From cvkluka at cerebellum.biz Thu May 1 10:17:07 2008
From: cvkluka at cerebellum.biz (Christine Kluka)
Date: Thu May 1 10:15:16 2008
Subject: [Uaflug] Hello...?
In-Reply-To: <596026.60322.qm@web30002.mail.mud.yahoo.com>
References: <596026.60322.qm@web30002.mail.mud.yahoo.com>
Message-ID: <1209665827.5523.40.camel@localhost>

I've been at UAF for about a year also. Had volunteered to help with
server management but didn't hear anything. I'm working and going to
school but have time to help out in the summer, if any is needed.

Good to hear some signs of life :)

On Mon, 2008-04-28 at 13:21 -0700, Christopher Howard wrote:
> I've only been a UAF student for about a year now. I recently heard
> about a Linux Users Group mailing list. The website didn't suggest
> much recent activity, so I was wondering if this list was active.
>
> Anybody out there?
>
> ---
> Christopher Howard
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> _______________________________________________
> uaflug mailing list
> uaflug@linux0.cs.uaf.edu
> http://linux0.cs.uaf.edu/mailman/listinfo/uaflug

From ffosl at uaf.edu Mon May 5 14:21:43 2008
From: ffosl at uaf.edu (Orion Sky Lawlor)
Date: Mon May 5 14:18:46 2008
Subject: [Uaflug] Re: [Fwd: linux0.cs.uaf.edu Compromised] (fwd)
Message-ID:

linux0's wiki was packed with porn linkspam. Annoying, but the
machine was *not* compromised--it is supposed to be running a wiki,
but we haven't kept the spammers off it like we should have.

I've disabled world write-access to the wiki for now. Who wants an
account to help put content back on the Wiki?
Alternatively, should we just go back to plain HTML content?
--
-Orion Sky Lawlor
http://lawlor.cs.uaf.edu/~olawlor/
ffosl@uaf.edu

---------- Forwarded message ----------
Date: Mon, 05 May 2008 10:51:59 -0800
From: Kathleen Boyle
To: Brian Hay
Cc: ffosl@uaf.edu, Security
Subject: Re: [Fwd: linux0.cs.uaf.edu Compromised]

Brian and Orion (cc: sdsec),

Thank you for addressing this. I will make the Help Desk aware of the
KUAC stream. With regard to how it was detected, someone noticed the
content and reported it to the OIT Support Center.

If this system contains personal information as defined in University
Regulation 05.08.023, please let us know. Definition of personal
information from the reg is provided below for reference:

"For purposes of this regulation, "personal information" means
information in any form on an individual that is not encrypted or
redacted, or is encrypted and the encryption key has been accessed or
acquired, and that consists of a combination of the individual's name
and one or more of the following: social security number; driver's
license number or state identification card number; the individual's
financial account number, credit card account number, or debit card
account number in combination with any required security code, access
code, or password that would permit access to an individual's financial
account;"

Again, thank you.

Kathleen

Brian Hay wrote:
> Hi Kathleen,
>
> I disconnected the machine from the network this morning (which also
> means that the KUAC stream is now down). Orion or I will investigate
> this issue today and determine what's going on.
>
> Do you have any other indicators of the compromise - e.g., was the
> machine scanning, or did someone notice the content and complain?
>
> Thanks
>
> Brian
>
> On Mon, May 5, 2008 at 9:58 AM, Kathleen Boyle wrote:
>> Hello Orion (cc: Brian Hay, sdsec);
>>
>> This is to follow up to my voice mail concerning linux0.cs.uaf.edu.
>> As I mentioned, Mitchell Roth suggested contacting you with regard to this
>> website. If either you or Brian could please address we would appreciate it.
>>
>> Thank you.
>>
>> Kathleen
>>
>> -------- Original Message --------
>> Return-Path:
>> Received: from sdsec@email.alaska.edu by email.alaska.edu (CommuniGate Pro
>>  GROUP 5.0.13) with GROUP id 50580812; Mon, 05 May 2008 09:51:49 -0800
>> X-Autogenerated: group
>> Received: from [137.229.47.253] (account sxkmb [137.229.47.253] verified) by
>>  email.alaska.edu (CommuniGate Pro SMTP 5.0.13) with ESMTPA id 50580811; Mon, 05
>>  May 2008 09:51:49 -0800
>> Message-ID: <481F4934.6020809@email.alaska.edu>
>> Date: Mon, 05 May 2008 09:51:48 -0800
>> From: Kathleen Boyle
>> User-Agent: Thunderbird 1.5.0.12 (X11/20070530)
>> MIME-Version: 1.0
>> To: Brian Hay
>> CC: Security
>> Subject: linux0.cs.uaf.edu Compromised
>> X-Enigmail-Version: 0.94.2.0
>> Content-Type: text/plain; charset=ISO-8859-1
>> Content-Transfer-Encoding: 7bit
>>
>> Hello Brian (cc: sdsec);
>>
>> We have just received a peregrine ticket that the UAF LUG site contains sexually
>> explicit material.
>>
>> linux0.cs.uaf.edu
>>
>> Please remove it from the network and investigate. I will also attempt to
>> contact Mitchell Roth who I believe at one time was the faculty adviser for the
>> group to make him aware as well.
>>
>> If you have any questions, please let us know.
>>
>> Thank you.
>>
>> Kathleen
>>
>> --
>>
>> Kathleen Boyle
>> Senior Information Security Officer
>> University of Alaska
>> Office of Information Technology
>> Phone: (907) 474-7404
>> Email: sxkmb@email.alaska.edu
>>
>

--

Kathleen Boyle
Senior Information Security Officer
University of Alaska
Office of Information Technology
Phone: (907) 474-7404
Email: sxkmb@email.alaska.edu

From roger at eskimo.com Mon May 5 21:40:29 2008
From: roger at eskimo.com (roger)
Date: Mon May 5 21:40:36 2008
Subject: [Uaflug] Re: [Fwd: linux0.cs.uaf.edu Compromised] (fwd)
In-Reply-To:
References:
Message-ID: <1210052429.9318.6.camel@localhost2.localdomain>

D*ng! .. missed my chance to see explicit material. :-/

Probably best to only allow a few members write access. Using this
method, the calendar can possibly be kept up-to-date if others are busy.

On Mon, 2008-05-05 at 14:21 -0800, Orion Sky Lawlor wrote:
> linux0's wiki was packed with porn linkspam. Annoying, but the
> machine was *not* compromised--it is supposed to be running a wiki,
> but we haven't kept the spammers off it like we should have.
>
> I've disabled world write-access to the wiki for now. Who wants an
> account to help put content back on the Wiki? Alternatively, should
> we just go back to plain HTML content?
> --
> -Orion Sky Lawlor
--
Roger
http://www.eskimo.com/~roger/index.html

Key fingerprint = 9E34 2419 6616 7260 F089 FEEA 56A2 1907 DBBE 9744

Mon May 5 21:40:22 AKDT 2008
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://linux0.cs.uaf.edu/pipermail/uaflug/attachments/20080505/d76a4113/attachment.pgp

From ffosl at uaf.edu Tue May 13 14:29:06 2008
From: ffosl at uaf.edu (Orion Sky Lawlor)
Date: Tue May 13 14:26:00 2008
Subject: [Uaflug] Debian SSH Advisory...
Message-ID:

Debian screwed up the openSSH key generation algorithm in 2007,
so SSH keys generated with Ubuntu 7.04, 7.10, and 8.04 are weak,
coming from a small set of known "blacklisted" keys that are fairly
easy to bruteforce.

They realized the bug 2008-05-13:
http://article.gmane.org/gmane.linux.debian.security.announce/1614
http://www.ubuntu.com/usn/usn-612-2

Debian/Ubuntu users, upgrade your packages! The new package
"ssh-vulnkey" will look for weak "blacklisted" keys on your machine.
I'm a big Ubuntu fan, and I found a few bad keys on my machines!
--
-Orion Sky Lawlor
http://lawlor.cs.uaf.edu/~olawlor/
ffosl@uaf.edu

---------- Forwarded message ----------
Date: Tue, 13 May 2008 12:45:17 -0500
From: Isaac Dooley
To: David Kunzman
Cc: Parallel Programming Lab
Subject: Re: SSH Advisory...

Here is the ubuntu advisory:

http://www.ubuntu.com/usn/usn-612-2

Isaac

From roger at eskimo.com Tue May 13 14:54:06 2008
From: roger at eskimo.com (roger)
Date: Tue May 13 14:54:13 2008
Subject: [Uaflug] Debian SSH Advisory...
In-Reply-To:
References:
Message-ID: <1210719246.15705.3.camel@localhost2.localdomain>

Should have got Gentoo? ;-)

Nothing posted within (Gentoo) GLSA's yet.
http://www.gentoo.org/security/en/index.xml

On Tue, 2008-05-13 at 14:29 -0800, Orion Sky Lawlor wrote:
> Debian screwed up the openSSH key generation algorithm in 2007,
> so SSH keys generated with Ubuntu 7.04, 7.10, and 8.04 are weak,
> coming from a small set of known "blacklisted" keys that are fairly
> easy to bruteforce.
>
> They realized the bug 2008-05-13:
> http://article.gmane.org/gmane.linux.debian.security.announce/1614
> http://www.ubuntu.com/usn/usn-612-2
>
> Debian/Ubuntu users, upgrade your packages! The new package
> "ssh-vulnkey" will look for weak "blacklisted" keys on your machine.
> I'm a big Ubuntu fan, and I found a few bad keys on my machines!
--
Roger
http://www.eskimo.com/~roger/index.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://linux0.cs.uaf.edu/pipermail/uaflug/attachments/20080513/8c54f18e/attachment.pgp

From ffosl at uaf.edu Tue May 13 15:11:54 2008
From: ffosl at uaf.edu (Orion Sky Lawlor)
Date: Tue May 13 15:08:48 2008
Subject: [Uaflug] Debian SSH Advisory...
In-Reply-To: <1210719246.15705.3.camel@localhost2.localdomain>
References: <1210719246.15705.3.camel@localhost2.localdomain>
Message-ID:

No other distributions are at risk--it's a Debian-caused
problem: "This is caused by an incorrect Debian-specific change to the
openssl package (CVE-2008-0166)."

So Debian, Ubuntu, and Knoppix users have to patch; Gentoo, RedHat,
Fedora, etc. are safe (from this bug!).
--
-Orion Sky Lawlor
http://lawlor.cs.uaf.edu/~olawlor/
ffosl@uaf.edu

On Tue, 13 May 2008, roger wrote:

> Should have got Gentoo? ;-)
>
> Nothing posted within (Gentoo) GLSA's yet.
> http://www.gentoo.org/security/en/index.xml
>
>
> On Tue, 2008-05-13 at 14:29 -0800, Orion Sky Lawlor wrote:
> > Debian screwed up the openSSH key generation algorithm in 2007,
> > so SSH keys generated with Ubuntu 7.04, 7.10, and 8.04 are weak,
> > coming from a small set of known "blacklisted" keys that are fairly
> > easy to bruteforce.
> >
> > They realized the bug 2008-05-13:
> > http://article.gmane.org/gmane.linux.debian.security.announce/1614
> > http://www.ubuntu.com/usn/usn-612-2
> >
> > Debian/Ubuntu users, upgrade your packages!
> > The new package
> > "ssh-vulnkey" will look for weak "blacklisted" keys on your machine.
> > I'm a big Ubuntu fan, and I found a few bad keys on my machines!
>
> --
> Roger
> http://www.eskimo.com/~roger/index.html
>

From jspaleta at gmail.com Tue May 13 15:09:30 2008
From: jspaleta at gmail.com (Jeff Spaleta)
Date: Tue May 13 15:09:26 2008
Subject: [Uaflug] Debian SSH Advisory...
In-Reply-To: <1210719246.15705.3.camel@localhost2.localdomain>
References: <1210719246.15705.3.camel@localhost2.localdomain>
Message-ID: <604aa7910805131609t352ea491rf70718ee0981a8b8@mail.gmail.com>

On Tue, May 13, 2008 at 2:54 PM, roger wrote:
> Should have got Gentoo? ;-)

So far this is known to involve only Debian derivatives...most likely
all of them... that's a lot of distributions.. not just Ubuntu. But
the patch could have easily been picked up and applied outside of
Debian so if you are using Gentoo you should probably reach out and
confirm that the patch wasn't lifted from Debian and applied.

Fedora has confirmed that the patch in question hasn't been used in
any Fedora packages. We've also started the discussion inside Fedora
concerning how to add safeguards into the packaging procedures
concerning how we track Fedora specific patchsets so this sort of
long-lived downstream patch situation doesn't bite us in the future.

Whatever your distribution of choice is, you should try to start a
discussion about how to keep this from happening if the distribution
maintainers aren't already discussing it.

And let me just say that it would be a horrible thing to suggest that
this patch was planted over a year ago and exposed today deliberately
to steal press from the Fedora 9 release that is happening. I would
not support any such outlandish rumor-mongering.

-jef"Fedora Project Board Member"spaleta

From joshua at eeinternet.com Tue May 13 17:41:03 2008
From: joshua at eeinternet.com (Joshua J. Kugler)
Date: Tue May 13 17:41:00 2008
Subject: [Uaflug] Debian SSH Advisory...
In-Reply-To:
References: <1210719246.15705.3.camel@localhost2.localdomain>
Message-ID: <200805131741.03414.joshua@eeinternet.com>

On Tuesday 13 May 2008, Orion Sky Lawlor said something like:
> No other distributions are at risk--it's a Debian-caused
> problem: "This is caused by an incorrect Debian-specific change to
> the openssl package (CVE-2008-0166)."

Incorrect patch, yes, but it seems that it was approved by someone at
openssl. See http://marc.info/?l=openssl-dev&m=114652287210110&w=2

The thread doesn't provide much context, but removing those lines in
question was either approved, or approved for testing only, and that
context didn't make it across the wire.

j

--
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/ ?ID 0xDB26D7CE

From jspaleta at gmail.com Wed May 14 10:22:13 2008
From: jspaleta at gmail.com (Jeff Spaleta)
Date: Wed May 14 10:22:14 2008
Subject: [Uaflug] Debian SSH Advisory...
In-Reply-To: <604aa7910805131609t352ea491rf70718ee0981a8b8@mail.gmail.com>
References: <1210719246.15705.3.camel@localhost2.localdomain> <604aa7910805131609t352ea491rf70718ee0981a8b8@mail.gmail.com>
Message-ID: <604aa7910805141122i6d7d1e56l97fd74fd5a703cef@mail.gmail.com>

On Tue, May 13, 2008 at 3:09 PM, Jeff Spaleta wrote:
> So far this is known to involve only Debian derivatives...most likely
> all of them... that's a lot of distributions.. not just Ubuntu. But
> the patch could have easily been picked up and applied outside of
> Debian so if you are using Gentoo you should probably reach out and
> confirm that the patch wasn't lifted from Debian and applied.

Okay I think there's still another shoe to drop. I think there is a
growing understanding that the problem is potentially a very wide
impact across distributions. SSH keys generated on an affected
debian-based system but deployed on other systems may make the
accounts on those systems vulnerable.
It's the act of key generation that's the problem on Deb-ish systems.
So if you generated ssh keys on an affected Ubuntu system and then use
the key on any other system, you need to regenerate the key and stop
using the older ssh keys everywhere.

Did I mention that keys generated on Fedora systems aren't
problematic...but if you use the same ssh key pair on multiple linux
distros can you be sure you didn't generate your keys on a
Debian/Ubuntu system?

-jef

From joshua at eeinternet.com Wed May 14 11:25:27 2008
From: joshua at eeinternet.com (Joshua J. Kugler)
Date: Wed May 14 11:25:26 2008
Subject: [Uaflug] Debian SSH security upgrade breaks SSH!
Message-ID: <200805141125.28144.joshua@eeinternet.com>

This is both a warning and a cry for help! :)

I installed the upgraded SSH packages and it regenerated the SSH keys.
Not a big problem, right? Wrong. Even the newly generated keys are on
the blacklist, AND the server will not connect with keys that are on
the blacklist, so no new connections can be created. So, existing
connections are OK, but don't logout, or you'll never get back in.

Anyone have a fix yet?

j

--
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/ ?ID 0xDB26D7CE

From joshua at eeinternet.com Wed May 14 11:51:30 2008
From: joshua at eeinternet.com (Joshua J. Kugler)
Date: Wed May 14 11:51:27 2008
Subject: [Uaflug] FIXED. Re: Debian SSH security upgrade breaks SSH!
In-Reply-To: <200805141125.28144.joshua@eeinternet.com>
References: <200805141125.28144.joshua@eeinternet.com>
Message-ID: <200805141151.30222.joshua@eeinternet.com>

Problem fixed. It wasn't my fault (directly) but it wasn't a debian
problem either.

For those who care: after the server was set up (before it was under my
control), it was, for a while, pulling from testing repository, and
along the way got a version of openssl installed that appeared to be
newer than the version in stable, but of course still had the
vulnerability.
So, since it was now pulling from stable, the package didn't get
upgraded. Pulling and installing openssl, libssl0.9.8 and libssl-dev
manually fixed the problem.

j

--
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/ ?ID 0xDB26D7CE

From jeff at arcticpc.com Thu May 22 21:53:05 2008
From: jeff at arcticpc.com (Jeff)
Date: Thu May 22 21:53:10 2008
Subject: [Uaflug] 1u server
Message-ID: <20080522215305.e30c1019.jeff@arcticpc.com>

any body interested in a 1u Dual AMD 1.8 dual core 2g ram 80g ide also scsi onboard
dual gb nics usb etc.
$265.00

--
Jeff

From smithj at freethemallocs.com Fri May 23 09:29:35 2008
From: smithj at freethemallocs.com (Jonathan Smith)
Date: Fri May 23 09:29:44 2008
Subject: [Uaflug] 1u server
In-Reply-To: <20080522215305.e30c1019.jeff@arcticpc.com>
References: <20080522215305.e30c1019.jeff@arcticpc.com>
Message-ID: <4836FEFF.1000709@freethemallocs.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeff wrote:
| any body interested in a 1u Dual AMD 1.8 dual core 2g ram 80g ide also scsi onboard
| dual gb nics usb etc.
| $265.00

64 bit?

smithj
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkg2/v8ACgkQCG91qXPaRekM7gCgqpfKcjBSOOg0ElCm+l4QBsCy
PggAn3HswdG3ETAOMrkuUksM9mopMNZi
=e9TR
-----END PGP SIGNATURE-----

From smithj at freethemallocs.com Fri May 23 14:25:21 2008
From: smithj at freethemallocs.com (Jonathan Smith)
Date: Fri May 23 14:25:30 2008
Subject: [Uaflug] 1u server
In-Reply-To: <20080522215305.e30c1019.jeff@arcticpc.com>
References: <20080522215305.e30c1019.jeff@arcticpc.com>
Message-ID: <48374451.2070605@freethemallocs.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeff wrote:
| any body interested in a 1u Dual AMD 1.8 dual core 2g ram 80g ide also scsi onboard
| dual gb nics usb etc.
| $265.00

Also, where did you host it? I wasn't aware that there was a datacenter
in-town. I'm in the process of looking for one for a new project.

smithj
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkg3REYACgkQCG91qXPaRemjogCfeswF1j+gGi6WzdlMtksp0ACG
DuAAnRActS0yigU5Ae23dwi3ZvroKt9B
=wOll
-----END PGP SIGNATURE-----
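
Added example, not part of any list message above and not code from Debian or OpenSSH: a sketch of the fingerprint check that the "Debian SSH Advisory" thread attributes to ssh-vulnkey, showing that a key is flagged wherever it was copied to, because only the host that generated it matters. It assumes the blacklist format described in the ssh-vulnkey manual page (the last 20 hex digits of each key's MD5 fingerprint); the keys, the one-entry blacklist and every function name are constructed for illustration.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in use when the advisory came out

def _mpint(n):
    # SSH mpint encoding; needed only to build the constructed sample keys.
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def make_sample_pubkey(modulus, comment):
    """Build a well-formed ssh-rsa public key line from a toy modulus."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(modulus)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def key_blob(line):
    """Return the base64 key blob of an authorized_keys line, skipping options."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            return fields[i + 1]
    return None

def md5_fingerprint(blob_b64):
    """Classic SSH fingerprint: MD5 over the decoded public key blob."""
    return hashlib.md5(base64.b64decode(blob_b64), usedforsecurity=False).hexdigest()

def audit(lines, blacklist):
    """Return (line_number, fingerprint) for keys whose fingerprint tail is listed."""
    hits = []
    for number, line in enumerate(lines, 1):
        blob = None if line.lstrip().startswith("#") else key_blob(line)
        try:
            fingerprint = md5_fingerprint(blob) if blob else None
        except ValueError:  # malformed base64: not a usable key line
            fingerprint = None
        # Assumed blacklist format: low 80 bits of the fingerprint, 20 hex digits.
        if fingerprint and fingerprint[12:] in blacklist:
            hits.append((number, fingerprint))
    return hits

# Constructed sample data: toy keys and a one-entry "blacklist" derived from one.
WEAK = make_sample_pubkey(2**127 - 1, "made-on-affected-host")
GOOD = make_sample_pubkey(2**89 - 1, "made-elsewhere")
BLACKLIST = {md5_fingerprint(key_blob(WEAK))[12:]}
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed authorized_keys content",
    WEAK,
    'no-pty,command="backup" ' + GOOD,
    'from="10.0.0.5" ' + WEAK.replace("made-on-affected-host", "copied-to-fedora"),
]

if __name__ == "__main__":
    for number, fingerprint in audit(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print("line %d: blacklisted key, MD5 %s" % (number, fingerprint))
```

On real systems the check is done by ssh-vulnkey with the distribution's blacklist files; the sketch only makes the matching rule visible.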