Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
quote who=Rick Welykochy Adrian Chadd wrote: The trouble is that the entry barrier for coding is so low, you can code without any clue. This very issue gave rise to some heated debate over on the LINK mailing list, which some of you attend. Many of us computer professionals were peeved by this low barrier to entry into the software industry. Computer software creation is not a certified profession like engineering. There are far toomany shiesters out there peddling crap software because they can. This gives rise to many many problems in IT. Yet there are so many who go nuts when the idea of accreditation is raised. :-) [This cheap shot does not indicate my support for or against the idea!] - Jeff -- OSCON 2008: Portland OR, USA http://conferences.oreilly.com/oscon/ The GPL is good. Use it. Don't be silly. - Michael Meeks -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
On 02/06/2008, at 3:25 PM, Rev Simon Rumble wrote: This one time, at band camp, Daniel Pittman wrote: [2] formmail. I say no more. Matt's Script Archive, anyone? God... no. make it stop! I was a #perl op on Efnet back in 2000/2001. The channel had officially disowned Matt and anything to do with him. The standard recommendation being Don't. Just... don't. There was even an April Fools Day patch released at some point to prevent the execution of code written by Matt Wright based on the standard copyright message he used to put in everything. I vaguely recall somebody hunting down that patch to apply it to a production Perl install. C. -- Chris Collins [EMAIL PROTECTED] -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
On Mon, Jun 02, 2008, Jeff Waugh wrote: Yet there are so many who go nuts when the idea of accreditation is raised. :-) [This cheap shot does not indicate my support for or against the idea!] Heh. They don't suspect the real issue with accreditation? That suddenly Universities will have to teach a real CompSci and Software Engineering degree, and that degree will probably be 4 or 5 years long, including internships and honours-level project (mandated like the Electronic/Electrical engineering degrees seem to here at UWA); because Writing Good Software is Hard ? Ah, if only writing software held the same risks and building bridges. :) Adrian (Who should really get a CompSci degree from a reputable CompSci university sometime.. anyone know any?) -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
This one time, at band camp, Chris Collins wrote: Matt's Script Archive, anyone? God... no. make it stop! I was a #perl op on Efnet back in 2000/2001. The channel had officially disowned Matt and anything to do with him. The standard recommendation being Don't. Just... don't. And a whole project to re-implement them properly: http://nms-cgi.sourceforge.net/ -- Rev Simon Rumble [EMAIL PROTECTED] www.rumble.net The Tourist Engineer Nerds need vacations too. http://engineer.openguides.org/ Hockey is a sport for white men. Basketball is a sport for black men. Golf is a sport for white men dressed like black pimps. - Tiger Woods -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
This one time, at band camp, Adrian Chadd wrote: Ah, if only writing software held the same risks and building bridges. :) You mean engineers don't test their newly-built bridge by driving a dozen variously-shaped vehicles across it, before opening it up to all and sundry? -- Rev Simon Rumble [EMAIL PROTECTED] www.rumble.net The Tourist Engineer Because nerds travel too. http://engineer.openguides.org/ The idea that Bill Gates has appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place. - Douglas Adams on Windows '95. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
Adrian Chadd wrote: Ah, if only writing software held the same risks and building bridges. :) It does. Here is the classic: http://en.wikipedia.org/wiki/Therac-25 http://catless.ncl.ac.uk/Risks/3.09.html This dates from way back in 1986. Mike -- Michael Lake Computational Research Centre of Expertise Science Faculty, UTS Ph: 9514 2238 -- UTS CRICOS Provider Code: 00099F DISCLAIMER: This email message and any accompanying attachments may contain confidential information. If you are not the intended recipient, do not read, use, disseminate, distribute or copy this message or attachments. If you have received this message in error, please notify the sender immediately and delete this message. Any views expressed in this message are those of the individual sender, except where the sender expressly, and with authority, states them to be the views of the University of Technology Sydney. Before opening any attachments, please check them for viruses and defects. Think. Green. Do. Please consider the environment before printing this email. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
On Mon, Jun 02, 2008, Michael Lake wrote: Adrian Chadd wrote: Ah, if only writing software held the same risks and building bridges. :) It does. Here is the classic: http://en.wikipedia.org/wiki/Therac-25 http://catless.ncl.ac.uk/Risks/3.09.html This dates from way back in 1986. Oh yes, there are specific areas like this where screwups kill people. I meant writing software in general. Adrian -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
On Mon, 2008-06-02 at 20:33 +1000, James Purser wrote: So how would you develop such a system whilst also allowing for the freedom and low barrier to entry that signifies the Free and Open Source Software movement? I expect that when regulation is forced upon us, barriers to entry iwill be the whole point/i. Unless we get in first. Will the parallel be: you get malpractice insurance, or you can have your future wages garnished forever if you get sued. Doctors have to pay their malpractice insurance to have their pro-bono work covered. I expect software folks will too. As a rough and ready idea, could this be something that OSIA could get involved with? Could OSIA be a partner in such a scheme? Or is it something that should be tackled by an independent body. I expect that OSIA *is* an independent body, at least as much as ACS is if not more so, in this context. Regards Peter Miller [EMAIL PROTECTED] /\/\*http://miller.emu.id.au/pmiller/ PGP public key ID: 1024D/D0EDB64D fingerprint = AD0A C5DF C426 4F03 5D53 2BDB 18D8 A4E2 D0ED B64D See http://www.keyserver.net or any PGP keyserver for public key. You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time. -- Bertrand Meyer signature.asc Description: This is a digitally signed message part -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
