Re: SSL for debian.org/security?

2013-11-11 Thread Mike Mestnik
I don't see how this is relevant? Obviously if hardware is seized then the owners no longer have control. If you have suggestions as to how to secure hardware that's great, but if you just want to point out that "Nothing can be done." That's not helpful. On Tue, Oct 29, 2013 at 4:52 AM, Tormen

Re: Debian APT Key Revocation Procedure

2013-11-03 Thread Mike Mestnik
I think the big issue here is that you need to be part of the 'in crowd' to know that the DSA team is reached via the debian-admin list. It's not logical, IMHO, for these to be related. I don't believe that these two teams completely ignore the debian-security lists, as they obviously (IMHO) have

Re: dropbear delayed startup

2013-02-12 Thread Mike Mestnik
On 02/12/13 15:11, Lukas Schwaighofer wrote: > Hello Mike, > > thanks for your answer. > > On 12.02.2013 21:05, Mike Mestnik wrote: >> What issue do you have, sounds like you are just generally >> concerned. You should dir

Re: dropbear delayed startup

2013-02-12 Thread Mike Mestnik
Lukas, cryptsetup does not encrypted filesystems, so you must be mistaken if you believe that you are "remote unlocking of encrypted filesystems" with cryptsetup. Be specific about your configuration, this is important in this case. Those looking f

Re: NULL Scan issues or something else?

2013-02-05 Thread Mike Mestnik
This is exactly why a higher level interface should be considered. If you go about setting your own low level iptables rules then you would also have the task of testing those rules. I use shorewall and I've used firehol, both are good. Please consult their results (the tables they generate) for s

Re: Iceweasel ESR 10 security update.

2013-01-12 Thread Mike Mestnik
On 01/12/13 12:12, Daniel Curtis wrote: > Hi > > Whether the Iceweasel 10.0.11 ESR package can be updated a little faster due > to several security issues? On January 8 Mozilla published about 20 > Security Advisories[1]. Many distributions already have updated Firefox > to the > latest 18 and 10.

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-13 Thread Mike Mestnik
On 12/12/12 13:10, Henrik Ahlgren wrote: > On Wed, Dec 12, 2012 at 05:52:31PM +, adrelanos wrote: >> Since get-upstream-version.pl runs as root it can do anything. >> >> I don't accuse him personally for anything. But should he ever be >> compromised (forced, evil maid, etc...) it's very easy t

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-13 Thread Mike Mestnik
On 12/12/12 12:02, Moritz Mühlenhoff wrote:> On Wed, Dec 12, 2012 at 05:52:31PM +, adrelanos wrote: >> Hi, >> >> I do not want to discuss security implications of the upstream closed >> source Adobe Flash plugin. This is about how the Flash plugin is >> downloaded and installed in Debian. >> >>

Re: About default init umask, and kernel umask, cron umask

2012-12-05 Thread Mike Mestnik
Also keep in mind on modern systems init is started from the initrd and not by the kernel, so a good umask may be set there for init. http://linux.die.net/man/8/pivot_root On 12/05/12 10:28, Min Wang wrote: > HI > > Could any one tell what is the default umask for kernel, init, cron? is > it con

Re: About default init umask, and kernel umask, cron umask

2012-12-05 Thread Mike Mestnik
On many Unix systems, the default umask is 022. This would be set explicitly by init or not at all (000). If you're writing an init replacement, make sure to set umask then later you can read a config file and set the umask to the user configured value. See: http://www.juniper.net/security/auto/vu

Re: New rootkit targeting Debian squeeze (amd64 only)

2012-11-23 Thread Mike Mestnik
On 11/23/12 11:14, Cindy-Sue Causey wrote: > On 11/23/12, Mike Mestnik wrote: >> On 11/23/12 06:14, Milan P. Stanic wrote: >>> On Fri, 2012-11-23 at 02:22, Jordon Bedwell wrote: >>> >>> Two days passed and no one say anything about infection vector. >

Re: New rootkit targeting Debian squeeze (amd64 only)

