Re: Debian Security Support in Place
On Fri, 08 Jul 2005 at 01:58:40AM -0400, Martin Schulze wrote:
> The security team will continue to support Debian GNU/Linux 3.0 alias
> woody until May 2006, or if the security support for the next release,
> codenamed etch, starts, whatever happens first.

Now I LOVE Debian a lot. It is my favorite distro, and I hope this isn't seen as a flame. But, two Debian releases in one year? That's kind of funny *grins*.

-- 
Phillip Hofmeister

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: safety of encrypted filesystems
On Wed, 22 Jun 2005 at 06:32:08PM -0400, Bernd Eckenfels wrote:
> In article [EMAIL PROTECTED] you wrote:
> > You could always run tripwire on the mounted file system, unmount it,
> > change your block, remount it, and run a tripwire check. This should
> > identify *WHICH* file changed.
>
> He has only one file and this was unaltered; the question is why.

Perhaps the block that was changed was a free block?

-- 
Phillip Hofmeister
Re: safety of encrypted filesystems
On Fri, 17 Jun 2005 at 06:01:02AM -0400, martin f krafft wrote:
> thus spake Horst Pflugstaedt [EMAIL PROTECTED] [2005.06.17.1018 +0200]:
> > encrypt /dev/hda7, mount, fill it with some hundred small files (with
> > known content), unmount, change one bit/byte/block on /dev/hda7 (using
> > dd), remount, look for the remaining files and their contents.
>
> I've tried that and the filesystem mounts without error. I have not yet
> figured out where the corruption occurs.

You could always run tripwire on the mounted file system, unmount it, change your block, remount it, and run a tripwire check. This should identify *WHICH* file changed.

-- 
Phillip Hofmeister
Re: Crypto File System-Problems Creating One
On Mon, 06 Jun 2005 at 06:40:36AM -0400, nuno romano wrote:
> I got the following warning trying to create a crypto file system in
> the hda10 partition of my hard disk. I did:
>
>   losetup -e aes-256 /dev/loop0 /dev/hda10
>   loop: loaded (max 8 devices)
>   Password:
>   ioctl: LOOP_SET_STATUS: Invalid argument

You're trying to mount a block device over a loopback? This may present a problem...I'm not sure.

-- 
Phillip Hofmeister
Re: [sec] Re: failed root login attempts
On Tue, 28 Sep 2004 at 09:18:51PM -0400, Noah Meyerhans wrote:
> That doesn't seem to be the case. The most common one uses
> root/test/guest, but there are more that seem to be based on the same
> code. They all disconnect by sending the string "Bye Bye", e.g.:
>
>   sshd[13613]: Received disconnect from 64.246.26.19: 11: Bye Bye
>
> I've seen many more aggressive root login attempts, as well as 'admin'
> and a number of other users. The somewhat unsettling thing that I'm
> wondering about is whether these machines are all sharing some big
> central password dictionary and are logging their attempted passwords
> to some central database. It ends up being some massive distributed
> dictionary attack, which I doubt is going to work on my systems, but
> I'm 100% sure that there are systems out there with weak root
> passwords.

Best practices suggest:

  PermitRootLogin no

Then again, the people who have weak root passwords are not ones to follow best practices.

-- 
Phillip Hofmeister
Re: telnetd vulnerability from BUGTRAQ
On Mon, 27 Sep 2004 at 04:08:38PM -0400, Greg Folkert wrote:
> I have no problems with scp; best part, there isn't the mistaken
> problem of transfer in ASCII mode when it should be in IMAGE mode (or
> BINARY mode), or vice-versa.

ASCII mode actually serves a purpose when you are communicating with a machine that uses EBCDIC. If you specify ASCII file mode, the EBCDIC machine is responsible for doing the EBCDIC to ASCII conversion. If you just ask for Binary you'll get garbage when you open the file because it is in EBCDIC! (I have this experience from an IBM MVS environment.)

-- 
Phillip Hofmeister
Re: telnetd vulnerability from BUGTRAQ
On Tue, 28 Sep 2004 at 03:23:15AM -0400, Daniel Pittman wrote:
> Fast I would concede, and easy is a matter of taste, mostly.
>
> I don't know what you imagine is encrypted in FTP, though, since that
> is not part of the specification or the standard implementations.
> Unless you run an SSL-enhanced or Kerberos FTP client and server,
> within the same realm, there is no encryption involved in FTP.

I would put forth SSH is no more secure than FTP is when one is dealing with an unknown host. SSH is dependent on a known_hosts entry. If information about a host is not known (public/server key) then SSH is every bit as easy to eavesdrop as FTP. There are many tools that will easily attempt a man-in-the-middle SSH attack.

-- 
Phillip Hofmeister
Re: Rebuilding packages on *all* architectures
On Mon, 06 Sep 2004 at 04:13:12AM -0400, Javier Fernández-Sanguino Peña wrote:
> BTW, one of the advantages of the release freeze is that this kind of
> unexpected behaviour might be detected and fixed (given enough eyes and
> testers). Unless, of course, somebody coded a good-enough time bomb
> that knew when Debian was going to be released before we did, and was
> stealthy enough until a new version was released.

Or a time bomb that tried to view a certain web site for certain content and blew up if such content was found. This type of bomb keeps the detonator in the hands of the intruder even after he has delivered the bomb.

-- 
Phillip Hofmeister
Re: MD5 collisions found - alternative?
On Tue, 24 Aug 2004 at 06:18:50PM -0400, Matthew Palmer wrote:
> > If I understand your postulate correctly: If I, the user, encrypt a
> > message with algorithm X and the cipher text is intercepted by the
> > attacker. The attacker can make his chances of brute forcing the text
> > BETTER by encrypting my cipher text with algorithm Y. This simply
> > does not hold up.
>
> <snip>
>
> However, the weakness typically occurs when the same (or otherwise
> equivalent or transformed) key is used for both algorithms. You don't
> so much brute-force the text as the key in most attacks, and
> application of the same (or equivalent) key multiple times often has
> the effect of weakening the key's secretness. This often occurs by
> being able to analyse the resultant message and cutting out large
> swathes of keyspace to search based on the properties of the
> ciphertext.

Ahh...now we are talking apples to apples. Yes, the same key applied over different algorithms could create problems and provide easier cryptanalysis. I was under the impression we were talking about taking something and encrypting it with two different keys and two different algorithms.

> So an attacker applying another algorithm after the fact, not knowing
> the original key used (if he did, why would he need to break the
> ciphertext the hard way?) is unlikely to make it any easier on himself.
>
> In the case of hashing algorithms, there's one 'key' involved -- the
> plaintext -- and for password security, you don't need to retrieve the
> key necessarily, just an equivalent one. There's no guarantee that
> XORing MD5 and SHA-1 isn't going to produce something that is quite
> simple to generate equivalent plaintext for, by, for example, making it
> mathematically impossible for one bit in the resultant hash value to
> be a certain value (because MD5 and SHA-1 always set the same bit to
> the same value given the same input). That cuts your hash search space
> in half right there.

I agree.

There is value in maintaining two completely different data points by hashing the item with two functions though (but not XORing the result together). For example: EVEN IF hash1(x) == hash1(y), it is HIGHLY unlikely hash2(x) == hash2(y). Keeping a record of both hashes on hand provides value and strengthens your certainty of integrity by very large orders of magnitude.

-- 
Phillip Hofmeister
Re: MD5 collisions found - alternative?
On Tue, 24 Aug 2004 at 10:50:38AM -0400, Daniel Pittman wrote:
> Be aware that this sort of multi-encryption technique can lead to
> significant exposures when applied to traditional crypto; it can
> produce results that allow a vastly simpler attack on the protected
> information.
>
> I would not put my name to a recommendation about how to make a
> cryptographic product or protocol more secure unless I had sufficient
> background in the area to know the full implications of my recommended
> actions.

If I understand your postulate correctly: If I, the user, encrypt a message with algorithm X and the cipher text is intercepted by the attacker. The attacker can make his chances of brute forcing the text BETTER by encrypting my cipher text with algorithm Y. This simply does not hold up.

-- 
Phillip Hofmeister
Re: newbie iptables question
On Fri, 13 Aug 2004 at 08:13:21AM -0700, Wanda Round wrote:
> After reading that I should look through /var/log/messages, I did and
> found many lines like these:
>
>   Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
>   Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=83.36.139.197 DST=12.65.24.43 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
>
> The 12.65.24.43 was my dialup connection. The 201.129.etc and 83.36.etc
> were from Mexico and Spain. MAN iptables didn't help me at all! What
> are these lines telling me? Where can I find a simpler explanation of
> iptables logs?

It is saying a rule matched. It doesn't say what you did with the packet though, it just tells you about the packet. If you want to know what you did with it you would need to include a log-prefix in your iptables scripts.

Here is what we know:

  Interface traffic came IN on: ppp0
  The IP address the traffic came from is: 83.36.139.197
  The IP address it was destined to: 12.65.24.43
  The length of the packet was: 53 bytes
  The Type of Service flag was set to null (00)
  The SYN flag was set, this was a connection attempt
  The IP ID field (for IP fragmentation) was: 19155
  The layer 4 protocol was: TCP
  The layer 4 port was (source): 4346
  The layer 4 port destination was: 445
  The size of the TCP window was: 16384 bytes

Shorter version: Someone from 83.36.139.197 tried to connect to 12.65.24.43 (presumably you) on port 445 via interface ppp0. We cannot deduce what action was taken by your computer because you (or your IPTABLES interface program) did not log this. It is for this reason I run my own IPTABLES script and edit it by hand (pretty masochistic, huh?). My guess is this packet was related to an automated attack (worm).

Hope this helps,

-- 
Phillip Hofmeister
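As an added illustration, not code from the original thread, here is a small Python parser that pulls the KEY=VALUE fields and bare flag tokens (DF, SYN, ...) out of kernel LOG lines such as the two quoted above, and prints the same kind of one-line summary. The syslog prefix layout is the klogd format shown in the post; the short port-name table and the function names are my own assumptions.

```python
import re
from collections import Counter

# Sample input: the two kernel log lines quoted in the post above.
SAMPLE_LOG = """\
Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=83.36.139.197 DST=12.65.24.43 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# syslog line as written by klogd: "<Mon> <day> <time> <host> kernel: <rest>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}

# Assumption: a short table of well-known destination ports, only to make summaries readable.
PORT_NAMES = {22: "ssh", 25: "smtp", 80: "http", 135: "msrpc",
              139: "netbios-ssn", 445: "microsoft-ds (SMB)"}


def parse_iptables_log(line):
    """Return a dict of the KEY=VALUE fields plus a 'flags' set for bare tokens,
    or None if the line is not an iptables LOG entry."""
    m = SYSLOG_RE.match(line.strip())
    if not m or "IN=" not in m.group("rest"):
        return None
    # Everything before the first IN= is the --log-prefix the rule was given.
    prefix, _, fields = m.group("rest").partition("IN=")
    rec = {"timestamp": m.group("ts"), "host": m.group("host"),
           "prefix": prefix.strip(), "flags": set()}
    for tok in ("IN=" + fields).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = int(value) if key in INT_FIELDS and value else value
        else:
            rec["flags"].add(tok)          # DF, SYN, ACK, ... carry no '='
    return rec


def summarize(rec):
    """One-line human-readable version, in the spirit of the 'shorter version' above."""
    flags = rec["flags"]
    kind = "connection attempt (SYN)" if "SYN" in flags and "ACK" not in flags else "packet"
    dpt = rec.get("DPT")
    service = PORT_NAMES.get(dpt, "")
    port_text = f"{dpt} {service}".rstrip()
    return (f"{rec['timestamp']}: {rec.get('PROTO', '?')} {kind} from "
            f"{rec.get('SRC')}:{rec.get('SPT')} to {rec.get('DST')}:{port_text} "
            f"in on {rec.get('IN')}; the LOG target records the match, not the verdict")


def count_attempts(log_text):
    """Count (source, destination port) pairs for SYN packets; many sources hitting
    one port is the usual signature of an automated scanner or worm."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_iptables_log(line)
        if rec and "SYN" in rec["flags"]:
            hits[(rec["SRC"], rec["DPT"])] += 1
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(summarize(parse_iptables_log(line)))
    print(count_attempts(SAMPLE_LOG))
```

Feed it `grep 'iptables' /var/log/messages` and `count_attempts` gives a quick picture of which ports are being hammered; as the post says, the verdict (DROP, REJECT, ACCEPT) is only recoverable if each rule's `--log-prefix` encodes it.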
Re: pgp in Debian: obsolete?
On Thu, 12 Aug 2004 at 03:35:29AM -0400, Matthias Urlichs wrote:
> Hi,
>
> Phillip Hofmeister wrote:
> > If you wanted to make a second version of GPG and place it in
> > non-free, that would likely be an acceptable option.
>
> You don't need to make a second version of GPG; the IDEA module can be
> loaded dynamically.

Then the module would need to be in non-free.

-- 
Phillip Hofmeister
Re: pgp in Debian: obsolete?
On Tue, 10 Aug 2004 at 05:51:19PM -0400, Rick Moen wrote:
> Quoting Ian Beckwith ([EMAIL PROTECTED]):
> > Do you have links to documentation of these issues or where to get
> > the pirated versions? How pirated/illegal are they? License
> > permitting, I could maybe take patches from them.
>
> Quoting the licence for pgpi 6.5.8:
>
>   The source code contained herein is not intended to allow the
>   development of source code or software for commercial distribution.
>   No modifications to the source code contained in this book are
>   allowed and any further redistribution of the source code in any
>   modified form is expressly prohibited.

Which is a clear violation of the social contract. If you wanted to make a second version of GPG and place it in non-free, that would likely be an acceptable option.

-- 
Phillip Hofmeister
Re: mod_ssl 2.8.19 for Apache 1.3.31
On Mon, 19 Jul 2004 at 03:33:40PM -0400, Peter Holm wrote:
> as you can see [1] there was a problem with mod_ssl. Are there any
> security updates for woody? I see nothing with apt-get upgrade, am I
> doing something wrong? Or do I have to install a new mod_ssl package
> myself? my understanding of the debian packaging system was that I
> will NOT have to install packages myself as security fixes will be
> provided with apt-get update / upgrade. is this not correct?

Is this line in your /etc/apt/sources.list (or a line like it...)?

  deb http://security.debian.org stable/updates main non-free contrib

HTH

-- 
Phillip Hofmeister
Re: A question about : [Fwd: JULY 6th Lead Training 3 tips for working leads]
On Thu, 08 Jul 2004 at 12:39:50AM -0400, Mezig wrote:
> Bayesian filters, out of Moz 1.6, and FireHol recently installed, are
> still too hard for me, sorry :(! I'm just upset at receiving, here
> also, a spam on the debian security-list... :(! By the way, have you a
> good link about bayesian filters.., my spamassassin is very cheap as
> is my english :(! i can read a little post, not all a documentation!
> To end, i thought someone could make something special against such a
> post. Sorry i mismake :(!

http://bogofilter.sourceforge.net/faq.php

There is a French version as well...

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: A question about : [Fwd: JULY 6th Lead Training 3 tips for working leads]
On Wed, 07 Jul 2004 at 06:04:17PM -0400, Mezig wrote:
> Hi
>
> Just a question: What's such a message - a spam for me :(! - supposed
> to do on the Debian security list? Isn't there a way to practice the
> security topics on our own list?
>
> Mi Beginner in Anti-spam Activism :)!

You should start by updating any Bayesian filters you have on your machine and then deleting the message. After you have done this you should probably read the archives for when this topic was beaten to death last (you won't need to look further than a few weeks/months). Also, try not to do the spammers a favor by posting their original message back to the list.

HTH,

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: Why not push to stable?
On Sat, 26 Jun 2004 at 08:52:47AM -0400, martin f krafft wrote:
> After all, stable without security.d.o is a bad idea. Therefore, there
> will be only few exceptions of systems that don't have both in
> sources.list. So then I ask what the advantages are of keeping stable
> static at all costs? It seems to me to be somewhat purely academic.

This is why at install time people are asked "Would you like to add s.d.o to your apt sources?" As strange as it may seem, some people may not. By following your suggestion we would be forcing this behavior on them. People use Debian (partially) because they like the wide range of control it offers them. If you take away some of that control then it diminishes the reason why some ppl prefer Debian.

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: Unusual spam recently - hummm
On Thu, 03 Jun 2004 at 12:57:46PM -0400, Alvin Oga wrote:
> - email from [EMAIL PROTECTED] should be bounced since it's not coming
>   from bresnan.net

This is a bad suggestion. My ISP requires us (by blocking port 25 outbound) to use their SMTP server. Therefore I cannot connect to the normal SMTP server for the zionlth.org domain. Implementing your suggestion widespread would cause my emails (and all emails from people in my situation) to be rejected just because their ISP has their head on backwards and thinks blocking port 25 outbound will reduce spam abuse.

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: Unusual spam recently - hummm
On Thu, 03 Jun 2004 at 04:10:30PM -0400, s. keeling wrote:
> > I don't use spamassassin, just bogofilter. Here is my relevant
> > procmailrc snippet...
>
> Downloading it now, thanks. Hopefully this gets me back to a
> maintainable system without all the exception handling, whitelisting,
> false positives etc.

Let me warn you. Bogofilter requires training a database. You may not get accurate results for the first few weeks or a month+ (depending on your spam volume and your ham volume). It would be great if you have a handful of a few hundred spam messages and a few hundred ham messages to shoot at it right away. Use cat to pipe the messages/MBOX files through "bogofilter -n" and "bogofilter -s".

I would adjust the ~/.bogofilter.cf defaults as well. Here is mine:

  robx= 0.415000
  robs= 0.01
  min_dev = 0.10
  ham_cutoff = 0.50
  spam_cutoff = 0.70
  block_on_subnets = yes
  replace_nonascii_characters = no
  timestamp=Y
  spam_header_name = X-Bogosity
  header_format = %h: %c, tests=bogofilter, spamicity=%p, version=%v
  terse_format = %1.1c %f
  log_header_format = %h: %c, spamicity=%p, version=%v
  log_update_format = register-%r, %w words, %m messages
  spamicity_tags= Yes, No, Unsure
  spamicity_formats = %0.6f, %0.6f

If you are interested I can try bzip2ing my wordlist.db and sending it to you via http. Email me off-list if you would like this. This database is of course tuned to MY spam preferences. I have found it very reliable (for me).

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: Unusual spam recently - hummm - postprocess
While I am sure finding out whose is bigger is exciting to you, I feel comfortable in speaking for the rest of the list when I say this thread has become WAY OT. Please mark it as such (in the subject) or take your discussion elsewhere.

Thanks

On Thu, 03 Jun 2004 at 09:11:57PM -0400, Rick Moen wrote:
> Quoting Michael Stone ([EMAIL PROTECTED]):
> > On Thu, Jun 03, 2004 at 05:32:17PM -0700, Rick Moen wrote:
> > > Was there a particular part of the immediately preceding reference
> > > to SPF that you didn't get, or was it the concept as a whole?
> >
> > I get the concept of vaporware. Seen a lot of it over the years.
>
> Sorry to hear about your sysadmin shortage, then.
>
> --
> Cheers,                     "Bu^so^stopu min per kulero."
> Rick Moen
> [EMAIL PROTECTED]

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: Unusual spam recently - hummm
On Thu, 03 Jun 2004 at 07:26:30PM -0400, s. keeling wrote:
> > Let me warn you. Bogofilter requires training a database. You may not
>
> Much appreciated. That prompted me to read the man page before I let it
> bite me. :-)

NP.

> > handful of a few hundred spam messages and a few hundred ham messages
> > to shoot at it right away. use cat to pipe the messages/MBOX files
> > through bogofilter -n and bogofilter -s.
>
> That would be "bogofilter -Mn ~/Mail/spam" for mbox style, no?

Yes, the -M option would indicate to bogo that this is an MBOX.

> > If you are interested I can try bzip2ing my wordlist.db and sending
> > it to you via http. Email me off-list if you would like this. This
>
> Again, much appreciated. I'll just start banging my head on it and see
> what I can come up with.

You can visit http://www.spamarchive.org/ and download other people's spam to train your filters <G>.

Warning: Just throwing a bunch of spam at your filters w/o giving it any ham will likely result in falsely high bogosity scores (false-rejects) since there are no ham tokens to reduce the score.

HTH,

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
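The ~/.bogofilter.cf values quoted earlier in this thread (robx, robs, min_dev, ham_cutoff, spam_cutoff and the Yes/No/Unsure tags) and the warning above about training on spam alone can both be seen at work in a small Bayesian classifier. The Python below is an added example, not bogofilter's code: it implements Robinson's per-token scoring and geometric-mean combining (bogofilter's original combining method) with those settings, trains on a constructed six-message corpus, and shows a legitimate message being tagged spam when only spam has been registered and tagged ham once ham is registered too. The corpus, message texts and class names are my own.

```python
import math
import re
from collections import Counter

# Settings mirroring the ~/.bogofilter.cf values quoted in the thread.
ROBX = 0.415        # score assumed for a token never seen in training
ROBS = 0.01         # how strongly that prior resists evidence (pseudo-count)
MIN_DEV = 0.10      # tokens scoring within 0.5 +/- MIN_DEV are skipped as uninformative
HAM_CUTOFF = 0.50
SPAM_CUTOFF = 0.70

TOKEN_RE = re.compile(r"[a-z][a-z0-9'-]{2,}")


def tokenize(text):
    # Each token counted once per message (a simplification of bogofilter's lexer).
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_counts = Counter()   # token -> number of spam messages containing it
        self.ham_counts = Counter()    # token -> number of ham messages containing it
        self.nspam = 0
        self.nham = 0

    def register(self, text, is_spam):
        """Equivalent of `bogofilter -s` (spam) and `bogofilter -n` (ham)."""
        if is_spam:
            self.spam_counts.update(tokenize(text))
            self.nspam += 1
        else:
            self.ham_counts.update(tokenize(text))
            self.nham += 1

    def token_score(self, tok):
        """Robinson's f(w): spam probability of a token, shrunk toward ROBX by ROBS."""
        s, h = self.spam_counts[tok], self.ham_counts[tok]
        n = s + h
        if n == 0:
            return ROBX
        b = s / self.nspam if self.nspam else 0.0   # fraction of spam containing tok
        g = h / self.nham if self.nham else 0.0     # fraction of ham containing tok
        p = b / (b + g)                              # with no ham registered, g == 0 and p == 1
        return (ROBS * ROBX + n * p) / (ROBS + n)

    def spamicity(self, text):
        scores = [f for f in map(self.token_score, tokenize(text)) if abs(f - 0.5) >= MIN_DEV]
        if not scores:
            return ROBX
        n = len(scores)
        # Robinson's geometric-mean combining of the individual token scores.
        P = 1.0 - math.exp(sum(math.log(1.0 - f) for f in scores) / n)
        Q = 1.0 - math.exp(sum(math.log(f) for f in scores) / n)
        return (1.0 + (P - Q) / (P + Q)) / 2.0

    def classify(self, text):
        """Return (tag, score) using the spamicity_tags / cutoffs from the config."""
        score = self.spamicity(text)
        tag = "Yes" if score >= SPAM_CUTOFF else "Unsure" if score >= HAM_CUTOFF else "No"
        return tag, score


# Constructed training corpora, tiny on purpose.
SPAM_CORPUS = [
    "please claim your free prize now",
    "your account needs your attention now order now",
    "cheap pills free shipping please order now",
]
HAM_CORPUS = [
    "please review your patch before the meeting tomorrow",
    "can we move the meeting to tomorrow",
    "your kernel patch looks fine thanks",
]
HAM_TEST = "please send your patch before the meeting tomorrow"
SPAM_TEST = "claim your free prize now please"


def demo():
    """Train on spam only, classify a legitimate message, then add ham and classify again."""
    bf = BayesFilter()
    for msg in SPAM_CORPUS:
        bf.register(msg, is_spam=True)
    spam_only = bf.classify(HAM_TEST)       # 'please' and 'your' seen only in spam -> "Yes"
    for msg in HAM_CORPUS:
        bf.register(msg, is_spam=False)
    with_ham = bf.classify(HAM_TEST)        # ham tokens now pull the score down -> "No"
    real_spam = bf.classify(SPAM_TEST)      # genuine spam still scores "Yes"
    return spam_only, with_ham, real_spam


if __name__ == "__main__":
    for label, (tag, score) in zip(("spam-only", "with ham", "real spam"), demo()):
        print(f"{label:10s} X-Bogosity: {tag}, spamicity={score:0.6f}")
```

With only spam registered every word the legitimate message shares with the spam corpus ("please", "your") has p = 1, so the message scores above spam_cutoff; once ham containing the same everyday words is registered those tokens drop toward 0.5 and are discarded by min_dev, and the remaining ham-only tokens carry the verdict.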
Re: Unusual spam recently - hummm
On Thu, 03 Jun 2004 at 01:32:55PM -0400, s. keeling wrote:
> Assuming my incoming mail is POPped off my ISP's mailhost and my
> outgoing mail goes to my ISP's mailhost, how do I implement this? If I
> can't, what does my ISP have to do to implement this? Is it feasible
> for busy sites to implement this or is this going to cost them too
> much, in comparison to simply accepting it and dropping it? In other
> words, what's my ISP's busy admin likely to say when I suggest this?
> That's at least one good reason why this crap gets through. I'd love to
> implement this, or have my ISP implement this, but I doubt it's going
> to happen soon.
>
> User-Agent: Mutt/1.3.28i

You use Mutt, a wonderful MUA if I must say so myself...

I don't know how you currently handle your email, whether you use IMAP folders in Mutt or fetchmail to fetch your mail and store it locally. If you do the latter you can easily implement bogofilter and spamassassin on your local machine. I have all my suspect email deposited in ~/Mail/Junk. I don't use spamassassin, just bogofilter. Here is my relevant procmailrc snippet...

  :0 f
  | bogofilter -p -u -l

  :0 c
  * ^X-Bogosity: Yes
  Mail/Junk

  :0:
  * ^X-Bogosity: Unsure
  Mail/Unsure

Hope this helps!

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: grsecurity2 and per-user tmp dirs
On Sat, 22 May 2004 at 01:11:30PM -0400, funky soul wrote:
> hi folx
>
> i have installed the grsecurity2 patches and am now running a kernel
> with CONFIG_GRKERNSEC_FIFO and CONFIG_GRKERNSEC_LINK ON. users cannot
> write to /tmp directly which is fine. now i want per-user tmp dirs
> like /tmp/$USER. alas $TMPDIR seems to be ignored. any hints?

CONFIG_GRKERNSEC_FIFO and CONFIG_GRKERNSEC_LINK DO NOT prevent writing to /tmp. Read the Configure.help:

  CONFIG_GRKERNSEC_FIFO
  If you say Y here, users will not be able to write to FIFOs they don't
  own in world-writable +t directories (i.e. /tmp), unless the owner of
  the FIFO is the same owner of the directory it's held in. If the
  sysctl option is enabled, a sysctl option with name "fifo_restrictions"
  is created.

  CONFIG_GRKERNSEC_LINK
  If you say Y here, /tmp race exploits will be prevented, since users
  will no longer be able to follow symlinks owned by other users in
  world-writable +t directories (i.e. /tmp), unless the owner of the
  symlink is the owner of the directory. users will also not be able to
  hardlink to files they do not own. If the sysctl option is enabled, a
  sysctl option with name "linking_restrictions" is created.

CONFIG...LINK deals with symlinks. Users (even root) cannot follow a symlink created by a user who does not own the file they are linking to (in a globally writable +t directory) UNLESS the owner of the symlink is the owner of the globally writable +t directory. In most cases, the owner of /tmp would be root. This is done so another user will not predict a tmp file you will open and then create a symlink to a file they want you to edit/corrupt, IE: ~/something...

CONFIG_GRKERNSEC_FIFO does similar things except it deals with FIFOs. This is done so someone does not create a FIFO with the name of a tmp file they are predicting you will open and then you write all your information to THEIR FIFO.

I hope this helps.

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
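The two grsecurity options explained above enforce this in the kernel for every process; a program can refuse the same predictable-name trick on its own, on a stock kernel, by creating its temporary files with O_CREAT|O_EXCL (plus O_NOFOLLOW where available) and checking what it got. The Python below is an added example, not part of the original message or of grsecurity: it builds a scratch directory with a symlink and a FIFO already sitting under predictable temp names, shows the open being refused with the symlink's target left untouched, and shows a fresh name being created mode 0600. The directory layout, file names and function names are my own.

```python
import os
import shutil
import stat
import tempfile

# O_NOFOLLOW is not on every platform; O_EXCL alone already refuses an existing symlink.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def open_private_file(path, mode=0o600):
    """Create a brand-new file at `path`, readable and writable by the caller only.

    O_EXCL makes the open fail if anything already exists at that name (a planted
    symlink, FIFO or file) and O_NOFOLLOW refuses to traverse a symlink as the last
    component.  The fstat check afterwards is belt-and-braces: confirm we hold a
    regular file that we own before writing anything into it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW
    fd = os.open(path, flags, mode)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
        os.close(fd)
        raise OSError("unexpected file type or owner after create")
    return fd


def write_private(path, data):
    """Write `data` to a new private file, reporting rather than following a planted name."""
    try:
        fd = open_private_file(path)
    except FileExistsError:
        return "refused: something already exists at that name"
    except OSError as exc:
        return f"refused: {exc.strerror or exc}"
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return "ok"


def demo():
    """Constructed scenario: a scratch directory where predictable temp names have
    already been pointed at a file we would not want overwritten, and at a FIFO."""
    scratch = tempfile.mkdtemp(prefix="tmpdemo.")
    try:
        victim = os.path.join(scratch, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("original\n")
        planted_link = os.path.join(scratch, "app.12345.tmp")   # guessable name -> symlink
        os.symlink(victim, planted_link)
        planted_fifo = os.path.join(scratch, "app.12346.tmp")   # guessable name -> FIFO
        os.mkfifo(planted_fifo)
        fresh = os.path.join(scratch, "app.99999.tmp")          # nothing planted here

        results = {
            "symlink": write_private(planted_link, b"new contents\n"),
            "fifo": write_private(planted_fifo, b"new contents\n"),
            "fresh": write_private(fresh, b"new contents\n"),
        }
        with open(victim) as fh:
            results["victim_content"] = fh.read()
        results["fresh_mode"] = stat.S_IMODE(os.stat(fresh).st_mode)
        return results
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15s} {value!r}")
```

In practice `tempfile.mkstemp()` (or `mkstemp(3)` in C) does exactly this open with a random name, so the two layers complement each other: the kernel option stops every program on the box, and the O_EXCL discipline stops the one you are writing even where that option is absent.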
Re: debian and viruses ...
On Wed, 19 May 2004 at 03:19:46PM -0400, Marcin wrote:
> Hello,

Greetings!

> I am trying to find a solution for finding viruses in my LAN networks.
> I am administrator of an ISP router (generally Debian of course), and
> in the LAN there is a little storm of viruses, trojans, spammers, etc
> shits ... Is there any possible method to find them? Any debian tools?
> I was thinking about snort - is it possible to configure it to detect
> this traffic? Are there anywhere examples (or ready databases) of
> virus signatures, rules, etc?

A few tools:

  Spam:  bogofilter, spamassassin
  Virus: amavisd-new and clamav (or your favorite supported antivirus
         software, clam just happens to be O/S and free...)

HTH,

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: Woody Backport of tripwire
On Fri, 23 Apr 2004 at 11:07:23AM -0400, Lupe Christoph wrote:
> I recently did a backport, but it's not up for download. I could mail it to you, or you can do it yourself from the package source. If you do that, you will need to use
>   CXX=g++-3.0 GCC=gcc-3.0 dpkg-buildpackage -rfakeroot -us -uc
> (or similar). g++ 2.95 will not do.

Thanks for shedding light on this. I had g++ installed (2.95) and it kept telling me no C++ compiler, and I was getting quite frustrated (what the ^*^*(%(* do you mean no compiler, g++ is working?!?!?!). I did not realize 3.0+ was needed. The build dependencies did not specify that. I might file a bug against tripwire for that build dependency.

Thanks.

-- Phillip Hofmeister
Re: Woody Backport of tripwire
On Fri, 23 Apr 2004 at 01:19:13PM -0400, Giacomo Mulas wrote:
> On Fri, 23 Apr 2004, Phillip Hofmeister wrote:
> > I did not realize 3.0+ was needed. The build dependencies did not specify that. I might file a bug against tripwire for that build dependency.
> it is meant for sid, the default compiler in sid is 3.3. I suppose this is the reason it does not need to be specified. This is what the maintainer might tell you if you file such a bug.

It is common for woody folk to backport packages from sid/sarge to woody by compiling them using apt-get source --compile or dpkg-buildpackage. I have seen packages with build-depends of libxyz (>= 3.4). With few exceptions, most packages that require a certain version of something to build list that something as a build dependency (maybe a developer can help me out here; isn't it Debian policy to do so?). Therefore, in my mind, "it is meant for sid" is not an excuse to omit a build dependency. What is to say there won't be g++2 and g++3 packages in sarge when it is released?

-- Phillip Hofmeister
Re: Major TCP Vulnerability
On Thu, 22 Apr 2004 at 03:01:46PM -0400, no name supplied wrote:
> C) Guess. I just ran netstat, and the first outgoing connection I made after booting is using source port 1025. As it always does. Am I the only one running programs from startup scripts? Probably not.

Yet another great reason to apply the GRSecurity kernel patch: randomized source ports.

-- Phillip Hofmeister
Woody Backport of tripwire
Can anyone refer me to a woody backport of tripwire (or a version such as 2.3.1.2+)? I know it is non-free; I like it anyhow. Any help would be appreciated.

Thanks,

-- Phillip Hofmeister
Re: Major TCP Vulnerability
On Tue, 20 Apr 2004 at 02:49:48PM -0400, Thomas Sjögren wrote:
> Since the article is for subscribers only, this is a wild guess: http://www.uniras.gov.uk/vuls/2004/236929/index.htm

This article isn't anything I am going to lose sleep over. Any mission critical long term TCP connections over an untrusted network (the Internet) should already be using IPSec. As for non-mission critical connections, the two parties will just reconnect at a later time.

Also, unless the attackers know the source port of the client side of the TCP connection, this attack is useless. The only way for them to get the client/source port would be to:

A) Have access to the datastream (if this is the case, you have more to worry about than them resetting your connection).
B) Have login access to either machine and then run netstat (or a similar) utility which will tell them the information.

-- Phillip Hofmeister
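How much the source port matters for the reset attack discussed in this thread, as an added example that is not from any of the posts: the RFC 793 in-window test a receiver applies to a RST, and the number of segments a blind attacker has to send to land one, with a predictable client port (the 1025 from the netstat observation earlier in the thread) versus a port drawn from 1024..65535 as a port-randomising kernel would do. The 65535-byte advertised window, that port range and the hidden sequence number used in the simulation are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 793 acceptability test for a segment carrying no data, which is what a RST
 * is: accepted iff RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND.  The subtraction is done
 * in uint32_t so the window may straddle the 2^32 wraparound. */
int seq_in_window(uint32_t seg_seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return (uint32_t)(seg_seq - rcv_nxt) < rcv_wnd;
}

/* Strides of one window needed to cover the whole 32-bit sequence space. */
uint64_t strides_for_window(uint32_t rcv_wnd)
{
    return (((uint64_t)1 << 32) + rcv_wnd - 1) / rcv_wnd;
}

/* Worst-case number of RST segments a blind attacker must send: one stride walk
 * for every candidate client port.  A predictable port means exactly one walk. */
uint64_t blind_rst_worst_case(uint32_t rcv_wnd, uint64_t candidate_ports)
{
    return strides_for_window(rcv_wnd) * candidate_ports;
}

/* Simulates the attack against one hidden connection.  The attacker knows both
 * addresses and the server port but neither the client's source port nor RCV.NXT,
 * so it tries each candidate port and, for each, sends RSTs with SEG.SEQ stepped
 * by the window.  Returns how many segments were sent before one landed in the
 * window, or 0 if the real port was not among the candidates. */
uint64_t simulate_blind_rst(uint16_t true_port, uint32_t true_rcv_nxt,
                            uint32_t rcv_wnd, uint16_t first_port, uint16_t last_port)
{
    uint64_t sent = 0, strides = strides_for_window(rcv_wnd);
    for (uint32_t port = first_port; port <= last_port; port++) {
        uint32_t guess = 0;
        for (uint64_t k = 0; k < strides; k++, guess += rcv_wnd) {
            sent++;
            if (port == true_port && seq_in_window(guess, true_rcv_nxt, rcv_wnd))
                return sent;
        }
    }
    return 0;
}

int main(void)
{
    const uint32_t wnd = 65535;            /* assumed advertised window */
    printf("window %u: %llu strides per candidate port\n", wnd,
           (unsigned long long)strides_for_window(wnd));
    printf("predictable port 1025: worst case %llu segments\n",
           (unsigned long long)blind_rst_worst_case(wnd, 1));
    printf("random port 1024..65535: worst case %llu segments\n",
           (unsigned long long)blind_rst_worst_case(wnd, 65535 - 1024 + 1));
    /* Hidden RCV.NXT 0x12345678 is a constructed value for the simulation. */
    printf("simulated hit on port 1025 after %llu segments\n",
           (unsigned long long)simulate_blind_rst(1025, 0x12345678u, wnd, 1025, 1025));
    return 0;
}
```

With a predictable port the whole walk is one window's worth of strides, a few tens of thousands of segments; randomising the port multiplies that by the size of the ephemeral range, and shrinking the window or checking that a RST's sequence number is exactly RCV.NXT raises the bar further.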
Re: Major TCP Vulnerability
On Tue, 20 Apr 2004 at 06:37:50PM -0400, Steve Ramage wrote:
> Stupid question, I don't understand how IPSec is secure. Can't you just kill the IPSec connection, or is IPSec connectionless? As I understand it you have [TCP HEADER | TCP DATA] in a TCP packet. With IPSec you have [TCP HEADER | encrypted([TCP HEADER | TCP DATA])] that you could still kill.

IPSec uses AH (Auth Headers) to authenticate packets using encryption/signing. These packets are the outer packets. The encapsulated packets would still be vulnerable, but all information about these packets is encrypted. Furthermore, the IPSec endpoints will typically not allow packets through from a peer network unless they come via the IPSec tunnel (at least properly configured setups won't...). Once the connection is on the LAN side of either IPSec endpoint it is once again vulnerable to intruders on the LAN. IPSec will get you across the untrusted Internet though (unless someone pulls the plug at OSI layer 1 or 2...)

Hope this answers your question.

-- Phillip Hofmeister
Re: Eterm others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
I believe that the permissions are changed to allow a logged in user to access that terminal. The permissions are handled and reset by the appropriate login service.

  [EMAIL PROTECTED]:~$ ls -lh /dev/pts/3
  crw------- 1 plhofmei tty 136, 3 Apr 19 16:47 /dev/pts/3
  [EMAIL PROTECTED]:~$

Other than that... I have always noted the /dev/tty and /dev/pts devices to always be secured and owned by root. I have been using Debian since Potato-- (been so long, I forgot what the code name was...)

On Mon, 19 Apr 2004 at 04:15:41PM -0400, Stephen Gran wrote:
> This one time, at band camp, Matt Zimmerman said:
> > On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> > > % ssh kh
> > > [EMAIL PROTECTED]'s password:
> > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done
> >
> > The relevant permissions are more restrictive with udev:
> > crw------- 1 root root 4, 63 2004-03-17 16:23 /dev/tty63
>
> And on a newly installed sid box:
> crw------- 1 root tty 4, 63 2004-03-23 16:49 /dev/tty63
>
> No udev here. Previous installs may have had bad permissions, but current ones do not. Perhaps, Jan, if you're interested, file a bug against makedev or one of the other associated packages, asking them to check the permissions on these devices on upgrade, and correct if necessary. Seems trivial enough to do. A patch would probably not hurt.
>
> -- Stephen Gran, [EMAIL PROTECTED], Debian user, admin, and developer, http://www.debian.org

-- Phillip Hofmeister
Re: makedev: /dev/tty([0-9])* should not have 666 permissions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [EMAIL PROTECTED]:~$ ls -l /dev/tty0 crw---1 root root 4, 0 Jul 19 2002 /dev/tty0 [EMAIL PROTECTED]:~$ ls -l /dev/tty1 crw---1 root root 4, 1 Apr 18 21:03 /dev/tty1 [EMAIL PROTECTED]:~$ ls -l /dev/tty2 crw---1 root root 4, 2 Apr 18 21:03 /dev/tty2 [EMAIL PROTECTED]:~$ ls -l /dev/tty3 crw---1 root root 4, 3 Apr 18 21:03 /dev/tty3 [EMAIL PROTECTED]:~$ ls -l /dev/tty4 crw---1 root root 4, 4 Apr 18 21:03 /dev/tty4 [EMAIL PROTECTED]:~$ ls -l /dev/tty5 crw---1 root root 4, 5 Apr 18 21:03 /dev/tty5 [EMAIL PROTECTED]:~$ ls -l /dev/tty6 crw---1 root root 4, 6 Apr 18 21:03 /dev/tty6 yes, the others are 666. Does it matter? Are they used or just pointless character devices? On Mon, 19 Apr 2004 at 05:07:13PM -0400, Jan Minar wrote: Package: makedev Version: 2.3.1-58 Severity: important Tags: security Hi Please check the permissions of /dev/tty([0-9])*, they seem to be a free-for-all, which is no good. Thanks to Stephen Gran for telling me who to bug. The following patch would do, afaict: --- /sbin/MAKEDEV.ORIGMon Apr 19 22:58:21 2004 +++ /sbin/MAKEDEV Mon Apr 19 22:58:39 2004 
@@ -14,7 +14,7 @@ private= root root 0600 system= root root 0660 kmem= root kmem 0640 -tty= root tty0666 +tty= root tty0600 cons= root tty0600 vcs= root root 0600 dialout= root dialout 0660 This is the discussion on debian-security that lead to this bugreport: On Mon, Apr 19, 2004 at 04:15:41PM -0400, Stephen Gran wrote: This one time, at band camp, Matt Zimmerman said: On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote: % ssh kh [EMAIL PROTECTED]'s password: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown % echo 'Morning, Mister root, welcome to a jail 8-)' /dev/tty63 % while :; do echo -e '\033[12;63]' /dev/tty63; done The relevant permissions are more restrictive with udev: crw---1 root root 4, 63 2004-03-17 16:23 /dev/tty63 And on a newly installed sid box: crw---1 root tty4, 63 2004-03-23 16:49 /dev/tty63 No udev here. Previous installs may have had bad permissions, but current ones do not. Perhaps, Jan, if you're interested, file a bug against makedev or one fo the other associated packages, asking them to check the permissions on these devices on upgrade, and correct if necessary. Seems trivial enough to do. A patch would probably not hurt. -- System Information Debian Release: 3.0 Architecture: i386 Kernel: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 Versions of packages makedev depends on: ii base-passwd 3.4.1 Debian Base System Password/Group - -- Phillip Hofmeister PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAhEP5S3Jybf3L5MQRAtfuAJ40TFzSQFCNN0UmbyQtM2QM0mSrUACgjmY2 ssBFqnnpuHMCHOf3qbaKiU4= =2O8y -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
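Review bot: the hunk changes the `tty` class, so every node MAKEDEV creates with `$tty` goes from 0666 to 0600, not only the /dev/tty[0-9]* nodes the report is about; before applying it, list which nodes use that class, because if the controlling-terminal device /dev/tty is among them an unprivileged process could no longer open its own terminal. The same table already carries `cons= root tty 0600` for console nodes, so the narrower fix is to create the numbered virtual consoles with `$cons` (or a new class that covers only them) and leave `tty=` at its current value; a changelog line naming which nodes change mode would also help anyone whose setup depends on the old permissions.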
Re: suid
On Sat, 17 Apr 2004 at 08:28:03AM -0400, Mario Ohnewald wrote:
> On Saturday 17 April 2004 01:33, Bernd Eckenfels wrote:
> > In article [EMAIL PROTECTED] you wrote:
> > > > -rwsr-xr-x 1 root root 22460 Oct 1 2001 /usr/bin/crontab
> > > yes, because only in this condition normal user can set crontab rules.
> > this depends on the cron used. The cron in question needs to restrict the access to the spool directory because it is shared. One could change the owner of the crontab file, but then it is hard to atomically replace the file without write access to the spool dir. The best solution is to have the crontab in a user owned directory.
> That sounds good!

IMHO, this would be bad. The cron daemon would have to sanitize the input of the crontab each time it checks the file for running (presumably every minute, unless there is a way of notifying the cron daemon of a new crontab). The default crontab in Debian creates a file in /tmp, the user modifies it using their favorite editor, saves it, and crontab then performs a sanity check on it. If all is good it copies the file into the crontab directory and notifies the daemon of the new crontab. I think the current system works well...

-- Phillip Hofmeister
Bug #243954: DoS on Linux kernel 2.4 and 2.6 using sigqueue overflow
All,

I am bringing this issue before you for discussion and guidance. There is a security issue described in the mentioned bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=243954

Please review the bug and contribute if you have any suggestions. If you contribute, please be sure to CC the bug report. At question here is where this bug should be directed: the kernel pseudo-package or glibc (linuxthreads).

Credits: Thanks to Matt Zimmerman and Herbert Xu for contributing already.

Thanks,

-- Phillip Hofmeister
Re: Bug #243954: DoS on Linux kernel 2.4 and 2.6 using sigqueue overflow
For convenience, below is the original issue as it was posted on BugTraq...

Bugtraq Post
From: Nikita V. Youshchenko [EMAIL PROTECTED]
To: bugtraq@securityfocus.com
Subject: Possible DoS on Linux kernel 2.4 and 2.6 using sigqueue overflow.
Date: Mon, 12 Apr 2004 06:06:04 -0400
User-Agent: KMail/1.5.4

Hello.

We faced a bug (?) in the Linux kernel causing different misbehaviours on our server. After exploration, it seems that we found some security implications of this issue.

When a process exits, its parent is notified by SIGCHLD, and the finished child is kept in the process table in zombie state until the parent process (or init, if the parent has already ended) handles the child exit. Similarly, with linuxthreads, when a thread exits, another thread in the same process is notified by signal 33 (SIGRT_1), and the exited thread exists in the process table in zombie state until the exit is handled.

When a signal that notifies about exit is generated by the kernel, kernel code allocates a struct sigqueue object. This object keeps information about the signal until the signal is delivered. Only a limited number of such objects may be allocated at a time. There is some code in the kernel that still allows signals with numbers less than 32 to be delivered when a struct sigqueue object can't be allocated. However, for signal 33 the signal generation routine just returns -EAGAIN in this case. As the result, the process is not notified about thread exits, and the ended thread is left in zombie state. Details are at http://www.ussg.iu.edu/hypermail/linux/kernel/0404.0/0208.html

For long-living processes that create short-living threads (such as mysqld), this causes process table overflow in several minutes.

struct sigqueue overflow may be easily caused from userspace, if a process blocks a signal and then receives a large number of such signals. The following sample code does that:

    #include <signal.h>
    #include <unistd.h>
    #include <stdlib.h>

    int main()
    {
        sigset_t set;
        int i;
        pid_t pid;

        /* Block real-time signal 40 so every copy stays queued, each holding a struct sigqueue. */
        sigemptyset(&set);
        sigaddset(&set, 40);
        sigprocmask(SIG_BLOCK, &set, 0);

        /* Send 1024 copies to ourselves; none is delivered, so none is freed. */
        pid = getpid();
        for (i = 0; i < 1024; i++)
            kill(pid, 40);

        /* Stay alive so the pending queue is never drained. */
        while (1)
            sleep(1);
    }

So if a user runs such code (or just runs a buggy program that blocks a signal and then receives 1000 such signals - which happens here), this will cause a DoS against anything running on the same system that uses linuxthreads, including daemons running as root.

On systems that use NPTL (such as the Linux 2.6 kernel) there is no 'thread zombie' problem, because in NPTL another notification mechanism is used. However, DoS is still possible (and really happens - in the form of daemon crashes), because when it is not possible to allocate a struct sigqueue object, kernel behaviour in signal-passing changes, causing random hangs and segfaults in different programs.
/Bugtraq Post

-- Phillip Hofmeister
Re: [SECURITY] [DSA 479-1] New Linux 2.4.18 packages fix local root exploit (source+alpha+i386+powerpc)
If you checked the referenced CVE numbers you should be able to tell when the exposure first occurred (or close to it).

On Wed, 14 Apr 2004 at 04:30:16PM -0400, Jan Löhr wrote:
> Greetings,..
>
> On Wednesday, 14 April 2004 20:57, you wrote:
> > Jan Löhr [EMAIL PROTECTED] writes:
> > > Greetings,
> > Okay... This is the result of a cursory check, do your homework, yada, yada...
>
> Thanks for doing so ;) Anyway, this wasn't the intention of my post. My point is, that five local root exploits at once are a little bit scary, as far as there are no patch-days for Debian ;). So I'd like to know which of them might have been fixed earlier. It's just my interest to track the linux-sec-efforts from my point of view.
>
> Keep smiling
> yanosz

-- Phillip Hofmeister
Re: Does apt check gpg signatures before install
On Mon, 29 Mar 2004 at 01:39:00PM -0500, Florian Weimer wrote:
> apt 0.6 (available in experimental) checks the signatures on the Release files.

Is there a backport of this apt to stable?

-- Phillip Hofmeister
Re: kernel 2.4.22 patch
Re: mozilla - the forgotten package?
On Thu, 11 Mar 2004 at 12:24:15PM -0500, Matt Zimmerman wrote:
> This introduces a whole new set of problems, given Mozilla's upgrade history (not preserving user configuration data, breaking compatibility with dependent applications, etc.)

We could offer a second Mozilla package, leaving the current one in place for compatibility's sake.

-- Phillip Hofmeister
Re: How to tell what process accessed a file
On Sat, 14 Feb 2004 at 01:31:52PM -0500, Wade Richards wrote:
> Hi,
>
> This isn't a major problem for me, but since it's related to auditing file access, I thought the security people would have an answer.
>
> Every once in a while I get a bunch of errors because some process tried to access my CDROM, triggering automount when there's no disk in the drive. I'd like to figure out what program is doing this. I've already spent a lot of time searching through my cron logs, to no avail.
>
> Is there any way to audit file access, so I can see (after the fact) which program was responsible for trying to view /var/autofs/misc/cd?

A few things.

1. You can see which file descriptors are currently open by running lsof. This won't help you after the fact though.

2. I believe if you compile your kernel with the GRSecurity patch (http://www.grsecurity.org) you can audit successful file opens (as one of the kernel config options). WARNING: BE PREPARED FOR A HUGE LOG FILE!

3. Myself, I audit every command that gets executed. The log has a week rotation period. In a week the log usually becomes around 90 MB (this is just a log saying what ran, not what files were opened).

Good luck!

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: How to tell what process accessed a file
On Sat, 14 Feb 2004 at 02:50:06PM -0500, hanasaki wrote:
> what package and daemon does the audit of every file executed?

As I said, it is the GRSecurity kernel patch (http://www.grsecurity.org). When you apply the patch, audits get sent to the syslog kern facility, syslog(3).

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: Which Distro?
I have not subscribed to the list in a while (A LOT of traffic) but you may wish to look at debian-devel for this conversation.

On Fri, 06 Feb 2004 at 06:08:47AM -, K.K. Senthil Velan wrote:
> Hello all,
>
> I am new to Debian and this great community. Now I am working as an Information Security engineer. My domain of work will be in C, C++, Java, Linux, Windows. We majorly do implementation of cryptographic algorithms, network packet analyzers, vulnerability assessment etc... So I would like to know how far Debian will be useful to me in a development environment. I need the entire nuts and bolts of Debian. Anybody here to help me?

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: Hacked - is it my turn? - interesting
On Tue, 03 Feb 2004 at 08:55:51AM -0500, Philipp Schulte wrote:
> nmap is not a sniffer but a portscanner. It's true that nmap is slowed down by DROP but this doesn't improve security very much and can have some annoying side effects (i.e. timeouts with ident-lookups).

$IPTABLES -A ETH0-IN -p tcp --dport 113 -j REJECT --reject-with tcp-reset

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: Hacked - is it my turn? - interesting
On Tue, 03 Feb 2004 at 09:03:31AM -0500, Rolf Kutz wrote:
> You're fooling yourself. What prevents sniffers from sending multiple packets at once[0]? And you're breaking the TCP protocol, which makes debugging much harder.

As mentioned before, it is a port-scanner. Anyhow, TCP-Reset can turn an asymmetric DoS attack/flood (one-way) into a symmetric DoS/flood because now your host is generating traffic by replying to these otherwise useless packets. You could set a limit rule on sending a TCP-Reset...I know.

I am not one that enjoys people breaking RFCs, but in this case it does make *some* sense. If someone is randomly port scanning class C's and they hit your IP, get no response from an ICMP (1) echo-request (8) and then try a few ports and get no TCP-Resets, they are likely to think you are a dead IP[1].

1. Unless they are on your subnet and they can send an ARP request for the IP and your machine responds. The statement above assumes the attacker/researcher is not on your subnet.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
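The amplification point made in this reply, as an added example rather than anything posted in the thread: a small Python model of the three choices (DROP, REJECT with tcp-reset, and REJECT behind iptables' `-m limit`, which is a token bucket whose refill rate is `--limit` and whose capacity is `--limit-burst`). The 1000-SYN-per-second flood, the 40-byte packet sizes and the 10/s, burst 5 limit are constructed inputs; the policy names, `flood`, `simulate` and `amplification` are the example's own.

```python
"""Added example (not from the thread): bytes a host sends back to a SYN
flood under DROP, REJECT --reject-with tcp-reset, and REJECT behind an
iptables-style rate limit (-m limit, modelled here as a token bucket)."""
from fractions import Fraction

# IPv4 + TCP headers with no options: the "40 headers + 0 data bytes" hping reports.
SYN_BYTES = 40
RST_BYTES = 40  # the kernel's RST is the same bare header pair


class TokenBucket:
    """Model of iptables' limit match: `rate_per_s` tokens refill per second,
    at most `burst` are stored, and a packet matches only if a token is left."""

    def __init__(self, rate_per_s: int, burst: int) -> None:
        self.rate = Fraction(rate_per_s, 1000)  # tokens per millisecond, kept exact
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def flood(packets: int, duration_ms: int) -> list[int]:
    """Constructed input: `packets` SYNs spread evenly over `duration_ms`."""
    return [i * duration_ms // packets for i in range(packets)]


def simulate(policy: str, syn_times_ms: list[int],
             rate_per_s: int = 0, burst: int = 0) -> tuple[int, int]:
    """Return (bytes_received, bytes_sent) for one flood.

    "DROP":         discard silently, nothing goes back.
    "REJECT":       answer every SYN with a RST (traffic becomes symmetric).
    "REJECT-LIMIT": RST only while the bucket has tokens, drop the rest, i.e.
                    `-m limit --limit <rate> --limit-burst <burst> -j REJECT
                    --reject-with tcp-reset` followed by a plain `-j DROP`.
    """
    if policy not in ("DROP", "REJECT", "REJECT-LIMIT"):
        raise ValueError(f"unknown policy {policy!r}")
    bucket = TokenBucket(rate_per_s, burst) if policy == "REJECT-LIMIT" else None
    received = sent = 0
    for t in syn_times_ms:
        received += SYN_BYTES
        if policy == "REJECT" or (bucket is not None and bucket.allow(t)):
            sent += RST_BYTES
    return received, sent


def amplification(policy: str, syn_times_ms: list[int], **limit) -> Fraction:
    """Bytes sent per byte received: 0 for DROP, 1 for plain REJECT."""
    received, sent = simulate(policy, syn_times_ms, **limit)
    return Fraction(sent, received) if received else Fraction(0)


if __name__ == "__main__":
    one_second = flood(1000, 1000)  # constructed: 1000 SYNs in one second
    for pol, kw in (("DROP", {}), ("REJECT", {}),
                    ("REJECT-LIMIT", {"rate_per_s": 10, "burst": 5})):
        print(pol, simulate(pol, one_second, **kw),
              float(amplification(pol, one_second, **kw)))
```

With the constructed flood, plain REJECT sends back exactly what it receives (40000 bytes for 40000 in), DROP sends nothing, and the 10/s limit with a burst of 5 answers 14 of the 1000 SYNs (the 5 stored tokens plus one per 100 ms), so the reply traffic stays bounded by the rule rather than by the attacker.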
Re: Hacked - is it my turn? - interesting
Greetings Rolf,

On Tue, 03 Feb 2004 at 06:11:34PM -0500, Rolf Kutz wrote:
> > TCP-Reset..I know. I am not one that enjoys people breaking RFCs, but in this case it does make *some* sense. If someone is randomly port scanning class C's and they hit your IP, get no response from an ICMP (1) echo-request (8) and then try a few ports and get no TCP-Resets, they are likely to think you are a dead IP[1].
>
> You would get an ICMP host-unreachable from the last router in that case.

I don't believe this is always the case.

[EMAIL PROTECTED]:~$ sudo hping 63.165.217.29 -S -p 80
Enter password for SUDO:
HPING 63.165.217.29 (eth0 63.165.217.29): S set, 40 headers + 0 data bytes

--- 63.165.217.29 hping statistic ---
56 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

[EMAIL PROTECTED]:~$ ping 63.165.217.29
PING 63.165.217.29 (63.165.217.29): 56 data bytes

--- 63.165.217.29 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

I KNOW that IP address is currently not in service (I am the network admin). I also did a tcpdump (in case hping did not report an ICMP host-unreachable received). No ICMP packets were seen...

It may be the RFC specification that an ICMP host-unreachable be sent, but in practice this is nowhere near always the case.

Note: The last router is a Cisco router maintained by an ISP. No, I am not on the same subnet as 63.165.219.29.

Take care,

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: Web based password changer
On Fri, 23 Jan 2004 at 02:24:58AM -0500, Will Aoki wrote:
> Hopefully the script would not actually invoke echo - otherwise, like anything else passed on the command line, the password will show up in the process table for anyone or anything to see.

Yet another reason to use the GRSecurity patch. It hides processes not belonging to you (unless you are root).

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
--
Excuse #194: Too much radiation coming from the soil.
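What "shows up in the process table" means in practice, as an added Linux-only example that is not from the thread: the vulnerable and the hardened way of handing a secret to a helper program, checked by reading `/proc/<pid>/cmdline` the way `ps` does. The helper is a stand-in Python child rather than `echo`, the secret value is constructed, and `pids_exposing` is the example's own name for the check; the grsecurity process hiding mentioned in the reply would make other users' entries unreadable, which this example does not model.

```python
"""Added example (not from the thread): why a password on the command line
leaks through the process table, and the stdin alternative that does not."""
import os
import subprocess
import sys


def proc_available() -> bool:
    """The checks below read /proc, so they only mean something on Linux."""
    return os.path.exists("/proc/self/cmdline")


def argv_of(pid: int) -> list[str]:
    """Read a process's argv the way ps(1) does: /proc/<pid>/cmdline, NUL-separated."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]


def pids_exposing(needle: str) -> list[int]:
    """Defender's check: which running processes carry `needle` in their argv?
    Without hidepid or grsecurity's process hiding, every local user can read this."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            if any(needle in arg for arg in argv_of(int(entry))):
                hits.append(int(entry))
        except OSError:
            pass  # the process exited, or /proc is restricted for it
    return hits


def secret_visible_when_passed_as_argument(secret: str) -> bool:
    """Vulnerable pattern: `helper <secret>`. The child (a sleeping Python
    interpreter standing in for echo/chpasswd-style helpers) gets the secret in argv."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)", secret])
    try:
        return child.pid in pids_exposing(secret)
    finally:
        child.kill()
        child.wait()


def secret_visible_when_passed_on_stdin(secret: str) -> bool:
    """Hardened pattern: argv names only the program; the secret travels over a pipe
    that only the two endpoints can read."""
    child = subprocess.Popen([sys.executable, "-c", "import sys; sys.stdin.read()"],
                             stdin=subprocess.PIPE)
    try:
        return child.pid in pids_exposing(secret)
    finally:
        child.communicate(secret.encode())  # deliver the secret, then let the child exit


if __name__ == "__main__":
    demo_secret = "hunter2-constructed"  # constructed sample value
    print("argv  :", secret_visible_when_passed_as_argument(demo_secret))
    print("stdin :", secret_visible_when_passed_on_stdin(demo_secret))
```

The same distinction applies to any setuid or web-backed helper: `chpasswd`, `smbpasswd -s` and similar tools read the new password from standard input for exactly this reason, so a web password changer should feed them through a pipe rather than interpolate the value into a command string.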
Re: suspicious smbd connections
You may wish to enable an iptables filter to block all ports except those you explicitly allow.

On Tue, 23 Dec 2003 at 01:01:01PM -0500, outsider wrote:
> Hi,
>
> Last time I frequently get messages like
>
> smbd[949]: refused connect from
>
> in my /var/log/syslog. Every time with a new IP address. What are these connections? Is somebody trying to scan me or what is the reason for these messages?
>
> Thank you in advance!

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
--
Excuse #138: Popper unable to process jumbo kernel
Re: exim virus scanning and spam scanning
On Sun, 21 Dec 2003 at 10:09:38AM -0500, hanasaki wrote:
> whats the difference between amavis-ng and milter and amavisd-new? are some going away? which one do you use for what? or clamscan directly?
>
> how can virus scanning be added? clamscan and spam Spam assassin seem to be the norms from googling. the configuration files to integrate with exim are befuddling.
>
> ##Transport section
> #ADDED FOR MAVIS AV Scan#
> amavis:
>   driver = pipe
>   command = /usr/bin/amavis -f ${sender_address} -d ${pipe_addresses}
>   prefix =
>   suffix =
>   check_string =
>   escape_string =
>   return_output = false
>   return_path_add = false
>   user = amavis
>   group = amavis
>   path = /bin:/sbin:/usr/bin:/usr/sbin
>   current_directory = /var/spool/amavis-ng
>
> ##Directors Section
> #Put this first, ORDER MATTERS!
> ###ADDED FOR MAVIS AV SCANNER
> amavis_director:
>   condition = ${if eq {$received_protocol}{scanned-ok} {0}{1}}
>   driver = smartuser
>   transport = amavis
>
> the plan is to hook a virus scanner into exim4 from sarge. any thoughts are appreciated. A copy of someone's working exim4 config would be great!
>
> how does one integrate the following with exim? And which do you folks recommend for what reasons?
>
> SPAM
> Spamassassin
> bogofilter

Definitely bogofilter. Bogofilter has the ability to learn and adjust to new spam. I would suggest you set up a set of bogofilter dbs for each user since what each user considers spam is different. Then you have your users use IMAP and create a few mailboxes for them:

MisMarkedAsGood (runs bogofilter -Ns)
MisMarkedAsBad (runs bogofilter -Sn)
MarkGood (bogofilter -n)
MarkBad (bogofilter -s)

The last two mbox files are only used if you use tristate filtering (Good, Bad, Unsure). Then you run cron jobs like this in the user's crontab...

4 4 * * * stripdaemonmail.pl ~/Mail/MisMarkedAsBad | bogofilter -Sn ; stripdaemonmail.pl ~/Mail/MisMarkedAsBad /var/mail/username ; rm ~/Mail/MisMarkedAsBad ; touch ~/Mail/MisMarkedAsBad
5 4 * * * stripdaemonmail.pl ~/Mail/MisMarkedAsGood | bogofilter -Ns ; rm ~/Mail/MisMarkedAsGood ; touch ~/Mail/MisMarkedAsGood
6 4 * * * stripdaemonmail.pl ~/Mail/MarkBad | bogofilter -s ; rm ~/Mail/MarkBad ; touch ~/Mail/MarkBad
7 4 * * * stripdaemonmail.pl ~/Mail/MarkGood | bogofilter -n ; stripdaemonmail.pl ~/Mail/MarkGood /var/mail/username ; rm ~/Mail/MarkGood ; touch ~/Mail/MarkGood

stripdaemonmail.pl (attached) is a simple perl script that removes mbox emails that are left by the imap daemon. If you find a bug in the perl script I would definitely appreciate it if you would let me know. Even though it is not formally documented the script should be considered GPL.

The user's .procmailrc (you are using procmail, yes?) can be configured like so:

--start procmailrc--
:0 f
| bogofilter -p -u -3 -l

:0:
* ^X-Bogosity: Yes
Mail/Junk

:0:
* ^X-Bogosity: Unsure
Mail/Unsure
--end procmailrc--

After this users move items in Junk to MisMarkedAsBad if it is a good email that ended up in the Junk folder. Likewise they move mails that are spam that ended up in the Inbox to MisMarkedAsGood. MarkGood/MarkBad are for emails that end up in the Unsure folder.

Hope this helps!

> VIRUS
> amavis
> amavisd-new

No comment about amavis/amavisd-new.

> clamscans

This is not related to amavis. Amavis is responsible for parsing the MIME and saving them to files in /tmp. Clamscan is then used to scan the files placed in /tmp by amavis. Clamscan has come a long way. They now have over 10,000 definitions. However, you can use commercial AVs (like Sophos) with amavis if you wish. Last I checked several months ago Sophos has over 80,000 definitions.

Hope this helps.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
--
Excuse #137: Broadcast packets on wrong frequency

stripdaemonmail.pl (attachment: Perl program)
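The mbox cleanup the crontab lines above depend on, as an added Python example; it is not the attached stripdaemonmail.pl and makes one assumption about what that script removes: the "FOLDER INTERNAL DATA" pseudo-message (carrying an X-IMAP header) that UW-IMAP's c-client leaves at the head of an mbox it manages, which would otherwise be trained into bogofilter or copied back into the inbox. The sample folder is constructed; `strip_daemon_mail`, `is_daemon_message` and `run_demo` are the example's own names.

```python
"""Added example (not the attached stripdaemonmail.pl): drop the IMAP daemon's
folder-internal pseudo-message from an mbox before feeding it to bogofilter."""
import mailbox
import os
import tempfile

# Assumption: UW-IMAP's c-client keeps folder state in a pseudo-message with this
# subject and an X-IMAP header; that is what the original script is taken to strip.
INTERNAL_SUBJECT = "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"

# Constructed sample folder: the daemon's pseudo-message followed by two real mails.
SAMPLE_MBOX = """\
From MAILER-DAEMON Sun Dec 21 04:00:00 2003
From: Mail System Internal Data <MAILER-DAEMON@mail.example.test>
Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
X-IMAP: 1071990000 0000000003
Status: RO

This text is part of the internal format of your mail folder, and is not
a real message.  It is created automatically by the mail system software.

From alice@example.test Sun Dec 21 04:01:00 2003
From: alice@example.test
To: username@example.test
Subject: lunch?

Are we still on for lunch tomorrow?

From spammer@example.test Sun Dec 21 04:02:00 2003
From: spammer@example.test
To: username@example.test
Subject: cheap meds

Buy now.
"""


def is_daemon_message(msg: mailbox.mboxMessage) -> bool:
    """True for the c-client bookkeeping message, false for anything a user could have received."""
    return "X-IMAP" in msg or msg.get("Subject", "").strip() == INTERNAL_SUBJECT


def strip_daemon_mail(src_path: str, dst_path: str) -> int:
    """Copy every real message from the mbox at src_path to the mbox at dst_path.
    Returns the number of messages kept, so a caller can notice an empty folder."""
    src = mailbox.mbox(src_path, create=False)
    dst = mailbox.mbox(dst_path)
    kept = 0
    try:
        for msg in src:
            if is_daemon_message(msg):
                continue
            dst.add(msg)
            kept += 1
        dst.flush()
    finally:
        src.close()
        dst.close()
    return kept


def subjects(path: str) -> list[str]:
    """Subjects of the messages in an mbox, in order (used to inspect the result)."""
    box = mailbox.mbox(path, create=False)
    try:
        return [m.get("Subject", "") for m in box]
    finally:
        box.close()


def run_demo() -> tuple[int, list[str]]:
    """Write the sample folder to a temp dir, strip it, and report what survived."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "MisMarkedAsBad")
        dst = os.path.join(d, "MisMarkedAsBad.stripped")
        with open(src, "w", newline="\n") as f:
            f.write(SAMPLE_MBOX)
        kept = strip_daemon_mail(src, dst)
        return kept, subjects(dst)


if __name__ == "__main__":
    print(run_demo())
```

In the cron pipeline above the stripped output is what `bogofilter -Sn` (or `-Ns`) should learn from; training on the pseudo-message would teach the classifier the daemon's boilerplate as ham or spam, and appending it to `/var/mail/username` would hand the user a bogus message.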
Re: secure file permissions
On Mon, 08 Dec 2003 at 03:16:05AM -0500, Domonkos Czinke wrote:
> Hi,
>
> I recommend using the chattr program. You should set them immutable: chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow. Man chattr.

Setting /etc/shadow +i would not be advisable as it renders your passwd command useless. Setting /etc/passwd +i renders your chsh and chfn commands useless.

Also, if someone r00ts you and they know more than someone who started using Linux last week, they'll realize the files are +i and take the +i bit off them. I fail to see how this would make things any better on your system.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #148: endothermal recalibration
Re: When will kernel-image-2.4.23 be available ?
Also, you may wish to look at the make-kpkg (kernel-package) package. It takes your stock 2.4.23 source and makes it into a nice .deb file for you.

Note: This option is for those who have a working .config file. Experience in making your own config (make (config|menuconfig|xconfig)) is recommended.

Take care

On Wed, 03 Dec 2003 at 06:42:26AM -0500, Santiago Vila wrote:
> On Tue, 2 Dec 2003, Jan H. van Gils wrote:
> > After some research I found that kernel-image-2.4.18 is patched regarding the security problem with the kernel. I am wondering when kernel 2.4.23 will be available as a package for sarge?
>
> Nobody knows for sure, but the things which should happen, in order, are:
>
> (1) The upload queue is reopened.
> (2) The maintainer uploads the packages for unstable.
> (3) The packages propagate from unstable (sid) to testing (sarge).
>
> Except for (1), this has been, almost always, the path for security upgrades to enter testing.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #198: Interference from lunar radiation
Re: apache+ssl+tomcat+jk+php
This topic might be best covered on the debian-apache list.

On Wed, 12 Nov 2003 at 11:26:23AM -0500, ilie.dumitru wrote:
> hi
>
> I have a server apache2+ssl+tomcat+jk which works fine. For 2 days I tried to add a php module but I am not able to do it. Why ??? (it works without tomcat, anyway) !
>
> Can anybody help ?
>
> regards

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #194: Too much radiation coming from the soil.
Re: apache security issue (with upstream new release)
On Sat, 01 Nov 2003 at 05:15:34PM -0500, Adam ENDRODI wrote:
> I tend to disagree, I'm afraid. The presence of remotely exploitable bugs in user applications (be it a client of some networked game, or a PDF viewer) imposes a great risk on the user, i.e. not on the system (which protects its integrity), but the user who is actually running the program. For the sake of assurance, just imagine how an accidentally executed `rm -rf /' on behalf of your desktop uid would affect the rest of the day for you..

I really hate to be the voice of technicality...but...

If you are really looking for assurance then 'rm -rf /' would not affect your day because weekly full backups and nightly incrementals should be made. If you don't have valid off-system, perhaps off-site, backups, then what kind of assurance do you really have?

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #247: Your process is not ISO 9000 compliant
Re: passwd character limitations
On Sat, 01 Nov 2003 at 07:02:49AM -0500, Lupe Christoph wrote:
> 0. With the obvious exception that C strings don't like null bytes. So try to avoid hitting the null key on your keyboard. :)

You forgot that a ':' as part of the encrypted password will cause problems ;-)

Adding to what Michael said, an MD5 hash will only contain hexadecimal digits. /[0-9a-f]/i

Even if you were to include bytes with the value 128-255, MD5 will include them into its remainder calculation...yada yada yada...and all you will get out is hexadecimal digits.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #21: Improperly oriented keyboard
Re: apache security issue (with upstream new release)
On Thu, 30 Oct 2003 at 01:59:01PM -0500, Roman Medina wrote:
> I'm not subscribed to debian-apache, neither am I going to subscribe only to ask this. If this is a security issue in Debian, why not discuss it in a Debian security ml? I repeat it: I have segfaults in my apache error-logs and this happened only recently (this week) so I probably have reasons to be scared... or not?

I believe your justification can be found at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=218188

I'm not saying I agree fully with it...but I do understand it...

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #227: You must've hit the wrong anykey.
Apache: Appears to be vulnerable to CAN-2003-0542 (WAS: apache security issue (with upstream new release))
Cc: [EMAIL PROTECTED]
Package: apache
Version: 1.3.26-0woody3
Tags: security
Severity: grave

I have checked the full bug list also. It does not appear a bug has been filed yet. Therefore I have filed a bug with this email. If you have anything additional to add, please wait until it shows up on the BTS and send the info to [EMAIL PROTECTED]

Thanks

On Wed, 29 Oct 2003 at 10:13:57AM -0500, Hideki Yamane wrote:
> Hi list,
>
> Do you know about the apache security issue?
> The apache 1.3.29 release announcement is here.
> http://www.apache.org/dist/httpd/Announcement.txt
>
> This apache 1.3 release includes a security fix.
>
> Apache 1.3.29 Major changes
> Security vulnerabilities
> * CAN-2003-0542 (cve.mitre.org)
>   Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures.

My *guess* is Woody is vulnerable to this.

> The apache 2.0.48 release announcement is here.
> http://www.apache.org/dist/httpd/Announcement2.txt
>
> and apache 2.0.48 also includes security fixes.
>
> Apache 2.0.48 Major changes
> Security vulnerabilities closed since Apache 2.0.47
> *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. [Jeff Trawick]
> *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. [Andre' Malo]

I would be less likely to believe woody is vulnerable to these since these seem to be explicitly aimed at 2.0.

> and I want to know how it goes in Debian.
> I cannot find any posts in BTS and debian-apache lists.
>
> # and when I posted the apache 2.0.47 release announcement with the vulnerability issue to BTS, the maintainer said
> # "Kindly don't submit new version bugs within about 10 minutes of the release. It's childish and unhelpful."
> # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=200593&archive=yes
> # so I don't want to post it to BTS...

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #113: Daemons loose in system.
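The announcement quoted above names the triggering configuration precisely: a regular expression in a mod_alias or mod_rewrite directive with more than 9 capturing groups. Whether a given host is exposed is therefore a question you can answer from its config before the fixed package arrives. The script below is an added example, not code from the thread or from the Apache project; it assumes one directive per line with an unquoted pattern argument, treats PCRE-style "(?..." constructs as non-capturing, and ships with a constructed sample config so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread): find mod_alias / mod_rewrite regex directives
# in an Apache config whose pattern has more than 9 capturing groups, the condition
# the 1.3.29/2.0.48 announcement names for CAN-2003-0542.
# Assumptions: one directive per line, unquoted pattern, "(?" groups non-capturing.

# awk function shared by both entry points: count capturing groups in pattern p.
# Skips escaped parens, parens inside [...] classes, and "(?..." constructs.
CAPTURE_AWK='
function captures(p,    n, esc, inbr, i, c, len) {
    n = 0; esc = 0; inbr = 0; len = length(p)
    for (i = 1; i <= len; i++) {
        c = substr(p, i, 1)
        if (esc)       { esc = 0; continue }
        if (c == "\\") { esc = 1; continue }
        if (inbr)      { if (c == "]") inbr = 0; continue }
        if (c == "[")  { inbr = 1; if (substr(p, i + 1, 1) == "]") i++; continue }
        if (c == "(" && substr(p, i + 1, 1) != "?") n++
    }
    return n
}
'

# Number of capturing groups in the single pattern $1.
count_captures() {
    printf '%s\n' "$1" | awk "$CAPTURE_AWK"'{ print captures($0) }'
}

# Print "line:directive:groups" for every regex directive in file $1 whose
# pattern has more than 9 groups. RewriteCond and a RedirectMatch with a
# status argument carry their pattern in the third field, the rest in the second.
flag_risky_regexes() {
    awk "$CAPTURE_AWK"'
    function pattern_field(    d) {
        d = tolower($1)
        if (d == "rewritecond") return 3
        if (d == "redirectmatch" && $2 ~ /^(permanent|temp|seeother|gone|[0-9]+)$/) return 3
        return 2
    }
    tolower($1) ~ /^(rewriterule|rewritecond|aliasmatch|redirectmatch|scriptaliasmatch)$/ {
        f = pattern_field()
        n = captures($f)
        if (n > 9) printf "%d:%s:%d\n", NR, $1, n
    }' "$1"
}

# Constructed sample config written to $1 (not a real site); lines 3 and 6 are the bad ones.
sample_config() {
    cat > "$1" <<'EOF'
# constructed sample
RewriteEngine on
RewriteRule ^/(a)/(b)/(c)/(d)/(e)/(f)/(g)/(h)/(i)/(j)$ /x/$1 [L]
RewriteRule ^/(foo|bar)/(.*)$ /y/$1/$2 [L]
AliasMatch ^/icons/(.*) /usr/share/apache/icons/$1
RedirectMatch permanent ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)(k)$ http://example.invalid/
EOF
}
```

Run `flag_risky_regexes /etc/apache/httpd.conf` (and any files it Includes) on a woody host; an empty result means the overflow condition is not configured, which buys time but is no substitute for the updated package, since the same count can be reached by any later edit.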
Re: chkrootkit reporting processes hidden
On Wed, 29 Oct 2003 at 02:59:17PM -0500, Michael Bordignon wrote:
> I have chkrootkit running nightly and mailing results to me - last night it reported this:
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `sniffer'... PROMISC mode detected in one of these interfaces: eth0 eth1
>
> I have no idea how to proceed further, could someone suggest the steps I should take now?

I think there is a race condition that was discussed before about rootkit checkers. First it reads in data from the ps command. It then stores this data in a buffer. Then it reads /proc (or vice versa, I forget the order). It then compares the two places. If a new process should happen to start between these two reads it will generate this message.

Now, I am not saying there is *NOT* a security problem with your machine.

AFA the PROMISC mode on the NICs...are you running snort or something of the like? If so, these NIDs (Network Intrusion Detectors) place cards in PROMISC mode to watch traffic.

Just a few things to be aware of...

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #47: Cosmic ray particles crashed through the hard disk platter
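The race described in the reply is easy to reproduce and just as easy to cancel out: take the ps and /proc snapshots several times and only believe a PID that is missing from ps in every round, since a process that merely started or exited between two reads will not be. The script below is an added example, not chkrootkit's code; the live helpers assume Linux /proc, procps `ps` and iproute2 `ip`, while the comparison and PROMISC parsing work on plain text and are exercised here with constructed input.

```shell
#!/bin/sh
# Added example (not from the thread): chkrootkit-style ps-vs-/proc comparison,
# sampled several times so a process born or gone between the two reads does not
# count, plus a PROMISC extractor to match against a known sniffer such as snort.
# Assumes Linux /proc, procps ps and iproute2 ip for the live helpers only.

# PIDs present in list $1 (one per line) but absent from list $2.
# hidden_pids proc_list ps_list  -> "hidden for ps"
# hidden_pids ps_list proc_list  -> "hidden for readdir"
hidden_pids() {
    a=$(mktemp); b=$(mktemp)
    sort -u "$1" > "$a"
    sort -u "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Intersection of several one-PID-per-line files: a PID survives only if it is in all of them.
intersect_all() {
    acc=$(mktemp); nxt=$(mktemp)
    sort -u "$1" > "$acc"; shift
    for f in "$@"; do
        sort -u "$f" | comm -12 "$acc" - > "$nxt"
        cat "$nxt" > "$acc"
    done
    cat "$acc"
    rm -f "$acc" "$nxt"
}

# Interface names whose flag list contains PROMISC, from `ip -o link` text on stdin.
promisc_ifaces() {
    awk -F': ' '$3 ~ /[<,]PROMISC[,>]/ { print $2 }'
}

# Live snapshots. The readers themselves (ls, ps) are short-lived processes,
# which is exactly the kind of noise the repeated sampling is meant to cancel.
snapshot_proc() { ls /proc | grep '^[0-9][0-9]*$'; }
snapshot_ps()   { ps -eo pid= | tr -d ' '; }

# Run the comparison $1 times (default 3), one second apart, and print the PIDs that
# /proc showed but ps did not in every round. Anything that survives deserves a look
# at /proc/PID/status from a clean boot medium, not from the suspect system's own ps.
confirm_hidden() {
    rounds=${1:-3}; i=0; files=""
    while [ "$i" -lt "$rounds" ]; do
        p=$(mktemp); s=$(mktemp); h=$(mktemp)
        snapshot_proc > "$p"
        snapshot_ps   > "$s"
        hidden_pids "$p" "$s" > "$h"
        rm -f "$p" "$s"
        files="$files $h"
        i=$((i + 1))
        if [ "$i" -lt "$rounds" ]; then sleep 1; fi
    done
    intersect_all $files
    rm -f $files
}
```

`ip -o link | promisc_ifaces` names the interfaces; `ps -eo comm=` then tells you whether snort, tcpdump or another sniffer owns them. A PROMISC flag with no sniffer process to account for it is the case the reply warns about.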
Re: How efficient is mounting /usr ro?
On Thu, 09 Oct 2003 at 04:34:12AM -0400, Tarjei Huse wrote:
> Hi,
> The Securing Debian manual suggests one should set the /usr partition to ro and use remount when you install new programs. I was just wondering how much security one gains with this. Wouldn't most hackers go after the programs in the /bin and /sbin directories anyway?

If I r00t your system I'll have access to remount it rw anyhow. Any hacker who doesn't know how to remount a file system is really lame. You may slow someone down for 3 seconds until they type:

cat /proc/mounts
(Oh, it's ro!)

and then type:

mount -o remount,rw /usr

Just my $.02...

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #34: Heavy gravity fluctuation move computer to floor rapidly
Re: How efficient is mounting /usr ro?
On Thu, 09 Oct 2003 at 01:58:40PM -0400, Brandon High wrote:
> On Thu, Oct 09, 2003 at 08:06:46AM -0400, Phillip Hofmeister wrote:
> > If I r00t your system I'll have access to remount it rw anyhow. Any hacker who doesn't know how to remount a file system is really lame. You may slow someone down for 3 seconds until they type:
>
> It'll stop a worm or automated intrusion though...

Maybe not...A worm may write itself to somewhere it has access (not /tmp, that gets cleared...) and then place a cron entry to start itself.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #226: Due to the CDA we no longer have a root account.
Re: services installed and running out of the box
On Fri, 26 Sep 2003 at 12:53:26PM -0400, Dale Amon wrote:
> Precisely. One cannot just install the packages and services one wants. One must step outside the package system to fix the problem, and continue to do so thereafter in the future. A major port service should not be installed on a system unless I specifically request its presence. There are too many packages which require things which they do not actually require.

I would consider implementing an iptables firewall (whether it be shorewall or home brewed (if you know what you are doing)) to be a bare minimum for best practices. Unfortunately (unlike RedHat and Mandrake) Debian offers no firewall as part of the default installation. My advice: have a good generic firewall shell script, use it, and place it in /etc/rc(S|2).d/ of every system you install.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #139: NOTICE: alloc: /dev/null: filesystem full
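A "good generic firewall shell script" of the kind the reply recommends is short enough to show in full. The one below is an added example, not the author's script and not shorewall; it assumes iptables with the state match and a single exposed service (SSH on tcp/22, adjustable through ALLOW_TCP), fails closed for everything else inbound, and can be dry-run by setting IPT=echo so the generated rules can be inspected before the script is dropped into /etc/rcS.d/ or /etc/rc2.d/ with a start argument.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal generic iptables firewall of the kind
# the post recommends placing in /etc/rcS.d/ or /etc/rc2.d/. Assumptions: iptables
# with the state match, SSH on tcp/22 the only service meant to be reachable.
# Set IPT=echo to print the rules instead of loading them.

IPT=${IPT:-iptables}
ALLOW_TCP=${ALLOW_TCP:-22}      # space-separated inbound TCP ports to open

apply_firewall() {
    # start from a clean slate, then fail closed: the default policy decides
    # the fate of anything no rule below accepts
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # loopback, and replies to connections this host opened itself
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # new TCP connections must begin with SYN; drop stray or forged segments early
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # the services this host is meant to expose, and nothing else
    for port in $ALLOW_TCP; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # ping, rate-limited so it cannot be used to flood the host or the log
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT

    # everything else: log a sample, then the DROP policy takes over
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

flush_firewall() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
    start) apply_firewall ;;
    stop)  flush_firewall ;;
esac
```

The order matters: the ESTABLISHED,RELATED rule sits near the top so that ordinary traffic is accepted in one lookup, and the LOG rule sits last so only packets that nothing else wanted reach it. Adding a service means adding a port to ALLOW_TCP, not editing the policy.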
Re: Will Bind9 in stable get patched?
On Sun, 21 Sep 2003 at 12:58:54PM +0200, J.H.M. Dassen (Ray) wrote:
> On Sat, Sep 20, 2003 at 11:13:35 -0700, Bill Moseley wrote:
> > Will Bind9 in stable get the delegation-only patch?
>
> Probably not. Stable only gets updated for security issues. A Bind9 with the delegation-only patch is available for woody from http://people.debian.org/~lamont/ .

Is the unstable version patched? If so one could 'apt-get source --compile -t unstable bind9'

Thanks

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #63: Daemons did it
Re: Watch out! vsftpd anonymous access always enabled!
On Mon, 22 Sep 2003 at 08:53:19AM -0400, Dale Amon wrote:
> On Mon, Sep 22, 2003 at 01:33:43PM +0200, Dariush Pietrzak wrote:
> > ssh for pretty much everything I can, and otherwise wget. I only
> >
> > Could all those security experts recommending using sftp/scp for data transfers please explain how they came to the conclusion that creating shell accounts is the best way of giving access to a few files?

Rsync doesn't require a shell account. You can run an rsyncd. WebDAV is also a great tool. You can use htpasswd to create a passwd file for apache.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #59: Only available on a need to know basis
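The rsync daemon route the reply points at needs only a module definition and a secrets file; no entry in /etc/passwd is created for the remote user. The script below is an added example rather than anything from the thread; the module name, export path, user, password and network are invented. It writes a read-only, chrooted module for one named user and checks the one thing that silently breaks such setups, the secrets file being readable by anyone but its owner, which rsyncd rejects under its default "strict modes".

```shell
#!/bin/sh
# Added example (not from the thread): serve one directory over rsyncd to one named
# user, read-only, without a Unix account. Module "dropbox", user "alice", the
# 192.0.2.0/24 client network and the paths are made up for illustration.

# Write an rsyncd.conf to $1 exporting directory $2, authenticated against secrets file $3.
write_rsyncd_conf() {
    cat > "$1" <<EOF
uid = nobody
gid = nogroup
use chroot = yes
max connections = 4
list = no

[dropbox]
    path = $2
    comment = project files (read-only)
    read only = yes
    auth users = alice
    secrets file = $3
    hosts allow = 192.0.2.0/24
EOF
}

# Write the "user:password" secrets file $1 for user $2 with password $3, owner-only.
write_secrets() {
    printf '%s:%s\n' "$2" "$3" > "$1"
    chmod 600 "$1"
}

# 0 if $1 is mode 0600 (what rsyncd's strict modes check requires), 1 otherwise.
secrets_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# The client side, for reference (needs a running daemon, so not called here):
#   rsync -av rsync://alice@host.example/dropbox/ ./dropbox/
# The WebDAV equivalent of the secrets file is created with
#   htpasswd -c /etc/apache/dav.passwd alice
# and referenced from an AuthUserFile directive in the DAV location.
```

`list = no` keeps the module out of `rsync host::`, `use chroot = yes` confines path traversal to the export, and `read only = yes` means a leaked password lets someone read the files but not plant anything; the transport is still clear-text rsync, so pair it with a tunnel or trusted network when the data itself is sensitive.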
Re: Strange segmentation faults and Zombies
On Thu, 18 Sep 2003 at 09:08:28AM +0200, Markus Schabel wrote:
> > scp goodserver:/bin/gzip /bin/gzip
>
> NO! Since there's the chance that the server got hacked I'm not interested in giving him other passwords.
> copied from the other server via scp.

scp from the clean system into the dirty one. This way he won't get access to the clean systems because the passwd for the clean system will not be given to the dirty one.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #145: Short leg on process table
Re: Debian Stable server hacked
On Fri, 22 Aug 2003 at 10:32:27AM -0400, Matt Zimmerman wrote:
> It is often the case that the attacker doesn't know the exact location of structures in memory; there are techniques for finding out. I'm sure that the authors of PaX do not misrepresent it as complete protection. It's pointless to argue about it; it's clear that PaX provides some value in protection against security vulnerabilities, and I think it's also clear that because it will break many existing applications, it is not suitable for use by default. But there is no reason why a PaX-enabled kernel could not be provided as an option. All it needs is someone willing to do the work (hint, hint).

I would be willing to maintain a grsec kernel image with PaX and temp. file symlink blocking if someone would be willing to sponsor it (hint, hint)

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #100: We just switched to FDDI.