Domain: ev6.net
Stories and comments across the archive that link to ev6.net.
Comments · 15
-
Re:attachments?
Or you use a file delivery server, which your company owns and controls (i know this sounds like an advert, but i had to build something like this recently)...
You upload a file to it, it gets encrypted and stored there and you need a unique code and password to access it...
You can also email a file to it, the attached file is automatically imported into the system...You might pre-agree the password, or send it out of band, or not bother at all if the file isnt private...
You send the URL to the recipient, he visits it, enters the password and the file is downloaded in his browser over HTTPS...
The server logs that the user retrieved the file, and can optionally alert you via email that its been downloaded...
Files which remain unretrieved for a user-specified period of time expire and get deleted from the server, you can also be notified of this happening...
You can specify how many times a file can be downloaded, after that it gets securely erased from the server.
There is also a two server mode, for people on slow connections... You have a server on your lan (lets say you have slow upload, or a dsl line with very mismatched up/down speeds) and a faster server on the internet... You upload to the local server, and so long as you don't specify that the file is urgent it doesn't get forwarded on to the remote server until a predefined time (ie at night when noone is at work, or in the background at a very slow rate so as not to lag your line)...I have such a system online, although i am still in the middle of developing it..
if you want me to put a test file on there, drop me a mail to sdm [at] ev6 [dot] net
-
Re:Arguing is stupid: Discuss points on errs made
Ok...
I still fail to see how vmware can have any effect on the things tested by the cis tool... None of the things tested would be in any way effected by the use of vmware, in which case creating a vmware image was both much quicker.
As i noted, a default install of SUSE 10.3 gets a score of around 60, i forget the exact number.
The issues you have with windows 2003 are very similar to things i encountered with suse 10, in that the tool was intended for an earlier version and things have changed. In the case of suse it's possible to comply with the test by rolling back the applications it fails on (bastille, syslog etc) although this actually decreases security while increasing your test score.
You mention Ubuntu and SELinux, the cis test doesn't support Ubuntu. It only supports SUSE 9 and aparrently RedHat, but i couldn't get the RH version working. That said, i did run the suse test on a gentoo box and the results are here:
http://enigma.ev6.net/result2.html
The score was 46, and is incredibly misleading, most of the tests fail because they cannot find suse specific files such as /etc/permissions.local, or the suse specific locations for configuration files. The actual goals sought to be achieved by the tests are for the most part implemented on this system, just not in the same way as the cis test expects, for instance:
3.4 Disable GUI Login If Possible Failed
I don't have any form of GUI installed on the system whatsoever, no X11 nothing.
But i have no doubt that an install of suse 9 could get a 100% score simply by cutting+pasting the help provided in the html output. I would imagine windows 2000 or any other supported os would be exactly the same. However I'm also certain that i could configure suse 9 in a more secure way but which would fail this test.
I believe suse 9 supports selinux by default btw, tho it's not enabled and the cis test doesnt make any mention of it.
-----
I said in the original post how closed source stifles progress, not in relation to bug finding, but in relation to several other points. Your points about bug finding are correct, it is easier to find bugs but also easier to fix them too. This can be a plus or down side depending on who you are, what your requirements are and who you're scared of etc. It's also important to remember that not all bugs are security related, a majority of them have no security impact whatsoever but are still incredibly annoying to users.
I would say that overall it's a plus to have the source, because blackhats will search for bugs in any case, but with the bugs being easier to find the chance of white hats finding and fixing those bugs is also higher. Then you have the advantage that you and/or others can fix non security related "annoying" bugs.
You are also missing out on another interesting point. With closed source there will only be a small number of "builds", so the memory layout will often be the same or predictable. Conversely, programs compiled by hand can be compiled in many different ways, different compiler flags, different configure options, making an exploit coder's work that much harder. // I could not understand in your init. post HOW ON EARTH you could say that "closed source stifles progress", & especially vs. those looking for security holes in code...
I _NEVER_ made the point your trying to argue against, please reread the original post. It stifles the general advancement of computing as a whole. Although finding and fixing bugs could also be considered a form of advancement too. -
Re:Time to tear you up more, "No proof Bert64", ag
Without "cheating" as you put it, you could make a system far more secure and it would get a very low score on the cis test. I have already pointed out multiple flaws in this test and you have failed to answer them, why should anyone bother pointing out more when you have yet to answer the few that have been posted already?
