
Re: root login



On 30 Apr 2003, Michael Toomim wrote:
> Jose Carlos Garcia Sogo wrote:
> >On Tue, Apr 29, 2003 at 02:50:02PM -0700, Michael Toomim wrote:
> >
> >  And how are services being run in each one? Is the Linux one a net
> >  server and the windows one a desktop box? Are you taking care of
> 
> Yes.  That's my point.  People break into servers more than desktop 
> machines because then they can host warez on servers.  But of course, 
> any unix *desktop* also has the potential to be a server, so it doesn't 
> matter if I only use it as a desktop.  Crackers will turn it into a 
> server if they can.

  So crackers do that to host warez? That's the first time I've heard that.

> 
> >  installing security fixes? Are you taking care of closing services you
> >  don't need to be provided to the Internet?
> 
> Yes, I turned off all unneeded services, etc.  The latest break-in was a 
> debian stable (woody) machine that had been upgraded daily with all the 
> latest security updates.  I think this was because of a flaw in the 
> commercial ssh package (ssh2).  I realized after a while that it was a 
> really old version, and nobody at debian seemed to be maintaining it 
> even though it was a huge security hole.  I reported a bug, but it took 
> a couple months for them to remove it from debian, and I had already 
> been rootkitted by then.

  Debian cannot do anything about the commercial ssh2 package. It's enough to
  be distributing it. Sometimes I think that we should drop that
  non-free section.

  Just FYI, non-free has no security tracking, and non-free is not part
  of Debian. It's only there to support our users.

-- 
  Jose Carlos Garcia Sogo
     jsogo@debian.org
