[EUG-LUG:939] Re: Demo Linux -security

2001-05-10 Thread Jacob Meuser

On Wed, May 09, 2001 at 07:01:52PM -0700, Timothy Bolz wrote:
 I have a question about Demo Linux and possibly could be used for other
 distros.  If Demo Linux is run from CD, it almost makes it hack proof is what
 I'm thinking.  Sure everything that is memory and mounted file systems would be
 hackable.  But let's say you have a cron job run a diagnostics on memory and
 file structure.  Since Demo Linux is run from a CD I believe it would be
 read-only.  So if I got a Distro to where I like it I could burn it on a CD and
 it would be read-only. 

You don't need to burn a CD to have a nonwritable filesystem.  You
can mount most filesystems read only, and some disks and BIOSes can
block writing.
  
To switch from writable to read only in linux:
# mount -r -o remount /mount/point
to go back:
# mount -w -o remount /mount/point

rw to ro in OpenBSD:
# mount -r -u /mount/point
and back:
# mount -w -u /mount/point

Just make sure you don't make /var and /tmp read only :)

[EMAIL PROTECTED]
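An added example, not part of the original post: a check a cron job could run on Linux to confirm that the root filesystem is mounted read-only while /var and /tmp stay writable. The sample table is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in Linux /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
/dev/hda1 / ext2 ro 0 0
/dev/hda2 /var ext2 rw 0 0
/dev/hda3 /tmp ext2 ro,nosuid 0 0
/dev/hda5 /mnt/my\\040data ext2 rw,noexec 0 0
"""

MUST_STAY_WRITABLE = ("/var", "/tmp")  # from the advice in the post


def parse_mounts(text):
    """Map each mount point to 'ro' or 'rw'; a later entry overrides an earlier one."""
    state = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
        state[point] = "ro" if "ro" in fields[3].split(",") else "rw"
    return state


def mode_of(path, state):
    """Mode of the filesystem that holds path: the longest mount point prefixing it."""
    holders = [p for p in state if path == p or path.startswith(p.rstrip("/") + "/")]
    return state[max(holders, key=len)] if holders else None


def audit(text, expect_ro=("/",)):
    """Return a list of findings; an empty list means the layout matches."""
    state = parse_mounts(text)
    findings = []
    for path in expect_ro:
        if mode_of(path, state) != "ro":
            findings.append(f"{path}: expected read-only")
    for path in MUST_STAY_WRITABLE:
        if mode_of(path, state) == "ro":
            findings.append(f"{path}: read-only, needs to be writable")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MOUNTS)) or "layout OK")
```

On a live system the text would come from reading /proc/mounts; a /var or /tmp that has no mount of its own inherits the mode of the filesystem above it, which is why the check resolves the containing mount.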




[EUG-LUG:940] Re: python or perl or $yfsl?

2001-05-10 Thread Jacob Meuser

On Wed, May 09, 2001 at 06:06:33AM -0700, larry a price wrote:
 On Tue, 8 May 2001, Jacob Meuser wrote:
  One other thing to note - perl is standard on almost every Unix-like
  OS.  Python is not, at least not yet.  
 
 It's standard with redhat and its relatives (it's behind that nice
 graphical install) It's also the implementation behind esr's latest project
 CML2 which is a build-time configurator for the linux kernel
 
  I would venture to say that mod_perl
  is in wider use than mod_python, if you're looking for web usage.
 
 There's also Zope, which is an application server written in python and
 provides its own webserver and object persistence framework. Zope is sort
 of the cadillac of web programming environments, very nice but rather big
 and demanding of resources.
   
  Does the concept of tainted data exist in python?  Haven't looked into
  it thoroughly yet.  Are there any built in security features in python?
 
 What do you mean by tainted data? I've heard the term before, but it was
 in Javascript context. There is a standard library module rexec which
 provides a restricted execution environment for executing untrusted
 code. As well as the standard regular expressions available for filtering
 out nasties from cgi input. Otherwise, it's up to you (doesn't matter what
 language).

True, the security of code first comes from the coder.  But it doesn't
hurt to have some kind of backing for any code, no matter how secure it
may seem.
Tainted data in perl is basically anything that comes into your program
from outside sources, be it a database, user input, data from a file,
whatever.  In taint mode, tainted data (at least theoretically) cannot
be used to affect anything else outside the program.  Perl goes into
taint mode automatically when it notices that real and effective
UIDs and GIDs are out of sync.  You can also enable taint mode with
the -T flag.  This is highly recommended for CGI scripts.

[EMAIL PROTECTED]

 
 --larry
 




[EUG-LUG:941] Re: python or perl or $yfsl?

2001-05-10 Thread larry a price

On Thu, 10 May 2001, Jacob Meuser wrote:
--snip--
 
 True, the security of code first comes from the coder.  But it doesn't
 hurt to have some kind of backing for any code, no matter how secure it
 may seem.
 Tainted data in perl is basically anything that comes into your program
 from outside sources, be it a database, user input, data from a file,
 whatever.  In taint mode, tainted data (at least theoretically) cannot
 be used to affect anything else outside the program.  Perl goes into
 taint mode automatically when it notices that real and effective
 UIDs and GIDs are out of sync.  You can also enable taint mode with
 the -T flag.  This is highly recommended for CGI scripts.
 

This may just be a difference in outlook, but it sounds like the kind of
under-the-covers-magic that makes perl so difficult for the outsider.
Yes python won't stop you from doing something like

os.chdir(some_user_supplied_variable)
os.execv(user_supplied_path,user_supplied_env_dict)

but you're unlikely to do so by accident. Which does occasionally seem
like it might be possible in perl ;-)

Of course we all know that perl and python will eventually give way to
something better
http://www.oreilly.com/parrot
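An added sketch, not code from either poster: Python has no taint mode, but the rule described for Perl (outside data is marked, and only a pattern match clears the mark before it may reach a call such as os.chdir) can be approximated with a marker type. All names here (Tainted, untaint, guarded, SAFE_NAME) are hypothetical.

```python
import functools
import os
import re


class TaintError(Exception):
    """Raised when unchecked outside data reaches a guarded call."""


class Tainted(str):
    """Marks a string that came from outside the program."""

    # Concatenation keeps the mark. Slicing, formatting and other str methods
    # return plain str in this sketch, a gap Perl's taint mode does not have.
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def untaint(value, pattern):
    """Return a plain str only if the whole value matches pattern, else raise."""
    if re.fullmatch(pattern, value) is None:
        raise TaintError(f"input rejected: {value!r}")
    return str(value)


def guarded(func):
    """Wrap a sink so it refuses any Tainted positional or keyword argument."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        for arg in (*args, *kwargs.values()):
            if isinstance(arg, Tainted):
                raise TaintError(f"tainted data passed to {func.__name__}")
        return func(*args, **kwargs)
    return wrapper


# Assumed policy for this example: a single path component, no slashes or dots.
SAFE_NAME = r"[A-Za-z0-9_]+"
guarded_chdir = guarded(os.chdir)

if __name__ == "__main__":
    for raw in (Tainted("reports_2001"), Tainted("../../etc")):  # constructed inputs
        try:
            print("accepted:", untaint(raw, SAFE_NAME))
        except TaintError as err:
            print(err)
```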




[EUG-LUG:942] Re: Demo Linux -security

2001-05-10 Thread Cory Petkovsek

This may be good for running a firewall or a webserver from, although kbob's point is 
very good.  Difficult to patch when exploits are found.

However, cracking a firewall or a webserver is rarely the goal (for larger companies, 
and for really serious crackers).  The real goal is that database full of customer 
credit cards behind the webserver and the firewall.  The firewall and webserver are 
merely the portals into your network.  They are gateways into the pot of gold inside.  
That's one of the key things we are trying to protect: information.  A website 
defacement is not really a big deal, although it is bad for PR.  

Other goals may be to crack your system in order to use it as a spam gateway for a few 
hours, or to install DDoS tools to make your system part of a larger attack.  Or your 
system may just be a gateway for an attacker to crack into government or international 
systems.  This is where you need the firewall logs (difficult to log onto a 
non-writeable system), and a patchable system.

Cory


On Wed, May 09, 2001 at 07:01:52PM -0700, Timothy Bolz wrote:
 I have a question about Demo Linux and possibly could be used for other
 distros.  If Demo Linux is run from CD, it almost makes it hack proof is what
 I'm thinking.  Sure everything that is memory and mounted file systems would be
 hackable.  But let's say you have a cron job run a diagnostics on memory and
 file structure.  Since Demo Linux is run from a CD I believe it would be
 read-only.  So if I got a Distro to where I like it I could burn it on a CD and
 it would be read-only.  I was talking to Larry about this and he said put it out
 on the list.  Because what I was thinking you could have a cron job check most
 everything.  Is this possible?  So if you had a website that was going to
 remain static and it was read only no one could deface it.  I know it would be
 slow as CD.  What's your thoughts?
 
 Tim




[EUG-LUG:943] Re: The Open Source Community responds to Craig Mundie's Speech

2001-05-10 Thread Dennis Soper

On 10 May 2001, at 0:06, Randolph Fritz wrote:

 On Wed, May 09, 2001 at 08:45:20PM -0700, Dexter Graphic wrote:
  Here's another one: Ransom Love, CEO of Caldera Systems, agrees
  with Mundie that the GPL doesn't make much business sense.

Ransom Love just canned Nicholas Petreley.  I wonder if he'll have 
anything to say about this comment in his InfoWorld column next 
week?

Cheers,
Dennis

Custard pies are a sort of esperanto: a  universal language. 
 --Noel Godin  




[EUG-LUG:945] I think i fixed my xmms issue :)

2001-05-10 Thread Jamie Chamoulos -- Internet.Now!

Hey... I was having a heck of a time with xmms locking up... It turns out
I have 2 output plugin options, since I'm using enlightenment, I changed it
from the oss driver to the esd driver... now it hasn't locked up yet, and
it's played for over an hour! 

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Hark, the Herald Tribune sings,
Advertising wondrous things.
-- Tom Leher
Generated by /usr/games/fortune

Jamie Chamoulos
Internet.Now!
[EMAIL PROTECTED]
http://www.efn.org/~jamie
 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*




[EUG-LUG:947] Country Fair

2001-05-10 Thread Jamie

We need to start compiling the stuff we want to hand out at the country 
fair... Do we want to do a new flyer or anything.. We probably have about 1/2 
gazillion of those little ones from last year... do we have any recent distros 
to hand out? GNU/Opensource materials?

Jamie




[EUG-LUG:949] imwheel....

2001-05-10 Thread Jamie

I have been trying to use imwheel, (well... mandrake is trying I guess...), I 
had too much trouble with it under 7.2, but 8.0 was using it fine, however 
it's locked up my machine 3 times this week... I was wondering if anyone else 
using imwheel with a generic wheel mouse might have figured out a similar 
issue?

Jamie




[EUG-LUG:951] Performance Monitors (was: KDE question (SOLVED!))

2001-05-10 Thread Bob Miller

Jamie wrote:

 I just tried gkrellm today... It's pretty cool... It's certainly nicer than 
 xosview, and more comprehensive than a bunch of epplets... ( although I like 
 the epplets, they are cool...

Now if you want a classy performance meter, there's nothing better
than the Moaning Goat Meter.  To quote the web page:

 MGM, the Moaning Goat Meter, is the ultimate sixty-ton cast
 iron lawn ornament for the desktops of today's hacker set: A
 gorgeous, highly configurable load and status meter written
 entirely in Perl. Serious pink-flamingo territory. For evil
 geniuses only.

Available at http://www.xiph.org/mgm/ , it was written by Chris
Montgomery, the hacker who brings you the Ogg Vorbis audio file
format.

-- 
Bob Miller  Kbob
kbobsoft software consulting
http://kbobsoft.com [EMAIL PROTECTED]




[EUG-LUG:952] Re: Country Fair

2001-05-10 Thread Patrick R. Wade

On Thu, May 10, 2001 at 01:43:44PM -0700, Jamie wrote:

We need to start compiling the stuff we want to hand out at the country 
fair... Do we want to do a new flyer or anything.. We probably have about 1/2 
gazillion of those little ones from last year... do we have any recent distros 
to hand out? GNU/Opensource materials?

I recall we were talking about tshirts for this year; maybe Tux on the
front with a tie-dyed belly, and the peace-love-linux logo on the back,
or perhaps the quote about there are two main exports of Berkeley; UNIX
and LSD.  We don't think this is a coincidence.  Does anyone know a tshirt
vendor?
-- 
Christos anesti ek nekron
Thanato thanaton patisas;
Kai tis en tis mnimasi
Zoin charisamenos!




[EUG-LUG:953] Re: imwheel....

2001-05-10 Thread Jamie

I suppose it could be... Ironically the mouse moves around, but clicking and 
scrolling fail, and the system gets really busy... (so busy it takes minutes 
for xdaliclock to update the time on the screen )
I did a:
ps aux |grep gpm
and it only displayed my grep... so I'm guessing gpm isn't running...

Jamie
On Thursday 10 May 2001 02:23 pm, you wrote:
 Mine works fine even using Mandrake 7.2... Are you sure not a gpm conflict?

 At 01:58 PM 5/10/2001 -0700, Jamie [EMAIL PROTECTED] wrote:
 I have been trying to use imwheel, (well... mandrake is trying I guess...),
  I had too much trouble with it under 7.2, but 8.0 was using it fine,
  however it's locked up my machine 3 times this week... I was wondering if
  anyone else using imwheel with a generic wheel mouse might have figured
  out a similar issue?
 
 Jamie




[EUG-LUG:954] Re: imwheel....

2001-05-10 Thread Jamie

Damnit just did it again!

On Thursday 10 May 2001 02:59 pm, you wrote:
 I suppose it could be... Ironically the mouse moves around, but clicking and
 scrolling fail, and the system gets really busy... (so busy it takes
 minutes for xdaliclock to update the time on the screen )
 I did a:
 ps aux |grep gpm
 and it only displayed my grep... so I'm guessing gpm isn't running...

 Jamie

 On Thursday 10 May 2001 02:23 pm, you wrote:
  Mine works fine even using Mandrake 7.2... Are you sure not a gpm
  conflict?
 
  At 01:58 PM 5/10/2001 -0700, Jamie [EMAIL PROTECTED] wrote:
  I have been trying to use imwheel, (well... mandrake is trying I
   guess...), I had too much trouble with it under 7.2, but 8.0 was using
   it fine, however it's locked up my machine 3 times this week... I was
   wondering if anyone else using imwheel with a generic wheel mouse might
   have figured out a similar issue?
  
  Jamie




[EUG-LUG:955] Macromedia flash player

2001-05-10 Thread Lindsay Crawford

Darn these graphic heavy sites, complicating life.

I recently followed these instructions. At least the download, that 
part was easy.  

The next part not so.

Unpackage the file.

From where?  I downloaded it into the user directory I was in, 
home/prime/ etc.

Now what, go into console and run these commands?

Does this work?  File under look before you leap.

Thanks,

Lindsay
16.09 PDT Thursday 10 May 2001 @97478

Below is all copied from Flash site. (sorry)

With Macromedia Flash Player, you can view the best animation
and entertainment on the Web.
Click the button to begin installation. 

Download Time Estimate: 2 minutes @ 56K modem
Version: 5.0r47
Platform: Linux
Browser: Netscape or Netscape-compatible
File size: 561 K
Date Posted: 1/29/2001
Language: English

Read the End User License Agreement 
Need a different player?


1. Click the Download Now button. A dialog box will appear
asking you where to save the Installer.

2. Save the Installer to your desktop and wait for the file to
download completely.

3. Unpackage the file.

4. Copy the Macromedia Flash Player (libflashplayer.so) into the
Netscape plug-in directory.
cp $HOME/flash_linux/libflashplayer.so /usr/lib/netscape/plugins

5. Copy the Macromedia Flash Player Java class file
(ShockwaveFlash.class) into the Netscape plug-in directory.
cp $HOME/flash_linux/ShockwaveFlash.class /usr/lib/netscape/plugins

6. Launch Netscape.

Find answers about Macromedia Flash Player privacy, licensing,
developing Flash content, and more in our list of Frequently Asked
Questions (FAQ).

©1995-2001 Macromedia, Inc. All rights reserved.
Privacy policy | Contact us | Feedback