| To: [EMAIL PROTECTED]
| Subject: Re: Debian audititing tool?
| Message-ID: [EMAIL PROTECTED]
| Mail-Followup-To: Christian Kurz [EMAIL PROTECTED],
| [EMAIL PROTECTED]
I must be missing something here. You're the second person in
about as many days
Hi Christian!
On Wed, 27 Dec 2000, Christian Kurz wrote:
You probably misconfigured your mutt.
No, I mixed up Mail-Followup-To and Mail-Copies-To. Now this mail has
the correct "Mail-Copies-To: never", which means that I don't want any
copies of the answers.
Your mail followup2 header
Quoting Christian Kurz ([EMAIL PROTECTED]):
[ Stop sending me unnecessary Ccs.]
| Date: Tue, 26 Dec 2000 16:02:30 +0100
| From: Christian Kurz [EMAIL PROTECTED]
| To: debian-security@lists.debian.org
| Subject: Re: Debian audititing tool?
| Message-ID: [EMAIL PROTECTED]
| Mail
On 00-12-27 David Wright wrote:
Quoting Christian Kurz ([EMAIL PROTECTED]):
[ Stop sending me unnecessary Ccs.]
| Date: Tue, 26 Dec 2000 16:02:30 +0100
| From: Christian Kurz [EMAIL PROTECTED]
| To: debian-security@lists.debian.org
| Subject: Re: Debian audititing tool?
| Message
@lists.debian.org
| Subject: Re: Debian audititing tool?
| Message-ID: [EMAIL PROTECTED]
| Mail-Followup-To: Christian Kurz [EMAIL PROTECTED],
| debian-security@lists.debian.org
I must be missing something here. You're the second person in
about as many days to ask
| To: debian-security@lists.debian.org
| Subject: Re: Debian audititing tool?
| Message-ID: [EMAIL PROTECTED]
| Mail-Followup-To: Christian Kurz [EMAIL PROTECTED],
| debian-security@lists.debian.org
I must be missing something here. You're the second person
On Wed, Dec 27, 2000 at 11:12:28AM +0100, Christian Kurz wrote:
You probably misconfigured your mutt.
No, I mixed up Mail-Followup-To and Mail-Copies-To. Now this mail has
the correct Mail-Copies-To: never, which means that I don't want any
copies of the answers.
you still need to fix your
On Tue, Dec 26, 2000 at 09:27:53PM +0200, Pavel Minev Penev wrote:
On Tue, Dec 26, 2000 at 05:27:07PM +0300, [EMAIL PROTECTED] wrote:
Of course plain md5 hashes are not very helpful. But we can keep MAC[1] for
binaries. Tampering with MAC database is useless.
...
[1] Message
On 00-12-26 Rainer Weikusat wrote:
Christian Kurz [EMAIL PROTECTED] writes:
Debsums seems to help a little bit - you can expect to catch some less-clueful
intruders with it, but it doesn't help in general.
debsums just uses md5sums which can be manipulated on the one hand and
on the
On Thu, Dec 21, 2000 at 01:39:19PM +0100, Christian Kurz wrote:
Debsums seems to help a little bit - you can expect to catch some
less-clueful
intruders with it, but it doesn't help in general.
debsums just uses md5sums which can be manipulated on the one hand and
on the other hand you
Christian Kurz [EMAIL PROTECTED] writes:
Debsums seems to help a little bit - you can expect to catch some
less-clueful
intruders with it, but it doesn't help in general.
debsums just uses md5sums which can be manipulated on the one hand and
on the other hand you modify binaries so that
[ Stop sending me unnecessary Ccs.]
On 00-12-26 Rainer Weikusat wrote:
Christian Kurz [EMAIL PROTECTED] writes:
Debsums seems to help a little bit - you can expect to catch some
less-clueful intruders with it, but it doesn't help in general.
debsums just uses md5sums which can be
Christian Kurz [EMAIL PROTECTED] writes:
[ Stop sending me unnecessary Ccs.]