You challenged people to get a higher score than you, which is what i have done, nowhere did you ask for the flaws to be pointed out, but that has also been done too, and now you are trying to backpedal.
But i will reiterate what i have said already.
CIS DOES NOT TEST "SECURITY", IT IS MERELY A COMPLIANCE TEST
Since you failed to understand that, CIS publish a set of configuration guidelines and this test merely checks if your system complies with these configuration guidelines. Because of the flexibility of linux, there are often multiple ways to achieve the same goals, and the cis guidelines only specify a small subset of those. // Funniest part is, ALL I ever asked for was a valid result from *NIX folks, & asking them to discuss where they felt this test was in error on their OS, & if possible, to share know-how.
This is what i did the first time, my system scored 60.something, and i went through the points where it failed one by one and pointed out why they were incorrect, i write it in response to one of your posts in august. I wrote the response within 12 hours of your original post, but i can't locate it now because slashdot no longer lets me see my entire posting history.
As for cheating, i did not cheat, i merely implemented the configuration changes as specified by CIS. I wouldn't say the resulting box is as secure as it could be made, but it complies with the cis test 90%.
I notice from the web logs that you didn't bother downloading the test results, they are at:
http://enigma.ev6.net/benchmark-report.html
Nor did you download the vmware image, it is at:
http://enigma.ev6.net/vmware-suse-cis.tar.bz2
The fact you could only get 86%, even tho full instructions on how to comply with the cis configuration is supplied both as a PDF and within the output from the testing tool, suggests a high level of incompetence on your part. I am certain that a score of 100% would be easily achievable on any supported system, including windows. After all, someone at cis must have configured a machine in the described way when writing the test.
Before you accuse me of cheating, why don't you actually read the results and have a look at the 90% compliant machine? // Think anyone believes you, now, Bert64... After you stated that which I quote from you above & your "VMWare testing methods" & PROBABLY PHOTOSHOP JOB ON YOUR "RESULTS", too??
This is the funniest part... Can i have a copy of your version of photoshop which edits HTML files and VMware images?
The results i submitted are in HTML format, that stands for "Hyper Text Markup Language" and is plain text with markup for formatting. When you run the CIS tool it creates output in HTML and XML formats, i chose to post the HTML form so it would be convenient to browse from the web.
Photoshop on the other hand is for editing IMAGE files, there are absolutely NO IMAGE FILES in the results I posted.
Obviously i could have edited the HTML results, but i would have done this using a TEXT EDITOR and not PHOTOSHOP. And because the HTML is so easy to change, i posted a vmware image so that you could verify the results.
So face it, your argument has been proven wrong and like a cocky little child, having been proven wrong your trying to deny ever making the argument in the first place. You remind me of someone i used to work with, he used to go away and cry when people would see through his bullshit.
Your writing style is very childish too, hardly what you'd expect from someone with supposedly 20+ years experie -
Re:Time to tear you up more, "No proof Bert64", ag
Without "cheating" as you put it, you could make a system far more secure and it would get a very low score on the cis test. I have already pointed out multiple flaws in this test and you have failed to answer them, why should anyone bother pointing out more when you have yet to answer the few that have been posted already?
You challenged people to get a higher score than you, which is what i have done, nowhere did you ask for the flaws to be pointed out, but that has also been done too, and now you are trying to backpedal.
But i will reiterate what i have said already.
CIS DOES NOT TEST "SECURITY", IT IS MERELY A COMPLIANCE TEST
Since you failed to understand that, CIS publish a set of configuration guidelines and this test merely checks if your system complies with these configuration guidelines. Because of the flexibility of linux, there are often multiple ways to achieve the same goals, and the cis guidelines only specify a small subset of those. // Funniest part is, ALL I ever asked for was a valid result from *NIX folks, & asking them to discuss where they felt this test was in error on their OS, & if possible, to share know-how.
This is what i did the first time, my system scored 60.something, and i went through the points where it failed one by one and pointed out why they were incorrect, i write it in response to one of your posts in august. I wrote the response within 12 hours of your original post, but i can't locate it now because slashdot no longer lets me see my entire posting history.
