Slashdot Mirror

So with Gnome 3 to configure it you need the control panel, which comes built in. Except that is highly limited and doesn't include the ability to do basic things like manage window buttons, modify icons to include command line options, etc. All basic things that every other GUI includes in the control panel/properties of icons/etc.

What you will need to manage Gnome 3: the gnome teak tool, gnome extensions, and alacarte to modify icons. Except alacarte is broken, and has been broken since about August of 2011. So you'll need to copy text files into your home dir and edit them by hand to have custom command line options for icons. I cover all the gory details on F17 here:

http://kurt.seifried.org/2012/06/01/making-fedora-17-gnome-3-work-you-cant-its-completely-broken/

TLDR: customizing Gnome 3 is a disaster. It's not that configuration options are hidden, they simply aren't present, you'll need additional tools, one of which is totally broken.

Or much simpler (in my case): 1) Up and coming author puts his first books on the net for free, hoping to gain readership. http://www.seifried.org/lasg/ 2) Author is offered weekly column by company, after 2 months author is offered another weekly column by same company, after another 2 months author is offered large contract. 3) Author works as full time technical writer for next 11 years for various companies based on the strength of the work he gives away 4) Author posts to slashdot.

So you think that Ellison, Schneier, Gutmann and Seifried are uninformed morons who are completely clueless about crypto and are making wild claims?

Like I wrote back in 2001 Hiring hackers - why it might not be a good idea

There has been a long, ongoing debate about this issue, and recently it has resurfaced in public. Should companies hire hackers convicted of computer crimes? The general theory is that these "hackers" are elite commando style computer security experts that can tighten up your network in a weekend marathon of pizza and pop. Often nothing is further from the truth.

The first concern I would have is: are these people really any good at computer security? Now this may sound like a rather silly question, but it bears asking. The most obvious clue would be that they have been caught and convicted of a computer related crime. If they are such great "hackers" why did they get caught? Kevin Mitnick, a very famous hacker, was caught several times, and spent time in jail. Most hackers possess very little actual skill. They simply follow in the footsteps of others. It is very easy to download precompiled exploit scripts from sites such as rootshell and then use them to break into systems. Even assuming for a moment that this person has any advanced computer security skills related to breaking into networks, this does not mean they have the skills needed to secure networks. It is one thing to find a weakness and exploit it, but it is an entirely different matter to fix it properly.

Securing a network takes a lot more then plugging a few technical holes. Even if I were to walk into your network and fix every single existing problem, it would not make your network secure. Security is a procedure with many steps, assessment, definition of needs, planning, implementation, review, and so forth, which amounts to a never ending cycle. Even if you hire a brilliant hacker that secures you against all known attacks, new problems will crop up. Even if your hacker has these qualities, their ethics are extremely questionable. There is a famous saying among lawyers: "never put a perjurer on the stand", which boils down to "if you know he's lied before, chances are, he might do it again". How can you trust your newly hired hacker not to slip backdoors into the system that they might later exploit. While it is true that any trusted employee might try to do something like this it certainly seems silly to put yourself in a higher risk category.

A company has a fiduciary responsibility to stockholders. They are entrusted with their stockholders' money and are expected to make decisions that will increase it without unnecessary risk. Engaging in high risk behavior means legal liability. For example, would it be reasonable to sue the corporation for not taking proper care and responsibility in hiring someone they know to have offended before? Considering the position of trust most security administrators are placed in (they have administrative access to servers, monitor users' network usage, read incoming and outgoing e-mail and so on) is it really wise to hire these people? A person with administrative access to a server, or physical access to the network can break into systems and leave backdoors with nary a trace. Would you expect a bank to hire criminals convicted of armed robbery to transport money on the grounds they know what to look out for? Would you hire a burglar to install the alarm system for your house?

While it would be nice if all criminals that got caught were rehabilitated, used their skills for good rather than evil, and never offended again, this is not a perfect world. By breaking the law, for whatever reason (curiosity, maliciousness, etc.) they have chosen to violate rules generally accepted in most countries and societies. They have (at a bare minimum) shown poor decision making, and while they may not specifically want to re-offend, they may be tempted by a short term gain and take a chance (as they have in past).