Start thinking about getting a decent mail client.
and on the other hand you modify binaries so that the md5sum will
still be the same.
So you've effectively broken MD5 in a way that would yield useful
On 00-12-26 Rainer Weikusat wrote:
Christian Kurz [EMAIL PROTECTED] writes:
[ Stop sending me unnecessary Ccs.]
Start thinking about getting a decent mail client.
My client is so decent, that it support a pure list-reply-function.
Looks like your client is missing such a feature.
and
On Tue, Dec 26, 2000 at 05:27:07PM +0300, [EMAIL PROTECTED] wrote:
Of course plain md5 hashes are not very helpful. But we can keep MAC[1] for
binaries. Tampering with MAC database is useless.
...
[1] Message Authentication Code. One of possible ways to compute MAC is
H(K,H(K,M)) where H is
On Tue, Dec 26, 2000 at 05:37:54PM +0100, Christian Kurz wrote:
On 00-12-26 Rainer Weikusat wrote:
Christian Kurz [EMAIL PROTECTED] writes:
... blah blah blah ...
Let's stop arguing about this. Instead of flaming anyone, I'll try to
state the relevant facts, since this argument is only
On 00-12-26 Peter Cordes wrote:
have produced collisions in MD5. This is a Bad Thing for MD5, but it isn't
a real break against MD5. It means that you can find two messages that hash
to the same value. To do so, you _have_ to choose both messages yourself.
If one of the messages is /bin/su,
On Tue, Dec 26, 2000 at 09:27:53PM +0200, Pavel Minev Penev wrote:
On Tue, Dec 26, 2000 at 05:27:07PM +0300, [EMAIL PROTECTED] wrote:
Of course plain md5 hashes are not very helpful. But we can keep MAC[1] for
binaries. Tampering with MAC database is useless.
...
[1] Message
On Tue, Dec 26, 2000 at 10:52:47PM +0100, Christian Kurz wrote:
On 00-12-26 Peter Cordes wrote:
have produced collisions in MD5. This is a Bad Thing for MD5, but it isn't
a real break against MD5. It means that you can find two messages that hash
to the same value. To do so, you _have_
Also with the Debian Firewall/Gibrator?(sorry for the spelling) does
it include SNMP and remote manageability.
SNMP will be included in the next version, and a web interface too. At
the moment it is fully manageable over ssh.
best greets,
Rene
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
On Fri, Dec 22, 2000 at 05:54:55PM -0400, Peter Cordes wrote:
That's why you run the checker from a known-good floppy or CD. The bogus
kernel can't protect itself if it isn't running :)
don't be so sure, is the BIOS or firmware on your computer flashable?
if so an attacker could replace the
Also with the Debian Firewall/Gibrator?(sorry for the spelling) does
it include SNMP and remote manageability.
SNMP will be included in the next version, and a web interface too. At
the moment it is fully manageable over ssh.
best greets,
Rene
On Fri, Dec 22, 2000 at 11:05:32PM -0900, Ethan Benson wrote:
On Fri, Dec 22, 2000 at 05:54:55PM -0400, Peter Cordes wrote:
That's why you run the checker from a known-good floppy or CD. The bogus
kernel can't protect itself if it isn't running :)
don't be so sure, is the BIOS or
On Sat, Dec 23, 2000 at 03:30:08PM -0400, Peter Cordes wrote:
On Fri, Dec 22, 2000 at 11:05:32PM -0900, Ethan Benson wrote:
On Fri, Dec 22, 2000 at 05:54:55PM -0400, Peter Cordes wrote:
That's why you run the checker from a known-good floppy or CD. The bogus
kernel can't protect
"Dan Hutchinson" [EMAIL PROTECTED] writes:
Sorry I misread your response.
Well you can get the source kernel and run it through the forensics program
then compile it possible.
