Re: Debian Investigation Report after Server Compromises

2003-12-10 Thread Mike Mueller
On Monday 08 December 2003 18:20, Colin Watson wrote: You can go further by requiring physical presentation of smartcards or similar in order to use the key, which is less convenient but makes a passphrase more or less useless on its own. Aren't smartcards similar to dongles in some respects?

Re: Debian Investigation Report after Server Compromises

2003-12-10 Thread Colin Watson
On Wed, Dec 10, 2003 at 11:35:12AM -0500, Mike Mueller wrote: On Monday 08 December 2003 18:20, Colin Watson wrote: You can go further by requiring physical presentation of smartcards or similar in order to use the key, which is less convenient but makes a passphrase more or less useless on

Re: Debian Investigation Report after Server Compromises

2003-12-09 Thread Colin Watson
On Mon, Dec 08, 2003 at 05:25:38PM -0800, Karsten M. Self wrote: on Mon, Dec 08, 2003 at 11:13:07PM +, Colin Watson ([EMAIL PROTECTED]) wrote: My understanding is that the developer's account on the machine in question had been disused for some time, and that the machine wasn't very

Re: Debian Investigation Report after Server Compromises

2003-12-09 Thread Karsten M. Self
on Tue, Dec 09, 2003 at 02:03:43PM +, Colin Watson ([EMAIL PROTECTED]) wrote: On Mon, Dec 08, 2003 at 05:25:38PM -0800, Karsten M. Self wrote: on Mon, Dec 08, 2003 at 11:13:07PM +, Colin Watson ([EMAIL PROTECTED]) wrote: My understanding is that the developer's account on the machine

Re: Debian Investigation Report after Server Compromises

2003-12-08 Thread Colin Watson
On Wed, Dec 03, 2003 at 06:08:54PM -0700, Monique Y. Herman wrote: After reading a few more responses, I realize that of course a debian developer's machine could get compromised. I guess I just thought they were infallible *grin* Now, the real question is, what exploit was used to get onto

Re: Debian Investigation Report after Server Compromises

2003-12-08 Thread Colin Watson
On Wed, Dec 03, 2003 at 09:46:21PM -0500, Carl Fink wrote: On Wed, Dec 03, 2003 at 05:52:30PM -0800, Vineet Kumar wrote: I'm considering keeping my private keys (ssh, gpg, etc) on removable storage, maybe one of those USB keys (then my keys could actually go on my keyring...). It's

Re: Debian Investigation Report after Server Compromises

2003-12-08 Thread Karsten M. Self
on Mon, Dec 08, 2003 at 11:13:07PM +, Colin Watson ([EMAIL PROTECTED]) wrote: On Wed, Dec 03, 2003 at 06:08:54PM -0700, Monique Y. Herman wrote: After reading a few more responses, I realize that of course a debian developer's machine could get compromised. I guess I just thought they

fingerprints Re: Debian Investigation Report after Server Compromises

2003-12-08 Thread Alvin Oga
On Mon, 8 Dec 2003, Colin Watson wrote: What you'd actually want is hardware that stores the keys and does the signing and decryption for you, but refuses to expose the private key material itself to the host. Then, while a cracker could sniff your passphrase, the key itself would still be

Re: fingerprints Re: Debian Investigation Report after Server Compromises

2003-12-08 Thread Roberto Sanchez
Alvin Oga wrote: [SNIP] you can also use a [warm blooded] fingerprint scanner ... since smartcards can be lost .. - but if you lose your finger or you lose your fingerprint on a glass with fingerprint stealing glue, you're in deep kaka

Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)

2003-12-07 Thread Florian Ernst
Hello Benedict! On Sun, Dec 07, 2003 at 03:15:22AM +0100, Benedict Verheyen wrote: I found a mail on the developers mailing list that shows how to make an initrd without the cramfs patch. One can use the following in the mkinitrd.conf file: MKIMAGE=genromfs -d %s -f %s This would mean that

