[00:50] <mgw> I'm trying to debug a weird dns issue… I have a .internal zone, which delegates .A.internal to another dns server
[00:51] <mgw> When I do a dig of foo.A.internal @ns.internal, it works — sometimes
[00:52] <mgw> But more often, ns.internal never sees the response from ns.A.internal — even though I can see the response in a tcpdump running on ns.internal
[00:53] <mgw> By "not see", I mean it does not show in bind's debug log
[00:53] <mgw> any ideas?
[17:27] <Quest> i need to scan the system (from outside) to see if it has any vulnerabilities for an attack. then understand how to fix them.
[17:47] <Quest> nessus and metasploit, so they don't need to be installed ON the system that is TO BE Scanned? I wonder how the vulnerabilities could be checked from outside? only open ports can be checked. like nmap does. can you elaborate?
[17:59] <nobodies> i have an old ubuntu distro "natty" how can i do a dist upgrade
[18:04] <nobodies> e.g. do-release-upgrade is not installed and i can't apt get it because the repo doesn't exist anymore
[18:06] <Patrickdk_> sure it exists
[18:06] <Patrickdk_> change to the archive repos
[18:08] <nobodies> how?
[18:08] <tedski> nobodies: see here: http://old-releases.ubuntu.com/releases/11.04/
[18:09] <tedski> nobodies: edit your sources.list to include the relevant repos from here: http://old-releases.ubuntu.com/ubuntu/dists/
[18:12] <nobodies> great thanks i've done that now :)
[18:54] <Quest> http://masoodahmad.com/02.Session-Hijacking-Pt.2.mov how the hell can the email / password be visible in this middleman attack when the user was using HTTPS gmail website ?
[19:02] <qman__> Quest, it's a bit off topic, but that's a simple man in the middle
[19:02] <qman__> he clicked past the certificate warning
[19:06] <Quest> qman__,  sorry?  "past the certificate warning?"
[19:09] <qman__> Quest, when he browsed to gmail, he was presented with a certificate warning because his traffic was being intercepted
[19:09] <qman__> he clicked ok to continue anyway without a single word spoken on it
[19:10] <qman__> it's disingenuous, as is using windows 2000 and horribly outdated versions of internet explorer
[19:12] <Quest> what was the warning about?
[19:12] <qman__> the certificate name not matching, because it was invalid and presented by the attacker rather than gmail
[19:13] <qman__> but again, this is offtopic, it has nothing to do with ubuntu server or even linux in general
[19:13] <Quest> i think with https, the data should have gone out of the computer after it has been encrypted. so once it goes out, how can it be seen in a text file by the middle man, in plain text?
[19:14] <Quest> qman__, oh. the cert was invalid? he never set up the certificate... did he in the video?
[19:15] <qman__> the man in the middle intercepts and modifies the transmission, the client never reaches gmail to initiate a secure connection
[19:17] <Quest> qman__, the client does reach gmail, how else would he load the login web page then?
[19:18] <qman__> you clearly do not understand the basics of how https and SSL work
[19:18] <bekks> And it has nothing to do with ubuntu - it is a generic issue.
[19:20] <Quest> qman__,  can we private chat. (away from ubuntu and bekks )
[19:20] <qman__> no, you need to learn a lot more before you can understand how this attack works
[19:20] <qman__> take a course or read a good book on PKI
[19:21] <Quest> qman__, only thing i guess is that the client did reach gmail, but the certificate was supplied by cain, as its default behaviour?
[19:21] <Quest> qman__, it was a course video. i am doing what you said. but i need discussions. with your skills. can we chat elsewhere?
[19:24] <Quest> am i correct about the cain and cert ? qman__
[19:25] <bekks> No.
[19:25] <Quest> bekks, don't respond. it's the ubuntu channel
[19:25] <Quest> qman__, so?
[19:25] <bekks> Quest: If you don't like the answer, don't ask.
[19:25] <Quest> not asking you )
[19:25] <Quest> :)
[19:26] <bekks> Ignoring you. Good luck.
[19:26] <qman__> no, you do not understand how it works
[19:26] <Quest> bekks, at last. thanks
[19:26] <qman__> stop pestering me, and learn how PKI functions
[19:26] <qman__> I have already explained how it works
[19:26] <Quest> hm.. i thought i knew https and read docs
[19:26] <Quest> last question. qman__   is cain or abel sending its own certificate to client?