quote who=Rev Simon Rumble This one time, at band camp, Adrian Chadd wrote: Ah, if only writing software held the same risks and building bridges. :) You mean engineers don't test their newly-built bridge by driving a dozen variously-shaped vehicles across it, before opening it up to all and sundry? No way dude, they drive a dozen variously-shaped vehicles into the harbour, then build out the sides of the bridge until the cars stop falling off! TDD for the win! - Jeff -- OSCON 2008: Portland OR, USA http://conferences.oreilly.com/oscon/ Maybe you should put some shorts on or something, if you want to keep fighting evil today. - The Bowler, Mystery Men -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] upgrading complicated installs
On Mon, 2008-06-02 at 10:06 +0800, jam wrote: Frankly, no one I know, has ever had, or knows someone who has ever had a compromised linux box. Frankly I doubt if all of SLUG ever has ... Here compromised means: someone has taken control of the machine and is using it for some nepharious purpose eg spam DoS etc I have had to clean up such an infestation in my career. An entire Unix-based computing facility was compromised. Basically it was because the lunatics were running the asylum. Regards Peter Miller [EMAIL PROTECTED] /\/\*http://miller.emu.id.au/pmiller/ PGP public key ID: 1024D/D0EDB64D fingerprint = AD0A C5DF C426 4F03 5D53 2BDB 18D8 A4E2 D0ED B64D See http://www.keyserver.net or any PGP keyserver for public key. Once you change how you think it makes sense. -- Final Cut Pro easter egg signature.asc Description: This is a digitally signed message part -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
On Mon, 2008-06-02 at 20:21 +1000, Peter Miller wrote: On Mon, 2008-06-02 at 16:31 +1000, Jeff Waugh wrote: Yet there are so many who go nuts when the idea of accreditation is raised. :-) [This cheap shot does not indicate my support for or against the idea!] As a profession, we have two choices: 1. start licensing and accrediting ourselves, with a structure we can live with, OR 2. wait for Some Really Bad Shit to happen, with a software defect as the root cause, and have the politicians force something upon us... something baroque, bureaucratic and onerous. I know which I would prefer. So how would you develop such a system whilst also allowing for the freedom and low barrier to entry that signifies the Free and Open Source Software movement? This was going to be the biggest problem with the ACS proposal, in that there hadn't at the time been any thought of how those in the FOSS world who may not be cert or degree qualified but were equally skilled and knowledgable could partake. I'm not saying that there isn't room for a certification/accreditation type scheme, especially within the big corp and government sectors, I'm just curious as to how it could be done. As a rough and ready idea, could this be something that OSIA could get involved with? Could OSIA be a partner in such a scheme? Or is it something that should be tackled by an independent body. -- James Purser http://jamespurser.com.au Mob: 0406 576 553 Ph: +61 2 8210 6725 Skype: purserj1977 signature.asc Description: This is a digitally signed message part -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Re: slug Digest, Vol 29, Issue 5
I had the pleasure some years ago of a cracker gaining access to a Linux box on my work Network running SME Server. I am a lawyer, not a software professional, though computers have been an enjoyable hobby for me since my late teens, and I have administered our work network and a number of others for some years. I have read this thread with some discomfort. Though I would like to think I am reasonably well informed I am very conscious that there is a great deal I do not know. The compromise occurred over the Christmas/New Year period when I was interstate. The server had ssh access enabled via password entry and fell victim to a brute force password attack. Fortunately I had software installed which alerted me to the problems. I was particularly fortunate in that I was able to shut down access whilst the cracker was logged-in, and the activities were clearly shown in the log files. I took copies of the logs and shut down the machine, then took it off the network and did a more thorough review on my return to Sydney. Needless to say, even though I was fairly confident that I had traced all of the nefarious activities I did a complete reinstall of the whole system. I also made some substantial changes to the way the network was set up, including ssh access. I learnt some valuable lessons. I was doing quite a few things well, and was thus able to detect the compromise quickly. But I was also doing a number of things wrong, including allowing external ssh login by password. (But I also noted with interest the recent bug in Debian systems when generating keys, which would have made even this method insecure on these boxes). My point is that these things do happen. The server was a private one, and was not hosting any external services other than email and ssh. I still do not know how the attacker located the machine. I presume it was probably through a port scan which may have taken place some time before. It is a big mistake to believe that these problems are limited to Windows machines. If you are running Linux servers particularly you need to take this type of problem very seriously. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
On Mon, 2008-06-02 at 16:31 +1000, Jeff Waugh wrote: Yet there are so many who go nuts when the idea of accreditation is raised. :-) [This cheap shot does not indicate my support for or against the idea!] As a profession, we have two choices: 1. start licensing and accrediting ourselves, with a structure we can live with, OR 2. wait for Some Really Bad Shit to happen, with a software defect as the root cause, and have the politicians force something upon us... something baroque, bureaucratic and onerous. I know which I would prefer. Regards Peter Miller [EMAIL PROTECTED] /\/\*http://miller.emu.id.au/pmiller/ PGP public key ID: 1024D/D0EDB64D fingerprint = AD0A C5DF C426 4F03 5D53 2BDB 18D8 A4E2 D0ED B64D See http://www.keyserver.net or any PGP keyserver for public key. Caffeine is the only way to make my brain run in single-threaded mode. -- David Brady signature.asc Description: This is a digitally signed message part -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
