
The man who made e-commerce possible

Anonymous Reader writes, “We’ve all heard about public-key encryption, and most of us have used it. Rob Landley has an article on Linux and Main that explains its origins and how it works. A good treatment of the subject for Linux users who aren’t technically savvy.”

Kondara MNU/Linux 2.1 overview

LPH writes, “TuxReports has a small overview of Kondara MNU/Linux 2.1, a Japanese distribution. It is a 13-page overview. This is the beginning of a document that they hope to grow in size as more and more people use this distribution. If you have never heard of this distribution, then this document is for you.

The overview is at TuxReports.com.”

Category:

  • Linux

Gentoo Linux 1.0 released!

Anonymous Reader writes, “Gentoo Linux is a versatile and fast, completely free x86-based Linux distribution geared towards developers and network professionals. Unlike other distros, Gentoo Linux has an advanced package management system called Portage.” Install instructions and ISOs are available at Gentoo.org.

Category:

  • Linux

Gartner: Apple’s price hike will be imitated

NewsFactor Network writes, “Chastised by both current and potential customers, Apple attempted to deflect concern by pointing to fellow computer manufacturers, who were scaling back RAM and other components rather than raising prices. “We’ve chosen to raise prices by $100 and stick with our three fully configured new iMac models,” said Philip Schiller, Apple’s senior vice president of worldwide product marketing, when the price hike was announced. A new report from Gartner indicates that Apple may have taken the most direct and expedient route in addressing a problem that the entire personal computer industry is facing.”

SILC Protocol version 1.1 development starting soon

Pekka Riikonen writes, “The SILC (Secure Internet Live Conferencing) protocol version 1.1 development is starting soon, and to prepare the work for this the SILC CVS at cvs.silcnet.org was branched for the current stable protocol version 1.0. The new protocol version is to add new features like multi-media support, wider channel founder rights and permanency for created channels. Read the email to the silc-devel mailing list for more about the new protocol version development process, and how you can contribute to it.”

Linux Medical News turns 2

I. Valdes writes, “March 30th is Linux Medical News' 2nd birthday. 430 articles have been posted since the first article on March 30th, 2000. The site has grown considerably since then… The dream of free and open source medical software unifying medicine under standard, non-proprietary software with its attendant increases in quality of care and decrease in cost is very much alive. Considerable progress toward these goals has been made in these two short years. If large scale events such as the now commonplace embrace of free and open source software by the likes of IBM, Sun Microsystems and Wall Street continue, then the possibility of a free and open source medical software industry being born is high. Linux Medical News will continue to be honored to be a chronicler and participant in these transforming events. Complete story.”

Category:

  • Linux

Commentary: Routers and ports wide open — why should anyone bother with security?

By Scott Baust

There’s a disturbing truth about ADSL, IDSL routers and open ports that everyone should know. Let me first begin by introducing myself and my personal feelings toward hacking or cracking.

I have been heavily involved in the computer industry since the mid 1980s, back when a Commodore 128 was something to be proud of. During this time, hacking bulletin boards was a big deal. I have never had much interest in cracking my way into systems, except for those owned by friends and associates just for the fun of it or to play a joke.

As the Internet progressed and insecurities prevailed, I took a defensive posture rather than offensive. Among the problems: lax passwords or no passwords. Tricking admins and gaining access to high-level accounts was such an easy thing to do.

So why should people bother worrying about security? I will give the reason by sharing four fairly recent examples:

Example No. 1: The Internet is wide open. It is so open it scares me. During the Red Alert scare, I took a proactive measure for the sake of curiosity to find out how many people on my ADSL subnet lacked security. So from the pocket of utilities, I set NMAP to work scanning. I stopped the scan after 10 IPs to see what ports would be open for business. Wouldn’t you know it, two of the 10 Cayman DSL routers installed by the technicians of a major telecom/ISP did not have administrator passwords on the router! “Unbelievable,” I thought. Were these routers cracked? I tricked one of my friends who just had this router installed by that company to check out my Web site so I could pick up his IP address. So I checked his router as well and explained how I used his router to check out the whole internal network as well as his less-than-password-protected machines. He was astonished; the technician never told him that a password was needed!

I was very angered by this fact. I called the ISP and explained that the technicians were installing routers without admin passwords, and they basically said they would take care of it. It did not happen, at least not immediately.

Example No. 2: When the directory traversal attack first appeared, I went to work hardening the servers for the company I was then working for. A couple of months went by, and a friend of mine who was doing some work with Flash and airport times and arrivals explained to me that an airport had not updated the servers. He was running into problems extracting info from the pages. Out of curiosity, I checked the directory traversal attack to see if their servers had been updated with patches from Microsoft. You guessed it, the attack worked the first time around. I never went back; I was afraid the FBI may come knocking on my door accusing me of cyber-terrorism.