Re: Debian Investigation Report after Server Compromises

2003-12-06 Thread Hoyt Bailey
- Original Message - From: csj [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, December 05, 2003 07:56 Subject: Re: Debian Investigation Report after Server Compromises On 4. December 2003 at 3:22PM -0600, Hoyt Bailey [EMAIL PROTECTED] wrote: From: csj [EMAIL PROTECTED

Re: Debian Investigation Report after Server Compromises

2003-12-06 Thread Hoyt Bailey
- Original Message - From: Hugo Vanwoerkom [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, December 05, 2003 12:47 Subject: Re: Debian Investigation Report after Server Compromises Hoyt Bailey wrote: - Original Message - From: csj [EMAIL PROTECTED] To: [EMAIL

Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)

2003-12-06 Thread Benedict Verheyen
- Original Message - From: Florian Ernst [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, December 04, 2003 11:37 AM Subject: Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises) Hello Benedict! On Thu, Dec 04, 2003 at 12:06:35AM +0100, Benedict

fast - Re: Debian Investigation Report after Server Compromises

2003-12-05 Thread Alvin Oga
On Thu, 4 Dec 2003, csj wrote: Now I'm curious: is it possible to get rooted while on dialup? fastest breakin i know about took about 15 seconds for them (the crackers) to get in and play with that new box ... once that machine went online ... they were already cracked and had to reinstall

Re: Debian Investigation Report after Server Compromises

2003-12-05 Thread csj
On 4. December 2003 at 3:22PM -0600, Hoyt Bailey [EMAIL PROTECTED] wrote: From: csj [EMAIL PROTECTED] [...] Now I'm curious: is it possible to get rooted while on dialup? I'm thinking of a user with access to a slow but dirt cheap dialup connection and so is online for significant

Re: Debian Investigation Report after Server Compromises

2003-12-05 Thread Hugo Vanwoerkom
Hoyt Bailey wrote: - Original Message - From: csj [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 22:40 Subject: Re: Debian Investigation Report after Server Compromises On 3. December 2003 at 5:52PM -0800, Vineet Kumar [EMAIL PROTECTED] wrote: * Monique Y

Re: Debian Investigation Report after Server Compromises

2003-12-05 Thread Paul Morgan
On Thu, 04 Dec 2003 18:05:15 -0800, Vineet Kumar wrote: * Paul Morgan ([EMAIL PROTECTED]) [031204 12:32]: I have all services locked down to localhost; my only connections to the outside world are mail, news via nntpcached, web via squid... I run Apache but it too is locked down to localhost.

Re: Debian Investigation Report after Server Compromises

2003-12-05 Thread Vineet Kumar
* Paul Morgan ([EMAIL PROTECTED]) [031205 14:24]: On Thu, 04 Dec 2003 18:05:15 -0800, Vineet Kumar wrote: * Paul Morgan ([EMAIL PROTECTED]) [031204 12:32]: I have all services locked down to localhost; my only connections to the outside world are mail, news via nntpcached, web via

Re: Debian Investigation Report after Server Compromises

2003-12-05 Thread Paul Morgan
On Fri, 05 Dec 2003 16:28:06 -0800, Vineet Kumar wrote: * Paul Morgan ([EMAIL PROTECTED]) [031205 14:24]: On Thu, 04 Dec 2003 18:05:15 -0800, Vineet Kumar wrote: * Paul Morgan ([EMAIL PROTECTED]) [031204 12:32]: I have all services locked down to localhost; my only connections to the

Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)

2003-12-04 Thread Florian Ernst
Hello Benedict! On Thu, Dec 04, 2003 at 12:06:35AM +0100, Benedict Verheyen wrote: Heh. Then it's kind of logical that i don't find any package ;) Well, It's simply that I don't know about a place for downloading it, but this doesn't necessarily mean there isn't any... ;) It's indeed mentioned

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread Karsten M. Self
on Wed, Dec 03, 2003 at 10:33:34AM -0700, Dr. MacQuigg ([EMAIL PROTECTED]) wrote: After reading the report at http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html and following this newsgroup discussion, I have some very basic questions: 1) What is a sniffed