Peter Miller wrote: iwill be the whole point/i. Unless we get in first. Will the parallel be: you get malpractice insurance, or you can have your future wages garnished forever if you get sued. Doctors have to pay their malpractice insurance to have their pro-bono work covered. I expect software folks will too. Regulation won't be forced apon us. You already need to get professional indemnity to work with most govt depts. The biggest problem with software development is that any type of regulation is not going to stop people making mistakes. What is needed is better methods, tools and processes to stop errors becoming problems. I think everyone is getting mature enough to realise that this is a better way to go. The barrier of entry to software development is always going to remain low. Its going to get lower and lower as well. The horse has bolted on regulation of software producers as an industry. Regulating the individuals by means of contracts is already in place and largely works pretty well I think. I think a good combination of contracts and good practices is going to be how it is for a long time yet. The thing is, that something bad happening should be blamed not on the programmer, but on the testers, the project managers etc. Anything where something really bad is going to happen is going to be a team effort :) And software remains and should always remain as a field where accurate tests of the components and the whole can ensure correctly working functionality. Its a pretty unique thing, where you get to drive train after car after hurricane over that bridge and see what happens dave -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
On Mon, Jun 02, 2008, Peter Miller wrote: Will the parallel be: you get malpractice insurance, or you can have your future wages garnished forever if you get sued. Doctors have to pay their malpractice insurance to have their pro-bono work covered. I expect software folks will too. If the analogy holds too closely, the inability of people to start their careers in Free Software is the same: the insurance would only possible to get if you happen to be trained and accredited in the approved manner and could well depend on having prior supervised professional experience. If a world that looks anything like the medical litigation landscape happens in software, Free Software will look awfully different, that's for sure, and it likely won't have the appeal of being a good place to learn without a heavy cash investment. I think I'm on the opposite side of the fence from most people here: if the world was likely to demand that kind of quality assurance from the industry, I suspect it would have already done so in a manner impossible to ignore. I suppose a demonstration that that kind of quality is achievable for a suitable price would change things. -Mary -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
On Mon, 2 Jun 2008 at 14:59, Jason Ball [EMAIL PROTECTED] wrote: Not wishing to start an OS war, but I rarely if ever have seen a BSD or Sun box compromised. Is this due to sheer numbers of Linux and Doze? More than likely. I've seen a range of plausible reasons and hard statistics to back up Linux supporters' assertions that the frequency of compromises on Windows systems is due to far more than just its sheer install base. I'd hate to see Linux users start to solely use the 'market share' argument against other, less used, operating systems. -- Your toaster doesn't crash. Your television doesn't crash. Why should your computer? http://www.linux.org.au/linux signature.asc Description: This is a digitally signed message part. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Re: slug Digest, Vol 29, Issue 5
Darryl Barlow [EMAIL PROTECTED] writes: [...] The server had ssh access enabled via password entry and fell victim to a brute force password attack. [...] I still do not know how the attacker located the machine. I presume it was probably through a port scan which may have taken place some time before. The most likely case is that they found the machine by brute force as well; a fair proportion of hostile modern software simply picks random IP addresses and attacks them in the hope that there is something vulnerable. This has the benefit, for the attacker, of turning up things that don't get advertised, and of having a very low cost to identify targets -- especially when the economies of scale result in your large network being able to randomly scan more and more of the overall network. Regards, Daniel Sadly, the hackers these days just don't care any more. Nothing personal about it, most of the time. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Sydney Python 5th June meetup postponed... but wait theres more
Hi Python lovers, First off, many thanks to Mark Rees for doing a great job organising SyPy until now. Normally SyPy is 1st Thursday of the month but it looks like we're going to have a special talk in a couple of weeks at google so this weeks meeting has been postponed. Stay tuned. It would be great to have a 2nd talk so if you've played with something pythonic lately and want to share, send me an email. So this week instead we've been welcomed to join AJUG on this Thursday. The talk on amazon ec2 should be interesting to anyone wanting to host any kind of application server (inc django, zope) Atlassian HQ 173-185 Sussex Street (cnr Market) Sydney CBD http://maps.google.com.au/maps?q=173+Sussex+Street,+Sydney+NSW WHEN: Thursday, June 5, 6:00pm. First talk starts at 6:30pm SPEAKERS: Talk #1: Running Java web apps on Amazon Web Services Peter McKeown Talk #2: Holy Grails Mike Cannon-Brookes And then we'll file out to parking lot for a python vs java good old fashioned no weapons rumble (joking). Or we could just go to the pub. http://tech.groups.yahoo.com/group/ajug/message/7109 Dylan Jay -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
So how would you develop such a system whilst also allowing for the freedom and low barrier to entry that signifies the Free and Open Source Software movement? I expect that when regulation is forced upon us, barriers to entry iwill be the whole point/i. Unless we get in first. Will the parallel be: you get malpractice insurance, or you can have your future wages garnished forever if you get sued. Doctors have to pay their malpractice insurance to have their pro-bono work covered. I expect software folks will too. I think you miss the entire point here. Firstly how are you going to police this? expoits are found in most pieces of software daily. The problem is that software is not perfect you have one flaw that is behind the development of all software, and that is the human brain. there is a famous quote in IT and that is no one has been fired for buying Microsoft, but if you installed anything else... With the amount of Outages experienced why hasn't organisations started Class action for the total outage due to software realted issues? This is unworkable you can't do it. Firstly with issues addressing compromised boxes I squarely place the blame at the sys admin or the owner of the box regardless of their technical skills. Regular updates are part and parcel of owning a system. if your box is compromised it's your fault and no one elses. I don't care if it's linux, windows, or OSX if you installed it, it's yours to maintain thus your responsibility. Time to reclaim ownership. As a rough and ready idea, could this be something that OSIA could get involved with? Could OSIA be a partner in such a scheme? Or is it something that should be tackled by an independent body. I expect that OSIA *is* an independent body, at least as much as ACS is if not more so, in this context. roflmao -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Re: slug Digest, Vol 29, Issue 5
