Berkeley CSUA MOTD:1999:March:10 Wednesday <Tuesday, Thursday>
Berkeley CSUA MOTD
1999/3/10 [Uncategorized] UID:15572 Activity:nil
3/9     Shit.
        \_ Bad hair day?
1999/3/10-11 [Transportation/Car, Recreation/Computer/Games] UID:15573 Activity:nil
3/9     If you know of regular, scheduled Ultimate frisbee games (pickup or
        practice, I don't care), please email me.  --sowings
        \_ Kleeberger field on thursdays at midnight.  --sly
1999/3/10-11 [Computer/SW/Security] UID:15574 Activity:very high
3/9     Given all the network sniffing that goes on, how about turning off
        telnet and rlogin on soda and force everybody to use ssh?  I think
        the cost of dealing with ssh problems outweighs the consequences of
        a break-in.  What do you guys think?
        \_ no ssh installed on UCB dialup CLI connections
           \_ I honestly have to wonder how many people still use CLI
              from the annexen.  --sowings
              \_ All the lazy people who don't want to bother to setup ppp.
        \_ Discriminates against our non-US-citizen members who we legally
           aren't allowed to let use ssh/sshd.  (Stupid US goverment fucknuts)
           \_ don't want to make fun of the US govt. They might
              be watching the motd and consficate soda.
           \_ You're wrong; the most popular implementations of SSH for all
              major platforms (Windows/Mac/Unix) are developed and sold
              outside of the US.  The US is starting to lag, not lead, in
              crypto software, because of crypto export laws.
                \_ So.  That has nothing to do with the CSUA violating the
                   law everytime it allows a non-citizen to use encryption
                   software - even if they downloaded ssh on their own, it's
                   useless without the sshd software running on soda.
           \_ I know of a supercomputer center run by the government and
              foreign users connecting to that system MUST use ssh.
              If it's OK for them, it's probably OK for soda.  --peterM
        \_ There is no free SSH client for Windoze, to my knowledge
           \_ --dim
           \_ F-Secure SSH seems to be free as well.
                \_ only for 30 day trial
           \_ Then you should look at
                and learn much...
        \_ who cares?
                my ssh key into an sshd on a machine run my people i dont
                \-I think this is an insane idea. I dont want to type
                my ssh key into an sshd on a machine run by people i dont
                know and i dont trust ... and I would rather not set up a
                "low security" ssh key in addition to my regular one.
                given all the network sniffing that goes on, use rhosts
                and dont trust soda on machines you care about.
                What are you going to do about the XDM machines?
                I disagree with your cost-benefit analysis. The cost of a
                compromised passwd isnt that high. The cost of a compromised
                ssh key is high. For one thing, the hacker can hide from IDS
                systems. I wont go on any more. It was reasonable to float
                this balloon, but crazy to jump on it. --partha "i watch the
                net" banerjee
                \_ you never ever type your ssh-passphrase to
                   a remote process.  the remote sshd, when you use
                   RSAAuthentication, provides you a challenge to which you
                   respond.  That response is the equivalent  of doing an
                   RSA encrypt with your private key which the remote
                   sshd tries to decrypt with the public key you deposited
                   on the remote host earlier.  If what the remote sshd
                   obtained by decrypting your response  with your public
                   key and and the original challenge coincide, then you
                   are authenticated.  Of course, if you do not trust
                   RSA, and think someone may use your public key to obtain
                   your private key and the pass prase you use to further
                   protect it against local machine attacks, thats another
                   story. --jon
                \_ Oh great psb, please sniff my network in a sexual way.
                                -psb #1 fan
                   \_ Poser.   The real -psb #1 Fan
                \_ Uh, partha, you do realize that you don't need to use
                   RSA authentication to still get most of the benefits
                   of ssh.
                        \- yes but realistically you see more trojaned
                        clients and daemons than seq number or spoof attacks.
                        my point was this imposes a reasonable cost for people
                        who log in from a lot of different machines.
                        \_ It would be pretty obvious if you had logged into
                           a trojaned sshd server. In addition to the server
                           authenticating you the client also authenticates
                           the server and spews a nasty message if the
                           authentication fails.
                        \_ What do seq number or spoof attacks matter?  The
                           attacks we see daily on campus are packet sniffers.
                           ssh eliminates the threat of packet sniffing
                           script kiddies, whether or not you use RSA
                           authentication.  -tom
                           \_ I think he is saying that he believes one is
                              better off using rlogin and .rhosts as
                              attacks spoofing a connection from a
                              trusted host or attempting to hijack your
                              connection are rarer than trojan attacks.
                  \_ Do you passively sniff traffic or do you run the IDS
                  on a gateway and dynamically block packets?  If you are
                  just passively watching the traffic, until TCP/IP
                  stacks are standardized, your IDS can be circumvented 7
                  ways to sunday.  Its so easy to inject packets that will put
                  the IDS and the target host's stack in inconsistant states.