Summary

While it is possible to find a convicted hacker with the skills you want, it is exceedingly ra

I'm still waiting.

Seriously, under what legal theory is this proceeding? With all due respect for the author, I just read the original license.. We, uh, probably should have gone with a "this license may be revoked at any time" sort of license rather than the GPL.

Didn't Tatu of SSH fame attempt to suppress previous versions? Lot of respect for SSH and Tatu, no respect for changing of minds on licenses.

Information doesn't want to be free. Commercial/Open/Public domain licensure is a decision we all must make

Read the first line Hello World, the numbers 51596 correspond to:
http://www.seifried.org/security/ports/51000/51596 .html

Summary

VMware is an invaluable tool for investigators wishing to deploy honeypots for research purposed, or as early warning devices. But like most complex tools it can end up creating a lot of unneeded work, or even maiming your foot if you are not careful. Fortunately VMware is relatively straightforward to use, and there are a number of simple techniques that will make life much easier when performing a forensic analysis of a honeypot running under VMware.

Relevant links:
http://lists.seifried.org/pipermail/security/2005- May/008466.html
http://www.computerterrorism.com/research/ie/ct21- 11-2005
http://www.computerterrorism.com/research/ie/poc.h tm

http://www.seifried.org/security/ports/0/79.html

"Common client(s): finger"

While not directly a content management system (or rather it is a CMS, but aimed heavily at the Encyclopedia market) it does very well as a CMS for pretty much any application. I use mediawiki to handle about ... well let's ask my Mediawiki:

http://www.seifried.org/security/index.php/Special :Statistics

"There are 13,208 total pages in the database. This includes "talk" pages, pages about Seifried Security Site, minimal "stub" pages, redirects, and others that probably don't qualify as content pages. Excluding those, there are 11,475 pages that are probably legitimate content pages."

Well there ya go. Setup takes about 5 minutes if you have a working UNIX/Linux/BSD server with Apache, MySQL and PHP installed.

http://en.wikipedia.org/wiki/MediaWiki

http://meta.wikimedia.org/wiki/MediaWiki

Actually port 445 is CIFS, Common Internet File System, it replaces SMB.

http://www.seifried.org/security/ports/0/445.html

Actually port 445 is CIFS, Common Internet File System, it replaces SMB.

http://www.seifried.org/security/ports/0/445.html

Next time you have to deal with this feel free to point them at:

Microsoft Windows Security Anti Spyware Quick Reference Card

Click here for the printable version.

Next time you have to deal with this feel free to point them at:

Microsoft Windows Security Anti Spyware Quick Reference Card

Click here for the printable version.

You can exclude them from your website using the robots.txt:

User-agent: ia_archiver
Disallow: /

For example if you go to archive.org and plug my site into the wayback machine:

We're sorry, access to http://www.seifried.org/ has been blocked by the site owner via robots.txt.

and you can also request them to expunge your site from the archive.

They go out of their way to make it easy to prevent your site being copied (more so then most search engines).

Let me know when the apache.org website is cracked. That would be the FOSS equivalent to this incident IMO

okay

The news here is that it wasn't just a vulnerability published, nor a proof of concept, it was a full fledged crack attack against one of the sites that represent the corporation itself.

And how is this not equivalent?

They want to pretend like security is something that can be applied like a coat of paint, but in the end, incidents like this prove that it's the same old crap rolling out of Redmond.

I'm not arguing that Microsoft does a good job of producing secure systems (it's really unrelated to this thread, but I'd say that they have poor security practices, too-complex-to-secure systems, APIs that lend themselves to insecure programming practices, and an unfortunate tendency to twist "security" to mean "DRM"). I'm arguing that a website defacement is not a good argument against a company's software.

From the advisory:

The JPEG parsing engine included in GDIPlus.dll contains an exploitable buffer overflow. When a specially crafted JPEG image is accessed through the Windows XP shell, a buffer overflow occurs potentially allowing an attacker to run arbitrary code on the affected system. Due to the pervasiveness of the affected dll there may be other vulnerable attack vectors.