Quoting Darryl Barlow [EMAIL PROTECTED]: I had the pleasure some years ago of a cracker gaining access to a Linux box on my work Network running SME Server. I still do not know how the attacker located the machine. I presume it was probably through a port scan . I have seen the same thing with other installs of SME Server. The machines I saw it on were properly firewalled and not even visible. People I know have come to the conclusion that it was software already embedded within the system at distribution. It got activated in idle time. It was doing spam mass mailing. I wonder if this is what you experienced ? David -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
Adrian Chadd wrote: The trouble is that the entry barrier for coding is so low, you can code without any clue. This very issue gave rise to some heated debate over on the LINK mailing list, which some of you attend. Many of us computer professionals were peeved by this low barrier to entry into the software industry. Computer software creation is not a certified profession like engineering. There are far toomany shiesters out there peddling crap software because they can. This gives rise to many many problems in IT. I guess I am lucky enough to see the other side of the story.. both here and overseas.. When I was growing up, there wasn't enough money for university. So accreditation was frankly impossible - only open to kids with richer parents. Those more privileged than myself. Through hard work.. way more than getting a degree.. I hacked out a career in software. Against all the odds.. Living I get from it now is not too bad.. Recently, in my travels and open source exploits, I have had the privilege to help young programming hopefuls in poor countries get runs on the board to enable them to then go off and get proper paid work in their own countries. They do some coding, i pay them and give them a reference. Often they go off to bigger and better things.. It's been tremendously rewarding... I wouldn't say that the quality of these young hopefuls is any less good than a university student of the same age At the end of the day... software is judged by whether it works for the customer or not. Not whether it has a long list of accreditations. If you want to find toomany shiesters out there peddling crap... I suggest you go look in the accreditation industry is it little more than selling pretentious scout badges to detract from the quality of the software ? Seriously... how many of the worlds best open source projects are properly accredited from the start ? please... lets keep the self balancing system. David -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
At the end of the day... software is judged by whether it works for the customer or not. Not whether it has a long list of accreditations. Thats nonsense. Management will continue to buy software and force it upon their engineers and techs based on the all important characteristics of... - market hype - sales pitches - pretty colors - friendships and strategic alliances - flashy logos and websites - expensive lunches - cheapest quote If you want to find toomany shiesters out there peddling crap... I suggest you go look in the accreditation industry is it little more than selling pretentious scout badges to detract from the quality of the software ? open source software does tend to speak for itself. it will tend to get to a certain stage when it will self cleanse. Seriously... how many of the worlds best open source projects are properly accredited from the start ? The difference is, open source will tend to get better. However once you have paid for some piece of junk software - you may be stuck with it. Dean -- http://fragfest.com.au -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
On Monday 02 June 2008 21:43:25 [EMAIL PROTECTED] wrote: Yet there are so many who go nuts when the idea of accreditation is raised. :-) [This cheap shot does not indicate my support for or against the : idea!] As a profession, we have two choices: 1. start licensing and accrediting ourselves, with a structure we can live with, OR 2. wait for Some Really Bad Shit to happen, with a software defect as the root cause, and have the politicians force something upon us... something baroque, bureaucratic and onerous. I know which I would prefer. I ponder and wrestle with the issue: The uni's do not teach how to write *good* code, instead they do teach how to write robust garden code (and job preservation 'cause only *they* can read Hungerian Notation). I watched my children and their mates, all graduates of different uni's write code: creative, elegant, complicated and eshrew simple and clean. Now since the requirements for different code are different ie my daughter writes billing code for iinet: It needs to be part of a team solution, and needs to be independent of her ... I wrote the code used by PTC trains throughout NSW to read track transponders (and else where in Oz). That is very complicated signal processing, and since it is in ROM no defects are allowed (and none found in the last 10+ years) So I would (probably) never gain accreditation (Too simple, ridged, pedantic, exact) and she could never write the train transponder code (but is an ideal candidate for accreditation) She helped with the code for an olive picking robot http://tigger.ws/vtigger/main.php?g2_itemId=991 Over and over I had to redo her code as it failed simple, clean, designed-for-3-major-revisions', read as bedtime stories. So how on earth would we achieve the accreditation that meets both requirements. And if a accredited programmer stuffs up then ALL are branded. I go even further to suggest If you lean to program in basic, you are ruined as a programmer for ever applies to the current situation :-) Ponder ponder James -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