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread Dave
Sorry for the duplicate post. The first one did not appear for a long time, and I assumed it was because I used the wrong email address. -- Dave

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread Isaac To
Paul == Paul Morgan [EMAIL PROTECTED] writes: Paul With regard to your question 3, a buffer overflow exploit is Paul always a stack exploit and is designed to execute arbitrary code Paul with the called program's privilege. But this time it is an integer overflow, not a buffer

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread Isaac To
Isaac == Isaac To [EMAIL PROTECTED] writes: Paul == Paul Morgan [EMAIL PROTECTED] writes: Paul With regard to your question 3, a buffer overflow exploit is Paul always a stack exploit and is designed to execute arbitrary code Paul with the called program's privilege. Isaac But

Re: keys - Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread John Hasler
i never did understand why, people wanna run rootkits once they got in Usually they want to use the rooted machine to send spam, run DoS bots, or to cover their trail while cracking other, more interesting machines. I agree that when cracking a DD's machine in order to get his Debian password

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread csj
On 3. December 2003 at 5:52PM -0800, Vineet Kumar [EMAIL PROTECTED] wrote: * Monique Y. Herman ([EMAIL PROTECTED]) [031203 16:59]: I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it encrypted? I suppose some debian developer's kid

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread Tom
On Thu, Dec 04, 2003 at 12:40:42PM +0800, csj wrote: Now I'm curious: is it possible to get rooted while on dialup? Sure. An ip address is an ip address. It's just slower.

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread John Hasler
csj writes: Now I'm curious: is it possible to get rooted while on dialup? Of course. It's a little harder because the dialup gets a different IP number on each connection, but not impossible. Dialups are rarely attacked because they are uninteresting to most crackers due to their slow speed

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread Vineet Kumar
* csj ([EMAIL PROTECTED]) [031204 08:37]: On 3. December 2003 at 5:52PM -0800, Vineet Kumar [EMAIL PROTECTED] wrote: * Monique Y. Herman ([EMAIL PROTECTED]) [031203 16:59]: I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread Paul Johnson
On Thu, Dec 04, 2003 at 12:40:42PM +0800, csj wrote: Now I'm curious: is it possible to get rooted while on dialup? Yes. However, being on dialup adds some additional difficulties for an attacker: 1) Most dialup systems have big, dynamic pools

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread Paul Morgan
On Wed, 03 Dec 2003 21:46:21 -0500, Carl Fink wrote: If the system is rooted, it would be trivial to write a replacement for ssh (GPG, etc.) that copies your private keys onto the hard drive for later retrieval. Definition of trivial is: I, a bad programmer, could do it. Well bad in this

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread Hoyt Bailey
- Original Message - From: csj [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 22:40 Subject: Re: Debian Investigation Report after Server Compromises On 3. December 2003 at 5:52PM -0800, Vineet Kumar [EMAIL PROTECTED] wrote: * Monique Y. Herman ([EMAIL

Re: Debian Investigation Report after Server Compromises

2003-12-04 Thread Vineet Kumar
* Paul Morgan ([EMAIL PROTECTED]) [031204 12:32]: I have all services locked down to localhost; my only connections to the outside world are mail, news via nntpcached, web via squid... I run Apache but it too is locked down to localhost. My mail is run through my this ... ISP's

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Paul Johnson
On Tue, Dec 02, 2003 at 04:11:33PM -0500, Paul Morgan wrote: There is always a conflict between security and openness. MS's approach has always been not to say anything until a fix has been propagated; they are often criticized for that, but I'm

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Paul Johnson
On Tue, Dec 02, 2003 at 04:16:44PM -0500, Greg Folkert wrote: On Tue, 2003-12-02 at 14:12, Alex Malinovich wrote: I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Paul Johnson
On Tue, Dec 02, 2003 at 09:41:15PM +, Oliver Elphick wrote: Because there will be lots of people who haven't yet had the chance to upgrade. They won't thank us for making an exploit available to every would-be cracker. Why should we cater to

