Then how are the packages so stored elsewhere differentiated?
Or are the packages under the debian-non-US directory distributed under the
other headings when grabbing from this particular server?
Previously Aurelio Turco wrote:
Furthermore:
http://security.debian.org/debian-non-US
On Thu, 25 Jul 2002 at 01:08:29AM +0200, martin f krafft wrote:
least as usable and stable, and until potato-woody is guaranteed to
progress without any problems...
Problems? What problems? G Just A LOT of tweaks
I can't upgrade, it would require restarting and that would blow my
I humbly beseech the Debian list maintainers to make this list subscriber only
may post.
Thank you.
Curt-
-Original Message-
From: Phillip Hofmeister [mailto:[EMAIL PROTECTED]
Sent: Friday, July 19, 2002 2:03 AM
To: debian-security@lists.debian.org
Subject: Re: Didn't we have
Whoever did this, thank you.
Curt-
-Original Message-
From: Italyminutes [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 18, 2002 06:02
To: debian-security@lists.debian.org
Subject: You've Been Removed!
This message is to confirm the removal of your
email address:
What bothers me in all of this is that Debian lists are
managed so poorly
to let this happen.
The Debian lists are deliberately not subscriber only may post on the theory
that it's better to press DEL than to prevent someone from posting.
However, subscriber only is a simple config option
If I remember correctly, doesn't that require sendmail?
As for bounce, while Kmail has that feature it does require a real reply-to
address. For the vast majority of spam, the reply-to is deliberately obfuscated.
apt-get install spamassassin
It trapped that one for me as well as 99% of the
Unlike most spam, this one has actually resulted in some arrests.
Well, not this one specifically, it's been going on for a while with
multiple different people/groups attempting the Spanish Prisoner con
game.
Thanks for the email address for the Fed.Gov investigation.
Curt-
If anyone wonders
I noticed the same thing when doing the 3.3 thing two days ago that I commented
on on this list.
The security server is in my apt.sources list, but when I executed apt-get
upgrade, it said 0 new, 0 to be removed, 1 package(s) not updated.
Dselect showed the ssh package as ready to be updated,
Not security updates as such, but since the software has been changed,
doesn't testing have its package replaced with the new version?
I can't imagine that a known hole would be deliberately left in a
package when an update has already been compiled. This is testing, not
Hamm.
Testing doesn't
First question:
Has it worked before now?
Second question:
What did you change between then and now?
Curt-
Dear All,
I have a problem with my ssh, when i try to connect to our
server using
ssh have an error like this :
ssh -l [EMAIL PROTECTED]
2f65 7463 2f73 7368
Disconnecting:
Alvin,
If the cracker can get in as a user, it's merely a matter of time before they
can worm their way into becoming root. Defenses against this are difficult, the
NSA version SELinux deliberately places great restrictions on user abilities
to try to prevent just such things. But I don't
I like both. The server gets stable, but a firewall or at least firewall
rules on the public interface.
Preferably dual interface, one inside on private IP, one public, and no
packet forwarding.
And I couldn't agree more about the remarkable efforts of the Debian team
members.
Curt-
On
Debian was the first Linux I installed, from floppies, in 1986.
Do you mean 1996?
Ah, yep. Brain fart. Thanks for noticing.
I personally use Linux since 1994, version 0.99pl14, was SLS
distribution.
Neat. In 1995, a network engineer and systems admin associate of mine said, I
have
On Tue 11 Jun 2002 19:54, Noah L. Meyerhans wrote:
There is a lot of collaboration between the respective security
teams for the major Linux distributions. As a result of this,
they all tend to release necessary security updates at the same
time. Known security updates are rarely, if
Hoopy Froods always know where their towel is.
Could be handy I spose if a server caught on fire, could
throw a couple
of towels on top to smother the fire :)
Nathan
On Wednesday, May 15, 2002, at 06:01 PM, Peter Obermeier wrote:
Hi all,
it is a very curious form of security,
How about group access privileges on the offending executables?
Seems to me to be the natural method of restricting access to stuff.
Curt-
I have a question. Is there any way to restrict outbound
access for all but
a few users? I know with iptables you can block outbound
traffic
Where might one find documentation on this bf2.4 kernel?
Javier Fernández-Sanguino Peña wrote:
Now that I think of it this might be an issue with
self-installed
kernels. I'm going to document this behavior in the Manual,
commit the
changes and close the bug. Of course, woody does
I know this may sound like a silly question, but did it work before you applied the
TCP wrappers?
If you remove the all:all from hosts.deny, does it work?
