From owner-freebsd-security Sun Aug 25 00:12:21 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8F90E37B400; Sun, 25 Aug 2002 00:12:19 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5749443E3B; Sun, 25 Aug 2002 00:12:19 -0700 (PDT) (envelope-from cjc@FreeBSD.org)
Received: from freefall.freebsd.org (cjc@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g7P7CJJU022200; Sun, 25 Aug 2002 00:12:19 -0700 (PDT) (envelope-from cjc@freefall.freebsd.org)
Received: (from cjc@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g7P7CJvv022196; Sun, 25 Aug 2002 00:12:19 -0700 (PDT)
Date: Sun, 25 Aug 2002 00:12:19 -0700 (PDT)
From: "Crist J. Clark"
Message-Id: <200208250712.g7P7CJvv022196@freefall.freebsd.org>
To: cjc@FreeBSD.org, security@FreeBSD.org, cjc@FreeBSD.org
Subject: Re: kern/22142: securelevel does not affect mount
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Synopsis: securelevel does not affect mount

Responsible-Changed-From-To: security->cjc
Responsible-Changed-By: cjc
Responsible-Changed-When: Sun Aug 25 00:02:34 PDT 2002
Responsible-Changed-Why:

I'll take it for two reasons:

1) I went through this same discussion some time ago. I'll look at a new knob or kernel config setting to enable this behavior.

2) Please do not assign PRs to "security" or "freebsd-security." Freebsd-security gets PR summaries because of a bug (and I just sent peter a patch to fix it). Yes, some lists for developers can be assigned PRs, but freebsd-security is not a developers list. It serves a wider audience. And the SNR is low enough without lots of PR threads.

If you want to CC or forward a PR to freebsd-security, OK, but don't assign it to the list. If you want to assign security-related PRs to a group of developers, assign them to security-officer.

http://www.freebsd.org/cgi/query-pr.cgi?pr=22142

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Aug 25 21:12:05 2002
Date: Mon, 26 Aug 2002 00:12:12 -0400
From: Ciro Maeitta
To: freebsd-security@freebsd.org
Subject: Re: I Finally got It2096
Message-Id: <20020826001212.448553a3.geminidomino@earthlink.net>
In-Reply-To: <00004bdf7370$00004bb3$00002422@fe.mail.jippii.net>

On Sat, 24 Aug 2002 18:57:57 -1900 "Tony" wrote:

> By purchasing the amazing new book everybody is talking
> about "Guide To The Professional Bulk Email Business".
> This book contains everything the Anti Commerce Radicals
> DON'T WANT YOU TO KNOW about how to and how not to
> advertise via BULK E-MAIL.

[Spam-book spam snipped]

Also known as "How to piss people off and lose your internet access for fun and profit!"

Damn my killfile is gettin big.

From owner-freebsd-security Sun Aug 25 21:54:39 2002
Date: Mon, 26 Aug 2002 00:52:53 -0400 (EDT)
From: adam@fscker.com (Adam Wien)
To: freebsd-security@freebsd.org
Message-Id: <20020826045253.25E135791@daimon.fscker.com>

subscribe

From owner-freebsd-security Mon Aug 26 03:51:35 2002
Date: Mon, 26 Aug 2002 06:47:23 -0400
From: Mark Thomas
To: freebsd-security@FreeBSD.ORG
Subject: Re: I Finally got It2096
Message-Id: <5.1.0.14.2.20020826064326.026348d0@pbegames.com>
In-Reply-To: <20020826001212.448553a3.geminidomino@earthlink.net>

At 12:12 AM 8/26/02 -0400, Ciro Maeitta wrote:
>[Spam-book spam snipped]
>
>Also known as "How to piss people off and lose your internet access for
>fun and profit!"
>
>Damn my killfile is gettin big.

I really wish the powers that be would consider making security, stable, and other focused lists subscriber only. It would eliminate the spam and the administrative garbage that routinely flows through here these days. Yes it would make it a tiny bit harder to post, but the win of eliminating the garbage outweighs the extra two minutes work required to subscribe and post for the occasional submitter.

Mark Thomas
---
thomas@pbegames.com ----> http://www.pbegames.com/~thomas
Play by Electron Games -> http://www.pbegames.com Free Trial Games

From owner-freebsd-security Mon Aug 26 04:03:23 2002
Date: Mon, 26 Aug 2002 12:03:14 +0100
From: "Danny Horne"
To: "Mark Thomas", freebsd-security@FreeBSD.ORG
Subject: RE: I Finally got It2096
In-Reply-To: <5.1.0.14.2.20020826064326.026348d0@pbegames.com>

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mark Thomas
> Sent: Monday 26 August 2002 11:47am
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: I Finally got It2096
>
>
> At 12:12 AM 8/26/02 -0400, Ciro Maeitta wrote:
>
> >[Spam-book spam snipped]
> >
> >Also known as "How to piss people off and lose your internet access for
> >fun and profit!"
> >
> >Damn my killfile is gettin big.
>
> I really wish the powers that be would consider making security, stable,
> and other focused lists subscriber only. It would eliminate the spam and
> the administrative garbage that routinely flows through here these days.
> Yes it would make it a tiny bit harder to post, but the win of
> eliminating the garbage outweighs the extra two minutes work required to
> subscribe and post for the occasional submitter.
>

I really wish people would stop replying to spam. It's getting to the point where I'm deleting more replies than spams themselves.

Just my 2d worth

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.384 / Virus Database: 216 - Release Date: 21/08/2002

From owner-freebsd-security Mon Aug 26 08:06:41 2002
Date: Mon, 26 Aug 2002 23:09:41 +0800 (CST)
From: MAILER-DAEMON@smtp.javamoh.net (Mail Delivery System)
To: security@FreeBSD.ORG
Subject: Undelivered Mail Returned to Sender
Message-Id: <20020826150941.9F4FD23100@smtp.javamoh.net>

This is a MIME-encapsulated message.

This is the Postfix program at host smtp.javamoh.net.

I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations.

For further assistance, please send mail to

If you do so, please include this problem report. You can delete your own text from the message returned below.

The Postfix program

: mail for ncumis.twbbs.org loops back to myself

Reporting-MTA: dns; smtp.javamoh.net
Arrival-Date: Mon, 26 Aug 2002 23:09:27 +0800 (CST)

Final-Recipient: rfc822; spam@ncumis.twbbs.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; mail for ncumis.twbbs.org loops back to myself

Undelivered message:

Message-Id: <20020826150927.97777230DC@smtp.javamoh.net>
Date: Mon, 26 Aug 2002 23:09:27 +0800 (CST)
From: security@FreeBSD.ORG
To: undisclosed-recipients:;
Subject: spam

as;dlkfj

From owner-freebsd-security Mon Aug 26 10:01:05 2002
Date: Mon, 26 Aug 2002 12:59:15 -0400
From: Ju Ichi
To: "Sam Leffler (at Usenix)"
Cc: "Nielsen"
Subject: Re: IPSec SPD limit?
Message-Id: <200208261259.15721.freebsd-security@ichi.net>
In-Reply-To: <006101c24aff$cce8cd00$52557f42@errno.com>

On Friday 23 August 2002 7:49 pm, Sam Leffler (at Usenix) wrote:
> > We are trying to setup a large IPSec SPD (in excess of 1000 SAs) on the
> > following hardware/software config:
> >
> > Compaq DL360 with dual 1.4GHz processors
> > 2GB RAM
> > 4GB swap space
> >
> > 4.6.1-RELEASE-p11
> > racoon-20020507a
> >
> > We get a "send: No buffer space available" when trying to read in the
> > /etc/ipsec.conf file if it has more than about 1000 entries. Also, if we do
> > a setkey -DP after trying to read in /etc/ipsec.conf we get
> > "recv: Resource temporarily unavailable" after it lists some of the SAs.
> >
> > Several kernel tweaks have been tried. For example, we have tried setting
> > MAXUSERS from 0 to 1024 on bit boundaries (0, 128, 256, 512, and 1024).
> > FWIW, setting it to 1024 seems to be evil. ;-) We have also tried various
> > settings in the kernel config file on NMBCLUSTERS, NMBUFS, NBUF, MAXDSIZ,
> > MAXSSIZ, DFLDSIZ, and MAXFILES. In addition, we have tweaked
> > kern.ipc.somaxconn, net.inet.tcp.sendspace, net.inet.tcp.recvspace,
> > net.inet.udp.recvspace, and net.inet.udp.maxdgram after reading some
> > performance tuning web pages. I can provide additional details as needed,
> > but didn't want to make this initial request too long.
> >
> > Does anyone know of any limits on the number of entries the SPD can hold and
> > if so how to make the limits higher?
> >
>
> setkey -DP returns the SA's via a PF_KEY socket. You're hitting the upper
> bound on the amount of data that can be stored in a socket of this type as
> all the data is returned en masse (i.e. the process isn't given an
> opportunity to read data). PF_KEY sockets inherit the send+recv space
> reserves of raw sockets:
>
> ebb# gdb -k /kernel /dev/mem
> ...
> (kgdb) p raw_sendspace
> $1 = 8192
> (kgdb) p raw_recvspace
> $2 = 8192
>
> You can either work around this by upping these values or patch the PF_KEY
> code to set the reserves on the socket explicitly (and provide sysctl's a la
> udp+tcp to control the upper bounds).
>
> Sam

Thanks! I changed /usr/src/sys/net/raw_cb.h as follows:

< #define RAWSNDQ 8192
< #define RAWRCVQ 8192
---
> #define RAWSNDQ 65535
> #define RAWRCVQ 65535

So, now we have:

(kgdb) p raw_sendspace
$1 = 65535
(kgdb) p raw_recvspace
$2 = 65535

We are able to get the policy loaded by using "setkey -c" with sleep statements as Nate suggested, but still are getting "recv: Resource temporarily unavailable" when doing a setkey -DP. Any more ideas on other values to up?

Also, Nate, do you know of a way to dump the policy with setkey so it all shows? In other words, using setkey -c we can slow down the rate of putting entries in, but there doesn't seem to be a way to slow down the rate at which the policy is dumped.
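Review bot: the RAWSNDQ/RAWRCVQ change in raw_cb.h raises the reserve for every socket that inherits the raw-socket defaults, not just PF_KEY, so it costs kernel socket-buffer memory on sockets that never dump a policy; Sam's second option (setting the reserve in the PF_KEY code and exposing it as a sysctl, as UDP and TCP do) confines the change to the one consumer and can be tuned without rebuilding the kernel. Note also that 65535 bytes shared across more than 1000 entries leaves under 66 bytes per entry, so if the whole dump has to fit into the reserve at once, as Sam describes, the new value is still too small, which is consistent with setkey -DP continuing to fail; raising the constants further only moves the ceiling, it does not remove it.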
Thanks,
Ju

From owner-freebsd-security Mon Aug 26 10:31:15 2002
Date: Mon, 26 Aug 2002 13:31:04 -0400
From: "Peter C. Lai"
To: Mark Thomas
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: I Finally got It2096
Message-ID: <20020826173104.GA17012@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
In-Reply-To: <5.1.0.14.2.20020826064326.026348d0@pbegames.com>

I suppose you want all the spam mail replaced with tons of or mail. I occasionally send mail to -stable. Do I feel like playing with majordomo every time I want to do so? Not unless I'm bored like now :) Being bored and looking for a solution on -stable are mutually exclusive.

On Mon, Aug 26, 2002 at 06:47:23AM -0400, Mark Thomas wrote:
> I really wish the powers that be would consider making security, stable,
> and other focused lists subscriber only. It would eliminate the spam and
> the administrative garbage that routinely flows through here these days.
> Yes it would make it a tiny bit harder to post, but the win of eliminating
> the garbage outweighs the extra two minutes work required to subscribe and
> post for the occasional submitter.
>
>
> Mark Thomas
> ---
> thomas@pbegames.com ----> http://www.pbegames.com/~thomas
> Play by Electron Games -> http://www.pbegames.com Free Trial Games

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
Yale University School of Medicine
Center for Medical Informatics | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Mon Aug 26 11:02:35 2002
Date: Mon, 26 Aug 2002 11:02:29 -0700 (PDT)
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you
Message-Id: <200208261802.g7QI2TwF086322@freefall.freebsd.org>

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security Mon Aug 26 11:22:26 2002
Date: Mon, 26 Aug 2002 14:22:16 -0400
From: Chuck Swiger
To: freebsd-security@FreeBSD.ORG
Subject: List administrivia, was: Re: I Finally got It 2096
In-Reply-To: <20020826173104.GA17012@cowbert.2y.net>

On Monday, August 26, 2002, at 01:31 PM, Peter C. Lai wrote:
> I suppose you want all the spam mail replaced with
> tons of or mail. I occasionally
> send mail to -stable. Do I feel like playing with majordomo
> every time I want to do so? Not unless I'm bored like now :)
> Being bored and looking for a solution on -stable are mutually exclusive.
>

Besides enabling "Restrict posting privilege to list members", it would be nice if the listadmin would also enable "Check postings and intercept ones that seem to be administrative requests". These are standard options for Mailman mailing lists (www.list.org), and result in a lot less junk traffic to the list subscribers.

-Chuck

PS: Yes, I know-- Majordomo isn't Mailman.

Chuck Swiger | chuck@codefab.com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green

From owner-freebsd-security Mon Aug 26 13:51:24 2002
Date: Mon, 26 Aug 2002 16:50:50 -0400
From: "Kriven International"
To: "freebsd-security@freebsd.org"
Subject: Looking for a Contact.
Message-Id: <20020826205113.4EF8343E6A@mx1.FreeBSD.org>

I must apologize for troubling you. I might have a wrong address.

I am looking for a contact in a telecom company in your country.

If you are connected with a telephone / telecom company, I have a business proposition for you and your company.

Please reply and tell me a little about yourself and your company.

Regards,
MK
--= Multipart Boundary 0826021650-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 26 21:21: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 89C8D37B400 for ; Mon, 26 Aug 2002 21:21:04 -0700 (PDT) Received: from mail.npubs.com (npubs.com [207.111.208.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id E890F43E6E for ; Mon, 26 Aug 2002 21:21:03 -0700 (PDT) (envelope-from nielsen@memberwebs.com) From: "Nielsen" To: "Ju Ichi" , "Sam Leffler (at Usenix)" , References: <200208231624.14487.freebsd-security@ichi.net> <006101c24aff$cce8cd00$52557f42@errno.com> <200208261259.15721.freebsd-security@ichi.net> Subject: Re: IPSec SPD limit? MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020827042229.55E0A43B384@mail.npubs.com> Date: Tue, 27 Aug 2002 04:22:29 +0000 (GMT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Well, no the retrieval was what eventually caused us to consider a totally different alternative. We use a second machine now to do the actual ESP/tunnelling. This also made it possible to selectively edit the entries. Loading tens of thousands of entries via setkey each time took too long. Our main router now has tens of thousands of IPFW forward rules which selectively forward traffic through this second ipsec machine. The ipsec machine only needs only the SAD tables and a couple of IPSEC entries to encrypt all traffic going through it. 
Of course if you need a seperate encryption tunnel/transport for each IP/subnet then this won't work properly. Nate > We are able to get the policy loaded by using "setkey -c" with sleep > statements as Nate suggested, but still are getting "recv: Resource > temporarily unavailable" when doing a setkey -DP. Anymore ideas on other > values to up? > > Also, Nate, do you know of a way to dump the poicy with setkey so it all > shows? In other words, using setkey -c we can slow down the rate of putting > entries in, but there doesn't seem to be a way to slow down the rate at which > the policy is dumped. > > Thanks, > Ju To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 26 23:30:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 43BBE37B400 for ; Mon, 26 Aug 2002 23:30:43 -0700 (PDT) Received: from core.zp.ua (core.zp.ua [193.108.112.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id 650AA43E3B for ; Mon, 26 Aug 2002 23:30:41 -0700 (PDT) (envelope-from oleg@core.zp.ua) Received: from core.zp.ua (oleg@localhost [127.0.0.1]) by core.zp.ua with ESMTPœ id g7R6UaU6022744; Tue, 27 Aug 2002 09:30:36 +0300 (EEST) (envelope-from oleg@core.zp.ua)œ Received: (from oleg@localhost) by core.zp.ua id g7R6UYTR022743; Tue, 27 Aug 2002 09:30:34 +0300 (EEST) Message-ID: X-Mailer: XFMail 1.5.2 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=KOI8-R Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: Date: Tue, 27 Aug 2002 09:30:34 +0300 (EEST) Organization: ReIS Ltd. 
From: oleg@reis.zp.ua To: Chuck Swiger Subject: RE: List administrivia, was: Re: I Finally got It 2096 Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 26-Aug-2002 Chuck Swiger wrote: > On Monday, August 26, 2002, at 01:31 PM, Peter C. Lai wrote: >> I suppose you want all the spam mail replaced with >> tons of or mail. I occasionally >> send mail to -stable. Do I feel like playing with majordomo >> every time I want to do so? Not unless I'm bored like now :) >> Being bored and looking for a solution on -stable are mutually >> exclusive. >> > > Besides enabling "Restrict posting privilege to list members", it Think about corporate subscribers. > would be nice if the listadmin would also enable "Check postings > and intercept ones that seem to be administrative requests". These > are standard options for Mailman mailing lists (www.list.org), and > result in a lot less junk traffic to the list subscribers. > > -Chuck > > PS: Yes, I know-- Majordomo isn't Mailman. > > Chuck Swiger | chuck@codefab.com | All your packets are > belong to > us. > > -------------+-------------------+----------------------------------- > "The human race's favorite method for being in control of the > facts > is to ignore them." -Celia Green > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message With best wishes Oleg V. 
Nauman NO37-RIPE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 27 5: 8: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D0CD37B400 for ; Tue, 27 Aug 2002 05:08:00 -0700 (PDT) Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6845143E81 for ; Tue, 27 Aug 2002 05:07:53 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org) Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.5/8.12.5) with ESMTP id g7RAo68C094484 for ; Tue, 27 Aug 2002 11:50:06 +0100 (BST) (envelope-from mark@grimreaper.grondar.org) Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.5/8.12.5/Submit) with UUCP id g7RAo6H3094483 for freebsd-security@freebsd.org; Tue, 27 Aug 2002 11:50:06 +0100 (BST) Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.5/8.12.5) with ESMTP id g7RAnrl5019226 for ; Tue, 27 Aug 2002 11:49:54 +0100 (BST) (envelope-from mark@grimreaper.grondar.org) Message-Id: <200208271049.g7RAnrl5019226@grimreaper.grondar.org> To: freebsd-security@freebsd.org Subject: Administrivia: Discussion - Making this list subscriber-only Date: Tue, 27 Aug 2002 11:49:53 +0100 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Security list members I got an overwhelmingly positive (off-list, thanks!) response to my complaint that this list's signal-to-noise ratio was terrible. Some folks are still replying to spam on list, but the noise figure has dropped significantly. Thank you! I would very much like to make this list subscriber-only. 
This will cut down dramatically on spam and the inevitable misdirected 'subscribe' postings. The downside is that folks will not be able to reply to the list if they receive it via a list redirector (i.e. if a corporate role account/list-alias has been used to subscribe). In this case, those folks would become read-only members (which may in some cases be OK). Other folks would need to subscribe to the list with their 'real' email address.

Comments? Suggestions? (Keep it brief and focussed, folks!)

M
-- 
o Mark Murray
\_
O.\_ Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 5:26:31 2002
Date: Tue, 27 Aug 2002 14:26:23 +0200
From: Bart Matthaei
To: Mark Murray
Cc: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <20020827122623.GC34393@heresy.dreamflow.nl>
In-Reply-To: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>

On Tue, Aug 27, 2002 at 11:49:53AM +0100, Mark Murray wrote:
> Hello Security list members
>
> I got an overwhelmingly positive (off-list, thanks!) response to
> my complaint that this list's signal-to-noise ratio was terrible.
>
> Some folks are still replying to spam on list, but the noise figure
> has dropped significantly. Thank you!
>
> I would very much like to make this list subscriber-only. This will
> cut down dramatically on spam and the inevitable misdirected
> 'subscribe' postings. The downside is that folks will not be able
> to reply to the list if they receive it via a list redirector (i.e.
> if a corporate role account/list-alias has been used to subscribe).
> In this case, those folks would become read-only members (which may
> in some cases be OK). Other folks would need to subscribe to the
> list with their 'real' email address.

I disagree with the idea of making this list subscriber-only. There are people who mail to this list with a single question, and without subscribing to the list. If you make this list subscriber-only, you are forcing these people to subscribe. I personally hate it when I have to subscribe to a list when I only have one single report or question.

If you want to get rid of spam, just get a spamfilter, and stop complaining, because the actual discussion about spam is more annoying than the spam itself.

Cheers,

Bart
-- 
Bart Matthaei bart@dreamflow.nl
Things fall down. People look up. And when it rains, it pours.
From owner-freebsd-security Tue Aug 27 5:32:56 2002
Date: Tue, 27 Aug 2002 13:32:41 +0100
From: Josef Karthauser
To: Mark Murray
Cc: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <20020827123241.GA4807@genius.tao.org.uk>
In-Reply-To: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>

On Tue, Aug 27, 2002 at 11:49:53AM +0100, Mark Murray wrote:
> Hello Security list members
>
> I got an overwhelmingly positive (off-list, thanks!) response to
> my complaint that this list's signal-to-noise ratio was terrible.
>
> Some folks are still replying to spam on list, but the noise figure
> has dropped significantly. Thank you!
>
> I would very much like to make this list subscriber-only. This will
> cut down dramatically on spam and the inevitable misdirected
> 'subscribe' postings. The downside is that folks will not be able
> to reply to the list if they receive it via a list redirector (i.e.
> if a corporate role account/list-alias has been used to subscribe).
> In this case, those folks would become read-only members (which may
> in some cases be OK). Other folks would need to subscribe to the
> list with their 'real' email address.
>
> Comments? Suggestions? (Keep it brief and focussed, folks!)

As I noted in a private mail to you, maybe a regular "list charter/FAQ" could be mailed here. That would be a reminder to the readership of what is and isn't allowed in conversation. I feel that it's worth trying that before closing the list. I've seen it work well in other places.

Joe
-- 
"As far as the laws of mathematics refer to reality, they are not certain; and as far as they are certain, they do not refer to reality."
- Albert Einstein, 1921

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iEYEARECAAYFAj1rcWkACgkQXVIcjOaxUBZHRgCggdJSYsDsCaRNpZeCT1X+w17F
MV4AoIqXh56dcj+qCURR3+Q+sDEKIITh
=siXK
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Aug 27 5:45:21 2002
Date: Tue, 27 Aug 2002 13:44:11 +0100
From: Mark Murray
To: Bart Matthaei
Cc: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-Id: <200208271244.g7RCiBl5019984@grimreaper.grondar.org>
In-Reply-To: <20020827122623.GC34393@heresy.dreamflow.nl>

> > I would very much like to make this list subscriber-only. This will
> > cut down dramatically on spam and the inevitable misdirected
> > 'subscribe' postings. The downside is that folks will not be able
> > to reply to the list if they receive it via a list redirector (i.e.
> > if a corporate role account/list-alias has been used to subscribe).
> > In this case, those folks would become read-only members (which may
> > in some cases be OK). Other folks would need to subscribe to the
> > list with their 'real' email address.
>
> I disagree with the idea of making this list subscriber-only. There
> are people who mail to this list with a single question, and without
> subscribing to the list. If you make this list subscriber-only, you
> are forcing these people to subscribe. I personally hate it when I
> have to subscribe to a list when I only have one single report or
> question.

You are missing the point of the list :-). This is _not_ a questions list. This is a discussions list. If you have a one-off question, there are places to ask it. If you wish to discuss, then there is no problem with subscribing, no?

One-off reports fall into 3 categories: 1) bugs, 2) build problems and 3) critical security holes. Each of these has its place in an existing list: 1) bugs (via send-pr), 2) -current or -stable, 3) security-officer.

> If you want to get rid of spam, just get a spamfilter, and stop
> complaining, because the actual discussion about spam is more annoying
> than the spam itself.

We already have that. Spammers are very inventive when it comes to evading filters.
M
-- 
o Mark Murray
\_
O.\_ Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 6: 4:55 2002
Date: Tue, 27 Aug 2002 09:04:19 -0400
From: Jamie Norwood
To: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <20020827130419.GA6270@mushhaven.net>
In-Reply-To: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>

On Tue, Aug 27, 2002 at 11:49:53AM +0100, Mark Murray wrote:
> I would very much like to make this list subscriber-only. This will
> cut down dramatically on spam and the inevitable misdirected
> 'subscribe' postings. The downside is that folks will not be able
> to reply to the list if they receive it via a list redirector (i.e.
> if a corporate role account/list-alias has been used to subscribe).
> In this case, those folks would become read-only members (which may
> in some cases be OK). Other folks would need to subscribe to the
> list with their 'real' email address.
>
> Comments? Suggestions? (Keep it brief and focussed, folks!)

I don't know how feasible it is with the software used, but NANOG has a setup where there are two kinds of subscriptions, 'read' and 'post'. If you join read, you get all the messages and such, but cannot post. If you join post, you can do just that, but still need to join read to get the messages. This makes it easy for a company to subscribe a role account and have individual employees subscribe to the post list if they want to join the conversations.

Jamie

From owner-freebsd-security Tue Aug 27 6:19: 7 2002
Date: Tue, 27 Aug 2002 09:19:21 -0400
From: Bob K
To: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <3D6B7C59.2070202@yip.org>
References: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>

Mark Murray wrote:
[snip]
> 'subscribe' postings. The downside is that folks will not be able
> to reply to the list if they receive it via a list redirector (i.e.
> if a corporate role account/list-alias has been used to subscribe).
> In this case, those folks would become read-only members (which may
> in some cases be OK). Other folks would need to subscribe to the
> list with their 'real' email address.

Perhaps you could make a 'dummy list' that merely allows people to post to -security, but doesn't actually deliver mail.

From owner-freebsd-security Tue Aug 27 6:21:46 2002
Date: Tue, 27 Aug 2002 15:21:30 +0200
From: Yann Berthier
To: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <20020827132130.GB488@hsc.fr>
In-Reply-To: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>
X-Organization: Herve Schauer Consultants
X-Web: http://www.hsc.fr/

On Tue, 27 Aug 2002, Mark Murray wrote:
> Hello Security list members
>
> I got an overwhelmingly positive (off-list, thanks!) response to
> my complaint that this list's signal-to-noise ratio was terrible.
>
> Some folks are still replying to spam on list, but the noise figure
> has dropped significantly. Thank you!
>
> I would very much like to make this list subscriber-only. This will
> cut down dramatically on spam and the inevitable misdirected
> 'subscribe' postings. The downside is that folks will not be able
> to reply to the list if they receive it via a list redirector (i.e.
> if a corporate role account/list-alias has been used to subscribe).
> In this case, those folks would become read-only members (which may
> in some cases be OK). Other folks would need to subscribe to the
> list with their 'real' email address.

Please go for a subscriber-only list. I am subscribed to a lot of lists having this policy and:
. nobody seems to complain
. the signal / noise ratio is definitely better.
- yann

From owner-freebsd-security Tue Aug 27 6:26:54 2002
Date: Tue, 27 Aug 2002 14:26:45 +0100
From: Matthew Byng-Maddick
To: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
In-Reply-To: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>
Organization: Linux Unlimited

In article <200208271049.g7RAnrl5019226@grimreaper.grondar.org> you write:
>to reply to the list if they receive it via a list redirector (i.e.
>if a corporate role account/list-alias has been used to subscribe).
>In this case, those folks would become read-only members (which may
>in some cases be OK). Other folks would need to subscribe to the
>list with their 'real' email address.
>Comments? Suggestions? (Keep it brief and focussed, folks!)

It would be nice if there were a no-mail feature (like the one Mailman has), as I currently read it gatewayed to a local newsgroup but would occasionally like to contribute, and I don't want all of the mail coming into an inbox as well as to the news gateway (which I don't run).

MBM
-- 
Matthew Byng-Maddick http://colondot.net/

From owner-freebsd-security Tue Aug 27 6:58:22 2002
Date: Tue, 27 Aug 2002 15:57:09 +0200
From: Jens Rehsack
Organization: LiWing IT-Services
To: Mark Murray
Cc: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <3D6B8535.D3E1DB4@liwing.de>
References: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>

Mark Murray wrote:
>
> Hello Security list members
>
> I got an overwhelmingly positive (off-list, thanks!) response to
> my complaint that this list's signal-to-noise ratio was terrible.

For that you should really use a spam filter.

> Some folks are still replying to spam on list, but the noise figure
> has dropped significantly. Thank you!
>
> I would very much like to make this list subscriber-only. This will
> cut down dramatically on spam and the inevitable misdirected
> 'subscribe' postings. The downside is that folks will not be able
> to reply to the list if they receive it via a list redirector (i.e.
> if a corporate role account/list-alias has been used to subscribe).
> In this case, those folks would become read-only members (which may
> in some cases be OK). Other folks would need to subscribe to the
> list with their 'real' email address.
>
> Comments? Suggestions? (Keep it brief and focussed, folks!)

Personally I like the solution on the PHP mailing lists. Everybody can write mail to a list without having to subscribe, but when sending your first ever mail to that list you must allow your address to be validated by responding to an auth request, like when subscribing to the fbsd lists. This allows only validated senders to post but keeps the freedom for all people who want to post. I do not like restricted use. The end doesn't justify the means!

-- 
Jens Rehsack
LiWing IT-Services
Friesenstraße 2
06112 Halle
Tel.: +49 - 3 45 - 5 17 05 91
Fax: +49 - 3 45 - 5 17 05 92
http://www.liwing.de/

From owner-freebsd-security Tue Aug 27 7:25:59 2002
Date: Tue, 27 Aug 2002 10:26:00 -0400 (EDT)
From: Trish Lynch
To: Mark Murray
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
In-Reply-To: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>
Message-ID: <20020827102523.T483-100000@femme.sapphite.org>

On Tue, 27 Aug 2002, Mark Murray wrote:
>
> Comments? Suggestions? (Keep it brief and focussed, folks!)
>
> M

Brief and focused:

Good Plan.

-Trish
-- 
Trish Lynch trish@egobsd.org
Ecartis Core Team
Key fingerprint = B04E 67CA 3A12 9930 E91C 7730 4606 3618 B74A 2493

From owner-freebsd-security Tue Aug 27 8:22:49 2002
Date: Tue, 27 Aug 2002 19:21:13 +0400
From: jcukeng@mail.ru
Reply-To: jcukeng@mail.ru
To: freebsd-security@FreeBSD.ORG
Subject: Re[2]: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <189103381795.20020827192113@mail.ru>
In-Reply-To: <20020827102523.T483-100000@femme.sapphite.org>

Greetings!

Tuesday, August 27, 2002, 6:26:00 PM, you wrote:

TL> On Tue, 27 Aug 2002, Mark Murray wrote:
>>
>> Comments? Suggestions? (Keep it brief and focussed, folks!)
>>
>> M

TL> Brief and focused:
TL> Good Plan.

I think this plan is not so good as it looks at first glance; especially for people who have more than one e-mail address. For example, let us suppose that somebody reads the freebsd-security list both at home and at work but his or her corporation's security policies allow sending e-mail from within only via the corporate mail server and disallow sending e-mail from non-local IPs. So, if this plan turns into reality, this subscriber will be forced to subscribe 2 times.

The idea to check the existence of a 'reply-to' address is not so good either. Everybody can set this to one of the valid e-mail addresses (billgates@microsoft.com :)), and this address will differ from the sender's one.

So, in my opinion, a much better idea looks to be to keep a blacklist of spammers' IPs on, say, mx1.FreeBSD.org, and reject ALL letters from these IPs.
If a spammer builds his rotten business on pestering people, he has no right to ask these people for help :)

-- 
Best regards,
jcukeng

From owner-freebsd-security Tue Aug 27 8:35:39 2002
Date: Tue, 27 Aug 2002 08:35:30 -0700 (PDT)
From: Patrick Cahalan
Subject: Re[2]: Administrivia: Discussion - Making this list subscriber-only
In-Reply-To: <189103381795.20020827192113@mail.ru>
Message-ID: <20020827082846.Q4057-100000@erie.pas.lab>

> So, if this plan turns into reality, this subscriber will be forced
> to subscribe 2 times.

Not necessarily, (s)he can merely subscribe with an email address that is universally accessible and read -security there, or forward their work/home email to the other location and spoof their own email address if they're replying from the "wrong" location.

> So, in my opinion, a much better idea looks to be to keep a blacklist
> of spammers' IPs on, say, mx1.FreeBSD.org, and reject ALL letters
> from these IPs.

What about spammers that don't have static IPs?

I like Mark's idea of making the list subscriber-only. As has been pointed out, it _is_ a discussion list, so people interested in using it should be subscribing.

From owner-freebsd-security Tue Aug 27 8:36:32 2002
Date: Tue, 27 Aug 2002 11:36:28 -0400
From: Gabriel Rocha
To: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <20020827113628.N31401@seul.org>
In-Reply-To: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>; from mark@grondar.za on Tue, Aug 27, 2002 at 11:49:53AM +0100

On Tue, Aug 27, at 11:49AM, Mark Murray wrote:
| Comments? Suggestions? (Keep it brief and focussed, folks!)

I am very much in favor of this idea. Lots of people have spoken up about the reasons not to do this and thus far I have not seen a single reason that goes beyond the "damn you're lazy" or "that is petty" line.
If people want to post to a discussion list, they can well be part of the discussion; otherwise, in my mind, it is a safe (even if not catch-all) assumption that they're going to waste our time in here. Single questions have no place in here unless they are in the context of a discussion already in place. People with too many email addresses need to stop being lazy and organize, and not expect the world to bow down before them because they have failed to do so. People who are forwarded emails from this list, assuming they find such email valuable, can well subscribe and get more valuable emails.

Do we shut out a good number of people with this policy? Probably. Should we care? No. This is a discussion list and those who are not interested in being part of the discussion don't have to subscribe.

My two cents worth.

--Gabe

From owner-freebsd-security Tue Aug 27 9: 4:53 2002
Date: Tue, 27 Aug 2002 20:03:12 +0400
From: jcukeng@mail.ru
Reply-To: jcukeng@mail.ru
To: Mark Murray
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[4]: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <134105900967.20020827200312@mail.ru>
In-Reply-To: <200208271544.g7RFihl5021460@grimreaper.grondar.org>

Hello, FreeBSD people!

Mark,

Tuesday, August 27, 2002, 7:44:43 PM, you wrote:

>> So, if this plan turns into reality, this subscriber will be forced
>> to subscribe 2 times.

MM> Sure? If you are reading at home and at work then are you not already
MM> subscribed twice anyway?

I meant a hypothetical man, not myself :). BTW: ACLs can block SMTP and not block POP3.

MM> reply-to:'s are largely not relevant. "From:" is what gets checked.

You are right.

MM> Spam is not the big problem. Chatter is the big problem.

But not for this list :).

-- 
Best wishes,
jcukeng

From owner-freebsd-security Tue Aug 27 9:29:26 2002
Date: Tue, 27 Aug 2002 09:29:22 -0700 (PDT)
From: Kevin Stevens
Reply-To: Kevin_Stevens@pursued-with.net
To: Yann Berthier
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
In-Reply-To: <20020827132130.GB488@hsc.fr>

On Tue, 27 Aug 2002, Yann Berthier wrote:
> Please go for a subscriber-only list. I am subscribed to a lot of
> lists having this policy and:
> . nobody seems to complain
> . the signal / noise ratio is definitely better.
>
> - yann

You miss the point - nobody seems to complain because the ones who would can no longer post. I would fall into that category a good deal of the time, but am willing to put up with that if it serves the greater good. PITA, though.
KeS

From owner-freebsd-security Tue Aug 27 9:54:55 2002
From: David Olbersen
Date: Tue, 27 Aug 2002 09:53:47 -0700
To: freebsd-security@freebsd.org
Subject: Ports are insecure?
Message-ID: <20020827165347.GA12522@slickness.org>

I read (in this list I think) that somebody was of the opinion that every port installed decreases the security of a machine. How exactly does that work? Is this based in the idea that nearly anybody can contribute a port, but the core system is reviewed by a team?

And, if I'm to believe this and limit my use of ports, doesn't that mean I'll be doing a lot of build-worlding to update specific applications? I'm probably just not understanding all the upgrade paths. Could somebody help me understand?

--
Dave

From owner-freebsd-security Tue Aug 27 9:58:37 2002
From: Chuck Swiger
Date: Tue, 27 Aug 2002 12:58:29 -0400
To: freebsd-security@FreeBSD.ORG
Subject: Re: List administrivia, was: Re: I Finally got It 2096
Message-Id: <360A652A-B9DE-11D6-BCD9-000A27D85A7E@mac.com>

On Tuesday, August 27, 2002, at 02:30 AM, oleg@reis.zp.ua wrote:
> On 26-Aug-2002 Chuck Swiger wrote:
[ ... ]
>> Besides enabling "Restrict posting privilege to list members"...
>
> Think about corporate subscribers.

I have. When legitimate members of the list want to post from multiple email addresses, all they need to do is subscribe from each mail address, but disable the list from mailing to all but the account they want the list traffic to go to. Or receive digests at one account and individual messages at another, or any other combination, as you please.

For example, I'm subscribed to CodeFab-internal lists from both and , so I can post from either, yet I only _receive_ CodeFab list traffic at my corporate mail account. YMMV.

----
Bart Matthaei wrote:
> If you make this list subscriber-only, you are forcing these people to subscribe.

No, posts from non-subscribers can simply be held for the listadmin to review.

Non-subscribers might have their messages delayed a bit until their message is approved (or rejected), but that shouldn't matter much if most people intend to read the list instead of only posting to it.

-Chuck "trying-to-be-brief" Swiger

From owner-freebsd-security Tue Aug 27 10:05:16 2002
From: Erick Mechler
Date: Tue, 27 Aug 2002 10:05:08 -0700
To: David Olbersen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Ports are insecure?
Message-ID: <20020827170508.GI90157@techometer.net>
In-Reply-To: <20020827165347.GA12522@slickness.org>

:: I read (in this list I think) that somebody was of the opinion that
:: every port installed decreases the security of a machine.

I'm not sure I would go that far, but I would say that for every network port you have open, the amount of admin time does increase. In a way it does make it more insecure, but only if you don't keep up with security upgrades, patches, etc.
:: How exactly does that work? Is this based in the idea that nearly
:: anybody can contribute a port, but the core system is reviewed by a
:: team?

Not just anybody can contribute to a FreeBSD port entry; the commit still has to be done by an authorized committer. However, it's true that just about anybody's software package can become a port, so if you just blindly start installing ports, you might, on rare occasions, install a piece of software that's been trojaned (take the recent OpenSSH trojan for example).

I hope (maybe) this addressed some of your questions :) If you have more questions about the ports system, I'd check out the relevant section of the Handbook: http://www.freebsd.org/doc/handbook/ports.html

Cheers - Erick

From owner-freebsd-security Tue Aug 27 11:03:10 2002
From: "Jeremy Suo-Anttila"
Date: Tue, 27 Aug 2002 13:08:54 -0500
Subject: Linux_Base marked as forbidden. Anyone know when this will be resolved?
In-Reply-To: <20020827082846.Q4057-100000@erie.pas.lab>

I cvsup'd and was about to install the latest linux_base and I found this. Anyone know when this will be resolved? I have a few machines that are using linux_base7.1 and I would like to upgrade them ASAP.

[root@mortus]/usr/ports/emulators/linux_base% make
===> linux_base-7.1 is forbidden: security bugs--see and .
[root@mortus]/usr/ports/emulators/linux_base%

Thanks
Jeremy Suo-Anttila
jps@funeralexchange.com

From owner-freebsd-security Tue Aug 27 11:07:22 2002
From: Jens Rehsack
Date: Tue, 27 Aug 2002 20:06:01 +0200
Message-ID: <3D6BBF89.F3A028@liwing.de>
To: Mark Murray
Cc: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
References: <3D6B8535.D3E1DB4@liwing.de> <200208271536.g7RFail5021355@grimreaper.grondar.org>

Mark Murray wrote:
> > > I got an overwhelmingly positive (off-list, thanks!) response to my
> > > complaint that this list's signal-to-noise ratio was terrible.
> >
> > For that you should really use a spam filter.
>
> Spam is a small part of the problem. A much larger part is off-topic
> chatter.
>
> > > Comments? Suggestions? (Keep it brief and focussed, folks!)
> >
> > Personally I like the solution on PHP mailing lists. Everybody can
> > write mail to a list without having to subscribe. But before sending
> > the first ever mail to that list you must! allow validating your address
> > by responding to an auth request like when subscribing to fbsd lists.
>
> How will that stop off-topic chatter?

Never. But neither does your way. I'm subscribed and I answer your off-topic post. So we both are the off-topic chatterers you want to stop. Sure?

> > This allows validated senders only to post but keeps freedom to all
> > people who want to post.
>
> _Less_ freedom is actually needed. It is precisely that freedom which
> has allowed the list to become a question-and-answer (or HOWTO) list
> that has dropped the signal value so badly.

Pardon, but IMHO this list is read by "security experts". So if I have a security related question, I ask here. I'm a good developer, I have much knowledge 'bout secure programming and know how to protect my box enough from stupids. But on the one hand there are many people who have much less knowledge of security than me, and on the other hand a lot of gurus compared to me.

What I want to say with that: What is a stupid question to me or not security related or sth. else may be important to others with other kinds of thoughts. What sort of guys will we be if we judge 'bout the security relevance of a posting? So I cannot follow your way to close this list. If you want to have a private list, why don't you found your own one?

> > I do not like restricted use. The end doesn't justify the means!
>
> Depends on the "end". Here I mean a dramatic drop in newbie questions

Who decides what's a newbie question and what's not? You? Me? Santa Claus? And everyone started on a small ground... - that's the way.

> and a consequent increase in the technical content/discussion ratio. I
> also hope to attract back the security gurus, and thus further improve
> the signal content.

This will not work. Let me explain what I believe such a list is for: I think some people found a list for security related discussions to make it much easier to help each other. Over the months and years the original gurus are getting better and better while the quality of the list is in everyone's mouth. So some more guys and girls are subscribing to participate in every hint, and a lot of stressed people are just asking sth. and discussing just a small (personally preferred) problem, an idea, sth. else. And some of the gurus get bored, but many new guru candidates subscribed, helped, talked and - sometimes - chatted 'bout security (I remember an obfuscation discussion not long ago).

So in my opinion this list is good just as it is. If you are much more experienced and wiser, you have two choices. Go away to a wisdom / guru list or stay (what we all prefer) and let us have part of your wisdom.

I do not want to defend idiots, but - please - there is a difference between a newbie (what I could be in the eyes of many) and idiots / torks.

Kind regards
Jens

> M
> --
> o Mark Murray
> \_
> O.\_ Warning: this .sig is umop ap!sdn

--
Jens Rehsack
LiWing IT-Services
Friesenstraße 2
06112 Halle
Tel.: +49 - 3 45 - 5 17 05 91
Fax: +49 - 3 45 - 5 17 05 92
http://www.liwing.de/

From owner-freebsd-security Tue Aug 27 11:28:32 2002
From: Pat Lashley
Date: Tue, 27 Aug 2002 11:27:57 -0700
To: Mark Murray, freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <1826220000.1030472877@mccaffrey.phoenix.volant.org>
In-Reply-To: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>

--On Tuesday, August 27, 2002 11:49:53 AM +0100 Mark Murray wrote:

> I would very much like to make this list subscriber-only. This will
> cut down dramatically on spam and the inevitable misdirected
> 'subscribe' postings. The downside is that folks will not be able
> to reply to the list if they receive it via a list redirector (IE
> if a corporate role account/list-alias has been used to subscribe).
> In this case, those folks would become read-only members (which may
> in some cases be OK). Other folks would need to subscribe to the
> list with their 'real' email address.

One of the things I really like about Mailman is that it is easy for subscribers to set a 'no-deliver' flag. This is by far the easiest way for a user to handle posts from multiple addresses or posting from a redirector list. (I have one mailing list to which I'm subscribed under five different addresses. Only one receives posts from the list.)

-Pat

From owner-freebsd-security Tue Aug 27 11:58:26 2002
From: Y S
Date: Tue, 27 Aug 2002 11:58:16 -0700 (PDT)
To: freebsd-security@FreeBSD.ORG
Subject: IPsec tunnel between XP and FreeBSD
Message-ID: <20020827185816.91283.qmail@web12903.mail.yahoo.com>

I am trying to set up an IPsec tunnel between an XP client and a FreeBSD box. Seems the Phase 2 Exchange doesn't work.

My setup:

Windows XP (10.10.10.6):

ipseccmd -f 10.10.10.6=* -t 10.10.10.20 -n esp[3des,md5] -a preshare:"xxx" -1s 3des-md5-2 -1p

FreeBSD (10.10.10.20):

SPD:

10.10.10.6[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/10.10.10.6-10.10.10.20/require
        spid=7 seq=1 pid=565
        refcnt=1
0.0.0.0/0[any] 10.10.10.6[any] any
        out ipsec
        esp/tunnel/10.10.10.20-10.10.10.6/require
        spid=8 seq=0 pid=565
        refcnt=1

racoon conf:

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
padding
{
 maximum_length 20; # maximum padding length.
 randomize off;  # enable randomize length.
 strict_check off; # enable strict check.
 exclusive_tail off; # extract last one octet.
}

timer
{
 # These value can be changed per remote node.
 counter 5;  # maximum trying count to send.
 interval 20 sec; # maximum interval to resend.
 persend 1;  # the number of packets per a send.

 # timer for waiting to complete each phase.
 phase1 90 sec;
 phase2 60 sec;
}

remote anonymous
{
 exchange_mode main;
 doi ipsec_doi;
 situation identity_only;

 nonce_size 16;
 lifetime time 4 hour; # sec,min,hour
 initial_contact on;
 support_mip6 on;
 proposal_check obey; # obey, strict or claim

 proposal {
  encryption_algorithm 3des;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group 2 ;
 }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}

The racoon dump file (60K) may be too big for the email. Looks like the only ERROR lines are:

---------------------------------------------------------------------
.......
2002-08-26 19:10:26: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
2002-08-26 19:10:26: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=8(hash)
2002-08-26 19:10:26: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=11(notify)
2002-08-26 19:10:26: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
2002-08-26 19:10:26: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
2002-08-26 19:10:26: DEBUG: isakmp_inf.c:798:isakmp_info_recv_n(): notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
2002-08-26 19:10:37: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-26 19:10:37: DEBUG2: plog.c:193:plogdump():
......
2002-08-26 19:11:20: DEBUG: pfkey.c:1503:pk_recvacquire(): ignore the acquire becuase ph2 found
2002-08-26 19:11:26: ERROR: pfkey.c:738:pfkey_timeover(): 10.10.10.6 give up to get IPsec-SA due to time up to wait.
2002-08-26 19:11:26: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted.
.......
------------------------------------------------------------------------------------

I don't know why Windows sends an INVALID-ID-INFORMATION. Looks like that causes the Quick mode SA establishment to fail? Any suggestion? Thanks a lot!

(btw, transparent mode XP <-> freebsd and tunnel mode freebsd -> freebsd go pretty well)

Sunny
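Added example (not from Sunny's post and not racoon's own code): a Python triage script that parses racoon log lines in the format quoted above, decodes the notify payload's DOI protocol number, and flags the pattern seen in the post, an INVALID-ID-INFORMATION notify against ESP followed by a pfkey_timeover. In IKEv1 that notify means the responder rejected the identities (traffic selectors) offered in quick mode, so the verdict points at comparing the SPD selectors with the peer's filter; the sample lines are constructed after the ones quoted, and the thread itself does not settle the fix.

```python
import re
from collections import namedtuple

# Constructed sample: the lines mirror the racoon debug output quoted in the
# post above (same format, same messages), trimmed to the ones that matter.
SAMPLE_LOG = """\
2002-08-26 19:10:26: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=11(notify)
2002-08-26 19:10:26: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
2002-08-26 19:10:26: DEBUG: isakmp_inf.c:798:isakmp_info_recv_n(): notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=00000000(size=4).
2002-08-26 19:10:37: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2002-08-26 19:10:37: DEBUG2: plog.c:193:plogdump():
2002-08-26 19:11:26: ERROR: pfkey.c:738:pfkey_timeover(): 10.10.10.6 give up to get IPsec-SA due to time up to wait.
"""

# racoon log line: "<date> <time>: <LEVEL>: <file>:<line>:<func>(): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>[A-Z0-9]+): "
    r"(?P<file>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\):\s?(?P<msg>.*)$"
)
# ISAKMP notify as racoon prints it: "notification message <code>:<NAME>, doi=.. proto_id=.. spi=.."
NOTIFY_RE = re.compile(
    r"notification message (?P<code>\d+):(?P<name>[A-Z-]+), doi=(?P<doi>\d+) "
    r"proto_id=(?P<proto>\d+) spi=(?P<spi>[0-9a-fA-F]+)"
)
TIMEOVER_RE = re.compile(r"^(?P<peer>\d+\.\d+\.\d+\.\d+) give up to get IPsec-SA")

# IPsec DOI protocol identifiers carried in a notify payload (RFC 2407, 4.4.1).
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

Entry = namedtuple("Entry", "ts level file lineno func msg")


def parse_log(text):
    """Parse racoon log text into Entry tuples; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["level"], m["file"],
                                 int(m["lineno"]), m["func"], m["msg"]))
    return entries


def diagnose(entries):
    """Summarise IKE notifications and IPsec-SA timeouts found in parsed entries."""
    report = {"notifies": [], "orphan_notifies": 0, "timeouts": [],
              "verdict": "no phase-2 failure seen"}
    for e in entries:
        # racoon could not match the notify to a quick-mode exchange it knows
        if "no phase2 handle found" in e.msg:
            report["orphan_notifies"] += 1
        n = NOTIFY_RE.search(e.msg)
        if n:
            report["notifies"].append({
                "ts": e.ts,
                "code": int(n["code"]),
                "name": n["name"],
                "proto": PROTO_NAMES.get(int(n["proto"]), "proto_id=" + n["proto"]),
                "spi": n["spi"],
            })
        t = TIMEOVER_RE.match(e.msg)
        if t and e.func == "pfkey_timeover":
            report["timeouts"].append(t["peer"])
    # An INVALID-ID-INFORMATION notify against ESP/AH (not ISAKMP) means the
    # peer rejected the identities (traffic selectors) proposed in quick mode.
    id_rejects = [n for n in report["notifies"]
                  if n["name"] == "INVALID-ID-INFORMATION" and n["proto"] in ("ESP", "AH")]
    if id_rejects and report["timeouts"]:
        report["verdict"] = ("phase 2 rejected by peer (%s for %s); IPsec-SA for %s timed out: "
                             "compare the SPD selectors with the peer's filter"
                             % (id_rejects[0]["name"], id_rejects[0]["proto"],
                                report["timeouts"][0]))
    elif report["timeouts"]:
        report["verdict"] = "IPsec-SA negotiation timed out for " + ", ".join(report["timeouts"])
    return report


if __name__ == "__main__":
    rep = diagnose(parse_log(SAMPLE_LOG))
    for n in rep["notifies"]:
        print("%s notify %d %s proto=%s spi=%s" % (n["ts"], n["code"], n["name"], n["proto"], n["spi"]))
    print(rep["verdict"])
```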

From owner-freebsd-security Tue Aug 27 11:59:28 2002
From: "Peter C. Lai"
Date: Tue, 27 Aug 2002 14:59:23 -0400
To: Chuck Swiger
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: List administrivia, was: Re: I Finally got It 2096
Message-ID: <20020827185923.GA17201@cowbert.2y.net>
In-Reply-To: <360A652A-B9DE-11D6-BCD9-000A27D85A7E@mac.com>

On Tue, Aug 27, 2002 at 12:58:29PM -0400, Chuck Swiger wrote:
> No, posts from non-subscribers can simply be held for the listadmin to
> review.
>
> Non-subscribers might have their messages delayed a bit until their
> message is approved (or rejected), but that shouldn't matter much if most
> people intend to read the list instead of only posting to it.
>

Are you volunteering yourself to be the aforementioned 'listadmin' that screens every unsubscriber's attempted post to this list? Or are you willing to sponsor one?
No one on the security team currently would have 'time' to sort out spam
from non-spam in the review queue.

> -Chuck "trying-to-be-brief" Swiger

--
Peter C. Lai
University of Connecticut Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
Yale University School of Medicine Center for Medical Informatics | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Tue Aug 27 12:13:07 2002
From: Garrett Wollman
To: Mark Murray
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 27 Aug 2002 15:12:59 -0400 (EDT)
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-Id: <200208271912.g7RJCxu0053547@khavrinen.lcs.mit.edu>
In-Reply-To: <200208271244.g7RCiBl5019984@grimreaper.grondar.org>
References: <20020827122623.GC34393@heresy.dreamflow.nl> <200208271244.g7RCiBl5019984@grimreaper.grondar.org>

< said:
> This is _not_ a questions list. This is a discussions list. If you have
> a one-off question, there are places to ask it. If you wish to discuss,
> then there is no problem with subscribing, no?

Yes. The address under which I'm subscribed is not necessarily the same
as the one(s) under which I post.

-GAWollman

From owner-freebsd-security Tue Aug 27 12:23:04 2002
From: Jens Rehsack
Organization: LiWing IT-Services
To: Mark Murray
Cc: freebsd-security@freebsd.org
Date: Tue, 27 Aug 2002 21:21:41 +0200
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <3D6BD145.C1991051@liwing.de>
References: <3D6BBF89.F3A028@liwing.de> <200208271849.g7RInvl5022584@grimreaper.grondar.org>

Mark Murray wrote:
>
> > > How will that stop off-topic chatter?
> >
> > Never. But neither does your way. I'm subscribed and I answer your
> > off-topic post. So we both are the off-topic chatters you want to stop.
> > Sure?
>
> :-)
>
> I am conducting this discussion under the "Administrativia" flag, so
> while it may be off-topic, it is of indirect-but-important relevance
> to the list.
>
> This is a focussed discussion that will cease abruptly when a conclusion
> is reached (hopefully!).
>
> > > This allows only validated senders to post but keeps freedom for all
> > > people who want to post.
>
> > > _Less_ freedom is actually needed. It is precisely that freedom which
> > > has allowed the list to become a question-and-answer (or HOWTO) list
> > > that has dropped the signal value so badly.
> >
> > Pardon, but IMHO this list is read by "security experts". So if I have
> > a security related question, I ask here. I'm a good developer, I have
> > much knowledge 'bout secure programming and know how to protect my box
> > enough against stupids. But on the one hand there are many people who
> > have much less knowledge of security than me and on the other hand a lot
> > of gurus compared to me.
>
> Most of the real FreeBSD security experts avoid this list (or treat it
> as a "scan-only" list). The reason for this is the treatment of the
> list as "newbie questions welcome". That is not the original purpose
> of the list.

But it's a public list with sponsors from industry and persons...

> > What I want to say with that: What is a stupid question to me or not
> > security related or sth. else may be important to others with other kinds
> > of thoughts. What sort of guys will we be if we judge 'bout the security
> > relevance of a posting?
>
> Fair question (if I understand you correctly).
> Relevant:
> o Policy issues
> o Security bug details or fixes to security holes.
> o Experience of effective defences, including documentation of known
> problems.
> o Interesting security-related code.
> ... etc.
> Off-topic:
> o Any common sysadmin task.

May be ok, may not. Depends on the "common" of the task. If it's "so"
common, someone could add it to the FAQ or handbook, couldn't someone?

> o "Which should I use FOO, or BAR?"

I have seen many questions like "Should I use ipfilter or ipfirewall?",
and those questions really have some reason:
a) Neither IPFilter nor IPFirewall is really well documented.
   It takes a lot of experience and "wisdom" to know hints for use
   in special situations.
   But - in that case - there should be a "security-questions" list.
b) Very few people know that both filters can coexist.

> o Any topic which is more relevant to another list.

Who decides that? On which rules? I think a collective reply with the
right list could help more.

> o Spam, or replies to spam.

This could be managed using
a) spam filter for the list (what would be done already)
b) spam filter (rtbl) at your gateway
c) auth-requests on first post

> ... etc.
>
> > So I cannot follow your way to close this list. If you want to have a
> > private list, why don't you found your own one?
>
> I don't want a private list. I want a high-signal freebsd-specific one.

So a good thing would be a security-questions list. Newbies can ask there
and the "high-signal" R.I.P. Sounds a little bit ok to me...
But: if someone found the list address, (s)he had read some manual before.
So there's a place where some rules could be noted...

> > > Depends on the "end". Here I mean a dramatic drop in newbie questions
> >
> > Who decides what's a newbie question and what's not? You? Me? Santa Claus?
> > And everyone started on a small ground... - that's the way.
>
> There are places for newbie questions. This is not it. The list

Not for newbie-security-related. When I was new I was happy 'bout the
security-list.

> sort-of evolved towards this, and as this happened, the guru-factor
> dropped, and the question-factor rose. The list is now a low-signal
> duplicate of -questions/-newbies.

That's not really true, but I see what you mean. But if you ask me for my
real opinion: Add all things you don't want asked anymore to the
faq/doc/handbook and (let) commit it. So in 6 months those things aren't
asked anymore... It's a more friendly way ...

> > > and a consequent increase in the technical content/discussion
> > > ratio. I also hope to attract back the security gurus, and thus
> > > further improve the signal content.
> >
> > This will not work. Let me explain what I believe such a list
> > is for: I think some people found a list for security related
> > discussions to make it much easier to help each other. Over the
> > months and years the original gurus are getting better and better
> > while the quality of the list is in everyone's mouth. So some more
> > guys and girls are subscribing to participate in every hint and a
> > lot of stressed people are just asking sth. and discuss just a small
> > (personal preferred) problem, an idea, sth. else.
>
> -Questions is a "help-each-other" list. So is USENET. We don't need
> any more, and unfortunately over time some folks have gotten used
> to this status quo. This may seem harsh, but such folks have a
> little unlearning to deal with. Sorry! :-)

I think that -questions is a freebsd related "help-each-other" list.
A security related one is missing at the moment. Remember: the usenet
has many categories, too.

> > And some of the gurus get bored, but many new guru candidates
> > subscribed, helped, talked and - sometimes - chatted 'bout security (I
> > remember an obfuscation discussion not long ago).
>
> The fact that some time in the past, this may have worked for individuals
> is, erm, unfortunate. I can go to extremes ("Theft works for robbers" etc),
> but I think you may understand me if I say the means does not justify
> the ends.
>
> > So in my opinion this list is good just as is.
> > If you are much more
> > experienced and wiser you have two choices. Go away to a wisdom /
> > guru list or stay (what we all prefer) and let us have part of your
> > wisdom.
>
> You are welcome to stay, you are welcome to read. Please understand that
> I don't want you to go away; I want you to accept a higher signal ratio,
> and I want you to not (unwittingly) contribute to the noise :-)

Of course, but please understand me if I say: let the other ones follow us.
But I think (after that discussion) a -security-questions is necessary.
Using force is not a solution for the world, just for small numbers of people.
Give 'em a chance.

> > I do not want to defend idiots, but - please - there is a difference
> > between newbie (what I could be in the eyes of many) and idiots /
> > torks.
>
> Let's not get extreme - we mostly agree. Let's see how this initiative
> pans out.

Agreed.

> M
> --
> o Mark Murray
> \_
> O.\_ Warning: this .sig is umop ap!sdn

--
Jens Rehsack
LiWing IT-Services
Friesenstraße 2
06112 Halle
Tel.: +49 - 3 45 - 5 17 05 91
Fax: +49 - 3 45 - 5 17 05 92
http://www.liwing.de/

From owner-freebsd-security Tue Aug 27 12:23:18 2002
From: Ken McGlothlen
To: Mark Murray
Cc: Bart Matthaei, freebsd-security@freebsd.org
Date: 27 Aug 2002 12:23:20 -0700
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <86hehgw1g7.fsf@ralf.artlogix.com>
In-Reply-To: <200208271244.g7RCiBl5019984@grimreaper.grondar.org>
References: <20020827122623.GC34393@heresy.dreamflow.nl> <200208271244.g7RCiBl5019984@grimreaper.grondar.org>

Mark Murray writes:

| We already have that. Spammers are very inventive when it comes to evading
| filters.

And ultimately, filters are not a good solution. They're easily defeatable,
and the more stringent you make the filter, the more false positives you get.

The only way to really deal with it is social engineering, and in general,
that means blocking SMTP traffic from problematic hosts. The downside is that
many of our South Korean, Chinese and Brazilian participants would no longer
be able to submit mail until their ISPs start implementing anti-spam policies
and secure their servers. And when their mail is blocked, people complain to
their ISPs. But that's a good thing---the more responsible ISPs out there,
the better. I have no problem removing blocks when ISPs become responsible
netizens.

I'm even willing to donate my blocklist to the FreeBSD group. It's pretty
aggressive, mind you, but I'm pretty vigilant about trying hard not to block
legitimate traffic. (This is occasionally a problem. For example, bn.com
recently switched their mail lists over to doubleclick.net, which I've had
spamming problems with in the past. So I no longer get bn.com stuff---but
hopefully, bn.com will start using another provider, and then it won't be a
problem. And if not, oh, well.)
I update it regularly.

I also think rather highly of the following RBLs:

    whois.rfc-ignorant.org
    ipwhois.rfc-ignorant.org
    formmail.relays.monkeys.com
    relays.ordb.org
    bl.spamcop.net

My Postfix installation checks my own blocklist first, and then falls back
to the RBLs listed above.

From owner-freebsd-security Tue Aug 27 12:40:29 2002
From: Ken McGlothlen
To: peter.lai@uconn.edu
Cc: Chuck Swiger, freebsd-security@FreeBSD.ORG
Date: 27 Aug 2002 12:40:45 -0700
Subject: Re: List administrivia, was: Re: I Finally got It 2096
Message-ID: <86bs7ow0n6.fsf@ralf.artlogix.com>
In-Reply-To: <20020827185923.GA17201@cowbert.2y.net>
References: <360A652A-B9DE-11D6-BCD9-000A27D85A7E@mac.com> <20020827185923.GA17201@cowbert.2y.net>

"Peter C. Lai" writes:

| Are you volunteering yourself to be the aforementioned 'listadmin' that
| screens every unsubscriber's attempted post to this list? Or are you willing
| to sponsor one?
| No one on the security team currently would have 'time' to
| sort out spam from non-spam in the review queue.

I'm certainly willing to moderate. The thing is, could the list put up with
several-hour delays while I sleep?

I suspect a pool of moderators would be a viable solution. And I'm willing to
participate in that.

From owner-freebsd-security Tue Aug 27 12:42:31 2002
From: Colin Faber
Organization: fpsn.net, Inc.
To: Bart Matthaei
Cc: Mark Murray, freebsd-security@FreeBSD.ORG
Date: Tue, 27 Aug 2002 13:41:22 -0600
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <3D6BD5E2.F64D7161@fpsn.net>
References: <200208271049.g7RAnrl5019226@grimreaper.grondar.org> <20020827122623.GC34393@heresy.dreamflow.nl>

Bart Matthaei wrote:
>
> On Tue, Aug 27, 2002 at 11:49:53AM +0100, Mark Murray wrote:
> > Hello Security list members
> >
> > I got an overwhelmingly positive (off-list, thanks!) response to
> > my complaint that this list's signal-to-noise ratio was terrible.
> >
> > Some folks are still replying to spam on list, but the noise figure
> > has dropped significantly. Thank you!
> >
> > I would very much like to make this list subscriber-only. This will
> > cut down dramatically on spam and the inevitable misdirected
> > 'subscribe' postings. The downside is that folks will not be able
> > to reply to the list if they receive it via a list redirector (IE
> > if a corporate role account/list-alias has been used to subscribe).
> > In this case, those folks would become read-only members (which may
> > in some cases be OK). Other folks would need to subscribe to the
> > list with their 'real' email address.
>
> I disagree with the idea of making this list subscriber-only. There
> are people who mail to this list with a single question, and without
> subscribing to the list. If you make this list subscriber-only, you
> are forcing these people to subscribe. I personally hate it when I
> have to subscribe to a list when I only have one single report or
> question.
>

No, this is not true. An alternative portal such as a CGI system which can
post to the list could be used for such a task. Yes, I know you can still
exploit a system like this to spam the list; however, your average idiot
spammer isn't going to know this, or even bother to look into it.

> If you want to get rid of spam, just get a spamfilter, and stop
> complaining, because the actual discussion about spam is more annoying
> than the spam itself.

Spam filters can be an effective way of blocking spam; they also can
effectively block non-spam related postings, resulting in false positives.

Required subscription to use a free service isn't the worst thing in the
world and it's a far better solution than simply continuing to allow the
daily junk mail we've all seen over the last 6 to 8 months. Plus the fact
that the junk mail itself is going up overall.
>
> Cheers,
>
> Bart
>
> --
> Bart Matthaei bart@dreamflow.nl
>
> Things fall down. People look up. And when it rains, it pours.
>

--
Colin Faber (303) 736-5160
fpsn.net, Inc.
* Black holes are where God divided by zero. *

From owner-freebsd-security Tue Aug 27 12:47:25 2002
From: Mark Murray
To: Jens Rehsack
Cc: freebsd-security@freebsd.org
Date: Tue, 27 Aug 2002 20:40:21 +0100
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-Id: <200208271940.g7RJeLl5023113@grimreaper.grondar.org>
In-Reply-To: <3D6BD145.C1991051@liwing.de> ; from Jens Rehsack "Tue, 27 Aug 2002 21:21:41 +0200."

> > Most of the real FreeBSD security experts avoid this list (or treat it
> > as a "scan-only" list). The reason for this is the treatment of the
> > list as "newbie questions welcome". That is not the original purpose
> > of the list.
>
> But it's a public list with sponsors from industry and persons...

Sure. I'm not stopping folks from reading the list. I'm trying to stop
lots of the unnecessary _posting_.

> > o Any common sysadmin task.
>
> May be ok, may not. Depends on the "common" of the task. If it's "so"
> common, someone could add it to the FAQ or handbook, couldn't someone?

Indeed! :-) This is desperately needed.

> > o "Which should I use FOO, or BAR?"
>
> I have seen many questions like "Should I use ipfilter or ipfirewall?",
> and those questions really have some reason:
> a) Neither IPFilter nor IPFirewall is really well documented.
>    It takes a lot of experience and "wisdom" to know hints for use
>    in special situations.
>    But - in that case - there should be a "security-questions" list.
> b) Very few people know that both filters can coexist.

Right. This is a problem that needs to be fixed in its own right. Would
you like to volunteer to provide some basic documentation? (I can see
that English is not your first language. If you provide something that
is factually correct (ignoring any English problems), we have a Zillion
folks who can fix the English and will commit for you.)

> > o Any topic which is more relevant to another list.
>
> Who decides that? On which rules? I think a collective reply with the
> right list could help more.

Fair question. List-clarifying FAQs are good.

> > o Spam, or replies to spam.
>
> This could be managed using
> a) spam filter for the list (what would be done already)
> b) spam filter (rtbl) at your gateway
> c) auth-requests on first post

I'll see how the list goes. I'm prepared to do all-or-any of the above.

> > > So I cannot follow your way to close this list. If you want to have a
> > > private list, why don't you found your own one?
> >
> > I don't want a private list. I want a high-signal freebsd-specific one.
>
> So a good thing would be a security-questions list. Newbies can ask there
> and the "high-signal" R.I.P. Sounds a little bit ok to me...

Hmm. Most gurus will avoid it, and I suspect it will become a duplicate
of freebsd-questions.

> But: if someone found the list address, (s)he had read some manual before.
> So there's a place where some rules could be noted...

FAQ fixes are the real answer.

> > > Who decides what's a newbie question and what's not? You? Me? Santa
> > > Claus? And everyone started on a small ground... - that's the
> > > way.
> >
> > There are places for newbie questions. This is not it. The list
>
> Not for newbie-security-related. When I was new I was happy 'bout the
> security-list.

Sure. Ends do not justify means. A robber is happy with his income :-)

> > sort-of evolved towards this, and as this happened, the guru-factor
> > dropped, and the question-factor rose. The list is now a low-signal
> > duplicate of -questions/-newbies.
>
> That's not really true, but I see what you mean. But if you ask me
> for my real opinion: Add all things you don't want asked anymore to
> the faq/doc/handbook and (let) commit it. So in 6 months those things
> aren't asked anymore... It's a more friendly way ...

OK - you have a deal! If you annoy us properly by submitting enough
good-quality documentation upgrades, I'll punish you by a) ensuring they
are committed, and b) if enough of them come, ensuring that you can
commit them your damn self ;-)

> > -Questions is a "help-each-other" list. So is USENET. We don't need
> > any more, and unfortunately over time some folks have gotten used
> > to this status quo. This may seem harsh, but such folks have a
> > little unlearning to deal with. Sorry! :-)
>
> I think that -questions is a freebsd related "help-each-other" list.
> A security related one is missing at the moment. Remember: the usenet
> has many categories, too.

Maybe. Let's see how this goes, and we'll adapt as we go. OK? :-)

> > You are welcome to stay, you are welcome to read. Please understand that
> > I don't want you to go away; I want you to accept a higher signal ratio,
> > and I want you to not (unwittingly) contribute to the noise :-)
>
> Of course, but please understand me if I say: let the other ones follow us.
> But I think (after that discussion) a -security-questions is necessary.
> Using force is not a solution for the world, just for small numbers of people.
> Give 'em a chance.

I suspect we may be able to drop the noise below the signal if we do it
properly.

M
--
o Mark Murray
\_
O.\_ Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 12:54:19 2002
From: Mark Murray
To: David Olbersen
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 27 Aug 2002 20:21:54 +0100
Subject: Re: Ports are insecure?
Message-Id: <200208271921.g7RJLsl5022865@grimreaper.grondar.org>
In-Reply-To: <20020827165347.GA12522@slickness.org> ; from David Olbersen "Tue, 27 Aug 2002 09:53:47 PDT."

> How exactly does that work? Is this based in the idea that nearly
> anybody can contribute a port, but the core system is reviewed by a
> team?

I'm not sure where you read this, but as a general security principle,
this is true. The more you run, the more there is to go wrong and the
more there is to exploit.

In practical terms, do regular audits of your machine (look at the output
of "netstat -an", "sockstat" and so on) and try to understand your own
environment. Understand that the prime question is not "Am I being
paranoid?", but "Am I being paranoid _Enough_?"

> And, if I'm to believe this and limit my use of ports, doesn't that mean
> I'll be doing a lot of build-worlding to update specific applications?

There is no silver bullet, there is no algorithm. Swallow a paranoia-pill
and start hunting. What you do on your own nets is your business - take
charge.

M

(Any volunteers to maintain a FAQ? This is a doozy.)
-- o Mark Murray \_ O.\_ Warning: this .sig is umop ap!sdn To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 27 12:54:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 86AB137B407 for ; Tue, 27 Aug 2002 12:54:39 -0700 (PDT) Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0575443E81 for ; Tue, 27 Aug 2002 12:53:32 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org) Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.5/8.12.5) with ESMTP id g7RJPFMA098891; Tue, 27 Aug 2002 20:25:15 +0100 (BST) (envelope-from mark@grimreaper.grondar.org) Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.5/8.12.5/Submit) with UUCP id g7RJPFn7098890; Tue, 27 Aug 2002 20:25:15 +0100 (BST) Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.5/8.12.5) with ESMTP id g7RJNjl5022896; Tue, 27 Aug 2002 20:23:45 +0100 (BST) (envelope-from mark@grimreaper.grondar.org) Message-Id: <200208271923.g7RJNjl5022896@grimreaper.grondar.org> To: Chuck Swiger Cc: freebsd-security@FreeBSD.ORG Subject: Re: List administrivia, was: Re: I Finally got It 2096 References: <360A652A-B9DE-11D6-BCD9-000A27D85A7E@mac.com> In-Reply-To: <360A652A-B9DE-11D6-BCD9-000A27D85A7E@mac.com> ; from Chuck Swiger "Tue, 27 Aug 2002 12:58:29 EDT." 
Date: Tue, 27 Aug 2002 20:23:45 +0100
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Non-subscribers might have their messages delayed a bit until their
> message is approved (or rejected), but that shouldn't matter much if most
> people intend to read the list instead of only posting to it.

Aha! Under my model, post-only subscribers are unwelcome.

M
--
o       Mark Murray
\_
O.\_    Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 12:54:51 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A01237B421 for ; Tue, 27 Aug 2002 12:54:46 -0700 (PDT)
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id B009643E65 for ; Tue, 27 Aug 2002 12:53:53 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org)
Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.5/8.12.5) with ESMTP id g7RJU8MA098976; Tue, 27 Aug 2002 20:30:08 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.5/8.12.5/Submit) with UUCP id g7RJU8Gt098975; Tue, 27 Aug 2002 20:30:08 +0100 (BST)
Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.5/8.12.5) with ESMTP id g7RJPnl5022949; Tue, 27 Aug 2002 20:25:50 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Message-Id: <200208271925.g7RJPnl5022949@grimreaper.grondar.org>
To: jps@funeralexchange.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Linux_Base marked as forbidden. Anyone know when this will be resolved?
In-Reply-To: ; from "Jeremy Suo-Anttila" "Tue, 27 Aug 2002 13:08:54 CDT."
Date: Tue, 27 Aug 2002 20:25:49 +0100
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I cvsup'd and was about to install the latest linux_base and I found this.
> Anyone know when this will be resolved? I have a few machines that are using
> linux_base7.1 and I would like to upgrade them ASAP.

This is a ports and Linux issue. Please look in
/usr/ports/emulators/linux_base/Makefile for the URLs that contain the
definitive knowledge on this.

M
--
o       Mark Murray
\_
O.\_    Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 12:55:13 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D24E37B400 for ; Tue, 27 Aug 2002 12:55:09 -0700 (PDT)
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id E8CCD43E84 for ; Tue, 27 Aug 2002 12:54:03 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org)
Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.5/8.12.5) with ESMTP id g7RJKBMA098827; Tue, 27 Aug 2002 20:20:11 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.5/8.12.5/Submit) with UUCP id g7RJKBEC098825; Tue, 27 Aug 2002 20:20:11 +0100 (BST)
Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.5/8.12.5) with ESMTP id g7RJFtl5022817; Tue, 27 Aug 2002 20:15:55 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Message-Id: <200208271915.g7RJFtl5022817@grimreaper.grondar.org>
To: Kevin_Stevens@pursued-with.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
In-Reply-To: ; from Kevin Stevens "Tue, 27 Aug 2002 09:29:22 PDT."
Date: Tue, 27 Aug 2002 20:15:55 +0100
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Tue, 27 Aug 2002, Yann Berthier wrote:
>
> > Please go for a subscriber-only list. I am subscribed to a lot of
> > lists having this policy and:
> > . nobody seems to complain
> > . the signal / noise ratio is definitely better.
> >
> > - yann
>
> You miss the point - nobody seems to complain because the ones who would
> can no longer post. I would fall into that category a good deal of the
> time, but am willing to put up with that if it serves the greater good.
> PITA, though.

Most of the "complainers" are nervous that they will no longer be able
to ask the questions that I am banging on about, and their "fear" is
correct. This list needs to return to being a hardcore technology list
(anybody welcome to join), but the "silly questions" need to go to the
right groups. (No jibes about "No such thing as `silly questions', only
`silly answers'.", please).

With some luck, and a bit of reorganization, this list should become
hardcore content, and well worth the read :-).
M
--
o       Mark Murray
\_
O.\_    Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 12:55:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D133237B406 for ; Tue, 27 Aug 2002 12:55:21 -0700 (PDT)
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7FAF43E72 for ; Tue, 27 Aug 2002 12:54:25 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org)
Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.5/8.12.5) with ESMTP id g7RIo8MA098593; Tue, 27 Aug 2002 19:50:08 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.5/8.12.5/Submit) with UUCP id g7RIo86Y098592; Tue, 27 Aug 2002 19:50:08 +0100 (BST)
Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.5/8.12.5) with ESMTP id g7RInvl5022584; Tue, 27 Aug 2002 19:49:57 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Message-Id: <200208271849.g7RInvl5022584@grimreaper.grondar.org>
To: Jens Rehsack
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
References: <3D6BBF89.F3A028@liwing.de>
In-Reply-To: <3D6BBF89.F3A028@liwing.de> ; from Jens Rehsack "Tue, 27 Aug 2002 20:06:01 +0200."
Date: Tue, 27 Aug 2002 19:49:57 +0100
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > How will that stop off-topic chatter?
>
> Never. But neither does your way. I'm subscribed and I answer to your
> off-topic post. So we both are the off-topic chatters you want to stop.
> Sure?

:-)

I am conducting this discussion under the "Administrativia" flag, so
while it may be off-topic, it is of indirect-but-important relevance to
the list. This is a focussed discussion that will cease abruptly when a
conclusion is reached (hopefully!).

> > > This allows to post validated senders only but keeps freedom to all
> > > people who want to post.
> >
> > _Less_ freedom is actually needed. It is precisely that freedom which
> > has allowed the list to become a question-and-answer (or HOWTO) list
> > that has dropped the signal value so badly.
>
> Pardon, but IMHO this list is read by "security experts". So if I have
> a security related question, I ask here. I'm a good developer, I have
> much knowledge 'bout secure programming and know how to protect my box
> enough for stupids. But on the one hand there are many people who have
> much less knowledge of security than me and on the other hand a lot
> of gurus to me.

Most of the real FreeBSD security experts avoid this list (or treat it
as a "scan-only" list). The reason for this is the treatment of the
list as "newbie questions welcome". That is not the original purpose
of the list.

> What I want to say with that: What is a stupid question to me or not
> security related or sth. else may be important to others with other kinds
> of thoughts. What sort of guys will we be if we judge 'bout the security
> relevance of a posting?

Fair question (if I understand you correctly).

Relevant:
o Policy issues
o Security bug details or fixes to security holes.
o Experience of effective defences, including documentation of known problems.
o Interesting security-related code.
... etc.

Off-topic:
o Any common sysadmin task.
o "Which should I use FOO, or BAR?"
o Any topic which is more relevant to another list.
o Spam, or replies to spam.
... etc.

> So I cannot follow your way to close this list. If you want to have a private
> list, why don't you found your own one?

I don't want a private list. I want a high-signal freebsd-specific one.

> > Depends on the "end". Here I mean a dramatic drop in newbie questions
>
> Who decides what's a newbie question and what's not? You? Me? Santa Claus?
> And everyone started on a small ground... - that's the way.

There are places for newbie questions. This is not it. The list
sort-of evolved towards this, and as this happened, the guru-factor
dropped, and the question-factor rose. The list is now a low-signal
duplicate of -questions/-newbies.

> > and a consequent increase in the technical content/discussion
> > ratio. I also hope to attract back the security gurus, and thus
> > further improve the signal content.
>
> This will not work. Let me explain what I believe such a list
> is for: I think some people founded a list for security related
> discussions to make it much easier to help each other. Over the
> months and years the original gurus are getting better and better
> while the quality of the list is in everyone's mouth. So some more
> guys and girls are subscribing to participate in every hint and a
> lot of stressed people are just asking sth. and discussing just a small
> (personally preferred) problem, an idea, sth. else.

-Questions is a "help-each-other" list. So is USENET. We don't need
any more, and unfortunately over time some folks have gotten used
to this status quo. This may seem harsh, but such folks have a
little unlearning to deal with. Sorry! :-)

> And some of the gurus get bored, but many new guru candidates
> subscribed, helped, talked and - sometimes - chatted 'bout security (I
> remember an obfuscation discussion not long ago).

The fact that some time in the past, this may have worked for
individuals is, erm, unfortunate. I can go to extremes ("Theft works
for robbers" etc), but I think you may understand me if I say the
means does not justify the ends.

> So in my opinion this list is good just as is. If you are much more
> experienced and wiser, you have two choices. Go away to a wisdom /
> guru list or stay (what we all prefer) and let us have part of your
> wisdom.

You are welcome to stay, you are welcome to read. Please understand that
I don't want you to go away; I want you to accept a higher signal ratio,
and I want you to not (unwittingly) contribute to the noise :-)

> I do not want to defend idiots, but - please - there is a difference
> between newbie (what I could be in the eyes of many) and idiots /
> torks.

Let's not get extreme - we mostly agree. Let's see how this initiative
pans out.

M
--
o       Mark Murray
\_
O.\_    Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 12:56: 6 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4801537B406 for ; Tue, 27 Aug 2002 12:56:01 -0700 (PDT)
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 36B9143E65 for ; Tue, 27 Aug 2002 12:54:47 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org)
Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.5/8.12.5) with ESMTP id g7RFj78C096926; Tue, 27 Aug 2002 16:45:07 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.5/8.12.5/Submit) with UUCP id g7RFj79K096925; Tue, 27 Aug 2002 16:45:07 +0100 (BST)
Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.5/8.12.5) with ESMTP id g7RFihl5021460; Tue, 27 Aug 2002 16:44:43 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Message-Id: <200208271544.g7RFihl5021460@grimreaper.grondar.org>
To: jcukeng@mail.ru
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Re[2]: Administrivia: Discussion - Making this list subscriber-only
References:
 <189103381795.20020827192113@mail.ru>
In-Reply-To: <189103381795.20020827192113@mail.ru> ; from jcukeng@mail.ru "Tue, 27 Aug 2002 19:21:13 +0400."
Date: Tue, 27 Aug 2002 16:44:43 +0100
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I think this plan is not so good as it looks at first glance;
> especially for people who have more than one e-mail.
> For example, let us suppose that somebody reads the
> freebsd-security list both at home and at work but his or her
> corporate security policies allow sending e-mail from within only
> via the corporate mail server and disallow sending e-mail from non-local IPs.
> So, if this plan turns into reality, this subscriber will be forced
> to subscribe 2 times.

Sure? If you are reading at home and at work then are you not already
subscribed twice anyway?

We can construct all sorts of interesting "edge cases" where this
change (or any other change for that matter) will inconvenience
somebody. I am aiming for a change that will make the list better (on
average) for the majority.

> The idea to check existence of a 'reply-to' address is not so good, too.
> Everybody can set this to one of valid e-mail addresses
> (billgates@microsoft.com :)), and this address will differ from
> sender's one.

reply-to:'s are largely not relevant. "From:" is what gets checked.

> So, in my opinion, much better looks the idea to keep a blacklist of
> spammers' IPs on, say, mx1.FreeBSD.org, and reject ALL letters from
> these IPs. If a spammer builds his rotten business on pestering people,
> he has no right to ask these people for help :)

Spam is not the big problem. Chatter is the big problem.

(Spam databases are very poor at best - FreeBSD already uses a very
large one)

M
--
o       Mark Murray
\_
O.\_    Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 12:57: 4 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C23A37B410 for ; Tue, 27 Aug 2002 12:56:59 -0700 (PDT)
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id E75DC43EA3 for ; Tue, 27 Aug 2002 12:55:08 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org)
Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.5/8.12.5) with ESMTP id g7RFeA8C096856; Tue, 27 Aug 2002 16:40:10 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.5/8.12.5/Submit) with UUCP id g7RFeAtX096855; Tue, 27 Aug 2002 16:40:10 +0100 (BST)
Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.5/8.12.5) with ESMTP id g7RFail5021355; Tue, 27 Aug 2002 16:36:44 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Message-Id: <200208271536.g7RFail5021355@grimreaper.grondar.org>
To: Jens Rehsack
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
References: <3D6B8535.D3E1DB4@liwing.de>
In-Reply-To: <3D6B8535.D3E1DB4@liwing.de> ; from Jens Rehsack "Tue, 27 Aug 2002 15:57:09 +0200."
Date: Tue, 27 Aug 2002 16:36:44 +0100
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > I got an overwhelmingly positive (off-list, thanks!) response to my
> > complaint that this list's signal-to-noise ratio was terrible.
>
> For that you should really use a spam filter.

Spam is a small part of the problem. A much larger part is off-topic
chatter.

> > Comments? Suggestions? (Keep it brief and focussed, folks!)
>
> Personally I like the solution on PHP mailing lists. Everybody can
> write mail to a list without having to subscribe. But before sending the
> first ever mail to that list you must! allow validating your address
> by responding to an auth request like when subscribing to fbsd lists.

How will that stop off-topic chatter?

> This allows to post validated senders only but keeps freedom to all
> people who want to post.

_Less_ freedom is actually needed. It is precisely that freedom which
has allowed the list to become a question-and-answer (or HOWTO) list
that has dropped the signal value so badly.

> I do not like restricted use. The end doesn't justify the means!

Depends on the "end". Here I mean a dramatic drop in newbie questions
and a consequent increase in the technical content/discussion
ratio. I also hope to attract back the security gurus, and thus
further improve the signal content.
M
--
o       Mark Murray
\_
O.\_    Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 13: 3:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E97BB37B493 for ; Tue, 27 Aug 2002 13:03:06 -0700 (PDT)
Received: from rambo.401.cx (rambo.401.cx [80.65.205.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4C38443F59 for ; Tue, 27 Aug 2002 13:02:07 -0700 (PDT) (envelope-from listsub@401.cx)
Received: from 401.cx (rocky [192.168.0.2]) by rambo.401.cx (8.12.5/8.12.5) with ESMTP id g7RJxuqu059300; Tue, 27 Aug 2002 22:00:22 +0200 (CEST) (envelope-from listsub@401.cx)
Message-ID: <3D6BDB16.2020304@401.cx>
Date: Tue, 27 Aug 2002 22:03:34 +0200
From: "Roger 'Rocky' Vetterberg"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc2) Gecko/20020618 Netscape/7.0b1
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Mark Murray
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
References: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mark Murray wrote:
> Hello Security list members
>
> I got an overwhelmingly positive (off-list, thanks!) response to
> my complaint that this list's signal-to-noise ratio was terrible.
>
> Some folks are still replying to spam on list, but the noise figure
> has dropped significantly. Thank you!
>
> I would very much like to make this list subscriber-only. This will
> cut down dramatically on spam and the inevitable misdirected
> 'subscribe' postings. The downside is that folks will not be able
> to reply to the list if they receive it via a list redirector (IE
> if a corporate role account/list-alias has been used to subscribe).
> In this case, those folks would become read-only members (which may
> in some cases be OK). Other folks would need to subscribe to the
> list with their 'real' email address.
>
> Comments? Suggestions? (Keep it brief and focussed, folks!)
>
> M

I have read a lot of replies to this mail, with arguments for and
against a subscriber-only list, and so far I have not seen the against
side come up with one single valid argument.

To have to be subscribed to post is for me fully understandable on a
_discussion_ list. To be able to be part of a discussion you have to be
subscribed, so I really can't see what the problem is here. If you have
a single question you want answered, this is not the place to ask it.
Try -questions.

RBL and spamblocks really aren't a good solution. They all miss, they
may block valid posts, and the spammers are starting to learn how to
avoid them.

People subscribed from different email addresses, checking from work
etc etc, get a mail client that supports several accounts and lets you
choose which one to send/receive from.

To put it short, I'm all for subscriber-only... I can't believe it isn't
done already.
Just my $0.02

--
R

From owner-freebsd-security Tue Aug 27 13: 3:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 10EA937B494 for ; Tue, 27 Aug 2002 13:03:07 -0700 (PDT)
Received: from web10104.mail.yahoo.com (web10104.mail.yahoo.com [216.136.130.54]) by mx1.FreeBSD.org (Postfix) with SMTP id 023F043F5B for ; Tue, 27 Aug 2002 13:02:08 -0700 (PDT) (envelope-from twigles@yahoo.com)
Message-ID: <20020827195512.6124.qmail@web10104.mail.yahoo.com>
Received: from [68.5.49.41] by web10104.mail.yahoo.com via HTTP; Tue, 27 Aug 2002 12:55:12 PDT
Date: Tue, 27 Aug 2002 12:55:12 -0700 (PDT)
From: twig les
Subject: Re: Ports are insecure?
To: Erick Mechler , David Olbersen
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020827170508.GI90157@techometer.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I think the view that 'more ports = less security' has to do with the
idea that if you don't need it, don't install it (or with non-BSD
systems... uninstall it). Almost any program has the potential to be a
security hole, so if you need to run BIND, just run BIND and ssh, not
AIM and FTP etc.... In this sense it's not a ports issue, but rather an
overall approach (one that most vendors still ignore).

--- Erick Mechler wrote:
> :: I read (in this list I think) that somebody was of the opinion that
> :: every port installed decreases the security of a machine.
>
> I'm not sure I would go that far, but I would say that for every network
> port you have open, the amount of admin time does increase. In a way it
> does make it more insecure, but only if you don't keep up with security
> upgrades, patches, etc.
>
> :: How exactly does that work? Is this based in the idea that nearly
> :: anybody can contribute a port, but the core system is reviewed by a
> :: team?
>
> Not just anybody can contribute to a FreeBSD port entry; the commit still
> has to be done by an authorized committer. However, it's true that just
> about anybody's software package can become a port, so if you just blindly
> start installing ports, you might, on rare occasions, install a piece of
> software that's been trojaned (take the recent OpenSSH trojan for example).
>
> I hope (maybe) this addressed some of your questions :) If you have more
> questions about the ports system, I'd check out the relevant section of the
> Handbook:
>
> http://www.freebsd.org/doc/handbook/ports.html
>
> Cheers - Erick

=====
-----------------------------------------------------------
Heavy metal made me do it.
-----------------------------------------------------------
From owner-freebsd-security Tue Aug 27 13: 5: 4 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A699A37B400 for ; Tue, 27 Aug 2002 13:04:59 -0700 (PDT)
Received: from itesec.hsc.fr (itesec.hsc.fr [192.70.106.33]) by mx1.FreeBSD.org (Postfix) with ESMTP id AF18743E72 for ; Tue, 27 Aug 2002 13:04:58 -0700 (PDT) (envelope-from yb@sainte-barbe.org)
Received: from taz.hsc.fr (ogoun.hsc.fr [192.70.106.75]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "taz.hsc.fr", Issuer "HSC CA" (verified OK)) by itesec.hsc.fr (Postfix) with ESMTP id 82DDE20F3A for ; Tue, 27 Aug 2002 22:04:57 +0200 (CEST)
Received: by taz.hsc.fr (Postfix, from userid 1000) id 4887C758; Tue, 27 Aug 2002 22:04:46 +0200 (CEST)
Date: Tue, 27 Aug 2002 22:04:46 +0200
From: Yann Berthier
To: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <20020827200445.GA4546@hsc.fr>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <20020827122623.GC34393@heresy.dreamflow.nl> <200208271244.g7RCiBl5019984@grimreaper.grondar.org> <200208271912.g7RJCxu0053547@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200208271912.g7RJCxu0053547@khavrinen.lcs.mit.edu>
X-Organization: Herve Schauer Consultants
X-Web: http://www.hsc.fr/
X-Operating-System: FreeBSD 5.0-CURRENT
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Aug 2002, Garrett Wollman wrote:

> < said:
>
> > This is _not_ a questions list. This is a discussions list. If you have
> > a one-off question, there are places to ask it. If you wish to discuss,
> > then there is no problem with subscribing, no?
>
> Yes.
>
> The address under which I'm subscribed is not necessarily the same as
> the one(s) under which I post.

Sorry to sound dumb, but what is the problem with setting the "From:"
with your favorite MUA when the case arises? We all do this all the time
to cope with several addresses and a lot of technical subscribers-only
lists. Mark Murray is trying to sanitize the -security list, which is a
laudable goal, so having to add a send-hook or whatever doesn't look
very costly to help reach this goal, no?

From owner-freebsd-security Tue Aug 27 13: 5:19 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9491A37B405 for ; Tue, 27 Aug 2002 13:05:04 -0700 (PDT)
Received: from mail.liwing.de (mail.liwing.de [213.70.188.162]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1A3E543E42 for ; Tue, 27 Aug 2002 13:05:03 -0700 (PDT) (envelope-from rehsack@liwing.de)
Received: (qmail 67318 invoked from network); 27 Aug 2002 19:58:20 -0000
Received: from stingray.liwing.de (HELO liwing.de) ([213.70.188.164]) (envelope-sender ) by mail.liwing.de (qmail-ldap-1.03) with SMTP for ; 27 Aug 2002 19:58:20 -0000
Message-ID: <3D6BD999.10753D8E@liwing.de>
Date: Tue, 27 Aug 2002 21:57:13 +0200
From: Jens Rehsack
Organization: LiWing IT-Services
X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Mark Murray
Cc: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
References: <3D6BD145.C1991051@liwing.de> <200208271940.g7RJeLl5023113@grimreaper.grondar.org>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mark Murray wrote:
>
> > > Most of the real FreeBSD security experts avoid this list (or treat it
> > > as a "scan-only" list). The reason for this is the treatment of the
> > > list as "newbie questions welcome". That is not the original purpose
> > > of the list.
> >
> > But it's a public list with sponsors from industry and persons...
>
> Sure. I'm not stopping folks from reading the list. I'm trying to
> stop lots of the unnecessary _posting_.
>
> > > o Any common sysadmin task.
> >
> > May be ok, may not. Depends on the "common" of the task. If it's "so"
> > common, someone could add it to the FAQ or handbook, couldn't someone?
>
> Indeed! :-)
>
> This is desperately needed.
>
> > > o "Which should I use FOO, or BAR?"
> >
> > I have seen many questions like "Should I use ipfilter or ipfirewall?",
> > and those questions really have some reason:
> > a) Neither IPFilter nor IPFirewall is really well documented.
> > It takes a lot of experience and "wisdom" to know hints for use
> > in special situations.
> > But - in that case - there should be a "security-questions" list.
> > b) Very few people know that both filters can coexist.
>
> Right. This is a problem that needs to be fixed in its own right.
> Would you like to volunteer to provide some basic documentation?
> (I can see that English is not your first language. If you provide
> something that is factually correct (ignoring any English problems),
> we have a Zillion folks who can fix the English and will commit for you.)

Not at the moment, but if the problem still exists in a few weeks,
please remind me and I'll try...

> > > o Any topic which is more relevant to another list.
> >
> > Who decides that? On which rules? I think a collective reply with the
> > right list could help more.
>
> Fair question. List-clarifying FAQs are good.
>
> > > o Spam, or replies to spam.
> >
> > This could be managed using
> > a) spam filter for list (what would be done already)
> > b) spam filter (rtbl) at your gateway
> > c) auth-requests on first post
>
> I'll see how the list goes. I'm prepared to do all-or-any of the above.
>
> > > > So I cannot follow your way to close this list. If you want to have a private
> > > > list, why don't you found your own one?
> > >
> > > I don't want a private list. I want a high-signal freebsd-specific one.
> >
> > So a good thing would be a security-questions list. Newbies can ask there
> > and the "high-signal" R.I.P. Sounds a little bit ok to me...
>
> Hmm. Most gurus will avoid it, and I suspect it will become a
> duplicate of freebsd-questions.

I don't believe that. I can surely speak for the Germans here - I know
many of them would respond to questions on -security-questions. And if
I'm honest, many questions I see in -questions I'd like to see in e.g.
-security(-questions), because -questions is a very low knowledge list.

> > But: if someone found the list address, (s)he had read some manual before.
> > So there's a place where some rules could be noted...
>
> FAQ fixes are the real answer.
>
> > > > Who decides what's a newbie question and what's not? You? Me? Santa
> > > > Claus? And everyone started on a small ground... - that's the
> > > > way.
> > >
> > > There are places for newbie questions. This is not it. The list
> >
> > Not for newbie-security-related. When I was new I was happy 'bout
> > the security list.
>
> Sure. Ends do not justify means. A robber is happy with his income :-)
>
> > > sort-of evolved towards this, and as this happened, the guru-factor
> > > dropped, and the question-factor rose. The list is now a low-signal
> > > duplicate of -questions/-newbies.
> >
> > That's not really true, but I see what you mean. But if you ask me
> > for my real opinion: Add all things you don't want asked anymore to
> > the faq/doc/handbook and (let) commit it. So in 6 months those things
> > aren't asked anymore... It's a more friendly way ...
>
> OK - you have a deal! If you annoy us properly by submitting enough
> good-quality documentation upgrades, I'll punish you by a) ensuring they
> are committed, and b) if enough of them come, ensuring that you can commit
> them your damn self ;-)

a) ok
b) not ok. I'm a developer and boss of a small company. I do not have
enough time to "really" prove into the last final detail and there is the
risk that I submit (because it has to be fast) not enough tested and
verified stuff.

> > > -Questions is a "help-each-other" list. So is USENET. We don't need
> > > any more, and unfortunately over time some folks have gotten used
> > > to this status quo. This may seem harsh, but such folks have a
> > > little unlearning to deal with. Sorry! :-)
> >
> > I think that -questions is a freebsd related "help-each-other" list.
> > A security related one is missing at the moment. Remember: the usenet
> > has many categories, too.
>
> Maybe. Let's see how this goes, and we'll adapt as we go. OK? :-)
>
> > > You are welcome to stay, you are welcome to read. Please understand that
> > > I don't want you to go away; I want you to accept a higher signal ratio,
> > > and I want you to not (unwittingly) contribute to the noise :-)
> >
> > Of course, but please understand me if I say: let the other ones follow us.
> > But I think (after that discussion) a -security-questions is necessary.
> > Using force is not a solution for the world, just for small numbers of people.
> > Give 'em a chance.
>
> I suspect we may be able to drop the noise below the signal if we do it
> properly.
>
> M
> --
> o       Mark Murray
> \_
> O.\_    Warning: this .sig is umop ap!sdn

--
Jens Rehsack
LiWing IT-Services
Friesenstraße 2
06112 Halle
Tel.: +49 - 3 45 - 5 17 05 91
Fax: +49 - 3 45 - 5 17 05 92
http://www.liwing.de/

From owner-freebsd-security Tue Aug 27 13: 5:26 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F202037B400 for ; Tue, 27 Aug 2002 13:05:13 -0700 (PDT)
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15FCA43E42 for ; Tue, 27 Aug 2002 13:05:13 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org)
Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.5/8.12.5) with ESMTP id g7RK5BMA099311; Tue, 27 Aug 2002 21:05:11 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.5/8.12.5/Submit) with UUCP id g7RK5BFh099310; Tue, 27 Aug 2002 21:05:11 +0100 (BST)
Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.5/8.12.5) with ESMTP id g7RK4gl5023435; Tue, 27 Aug 2002 21:04:42 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Message-Id: <200208272004.g7RK4gl5023435@grimreaper.grondar.org>
To: Jens Rehsack
Cc: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
References: <3D6BD999.10753D8E@liwing.de>
In-Reply-To: <3D6BD999.10753D8E@liwing.de> ; from Jens Rehsack "Tue, 27 Aug 2002 21:57:13 +0200."
Date: Tue, 27 Aug 2002 21:04:42 +0100 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > Hmm. Most gurus will avoid it, and I suspect it will become a > > duplicate of freebsd-questions. > > I don't believe that. I can surely speak for the germans here - I know > many of the would respond to questions if -security-questions. And if > I'm honest, many questions I see in -questions I'd like to see in f.e. > -security(-questions), because the -questions is a very low knowledge list. Hmm. OK. I'll bite. Ask core for this formally, and convince them (us!) that this is needed, and I will champion your cause. > > OK - you have a deal! If you annoy us properly by submitting enough > > good-quality documenation upgrades, I'll punish you by a) ensuring they > > are committed, and b) if enough of them come, ensuring that you can commit > > them your damn self ;-) > > a) ok > b) not ok. I'm a developer and boss of a small company. I do not have > enough time to "really" prove into last final detail and the risk > that I submit (because it has to be fast) not enought tested and > verified stuff. :-) Enough of a) means that b) is inevitable! 
M
--
o Mark Murray
\_
O.\_ Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 13:15:26 2002
Date: Tue, 27 Aug 2002 13:15:22 -0700
From: Erick Mechler
To: Jeff Taylor - IT Audit
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Ports are insecure?
Message-ID: <20020827201522.GL90157@techometer.net>
References: <6EEFFDE83E575E4994264B3485CB648B05D21BF7@HOUEXCH056.HALNET.COM>
In-Reply-To: <6EEFFDE83E575E4994264B3485CB648B05D21BF7@HOUEXCH056.HALNET.COM>
User-Agent: Mutt/1.4i

:: Personally I'm tired of seeing all these messages go back and forth!
::
:: Please remove me from this news feed!!
::
:: To Unsubscribe: send mail to majordomo@FreeBSD.org
:: with "unsubscribe freebsd-security" in the body of the message

Read your own post.
From owner-freebsd-security Tue Aug 27 13:16:58 2002
Date: Tue, 27 Aug 2002 16:16:51 -0400
Subject: Re: List administrivia, was: Re: I Finally got It 2096
From: Chuck Swiger
To: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020827185923.GA17201@cowbert.2y.net>
X-Mailer: Apple Mail (2.482)

On Tuesday, August 27, 2002, at 02:59 PM, Peter C. Lai wrote:
> On Tue, Aug 27, 2002 at 12:58:29PM -0400, Chuck Swiger wrote:
>> Non-subscribers might have their messages delayed a bit until their
>> message is approved (or rejected), but that shouldn't matter much if most
>> people intend to read the list instead of only posting to it.
>
> Are you volunteering yourself to be the aforementioned 'listadmin'
> that screens every unsubscriber's attempted post to this list?

I administer about half of the ~30 mailing lists at work. It wasn't my
intention to replace the current administrator of this list, but I'm
certainly willing to help. A pool of moderators works pretty well....

> Or are you willing to sponsor one?

Yes. Give me 48 hours, since I'm upgrading a few machines to 4.6.2,
including one of the two listservers here.

> No one on the security team currently would have 'time' to sort out spam
> from non-spam in the review queue.

Okay; non-subscriber submissions get delayed until someone does have time.
*shrug*

-Chuck

Chuck Swiger | chuck@codefab.com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
"The human race's favorite method for being in control of the facts is
to ignore them." -Celia Green

From owner-freebsd-security Tue Aug 27 13:29:58 2002
Date: Tue, 27 Aug 2002 13:29:55 -0700
From: Bill Fumerola
To: Y S
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPsec tunnel between XP and FreeBSD
Message-ID: <20020827202954.GM6908@elvis.mu.org>
References: <20020827185816.91283.qmail@web12903.mail.yahoo.com>
In-Reply-To: <20020827185816.91283.qmail@web12903.mail.yahoo.com>
User-Agent: Mutt/1.3.27i
X-Operating-System: FreeBSD 4.5-MUORG-20020805 i386

On Tue, Aug 27, 2002 at 11:58:16AM -0700, Y S wrote:
>
> I am trying to setup an IPsec tunnel between XP client and FreeBSD box.
> Seems the Phase 2 Exchange doesn't work.

the entire point of the thread you just replied to was that this is not
a questions/how-to mailing list. try questions@freebsd.org.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org

From owner-freebsd-security Tue Aug 27 13:30:28 2002
Date: Tue, 27 Aug 2002 22:30:16 +0200
From: Alex Kiesel
To: Erick Mechler
Cc: David Olbersen, freebsd-security@FreeBSD.ORG
Subject: Re: Ports are insecure?
Message-ID: <20020827203016.GA10858@schlund.de>
References: <20020827165347.GA12522@slickness.org> <20020827170508.GI90157@techometer.net>
In-Reply-To: <20020827170508.GI90157@techometer.net>
User-Agent: Mutt/1.4i
X-Binford: 6100 (more power)

On Aug 27, 2002, Erick Mechler wrote:
> Not just anybody can contribute to a FreeBSD port entry; the commit still
> has to be done by an authorized committer. However, it's true that just
> about anybody's software package can become a port, so if you just blindly
> start installing ports, you might, on rare occasions, install a piece of
> software that's been trojaned (take the recent OpenSSH trojan for example).

As the ports collection has a checksum for every file that is needed, it
should not be a big problem to avoid installing trojanized software. IIRC
you could not install OpenSSH without ignoring checksum alerts.
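Alex's point above, that the ports tree records a checksum for every distfile so a modified archive is caught before it is built, as an added example that is not part of his post or of the ports framework's own code: a small checker in the style of the distinfo verification, using a hypothetical distfile name and constructed archive bytes, showing a clean file passing, a modified file failing both the SHA256 and the SIZE check, and an unparsable distinfo failing closed.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# One distinfo line per check, in the layout the FreeBSD ports tree uses:
#   SHA256 (openssh-9.5p1.tar.gz) = <64 hex digits>
#   SIZE (openssh-9.5p1.tar.gz) = 1234
# Older trees recorded "MD5 (file) = ..." lines; the parser accepts those too.
DISTINFO_LINE = re.compile(
    r"^(?P<algo>MD5|SHA256|SIZE)\s+\((?P<name>[^)]+)\)\s*=\s*(?P<value>\S+)\s*$"
)


def make_distinfo(distfiles: Dict[str, bytes]) -> str:
    """Record SHA256 and SIZE for each distfile, as a maintainer's makesum step would."""
    lines = []
    for name, data in sorted(distfiles.items()):
        lines.append(f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}")
        lines.append(f"SIZE ({name}) = {len(data)}")
    return "\n".join(lines) + "\n"


def parse_distinfo(text: str) -> Dict[str, Dict[str, str]]:
    """Return {distfile: {check: expected_value}}; TIMESTAMP and blank lines are skipped."""
    entries: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue
        m = DISTINFO_LINE.match(line)
        if m is None:
            # A distinfo we cannot parse must fail closed, never be silently skipped.
            raise ValueError(f"malformed distinfo line: {line!r}")
        entries.setdefault(m["name"], {})[m["algo"]] = m["value"]
    return entries


def verify_distfiles(distinfo: Dict[str, Dict[str, str]],
                     fetched: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Compare fetched distfiles against distinfo.

    Returns a list of (distfile, check, detail) failures; an empty list means
    every recorded check passed and nothing unrecorded was present.
    """
    failures: List[Tuple[str, str, str]] = []
    for name, checks in distinfo.items():
        data = fetched.get(name)
        if data is None:
            failures.append((name, "MISSING", "distfile was not fetched"))
            continue
        for algo, expected in checks.items():
            if algo == "SIZE":
                actual = str(len(data))
            else:
                actual = hashlib.new(algo.lower(), data).hexdigest()
            if actual != expected:
                failures.append((name, algo, f"expected {expected}, got {actual}"))
    # A fetched file with no distinfo entry would be built unverified: flag it.
    for name in fetched:
        if name not in distinfo:
            failures.append((name, "UNLISTED", "no checksum recorded in distinfo"))
    return failures


# Constructed sample data (not a real distfile): the bytes the maintainer
# checksummed, and a copy with extra content appended after the fact.
GOOD_TARBALL = b"constructed-example-1.0 source archive\n" * 16
TAMPERED_TARBALL = GOOD_TARBALL + b"# appended after the maintainer ran makesum\n"
DISTFILE = "example-1.0.tar.gz"  # hypothetical distfile name
DISTINFO = make_distinfo({DISTFILE: GOOD_TARBALL})


def check_clean() -> List[Tuple[str, str, str]]:
    """The distfile the maintainer checksummed passes every check."""
    return verify_distfiles(parse_distinfo(DISTINFO), {DISTFILE: GOOD_TARBALL})


def check_tampered() -> List[Tuple[str, str, str]]:
    """A modified distfile fails both the SHA256 and the SIZE check."""
    return verify_distfiles(parse_distinfo(DISTINFO), {DISTFILE: TAMPERED_TARBALL})


if __name__ == "__main__":
    print("clean:", check_clean() or "all checks passed")
    for failure in check_tampered():
        print("tampered:", failure)
```

The point the build system enforces is the same as the one the checker makes: a mismatch stops the build, and only a deliberate decision to skip the check lets a modified distfile through.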
Cheers,
Alex
--
Alex Kiesel
PGP Key: 0x09F4FA11

From owner-freebsd-security Tue Aug 27 13:35:34 2002
Date: Tue, 27 Aug 2002 16:35:29 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200208272035.g7RKZTk9054362@khavrinen.lcs.mit.edu>
To: Yann Berthier
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
In-Reply-To: <20020827200445.GA4546@hsc.fr>
References: <20020827122623.GC34393@heresy.dreamflow.nl> <200208271244.g7RCiBl5019984@grimreaper.grondar.org> <200208271912.g7RJCxu0053547@khavrinen.lcs.mit.edu> <20020827200445.GA4546@hsc.fr>

< said:
> Sorry to sound dumb, but what is the problem with setting the "From:"
> with your favorite mua when the case arises ?

I am not .
-GAWollman

From owner-freebsd-security Tue Aug 27 13:50:17 2002
Message-Id: <200208272047.g7RKlXl5024096@grimreaper.grondar.org>
To: Garrett Wollman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
References: <200208272035.g7RKZTk9054362@khavrinen.lcs.mit.edu>
In-Reply-To: <200208272035.g7RKZTk9054362@khavrinen.lcs.mit.edu>; from Garrett Wollman "Tue, 27 Aug 2002 16:35:29 EDT."
Date: Tue, 27 Aug 2002 21:47:33 +0100
From: Mark Murray

> < said:
>
> > Sorry to sound dumb, but what is the problem with setting the "From:"
> > with your favorite mua when the case arises ?
>
> I am not .

No problem.
Be a read-only subscriber, or unsubscribe locally and resubscribe with
your own email address to the "real" list.

M
--
o Mark Murray
\_
O.\_ Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 14:03:54 2002
Message-ID: <20020827210346.24979.qmail@web12905.mail.yahoo.com>
Date: Tue, 27 Aug 2002 14:03:46 -0700 (PDT)
From: Y S
Subject: Re: IPsec tunnel between XP and FreeBSD
To: Bill Fumerola
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020827202954.GM6908@elvis.mu.org>

Hi Bill,

Thanks for your comment. The reasons I post this thread here are

1. I think inter-operability between freebsd and other OS is also a big issue of security.

2. I guess the people here are familiar with racoon and bsd IPsec implementation.

3. I've seen some similar discussion within this mailing list. (I know this is not a good reason though :))

I will cc the question to question list too.
Thanks again,

Sunny

Bill Fumerola wrote:

On Tue, Aug 27, 2002 at 11:58:16AM -0700, Y S wrote:
>
> I am trying to setup an IPsec tunnel between XP client and FreeBSD box.
> Seems the Phase 2 Exchange doesn't work.

the entire point of the thread you just replied to was that this is not
a questions/how-to mailing list. try questions@freebsd.org.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org

---------------------------------
Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes

From owner-freebsd-security Tue Aug 27 14:21:45 2002
From: Ju Ichi
To: Mark Murray, freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Date: Tue, 27 Aug 2002 17:20:20 -0400
User-Agent: KMail/1.4.1
References: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>
In-Reply-To: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>
Message-Id: <200208271720.20363.freebsd-security@ichi.net>

On Tuesday 27 August 2002 6:49 am, Mark Murray wrote:
> Hello Security list members
>
> I got an overwhelmingly positive (off-list, thanks!) response to
> my complaint that this list's signal-to-noise ratio was terrible.

As a newbie here, I'd like to respond after having read all of the
responses so far. Hopefully, the flames won't be too bad.

I've posted a couple of times recently looking for a solution to what
I believe is/was a fairly involved, security-related problem.
If by doing so, I contributed to the noise on the list, I am truly sorry.

Being fairly new to FreeBSD, I was not sure where to go. So, I posted to
freebsd-questions first, then to freebsd-net, and finally to
freebsd-security. The latter is the only one that I received any answers
from. I really appreciate the answers too! They helped me by giving me
food for thought and while my problem is not solved, I was able to dig
into places I didn't know about owing to my being fairly new to FreeBSD
and the IPSec implementation/utilities not being thoroughly documented.
Don't get me wrong, I'm not complaining about the lack of documentation.
I understand that most everyone is doing this out of a love of it and
with limited time.

To cut to the chase, there doesn't seem to be a charter or detailed set
of guidelines for this list. Without quoting the handbook completely, it
says that a) this is a list for "security issues", and b) it is a
"technical mailing list for which strictly technical content is
expected." So, even given all the discussion, I am unsure as to whether
I added to the noise problem or not. It would be nice if some of the
people concerned about off-topic discussions could put together
something for the uninformed among us.

The bottom line to me, is that aside from the UCE/UBE (aka spam)
problem certain members of this list want everyone to adhere to rules
that have not IMHO been properly voiced in a formal way or in a
permanent location. I'm sure there have been discussions on this topic
before, but most people are not going to search the archives of a list
looking for rules before posting. If you expect that, I think you will
be routinely disappointed and frustrated.
Just my newbie $0.02

Ju

From owner-freebsd-security Tue Aug 27 14:25:17 2002
Message-Id: <200208272120.g7RLKdl5024447@grimreaper.grondar.org>
To: Y S
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPsec tunnel between XP and FreeBSD
References: <20020827210346.24979.qmail@web12905.mail.yahoo.com>
In-Reply-To: <20020827210346.24979.qmail@web12905.mail.yahoo.com>; from Y S "Tue, 27 Aug 2002 14:03:46 PDT."
Date: Tue, 27 Aug 2002 22:20:39 +0100
From: Mark Murray

> Thanks for your comment. The reasons I post this thread here are
> 1. I think inter-operability between freebsd and other OS is also a
> big issue of security.

General interoperability, while important, is not security-critical.
> 2. I guess the people here are familiar with racoon and bsd IPsec
> implementation.

Most likely.

> 3. I've seen some similar discussion within this mailing list. (I
> know this is not a good reason though :))

Bad reason :-). This does not mean you are not welcome. Once the general
system administration questions are worked out, and you have some
specific security issues, please post them here.

> I will cc the question to question list too. Thanks again,
> Sunny

Good move.

M
--
o Mark Murray
\_
O.\_ Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 14:26:12 2002
Date: Tue, 27 Aug 2002 14:26:09 -0700 (PDT)
From: Kevin Stevens
Reply-To: Kevin_Stevens@pursued-with.net
To: Yann Berthier
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
In-Reply-To: <20020827200445.GA4546@hsc.fr>

On Tue, 27 Aug 2002, Yann Berthier wrote:
> Sorry to sound dumb, but what is the problem with setting the "From:"
> with your favorite mua when the case arises ? We all do this all the
> time to cope with several addresses and a lot of technical
> subscribers-only lists.

Because if you're behind a corporate proxy server/firewall, using a
corporate mail system, you may not have the latitude to play games with
the mail headers. If I'm at work anywhere other than the main office, I
*can't* access my home machine and send mail from it during the day.
Effectively, I would be able to send messages only in the evening. This
isn't a profound issue, but it does prevent participation in real-time
discussions.

KeS

From owner-freebsd-security Tue Aug 27 14:31:15 2002
Date: Tue, 27 Aug 2002 17:31:11 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200208272131.g7RLVB9o054741@khavrinen.lcs.mit.edu>
To: Mark Murray
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
In-Reply-To: <200208272047.g7RKlXl5024096@grimreaper.grondar.org>
References: <200208272035.g7RKZTk9054362@khavrinen.lcs.mit.edu> <200208272047.g7RKlXl5024096@grimreaper.grondar.org>

< said:
> No problem. Be a read-only subscriber, or unsubscribe locally and
> resubscribe with your own email address to the "real" list.

Unacceptable. The whole point of our list gateway is to get all this
crap out of people's inbox and into a medium (netnews) where it can be
managed effectively.

-GAWollman

From owner-freebsd-security Tue Aug 27 14:33:24 2002
Date: Wed, 28 Aug 2002 00:33:17 +0300
To: security@FreeBSD.ORG
From: Petri Riihikallio
Subject: Re: Administrivia: Discussion - Making this list subscriber-only

>I would very much like to make this list subscriber-only. This will
>cut down dramatically on spam and the inevitable misdirected
>'subscribe' postings.
>Comments?
>Suggestions? (Keep it brief and focussed, folks!)

Do you know what the black hats are up to? I occasionally page through
some UCE. I have seen many offers for mass-email software that can
subscribe to mailing lists from a temporary address to do their dirty
work. Temporary addresses are available from the web-mail providers on
short notice.

The subscription would need to employ some tricks to avoid subscription
robots. (E.g. "reverse the characters in this confirmation string and
append a capital E to the end.") These exercises would no doubt frustrate
several real subscribers as well.

To add to the pain: The new "List-Subscribe:" header makes it trivial to
locate lists with search engines.

--
Cheers, Petri

Metis / Petri Riihikallio
GSM: +358 400 505 939
FAX: +358 9 777 3028

From owner-freebsd-security Tue Aug 27 14:34:20 2002
To: Garrett Wollman
Cc: Mark Murray, freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
In-Reply-To: Your message of "Tue, 27 Aug 2002 17:31:11 EDT." <200208272131.g7RLVB9o054741@khavrinen.lcs.mit.edu>
Date: Tue, 27 Aug 2002 23:30:34 +0200
Message-ID: <59734.1030483834@critter.freebsd.dk>
From: Poul-Henning Kamp

I think the obvious solution being missed here is:

Only subscribers can post directly to the list.

All other posts get directed to a mailbox where a dedicated band of
merry men applies advanced Nth generation wet-ware filters to determine
if the email should be forwarded to the list.

Now, somebody please just do it, instead of bikeshedding...

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Tue Aug 27 14:40:19 2002
Message-Id: <200208272135.g7RLZXl5024627@grimreaper.grondar.org>
To: Ju Ichi
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
References: <200208271720.20363.freebsd-security@ichi.net>
In-Reply-To: <200208271720.20363.freebsd-security@ichi.net>; from Ju Ichi "Tue, 27 Aug 2002 17:20:20 EDT."
Date: Tue, 27 Aug 2002 22:35:33 +0100
From: Mark Murray

> I've posted a couple of times recently looking for a solution to what
> I believe is/was a fairly involved, security-related problem. If by
> doing so, I contributed to the noise on the list, I am truly sorry.

No Problemo.

> Being fairly new to FreeBSD, I was not sure where to go. So, I
> posted to freebsd-questions first, then to freebsd-net, and finally
> to freebsd-security. The latter is the only one that I received any
> answers from. I really appreciate the answers too! They helped me
> by giving me food for thought and while my problem is not solved, I
> was able to dig into places I didn't know about owing to my being
> fairly new to FreeBSD and the IPSec implementation/utilities not being
> thoroughly documented. Don't get me wrong, I'm not complaining about
> the lack of documentation. I understand that most everyone is doing
> this out of a love of it and with limited time.

Cool. This gives some pointers for useful ways to proceed. Are you any
good at documenting stuff?

> To cut to the chase, there doesn't seem to be a charter or detailed
> set of guidelines for this list.

Good feedback. I will fix this.

> Without quoting the handbook completely, it says that a) this is a
> list for "security issues", and b) it is a "technical mailing list for
> which strictly technical content is expected."
So, even given all the > discussion, I am unsure as to whether I added to the noise problem or > not. A really useful activity is to help compile an FAQ (both the Q and the A). Wanna contribute? :-) M -- o Mark Murray \_ O.\_ Warning: this .sig is umop ap!sdn To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 27 15: 2:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DA3E837B400 for ; Tue, 27 Aug 2002 15:02:40 -0700 (PDT) Received: from dragon.ichi.net (dragon.ichi.net [209.42.196.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 16D4643E3B for ; Tue, 27 Aug 2002 15:02:40 -0700 (PDT) (envelope-from freebsd-security@ichi.net) Received: from coaster (localhost.localdomain [127.0.0.1]) by dragon.ichi.net (8.11.6/8.11.6) with ESMTP id g7RLo9520548; Tue, 27 Aug 2002 17:50:09 -0400 Content-Type: text/plain; charset="iso-8859-1" From: Ju Ichi To: Mark Murray Subject: Re: Administrivia: Discussion - Making this list subscriber-only Date: Tue, 27 Aug 2002 18:01:30 -0400 User-Agent: KMail/1.4.1 Cc: freebsd-security@FreeBSD.ORG References: <200208271720.20363.freebsd-security@ichi.net> <200208272135.g7RLZXl5024627@grimreaper.grondar.org> In-Reply-To: <200208272135.g7RLZXl5024627@grimreaper.grondar.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-Id: <200208271801.30895.freebsd-security@ichi.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tuesday 27 August 2002 5:35 pm, Mark Murray wrote: > > I've posted a couple of times recently looking for a solution to what > > I believe is/was a fairly involved, security-related problem. If by > > doing so, I contrubuted to the noise on the list, I am truly sorry. > > No Problemo. 
Ok. Just to clarify, are you saying I *did* add to the noise? I'm still unclear as to what, if any, questions are legitimate.

> Cool. This gives some pointers for useful ways to proceed.
>
> Are you any good at documenting stuff?

Not especially, but I'm not terrible either. :-)

> > To cut to the chase, there doesn't seem to be a charter or detailed
> > set of guidelines for this list.
>
> Good feedback. I will fix this.

Excellent.

> A really useful activity is to help compile an FAQ (both the Q and the A).
>
> Wanna contribute? :-)

Sure. I'll help if I can. Bear in mind, I'm new to the list and fairly new to FreeBSD for that matter.

One other thing, (and not to stir anything up, but) do you mean FAQs from the list? If so, that should mean that people ask questions on the list. Correct? :-)

Ju

From owner-freebsd-security Tue Aug 27 15: 5:39 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8E22237B400 for ; Tue, 27 Aug 2002 15:05:37 -0700 (PDT)
Received: from norton.palomine.net (norton.palomine.net [66.93.48.52]) by mx1.FreeBSD.org (Postfix) with SMTP id C4B7C43E3B for ; Tue, 27 Aug 2002 15:05:36 -0700 (PDT) (envelope-from cjohnson@palomine.net)
Received: (qmail 65523 invoked by uid 1000); 27 Aug 2002 22:05:35 -0000
Date: Tue, 27 Aug 2002 18:05:35 -0400
From: Chris Johnson
To: Roger 'Rocky' Vetterberg
Cc: Mark Murray, freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <20020827220535.GA65374@palomine.net>
References: <200208271049.g7RAnrl5019226@grimreaper.grondar.org> <3D6BDB16.2020304@401.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3D6BDB16.2020304@401.cx>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Tue, Aug 27, 2002 at 10:03:34PM +0200, Roger 'Rocky' Vetterberg wrote:
> I have read a lot of replies to this mail, with arguments for and
> against a subscriber-only list, and so far I have not seen the
> against side come up with one single valid argument.

Here's one: whenever I post a message on a public list, I use an expiring address. The address in the From header of this message will work for five days; after that, any mail sent to it will bounce. Every message I post has a different address, depending on when I post it. This allows me to post freely in public places with a real address that people can respond to (for a while) without the risk of being abused by harvesters.

This may not be to some people's liking, but the qmail list requires every message sent to it to be confirmed by the sender. This has completely eliminated spam from the list with only a small inconvenience to the users of the list. It avoids the problem of people who post with multiple addresses being unable to post that a subscriber-only list has, and some of the regular list members have automated the job of responding to the confirmation messages so that there's no inconvenience at all.
Chris Johnson

From owner-freebsd-security Tue Aug 27 15:26:56 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7EC1037B400 for ; Tue, 27 Aug 2002 15:26:54 -0700 (PDT)
Received: from olmec.nighttide.net (jasper.nighttide.net [207.5.141.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9898943E4A for ; Tue, 27 Aug 2002 15:26:53 -0700 (PDT) (envelope-from darren@nighttide.net)
Received: from localhost (localhost [127.0.0.1]) by olmec.nighttide.net (8.12.5/8.12.5) with ESMTP id g7RMQnF3081947; Tue, 27 Aug 2002 18:26:52 -0400 (EDT) (envelope-from darren@nighttide.net)
Date: Tue, 27 Aug 2002 18:26:49 -0400 (EDT)
From: Darren Henderson
To: Mark Murray
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
In-Reply-To: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Tue, 27 Aug 2002, Mark Murray wrote:
> I would very much like to make this list subscriber-only. This will
> cut down dramatically on spam and the inevitable misdirected
: :
> Comments? Suggestions? (Keep it brief and focussed, folks!)

Please do so. Most people who get agitated about doing this are reading from one place and posting from many. It's relatively simple to arrange something that allows you to read and post from a single location. The general benefit to the list outweighs the perceived effort that must be used by a few to accommodate the change.
______________________________________________________________________
Darren Henderson darren@nighttide.net
Help fight junk e-mail, visit http://www.cauce.org/

From owner-freebsd-security Tue Aug 27 15:30:18 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D219637B400 for ; Tue, 27 Aug 2002 15:30:12 -0700 (PDT)
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 90A0043E6A for ; Tue, 27 Aug 2002 15:30:11 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org)
Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.5/8.12.5) with ESMTP id g7RMUAMA002272; Tue, 27 Aug 2002 23:30:10 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.5/8.12.5/Submit) with UUCP id g7RMUAMX002271; Tue, 27 Aug 2002 23:30:10 +0100 (BST)
Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.5/8.12.5) with ESMTP id g7RMRil5025119; Tue, 27 Aug 2002 23:27:44 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Message-Id: <200208272227.g7RMRil5025119@grimreaper.grondar.org>
To: Ju Ichi
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
References: <200208271801.30895.freebsd-security@ichi.net>
In-Reply-To: <200208271801.30895.freebsd-security@ichi.net> ; from Ju Ichi "Tue, 27 Aug 2002 18:01:30 EDT."
Date: Tue, 27 Aug 2002 23:27:44 +0100
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> Ok. Just to clarify, are you saying I *did* add to the noise? I'm still
> unclear as to what, if any, questions are legitimate.

Whether you did or did not, I do not care right now. Blaming individuals is not what I'm after.

> > Wanna contribute? :-)
>
> Sure. I'll help if I can. Bear in mind, I'm new to the list and fairly new
> to FreeBSD for that matter.

OK - If you see a question, please reduce the question to its most general form, and supply both the question and the answer to the DOCS folks for committing.

On lists:

HEY D00DZ, L1KE, WH|CH IS, LlKE, B3ZT, L1NUX 0R, L1KE 8SD????!!!

Your submission:

Q: "Which is best, FreeBSD or Linux?"
A: "Well, it depends. Which best suits your purpose... "

See what I mean? :-)

> One other thing, (and not to stir anything up, but) do you mean FAQs from the
> list? If so, that should mean that people ask questions on the list.
> Correct? :-)

Any question that is asked more than once and that annoys you (joke!) is an FAQ. Useful non-security FAQ's can be handed over to the DOCs folks for safekeeping :-).

M
--
o       Mark Murray
\_
O.\_    Warning: this .sig is umop ap!sdn

From owner-freebsd-security Tue Aug 27 15:50:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F10AE37B400 for ; Tue, 27 Aug 2002 15:50:22 -0700 (PDT)
Received: from dragon.ichi.net (dragon.ichi.net [209.42.196.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1E03D43E6A for ; Tue, 27 Aug 2002 15:50:22 -0700 (PDT) (envelope-from freebsd-security@ichi.net)
Received: from coaster (localhost.localdomain [127.0.0.1]) by dragon.ichi.net (8.11.6/8.11.6) with ESMTP id g7RMbo523839; Tue, 27 Aug 2002 18:37:50 -0400
Content-Type: text/plain; charset="iso-8859-1"
From: Ju Ichi
To: Mark Murray
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Date: Tue, 27 Aug 2002 18:49:12 -0400
User-Agent: KMail/1.4.1
Cc: freebsd-security@FreeBSD.ORG
References: <200208271801.30895.freebsd-security@ichi.net> <200208272227.g7RMRil5025119@grimreaper.grondar.org>
In-Reply-To: <200208272227.g7RMRil5025119@grimreaper.grondar.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200208271849.12854.freebsd-security@ichi.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Tuesday 27 August 2002 6:27 pm, Mark Murray wrote:
> Blaming individuals is not what I'm after.

Fair enough.

> OK - If you see a question, please reduce the question to its most
> general form, and supply both the question and the answer to the
> DOCS folks for committing.
>
> See what I mean? :-)

Sure thing.

> > One other thing, (and not to stir anything up, but) do you mean FAQs from the
> > list? If so, that should mean that people ask questions on the list.
> > Correct? :-)
>
> Any question that is asked more than once and that annoys you (joke!)
> is an FAQ. Useful non-security FAQ's can be handed over to the DOCs folks
> for safekeeping :-).

I know what you mean.

I've been involved in Usenet for quite a while and got into running local news servers in the mid-1990s. These sorts of problems are the same whether it is on Usenet or in mailing lists. It's a matter of educating people as much as you can and realizing there will still be people who don't/can't read. :-)

As I believe someone else already suggested, a weekly or monthly automated message to the list that sets out guidelines may be a good idea. IMHO, most people mean well, they just don't know. The first thing though is to figure out what is acceptable to the majority of the active list members and get it in a short, readable format. If there are things that *must* not be sent to this list then document them. If there are things that just *should* not be sent to the list then document them that way as well. Then fight your major battles over the things that have been documented as "*must* not happen".

See what I mean?

Ju

From owner-freebsd-security Tue Aug 27 16:21: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C366737B400 for ; Tue, 27 Aug 2002 16:20:55 -0700 (PDT)
Received: from router.drapple.com (12-224-198-27.client.attbi.com [12.224.198.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B6A143E75 for ; Tue, 27 Aug 2002 16:20:55 -0700 (PDT) (envelope-from mark@work.drapple.com)
Received: from work.drapple.com (work [192.168.1.10]) by router.drapple.com (8.9.3/8.9.3) with ESMTP id QAA00626; Tue, 27 Aug 2002 16:20:47 -0700 (PDT) (envelope-from mark@work.drapple.com)
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <200208271849.12854.freebsd-security@ichi.net>
Date: Tue, 27 Aug 2002 16:20:43 -0700 (PDT)
From: Mark Hartley
To: Ju Ichi
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On 27-Aug-02 Ju Ichi wrote:
> On Tuesday 27 August 2002 6:27 pm, Mark Murray wrote:
>> Blaming individuals is not what I'm after.
>
> Fair enough.
>
>> OK - If you see a question, please reduce the question to its most
>> general form, and supply both the question and the answer to the
>> DOCS folks for committing.
>>
>> See what I mean? :-)
>
> Sure thing.
>
>> > One other thing, (and not to stir anything up, but) do you mean FAQs from the
>> > list? If so, that should mean that people ask questions on the list.
>> > Correct? :-)
>>
>> Any question that is asked more than once and that annoys you (joke!)
>> is an FAQ. Useful non-security FAQ's can be handed over to the DOCs folks
>> for safekeeping :-).
>
> I know what you mean.
>
> I've been involved in Usenet for quite a while and got into running local
> news servers in the mid-1990s. These sorts of problems are the same whether it is
> on Usenet or in mailing lists. It's a matter of educating people as much as
> you can and realizing there will still be people who don't/can't read. :-)
>
> As I believe someone else already suggested, a weekly or monthly automated
> message to the list that sets out guidelines may be a good idea. IMHO, most
> people mean well, they just don't know. The first thing though is to figure
> out what is acceptable to the majority of the active list members and get it
> in a short, readable format. If there are things that *must* not be sent to
> this list then document them. If there are things that just *should* not be
> sent to the list then document them that way as well. Then fight your major
> battles over the things that have been documented as "*must* not happen".
> See what I mean?
>
> Ju

Can you explain to me how a weekly/monthly message to the list would be helpful if people don't have to be subscribed to post to the list? The people who need this information most are the ones who AREN'T subscribed already.

While I can see value in sending such a message, I think this list still needs to require you to be subscribed before you post. Maybe we could have that informational message be sent when you subscribe to the list, so that everyone new to the list would at least have been sent the info once.

Just a thought.

Mark.
From owner-freebsd-security Tue Aug 27 16:54:59 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B7CD637B401 for ; Tue, 27 Aug 2002 16:54:53 -0700 (PDT)
Received: from CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com (CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com [24.103.39.131]) by mx1.FreeBSD.org (Postfix) with SMTP id F22CB43E4A for ; Tue, 27 Aug 2002 16:54:52 -0700 (PDT) (envelope-from shadow@cpe0004761ac738-cm00109515bc65.cpe.net.cable.rogers.com)
Received: (qmail 23740 invoked by uid 1001); 27 Aug 2002 23:54:58 -0000
Date: Tue, 27 Aug 2002 19:54:58 -0400
From: Miroslav Pendev
To: security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <20020827235458.GA23546@cybershade.us>
References: <200208271801.30895.freebsd-security@ichi.net> <200208272227.g7RMRil5025119@grimreaper.grondar.org> <200208271849.12854.freebsd-security@ichi.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200208271849.12854.freebsd-security@ichi.net>
X-Divine-Shadow-Zone: Beware of Lexxx!
X-Operating-System: FreeBSD 4.6 STABLE
X-System-Uptime: 6:49PM up 7 days, 21:51, 7 users, load averages: 0.08, 0.02, 0.01
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Hi Guys,

As I can see it, there are two problems:

1. Subscribers only security list.

As a matter of fact this is the only list (lists) I am subscribed to, that you can post a message without being subscribed, first.

If you are good enough to need FreeBSD security, you must know at least how to check your home (corporate) email(s) no matter what kind of corporate policy and internet access you have. You can use ssh or Webmail or whatever to check your subscribed email account.

So, I don't think that this (1.) can be a problem at all. At least it is NOT a problem to FreeBSD's core team or mailadmins or whoever is responsible for this decision.

Subscribers only security list may not stop 100% of the spam, but definitely will stop most of the '...hot teens...credits...etc' crap.

2. OS security specific list only!

As I understand it this list will not be the right place to ask why your Win-Dos box can not go through your firewall, right! I am ok with that, too!

If this can make the signal bigger and better, and will make the security engineers do a better job - ok, let's do it!

But, someone has to put in bold somewhere what this list is for and what it isn't, so the new folks know what to ask here and what to ask in 'questions'! Preferably in the web site around subscription info...

Just my thoughts!
--Miro

From owner-freebsd-security Tue Aug 27 20:25:18 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C9C437B400 for ; Tue, 27 Aug 2002 20:24:57 -0700 (PDT)
Received: from relay3.kornet.net (relay3.kornet.net [211.48.62.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 34B0043E6E for ; Tue, 27 Aug 2002 20:24:55 -0700 (PDT) (envelope-from hyun10310@kornet.net)
Received: from your-afc98a0fg0 (61.73.108.210) by relay3.kornet.net; 28 Aug 2002 12:24:47 +0900
Message-ID: <3d6c42803d7c5b0e@relay3.kornet.net> (added by relay3.kornet.net)
From: =?ks_c_5601-1987?B?vLy9ur+1vu4=?=
To: freebsd-security@freebsd.org
Subject: =?ks_c_5601-1987?B?W7GksO1dIGZyZWVic2Qtc2VjdXJpdHm01CC+yLPnx8+8vL/kPyC3zrq4xq7H0riuwMcgvNO8ur+1vu668bn9ILD4sLMhILmrt+G7+cfDIFRBUEXAuyC6uLO7teW4s7TPtNkh?=
Date: Wed, 28 Aug 2002 12:24:55 +0900
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0127_01C0F24A.93A55C00"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

This is a multi-part message in MIME format.
------=_NextPart_000_0127_01C0F24A.93A55C00
Content-Type: text/plain; charset="ks_c_5601-1987"
Content-Transfer-Encoding: base64

[base64-encoded text/plain body of the advertisement]

------=_NextPart_000_0127_01C0F24A.93A55C00
Content-Type: text/html; charset="ks_c_5601-1987"
Content-Transfer-Encoding: base64

[base64-encoded text/html body of the advertisement]
ICAgICAgICA8dGQgICAgYWxpZ249ImNlbnRlciIgYmdjb2xvcj0iI0VERUZGRSI+PGZvbnQg c2l6ZT0iMiI+wPzIrbn4yKM8L2ZvbnQ+PC90ZD4NCiAgICAgICAgICAgIDx0ZCAgPiZuYnNw OyANCiAgICAgICAgICAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9InRlbDEiIHNpemU9 IjQiIG1heGxlbmd0aD0iNCIgPg0KICAgICAgICAgICAgICAtIA0KICAgICAgICAgICAgICA8 aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0idGVsMiIgc2l6ZT0iNCIgbWF4bGVuZ3RoPSI0IiA+ DQogICAgICAgICAgICAgIC0gDQogICAgICAgICAgICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBu YW1lPSJ0ZWwzIiBzaXplPSI0IiBtYXhsZW5ndGg9IjQiID4NCiAgICAgICAgICAgICAgPGZv bnQgc2l6ZT0iMiI+ICi/uTogMDItNTE1LTE2MDApIDwvZm9udD48L3RkPg0KICAgICAgICAg IDwvdHI+DQogICAgICAgICAgPHRyIGhlaWdodD0iMzAiPiANCiAgICAgICAgICAgIDx0ZCAg ICBhbGlnbj0iY2VudGVyIiBiZ2NvbG9yPSIjRURFRkZFIj48Zm9udCBzaXplPSIyIj7H2rXl xvk8L2ZvbnQ+PC90ZD4NCiAgICAgICAgICAgIDx0ZCAgPiZuYnNwOyANCiAgICAgICAgICAg ICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9Imh0ZWwxIiBzaXplPSI0IiBtYXhsZW5ndGg9 IjQiID4NCiAgICAgICAgICAgICAgLSANCiAgICAgICAgICAgICAgPGlucHV0IHR5cGU9InRl eHQiIG5hbWU9Imh0ZWwyIiBzaXplPSI0IiBtYXhsZW5ndGg9IjQiID4NCiAgICAgICAgICAg ICAgLSA8Zm9udCBzaXplPSIyIj4gDQogICAgICAgICAgICAgIDxpbnB1dCB0eXBlPSJ0ZXh0 IiBuYW1lPSJodGVsMyIgc2l6ZT0iNCIgbWF4bGVuZ3RoPSI0IiA+DQogICAgICAgICAgICAg ICi/uTogMDExLTEyMy00NTY3KSA8L2ZvbnQ+PC90ZD4NCiAgICAgICAgICA8L3RyPg0KICAg ICAgICANCiAgICAgIDwvdGFibGU+DQogICAgICA8cD4NCiAgICAgIDx0YWJsZSB3aWR0aD0i NTYwIiBib3JkZXI9IjAiIGNlbGxzcGFjaW5nPSIwIiBjZWxscGFkZGluZz0iMCIgYWxpZ249 ImNlbnRlciI+DQogICAgICAgIDx0cj4gDQogICAgICAgICAgPHRkIGFsaWduPSJjZW50ZXIi Pg0KICAgICAgICAgICAgPGlucHV0IHR5cGU9aW1hZ2UgU1JDPSJodHRwOi8vd3d3Lm1haWxw YXJ0bmVyLmNvLmtyL2VtYWlsLzA1MDEvaW1nL3NpZ24uZ2lmIiBXSURUSD0iNTkiIEhFSUdI VD0iMjAiIEJPUkRFUj0wID4NCiAgICAgICAgICAgICZuYnNwOyZuYnNwOyZuYnNwOyA8SU1H IFNSQz0iaHR0cDovL3d3dy5tYWlscGFydG5lci5jby5rci9lbWFpbC8wNTAxL2ltZy9yZXdy aXRlLmdpZiIgV0lEVEg9IjU5IiBIRUlHSFQ9IjIwIiBCT1JERVI9MCBBTFQ9IiIgb25jbGlj az0iamF2YXNjcmlwdDpyZXNldCgpIiA+IA0KICAgICAgICAgIDwvdGQ+DQogICAgICAgIDwv dHI+DQogICAgICA8L3RhYmxlPg0KCSAgDQogICAgPHA+PC9mb3JtPjwvdGQ+DQogIDwvdHI+ 
From owner-freebsd-security Wed Aug 28 0:28:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D761B37B401 for ; Wed, 28 Aug 2002 00:28:28 -0700 (PDT)
Received: from localhost.neotext.ca (h24-70-64-200.ed.shawcable.net [24.70.64.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78EE843E42 for ; Wed, 28 Aug 2002 00:28:27 -0700 (PDT) (envelope-from campbell@babayaga.neotext.ca)
Received: from babayaga.neotext.ca (localhost.neotext.ca [127.0.0.1]) by localhost.neotext.ca (8.12.5/8.12.5) with ESMTP id g7S7TTAx031784; Wed, 28 Aug 2002 01:29:29 -0600 (MDT) (envelope-from campbell@babayaga.neotext.ca)
From: "Duncan Patton a Campbell is Dhu"
To: 세스영어, freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Date: Wed, 28 Aug 2002 01:29:29 -0600
Message-Id: <20020828072929.M30954@babayaga.neotext.ca>
In-Reply-To: <3d6c42803d7c5b0e@relay3.kornet.net> (added by relay3.kornet.net)
References: <3d6c42803d7c5b0e@relay3.kornet.net> (added by relay3.kornet.net)
X-Mailer: Open WebMail 1.70 20020712
X-OriginatingIP: 127.0.0.1 (campbell)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

I haven't seen so much futile bs for a long time. Mr. Murray has managed to create a lot of sound and fury here, signifying that he really does want to be a net-nanny. This might work out ok.

Can MajorDomo be tricked out to allow subscriber based posts with unverified posts being relayed to the net-nanny's box for vetting? If so, fine.

Following is an example of the kind of sh*t that my antiquated netscape seems to choke on.

I also suspect that some of the brown-hats have filched the mail list from the majordomo: my recent subscription here has coincided with a considerable increase in the number of offers I've received to elongate my penis with revolutionary pharmaceutical preparations.

Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: 세스영어
To: freebsd-security@FreeBSD.ORG
Sent: Wed, 28 Aug 2002 12:24:55 +0900
Subject: [Advertisement] Hello freebsd-security! 로보트할리's secret to fast English revealed! We'll send you a free sample TAPE!

> [Forwarded body: Korean-language advertisement (EUC-KR, mis-encoded in the archive) for an English-learning course offering a free sample tape, with a sign-up form for name, e-mail, occupation, postal address and phone numbers, followed by the usual notice that the address was obtained from a public place on the Internet and that recipients may opt out.]
------- End of Original Message -------

From owner-freebsd-security Wed Aug 28 0:53: 8 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 339C637B400 for ; Wed, 28 Aug 2002 00:53:06 -0700 (PDT)
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id A74F043E4A for ; Wed, 28 Aug 2002 00:53:01 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org)
Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.5/8.12.5) with ESMTP id g7RN5AMA002517; Wed, 28 Aug 2002 00:05:10 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.5/8.12.5/Submit) with UUCP id g7RN5Adj002516; Wed, 28 Aug 2002 00:05:10 +0100 (BST)
Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.5/8.12.5) with ESMTP id g7RN4Al5025577; Wed, 28 Aug 2002 00:04:10 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Message-Id: <200208272304.g7RN4Al5025577@grimreaper.grondar.org>
To: Ju Ichi
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
References: <200208271849.12854.freebsd-security@ichi.net>
In-Reply-To: <200208271849.12854.freebsd-security@ichi.net> ; from Ju Ichi "Tue, 27 Aug 2002 18:49:12 EDT."
Date: Wed, 28 Aug 2002 00:04:10 +0100
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> As I believe someone else already suggested, a weekly or monthly automated
> message to the list that sets out guidelines may be a good idea. IMHO, most
> people mean well, they just don't know. The first thing though is to figure
> out what is acceptable to the majority of the active list members and get it
> in a short, readable format. If there are things that *must* not be sent to
> this list then document them. If there are things that just *should* not be
> sent to the list then document them that way as well. Then fight your major
> battles over the things that have been documented as "*must* not happen".
> See what I mean?

I think we have violent agreement :-). All we need now is a FAQ.

All readers to this list, HEAR YE! I'll spend some time coming up with the next step. Other folks, please come up with whatever signal needs to be added to the monthly reminder.

Remember, Process not Conclusion.
All things are mutable :-)

M
--
o      Mark Murray
\_
O.\_   Warning: this .sig is umop ap!sdn

From owner-freebsd-security Wed Aug 28 4:33:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C00237B400 for ; Wed, 28 Aug 2002 04:33:14 -0700 (PDT)
Received: from antalya.lupe-christoph.de (pD9E883D0.dip0.t-ipconnect.de [217.232.131.208]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8654743E72 for ; Wed, 28 Aug 2002 04:33:12 -0700 (PDT) (envelope-from lupe@lupe-christoph.de)
Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id 9683C5E9; Wed, 28 Aug 2002 13:33:10 +0200 (CEST)
Date: Wed, 28 Aug 2002 13:33:10 +0200
To: Mark Murray
Cc: Jens Rehsack, freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <20020828113310.GP26115@lupe-christoph.de>
References: <3D6BD999.10753D8E@liwing.de> <200208272004.g7RK4gl5023435@grimreaper.grondar.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200208272004.g7RK4gl5023435@grimreaper.grondar.org>
User-Agent: Mutt/1.4i
From: lupe@lupe-christoph.de (Lupe Christoph)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Tuesday, 2002-08-27 at 21:04:42 +0100, Mark Murray wrote:

> > > Hmm. Most gurus will avoid it, and I suspect it will become a
> > > duplicate of freebsd-questions.

> > I don't believe that. I can surely speak for the germans here - I know
> > many of them would respond to questions if -security-questions. And if
> > I'm honest, many questions I see in -questions I'd like to see in f.e.
> > -security(-questions), because the -questions is a very low knowledge list.

I think that just one general questions list is too little. I was subscribed to it once (when I started with FreeBSD, of course ;-) and quickly unsubscribed again because the signal/noise ratio was bad, but even more importantly because of many subjects that didn't interest me in the least. I don't have time to answer many questions, so I tend to restrict this to areas where few people have knowledge, like SCSI problems on Solaris, etc.

I'd bet the same happened to a lot of people who tried -questions. So either the more focussed lists must accept questions in their area, or lists like -security-questions should be created.

I run a couple of Debian machines, and debian-security is *very* similar to freebsd-security, sans the excitement about Spam and off-topic posts. About the same Signal/Noise, about the same volume. (Not right now, but most of the time ;-)

> Hmm. OK. I'll bite.

OK, I'll reel in...

> Ask core for this formally, and convince them (us!) that this is needed,
> and I will champion your cause.

1) This list could use a charter. There are too many meta-discussions about what is appropriate content. Anybody know where to steal one?

2a) If the charter says that only security incidents, loopholes, etc are to be discussed, there should be a security-questions.

2b) If not, then not ;-)

> > > OK - you have a deal! If you annoy us properly by submitting enough
> > > good-quality documentation upgrades, I'll punish you by a) ensuring they
> > > are committed, and b) if enough of them come, ensuring that you can commit
> > > them your damn self ;-)

> > a) ok

> > b) not ok. I'm a developer and boss of a small company. I do not have
> > enough time to "really" prove into last final detail and the risk
> > that I submit (because it has to be fast) not enough tested and
> > verified stuff.

Same here, except that I'm on the sysadmin side of things.
Like many people, I've run into the deficit of documentation for KAME IPSec, and I've been collecting mails with snippets of docs. I've seen about the same questions reoccur every few weeks. So, yes, we could use an FAQ. Attached to -security or -security-questions.

Lupe Christoph
-- 
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |

From owner-freebsd-security Wed Aug 28 5:15:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C1DEE37B400 for ; Wed, 28 Aug 2002 05:15:10 -0700 (PDT)
Received: from antalya.lupe-christoph.de (pD9E883D0.dip0.t-ipconnect.de [217.232.131.208]) by mx1.FreeBSD.org (Postfix) with ESMTP id E326143E6A for ; Wed, 28 Aug 2002 05:15:08 -0700 (PDT) (envelope-from lupe@lupe-christoph.de)
Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id CC2D05E9; Wed, 28 Aug 2002 14:15:06 +0200 (CEST)
Date: Wed, 28 Aug 2002 14:15:06 +0200
To: Mark Murray
Cc: Y S, freebsd-security@FreeBSD.ORG
Subject: Re: IPsec tunnel between XP and FreeBSD
Message-ID: <20020828121506.GQ26115@lupe-christoph.de>
References: <20020827210346.24979.qmail@web12905.mail.yahoo.com> <200208272120.g7RLKdl5024447@grimreaper.grondar.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200208272120.g7RLKdl5024447@grimreaper.grondar.org>
User-Agent: Mutt/1.4i
From: lupe@lupe-christoph.de (Lupe Christoph)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Tuesday, 2002-08-27 at 22:20:39 +0100, Mark Murray wrote:

> > Thanks for your comment. The reasons I post this thread here are
> > 1. I think inter-operability between freebsd and other OS is also a
> > big issue of security.

> General interoperability, while important, is not security-critical.

Seconded. But he is asking about interoperability of security software.

> > 3. I've seen some similar discussion within this mailing list. (I
> > know this is not a good reason though :))

> Bad reason :-). This does not mean you are not welcome. Once the
> general system administration questions are worked out, and you have
> some specific security issues, please post them here.

I thought the discussion about what is off-topic and what to do with that has not been closed. While some people argue that this is a list for security problems, there is definite need for a list that answers questions related to security, software, sysadmin, etc. -questions is not that list.

> > I will cc the question to question list too. Thanks again,
> > Sunny

> Good move.

Stoopid(tm) move. He will most probably not get an answer.

People wake up to it. Just sending people with valid problems off-list will not make this list better or, even more important, help those people. Do you really care more about this list being on-topic (however you define that) than systems having better security?

The fact that there is no alternative to this list when it comes to security-related questions will *always* attract people to this list. Now, unless you get some joy from bashing people for being off-topic, you will have no joy at all. So let's do something about it. Either accept questions like this. Or create a list like debian-security where the focus is helping people to make their system more secure.

Lupe Christoph
-- 
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |

From owner-freebsd-security Wed Aug 28 8: 2: 3 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7287A37B400 for ; Wed, 28 Aug 2002 08:01:59 -0700 (PDT)
Received: from olmec.nighttide.net (jasper.nighttide.net [207.5.141.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5344A43E75 for ; Wed, 28 Aug 2002 08:01:58 -0700 (PDT) (envelope-from darren@nighttide.net)
Received: from localhost (localhost [127.0.0.1]) by olmec.nighttide.net (8.12.5/8.12.5) with ESMTP id g7SF1mF3083704; Wed, 28 Aug 2002 11:01:48 -0400 (EDT) (envelope-from darren@nighttide.net)
Date: Wed, 28 Aug 2002 11:01:48 -0400 (EDT)
From: Darren Henderson
To: Lupe Christoph
Cc: Mark Murray, Jens Rehsack,
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
In-Reply-To: <20020828113310.GP26115@lupe-christoph.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

It probably wouldn't be workable but, with subscribers-only turned on, if folks' first post could be held for moderation a lot of the off-topic, out-of-charter stuff could be redirected or stopped. After the first on-topic message they could be taken off moderation. Stops the hit-and-run stuff. Means a lot of extra work for the list admin though.

On Wed, 28 Aug 2002, Lupe Christoph wrote:

> I think that just one general questions list is too little. I was

This is a problem that a lot of large projects have. One general question list is created and it rapidly becomes an unwieldy mess. Ever looked at the general PHP list? It's awful. Just way too much traffic to be of use.

I'm subscribed to an HP-UX admin list that has almost the opposite problem. By design or happenstance the list consists of questions and summary responses. Practically no discussion on list - which I find a bit uncomfortable - lose that community, synergy kind of thing - often times pick up bits of info in the discussions that I wouldn't normally know.

It would be nice if core would be amenable to creating, say:

freebsd-questions-security
freebsd-questions-hardware
freebsd-questions-installation
freebsd-questions-administration
freebsd-questions-networking

And whatever other high volume questions keep coming up. Benefits everyone in the long run, people can follow and try to help out where they are most comfortable, people who need something answered and are actually paying attention will be able to go where they will most likely find what they need. Of course the general question list will stay a mess.

The other problem is that a lot of questions will span categories. "How do I get natd to do x" could fit in three or four of the categories I suggested above.

Strangely the freebsd-newbies list seems to get relatively low traffic. Which is a pity, would be a good venue for folks coming up to speed. Must be some kind of stigma attached to "newbie" that keeps people away.
______________________________________________________________________
Darren Henderson                                  darren@nighttide.net
                    Help fight junk e-mail, visit http://www.cauce.org/

From owner-freebsd-security Wed Aug 28 8:54:41 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B59E737B400 for ; Wed, 28 Aug 2002 08:54:37 -0700 (PDT)
Received: from mile.nevermind.kiev.ua (office.netstyle.com.ua [213.186.199.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 630C643E65 for ; Wed, 28 Aug 2002 08:54:34 -0700 (PDT) (envelope-from never@mile.nevermind.kiev.ua)
Received: from mile.nevermind.kiev.ua (never@localhost [127.0.0.1]) by mile.nevermind.kiev.ua (8.12.3/8.12.3) with ESMTP id g7SFsKmA074724; Wed, 28 Aug 2002 18:54:21 +0300 (EEST) (envelope-from never@mile.nevermind.kiev.ua)
Received: (from never@localhost) by mile.nevermind.kiev.ua (8.12.3/8.12.3/Submit) id g7SFsJAl074723; Wed, 28 Aug 2002 18:54:20 +0300 (EEST)
Date: Wed, 28 Aug 2002 18:54:19 +0300
From: Alexandr Kovalenko
To: Mark Murray
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <20020828155419.GA74564@nevermind.kiev.ua>
References: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
In-Reply-To: <200208271049.g7RAnrl5019226@grimreaper.grondar.org>
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Hello, Mark Murray!

On Tue, Aug 27, 2002 at 11:49:53AM +0100, you wrote:

> I would very much like to make this list subscriber-only. This will
> cut down dramatically on spam and the inevitable misdirected
> 'subscribe' postings. The downside is that folks will not be able

[snip]

> Comments? Suggestions? (Keep it brief and focussed, folks!)

Please, just do it. (almost (c) Nike)

-- 
NEVE-RIPE
Ukrainian FreeBSD User Group
http://uafug.org.ua/

From owner-freebsd-security Wed Aug 28 9:44:42 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 108F537B405; Wed, 28 Aug 2002 09:44:11 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B6D2243E4A; Wed, 28 Aug 2002 09:44:09 -0700 (PDT) (envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g7SGi9JU006576; Wed, 28 Aug 2002 09:44:09 -0700 (PDT) (envelope-from security-advisories@freebsd.org)
Received: (from nectar@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g7SGi9Y1006574; Wed, 28 Aug 2002 09:44:09 -0700 (PDT)
Date: Wed, 28 Aug 2002 09:44:09 -0700 (PDT)
Message-Id: <200208281644.g7SGi9Y1006574@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Notice FreeBSD-SN-02:05
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SN-02:05                                            Security Notice
                                                          The FreeBSD Project

Topic:          security issues in ports

Announced:      2002-08-28

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security issues. These are listed below with references and affected versions. All versions given refer to the FreeBSD port/package version numbers. The listed vulnerabilities are not specific to FreeBSD unless otherwise noted.

These ports are not installed by default, nor are they ``part of FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications. See for more information about the FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      acroread5
Affected:       versions < acroread-5.06
Status:         Fixed

Insecure temporary file handling. The acrobatviewer, acroread4, ghostscript, gv, mgv and xpdf ports can also display PDF files.
+------------------------------------------------------------------------+
Port name:      aide
Affected:       versions < aide-0.7_1
Status:         Fixed

The default aide.conf silently fails to check subdirectories, even though it appears to be configured to do so.
+------------------------------------------------------------------------+
Port name:      apache+mod_ssl
Affected:       versions < 1.3.26+2.8.10
Status:         Fixed

A child process of the Apache server can crash if it receives a request for the contents of a directory in which a maliciously constructed .htaccess file has been placed. In the default configuration, another child will be spawned, and the crash will be logged. Therefore the bug should be insignificant for most users.
+------------------------------------------------------------------------+
Port name:      bugzilla
Affected:       versions < bugzilla-2.14.2
Status:         Fixed

"Various security issues of varying importance."
+------------------------------------------------------------------------+ Port name: Canna Affected: versions < ja-Canna-3.5b2_3 Status: Fixed A remotely exploitable buffer overflow exists in the cannaserver daemon. Although previously corrected, the patch containing the correction was inadvertently removed from the port skeleton. +------------------------------------------------------------------------+ Port name: ethereal Affected: versions < ethereal-0.9.6 Status: Fixed Buffer overflows in BGP, IS-IS, and WCP dissectors. +------------------------------------------------------------------------+ Port name: fam Affected: versions < fam-2.6.8 Status: Fixed "Unprivileged users can potentially learn names of files that only users in root's group should be able to view." +------------------------------------------------------------------------+ Port name: isakmpd Affected: versions < isakmpd-20020403_1 Status: Fixed ``Receiving IKE payloads out of sequence can cause isakmpd(8) to crash.'' +------------------------------------------------------------------------+ Port name: irssi Affected: versions < irssi-0.8.5 Status: Fixed Maliciously long topic can crash program remotely. +------------------------------------------------------------------------+ Port name: kdelibs2 and kdelibs3 Affected: versions < kdelibs2-2.2.2_1 versions < kdelibs3-3.0.2_4 Status: Fixed A man-in-the-middle attack is possible against Konqueror and other KDE applications which use SSL. +------------------------------------------------------------------------+ Port name: krb5 Affected: versions < krb5-1.2.5_2 Status: Fixed Contains an overflow in Sun RPC XDR decoder. 
+------------------------------------------------------------------------+
Port name: linux-netscape6, netscape7, linux-mozilla, and mozilla
Affected: versions < mozilla-1.0_1,1 (mozilla)
          versions < linux-mozilla-1.1 (linux-mozilla)
          All versions (others)
Status: Fixed (linux-mozilla and mozilla)
        Not fixed (others)

Malicious Web pages or files can cause loss of X session. When the X server receives a request to display an enormously large scalable font, the server exits abruptly, killing all its clients. This has been confirmed only with XFree86 4.2.0, but there is evidence that XFree86 3.3.6, the X font server, and Xvnc behave the same way. Unpatched Netscape (major version 6 or 7) and Mozilla browsers do not limit the size of fonts which Web pages or files can specify, thus triggering the bug. Scalable fonts may be disabled as a workaround.

+------------------------------------------------------------------------+
Port name: mm
Affected: versions < mm-1.2.0
Status: Fixed

May allow the local Apache user to gain privileges via temporary files.

+------------------------------------------------------------------------+
Port name: mpack
Affected: versions < mpack-1.5_2
Status: Fixed

Buffer overflow which might be triggered when mpack is used to process data from a remote source (email, news, and so on).

+------------------------------------------------------------------------+
Port name: mozilla, linux-mozilla
Affected: versions < mozilla-1.0.rc1_2,1 (mozilla)
          versions < linux-mozilla-1.0_1 (linux-mozilla)
Status: Not fixed

An overflow exists in the Chatzilla IRC client. It can cause Mozilla to crash even if the demonstration page does not cause the crash. According to Robert Ginda, the bug does not allow execution of malicious code.

+------------------------------------------------------------------------+
Port name: newsx
Affected: versions < newsx-1.4.8
Status: Fixed

Format string bug reported by Niels Heinen.
+------------------------------------------------------------------------+
Port name: openssh, openssh-portable
Affected: versions < openssh-3.4 (openssh)
          versions < openssh-3.4p1 (openssh-portable)
Status: Fixed

Buffer overflow can lead to denial of service or root compromise.

+------------------------------------------------------------------------+
Port name: php
Affected: versions mod_php4-4.2.0 and mod_php4-4.2.1
          versions php4-4.2.0 and php4-4.2.1
Status: Fixed

On i386 architecture, may be remotely crashed; on other architectures, may allow execution of arbitrary code with the privileges of the Web server by anyone who can send HTTP POST requests.

+------------------------------------------------------------------------+
Port name: linux-png and png
Affected: versions < linux-png-1.0.14
          versions < png-1.2.4
Status: Fixed

Malformed images (for example, in Web pages) can cause applications to crash. Execution of malicious code may be possible.

+------------------------------------------------------------------------+
Port name: postgresql7
Affected: versions < postgresql7-7.2.2
Status: Fixed

Multiple buffer overruns may allow execution of malicious code. Remote attack is possible only when the server is configured to accept TCP/IP connections, which is not the default.

+------------------------------------------------------------------------+
Port name: samba
Affected: versions < samba-2.2.5
Status: Fixed

Possible buffer overflow.

+------------------------------------------------------------------------+
Port name: squid24
Affected: versions < squid-2.4_10
Status: Fixed

Buffer overflows may allow remote execution of code.

+------------------------------------------------------------------------+
Port name: super
Affected: versions < super-3.20.0
Status: Fixed

Local root exploit.
+------------------------------------------------------------------------+
Port name: webmin
Affected: versions < webmin-0.990_3
Status: Fixed

"If a webmin user is able to view print jobs, he can execute any command as root."

+------------------------------------------------------------------------+
Port name: zmailer
Affected: versions < zmailer-2.99.51_1
Status: Fixed

When using IPv6, a remote buffer overflow during the processing of the HELO command is possible. Reported by 3APA3A <3APA3A@SECURITY.NNOV.RU>.

+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

To upgrade a fixed port/package, perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port. Several tools are available in the Ports Collection to make this easier. See:

   /usr/ports/devel/portcheckout
   /usr/ports/misc/porteasy
   /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

   [i386]
   ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

   Packages are not automatically generated for other architectures at this time.

+------------------------------------------------------------------------+

FreeBSD Security Notices are communications from the Security Officer intended to inform the user community about potential security issues, such as bugs in the third-party applications found in the Ports Collection, which will not be addressed in a FreeBSD Security Advisory. Feedback on Security Notices is welcome at .
From owner-freebsd-security Wed Aug 28 12: 2:37 2002
From: "Peter C. Lai"
Date: Wed, 28 Aug 2002 15:02:32 -0400
To: Lupe Christoph
Cc: Mark Murray, Jens Rehsack, freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <20020828190232.GA533@cowbert.2y.net>
In-Reply-To: <20020828113310.GP26115@lupe-christoph.de>

On Wed, Aug 28, 2002 at 01:33:10PM +0200, Lupe Christoph wrote:
> I run a couple of Debian machines, and debian-security is *very* similar
> to freebsd-security, sans the excitement about Spam and off-topic posts.
> About the same Signal/Noise, about the same volume. (Not right now, but
> most of the time ;-)
>

A better comparison would be freebsd-stable. Every and any problem that people have they will send there as long as uname -r says xxx-STABLE. This includes things like 'i can't do foo anymore after upgrading' to debugging of a kernel. The SNR of that list is much lower than here. Some questions typically get drowned out by other ones that people on this list would deem off-topic. I don't see discussions there about appropriate content either. If you are lamenting about SNR, propose to make this list technical and not general. Furthermore, you can also set an example by not group-replying to mail you think is off-topic. It all comes down to the mentality of the subscribers. If people here habitually digress, then that is the nature of this list.

>
> 1) This list could use a charter. There are too many meta-discussions
> about what is appropriate content. Anybody know where to steal one?
> 2a) If the charter says that only security incidents, loopholes, etc are
> to be discussed, there should be a security-questions.
> 2b) If not, then not ;-)
>

There is a "charter" but all it says is:

"FREEBSD-SECURITY
Security issues

FreeBSD computer security issues (DES, Kerberos, known security holes and fixes, etc). This is a technical mailing list for which strictly technical content is expected."

Well, at least it says that chatter is discouraged (such as complaining about spam) but it doesn't limit what 'technical' questions are being asked. "I can't implement foo in IPSEC. Has someone done 'foo' with IPSEC before, and how?" seems to be a legitimate technical question to me.

> > > > OK - you have a deal!
> > > > If you annoy us properly by submitting enough
> > > > good-quality documentation upgrades, I'll punish you by a) ensuring they
> > > > are committed, and b) if enough of them come, ensuring that you can commit
> > > > them your damn self ;-)

Yes, telling people to RTFM where there is no FM to read is silly (or if you need to be Jordan Hubbard to understand it).

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
Yale University School of Medicine
Center for Medical Informatics | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Wed Aug 28 13: 8:18 2002
From: Stefan Krüger
Date: Wed, 28 Aug 2002 21:07:47 +0100
To: freebsd-security@FreeBSD.org, tech-security@NetBSD.org, misc@openbsd.org
Subject: 1024 bit key considered insecure (sshd)
Message-ID: <20020828200748.90964.qmail@mail.com>
Hi folks,

I've just read:

http://www.counterpane.com/crypto-gram-0204.html#3 and
http://online.securityfocus.com/archive/1/263924

and maybe we should update our rc scripts,
so that ssh-keygen generates at least 1280 Bit keys

regards, SK

--
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

From owner-freebsd-security Wed Aug 28 13:26:36 2002
From: veedee@c7.campus.utcluj.ro
Date: Wed, 28 Aug 2002 23:26:24 +0300
Cc: freebsd-security@FreeBSD.org
Subject: Re: 1024 bit key considered insecure (sshd)
Message-ID: <20020828232624.A9280@c7.campus.utcluj.ro>
In-Reply-To: <20020828200748.90964.qmail@mail.com>; from skrueger@europe.com on Wed, Aug 28, 2002 at 09:07:47PM +0100

On Wed, Aug 28, 2002 at 09:07:47PM +0100, Stefan Krüger wrote:
> Hi folks,
>
> I've just read:
>
> http://www.counterpane.com/crypto-gram-0204.html#3 and
> http://online.securityfocus.com/archive/1/263924
>
> and maybe we should update our rc scripts,
> so that ssh-keygen generates at least 1280 Bit keys

Just out of curiosity, can anyone with access to a gigabit network run some tests and tell us the difference between using several different keys? Like 1024, 1280, 2048, 4096.
I'm curious if a bigger key really slows down the operation as Bruce Schneier implies ("Doubling the key size roughly corresponds to a six-times speed slowdown in software").

--
Radu Bogdan RUSU | veedee@c7.campus.utcluj.ro
NSA/P @ campus.utcluj.ro | http://c7.campus.utcluj.ro/~veedee

From owner-freebsd-security Wed Aug 28 13:43:22 2002
From: Colin Percival
Date: Wed, 28 Aug 2002 13:42:48 -0700
To: veedee@c7.campus.utcluj.ro
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: 1024 bit key considered insecure (sshd)
Message-id: <5.0.2.1.1.20020828132755.0284b2a8@popserver.sfu.ca>
In-reply-to: <20020828232624.A9280@c7.campus.utcluj.ro>
References: <20020828200748.90964.qmail@mail.com>

At 23:26 28/08/2002 +0300, veedee@c7.campus.utcluj.ro wrote:
> Just out of curiosity, can anyone with access to a gigabit network run some
> tests and tell us the difference between using several different keys? Like
> 1024, 1280, 2048, 4096.
> I'm curious if a bigger key really slows down the operation as Bruce Schneier
> implies ("Doubling the key size roughly corresponds to a six-times speed
> slowdown
> in software").

It does slow things down to that extent (assuming O(n^1.585) multiplication, which is typical), for the asymmetric encryption operations. Once the connection is set up, symmetric encryption is used. Moving from 1024 bits up to 4096 bits would, on a typical machine, cause the connection setup to take half a second instead of a hundredth of a second, but beyond that there would be no difference.

When I brought this up earlier (http://groups.google.com/groups?threadm=5.0.2.1.1.20020326024955.02392830%40popserver.sfu.ca) there was a concern about breaking v1 clients using the RSAREF library.
Colin Percival

From owner-freebsd-security Wed Aug 28 13:58: 2 2002
From: Matthias Buelow
Date: Wed, 28 Aug 2002 22:57:55 +0200
To: Stefan Krüger
Cc: freebsd-security@FreeBSD.org, tech-security@NetBSD.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
Message-ID: <3D6D3953.6090005@mukappabeta.de>
References: <20020828200748.90964.qmail@mail.com>

Stefan Krüger wrote:
> Hi folks,
>
> I've just read:
>
> http://www.counterpane.com/crypto-gram-0204.html#3 and
> http://online.securityfocus.com/archive/1/263924
>
> and maybe we should update our rc scripts,
> so that ssh-keygen generates at least 1280 Bit keys

I think this is highly overrated and only of theoretical value for most *BSD users. It would be ok to document, for some paranoid users which fall for the hype but then please leave it at that.
Some of us run NetBSD on old hardware and don't want to be crippled by excessive default values with little or no practical impact.

--mkb

From owner-freebsd-security Wed Aug 28 14:58:57 2002
From: "Roger 'Rocky' Vetterberg"
Date: Thu, 29 Aug 2002 00:01:18 +0200
To: peter.lai@uconn.edu
Cc: Mark Murray, freebsd-security@FreeBSD.ORG
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID: <3D6D482E.5070205@401.cx>
References: <3D6BD999.10753D8E@liwing.de> <200208272004.g7RK4gl5023435@grimreaper.grondar.org> <20020828113310.GP26115@lupe-christoph.de> <20020828190232.GA533@cowbert.2y.net>

Peter C. Lai wrote:
*snip*
>
> There is a "charter" but all it says is:
> "FREEBSD-SECURITY
> Security issues
>
> FreeBSD computer security issues (DES, Kerberos, known security
> holes and fixes, etc).
> This is a technical mailing list for which
> strictly technical content is expected."
>

English is not my native language, so I could be mistaken, but the way I read it is that this is a list for technical discussions, _not_ questions. I guess "FreeBSD computer security issues", with a little good will, could mean that it is ok to ask questions, but I would have to really want it to mean that before I would come to such a conclusion. If I had never subscribed to -security and someone asked me what I thought the list was about just by reading the charter, the last thing I would say would be "a place where you can get help".

--
R

From owner-freebsd-security Wed Aug 28 15:59: 7 2002
From: Dave Taira
Date: Wed, 28 Aug 2002 15:58:51 -0700 (PDT)
To: Mipam
Cc: freebsd-security@FreeBSD.org
Subject: Re: 1024 bit key considered insecure (sshd)
In-Reply-To: <20020828224330.GE249@localhost>

On Thu, 29 Aug 2002, Mipam wrote:
> A very valid fact.
> But perhaps a note could be added which addresses
> the info leaving it up to the user what to do?

If it matters to you, then read ssh-keygen(1), change /etc/rc, and generate new keys.

[ Dave Taira 2002.08.28/15:58:52 PDT ]
[ Morlock for Hire ]
[ if a hard drive is a bag of beef, inodes are nihilistic fish, swimming ]
[ in darkness. --Andr00 ]

From owner-freebsd-security Wed Aug 28 16:53:19 2002
To: peter.lai@uconn.edu
Cc: freebsd-security@freebsd.org
Subject: Re: Administrivia: Discussion - Making this list subscriber-only
Message-Id: <200208281951.g7SJp5l5033179@grimreaper.grondar.org>
References: <20020828190232.GA533@cowbert.2y.net>
In-Reply-To: <20020828190232.GA533@cowbert.2y.net>; from "Peter C. Lai" "Wed, 28 Aug 2002 15:02:32 EDT."
Date: Wed, 28 Aug 2002 20:51:05 +0100
From: Mark Murray

> A better comparison would be freebsd-stable. Every and any problem
> that people have they will send there as long as uname -r says
> xxx-STABLE. This includes things like 'i can't do foo anymore after
> upgrading' to debugging of a kernel. The SNR of that list is much
> lower than here. Some questions typically get drowned out
> by other ones that people on this list would deem off-topic.
> I don't see discussions there about appropriate content either.
> If you are lamenting about SNR, propose to make this list
> technical and not general. Furthermore, you can also set an example
> by not group-replying to mail you think is off-topic. It all
> comes down to the mentality of the subscribers. If people here
> habitually digress, then that is the nature of this list.

Very nicely put! HOWEVER, this list is _supposed_ to be technical and not general already. My efforts are now aimed towards enforcing this.

> There is a "charter" but all it says is:
> "FREEBSD-SECURITY
> Security issues
>
> FreeBSD computer security issues (DES, Kerberos, known security
> holes and fixes, etc). This is a technical mailing list for which
> strictly technical content is expected."

Once we conclude this discussion, I will fix this :-)

> Well, at least it says that chatter is discouraged (such as complaining
> about spam) but it doesn't limit what 'technical' questions are being asked.
> "I can't implement foo in IPSEC. Has someone done 'foo' with IPSEC before,
> and how?" seems to be a legitimate technical question to me.

Point taken. When the time comes, I will propose a replacement for the above charter and see what you folks think.
> Yes, telling people to RTFM where there is no FM to read is silly
> (or if you need to be Jordan Hubbard to understand it).

Quite. Remember that FreeBSD is a community project; this is folks' chance to contribute! With a bit of leadership (which I am attempting to provide), useful FMs for folks to read should be available. :-)

M
--
o       Mark Murray
\_
O.\_    Warning: this .sig is umop ap!sdn

From owner-freebsd-security Wed Aug 28 23: 8:32 2002
To: mipam@ibb.net
Cc: Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
References: <20020828200748.90964.qmail@mail.com> <3D6D3953.6090005@mukappabeta.de> <20020828224330.GE249@localhost>
From: "Perry E.
Metzger"
Date: 29 Aug 2002 02:08:27 -0400
In-Reply-To: <20020828224330.GE249@localhost>
Message-ID: <87k7mamc2s.fsf@snark.piermont.com>

Mipam writes:
> On Wed, Aug 28, 2002 at 10:57:55PM +0200, Matthias Buelow wrote:
> > >and maybe we should update our rc scripts,
> > >so that ssh-keygen generates at least 1280 Bit keys
> >
> > I think this is highly overrated and only of theoretical
> > value for most *BSD users.
>
> I don't think it's too much overrated and theoretical.

I do. If someone with millions of dollars to spend on custom designed hardware wants to break into your computer, I assure you that increasing the size of your ssh keys will not stop them. Nor, for that matter, would the slow and tedious process of cracking your ssh keys be nearly as efficient as the more pragmatic alternatives.

That said, those running on newer hardware can probably reasonably use larger keys if they wish.

--
Perry E. Metzger		perry@piermont.com
--
"Ask not what your country can force other people to do for you..."
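The "six-times" figure that Colin Percival's reply earlier in this thread ties to O(n^1.585) multiplication, worked through here as an added derivation; it is not part of any message in the thread and assumes Karatsuba-style multiplication and plain square-and-multiply exponentiation.

An RSA private-key operation on an $n$-bit modulus is a modular exponentiation with an $n$-bit exponent: about $n$ squarings plus, on average, $n/2$ multiplications, roughly $1.5n$ modular multiplications in all. With Karatsuba multiplication each of them costs $M(n) = \Theta(n^{\log_2 3}) = \Theta(n^{1.585})$, so the whole operation costs

$$T(n) \propto n \cdot n^{1.585} = n^{2.585}.$$

Doubling the modulus therefore multiplies the cost by

$$\frac{T(2n)}{T(n)} = 2^{2.585} \approx 6.0,$$

which is the "six-times speed slowdown" quoted from Schneier, and going from 1024 to 4096 bits multiplies it by

$$\frac{T(4096)}{T(1024)} = 4^{2.585} \approx 36,$$

so a connection setup that took a hundredth of a second takes roughly a third of a second, the same order of magnitude as the half-second estimate given earlier. Using the CRT (two exponentiations with $n/2$-bit moduli and exponents) changes the constant but not the ratio, and the symmetric cipher that carries the session afterwards does not depend on $n$ at all.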
From owner-freebsd-security Thu Aug 29 0:12:16 2002
From: "Karsten W. Rohrbach"
Date: Thu, 29 Aug 2002 09:12:32 +0200
To: "Perry E. Metzger"
Cc: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
Message-ID: <20020829091232.A53344@mail.webmonster.de>
Mail-Followup-To: "Karsten W. Rohrbach", "Perry E.
Metzger", mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
References: <20020828200748.90964.qmail@mail.com> <3D6D3953.6090005@mukappabeta.de> <20020828224330.GE249@localhost> <87k7mamc2s.fsf@snark.piermont.com>
In-Reply-To: <87k7mamc2s.fsf@snark.piermont.com>; from perry@piermont.com on Thu, Aug 29, 2002 at 02:08:27AM -0400

Perry E. Metzger(perry@piermont.com)@2002.08.29 02:08:27 +0000:
> I do. If someone with millions of dollars to spend on custom designed
> hardware wants to break into your computer, I assure you that
> increasing the size of your ssh keys will not stop them. Nor, for that

you missed the concept behind crypto in general, i think. it's not about stopping someone from accessing private resources, but rather making that approach to make access to these resources /very/ unattractive, by increasing the amount of time (and thus $$$) an attacker has to expend to get access.

> matter, would the slow and tedious process of cracking your ssh keys
> be nearly as efficient as the more pragmatic alternatives.

the slower, the better, as a direct consequence of my last paragraph.

> That said, those running on newer hardware can probably reasonably use
> larger keys if they wish.
increasing the server's key width imposes a higher processing cost for
the initial handshake. efficiency of the cipher used for transit
encryption is not directly affected.

regards,
/k
--
> Hackers know all the right MOVs.
WebMonster Community Project -- Reliable and quick since 1998 -- All on BSD
http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed - Unsigned ones might be bogus - http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Thu Aug 29 2:20:33 2002
From: "'Karsten W. Rohrbach'"
To: "George F. Costanzo"
Cc: freebsd-security@FreeBSD.ORG, tech-security@NetBSD.org, misc@openbsd.org
Date: Thu, 29 Aug 2002 11:20:48 +0200
Subject: Re: 1024 bit key considered insecure (sshd)
Message-ID: <20020829112048.B57322@mail.webmonster.de>
In-Reply-To: <004c01c24f3a$1508f040$0100a8c0@soap>
References: <20020829091232.A53344@mail.webmonster.de> <004c01c24f3a$1508f040$0100a8c0@soap>

George F. Costanzo(afx@pkl.net)@2002.08.29 18:57:18 +0000:
> > you missed the concept behind crypto in general, i think. it's not
> > about stopping someone from accessing private resources, but rather
> > making that approach to make access to these resources /very/
> > unattractive, by increasing the amount of time (and thus $$$) an
> > attacker has to effort to get access.
>
> Yes, to increase the time/cost in breaking the key to outweigh the cost
> of the information that will be gained.

one might remark, as a sidenote, that crypto is just one of the building
blocks to system security. what if the crypto in use is really tough, but
the software framework employing it is full of bugs, or misdesigned is
one question.
the other question (as raised in the various discussions around pgp/gpg
in the last years) is, that - if somebody wants to access encrypted
resources - it might be a better approach for him to get access by brute
(physical) force.

> If the information you're trying to protect is worth that much to you,
> you'll take the extra steps needed to increase key length. Otherwise,
> the default will be fine for most users.

seconded, whereas the security measures need to go a little further if
the resources protected really are /that/ valuable ;-)

> Schneier is blowing this out of proportion a little, quoting Lucky's
> decision throughout. Lucky is overly paranoid and Schneier knows it. He
> also uses the article to bring up (read: plug) his pretty accurate key
> length estimates. Schneier's motives have been slightly dubious for
> awhile. :->

regards,
/k
--
> A Puritan is someone who is deathly afraid that someone, somewhere, is
> having fun.
From owner-freebsd-security Thu Aug 29 2:34:30 2002
From: David Schultz
To: "Karsten W. Rohrbach"
Cc: "Perry E. Metzger", mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.ORG, tech-security@netbsd.org, misc@openbsd.org
Date: Thu, 29 Aug 2002 02:35:08 -0700
Subject: Re: 1024 bit key considered insecure (sshd)
Message-ID: <20020829093508.GB58871@HAL9000.homeunix.com>
In-Reply-To: <20020829091232.A53344@mail.webmonster.de>
References: <20020828200748.90964.qmail@mail.com> <3D6D3953.6090005@mukappabeta.de> <20020828224330.GE249@localhost> <87k7mamc2s.fsf@snark.piermont.com> <20020829091232.A53344@mail.webmonster.de>

Thus spake Karsten W. Rohrbach:
> Perry E. Metzger(perry@piermont.com)@2002.08.29 02:08:27 +0000:
> > I do. If someone with millions of dollars to spend on custom designed
> > hardware wants to break into your computer, I assure you that
> > increasing the size of your ssh keys will not stop them. Nor, for that
>
> you missed the concept behind crypto in general, i think. it's not about
> stopping someone from accessing private resources, but rather making
> that approach to make access to these resources /very/ unattractive, by
> increasing the amount of time (and thus $$$) an attacker has to effort
> to get access.

I believe his point is that increasing the costs of the hardware
required to break your key from 1 million dollars to 1 trillion dollars
is not worthwhile because the process is effectively infeasible either
way. Though it's true that the performance penalty of larger keys isn't
too bad, you're going to break lots of older software for essentially no
good reason.
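The exchange above argues about cost scaling in words: Karsten's "more time and $$$", David's "infeasible either way at 1 million or 1 trillion dollars", and later Perry's 18-month doubling. The following is an added example, not code from the list archive or from any of the posters, that puts rough numbers on the same question. It evaluates the general number field sieve heuristic L_N[1/3, (64/9)^(1/3)] for an RSA modulus of a given bit length, converts the result into symmetric "security bits", and expresses the gap between two key sizes as years of Perry's 18-month doubling. Constant factors, the o(1) term and algorithmic progress are ignored, so only ratios between sizes carry meaning; the 18-month figure and the list of key sizes are the example's own assumptions.

```python
"""Relative factoring effort for RSA moduli under the GNFS heuristic.

Added example; not code from the mailing-list thread. Constant factors in
the o(1) term are ignored, so only ratios between key sizes are meaningful.
"""
import math

# L_N[1/3, c] with c = (64/9)^(1/3): the asymptotic run time of the
# general number field sieve on a modulus N with no special structure.
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)

# Perry's figure in the thread: attacker capability doubles every 18 months.
MOORE_DOUBLING_YEARS = 1.5


def gnfs_log_effort(bits: int) -> float:
    """Natural log of the GNFS run time for a `bits`-bit modulus.

    ln L_N[1/3, c] = c * (ln N)^(1/3) * (ln ln N)^(2/3), with ln N = bits * ln 2.
    """
    if bits < 64:
        raise ValueError("modulus too small for the asymptotic formula to mean anything")
    ln_n = bits * math.log(2)
    return GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)


def security_bits(bits: int) -> float:
    """Equivalent symmetric 'security bits': log2 of the GNFS effort."""
    return gnfs_log_effort(bits) / math.log(2)


def extra_bits(from_bits: int, to_bits: int) -> float:
    """How many more bits of work the larger key costs an attacker (log2 of the ratio)."""
    return security_bits(to_bits) - security_bits(from_bits)


def moore_years(from_bits: int, to_bits: int) -> float:
    """Years of 18-month doubling until `to_bits` is as cheap as `from_bits` is today."""
    return extra_bits(from_bits, to_bits) * MOORE_DOUBLING_YEARS


def table(sizes=(768, 1024, 1280, 2048)) -> list:
    """One row per key size: (bits, security bits, extra bits vs the first size, Moore years)."""
    base = sizes[0]
    return [
        (b, round(security_bits(b), 1), round(extra_bits(base, b), 1), round(moore_years(base, b), 1))
        for b in sizes
    ]


if __name__ == "__main__":
    print("RSA bits  sec.bits  +bits vs 768  Moore years")
    for row in table():
        print("%8d  %8.1f  %12.1f  %11.1f" % row)
```

Under this heuristic a 1024-bit modulus sits near 87 security bits and 2048 near 117; the step from 768 to 1024 buys roughly ten bits of work, i.e. about fifteen years of 18-month doubling, which is the scale both sides of the thread are implicitly arguing over.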
From owner-freebsd-security Thu Aug 29 3:14: 7 2002
From: soanm singh
To: freebsd-security@freebsd.org
Date: Thu, 29 Aug 2002 03:14:05 -0700 (PDT)
Message-ID: <20020829101405.73518.qmail@web13002.mail.yahoo.com>

testing do no reply



From owner-freebsd-security Thu Aug 29 4: 0: 9 2002
From: ark@eltex.ru
Date: Thu, 29 Aug 2002 14:48:23 +0400
Message-Id: <200208291048.OAA26785@paranoid.eltex.ru>
In-Reply-To: <87k7mamc2s.fsf@snark.piermont.com> from "Perry E. Metzger"
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: 1024 bit key considered insecure (sshd)
To: perry@piermont.com
Cc: misc@openbsd.org, mipam@ibb.net, Matthias@paranoid.eltex.ru, Buelow@paranoid.eltex.ru, Stefan@paranoid.eltex.ru, Krüger@paranoid.eltex.ru, freebsd-security@freebsd.org, tech-security@netbsd.org

Keep in mind that there are people who *spend* money on custom designed
hardware and there are people who just have _access_ to custom designed
hardware that costs millions of dollars.
(i.e. in mid-90s when my hat was black i used to have access to data
downloaded from damn expensive military satellite sniffer, no kidding)

"Perry E. Metzger" said :
>
> Mipam writes:
> > On Wed, Aug 28, 2002 at 10:57:55PM +0200, Matthias Buelow wrote:
> > > >and maybe we should update our rc scripts,
> > > >so that ssh-keygen generates at least 1280 Bit keys
> > >
> > > I think this is highly overrated and only of theoretical
> > > value for most *BSD users.
> >
> > I dont think its too much overrated and theoretical.
>
> I do. If someone with millions of dollars to spend on custom designed
> hardware wants to break into your computer, I assure you that
> increasing the size of your ssh keys will not stop them. Nor, for that
> matter, would the slow and tedious process of cracking your ssh keys
> be nearly as efficient as the more pragmatic alternatives.
>
> That said, those running on newer hardware can probably reasonably use
> larger keys if they wish.

_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
From owner-freebsd-security Thu Aug 29 6:30:28 2002
From: "Perry E. Metzger"
To: "Karsten W. Rohrbach"
Cc: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Date: 29 Aug 2002 09:30:17 -0400
Subject: Re: 1024 bit key considered insecure (sshd)
Message-ID: <87bs7ln66u.fsf@snark.piermont.com>
In-Reply-To: <20020829091232.A53344@mail.webmonster.de>
References: <20020828200748.90964.qmail@mail.com> <3D6D3953.6090005@mukappabeta.de> <20020828224330.GE249@localhost> <87k7mamc2s.fsf@snark.piermont.com> <20020829091232.A53344@mail.webmonster.de>

"Karsten W. Rohrbach" writes:
> Perry E. Metzger(perry@piermont.com)@2002.08.29 02:08:27 +0000:
> > I do. If someone with millions of dollars to spend on custom designed
> > hardware wants to break into your computer, I assure you that
> > increasing the size of your ssh keys will not stop them. Nor, for that
>
> you missed the concept behind crypto in general, i think.
> it's not about
> stopping someone from accessing private resources, but rather making
> that approach to make access to these resources /very/ unattractive, by
> increasing the amount of time (and thus $$$) an attacker has to effort
> to get access.

I would have thought spending at least hundreds of millions of
dollars and (as importantly) at least months of time would have been
considered "unattractive" enough to encourage other methods of getting
at your data like breaking in to your physical location. Silly me. I
guess I missed the concept behind crypto.

--
Perry E. Metzger        perry@piermont.com
--
"Ask not what your country can force other people to do for you..."

From owner-freebsd-security Thu Aug 29 6:51: 4 2002
From: "Karsten W. Rohrbach"
To: "Perry E. Metzger"
Cc: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Date: Thu, 29 Aug 2002 15:51:18 +0200
Subject: Re: 1024 bit key considered insecure (sshd)
Message-ID: <20020829155118.B63360@mail.webmonster.de>
In-Reply-To: <87bs7ln66u.fsf@snark.piermont.com>
References: <20020828200748.90964.qmail@mail.com> <3D6D3953.6090005@mukappabeta.de> <20020828224330.GE249@localhost> <87k7mamc2s.fsf@snark.piermont.com> <20020829091232.A53344@mail.webmonster.de> <87bs7ln66u.fsf@snark.piermont.com>

Perry E. Metzger(perry@piermont.com)@2002.08.29 09:30:17 +0000:
>
> "Karsten W. Rohrbach" writes:
> > Perry E. Metzger(perry@piermont.com)@2002.08.29 02:08:27 +0000:
> > > I do. If someone with millions of dollars to spend on custom designed
> > > hardware wants to break into your computer, I assure you that
> > > increasing the size of your ssh keys will not stop them. Nor, for that
> >
> > you missed the concept behind crypto in general, i think. it's not about
> > stopping someone from accessing private resources, but rather making
> > that approach to make access to these resources /very/ unattractive, by
> > increasing the amount of time (and thus $$$) an attacker has to effort
> > to get access.
>
> I would have thought spending at least hundreds of millions of
> dollars and (as importantly) at least months of time would have been
> considered "unattractive" enough to encourage other methods of getting
> at your data like breaking in to your physical location. Silly me. I
> guess I missed the concept behind crypto.

wasn't meant as a personal assault. defining attractive/unattractive
strongly depends on the content you want to protect, sure. of course, at
some point gaining physical access becomes more attractive.

tracking the evolution of computing machinery nowadays, implementing
cryptanalysis in hardware becomes cheaper and faster at an amazing
speed. my wild guess is, that through the upcoming broad availability of
software programmable hardware that is available today, attacks to
crypto in general will become very cheap in a timeframe of months.

regards,
/k
--
> "It says he made us all to be just like him. So if we're dumb, then
> god is dumb, and maybe even a little ugly on the side." --Frank Zappa
From owner-freebsd-security Thu Aug 29 6:59:18 2002
From: Mike Silbersack
To: Colin Percival
Cc: veedee@c7.campus.utcluj.ro
Date: Thu, 29 Aug 2002 09:02:59 -0500 (CDT)
Subject: Re: 1024 bit key considered insecure (sshd)
In-Reply-To: <5.0.2.1.1.20020828132755.0284b2a8@popserver.sfu.ca>
Message-ID: <20020829084153.B52019-100000@patrocles.silby.com>

On Wed, 28 Aug 2002, Colin Percival wrote:

> When I brought this up earlier
> (http://groups.google.com/groups?threadm=5.0.2.1.1.20020326024955.02392830%40popserver.sfu.ca)
> there was a concern about breaking v1 clients using the RSAREF library.
>
> Colin Percival

Note that the 1024 bit host key is not what people should be worrying so
much about. Due to the RSAREF limitations, it could not be increased in
size much (if at all), and changing host keys is really more of a
security risk than sticking with existing 1024 bit ones.

What this thread should be about are the 768 bit session keys,
regenerated once/hour. This key is probably what a passive attacker
would be attempting to break, and it should be safe to change it to 892
bits without breaking anything. If you set it to values larger than
that, sshd appears to round up to 1152, which I believe is too large for
RSAREF to handle.

I would go ahead and make such a change to the default sshd_config, but
I'm unfamiliar with the procedures relating to changes in contributed
code... des, would you be willing to make such a change?

Mike "Silby" Silbersack

From owner-freebsd-security Thu Aug 29 7: 6:33 2002
To: "Perry E. Metzger"
Cc: "Karsten W. Rohrbach", mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.ORG, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
References: <20020828200748.90964.qmail@mail.com> <3D6D3953.6090005@mukappabeta.de> <20020828224330.GE249@localhost> <87k7mamc2s.fsf@snark.piermont.com> <20020829091232.A53344@mail.webmonster.de> <87bs7ln66u.fsf@snark.piermont.com>
From: Petr Swedock
Date: 29 Aug 2002 10:10:28 -0400
In-Reply-To: <87bs7ln66u.fsf@snark.piermont.com>
Message-ID: <86hehdbvsb.fsf@blade-runner.mit.edu>

"Perry E. Metzger" writes:

> "Karsten W. Rohrbach" writes:
>
> I would have thought spending at least hundreds of millions of
> dollars and (as importantly) at least months of time would have been
> considered "unattractive" enough to encourage other methods of getting
> at your data like breaking in to your physical location. Silly me. I
> guess I missed the concept behind crypto.

The concept behind crypto is to confuse, scramble and obfuscate. When
it was first designed for and employed in computers the existing
mathematical models, computer muscle and modes of analysis were
thought to assure unbreakability. Now the use has morphed into
a race condition where present mathematical models and future
computer muscle, coupled with existing modes of analysis are
thought to assure breakability.
Peace,

Petr

From owner-freebsd-security Thu Aug 29 7:15:40 2002
From: "Perry E. Metzger"
To: "Karsten W. Rohrbach"
Cc: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Date: 29 Aug 2002 10:15:34 -0400
Subject: Re: 1024 bit key considered insecure (sshd)
Message-ID: <871y8hn43d.fsf@snark.piermont.com>
In-Reply-To: <20020829155118.B63360@mail.webmonster.de>
References: <20020828200748.90964.qmail@mail.com> <3D6D3953.6090005@mukappabeta.de> <20020828224330.GE249@localhost> <87k7mamc2s.fsf@snark.piermont.com> <20020829091232.A53344@mail.webmonster.de> <87bs7ln66u.fsf@snark.piermont.com> <20020829155118.B63360@mail.webmonster.de>

"Karsten W. Rohrbach" writes:
> tracking the evolution of computing machinery nowadays, implementing
> cryptanalysis in hardware becomes cheaper and faster at an amazing
> speed.
> my wild guess is, that through the upcoming broad availability of
> software programmable hardware that is available today, attacks to
> crypto in general will become very cheap in a timeframe of months.

If you can attack 1024 bit keys cheaply a few months from now, please
let us know. Where I live, Moore's law still observes things double
every 18 months, not every 18 hours.

Perry

From owner-freebsd-security Thu Aug 29 7:21:16 2002
From: David Brownlee
To: Mipam
Cc: Matthias Buelow, Stefan Krüger
Date: Thu, 29 Aug 2002 15:19:57 +0100 (BST)
Subject: Re: 1024 bit key considered insecure (sshd)
In-Reply-To: <20020828224330.GE249@localhost>

On Thu, 29 Aug 2002, Mipam wrote:

> > I think this is highly overrated and only of theoretical
> > value for most *BSD users. It would be ok to document,
> > for some paranoid users which fall for the hype but then
> > please leave it at that.
>
> I dont think its too much overrated and theoretical.
>
> > Some of us run NetBSD on old
> > hardware and don't want to be crippled by excessive
> > default values with little or no practical impact.
>
> A very valid fact. But perhaps a note could be added which addresses
> the info leaving it up to the user what to do?

It would be great if someone were to contribute code to sysinst which
would allow the enabling of ssh, selection of keybit size (and optional
enabling of root login).

--
David/absolute -- www.netbsd.org: No hype required --

From owner-freebsd-security Thu Aug 29 7:29:45 2002
To: Petr Swedock
Cc: "Karsten W. Rohrbach", mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.ORG, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
References: <20020828200748.90964.qmail@mail.com> <3D6D3953.6090005@mukappabeta.de> <20020828224330.GE249@localhost> <87k7mamc2s.fsf@snark.piermont.com> <20020829091232.A53344@mail.webmonster.de> <87bs7ln66u.fsf@snark.piermont.com> <86hehdbvsb.fsf@blade-runner.mit.edu>
From: "Perry E. Metzger"
Date: 29 Aug 2002 10:29:38 -0400
In-Reply-To: <86hehdbvsb.fsf@blade-runner.mit.edu>
Message-ID: <87wuq9lovh.fsf@snark.piermont.com>

Petr Swedock writes:
> > I would have thought spending at least hundreds of millions of
> > dollars and (as importantly) at least months of time would have been
> > considered "unattractive" enough to encourage other methods of getting
> > at your data like breaking in to your physical location. Silly me. I
> > guess I missed the concept behind crypto.
>
> The concept behind crypto is to confuse, scramble and obfuscate.

I'm glad you've explained it to me.

> When it was first designed for and employed in computers the existing
> mathematical models, computer muscle and modes of analysis were
> thought to assure unbreakability. Now the use has morphed into
> a race condition where present mathematical models and future
> computer muscle, coupled with existing modes of analysis are
> thought to assure breakability.

So, this means that because a person with a billion in spare change
lying about might (MIGHT!) be able to break a 1024 bit key every year,
we should all panic?

--
Perry E. Metzger        perry@piermont.com
--
"Ask not what your country can force other people to do for you..."
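Returning to Mike Silbersack's message earlier in this thread, the practical knob is not the 1024-bit host key but the 768-bit SSH-1 server (session) key, and his observation that sshd "appears to round up to 1152" anything set much above 892 bits. The following is an added example, not code from the thread, from FreeBSD or from OpenSSH. It models, as an assumption drawn from memory of the sshd sources of that era and not verified against the page, the rule that the ephemeral server key must differ from the host key by at least 128 bits (SSH_KEY_BITS_RESERVED) or sshd forces it to host-key-bits + 128; with a 1024-bit host key that yields exactly the 1152 Mike saw, and the largest setting left untouched is 896, which agrees with his 892. The ServerKeyBits parser and the sshd_config fragment are constructed for the example; check the result against your own sshd's debug output before relying on it.

```python
"""Predict the ephemeral SSH-1 server key size an old sshd will really use.

Added example, not code from the thread or from OpenSSH. The forcing rule is
an assumption modelled on the host-key/server-key distance check sshd applied
for RSAREF compatibility; verify it against your own sshd's debug output.
"""
import re

SSH_KEY_BITS_RESERVED = 128      # assumed minimum distance between host and server key
DEFAULT_SERVER_KEY_BITS = 768    # ServerKeyBits default of that era (the value the thread discusses)
DEFAULT_HOST_KEY_BITS = 1024     # typical ssh_host_key size

# Constructed sshd_config fragment: the commented-out default plus an explicit setting.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
#ServerKeyBits 768
ServerKeyBits 1000      # trailing comment, as admins often write it
KeyRegenerationInterval 3600
"""


def parse_server_key_bits(config_text: str) -> int:
    """Return the ServerKeyBits value from an sshd_config text, or the default if absent.

    Keywords are case-insensitive, '#' starts a comment, and the first match
    wins, which is how sshd treats repeated keywords.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(?i)^ServerKeyBits\s+(\d+)\s*$", line)
        if m:
            return int(m.group(1))
    return DEFAULT_SERVER_KEY_BITS


def effective_server_key_bits(requested: int, host_bits: int = DEFAULT_HOST_KEY_BITS) -> int:
    """Apply the assumed forcing rule: a requested size strictly inside the open
    interval (host_bits - 128, host_bits + 128) is forced up to host_bits + 128."""
    if host_bits - SSH_KEY_BITS_RESERVED < requested < host_bits + SSH_KEY_BITS_RESERVED:
        return host_bits + SSH_KEY_BITS_RESERVED
    return requested


def largest_unforced(host_bits: int = DEFAULT_HOST_KEY_BITS) -> int:
    """Largest ServerKeyBits below the host key that is not forced upward."""
    return host_bits - SSH_KEY_BITS_RESERVED


def assess(config_text: str, host_bits: int = DEFAULT_HOST_KEY_BITS) -> dict:
    """Summarise what an administrator would actually get from this config."""
    requested = parse_server_key_bits(config_text)
    effective = effective_server_key_bits(requested, host_bits)
    return {
        "requested": requested,
        "effective": effective,
        "forced_up": effective != requested,
        "largest_unforced": largest_unforced(host_bits),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SSHD_CONFIG))
```

Running it on the sample shows the trap Mike describes: the administrator asked for 1000 bits, sshd would hand out 1152, and the largest value that stays where it was put is 896. The same check is worth running against any legacy sshd_config before an RSAREF-era client population is assumed to keep working.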
From owner-freebsd-security Thu Aug 29 7:30:40 2002
From: "Dave Feustel"
To: "Perry E. Metzger", "Petr Swedock"
Cc: "Karsten W. Rohrbach", "Matthias Buelow", "Stefan Krüger"
Subject: Re: 1024 bit key considered insecure (sshd)
Date: Thu, 29 Aug 2002 09:29:33 -0500
Message-ID: <000a01c24f68$803cb350$2492ee41@dafco6w9sb81bw>

And this analysis doesn't even take into account remote viewing :-).

----- Original Message -----
From: "Petr Swedock"
To: "Perry E. Metzger"
Cc: "Karsten W. Rohrbach"; "Matthias Buelow"; "Stefan Krüger"
Sent: Thursday, August 29, 2002 9:10 AM
Subject: Re: 1024 bit key considered insecure (sshd)

> "Perry E. Metzger" writes:
>
> > "Karsten W. Rohrbach" writes:
> >
> > I would have thought spending at least hundreds of millions of
> > dollars and (as importantly) at least months of time would have been
> > considered "unattractive" enough to encourage other methods of getting
> > at your data like breaking in to your physical location. Silly me. I
> > guess I missed the concept behind crypto.
>
> The concept behind crypto is to confuse, scramble and obfuscate. When
> it was first designed for and employed in computers the existing
> mathematical models, computer muscle and modes of analysis were
> thought to assure unbreakability. Now the use has morphed into
> a race condition where present mathematical models and future
> computer muscle, coupled with existing modes of analysis are
> thought to assure breakability.
>
> Peace,
>
> Petr
>

From owner-freebsd-security Thu Aug 29 8:21:38 2002
From: Seth Kurtzberg
Organization: M. I. S. Corp
To: "Perry E. Metzger", "Karsten W. Rohrbach"
Cc: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
Date: Thu, 29 Aug 2002 08:02:23 -0700
Message-Id: <200208290802.23540.seth@cql.com>
In-Reply-To: <87bs7ln66u.fsf@snark.piermont.com>

The other piece of the crypto puzzle that is frequently misunderstood
(not flames! I'm not saying misunderstood by anyone participating in
this discussion!) is that data is typically sensitive for a limited
period of time. The fact that you could crack a password in a year
becomes quite irrelevant if the protected data is no longer sensitive
after a month. Intelligently archiving older data that doesn't need to
remain on-line helps this situation.

On Thursday 29 August 2002 06:30, Perry E. Metzger wrote:
> "Karsten W. Rohrbach" writes:
> > Perry E. Metzger(perry@piermont.com)@2002.08.29 02:08:27 +0000:
> > > I do. If someone with millions of dollars to spend on custom designed
> > > hardware wants to break into your computer, I assure you that
> > > increasing the size of your ssh keys will not stop them. Nor, for that
> >
> > you missed the concept behind crypto in general, i think. it's not about
> > stopping someone from accessing private resources, but rather making
> > that approach to make access to these resources /very/ unattractive, by
> > increasing the amount of time (and thus $$$) an attacker has to effort
> > to get access.
>
> I would have thought spending at least hundreds of millions of
> dollars and (as importantly) at least months of time would have been
> considered "unattractive" enough to encourage other methods of getting
> at your data like breaking in to your physical location. Silly me. I
> guess I missed the concept behind crypto.

--
-----------------------------------
Seth Kurtzberg
M. I. S. Corp.
1-480-661-1849

From owner-freebsd-security Thu Aug 29 8:31:01 2002
From: Alexandr Kovalenko
To: "Perry E. Metzger"
Cc: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.ORG, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
Date: Thu, 29 Aug 2002 18:30:06 +0300
Message-ID: <20020829153006.GB26145@nevermind.kiev.ua>
In-Reply-To: <87k7mamc2s.fsf@snark.piermont.com>

Hello, Perry E. Metzger!

On Thu, Aug 29, 2002 at 02:08:27AM -0400, you wrote:
> > > > and maybe we should update our rc scripts,
> > > > so that ssh-keygen generates at least 1280 Bit keys
> > > I think this is highly overrated and only of theoretical
> > > value for most *BSD users.
> > I don't think it's too much overrated and theoretical.
> I do. If someone with millions of dollars to spend on custom designed
> hardware wants to break into your computer, I assure you that
> increasing the size of your ssh keys will not stop them. Nor, for that
> matter, would the slow and tedious process of cracking your ssh keys
> be nearly as efficient as the more pragmatic alternatives.

Much simpler is to get physical access with those millions of dollars.

--
NEVE-RIPE
Ukrainian FreeBSD User Group
http://uafug.org.ua/

From owner-freebsd-security Thu Aug 29 9:38:46 2002
From: "Karsten W. Rohrbach"
To: "Perry E. Metzger"
Cc: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
Date: Thu, 29 Aug 2002 18:38:58 +0200
Message-ID: <20020829183858.A68055@mail.webmonster.de>
In-Reply-To: <871y8hn43d.fsf@snark.piermont.com>

Perry E. Metzger(perry@piermont.com)@2002.08.29 10:15:34 +0000:
>
> "Karsten W. Rohrbach" writes:
> > tracking the evolution of computing machinery nowadays, implementing
> > cryptanalysis in hardware becomes cheaper and faster at an amazing
> > speed. my wild guess is, that through the upcoming broad availability of
> > software programmable hardware that is available today, attacks to
> > crypto in general will become very cheap in a timeframe of months.
>
> If you can attack 1024 bit keys cheaply a few months from now, please
> let us know. Where I live, Moore's law still observes things double
> every 18 months, not every 18 hours.

http://rcc.lanl.gov/index.php as a starting point. screw Moore's law, if
the problem can be parallelized. ;-)

regards,
/k

--
> Obscenity is the crutch of inarticulate motherfuckers.
WebMonster Community Project -- Reliable and quick since 1998 -- All on BSD
http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/
GnuPG:   0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed - Unsigned ones might be bogus - http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

-----BEGIN PGP SIGNATURE-----
Comment: For info see http://www.gnupg.org

iD8DBQE9bk4hs5Nr9N7JSKYRAi8EAKCW8Cg0g7SzXTpGgs5QQuchxif+QQCfUqu4
A748n9xT01St3vrds7Q4TrM=
=9ayk
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Aug 29 9:54:14 2002
From: "Dave Feustel"
To: "Karsten W. Rohrbach", "Perry E. Metzger"
Cc: "Matthias Buelow", "Stefan Krüger"
Subject: Re: 1024 bit key considered insecure (sshd)
Date: Thu, 29 Aug 2002 11:52:43 -0500
Message-ID: <001301c24f7c$81b866c0$5892ee41@dafco6w9sb81bw>

> > If you can attack 1024 bit keys cheaply a few months from now, please
> > let us know. Where I live, Moore's law still observes things double
> > every 18 months, not every 18 hours.

See _Cracking DES_
(http://www.amazon.com/exec/obidos/tg/detail/-/1565925203/qid=1030639763/sr=1-1/ref=sr_1_1/102-5391104-6813765?v=glance&s=books)
for a (by now obsolete) low-cost home-brew system for cracking DES.
The available FPGA hardware has advanced considerably since this book
was written.
From owner-freebsd-security Thu Aug 29 12:27:18 2002
From: "Perry E. Metzger"
To: "Dave Feustel"
Cc: "Karsten W. Rohrbach", "Matthias Buelow", "Stefan Krüger"
Subject: Re: 1024 bit key considered insecure (sshd)
Date: 29 Aug 2002 15:27:07 -0400
Message-ID: <87elchzcs4.fsf@snark.piermont.com>
In-Reply-To: <001301c24f7c$81b866c0$5892ee41@dafco6w9sb81bw>

"Dave Feustel" writes:
> See _Cracking DES_

Wow. I'd never heard of that book before. I wonder why no one mentioned
brute force attacks on DES to me. It might have been interesting to
mention to my students in my annual graduate course in cryptography.

> (http://www.amazon.com/exec/obidos/tg/detail/-/1565925203/qid=1030639763/sr=1-1/ref=sr_1_1/102-5391104-6813765?v=glance&s=books)
>
> for a (by now obsolete) low-cost home-brew system
> for cracking DES. The available FPGA hardware has advanced
> considerably since this book was written.

Don't try teaching grandpa to suck eggs.

For extra credit, present the difference in computational complexity
between cracking a 56 bit DES key and factoring a 1024 bit integer. And
no, the difference is not a factor of 2^968. You should especially go to
the back of the room if you thought it was a straight factor of 968, and
if you thought it was a factor of 18 because 1024 is about 18 times
larger than 56 you should confine your future job searches to the food
service and waste disposal industries.

For extra extra credit, figure out how many Virtex II FPGAs you would
need to try out Dan's new number field sieve trick with a 1024 bit key
if you want a result in one year. The Virtex II is ideal because of its
size and the presence of several IBM PPC cores on board. Hint: it is not
clear Xilinx can produce that many Virtex IIs for you at the moment,
though I'm sure they could scale up production for it.

--
Perry E. Metzger		perry@piermont.com
--
"Ask not what your country can force other people to do for you..."
From owner-freebsd-security Thu Aug 29 12:37:38 2002
From: "Perry E. Metzger"
To: "Karsten W. Rohrbach"
Cc: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
Date: 29 Aug 2002 15:37:33 -0400
Message-ID: <87adn5zcaq.fsf@snark.piermont.com>
In-Reply-To: <20020829183858.A68055@mail.webmonster.de>

"Karsten W. Rohrbach" writes:
> Perry E. Metzger(perry@piermont.com)@2002.08.29 10:15:34 +0000:
> > "Karsten W. Rohrbach" writes:
> > > tracking the evolution of computing machinery nowadays, implementing
> > > cryptanalysis in hardware becomes cheaper and faster at an amazing
> > > speed. my wild guess is, that through the upcoming broad availability of
> > > software programmable hardware that is available today, attacks to
> > > crypto in general will become very cheap in a timeframe of months.
> >
> > If you can attack 1024 bit keys cheaply a few months from now, please
> > let us know. Where I live, Moore's law still observes things double
> > every 18 months, not every 18 hours.
>
> http://rcc.lanl.gov/index.php as a starting point. screw Moore's law, if
> the problem can be parallelized. ;-)

Gee, THAT is a really useful idea. Why, I bet that Xilinx will sell me
FPGAs for free! That way if I want to buy ten times more, it won't cost
me ten times as much! And I bet no one thought of that idea before --
why, I bet when people came up with estimates for the price of a piece
of hardware to execute djb's algorithms they never thought of parallel
processing at all.

Perry

From owner-freebsd-security Thu Aug 29 12:40:36 2002
From: "Peter C. Lai"
Reply-To: peter.lai@uconn.edu
To: "Karsten W. Rohrbach"
Cc: "Perry E. Metzger", mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
Date: Thu, 29 Aug 2002 15:40:30 -0400
Message-ID: <20020829194030.GA4593@cowbert.2y.net>
In-Reply-To: <20020829183858.A68055@mail.webmonster.de>

On Thu, Aug 29, 2002 at 06:38:58PM +0200, Karsten W. Rohrbach wrote:
> Perry E. Metzger(perry@piermont.com)@2002.08.29 10:15:34 +0000:
> >
> > "Karsten W. Rohrbach" writes:
> > > tracking the evolution of computing machinery nowadays, implementing
> > > cryptanalysis in hardware becomes cheaper and faster at an amazing
> > > speed. my wild guess is, that through the upcoming broad availability of
> > > software programmable hardware that is available today, attacks to
> > > crypto in general will become very cheap in a timeframe of months.
> >
> > If you can attack 1024 bit keys cheaply a few months from now, please
> > let us know. Where I live, Moore's law still observes things double
> > every 18 months, not every 18 hours.
>
> http://rcc.lanl.gov/index.php as a starting point. screw Moore's law, if
> the problem can be parallelized. ;-)

The problem can already be parallelized. These are all searching
algorithms (either pure brute force or using sieve to shrink the
keyspace that needs to be tested), and are not 'cryptanalyst' attacks
per se. The sieve may reduce the keyspace that needs to be checked by a
linear factor, but as someone pointed out, the number of keys to be
tested grows exponentially with each bit added to the key.

Furthermore, why worry about 1024bit keys now? In 10 years when people
*can* crack 1024 keys like peanuts, we will all have switched to OTPs or
use some absurd key length. I'd rather worry about the 2038 deadline
imho.

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
Yale University School of Medicine
Center for Medical Informatics | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Thu Aug 29 12:56:37 2002
From: Jan Wildeboer
To: Michael W Mitton
Cc: freebsd-security@FreeBSD.ORG, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
Date: Thu, 29 Aug 2002 21:58:43 +0200
Message-ID: <3D6E7CF3.5020209@gmx.de>

Michael W Mitton wrote:
> Beside, I'm sure the federal government ( any federal government )
> wouldn't blink an eye at 1 billion dollars if they could read everyone's
> email. ;)

They would pay Bill a fraction of that and we can be sure that all
windows machines will send unencrypted copies of each and every mail to
a federal server. And then they will make a law that will make sure you
will be arrested when you send mail with a non-M$ mail client ;-)

Gosh, is this OT :-) Sorry to feed it ...

Jan Wildeboer

From owner-freebsd-security Thu Aug 29 13:03:11 2002
From: "Perry E. Metzger"
To: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Long RSA keys
Date: 29 Aug 2002 16:03:03 -0400
Message-ID: <8765xtzb48.fsf@snark.piermont.com>

I want to make something absolutely clear.

I think it is always a good idea to use the best crypto your
application can comfortably handle. If your machine is fast enough to
use 2048 bit RSA keys, well, no harm is done by it, and if Dan
Bernstein is correct, 1024 bit keys will be obsolete sooner than we
thought so it may be worthwhile. There is always a tradeoff, and 2048
bit keys are unacceptably slow on old hardware or for many embedded
apps, but it's not an awful idea if you don't care about the speed
penalty, like if you have only very modern hardware.

All that said, anyone claiming that it is now affordable to routinely
crack 1024 bit RSA keys is unfamiliar with the facts. Maybe (and it's a
big maybe) the NSA can afford to dedicate multi-hundred million or
billion dollar boxes for months or longer to do it for a high value key
(assuming that it is possible at all), or maybe the NSA knows things
about factoring we don't, but it is not bloody likely that everyday
crackers or even Fortune 100 companies will be doing this stuff any
time soon.

If you think that you have something new and exciting to tell me that
I've never heard of before, check if it has been published in Crypto
or Eurocrypt or something first. If you don't know enough to read
those conference proceedings, you don't know enough to have an
intelligent opinion on the cost of building a machine to run djb's NFS
factoring ideas.

--
Perry E. Metzger		perry@piermont.com
--
"Ask not what your country can force other people to do for you..."
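Perry's extra-credit question (the gap between a 56-bit DES search and factoring a 1024-bit modulus is nowhere near 2^968), his exchange with Karsten about parallelization, and the 2048-bit recommendation in the message above can all be put in rough numbers. The following Python is an added worked example and is not code from any poster or from the FreeBSD, NetBSD or OpenBSD projects. It uses the textbook general number field sieve heuristic L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped, so its figures are order-of-magnitude only; the per-unit speed and price figures in the parallel helper are constructed placeholders, not an estimate for any real FPGA or CPU.

```python
"""Rough work estimates: brute-forcing DES versus factoring RSA moduli.

Added worked example for the thread above, not code from any poster.
gnfs_log2_work() uses the textbook heuristic L_n[1/3, (64/9)^(1/3)]
with the o(1) term dropped, so it is an order-of-magnitude figure
(good to a few bits), not a cost estimate for any real machine.
"""
import math

# (64/9)^(1/3) ~ 1.923, the constant in the GNFS running-time heuristic
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)
SECONDS_PER_YEAR = 365.25 * 86400


def brute_force_log2_work(key_bits):
    """log2 of the expected trials for exhaustive search: half the keyspace."""
    return key_bits - 1


def gnfs_log2_work(modulus_bits):
    """log2 of L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) for an
    n of modulus_bits bits. Sub-exponential: each added modulus bit costs
    far less than a doubling, unlike a symmetric key bit."""
    ln_n = modulus_bits * math.log(2)
    ln_work = GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return ln_work / math.log(2)


def work_gap_bits(modulus_bits, cipher_bits):
    """log2 of (factoring work / brute-force work): the 'extra credit' answer."""
    return gnfs_log2_work(modulus_bits) - brute_force_log2_work(cipher_bits)


def parallel_cost(log2_work, unit_ops_per_sec, unit_price, units):
    """Hardware cost and wall time for spreading a fixed amount of work over
    `units` identical machines, assuming perfect parallel speedup (fine for
    sieving; the matrix step is harder to spread out). unit_ops_per_sec and
    unit_price are whatever the caller assumes; nothing here is a real quote."""
    total_ops = 2.0 ** log2_work
    seconds = total_ops / (unit_ops_per_sec * units)
    return {"cost": units * unit_price, "years": seconds / SECONDS_PER_YEAR}


def units_for_deadline(log2_work, unit_ops_per_sec, years):
    """Machines needed to finish the work within `years` at the given rate."""
    return 2.0 ** log2_work / (unit_ops_per_sec * years * SECONDS_PER_YEAR)


if __name__ == "__main__":
    for bits in (512, 768, 1024, 2048):
        print("RSA-%d  ~2^%.1f work" % (bits, gnfs_log2_work(bits)))
    print("DES-56  ~2^%d expected trials" % brute_force_log2_work(56))
    print("gap RSA-1024 / DES-56: ~2^%.1f" % work_gap_bits(1024, 56))
    # Constructed placeholder unit: 1e9 operations/s at $1000 each.
    for units in (1, 10, 100):
        r = parallel_cost(gnfs_log2_work(1024), 1e9, 1000.0, units)
        print("%5d units: $%.0f, %.3g years" % (units, r["cost"], r["years"]))
    need = units_for_deadline(gnfs_log2_work(1024), 1e9, 1.0)
    print("units for a one-year result at that rate: %.3g" % need)
```

Running it gives about 2^87 for a 1024-bit modulus and about 2^117 for 2048 bits, against 2^55 expected trials for DES, so the gap is roughly 2^32 rather than 2^968; this is in line with the 80-bit and 112-bit security levels NIST SP 800-57 assigns to 1024- and 2048-bit RSA. The parallel helper makes Perry's point explicit: spreading fixed work over ten times as many units cuts wall time tenfold and multiplies hardware cost tenfold, so parallelism buys time, not a lower total cost.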
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 29 13:33:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B3E3737B400 for ; Thu, 29 Aug 2002 13:33:53 -0700 (PDT) Received: from blade-runner.mit.edu (BLADE-RUNNER.MIT.EDU [18.78.0.22]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0E1B343E6A for ; Thu, 29 Aug 2002 13:33:53 -0700 (PDT) (envelope-from petr@blade-runner.mit.edu) Received: from blade-runner.mit.edu (localhost [127.0.0.1]) by blade-runner.mit.edu (8.12.3/8.12.3) with ESMTP id g7TKbrnY031399; Thu, 29 Aug 2002 16:37:53 -0400 (EDT) (envelope-from petr@blade-runner.mit.edu) Received: (from petr@localhost) by blade-runner.mit.edu (8.12.3/8.12.3/Submit) id g7TKbqvv031396; Thu, 29 Aug 2002 16:37:52 -0400 (EDT) To: "Perry E. Metzger" Cc: "Karsten W. Rohrbach" , mipam@ibb.net, Matthias Buelow , Stefan =?iso-8859-1?q?Kr=FCger?= , freebsd-security@FreeBSD.ORG, tech-security@netbsd.org, misc@openbsd.org Subject: Re: 1024 bit key considered insecure (sshd) References: <20020828200748.90964.qmail@mail.com> <3D6D3953.6090005@mukappabeta.de> <20020828224330.GE249@localhost> <87k7mamc2s.fsf@snark.piermont.com> <20020829091232.A53344@mail.webmonster.de> <87bs7ln66u.fsf@snark.piermont.com> <86hehdbvsb.fsf@blade-runner.mit.edu> <87wuq9lovh.fsf@snark.piermont.com> From: Petr Swedock Date: 29 Aug 2002 16:37:51 -0400 In-Reply-To: <87wuq9lovh.fsf@snark.piermont.com> Message-ID: <861y8h9za8.fsf@blade-runner.mit.edu> Lines: 32 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Perry E. 
Metzger" writes: > Petr Swedock writes: > > > at your data like breaking in to your physical location. Silly me. I > > > guess I missed the concept behind crypto. > > > > The concept behind crypto is to confuse, scramble and obfuscate. > > I'm glad you've explained it to me. Glad I could help =-) > > When it was first designed for and employed in computers the existing > > mathematical models, computer muscle and modes of analysis were > > thought to assure unbreakability. Now the use has morphed into > > a race condition where present mathematical models and future > > computer muscle, coupled with existing modes of analysis are > > thought to assure breakability. > > So, this means that because a person with a billion in spare change > lying about might (MIGHT!) be able to break a 1024 bit key every year, > we should all panic? I'm quite sure I'm not advocating panic. I'm only addressing your (perhaps flippant) remark about the concept behind crypto: which remark seemed to indicate the existence of a non-nil utility function from the moment crypto was first conceptualized. 
Peace,

Petr

From owner-freebsd-security Thu Aug 29 16:54:01 2002
From: "Steven M. Bellovin"
Date: Thu, 29 Aug 2002 19:53:52 -0400
To: "Perry E. Metzger"
Cc: freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: Long RSA keys
Message-Id: <20020829235353.026E37B4C@berkshire.research.att.com>

In message <8765xtzb48.fsf@snark.piermont.com>, "Perry E. Metzger" writes:

> If you think that you have something new and exciting to tell me that
> I've never heard of before, check if it has been published in Crypto
> or Eurocrypt or something first. If you don't know enough to read
> those conference proceedings, you don't know enough to have an
> intelligent opinion on the cost of building a machine to run djb's NFS
> factoring ideas.

In that vein, it's worth noting that Bernstein's results have not been embraced by the community qualified to have an opinion: the cryptographic mathematicians. (I'm not qualified -- the crypto I do is cryptographic protocol work, which is a very different beast indeed. I have a decent knowledge of the literature, which leaves me in a position of having to choose which authority I believe. But we're not dealing here with matters of opinion; my vote doesn't count for nearly as much as, say, the authors of the paper I cite below.)

Let me refer folks to some people who are qualified to have an opinion: Arjen Lenstra, Adi Shamir, Jim Tomlinson, and Eran Tromer. You can find their paper at http://www.cryptosavvy.com/meshps.gz (or .pdf); here's the abstract:

    Abstract. In [1], Bernstein proposed a circuit-based implementation of
    the matrix step of the number field sieve factorization algorithm. These
    circuits offer an asymptotic cost reduction under the measure
    construction cost × run time. We evaluate the cost of these circuits, in
    agreement with [1], but argue that compared to previously known methods
    these circuits can factor integers that are 1.17 times larger, rather
    than 3.01 as claimed (and even this, only under the non-standard cost
    measure). We also propose an improved circuit design based on a new mesh
    routing algorithm, and show that for factorization of 1024-bit integers
    the matrix step can, under an optimistic assumption about the matrix
    size, be completed within a day by a device that costs a few thousand
    dollars. We conclude that from a practical standpoint, the security of
    RSA relies exclusively on the hardness of the relation collection step
    of the number field sieve.
From owner-freebsd-security Thu Aug 29 17:04:55 2002
From: "Karsten W. Rohrbach"
Date: Fri, 30 Aug 2002 02:05:10 +0200
To: "Perry E. Metzger"
Cc: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: Long RSA keys
Message-ID: <20020830020510.A76963@mail.webmonster.de>
In-Reply-To: <8765xtzb48.fsf@snark.piermont.com>

Perry E. Metzger(perry@piermont.com)@2002.08.29 16:03:03 +0000:
[...]
> If you think that you have something new and exciting to tell me that
> I've never heard of before, check if it has been published in Crypto
> or Eurocrypt or something first. If you don't know enough to read
> those conference proceedings, you don't know enough to have an
> intelligent opinion on the cost of building a machine to run djb's NFS
> factoring ideas.

nice attitude. sounds a little bit like "640k is enough for everyone", etc.

understanding as much as to conceive a certain concept, or at least to work out an "intelligent opinion" is based on thinking, cognitive processes, not just being able to read and understand technoid gibberish. 2002, not 1972. time to re-think certain concepts. together, not against each other. ;-)

i clearly see your experience, your knowledge. you're in the business for quite a while. clinging to your experience so tightly, evolving hardline thinking, such as above, might prove to be an obstacle, though. new inventions, technologies, just came into existence through people who got their own ego out of the way, and did what they envisioned.

regards,
/k
-- 
> UNiX *IS* user friendly. It's just selective about who its friends are.
WebMonster Community Project -- Reliable and quick since 1998 -- All on BSD
http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed - Unsigned ones might be bogus - http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists.
From owner-freebsd-security Thu Aug 29 18:48:40 2002
From: "Karsten W. Rohrbach"
Date: Fri, 30 Aug 2002 03:48:57 +0200
To: "Perry E. Metzger"
Cc: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: Long RSA keys
Message-ID: <20020830034857.A82685@mail.webmonster.de>
In-Reply-To: <20020830020510.A76963@mail.webmonster.de>

forget my last mail in this thread. at least for freebsd-security it's quite offtopic, and it won't lead us anywhere.

regards,
/k
-- 
> knowledge is power. power corrupts. study hard, be evil
From owner-freebsd-security Thu Aug 29 23:19:12 2002
From: Chuck Yerkes
Date: Thu, 29 Aug 2002 23:18:59 -0700
To: "Perry E. Metzger"
Cc: freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
Message-ID: <20020829231859.A31958@snew.com>
In-Reply-To: <87k7mamc2s.fsf@snark.piermont.com>

Quoting Perry E. Metzger (perry@piermont.com):
> Mipam writes:
> > On Wed, Aug 28, 2002 at 10:57:55PM +0200, Matthias Buelow wrote:
> > > > and maybe we should update our rc scripts,
> > > > so that ssh-keygen generates at least 1280 Bit keys ...
> > I don't think it's too much overrated and theoretical.
>
> I do. If someone with millions of dollars to spend on custom designed
> hardware wants to break into your computer, I assure you that

For just 1 million, I'll roll them a tape. Hell, I'll mail it to them.

OTOH, we can certainly use SSH with OPIE.
From owner-freebsd-security Fri Aug 30 07:16:40 2002
From: "Perry E. Metzger"
Date: 30 Aug 2002 10:16:28 -0400
To: "Karsten W. Rohrbach"
Cc: mipam@ibb.net, Matthias Buelow, Stefan Krüger, freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: Long RSA keys
In-Reply-To: <20020830020510.A76963@mail.webmonster.de>
Message-ID: <873cswph37.fsf@snark.piermont.com>

"Karsten W. Rohrbach" writes:
> Perry E. Metzger(perry@piermont.com)@2002.08.29 16:03:03 +0000:
> [...]
> > If you think that you have something new and exciting to tell me that
> > I've never heard of before, check if it has been published in Crypto
> > or Eurocrypt or something first. If you don't know enough to read
> > those conference proceedings, you don't know enough to have an
> > intelligent opinion on the cost of building a machine to run djb's NFS
> > factoring ideas.
>
> nice attitude. sounds a little bit like "640k is enough for everyone",
> etc.

Do you actually understand the NFS factoring algorithm or not? If you do not, on what basis are you estimating the cost of hardware to execute it? If you have no basis, then why do you think you know anything on the subject?

> understanding as much as to conceive a certain concept, or at least
> to work out an "intelligent opinion" is based on thinking, cognitive
> processes, not just being able to read and understand technoid gibberish.

If you think that the information needed to come to an intelligent conclusion on the subject is "technoid gibberish", perhaps your "cognitive processes" aren't operating on the information you need to state something reasonable on the subject.

> i clearly see your experience, your knowledge. you're in the business for
> quite a while. clinging to your experience so tightly, evolving hardline
> thinking, such as above, might prove to be an obstacle, though. new
> inventions, technologies, just came into existence through people who
> got their own ego out of the way, and did what they envisioned.

This is not a question of old scientist/new scientist. This is the old scientist telling a guy with a rope trying to lasso the moon that it is pretty far away, his rope is pretty short, and his arm is unlikely to be able to throw the rope that far in any case, and the guy with the rope saying "you're just not a creative thinker!"

More to the point, when the computer scientist sees a guy claim in public that you can program computers to telepathically read minds and perhaps the claimant should learn how computers work, when the scientist hands him an intro text, it does nothing for the telepathy-claimant's credibility to call the intro text "technoid gibberish".

To be the young turk new scientist who embarrasses the old scientist, you first have to know the same basic facts the old scientist knows.
Einstein didn't start out by saying "oh, that Newton guy, his stuff was `technoid gibberish'" to employ the term you seem to have used for a basic understanding of the field you are claiming to make pronouncements about.

It is one thing for Dan Bernstein to claim a number field sieve machine has one likely cost and for Arjen Lenstra to disagree with him. Both of them have enough information to discuss the area intelligently -- both can read the literature and come to conclusions about it. Saying that the basic information on how this all works is "technoid gibberish" doesn't lend much credibility to your comments.

Perry

From owner-freebsd-security Fri Aug 30 11:35:39 2002
From: "Perry E. Metzger"
Date: 30 Aug 2002 14:35:29 -0400
To: Michael W Mitton
Cc: freebsd-security@FreeBSD.ORG, tech-security@netbsd.org, misc@openbsd.org
Subject: Re: 1024 bit key considered insecure (sshd)
In-Reply-To: <1030649841.18234.4.camel@mmitton.hmcon.com>
Message-ID: <87lm6onqj2.fsf@snark.piermont.com>

Michael W Mitton writes:
> My data may not be worth a billion dollars, but I can be fairly certain
> that I am part of a group ( a rather _large_ group ) whose combined
> information is worth that.

The combination is not of much importance because the combination doesn't share a single key. A machine can only crack so many keys per unit time. If you build a device that costs you a billion dollars and can only crack one key every six months, you are going to be very careful about which key you choose to crack because each key costs you hundreds of millions in amortized cost to crack.

> Beside, I'm sure the federal government ( any federal government )
> wouldn't blink an eye at 1 billion dollars if they could read everyone's
> email. ;)

Again, at best this offers you the THEORETICAL possibility of reading any particular individual's mail. You still have to spend huge resources on cracking that one key, assuming that this is even possible. (The jury is still out on that.) There is a distinction between saying that one can crack ANYONE'S key and saying you can crack EVERYONE'S key. One implies being able to break a few if you really really want to, the other implies being able to break all cheaply and quickly.

I would like to repeat that using longer key lengths is not necessarily stupid -- just not something to be contemplated as an imminent emergency. Certainly the jury is still out on just how practical factoring 1024 bit numbers is using the latest algorithms and hardware acceleration.

-- 
Perry E. Metzger		perry@piermont.com
--
"Ask not what your country can force other people to do for you..."

From owner-freebsd-security Fri Aug 30 12:00:41 2002
From: Adam Haken
Date: Fri, 30 Aug 2002 21:01:43 +0200
To: FreeBSD-security@FreeBSD.org
Subject: (no subject)
Message-ID: <3D6FC117.2040103@zacatek.cz>

subscribe

From owner-freebsd-security Fri Aug 30 14:50:46 2002
From: ahb@ahb.net
Date: Fri, 30 Aug 2002 23:50:09 +0200
To: freebsd-security@freebsd.org
Subject: Cisco <-> FreeBSD / Kame / Racoon IPsec Interoperability
Message-ID: <3D7004B1.4052.750D3BD@localhost>

Hi !

Perhaps a bit off topic on this list, but perhaps one of you guys has an answer to the following question.

I have two sites. One is running a cisco router and a second that has a FreeBSD box with a DSL dialup line. Behind both boxes is a LAN that I would like to connect together with an ipsec tunnel. The cisco router is not under my control and perhaps everything would be fine if the cisco router would not assign the unencrypted end of the tunnel from a pool of a class "C" network.
So I have basically the following configuration:

    10.1/16 Private LAN "A"
        |
    FreeBSD box
        |
    Some dynamic IP from the dialup provider
        |
    Internet
        |
    1.2.3.4 Fixed IP on the public end of the cisco
        |
    cisco
        |
    10.2.1/24 dynamic assigned IP
        |
    Some other firewall stuff here and the LAN behind it

The configuration is normally used as a dialin pool for home office PC's, but there are some guys that do have a working dialup LAN on their home office rather than a single PC.

So setting up the public side of the gif interface is a piece of cake. The dynamic IP is assigned during the setup of the IPsec connection. What I could not find out until now is how to set up the private part of the gif interface. Usually one would have to use:

    ifconfig netmask

But since the dest-priv address is assigned during the tunnel setup I could not figure out how to configure the private destination address. Also it would be a question how the setkey parameters for the spdadd have to be, as I would need this destination address there as well.

So if someone has this kind of setup in use, could you please send me the scripts ? Or if someone has an idea where to start searching, this would be nice as well. I have been searching the internet for nearly two days now, but I could not find an answer for this.

I forgot to mention that the FreeBSD box is running 4.2. If this is too old, it would not hurt to upgrade it to some newer version.
Thanks in advance Achim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 30 15:10:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 417E737B400 for ; Fri, 30 Aug 2002 15:10:50 -0700 (PDT) Received: from m-net.arbornet.org (m-net.arbornet.org [209.142.209.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD12143E65 for ; Fri, 30 Aug 2002 15:10:49 -0700 (PDT) (envelope-from polytarp@m-net.arbornet.org) Received: from m-net.arbornet.org (localhost [127.0.0.1]) by m-net.arbornet.org (8.12.3/8.11.2) with ESMTP id g7UMBaHu056313; Fri, 30 Aug 2002 18:11:40 -0400 (EDT) (envelope-from polytarp@m-net.arbornet.org) Received: from localhost (polytarp@localhost) by m-net.arbornet.org (8.12.3/8.12.3/Submit) with ESMTP id g7ULdqkj054564; Fri, 30 Aug 2002 17:39:53 -0400 (EDT) Date: Fri, 30 Aug 2002 17:39:52 -0400 (EDT) From: pgreen To: "Perry E. Metzger" Cc: Michael W Mitton , , , Subject: Re: 1024 bit key considered insecure (sshd) In-Reply-To: <87lm6onqj2.fsf@snark.piermont.com> Message-ID: <20020830173912.I54491-100000@m-net.arbornet.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org From polytarp@m-net.arbornet.org Fri Aug 30 17:38:44 2002 Newsgroups: Date: Fri, 30 Aug 2002 17:38:44 -0400 (EDT) From: pgreen To: "Perry E. 
Metzger" cc: Michael W Mitton , , , Subject: Re: 1024 bit key considered insecure (sshd) Fcc: sent-mail In-Reply-To: <87lm6onqj2.fsf@snark.piermont.com> Message-ID: <20020830173221.S54273@m-net.arbornet.org> X-Reply-UID: (2 > )(1 1029589391 385)/home/guest/polytarp/mbox X-Reply-Mbox: inbox MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII What I'm thinking, is that we need a solution based on real fact. Even a normal high-school kid could see that this isn't scientific atol. What I'm suggesting: something based on universal rhetoric. What does this mean? Well, I think some formulae should do the trick of explaining it: 8 ** x ---- \ \ / sin(6 ** x) * ( 4 5 6 - ( 5 4 5) / 8 2 5 ) ---- (define square (x) (+ x x x) (square (x)) ) I think this prooves my point. It is a non-rhetorical system of encryption. Will we still rely on the old system? I think not. On 30 Aug 2002, Perry E. Metzger wrote: > > Michael W Mitton writes: > > My data may not be worth a billion dollars, but I can be fairly certain > > that I am part of a group ( a rather _large_ group ) whose combined > > information is worth that. > > The combination is not of much importance because the combination > doesn't share a single key. A machine can only crack so many keys per > unit time. If you build a device that costs you a billion dollars and > can only crack one key every six months, you are going to to be very > careful about which key you choose to crack because each key costs you > hundreds of millions in amortized cost to crack. > > > Beside, I'm sure the federal government ( any federal government ) > > wouldn't blink an eye at 1 billion dollars if they could read everyones > > email. ;) > > Again, at best this offers you the THEORETICAL possibility of reading > any particular individual's mail. You still have to spend huge > resources on cracking that one key, assuming that this is even > possible. (The jury is still out on that.) 
There is a distinction > between saying that one can crack ANYONE'S key and saying you can > crack EVERYONE'S key. One implies being able to break a few if you > really really want to, the other implies being able to break all > cheaply and quickly. > > I would like to repeat that using longer key lengths is not > necessarily stupid -- just not something to be contemplated as an > imminent emergency. Certainly the jury is still out on just how > practical factoring 1024 bit numbers is using the latest algorithms > and hardware acceleration. > > > -- > Perry E. Metzger perry@piermont.com > -- > "Ask not what your country can force other people to do for you..." > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 30 17:52: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6365E37B400 for ; Fri, 30 Aug 2002 17:51:59 -0700 (PDT) Received: from mta203-rme.xtra.co.nz (mta203-rme.xtra.co.nz [210.86.15.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 459A243E72 for ; Fri, 30 Aug 2002 17:51:53 -0700 (PDT) (envelope-from mike@netxsecure.net) Received: from mta1-rme.xtra.co.nz ([210.86.15.143]) by mta203-rme.xtra.co.nz with ESMTP id <20020831005152.GNKO27683.mta203-rme.xtra.co.nz@mta1-rme.xtra.co.nz> for ; Sat, 31 Aug 2002 12:51:52 +1200 Received: from netxsecure.net ([210.55.243.150]) by mta1-rme.xtra.co.nz with ESMTP id <20020831005151.CXTR10827.mta1-rme.xtra.co.nz@netxsecure.net> for ; Sat, 31 Aug 2002 12:51:51 +1200 Message-ID: <3D70167D.FF9351A9@netxsecure.net> Date: Sat, 31 Aug 2002 13:06:05 +1200 From: "Michael A. 
Williams" Reply-To: mike@netxsecure.net X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.4-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd security Subject: Updated for FreeBSD 4.6.2 Anti Trojan kernel option patches. Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org We have released several updated versions of our signed_exec kernel option anti trojan and trojan detection kernel patches for FreeBSD 4.6 and 4.6.2 Releases. For Details on the updates see http://www.trojanproof.org/errata The original reference code has been updated for FreeBSD 4.6.2-Release and is available here http://www.trojanproof.org/sigexec-fbsd4.6.2r-0.1.tgz MD5 (sigexec-fbsd4.6.2r-0.1.tgz) = 0ec7c794033d9bb573c3626f32fbf520 The V2 code beta has been updated to beta2 and updated for FreeBSD 4.6.2-Release, available here http://www.trojanproof.org/sigexec-fbsd4.6.2rV2-beta2.tgz MD5 (sigexec-fbsd4.6.2rV2-beta2.tgz) = 6542b96aabc465c0c1de9b11949e87d1 The V2 code beta for FreeBSD 4.6-Release has been updated to beta2 and is available here http://www.trojanproof.org/sigexec-fbsd4.6rV2-beta2.tgz MD5 (sigexec-fbsd4.6rV2-beta2.tgz) = fe1f4a78f6f4eb0a589b273e12bda106 These download files are all available GPG signed. For an explanation on what these patches do see http://www.trojanproof.org/sigexec.pdf and http://www.trojanproof.org/v2readme -- Michael A. 
Williams
Security Software Engineering and InfoSec Manager
NetXSecure NZ Limited, http://www.nxs.co.nz
http://www.trojanproof.org
Ph: +64.3.318.2973  Fax: +64.3.318.2975  Mob: +64.21.995.914

From owner-freebsd-security Fri Aug 30 22:52: 4 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4EE2037B401 for ; Fri, 30 Aug 2002 22:51:52 -0700 (PDT)
Received: from localhost.neotext.ca (h24-70-64-200.ed.shawcable.net [24.70.64.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id EDE1443E72 for ; Fri, 30 Aug 2002 22:51:50 -0700 (PDT) (envelope-from campbell@babayaga.neotext.ca)
Received: from babayaga.neotext.ca (localhost.neotext.ca [127.0.0.1]) by localhost.neotext.ca (8.12.5/8.12.5) with ESMTP id g7V5r0Xv079209; Fri, 30 Aug 2002 23:53:01 -0600 (MDT) (envelope-from campbell@babayaga.neotext.ca)
From: "Duncan Patton a Campbell is Dhu"
To: pgreen , "Perry E. Metzger"
Cc: Michael W Mitton , , ,
Subject: Re: 1024 bit key considered insecure (sshd)
Date: Fri, 30 Aug 2002 23:53:00 -0600
Message-Id: <20020831055300.M94495@babayaga.neotext.ca>
In-Reply-To: <20020830173912.I54491-100000@m-net.arbornet.org>
References: <87lm6onqj2.fsf@snark.piermont.com> <20020830173912.I54491-100000@m-net.arbornet.org>
X-Mailer: Open WebMail 1.70 20020712
X-OriginatingIP: 127.0.0.1 (campbell)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hunh?

Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: pgreen
To: "Perry E. Metzger"
Sent: Fri, 30 Aug 2002 17:39:52 -0400 (EDT)
Subject: Re: 1024 bit key considered insecure (sshd)

> >From polytarp@m-net.arbornet.org Fri Aug 30 17:38:44 2002
> Newsgroups:
> Date: Fri, 30 Aug 2002 17:38:44 -0400 (EDT)
> From: pgreen
> To: "Perry E. Metzger"
> cc: Michael W Mitton , security@FreeBSD.ORG>, ,
> Subject: Re: 1024 bit key considered insecure (sshd)
> Fcc: sent-mail
> In-Reply-To: <87lm6onqj2.fsf@snark.piermont.com>
> Message-ID: <20020830173221.S54273@m-net.arbornet.org>
> X-Reply-UID: (2 )(1 1029589391 385)/home/guest/polytarp/mbox
> X-Reply-Mbox: inbox
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> What I'm thinking is that we need a solution based on real fact. Even a normal high-school kid could see that this isn't scientific at all. What I'm suggesting: something based on universal rhetoric.
>
> What does this mean? Well, I think some formulae should do the trick of explaining it:
>
>     8 ** x
>     ----
>     \
>      \
>      /   sin(6 ** x) * ( 4 5 6 - ( 5 4 5)
>     /                    8 2 5 )
>     ----
>
>     (define square (x)
>       (+ x x x)
>       (square (x))
>     )
>
> I think this proves my point.
> It is a non-rhetorical system of encryption.
> Will we still rely on the old system?
> I think not.
>
> On 30 Aug 2002, Perry E. Metzger wrote:
>
> > Michael W Mitton writes:
> > > My data may not be worth a billion dollars, but I can be fairly certain that I am part of a group ( a rather _large_ group ) whose combined information is worth that.
> >
> > The combination is not of much importance because the combination doesn't share a single key. A machine can only crack so many keys per unit time. If you build a device that costs you a billion dollars and can only crack one key every six months, you are going to be very careful about which key you choose to crack because each key costs you hundreds of millions in amortized cost to crack.
> > > Beside, I'm sure the federal government ( any federal government ) wouldn't blink an eye at 1 billion dollars if they could read everyone's email. ;)
> >
> > Again, at best this offers you the THEORETICAL possibility of reading any particular individual's mail. You still have to spend huge resources on cracking that one key, assuming that this is even possible. (The jury is still out on that.) There is a distinction between saying that one can crack ANYONE'S key and saying you can crack EVERYONE'S key. One implies being able to break a few if you really really want to, the other implies being able to break all cheaply and quickly.
> >
> > I would like to repeat that using longer key lengths is not necessarily stupid -- just not something to be contemplated as an imminent emergency. Certainly the jury is still out on just how practical factoring 1024 bit numbers is using the latest algorithms and hardware acceleration.
> >
> > --
> > Perry E. Metzger    perry@piermont.com
> > --
> > "Ask not what your country can force other people to do for you..."
------- End of Original Message -------

From owner-freebsd-security Sat Aug 31 8:53:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 12CFC37B400 for ; Sat, 31 Aug 2002 08:53:13 -0700 (PDT)
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0411343E42 for ; Sat, 31 Aug 2002 08:53:08 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org)
Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.5/8.12.5) with ESMTP id g7V959MA009114 for ; Sat, 31 Aug 2002 10:05:09 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.5/8.12.5/Submit) with UUCP id g7V9586S009113 for freebsd-security@freebsd.org; Sat, 31 Aug 2002 10:05:08 +0100 (BST)
Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org (8.12.5/8.12.5) with ESMTP id g7V94xl5064447 for ; Sat, 31 Aug 2002 10:04:59 +0100 (BST) (envelope-from mark@grimreaper.grondar.org)
Message-Id: <200208310904.g7V94xl5064447@grimreaper.grondar.org>
To: freebsd-security@freebsd.org
From: Mark R V Murray
Subject: Administrativia: New list charter
Date: Sat, 31 Aug 2002 10:04:59 +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FREEBSD-SECURITY    Security issues

This is a technical discussion list covering FreeBSD security issues.
The intention is for the list to contain a high-signal, low-noise discussion of issues affecting the security of FreeBSD. Welcome topics include Cryptography (as it relates to FreeBSD), OS bugs that affect security, and security design issues. Denial-of-service (DoS) issues are less important than problems that allow an attacker to achieve elevated privilege, but are still on-topic.

General system administrator questions of a FAQ nature are off-topic for this list, but the creation and maintenance of a FAQ is on-topic. Thus, the submission of questions (with answers) for inclusion into the FAQ is welcome. Such question/answer sets should be clearly marked as such (at least "FAQ submission" or the like) in the subject. The FAQ will be posted to the list regularly (there is not one at the moment - this will be rectified).

Flamewars, personal attacks, low-signal postings (such as gratuitous "Me Too!" messages) and other off-topic submissions are unwelcome. Heated discussions and discussions of questionable relevance are invited to be conducted off-line until an on-topic conclusion is reached.

This is a members-only list, so only list members may post (using the address they subscribed under).
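The "1024 bit key considered insecure (sshd)" thread above argues about the cost of factoring, not about what an administrator would actually do; whichever side one takes, the first practical step is finding out which RSA keys on a host are 1024-bit. The following is an added example and is not code from any message in this archive. It parses the OpenSSH public-key line format (the base64 blob is the SSH wire encoding of the type string "ssh-rsa" followed by the mpints e and n) and reports the modulus size in bits, flagging keys below a minimum. The sample key lines are constructed inline from chosen moduli of the right size (they are not real RSA keys, only numbers with the wanted bit length) so the script runs offline; `MIN_BITS = 2048` is an assumed policy threshold, not a figure taken from the thread.

```python
import base64
import struct

MIN_BITS = 2048  # assumed policy threshold; the thread does not settle on a number


def _read_string(buf, pos):
    """Read one SSH wire 'string': uint32 big-endian length, then that many bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated string body")
    return buf[pos:pos + n], pos + n


def _write_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(value):
    """Encode a non-negative int as an SSH mpint (big-endian, 0x00 pad if the high bit is set)."""
    if value == 0:
        return _write_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _write_string(raw)


def make_rsa_pubkey_line(e, n, comment="constructed"):
    """Build a .pub / authorized_keys style line from constructed e and n (test data only)."""
    blob = _write_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_pubkey_line(line):
    """Split a key line into (keytype, base64 blob, comment), skipping any leading
    authorized_keys options. Options containing quoted spaces are not handled."""
    fields = line.split()
    for i, f in enumerate(fields[:-1]):
        if f.startswith(("ssh-", "ecdsa-", "sk-")):
            return f, fields[i + 1], " ".join(fields[i + 2:])
    raise ValueError("no key type field found")


def rsa_modulus_bits(line):
    """Return the RSA modulus size in bits for an ssh-rsa line, or None for other key types."""
    keytype, b64, _comment = parse_pubkey_line(line)
    if keytype != "ssh-rsa":
        return None
    blob = base64.b64decode(b64)
    wire_type, pos = _read_string(blob, 0)
    if wire_type != b"ssh-rsa":
        raise ValueError("type field does not match wire blob")
    _e, pos = _read_string(blob, pos)        # public exponent, not needed for the size check
    n_bytes, pos = _read_string(blob, pos)   # modulus; a leading 0x00 pad does not change the value
    return int.from_bytes(n_bytes, "big").bit_length()


def audit(lines, min_bits=MIN_BITS):
    """Return [(comment, bits, weak)] for every RSA line; weak is True when bits < min_bits."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bits = rsa_modulus_bits(line)
        if bits is None:
            continue
        _t, _b, comment = parse_pubkey_line(line)
        report.append((comment, bits, bits < min_bits))
    return report


# Constructed samples: the moduli are merely odd numbers of the chosen bit length, not real keys.
SAMPLE_KEYS = [
    make_rsa_pubkey_line(65537, (1 << 1023) | 0x1234567, "old-1024"),
    make_rsa_pubkey_line(65537, (1 << 2047) | 0x89abcdef1, "new-2048"),
    "ssh-dss AAAAB3NzaC1kc3M= not-rsa-skipped",  # non-RSA lines are reported as None and skipped
]

if __name__ == "__main__":
    for comment, bits, weak in audit(SAMPLE_KEYS):
        print(f"{comment}: {bits}-bit RSA {'WEAK' if weak else 'ok'}")
```

To run it against a real host, replace `SAMPLE_KEYS` with the lines of `/etc/ssh/ssh_host_rsa_key.pub` and each user's `~/.ssh/authorized_keys`; the parser tolerates the option prefix that authorized_keys entries may carry (for example `from="..."`), as long as the option value itself contains no spaces.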