Domain: porcupine.org
Stories and comments across the archive that link to porcupine.org.
Comments · 46
-
Yes, Yes there were port scanners before nmap
SATAN, & later an early type of IDS, known respectively as SATAN & Archangel.
http://ftp.porcupine.org/pub/s...
Rest in Peace Dan, you were fewked over by idiots & died way too soon.
-
Re:Beta violates ADA guidelines
Perhaps it was "SANTA" ?
http://www.porcupine.org/satan...
I still remember the SATAN network scanning tool, which had a little script called "repent" to change the name and gifs to "SANTA"
Could there possibly be such a tool in place to "repent" the Slashdot Beta to something usable? We can only hope.
-
Forensic Discovery, Windows Services for UNIX
Windows Services for UNIX 3.5:
http://technet.microsoft.com/en-us/interopmigration/bb380242.aspx
http://technet.microsoft.com/en-us/magazine/cc160802.aspx
Utilities
SFU comes with more than 300 UNIX utilities as part of the Interix subsystem, with additional utilities available either from InteropSystems or by compiling from available source code. These utilities cover all the major UNIX utilities and areas, everything from addr to yacc, and behave exactly as you and your UNIX users would expect them to behave.
The utilities include familiar text processing tools, including grep, less, awk, sed, pr, and tr, batch processing tools such as at, cron, and batch, as well as job control tools like ps, nice, kill, and so on. They're all there and they work exactly as you would expect. Even the man command is just as ugly (but infinitely useful) as it's always been.
Utilities such as ps and kill work against both Interix and Win32 processes, making SFU particularly appealing for the system administrator. Need to find and kill all instances of a particular process? The script to do it in Interix is straightforward, whether the process is running in the Win32 subsystem or the Interix subsystem.
As a simplistic but useful example, suppose you have an unknown number of copies of a process running on a machine with SFU. Figure 2 shows a script that will kill them. This script would work exactly the same running on a UNIX or Linux system.
Free Grep and Tail tools for Windows:
http://blogs.officezealot.com/marc/archive/2004/01/31/2046.aspx
Real Digital Forensics:
http://www.jonesdykstra.com/index.php/real-digital-forensics-mainmenu-54
Forensic Discovery (he posts it for free, but worth buying):
http://www.porcupine.org/forensics/forensic-discovery/
Wietse Venema:
http://www.porcupine.org/forensics/
ftp://ftp.porcupine.org/pub/security/index.html
Dan Farmer:
-
Re:One of the most widely used ???
Where did the submitter get their information from for saying that it's one of the most widely used mail servers ? I suppose if you "widen" your limits a fair way it could come in as being moderately popular. Sendmail, Postfix, Exchange... sure, they're up there in the high levels. Anyhow, would love to see a site/page showing the breakdown of mail servers around the net.
They got their information by smoking crack; Postfix is hot on the tail of sendmail, which is currently #1: http://www.porcupine.org/postfix-mirror/postfix-mailchannels.pdf
Qmail is damn well near the bottom, behind MXLogic, Exchange, Postini, Postfix, "other", "unknown", and Sendmail. Disclaimer: the survey represents fingerprinted public servers.
-
Re:For daemons that don't run as root
I've just always used chrootuid, since there's a Debian package for it. Made by Wietse.
ftp://ftp.porcupine.org/pub/security/index.html
http://packages.debian.org/chrootuid -
Re:Who needs clever hacks?
You ask:
"Who knows what the more sophisticated hackers are up to!"
Since this story is off the main page [and I can avoid the flame war] ... the link is to the comments - the story is also worthwhile.
From what I've gathered a handful of people were hit with this [myself included] - it reeks of a test run, most everything in the comments is true, even the crazy ass sounding stuff has some merit.
X-platform, anything, my colleagues and I know it's a hardware based attack.
Truly, a wonder to see operating - it even mocks you when you think you're making "headway".
Good luck and check your boot blocks.
http://www.securityfocus.com/cgi-bin/index.cgi?c=articlecomments&op=display_comments&ArticleID=11372&expand_all=true&mode=threaded
Forensic Discovery [free book download]
Dan Farmer and Wietse Venema
http://www.porcupine.org/forensics/forensic-discovery/ -
Furthermore
Must Read:
Forensic Discovery [download!]