Example No. 3: Recently, I noticed some strange activity on one of my customer’s servers. I expected it to be some sort of SYN flood (TCPDump was not available for closer inspection). With the IP address of the would-be attacker under my belt, out comes NMAP. Determining the system had telnet service available, I took my first shot and the router had no password. In an instant, I was using the administration application built into the router. I shut off logging and added my IP address to the outbound firewall filters to halt the attack against my customer’s system. I wondered what this attacker was thinking when I did this, if he thought, “I’m busted.”

I called the service provider in North Carolina and enlightened the people there to the problem, though it took 20 minutes to get through to a technician. Problem solved, some poor company saved.

Example No. 4: In MySQL, people rarely add root passwords. People need to read documentation, for God’s sake. Developers do not want to waste their time writing it, because they would rather be programming. But they do it, for you, the users.

I wrote this article for purely selfish reasons. Those people, such as ISPs, who expose themselves to attack expose us as well! I still do random checks on my subnets, and I still find weaknesses. People are not perfect and not all of them are network professionals, but we could limit attacks if people would at least do some system hardening.

My motto: If you see an open window, do not crawl in, tell the owner.

“Commentary” articles are contributed by Linux.com and NewsForge.com readers. The opinions they contain are strictly those held by their authors, and may not be the same as those held by OSDN management. We welcome “Commentary” contributions from anyone who deals with Linux and Open Source at any level, whether as a corporate officer; as a programmer or sysadmin; or as a home/office desktop user. If you would like to write one, please email editors@newsforge.com with “Commentary” in the subject line.

Category:

  • Security

Hack I.T. — security through penetration testing

From LogError: “Aleksandar Stancin writes: ‘I can recommend this book to anyone getting interested in penetration testing as a great one to learn from. You should find many answers and clues you need in order to get ready and sink your teeth into some serious testing. Have fun!’ ” (The Hack I.T. book is reviewed at Net-security.org.)

Category:

  • Security

LinuxCertified announces weekend system administration bootcamp

Rajesh Goyal writes: LinuxCertified, Inc., a leading provider of Linux training, will offer a weekend system administration bootcamp on April 13 – 14, 2002 in the San Francisco Bay Area (South Bay). This workshop is designed for busy information technology professionals and is designed to cover the most important Linux administration areas. All attendees get a free Linux laptop.

In addition to carefully designed lecture material delivered by experienced Linux professionals, there is a heavy emphasis on hands-on learning. The training starts two weeks before the actual class, with access to an online Linux server, where students complete a few challenging pre-class activities. Attendees get a powerful Linux laptop on their arrival, along with other class materials. They load Linux on their laptop during the class, and use it for all the class activities and assignments. At the end of the class they take this laptop with them to further enhance their Linux expertise. Absolute beginners with no UNIX experience can first come to the popular “Linux Fundamentals” class and subsequently join the system administration bootcamp.

Rapid growth of Linux into corporate and government IT environments is fueling the need for Linux certified professionals. CIOs and managers are eager to have Linux experts in their organizations. A certification provides a tangible mechanism for their hiring evaluation, as well as a means to market the prowess of organizations.

“As an independent IT consultant I am always on my toes to learn new technologies, without much free time to devote to classes. The LinuxCertified bootcamp was a perfect way for me to jump start my Linux knowledge. I can now use Linux as a valuable tool in my career,” said Taylor Cottam, an independent consultant who joined one of the LinuxCertified, Inc. weekend bootcamps.

This weekend bootcamp is specially designed to prepare the attendees for the objectives of Level 1 certification exams offered by Linux Professional Institute (LPI). The workshop also meets the objectives of the Red Hat Certified Engineer (RHCE) exam and Sair Linux & GNU certification (LCA). Our attendees build a strong sense of community with our instructors, fellow students, and our network of recruiters and companies looking for Linux consultants.

About LinuxCertified, Inc.

The mission of LinuxCertified, Inc. is to bring Linux to mainstream IT usage. We firmly believe that Linux has an enormous potential, once it crosses over from the early adopters to the more mainstream users. Our goal is to help this transition by providing:

– Linux trained and certified professionals
– Linux certified products that cater to mainstream users rather than early adopters.

Contact:
info@linuxcertified.com
http://www.linuxcertified.com/
Tel: 408 314 6700

Linux is a registered trademark of Linus Torvalds.
All other names and trademarks are the property of their respective owners.

Category:

  • Linux

Too little trust in Open Source? A response

bero writes, “I’ve put up a rebuttal to ZDNet’s recent piece of FUD entitled Too much trust on Open Source at http://www.bero.org/rebuttals/security.html.”

Category:

  • Migration