For the full advisory please see: http://lists.seifried.org/pipermail/security/2004- September/004765.html

According to http://lists.seifried.org/pipermail/security/2004- August/004631.html and http://www.blackboxvoting.org/?q=node/view/78, there is even more than just missing security in the Diebold election machines. If these are true, than Diebold might have more troubles than it seems so far.

I've written an article on this topic covering about a dozen alternatives, it's available at:
http://www.seifried.org/security/redhat/20031230-r edhat-support.html.

Your basic options are:

Continue using Red Hat Linux 7.x and 8.0
Continue using Red Hat Linux 9
Red Hat Advanced Workstation
Red Hat Advanced Server and Enterprise Server
Red Hat Fedora Linux
WhiteBox Linux
SuSE Linux
SuSE Linux Enterprise
Mandrake Linux
Mandrake Linux Enterprise
OpenBSD
FreeBSD
Solaris for Intel and Sparc
Windows 2003
Mac OS X Server

I've covered a much larger set of options including Debian, SuSE, Mandrake, Red Hat Enterprise, the Progeny transition service, etc, etc. The article is available at: http://seifried.org/security/redhat/20031230-redha t-support.html.

It's also available on a rented slashsite, which I doubt can take a slashdot style beating, but if you want to post comments feel free: http://security-site.seifried.org/article.pl?sid=0 3/12/31/067227.

The solutions I cover include:

• Continue using Red Hat Linux 7.x and 8.0
• Continue using Red Hat Linux 9
• Red Hat Advanced Workstation
• Red Hat Advanced Server and Enterprise Server
• Red Hat Fedora Linux
• WhiteBox Linux
• SuSE Linux
• SuSE Linux Enterprise
• Mandrake Linux
• Mandrake Linux Enterprise
• OpenBSD
• FreeBSD
• Solaris for Intel and Sparc
• Windows 2003
• Mac OS X Server

I've covered a much larger set of options including Debian, SuSE, Mandrake, Red Hat Enterprise, the Progeny transition service, etc, etc. The article is available at: http://seifried.org/security/redhat/20031230-redha t-support.html.

It's also available on a rented slashsite, which I doubt can take a slashdot style beating, but if you want to post comments feel free: http://security-site.seifried.org/article.pl?sid=0 3/12/31/067227.

The solutions I cover include:

• Continue using Red Hat Linux 7.x and 8.0
• Continue using Red Hat Linux 9
• Red Hat Advanced Workstation
• Red Hat Advanced Server and Enterprise Server
• Red Hat Fedora Linux
• WhiteBox Linux
• SuSE Linux
• SuSE Linux Enterprise
• Mandrake Linux
• Mandrake Linux Enterprise
• OpenBSD
• FreeBSD
• Solaris for Intel and Sparc
• Windows 2003
• Mac OS X Server

My company has over a dozen Red Hat servers, about $900 a year in RHN seats. That's $900 a year Red Hat's getting just for providing us updates, no support.

We're migrating slowly to Debian since this latest Red Hat policy change was announced.

This article pretty much sums up what I am facing.

I would have to say that VMWare is a pretty heavyweight solution for most needs. If you've got the time to properly make use of a honeypot, maybe you've also got the resources and skills to make VMWare worthwhile. On the other hand, check out Honeyd, a small daemon that can emulate an entire Honeynet easily on one box. This may be a better solution for you, depending on your needs.

Check out this page for the basics, this thread over at insecure.org, and the Honeypot page at sourceforge.net has an interesting article on monitorting such honeypots. Good luck!

Most major vendors (with the notable exception of Debian =( ) sign packages using GNuPG. You can check these signatures using rpm. There is no need to get Eric raymond to sign stuff (and he's supposed to read all the source code, then build all the packages on his own machines? excuse me?). I suggest reading the following two security advisories, which point out some mistakes that have been made, and one possible attack, but also largely corrected by vendors, and can be easily verified by users with minimal effort.

