Berkeley CSUA MOTD:Entry 53523
Berkeley CSUA MOTD
2018/01/23 [General] UID:1000 Activity:popular

2009/11/13-30 [Computer/SW/Unix] UID:53523 Activity:nil
11/12   How does one find out if a system has rootkit installed?
        \_ Unix or m$?
           \_ Unix. On M$ I always assume it's compromised.
              \_ Install Tripwire before you plug your server into The Net?
                 The only other answer I can think of is to reinstall the
                 OS from scratch on another server and do an md checksum
                 comparison with your current binaries. You can also look
                 for other signs of infection, like open ports that don't
                 belong there (netstat -o), mysteriously growing filesystems,
                 etc, but a really good rootkit is almost undetectable. Most
                 of them aren't really good though.
                 \_ ObKenThompson:
ERROR, url_link recursive (eces.Colorado.EDU/secure/mindterm2) 2018/01/23 [General] UID:1000 Activity:popular

You may also be interested in these entries...
2012/8/26-11/7 [Computer/SW/Security] UID:54465 Activity:nil
8/26    Poll: how many of you pub/priv key users: 1) use private keys that
        are not password protected 2) password protect your private keys
        but don't use ssh-agent 3) use ssh-agent:
        1) .
        2) ..
        3) ...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
2012/9/24-11/7 [Computer/SW/Languages, Computer/SW/Unix] UID:54484 Activity:nil
9/24    How come changing my shell using ldapmodify (chsh doesn't work) doesn't
        work either? ldapsearch and getent show the new shell but I still get
        the old shell on login.
        \_ Scratch that, it magically took my new shell now. WTF?
           \_ probably nscd(8)
2012/3/29-6/4 [Computer/HW/Memory, Computer/HW/CPU, Computer/HW/Drives] UID:54351 Activity:nil
3/29    A friend wants a PC (no mac). She doesn't want Dell. Is there a
        good place that can custom build for you (SSD, large RAM, cheap video
        card--no game)?
        \_ As a side note: back in my Cal days more than two decades ago when
           having a 387SX made me the only person with floating-point hardware,
           most machines were custom built.
2012/1/27-3/26 [Computer/SW/Unix] UID:54299 Activity:nil
1/27    Interesting list of useful unix tools. Shout out to
        cowsay even!
        \_ This is nice.  Thanks.
2011/10/26-12/6 [Computer/SW/Unix] UID:54202 Activity:nil
10/24  What's an easy way to see if say column 3 of a file matches a list of
       expressions in a file? Basically I want to combine "grep -f <file>"
       to store the patterns and awk's $3 ~ /(AAA|BBB|CCC)/ ... I realize
       I can do this with "egrep -f " and use regexp instead of strings, but
       was wondering if there was some magic way to do this.
       \_ UNIX has no magic. Make a shell script to produce the ask or egrep
2011/4/27-7/30 [Computer/SW/Unix, Computer/SW/Security] UID:54096 Activity:nil
4/28    Will wall be fixed?   - jsl
        \_ What's wall?
           \_ An anachronism from a bygone era, when computers were hard to
              comeby, the dorms didn't have net, there was no airbears, and
              when phones didn't come standard with twitter or sms.
           \_ A non useful implementation of twitter.
2011/5/19-7/30 [Computer/SW/Security] UID:54110 Activity:nil
5/19    Uh, is anyone still using this? Please mark here if you post and
        haven't added this yet. I'll start:
        \_ person k
        \_ ausman, I check in about once a week.
        \_ erikred, twice a week or so.
        \_ mehlhaff, I login when I actually own my home directory instead of
2010/3/10-30 [Computer/SW/Mail] UID:53751 Activity:nil
3/10    What email program do people in Cal CS use nowadays?  In my school days
        people used /usr/bin/mail, then RMail in emacs, then VMail in emacs.