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Paul Johnson
On Tue, Dec 02, 2003 at 06:17:44PM -0500, Paul Morgan wrote: It would be a lot less stable and secure if debian started publishing exploits. The announcement explains quite clearly what happened and how to protect your system. Why does BugTraq do

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Oliver Elphick
On Wed, 2003-12-03 at 07:04, Paul Johnson wrote: On Tue, Dec 02, 2003 at 09:41:15PM +, Oliver Elphick wrote: Because there will be lots of people who haven't yet had the chance to upgrade. They won't thank us for making an exploit

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Robert L. Harris
Hmmm. A friend of mine works at a company with over 500 machines in the field. Many of them are customer facing. There are more than 1 configuration on the servers. He has to compile each config and run it through a dev/test and a full regression before he can update any production

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Greg Folkert
On Wed, 2003-12-03 at 02:03, Paul Johnson wrote: On Tue, Dec 02, 2003 at 04:16:44PM -0500, Greg Folkert wrote: On Tue, 2003-12-02 at 14:12, Alex Malinovich wrote: I'm afraid I'm part of the group that just doesn't understand. This snippet

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Paul Johnson
On Wed, Dec 03, 2003 at 09:16:15AM -0500, Greg Folkert wrote: On Wed, 2003-12-03 at 02:03, Paul Johnson wrote: On Tue, Dec 02, 2003 at 04:16:44PM -0500, Greg Folkert wrote: On Tue, 2003-12-02 at 14:12, Alex Malinovich wrote: I'm afraid I'm

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Greg Folkert
On Wed, 2003-12-03 at 02:04, Paul Johnson wrote: On Tue, Dec 02, 2003 at 09:41:15PM +, Oliver Elphick wrote: Because there will be lots of people who haven't yet had the chance to upgrade. They won't thank us for making an exploit

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Greg Folkert
On Wed, 2003-12-03 at 02:08, Paul Johnson wrote: On Tue, Dec 02, 2003 at 06:17:44PM -0500, Paul Morgan wrote: It would be a lot less stable and secure if debian started publishing exploits. The announcement explains quite clearly what

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Karsten M. Self
on Wed, Dec 03, 2003 at 09:16:15AM -0500, Greg Folkert ([EMAIL PROTECTED]) wrote: On Wed, 2003-12-03 at 02:03, Paul Johnson wrote: On Tue, Dec 02, 2003 at 04:16:44PM -0500, Greg Folkert wrote: On Tue, 2003-12-02 at 14:12, Alex Malinovich

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Karsten M. Self
on Tue, Dec 02, 2003 at 01:12:40PM -0600, Alex Malinovich ([EMAIL PROTECTED]) wrote: On Tue, 2003-12-02 at 11:31, Greg Folkert wrote: Shoulda Been: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html What a wanker I am. No, Peter no comment needed. Thanks for the

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Karsten M. Self
on Tue, Dec 02, 2003 at 11:08:07PM -0800, Paul Johnson ([EMAIL PROTECTED]) wrote: On Tue, Dec 02, 2003 at 06:17:44PM -0500, Paul Morgan wrote: It would be a lot less stable and secure if debian started publishing exploits. The announcement explains quite clearly what happened and how to

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Benedict Verheyen
I'm one of those who's got all his systems on safe kernels, even if this means I don't have full use. NICs on one box aren't supported by 2.4.18, and building 2.4.23 is turning into a bitch. Is there a page anywhere (if not, there should be one) or info on what type of patches are added to a

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Florian Ernst
Hello Benedict! On Wed, Dec 03, 2003 at 04:25:21PM +0100, Benedict Verheyen wrote: Is there a page anywhere (if not, there should be one) or info on what type of patches are added to a debianized kernel and where to find them. I don't know about a page, but I find a long list in

The lost cramfs patch (was: Debian Investigation Report after Server Compromises)

2003-12-03 Thread Benedict Verheyen
Original Message - From: Florian Ernst [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 5:31 PM Subject: Re: Debian Investigation Report after Server Compromises Hello Benedict! On Wed, Dec 03, 2003 at 04:25:21PM +0100, Benedict Verheyen wrote: Is there a page