Dan Farmer and Wietse Venema
http://www.porcupine.org/forensics/forensic-discovery/
Must Go:
http://www.porcupine.org/forensics/ -
Re:Marilyn Manson
-
Don't Panic PANIC BUTTON
netr00t's got solid advice for you.
http://slashdot.org/~netr00t
I would add, get a Lawyer, as in, have a Lawyer (anyway).
If you're in the USA, you should know by now, mostly morons make the "rules" of conduct, try not to participate.
Pay the Man:
http://www.forescout.com/index.php?url=products&section=activescout
http://www.winternals.com/
Useful:
http://www.sysinternals.com/SecurityUtilities.html
http://www.porcupine.org/forensics/forensic-discovery/
http://www.fish2.com/tct/help-when-broken-into
Firewalls and Internet Security
http://www.wilyhacker.com/
First Ed. (online)
http://www.wilyhacker.com/1e/
Practical UNIX and Internet Security
http://www.oreilly.com/catalog/puis3/
FWIW
http://exuberant.ms11.net/index.html
http://exuberant.ms11.net/98sesp.html
http://exuberant.ms11.net/links.html
http://www.oldversion.com/ -
Re:Provide examples
it's intelligently designed (by this guy, if you were wondering)
Why did I find myself hoping that link went to God?
-
Re:Provide examples
Personally, I use Postfix. It's Free, it's intelligently designed (by this guy, if you were wondering), it's much easier to set up to be secure, and it has a certain level of Sendmail compatibility, so that older programs that assume you're running Sendmail don't barf when you switch.
The biggest architectural difference between Sendmail and Postfix is that Postfix has many small executables (arguably, many not-so-small executables) while Sendmail is monolithic. From a user's perspective this is basically transparent: the biggest benefit to a sysadmin of running Postfix is the config files, which are as close to being self-explanatory as a MTA config file can be, in my opinion.
Sendmail always struck me as a bit of a challenge to set up securely/properly (i.e. "not an open relay"); Postfix is pretty simple to get going securely, and has well-chosen default parameters (at least as I've seen it installed, on Debian) that let you set up a server that won't be immediately spewing Russian penis-enlargement emails quickly. I've never tried to set up Sendmail with SSL support, but I'm going to go out on a limb and guess that it's easier to do this with Postfix as well.
I can't personally vouch for its speed, because I don't run a high-volume mailserver, nor do I have the hardware to really give the MTA that much of a workout (it just becomes disk-bound on my systems). Plus I use flat mbox files and the situation may be totally different with the more modern database-type mailstores. (Yeah, yeah, I know -- 1986 called and they want their file format back and all that. But it works for me.)
There are other choices out there for MTAs, and I'm sensitive to arguments in favor of them and I'm not trying to say that Postfix is necessarily the best possible thing out there for everyone, but at least in my experience it beats the hell out of Sendmail. If somebody wants to jump in here and discuss qmail or exim, and why they think they're great, please do. -
Someone who's not a Linux Snob
Someone who has always impressed me as a class act is Wietse Venema. When someone on the Postfix mailing list asks a question that's already answered in the man pages, his response is polite and concise: "The answer to your question can be found in the (postconf|postfix|postsuper) man page". It's a response that is neither insulting nor dismissive, and it shows that Wietse thought about your question long enough to determine which man page has the answer, and maybe even asked himself if the explanation in the man page is sufficient.
-
Re:Wow! A post to your own blog!
If you actually want to read something interesting, try The Art of Unix Programming or Forensic Discovery.
-
Re:I always wondered
Like you haven't heard this a thousand times before - do you have backups:)?
Assuming it's a corrupt partition table:
If you've got a mirror, you would be able to dd out the (known location of the) partition table on mirrored disk 1, and dd it back to the failed drive.
If none of those work/are not applicable, follow this:
http://surfer.nmr.mgh.harvard.edu/partition/partition-6.html
If that fails/isn't applicable, try using gpart, included in the coroners toolkit:
http://www.porcupine.org/forensics/tct.html
p.s. When you're mounting it, you're doing "mount -t ext2 /dev/hdaX /mnt/foo", right? Make sure you have the "X" (1,2,3, etc) variable in there. Sometimes even I forget to add the 1,2,3 and spend a few minutes thinking my data is lost!
p.p.s. I used your Xbox howtos back in the day and appreciated them! -
Re:As always...
Is there a way to implement one time passwords with ssh?
Yes, there's several. Some SSH software has S/Key support (eg OpenSSH "./configure --with-skey"). The most current S/Key implementation seems to be the one in Wietse Venema's logdaemon package.