Sridhar Dhanapalan wrote: On Mon, 2 Jun 2008 at 14:59, Jason Ball [EMAIL PROTECTED] wrote: Not wishing to start an OS war, but I rarely if ever have seen a BSD or Sun box compromised. Is this due to sheer numbers of Linux and Doze? More than likely. I've seen a range of plausible reasons and hard statistics to back up Linux supporters' assertions that the frequency of compromises on Windows systems is due to far more than just its sheer install base. I'd hate to see Linux users start to solely use the 'market share' argument against other, less used, operating systems. As pointed out previously, one contributing factor to x86 Windows and Linux architectures being popular targets is that there is significant payback in writing attack software for platforms that are ubiquitous. The rarer the system, the less likely there is blackhat experience to crack it. Market share is a factor. But as we all know, a house of cards built of shakey foundations is another factor. BSD and Sun zealots do claim that their software systems are much more robust/stable than Linux and Windows. I cannot respond to that claim. Regarding your sig: Your toaster doesn't crash. Your television doesn't crash. Why should your computer? http://www.linux.org.au/linux The answer should be obvious. A dedicated computer running an appliance runs heavily tested software dedicated to one purpose and a well-known hardware set. A general purpose computer running any variety of software you install along with a conglomerate of possibly never before tried hardware suffers the combinatorial explosion of interactions and complexity that a toaster never experiences. The devil is in the detail of general-purpose vs purpose-built. cheers rick -- Rick Welykochy || Praxis Services || Internet Driving Instructor The user's going to pick dancing pigs over security every time. -- Bruce Schneier -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Re: slug Digest, Vol 29, Issue 5
[EMAIL PROTECTED] writes: Quoting Darryl Barlow [EMAIL PROTECTED]: I had the pleasure some years ago of a cracker gaining access to a Linux box on my work Network running SME Server. I still do not know how the attacker located the machine. I presume it was probably through a port scan . I have seen the same thing with other installs of SME Server. The machines I saw it on were properly firewalled and not even visible. People I know have come to the conclusion that it was software already embedded within the system at distribution. It got activated in idle time. It was doing spam mass mailing. Which release of SME Server was this? Having done some auditing, and worked with customers who ran SME Server systems for some years without incident -- but only on older versions -- I am surprised at this claim. Do you have any supporting evidence for that? Alternately, did the folks you know write this up anywhere? Regards, Daniel -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
On Tue, Jun 3, 2008 at 10:47 AM, Rick Welykochy [EMAIL PROTECTED] wrote: Sridhar Dhanapalan wrote: On Mon, 2 Jun 2008 at 14:59, Jason Ball [EMAIL PROTECTED] wrote: Not wishing to start an OS war, but I rarely if ever have seen a BSD or Sun box compromised. Is this due to sheer numbers of Linux and Doze? More than likely. I've seen a range of plausible reasons and hard statistics to back up Linux supporters' assertions that the frequency of compromises on Windows systems is due to far more than just its sheer install base. I'd hate to see Linux users start to solely use the 'market share' argument against other, less used, operating systems. As pointed out previously, one contributing factor to x86 Windows and Linux architectures being popular targets is that there is significant payback in writing attack software for platforms that are ubiquitous. The rarer the system, the less likely there is blackhat experience to crack it. Market share is a factor. But as we all know, a house of cards built of shakey foundations is another factor. BSD and Sun zealots do claim that their software systems are much more robust/stable than Linux and Windows. I cannot respond to that claim. Regarding your sig: Your toaster doesn't crash. Your television doesn't crash. Why should your computer? http://www.linux.org.au/linux The answer should be obvious. A dedicated computer running an appliance runs heavily tested software dedicated to one purpose and a well-known hardware set. A general purpose computer running any variety of software you install along with a conglomerate of possibly never before tried hardware suffers the combinatorial explosion of interactions and complexity that a toaster never experiences. The devil is in the detail of general-purpose vs purpose-built. That said, I know a great knife-related toaster bug. For some reason instead of fixing it the designers just added warnings to the user manual saying don't use this combination of inputs. Sam -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
I have often found that feeding the output of the toaster, back into the toaster demonstrates an overflow bug, requiring opening all of the windows and doors. On Tue, Jun 3, 2008 at 10:53 AM, Sam Gentle [EMAIL PROTECTED] wrote: On Tue, Jun 3, 2008 at 10:47 AM, Rick Welykochy [EMAIL PROTECTED] wrote: Sridhar Dhanapalan wrote: On Mon, 2 Jun 2008 at 14:59, Jason Ball [EMAIL PROTECTED] wrote: Not wishing to start an OS war, but I rarely if ever have seen a BSD or Sun box compromised. Is this due to sheer numbers of Linux and Doze? More than likely. I've seen a range of plausible reasons and hard statistics to back up Linux supporters' assertions that the frequency of compromises on Windows systems is due to far more than just its sheer install base. I'd hate to see Linux users start to solely use the 'market share' argument against other, less used, operating systems. As pointed out previously, one contributing factor to x86 Windows and Linux architectures being popular targets is that there is significant payback in writing attack software for platforms that are ubiquitous. The rarer the system, the less likely there is blackhat experience to crack it. Market share is a factor. But as we all know, a house of cards built of shakey foundations is another factor. BSD and Sun zealots do claim that their software systems are much more robust/stable than Linux and Windows. I cannot respond to that claim. Regarding your sig: Your toaster doesn't crash. Your television doesn't crash. Why should your computer? http://www.linux.org.au/linux The answer should be obvious. A dedicated computer running an appliance runs heavily tested software dedicated to one purpose and a well-known hardware set. A general purpose computer running any variety of software you install along with a conglomerate of possibly never before tried hardware suffers the combinatorial explosion of interactions and complexity that a toaster never experiences. The devil is in the detail of general-purpose vs purpose-built. That said, I know a great knife-related toaster bug. For some reason instead of fixing it the designers just added warnings to the user manual saying don't use this combination of inputs. Sam -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html -- Regards, Martin Martin Visser -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
