| 2001/4/22 [Computer/SW/Security, Computer/SW] UID:21052 Activity:very high |
4/21 Do you like to code/hack?
\_ Yes.
\_ hack is a dirty word.
\_ to "professionals", yes, but what about crypto and software
and computer pioneers?
\_ to me, it means "threw together code quickly without
much forethought"; does it mean something different to other people? |
| 2001/3/22 [Computer/SW/Security] UID:20880 Activity:nil |
3/20 tom's ridiculous and endless whining about ssh purged. if tom was a
man he'd give himself twink points every time he brings it up. you
can login. ssh1 works fine. now stfu and get over it. |
| 2001/3/21-22 [Computer/SW/Security] UID:20875 Activity:low |
3/20 \_ what about the broken sshd? -tom
\_ It's not broken. It works fine for SSHv1
and OpenSSH clients. Get a different client.
\_ what would you call a server that violates
protocols? I would call it broken. The
fact that openssh clients also violate
protocols doesn't make the server any
less broken. And, once again, there's
ABSOLUTELY NO ADVANTAGE TO USING OPENSSH.
-tom
\_ Totally there is! Open source!
\_ Why don't we run both versions? Run
the non-OpenSSH version of port 69
so that tom will shutup.
\_ Uh, it's free and it comes preinstalled
with *BSD, MacOS X, Linux, etc.
WTF would I want to download something
extra from http://ssh.com that isn't nearly
as well audited as OpenSSH and isn't
free for corporate users?
\_ what difference does it make
whether it's free for corporate
users? You would want to download
it because IT SUPPORTS MORE CLIENTS.
Are you really this stupid? -tom
\_ Because some of us are corporate
users, not gub'ment 'ployees.
\_ we're not talking about what
you install in your cube.
you can connect to soda
if it's not running openssh.
-tom
http://ssh.com's ssh server doesn't like _/
OpenSSH clients and it doesn't like
NiftyTelnet SSH on the mac (ie it will
randomly drop my connection and scp
doesn't work right), both of
which currently work with soda's
OpenSSH server. No reason to switch
since switching would reduce the
number of clients that are supported.
\_ Bullshit. I am using both openssh clients and
NiftyTelnet with http://ssh.com's server and they work
fine. -tom
\_ since you clearly are not making any
progress getting the powers that be to
switch from OpenSSH, why don't you
harass the OpenSSH people and get them
to fix it?
\_ So, you like the added bloat of having
to start the ssh1 daemon every time an
ssh1 client connects? Once OpenSSH
supports session rekeying (promised in
the next major release) there will be
no reason not to use OpenSSH. |
| 2001/3/21-22 [Transportation/Car, Computer/SW/Security] UID:20873 Activity:very high |
3/21 Went for a regular cleanup but the medical bill sez the doc did
root canal and 6 x-rays. It said I had to pay 20% of the copayment
to the doc but the doc sez to just ignore it. what's going on
and what should i do 'bout it?
\_ mmm, medical insurance fraud.
\_ the doc over-charges. If the actual charge is $100, the doc
is reporting the cost to be $120, so the $20 you supposedly
need to pay is included in the overcharged amount. It is a
win-win situation for you and your doc. Pretend that you
don't know about it and play along.
\_ I already paid a fuckin $10 copayment, and the insurance is
paying $725 for a $50 cleanup. What the fuck?
\_ its called fraud. If you're annoyed about it talk to your
\_ If that's the case, I think you should also charge the doc 20%
for your "services".
insurance provider to get yer doc busted.
\_ This is why medicare and medicaid are going bankrupt. As a
taxpayer, thanks!
\_ Do you even know what medicare is? If you did you would
be able to figure out that the original poster isn't even
qualified for it.
\_ liberal solution: spend more on medical/care to cover
the fraud. ITS FOR THE CHILDREN!
\_ Yeah, totally. I'd pay anything and give up all my freedoms
so long as it was for the children.
\_ That's your frequent flyer miles rebate.
\_ I read an article in Smartmoney magazine saying that
doctors are not earning as much as they used to. Many are
working longer hours, selling their Porsches, and putting
their children in public instead of private schools.
Also, they no longer small talk or develop a personal
\_ They make the same, but they have to work harder for it.
Tough. For $350,000 they can deal. There's a lot of
competition driving down prices. Most of my doctors don't
even charge me the co-payment (they "forget") so it's not
like they miss that extra $10 from each patient. The fee
schedule is all out-of-whack with reality thanks to HMOs.
For example, buying a certain medication through my HMO =
$10 copayment. Buying it "without insurance" = $6.50. That's
why I *always* ask how much the drug is retail cost, and
it's not limited to drugs. The HMOs are screwing the doctors
and the patients. --dim
\_ But HMOs are FOR THE CHILDREN! Don't you care about THEM!?
relationship with their patients but go right to the
diagnosis in a production line manner.
\_ And this is supposed to excuse fraud?
\- If this has really happened to you, you have an obligation to
bring it up. It'd be really bad to let them get away with this. This
is hardly a Jean Valjean stealing a loaf of bread. |
| 2001/3/21 [Computer/SW/Security] UID:20865 Activity:very high |
3/20 Hi. it appears that people have been flaming ][e about vp-like
administrative policies. In the future, please direct the mail
to vice-president@csua.berkeley.edu (duh). - paolo
\_ Jon's just pissed 'cuz he did more work than he had to
\_ He's under no contractual obligation to do anything if he
doesn't want to.
\_ Just as the VP is under no obligation to do his job if
he doesn't want to. I guess he should email poliburo
about it.
\_ Actually, the VP has obligations as outlined in the
CSUA Constitution. If he is unable to perform these
duties, he should resign.
\_ he should email vp about it then. - paolo
\_ I have paolo. I'm still waiting for you to do your job. -Jon
\_ i'm not seeing anything new to root or vp, unless it's
the .43 net thing which is solved already. - paolo
\_ what about the broken sshd? -tom
\_ It's not broken. It works fine for SSHv1
and OpenSSH clients. Get a different client.
\_ what would you call a server that violates
protocols? I would call it broken. The
fact that openssh clients also violate
protocols doesn't make the server any
less broken. And, once again, there's
ABSOLUTELY NO ADVANTAGE TO USING OPENSSH.
-tom
\_ Totally there is! Open source!
with *BSD, MacOS X, LinSUX, etc.
\_ Why don't we run both versions? Run
the non-OpenSSH version of port 69
so that tom will shutup.
\_ Uh, it's free and it comes preinstalled
with *BSD, MacOS X, Linux, etc.
WTF would I want to download something
extra from http://ssh.com that isn't nearly
as well audited as OpenSSH and isn't
free for corporate users?
\_ what difference does it make
whether it's free for corporate
users? You would want to download
it because IT SUPPORTS MORE CLIENTS.
Are you really this stupid? -tom
\_ Because some of us are corporate
users, not gub'ment 'ployees.
\_ since you clearly are not making any
progress getting the powers that be to
switch from OpenSSH, why don't you
harass the OpenSSH people and get them
to fix it?
\_ So, you like the added bloat of having
to start the ssh1 daemon every time an
ssh1 client connects? Once OpenSSH
supports session rekeying (promised in
the next major release) there will be
no reason not to use OpenSSH.
\_ That's an old thing that he isn't fixing, not
a new thing.
\_ well, like Jon said, he's not doing his
job. -tom
\_ It's a student .org. No one cares but
you. Run for VP. Oh wait, you can't.
\_ what the fuck are you bitter, insignificant
poor suffering morons whining about?
\_ lack of asian chic?
\_ azn chix p.
\_ SKY? Is that you SKY? Is Muchandr dead?
\_ Muchandr is not dead, but he looks like a shadow
of his former rambunctious self, haunting
Berkeley downtown. |
| 2001/3/19-20 [Computer/SW/Security] UID:20846 Activity:moderate |
3/19 Hi, I'm looking for a simple encryption program for PC/w2k. I want to
create a directory and everything I copy into that directory gets
encrypted. It can pop up a window and ask me for a passphrase. That's
not a big deal. Is there something simple like that?
\_ There was something or other PGP that could encrypt a partition...
\_ PGPdisk
\_ store your porn offsite. it'll be safer there. |
| 2001/3/15 [Computer/SW/Unix, Computer/SW/Security, Computer/SW/OS] UID:20794 Activity:nil |
3/14 My saiden/cory account is disabled and my
http://www-inst.eecs.berkeley.edu/~myself page is gone. If I'm a grad
student how long do I get to keep my account? I'd love to have
http://www.cs.berkeley.edu/~myself to be up forever.
\_ nmap http://www.cs.berkeley.edu to figure out what OS it's running.
Get out your root kit for that OS and get root. |
| 2001/3/14 [Computer/SW/Security] UID:20773 Activity:high |
3/13 When I ssh from my computer to this one machine, I get:
No agent.
But when I go to a different machine I get:
Connection to authentication agent opened.
How do I fix the "no agent" problem?
\_ Let me read your mind... |
| 2001/3/13 [Computer/SW/Security] UID:20768 Activity:nil |
3/12 What command do you use to generate a new /etc/ssh_host_key and
/etc/ssh_host_key.pub for a new machine? |
| 2001/3/13-14 [Computer/SW/Security] UID:20765 Activity:low |
3/12 Need a secure way to encrypt files? Try Pig Latin!
(and you thought all those Pig Latin routines you learn in 61A would
goto waste)
http://www.cnn.com/2001/TECH/internet/03/12/napster.02/index.html
\_ Uh huh....
\_ Okay, so it is illegal to systematically un-Pig-Latinify the file
names. But what excuse does Napster have to not simple
Pig-Latinify the list of song names that it's supposed to block,
and match the new list with the file names? There's no law
saying you can't compare encrypted info with encrypted info, right? |
| 2001/3/10-12 [Computer/SW/Security] UID:20745 Activity:high |
3/9 Whenever I attempt to scp something, I get the following error:
"Warning: no access to tty (Bad file descriptor).
Write failed flushing stdout buffer.
stty: stdin isn't a terminal
write stdout: Broken pipe"
How do I fix this?
\_ Remove stty & similar settings from .cshrc/.login/.profile or
put them inside 'if ($?prompt)' so they don't run when scp
connects
\_ What other sorts of things should I check for? It's still broken
but there's a different error now.
\_ whats the best way to check for that for sh/ksh?
\_ 'if ($?prompt)' is a shitty hack by a newbie.
The correct way to do this in any shell is via tty.
Put the interactive stuff in your .profile into the
following wrapper:
if tty -s > /dev/null 2>&1 ; then
: # your interactive stuff here
fi
\_ dont use "tty -s". use "test -t 0"
\_ "test -t 0" is not portable, "tty -s" is.
Some of us still have accounts on older
machines and need a portable .profile.
\_ Somewhat related: don't put interactive programs in your dot files
either. Some coder monkey put "more blay.txt" at the end of his
.cshrc and then complained to me that scp hadn't been working for
a month. |
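The tty -s wrapper from the thread, exercised as an added example (not code from any motd post): it runs an unguarded and a guarded profile fragment with no terminal on stdin, which is how the login shell that scp starts sees them. Assumes POSIX sh, tty(1) and stty(1); the profile fragments and function names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the thread: why an 'stty' line in a dot file
# breaks scp, and the tty(1) guard from the thread that fixes it.  Assumes a
# POSIX sh plus the tty(1) and stty(1) utilities.  The profile fragments and
# function names below are constructed for this demo.

# The thread's portable test: tty -s exits 0 only when stdin is a terminal.
is_interactive() {
    tty -s >/dev/null 2>&1
}

# The shorter 'test -t 0' form works in modern shells; the thread notes it
# is less portable to old machines than tty -s.
is_interactive_test_t() {
    test -t 0
}

# A .profile line as the "coder monkey" wrote it: runs unconditionally.
UNGUARDED_PROFILE='stty erase ^H'

# The same line inside the wrapper recommended in the thread.
GUARDED_PROFILE='if tty -s >/dev/null 2>&1; then
    stty erase ^H
fi'

# Execute a profile fragment the way a login shell started by scp sees it:
# no terminal on stdin.  Returns the fragment's exit status, so a fragment
# that tries to talk to a tty fails here exactly as it does under scp.
run_profile_non_interactive() {
    sh -c "$1" </dev/null 2>/dev/null
}

# Self-report when run directly.
main() {
    if run_profile_non_interactive "$UNGUARDED_PROFILE"; then
        echo "unguarded profile: ok (unexpected)"
    else
        echo "unguarded profile: fails without a tty (this is what breaks scp)"
    fi
    if run_profile_non_interactive "$GUARDED_PROFILE"; then
        echo "guarded profile: ok, stty skipped when not interactive"
    else
        echo "guarded profile: failed (unexpected)"
    fi
}

main "$@"
```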
| 2001/3/9 [Computer/SW/Security, Computer/SW/OS/Solaris] UID:20737 Activity:nil |
3/9 I guess IBM joins M$ as a company whose platforms you can't trust
for ecommerce:
http://www.theregister.co.uk/content/8/17467.html
Ever since they got on the "LinSUX" bandwagon, the IBM of old (the
one whose information systems defended the governments of the free
world) seems to be slowly but surely disappearing.
At least there is still Trusted Solaris and OpenBSD. |
| 2001/2/22 [Computer/SW/Security] UID:20646 Activity:nil |
2/20 How come we are still running OpenSSH 2.3.0? Shouldn't
we upgrade to the newer 2.5.1?
Also I've read up on that IDEA cipher that tom keeps asking
for, it turns out that IDEA is deliberately omitted from
OpenSSH because there is a big security hole associated
with it. I'm not sure why he wants it anyway, as the other
supported methods are much better.
\_ Let me try to explain this one more time. We have a choice of
using a server which will support whatever client one of our
users is using, with whatever configuration they want to use.
Or we can use OpenSSH. No one has put forth a reason why
OpenSSH is even theoretically better. So why are we running it?
-tom
\_ Because it's open and open is kewl. Ride bike!
\_ OpenSSH is as good as FSecure in terms of protocol support
and because its auditing practices are like OpenBSD it is
proactively secure. Who knows what buffer overflows are in
the commercial closed source alternatives. Besides, Tatu
is a much more immature punk than Theo de Raadt.
\_ OpenSSH is absolutely not as good as FSecure in terms of
protocol support. OpenSSH does not support session
re-keying, which is a required part of the ssh2 protocol.
The ssh server from http://www.ssh.com also supports this, and
is, of course, open source. -tom
\_ Okay explain to me why you need session re-keying.
And Tatu's ssh from http://ssh.com may be "open source",
but there are serious restrictions on who can and
cannot use it. OpenSSH has no restrictions.
\_ I need session re-keying because IT IS A
REQUIREMENT OF THE PROTOCOL and therefore
PROPERLY-FUNCTIONING SSH2 CLIENTS DO NOT WORK
WHEN CONNECTED TO OPENSSH SERVERS. How many
times does this need to be explained? -tom
\_ Whatever. What is re-keying anyway?
What does it do and why is it needed
by the protocol? I mean SSH v2 seems
to work fine without it when using
OpenSSH. Are you just being ANAL again?
\_ Leave your ssh2 client idle for an hour or
so when connected to an openssh server.
It will freeze eventually and that makes
SSH2 protocol support in OpenSSH useless for
people who need it.
\_ The fact that openssh does not support rekeying made its
ssh2 protocol support nearly useless. Has this been fixed in 2.5.1?
\_ Just short by one feature. No big deal.
\_ This is a big deal for sites that need a working ssh2
protocol support
\_ soda doesn't need ssh2.
\_ fsecure ssh 2.3 and earlier have a flaw in their HMAC code.
this is documented along with the openssh lack of rekeying:
http://www.openssh.com/faq.html#2.3 --jon. |
| 2001/2/22 [Computer/SW/Security] UID:20644 Activity:nil |
2/21 Using Fsecure's (ssh v2.0.13) i attempted to do a very large scp -r
which began fine and copied about 223 megs of files before it hung and
is not doing anything. On two other machines i got about 13 (of a
planned 70) megs worth of files transferred before it stopped and hung
there. Has anyone experienced anything like this? What is going on?
What should I do?
\_ Use OpenSSH. I copy gigs (cd images) with it and have had no problem.
\_ thanks, but i already had an rsync binary for these systems and
i just popped that on there and ran it over ssh and all was well. |
| 2001/2/21 [Computer/SW/OS/Linux, Computer/SW/Security] UID:20637 Activity:nil |
2/19 http://www.securityfocus.com/bid/2364 Potentially major security hole in
linux kernels up through 2.2.18
\_ Shocking. A security hole in a linux kernel... who wooda thunk it?
\_ no. it is _all_ kernels, we verified this last night. you want to
change, in /usr/src/linux/sysctl.c (around line 1125), the line that
reads int l, len to size_t l, len. - paolo |
| 2001/2/17 [Computer/SW/Security] UID:20620 Activity:moderate |
2/16 Anyone here running SRP telnet? The URL is:
http://www-cs-students.stanford.edu/~tjw/srp
It looks better than SSH (no lawsuit, Open vs. DataFellows, etc).
I know it's from the farm (but hell, some of us are grad students there).
\_ I wrote some papers with Tom, he's a pretty sharp guy. I think
SRP is more secure than SSH, the only problem is that nobody
uses it. Also, if I recall correctly, it doesn't encrypt
anything after the login. |
| 2001/2/16-18 [Computer/SW/Security, Computer/SW/Unix] UID:20609 Activity:kinda low |
2/16 I've got a (very) remote Solaris 7 box that I lost the root password
to (been a long time). I do have a non-privileged account on the box.
Box is on the internet and it's not been patched in awhile. Any
suggestions on methods/tools to recover root? I hate to have to go
cross-country and hook up a CDROM drive to it. TIA (and sorry, no,
I cannot post the hostname)
\_ yeah, I also lost the soda root pw, and can't get to the box to hook
up a CDROM. Any ideas?
\_ Uh huh. "You" have a remote Solaris 7 box that "you lost" the root
password to, and you need help to get it "back".
\_ I'd suggest a search on <DEAD>www.wannabe-hacker-dork-info.com<DEAD> Look,
if you can't find very basic info like this on the net, you have
no business having root to anything.
\_ Giving you the benefit of the doubt, you should probably at least
identify yourself if not the hostname if you want to have at least
a chance of the rest of the motd monkeys treating you as anything
other than a wannabe script kiddie. Requests like this are obviously
by default suspicious, and anonymity only solidifies certain
assumptions. |
| 2001/2/15 [Computer/SW/Security] UID:20602 Activity:very high |
2/14 I can't connect to soda using SSH Secure Shell from SSH Communications
Security. I know I can use TTSSH, but is this normal? I get
a "Packet integrity error". I can connect via SSH1 to other
computers ...
\_ I believe this is what tom keeps complaining about. Why don't
you get a different SSH client.
\_ or just get rid of tom's account.
\_ why don't we get a working SSH server? F/Secure implements
the protocol correctly. -tom |
| 2001/2/13 [Computer/SW/Security, Computer/SW/OS] UID:20580 Activity:nil |
2/12 I just read CERT Advisory CA-2001-03 and it seems that there
is a new email virus out there, but it seems to be windows
specific. I don't quite understand how a email message can
be a virus? In general, do they exploit buffer overflows in
the viewing program to start executing their image rather
than the viewing program? How does this work?
\_ This one is just an executable; users tend to double-click
on it, which runs the program.
\_ So, this "virus" doesn't require any real coding
skill or OS/App knowledge like the Internet Worm
of the early 90s? Glad I don't use WinBlows.
\_ Nope. These viruses depend on the idiocy of the
user for their survival. And since there exists
a plethora of idiots in the Windows world these
viruses tend to spread quite rapidly.
2/12 We're Windoze weenies running Win2K for web serving, SMTP, and
file serving. We would like to put either OpenBSD or Red Hat
Linux up and slowly migrate services here, including backup.
The argument for OpenBSD is that, as newbies, we're less prone
to suffer for security holes. The argument for Red Hat is that
it's widely supported, and we should learn how to secure it
day by day anyway. When all is said and done, which is
better for our purposes?
\_ I would run OpenBSD for SMTP and file sharing (I'm assuming
you want SAMBA, but if you want NFS, OpenBSD supports v3,
unlike LinSUX). You would probably be better off running
LinSUX for web serving, since you can get nifty cool web
stuff like PHP, ASP (yes M$ ASP is available on Linux,
via a company called ChiliSoft AKA Cobalt AKA Sun), JSP,
Servlets, FrontPage Extensions, etc. to run on LinSUX much
easier than *BSD and Solaris.
If you want a dedicated web serving appliance with LinSUX
take a look at the Cobalt (AKA Sun) RaQ3/4, they are pretty
cheap and do web stuff pretty well (all that nifty web stuff
is pre-installed and configured (except JSP & Servlets) on
the RaQs).
\_ This respondent has no clue, in case that wasn't obvious.
\_ Thanks, after consulting with a few people, we're leaving
the machine behind a NAT box, running Linux-Mandrake with
ReiserFS (until something with 2.4.1 comes out) and mapping
ports as necessary.
2/12 uniq only strips duplicates that are adjacent to one another.
What is an easy way to strip ALL duplicates from a file?
\_ foo | sort | uniq
\_ Or, if you want to keep the file in its original order:
perl -ne 'print unless $seen{$_}++'
\_ Boy, I feel as though i deserve a good whacking with
a thick clue stick. Thanks, i'm an idiot. -TOP
(and this is why i don't sign my posts).
\_ sort -u is cooler.
2/12 Is there a FAQ for getting pgp to work with automatically
with pine spec. for on soda? Sth about the way I've got
the filters options setup or the "display.csh" script I set
up isn't working. -ulysses
\_ you should switch to mutt. mutt integrates with
pgp very well.
\_ Yeah until you upgrade. Remember, the mutt development team
purposefully changes pgp config flags every release (to make
sure us mortals don't get rusty).
\_ Suggestion appreciated and i will look at mutt, but I know
pine can work with pgp since it works on another system I use
w/o problems. Does anybody use pine w/ pgp and could they send
me perhaps the relevant portions of their pinerc and display
script? -ulysses
\_ Have you tried pgp4pine? http://pgp4pine.flatline.de/
\_ Looks good, though I bet I lack the fu to install this in my home
directory (i.e. without being root on soda). -ulysses
\_ if you're using pine, you clearly lack fu
\_ real men read their mail with shell.
2/12 Poll. Most of the time I am (a):
motd reader |******
motd poster |****
motd distorter |***
motd censorer |*
\_ censor, you [CENSORED]
motd nuker |
motd mutator |*
motd reformator |*
loser |*************
kchang (loser) |*
tom |**
ali |***
psb |****
!psb |
proud troll |*
stupid troll |*
ignorant troll |*
earning twink
points |*
motd? huh? |***
just amused |*
picker |
grinner |
lover |
sinner |
joker |
smoker |
midnight toker |
looking for tjb |*
tjb *|
bitch |*
maiden |*
mother |*
crone |
lover |*
sinner |*
saint |*
\_ some of these are redundant. loser is inclusive of troll,
censor, nuker, mutator. And censor is inclusive of
tom and ali.
2/12 In emacs I can do C-X C-F *.cc and all my cc files get loaded in.
How do I do this in XEmacs?
2/12 I followed the FAQs on automounter from www.sunhelp.org but I'm still
not able to get the damn thing working. Are there any other FAQs?
I'm trying to automount home directories WITHOUT running NIS+ under
solaris. Is this even possible?
\_ Yes it is possible, but not recommended. Take a look at the
Solaris part of the Automounter FAQ:
http://www.linux-consulting.com/Amd_AutoFS/autofs.html
And what exactly are you trying to do with the automounter?
It's a complete POS that should be avoided like the plague.
Even if you get it running, you will have all sorts of problems.
(Trust me, I've been there. We had autofs on all our boxes at
Cisco and if any of the servers or the NIS/NIS+ masters went
down or lost connectivity, you couldn't use your Sun box and
you couldn't even reboot it cleanly. And this happened all
the time because of stupid ClearCase.)
If you need similar functionality to the automounter, please
try AFS or Coda.
2/12 I am so screwed! I'm calling around, trying to make dinner
plans for Valentines day, and everything is booked. Is it
completely hopeless or can I save our relationship?
\_ McDonalds, Burger King, Jack in the Crack, and Carls Jr. are
always available w/o reservations. You could potentially
score more points by cooking dinner for her. In that case,
it might be a good thing that you couldn't get reservations
but you'd better learn how to cook really fast. Here's a
nice dessert tip that worked for me. Get some fruits (chopped
honeydew, strawberries, bananas, etc...) in a bowl and find
an outdoor stove and some ghirardelli chocolate. Take her
out to a romantic place. I think you can fill in the rest.
-- dateless for V-Day.
\_ if you need to wine and dine your GF to "save" the relationship,
then it's probably not worth saving. Cooking for her is much much
more meaningful. Even if you can't cook a decent meal, the gesture
is something she will remember.
\_ by "cook", we mean candlelit dinner, silverware, several
courses -- not incandescents, TV blaring in the background,
Napster downloads on your counterstrike server. I hope
most sodans already knew this, but ...
\_ by "cook" I assumed that you meant that I should get
my mom to cook and my sister to help me clean and
decorate the place. But this doesn't mean that I can't
be downloading mp3 from napster on my counterstrike
server while I prepare and while we eat.
\_ Get married, it will solve all your problems.
\_ Dump her today. Get back together on Thursday.
Take her out then.
\_ I'll take her out, I can get reservations
\_ You couldn't get reservations even two weeks ago. Plan earlier
next time. BTW, the cooking thing is a good idea.
\_ I was actually able to walk into a place that was reasonably
nice last year.
\_ Try Trattoria la Siciliana on College, they had space left
when I checked on Saturday. Also, I just cancelled my
reservation at Mazzani Trattoria on Telegraph--decided to
cook instead.
\_ You're doomed. Give it up or get married.
\_ Lyon's or Olive Garden :P
2/12 I am trying to use Win95 ftp with skey but there is
no prompt to enter the one-time password. is there a
command I can use through the literal command?
\_ That's strange. It used to work with my NT ftp where it prints
the key and asks for the one-time password. But today it doesn't
do that anymore. Something is broken? -- yuen
2/12 Go see "Oh Brother, Where Art Thou?". Very well done. A bit weird
but so are you if you're reading this.
2/12 If any of you are worried about a Napster blackout, checkout
imesh at http://www.imesh.com/download/ !
\_ The judge ruled against them? I didn't see that anywhere.
\_ boycott metallica. They are the cause and the cry babies.
make me poor.
\_ What I don't understand about this whole napster business
is that closing down napster just makes it harder for
people sharing completely legal (or at least copyright
expired material).
\_ Do you have a point or are you just an idiot?
\_ Bow to leper messiah.
2/12 I am broke. I am looking for an ass-kicking spreadsheet to start
keeping track of my expenses.
\_ Quicken and Microsoft Money are better at this than any spreadsheet.
\_ It's called a ledger. You can make one using a $0.10 notebook from
longs or payless. You have one column where you write in the date
of a transaction, another where you write in a description and
a last one where you record if it was + (deposit) or - (expense).
Add it up at the bottom of a page and transfer to the next.
\_ I just use a plain text file to do this.
\_ If you are broke, a text file costs too much money.
\_ Perl!
\_ Hey, I thought we went through this! Use automatic deposit
to put a portion of your paycheck into a savings account and DO NOT
ever withdraw from that account. I'm able to save 20K a year
that way. And I'm not making 6 figures. -frugal guy
\_ Only 20K. How much do you make? ~ 45K? I'm saving ~ 40K a
year by direct deposit into my money market account and
I'm not making 6 figures either.
\_ I'm making $2600 mortgage payment a month and sending $1K/mo
to my parents (non-tax-deductible) and contributing 11% to my
401(k), and I'm not making 6 figures either. Although it's
sad that we need to compete on how little we spend instead of
how much we make.
\_ I'm 15% to 401(k), 10% to ESPP, the rest directly
into my money market account. I live at home with
my parents, so I cut back on costs there. The only
recurring costs I have are DSL ($69/mo) and my car
($50 gas/mo, $50 insurance/mo, $20 maintenance/mo).
Occasionally I buy clothes or computer equipment,
but my yearly expenditure is covered by dividends
on a single mutual fund I own, all the other dividends
are reinvested. - soon to be member of the idle
rich.
(BTW, I don't consider non-salary income toward
that 6 figure thing. My salary is less, but I
earn more via investments and such)
\_ My mortgage is higher, my parents are multi-multi-multi-
millionaires, I'm making comfortable 6 figures, putting
in 10% and I still have time to edit the motd. Oh yeah,
redecorating the house next month, too. The maid will
like the new arrangement as it leaves her less to clean.
\_ In other words, yer mom is kicking your lazy, fat,
arrogant ass out of the house because your life is as
pointless and contrived as your motd posts.
2/12 If space is a vacum how is heat dissipated in a spacecraft?
\_ Space isn't a true/pure vacuum. Roughly 1 hydrogen atom per
10 cubic centimeters in deep space. So they say. I haven't
personally measured.
\_ What's your point? Are you trying to assert that this
low density of gas removes significant heat? Or are you
just spouting idiotic irrelevancies?
\_ I think he is just trying to say that space is not a vacuum.
\_ Yes. That's what I was saying. Unfortunately, some motd
posters are too clueless to recognise a simple correction
of fact for what it is. "If space is a vacum[sp] how..."
is based on the false premise that space is a vacuum.
\_ Perhaps you need help -- look up "sophistry" in the
dictionary. Perhaps "semantic" and "specious" as
well.
\_ Nice try but the dictionary won't help you. You
were just being stupid and obnoxious.
\_ No, actually I'm saying that this fool is
puffing himself up with easily acquired
information, without actually answering
or in any way addressing the question. Oh, and
speaking of the dictionary, you might want to
start by looking up "clue" before posting again.
\_ infrared, low frequency EM
\_ they use radiators. Black body radiation isn't as efficient
at getting rid of heat as conduction is, but when you have no
atmosphere, it's yer only choice, unless you want to waste a
lot of mass in evaporating or ablating a cooling material.
\_ someone who's not an idiot!
\_ Yourself? Don't be a fool, idiot.
\_ Same way as how heat is dissipated from the Sun. |
| 2001/2/13-14 [Computer/SW/Mail, Computer/SW/Security] UID:20575 Activity:high |
2/12 Is there a FAQ for getting pgp to work with automatically
with pine spec. for on soda? Sth about the way I've got
the filters options setup or the "display.csh" script I set
up isn't working. -ulysses
\_ The happy ending. Somebody fixed something because the
filter works all of a sudden. Note that, if anybody
else has a problem, check out /usr/local/bin/pgpdecode.
\_ you should switch to mutt. mutt integrates with
pgp very well.
\_ Yeah until you upgrade. Remember, the mutt development team
purposefully changes pgp config flags every release (to make
sure us mortals don't get rusty).
\_ Suggestion appreciated and i will look at mutt, but I know
pine can work with pgp since it works on another system I use
w/o problems. Does anybody use pine w/ pgp and could they send
me perhaps the relevant portions of their pinerc and display
script? -ulysses
\_ Have you tried pgp4pine? http://pgp4pine.flatline.de
\_ Looks good, though I bet I lack the fu to install this in my home
directory (i.e. without being root on soda). -ulysses
\_ if you're using pine, you clearly lack fu
\_ real men read their mail with shell.
\_ pinesh! pinesh! pinesh is the Standard!!! Uhh...
\_ In bourne shell a paging mail reader is
about 5-10 lines of code. A real man can
type it all in on the command line.
\_ Just add these to your .pinerc, nothing else needed:
display-filters=_BEGINNING("-----BEGIN PGP")_ /usr/local/bin/pgp -f
sending-filters=/usr/local/bin/pgp -feast _RECIPIENTS_
\_ Can I still send emails to people who doesn't have PGP software?
\_ are you chinese? -ali
\_ That is NOT all you have to do. |
| 2001/2/12-13 [Computer/SW/Security, Computer/SW/Unix] UID:20571 Activity:high |
2/12 I am trying to use Win95 ftp with skey but there is
no prompt to enter the one-time password. is there a
command I can use through the literal command?
\_ That's strange. It used to work with my NT ftp where it prints
the key and asks for the one-time password. But today it doesn't
do that anymore. Something is broken? -- yuen
\_ Today (2/13) I tried again, and it works okay now. You just
type the one-time password at the "Password:" prompt. -- yuen |
| 2001/2/9-10 [Computer/SW/Security] UID:20554 Activity:nil |
2/9 ssh has a vulnerability. Integer overflow. Openssh is safe.
\_ Take that, Tom! Take that, Bowlarama! Take that, Convenience
Mart! Take that, Nuclear Power Plan--oh, fiddlesticks.
\_ Bowlarama! Good times! |
| 2001/2/9 [Computer/SW/Security] UID:20548 Activity:very high |
2/8 Question about ssh or need confirmation.
- purpose of using ssh is to avoid information that I read at my
terminal not being seen by someone in between the traffic, so
does that mean if my terminal is being mornitored (i.e., my employer
or network admin is watching my console at a remote terminal), they
will only see garbled messages?
- or does ssh only ensures data send between soda and my terminal not
being intercepted, but once information gets displayed on my screen,
a mornitoring agent can just capture the screen and still see every
key stroke I type in or every message I am reading?
\_ work on your fucking english
\_ hahhaha...having a hard time reading? I don't see the
others have any problem. Can you just point out one flaw
so that I can fix it.
\_ double negative, run-on sentence, fragmentary
phrase, passive voice, misspelling. And that's
just the first sentence.
\_ ssh encrypts data on the network between your host and wherever you
ssh to ( in this case, soda). If your host has been compromised
by whomever might be monitoring you, there is little ssh (or
anything else for that matter) can do to stop you from being
monitored.
\_ here's what I do at work: swap around the keycaps on my
keyboard. You should see the security people tearing their
hair out! muahhaha!
\_ how does that help really?
\_ security through obscurity. though the right way to
do this is to use a qwerty keyboard in dvorak mode.
and remove the 'W'. |
| 2001/2/7-8 [Computer/SW/Security] UID:20529 Activity:nil |
2/7 http://www.nwfusion.com/news/2001/0205ddos.html No light at the end of the
tunnel for preventing/protecting against DDoS attacks.
\_ This is not an engineering problem, but a law enforcement problem. |
| 2001/2/6 [Computer/SW/Security] UID:20512 Activity:nil |
2/3 Speaking of ssh, could soda admins generate new 'n fixed ssh host
keys so that we don't have to edit our known_hosts file every time
soda is switched from openssh to commercial ssh1 and then back to
openssh?
\_ They could. I hope they have better things to do or you'd just
ignore the errors like everyone else.
\_ It is pretty time consuming to copy a file. I give you that.
\_ I ssh to soda from about seven different systems. It is
kind of annoying to have to update known_hosts file on all of
them whenever soda admins change their mind about which version
of sshd to run. -original poster
\_ we should just have the ssh1 ssh2 and openssh binaries each of
which get called after a case statement depending on /dev/rand
then tom can bitch all he wants, and he will be a happy tom.
\_ redhat 7.1 uses SSH Version OpenSSH_2.3.0p1
\_ And your point is? I was not advocating using one implementation
of ssh or another. What I say is that the soda admins should
generate new ssh host keys so that people's clients don't
complain every time sshd is switched to openssh and then
back to data fellows ssh1. The current keys are 1023-bit and
the sshd1 fails to acknowledge that. |
| 2001/2/6-5/17 [Computer/SW/Security, Computer/SW/Unix] UID:20503 Activity:nil 53%like:19809 |
02/02 OS updated. Bugs to root. Complaints on wall/motd will be ignored.
\_ And so will complaints to root, apparently. Give me root for 30
seconds and I'll fix the sshd problem. -tom
\_ tom is the last person that ought to have root on soda.
\_ yeah, I was only the VP for a year. -tom |
| 2001/2/1-2 [Transportation/Airplane, Computer/SW/Security] UID:20496 Activity:nil |
2/1 Tomorrow's Groundhog day!
\_ http://www.intellicast.com says it's going to be cloudy in Oakland
tomorrow. So spring arrives soon? |
| 2001/1/31-2/1 [Computer/SW/Security, Computer/SW/Unix] UID:20485 Activity:very high 57%like:20472 |
1/31 Regarding the Soda MkV bios password, why not just reset BIOS?
\_ i could, but it's old and may not like it so if there's a
less invasive method, i'm all up for it, otherwise i will
\_ sign your fucking posts paolo
\_ Check for a bios password hack on the net. Never know....
\_ what kind of bozo would put a BIOS password on a
machine in a machine room
\_ One who knows just how many other people have
access to the machine room and just how often
some of them fail to make sure the door closes
all the way when they leave.
\_ get a fucking clue
\_ Uhm, yeah, and? A bios password will
somehow save you? Sigh... find a crack
or hack for it on the net. And oh yeah,
as the above said, get a fucking clue.
\_ umm, judging by the posters present
difficulty, i'd say Yeah a bios pwd.
may save you. Not everyone has the
same skill set and sometimes just
making things a bit more difficult for
an intruder is all it takes. There are
plenty of people who just check for
unlocked doors. I bet you leave yours
unlocked, because, hell, they can always
break a window.
\_ never said it would save you, just that
being in the machine room doesn't make
it any more or less useful to set one
than a machine left in a public place. |
| 2001/1/31-2/1 [Computer/SW/Security, Computer/SW/OS/Windows] UID:20480 Activity:moderate |
1/30 In NT, when I try to open or delete a file and it says "The process
cannot access the file because it is being used by another process",
is there a way to find out which process is using the file? Thx.
\_ lsof
\_ handleex.exe, http://www.sysinternals.com
\_ Is Filemon from the same site better for this purpose?
\_ reboot
\_ That won't find out and it also won't release the file if
the file is opened again at startup or login. If you
don't know what you're tal-- nevermind. It's the motd.
Go right ahead.
\_ If you don't know, you're Tal. -- talg #1 fan.
\_ chill. the answer is meant as a joke.
\_ This is Berkeley. That wasn't funny. |
| 2001/1/27-28 [Computer/SW/Security] UID:20447 Activity:moderate |
1/26 anyone ever heard of a linux kernel patch that prevents
non root users from seeing the processes of other users?
what's it called?
\_ it's called "stupid"
\_ What's "stupid" about it? Gosh, maybe this is for something
"stupid" like an ISP that allows shell access but wants to do
some stuff to keep users from invading each other's privacy?
Yeah, that's really "stupid". You're right. Who would want
something "stupid" like that?
\_ it's called uclink2
\_ reference to "uclink2" shows one's age. guess what?
there's no Web under Evans anymore either!
\_ http://www.openwall.com
\_ I don't think you need to patch the kernel.. I think this is the
default behavior if you make ps, top, and whatnot !setuid
root/mem/whatever. |
| 2001/1/25 [Computer/SW/Mail, Computer/SW/Security] UID:20429 Activity:nil |
1/24 Anybody know of any web-based newsgroups that allow you to post
a question? urlP.
\_ uh, your question doesn't make sense. you can access usenet
newsgroups via your favourite web browser... there are tons
of bulletin board type things all over the web... what the
hell are you asking?
\_ For example, http://www.dejanews.com allows you to read articles, but
you can't post a question. Using a news reader client, I can
connect to various public news servers that will allow you to
post. However, port 119 (NNTP) is shut down on the network, so
I can't use any of the news readers. My only option is to go
over the web, and most web-based newsgroups that I know of only
allow you to read, not post. Question remains - are there any
web-based public newsgroups that allow you to post?
\_ you can't post to http://deja.com as an anonymous bastard.
you need to register with them and go through http://my.deja.com |
| 2001/1/19-21 [Computer/SW/Security, Computer/SW/OS, Computer/SW/Unix] UID:20373 Activity:nil |
1/19 http://fusionone.com is finally charging people for syncing files. Let's boycott.
\_ I just signed up for "Free sync for life". What are you talking about?
\_ after using it for about 6 months, I got an email saying "email sync is
free for life. upgrade to premium account if you want to continue using
file sync."
\_ Holy shit! Someone on the net is trying to make money from their web
based service! That sucks! Let's boycott the net! The net wants to be
free! |
| 2001/1/15-17 [Computer/SW/Security] UID:20329 Activity:moderate 60%like:20332 |
1/15 Who provides the time service at the number POP-CORN (767-2676)?
\_ "Kernel" Sanders
\_ You do not need to dial "POPCORN" to hear the time. You just need
to dial 767, plus 4 other digits. ANY 4 other digits. So now you know
this, hopefully you can figure out who provides this service (No, it
isn't some strange group of people).
\_ You mean it's PacBell? So it only works in Northern California?
\_ It's certainly affiliated with the telco somehow, but this
did _not_ exist in SoCal last time I checked, so it's
not a universal PacBell feature
\_ Does not work in SoCal, even though Pacific Bell is
my telco (some areas are Verizon). --dim
\_ in LA it's 853-1212 (or possibly any four digits).
you can find out what it is anywhere by calling
411 and asking for the number for the time.
welcome to the universe. more interesting is
the number to dial that repeats your own number
back to you. it varies depending on Central
Office, and the phone co doesn't want you to have
it.
sf mission area readback #: 211-0022
berkeley: ?
\_ Yep.
\_ It worked in Reno when I lived there, but that's also
PacBell land. -alan-
\_ That's not the official number anyways. Only for bwd compat
\_ what's the number to get the phone number of the phone
you are dialing from?
\_ You have been abused by the motd formatting god.
\_ I think it used to be 1-800-MY-ANI-IS, but they changed
the password to it. -geordan
\_ Ah, I still remember the good 'ole 80s
\_ in maryland, they don't have the 767 (popcorn) feature
and i find that i miss it. is there some web page that
tells you where you can call up if you need to know the
time when you're not in norcal? i tried a number of key
search words on the web (time service, etc) and had no
luck. -hahnak
\_ RTFM (RTFphone book) or check providers home page |
| 2001/1/15-16 [Computer/SW/Security] UID:20325 Activity:high |
1/15 any plans to start running ssh2d ?
\_ OpenSSH didn't work, the other ssh2d is not free, so no.
\_ The other ssh2d is free for soda's purposes. -tom
\_ What about http://www.ssh.com/products/ssh/download.html |
| 2001/1/11 [Computer/SW/Security, Computer/SW/OS/Windows] UID:20295 Activity:high |
01/11 If you or anyone you know is running a version of Borland's Interbase
released in the past 8 years, forward the following information:
http://www.kb.cert.org/vuls/id/247371
http://www.interbase2000.com
[yes, this is a /. repost; urgency justifies it, as far as
i'm concerned] -alexf
\_ Uh, "compiled into the source between 92 and '94". Does interbase
come as partial source + binaries-with-no-source? What about the
whole open source many eyes thing? If someone can sneak in a back
door account for 6+ years, what's the point of it all? Might as
well use MS products for all the good OS did in this case.
Normally, I'd purge this as /. repost but I find this interesting
although not urgent.
\_ it was not open-source whatsoever until ~6 months ago. being a
huge body of code, it's not too surprising that it took 5 months
to find the backdoor (especially since no one would've been looking
for it directly)
\_ uh, why would anyone be running Interbase. -tom
\_ good question. not my concern. -alexf
\_ My point is, it's not urgent because no one is running
it. -tom
\_ grow up man. the real world won't always conform
to your sense of aesthetics. at your age you should have
learned that by now.
\_ ^no one^no one you know of
there's a large difference between the two
\_ ^no one likely to be reading the MOTD you twink^
\_ ah so tom knows everyone reading the motd (and
everyone else those people know; see original
post). impressive, tom.
Let's try a motd poll --
tom knows me: 0
tom doesn't know me: 6
and if i ever meet the bastard, ill kick his ass: 2 |
| 2001/1/10-11 [Computer/SW/Security] UID:20284 Activity:high |
1/9 I've inherited an old Xylogics annex box which I'd like to set up
so I can dial-up remotely via modem to access the consoles on my
four home servers. Any suggestions on how to configure this?
URLs would be fine. thanks!
\_ Install sshd. Dialup? What millennium is this? If you must, I
suggest you contact Xylogics and see if they have a manual online
or can ship you a new one for a few bucks.
\_ gee, does sshd run at the boot prompt?
\_ How else am I to access my home system consoles except by
dialup? Anyways, I found the documentation on Nortel's home
page. After much frustration (their search engine SUCKS and
page-design is slow) found some docs, but of course they are
WRONG, after downloading the huge PDF files. Bunch of
misspelled configuration parameters to lead you astray.
But I think I have it finally figured out thru my psychic
abilities. sheesh. Now all I need is a 2nd (working) modem.
\_ buddy system. put null modem cables between systems
and make sure you don't crash all of them out to the
boot prompt at the same time.
\_ You mean using one workstation as the "annex" that
has the modem? Good idea. Ah, but then I wouldn't
get to utilize and set up this annex box i got, at least
not in the most ideal configuration.
\_ This is what I was talking about with ssh but some
smart ass deleted it. You can run ssh on each box
and have: A->B->C->D->A serial connections. Thus
the only way you get screwed is if you don't have
net or box A and B are down, you need to get to B
but A is dead and unrecoverable from D. It can
happen but I doubt your home is a 24x7x365 site.
\_ You can be easily screwed. |
| 2001/1/6-16 [Computer/SW/Security] UID:20249 Activity:kinda low |
01/05 Anyone else with @home in Berkeley (I'm northside) experience REALLY
crappy service since the beginning of November? Bandwidth is still
good but latency has gone up from 40ms to >200ms.
\_ After 1.5 yrs of "experience" with @home on Berkeley southside, the
one thing I've learned is that how your service gets fucked is not
correlated 90% of the time with how your neighbors' service gets
fucked. Everyone's gets fucked up once in a while, but asking other
people in the area doesn't produce significant trends. -alexf
\_ yup, exact same problem with @home here... up to 50% packetloss
at times. it sucks. -jlau
\_ I'm sorry. I'll try to restrict my pingfloods/nmaps next time.
- .home user.
\_ nephew from norway doing ping -f's w/o root access again? |
| 2001/1/5 [Computer/SW/Security] UID:20240 Activity:nil |
1/3 If I ssh from machine foo to machine bar and sshd is trojaned on bar,
then they can't get my passphrase because it is sent encrypted, right?
But if I login with my password, can they get that?
\_ your "passphrase" never leaves your machine, because that's
supposed to decrypt your local ssh ID key.
Your "password" is encrypted to hand over to sshd.
So sshd gets to see your login password for machine bar.
It also gets to see anything ELSE you type that goes to
machine bar. |
| 2001/1/3-4 [Computer/SW/Mail, Computer/SW/Security, Computer/Theory] UID:20228 Activity:nil |
1/2 I've been getting the following error message repeatedly lately.
The authenticity of host 'quasar.cs.berkeley.edu' can't be established.
RSA key fingerprint is 14:1f:b3:63:83:6a:fe:73:4e:fa:64:30:9c:9f:c3:c8.
Is this a problem w/ quasar or is it the soda ssh client? Why doesn't
it allow me to add quasar to my list of trusted hosts? |
| 2000/12/26-28 [Computer/SW/Security] UID:20178 Activity:high |
12/26 anybody ever dealt with Amazon's customer service? I ordered an m100
that never arrived. I'm trying to get them to give me some credit
back in addition to refunding my money. They only offered a $10 gift
certificate. Pisses me off. Anybody ever milked them for more?
\_ I have used Amazon.co.uk and Amazon.de's customer service, and
it was actually pretty good.
\_ I got jacked trying to buy a Handspring Platinum. Normally they
are pretty good (I returned a Palm Viix after two months), but
this pisses me off. I used a promotional code giving me a $50
discount and they are crediting the $50 to my account
(AMZN-ELECTRONIC ?)
\_ So you buncha wankers are honestly upset that Amazon won't let you
fuck them over for hundreds of bucks?
\_ Toys R Us gave me $50 last year for missing my shipment. |
| 2000/12/21-23 [Computer/SW/Security] UID:20153 Activity:moderate |
12/20 Why is OpenSSH preferred over SSH1? Aren't all those bad ass
patented algorithms better than the free ones? Does this
mean no RSA?
\_ OpenSSH is not preferred over SSH. -tom
\_ Depends. You want code from the OpenBSD guys or from whoever?
There's no magic in the non-Open version you'll be missing out on.
\_ except working support for the SSH2 protocol and IDEA. -tom
\_ OpenSSH works just fine with IDEA, you just have to enable
it (and in OpenSSL).
\_ ssh2? Yes... and? So what? What are you doing that ssh1
isn't good enough for?
\_ Connecting from a Mac, for one. Connecting with an ssh2
client, for another. -tom
\_ OK, let's see. #1 is wrong.. I connect from a mac to
ssh1 servers all the time, and #2 is a tautology.
Boy, you're a bright one, tom.
\_ I "connect" from a Mac to ssh1 servers, but the
software available has insufficient features. And
#2 isn't a tautology if you are someone running
a system that has to be accessed remotely (such as,
just about every machine running ssh). -tom
\_ How many machines with _only_ ssh2 clients have
you worked with?
\_ I have had to install ssh2 servers so
people with only ssh2 clients could
connect. Real world. -tom |
| 2000/12/19-20 [Computer/SW/Database, Computer/SW/Security] UID:20126 Activity:high |
12/19 One of my major performance bottlenecks is the need to log
every entry in a single log file. This leads to contention for
write access lock to the file, delaying each process. What to do?
\_ write to per process log file, and have a background process
coalesce log files together.
\_ this method provides the most concurrency
\_ or write to sockets with a separate process listening
on each, handling the logging.
\_ this method is easy and most similar to what you're
already doing
\_ use a real db engine
\_ for something this simple it might not be worth paying for
one. plus, it gives this guy job security. |
| 2000/12/17-18 [Computer/SW/Security, Computer/SW/Unix] UID:20119 Activity:nil |
12/17 http://www.nipc.gov/warnings/assessments/2000/00-062.htm
\_ yeah. "Energy Crisis" |
| 2000/12/17 [Computer/SW/Unix, Computer/SW/Security] UID:20111 Activity:nil |
12/14 Why is it that the motd is not auto displayed when I login?
\_ I would think this is a good feature.
\_ yes, but it probably would be better to let the .hushlogin
file control it, which right now doesn't seem to do anything. |
| 2000/12/17 [Computer/SW/Security] UID:20109 Activity:nil |
12/14 Speaking of ebusiness... http://www.eeye.com
\_ hacked page archived at www.csua/~mikeh/eeye-index.html
\_ My IP is blocked. Has eeye blocked everyone?
\_ yes |
| 2000/12/17 [Computer/SW/Security, Computer/SW/OS/Windows, Computer/SW/Unix] UID:20104 Activity:insanely high |
12/16 I need Windoze software that will prohibit my employees from
visiting specified web sites on the Internet (like http://cnn.com).
This should be server software, so that I do not have to run
out and install it on all the workstations. Does anyone have
any recommendations?
\_ route add -reject <subnet> or route add -blackhole <subnet>
on your border router.
\_ Yeah. Eat shit and die.
\_ what company? I'll build a site serving a mirror of http://cnn.com
(i.e. a simple solution to your stupid policies)
\_ Thanks, but all I really want is plug-and-play Windows software.
\_ The easiest thing to do is point their DNS entries to 127.0.0.1
or your corporate intranet or something. Do it on the DNS you
have their workstations pointing to for name resolution. All
childish "the information wants to be free!" Berkeley idiocy
replies removed. --graduated from Cal and joined real world
\_ I can point my machine at a different DNS server by
editing /etc/resolv.conf or whatever, thus a rejecting
route or a blackhole is the only soln.
\_ no. You can't. Why not? Because you're a non-techie
at a large company with a no-surf policy and you don't
know jack shit about that. If it were a unix box you
wouldn't have root at this person's company.
\_ Thanks, but I do want to let them access most web sites
except ones I exclude. Is there a plug-and-play solution?
\_ Yes. Like I said, you add things like http://cnn.com to your
local DNS as something else. Everything else works.
\_ The easiest solution is to get a switch and a proxy server
that can do transparent redirection of http requests to force
them all through the proxy which does filtering. (Set up one
with enough space to do caching and you'll also lower bandwidth
usage and increase access speed.) Look at products from companies
such as Alteon, Foundry, and Cisco on the switch side, and
NetApp's NetCache or something similar on the proxy side.
\_ Why? Do you like pissing your employees off? Are you trying
to convince them all to quit?
\_ Not all companies are like that. Not everyone can go get a
better job in 24 hours. Obviously these are windows no-techie
8-6 slaves there to do what they're told and nothing more. These
people are entirely fungible. |
| 2000/12/12-13 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:20086 Activity:high |
12/12 Something happened to CSUA server again? This morning I was
unable to ssh in, I have to delete the known.hosts file to
resolve the problem...
\_ weird ssh problems this morning. Looks like the tcp/80 forwarder
to soda's sshd was getting web requests!
\_ Me too!
\_ http://dailynews.yahoo.com/h/nm/20001212/tc/linux_shell_dc_1.html
http://dailynews.yahoo.com/h/nm/20001212/bs/ibm_linux_dc_1.html
\_ if it's good enough for shell and ibm...
\_ I guess ECC Ram and hot swap disks and scalable
processing just aren't what Shell Oil needs.
\_ maybe they asked for help and got turned off when
a freebsd user mouthed them off?
\_ they should have contacted an OpenBSD or
NetBSD user.
\_ i've never had a weird problem with openssh, teraterm, putty, etc.
\_ No problems with OpenSSH on *BSD (including MacOSX) or
NiftyTelnet on MacOS.
\_ openssh sucks. We should install ssh 2.3.0. -tom
\_ freebsd sucks. we should install linux 2.2.17 -!tom
\_ it really does -!!tom |
| 2000/12/12-13 [Computer/SW/Security] UID:20078 Activity:low |
12/11 Does anyone know of a Palm application designed to store passwords,
credit card info, etc. that has encryption, requires password entry
for access, enables you to sync with your PC, access all the info on
your PC, and import/export the info between your PC application and,
for example, a tab separated text file? -asb (if you send me
email, please send it to asb@eci.ucsb.edu)
\_ Speaking of UCSB, my ex-roomie was a sorority girl from UCSB
who came to attend Boalt School of Law. I did not have sex with
her, but at least she got into a better school than Hastings.
\_ Forget about your silly whims, it doesn't fit the plan. |
| 2000/12/12-14 [Computer/SW/Security] UID:20077 Activity:nil |
12/12 Is it possible to keep the same key each time SSH is changed/
upgraded?
\_ The key has never changed. The problem lies in the
fact that soda has a really really old key and the 2 ssh programs
treat the keys differently. Really old versions of ssh created
1023 bit keys instead of 1024 and ssh has continued to lie about
the keysize. OpenSSH's sshd, on the other hand, tells the truth.
This confuses your ssh client. -mikeh
\_ I think that you can fix this by editing the length field for
the key in your $HOME/known_hosts file. |
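The 1023-vs-1024 mismatch mikeh describes, and the known_hosts edit suggested in the reply, worked through as an added example (not code from the motd or from any ssh implementation). It assumes the SSH1 known_hosts layout "hostnames bits exponent modulus [comment]", compares the declared size with the real bit length of the modulus, and rewrites only the size field; hostnames and moduli below are constructed sample values, not real keys.

```python
"""Find and repair SSH1 known_hosts entries whose declared key size is wrong.

Added example, not code from the motd or from any ssh project. It assumes the
classic SSH1 known_hosts layout (one entry per line):

    hostnames bits exponent modulus [comment]

The mismatch described above is a 'bits' field of 1024 sitting in front of a
modulus that is really 1023 bits long. Every value below is constructed for
illustration; the sample moduli are NOT real RSA keys.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Ssh1HostKey:
    hosts: str      # comma-separated host names / addresses, as written
    bits: int       # declared modulus size (what the server claims)
    exponent: int   # RSA public exponent (35 was the old ssh1 default)
    modulus: int    # RSA modulus n, as a decimal integer
    comment: str    # optional trailing text, "" if absent

    @property
    def actual_bits(self) -> int:
        """Real size of the modulus, independent of what the line declares."""
        return self.modulus.bit_length()

    def mismatch(self) -> bool:
        return self.bits != self.actual_bits

    def to_line(self) -> str:
        fields = [self.hosts, str(self.bits), str(self.exponent), str(self.modulus)]
        if self.comment:
            fields.append(self.comment)
        return " ".join(fields)


def parse_ssh1_line(line: str) -> Ssh1HostKey | None:
    """Parse one known_hosts line.

    Returns None for blank lines, '#' comments and anything that is not an
    SSH1 entry (OpenSSH 'host ssh-rsa AAAA...' lines have a key type where
    the decimal bit count would be, so they fall through untouched).
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 4)
    if len(parts) < 4:
        return None
    hosts, bits, exponent, modulus = parts[:4]
    if not (bits.isdigit() and exponent.isdigit() and modulus.isdigit()):
        return None
    comment = parts[4] if len(parts) == 5 else ""
    return Ssh1HostKey(hosts, int(bits), int(exponent), int(modulus), comment)


def repair_known_hosts(text: str) -> tuple[str, list[tuple[str, int, int]]]:
    """Rewrite the declared size of every SSH1 entry to match its modulus.

    Returns (repaired text, list of (hosts, declared_bits, actual_bits)) so the
    caller can see exactly which entries were changed. The modulus and exponent
    are never altered: only a genuinely different key should change those.
    """
    out_lines: list[str] = []
    fixes: list[tuple[str, int, int]] = []
    for line in text.splitlines():
        key = parse_ssh1_line(line)
        if key is None or not key.mismatch():
            out_lines.append(line)
            continue
        fixes.append((key.hosts, key.bits, key.actual_bits))
        key.bits = key.actual_bits
        out_lines.append(key.to_line())
    repaired = "\n".join(out_lines)
    return (repaired + "\n" if text.endswith("\n") else repaired), fixes


# Constructed sample data: odd integers of a known bit length standing in for
# RSA moduli. They are not keys for any real host.
SAMPLE_MODULUS_1023 = (1 << 1022) | 0x2F9D1  # bit_length() == 1023
SAMPLE_MODULUS_1024 = (1 << 1023) | 0x1A4B3  # bit_length() == 1024
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample file\n"
    f"soda.example 1024 35 {SAMPLE_MODULUS_1023}\n"          # old sshd lied: really 1023
    f"quasar.example 1024 35 {SAMPLE_MODULUS_1024}\n"        # consistent, left alone
    "other.example ssh-rsa AAAAB3NzaC1yc2Econstructed u@h\n"  # SSH2-style, passed through
)

if __name__ == "__main__":
    repaired, fixes = repair_known_hosts(SAMPLE_KNOWN_HOSTS)
    for hosts, declared, actual in fixes:
        print(f"{hosts}: declared {declared} bits, modulus is {actual} bits -> fixed")
    print(repaired, end="")
```

Running it against a real ~/.ssh/known_hosts only touches the size field, so a server that presents a genuinely different modulus still triggers the client's host key warning.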
| 2000/12/12-2001/2/2 [Computer/SW/Security] UID:20076 Activity:nil |
12/12 We have switched versions of sshd since the OpenSSH one was hanging.
Mail root if you witness odd behavior. -root |
| 2000/12/12-13 [Computer/SW/Security, Computer/SW/WWW/Server] UID:20073 Activity:nil |
12/11 What are the security implications of allowing the Delete method?
Does apache allow that by default? Does it really mean that any
user could send a header commanding your server to delete any file
that nobody is able to write? If so, how do you disable this method?
\_ Something like
<Directory />
    <LimitExcept GET PUT other-explicit-methods-you-like>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory> |
| 2000/12/9 [Computer/SW/Security] UID:20055 Activity:nil |
12/8 SSH question. Any idea why I am getting this error:
Invalid SSH_AUTH_SOCK `', it should contain at least one /.
and it gets set to "agent-socket-21980" instead of
SSH_AUTH_SOCK=/tmp/ssh-user/agent-socket-21980 ? |
| 2000/12/6-8 [Computer/SW/Security] UID:20022 Activity:high |
12/6 Does @home allow services? No. Y'all were wrong yesterday.
http://www.home.com/qa.html#server
<DEAD>www.athome.att.com/faq.html#server<DEAD>
\_ Genius, you're reading the generic @home agreement. The local
Bay Area one I signed when I got my service doesn't say I can't
run a service. It only says I can't resell net or run a business
and I'm responsible for my own security. In fact the agreement is
chock full of warnings about hax0rz if I run a service but *never*
says I can't. Thank you for using @home in the SF Bay Area.
\_ The one I signed in Fremont explicitly says I can't run a
server, and I get scanned for running NNTP every day --dbushong
\_ Disallowing and preventing are entirely different.
\_ Hey, that's naughty!
\_ but effective. I run an ebusiness from an @home site.
- small traffic, high price one, and haven't had any
probs.
\_ My brother runs a Cobalt Qube3 with web/ftp/nat/ssh
and he has had no problems. @home doesn't seem to
mind/care. ----ranga |
| 2000/12/6 [Computer/SW/Security] UID:20014 Activity:nil |
12/5 If you run xdm rather than ssh-agent xinit, is there some way to use
ssh-agent for everything and not just "ssh-agent xterm" ?
\_ yes.
\_ More helpfully: put the line
eval `ssh-agent`
near the beginning of your .xsession. |
| 2000/12/6-7 [Computer/SW/Security] UID:20011 Activity:nil |
12/5 I am trying to write a report on SSH does anyone know why
X11 forwarding makes a host more vulnerable to attack? Any
good sites to find information on the weak spots of SSH?
I have the RFC but don't know enough write about weak points of
SSH. -nesim
\_ If a bozo user types 'xhost +' on either end of the connection,
then all the ssh in the world won't keep others from sniffing
their keystrokes via X.
\_ The argument goes as follows: if you ssh from your trusted host,
to an untrusted host, then from there to a trusted host, and run
X clients off of the remote trusted host, SHOCKER: root on the
untrusted host might be able to do something nasty. Fucking duh.
I hate it when shit like this gets called a security hole. Once
and for all, people: YOU CAN NOT PROTECT YOURSELF FROM A MALICIOUS
root USER. PERIOD. (Please don't cite non-unix operating systems
or some silly securelevel hack as way of counter"proof") |
| 2000/12/5-7 [Computer/SW/Security, Computer/SW/WWW/Server] UID:20009 Activity:very high |
4/249 I think my employer logs all web traffic. Is there any free software
I can run to block this? Like a proxy or some sort? Thanks.
\_ http://www.anonymizer.com
if you don't want to pay for ssl service do the following:
1. setup apache+ssl at home
2. write a cgi that takes in url request and then forwards
it to anonymizer and parses the response to get rid of
the annoying tags.
3. configure your browser to use your home box as a proxy
Other options include hacking junkbuster to support https.
\_ j is that you?
\_ you idiot, I can't even log into soda from work thanks
to a certain wonderful firewall.
\_ yes theres plenty of ways to do this.
\_ obhttp://www.zeroknowledge.com (it's what it was meant for -
i.e. people not knowing what you are doing exactly)
\_ How to check that the company logs all web traffic?
\_ write a bot that hammers a bunch of sites, such as http://apple.com,
http://sun.com and http://microsoft.com. run it on your machine and all the
other machines you can get your hands on. Clueless admins will
think that its 'software updates' or some such thing. Your
real traffic will be obscured by the noise. Eventually the will
give up and realize that logging is stupid. |
| 2000/12/4 [Computer/SW, Computer/SW/Security] UID:19990 Activity:insanely high |
12/4 E-COmmerce sucks. COmputer science rewls.
\_ Got fired from http://dogfood.com?
\_ Doing work sucks, playing around with a hobby rules. Good luck
guy, hope you can come up with something interesting for the
academic community to attack.
\_ You got your whole life to find something that you like to do
and that someone will pay you for doing. Get to it. If you
can read the MOTD, it's not hard to get there from this point
in your life.
\_ Computer science doesn't pay for my Armani collection and
my awesome Boxster -paper millionaire
\_ But I am perfectly happy with blue jeans and t-shirt,
and my little Miata. |
| 2000/12/3-4 [Computer/SW/Security] UID:19986 Activity:low |
12/1 Say I want to encrypt some text files that I don't use that often
(eg, sent-mail files). Is there any command line util better than
crypt available to do this? Maybe something that uses the new DES
standard? (I don't want to attempt spelling it)
\_ Use "pgp -e".
\_ Does this have a batch mode for (de|en)crypting multiple files?
\_ You mean the new AES standard. (And Rijndael isn't _that_ hard
to spell)
\_ If you're some anthropologist used to garbage 'languages' from
the underlife, maybe. |
| 2000/12/2-4 [Computer/SW/Security] UID:19978 Activity:high |
12/01 Anyone get TeraTerm + ssh to work connecting to Soda? I changed the
protocol to blowfish, but SSH mysteriously drops after attempting to
connect. (Alternatively, a list of win32 ssh clients would be
useful--I didn't find the ones on the csua www page to be useful.)
\_ It works for me. Does it give any error messages when it
disconnects? Can it connect to other machines than soda?
\_ Here is the obligatory why don't you install a real os with a real
ssh client follow up.
\_ I installed it on my dad's Windows98 box to login when I visit them
and had no problems (other than getting a new key when we went to
Mark VI). -- bcmuller
\_ Worked fine for me as well, and I've installed it on several
different machines (win98, win2k, winnt 4)
\_ Are you sure you're using Tera Term Pro and TTSSH?
\_ Works for me, too. -ausman
\_ sshd has been acting up - there have been random times when it
has refused connections. From what I know mikeh has been considering
installing the old ssh. This is information dated last week - paolo |
| 2000/11/29-30 [Computer/SW/Security] UID:19951 Activity:high |
11/29 So, i have host based ssh authentication going; i think.
How to test? If i try to use scp from an authorized
user/host it still prompts me for a password. Does that
mean i don't have it set up correctly? (i'm using openssh)
\_ If you mean you want to use a .shosts file, you need to:
* make sure the server has:
RhostsRSAAuthentication yes
IgnoreRhosts no
* put the hostname (and optionally username) in ~/.shosts for
the target user (on the server)
* ssh from the _server_ to the _client_ using the same hostname
that the client will reverse as (i.e. if your client is 1.2.3.4,
and 1.2.3.4 reverses as <DEAD>joebob.example.com<DEAD>,
ssh <DEAD>joebob.example.com<DEAD>) If your client is a windows box, this is
more complicated and you'll need to configure your client software
to generate and use an ssh host key. Make sure the host key is
in ~/.ssh/known_hosts
* ssh -v server from the client to test
--dbushong
|
| 2000/11/29 [Computer/SW/Security, Recreation/Dating] UID:19943 Activity:nil |
11/28 http://www.wired.com/news/culture/0,1284,40369,00.html
\_ Sign up fast before they run out!! Finally, women that geeks have a
chance with! |
| 2000/11/28-29 [Computer/SW/Security] UID:19938 Activity:nil |
11/28 With SSH, when we change our password for the account do we have to
regenerate the one time pass phrase?
\_ Nope, they're separate. |
| 2000/11/28-12/4 [Computer/SW/Security, Computer/SW/Unix] UID:19937 Activity:kinda low |
11/28 NIS question. My nsswitch.conf has the line
passwd: files nis nisplus
To me this says that the user should be looked for in the passwd file
first, then checked for in NIS, then NIS+... Yet when the NIS server
isn't available, I have to wait for a huge timeout before I'm finally
logged in (yes, there is an entry in the passwd file). Why does this
happen and how do I get the expected behavior? -mogul
\_ It's probably doing something other than a passwd lookup.
You'll have to truss the process to find out what. -tom
\_ Or you can check for other nis lines in the nsswitch.conf
automount, group, hosts may all be blocking on nis lookup.
It may be something in your .login/.profile/.[t]cshrc file
causing an nis lookup as well (like having someone else's
homedir referenced in your path). --scotsman
\_ If it's stalling in .cshrc, I think there is some option
you can set in .cshrc to show you where. Put a line with
'set verbose' or something at the top of .cshrc
And if you have root, then login as root and see if
the problem still exists. Since root has simpler dotfiles
and should have no remotely mounted home dir, you can
use it to narrow down the possible problem.
You might also modify nsswitch.conf
\_ Yes, but only if I log into another client served by NIS.
My home directory gets mounted from my main machine. On
my machine, the passwd home directory entry is set to the
local directory so it doesn't go through autofs... -mogul
to remove nis and nisplus and see what happens.
Make sure you have another xterm open however
just in case modifying nsswitch.conf locks you out.
Also try getent passwd YOURUSERNAME and see if it says
what you think it should be (i.e. is your home dir
really on your local desktop disk?)
Also check /var/*/messages file for errors
\_ what's in the groups line? is your default group in a file
or in nis? initgroups usually takes forever
\_ groups line was fine, but my group was missing from local
/etc/group. Still didn't solve the problem though. I will try
tom's suggestion when I return to work. -mogul
\_ These things are often due to DNS problems.
\_ is your home directory auto-mounted? could be the auto
mounter maps are stored on the nis server.
\_ Try: passwd: files nis [NOTFOUND=return] nisplus -- ivy |
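An added example, not from the thread above: a small simulator of how an nsswitch.conf line is walked. It models the documented rules (each source answers SUCCESS, NOTFOUND, UNAVAIL or TRYAGAIN; the default action is "return" for SUCCESS and "continue" for the rest; a bracketed clause like [NOTFOUND=return] overrides the default for the source just before it). The per-source outcomes and timeout costs are constructed inputs, not measurements. Run it and two things fall out: a user present in "files" never reaches nis at all, so a stall at login must be coming from some other lookup (group, hosts, automount, a dotfile), and [NOTFOUND=return] after nis does nothing when the NIS server is down, because a dead server yields UNAVAIL, not NOTFOUND; [UNAVAIL=return] is the clause that stops the walk there.

```python
"""Simulate nsswitch.conf source walking (constructed example, not motd code)."""
import re

STATUSES = {"SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN"}
# Default actions from the nsswitch.conf documentation.
DEFAULT_ACTION = {"SUCCESS": "return", "NOTFOUND": "continue",
                  "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_line(line):
    """Parse 'db: src [STATUS=action ...] src ...' into (db, [(src, overrides), ...])."""
    db, _, rest = line.partition(":")
    sources = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not sources:
                raise ValueError("action clause before any source: %r" % line)
            for clause in tok[1:-1].split():
                status, _, action = clause.partition("=")
                status, action = status.upper(), action.lower()
                if status.startswith("!"):          # [!SUCCESS=return] = every other status
                    for s in STATUSES - {status[1:]}:
                        sources[-1][1][s] = action
                else:
                    sources[-1][1][status] = action
        else:
            sources.append((tok, {}))
    return db.strip(), sources


def resolve(line, outcomes):
    """Walk the sources in order.

    outcomes maps source name -> (status, seconds_spent); a source that is
    not listed is treated as UNAVAIL at no cost.  Returns
    (final_status, sources_consulted, total_seconds).
    """
    _, sources = parse_line(line)
    consulted, waited = [], 0.0
    for src, overrides in sources:
        status, cost = outcomes.get(src, ("UNAVAIL", 0.0))
        consulted.append(src)
        waited += cost
        action = overrides.get(status, DEFAULT_ACTION[status])
        if action == "return":
            return status, consulted, waited
    return "NOTFOUND", consulted, waited      # fell off the end of the list


if __name__ == "__main__":
    # Constructed scenario: NIS and NIS+ servers unreachable, 60 s timeout each.
    down = {"files": ("NOTFOUND", 0.0), "nis": ("UNAVAIL", 60.0),
            "nisplus": ("UNAVAIL", 60.0)}
    for cfg in ("passwd: files nis nisplus",
                "passwd: files nis [NOTFOUND=return] nisplus",
                "passwd: files nis [UNAVAIL=return] nisplus"):
        print(cfg, "->", resolve(cfg, down))
    print("local user:", resolve("passwd: files nis nisplus",
                                 {"files": ("SUCCESS", 0.0)}))
```

The simulator only models ordering and actions; real resolvers also differ in per-source timeouts and retries, which is why `truss`/`strace` on the stalling process remains the direct way to see which lookup is blocking.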
| 2000/11/16-17 [Computer/SW/Security] UID:19808 Activity:moderate |
11/16 Do we want to copy over the old ssh host key? Or is it a feature?
\_ The host key has not changed. ssh has. We're now using OpenSSH.
\_ Oh course the host key has been changed. Otherwise I
wouldn't get this when trying to login:
\_ Due to a bug, old ssh created a 1023bit key instead of
a 1024 bit key. It advertized it as 1024bits. OpenSSH
tells the truth that it's 1023, which makes your ssh
client unhappy.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
\_ ooh!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
.....
\_ you can fix this by editing your ~/.ssh/known_hosts file. next to
the csua key, change the length from 1024 to 1023. |
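An added example illustrating the thread above; it is not code from the motd or from OpenSSH. A protocol-1 known_hosts entry is "host[,host...] bits exponent modulus", and the bits field is just a claim about the modulus that follows it. The function below recomputes the real length from the modulus, produces the corrected line, and, the part that matters for security, compares exponent and modulus between the old entry and what the server now presents, so you can confirm it is the same key with a mis-stated length and not a different key behind the same warning. The hostname and the 1023-bit modulus are constructed for the example.

```python
"""Check and repair the bit count in an SSH protocol 1 known_hosts entry.

Constructed example, not motd or OpenSSH code.
"""


def parse_ssh1_line(line):
    """Return (hosts, advertised_bits, exponent, modulus) for one entry."""
    fields = line.split()
    if len(fields) < 4 or not all(f.isdigit() for f in fields[1:4]):
        raise ValueError("not an SSH1 known_hosts entry: %r" % line)
    return fields[0], int(fields[1]), int(fields[2]), int(fields[3])


def actual_bits(modulus):
    """The length a truthful implementation reports: the bit length of n."""
    return modulus.bit_length()


def check_entry(line):
    """Return (advertised_bits, actual_bits, corrected_line)."""
    hosts, bits, e, n = parse_ssh1_line(line)
    real = actual_bits(n)
    corrected = line if real == bits else "%s %d %d %d" % (hosts, real, e, n)
    return bits, real, corrected


def same_key(line_a, line_b):
    """True if both entries carry the same (exponent, modulus), whatever the bits field says.

    This is the check to do before editing known_hosts: if the modulus the
    server presents now differs from the one you stored, the warning is real.
    """
    _, _, ea, na = parse_ssh1_line(line_a)
    _, _, eb, nb = parse_ssh1_line(line_b)
    return (ea, na) == (eb, nb)


def fix_known_hosts(text):
    """Rewrite every protocol-1 entry whose bits field is wrong; leave other lines alone."""
    out = []
    for line in text.splitlines():
        try:
            out.append(check_entry(line)[2])
        except ValueError:           # comment, protocol-2 entry, blank line
            out.append(line)
    return "\n".join(out)


# Constructed sample: a modulus that is really 1023 bits, advertised as 1024.
SAMPLE_N = (1 << 1022) + 12345
SAMPLE_LINE = "soda.example.invalid 1024 35 %d" % SAMPLE_N

if __name__ == "__main__":
    print(check_entry(SAMPLE_LINE)[:2])          # (1024, 1023)
```

Only rewrite the bits field once `same_key` agrees with the key the server sends (visible in `ssh -v` output or in the server's /etc/ssh_host_key.pub); editing known_hosts to silence the warning without that comparison is exactly the habit a man-in-the-middle relies on.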
| 2000/11/16-19 [Computer/SW/Security] UID:19804 Activity:nil |
11/16 Why does the new sshd reject cipher type IDEA on Mk6?
\_ because the new sshd does not support IDEA.
\_ Why not?
\_ Is it possible to build openssh with IDEA support?
\_ Probably because IDEA is patent encumbered, where 3DES and
Blowfish (and twofish, and rijndael, etc) are not. |
| 2000/11/15 [Computer/SW/Security] UID:19783 Activity:high |
11/14 ssh question. I cant get a .shosts file to work, I think it
has something to do with this error
Remote: Your host key cannot be verified: unknown or invalid host key.
Any idea what I need to fix?
\_ You need to add the client's host key (/etc/ssh_host_key.pub)
to the server's known hosts file (/etc/ssh_known_hosts). The
filenames vary; try adding "/usr/local" at the beginning, and
try replacing "etc" with "etc/ssh". |
| 2000/11/10 [Computer/SW/Security] UID:19705 Activity:nil |
11/9 I'm having a problem with pam and openssh. Anyone know what
the /etc/pam.d/sshd file ought to look like? |
| 2000/11/5 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:19647 Activity:high |
11/5 http://www.cnn.com/2000/TECH/computing/11/02/mideast.webwar/index.html
\_ wow. maybe l33t h4c0rs can go there to get mecenary jobs.
\_ 3733t HaxX0rz w1LL k1cK y)u 1n the nu7z.
\_ religion sucks. It does nothing but bring an endless lists of wars
and senseless deaths.
\_ not to mention kicking people in the nuts. |
| 2000/11/1 [Computer/SW/Security] UID:19622 Activity:moderate |
11/1 Can someone pls fix POP and IMAP access to soda? Thx.
\_ I never seem to get a break around here. - someone
\_ Done. -root
\_ It seems to be broken again. Can you fix it again?
\_ Done, again. If you have any idea what's causing inetd
to hang, let us know. -root
\_ Yes. root can do it.
\_ P(E|E) = 1 |
| 2000/10/29 [Computer/SW/Security, Computer/SW/OS/Windows] UID:19593 Activity:nil |
10.29 http://www.theregister.co.uk/content/1/14265.html |
| 2000/10/27 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:19580 Activity:nil |
10/26 http://www.cnn.com/2000/WORLD/meast/10/26/israel.cyberwar.ap |
| 2000/10/25-26 [Computer/SW/Apps/Media, Computer/SW/Security] UID:19565 Activity:moderate |
10/25 http://www.pantyraider.com
\_ Now why don't they have something like predicateRaider? Now that might
hold my attention.
\_ is that like ContextFreeGrammarRaider and LR1Raider??
\_ woo woo!
\_ How about corporateRaider? That would be *interesting*.
\_ almost related: http://www.phonebashing.com |
| 2000/10/12-13 [Computer/SW/Unix, Computer/SW/Security] UID:19460 Activity:high |
10/11 Pointer to how to make a secure ftp connection from cory to csua?
\_ man scp
\_ use ssh to port forward a port from cory to soda, then use
ftp -P to connect to that forwarded port. Don't forget to use
passive mode.
\_ it's -p
ftp -P 9001
\_ ssh -L 9001:csua:21
ssh -L 9002:csua:20 (can you do these two at once?)
ftp -p -P 9001 localhost
\_ I tried this ssh -L 9001:csua:21 from home and it just spit
the usage info back at me. So i tried it locally (i.e. from
HERE) and it did the same thing.
\_ You need to add the remote host:
ssh -L 9001:csua:21 csua
\_ I had tried that but it just logs me in!
\_ The port forwarding is a side-effect.
As long as you are logged in, the port
forwarding is on. I suggest using scp
unless you really, really need ftp. -- jsjacob |
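An added example for the thread above, not code from it: why forwarding port 21 with ssh -L is not an encrypted FTP session. The control connection goes through the tunnel, but in passive mode the server answers with a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" line naming a fresh data port, and the client connects to that address directly, outside the tunnel, in the clear. The forward specs and the 227 reply below are constructed sample input (192.0.2.10 is a documentation address).

```python
"""Show where the FTP data connection actually goes when only port 21 is forwarded.

Constructed example, not motd code.
"""
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_forward(spec):
    """Parse an ssh -L argument 'localport:host:hostport' into its parts."""
    lport, host, hport = spec.split(":")
    return int(lport), host, int(hport)


def forwards_from_args(specs):
    """Map (remote_host, remote_port) -> local_port for a list of -L specs."""
    table = {}
    for spec in specs:
        lport, host, hport = parse_forward(spec)
        table[(host, hport)] = lport
    return table


def parse_pasv(reply):
    """Return (ip, port) announced by a 227 reply; port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_endpoint(reply, forwards):
    """Where the client will open the data connection and whether that is inside the tunnel."""
    ip, port = parse_pasv(reply)
    local = forwards.get((ip, port))
    if local is None:
        return {"connect_to": (ip, port), "tunnelled": False}
    return {"connect_to": ("127.0.0.1", local), "tunnelled": True}


# Constructed sample: the two forwards suggested in the thread, with an IP in
# place of the hostname, and a typical passive-mode reply from the server.
SAMPLE_FORWARDS = forwards_from_args(["9001:192.0.2.10:21", "9002:192.0.2.10:20"])
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,10,39,16)\r\n"

if __name__ == "__main__":
    print(data_endpoint(SAMPLE_REPLY, SAMPLE_FORWARDS))
```

Forwarding port 20 as well does not help: that is the source port of active-mode transfers originating at the server, not a port the client ever connects to. The data port is chosen per transfer, so no static -L list covers it; this is why scp (or sftp) is the right tool, and the thread's closing advice stands.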
| 2000/10/9-10 [Computer/SW/Security] UID:19445 Activity:high |
10/9 Shouldn't we upgrade to OpenSSH/OpenSSL soon?
\_ why "should" we? -shac
\_ Because of inherent weaknesses in the SSHv1
protocol that are corrected in SSHv2 which
\_ must protect uber-super-sekrit soda crap?!?
is implemented by OpenSSH.
\_ and why then should we use OpenSSH instead of the
free (to academic institutions) ssh2 server? -tom
\_ OpenSSH default install allows connections
to/from Either SSH 1or2 and at least one of
the commercial SSH2 servers doesn't pretend to
attempt validation on bad names. (not that
that matters on SODA) -crebbs
\_ the ssh2 server also allows connections to/from
either ssh 1 or 2. -tom |
| 2000/10/6-7 [Academia/Berkeley/CSUA, Computer/SW/Security, Computer/SW/Unix] UID:19430 Activity:nil 52%like:19447 |
10/6 Readline enabled wallall in /csua/bin/wallall-rl. man readline for
details. Mail root to let them know how much you want this to be the
default. Bugs to mogul. -mogul |
| 2000/10/2-3 [Computer/SW/Security] UID:19396 Activity:nil 75%like:19390 |
10/02 Going to India next month and need a ssh client there. How do I log
onto Soda if I am far away, and don't have permission to download
any ssh client there?
\_ http://www.csua.berkeley.edu/ssh
\_ thats a ssh-in-your-web-browser java implementation of ssh.
IMHO it is pretty darned good.
\_ you can also use s/key. http://www.CSUA.Berkeley.EDU/skey-howto.html
\_ I like the windows program for skey at http://www.yak.net/skey
it also includes binaries for dos, mac, sunos, ultrix, and source |
| 2000/10/2 [Computer/SW/Security] UID:19390 Activity:nil 75%like:19396 |
10/02 How do I log onto Soda if I am far away, and don't have permission
to download any ssh client?
\_ http://www.csua.berkeley.edu/ssh
\_ thats a ssh-in-your-web-browser java implementation of ssh.
IMHO it is pretty darned good. |
| 2000/9/29 [Computer/SW/Security] UID:19367 Activity:nil |
9/29 http://www.eros-os.org/essays/capintro.html |
| 2000/9/27-28 [Computer/SW/Security, Finance/Investment] UID:19337 Activity:nil |
9/26 E*Trade security problem:
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/09/26/BU22755.DTL |
| 2000/9/26 [Computer/SW/Security, Computer/SW/OS/Windows] UID:19326 Activity:kinda low |
9/25 For DOS programmers, is there a version of Borland C 4.5 (or any other
version for DOS) run-time library that has a qsort() routine that
works with huge pointers (__huge *)? Thanks.
\_ Watcom does. You're fundamentally not going to get clib routines
from a compiler which doesn't support flat-mode memory access like
Watcom does with DOS4GW. |
| 2000/9/21-22 [Computer/SW/Security] UID:19307 Activity:kinda low |
9/20 A friend of mine got hacked through wu-ftpd, (right about the time
I was wisely moving to proftpd). He was woken up by the irregular
clicks of his hard drive and was able to disconnect them. They
were attempting to install a root-kit called "anivnew" Has anyone
heard of it? Where can i find more info? [i've searched the web to
no avail]. There was a "ps" command, which i can see how it would
be useful to disguise what was going on, but it seems to work
correctly (i.e. i can't figure out what kind of activity it doesn't
report). Also there is an SSHD server included in the kit. WHY?
(A poster mentioned that they want to secure their "victim" site but
that seems like an inadequate explanation).
\_ Well, duh. This wu-ftpd problem has been reported and fixed months
ago. Anyone who still runs the old vulnerable version deserves to
be hacked IMHO.
\_ By replacing sshd, they can patch it to 1) Sniff passwords
2) create a backdoor 3) Disable logging
\_ By using sshd they can hide better from intrusion detection
& tracking systems
\- btw, do you know what version the trojan sshd claims
to be? there might still be a way for a good IDS to
detect it. if you can mail me the src or binary,
i would appreciate it. would like to work on a
detection heuristic for our IDS. --psb
\_ proftpd had a remote root hole not too long ago... (doesn't
hold a candle to wu' though =)
\_ that one apparently never got exploited
\_ In the same way that openbsd reports long lists of exploits
and holes, mostly, they are proactively discovered and patches
released before the rest of the world knows about them. All
software projects have bugs. Some are fixed before they get
abused, others are fixed after. I prefer the former.
\_ USE WINDOWS! |
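An added example prompted by the thread above (the replaced `ps` that "seems to work correctly"); it is not code from the thread or from any rootkit. A userland rootkit's `ps` hides chosen PIDs or names, but the kernel's /proc still lists every process, so the difference between the two views is a cheap first check. The `ps` output and /proc listing used in the test are constructed; `live_check` runs the same comparison on a real Linux host. The check does not catch a kernel-level rootkit that also filters /proc, and a process that exits between the two listings shows up as a false positive, so run it twice and intersect.

```python
"""Cross-check 'ps' against /proc to spot a trojaned ps that hides processes.

Constructed example, not motd code.
"""
import os
import subprocess


def pids_from_ps(ps_output):
    """Parse 'ps -e' style text: the first column of each non-header line is the PID."""
    pids = set()
    for line in ps_output.splitlines()[1:]:      # skip the header line
        cols = line.split()
        if cols and cols[0].isdigit():
            pids.add(int(cols[0]))
    return pids


def pids_from_proc(entries):
    """Numeric directory names under /proc are PIDs; ignore 'self', 'cpuinfo', etc."""
    return {int(e) for e in entries if e.isdigit()}


def hidden_pids(proc_pids, ps_pids):
    """PIDs the kernel knows about that ps did not report."""
    return sorted(proc_pids - ps_pids)


def live_check(ps_path="ps", runs=2):
    """Run the comparison on this host (Linux only). Intersect several runs to drop
    processes that merely exited between listing /proc and running ps."""
    stable = None
    for _ in range(runs):
        proc = pids_from_proc(os.listdir("/proc")) - {os.getpid()}
        out = subprocess.run([ps_path, "-e"], capture_output=True,
                             text=True, check=True).stdout
        found = set(hidden_pids(proc, pids_from_ps(out)))
        stable = found if stable is None else stable & found
    return sorted(stable)


# Constructed sample: ps shows two processes, /proc knows about a third.
SAMPLE_PS = ("  PID TTY          TIME CMD\n"
             "    1 ?        00:00:01 init\n"
             "  432 ?        00:00:00 sshd\n")
SAMPLE_PROC = ["1", "432", "666", "self", "cpuinfo", "net"]

if __name__ == "__main__":
    print(hidden_pids(pids_from_proc(SAMPLE_PROC), pids_from_ps(SAMPLE_PS)))  # [666]
    if os.path.isdir("/proc"):
        print("on this host:", live_check())
```

Pass `ps_path` pointing at a copy of `ps` from install media or a trusted package to compare the suspect binary against a known-good one; a non-empty result from the system `ps` and an empty one from the trusted copy is the signature of the trojaned tool.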
| 2000/9/15-18 [Computer/SW/Security] UID:19258 Activity:nil |
9/15 Someone mentioned a security hole proftpd versions post 1.2.0pre9
(though the web page seems to think anything after 1.2.0pre9 is o.k.)
Can someone point me to specifics. I'm running pre10, but older
than the date that was specified. More info please.
\_ if there was one, it would probably be in the bugtraq archives
on http://securityfocus.com
\_ yes, see http://securityfocus.com; no successful exploits are known yet (or,
if there are, they've been an extraordinarily well-kept secret). And
yes, older pre10's are still [theoretically] vulnerable. |
| 2000/9/8-10 [Computer/SW/Security] UID:19206 Activity:nil |
9/7 Goddamnit. Why do web sites / hosts limit the length of passwords?
Ooh, increased security by reducing the hashable characters. Good idea
\_ Because most people are stupid and would forget anything longer
than their own first name. |
| 2000/9/6-7 [Computer/SW/Security] UID:19179 Activity:nil |
9/6 Does anyone know if there's an SSH extension for Windows Telnet?
I'm having trouble with the Whacked out Java SSH. It can't run
well when using Pine or Pico. Sorry if this screen looks messed
up. I can't see what I'm typing in Pico. --pcjr
\_ dont fucking use pine or pico.
\_ F-Secure SSH
\_ http://www.zip.com.au/~roca/ttssh.html |
| 2000/9/6-7 [Computer/SW/Security, Computer/SW/Unix] UID:19178 Activity:moderate |
9/6 I would like to install some software for the CSUA community. I
have mailed root about it but got no response. Am I going about
it the wrong way?
\_ Obviously, you have wronged root at some point in the past.
Better backup your home directory. ;)
\_ This one is just for you.
\_ Well, that's sound advice even I haven't wronged root. So
thanks.
\_ The politburo decided answering root mail was a waste of time so
kicked everyone off root who actually answered root mail.
\_ Actually that was mikeh. |
| 2000/8/28 [Computer/SW/Security, Computer/SW/OS/OsX] UID:19105 Activity:high |
08/27 Does anyone know of any SSH and/or scp clients available for the
Macintosh (free or otherwise)? Thanks -dans
\_ F/Secure SSH http://www.datafellows.com
NiftyTelnet SSH
http://www.lysator.liu.se/~jonasw/freeware/niftyssh
Do a fuckin' web search next time. -tom
\_ you could even have looked on www-inst or www.csua
(localhost). *duh*
\_ Did both. Asked the motd in case I missed anything.
Anybody know if the version of F-Secure for the Mac on
eecs-inst is the full version or an evaluation version?
-dans
\_ If you've read it, remove your fucking motd entry.
\_ BTW, this one's not legal in US until 20 Sept I believe
(RSA patent needs to run out or something) |
| 2000/8/16 [Academia/Berkeley/CSUA/Motd, Computer/SW/Security] UID:19013 Activity:nil |
8/14 Is there anyone with root access in the CSUA office during the summer?
If so, who are they and approximately what time/days are they there?
Thanks.
\_ call in the afternoon. sometimes one of us is around. -root
\_ Who do I email to set up an appointment? staff@csua or
root@csua? (unless you mean to call literally....)
\_ yeah you can call 1 510 I DONT CARE bitch ass mutherfreak. |
| 2000/8/15-17 [Computer/SW/Security] UID:19000 Activity:nil |
8/15 URL for freeware windows ssh client? Doesn't have to do anything
fancy. Only using it to login to a remote ssh-only box to run one
script for a user. I don't care about emulation quality, features,
or anything else beyond basic ssh'ing ability. No demoware with
interactive nags, delays and self bombing timers. I want to install
this for the user just once and forget about it forever. Thanks!
\_ http://www.employees.org/~satch/ssh/faq/ssh-faq-2.html#ss2.2.3
\_ Found what I needed. Thanks again! |
| 2000/8/15-16 [Computer/SW/Security] UID:18995 Activity:low |
8/14 Is there anyone with root access in the CSUA office during the summer?
If so, who are they and approximately what time/days are they there?
Thanks.
\_ call in the afternoon. sometimes one of us is around. -root
\_ Who do I email to set up an appointment? staff@csua or
root@csua? (unless you mean to call literally....)
\_ yeah you can call 1 510 I DONT CARE bitch ass mutherfreak. |
| 2000/8/14-15 [Computer/SW/Security] UID:18980 Activity:moderate |
8/14 I have installed proFTPD and want to change the banner, which
announces what it is, i have altered /etc/welcome.msg and that
has changed half of it but not all. How can i change the rest?
\_ Use the source, Luke!
\_ Careful. Remote root security hole in proftpd's older than
July 28th. --dbushong
\_ Arg. I installed proFTPD because it's supposed to be MORE
secure
\_ Try ncftpd. It isn't based on the same shitty ancient ftpd
source as almost everything else out there.
\_ As did I. Its track record of one remote root in however
many years >>>> wuftpd's "root hole of the month"
And, yes, I like the apache-style config. --dbushong |
| 2000/8/11-14 [Computer/SW/Security] UID:18965 Activity:high |
8/11 Can anyone recommend a good network monitoring program? We have
multiple Sun Servers and a buncha PC's, on a 100-BaseT subnet.
\_ mrtg?
\_ Memorize References to Tron Game?
\_ look it up on google
\_ What exactly are you going to monitor?
\_ Would like to pinpoint any problem areas, slowness,
lack of response, highest use, etc.
\-sounds you want to monitor the network, not monitor *over*
the network, in which case ping, traceroute etc. are not
what you want. mrtg is pretty nice and has a lot of uses.
but to answer your question: if you want to be serious about
this, you get to get someone who really understands this
stuff and is well-briefed about your network topology, your
priorities and other local conditions. too many people spend
lots of money on these big industrial strength solutions like
sun net manager or that hp open whatever when a halfway clueful
person can cobble something together from free stuff that meets
your needs better. but they have to know exactly what you
want to monitor. it is a very different matter to continuously
watch for suspicious stuff security-wise vs. once a week snap-
shots for capacity planning to have off-line stuff in place
that can be quickly brought online to diagnose things. it is
a different problem to get exact info about one "class c" vs.
get 95% accurate info about a couple of classBs, but to be able
to get it really fast, also depends whether you have privileged
access to routers, whether you are worried about denial of
service [a real problem with a lot of monitoring setups] --psb
\_ is it all one ethernet? how many routers you got?
\_ Sorry to be anal, but ping, traceroute and snmpwalk work
for me.
\_ ping and traceroute are practically useless for
monitoring a local network. -tom
\_ Depends on the size and subnetting. We use
ping, traceroute and snmpwalk with some homebrew
perl/java cgi frontends for managing/maintaining
our heavily switched/routed lab nets at cisco.
\_ gee, if it's switched and routed it's not local.
\_ local to me means everything on my side of the
BFR (I mean 12000 GSR). If you think local
all on the same switch, I beg to differ. I
might agree for all on the same VLAN. |
| 2000/8/10 [Computer/SW/Security] UID:18945 Activity:moderate |
8/9 I just installed openSSH --with-tcp-wrappers on my Redhat 6.2 box and
outgoing functionality works great but when i try to connect using either
ssh1 or 2 i save a key but then "password authentication fails."
I am quite certain i am using the right username/password combo.
What could be going wrong? I can still telnet in, there is nothing
in the hosts.allow/deny files that could be causing this.
\_ ssh -v
\_ Read the FAQ on OpenSSH. You need to modify pam.conf or
something like that to get it to work. --PeterM
\_ not pam.conf, /etc/pam.d/sshd, look in ~peterm/sshd
\_ You need to install openbsd where it "just works".
\_ or freebsd 4.x, or debian linux (apt-get install ssh) |
| 2000/8/7-8 [Computer/SW/Security] UID:18905 Activity:high |
8/6 <DEAD>www.svmagazine.com/2000/week33/features/Story01.html<DEAD>
Months later, the public was let in on the joke. Naughton had agreed to
give technical assistance, including writing software, to the FBI in
exchange for a lighter sentence. Neither Naughton, the U.S. Attorney's
office nor the FBI will comment on the nature of his work.
\_ We'll find out the details this week.
\_ moral of the story-- YOU ARE BEING WATCHED. Think twice before you post
on motd, wall, email, or download porn. Everything is taken as literal,
even in the so called internet fantasy world.
\_ and dont forget to encrypt your pr0n
\_ zbeny bs gur fgbel-- LBH NER ORVAT JNGPURQ. Guvax gjvpr orsber lbh
cbfg ba zbgq, jnyy, rznvy, be qbjaybnq cbea. Rirelguvat vf gnxra nf
yvgreny, rira va gur fb pnyyrq vagrearg snagnfl jbeyq.
\_ naq qbag sbetrg gb rapelcg lbhe ce0a
\_ Thank God I use my own encryption method to edit the motd.
\_ I think this was all an elaborate plot by the FBI to get a young,
extremely talented programmer to sign his life away on some classified
government project. He was probably targetted because they saw that he
was a super smart guy in an unstable marriage who visited sex channels
on IRC. |
| 2000/8/2-3 [Computer/SW/Security] UID:18847 Activity:kinda low |
8/1 The java SSH client we have running does not use https:// so i
assume that when i put in my password it gets sent plain text.
isn't the whole idea of disallowing telnet to avoid the
sending of plain text passwords?
\_ nothing to do with it. the http part is just to download
the ssh client locally. from there, you run ssh which
creates a secure connection to the remote host (which is
where your password gets transmitted).
\_ What (s)he said. Of course, if you're really paranoid, you
should care that you didn't download the java ssh client via
https, because someone who noticed you fetch it a lot could
hijack your download and replace the safe app with a compromised
one. Unlikely? Sure! But then again... you're using ssh
instead of telnet, so....
\_ I thought this would be a problem too. But when running
unsigned Java applets, aren't network connections
restricted to the host that the applet was loaded from?
This wouldn't eliminate the vulnerability, but it would
at least limit it. (A rogue program would have to be
set up on the web server which listened for connections
from hacked ssh clients.)
\_ That's the theory. You trust it in practice? |
| 2000/7/29 [Computer/SW/Security, Computer/HW] UID:18811 Activity:moderate |
7/28 Hi-Tech and all the other cheap places in Berkeley have gone under.
Where is a cheap, but decent in terms of service, place to buy
a computer in SF (or Berkeley).
\_ Central Computer has been our OEM of choice for a while. -nweaver
\_ For a personal computer, buy parts from out of state and assemble.
For your company, buy Dell.
\_ God forbid a part doesn't work. Ah, to live in L.A.
near hundreds of OEM vendors. |
| 2000/7/28-29 [Computer/SW/Security] UID:18808 Activity:kinda low |
7/28 What are the security implications of using a network time server?
\_ If someone nasty can control your clock precisely it may make it
easier for them to guess the values that will be generated by
pseudo-random algorithms seeded with the current time. If those
are used to form keys or such, security may be weakened. However,
many security protocols, such as Kerberos & NIS+, require computers
to have relatively close ideas of the current time so that they can
prevent replay attacks by rejecting packets with far-off timestamps. |
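An added example working through both halves of the answer above; it is not code from the thread, and the token format, window size and timestamps are constructed. The first part seeds a PRNG with the clock, the way a careless "session id" generator might, and shows that anyone who can pin (or just closely guess) the victim's clock recovers the seed with a small brute-force search; the fix is a generator fed from the OS entropy source, which the clock does not influence. The second part is the check a Kerberos-style service performs: refuse an authenticator whose timestamp is outside the permitted skew, and refuse one it has already seen inside that window, which is why the clocks need to agree in the first place.

```python
"""Clock-seeded tokens versus a replay window check (constructed example, not motd code)."""
import random
import time

# --- Part 1: a token derived from the clock is recoverable -------------------

def weak_token(clock_seconds):
    """Token from a PRNG seeded with the whole-second clock value. Do not do this."""
    rng = random.Random(int(clock_seconds))
    return rng.getrandbits(64)


def recover_seed(token, believed_time, window=300):
    """Attacker: try every second within +/- window of where they believe the
    victim's clock was (trivial if they set it via a spoofed time server)."""
    base = int(believed_time)
    for seed in range(base - window, base + window + 1):
        if weak_token(seed) == token:
            return seed
    return None


def strong_token():
    """Token from the OS entropy source; the clock plays no part."""
    return random.SystemRandom().getrandbits(64)


# --- Part 2: the skew and replay check a time-dependent protocol does --------

MAX_SKEW = 300   # seconds; a 5 minute window is the conventional Kerberos default


def accept_authenticator(ts, now, seen, max_skew=MAX_SKEW):
    """Accept a timestamp only if it is within max_skew of our clock and has not
    been presented before within the window. 'seen' is the replay cache."""
    if abs(now - ts) > max_skew:
        return False                       # too old or too far in the future
    if ts in seen:
        return False                       # replayed inside the window
    seen.add(ts)
    return True


def expire_replay_cache(seen, now, max_skew=MAX_SKEW):
    """Drop cache entries that can no longer pass the skew check anyway."""
    seen.difference_update({t for t in seen if abs(now - t) > max_skew})
    return seen


if __name__ == "__main__":
    now = time.time()
    tok = weak_token(now)
    print("recovered seed:", recover_seed(tok, now + 40) == int(now))
    cache = set()
    print(accept_authenticator(int(now), int(now) + 5, cache),      # True
          accept_authenticator(int(now), int(now) + 6, cache),      # False: replay
          accept_authenticator(int(now) - 900, int(now), cache))    # False: skew
```

The two parts pull in opposite directions: a service that rejects far-off timestamps needs everyone's clocks roughly synchronised, so turning off NTP is not the answer; the answer is to stop deriving secrets from the clock and to authenticate the time source (or limit how far a single update may move the clock) so an attacker cannot steer it.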
| 2000/7/28-29 [Computer/SW/Security] UID:18807 Activity:high |
7/28 That web-based ssh client we have is Phat,K-RAD and 2C00l. i want to
implement that on my server so i can access it if at a comp. without
ssh. What are the security implications?
\_ It posts your username/password and session log to
alt.security.gotcha, but is otherwise pretty safe. |
| 2000/7/26-27 [Computer/SW/Security, Computer/SW/OS/Solaris] UID:18771 Activity:nil |
7/24 Is there a way to install WindowMaker on a Solaris machine
without root access? Any url/pointer?
\_ ./configure --prefix=/someplace/youcanwriteto/
make
make install
and then you're done. Not very hard. |
| 2000/7/21-22 [Computer/SW/Security] UID:18746 Activity:high |
7/21 Is there a way to get root access given (unlimited) access to console
on a sparc20 box with solaris 2.5.1? The pricks in IS&T are taking over
a month to fix some things on my desktop machine and I really
need to take care of several of them to get anything done, at risk
of pissing off IS&T. Please withhold the "if you don't know how to
do this, you shouldn't have root anyway" flames; i know how to fix
what I want fixed, while not fucking up anything else.
\_ Well, if the other things fail you could try:
<DEAD>phrack.infonexus.com/search.phtml?view&article=p53-9<DEAD>
I haven't done this, and don't know whether it will work with
your model+keyboard. --Galen
\_ Thank you kindly. This worked like a charm after
a few small corrections (s/1\@/@/g).
\_ How do you find the memory address of the process?
ps -lp gives me a ? for ADDR
\_ It didn't do that for me; make sure you're running
/usr/bin/ps though (/usr/ucb/ps, for one, has
entirely different flags). If that fails, poke
around in /proc/$$/, it's probably visible from
somewhere in there (try bytes 0x48-0x4B of
/proc/$$/psinfo). Make sure to check the current
contents of *(process_pointer)+0x18 first, and see
if it matches your current ruid (or risk clobbering
something random in memory)
\_ Boot from CD. -tom
\_ No CD drive (or floppy for that matter)
\_It is likely that your box was installed over network and
the install server is still acting as boot/install server.
In this case you can boot of the network by typing "boot net"
from open boot prom. This is equivalent to booting from CD.
Of course, this wouldn't work if boot prom is password
protected. In this case you might need to swap the prom chip.
Though, if your box is also locked then you can't get root
without breaking things.
\_ Borrow a cdrom - the CSUA has a sun-compatible one.
\_ unless of course they set a prom password, in which case you're
pretty hosed.
\_ or swap in a prom. Or swap in a disk with your favored
configuration. With physical access it's always
possible. -tom
\_ Mmm..physical access.. *drool*
\_ They all say they know how to fix what they want fixed without
fucking up anything else. Why don't you talk to their manager
or have your manager talk to their manager? If it's truly
preventing you from getting work done then it's a big deal and
i'm an intern. it's not _/
taking matters into your own hands will just mask a problem. Maybe
IS&T is short-staffed and enough complaints will allow them to
hire, for example. --dim
\_ IS around here is absolutely hopeless. Trust me, this is the last
resort.
|
| 2000/6/19-20 [Computer/SW/Security] UID:18498 Activity:high |
6/19 Any suggestions for a Win98 SSH client?
\_ F-Secure but you have to pay $$$
\_ Yes. Go get a real OS.
\_ teraterm is pretty stable and has some nifty features (eg
recognizing most xterm escapes and imitating unix cut'n'paste
behavior with respect to right/middle clicks)
\_ TeraTerm plus TSSH. I'm using it right now. See:
http://www.csua.berkeley.edu/ssh-howto.html
\_ I'm using "SSH Windows Client" that I found from the same page.
-- yuen
\_ I use it at home and at work. Works great. |
| 2000/6/14-16 [Computer/SW/Security] UID:18465 Activity:high |
6/14 I have written a program that "pipes" port1 to port2 on a machine
[so if you do say telnet foo 25 that can automatically send to
to port 19, chargen]. Is there a way to grab all the unbound ports
and map them to chargen, to deter people scanning my machine? Will
that be an expensive program to run? I don't want to launch one
version of the process for each port. Thanks!
\_ Why are you even doing this? You're reinventing the wheel.
Just use the IP firewall rules built into your OS to port
forward a range of ports.
\_ I want to turn this on and off. Also not all OSes support
IP firewall. Would like to do this at the application level.
Can you tell me how to listen on all the unbound ports like
inetd?
\_ Sheesh, get a real os. What are you using? win 3.1?
\_ It's actually a vintage box; running a hacked-up
TCP/IP stack for CP/M. I'm using it as a low-load
web server
\_ inetd doesn't listen on all unbound ports - it listens on
the ports listed in inetd.conf. You could write a program
that looped through all possible port numbers and bound them
(if your OS supports opening 64k fd's in a single process)
but that would prevent any other app from being able to bind
a listening port.
\_ N0H0ZERZ!
\_ If the ports are unused what's the big deal? You can't stop
a scan. And if you have insecure services running on other
ports, your program won't help that either. What are you
trying to do? What's the point? Your program won't do
anything useful for you.
\_ An easier thing to do is run FreeBSD 4.x and in /etc/rc.conf set
tcp_restrict_rst="YES" This will cause connections to ports with
nothing listening to hang until timed out. This pretty much kills
portscanning. --dbushong
\_ Who cares? Let em scan. Security through obfuscation and
irritation is not security. You're only slowing down the
inevitable.
\_ If you don't believe in "security through obfuscation"
you won't mind sharing all your passwords with me.
\_ That's different. A password is obscure in a
way that in order to crack it, you need to
try a bunch of random combinations before you
can get it right. Security through obscurity
is where a backdoor exists but you just hid it
somewhere. It's the difference between a key
to your house and hiding that key under the mat.
The key is like the password. Hiding the key
under the mat the the obscure part. Obviously,
most prowlers will usually look under the mat
first before actually cracking the windows.
\_ A password is not obfuscation. Hiding your buggy
service on a random port and making it hard to scan
is obfuscation. Given a few extra minutes your
s00per sekret buggy service will turn up. My ssh
passphrase won't. You know I could give you my
ssh passphrase and it won't help you get into any
of the machines I run but you wouldn't understand
why. Damn, it's so sad there's no real ugrad
security classes. It shows.
\- i was thinking about writing a something to wedge
the iss scanner specifically. am trying to decide
whether to do it at a tcp level [long time outs etc.]
or generate random data on port 80, when talking to
nfsd, mountd etc. i am also thinking about using
xinetd. would be interested in more discussion on
this. --psb |
| 2000/6/12-14 [Computer/SW/Security] UID:18446 Activity:moderate |
6/11 Anybody know if encryption routines (DES, IPsec related, etc) can
be parallelized? Does adding more CPUs and writing some parallel
software speed things up?
\_ Look at the source code. Much of the time, what can be
parallelized is done at a fine grain level (vector data,
level, loop level, instruction level, etc...) in which
case, adding CPU's won't do you any good. If it's thread
level paralellism, then yes. Go to http://mit.edu's web site and
search for Krste Asonovic (he was a PhD student here w/
Patterson). His thesis has a good explanation. Also look
at the spring 2000 cs252 website. I think someone did
a project on encryption algorithms. -jeff
\_ IPSEC isn't an encryption routine--IPSEC ESP just makes
provision for tunnel encryption and key exchange for
whatever crypto you're using. -John the Nitpicker
\_ No.
\_ It depends on the feedback mode used. If the cipher is running
in ECB mode, yes, but it's a bad mode of operation otherwise.
The most common mode, CFB mode, has a dependency between
blocks and can't be parallelized. -nweaver
\_ is that a mathematically proven statement or a "can't _easily_
be parallelized"?
\_ Do you understand what you're talking about? If step B
depends on the result of step A before it can be started,
IT'S IMPOSSIBLE TO RUN A & B IN PARALLEL.
\_ Do YOU understand what YOU are talking about? There's
more than one way to split a task into blocks, and
parallelism need not apply at global level to be useful.
A complete mathematical proof of nweaver's statement
would be quite difficult.
\_ Not so. It's been done before in superscalar
processors using load value prediction and
trivial computation predictions.
\_ CFB cannot be parallelized beyond the parallelism
inherent in the encryption of a single block, because
of the dependency. CFB of block N is computed by
encrypting the value of N xor the last block. -nweaver
\_ look, computation prediction is NOT trivial!!
\_ CFB encryption can NOT be parallelized beyond the
parallelism inherent in the encryption of a single
block, because of the cyclic dependency. You need to
completely encrypt one block before you can begin
encrypting the next block. CFB DECRYPTION however,
can be parallelized between blocks. -nweaver |
| 2000/5/24-26 [Computer/SW/Security] UID:18336 Activity:low |
5/24 I want to make my FS encrypted so that no one can take out
my linux harddrive, hook it up to another computer that they
have root on and see my files. I want only my password to be
able to access those files. Anyone know of such a FS package?
Doesn't have to be distributed like NFS.
\_ try cfs (it has a debian package in non-us). User-mode, IIRC.
\_ hello, does anyone know the status of the Alex file
system from cmu [not andrew]. has that been abandoned?
is there a successor [is nebula any good?]. will it
run on solaris? --psb
\_ Re-formatted.
\_ Who would bother? If they stick a gun to your head, you'll very
happily give them the password and suck their cock, too. |
| 2000/5/16-18 [Science/GlobalWarming, Computer/SW/Security] UID:18283 Activity:high |
5/16 http://www.wired.com/news/politics/0,1283,36339,00.html
Question: How exactly can you distinguish Voice traffic from other
traffic, esp. when you can tunnel it over another protocol like http
or you encrypt it using SSL and such? What the hell do the telco's
want regulated?
\_ It's just political clap trap noise.
\_ But, technically, unencrypted voice traffic is hella easy to detect,
regardless of protocol. Anyone who knows basic signal processing
can write the code. -blojo
\_ what's the easy trick? does the spectrum for speech look very
specific? -ali
\_ What you would basically do is: (a) look for signals that have
most of their energy in the 500Hz-4KHz range. (b) The amount of
energy and its centroid oscillate / fluctuate with periods that
are O(.25 seconds). Basically you can look at docs for any of
the recent vocoders and see what circumstances they focus on
reproducing... fortunately recognition that something is probably
a voice is a lot easier than recognizing what the voice is
saying. -blojo
\_ Key phrase: unencrypted. Solution: encrypt it.
\- you know the NSA has a patent on automatically IDing FAX and some
other kinds of traffic. --psb
\_ i've got something that fluctuates at 4 Hz right down here. -ali
\_ Wow. That sounds painful...or unsatisfying. Not sure which.... |
| 2000/4/25-26 [Computer/SW/Security] UID:18110 Activity:very high |
4/24 Are there instructions on how to use the Java SSH client at
http://soda.csua.berkeley.edu/ssh - clueless
\_ got that right
\_ You need instructions on how to use this? This is a joke
right?
\_ OK - this is one of those cases like you're the only person that
hears any weird sounds coming from your car, but your mechanic doesn't
when you bring it to the shop. What happened was that when connected
to certain networks, say at work, the Java ssh client would not know
http://soda.csua.berkeley.edu, and return an error to that effect. Thus, the
cause for clueless-ness. However, on less prohibitive networks, say
at home via dial-up ISP provider or dsl, I have no problems, which
would invite a "got that right" comment. So, now another clueless
question is - does this ssh client run over http or another protocol?
Why does it work in some cases and not others? More than happy to read
all about ssh if you got a pointer/url, especially for this Java ssh
implementation. - Longer than necessary, clueless
\_ Well it runs ssh's network protocol, to port 22 on soda. Odds are
if it's not connecting you're behind a tightwad firewall that blocks
outgoing tcp/22. -ERic
\_ You might also be having DNS troubles resolving names from
behind the firewall. I know Sun's firewall does weird DNS hiding
and you need a super special ssh client to get out. - seidl
\_ might also try running ssh in verbose mode to gather clue |
| 2000/4/11-13 [Computer/SW/Security] UID:17974 Activity:nil |
4/11 When I dialup from home, I use screen in my shell so that if I
get disconnected, I can dial back in and reconnect my screen and
thus not lose any work. Is there something similar I can do with
my X apps also? (xterms, emacs, etc). I suppose I can run vnc on
my workstation at school, but vnc is slow and not secure.
\_ YOu can vnc over ssh.
\_ Doesn't ssh break the connection when you hang up?
\_ w/ static IPs, use ssh w/o keepalives, and ssh/X will persist
short interruptions or long ones if all is idle. |
| 2000/4/11-12 [Computer/SW/Security] UID:17965 Activity:low |
4/10 Why is ssh2 better than ssh1? Aside from sftp. I'd like a pointer
to technical reasons why ssh2 has improved security.
(Yes, I already spent some time looking.) --PeterM
\_ well, the ssh2 protocol was written more from the ground up
rather than as modifications to a hack to a neat idea. --jon
\_ I can see in general how rewriting the code would improve it,
but what particular attacks are now harder/impossible? --PeterM
\_ pure marketing + revenue |
| 2000/4/3 [Computer/SW/Security, Computer/HW] UID:17913 Activity:high |
4/2 Is there a program that will continually monitor when a file gets
appended to and display it to stdout (like a security log monitor)?
\_ simple way might be to use: tail -f FILENAME
\_ might be? That's _the_ way. How much easier can it get? No
bullshit, no coding, no side effects, included in every *nix.
Even Linux has it. |
| 2000/3/30 [Computer/SW/Unix, Computer/SW/Security] UID:17890 Activity:nil |
3/28 -nick is login "nick" already
\_ No it's not - the other nick |
| 2000/3/22-23 [Computer/SW/Security] UID:17825 Activity:insanely high |
3/22 SHIT! My linux gateway running ipchains got cracked.
How? --PeterM
\_ Run a BSD. Any BSD. No, really. Linux sucks.
\_ How about:
BSD security >> Linux security, but Linux is getting there
\- realistically i think there are just more linux
root kits floating around. same reason more solaris
boxes get cracked than say ultrix/irix machines. --psb
\_ In my experience, VMS security >> HP security >>
SUN security >> IRIX security >> Linux security >>
Windows security. IRIX really sucks and SGI ships
the OS wide-open. --dim
\- i work in this area so my data is based on a lot
of machines and not just on my experience. most people
cracking systems are just trying a lot of doors and
arent picking locks. the doors they usually get into
arent necessarily the easiest ones to pick but the
ones with the most spare keys floating around or the
most likely to have been left unlocked. VMS machines
arent cracked because very few people have access
to them, or sources etc. i agree solaris security is
better than irix security but there are more suns
and more people have access to suns ... hence more
solaris root kits. --psb.
a lot of the weenie crackers
dont even know the difference ... you see people
using solaris eject cracks on irix machines all the
time. you know you are dealing with a clown when a
cracker's editor of choice is pico. [which it is
more and more often these days] --psb
\_ I agree completely. I just wanted to point out
how much IRIX sucks. --dim
\- back in the old days suns used to "ship"
with + in /etc/hosts.equiv. it only took a few years
for sun to admit they had their head up their ass
on that one. SGI was even more intransigent about the
lp/guest etc accounts. whenever you would complain to
SGI they would either point to "small print" or defend
what they did with "we know better" ... well apparently
"the market" knew better. --psb
\_ sendmail, dns, irc, ftp, what else are you running?
\_ no ftp, irc. Running sendmail as an smtp server for
the internal network, but blocking connections from
outside. Running DNS. Nothing else that I know of
offhand.
\_ move DNS serving to an internal machine. This
will take some of the load off and also close
a potential security hole. I also switched to
to postfix which seems to be more secure than
sendmail.
\_ In recent history, all of those other daemons have
had a lot more security problems than sendmail.
\_ I haven't seen as many CERT warnings
about postfix as for sendmail and
qmail.
\- what version of named? are you running named
unprivileged and chrooted? this was a common attack
on freebsd. --psb
\_ what are your rules? wuftpd supposedly has some buffer
overflow exploits.
\_ "no ftp"?
\_ RedHat 6.1?
\_ an inside job?
\_ a blown job? |
| 2000/3/14 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:17763 Activity:kinda low |
3/14 http://www.csua.berkeley.edu/~benchan/entreprise/CYBERARMS.html
\_ Is commerce allowed on CSUA?
\_ No.
\_ but this is eCommerce! It's downright unamerican not to encourage
eCommerce!
\_ Squish! |
| 2000/3/13-14 [Computer/SW/Security, Computer/SW/Apps/Media, Computer/Networking] UID:17759 Activity:moderate |
3/13 At work each "phone" jack has an ethernet port, digital phone, analog
phone, and a fax port. Anybody know where I can get a jack like that?
I couldn't find it at homedepot. -trying to rewire my house.
\_ Just unscrew the one at work. (Someone else's office)
\_ http://www.l-com.com sells just about every possible connector or
cable for many different applications. they should have
whatever jack you need, and i think they can do online orders
via web.
\_ Did you look in the catalogs? (http://www.blackbox.com for example)
\_ under your desk? *grin*
\_ I liked it better when the area admin was under my desk. |
| 2000/3/8 [Computer/SW/Unix, Computer/SW/Security, Computer/SW/OS/Windows] UID:17713 Activity:nil |
3/7 What are people using to do S/MIME on Unix? I don't know which
M to RTFM. (I've used a thawte digital certificate to read/
send encrypted mail in windows, but don't like going over
there every time to read encrypted mails... Thanks |
| 2000/3/2-3 [Computer/SW/Security] UID:17677 Activity:moderate |
3/2 "He was plotting it for around two weeks, jokingly, saying he was
going to extort money from these companies. Then all of a sudden
he got dared to do it, and 10 minutes later Yahoo! was down. He
never made extortion demands," the source said. We should all be
thankful he got scared and didn't carry out his next idea, and
that no one else feels the need to do this either," the source
wrote. "He had a DDoS (distributed denial of service) tool that he
wrote installed on all of his hacked boxes. He was planning on
using all 1,000 machines in a combined attack on the Root
Nameservers, flooding the Nameservice ports with UDP packets." "He
is safe and he knows it, he deleted all evidence off his machine.
...He is very well aware that there isn't any way to prove a smurf
attack after the fact." http://www.msnbc.com
\_ Hear that tjb? They're on to you! |
| 2000/3/1-2 [Computer/SW/Security, Computer/SW/OS/Windows] UID:17667 Activity:moderate |
2/29 http://www.gnu.org/philosophy/amazon.html#whyBoycott
http://www.oreilly.com/ask_tim/amazon_patent.html
\_ USE WINDOWS. WAREZ REWLZ. LINUX SUX.
\_ Uh huh, communists and a guy who made his millions on the copyright
system which is the printed version of the patent system. I'm
impressed. I'm also stoned, stupid, and a libertarian.
\_ There is a BIG difference between the patent system and the
copyright system. You can have two books that describe how to use
the same algorithm, in detail, and not violate copyright. But the
way the PTO is going, you won't be able to have two separate
programs that use the same algorithm, without violating patents.
\_ Bullshit. Stop repeating the ignorant drivel from the slashdot crowd
and do your own research. Start with a law degree. "But I don't
need no stinkin' law degree to know that my rights to other
people's work is being infringed!"
\_ One of the cornerstones of patent law is that no one should be
allowed to patent prior art (something which someone has done
before) nor any trivial extension of prior art (something which
would be obvious to anyone in the field even without it having
already been done). The trick is that the patent office's track
record for letting prior art leak into patents is abysmal.
[Dubious reference to prior art accidentally deleted]
\_ Please quote the spec example and provide URL. If it was that
simple the judge would not have granted an injunction. That's only
done when there is a high probability of victory. If the example
you claim is in the cookie spec covered the whole patent, then
B&N's lawyers could have easily not only not been on the wrong end
of the injunction, but could have had the patent declared invalid
long before now. Patent law isn't as simple as slashdot makes it
out.
\_ Were any of the online brokers up and running in 1997? Any one of
their stock purchase systems would constitute prior art if in place
then. -mel
\_ No, it wouldn't. You have no idea what a patent even is.
It is defined by the claims, not the oft and over quoted summaries
printed on slashdot and other anti-IP sites. Violate so much as a
single minor claim and you're infringing on someone else's
property. |
| 2000/3/1-2 [Computer/SW/OS/Windows, Computer/SW/Security] UID:17664 Activity:nil |
2/29 does an ssh client for windows 3.11 exist? thanks.
\_ USE WINDOWS MAN. LINUX SUX. WINDOWS REWLZ. ANYONE WHO'S
ANYONE USES WINDOWS. LINUX USERS ARE FREAKS MAN.
\_ Win32 programs have been known to run on 3.11 systems.
Try TeraTerm ssh (free) or F-Secure (maybe free if you're on
campus).
\_ There was an article in the merc this week saying that
SSH Communications & SANS were giving away free SSH to
.edu's but I can't find anything on http://ssh.com or http://sans.org.
Anyone know anything about it? |
| 2000/2/25 [Recreation/Dating, Computer/SW/Security] UID:17622 Activity:nil |
2/25 Pro-immigration drivel deleted. That was not a reason to allow
queers to marry. That was a reason to deny foreigners easy access
to our shores. I abhor the practice of foreigners, mostly women,
prostituting themselves out to gain status here. We should eliminate
that possibility equally for everyone. |
| 2000/2/22-23 [Computer/SW/Security, Computer/SW/Unix] UID:17587 Activity:moderate |
2/22 Is it possible for Soda to create a web mail interface similar to
http://mail.yahoo.com to access emails on soda?
\_ No. Soda is a computer and has not yet achieved sentience.
Use POP or IMAP or forward your mail to luser@@yahoo.com.
\_ Soda still allows POP and IMAP? I thought that the whole
point of turning off telnet/ftp/etc was to prevent some
twinks from sending their passwords in clear text over the
net. So, what's the point of turning off telnet and ftp
if POP and IMAP are still running?
\_ There is no point, only trolls.
\_ You may email your request to the entity known as "Soda".
\_ I was looking at something called 'mailman' a while ago. It'd
require nothing more than a few cgi scripts and a cron job that
copies your mail into a directory off your public_html/. They
started charging for mail man, though, and I haven't had time
for it since. Mail me if interested. -John
\_ there are at least a dozen different mail->web gateways
listed on http://freshmeat.net
\_ The OCF got acmemail up and running in a few hours -jones
\_ http://secure.OCF.Berkeley.EDU/cgi-bin/acme/acmemail.cgi |
| 2000/2/11-13 [Computer/Networking, Computer/SW/Security] UID:17494 Activity:very high |
2/11 Why can't they stop all these DoS with a simple TCP source quench? My
understanding is that if the incoming data rate passes a certain
threshold, you can simply ask the upstream sender to slow down or
drop packets. So why don't the end points just do this so that the
systems don't go down?
\_ But then if that's true and the upstream sender starts dropping
packets, it will still appear the same to the clients that the
server has crashed. The effect is the same. Right? -- yuen
\_ Sort of, my understanding is that you can do a source quench
on one or more source IP's, so when you send a quench the
message propagates all the way back to the source. When
the routers closest to the source start dropping, it will look
like (from the source's perspective) the destination
has gone away. Other source IP's won't be affected.
\_ Source quench idea doesn't work necessarily because the
idea of source quench assumes that the sending host is
co-operative, not hostile. When the sending host has
been root compromised, the compromise could change the
behavior to make it ignore source quench requests.
Also, a lot of the source IPs are being spoofed, so you
don't even know who the real sources are.
\_ The attacks are a lot more complicated than just "send lots of
packets to yahoo". -tom
\_ So where can I get a description about how these attacks work.
And I'm not looking for the garbage in the general press.
\_ http://www.securityfocus.com
\_ http://staff.washington.edu/dittrich/misc/tfn.analysis
\_ http://staff.washington.edu/dittrich
Look in the papers where he analyzes trinoo, tfn and
stacheldraht. Best analysis of them I have seen. -ausman
\_ while (1) { httpget("yahoo.com"); } And now you know!
\_ This is hardly untraceable since your IP will show up
in access_log. My understanding is that the attacks
have been untraceable, so they must involve header
rewriting or session hijack or something.
\_ No. _some one's_ IP appears in the log. Who is to
say httpget() isn't mushing the IP or using a proxy
or doing a million other things?
\_ The problem with DoS attacks is not that they're crashing the
machines, but that they're preventing normal users from accessing
the service. Your suggestion does nothing to change this.
\_ If you or your upstream routers block/quench based on the
sending rate of a source IP, then you could filter the DoS
traffic (high incoming rate) and still allow most normal
users (low incoming rate) to connect. I think that is a L3
analogy to the hammer filters in some ftp servers.
\_ Except that many of the attacks consist of a low incoming
rate per IP address from thousands of different addresses.
Telling real traffic from attack is harder than you think.
\_ Pull network cable, sell stock, go home.
\_ Wrong order!
\_ You want to sell at the high moments before it
crashes to make sure you soak it for every last bit.
After all, who knows better when it's going down
than you? It'll take a while for others to notice.
\_ I opened a joint broker account with my girlfriend and placed $1000 in
it, telling her that whatever is in it when engagement comes would be
the price of her diamond ring. GE didn't go fast enough for her, so
we went into Checkpoint Software, and it went from $1000 to $4000
in 4 months, and has been going through the roof since the DoS
attacks. Do you think my girlfriend might be involved?
\_ She hired me to do it. I get half the account, she gets
the other half for her ring. Expect it to continue upwards
until you're engaged.
\_ I knew she was involved! I once suggested to her that
instead of a diamond ring, I can give her a super cool
Sun workstation. To my surprise, even though she is a
nerdy (but very beautiful, in my opinion) computer
science student, she didn't like the idea very much.
If you can convince her otherwise, it would be a great
favor for me!
\_ She is much smarter than you think. Diamonds are
forever. Sun workstations become obsolete.
She also realizes that you may in fact wish to
fondle the sun hardware instead of twiddle her bits.
And when the workstation becomes old, Sun allows
you to trade it in for a newer model, perhaps giving
you certain ideas she finds threatening. |
| 2000/2/9-10 [Computer/SW/Security] UID:17468 Activity:low |
2/9 I would like to start using PGP for communications. Problem is that
the machine at work won't let me install freeware PGP for WinNT (I'm not
an admin nor do I play one on TV). I thought there was an impl in PERL
somewhere but can't find anything about it. Does anyone have a list of
PGP impls handy? And if so could you share?
\_ PGP? For what? You think the NSA and Evil HAx0rz are listening in
to your love letters to your SO? |
| 2000/2/9-10 [Computer/SW/Security] UID:17463 Activity:insanely high |
2/8 After the recent attacks against the big boys of
dot com how does a guy prevent further Denial of service (DoS)
from happening to his own cos. - curious
\_ You don't. You can filter some of the crap but never be totally
safe from it with current protocols and technology.
\_ why not just change the filter properties?
\_ Which devices do you own that can filter 1 gigabit per
second without crashing while still letting the good
traffic through? And what if the DoS consists of properly
formed http calls? What are you going to filter?
\_ so i guess you need to call an upstream isp to put
in the proper filters?
\_ Idiot!
\_ Argh! TROLL!
\_ well, isn't that what they did to stop
the http://cnn.com attack?
\_ Yeah, they turned on the "filter_DoS_packets"
rule in the routers. Some new guy had
turned it off and no one noticed.
\_ so i guess you don't know then, huh?
\_ I think when they upgraded to dos
version 2.11, everything was ok.
\_ what are you going to filter, when the DoS looks EXACTLY like
lots of normal traffic packets? Is the 'Slashdot Effect'
a malicious attack, or just your site suddenly becoming very
popular. Either way, your site is basically down.
\_ are you sure DoS packets look exactly like normal packets?
\_ Of course not. They have the DoS flag set.
\_ so i guess you don't know then, huh?
\_ The dos upgrade to v2.11 fixed it.
\_ A possibility would be to make your company site a moving target.
Have several locations/IP's you can use. When one IP gets hit with
the big DoS, change your DNS entry ( you set your TTL low ahead
of time, right?), and move your site to the new IP.
\_ That'll work, uh... never. DoS kiddies just get the new
IP the same as everyone else. Welcome to the internet.
\_ ACK! I've been trolled!
\_ if you have to ask, you don't know
\_ thanx for stating the obvious
\_ Unplug net cable.
\_ If companies with hundreds of millions of dollars at stake can't
prevent it, what the hell makes you think you can?
\_ Because I read a zdnet article about how to stop it.
\_ it's so ironic, that zdnet was attacked and shutdown
for 2 hours this morning.
\_ Very little. Try not to be a tempting target. The way the big
sites were attacked recently was by distributed clients running
on many windows boxes infected with a remotely activated virus.
There wasn't any obvious TCP stack bug problem with the servers
or anything, they just got overwhelmed by tons of valid-looking
hits. Short of weird heuristics, there's very little you can
do about this.
\_ What about authenticated IP? -- network newbie
\_ Won't stop traffic floods, which is what they're getting
hit with.
\_ First define authenticated IP, then figure out how much your
business will lose by cutting off all the random web users
who don't use it.
\_ Why don't we all start attacking http://www.microsoft.com and bring down
the Evil Empire(TM)? |
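The argument in the two DoS threads above (per-source rate filtering catches a single flooder but not many low-rate sources that together look like normal traffic), as an added example that is not from the motd or any vendor's rate limiter: a hypothetical per-source-IP token bucket run over constructed, in-process traffic traces. All source labels, rates and the server capacity are constructed values.

```python
import collections


class PerSourceRateFilter:
    """Token bucket per source IP: each source may send `burst` packets at
    once and `rate` packets/second sustained; anything beyond is dropped.
    ASSUMPTION: a hypothetical model of the 'quench by source IP' idea
    from the thread, not any real router's or ISP's rate limiter."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.buckets = {}                    # src -> (tokens, last_seen)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


def constructed_trace(senders, duration_s: float):
    """Constructed synthetic arrivals: `senders` is a list of (src, pps);
    each source sends evenly spaced packets for `duration_s` seconds.
    Returns a time-sorted list of (t, src). Nothing leaves this process."""
    pkts = []
    for k, (src, pps) in enumerate(senders):
        interval = 1.0 / pps
        t = (k % 97) * interval / 97          # stagger start times a little
        while t < duration_s:
            pkts.append((t, src))
            t += interval
    pkts.sort()
    return pkts


def peak_accepted_pps(trace, filt=None) -> int:
    """Run the trace through the filter (None = no filtering) and return
    the busiest one-second bin of packets that reached the server."""
    per_sec = collections.Counter()
    for t, src in trace:
        if filt is None or filt.allow(src, t):
            per_sec[int(t)] += 1
    return max(per_sec.values(), default=0)


SERVER_CAPACITY_PPS = 1000          # constructed: what the server can serve
LEGIT = [("user-%03d" % i, 0.5) for i in range(200)]   # 200 light users


def overloaded(peak_pps: int) -> bool:
    return peak_pps > SERVER_CAPACITY_PPS


def scenario_single_flooder():
    """One source at 5000 pps on top of the light users. Per-source
    limiting works here: the flooder is cut to its bucket, the rest pass."""
    trace = constructed_trace(LEGIT + [("flooder", 5000.0)], 5.0)
    return {
        "unfiltered_peak": peak_accepted_pps(trace),
        "filtered_peak": peak_accepted_pps(trace, PerSourceRateFilter(2.0, 10)),
    }


def scenario_distributed():
    """2000 sources at 1.5 pps each, below the 2 pps per-source limit.
    Every packet is within policy for its own source, so the filter
    passes all of them and their sum still swamps the server: per-IP
    rate is not a usable signal, which is the thread's point."""
    senders = LEGIT + [("remote-%04d" % i, 1.5) for i in range(2000)]
    trace = constructed_trace(senders, 5.0)
    return {
        "unfiltered_peak": peak_accepted_pps(trace),
        "filtered_peak": peak_accepted_pps(trace, PerSourceRateFilter(2.0, 10)),
    }


if __name__ == "__main__":
    for name, result in (("single flooder", scenario_single_flooder()),
                         ("distributed low-rate", scenario_distributed())):
        print(name, result, "overloaded after filter:",
              overloaded(result["filtered_peak"]))
```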
| 2000/2/7-8 [Computer/SW/Security, Computer/SW/Unix] UID:17447 Activity:high |
2/7 POP-3 Question: I want to run a popd at home (such as qpopper) so
that my parents can check their mail without having to login to
the mail server at home. From what I can tell from the RFC's POP
seems to be an insecure protocol, in that it sends passwords as
plain-text. Is it possible to run a secure POP server, or can I
at least have the POP passwds in a file other than /etc/passwd
(like .htaccess)?
\_ Use APOP or ssh port forwarding. Using APOP would be probably
less hassle for non-*nix users. You still need to send a clear text
password, however, it is not the same as a user's unix password.
If a user is using *nix, fetchmail + ssh port forwarding is
the way to go. -akop
\_ the APOP password is not clear-text; it's MD5 encoded I
believe. -tom
\_ Couldn't get APOP to work correctly in the released
version of qpopper. Besides it looked like APOP didn't
work with Netscape.
\_ APOP does not work with Netscape. But it does
work fine with qpopper. -tom
\_ "My parents use *nix!"
\_ My mom has been a Unix user/hacker since the PDP-11 was
a new machine. Its not a user issue, I'm just trying to
minimize logins to the mail server (also the firewall/nat
box).
\_ Then maybe you should be asking yermom for advice.
\_ I would ask my mom (not yermom) for advice, but
she is currently out of the country.
\_ Then she doesn't need her email right now, does she?
I don't release any GPL'd code until my mom has
QA'd, debugged, and approved the release.
\_ http://www.linuxdoc.org/HOWTO/mini/Secure-POP+SSH.html
also, fetchmail can do APOP (but not netscape mail)
\_ Go for IMAP+SSL - then they can use netscrape or MS LookOut!
\_ Which server should I try? From just looking at the homepages
for Cyrus (CMU) and Imapd (WU) I couldn't tell if either
supported SSL.
\_ Use either with the SSL wrapper from the ssl toolkit. |
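The APOP exchange tom and akop are discussing (the secret stays on the host, the wire carries MD5(timestamp + secret)), as an added example of both sides that is not qpopper's or fetchmail's code; everything is modelled from RFC 1939, and the hostnames and user data are constructed except the worked digest from the RFC itself. It also shows the point raised in the question: the server must hold the secret in recoverable form, separate from /etc/passwd.

```python
import hashlib
import hmac
import os
import re
import time

# ASSUMPTION: a minimal model of the RFC 1939 APOP exchange written for
# this example, not the code of any real POP server or client.


class ApopServer:
    """Server side. `secrets` maps user -> shared secret. The secret must
    be kept in recoverable form (this dict, or a file outside /etc/passwd)
    because the server recomputes MD5(timestamp + secret) itself; it
    cannot work from a one-way crypt() hash, which is why APOP secrets
    should not be the users' login passwords."""

    def __init__(self, secrets: dict, hostname: str):
        self.secrets = secrets
        self.hostname = hostname
        self.pending = None      # timestamp issued in the greeting; single use

    def greeting(self) -> str:
        # RFC 1939: timestamp <pid.clock@host>, unique per connection.
        self.pending = "<%d.%d@%s>" % (os.getpid(), time.time_ns(), self.hostname)
        return "+OK POP3 server ready " + self.pending

    def authenticate(self, line: str) -> str:
        m = re.fullmatch(r"APOP (\S+) ([0-9a-f]{32})", line.strip())
        if not m or self.pending is None:
            return "-ERR syntax error or no APOP timestamp outstanding"
        user, digest = m.group(1), m.group(2)
        ts, self.pending = self.pending, None      # consume the timestamp
        secret = self.secrets.get(user)
        if secret is None:
            return "-ERR permission denied"
        expected = hashlib.md5((ts + secret).encode()).hexdigest()
        # constant-time compare: a byte-by-byte mismatch leaks no timing
        if hmac.compare_digest(expected, digest):
            return "+OK maildrop locked and ready"
        return "-ERR permission denied"


def apop_client_line(greeting: str, user: str, secret: str) -> str:
    """Client side: take the timestamp (angle brackets included) from the
    greeting and answer APOP <user> hex(MD5(timestamp || secret)).
    The secret itself never crosses the wire."""
    ts = re.search(r"<[^>]+>", greeting).group(0)
    return "APOP %s %s" % (user, hashlib.md5((ts + secret).encode()).hexdigest())


def exchange(server: ApopServer, user: str, secret: str) -> str:
    """One full greeting -> APOP -> response round trip."""
    return server.authenticate(apop_client_line(server.greeting(), user, secret))


def replay_attempt(server: ApopServer, captured_line: str) -> str:
    """What a passive sniffer holds: a digest bound to an old timestamp.
    Against a fresh greeting it fails, unlike a sniffed USER/PASS pair.
    Caveat: the captured (timestamp, digest) pair still allows offline
    guessing of a weak secret, so APOP stops replay, not weak passwords."""
    server.greeting()
    return server.authenticate(captured_line)


# Worked values from RFC 1939 section 7 (user mrose, secret tanstaaf).
RFC_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
RFC_DIGEST = "c4c9334bac560ecc979e58001b3e22fb"


def rfc_digest_matches() -> bool:
    return hashlib.md5((RFC_TIMESTAMP + "tanstaaf").encode()).hexdigest() == RFC_DIGEST


if __name__ == "__main__":
    srv = ApopServer({"mrose": "tanstaaf"}, "dbc.mtview.ca.us")   # constructed
    g = srv.greeting()
    line = apop_client_line(g, "mrose", "tanstaaf")
    print("S:", g)
    print("C:", line)
    print("S:", srv.authenticate(line))
    print("replay of the same line:", replay_attempt(srv, line))
```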
| 2000/1/27-28 [Computer/SW/OS/FreeBSD, Computer/SW/Security] UID:17349 Activity:high |
1/26 Are the security benefits of mounting /usr partition in read-only
mode worth the trouble of rebooting your server whenever you install
OS patches or updates? -sysadm
\- this isnt worth doing ... at least not on solaris.
spend a little more energy on keeping md5 checksums --psb
\_ an ounce of prevention is worth a pound of
"AAAa! We've been hacked, FIX IT!"
\_ Depends on your needs. Extra security vs convenience. In general,
I'd say don't do stuff like this unless you're sure you need to.
That you have to ask says you probably don't need it.
\_ Most of the time you have to reboot after installing OS patches &
updates anyway.
\_ Ok I will modify my question. What about simple and yet
important updates that DON'T require a reboot. I'd rather
restart a service than reboot. -sysadm
\_ what's going to stop some cracker from just remounting /usr r/w,
changing stuff, and then having a ball ? I dont see
any benefit in the world of mounts with -o remount or -u (bsd) -ERic
\_ The only security benefit is to block script kiddies.
Crackers with half a clue can get right past it.
\_ You NEED TO BE ROOT to remount. the whole point is to make it
more difficult for them to get it
\_ Eye 0wn3d y00!111 |
| 2000/1/23-24 [Computer/SW/Security, Computer/SW/WWW/Server] UID:17302 Activity:nil |
1/21 Anyone have a page where I can find stuff on headers for our apache web
server? We have authentication, though we've realize that caching
really is another issue entirely and would like our pages to have the
same behavior as the portals (e.g., yahoo, aol) re browser based
email authentication
\_ http://www.hamsterdance.com
\_ Don't go to hamsterdance. You're looking for
http://windowsupdate.microsoft.com.
\_ Would you care to try again except use English and format to
between 76 and 80 columns?
\_ Reformatted to fit on 80-column punchcard. - motd punchcard god |
| 2000/1/18-19 [Computer/SW/Security, Finance/Investment] UID:17263 Activity:high |
1/18 Is E*TRADE FDIC insured? Thx.
\_ They are a brokerage not a bank. They have SIPC and backup private
insurance. Read their web site. (BTW do you really want an account
with E*TRADE? I haven't had an account there but heard their
customer service is impossible. You might find this useful:
http://www.gomez.com.)
\_ Very useful site. Thanks.
\_ I have an account with them. I've only had to ask one question
but got a response within 24hrs. But that's just once, so take
it as you will.
\_ I have had nothing but trouble w/ Etrade. It is hard to
connect with them during the day, it takes days for them to
respond to emails, and you have to wait >>>1h to talk to a
customer service rep when you call. I prefer Datek, even
though they offer fewer services.
\_ E*TRADE is completely incompetent. They are awful. --aaron
\_ How about http://www.schwab.com
\_ schwab has pretty good service. Problem is their
commission costs for trades are pricey
\_ Why do people use/need customer support that much? I would
think that once you get things setup, you don't need
that much customer support
\_ try doing a brokerage transfer. -tom |
| 2000/1/14-17 [Computer/SW/Security] UID:17241 Activity:nil |
1/14 can't find ssh client for win 3.11. help? (and pls don't suggest to
upgrade to win 95/98/NT.) thanks in advance.
\_ LINUX! RIDE BIKE!
\_ I think you can just telnet the non-secure way, use the one-time
password generator at http://www.csua.berkeley.edu/skey or
elsewhere to generate the one-time password, then manually type
the password in your non-secure telnet.
\_ F-Secure ssh for Win32 will run on Win 3.11 -sony
\_ http://www.zip.com.au/~roca/ttssh.html
\_ Can you run java? If so: http://www.mindbright.se/mindterm |
| 2000/1/11 [Computer/SW/Security] UID:17211 Activity:high |
1/10 Why don't we use SSH Ver.2? (I think there was an explanation
somewhere but i can't find it)
\_ No one supports SSH 2.
\_ SSH2 costs too much
\_ Exactly. SSH1 is freeware while SSH2 is available for purchase
only. |
| 1999/12/22-23 [Recreation/Dating, Health/Men, Computer/SW/Security] UID:17085 Activity:high |
12/21 So I'm looking for Logo information -- I go to bh's Web page, and just
below his photo is a link inviting me to "Take a look at my son Heath."
NO WAY!!! bh actually found a female to get intimate with him?
Is/was bh married? Or is this some kind of weird I-hate-my-family-so-
I'll-pick-a-new-one thing like benco and his "fathers" Allman and
McKusick?
\_ he adopted a 12 year old boy. single parent. unmarried.
\_ no, 11
\_ Some morons let that total bug eyed freak get his molestor's
dirty fat little paws on a helpless child which he promptly
posted pictures of on the net? WTF is this country coming to?
Next, they'll let queers marry.
\_ You obviously don't know BH personally. So quit trolling.
FYI, there's no law (or reason) against posting your kids'
pictures on the net, he wanted a kid for nearly a decade,
and had to put up with the social service system (which is
ridiculously biased against men) for that long, and has
a master's in clinical psychology to show for the statement
that he's capable of caring for the kid properly.
\_ Oh yeah, I went to school so I must know all about kids!
You're so completely clueless and dense. There's a very
good reason they don't give children to unmarried men.
The only shock is that they let freakoid have one after
*any* number of years of trying. Normal people who want
kids try out this thing called "marriage" and they "have
sex" and "procreate". Try it sometime... or in your
case, please don't. The gene pool is sufficiently
polluted.
\_ I agree. Lezbo "couple" adoptions and sperm
inseminations should be banned by law. |
| 1999/12/19-21 [Computer/SW/Security] UID:17070 Activity:kinda low |
12/18 Is anyone aware of an existing scp interface for Wind0ze?
\_ Not a chance.
\_ http://bmrc.berkeley.edu/people/chaffee/winntutil.html
about 1/2 way down the page -mikeh
\_ This is bogus.
\_ How so? It works for me. -mikeh
\_ It doesn't properly follow the specs.
\_ Clarify?
\_ Read the spec and compare. |
| 1999/12/1 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:16982 Activity:very high |
11/30 http://www.gn.apc.org/pmhp/ehippies/action/index.htm
\_ death to the protesters. We need martial law. Every single protester on TV ended up being an unemployed laborer who basically wants us to pay $75 for a made-in-America Tickle Me Elmo. DEATH TO THE MEATHEADS! USE MORE RUBBER BULLETS!
\_ The TV coverage was biased beyond belief. You've been taken by the mass media. Use your mind, not your TV remote. The WTO is evil. One-World Government is evil. I don't hate you, but I do pity you. --eyes open, TV off
\_ PAT! PAT! PAT! PAT FOR PRESIDENT!!!! HE'LL SAVE US FROM THOSE ONE-WORLD FOREIGN JOB-STEALING DEVILS!!!!!!
\_ Pat is an idiot. I don't care about your job. I care about your air.
\_ This is called a "Denial of service attack", not a "sit-in". Don't kid yourselves, this is bordering on illegal, if not actually illegal. The webpage owners are setting themselves up for "Incitement to commit a crime" or something. And personally, I hope they get arrested on those charges.
\_ guess what, sit-ins are illegal too. And if you see how it is set up it won't do anything unless tons of people participate
\_ It would be far better to just have a petition, with thousands of names. Otherwise, it will be seen as a few hundred people trying to interfere with "progress". This is an artificial attempt to magnify the effect that a few hundred people can have. Because if it actually made thousands of people actually "sign" their names, clinton would actually listen.
\_ Are you really this stupid? Do you know the difference between a sit-in and a petition? Sheesh... kids.
\_ They're making the dangerous assumption that the average Joe actually *cares* enough to turn on his WebTV and point it at a WTO Web site in the first place . . .
\_ Who the hell do you think stopped the WTO today? The streets were packed with average Joes you cynical fuck nut.
\_ now THAT (unfortunately) will have an effect. Killing the web site with a DOS attack, will not.
\_ I chose not to participate in the DOS. It seemed pointless. I'm still opposed to the WTO and in favor of almost any protest opposing the WTO.
\_ For what it's worth the WTO is a serious issue, deserving a lot more attention than it's given in the media. Whether the US should be in the WTO is questionable, and bringing China into the WTO would be a blunder.
\_ WTO rules! Don't turn US into inward-looking Ming dynasty China! Unilateralism will make the US into a leader without followers!
\_ shut up achoi
\_ Who's that?
\_ Don't turn the US into a lackey of the One World Government. By the people, for the people. Not whatever tiny scrap of empowerment the OWG _lets_ you have. The WTO is evil.
\_ Fuck the WTO, the UN, and all One World Government stupidity.
\_ of course, this idea does not exclude the similar idea that the WTO rioters all deserve a swift kick to the head while being dunked in toilet water diarrhea. Moron fuck-ups.
\_ No. They deserve to be honored as the heroes they are. The anti-WTO protesters have a very clear idea of what's going on. If you looked up from your Quake3 once in a while and looked around, you might also. Death to the WTO and all other One World Government anti-people organisations.
\_ PAT! PAT! PAT! PAT FOR PRESIDENT!!! HE'LL SAVE US FROM THOSE FOREIGN ONE-WORLDER JOB-STEALING DEVILS!!!
\_ It's not about jobs. It's about clean air and water. |
| 1999/11/30-12/1 [Computer/SW/Mail, Computer/SW/Security] UID:16980 Activity:high |
11/30 Is there a way to use trn to connect to an NNTP server that
requires a login and password? -brianm
\_ trn4 supports NNTP authentication, and despite being in beta
for the last 4 years is more stable than 3.6
\_ Right. Where in the man page or documentation is the
explanation of how to actually authenticate? |
| 1999/11/22-24 [Computer/SW/Security] UID:16939 Activity:low |
11/22 http://www.landoverbaptist.org
\_ This is a parody Web site for those who haven't figured it out.
\_ No. We're complete and total morons who would be lost without you to explain things for us. If it wasn't for your brilliant guidance, we'd never have found the truth about Santa Claus or the Tooth Fairy either. (But please, can you tell us, is Trevor Buckigham for real? He's even more unbelievable than the Tooth Fairy...)
\_ TB is for real. Some of us have even met him.
\_ What? You're saying the TF isn't real? Then where'd all that money come from, wise guy?!
\_ No, the funny bit is the mailbag. -John
\_ No, the depressing bit is the mailbag. |
| 1999/11/20-22 [Computer/SW/Security, Computer/SW/Unix] UID:16927 Activity:moderate |
11/18 /var/mail at 100%. Got mail? Get rid of it..
\_ Root is evil! Buy more disk! Ride bike! Linux wouldn't have
run out of disk with the new beta3 of the mail compressing file
system, mcfs!!!
\_ we need philfs
\_ We already have philcompress. root can just use that on /var/mail.
-- ilyas
\_ philfs would use philcompress automatically though, and there's
no telling what other nifty features Phillip would include. |
| 1999/11/14-15 [Computer/SW/OS/Linux, Computer/SW/Security] UID:16879 Activity:nil |
11/11 Skey for Linux - Do you know how to compile it / where to get a version
that's later than 1995? Thanks!
\_ http://rpmfind.net
\_ rufus
\_ it sho' is hard to find, suh |
| 1999/11/14-16 [Computer/SW/Security, Computer/SW/Unix] UID:16871 Activity:high |
11/14 I know they're generally a pretty lame alternative, but how
would people/root/politburo feel about running a webmail server
on soda for folks who'd like to check their mail by browser?
Mind you, I'm not suggesting a public free mail server, but
currently I have nothing but proxied http net access, and I
wasn't about to suggest port-redirecting http on scotch to ssh
the way mconst did with telnet (yay!) I have been playing with
MailMan from http://www.endymion.com with the idea of having cron
move my mail to a restricted directory so I could read it via
shell account as well as browser. Has anyone ever considered an
https server on scotch/soda so http passwords wouldn't be sent
in cleartext? Just some thoughts... -John
\_ I'd prefer to respond to this over mail. --root
\_ in my personal experience, root usually replies something
and then just deletes my mail. fuck root.
\_ YOU NO CONJUGATING VERB MUST LIKING VERY MUCH ON
\_ What do these acronyms stand for?
BOAT GETTING GO TO BACK WHERE YOU COME FROM LEARNED
ENGLISH SO MANY DIFFICULT! -(fucker)
\_ Go home, fuckered, stop blabbering on the motd.
\_ At least (fucker) is funny. What have you
contributed recently?
\_ Fuck you. FOAD --Jon
\_ What does this acronym stand for?
\_ Heyyyy, take that back. meanness to roots is not
tolerated. you must write with respect.
--Consumer Affairs Department
\_ .forward
\_ Have you thought of getting non-proxy net access?
\_ I currently forward my mail from soda, and I have a mail
address and non-proxy net access with a provider. I
was simply playing around with ways to get my mail off
soda through a firewall for the fun of it, and thought that
maybe, perhaps, possibly, people might be interested in having
me invest some time to set it up. Obviously not, since
I haven't gotten any feedback except from the usual
too-chickenshit-to-sign-your-name peanut gallery. -John
\_ I never sign my name but I didn't add anything to this
thread until now. --too-chickenshit-to-sign-my-name-monkey
\_ install IMAP & TWIG on a machine with APACHE-SSL |
| 1999/11/10-12 [Computer/SW/Security, Computer/SW/OS/Windows] UID:16858 Activity:very high |
11/10 Anyone heard of a "BubbleBoy Virus"? Thx.
__/~*##$%@@@******~\-__
/f=r/~_-~ _-_ --_.^-~--\=b\
4fF / */ .o ._-__.__/~-. \*R\
/fF./ . /- /' /|/| \_ * *\ *\R\
(iC.I+ '| - *-/00 |- \ ) ) )|RB
(I| ( [ / -|/^^\ | ) /_/ | *)B
(I(. \ `` \ \m_m_|~__/ )_ .-~ F/
\b\\=_.\_b`-+-~x-_/ .. ,._/ , F/
~\_\= = =-*###%#x==-# *=- =/
~\**U/~ | i i | ~~~\===~
| I I \\
/ // i\ \\
( [ (( I@) ))) )
\_\_VYVU_/
|| * |
| * *\
/* /I\ *~~\
/~-/* / \ \ ~~M~\
____----=~ // /WVW\* \|\ ***===--___
MOTD NUKED
HAVE A NICE DAY
\_ It can be a problem if you run IE5 and Windows scripting host on
win98. In which case you deserve it. -John
\_ OrCAD still sucks
\_ Any URL where I can find a warning from CERN?
\_ Any URL where I can find a warning from CERT?
\_ If CERT issued a warning it would be on their web site.
Since it's not, they haven't bothered. They don't issue
alerts for every new MS virus or they'd be spending all
their time doing that.
\_ Open outlook. Go to Tools/options/security. Set to 'restricted'.
Go to IE's tools/options/security/restricted. Set everything to
disabled. Learn lesson that M$ never learned about keeping data
separate from code. Thou shalt not make active data types.
\_ Windows Update. Eyedog control ActiveX patch. Problem dealt with.
\_ obFormatHardDiskInstallLinux
\_ Linux? I thought we're talking about security not k00lness?
The mindless Linux crowd pisses me off just as much as the
equally ignorant Windows crowd. -pissed off by stupidity
\_ actually I'm a Windoze user that posted the ob comment
\_ Gach! Surrounded! It's hopeless!
\_ If you want extra secure use OpenBSD. If you want
complete security unplug your network from your computer.
\_ Never mind; I was high on crack at the time. -Phil
\_ Impersonating Phil in the motd should be a
squishable offense. Doing so as badly as
the above person should be a capital offense.
\_ But the network IS the computer. Phil told me!
\_ Non-Phil forgeries deleted. -Phil
\_ Non-Phil forgeries deleted. -Non-Phil
\_ damn philforge don't work worth a damn...
\_ be even more secure, unplug the computer.
\_ Whoa! This is stunningly original! Can I quote
you on this? |
| 1999/11/2 [Computer/SW/Security, Computer/SW/OS/OsX] UID:16811 Activity:insanely high |
11/1 How secure is the www Java ssh terminal? Can't someone still
intercept packets going through your browser?
\_ The real answer you're looking for is "No, not really". Don't
forget, the Java doesn't run on the site you got it from, it's
like a downloaded program and is run _locally_ in your browser.
The outgoing traffic is encrypted by the ssh code. _However_,
if someone really had it in for you, they could intercept the
ssh java code as you downloaded it the first time you went to
that URL and replace it with compromised java code. --dbushong
\_ or attach a debugger or read your process data via /proc...
\_ yes, if they have root access to your machine, kill -SEGV your
client and analyze the core file. But that's true for any
ssh client (not just the java version).
\_ if you're going to be that way about it, all they have
to do is intercept data going to/from your tty, and you'd
never know.
\_ I don't have a tty.
\_ or attach a debugger or read your process data via /proc or
just secretly replace the ssh binary or hack the socket
system calls to log or . . . Short answer: You must trust
root, because they can do anything they want to you.
\_ I don't trust root. I only use a Macintosh because it
has the best security. You never hear about Mac servers
getting broken into.
\_ That's because you never hear about Mac servers.
\_ What do you think Apple is running? Mac rulez,
unix dr00lez@!
\_ soda [12] telnet www.apple.com http
Trying 17.254.0.91...
Connected to www.apple.com
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 500 Server Error
Server: Netscape-Enterprise/3.6 SP3
Date: Tue, 02 Nov 1999 22:21:38 GMT
Content-length: 305
Content-type: text/html
Connection: close
Connection closed by foreign host.
Apple is running MacOS?
\_ Netscape for Macintosh, dummy! You dr00le!!!1
\_ There isn't an Enterprise for Mac. Look
at their web site. |
| 1999/10/30-31 [Computer/SW/Security, Computer/SW/Unix] UID:16798 Activity:very high |
10/30 I accidentally posted my hostname and root password to usenet. Help!
\_ how stupid are you? change the password, and get on with life.
\_ I DID! It was posted again! I think I have a virus! Help!
\_ I DID! It was posted again! I think I have a virus! Help!
\_ how stupid are you to respond to him?
\_ Help! I'm stuck under a bridge and can't get out! ACK! |
| 1999/10/25-27 [Computer/SW/Security, Computer/SW/Unix] UID:16765 Activity:very high |
10/24 alumni.eecs is down again. Could someone with root powers check it
out? thanks!
\_ mail root@alumni.eecs. heh.
\_ tried that before. no one checks root email there.
\_ I was joking.
\_ root@ucsee.eecs, http://ucb.org.ucsee
\_ actually, the machine itself is up (it's ping-able) but the telnet
service isn't. Been seeing some weird things with alumni/ucsee
machines today. :-(
\_ Time for a three-finger salute?
\_ REBOOT! REBOOT! REBOOT IS THE STANDARD!
\_ Hmm... single-user mode perhaps?
\_ Then a single-finger salute is in order.
\_ OK it's up, but old mail still needs to be delivered. Dunno whose
responsibility that is.
|__ Hey jon, feeling a bit tense about alumni.eecs?
\_ FOAD --jon
\_ PLUR --jon
\_ I'd help you but I quit for reasons that anybody, who has typed
uname on alumni, can figure out. The other sysadmins have
graduated. Given that you have a csua account, one wonders why
you would even want your alumni account back up. But if I have
any spare time from cs 152 I'll see if I can get it going again.
--jeff
\_ how about replacing alumni? would anyone be willing to do it
if I donate an old sparc lx?
\_ You really think a $50 computer will help?
\_ it's better than the current alumni.
\_ email jon@soda; he may be willing.
\_ I hate that machine. I don't know why I bother with it.
Fuck ultrix, fuck clueless users who think they are
entitled to services, and fuck flaky hardware. --jon
\_ what? are you mocking that bad ass DEC Station 3100
running Ultrix, the best OS ever?
\_ PLUR --jon
\_ FOAD --jon
\_ Well (speaking from some personal experience), not
only does alumni.EECS have the DS/Ultrix thing
going against it, but it also has a user base with
*just* enough crochety and clueless alums (who
don't seem to understand that the machine is run
by student volunteers rather than paid admins) to
make life as a sysadmin there incredibly annoying.
I appreciate having the "@alumni.EECS.Berkeley"
mailing address, and would be more than willing to
throw in my share of cash for a replacement
machine, but can understand why the current
caretakers would want to throw in the towel.
Maybe the dept. should take over the hostname for
some kind of mail-forwarding arrangement, or some
competent alum volunteers should step forward to
take a share of root-type responsibilities . . .
-- former root@alumni.EECS person
\_ Nonononono, as a crotchety clueless alum, I
insist we stand by tradition and have students
continue trying to support dead hardware running
a badly b0rken bsd clone from 10 years ago. I'll
tell ya, Back In My Day, we were lucky to have
a 4 meg sun 3/50 with swap mounted remotely on
another sun over a 10mbit shared networked. You
youngin's today... whine whine whine....
--- clueless crotchety alum
\_ FOAD --jon
\_ PLUR --jon
\_ FOAD --jon
\_ pardon my cluelessness but what is
FOAD an acronym for?
\_ you left out "and sharing the same
swap server with 20 other machines
was a small price to pay..."
\_ I thought of that but didn't want to
re-edit to add it in. Any other clueless
crotchety alum would've known what I was
talking about.
\_ FOAD --jon
\_ I volunteered less ancient h/w
before, but no one reads root email
on alumni. I think alums should
volunteer h/w, but sysadmin should
be a student service for someone who
wants to learn sysadmin stuff.
\_ PLUR --jon
\_ Its still down for some reason after a brief uptime...
\_ FOAD --jon
\_ Because it's an ancient piece of crap.
\_ It's back up now, so move your files off of it while there's
still time! (Oh yeah, and FOAD.)
\_ As an alum, I definitely wouldn't mind making donations of cash,
or hardware to keep alumni alive. This should be an organized
effort, though. Something that is sanctioned and kept alive
from generation to generation.
\_ Too late. The powers that be are talking about making a
subscription mail forwarding $ervice.
\_ alumni.csua.berkeley.edu mail forward? |
| 1999/10/16-18 [Computer/SW/Security, Computer/SW/WWW/Server] UID:16714 Activity:nil |
10/15 Apache on RedHat- set UserDir to public_html in httpd.conf,
with no specific directory permissions. I still get
"Forbidden You don't have permission to access /~{user}
on this server." What do I have to set to make this work?
\_ look in your error log for chrissakes. -tom
\_ Oh. Thanks.
\_ You likely need to make sure that both the public_html dir AND
the USER directory are WORLD executable. -crebbs |
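A check for the world-execute requirement crebbs describes, added here as an example (not Apache's own code): it walks from the account's public_html up to / and reports every directory lacking o+x, since httpd runs as its own unprivileged user and needs search permission on each component to reach /~user. The home path is taken from $HOME as an assumption.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// UserDirBlockers returns every directory on the path from "/" down to dir
// (inclusive) that lacks the world-execute (search) bit, listed top-down.
// Apache serves /~user as its own unprivileged user, so it needs o+x on each
// component it traverses: typically /home, /home/<user> and
// /home/<user>/public_html. Any missing bit produces the "Forbidden ...
// /~{user}" error quoted above. Added example, not Apache's own code.
func UserDirBlockers(dir string) ([]string, error) {
	p, err := filepath.Abs(dir)
	if err != nil {
		return nil, err
	}
	var blockers []string
	for {
		info, err := os.Stat(p)
		if err != nil {
			return nil, err
		}
		if info.Mode().Perm()&0o001 == 0 {
			blockers = append(blockers, p)
		}
		parent := filepath.Dir(p)
		if parent == p { // reached the filesystem root
			break
		}
		p = parent
	}
	// Stat walked bottom-up; reverse so the report reads from / downwards.
	for i, j := 0, len(blockers)-1; i < j; i, j = i+1, j-1 {
		blockers[i], blockers[j] = blockers[j], blockers[i]
	}
	return blockers, nil
}

func main() {
	// Assumption: the account's home is $HOME and UserDir is public_html.
	target := filepath.Join(os.Getenv("HOME"), "public_html")
	blockers, err := UserDirBlockers(target)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(blockers) == 0 {
		fmt.Println("every component of", target, "is world-searchable")
	}
	for _, b := range blockers {
		// The fix the thread gives: search permission for others only, no read.
		fmt.Printf("missing o+x on %s (chmod o+x %s)\n", b, b)
	}
}
```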
| 1999/10/15-17 [Computer/SW/Security, Computer/SW/Unix] UID:29932 Activity:kinda low |
10/14 /var/mail is full; clean up your crap!
top ten mail hosers:
jenlam 7488 jam 7832
tonytung 7968 alvinwoo 8232
ramses 8496 moraleda 8720
robin 8832 klee 9680
suzuki 12032 rico 12160
\_ Hey root, why don't you move these hozer's mail spools to
their home directories?
\_ root would rather have users police themselves. fucker.
\_ the various root users know that sometimes when
they try to deal with sloppy users' mail for them
they sometimes get "rm" confused with "mv". |
| 1999/10/13-14 [Computer/SW/Security] UID:16702 Activity:high |
10/13 So, say i want to ssh to another site that allows it. How do i do
it? "ssh siteName.com" returns the error that the host key is not
found and asks me over and over if i want to keep connecting.
\_ say yes you idiot.
\_ Well, I'll be damned. that WORKED! (o.k., o.k., in defense
of my idiocy, when was the last time you had to type in
"yes" to answer a computer's yes-no question? I typed 'y'
for fuck's sake. I even tried 'Y' just in case. But the
IDEA of typing 'yes' never even entered my mind.
\_ Obviously you are not an emacs user. You therefore
don't deserve to be able to ssh.
\_ If Cal gave you a degree, give it back. If not yet, drop
out and go to Stanford. |
| 1999/10/13-14 [Computer/SW/Security, Computer/SW/Unix] UID:16698 Activity:low |
10/13 Anybody know of a free proxy server out there? I just need something
very very simple no fancy features. Thanks.
\_ natd. much more transparent than using a proxy server.
\_ wingate or winroute.
\_ What type of Proxy? HTTP only? If so, Squid, Apache, & CERN
(listed in order of proxy-studliness - don't bother with CERN
anymore - apache's overkill for just a proxy, squid kicks ass)
\_ squid kicks its own ass. The only reason it stays up
is because the start script is basically
' while true; do squid ; done'
\_ is Squid GNU software? I couldn't find it on the gnu sites.
where can I find it? Thanks.
Password Thief Ransacks AOL
3:00 a.m. Password-stealing emails slip into AOL accounts and make off
with user passwords by the thousands, according to the email service
used to launch the attacks. Critics says it's the latest in a pattern
of neglect by AOL. By Chris Oakes.
\_ Thank you Wired News!
\_ "Password-stealing emails"? Is this social engineering, or some
K-RAD N3W PASSWURD ST3AL1NG HACK1NG V1RUZ????/???
\_ Standard "click on idiot.exe" in html email to send your password
to random account bullshit. The only fault AOL has is having a
browser available to it's customers that allows them to run an
.EXE from a hyper link. |
| 1999/10/13 [Computer/SW/Security] UID:16697 Activity:nil |
Password Thief Ransacks AOL
3:00 a.m. Password-stealing emails slip into AOL accounts and make off
with user passwords by the thousands, according to the email service
used to launch the attacks. Critics says it's the latest in a pattern
of neglect by AOL. By Chris Oakes. |
| 1999/10/11-12 [Computer/SW/Security] UID:16689 Activity:high |
10/10 Does sshd on soda have an idle timeout? Or is it something
that I need to configure on my client? I keep getting
"connection reset by peer" messages after about 10 minutes or
so.
\_ There's an option in ssh that lets you do keepalives. You
might also be behind a firewall that times out too quickly.
\_ Yeah, I'm aware of keepalives. It doesn't seem to help.
The firewall that I'm behind is a simple Linux ipchains
one. I don't *think* it has any idle timeouts. Weird.
\_ ipchains masquerading has a 15-minute timeout by default.
You can raise it to (say) one day: "ipchains -MS 86400 0 0".
See "man ipchains" for details.
\_ Thanks for the info. Is that 15 minutes default
timeout listed somewhere in the man page? I didn't see it.
\_ It's not in the manpage, but it is mentioned in
/usr/doc/HOWTO/IPCHAINS-HOWTO (section 4.1.5).
\_ Soda's keepalives are currently set for 24 hours, so if you're
getting hozed after ten minutes, something's fucked on your
end. |
| 1999/10/6-9 [Computer/SW/Security] UID:16672 Activity:nil |
10/6 When I am logged in via SSH, is all the data I type encrypted and
safe from sniffing, or just the login/password pair?
\_ All is encrypted using 3DES
\_ Oh boy, not RedHat again. Try linuxconf or netcfg or
appropriate module in /lib/modules/2.2.5/net
\_ and people who write dumb shit like this would be taken out
and beaten to death as the crowds cheer? |
| 1999/10/6-8 [Computer/SW/Mail, Computer/SW/Security] UID:16671 Activity:high |
10/6 What is the reason for ssh being suid root?
\_ ssh is setuid root for .shosts authentication. The client
connects to the server, proves its identity using its host
key, and then sends your username to the server. You can't
write a fake client that sends someone else's username because
the client connects from a reserved port (that's why it has
to be setuid root). You can't run a fake client as root on
your own linux box because you don't have the real client's
host key.
If you don't use .shosts authentication, your ssh client does
not need to be setuid. --mconst
\_ The remote server connects back to check or what? I don't
see how your description prevents me from hacking my own
client and handing them my own user generated server key.
\_ It checks against its own list of known keys
(in the system directory or the user's directory)
\_ Huh? Waitasec... so I hack my own client to
return a key I've created which I'm falsely
telling the server is a valid key for my host.
How does it know I haven't made a hacked client?
There's too many pronouns floating around
confusing me. Thanks.
\_ The server only trusts hosts it's talked to
before and saves their public keys for
future reference. The only way to spoof
that is break into the client and find its
private key (which is only readable by root
on Unix boxes so non-root people can't do
evil shit with it).
\_ Hmmm.. ok.. but what if the only prior
server contact was with my hacked client?
\_ Then the user was a moron if they
added your hacked client's key &
hostname to their .shosts
\_ the server /etc/known_hosts file is maintained
by the sysadmin. sshd won't add new hosts to it.
\_ Ok, got that. I still don't see why I can't
hack my own client to feed all bad info to
the remote server from first contact to
potential security violation. If my client
is the only source of info for the remote
server and I've hacked my client to send
false data, how does the other side know?
\_ it doesn't, but it has no reason
to care either. You only get to
login if your host is in the .shosts
and your key matches what the
server thinks your host key is.
Otherwise you lose. |
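A constructed model of the host-based (.shosts) flow mconst describes, added as an example rather than OpenSSH's code: an ed25519 key pair stands in for the root-only host key, the server keeps a sysadmin-maintained known_hosts and a per-account .shosts, and a client that forges a host key of its own fails the check even when it claims the right hostname. Hostnames, usernames and the session nonce are assumptions of the model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Constructed model of the .shosts flow mconst describes; not OpenSSH's code.
// Only root can read the host's private key (hence the setuid client); the
// sysadmin maintains known_hosts; .shosts lists "host user" pairs per account.

// HostKey stands in for the host key pair: public half published, private
// half readable only by root on that host.
type HostKey struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewHostKey() HostKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return HostKey{pub, priv}
}

// LoginRequest is what the client sends: the claimed host and user, plus a
// signature over (session nonce, host, user) with the host's private key. The
// nonce is this model's assumption standing in for the protocol's session binding.
type LoginRequest struct {
	Host, User string
	Sig        []byte
}

func authMessage(nonce []byte, host, user string) []byte {
	return append(append([]byte{}, nonce...), []byte(host+"\x00"+user)...)
}

func signRequest(k HostKey, nonce []byte, host, user string) LoginRequest {
	return LoginRequest{host, user, ed25519.Sign(k.Priv, authMessage(nonce, host, user))}
}

// Server holds the sysadmin-maintained known_hosts and each account's .shosts.
type Server struct {
	KnownHosts map[string]ed25519.PublicKey // hostname -> trusted host public key
	Shosts     map[string][]string          // target account -> "host user" entries
}

// Authorize applies the two checks the thread ends on: the signature must
// verify under the key known_hosts already holds for the claimed host, and the
// (host, user) pair must appear in the target account's .shosts. A hacked
// client can claim anything, but without root's private key it cannot make a
// signature that matches the key the server stored.
func (s Server) Authorize(nonce []byte, target string, r LoginRequest) (bool, string) {
	pub, ok := s.KnownHosts[r.Host]
	if !ok {
		return false, "host not in known_hosts"
	}
	if !ed25519.Verify(pub, authMessage(nonce, r.Host, r.User), r.Sig) {
		return false, "signature does not match the stored host key"
	}
	for _, entry := range s.Shosts[target] {
		if entry == r.Host+" "+r.User {
			return true, "ok"
		}
	}
	return false, "host/user pair not in .shosts"
}

// Scenario runs the thread's three cases against one server; hostnames and
// usernames are constructed. Returns whether each login was accepted:
// genuine client, forged client using its own key, genuine key but a user
// absent from .shosts.
func Scenario() (genuine, forged, wrongUser bool) {
	soda := NewHostKey()     // real host key, private half root-only on "soda"
	attacker := NewHostKey() // key generated on the attacker's own box
	srv := Server{
		KnownHosts: map[string]ed25519.PublicKey{"soda": soda.Pub},
		Shosts:     map[string][]string{"alice": {"soda alice"}},
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	genuine, _ = srv.Authorize(nonce, "alice", signRequest(soda, nonce, "soda", "alice"))
	forged, _ = srv.Authorize(nonce, "alice", signRequest(attacker, nonce, "soda", "alice"))
	wrongUser, _ = srv.Authorize(nonce, "alice", signRequest(soda, nonce, "soda", "mallory"))
	return genuine, forged, wrongUser
}
```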
| 1999/10/4-5 [Computer/SW/Languages/Misc, Computer/SW/Security, Computer/SW/Unix] UID:16660 Activity:high |
10/4 does anyone know how to script the password for rsync over ssh?
\_ Don't. Instead use RSA rhosts, that is: on the target machine
(the one you'll be sshing _to_), put the hostname and username
you'll be sshing from into the file ~/.shosts (man rhosts for
format). Then make sure you ssh at least once from the target
machine and the target account _back_ to the machine you'll be
normally running rsync on to get its host key in place. Then
your script won't need to type a password, but it's much much
more secure than a real .rhosts file. Yadda yadda.. security
risk since you don't need to type a password as that user yadda
yadda. --dbushong
\_ huh? No, use the authorized_keys file, to avoid
spoofing.
\_ This is the approach I've used. --PeterM |
| 1999/9/30-10/2 [Computer/SW/Security] UID:16630 Activity:moderate |
9/29 This is probably a dumb question, but why don't .htaccess files
work on soda? I am guessing it has something to do with web access
loads and the such but I was just wondering if there was some sort
of official reason.
\_ They do work, but there are some things they won't do. What
problems are you seeing with them?
\_ Trying to do server side javascript includes and just simple
password security. More just to see how they are done than
anything else so it is not that important -fucking moron
\_ I'm not sure about the javascript includes, but the password
security stuff should work if you get it configured
properly.
\_ The official reason is that you are a fucking moron. This
is supported by your inability to sign your post
\_ And where's your signature?
\_ Hey! That's not fair! Don't bring facts into this! |
| 1999/9/28-30 [Computer/SW/WWW/Server, Computer/SW/Security] UID:16614 Activity:high |
9/28 Hi -- say I'm using apache+openssl, but I'm using basic (not digest)
http authentication for a dir under https; is that initial password
transaction encrypted over ssl? In other words, do I make basic http
auth more secure (non-sniffable) by using openssl, or am I still
screwed. Yes, I could sniff the packets, but I'm lazy:)
\_ Get your lazy ass outta your chair, pick up your Visa, and buy
Stronghold!
\_ apache+openssl is working fine and free -- I just had the
above question, that's all. Do ya know the answer?
\_ And illegal in the US, but who cares about that...
\_ They can have my STRONG CRYPTO when they pry
it out of my cold, dead hands!!!!~@~@!!!@~@!@!
\_ You'd be the first to give up your strong crypto
when the MIB show at your door. Talk is cheap.
\_ It's not the men in black coming after you
it's RSA's lawyers with patent infringement
lawsuits.
\_ What color suits do lawyers tend to wear
these days?
\_ if you're too damn lazy to run "tcpdump port 443 | strings", you
deserve to get hacked, then fired.
\_ I think a more important issue (it turns out) is client
caching of the password, so it's a bad idea anyway....
\_ I thought it was legal as long as you didn't use any of the
patented crypto code like idea and rsa. --marc
\_ I refuse to use anything unless my use is considered a
violation of patent, copyright, or arms control laws. |