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Paul Morgan
On Tue, 02 Dec 2003 23:08:07 -0800, Paul Johnson wrote: On Tue, Dec 02, 2003 at 06:17:44PM -0500, Paul Morgan wrote: It would be a lot less stable and secure if debian started publishing exploits. The announcement explains quite clearly what

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Paul Morgan
On Wed, 03 Dec 2003 09:57:55 +, Oliver Elphick wrote: Suppose I go off for two weeks holiday? I'm the only one who can change my system's kernel, but I leave it on because it is the gateway for everyone else. The day after I leave, some idiot publishes details of this exploit and for

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Paul Morgan
On Tue, 02 Dec 2003 23:01:43 -0800, Paul Johnson wrote: On Tue, Dec 02, 2003 at 04:11:33PM -0500, Paul Morgan wrote: There is always a conflict between security and openness. MS's approach has always been not to say anything until a fix has

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Vineet Kumar
* Paul Johnson ([EMAIL PROTECTED]) [031202 23:01]: On Tue, Dec 02, 2003 at 04:11:33PM -0500, Paul Morgan wrote: There is always a conflict between security and openness. MS's approach has always been not to say anything until a fix has been propagated; they are often criticized for that,

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Paul Morgan
On Wed, 03 Dec 2003 16:25:21 +0100, Benedict Verheyen wrote: I'm one of those who's got all his systems on safe kernels, even if this means I don't have full use. NICs on one box aren't supported by 2.4.18, and building 2.4.23 is turning into a bitch. Is there a page anywhere (if not,

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Dr. MacQuigg
After reading the report at http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html and following this newsgroup discussion, I have some very basic questions: 1) What is a sniffed password, and how do they know the attacker used a password that was sniffed, rather than just

Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)

2003-12-03 Thread Florian Ernst
Hello Benedict! On Wed, Dec 03, 2003 at 08:08:05PM +0100, Benedict Verheyen wrote: So: Where is this patch hiding and how can you get it? I don't know about a place where you could download it from, but you can easily extract it from init/do_mounts.c from your Debian kernel-sources, just take

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Benedict Verheyen
- Original Message - From: Paul Morgan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 6:01 PM Subject: Re: Debian Investigation Report after Server Compromises On Wed, 03 Dec 2003 16:25:21 +0100, Benedict Verheyen wrote: I'm one of those who's got all his

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Alex Malinovich
On Wed, 2003-12-03 at 11:33, Dr. MacQuigg wrote: After reading the report at http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html and following this newsgroup discussion, I have some very basic questions: 1) What is a sniffed password, and how do they know the

Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises)

2003-12-03 Thread Benedict Verheyen
- Original Message - From: Florian Ernst [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 11:13 PM Subject: Re: The lost cramfs patch (was: Debian Investigation Report after Server Compromises) Hello Benedict! On Wed, Dec 03, 2003 at 08:08:05PM +0100, Benedict

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread David Z Maze
(Not speaking for Debian at all.) Dr. MacQuigg [EMAIL PROTECTED] writes: 1) What is a sniffed password, and how do they know the attacker used a password that was sniffed, rather than just stolen out of someone's notebook? It sounds like someone's personal machine got broken into, and a

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread John Hasler
Dr. MacQuigg writes: What is a sniffed password A password gotten by reading each character as it is typed on the keyboard or by intercepting an unencrypted transmission. In this case it was the former. ...and how do they know the attacker used a password that was sniffed, rather than just

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Dave
After reading the report at http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html and following this newsgroup discussion, I have some very basic questions: 1) What is a sniffed password, and how do they know the attacker used a password that was sniffed, rather than just

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Paul Morgan
On Wed, 03 Dec 2003 10:33:34 -0700, Dr. MacQuigg wrote: After reading the report at http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html and following this newsgroup discussion, I have some very basic questions: 1) What is a sniffed password, and how do they know

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Monique Y. Herman
On Wed, 03 Dec 2003 at 22:36 GMT, Alex Malinovich penned: --=-0wVW9GplMT9KFGFuBZNx Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Wed, 2003-12-03 at 11:33, Dr. MacQuigg wrote: After reading the report at=20