You can also do OTP through PAM or BSDauth if your platform supports those, eg pam_skey, pam_opie (OPIE: One-time Passwords In Everything)
Several systems have either S/Key or OPIE support natively (OPIE seems to be becoming the more popular of the two).
-
Re:Uh
After reading the review of Dan Farmer and Wietse's Forensic Discovery, you should hear about The Grugq who got fired from @stake after writing a Phrack article in which he exposed numerous flaws in The Coroner's Toolkit by Dan & Wietse. Before you read this book, check out the video (bittorrent) of The Grugq on The Art of Defiling and see how to defeat "industry grade" forensic tools and techniques. You can also meet him at a hacker convention near you (in March at BCS2005 in Jakarta, in April at Black Hat in S'pore and Amsterdam and at HITB2005 Bahrain).
-
Re:Your 4 examples are really just 2 examples
In any case, do you really think that IBM and Sun care about Open Source?
I can't say about Sun, but IBM has reinvented itself as a services company. They still sell hardware and software, but the money they make off of that is peanuts compared to what they make selling you CONSULTANTS to come in and put all the pieces together for you. By hiring the core developers of various OSS projects, they guarantee that they have access to the top experts in those programs. Anyone can send in a mail guru to hack Postfix to meet some special requirement you have, but only IBM can sic Wietse on the problem.
-
Re:Is it really this hard...
Vulnerabilities are not hard to write - they are hard to detect and often easy to fix.
Most FOSS programs are the result of someone who really wants to write something good. Rarely have I seen someone being forced to write FOSS code to meet a release date schedule or to remain competitive. It's about "It'll be done when it's done", sort of Code Poetry. Most of the code was written to run in a hostile environment where black hats can read the code (like the above piece) and screw everyone who runs bad code. The term security in obscurity as far as coding style does not even enter your mind.
Also vulnerabilities are easier to find when you have the source - like that professor who set his students to find vulnerabilities in FOSS. Unlike a corporate setup - you have a practically unlimited number of reviewers if your program is popular (and if it is not, a vulnerability is no big deal anyway, right). Also everyone runs a different binary, slightly different from what everyone else runs (security often needs you to recompile stuff with stack canaries)
So FOSS software evolves (yes, Natural Selection) to avoid these vulnerabilities by dying out or it "adapts" - someone adds more good ideas and makes it better (s/ideas/genes == sexual reproduction). Also the good ones read Wietse's papers.
-
Re:Enterprise file forensics
For the rest of us there's always Wietse Venema's tool, The Coroner's Toolkit
On FreeBSD, it's all about mtree...
-
The Tools
The tools are nothing particularly complicated, generally a boot CD, a spare hard drive slightly larger than the original, and any reasonably modern PC are all you need. I've never seen anyone use a hardware-based disk copier, they all just use PCs with linux boot disks and "dd". Maybe I'm just seeing people with a lower budget...
Some common tools:
- The Coroner's Toolkit (getting a bit dated)
- The Sleuth Kit
- Helix
SANS offers a really nice class on computer forensics (track 8), if you have about $3000.00US lying around.
These tools work nicely on Linux, reiserfs, xfs, etc. in addition to the ubiquitous Win32 filesystems.
-
Re:All I learned
not to mention this
-
The Doc
Yeah, that's good. I always had trouble finding my way into the postfix documentation, now it's a lot clearer. I especially like the listing of all main.cf settings (now if there were a manpage for master.cf too...) and the bottleneck analysis tool.
I do miss however the "big pictures" yellow + blue graphs that seduced me into trying out postfix a long time ago. Now we're stuck with pitiful text-only rendering.
Still great, after all those years, postfix is my MTA of choice: ease of use, power and security. -
Postfix Heaven
I just finished installing and configuring Postfix with TLS, Cyrus SASL, Maildir storage (which Postfix simply "does" by appending a "/" at the end of a mailbox path), and virtual users alongside Courier-IMAP, and, man, was it easy. I had the help of O'Reilly's Postfix: The Definitive Guide and between that, the provided documentation and the wealth of resources available on the Web, I was able to get everything up and running in record time.
I know this sounds like a commercial, but it's hard not to sound that way when everything just kind've worked the first time. I now have authenticated, encrypted SMTP and POP and my users are, literally, thanking me. My experience has been that using Postfix was an easy way for me to look good.
Here's a Postfix SASL HOWTO which came in handy, but there are a lot of resources on the Web, especially at the Postfix site.
