
Does the forums.debian.net server still use Lenny?

Posted: 2012-02-01 16:53
by Ahtiga Saraz
If so, security support will stop in a few days!

I might be misinterpreting what I saw in my cache.

Re: Does the forums.debian.net server still use Lenny?

Posted: 2012-02-01 17:05
by vbrummond
If you can maintain support yourself it might be possible to continue to use it with little ill effect. For a server it is more critical to actually do so.

Re: Does the forums.debian.net server still use Lenny?

Posted: 2012-02-01 17:18
by cynwulf
It's currently using Lenny - but have no fear - there is an upgrade planned...

It will be installed at around the same time as the new spam counter measures... :lol:

Re: Does the forums.debian.net server still use Lenny?

Posted: 2012-02-01 20:52
by jheaton5
cynwulf wrote: It will be installed at around the same time as the new spam counter measures... :lol:


You mean they are going to wrap the servers with tin-foil? :lol:

The rest is silence?

Posted: 2012-02-02 21:18
by Ahtiga Saraz
I think he means they will block me.

I asked for encrypted log-in sessions, and... we'll see what we get.

Re: The rest is silence?

Posted: 2012-02-02 21:28
by cynwulf
Ahtiga Saraz wrote: I think he means they will block me.

:?:

Ahtiga Saraz wrote: I asked for encrypted log-in sessions, and... we'll see what we get.

:?: :?:

Seeking clarification

Posted: 2012-02-03 21:25
by Ahtiga Saraz
Assuming I am not missing some private joke, what are these proposed anti-spam measures?

As of today, it seems that the forum is still using Lenny. Security support ends in a few days for Lenny, so I hope they hurry up.

Encrypted login sessions would go a long ways towards guarding against casual intrusion/impersonation, for example by spycos which routinely attempt to scrape the user databases of forums like this. There are other measures which I think any self-respecting Debian forum should take, such as encouraging legit users to list public keys so they can recover their accounts if an intruder attempts to hijack it. Such things have happened and owing to my encounter yesterday with what appeared to be an attempt to snag my username/password here, I am once again trying to raise this issue before my own account is hijacked.

Re: Seeking clarification

Posted: 2012-02-03 22:10
by Kuze
Ahtiga Saraz wrote: Assuming I am not missing some private joke, what are these proposed anti-spam measures?

As of today, it seems that the forum is still using Lenny. Security support ends in a few days for Lenny, so I hope they hurry up.

Encrypted login sessions would go a long ways towards guarding against casual intrusion/impersonation, for example by spycos which routinely attempt to scrape the user databases of forums like this. There are other measures which I think any self-respecting Debian forum should take, such as encouraging legit users to list public keys so they can recover their accounts if an intruder attempts to hijack it. Such things have happened and owing to my encounter yesterday with what appeared to be an attempt to snag my username/password here, I am once again trying to raise this issue before my own account is hijacked.


I agree, SSL would also help safeguard Tor users from rogue exit nodes.

Re: Does the forums.debian.net server still use Lenny?

Posted: 2012-02-03 22:15
by notthatguy
oh yea I am sure every hacker team in the world is targeting not Bank of America, not the Citigroup, not JP morgan, but forums.debian.net so they can read all our secret PMs :shock:

Re: Does the forums.debian.net server still use Lenny?

Posted: 2012-02-03 22:21
by vbrummond
notthatguy wrote: oh yea I am sure every hacker team in the world is targeting not Bank of America, not the Citigroup, not JP morgan, but forums.debian.net so they can read all our secret PMs :shock:


Amen. :lol:

Is DUF at risk? Possibly so. Am I? Probably so.

Posted: 2012-02-03 22:55
by Ahtiga Saraz
yea I am sure every hacker team in the world is targeting not Bank of America, not the Citigroup, not JP morgan, but forums.debian.net so they can read all our secret PMs

That's not what I said.

Some points which you appear to have overlooked:
  • Various organizations (especially large ones) initiate various projects at various times which have various goals. For example, BoA no doubt hires security auditors to engage in RedTeam/BlueTeam tests of their transactional protections, so contrary to what a naive person might think, banks in effect at times try to steal from themselves, as it were. And the "Team Themis" scandal (and a long-running BAE scandal, a Hewlett-Packard scandal, and many other incidents) show that at times the top officers of large corporations do order "ratfucking" or "domestic espionage" targeting specific investigative journalists or members of small nonprofit organizations which are criticising their corporate practices.
  • Government intelligence/secret police, corporate espionage cells, and well-connected private eyes the world over use essentially the same software sold by the same "Western" spycos. This software has been provided not only to "Western" governments but also to the most repressive authoritarian regimes, including Zimbabwe, Syria, Vietnam, even Iran. And many spycos are based in authoritarian countries like Russia and China where many government officials have ties to organized crime organizations, or even to "terror groups".
  • Sophisticated monitoring/ratfucking/shilling operations do require sophistication on the part of the programmers who write the software used to do such things. But once the software and the manuals are written and sold/licensed to anyone willing to pay (or able to steal them, as may have happened with Iran and Syria), they can be used to target anyone for any "reason" with minimal effort or required expertise.
  • It is hardly a state secret that there are Western spycos which specialize in snagging username/password combos (their customer base includes large corporations who want to make sure that any Walmart employee who badmouths Walmart will be fired, for example), or in monitoring social networking forums (see Wikileaks SpyFiles for a dozen marketing fliers from several of the larger ones which offer such services). A Surveillance-Industrial whitepaper recently predicted that by 2014, such monitoring will be an almost trillion dollar global industry, servicing mid to large corporations and targeting among others citizens who oppose specific corporate practices by specific corporations.
  • It is hardly a state secret that other companies which operate in even more legally murky waters regularly attempt to scrape the user base of public forums like DUF, in order to create spamlists targeting particular interest groups. Their methods can be fairly sophisticated.

Clarify?

Posted: 2012-02-06 20:53
by Ahtiga Saraz
@ cynwulf:
It's currently using Lenny - but have no fear - there is an upgrade planned...
It will be installed at around the same time as the new spam counter measures... :lol:

Please correct me if I misunderstand what I took to be sarcasm (aimed at DUF, not me):
  • I guess you are suggesting that the forum will continue to use Lenny for some time (security support ended today, but someone suggested that the forum owners are capable of patching any vuls independently of debian package management)
  • I guess you are suggesting that the forum owners have talked about anti-spam measures but have never gotten around to implementing them.

Assuming that new anti-spam measures really are coming, will these affect Tor users?

Re: Clarify?

Posted: 2012-02-06 22:02
by cynwulf
Ahtiga Saraz wrote: @ cynwulf:
It's currently using Lenny - but have no fear - there is an upgrade planned...
It will be installed at around the same time as the new spam counter measures... :lol:

Please correct me if I misunderstand what I took to be sarcasm (aimed at DUF, not me):
  • I guess you are suggesting that the forum will continue to use Lenny for some time (security support ended today, but someone suggested that the forum owners are capable of patching any vuls independently of debian package management)
  • I guess you are suggesting that the forum owners have talked about anti-spam measures but have never gotten around to implementing them.

Assuming that new anti-spam measures really are coming, will these affect Tor users?

Substitute my second paragraph for something along the lines of "it should be done around the time hell freezes over" and you will get the idea...

I'm not sure if the upgrade will happen or not - I would guess that it will, but who can say except those whose job it is to carry out the upgrades...

p.s. this is FDN, not DUF, the latter is a different Debian forum.