Devil in the details - why package signing matters

Red Hat 7.2 GnuPG signed RPM verification fails on distribution files

RPM PGP/GnuPG verification bug

Most major vendors (with the notable exception of Debian =( ) sign packages using GNuPG. You can check these signatures using rpm. There is no need to get Eric raymond to sign stuff (and he's supposed to read all the source code, then build all the packages on his own machines? excuse me?). I suggest reading the following two security advisories, which point out some mistakes that have been made, and one possible attack, but also largely corrected by vendors, and can be easily verified by users with minimal effort.

Devil in the details - why package signing matters

Red Hat 7.2 GnuPG signed RPM verification fails on distribution files

RPM PGP/GnuPG verification bug

Most major vendors (with the notable exception of Debian =( ) sign packages using GNuPG. You can check these signatures using rpm. There is no need to get Eric raymond to sign stuff (and he's supposed to read all the source code, then build all the packages on his own machines? excuse me?). I suggest reading the following two security advisories, which point out some mistakes that have been made, and one possible attack, but also largely corrected by vendors, and can be easily verified by users with minimal effort.

Devil in the details - why package signing matters

Red Hat 7.2 GnuPG signed RPM verification fails on distribution files

RPM PGP/GnuPG verification bug

Interview with Elias Levy (Alpeh1)

Bugtraq is probably the best security mailing list around. However while the quasi-founder (technically Aleph1 didn't start Bugtraq as I was surprised to find out) is quite prominent online I wasn't able to find any detailed information about him or Bugtraq (except for one old interview). So here for you to enjoy is an interview with Aleph1.

Kurt: Where does the name Aleph1 come from?

Elias: Its comes from transfinite mathematics. There exists many "infinite" numbers or sets. The first infinite number is small omega or alef null. It is also called countable infinity. Many infinite sets can be mapped one-to-one with each other. For example, the set of all natural numbers can be mapped one-to-one with the set of odd natural numbers. Yet one is a subset of the other. Both these sets are said to have a cardinality of alef null. Alef One is the first cardinal number after alef null (i.e. the first set that cannot be mapped one-to-one to a set of cardinality alef null).

Click here (http://www.seifried.org/security/articles/2001101 5-elias-levy-interview.html) for more.

Interview with Elias Levy (Alpeh1)

Bugtraq is probably the best security mailing list around. However while the quasi-founder (technically Aleph1 didn't start Bugtraq as I was surprised to find out) is quite prominent online I wasn't able to find any detailed information about him or Bugtraq (except for one old interview). So here for you to enjoy is an interview with Aleph1.

Kurt: Where does the name Aleph1 come from?

Elias: Its comes from transfinite mathematics. There exists many "infinite" numbers or sets. The first infinite number is small omega or alef null. It is also called countable infinity. Many infinite sets can be mapped one-to-one with each other. For example, the set of all natural numbers can be mapped one-to-one with the set of odd natural numbers. Yet one is a subset of the other. Both these sets are said to have a cardinality of alef null. Alef One is the first cardinal number after alef null (i.e. the first set that cannot be mapped one-to-one to a set of cardinality alef null).

Click here (http://www.seifried.org/security/articles/2001101 5-elias-levy-interview.html) for more.

Use shadow passwords. That way, a malicious web writer can't grab the encrypted passwords and try to break them. It's easy: "pwconv" is the (only) command to run if your system is relatively modern (this may be somewhat specific to the Linux implementation of the shadow password system?).

If you need to protect the users from each other, you might consider:

• Using Apache's suexec system. However, some people say that the system is so complex that there is risk of actually decreasing security due to misunderstandings; your milage may vary.
• If you use PHP, consider running it in 'safe mode'

Some general purpose Linux/unix related security links:

• The Security-HOWTO
• Kurt Seifried's Linux Administrators Security Guide (LASG)
• The IPCHAINS-HOWTO (packet filtering)
• The Firewall-HOWTO (rather out-dated)
• The World Wide Web Security FAQ

Finally: Keep your system up-to-date with the latest official patches. Consider joining the BugTraq mailing list.

the LASG is available here, a free 150+ page document on securing Linux.


-Kurt Seifried