Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
./configure ?
ever tried ./configure ? Though this relies upon the developer, it will warn you and not generate the correct makefile if you don't have the right libraries.
it doesn't give the same level of warning and protection that dpkg gives you, but it simply gives the admin more power - assuming he's actually up for the task.
i slacked for a long time. i'm currently a bit into debian, though i'm thinking about returning to slackland. it's THE best server distribution. it's a fine desktop distribution. look at the stats for security problems on Security Focus. which one would YOU like to use for a server?
-
Re:Best MTA -- QMAIL
Obviously the most subjective part of this whole discussion is the behavior of the author(s) involved. That's something each individual administrator has to decide on. I don't quite feel comfortable putting my mail system in the hands of someone who gets so riled up about his product. I get the impression he's perfectly willing to put his users unwittingly in the line of fire to prove his point. It's just my opinion; you'll undoubtedly feel the need to offer corrections to it, but my perception of qmail's author just brings to mind one of the Things I Will (not) Do when I am an Evil Overlord ("I will never utter the phrase 'what? How can this be? I'm invincible!!!' as it will almost certainly be immediately followed by my horrific destruction").
Yes, I've heard of this "root hole in POP3 or IMAP" concept before. Funny thing is I don't recall any particular MTA being the cause. A qmail system is just as vulnerable to such exploits as a postfix system is when the actual exploit involves Cyrus IMAP, for example. Both MTAs will happily sit there and do absolutely nothing, since accessing one's mail once it's been delivered is a task neither MTA cares about.
Let's go over your other points.
I counter that postfix is also quite good:- Easy configuration - read README (ships with postfix)
- Easy administration - read README (ships with postfix)
- Security - it's odd, but I don't see any entries in the vulnerability database at Security Focus (bugtraq) for postfix either. I never suggested postfix was impenetrable or flawless; my counterpoint here is that just because nobody's found and publicly complained about an exploit in qmail doesn't mean one doesn't exist. Organizations and authors, big and small, have walked away red-faced from such assumptions many times. I find it a bit worrying that qmail's author is so cocky about his product. Whether that concern is unfounded or valid isn't your place to decide. It's every single person's choice when they're deciding whether to install a particular system or not. It seems both postfix and qmail have had their share of problems, and those get fixed and updates are released to give those fixes to the world. Where's the problem with either system on this count?
- Fast - Yup, I've heard about qmail running on Hotmail and/or the other big free web sites. I also can't shake my read of the comparison you referenced that throws that "three times faster than qmail" figure around. Yes, they discuss that they can't duplicate the performance, but that it's still faster than qmail. This comparison doesn't matter too much anyway; qmail and postfix both scream, and they've both met the goals they set out to achieve -- they're faster than sendmail. That's been widely acknowledged by everyone involved.
- Great support - postfix is remarkably well documented and has plenty of FAQs and examples around. Your qualifier for qmail's support implies that if you dare ask a newbie question, you're going to be given yet another reason why you shouldn't have chosen qmail in the first place. I can't stand elitism; it especially has no place with a product such as an MTA. As the author of an MTA, it's in your best interest to tolerate newbies, and guide them to configuring your MTA properly so your product isn't helping to put yet another badly behaved, misconfigured server on the internet.
- Maildir - drat, typos in the wrong place. I did mean "maildir" instead of "mailbox". Postfix supports maildir as well. I am well aware of its NFS-friendly design, and it is quite a good one.
I am afforded an equal amount of good sleep by postfix; hasn't flaked on me yet, and I don't expect it to.
We're comparing very similar systems here. They're both setting out to do the same things, and it looks to me like they're both accomplishing what they've set out to accomplish. Bickering over each system's choice of implementation is a waste of time. If an implementation proves inappropriate, it will over time be fixed or abandoned.
Holy wars suck anyway; perhaps your time would be better spent away from embarking on one here. If you're game for an attempt at an objective discussion of the merits of the individual systems, then great, I'll carry one on as well. But if we're going to jump into a nasty flamewar (that the qmail & postfix communities have seen far too many of anyway), I'll respectfully bow out here.
-
6 days?
George Guninski regularly finds and releases exploits for many different services/os's. Whenever I see his name on Bugtraq, I know it's gonna be a crazy day. According to Rain Forest Puppy's policy, the waiting time is just a _suggestion_, not a law. I'd personally wait, and release the exploit announcement along with a vendor supplied patch (thus being RFP compliant), but that's just me.
- grunby -
Re:Bullshit
There's an interesting post on BugTraq that can be boiled down to "Win2k has some great granularity features... unfortunately the apps you are pretty much forced to use with it (Office2k, etc.) stink up that granularity."
-l
-
Re:So how does Apache cope on Windows?
...and upon about 30 seconds of research on SecurityFocus (which should have been done first here, doh!), it seems that case insensitivity might not be an issue on Windows after all:
"Tested against Apache 1.3.20 on Windows 98 SE (has case insensitive fs) appears not to be vulnerable."
The posts on SecurityFocus don't illuminate how the Win32 version of Apache gets around the problem, but I'm sure some enterprising soul could find the saving code in the source somewhere...
-
Re:Open Source - reliable - not
been a long time (3+ years) since I have seen a Linux as stable as Windows
Uhh... Windows 3.1? I have yet to see a properly-configured Win32 (sic) machine hold its own against a properly-configured Linux machine. Especially considering that any Win32 machine put under any sort of actual use tends to get unstable after, oh, I'll give it 48 hours max.
I get security announcements and patches from Microsoft when problems are discovered. I read about them months after the fact for Linux - and if an RPM patch isn't available oh well.
It all depends on where you go looking for information. There are plenty of security related sites out there that cover Linux.
And what's this bullshit about RPM patches? Have you ever heard of just compiling your own and being done with it? That is why such things are provided for download -- if something goes wrong, you can fix it.
And as far as the level of expertise, I can hire Microsoft engineers all day long. Finding a competent Linux person is near impossible - make sure you add that cost into your evaluation.
I can hire MS engineers all day long too. Can I hire competent engineers of any sort all day long? I highly doubt it. MCSE's are a dime a dozen, but if something just happens to go wrong on that W2k server over there, what are they going to do to fix it? "Oh, reboot the machine, it'll all be fine." Er.. stability?
-
Why this post is a troll
OK, I know this is Slashdot, where any idiot who can look half-intelligent can get moderated up to five, but I think the moderators why this post deserves a rating of 1 instead of a rating of five:
the sack of shit it is
This is inflammatory speech. This kind of language is designed to invoke an emotional response. People who know they do not have a logical argument use this kind of language. People with logical arguments do not need to resort to this kind of name calling.
For the mission critical stuff [open source is] far too insecure and lacking in enterprise-level features.
Buzzword mania. Note how this poster tells us that all open-source software is insecure without backing up this claim with facts.
The facts are this:
- Sun, as an example of one of the expensive closed-sourced vendors this poster considers better than Linux, has 23 vulnerabilities reported in the year 2001.
- OpenBSD, in the same time period, has only had eight vulnerabilities reported.
This person talks about vague "enterprise features" that open-source is supposedly missing without telling us exactly which enterprise features open-source is supposed to be missing.
In other words, this person is making a number of inflammatory emotional statements, and stating a number of opinions without backing up those opinions with facts.
Moderators should not be moderating a post like this up.
-
precious pennies
Well I have my own Cisco based [1 2 3] information which sums up networking to a tee. Security Focus, Packet Storm, SpyKing, and Cryptome all cover the other areas for information when I need it. Is it me or in the past 2 years did everyone jump on the "Hacker" bandwagon writing books on information that's already a point and click away? Not taking anything away from the book, but Information Security Management Handbook 2001, Cisco's Routing TCP/IP, and other security books in my library have done me justice. Makes I guess a nice intro for newer users, but personally I don't like books with "Hacker" in them, they tend to be geared for those with little clues, and who are often too lazy or dumb to find information and study it on their own.
-
Re:I'm kinda glad.
"Not releasing the source code would solve many security problems"
I disagree. Not releasing the source code means that:
- Users can't trust any program because backdoors can be hidden. Remember Interbase ?
- When users discover a hole, they can't fix it. Even if they are very skilled programmers and the fix is a one-liner. They can't. They have to wait for a patch from the vendor / authors. And while the patch isn't released, they are vulnerable.
- Users can't help the development team to fix holes.
If you read Bugtraq you will notice that Windows applications have tons of security holes. But the number of holes is not important. The important thing is that often, a security advisory ends up with "Vendor has been contacted... no response so far... no known fix... no workaround..." . And what can vulnerable users do in this case ? Nothing. Wait. Pray that nobody will see the breach. Wait until the vendor wakes up. If he ever does.
Also, remember that most closed-source encryption schemes were hacked (decss, anyone ?) . -
Re:open source myth
-
Not the first time
Security Focus carries an article about Max Butler, who did the same thing, back in May 1998.
In May, 1998, the Internet was reeling from a devastating vulnerability discovered in a ubiquitous piece of software called the BIND "named" domain server. Formally known as the "iquery BIND Buffer Overflow vulnerability" the hole had been publicly announced by Carnegie Mellon's Computer Emergency Response Team (CERT) a month earlier, and a software patch to fix it was available for download. But according to an FBI affidavit, the hole was still in place on Air Force systems, nuclear laboratories, the U.S. Departments of Commerce, Transportation and the Interior, as well as the National Institute of Health.
Near the end of May, the hacker group ADM raised the stakes by publishing a computer program capable of spreading through vulnerable systems automatically. It was concern over the damage the worm could wreak on an unprepared Internet that spurred Butler to his fateful course. "Mr. Butler modified the worm program to download and install the official software patch that repaired the BIND/named vulnerability from the software vendors' web site," Granick's motion reads. "Mr. Butler used his modified worm to automatically get root access on machines through the named vulnerability and fix the named hole."
It could have been an unsullied act of mass guerrilla patching -- a relatively harmless hack that would have left the Internet a little more secure, while dappling only a few spots of gray on Butler's white hat.
But Butler's worm also installed back doors on every system it patched, and reported their location back to Butler, giving him a way into the machines even as he locked out other hackers. That feature simultaneously made the crime harder to defend, and easier to solve.
-
Mmmm. no worm patches for me..
Talking about worms, i was just reading this a few days ago. This dude Max Vision spread a worm which closed many backdoors, but opened a few too.
Mmmm.. Sad that the FBI caught up with him..
-
Best laid || layed plans
Could it be the author wrote this book left it on the shelf and avoided the problems which are plaguing the industry at this current time?
This is a future in which the sovereign individual is freed to become as much as she allows.
Wrong, this is a future where many are going to have to tiptoe through all sorts of scenarios to avoid having a future littered with legal worries from all sides of the spectrum. How can you become "freed" from anything when at the rate the tech field is going, we've seen a surge of lawsuits from all walks of life ranging from patents, to copyrights, to any other fabled scenario a company wants to spend money litigating?
Looking at that aspect, I'd say many would become rather restricted and reluctant to promote "the next best thing", or even themselves out of fear of retribution.
Secondly amidst all that nonsense, for those who either don't notice, or ignore the warnings, taking a look at the legal system itself regarding tech, it will only get worse, as laws (which are often so broad and obsolete to the circumstances) prohibit many from acting. (e.g. Jerome Hackenkamp, Max Vision, Keith Henson, Napster [corporations aren't free from actions either], Jim Bell and the list goes on) to promote or revolutionize, or even speak in today's world.
What world is the author living in I'd like to visit?
However, Gilder does miss one important point; in the abundance of bandwidth, there becomes a new scarcity of content. In the end, Gilder's book
may best be thought of as a call to arms: start wasting bandwidth, and start working on solving the next problem -- one of novel creation.
How can you expect to solve the next problem when the ones in front of you are ignored? What about taking a realistic approach to focusing on what's on the table now before crying over spilled milk later?
-
Re:So they wont be hypocrites..
You're missing the point. RedHat ships binaries to users. They also ship source, but that's not really their focus. They may modify the source and ship modified binaries if they feel it improves their distribution. With Bernstein's license, they can't do this.
In addition, you're quoting the GNU project out of context when you say Bernstein's license matches freedom 2 "The freedom to redistribute copies so you can help your neighbor." the same page that lists the freedoms also clearly says, "The freedom to redistribute copies must include binary or executable forms of the program, as well as source code." Clearly Bernstein's license doesn't allow binary forms of modified code.
Fortunately, as you point out, Bernstein's code "NEVER" has holes in it, so we don't need to worry about it. Of course, I'm more impressed with your ability to travel into the future and confirm this. Unfortunately Red Hat is not able to visit the future to check this, so errs on the side of caution.
In addition, while Bernstein's software has never had any holes under Bernstein's narrow definition, Linux itself might have problems which require modifying qmail as a workaround. This is quite common, and while Bernstein can complain all he wants that it's the operating system's fault, the rest of us need to deal with the reality of the hole and find a workaround. This has happened before, and under Bernstein's license, Red Hat can't ship a patched binary to fix it.
-
Buffer Overflows are not the vast majority
The vast majority of security vulnerabilities are buffer overflows.
I don't have numbers (probably only large espionage organizations do), but I'm willing to bet that's not true.
Buffer overruns undeniably get a lot of coverage on bugtraq--if you casually read the list, you'll be forgiven for thinking that buffer overruns are the overwhelming bane of computer security. But there are two biases to this observation:
-
Buffer overruns get more talk than vulnerability reports. Go to the vulnerability database at SecurityFocus and browse the recent reports. On the first page, there are 28 vulnerabilities, of which only three explicitly mention buffer overruns. Even assuming that this is an unusually low number, and that a few buffer overruns aren't labeled as overruns, and allowing that buffer overruns tend to be more serious than the average vulnerability, this is hardly a preponderance.
I frankly think the reason the discussion on bugtraq seems dominated by buffer overruns is that the community enjoys, and is comfortable, discussing buffer overruns. Even though the same religious issues (bounded arrays, language choice, non-executable stack, stack-guarding libraries) are rehashed over and over, people never get tired of them. Buffer overruns have a cherished place in security folklore. This is kinda nice in that it gives the community a common ground, but dangerous because it leads people to overlook the importance of other program flaws that can result in vulnerabilities.
-
bugtraq report statistics probably over-represent buffer overruns. This is related to the above discussion--buffer overruns are popular and well-worn ground. If you report one, everyone will understand it and you'll win sure ego points. So if you're going to search for vulnerabilities, you'll probably search for buffer overruns.
Further, buffer overruns are plain easy to find. If you have source code, a few greps often take you right to the hole. Even if you don't, tools like fuzz do pretty well (many bugtraq reports indicate that tools like this were used to find the overrun). Plus, contrary to what you might think, buffer overrun exploits are usually easy to write, so don't think that turns off any would-be security gurus. Other classes of vulnerability usually require more analysis of program logic to find.
-
they are already there. Re:Security for Mac Users
A quick search reveals there are already some "bugs" in MacOS
Good thing is that OSX is still compatible with OS 9 so all the old exploits still work.
Best thing is that with good multithreading the user will never notice that the box is hacked. Even if it is slow that will be nothing new to the user.
-
Re:Should cover software written by or for gov't
What about issues of national security? Do you really want NSA cryptographic published? What about military software for radar imaging? Aren't there some areas where you expect a government has the responsibility as well as a right to develop without publishing?
That's Security through Obscurity. However, the prevailing thought is that any system which depends on its workings being hidden is not necessarily a truly secure one, while a truly secure system can stand up to having its internals shown. (Note that I said its internals, obviously not the data it actually operates on.)
-- -
Re:One word
I certainly wouldn't argue that most breaches--and I would go so far as to say ALL breaches--are preventable; it's just that it's much easier to see what would have prevented them in retrospect than it is beforehand. Certainly people should follow minimal best practices, at least--I completely agree with you on that point.
I guess I just find it disturbing that you seem to hold the victims more responsible for the problem than the attackers. Prudence is one thing, culpability another. To draw a poor analogy, if you're going to walk at night in a bad part of town, you should be prepared for muggers--but that doesn't mean you should just accept being mugged. You should still call the cops, try to find the guys who did it, and take them off the streets. That's not whining, it's civic responsibility. Vengeance is not the point--justice is. There may always be someone else, but that doesn't excuse these guys in particular--they should be pursued and removed from the scene.
Aside; that's an interesting argument against NT/IIS--usually what people say is that it's less secure because there are fewer reported vulnerabilities weekly than other, more open platforms... implying that more open platforms are better reviewed for security. If you really believe that, though, you should take a look at the actual numbers: securityfocus stats Considering the percentage of all webservers that are hosted on NT, it actually has fewer reported vulnerabilities for its market penetration than some Other operating systems (not naming any names here ;) And if I remember the attrition.org numbers correctly, it's actually cracked less often per share, too.
I don't like how MS handles flaws, either, but it's really just a mirror for corporate America. I've never worked anywhere where the PHBs were more concerned with fixes than features--until after they got hit. -
Not that recent
As you can see in the relevant bugtraq post, this was made public about 4 days ago.
The fix is already in the archives (a check that ensures that 'RELATED' connections have the same source address as the initiating original connection), and works fine. -
Re:This just shows.
-
Resisting Power-Outages, Lightning, and the Cat
Running a DSL from Qwest since October 2000, and have been very pleased with it. I pay a little extra, but, last Sunday, I toasted my 675 with a CBOS update at 5:30 am, and, had a 678 replacement by 11:30 am Tuesday, courtesy of UPS as an RMA. My Hat's off to Qwest, for this. They truly came through for me.
Friday, I had a power outage (first since I moved here). Was only about a minute and a half, but, that was enough to knock all the machines and the router off-line. So, yesterday, I headed to Fry's and picked up APC 500VA BACK-APC Back-Ups and started my planning.
I used Xfig to draft up a decent network layout and to plan my UPSes and which machines to plug into them based on power needs, and availability priorities. Then, I set out on the physical changes by starting from the left and moving right. I was able to remove 4 power strips (along with the concomitant electrical hazard and wiring mess) by using the 3 UPS-powered outlets in the APC's for the machines, and, the 3 surge-protected outlets for monitors, printers, alarm clocks, sound-card power adaptors, etc. I ran the RJ-11 phone cord through the small UPS that only has the router and the primary server to thwart electrical charges from coming through at the DeMarc.
I also made sure to take up all slack on CAT-V cables so there was little cable left dangling that might attract the cat (feline type of device) to chew on it. Trust me: this is important if you have one of these biological devices with access to the server room. Just coil them up and use twisties to secure them (the CAT-V cables; not the cat).
I use my 2nd bedroom that has a stand-alone air-conditioner in it that keeps the temperature at 78 degrees so they don't overheat. Also, don't smoke (if you do) in the room you reserve for your machines. I have one of these machines (can you guess which) in a different room with a 19" monitor that I use for all my other needs.
Lastly, I'm using Multi Router Traffic Grapher (MRTG) to keep an eye on things and check it in the morning to make sure no one's using the DSL router, but, me. A quick check on traffic usage, and, then, another check to make sure there are no machine crashes lets me start the day. Then, I start by checking mail to deal with the port-scanners, my customers, and, make my tour of the latest security news.
Linux rocks!!! www.dedserius.com -
missing laptop
Yahoo has the story about the "missing" laptop here . It seems that A Defence Ministry laptop computer packed with national security secrets had gone missing after an official left it in the back of a taxi. The official had notified police about the missing laptop but nothing has come out of it. Anyway as the story said this is not the first time: In March last year there were reports that agents of MI5, the domestic security service, and MI6, the overseas security service, had lost laptops containing secret information.
-
Re:NTP kicks ass!
University of Delaware NTP is indeed nice software, however if you run it under linux or any x86 arch, be aware that a hole was found last week. A "panic fix" is available, but a stable fix is not yet available. Indeed, I saw a post on comp.protocols.time.ntp today where it was confirmed that the quick panic fix had in fact introduced new bugs. Here's the CERT advisory and the original Bugtraq post that started it all.
Part of me is incredulous that slashdot staff would recommend installing a system daemon with a known unfixed vulnerability, but hey, these guys aren't journalists, and have no obligation to us.
Actually, now that I look at it, my parent post seems to be making an allusion to being hacked due to running NTP on a home linux box hosted on a DSL line. Not bad, but parent has a long way to go before getting close to the subtlety of a real USENET troll.
-
this reminds me of another story
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
this article was about that big internet security audit, around week three there is a story of a security intrusion originating from a smb server that everyone forgot about, sitting in an isp in australia. may as well have been behind a fucking wall. wonder if anyone had done one of these.
.brad
Drink more tea
organicgreenteas.com -
Re:Maybe there's another explanation?
I haven't seen any DNS problems until today but I have noticed others complaining. I run my own DNS servers at home that forward to various ISPs and finally fall back to the root servers, so I expect I am fairly immune to localized problems.
But today I have been unable to resolve opensource.org either from home or from work.
I wonder how many of these problems are as a result of these canned 'sploits against bind. I see 5-10 port 53 probes a day against my home network. (In general I think these no-brains attacks are getting much more common. Sunday saw a Windows unicode attack against my apache server :-) )
We might see even more fun with this latest ipfilter problem. People who previously thought they were safe because their nameservers wouldn't respond to external queries due to firewall rules might find themselves suddenly vulnerable again. A fragmentation attack against IP Filter
-
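A tally like the "5-10 port 53 probes a day" mentioned in the post above can be pulled straight out of the gateway's firewall log. The script below is an added example written for this page, not code from any poster or product; it assumes iptables LOG-target style syslog lines (the `SRC=`, `PROTO=`, `DPT=` fields) and every log line in it is constructed sample data using the documentation address ranges 192.0.2.0/24 and 198.51.100.0/24. It counts packets aimed at port 53 per source per day and flags sources that come back on more than one day, which is the slow-scan pattern worth a second look rather than a single stray query.

```python
"""Added example: tallying DNS (port 53) probes from firewall log lines.

Illustrative code written for this page. The log format is the iptables
LOG-target style; every line in SAMPLE_LOG is constructed sample data using
documentation address ranges (192.0.2.0/24, 198.51.100.0/24).
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
Jun  3 01:12:04 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=3412 DPT=53 SYN
Jun  3 01:12:05 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=3413 DPT=53 SYN
Jun  3 02:40:17 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=53
Jun  3 02:41:00 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=1025 DPT=80 SYN
Jun  3 09:15:30 gw kernel: IN=ppp0 OUT= SRC=192.0.2.200 DST=198.51.100.7 PROTO=TCP SPT=2048 DPT=53 SYN
Jun  4 00:03:11 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=4001 DPT=53 SYN
"""

# syslog timestamp, host, then the kernel LOG fields we care about.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) \S+ \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract date, source address, protocol and destination port,
    or None for a line that is not a firewall LOG entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "date": f"{m['mon']} {int(m['day'])}",
        "src": m["src"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def dns_probes(log_text, port=53):
    """Return {date: Counter(src -> hits)} for packets aimed at `port`."""
    per_day = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dpt"] == port:
            per_day[rec["date"]][rec["src"]] += 1
    return per_day


def daily_totals(per_day):
    """Total probe count per day, the number the post quotes."""
    return {day: sum(c.values()) for day, c in per_day.items()}


def repeat_offenders(per_day, min_days=2):
    """Sources seen probing on at least `min_days` distinct days:
    a slow, deliberate scan rather than a one-off stray packet."""
    days_seen = Counter()
    for counter in per_day.values():
        for src in counter:
            days_seen[src] += 1
    return sorted(s for s, n in days_seen.items() if n >= min_days)


if __name__ == "__main__":
    probes = dns_probes(SAMPLE_LOG)
    for day, total in sorted(daily_totals(probes).items()):
        print(f"{day}: {total} port-53 probes from {len(probes[day])} sources")
    print("seen on multiple days:", repeat_offenders(probes))
```

Only the destination port is matched, so the UDP query from a source port of 53 (the classic "pretend to be a nameserver reply" pattern) is counted alongside the TCP SYNs; the port-80 line is ignored. Pointing `dns_probes` at a real `/var/log/messages` needs no change beyond reading the file.
-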
someone@somewhere.com statistics.
This was on the securityfocus incidents list the other week.
In the past two months somewhere.com has received over 300,000 misdirected mail messages.
Source: http://www.securityfocus.com/archive/75/173123
In the past 24 hours my top ten is
786 someone@somewhere.com
107 name@somewhere.com
85 somebody@somewhere.com
78 me@somewhere.com
78 nowhere@somewhere.com
70 bounced@somewhere.com
65 kelly@somewhere.com
63 somone@somewhere.com
61 PianoMan52357298@somewhere.com
50 something@somewhere.com
--
Simon -
underlying factorizations
:: http://www.terroristsupply.com
::
And we're supposed to trust a site which proudly displays this on their front page? Maybe the author should've written a better article and submitted it to SecurityFocus and the Associated Press.
Just because this may or may not affect Ameritech, it has nothing to do with news being posted here. Imagine if /. accepted every single security based qualm in the world; we'd have no room for linux or MS stuff, homeslice ;)
-
/. at its best
Slashdot just can't let the opportunity to smear MS go by. Is this really news? MS has a big security hole in one of their products. Does this surprise anyone?
But when the 2.2.x kernels have a _BIG_ security hole that allows users to exploit it against _ANY_ SUID binary, well that must not be news worthy...
-
What am I missing?
After looking over the ARIS site, I'm left with a bunch of questions.
First, what the heck is the definition of an "incident"? Their FAQ doesn't indicate what this means. If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000? It sounds like AOL's goofy customer count: "Here, set up seven screen names so that we can claim you're seven different customers."
Secondly, does handing all your log files over to these guys remind anyone of the movie The Net? How do we know SecurityFocus can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus? What does this service do for us?
-
Probably not.
In fact, they're creating the biggest repository of cracker data on the Web!! If they get compromised, everybody using their services will be painted in red as potential targets.
As it says in their FAQ :
1) ...your account information is stored separately from the IDS logs you submit for analysis...
2) ...You always have the choice of how much information you wish to send. You may decide to strip address information when cleaning logs in ARIS extractor...
Also, they only know who you are if you choose to tell them, and, even so, that information is stored separately from the attacks on your system.
but you can't be too careful... Amen to that. -
Re:It can be nasty....
Which is totally useless if the rootkit hides itself by loading a kernel module.
For the goatse.cx wary, go to www.securityfocus.com and search for "Analysis of the KNARK rootkit". -
Did they finally make it secure?
PalmOS 4.0 claims that it would have "enhanced security - Put an automatic lock on your handheld ..". Have they finally done something to PalmOS so that you get some REAL protection for the information in the Palm, or is this just an "improved" version of the old password system? If so, it would be nice to have that single feature as a security upgrade for PalmOS 3.3 and PalmOS 3.5 Palms, since a complete PalmOS upgrade seems to be history.
Then again, if Palm doesn't consider it worthwhile to create a security upgrade for old PalmOS versions, we can always use our money for one of those Linux or *BSD based PDAs when it's time to buy a new PDA. With those, you have a little bit more options regarding updates and such...
P.S. Yes, I am aware of GNU Keyring for PalmOS project, but it won't protect calendar and todo entries that I have in standard PalmOS applications.
-
Focus on *correct* technique.
I agree with your idea of focusing on the fundamentals instead of new, trendy languages, but I think it should go even one step further; we need to focus on using the fundamentals *correctly*. The vast majority of security problems are due to easily avoidable mistakes that fall into categories that have been familiar for years. Lyons was talking about race conditions back in 1983, and we still see them. I attended a security conference last year where the speaker said he had sat in on several different Boston schools' introductory programming classes, and they all taught students to use insecure techniques when they code. His recommended solution was to start a "visiting professor" program where people with real world security experience would come to a school for a few months to teach beginning coders how to do things safely.
-
"Insider" security
What really pisses me off about this is that there is not a single bit of information on what is vulnerable... Guardent claims they 'wanted to make the public aware of the problem while working with vendors', but what other information than 'Guardent is great' has been released?
I still don't know which of my systems are vulnerable and which I can securely leave on the net, assured that no one is misusing them as a DDoS tool without me being able to do something about it (and no, you can't require IPSEC for people connecting to a web server).
If Guardent doesn't release the details, they could at least tell us what systems are affected before touting this as a 'major problem'.
-- -
Re:Bulk images
Nope. There are a bunch of civilians working for the police sitting in front of 20 monitors; and the majority of footage is never watched, just stored for a few months in case it needs to be looked back over in future.
Having said that, I believe trials are in progress of face-recognition software. Course (pardon the troll :) that could only happen here in the UK, right? You'd never get that sort of thing in the freedom-loving USA...
--
If the good lord had meant me to live in Los Angeles -
refocus
An estimated one-third of all shopping cart applications at Internet retailing sites have software holes that make them vulnerable to the price switching scam, said Peggy Weigle, chief executive of Sanctum, a security software company in Santa Clara, Calif.
Well they could have done a favor and posted some of the software in question, this way people who are using this software can make a switch.
"Thieves are coming in the front door," Weigle said. "A lot of security products have been geared to the network level, not the application level."
This is why forums such as Security Focus exist. They shed light on security based products. Programmers however, should be held accountable for creating a boon of shoddily written programs without doing extensive research into security.
Here's how it works: After choosing a product and receiving pricing information, a hacker can use a standard browser's "edit page" feature to show the hidden HTML code on the page. The thief then saves the page to his computer, alters the price information and then hits the "publish" key on the browser. In many cases, that page is then accepted by the shopping cart software - and that $999 watch becomes a $3 special.
Publish!! Sounds to me like she means Microsoft Front Page. Again these concerns should be assessed by first: The programmers creating a slew of poorly written programs, second the administrators responsible for making sure their servers, and software is secure and all the permissions are set on files.
The problem isn't just in the U.S. - an estimated 40 percent of all e-commerce sites in the U.K. are susceptible to the price changing glitch, according to Saalim Chowdhury, CEO of e-commerce software development company Alphakinetic, which has been studying the flaw.
Studying a problem should be one of the steps but removing it should be the first.
Oh well we all get the point.
CIA vs. Jews -
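The "edit the hidden price and resubmit" scam quoted in the post above works only because the checkout handler believes a price the browser sent back. Below is an added example written for this page, not code from any of the vendors or sites named; the catalogue, SKUs, prices and form posts are all constructed. It puts the vulnerable handler beside the hardened one (price looked up server-side from the SKU, submitted price ignored, quantity bounds-checked) and adds a small detection hook that flags any submission whose client-side price disagrees with the catalogue, which is exactly the fingerprint of a tampered page.

```python
"""Added example: hidden-field price tampering in a shopping cart checkout,
the vulnerable handler beside the hardened one.

Illustrative code written for this page, not code from any product mentioned.
CATALOG, the SKUs and the form posts are constructed sample data.
"""
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOG = {
    "watch-999": Decimal("999.00"),
    "strap-12": Decimal("12.00"),
}

MAX_QTY = 100


def vulnerable_total(form):
    """Trusts the price the browser sent back in a hidden form field.

    A buyer who saves the page, edits the hidden 'price' input and
    resubmits it is charged whatever they typed.
    """
    return Decimal(form["price"]) * int(form["qty"])


def hardened_total(form):
    """Looks the price up server-side; the client only names the SKU.

    Any submitted 'price' field is ignored entirely. Unknown SKUs and
    out-of-range quantities are rejected rather than silently defaulted.
    """
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def price_mismatch(form):
    """Detection hook: True when a client-sent price disagrees with the
    catalogue, the signature of an edited-and-resubmitted page. Worth
    logging and alerting on even once the total no longer trusts it."""
    sku = form.get("sku")
    if sku not in CATALOG or "price" not in form:
        return False
    try:
        return Decimal(form["price"]) != CATALOG[sku]
    except InvalidOperation:
        return True  # unparsable price is tampering too


# Constructed form posts: an honest checkout and a tampered one.
HONEST = {"sku": "watch-999", "price": "999.00", "qty": "1"}
TAMPERED = {"sku": "watch-999", "price": "3.00", "qty": "1"}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_total(TAMPERED))  # the $999 watch rings up at 3.00
    print("hardened:  ", hardened_total(TAMPERED))    # 999.00, submitted price ignored
    print("tampered?  ", price_mismatch(TAMPERED))    # True
```

The same rule covers every other client-controlled field that carries a business decision (discount codes, shipping cost, currency): treat the form as a set of choices keyed to server-side data, never as the data itself. Keeping `price_mismatch` in place after the fix turns each attempt into a log line instead of a silent failure.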
Re:See Boondocks this week - UPDATE
The Register is carrying this article on Boondocks' (origin: SecurityFocus.com) take on Napster, RIAA, Judge Kaplan, DeCSS and First Amendment rights. Aaron McGruder's Boondocks has earned a prominent place in my heart's comic strip division.
The strips:
--
-
lcap is screwed, or your system
according to this bugtraq post, lcap is not that secure, you can easily reset capabilities if you have CAP_SYS_RAWIO enabled, which gives you access to
/dev/kmem. if you disable it, you won't be able to run X and a bunch of other apps. but on servers this shouldn't be a problem... -
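The point of the post above is that dropping capabilities only helps if CAP_SYS_RAWIO (and, for the module route, CAP_SYS_MODULE) is genuinely gone, since either one gets a process back to kernel memory. Below is an added example written for this page, not lcap's own code; lcap worked on the global cap-bound sysctl of 2.2/2.4 kernels, whereas this check reads the per-process masks that current kernels report in /proc/<pid>/status, with CapBnd as the set that nothing the process execs can ever regain. The two status excerpts are constructed, and the capability bit numbers come from linux/capability.h.

```python
"""Added example: auditing whether CAP_SYS_RAWIO / CAP_SYS_MODULE are still
reachable, by decoding the capability masks in /proc/<pid>/status.

Illustrative code written for this page. lcap itself toggled the 2.2/2.4
global cap-bound sysctl; modern kernels keep a per-process bounding set,
reported as CapBnd. FULL_ROOT and LOCKED_DOWN are constructed excerpts.
"""
import re

# Capability bit numbers from linux/capability.h (partial table; unknown
# bits are reported as cap_N).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
}
CAP_SYS_MODULE = 16
CAP_SYS_RAWIO = 17


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int, 'CapBnd': int, ...}
    from the text of /proc/<pid>/status (hex masks, one per line)."""
    masks = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M):
        masks[m.group(1)] = int(m.group(2), 16)
    return masks


def decode_caps(mask):
    """Sorted names of the capabilities set in a 64-bit mask."""
    return sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1)


def kernel_memory_reachable(status_text):
    """True if CAP_SYS_RAWIO or CAP_SYS_MODULE is still in the bounding set.

    CapEff alone is not enough to check: a set-uid exec can re-acquire
    anything CapBnd still permits, so only absence from CapBnd means the
    /dev/kmem and module-loading routes are really closed.
    """
    bnd = parse_cap_masks(status_text).get("CapBnd", 0)
    return bool(bnd >> CAP_SYS_RAWIO & 1 or bnd >> CAP_SYS_MODULE & 1)


# Constructed: a root shell on a box where nothing was dropped (bits 0..40).
FULL_ROOT = (
    "CapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
)
# Constructed: the same after bits 16 and 17 were cleared from every set.
LOCKED_DOWN = (
    "CapInh:\t0000000000000000\nCapPrm:\t000001fffffcffff\n"
    "CapEff:\t000001fffffcffff\nCapBnd:\t000001fffffcffff\n"
)

if __name__ == "__main__":
    for label, text in (("full root", FULL_ROOT), ("locked down", LOCKED_DOWN)):
        print(label, "-> kernel memory reachable:", kernel_memory_reachable(text))
    # On a live Linux box, audit the current shell the same way:
    # kernel_memory_reachable(open("/proc/self/status").read())
```

The check is deliberately about the bounding set rather than the effective set: the post's complaint is that capabilities were "reset", and a mask that looks restricted in CapEff while CapBnd still carries bits 16 and 17 is exactly the state in which that is possible.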
Re:ctrl-alt-del to invoke DLL of choice
It was written:
Using that key sequence to bring up a login dialog effectively prevents the "false login screen" style of password sniffers. If one of those were running, you'd press C-A-D to login, and get the wrong screen, so immediately you'd know something was wrong.
I feel that I should say something strongly worded and possibly obscene, but I really bear you personally no ill will; this misunderstanding is easy enough to make (once).
The fact is, though, that this is simply and utterly as untrue as saying that rot13 is encryption. For the actual MS documentation on how to write a logon replacement window, see the msdn site. For some preliminary information on a windows NT rootkit observed in the wild which intercepts the login screen, see the archives of the incidents mailing list. (Some of the followup posts are very helpful; use the thread index)
One thing I do hope is that Microsoft can be forced to admit that the little helpful info tip they give on Win2k logon screens about keeping your password secure with Ctrl-Alt-Del is about as close to a total lie as is possible.
-
Re:I'm glad someone finally did this
Windows file sharing is so fucking stupid -- why on earth would they set it up so the default share is "all users: full access"?
I have no idea what the default setting is, because I don't use Windows. But according to the folks at ShareSniffer, this is not true: "Microsoft Windows by default will not expose files to the Internet. It has to be consciously configured to expose files to the Internet."
Jamie McCarthy
-
Re:DSS is what?
The Security Focus article at http://www.securityfocus.com/templates/article.html?id=143 and slashdot article at http://slashdot.org/article.pl?sid=01/01/25/1343218&mode=thread tell about what happened fairly well. -
Bzzzt... Encryption mandatory
The announcement email indicates that sensitive communication will be encrypted:
Requirements of bind-members will be:
1. Not-for-profit members can have their fees waived
2. Use of PGP (or possibly S/MIME) will be mandatory
3. Members will receive information security training
4. Members will sign strong nondisclosure agreements
-
Linux vs. Microsoft OS + Its Software
"And the recent security problems with Linux, coupled with the lack of key enterprise elements in the new kernel, really call into question whether Linux should be used at all," Miller added.
I find it quite amusing that Miller is citing examples based on 3rd party applications, commonly bundled with the Linux kernel. Microsoft should be eating its own words -- I have no doubts that the security advisories for ActiveX, IIS, etc. definitely exceed those of the Linux kernel itself. It's funny how MS really has no choice but to point the finger at Linus Torvalds, when third party applications make up the popularity of Linux (distributions), while Win2K, IIS, Exchange, etc. flaws all point back to MS.
- Slash -
Re:IBM not ignored...
Also, that link about the BIND problem calling it a linux problem only has me wondering about the credibility of this article... Sure, linux runs BIND, but don't a few other OSs run it, too?
Not to mention that it's a problem pertaining to older versions of BIND...anything reasonably current isn't affected. (I'm using BIND 9.1 on my home server.)
There's also the small matter of BIND!=Linux (other systems that use old versions of BIND are also vulnerable, and other nameservers (such as djbdns) are available for use under Linux), but since when do FUD-spreaders let such small things as the truth get in the way?
Given the holes I've seen in out-of-the-box NT Server installs (like a sieve) compared to most out-of-the-box Linux installs, Microsoft is the pot that's calling the kettle black.
-
Security Issues
"And the recent security problems with Linux, coupled with the lack of key enterprise elements in the new kernel, really call into question whether Linux should be used at all," Miller added.
But we should all remember that Windows has a rock solid security system, and you'd never read anything bad about it.
This, and this are really just figments of your imagination.
-
Obligatory de-FUD-ing...
I'm sure everyone's caught this one, but I've only seen it mentioned once so far; I wonder if it's an error on Wired's part or Mr. Miller's?
"And the recent security problems with Linux, coupled with the lack of key enterprise elements in the new kernel, really call into question whether Linux should be used at all," Miller added.
Now, if you were smart enough to remember that you were reading a web page and not a paper article, you'd find at the other end of the provided link a notice on SecurityFocus... for BIND.
Yes, BIND. Not "Linux", not the kernel; one network service which, AFAIK, has been around a lot longer than Linux has.
I find it funny that the Wired article also links to the article about Microsoft's network outage, due to... wait for it... a problem with their DNS servers! I would love to know if the problem with their DNS was due to a similar bug/exploit as the one Mr. Miller (or Wired) tries to take shots at Linux for.
Other than that amusing tidbit, I just find the article a total non-issue. Gee, a major software vendor claims that its biggest rival (or some upstart flash-in-the-pan, depending on which side of the PR department you're talking to) isn't all it's cracked up to be. Truly, a moment to be entered into the history books...
Jay (=