Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-26 Thread John T. Haggerty
On Fri, Aug 26, 2016 at 9:11 PM, Perry E. Metzger wrote:

> On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal wrote:
> > On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote:
> > > According to:
> > >
> > > https://security-tracker.debian.org/tracker/CVE-2016-5696
> > >
> > > Wheezy and Jessie are still vulnerable. The attack in question is
> > > kind of bad (it allows blind injection of arbitrary data into
> > > things like http downloads) and has been known for a few weeks
> > > now to the general public.
> >
> > I don't think the issue is that bad.
> >
> > It allows an attacker to find out if you are connected to a
> > particular web site and makes it easier to interrupt the transfer
> > by sending a RST or SYN packet or inject junk data to corrupt the
> > flow. It's simple denial of service.
>
> You are completely wrong. This attack allows you to inject
> *meaningful* things into the data flow. It isn't denial of service,
> it is one of the most flexible data injection attacks in years.
>
> At the security conference where the attack was presented, as a show
> of force, the presenters demonstrated that they could hijack arbitrary
> http: connections from several US newspapers and inject whatever
> traffic they like using this.
>
> Indeed, as a bit of comedy, they used this to do their presentation!
> They had a web browser to go to a newspaper's site and injected their
> slides for the talk into the newspaper's web page return and
> presented their talk that way! You will be able to watch the video
> yourself online when Usenix posts it soon.
>
> This means, for example, that you can inject javascript into the pages
> coming off of (say) a newspaper's unencrypted web site, and this
> lets you do untold mischief. With this attack, you could, for
> example, have weaponized the attacks described against iOS yesterday
> (resulting in an iOS emergency update) without getting a user to
> click on a malicious page, simply by injecting malicious javascript
> into a real page of a site hosted on a debian server. (I link to the
> report of that particular incident below, to give one a taste of the
> modern threat environment.)
>
> This is a horribly bad attack. Thinking this is nothing but denial of
> service could not be more incorrect.
>
> > But to achieve that, you must be downloading something from a web
> > site the attacker is actually targeting. The attacker must know you
> > are doing so or find out by sheer luck.
>
> "Sheer luck" isn't hard at all. There are a half dozen good ways
> understood to people in the field where you can figure out what
> sites someone is looking at regularly if you are targeting them
> without needing to listen in on their connection directly.
>
>
Having read several texts on internet security, I'd be interested in what
you are referring to. You mean compromise the physical machine they are on
to view their browser history? Break into their home? Packet sniffing?



> > The download must be long
> > enough (more than one minute) for the attacker to discover the set
> > of parameters that will make the attack successful.
>
> You've forgotten how the modern web works. People have http:
> connections live for very long periods of time, with dynamic content
> flittering back and forth over the channel. It isn't like 1996 any
> more where someone downloaded some static HTML and closed the TCP
> connection until the next page was downloaded when they clicked
> again. It hasn't been like that in a very long time.
>
>
So you are referring to the "netstat" output from the system itself? So
physically redraw the page they are on even if they haven't refreshed the
page?


> > That's unlikely to succeed on a massive scale if you ask me!
>
> You clearly didn't watch the presentation of people
> doing this attack successfully against real web pages while people
> were using them. This isn't theoretical. You should also remember
> that we're no longer in the "but who would do *that*" world. If you
> want to understand the threat model people live under now, read
>
> https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
>
>
Seems to be the NSA from reading about that.


> > Beside, the attacker can't possibly know what you are downloading
> > and how much data has already been downloaded. There is no way he
> > can inject anything useful into the downloaded data.
>
> Watch the real world demos. As I said, the videos are online. What
> you say is wrong.
>
> Perry
> --
> Perry E. Metzger  pe...@piermont.com
>
>

I'd love to see that as well. I don't keep up with many conferences that I
don't personally attend. Is there a cost?

-- 
"The death of one man is a tragedy, the death of 10 million is a statistic"
-- Joseph Stalin

"Omnia mutantur, nihil interit"
(Translation:
Everything changes, nothing is lost.)
-- Ovid, _Metamorphoses_


Re: Getting fqdn, postfix, Comcast to all play nice together

2016-08-26 Thread John T. Haggerty
On Fri, Aug 26, 2016 at 7:08 PM, Mark Fletcher <mark2...@gmail.com> wrote:

>
>
> On Sat, Aug 27, 2016 at 8:38 AM John T. Haggerty <jpcoo...@gmail.com>
> wrote:
>
>> Any thoughts for or against Amazon?
>>
>>
> Please don't top post on this list, it breaks up the flow of the thread
> for people who read the thread after it's finished. The primary purpose of
> the list is to get your questions answered, but the secondary purpose is to
> help those who come after, and top posting impedes that.
>

So I need to reply to the comment block in this manner then to avoid that?
I've not heard much about that term, and it's been a while that I've used
mailing lists. I can understand however, if that's the case.


>
> Anyway, I'm a fairly heavy Amazon web services user, using multiple
> Workspaces instances (remote desktops), EC2 instances (servers), RDS
> instances (database, in my case MySQL), and Elastic Beanstalk (self-scaling
> web site). I find it performant and highly reliable. I can't vouch for the
> tech support as I haven't really had to use them. They have a user forum
> which is not terrible but not great. The documentation can be a bit
> frustrating but if you are willing to devote the time to wading through the
> adverto-babble the information is there.
>
Interesting so, the "Workspace" is basically like a vnc into the computer
you could access from ec2 but entirely separate and used for
desktop/non-server use? If so that would be theoretically awesome for some
interesting cases. It could help me not to have to pony up the dough to
Microsoft et al. directly for a piece of software I may not use all the
time, not to mention doing interesting interactive things.

Beanstalk sounds interesting as well but almost overlapping ec2, almost
like ec2 on demand just for apache I would guess.



> All that sets me back about $250 a month. No doubt not the cheapest but
> you have to decide if what you want is cheap or good -- you don't typically
> get both, except sometimes temporarily by luck.
>
> Mark
>


Nice, but I guess you must get some sort of residual income from that
otherwise it wouldn't be important? Good to know that would show a real
world use case to give me an idea.




Re: Getting fqdn, postfix, Comcast to all play nice together

2016-08-26 Thread John T. Haggerty
I like that. I'm worried about one of the requirements here (under "Things
you will need"):

"

   - A permanent *internet connection* and an *IP address* for your mail
   server that does not change. The IP address should *not be blacklisted* on
   the internet. Check the IP address at web sites like
   http://www.anti-abuse.org/multi-rbl-check/ or http://rbl-check.org/. If
   your IP address shows up on black lists then other mail servers on the
   internet will likely refuse your emails or consider them spam."

Out of curiosity I ran against the second website and tried to see if the
present IP the router has has an issue. So far only two marginal servers
have an issue with the current one out of what looks like (about) dozens.
I'm currently on a "free" year trial of Amazon EC2 from AWS. I was
concerned about the costs. Compared to others. It looks like this could be
done for under 15.00 USD for a cost. Any thoughts for or against Amazon?

On Fri, Aug 26, 2016 at 5:57 AM, メット <m...@pmars.jp> wrote:

>
> On 2016-08-25 18:15:48 JST, "John T. Haggerty" <jpcoo...@gmail.com> wrote:
> >I have the following issue (seems to be common although my details seem to differ):
> >
> >1. I recently registered a new domain as WWW.whatever.org or whatever.
> >
> >2. Postfix gets installed.
> >
> >3. "Internet site " is enabled fqdn added.
> >
> >4. Email cannot be sent out to my Gmail address since it magically "times out" when contacting the servers (even though telnetting to mine and Gmail's works fine at port 25)
> >
> >5. In theory this should mean that they aren't blocking 25, and it should work.
> >
> >6. In the core wiki for Postfix I have the MX record of my server updated from the registrar to mail.whatever.org (pita since it's dynamic and not static).
> >
> >7. I want to avoid using gmail's smtp and comcast's servers since I'd love to host this on my own.
> >
> >How can this be accomplished in Debian (not Ubuntu, or something else)? (I get irritated at Ubuntu specific explanations {which usually don't work} getting all the search results)
> >
> >Any help would be appreciated as I spent ~3 days of work and wiping the entire OS in case I went wrong somewhere.
>
>
> Hi,
> Try the following site, they have well explained tut:
> workaround.org
> HTH
>
>




Re: Getting fqdn, postfix, Comcast to all play nice together

2016-08-26 Thread John T. Haggerty
I have been able to create websites, and am able to use the fqdn to show up
my web page I have hosted on the server. I just have to have ddclient update
the ip address with the dns settings. I just have the box NATed behind the
router.

On Fri, Aug 26, 2016 at 4:47 PM, emetib <chadbra...@gmail.com> wrote:

> On Thursday, August 25, 2016 at 4:20:05 AM UTC-5, John T. Haggerty wrote:
> > I have the following issue (seems to be common although my details seem to differ):
> >
> > 1. I recently registered a new domain as WWW.whatever.org or whatever.
> >
> > 2. Postfix gets installed.
> >
> > 3. "Internet site " is enabled fqdn added.
> >
> > 4. Email cannot be sent out to my Gmail address since it magically "times out" when contacting the servers (even though telnetting to mine and Gmail's works fine at port 25)
> >
> > 5. In theory this should mean that they aren't blocking 25, and it should work.
> >
> > 6. In the core wiki for Postfix I have the MX record of my server updated from the registrar to mail.whatever.org (pita since it's dynamic and not static).
> >
> > 7. I want to avoid using gmail's smtp and comcast's servers since I'd love to host this on my own.
> >
> > How can this be accomplished in Debian (not Ubuntu, or something else)? (I get irritated at Ubuntu specific explanations {which usually don't work} getting all the search results)
> >
> > Any help would be appreciated as I spent ~3 days of work and wiping the entire OS in case I went wrong somewhere.
>
> from what i have read in the past it's comcast(cable providers in general)
> that have their ports closed for people trying to run mail servers on home
> accounts, business accounts can have them.
>
> you could try to have your dynamic hostname provider send your incoming
> mail to a different port and then just configure your postfix to listen
> there.  this might also work for your outgoing, yet not sure.
>
> check with comcast blocking what ports.  sometimes they will block
> 80(http) also.
>
> good luck.
>
>




Re: Getting fqdn, postfix, Comcast to all play nice together

2016-08-25 Thread John T. Haggerty
So how do you dynamically specify getting a connection to be secured or
not? If it's only Gmail, why can I telnet to their port and get their mail
server?

Seems counterintuitive.

On Aug 25, 2016 5:54 AM, "Mark Fletcher" <mark2...@gmail.com> wrote:

>
> On Thu, 25 Aug 2016 at 18:16, John T. Haggerty <jpcoo...@gmail.com> wrote:
>
>> I have the following issue (seems to be common although my details seem
>> to differ):
>>
>> 1. I recently registered a new domain as WWW.whatever.org or whatever.
>>
>> 2. Postfix gets installed.
>>
>> 3. "Internet site " is enabled fqdn added.
>>
>> 4. Email cannot be sent out to my Gmail address since it magically "times
>> out" when contacting the servers (even though telnetting to mine and
>> Gmail's works fine at port 25)
>>
>> 5. In theory this should mean that they aren't blocking 25, and it should
>> work.
>>
>> 6. In the core wiki for Postfix I have the MX record of my server updated
>> from the registrar to mail.whatever.org (pita since it's dynamic and not
>> static).
>>
>> 7. I want to avoid using gmail's smtp and comcast's servers since I'd
>> love to host this on my own.
>>
>> How can this be accomplished in Debian (not Ubuntu, or something else)?
>> (I get irritated at Ubuntu specific explanations {which usually don't work}
>> getting all the search results)
>>
>> Any help would be appreciated as I spent ~3 days of work and wiping the
>> entire OS in case I went wrong somewhere.
>>
> Gmail doesn't block port 25 but they do refuse all non-secured attempts to
> connect.
>
> Mark
>


Getting fqdn, postfix, Comcast to all play nice together

2016-08-25 Thread John T. Haggerty
I have the following issue (seems to be common although my details seem to
differ):

1. I recently registered a new domain as WWW.whatever.org or whatever.

2. Postfix gets installed.

3. "Internet site " is enabled fqdn added.

4. Email cannot be sent out to my Gmail address since it magically "times
out" when contacting the servers (even though telnetting to mine and
Gmail's works fine at port 25)

5. In theory this should mean that they aren't blocking 25, and it should
work.

6. In the core wiki for Postfix I have the MX record of my server updated
from the registrar to mail.whatever.org (pita since it's dynamic and not
static).

7. I want to avoid using gmail's smtp and comcast's servers since I'd love
to host this on my own.

How can this be accomplished in Debian (not Ubuntu, or something else)? (I
get irritated at Ubuntu specific explanations {which usually don't work}
getting all the search results)

Any help would be appreciated as I spent ~3 days of work and wiping the
entire OS in case I went wrong somewhere.


Re: Failure to install request-tracker4 in Jessie Newest

2016-04-08 Thread John T. Haggerty
I really hope I don't have to mess around with the source in this case,
because in theory Debian has this already from the package I installed
right?

I'm referring to the following citation:
https://www.question-defense.com/2009/12/29/invalid-command-fastcgiexternalserver-perhaps-misspelled-or-defined-by-a-module-not-included-in-the-server-configuration


On Thu, Apr 7, 2016 at 4:10 PM, John T. Haggerty <jpcoo...@gmail.com> wrote:

> So I was able to get into the advice on these installations but it seems
> that I've hit another snag on this, namely activating fast cgi, and getting
> it to be loaded by RT. Apparently fastcgi is installed in Apache, but
> getting Apache to load RT's call to fastcgi (? I guess) is failing.
>
> The apache.conf is below:
>
> # This is the main Apache server configuration file.  It contains the
> # configuration directives that give the server its instructions.
> # See http://httpd.apache.org/docs/2.4/ for detailed information about
> # the directives and /usr/share/doc/apache2/README.Debian about Debian specific
> # hints.
> #
> #
> # Summary of how the Apache 2 configuration works in Debian:
> # The Apache 2 web server configuration in Debian is quite different to
> # upstream's suggested way to configure the web server. This is because Debian's
> # default Apache2 installation attempts to make adding and removing modules,
> # virtual hosts, and extra configuration directives as flexible as possible, in
> # order to make automating the changes and administering the server as easy as
> # possible.
>
> # It is split into several files forming the configuration hierarchy outlined
> # below, all located in the /etc/apache2/ directory:
> #
> #   /etc/apache2/
> #   |-- apache2.conf
> #   |   `--  ports.conf
> #   |-- mods-enabled
> #   |   |-- *.load
> #   |   `-- *.conf
> #   |-- conf-enabled
> #   |   `-- *.conf
> #   `-- sites-enabled
> #       `-- *.conf
> #
> #
> # * apache2.conf is the main configuration file (this file). It puts the pieces
> #   together by including all remaining configuration files when starting up the
> #   web server.
> #
> # * ports.conf is always included from the main configuration file. It is
> #   supposed to determine listening ports for incoming connections which can be
> #   customized anytime.
> #
> # * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
> #   directories contain particular configuration snippets which manage modules,
> #   global configuration fragments, or virtual host configurations,
> #   respectively.
> #
> #   They are activated by symlinking available configuration files from their
> #   respective *-available/ counterparts. These should be managed by using our
> #   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
> #   their respective man pages for detailed information.
> #
> # * The binary is called apache2. Due to the use of environment variables, in
> #   the default configuration, apache2 needs to be started/stopped with
> #   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
> #   work with the default configuration.
>
>
> # Global configuration
> #
>
> #
> # ServerRoot: The top of the directory tree under which the server's
> # configuration, error, and log files are kept.
> #
> # NOTE!  If you intend to place this on an NFS (or otherwise network)
> # mounted filesystem then please read the Mutex documentation (available
> # at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
> # you will save yourself a lot of trouble.
> #
> # Do NOT add a slash at the end of the directory path.
> #
> #ServerRoot "/etc/apache2"
>
> #
> # The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
> #
> Mutex file:${APACHE_LOCK_DIR} default
>
> #
> # PidFile: The file in which the server should record its process
> # identification number when it starts.
> # This needs to be set in /etc/apache2/envvars
> #
> PidFile ${APACHE_PID_FILE}
>
> #
> # Timeout: The number of seconds before receives and sends time out.
> #
> Timeout 300
>
> #
> # KeepAlive: Whether or not to allow persistent connections (more than
> # one request per connection). Set to "Off" to deactivate.
> #
> KeepAlive On
>
> #
> # MaxKeepAliveRequests: The maximum number of requests to allow
> # during a persistent connection.

Re: Failure to install request-tracker4 in Jessie Newest

2016-04-07 Thread John T. Haggerty
So I was able to get into the advice on these installations but it seems
that I've hit another snag on this, namely activating fast cgi, and getting
it to be loaded by RT. Apparently fastcgi is installed in Apache, but
getting Apache to load RT's call to fastcgi (? I guess) is failing.

The apache.conf is below:

# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.

# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
#   /etc/apache2/
#   |-- apache2.conf
#   |   `--  ports.conf
#   |-- mods-enabled
#   |   |-- *.load
#   |   `-- *.conf
#   |-- conf-enabled
#   |   `-- *.conf
#   `-- sites-enabled
#       `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
#   together by including all remaining configuration files when starting up the
#   web server.
#
# * ports.conf is always included from the main configuration file. It is
#   supposed to determine listening ports for incoming connections which can be
#   customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
#   directories contain particular configuration snippets which manage modules,
#   global configuration fragments, or virtual host configurations,
#   respectively.
#
#   They are activated by symlinking available configuration files from their
#   respective *-available/ counterparts. These should be managed by using our
#   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
#   their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
#   the default configuration, apache2 needs to be started/stopped with
#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
#   work with the default configuration.


# Global configuration
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
Mutex file:${APACHE_LOCK_DIR} default

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5


# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups On

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error 

Re: Failure to install request-tracker4 in Jessie Newest

2016-04-07 Thread John T. Haggerty
That was able to work, however at the moment I've run into an issue that I
think I had years before namely the inability of the base installation
(even with the questions that the system asks during configuration of
request-tracker4) failing to give anything but a 404 error when hitting up
localhost/rt. I can get the basic apache page under localhost however.

So far the tutorials seem to be tailored for anything other than debian, or
a "it worked, no problems" response from most of them.

Ideas?

On Wed, Apr 6, 2016 at 4:36 PM, Christian Seiler <christ...@iwakd.de> wrote:

> Hi,
>
> On 04/07/2016 12:14 AM, John T. Haggerty wrote:
> > deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official amd64 DVD Binary-1 20160123-19:03]/ jessie contrib main
> >
> > deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official amd64 DVD Binary-2 20160123-19:03]/ jessie contrib main
> >
> > deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official amd64 DVD Binary-3 20160123-19:03]/ jessie contrib main
>
> So here you still have the DVDs as your primary archive source, and no
> network mirror. This is possible to do, but if for any reason you (or
> something you ran where you didn't necessarily know the side effects
> of) deleted your /var/lib/apt/lists/ at some point, apt-get update will
> not automatically restore the package lists from the CDs.
>
> You have two options:
>
> A. Switch over to use a network mirror for installations. In that case,
> remove the cdrom lines (but _only_ the cdrom lines) and add something
> like the following to your sources.list:
>     deb http://httpredir.debian.org/debian jessie main
> Then run apt-get update again.
>
> B. Continue using the DVDs, but have APT re-read the lists of packages.
> For that, also remove the cdrom lines, and then run the following
> command:
>     apt-cdrom add
> It will prompt you to insert the DVD. After it has copied the list
> from the DVD and you get the command line back, run it again and repeat
> the process for all 3 DVDs. Then run apt-get update again.
>
> After either of these procedures, you should be able to install the
> package you wanted to install.
>
> IMPORTANT:
>
> There's a subtle difference between both of the methods: the network
> mirrors carry only the _latest_ Jessie point release, which is now
> 8.4. So if you add a network mirror, there will be a few upgrades
> available and you'll upgrade to that next point release. If you stick
> with the DVDs, you'll remain on 8.3 with the exception of security
> updates, which you have enabled.
>
> > # jessie-updates, previously known as 'volatile'
> > # A network mirror was not selected during install.  The following entries
> > # are provided as examples, but you should amend them as appropriate
> > # for your mirror of choice.
> > #
> > # deb http://ftp.debian.org/debian/ jessie-updates main contrib
> > # deb-src http://ftp.debian.org/debian/ jessie-updates main contrib
> > # wheezy-backports
> > deb http://ftp.debian.org/debian/ wheezy-backports main
>
> This has nothing to do with your problem, but I would not recommend
> using wheezy-backports in combination with Jessie. (It shouldn't
> hurt, as all packages in wheezy-backports should also be in jessie
> in basically the same version, but it's not what you should have
> there.) If you need backports _for_ jessie, replace that with
> jessie-backports. See http://backports.debian.org/ and
> http://backports.debian.org/Instructions/ for details.
>
> Regards,
> Christian
>
>




Re: Failure to install request-tracker4 in Jessie Newest

2016-04-06 Thread John T. Haggerty
The update command as root updated the list and the like. Reattempting the
install also failed.

The contents are:

#

# deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official amd64 DVD Binary-1 20160123-19:03]/ jessie contrib main

deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official amd64 DVD Binary-1 20160123-19:03]/ jessie contrib main

deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official amd64 DVD Binary-2 20160123-19:03]/ jessie contrib main

deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official amd64 DVD Binary-3 20160123-19:03]/ jessie contrib main

deb http://security.debian.org/ jessie/updates main contrib
deb-src http://security.debian.org/ jessie/updates main contrib

# jessie-updates, previously known as 'volatile'
# A network mirror was not selected during install.  The following entries
# are provided as examples, but you should amend them as appropriate
# for your mirror of choice.
#
# deb http://ftp.debian.org/debian/ jessie-updates main contrib
# deb-src http://ftp.debian.org/debian/ jessie-updates main contrib
# wheezy-backports
deb http://ftp.debian.org/debian/ wheezy-backports main

On Apr 6, 2016 14:26, "Christian Seiler" <christ...@iwakd.de> wrote:

> On 04/06/2016 10:23 PM, John T. Haggerty wrote:
> > There is a /etc/apt/sources.list.d/ but only have a chrome.txt or something
> > like that in there.
>
> That's good to know, but that doesn't answer my other questions: what
> is the contents of your /etc/apt/sources.list (without .d) and what
> happens when you do the following as root?
>
> apt-get update
>
> Without that information, we won't be able to help you.
>
> Regards,
> Christian
>
>


Re: Failure to install request-tracker4 in Jessie Newest

2016-04-06 Thread John T. Haggerty
There is a /etc/apt/sources.list.d/ but only have a chrome.txt or something
like that in there.

On Wed, Apr 6, 2016 at 2:18 PM, Christian Seiler <christ...@iwakd.de> wrote:

> On 04/06/2016 10:12 PM, John T. Haggerty wrote:
> > I would like to get request tracker working but the main package fails to
> > install. I am getting the following errors: [...]
> >
> >  request-tracker4 : Depends: libhtml-mason-perl (>= 1:1.43) which is a
> > virtual package.
>
> libhtml-mason-perl is not actually a virtual package - and the only
> way APT would think that is if you don't have an APT source that
> includes it, but you do have another APT source that references it.
>
> Since the current version of request-tracker4 is available in both
> the main Debian archive as well as the security repository (because
> of a security update from last August, see DSA 3335-1), my suspicion
> is that you _only_ have the security archive enabled in your
> sources.list _or_ the download of the main sources.list failed for
> some reason.
>
> Therefore, answers to the following questions will allow us to figure
> out what is wrong on your system:
>
>  - what is your /etc/apt/sources.list?
>    (Also, are there files in /etc/apt/sources.list.d?)
>  - what happens if you do "apt-get update" or "apt update" or
>    "aptitude update"?
>
> Regards,
> Christian
>
>


-- 
"The death of one man is a tragedy, the death of 10 million is a statistic"
-- Joseph Stalin

"Omnia mutantur, nihil interit"
(Translation:
Everything changes, nothing is lost.)
-- Ovid, _Metamorphoses_


sources.list
Description: Binary data
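
The diagnosis quoted in the message above (an APT source that references the dependencies while no enabled source ships them) can be checked mechanically. The following is an added example, not part of the thread: the sample sources.list text is constructed and the function names are hypothetical. It handles only the one-line `deb ...` format.

```python
import re

# Suites layered on top of a base release: security ("jessie/updates"),
# point-release updates, backports, proposed-updates.
OVERLAY = re.compile(
    r"^(?P<base>[a-z]+)"
    r"(?:/updates|-(?:security|updates|backports|proposed-updates))$"
)

# Constructed sample: the release entry is commented out, so only the
# security and backports suites are active.
SAMPLE_BROKEN = """\
# deb http://ftp.debian.org/debian/ jessie main contrib
deb http://security.debian.org/ jessie/updates main contrib
# deb http://ftp.debian.org/debian/ jessie-updates main contrib
deb http://ftp.debian.org/debian/ wheezy-backports main
"""


def parse_entries(text):
    """Return (type, uri, suite, components) for each active one-line entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        line = re.sub(r"\[[^\]]*\]", " ", line)   # drop [ arch=... ] options
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
            continue
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def releases_without_base(text):
    """Release names that have overlay suites enabled but no base suite.

    Packages in an overlay suite declare dependencies that normally live in
    the base suite's 'main' component. If that suite is not enabled, APT
    knows the dependency names only by reference and cannot install them.
    """
    base, overlay = set(), set()
    for kind, _uri, suite, comps in parse_entries(text):
        if kind != "deb":
            continue                              # deb-src carries no binaries
        match = OVERLAY.match(suite)
        if match:
            overlay.add(match.group("base"))
        elif "main" in comps:
            base.add(suite)
    return sorted(overlay - base)


if __name__ == "__main__":
    for release in releases_without_base(SAMPLE_BROKEN):
        print("no base suite enabled for:", release)
```

A non-empty result means `apt-get update` can succeed while installs still fail on unmet dependencies, which is why the reply asks for both the file contents and the update output.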


Failure to install request-tracker4 in Jessie Newest

2016-04-06 Thread John T. Haggerty
I would like to get request tracker working but the main package fails to
install. I am getting the following errors:

sudo aptitude install request-tracker4
The following NEW packages will be installed:
  request-tracker4{b}
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,071 kB of archives. After unpacking 22.9 MB will be used.
The following packages have unmet dependencies:
 request-tracker4 : Depends: libhtml-mason-perl (>= 1:1.43) which is a
virtual package.
Depends: libapache-session-perl (>= 1.53) which is a
virtual package.
Depends: libdbix-searchbuilder-perl (>= 1.66) but it is
not going to be installed.
Depends: liblocale-maketext-fuzzy-perl (>= 0.11) which
is a virtual package.
Depends: libtext-wikiformat-perl which is a virtual
package.
Depends: libmodule-versions-report-perl (>= 1.03) which
is a virtual package.
Depends: libtree-simple-perl (>= 1.04) which is a
virtual package.
Depends: libperlio-eol-perl which is a virtual package.
Depends: libdata-ical-perl which is a virtual package.
Depends: libhtml-quoted-perl which is a virtual package.
Depends: libtext-password-pronounceable-perl which is a
virtual package.
Depends: libregexp-common-net-cidr-perl which is a
virtual package.
Depends: libregexp-ipv6-perl which is a virtual package.
Depends: libcgi-psgi-perl (>= 0.12) which is a virtual
package.
Depends: libhtml-mason-psgihandler-perl (>= 0.52) which
is a virtual package.
Depends: libdata-guid-perl which is a virtual package.
Depends: libhtml-formattext-withlinks-perl (>= 0.14)
which is a virtual package.
Depends: libhtml-formattext-withlinks-andtables-perl
which is a virtual package.
Depends: libcrypt-x509-perl which is a virtual package.
Depends: libcss-squish-perl which is a virtual package.
The following actions will resolve these dependencies:

 Keep the following packages at their current version:
1) request-tracker4 [Not Installed]



Accept this solution? [Y/n/q/?] q


There is no other "solution" aside from quitting. For some bizarre reason
those packages seem to not exist as names :(

Any help would be appreciated in advance.



Fwd: new laptop: DVD or Blu-ray

2015-08-20 Thread John T. Haggerty
Future proofing mostly. Blu-ray drives should be backwards compatible with
DVD.

-- Forwarded message -
From: ken geb...@mousecar.com
Date: Thu, Aug 20, 2015, 04:54
Subject: new laptop: DVD or Blu-ray
To: CentOS mailing list cen...@centos.org, Debian Users 
debian-user@lists.debian.org


One of the build options for a laptop I'm looking at buying is DVD vs
Blu-Ray.  I've never used Blu-ray before, so is there some compelling
reason, as a Linux guy, to want to get Blu-ray?


Re: Issues with openvpn and virtualbox as the sole networking provider

2015-05-22 Thread John T. Haggerty
Hopefully my replies are being received. I would hate to think that there
is another issue as well :-( Presently I have got the BP and to the point
where I can ping the VPN's specific IP address. I don't have any other
internet connection to the entire guest image after the connection is made
aside from this. I'm not sure why there's such an asymmetry between Android
version of this process and Linux version since they have some of the same
utilities in much the same internal structure. If I'm leaving information
out the necessary I'd love to know what I have to provide.
On May 21, 2015 10:24 AM, John T. Haggerty jpcoo...@gmail.com wrote:

 It seems that this could get fixed fairly easily as this must happen a
 great deal
 On May 20, 2015 18:31, John T. Haggerty jpcoo...@gmail.com wrote:

 Also this workaround fails to work

 http://www.blackmoreops.com/2015/03/01/setup-vpn-on-kali-linux/ Again
 provider agnostic

 On Wed, May 20, 2015 at 6:28 PM, John T. Haggerty jpcoo...@gmail.com
 wrote:

 For example here
 http://www.ibvpn.com/billing/knowledgebase/50/Set-up-the-PPTP-VPN-connection-on-Linux-Network-Manager-GUI.html
 fails to work for me on Debian gnome. This is not the provider in question
 however.

 On Tue, May 19, 2015 at 2:31 PM, John T. Haggerty jpcoo...@gmail.com
 wrote:

 I don't know if I am able to convey this correctly but here goes:

 I have been using Linux for a while but had a hiatus of about 10 years
 so it's been a slow requisition of learned skills. To that end I was
 thrilled that VirtualBox technology came out recently in order to give this
 a much easier time in connecting to the network and using operating systems
 seamlessly.

 I installed the virtual box package and got the newest Debian DVD ISO
 and was able to get it all installed from what looks like a complete
 install. My issues are with my VPN provider that I use. They provide all
 the configuration on their end so I have no need to be able to offer server
 configs and the like nor can I randomly copy files over. I have an ovpn
 file, a .crt or certification file and of course my username and password.
 This seems to be good enough to get my android devices connected with a
 port of ovpn.

 The issues are with getting networking to recognize the vpn as the sole
 transparent provider on the instance end. It can initialize and create the
 tun0. I tried to get this configured but it seems that getting this done
 assumes several things which are not accurate in my case:

 1. I want to run both a client and server and have complete access to
 both (the provider I work with handles all the server stuff and I don't
 have to do that, and it technically works without it).

 2. All the key generation, random other stuff that the wiki assumes is
 required is apparently not required.

 3. I'm not able to get any documentation from the net that seems to
 disagree with my need to do this at all (Google searches keep
 re-referencing the document with every single re-phrasing of the request I
 need).

 4. I tried to mess with iptables and the like and get that to work
 which only succeeded in shutting off all access to websites that I tried to
 use

 5. No one has apparently had any issues with Network Manager or its kin
 that weren't easily solved, and or have never used the virtualization
 technology.

 I'm sure I have to check things out but I need to know if anyone has
 done this before, what else I need to share (and what I can and must keep
 private due to not wanting to void my privacy)

 Thanks for the help


Re: Issues with openvpn and virtualbox as the sole networking provider

2015-05-21 Thread John T. Haggerty
It seems that this could get fixed fairly easily as this must happen a
great deal
On May 20, 2015 18:31, John T. Haggerty jpcoo...@gmail.com wrote:

 Also this workaround fails to work

 http://www.blackmoreops.com/2015/03/01/setup-vpn-on-kali-linux/ Again
 provider agnostic

 On Wed, May 20, 2015 at 6:28 PM, John T. Haggerty jpcoo...@gmail.com
 wrote:

 For example here
 http://www.ibvpn.com/billing/knowledgebase/50/Set-up-the-PPTP-VPN-connection-on-Linux-Network-Manager-GUI.html
 fails to work for me on Debian gnome. This is not the provider in question
 however.

 On Tue, May 19, 2015 at 2:31 PM, John T. Haggerty jpcoo...@gmail.com
 wrote:

 I don't know if I am able to convey this correctly but here goes:

 I have been using Linux for a while but had a hiatus of about 10 years
 so it's been a slow requisition of learned skills. To that end I was
 thrilled that VirtualBox technology came out recently in order to give this
 a much easier time in connecting to the network and using operating systems
 seamlessly.

 I installed the virtual box package and got the newest Debian DVD ISO
 and was able to get it all installed from what looks like a complete
 install. My issues are with my VPN provider that I use. They provide all
 the configuration on their end so I have no need to be able to offer server
 configs and the like nor can I randomly copy files over. I have an ovpn
 file, a .crt or certification file and of course my username and password.
 This seems to be good enough to get my android devices connected with a
 port of ovpn.

 The issues are with getting networking to recognize the vpn as the sole
 transparent provider on the instance end. It can initialize and create the
 tun0. I tried to get this configured but it seems that getting this done
 assumes several things which are not accurate in my case:

 1. I want to run both a client and server and have complete access to
 both (the provider I work with handles all the server stuff and I don't
 have to do that, and it technically works without it).

 2. All the key generation, random other stuff that the wiki assumes is
 required is apparently not required.

 3. I'm not able to get any documentation from the net that seems to
 disagree with my need to do this at all (Google searches keep
 re-referencing the document with every single re-phrasing of the request I
 need).

 4. I tried to mess with iptables and the like and get that to work which
 only succeeded in shutting off all access to websites that I tried to use

 5. No one has apparently had any issues with Network Manager or its kin
 that weren't easily solved, and or have never used the virtualization
 technology.

 I'm sure I have to check things out but I need to know if anyone has
 done this before, what else I need to share (and what I can and must keep
 private due to not wanting to void my privacy)

 Thanks for the help


Re: Issues with openvpn and virtualbox as the sole networking provider

2015-05-20 Thread John T. Haggerty
Also this workaround fails to work

http://www.blackmoreops.com/2015/03/01/setup-vpn-on-kali-linux/ Again
provider agnostic

On Wed, May 20, 2015 at 6:28 PM, John T. Haggerty jpcoo...@gmail.com
wrote:

 For example here
 http://www.ibvpn.com/billing/knowledgebase/50/Set-up-the-PPTP-VPN-connection-on-Linux-Network-Manager-GUI.html
 fails to work for me on Debian gnome. This is not the provider in question
 however.

 On Tue, May 19, 2015 at 2:31 PM, John T. Haggerty jpcoo...@gmail.com
 wrote:

 I don't know if I am able to convey this correctly but here goes:

 I have been using Linux for a while but had a hiatus of about 10 years so
 it's been a slow requisition of learned skills. To that end I was thrilled
 that VirtualBox technology came out recently in order to give this a much
 easier time in connecting to the network and using operating systems
 seamlessly.

 I installed the virtual box package and got the newest Debian DVD ISO and
 was able to get it all installed from what looks like a complete install.
 My issues are with my VPN provider that I use. They provide all the
 configuration on their end so I have no need to be able to offer server
 configs and the like nor can I randomly copy files over. I have an ovpn
 file, a .crt or certification file and of course my username and password.
 This seems to be good enough to get my android devices connected with a
 port of ovpn.

 The issues are with getting networking to recognize the vpn as the sole
 transparent provider on the instance end. It can initialize and create the
 tun0. I tried to get this configured but it seems that getting this done
 assumes several things which are not accurate in my case:

 1. I want to run both a client and server and have complete access to
 both (the provider I work with handles all the server stuff and I don't
 have to do that, and it technically works without it).

 2. All the key generation, random other stuff that the wiki assumes is
 required is apparently not required.

 3. I'm not able to get any documentation from the net that seems to
 disagree with my need to do this at all (Google searches keep
 re-referencing the document with every single re-phrasing of the request I
 need).

 4. I tried to mess with iptables and the like and get that to work which
 only succeeded in shutting off all access to websites that I tried to use

 5. No one has apparently had any issues with Network Manager or its kin
 that weren't easily solved, and or have never used the virtualization
 technology.

 I'm sure I have to check things out but I need to know if anyone has done
 this before, what else I need to share (and what I can and must keep
 private due to not wanting to void my privacy)

 Thanks for the help



Re: Issues with openvpn and virtualbox as the sole networking provider

2015-05-20 Thread John T. Haggerty
For example here
http://www.ibvpn.com/billing/knowledgebase/50/Set-up-the-PPTP-VPN-connection-on-Linux-Network-Manager-GUI.html
fails to work for me on Debian gnome. This is not the provider in question
however.

On Tue, May 19, 2015 at 2:31 PM, John T. Haggerty jpcoo...@gmail.com
wrote:

 I don't know if I am able to convey this correctly but here goes:

 I have been using Linux for a while but had a hiatus of about 10 years so
 it's been a slow requisition of learned skills. To that end I was thrilled
 that VirtualBox technology came out recently in order to give this a much
 easier time in connecting to the network and using operating systems
 seamlessly.

 I installed the virtual box package and got the newest Debian DVD ISO and
 was able to get it all installed from what looks like a complete install.
 My issues are with my VPN provider that I use. They provide all the
 configuration on their end so I have no need to be able to offer server
 configs and the like nor can I randomly copy files over. I have an ovpn
 file, a .crt or certification file and of course my username and password.
 This seems to be good enough to get my android devices connected with a
 port of ovpn.

 The issues are with getting networking to recognize the vpn as the sole
 transparent provider on the instance end. It can initialize and create the
 tun0. I tried to get this configured but it seems that getting this done
 assumes several things which are not accurate in my case:

 1. I want to run both a client and server and have complete access to both
 (the provider I work with handles all the server stuff and I don't have to
 do that, and it technically works without it).

 2. All the key generation, random other stuff that the wiki assumes is
 required is apparently not required.

 3. I'm not able to get any documentation from the net that seems to
 disagree with my need to do this at all (Google searches keep
 re-referencing the document with every single re-phrasing of the request I
 need).

 4. I tried to mess with iptables and the like and get that to work which
 only succeeded in shutting off all access to websites that I tried to use

 5. No one has apparently had any issues with Network Manager or its kin
 that weren't easily solved, and or have never used the virtualization
 technology.

 I'm sure I have to check things out but I need to know if anyone has done
 this before, what else I need to share (and what I can and must keep
 private due to not wanting to void my privacy)

 Thanks for the help



Issues with openvpn and virtualbox as the sole networking provider

2015-05-19 Thread John T. Haggerty
I don't know if I am able to convey this correctly but here goes:

I have been using Linux for a while but had a hiatus of about 10 years so
it's been a slow requisition of learned skills. To that end I was thrilled
that VirtualBox technology came out recently in order to give this a much
easier time in connecting to the network and using operating systems
seamlessly.

I installed the virtual box package and got the newest Debian DVD ISO and
was able to get it all installed from what looks like a complete install.
My issues are with my VPN provider that I use. They provide all the
configuration on their end so I have no need to be able to offer server
configs and the like nor can I randomly copy files over. I have an ovpn
file, a .crt or certification file and of course my username and password.
This seems to be good enough to get my android devices connected with a
port of ovpn.

The issues are with getting networking to recognize the vpn as the sole
transparent provider on the instance end. It can initialize and create the
tun0. I tried to get this configured but it seems that getting this done
assumes several things which are not accurate in my case:

1. I want to run both a client and server and have complete access to both
(the provider I work with handles all the server stuff and I don't have to
do that, and it technically works without it).

2. All the key generation, random other stuff that the wiki assumes is
required is apparently not required.

3. I'm not able to get any documentation from the net that seems to
disagree with my need to do this at all (Google searches keep
re-referencing the document with every single re-phrasing of the request I
need).

4. I tried to mess with iptables and the like and get that to work which
only succeeded in shutting off all access to websites that I tried to use

5. No one has apparently had any issues with Network Manager or its kin
that weren't easily solved, and or have never used the virtualization
technology.

I'm sure I have to check things out but I need to know if anyone has done
this before, what else I need to share (and what I can and must keep
private due to not wanting to void my privacy)

Thanks for the help