2012-11-23 Thread Mike Mestnik
On 11/23/12 06:14, Milan P. Stanic wrote: > On Fri, 2012-11-23 at 02:22, Jordon Bedwell wrote: >> On Fri, Nov 23, 2012 at 12:31 AM, Mike Mestnik >> wrote: >>> On 11/22/12 11:33, Laurentiu Pancescu wrote: >>>> More likely: a vulnerability in their web ser

Re: New rootkit targeting Debian squeeze (amd64 only)

2012-11-22 Thread Mike Mestnik
On 11/22/12 11:33, Laurentiu Pancescu wrote: > On 11/22/12 14:13 , Milan P. Stanic wrote: >> Nothing about infection vector, so it is non-issue, probably. Yes, >> root can be faked to install it from some third party module or even >> DKMS, but root shouldn't do such things without careful checking

Re: Use of DSA number for general announcements

2012-09-15 Thread Mike Mestnik
On 09/14/12 00:47, Thijs Kinkhorst wrote: > Hi David, > > On Fri, September 14, 2012 03:28, David Prevot wrote: >>> This is a notice to inform you, that our previous PGP/GPG key expired. >> >> Thanks for notifying us on debian-security-announce@l.d.o, but I >> disagree that such an announcement de

Re: [SECURITY] [DSA 2523-1] globus-gridftp-server security update

2012-08-08 Thread Mike Mestnik
On 08/06/12 22:47, maestro wrote: > #please unsubscribe me from this list > # i do not find any link to do so. > # thank you. > Instructions can be found at the bottom, there is no link or URL. This link explains things, I know it looks like useless fluff but read at least the first 3 lines this

Re: Disabling IPv6 and other networking protocols: Best Practice?

2012-08-08 Thread Mike Mestnik
On 08/07/12 11:09, Laurie Mercer wrote: > > However, the other entries in this file are not in this format, rather > they use 'alias XXX off' format, e.g. rds is 'alias net-pf-21 off'. I > cannot see where the mapping between rds and net-pf-21 is, and according > to the man pages alias simply give

Re: Daemon umask

2012-08-08 Thread Mike Mestnik
On 08/07/12 08:49, Jordon Bedwell wrote: > Hi, > > On 08/07/2012 08:15 AM, Laurie Mercer wrote: >> Is it possible to set the umask to a value (in this case 27) at boot >> time so that all daemon processes started at boot time will have this >> umask by default (unless they override it)? >> >> In R

Fwd: Re: bitcoind: 0.3.24~dfsg-1~bpo60+1 policy on backports?

2012-07-30 Thread Mike Mestnik
No reply on these, what should happen to get backports to carry secure versions of bitcoin? Thank you! Original Message Subject: Re: bitcoind: 0.3.24~dfsg-1~bpo60+1 policy on backports? Date: Sun, 22 Jul 2012 22:52:20 + From: Luke-Jr To: Mike Mestnik CC: debian-security

Re: bitcoind: 0.3.24~dfsg-1~bpo60+1 policy on backports?

2012-07-22 Thread Mike Mestnik
ight? At the very least I'd like to see these being tracked, if that's appropriate. Thank you. On 07/22/12 16:55, Mike Mestnik wrote: > What's the policy (or usual outcome) on security issues in > squeeze-backports/main? > > I'm told that 0.3.24 may be vulnerable

bitcoind: 0.3.24~dfsg-1~bpo60+1 policy on backports?

2012-07-22 Thread Mike Mestnik
What's the policy (or usual outcome) on security issues in squeeze-backports/main? I'm told that 0.3.24 may be vulnerable to these at the very least... CVE-2012-1909, BIP-0016, CVE-2012-2459, and CVE-2012-3789 https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures It doesn't look like th

CVE-2012-2459: Critical Vulnerability, but still reserved.

2012-07-02 Thread Mike Mestnik
Currently this(bitcoind) package is in back-ports. I think things may have gotten mixed up, here is the publication: https://bitcointalk.org/index.php?topic=81749.0 Here is what the bitcoin daemon says: cheako@hades:~$ bitcoind getinfo { "version" : 32400, "balance" : 0., "blo

Xorg: Security past client auth.

