Berkeley CSUA MOTD:Entry 14665
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/07/08 [General] UID:1000 Activity:popular
7/8     

1998/9/24-26 [Computer/SW/Security] UID:14665 Activity:high
9/24    How do I find out what machines are in a certain domain, e.g.
        http://laney.edu?  Thanks.
        \_ ping -f http://laney.edu
        \_ a little command many people forget about: host -l http://laney.edu
        \_ echo "What machines are in your domain?" | mail postmaster@laney.edu
                \-You have to be so tall ... /tmp/laney.edu --psb
           You could try to use nslookup's ls command to list everything in the
           domain, but most nameservers (including http://laney.edu's) won't let you.
                \-"You have to be this tall ... " ... /tmp/laney.edu --psb
           \_ you could get a map of what network addresses they use, and then
              try to get reverse dns mappings for everything in those addresses.
              This is why disabling zone transfers on a nameserver (i.e. ls)
              is pretty stupid unless you kill reverse dns too. -ERic
                \_ Disabling zone transfers stops the script kiddies for now
                   (until someone takes pity on them and writes them a script
                    to do things the hard way)
                   \_ so until then you end up making it harder on everyone
                       else.
                        \_ stupidity in the name of security is rampant.
                           See soda's relaying policy.  -tom
                        \_ most everyone else doesn't need to do a zone xfer
                           or can ask nicely for one
                           \_ Disallowing them is a security through obscurity
                              policy, and impedes curiosity.  It's like turning
                              off finger on Unix.  Besides, crackers can still
                              scan easily, even without using DNS.
                                \_ or it's like using shadowed passwords
                                   \_ WTF are you smoking!?  Non shadow-passwd
                                      files are a huge security hole.  Give
                                      any user on your system instant access
                                      to all the poor sops' accounts and files
                                      who can't pick a decent password.
                                        \_ unshadowed passwrds aren't the
                                           cause of the security hole, stupid
                                           users are
                                \_ shadowed passwords provide little real
                                   security; it's not difficult to get the
                                   shadow file without root.  -tom
                                   \_ Um, by that logic, it's not hard to get
                                      root, so why bother having any security
                                      at all  --dbushong
                                   \_ Tom, you were the one who suggested
                                      using shadowed passwds and have, until
                                      now, continued to do so on the basis that
                                      it was "more secure" for at least 4 years
                                      now, see CSUA/OCF/XCF Help Session handout
                                      by Tom Holub
                                        \_ I haven't updated that in quite
                                           some time; I haven't taught the
                                           security help session in something
                                           like 3 years.  At the time, I
                                           wasn't aware that programs such as
                                           ftpd can leave large swaths of the
                                           shadow file in core dumps.  -tom
                                \_ That's not the logic.  The logic is that
                                   shadowed passwords provide a false sense
                                   of security.  The security problem with
                                   non-shadowed passwords is having bad
                                   passwords; having shadowed passwords does
                                   little or nothing to alleviate the only
                                   problem it could theoretically solve. -tom
                                        \-i think turning off zone xfers is
                                        basically free to do. of course you
                                        shouldnt rely on it and what is really
                                        the important thing to do is to be able
                                        to see who is asking forone and what
                                        they do right after that. a zone xfer
                                        a pretty good indicator of certain
                                        types of scans/signatures of certain
                                        tools. --psb
                                        \_ Or just curious network users.
                                           E.g. zone transfer of various
                                           things under http://mit.edu is fun.
                \_ Please define "zone transfer"        -- clueless
                   \_ Simple answer: it's what you get when you run
                        host -l or nslookup ls.  Long answer: Read the
                        BIND book from O'Reilley
ERROR, url_link recursive (eces.Colorado.EDU/secure/mindterm2) 2025/07/08 [General] UID:1000 Activity:popular
7/8     

You may also be interested in these entries...
2013/10/24-11/21 [Computer/Companies/Apple] UID:54747 Activity:nil
9/19    "No, A Severed Finger Will Not Be Able to Access a Stolen iPhone 5S"
        http://mashable.com/2013/09/15/severed-finger-iphone-5s
        I'm sure the Apple QA department has tested extensively that a severed
        finger will not be able to access a stolen iPhone 5S.
        \_ It doesn't matter whether or not a severed finger can be used.  It
           matters whether or not a robber thinks that a severed finger can be
	...
2013/6/6-7/31 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:54690 Activity:nil
6/6     Wow, NSA rocks. Who would have thought they had access to major
        data exchangers? I have much more respect for government workers,
        crypto experts, mathematicans now than ever.
        \_ flea to Hong Kong --> best dim-sum in the world
           \_ "flee"
        \_ The dumb ones work for DMV, the smart ones for the NSA. If you
	...
2012/8/26-11/7 [Computer/SW/Security] UID:54465 Activity:nil
8/26    Poll: how many of you pub/priv key users: 1) use private keys that
        are not password protected 2) password protect your private keys
        but don't use ssh-agent 3) use ssh-agent:
        1) .
        2) ..
        3) ...
	...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
	...
2012/8/7-10/17 [Computer/SW/Security] UID:54455 Activity:nil
8/6     Amazon and Apple have lame security policies:
        http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all
        "First you call Amazon and tell them you are the account holder, and
         want to add a credit card number to the account. All you need is the
         name on the account, an associated e-mail address, and the billing
         address. "
	...
2012/7/13-8/19 [Computer/SW/Security, Computer/Companies/Yahoo] UID:54436 Activity:nil
7/13    Why would Yahoo store passwords unencrypted?  I recall that even 20+
        years ago the passwords stored in /etc/passwd on instructional
        machines here at Cal were one-way encrypted.  (I think those were
        Ultrix machines.)
        \_ Doesn't this say anything already?
           http://finance.yahoo.com/echarts?s=YHOO+Interactive#symbol=yhoo;range=5y
	...
2012/7/18-8/19 [Health/Men, Computer/SW/Security] UID:54438 Activity:nil
7/18    "Largest penis record holder arouses security suspicions at airport"
        http://www.csua.org/u/x2f (in.news.yahoo.com)
        \_ I often have that same problem.
        \_ I think the headline writer had some fun with that one.
           \_ One time when I glanced over a Yahoo News headline "U.S. busts
              largest-ever identity theft ring" all I saw was "U.S. busts
	...
Cache (71 bytes)
laney.edu
FRAME: frame REFRESH(0 sec): http://laney.edu/cis Laney College Website
Cache (741 bytes)
mit.edu
skip to search friday, may 14, 2004 About this site massachusetts institute of technology spotlight: creative intelligence an exhibit from MIT's visual arts program news creative collisions spark research at Stata education courses, admissions, OpenCourseWare research labs, centers and programs, libraries offices+services resources, jobs, business, giving to MIT community groups students, faculty, parents, alumni/ae events calendar, athletics, arts, commencement about mit facts, campus map, evolving campus search Google-MIT MIT People search terms Go MIT MIT today's homepage: Andrew Smiles massachusetts institute of technology 77 massachusetts avenue cambridge, ma 02139-4307 tel 617.253.1000 tty 617.258.9344 about this site contact