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Paul Johnson
On Wed, Dec 03, 2003 at 01:58:11PM -0800, Vineet Kumar wrote: Sidestepping lawsuits from a million angry customers isn't really a win. You're right. Which is why I really wish Bugtraq didn't wait around before publishing their findings. Customers

fun - Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Alvin Oga
On Wed, 3 Dec 2003, Robert L. Harris wrote: Your argument sounds like my 6yr old doing a I want it now, I don't care what your reasons are soon followed by a temper tantrum. that's normal for the grown-ups too .. just a different form of temper tantrum and usually a shorter fuse than the

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Vineet Kumar
* Monique Y. Herman ([EMAIL PROTECTED]) [031203 16:59]: I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it encrypted? I suppose some debian developer's kid sister could have installed a keystroke logger on the dev machine ... um ...

buffer-overflow pic - Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Alvin Oga
On Wed, 3 Dec 2003, John Hasler wrote: good thread john :-) How does an attacker with a user-level password gain root access? In this case by exploiting a bug in sbrk(). The kernel developers knew about the bug but did not believe it to be exploitable. They were wrong. ...how does

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Monique Y. Herman
On Wed, 03 Dec 2003 at 23:05 GMT, Monique Y. Herman penned: I have been wondering about the password-sniffing thing, too. If you send a password using ssh, isn't it encrypted? I suppose some debian developer's kid sister could have installed a keystroke logger on the dev machine ... um

kernel config -- Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Alvin Oga
hi ya benedict On Wed, 3 Dec 2003, Benedict Verheyen wrote: I'm one of those who's got all his systems on safe kernels, even if this means I don't have full use. NICs on one box aren't supported by 2.4.18, and building 2.4.23 is turning into a bitch. Is there a page anywhere (if not,

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Bijan Soleymani
Vineet Kumar [EMAIL PROTECTED] writes: BTW, Monique, your UA seems to have really screwed up on the message you replied to. Is it not MIME-aware? The reply had a quoted MIME header in it, along with a lot of non-decoded QP equals signs littered about it. I think she posts through the gmane

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Carl Fink
On Wed, Dec 03, 2003 at 05:52:30PM -0800, Vineet Kumar wrote: I'm considering keeping my private keys (ssh, gpg, etc) on removable storage, maybe one of those USB keys (then my keys could actually go on my keyring...). It's certainly not foolproof, but at least a sniffed passphrase could

keys - Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Alvin Oga
On Wed, 3 Dec 2003, Carl Fink wrote: If the system is rooted, it would be trivial to write a replacement for ssh (GPG, etc.) that copies your private keys onto the hard drive for later retrieval. Definition of trivial is: I, a bad programmer, could do it. why copy and get it later ??

Re: Debian Investigation Report after Server Compromises

2003-12-03 Thread Monique Y. Herman
On Thu, 04 Dec 2003 at 01:52 GMT, Vineet Kumar penned: BTW, Monique, your UA seems to have really screwed up on the message you replied to. Is it not MIME-aware? The reply had a quoted MIME header in it, along with a lot of non-decoded QP equals signs littered about it.

Fwd: Debian Investigation Report after Server Compromises

2003-12-02 Thread Antoni Bella Perez
I would appreciate it. ,--- Forwarded message (begin) Subject: Debian Investigation Report after Server Compromises From: Martin Schulze [EMAIL PROTECTED] Date: Tue, 02 Dec 2003 16:30:10 +0100 Newsgroup: linux.debian.announce

Debian Investigation Report after Server Compromises

2003-12-02 Thread Greg Folkert
http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian -- [EMAIL PROTECTED] REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread Greg Folkert
Shoulda Been: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html What a wanker I am. No, Peter no comment needed. On Tue, 2003-12-02 at 11:08, Greg Folkert wrote: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian -- [EMAIL PROTECTED]

