Displaying 20 results from an estimated 212 matches for "wyml".

2015 Feb 05
2
Another Fedora decision
On Wed, Feb 4, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote: > >>> Most such vulns are against Apache, PHP, etc, which do not run as root. >> >> Those are common. Combine them with anything called a 'local >> privilege escalation' vulnerability and you've got a remote root >> exploit...
2015 Feb 02
5
Another Fedora decision
On Mon, Feb 2, 2015 at 4:17 PM, Warren Young <wyml at etr-usa.com> wrote: >> > Let's flip it around: what's your justification *for* weak passwords? > You don't need to write them down. Or trust some 3rd party password keeper to keep them. Whereas when 'not weak' is determined by someone else in the middle of trying t...
2015 Jul 30
3
Fedora change that will probably affect RHEL
> On Jul 30, 2015, at 12:20, Warren Young <wyml at etr-usa.com> wrote: > > Meanwhile over here in CentOS land, you still see SSH password guessers banging on every public IP that responds to port 22. Why? Because it still occasionally works. Increase the password strength minima, and this class of worm, too, will quickly die out. I...
2015 Jul 30
1
Fedora change that will probably affect RHEL
On Thu, Jul 30, 2015 at 1:20 PM, Warren Young <wyml at etr-usa.com> wrote: > On Jul 29, 2015, at 5:40 PM, Chris Murphy <lists at colorremedies.com> wrote: > > > > On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote: > > > >> Security is *always* opposed to convenience. > > >...
2015 Sep 11
4
Cannot open: No space left on device
On Fri, Sep 11, 2015 at 2:45 PM, Warren Young <wyml at etr-usa.com> wrote: > 24 - 16 = 8, which sounds suspiciously like the size of a swap file. What > does mount say? What do you mean with "mount says"? Can you point me on the right command to execute?
2015 Mar 12
3
Centos 6 - Persistant static routes
On Mar 12, 2015, at 11:52 AM, Jason Warr <jason at warr.net> wrote: > > On Thu, 12 Mar 2015 12:43:27 -0500, Robert Moskowitz <rgm at htt-consult.com> wrote: > >> I found: >> >> http://www.cyberciti.biz/tips/configuring-static-routes-in-debian-or-red-hat-linux-systems.html >> >> where it says to add to ifcfg-eth0: >> >>
2015 Feb 04
5
Another Fedora decision
On Wed, Feb 4, 2015 at 4:55 PM, Warren Young <wyml at etr-usa.com> wrote: >>> >> There have been remotely exploitable vulnerabilities where an arbitrary file could be read > > CVEs, please? > > I'm aware of vulnerabilities that allow a remote read of arbitrary files that are readable by the exploited process's user, bu...
2015 Feb 05
2
Another Fedora decision
On 5 February 2015 at 10:36, Warren Young <wyml at etr-usa.com> wrote: > When the hashes are properly salted, the only option is brute force. All having /etc/shadow does for you is let you make billions of guesses per second instead of 5 guesses per minute, as you get with proper throttling on remote login avenues. Kinda highlights that...
2015 Jan 16
2
Socket behavior change from 6.5 to 6.6
A couple more thoughts... On Jan 16, 2015, at 10:42 AM, Warren Young <wyml at etr-usa.com> wrote: > On Jan 15, 2015, at 11:40 AM, Glenn Eychaner <geychaner at mac.com> wrote: > >> When the DOS box exits, crashes, or is rebooted, it fails to shut down the >> socket properly. > > Yes, that's what happens when you use an OS that doesn't im...
2015 Aug 31
2
[OT] GNU bc base conversion
On Aug 31, 2015, at 10:05 AM, Mike - st257 <silvertip257 at gmail.com> wrote: > > On Mon, Aug 31, 2015 at 11:15 AM, Warren Young <wyml at etr-usa.com> wrote: > >> ibase=A and obase=A > > Not sure how this helps me with my most recent example of bin_to_hex where > the ibase within the define clause wasn't honored. That's because your bin_to_hex function is erroneously assuming that its input is just a st...
