I use SpamAssassin, combined with some scripts available here. Since I implemented this system last month, I have gotten exactly one piece of spam, and it got through because the body contained nothing except a URL.
> "If you see a product more than a couple of times on e-mail, that means that product is selling," Finn said. "No one would be sending it repeatedly if it was not selling"
Would someone please tell that to the 419ers that are flooding my mail server?
> So these dangerous exploits were found by a source code review (as opposed to a script kiddy striking it lucky), which was only possible due to the open source nature of CUPS.
"Script kiddie striking it lucky"? Last I checked, script kiddies don't discover security holes. The let other people do that then download working exploits and once in a while one of them is simple enough to be operated without a brain.
> Now that this advisory has taught hackers how to compromise a great many lunix machines
Read the advisory. There's just the mention of the vulnerablity, no published exploit. Overlap the group of people capable of understanding the vulnerability and writing an exploit for it with the group of people who would waste their time doing so, and you're left with a very small number.
> isn't it worth considering that CUPs would have been so much more secure had it been a closed source project? It's simple logic that only the most blatant troll could disagree with; source closed --> exploits never found --> hackers can't exploit CUPs.
Reverse engineering? Cracking a machine that contain the source code? Intercepting communications between developers? Security through obscurity doesn't work, period. I can go on for days about that, but there are people far more articulate than I who would be happy to do so.
Looks like another most-of-the-nighter upgrading CUPS, installing espgs because the version of cups I had installed didn't require it, recreating the configuration files that the @#$%^! installer just overwrite, and making the standard offerings to Cthulhu so the blasted thing will figure out where pstoraster is located. Of course, it will be my fault if someone manages to get a shell account on the router/firewall/printserver and proceeds to trash the read-writable netbios shares that my family is too lazy to set a password on. Isn't being a sysadmin great?
I can't resist the urge to make the first non-anonymous post on this thread, but I'm going to try to keep this from being totally meaningless by suggesting that so few comments are being posted because everyone else is busy seeing the movie./me kisses his karma goodbye.
First let me give you some background on my technological upbringing.
I was born in 1985. My father was a salesman for Sun, which was still a private company at the time. We got our first PC when I was 2 years old, running MS-DOS with 1MB of memory. As soon as I learned to read, my mother bought me a book on QBASIC and taught it to me during the summer after kindergarten. On my own initiative, I learned a few other languages, namely C. In '99, I got my own computer, running 98SE. A few months later, a friend at the place I volunteer evangelized me with Linux and I immediately set aside half my drive and installed SuSE. Today, I have my entire drive dedicated to LFS.
In retrospect, I never would have had the patience to learn Linux if I hadn't known a programming language. By learning to program, you learn how pieces of the system interact with one another. You learn the concept of directory structure. You learn the boundary between a program and the operating system. You learn why things crash. You learn why programs written for one operating system won't run on another.
So, if you want your kids to adapt to Linux, teach them to program - preferably a compiled language, but even QBASIC is fine. Once they've been programming for a few months, they'll learn all the skills they need in order to adapt to any piece of software you throw at them. They'll understand why you can't run Linux and pop in a Halflife CD and have it run. This, combined with some by-the-book indoctrination into open source, should be all they need.
At my old school, there were about 150 computers, all on one subnet, all running NT 4. So one day I discovered NET SEND *. I couldn't stop laughing for a week.
No, I'm an LFSer so I compiled it myself. However, I can't find any evidence that the cracker actually bothered with my system. No warez, no modified passwords, nothing suspicious in the logs, no suspicious timestamps. Of course, none of this really means anything since I was negligent enough to compile sendmail as root and root can reverse any of the above. For all I know,/usr/bin/insert_obscure_utility_here has been modified to make me a drone in a future DDoS.
On the bright side, I tested the malicious code and it seems to error out on my system, but I can't be sure since port 6667 on Eli's system is no longer open.
Oh, and Eli - perhaps the cat is responsible. My port scan of you indicated no obvious vulnerabilities unless your OpenSSL is unpatched. But Snuffy has physical access, no? Also, perhaps you might want to put a disclaimer on your webpage?
