Slashdot Mirror


Novell OpenSUSE Server Hacked

abelikoff writes "Both LinuxWorld Australia and SuSE Linux Forums report that the OpenSUSE website got hacked last night." This story was submitted quite a number of times.

329 comments

  1. Don't blame LINUX by Work+Account · · Score: 2, Insightful

    People always try to blame the software right away but usually it's poor administration.

    Linux is near-flawless in terms of security.

    --

    If you "get" pointers add me as a friend (116)!
    1. Re:Don't blame LINUX by Anonymous Coward · · Score: 2, Insightful

      "Linux is near-flawless in terms of security."

      so it could have been a linux flaw...
      buy you're right, on most pc's the weakest link is the user...

    2. Re:Don't blame LINUX by grub · · Score: 5, Insightful


      Linux is near-flawless in terms of security.

      You don't follow security mailing lists, do you? Most Linux distros have decent security but "near-flawless"?

      --
      Trolling is a art,
    3. Re:Don't blame LINUX by Anonymous Coward · · Score: 1, Insightful

      Could very well be poor setup/administration, you have a point!

      I have to note, I have not read the original article yet, so you may be 'spot-on' & it may note the very thing you point out. It usually is the case.

      However, you also cannot fully discount this, or problems like it, might actually be some completely NEW problem found in Linux itself, or rather, this particular distro (this goes for MS &/or Apple wares as well, not just Linux/Unix/BSD etc.)!

      (Man, because this happens ALL the time (browsers, apps, OS' & such of all types)... it's a real pain-in-the-A$$, but a fact of life today. One with SOME GOOD SIDES TO IT THOUGH, in that it points out flaws that may exist since someone used some particular method of penetration & it's now known if it was not before!)

      APK

      P.S.=> What 'spooks me'? Isn't the ones that are known, or found & exposed publicly (to get either MS, apple, or the numerous Linux vendors off their butts to do something about it etc. if needed)... but, the ones that do NOT talk about it period, & utilize vulnerabilities 'secretly', never publicly noting their methods (be they OS vulnerabilities, or apps like browsers etc.)... they're the TRUE danger imo... apk

      APK

    4. Re:Don't blame LINUX by Anonymous Coward · · Score: 1, Insightful

      Yeah.. I guess those various Kernel level vulns I've patched over the years didn't exist.

      Near flawless my ass.

    5. Re:Don't blame LINUX by dasunt · · Score: 5, Funny
      People always try to blame the software right away but usually it's poor administration.

      Isn't this the same flaw Windows has?

    6. Re:Don't blame LINUX by Anonymous Coward · · Score: 1, Insightful

      If the system makes it hard to secure, then it's not particularly effective.

    7. Re:Don't blame LINUX by Anonymous Coward · · Score: 0

      I would consider software that lets poor administration leave it open to vulnerabilities to have a major security flaw.

    8. Re:Don't blame LINUX by Reziac · · Score: 1


      Just for reference... Netcraft says the site was running Apache/2.0.49 for Linux/SuSE.

      Which part actually got hacked, the OS or the webserver itself??

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    9. Re:Don't blame LINUX by $RANDOMLUSER · · Score: 1

      Um, did he just use the word fanboy in a pejorative context?

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    10. Re:Don't blame LINUX by grub · · Score: 3, Informative

      Which part actually got hacked, the OS or the webserver itself??

      Only those Iranians and the SUSE people know :) Regardless, running something like OpenBSD with its hardened & chroot'd apache could mitigate a lot of the damage. ie.: make most files read only to the httpd process, etc etc.

      --
      Trolling is a art,
    11. Re:Don't blame LINUX by Anonymous Coward · · Score: 0

      IBM is the "biggest software company". Microsoft is only the biggest lawyer's office.

    12. Re:Don't blame LINUX by LeisureClass · · Score: 1

      That's right - blame SUSE for not adopting SELinux :)

    13. Re:Don't blame LINUX by LittLe3Lue · · Score: 1

      Nor does he follow history very well.

      If there is one thing we can learn from history, it's that anything flawless in its day has been proven flawed eventually.

      In the computer world it's only that much more of a smack in the face.

      Linux exploits are found all the time, and yes, maybe they are found less often, or fixed faster than on other operating systems (..maybe..) but they exist, and always will.

    14. Re:Don't blame LINUX by ScrewMaster · · Score: 4, Insightful

      The problem comes in when you are, yourself, an OS vendor. It's really hard (from a marketing/PR perspective) to have your site run a BSD when you happen to sell a major Linux distro. Or have a major online service you bought run Solaris when you happen to make Windows, for that matter. Customers (and potential customers) will rightfully wonder why you don't have confidence in your own product.

      --
      The higher the technology, the sharper that two-edged sword.
    15. Re:Don't blame LINUX by dave420 · · Score: 1

      Where are people like you when someone's harping on about microsoft security issues? :-P

    16. Re:Don't blame LINUX by at_slashdot · · Score: 1

      "Isn't this the same flaw Windows has?"

      Yes. But it's not the only one. Many people can say "I know how to configure Windows, I didn't get any virus or worm yet"

      I just say: wait till you get hit (it's "when" not "if") and then that will shatter any confidence you have in Windows and in your ability to secure it.

      --
      "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
    17. Re:Don't blame LINUX by Anonymous Coward · · Score: 0

      Ahahahaha.

      You're a moron.

    18. Re:Don't blame LINUX by Anonymous Coward · · Score: 0

      You know, I could say the same thing about Windows. It can be [in]secure, but poor administration can be to blame.

    19. Re:Don't blame LINUX by imipak · · Score: 1

      Hilarious, thanks for the best laugh I've had all week! :D

    20. Re:Don't blame LINUX by kimvette · · Score: 1

      It's a wiki. There was probably a clear text password that got "hacked" via a dictionary attack. Not really a hack, but defacement resulting from weak password policies, and not any flaw in the web server nor the software (wiki) itself. That's my theory anyhow, and it's true what others have already stated: the only ones who know are the vandals and the kind folks at Novell (SuSE).

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    21. Re:Don't blame LINUX by burnin1965 · · Score: 1

      Well, actually you can take the same steps in linux to mitigate damage when your server is compromised. But more importantly, it has more to do with taking those steps than running BSD versus linux. Before you start flaming take a look for yourself....

      http://defaced.projectgamma.com/
      http://www.zone-h.com/en/defacements

      burnin

    22. Re:Don't blame LINUX by Digital+Dharma · · Score: 3, Interesting

      Actually, I disagree. I've been running Windows networks for over a decade without a single virus or spyware infection. Interestingly, we've had a nearly identical amount of successful hacks on both our web-facing Windows and Linux machines. I would say I'm pretty much on par with the Linux admin in terms of skills and knowledge, and we are both in agreeance that no matter what you do, eventually you will get hacked. Just like you will eventually be a victim of some sort of crime in the Real World, if you spend enough time in it. With a combination of flaws and ignorance / mistakes, every OS under the sun is susceptible to penetration, regardless of how skilled the Admin is. Just ask the Linux admin at my place of work, who lost a server thanks to a vendor-coded exploit. It happens. Live, learn, patch and move on.

      --
      End of Line.
    23. Re:Don't blame LINUX by Anonymous Coward · · Score: 0

      Did they use the wiki to perform those SSH scans the article was about as well?

    24. Re:Don't blame LINUX by Anonymous Coward · · Score: 0

      Linux is near-flawless in terms of security.

      there are 3 remote roots in Apache that haven't even been hinted at on the public lists! use your elite chrooting, we can break that. use your haxor-proof UML, we can break that too. use your beloved gr-security, W^X, NX, we can break those too. you silly newbs. you have no idea how to play defense, since you are so clueless about offense.

    25. Re:Don't blame LINUX by Anonymous Coward · · Score: 0, Flamebait

      Many people can say "I know how to configure Linux, I didn't get any rootkit or scriptkiddie hack yet". I just say: wait till you get hit (it's "when" not "if") and then that will shatter any confidence you have in Linux and in your ability to secure it.

      Except you, at_slashdot. After your display of caveman-like ignorance about Windows, I'm sure Novell will hire you right off as their Linux security expert.

    26. Re:Don't blame LINUX by _Sprocket_ · · Score: 2, Insightful

      Yes, it is the same flaw. But don't worry. I understand that with all the new work in pricing schemes, DRM, aggressive disregard for industry changes, etc Microsoft will be eliminating a large number of users (and thus Admins), thus creating a much more secure Windows environment.

    27. Re:Don't blame LINUX by Anonymous Coward · · Score: 0

      Isn't this the same flaw Windows has?

      The flaw in that case is plugging in the Cat 5.

    28. Re:Don't blame LINUX by henni16 · · Score: 1

      Which part actually got hacked, the OS or the webserver itself??

      Didn't RTFA but another poster mentioned something like "the Wiki server was hacked".
      So I would put my money on an exploit of one of the recent Twiki vulnerabilities.
      I know some websites that got hacked because of them.

    29. Re:Don't blame LINUX by Krach42 · · Score: 1

      TWIHI (the way I heard it) Hotmail was running on FreeBSD, not Solaris.

      --

      I am unamerican, and proud of it!
    30. Re:Don't blame LINUX by kaligraphic · · Score: 1

      Yeah, Fluffy got kind of mad when I tried it, and fitting the other four cats in was certainly no cakewalk. And to top it off, I could have done it wirelessly!

      --
      You are standing in an open server west of a blue house, with a boarded front door. There is an Exchange mailbox here.
    31. Re:Don't blame LINUX by Anonymous Coward · · Score: 0

      Ironically, www.openbsd.org runs Solaris, as evidenced by their own FAQ.

    32. Re:Don't blame LINUX by Daengbo · · Score: 1

      "so it could have been a linux flaw...
      buy you're right, on most pc's the weakest link is the user..."

      Try as I might, I have no idea what this means. Could you repost in a standard form of English, please, so I can follow the discussion?

    33. Re:Don't blame LINUX by Halfbaked+Plan · · Score: 1

      Or have a major online service you bought run Solaris when you happen to make Windows, for that matter.

      Isn't the main (or one of the main) OpenBSD sites still running on Solaris?

      --
      resigned
    34. Re:Don't blame LINUX by despisethesun · · Score: 1

      Yes, but it's not actually their site. This link should sum it up fairly well. Basically they're taking advantage of the University of Alberta's available bandwidth and as such the main OpenBSD ftp is at the mercy of whatever OS the U of A decides to use. If I remember correctly, that same FTP hosted a ton of other OS ISOs. I distinctly remember getting a Slackware ISO from that site back in the day, and there are/were others, I'm sure.

      --
      This poo is cold.
    35. Re:Don't blame LINUX by Anonymous Coward · · Score: 0

      "Linux is near-flawless in terms of security."

      I'd hate to burst your bubble and all... but the only thing that fits your pedestalized impression of Linux is an unplugged computer.

      I love Linux and I use it everywhere (home, work, etc) but I am under no false illusions when it comes to its security. You need to be just as careful with Linux as you do with windows. Assertions like this are irresponsible and obviously come with little to no real security knowledge.

    36. Re:Don't blame LINUX by popejeremy · · Score: 1

      openbsd.org runs on Solaris and it hasn't hurt their image.

      http://www.openbsd.org/faq/faq8.html#wwwsolaris

    37. Re:Don't blame LINUX by Lucractius · · Score: 1

      The only OS I know with "near-flawless" security is OpenVMS and if you chose to call it dead so be it but think about what other OS you'd rather trust your Bank/insurance or your Hospital to run? Not only is it "unhackable" (don't believe me? Google for "OpenVMS unhackable Defcon 9" and you'll find the reports) it's also the most reliable.

      Who says the best software comes from open source never had software built not by "programmers" .. but by engineers.

      (don't pervert that quote with the phrase software engineer :P )

      --
      XML - A clever joke would be here if /. didn't mangle tag brackets.
    38. Re:Don't blame LINUX by sumdumass · · Score: 0

      I don't know of any automated rootkits or scriptkiddie hacks that can proliferate by themselves for linux. I may be wrong but at least with linux it would take someone actively working at exploiting the system. With windows, once it is figured out how to do, it is trivial to have a program search out and do it for you.

    39. Re:Don't blame LINUX by Reziac · · Score: 1

      I vaguely recall someone said the wiki was down, yeah, tho right now all you see if you go there (I did, from whoever's posted link) is "service is unavailable".

      opensuse.org itself is "normal" again as of this instant.

      My own feeling is that it's not necessarily bad that it got hacked, because now they know what needs fixing or reconfiguring, whether it was in the OS, the webserver, or whatever was actually infiltrated. It would only be bad if it doesn't get fixed.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    40. Re:Don't blame LINUX by ScrewMaster · · Score: 1

      TWIHI, Hotmail was running Solaris but I never personally checked it so I won't argue the point. But I was referring back to when Microsoft bought it, and I remember it was something of a black eye for Microsoft, PR-wise, when they weren't able to immediately scale Windows to replace what the original Hotmail service was running. Solaris, BSD, whatever.

      --
      The higher the technology, the sharper that two-edged sword.
    41. Re:Don't blame LINUX by Krach42 · · Score: 1

      Yeah, point remains the same no matter what they were using. Microsoft wanted to switch from a *nix, tried a few times, failed each time until the last.

      --

      I am unamerican, and proud of it!
  2. *sigh* by the-amazing-blob · · Score: 5, Insightful

    I still will never understand why people do stupid things like hack websites.

    1. Re:*sigh* by EvilMonkeySlayer · · Score: 3, Funny

      I've yet to understand what they said. The grammar and spelling were atrocious.

    2. Re:*sigh* by Anonymous Coward · · Score: 0

      Cuz now we are all talking about it. It's called "viral marketing."

    3. Re:*sigh* by jupiter909 · · Score: 5, Insightful

      Hacking websites is not stupid. It's proof of concept. It is often good when people hack/crack things, it forces for tighter control and security. If not for people hacking and cracking things we would not have things such as online shopping and ssh encryption etc. It is all part of a never ended life cycle. More often than not it is poor management/admin than the software/systems themselves. Human error.

    4. Re:*sigh* by the-amazing-blob · · Score: 4, Insightful

      But if nobody hacked anything, there wouldn't be a need for better security.

      I'm too idealist for my own good.

    5. Re:*sigh* by gowen · · Score: 2, Insightful

      You know, murders are good too, because they encourage us to employ smarter policemen and develop better forensic science.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    6. Re:*sigh* by TetryonX · · Score: 1

      Oh shush. These hacker folks are just a bunch of angry geeks. You know everyone who participated in the hack has no gf nor any chance of getting one.

      All the world needs is a little lovin :)

      --
      [!] No, I can't see my comments. They are not worthy of +3 moderation.
    7. Re:*sigh* by Anonymous Coward · · Score: 0

      12 year olds have to have *something* to do.

    8. Re:*sigh* by Transcendent · · Score: 1

      If not for people hacking and cracking things we would not have things such as online shopping and ssh encryption etc.

      Online shopping? What?! Seriously... what?!?

      As far as encryption, we wouldn't need it if no one "hacked", so your reasoning is flawed. It's like saying "bank robbers are good because it forces banks to have tighter security".

    9. Re:*sigh* by youknowmewell · · Score: 1

      If people didn't hack and crack things we wouldn't need high security and we could have higher security. It's like saying, "If not for thieves and rapists we wouldn't get these great locks on our doors." Bull, if we didn't have thieves and rapists we wouldn't need locks in the first place, and it wouldn't stop the good guys from getting in when needed.

    10. Re:*sigh* by youknowmewell · · Score: 1

      Meant to say, "we wouldn't need high security and we could have higher useability."

    11. Re:*sigh* by jayloden · · Score: 1

      If not for people hacking and cracking things we would not have things such as online shopping and ssh encryption etc.

      and we wouldn't need them, either.

    12. Re:*sigh* by aeoo · · Score: 1

      Don't label yourself "idealist", because that will create a false impression. I'd say, if anything, you are pragmatic.

      Essentially you're protesting this logic:

      "Everyone should once in a while punch a passerby, so that all people are forced to become better at self-defense. If we all punch each other, eventually we'll all be martial arts experts, and life will be safe."

      I think that challenging others only belongs in a debate or in a game.

    13. Re:*sigh* by The_Quinn · · Score: 1

      What if someone "hacked" into your house and hijacked your family? Would you blandly chalk it up to a lesson in needing "tighter control and security"?

    14. Re:*sigh* by antic · · Score: 1


      I know you've gone for a more extreme contrast to present your point, but how about just likening it to the graffiti it is?

      It's art or a bragging opportunity to some, but it's an absolute nuisance to the majority of people.

      --
      'Thats they exact same thing a banana wrench monkey.'
    15. Re:*sigh* by EvilAlien · · Score: 1

      Well, one thing I know for sure is that their English is a hell of a lot better than my Iranian, Arabic, or even French (I'm Canadian)...

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    16. Re:*sigh* by Thanatos+Starfire · · Score: 1

      At that point I would run a traceroute.

  3. ouch by Anonymous Coward · · Score: 5, Funny


    They could just run OpenBSD.

    1. Re:ouch by WilliamSChips · · Score: 1

      Sure, if they don't mind running hopelessly obsolete versions of their software. And if they don't mind using a dying OS... ;)

      --
      Please, for the good of Humanity, vote Obama.
    2. Re:ouch by DrSkwid · · Score: 1

      Hmm let me see, run latest version, get owned or run older but audited version and keep control.

      New features or safety

      Safety or new features

      gaw, what a choice!

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    3. Re:ouch by Metzli · · Score: 1

      Exactly how is OpenBSD "hopelessly obsolete?"

      --
      "It's too bad stupidity isn't painful." - A. S. LaVey
    4. Re:ouch by ScootyPuffJr · · Score: 1

      Because Netcraft says so :)

    5. Re:ouch by thesqlizer · · Score: 1

      True indeed, and still the question remains: "How is OpenBSD 'hopelessly obsolete?'"

      From what I've seen in every case where there's a security or genuine set of features needed to motivate the bumping of a software version, they do. A quick run through the CVS commits would show that.

      Sure, they don't update every minor non-security bugfix to the latest and greatest after a given CD version has been released, but I can't recall that ever having been an issue.

      And heck, if it is or you're really pining for the latest and greatest of something there's always the fine Ports collection.

      [shrugs]

    6. Re:ouch by KillShill · · Score: 1

      wouldn't it be more prudent to run CLOSEDBSD?

      --
      Science : Proprietary , Knowledge : Open Source
    7. Re:ouch by burnin1965 · · Score: 1

      I take it you're admitting to be the Iranian hacker? You seem to be aware of a linux exploit which allowed you to hack into the opensuse.org web server.

      Or I suppose it's more likely you don't have a clue and there is a greater probability that the exploit was in the php application they were running on top of linux+apache and rather than being hacked the website was defaced.

      And if that turns out to be the case then it would have made no difference whether they were running on linux, BSD, or any other OS. The site still would have been defaced.

      But I guess thinking that way isn't as much fun.

      burnin

    8. Re:ouch by Salo2112 · · Score: 1

      Hush, Theo.

    9. Re:ouch by rm69990 · · Score: 1

      Notice the Score:5,Funny. This means it was a joke. Lighten up, my grandma is less uptight than you.

  4. How does this help ? by Anonymous Coward · · Score: 4, Insightful

    How does hacking this website help to put your voice ? Other than geeks, how many people check that website. If they had hacked CNN or BBC, it would have been noticed significantly. Soon this would go into oblivion. Makes me wonder what has nuclear program to do with open source linux ?

    1. Re:How does this help ? by wetdirtmud · · Score: 2, Funny

      I didn't know they had computers in Iran. Maybe they only use them for hacking, and not for checking up on news, or reading about the differences between Government Agencies and Operating Systems.

    2. Re:How does this help ? by WindBourne · · Score: 2, Insightful

      Because, this will make the regular news. That will include CNN, and BBC.

      Why? Because it does not happen often to a major linux site. It would be like having millions stolen from a site that runs a non-Windows such as a unix site. It will make news just because it is non-Windows.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    3. Re:How does this help ? by Anonymous Coward · · Score: 0

      CNN and BBC were running OpenBSD that night, so they were forced to find a server running an insecure operating system.

    4. Re:How does this help ? by houghi · · Score: 1

      I didn't know they had computers in Iran.

      The picture on the site was linked to ihsteam.com.
      A trace leads to teamnet.net. A whois shows a US company.

      Their DNS server is ns3.simorgh.co.uk, although they could just have hacked that as well. Just look at http://simorgh.co.uk/

      So even though the whois data is in Iran, there is no need for them to have a PC.

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:How does this help ? by theonetruekeebler · · Score: 1
      This will make the regular news. That will include CNN, and BBC.

      "Pro-Iranian cyberterrorists attack website, demand nuclear arms."

      Yeah. This'll push their agenda forward by about ten thousand years.

      P.S. I transcribed the Engrish into my grammar checker and my laptop nearly caught fire. "we want from iran government than quit NPT." Sheesh.

      --
      This is not my sandwich.
    6. Re:How does this help ? by aliquis · · Score: 1

      They had a good point, I welcome it.

    7. Re:How does this help ? by Anonymous Coward · · Score: 0

      Wow.

      I hope you're joking, I'm bad about catching internet sarcasm. But if you're not joking, you're retarded.

    8. Re:How does this help ? by Anonymous Coward · · Score: 0

      "How does hacking this website help to put your voice"

      Perhaps it was an act of cyber terrorism, where an innocent bystanding website gets hurt just to instill fear in the web community as a whole! I think the plan may be to hack a random website a day until their demands are met! We just haven't gotten the demand letter yet (probably to be written in a combination of different html tags and script languages taken from popular websites so as to be untraceable)

      Ok, that was bad... very very bad... [Ducks]

  5. Site's Fine Now... by Eddy+Da+KillaBee · · Score: 1

    Looks like they were quick to fix it -- I just checked out the site now and it looks as though nothing ever happened.

    1. Re:Site's Fine Now... by LnxAddct · · Score: 1

      To me, the fact that it looks like nothing has happened is a very immature handling of the problem. They should have a notice on the front page about what happened, how they are researching how it happened, and the possible effects that it may have on you as a user. It seems like they are trying to cover this up with absolutely no recognition of what happened. If they do have a forum or something about this and I didn't see it, then that's a good thing but it should be made more visible. If I ran Suse, the first thing through my mind would be, "Shit, what servers are their repositories run on. Could my update last night have rooted my system? Is this flaw something to do with the configuration that this specific site was using, or is it a flaw in all servers running Suse. What do I need to do to make sure that this doesn't happen to my Suse server." I think they are handling this all wrong and covering it up like Cisco or Microsoft would do, but I don't run Suse and am not sure how they typically handle things like this. Maybe they use a different channel like e-mail, if so please correct me.
      Regards,
      Steve

    2. Re:Site's Fine Now... by Anonymous Coward · · Score: 0

      gee asshole, thanks for the info. never would have thought of checking it myself.

  6. Rights or not by michaelzhao · · Score: 4, Funny

    The Iranian hackers should first learn English. I was banging my head on the table reading that grammatically incorrect junk.

    1. Re:Rights or not by meadandale · · Score: 5, Funny
      "All your uranium are belong to us!"

      Step away from the fissionable material...It is obviously causing you brain damage.

    2. Re:Rights or not by dustmite · · Score: 2, Funny

      Right, so how good is your Arabic again?

    3. Re:Rights or not by Halfbaked+Plan · · Score: 3, Insightful

      Probably, if he hacks an Arabic site and plans to blather on the pages, he'll have a competent Arabic speaker help compose the text. Really, that's the point.

      --
      resigned
    4. Re:Rights or not by technoextreme · · Score: 1
      Right, so how good is your Arabic again?
      Not very good but almost anyone that has common sense would realize it's best to make sure you actually sound intelligent and not come off as an idiot.
      --
      Ooo man the floppy drive is broken. No wait. The computer is just upside down.
    5. Re:Rights or not by Anonymous Coward · · Score: 1

      Often, that's a good comeback, but this time...the crackers' message is in English. michaelzhao's response is in English. Where does Arabic come into the equation? Somehow, because he may or may not be able to speak Arabic, shitty English is okay?

    6. Re:Rights or not by Otter · · Score: 4, Interesting
      Often, that's a good comeback, but this time...the crackers' message is in English. michaelzhao's response is in English. Where does Arabic come into the equation?

      Especially since Iranians a) speak Farsi, not Arabic, and b) aren't Arabs.

    7. Re:Rights or not by klykken · · Score: 5, Insightful

      You might have confused the Arabic language with the Persian language (Farsi). They share the same alphabet but are entirely different.

      --
      Looks like a fish, drives like a fish, steers like a cow.
    8. Re:Rights or not by ratbag · · Score: 1

      So I realize it's a joke and everything, but the official Iranian language is not Arabic. Rather it is Persian.

      Rob.

    9. Re:Rights or not by Redundant+offtopic+t · · Score: 1

      "The Iranian hackers should first learn English. I was banging my head on the table reading that grammatically incorrect junk."

      And yet, I assume you regularly read slashdot without complaint?

      (I know, I know, too easy and obvious)

    10. Re:Rights or not by Anonymous Coward · · Score: 0

      and c) language has indo-european roots not semitic (such as hebrew and arabic)

  7. how rude..... by The_Candyman · · Score: 2, Insightful

    Of course this had to happen just a few days before OpenSuSe released the latest version 10.0 final. Now I'm assuming that there will be a delay there to make sure nobody added any "extra" software. I've been waiting for it to come out since I tried beta 1 of 10.0.

    1. Re:how rude..... by alonso · · Score: 1

      I don't think so. The gold version is already ready, it was announced, I think, 2 weeks ago. They only have to put it in the new server.

    2. Re:how rude..... by SpooForBrains · · Score: 1

      Or, looked at another way, pretty awesome way to get a whole bunch of extra visitors to one's website ...

      --
      "The dew has clearly fallen with a particularly sickening thud this morning"
  8. I'm convinced! by Necrotica · · Score: 4, Funny

    The US and EU better let Iran develop a nuclear energy program or these senseless acts of web terrorism will never stop!

  9. exploit? by botmfeedr · · Score: 0

    Without knowing what was exploited we really don't know who to blame.

  10. Novell Wiki was hacked too. by Utopia · · Score: 3, Funny

    http://wiki.novell.com/
    Site is currently down.

  11. So let's help out the terrorists even more by Anonymous Coward · · Score: 0

    So let's help them out more by spreading their message all over one of the most popular news sites on the internet.

  12. Don't Blame Windows by Anonymous Coward · · Score: 3, Insightful

    People always try to blame the software right away but usually it's poor administration.

    1. Re:Don't blame WINDOWS by Anonymous Coward · · Score: 1, Insightful

      People always try to blame the software right away but usually it's poor administration.

      Windows is near-flawless in terms of security.

      That's about as true as your comment, yet I don't hear a lot of that said around here.

      Next time you want to post how Linux is "near-flawless", why don't you take a breath, not post it (because somebody else is sure to), and then, the next time a Windows hack story comes up, not post in that story either (because somebody else is sure to)?

      The end result will be a greater signal:noise ratio, less hypocrisy, and your abstinence in both cases cancel each other out in terms of bias.

    2. Re:Don't blame Windows by Anonymous Coward · · Score: 0

      Windows has excellent security.....as long as the power cord is unplugged.

    3. Re:Don't Blame Windows by jofi · · Score: 0
      Even for Windows, no laughing matter.

      The administrators mistake Windows for a "set it and forget it" OS.

      --
      Blame the user, not the software.
    4. Re:Don't blame WINDOWS by Anonymous Coward · · Score: 0

      amen!

    5. Re:Don't blame WINDOWS by ozmanjusri · · Score: 1

      That's about as true as your comment, yet I don't hear a lot of that said around here.

      It's said constantly around here. Take a look at any archived discussion about Windows or Linux and you'll see half the commenters are claiming XP/2003 is as/more secure and stable than other OSs, and if it's ever had a virus, spyware or been hacked, it's the user's fault.

      --
      "I've got more toys than Teruhisa Kitahara."
  13. Details of the hack? by Trigulus · · Score: 5, Interesting

    Was this a targeted attack? Did they just fall victim to a script? Unpatched vulnerability? Weak password? What? I'm just asking 'cause none of the links provided answer this.

    --
    If something exists that does not need a creator (god) then why must the cosmos need one?
    1. Re:Details of the hack? by Trigulus · · Score: 1

      bah. nevermind. sure *now* the link is more useful.

      --
      If something exists that does not need a creator (god) then why must the cosmos need one?
    2. Re:Details of the hack? by DrSkwid · · Score: 1

      passwords are weak by design

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  14. script kiddies by Anonymous Coward · · Score: 1, Funny

    Just goes to show you that any jackass can type "./the_great_script" and replace a home page. More evident that Iran has its fair share of jackasses like the rest of the world.

    1. Re:script kiddies by ettlz · · Score: 3, Funny
      ...any jackass can type "./the_great_script"...

      Don't you mean ./t3h_l33t_5cr1pxx0r?

    2. Re:script kiddies by Anonymous Coward · · Score: 0

      Someone still has to write that script.

    3. Re:script kiddies by Dmitri_Yuriescu · · Score: 1

      Continue your work at... http://www.c0d3r.org/priv8area ;)

  15. ssh scan by perp · · Score: 4, Informative
    This server probably had a weak root password and was hacked by one of the several automated ssh bruteforcers out there http://www.linux.com/article.pl?sid=05/09/15/1655234

    I see these attacks all the time on all Internet facing servers.

    --
    There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
    1. Re:ssh scan by schon · · Score: 3, Insightful

      Why the hell do they allow root logins over SSH in the first place?

      Any security admin worth their salt would have turned this off when it was installed - not to reduce break-ins (although it does help mitigate a weak root password), but to provide an audit trail for people who are allowed to use root.

      *sigh*

    2. Re:ssh scan by Bloodywolf_82 · · Score: 1

      Easy fix. Create a web script. Deny all hosts in hosts.deny and use the script to add entries in hosts.allow. I used to get thousands of brute force attempts, now I get 0.

    3. Re:ssh scan by gcauthon · · Score: 1

      Why would you need root access to replace the content of a website? Wouldn't you just need to log in as a "web publisher" or whatever security they have set up for that group of users? It's a little early to jump to the conclusion that this was a root exploit.

    4. Re:ssh scan by DrSkwid · · Score: 0, Troll

      root is a design flaw on its own

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    5. Re:ssh scan by Nikademus · · Score: 2, Informative

      That means, they were not smart enough to:
      1: change default ssh port
      2: disallow direct root logins via ssh

      Those 2 simple principles prevent many things.

      --
      I gave up with the idea of an useful sig...
    6. Re:ssh scan by Homology · · Score: 1
      Why the hell do they allow root logins over SSH in the first place?

      Yeah, much better with a bunch of sudo-users so instead of one root password you now have a bunch of them. Besides, they should disable password login in any case.

    7. Re:ssh scan by VStrider · · Score: 2, Insightful

      and last but not least

      3. install a port knocking daemon, like fwknop, or knockd

      --
      VStrider.
    8. Re:ssh scan by Anonymous Coward · · Score: 0

      It's always cute hearing this from Slashdotters, but none of you do it either.

    9. Re:ssh scan by nlinecomputers · · Score: 1

      Well I disable root access to that, use only ssh2, use keys, use deny all users/allow only users to limit who can logon, and use a nonstandard port.

      Not perfect but works well for me.

      --
      Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
    10. Re:ssh scan by kimvette · · Score: 1

      I quite agree. The idea that there should be an administrative account where one can configure machine settings and services, and edit user accounts, is just stupid. Instead, we should revert to something like Windows in combination with SecurID cards, where passwords won't get lost, you just need to have your SecurID (or similar) card available when you would like to log in, and by the way, the ability to change system settings should be only up to Microsoft, so why not limit Administrator's privileges and create an account that has higher privileges, collects data on what you install and when you installed it and how often you've run it, and send all of that info back to Microsoft? Oh, and that system should phone home every night to not only report that information. but also to "ensure" that you are not violating any licensing agreements - even by accident - and that you are not violating any of the EULA clauses that you may or may not be aware of since Microsoft reserves the right to change it at any time, not to mention a lot of any CDs, DVDs, and MP3 files you may have listened to, and if you've made more than one backup of a CD or more than two CDs with the same track, that info will be forwarded on to the RIAA and/or MPAA (in the event of a movie soundtrack). Oh, by the way: don't lose your SecurID card, because a password won't let you in. How would that work for you? Oops, I just described Longhorn's supposed successor. Yeah, that whole "root" thing where you have control over your system is a really stupid idea. That responsibility is better left up to a "trusted" outside organization who is looking out for your own well being.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    11. Re:ssh scan by DeadMeat+(TM) · · Score: 1
      Why the hell do they allow root logins over SSH in the first place?
      Allowing or disallowing root logins is configurable in OpenSSH. Incidentally, SuSE ships with root login over SSH disabled by default.
    12. Re:ssh scan by Dave2+Wickham · · Score: 1

      SSH in as user, then su. Adds an extra layer of security to get through, provided there's no easy writable suid file and any root apps are kept up to date, and that kind of attack is harder to automate.

    13. Re:ssh scan by Stinking+Pig · · Score: 1

      [hacker@iran.gov $] ssh -l joeuser boxtoroot
      Welcome to boxtoroot, how may I serve you?
      [joeuser@boxtoroot $] sudo vi /path/to/index.html
      Please enter your password: *******

      Does that make it clearer to you?

      --
      "Nothing was broken, and it's been fixed." -- Jon Carroll
    14. Re:ssh scan by Homology · · Score: 1
      SSH in as user, then su. Adds an extra layer of security to get through, provided there's no easy writable suid file and any root apps are kept up to date, and that kind of attack is harder to automate.

      An extra layer with questionable benefit, assuming that your root password is strong in the first place.

    15. Re:ssh scan by jaclu · · Score: 4, Informative

      I have a hard time to see the gain in security by disallowing root but allowing users to login and then sudo.

      In the case of three admins, you would end up with three accounts that could be exploited, rather increasing if anything the risk of direct ssh exploits.

      Once the bad guy is in, he has all the local exploit possibilities to gain root, so you're already in trouble if they get in.

      So as long as you do ssh with passwords, disallowing root-login doesn't really buy you any security, but it hassles the admins each and every day.

      On the other hand, preferred method would be to login with keys and disallow passwords completely whenever possible.

    16. Re:ssh scan by Dave2+Wickham · · Score: 1

      Indeed, but questionable benefit or not, given that it has hardly any usability impact, it makes sense to have it.

    17. Re:ssh scan by DrSkwid · · Score: 1

      I don't know what you're on about but you're still wrong.

      There is more to life than Linux & Windows you know.

      I have machines without root and they run neither and they were written by people that know more about Unix than most, you know, what with having written it and everything.

      Never mind, nice try.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    18. Re:ssh scan by Gogo0 · · Score: 4, Informative

      Part of the security comes from non-root logins being unknown.

      One could try to use a non-root user to bruteforce their way into my system, but they'll either get one (probably created by an application) with /dev/null as a shell or they will be trying usernames that don't exist.

    19. Re:ssh scan by 51mon · · Score: 1

      Hey I don't do that messing around, although most of the boxes I admin only allow named accounts to ssh in, and most only from specific IP addresses.

      But it does look like this box wasn't terribly important, nor attentively admin'ed, and there is nothing suggesting it wasn't owned due to use of weak passwords.

      An IDS system might have spotted the scanning, or intrusion earlier, and mitigated the damage.

      And before anyone says "OS/distro X doesn't allow weak passwords", I've never seen any admin with strong passwords, different on every machine, that didn't have them written down in a list that introduces different methods of attack, although I don't doubt there are a few around with very good memories.

      Without more details this is a non-story blown out of proportion by typically accurate /. readers' misrepresentations.

    20. Re:ssh scan by Anonymous Coward · · Score: 0
      1: change default ssh port

      Security through obscurity doesn't work. A port scan would find your sshd soon enough.

      2: disallow direct root logins via ssh

      Pointless. Allowing multiple users to su to root only increases the possibility of a compromised password. Nobody will get through if you're using a strong root password or public key authentication anyway. This is the official position of the OpenSSH devs. Also, OpenBSD allows remote root logins by default. And security by default is their primary goal.

      Disallowing password authentication removes the possibility of a weak password leading to a remote exploit over SSH. That's really the only hardening step necessary.

    21. Re:ssh scan by MichaelSmith · · Score: 1
      This server probably had a weak root password and was hacked by one of the several automated ssh bruteforcers out there

      I wish the openssh team would wake up to this and put in a feature to ignore hosts which repeatedly fail logins.
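
Added example, not part of any comment in this thread: the automated SSH password guessing described above leaves a recognizable trail in the sshd log, and the "ignore hosts which repeatedly fail logins" idea can be approximated by watching that log. The sketch below counts failures per source address in a sliding window and separately flags a login that succeeds right after a burst of failures. The log lines, host name, addresses, year and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the classic syslog format written by sshd.
# Addresses are from the documentation ranges; host and user names are made up.
SAMPLE_LOG = """\
Jan 17 03:12:01 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 17 03:12:03 web1 sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Jan 17 03:12:05 web1 sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Jan 17 03:12:08 web1 sshd[4107]: Failed password for root from 203.0.113.7 port 40140 ssh2
Jan 17 03:12:10 web1 sshd[4109]: Failed password for root from 203.0.113.7 port 40152 ssh2
Jan 17 03:12:14 web1 sshd[4111]: Accepted password for root from 203.0.113.7 port 40160 ssh2
Jan 17 09:30:00 web1 sshd[5200]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jan 17 09:30:09 web1 sshd[5202]: Accepted publickey for alice from 198.51.100.20 port 51004 ssh2
Jan 17 11:00:00 web1 sshd[6001]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Jan 17 11:20:00 web1 sshd[6002]: Failed password for invalid user oracle from 192.0.2.44 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text, year=2000):
    """Turn sshd auth lines into (time, result, method, user, ip) tuples.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not an sshd authentication result line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((when, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for sources with >= threshold failures inside window.

    verdict "block":       repeated failures only, a candidate for a deny rule
    verdict "investigate": a login succeeded while the failure burst was still
                           inside the window, so the account may be compromised
    """
    failures = defaultdict(deque)  # ip -> (time, user) of recent failures
    report = {}
    for when, result, method, user, ip in sorted(events):
        recent = failures[ip]
        while recent and when - recent[0][0] > window:
            recent.popleft()  # forget failures that fell out of the window
        if result == "Failed":
            recent.append((when, user))
            if len(recent) >= threshold:
                entry = report.setdefault(
                    ip, {"verdict": "block", "users": set(), "peak": 0})
                entry["users"].update(u for _, u in recent)
                entry["peak"] = max(entry["peak"], len(recent))
        elif len(recent) >= threshold:
            entry = report.setdefault(
                ip, {"verdict": "block", "users": set(), "peak": len(recent)})
            entry["verdict"] = "investigate"
            entry["account"] = user
            entry["method"] = method
    return report


if __name__ == "__main__":
    for ip, finding in detect(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

A single mistyped password followed by a key login (198.51.100.20) and slow, widely spaced guesses (192.0.2.44) stay below the default threshold; lowering the threshold or widening the window trades missed slow scans against false positives on legitimate users.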

    22. Re:ssh scan by despisethesun · · Score: 5, Informative

      I have a hard time to see the gain in security by disallowing root but allowing users to login and then sudo.

      You must not have much experience with sudo. One of the benefits of it is that it allows you to give root permission to people for specific tasks that they would need that access level for. While there are certainly a lot of people who set their sudoers file to "allow all" for everyone, if sudo is properly implemented no one should be able to do anything they don't NEED to do as root. Sudo also has the benefit of keeping track of what users used it to do what tasks, making it easier to trace the path an attack came from.

      Gogo0 also mentioned an added benefit to this scheme so I'm not going to repeat it here.

      --
      This poo is cold.
    23. Re:ssh scan by calmdude · · Score: 1

      Sorry, but as someone who designs enterprise-edge security, rarely, if ever, is SSH allowed from the internet to enterprise web servers. If it is, that's a mistake. Also, for improved security, it doesn't cost much to do basic http inspects on the firewall, install a reverse HTTP proxy in a DMZ, and then deploy the web server in an enclave. You can even do it using open source software. For a good reverse proxy, take a look at pound.

    24. Re:ssh scan by drsmithy · · Score: 2, Informative
      I have a hard time to see the gain in security by disallowing root but allowing users to login and then sudo.

      The two biggies are greater control over what can and can't be executed with root privileges and an audit trail.

    25. Re:ssh scan by janic · · Score: 1

      Unfortunately, it also has PAM authentication on by default which essentially overrides the PasswordAuthentication off parameter.

      Fark!
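
Added example, not part of any comment in this thread: a small auditor for the sshd_config points argued over above (root login, password login, account allow-lists), including the PAM interaction just mentioned, where `PasswordAuthentication no` alone still leaves a password path open through challenge-response. The directive names are real OpenSSH directives; the defaults table and both sample files are constructed assumptions, since real defaults vary by OpenSSH version and distribution.

```python
# Assumed values for directives a file leaves out. These differ between OpenSSH
# releases and distribution packages, so pass your own table when auditing.
ASSUMED_DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

# Newer OpenSSH spells ChallengeResponseAuthentication as KbdInteractiveAuthentication.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

# Constructed sample: password logins look disabled, but PAM keeps them available.
AS_DESCRIBED = """\
# constructed example, not taken from any real host
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
UsePAM yes
"""

# Constructed sample with the password paths closed and an allow-list in place.
HARDENED = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers alice bob
"""


def effective_settings(config_text, defaults=ASSUMED_DEFAULTS):
    """Return (global settings, has_match) the way sshd reads the file.

    Keywords are case-insensitive and the first occurrence of a keyword wins.
    Parsing stops at the first Match block because everything after it is
    conditional and is not evaluated here.
    """
    seen = {}
    has_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        keyword = fields[0].lower()
        keyword = ALIASES.get(keyword, keyword)
        value = fields[1].strip() if len(fields) > 1 else ""
        if keyword == "match":
            has_match = True
            break
        seen.setdefault(keyword, value)  # later duplicates are ignored
    settings = dict(defaults)
    settings.update(seen)
    return settings, has_match


def audit(config_text, defaults=ASSUMED_DEFAULTS):
    """Return a list of (code, detail) findings for the global section."""
    settings, has_match = effective_settings(config_text, defaults)

    def enabled(key):
        return settings.get(key, "no").lower() == "yes"

    findings = []
    paths = []
    if enabled("passwordauthentication"):
        paths.append("PasswordAuthentication")
    # With PAM enabled, challenge-response usually prompts for the same password.
    if enabled("usepam") and enabled("challengeresponseauthentication"):
        paths.append("ChallengeResponseAuthentication+UsePAM")
    if paths:
        findings.append(("password-login-possible", ", ".join(paths)))
        if settings.get("permitrootlogin", "").lower() == "yes":
            findings.append(("root-password-login-possible", "PermitRootLogin yes"))
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append(("no-account-allow-list",
                         "neither AllowUsers nor AllowGroups is set"))
    if has_match:
        findings.append(("match-blocks-not-evaluated",
                         "review conditional overrides by hand"))
    return findings


if __name__ == "__main__":
    for name, text in (("as described", AS_DESCRIBED), ("hardened", HARDENED)):
        print(name, audit(text))
```

On a live host with a recent OpenSSH, `sshd -T` prints the effective configuration and is the authoritative input; this parser only reads a file's global section.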

    26. Re:ssh scan by schon · · Score: 1

      Yeah, much better with a bunch of sudo-users so instead one root password you now have bunch of them.

      Score -1 "Just doesn't get it"

      Thanks for playing. Perhaps you should come back once you understand what I wrote?

    27. Re:ssh scan by schon · · Score: 1

      No, it doesn't. Perhaps you could explain why having a brain-dead sudo policy has anything to do with proper security measures? Are you suggesting that someone who *TAKES SECURITY SERIOUSLY* would do one thing correctly, but then do something even stupider than allowing remote root login via SSH?

    28. Re:ssh scan by Homology · · Score: 1
      Score -1 "Just doesn't get it"

      Thanks for playing. Perhaps you should come back once you understand what I wrote?

      Why don't you just leave the telnet mentality behind and enter the age of ssh? Once upon a time one used su to make it harder for a packet sniffer to get the root password in a telnet session, but with ssh that is not the case. If you are worried that someone can get the root password while using ssh you have more serious problems to deal with, like you are rooted in the first place or using ssh authentication agent in an unsecure way.

      Not permitting root logins does not give much added security, but probably gives you some much needed sense of security?

      This is not 1995 anymore.

  16. different hacks, different times by sjvn · · Score: 4, Informative

    The LinuxWorld Australia story is actually about an earlier break-in of a Novell system that was being used for World of Warcraft related stuff, not the OpenSUSE site at all.

    Steven

    1. Re:different hacks, different times by Anonymous Coward · · Score: 0

      Excuses...excuses...excuses...As always on Slashdot whenever there is some bad news on Linux. The same attitude prevails in majority of open source community. That's why Linux is (and never will be) never more than 10% of mainstream...

    2. Re:different hacks, different times by jsd303 · · Score: 1

      Oh absolutely... just look at Apache... I mean Linux distros are hoping for 10%, behind that 90% IIS stranglehold on the market!

  17. Most shit by ILKO_deresolution · · Score: 0

    Dude most of the stuff online is worse than that...that psp MPH downgrader for instance! That message wasn't half that bad! I get mad flamed on geek.com just for slightly misspelling tough words! Those people are nazi or just can't think of better comebacks (MS people hehe).

    --
    I tip toe like rats on vogue runways.
  18. Who the hell is "Brandon Internet Security"? by Anonymous Coward · · Score: 0

    That organization is mentioned in the article, yet has no web presence that I can find.

    There are some old usenet postings also wondering the same thing. Sounds like an imaginary company to me, wonder why the folks who reported the story didn't do a better job of checking their sources.

  19. I think we should by haX0rsaw · · Score: 0

    ..give them all the nuclear energy they desire. Captain.. Ready the Minute-Man missiles..

  20. Oh sweet sweet irony... by GregNorc · · Score: 0, Troll

    Or is it? If a site running Windows Server 2003 was hacked, would it make the front page of /.?

    1. Re:Oh sweet sweet irony... by UWSarge · · Score: 3, Funny

      If it was a website about Linux, it probably wouldn't even need to be hacked to make the front page of /. if it was running Windows

    2. Re:Oh sweet sweet irony... by Anonymous Coward · · Score: 0

      If a server running win2k3 were hacked, running a major nerd site, and had some poorly written message possibly originating from some Iranian idiots, then yes it probably would make frontpage.

      But do not forget, real nerd sites don't run win2k3...

    3. Re:Oh sweet sweet irony... by $RANDOMLUSER · · Score: 2, Insightful

      The point is, it was a Suse website, running Suse that got hacked.
      If a Microsoft windows 2003 site, running Windows 2003 was the victim, then yeah, I think it would make the front page.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    4. Re:Oh sweet sweet irony... by ArsenneLupin · · Score: 4, Funny
      If a site running Windows Server 2003 was hacked, would it make the front page of /.?

      No, it wouldn't. People would get pissed about having to dig through 100000 stories of "Yet another cheesy Windows server hacked" until they found a real story.

    5. Re:Oh sweet sweet irony... by houghi · · Score: 1

      Yeah, reposts are heavily frowned upon.

      --
      Don't fight for your country, if your country does not fight for you.
    6. Re:Oh sweet sweet irony... by MSG · · Score: 1

      I'm pretty sure that when Microsoft's WindowsUpdate servers were cracked by a worm, it made the front page.

    7. Re:Oh sweet sweet irony... by JPriest · · Score: 1

      Actually, in comparison to NT4 and 2K, 2K3 is a brick wall. I don't believe there has been a remote compromise in the default install of 2K3 since its launch.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    8. Re:Oh sweet sweet irony... by Anonymous Coward · · Score: 0

      Or is it? If a site running Windows Server 2003 was hacked, would it make the front page of /.?

      Nope but if the site was *the* Windows Server 2003 site, then I bet it would. You really failed to see the irony here.

  21. apparently they were using a netware server by Anonymous Coward · · Score: 0

    The server was running on netware the one that got hacked, so it could be poor administration, or it could be a vulnerability in novell netware. Linux is free from blame

  22. Linux Secure By Design? by Ed+Almos · · Score: 0

    Ummm, what happened to 'Linux Secure By Design'? I'm not saying MS Windows is more secure here but maybe some of the pro-Linux stuff has been overdone a tad.

    Ed Almos

    --
    The more corrupt the state, the more numerous the laws. - Tacitus, 56-120 A.D.
    1. Re:Linux Secure By Design? by Anonymous Coward · · Score: 0

      It's idiots like you who throw up linux servers and don't administer them properly that ruin it. Secure by design and even default does NOT protect your boxes from the admin's stupidity. A gaming server open to the public on the Novell network clearly was a case of stupid users/admins, not poor design. Learn the difference.

    2. Re:Linux Secure By Design? by andersbergh · · Score: 1

      You still need strong passwords for real security. With a weak password, there is no real security...

    3. Re:Linux Secure By Design? by Halfbaked+Plan · · Score: 0, Troll

      'Linux Secure By Design'???

      When has anybody actually done design work on Linux in the first place? Isn't the plan just to copy UNIX?

      --
      resigned
    4. Re:Linux Secure By Design? by scronline · · Score: 5, Interesting

      Speaking from personal experience, 85% of all hacks come from poor administration. ie. not patching flaws, weak passwords, poor security measures such as file permissions and lack of firewalls. The remaining 15% come from a mixture of things, and like it or not, 14.999% of that is Windows. Security through obscurity doesn't work when you have thousands of people pounding at your code just trying to find a way in.

      All these Worms on the net is a perfect example. And when you get down to it, even some of the poor administration is Microsoft's fault for making it "so easy you don't need an experienced technician...." When in fact they bury stuff so deep unless you know where it is, the necessary changes don't get made leaving everything as default.

      I can't even begin to count how many times I've gone to a customer's location where they had an employee that was a self proclaimed geek that did all the setup and everything was not only wrong, it opened gaping holes on their network. Including things like having a USER logging in as Administrator on the server and using it as a workstation.

      Plus I won't go into all the people who hold an MCSE that never touched a computer until they went to a 2 week bootcamp on how to pass the tests.

      But, point in fact, any closed source application is subject to flaws that don't get patched because it's a small enough flaw that putting a programmer on it to fix it would cost more than keeping the flaw hidden.

    5. Re:Linux Secure By Design? by william_w_bush · · Score: 1

      Ok, I'm not sure the argument was ever that linux was secure by design. You need the best security, you should probably go secure solaris or openbsd.

      The argument is not so much pro-linux, as much as it is "Windows? Are you fucking crazy?"

      Linux can be very secure if configured and admin'd properly, and given the same resources far more secure than windows. The argument is that it's the closest to a mainstream alternative with market presence and a large application base.

      Not holier than thou, just holier than you.

      --
      The first rule of USENET is you do not talk about USENET.
    6. Re:Linux Secure By Design? by slavemowgli · · Score: 1

      "secure by design"? You're thinking of OpenBSD, not Linux. Not that Linux' security is bad, but the Linux kernel developers do not have the same paranoid attitude towards security that the OpenBSD developers have.

      --
      quidquid latine dictum sit altum videtur.
    7. Re:Linux Secure By Design? by Danimoth · · Score: 1

      Your sites have been hacked so often that you can state its accuracy to 3 decimal places? I think you need to rethink your place in the world of technology...

      --
      No smoking sigs indoors.
    8. Re:Linux Secure By Design? by Anonymous Coward · · Score: 0


      Ok, I'm not sure the argument was ever that linux was secure by design.

      Yes it was.

      Linux can be very secure if configured and admin'd properly

      The same can be said of Windows.

    9. Re:Linux Secure By Design? by Anonymous Coward · · Score: 0

      Your statistics are very impressive! I would like to subscribe to your newsletter.

      So, what you're saying is that you've kept track of all hacks, and then analyzed the data, to arrive at these numbers?

      What I want to know is this: How do you manage to track all that data? You must be VERY busy. After all, there must be many hacks, perhaps hundreds, thousands, of attempts, all over the world, each day.

      I call bullshit. Here's what's more likely: You've seen a few such attempts at various customer sites around Santa Rosa, perhaps a few dozen, and have extended your limited experience to "all hacks", and then pulled the numbers out of your ass to impress the other clueless 6-digit UID clueless wannabes.

      Also, your website doesn't validate.

    10. Re:Linux Secure By Design? by Anonymous Coward · · Score: 0

      Remember kids, when Linux gets hacked, start spewing bile at Windows!

    11. Re:Linux Secure By Design? by linuxpyro · · Score: 1

      Yes, I agree with you there. Last year I did an internship at my high school with the IT department. We had to switch a bunch of users from one Windows domain to another, and it involved having users change passwords in the process. So, as I went around setting the various workstations to talk to the new domain, I would instruct users to type a new password. As I did this with one secretary, I happened to glance down at what she was typing for her 5 digit password. It was 11111. I told her she had to use something more complicated, but I didn't see what she typed after that. God only knows what some of the people with whom I wasn't staring at their keyboards typed...

      --
      Saying "I'll probably get modded down for this" in a post is the best way to get it modded up.
    12. Re:Linux Secure By Design? by scronline · · Score: 1

      First off, that was a slight exaggeration and the fact that you thought it was actual facts tells me that maybe you take some things a little too seriously and/or can't tell the difference between fact and making a point.

      The point to that was, I've not had a single "virus" hit my linux servers. Basically, at this point, I'm batting 1000 on my linux servers for everything. Not one hack or virus. On the other hand, don't get me started on Windows servers. Even after hot fixes have been applied to a clean server, I'll turn around and 24 hours later find they've been infected. Clean up, apply the hot fix again, another 24 hours later, worm again. So before you try to wax intellectual and point the blame at someone that you "think" should be doing something else since their figures look skewed. Maybe you should ASK.

      The old phrase comes to mind about the wise man listening while the fool chatters. I was merely pointing out real world scenarios. Hell, half I'll be called in the first time something gets broken. I've never touched the network before. And you wouldn't like me to tell you the alarming rate of them that have had personal data stolen that are real estate agents or mortgage brokers. You know, the kind of people that get their hands on your most precious of data. Then we wonder why so many people are having their identities stolen. After all, real estate agents and mortgage brokers tend to be notoriously cheap and will spend thousands of dollars a month on their image, but are loath to spend $10 on the infrastructure.

  23. As you can see by marchetta · · Score: 0

    Novell is ready for Linux Servers

    1. Re:As you can see by LnxAddct · · Score: 5, Insightful

      It's a little worse than that. The IHS guys aren't just script kiddies, their lead guy's blog is here. He is apparently very active in writing exploits and gives code to all of them. He was just accepted into a university, but worse, one of his blog entries is about how he likes slackware and is trying to write some code to help the project out. Now I don't know about you, but I find that suspicious as hell. Unless someone goes over every line of code submitted with a magnifying glass then it can be fairly easy to sneak in a little area for a buffer overflow or something. (Preventive measures like SELinux and exec-shield are necessary and even they don't fully solve the problem). I can only hope that the slackware community does decent background checks on submitters, and also good code checking. The last thing we need is for Open Source to start being purposely made vulnerable and attacked from within.
      Regards,
      Steve

    2. Re:As you can see by Anonymous Coward · · Score: 0

      Those bluffing blog comments are almost certainly BS. Script kiddies bluff all the time desperately trying to get recognition in the community but never achieve anything more than writing shitty viruses or hacking poorly administrated websites.

  24. OpenSUSE website Hacked? No. by blanks · · Score: 5, Informative

    The open SuSE website wasn't hacked, it was a damn gaming machine they had on their network.

    From TFA:

    "The employees that set it up apparently had no idea of security," Brandon said. "But what is really surprising is that Novell would allow employees to set up game servers on their corporate network and then allow the public to access it."

    "There was no major breach of security here," Barney said. "Needless to say, we are taking the appropriate steps" to address the situation.

  25. No big deal by LittleLebowskiUrbanA · · Score: 1

    Looks like that SSH login/password brute force scanning attack that's been going for the past year or so. So some employees setup an easily SSH login on a gaming server? So what. Only part I can't figure out is why was the box public?

    1. Re:No big deal by Antique+Geekmeister · · Score: 1

      It's a gaming server: you need to make the IP addresses public, or at least make a tunnelable port on your external facing NAT address, to publish the server for others.

      Such servers, even if allowed on a corporate network, should be in a locked down DMZ area of their network, and any such machines should not have the same logins or passwords as other machines. Public SSH key access is preferred if the machine has to have user accounts.

    2. Re:No big deal by LittleLebowskiUrbanA · · Score: 1

      Agreed about the DMZ. Although as a sysadmin, I would not ever allow a gaming server on MY network.

  26. Yes, Yes, It's all SuSE's fault... by Sr.+Pato · · Score: 1

    "Let's annoy the Linux community to hell. Then the world's governments will take us seriously!"

    --
    Nobody's gay for Mole-Man. :-(
  27. Duality of message by Anonymous Coward · · Score: 0

    I love that hack. You have this apparently politically motivated hack. And what's the title they leave behind? "IHS ownd U". Sweet.

  28. Lol thanks, that explains a lot of log entries by SmallFurryCreature · · Score: 1
    Got some really weird attempts to login on ssh from egypt. Nothing special except it did seem odd to try to do this with SSH seeing as how any sensible person would use keys, if you still have to guess the username AND then a 3kb key I wish you good luck.

    Goes to show that you always need to check your machine. I had no need for remote ssh access so why did I leave it enabled.

    Oh well, luckily I have no business with the arab nations so they are now all banned. Blame the ISP in question for not reacting.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Lol thanks, that explains a lot of log entries by rve · · Score: 1

      Iran is not an arab nation!

      sshd should of course be all:deny except a list of IP's you trust, and not allow:all except a list of IP's you don't trust.

    2. Re:Lol thanks, that explains a lot of log entries by Anonymous Coward · · Score: 1, Informative

      sshd should of course be all:deny except a list of IP's you trust, and not allow:all except a list of IP's you don't trust.

      of course. btw, care to share whatever wonderful method you have for keeping the same trusted (static) IP for a laptop no matter what location it's plugged into the net from? And it goes without saying that no real men would ever use an ISP that does DHCP or, God forbid, NAT.

      methinks you should get out into the world more often.

      P.S. Here's a free hint: if you do need to block automated scans (and are too lazy to implement some active blocking) yet still have to allow for flexible use, a far better solution is to move ssh to a different port.

    3. Re:Lol thanks, that explains a lot of log entries by rve · · Score: 1

      A different port only protects a little bit against some worms. It is no security against sentient intruders. VPN sounds like just the solution for what you want to do.
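
The login attempts described in this thread, and the "active blocking" one reply mentions, both start from the sshd log. The following is an added example, not posted by anyone in the thread, that summarises failed password attempts per source address; the log lines, host name and addresses are constructed, and the classic OpenSSH message wording is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Log lines below are constructed.
# Assumes the classic OpenSSH messages "Failed password for [invalid user] U
# from IP port N ssh2" and "Accepted <method> for U from IP port N ssh2...".

# ssh_failures_by_source MIN   (reads a log on stdin)
# Prints "IP failures=N users=N accepted=N" for every source with at least MIN
# failed password attempts. accepted > 0 after many failures deserves a look.
ssh_failures_by_source() {
    awk -v min="$1" '
        {   # locate the "sshd[pid]:" tag so the timestamp layout does not matter
            p = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^sshd\[[0-9]+\]:$/) { p = i; break }
            if (!p) next
        }
        # The user name is text chosen by the remote side, so the source
        # address is read from the fixed tail "from IP port N ssh2".
        NF >= p + 9 && $(p+1) == "Failed" && $(p+2) == "password" &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            ip = $(NF-3)
            start = ($(p+4) == "invalid" && $(p+5) == "user") ? p + 6 : p + 4
            user = ""
            for (i = start; i <= NF - 5; i++) user = user (i > start ? " " : "") $i
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
            next
        }
        NF >= p + 6 && $(p+1) == "Accepted" && $(p+3) == "for" && $(p+5) == "from" {
            accepted[$(p+6)]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    printf "%s failures=%d users=%d accepted=%d\n",
                           ip, fails[ip], users[ip], accepted[ip]
        }
    ' | LC_ALL=C sort
}

# Constructed sample input (documentation address ranges, made-up host name).
sample_log() {
    cat <<'EOF'
Aug 14 03:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 14 03:12:03 web1 sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Aug 14 03:12:05 web1 sshd[2214]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug 14 03:12:11 web1 sshd[2218]: Failed password for root from 203.0.113.7 port 51250 ssh2
Aug 14 03:15:40 web1 sshd[2240]: Failed password for alice from 198.51.100.4 port 50020 ssh2
Aug 14 03:15:52 web1 sshd[2240]: Accepted password for alice from 198.51.100.4 port 50020 ssh2
Aug 14 03:20:00 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51260 ssh2
Aug 14 03:21:00 web1 sshd[2302]: Accepted publickey for bob from 198.51.100.9 port 40000 ssh2: ED25519 SHA256:constructed
EOF
}

# Sources with three or more failed attempts in the sample.
sample_log | ssh_failures_by_source 3
```

The `users` column separates a source cycling through account names from a single user mistyping a password, which is the distinction that matters before banning an address.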

  29. Don't blame Windows by goMac2500 · · Score: 1, Redundant

    People always try to blame the software right away but usually it's poor administration. Windows is near-flawless in terms of security. Sound familiar?

  30. Hey, by Create+an+Account · · Score: 5, Funny

    Your logic and reason are not welcome here.

  31. This would not have happened if ... by ravee · · Score: 2, Funny

    This would not have happened if the people at Novell had used Ubuntu Linux. :)

    --
    Linux Help
    for all things on Linux
  32. Do trolls even try anymore?

    --
    Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
  33. Re:Neat by Anonymous Coward · · Score: 1, Informative

    rc28@linux:~> ps -eaf | grep ncsd
    rc28 27377 7202 0 12:44 pts/0 00:00:00 grep ncsd
    rc28@linux:~>

    wtf are you talking about?

    From: yourfriendly neighborhood Suse 9.3 user

  34. Re:Neat by colemanguy · · Score: 1

    Just because you don't prefer suse doesn't mean it sucks. I love to recommend suse to all the beginners that want to go to Linux as I personally have had the best luck with them using it and sticking with suse vs other distros.

  35. I got a translation right here: by SmallFurryCreature · · Score: 1
    Thanks to being nerds AND locked in a country with extreme muslim laws we are never EVER going to lose our virginity, not even to the goats, so we are going to bug harmless sites to convince the rest of the world that not only we shouldn't have nuclear reactors, we shouldn't have internet access either.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:I got a translation right here: by Anonymous Coward · · Score: 0

      Thanks to being lunatics AND locked in a country with an extremely idiot president we are never EVER going to be human enough, not even as much as goats, so we are going to kill innocent people to convince the rest of the world that we shouldn't have weapons.

  36. They have a website by gcnaddict · · Score: 3, Informative

    the hacker team has a website to add to that, it's likely being hosted in Iran so no one can do jack shit

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    1. Re:They have a website by Ph33r+th3+g(O)at · · Score: 1

      Someone in the U.S. should be able to whack their DNS, at least. Last I checked, the root servers for .com weren't in Iran.

      --
      I too have felt the cold finger of injustice.
    2. Re:They have a website by Anonymous Coward · · Score: 0

      There are plenty of things we can do. Someone just has to take the initiative.

      If a website such as that was hacked, what would they do?

    3. Re:They have a website by klykken · · Score: 1

      This is exactly why the root servers should be handed over to the UN. It would be totally unacceptable for one nation to use them for information warfare.

      --
      Looks like a fish, drives like a fish, steers like a cow.
    4. Re:They have a website by Anonymous Coward · · Score: 0

      Or we can all click GP's link and watch the magic happen. Site's already feeling slow...

    5. Re:They have a website by Anonymous Coward · · Score: 0
    6. Re:They have a website by kd5ujz · · Score: 1

      Now I have seen everything. A "Hacker" site, that runs a packaged content management setup and ad banners. Nothing against content management scripts, but this is just unusual.

      --
      -William
      God is everything science has yet to explain.
    7. Re:They have a website by Anonymous Coward · · Score: 1, Funny

      it's likely being hosted in Iran so no one can do jack shit

      The Bush Administration is working on that

    8. Re:They have a website by Anonymous Coward · · Score: 0

      You're free to set up your own "root" dns, as is everyone else.

    9. Re:They have a website by ziggamon2.0 · · Score: 1

      Well, we can slashdot it pretty good!

    10. Re:They have a website by Ph33r+th3+g(O)at · · Score: 1

      What "information warfare?" .com is a de facto U.S. domain. .ir is wide open for business without risk of interference from the Great Satan United States. The mullahs, though, might still be a problem for them.

      --
      I too have felt the cold finger of injustice.
    11. Re:They have a website by guardian653dave · · Score: 1
      the hacker team has a website [ihsteam.com] to add to that, it's likely being hosted in Iran so no one can do jack shit
      Um.. they can hack it?
      --
      God's in his heaven-All's right with the world. Karma=Bad ? F*ck that
    12. Re:They have a website by Halvy · · Score: 1, Insightful

      The Bush Administration is working on that

      The bush admin days are numbered...

      As is anyone who supports their murdering ways.

      --
      I will gladly loose all of life's battles.. in order to win the war..
  37. Who the hell is "Brandon Internet Security" by Anonymous Coward · · Score: 0

    That organization is mentioned in the article, yet has no web presence that I can find.

    There are some old usenet postings also wondering the same thing. Sounds like an imaginary company to me, wonder why the folks who reported the story didn't do a better job of checking their sources.

  38. step 1 by Anonymous Coward · · Score: 0

    nano /etc/ssh/sshd_config

    step 2

    PermitRootLogin no

    1. Re:step 1 by Anonymous Coward · · Score: 0

      I think you made a MAJOR mistake... The first step is:
      vi /etc/ssh/sshd_config ;)

    2. Re:step 1 by corsec67 · · Score: 1

      But.. but, what about:
      emacs -nw /etc/ssh/sshd_config ?

      Although, I prefer vi for editing config files and emacs for programming, personally.

      --
      If I have nothing to hide, don't search me
  39. Maybe they were just tired of the poor performance by alhaz · · Score: 4, Funny

    The OpenSuSE server has been sucking wind for weeks, and I know for a fact that trouble tickets have been submitted about it within Novell.

    Maybe they were just trying to lend a hand with the administration . . . .

    --
    This is just like television, only you can see much further.
  40. Blog of the hacker by Vario · · Score: 2, Informative
    The head of the defacement crew has a blog that is kind of interesting to look at: http://www.c0d3r.org/

    He is a movie fan and was just accepted to a university.

    Some bits of information can be found here:
    http://www.zone-h.org/en/defacements/view/id=2917390/

    Besides the OpenSuSE website they also hacked into wiki.novell.com and forge.novell.com.

    Too bad that the Iranian hackers used OpenSuSE for their political stuff. It seems a bit misplaced, what does a Linux distribution have to do with the question whether Iran should have nuclear stuff or not?

    1. Re:Blog of the hacker by KillShill · · Score: 1

      yes that is a very good question...

      --
      Science : Proprietary , Knowledge : Open Source
    2. Re:Blog of the hacker by Anonymous Coward · · Score: 0

      Especially when the hacker who owns the blog claims to be a Linux user, albeit Slashdot. It's just another way to lose respect for his cause.

      They would have been better to hack Microsoft's site, which in many people's eyes is still the epitome of American capitalism.

  41. Told you so by CSHARP123 · · Score: 2, Funny

    I had told Novell not to run their websites on Windows OS. They won't listen. See now

  42. Well I'm shocked, simply shocked by BrentRJones · · Score: 1

    [satire] that Novell has screwed up Linux! Of course the user name was "administrator" and password "linusrules" I only hacked it to show that strong passwords are better. Strong like user: admin6traitor password: billgatessucks69.

    --
    Help end the use of Sigs. Tomorrow
  43. Practical upshot? Am I safe? by thc69 · · Score: 3, Insightful

    Pardon my obvious post-placement, trying to get this near the top and visible, but I suspect this is an important question for people to see, assuming answers are posted:

    What is the practical upshot of all this? Is the damage limited to the "Give us nuclear rights" web defacement, or was that just a front to make people think nothing else was damaged?

    I'm running SuSe 9.3, and this morning, I let the automated update program do it's thing. Did I download and install any breached files?

    TFA don't say anything. One is dead already, and the other is useless.

    I mean, I understand that there's a lot to discuss regarding security policies and server operating systems, but there are people who could be immediately affected here.

    --
    Procrastination -- because good things come to those who wait.
    1. Re:Practical upshot? Am I safe? by houghi · · Score: 4, Informative

      I'm running SuSe 9.3, and this morning, I let the automated update program do it's thing. Did I download and install any breached files?

      No. It was just the WiKi server that went down.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Practical upshot? Am I safe? by Spudley · · Score: 2, Interesting

      No. It was just the WiKi server that went down.

      My question is: Why bother hacking a Wiki? Can't you just make your own changes to it anyway?

      --
      (Spudley Strikes Again!)
    3. Re:Practical upshot? Am I safe? by houghi · · Score: 1

      1) It is easy
      2) If you just do your own changes, you must do them one page at a time. Now they did all of the pages.

      So even if you went to http://www.opensuse.org/Making_a_DVD_from_CDs you would see the hacked site.

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:Practical upshot? Am I safe? by darco · · Score: 2, Insightful

      > Because it is not a good source of energy in its present state.

      That would explain why the French and Japanese have abandoned it.

      Nuclear power is orders of magnitude safer than it was decades ago. I'd much rather have a source of energy with a waste that I can dispose of in a controlled fashion rather than one which pours pollutants into the air we breathe. The only reason we don't use more nuclear energy here in the US is because of politics, not science or practicality.

      Not to say anything about Iran having nuclear capability. I'll pass speculating on that hot-potato.

      --
      — darco
    5. Re:Practical upshot? Am I safe? by Anonymous Coward · · Score: 0

      They would be a lot more stable if our CIA wasn't fucking with them all the time. The only reason they had their rebellion all those years ago was to throw off a puppet regime that the United States put in after assassinating their elected leaders.

      Or would you rather just ignore historical fact and go on with your insane little fantasies that allow you to justify damn near any action against the women, children and old men of Iran if they don't allow us to govern them?

    6. Re:Practical upshot? Am I safe? by I_Human · · Score: 1

      The article mentions that it was just a gaming server set up by a few employees who didn't put any security on it:

      "There was no major breach of security here," Barney said. "Needless to say, we are taking the appropriate steps" to address the situation.

      So, you should be safe.

      --
      -JP
    7. Re:Practical upshot? Am I safe? by user1003 · · Score: 1
      That would explain why the French and Japanese have abandoned it.

      Sorry, dude, but that's just false. Both Japan and France use nuclear power. France also has nuclear weapons. Check http://en.wikipedia.org/wiki/List_of_countries_with_nuclear_weapons

      Beside that I agree with what you said, though.

    8. Re:Practical upshot? Am I safe? by Dolphinzilla · · Score: 1

      I agree, Iran is located in the most oil rich part of the Earth, one of the most oil rich countries, no reasonable person can argue that Iran needs nuke power plants to continue its industrial growth bahhhh. The only reason they want nuclear anything is to make weapons.

    9. Re:Practical upshot? Am I safe? by darco · · Score: 1

      I was being sarcastic. Not only do they both use nuclear power, but they rely on nuclear power.

      --
      — darco
    10. Re:Practical upshot? Am I safe? by _Sprocket_ · · Score: 3, Insightful

      Way to hijack a conversation. :P

      Your call for isolationism has a certain appeal. I'm generally a believer that far too many people are overly concerned with what's going on in their neighbor's yard. However, isolationism is not a panacea. Interestingly enough, the US' involvement in the Middle East began within decades of the formation of the US in the form of the Barbary Wars even though the new US Government often expressed a belief in isolationism. Yet they soon discovered that the US interacted in the world around them and could not be separate from it.

      That's not to say that the US hasn't managed periods of isolationist policies. US history shows some remarkable stretches of isolationism. But such policies only served to create the hardest lesson in recent US history - World War II. The cost associated with World War II was only increased by attempts to limit direct involvement of the US in what was viewed to be a European affair (although Europeans themselves also contributed with their own reluctance to act).

      World War II leads directly in to the Cold War and the US' attempts to curtail Soviet influence. And perhaps that is where the US commits the sins we will be paying for today and tomorrow. Although I find it rather interesting that when critics of US policy point to various fumbles and embarrassments, they fail to note Soviet involvement. Which isn't to say that the US is excused for their actions - but rather some perspective would provide a better understanding of why things were done.

      So does the US have a "right" to dictate to others what they can and can not do? Hardly. There is such a thing as a sovereignty. But to claim that the US should have no involvement in the world around it is simply setting up the US to become victim to the day when its people and shores are under attack. I hate to sound anything like the Bush Administration. Yet there are certainly others who have less qualms about rights than the US. And history shows how that turns out for anyone who ignores it.

      On Iraq, I mostly agree. The current Administration's handling of the situation is unsettling, to say the least. There seems to be a certain degree of willful ignorance and a lack of understanding and planning that shows itself not only in foreign policy, but domestic policy too.

      However, Iraq was bound to happen. While critics of the Bush Administration are, more or less, right to criticize the reasoning given for this war - they tend to gloss over the fact that the Iraq war comes at an end of a CEASE FIRE agreed to in the early '90s. No folks, this is not a new thing; US military personnel have been in the region maintaining vigilance for over a decade without daily CNN coverage. That entire time is under a state of war. And during that time, Saddam willfully defied UN mandates and conditions of that cease fire agreement.

      Yet Saddam was probably not intended to stay in power. The Senior Bush was wise enough to not completely dismantle the world's fourth largest standing army, and create a vacuum for neighboring influence (such as Iran). And it was probably wise to try and void the troubles we are facing today by giving the Iraqi people a chance to handle Saddam themselves. But Saddam is exceptionally gifted at survival (and also ruthlessly brutal). It would take direct involvement to remove Saddam's regime after all.

      There might be a slim chance that the Iraqi government to be will become a secular democracy, with enough economic power behind it to flourish. There are possible echoes of Germany and Japan. But the reality is that the odds are against this happening. Partly due to external influences. And (arguably) largely due to the planning of the Bush Administration.

      What about Iran? I don't find it too surprising that Iran's intentions meet a certain degree of skepticism. It seems odd that Iran's quest for energy would have to involve a process that can be directly applied to acquiring massively powerful weapons when it is itself the World's fourth largest producer of fossil fuel (right behind the US - Iraq is at 14th) as well as having ample opportunity to develop other alternative (and less dangerous) alternative energy systems.

    11. Re:Practical upshot? Am I safe? by Anonymous Coward · · Score: 0

      They are an unstable country, with open hostility to other countries.

      Yeah, going to war with our buddy Saddam. How evil can you get?

    12. Re:Practical upshot? Am I safe? by starman97 · · Score: 1

      With the proper scrubbers, coal and oil fired generating plants are clean.
      It's the 'grandfathering' of all the old dirty plants and new construction
      that is done under weakened air quality laws that spew all the heavy metals
      into the air. It could easily be fixed, but that would reduce profits and
      we can't have that now..

      --
      Starman97@Gmail.com (bring it on spammers)
    13. Re:Practical upshot? Am I safe? by Anonymous Coward · · Score: 0

      I let the automated update program do it's thing

      "its".

    14. Re:Practical upshot? Am I safe? by Anonymous Coward · · Score: 0

      "Or would you rather just ignore historical fact and go on with your insane little fantasies that allow you to justify damn near any action against the women, children and old men of Iran if they don't allow us to govern them?"

      Speaking for myself and my Dad, I'd rather just ignore historical fact and go on with my insane little fantasies that allow me to justify damn near any action against the women, children and old men of Iran if they don't allow me to govern them, 'cause God told me to.

      Your President (no matter where in the world you live),
      George Walker Bush

  44. How Long? by Anonymous Coward · · Score: 0

    How long is it before MS uses this for another FUD campaign?

  45. MOD PARENT UP by Anonymous Coward · · Score: 0

    "The end result will be a greater signal:noise ratio..."

    Finally, someone explains /. in a way that I can understand.

  46. Not Good for Iran by KidSock · · Score: 4, Insightful

    Dear Hackers,

    If you're going to hack websites, don't try to justify your idiotic hobby by turning it into a political posterboard. It has the opposite effect you're looking for. The thing that scares people most is unpredictable behavior. If Iran were calm, clear in stating their intentions, and followed all the diplomatic protocols with a smile there would be no way for anyone to stop them from builting reactors (wheather it be for processing fuel for weapons or not). But stupid stuff like this makes Iranians look like evil subversives. Just look at the graphic they posted. It looks like the shadow of some kind of daemon with horns. This is not a good image for Iran.

    Or if it's a different group impersonating iranians, you're just losers.

    1. Re:Not Good for Iran by gcnaddict · · Score: 1

      The Iranians conveyed their views many times already but then again no one listened...

      --
      Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    2. Re:Not Good for Iran by xonen · · Score: 1

      Exactly. Big chances this is a 'western' group trying to evilize Iran. The average Iranian hacker would, imho, have other priorities.

      --
      A glitch a day keeps the bugs away.
    3. Re:Not Good for Iran by Brane2 · · Score: 1

      But Iran is the one that is calm. Every time they agreed and complied with foreign demands, new demands were made. Why are they effectively forbidden from using the nuclear energy ? Because they MIGHT bomb us ? What about just anyone else ? North Korea for example ? Or even US ? After all, US president will have /if he doesn't already/ the power to use nuclear force without consulting anyone. So, why again are the Iranians bad guys ?

    4. Re:Not Good for Iran by Anonymous Coward · · Score: 0

      > and followed all the diplomatic protocols with a smile

      Who set up those protocols and why?

      > builting
      > wheather

      +5 Insightful stuff if ever I saw it.

    5. Re:Not Good for Iran by Anonymous Coward · · Score: 0

      Iran hangs gays and girls as young as 13 for the "crime" of being raped. They regularly threaten to nuke Israel till every Israeli is dead, and do the same for the US. They invaded our Embassy and took our people hostage. Iran's government blows up Argentinian Jews and Americans all over the globe. They murder Iranian dissidents and Canadian journalists.

      Yeah, that's exactly who *I* want to have nukes.

      Let's face it Iran is a major problem. It has been for decades (they've been at nuke weapons since 1979).

    6. Re:Not Good for Iran by bani · · Score: 1

      why does an oil-rich nation so desperately need nuclear power?

      iran has the second largest proven reserves in the world (132 billion barrels). this is nearly a century of proven reserves, though the number is increasing regularly due to discoveries of new deposits in iran (it increased 30% for example since 2003).

    7. Re:Not Good for Iran by Anonymous Coward · · Score: 0
      Bullshit. Iran doesn't even admit to having Nukes. How can they possibly be threatening Israel with nukes. On the other hand, Israel has actually bombed Iranian nuclear facilities in the past, and not during a war either.

      US did overthrow their democratically elected government and replaced with their unrepresentative and dictatorial puppet. You know, that might have something to do with it...

      I haven't heard about the other stuff, so I'll let it slide, but your record isn't good.

      You're right, Iran has a major problem and have had it for decades. Major world powers keep insisting upon either controlling their governments or destabilising the entire region in the thirst for oil. Maybe with nukes, US and others won't invade. But there's no way that Iran is dumb enough to nuke anyone other than in self-defense, because they'll become a glass carpark overnight.

    8. Re:Not Good for Iran by Anonymous Coward · · Score: 0
      Because:

      - Diversifying their energy use is a good idea.
      - Nuclear energy might be cheaper than oil because they can then onsell that oil to other customers.
      - Nuclear energy is good for electricity, but oil should be saved for portable energy (like cars).
      - Pumping all their oil now won't save it for the future when they'll be able to get a better price.
      - They want to limit air pollution in their cities?

      Lots of reasons, but it's their own country, why do they need to justify to you why they need nuclear energy.

      Damnit, even if it was for nuclear bombs, it isn't as if Iran hasn't had foreign powers threaten it and install puppet governments (US) in the past. Or had other governments (Israel) unilaterally bomb their country. Or be the first country in the Middle East with nuclear weapons (Israel).

    9. Re:Not Good for Iran by Anonymous Coward · · Score: 0

      they don't need to justify it to him, or to you.

      they need to justify it to the IAEA and the UN, and so far none of their given explanations wash. sorry.

      the only explanation that does make sense so far is nuclear weapons, but that's the one they are denying. just like they ran a secret enrichment program for 10 years and denied it to the IAEA.

      if they hadn't covered up their enrichment operation in the first place then there wouldn't be this serious problem they have now. Iran has been caught red-handed in a huge lie, and it's going to take a long time for them to get their credibility back.

  47. echo "PermitRootLogin no" >> /etc/ssh/sshd_config by vieux+schnock · · Score: 1

    Easy enough.
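
The earlier "step 1 / step 2" comment edits the existing line in `sshd_config`, while this comment's title adds a new line at the end of the file. The following is an added example, not from any poster, showing why the two differ: sshd uses the first value it reads for a keyword, and lines after a `Match` keyword belong to that block. The sample configs are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed sample configs only.
# sshd_config(5): for each keyword the first obtained value is used, and lines
# after a Match keyword apply only to connections selected by that Match.
# Assumptions: "Keyword value" form; Include files are not followed.

# root_login_status FILE
# Prints "global <value> line <n>" for the setting sshd honours, or "unset"
# when no global PermitRootLogin exists and the built-in default applies.
root_login_status() {
    awk '
        /^[ \t]*#/ { next }                      # comment lines
        NF == 0 { next }                         # blank lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "permitrootlogin" {
            printf "global %s line %d\n", tolower($2), NR
            found = 1
            exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT

# Case 1: append to a file that already says "yes" earlier on.
case_append_after_yes() {
    printf '%s\n' 'Port 22' '#PermitRootLogin no' 'PermitRootLogin yes' > "$tmp/c1"
    echo "PermitRootLogin no" >> "$tmp/c1"
    root_login_status "$tmp/c1"
}

# Case 2: append to a file that ends in a Match block; the new line becomes
# part of that block instead of a global setting.
case_append_after_match() {
    printf '%s\n' 'Port 22' 'Match User backup' '    X11Forwarding no' > "$tmp/c2"
    echo "PermitRootLogin no" >> "$tmp/c2"
    root_login_status "$tmp/c2"
}

# Case 3: change the existing line in place, as an editor session would.
case_edit_in_place() {
    printf '%s\n' 'Port 22' '#PermitRootLogin no' 'PermitRootLogin yes' > "$tmp/c3"
    awk 'tolower($1) == "permitrootlogin" { print "PermitRootLogin no"; next }
         { print }' "$tmp/c3" > "$tmp/c3.new" && mv "$tmp/c3.new" "$tmp/c3"
    root_login_status "$tmp/c3"
}

echo "append after earlier yes : $(case_append_after_yes)"
echo "append after Match block : $(case_append_after_match)"
echo "edit existing line       : $(case_edit_in_place)"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check after either kind of change.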

  48. That IS the breach of security. by khasim · · Score: 5, Interesting

    Allowing "users" to setup their own box, on your network, outside your firewall, using your IP address IS a breach of security.

  49. near-flawless? by nurb432 · · Score: 3, Insightful

    No modern OS is flawless. Due to feature creep and the massive amounts of code involved, none can really be considered 'near flawless'. ( agreed, some are better than others )

    It's the job of the administrators to mitigate and compensate for known, and unknown, security flaws.

    --
    ---- Booth was a patriot ----
  50. The SSH root password was god by TehBeer · · Score: 2, Informative

    let me guess, iptables not enabled, no firewall service up, no bfd, SSH was up unfiltered and the root pass was a 3 letter word like god, to quote the movie "hackers" with angelina jolie. Hack the gibson. Hack the planet. Go Iran. Just kidding.

    A lot of people are reluctant to use a firewall, even though you can easily do it with SuSE and YaST2.

    I have the pay version of SuSE9.3 Pro, which is well worth the $99 price tag.
    I mostly run fedora core boxes though, and this is a really good alternative to other iptables interfaces.

    http://www.webhostgear.com/60.html
    http://www.webhostgear.com/61.html

    Get yourself those, make sure none of your dirs are 777, have strong 20+ char long passwords, don't RPM fetch from shady repositories, and you're on your way!

    1. Re:The SSH root password was god by angrykeyboarder · · Score: 1

      20+ long character passwords? Holy Sh**!

      I'll settle for my 10-character ones like S82b*%eU9j, which is a vast improvement over past ones like "Michelle75"...

      --
      Scott

      ©20014 angrykeyboarder & Elmer Fudd. All Wights Wesewved
    2. Re:The SSH root password was god by TehBeer · · Score: 1

      My passes are at least 20 chars long

      passwd

      87asdfhnj3h4yuu80sdafu45dufhuasuhfu8a7yrewwa7 (me slamming on the KB with my palms)

      [beer@localhost ~]$ passwd
      Changing password for user beer.
      Changing password for beer
      (current) UNIX password:
      New UNIX password:
      BAD PASSWORD: it's WAY too short
      New UNIX password:
      BAD PASSWORD: it is based on a dictionary word
      New UNIX password:
      Retype new UNIX password:

      Don't you just love the new passwd updates???

      This is just a silly example, but root passes should be EXTREMELY long.

  51. Re:Speaking of poor administration by Anonymous Coward · · Score: 1

    You do not want to work for VA Software (OSTG). The company is mostly comprised of ass-kissing managers and ass-kissing underlings that get promotions and raises. Your entire OSTG career will be about how much abuse you take from the low-level managers without speaking up about it. It is not about doing good work.

    Again, for clarity: OSTG is not about doing good work. It is about kissing manager ass. Does that explain the Slashdot dupes, Linux.com crappiness, and dumb NewsForge stories for you? You don't have to be good. You have to act like Rob and Robin are your heroes.

  52. It doesn't take a genius... by itistoday · · Score: 1
    to understand why people hack websites. Here, I'll list out some possibilities for you:

    • Bragging rights
    • Revenge
    • Getting a message across (free advertising)
    • etc. etc.
  53. Re:What an idiotic Iranian by technoextreme · · Score: 1

    Is it just me or is it a bit off kilter for a hacker or anyone related to a hacker to actually have his personal information online? I managed to get the name of an Iranian by performing a whois search.

    --
    Ooo man the floppy drive is broken. No wait. The computer is just upside down.
  54. The public image of the open source community. by CyricZ · · Score: 4, Interesting

    I think it is time for the open source community, as a whole, to better consider its public image. Incidents like this, involving one of the premier Linux vendors, do unfortunately tarnish the image of our community quite badly. And then you have rogue open source developers publicly insulting users. Such incidents make people remember open source software for all the wrong reasons.

    Now, perhaps this is just a case of amateurs being allowed to join a community that mainly consisted of academics and professionals. The high standards that the open source community once enjoyed are being degraded on a daily basis by developers who cannot write secure code (ie. many PHP developers), by developers who blatantly insult and ridicule their users (ie. the KOffice example earlier in this post), or companies that provide insecure, open source-based products.

    Is there much that can be done about this? I'm not sure.

    --
    Cyric Zndovzny at your service.
    1. Re:The public image of the open source community. by Thnikkaman · · Score: 1

      Just because someone called you an idiot who also happened to develop open source software, doesn't mean that he's a "rogue open source developer" who's tarnishing "the image of our community." Someone called you an idiot. Big whoop. Get over it.

    2. Re:The public image of the open source community. by CyricZ · · Score: 1

      The insults themselves do not bother me. What bothers me is that he threw out those insults at a KOffice user while representing himself as a KOffice developer. That, obviously, does tarnish the image and reputation of the KOffice and KDE projects, and the entire open source community.

      That incident would be no different than an Apple employee actively stating that he was working on iTunes, only to turn around and publicly insult an iTunes user. It would make Apple look horrible.

      Public insults are not the way to give the open source community a trustworthy, professional reputation.

      --
      Cyric Zndovzny at your service.
    3. Re:The public image of the open source community. by Thnikkaman · · Score: 1

      While I agree with your fundamental point, the results would not be the same. See, the thing is, nobody cares about a KOffice developer sounding off on a slashdot message board. It's not as if everyone saw him being rude and then banded together to not use KOffice. Nobody really ever saw it and even fewer people probably cared. If an Apple developer sounded off he would most likely be fired. But there's also a significant chance that more people would take interest in it, because people actually use iTunes. The point I'm going for is that even if insulting your customers/users is bad, which I agree it is, in this incident very few people saw it and even fewer could give a damn.

    4. Re:The public image of the open source community. by Anonymous Coward · · Score: 0

      Dear Karma Whore AKA CyricZ AKA 887944,

      It is people like YOU who give this community a bad name, Mister "I think it is time for the open source community, as a whole, to better consider its public image", When users learn to use the internet as a tool, to communicate with each other with a civil tongue, not be so paranoid being giving away information that in the end is only going to help themselves as a whole.

      I can never really understand when so called experts cannot help newbies who only want to understand how to use what ever it is they are trying to use. I myself contribute back to the community, not necessarily writing coding, but writing documentation --even if the information you place somewhere is not 100% accurate, someone, somewhere will look at it and make it even more accurate-- or in some other way that can get a project up off the ground. Ten to fifteen minutes of your time is nothing, and the feel good factor you get in return is almost like saving a person's life.

      No doubt some Fuck Stick of an Administrator needs to be shot for not doing their JOB properly, although will probably stick this on the new Junior Admin they just started to train.

      treats

    5. Re:The public image of the open source community. by CyricZ · · Score: 1

      I agree, the magnitude of the damage would be far greater if his insults had been printed in DDJ or the New York Times, for instance. Nevertheless, Slashdot is one of the most widely known open source community sites. And as such, his comments are quite damaging to the KOffice project's professional image.

      Building and maintaining a respectable image is necessary if they want to make inroads into the commercial, educational and consumer markets. Nobody will use their product if the developers are known as public debauchees of rudeness.

      KOffice is in a good position right now, since they have a mostly neutral public image. Incidents like the aforementioned only serve to ruin their chances of becoming one of the big names in open source, up there with Firefox, OpenOffice, Linux, Apache and Perl.

      --
      Cyric Zndovzny at your service.
    6. Re:The public image of the open source community. by Anonymous Coward · · Score: 0

      It's not an insult if it's true...

    7. Re:The public image of the open source community. by VON-MAN · · Score: 1
      Well, I agreed with him yesterday, when he called you an idiot (and I wasn't the only one, judging by the moderation). You later accepted his apology. In my opinion he didn't have to make the apology, but that's beside the point.

      But here you are again! Talking about "incidents", naming people "rogue", insulting PHP developers, naming people amateurs, etc.
      What is your problem? I can only see you tarnishing the community.

    8. Re:The public image of the open source community. by Halvy · · Score: 0

      I think it is time for the open source community, as a whole, to better consider its public image. Incidents like this, involving one of the premiere Linux vendors, do unfortunately tarnish the image of our community quite badly.

      Frankly my fellow /.'r, HARDLY ANYONE IN THE COMMUNITY GIVES A DAMN!!

      Other than the big boys like red hat and suse, the community is quite content with itself since it is NOT in it for the $$, but for the betterment of ALL!! :)

      You don't deserve to be modded 'Interesting' since you clearly foster the fud that m$ creates which doesn't really hurt 'the community' (that you claim to be a part of).

      Apparently /. is infected with more m$ spies than any of us would care to admit. :(

      --
      I will gladly lose all of life's battles.. in order to win the war..
    9. Re:The public image of the open source community. by justins · · Score: 1
      I think it is time for the open source community, as a whole, to better consider its public image. Incidents like this, involving one of the premiere Linux vendors, do unfortunately tarnish the image of our community quite badly. And then you have rogue open source developers publicly insulting users [slashdot.org]. Such incidents make people remember open source software for all the wrong reasons.

      The fact that "users" in this case was just you makes your post kind of pathetic. Nobody else cares, just so you know.
      --
      Now before I get modded down, I be to remind whoever might read this that what I am saying is FACT. - bogaboga
    10. Re:The public image of the open source community. by jistanidiot · · Score: 1

      Just to point out that OpenBSD != Linux. Distrowatch only recently started tracking BSD and their FAQ explains

      "Originally, the site covered Linux distributions only. However, after numerous requests from readers, BSDs and BSD-based projects were added to DistroWatch in May 2004. The reasoning behind this move was simple - Linux and BSDs have much in common - both are free and open source operating systems, and they both use many of the same open source packages available on the Internet. Best of all, the various BSD flavours are widely used and considered by many to be great operating systems."

      Please let's not confuse people by using the trademarked word Linux to describe all free and open source OSes.

  55. Thread on forums.suselinuxsupport.de moved ... by modicr · · Score: 1
  56. Re:Neat by Anonymous Coward · · Score: 0

    Sure, recommend SuSe to them because it has a slick user interface that unfortunately is extremely broken. Configuring LDAP? Bad. Setting up views in BIND? Broken. Adding kernel modules to the kernel bundles? Extremely broken. Putting kernel modules as not-quite-integrated chunks of separate huge software bundles like XFree86, so that to update that module you have to either over-write the RPM files or recompile the entire RPM from scratch, rather than putting them in a small separate package? Yup, they've completely mucked that up. Crippling those same SRPM's so they don't recompile without hand-editing to remove dependencies on packages that they refuse to publish, such as the kernel-spec and ghostlib-mini packages? Check, they're doing that. Insisting that all standard X login selections publish the name of every valid user account on the machine so you can just scroll down it to guess at valid users? Check, that's enforced and attempts to disable it break the update system. Fake a chroot cage for BIND, DHCP, and other services that is not only intermingled with the file sources, but absolutely relies on symlinks *OUTSIDE* of the chroot cage? Check, that security stupidity is absolutely present. Break grub-install so that the only way to re-install a grub-based boot loader is their rather broken interface that auto-flushes all added on boot variants? Yup, been doing that for at least 3 releases.

    SuSE is very glossy, but they've followed the unfortunate model of not only tweaking things to match their models, but ignoring the software author's models and breaking them, badly. That may be OK if the SuSE authors had the experience of the software authors, but when it comes to BIND and DHCP and grub, they really don't.

  57. Nope, it isn't in Iran by Toba82 · · Score: 3, Interesting

    It's not being hosted in Iran. It's hosted in the US by Virtuoso Net Solutions inc. I sent this email to abuse@virtuosonetsolutions.com yesterday about 7 PM (I sent them my real info, obviously):

            Dear Sir/Madam:
    The OpenSuSE website was defaced either today or yesterday by an Iranian
    hacker clan whose website is located on your servers. I checked the
    whois data for the hacker clan's domain (ihsteam.com):

          Majid NT
          Bl Sajjad-milad 7 no. 12
          Mashhad 8735452575
          Iran

    IP of the website (according to whois records of the ip, it is owned by
    your company):

            147.202.64.138

    References:

    http://www.opensuse.org/
    http://www.ihsteam.com/

    In case the sites above have been changed, I've attached a compressed
    archive saves of their main pages. I hope you'll see that ihsteam.com
    is in direct violation of your AUP.

            Sincerely,
            Name
            Phone
            Email

    They haven't replied yet, and the website is still up. But it IS a weekend.

    --
    I pretend to know more than I really do by mooching off google and wikipedia.
  58. Re:Neat by colemanguy · · Score: 1

    Hey, good call. How many home users need to do any of the things you mentioned? We are talking fred average who wants to check his email and type word documents and is tired of windows.

  59. It's obvious by Anonymous Coward · · Score: 0

    Well, it's much easier to hack an open-source OS, because the code is right there for you to use!

    1. Re:It's obvious by Halvy · · Score: 0

      Well, it's much easier to hack an open-source OS, because the code is right there for you to use!

      Oh REALLLY??

      When was the last time you even met someone that found it so 'EASY' to hack an oss?

      Actually the reason that unix/linux hacks are quite unusual (compared to m$), is because microsoft doesn't even have the code to secure their systems!! :)

      --
      I will gladly lose all of life's battles.. in order to win the war..
  60. Conspiracy by Anonymous Coward · · Score: 0

    wow! i think it's just a biggo conspiracy. no iranian hacker broke that site.
    it is more likely that this is the result of some black-ops cia/nsa mission.
    oil is getting really expensive and it will continue to get more expensive,
    without anybody doing anything about it. i mean everybody knows since
    ages that this is going to happen. fear is a great motivator. the us
    government is now pushing this idea that nuclear could/can solve our
    future energy needs, but not thru a direct lobbying in the own
    country because of congress. no it is better to dump the singular
    idea on a "hacked" webpage under the guise of an iranian hacker.
    the iranian hacker just voices what cheap-o politician in the
    us have been propagating for the last few years; only in america
    it was sold under the banner of the "hydrogen economy".
    think again!
    remember the weapons of mass destruction in iraq?
    remember how this war against nuclear weapons now has the WHOLE
    world in the grip of super expensive gasoline?
    internal american politics is very nasty with people with power
    without any understanding for real reality, but only human made
    economic reality ... sad to be an american now, sure!

  61. Re:OpenSUSE website Hacked? No. by gregorio · · Score: 3, Informative
    The open SuSE website wasn't hacked, it was a damn gaming machine they had on their network.

    From TFA:
    Click the "hacked" link in the submitter's text.
  62. Re:*sigh* (Vanity) by Reverant · · Score: 1
    I still will never understand why people do stupid things like hack websites.

    Vanity: Empty pride inspired by an overweening conceit of one's personal attainments or decorations.

    Source: 1913 Webster
  63. linux means choice by xmp_phrack · · Score: 1

    With SuSE 10.0, you get your choice of 5 different rootkits.

  64. Re:echo "PermitRootLogin no" /etc/ssh/sshd_config by mark_lybarger · · Score: 2, Informative

    might wanna work on your syntax a bit before posting suggestions like that. my machine responds with: PermitRootLogin ermitRootLogin no /etc/ssh/sshd_config now with something like: echo "PermitRootLogin no" >> /etc/ssh/sshd_config maybe you'll get the job done. but then again, maybe not.
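
Added example, not part of the comment above: sshd uses the first value it obtains for each keyword, and any line after a `Match` line belongs to that block, so appending `PermitRootLogin no` to the end of the file can leave root login enabled. The sketch below sets a directive so that it takes effect in the global section; the function names (`effective_value`, `set_directive`) and the sample config are constructed for illustration, and `Include` files are not followed.

```shell
#!/bin/sh
# Print the value sshd would use for KEYWORD in the global section of FILE:
# the first uncommented occurrence before any Match block.
effective_value() {
    awk -v key="$2" '
        BEGIN { FS = "[ \t=]+"; key = tolower(key) }
        { sub(/^[ \t]+/, "") }              # ignore leading indentation
        /^#/ || /^$/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Set KEYWORD to VALUE in the global section of FILE. The first existing
# occurrence is replaced in place, later global duplicates are dropped, and
# if the keyword is absent it is inserted before the first Match block
# (or at end of file). Lines inside Match blocks are left untouched.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    if awk -v key="$key" -v value="$value" '
        BEGIN { FS = "[ \t=]+"; lkey = tolower(key) }
        {
            raw = $0                        # keep the line as written
            sub(/^[ \t]+/, "")
            first = tolower($1)
        }
        !in_match && first == "match" {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && first == lkey {
            if (!done) { print key " " value; done = 1 }
            next                            # drop the old or duplicate line
        }
        { print raw }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"; then
        cat "$tmp" > "$file"                # keeps the file's owner and mode
        status=$?
    else
        status=1
    fi
    rm -f "$tmp"
    return $status
}

# Constructed sample config (not taken from any real host).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PermitRootLogin forced-commands-only
EOF
}

demo() {
    cfg=$(mktemp) || return 1
    make_sample "$cfg"
    # The corrected one-liner from the comment: the new line lands after the
    # earlier "PermitRootLogin yes" and inside the Match block.
    echo "PermitRootLogin no" >> "$cfg"
    after_append=$(effective_value "$cfg" PermitRootLogin)
    make_sample "$cfg"
    set_directive "$cfg" PermitRootLogin no
    after_set=$(effective_value "$cfg" PermitRootLogin)
    echo "after append: $after_append; after set_directive: $after_set"
    rm -f "$cfg"
}
demo
```

On a real host, run `sshd -t` to validate the edited file before reloading the daemon.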

  65. Re: The rug-pee-ers didn't do this, man by Anonymous Coward · · Score: 0

    It is incredibly unlikely that the Rug-Pee-ers (Iranians) did this. People in the West are afraid of Iranians/Iraqis/Pakistanis/Afghanis/etc. We don't understand them and know very little about them (in general, yeehaw). In order to increase the panic caused by this stupid web-'attack', the perpetrators assume the identity of these scary boogeymen instead of "Moe and Mitch" from Huntsville, Wisconsin.

    It's an old trick, designed to garner attention.

  66. Small earthquake, no one dead by FishandChips · · Score: 1

    I don't know how the hackers hacked, but OpenSUSE is a very young outfit and this may serve as a useful wake up call so that by the time they get to be big and flourishing they'll have things locked down real tight. It must be hard locking down php scripts like MediaWiki, though. Php seems to run Microsoft Windows close as a great way to get hacked.

    Anyway, as one of the main contributors to the OpenSUSE project pointed out, a few script kiddies planting half-baked slogans on a site not even appropriate for them palls beside the things elsewhere in the world that happened overnight, such as the dreadful loss of life in Bali. It's a sign of the sheer immaturity of the hackers that they should think what they're doing is important. So in hoping to publicize their cause, they're in fact just making it a laughing stock.

    Which makes them two-time losers in my book. If they are who they claim to be, of course.

    --
    Las qué passoun
    tournoun pas maï
    1. Re:Small earthquake, no one dead by Halvy · · Score: 0

      Which makes them two-time losers in my book

      Do we detect a little jealousy.. hmmm? ;)

      I mean I wish I possessed the knowledge to do what these so called 'script kids' did!

      It is NO small earthquake when ANYONE can break into one of the world's premier network OS companies (ie Novell, suse)!!

      What was then the point of your post.

      *(Note: there is no question mark at the end of my last sentence because we all understand what your 'point' was.. that was, to hear yourself speak).

      --
      I will gladly lose all of life's battles.. in order to win the war..
  67. Re:Practical upshot? Am I safe? Not from our gov't by theshowmecanuck · · Score: 1
    Does that take away your inalienable right to keep & bear arms as a United States citizen (assuming you are that is)??? ... No!

    Wrong. In most states, ex-convicts are not allowed to own guns as they have proven they are not trustworthy individuals.

    Iran, as a state sponsor of terrorism, has proven itself to be an un-trustworthy state. If they build a reactor, we should turn it into a parking lot before it is even close to operational.

    --
    -- I ignore anonymous replies to my comments and postings.
  68. "Linux is near-flawless in terms of security."? by gh0st16 · · Score: 0

    Anyone else find this hilarious? You obviously have no idea what you're talking about if you think that linux has nearly flawless security. Go home please.

  69. Why nuclear energy? by libra-dragon · · Score: 1

    Aren't they sitting on top of a shitload of oil?

    1. Re:Why nuclear energy? by Anonymous Coward · · Score: 0

      under the shah, the USA was planning to build 20 nuclear reactors in Iran. Although Iran doesn't really need it, the fastest path to being a "major player" in the world is obtaining nuclear weapons. Look what it did for India and Pakistan.

      Additionally, the money being spent is not going to America under this scenario. Rather, the Russians are providing the expertise and materials to build them. This is annoying to the US and Britain as well.

      There were several star trek TOG episodes about giving essentially retarded people weapons, and the astounding negative outcomes that result. Iran, Iraq, Saudi Arabia are all managed basically the same way they were 2000 years ago, powerful, religious patriarchies. No talking back allowed, or it's the sword.

    2. Re:Why nuclear energy? by Anonymous Coward · · Score: 0

      Problem is, it takes a shitload of oil to produce the same kind of damage a couple of kilograms of fissile material can do...

  70. Re:Practical upshot? Am I safe? Agreed man! apk by Anonymous Coward · · Score: 0

    "They would be a lot more stable if our CIA wasn't fucking with them all the time. The only reason they had their rebellion all those years ago was to throw off a puppet regiem that the united states put in after assassinating their elected leaders." - by Anonymous Coward on Sunday October 02, @02:53PM

    Agreed 110%... Ah, again, sometimes? Man, It makes me sad to be a human being... especially a U.S. citizen based one on this earth, right now.

    Especially when a VERY thinly veiled layer of shit, is attempted to be hidden by perfume (spins on the subject matter @ hand): That subject being was the U.S. gov't CORRECT in attacking IRAQ & imo? No f'ing way...

    I'm with you on some of the actions our gov't. brings upon itself - again, my prime example being that the entire "WMD" fiasco turned up to be 100% b.s. & then our 'fearless leaders' in the President, Vice President, & congress/house (senate) suddenly now say:

    "We misinterpreted the data given us"

    & point the fingers @ our CIA/FBI/NSA/ATF, etc., because to me? That's 110% BULLSHIT! We should have pulled out of there, right then, & apologized to the planet for it.

    And, those "men of steel, men of power are losing control by the hour" (quoting Phil Collins) in the CIA/FBI/NSA etc.?

    Again - They don't make the actual decisions to pull triggers, they only provided them data... & they do what they are TOLD, that is all.

    Data (again) which was "allegedly misinterpreted" & when the 1st lady herself says on T.V. here that her husband isn't much on the literacy front?

    The very person (president) who has to interpret said reports from law enforcement agencies &/or intelligence agencies the U.S.A. utilizes??

    Shit - To other U.S. Citizens, I have 1 thing to say:

    People: We have a maniac @ the helm. A child with firearms put into his hands... one that hit someone (Saddam Hussein), w/out investigating fully or properly no less... & the saddest part?

    Uh, again: Refresh my memory - wasn't it Osama Bin Laden who drove the jets into our buildings here? NOT Mr. Hussein??

    (E.G.-> And, the 'alleged ties' Hussein may or may not have had to Bin Laden? Pure speculation - I may have talked to Bill Gates, but does that make ME responsible for Windows holes? No, by no means!)

    However, proving the Bush family has had business dealings & ties with the Bin Laden clan for over 50 years++ now? Easy to do, verifiable & concrete.

    No, there's more going on people, than most people have info. on, far more... use your heads, look thru the crap & know what is what I think!

    I don't like what I see, & am ASHAMED of our gov't. in many ways... and, mostly of ourselves as U.S. Citizenry for putting up with his shit THIS LONG!

    You LIKE funding his 'war'? You like skyrocketing gas prices?? You like outsourcing running rampant & sticking you in shitty pay jobs???

    I am sure you don't. BUT, here we are - under Darth Bush & Darth Cheney's kingdom basically, complete with "patriot act" level of fear imposed on ALL in their way.

    APK

    P.S.=> I.E.-> "Good Ole' Boy" Georgie, couldn't run businesses, how can he run a nation properly, which is a MUCH larger & complex body to attempt to govern... seriously people - look @ the economic & political mess this lunatic incompetent has created in our country, & realize 1 thing: The rest of the world either pities us, or is laughing their asses off @ us, & either one? We merit... like it or not, after all, we "elected" them (another questionable resultset from anything BUSH, or need I remind folks of the Florida fiasco in his 1st term election, & also the Ohio fiasco of tons of voting machines breaking down - always in KEY states no less, each time... and the "electoral college"? Give me a break - b.s. in & of itself & unneeded. Heck, a 486 PC could count the vote with ease, SO why use the electoral college period still? Because, imo, it's easy to 'twist the arm' of some district rep, compared to twisting the arm of EVERY registered voter is why...) apk

  71. Is OpenSuSe trying to hush up things? by metalmaniac1759 · · Score: 1

    1. Their website does not mention *anything* about the break-in
    2. The first link thrown up by a Google search for "opensuse hack" is a thread on suselinuxsupport.de that, apparently, has been deleted!

    Nandz.

  72. Don't listen to fanboys by Anonymous Coward · · Score: 0

    Linux is a great operating system, my favorite in fact. But that doesn't mean I'm one of those dipshits who believes that Linux is the one true OS and never passes up a chance to proselytize. I don't see much difference between a Linux enthusiast who goes around saying "Linux is great, Linux is great! Windows sucks, Windows sucks!" and some raghead chanting "God is great, God is great! death to the infidels, death to the infidels!" Brain dead ideology is noxious in all its forms.

  73. To the Linux Bashers: by Liam+Slider · · Score: 2, Interesting

    Just a note. Anything can be hacked given enough patience, enough time, enough resources, and enough basic knowledge. There is no such thing as a 100% secure system, unless you are talking about a system that has been unplugged, encased in concrete, and sunk to the bottom of the ocean. Even then, I wouldn't be too sure. In other words, best that can be done is to make it a challenging thing to do. There is no system that cannot be penetrated by a talented hacker. This one, evidently, from what I've read, was fairly talented...not your average script kiddie.

    So lay off alright?

  74. Re:What an idiotic Iranian by kd5ujz · · Score: 1

    it could be an Alias.

    --
    -William
    God is everything science has yet to explain.
  75. Re:Practical upshot? Am I safe? Not from our gov't by Anonymous Coward · · Score: 0

    OK - What if you're not an Ex-Con?

    According to the rules, I agree... but, telling others who are NOT "known offenders" they cannot keep & bear arms (which is something being attempted in our nation time & again) is WRONG!

    Its one of the unalienable rights you are given as a U.S. Citizen. I have seen FAR larger criminals who are considered "respectable" in my time, than street thugs, felons, etc. (enron execs, or tycho execs anyone?)...

    It's all a matter of your perspective here.

    Now above all - If anyone or any gov't. body is guilty of using WMD's? It's us!

    (Or, has the the Nagasaki & Hiroshima bombings escaped your memory??)

    Sure, we warned them, & even gave them a demo of them iirc, & I mentioned it last post of mine... but, does it make it right actually USING those weapons (Atomic bombs)?

    I still think not. No way...

    APK

    P.S.=> IRAQ is untrustworthy? WELL, Who says so??

    Our "fearless leaders" in the House/Senate (Congress) & President + Vice President??

    Hmmm, wasn't it our gov't. (who pointed the finger UNFAIRLY @ the "intelligence community" (CIA/NSA/FBI etc.)) the ones who proved "untrustworthy" by 'misinterpreting' (admittedly on their part) the info. on WMD's?

    Yes, it was... they f'd up, huge.

    No questioning it, they publicly admitted to it... to the rest of their prowess in governing a nation? I have to say 1 set of things:

    1.) Do you like financing this 'righteous' (sarcasm) war?

    2.) Do you like skyrocketing gas prices??

    3.) Do you like an economic climate that breeds pestilence (e.g.-> Crime because people who are working class turn to drug dealing & such out of desperation (not always, but many times so)) & outsourcing runs rampant taking away GOOD paying jobs from American workers??

    Nobody can tell me in regard to point #3, that American workers are "lazy" & overpaid - we work harder & longer hours than ANYONE on the planet... I know so, I am one of that bunch! apk

  76. Linux hacked more often than Windows by Anonymous Coward · · Score: 0

    Linux hacked more often than Windows - the title of an article posted on ZDNet (http://www.zdnet.com.au/news/software/0,2000061733,39116229,00.htm)

    Sorry to breach the bad news guys.

  77. -1 Flamebait??? by Hosiah · · Score: 1

    How'd that moderation get past the Ubuntu Mafia?

  78. Re:OpenSUSE website Hacked? No. by Arkaic · · Score: 0

    Two separate issues. Two different servers. www.opensuse.org was not on the gaming server which had been used to scan other hosts.

  79. Re:Practical upshot? Am I safe? Not from our gov't by theshowmecanuck · · Score: 1
    Why do people like you always back the criminals?

    RE: (Or, has the the Nagasaki & Hiroshima bombings escaped your memory??)

    I suppose you would like to go to the memorial services each year in Nagasaki & Hiroshima? Do you ever think about the Nanking massacre? How about Japanese war crimes? A quote from the article:

    These events are often compared to similar suffering imposed by Nazi Germany during 1933-45. The historian Chalmers Johnson has written that:

    It may be pointless to try to establish which World War Two Axis aggressor, Germany or Japan, was the more brutal to the peoples it victimised. The Germans killed six million Jews and 20 million Russians; the Japanese slaughtered as many as 30 million Filipinos, Malays, Vietnamese, Cambodians, Indonesians and Burmese, at least 23 million of them ethnic Chinese. Both nations looted the countries they conquered on a monumental scale, though Japan plundered more, over a longer period, than the Nazis. Both conquerors enslaved millions and exploited them as forced labourers -- and, in the case of the Japanese, as [forced] prostitutes for front-line troops. If you were a Nazi prisoner of war from Britain, America, Australia, New Zealand or Canada (but not Russia) you faced a 4 per cent chance of not surviving the war; [by comparison] the death rate for Allied POWs held by the Japanese was nearly 30 per cent.[1]

    Other sources claim the Japanese military was responsible for the deaths of more than 20 million non-combatants during 1937-45, although all such figures are controversial.

    I don't care how or why Hussein was removed from power... I am just glad he was. Same will go for Iran's reactors if they build them... and Iran itself... if they build a bomb.

    OK... I'll stop feeding the troll now... I... just... couldn't... help... it.

    --
    -- I ignore anonymous replies to my comments and postings.
  80. "If there were no hackers?" Get real. by loqi · · Score: 1

    Just a reply to all the replies I've seen thus far to the parent. Your comparisons are poor for a few reasons.

    Murder and bank robbery always negatively affect someone. Removal of life and removal of property and all that. Hacking/cracking/whatever-you-want-to-call-it sometimes involves property damage of a sort, if the hacker actually does do any real damage.

    A much better comparison would be "people that break into your house". If real life reflected cyberspace, there would still be essentially murderers and thieves trying to break into places, and there would also be people hopping through your window at night to leave a sticky-note on your coffee table that reads, "Window latch is broken, you really oughta fix that." People that, for fun, are trying to circumvent the security of others, simply for the thrill and opportunity to improve said security.

    So, let's come around to, "if nobody hacked, we wouldn't have this problem!" Seriously. In reality, there will always be an incentive to break into stuff, to steal, to cause various sorts of trouble. This incentive will create a certain type of hacker; it's not as if all the "bad" hackers were once "good" and then realized all the harm they could be doing. The bad apples were created in exactly the same way most criminals are created. Some guy with a passion for computer security is a different breed of "hacker" than an organized crime syndicate. Don't confuse the former with the latter, and don't act like they're part of the problem.

    They're not.

    --
    If other reasons we do lack, we swear no one will die when we attack
    1. Re:"If there were no hackers?" Get real. by Cyn · · Score: 1

      I'm fairly anti violence.

      If I woke up one day to realize someone had just popped into my house overnight, without my knowing, I would go fix whatever weak spot they used to get in. Then I would buy weapons. Then I wouldn't sleep at night.

      Nobody got hurt!

      --
      cyn, free software and *nix operating systems enthusiast.
    2. Re:"If there were no hackers?" Get real. by loqi · · Score: 1

      If I woke up one day to realize someone had just popped into my house overnight, without my knowing, I would go fix whatever weak spot they used to get in. Then I would buy weapons. Then I wouldn't sleep at night.

      So what you're essentially saying is that ignorance is bliss. Fair enough, but not a popular meme around these parts.

      Nobody got hurt!

      Are you facetiously implying that those who forcefully visit knowledge upon you are disrupting your bliss, and are therefore "hurting" you? (An honest question, I couldn't read the intent of your last sentence).

      --
      If other reasons we do lack, we swear no one will die when we attack
    3. Re:"If there were no hackers?" Get real. by Cyn · · Score: 1

      So what you're essentially saying is that ignorance is bliss. Fair enough, but not a popular meme around these parts.
      No I was strictly relating this to the real-world example given, as the parent poster used - pointing out that it was not the same at all. My problem with the parent poster was - essentially - you don't need to slip in through the window and leave a note on my coffee table, to warn me about the latch. Here's a crazy idea - tell me the next day, in person - or leave a note outside. We have this material called "glass" on lots of our homes. It's not there because it's a great protector. Obviously anyone CAN get into your home if they want - that's not the point, it's that people don't.

      The parent poster was suggesting that we should just pop around into our neighbors to see if anything's wrong, and if there is - feel free to just enter their home and leave a note. This is not socially acceptable or responsible. In the real world, you tell them under reasonable terms - and the same should go for the digital world. You don't need to exploit the latest buffer overflow in FOO to warn someone that they're vulnerable to it.

      --
      The "nobody got hurt!" was referring to the tearing down of all the perceived comforts our 'civilized society' provides, things like... sleeping well at night despite having glass windows on all sides of your house. Just because you can do something, doesn't make it right.

      --
      cyn, free software and *nix operating systems enthusiast.
  81. last night? by Anonymous Coward · · Score: 0

    seems the dates on the articles are 9/29/05, the post is 10/02/05, that's hardly last night. i guess the mods/posters, can't read(dupes), tell time, or do basic math...

  82. OMG Hacked by pawnroot · · Score: 1

    ...The poor children.

  83. Re: Novell OpenSUSE Server not Hacked by Anonymous Coward · · Score: 0

    > Novell OpenSUSE Server Hacked, said CmdrTaco

    Actually the header is incorrect. A server belonging to Novell got hacked - not the official OpenSUSE site. A big difference you would agree, CmdrTaco.

  84. Camel Jockies have PC's? by Anonymous Coward · · Score: 0

    hmm... wired.

  85. How secure by default? by starfishsystems · · Score: 3, Informative
    Isn't this [poor administration] the same flaw Windows has?

    It's a reasonable question to ask.

    Yes, fundamentally it's true that configuration management has a significant effect on security. To be precise, this is not a flaw, but a characteristic. A site which is in full control of system configuration will have formal security advantages over one which isn't, and this is universally true regardless of platform.

    However, the story is told from a much different perspective when it comes to evaluating the security of a given platform. Configuration remains a major factor in security, but it has to be weighed in light of platform capability. So, for example, a very simple network appliance with a very small configuration space has the prospect of being very secure. An ideal appliance cannot be configured insecurely. In practice, that may or may not be the case, depending as always on design tradeoffs and correctness of implementation.

    Apart from pure appliances, all computing platforms must, for reasons of generality, offer configuration possibilities that put some security tradeoffs in the hands of site administrators. Such is the case for both Linux and Windows, so indeed poor administration can always result in poor security on a sufficiently general platform.

    The practical focus, therefore, has turned to how securely these platforms are configured by default. Interestingly, even though Windows is marketed for nonexpert use, it has a long tradition of being configured insecure by default, exactly the opposite of what would be appropriate for a nonexpert market. It also, in my opinion, embodies a lot of fundamentally insecure design tradeoffs, neglecting principles such as modularity, containment, and least privilege, for example. These are extremely deep design problems, not easily fixed.

    Linux and Unix, although designed by developers for developers, and therefore intended for expert use, have a record of delivering much better security by default. I can think of lots of particular exceptions, but they have tended to be minor design tradeoffs that could be, and were, easily corrected. Security incident statistics seem to reinforce these observations very strongly.

    In my line of work, I get to see what goes on behind the scenes at a lot of sites. It's not often that I come upon a site which is not suffering to some significant degree from a chronic neglect of configuration management. All discussion of platform characteristics aside, this is a real problem on the ground for security.

    The issue, in terms of value for effort, then becomes to identify which of these sites is (a) at most immediate risk, and (b) has the best potential of improvement. In the former case, I find that the answer is Windows, and in the latter, it's Linux.

    --
    Parity: What to do when the weekend comes.
  86. microsoft.com doesn't run Windows by a.d.trick · · Score: 1

    I don't blame them though

    1. Re:microsoft.com doesn't run Windows by cbiltcliffe · · Score: 1

      Uuuhhh, yes, it does.

      http://uptime.netcraft.com/up/graph?site=microsoft.com

      Which isn't to say it's not a stupid idea, but still....

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    2. Re:microsoft.com doesn't run Windows by WillerZ · · Score: 1

      However, akamai doesn't run windows, and that's usually what you'll be talking to (at least from outside the US).

      --
      I guess today is a passable day to die.
    3. Re:microsoft.com doesn't run Windows by cbiltcliffe · · Score: 1

      True, but that's not microsoft.com, is it?

      Besides, netcraft is in the UK, and they always pick it up as Windows.

      I think the best one I've seen was microsoft.ca a few years ago. It was actually running Apache/Linux for a year or more. Microsoft has juggled their hosting packages around that domain name a few times since, and now they're finally hosting it themselves.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  87. Re:echo "PermitRootLogin no" /etc/ssh/sshd_config by vieux+schnock · · Score: 1

    Yeah, my bad. Slashcode considered my "greater than" > > as some sort of html tags and deleted it.

  88. Re:Practical upshot? Am I safe? Not from our gov't by burgess · · Score: 1

    And the Catholic Church incinerated around seven million women during the Inquisition. Shall we round them up too?

    (I'm not saying the modern Catholic Church is just as bad; if you like that kind of logic - oh, you ARE in the right forum! never mind)

  89. Re:Practical upshot? Am I safe? Not from our gov't by Anonymous Coward · · Score: 0

    "Why do people like you always back the criminals?" - by theshowmecanuck (703852) on Sunday October 02, @05:33PM

    Funny how people like you are easily duped by the TRUE criminals... You know:

    The ones that CONVENIENTLY 'misinterpreted' data given them by agencies of law enforcement (and admitted to it, but did not have the grace & conscience to withdraw from IRAQ once having admitted their mistake publicly) in the CIA/NSA/FBI etc., here in THIS nation, & continue to profit by their "righteous" war, that tells others how to live etc. & what "Freedom" is...

    Very funny!

    "OK... I'll stop feeding the troll now... I... just... couldn't... help... it." - by theshowmecanuck (703852) on Sunday October 02, @05:33PM

    Ahem, yea! OK, I agree - same to you. I wonder if you also went to those memorials? If so, great, I have not had the opportunity myself, though having travelled fairly extensively.

    Also funny from you?

    How you just "glossed over this" from my first post you replied to, a quote of mine:

    "(That is, unless they have a proven track record of wrongdoing on YOUR part in your neighbors in YOUR community, dangerous wrongdoing to others on YOUR part (this is purely relative too, depends on who's looking) but the point's there imo @ least)." - by Anonymous Coward on Sunday October 02, @02:19PM (ME)

    LOL! I laugh, because I cover this point of yours below with that above from myself, but you conveniently skimmed over it:

    "Wrong. In most states, ex-convicts are not allowed to own guns as they have proven they are not trustworthy individuals." - by theshowmecanuck (703852) on Sunday October 02, @03:49PM

    Did I, or did I not, cover THAT in my init. posting (see the quote above yours)? Who the HECK did you think I meant in my quote above, anyhow??

    Read 'em & weep!

    * :)

    READ CLOSER NEXT TIME, ok? I covered your initial point, right off the bat - skimming only did you in!

    APK

    P.S.=> Heck - You're just like "Good Ole' Boy" Georgie Jr., & Darth Cheney (as well as the Congress (House/Senate)):

    RATHER conveniently overlooking data I provided, or otherwise misinterpreting it, with that statement from you initially in reply to myself as you have.

    OR, are those NOT your words in reply to my own? Seems to have YOUR name attached to that 3rd quote now, doesn't it??

    As you see, your init. point?? COVERED well by myself - I already stated that anyone that's dangerous (inclusive of felons & such or other violent crime offenders (ESPECIALLY THE LATTER & only if they started things, quite another story if they really didn't imo) though I didn't state that specifically) shouldn't have a gun...

    Again - it's VERY convenient for you to overlook that quote of mine too isn't it?

    Perhaps you have ADD?? Do you?? apk

  90. Re:Practical upshot? Am I safe? Not from our gov't by theshowmecanuck · · Score: 1
    I'm not sure what your point is. The OP brought up that America was wrong to drop the atom bomb on Japan. The OP was using this to claim that America and the Europeans have no moral authority to deny Iran the use of nuclear power... even though currently Iran is a sponsor of terrorism, and 65 or so years ago, Japan was even worse. So in direct response to a point brought up by the OP, I pointed out that in the context of what the Japanese were capable of during WWII, dropping the atom bomb was no worse. (Unlike your response that seems to be something from out in left field... that took place 500 to 900 years prior and has no bearing on current politics.) In fact, dropping the atom bombs was probably a lot more merciful than what the Japanese did to their enemies (considering they tortured and murdered more than 20 million more civilians, POW's, and slave laborers than were killed by the atom bombs). It also probably ended the war a lot more quickly, and ultimately prevented far more bloodshed.

    I don't understand why many people now-a-days seem to side with the criminals and not the victims. Why else would the OP seem to try to raise sympathy for Iran (sponsors of Hezbollah) by trying (boo hoo) to show how one of the most brutal war-like societies in modern history (Japan of the 30's and 40's) was sooooo hard done by. I suppose you think that Japan was just misunderstood? Maybe they were all abused as children and it wasn't their fault they raped, tortured, murdered millions of Koreans and Chinese and Filipinos and ... Or maybe Iran is just having some fun supplying explosives to brainwashed college kids to strap on and blow up Israelis with? But maybe we can't see that because we're from another culture and are just too narrow minded to understand? Come on, enough with political correctness already. All you need to understand is that until Iran moves their human rights to the 21st century, they have no business having nuclear programs. Political correctness is ridiculous in these circumstances. If I have a choice of generalizing, not letting them have nuclear power, and for sure not being nuked by a terrorist; or giving a state with a known track record of terrorism the capability of building a nuclear bomb, I will generalize night and day... and support those who want to keep nuclear capability out of Iran's hands.

    --
    -- I ignore anonymous replies to my comments and postings.
  91. Two can play at that game. by Anonymous Coward · · Score: 0

    The U.S. government dropped two atomic bombs on cities filled with civilians. They dropped toxic chemicals on Vietnamese villagers. They've propped up fascist dictators across the planet. They're raping young children in Iraqi jails.

    Yeah, that's exactly who *I* want to have nukes.

    Let's face it, the United States is a major problem. It has been for decades.

  92. o_O by Blaaguuu · · Score: 1

    What kind of backwards logic is that?

    If we didn't have hackers, we wouldn't need "things such as online shopping and ssh encryption etc".

    Of course this is no perfect world, and we do have hackers... but that's quite a stretch, trying to justify their existence.

    --
    My hand touched her hand. Her hand touched her boob. By the transitive property, I got some boob! Algebra is awesome!
  93. Openness by RichiP · · Score: 1

    In the spirit of openness, I hope that Novell releases information about the crack. How it happened, what was compromised, what information can lead to the perpetrators.

    Now that they've already been "hacked", as much information as can be gleaned should be disseminated so we would know how to avoid this. If we're using OpenSUSE products, we'd like to know how to protect ourselves and provide a test that would hack into our systems to make sure any solutions are really working.

  94. Novell needs to change the name by DiamondGeezer · · Score: 1

    I would suggest "WideOpenSuSE"

    --
    Tubby or not tubby. Fat is the question
  95. Re:Practical upshot? Am I safe? Not from our gov't by kundor · · Score: 1

    The United States, as a state sponsor of terrorism, has proven itself to be an untrustworthy state. Since the US already has many reactors, should it be turned into a parking lot?

  96. did you mean... by pikine · · Score: 1
    "All your craniums are belong to us!"
    Some things cause more brain damage than others.
    --
    I once had a signature.
  97. Re:Practical upshot? Am I safe? Not from our gov't by bornbitter · · Score: 1
    You have interesting logic and have come to some really good conclusions, but I think you need to look at it fairly from BOTH points-of-view, (very un-slashdot-like, I know, but try it).

    Put yourself in the president's position; because of the past president the international community doesn't take you seriously when you threaten action. Most everyone, including your own advisors and intelligence agency, (and need I mention- the country in question), claim that a *certain country* has biochemical wmd's and are willing to use them. There is even past evidence of wmd's and past use of them on that country's own civilians. The past president and the UN threatened military actions against that country if they did re-start their wmd programs or continue human-rights violations, both of which they have done, largely with impunity; failure to enforce this promise on your part will cripple your ability to enforce international policy in the future.

    There is more, but I will not bore you. Looking at this information and knowing that leaders MUST make decisions before they know all the facts, (if they ever do); what would you do?

    As for the atomic bombs, most of the radiation dissipated quickly because it was an air-burst explosion, and there were interesting circumstances on that one too. The Japanese were actively training their civilians to fight, (women, children, anyone able to hold a knife or stick - anyone able to kick, bite, hit). Remember, these are people with a fierce honor system and religious loyalty to the emperor, (who was seen as the son of god by them). The president saw casualty estimates and decided to act. Personally, I would probably do the same. Was it horrible? Only the devil could answer no. Of course it was.

    I am not advocating or endorsing war or nuclear holocaust of any kind, but I also know how worth while the 'monday-morning quarterback' is and it is just about as much as the duke I flush every day.

    The fact is, these both happened. Learning from history is important, yes, but let's get out of the situation before we tear the nation apart. Protest is great. Dialogue is great, just don't cripple the war effort and the support for our troops. Your brother may be home, but so many others are not. Remember; they read our media and react to the encouragement they find there. (ie:Bush Approval ratings Hit Basement! Iraq War A Losing Battle, Thousands of Troops Die!)

    The number one rule in international politics is cover your own ass first. If you are eradicating starvation in Africa, but your own people are killing each other, it will do you no good. Think of it another way; the best defense is a good offence, right? How many terrorist attacks have happened on US soil since we attacked Afghanistan and Iraq? Right, now how many happened in the eight years prior to that? Yeah. Makes sense, doesn't it?

    The bottom line is this; Not only do I care about the people suffering over there, but I CAN care, and I am STILL HERE to care. Not only that, but this post and yours have NOTHING to do with the above article... why did I write this here???

    --
    "Our Constitution was made only for a moral and religious people. It is wholly inadequate to govern any other" -John Ada
  98. LOL!! by toadlife · · Score: 1

    Hilarious! My new sig has arrived!

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  99. PR Perspective by abscondment · · Score: 1

    Oh, yeah?

    Try telling that to SCO.

    They seem to be doing just fine running Linux. Hope they don't accidentally involve themselves in their automatic lawsuit machine...

  100. Obscurity is a plus by Pan+T.+Hose · · Score: 0

    1: change default ssh port

    Security through obscurity doesn't work. A port scan would find your sshd soon enough.

    But an automated worm would miss you. And that's the point.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."