2014 Dec 02
2
NetworkManager fights with DHCP-only backup NIC
On Dec 2, 2014, at 1:36 PM, Les Mikesell <lesmikesell at gmail.com> wrote: > On Tue, Dec 2, 2014 at 2:26 PM, Warren Young <wyml at etr-usa.com> wrote: >> Again, I'm not really after a way to make this work without NetworkManager. > > What part of the breakage that NetworkManager does is good for a > wired, static-addressed server? If you disable NM, the network configuration GUI stops working in EL7....
2015 Apr 27
3
Real sh? Or other efficient shell for non-interactive scripts
Warren Young <wyml at etr-usa.com> wrote: > > The schily tools act as a container to publish the current code state. There is > > no such maintained web page. > > I was referring to the summary on the SourceForge page, where you just list the contents of the package without explaining why one w...
2015 Jul 29
4
Fedora change that will probably affect RHEL
On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote: > Security is *always* opposed to convenience. False. OS X by default runs only signed binaries, and if they come from the App Store they run in a sandbox. User gains significant security with this, and are completely unaware of it. There is no inconvenience. What is...
2015 Jul 29
2
Fedora change that will probably affect RHEL
On Tue, Jul 28, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote: > On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot at me.com> wrote: >> Equating this to "vaccination" is a huge stretch. > > Why? It's not just an imperfect analogy it really doesn't work on closer scrutiny. Malware itself is not a go...
2015 Jul 28
3
Fedora change that will probably affect RHEL
> On Jul 28, 2015, at 11:27, Warren Young <wyml at etr-usa.com> wrote: > > On Jul 25, 2015, at 6:22 PM, Bob Marcan wrote: >> >> 1FuckingPrettyRose >> "Sorry, you must use no fewer than 20 total characters." >> 1FuckingPrettyRoseShovedUpYourAssIfYouDon'tGiveMeAccessRightFuckingNow! >> "...
2015 Jul 28
11
Fedora change that will probably affect RHEL
Once upon a time, Warren Young <wyml at etr-usa.com> said: > Much of the evil on the Internet today - DDoS armies, spam spewers, phishing botnets - is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords. Since most of that crap comes from Windows hosts, the security of Linux S...
2014 Nov 25
2
TELNENT TO LOCALHOST IN CENTOS 7
On Nov 24, 2014, at 3:46 PM, Warren Young <wyml at etr-usa.com> wrote: > Now compare telnet: always vulnerable, all the time, since the day it was created, before most of the people on this list were born: Technically, you can run kerberized (krb5) telnet/telnetd, and it's not quite as insecure as unkerberized telnet. The telnet prot...
2015 Feb 05
2
Another Fedora decision
> On Feb 4, 2015, at 5:43 PM, Warren Young <wyml at etr-usa.com> wrote: > > SSH as shipped on CentOS doesn't allow 1,000 guesses per second, as this calculator assumes Hmm, just thought of a counterattack: If CentOS's SSH currently allows 10 guesses per minute *per IP*, all you need to do to get 1,000 guesses per second is to rent tim...
2015 Apr 27
2
Real sh? Or other efficient shell for non-interactive scripts
On Mon, Apr 27, 2015 at 11:41 AM, Warren Young <wyml at etr-usa.com> wrote: > > >>> 4. CDDL annoys a lot of people. >> >> The CDDL does not annoy people, this is just a fairy tale from some OSS enemies. > > The following irritates me, I am a "people," and I am not an OSS enemy: > > http://zfsonlinux.org/faq...
2015 Aug 31
0
[OT] GNU bc base conversion
On Mon, Aug 31, 2015 at 1:06 PM, Warren Young <wyml at etr-usa.com> wrote: > On Aug 31, 2015, at 10:05 AM, Mike - st257 <silvertip257 at gmail.com> wrote: > > > > On Mon, Aug 31, 2015 at 11:15 AM, Warren Young <wyml at etr-usa.com> wrote: > > > >> ibase=A and obase=A > > > > Not sure how this...