Yup, I got slimed, and I'm not an easy person to slime. This dude is the first person ever to get one up on me. But I'll have my revenge. I diffed the malicious source tree with the authentic one and found the malicious code. It looks amazingly innocuous until you base64 decode the shell script:-). His IP address is 66.37.138.99.
Let's set aside for a moment the question of whether these games teach what they're intended to teach and take it as a given that they do. I still have an issue whis this: what the hell is wrong with the time-tested pencil-and-paper homework assignments? The students will tell you that they're boring. Students will find homework boring for one or both of two reasons: either it's too easy or the student isn't interested in learning what's being taught. In the former case, changing the format of the presentation isn't going to help anything. The latter case can be broken down into two subcases: either the material really is trivial, or it's valuable but the student is too indolent to bother learning it. In the former subcase, changing the presentation format still doesn't help. In the latter case, changing the presentation _may_ get the student to learn the material, but this has one nasty side effect: it teaches them absolutely wretched study habits. It tells them that it's okay not to give a damn about learning and that if we want them to learn something that they're entitled to a dumbed down presentation laced with eye candy that costs millions of dollars to put together. And as soon as they don't get that, they'll rebel.
>1 gallon of gasoline will pollute 1,000,000 gallons of water to undrinkable levels
I'll take your word for it that this is the standard set by the EPA, but if someone told me that my glass of water contained two parts per million of gasoline, I don't think I'd be deterred from drinking it.
If you've studied your calculus, you'll know that anything that can be done in polynomial time can be done faster than in exponential time after a certain length. Since we're talking order of magnitude, it doesn't really _matter_ what the polynomial exponent is as long as it's a constant. Formally, for any constants {a,b}, there exists an n such that a^n > n^b. Therefore, for any NP-complete cryptosystem, it is possible to create a key length such that it will take any desired number of times longer to crack the system than to use it normally.
I'm having some trouble believing that in two years there will be a consumer chip 100 times as fast as the ones today. Moore's law would say that it will be twice as fast. I'd believe 5 times and maybe even 10. But not 100. ZDNet is way too gullible.
I'm not quite seeing your logic here. I'm harshly criticizing an article that advocates Linux. You talk as though I'm slamming Microsoft while blindly supporting Linux.
"The Unix servers took 17 hours to calculate how much cash the bank needed in reserve to offset its investment risk. The Linux servers made the same calculation in 11 minutes."
I really don't appreciate that statement. Clearly, the hardware upgrade was the primary factor in the speed increase. USA Today tries to make it sound like it was all because of Linux. Absolutely detestable journalism.
Linux Boot CD are not difficult to write. Here's how you can write your own in a few hours:
1. Compile the system. There's a fanastic guide at linuxfromscratch.org. 2. Set the fstab up to place all read-write
hierarchies on a tmpfs filesystem. This include tmp, var, and portions of etc. Have copies of the
initial state of thse filesystems in a separate directory on the CD and set the bootscripts up to untar them at bootup. 3. Compile a highly compatible kernel. Basically, enable most things that cannot be compiled as modules and compile all modules. 4. Use devfs with compatibility links. it cuts down on confusion as to what devices exist. 5. Create an ISO of the filesystem, being sure to enable all options required for bootable CDs. 6. Install lilo into the boot sector of the ISO. 7. Burn the CD. 8. Reboot and pray.
Slashdot Mirror
discovery.com wants to set a cookie. Do you want to allow it?
No, I most certainly do not.
www.discovery.com wants to set a cookie. Do you want to allow it?
No, I most certainly do not.
This page requires flash. Click ok to download the plugin.
[Cancel].
Bye.
I use SpamAssassin, combined with some scripts available here. Since I implemented this system last month, I have gotten exactly one piece of spam, and it got through because the body contained nothing except a URL.
> "If you see a product more than a couple of times on e-mail, that means that product is selling," Finn said. "No one would be sending it repeatedly if it was not selling"
Would someone please tell that to the 419ers that are flooding my mail server?