Anyway it will help with open trojans and virus anyway.
There's a couple of things that could go wrong here:
-
On 00-12-21 Peter Cordes wrote:
On Thu, Dec 21, 2000 at 03:37:56PM +0100, Christian Kurz wrote:
On 00-12-21 Dan Hutchinson wrote:
Sorry it was forensics, but the code is basically matching the machine
code, a unique pattern of 1's and 0's to the machine code of the kernel.
Well, but
On Thu, Dec 21, 2000 at 08:12:14PM +0100, Christian Kurz wrote:
On 00-12-21 Colin Phipps wrote:
On Thu, Dec 21, 2000 at 04:09:07PM +0100, Christian Kurz wrote:
And who will create this key? Who will have the passphrase? Who will
sign the packages?
Someone on master.debian.org,
Jacob Kuntz wrote:
from the secret journal of Rene Mayrhofer ([EMAIL PROTECTED]):
http://www.gibaltar.at/
is that address correct? i didn't think there was a .at tld, but there are
two 'r's in gibraltar.
You are right. Sorry, It was a typo
It should read http://www.gibraltar.at/
best
Dan Hutchinson [EMAIL PROTECTED] writes:
Sorry I misread your response.
Well you can get the source kernel and run it through the forensics program
then compile it possible.
Anyway it will help with open trojans and virus anyway.
There's a couple of things that could go wrong here:
- gcc
On Sat, Dec 23, 2000 at 10:35:26AM +1300, Carey Evans wrote:
Dan Hutchinson [EMAIL PROTECTED] writes:
Sorry I misread your response.
Well you can get the source kernel and run it through the forensics program
then compile it possible.
Anyway it will help with open trojans and virus
On Thu, Dec 21, 2000 at 02:33:32PM +0100, Christian Kurz wrote:
1. Reboot with a clean kernel
2. Run tripwire with my read-only record
3. Install my Debian packages
4. Update my read-only record
And you are running the system with an unclean kernel? If you not add
your kernel
On 00-12-22 Peter Eckersley wrote:
On Thu, Dec 21, 2000 at 02:33:32PM +0100, Christian Kurz wrote:
My suggested alternative is a system which knows about official Debian
packages, and will register that change as simply "installed/upgraded
package XYZ".
Where should it register
Sorry I misread your response.
Well you can get the source kernel and run it through the forensics program
then compile it possible.
Anyway it will help with open trojans and virus anyway.
Dan
"Dan Hutchinson" [EMAIL PROTECTED] wrote:
Sorry it was forensics, but the code is basically
On 00-12-21 Dan Hutchinson wrote:
Sorry it was forensics, but the code is basically matching the machine
code, a unique pattern of 1's and 0's to the machine code of the kernel.
Well, but then you need to know all patterns of malicious code that could
occur. I think this will be a lot of
On Thu, Dec 21, 2000 at 03:37:56PM +0100, Christian Kurz wrote:
Well, but then you need to know all patterns of malicious code that could
occur. I think this will be a lot of patterns that you have to search
for, so that the search will take a long time.
Unless you have a kernel file that
On Thu, Dec 21, 2000 at 04:09:07PM +0100, Christian Kurz wrote:
[ Would you please stop those Ccs to me?]
If you don't want CC's then fix your mail headers:
Mail-Followup-To: Christian Kurz [EMAIL PROTECTED], [EMAIL PROTECTED]
On 00-12-21 Colin Phipps wrote:
No, I tried to explain why it
On Thu, Dec 21, 2000 at 03:22:10PM +, Colin Phipps wrote:
Well and the one that you won't catch do much more damage to your system
and create a higher risk than the one you catch.
