Re: nobody stuff

daedalus (daedalus@nospam.progsoc.uts.edu.au)
Fri, 31 May 1996 17:28:14 +1000 (EST)

On Fri, 31 May 1996 phil@nospam.socs.uts.edu.au wrote:

> daedalus mumbles..
> >
> > I support the maintaining of security on ProgSoc systems, and I
> > agree that cracking is to be discouraged. Hacking is a different matter.
>
> What is the difference? The result is the same.

Which result are you referring to? I hope you are not intimating
that hacking and cracking are the same thing. Please clear up this
point and I'll be happy to clarify what I meant.

>
> > If there _was_ a security hole here, I would like to know what it _was_
> > (note the emphasis of past tense) for the following reasons:
>
> It is not the role of the system ppl to teach you how to break into this
> or any other system, join a CERT advisory list.

I did not mean to say that it was. I am not asking to be told how
to break into systems. Being told about a _previous_ system flaw should
not allow me or anyone to break into this system. True, it may allow a
person to break into another system in which the security flaw has not
been detected and/or fixed, but presuming that all ProgSoc members would
attempt to do so, and thus censoring the information about what the
problem was _and_ how it was fixed seems a bit excessive, if not outright
paranoia.

Nonetheless, I appreciate your point. All I would like is that if
a major change like this occurs (minor bug fixes and the like would
usually not be worthy of mention) which affects the majority of ProgSoc
users, it be reported in a reasonably detailed fashion.

Perhaps all of ProgSoc do not want to hear about such things. As
an example of a good idea, take the recent upgrade of the server to
Apache. This was mentioned as a recent change in the ProgSoc news, and
details could be found about it. Those details happen to be on a web page
on the other side of the world, which is slow to access, but the location
of these details _was_ published. Can a similar tack not be taken for
other major events, such as the removal of all cgi capabilities for a
while? A pointer to cgi-wrap documentation perhaps.

This information has been relatively forthcoming, but it took
emails from a few people and a minor flame war to happen. Why not save the
hassles and just do it from the very beginning?

>
> You may be right in believing that progsoc was initially set up for learning
> the more in-depth details of Unix, such as kernel hacking, or even just
> hacking. But, the initial intention of progsoc getting a machine to learn
> on, was that the machine was to remain off the network. As the machine is on
> the network, then system ppl must maintain a reasonable amount of
> responsibility, especially towards our connectors.

Agreed, hence my agreement with security measures, including this
latest effort. My objection was to the way in which details of the fixes
were kept only to the sysadmins under a "need-to-know" type pretext.
Sysadmins are (IMHO) just ProgSoc members who are doing a necessary and
valuable job. This is not meant to devalue their efforts in any way. I
would simply like the rest of ProgSoc treated with the same respect and
trust that has been invested in the sysadmins. If individual members step
way out of line (such as by cracking ProgSoc or other machines) then feel
free to step on them, but do not lump us all into the same basket. Some of
us like to know things simply for the joy of knowing.

>
> The aim is to set up a machine that will be cut off from the outside world
> that can be used for such endeavours. However, due to lack of enthusiasm
> from most, this may take some time. If you are half as keen as you seem,
> you should volunteer to help.

Firstly, a separate machine is essentially like a home PC, is it
not? Exactly what is meant by separate? Is this a completely standalone
box (like the PC on my desk at home) or is it actually a machine connected
to the local sub-net, but to nowhere else? The latter would seem to be the
more useful approach.

Secondly, in reference to volunteering for things. <sigh>. I have
already. Some six months ago in fact. I have, with my fellow ProgSoccer
Belafon, so far done the following:
a) Communicated my desire to set up a Linux box connected to the
ProgSoc sub-net.
b) Spoken to various sysadmins/execs/persons of knowledge/etc
about how it could be done, under what conditions, to do what etc. These
issues have not, as yet, been resolved, but that is something I have
intended to do from the start. (well, duh. How else is anything going to
happen.)
c) Purchased an IBM compat. 486DX, 8MB RAM, 500 (roughly) MB disk,
tape backup drive, monitor, bits and pieces.
d) Installed Debian release Linux. (Can't remember the version. Can
check it if needed.)
e) Installed various software packages for net-connection stuff
and a few useful odds and ends.

The machine is basically ready for connection, provided the
aforementioned issues can be worked out to mutual satisfaction, and I
actually get my ass in gear and bring the thing into uni. I think this
constitutes a small contribution towards the purposes of ProgSoc, does it
not? I want to get a feel for sysadminning on an internet machine, so I
bought and set up my own. I plan to run it and have fun with all the
problems running a 'real' server provides. I also bought a separate
machine so that what happens on it can be tightly controlled, so security
issues like this recent one do not arise from the relatively free
environment it will contain.

The plan is that this machine is essentially for Belafon and
myself to get a taste of sysadminning a net-server. Accounts will be kept
to a minimum, since the machine is likely to have a lot of problems,
Belafon and I having relatively little realtime sysadmin experience, but
the machine will be available for certain projects or to take a little
load off ftoomsh. Whatever seems appropriate at the time, basically.

Enough about that though. This is a whole separate topic for
debate, but I felt this needed to be said. Enthusiasm for such things does
seem to be low among ProgSoc members, but in this case that doesn't bother
me. This is basically my project for my own personal enjoyment, and if a
few people want to come along for the ride and (hopefully) have some fun
too, so much the better. Isn't this what ProgSoc is about, or have I
completely missed the point?

>
> The unfortunate thing about progsoc is that a lot of the current members
> joined for a free account. Are they really members or are they just users?
> If so are we moving towards becoming an ISP?

I'm not real keen about restricting membership to ProgSoc, since
what possible criteria could realistically be used for separating
ProgSoccers from general users? ProgSoc is, in a way, an ISP. Accounts are
provided for internet access. There are always going to be people who
simply join for a 'free' account under the present system. So be it. Those
with 'real' ProgSoc type aspirations should be permitted to do such
ProgSoccy things, and those who do not may even learn something by
osmosis, or perhaps even become 'real' ProgSoccers.

I don't want to get into a war over the distinction between a
'real' ProgSoccer and a common garden variety user. They may even be the
same thing. That isn't the point though is it? ISP or not, ProgSoc will
always be ProgSoc if it is a place where people with a love of computers
are able to do things they might not have ordinarily been able to do if
they only had access to something like ITD. At least, that's what I
believe.

==========================================
daedalus
director - eigenmagic
daedalus@nospam.progsoc.uts.edu.au
http://www.progsoc.uts.edu.au/~daedalus
==========================================
Just because you're paranoid doesn't
mean they're not after you...
==========================================