Yup. But until I apt-get a life, I'm not parting from LFS :-)
Alright I'll feed the trolls.
> So these dangerous exploits were found by a source code review (as opposed to a script kiddy striking it lucky), which was only possible due to the open source nature of CUPS.
"Script kiddie striking it lucky"? Last I checked, script kiddies don't discover security holes. The let other people do that then download working exploits and once in a while one of them is simple enough to be operated without a brain.
> Now that this advisory has taught hackers how to compromise a great many lunix machines
Read the advisory. There's just the mention of the vulnerablity, no published exploit. Overlap the group of people capable of understanding the vulnerability and writing an exploit for it with the group of people who would waste their time doing so, and you're left with a very small number.
> isn't it worth considering that CUPs would have been so much more secure had it been a closed source project? It's simple logic that only the most blatant troll could disagree with; source closed --> exploits never found --> hackers can't exploit CUPs.
Reverse engineering? Cracking a machine that contain the source code? Intercepting communications between developers? Security through obscurity doesn't work, period. I can go on for days about that, but there are people far more articulate than I who would be happy to do so.
Looks like another most-of-the-nighter upgrading CUPS, installing espgs because the version of cups I had installed didn't require it, recreating the configuration files that the @#$%^! installer just overwrite, and making the standard offerings to Cthulhu so the blasted thing will figure out where pstoraster is located. Of course, it will be my fault if someone manages to get a shell account on the router/firewall/printserver and proceeds to trash the read-writable netbios shares that my family is too lazy to set a password on. Isn't being a sysadmin great?
I can't resist the urge to make the first non-anonymous post on this thread, but I'm going to try to keep this from being totally meaningless by suggesting that so few comments are being posted because everyone else is busy seeing the movie. /me kisses his karma goodbye.
Reminds me of this thread.
It's very tempting for me to turn this into a gun control flame war, but I'll restrain myself...
First let me give you some background on my technological upbringing.
I was born in 1985. My father was a salesman for Sun, which was still a private company at the time. We got our first PC when I was 2 years old, running MS-DOS with 1MB of memory. As soon as I learned to read, my mother bought me a book on QBASIC and taught it to me during the summer after kindergarten. On my own initiative, I learned a few other languages, namely C. In '99, I got my own computer, running 98SE. A few months later, a friend at the place I volunteer evangelized me with Linux and I immediately set aside half my drive and installed SuSE. Today, I have my entire drive dedicated to LFS.
In retrospect, I never would have had the patience to learn Linux if I hadn't known a programming language. By learning to program, you learn how pieces of the system interact with one another. You learn the concept of directory structure. You learn the boundary between a program and the operating system. You learn why things crash. You learn why programs written for one operating system won't run on another.
So, if you want your kids to adapt to Linux, teach them to program - preferably a compiled language, but even QBASIC is fine. Once they've been programming for a few months, they'll learn all the skills they need in order to adapt to any piece of software you throw at them. They'll understand why you can't run Linux and pop in a Halflife CD and have it run. This, combined with some by-the-book indoctrination into open source, should be all they need.
Overall, I'm satisfied with this book, but there are a few annoyances:
*When they say "by example", they mean it! The discussions are quite brief - most of the book is sample code.
*I could do without the chapter on makefiles. It's not very informative and doesn't mention GNU autotools. You're much better off RFTM.
*Likewise, the RCS chapter is a waste. Does anybody actually use RCS anymore?
*The information on Berkeley DB is very outdated.
The rest of the book is quite useful, but I'd recommend the Linux Programming Bible instead.
At my old school, there were about 150 computers, all on one subnet, all running NT 4. So one day I discovered NET SEND *. I couldn't stop laughing for a week.
No, I'm an LFSer so I compiled it myself. However, I can't find any evidence that the cracker actually bothered with my system. No warez, no modified passwords, nothing suspicious in the logs, no suspicious timestamps. Of course, none of this really means anything since I was negligent enough to compile sendmail as root and root can reverse any of the above. For all I know, /usr/bin/insert_obscure_utility_here has been modified to make me a drone in a future DDoS.