Agreed, if someone gets root on your system there's no way you can
guarantee detecting it. But you can
On Friday, 2000-12-22 at 00:11:38 +1100, Peter Eckersley wrote:
I understand the requirement for read-only media. Tripwire should give
me a "clean" snapshot of a system. But when I administer a machine, I
regularly make changes to the "clean" image. If I want tripwire to
track this, I
On Thu, Dec 21, 2000 at 03:37:56PM +0100, Christian Kurz wrote:
On 00-12-21 Dan Hutchinson wrote:
Sorry it was forensics, but the code is basically matching the machine
code, a unique pattern of 1's and 0's to the machine code of the kernel.
Well, but then you need to know all patterns of
On Thu, Dec 21, 2000 at 03:48:40PM -0500, Jacob Kuntz wrote:
from the secret journal of Rene Mayrhofer ([EMAIL PROTECTED]):
http://www.gibaltar.at/
is that address correct? i didn't think there was a .at tld, but there are
two 'r's in gibraltar.
the correct URL is http://www.gibraltar.at/
You are correct in that the binary would have to be scanned as well,
but I was thinking of recompiling the binary from the scanned source.
As to doing the search to find possible "signatures" that viruses have,
since many viruses are deviations of an original virus you can use pattern
matching from
Hi...
I've been wishing for a nice, largely automated, untamperable Debian auditing
tool. Whenever I get paranoid about a box, I'd like some kind of check that
didn't require vast amounts of forethought and effort.
Basically, I started reading the tripwire documentation, stopped, and
thought
On 00-12-21 Peter Eckersley wrote:
Basically, I started reading the tripwire documentation, stopped, and
thought Debian ought to make this *much* simpler. It seemed that if I
wanted to use tripwire, I'd need to tell it every time I was installing
a new package. I'd then need to update a
I would agree with your comments except the scan of the Linux Kernel.
You can use computer forensics to scan the kernel against familiar trojan
and virus patterns relatively quickly and at least identify problem
code. It would be up to you to review to see if it is good or bad code.
The scans
On 00-12-21 Dan Hutchinson wrote:
I would agree with your comments except the scan of the Linux Kernel.
Thanks. :)
You can use computer forensics to scan the kernel against familiar trojan
and virus patterns relatively quickly and at least identify problem
Hm, you know that some parts are
On Thu, Dec 21, 2000 at 01:39:19PM +0100, Christian Kurz wrote:
On 00-12-21 Peter Eckersley wrote:
Basically, I started reading the tripwire documentation, stopped, and
thought Debian ought to make this *much* simpler. It seemed that if I
wanted to use tripwire, I'd need to tell it every
On 00-12-22 Peter Eckersley wrote:
On Thu, Dec 21, 2000 at 01:39:19PM +0100, Christian Kurz wrote:
On 00-12-21 Peter Eckersley wrote:
Basically, I started reading the tripwire documentation, stopped, and
thought Debian ought to make this *much* simpler. It seemed that if I
wanted to
On 00-12-22 Peter Eckersley wrote:
On Thu, Dec 21, 2000 at 02:33:32PM +0100, Christian Kurz wrote:
My suggested alternative is a system which knows about official Debian
packages, and will register that change as simply installed/upgraded
package XYZ.
Where should it register that?
Sorry it was forensics, but the code is basically matching the machine
code, a unique pattern of 1's and 0's to the machine code of the kernel.
Unless you have a kernel file that doesn't have 1's and 0's in machine
language, you can scan the code. I am not sure how ASM code is written
thou.
Dan
Sorry I misread your response.
Well you can get the source kernel and run it through the forensics program
then compile it possible.
Anyway it will help with open trojans and virus anyway.
Dan
Dan Hutchinson [EMAIL PROTECTED] wrote:
Sorry it was forensics, but the code is basically
On 00-12-21 Dan Hutchinson wrote:
Sorry it was forensics, but the code is basically matching the machine
code, a unique pattern of 1's and 0's to the machine code of the kernel.
Well, but then you need to know all patterns of malicious code that could
occur. I think this will be a lot of
On Thu, Dec 21, 2000 at 03:30:25PM +0100, Christian Kurz wrote:
if I were trying to do mirror authentication, I'd ship apt with an
official .debian.org public key, and then ask .debian.org whether a
the public key presented by a mirror was kosher. There are other ways
of doing it...
