ClamAV: freshclam concerns, plus how to disable it?
Posts: 440
I have been using a default installation of MEPIS 3.3 since shortly after this became available. By default, I find that I have the following cron jobs:
1. in the etc/cron.d directory, I have a short text file called clamav-freshclam, which calls (I think) /usr/bin/freshclam upon login (?)
2. in the etc/cron.daily directory, I have a short bourne shell script called clamav_update, which calls (?) freshclam.
As I understand it, running freshclam on my machine causes it to seek to download the latest in spam sigs from a list of IPs which are authorized to provide this information by the developers of clamav.
A short web search didn't help me find the information I need, so I ask here in hope someone can help.
Q: How can I find out what IPs I should see my machine contacting when freshclam is running? I have seen quite a few I don't recognize lately, and attempting to check the bona fides of the most recent turned up a notice that this site has been improperly used (for something else), which is alarming, and doesn't mention clamav at all!
Note: I do not have a mail server installed and do not receive mail at all on this machine, so clamav seems redundant, even if I were not growing concerned about exactly what freshclam is downloading and from whom/where.
Q: How can I safely and reversibly disable clamav while I seek further information about these increasingly mysterious IPs? As I recall, there is something tricky about simply removing the script clamav_update from my cron.daily. What about simply making usr/bin/freshclam unexecutable?
Q: freshclam actually doesn't run once a day, but several times a day, and it often seems to contact different IPs each time. Am I misunderstanding the cron listings which seem to suggest that it run once per day?
TIA,
feheeszeno
Please bear with me: I forgot to mention that
1. /usr/share/doc/clamav-freshclam/mirror-list isn't what I was looking for above: a list of IPs authorized to participate in the "round robin" described at http://www.clamav.net
2. I don't really understand this security advisory, but http://www.clamav.net/security/0.88.2.html might suggest to a clueless user such as myself that my concern about possible abuse of the ClamAV round robin might not be too far fetched. That seems to concern possible denial of service; I am more concerned that my machine, while supposedly seeking clamav spam sig data, might actually be downloading malware from a malicious website.
feheeszeno

Why don't you start with
Posts: 4077
Why don't you start with MEPIS 6.0? 3.4-3 is kind of obsolete.
--
Check out Mepis wiki: www.mepis.org/docs
Community site: www.mepislovers.com/forums
Finally....I have full control over clam
Posts: 150
I had the same problem. (Mepis 6.0) I discovered the issue on vacation when I was on a dial-up connection. My machine was connecting to "strange" sites without my control and I did not like that.
It is a long thread so take a look at the end in order to find the solution.
You can't imagine how happy you've made me!
Posts: 440
Hello, kamikaze! Very glad to see that I am not the only raging paranoid hereabouts! Your solution (disable the cron job) is much better than mine (disable freshclam itself) since one might want to call freshclam manually.
This kind of trick is useful for those who prefer modems to DSL (yes, we exist!) and such tricks should ideally be collected in a MEPIS FAQ.
As for MEPIS 6, yes, I've just obtained a copy. Since I managed to irreparably mess up my package management in just one day, I'll need to reinstall anyway, so I might give MEPIS 6 a try. As I recall, one reason why I stuck with MEPIS 3.4-3 until now was that later MEPIS are more out of synch with Debian. Since I want to work toward installing things like MediaWiki, this could be a huge problem.
While I have your ear, kamikaze: did you see my question about tripwire? Do you know if MEPIS supports something comparable (maybe AIDE) "right off the disk"? My understanding is that one should do the initial install from a trusted disk while disconnected from the net, then configure tripwire or whatever and make the initial snapshot, then connect to the Net and use synaptic to perform the Grand Initial Upgrade of all packages (hopefully snarking all the security patches), then update the tripwire database. Does that sound right?
Remark for non-paranoids: see the recent BBC study in which an intrepid reporter set up a honeypot and found his machine was attacked within seconds, with attacks every hour or so which hosed the test machine. Point being: while upgrading all your packages, you are vulnerable to having unplugged holes attacked before you can complete the upgrade! In the worst case scenario, this could be true even if you set strong initial firewall settings before connecting to the Net for the first time in order to perform the Grand Initial Upgrade.
feheeszeno

not really
Posts: 4864
Quote: Remark for non-paranoids: see the recent BBC study in which an intrepid reporter set up a honeypot and found his machine was attacked within seconds, with attacks every hour or so which hosed the test machine. Point being: while upgrading all your packages, you are vulnerable to having unplugged holes attacked before you can complete the upgrade! In the worst case scenario, this could be true even if you set strong initial firewall settings before connecting to the Net for the first time in order to perform the Grand Initial Upgrade.
feheeszeno
no, mepis is secure the way you get it.
it can be made more secure.
upgrading does not leave you at risk while the upgrades are done.
I do NOT support "the Grand Initial Upgrade". Too many systems are broken that way. Check to see which upgrades are to do with security and stick to them only if you are concerned.
Do not upgrade things because they can be upgraded. This is not windows. Upgrade for increased security, a new useful patch or some other reason.
Forget the grand initial upgrade?
Posts: 440
Well, I'm certainly getting badly conflicting advice here. I know Mepis isn't Windows, but isn't failure to promptly obtain security patches (even for obscure utilities) one of the Top Ten Vulnerabilities for UNIX/Linux listed at SANS? (If you've seen their top ten, they have two lists, one for unix type systems and one for Windows.)
It sounds like package management is so difficult that everyone has more or less given up on keeping n00bs more or less safe, which would be unfortunate. Did you see the BBC News series (on-line at bbc.co.uk) in which they set up a honeypot? They specifically mentioned that it would be a serious mistake for Linux home users to assume that they don't need to worry about security just as much as Windows home users. They said that most attacks currently involve organized crime and target home computers, and these attacks generally target both Linux and Windows.
I hear such wildly conflicting claims that I am beginning to think that the only way to form an informed opinion would be to set up my own darn honeypot, which of course is pretty much the LAST thing I want to try to do. It's very frustrating because I can well believe that security companies might hype security fears via media scare stories, and on the other hand I can well believe that Microsoft's approach tends to be to try to cover up the scope of the problems, or that Linux users tend to prefer to place their faith in "security by obscurity". So who is most wrong here? I have no idea.
Getting back to the point: in case this wasn't clear, I am experimenting with various test installations and keeping notes, prior to trying to perform a serious installation sometime in the next few weeks. As of a few days ago, I have a test installation of Mepis 3.4-3. I do seem to have already fatally broken synaptic while trying to install MediaWiki, and even get a warning on boot that certain headers will probably never match due to fatal inconsistency. That's OK because I always intended to completely reinstall in a few days (perhaps with Mepis 6.0 rather than Mepis 3.4-3). Hmm...
Question: I seem to recall right after Mepis 3.-3, Mepis switched from Debian repositories to Ubuntu type repositories or something like that. Is that correct? Does synaptic under Mepis 6.0 support more or fewer packages than current Ubuntu? In particular, do you know if any of these support (open source) Tripwire or Aide or MediaWiki?
Question: Are you implying that it is better to AVOID using package management with anything tricky? If I install extra stuff I feel I really really need from tarballs, that bypasses package management, correct? I thought that was a bad thing, but it sounds like you might be implying that this is the only way to avoid instantly breaking package management. If everyone else is bending over backwards like this, I suppose I will have to follow suit. I do have another good reason for wishing to avoid the grand initial upgrade. But I note that one of the attractions of SUSE is that they appear to claim to support critical security patches.
How ironic, ClamAV started doing its thing while I was writing this:
su -c "netstat -anp | grep freshclam"
Password:
tcp 0 0 ***.***.***.***:nnn ***.***.***.***:80 ESTABLISHEDpppp/freshclam
This shows freshclam (PID pppp) running on localhost and downloading clam data through port nnn on localhost from an external host. (I think. I actually have no idea what I am talking about, so correct me if I am wrong!)
Question: I've never been able to set up an MTA (mail transfer agent), although I've been able to use web mail. If I fail again in my current round of installs, is there any point at all to enabling ClamAV? Does it do anything other than scan incoming email?
Please bear with me, these are serious questions!
feheeszeno
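As an added example (not part of the thread), here is one way to make sense of that netstat line without guessing: parse `netstat -anp` output, pull out the remote endpoints a given program is talking to, and compare them with a list of mirror addresses you expect. The sample output and the allow-list are constructed (documentation-range addresses); on a real box the allow-list would be whatever the DatabaseMirror host(s) in freshclam.conf resolve to at the time of the check.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of `netstat -anp` output (documentation-range addresses,
# not real hosts). The third line reproduces the column overrun seen in the
# thread, where the State column runs straight into PID/Program name.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.0.2.10:33412        198.51.100.7:80         ESTABLISHED4321/freshclam
tcp        0      0 192.0.2.10:33413        203.0.113.9:80          ESTABLISHED 4321/freshclam
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
"""

# Constructed allow-list; populate it from the resolved mirror host(s) when
# running this for real.
EXPECTED_MIRRORS = {"198.51.100.7"}


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    program: str


# Accepts "ESTABLISHED 4321/freshclam", the fused "ESTABLISHED4321/freshclam",
# and a UDP line with no State column at all.
_TAIL = re.compile(r"^(?P<state>[A-Z_]*)\s*(?P<pid>\d+)/(?P<prog>\S+)$")


def parse_netstat(text: str) -> List[Conn]:
    """Parse the socket lines of `netstat -anp` output into Conn records."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header or unrelated line
        proto, local, remote = parts[0], parts[3], parts[4]
        tail = " ".join(parts[5:])  # state and/or pid/program, possibly fused
        m = _TAIL.match(tail)
        if not m:
            continue  # no PID column (not run as root) or unparsable tail
        conns.append(Conn(proto, local, remote, m.group("state") or "-",
                          int(m.group("pid")), m.group("prog")))
    return conns


def remote_hosts(conns: List[Conn], program: str) -> Set[str]:
    """Distinct remote IPs (port stripped) that `program` is connected to."""
    hosts: Set[str] = set()
    for c in conns:
        if c.program == program and not c.remote.endswith(":*"):
            hosts.add(c.remote.rsplit(":", 1)[0])
    return hosts


def unexpected_peers(conns: List[Conn], program: str, allowed: Set[str]) -> Set[str]:
    """Remote IPs for `program` that are not on the expected mirror list."""
    return remote_hosts(conns, program) - allowed


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c in conns:
        if c.program == "freshclam":
            print(f"pid {c.pid} {c.local} -> {c.remote} ({c.state})")
    odd = unexpected_peers(conns, "freshclam", EXPECTED_MIRRORS)
    print("peers not on the mirror list:", sorted(odd) or "none")
```

The local side of each line is your own machine and an ephemeral port; the foreign side is the mirror, which is why the remote address is the one worth checking.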

A Few Comments To Your Questions
Posts: 5513
I don't call them "answers" because I'm sure that others with better knowledge than I can do that.
But to start with the issues of "reinstalling 3.4". As any distribution gets older, the support for the older repositories also slows down. When 3.3 and 3.4 came out, they were based on the "testing" (etch) version of Debian. But now that they are older, it is better to change the repositories to "stable" or "sarge". If you do this, you will not find that much has changed but you must make that change before the initial upgrade. If you don't, you will overwrite OLD 3.3 or 3.4 stuff with WAY TOO NEW Debian Etch stuff.
The BBC article about security is right that any computer hooked to the Internet without proper preparation can be compromised. What is "proper preparation"? Making sure that you have a good root password, a "regular user" account that you use rather than root for day-to-day stuff, not running applications that you are not aware of, running a firewall... In other words, many of the things that you are already doing.
Many years ago, when I was first playing with Linux, I loaded a version of SuSE Professional (I think 7.3 or so). I ignorantly had it hooked to my cable modem FOR MONTHS and never checked anything. One day, my modem was acting up or I went to check something that required that I disconnect from the modem (I don't recall which). I started getting mail every couple seconds to the root account telling me that some process was unable to connect to some unknown IP address. WTF? To make a very short story, my box had been rooted, who knows how long ago! I didn't notice it until I disabled its ability to "phone home". Needless to say, I wiped the drive clean and started fresh (lost a lot of stuff too).
What many people on this forum suggest is only update specific applications. I tend to update more things than that, but it is a Very Good Suggestion. Even more important than that IMHO is reading any messages you see. There is one package that I recommend that you load. It is called apt-listbugs. It acts as a go-between during apt updates. It checks the bug lists for any/all packages being installed or upgraded and presents you with information on any open (or closed) bugs. You then are given the opportunity to say Yes or No to the install/upgrade. But read the messages. If you see anything "scary" or if you see too many messages about things being "removed" (without any replacement), then don't do the update or upgrade.
I believe it was during the transition to Mepis 6.0 that the Ubuntu repositories were used. Mepis 3.4 was still using (mostly) Debian repos. I can't speak for "more or fewer" packages. The Ubuntu repos have been "groomed" for Ubuntu. They are (originally) Debian based, but may have been adjusted a bit to fit Ubuntu. I will not comment on whether that's good or bad (I don't know enough). It is usually recommended not to "mix and match" Debian and Ubuntu repos without being careful. Otherwise you risk incompatibility problems.
I personally DO NOT RECOMMEND installation from source and tarballs. At least if the binary package is available in a repository and on a production system. There are lots of wild, wonderful and crazy things going on in development. My hat's off to the developers, but it does not belong in a production environment. A lot of us moderators and developers break things to see how/why/when (not if) the packages will break. That way, we can fix them so they will not. Most "end users", however, don't like when things break.
You have a greater chance of incompatibilities with source and tarballs than with a repository install. That is because dpkg, apt, synaptic, kpackage, etc. check for dependencies. If you don't have what the package needs, it will attempt to get it; if you can't get it, you will not load the original package.
As to security patches, if you have the security pools enabled in your /etc/apt/sources.list file, then you WILL get security notifications. You may choose whether to install them.
As to MTAs. Which ones have you looked into using, and for what purpose (and for how many accounts)? I am definitely not an expert, but I'm willing to amuse you with my opinions on the matter if you wish to be amused 
Does that answer some of your questions? (No, I'm sorry, they're NOT ANSWERS they're OPINIONS! BAD Jon! Bad, BAD!)
Jon
Stick to synaptic; upgrade selectively
Posts: 440
Thanks, Jon! As always, you gave me useful information and you even made me laugh!
OK, I'm convinced! In truth, those security books are a few years out of date, oriented toward servers with static IP addresses, and as a clueless n00b, I only understand about one word in ten anyway.
Where do I find the urls for these debian security pools? I am looking at synaptic right now and I think I see the window pane into which I am supposed to type the proper url. What about the url for debian sarge or stable? You probably told me this months ago but despite my attempt to keep notes I can't find it now. I tried locate but didn't see any file which looked like a list of alternative repos.
Hmmm... I just reloaded synaptic and searched for apt-listbug, but apparently it wasn't found (a bit hard to interpret what actually happened, which I lack energy to try to describe). I tried again with kpackage and it seems neither of them recognize this package. How can I find/obtain it?
Installing Mepis 3.4-3 vice Mepis 6.0 might be moot since I possess a Mepis 6.0 disk (from Linux Pro Magazine, I think) and if I decide to go with that I plan to buy an "official" disk (as I did with Mepis 3.4-3; obviously I am running a bit behind the ball...), but I should probably know about sarge/stable just to be safe.
feheeszeno

My Sources.list
Posts: 5513
OK feheeszeno, here's the /etc/apt/sources.list from my 3.3 system. I think 3.4 is different only in the mepis repository. The lines with leading "#" are commented out.
$ cat /etc/apt/sources.list
# See sources.list(5) for more information, especially
# This file should be edited through synaptic
# New sources should be added only in the section at the end of this file!
# Primary
# deb ftp://ftp.debian.org/debian/ sarge main contrib non-free
deb ftp://ftp.debian.org/debian/ testing main contrib non-free
# deb ftp://ftp.debian.org/debian/ unstable main contrib non-free
# Security pool
# deb http://security.debian.org/ sarge/updates main contrib non-free
deb http://security.debian.org/ etch/updates main contrib non-free
# MEPIS apt pool - specific packages available on-line
deb http://apt.mepis.org/3.3/ unstable main
# DO NOT EDIT ABOVE THIS LINE
# mplayer
# deb ftp://ftp.nerim.net/debian-marillat/ sid main
$
The important lines for security are the security.debian.org entries. Please note the spacing in the repos. above. It may be easier to cut/paste the info above into a file and then copy it into /etc/apt/sources.list, but I would not use my list exclusively (I've tweaked it a bit). Rather, check your own file and see what needs to be added/deleted.
The package you need to track bugs is apt-listbugs (plural). From a konsole, as user root, perform "apt-get install apt-listbugs" (without quotes) and you'll be fine. It will probably need to install some Ruby files and such, so don't be alarmed 
I can't remember if apt-listbugs is in the Ubuntu repositories. I haven't started up my 6.0 laptop yet so I can't check, but I know that I did install it. I'll check and get back to you on that.
Jon
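An added example (not from the thread or from Jon) of the "check your own file" step: a small parser for sources.list that lists the enabled pools and flags the two things that bite in this thread, a commented-out or missing security.debian.org line and a security pool tracking a different suite than the primary Debian pool. The suite aliases are an assumption taken from the thread itself (testing was etch, stable was sarge at the time) and must be changed for any other point in time; the sample files are constructed.

```python
from dataclasses import dataclass
from typing import List, Set

# Suite aliases as they stood when this thread was written ("testing (etch)",
# "stable or sarge"). ASSUMPTION: update these for any other point in time.
SUITE_ALIASES = {"testing": "etch", "stable": "sarge"}

# Constructed sample: primary pool and security pool agree (testing == etch).
CONSISTENT = """\
# Primary
deb ftp://ftp.debian.org/debian/ testing main contrib non-free
# Security pool
# deb http://security.debian.org/ sarge/updates main contrib non-free
deb http://security.debian.org/ etch/updates main contrib non-free
# MEPIS apt pool
deb http://apt.mepis.org/3.3/ unstable main
"""

# Constructed sample: stable primary pool, but security updates for etch.
MISMATCHED = """\
deb ftp://ftp.us.debian.org/debian/ sarge main contrib non-free
deb http://apt.mepis.org/3.4/ etch main
deb http://security.debian.org/ etch/updates main contrib non-free
"""

# Constructed sample: the security line is present but commented out.
NO_SECURITY = """\
deb ftp://ftp.debian.org/debian/ testing main contrib non-free
# deb http://security.debian.org/ etch/updates main contrib non-free
"""


@dataclass
class Entry:
    kind: str              # deb or deb-src
    uri: str
    suite: str             # e.g. testing, sarge, etch/updates
    components: List[str]
    enabled: bool
    lineno: int


def parse_sources_list(text: str) -> List[Entry]:
    """Parse deb/deb-src lines, keeping commented-out ones as disabled entries."""
    entries: List[Entry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        enabled = True
        if line.startswith("#"):
            line = line.lstrip("# ").strip()  # "# deb ..." -> "deb ..."
            enabled = False
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("deb", "deb-src"):
            continue  # blank line or ordinary comment
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3:], enabled, n))
    return entries


def canonical(suite: str) -> str:
    """Map a suite like 'etch/updates' or 'testing' to its codename."""
    base = suite.split("/", 1)[0]
    return SUITE_ALIASES.get(base, base)


def check_sources(text: str) -> List[str]:
    """Return findings about the enabled Debian and security pools (empty = fine)."""
    findings: List[str] = []
    enabled = [e for e in parse_sources_list(text) if e.enabled and e.kind == "deb"]
    debian = [e for e in enabled if "debian.org/debian" in e.uri]
    security = [e for e in enabled if "security.debian.org" in e.uri]
    if not security:
        findings.append("no security pool enabled: security.debian.org line is "
                        "commented out or missing")
    if not debian:
        findings.append("no primary Debian pool enabled")
    suites: Set[str] = {canonical(e.suite) for e in debian}
    if len(suites) > 1:
        findings.append("primary pools mix suites: " + ", ".join(sorted(suites)))
    for s in security:
        if not s.suite.endswith("/updates"):
            findings.append(f"line {s.lineno}: security suite should be "
                            f"<suite>/updates, got {s.suite}")
        elif suites and canonical(s.suite) not in suites:
            findings.append(f"line {s.lineno}: security pool tracks "
                            f"{canonical(s.suite)} but primary pool tracks "
                            + ", ".join(sorted(suites)))
    return findings


if __name__ == "__main__":
    for name, sample in (("consistent", CONSISTENT), ("mismatched", MISMATCHED),
                         ("no security", NO_SECURITY)):
        print(name + ":", check_sources(sample) or "ok")
```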
Synaptic irretrievably broken?
Posts: 440
This might be moot, but synaptic is now terribly broken.
Since I thought you earlier advised me (sticking with Mepis 3.4-3 because Mepis 6.0 doesn't support MySQL, which I need) to use stable repos, as this is an older release, I tried to use synaptic to edit /etc/sources.list so that it reads:
# See sources.list(5) for more information
# This file should be edited through synaptic
# Primary Debian package pool, free but often unstable
deb ftp://ftp.us.debian.org/debian/ sarge main contrib non-free
# MEPIS apt pool - specific packages available on-line
deb http://apt.mepis.org/3.4/ etch main
# mplayer
# deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb http://security.debian.org/ sarge/updates main contrib non-free
Then trying to reload hangs (as if one repo is not responding). Hitting cancel gives:
W: Couldn't stat source package list ftp://ftp.us.debian.org sarge/main Packages (/var/lib/apt/lists/ftp.us.debian.org_debian_dists_sarge_main_binary-i386_Packages) - stat (2 No such file or directory)
W: Couldn't stat source package list ftp://ftp.us.debian.org sarge/contrib Packages (/var/lib/apt/lists/ftp.us.debian.org_debian_dists_sarge_contrib_binary-i386_Packages) - stat (2 No such file or directory)
W: Couldn't stat source package list ftp://ftp.us.debian.org sarge/non-free Packages (/var/lib/apt/lists/ftp.us.debian.org_debian_dists_sarge_non-free_binary-i386_Packages) - stat (2 No such file or directory)
I was planning to reinstall anyway, but because of what you said about Mepis 6.0 not supporting mysql, I think I might move on to try some other distros.
feheeszeno

Hmm, what is the problem
Posts: 4077
Hmm, what is the problem with MySQL? It works very well, just select to install it from Synaptic.
--
Check out Mepis wiki: www.mepis.org/docs
Community site: www.mepislovers.com/forums
Are MySQL, an IDS, MediaWiki easily installable under Mepis 6.0?
Posts: 440
Context: a few days ago I wiped my old partitions (after making a backup of course) and installed Mepis 3.4-3 from the official live CD. I then tried to play around with databases and broke synaptic trying to install MediaWiki. (I am trying to set up a private wiki to conveniently document changes to my system, not to serve public pages.) When I reboot I actually get an error message saying there is no way to fix the MediaWiki config file without reinstalling since I broke it too badly. Then trying to fix the repos, as Jon suggested, I got confused and made things even worse. In fact I now appear to have fatally broken synaptic itself. This isn't serious since this was only a test install and I always intended to "do it right" in a reinstall. The trouble is I don't seem to be making progress on learning how to do it right.
Question: At one point, I said I was going to reinstall with Mepis 6.0, but then Jon duQ said MySQL is not included with that. I have the impression that Mepis 6.0 might support more packages, or at least that the default settings for synaptic might be more appropriate. Is that true?
Question: are you saying that if I reinstall using Mepis 6.0, even though MySQL is not included in the default install, if I use the default repos for Mepis 6.0 and use synaptic, MySQL should install with no problems? Does OpenOffice Base then enable me to create MySQL databases with a GUI? (I know how to do this with a shell, but if you've ever tried this, you probably agree that data entry via the shell is a real pain.)
Question: What about MediaWiki?
Question: What IDS (e.g. tripwire, aide, fcheck) is available "out of the box" (i.e. ideally an IDS should be installed and the initial hash database built before one ever connects to the net)?
Hope someone can answer these. At this point I feel I've gotten quite a bit of conflicting advice (sometimes from the same person) so I am pretty confused. I think I kinda need to get these all thoughtfully answered before I can continue.
feheeszeno

Please Post Your /etc/apt/sources.list
Posts: 5513
feheeszeno, from your last post it appears that your sources.list is not set up correctly. Please post the file for comparison.
Note, that my primary repo is as follows:
deb ftp://ftp.debian.org/debian/ testing main contrib non-free
You are showing:
deb ftp://ftp.us.debian.org/debian/ sarge main contrib non-free
The US is no longer needed on many of the repos.
And as I stated in your other thread, mysql is available in 6.0.
Jon

Quote:Question: What about
Posts: 4077
Quote: Question: What about MediaWiki?
I run a Wiki only for my personal use, therefore I can attest that Apache, MySQL, PHP and MediaWiki work on this MEPIS 6.0 box just peachy. Again, I'm not sure what Jon said, and I can't talk in his name, I talk from my experience.
As for IDS "apt-get install tripwire" should take care of that. Personally I think it's kinda useless, especially for people who upgrade the system constantly, the programs will change so you'll get false alarms and newbies will freak out. This kind of program should be installed manually by people who know what they do (but that's personal opinion).
--
Check out Mepis wiki: www.mepis.org/docs
Community site: www.mepislovers.com/forums
Trying to fix my sources.list
Posts: 440
Hi, Jon, looks like I misunderstood at least two things you told me (sorry about that!):
1. MySQL is included with Mepis 6.0-- hurrah, back to the plan to reinstall the next test installation with Mepis 6.0!
2. I thought you advised me to switch from testing to sarge, and I missed the "us". Here is the messed up file /etc/apt/sources.list (using === as quote marks):
===
# See sources.list(5) for more information
# This file should be edited through synaptic
# Primary Debian package pool, free but often unstable
deb ftp://ftp.us.debian.org/debian/ sarge main contrib non-free
# MEPIS apt pool - specific packages available on-line
deb http://apt.mepis.org/3.4/ etch main
# mplayer
# deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb http://security.debian.org/ sarge/updates main contrib non-free
===
(Note the extra blank lines.) OK, now I'm going to try to use synaptic to edit it again... hmm... I assume I want to choose "binaries" not "source" here, right? OK here is the new file
===
# See sources.list(5) for more information
# This file should be edited through synaptic
# Primary Debian package pool, free but often unstable
# deb ftp://ftp.us.debian.org/debian/ sarge main contrib non-free
# MEPIS apt pool - specific packages available on-line
deb http://apt.mepis.org/3.4/ etch main
# mplayer
# deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb http://security.debian.org/ sarge/updates main contrib non-free
deb ftp://ftp.debian.org/debian/ testing main contrib non-free
===
(Note the extra blank lines; presumably this is harmless.) OK, now I have clicked "reload".... hmmm.... OK, looks like synaptic is trying to download... oh dear, I got another error message from synaptic:
"The repository might be no longer available or could not be contacted because of network problems. If available an older version of the failed index will be used. Otherwise the repository will be ignored. Check your network connection and the correct writing of the repository address in the preferences."
The windowpane lists the following problems:
ftp://ftp.debian.org/debian/dists/testing/Release.gpg: Data socket timed out
ftp://ftp.debian.org/debian/dists/testing/main/binary-i386/Packages.gz: Server closed the connection
ftp://ftp.debian.org/debian/dists/testing/contrib/binary-i386/Packages.gz: Server closed the connection
ftp://ftp.debian.org/debian/dists/testing/non-free/binary-i386/Packages.gz: Server closed the connection
Hmm... did the server close the connection because something went wrong downloading gpg keys ("data socket timed out")?
I'll post this and try again a bit later if I haven't heard from anyone in this forum.
feheeszeno

A Couple Things
Posts: 5513
Hi feheeszeno. A couple things. First, for the security repo, I currently use the etch branch. So it looks like this:
deb http://security.debian.org/ etch/updates main contrib non-free
Second, general-purpose updates/upgrades at the moment seem to be slow. Why? Because there is a lot of development going on in the Debian community. I usually try to go through the clean, update, upgrade process about once-a-week. Even if I don't actually update anything, I like to see what's there. For the last week or so, many updates just get stuck. There are probably LOTS of people in the world updating the testing and security branches of the repositories. It is not unusual for me to be unable to get anything before I "time out".
I wouldn't worry about it too much. The slowness indicates to me that lots of "worker bees" are busy fixing things 
Jon
Apparently I still have something wrong with my sources.list
Posts: 440
I accidentally posted this information in my other active thread (sorry). This is what I meant to say here: I tried reloading synaptic again and got a similar error window pane message:
ftp.debian.org_debian_dists_testing_contrib_binary-i386_Packages) - stat (2 No such file or directory)
W: Couldn't stat source package list ftp://ftp.debian.org testing/non-free Packages (/var/lib/apt/lists/ftp.debian.org_debian_dists_testing_non-free_binary-i386_Packages) - stat (2 No such file or directory)
(I cancelled this one when it appeared to have hung.) Looks to me like the problem is that synaptic is trying to download files which don't exist. So, probably I have the right urls for the repos, but something else is wrong with my sources.list file?
(Come to think of it, while I find this site easier to navigate than most, I do somehow seem to fragment discussions because my questions never seem to fit neatly into one of the forum sections, and this leads to unnecessary confusion. Of course, if I forget which thread I meant to post a message in, that is my own goof, so I am not pointing fingers, just trying to be helpful with respect to the redesign of this website. Maybe there should be a "misc" section for users like me who tend to ask many questions all at once, because we don't know enough to ask just one focused question? Or is that the "hapless newbie" section? Hmm... been using linux for two years and still a newbie? That's sad.)
feheeszeno
My plan for test install of MEPIS 6.0, plus sources.list again
Posts: 440
OK, it now reads
more sources.list
# See sources.list(5) for more information
# This file should be edited through synaptic
# Primary Debian package pool, free but often unstable
# deb ftp://ftp.us.debian.org/debian/ sarge main contrib non-free
# MEPIS apt pool - specific packages available on-line
deb http://apt.mepis.org/3.4/ etch main
# mplayer
# deb ftp://ftp.nerim.net/debian-marillat/ etch main
# deb http://security.debian.org/ sarge/updates main contrib non-free
deb ftp://ftp.debian.org/debian/ testing main contrib non-free
deb http://security.debian.org/ etch/updates main contrib non-free
Hmmm.... reloading... I can't seem to easily copy and paste this information, but looks like it downloaded from security.debian.org just fine, but is having trouble contacting ftp.debian.org, which would agree with what you said.
(mutter, mutter, while I was continuing to write this post, I noticed that synaptic had managed to connect to ftp.debian.org and is downloading the information it requested:
ftp://ftp.debian.org/debian/dists/testing/main/binary-i386/Packages.gz: Data socket timed out
ftp://ftp.debian.org/debian/dists/testing/contrib/binary-i386/Packages.gz: Server closed the connection
ftp://ftp.debian.org/debian/dists/testing/non-free/binary-i386/Packages.gz: Server closed the connection
W: Couldn't stat source package list ftp://ftp.debian.org testing/main Packages (/var/lib/apt/lists/ftp.debian.org_debian_dists_testing_main_binary-i386_Packages) - stat (2 No such file or directory)
W: Couldn't stat source package list ftp://ftp.debian.org testing/contrib Packages (/var/lib/apt/lists/ftp.debian.org_debian_dists_testing_contrib_binary-i386_Packages) - stat (2 No such file or directory)
W: Couldn't stat source package list ftp://ftp.debian.org testing/non-free Packages (/var/lib/apt/lists/ftp.debian.org_debian_dists_testing_non-free_binary-i386_Packages) - stat (2 No such file or directory)
W: Couldn't stat source package list ftp://ftp.debian.org testing/main Packages (/var/lib/apt/lists/ftp.debian.org_debian_dists_testing_main_binary-i386_Packages) - stat (2 No such file or directory)
W: Couldn't stat source package list ftp://ftp.debian.org testing/contrib Packages (/var/lib/apt/lists/ftp.debian.org_debian_dists_testing_contrib_binary-i386_Packages) - stat (2 No such file or directory)
W: Couldn't stat source package list ftp://ftp.debian.org testing/non-free Packages (/var/lib/apt/lists/ftp.debian.org_debian_dists_testing_non-free_binary-i386_Packages) - stat (2 No such file or directory)
for what it is worth...)
OK, I suspect my synaptic database is fatally broken because it is still trying to fix the apparently unfixable problem with MediaWiki due to my previous mistakes.
Jon, I think I should probably move on to the test install of MEPIS 6.0. The goal of this test is to see if I can get working LAMP and MediaWiki on localhost (but not actually exposed to the net). So never mind MEPIS 3.-4.3; let's move on.
I'd like to avoid instantly breaking synaptic. Before I go charging off, I'd like to get your comments on my current plan, which uses various things I think (!) you have advised me:
A. off-line:
0. (optional) try to use qparted to change partitions just to get a little experience in a situation where any mistakes will be inconsequential
1. reboot with Knoppix 5.whatever and shred my harddrive (maybe after testing repartitioning since there's never a better time than right before you plan to shred the disk anyway!)
2. reboot with MEPIS 6.0 live DVD (er.. or should I have already made a bootable live CD at this point?--- I guess I have been assuming the DVD functions just like a live CD, which could be a big mistake), install MEPIS 6.0 from the Linux Magazine (Oct 2006 issue) DVD, which should include both the installer from the live CD and the packages included with the "extra CDs" someone mentioned, yielding a default MEPIS 6.0 installation with the option of adding more packages from the disk (would that perhaps be smarter than trying to add them from the repos?)
3. hopefully find one or more of open-source tripwire, aide, or, uhmm... fcheck... can that last be right? Will fcheck really allow me to keep a secured database of hashes of critical binaries which are often modified by intruders?
4. lock down guarddog into "full portstealth mode"
5. lock down firefox, but allow a few sites like this one to set cookies
6. check that I have apache server running; I know nothing about apache but if I did, at this point I'd try to make sure it is locked down in case my firewalls were penetrated (I hear I shouldn't put much faith in my router firewall, but guarddog does seem to perform as claimed for me).
7. add security.debian.org to repos using synaptic if not already there. Reread synaptic help :-/
B. Cautiously connect to net:
1. Visit grc.com and test that my firewall really has put me in "full portstealth mode".
2. Try to load package info using synaptic; I take it that this will allow me to see security messages? Also check security.debian.org via firefox to try to identify any critical system patches (e.g. patches to firefox itself).
3. Try to guesstimate an intelligent order to try to update a modest number of individual packages. (I almost always try "test only" option first to avoid trouble, but this hardly ever seems to prevent me from getting into terrible trouble in short order, with either kpackage or synaptic; there is obviously something fundamentally wrong with what I am doing, just wish I could my finger on it.) Hopefully at this point I have a fairly secure system without breaking my package management.
4. Cautiously try to use synaptic to download MySQL (with whatever else needed to meet all dependencies). Or, if this is included in the "extra CDs" on the DVD, would trying to install from the DVD be smarter?
C. Disconnect from net.
1. Try to use clunky old book to figure out how to change mysql root user password and create ordinary mysql user. Test creating a tiny database using shell commands.
2. Try to find local help from default install (e.g. K Help Center) for apache and php to try to learn enough to check that php is installed and working properly.
D. Reconnect to net.
1. Cautiously try to use synaptic to download MediaWiki (with whatever else needed to meet all dependencies). Or, if this is included in the extra CDs, would trying to install from the DVD be smarter?
Comments?
Question: In particular, I take it I should go with the default repos in synaptic after I do the install and am ready to connect to the net? Except for adding the security.debian.org repo you listed?
feheeszeno
Looks like I fixed my broken package management!
Posts: 440
This might be moot, as explained above, but I am still using my MEPIS 3.4-3 test install, and I seem to have been able to use synaptic to fix my problem. Instead of trying to follow instructions in the help, which didn't work at all, I managed to mark all the MediaWiki packages for complete removal and then clicked "Apply". This ability seems to be the biggest advantage of synaptic over kpackage.
However, as far as I can see, kpackage is much more convenient for upgrading packages piecemeal, because you can easily test the installation before doing it for real, which gives you a chance to review in advance the number of changes (a dozen more seems to indicate likely trouble). So, next, using kpackage I tried upgrading a utility which has few dependencies. Since the test looked good (1 package to install, error code 0) I did it for real and indeed the upgrade installed without error. Hmmm... just tried upgrading another package and this also installed without error. Well, this is good to know: sometimes you CAN fix broken package management, you just need to ignore the directions offered by the synaptic manual! Hmmm... come to think of it, maybe I don't understand what "fix broken packages" is supposed to do under synaptic? So maybe the problem is that despite reading the manual I still don't understand how to use synaptic properly for basic tasks? I am about to start another thread in the "Upgrading software" forum about another package management question.
feheeszeno
Calling Jon Du Quense!
Posts: 440
Hi, Jon, hope you see this.
Your comment about worker bees was helpful. I also have had intermittent problems running "update" in kpackage to get the latest debian repo situation. In the past few days I have been unable to update my apt database, which is a problem.
1. You never said: does my current /etc/apt/sources.list look OK to you? I edited this with synaptic trying to follow your advice. Here it is again:
=== BEGIN EXACT COPY OF FILE ===
# See sources.list(5) for more information
# This file should be edited through synaptic
# Primary Debian package pool, free but often unstable
# deb ftp://ftp.us.debian.org/debian/ sarge main contrib non-free
# MEPIS apt pool - specific packages available on-line
deb http://apt.mepis.org/3.4/ etch main
# mplayer
# deb ftp://ftp.nerim.net/debian-marillat/ etch main
# deb http://security.debian.org/ sarge/updates main contrib non-free
deb ftp://ftp.debian.org/debian/ testing main contrib non-free
deb http://security.debian.org/ etch/updates main contrib non-free
=== END EXACT COPY OF FILE ===
In particular, do I have security.debian.org correct? When I try to "update" my apt database, this is the one which seems to be "IGN" most often. I just want to check that the problem is not that I simply goofed yet again in my /etc/apt/sources.list file.
2. You never said: what should I expect to see using synaptic if and when I can load the security advisory information? Is this incorporated into the "blurbs" under kpackage or something? I have noticed no change with either kpackage or synaptic, although this might reflect the "busy bees" unintentionally preventing my apt from accessing this information.
advTHANKSance, feheeszeno
P.S.: Just Googled posting <1991Mar29.151930.5767@cc.helsinki.fi> to comp.os.minix on 29 Mar 1991 15:19:30 GMT which should be of interest to historians of technology :-/ Thucydides never had it so easy... Does anyone know what is the very earliest UseNet post on record at Google? They ought to put up a page linking to some posts of particular historical interest, like the very first known spam post to UseNet, or the more benevolent example noted above.

Remark for non-paranoids
Posts: 1634
Remark for non-paranoids: see the recent BBC study in which an intrepid reporter set up a honeypot and found his machine was attacked within seconds, with attacks every hour or so which hosed the test machine. Point being: while upgrading all your packages, you are vulnerable to having unplugged holes attacked before you can complete the upgrade! In the worst case scenario, this could be true even if you set strong initial firewall settings before connecting to the Net for the first time in order to perform the Grand Initial Upgrade.
The machine involved was running windoze xp (SP2? as I recall?). The risks are not even remotely equivalent.
It's child's play to compromise a windoze-based system from outside. It takes rare skill to compromise a Linux-based system from outside--usually with specific knowledge of the system being attacked.
In my informal tracking of windoze security risks -vs- Linux security risks, you are subject to roughly 8 potential exploits which can directly affect Linux itself; as compared to far in excess of 50,000 windoze exploits that regularly hammer thousands of clueless computer owners.
Most of the 40-odd, non-redundant exploits directed against Linux-based systems are crafted to attack publicly-provided services (Apache, PHPBB, sendmail, etc.) and not Linux itself. If you are not running a web server in your closet, and surfing the Internet, logged in as root, your risks are nearly non-existent.
Where a successful exploit is seen, it's usually as a direct result of 'pilot error' and dismally unspectacular, at best.
You are light years past the point of diminishing returns in your paranoia.
"You have two labs?"
"Each has its place. At the university, I try to please the Federal Government. Here, I negotiate with God."
BBC news story
Posts: 440
Hi, EnigmaOne, you are right about the BBC experiment; they mention in their story that their machine was running Windows and not well protected. I am certainly heartened by the figures you provided! It sounds a little too good to be true; can you cite a CERT whitepaper or something similarly authoritative?
I recently revisited the Top 20 Vulnerabilities list, and noted that they have revised this to emphasize that many attacks target services like apache and sendmail which are common to many Windows and Linux systems. And I know that the lion's share of the scare stories directly affecting the average linux home user in the past year have concerned Firefox, which is apparently also used by many Windows users.
I do not question that for the average home user, IN PRACTICE, linux tends to be more secure out of the box than Windows, simply because many default linux installs are now fairly secure and because so many attacks target Windows specific vulnerabilities. However, I feel that you are making some assumptions which mean that your remarks could provide possibly dangerous false reassurance to SOME linux users.
As for initial upgrade: Jon and I already established that trying to upgrade everything upgradeable (Grand Initial Upgrade) is neither necessary nor a good idea. Rather one could use something like debsecan to identify packages one should try to immediately upgrade (probably one by one, testing each one to try to prevent breaking package management) to obtain security patches for "highly critical" vulnerabilities applicable to the software just installed. I should mention that at least one professional sysadmin agreed with me in private conversation that my concern about being cracked while trying to obtain patches is not so absurd as you think. I think he said he's seen something similar (in the context of installing a server on a large Red Hat system, not a home system.)
I might also add that there seem to be fair number of "highly critical" vulnerabilities over the years in the linux kernel itself, e.g.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3626
(a race condition in Linux kernel 2.6.17.4) probably affects at least some MEPIS users, and as I mentioned in various threads, I am interested in exploring Xen, which can have both security benefits and (mostly unknown) security risks (since Xen is still a fairly little-used and little-audited hypervisor system).
Hmmm... the more I think about it, the more I doubt your numbers. I know of long lists of "highly critical" problems affecting users of various linux distros, IN ADDITION TO problems in common services, browsers, etc. Maybe you meant that you believe that most of these, while in principle very dangerous, are unlikely to actually be exploited by script kiddies? Maybe so, but that's hard to assess, and you appear to be making assumptions which in my opinion are not appropriate for every linux home user.
Once again I seem to have inadvertently wound up discussing various issues scattered over various threads (sooooorrry!), but for your convenience: if you have downloaded the package debsecan (which installed without trouble in my test MEPIS 3.4-3 system), try this:
debsecan --suite etch > vulnerabilitylist
grep "high urgency" vulnerabilitylist | wc
grep "remotely exploitable" vulnerabilitylist | wc
This might be a better way to try to estimate the number of known vulnerabilities in Debian systems, which is no doubt an underestimate of the vulnerabilities directly affecting the typical MEPIS user. Whether typical grave vulnerabilities are in fact widely exploited by bad guys is another issue (a legitimate one, but obviously very hard to assess.)
We might be getting off the topic... I am hoping to hear from Jon Du Quense regarding my question above before I dash and try my MEPIS 6.0 and/or Ubuntu test installs.
feheeszeno
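The debsecan tally above, as an added example that is not part of the original post: the grep | wc pipeline counts lines containing "high urgency" or "remotely exploitable", but it cannot tell you which packages to upgrade first, and it counts entries debsecan has already marked fixed. The parser below does the same counting and adds the per-package breakdown. The line format is an assumption modelled on debsecan's one-line summary (CVE id, package name, then flags and urgency in parentheses); the sample lines are constructed, not real debsecan output.

```python
"""Tally debsecan-style vulnerability lines by urgency and exploitability.

Added example, not from the original post and not debsecan's own code.
Assumed line format (modelled on debsecan's summary output):

    CVE-YYYY-NNNN package (flag, flag, ..., <level> urgency)

SAMPLE below is constructed for illustration.
"""
import re
from collections import Counter

SAMPLE = """\
CVE-2006-3626 linux-2.6 (high urgency)
CVE-2006-0001 apache2 (remotely exploitable, high urgency)
CVE-2006-0002 firefox (remotely exploitable, high urgency)
CVE-2006-0003 gimp (low urgency)
CVE-2006-0004 sendmail (fixed, remotely exploitable, medium urgency)
CVE-2006-0005 apache2 (remotely exploitable, medium urgency)
CVE-2006-0006 libfoo (obsolete, low urgency)
"""

LINE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(\S+)\s+\((.*)\)\s*$")


def parse(text):
    """Return a list of entries: cve, package, flags (set), urgency (str or None)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate blank lines and anything that is not a CVE line
        cve, pkg, rest = m.groups()
        flags, urgency = set(), None
        for part in (p.strip() for p in rest.split(",")):
            if part.endswith(" urgency"):
                urgency = part[: -len(" urgency")]
            elif part:
                flags.add(part)
        entries.append({"cve": cve, "package": pkg, "flags": flags, "urgency": urgency})
    return entries


def summarize(entries):
    """Counts comparable to the two grep|wc commands, plus what to patch first.

    'high' and 'remote' are substring counts like grep would give;
    'remote_high_unfixed' drops entries debsecan already marks as fixed,
    and 'by_package' is the upgrade-first list grouped by package.
    """
    high = [e for e in entries if e["urgency"] == "high"]
    remote = [e for e in entries if "remotely exploitable" in e["flags"]]
    urgent = [e for e in high
              if "remotely exploitable" in e["flags"] and "fixed" not in e["flags"]]
    return {
        "total": len(entries),
        "high": len(high),
        "remote": len(remote),
        "remote_high_unfixed": len(urgent),
        "by_package": dict(Counter(e["package"] for e in urgent)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

To use it on a real machine, replace SAMPLE with the contents of the vulnerabilitylist file written by `debsecan --suite etch`; if the installed debsecan prints a slightly different layout, adjust LINE_RE rather than the counting logic.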
To be 100% safe - - -
Posts: 110
- - -airgap your modem.

Don't misconstrue this as a
Posts: 66
Don't misconstrue this as a flame. It isn't in the slightest. I simply think that you're using a combination of a shotgun and chainsaw, where a scalpel is far more appropriate.
Your CVE reference relates to a possible risk of local users gaining root access to the machine in question. This has nothing to do with remote threats from the Internet, or even the local subnet. (Forget telnet. Competent admins have disabled telnet at install for years, now.)
You cannot get local access to my machine. (Yes, you personally. I could give you my IP address and it would be an impossible task for you, from where you're sitting now.) You have to be in front of the keyboard to pull that one off. Anyone who tries to get local access to my machine doesn't need to worry about tripwire, or any other IDS. They need to worry about my aim, and the 18 rounds that will be following the first one; because kicking down my front door is just about the only way to make the attempt.
This is the exact kind of misrepresentation (unintentional or otherwise) of presumed remote exploits, with respect to Linux, that has been going on since RH5.1; and, it is probably this exact misunderstanding of the risk involved that is fueling your fears. All presumed security 'vulnerabilities' are not equal.
I've haunted the security lists and various vulnerability tracking sites for years. One of the foibles of such sources is that many vulnerabilities--particularly, for some reason, presumed Linux-oriented vulnerabilities--are listed multiple times for the very same exploit code.
It's actually funny to see the differences between CERT, Symantec and McAfee listings. The >ahem< microsoft 'partners' seem to trump-up the results of Open Source software audits that churn-up a theoretically exploitable bit of code that has already been patched; and the bar for 'criticality' seems to be quite a bit lower in our neck of the woods, than it seems to be in Redmond.
Not all that long ago, I did do a survey of such listings, and discovered that some 56 to 64 Linux vulnerability entries condensed down to less than 20 (I think it was something like 16 or 18), with only 8 of those actually holding the potential to affect anything I had on my system. One, I think applied to sendmail and another was a Netscape issue. There was another directed at Mozilla, one that was Gnome-specific, another taking a shot at the GIMP, and the rest potentially reached into the core system binaries. That's not a lot, and that's not an exaggeration.
The catch is this: None of them were a threat because all of the vulnerabilities had been long ago patched, and said patches already applied to all of my systems.
Then again, there was that so-called RedHat update that was emailed to some folks (even Debian and Slackware users, IIRC). The one that you had to login as root and do
./configure make make install
to infect yourself with.
I have yet to hear of anyone who fell for that.
I also think there was an incident of an .rpm being emailed around too. Never heard of anyone being stupid enough to bite that hook either. No matter. The tech press made a ridiculous hoopla over it, anyway; much to the detriment of their own credibility.
Where a microsoft exploit possesses a time to patch measured in months (in some cases times exceeding a year); Open Source exploits are more theoretical (proof of concept) in nature, and possess a time to patch interval of mere hours or days. It is not unusual to have Open Source patches precede the vulnerability announcement itself.
Results are the only thing I care about, and here they are:
Connect a windoze computer to the Internet, and you'll be owned in a matter of hours. Nobody (except the Redmondites and microserfs) will ever dispute that simple fact. The HoneyPot project certainly isn't new. They've been having fun with the script kiddies for years. I wonder why the BBC is just now getting around to paying attention to things like this.
I've been using Linux on a boat load of machines since the RedHat Mother's Day Release (around 11 years, by my rune-casting) and going something like the first-half of that time frame without having ipchains or iptables running at all.
I have never had an exploit or compromise on any Linux-based machine.
I don't curtail my use of any machine out of fear, nor do I worry about it in the slightest. I know how to monitor my network traffic and system integrity, and I do so regularly.
One of my customers has been running Linspire without so much as a firewall, Surf Safe or any kind of AV for a little over three years. The only paranoid thing he does is run the CNR client every week or so. I check his system every time I get my hands on it, and I have yet to spot anything that would give me the barest of pauses. He has never had a crash. He has never had any sort of compromise. Period.
Having dealt with exploited machines 3 or 4 times a week, over the past 8 or so years, (all windoze-based machines, incidentally) I know what to look for, and how to fix it (in a majority of the instances) without re-parting, formatting and reloading the OS. That is, quite frankly, what I get paid for: Saving vital customer data.
In the windoze world, people would do well to be ten times as paranoid about exploit potential as you seem to be.
In the Linux/FreeBSD world, you have misjudged the level of threat. A simple lack of complacency will suffice, thanks.
Now...if you're managing a heterogeneous networking environment, with lots of windoze users wandering all over the place...you are obviously not paranoid enough...run for your life!
Website: http://www.gabston-howell.org/
WebLog: http://www.gabston-howell.org/wl/
Must Reads for Newbies:
http://www.catb.org/~esr/faqs/smart-questions.html
http://www.tldp.org/
Complacency <-------O-> Rampant Paranoia
Posts: 440
Hi, Allan, you raise some very good points and I really appreciate your input. Let me try to summarize:
1. You are quite right, I didn't realize that the CVE advisory I cited concerned possible malfeasance by a local user rather than intrusion from a remote machine.
2. These advisories rate problems on a scale like 1-5, but this isn't really enough information; it would be helpful for baffled newbies if they also explained whether the flaw could be exploited by remote or only by local attackers, or more to the point whether the hypothetical exploit could target home users, or would presumably be aimed at other targets, and whether or not there is a reasonable expectation of encountering exploits of this particular vulnerability "in the wild" within some time period.
3. Closer examination shows that many vulnerabilities are listed redundantly.
4. Most open-source vulnerabilities are quickly patched, unlike proprietary software for which no patches may be available for some time; this is very good, but still leaves me and probably many other newbies with a problem: typically, I don't know how to obtain and implement the patches! This website has never made any attempt that I can see to even pay lip service to issues of security, and the attitude in the Forum has been "that doesn't apply to US", which I see as irresponsible and unhelpful. Example: no-one was able to tell me how to patch Firefox last year (it certainly didn't help that my package management was completely broken soon after I started using MEPIS by the repo fiasco associated with earlier versions). I couldn't even seem to explain the distinction I see between patching (fixing a bug or closing a security hole, without changing any dependencies) and upgrading (introducing new features, which often introduces new bugs and security holes as well). Even worse are those users who react with sarcasm, e.g. suggesting that I disconnect myself from the net entirely.
5. There is good reason to expect that security firms may tend to overhype vulnerabilities in order to drum up business; certainly local news tends to overhype anything they can on any given slow news day. I suppose you were saying that security firms partnered with Microsoft may hype open-source problems in deference to their overlord in Redmond, but I understand that Microsoft tends to have a very shaky relation with the "independent" security firms (e.g. trying to prevent them from doing their job with Vista, according to a BBC story I didn't read very closely because I don't use Windows). I have actually been aware of this point for a long time, but it is a good point nonetheless.
6. I was shocked to learn that Linspire users always run as root. But later I saw a study of honeypot machines running various unpatched distros of linux which found that the Linspire distro was the only one which survived for one day with default settings, apparently because linspire has by default very strong firewall settings (as I mentioned, I set guarddog settings to be much stronger than default, which would probably help me survive many attacks from a remote site). Unfortunately I have lost the link to this study, and my memory is vague on a key point: did they really claim that announced security holes in the other honeypot machines were actually exploited by genuine attacks within a day or so? That is my memory, but I have noticed that news stories often become unaccountably vague on key points like this. Be this as it may, I recall getting the impression that the point of the study was that patching flaws on the day they are announced is just as important for linux users as for Windows users. Another story I saw recently--- might have been the BBC story on the Honeypot Project--- specifically said that it is now common for attack scripts to attack known linux-specific vulnerabilities as well as known Windows-vulnerabilities.
7. Many of the vulnerabilities under discussion concern not the OS itself (whether linux kernel or Windows) but some service or utility often used by both linux and Windows users. In such cases, I don't really know enough to judge whether these typically endanger linux users as much as Windows users. For example, for those who failed to immediately patch Firefox (which has had a string of widely publicized problems in the last year, as I am sure you know), I don't know how serious the threat was to the average linux user versus the average Windows user. I am fairly confident that my interior firewall at least is strong, since I've tested it via ShieldsUP at grc.com, but I know that I have been running a lot of software with known problems which I haven't patched because I don't know how to do that (other than by upgrading, which isn't always possible).
8. The gravest threat to my computer security probably comes from... myself! Because I sometimes commit errors or do something very stupid because I happen to be very tired, etc., or through excusable ignorance (not knowing how to patch because no-one is willing to tell me enough so that I can actually learn to do it for myself). And because by being paranoid, I tend to try to disable things (following advice in the scary books I read, even though I know that this advice tacitly assumes I am the sysadmin for a large system!-- advice appropriate for myself appears to be simply unavailable, so I make the best I can of what advice I can find), which might have the paradoxical effect of DECREASING my security, because I have unintentionally broken some valuable security feature whose author wasn't expecting the user to disable whatever I disabled. Actually, I have been unpleasantly aware of this point for quite some time (and have unfortunately caught myself validating it more than once in the past year), but it is a good point nonetheless.
I have been trying to make some points of my own:
A. The distinction between home users, small businesses and medical practices, and high profile large companies, banks, universities, or government facilities, is important and useful, but it can also prevent a clear-sighted appraisal of risk. For example, you appear to be assuming that a home user need not worry about local attackers. In most cases I certainly hope you are right, but in the case of say a husband/wife undergoing a messy and acrimonious divorce, this assumption might not be warranted. (Another recent BBC news story reported on a survey which claimed to establish that most spouses have illicitly read their partner's email or performed other acts of domestic espionage, even if their marriage is not--- yet--- on the rocks.) Or this: not every instance of a "doting father" spying on his daughter's computer is innocuous. Also, many home users operate one or more laptops, and these obviously pose peculiar security risks, especially if they are ever taken outside the house (as most laptops presumably often are).
B. In my experience, most users who participate in discussions like this seem to make various assumptions which I tend to feel are unwarranted in many situations. Not all home users are alike. In my case, I think power users tend to find my posts unsettling, because they can't understand why I seem to know more than many about security issues (easily explained: I read some books on the subject!) yet seem to know less than most about programming (easily explained: I am not a programmer or even particularly enamored of software per se). On occasion this has even led to statements to the effect that I must be trolling (not true; I've never been a troll and never will be). I simply want to use a computer to do things which are inconvenient or impossible without a computer (such as writing), but playing it safe has always been a life motto for me. Such individuals tend to avoid activities which could potentially lead to loss of their savings (say), particularly if they are not confident of their level of expertise in said activity. Yet, this is not an option in the modern world when it comes to computing. Here, everyone MUST use a computer (or become disconnected from society, as the other commentator sarcastically advised), yet very few believe they have much expertise in the field. This is the real source of my "paranoia"; individuals with different life mottos (say those who like to gamble or believe in their personal invulnerability) are much more likely to simply shrug off computer security concerns on the grounds that they aren't going to stop using their computer simply because they have no idea how to use it safely. Frankly I suspect that many linux users who claim "oh, security? That doesn't apply HERE!" basically fall into the group of people who have convinced themselves that since clearly very few really understand this stuff, they aren't going to worry about whether they should worry about it.
I'd like to see more effort in the linux community to recognize that not all home users are alike, and part of recruiting new users involves recognizing that in addition to adventurous personalities, there is probably also a pool of current Windows users who prefer to play it safe, but have been making an exception when it comes to computers because they are utterly baffled by the issue of computer security. If you accept this, it follows that websites like this should pay much more attention to trying to educate drop-ins with some thoughtful and wise tutorials on the subject (MEPIS oriented of course in the case of this website).
C. There are many other aspects to computer/data security in addition to preventing your home system from being compromised. Indeed, the greatest threats to your health (financial or otherwise) most likely involve systems not under your control, such as websites you visit, government agencies which compromise vital data through the carelessness of an employee, and so on and on and on. This loops back to 8 above when someone like myself tries to install something like Tor, without realizing that using Tor apparently entails a high security risk to any computer running a Tor server. This risk is particularly acute for users who have very little idea what they are doing.
This kind of discussion tends to become self-referential, e.g. I am unable (or unwilling) to discuss some further points about discussions in a public forum which gravely concern me. Some of these points have however been raised in other forums. But I've already broken enough rules of safe-surfing "for the day" in this discussion. (Point being: nothing said on the web is really "for the day"; potentially, it is all "forever".)
feheeszeno

people are the risk
Posts: 4864
feheeszeno,
you have realised that you are the person most likely to cause risk to your computers.
I've just been reading some of Kevin Mitnick's work, and he covers well that the main risk is people risk not computer security risk.
now, i have a moderate degree of paranoia, and have logcheck watching my logs for me and some very interesting packages which deal with the regular attacks on my ssh server. they are usually script kiddie attacks, because they use the same list of potential logins over and over again.
rarely is the ftp server attacked or is apache under siege.
i know just who comes, they are all logged, and i read the logs.
Just because we don't discuss security doesn't mean that we aren't interested or not practising it, but i have hardened my servers according to the ongoing risk which i have assessed as being real, and not imaginary.
If you get copies of Kevin Mitnick's books you will find them very interesting.
Still calling Jon Du Q!
Posts: 440
Still trying to make sure Jon saw my question above, since I really want his feedback and the rest of us got into an interesting but long digression which might falsely suggest I have lost interest in my question.
I am preparing to try to install MEPIS 6.0 and want to "do it right" this time. (I'll settle for "more right", but package management is pretty essential.)
Meanwhile another issue regarding package management has arisen in yet another thread (sorry!): as I understand it, with default MEPIS install, apt via its frontends kpackage or synaptic always verifies the MD5 sum or SHA-1 hash of any package downloaded, and issues a warning if the sums don't match, but it seems that it does NOT support "out of the box" checking gpg signatures. I'd expect that users would need to take the trouble to configure gpg and then to import a Debian developers keyring. Specifically, I would expect that the command mentioned in http://www.debian-administration.org/articles/174 would work:
gpg --keyserver keyring.debian.org --recv 4F368D5D
But even though ping shows keyring.debian.org is up, I get this:
gpg: requesting key 4F368D5D from hkp server keyring.debian.org
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error
Someone else mentioned importing keys of individual developers, using warning messages in synaptic:
gpg --keyserver wwwkeys.eu.pgp.net --recv-keys A506E6D4DD4D5088
gpg --armor --export A506E6D4DD4D5088 | apt-key add -
Unfortunately, I don't remember seeing the keys mentioned in the warning messages I've seen.
I am currently trying to contact the repos using synaptic so that I can test the second procedure on some innocuous package.
feheeszeno
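The distinction drawn in the post above between hash checking and signature checking, as an added example that is neither part of the original post nor apt's own code: apt compares a downloaded .deb against the MD5sum/SHA1 fields in the Packages index, and the Packages index against the hash list in the Release file, but both of those are integrity checks on data the mirror itself served. Only a gpg signature on Release (Release.gpg, verified against a key imported with apt-key) makes the chain an authenticity check, which is why a mirror operator who rewrites the package, the index and the Release file together passes every hash comparison. The in-memory "mirror" below is constructed for illustration; the Release and Packages layouts follow the Debian formats in simplified form (an assumption), and the gpg verification is left to the caller rather than simulated.

```python
"""Walk the Release -> Packages -> .deb hash chain the way apt does.

Added example, not from the original post and not apt's own code.
Assumptions: the Release file lists index files under a "SHA1:" header
as " <sha1> <size> <path>", and each Packages stanza carries Filename,
Size, MD5sum and SHA1 fields. The repository contents are constructed.
"""
import hashlib


def md5(data):
    return hashlib.md5(data).hexdigest()


def sha1(data):
    return hashlib.sha1(data).hexdigest()


DEB_PATH = "pool/main/e/example/example_1.0-1_i386.deb"
INDEX_PATH = "main/binary-i386/Packages"


def build_mirror(deb_bytes):
    """Constructed repository: one .deb, one Packages index, one Release file."""
    packages = (
        "Package: example\nVersion: 1.0-1\n"
        f"Filename: {DEB_PATH}\nSize: {len(deb_bytes)}\n"
        f"MD5sum: {md5(deb_bytes)}\nSHA1: {sha1(deb_bytes)}\n\n"
    ).encode()
    release = (
        "Suite: etch\nSHA1:\n"
        f" {sha1(packages)} {len(packages)} {INDEX_PATH}\n"
    ).encode()
    return {"Release": release, INDEX_PATH: packages, DEB_PATH: deb_bytes}


def parse_release_sha1(release_bytes):
    """Return {path: (sha1, size)} from the SHA1: section of a Release file."""
    result, in_sha1 = {}, False
    for line in release_bytes.decode().splitlines():
        if not line.startswith(" "):
            in_sha1 = line.strip() == "SHA1:"  # a new field header
            continue
        if in_sha1:
            digest, size, path = line.split()
            result[path] = (digest, int(size))
    return result


def parse_packages(packages_bytes):
    """Return {Filename: fields} for every stanza in a Packages file."""
    stanzas, cur = {}, {}
    for line in packages_bytes.decode().splitlines() + [""]:
        if not line.strip():          # blank line ends a stanza
            if cur:
                stanzas[cur["Filename"]] = cur
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    return stanzas


def verify_package(mirror, deb_path, release_authenticated=False):
    """Return (integrity_ok, authenticity_ok, reason).

    integrity_ok: every link Release -> Packages -> .deb matches.
    authenticity_ok: integrity_ok AND the caller has already verified the
    gpg signature on Release (e.g. gpg --verify Release.gpg Release with a
    key added via apt-key). The signature is NOT checked here.
    """
    release = parse_release_sha1(mirror["Release"])
    if INDEX_PATH not in release:
        return False, False, "Packages index not listed in Release"
    index = mirror[INDEX_PATH]
    if (sha1(index), len(index)) != release[INDEX_PATH]:
        return False, False, "Packages index does not match Release"
    stanza = parse_packages(index).get(deb_path)
    if stanza is None:
        return False, False, "package not in Packages index"
    deb = mirror[deb_path]
    if (len(deb) != int(stanza["Size"]) or md5(deb) != stanza["MD5sum"]
            or sha1(deb) != stanza["SHA1"]):
        return False, False, ".deb does not match Packages index"
    if not release_authenticated:
        return True, False, "hashes match, but Release signature not verified"
    return True, True, "ok"


def demo():
    """Three mirrors: honest, one tampered file, and a consistently rewritten one."""
    honest = build_mirror(b"constructed fake .deb contents")
    tampered = dict(honest)
    tampered[DEB_PATH] = b"trojaned .deb, index left alone"
    rewritten = build_mirror(b"trojaned .deb with matching index and Release")
    return (verify_package(honest, DEB_PATH),     # integrity yes, authenticity no
            verify_package(tampered, DEB_PATH),   # caught by the hash chain
            verify_package(rewritten, DEB_PATH))  # passes every hash; only gpg catches it


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case is the one the gpg/apt-key step exists for: the hashes are perfectly consistent because the attacker generated them, so release_authenticated should only ever be set True from a real signature check against a key you obtained out of band.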

'EEEeeeeze Back!
Posts: 5513
Hello feheeszeno, EnigmaOne, drlizau, and others. I've been away for the long weekend so am just now picking up the slack and I don't mean that "Other Linux Distro" (ba dum bum!) 
Allan's and Liz's comments are well placed (and much better than I could do). Regarding your repositories feheeszeno, they look fine. On my older boxes, I have "etch" set up as my security link because etch is newer.
Keep in mind that, when you run synaptic "reload" or "apt-get update" you are getting info on ALL the potential packages, but that when you choose synaptic's "Mark All Upgrades" or "apt-get upgrade" that you can only choose those things you have already installed. If you install "apt-listbugs" (apt-get install apt-listbugs as user root) then you will see security and bug reports for various packages. As Allan pointed out above, often when you load a package you will find that the "bugs" have already been fixed. They will be shown by "apt-listbugs" as "done".
So the reason I use "etch" for security is because it's going to have the most recent security info, and it will include potential packages that you would need to update. They are "potential packages" because, if you don't have the packages installed in the first place, then you won't need to update them 
I am not a security guru. I am, like many of the folks here, "security conscious". I gotta get some of Mitnick's books Liz! You might also be interested in subscribing to Bruce Schneier's Crypto-Gram Newsletter feheeszeno:
Schneier.com
http://www.schneier.com/crypto-gram.html
Lots of stuff to make your eyeballs and brain pop 
Jon

Completing the Square...
Posts: 66
Forgive the state of the following. I jotted this down, last night, while phone-phixing a couple of customers. Between distraction and lack of sleep, some of this may have translated to the written form in a bit of a scattered fashion. I post this merely after the fashion of completing a thread of thought.
As I was jotting these things down, I was doing the nostalgia-thing over my college days.
Mr. Vahe Tatoian was my Calculus Professor and, at the time, I literally reviled the ground he even considered walking on. My memories of Professor Vahe Tatoian are, as with every one of my other demanding mentors, much fonder; given the passage of some two and a-half decades.
I'm certain that some of this is flavored by my reminiscences of those difficult days. Perhaps I will include him in a future article, but not here.
Well, I see that Jon's back....I'm-a gonna go cower in the corner for a li'l bit. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I don't know how to obtain and implement the patches! This website has never made any attempt that I can see to even pay lip service to issues of security, and the attitude in the Forum has been "that doesn't apply to US", which I see as irresponsible and unhelpful.
Security is, for many of us, much like breathing. At some level, it simply isn't necessary to talk about it...we just do it. An imperfect analogy, at best, but you get the idea.
This falls into the "Freedom goes hand in hand with responsibility" venue; and, much has been said elsewhere about the responsible exercise of freedoms--particularly in its application to the Open Source community. I think I feel another--woefully unoriginal--article brewing in the back of my brain.
Example: no-one was able to tell me how to patch Firefox last year (it certainly didn't help that my package management was completely broken soon after I started using MEPIS by the repo fiasco associated with earlier versions). I couldn't even seem to explain the distinction I see between patching (fixing a bug or closing a security hole, without changing any dependencies) and upgrading (introducing new features, which often introduces new bugs and security holes as well).
The repo fiasco was an aberration; yet, you seem to be reacting to it as though this is the way things have always been. It has not. I, again, recommend that you install 6.0-Final.
You are unlikely to experience 'patching', per se, with Linux, without dealing with diffs at the source code level. You will be upgrading more often than not.
As to taking care of issues with programs like Firefox, ghostview, et al, I generally remove my personally-crafted list of certain programs (like Firefox and, for certain installations, even KDE) and install from source or tarball into /opt. A program upgrade is then as easy as overwriting the binary contents of /opt/{program_name} with the upgraded version. In such cases, I'm downloading directly from Mozilla.org or gimp.org, ad infinitum. There are those programs that I upgrade through apt-get or dpkg; however, it is my understanding that you are in a difficult position with respect to the repos, and this prevents you from taking full advantage of the resources immediately available to you.
Let us consider the case of patching/upgrading Firefox:
(1.) You become aware of an issue with Firefox.
(2.) You wish to solve said issue with Firefox.
(3.) You visit the support site of your distro provider (whom you do, I hope, financially support).
(4.) You discover that, probably due to the nature of Debian-based distributions, there is no 'instant solution' available to you.
Your next steps are obvious:
(5.) Download the updated tarball release of Firefox from mozilla.org.
(6.) Install the tarball, following the instructions provided by the Mozilla Foundation.
(7.) Test the newly-installed Firefox.
(8.) Remove the old Firefox installation in the manner most appropriate to your circumstances.
(9.) Problem solved.
I was shocked to learn that Linspire users always run as root.
I believed this for some time, too. The short answer is: It is not currently true, nor has it been true for more than three or four years. (Michael Robertson would roll-over on the deck of his yacht!) I do not care for the implicitly light treatment given to the creation of a normal user account by Lindows/Linspire, on installation; however, the statement--as set-forth--is not an accurate presentation of the default state of affairs with the current Linspire/Freespire distribution, nor the general habits of its userbase.
...I don't really know enough to judge whether these typically endanger linux users as much as Windows users. For example, for those who failed to immediately patch Firefox (which has had a string of widely publicized problems in the last year, as I am sure you know), I don't know how serious the threat was to the average linux user versus the average Windows user.
Therein lies the crux of the problem for you...(Please take this as gentle advice.)...it is not the responsibility of the Open Source Community to teach you what you want to know, or that which you state that you do not know. Neither is it the responsibility of the Open Source Community (or even MEPIS, LLC) to do the object 'I-want-it' for you, or even provide a canned-solution that will not be a best-fit for the majority of the users out there. The tools and information have already been liberally provided--in most cases, at no financial cost to you.
It is your responsibility to use those resources which are already available to you--to learn. That is the epitome of the exercise of your freedoms.
In general, the security model of Linux prevents unfettered access to the system binaries; the likes of which cannot be prevented under the NT security model. Userspace and Kernelspace are quite well partitioned from one another in the Unix/Linux/FreeBSD/Minix paradigm. This cannot be truthfully said about the rampant RPC-NT way of doing things.
Most of the security issues that you have observed, with respect to Firefox, are only issues because of the windoze APIs and RPC mechanisms. Very few of those published exploits could compromise user files on a Linux-based system; simply because of the differences between the security models of the two OS platforms. Regretfully, however, many windoze-only Firefox issues were incorrectly set-forth as being potential avenues of exploitation on Linux, when nothing could have been further from the truth. Microsoft has, of course, attempted to leverage the widespread ignorance, of the true mechanisms of potential compromise involved, against Firefox/Mozilla.org. I am certain that you will see more falsehoods from microsoft, after this same fashion, as more Open Source applications are ported to a ridiculously insecure Operating System--windoze.
...worry about local attackers...
A sticky issue, at best, and not one given to facile answers. It takes planning and work. However, using my own home as an analogy, it is my responsibility to maintain the security of my own premises--or hire a security professional (who will not, in all likelihood, do as good a job as I can) to maintain the security of my home for me. My home is my property, as are my computers--the responsibilities are the same. It is also the responsibility of my neighbor to maintain the security of his own property. I will not insult his intelligence, nor competence, by presuming to do it for him; nor to give him unsolicited advice in his own domestic responsibilities.
Last night, I telephoned the customer I mentioned elsewhere, and walked him through installing the firewall measures appropriate to his Linspire installation. He probably doesn't need it, being two hardware firewalls away from his broadband connection; but, it is probably best for my conscience that this be done. I will visit his home, later in the week, and compare his installation against his back up media; and correlate those changes against his CNR logs.
...most users who participate in discussions like this seem to make various assumptions which I tend to feel are unwarranted in many situations...Frankly I suspect that many linux users who claim "oh, security? That doesn't apply HERE!" basically fall into the group of people who have convinced themselves that since clearly very few really understand this stuff, they aren't going to worry about whether they should worry about it. I'd like to see more effort in the linux community to recognize that not all home users are alike, and part of recruiting new users involves recognizing that in addition to adventurous personalities, there is probably also a pool of current Windows users who prefer to play it safe, but have been making an exception when it comes to computers because they are utterly baffled by the issue of computer security.
I think you misunderstand us, and cast us in a far worse light than is, objectively speaking, necessary or accurate.
Security is, by comparison, more of a "way of life"...our default behavior, if you will...in our community, than you would find in even the staunchest of security-conscious circles in the windoze world. Where you find wide variance from this habit and practice, is within that constant influx of 'windoze refugees' that we deal with. Many 'windoze refugees' are looking for an excuse not to confront issues of security, and hope that their interpretation of our words means that they will never have to think about things like RBLs, MessageLabs stats, ICSI pubs, EECS Berkeley research, CSE@UCSD collaborative efforts, CAIDA reports, security, app upgrades; CVE, CERT, CIAC, f-prot, secunia, sophos and f-secure advisories.
In many cases, it can be accurately stated that, they do not wish to learn. That is their right.
Albeit, among other factors, were security not a "Way of Life" for us, you would see Sapphire-like outbreaks more often from our quarter; as well as the kind of global disruption that is the norm from exploited microsoft hosts. It may interest you to know that the windoze-targeted Sapphire contained several errors in coding which both restricted and slowed its 8.5 second cycle, geometrically-progressive spread. That fact raises grave concerns for the integrity of the public Internet: As bad as it was, it could have been worse; and we Linux/FreeBSD users suffered along with those who directly caused as well as those who aided and abetted the transgression. It may further interest you to know that the kind of global disruption; caused by Sapphire, Code Red, and other variants; has never been imposed upon the world from the Linux/FreeBSD community.
...when someone like myself tries to install something like Tor, without realizing that using Tor apparently entails a high security risk to any computer running a Tor server. This risk is particularly acute for users who have very little idea what they are doing.
I think we are in substantial agreement upon that implicit point: Naivete or/and ignorance is/are the antithesis of computer security.
Website: http://www.gabston-howell.org/
WebLog: http://www.gabston-howell.org/wl/
Must Reads for Newbies:
http://www.catb.org/~esr/faqs/smart-questions.html
http://www.tldp.org/
'EEEeeeeze Back!
Posts: 440
Hi again to you both,
Jon: thanks much for checking my current /etc/sources.list file--- good to know that I haven't simply goofed in trying to add the security list. But you missed the second question above: what difference am I supposed to see as the result of adding the security repo? Part of the problem is that that server seems to be so busy that I am having a very hard time accessing it, which makes it almost impossible for me to use synaptic.
However, I might have a fairly simple procedure for rapidly identifying candidates for immediate upgrade (the numbers might even be small enough for cautiously upgrading them one by one to be workable):
1. Use apt via kpackage or synaptic to download the package debsecan if this is not installed by default with your MEPIS. I was able to download this with kpackage (much faster to initialize than synaptic, possibly because--- how ironic!--- I don't think it "wastes time" trying to verify signatures, whereas my still misconfigured synaptic may be trying to compute signatures and wasting time (timing out waiting for a response from the debian keyring server, apparently)).
2. As root:
debsecan --suite etch > advisories
grep "high urgency" advisories > high_urgency_advisories
awk '{ print $2 }' high_urgency_advisories | sort -u > high_urgency_upgradeables
wc high_urgency_upgradeables
grep "remotely exploitable" advisories > remotely_exploitable_advisories
awk '{ print $2 }' remotely_exploitable_advisories | sort -u > remotely_exploitable_upgradeables
wc remotely_exploitable_upgradeables
This could be turned into a script and maybe even a daily cron job, of course. Someone said that
apt-get install $(debsecan --suite etch --format packages --only-fixed)
will accomplish the same thing more elegantly, but I hesitate to try this until I am more confident this won't break the system. For example, when it comes to upgrading the kernel itself you probably need to adopt somewhat different procedures.
To elaborate on what Allan said the other day about the relatively small number of truly serious vulnerabilities affecting the average home user of linux, I note that the remotely exploitable advisories all concern "low urgency" vulnerabilities. The "high urgency" advisories seem to concern possible misbehavior by local users. However, based upon my preliminary readings, these really do seem to be not much less urgent for home linux users than for Windows users. Thus, the packages in high_urgency_advisories would be particularly good candidates to try to upgrade one by one IMMEDIATELY after installation. Unfortunately, by default MEPIS makes even root files world readable; obviously, you want to make sure that they cannot actually be read, say by someone you invited to share some files, or by some "wardriver".
I guess I'll find out shortly how bad it is to be running an unpatched MEPIS 6.0 install! For an unpatched MEPIS 3.4-3, I note that the 2.6.15-1-586tsc kernel itself has a high urgency vulnerability and there are 18 packages in this group including clamav (how ironic, given my previous "paranoia" about clamav!), firefox, gzip, some libraries, rsync, and tar. From
lsof | grep libnss3 | sort -u
I learn that at this very moment, an unpatched Firefox has opened an unpatched library! This is not of course the kind of thing I would be inclined to share if I weren't about to shred the disk (after checking that my backup of possibly useful user files like my system wiki) and start over. In any event, since the kernel, Firefox, clamav, and gzip are all in daily use by most of us, I feel strongly that no MEPIS user should be encouraged to omit to patch these.
I've never upgraded a kernel image before; I take it you use your apt front-end to download the new version, and then reboot? Or do you have to mess with GRUB? Maybe the idea is that you start by putting the new kernel as an option at boot time, rebooting and trying that option, and if all seems well, shredding the old kernel? Like any old file?
Allan: er, not sure I see the connection between your former instructor and what we were talking about yesterday, but now you are making me paranoid again! Grrr!!!
However, you will be amused to learn that I downloaded the package thpot, which turns out to install a world executable binary, not the kind of thing a paranoid user wants lying around! As the man page suggests, this is best put in its very own partition, if only because of the apparently unrestrained keylogging, and should not be even installed by anyone who doesn't already know how to run a honeypot safely. Probably the "blurb" for thpot should say what the documentation does: "DANGER WILL ROBINSON!!" (I had to look that up and had to chuckle when I found that Wikipedia, DWR, has an entire ARTICLE devoted to this catchphrase, which turns out to be a cultural reference about as hoary as unix itself, which seems kinda appropriate!)
The trouble is, the only way to decrease paranoia would seem to be to gain some experience watching real script kiddie attacks. (I think that was one of the points you might have been trying to suggest.) If it can be made uber safe, perhaps everyone should be encouraged to play with something like thpot in a virtual machine safely (we hope) quarantined from the rest of localhost; see my remarks in another thread about Xen allegedly leading the Way into the Future.
Jon, Allan, or anyone who knows: drlizau seemed to be saying that synaptic does automatically check at least the MD-5 or SHA-1 hashes of each package before downloading. I do NOT receive an error message of the type quoted in another thread specifically on verifying GnuPG (or PGP) signatures by the developers of each package. The last obstacle to my install of a proper MEPIS 6.0 appears to be ensuring that my apt front-end is at least verifying hashes, and hopefully signatures too. Does anyone know what I need to do?
feheeszeno
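The grep/awk/sort steps from the post above, folded into one reusable function as an added example (not the poster's own script and not part of debsecan). It assumes the debsecan output shape the poster's awk '{ print $2 }' relies on (CVE id, package name, then the parenthesised flags and urgency); the sample lines and their CVE ids are constructed placeholders so the script runs offline.

```shell
#!/bin/sh
# Added example: classify debsecan-style advisory lines into package lists.
# Real input comes from `debsecan --suite etch`; the lines below are a
# constructed sample and the CVE ids are placeholders, not real advisories.
set -e
LC_ALL=C
export LC_ALL

# Constructed sample in the assumed shape:  <cve-id> <package> (<flags>)
SAMPLE_ADVISORIES='CVE-0000-0001 linux-image-2.6.15-1-586tsc (high urgency)
CVE-0000-0002 firefox (remotely exploitable, low urgency)
CVE-0000-0003 clamav (high urgency)
CVE-0000-0004 firefox (high urgency)
CVE-0000-0005 gzip (fixed, remotely exploitable, low urgency)
CVE-0000-0006 tar (fixed, high urgency)
CVE-0000-0007 rsync (remotely exploitable, low urgency)'

# upgradeables PATTERN...: read advisory lines on stdin, keep those whose
# parenthesised flags contain EVERY pattern given, and print the sorted,
# unique package names (second field).  Matching only looks at the flags,
# so a package whose name happens to contain a pattern is not picked up.
upgradeables() {
    pats=""
    for p in "$@"; do pats="${pats}|${p}"; done
    pats="${pats#|}"
    awk -v pats="$pats" 'BEGIN { n = split(pats, want, "|") }
    {
        flags = $0
        sub(/^[^(]*\(/, "", flags)          # drop everything up to the "("
        ok = 1
        for (i = 1; i <= n; i++) if (index(flags, want[i]) == 0) ok = 0
        if (ok) print $2
    }' | sort -u
}

# count_lines: portable line count (wc -l pads with spaces on some systems).
count_lines() {
    awk 'END { print NR }'
}

high_urgency_packages() {
    printf '%s\n' "$SAMPLE_ADVISORIES" | upgradeables "high urgency"
}

remotely_exploitable_packages() {
    printf '%s\n' "$SAMPLE_ADVISORIES" | upgradeables "remotely exploitable"
}

# High-urgency advisories for which an updated package already exists
# ("fixed"): the subset you could hand to `apt-get -s install ...` first,
# so apt shows what it would change before anything is actually upgraded.
fixed_high_urgency_packages() {
    printf '%s\n' "$SAMPLE_ADVISORIES" | upgradeables "high urgency" "fixed"
}

echo "high urgency:";         high_urgency_packages
echo "remotely exploitable:"; remotely_exploitable_packages
echo "fixed + high urgency:"; fixed_high_urgency_packages
echo "high urgency count: $(high_urgency_packages | count_lines)"
```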
Comments?
Posts: 440
My original query is now moot, since I have wiped the disk and started over with MEPIS 3.4-3, but the same issue will no doubt arise again. For what it is worth, simply changing the permission of the binaries to be nonexecutable seemed to have no ill effects. (A bit worrying, actually; one would like weird modifications of security-related binaries to set off all kinds of alarm bells!)
I am worried that I seem to be being backed into the same situation as before where for some reason everything but webmail is broken for me. If I do not have a working MTA installed, is there any point to having CLAMAV? E.g. does this automatically scan files I request to download, in addition to mail? Probably not, huh? But does anyone know?
feheeszeno