-
The Coroners Toolkit
This may help..
TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in. The software was presented first in a Computer Forensics Analysis class in August 1999. Examples of using TCT can also be found on-line in a series of columns in the Doctor Dobb's Journal. Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the findkey tool that recovers cryptographic keys from a running process or from files.
Site here -
Re:Or try qmail - unbroken since v1.03 (1998)
>Postfix, on the other hand, suffers from the windows design paradigm.
>One big package to do it all.
I guess if you define "one big package" to be modularized like this and "do it all" to mean "be an MTA" then you're right. Are you saying that qmail does less, with more than 36 different executables (which is how many postfix uses), and that that's better?
>Even Wietse doesn't trust his own software.
>http://marc.theaimsgroup.com/?l=bugtraq&m=106018677502632&w=2
Riiight. So you're saying that when Dan ships a bug fix, all qmail installations are magically updated, and all distributions out there on FTP servers and CDs are updated too. No? That's all that Wietse was lamenting - read the message again. He's saying that you can fix a bug in the current code but you can't make it go away retroactively. He doesn't say he doesn't use or trust his own software.
>Postfix on the other hand is still under development,
I guess you would prefer an abandoned product? Or are you saying it's not ready for production use yet? IBM released it FIVE YEARS AGO as the IBM Secure Mailer. It does get updated, though. Horrors! Do you use an OS that is "done" too, because not ever being updated is a good thing?
>suffers from a poor design,
According to you. How exactly is the design poor in your opinion? Hint: You can't just say "it's like Windows". What are some specific design choices and examples of why that's bad? Or are you just hand-waving?
>and probably will include the kitchen sink by next year.
Based on what, exactly? Please explain why you think Postfix is adding all sorts of non-MTA features lately, and preferably show a link to a message by Wietse where he says he's going to do so in the future.
-
Re:What's wrong with sendmail?
Heck, if sendmail were so insecure, why is OpenBSD still including it in its base?
Because it's the only major MTA with a license that's acceptable to Theo.
Speaking of which, Postfix's license is the IBM Public License, which qualifies as Free Software. Is there anything wrong with it according to TdR? -
The TCT
I can't believe no one's mentioned The Coroner's Toolkit. Written by Dan Farmer and Wietse Venema, those crazy kids that wrote SATAN, back in the day. It has all kinds of fun tools for poking around backstage on a *nix box, ostensibly forensics-related work after a machine compromise, but if you accidentally delete something important, you could pretend that someone else broke in and did it. =)
From the FAQ:
What the hell is it? The Coroner's Toolkit (TCT) is a collection of tools designed to assist in a forensic examination of a computer. It is primarily designed for Unix systems, but it can [do] some small amount of data collection & analysis from non-Unix disks/media.
Features: Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the findkey tool that recovers cryptographic keys from a running process or from files.
"Take this object, but beware! It carries a terrible curse!"
The advantage it has over some recovery options is that it's entirely post-mortem. If you just deleted the boss's laundry-list, you could go download it, build it, and stand a pretty decent chance of recovering your file.
The disadvantage is that, perhaps like a real autopsy, it's not for the faint of heart... -
postfix+amavis+clamav+spamassassin
Postfix: mail transport agent (MTA); packaged by most Linux distros; runs on many other platforms; easy to configure; flexible; modular; secure; highly scalable; written in C by the venerable Wietse Venema; IBM Public License
AmaVis: Antivirus filtering daemon; packaged by most linux distros; multi-threaded (recognizes multiple CPUs); sends out email alerts; very configurable; supports many antivirus scanners; works well with postfix; written in Perl; GPL
Clam Antivirus (clamav): virus scanner; written in C; fast; virus definition update tool included; uses virus definitions from the Open Antivirus project; (does not disinfect, just identifies); GPL
SpamAssassin: Perl-based Spam filter; use with Procmail; client-server architecture (one daemon); Perl Artistic License
Our application of the above software seems to work quite well. We serve about a thousand users (about 100 "heavy users"), and the average server load rarely gets above 0.21 with a Dual AMD 1500+ MP that provides SMTP, IMAP, and POP all w/SSL enabled.
-
Well, this is new...
It occurs to me that when security tools such as nmap, or crack or airsnort or SATAN come from places OTHER than the government, they are seen as threats to Internet security. Some people in government even want to make them illegal.
But when the government itself comes out with software to expose security holes, it's called the "Gold Standard".
What gives? -
Re:It's a miracle the RCMP was able to do it...
