Re: Backup encryption key

2009-04-24 Thread nir grinberg
Easy,
1. connect the USB
2. Run the TrueCrypt (http://www.truecrypt.org/)
3. Mount the un-partitioned disk (on the USB) drive.  I will be asked
for the password in the mounting process.
[10 seconds, so far]

Unless the station has something that will copy the disk, while
connected; the password by itself wouldn't help anybody (it's a local
disk, not a web application accessed by anybody with my password).

That said, since I always worry about key loggers and such, I very
much try to avoid using it from a PC/station I do not trust (I know
how easy key-loggers are to deploy ;)

BTW, I use this setup on a WD 320G Passport external disk, not as
backup, but as my Data disk.  The whole setup is fairly secured, while
still being comfortable for daily usage.


nir



-- 
Regards,

Nir Grinberg
I.T.C. IP Technologies Ltd.
n...@israelnumber.com
www.IsraelNumber.com
972.3.9707000



On Fri, Apr 24, 2009 at 3:56 PM, Dotan Cohen  wrote:
>> Nice add-on, I initially partitioned the disk and left the
>> TrueCrypt.exe in it.  I can come to any computer, connect the drive
>> via its USB, run the application and get the data (password etc).
>>
>
> That sounds like it depends upon the application being already
> installed on the computer. How do you connect the drive on computers
> that you do not own, or do not regularly use, such as public library
> computers or customers' sites?
>
> --
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
>

___
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il


Re: Can't view movies at HUJI archive (castup). Do they work for you?

2009-04-24 Thread Oleg Goldshmidt
Michael Shiloh  writes:

> I've always assumed it's a Linux issue, but before I complain to them,
> does this work for anyone else?

Works for me (apart from network QoS issues, hiccups, etc. - my
connection is not the greatest) with Fedora 10 / Firefox - I didn't
try to watch the whole movie, just a couple of minutes of it.

-- 
Oleg Goldshmidt | p...@goldshmidt.org



Gnome users: How do GTK apps handle mixed LTR and RTL hierarchies? Dev advice needed.

2009-04-24 Thread Dotan Cohen
I am having troubles with mixed LTR and RTL hierarchies in the
otherwise terrific Zim application:
https://bugs.launchpad.net/zim/+bug/360581

To triage, I checked in Evolution and found a similar situation:
http://bugzilla.gnome.org/show_bug.cgi?id=580122

The Zim developer is interested in resolving the issue, but he does
not know how. If someone on-list could enlighten him it would be much
appreciated. Thanks!

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il



Re: Backup encryption key

2009-04-24 Thread Dotan Cohen
> Nice add-on, I initially partitioned the disk and left the
> TrueCrypt.exe in it.  I can come to any computer, connect the drive
> via its USB, run the application and get the data (password etc).
>

That sounds like it depends upon the application being already
installed on the computer. How do you connect the drive on computers
that you do not own, or do not regularly use, such as public library
computers or customers' sites?

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il



Fwd: Backup encryption key

2009-04-24 Thread nir grinberg
1. I use external drive
2. Using TrueCrypt I mount the external drive, encrypt its content and
password-protect it.
3. I back up all my data to this drive.
4. Data is encrypted, password protected and on an un-recognized drive.

Once the drive is connected to a PC, you need to re-mount it using
TrueCrypt.  To mount the drive you will be asked for the password.  If
you try to open the disk without mounting it first, it is shown as an
un-formatted drive.

Nice add-on, I initially partitioned the disk and left the
TrueCrypt.exe in it.  I can come to any computer, connect the drive
via its USB, run the application and get the data (password etc).

Been using it for a while, works well.

nir

--
Regards,

Nir Grinberg
I.T.C. IP Technologies Ltd.
n...@israelnumber.com
www.IsraelNumber.com
972.3.9707000



2009/4/23 Yuval Hager :
> Hi,
>
> I've been considering encrypting my backups (e.g. using duplicity), but I am
> always afraid to lose the backup key when I lose the data I need to
> restore. This has the unfortunate implications of practically having no
> backups at all.
>
> I'd like to ask the list, when you backup your data (and you do, don't
> you?) - do you use encryption? If so, what measures do you take to ensure
> the key is safer than the data itself?
>
> Cheers,
>
> --
> yuval
>



Re: Can't view movies at HUJI archive (castup). Do they work for you?

2009-04-24 Thread Shlomi Fish
On Thursday 23 April 2009 23:48:03 Michael Shiloh wrote:
> I've always assumed it's a Linux issue, but before I complain to them,
> does this work for anyone else?
>
> I'm running Ubuntu 9.04.
>
> http://w3.castup.net/spielberg/index.aspx?lang=en&id=20
>
> The "trailer" at the beginning runs (duration: a couple of seconds), but
> then the main feature stalls.
>

With Mandriva Linux Cooker running Firefox 3.0.x with the mplayer-plugin, I 
see that the trailer plays again and again (but never finishes) and I'm never 
getting to the main feature.

Regards,

Shlomi Fish

-- 
-
Shlomi Fish   http://www.shlomifish.org/
First stop for Perl beginners - http://perl-begin.org/

God gave us two eyes and ten fingers so we will type five times as much as we
read.




Re: Can't view movies at HUJI archive (castup). Do they work for you?

2009-04-24 Thread Yehuda Bar-Nir
Works for me on a Mac with Firefox or Safari without any script. Haven't
tried on Linux yet (I've just upgraded to Fedora 11 Beta, so I need to get
all the decoders to work first). The problem might be with the specific
player you are using.

Yehuda

On Fri, Apr 24, 2009 at 12:10 AM, Tomer Cohen  wrote:

> Have you tried the greasemonkey script for castup? It might help.
>
> I am bcc'ing Yehuda, who is responsible for most of the greasemonkey
> scripts for video in Israeli websites.
>
>
>
> On Thu, Apr 23, 2009 at 23:48, Michael Shiloh  > wrote:
>
>> I've always assumed it's a Linux issue, but before I complain to them,
>> does this work for anyone else?
>>
>> I'm running Ubuntu 9.04.
>>
>> http://w3.castup.net/spielberg/index.aspx?lang=en&id=20
>>
>> The "trailer" at the beginning runs (duration: a couple of seconds), but
>> then the main feature stalls.
>>
>> Michael
>>
>>
>
>
>
> --
> Tomer Cohen
> http://tomercohen.com
> Sent from Haifa, Israel
> Woody Allen  - 
> "I am not afraid of death, I just don't want to be there when it
> happens."
>


Re: suid root - bash script

2009-04-24 Thread Ariel Biener

RunAs = sudo


--Ariel

Noam Rathaus wrote:


Hi Yedidyah,

See below

On Thu, Apr 23, 2009 at 12:34 PM, Yedidyah Bar-David
 wrote:
  

Hi Noam,

On Thu, Apr 23, 2009 at 12:08:21PM +0300, Noam Rathaus wrote:


Hi Yedidyah,

This "stupid" - in my opinion - restriction also applies to perl script.
  

This is a free country, you know. You are entitled to have your own
opinion. As I explained below, the main problem with setuid scripts is
irrespective of interpreter, be it /bin/sh, perl, or your own binary for
whatever language you invented.



And there they also recommend using a C program that will be setuid
that will run the  perl script.
  

Indeed. Or use sudo (which is the same, only general).



This is of course an over-complicated manner of doing things,
  

I guess there are other ways to do this, but that's how it is in unix.
As far as I know, Windows does not have something similar at all - if
you want there to run some program as another user, you have to do much
more than setuid it.




Windows has the Run As service which does something similar, it's a bit
more.. complex, but it allows you to do what you mentioned. I am
skipping on Windows' ability to run Service as other users :)


  

not to
mention the fact that if this perl script or c program wrapper is then
called from Apache the restriction still applies and I haven't been
able to get around it.
  

I did not understand what exact restriction you talk about, what you
tried to achieve and what was the problem. If you want anyone to try and
help you, please provide some more details.



My scenario is this:
1) Apache runs a perl (which needs to be setuid => it changes IP addresses, etc)
2) This perl needs to call another perl responsible for updating the
system => and managing that it works correctly
3) This perl runs several other Perl scripts that are also setuid as
they replace files

When apache tries to execute the perl's line which says:
system("/usr/local/bin/update.pl")

I get the setuid warning that I need to put a wrapper

I then did:
system("/usr/local/bin/update")

Where update just executes update.pl

Both update (written in C) and update.pl (written in perl) are setuid root.

I still get the warning

Thanks for the help.



  

Best,
--
Didi



On Thu, Apr 23, 2009 at 11:54 AM, Yedidyah Bar-David
 wrote:
  

On Thu, Apr 23, 2009 at 11:31:38AM +0300, Shachar Shemesh wrote:


Oron Peled wrote:
  

There's a reason why the kernel does not respect suid/sgid bit on shell
scripts -- It's because there are gazillions of ways a user can use
this script to gain total root access.



Name two?
  

The main famous one, inherent in the way scripts work, is that the
kernel has to look at the first line of the script, run the interpreter
mentioned there with the args provided, and this interpreter then runs,
looks at the script, and decides what to do. Running the interpreter
takes time, and so an attacker can make a symlink to it, run the
symlink, and replace it immediately, and have a chance to make the
interpreter run the attacker's version instead of the original. This is
different from running a binary directly, where the kernel knows where
it was and won't have to look again if you tried replacing a symlink to
it.



Maybe writing a wrapper suid program that totally sanitizes
both the environment and command line arguments before
exec'ing the script would make it. Although I wouldn't bet
on it since it only covers the obvious attack vectors against
shell scripts.



Fine. Make the two cover these obvious vectors, one each.

I have to say that when I first heard about this restriction, I thought it
made a lot of sense. Since then, I have searched for these famed attack
vectors, and have come up short.
  

Well, I now googled for 'setuid scripts security' and found this FAQ:
http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html
It also mentions other, more-specific issues.



Sure, if the script itself has security
holes, then a suid script will be vulnerable. As I'm sure you know well,
this is also true of C written code, however.
  

Indeed, but there are some differences - usually, finding bugs in
scripts is easier (especially if you do not have the sources for the
C-coded binary), and in the past there used to be bugs in various
interpreters of various OSes. The last point is hopefully less relevant
today, but so are setuid-scripts (I think no modern unix respects
these).



So my question is: are there attack vectors against the following script?

#!/bin/sh -e

echo "Hello, cruel world"
  

--
Didi
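
The wrapper approach raised in the thread above (a setuid C program that sanitizes the environment and command-line arguments before exec'ing the script), as an added example that is not code from any poster. The script path, the argument whitelist and the fixed environment are assumptions; because the script is named by a fixed absolute path, no caller-controlled symlink is involved.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed paths: SCRIPT is hypothetical, root-owned, not writable by others. */
static char INTERP[] = "/bin/sh";
static char SCRIPT[] = "/usr/local/libexec/task.sh";
#define MAX_ARGS 8

/* Accept only short arguments made of [A-Za-z0-9._-] that do not start
 * with '-', so none can act as an option or carry shell metacharacters. */
int arg_is_safe(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr("._-", s[i]))
            return 0;
    return 1;
}

/* Fill out[] with: fixed interpreter, fixed script, validated caller args.
 * Returns the number of entries, or -1 to refuse the request. */
int build_argv(int argc, char **argv, char **out)
{
    int n = 0;
    if (argc - 1 > MAX_ARGS)
        return -1;
    out[n++] = INTERP;
    out[n++] = SCRIPT;
    for (int i = 1; i < argc; i++) {
        if (!arg_is_safe(argv[i]))
            return -1;
        out[n++] = argv[i];
    }
    out[n] = NULL;
    return n;
}

int main(int argc, char **argv)
{
    char *args[MAX_ARGS + 3];
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };  /* nothing inherited */
    /* Assumption: the script should run fully as the wrapper's owner, so the
     * real uid is set to the effective uid (bash resets euid when they differ). */
    if (build_argv(argc, argv, args) < 0 || setuid(geteuid()) != 0) {
        fprintf(stderr, "refused\n");
        return 2;
    }
    execve(INTERP, args, envp);
    return 1;  /* reached only if execve failed */
}
```

The caller's environment (IFS, LD_* variables, a modified PATH) never reaches the interpreter, and any argument outside the whitelist makes the wrapper exit before it execs anything.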



Re: Backup encryption key

2009-04-24 Thread Diego Iastrubni
On Friday 24 April 2009 09:34:40 you wrote:
> P.s.
> Blowfish? In this day and age?

Twofish, I stand corrected. Their specs are very confusing:

 * They claim that the transport is based on https
 * They claim that the encryption key is stored on my computer, but I see no 
documentation on the location.
 * I don't know how the encryption key is made, my guess is that the input is 
the password used, I might be wrong.
 * I know that the tech support can see the encrypted password of each 
user (john to the rescue!), and can see the list of files. I am not sure 
about the content. 

I guess that they are not as transparent as Lingnu, and their technology is 
great, but the docs sux. I brought Lingnu's service to the debate, since it 
offers much more than just a secured layer. I assume that readers of this 
thread are more interested about the service provided by some companies, and 
not just the technical details.




Wireless+usb mouse for linux?

2009-04-24 Thread Amos Shapira
Hi,

Can anyone recommend a good small laptop mouse which can be used both
as wireless and wired usb mouse (does such a thing exist?) with sony
vaio running Ubuntu, and can be purchased in the Dan area?

Thanks,
Amos

-- 
Sent from my mobile device