On the bright side, I tested the malicious code and it seems to error out on my system, but I can't be sure since port 6667 on Eli's system is no longer open.
Oh, and Eli - perhaps the cat is responsible. My port scan of you indicated no obvious vulnerabilities unless your OpenSSL is unpatched. But Snuffy has physical access, no? Also, perhaps you might want to put a disclaimer on your webpage?
Yup, I got slimed, and I'm not an easy person to slime. This dude is the first person ever to get one up on me. But I'll have my revenge. I diffed the malicious source tree with the authentic one and found the malicious code. It looks amazingly innocuous until you base64 decode the shell script :-). His IP address is 66.37.138.99.
Let's set aside for a moment the question of whether these games teach what they're intended to teach and take it as a given that they do. I still have an issue whis this: what the hell is wrong with the time-tested pencil-and-paper homework assignments? The students will tell you that they're boring. Students will find homework boring for one or both of two reasons: either it's too easy or the student isn't interested in learning what's being taught. In the former case, changing the format of the presentation isn't going to help anything. The latter case can be broken down into two subcases: either the material really is trivial, or it's valuable but the student is too indolent to bother learning it. In the former subcase, changing the presentation format still doesn't help. In the latter case, changing the presentation _may_ get the student to learn the material, but this has one nasty side effect: it teaches them absolutely wretched study habits. It tells them that it's okay not to give a damn about learning and that if we want them to learn something that they're entitled to a dumbed down presentation laced with eye candy that costs millions of dollars to put together. And as soon as they don't get that, they'll rebel.
Ronald Rivest, creator of MD5 and RC5, wrote an excellent paper on this topic. It is available here.
>1 gallon of gasoline will pollute 1,000,000 gallons of water to undrinkable levels
I'll take your word for it that this is the standard set by the EPA, but if someone told me that my glass of water contained two parts per million of gasoline, I don't think I'd be deterred from drinking it.
...but they'll be hard-pressed to beat last year's Leonids.
I'm not sure what you meant by that last line, but you're wrong. Your argument is the converse of the argument made, which doesn't follow.
If you've studied your calculus, you'll know that anything that can be done in polynomial time can be done faster than in exponential time after a certain length. Since we're talking order of magnitude, it doesn't really _matter_ what the polynomial exponent is as long as it's a constant. Formally, for any constants {a,b}, there exists an n such that a^n > n^b. Therefore, for any NP-complete cryptosystem, it is possible to create a key length such that it will take any desired number of times longer to crack the system than to use it normally.
I'm having some trouble believing that in two years there will be a consumer chip 100 times as fast as the ones today. Moore's law would say that it will be twice as fast. I'd believe 5 times and maybe even 10. But not 100. ZDNet is way too gullible.
I'm not quite seeing your logic here. I'm harshly criticizing an article that advocates Linux. You talk as though I'm slamming Microsoft while blindly supporting Linux.
"The Unix servers took 17 hours to calculate how much cash the bank needed in reserve to offset its investment risk. The Linux servers made the same calculation in 11 minutes."
I really don't appreciate that statement. Clearly, the hardware upgrade was the primary factor in the speed increase. USA Today tries to make it sound like it was all because of Linux. Absolutely detestable journalism.
You can legally (?) get all the infocom games at latz.org
1. Compile the system. There's a fanastic guide at linuxfromscratch.org.
2. Set the fstab up to place all read-write hierarchies on a tmpfs filesystem. This include tmp, var, and portions of etc. Have copies of the initial state of thse filesystems in a separate directory on the CD and set the bootscripts up to untar them at bootup.
3. Compile a highly compatible kernel. Basically, enable most things that cannot be compiled as modules and compile all modules.
4. Use devfs with compatibility links. it cuts down on confusion as to what devices exist.
5. Create an ISO of the filesystem, being sure to enable all options required for bootable CDs.
6. Install lilo into the boot sector of the ISO.
7. Burn the CD.
8. Reboot and pray.