Martin Visser wrote: I have often found that feeding the output of the toaster, back into the toaster demonstrates an overflow bug, requiring opening all of the windows and doors. Funny that. And I have found that feeding the output of Windows back into Windows often results in toast! cheers rickw -- Rick Welykochy || Praxis Services || Internet Driving Instructor The user's going to pick dancing pigs over security every time. -- Bruce Schneier -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Re: slug Digest, Vol 29, Issue 5
Quoting Daniel Pittman [EMAIL PROTECTED]: Which release of SME Server was this? Having done some auditing, and worked with customers who ran SME Server systems for some years without incident -- but only on older versions -- I am surprised at this claim. It is some years ago now... As I recall the older versions didn't seem to have the problem. I only found the problem with the 'last two' versions... whatever numbers they were.. sorry can't remember. Do you have any supporting evidence for that? Alternately, did the folks you know write this up anywhere? We weren't able to track down the exact process that was doing the sending... Every time you touched the mouse.. or keyed 'ps ax' the sending seemed to stop. When it was spamming, we got disconnection threats from our isp... We noticed that if the machine was totally isolated to the local network it didn't send anything. If it had internet access then it would spam. I'm very certain that if one were to install it fresh from CD on a fresh machine it would start spamming again. The rogue code (I think) would still be there. These are just my opinions... i don't have any logs or enough evidence to catch it quite frankly it was too clever for me. David -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs
On Tuesday 03 June 2008 08:50:26 [EMAIL PROTECTED] wrote: [...] The server had ssh access enabled via password entry and fell victim to a brute force password attack. [...] I still do not know how the attacker located the machine. I presume it was probably through a port scan which may have taken place some time before. The most likely case is that they found the machine by brute force as well; a fair proportion of hostile modern software simply picks random IP addresses and attacks them in the hope that there is something vulnerable. This has the benefit, for the attacker, of turning up things that don't get advertised, and of having a very low cost to identify targets -- especially when the economies of scale result in your large network being able to randomly scan more and more of the overall network. First thanks to everyone who contributed to this interesting thread :-) Some (and this is critique :-) not criticism) had credible offers eg Mary and turning sendmail into an open relay, but many just had a BadThing happen. Daniel talks about 'brute forcing' a password: say [EMAIL PROTECTED]*()_/?] and 6 chars passwords 6**70 umm 70 * log (2) and 10**8 brute forces / sec thats 10 to the power 60 secs! Sorry the universe went flat. The the famous Win Mac Linux security shoot off: Win and Mac broken but no body wanted the $10,000 and Sony Viao for breaking the linux box. H. James -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs
quote who=jam The the famous Win Mac Linux security shoot off: Win and Mac broken but no body wanted the $10,000 and Sony Viao for breaking the linux box. H. These events are more about reputation and strutting than money. Reckon that cracking into a Linux machine is going to do more for your rep than finding a seriously scary and damaging vector into a Mac or Windows machine? That's what those dudes were after (and found). - Jeff -- GUADEC 2008: Istanbul, Turkey http://www.guadec.org/ The Unix Way: Everything is a file. The Linux Way: Everything is a filesystem. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs
jam wrote: Daniel talks about 'brute forcing' a password: say [EMAIL PROTECTED]*()_/?] and 6 chars passwords 6**70 umm 70 * log (2) and 10**8 brute forces / sec thats 10 to the power 60 secs! Sorry the universe went flat. Or collapsed to a singularity. As Bruce Schneier points out here: http://www.schneier.com/blog/archives/2007/01/choosing_secure.html most passwords are much more limited in variety than the 6**70 in your estimate. That article discusses offline password cracking, but many of the points he raises apply to online password cracking. * a surpiring number of admins leave the password unchanged as installed out of the box * there are passwords out there that are simply 'password' And, When attacking programs with deliberately slow ramp-ups, it's important to make every guess count. A simple six-character lowercase exhaustive character attack, aa through zz, has more than 308 million combinations. And it's generally unproductive, because the program spends most of its time testing improbable passwords like pqzrwj. According to Eric Thompson of AccessData, a typical password consists of a root plus an appendage. A root isn't necessarily a dictionary word, but it's something pronounceable. An appendage is either a suffix (90 percent of the time) or a prefix (10 percent of the time). So the first attack PRTK performs is to test a dictionary of about 1,000 common passwords, things like letmein, password, 123456 and so on. Then it tests them each with about 100 common suffix appendages: 1, 4u, 69, abc, ! and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations. I am running a server that was getting heaps of password cracking attempts on SSH port 22. Since changing the port, the attempts have stopped. cheers rickw -- Rick Welykochy || Praxis Services || Internet Driving Instructor The user's going to pick dancing pigs over security every time. -- Bruce Schneier -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs
jam wrote: First thanks to everyone who contributed to this interesting thread :-) Isn't it about time this opinionboring/opinion thread went onto slug-chat? :-) -- Sonia Hamilton. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Re: slug Digest, Vol 29, Issue 5
