Berkeley CSUA MOTD:Entry 30592

2004/6/4 [Computer/SW/Security] UID:30592 Activity:nil
6/4     MacOS X Screensaver Passwd lock security issue:
        Vulnerability: http://tinyurl.com/2ghmz (macosxhints.com)
        Workaround:    http://tinyurl.com/2muab (macosxhints.com)

Cache (2056 bytes)
tinyurl.com/2ghmz -> www.macosxhints.com/article.php?story=20040603102200986&mode=print
A vulnerability with the screensaver password lock
Fri, Jun 4 '04 at 11:00AM from: babbage

No one wants other people messing around with their computer when they're away from their desks, but what can you do? It's not practical to log out every time you want to go for a cup of coffee, so many people put a password lock on their screensaver instead.

This is much more convenient, but it has a serious Achilles heel: if you are in an environment where many people have logins on your computer, such as an office with centralized login (NIS, ActiveDirectory/Kerberos, LDAP, OpenDirectory, NetInfo, etc) where everyone has an account on every computer, then anyone can use their own login to disable your locked session. log, which is only useful after the fact -- provided that the person who logged in didn't know to cover their tracks. For a lot of people, this probably defeats the purpose of locking the screen to begin with.

Until and unless Apple provides a way to change this behavior, it may be wise to avoid the screen saver lock and fully log out of the system whenever you will be away from your computer for a long time (lunch break, overnight, etc).

robg adds: There was an earlier security issue with the screensaver password as well, which has since been fixed. this hint and comments, which offer the best solution, I think, to this problem. Logging out is a pain, especially when you have 20 or so apps running with multiple open documents. The referenced hint explains how to use Fast User Switching to bring up the main OS X login screen, which won't actually log you out. It also won't be susceptible to this hack -- the other user could login, but it would be to their own account, not yours.

Of course, there's no screensaver at the login prompt, so you'll probably then want to hit the Sleep button to put your machine to sleep (or at least dim your screen). If you hate the amount of menubar space used by the FUS menu item, use something like Butler, FUSKey, FUS++, etc. to enable fast user switching without having the menu active.
Cache (668 bytes)
tinyurl.com/2muab -> www.macosxhints.com/article.php?story=20031031112407491&mode=print
here, for one), there is a minor security issue with screen locking in Panther. To avoid this and generally provide a more secure screen lock, enable fast user switching in the Accounts system preferences under "Login Options" (even if you only have one user). " menu item in the user switching menu to lock your computer instead of using the screensaver/sleep lockout. This menu item takes you back to the login screen without actually logging out, so all your applications will be the way they were when you "log back in." Your account is listed in the login screen as "currently logged in." As a bonus you also get to see the gratuitously cool rotating cube effect.