> Give me a product, open source or not, that provides my clients (on whose interests I act) with the functionality of Exchange, and I'll get the Purchase Order ready by close of business today.
Have you evaluated the old HP OpenMail product now sold by Samsung (http://www.samsungcontact.com)?
Actually, it's not a "very big company" and there aren't "lots of lawyers"- there's one.
Paul
It's called "contract law" for a reason. Just because it's against the "law" doesn't make it against _criminal_ law. You *can* be hauled into court for contract law violations.
Most providers just kick you off, but there's nothing stopping them from suing for damages in breach of contract (unless the contract prohibits it.)
Paul
/dev/wife
Did anyone else find the salutation "Truely yours" funny?
Paul
You've obviously missed the bigger joke-
http://www.blug.linux.no/rfc1149/
It's been implemented!
Paul
> been told by HR that I cannot tell ONE employee to "leave the
> cell phone in your car" I must make the rule for EVERY
> employee in the department
Your HR department lied, or you have strange company policies. I know, because I spent a lot of time at my last employer dealing with policy issues with the legal department, and I specifically asked about things like that (because I didn't follow the company dress code, and wanted to make sure it wasn't a big issue for my boss.)
Paul
Yes, but a single-use machine doesn't need passwd to be setuid! Single use machines rarely need anything other than /bin/login to be setuid. So, removing the setuid bit gains you all the security with none of the headaches- for the entire suite of stuff that's setuid by default. Voila! No more local exploit (and it's still a local exploit- you still have to gain access to get up to root.)
Paul
> I guess that's why I like the idea of SELinux. Different domains
> can prevent someone with even root access from messing with
> your logs. Much less your libraries.
Sun's sold Trusted Solaris for years. If you want compartmented security, you have to pay for it in administrative overhead.
This is yet-another-local-exploit- it's perfectly valid to (a) swap out passwd if you don't need LDAP[1]/NIS, or (b) worry about a remote exploit that'll gain a local shell before patching this. This is "next maintenance window" in my book- but you can replace passwd without any downtime at all- or just remove the SUID bit if you don't have local accounts who need to do credential changes who don't have root access.
Most Solaris systems aren't shell systems- they're single or low function servers like Web servers, DNS servers, mail servers, etc. For those cases, chmod -s /bin/passwd, and let the admins who have access modify their passwords as root.
Paul
[1] Guess where the problem appears to live?
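The audit and cleanup the two comments above recommend (find every setuid file on a single-use box, keep only what is on a short allowlist such as /bin/login, and chmod -s the rest), as an added example that is not from the original comments. The sample tree, the placeholder file contents and the allowlist are constructed for the demo.

```python
"""Added example, not from the original comments: audit a tree for setuid
binaries outside a short allowlist and clear the bit on the rest, following
the advice above that a single-use box rarely needs anything but /bin/login
setuid.  The sample tree and the allowlist are constructed for the demo; on a
real host you would run find_setuid("/") as root and review before stripping.
"""
import os
import stat
import tempfile


def find_setuid(root):
    """Return sorted paths, relative to root, of regular files with the
    setuid bit set.  Symlinks are skipped (lstat) so a link to a setuid
    binary elsewhere is neither reported twice nor followed out of the tree."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(found)


def unexpected_setuid(root, allowlist):
    """Setuid files that are not on the allowlist (relative paths)."""
    allowed = set(allowlist)
    return [rel for rel in find_setuid(root) if rel not in allowed]


def strip_setuid(root, allowlist, dry_run=False):
    """The 'chmod -s' step: clear S_ISUID on every unexpected setuid file.
    Other permission bits are left alone.  Returns the list of files that
    were (or, with dry_run, would be) changed."""
    changed = []
    for rel in unexpected_setuid(root, allowlist):
        path = os.path.join(root, rel)
        if not dry_run:
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            os.chmod(path, mode & ~stat.S_ISUID)
        changed.append(rel)
    return changed


def make_sample_tree():
    """Constructed stand-in for a minimal single-use box: three setuid files,
    one ordinary one.  Returns the temp directory path."""
    root = tempfile.mkdtemp(prefix="setuid-audit-demo-")
    modes = {
        "bin/login": 0o4755,     # the one thing the comment says may stay setuid
        "bin/passwd": 0o4755,    # the binary under discussion
        "usr/bin/ping": 0o4755,  # typical default setuid helper
        "usr/bin/vi": 0o755,     # not setuid; must not show up
    }
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")  # placeholder, not a real binary
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = make_sample_tree()
    allow = ["bin/login"]
    print("setuid before:", find_setuid(demo_root))
    print("would strip:  ", strip_setuid(demo_root, allow, dry_run=True))
    strip_setuid(demo_root, allow)
    print("setuid after: ", find_setuid(demo_root))
```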
http://www.porcupine.org/postfix-mirror/newdoc/UUCP_README.html
I found the most attractive features of Postfix were having to do far fewer security patches, and the fact that my MTAs used far less resources, necessitating fewer upgrades.
YMMV.
Paul
They don't. One of them (K) is running NSD, which totally rocks.
http://www.nlnetlabs.nl/nsd/index.html
Paul
You mentioned Debian, so how about:
1. Spend 15 minutes learning how to remaster Knoppix.
2. Grab one of the Knoppix installer scripts.
3. Write a post install script if you want to do more.
4. Combine #1 and #2, add #3 to taste.
5. Make lots of copies of the resultant CD.
6. Run around putting it in drives and rebooting.
Alternately, put enough of a thing on bootable media to run netcat and a small copy script, and place an image on a central machine, dd it on to the drive, and then do post-install stuff.
Paul
The issue of what work may indeed be relevant:
You're a foreign aid worker in Iraq;
You're a weather station monitor in Antarctica;
You're a Special Forces soldier in Afghanistan;
You stock the shelves at your local megastore;
You're the President of Pakistan;
You sell shoes at the local mall.
Some of those "whats" are much more dangerous than others.
It's a Class 6 Felony, that's 1-5, unless the judge or jury wants to knock it down to less than a year and/or $2500.
http://leg1.state.va.us/cgi-bin/legp504.exe?000+cod+18.2-10
Considering the statute wants intent *and* 10,000 to 100,000 messages, it's really difficult to do this accidentally- you also have to make at least $1,000 for sending or $50,000 in product/service sales. Finally, you can't get around it by having some kid do it for you.
http://leg1.state.va.us/cgi-bin/legp504.exe?000+cod+18.2-152.3C1
It all seems pretty reasonable to me- if you get sentenced, the judge/jury can be lenient and give you a slap on the wrist fine, or they can put you away for years- depending on the offense.
Paul
Is there a flip side to this where you have to buy the whole album?
Rush's 2112, where the first side of the album (2112) is one track.
Paul
From Microsoft:
When you type a file name at a command prompt, or you use a file name as a command line in a batch file or Windows NT command script, Cmd.exe calls the CreateProcess function to open the file. The CreateProcess function examines the file's contents. If the file's binary image contains an executable header (which indicates that the file is really a .com or .exe file), the file is run as a program. This behavior is compatible with previous versions of Windows NT.
As you can clearly see, the existence of a PE header in the file is used as a decision point to run the file rather than handle it a different way.
Again from Microsoft:
Cmd.exe recognizes files with .com, .exe, .bat, .cmd, .vbs, .js, and .ws extensions, and any other extensions that are defined by the PATHEXT environment variable as executable files, but it can also run files without these known extensions if the file's binary image contains an executable header.
Windows and Microsoft Internet Explorer perform additional checks before opening a file. This includes determining if any program is associated with the file name extension in the registry. This MIME-type detection permits Windows Explorer and Internet Explorer to find and start the object server or program that is associated with the file name extension.
You'll want to pay special attention to the phrase "but it can also run files without these known extensions..."
Thanks anyway.
Paul
[1.] http://support.microsoft.com/default.aspx?scid=kb;en-us;811528
The number of viruses doesn't map directly to "OS is safer." There are lots of factors, like motivation to create malware, and ease of injection that come into play, and ease of injection is an application issue more than it is an OS issue. Small modifications to the most popular mail application on each platform would have more effect (discounting worms) than anything else outside of motivation of malware authors.
Secondly, the author obviously lacks clue- modern Windows OS' do *not* execute files based on file type, it's a combination of reading the first N bytes of the file, and file type. Rename any .exe to anything else and click on it on a Windows host.
If you have to go back 4 years to get security bulletin examples, it's because you don't have sufficient information- there are ~30 unpatched IE vulnerabilities that affect IE and Outlook that are public, and another ~20 that aren't. You don't have to go back to 1999 to find examples of why the platform is seriously hosed.
It's also too bad the author doesn't address rootkits, because it's important to give some overall malware pictures to show that everything isn't rosy on either side of the fence.
*nix is definitely in a better default state, but it's not the OS that makes that possible (heck, NTFS has filesystem attributes that could likely help.) It's too bad someone with a better understanding of the issues didn't write this article, there are too many holes for serious *doze admins to poke in this one to make it worth passing around.
[Addressing exec-shield and worms would have given a really good argument for Linux, for instance.]
Paul
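The check a defender would want given the two comments above (cmd.exe and CreateProcess decide by the executable header, not the extension, so "rename any .exe" does not make a file safe): a scan that classifies files by their MZ/PE header and reports those hiding behind non-executable names. This is an added example, not from the original comments or from Microsoft; the sample files, directory names and the default extension list are constructed for offline use.

```python
"""Added example, not from the original comments: flag files whose content
carries an executable (MZ/PE) header although their extension is not one
cmd.exe treats as executable.  KB 811528 (quoted above) and the "rename any
.exe" remark both say Windows decides by header, so a defender's scan must
too.  Sample files, names and the extension list are constructed for offline use."""
import os
import struct
import tempfile

# Extensions cmd.exe treats as executable by name, per the quoted KB text.
DEFAULT_EXEC_EXTS = frozenset({".com", ".exe", ".bat", ".cmd", ".vbs", ".js", ".ws"})

def exec_exts_from_pathext(pathext):
    """Merge a Windows PATHEXT string (e.g. '.COM;.EXE;.PS1') into the set."""
    extra = {e.strip().lower() for e in pathext.split(";") if e.strip()}
    return DEFAULT_EXEC_EXTS | extra

def _classify(read_at):
    """read_at(offset, n) -> bytes.  Returns "PE" for an MZ stub whose
    e_lfanew (offset 0x3C) points at b'PE\\0\\0', "MZ" for an MZ stub without
    one (plain DOS executable, or e_lfanew pointing past EOF), else None."""
    stub = read_at(0, 0x40)
    if len(stub) < 0x40 or stub[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", stub, 0x3C)
    return "PE" if read_at(e_lfanew, 4) == b"PE\x00\x00" else "MZ"

def classify_header(data):
    """Classify an in-memory byte string."""
    return _classify(lambda off, n: data[off:off + n])

def classify_file(path):
    """Classify a file on disk; seeking to e_lfanew means a large DOS stub
    cannot push the PE signature past a fixed-size read."""
    with open(path, "rb") as fh:
        def read_at(off, n):
            fh.seek(off)
            return fh.read(n)
        return _classify(read_at)

def scan_tree(root, exec_exts=DEFAULT_EXEC_EXTS):
    """Sorted (relative_path, kind) for files executable by content whose
    extension is NOT in exec_exts: the 'document' that cmd.exe runs anyway."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in exec_exts:
                continue  # executable by name as well; not a disguise
            path = os.path.join(dirpath, name)
            kind = classify_file(path)
            if kind is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, kind))
    return sorted(findings)

def minimal_pe_image():
    """Constructed 0x84-byte blob: MZ stub, e_lfanew = 0x80, then 'PE\\0\\0'.
    Enough header to exercise the check; not a loadable program."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)
    return bytes(stub) + b"PE\x00\x00"

def dos_only_image():
    """Constructed MZ stub with no PE signature (e_lfanew left at 0)."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    return bytes(stub)

def make_sample_tree():
    """Write the constructed samples to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="pe-scan-demo-")
    os.mkdir(os.path.join(root, "docs"))
    samples = {
        "tool.exe": minimal_pe_image(),          # executable by name and content
        "report.pdf": minimal_pe_image(),        # PE behind a document extension
        "docs/invoice.pdf": minimal_pe_image(),  # same, one directory down
        "game.dat": dos_only_image(),            # bare DOS stub
        "notes.txt": b"Meeting notes, nothing executable here.\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, kind in scan_tree(make_sample_tree()):
        print(f"{kind} header behind a non-executable name: {rel}")
```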
Hit F2, and look at the boot options, the frame buffer stuff normally works for older laptops, and may solve your problem as well. For laptops, I usually end up forcing the 1280x1024 mode as well.
Your boot line should look something like:
knoppix lang=us xmodule=fbdev screen=1280x1024
HTH,
Paul
"Perhaps he doesn't like the fact that Lamo is doing this for free instead of making the NYTimes pay through the nose?"
Perhaps you should look at what Marcus has done for the community before you cast such aspersions.
Besides making the Firewall Toolkit free, he's always been extremely helpful and well-principled.
Maybe you just don't like the fact that honest people are vocal about those who aren't being honest.
As the principal architect of three firewall products, Marcus has done more to protect the 'Net than probably almost anyone. What have you done?
It's not like the laws are a surprise- if you're doing something illegal, then intent only gets considered during the penalty phase- if you're not smart enough to understand that, you really should be flipping burgers, not pissing off multi-billion dollar corporations.
Ad hominem personal attacks just because you don't agree with someone's position on something show you to be foolish.
When people stop attacking systems, we can spend money on making the world better, instead of protecting things from malcontents. The more folks that go to jail for attacking systems (no matter what their claimed motivations) the more risky attacking systems is, the less they'll do it, the better off everyone will be.
Paul
If you discover them in the normal course of business, you explain what you were doing and how you discovered them. Do it on paper, sign and date the paper, keep a copy on your person, send a copy to your boss and whoever else it makes sense to send it to.
If you took it upon yourself to "audit" the system without specifically getting permission, then you probably violated a policy and potentially broke the law. The real answer is "don't do that."
Obviously "good" is tied to "doing what you're authorized to do," NOT "finding things that could potentially be held over someone's head but not yet taking advantage of them."
The company is responsible for ensuring its shareholder value is protected from people who violate policies and laws.
Randal Schwartz got a felony conviction- I don't believe anyone argued that he was going to maliciously use the information he gathered, but he violated policy and the current law in that jurisdiction. Exceeding your authority accessing computer systems is wrong. If you want to look around *get written permission* from someone who's authorized to grant it.
I do computer forensics relatively often on behalf of corporate clients. If something ominous happened to a machine you'd just probed, that evidence wouldn't do you any good- even if you weren't linked to the original problem.
If the work environment is right, go in and admit improper access, explain why it won't happen again without permission and explain the findings. Otherwise, an unrelated event could put a bad spin on it that could do you real damage.
Paul
Cell phones aren't designed to be used in the air, and you'll have real problems because the phone can see too many towers at once- fraud detection is likely to be your worst enemy. The times I've tried to call from civil aircraft, the connection has been dropped pretty often.
The title says business planes, not commercial planes- normally that means corporate aircraft (I'm not subscribing to the NYT to read one article.) My last employer spent quite a bit of money and effort adding modem access to the corporate planes through something similar, I'd bet.
If it's FAA approved, and it would need to be if it's installed on the plane rather than carried on, then interference issues aren't there- and are probably part of what's normally a higher cost.
Paul
> # They are packaged as RPM 3 files, to allow
> standard installation, deinstallation,
> auditing, and management of relationships with
> other necessary software. Not some interactive
> self extracting tarball I can only use once
> unless I do the vendors job and package it
> myself (which unfortunately is necessary for
> modern sysadmins if they want to do their job
> properly).
No *nix is an island. RPM isn't the norm on even all Linux systems, let alone the rest of the *nix world. Don't forget that the x86 BSDs run Linux binaries too. Chaining dependencies like package managers and package management databases makes it more difficult for a lot of people who don't really need the overhead. The point of distributions is to allow someone to package software for it- so it's really the distributor's job to package for a specific package manager, not the vendor.
Paul
Sorry, there's way too much prior art!
> Take IBM, for example. Lots of devotion lately
> to Linux, but that's far from their bottom line.
> They benefit from OSS just as much as we do,
> but most likely, their returns to the community
> are just for good press. Their bottom line is
> profit, nothing more, and they should not be so
> readily trusted.
I think you rush perhaps a little quickly to judgement. There is no Ubermind in large companies. While there is often a cost/benefit analysis with anything, don't think that's the sole reason for doing anything. Folks who work at big companies don't have their hearts and minds removed during the pre-employment screening. Take, for instance, IBM- while there is indeed a benefit for them from Open Source versus Microsoft, the people working for IBM likely use that as a reason to justify their time doing something they want; not every choice is made by a bean-counter.
You can *buy* good press, it's probably significantly cheaper than contributing to the community. I don't know what Wietse's time on Postfix has cost IBM, but I'm fairly confident that whatever they've spent hasn't been recouped in PR value. I also highly doubt that Wietse decided to write Postfix as a PR exercise.
While indeed someone at IBM had to at some point say "Hey, contributing to OSS projects is more cost effective for our people than doing proprietary stuff" that doesn't mean the people contributing are any less a part of the community than those who haven't managed to convince their bosses that OSS software is a good thing.
There's no doubt that IBM has gained from Apache, Postfix, Java, and their other OSS projects. There's also no doubt that strategically their support for OSS operating systems is good for the bottom line. That doesn't make the people working on OSS projects who work for IBM any less committed to those projects, nor any less a part of the community.
Paul
The worm (like most of the recent ones) doesn't care what OS is running, so NT isn't really relevant.
Could you please contact me via e-mail, I'd like to ask a few more questions and your e-mail isn't available.
Thanks,
Paul
proberts@patriot.net