[EMAIL PROTECTED] writes: Quoting Daniel Pittman [EMAIL PROTECTED]: Which release of SME Server was this? Having done some auditing, and worked with customers who ran SME Server systems for some years without incident -- but only on older versions -- I am surprised at this claim. It is some years ago now... As I recall the older versions didn't seem to have the problem. I only found the problem with the 'last two' versions... whatever numbers they were.. sorry can't remember. No worries. Do you have any supporting evidence for that? Alternately, did the folks you know write this up anywhere? We weren't able to track down the exact process that was doing the sending... Every time you touched the mouse.. or keyed 'ps ax' the sending seemed to stop. When it was spamming, we got disconnection threats from our isp... I'm very certain that if one were to install it fresh from CD on a fresh machine it would start spamming again. The rogue code (I think) would still be there. Well, I certainly never observed that, and would be surprised if there had been rogue code along those lines in there -- even after the product ended up mostly unmaintained in the hands of the community. Regards, Daniel -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs
On Tue, Jun 03, 2008, Sonia Hamilton wrote: jam wrote: First thanks to everyone who contributed to this interesting thread :-) Isn't it about time this opinion boring/opinion thread went onto slug-chat? There's probably additional boredom to be had in saying which bits of it, but in terms of on-topicness: - details of how to compromise a Linux machine, how not to, and whether we know of it being done are probably on topic here, regardless of whether they're particularly interesting - the accreditation discussion is off-topic according to http://www.slug.org.au/mailinglists.html except for the minor side-thread about how it would affect FOSS development: The main discussion list, slug@slug.org.au, is where all the discussion goes on. Everything related to installing, maintaining, developing on Linux or Free/Open Source Software is on topic for this list... -Mary -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs
I am running a server that was getting heaps of password cracking attempts on SSH port 22. Since changing the port, the attempts have stopped. Denyhosts is a great daemon/cronscript that will manage hosts.allow for your ssh server. you can set thresholds and instant triggers etc which will result in that ip being blocked. Also, you could turn off password auth and just use keys. Dean -- http://fragfest.com.au -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Spider a website
You could use wget to do this, it's installed on most distributions by default. Usually you'd run it like this: wget --mirror -np http://some.url/ (the -np tells it not to recurse up to the parent, which is useful if you only want to mirror a subdirectory. I add it on out of habit.) It's not always perfect however, as it can sometimes mess the URLs up, but it's worth a try anyway. On 03/06/2008, at 2:20 PM, Peter Rundle wrote: I'm looking for some recommendations for a *simple* Linux based tool to spider a web site and pull the content back into plain html files, images, js, css etc. I have a site written in PHP which needs to be hosted temporarily on a server which is incapable (read only does static content). This is not a problem from a temp presentation point of view as the default values for each page will suffice. So I'm just looking for a tool which will quickly pull the real site (on my home php capable server) into a directory that I can zip and send to the internet addressable server. I know there's a lot of code out there, I'm asking for recommendations. TIA's Pete -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Spider a website
Excerpts from Peter Rundle's message of Tue Jun 03 14:20:08 +1000 2008: I'm looking for some recommendations for a *simple* Linux based tool to spider a web site and pull the content back into plain html files, images, js, css etc. I have a site written in PHP which needs to be hosted temporarily on a server which is incapable (read only does static content). This is not a problem from a temp presentation point of view as the default values for each page will suffice. So I'm just looking for a tool which will quickly pull the real site (on my home php capable server) into a directory that I can zip and send to the internet addressable server. I know there's a lot of code out there, I'm asking for recommendations. wget can do that. Use the recurse option. rgh TIA's Pete -- +61 (0) 410 646 369 [EMAIL PROTECTED] You're worried criminals will continue to penetrate into cyberspace, and I'm worried complexity, poor design and mismanagement will be there to meet them - Marcus Ranum -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Spider a website
On Tue, Jun 3, 2008 at 2:20 PM, Peter Rundle [EMAIL PROTECTED] wrote: I'm looking for some recommendations for a *simple* Linux based tool to spider a web site and pull the content back into plain html files, images, js, css etc. I have a site written in PHP which needs to be hosted temporarily on a server which is incapable (read only does static content). This is not a problem from a temp presentation point of view as the default values for each page will suffice. So I'm just looking for a tool which will quickly pull the real site (on my home php capable server) into a directory that I can zip and send to the internet addressable server. I know there's a lot of code out there, I'm asking for recommendations. I'd use 'wget'. From what you describe, 'wget -r' should be very close to what you want. Consult the manpage for details about fiddling with links etc. jml -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Spider a website
On Tue, 2008-06-03 at 14:20 +1000, Peter Rundle wrote: I'm looking for some recommendations for a *simple* Linux based tool to spider a web site and pull the content back into plain html files, images, js, css etc. I have a site written in PHP which needs to be hosted temporarily on a server which is incapable (read only does static content). This is not a problem from a temp presentation point of view as the default values for each page will suffice. So I'm just looking for a tool which will quickly pull the real site (on my home php capable server) into a directory that I can zip and send to the internet addressable server. I know there's a lot of code out there, I'm asking for recommendations. wget :) -Rob -- GPG key available at: http://www.robertcollins.net/keys.txt. signature.asc Description: This is a digitally signed message part -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Spider a website