[19:27] <Quest> y/n?
[19:28] <LargePrime> hey all.  my /tmp is full?
[19:28] <LargePrime>  http://paste.ubuntu.com/6076170/
[19:28] <bekks> LargePrime: That's not a standard ubuntu filesystem. What did you do?
[19:29] <bekks> LargePrime: Please provide the output of "lsb_release -a"
[19:29] <bekks> LargePrime: In a pastebin please.
[19:30] <qman__> LargePrime, http://stackoverflow.com/questions/17536139/releasing-unneccesary-space-used-in-tmp
[19:30] <qman__> the second answer, in particular
[19:31] <LargePrime> bekks: "No LSB modules are available."
[19:31] <Quest> last question. qman__   is cain or abel sending its own certificate to client?
[19:31] <bekks> LargePrime: The entire output. Not just one line.
[19:35] <bekks> LargePrime: So where is the entire output? :)
[19:36] <LargePrime> http://paste.ubuntu.com/6076180/
[19:37] <bekks> LargePrime: And pastebin your /etc/fstab too, please, along with "uname -a"
[19:37] <LargePrime> qman__:   /tmp: device is busy. when i try and unmount
[19:40] <LargePrime> bekks: http://paste.ubuntu.com/6076217/ is uname -a. I don't understand "pastebin your /etc/fstab"
[19:40] <bekks> LargePrime: Copy the content of /etc/fstab into a pastebin.
[19:40] <bekks> You are running a pretty old kernel, on your 12.04.3
[19:41] <LargePrime> i should update it?
[19:41] <bekks> The current kernel for 12.04.3 is 3.5.0
[19:41] <bekks> Yes, you should.
[19:41] <LargePrime> right now i cant update anything, cause /tmp issue
[19:43] <LargePrime> bekks:  fstab http://paste.ubuntu.com/6076226/
[19:44] <bekks> So you did mount your /tmp on your own, didn't you?
[19:45] <LargePrime> nope
[19:45] <LargePrime> it happened cause / was full
[19:48] <bekks> It didn't. /tmp did not mount because / is full. And your / has 6.1GB free space.
[19:48] <LargePrime> my / WAS full
[19:49] <LargePrime> as qman__  link points out
[19:49] <LargePrime> ubuntu mounts /tmp in ram
[19:49] <LargePrime> when that happens
[19:49] <LargePrime> but i am not sure how to unmount it
[19:49] <LargePrime> and unmount says it is in use
[19:52] <LargePrime> http://paste.ubuntu.com/6076245/ is what i get when i try an unmount
[19:52] <bekks> Then you have to reboot.
[19:53] <LargePrime> poop
[19:53] <LargePrime> so reboot then unmount it
[19:53] <LargePrime> ?
[19:53] <bekks> No.
[19:54] <bekks> Reboot unmounts everything, and reboots your computer.
[20:10] <LargePrime> is there any other option to rebooting?
[20:14] <Pastafarian> Any Ubuntu staffers online?
[20:16] <Pastafarian> The lack of an apache 2.4 port is getting more and more worrying.
[20:16] <Pastafarian> When is a 2.4 port to 12.04 lts and others planned?
[20:27] <Pastafarian> https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884
[20:27] <Pastafarian> This needs to be sorted right now.
[20:28] <LargePrime> Pastafarian:
[20:28] <LargePrime> My imaginary friend still loves you.
[20:30] <Pastafarian> FSM ?
[20:47] <Pastafarian> This bug is not "wishlist"
[20:47] <Pastafarian> https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884
[20:47] <Pastafarian> It's security critical. RC4 is being implied as being cracked by the NSA etc...  meaning we could do with the newer ciphers.
[21:01] <mdeslaur> Pastafarian: Bruce Schneier said "Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can"
[21:02] <mdeslaur> Pastafarian: if someone backports the ECDHE stuff to apache 2.2, we may consider adding it
[21:03] <ScottK> OTOH, some of the black hat (or defcon, I can't recall) presentations this year gave me the impression that RSA/DSA's days are numbered.
