Re: [gentoo-user] Internet security.

2013-09-09 Thread Pavel Volkov
On Mon, Sep 9, 2013 at 6:05 AM, Michael Orlitzky wrote:

> The CA infrastructure was never secure. It exists to transfer money away
> from website owners and into the bank accounts of the CAs and browser
> makers. Security may be one of their goals, but it's certainly not the
> motivating one.
>

Well, at least CAcert doesn't exist for money.


>
> To avoid a tirade here, I've already written about this:
>
> [1]
>
> http://michael.orlitzky.com/articles/in_defense_of_self-signed_certificates.php
>
> [2]
>
> http://michael.orlitzky.com/articles/why_im_against_ca-signed_certificates.php
>
>
I've got a question about Gentoo in this case. If we assume that stage3 is
trusted, does portage check that mirrors are trusted? I'm not sure about
this. But if it does, then distfiles checksums are also checked, so they
are trusted, too. In this case you could trust a running browser, until
your system becomes compromised in other ways.
This would be an OS packaging system problem, not a problem with the CA-->user
trust model.


Re: [gentoo-user] Internet security.

2013-09-09 Thread thegeezer
There's a lot of FUD out there and equally there is some truth.  The NSA
"we can decrypt everything" statement was really very vague, and can
easily be done if you have a lot of taps (a la PRISM) and start doing
MITM attacks to reduce the level of security to something that is
crackable.
For 'compatibility' very many low-powered encryption schemes are
supported and it is these that are the issue.
If you are using IPsec tunnels with AES encryption you can happily
ignore these.
If you are using MPLS networks you can almost guarantee your ISP and
therefore your network is compromised.
The question really is what do you define as security?
If someone was to hit you on the head with a hammer, how long until you
willingly gave out your passwords? [1]
I agree with the lack of faith in certificate CAs and I feel that the
reason that warnings over SSL are so severe is to spoon-feed folks into
the owned networks. I far more trust the way Mozilla do their web of
trust [2] but equally am aware that trolls live in the crowds.
While ssh authorized_keys are more secure than passwords, I can't (and
am hoping someone can point me to) find how to track failed logins as
folks brute-force their way in.  Yes, it's orders of magnitude more
difficult, but then internet speed is now orders of magnitude faster, and
OTPs are looking more sensible every day [3] to me.
I used to use Windows Live Messenger and right near the end found that
if you send someone a web link to a file filled with /dev/random called
passwords.zip you would have some unknown IP connect and download it too.
Who then is doing that? And I trust Skype and its peer2peer nonsense
even less.
Who even knows you can TLS-encrypt SIP?
There are many ways of encrypting email but this is not supported from
one site to another, even TLS support is often lacking, and GPGing the
contents means that some folks you send email to cannot read it -- there
is always a trade-off between usability and security.
I read on Slashdot that there is a question mark over SELinux because it
came from the NSA [4] but this is nonsense, as it is a means of securing
processes not network connections.  I find it difficult to believe that
a backdoor in a locked cupboard in your house can somehow give access
through the front door.
How far does trust need to be lost [5] before you start fabricating your
own chips?   The complexity involved in chip fabs is immense and if
bugs can slip through, what else can? [6]
Ultimately a multi-layer security approach is required, and security
itself needs to be defined.
I like privacy so I have net curtains; I don't have a 3 foot thick
titanium door with strengthened hinges.
If someone looks in my windows, I can see them, either through the
window or on CCTV.
Security itself has to be defined so that risk can be managed.
So many people buy the biggest lock they can find and forget the hinges,
or leave the windows open.
Even then it doesn't help in terms of power failure or leaking water or
gas mains exploding next door (i.e. the definition of security in the
sense of safety).
To some security means RAID, to others security means offsite backup.
I like techniques such as port knocking [7] for reducing the size of the
scan target.
If you have a cheap virtual server on each continent and put Asterisk on
each one, linked by AES IPsec tunnels with a local SIP provider in each
one, then you could probably hide your phone calls quite easily from
snoops.  Until they saw your bank statement and wondered what all these
VPS providers and SIP accounts were for, and then the authorities, if
they were tracking you, would go after those.  Why would you do such a
thing? Perhaps because you cannot trust the monopoly provider of a
country to screen its equipment [8].
Even things like cookie tracking for advertising purposes - on the
lighter side, what if your kids see the ads for the stuff you are buying
them for Christmas?  Surprise ruined?  Where does it stop - it's one
thing for Google to announce governments want your search history, and
another for advertising companies to sell your profile and tracking;
essentially ad companies are doing the government's snooping job for them.
Ultimately it's down to risk mitigation. Do you care if someone is
snooping on your grocery list? No? Using cookie tracking?  Yeah,
profiling is bad - wouldn't want to end up on a terrorist watchlist
because of my amusement with the zombie apocalypse listmania [9].
Encryption is important because you don't know what other folks in the
internet cafe are doing [10].
But where do you draw the line?
If you go into a shop do you worry that you are on CCTV?

OK, I'll stop ranting now. My main point is always have multi-layered
security - and think about what you are protecting and from whom.

[1] http://xkcd.com/538/
[2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
[3] http://blog.tremily.us/posts/OTP/
[4]
http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standard
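An added example, not from the thread, of the failed-login tracking the post above asks about: it parses OpenSSH auth-log lines in syslog format (the "Failed <method> for [invalid user] <user> from <ip> port <n>" form), groups failures by source address and flags bursts. The log lines, hostname and TEST-NET addresses are constructed, and the "Failed publickey" line assumes sshd is logging key failures at a verbose log level.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format; host, users and TEST-NET addresses are made up.
SAMPLE_AUTH_LOG = """\
Sep  9 10:36:01 box0 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Sep  9 10:36:02 box0 sshd[1203]: Failed password for root from 203.0.113.5 port 50130 ssh2
Sep  9 10:36:03 box0 sshd[1205]: Failed publickey for root from 203.0.113.5 port 50131 ssh2
Sep  9 10:36:04 box0 sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 50140 ssh2
Sep  9 10:36:30 box0 sshd[1209]: Accepted publickey for geezer from 198.51.100.7 port 41000 ssh2
Sep  9 10:40:00 box0 sshd[1211]: Failed publickey for geezer from 198.51.100.7 port 41002 ssh2
Sep  9 11:15:00 box0 sshd[1300]: Failed password for root from 192.0.2.9 port 33000 ssh2
Sep  9 11:45:00 box0 sshd[1301]: Failed password for root from 192.0.2.9 port 33001 ssh2
Sep  9 12:15:00 box0 sshd[1302]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# syslog timestamp, host, "sshd[pid]:", then the failed-auth message
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return one dict per failed-auth line: timestamp, method, user, ip, invalid-user flag."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        failures.append({
            # syslog lines carry no year; strptime defaults to 1900, fine for deltas
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "method": m.group("method"),
            "user": m.group("user"),
            "ip": m.group("ip"),
            "invalid_user": m.group("invalid") is not None,
        })
    return failures


def flag_bruteforce(failures, threshold=3, window=timedelta(minutes=10)):
    """Group failures by source IP; 'burst' is True when >= threshold fall inside one window."""
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f["ip"]].append(f)
    report = {}
    for ip, events in by_ip.items():
        times = sorted(e["ts"] for e in events)
        burst = any(
            times[i + threshold - 1] - times[i] <= window
            for i in range(len(times) - threshold + 1)
        )
        report[ip] = {
            "count": len(events),
            "users": sorted({e["user"] for e in events}),
            "methods": sorted({e["method"] for e in events}),
            "burst": burst,
        }
    return report


if __name__ == "__main__":
    # A slow attacker (192.0.2.9, one try every 30 minutes) is not a burst but
    # still shows up in the per-IP count, which is why both are reported.
    for ip, info in flag_bruteforce(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```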

[gentoo-user] FlashPlayer crashes in FireFox

2013-09-09 Thread Dan Johansson
As of lately (I can not really remember since when) FlashPlayer has
stopped working in FireFox.

I'm running a "stable" AMD64 system with FireFox
(www-client/firefox-17.0.8), FlashPlayer
(www-plugins/adobe-flash-11.2.202.297) and NS-Plugin-Wrapper
(www-plugins/nspluginwrapper-1.4.4-r3).

If I emerge the 64-bit FlashPlayer I get the following error message when
trying to view a video on YouTube, "The Adobe Flash plugin has crashed",
and I get the following in .xsession-errors:

plugin-container: htab.c:83: vlGetDataHTAB: Assertion `handle' failed.
WARNING: pipe error (51): Connection reset by peer: file
/var/tmp/notmpfs/portage/www-client/firefox-17.0.8/work/mozilla-esr17/ipc/chromium/src/chrome/common/ipc_channel_posix.cc,
line 421


If, on the other hand, I emerge the 32-bit version + nspluginwrapper, nothing
happens in FF (the "video-pane" just stays black) and I get the
following messages in .xsession-errors:

npviewer.bin: htab.c:83: vlGetDataHTAB: Assertion `handle' failed.
*** NSPlugin Wrapper *** ERROR: NPP_WriteReady() invoke: Broken pipe
*** NSPlugin Wrapper ***
WARNING:(/var/tmp/portage/www-plugins/nspluginwrapper-1.4.4-r3/work/nspluginwrapper-1.4.4/src/npw-wrapper.c:2705):invoke_NPP_Write:
assertion failed: (rpc_method_invoke_possible(plugin->connection))
*** NSPlugin Wrapper ***
WARNING:(/var/tmp/portage/www-plugins/nspluginwrapper-1.4.4-r3/work/nspluginwrapper-1.4.4/src/npw-wrapper.c:2478):invoke_NPP_NewStream:
assertion failed: (rpc_method_invoke_possible(plugin->connection))
*** NSPlugin Wrapper ***
WARNING:(/var/tmp/portage/www-plugins/nspluginwrapper-1.4.4-r3/work/nspluginwrapper-1.4.4/src/npw-wrapper.c:2550):invoke_NPP_DestroyStream:
assertion failed: (rpc_method_invoke_possible(plugin->connection))
*** NSPlugin Wrapper ***
WARNING:(/var/tmp/portage/www-plugins/nspluginwrapper-1.4.4-r3/work/nspluginwrapper-1.4.4/src/npw-wrapper.c:2434):invoke_NPP_URLNotify:
assertion failed: (rpc_method_invoke_possible(plugin->connection))
*** NSPlugin Wrapper ***
WARNING:(/var/tmp/portage/www-plugins/nspluginwrapper-1.4.4-r3/work/nspluginwrapper-1.4.4/src/npw-wrapper.c:2434):invoke_NPP_URLNotify:
assertion failed: (rpc_method_invoke_possible(plugin->connection))
*** NSPlugin Wrapper ***
WARNING:(/var/tmp/portage/www-plugins/nspluginwrapper-1.4.4-r3/work/nspluginwrapper-1.4.4/src/npw-wrapper.c:2550):invoke_NPP_DestroyStream:
assertion failed: (rpc_method_invoke_possible(plugin->connection))
*** NSPlugin Wrapper ***
WARNING:(/var/tmp/portage/www-plugins/nspluginwrapper-1.4.4-r3/work/nspluginwrapper-1.4.4/src/npw-wrapper.c:2434):invoke_NPP_URLNotify:
assertion failed: (rpc_method_invoke_possible(plugin->connection))
*** NSPlugin Wrapper ***
WARNING:(/var/tmp/portage/www-plugins/nspluginwrapper-1.4.4-r3/work/nspluginwrapper-1.4.4/src/npw-wrapper.c:2478):invoke_NPP_NewStream:
assertion failed: (rpc_method_invoke_possible(plugin->connection))
*** NSPlugin Wrapper ***
WARNING:(/var/tmp/portage/www-plugins/nspluginwrapper-1.4.4-r3/work/nspluginwrapper-1.4.4/src/npw-wrapper.c:2434):invoke_NPP_URLNotify:
assertion failed: (rpc_method_invoke_possible(plugin->connection))
Send additional request to http://www.youtube.com/watch?v=mRbnLYHzsfI

*** NSPlugin Wrapper ***
WARNING:(/var/tmp/portage/www-plugins/nspluginwrapper-1.4.4-r3/work/nspluginwrapper-1.4.4/src/npw-wrapper.c:2219):invoke_NPP_SetWindow:
assertion failed: (rpc_method_invoke_possible(plugin->connection))
*** NSPlugin Wrapper *** ERROR: NPObject proxy 0x7f33d3c27de0 is no
longer valid!
*** NSPlugin Wrapper *** ERROR: NPObject proxy 0x7f33d3c27de0 is no
longer valid!
*** NSPlugin Wrapper *** ERROR: NPObject proxy 0x7f33d3c27de0 is no
longer valid!

(The last line just keeps repeating)

Any suggestions as to what my problem could be and how to solve it?

Regards,
-- 
Dan Johansson, 
***
This message is printed on 100% recycled electrons!
***




Re: [gentoo-user] re: can't find /boot/grub/grub.conf after kernel upgrade [3.10.7]

2013-09-09 Thread Hinnerk van Bruinehsen
On Sat, Sep 07, 2013 at 09:53:28PM +0300, Alexander Kapshuk wrote:
> 
> Based on the 'dmesg' output below, EXT2-fs attempted to mount the '/'
> partition instead of the '/boot' one.
>
> box0 ~ # dmesg|grep 'EXT.*fs'
> [2.444214] EXT2-fs (sda3): error: couldn't mount because of
> unsupported optional features (240)
> [2.444736] EXT4-fs (sda3): couldn't mount as ext3 due to feature
> incompatibilities
> [2.481412] EXT4-fs (sda3): mounted filesystem with ordered data
> mode. Opts: (null)
> [9.448819] EXT4-fs (sda3): re-mounted. Opts: (null)
> [9.731383] EXT4-fs (sda5): mounted filesystem with ordered data
> mode. Opts: (null)
>
> Would that suggest a corrupted /boot/grub/grub.conf file?
>
> How did the system boot then?

Most likely your /boot partition is not ext2 as stated in fstab and it
therefore fails to mount (the unsupported optional features hint in that
direction).
Simply try to mount it by hand (mount /boot). If that fails, try to mount it
with option -t  (for filesystem try ext3 or ext4).

Your system still boots because grub is able to read the filesystem (which
makes corruption unlikely). grub doesn't use fstab or the drivers in the
kernel image (which isn't even loaded at that point in time).

WKR
Hinnerk




Re: [gentoo-user] GRE link state detection

2013-09-09 Thread thegeezer
Asking the same question on the bird mailing list, I was recommended some
values to make bird down the GRE tunnels faster.
Multiple tunnels are required due to the very unreliable internet, so
one tunnel goes over one DSL link, another goes over another.
DPD timeouts are 30 seconds minimum, which is too long.
I'll keep you posted if the bird recommendations work better.


On 09/07/2013 07:23 PM, Mick wrote:
> On Thursday 05 Sep 2013 15:49:55 thegeezer wrote:
>> Howdy all,
>> I was wondering if anyone has any idea if there is a means by which I
>> can detect GRE link state?
>>
>> What I have is two sites each with two very unstable internet links.
>> In order to VPN between them I have IPsec tunnels linking each side
>> twice (four IPsec tunnels in total).
> I am not sure why you need 4 tunnels, you could just use 1 tunnel as a
> gateway to gateway setup, but I assume that your particular network topology
> satisfies your requirements.
>
>
>> I then have 4x GRE tunnels over the top of those in order that I have a
>> secured routable VPN.
>> This gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3.
>> Finally I run BIRD over the top which works very well, and synchronises
>> routing tables between the two sites, and allows for me to do such fun as
>> # /etc/init.d/net.vpn0 stop
>> and watch all traffic automagically cut over to another link.
>>
>> So far so awesome.
>>
>> However, as I said the internet links are very unstable, and sometimes
>> just blackhole. So what I was hoping to do is just enable keepalives on
>> the GRE tunnel, which sadly seems to be Cisco only.
> I'm no Cisco expert, but I thought that the keepalives are disabled when you 
> use IPSec, because IPSec had Dead Peer Detection for this purpose?
>
>
>> Can anyone suggest a way of detecting if the GRE is not fully connected?
>> BIRD only fails over if the net.vpn0 device is down (ifconfig up/down)
>> and for the life of me I cannot find how to detect if a GRE tunnel is
>> 'connected'; it seems to just blindly send packets to the remote IP.
>> Is my only choice to use L2TP instead?
> Set your IKE lifetime to something like 86400 sec and your SA lifetime at
> something like 3600, with dpd enabled and it should (hopefully) work.  L2TP
> is not needed.
>




Re: [gentoo-user] Internet security.

2013-09-09 Thread Bruce Hill
On Mon, Sep 09, 2013 at 10:36:09AM +0100, thegeezer wrote:
> There's a lot of FUD out there and equally there is some truth.  The NSA
> "we can decrypt everything" statement was really very vague, and can
> easily be done if you have a lot of taps (a la PRISM) and start doing
> MITM attacks to reduce the level of security to something that is
> crackable.
> For 'compatibility' very many low-powered encryption schemes are
> supported and it is these that are the issue.
> If you are using IPsec tunnels with AES encryption you can happily
> ignore these.
> If you are using MPLS networks you can almost guarantee your ISP and
> therefore your network is compromised.
> The question really is what do you define as security?
> If someone was to hit you on the head with a hammer, how long until you
> willingly gave out your passwords? [1]
> I agree with the lack of faith in certificate CAs and I feel that the
> reason that warnings over SSL are so severe is to spoon-feed folks into
> the owned networks. I far more trust the way Mozilla do their web of
> trust [2] but equally am aware that trolls live in the crowds.
> While ssh authorized_keys are more secure than passwords, I can't (and
> am hoping someone can point me to) find how to track failed logins as
> folks brute-force their way in.  Yes, it's orders of magnitude more
> difficult, but then internet speed is now orders of magnitude faster, and
> OTPs are looking more sensible every day [3] to me.
> I used to use Windows Live Messenger and right near the end found that
> if you send someone a web link to a file filled with /dev/random called
> passwords.zip you would have some unknown IP connect and download it too.
> Who then is doing that? And I trust Skype and its peer2peer nonsense
> even less.
> Who even knows you can TLS-encrypt SIP?
> There are many ways of encrypting email but this is not supported from
> one site to another, even TLS support is often lacking, and GPGing the
> contents means that some folks you send email to cannot read it -- there
> is always a trade-off between usability and security.
> I read on Slashdot that there is a question mark over SELinux because it
> came from the NSA [4] but this is nonsense, as it is a means of securing
> processes not network connections.  I find it difficult to believe that
> a backdoor in a locked cupboard in your house can somehow give access
> through the front door.
> How far does trust need to be lost [5] before you start fabricating your
> own chips?   The complexity involved in chip fabs is immense and if
> bugs can slip through, what else can? [6]
> Ultimately a multi-layer security approach is required, and security
> itself needs to be defined.
> I like privacy so I have net curtains; I don't have a 3 foot thick
> titanium door with strengthened hinges.
> If someone looks in my windows, I can see them, either through the
> window or on CCTV.
> Security itself has to be defined so that risk can be managed.
> So many people buy the biggest lock they can find and forget the hinges,
> or leave the windows open.
> Even then it doesn't help in terms of power failure or leaking water or
> gas mains exploding next door (i.e. the definition of security in the
> sense of safety).
> To some security means RAID, to others security means offsite backup.
> I like techniques such as port knocking [7] for reducing the size of the
> scan target.
> If you have a cheap virtual server on each continent and put Asterisk on
> each one, linked by AES IPsec tunnels with a local SIP provider in each
> one, then you could probably hide your phone calls quite easily from
> snoops.  Until they saw your bank statement and wondered what all these
> VPS providers and SIP accounts were for, and then the authorities, if
> they were tracking you, would go after those.  Why would you do such a
> thing? Perhaps because you cannot trust the monopoly provider of a
> country to screen its equipment [8].
> Even things like cookie tracking for advertising purposes - on the
> lighter side, what if your kids see the ads for the stuff you are buying
> them for Christmas?  Surprise ruined?  Where does it stop - it's one
> thing for Google to announce governments want your search history, and
> another for advertising companies to sell your profile and tracking;
> essentially ad companies are doing the government's snooping job for them.
> Ultimately it's down to risk mitigation. Do you care if someone is
> snooping on your grocery list? No? Using cookie tracking?  Yeah,
> profiling is bad - wouldn't want to end up on a terrorist watchlist
> because of my amusement with the zombie apocalypse listmania [9].
> Encryption is important because you don't know what other folks in the
> internet cafe are doing [10].
> But where do you draw the line?
> If you go into a shop do you worry that you are on CCTV?
> 
> OK, I'll stop ranting now. My main point is always have multi-layered
> security - and think about what you are protecting and from whom.
> 
> [1] http:/

Re: [gentoo-user] Internet security.

2013-09-09 Thread thegeezer
> When a top-post is that long did you read it before noticing?
>
> Well, if you opened this email, "All ur base r belong to us!"

:$  oops, was more focussed on my rant than the etiquette


Re: [gentoo-user] re: can't find /boot/grub/grub.conf after kernel upgrade [3.10.7]

2013-09-09 Thread Francisco Ares
2013/9/9 Hinnerk van Bruinehsen 

> On Sat, Sep 07, 2013 at 09:53:28PM +0300, Alexander Kapshuk wrote:
> > 
> > Based on the 'dmesg' output below, EXT2-fs attempted to mount the '/'
> > partition instead of the '/boot' one.
> >
> > box0 ~ # dmesg|grep 'EXT.*fs'
> > [2.444214] EXT2-fs (sda3): error: couldn't mount because of
> > unsupported optional features (240)
> > [2.444736] EXT4-fs (sda3): couldn't mount as ext3 due to feature
> > incompatibilities
> > [2.481412] EXT4-fs (sda3): mounted filesystem with ordered data
> > mode. Opts: (null)
> > [9.448819] EXT4-fs (sda3): re-mounted. Opts: (null)
> > [9.731383] EXT4-fs (sda5): mounted filesystem with ordered data
> > mode. Opts: (null)
> >
> > Would that suggest a corrupted /boot/grub/grub.conf file?
> >
> > How did the system boot then?
>
> Most likely your /boot partition is not ext2 as stated in fstab and it
> therefore fails to mount (the unsupported optional features hint in that
> direction).
> Simply try to mount it by hand (mount /boot). If that fails, try to mount it
> with option -t  (for filesystem try ext3 or ext4).
>
> Your system still boots because grub is able to read the filesystem (which
> makes corruption unlikely). grub doesn't use fstab or the drivers in the
> kernel image (which isn't even loaded at that point in time).
>
> WKR
> Hinnerk
>

Could it be that the partition was formatted using EXT2 extended properties
from a previous kernel built with those options, and now this new kernel
that has just been built has those extended options missing?

Just my 2 cents.

Francisco


Re: [gentoo-user] Internet security.

2013-09-09 Thread Michael Orlitzky

On 09/09/2013 01:28 AM, Mick wrote:
> 
> Are you saying that 2048 RSA keys are no good anymore?
> 

They're probably fine, but when you're making them yourself, the extra
bits are free. I would assume that the NSA can crack 1024-bit RSA[1],
so why not jump to 4096 so you don't have to do this again in a few years?

The performance overhead is also mostly negligible: the only thing the
public key crypto is used for is to exchange a secret which is then
used to do simpler (and faster) crypto.


[1]
http://blog.erratasec.com/2013/09/tor-is-still-dhe-1024-nsa-crackable.html




[gentoo-user] Portage 2.2.1 stabilized?

2013-09-09 Thread Tanstaafl
Wow... just noticed an update is available which, for me, means it has 
been stabilized (at least on amd64)...


You'd think this would rate a news item and/or other major announcement, 
considering how long it has taken to get here...


Anyway, really glad to see this happen, and thanks to the devs for 
getting it here!


Now to wait a few days to see if there is any breakage to report (not 
worried about it really, though, since it has actually gotten a ton of 
testing over the last year or two)...




Re: [gentoo-user] Internet security.

2013-09-09 Thread Michael Orlitzky
On 09/09/2013 02:50 AM, Adam Carter wrote:
> [2]
> 
> http://michael.orlitzky.com/articles/why_im_against_ca-signed_certificates.php
> .
> 
> 
> I like to state some of what you say here as "website certificates are
> only as trusted as the LEAST trustworthy CA in the trusted certificate
> store"

Right, and most of them you wouldn't even consider trustworthy a priori.
If the NSA can hack or "persuade" *any* of them, every single website on
the net is compromised.

Here's a list of the ones included with Firefox:

http://www.mozilla.org/projects/security/certs/included/index.html

The ones in the USA, we already know, can be forced to do whatever under
gag order. Of the ones outside the USA, well, I see a couple that belong
to countries where I would be executed for the things I did this weekend.




Re: [gentoo-user] Internet security.

2013-09-09 Thread Michael Orlitzky
On 09/09/2013 03:19 AM, Pavel Volkov wrote:
> On Mon, Sep 9, 2013 at 6:05 AM, Michael Orlitzky wrote:
> 
> > The CA infrastructure was never secure. It exists to transfer money away
> > from website owners and into the bank accounts of the CAs and browser
> > makers. Security may be one of their goals, but it's certainly not the
> > motivating one.
> 
> 
> Well, at least CAcert doesn't exist for money.
> 

You sort of make my point for me:

  If you want to access a website that uses a SSL certificate signed by
  CAcert, you might get an SSL warning. We are sorry, but currently
  that's still 'normal' as mainstream browsers don't automatically
  include the CAcert Root Certificate yet. [1]

So, CACert certificates don't eliminate the browser warning, which is
the only reason you would ever pay for a certificate in the first place.
But why don't browsers include CACert?

  Traditionally vendors seeking to have their root certificates
  included in browsers (directly or via the underlying OS
  infrastructure like Safari via OS X's Keychain) would have to seek an
  expensive Webtrust audit (~$75,000 up-front plus ~$10,000 per
  year). [2]

They don't pay up! So I wouldn't include CACert in my blanket statement,
but they're not really part of the CA infrastructure and you might as
well use a self-signed cert instead if you're gonna get a warning anyway.


> I've got a question about Gentoo in this case. If we assume that stage3
> is trusted, does portage check that mirrors are trusted?

No. There's a GLEP for some of these issues:

  https://www.gentoo.org/proj/en/glep/glep-0057.html

The relevant part is,

  ...any non-Gentoo controlled rsync mirror can modify executable code;
  as much of this code is per default run as root a malicious mirror
  could compromise hundreds of systems per day - if cloaked well
  enough, such an attack could run for weeks before being noticed.



[1] http://wiki.cacert.org/FAQ/BrowserClients
[2] http://wiki.cacert.org/InclusionStatus
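An added example (not Portage's own code) for the distfile checksum question raised earlier in the thread and answered above: a minimal checker for Manifest2 DIST entries in Python, assuming the "DIST <file> <size> <ALGO> <hex> [<ALGO> <hex> ...]" line format. The distfile bytes and Manifest text are constructed; the last case in demo() shows why an unauthenticated rsync mirror can still defeat the check by regenerating the Manifest along with the file, which is the gap GLEP 57 describes.

```python
import hashlib

# Constructed distfile and Manifest (not from the Gentoo tree); the name is made up.
SAMPLE_NAME = "foo-1.0.tar.gz"
SAMPLE_DISTFILE = b"constructed tarball bytes for foo-1.0\n"


def manifest_line(name, data, algos=("SHA256", "SHA512")):
    """Build a Manifest2 DIST entry: 'DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]'."""
    fields = ["DIST", name, str(len(data))]
    for algo in algos:
        fields += [algo, hashlib.new(algo.lower(), data).hexdigest()]
    return " ".join(fields)


def parse_manifest(text):
    """Map filename -> (type, size, {ALGO: hexdigest}); skips blank, armour and malformed lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # a valid entry has type, name, size and one or more (algo, digest) pairs
        if len(parts) < 5 or len(parts) % 2 == 0:
            continue
        ftype, name, size = parts[0], parts[1], int(parts[2])
        entries[name] = (ftype, size, dict(zip(parts[3::2], parts[4::2])))
    return entries


def verify_distfile(entries, name, data):
    """Check size and every hash this Python can compute; return (ok, list of reasons)."""
    if name not in entries:
        return False, ["no Manifest entry for " + name]
    _, size, hashes = entries[name]
    reasons = []
    if len(data) != size:
        reasons.append("size %d != %d" % (len(data), size))
    checked = 0
    for algo, expected in hashes.items():
        try:
            actual = hashlib.new(algo.lower(), data).hexdigest()
        except ValueError:
            continue  # e.g. WHIRLPOOL is not in every hashlib build: skip it, never trust it
        checked += 1
        if actual != expected:
            reasons.append(algo + " mismatch")
    if checked == 0:
        reasons.append("no verifiable hash in entry")
    return not reasons, reasons


def demo():
    """Results for a clean file, a tampered file, and a mirror that rewrote the Manifest too."""
    good = parse_manifest(manifest_line(SAMPLE_NAME, SAMPLE_DISTFILE))
    tampered = SAMPLE_DISTFILE + b"# injected\n"
    clean_ok, _ = verify_distfile(good, SAMPLE_NAME, SAMPLE_DISTFILE)
    tamper_ok, tamper_reasons = verify_distfile(good, SAMPLE_NAME, tampered)
    # Without a signature on the Manifest, a mirror can serve a regenerated one
    # that matches the tampered file, and the hash check passes.
    rewritten = parse_manifest(manifest_line(SAMPLE_NAME, tampered))
    rewritten_ok, _ = verify_distfile(rewritten, SAMPLE_NAME, tampered)
    return {
        "clean": clean_ok,
        "tampered": tamper_ok,
        "tampered_reasons": tamper_reasons,
        "manifest_rewritten_by_mirror": rewritten_ok,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```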




Re: [gentoo-user] Internet security.

2013-09-09 Thread Hinnerk van Bruinehsen
On Mon, Sep 09, 2013 at 10:36:09AM +0100, thegeezer wrote:
> There's a lot of FUD out there and equally there is some truth.  The NSA "we can
> decrypt everything" statement was really very vague, and can easily be done if
> you have a lot of taps (a la PRISM) and start doing MITM attacks to reduce the
> level of security to something that is crackable.
> For 'compatibility' very many low-powered encryption schemes are supported and
> it is these that are the issue.

I think you're right because it'll be much easier to read the data at one
endpoint than to decrypt everything. If big corporations like Google or Cisco
can be forced to cooperate (and they can - that much is fact), it'd be the
likelier way to get your data.
On the other hand e.g. Bruce Schneier warns of ECC because the NSA promoted it
intensively. So there may be some secret that helps to decrypt it in the hands
of the NSA (possibly something about the NIST curve definitions that reduces the
effective key length).
> If you are using IPsec tunnels with AES encryption you can happily ignore
> these.
This would be true if you have a secure endpoint. And I think that nowadays
nothing is secure...
> If you are using MPLS networks you can almost guarantee your ISP and therefore
> your network is compromised.
> The question really is what do you define as security?
> If someone was to hit you on the head with a hammer, how long until you
> willingly gave out your passwords? [1]
> I agree with the lack of faith in certificate CAs and I feel that the reason
> that warnings over SSL are so severe is to spoon-feed folks into the owned
> networks. I far more trust the way Mozilla do their web of trust [2] but
> equally am aware that trolls live in the crowds.
> While ssh authorized_keys are more secure than passwords, I can't (and am
> hoping someone can point me to) find how to track failed logins as folks
> brute-force their way in.  Yes, it's orders of magnitude more difficult but then
> internet speed is now orders of magnitude faster, and OTPs are looking more
> sensible every day [3] to me.
> I used to use Windows Live Messenger and right near the end found that if you
> send someone a web link to a file filled with /dev/random called passwords.zip
> you would have some unknown IP connect and download it too.
> Who then is doing that? And I trust Skype and its peer2peer nonsense even
> less.
> Who even knows you can TLS-encrypt SIP?
> There are many ways of encrypting email but this is not supported from one
> site to another, even TLS support is often lacking, and GPGing the contents
> means that some folks you send email to cannot read it -- there is always a
> trade-off between usability and security.
> I read on Slashdot that there is a question mark over SELinux because it came
> from the NSA [4] but this is nonsense, as it is a means of securing processes
> not network connections.  I find it difficult to believe that a backdoor in a
> locked cupboard in your house can somehow give access through the front door.
This point you get wrong. SELinux implements the LSM API (in fact the LSM API
was tailored to SELinux's needs). It has hooks in nearly everything
(file/directory access, process access and also sockets). One of the biggest
concerns at the time of creation of the LSM API was rootkits hooking those
functions. It's definitely a threat. I'm not saying that SELinux contains
a backdoor (I for myself would have hidden it in the LSM part, not in SELinux,
because that would enable me to use it even if other LSMs are used). If you
google for "underhanded C contest" you'll see that it's possible to hide
malicious behaviour in plain sight. And if the kernel is compromised all other
defenses mean nothing. (As I said, I don't want to spread fear, but that is
something to consider imho).
> How far does trust need to be lost [5] before you start fabricating your own
> chips?   The complexity involved in chip fabs is immense and if bugs can slip
> through, what else can? [6]
> Ultimately a multi-layer security approach is required, and security itself
> needs to be defined.
You need an anchor from which you can establish trust. If there is a hardware
backdoor you'll not be able to fix that problem with software. There is an
excellent paper from Ken Thompson called "Reflections on Trusting Trust" that
theorizes about the possibility of a trojanized compiler that injects malicious
code and therefore makes code audits pointless. Security sadly is hard..
> I like privacy so I have net curtains; I don't have a 3 foot thick titanium
> door with strengthened hinges.
> If someone looks in my windows, I can see them, either through the window or
> on CCTV.
> Security itself has to be defined so that risk can be managed.
> So many people buy the biggest lock they can find and forget the hinges, or
> leave the windows open.
> Even then it doesn't help in terms of power failure or leaking water or gas
> mains exploding next door (i.e. the definition of security in th

Re: [gentoo-user] Portage 2.2.1 stabilized?

2013-09-09 Thread Jeff Horelick
On 9 September 2013 09:44, Tanstaafl  wrote:

> Wow... just noticed an update is available which, for me, means it has
> been stabilized (at least on amd64)...
>
> You'd think this would rate a news item and/or other major announcement,
> considering how long it has taken to get here...
>
> Anyway, really glad to see this happen, and thanks to the devs for getting
> it here!
>
> Now to wait a few days to see if there is any breakage to report (not
> worried about it really, though, since it has actually gotten a ton of
> testing over the last year or two)...
>
>
I agree that this kind of deserves a news post just because of how
momentous the occasion is; however, there should not be many breakages from
this as most of the features have already been in the last stable portage
(such as sets and preserved-rebuild on by default). The biggest changes are
probably userpriv and usersync being on by default (which is a recent
change). I don't really believe that anyone will be using programmatic
custom sets for a while now, which is the last feature not to be
back-patched to 2.1.


Re: [gentoo-user] Internet security.

2013-09-09 Thread Hinnerk van Bruinehsen
On Mon, Sep 09, 2013 at 04:30:31PM +0100, thegeezer wrote:
> >> i read in slashdot that there is a question mark over SELinux because it came
> >> from the NSA [4] but this is nonsense, as it is a means of securing processes
> >> not network connections.  i find it difficult to believe that a backdoor in a
> >> locked cupboard in your house can somehow give access through the front door.
> > This point you get wrong. SELinux implements the LSM API (in fact the LSM API
> > was tailored to SELinux needs). It has hooks in nearly everything
> > (file/directory access, process access and also sockets). One of the biggest
> > concerns at the time of creation of the LSM API was rootkits hooking those
> > functions. It's definitively a threat. I'm not saying that SELinux contains
> > a backdoor (I for myself would have hidden it in the LSM part, not in SELinux
> > because that would enable me to use it even if other LSMs are used). If you
> > google for "underhanded C contest" you'll see that it's possible to hide
> > malicious behaviour in plain sight. And if the kernel is compromised all other
> > defenses mean nothing. (As I said, I don't want to spread fear but that is
> > something to consider imho).
> Interesting, I didn't realise LSM provisioned hooks for SELinux -
> thought it was more modular (and less 'shoehorned') than that.
> I need to go read about that some more now


You can start here:

http://www.freetechbooks.com/efiles/selinuxnotebook/The_SELinux_Notebook_The_Foundations_3rd_Edition.pdf

for a general overview (page 64ff has a list of the hooks).
Other than that http://www.kroah.com/linux/talks/ols_2002_lsm_paper/lsm.pdf and
http://www.nsa.gov/research/_files/publications/implementing_selinux.pdf may be
of interest (though both are quite old).

WKR
Hinnerk




Re: [gentoo-user] Internet security.

2013-09-09 Thread thegeezer
>> i read in slashdot that there is a question mark over SELinux because it came
>> from the NSA [4] but this is nonsense, as it is a means of securing processes
>> not network connections.  i find it difficult to believe that a backdoor in a
>> locked cupboard in your house can somehow give access through the front door.
> This point you get wrong. SELinux implements the LSM API (in fact the LSM API
> was tailored to SELinux needs). It has hooks in nearly everything
> (file/directory access, process access and also sockets). One of the biggest
> concerns at the time of creation of the LSM API was rootkits hooking those
> functions. It's definitively a threat. I'm not saying that SELinux contains
> a backdoor (I for myself would have hidden it in the LSM part, not in SELinux
> because that would enable me to use it even if other LSMs are used). If you
> google for "underhanded C contest" you'll see that it's possible to hide
> malicious behaviour in plain sight. And if the kernel is compromised all other
> defenses mean nothing. (As I said, I don't want to spread fear but that is
> something to consider imho).
Interesting, I didn't realise LSM provisioned hooks for SELinux -
thought it was more modular (and less 'shoehorned') than that.
I need to go read about that some more now



Re: [gentoo-user] Internet security.

2013-09-09 Thread Dale
Dale wrote:
> Someone found this and sent it to me. 
>
> http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html
>
>
>  SNIP
>
> Am I right on this, wrong or somewhere in the middle?
>
> Dale
>
> :-)  :-) 
>


I got this in my email today. 

https://www.eff.org/deeplinks/2013/08/one-key-rule-them-all-threats-against-service-provider-private-encryption-keys


It seems, I may be wrong on this tho, that some changes are being made. 
While there is a lot of info there, it also seems that each site has one
key and once you have that one key, you can then handle the whole sites
encryption.  Example:  Google, Facebook, a bank, the EFF site or whatever. 

It seems we are back to face to face and even that isn't a sure thing. 

I'm still reading some of the other posts.  It seems this is a mess with
no real sure answer since it all depends on a lot of other things. 
Mostly we don't know for sure what information the spy folks have and
what is compromised and what is not.  < sighs >

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




[gentoo-user] To be an update or not to be an update...

2013-09-09 Thread meino . cramer

Hi,

I submitted this command:
eix-sync ; emerge --color=n --newuse --update --tree --deep world --keep-going -va

and got (beside a lot other lines) this as result:

Writing database file /var/cache/eix/portage.eix ..
Database contains 16797 packages in 159 categories.
* Calling eix-diff
Diffing databases (16797 -> 16797 packages)
[>]   == dev-python/m2crypto (0.21.1 -> 0.21.1-r1^t): M2Crypto: A Python crypto and SSL toolkit
[U]   == virtual/perl-ExtUtils-Manifest (1.610.0@08/04/13; 1.610.0 -> 1.630.0): Virtual for ExtUtils-Manifest
* Time statistics:
191 seconds for syncing
126 seconds for eix-update
15 seconds for eix-diff
335 seconds total

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!

Total: 0 packages, Size of downloads: 0 kB

Nothing to merge; quitting.


beagleboneblack:/root>eix virtual/perl-ExtUtils-Manifest
[U] virtual/perl-ExtUtils-Manifest
Available versions:  ~1.580.0-r1 ~1.590.0 1.600.0 1.610.0 1.630.0
Installed versions:  1.610.0(06:25:46 08/04/13)
Description: Virtual for ExtUtils-Manifest

I am a little confused here...
Why is virtual/perl-ExtUtils-Manifest marked "U" and the result is "Total: 0 
packages, Size of downloads: 0 kB"?

Best regards,
mcc


Re: [gentoo-user] To be an update or not to be an update...

2013-09-09 Thread Hinnerk van Bruinehsen
On Mon, Sep 09, 2013 at 06:01:26PM +0200, meino.cra...@gmx.de wrote:
>
> Hi,
>
> I submitted this command:
> eix-sync ; emerge --color=n --newuse --update --tree --deep world --keep-going -va
>
> and got (beside a lot other lines) this as result:
>
> Writing database file /var/cache/eix/portage.eix ..
> Database contains 16797 packages in 159 categories.
> * Calling eix-diff
> Diffing databases (16797 -> 16797 packages)
> [>]   == dev-python/m2crypto (0.21.1 -> 0.21.1-r1^t): M2Crypto: A Python crypto and SSL toolkit
> [U]   == virtual/perl-ExtUtils-Manifest (1.610.0@08/04/13; 1.610.0 -> 1.630.0): Virtual for ExtUtils-Manifest
> * Time statistics:
> 191 seconds for syncing
> 126 seconds for eix-update
> 15 seconds for eix-diff
> 335 seconds total
>
> These are the packages that would be merged, in reverse order:
>
> Calculating dependencies... done!
>
> Total: 0 packages, Size of downloads: 0 kB
>
> Nothing to merge; quitting.
>
>
> beagleboneblack:/root>eix virtual/perl-ExtUtils-Manifest
> [U] virtual/perl-ExtUtils-Manifest
> Available versions:  ~1.580.0-r1 ~1.590.0 1.600.0 1.610.0 1.630.0
> Installed versions:  1.610.0(06:25:46 08/04/13)
> Description: Virtual for ExtUtils-Manifest
>
> I am a little confused here...
> Why is virtual/perl-ExtUtils-Manifest marked "U" and the result is "Total: 0 
> packages, Size of downloads: 0 kB"?

My guess would be that it's just a build time dependency (BDEP) for something.
Try to add --with-bdeps=y to your emerge commandline (most likely there will be
some other packages pulled in too).
These packages don't need to be updated unless the package depending on them
needs to be rebuilt.

WKR
Hinnerk




Re: [gentoo-user] Internet security.

2013-09-09 Thread thegeezer
On 09/09/2013 05:04 PM, Hinnerk van Bruinehsen wrote:
> On Mon, Sep 09, 2013 at 04:30:31PM +0100, thegeezer wrote:
>>
>> Interesting, I didn't realise LSM provisioned hooks for SELinux -
>> thought it it was more modular (and less 'shoehorned') than that. 
>> I need to go read about that some more now
>
> You can start here:
>
> http://www.freetechbooks.com/efiles/selinuxnotebook/The_SELinux_Notebook_The_Foundations_3rd_Edition.pdf
>
> for a general overview (page 64ff has a list of the hooks).
> Other than that http://www.kroah.com/linux/talks/ols_2002_lsm_paper/lsm.pdf and
> http://www.nsa.gov/research/_files/publications/implementing_selinux.pdf may be
> of interest (though both are quite old).
>
> WKR
> Hinnerk
thanks muchly :)



Re: [gentoo-user] Internet security.

2013-09-09 Thread Michael Orlitzky

On 09/09/2013 01:36 PM, Pavel Volkov wrote:
> 
> I noticed there's another GLEP which eliminates the mirror problem:
>  http://www.gentoo.org/proj/en/glep/glep-0058.html
> 
> It's marked as accepted. I hope they'll implement it in reasonable
> time.
> 

This is the latest news; not much there unfortunately:

  http://thread.gmane.org/gmane.linux.gentoo.devel/87099




Re: [gentoo-user] Internet security.

2013-09-09 Thread Mick
On Monday 09 Sep 2013 14:42:28 Michael Orlitzky wrote:
> On 09/09/2013 01:28 AM, Mick wrote:
> > Are you saying that 2048 RSA keys are no good anymore?
> 
> They're probably fine, but when you're making them yourself, the extra
> bits are free. I would assume that the NSA can crack 1024-bit RSA[1],
> so why not jump to 4096 so you don't have to do this again in a few years?

Right, but my router won't work with keys larger than 2048 and its admin GUI
is controlled with a 1024-bit public certificate.

-- 
Regards,
Mick




Re: [gentoo-user] creating an image of the system

2013-09-09 Thread Benjamin Block
On 08:30 Mon 09 Sep , Michael Hampicke wrote:
> Am 08.09.2013 20:51, schrieb Benjamin Block:
> > Hej folks,
> > 
> > I wonder what is a good way to create an image of a gentoo-system, so
> > that one can apply it later to the same or other computers.
> > 
> > In my case it is a rather simple setup: one partition, no encryption or
> > lvm. It's a debug-setup, so it's only used for certain programming-tasks
> > and not for daily work, so no need for something fancy. The time I set up
> > that system I also used only conservative compilation-flags and
> > optimisation, so that it can be used on other CPUs (well, they have to
> > be x86_64 and have to have mmx/sse[23] - but I think every setup that I
> > intend to use this on will have these properties).
> > 
> > So I reckon that one could just use tar with permission-preservation and
> > some excludes like dev/sys/proc/tmp. But is this a good idea or is there
> > a better way to do this? I never cloned a gentoo-system, so that's why I
> > would like to be at least somewhat sure about it, so that I don't have
> > to reconfigure it later again, because I messed it up :D
> > 
> 
> Tar with permission preservation is fine. Just exclude everything in
> dev/sys/proc/tmp as you said. But make sure that these directories are
> in your tar file; it does not matter if they are empty, but they have to
> exist in order to boot properly.
> 
> One special case. To boot you most likely will need /dev/console and
> /dev/null. Just include those two device nodes in your tar file.
> 

Thanks for pointing that out, but why are these both special? Seems to
me like these are also (char)device-nodes and shouldn't they also be
generated by the kernel with DEVTMPFS and then udev at a very early
init-stage?

> Optionally use compression (gz, bz2, xz, ...) on your tar to save some
> space.
> 


- Ben



Re: [gentoo-user] why does revdep-rebuild object to mounting /var on /mnt/var ?

2013-09-09 Thread Canek Peláez Valdés
On Mon, Sep 9, 2013 at 1:51 PM,   wrote:
> I use lvm and use it for /var.
> In fstab I have
>   /dev/vg/var  /mnt/var  ext4  defaults  0 2
> I also have
>   lrwxrwxrwx 1 root root 7 Aug 31 16:13 /var -> mnt/var
>
> (Similar setup for /tmp and /opt)
>
> This has worked ok but revdep-rebuild is not happy
>
> root@E6510 cache # revdep-rebuild
>  * Configuring search environment for revdep-rebuild
>  * Working directory expected to be /var/cache/revdep-rebuild, but it is /mnt/var/cache/revdep-rebuild
> root@E6510 cache #
>
> I don't intend to fight revdep-rebuild so will change and mount directly
> onto /var, but I wonder what is the concern.

I think it's the symlink that is making revdep-rebuild
unhappy. Have you tried to bind mount /mnt/var into /var?

mount -o bind /mnt/var /var

Perhaps that will appease revdep-rebuild.

> Should I also mount directly onto /tmp and /opt?

I don't think so, although /tmp is preferred to be a tmpfs now, I
believe (in both systemd and OpenRC, if I'm not mistaken).

Regards.
-- 
Canek Peláez Valdés
Posgrado en Ciencia e Ingeniería de la Computación
Universidad Nacional Autónoma de México



[gentoo-user] why does revdep-rebuild object to mounting /var on /mnt/var ?

2013-09-09 Thread gottlieb
I use lvm and use it for /var.
In fstab I have
  /dev/vg/var  /mnt/var  ext4  defaults  0 2
I also have
  lrwxrwxrwx 1 root root 7 Aug 31 16:13 /var -> mnt/var

(Similar setup for /tmp and /opt)

This has worked ok but revdep-rebuild is not happy

root@E6510 cache # revdep-rebuild
 * Configuring search environment for revdep-rebuild
 * Working directory expected to be /var/cache/revdep-rebuild, but it is /mnt/var/cache/revdep-rebuild
root@E6510 cache #

I don't intend to fight revdep-rebuild so will change and mount directly
onto /var, but I wonder what is the concern.

Should I also mount directly onto /tmp and /opt?

thanks,
allan




Re: [gentoo-user] creating an image of the system

2013-09-09 Thread Benjamin Block
On 17:07 Sun 08 Sep , Dale wrote:
> Mick wrote:
> > On Sunday 08 Sep 2013 19:51:25 Benjamin Block wrote:
> >> Hej folks,
> >>
> >> I wonder what is a good way to create an image of a gentoo-system, so
> >> that one can apply it later to the same or other computers.
> >>
> >> In my case it is a rather simple setup: one partition, no encryption or
> >> lvm. It's a debug-setup, so it's only used for certain programming-tasks
> >> and not for daily work, so no need for something fancy. The time I set up
> >> that system I also used only conservative compilation-flags and
> >> optimisation, so that it can be used on other CPUs (well, they have to
> >> be x86_64 and have to have mmx/sse[23] - but I think every setup that I
> >> intend to use this on will have these properties).
> >>
> >> So I reckon that one could just use tar with permission-preservation and
> >> some excludes like dev/sys/proc/tmp. But is this a good idea or is there
> >> a better way to do this? I never cloned a gentoo-system, so that's why I
> >> would like to be at least somewhat sure about it, so that I don't have
> >> to reconfigure it later again, because I messed it up :D
> >>
> >> best regards,
> >> - Ben
> >
> > You're referring to a 'stage 4' iso.  Have a look at this M/L perhaps 5 years
> > back when I recall someone posting a thread about it.
> >
> > There may also be a thread in the forums and potentially the (old) wiki.
> >
> 
> http://www.gentoo-wiki.info/HOWTO_Custom_Stage4
> 
> http://wiki.gentoo.org/wiki/Backup
> 
> One of those should help.  If not, Google for "Gentoo stage4" without
> the quotes of course.
> 

ok, thank you both for pointing out what this is called and the links.
Could have thought of "stage 4" myself, it's somewhat logical ;)


- Ben



Re: [gentoo-user] GRE link state detection

2013-09-09 Thread Mick
On Monday 09 Sep 2013 11:12:47 thegeezer wrote:
> asking the same question on the bird mailing list, was recommended some
> values to make bird down the GRE tunnels faster.
> multiple tunnels are required due to the very unreliable internet, so
> one tunnel goes over one dsl link, another goes over another.
> DPD timeouts are 30 seconds minimum, which is too long.
> i'll keep you posted if the bird recommendations work better

You can tune dpd_delay and dpd_retry in racoon.conf (if you are using
ipsec-tools) or the equivalent in open/strongswan.  I think strongswan sends
keepalives every 20 seconds or so and it can be increased if you prefer it so.

-- 
Regards,
Mick




Re: [gentoo-user] creating an image of the system

2013-09-09 Thread Michael Hampicke
Am 09.09.2013 21:05, schrieb Benjamin Block:
> On 08:30 Mon 09 Sep , Michael Hampicke wrote:
>> Am 08.09.2013 20:51, schrieb Benjamin Block:
>>> Hej folks,
>>>
>>> I wonder what is a good way to create an image of a gentoo-system, so
>>> that one can apply it later to the same or other computers.
>>>
>>> In my case it is a rather simple setup: one partition, no encryption or
>>> lvm. It's a debug-setup, so it's only used for certain programming-tasks
>>> and not for daily work, so no need for something fancy. The time I set up
>>> that system I also used only conservative compilation-flags and
>>> optimisation, so that it can be used on other CPUs (well, they have to
>>> be x86_64 and have to have mmx/sse[23] - but I think every setup that I
>>> intend to use this on will have these properties).
>>>
>>> So I reckon that one could just use tar with permission-preservation and
>>> some excludes like dev/sys/proc/tmp. But is this a good idea or is there
>>> a better way to do this? I never cloned a gentoo-system, so that's why I
>>> would like to be at least somewhat sure about it, so that I don't have
>>> to reconfigure it later again, because I messed it up :D
>>>
>>
>> Tar with permission preservation is fine. Just exclude everything in
>> dev/sys/proc/tmp as you said. But make sure that these directories are
>> in your tar file; it does not matter if they are empty, but they have to
>> exist in order to boot properly.
>>
>> One special case. To boot you most likely will need /dev/console and
>> /dev/null. Just include those two device nodes in your tar file.
>>
> 
> Thanks for pointing that out, but why are these both special? Seems to
> me like these are also (char)device-nodes and shouldn't they also be
> generated by the kernel with DEVTMPFS and then udev at a very early
> init-stage?

If you have DEVTMPFS enabled you should be fine. But not everybody has
that enabled, or even uses udev :-)
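What the posts in this subthread agree on (keep dev, sys, proc and tmp as empty directories in the archive, skip their contents, ship the /dev/console and /dev/null nodes, preserve permissions) can be written down as a script. The following is an added example, not the Gentoo wiki's stage4 HOWTO and not code from anyone in the thread: a POSIX shell function that archives a root tree with GNU tar under those rules, appending the two device nodes only when they exist (so it also runs on a tree built without mknod rights, in which case nothing is appended), plus a second function that checks the finished archive for the four directories. The function names, the use of --one-file-system, and appending with -r are my assumptions.

```shell
#!/bin/sh
# Build a stage4-style tarball of a root tree.  Added example, not the
# Gentoo wiki's script.  Assumes GNU tar (--one-file-system, --exclude
# wildcards, -r append).  Restore later with:  tar -xpf stage4.tar -C /mnt/target
make_stage4() {
    root=$1
    out=$2
    # Contents of dev/ sys/ proc/ tmp/ are skipped, the directories themselves
    # are kept (the pattern './dev/*' does not match './dev').  Drop
    # --one-file-system if /var, /home etc. are separate mounts you want in.
    # Add --xattrs --acls (newer GNU tar) if the tree uses file capabilities
    # or ACLs; without them those attributes are silently lost.
    tar -cpf "$out" -C "$root" --one-file-system \
        --exclude='./dev/*' --exclude='./sys/*' \
        --exclude='./proc/*' --exclude='./tmp/*' . || return 1
    # The exclude above also drops the device nodes, so append the two the
    # thread names.  Only real character devices are added; a tree without
    # them (e.g. a chroot built without mknod rights) just gets none.
    for node in ./dev/console ./dev/null; do
        if [ -c "$root/$node" ]; then
            tar -rpf "$out" -C "$root" "$node" || return 1
        fi
    done
    return 0
}

# Sanity check on the finished archive: every directory that must exist for
# the restored system to boot is present.  Returns 1 and names the first
# missing one otherwise.
check_stage4() {
    for d in ./dev ./sys ./proc ./tmp; do
        tar -tf "$1" | grep -qE "^$d/?\$" || { echo "missing $d in $1"; return 1; }
    done
    return 0
}

# usage:  make_stage4 / /root/stage4.tar && check_stage4 /root/stage4.tar
# Compress afterwards if wanted (xz /root/stage4.tar): appending with -r only
# works on an uncompressed archive, which is why compression is a separate step.
```

Running it on a live system still needs root to read everything; the two nodes are appended separately because a single --exclude='./dev/*' cannot both drop the directory contents and keep two named files inside it.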





Re: [gentoo-user] Internet security.

2013-09-09 Thread Michael Orlitzky

On 09/09/2013 02:07 PM, Mick wrote:
> On Monday 09 Sep 2013 14:42:28 Michael Orlitzky wrote:
>> On 09/09/2013 01:28 AM, Mick wrote:
>>> Are you saying that 2048 RSA keys are no good anymore?
>> 
>> They're probably fine, but when you're making them yourself, the
>> extra bits are free. I would assume that the NSA can crack
>> 1024-bit RSA[1], so why not jump to 4096 so you don't have to do
>> this again in a few years?
> 
> Right, but my router won't work with keys larger than 2048 and its
> admin GUI is controlled with a 1024-bit public certificate.
> 

How often do you need to admin the router? Just do it from home (i.e.
on the LAN side).




Re: [gentoo-user] creating an image of the system

2013-09-09 Thread Dale
Michael Hampicke wrote:
> Am 09.09.2013 21:05, schrieb Benjamin Block:
>> On 08:30 Mon 09 Sep , Michael Hampicke wrote:
>>> Am 08.09.2013 20:51, schrieb Benjamin Block:
>>>> Hej folks,
>>>>
>>>> I wonder what is a good way to create an image of a gentoo-system, so
>>>> that one can apply it later to the same or other computers.
>>>>
>>>> In my case it is a rather simple setup: one partition, no encryption or
>>>> lvm. It's a debug-setup, so it's only used for certain programming-tasks
>>>> and not for daily work, so no need for something fancy. The time I set up
>>>> that system I also used only conservative compilation-flags and
>>>> optimisation, so that it can be used on other CPUs (well, they have to
>>>> be x86_64 and have to have mmx/sse[23] - but I think every setup that I
>>>> intend to use this on will have these properties).
>>>>
>>>> So I reckon that one could just use tar with permission-preservation and
>>>> some excludes like dev/sys/proc/tmp. But is this a good idea or is there
>>>> a better way to do this? I never cloned a gentoo-system, so that's why I
>>>> would like to be at least somewhat sure about it, so that I don't have
>>>> to reconfigure it later again, because I messed it up :D
>>>>
>>>
>>> Tar with permission preservation is fine. Just exclude everything in
>>> dev/sys/proc/tmp as you said. But make sure that these directories are
>>> in your tar file; it does not matter if they are empty, but they have to
>>> exist in order to boot properly.
>>>
>>> One special case. To boot you most likely will need /dev/console and
>>> /dev/null. Just include those two device nodes in your tar file.
>>>
>>
>> Thanks for pointing that out, but why are these both special? Seems to
>> me like these are also (char)device-nodes and shouldn't they also be
>> generated by the kernel with DEVTMPFS and then udev at a very early
>> init-stage?
>
> If you have DEVTMPFS enabled you should be fine. But not everybody has
> that enabled, or even uses udev :-)
>

I would include them just in case.  Why take the chance that it fails
for whatever reason.

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or
how you interpreted my words!



Re: [gentoo-user] Internet security.

2013-09-09 Thread Pavel Volkov
On Monday 09 September 2013 10:00:25 Michael Orlitzky wrote:
> No. There's a GLEP for some of these issues:
> 
>   https://www.gentoo.org/proj/en/glep/glep-0057.html
> 
> The relevant part is,
> 
>   ...any non-Gentoo controlled rsync mirror can modify executable code;
>   as much of this code is per default run as root a malicious mirror
>   could compromise hundreds of systems per day - if cloaked well
>   enough, such an attack could run for weeks before being noticed.

I noticed there's another GLEP which eliminates the mirror problem: 
http://www.gentoo.org/proj/en/glep/glep-0058.html

It's marked as accepted. I hope they'll implement it in reasonable time.
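The GLEP text quoted above describes the risk from an rsync mirror; the mechanism GLEP 58 builds on is the Manifest2 file in every package directory, which records a size and digests for each ebuild, auxiliary file and distfile, chained up to a signed top-level Manifest so that a mirror cannot silently rewrite a file and its Manifest entry together. As an added example, not Portage's own code (Portage performs this verification itself), here is a POSIX shell function that checks every entry of such a Manifest against the files on disk, together with a constructed sample package directory whose two files are the 3-byte string "abc" and whose Manifest carries the published SHA-512 test vector for it. Assumptions: only the SHA512 digest is compared (real Manifests also carry BLAKE2B), the distfiles directory is passed in as a parameter rather than read from Portage's DISTDIR, and AUX entries are looked up under files/ as in a Portage package directory.

```shell
#!/bin/sh
# Verify every entry of a Manifest2 file against the files on disk.
# Added example, not Portage's own code.  Line format assumed:
#   TYPE filename size ALGO hexdigest [ALGO hexdigest ...]
# Only the SHA512 field is compared; the distfiles directory is a parameter.
verify_manifest() {
    pkgdir=$1
    distdir=${2:-$pkgdir/distfiles}   # hypothetical default, not Portage's DISTDIR
    rc=0
    while read -r kind name size rest; do
        case $kind in
            DIST)        path=$distdir/$name ;;
            AUX)         path=$pkgdir/files/$name ;;
            EBUILD|MISC) path=$pkgdir/$name ;;
            *)           continue ;;  # blank lines or the PGP armour of a signed Manifest
        esac
        # pull the SHA512 digest out of the remaining "ALGO hex" pairs
        set -- $rest
        want=
        while [ $# -ge 2 ]; do
            [ "$1" = SHA512 ] && want=$2
            shift 2
        done
        if [ ! -f "$path" ]; then
            echo "MISSING $kind $name"; rc=1; continue
        fi
        have_size=$(wc -c < "$path" | tr -d ' ')
        have=$(sha512sum "$path" | cut -d' ' -f1)
        # size first: it is cheap and catches truncated downloads; then the digest
        if [ "$have_size" != "$size" ] || [ -z "$want" ] || [ "$have" != "$want" ]; then
            echo "BAD     $kind $name"; rc=1
        else
            echo "OK      $kind $name"
        fi
    done < "$pkgdir/Manifest"
    return $rc
}

# Constructed sample package directory.  Both files contain the 3 bytes "abc";
# the digest in the Manifest is the FIPS 180 SHA-512 test vector for "abc".
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/files" "$d/distfiles"
    printf 'abc' > "$d/distfiles/abc-1.0.tar"
    printf 'abc' > "$d/files/abc-1.0-build.patch"
    cat > "$d/Manifest" <<'EOF'
AUX abc-1.0-build.patch 3 SHA512 ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
DIST abc-1.0.tar 3 SHA512 ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
EOF
    echo "$d"
}

# Run with "demo" as the argument to see the check on the sample data.
if [ "${1:-}" = demo ]; then
    d=$(make_sample)
    verify_manifest "$d"
fi
```

A digest match only proves that a file agrees with the Manifest it was shipped with. Against a hostile mirror that rewrites both, the check means something only when the Manifest itself is covered by a signature from a key the client already trusts, which is exactly the gap GLEP 58 is meant to close.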



Re: [gentoo-user] creating an image of the system

2013-09-09 Thread Dale
Benjamin Block wrote:
> On 17:07 Sun 08 Sep , Dale wrote:
>>
>> http://www.gentoo-wiki.info/HOWTO_Custom_Stage4
>>
>> http://wiki.gentoo.org/wiki/Backup
>>
>> One of those should help.  If not, Google for "Gentoo stage4" without
>> the quotes of course.
>>
> ok, thank you both for pointing out what this is called and the links.
> Could have thought of "stage 4" myself, it's somewhat logical ;)
>
>
> - Ben
>
>

Only once you know it.  I'm not going to tell how many times I have
posted a question because I don't know what to search for.  It happens
to us all.  Heck, just when I get used to something being called one
thing, they change the name to something else.  :/

Hope that gets you just what you want tho.  It should be a start at
least.  I saw lots of other hits on Google too. 

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




Re: [gentoo-user] why does revdep-rebuild object to mounting /var on /mnt/var ?

2013-09-09 Thread gottlieb
On Mon, Sep 09 2013, Canek Peláez Valdés wrote:

> On Mon, Sep 9, 2013 at 1:51 PM,   wrote:
>> In fstab I have
>>   /dev/vg/var  /mnt/var  ext4  defaults  0 2
>> I also have
>>   lrwxrwxrwx 1 root root 7 Aug 31 16:13 /var -> mnt/var
>>
>> This has worked ok but revdep-rebuild is not happy
>
> I think it's the symlink that is making revdep-rebuild
> unhappy. Have you tried to bind mount /mnt/var into /var?
>
> mount -o bind /mnt/var /var

Works great.  Thanks.  To make it permanent I put
/mnt/var /var  ext4 bind   0 0
right under
/dev/vg/var  /mnt/var  ext4 defaults   0 2
in /etc/fstab

>> Should I also mount directly onto /tmp and /opt?
>
> I don't think so, although /tmp is preferred to be a tmpfs now, I
> believe (in both systemd and OpenRC, if I'm not mistaken).

To use tmpfs I will first have to teach myself not to put things in /tmp
that I expect to need for only a few days (I have wipe_tmp="NO"; and use
30 days for tmpwatch).

thanks again,
allan



Re: [gentoo-user] why does revdep-rebuild object to mounting /var on /mnt/var ?

2013-09-09 Thread Alan McKinnon
On 10/09/2013 00:26, gottl...@nyu.edu wrote:
> On Mon, Sep 09 2013, Canek Peláez Valdés wrote:
> 
>> On Mon, Sep 9, 2013 at 1:51 PM,   wrote:
>>> In fstab I have
>>>   /dev/vg/var  /mnt/var  ext4  defaults  0 2
>>> I also have
>>>   lrwxrwxrwx 1 root root 7 Aug 31 16:13 /var -> mnt/var
>>>
>>> This has worked ok but revdep-rebuild is not happy
>>
>> I think it's the symlink that is making revdep-rebuild
>> unhappy. Have you tried to bind mount /mnt/var into /var?
>>
>> mount -o bind /mnt/var /var
> 
> Works great.  Thanks.  To make it permanent I put
> /mnt/var /var  ext4 bind   0 0
> right under
> /dev/vg/var  /mnt/var  ext4 defaults   0 2
> in /etc/fstab

I'm curious as to why you do that; I can't see any benefit at all.

The "var" filesystem is an LV and is only useful if it is mounted at
/var where packages expect it to be. Why add the extra complexity of
mounting it somewhere else and then bind mounting it to the only place
it can be useful?

If you really want a bind mount (to for example work with only that
filesystem's objects and not have to deal with submounts below /var),
why not just mount the LV directly at /var and bind mount it to /mnt/var?

I'm assuming you do this for backup purposes or similar - some really
dumb backup software out there can't detect when it crosses a mount
point (I know this because I've had to deal with idiots who purchase
such software and have the power to insist I use it...)

If so, why not have your backup script mount the fs in /mnt, and umount
it when done?

> 
>>> Should I also mount directly onto /tmp and /opt?
>>
>> I don't think so, although /tmp is preferred to be a tmpfs now, I
>> believe (in both systemd and OpenRC, if I'm not mistaken).
> 
> To use tmpfs I will first have to teach myself not to put things in /tmp
> that I expect to need for only a few days (I have wipe_tmp="NO"; and use
> 30 days for tmpwatch).

There are rules of thumb about this that will always work:

No object in /tmp can be expected to survive successive invocations of
the program that created the object, and never survive a reboot;
No object in /var/tmp can be expected to survive a reboot

The best place for temp files, ironically, is ~



-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] Internet security.

2013-09-09 Thread Mick
On Monday 09 Sep 2013 20:24:56 Michael Orlitzky wrote:
> On 09/09/2013 02:07 PM, Mick wrote:
> > On Monday 09 Sep 2013 14:42:28 Michael Orlitzky wrote:
> >> On 09/09/2013 01:28 AM, Mick wrote:
> >>> Are you saying that 2048 RSA keys are no good anymore?
> >> 
> >> They're probably fine, but when you're making them yourself, the
> >> extra bits are free. I would assume that the NSA can crack
> >> 1024-bit RSA[1], so why not jump to 4096 so you don't have to do
> >> this again in a few years?
> > 
> > Right, but my router won't work with keys larger than 2048 and its
> > admin GUI is controlled with a 1024-bit public certificate.
> 
> How often do you need to admin the router? Just do it from home (i.e.
> on the LAN side).

Yes, that's how I do it, or I VPN into the LAN from the outside if there is
some emergency.  However, the VPN SSL keys can't be any larger than 2048-bit.

-- 
Regards,
Mick