As for cheating, i did not cheat, i merely implemented the configuration changes as specified by CIS. I wouldn't say the resulting box is as secure as it could be made, but it complies with the cis test 90%.
I notice from the web logs that you didn't bother downloading the test results, they are at:
http://enigma.ev6.net/benchmark-report.html
Nor did you download the vmware image, it is at:
http://enigma.ev6.net/vmware-suse-cis.tar.bz2
The fact you could only get 86%, even tho full instructions on how to comply with the cis configuration is supplied both as a PDF and within the output from the testing tool, suggests a high level of incompetence on your part. I am certain that a score of 100% would be easily achievable on any supported system, including windows. After all, someone at cis must have configured a machine in the described way when writing the test.
Before you accuse me of cheating, why don't you actually read the results and have a look at the 90% compliant machine? // Think anyone believes you, now, Bert64... After you stated that which I quote from you above & your "VMWare testing methods" & PROBABLY PHOTOSHOP JOB ON YOUR "RESULTS", too??
This is the funniest part... Can i have a copy of your version of photoshop which edits HTML files and VMware images?
The results i submitted are in HTML format, that stands for "Hyper Text Markup Language" and is plain text with markup for formatting. When you run the CIS tool it creates output in HTML and XML formats, i chose to post the HTML form so it would be convenient to browse from the web.
Photoshop on the other hand is for editing IMAGE files, there are absolutely NO IMAGE FILES in the results I posted.
Obviously i could have edited the HTML results, but i would have done this using a TEXT EDITOR and not PHOTOSHOP. And because the HTML is so easy to change, i posted a vmware image so that you could verify the results.
So face it, your argument has been proven wrong and like a cocky little child, having been proven wrong your trying to deny ever making the argument in the first place. You remind me of someone i used to work with, he used to go away and cry when people would see through his bullshit.
Your writing style is very childish too, hardly what you'd expect from someone with supposedly 20+ years experie -
Re:Time to tear you up more, "No proof Bert64", ag
Right, so you pointed to a couple of not very well known tools and plenty of forums slagging you off, great.
Where's the answer to the direct question regarding the CIS tool you were asking me to run?
So i ran the cis tool on a downloaded SUSE vmware image, followed the cis guide and got a score of 90.86, which beats your score or 86 or so.
I could have continued and got a higher score, but why bother? You said you'd eat your words if someone posted a score higher than your 86, so i'm waiting.
You can see the results here:
http://enigma.ev6.net/benchmark-report.html
And if you want more proof, and are willing to download a *LARGE* file, the vmware image will be on
http://enigma.ev6.net/vmware-suse-cis.tar.bz2
Wait a while for it to upload, its big... check back tomorrow!
The CIS tool is installed in /opt/CISngtool, but feel free to download a fresh copy to make sure it hasnt been tampered with.
A few notes about the cis benchmark tool, which is an absolute pile of toss btw:
The check for gdm is broken, looks for both /etc/X11/xdm/gdm.conf and /etc/X11/gdm/gdm.conf
The check for bastille is broken, modern versions have an uppercase B in the package name, the guide even tells you to install one of these versions.
Many parts of this benchmark are broken, and assume something to be more secure if it's installed and configured in a particular way, rather than not installed at all. The gdm config for instance, fails if it can't find the config, even if the gdm package is not installed at all (and thus the config would be redundant in any case).
I could go on, but why bother. I beat your score, i am uploading a vmware image as proof which is more than you ever did for your rather feeble score of 86. I could quite easily get a much higher score than 90, but as i said i stopped at the point by which you said you'd eat your words. -
Re:Time to tear you up more, "No proof Bert64", ag
Right, so you pointed to a couple of not very well known tools and plenty of forums slagging you off, great.
Where's the answer to the direct question regarding the CIS tool you were asking me to run?
So i ran the cis tool on a downloaded SUSE vmware image, followed the cis guide and got a score of 90.86, which beats your score or 86 or so.
I could have continued and got a higher score, but why bother? You said you'd eat your words if someone posted a score higher than your 86, so i'm waiting.
You can see the results here:
http://enigma.ev6.net/benchmark-report.html
And if you want more proof, and are willing to download a *LARGE* file, the vmware image will be on
http://enigma.ev6.net/vmware-suse-cis.tar.bz2
Wait a while for it to upload, its big... check back tomorrow!
