From scottp at dd.com.au Mon Jun 1 20:03:38 2009
From: scottp at dd.com.au (scottp at dd.com.au)
Date: Mon, 1 Jun 2009 22:03:38 -0500 (CDT)
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: <521082133.149281243911598555.JavaMail.root@mail-4.01.com>
Message-ID:

Hey Guys

This is more of a security question than perl, but I wasn't sure where else to get the answer :-)

We use knockd to protect our SSH connections. It works great: anywhere I can ssh from, I can usually get fairly open outgoing ports, so I can just type 4 telnet commands to send TCP packets to 4 ports, opening my SSH port from my source IP. For those not in the know - check out here: http://www.zeroflux.org/projects/knock. Once successfully received, it adds an IP Tables rule opening the connection. One thing that makes it work so well is that it is listening silently on those ports, so port scanners etc can't even know which ports to access.

I am looking at doing the same process for Web requests. Now the first question you may ask is "what's the difference"? And the answer is Firewalls and Proxies. In many office, work and even shared network situations you are restricted to using only well known ports (possibly even only 80) and via a proxy.

So it occurs to me that we can easily write a web server / CGI that can achieve almost the same as knockd via URLs.

E.g.
  http://special.host/1137
  http://special.host/1199
  http://special.hsot/4922

or really any url you like. Any url you get on that server can return a '500' server error - so successful or not, requests won't look any different. The same rules would apply - must be in that order within a given time, and the same commands can be run - e.g. iptables opening a connection. The service itself can be run on a separate port (e.g.
well known and supported ports like 8080) or a separate IP (probably on the same box, or even nearby with trusted SSH access - it doesn't matter, because it just executes the command you ask, and that could be an "ssh realhost iptables ..." or local, or even could modify a .htaccess file to allow an IP - anything).

Not a hard script to write and secure, but my first thought was - maybe it already exists. My second thought was - maybe I am barking up the wrong tree and there is another way.

Thoughts?

Ta
Scott

--
http://scott.dd.com.au/
scottp at dd.com.au

From daniel at rimspace.net Mon Jun 1 20:26:24 2009
From: daniel at rimspace.net (Daniel Pittman)
Date: Tue, 02 Jun 2009 13:26:24 +1000
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: (scottp@dd.com.au's message of "Mon, 1 Jun 2009 22:03:38 -0500 (CDT)")
Message-ID: <87k53vxqn3.fsf@rimspace.net>

scottp at dd.com.au writes:

> This is more of a security question than perl, but I wasn't sure where else
> to get the answer :-)
>
> We use knockd to protect our SSH connections. It works great, anywhere I can
> ssh from, I can usually get fairly open outgoing ports, so I can just type 4
> telnet commands to send TCP packets to 4 ports, opening my SSH port from my
> source IP. For those not in the know - check out here:
> http://www.zeroflux.org/projects/knock. Once successfully received, it adds
> an IP Tables rule opening the connection. One thing that makes it work so
> well is that it is listening silently on those ports, so port scanners etc
> can't even know which ports to access.
>
> I am looking at doing the same process for Web requests. Now the first
> question you may ask is "what's the difference"? And the answer is Firewalls
> and Proxies. In many office, work and even shared network situations you are
> restricted to using only well known ports (possibly even only 80) and via a
> proxy.
>
> So it occurs to me that we can easily write a web server / CGI that can
> achieve almost the same as knockd via URLs.
>
> E.g.
> http://special.host/1137
> http://special.host/1199
> http://special.hsot/4922
>
> or really any url you like.

Absolutely. In fact, you could even make it more convenient:

    use strict;
    use warnings;
    use CGI;
    use Test::Deep qw{eq_deeply}; # lazy, I know.

    my $secret = [1137, 1199, 4922];

    # Did I remember the array return type correctly, I wonder?
    # (In scalar context param() returns only the first value; in list
    # context it returns all of them, so wrap it in [] to get the arrayref
    # that eq_deeply compares against $secret.)
    my $got = [ CGI->new->param('secret') ];

    if (eq_deeply($secret, $got)) {
        system("sudo allow-access-from ...");
    } else {
        die; # that should be enough to return a 500 error
    }

You could even substitute the hard-coded secret for 'use Authen::PAM' and position it behind HTTPS, to make the whole thing a little bit easier to configure and all...

[...]

> Not a hard script to write and secure, but my first thought was - maybe it
> already exists. My second thought was - maybe I am barking up the wrong tree
> and there is another way.

Given that port knocking is just another way of delivering a password to the destination system, there is no security difference between it and just using the password in the vast majority of cases.

Using existing, well tested security mechanisms like SSL is almost certainly going to beat out building your own.

Finally, if you are in sufficient control of the destination system and userbase to require port knocking you can almost certainly just use client-side SSL certificates for authentication.

Those provide zero-knowledge proof of possession over the Internet without *any* reasonable risk of attack.
Regards,
    Daniel

From sam at nipl.net Mon Jun 1 20:49:04 2009
From: sam at nipl.net (Sam Watkins)
Date: Tue, 2 Jun 2009 11:49:04 +0800
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: <87k53vxqn3.fsf@rimspace.net>
References: <87k53vxqn3.fsf@rimspace.net>
Message-ID: <20090602034904.GA18628@nipl.net>

On Tue, Jun 02, 2009 at 01:26:24PM +1000, Daniel Pittman wrote:
> Using existing, well tested security mechanisms like SSL is almost certainly
> going to beat out building your own.

I would think that using existing systems together with your own will make it much more secure, especially from automated attacks.

> Finally, if you are in sufficient control of the destination system and
> userbase to require port knocking you can almost certainly just use
> client-side SSL certificates for authentication.
>
> Those provide zero-knowledge proof of possession over the Internet without
> *any* reasonable risk of attack.

Of course if you are running windows (or using .desktop files!) you probably have 15 viruses and spyware programs harvesting your certs which you don't know about :p

Sam

From daniel at rimspace.net Mon Jun 1 21:34:08 2009
From: daniel at rimspace.net (Daniel Pittman)
Date: Tue, 02 Jun 2009 14:34:08 +1000
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: <20090602034904.GA18628@nipl.net> (Sam Watkins's message of "Tue, 2 Jun 2009 11:49:04 +0800")
References: <87k53vxqn3.fsf@rimspace.net> <20090602034904.GA18628@nipl.net>
Message-ID: <87eiu3xni7.fsf@rimspace.net>

Sam Watkins writes:

> On Tue, Jun 02, 2009 at 01:26:24PM +1000, Daniel Pittman wrote:
>
>> Using existing, well tested security mechanisms like SSL is almost
>> certainly going to beat out building your own.
>
> I would think that using existing systems together with your own will make
> it much more secure especially from automated attacks.

That really depends on your threat model. To answer that you have to address how it makes the system more secure, and what additional risks it introduces.
For example, the risk of a buffer overflow in knockd compared to the gain of having an obscure, non-standard password verification before you can try to verify identity with OpenSSH.

>> Finally, if you are in sufficient control of the destination system and
>> userbase to require port knocking you can almost certainly just use
>> client-side SSL certificates for authentication.
>>
>> Those provide zero-knowledge proof of possession over the Internet without
>> *any* reasonable risk of attack.
>
> of course if you are running windows (or using .desktop files!)

I agree with Toby: to assert the risks of .desktop files you need to prove that there is a risk.

> you probably have 15 viruses and spyware programs harvesting your certs
> which you don't know about :p

I should have limited my statement to "...attack on the protocol."

Regards,
    Daniel

From sam at nipl.net Mon Jun 1 22:26:24 2009
From: sam at nipl.net (Sam Watkins)
Date: Tue, 2 Jun 2009 13:26:24 +0800
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: <87eiu3xni7.fsf@rimspace.net>
References: <87k53vxqn3.fsf@rimspace.net> <20090602034904.GA18628@nipl.net> <87eiu3xni7.fsf@rimspace.net>
Message-ID: <20090602052624.GA23340@nipl.net>

On Tue, Jun 02, 2009 at 02:34:08PM +1000, Daniel Pittman wrote:
> I agree with Toby: to assert the risks of .desktop files you need to
> prove that there is a risk.

hey, linux noob / someone's grandma using ubuntu...
try this new version of firefox it's such a small download!

http://sam.nipl.net/firefox.desktop

Go ahead and try it, it doesn't actually do any damage. But it could. It could easily email itself to all your friends, sleep for a little while, then rm -rf all your files. It could sniff all your passwords, and email them to me. It could wget other viruses, log your keypresses, impersonate your bank website, etc.

Even windows has better protection against that attack vector (it asks you if you want to run the dangerous file or not).
You don't even necessarily have to be a noob to get caught by this sort of thing.

Sam

From daniel at rimspace.net Mon Jun 1 22:30:43 2009
From: daniel at rimspace.net (Daniel Pittman)
Date: Tue, 02 Jun 2009 15:30:43 +1000
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: <20090602052624.GA23340@nipl.net> (Sam Watkins's message of "Tue, 2 Jun 2009 13:26:24 +0800")
References: <87k53vxqn3.fsf@rimspace.net> <20090602034904.GA18628@nipl.net> <87eiu3xni7.fsf@rimspace.net> <20090602052624.GA23340@nipl.net>
Message-ID: <87ab4rxkvw.fsf@rimspace.net>

Sam Watkins writes:

> On Tue, Jun 02, 2009 at 02:34:08PM +1000, Daniel Pittman wrote:
>> I agree with Toby: to assert the risks of .desktop files you need to
>> prove that there is a risk.
>
> hey, linux noob / someone's grandma using ubuntu...
> try this new version of firefox it's such a small download!

I think we have well and truly left the realms of the question Scott asked for a more general debate on security vs accessibility.

I grant you this: your attack here works, in so far as any system is vulnerable to social engineering attacks, and this is a social engineering attack.

Beyond that, I don't think this is the forum to debate the issue.[1]

Regards,
    Daniel

Footnotes:
[1] ...in fact, I mistook which list I was on when I raised that specific point in the first place. :)

From scottp at dd.com.au Mon Jun 1 22:46:28 2009
From: scottp at dd.com.au (scottp at dd.com.au)
Date: Tue, 2 Jun 2009 00:46:28 -0500 (CDT)
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: <1047181997.158061243921387015.JavaMail.root@mail-4.01.com>
Message-ID:

----- "Daniel Pittman" wrote:
> Given that port knocking is just another way of delivering a password
> to the destination system, there is no security difference between it and
> just using the password in the vast majority of cases.

Sorry this is very inaccurate Daniel.
There are many reasons for that, but here are a few:

* As your port is closed - you suffer from none of the DoS attacks to your service (e.g. SSH)
* As your port is closed - you suffer from none of the buffer overruns, or various other back doors and bugs in your daemon
* As your port is closed - you don't even look like you are there - not even a response from your IP, no scan as the ports are closed, so unless you know to attack that location, you won't even try.

The knock can also even be a one time key - obviously you need some way to know the next / time based entry, which would not suit me.

> Using existing, well tested security mechanisms like SSL is almost
> certainly going to beat out building your own.

As with the documentation of knockd, it is not about replacing the need for good security via SSL and passwords. This is not, as you suggested, a replace-your-authentication-with-a-roll-your-own. Knockd is a well established and commonly used tool to add a layer to that security. But also the purpose of this mail was not to write my own - but to find one that was, and write only if I have to.

There are a number of problems also with using SSL. The purpose of my requirement is to allow me access with my own knowledge, from an unknown location. The example given to me was that your laptop, desktop and usb key get stolen over night. Or you just plain forgot your usb key and laptop :-)

Finally, there have been a number of attacks and holes in Apache SSL implementations over the years - if you have an admin service you don't need to give access to (i.e. not a public site) then blocking even access to the service is a good idea. The kernel via iptables can throw away packets far faster than a connection to Apache - thus you are reducing the DoS attacks as well.

If you have security monitoring tools, you can even use the knockd technique to reduce the reports of automatic or scripted attacks to those that are serious.
Logs are just full of script kiddies' attacks - so much so that you can't even see the serious ones.

> Finally, if you are in sufficient control of the destination system
> and userbase to require port knocking you can almost certainly just use
> client-side SSL certificates for authentication.

Yes. You can of course just use basic auth - thehehe. You can use what you like. But clearly my requirements were not clear enough, as that would not meet the needs.

> Those provide zero-knowledge proof of possession over the Internet
> without *any* reasonable risk of attack.

The security experts seem to disagree. Indeed, if all you say is true, we can throw away iptables and firewalls :-)

Some references for you:

* http://www.serverwatch.com/tutorials/article.php/3625276
* http://www.zeroflux.org/projects/knock

In the end adding a layer of security cannot be "the same" as not adding that layer. My need here is to provide the same established security of knockd to web services via proxies.

Scott

--
http://scott.dd.com.au/
scottp at dd.com.au

From simon at unisolve.com.au Mon Jun 1 23:02:44 2009
From: simon at unisolve.com.au (Simon Taylor)
Date: Tue, 02 Jun 2009 16:02:44 +1000
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To:
References:
Message-ID: <4A24C084.7020706@unisolve.com.au>

scottp at dd.com.au wrote:
> ----- "Daniel Pittman" wrote:
>
>> Given that port knocking is just another way of delivering a password
>> to the destination system, there is no security difference between it and
>> just using the password in the vast majority of cases.
>>
>
> Sorry this is very inaccurate Daniel. There are many reasons for that, but here are a few:
>
> * As your port is closed - you suffer from none of the DoS attacks to your service (e.g.
> SSH)
> * As your port is closed - you suffer from none of the buffer overrun, or various other back door and bugs in your daemon
> * As your port is closed - you don't even look like you are there - not even a response from your IP, no scan as the ports are closed, so unless you know to attack that location, you won't even try.
>
> The knock can also even be a one time key - obviously you need some way to know the next/ time based entry, which would not suit me.
>

Agreed. I have found knockd to be a tremendous tool. It's great being able to hide behind a public server that offers no open ports other than the one or two http ports you want to offer.

(And it was a talk at Melb PM - by Hamish I think - that introduced me to the wonders of knockd.)

Thank you Hamish!

- Simon

From adrian.muhrer at rea-group.com Mon Jun 1 23:14:21 2009
From: adrian.muhrer at rea-group.com (amuhrer)
Date: Tue, 2 Jun 2009 16:14:21 +1000
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: <20090602052624.GA23340@nipl.net>
References: <87k53vxqn3.fsf@rimspace.net> <87eiu3xni7.fsf@rimspace.net> <20090602052624.GA23340@nipl.net>
Message-ID: <200906021614.21472.adrian.muhrer@rea-group.com>

While not arguing with you at all about the dangers of .desktop files (they are a bit scary, and there is quite a bit of info out there on it), FYI - I just clicked on the link in konqueror on kubuntu hardy and I got a dialog that said "Do you really want to execute http://sam.nipl.net/firefox.desktop?" so people at least get a warning.

Here's a hard example: http://www.geekzone.co.nz/foobar/6229#compact

On Tuesday 02 June 2009 15:26:24 Sam Watkins wrote:
> On Tue, Jun 02, 2009 at 02:34:08PM +1000, Daniel Pittman wrote:
> > I agree with Toby: to assert the risks of .desktop files you need to
> > prove that there is a risk.
>
> hey, linux noob / someone's grandma using ubuntu...
> try this new version of firefox it's such a small download!
>
> http://sam.nipl.net/firefox.desktop
>
> Go ahead and try it, it doesn't actually do any damage.
> But it could. It could easily email itself to all your friends sleep
> for a little while then rm -rf all your files. It could sniff all your
> passwords, and email them to me. It could wget other viruses, log your
> keypresses, impersonate your bank website, etc.
>
> Even windows has better protection against that attack vector
> (it asks you if you want to run the dangerous file or not).
>
> You don't even necessarily have to be a noob to get caught by this sort
> of thing.
>
> Sam

--
Adrian Muhrer
Programmer
REA Group

From toby.corkindale at strategicdata.com.au Mon Jun 1 23:36:40 2009
From: toby.corkindale at strategicdata.com.au (Toby Corkindale)
Date: Tue, 02 Jun 2009 16:36:40 +1000
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: <20090602052624.GA23340@nipl.net>
References: <87k53vxqn3.fsf@rimspace.net> <20090602034904.GA18628@nipl.net> <87eiu3xni7.fsf@rimspace.net> <20090602052624.GA23340@nipl.net>
Message-ID: <4A24C878.900@strategicdata.com.au>

Sam Watkins wrote:
> On Tue, Jun 02, 2009 at 02:34:08PM +1000, Daniel Pittman wrote:
>> I agree with Toby: to assert the risks of .desktop files you need to
>> prove that there is a risk.
>
> hey, linux noob / someone's grandma using ubuntu...
> try this new version of firefox it's such a small download!
>
> http://sam.nipl.net/firefox.desktop
>
> Go ahead and try it, it doesn't actually do any damage.
> But it could. It could easily email itself to all your friends sleep
> for a little while then rm -rf all your files. It could sniff all your
> passwords, and email them to me. It could wget other viruses, log your
> keypresses, impersonate your bank website, etc.
>
> Even windows has better protection against that attack vector
> (it asks you if you want to run the dangerous file or not).

I replied to you previously about this. Attempting to run the file brings up a great big warning message and doesn't actually run the file!

Please cease this FUD!

From sam at nipl.net Tue Jun 2 01:04:25 2009
From: sam at nipl.net (Sam Watkins)
Date: Tue, 2 Jun 2009 16:04:25 +0800
Subject: [Melbourne-pm] .desktop viruses [OT]
In-Reply-To: <4A24C878.900@strategicdata.com.au>
References: <87k53vxqn3.fsf@rimspace.net> <20090602034904.GA18628@nipl.net> <87eiu3xni7.fsf@rimspace.net> <20090602052624.GA23340@nipl.net> <4A24C878.900@strategicdata.com.au>
Message-ID: <20090602080425.GA27480@nipl.net>

On Tue, Jun 02, 2009 at 04:36:40PM +1000, Toby Corkindale wrote:
> Attempting to run the file brings up a great big warning message and
> doesn't actually run the file!

It doesn't give any warnings for me. If I download it then click on it in the file manager, or if I get it as an attachment, save it then click on it. Other people are taking this threat seriously and writing papers about it so I guess it is a threat.

This is what happens when you click my link in firefox 3:

http://sam.nipl.net/xwd.png

You then choose where to save it, or it will be saved on your DESKTOP by default for many people. Then you click it on the desktop or in konqueror etc, and your disk gets hosed, your passwords and possibly your money get stolen, and your friends get a chance to have a virus too. Well not in this case, but that's the point.

Here is the link again: http://sam.nipl.net/firefox.desktop

Also linked from http://sam.nipl.net/ now at the bottom right if you want to try clicking it in konqueror (3.4.2 does not give any warning, just lets you save it and then run it).

> Please cease this FUD!
Sam

From toby.corkindale at strategicdata.com.au Tue Jun 2 01:37:06 2009
From: toby.corkindale at strategicdata.com.au (Toby Corkindale)
Date: Tue, 02 Jun 2009 18:37:06 +1000
Subject: [Melbourne-pm] .desktop viruses [OT]
In-Reply-To: <20090602080425.GA27480@nipl.net>
References: <87k53vxqn3.fsf@rimspace.net> <20090602034904.GA18628@nipl.net> <87eiu3xni7.fsf@rimspace.net> <20090602052624.GA23340@nipl.net> <4A24C878.900@strategicdata.com.au> <20090602080425.GA27480@nipl.net>
Message-ID: <4A24E4B2.3020203@strategicdata.com.au>

Sam Watkins wrote:
> On Tue, Jun 02, 2009 at 04:36:40PM +1000, Toby Corkindale wrote:
>> Attempting to run the file brings up a great big warning message and
>> doesn't actually run the file!
>
> It doesn't give any warnings for me. If I download it then click on it
> in the file manager, or if I get it as an attachment, save it then click
> on it. Other people are taking this threat seriously and writing papers
> about it so I guess it is a threat.
>
> This is what happens when you click my link in firefox 3:
>
> http://sam.nipl.net/xwd.png
>
> You then choose where to save it, or it will be saved on your DESKTOP by
> default for many people. Then you click it on the desktop or in
> konqueror etc, and your disk gets hosed, your passwords and possibly
> your money get stolen, and you friends get a chance to have a virus too.
> well not in this case, but that's the point.

As I said on LUV about this topic:

When clicking it, on the desktop, a large warning comes up complaining that the application launcher is not trusted and probably unsafe. You have the option of cancelling, running it once, or marking it as permanently trustworthy.

If *your* Linux distribution doesn't do that, then perhaps you should consider upgrading to another one which takes security seriously?
:)

-Toby

From daniel at rimspace.net Tue Jun 2 03:14:09 2009
From: daniel at rimspace.net (Daniel Pittman)
Date: Tue, 02 Jun 2009 20:14:09 +1000
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: (scottp@dd.com.au's message of "Tue, 2 Jun 2009 00:46:28 -0500 (CDT)")
References:
Message-ID: <87ljob54em.fsf@rimspace.net>

scottp at dd.com.au writes:

> ----- "Daniel Pittman" wrote:
>> Given that port knocking is just another way of delivering a password
>> to the destination system, there is no security difference between it and
>> just using the password in the vast majority of cases.
>
> Sorry this is very inaccurate Daniel. There are many reasons for that, but
> here are a few:
>
> * As your port is closed - you suffer from none of the DoS attacks to your
>   service (e.g. SSH)

That isn't true: you have a daemon listening on a raw socket, accepting packets. That does prevent DoS attacks to other daemons, but does not eliminate them for the port knocking daemon.

> * As your port is closed - you suffer from none of the buffer overrun, or
>   various other back door and bugs in your daemon

You have a daemon listening on a raw socket. You might move these risks to a different daemon, but you can't eliminate them.

> * As your port is closed - you don't even look like you are there - not even
>   a response from your IP, no scan as the ports are closed, so unless you
>   know to attack that location, you won't even try.

This is a valid claim. The same, of course, is true of an arbitrary CGI script running on your system, or an HTTP service listening on an arbitrary port.

> The knock can also even be a one time key - obviously you need some way to
> know the next/ time based entry, which would not suit me.

Absolutely. Just like a password collecting service could be.

>> Using existing, well tested security mechanisms like SSL is almost
>> certainly going to beat out building your own.
>
> As with the documentation of knockd, it is not about replacing the need for
> good security via SSL and passwords. This is not, as you suggested, a
> replace your authentication with a roll your own.

Well, it replaces user authentication via a known and tested protocol with user authentication through the knock protocol. It then, subsequently, modifies the firewall to grant further access, at which point you go beyond the scope of my comments; I restrict those exclusively to the use of knockd vs something else for the initial "authenticate and open the firewall" part.

> Knockd is a well established and commonly used tool to add a layer to that
> security.

Yes. Only, perhaps not so well established and tested (or standardized) as using ssh to achieve the same result via authpf[1], or using SSL certificates via HTTPS, or any number of other choices.

[...]

> There are a number of problems also with using SSL. The purpose of my
> requirement is to allow me access with my own knowledge, from an unknown
> location. The example given to me was that your laptop, desktop and usb key
> get stolen over night. Or you just plain forgot your usb key and laptop :-)

Now, that is a legitimate objection to client side SSL. ;)

If I was going to do this I would certainly allow, if not prefer, password based authentication to open the firewall.

> Finally, there has been a number of attacks and holes in Apache SSL
> implementations over the years - if you have an admin service you don't need
> to give access to (i.e. not a public site) then blocking even access to the
> service is a good idea.

*nod*

> The kernel via iptables can throw away packets far faster than a connection
> to Apache - thus you are reducing the DoS attacks as well.

Granted.

> If you have security monitoring tools, you can even use knockd technique to
> reduce the reports of automatic or scripted attacks to those that are
> serious.
> Logs are just full of script kiddies attacks - so much so that you
> can't even see the serious ones.

Yes, you can. Specifically, the technique of collecting authentication information and then opening the firewall works *regardless* of how you collect that authentication: SSL certificates, passwords, or "port knocking".

>> Finally, if you are in sufficient control of the destination system and
>> userbase to require port knocking you can almost certainly just use
>> client-side SSL certificates for authentication.
>
> Yes. You can of course just use basic auth - thehehe. You can use what you
> like. But clearly my requirements were not clear enough, as that would not
> meet the needs.

Well, that is fair. SSL certificates don't, in this case, meet your needs.

>> Those provide zero-knowledge proof of possession over the Internet without
>> *any* reasonable risk of attack.
>
> The security experts seem to disagree.

Ah. I thought you were going to post links to disagree with the claim that SSL is reasonably secure.

> Indeed, if all you say is true, we can throw away iptables and firewalls :-)

That certainly isn't my argument, and I am vaguely surprised you found anything to support a belief that it was in what I wrote. :)

[...]

> In the end adding a layer of security can not be "the same" as not adding
> that layer. My need here is to provide the same established security of
> knockd to web services via proxies.

My contention, for what it is worth, is that you gain as much security using a more common method such as SSH or SSL secured HTTP to perform the same authentication collection as the knock service.
Regards,
    Daniel

Footnotes:
[1] http://www.openbsd.org/faq/pf/authpf.html

From scottp at dd.com.au Tue Jun 2 03:38:27 2009
From: scottp at dd.com.au (Scott Penrose)
Date: Tue, 2 Jun 2009 20:38:27 +1000
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: <87ljob54em.fsf@rimspace.net>
References: <87ljob54em.fsf@rimspace.net>
Message-ID:

On 02/06/2009, at 8:14 PM, Daniel Pittman wrote:

All what you wrote above (removed) is reasonable. I only differ very slightly in opinion, not enough to worry about :-)

>> The security experts seem to disagree.
>
> Ah. I thought you were going to post links to disagree with the
> claim that SSL is reasonable secure.

Oh no. Sorry I didn't mean to imply any one way or the other about SSL security. In fact in a different circumstance (e.g. an admin web interface for a company) I would be using certificates as auth.

>> Indeed, if all you say is true, we can throw away iptables and
>> firewalls :-)
>
> That certainly isn't my argument, and I am vaguely surprised you found
> anything to support a belief that it was in what I wrote. :)

Quite right, I was going a little overboard to make a point. What I had missed from your previous post, sorry, was that you were using an SSL certificate to then open a firewall port (e.g. to SSH). My personal conclusion, after reading what a number of experts have to say, is that it is not as safe as having no open ports. Having that one service (e.g. an SSL server) makes the machine vulnerable. You did talk in the deleted section about security of knockd - and it does have to run as root, but accepts no user input - so while there is a potential for DoS (although very small compared to any socket interface), it is not likely to have any other hole. Of course... famous last words :-)

> My contention, for what it is worth, is that you gain as much
> security using a more common method such as SSH or SSL secured HTTP to
> perform the same authentication collection as the knock service.

Thanks Daniel.
I am afraid I still want to block all open ports with iptables, so no open SSL or SSH connection, plus as I originally mentioned, I am coming in from networks that don't support anything but HTTP via a proxy.

Which leaves me still with a way of "knocking" via a firewall - for which a CGI type solution may work. And because it still then uses secure passwords over SSL I can probably be confident that it is good enough. Which is what security is all about, there is no perfect solution, just tools.

Which comes around full circle back to my original question, which is probably no, has anyone seen an existing script. Yes I can write it easily (and Daniel did too), but I'd like to find someone who has found all those hidden issues I have not yet thought of.

Thanks
Scott

From daniel at rimspace.net Tue Jun 2 05:48:05 2009
From: daniel at rimspace.net (Daniel Pittman)
Date: Tue, 02 Jun 2009 22:48:05 +1000
Subject: [Melbourne-pm] Knockd for Web
In-Reply-To: (Scott Penrose's message of "Tue, 2 Jun 2009 20:38:27 +1000")
References: <87ljob54em.fsf@rimspace.net>
Message-ID: <87d49m6bui.fsf@rimspace.net>

Scott Penrose writes:

> On 02/06/2009, at 8:14 PM, Daniel Pittman wrote:
>
> All what you wrote above (removed) is reasonable. I only differ very
> slightly in opinion, not enough to worry about :-)

*nod*

Also, in case it isn't clear, I don't think that port knocking is useless in terms of security, just that there are simpler solutions that provide the same benefits. In my opinion, of course.

>>> The security experts seem to disagree.
>>
>> Ah. I thought you were going to post links to disagree with the claim that
>> SSL is reasonable secure.
>
> Oh no. Sorry I didn't mean to imply any one way or the other about SSL
> security. In fact in a different circumstance (e.g. an admin web interface
> for a company) I would be using certificates as auth.
*nod*

>>> Indeed, if all you say is true, we can throw away iptables and firewalls
>>> :-)
>>
>> That certainly isn't my argument, and I am vaguely surprised you found
>> anything to support a belief that it was in what I wrote. :)
>
> Quite right, I was going a little over board to make a point. What I had
> missed from your previous post sorry, was that you were using an SSL
> certificate to then open a firewall port (e.g. to SSH). My personal
> conclusion, after reading what a number of experts have to say, is that it
> is not as safe as having no open ports.

*nod* I agree here.

> Having that one service (e.g. an SSL server) makes the machine
> vulnerable. You did talk in the deleted section about security of knockd -
> and it does have to run as root, but accepts no user input - so while there
> is a potential for DoS (although very small in compared to any socket
> interface), it is not likely to have any other hole. Of course... famous
> last words :-)

Ah. The knockd you reference does open a port, however: it opens a raw socket to receive link-layer packets using the same kernel interface that tcpdump and friends do.

Now, you /could/ implement a version of the tool that either used the iptables userspace queue or netlink logging facilities directly, or that parsed an on-disk log, that didn't require an open port[1], but the common implementation is not done that way.

That all transfers the risk to the daemon that handles the link-layer packets, which are untrusted user input. You can argue, probably successfully, that such a daemon has a smaller codebase and, consequently, less risk, and I wouldn't entirely disagree.

>> My contention, for what it is worth, is that you gain as much security
>> using a more common method such as SSH or SSL secured HTTP to perform the
>> same authentication collection as the knock service.
>
> Thanks Daniel.
I am afraid I still want to block all open ports with > iptables, so no open SSL or SSH connection, plus as I originally mentioned, > I am coming in from networks that don't support anything but HTTP via a > proxy. *nod* > Which leaves me still with a way of "knocking" via a firewall - for which a > CGI type solution may work. And because it still then uses secure passwords > over SSL I can probably be confident that it is good enough. Which is what > security is all about, there is no perfect solution, just tools. Absolutely. > Which comes around full circle back to my original question, which is > probably no, has anyone seen an existing script. Yes I can write it easily > (And Daniel did too), but I like to find someone who has found all those > hidden issues I have not yet thought of. I am afraid not. All the dynamic IPTables CGI stuff I know is all about outbound connectivity, not inbound, so isn't really appropriate, and that all does real HTTP anyhow... Regards, Daniel Footnotes: [1] At least, not an Internet facing port. From sam at nipl.net Tue Jun 2 06:24:16 2009 From: sam at nipl.net (Sam Watkins) Date: Tue, 2 Jun 2009 21:24:16 +0800 Subject: [Melbourne-pm] Knockd for Web Message-ID: <20090602132414.GA24466@nipl.net> On Mon, Jun 01, 2009 at 10:03:38PM -0500, scottp at dd.com.au wrote: > http://special.host/1137 > http://special.host/1199 > http://special.hsot/4922 I don't really like the idea of port knocking because anyone who can snoop your network can easily discover what ports or urls you are using. That includes ISPs at both ends and some inbetween, intelligence agencies, colleagues at work, anyone on the same LAN segment, etc. Scott maybe you could do your idea over https? but an https server is heavy machinery. I would much rather "knock" by connecting with ssh or https first and then typing my extra codes there if necessary. I have a patch for sshd on my website which implements "exponential backoff" to prevent brute-force attacks. 
You could also protect it using fail2ban + iptables. People at your ISPs could still pretend to be you after you have knocked by spoofing IP addresses, so it's important of course to use crypto after that too. I guess the advantage of knockd is that you can easily "knock" with a web browser or telnet or whatever you don't need a special client which does crypto. (but ssh/putty is very portable, and you'll most likely be needing it anyway) Sam From scottp at dd.com.au Tue Jun 2 19:57:51 2009 From: scottp at dd.com.au (Scott Penrose) Date: Tue, 2 Jun 2009 21:57:51 -0500 (CDT) Subject: [Melbourne-pm] Knockd for Web In-Reply-To: <20090602132414.GA24466@nipl.net> Message-ID: ----- "Sam Watkins" wrote: > People at your ISPs could still pretend to be you after you have > knocked > by spoofing IP addresses, so it's important of course to use crypto > after that too. Yes, you must have as much security you would normally anyway. For example, an SSH key and no root login is still a good idea. But also, like all security, it is about context and opportunity. If I am in a cafe in Melbourne and port knock on my web site. Yes the cafe, the ISP and my ISP could see that sequence - all very low risk. I am not sure about you guys, but my attacks are not coming from Melbourne ISPs :-) So it still helps. And then of course all I am doing is then opening a port which would otherwise have been open anyway, and still using normal login measures. > I guess the advantage of knockd is that you can easily "knock" with a > web browser or telnet or whatever you don't need a special client > which > does crypto. (but ssh/putty is very portable, and you'll most likely > be > needing it anyway) Yes, so I imagine the scenario that I have my secure key with me (Either SSL key for HTTPs or SSH key) on a key, I download putty, I open my port to the Internet Cafe (just a silly example) - and now I have access to my server. 
Thanks Scott -- http://scott.dd.com.au/ scottp at dd.com.au From toby.corkindale at strategicdata.com.au Tue Jun 2 21:10:49 2009 From: toby.corkindale at strategicdata.com.au (Toby Corkindale) Date: Wed, 03 Jun 2009 14:10:49 +1000 Subject: [Melbourne-pm] Knockd for Web In-Reply-To: References: Message-ID: <4A25F7C9.5010304@strategicdata.com.au> Scott Penrose wrote: > ----- "Sam Watkins" wrote: > >> People at your ISPs could still pretend to be you after you have >> knocked >> by spoofing IP addresses, so it's important of course to use crypto >> after that too. > > Yes, you must have as much security you would normally anyway. > For example, an SSH key and no root login is still a good idea. > > But also, like all security, it is about context and opportunity. If I am in a cafe in Melbourne and port knock on my web site. Yes the cafe, the ISP and my ISP could see that sequence - all very low risk. I am not sure about you guys, but my attacks are not coming from Melbourne ISPs :-) So it still helps. And then of course all I am doing is then opening a port which would otherwise have been open anyway, and still using normal login measures. > >> I guess the advantage of knockd is that you can easily "knock" with a >> web browser or telnet or whatever you don't need a special client >> which >> does crypto. (but ssh/putty is very portable, and you'll most likely >> be >> needing it anyway) > > Yes, so I imagine the scenario that I have my secure key with me (Either SSL key for HTTPs or SSH key) on a key, I download putty, I open my port to the Internet Cafe (just a silly example) - and now I have access to my server. So... How does the port knocking /stop/ such attackers? I mean, you seem to be assuming that your attackers can bypass your existing authentication mechanisms on ssh. If they can do that, then surely they will find it absolutely trivial to capture a few packets indicating which ports to knock upon too? 
I can't help but feel that your time would be more effectively spent in other ways to increase your security - eg. Auditing your CGI scripts, keeping track of new exploits, carrying hardcopies of server cert fingerprints, automated warnings about suspicious activity, seLinux, appArmour, honeypots, tripwires, and god knows what else that more paranoid people than I can recommend.. and only worrying about your security-through-obscurity once you've exhausted the mountain of security-through-security methods available ;)

From scottp at dd.com.au Tue Jun 2 21:26:27 2009 From: scottp at dd.com.au (Scott Penrose) Date: Tue, 2 Jun 2009 23:26:27 -0500 (CDT) Subject: [Melbourne-pm] Knockd for Web In-Reply-To: <4A25F7C9.5010304@strategicdata.com.au> Message-ID: Hi Toby, We are getting off topic here, but ... ----- "Toby Corkindale" wrote: > So... > How does the port knocking /stop/ such attackers? I mean, you seem to > be > assuming that your attackers can bypass your existing authentication > mechanisms on ssh. If they can do that, then surely they will find it > absolutely trivial to capture a few packets indicating which ports to > knock upon too? > > I can't help but feel that your time would be more effectively spent > in > other ways to increase your security - eg. Auditing your CGI scripts, > keeping track of new exploits, carrying hardcopies of server cert > fingerprints, automated warnings about suspicious activity, seLinux, > appArmour, honeypots, tripwires, and god knows what else that more > paranoid people than I can recommend.. and only worrying about your > security-through-obscurity once you've exhausted the mountain of > security-through-security methods available ;) I am only replying to this one to say that I won't even try to explain. I was asking here a Perl CGI question, in case someone knew an answer. This is not really the place to describe security. All I can tell you is - look it up on the net.
You will find hundreds of articles, from experts, explaining why knockd adds security/convenience/(add your reason here). You can even find articles that say it does not add anything. You are welcome to then decide why it does or does not add your desired feature. My request and email was not IF I should do something, or asking for a debate on security, but just a question in case someone already had written a CGI equivalent. No one has answered my question so I will assume no one has heard of one. But for me to try and tell you here would be a waste because: a) There are heaps of articles on the net about it already; b) I am not as expert as they are. Sometimes I think we need a way to change topics better on email threads. E.g. we are now having conversations on the security (or not) of adding knockd - which was not my request, and the thread gets very confused :-) Thanks for all your time though, I appreciate the efforts. Scott -- http://scott.dd.com.au/ scottp at dd.com.au

From simon at unisolve.com.au Tue Jun 2 21:31:05 2009 From: simon at unisolve.com.au (Simon Taylor) Date: Wed, 03 Jun 2009 14:31:05 +1000 Subject: [Melbourne-pm] Knockd for Web In-Reply-To: <4A25F7C9.5010304@strategicdata.com.au> References: <4A25F7C9.5010304@strategicdata.com.au> Message-ID: <4A25FC89.6090801@unisolve.com.au> Hello all, > Scott Penrose wrote: >> ----- "Sam Watkins" wrote: >> >>> People at your ISPs could still pretend to be you after you have >>> knocked >>> by spoofing IP addresses, so it's important of course to use crypto >>> after that too. >> >> Yes, you must have as much security you would normally anyway. >> For example, an SSH key and no root login is still a good idea. >> >> But also, like all security, it is about context and opportunity. If >> I am in a cafe in Melbourne and port knock on my web site. Yes the >> cafe, the ISP and my ISP could see that sequence - all very low risk.
>> I am not sure about you guys, but my attacks are not coming from >> Melbourne ISPs :-) So it still helps. And then of course all I am >> doing is then opening a port which would otherwise have been open >> anyway, and still using normal login measures. >> >>> I guess the advantage of knockd is that you can easily "knock" with a >>> web browser or telnet or whatever you don't need a special client >>> which >>> does crypto. (but ssh/putty is very portable, and you'll most likely >>> be >>> needing it anyway) >> >> Yes, so I imagine the scenario that I have my secure key with me >> (Either SSL key for HTTPs or SSH key) on a key, I download putty, I >> open my port to the Internet Cafe (just a silly example) - and now I >> have access to my server. > > So... > How does the port knocking /stop/ such attackers? I mean, you seem to > be assuming that your attackers can bypass your existing > authentication mechanisms on ssh. If they can do that, then surely > they will find it absolutely trivial to capture a few packets > indicating which ports to knock upon too? > > I can't help but feel that your time would be more effectively spent > in other ways to increase your security - eg. Auditing your CGI > scripts, keeping track of new exploits, carrying hardcopies of server > cert fingerprints, automated warnings about suspicious activity, > seLinux, appArmour, honeypots, tripwires, and god knows what else that > more paranoid people than I can recommend.. and only worrying about > your security-through-obscurity once you've exhausted the mountain of > security-through-security methods available ;) Using knockd is emphatically not security through obscurity. As Scott has said, all of your normal security infrastructure remains in place. In our uses of it, we routinely have HID systems like psad and ossec running on public servers and these do a great job of reporting on suspicious traffic. 
But it is knockd that dramatically reduces the attention you get from black hats and allows the often time-poor, overworked sys admin in an organisation to focus on the attacks that remain. Cheers, Simon From scottp at dd.com.au Tue Jun 2 21:36:47 2009 From: scottp at dd.com.au (Scott Penrose) Date: Tue, 2 Jun 2009 23:36:47 -0500 (CDT) Subject: [Melbourne-pm] Knockd for Web In-Reply-To: <4A25FC89.6090801@unisolve.com.au> Message-ID: ----- "Simon Taylor" wrote: > Using knockd is emphatically not security through obscurity. As Scott > has said, all of your normal security infrastructure remains in > place. > > In our uses of it, we routinely have HID systems like psad and ossec > running on public servers and these do a great job of reporting on > suspicious traffic. > > But it is knockd that dramatically reduces the attention you get from > black hats and allows the often time-poor, overworked sys admin in an > organisation to focus on the attacks that remain. > > Cheers, > Simon Yes, well written. I have been trying to put into words what you have done here well. Scott -- http://scott.dd.com.au/ scottp at dd.com.au From daniel at rimspace.net Tue Jun 2 21:55:17 2009 From: daniel at rimspace.net (Daniel Pittman) Date: Wed, 03 Jun 2009 14:55:17 +1000 Subject: [Melbourne-pm] Knockd for Web In-Reply-To: (Scott Penrose's message of "Tue, 2 Jun 2009 23:36:47 -0500 (CDT)") Message-ID: <87vdnd3oi2.fsf@rimspace.net> Scott Penrose writes: > ----- "Simon Taylor" wrote: > >> Using knockd is emphatically not security through obscurity. As Scott has >> said, all of your normal security infrastructure remains in place. Even regardless of the rest of the security infrastructure, using a single service to authenticate a user (or IP address) and grant access to other services is a security feature. knockd is certainly an example of this sort of strategy, just like the traditional "SSH and port forward" or "VPN in" approaches. 
>> In our uses of it, we routinely have HID systems like psad and ossec >> running on public servers and these do a great job of reporting on >> suspicious traffic. >> >> But it is knockd that dramatically reduces the attention you get from black >> hats and allows the often time-poor, overworked sys admin in an >> organisation to focus on the attacks that remain. *nod* If you can reduce the number of public services using knockd, or any other "authenticate before access" service, then you will probably improve your life. Regards, Daniel From jarich at perltraining.com.au Mon Jun 8 18:17:41 2009 From: jarich at perltraining.com.au (Jacinta Richardson) Date: Tue, 09 Jun 2009 11:17:41 +1000 Subject: [Melbourne-pm] social sesssion and some plans for the future Message-ID: <4A2DB835.9020507@perltraining.com.au> G'day folk, Sorry about the late notice, but this is a reminder that we have a Perl Mongers meeting tomorrow night. Usual time, usual place. I'll try to give a quick overview of what I think you need to put in an abstract to make your talk more likely to be accepted; and we should also do a bunch of introductions, because it's been a while since we've done that. I also want to propose that we consider running some bug fixing sessions maybe every few months or so, where as many of us as possible bring along a laptop and we work in teams to see if we can fix any bugs from the top 100 failing Perl modules. I'll explain this further tomorrow night. See you there! J From ben at benbalbo.com Mon Jun 8 18:58:39 2009 From: ben at benbalbo.com (Ben Balbo) Date: Tue, 09 Jun 2009 11:58:39 +1000 Subject: [Melbourne-pm] Slideshow Karaoke Group Message-ID: <4A2DC1CF.7060906@benbalbo.com> I was talking to some fine folks last week about the phenomenon that is slideshow karaoke and thought it would be an awesome way to foster personal growth while having fun at the same time. 
For those of you that haven't heard the phrase, slideshow karaoke is like a cross between lightning talks and toast masters. You are given a random, short presentation and have to present the contents to the audience without preparation or a preview of the slides. Most of the time you will know nothing of the subject matter and will need to think on your feet. Most people don't like the idea of presenting and, in my experience, the worst part is the feeling that you'll get something wrong and look like a fool. With slideshow karaoke, the likelihood is that you'll always be wrong and everyone will be expecting you to get flustered and tongue tied. So with this in mind, I want to start a slideshow karaoke group in Melbourne. The rules are: * all attendees have to give at least one presentation * those with the least presentations under their belt go first * all attendees have to critique a presentation and offer positive feedback and suggestions. From posture to missed opportunities for a good pun, nothing is off limits so long as it's positive. * all presenters must accept feedback professionally and not be offended - you're here to grow and improve your presentation skills, not to defend your existing methods. Anyone who is interested in joining this group is invited to join the mailing list at http://groups.google.com/group/slideshow-karaoke-melbourne Once there are enough members to make this group worthwhile, we'll work out a venue and time. Yours in palpitative anticipation, Ben -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 257 bytes Desc: OpenPGP digital signature URL:

From scottp at dd.com.au Mon Jun 8 21:04:31 2009 From: scottp at dd.com.au (scottp at dd.com.au) Date: Mon, 8 Jun 2009 23:04:31 -0500 (CDT) Subject: [Melbourne-pm] DBI don't start transaction In-Reply-To: <1174618154.371911244520084280.JavaMail.root@mail-4.01.com> Message-ID: Hey Guys I have a basic database ($dbh) like this: my $dbh = DBI->connect("dbi:SQLite:dbname=list.db", "", "", { RaiseError => 1, AutoCommit => 0 }); I want to do an SQLite attach, which requires no transaction. But DBI automatically does a begin on a do or prepare if no begin was run. I can reconnect to the database with AutoCommit => 1, do the attach, disconnect, reconnect with AutoCommit => 0, but that is a slow process. Example of the error: $dbh->do('ATTACH DATABASE "/path/to/other.db" as other'); error = "cannot ATTACH database within transaction(1) at dbdimp.c line 403 ..." Does anyone know how I can do a "do" without a begin if AutoCommit is off? Ta Scott -- http://scott.dd.com.au/ scottp at dd.com.au -------------- next part -------------- An HTML attachment was scrubbed... URL:

From toby.corkindale at strategicdata.com.au Mon Jun 8 21:27:08 2009 From: toby.corkindale at strategicdata.com.au (Toby Corkindale) Date: Tue, 09 Jun 2009 14:27:08 +1000 Subject: [Melbourne-pm] DBI don't start transaction In-Reply-To: References: Message-ID: <4A2DE49C.6070709@strategicdata.com.au> scottp at dd.com.au wrote: > Hey Guys > > I have a basic database ($dbh) like this: > > my $dbh = DBI->connect("dbi:SQLite:dbname=list.db", "", "", { > RaiseError => 1, AutoCommit => 0 }); > > I want to do an SQLite attach, which requires no transaction. But DBI > automatically does a begin on a do or prepare if no begin was run. I can > reconnect to the database with AutoCommit => 1, do the attach, > disconnect, reconnect with AutoCommit => 0, but that is a slow process.
> > Example of the error: > $dbh->do('ATTACH DATABASE "/path/to/other.db" as other'); > error = "cannot ATTACH database within transaction(1) at dbdimp.c line > 403 ..." > > Does anyone know how I can do a "do" without a begin if AutoCommit is off? Would this help? { local $dbh->{AutoCommit} = 1; $dbh->do('ATTACH DATABASE xxx.db'); } -Toby From scottp at dd.com.au Mon Jun 8 23:18:39 2009 From: scottp at dd.com.au (Scott Penrose) Date: Tue, 9 Jun 2009 01:18:39 -0500 (CDT) Subject: [Melbourne-pm] DBI don't start transaction In-Reply-To: <4A2DE49C.6070709@strategicdata.com.au> Message-ID: ----- "Toby Corkindale" wrote: > Would this help? > { > local $dbh->{AutoCommit} = 1; > $dbh->do('ATTACH DATABASE xxx.db'); > } Thanks Toby, that has worked perfectly. I don't trust it to be portable or future proof, as you can never tell how the DBD implements when that variable is read, but it works now and I have made sure I put tests in to pick up any issue in the future. Ta Scott -- http://scott.dd.com.au/ scottp at dd.com.au From pjf at perltraining.com.au Tue Jun 9 23:37:24 2009 From: pjf at perltraining.com.au (Paul Fenwick) Date: Wed, 10 Jun 2009 16:37:24 +1000 Subject: [Melbourne-pm] Reminder: Meeting TONIGHT at 6:30pm Message-ID: <4A2F54A4.5020600@perltraining.com.au> Reminder! Perl Mongers is tonight! When: Wednesday, 8th April 2009, 6:30pm Where: Remasys Pty Ltd Level 1 180 Flinders St MELBOURNE VIC 3121 What: Jacinta Richardson: How to get your conference talk accepted. Jacinta Richardson: The CPAN Top 100 Fail Social! 
Introductions, meet, greet and talk Cheerio, Paul -- Paul Fenwick | http://perltraining.com.au/ Director of Training | Ph: +61 3 9354 6001 Perl Training Australia | Fax: +61 3 9354 2681 From toby.corkindale at strategicdata.com.au Wed Jun 10 01:24:46 2009 From: toby.corkindale at strategicdata.com.au (Toby Corkindale) Date: Wed, 10 Jun 2009 18:24:46 +1000 Subject: [Melbourne-pm] Reminder: Meeting TONIGHT at 6:30pm In-Reply-To: <4A2F54A4.5020600@perltraining.com.au> References: <4A2F54A4.5020600@perltraining.com.au> Message-ID: <4A2F6DCE.3080203@strategicdata.com.au> Apologies all, I'll be along rather late tonight. Paul Fenwick wrote: > Reminder! Perl Mongers is tonight! > > When: Wednesday, 8th April 2009, 6:30pm > > Where: Remasys Pty Ltd > Level 1 > 180 Flinders St > MELBOURNE VIC 3121 > > What: Jacinta Richardson: How to get your conference talk accepted. > Jacinta Richardson: The CPAN Top 100 Fail > Social! Introductions, meet, greet and talk > > Cheerio, > > Paul > -- Strategic Data Pty Ltd Ph: 03 9340 9000 From mathew.robertson at netratings.com.au Wed Jun 10 16:46:26 2009 From: mathew.robertson at netratings.com.au (Mathew Robertson) Date: Thu, 11 Jun 2009 09:46:26 +1000 Subject: [Melbourne-pm] Reminder: Meeting TONIGHT at 6:30pm In-Reply-To: <4A2F54A4.5020600@perltraining.com.au> References: <4A2F54A4.5020600@perltraining.com.au> Message-ID: <4A3045D2.9010309@netratings.com.au> I didn't get to this... :( But I'm interested to find out the Top100... :) is there a link? Mathew Robertson -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From jarich at perltraining.com.au Wed Jun 10 19:20:30 2009 From: jarich at perltraining.com.au (Jacinta Richardson) Date: Thu, 11 Jun 2009 12:20:30 +1000 Subject: [Melbourne-pm] Reminder: Meeting TONIGHT at 6:30pm In-Reply-To: <4A3045D2.9010309@netratings.com.au> References: <4A2F54A4.5020600@perltraining.com.au> <4A3045D2.9010309@netratings.com.au> Message-ID: <4A3069EE.90607@perltraining.com.au> Mathew Robertson wrote: > I didn't get to this... :( > > But I'm interested to find out the Top100... :) is there a link? There are a few top 100 lists all visible at: http://ali.as/top100/index.html The ones we were talking about were the Top 100 FAIL. J -- ("`-''-/").___..--''"`-._ | Jacinta Richardson | `6_ 6 ) `-. ( ).`-.__.`) | Perl Training Australia | (_Y_.)' ._ ) `._ `. ``-..-' | +61 3 9354 6001 | _..`--'_..-_/ /--'_.' ,' | contact at perltraining.com.au | (il),-'' (li),' ((!.-' | www.perltraining.com.au | From jarich at perltraining.com.au Thu Jun 11 18:04:35 2009 From: jarich at perltraining.com.au (Jacinta Richardson) Date: Fri, 12 Jun 2009 11:04:35 +1000 Subject: [Melbourne-pm] Looking for a job? Message-ID: <4A31A9A3.7030502@perltraining.com.au> G'day folk, SearchWorld (subsidiary of Webfirm Group) are looking for a full-time "Perl programmer" and have asked me for any suggestions. They're based in South Melbourne. I don't have much more information than that, but if you're looking for something, or just want to know what's out there, I'd be happy to connect you. J -- ("`-''-/").___..--''"`-._ | Jacinta Richardson | `6_ 6 ) `-. ( ).`-.__.`) | Perl Training Australia | (_Y_.)' ._ ) `._ `. ``-..-' | +61 3 9354 6001 | _..`--'_..-_/ /--'_.' ,' | contact at perltraining.com.au | (il),-'' (li),' ((!.-' | www.perltraining.com.au | From pat at patspam.com Thu Jun 11 21:43:35 2009 From: pat at patspam.com (Patrick Donelan) Date: Fri, 12 Jun 2009 14:43:35 +1000 Subject: [Melbourne-pm] Looking for a job? 
In-Reply-To: <4A31A9A3.7030502@perltraining.com.au> References: <4A31A9A3.7030502@perltraining.com.au> Message-ID: <42321ee20906112143s59bf081cqcc323377403d1895@mail.gmail.com> On a similar note, if anyone is looking for web-related Perl work, we'll seriously consider contracting/employing anyone who demonstrates their ability by contributing to the open source WebGUI project. Jump in and fix a bug , implement an RFE, etc... and then ping me on #webgui or speak to me in person at the next Perl Mongers meeting. Cheers, Patrick On Fri, Jun 12, 2009 at 11:04 AM, Jacinta Richardson < jarich at perltraining.com.au> wrote: > G'day folk, > > SearchWorld (subsidiary of Webfirm Group) are looking for a full-time "Perl > programmer" and have asked me for any suggestions. They're based in South > Melbourne. I don't have much more information than that, but if you're > looking > for something, or just want to know what's out there, I'd be happy to > connect you. > > J > > -- > ("`-''-/").___..--''"`-._ | Jacinta Richardson | > `6_ 6 ) `-. ( ).`-.__.`) | Perl Training Australia | > (_Y_.)' ._ ) `._ `. ``-..-' | +61 3 9354 6001 | > _..`--'_..-_/ /--'_.' ,' | contact at perltraining.com.au | > (il),-'' (li),' ((!.-' | www.perltraining.com.au | > _______________________________________________ > Melbourne-pm mailing list > Melbourne-pm at pm.org > http://mail.pm.org/mailman/listinfo/melbourne-pm > -------------- next part -------------- An HTML attachment was scrubbed... URL: From stephen at sydney.pm.org Tue Jun 16 04:08:43 2009 From: stephen at sydney.pm.org (Stephen Steneker) Date: Tue, 16 Jun 2009 21:08:43 +1000 Subject: [Melbourne-pm] REMINDER: OSDC 2009 Call for Papers closes end of June Message-ID: <8C5471D0-9CF5-4C85-A243-8E99E1D2D4D7@sydney.pm.org> Hi all, This is a reminder that the deadline for the call for papers for OSDC 2009 is coming up soon. 
All that is required before the first deadline of 30th June is a 200 word summary of your talk emailed to papers at osdc.com.au - full details are available on the website. I would like to invite you to submit a paper and do a talk at our conference. This conference is a grassroots style conference designed by developers for developers. We're planning to cover Perl, Python, Ruby, PHP and Open Source operating systems. If you'd like us to cover something else as well that is Open Source themed, please feel free. The Call for Papers can be found at: http://2009.osdc.com.au/call-for-papers The important dates are: Call for Papers Closes 30 June, 2009 Proposal acceptance 20 July, 2009 Accepted paper submissions 14 September, 2009 OSDC 2009 Main Conference! 25th to 27th November, 2009 OSDC 2009 will be held at the Bardon Conference Center in Brisbane this year. This is a fantastic venue a short drive from the Brisbane CBD, totally surrounded by lush greenery. Cheers, Stephen From jarich at perltraining.com.au Thu Jun 25 22:01:07 2009 From: jarich at perltraining.com.au (Jacinta Richardson) Date: Fri, 26 Jun 2009 15:01:07 +1000 Subject: [Melbourne-pm] 4 days left until OSDC CFP closes (30th June) Message-ID: <4A445613.5060808@perltraining.com.au> G'day folk, Last year there was a terribly low number of Perl-related talks submitted to OSDC. Less than 20, I think, and probably barely more than 10 distinct speakers. Considering that us Perl folk started this conference, this was a shock! Don't let it happen again! Submit your talk idea now and come up and visit sunny Brisbane. Speakers get free entry, a seat at the conference dinner, and praise and adoration from the wonderful attendees (actual results may vary). This year the submission process is easy. Just send your awesome proposal idea to papers at osdc.com.au. For more details read the CFP first at http://2009.osdc.com.au/call-for-papers They only need 200 words (plus some stuff about you), so don't delay! 
Let's give the papers committee some great Perl content! All the best, Jacinta -- ("`-''-/").___..--''"`-._ | Jacinta Richardson | `6_ 6 ) `-. ( ).`-.__.`) | Perl Training Australia | (_Y_.)' ._ ) `._ `. ``-..-' | +61 3 9354 6001 | _..`--'_..-_/ /--'_.' ,' | contact at perltraining.com.au | (il),-'' (li),' ((!.-' | www.perltraining.com.au |
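
Returning to the "Knockd for Web" thread above: nobody on the list had seen a CGI equivalent of knockd, so here is one as an added example. It is not code from the thread, from knockd, or from any of the posters. It assumes Apache hands the script the knock token in PATH_INFO (e.g. ScriptAlias /knock to this script, so http://special.host/knock/1137 arrives as PATH_INFO "/1137"), that the CGI user may run the single iptables command below via sudo, and that /var/lib/webknock exists and is writable by that user only. The token sequence, time window and command are placeholder values.

```perl
#!/usr/bin/perl
# webknock.cgi - "knockd over HTTP": the right sequence of URLs from one
# client IP, in order and inside a time window, opens a firewall port for
# that IP. Added example for the thread above; not code from knockd or the list.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);

# --- configuration: all placeholder values ---
my @SEQUENCE  = qw(1137 1199 4922);   # knock tokens, in order
my $WINDOW    = 30;                   # seconds allowed for the whole sequence
my $STATE_DIR = '/var/lib/webknock';  # writable by the CGI user and nobody else
# Command run on success; the client IP is appended as the final argument.
# The CGI user needs a sudoers entry for exactly this command (assumed).
my @ACTION = qw(/usr/bin/sudo /sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT -s);

# Every response is the same 500, hit or miss, so a scanner learns nothing.
sub respond_500 {
    print "Status: 500 Internal Server Error\r\n",
          "Content-Type: text/plain\r\n\r\n",
          "Internal Server Error\n";
    exit 0;
}

# REMOTE_ADDR is the proxy's address if a proxy sits in front of Apache;
# only trust X-Forwarded-For if your own front end sets it.
my $ip = $ENV{REMOTE_ADDR} // '';
# The IP is used in a file name and a command line, so it must be a strict
# dotted-quad IPv4 literal and nothing else.
respond_500() unless $ip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/
                 && !grep { $_ > 255 } split /\./, $ip;

# The knock token is the single path component after the script name.
my ($token) = ($ENV{PATH_INFO} // '') =~ m{\A/([A-Za-z0-9_-]{1,32})\z};
respond_500() unless defined $token;

# Per-IP state file holds "<steps matched> <time of first knock>"; taken
# under an exclusive lock so concurrent requests from one IP cannot race.
my $state = "$STATE_DIR/$ip";
sysopen my $fh, $state, O_RDWR | O_CREAT, 0600 or respond_500();
flock $fh, LOCK_EX or respond_500();

my ($pos, $start) = (0, 0);
my $line = <$fh>;
($pos, $start) = ($1, $2) if defined $line && $line =~ /\A(\d+) (\d+)/;

my $now = time;
# Start over if the stored step is stale or the window has expired.
$pos = 0 if $pos >= @SEQUENCE || ($pos && $now - $start > $WINDOW);

if ($token eq $SEQUENCE[$pos]) {
    $start = $now if $pos == 0;
    $pos++;
} elsif ($token eq $SEQUENCE[0]) {
    ($pos, $start) = (1, $now);   # a miss, but also a fresh first knock
} else {
    $pos = 0;                     # any other miss resets the sequence
}

if ($pos == @SEQUENCE) {
    # List-form system(): no shell, so nothing to quote or inject.
    system(@ACTION, $ip) == 0
        or warn "webknock: action failed for $ip: $?\n";
    $pos = 0;
}

seek $fh, 0, 0;
truncate $fh, 0;
print $fh "$pos $start\n";
close $fh;
respond_500();
```

Two practical notes. The rule this inserts never expires, so pair it with a second "close" sequence or a cron job that removes it, the way knockd's close sequence or cmd_timeout does. And, as Sam pointed out in the thread, the tokens travel in clear unless the knock server is on HTTPS, and even then they are replayable by anyone who saw them: this hides the SSH port from scanners, it does not authenticate anyone, so the usual key-only SSH login still has to be there behind it.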