2012-06-10 Thread Mike Mestnik
To be honest I can't say one way or another about whether there are security issues in X if one has malicious clients connected. However I'm not having success discussing these matters over at xorg-de...@lists.x.org. I'm not the most likable person and I've even recently discovered that there a p

Re: Security Implications of DKMS?

2012-03-29 Thread Mike Mestnik
On 03/27/12 08:48, Yves-Alexis Perez wrote: > On mar., 2012-03-27 at 14:18 +0300, Rares Aioanei wrote: >> I see that as a myth. Look at it this way: if an attacker already has >> access to your machine, he/she can install anything he/she wants, >> inc

Re: Securing Debian Manual: 3.2.1 Choose an intelligent partition scheme

2012-03-06 Thread Mike Mestnik
On 03/05/12 20:41, Fernando Mercês wrote: > Hi Stayvoid, how are you? > > If you'll install grub in MBR, there is no need for primary partitions > since grub can nicely boot logical partitions. > Forget about that old technology, use GPT. > Regards, > > Fernando Mercês > Linux Registered User #432

Re: OpenSSH not logging denied public keys, even with logging set to verbose.

2012-03-01 Thread Mike Mestnik
On 03/01/12 21:16, Mike Mestnik wrote: > On 03/01/12 21:00, Bedwell, Jordon wrote: >> On Thu, Mar 1, 2012 at 8:18 PM, Mike Mestnik wrote: >>> On 03/01/12 18:57, Russell Coker wrote: >>>> On Fri, 2 Mar 2012, Jordon Bedwell wrote: >>>>>> Run the

Re: OpenSSH not logging denied public keys, even with logging set to verbose.

2012-03-01 Thread Mike Mestnik
On 03/01/12 21:00, Bedwell, Jordon wrote: > On Thu, Mar 1, 2012 at 8:18 PM, Mike Mestnik wrote: >> On 03/01/12 18:57, Russell Coker wrote: >>> On Fri, 2 Mar 2012, Jordon Bedwell wrote: >>>>> Run the command below. >>>>> >>>>>

Re: OpenSSH not logging denied public keys, even with logging set to verbose.

2012-03-01 Thread Mike Mestnik
On 03/01/12 18:57, Russell Coker wrote: > On Fri, 2 Mar 2012, Jordon Bedwell wrote: >>> Run the command below. >>> >>> grep "ssh:1.%.30s@%.128s.s password:" /usr/sbin/sshd; echo $? >>> >>> If you don't get 1 as output, your sshd is compromised. >> It returned 1, this happens on freshly installed

Re: OpenSSH not logging denied public keys, even with logging set to verbose.

2012-03-01 Thread Mike Mestnik
On 03/01/12 18:23, Bedwell, Jordon wrote: > On Thu, Mar 1, 2012 at 3:16 PM, Mike Mestnik wrote: >> On 03/01/2012 02:51 PM, Aníbal Monsalve Salazar wrote: >>> On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote: >>> >>>> The problem is I cannot get

Re: OpenSSH not logging denied public keys, even with logging set to verbose.

2012-03-01 Thread Mike Mestnik
On 03/01/2012 02:51 PM, Aníbal Monsalve Salazar wrote: On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote: The problem is I cannot get sshd to log publickey denied errors to /var/log/auth.log so our daemons can ban these users. I want to know what happened to messages like "publ

Re: how to fix rootkit?

2012-02-08 Thread Mike Mestnik
On 02/08/12 18:07, Russell Coker wrote: > On Thu, 9 Feb 2012, Stephen Hemminger wrote: >> The advice I heard is trust nothing (even reflash the BIOS). > Do you know of any real-world exploits that involve replacing the BIOS? It's > been theoretically possible for a long time but I haven't seen a

Re: how to fix rootkit?