It's been a while since I last set up wrappers, but in all other systems I make sure
it works first, then apply changes one by one and
Stef,
I've noticed during the boot sequence of 2.4.18, after the ramdisk is loaded there is
a 5 second pause during which time you can get a root shell.
Do you get this opportunity? I realize it asks for a password, but it is one more
thing to try.
Other than that, using a rescue disk or the
From: Tim Freeman [mailto:[EMAIL PROTECTED]]
...
But whose reputation?
The package maintainer directly, the Debian project indirectly.
I'm not really talking about individuals, I'm talking about generalities.
On a really secure machine, you're not going to be installing games, or utilities
I don't see a clear path to doing this the right way, where chaos is
prevented by something more substantial than a social convention.
I have to admit that the social convention is working very well at the
moment, though.
--
Tim Freeman
[EMAIL PROTECTED]
At some point you
Nathan Norman - Micromuse Ltd. mailto:[EMAIL PROTECTED]
Gil-galad was an Elven-king.| The Fellowship
Of him the harpers sadly sing: |of
the last whose realm was fair and free | the Ring
between the Mountains and the Sea. | J.R.R. Tolkien
A king of
I would bet that the vast majority of flame wars begin because someone mistakes
terse or concise for hostility.
The reverse, being the endless spewing of meaningless words, all the while saying
nothing at all or even the opposite of what it sounds like, is the art of politicians
and diplomats.
I'm impressed. Even here in Tokyo, where a cop on every street corner is not just an
Orwellian slur, the only people who get that kind of service are the ones who directly
pay their salaries.
Seriously, the only person you can rely on is you. You're the one on the scene, be it
a mugging or a
Many ISP's do not know enough to filter the RFC1918 space, or only do so on the border
routers and not internally.
Another good idea is to filter out-going packets by source address, allowing through
only those whose source is supposed to be inside the network.
Anything with a source of
For the non-mathematical, or rather grammatical, style to say it, I use the phrase:
Security is Inconvenient.
The first time I say it to someone, they usually pause for a moment, digest it, and it
really helps in further discussions about what to do about
It's my answer, for instance, when
To: Howland, Curtis
Cc: [EMAIL PROTECTED]; Debian-Security
Subject: RE: IPTABLES
Just the other way around, 2.2.x == ipchains, 2.4.x == iptables.
Craig, just look at your kernel, and make sure every
netfilter/iptables
module is compiled/listed, and then look at your
/lib/modules/2.4.12
Please flame me if I have this backwards, but I believe ip_tables only works under
2.2.x and earlier kernels, and the 2.4.x kernel introduced ip_chains and is
incompatible with ip_tables.
You have to use the right one, even though the package/module for both shows up (at
least in Woody) and
-Original Message-
From: Gary MacDougall
soapbox
I'm going to get flamed like hell for this, but I think the general
attitude of people that consider themselves Linux Security
Guru's sucks!
If you've ever visited #linux on IRC or talked with people in
a chat room
about Linux
A major point concerning laws is that they prevent nothing. Laws against murder have
been around since the idea of laws was invented, yet murder still happens. Sometimes
in new and spectacular ways.
Individual security, be it physical or logical, must be considered an individual
Sent: Wednesday, December 26, 2001 11:47
To: Howland, Curtis; Ralf Dreibrodt
Cc: debian-security@lists.debian.org
Subject: Re: Secure 2.4.x kernel
Actually your point of view basically states that its ok
for anyone to
trespass.
In the US, we have laws against such activity. People
This may seem an obvious question, but have you coordinated that "ipchains" works with
the 2.2.x kernels, and "iptables" with the 2.4.x kernels?
Woody standard kernel is still 2.2.x.
Curt-
-Original Message-
From: Jeff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 25, 2001
http://www.cnn.com/2001/TECH/internet/12/17/cert.plug.holes.idg/index.html
Reading this sort of article reminds me of another really good thing
about apt, dselect, and the (forgive me please) Debian Way:
I don't have to be told that there is an SSH security fix in order to
fix it.
Every time I
And plenty of open relay servers, too.
obSec: You do have your SMTP transfer agent configured not to act as a
relay, right?
Curt-
-Original Message-
From: Petro [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 03:09
To: Yooseong Yang
Cc: k l u r t; [EMAIL PROTECTED]
Subject:
Any PGPG keys used by package maintainers will themselves be signed and
trusted by the Debian official community. What a "secure apt" must do is
alert if the key used is not so trusted, even if it uses the same name
and email address as it "should".
This assumes that the cracker's PGPG key has,
This is one remnant of the "trusted" world of Unix, and the legacy that
Linux has to deal with. It's ipchains/iptables to the rescue.