I'm looking for some recommendations for a *simple* Linux based tool to spider a web site and pull the content back into plain html files, images, js, css etc. I have a site written in PHP which needs to be hosted temporarily on a server which is incapable (read only does static content). This is not a problem from a temp presentation point of view as the default values for each page will suffice. So I'm just looking for a tool which will quickly pull the real site (on my home php capable server) into a directory that I can zip and send to the internet addressable server. I know there's a lot of code out there, I'm asking for recommendations. TIA's Pete -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs
Dean Hamstead wrote: Denyhosts is a great daemon/cronscript that will manage hosts.allow for your ssh server. you can set thresholds and instant triggers etc which will result in that ip being blocked. Also, can't one use a TCP wrapper with ssh? Either way, it does compromise one of the beauties of working on the Internet. When I head up north for a break, for example, and need to access the server, heaven knows what my IP will be when away from home. There is a door knocking technique that was discussed a couple of years ago on this list to allow you to tap tap tap the server ask it to let you in temporarily. More work of course. Also, you could turn off password auth and just use keys. Yup. Great idea. cheers rickw -- Rick Welykochy || Praxis Services || Internet Driving Instructor The user's going to pick dancing pigs over security every time. -- Bruce Schneier -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs
Rick == Rick Welykochy [EMAIL PROTECTED] writes: Rick Dean Hamstead wrote: Denyhosts is a great daemon/cronscript that will manage hosts.allow for your ssh server. you can set thresholds and instant triggers etc which will result in that ip being blocked. Rick Also, can't one use a TCP wrapper with ssh? Either way, it does Rick compromise one of the beauties of working on the Internet. When Rick I head up north for a break, for example, and need to access the Rick server, heaven knows what my IP will be when away from home. Depends how you set it up. Mine has a `three tries and you're out' policy. And as I use an ssh-agent on my (carry around) laptop, there's no chance of being locked out accidentally. Peter C -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Spider a website
On 03/06/2008, at 3:19 PM, Mary Gardiner wrote: On Tue, Jun 03, 2008, Ycros wrote: It's not always perfect however, as it can sometimes mess the URLs up, but it's worth a try anyway. The -k option to convert any absolute paths to relative ones can be helpful with this (depending on what you meant by mess the URLs up). I think it was URLs in stylesheets and in javascript (well, there's not much you can do with the javascript really) -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Spider a website
On Tue, Jun 03, 2008, Ycros wrote: It's not always perfect however, as it can sometimes mess the URLs up, but it's worth a try anyway. The -k option to convert any absolute paths to relative ones can be helpful with this (depending on what you meant by mess the URLs up). -Mary -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Spider a website
Peter Rundle [EMAIL PROTECTED] writes: I'm looking for some recommendations for a *simple* Linux based tool to spider a web site and pull the content back into plain html files, images, js, css etc. Others have suggested wget, which works very well. You might also consider 'puf': Package: puf Priority: optional Section: universe/web Description: Parallel URL fetcher puf is a download tool for UNIX-like systems. You may use it to download single files or to mirror entire servers. It is similar to GNU wget (and has a partly compatible command line), but has the ability to do many downloads in parallel. This is very interesting, if you have a high-bandwidth internet connection. This works quite well when, as it notes, presented with sufficient bandwidth (and server resources) to have multiple links fetched at once. Regards, Daniel -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs
[EMAIL PROTECTED] wrote: Depends how you set it up. Mine has a `three tries and you're out' policy. And as I use an ssh-agent on my (carry around) laptop, there's no chance of being locked out accidentally. I assume three times password fails and you're out, right? That's interesting. Can one configure ssh so that the password attempts are TCP wrapped, but the cert-based (ssh-agent) logins are always allowed, no matter where you are? cheers rick -- Rick Welykochy || Praxis Services || Internet Driving Instructor If stupidity got us into this mess, then why can't it get us out? --Will Rogers -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Spider a website
wget-smubble-yew-get. Wget works great for getting a single file or a very simple all-under-this-tree setup, but it can take forever. Try httrack - http://www.httrack.com/. Ignore the pretty little screenshots, the linux commandline version does the same job, just requires much command-line-fu. It handles simple javascript links, is intelligent about fetching requisites (images, css etc) from off-domain without trying to cache the whole internet, is multi-threaded - and is actually designed specifically for the purpose of making a static, offline copy of a website. The user's guide at http://www.httrack.com/html/fcguide.html goes through most common scenarios for you, and $DISTRO should be able to apt-get install it for you. Urrr.. or whatever broken tool distros unfortunate enough not to have apt-get use. On Tue, Jun 3, 2008 at 2:20 PM, Peter Rundle [EMAIL PROTECTED] wrote: I'm looking for some recommendations for a *simple* Linux based tool to spider a web site and pull the content back into plain html files, images, js, css etc. I have a site written in PHP which needs to be hosted temporarily on a server which is incapable (read only does static content). This is not a problem from a temp presentation point of view as the default values for each page will suffice. So I'm just looking for a tool which will quickly pull the real site (on my home php capable server) into a directory that I can zip and send to the internet addressable server. I know there's a lot of code out there, I'm asking for recommendations. TIA's Pete -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html -- There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2004 -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html