Berkeley CSUA MOTD:Entry 53791

2010/4/19-5/10 [Computer/SW/Security, Computer/SW/WWW/Server] UID:53791 Activity:nil
4/18    http://Apache.org hacked:
        http://www.theinquirer.net/inquirer/news/1601103/apache-hacked
Cache (4557 bytes)
www.theinquirer.net/inquirer/news/1601103/apache-hacked
JIRA as its issue tracker, and Apache has warned users of the Apache hosted JIRA and Bugzilla or Confluence equivalents that their hashed passwords have been compromised. "We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords", it added, before suggesting some other possible security measures. "In addition, if you logged into the Apache JIRA instance between April 6th and April 9th, you should consider the password as compromised, because the attackers changed the login form to log them."

The issue contained a warning, "ive got this error while browsing some projects in jira", along with a tinyurl web link. Unfortunately the link led users to a cross-site scripting attack, which in turn allowed hackers to steal session cookies relating to JIRA.

jsp, in which attackers threw hundreds of thousands of password combinations at its servers. Unfortunately, in less than twenty-four hours one of these attempts was successful in gaining entry. "The attackers used this access to create copies of many users' home directories and various files," wrote Apache. "They also uploaded other JSP files that gave them backdoor access to the system using the account that JIRA runs under." Following this, the attackers then installed a JAR file which was used to collect and save logins and passwords.

org machine, which hosts the Apache installs of JIRA, Bugzilla and Confluence. The detail and analysis presented in the post are enlightening, and we can only hope that other victims follow the Apache Software Foundation's lead. As it says, "We hope our disclosure has been as open as possible and true to the ASF spirit."

Comments

"threw hundreds of thousands of password combinations at its servers" I repeat from I think the Twitter compromise story: Isn't there ANY alarm for this? Are modern systems so stupidly designed as to allow unlimited attempts, instead of ignoring an IP after three failed attempts?

@AB: Changing IPs every 3 tries would be an obstacle. As would simply an alarm that thousands of attempts were coming from anywhere. By the way, I've already suggested using Firefox with a custom user agent string to initially validate that password attempts come from an apparently authorized source. If you can't answer my question simply and directly, I think it a good question.

that tinyURL will be used to cloak compromised "real" URLs ? It has seemed to me from the outset that any URL that doesn't easily parse into a meaningful is likely to be used as a vector for maliciousness. The average punter is barely savvy enough to read the URL in any case, when it's an inscrutable handful of characters there is no hope. Let's face it, whoever was zapped here on an Apache issue log was no naïve end user...

Don't restrict by IP add
A better way to block a brute force password attack is to lock an account for a short period of time after a small number of failed attempts. For instance, locking an account for 1 minute after 5 failed attempts DRASTICALLY slows down brute force attempts. Increasing the delay for subsequent failures (say up to an hour) would make brute-force attacks stop in their tracks. Hundreds of thousands of attempts would take weeks, months, or years depending on the approach taken. A notification to admins and the user being attacked would further ensure that repeated failed attempts result in that user being disabled. All of this takes time to develop, and isn't necessarily the top priority of developers or management until someone makes it a priority. Sadly, by the time it's a priority, it's usually too late.

Passwords, passwords
This still comes down to poor password discipline. LONG passwords are the best way to mitigate dictionary attacks although delays and fail2ban are also good.

@Mike Your advice is useful on something like a desktop computer where only one user has access at a time from a single point of entry. On a web server, I think this technique would make it trivial for anyone to launch a DoS attack, locking thousands of users out of their accounts. I've got to commend ASF for admitting a mistake publicly, and warning us about the methodology being used to hack the accounts. Many times we all see a sort of "passing the buck" by big firms that get hacked. Also, I have to think that the "3 tries and you're out" password scheme can be effective, at least in slowing down brute force.
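The comment thread above weighs escalating account lockout against per-IP blocking and the objection that account lockout hands attackers a denial-of-service lever. As an added illustration, not code from the article or any commenter, the Python below implements the policy one commenter proposes (5 failures, then a 1 minute lock, doubling up to an hour, with an alert record for admins and the user) and adds an assumed `key_by_source` switch so the DoS objection can be reproduced; the `LoginThrottle` class, `seconds_to_attempt`, and the account name and addresses in `lockout_as_dos` are all my own constructed assumptions.

```python
import time
# Policy quoted from the comment thread: 5 failures -> 1 minute lock, doubling
# on each further lockout, capped at 1 hour. The class design itself is assumed.
FAILURES_PER_LOCKOUT, FIRST_LOCK_SECONDS, MAX_LOCK_SECONDS = 5, 60, 3600

class LoginThrottle:
    """key_by_source=False locks the account itself (the commenter's scheme, which
    lets an attacker lock real users out); key_by_source=True locks only the
    (account, source) pair, which blunts that DoS but lets an attacker who
    rotates sources keep guessing."""

    def __init__(self, key_by_source=False, clock=time.monotonic):
        self.key_by_source, self.clock, self._state = key_by_source, clock, {}
        self.alerts = []  # (account, lockout_no, seconds): hand to admin/user alerting
    def _key(self, account, source):
        return (account, source) if self.key_by_source else account
    def is_locked(self, account, source):
        c = self._state.get(self._key(account, source))
        return c is not None and self.clock() < c["locked_until"]
    def record_failure(self, account, source):
        """Count one failed login; return the lock length applied (0 if none)."""
        c = self._state.setdefault(self._key(account, source),
                                   {"failures": 0, "lockouts": 0, "locked_until": 0.0})
        c["failures"] += 1
        if c["failures"] < FAILURES_PER_LOCKOUT:
            return 0
        c["failures"], c["lockouts"] = 0, c["lockouts"] + 1
        lock = min(FIRST_LOCK_SECONDS * 2 ** (c["lockouts"] - 1), MAX_LOCK_SECONDS)
        c["locked_until"] = self.clock() + lock
        self.alerts.append((account, c["lockouts"], lock))
        return lock

def seconds_to_attempt(n):
    """Wall-clock lower bound for n guesses under one lock key (guess time ignored)."""
    total, lockouts = 0, 0
    for _ in range(FAILURES_PER_LOCKOUT, n, FAILURES_PER_LOCKOUT):
        total += min(FIRST_LOCK_SECONDS * 2 ** lockouts, MAX_LOCK_SECONDS)
        lockouts += 1
    return total

def lockout_as_dos():
    """Constructed scenario: an attacker at 198.51.100.7 fails 5 times on "alice";
    is alice, logging in from 192.0.2.10, locked out? -> (account-keyed, pair-keyed)"""
    results = []
    for by_source in (False, True):
        t = LoginThrottle(key_by_source=by_source)
        for _ in range(FAILURES_PER_LOCKOUT):
            t.record_failure("alice", "198.51.100.7")
        results.append(t.is_locked("alice", "192.0.2.10"))
    return tuple(results)
```

Under this policy 100,000 guesses against a single lock key need about 72 million seconds, roughly 833 days, which is the arithmetic behind the "weeks, months, or years" claim.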
Cache (1423 bytes)
Apache.org
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Software Patents Kill Innovation
We are protesting against attempts to legalise software patents in Europe. For ASF developers and users alike, this directive would mean legal uncertainty: a patent minefield.

HTTP Server has been the leading web server platform since 1996. Founded as a collaborative effort aimed at creating a robust, commercial grade, standards-compliant, and feature-rich HTTP server, we are thrilled that the worldwide Internet community has embraced open source as a viable model for software product development. Our achievement is testament to the benefits of the process of open source software development itself.

Maven is a Java project management and project comprehension tool. In a nutshell Maven aims to make the developer's life easier by providing a well defined project structure, well defined development processes to follow, and a coherent body of documentation that keeps your developers and clients apprised of what's happening with your project.