I do not have NFS turned on in the kernel modules, nor the package
installed. Yet this port is still open *to the outside world*. Can
anyone suggest a reason why
The article I read about it on the Register...
http://www.theregister.co.uk/content/4/23082.html
The hole affects thousands of users of virtually
every Linux release.
Because of the wide implications, Core, working with
CERT, and, at
Just FYI, Slashdot has a discussion up on encrypted file systems that
might be of interest to folks who participated in the discussion here.
This direct link might work:
http://slashdot.org/article.pl?sid=01/11/28/1549252mode=thread
Curt-
---
Curt Howland +81-3-5772-5832
Excuse me if this is old hat, has anyone else heard of a vulnerability
like this?
If it's on the FreeBSD lists, it must be well known...
Curt-
-Original Message-
From: Kondou, Katsuhiro (IDC)
Sent: Wednesday, November 28, 2001 22:16
To: Hu, Geng; Howland, Curtis
Subject: Fw: [FreeBSD
While this may be whipping a greasy stain on the road, it is true that
3DES was created by the government back when private cryptology was
difficult or unknown. I believe it is prudent to consider that it was
allowed to be used because of practical cracking available to the crypto
experts.
I'm
Is there a "drop from..." command as well? I much prefer simply
black-holing packets rather than giving back to the perp "I'm here, but
I know about you" data by "deny". Or is that what the Apache "deny"
does?
Curt-
-Original Message-
From: Christoph Moench-Tegeder [mailto:[EMAIL
There is also this How-To:
http://www.linux.org/docs/ldp/howto/Loopback-Encrypted-Filesystem-HOWTO.html
I've been thinking that a 100 or 500MB encrypted loop device per user,
mounted as a subdirectory under the individual users home, would be
effective. It doesn't encrypt the entirety of the
From: John Galt [mailto:[EMAIL PROTECTED]]
delete. You're missing a large point here: root doesn't have to have
RWX
access on everything to be able to do their job, -WX may do the trick.
So, root does not need total file access in order to do some subset of
functions which you, or the NSA,
To be blunt, I don't think one can entirely protect oneself from root,
nor do I believe it's an All Good idea.
Root Is God. This is a multi-user, full-time, networked device. Root
bears the responsibility of everything that happens to that machine.
They are answerable to everyone, not just one
Which reminds me to ask, are the www.kerneli.org cryptographic patches
applied to the pre-compiled kernels, eg kernel-2-4-14-AMDK6.deb?
-Original Message-
From: Florian Bantner [mailto:[EMAIL PROTECTED]
Sent: Friday, November 16, 2001 16:26
To: debian-security@lists.debian.org
Subject:
As has been said many times, many ways, once "root" is compromised, all
bets are off. Also, the only computer that isn't vulnerable is the one
that isn't connected to a network, and can't be physically touched.
Did anyone else see that awful Wesley Snipes movie, where he plays a
black-bag (pun in
I'm glad to hear it. I will forward your message to Debian-Security,
where I saw it discussed.
Curt-
-Original Message-
From: Jaakko Niemi [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 04:28
To: Howland, Curtis
Cc: [EMAIL PROTECTED]
Subject: Re: Suggestion for debian
topic no matter how interesting. Thanks to
everyone for their help and advice, we shall see.
Curt-
-Original Message-
From: Henrique de Moraes Holschuh [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 13, 2001 09:53
To: Howland, Curtis
Cc: [EMAIL PROTECTED]
Subject: Re: Vulnerable SSH versions
A quick question concerning such things...
I have a remote server that I do not trust myself to upgrade from
Potato(e) to Woody, and such vulnerabilities do worry me a little. Is
there any general expectation that such back porting will continue
once Woody is released?
Curt-
-Original
Subject: Re: Vulnerable SSH versions
On Tue, Nov 13, 2001 at 09:02:56AM +0900, Howland, Curtis wrote:
A quick question concerning such things...
I have a remote server that I do not trust myself to upgrade from
Potato(e) to Woody, and such vulnerabilities do worry me a little. Is
there any
about version conflicts and missing modules.
Curt-
-Original Message-
From: Ethan Benson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 13, 2001 09:33
To: debian-security@lists.debian.org
Subject: Re: Vulnerable SSH versions
On Tue, Nov 13, 2001 at 09:25:29AM +0900, Howland, Curtis
While the traffic load on debian-user, for instance, makes subscribing
just to ask one question somewhat hazardous to one's mailspool, I agree
with making debian-security posting by subscriber only. It really
isn't moderating, and doesn't take anyone's time.
To whom should we address the