RE: Debian Security Updates

2002-08-08 Thread Howland, Curtis
Then how are the packages so stored elsewhere differentiated?

Or are the packages under the debian-non-US directory distributed under the 
other headings when grabbing from this particular server?

 Previously Aurelio Turco wrote:
  Furthermore:
  
http://security.debian.org/debian-non-US
  
  does not appear to exist.
 
 security.debian.org is hosted in a non-US location and doesn't have
 a separate non-US archive.
 
 Wichert.
 



RE: Support for Potato

2002-07-24 Thread Howland, Curtis

 On Thu, 25 Jul 2002 at 01:08:29AM +0200, martin f krafft wrote:
  least as usable and stable, and until potato-woody is guaranteed to
  progress without any problems...
  
 Problems?  What problems? G  Just A LOT of tweaks

I can't upgrade, it would require restarting and that would blow my
record on necraft.com


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



RE: Didn't we have that whole spam discussion last week?

2002-07-18 Thread Howland, Curtis

I humbly beseech the Debian list maintainers to make this list subscriber only 
may post.

Thank you.

Curt-

 -Original Message-
 From: Phillip Hofmeister [mailto:[EMAIL PROTECTED]
 Sent: Friday, July 19, 2002 2:03 AM
 To: debian-security@lists.debian.org
 Subject: Re: Didn't we have that whole spam discussion last week?
 
 
 On Thu, 18 Jul 2002 at 12:39:20PM +0200, 
 [EMAIL PROTECTED] wrote:
  I think it's about time for a 
 [EMAIL PROTECTED]
  
  At the moment the topic is discussed on several lists at 
 the same time.
  
  :) Joost.
  
 Perhaps a [EMAIL PROTECTED]  This group should probably 
 include someone from listmaster.  If the current listmasters 
 do not want to take this on then I could volunteer...ideas?
 
 -- 
 Phil
 
 PGP/GPG Key:
 http://www.zionlth.org/~plhofmei/
 wget -O - http://www.zionlth.org/~plhofmei/ | gpg --import
 
 
 





RE: You've Been Removed!

2002-07-17 Thread Howland, Curtis
Whoever did this, thank you.

Curt-

 -Original Message-
 From: Italyminutes [mailto:[EMAIL PROTECTED]
 Sent: Thursday, July 18, 2002 06:02
 To: debian-security@lists.debian.org
 Subject: You've Been Removed!
 
 
 This message is to confirm the removal of your
 email address: debian-security@lists.debian.org from the 
 Italyminutes
 Subscribe Me mailing list.
 
 We're sorry to see you go!
 
 If you feel you have received this notice in error,
 please visit the Italyminutes
 Subscribe Me mailing list
 at our website: 
 
 http://www.bluebanner.net
 to add yourself automatically, or click on the link
 below to automatically re-subscribe yourself:
 
 http://www.bluebanner.net/cgi-lib/admail/s.cgi?a=1l=9e=debian-security=:lists.debian.org

Thank you,

Italyminutes





RE: Good Day

2002-07-02 Thread Howland, Curtis
 What bothers me in all of this is that Debian lists are 
 managed so poorly
 to let this happen.

The Debian lists are deliberately not subscriber only may post on the theory 
that it's better to press DEL than to prevent someone from posting.

However, subscriber only is a simple config option in Majordomo, and 
something I politely suggested several months (years?) ago. That is when I was 
told of the above policy.

Mayhaps some more politely worded requests to the listmaster are in order.

Curt-




RE: Good Day

2002-07-02 Thread Howland, Curtis
If I remember correctly, doesn't that require sendmail?

As for bounce, while Kmail has that feature it does require a real reply-to 
address. For the vast majority of spam, the reply-to is deliberately obfuscated.

 apt-get install spamassassin
 
 It trapped that one for me as well as 99% of the spam I receive.
 
 Bob

Curt-





RE: Good Day

2002-07-01 Thread Howland, Curtis
Unlike most spam, this one has actually resulted in some arrests.
Well, not this one specifically, it's been going on for a while with
multiple different people/groups attempting the Spanish Prisoner con
game.

Thanks for the email address for the Fed.Gov investigation.

Curt-

  If anyone wonders what that mail was, read here: 
  http://www.snopes.com/inboxer/scams/nigeria.htm
 
 And forward it to [EMAIL PROTECTED], with full headers intact, of
 course.  The U.S. government, it seems, cares to hear about 
 this, since
 it seems that quite a few people actually fall for it.
 
 noah





RE: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Howland, Curtis
I noticed the same thing when doing the 3.3 thing two days ago that I commented 
on on this list.

The security server is in my apt.sources list, but when I executed apt-get 
upgrade, it said 0 new, 0 to be removed, 1 package(s) not updated.

Dselect showed the ssh package as ready to be updated, and when I selected 
install and update from the dselect menu it did the work without argument.

Maybe, since it was a major upgrade at the time (not just 3.3 to 3.4 for 
example), was there a cue in the package file not to perform the upgrade unless 
it was being done in an interactive mode? Certainly it did take substantial 
interaction to get it right, and that is one reason I do not put apt-get 
update in any kind of script.

Curt-

 -Original Message-
 From: Tom Dominico [mailto:[EMAIL PROTECTED]
 Sent: Friday, June 28, 2002 08:29
 To: debian-security@lists.debian.org
 Subject: RE: Ssh not upgraded when doing apt-get upgrade?
 
 
 Thanks for all the rapid replies folks, apparently I was 
 mixed up there.
 Adding the security line for testing did the trick.
 
 Tom





RE: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Howland, Curtis
Not security updates as such, but since the software has been changed,
doesn't testing have its package replaced with the new version?

I can't imagine that a known hole would be deliberately left in a
package when an update has already been compiled. This is testing, not
Hamm.

 Testing doesn't get security updates, so when the next testing comes
 along, its directory on security.debian.org, if it exists at all, will
 be empty.
 
 The only reason woody is getting security updates now is that it's so
 close to release this provides a good opportunity to give the 
 new build
 infrastructure a shake-down.
 
 noah





RE: Problem with ssh

2002-06-27 Thread Howland, Curtis
First question:

Has it worked before now?

Second question:

What did you change between then and now?

Curt-

 Dear All,
 
 I have a problem with my ssh, when i try to connect to our 
 server using
 ssh have an error like this :
 
 ssh -l [EMAIL PROTECTED]
 2f65 7463 2f73 7368
 Disconnecting: Bad packet length 795178083.
 
 
 What's Wrong with my server or my ssh client. And how to solve them.
 
 
  Thanks
 
 Ryansimon Aku





RE: PermitRootLogin enabled by default

2002-06-26 Thread Howland, Curtis
Alvin,

If the cracker can get in as a user, it's merely a matter of time before they 
can worm their way into becoming root. Defenses against this are difficult, the 
NSA version SELinux deliberately places great restrictions on user abilities 
to try to prevent just such things. But I don't think there is any certain way 
to prevent a user from gaining root access if they are capable and determined.

Layered defenses are best, of course. Network firewall (or packet filtering), 
restricted service offering (no fingerd, no telnetd, etc), then strong 
authentication for login, then restricted access to root.

Like you, I do not prefer to allow direct root logins so that an attacker must 
overcome each barrier in turn.

One of my favorite features of Debian is being able to go through the packages 
at install time and un-select such things as fingerd and telnetd, so that the 
services never exist on the server.

Curt-

 From: Alvin Oga [mailto:[EMAIL PROTECTED]

 hi all
 
 if an attacker got in ... as a user  game over... they got in ???
   - question is what damage can they do as user ...
 
 if an attacker get in the same way as root...  game is really over...
 as they now have complete control of your machine..
   - i prefer to disallow root logins... 
 
 ( assumption in the above is that they can get in thru an existing
 ( vulnerability .. either as root or a user ..
  
 -- patch the original vulnerability  fix it first ...
   worry about the follow-me around folks later ...
   ( like those in the van outside your home/office listening
   ( to the wireless connections...
 
 c ya
 alvin





RE: DSA 131: Apache Vulnerability

2002-06-21 Thread Howland, Curtis

I like both. The server gets stable, but a firewall or at least firewall 
rules on the public interface.

Preferably dual interface, one inside on private IP, one public, and no 
packet forwarding.

And I couldn't agree more about the remarkable efforts of the Debian team 
members.

Curt-

 On Thu, Jun 20, 2002 at 07:49:08PM -0400, Arthur H. Johnson II wrote:
  
  I have two relative policies:
  
  1. Always use a firewall to filter out everything but what 
 is absolutely
  necessary, ie web, email, etc.
  
  2. Always build stuff filtered to the internet from source 
 that way when a
  vulnerability is released, you can update it rather 
 quickly, no matter
  what the distro you are running is.
 
 
 Or...you could just run stable.  I have always been impressed 
 by Wichert, Michael, and company's response time and I applaud them.
 
 
 Phil 





RE: Quality of security assurance with Debian vs. RedHat vs. SuSE

2002-06-12 Thread Howland, Curtis
  Debian was the first Linux I installed, from floppies, in 1986.
 
 Do you mean 1996?

Ah, yep. Brain fart. Thanks for noticing.

 I have personally used Linux since 1994, version 0.99pl14, the SLS 
 distribution.

Neat. In 1995, a network engineer and systems admin associate of mine said, "I 
have found an operating system with the best support of anything I've used, and 
it's free. Linux." And this from a guy whose personal web page is still running 
on Solaris.

 BTW, when was the first Debian GNU/Linux launched? Just for 
 information. :)

Dunno... Maybe there's a "who is us" text on the Debian site.

Curt-

RE: Quality of security assurance with Debian vs. RedHat vs. SuSE

2002-06-11 Thread Howland, Curtis
 On Tue 11 Jun 2002 19:54, Noah L. Meyerhans wrote:
  There is a lot of collaboration between the respective security
  teams for the major Linux distributions.  As a result of this,
  they all tend to release necessary security updates at the same
  time.  Known security updates are rarely, if ever, left unfixed
  by a distribution vendor.  Knowledge of a security vulnerability
  is never kept from another distribution vendor.  As a result of
  all this, the relative security of the different distributions
  is very similar.

 From: Jeff Bonner [mailto:[EMAIL PROTECTED]
 Well put.  From my understanding of how things work, I assumed as
 much, but I wasn't confident enough to write that all out.  ;)

They (we?) all use many of the same primary sources. The Kernel, Bind, Apache, 
OpenSSH, Xfree, gcc, zlib, etc. When a fix to a primary source is made by the 
people who write that source, the distributions major work is testing, then to 
package it and make it available to the user base. On second thought, RedHat 
does do some special customization of gcc, or so I've heard...

This is very granular. There is no reason for a distributor not to include a 
fix, and the wide variety of testing from multiple different distributors gives 
great feedback to the primary sources. I wouldn't be surprised to learn that 
there are lots of oops style bugs discovered, fed back and fixed, long before 
the public sees an updated package in any of the distributions.

This is the Bazaar. RedHat packagers have a different set of preconceptions and 
assumptions from Debian packagers, and from Slackware packagers, et al.

There is also no embarrassment. There may be a self-preservation reflex in a 
closed-source producer to deny a fault and slow a fix, because it's their own 
fault. Linux distributors are lauded when they release a fix quickly.

  The one advantage that I think Debian has is that apt-get makes it
  so easy to keep up to date on packages.

 I couldn't have said it better myself.  Apt is the number one reason
 I went with Debian:  ease of updates.

My number one reason was the collaborative nature of the Debian effort. Debian 
was the first Linux I installed, from floppies, in 1986. When I later 
discovered how broken package management in other distributions is compared 
to Debian, it was like sneaking a peek out through the gate of the Garden of 
Eden. There may be some installation snakes, but the desert outside is far 
harder to survive in.

Curt-





RE: beach towel

2002-05-15 Thread Howland, Curtis

Hoopy Froods always know where their towel is.

 Could be handy I spose if a server caught on fire, could 
 throw a couple 
 of towels on top to smother the fire :)
 
 Nathan
 
 On Wednesday, May 15, 2002, at 06:01 PM, Peter Obermeier wrote:
 
  Hi all,
 
  it is a very curious form of security, isn't it?
 
  linda wrote:
 
  Dear Sirs:
   We know your esteemed company in beach towels from Internet, and 
  pleased to introduce us as a leading producer of high quality 100% 
  cotton velour printed towels in China, we sincerely hope 
 to establish 
  a long-term business relationship with your esteemed 
 company in this 
  field.
 
  Our major items are 100% cotton full printed velour towels of the 
  following sizes and weights with an annual production 
 capacity of one 
  million dozens:
 
  Disney Standard:
  30X60 inches, weight  305grams/SM, 350gram/PC
  40X70 inches, weight  305grams/SM, 550gram/PC
 
  Please refer to our website 
 http://www.jacquard-towel.com/index.html 
  for more details ie patterns about our products.
  Once you are interested in our products, we will give you a more 
  favorable price.
 
  Looking forward to hearing from you soon
 
  Thanks and best regards,
  Linda
  Henan Ziyang Textiles
  http:/www.jacquard-towel.com
 
 
  --
  Kind regards
 
  i.A. Peter Obermeier
  -Engineering-
 
  TelemaxX Telekommunikation GmbH
  Amalienstraße 81
  76133 Karlsruhe
 
  Phone: +49 721 130 88 36
  Fax: +49 721 130 88 77
  www.telemaxx.de
  [EMAIL PROTECTED]
 
 
 




RE: restricting outbound access?

2002-05-15 Thread Howland, Curtis
How about group access privileges on the offending executables?

Seems to me to be the natural method of restricting access to stuff.

Curt-

 I have a question.  Is there any way to restrict outbound 
 access for all but 
 a few users?  I know with iptables you can block outbound 
 traffic completely 
 but that wont work in my situation.  There are about 150 
 users of my server 
 and only 3 of them need outbound access so I am kind of in a sticky 
 situation.  Any help would be greatly appreciated.
 
 Thanks in advance
 
 Steve Meyer





RE: Why is there a prompt for a root shell when the default linuxkernel boots?

2002-04-30 Thread Howland, Curtis
Where might one find documentation on this bf2.4 kernel? 

 Javier Fernández-Sanguino Peña wrote:
  Now that I think of it this might be an issue with 
 self-installed
  kernels. I'm going to document this behavior in the Manual, 
 commit the
  changes and close the bug. Of course, woody does *not* 
 install 2.4 kernels
  IIRC.
 
 The default install does not, but the bf2.4 flavor does. Please take
 a look at the  dists/woody/main/disks-i386/current  directory in the
 Debian archives.
 
 



RE: connection refuse by tcp_wrapper

2002-04-24 Thread Howland, Curtis
I know this may sound like a silly question, but did it work before you applied the 
TCP wrappers? 

If you remove the all:all from hosts.deny, does it work?

It's been a while since I last set up wrappers, but in all other systems I make sure 
it works first, then apply changes one by one and test them. That way I know under 
what conditions it still worked.

Curt-

 Dear all,
 
 I am a beginner in linux os,
 
 I try to configure tcp_wrapper in myconfiguration like this :
 
 hosts.deny
 ALL : ALL
 
 hosts.allow
 ALL : 192.168.1.10
 ALL : 192.168.1.11
 
 but when i try to connect from 192.168.1.10 and 11 my server 
 is always
 give a message :
 ssh_exchange_identification: Connection closed by remote host
 
 What is the problem with my tcp_wrapper ? anyone can help ?
 
 
 Thank all,
 
 Akoe Rymond
 
 
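A way to reason about Akoe's two files before touching the live host, as an added example that is not code from this thread or from the tcp_wrappers package: a small Python model of the hosts_access(5) decision order, fed constructed copies of the posted hosts.allow and hosts.deny. It handles ALL, exact IPv4 addresses, trailing-dot prefixes, net/mask patterns and EXCEPT; hostnames, LOCAL/KNOWN/PARANOID and the shell-command field are assumed out of scope.

```python
import ipaddress

# Constructed copies of the two files from Akoe's post; this is an added
# illustration, not code from the thread or from the tcp_wrappers package.
HOSTS_ALLOW = "ALL : 192.168.1.10\nALL : 192.168.1.11\n"
HOSTS_DENY = "ALL : ALL\n"


def _items(field):
    """Split a daemon or client list on blanks and commas, as hosts_access(5) does."""
    return field.replace(",", " ").split()


def _match_list(field, value, matcher):
    """Evaluate 'list EXCEPT list'; a EXCEPT b EXCEPT c parses as a EXCEPT (b EXCEPT c)."""
    head, sep, rest = field.partition(" EXCEPT ")
    hit = any(matcher(pat, value) for pat in _items(head))
    if sep:
        return hit and not _match_list(rest, value, matcher)
    return hit


def _daemon_match(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _client_match(pattern, client):
    """IPv4 client patterns only: ALL, an exact address, a 'net.' prefix such as
    192.168.1., or net/mask such as 192.168.1.0/255.255.255.0."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client.startswith(pattern)
    if "/" in pattern:
        return ipaddress.IPv4Address(client) in ipaddress.IPv4Network(pattern, strict=False)
    return pattern == client


def _rules(text):
    """Yield (daemon_list, client_list) per non-comment line; a third field
    (shell commands such as spawn or twist) is ignored by this model."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError("malformed hosts_access line: %r" % raw)
        yield parts[0], parts[1]


def _file_matches(text, daemon, client):
    """First matching line in one file wins, exactly as tcpd scans it."""
    return any(
        _match_list(d, daemon, _daemon_match) and _match_list(c, client, _client_match)
        for d, c in _rules(text)
    )


def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd's order: a hosts.allow match grants, otherwise a hosts.deny match
    refuses, otherwise the connection is granted. True means accepted."""
    if _file_matches(allow, daemon, client):
        return True
    if _file_matches(deny, daemon, client):
        return False
    return True


def walk_through(daemon="sshd", client="192.168.1.10"):
    """Curt's method: start with no rules, add one file at a time, retest."""
    return {
        "no rules at all": hosts_access(daemon, client, "", ""),
        "hosts.allow only": hosts_access(daemon, client, HOSTS_ALLOW, ""),
        "allow plus deny ALL : ALL": hosts_access(daemon, client, HOSTS_ALLOW, HOSTS_DENY),
        "unlisted 192.168.1.12": hosts_access(daemon, "192.168.1.12", HOSTS_ALLOW, HOSTS_DENY),
    }


if __name__ == "__main__":
    for stage, accepted in walk_through().items():
        print("%-28s %s" % (stage, "accepted" if accepted else "refused"))
```

Under this model the posted rules accept sshd from 192.168.1.10 and .11 and refuse every other client, so the next things to check lie outside these two files. The model cannot see reverse-DNS results or whether the daemon is linked against libwrap at all; tcpdmatch(8) run on the host itself (tcpdmatch sshd 192.168.1.10) reports libwrap's own verdict.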



RE: Lost root password!!

2002-04-23 Thread Howland, Curtis
Stef,

I've noticed during the boot sequence of 2.4.18, after the ramdisk is loaded there is 
a 5 second pause during which time you can get a root shell.

Do you get this opportunity? I realize it asks for a password, but it is one more 
thing to try.

Other than that, using a rescue disk or the install CD as a boot disk is all I can 
think of.

Curt-

  Last night when I attempted to change my root password 
 passwd bunked out on me. It crashed and I received the 
 following message on the console:
...
  Is passwd in Woody broken? How can I fix my broken root 
 password without harming my system? 
 
  Any feedback would be greatly appreciated.
 
  Thanks,
 
  Stef






RE: Guarding against evil software installation scripts?

2002-04-18 Thread Howland, Curtis

 From: Tim Freeman [mailto:[EMAIL PROTECTED]]
...
 But whose reputation?

The package maintainer directly, the Debian project indirectly.

I'm not really talking about individuals, I'm talking about generalities.

On a really secure machine, you're not going to be installing games, or utilities 
willy-nilly anyway. A secure machine will run its own iptables/ipchains filter to 
prevent unauthorized or unknown packets from entering or leaving the system itself, 
and sit behind a firewall or filtering router too. At least.

One of the things I liked about Debian from the first time I used it, was the 
granularity of package install. Telnet, fingerd, ftpd, NFS, rsh, etc., have never been 
installed. A service that does not exist cannot be exploited.

 If we could make it so that only some packages need to install as
 root, and the rest are prevented from arbitrarily modifying the
 machine, then the intruder has to arrange to be in the root package
 group to do much harm. This could at least require more social
 interaction and more time than creating ordinary user-mode packages.

I agree, this would be a GoodThing(tm, reg us pat off).

The kinds of segmentation and isolation are addressed quite carefully in Security 
Enhanced Linux (SELinux) that is being developed and released by the American National 
Security Agency. Their white papers discuss the details, and for a machine you must 
leave accessible from the outside world, but must also secure to such a degree, it 
might be worth the trouble.

http://www.nsa.gov/selinux/

As I've said for many years, "Security Is Inconvenient." Your level of security truly 
depends on how much effort you're willing to expend. Running as root is very 
convenient indeed.

 I don't know the required size of the developer group before you can
 expect to have a patient evil person in the group.  Apparently we
 aren't there yet, and that's a good thing.

Such evil tends to be self limiting. When(if) discovered, the individual's ability to 
continue to perpetrate evil is decreased. In a situation like Linux, where no one 
individual has complete control over anything, or the ability to use force, such evil 
would be very short lived. People would simply use something else.

In a closed source system, a back-door can be put in easily. If it's carefully and 
deliberately placed, it could well go undiscovered. A login program with a hard-coded 
username, for instance. Something like that wouldn't withstand any level of 
examination of the source.

OpenSource lends itself to being secure against the most likely threats: well known 
exploits by script kiddies. OpenSource systems are updated more rapidly, and with far 
more granularity than closed systems. The results of Honey pot projects are 
fascinating reading. Hint: Never leave a system in its "default" configuration.

There is a great deal to be learned on both sides, by comparing physical and data 
security models. The data model, for instance, has to deal with the fact that an 
attack is not just "likely", it's inevitable. The likelihood of any particular exploit 
being attempted depends on how well known it is, and how long it's been around.

It is common practice in physical security to identify what level of attack is 
expected, and then engineer for it. There is a point for most people at which it is 
more cost effective to carry insurance against something that is massively 
destructive, but very unlikely. Like a meteor strike, or airplane crash. 

Argumentum ad absurdum, security at American airbases in the middle east is designed 
around attack by, "a motivated, well organized, well supplied and capable group."

Physical security is still breached often by "the oldest trick in the book" such as 
someone carrying a clipboard and wearing a lab coat who "tailgates" into a secure area 
by looking like everyone else.

And as SirCam shows, such socially engineered viruses work on computers too.

Oh heck, I'm rambling. Three times in three days, will the Debian Security list ever 
forgive me?

Curt-




RE: Guarding against evil software installation scripts?

2002-04-18 Thread Howland, Curtis

 I don't see a clear path to doing this the right way, where chaos is
 prevented by something more substantial than a social convention.  
 
 I have to admit that the social convention is working very well at the
 moment, though.
  -- 
 Tim Freeman   
 [EMAIL PROTECTED]

At some point you have to trust. Unless you're ready to read every line of 
code, every script, yourself every time you install anything, trust is explicit.

I trust binary .deb's from the Debian archives and x.debian.org mirrors. I 
trust .deb's and .rpm's when I get them from sources pointed to by their 
creators. I really like PGP, GPG, MD5 and other signatures on/with binary 
packages, at least it gives me a clearer false sense of security.

At a stretch, I'll even run a game demo or some such binary as myself which I 
pull down from somewhere that looks like fun.

Yes, the social convention is working very well indeed. A single source build 
that many people use (ftp.debian.org, ftp.kde.org, etc) also means that if 
anyone finds a problem in it and does something about it, they do me good too 
by making the next apt-get upgrade more than just exercise for my modem.

Reputation counts. I'm sure that if a maintainer was discovered to have 
uploaded code with such things in it, that maintainer would lose coolness 
points galore.

Darn, second ramble in two days. Your pardon.

Curt-





RE: Guarding against evil software installation scripts?

2002-04-18 Thread Howland, Curtis

 From: Tim Freeman [mailto:[EMAIL PROTECTED]
...
 But whose reputation?

The package maintainer directly, the Debian project indirectly.

I'm not really talking about individuals, I'm talking about generalities.

On a really secure machine, you're not going to be installing games, or 
utilities willy-nilly anyway. A secure machine will run its own 
iptables/ipchains filter to prevent unauthorized or unknown packets from 
entering or leaving the system itself, and sit behind a firewall or filtering 
router too. At least.

One of the things I liked about Debian from the first time I used it, was the 
granularity of package install. Telnet, fingerd, ftpd, NFS, rsh, etc., have 
never been installed. A service that does not exist cannot be exploited.

 If we could make it so that only some packages need to install as
 root, and the rest are prevented from arbitrarily modifying the
 machine, then the intruder has to arrange to be in the root package
 group to do much harm. This could at least require more social
 interaction and more time than creating ordinary user-mode packages.

I agree, this would be a GoodThing(tm, reg us pat off).

The kinds of segmentation and isolation are addressed quite carefully in 
Security Enhanced Linux (SELinux) that is being developed and released by the 
American National Security Agency. Their white papers discuss the details, and 
for a machine you must leave accessible from the outside world, but must also 
secure to such a degree, it might be worth the trouble.

http://www.nsa.gov/selinux/

As I've said for many years, Security Is Inconvenient. Your level of security 
truly depends on how much effort you're willing to expend. Running as root is 
very convenient indeed.

 I don't know the required size of the developer group before you can
 expect to have a patient evil person in the group.  Apparently we
 aren't there yet, and that's a good thing.

Such evil tends to be self-limiting. When (if) discovered, the individual's 
ability to continue to perpetrate evil is decreased. In a situation like Linux, 
where no one individual has complete control over anything, or the ability to 
use force, such evil would be very short-lived. People would simply use 
something else.

In a closed source system, a back-door can be put in easily. If it's carefully 
and deliberately placed, it could well go undiscovered. A login program with a 
hard-coded username, for instance. Something like that wouldn't withstand any 
level of examination of the source.

OpenSource lends itself to being secure against the most likely threats: well 
known exploits by script kiddies. OpenSource systems are updated more rapidly, 
and with far more granularity than closed systems. The results of honeypot 
projects are fascinating reading. Hint: Never leave a system in its default 
configuration.

There is a great deal to be learned on both sides, by comparing physical and 
data security models. The data model, for instance, has to deal with the fact 
that an attack is not just likely, it's inevitable. The likelihood of any 
particular exploit being attempted depends on how well known it is, and how 
long it's been around.

It is common practice in physical security to identify what level of attack is 
expected, and then engineer for it. There is a point for most people at which 
it is more cost effective to carry insurance against something that is 
massively destructive, but very unlikely. Like a meteor strike, or airplane 
crash. 

Argumentum ad absurdum, security at American airbases in the middle east is 
designed around attack by a motivated, well organized, well supplied and 
capable group.

Physical security is still breached often by the oldest trick in the book, 
such as someone carrying a clipboard and wearing a lab coat who tailgates 
into a secure area by looking like everyone else.

And as SirCam shows, such socially engineered viruses work on computers too.

Oh heck, I'm rambling. Three times in three days, will the Debian Security list 
ever forgive me?

Curt-





Offtopic RE: About user monitoring

2002-04-17 Thread Howland, Curtis
 Nathan Norman - Micromuse Ltd.  mailto:[EMAIL PROTECTED]
 Gil-galad was an Elven-king.|  The Fellowship
 Of him the harpers sadly sing:  |of
 the last whose realm was fair and free  | the Ring
 between the Mountains and the Sea.  |  J.R.R. Tolkien

A king of Elves there was of old,
Saranwrap by name,
who slew the Narcs at Mellowmarsh
and Soreheads Host did tame

With him marched the stubby Dwarfs
drafted from their mines,
but when the fearsome battle raged
they hid behind the lines.

Sing: Clearasil, Metrical, Lavoris in Choris, they hid behind the lines.

 -Bored of the Rings, Harvard Lampoon.

--

Your pardon, all, it brought back such beautiful memories... I can also
recommend their Doon if you can find a copy. Doon. Dessert planet. A
world almost entirely devoid of entrées.

Curt-









RE: on potato's proftpd

2002-04-02 Thread Howland, Curtis

I would bet that the vast majority of flame wars begin because someone mistakes 
terse or concise for hostility.

The reverse, being the endless spewing of meaningless words, all the while saying 
nothing at all or even the opposite of what it sounds like, is the art of politicians 
and diplomats.

I'll take a flame war any day, when compared to the alternative.

Curt-

 they really weren't intended to be flames. i am sorry if they felt
 that way. i am really just trying to be concise since i don't have
 much more to say than i did.
 
 -- 
 martin;  (greetings from the heart of the sun.)
   \ echo mailto: !#^.*|tr * mailto:; net@madduck









RE: failed ssh breakins on my exposed www box ..

2002-03-26 Thread Howland, Curtis

I'm impressed. Even here in Tokyo, where a cop on every street corner is not just an 
Orwellian slur, the only people who get that kind of service are the ones who directly 
pay their salaries.

Seriously, the only person you can rely on is you. You're the one on the scene, be it 
a mugging or a cracking. If you don't defend yourself, your property or your data, no 
one else will.

Going to court is a difficult process. As England is learning right now, so long as 
the attacker thinks you cannot endanger them they will continue their attacks and even 
escalate. Script kiddies are no different, they are emboldened by their successes.

So unless someone actively hurts these malicious crackers, it's only going to get 
worse. We need to make sure that when someone gives us enough evidence to prove 
their guilt, that they get prosecuted. No, I don't know enough to gather that 
evidence, but I know there are people who can and do.

I saw a really funny site (linked from Slashdot, no idea how to find it now) where a 
spammer was white-hat hacked. This guy posted the spammer's names, addresses, telephone 
numbers, advertising solicitation materials, photographs... who knows if it didn't 
increase their business? Exposure is exposure, after all.

Curt-

 From: Gary MacDougall [mailto:[EMAIL PROTECTED]]
...
 Agreed.
 
 I'll never understand why people will let crackers reap havoc
 on a network without issue, but if someone comes up and tries
 to break into my house, the police will be there in 2 seconds.
 
 g.
 









RE: weird connection attempt

2002-03-14 Thread Howland, Curtis
Many ISPs do not know enough to filter the RFC1918 space, or only do so on the border 
routers and not internally.

Another good idea is to filter out-going packets by source address, allowing through 
only those whose source is supposed to be inside the network.

Anything with a source address which is RFC1918 is suspect.

 I run a potato server on an ethernet behind a firewall 
 connected by dsl to the internet.  The only service exposed 
 is ftp.  In the middle of last night ippl reported an ftp 
 connection attempt from 192.168.1.1.  The network behind my 
 firewall uses 192.168.75.xx addresses for one Redhat and a 
 couple of Windows machines as well as the debian ftp server.  
 Any idea where the 192.168.1.1 attempt is coming from?  Is it 
 likely to have been spoofed over the internet as part of an attack?
 
 -- 
 --- Hal   [EMAIL PROTECTED] ---
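
As an added example (not code from the thread), the two filters Curt describes above, applied as a classifier over constructed ippl-style log lines: drop RFC1918 sources arriving from outside, and let only inside addresses leave. The interface names ppp0/eth0, the simplified log format and the 192.168.75.0/24 LAN taken from Hal's description are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# RFC1918 private ranges: nothing with one of these as source should arrive from the Internet.
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Policy:
    external_if: str               # interface facing the ISP (name is an assumption)
    internal_if: str               # interface facing the LAN (name is an assumption)
    inside: ipaddress.IPv4Network  # the address range legitimately used on the LAN


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(policy: Policy, iface: str, src: str) -> Tuple[str, str]:
    """Verdict for a packet arriving on `iface` with source address `src`.

    Arriving on the external interface is ingress traffic; arriving on the
    internal interface is traffic a LAN host wants to send out (egress).
    """
    ip = ipaddress.ip_address(src)
    if iface == policy.external_if:
        if ip in policy.inside:
            return "DROP", "our own LAN range arriving from outside: spoofed"
        if is_rfc1918(src):
            return "DROP", "RFC1918 source on the external interface: spoofed, or leaked by an upstream that does not filter"
        return "ACCEPT", "public source on the external interface"
    if iface == policy.internal_if:
        if ip not in policy.inside:
            return "DROP", "source is not an inside address: spoofed or misconfigured LAN host"
        return "ACCEPT", "inside source leaving the network"
    return "DROP", f"packet on unexpected interface {iface}"


# Constructed, simplified ippl-like lines (not ippl's real format): "... connection attempt from SRC on IFACE"
LOG_RE = re.compile(r"connection attempt from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) on (?P<iface>\S+)")


def triage(policy: Policy, lines: List[str]) -> List[Tuple[str, str, str]]:
    """(src, iface, reason) for every logged attempt the policy would have dropped."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        verdict, reason = classify(policy, m["iface"], m["src"])
        if verdict == "DROP":
            flagged.append((m["src"], m["iface"], reason))
    return flagged


def iptables_rules(policy: Policy) -> List[str]:
    """The same two controls written as iptables rules for a 2.4 kernel (strings only; not run here)."""
    rules = [f"iptables -A INPUT -i {policy.external_if} -s {net} -j DROP" for net in RFC1918]
    rules += [f"iptables -A FORWARD -i {policy.external_if} -s {net} -j DROP" for net in RFC1918]
    # Egress: only packets whose source really is inside may leave the LAN.
    rules.append(f"iptables -A FORWARD -i {policy.internal_if} ! -s {policy.inside} -j DROP")
    return rules


POLICY = Policy("ppp0", "eth0", ipaddress.ip_network("192.168.75.0/24"))

SAMPLE_LOG = [  # constructed for this example
    "Mar 14 02:13:45 gw ippl: ftp connection attempt from 192.168.1.1 on ppp0",
    "Mar 14 02:14:02 gw ippl: ftp connection attempt from 203.0.113.7 on ppp0",
    "Mar 14 02:15:10 gw ippl: ftp connection attempt from 192.168.75.12 on eth0",
    "Mar 14 02:16:33 gw ippl: ftp connection attempt from 10.0.0.5 on eth0",
    "Mar 14 02:17:00 gw ippl: ftp connection attempt from 192.168.75.99 on ppp0",
    "Mar 14 02:17:30 gw ippl: unrelated log line without an address",
]

if __name__ == "__main__":
    for src, iface, reason in triage(POLICY, SAMPLE_LOG):
        print(f"{src:15} {iface:5} {reason}")
    print("\n".join(iptables_rules(POLICY)))
```

Hal's 192.168.1.1 is flagged even though it is private, because it is neither a public address nor one of his own LAN addresses; the filter does not care whether the upstream ISP leaked it or someone spoofed it.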







RE: dpkg-buildpackage (-rfakeroot) leaves setuid binaries

2002-01-21 Thread Howland, Curtis

For the non-mathematical, or rather grammatical, style to say it, I use the phrase:

Security is Inconvenient.

The first time I say it to someone, they usually pause for a moment, digest it, and it 
really helps in further discussions about what to do about

It's my answer, for instance, when someone notices just how much I type to open an SSH 
session. Wow, that's a long password. Yep, security is inconvenient. Sometimes 
this leads to *their* inquiring as to what it buys, and leads to another informed user 
who doesn't feel pressured.

It isn't just UNIX, have you ever looked at how every openable thing on a Caterpillar 
earth-moving machine has a way to padlock it closed? One key for simple operation, 
another key for routine engine maintenance, maybe a pass-key (su) for the shop foreman, 
etc... 

Curt-

 -Original Message-
 From: martin f krafft [mailto:[EMAIL PROTECTED]]
...
 yes, that's UNIX life. convenience ~ security^-1,
 
 where operator~ here is proportional
 
 -- 
 martin;  (greetings from the heart of the sun.)
   \ echo mailto: !#^.*|tr * mailto:; net@madduck
   
 i have the power to channel my imagination
 into ever-soaring levels of suspicion and paranoia.
 






RE: IPTABLES

2002-01-09 Thread Howland, Curtis
Oh bloody hell, I thought it might be. Trouble is, every time I look for it I 
can't find it one way or the other. This time I'm going to write it down.

Curt-

 -Original Message-
 From: Jussi Tawaststjerna [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, January 09, 2002 16:16
 To: Howland, Curtis
 Cc: [EMAIL PROTECTED]; Debian-Security
 Subject: RE: IPTABLES
 
 
 Just the other way around, 2.2.x == ipchains, 2.4.x == iptables.
 
 Craig, just look at your kernel, and make sure every 
 netfilter/iptables
 module is compiled/listed, and then look at your 
 /lib/modules/2.4.12/ and
 make sure everything modprobes or insmods (if they haven't already) ..
 
 On Wed, 9 Jan 2002, Howland, Curtis wrote:
 
  Please flame me if I have this backwards, but I believe 
 ip_tables only works under 2.2.x and earlier kernels, and the 
 2.4.x kernel introduced ip_chains and is incompatible with ip_tables.
 
  You have to use the right one, even though the 
 package/module for both shows up (at least in Woody) and 
 loads, but if you're using the 2.4 kernel the earlier stuff 
 just "fails" like you're describing.
 
  http://www.linux.org/docs/ldp/howto/Firewall-HOWTO-8.html
 
  Curt-
 
   -Original Message-
   From: Craigsc [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, January 09, 2002 16:09
   To: Debian-Security
   Subject: IPTABLES
  
  
   Hi Fellows
  
   I am having a problem with getting iptables working with
   kernel 2.4.12. Getting the following error message:
  
   Can't locate module ip_tables iptables v1.2.4: can't
   initialize iptables
   table
   `nat': Table does not exist (do you need to insmod?)
  
   Perhaps I'm missing a module ?
  
   Any help would be appreciated :)
  
   Kind regards
   Craig
  
  
  
  
  
 
 
 
 
 
  Jussi Tawaststjerna
 [EMAIL PROTECTED]
  Senior Support Engineer (NOC)  Annankatu 44 00100 Helsinki
  Jippii Group Oyj  Phone +358 9 4243 0662
 
 



RE: IPTABLES

2002-01-08 Thread Howland, Curtis

Please flame me if I have this backwards, but I believe ip_tables only works under 
2.2.x and earlier kernels, and the 2.4.x kernel introduced ip_chains and is 
incompatible with ip_tables.

You have to use the right one, even though the package/module for both shows up (at 
least in Woody) and loads, but if you're using the 2.4 kernel the earlier stuff just 
"fails" like you're describing.

http://www.linux.org/docs/ldp/howto/Firewall-HOWTO-8.html

Curt-

 -Original Message-
 From: Craigsc [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, January 09, 2002 16:09
 To: Debian-Security
 Subject: IPTABLES
 
 
 Hi Fellows
 
 I am having a problem with getting iptables working with
 kernel 2.4.12. Getting the following error message:
 
 Can't locate module ip_tables iptables v1.2.4: can't 
 initialize iptables
 table
 `nat': Table does not exist (do you need to insmod?)
 
 Perhaps I'm missing a module ?
 
 Any help would be appreciated :)
 
 Kind regards
 Craig
 
 
 
 
 








RE: Secure 2.4.x kernel

2001-12-27 Thread Howland, Curtis

 -Original Message-
 From: Gary MacDougall 
 soapbox
 I'm going to get flamed like hell for this, but I think the general
 attitude of people that consider themselves Linux Security 
 Gurus sucks!
 If you've ever visited #linux on IRC or talked with people in 
 a chat room
 about Linux (in general) it's amazing the amount of venom these Linux
 Pundits have towards people that are newbies.

One of the reasons that I prefer Debian-security and Debian-user, and maybe the rest 
of the Debian lists too, is their generally very high signal to noise ratio.

For all its faults, slashdot also demonstrates the benefits of moderation.

 interesting opinions (ammunition) about apt-get vs. rpm (My 
 reasoning was
 security updates are easier etc. etc.)...

My personal fuel for that fire is that there are no dependency problems with apt. Yes, 
it's an oversimplification, however I feel that once someone accustomed to needing 
several iterations with RPMs gets a taste of the "just do it" apt process, they won't 
notice the rare instance when there is a conflict.

My hat's off to the Debian maintainers. I deeply respect their work.

 I guess its a form of geek revenge.

Naa, it's simian posturing. It happens with humans everywhere. I enjoyed watching it 
in Good Will Hunting, and two days ago rented Finding Forrester (same movie, different 
actors), and sure enough lots of simian posturing. You dare to challenge me in MY 
classroom? etc.

The problem is cultural and social. We've moved away from the teaching traditions that 
channeled such territoriality and aggression in constructive ways. Hormone-addled male 
teens no longer get whupped into shape when they really need it.

I can suggest the writings of Jeff Cooper for a better exploration of the kinds of 
attitudes and processes that are now missing, and R. A. Heinlein for lots of fictional 
explorations of the issue. 

There's some really nasty little flame freaks out there who simply do not understand 
the repercussions of their words, and how they hurt people. They've never been taught 
how to argue with their (recently evolved) brains.

Curt-









RE: Secure 2.4.x kernel

2001-12-25 Thread Howland, Curtis

A major point concerning laws is that they prevent nothing. Laws against murder have 
been around since the idea of laws was invented, yet murder still happens. Sometimes 
in new and spectacular ways.

Individual security, be it physical or logical, must be considered an individual 
responsibility. Each server, each PC, each system must have its own security addressed 
not in a standard legislated pattern, but with the unique attributes of that 
specific system in mind.

At the very least, turning off all services that are not specifically and 
deliberately turned on is the first step.

Curt-

 -Original Message-
 From: Ralf Dreibrodt [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, December 25, 2001 23:07
 To: Gary MacDougall
 Cc: [EMAIL PROTECTED]
 Subject: Re: Secure 2.4.x kernel
 
 
 Hi,
 
 Gary MacDougall wrote:
  
  Hmmm... Mom has a good point.
  
  I think the bottom line is that we'll never have 100% security until
  there are laws that protect the break-in's and hacking that occurs.
  Still laws... not crappy little wrist slapping type laws.
 
 laws can't do anything against unknown people.
 i think there is no way to find a hacker if he really doesn't want to.
 
 btw, with that argumentation you are saying "come on, delete all
 security mailing lists and let us ask for better laws, don't close your
 windows when you are leaving your home, don't close the doors."
 
 and that's the totally wrong way (at least today).
 
 bye
 Ralf









RE: Secure 2.4.x kernel

2001-12-25 Thread Howland, Curtis
Gary,

While I understand your theory, reality is that laws only provide a framework 
for punishment. If their existence in fact did not allow something, such as 
murder, murder would therefore not happen. Murder does in fact happen, just 
like trespass, yet is not ok. If, as you say, people were not allowed to 
break the law, there would be no traffic tickets since such violations would 
not have been allowed to happen.

Your conclusion that I believe an action is ok merely because it is capable 
of happening is in error. What I said was that laws do not prevent action, I 
said nothing about specific actions being ok or not ok.

I will gladly continue this debate offline if you wish, I have a great store of 
source material for the non-initiation of force philosophy which you might find 
interesting.

Curt-

 -Original Message-
 From: Gary MacDougall [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 26, 2001 11:47
 To: Howland, Curtis; Ralf Dreibrodt
 Cc: debian-security@lists.debian.org
 Subject: Re: Secure 2.4.x kernel
 
 
 Actually your point of view basically states that it's ok 
 for anyone to trespass.
 
 In the US, we have laws against such activity. People are 
 *not* allowed to break the law, regardless of how stupid the victim is.
 
 Laws were created to protect. Regardless of the type of 
 crime or injustice.
 
 Just because people are dumb or not as fortunate as other 
 more privy people, doesn't mean that the law should bypass the 
 unfortunate.  The law (at least in the US) were specifically created 
 to protect people in such circumstances.  Why should computer 
 law be any different?
 
 I see your point, do you see mine?
 
 g.
 
 
 
 - Original Message -
 From: Howland, Curtis [EMAIL PROTECTED]
 To: Ralf Dreibrodt [EMAIL PROTECTED]; Gary MacDougall
 [EMAIL PROTECTED]
 Cc: debian-security@lists.debian.org
 Sent: Tuesday, December 25, 2001 7:03 PM
 Subject: RE: Secure 2.4.x kernel
 
 
 A major point concerning laws is that they prevent nothing. 
 Laws against
 murder have been around since the idea of laws was 
 invented, yet murder
 still happens. Sometimes in new and spectacular ways.
 
 Individual security, be it physical or logical, must be considered an
 individual responsibility. Each server, each PC, each system 
 must have its
 own security addressed not in a standard legislated 
 pattern, but with the
 unique attributes of that specific system in mind.
 
 At the very least, turning off all services that are not 
 specifically and
 deliberately turned on is the first step.
 
 Curt-
 
  -Original Message-
  From: Ralf Dreibrodt [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, December 25, 2001 23:07
  To: Gary MacDougall
  Cc: debian-security@lists.debian.org
  Subject: Re: Secure 2.4.x kernel
 
 
  Hi,
 
  Gary MacDougall wrote:
  
   Hmmm... Mom has a good point.
  
   I think the bottom line is that we'll never have 100% 
 security until
   there are laws that protect the break-in's and hacking 
 that occurs.
   Still laws... not crappy little wrist slapping type laws.
 
  laws can't do anything against unknown people.
  i think there is no way to find a hacker if he really doesn't want to.
 
  btw, with that argumentation you are saying "come on, delete all
  security mailing lists and let us ask for better laws, don't close your
  windows when you are leaving your home, don't close the doors."
 
  and that's the totally wrong way (at least today).
 
  bye
  Ralf
 
 
 
 
 
 



RE: iptables missing library

2001-12-24 Thread Howland, Curtis
This may seem an obvious question, but have you coordinated that "ipchains" works with 
the 2.2.x kernels, and "iptables" with the 2.4.x kernels?

Woody standard kernel is still 2.2.x.

Curt-

 -Original Message-
 From: Jeff [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, December 25, 2001 12:44
 To: debian security list
 Subject: iptables missing library
 
 
 I've recently discovered the "badflags" capabilities in iptables
 and I'm playing with some rules.  However, when I load the rules,
 I get the following error message:
 
 Try `iptables -h' or 'iptables --help' for more information.
 iptables v1.2.3: Couldn't load target
 `badflags':/lib/iptables/libipt_badflags.so: cannot open shared
 object file: No such file or directory
 
 Indeed, I do not have libipt_badflags.so on my woody system.  I've
 been looking all over to find it, but have had no luck.  I
 checked in the unstable version of iptables, and it's not there
 either.
 
 Can someone point me to where I can find it?
 
 thanks,
 jc
 
 
 -- 
 Jeff Coppock  Systems Engineer
 Diggin' DebianAdmin and User
 
 
 
 




RE: iptables missing library

2001-12-24 Thread Howland, Curtis
This may seem an obvious question, but have you coordinated that ipchains 
works with the 2.2.x kernels, and iptables with the 2.4.x kernels?

Woody standard kernel is still 2.2.x.

Curt-

 -Original Message-
 From: Jeff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 25, 2001 12:44
 To: debian security list
 Subject: iptables missing library
 
 
 I've recently discovered the badflags capabilities in iptables
 and I'm playing with some rules.  However, when I load the rules,
 I get the following error message:
 
 Try `iptables -h' or 'iptables --help' for more information.
 iptables v1.2.3: Couldn't load target
 `badflags':/lib/iptables/libipt_badflags.so: cannot open shared
 object file: No such file or directory
 
 Indeed, I do not have libipt_badflags.so on my woody system.  I've
 been looking all over to find it, but have had no luck.  I
 checked in the unstable version of iptables, and it's not there
 either.
 
 Can someone point me to where I can find it?
 
 thanks,
 jc
 
 
 -- 
 Jeff Coppock  Systems Engineer
 Diggin' DebianAdmin and User
 
 
 -- 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact 
 [EMAIL PROTECTED]
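Nothing in this thread says where the "badflags" target came from, and it is not in the stock woody or unstable iptables packages. The same checks can be written with the --tcp-flags match that ships with iptables 1.2.x, which needs no extra target library. What follows is an added example, not code from the thread or from the iptables project: the chain name, the IPT variable (which defaults to printing the commands instead of running them) and the list of impossible flag combinations are my choices.

```shell
#!/bin/sh
# Added example, not from the thread: drop TCP segments with impossible
# flag combinations using the --tcp-flags match that ships with iptables,
# so no extra target library such as libipt_badflags.so is needed.
# IPT defaults to "echo iptables" so the rules are only printed; run as
# root with IPT=iptables to load them.  The chain name is my choice.
IPT="${IPT:-echo iptables}"

# "<mask> <comp>" pairs as --tcp-flags understands them: look at the
# flags in <mask>; match when exactly the flags in <comp> are set.
badflags_list() {
    cat <<'EOF'
ALL NONE
ALL ALL
ALL FIN,PSH,URG
ALL SYN,FIN,PSH,URG
ALL SYN,RST,ACK,FIN,URG
SYN,FIN SYN,FIN
SYN,RST SYN,RST
FIN,ACK FIN
EOF
}

# Build a BADFLAGS chain with one DROP rule per combination and send all
# TCP traffic through it at the top of INPUT.  DROP rather than REJECT,
# so a scanner probing with these segments gets no reply at all.
# "-N" is allowed to fail when the chain already exists.
badflags_rules() {
    $IPT -N BADFLAGS 2>/dev/null || true
    badflags_list | while read -r mask comp; do
        $IPT -A BADFLAGS -p tcp --tcp-flags "$mask" "$comp" -j DROP
    done
    $IPT -I INPUT 1 -p tcp -j BADFLAGS
}

badflags_rules
```

Run it as root with IPT=iptables to load the chain; "iptables -L BADFLAGS -n" shows the result. Because the rules sit at position 1 of INPUT, they are evaluated before any ACCEPT rule for established connections.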
 
 



Another good thing about apt and dselect

2001-12-19 Thread Howland, Curtis
http://www.cnn.com/2001/TECH/internet/12/17/cert.plug.holes.idg/index.html

Reading this sort of article reminds me of another really good thing
about apt, dselect, and the (forgive me please) Debian Way:

I don't have to be told that there is an SSH security fix in order to
fix it.

Every time I fire up dselect to install a new game, or try out a new
mail client, or just to see where we are at the moment, the latest
available versions, including security fixes, are automatically set for
installation.

I believe this is well worth the "slow release cycle" reputation of
Debian, un-earned in my personal experience.

Thank you, Debian Developers. Your work does not go un-noticed.

Curt-

---
Curt Howland                +81-3-5772-5832
KVH Telecom Japan, Ltd.     IDC Division





RE: Spam?!?

2001-12-17 Thread Howland, Curtis
And plenty of open relay servers, too.

obSec: You do have your SMTP transfer agent configured not to act as a
relay, right?

Curt-

-Original Message-
From: Petro [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 03:09
To: Yooseong Yang
Cc: k l u r t; [EMAIL PROTECTED]
Subject: Re: Spam?!?


On Mon, Dec 17, 2001 at 11:48:13PM +0900, Yooseong Yang wrote:
 can you speak Korean? If so, give them a call or a nasty email for us.
 I am ashamed of this kind of spam as a Korean.
 I sent an email to the hanmail mail administrator about this kind of
 problem. If I get mail back from whoever is concerned, I'll post it
 here.

Don't be ashamed, there are plenty of people in every country with
internet access who are spammers.

-- 
Share and Enjoy. 


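Curt's obSec question, turned into a check. This is an added example, not something posted in the thread: relay_verdict classifies a server's replies to a HELO / MAIL FROM / RCPT TO / QUIT dialogue, and smtp_relay_probe runs that dialogue with nc against a host. The host names, addresses and the two transcripts are placeholders I constructed; the point is that a 2xx reply to a RCPT TO for a domain the server does not host means it will relay for anyone.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal open-relay check.
# relay_verdict reads an SMTP server's replies and exits 0 (open relay)
# only if the reply to RCPT TO is a 2xx code; smtp_relay_probe drives
# the dialogue against a real host with nc.  Addresses are placeholders.

# The reply to RCPT TO is the 4th final reply line: banner, HELO,
# MAIL FROM, RCPT TO.  Continuation lines ("250-...") are skipped.
relay_verdict() {
    grep -v '^[0-9][0-9][0-9]-' | awk '
        NR == 4 { code = substr($1, 1, 1) }
        END { if (code == "2") exit 0; exit 1 }'
}

# Ask the server to carry mail between two domains it does not host.
# Commands are sent without waiting for the greeting; some MTAs drop
# such clients, in which case repeat the dialogue by hand with telnet.
smtp_relay_probe() {
    host=$1
    {
        printf 'HELO probe.example.net\r\n'
        printf 'MAIL FROM:<probe@example.net>\r\n'
        printf 'RCPT TO:<victim@example.org>\r\n'
        printf 'QUIT\r\n'
    } | nc -w 5 "$host" 25 | relay_verdict
}

# Constructed transcripts standing in for two servers, so the
# classifier can be exercised offline.
OPEN_RELAY_TRANSCRIPT='220 mail.example.com ESMTP
250 mail.example.com
250 Ok
250 Ok
221 Bye'

CLOSED_RELAY_TRANSCRIPT='220-mail.example.com ESMTP
220 no relaying here
250 mail.example.com
250 Ok
554 5.7.1 <victim@example.org>: Relay access denied
221 Bye'

# Prints "open" or "closed" for a transcript.
classify() {
    if printf '%s\n' "$1" | relay_verdict; then echo open; else echo closed; fi
}
```

A 2xx at RCPT TO is the strongest signal available from outside; a server can still accept and bounce later, so confirm with a test message to an address you control. The useful part of the check is running it from a host that is not in your own network, since many MTAs relay for "local" addresses by design.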



RE: Apt-get is insecure

2001-12-13 Thread Howland, Curtis
Any PGP/GPG keys used by package maintainers will themselves be signed and
trusted by the Debian official community. What a "secure apt" must do is
alert if the key used is not so trusted, even if it uses the same name
and email address as it "should".

This assumes that the cracker's PGP/GPG key has, somehow, made it onto your
keyring where only your friends and the Debian maintainers ought to be
anyway.

Curt-

-Original Message-
From: Jor-el [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 14, 2001 09:05
To: [EMAIL PROTECTED]
Subject: Re: Apt-get is insecure


On Thu, 13 Dec 2001, Wichert Akkerman wrote:

 
 There is a separate plan for verifying signatures using apt. From
 memory this goes as follows:
 
 * deb packages are installed in the archive
 * the MD5 checksum for each package is listed in the Packages file
 * the MD5 checksum for each Packages file for a release is listed in
   the Release file
 * the archive creates a signature for the Release file that apt can
   verify
 
Hi,

Forgive me if my question is rather naive. I have the following
scenario and am curious to know whether this has already been
addressed:

1.  Mr. Cracker sets up a mirror and claims it is a mirror for Debian
distros.
2.  Mr. Cracker recompiles trojaned packages and recomputes the MD5
checksums for them. These trojaned .debs are placed on the mirror.

How would a person getting .debs from this mirror be able to
protect him/herself from such a situation? Would they have to
exclusively get .debs from the Debian site itself?

Note that if the packages are PGP / GPG signed, the problem is
only a little less acute. Mr. Cracker could sign the package with his /
her key. How would a user know that Mr. Cracker is not in fact the
maintainer?

Regards,
Jor-el


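The chain Wichert outlines, played through against Jor-el's Mr. Cracker. This is an added example built in a scratch directory, not apt's code: the .deb is a text file, Packages carries its MD5, Release carries the MD5 of Packages, and the archive's signature is stood in for by a Release digest the client obtained out of band (in the real design that step is gpg --verify Release.gpg Release against the archive key, which is exactly where Curt's point about a trusted keyring bites). Package and file names are made up.

```shell
#!/bin/sh
# Added example, not apt's code: the Packages -> Release hash chain
# Wichert describes, built in a scratch directory.  The archive's
# signature on Release is stood in for by a digest the client learned
# out of band; in the real design it is gpg --verify Release.gpg Release.
set -u
ARCHIVE=$(mktemp -d)
trap 'rm -rf "$ARCHIVE"' EXIT

md5_of() { md5sum "$1" | awk '{print $1}'; }

# Archive side: publish one package plus the two index files and hand
# the client the trusted Release digest (what the signature vouches for).
build_archive() {
    printf 'honest binary\n' > "$ARCHIVE/foo_1.0_i386.deb"
    printf 'Package: foo\nVersion: 1.0\nFilename: foo_1.0_i386.deb\nMD5sum: %s\n' \
        "$(md5_of "$ARCHIVE/foo_1.0_i386.deb")" > "$ARCHIVE/Packages"
    printf 'MD5Sum:\n %s %s Packages\n' "$(md5_of "$ARCHIVE/Packages")" \
        "$(wc -c < "$ARCHIVE/Packages")" > "$ARCHIVE/Release"
    md5_of "$ARCHIVE/Release"
}

# Client side: walk the chain from the trusted digest down to the .deb.
# 0 = intact, 1 = Release tampered, 2 = Packages does not match Release,
# 3 = .deb missing from Packages or does not match it.
verify_chain() {
    trusted=$1; deb=$2
    [ "$(md5_of "$ARCHIVE/Release")" = "$trusted" ] || return 1
    expected=$(awk '$3 == "Packages" {print $1}' "$ARCHIVE/Release")
    [ "$(md5_of "$ARCHIVE/Packages")" = "$expected" ] || return 2
    expected=$(awk -v f="$deb" '
        $1 == "Filename:" && $2 == f { want = 1 }
        $1 == "MD5sum:" && want { print $2; exit }' "$ARCHIVE/Packages")
    [ -n "$expected" ] || return 3
    [ "$(md5_of "$ARCHIVE/$deb")" = "$expected" ] || return 3
}

# Mr. Cracker's mirror: swap in a trojaned .deb and regenerate Packages
# with its new MD5.  Without the archive key he cannot refresh Release.
trojan_mirror() {
    printf 'trojaned binary\n' > "$ARCHIVE/foo_1.0_i386.deb"
    printf 'Package: foo\nVersion: 1.0\nFilename: foo_1.0_i386.deb\nMD5sum: %s\n' \
        "$(md5_of "$ARCHIVE/foo_1.0_i386.deb")" > "$ARCHIVE/Packages"
}

# Verdicts before and after the swap, e.g. "0 2".
demo() {
    trusted=$(build_archive)
    if verify_chain "$trusted" foo_1.0_i386.deb; then before=0; else before=$?; fi
    trojan_mirror
    if verify_chain "$trusted" foo_1.0_i386.deb; then after=0; else after=$?; fi
    echo "$before $after"
}
```

The mirror operator can rewrite everything he serves, so the only link that matters is the one he cannot forge: the digest of Release, bound to the archive's key rather than to his. That is why a package signed by "some key with the maintainer's name" proves nothing, and why the client's keyring has to contain only keys it has reason to trust.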



RE: How do I disable (close) ports?

2001-12-04 Thread Howland, Curtis
This is one remnant of the "trusted" world of Unix, and the legacy that
Linux has to deal with. It's ipchains/iptables to the rescue.

I do not have NFS turned on in the kernel modules, nor the package
installed. Yet this port is still open *to the outside world*. Can
anyone suggest a reason why this has not been restricted only to the
loopback interface, to be "opened" to other interfaces by the daemons if
installed?

That is, if it cannot be eliminated entirely. For the most part, I've
found that Linux is good for not turning things on unless you want them
on, but this seems to be the exception that proves the rule.

Any other opinions?

Curt-

-Original Message-
From: Thomas Bushnell, BSG [mailto:[EMAIL PROTECTED]]

Portmapper is an essential server for SunRPC services, including NFS,
mountd, nfsd, etc.


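A check and a fence for Curt's complaint, added here and not taken from the thread: wide_open_listeners picks the tcp/udp sockets bound to 0.0.0.0 out of "netstat -ln" output, and restrict_to_loopback emits the two iptables rules per protocol that let only the loopback interface reach a port. The netstat excerpt is constructed; IPT defaults to printing the rules instead of loading them. This fences portmap off without touching the daemon, which is the practical answer while it insists on binding every interface.

```shell
#!/bin/sh
# Added example, not from the thread: find sockets listening on every
# interface and fence one of them (portmap, tcp/udp 111) off with
# iptables so only the loopback interface can reach it.  Parses the
# "netstat -ln" layout of the time; the sample below is constructed.
# IPT defaults to printing the commands; run as root with IPT=iptables.
IPT="${IPT:-echo iptables}"

# Print "proto port" for every tcp/udp socket bound to the wildcard
# address.  Feed it real output with:  netstat -ln | wide_open_listeners
wide_open_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /^0\.0\.0\.0:/ {
             split($4, a, ":"); print $1, a[2] }' | sort -u
}

# Allow the port on lo, drop it from everywhere else, for tcp and udp.
# The daemon still binds 0.0.0.0; the filter is what closes the hole.
restrict_to_loopback() {
    port=$1
    for proto in tcp udp; do
        $IPT -A INPUT -i lo -p "$proto" --dport "$port" -j ACCEPT
        $IPT -A INPUT -p "$proto" --dport "$port" -j DROP
    done
}

# Constructed "netstat -ln" excerpt: sshd on all interfaces, portmap on
# all interfaces (tcp and udp), a database bound to loopback only.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Listeners reachable from outside in the sample.
exposed() { printf '%s\n' "$SAMPLE_NETSTAT" | wide_open_listeners; }

exposed
restrict_to_loopback 111
```

The ACCEPT on lo must come before the DROP, since local RPC clients (and portmap's own registrations) talk to 127.0.0.1:111. Re-run the listener check after any package install; a daemon that nobody asked for showing up on 0.0.0.0 is exactly the situation Curt describes.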



RE: Secure wu-ftpd for Testing?

2001-11-30 Thread Howland, Curtis
The article I read about it on the Register...

http://www.theregister.co.uk/content/4/23082.html

"The hole affects thousands of users of virtually every Linux release.
Because of the wide implications, Core, working with CERT, and, at one
point, SecurityFocus' "Vulnerability Help" team, arranged a coordinated
release with Caldera, SuSE, TurboLinux, Debian, Red Hat, and other Linux
vendors, so that patches would be available for every distribution
simultaneously. December 3rd was picked for the release.

That plan went out the window Tuesday, when Red Hat unilaterally
issued its own advisory."

So I will assume that Debian has a fix that is being tested, if not in
"testing". I'm very surprised it hasn't been released or mentioned yet
myself.

Curt-

-Original Message-
From: David Ehle [mailto:[EMAIL PROTECTED]
Sent: Friday, November 30, 2001 14:20
To: debian-security@lists.debian.org
Cc: Debian-Security (E-mail)
Subject: Secure wu-ftpd for Testing?



Hello all,

Is the wu-ftpd in testing secure? It seems 2.6.1 is a stinker.
Testing is using 2.6.1-5, is that also compromised?  I have been
watching it all day but haven't seen any updates.

If it is not secure has a patched version been made available anywhere?
I can't seem to find any mention at http://www.debian.org/security/

Thanks!
David.





Encrypted Filesystems zing pow woosh

2001-11-29 Thread Howland, Curtis
Just FYI, Slashdot has a discussion up on encrypted file systems that
might be of interest to folks who participated in the discussion here.

This direct link might work:

http://slashdot.org/article.pl?sid=01/11/28/1549252&mode=thread

Curt-

---
Curt Howland                +81-3-5772-5832
KVH Telecom Japan, Ltd.     IDC Division





Security hole in Linux kernel itself? FW: [FreeBSD-users-jp 65877] Re: nslookup

2001-11-28 Thread Howland, Curtis
Excuse me if this is old hat, has anyone else heard of a vulnerability
like this?

If it's on the FreeBSD lists, it must be well known...

Curt-

-Original Message-
From: Kondou, Katsuhiro (IDC) 
Sent: Wednesday, November 28, 2001 22:16
To: Hu, Geng; Howland, Curtis
Subject: Fw: [FreeBSD-users-jp 65877] Re: nslookup 


Attached is a message from a FreeBSD mailing list (in Japanese).
This guy blames whoever designed the new (maybe) Linux kernel, which
uses the region after 0x8000 for caching the network file system so
that any process can access it (read/write).

I've never heard of it, but I tend to say Linux is *NOT*
secure, if it's true.
-- 
Katsuhiro Kondou
---BeginMessage---
Okuyama at IBM here.

 "HK" == Hiroyuki Komatsu [EMAIL PROTECTED] writes:
 『ハッカー・プログラミング大全』  ISBN4-88718-633-9 C0036 \3800E
 by UNYUN
HK Looking at the table of contents and the price, I'm hesitating to
HK buy it. How was the value for money?

Content-wise it's nothing much. It's only stack overflows.
# Though code "extremely similar" to CodeRed does show up in it.

The important thing is that it is a hardcover of exactly the right
weight and stiffness for whacking over the head those people who don't
even know this much and yet insist "it's no big deal", while telling
them:

"There is a book that spells out how to do it, so this is common
  knowledge. Know at least that much, you fool."

(^^;)


# For the Second Edition I'd really like a feature where swinging it in
# Japan also hits the heads of the idiots over in the US. Because I want
# to crack open the skulls of the crowd who designed the cache-management
# area used by a network-capable file system running on Linux to be
# allocated in the region at 0x8000 - "so that any process can freely
# read/write it", and of the fools who insisted that was "secure".

Kenichi Okuyama @ Tokyo Research Laboratory, IBM Japan Ltd. [煤背会:No.0x0001]
#URL http://www.dd.iij4u.or.jp/~okuyamak/
# Today's phrase, "by the way": up to Linux 2.4.5 the handling of SIGSEGV
# was deranged, and one process could take SIGSEGV only once; the
# interrupt mask simply never recovered. The reason that is "secure",
# supposedly, is that "if you try to stomp through the pages one after
# another from the end, you stop before reaching the target page". You
# could just create one process per page, couldn't you?
---End Message---




RE: is 3des secure??

2001-11-25 Thread Howland, Curtis


While this may be whipping a greasy stain on the road, it is true that
3DES was created by the government back when private cryptology was
difficult or unknown. I believe it is prudent to consider that it was
allowed to be used because of practical cracking available to the crypto
experts.

I'm not referring to a back-door, just a known method such as a hardware
based method for cracking in near-real time.

However, 3DES is likely strong enough for normal people. If you're
trying to keep things from them, they are already reading your screen
and keyboard strokes directly by their radio emissions from across the
street.

Paranoid? Yes. That's what security is all about.

Curt-


-Original Message-
From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 24, 2001 21:43
To: Johannes Weiss
Cc: [EMAIL PROTECTED]
Subject: Re: is 3des secure??


On Sat, Nov 24, 2001 at 10:28:56AM +0100, Johannes Weiss wrote:
 -BEGIN PGP SIGNED MESSAGE-
 
 UNfortunately, WIN-SSH is very buggy, it only works if I take the 3des

 algorithm, if I take one of the others (blowfish,...) it crashed.
 

What is unfortunate about that?  From my experience, 3DES is used more
commonly than any other crypto algorithm for things like SSH and IPSEC.
I know that some people feel that Blowfish, Twofish, and friends are too
new to be thoroughly tested.

DES (and thus 3DES) has withstood 30 years of cryptanalysis.  The only
weakness found in DES, a weakness known from the very beginning, is that
the short keylength makes it vulnerable to a brute force attack, which
is why 3DES was created.  3DES is basically DES cubed, and effectively
uses a 168 bit key, which is quite secure by modern standards.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 


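Added note, the editor's rather than either poster's: the "168 bit key" figure for three-key 3DES is its nominal key length, not the work an attacker faces. The standard meet-in-the-middle argument, writing E and D for single-DES encryption and decryption:

$$C = E_{k_3}\bigl(D_{k_2}(E_{k_1}(P))\bigr), \qquad |k_1| = |k_2| = |k_3| = 56.$$

Given one known plaintext/ciphertext pair $(P, C)$:

1. Tabulate $X = E_{k_1}(P)$ for all $2^{56}$ values of $k_1$.
2. For each of the $2^{112}$ pairs $(k_2, k_3)$ compute $Y = E_{k_2}(D_{k_3}(C))$ and look $Y$ up in the table; a hit proposes $(k_1, k_2, k_3)$, which a second pair confirms.

$$T \approx 2^{56} + 2^{112} \approx 2^{112} \text{ DES operations}, \qquad M \approx 2^{56} \text{ blocks}.$$

So three-key 3DES resists a generic attacker with about 112 bits of work, not 168; two-key 3DES ($k_3 = k_1$, a 112-bit key) has the same generic bound and known-plaintext attacks somewhat below it. The hardware attack Curt mentions applies at the $2^{56}$ scale of single DES, which a purpose-built machine exhausted in days in 1998; neither 3DES figure is within reach of that approach.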




RE: rogue Chinese crawler

2001-11-25 Thread Howland, Curtis

Is there a "drop from..." command as well? I much prefer simply
black-holing packets rather than giving back to the perp "I'm here, but
I know about you" data by "deny". Or is that what the Apache "deny"
does?

Curt-

-Original Message-
From: Christoph Moench-Tegeder [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 24, 2001 03:36
To: [EMAIL PROTECTED]
Subject: Re: rogue Chinese crawler


## Martin WHEELER ([EMAIL PROTECTED]):

 Is anyone else having problems with the robot from
  openfind.com.tw

That one has not been seen here.

 Anyone know of a sure-fire robot killer under woody?

Apache himself (assuming your webserver runs apache, other servers
should have something similar).
Just take mod_access and add a "deny from" line to the <Directory />
section of your config.

Gruss,
cmt

-- 
Spare Space


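On Curt's question: Apache's "deny from" answers the request with a 403 after the TCP connection has already been accepted, so the robot learns the host is up and watching; a silent black hole has to come from the packet filter. The following is an added example, not from the thread: it pulls the source addresses of a named robot out of a combined-format access log, emits one iptables DROP rule per address, and prints the mod_access equivalent for comparison. The log lines are constructed and the robot's User-Agent string is a placeholder, since the thread does not quote the real one.

```shell
#!/bin/sh
# Added example, not from the thread.  "deny from" in Apache sends a 403
# over an established connection; a silent drop needs the packet filter.
# This pulls the source addresses of one robot out of a combined-format
# access log and emits DROP rules for them.  Log lines are constructed,
# the User-Agent pattern is a placeholder, IPT defaults to printing.
IPT="${IPT:-echo iptables}"

# Addresses that sent requests whose User-Agent contains the pattern.
# In the combined format the User-Agent is the last double-quoted
# field, i.e. field 6 when splitting on the double quote.
robot_sources() {
    pattern=$1
    awk -v pat="$pattern" -F'"' 'index($6, pat) { split($1, f, " "); print f[1] }' \
        | sort -u
}

# One silent DROP per source, inserted at the head of INPUT.
blackhole_rules() {
    while read -r ip; do
        $IPT -I INPUT -s "$ip" -j DROP
    done
}

# What the Apache side looks like: the robot still gets a 403 reply.
apache_deny() {
    echo '<Directory />'
    echo '    Order allow,deny'
    echo '    Allow from all'
    while read -r ip; do echo "    Deny from $ip"; done
    echo '</Directory>'
}

# Constructed combined-format log excerpt (addresses from the
# documentation ranges).
SAMPLE_LOG='192.0.2.10 - - [24/Nov/2001:03:36:01 +0100] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0 (compatible; examplebot/1.0)"
192.0.2.10 - - [24/Nov/2001:03:36:02 +0100] "GET /a.html HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; examplebot/1.0)"
198.51.100.7 - - [24/Nov/2001:03:40:00 +0100] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0 (compatible; examplebot/1.0)"
203.0.113.5 - - [24/Nov/2001:03:41:00 +0100] "GET / HTTP/1.0" 200 1234 "-" "Lynx/2.8.4"'

# Robot addresses found in the sample.
robot_ips() { printf '%s\n' "$SAMPLE_LOG" | robot_sources examplebot; }

robot_ips | blackhole_rules
robot_ips | apache_deny
```

Against real logs: "robot_sources examplebot < /var/log/apache/access.log | blackhole_rules". The User-Agent is chosen by the client, so keying on it only catches a robot that announces itself; for one that does not, the request rate per source address is the next thing to look at.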



RE: Mutt tmp files -- Root is not my Enemy

2001-11-20 Thread Howland, Curtis
There is also this How-To:

http://www.linux.org/docs/ldp/howto/Loopback-Encrypted-Filesystem-HOWTO.html

I've been thinking that a 100 or 500MB encrypted loop device per user,
mounted as a subdirectory under the individual user's home, would be
effective. It doesn't encrypt the entirety of the disk, nor all of the
home directory, but could be (for instance) the KDE or GNOME "Desktop"
folder, and anything there would be hidden from prying eyes.

The same caveats, "when you're logged in it's wide open" and "it's only
as good as your passphrase", apply.

Thoughts?

Curt-

-Original Message-
From: Petro [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 04:51
To: Florian Bantner
Cc: [EMAIL PROTECTED]
Subject: Re: Mutt  tmp files -- Root is not my Enemy


On Tue, Nov 20, 2001 at 02:47:56PM +0100, Florian Bantner wrote:
 On Die, 20 Nov 2001, Rolf Kutz wrote:
  Florian Bantner ([EMAIL PROTECTED]) wrote:
   A fact about which I'm concerned even more than about a hack from
   outside via the internet etc. is real physical access to the box.
   Something hackers normally don't pay enough attention to is that
   somebody just steps - let's say 6 o'clock in the morning - into your
   room, shows you his police card - or whatever governmental id card -
   and tells you that your computer is now his.
  Use TMPFS. Encrypt your disk or do everything in
  RAM (maybe set up a diskless system booting from
  cd. See the bootcd-package). They might still be
  bugging your hardware.
 I don't know tmpfs. What I'm currently thinking about is:
 * Create for every user a directory under his home.
 * Use some kind of ram-disk device.
 * Perhaps (just to be sure) encrypt it. Perhaps that's where I need
   some kind of encrypting filesystem (do I?). I'm not experienced in
   fs encryption. How do I mount such devices. Which encryption is
   used? When to enter passphrase?

Several years ago Matt Blaze published a bit of code that mounted
encrypted files via the loop interface as home directories. It was
fairly resource intensive, and hence not really scalable. It is
good for protecting against casual browsing, but while you're logged
in to the machine (and hence have your home dir mounted) then it's
just like a normal home directory. 

Found it

http://www.ibiblio.org/pub/Linux/docs/faqs/security/Cryptographic-File-System

Seems I mis-remember bits of it. 

 

-- 
Share and Enjoy. 


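Curt's per-user encrypted loop device as a script, added here and not taken from the thread or from the HOWTO. It assumes what the Loopback-Encrypted-Filesystem HOWTO he links describes: a kernel and losetup with loop encryption, so that "losetup -e <cipher>" attaches an image and prompts for the passphrase. /dev/loop0, the image path ~/.crypt.img, the Desktop directory and the "aes" cipher name are my choices. RUN defaults to echo so the steps are only printed; set RUN to empty and run as root to execute them.

```shell
#!/bin/sh
# Added example, not from the thread: one encrypted loop device per user,
# mounted over a subdirectory of that user's home, along the lines of the
# Loopback-Encrypted-Filesystem HOWTO.  Assumptions (mine): the kernel and
# util-linux carry the loop encryption the HOWTO describes, so that
# "losetup -e <cipher>" prompts for a passphrase; /dev/loop0 is free; the
# image lives at ~/.crypt.img.  RUN defaults to "echo" so the steps are
# printed, not executed; run as root with RUN= to carry them out.
RUN="${RUN-echo}"
CIPHER="${CIPHER:-aes}"

home_of() { printf '/home/%s' "$1"; }

# First-time creation: fill the image with random data (so free space is
# indistinguishable from ciphertext), attach it encrypted, make an ext2
# filesystem inside, then mount it over the Desktop directory.
# nosuid,nodev: a user-writable filesystem should not carry setuid
# binaries or device nodes.
crypt_create() {
    user=$1; size_mb=$2; home=$(home_of "$user")
    $RUN dd if=/dev/urandom of="$home/.crypt.img" bs=1M count="$size_mb"
    $RUN losetup -e "$CIPHER" /dev/loop0 "$home/.crypt.img"
    $RUN mke2fs /dev/loop0
    $RUN mkdir -p "$home/Desktop"
    $RUN mount -o nosuid,nodev /dev/loop0 "$home/Desktop"
    $RUN chown "$user" "$home/Desktop"
}

# Later logins: attach and mount again.  losetup asks for the passphrase;
# a wrong one yields a device full of garbage that mount rejects, which
# is the only "wrong passphrase" signal this scheme gives.
crypt_mount() {
    user=$1; home=$(home_of "$user")
    $RUN losetup -e "$CIPHER" /dev/loop0 "$home/.crypt.img"
    $RUN mount -o nosuid,nodev /dev/loop0 "$home/Desktop"
}

# Logout: unmount and detach.  Until this runs the data is as readable
# as any other directory (Curt's "wide open" caveat); afterwards the key
# is gone from the kernel and the image is just random-looking bytes.
crypt_umount() {
    user=$1; home=$(home_of "$user")
    $RUN umount "$home/Desktop"
    $RUN losetup -d /dev/loop0
}

crypt_create alice 100
crypt_umount alice
```

Because the image is a plain file, it is backed up, copied and stolen like one; the second caveat, that the scheme is only as good as the passphrase, follows directly, since anyone holding the file can try passphrases offline with no lockout.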



RE: In Praise of Dos (RE: Mutt tmp files)

2001-11-19 Thread Howland, Curtis

From: John Galt [mailto:[EMAIL PROTECTED]]
delete.  You're missing a large point here: root doesn't have to have
RWX access on everything to be able to do their job, -WX may do the trick.

So, root does not need total file access in order to do some subset of
functions which you, or the NSA, consider "their job."

Who, pray tell, set up those permissions? (hint: root)

I believe that an administrator account with such limited permissions is
a very good idea on a large-scale or multi-admin machine. In an ISP, for
instance, your grunt sysop is neither trained nor absolutely trusted.
But someone has to be able to administer *that* account too, so I still
assert there should be a Root As God as final arbiter, to install the
key-sig software, intrusion detection, etc.

No, DOS taught us how to allow for a system to be compromised at the
drop of a hat.

Interesting. Physical compromise is not at issue, because a machine
which is physically compromised is merely a matter of time before it is
broken. It is my impression we (all) agree on that.

If you cannot trust root, don't use that machine for anything you want
to be secure.

Probably a good dictum, but not really feasible in most cases.  Do you
trust your ISP?  They have root on the system that forwards mail to
you...

Quite right. Luckily, there are ways to secure specific functions, such
as PGP'd email, ssh for remote login, https for document viewing and
forms, IPSec for datastreams, etc. The commodity internet cannot ever be
considered secure.

Had people only ever used terminals on shared servers, such as the IBM,
DEC, Unix "mainframe" model, I believe we would have better individual
user tools for security against root. Single user machines, thus my
comment about Dos, give the impression of end-point security.

Win 3.0 was broken and unusable, you know that?

Unusable? Then I seem to have been able to do the impossible. It
certainly did not work well, but "unusable"? Hmmm...

Win 3.X is the last system that had hardware requirements based on
objective criteria and allowed the system control that you lauded in
your main email.

I'm glad the theoretical considerations were able to be communicated, I
do wish you had added your reservations and elaborations rather than
using the absolute negative "No."

  Win 95+ started doing things for you, and NEVER does them the 
way they should be done.  Perhaps it just takes longer to do things 
right...

I think the distributed effort of the open source projects, while
chaotic so that key-strokes will not always be consistant (so what?),
does allow for people to use the systems that give them the least
astonishment.

And, best of all, if someone realizes how they "should" be done, they
can advocate it to someone who really can make it a reality.

Unlike arguing for something durnig "Face Time" with Bill.

I was able to limit Win95, after lots of experimenting, to three running
"services" and relative un-hackability. But it was a single user
machine, and the keyboard was God. An object lesson in choosing a good
PGP pass phrase.

void hamlet()
{#define question=((bb)||(!bb))}

UmmmI believe that parses as b^2, not b*2... :^)

Who is John Galt?  [EMAIL PROTECTED] that's who!

http://www.lfcity.org/

Curt-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


RE: In Praise of Dos (RE: Mutt tmp files)

2001-11-19 Thread Howland, Curtis

From: John Galt [mailto:[EMAIL PROTECTED]
delete.  You're missing a large point here: root doesn't have to have
RWX access on everything to be able to do their job, -WX may do the trick.

So, root does not need total file access in order to do some subset of
functions which you, or the NSA, consider "their job."

Who, pray tell, set up those permissions? (hint: root)

I believe that an administrator account with such limited permissions is
a very good idea on a large-scale or multi-admin machine. In an ISP, for
instance, your grunt sysop is neither trained nor absolutely trusted.
But someone has to be able to administer *that* account too, so I still
assert there should be a Root As God as final arbiter, to install the
key-sig software, intrusion detection, etc.

No, DOS taught us how to allow for a system to be compromised at the
drop of a hat.

Interesting. Physical compromise is not at issue, because a machine
which is physically compromised is merely a matter of time before it is
broken. It is my impression we (all) agree on that.

If you cannot trust root, don't use that machine for anything you want
to be secure.

Probably a good dictum, but not really feasible in most cases.  Do you
trust your ISP?  They have root on the system that forwards mail to
you...

Quite right. Luckily, there are ways to secure specific functions, such
as PGP'd email, ssh for remote login, https for document viewing and
forms, IPSec for datastreams, etc. The commodity internet cannot ever be
considered secure.

Had people only ever used terminals on shared servers, such as the IBM,
DEC, Unix "mainframe" model, I believe we would have better individual
user tools for security against root. Single user machines, thus my
comment about Dos, give the impression of end-point security.

Win 3.0 was broken and unusable, you know that?

Unusable? Then I seem to have been able to do the impossible. It
certainly did not work well, but "unusable"? Hmmm...

Win 3.X is the last system that had hardware requirements based on
objective criteria and allowed the system control that you lauded in
your main email.

I'm glad the theoretical considerations were able to be communicated, I
do wish you had added your reservations and elaborations rather than
using the absolute negative "No."

  Win 95+ started doing things for you, and NEVER does them the
way they should be done.  Perhaps it just takes longer to do things
right...

I think the distributed effort of the open source projects, while
chaotic so that key-strokes will not always be consistent (so what?),
does allow for people to use the systems that give them the least
astonishment.

And, best of all, if someone realizes how they "should" be done, they
can advocate it to someone who really can make it a reality.

Unlike arguing for something during "Face Time" with Bill.

I was able to limit Win95, after lots of experimenting, to three running
"services" and relative un-hackability. But it was a single user
machine, and the keyboard was God. An object lesson in choosing a good
PGP pass phrase.

void hamlet()
{#define question=((bb)||(!bb))}

Ummm... I believe that parses as b^2, not b*2... :^)

Who is John Galt?  [EMAIL PROTECTED] that's who!

http://www.lfcity.org/

Curt-



In Praise of Dos (RE: Mutt tmp files)

2001-11-18 Thread Howland, Curtis
To be blunt, I don't think one can entirely protect oneself from root,
nor do I believe it's an All Good idea.

Root Is God. This is a multi-user, full-time, networked device. Root
bears the responsibility of everything that happens to that machine.
They are answerable to everyone, not just one user.

For all its faults, Dos taught us what it was like to be in complete
control of one's own machine. No other users, no daemons, no services.
Programs ran in a vacuum. I really like such control for single-user
machines from a security standpoint, even though I prefer the
functionality of Linux.

However, I also like the fact that when my wife's Win98 device crapped
out and was sent to the shop for repair, it was no effort to simply
adduser x. The beauty of a multi-user machine. She can get the
functions she needs until her machine comes back, but she now has to
trust me that I won't less /var/spool/mail/x as root.

If you cannot trust root, don't use that machine for anything you want
to be secure.

Curt-

ps: From a personal perspective, I think Linux is about where Windows
3.0 was. This is not a troll, just a usability thing.

-Original Message-
From: Daniel D Jones [mailto:[EMAIL PROTECTED]
...  We're talking about trying to protect yourself from legitimate
root on a system where you're merely a user.



RE: Mutt tmp files -- Root is not my Enemy

2001-11-16 Thread Howland, Curtis

Which reminds me to ask, are the www.kerneli.org cryptographic patches
applied to the pre-compiled kernels, e.g. kernel-2-4-14-AMDK6.deb?

-Original Message-
From: Florian Bantner [mailto:[EMAIL PROTECTED]
Sent: Friday, November 16, 2001 16:26
To: debian-security@lists.debian.org
Subject: Re: Mutt  tmp files -- Root is not my Enemy

...
I do believe strongly in 'Democracy through Privacy'.
Isn't that - before any other linux-distribution - something debian
should stand for?


-- 
AXON-E Interaktive Medien
Arnulfsplatz 6
93047 Regensburg



RE: Mutt tmp files

2001-11-15 Thread Howland, Curtis
As has been said many times, many ways, once "root" is compromised, all
bets are off. Also, the only computer that isn't vulnerable is the one
that isn't connected to a network, and can't be physically touched.

Did anyone else see that awful Wesley Snipes movie, where he plays a
black-bag (pun in original) operative for the U.N.? He hacks into a
laptop that someone left on in their office, using the infrared port
from outside the office window. When I first heard about Tempest
shielding, I knew nothing was "impossible". Security is just a matter of
making it so inconvenient that the cracker has to give up.

Curt-

-Original Message-
From: Craig Dickson [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 16, 2001 08:36
To: [EMAIL PROTECTED]
Subject: Re: Mutt  tmp files


Florian Bantner wrote:

  Hmm, have you considered ramdisks?
 
 That's the idea I was looking for. Heard also today of the
 possibility to encrypt whole filessystems. In the moment I'm
 thinking about that. A combination was nice. When I'm right this
 would make it even for root hard to do something. Not impossible but
 hard. That's really not bad at all.

It depends what kind of skills you expect root to have. Remember that
root is in a position to modify the kernel if he wants to. I can easily
imagine a kernel patch that watches the ramdisk (or any fs) for certain
types of files (by name, ownership, or whatever), and makes extra copies
of them under /root without the user's knowledge. It probably wouldn't
even be a hard change to make. And of course, for the ramdisk to exist
in the first place, you need root's cooperation, so he probably knows
why you want it and what you're using it for.

Even without a kernel patch, he can always just modify mutt, vim, or gpg
to do what he needs. Or just replace vim with a shell script that calls
the real vim and then copies the file for him afterwards (the easiest
method, though also the most obvious).

You can make it so that root has to do more than look in /tmp for
cleartext files, but I doubt you can make it hard if root is a competent
programmer.

Craig





RE: Suggestion for debian-security

2001-11-14 Thread Howland, Curtis
I'm glad to hear it. I will forward your message to Debian-Security,
where I saw it discussed.

Curt-

-Original Message-
From: Jaakko Niemi [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 04:28
To: Howland, Curtis
Cc: [EMAIL PROTECTED]
Subject: Re: Suggestion for debian-security


On Tue, 13 Nov 2001, Howland, Curtis wrote:
 Dear Debian,
 
 Due to the low off-topic traffic normally found on debian-security, and
 the increasing number of spam messages, I would like to suggest that
 debian-security be changed to allow only postings from email accounts
 that are subscribed.

 Such policy decisions need wider acceptance. I believe this is already
 being discussed in appropriate forums.

 While I have at times utilized the feature of non-subscriber posting on
 high traffic lists like debian-user, this is a convenience I would
 gladly forgo for making it just that much harder for spamming.

 Many people need to post on non-subscribed addresses.
 
 We implemented recently some filters which ought to improve the
 situation hopefully to the point that posting limitations should
 not be needed.

-- 

"And if the messenger would shoot first?"




RE: Vulnerable SSH versions

2001-11-12 Thread Howland, Curtis
I will gladly grant that the tar file may not exist for the boot
floppies, and that I do not have on hand the CD to check it. It also may
have been a Potato(e) phenomenon, no longer in use. However, it did
exist.

Which makes me wonder, why ship Woody with 2.2.20 at all? Oh well, not
my decision.

I'm not sure that the problem is the 2.2.x modules "being found" by the
2.4.x modutils, I had the distinct impression that they were just "still
included" for some reason. However, again to my shame, I have not the
machine accessible to check.

However, this is way off topic no matter how interesting. Thanks to
everyone for their help and advice, we shall see.

Curt-

-Original Message-
From: Henrique de Moraes Holschuh [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 13, 2001 09:53
To: Howland, Curtis
Cc: [EMAIL PROTECTED]
Subject: Re: Vulnerable SSH versions


On Tue, 13 Nov 2001, Howland, Curtis wrote:
 The tar file that contains the "base" Woody install, which is used as
 the jumping off point for installation.

There isn't one, at least not for boot floppies. We use debootstrap to
fetch the most up-to-date packages of that distribution and install
them, not a tarball.

 As far as the change from 2.2.x to 2.4.x, if you don't think it was all
 that confusing then you don't use pcmcia services. The 2.2.x kernel

That looks like a quite bad usability bug on the pcmcia-related packages
to me, but I have not looked deeply (read: not at all) into the problem.

 modules are all still there, but they no longer work. That means that
 not only do you need to find out the new modules names, you have to
 ensure you don't use any of the old ones.

The 2.2.x modules should not be kept somewhere the 2.4 kernels will find
them. This is certainly a big problem.

 Seriously flawed, IMNSHO, and very confusing. It also led to a version
 conflict with modutils, where I had to boot back into 2.2.x in order to
 install modutils v2.4.10. I still get error messages from modutils on
 both boot-up and shutdown about version conflicts and missing modules.

Please file bugs against the appropriate packages, so as to have them
ensure they have a new-enough modutils, at the very least.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh




RE: Vulnerable SSH versions

2001-11-12 Thread Howland, Curtis
A quick question concerning such things...

I have a remote server that I do not trust myself to upgrade from
Potato(e) to Woody, and such vulnerabilities do worry me a little. Is
there any general expectation that such back porting will continue
once Woody is released?

Curt-

-Original Message-
From: Jo Fahlke [mailto:[EMAIL PROTECTED]
Sent: Monday, November 12, 2001 19:45
To: Michal Kara
Cc: debian-security@lists.debian.org
Subject: Re: Vulnerable SSH versions


On Mon, 12 Nov 2001, 11:30:49 +0100, Michal Kara wrote:
   Hi there!
 
   During this weekend, there has been paper posted to bugtraq named
 "Analysis of SSH crc32 compensation attack detector exploit". It talks
 about a recorded successful exploit using overflow in CRC32 compensation
 attack detection code, a hole, which was discovered in February this
 year.
 
   In the appendices, there is also program checking if you are
 vulnerable by checking the version string SSH daemon produces on
 connect. The newest Debian Potato version produces string
 SSH-1.5-OpenSSH-1.2.3 which is listed as vulnerable to this security
 hole. However, the Debian advisory released in February refers to
 version 1.2.3 as having this fixed...
 
   So how is it? Who is wrong?
 
 Thanks,
   Michal

Check out the thread starting at
http://lists.debian.org/debian-security/2001/debian-security-200111/msg00025.html

Basically, in Debian potato the fix was backported to the old version of
ssh so it should be safe.

Jö.

-- 
If God had intended Man to Smoke, He would have set him on Fire.
-- fortune
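A version-string check of the kind Michal describes, together with the backport caveat in Jö's reply, as an added example that is not from the thread or from any of its posters: it parses the banner the way a scanner would, then shows why the potato banner quoted above is flagged by a naive version comparison but cleared once the distribution's backport record is consulted. The upstream fixed-in version (2.3.0) and the backport table are assumed values for the example; take the real ones from the advisory.

```python
import re

# SSH identification string: "SSH-<protoversion>-<softwareversion>[ <comments>]".
# Software strings seen in the wild: "OpenSSH-1.2.3" (old) or "OpenSSH_3.0p1".
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?:\s+(.*))?\s*$")
SOFTWARE_RE = re.compile(r"^([A-Za-z]+)[-_](\d+(?:\.\d+)*)(.*)$")


def parse_banner(banner):
    """Split a banner into protocol, product, dotted version and any suffix
    (e.g. "p1"). Returns None for a line that is not an SSH banner."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    proto, software, comments = m.groups()
    info = {"proto": proto, "product": software, "version": None,
            "suffix": "", "comments": comments or ""}
    sm = SOFTWARE_RE.match(software)
    if sm:
        info["product"], info["version"], info["suffix"] = sm.groups()
    return info


def version_tuple(version):
    """'1.2.10' -> (1, 2, 10), so that it sorts after '1.2.3' (a plain
    string comparison would get that wrong)."""
    return tuple(int(part) for part in version.split("."))


def banner_says_vulnerable(banner, product, fixed_in):
    """The naive scanner rule: any banner for `product` whose version is
    below `fixed_in` is flagged. Returns None if the banner is not that
    product or carries no parseable version."""
    info = parse_banner(banner)
    if info is None or info["product"] != product or info["version"] is None:
        return None
    return version_tuple(info["version"]) < version_tuple(fixed_in)


def check_host(banner, product, fixed_in, backported):
    """Verdict that also consults `backported`, the set of (product, version)
    pairs the distribution's advisory says were patched without a version
    bump. A flagged banner in that set is a false positive of the naive rule."""
    flagged = banner_says_vulnerable(banner, product, fixed_in)
    if flagged is None:
        return "not-applicable"
    if not flagged:
        return "fixed-upstream"
    info = parse_banner(banner)
    if (info["product"], info["version"]) in backported:
        return "fixed-by-backport"
    return "possibly-vulnerable"


# Constructed sample input: the potato banner quoted in the thread, a newer
# upstream-style banner, and an older one with no backport on record.
POTATO_BANNER = "SSH-1.5-OpenSSH-1.2.3"
NEWER_BANNER = "SSH-2.0-OpenSSH_3.0p1"
OLDER_BANNER = "SSH-1.5-OpenSSH-1.2.2"

# Assumed for this example only: the first upstream release the scanner
# treats as fixed. The real threshold comes from the advisory, not from here.
ASSUMED_FIXED_IN = "2.3.0"

# Constructed backport record: per the thread, potato's 1.2.3 package carries
# the fix even though its banner still says 1.2.3.
BACKPORTED = {("OpenSSH", "1.2.3")}


def demo():
    """Run the three banners through both rules; returns the verdicts."""
    return {
        "naive_flags_potato": banner_says_vulnerable(
            POTATO_BANNER, "OpenSSH", ASSUMED_FIXED_IN),
        "potato": check_host(POTATO_BANNER, "OpenSSH", ASSUMED_FIXED_IN, BACKPORTED),
        "newer": check_host(NEWER_BANNER, "OpenSSH", ASSUMED_FIXED_IN, BACKPORTED),
        "older": check_host(OLDER_BANNER, "OpenSSH", ASSUMED_FIXED_IN, BACKPORTED),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point for an auditor is the "potato" verdict: the banner alone says vulnerable, the package record says fixed, and only the latter is authoritative on a distribution that backports.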



RE: Vulnerable SSH versions

2001-11-12 Thread Howland, Curtis
Thanks.

I've been keeping it up to date weekly or so, but just to be sure I
changed the sources.list to be ... potato/... instead of ...
stable/... for when stable changes.

Even a blank-disk install of Woody wasn't straightforward. The kernel
in the distribution tar file was 2.2.xx, changing to 2.4.9 was a bitch,
and it's already up to 2.4.12 or .14... I wonder if the tar file has
been changed to reflect the new kernel realities?

Curt-

-Original Message-
From: Ethan Benson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 13, 2001 09:15
To: debian-security@lists.debian.org
Subject: Re: Vulnerable SSH versions


On Tue, Nov 13, 2001 at 09:02:56AM +0900, Howland, Curtis wrote:
 A quick question concerning such things...
 
 I have a remote server that I do not trust myself to upgrade from
 Potato(e) to Woody, and such vulnerabilities do worry me a little. Is
 there any general expectation that such back porting will continue
 once Woody is released?

when potato was released security updates for slink were discontinued
two months later.  since potato is going to be even more fossilized
than slink was by the time woody is released i would expect a similar
timeframe (that and potato only has 6(?) architectures woody will have
something like 12 or more).

expect to have two months to upgrade your potato boxes before being on
your own in regards to security updates.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



RE: Vulnerable SSH versions

2001-11-12 Thread Howland, Curtis
The tar file that contains the base Woody install, which is used as
the jumping off point for installation.

The tar file has binary kernel, /boot, /proc and other directories, I'm
not sure exactly what the limit to its contents is. I found this out by
building a CD via the assemble the CD image from individual .deb
packages procedure.

As far as the change from 2.2.x to 2.4.x, if you don't think it was all
that confusing then you don't use pcmcia services. The 2.2.x kernel
modules are all still there, but they no longer work. That means that
not only do you need to find out the new modules names, you have to
ensure you don't use any of the old ones.

Seriously flawed, IMNSHO, and very confusing. It also led to a version
conflict with modutils, where I had to boot back into 2.2.x in order to
install modutils v2.4.10. I still get error messages from modutils on
both boot-up and shutdown about version conflicts and missing modules.

Curt-

-Original Message-
From: Ethan Benson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 13, 2001 09:33
To: debian-security@lists.debian.org
Subject: Re: Vulnerable SSH versions


On Tue, Nov 13, 2001 at 09:25:29AM +0900, Howland, Curtis wrote:
 Thanks.
 
 I've been keeping it up to date weekly or so, but just to be sure I
 changed the sources.list to be ... potato/... instead of ...
 stable/... for when stable changes.
 
 Even a blank-disk install of Woody wasn't straightforward. The kernel
 in the distribution tar file was 2.2.xx, changing to 2.4.9 was a bitch,
 and it's already up to 2.4.12 or .14... I wonder if the tar file has
 been changed to reflect the new kernel realities?

what tarfile?

woody will ship with 2.2.20, but it will fully support 2.4 kernels, i
don't know what's so difficult about installing one.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



RE: SPAM was RE: INSURE GOOD RECEPTION! VITAL EMERGENCY STRATEGY!!!

2001-11-12 Thread Howland, Curtis
While the traffic load on debian-user, for instance, makes subscribing
just to ask one question somewhat hazardous to one's mailspool, I agree
with making debian-security posting by subscriber only. It really
isn't moderating, and doesn't take anyone's time.

To whom should we address the suggestion?

Curt-

-Original Message-
From: Oyvind A. Holm [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 13, 2001 11:26
To: Vineet Kumar
Cc: debian-security@lists.debian.org
Subject: Re: SPAM was RE: INSURE GOOD RECEPTION! VITAL EMERGENCY
STRATEGY!!!


On 2001-11-10 00:17 Vineet Kumar wrote:

 * Sebastiaan ([EMAIL PROTECTED]) [011109 14:44]:
  High,
 
  On Fri, 9 Nov 2001, Ed Street wrote:
 
   Hey,
  
   Is there *anything* we can do about all this Spam that's getting on
   this list?
  

 Yes. We can silently ignore them rather than turn each one into a
 lengthy off-topic thread.

No. The number of spam messages on these lists is really beginning to
irritate me, it's getting bigger day by day. The task of
(un)subscribing to the list is pretty easy, so I really don't see the
problem of only allowing messages from members on the list.

Regards,
Øyvind

+== http://www.sunbase.org/sunny ===+
| OpenPGP: 0xAD19826C 2000-01-24 Øyvind A. Holm [EMAIL PROTECTED] |
| Fingerprint: EAE5 DCA0 0626 5DAA 72F8  0435 2E2B E476 AD19 826C   |
+=== 2 + 2 = 5 for extremely large values of 2. +