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread Tom
On Tue, Dec 02, 2003 at 11:08:57AM -0500, Greg Folkert wrote: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian That's a killer incident report. I'm satisfied. Couldn't help thinking about horses and barn doors though. I expect we'll see the what next next :-)

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread Arnt Karlsen
On Tue, 02 Dec 2003 11:08:57 -0500, Greg Folkert [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian ..he meant: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html -- ..med vennlig

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread Alex Malinovich
On Tue, 2003-12-02 at 11:31, Greg Folkert wrote: Shoulda Been: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html What a wanker I am. No, Peter no comment needed. On Tue, 2003-12-02 at 11:08, Greg Folkert wrote:

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread Peter Whysall
Greg Folkert wrote: Shoulda Been: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html What a wanker I am. No, Peter no comment needed. On Tue, 2003-12-02 at 11:08, Greg Folkert wrote: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.htmlDebian :-D

RE: Debian Investigation Report after Server Compromises

2003-12-02 Thread Preston Boyington
snipped Though I am somewhat concerned about the following bit from the message: Please understand that we cannot give away the used exploit to random people who we don't know. So please don't ask us about it. I'm afraid

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread Greg Folkert
On Tue, 2003-12-02 at 14:12, Alex Malinovich wrote: On Tue, 2003-12-02 at 11:31, Greg Folkert wrote: Shoulda Been: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html What a wanker I am. No, Peter no comment needed. On Tue, 2003-12-02 at 11:08, Greg Folkert

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread Oliver Elphick
On Tue, 2003-12-02 at 19:12, Alex Malinovich wrote: I'm afraid I'm part of the group that just doesn't understand. This snippet reeks of security through obscurity for me. If the hole has been identified and, presumably, fixed, why not tell people about it? Because there will be lots of people

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread Paul Morgan
On Tue, 02 Dec 2003 13:12:40 -0600, Alex Malinovich wrote: On Tue, 2003-12-02 at 11:31, Greg Folkert wrote: Shoulda Been: http://lists.debian.org/debian-announce/debian-announce-2003/msg3.html What a wanker I am. No, Peter no comment needed. On Tue, 2003-12-02 at 11:08, Greg Folkert

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread Derrick 'dman' Hudson
On Tue, Dec 02, 2003 at 01:12:40PM -0600, Alex Malinovich wrote: | Thanks for the link. It certainly makes for interesting reading. Though | I am somewhat concerned about the following bit from the message: | | Please understand that we cannot give away the used exploit to random | people who we

RE: Debian Investigation Report after Server Compromises

2003-12-02 Thread Paul Morgan
On Tue, 02 Dec 2003 15:01:48 -0600, Preston Boyington wrote: I agree. I support and recommend Debian to my peers and clients on the basis that Debian is a stable and secure distribution. Therefore when something (such as this) happens I want to have full disclosure so I can confidently

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread John Hasler
dman writes: The only thing I have to add, apart from noting above that the exploit was divulged... The _bug_ was divulged. The exploit is so difficult that the kernel hackers didn't think the bug was exploitable. -- John Hasler [EMAIL PROTECTED] (John Hasler) Dancing Horse Hill Elmwood, WI

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread Hugo Vanwoerkom
John Hasler wrote: dman writes: The only thing I have to add, apart from noting above that the exploit was divulged... The _bug_ was divulged. The exploit is so difficult that the kernel hackers didn't think the bug was exploitable. There would seem to be a misnomer, script-kiddies can come up

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread John Hasler
Hugo writes: There would seem to be a misnomer, script-kiddies can come up with an exploit like this and still be kiddies? Script-kiddies don't come up with anything. Crackers come up with exploits and give to the kiddies to play with. -- John Hasler [EMAIL PROTECTED] (John Hasler) Dancing

Re: Debian Investigation Report after Server Compromises

2003-12-02 Thread Scott C. Linnenbringer
On Tue, Dec 02, 2003, at 15:01 -0600, Preston Boyington wrote: Though I am somewhat concerned about the following bit from the message: Please understand that we cannot give away the used exploit to random people who we don't know. So please don't ask us about it. I'm afraid I'm