Forwarded from: matthew patton <pattonmeat_private>

I don't normally comment on these but I feel a couple bear some words...

> * Open-Source Trojans: A Growing Problem?
> November 25th, 2002
>
> Experts say the insertion of Trojans into two popular tools
> reinforces the need to run readily available programs, such as MD5
> hashes, to ensure that code hasn't been altered. Experts recommend
> using MD5 hashes to expose Trojans.
>
> http://www.linuxsecurity.com/articles/projects_article-6256.html

I'm sure readers here are aware that MD5 etc. hashes do next to nothing to expose trojans unless the user actually checks their generated hash with a couple different authoritative locations and discovers the discrepancy. Obviously anyone who had access to a distro server can generate their own hash and the user will as a matter of course compute their copy and it will match and blithely continue secure in knowing nothing useful about what they just downloaded. Trojans introduced into CVS trees are the real and far more nefarious threat.

> * Combating Reverse Telnet Using OpenBSD Packet Filter (pf)
> November 25th, 2002
>
> This article is meant for those who are going to implement firewall
> using OpenBSD. The main purpose for this article is to protect
> servers (such as web, mail, dns and others) within a firewalled
> network. This article is based on my personal experiences and I
> could not guarantee it will suit all system that you have.
>
> http://www.linuxsecurity.com/articles/documentation_article-6255.html

They should have added to their disclaimer: "We are inexperienced firewall rule-base authors and clearly have not read the extensive literature out there on IPF/PF nor appreciate what our rulesets do." I have emailed the two gents a strong critique of their purported article and hope they see fit to heavily revise it if not yank it altogether.

IMO a far better ruleset and hardening the OS process was presented by me at SANS 97 and somewhere on the 'net should be mirrors of my firewall-guide that went thru OpenBSD from start to finish and resulted in a floppy-sized bootable image with all the necessary pieces. I probably have it on 4mm tape somewhere but no idea where that tape is hiding...

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Dec 04 2002 - 03:30:06 PST
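The point in the message above about comparing a hash against several authoritative locations, as an added example that is not part of the original post: a download whose hash matches only the server it came from passes a single-source check but is flagged once independently published digests are compared. The source names, sample bytes and the SHA-256 default are assumptions made for illustration.

```python
import hashlib

def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the downloaded bytes (SHA-256 by default; an assumption)."""
    return hashlib.new(algorithm, data).hexdigest()

def cross_check(data, published, algorithm="sha256", min_sources=2):
    """Compare a download against digests published by independent sources.

    published maps a source name to the hex digest obtained from that source.
    A match is trusted only if every source agrees and there are enough of them.
    """
    actual = digest(data, algorithm)
    seen = {src: d.strip().lower() for src, d in published.items()}
    matching = sorted(s for s, d in seen.items() if d == actual)
    mismatching = sorted(s for s, d in seen.items() if d != actual)
    if len(set(seen.values())) > 1:
        verdict = "sources-disagree"       # some publisher or copy was altered
    elif mismatching:
        verdict = "mismatch"               # sources agree, the download differs
    elif len(seen) < min_sources:
        verdict = "insufficient-sources"   # a lone match proves nothing
    else:
        verdict = "ok"
    return {"verdict": verdict, "actual": actual,
            "matching": matching, "mismatching": mismatching}

# Constructed sample data: a clean release and an altered copy of it.
CLEAN = b"tool-1.0 release tarball (constructed sample)"
TROJANED = CLEAN + b"\n[constructed modification]"

# Hypothetical sources: the download server republished a hash for the
# altered file, while a mirror and the release announcement kept the original.
PUBLISHED = {
    "download-server": digest(TROJANED),
    "mirror": digest(CLEAN),
    "announcement": digest(CLEAN),
}

if __name__ == "__main__":
    same_server = {"download-server": PUBLISHED["download-server"]}
    print(cross_check(TROJANED, same_server, min_sources=1)["verdict"])
    print(cross_check(TROJANED, same_server)["verdict"])
    print(cross_check(TROJANED, PUBLISHED))
```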