News from PANUG/BizNix - August 5, 2002
http://panug.org - http://biznix.org

BIZNIX MEETING

The monthly BizNix meeting is this Thursday, August 8 at 6:30 pm. The location and detailed directions are on the BizNix web site at:

http://biznix.org

The main presentation will be Debian Linux, presented by David May. Emphasis will be on Debian-unique features such as the easy-to-use package management.

A second presentation will be about authenticating downloaded software. See the next item for details.

TROJANS AND CHECKSUMS

On August 2nd, SecurityFocus.org reported that the "portable" OpenSSH source code tarball on the OpenSSH Web site contained a trojan. The trojaned source tarball had an incorrect MD5 checksum, so it was easy to spot. That is, easy to spot if you bother to check MD5 checksums when you download a file.

Most Web sites for major Open Source software packages include a checksum file that can be used to validate that the associated software package file is genuine and not a hacked copy. It's up to you to take advantage of this. If you don't, you could be attacked.

Since this is an important issue, we'll be covering how to validate downloaded software packages at the next BizNix meeting on Thursday, August 8.

Note that most software for Windows that you download does not have a similar technique for validating downloaded files.

ENTHUSIASTS

GNU EMACS users can be rather committed to their favorite software. On the HighWLAN web page (which describes a LAN between moving vehicles) you'll find the following passage:

"...this quickly escalated into a Holy War with Emacs users on one side and Jeep Wrangler drivers on the other. It was hard to tell but I think Emacs came out as the better utility vehicle."

FEEDBACK

In response to the "Hotmail Not So Hot" article last week, Gregg Berkholtz writes:

I was beginning to wonder why I got so many connection refused messages when our SMTP server sent bounces back to Hotmail. I was beginning to think it was something wrong on my end, but now that you point out the qmail to Exchange conversion - that explains it - considering I don't have this problem anywhere else.

That's funny though - an SMTP daemon put together by one person outperforms a multi-million (billion?) dollar development effort. Not only that, but it's far more secure and flexible in its configuration as well. Sigh...

NEWS

Add Barnes & Noble to the long list of companies with significant security holes in their eCommerce Web server (IIS 5) and who ignore warnings of the problems.

http://www.wired.com/news/privacy/0,1848,54251,00.html

Maybe you should protect yourself by driving to a local book store.

An article called "When Dreamcasts Attack" describes how an attacker can plant an innocent-looking device inside your company to allow attacks from the outside even when you've deployed a firewall. The article does not go into much detail about how you can protect yourself from this method of attack, but this will be discussed in a security course that will be offered in Portland in September. We'll keep you posted.

http://www.theregister.co.uk/content/55/26478.html

Patrick Corrigan points out the following paper on Infrastructure Risks. This is a lengthy document. You may want to skip to the section that focuses on computer security. Note this is a PDF document.

http://www.aaas.org/spp/yearbook/2003/stvw.pdf
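
The check described under TROJANS AND CHECKSUMS, as an added example (not part of the original newsletter and not code from any project it mentions): it looks up a downloaded file in a published checksum file and compares digests, failing closed when the file is not listed. It goes beyond MD5 by also accepting SHA-1 and SHA-256 entries; the file name and contents are constructed sample data.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
GNU_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")                # "<hex>  name"
BSD_LINE = re.compile(r"^[A-Za-z0-9-]+ \((.+)\) = ([0-9a-fA-F]+)$")  # "MD5 (name) = <hex>"

def parse_checksums(text):
    """Return {filename: lowercase hex digest} from a checksum file."""
    entries = {}
    for line in text.splitlines():
        gnu, bsd = GNU_LINE.match(line.strip()), BSD_LINE.match(line.strip())
        if gnu:
            entries[gnu.group(2)] = gnu.group(1).lower()
        elif bsd:
            entries[bsd.group(1)] = bsd.group(2).lower()
    return entries

def file_digest(path, algo):
    """Hash the file in chunks so large tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, checksum_text):
    """Return 'ok', 'mismatch' or 'no-entry'; anything but 'ok' is a failure."""
    expected = parse_checksums(checksum_text).get(os.path.basename(path))
    algo = ALGO_BY_HEX_LEN.get(len(expected or ""))
    if algo is None:
        return "no-entry"  # file not listed, or digest of unknown length
    actual = file_digest(path, algo)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

if __name__ == "__main__":
    # Constructed sample: a stand-in "tarball" and the checksum file published for it.
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "example-1.0.tar.gz")
        body = b"constructed package contents\n"
        with open(pkg, "wb") as f:
            f.write(body)
        sums = hashlib.md5(body).hexdigest() + "  example-1.0.tar.gz\n"
        print(verify_download(pkg, sums))                                # genuine file
        print(verify_download(pkg, "0" * 32 + "  example-1.0.tar.gz"))  # digest differs
```

A checksum file only helps if it comes from a source the attacker did not also modify, so fetch it from a different server or an announcement mail rather than from the same directory as the tarball.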