        After my days people used Elm, Pine, Mutt (I forgot which order).  In
        my first two jobs we could tell the seniority of fellow engineers based
        on which email program they use at work, because everyone used what
        they used to use in their school years.  In my last two jobs though,
Cache (7052 bytes)
Reflections on Trusting Trust Ken Thompson Reprinted from Communication of the ACM, Vol. Copyright 1984, Association for Computing Machinery, Inc. Also appears in ACM Turing Award Lectures: The First Twenty Years 1965-1985 Copyright 1987 by the ACM press and Computers Under Attack: Intruders, Worms, and Viruses Copyright 1990 by the ACM press. I can't help but feel that I am receiving this honor for timing and serendipity as much as technical merit. UNIX swept into popularity with an industry-wide change from central main frames to autonomous minis. I suspect that Daniel Bobrow would be here instead of me if he could not afford a PDP-10 and and had to "settle" for a PDP-11. Moreover, the current state of UNIX is the result of the labors of a large number of people. There is an old adage, "Dance with the one that brought you," which means that I should talk about UNIX. I have not worked on mainstream UNIX in many years, yet I continue to get undeserved credit for the work of others. Therefore, I am not going to talk about UNIX, but I want to thank everyone who has contributed. In the ten years that we have worked together, I can recall only one case of miscoordination of work. On that occasion, I discovered that we both had written the same 20-line assembly language program. I compared the sources and was astounded to find that they matched character-for-character. The result of our work together has been far greater than the work that we each contributed. On my 1040 form, that is what I put down as my occupation. I would like to present to you the cutest program I ever wrote. I will do this in three stages and try to bring it together at the end. Stage I In college, before video games, we would amuse ourselves by posing programming exercises. One of the favorites was to write the shortest self-reproducing program. Since this is an exercise divorced from reality, the usual vehicle was FORTRAN. Actually, FORTRAN was the language of choice for the same reason that three-legged races are popular. More precisely stated, the problem is to write a source program that, when compiled and executed, will produce as output an exact copy of its source. If you have never done this, I urge you to try it on your own. The discovery of how to do it is a revelation that far surpasses any benefit obtained by being told how to do it. The part about "shortest" was just an incentive to demonstrate skill and determine a winner. Figure I shows a self-reproducing program in the C programming language. This program can contain an arbitrary amount of excess baggage that will be reproduced along with the main algorithm. Stage II The C compiler is written in C What I am about to describe is one of many "chicken and egg" problems that arise when compilers are written in their own language. In this ease, I will use a specific example from the C compiler. C allows a string construct to specify an initialized character array. The individual characters in the string can be escaped to represent unprintable characters. For example, "Hello world\n" represents a string with the character "\n," representing the new line character. Figure 2 is an idealization of the code in the C compiler that interprets the character escape sequence. It "knows" in a completely portable way what character code is compiled for a new line in any character set. The act of knowing then allows it to recompile itself, thus perpetuating the knowledge. Figure 3 We then recompile the C compiler, but we get a diagnostic. Obviously, since the binary version of the compiler does not know about "\v," the source is not legal C We must "train" the compiler. After it "knows" what "\v" means, then our new change will become legal C We look up on an ASCII chart that a vertical tab is decimal 11. Figure 6 shows a simple modification to the compiler that will deliberately miscompile source whenever a particular pattern is matched. If this were not deliberate, it would be called a compiler "bug." Since it is deliberate, it should be called a "Trojan horse." FIGURE 6 The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user. Even the most casual perusal of the source of the C compiler would raise suspicions. Figure 7 This simply adds a second Trojan horse to the one that already exists. The replacement code is a Stage I self-reproducing program that inserts both Trojan horses into the compiler. This requires a learning phase as in the Stage II example. First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere. You can't trust code that you did not totally create yourself. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect. After trying to convince you that I cannot be trusted, I wish to moralize. I would like to criticize the press in its handling of the "hackers," the 414 gang, the Dalton gang, etc. The acts performed by these kids are vandalism at best and probably trespass and theft at worst. It is only the inadequacy of the criminal code that saves the hackers from very serious prosecution. The companies that are vulnerable to this activity (and most large companies are very vulnerable) are pressing hard to update the criminal code. Unauthorized access to computer systems is already a serious crime in a few states and is currently being addressed in many more state legislatures as well as Congress. On the one hand, the press, television, and movies make heroes of vandals by calling them whiz kids. On the other hand, the acts performed by these kids will soon be punishable by years in prison. It is clear that they are completely unaware of the seriousness of their acts. The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor's house. It should not matter that the neighbor's door is unlocked. The press must learn that misguided use of a computer is no more amazing than drunk driving of an automobile. Acknowledgment I first read of the possibility of such a Trojan horse in an Air Force critique of the security of an early implementation of Multics. References 1 Bobrow, DG, Burchfiel, JD, Murphy, DL, and Tomlinson, RS TENEX, a paged time-sharing system for the PDP-10.