                  How do you deal with something as simple as TTL?  --sky "i
                  0wn j0r n3t w1th my 31337++ hAx0r sk1LLz" king
                        \-the TTL problems is in fact tricky and really
                basically intractible. i think we are cleverer than you
                think. i cant discuss exactly what we do, but if you have
                some attack based on ttls ot fragmentation or whatever,
                anything stealthy, as opposed to a flood/DoS, we would be
                interested in talking to you to see if you can evade our
                monitor. the commercial monitor cos are just interested in
                profit maximizing ... so if it would take a huge effort
                to fix something and lacking that one thing isnt hurting
                their sales much, then they wont fix it/ for example a major
                IDS which will remain nameless only keeps 3minutes of "state",
                which means if you just control-z a connection for 3min, you
                have probably evaded the monitor. anyway, if you are serious
                drop us a note. i am not going to publicly comment on the
                non-passive part of the monitoring. --psb
                \_ Yeah.  We have a whole library of scripts written
                   in a custom language for sending and receiving raw
                   net traffic that we use for OS fingerprinting,
                   firewall penetration testing, and IDS circumvention.
                   We have a collection of scripts whose purpose is to
                   exploit descripencies in stack implementation so that
                   the IDS and the target systems state become disjoint,
                   allowing us to insert evil data w/o the IDS detecting it.
                   It would be interesting to see how BRO handles under
                   these conditions.  --sky
                \_ "non-passive": guys in full-length black Kevlar suits
                   with BIG GUNS
                        \that's "big *fucking* guns" to you. --psb
                \_ Um, this whole conversation has me completely lost.
                   Any sources to strengthen my security/network fu?
        \_ How about just forcing telnetd/rlogind users to use one-time
           passwords until they can be elite enuf to use some kind of encrypted
           login system?
                \_Is using ssh w/o sshd a waste of time?
                  \_ sshd is the server; ssh is the client.. they're pretty
                     useless without each other.  You probably meant
                     "w/o ssh-agent" And no, ssh is still useful without
                     ssh-agent, whatever psb might think about the impossiblity
                     of ssh password authentication --dbushong
                        \-i dont even know what "the impossibility of ssh
                        passwd authentication means". the only think i said
                        was close if not actually impossible was for a passive
                        monitor upstream from a destination host to replicate
                        the stream it would see if it were in a different
                        point in "net space". aka "the TTL attack". --psb
                  \_ some silly places have ssh set up to automatically call
                     rlogin when the target host is not running sshd.  this
                     is a completely useless way to run ssh, and might
                     screw you one day when you're tired and not noticing that
                     this time your connection is not encrypted.
                     \_ You implied in your original post that you need to
                        generate an ssh key in order to use ssh, which is not
                        true.  --dbushong
                        \-BTW, is anyone familiar with the stuff at
                        <DEAD><DEAD>? --psb
                        \_ Yes.  mconst was thinking of patching it into
                           ssh one of these days.  --dbushong
1999/3/10 [Recreation/Food, Academia/Berkeley/CSUA] UID:15575 Activity:nil
3/9     At the CSUA meeting tonight, SoftTouch has ponied up for
        a slew of Little Chicago Pizza.  Come one, come all. -jones
1999/3/10-11 [Computer/SW/OS/Windows, Recreation/Dating] UID:15576 Activity:high
3/9     Did anyone see 'Triumph of the Nerds' on pbs? Apparently the enitre
        Microsoft thing was a fluke in history because a Digital employee's wife
        told IBM to screw off.
        \_ It's also interesting to note that Micrsoft didn't write the core
           of MSDOS.  They just bought QDOS from a local software company
           and adapted it to look and behave like CP/M.
        \_ that wasn't just any person, it was Gary Kildall, writer of CP/M
           it goes to show don't marry the wrong person!
           \_ Those of you who are interested might want to talk to my
              old boss.  She's Kathy Strutynski, co-author of CP/M and
              Digital Reasearch's (not DEC) 5th employee.  She has an
              interesting perspective on most of the people shown in the show.
1999/3/10-11 [Reference/BayArea, Academia/Berkeley] UID:15577 Activity:high
3/9     Red Darwf Season 8 aired this past Sunday. Is KTEH airing the
        season again? Thanks --marc

3/\d+   BIKE PARADE FRIDAY!!!  As reported at Berkeley City Council
        last night, the Berkeley Bike Parade will be celebrating its
        SIXTH BIRTHDAY.  Party to follow the ride.  Meet 5:30 PM
        downtown Berkeley BART to leave at 6 PM.  (every 2nd Friday)
        \_ Get a life, jnat.
           \_ Hmm... what do you mean?  I keep very busy and despite
              negative people (case in point) and corrupt corporations
              and the like I have a great time and am doing a lot of
              good work.  How about check my personal web pages
     and tell me what's missing.
                \_ Perspective on your useless existence.
                   \_ I don't get it, I mean, I have some philosophy
                      and everythiiing...what's the URL?
Berkeley CSUA MOTD:1999:March:10 Wednesday <Tuesday, Thursday>