The RCMP as a body aren't fumblers. I had a chance to meet some of the RCMP agents who do computer related crime here, and the civilian guys they'd hired to help. They were a bunch of really smart seeming people who were genuinely interested in the technology. It was they who first turned me on to TCT
-
Won't hide from raw access
File/block slack is hardly news. Nor is it even moderately secure.
One of the first things a forensic analyst will do, mostly in search of deleted blocks, is `strings /dev/hda1`. More likely off a ro image, but everything ASCII will pop out.
Have a look at The Coroner's Toolkit
-
Re:Undeleting files on *nix
For Everyone's benefit, the link is The Coroner's Toolkit
-
Re:Undeleting files on *nix
Please check your link. Should be The Coroner's Toolkit [www.porcupine.org]
-
Re:Undeleting files on *nix
And for those who noticed, I can't type URLs, so here it is again
:) http://www.porcupine.org/forensics/tct.html -
Digital Evidence Software
In reality, the biggest difference between grep and so-called "forensics" software is the emphasis on examining the data without modifying it and maintaining the chain of custody and audit trail. In fact, many experienced computer investigators do their jobs with little more than dd, grep, and various other Unix utilities. Most of the digital forensics software out there simply attempts to make this functionality more accessible to your less tech-savvy investigator. (The problems caused by inexperienced/unqualified investigators performing this type of analysis are beyond the scope of this response.)
I am currently the designer and project lead for a cross-platform open source (GPL) digital evidence processing suite. It is intended to bring together the various functionalities required to perform this type of work, and (ideally) operate on whatever platform the investigator desires. Our primary development platform is RedHat 7.1.
There are currently software packages out there that attempt to do this, including EnCase and The Forensic Toolkit in the commercial arena and The Coroner's Toolkit in the open source arena, however they lack the broad filesystem support and/or true ease of use to make them usable by everyone. The other barrier is price as EnCase, for example, costs thousands of dollars per copy.
We're well funded, and have already done a significant amount of work. We have some of our core components functional and plan on starting beta testing and releasing our first code drop later this year. If this field interests you and you'd like more information, or you work in the investigative field and have thoughts on what you'd like to see in such a tool, I'd love to hear from you. -
I don't get it.
The name isn't even a homonym. It's not "Atheist OS" and he doesn't even include the SATAN network analyzer tool. (That is a joke, by the way.) Take the name apart. At best you'll come up with "Athe Operating System". Suddenly "Athe" is a naughty word that bespeaks against your personal belief system?
Personally, I think you need to get a grip and not get all hung up over similar sounding words. So what if "AtheOS" sounds a little like the word "atheist"? If you say, "I've got dandruff, some of it itches," with the proper tone, inflection and speed it sounds almost exactly like you're saying "God damn it, son of bitches." (It's really easy to do; try it.[1]) Does that mean you'll never use the former phrase because it's blasphemous?
Of course not. Let's not be silly.
Lighten up, dude. It's no more unfortunate than the existence of any word, real or otherwise, that could be mistakenly heard as any other word you happen to find offensive. Stop whining or stop speaking English. You're going to run up against this problem again and again in your life if you're so sensitive about it.
This isn't meant as a flame, just an honest (perhaps a little brutally so, I admit) opinion about your apparent hypersensitivity to the fact that English words can and often do rhyme.
__
[1] And believe it or not, a Baptist minister taught me that phrase and he is as honestly devout as I've ever seen a person be. He just happens to not be easily offended.
-
Re:sigh
The Coroner's Toolkit (TCT) Have fun
:) -
TCT
Or, The Coroner's Toolkit written by Dan Farmer (Earthlink) and Wietse Venema (IBM) will show you not only files that were written but also those that were deleted after the installation and could even undelete them for you. Unfortunately, I don't think they have covered ReiserFS, but their kit works for many other filesystems, including ext2. Their kit was intended for post mortem examinations of compromised systems but should work in this case as well.
You can also type:
# find /etc -mmin 10
to see all the files that were changed in /etc in the last ten minutes. -
Already exists
("apt-get install postfix-tls" if you use Debian.)
Take a look at RFC 2446 (Transport Layer Security) and RFC 2487 (SMTP Service Extension for Secure SMTP over TLS) for details.
For an implementation, look at postfix-tls:
Authors:
Postfix: Wietse Venema;
TLS extension: Lutz Jänicke
Start with the postfix site and then the TLS site if you don't have the ability to apt-get source I guess.