2012-02-08 Thread Mike Mestnik
On 02/08/12 02:41, Laurentiu Pancescu wrote: > On 2/8/12 09:53 , v...@lab127.karelia.ru wrote: >> Today I found next things at squeeze. Please help to fix, I've no >> experience in such tasks. > > As Fabian already mentioned, you cannot know what an attacker changed > in the system (especially now

Re: NIS password hashes fails from Redhat/Mandriva Linux

2012-01-12 Thread Mike Mestnik
On 01/12/12 17:32, Bichoy Waguih wrote: > Hello Debian World, > > I have a small problem with Debian NIS authentication. Mainly, I have NIS > server running on a Mandriva Linux machine and I want to configure a > Debian > machine to be a client for this NIS server. > > The Debian client receives th

Re: Default valid shells and home dir permissions

2012-01-12 Thread Mike Mestnik
On 01/12/12 16:16, Karl Goetz wrote: > On Thu, 12 Jan 2012 11:19:41 +0100 > Poison Bit wrote: > >> On Thu, Jan 12, 2012 at 7:48 AM, Davit Avsharyan >> wrote: >>> I know how to change it :). I just wanted to understand why it >>> comes with 755 and not 700 ? >>> Few years ago, if I'm not mistaken,

Re: Default valid shells and home dir permissions

2012-01-12 Thread Mike Mestnik
On 01/12/12 04:19, Poison Bit wrote: > On Thu, Jan 12, 2012 at 7:48 AM, Davit Avsharyan wrote: >> I know how to change it :). I just wanted to understand why it comes with >> 755 and not 700 ? >> Few years ago, if I'm not mistaken, everything was 700. The commit log (2000) is: Load adduser-3.12 int

Re: local authentication spoofing using libnss-ldap

2012-01-02 Thread Mike Mestnik
On 01/02/12 15:52, Yann Autissier wrote: > On 22/12/2011 18:02, Mariusz Kruk wrote: >> W dniu 2011-12-22 17:01, Yann Autissier pisze: >>> I am using the libnss-ldap and libpam-ldap packages with default >>> configuration. >>> >>> NSS is configured to allow passwd and group resolution over ldap. >>>

Re: AW: Vulnerable PHP version according to nessus

2012-01-01 Thread Mike Mestnik
On 12/28/11 05:51, Jordon Bedwell wrote: > On Wed, Dec 28, 2011 at 2:54 AM, Adam D. Barratt > wrote: >> On 28.12.2011 07:56, Patrick Geschke wrote: >>> Hey, >>> >>> @Maintainers: Whats the overall Status of the package? >>> >>> According to php.net 5.3.8 is stable. >> >> 5.3.8 is in both testing a

Re: [Squeeze] ip6tables-save syntax

2011-11-17 Thread Mike Mestnik
On 11/17/11 13:32, Kees de Jong wrote: > Hi, > > > > > I'm running Debian Squeeze and I want to save my ip6table configuration with the iptables-persistent tool. > To save an ipv4 table I use 'iptables-save > /etc/iptables/rules', the configuration fi

Re: Fwd: Problem with multiple root-users (UID=0)

2011-11-16 Thread Mike Mestnik
On 11/16/11 00:13, Ritesh Raj Sarraf wrote: > Hello Mike, > > Yes, That'd be debian-security@lists.debian.org, Cced with this email. > > > Ritesh > > On 11/16/2011 11:15 AM, Mike Christie wrote: >> Hey Ritesh, >> >> Does Debian have some sort of secur

Recent libssl update.

2011-11-13 Thread Mike Mestnik
Is it usual to have to restart services to load security updates? Is this something to be corrected or should I be diligent and restart services periodically?

Re: World writable pid and lock files.

2011-05-15 Thread Mike Mestnik
Henrique de Moraes Holschuh wrote: You know, it would help if you actually read what you replied to. start-stop-daemon(8) says /proc/pid/exe is used. On my system that is a symbolic link. What I would do if I was to write start-stop-daemon is read the link and match that value with the na

Re: World writable pid and lock files.

2011-05-11 Thread Mike Mestnik
On 05/11/11 13:23, Henrique de Moraes Holschuh wrote: > On Wed, 11 May 2011, Mike Mestnik wrote: >> On 05/11/11 01:37, helpermn wrote: >>> On Tue, 10 May 2011, Henrique de Moraes Holschuh wrote: >>>> On Tue, 10 May 2011, helpermn wrote: >>>>> I imag

Re: World writable pid and lock files.