[21:03] <mdeslaur> ScottK: that turned out to be overly exaggerated
[21:03] <ScottK> Interesting.
[21:04] <mdeslaur> see https://www.schneier.com/blog/archives/2013/08/the_cryptopocal.html
[21:06] <mdeslaur> the fact that ECC is patented doesn't help the situation at all
[21:06] <mdeslaur> unless everyone starts giving royalties to Blackberry
[21:06] <ScottK> Agreed.
[21:06] <mdeslaur> It's been a pretty depressing few months :P
[21:07] <ScottK> Thanks.
[21:31] <Pastafarian> That being said
[21:31] <Pastafarian> we need it updating in one of the two ways
[21:31] <Pastafarian> asap
[21:32] <Pastafarian> The major hint is that RSA is over
[21:32] <Pastafarian> and that RC4 can be broken.
[21:33] <Pastafarian> mdeslaur, if ubuntu is meant to have a server version which they're selling support to, shouldn't the devs give more of a crap about this
[21:34] <mdeslaur> Pastafarian: yes, ubuntu devs should definitely be looking at that
[21:34] <Pastafarian> ultimately someone needs to get elgamal going
[21:34] <mdeslaur> Pastafarian: someone needs to backport the support to apache 2.2
[21:35] <Pastafarian> that should have been done certainly
[21:35] <Pastafarian> however it's not like they shouldn't drop 2.4 into raring and earlier
[21:35] <Pastafarian> especially lts
[21:36] <mdeslaur> releases rarely get newer versions, especially for something like this
[21:36] <mdeslaur> this is far from a critical issue
[21:36] <Pastafarian> Whereas I would disagree ;)
[21:37] <Pastafarian> RC4 is flogging a dead horse.
[21:37] <mdeslaur> I don't see any other distros rushing out to do the backporting work, or to release apache 2.4 into older releases
[21:37] <Pastafarian> The alternatives are locked into 2.2.22
[21:37] <Pastafarian> however debian has it in testing
[21:37] <Pastafarian> and has for a long while
[21:37] <mdeslaur> Pastafarian: saucy will have 2.4
[21:37] <Pastafarian> I know, and I still don't want to wait until October
[21:38] <Pastafarian> and I cannot jerk around on production machines compiling it instead
[21:38] <mdeslaur> Pastafarian: you're not in the US, are you?
[21:38] <Pastafarian> Nope.
[21:40] <Pastafarian> So I have slightly less to be concerned about, regardless. It's committed. Just needs speeding the hell up.
[21:40] <mdeslaur> committed?
[21:41] <Pastafarian> Fix committed, i.e. in saucy
[21:41] <Pastafarian> I'd expect it to be shoved in 12.04 quickly too.
[21:42] <mdeslaur> that's likely not going to happen
[21:42] <Pastafarian> Then someone needs to pull a cranium out of somewhere.
[21:42] <Pastafarian> >LTS when we feel like it.
[21:43] <mdeslaur> Pastafarian: your definition of what an LTS is is flawed
[21:48] <Pastafarian> In which case by 5 years of support they mean, at our discretion regardless of security?
[21:49] <mdeslaur> Pastafarian: that's not a security issue
[21:50] <Pastafarian> Not for the Operating System
[21:50] <Pastafarian> For anyone using it
[21:50] <Pastafarian> If the ubuntu devs are making their definitions strictly to the security of a SERVER operating system only to the OS
[21:50] <Pastafarian> they're being at best, stupid.
[22:29] <ScottK> So you want the stability of an LTS on a system that's updated all the time?
[22:29] <ScottK> Pick one.
[23:21] <Pastafarian> ScottK, don't be dense.
[23:22] <Pastafarian> You want stability and security.
[23:22] <Pastafarian> These are not mutually exclusive
[23:22] <ScottK> No, but dumping a new version of apache into an already released LTS is insanity.
[23:23] <Pastafarian> and when tested has it presented issues?
[23:23] <Pastafarian> has someone even tried?
[23:23] <Pastafarian> plenty of PPAs out there
[23:25] <Pastafarian> why is it insanity? I can choose 2.2 or 2.4 in windows
[23:25] <Pastafarian> or debian
[23:25] <Pastafarian> and expect on many other distros