On Thu, Dec 21, 2000 at 03:30:25PM +0100, Christian Kurz wrote:
Hence my comment. Less-clueful intruders won't modify
/var/lib/dpkg/info/package.md5sums ; debsums will catch these people,
but will not help if the cracker is smart.
No, as it would say that if this md5sums will
On Thu, Dec 21, 2000 at 03:37:56PM +0100, Christian Kurz wrote:
Well, but then you need to know all patterns of malicious code that could
occur. I think this will be a lot of patterns that you have to search
for, so that the search will take a long time.
Unless you have a kernel file that
[ Would you please stop those Ccs to me?]
On 00-12-21 Colin Phipps wrote:
On Thu, Dec 21, 2000 at 03:30:25PM +0100, Christian Kurz wrote:
Hence my comment. Less-clueful intruders won't modify
/var/lib/dpkg/info/package.md5sums ; debsums will catch these people,
but will not help
On Thu, Dec 21, 2000 at 04:09:07PM +0100, Christian Kurz wrote:
[ Would you please stop those Ccs to me?]
If you don't want CC's then fix your mail headers:
Mail-Followup-To: Christian Kurz [EMAIL PROTECTED],
debian-security@lists.debian.org
On 00-12-21 Colin Phipps wrote:
No, I tried to
On Thu, Dec 21, 2000 at 03:22:10PM +, Colin Phipps wrote:
Well and the one that you won't catch do much more damage to your system
and create a higher risk than the one you catch.
Agreed, if someone gets root on your system there's no way you can
guarantee detecting it. But you can
On Friday, 2000-12-22 at 00:11:38 +1100, Peter Eckersley wrote:
I understand the requirement for read-only media. Tripwire should give
me a clean snapshot of a system. But when I administer a machine, I
regularly make changes to the clean image. If I want tripwire to
track this, I must do
On Thu, Dec 21, 2000 at 03:37:56PM +0100, Christian Kurz wrote:
On 00-12-21 Dan Hutchinson wrote:
Sorry it was forensics, but the code is basically matching the machine
code, a unique pattern of 1's and 0's to the machine code of the kernel.
Well, but then you need to know all patterns of
Peter Cordes wrote:
I think a signed database of stuff that's supposed to be in Debian, and a
decent way to make a bootable CD that downloads what it needs, and checks
what's on your drive, is a good start. If the MD5 sum lists are signed, you
don't need to trust the server you download them
from the secret journal of Rene Mayrhofer ([EMAIL PROTECTED]):
http://www.gibaltar.at/
is that address correct? i didn't think there was a .at tld, but there are
two 'r's in gibraltar.
--
Jacob Kuntz
underworld.net/~jake
[EMAIL PROTECTED]
Strategery -- George W. Bush
Lockbox -- Al Gore
On Thu, Dec 21, 2000 at 03:48:40PM -0500, Jacob Kuntz wrote:
from the secret journal of Rene Mayrhofer ([EMAIL PROTECTED]):
http://www.gibaltar.at/
is that address correct? i didn't think there was a .at tld, but there are
two 'r's in gibraltar.
the correct URL is http://www.gibraltar.at/
You are correct in that the binary would have to be scanned as well,
but I was thinking of recompiling the binary from the scanned source.
As to doing the search to find possible signatures that viruses have,
since many viruses are deviations of an original virus you can use pattern
matching from an
On 00-12-21 Colin Phipps wrote:
On Thu, Dec 21, 2000 at 04:09:07PM +0100, Christian Kurz wrote:
[ Would you please stop those Ccs to me?]
If you don't want CC's then fix your mail headers:
Mail-Followup-To: Christian Kurz [EMAIL PROTECTED],
debian-security@lists.debian.org
They are, as