker recompiles trojaned packages and recomputes the MD5 checksums for them. These trojaned .debs are placed on the mirror.

How would a person getting .debs from this mirror be able to protect him/herself from such a situation? Would they have to exclusively get .debs from the Debian site itself? Note that if the packages are PGP / GPG signed, the problem is only a little less acute. Mr. Cracker could sign the package with his / her key. How would a user know that Mr. Cracker is not in fact the maintainer?

Regards,
Jor-el
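The chain Wichert describes (Packages lists the MD5 of each .deb, Release lists the MD5 of each Packages file, the archive signs Release) run against Jor-el's rogue-mirror scenario, as an added example that is not Debian's or apt's own code. The archive layout, the package bytes and the signing key are constructed placeholders, and an HMAC stands in for the GPG signature that apt would verify against its trusted keyring. What it shows is the answer to Jor-el's question: recomputing the checksums in Packages is not enough, because the chain is rooted in a signature over Release that the mirror operator cannot produce, and reusing the genuine signed Release exposes the swapped Packages file.

```python
"""Hash chain from a signed Release file down to a .deb, as described above.

Constructed sample archive; an HMAC with a constructed key stands in for the
GPG signature that apt would check against its trusted key.
"""
import hashlib
import hmac

# Constructed .deb contents (placeholders, not real package data).
GOOD_DEB = b"constructed bytes standing in for foo_1.0-1_i386.deb\n"
TROJANED_DEB = b"constructed bytes standing in for a recompiled, trojaned foo\n"
# Constructed stand-in for the archive's signing key; a cracker does not have it.
ARCHIVE_KEY = b"constructed-archive-signing-key"

PACKAGES_PATH = "main/binary-i386/Packages"
DEB_PATH = "pool/main/f/foo/foo_1.0-1_i386.deb"


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_packages(deb: bytes) -> bytes:
    """Packages file: one stanza per package, carrying the .deb's MD5 checksum."""
    return (f"Package: foo\nFilename: {DEB_PATH}\nSize: {len(deb)}\n"
            f"MD5sum: {md5(deb)}\n\n").encode()


def build_release(packages: bytes) -> bytes:
    """Release file: the MD5 checksum of each Packages file in the release."""
    return (f"Suite: stable\nMD5Sum:\n"
            f" {md5(packages)} {len(packages)} {PACKAGES_PATH}\n").encode()


def sign_release(release: bytes, key: bytes = ARCHIVE_KEY) -> bytes:
    """Stand-in for the archive's signature over the Release file (see above)."""
    return hmac.new(key, release, hashlib.sha256).digest()


def parse_release_md5s(release: bytes) -> dict:
    """Map each path listed under MD5Sum: to its (digest, size)."""
    sums, in_section = {}, False
    for line in release.decode().splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
        else:
            in_section = False
    return sums


def parse_packages_md5s(packages: bytes) -> dict:
    """Map each Filename: field to its MD5sum: field."""
    sums = {}
    for stanza in packages.decode().split("\n\n"):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        if "Filename" in fields and "MD5sum" in fields:
            sums[fields["Filename"]] = fields["MD5sum"]
    return sums


def verify_deb(mirror: dict, release_sig: bytes, deb_path: str = DEB_PATH) -> bool:
    """Walk the chain top-down; any break means the mirror's .deb is untrusted."""
    release = mirror["Release"]
    # 1. Release must carry a valid signature from the archive key.
    if not hmac.compare_digest(sign_release(release), release_sig):
        return False
    # 2. Packages must match the digest and size recorded in the signed Release.
    packages = mirror.get(PACKAGES_PATH)
    expected = parse_release_md5s(release).get(PACKAGES_PATH)
    if packages is None or expected != (md5(packages), len(packages)):
        return False
    # 3. The .deb must match the digest recorded in the now-trusted Packages.
    deb = mirror.get(deb_path)
    return deb is not None and parse_packages_md5s(packages).get(deb_path) == md5(deb)


def honest_mirror():
    packages = build_packages(GOOD_DEB)
    release = build_release(packages)
    mirror = {"Release": release, PACKAGES_PATH: packages, DEB_PATH: GOOD_DEB}
    return mirror, sign_release(release)


def cracker_mirror():
    """Jor-el's scenario: trojaned .deb with every MD5 checksum recomputed to match."""
    packages = build_packages(TROJANED_DEB)
    release = build_release(packages)
    mirror = {"Release": release, PACKAGES_PATH: packages, DEB_PATH: TROJANED_DEB}
    # Without ARCHIVE_KEY the cracker can only sign with a key of his own.
    return mirror, sign_release(release, b"constructed-cracker-key")


def cracker_reusing_genuine_release():
    """Cracker keeps the genuine signed Release and only swaps the lower layers."""
    mirror, genuine_sig = honest_mirror()
    mirror[PACKAGES_PATH] = build_packages(TROJANED_DEB)
    mirror[DEB_PATH] = TROJANED_DEB
    return mirror, genuine_sig


if __name__ == "__main__":
    print("honest mirror:", verify_deb(*honest_mirror()))
    print("cracker mirror, own signature:", verify_deb(*cracker_mirror()))
    print("cracker mirror, genuine Release reused:",
          verify_deb(*cracker_reusing_genuine_release()))
```

The check is deliberately top-down: nothing below Release is consulted until the signature verifies, so a mirror that edits Release to match its own Packages file fails at step 1, and one that leaves Release alone fails at step 2. Curt's point about which keys live on the keyring maps onto ARCHIVE_KEY here: the whole chain is only as trustworthy as the key the client accepts for step 1.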
RE: How do I disable (close) ports?
This is one remnant of the "trusted" world of Unix, and the legacy that Linux has to deal with. It's ipchains/iptables to the rescue.

I do not have NFS turned on in the kernel modules, nor the package installed. Yet this port is still open *to the outside world*. Can anyone suggest a reason why this has not been restricted only to the loopback interface, to be "opened" to other interfaces by the daemons if installed? That is, if it cannot be eliminated entirely.

For the most part, I've found that Linux is good for not turning things on unless you want them on, but this seems to be the exception that proves the rule. Any other opinions?

Curt-

-----Original Message-----
From: Thomas Bushnell, BSG [mailto:[EMAIL PROTECTED]]

> Portmapper is an essential server for SunRPC services, including NFS, mountd, nfsd, etc.
RE: Secure wu-ftpd for Testing?
The article I read about it on the Register...

http://www.theregister.co.uk/content/4/23082.html

"The hole affects thousands of users of virtually every Linux release. Because of the wide implications, Core, working with CERT, and, at one point, SecurityFocus' "Vulnerability Help" team, arranged a coordinated release with Caldera, SuSE, TurboLinux, Debian, Red Hat, and other Linux vendors, so that patches would be available for every distribution simultaneously. December 3rd was picked for the release. That plan went out the window Tuesday, when Red Hat unilaterally issued its own advisory."

So I will assume that Debian has a fix that is being tested, if not in "testing". I'm very surprised it hasn't been released or mentioned yet myself.

Curt-

-----Original Message-----
From: David Ehle [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 14:20
To: debian-security@lists.debian.org
Cc: Debian-Security (E-mail)
Subject: Secure wu-ftpd for Testing?

Hello all,

Is the wu-ftpd in testing secure? It seems 2.6.1 is a stinker. Testing is using 2.6.1-5, is that also compromised? I have been watching it all day but haven't seen any updates. If it is not secure, has a patched version been made available anywhere? I can't seem to find any mention at http://www.debian.org/security/

Thanks!
David.
Encrypted Filesystems zing pow woosh
Just FYI, Slashdot has a discussion up on encrypted file systems that might be of interest to folks who participated in the discussion here.

This direct link might work: http://slashdot.org/article.pl?sid=01/11/28/1549252&mode=thread

Curt-

---
Curt Howland +81-3-5772-5832
KVH Telecom Japan, Ltd. IDC Division
Security hole in Linux kernel itself? FW: [FreeBSD-users-jp 65877] Re: nslookup
Excuse me if this is old hat, has anyone else heard of a vulnerability like this? If it's on the FreeBSD lists, it must be well known...

Curt-

-----Original Message-----
From: Kondou, Katsuhiro (IDC)
Sent: Wednesday, November 28, 2001 22:16
To: Hu, Geng; Howland, Curtis
Subject: Fw: [FreeBSD-users-jp 65877] Re: nslookup

Attached is a message on a FreeBSD mailing list (in Japanese). This guy blames whoever designs the new (maybe) kernel of Linux which utilizes the region after 0x8000 for caching a network file system so that any process can access (read/write) it. I've never heard of it, but I tend to say Linux is *NOT* secure, if it's true.

-- 
Katsuhiro Kondou

---BeginMessage---
Okuyama at IBM here.

"HK" == Hiroyuki Komatsu [EMAIL PROTECTED] writes:
> "Hacker Programming Taizen" (『ハッカー・プログラミング大全』) ISBN4-88718-633-9 C0036 ¥3800E by UNYUN
> Looking at the table of contents and the price, I'm hesitating about buying it.
> How was the cost/performance?

Content-wise there is nothing much to it. It is only stack overflows.
# Although code "extremely similar" to CodeRed does turn up in it.

The important point is that it is a hardcover of exactly the right weight and hardness for hitting the heads of people who do not know even this much and still insist "that is nothing special", while telling them: "There is a book with the concrete method written in it, so this is common knowledge. Know at least that much, you fool." (^^;)

# For the Second Edition I would love a feature that lets you swing it in Japan and also hit the heads of the idiots in the US. I want to crack the skulls of the crowd who designed the network-capable file system running on Linux to acquire the cache management region it uses in the area from 0x8000 onward "such that any process can freely read/write it", and of the fools who insisted that was "secure".

Okuyama Kenichi @ Tokyo Research Laboratory, IBM Japan Ltd. [煤背会: No.0x0001]
#URL http://www.dd.iij4u.or.jp/~okuyamak/
#Today's phrase, "by the way": up to Linux 2.4.5 the handling of SIGSEGV was deranged: one process could receive SIGSEGV only once. The interrupt mask simply never recovered. The "secure" reason, they say, is "so even if you try to stomp through the pages in order from one end, you stop before reaching the target page". Couldn't you just create one process per page?
---End Message---
RE: is 3des secure??
While this may be whipping a greasy stain on the road, it is true that 3DES was created by the government back when private cryptology was difficult or unknown. I believe it is prudent to consider that it was allowed to be used because of practical cracking available to the crypto experts. I'm not referring to a back-door, just a known method such as a hardware based method for cracking in near-real time.

However, 3DES is likely strong enough for normal people. If you're trying to keep things from them, they are already reading your screen and keyboard strokes directly by their radio emissions from across the street.

Paranoid? Yes. That's what security is all about.

Curt-

-----Original Message-----
From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 24, 2001 21:43
To: Johannes Weiss
Cc: debian-security@lists.debian.org
Subject: Re: is 3des secure??

On Sat, Nov 24, 2001 at 10:28:56AM +0100, Johannes Weiss wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Unfortunately, WIN-SSH is very buggy, it only works if I take the 3des algorithm, if I take one of the others (blowfish,...) it crashes.

What is unfortunate about that? From my experience, 3DES is used more commonly than any other crypto algorithm for things like SSH and IPSEC. I know that some people feel that Blowfish, Twofish, and friends are too new to be thoroughly tested. DES (and thus 3DES) has withstood 30 years of cryptanalysis. The only weakness found in DES, a weakness known from the very beginning, is that the short keylength makes it vulnerable to a brute force attack, which is why 3DES was created. 3DES is basically DES cubed, and effectively uses a 168 bit key, which is quite secure by modern standards.

noah

-- 
___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
RE: rogue Chinese crawler
Is there a "drop from..." command as well? I much prefer simply black-holing packets rather than giving back to the perp "I'm here, but I know about you" data by "deny". Or is that what the Apache "deny" does?

Curt-

-----Original Message-----
From: Christoph Moench-Tegeder [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 24, 2001 03:36
To: debian-security@lists.debian.org
Subject: Re: rogue Chinese crawler

## Martin WHEELER ([EMAIL PROTECTED]):
> Is anyone else having problems with the robot from openfind.com.tw

That one has not been seen here.

> Anyone know of a sure-fire robot killer under woody?

Apache himself (assuming your webserver runs apache, other servers should have something similar). Just take mod_access and add a "deny from" line to the <Directory />-section of your config.

Gruss,
cmt

-- 
Spare Space
RE: Mutt tmp files -- Root is not my Enemy
There is also this How-To: http://www.linux.org/docs/ldp/howto/Loopback-Encrypted-Filesystem-HOWTO.html

I've been thinking that a 100 or 500MB encrypted loop device per user, mounted as a subdirectory under the individual user's home, would be effective. It doesn't encrypt the entirety of the disk, nor all of the home directory, but could be (for instance) the KDE or GNOME "Desktop" folder, and anything there would be hidden from prying eyes.

The same caveats, "when you're logged in it's wide open" and "it's only as good as your passphrase", apply.

Thoughts?

Curt-

-----Original Message-----
From: Petro [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 04:51
To: Florian Bantner
Cc: debian-security@lists.debian.org
Subject: Re: Mutt tmp files -- Root is not my Enemy

On Tue, Nov 20, 2001 at 02:47:56PM +0100, Florian Bantner wrote:
> On Die, 20 Nov 2001, Rolf Kutz wrote:
> > Florian Bantner ([EMAIL PROTECTED]) wrote:
> > > A fact about which I'm concerned even more than about a hack from outside via the internet etc. is real physical access to the box. Something hackers normally don't pay enough attention to is that somebody just steps - let's say at 6 o'clock in the morning - into your room, shows you his police card - or whatever governmental id card - and tells you that your computer is now his.
> > Use TMPFS. Encrypt your disk or do everything in RAM (maybe set up a diskless system booting from cd. See the bootcd-package). They might still be bugging your hardware.
> I don't know tmpfs. What I'm currently thinking about is:
> * Create for every user a directory under his home.
> * Use some kind of ram-disk device.
> * Perhaps (just to be sure) encrypt it.
> Perhaps that's where I need some kind of encrypting filesystem (do I?). I'm not experienced in fs encryption. How do I mount such devices? Which encryption is used? When to enter the passphrase?

Several years ago Matt Blaze published a bit of code that mounted encrypted files via the loop interface as home directories. It was fairly resource intensive, and hence not really scalable. It is good for protecting against casual browsing, but while you're logged in to the machine (and hence have your home dir mounted) then it's just like a normal home directory.

Found it: http://www.ibiblio.org/pub/Linux/docs/faqs/security/Cryptographic-File-System

Seems I mis-remember bits of it.

-- 
Share and Enjoy.
RE: In Praise of Dos (RE: Mutt tmp files)
From: John Galt [mailto:[EMAIL PROTECTED]]

> delete.
> You're missing a large point here: root doesn't have to have RWX access on everything to be able to do their job, -WX may do the trick.

So, root does not need total file access in order to do some subset of functions which you, or the NSA, consider "their job." Who, pray tell, set up those permissions? (hint: root)

I believe that an administrator account with such limited permissions is a very good idea on a large-scale or multi-admin machine. In an ISP, for instance, your grunt sysop is neither trained nor absolutely trusted. But someone has to be able to administer *that* account too, so I still assert there should be a Root As God as final arbiter, to install the key-sig software, intrusion detection, etc.

> No, DOS taught us how to allow for a system to be compromised at the drop of a hat.

Interesting. Physical compromise is not at issue, because a machine which is physically compromised is merely a matter of time before it is broken. It is my impression we (all) agree on that.

> > If you cannot trust root, don't use that machine for anything you want to be secure.
> Probably a good dictum, but not really feasible in most cases. Do you trust your ISP? They have root on the system that forwards mail to you...

Quite right. Luckily, there are ways to secure specific functions, such as PGP'd email, ssh for remote login, https for document viewing and forms, IPSec for datastreams, etc. The commodity internet cannot ever be considered secure.

Had people only ever used terminals on shared servers, such as the IBM, DEC, Unix "mainframe" model, I believe we would have better individual user tools for security against root. Single user machines, thus my comment about Dos, give the impression of end-point security.

> Win 3.0 was broken and unusable, you know that?

Unusable? Then I seem to have been able to do the impossible. It certainly did not work well, but "unusable"? Hmmm...

> Win 3.X is the last system that had hardware requirements based on objective criteria and allowed the system control that you lauded in your main email.

I'm glad the theoretical considerations were able to be communicated, I do wish you had added your reservations and elaborations rather than using the absolute negative "No."

> Win 95+ started doing things for you, and NEVER does them the way they should be done.

Perhaps it just takes longer to do things right... I think the distributed effort of the open source projects, while chaotic so that key-strokes will not always be consistent (so what?), does allow for people to use the systems that give them the least astonishment. And, best of all, if someone realizes how they "should" be done, they can advocate it to someone who really can make it a reality. Unlike arguing for something during "Face Time" with Bill.

I was able to limit Win95, after lots of experimenting, to three running "services" and relative un-hackability. But it was a single user machine, and the keyboard was God.

> An object lesson in choosing a good PGP pass phrase.
> void hamlet() {#define question=((bb)||(!bb))}

Ummm... I believe that parses as b^2, not b*2... :^)

> Who is John Galt? [EMAIL PROTECTED] that's who! http://www.lfcity.org/

Curt-
In Praise of Dos (RE: Mutt tmp files)
To be blunt, I don't think one can entirely protect one's self from root, nor do I believe it's an All Good idea.

Root Is God. This is a multi-user, full-time, networked device. Root bears the responsibility of everything that happens to that machine. They are answerable to everyone, not just one user.

For all its faults, Dos taught us what it was like to be in complete control of one's own machine. No other users, no daemons, no services. Programs ran in a vacuum. I really like such control for single-user machines from a security standpoint, even though I prefer the functionality of Linux.

However, I also like the fact that when my wife's Win98 device crapped out and was sent to the shop for repair, it was no effort to simply "adduser x". The beauty of a multi-user machine. She can get the functions she needs until her machine comes back, but she now has to trust me that I won't "less /var/spool/mail/x" as root.

If you cannot trust root, don't use that machine for anything you want to be secure.

Curt-

ps: From a personal perspective, I think Linux is about where Windows 3.0 was. This is not a troll, just a usability thing.

-----Original Message-----
From: Daniel D Jones [mailto:[EMAIL PROTECTED]]

> ... We're talking about trying to protect yourself from legitimate root on a system where you're merely a user.
RE: Mutt tmp files -- Root is not my Enemy
Which reminds me to ask, are the www.kerneli.org cryptographic patches applied to the pre-compiled kernels, eg kernel-2-4-14-AMDK6.deb?

-----Original Message-----
From: Florian Bantner [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 16, 2001 16:26
To: debian-security@lists.debian.org
Subject: Re: Mutt tmp files -- Root is not my Enemy

> ...
> I do believe strongly in 'Democracy through Privacy'. Isn't that - before any other linux-distribution - something debian should stand for?
>
> -- 
> AXON-E Interaktive Medien
> Arnulfsplatz 6
> 93047 Regensburg
RE: Mutt tmp files
As has been said many times, many ways, once "root" is compromised, all bets are off. Also, the only computer that isn't vulnerable is the one that isn't connected to a network, and can't be physically touched.

Did anyone else see that awful Wesley Snipes movie, where he plays a black-bag (pun in original) operative for the U.N.? He hacks into a laptop that someone left on in their office, using the infrared port from outside the office window. When I first heard about Tempest shielding, I knew nothing was "impossible". Security is just a matter of making it so inconvenient that the cracker has to give up.

Curt-

-----Original Message-----
From: Craig Dickson [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 16, 2001 08:36
To: [EMAIL PROTECTED]
Subject: Re: Mutt tmp files

Florian Bantner wrote:
Hmm, have you considered ramdisks?

That's the idea I was looking for. Heard also today of the possibility to encrypt whole filesystems. At the moment I'm thinking about that. A combination would be nice. If I'm right this would make it hard even for root to do something. Not impossible but hard. That's really not bad at all.

It depends what kind of skills you expect root to have. Remember that root is in a position to modify the kernel if he wants to. I can easily imagine a kernel patch that watches the ramdisk (or any fs) for certain types of files (by name, ownership, or whatever), and makes extra copies of them under /root without the user's knowledge. It probably wouldn't even be a hard change to make. And of course, for the ramdisk to exist in the first place, you need root's cooperation, so he probably knows why you want it and what you're using it for. Even without a kernel patch, he can always just modify mutt, vim, or gpg to do what he needs. Or just replace vim with a shell script that calls the real vim and then copies the file for him afterwards (the easiest method, though also the most obvious).

You can make it so that root has to do more than look in /tmp for cleartext files, but I doubt you can make it hard if root is a competent programmer.

Craig
RE: Suggestion for debian-security
I'm glad to hear it. I will forward your message to Debian-Security, where I saw it discussed.

Curt-

-----Original Message-----
From: Jaakko Niemi [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 04:28
To: Howland, Curtis
Cc: [EMAIL PROTECTED]
Subject: Re: Suggestion for debian-security

On Tue, 13 Nov 2001, Howland, Curtis wrote:
Dear Debian, Due to the low off-topic traffic normally found on debian-security, and the increasing number of spam messages, I would like to suggest that debian-security be changed to allow only postings from email accounts that are subscribed.

Such a policy decision needs wider acceptance. I believe this is already being discussed in appropriate forums.

While I have at times utilized the feature of non-subscriber posting on high traffic lists like debian-user, this is a convenience I would gladly forgo for making it just that much harder for spamming.

Many people need to post from non-subscribed addresses. We implemented recently some filters which ought to improve the situation, hopefully to the point that posting limitations should not be needed.

--
"And if the messenger would shoot first?"
RE: Vulnerable SSH versions
I will gladly grant that the tar file may not exist for the boot floppies, and that I do not have on hand the CD to check it. It also may have been a Potato(e) phenomenon, no longer in use. However, it did exist. Which makes me wonder, why ship Woody with 2.2.20 at all? Oh well, not my decision.

I'm not sure that the problem is the 2.2.x modules "being found" by the 2.4.x modutils, I had the distinct impression that they were just "still included" for some reason. However, again to my shame, I have not the machine accessible to check.

However, this is way off topic no matter how interesting. Thanks to everyone for their help and advice, we shall see.

Curt-

-----Original Message-----
From: Henrique de Moraes Holschuh [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 13, 2001 09:53
To: Howland, Curtis
Cc: [EMAIL PROTECTED]
Subject: Re: Vulnerable SSH versions

On Tue, 13 Nov 2001, Howland, Curtis wrote:
The tar file that contains the "base" Woody install, which is used as the jumping off point for installation.

There isn't one, at least not for boot floppies. We use debootstrap to fetch the most up-to-date packages of that distribution and install them, not a tarball.

As far as the change from 2.2.x to 2.4.x, if you don't think it was all that confusing then you don't use pcmcia services. The 2.2.x kernel

That looks like a quite bad usability bug on the pcmcia-related packages to me, but I have not looked deeply (read: not at all) into the problem.

modules are all still there, but they no longer work. That means that not only do you need to find out the new module names, you have to ensure you don't use any of the old ones.

The 2.2.x modules should not be kept somewhere the 2.4 kernels will find them. This is certainly a big problem.

Seriously flawed, IMNSHO, and very confusing. It also led to a version conflict with modutils, where I had to boot back into 2.2.x in order to install modutils v2.4.10. I still get error messages from modutils on both boot-up and shutdown about version conflicts and missing modules.

Please file bugs against the appropriate packages, so as to have them ensure they have a new-enough modutils, at the very least.

--
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
RE: Vulnerable SSH versions
A quick question concerning such things... I have a remote server that I do not trust myself to upgrade from Potato(e) to Woody, and such vulnerabilities do worry me a little. Is there any general expectation that such back porting will continue once Woody is released?

Curt-

-----Original Message-----
From: Jo Fahlke [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 12, 2001 19:45
To: Michal Kara
Cc: debian-security@lists.debian.org
Subject: Re: Vulnerable SSH versions

On Mon, 12 Nov 2001, 11:30:49 +0100, Michal Kara wrote:
Hi there! During this weekend, there has been a paper posted to bugtraq named "Analysis of SSH crc32 compensation attack detector exploit". It talks about a recorded successful exploit using an overflow in the CRC32 compensation attack detection code, a hole which was discovered in February this year. In the appendices, there is also a program checking if you are vulnerable by checking the version string the SSH daemon produces on connect. The newest Debian Potato version produces the string SSH-1.5-OpenSSH-1.2.3, which is listed as vulnerable to this security hole. However, the Debian advisory released in February refers to version 1.2.3 as having this fixed... So how is it? Who is wrong? Thanks, Michal

Check out the thread starting at http://lists.debian.org/debian-security/2001/debian-security-200111/msg00025.html

Basically, in Debian potato the fix was backported to the old version of ssh so it should be safe.

Jö.
--
If God had intended Man to Smoke, He would have set him on Fire. -- fortune
RE: Vulnerable SSH versions
Thanks. I've been keeping it up to date weekly or so, but just to be sure I changed the sources.list to be ... potato/... instead of ... stable/... for when stable changes.

Even a blank-disk install of Woody wasn't straightforward. The kernel in the distribution tar file was 2.2.xx, changing to 2.4.9 was a bitch, and it's already up to 2.4.12 or .14... I wonder if the tar file has been changed to reflect the new kernel realities?

Curt-

-----Original Message-----
From: Ethan Benson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 13, 2001 09:15
To: debian-security@lists.debian.org
Subject: Re: Vulnerable SSH versions

On Tue, Nov 13, 2001 at 09:02:56AM +0900, Howland, Curtis wrote:
A quick question concerning such things... I have a remote server that I do not trust myself to upgrade from Potato(e) to Woody, and such vulnerabilities do worry me a little. Is there any general expectation that such back porting will continue once Woody is released?

when potato was released security updates for slink were discontinued two months later. since potato is going to be even more fossilized than slink was by the time woody is released i would expect a similar timeframe (that and potato only has 6(?) architectures, woody will have something like 12 or more). expect to have two months to upgrade your potato boxes before being on your own in regards to security updates.

--
Ethan Benson
http://www.alaska.net/~erbenson/
RE: Vulnerable SSH versions
The tar file that contains the base Woody install, which is used as the jumping off point for installation. The tar file has binary kernel, /boot, /proc and other directories, I'm not sure exactly what the limit to its contents is. I found this out by building a CD via the "assemble the CD image from individual .deb packages" procedure.

As far as the change from 2.2.x to 2.4.x, if you don't think it was all that confusing then you don't use pcmcia services. The 2.2.x kernel modules are all still there, but they no longer work. That means that not only do you need to find out the new module names, you have to ensure you don't use any of the old ones. Seriously flawed, IMNSHO, and very confusing. It also led to a version conflict with modutils, where I had to boot back into 2.2.x in order to install modutils v2.4.10. I still get error messages from modutils on both boot-up and shutdown about version conflicts and missing modules.

Curt-

-----Original Message-----
From: Ethan Benson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 13, 2001 09:33
To: debian-security@lists.debian.org
Subject: Re: Vulnerable SSH versions

On Tue, Nov 13, 2001 at 09:25:29AM +0900, Howland, Curtis wrote:
Thanks. I've been keeping it up to date weekly or so, but just to be sure I changed the sources.list to be ... potato/... instead of ... stable/... for when stable changes. Even a blank-disk install of Woody wasn't straightforward. The kernel in the distribution tar file was 2.2.xx, changing to 2.4.9 was a bitch, and it's already up to 2.4.12 or .14... I wonder if the tar file has been changed to reflect the new kernel realities?

what tarfile? woody will ship with 2.2.20, but it will fully support 2.4 kernels, i don't know what's so difficult about installing one.

--
Ethan Benson
http://www.alaska.net/~erbenson/
RE: SPAM was RE: INSURE GOOD RECEPTION! VITAL EMERGENCY STRATEGY!!!
While the traffic load on debian-user, for instance, makes subscribing just to ask one question somewhat hazardous to one's mailspool, I agree with making debian-security posting by subscriber only. It really isn't moderating, and doesn't take anyone's time. To whom should we address the suggestion?

Curt-

-----Original Message-----
From: Oyvind A. Holm [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 13, 2001 11:26
To: Vineet Kumar
Cc: debian-security@lists.debian.org
Subject: Re: SPAM was RE: INSURE GOOD RECEPTION! VITAL EMERGENCY STRATEGY!!!

On 2001-11-10 00:17 Vineet Kumar wrote:
* Sebastiaan ([EMAIL PROTECTED]) [011109 14:44]:
High, On Fri, 9 Nov 2001, Ed Street wrote:
Hey, Is there *anything* we can do about all this Spam that's getting on this list?

Yes. We can silently ignore them rather than turn each one into a lengthy off-topic thread.

No. The number of spam messages on these lists is really beginning to irritate me, it's getting bigger day by day. The task of (un)subscribing to the list is pretty easy, so I really don't see the problem of only allowing messages from members on the list.

Regards,
Øyvind

+== http://www.sunbase.org/sunny ===+
| OpenPGP: 0xAD19826C 2000-01-24 Øyvind A. Holm [EMAIL PROTECTED] |
| Fingerprint: EAE5 DCA0 0626 5DAA 72F8 0435 2E2B E476 AD19 826C |
+=== 2 + 2 = 5 for extremely large values of 2. +