The CIS tool is installed in /opt/CISngtool, but feel free to download a fresh copy to make sure it hasnt been tampered with.
A few notes about the cis benchmark tool, which is an absolute pile of toss btw:
The check for gdm is broken, looks for both /etc/X11/xdm/gdm.conf and /etc/X11/gdm/gdm.conf
The check for bastille is broken, modern versions have an uppercase B in the package name, the guide even tells you to install one of these versions.
Many parts of this benchmark are broken, and assume something to be more secure if it's installed and configured in a particular way, rather than not installed at all. The gdm config for instance, fails if it can't find the config, even if the gdm package is not installed at all (and thus the config would be redundant in any case).
I could go on, but why bother. I beat your score, i am uploading a vmware image as proof which is more than you ever did for your rather feeble score of 86. I could quite easily get a much higher score than 90, but as i said i stopped at the point by which you said you'd eat your words. -
Re:TOS
We provide such a service in the UK, http://www.ev6.net/
The price list on the website needs updating tho... Drop me a mail if your interested.
You can share your connection with as many people as you want, so long as your use of the line is legal. The only caveat is, if you sign up for a traffic-limited service (you dont have to, there are unlimited plans too) then your still responsible for the traffic usage, so don't let your neighbours push you over your quota. -
Re:works great
This dialog says it all:
http://gallery.ev6.net/v/stupid-doze-crap.png.html
Even tho your logged in as non admin, and dont have privilege to reboot the machine, it pops up the dialog telling you about new updates and asking if you want to reboot. Only you can't reboot, nor can you cancel the dialog, it will sit there until someone reboots for you.
It just shows how the whole interface was never designed with multiple users in mind, it's one big nasty kludge. -
Re:Missed a link :)
The experimental mpm-peruser for apache is good for this...
http://www.telana.com/peruser.php
It runs each vhost under a different userid, including any php/cgi which are executed by each vhost..
http://tw1.ev6.net/test.php
http://tw2.ev6.net/test.php
http://tw3.ev6.net/test.php
http://tw4.ev6.net/test.php
These are some example urls, a simply php script which executes the "id" command. -
Re:Missed a link :)
The experimental mpm-peruser for apache is good for this...
http://www.telana.com/peruser.php
It runs each vhost under a different userid, including any php/cgi which are executed by each vhost..
http://tw1.ev6.net/test.php
http://tw2.ev6.net/test.php
http://tw3.ev6.net/test.php
http://tw4.ev6.net/test.php
These are some example urls, a simply php script which executes the "id" command. -
Re:Missed a link :)
The experimental mpm-peruser for apache is good for this...
http://www.telana.com/peruser.php
It runs each vhost under a different userid, including any php/cgi which are executed by each vhost..
http://tw1.ev6.net/test.php
http://tw2.ev6.net/test.php
http://tw3.ev6.net/test.php
http://tw4.ev6.net/test.php
These are some example urls, a simply php script which executes the "id" command. -
Re:Missed a link :)
The experimental mpm-peruser for apache is good for this...
http://www.telana.com/peruser.php
It runs each vhost under a different userid, including any php/cgi which are executed by each vhost..
http://tw1.ev6.net/test.php
http://tw2.ev6.net/test.php
http://tw3.ev6.net/test.php
http://tw4.ev6.net/test.php
These are some example urls, a simply php script which executes the "id" command. -
Re:Write it anyway...
Well, my site (www.ev6.net) renders very poorly in the windows version of msie (mac version handles it fine)..
My solution was to create a block of text and use css to mark it as non displayable, broken browsers like ie totally ignore the non displayable setting and display the block of text anyway, which explains what it is and why this site will only look correct in a browser with decent css support.. The text comes up in lynx too, but lynx just ignores the css instead of trying to render it and making a pigs-ear of it. -
Re:Yeah...
Or you can do mouseovers using CSS, http://www.meyerweb.com/eric/css/edge/complexspir
a l/demo.html does it for instance and looks quite impressive.. Also i use css mouseovers on www.ev6.net -
Re:hunh...
...or if you're three-handed like this guy then you can use two hands to cover the third!