is it possible to make a "binary sub-distribution" from gentoo? Consider this situation: i have a lot (>100) of appliances with small footprint (~50-100MB, e.g. on USB-stick) with nearly identical hardware. I would like to run gentoo, but i do NOT want to install a compiler. Instead i would like to compile on a "master" system and then distribute binary packages for installing/updating the appliances.
In other words i want to check out a binary distribution from gentoo according to a special hardware profile.
Any hints on how to do that? As an absolute gentoo-beginner, i was not even able to install gentoo without gcc (okok, it's a source distro...).
Just in case you are serious: You need tcpdump (and screen) to be installed for that command line to work. Instead, install a packet sniffer of Your choice (like windump) and tell it to grab TCP packets with the TCP header "window size" set to 55808.
You could avoid a lot of trouble if You installed a more usable operating system before. I expect a networking OS distribution to ship with a packet sniffer.
View that dump with ethereal. On a router in front of 533 IPs i got 1594 packets in 154000 seconds, that's an average hit rate of one packet every 14h (per IP). As (most? all) IPs are spoofed, not really fascinating. But wait:
- only 31 of those 533 IPs got hit
- only 11 of those 31 IPs got hit more than 3 times
- these 11 "main targets" got 1561 of the 1594 packets
- each of these main targets was hit on _one_ single dest port (but from many - spoofed - src IPs)
... so the target IP seems to be _not_ randomly distributed. Supports the hypothesis of a kind of portscanner.
Anybody decoding the secret message in the initial sequence numbers;-?
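As an added example (not code from the original post), here is a small Python script that reproduces the kind of analysis above on a constructed packet dump: it parses raw IPv4/TCP headers, keeps only packets whose TCP window field is 55808, and aggregates hits per destination IP and destination port, the way the post's "main targets" were found. The sample packets, addresses, ports and sequence numbers are constructed for illustration and are not values from the page.

```python
import struct
from collections import Counter, defaultdict

WINDOW_OF_INTEREST = 55808  # the TCP window value the post filters on


def build_packet(src, dst, sport, dport, window, seq=0):
    """Build a minimal IPv4 + TCP SYN packet (no options, no payload).
    Used only to construct sample data here; checksums are left at zero."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0, src_b, dst_b)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, seq, 0, 5 << 4, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Return (src, dst, sport, dport, window, seq) for an IPv4/TCP packet, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6 or len(raw) < ihl + 20:      # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, seq, _ack, _off, _flags, window = struct.unpack(
        "!HHIIBBH", raw[ihl:ihl + 16])
    return src, dst, sport, dport, window, seq


def summarize(packets, window=WINDOW_OF_INTEREST):
    """Keep packets with the given TCP window; count hits per destination IP,
    collect the destination ports per IP and the initial sequence numbers."""
    hits_per_ip = Counter()
    ports_per_ip = defaultdict(set)
    seqs = []
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None or parsed[4] != window:
            continue
        _src, dst, _sport, dport, _win, seq = parsed
        hits_per_ip[dst] += 1
        ports_per_ip[dst].add(dport)
        seqs.append(seq)
    return hits_per_ip, {ip: sorted(p) for ip, p in ports_per_ip.items()}, seqs


def main_targets(hits_per_ip, min_hits=3):
    """IPs hit more than min_hits times: the "main targets" of the post."""
    return sorted(ip for ip, n in hits_per_ip.items() if n > min_hits)


# Constructed sample dump: six spoofed sources hammer 10.0.0.5:1433,
# two hit 10.0.0.9:80, one ordinary-window packet and one stray hit.
SAMPLE_DUMP = (
    [build_packet(f"198.51.100.{i}", "10.0.0.5", 40000 + i, 1433, 55808, seq=i * 7919)
     for i in range(1, 7)]
    + [build_packet(f"203.0.113.{i}", "10.0.0.9", 50000 + i, 80, 55808) for i in range(1, 3)]
    + [build_packet("192.0.2.77", "10.0.0.9", 1234, 80, 8192)]   # ordinary window, ignored
    + [build_packet("192.0.2.78", "10.0.0.13", 1235, 22, 55808)]
)

if __name__ == "__main__":
    hits, ports, seqs = summarize(SAMPLE_DUMP)
    for ip in sorted(hits, key=hits.get, reverse=True):
        print(f"{ip:<12} hits={hits[ip]:<3} dst ports={ports[ip]}")
    print("main targets:", main_targets(hits))
    print("initial sequence numbers:", seqs)
```

Feed real captures through a pcap reader instead of `SAMPLE_DUMP` and the same aggregation shows whether the hits cluster on a few IPs and a single port each, which is the observation that made the post suspect a scanner rather than noise.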
There are two facts which seem to be contrary (but aren't):
- If there is _any_ way to communicate with the outside world, an intruder can (steganographically) tunnel information through this way. There is software to tunnel ip(sec) over icmp, http, smtp, dns. There is _no_ way to stop it.
- The more You restrict connections from inside to outside (by proxies, authentication etc.), the fewer intruders will have the knowledge of how to smuggle information out. Particularly trojans are (nowadays) too dumb to pierce well-crafted firewall/proxy concepts.
So the more You work on jailing, the fewer will be able to escape.
btw: the ip-over-dns stuff is really useful: there are lots of (hotel/airport) wlans where anyone can use a dns-server which resolves exterior zones... nothing more needed.
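A defensive complement to the point above, as an added example that is not from the original post: a heuristic that flags DNS queries whose leftmost label is long and close to random, which is what encoded tunnel payloads in queries tend to look like. The log lines, client addresses, domain names and thresholds are constructed assumptions for this illustration, not values from the page.

```python
import math
from collections import Counter

# Constructed DNS query log lines in the form "client qname" (not from the page).
SAMPLE_QUERIES = [
    "10.1.1.5 www.example.com",
    "10.1.1.5 mail.example.com",
    "10.1.1.7 3kd9s0a1ml29dkqpz84hh2k1.t.tunnel-example.net",
    "10.1.1.7 9fj3kxmq02lld83jzz81mmd0.t.tunnel-example.net",
    "10.1.1.7 q0zz8l1mmd83jzkxmq02f9j3.t.tunnel-example.net",
    "10.1.1.9 cdn.example.org",
    "10.1.1.9 aaaaaaaaaaaaaaaaaaaaaaaa.example.org",   # long but low entropy
]


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_like_tunnel(qname, min_len=20, min_entropy=3.5):
    """Heuristic: payload-carrying labels are long and close to random.
    Thresholds are assumptions; tune them on your own resolver logs."""
    first = qname.split(".")[0]
    return len(first) >= min_len and label_entropy(first) >= min_entropy


def suspicious_clients(lines, min_hits=2):
    """Map client -> number of tunnel-looking queries, for clients at or above min_hits."""
    per_client = Counter()
    for line in lines:
        client, qname = line.split()
        if looks_like_tunnel(qname):
            per_client[client] += 1
    return {c: n for c, n in per_client.items() if n >= min_hits}


if __name__ == "__main__":
    for line in SAMPLE_QUERIES:
        client, qname = line.split()
        print(f"{client:<10} {label_entropy(qname.split('.')[0]):.2f} bits  {qname}")
    print("suspicious:", suspicious_clients(SAMPLE_QUERIES))
```

This only raises a flag; CDN hostnames, hashed cache-busting labels and some mail-authentication lookups also produce long labels, so treat a hit as a reason to look at the client's query volume and the answering zone, not as proof of a tunnel.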
Of course You should read as much as possible about security concepts, cryptography... (i recommend strongly to consume some theoretical background - it clears things up a lot). But the most important step is: GET FAMILIAR with protocols & packets.
So start tcpdump or [t]ethereal, whether You have a reason or not, and watch the matrix. You will get more and more intuition about what's happening. Let ethereal decompose headers. Use fragroute to create fragmented traffic. Use telnet as a browser and mailreader (HTTP, POP3 and SMTP are quite simple, IMAP is less simple but still possible). Read the original RFCs about the protocols.
Ok, in the beginning it will be hard and You won't understand much. But i promise: if You stay the course, You will understand networking _much_ better. This is THE precondition to understanding network security.
Then play with ettercap, nessus, snort (write your own snort patterns), try out some exploits (breaking into your own services), get familiar with a good packetfilter like iptables/netfilter or pf. Learn how connection tracking and NAT work.
Implement one of those scripting-MSIE-exploits and put it on your webserver. Visit http://packetstorm.linuxsecurity.com/ and read phrack magazine http://www.phrack.org. Play with jails of all kinds (bsd-jails, chroot, se-linux) or MAC/ACL-systems to secure services... and so on. There's a whole world waiting for You to discover it ;-) /graf0z.
This will break some things, i.e. traceroutes from NATed boxes to the outside world. Better: change the default initial TTL on the packet-originating box. I read a reply with the according MSwin registry entry, this is for linux:
That article measures HOP-distance to the packet originator instead of the # of packet originators. I don't think any ISP will use this method, because
- dsl-router instead of dsl-modem or dsl-bridge = +1HOP (legal)
- one of the famous micro-firewall-boxes between client and dsl-router = +1HOP (legal)
- vmware in non-bridging-mode = +1HOP (legal)
- too easy to overcome (change default initial TTL, mangle TTL on NAT box)
If an ISP really wants to detect NAT, they would do a bit more intelligent passive OS fingerprinting stuff (like the "IP-ID" method, see older article) which is a bit harder to bypass. /graf0z.
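As an added example (not from the original post), the following Python shows why hop-distance inference from the TTL is such a weak NAT signal: it guesses the sender's initial TTL from the observed value, derives the hop count, and then shows that a host behind a NAT router produces exactly the same reading as a host behind one of the "legal" extra boxes listed above, or simply a host one router further away. The expected hop count, the vantage point and the TTL values are constructed for illustration.

```python
# Common default initial TTLs: 64 (Linux/BSD), 128 (Windows), 255 (Cisco/Solaris).
INITIAL_TTLS = (64, 128, 255)


def infer_initial_ttl(observed):
    """Guess the sender's initial TTL as the smallest common default >= observed."""
    if not 0 < observed <= 255:
        raise ValueError("observed TTL must be in 1..255")
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial


def hop_distance(observed):
    """Number of routers the packet passed, under the guess above."""
    return infer_initial_ttl(observed) - observed


def observed_ttl(initial_ttl, hops):
    """TTL a passive observer sees `hops` routers away (each hop decrements it by one)."""
    return initial_ttl - hops


def extra_hops(observed, expected_hops):
    """Hops beyond what a directly attached customer host should show.
    A positive value is what the article's method would read as 'NAT in the path'."""
    return hop_distance(observed) - expected_hops


def scenarios(expected_hops=10):
    """Constructed cases. Assumption: the ISP's vantage point is expected_hops
    routers away from a customer machine with nothing extra in between."""
    return {
        "direct_linux":            extra_hops(observed_ttl(64, expected_hops), expected_hops),
        "direct_windows":          extra_hops(observed_ttl(128, expected_hops), expected_hops),
        # NAT router in the customer's home: one more TTL decrement
        "behind_nat_router":       extra_hops(observed_ttl(64, expected_hops + 1), expected_hops),
        # dsl-router, micro-firewall box or routed vmware: also one more decrement
        "behind_legal_extra_box":  extra_hops(observed_ttl(64, expected_hops + 1), expected_hops),
        # no NAT at all, the customer is simply one router further away
        "no_nat_one_hop_further":  extra_hops(observed_ttl(64, expected_hops + 1), expected_hops),
    }


if __name__ == "__main__":
    for name, extra in scenarios().items():
        print(f"{name:<24} extra hops seen by the ISP: {extra}")
```

The three "+1" cases collapse onto the same number, which is the post's point: the measurement sees distance, not the number of machines, and any signal it gives is one a single honest customer can trigger by accident.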
It was more than 300 years ago when Euler and Fermat (and later Lagrange) found some facts about finite groups (e.g. if you have any two primes p and q, and two numbers e,d such that e*d==1 mod (p-1)*(q-1), then for any number x and for the number y:=x^e mod p*q, the following holds: x==y^d mod p*q). That's number theory.
In the first half of the last century, Hardy was very proud of being a "pure mathematician" whose results would never ever have practical implications. He worked on number theory.
1975, Rivest, Shamir and Adleman realized that the results of Euler, Fermat and Lagrange (see above) are not only true, but can be used as an asymmetric cipher. It's known as the "RSA algorithm". I think You can call that "a useful application".
It may take centuries until a mathematical truth finds its useful application. If You only demand results with obvious practical use, you won't get far.
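Worked through in Python as an added example (not the original post's code): the Euler/Fermat fact quoted above, instantiated with small constructed primes, so that e*d == 1 mod (p-1)*(q-1) is actually computed (with the extended Euclidean algorithm) and x == (x^e)^d mod p*q is checked for every x below the modulus. The primes 61 and 53 and the exponent 17 are toy values chosen for illustration; they are far too small for real use, where the modulus is thousands of bits long and padding is mandatory.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def modinv(e, m):
    """d with e*d == 1 (mod m); exists only if gcd(e, m) == 1."""
    g, s, _ = egcd(e, m)
    if g != 1:
        raise ValueError("no inverse: e and m share a factor")
    return s % m


def rsa_keygen(p, q, e):
    """Toy RSA key from two primes and a public exponent e.
    Toy sizes only: no primality test, no padding, no side-channel care."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n for distinct primes p, q
    d = modinv(e, phi)               # e*d == 1 mod (p-1)*(q-1), as in the post
    return n, e, d


def encrypt(x, e, n):
    """y := x^e mod p*q"""
    return pow(x, e, n)


def decrypt(y, d, n):
    """x == y^d mod p*q"""
    return pow(y, d, n)


def euler_theorem_holds(p, q):
    """Euler: x^phi == 1 (mod n) for every x coprime to n."""
    n, phi = p * q, (p - 1) * (q - 1)
    return all(pow(x, phi, n) == 1 for x in range(1, n) if x % p and x % q)


def roundtrip_all(p, q, e):
    """The post's 'for any number x': x == (x^e)^d mod n for every x < n,
    including the x that share a factor with n (n is square-free)."""
    n, e, d = rsa_keygen(p, q, e)
    return all(decrypt(encrypt(x, e, n), d, n) == x for x in range(n))


if __name__ == "__main__":
    P, Q, E = 61, 53, 17             # constructed toy parameters
    n, e, d = rsa_keygen(P, Q, E)
    print(f"n={n} e={e} d={d}  e*d mod phi = {(e * d) % ((P - 1) * (Q - 1))}")
    y = encrypt(65, e, n)
    print("65 ->", y, "->", decrypt(y, d, n))
    print("Euler holds:", euler_theorem_holds(P, Q),
          " round trip for all x:", roundtrip_all(P, Q, E))
```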
On the one hand, redhat tries to give us lots of features. But there is a line You should not cross - example:
I have lots of boxes running services w/o X. For debugging i prefer ethereal over tcpdump. Oh great, RH extracted the GUI version into a separate rpm (ethereal-gnome), so i just install "ethereal*rpm" including the TUI version /usr/sbin/tethereal...
oh, ethereal needs net-snmp...
oh, net-snmp needs gnome-libs... ???
oh, gnome-libs needs esound, gtk+, XFree86-libs... holy f*cking shit! (this was RH80, they did better now in RH9)
On the other hand, RH does not keep up. Some of the features i missed in RH8 are still missing:
* no ipsec support (no freeswan, no ipsec_tunnel, no usagi backport - no, i _won't_ use cipe)
* postfix still 1.1x (not 2.0x)
* every damned package linked against ldap - except postfix!
* comes with sasl2 (and sasl1), but everything (i.e. openldap, sendmail, postfix) linked against sasl1 (sasl2 is superior in security consideration. if using sasl1 e.g. for SMTP-AUTH, you have to give the daemon read-access to the password-db. No chroot, no shadowing...)
I really like RH as a server-os, it's been my favorite for years. But sometimes i would like to beat somebody at RH up... /graf0z.
If looking into privacy, it is irrelevant what purpose benetton is using the RFIDs in their clothing for (anybody can read them!) and how overwhelmingly useful they are for inventory work.
Imagine the day (which will come soon) when the probability of a randomly chosen person being tagged by an RFID in some of his clothes gets close to 100%. Then tracing visitors, customers, pupils, employees in malls, school, university, at work... gets very easy and CHEAP. Just install an RFID scanner at every narrow passageway (i mean doors). And if You can correlate at one point a name to an ID (at the entrance, near a cam with face recognition, at the cashpoint if You use a credit card, ...), that trace gets personalized. Over time the observers could have a database of IDs correlated to names (so that You have to buy a full set of new clothes if You want to get traced only anonymized).
If big brother now wants to find out who's the owner of ID xyz (because that owner did something big brother doesn't like), there are a lot of databases to search. Or he just calls benetton and asks "Did the buyer of RFID xyz pay with credit card? If so, gimme that number!"
It does not help, if some geeks disable them. They should be disabled as soon as I buy that shirt.
/graf0z
ps: i read here on slashdot about RFIDs that are so small that You can tag food with it. Eaten a salad for lunch at the snackbar? Tagged! Ok, You could open that microwave in front of You...
I have to give 2d apache/linux crash-courses regularly to admins, who are mostly MS-only with no to medium network knowledge (yes, they are admins in their companies...). Most of the suggestions of mr sam work, especially the ssh stuff, but they have to do it on their own! If they manage to do all these nice gimmicks, you got them! So: show them what you want to show and then let them do the same (but free choice of details like pathnames and such). So let admins...
- install a linux distri on their own (i use RH)
- edit "index.html", start the preinstalled apache and ask their neighbor "how do you like my new homepage?" (this is the second point after installing, just to impress)
- set up user accounts, start sshd and then change places to go on administrating their boxes remotely
You get the idea... there should be similar tasks for coders.
But a warning: they will get it slowly. The command line (you will do all the important things only in bash, don't you?) is absolutely new to them, so you will have to explain over and over again (ext2, absolute/relative path (although it is the same in win)). emacs/vi is definitely necessary, but it's a showstopper.
Another thing: Some facts you can tell them over and over again like "do not use telnet, it's fucking unsafe, use ssh", but if you do not demonstrate it or let them explore it, they won't understand the importance. So prove your statement using tcpdump (they will love it!).
There are many statements like "MR is a good boy", "lindows is good for the FS movement", "they worked for wine" (category "niceguy") or "who needs the source", "let's give them time" or "that's only a trifle" (category "trifle"). Does that count? The question is: are there any reasons to let somebody get away with violating the GPL? (if lindows does not release the code of their preview although the FSF asked for it, they violate the GPL, no matter if it's free or not, if it's beta or not, if they release the final code or not)
I think there is NO such reason. Even if we love lindows & MR, the principles of the GPL are too important to weaken them by saying: "usual people have to fulfill it point for point, but for some special people we turn a blind eye".
Damned - who decides what is "beta", "final", "contributing enough open source", "good project for the free software movement" and so on? If we let Lindows do what they want we will see more and more GPL violations and excuses: "they let lindows go, why do they sue me?" (there is a post above exactly like this), "hey, i already published some GPL ware", "oh just wait a few months until my project reaches a status i define as 'release'" or "my project is so nice and good PR for the FS movement".
We should not behave like officials in the old soviet union: "everybody has the same rights and has to fulfill the same duties - except good old merited communists..."
If You have enough IPs, You'll see the gimmick ...
rwiedower: Who exactly are the "stars" of the security community?
Some of them (in random order) are (most of them have achieved _much_ more than the supplied example):