On 30 Apr 2003, Michael Toomim wrote:
> Jose Carlos Garcia Sogo wrote:
> >On Tue, Apr 29, 2003 at 02:50:02PM -0700, Michael Toomim wrote:
> >
> > And how are services being run in each one? Is the Linux one a net
> > server and the Windows one a desktop box? Are you taking care of
>
> Yes. That's my point. People break into servers more than desktop
> machines because then they can host warez on servers. But of course,
> any Unix *desktop* also has the potential to be a server, so it doesn't
> matter if I only use it as a desktop. Crackers will turn it into a
> server if they can.

So crackers do that to host warez? That's the first time I've heard that.

> > installing security fixes? Are you taking care of closing services you
> > don't need to be provided to the Internet?
>
> Yes, I turned off all unneeded services, etc. The latest break-in was a
> Debian stable (woody) machine that had been upgraded daily with all the
> latest security updates. I think this was because of a flaw in the
> commercial ssh package (ssh2). I realized after a while that it was a
> really old version, and nobody at Debian seemed to be maintaining it
> even though it was a huge security hole. I reported a bug, but it took
> a couple months for them to remove it from Debian, and I had already
> been rootkitted by then.

Debian cannot do anything about the commercial ssh2 package. It's enough to
be distributing it. Sometimes I think that we should drop that non-free
section.

Just FYI, non-free has no security tracking, and non-free is not part
of Debian. It's only there to support our users.

-- 
Jose Carlos Garcia Sogo
jsogo@debian.org