[Mainly offtopic] Jeremy Buchmann said:
> I don't understand this weird uber-advocacy stance that says we have to convert every single Windows user to Linux and make Linux the one and only operating system on earth. It's completely irrational and goes against the very idea of having a choice of computer operating systems.

While I agree with you that blind advocacy is a stupid thing, I must say that more people using Linux and seeing it as a viable alternative to Windows could well make a difference for many of us: my work is maintaining a network of about 100 client PCs, and as of today Linux could be used to do a good 95% of all we need to do with these computers. But we have to use Windows, mainly for Office and for easy interoperability with "external" software and software houses (accounting, payrolls, etc. are Windows only, or at best unix-but-not-linux).

If Linux becomes (still) easier to use - and it's becoming more and more so - there'll be many more people and software houses that will be accepting it, using it and developing for it. And I could use Linux instead of Windows on a good 95% of my PCs. Doing this is not only better for me (easier administration) but also for the company I work for, which will be able to save millions in stupid licenses and associated management/"ownership" costs (did you ever try the new Windows 2000 Terminal Server License? ;)

Moreover, if you're not a US citizen, maybe you would like (as I do) not having your country dumping lotsa money on the US paying for insecure, dysfunctional and often plain stupid software (PLEASE flame me on private mail and not on the list, thanks! ;-)

This goes without speaking of security risks (wow! back on topic! ;): we may put up very aggressive firewalls using Linux (see active probing of incoming attacks and maybe active defenses ;) but we have to accept mails and documents from the internet, and if you're using ANY mail program that uses the IE HTML rendering object, or Office, you're exposing yourself to *A LOT* of threats. I follow NTBUGTRAQ to stay ahead of these problems, and I often found myself thanking the gods we don't use dangerous mail programs. But MANY times there were series of so many horrible bugs in only a few days that I was *praying* no one will want to use the combination of those to write a nasty stealth virus, or else we'll all close shop in a few months. And we cannot set up a mailfilter to check for buffer overflows and/or the use of badly signed/catalogued objects that already are on our computers.

And I wouldn't put my faith in antivirus firms either: if the exploit writer is smart and stealthy enough, they'll never see the virus before activation. Remember the CIH virus? It was very stealthy, and was caught only because a version of it was programmed to wipe your disks (and BIOSes) every month instead of every year. What if the monthly version of the virus didn't exist? Even with that and the antiviruses ready in August 1998, more than 300.000 were wiped out.

This is not to say that Linux is absolutely secure and doesn't have these kinds of problems, but it *can* be more secure if we care. With Windows we don't have the option (try using tripwire on %SYSTEMROOT%\SYSTEM32 ;-). Moreover, I firmly believe that diversity is strength, and having different people, companies, governments etc. of the world using different but fairly interoperable OSes and programs will avoid having a single virus wiping out us all.

Ciao,
Roberto (and sorry for the rant! :-)
> Jeremy Buchmann said:
> > I don't understand this weird uber-advocacy stance that says we have to convert every single Windows user to Linux and make Linux the one and only operating system on earth. It's completely irrational and goes against the very idea of having a choice of computer operating systems.
>
> While I agree with you that blind advocacy is a stupid thing, I must say that more people using Linux and seeing it as a viable alternative to Windows could well make a difference for many of us: my work is maintaining a network of about 100 client PCs, and as of today Linux could be used to do a good 95% of all we need to do with these computers. But we have to use Windows, mainly for Office and for easy interoperability with "external" software and software houses (accounting, payrolls, etc. are Windows only, or at best unix-but-not-linux).

I know how you feel. I used to be a tech support peon (sp?) at a company where we had about 350 PCs, 300 of which had no relation whatsoever to the other 50 and could (read: should) have been running Linux. With Windows NT 4.0 (and only 32MB of RAM), they were horridly slow and unstable. They only had to run a few applications, all of which could have been run on Linux. We had to reboot those machines *nightly* to keep them stable during the day. Every couple of months we had to make some stupid configuration change to the system which either required re-imaging the whole drive or 4 reboots per machine...an eternity on NT+Netware client. Had we been running Linux, we could have made all these changes via shell scripts. I eventually was able to convince 3 uppers (my boss, his boss, and his boss's boss) that running Linux/UNIX would be better for these machines, but the Microsoft Mentality was so pervasive, no one really considered it as a viable option.

However, this still has nothing to do with dragging Joe User from Windows 98 to Linux on his home system. There is nothing wrong with having sshd sitting in /usr/sbin and not doing anything. One of the things I actually liked about RH's old install was you could choose what services you wanted running on the machine during the installation...of course, it would start all of them anyway, but the idea was nice :)
Perhaps SuSE could set up an advocacy list so this doesn't clutter up the security list?

As far as SSH packaging goes is there any reason to NOT split it up to client and server? It makes sense to me. Is there any compelling reason to NOT split it up?

Kurt Seifried, seifried@securityportal.com
SecurityPortal - your focal point for security on the 'net
Well, the default openssh spec file splits it. It's nice to be able to just install the client on a computer where you will definitely not need the server loaded. Though, it honestly only saves about 600k of diskspace if you are lucky (if the software is strip'd).

On Fri, Jan 05, 2001 at 02:28:16PM -0700, Kurt Seifried wrote:
> Perhaps SuSE could set up an advocacy list so this doesn't clutter up the security list?
>
> As far as SSH packaging goes is there any reason to NOT split it up to client and server? It makes sense to me. Is there any compelling reason to NOT split it up?
>
> Kurt Seifried, seifried@securityportal.com
> SecurityPortal - your focal point for security on the 'net
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Can someone explain where to look to solve the following error:

root@zues:/home/mlong > /sbin/init.d/rc.firewall status
depmod: *** Unresolved symbols in /lib/modules/2.2.16/pcmcia/mpsuni_cs.o
Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.

I do not understand what this is trying to tell me.

Thanks,
Mike
On Thu, Jan 11, 2001 at 10:17 -0500, Michael Long wrote:
> Can someone explain where to look to solve the following error:
>
> root@zues:/home/mlong > /sbin/init.d/rc.firewall status
> depmod: *** Unresolved symbols in /lib/modules/2.2.16/pcmcia/mpsuni_cs.o
> Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.

You obviously reference a (yet) unconfigured network interface and your kernel has autoload support for modules. But still upping the interface fails.

Get your configuration right and try again! :>

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
Thanks to all who replied. Things are now working.

Mike

On Thu, 11 Jan 2001, Gerhard Sittig wrote:
> On Thu, Jan 11, 2001 at 10:17 -0500, Michael Long wrote:
> > Can someone explain where to look to solve the following error:
> >
> > root@zues:/home/mlong > /sbin/init.d/rc.firewall status
> > depmod: *** Unresolved symbols in /lib/modules/2.2.16/pcmcia/mpsuni_cs.o
> > Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.
>
> You obviously reference a (yet) unconfigured network interface and your kernel has autoload support for modules. But still upping the interface fails.
>
> Get your configuration right and try again! :>
>
> virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
> Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
> --
> If you don't understand or are scared by any of the above ask your parents or an adult to help you.
> > Can someone explain where to look to solve the following error:
> >
> > root@zues:/home/mlong > /sbin/init.d/rc.firewall status
> > depmod: *** Unresolved symbols in /lib/modules/2.2.16/pcmcia/mpsuni_cs.o
> > Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.
>
> You obviously reference a (yet) unconfigured network interface and your kernel has autoload support for modules. But still upping the interface fails.

Upping the interface doesn't cause a `depmod -a' to be called. Something else is wrong. If you don't need the pcmcia modules, then remove /lib/modules/2.2.16/pcmcia/. Seems you have installed the pcmcia modules without the pcmcia subsystem configured into the kernel. Then try again.

/sbin/init.d/rc.firewall is not a SuSE path, so we can't really tell what's going on in it...

Thanks,
Roman.
--
 -                                                                  -
| Roman Drahtmüller <draht@suse.de> // "Caution: Cape does |
  SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
 -                                                                  -
> Perhaps SuSE could set up an advocacy list so this doesn't clutter up the security list?

I'll forward it to the right people.

> As far as SSH packaging goes is there any reason to NOT split it up to client and server? It makes sense to me. Is there any compelling reason to NOT split it up?

I need a reason _for_ it in the first place. How about START_SSHD=no in /etc/rc.config, or rm /sbin/init.d/sshd /usr/sbin/sshd* /sbin/rcsshd ?

The secure shell daemon is run at boot time per default intentionally. Reason: ssh is the only way to access a freshly installed machine remotely. We find that this makes sense.

> Kurt Seifried, seifried@securityportal.com
> SecurityPortal - your focal point for security on the 'net

Thanks,
Roman.
--
 -                                                                  -
| Roman Drahtmüller <draht@suse.de> // "Caution: Cape does |
  SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
 -                                                                  -
Roman Drahtmueller:
> > As far as SSH packaging goes is there any reason to NOT split it up to client and server? It makes sense to me. Is there any compelling reason to NOT split it up?
>
> I need a reason _for_ it in the first place. How about START_SSHD=no in /etc/rc.config, or rm /sbin/init.d/sshd /usr/sbin/sshd* /sbin/rcsshd ?
>
> The secure shell daemon is run at boot time per default intentionally. Reason: ssh is the only way to access a freshly installed machine remotely. We find that this makes sense.
>
> Roman.

Hi Roman,

the question is if my system is safe from access from outside. If I configure ssh only to accept connections from my local network, fine. But isn't the default to accept all connections? If so, my box is vulnerable to bruteforce attacks via ssh. And only because I wanted the ssh client tools?

(ok, one should use a properly configured firewall to catch things like that.)

Peter
Dear Roman,

As the person who first made the suggestion and unwittingly released the advocacy hounds my main concern is that people should not be starting network services by mistake. So I would accept START_SSHD=no as a compromise.

I think a good general rule of usability design is that software defaults should 'do the right thing' for the unsophisticated user, and that this rule is especially true where security is concerned. Sophisticated users should know enough to be able to change the defaults.

In my job I have to administer many computer systems at work, but I also have to advise people who use Linux at home. I want these people to be able to experience the good things of Linux without me worrying about whether they have enabled security precautions.

Perhaps a solution to this and other problems is a better selection of pre-packaged security configurations. We have 'easy', 'secure' and 'paranoid', but a typical home computer user should be paranoid about network services yet relaxed about internal security. They definitely don't want sshd etc. but can be quite happy to run setuid games and have world-readable logs etc.

This message has turned out longer than I intended...hope it doesn't contain any trolls.

Bob

P.S. This probably warrants a separate message, but the openssh security advisory seems to be missing from your web site. I upgraded a system to 7.0 just before Christmas and thought I applied all the security advisories, but later discovered I had missed one.

On Sat, 6 Jan 2001, Roman Drahtmueller wrote:
> > Perhaps SuSE could set up an advocacy list so this doesn't clutter up the security list?
>
> I'll forward it to the right people.
>
> > As far as SSH packaging goes is there any reason to NOT split it up to client and server? It makes sense to me. Is there any compelling reason to NOT split it up?
>
> I need a reason _for_ it in the first place. How about START_SSHD=no in /etc/rc.config, or rm /sbin/init.d/sshd /usr/sbin/sshd* /sbin/rcsshd ?
>
> The secure shell daemon is run at boot time per default intentionally. Reason: ssh is the only way to access a freshly installed machine remotely. We find that this makes sense.
>
> > Kurt Seifried, seifried@securityportal.com
> > SecurityPortal - your focal point for security on the 'net
>
> Thanks,
> Roman.
> --
> | Roman Drahtmüller <draht@suse.de> // "Caution: Cape does |
>   SuSE GmbH - Security Phone: // not enable user to fly."
> | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
==============================================================
Bob Vickers R.Vickers@dcs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
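
Added example (not part of any message in this thread, and not SuSE code): a shell audit for the concern discussed above that network services should not be started by mistake. It reads an rc.config-style file, lists the START_* services set to yes, and flags those missing from an allowlist. Only START_SSHD comes from the thread; the sample file, the other variable names and the allowlist are constructed for illustration.

```shell
#!/bin/sh
# Audit an rc.config-style file for services enabled at boot.

# Write a constructed sample file (not a real SuSE rc.config) to path $1.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample for the audit below
START_SSHD="yes"
START_INETD="no"
  START_HTTPD=yes   # enabled by hand, unquoted, with trailing comment
#START_PORTMAP="yes"
START_LPD="yes"
START_LPD="no"
EOF
}

# Print, one per line and sorted, every service whose START_* value is yes.
# Commented-out lines are ignored; the last assignment of a variable wins,
# as it would when the file is sourced by the boot scripts.
enabled_services() {
    sed -n 's/^[[:space:]]*START_\([A-Z0-9_]*\)=\([^#]*\).*/\1 \2/p' "$1" |
    tr -d "\"'" |
    awk '{ state[$1] = tolower($2) }
         END { for (n in state) if (state[n] == "yes") print tolower(n) }' |
    sort
}

# Print services enabled in file $1 that are absent from the
# space-separated allowlist $2 (the services the admin meant to run).
unexpected_services() {
    for svc in $(enabled_services "$1"); do
        case " $2 " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

sample=$(mktemp)
write_sample "$sample"
echo "enabled at boot: $(enabled_services "$sample" | tr '\n' ' ')"
echo "not on allowlist: $(unexpected_services "$sample" "httpd")"
rm -f "$sample"
```
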
participants (9)
- Bob Vickers
- Gerhard Sittig
- Jeremiah Johnson
- Jeremy Buchmann
- Kurt Seifried
- Michael Long
- Peter Wiersig
- r.maurizzi@gvs.it
- Roman Drahtmueller