2011-05-11 Thread Mike Mestnik
On 05/11/11 01:37, helpermn wrote: > On Tue, 10 May 2011, Henrique de Moraes Holschuh wrote: > >> On Tue, 10 May 2011, helpermn wrote: >>> I imagine why files listed below have 666 file mode bits set: >>> /var/run/checkers.pid >>> /var/run/vrrp.pid >>> /var/run/keepalived.pid >>> /var/run/starter.

Re: integrity checks and inodes

2011-02-01 Thread Mike Mestnik
Pascal Weller wrote: Hi All The various tools for integrity checks (aide, integrit, tripwire, etc) do check timestamp, uid/gid, permissions, checksum, inode etc. of the files on a system, compare them to the last known-good state and warn about changes. I'm wondering why I should care about

Re: Lenny version info

2010-12-20 Thread Mike Mestnik
Michael Cassano wrote: Clearly what is needed is a better explanation of this list and what it is for, including sections for Rules and Etiquette. Though I feel Rules and Etiquette may be common to all lists.debian.org . More documentation woul

Re: Lenny version info

2010-12-15 Thread Mike Mestnik
Jim Popovitch wrote: On Wed, Dec 15, 2010 at 07:00, John Keimel wrote: On Wed, Dec 15, 2010 at 6:49 AM, Ashley Taylor wrote: Hi, http://tinyurl.com/ybpctcz Please particularly note items on "jeopardy reply" or "Top posting" and "trimming". +1 -Jim P. +1 Clearly what

Re: Re : Lenny version info

2010-12-14 Thread Mike Mestnik
Julien Patriarca wrote: Maybe the all of that starting point was obviously out of the scope of this mailing list, but it seems to catch the interest of everyone seeing how many answers have been posted. Just stop with all that rubbish and get back to the main topic: security in Debian. A g

Re: Lenny version info

2010-12-13 Thread Mike Mestnik
Ash Narayanan wrote: Wow, what has this thread turned into!? It started off as a simple question that could have been answered with one of two possible replies, namely, the solution itself or a suggestion to move this query to a more appropriate mailing list. Thank you to all of you whose rep

Re: Lenny version info

2010-12-13 Thread Mike Mestnik
Ashvin Narayanan wrote: This probably isn't the best place to ask but I couldn't find a better one. How do I obtain information about my Lenny installation? Is there a command that tells me the version number? Thanks, Ash http://www.debian.org/doc/FAQ/ch-software.en.html#s-isitdebian htt

Re: About how to protect network resources in LDAP environment?

2010-08-28 Thread Mike Mestnik
o identify the user, which is > why it is mostly only secure if "root" is shared between the NFS server and > all its clients.

Live Penetration Testing.

2009-10-21 Thread Mike Mestnik
Are there any applications or projects to provide this *badly needed service? I'm willing to assist in using or putting together an nmap-type application that scans for known vulnerabilities and attempts to make use of them for security awareness and _,*"prof"*,_ of concept means. Rant: * Too oft

Re: Debian and recent TCP vulnerability

2009-09-11 Thread Mike Mestnik
On Fri, Sep 11, 2009 at 9:11 AM, Nick Boyce wrote: > Mlor Apac wrote: > >> What's the status of debian (and linux kernel in general) regarding this >> recent TCP vulnerability? I have been unable to find any precise >> information. > > I too am wondering about this. > > The basic Linux stance is pr

Re: Handling personal/self(WebOfTrust) pgp/gpg private keys.

2009-07-06 Thread Mike Mestnik
system in your home : or anywhere else if theft could be a problem. * A shell being a highly reliable shell account on a server.(Some examples/suggestions would be nice) On Wed, Jun 24, 2009 at 2:18 AM, Mike Mestnik wrote: > Are there any guide lines for the Web-Of-Trust projects surrounding > Deb

Handling personal/self(WebOfTrust) pgp/gpg private keys.

2009-06-24 Thread Mike Mestnik
Are there any guidelines for the Web-Of-Trust projects surrounding Debian or in general? I have had a number of problems with private keys over these past years that I've used PKI, forgetting the password, losing (what partition/server/drive) the file, drive corruption, accidental deletes. I've