Computer SW Security - Berkeley CSUA MOTD
2001/4/22 [Computer/SW/Security, Computer/SW] UID:21052 Activity:very high
4/21    Do you like to code/hack?
        \_ Yes.
        \_ hack is a dirty word.
           \_ to "professionals", yes, but what about crypto and software
              and computer pioneers?
              \_ to me, it means "threw together code quickly without
                 much forethought", does it mean different to other people?
2001/3/22 [Computer/SW/Security] UID:20880 Activity:nil
3/20    tom's ridiculous and endless whining about ssh purged.  if tom was a
        man he'd give himself twink points every time he brings it up.  you
        can login. ssh1 works fine.  now stfu and get over it.
2001/3/21-22 [Computer/SW/Security] UID:20875 Activity:low
3/20                            \_ what about the broken sshd?  -tom
                              \_ It's not broken. It works fine for SSHv1
                                 and OpenSSH clients. Get a different client.
                                \_ what would you call a server that violates
                                   protocols?  I would call it broken.  The
                                   fact that openssh clients also violate
                                   protocols doesn't make the server any
                                   less broken.  And, once again, there's
                                   ABSOLUTELY NO ADVANTAGE TO USING OPENSSH.
                                    -tom
                                    \_ Totally there is!  Open source!
                                    \_ Why don't we run both versions? Run
                                       the non-OpenSSH version of port 69
                                       so that tom will shut up.
                                   \_ Uh, it's free and it comes preinstalled
                                      with *BSD, MacOS X, Linux, etc.
                                      WTF would I want to download something
                                      extra from http://ssh.com that isn't nearly
                                      as well audited as OpenSSH and isn't
                                      free for corporate users?
                                        \_ what difference does it make
                                           whether it's free for corporate
                                           users?  You would want to download
                                           it because IT SUPPORTS MORE CLIENTS.
                                           Are you really this stupid?  -tom
                                           \_ Because some of us are corporate
                                              users, not gub'ment 'ployees.
                                                \_ we're not talking about what
                                                   you install in your cube.
                                                   you can connect to soda
                                                   if it's not running openssh.
                                                     -tom
                    http://ssh.com's ssh server doesn't like _/
                    OpenSSH clients and it doesn't like
                    NiftyTelnet SSH on the mac (ie it will
                    randomly drop my connection and scp
                    doesn't work right), both of
                    which currently work with soda's
                    OpenSSH server. No reason to switch
                    since switching would reduce the
                    number of clients that are supported.
                        \_ Bullshit.  I am using both openssh clients and
                           NiftyTelnet with http://ssh.com's server and they work
                           fine.  -tom
                                   \_ since you clearly are not making any
                                      progress getting the powers that be to
                                      switch from OpenSSH, why don't you
                                      harass the OpenSSH people and get them
                                      to fix it?
                                   \_ So, you like the added bloat of having
                                      to start the ssh1 daemon every time an
                                      ssh1 client connects? Once OpenSSH
                                      supports session rekeying (promised in
                                      the next major release) there will be
                                      no reason not to use OpenSSH.
2001/3/21-22 [Transportation/Car, Computer/SW/Security] UID:20873 Activity:very high
3/21    Went for a regular cleanup but the medical bill sez the doc did
        root canal and 6 x-rays. It said I had to pay 20% of the copayment
        to the doc but the doc sez to just ignore it. what's going on
        and what should i do 'bout it?
        \_ mmm, medical insurance fraud.
        \_ the doc over-charges.  If the actual charge is $100, the doc
           is reporting the cost to be $120, so the $20 you supposedly
           need to pay is included in the overcharged amount.  It is a
           win-win situation for you and your doc.  Pretend that you
           don't know about it and play along.
           \_ I already paid a fuckin $10 copayment, and the insurance is
              paying $725 for a $50 cleanup. What the fuck?
              \_ it's called fraud.  If you're annoyed about it talk to your
        \_ If that's the case, I think you should also charge the doc 20%
           for your "services".
                insurance provider to get yer doc busted.
        \_ This is why medicare and medicaid are going bankrupt.  As a
           taxpayer, thanks!
           \_ Do you even know what medicare is?  If you did you would
              be able to figure out that the original poster isn't even
              qualified for it.
        \_ liberal solution: spend more on medical/care to cover
           the fraud. IT'S FOR THE CHILDREN!
                \_ Yeah, totally.  I'd pay anything and give up all my freedoms
                   so long as it was for the children.
        \_ That's your frequent flyer miles rebate.
        \_ I read an article in Smartmoney magazine saying that
           doctors are not earning as much as they used to.  Many are
           working longer hours, selling their Porsches, and putting
           their children in public instead of private schools.
           Also, they no longer small talk or develop a personal
           \_ They make the same, but they have to work harder for it.
              Tough. For $350,000 they can deal. There's a lot of
              competition driving down prices. Most of my doctors don't
              even charge me the co-payment (they "forget") so it's not
              like they miss that extra $10 from each patient. The fee
              schedule is all out-of-whack with reality thanks to HMOs.
              For example, buying a certain medication through my HMO =
              $10 copayment. Buying it "without insurance" = $6.50. That's
              why I *always* ask how much the drug is retail cost, and
              it's not limited to drugs. The HMOs are screwing the doctors
              and the patients. --dim
              \_ But HMOs are FOR THE CHILDREN!  Don't you care about THEM!?
           relationship with their patients but go right to the
           diagnosis in a production line manner.
           \_ And this is supposed to excuse fraud?
           \- If this has really happened to you, you have an obligation to
           bring it up. It'd be really bad to let them get away with this. This
           is hardly a Jean Valjean stealing a loaf of bread.
2001/3/21 [Computer/SW/Security] UID:20865 Activity:very high
3/20    Hi.  it appears that people have been flaming ][e about vp-like
        administrative policies.  In the future, please direct the mail
        to vice-president@csua.berkeley.edu (duh). - paolo
        \_ Jon's just pissed 'cuz he did more work than he had to
           \_ He's under no contractual obligation to do anything if he
              doesn't want to.
              \_ Just as the VP is under no obligation to do his job if
                 he doesn't want to.  I guess he should email politburo
                 about it.
                 \_ Actually, the VP has obligations as outlined in the
                    CSUA Constitution.  If he is unable to perform these
                    duties, he should resign.
           \_ he should email vp about it then. - paolo
              \_ I have paolo.  I'm still waiting for you to do your job. -Jon
                 \_ i'm not seeing anything new to root or vp, unless it's
                    the .43 net thing which is solved already. - paolo
                        \_ what about the broken sshd?  -tom
                              \_ It's not broken. It works fine for SSHv1
                                 and OpenSSH clients. Get a different client.
                                \_ what would you call a server that violates
                                   protocols?  I would call it broken.  The
                                   fact that openssh clients also violate
                                   protocols doesn't make the server any
                                   less broken.  And, once again, there's
                                   ABSOLUTELY NO ADVANTAGE TO USING OPENSSH.
                                    -tom
                                    \_ Totally there is!  Open source!
                                      with *BSD, MacOS X, LinSUX, etc.
                                    \_ Why don't we run both versions? Run
                                       the non-OpenSSH version of port 69
                                       so that tom will shut up.
                                   \_ Uh, it's free and it comes preinstalled
                                      with *BSD, MacOS X, Linux, etc.
                                      WTF would I want to download something
                                      extra from http://ssh.com that isn't nearly
                                      as well audited as OpenSSH and isn't
                                      free for corporate users?
                                        \_ what difference does it make
                                           whether it's free for corporate
                                           users?  You would want to download
                                           it because IT SUPPORTS MORE CLIENTS.
                                           Are you really this stupid?  -tom
                                           \_ Because some of us are corporate
                                              users, not gub'ment 'ployees.
                                   \_ since you clearly are not making any
                                      progress getting the powers that be to
                                      switch from OpenSSH, why don't you
                                      harass the OpenSSH people and get them
                                      to fix it?
                                   \_ So, you like the added bloat of having
                                      to start the ssh1 daemon every time an
                                      ssh1 client connects? Once OpenSSH
                                      supports session rekeying (promised in
                                      the next major release) there will be
                                      no reason not to use OpenSSH.
                           \_ That's an old thing that he isn't fixing, not
                              a new thing.
                                \_ well, like Jon said, he's not doing his
                                   job.  -tom
                                   \_ It's a student .org.  No one cares but
                                      you.  Run for VP.  Oh wait, you can't.
                \_ what the fuck are you bitter, insignificant
                   poor suffering morons whining about?
                   \_ lack of asian chic?
                      \_ azn chix p.
                         \_ SKY?  Is that you SKY?  Is Muchandr dead?
                            \_ Muchandr is not dead, but he looks like a shadow
                               of his former rambunctious self, haunting
                               Berkeley downtown.
2001/3/19-20 [Computer/SW/Security] UID:20846 Activity:moderate
3/19    Hi, I'm looking for a simple encryption program for PC/w2k.  I want to
        create a directory and everything I copy into that directory gets
        encrypted.  It can pop up a window and ask me for a passphrase.  That's
        not a big deal.  Is there something simple like that?
        \_ There was something or other PGP that could encrypt a partition...
           \_ PGPdisk
        \_ store your porn offsite. it'll be safer there.
2001/3/15 [Computer/SW/Unix, Computer/SW/Security, Computer/SW/OS] UID:20794 Activity:nil
3/14    My saiden/cory account is disabled and my
        http://www-inst.eecs.berkeley.edu/~myself page is gone. If I'm a grad
        student how long do I get to keep my account? I'd love to have
        http://www.cs.berkeley.edu/~myself to be up forever.
        \_ nmap http://www.cs.berkeley.edu to figure out what OS its running.
           Get out your root kit for that OS and get root.
2001/3/14 [Computer/SW/Security] UID:20773 Activity:high
3/13    When I ssh from my computer to this one machine, I get:
        No agent.
        But when I go to a different machine I get:
        Connection to authentication agent opened.
        How do I fix the "no agent" problem?
        \_ Let me read your mind...
2001/3/13 [Computer/SW/Security] UID:20768 Activity:nil
3/12    What command do you use to generate a new /etc/ssh_host_key and
        /etc/ssh_host_key.pub for a new machine?
2001/3/13-14 [Computer/SW/Security] UID:20765 Activity:low
3/12    Need a secure way to encrypt files?  Try Pig Latin!
        (and you thought all those Pig Latin routines you learn in 61A would
        goto waste)
        http://www.cnn.com/2001/TECH/internet/03/12/napster.02/index.html
        \_ Uh huh....
        \_ Okay, so it is illegal to systematically un-Pig-Latinify the file
           names.  But what excuse does Napster have to not simply
           Pig-Latinify the list of song names that it's supposed to block,
           and match the new list with the file names?  There's no law
           saying you can't compare encrypted info with encrypted info, right?
2001/3/10-12 [Computer/SW/Security] UID:20745 Activity:high
3/9     Whenever I attempt to scp something, I get the following error:
          "Warning: no access to tty (Bad file descriptor).
          Write failed flushing stdout buffer.
          stty: stdin isn't a terminal
          write stdout: Broken pipe"
        How do I fix this?
        \_ Remove stty & similar settings from .cshrc/.login/.profile or
           put them inside 'if ($?prompt)' so they don't run when scp
           connects
           \_ What other sorts of things should I check for?  It's still broken
              but there's a different error now.
           \_ whats the best way to check for that for sh/ksh?
              \_ 'if ($?prompt)' is a shitty hack by a newbie.
                 The correct way to do this in any shell is via tty.
                 Put the interactive stuff in your .profile into the
                 following wrapper:
                 if tty -s > /dev/null 2>&1 ; then
                 : # your interactive stuff here
                 fi
                 \_ don't use "tty -s".  use "test -t 0"
                    \_ "test -t 0" is not portable, "tty -s" is.
                       Some of us still have accounts on older
                       machines and need a portable .profile.
        \_ Somewhat related: don't put interactive programs in your dot files
           either.  Some coder monkey put "more blay.txt" at the end of his
           .cshrc and then complained to me that scp hadn't been working for
           a month.
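
The tty guard from this thread, as an added example that is not part of any post above: it sources a constructed .profile with stdin detached from a terminal (as happens when scp starts the remote shell) and counts the bytes the file emits. The function names, the sample `stty`/`echo` lines and the temp paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration (constructed; not code from the thread).
# scp speaks its own protocol over the remote shell's stdin/stdout, so any
# byte a dot file prints before scp starts corrupts the transfer.

# write_profile KIND FILE
#   Writes a constructed .profile whose "interactive stuff" (an stty call and
#   a greeting) is wrapped in one of three guards:
#     none - no real guard (always runs), the broken case from the thread
#     tty  - the "tty -s" guard
#     test - the "test -t 0" guard
write_profile() {
    case "$1" in
        none) guard="true" ;;
        tty)  guard="tty -s >/dev/null 2>&1" ;;
        test) guard="test -t 0" ;;
        *)    return 2 ;;
    esac
    cat > "$2" <<EOF
if $guard; then
    stty erase '^H'
    echo "Welcome back"
fi
EOF
}

# noninteractive_noise FILE
#   Sources FILE in a child shell whose stdin is not a terminal and prints
#   the number of bytes it wrote to stdout and stderr combined.
#   Anything above 0 is output that would land in scp's data stream.
noninteractive_noise() {
    sh -c '. "$1"' sh "$1" </dev/null 2>&1 | wc -c | tr -d ' '
}

# demo: build the three constructed profiles and report the stray bytes.
demo() {
    dir=$(mktemp -d) || return 1
    for kind in none tty test; do
        write_profile "$kind" "$dir/profile.$kind"
        printf '%-4s guard: %s stray bytes\n' "$kind" \
            "$(noninteractive_noise "$dir/profile.$kind")"
    done
    rm -rf "$dir"
}

demo
```

Both guards leave the non-interactive session silent; only the unguarded file produces output, including the stty complaint about stdin.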
2001/3/9 [Computer/SW/Security, Computer/SW/OS/Solaris] UID:20737 Activity:nil
3/9     I guess IBM joins M$ as a company whose platforms you can't trust
        for ecommerce:

        http://www.theregister.co.uk/content/8/17467.html

        Ever since they got on the "LinSUX" bandwagon, the IBM of old (the
        one whose information systems defended the governments of the free
        world) seems to be slowly but surely disappearing.
        At least there is still Trusted Solaris and OpenBSD.
2001/2/22 [Computer/SW/Security] UID:20646 Activity:nil
2/20    How come we are still running OpenSSH 2.3.0? Shouldn't
        we upgrade to the newer 2.5.1?
        Also I've read up on that IDEA cypher that tom keeps asking
        for, it turns out that IDEA is deliberately omitted from
        OpenSSH because there is a big security hole associated
        with it. I'm not sure why he wants it anyway, as the other
        supported methods are much better.
         \_ Let me try to explain this one more time.  We have a choice of
            using a server which will support whatever client one of our
            users is using, with whatever configuration they want to use.
            Or we can use OpenSSH.  No one has put forth a reason why
            OpenSSH is even theoretically better.  So why are we running it?
             -tom
                \_ Because it's open and open is kewl.  Ride bike!
            \_ OpenSSH is as good as FSecure in terms of protocol support
               and because its auditing practices are like OpenBSD it is
               proactively secure. Who knows what buffer overflows are in
               the commercial closed source alternatives. Besides, Tatu
               is a much more immature punk than Theo de Raadt.
                \_ OpenSSH is absolutely not as good as FSecure in terms of
                   protocol support.  OpenSSH does not support session
                   re-keying, which is a required part of the ssh2 protocol.
                   The ssh server from http://www.ssh.com also supports this, and
                   is, of course, open source.  -tom
                   \_ Okay explain to me why you need session re-keying.
                      And Tatu's ssh from http://ssh.com may be "open source",
                      but there are serious restrictions on who can and
                      cannot use it. OpenSSH has no restrictions.
                        \_ I need session re-keying because IT IS A
                           REQUIREMENT OF THE PROTOCOL and therefore
                           PROPERLY-FUNCTIONING SSH2 CLIENTS DO NOT WORK
                           WHEN CONNECTED TO OPENSSH SERVERS.  How many
                           times does this need to be explained?  -tom
                           \_ Whatever. What is re-keying anyway?
                              What does it do and why is it needed
                              by the protocol? I mean SSH v2 seems
                              to work fine without it when using
                              OpenSSH. Are you just being ANAL again?
                                \_ Leave your ssh2 client idle for an hour or
                                   so when connected to an openssh server.
                                   It will freeze eventually and that makes
                                   SSH2 protocol support in OpenSSH useless for
                                   people who need it.
        \_ The fact that openssh does not support rekeying made its
           ssh2 protocol support nearly useless. Has this been fixed in 2.5.1?
           \_ Just short by one feature.  No big deal.
              \_ This is a big deal for sites that need a working ssh2
                 protocol support
                 \_ soda doesn't need ssh2.
        \_ fsecure ssh 2.3 and earlier have a flaw in their HMAC code.
           this is documented along with the openssh lack of rekeying:
           http://www.openssh.com/faq.html#2.3 --jon.
2001/2/22 [Computer/SW/Security] UID:20644 Activity:nil
2/21    Using Fsecure's (ssh v2.0.13) i attempted to do a very large scp -r
        which began fine and copied about 223 megs of files before it hung and
        is not doing anything. On two other machines i got about 13 (of a
        planned 70) megs worth of files transferred before it stopped and hung
        there.  Has anyone experienced anything like this?  What is going on?
        What should I do?
        \_ Use OpenSSH. I copy gigs (cd images) with it and have had no problem.
            \_ thanks, but i already had an rsync binary for these systems and
               i just popped that on there and ran it over ssh and all was well.
2001/2/21 [Computer/SW/OS/Linux, Computer/SW/Security] UID:20637 Activity:nil
2/19    http://www.securityfocus.com/bid/2364
        Potentially major security hole in linux kernels up through 2.2.18
        \_ Shocking.  A security hole in a linux kernel... who wooda thunk it?
        \_ no. it is _all_ kernels, we verified this last night
           you want to change, in /usr/src/linux/sysctl.c (around line
           1125), the line that reads int l, len to size_t l, len. - paolo
2001/2/17 [Computer/SW/Security] UID:20620 Activity:moderate
2/16    Anyone here running SRP telnet? The URL is:

        http://www-cs-students.stanford.edu/~tjw/srp

        It looks better than SSH (no lawsuit, Open vs. DataFellows, etc).
        I know it's from the farm (but hell, some of us are grad students there).
        \_ I wrote some papers with Tom, he's a pretty sharp guy.  I think
           SRP is more secure than SSH, the only problem is that nobody
           uses it.  Also, if I recall correctly, it doesn't encrypt
           anything after the login.
2001/2/16-18 [Computer/SW/Security, Computer/SW/Unix] UID:20609 Activity:kinda low
2/16    I've got a (very) remote Solaris 7 box that I lost the root password
        to (been a long time). I do have a non-privileged account on the box.
        Box is on the internet and it's not been patched in awhile.  Any
        suggestions on methods/tools to recover root? I hate to have to go
        cross-country and hook up a CDROM drive to it. TIA (and sorry, no,
        I cannot post the hostname)
        \_ yeah, I also lost the soda root pw, and can't get to the box to hook
           up a CDROM. Any ideas?
        \_ Uh huh.  "You" have a remote Solaris 7 box that "you lost" the root
           password to, and you need help to get it "back".
        \_ I'd suggest a search on www.wannabe-hacker-dork-info.com  Look,
           if you can't find very basic info like this on the net, you have
           no business having root to anything.
        \_ Giving you the benefit of the doubt, you should probably at least
           identify yourself if not the hostname if you want to have at least
           a chance of the rest of the motd monkeys treating you as anything
           other than a wannabe script kiddie. Requests like this are obviously
           by default suspicious, and anonymity only solidifies certain
           assumptions.
2001/2/15 [Computer/SW/Security] UID:20602 Activity:very high
2/14    I can't connect to soda using SSH Secure Shell from SSH Communications
        Security.  I know I can use TTSSH, but is this normal?  I get
        a "Packet integrity error".  I can connect via SSH1 to other
        computers ...
        \_ I believe this is what tom keeps complaining about. Why don't
           you get a different SSH client.
           \_ or just get rid of tom's account.
                \_ why don't we get a working SSH server?  F/Secure implements
                   the protocol correctly.  -tom
2001/2/13 [Computer/SW/Security, Computer/SW/OS] UID:20580 Activity:nil
.nuS eht morf detapissid si taeh woh sa yaw emaS _\
.toidi ,loof a eb t'noD  ?flesruoY _\
!toidi na ton s'ohw enoemos _\
.lairetam  gnilooc a gnitalba ro gnitaropave ni ssam fo tol
 a etsaw ot tnaw uoy sselnu ,eciohc ylno rey s'ti ,erehpsomta
on evah uoy nehw tub ,si noitcudnoc sa taeh fo dir gnitteg ta
tneiciffe sa t'nsi noitaidar ydob kcalB  .srotaidar esu yeht _\
ME ycneuqerf wol ,derarfni _\
.niaga gnitsop erofeb "eulc" pu gnikool yb trats
ot tnaw thgim uoy ,yranoitcid eht fo gnikaeps
dna ,hO  .noitseuq eht gnisserdda yaw yna ni ro
 gnirewsna yllautca tuohtiw ,noitamrofni
deriuqca ylisae htiw pu flesmih gniffup
 si loof siht taht gniyas m'I yllautca ,oN _\
.suoixonbo dna diputs gnieb tsuj erew
uoY  .uoy pleh t'now yranoitcid eht tub yrt eciN _\
.llew
 sa "suoiceps" dna "citnames" spahreP  .yranoitcid
eht ni "yrtsihpos" pu kool -- pleh deen uoy spahreP _\
.muucav a si ecaps taht esimerp eslaf eht n desab si
"...woh ]ps[mucav a si ecaps fI"  .si ti tahw rof tcaf fo
noitcerroc elpmis a esingocer ot sseleulc oot era sretsop
dtom emos ,yletanutrofnU  .gniyas saw I tahw s'tahT  .seY _\
.muucav a ton si ecaps taht yas ot gniyrt tsuj si sih kniht I _\
?seicnavelerri citoidi gnituops tsuj
uoy era rO  ?taeh tnacifingis sevomer sag fo ytisned wol
siht taht tressa ot gniyrt uoy erA  ?tniop ruoy s'tahW _\
.derusaem yllanosrep
t'nevah I  .yas yeht oS  .ecaps peed ni sretemitnec cibuc 01
rep mota negordyh 1 ylhguoR  .muucav erup/eurt a t'nsi ecapS _\
?tfarcecaps a ni detapissid taeh si woh mucav a si ecaps fI     21/2

.stsop dtom ruoy sa devirtnoc dna sseltniop
sa si efil ruoy esuaceb esuoh eht fo tuo ssa tnagorra
,taf ,yzal ruoy gnikcik si mom rey ,sdrow rehto nI _\
.naelc ot ssel reh sevael ti sa tnemegnarra wen eht ekil
lliw diam ehT  .oot ,htnom txen esuoh eht gnitaroceder
,haey hO  .dtom eht tide ot emit evah llits I dna %01 ni
gnittup ,serugif 6 elbatrofmoc gnikam m'I ,serianoillim
-itlum-itlum-itlum era stnerap ym ,rehgih si egagtrom yM _\
                )hcus dna stnemtsevni aiv erom nrae
I tub ,ssel si yralas yM .gniht erugif 6 taht
drawot emocni yralas-non redisnoc t'nod I ,WTB(
.hcir
 eldi eht fo rebmem eb ot noos - .detsevnier era
sdnedivid rehto eht lla ,nwo I dnuf latum elgnis a no
sdnedivid yb derevoc si erutidnepxe ylraey ym tub
,tnempiuqe retupmoc ro sehtolc yub I yllanoisaccO
.)om/ecnanetniam 02$ ,om/ecnarusni 05$ ,om/sag 05$(
rac ym dna )om/96$( LSD era evah I stsoc gnirrucer
ylno ehT .ereht stsoc no kcab tuc I os ,stnerap ym
htiw emoh ta evil I .tnuoocca tekram yenom ym otni
yltcerid tser eht ,PPSE ot %01 ,)k(104 ot %51 m'I _\
.ekam ew hcum woh
fo daetsni dneps ew elttil woh no etepmoc ot deen ew taht das
s'ti hguohtlA  .rehtie serugif 6 gnikam ton m'I dna ,)k(104
ym ot %11 gnitubirtnoc dna )elbitcuded-xat-non( stnerap ym ot
om/K1$ gnidnes dna htnom a tnemyap egagtrom 0062$ gnikam m'I _\
.rehtie serugif 6 gnikam ton gnikam m'I
dna tnuocca tekram yenom ym otni tisoped tcerid yb raey
 a K04 ~ gnivas m'I ?K54 ~ ?ekam uoy od hcum woH .K02 ylnO _\
yug lagurf-  .serugif 6 gnikam ton m'I dnA  .yaw taht
raey a K02 gnivas ot elba m'I  .tnuocca taht morf wardhtiw reve
TON OD dna tnuocca sgnivas a otni kcehcyap ruoy fo noitrop a tup ot
tisoped yllacitamotua esU  !siht thguorht tnew ew thguoht I ,yeH _\
!lreP _\
.yenom hcum oot stsoc elif txet a ,ekorb era uoy fI _\
.siht od ot elif txet nialp a esu tsuj I _\
.txen eht ot refsnart dna egap a fo mottob eht ta pu ti ddA
.)esnepxe( - ro )tisoped( + saw ti fi drocer uoy erehw eno tsal a
 dna noitpircsed a ni etirw uoy erehw rehtona ,noitcasnart a fo
etad eht ni etirw uoy erehw nmuloc eno evah uoY .sselyap ro sgnol
morf koobeton 01.0$ a gnisu ekam nac uoY .regdel a dellac stI _\
.teehsdaerps yna naht siht ta retteb era yenoM tfosorciM dna nekciuQ _\
.sesnepxe ym kcart gnipeek
trats ot teehsdaerps gnikcik-ssa na rof gnikool ma I .ekorb ma I    21/2

.haissem repel ot woB _\
   ?toidi na tsuj uoy era ro tniop a evah uoy oD _\
 .)lairetam deripxe
thgirypoc tsael ta ro( lagel yletelpmoc gnirahs elpoep
 rof redrah ti sekam tsuj retspan nwod gnisolc taht si
ssenisub retspan elohw siht tuoba dnatsrednu t'nod I tahW _\
 .roop me ekam
.seibab yrc eht dna esuac eht era yehT .acillatem ttocyob _\
.erehwyna taht ees t'ndid I  ?meht tsniaga delur egduj ehT _\
!  /daolnwod/moc.hsemi.www//:ptth ta hsemi
tuokcehc ,tuokcalb retspaN a tuoba deirrow era uoy fo yna fI    21/2

.siht gnidaer er'uoy fi uoy era os tub
driew tib A  .enod llew yreV  ."?uohT trA erehW ,rehtorB hO" ees oG     21/2

neuy --  ?nekorb si gnihtemoS  .eromyna taht od
t'nseod ti yadot tuB  .drowssap emit-eno eht rof sksa dna yek eht
stnirp ti erehw ptf TN ym htiw krow ot desu tI  .egnarts s'tahT _\
?dnammoc laretil eht hguorht esu nac I dnammoc
a ereht si .drowssap emit-eno eht retne ot tpmorp on
si ereht tub yeks htiw ptf 59niW esu ot gniyrt ma I    21/2

P:  nedraG evilO ro s'noyL _\
.deirram teg ro pu ti eviG  .demood er'uoY _\
.daetsni kooc
ot dediced--hpargeleT no airottarT inazzaM ta noitavreser
 ym dellecnac tsuj I ,oslA  .yadrutaS no dekcehc I nehw
tfel ecaps dah yeht ,egelloC no anailiciS al airottarT yrT _\
 .raey tsal ecin
ylbanosaer saw taht ecalp a otni klaw ot elba yllautca saw I _\
.aedi doog a si gniht gnikooc eht ,WTB .emit txen
reilrae nalP .oga skeew owt neve snoitavreser teg t'ndluoc uoY _\
snoitavreser teg nac I ,tuo reh ekat ll'I _\
.neht tuo reh ekaT
.yadsruhT no rehtegot kcab teG  .yadot reh pmuD _\
.smelborp ruoy lla evlos lliw ti ,deirram teG _\
                 .tae ew elihw dna eraperp I elihw revres
ekirtsretnoc ym no retspan morf 3pm gnidaolnwod eb
t'nac I taht naem t'nseod siht tuB .ecalp eht etaroced
 dna naelc em pleh ot retsis ym dna kooc ot mom ym
teg dluohs I taht tnem uoy taht demussa I "kooc" yb _\
... tub ,siht wenk ydaerla snados tsom
epoh I  .revres ekirtsretnuoc ruoy no sdaolnwod retspaN
,dnuorgkcab eht ni gniralb VT ,stnecsednacni ton -- sesruoc
lareves ,erawrevlis ,rennid tileldnac naem ew ,"kooc" yb _\
.rebmemer lliw ehs gnihtemos si
erutseg eht ,laem tneced a kooc t'nac uoy fi nevE  .lufgninaem erom
hcum hcum si reh rof gnikooC  .gnivas htrow ton ylbaborp s'ti neht
,pihsnoitaler eht "evas" ot FG ruoy enid dna eniw ot deen uoy fi _\
.yaD-V rof sseletad --
.tser eht ni llif nac uoy kniht I .ecalp citnamor a ot tuo
reh ekaT .etalocohc illedrarihg emos dna evots roodtuo na
dnif dna lwob a ni )...cte ,sananab ,seirrebwarts ,wedyenoh
deppohc( stiurf emos teG  .em rof dekrow taht pit tresed ecin
a s'ereH  .tsaf yllaer kooc ot woh nrael retteb d'uoy tub
snoitavreser teg t'ndluoc uoy taht gniht doog a eb thgim ti
,esac taht nI .reh rof rennid gnikooc yb stniop erom erocs
yllaitnetop dluoc uoY .snoitavreser o/w elbaliava syawla
era .rJ slraC dna ,kcarC eht ni kcaJ ,gniK regruB ,sdlanoDcM _\
?pihsnoitaler ruo evas I nac ro sselepoh yletelpmoc
ti sI  .dekoob si gnihtyreve dna ,yad senitnelaV rof snalp
rennid ekam ot gniyrt ,dnuora gnillac m'I  !dewercs os ma I     21/2

 .adoC ro SFA yrt
esaelp ,retnuomotua eht ot ytilanoitcnuf ralimis deen uoy fI
 ).esaCraelC diputs fo esuaceb emit eht
lla deneppah siht dnA .ylnaelc ti toober neve t'ndluoc uoy
dna xob nuS ruoy esu t'ndluoc uoy ,ytivitcennoc tsol ro nwod
tnew sretsam +SIN/SIN eht ro srevres eht fo yna fi dna ocsiC
ta sexob ruo lla no sfotua dah eW .ereht neeb ev'I ,em tsurT(
.smelborp fo stros lla evah lliw uoy ,gninnur ti teg uoy fi nevE
.eugalp eht ekil dediova eb dluohs taht SOP yletelpmoc a stI
?retnuomotua eht htiw od ot gniyrt uoy era yltcaxe tahw dnA

lmth.sfotua/SFotuA_dmA/moc.gnitlusnoc-xunil.www//:ptth

:QAF retnuomotuA eht fo trap siraloS
eht ta kool a ekaT .dednemmocer ton tub ,elbissop si ti seY _\
?elbissop neve siht sI  .siralos
rednu +SIN gninnur TUOHTIW seirotcerid emoh tnuomotua ot gniyrt m'I
?sQAF rehto yna ereht erA  .gnikrow gniht nmad eht teg ot elba ton
llits m'I tub gro.plehnus.www morf retnuomotua no sQAF eht dewollof I   21/2

?scamEX ni siht od I od woH
  .ni dedaol teg selif cc ym lla dna cc.* F-C X-C od nac I scame nI     21/2

.ila dna mot
fo evisulcni si rosnec dnA .rotatum ,rekun ,rosnec
,llort fo evisulcni si resol .tnadnuder era eseht fo emos _\
*|           tnias
*|          rennis
*|           revol
|               enorc
*|          rehtom
*|              nediam
*|           hctib
|*              bjt
*| bjt rof gnikool
|  rekot thgindim
|               rekoms
|               rekoj
|               rennis
|               revol
|               rennirg
|               rekcip
*|      desuma tsuj
***|    ?huh  ?dtom
*|      stniop
kniwt gninrae
*|      llort tnarongi
*|      llort diputs
*|      llort duorp
|               bsp!
****|             bsp
***|             ila
**|             mot
*|  )resol( gnahck
*************|          resol
*| rotamrofer dtom
*|    rotatum dtom
|       rekun dtom
]DEROSNEC[ uoy ,rosnec _\
*|      rerosnec dtom
***|    retrotsid dtom
****|   retsop dtom
******| redaer dtom
:)a( ma I emit eht fo tsoM .lloP        21/2

.llehs htiw liam reiht daer nem laer _\
uf kcal ylraelc uoy ,enip gnisu er'uoy fi _\
sessylu- .)ados no toor gnieb tuohtiw .e.i( yrotcerid
 emoh ym ni siht llatsni ot uf eht kcal I teb I hguoht ,doog skooL _\
/ed.eniltalf.enip4pgp//:ptth ?enip4pgp deirt uoy evaH _\
sessylu- ?tpircs
 yalpsid dna crenip rieht fo snoitrop tnaveler eht spahrep em
 dnes yeht dluoc dna pgp /w enip esu ydobyna seoD .smelborp o/w
 esu I metsys rehtona no skrow ti ecnis pgp htiw krow nac enip
wonk I tub ,ttum ta kool lliw i dna detaicerppa noitsegguS _\
.)ytsur teg t'nod slatrom su erus
ekam ot( esaeler yreve sgalf gifnoc pgp segnahc yllufesoprup
maet tnempoleved ttum eht ,rebmemeR  .edargpu uoy litnu haeY _\
.llew yrev pgp
htiw setargetni ttum  .ttum ot hctiws dluohs uoy  _\
sessylu- .gnikrow t'nsi pu
 tes I tpircs "hsc.yalpsid" eht ro putes snoitpo sretlif eht
 tog ev'I yaw eht tuoba htS ?ados no rof .ceps enip htiw
yllacitamotua htiw krow ot pgp gnitteg rof QAF a ereht sI       21/2

.relooc si u- tros _\
.)stsop ym ngis t'nod i yhw si siht dna(
POT- .toidi na m'i ,sknahT  .kcits eulc kciht a
htiw gnikcahw doog a evresed i hguoht sa leef I ,yoB _\
'++}_${nees$ sselnu tnirp' en- lrep
:redro lanigiro sti ni elif eht peek ot tnaw uoy fi ,rO _\
qinu | tros | oof _\
?elif a morf setacilpud LLA pirts ot yaw ysae na si tahW
.rehtona eno ot tnecajda era taht setacilpud spirts ylno qinu    21/2

.yrassecen sa strop
gnippam dna )tuo semoc 1.4.2 htiw gnihtemos litnu( SFresieR
htiw ekardnaM-xuniL gninnur ,xob TAN a dniheb enihcam eht
gnivael er'ew ,elpoep wef a htiw gnitlusnoc retfa ,sknahT _\
.suoivbo t'nsaw taht esac ni ,eulc on sah tnadnopser sihT _\
.)sQaR eht
no )stelvreS & PSJ tpecxe( derugifnoc dna dellatsni-erp si
ffuts bew ytfin taht lla( llew ytterp ffuts bew od dna paehc
 ytterp era yeht ,4/3QaR )nuS AKA( tlaboC eht ta kool a ekat
XUSniL htiw ecnailppa gnivres bew detacided a tnaw uoy fI
 .siraloS dna DSB* naht reisae
hcum XUSniL no nur ot .cte ,snoisnetxE egaPtnorF ,stelvreS
,PSJ ,)nuS AKA tlaboC AKA tfoSilihC dellac ynapmoc a aiv
,xuniL no elbaliava si PSA $M sey( PSA ,PHP ekil ffuts
bew looc ytfin teg nac uoy ecnis ,gnivres bew rof XUSniL
gninnur ffo retteb eb ylbaborp dluow uoY .)XUSniL ekilnu
,3v stroppus DSBnepO ,SFN tnaw uoy fi tub ,ABMAS tnaw uoy
gnimussa m'I( gnirahs elif dna PTMS rof DSBnepO nur dluow I _\
?sesoprup ruo rof retteb
si hcihw ,enod dna dias si lla nehW  .yawyna yad yb yad
ti eruces ot woh nrael dluohs ew dna ,detroppus ylediw s'ti
taht si taH deR rof tnemugra ehT  .seloh ytiruces rof reffus ot
enorp ssel er'ew ,seibwen sa ,taht si DSBnepO rof tnemugra ehT
.pukcab gnidulcni ,ereh secivres etargim ylwols dna pu xuniL
taH deR ro DSBnepO rehtie tup ot ekil dluow eW  .gnivres elif
dna ,PTMS ,gnivres bew rof K2niW gninnur seineew ezodniW er'eW    21/2

.yldipar etiuq daerps ot dnet sesuriv
eseht dlrow swodniW eht ni stoidi fi arohtelp a
stsixe ereht ecnis dnA .lavivrus rieht rof resu
eht fo ycoidi eht no dneped sesuriv esehT .epoN _\
.swolBniW esu t'nod I dalG ?s09 ylrae eht fo
mroW tenretnI eht ekil egdelwonk ppA/SO ro lliks
gnidoc laer yna eriuqer t'nseod "suriv" siht ,oS _\
.margorp eht snur hcihw ,ti no
 kcilc-elbuod ot dnet sresu ;elbatucexe na tsuj si eno sihT _\
?krow siht seod woH ?margorp gniweiv eht naht
rehtar egami reiht gnitucexe trats ot margorp gniweiv eht
ni swolfrevo reffub tiolpxe yeht od ,lareneg nI ?suriv a eb
nac egassem liame a woh dnatsrednu etiuq t'nod I .cificeps
swodniw eb ot smees ti tub ,ereht tuo suriv liame wen a si
ereht taht smees ti dna 30-1002-AC yrosivdA TREC daer tsuj I    21/2
2001/2/13-14 [Computer/SW/Mail, Computer/SW/Security] UID:20575 Activity:high
2/12    Is there a FAQ for getting pgp to work with automatically
        with pine spec. for on soda? Sth about the way I've got
        the filters options setup or the "display.csh" script I set
        up isn't working. -ulysses
        \_ The happy ending. Somebody fixed something because the
           filter works all of a sudden. Note that, if anybody
           else has a problem, check out /usr/local/bin/pgpdecode.
        \_  you should switch to mutt.  mutt integrates with
            pgp very well.
            \_ Yeah until you upgrade.  Remember, the mutt development team
               purposefully changes pgp config flags every release (to make
               sure us mortals don't get rusty).
            \_ Suggestion appreciated and i will look at mutt, but I know
               pine can work with pgp since it works on another system I use
               w/o problems. Does anybody use pine w/ pgp and could they send
               me perhaps the relevant portions of their pinerc and display
               script? -ulysses
        \_ Have you tried pgp4pine? http://pgp4pine.flatline.de
           \_ Looks good, though I bet I lack the fu to install this in my home
              directory (i.e. without being root on soda). -ulysses
                \_ if you're using pine, you clearly lack fu
                   \_ real men read their mail with shell.
                      \_ pinesh! pinesh! pinesh is the Standard!!! Uhh...
                         \_ In bourne shell a paging mail reader is
                            about 5-10 lines of code. A real man can
                            type it all in on the command line.
        \_ Just add these to your .pinerc, nothing else needed:
        display-filters=_BEGINNING("-----BEGIN PGP")_ /usr/local/bin/pgp -f
        sending-filters=/usr/local/bin/pgp -feast _RECIPIENTS_
           \_ Can I still send emails to people who doesn't have PGP software?
             \_ are you chinese? -ali
        \_ That is NOT all you have to do.
2001/2/12-13 [Computer/SW/Security, Computer/SW/Unix] UID:20571 Activity:high
2/12    I am trying to use Win95 ftp with skey but there is
        no prompt to enter the one-time password. is there a
        command I can use through the literal command?
        \_ That's strange.  It used to work with my NT ftp where it prints
           the key and asks for the one-time password.  But today it doesn't
           do that anymore.  Something is broken?  -- yuen
           \_ Today (2/13) I tried again, and it works okay now.  You just
              type the one-time password at the "Password:" prompt.  -- yuen
2001/2/9-10 [Computer/SW/Security] UID:20554 Activity:nil
2/9     ssh has vulnerability. Integer overflow.  Openssh is safe.
        \_ Take that, Tom!  Take that, Bowlarama!  Take that, Convenience
           Mart!  Take that, Nuclear Power Plan--oh, fiddlesticks.
           \_ Bowlarama!  Good times!
2001/2/9 [Computer/SW/Security] UID:20548 Activity:very high
2/8     Question about ssh or need confirmation.
        - purpose of using ssh is to avoid information that I read at my
          terminal not being seen by someone in between the traffic, so
          does that mean if my terminal is being mornitored (i.e., my employer
          or network admin is watching my console at a remote terminal), they
          will only see garbled messages?
        - or does ssh only ensures data send between soda and my terminal not
          being intercepted, but once information gets displayed on my screen,
          a mornitoring agent can just capture the screen and still see every
          key stroke I type in or every message I am reading?
                \_ work on your fucking english
                   \_ hahhaha...having a hard time reading?  I don't see the
                   others have any problem.  Can you just point out one flaw
                   so that I can fix it.
                        \_ double negative, run-on sentence, fragmentary
                           phrase, passive voice, misspelling.  And that's
                           just the first sentence.
        \_ ssh encrypts data on the network between your host and wherever you
           ssh to ( in this case, soda).  If your host has been compromised
           by whomever might be monitoring you, there is little ssh (or
           anything else for that matter) can do to stop you from being
           monitored.
           \_ here's what I do at work: swap around the keycaps on my
              keyboard. You should see the security people tearing their
              hair out! muahhaha!
              \_ how does that help really?
                 \_ security through obscurity.  though the right way to
                    do this is to use a qwerty keyboard in dvorak mode.
                    and remove the 'W'.
2001/2/7-8 [Computer/SW/Security] UID:20529 Activity:nil
2/7     http://www.nwfusion.com/news/2001/0205ddos.html
        No light at the end of the tunnel for preventing/protecting against
        DDoS attacks.
        \_ This is not an engineering problem, but a law enforcement problem.
2001/2/6 [Computer/SW/Security] UID:20512 Activity:nil
2/3     Speaking of ssh, could soda admins generate  new 'n fixed ssh host
        keys so that we don't have to edit our known_hosts file every time
        soda is switched from openssh to commercial ssh1 and then back to
        openssh?
        \_ They could.  I hope they have better things to do or you'd just
           ignore the errors like everyone else.
           \_ It is pretty time consuming to copy a file. I give you that.
           \_ I ssh to soda from about seven different systems. It is
              kind of annoying to have to update known_hosts file on all of
              them whenever soda admins change their mind about which version
              of sshd to run. -original poster
        \_ we should just have the ssh1 ssh2 and openssh binaries each of
           which get called after a  case statement depending on /dev/rand
           then tom can bitch all he wants, and he will be a happy tom.
        \_ redhat 7.1 uses SSH Version OpenSSH_2.3.0p1
           \_ And your point is? I was not advocating using one implementation
              of ssh or another. What I say is that the soda admins should
              generate new ssh host keys so that people's clients don't
              complain every time sshd is switched to openssh and then
              back to data fellows ssh1. The current keys are 1023bit and
              the sshd1 fails to acknowledge that.
2001/2/6-5/17 [Computer/SW/Security, Computer/SW/Unix] UID:20503 Activity:nil 53%like:19809
02/02   OS updated.  Bugs to root.  Complaints on wall/motd will be ignored.
        \_ And so will complaints to root, apparently.  Give me root for 30
           seconds and I'll fix the sshd problem.  -tom
           \_ tom is the last person that ought to have root on soda.
                \_ yeah, I was only the VP for a year.  -tom
2001/2/1-2 [Transportation/Airplane, Computer/SW/Security] UID:20496 Activity:nil
2/1     Tomorrow's Groundhog day!
        \_ http://www.intellicast.com says it's going to be cloudy in Oakland
           tomorrow.  So spring arrives soon?
2001/1/31-2/1 [Computer/SW/Security, Computer/SW/Unix] UID:20485 Activity:very high 57%like:20472
1/31    Regarding the Soda MkV bios password, why not just reset BIOS?
        \_ i could, but it's old and may not like it so if there's a
           less invasive method, i'm all up for it, otherwise i will
           \_ sign your fucking posts paolo
           \_ Check for a bios password hack on the net.  Never know....
                \_ what kind of bozo would put a BIOS password on a
                   machine in a machine room
                        \_ One who knows just how many other people have
                           access to the machine room and just how often
                           some of them fail to make sure the door closes
                           all the way when they leave.
                                \_ get a fucking clue
                                \_ Uhm, yeah, and?  A bios password will
                                   somehow save you?  Sigh... find a crack
                                   or hack for it on the net.  And oh yeah,
                                   as the above said, get a fucking clue.
                                    \_ umm, judging by the posters present
                                       difficulty, i'd say Yeah a bios pwd.
                                       may save you.  Not everyone has the
                                       same skill set and sometimes just
                                       making things a bit more difficult for
                                       an intruder is all it takes.  There are
                                       plenty of people who just check for
                                       unlocked doors.  I bet you leave yours
                                       unlocked, because, hell, they can always
                                       break a window.
                                   \_ never said it would save you, just that
                                      being in the machine room doesn't make
                                      it any more or less useful to set one
                                      than a machine left in a public place.
2001/1/31-2/1 [Computer/SW/Security, Computer/SW/OS/Windows] UID:20480 Activity:moderate
1/30    In NT, when I try to open or delete a file and it says "The process
        cannot access the file because it is being used by another process",
        is there a way to find out which process is using the file?  Thx.
        \_ lsof
        \_ handleex.exe, http://www.sysinternals.com
           \_ Is Filemon from the same site better for this purpose?
        \_ reboot
                \_ That won't find out and it also won't release the file if
                   the file is opened again at startup or login.  If you
                   don't know what you're tal-- nevermind.  It's the motd.
                   Go right ahead.
                   \_ If you don't know, you're Tal. -- talg #1 fan.
                   \_ chill.  the answer is meant as a joke.
                        \_ This is Berkeley.  That wasn't funny.
2001/1/27-28 [Computer/SW/Security] UID:20447 Activity:moderate
1/26    anyone ever heard of a linux kernel patch that prevents
        non root users from seeing the processes of other users?
        what's it called?
        \_ it's called "stupid"
           \_ What's "stupid" about it?  Gosh, maybe this is for something
              "stupid" like an ISP that allows shell access but wants to do
              some stuff to keep users from invading each other's privacy?
              Yeah, that's really "stupid".  You're right.  Who would want
              something "stupid" like that?
        \_ it's called uclink2
           \_ reference to "uclink2" shows one's age.  guess what?
              there's no Web under Evans anymore either!
        \_ http://www.openwall.com
        \_ I don't think you need to patch the kernel.. I think this is the
           default behavior if you make ps, top, and whatnot !setuid
           root/mem/whatever.
2001/1/25 [Computer/SW/Mail, Computer/SW/Security] UID:20429 Activity:nil
1/24    Anybody know of any web-based newsgroups that allow you to post
        a question? urlP.
        \_ uh, your question doesn't make sense.  you can access usenet
           newsgroups via your favourite web browser...  there are tons
           of bulletin board type things all over the web...  what the
           hell are you asking?
           \_ For example, http://www.dejanews.com allows you to read articles, but
              you can't post a question.  Using a news reader client, I can
              connect to various public news servers that will allow you to
              post.  However, port 119 (NNTP) is shut down on the network, so
              I can't use any of the news readers.  My only option is to go
              over the web, and most web-based newsgroups that I know of only
              allow you to read, not post.  Question remains - are there any
              web-based public newsgroups that allow you to post?
                \_ you can't post to http://deja.com as an anonymous bastard.
                   you need to register with them and go through http://my.deja.com
2001/1/19-21 [Computer/SW/Security, Computer/SW/OS, Computer/SW/Unix] UID:20373 Activity:nil
1/19    http://fusionone.com is finally charging people for syncing files. Let's
        boycott.
        \_ I just signed up for "Free sync for life". What are you talking
           about?
           \_ after using it for about 6 months, I got an email saying
                "email sync is free for life. upgrade to premium account
                if you want to continue using file sync."
        \_ Holy shit!  Someone on the net is trying to make money from their
           web based service!  That sucks!  Let's boycott the net!  The net
           wants to be free!
2001/1/15-17 [Computer/SW/Security] UID:20329 Activity:moderate 60%like:20332
1/15    Who provides the time service at the number POP-CORN (767-2676)?
        \_ "Kernel" Sanders
        \_ You do not need to dial "POPCORN" to hear the time.  You just need
           to dial 767, plus 4 other digits.  ANY 4 other digits.  So now you
           know this, hopefully you can figure out who provides this service (No, it
           isn't some strange group of people).
           \_ You mean it's PacBell?  So it only works in Northern California?
              \_ It's certainly affiliated with the telco somehow, but this
                 did _not_ exist in SoCal last time I checked, so it's
                 not a universal PacBell feature
                 \_ Does not work in SoCal, even though Pacific Bell is
                    my telco (some areas are Verizon). --dim
                    \_ in LA it's 853-1212 (or possibly any four digits).
                       you can find out what it is anywhere by calling
                       411 and asking for the number for the time.
                       welcome to the universe. more interesting is
                       the number to dial that repeats your own number
                       back to you. it varies depending on Central
                       Office, and the phone co doesn't want you to have
                       it.
                                sf mission area readback #: 211-0022
                                berkeley: ?
                \_ Yep.
                \_ It worked in Reno when I lived there, but that's also
                   PacBell land.        -alan-
           \_ That's not the official number anyways. Only for bwd compat
           \_ what's the number to get the phone number of the phone
              you are dialing from?
              \_ You have been abused by the motd formatting god.
              \_ I think it used to be 1-800-MY-ANI-IS, but they changed
                 the password to it. -geordan
                 \_ Ah, I still remember the good 'ole 80s
        \_ in maryland, they dont have the 767 (popcorn) feature
           and i find that i miss it.  is there some web page that
           tells you where you can call up if you need to know the
           time when youre not in norcal?  i tried a number of key
           search words on the web (time service, etc) and had no
           luck.  -hahnak
           \_ RTFM (RTFphone book) or check providers home page
2001/1/15-16 [Computer/SW/Security] UID:20325 Activity:high
1/15   any plans to start running ssh2d ?
        \_ OpenSSH didn't work, the other ssh2d is not free, so no.
           \_ The other ssh2d is free for soda's purposes.  -tom
                \_ What about http://www.ssh.com/products/ssh/download.html
2001/1/11 [Computer/SW/Security, Computer/SW/OS/Windows] UID:20295 Activity:high
01/11   If you or anyone you know is running a version of Borland's Interbase
        released in the past 8 years, forward the following information:
        http://www.kb.cert.org/vuls/id/247371
        http://www.interbase2000.com
        [yes, this is a /. repost; urgency justifies it, as far as
         i'm concerned]     -alexf
        \_ Uh, "compiled into the source between 92 and '94".  Does interbase
           come as partial source + binaries-with-no-source?  What about the
           whole open source many eyes thing?  If someone can sneak in a back
           door account for 6+ years, what's the point of it all?  Might as
           well use MS products for all the good OS did in this case.
           Normally, I'd purge this as /. repost but I find this interesting
           although not urgent.
           \_ it was not open-source whatsoever until ~6 months ago. being a
              huge body of code, it's not too surprising that it took 5 months
              to find the backdoor (especially since no one would've been looking
              for it directly)
        \_ uh, why would anyone be running Interbase. -tom
           \_ good question. not my concern. -alexf
                \_ My point is, it's not urgent because no one is running
                   it.  -tom
                   \_ grow up man.  the real world won't always conform
                      to your sense of aesthetics. at your age you should have
                      learned that by now.
                   \_ ^no one^no one you know of
                      there's a large difference between the two
                        \_ ^no one likely to be reading the MOTD you twink^
                           \_ ah so tom knows everyone reading the motd (and
                              everyone else those people know; see original
                              post). impressive, tom.
                              Let's try a motd poll --
                              tom knows me:        0
                              tom doesn't know me: 6
                        and if i ever meet the bastard, i'll kick his ass:2
2001/1/10-11 [Computer/SW/Security] UID:20284 Activity:high
1/9     I've inherited an old Xylogics annex box which I'd like to set up
        so I can dial-up remotely via modem to access the consoles on my
        four home servers. Any suggestions on how to configure this?
        URLs would be fine. thanks!
        \_ Install sshd.  Dialup?  What millennium is this?  If you must, I
           suggest you contact Xylogics and see if they have a manual online
           or can ship you a new one for a few bucks.
                \_ gee, does sshd run at the boot prompt?
           \_ How else am I to access my home system consoles except by
              dialup? Anyways, I found the documentation on Nortel's home
              page. After much frustration (their search engine SUCKS and
              page-design is slow) found some docs, but of course they are
              WRONG, after downloading the huge PDF files.  Bunch of
              misspelled configuration parameters to lead you astray.
              But I think I have it finally figured out thru my psychic
              abilities. sheesh.  Now all I need is a 2nd (working) modem.
              \_ buddy system.  put null modem cables between systems
                 and make sure you don't crash all of them out to the
                 boot prompt at the same time.
                 \_ You mean using one workstation as the "annex" that
                    has the modem? Good idea. Ah, but then I wouldnt
                    get to utilize and set up this annex box i got at least
                    not in the most ideal configuration.
                        \_ This is what I was talking about with ssh but some
                           smart ass deleted it.  You can run ssh on each box
                           and have: A->B->C->D->A serial connections.  Thus
                           the only way you get screwed is if you don't have
                           net or box A and B are down, you need to get to B
                           but A is dead and unrecoverable from D.  It can
                           happen but I doubt your home is a 24x7x365 site.
                           \_ You can be easily screwed.
2001/1/6-16 [Computer/SW/Security] UID:20249 Activity:kinda low
01/05   Anyone else with @home in Berkeley (I'm northside) experience REALLY
        crappy service since the beginning of November? Bandwidth is still
        good but latency has gone up from 40ms to >200ms.
        \_ After 1.5 yrs of "experience" with @home on Berkeley southside, the
           one thing I've learned is that how your service gets fucked is not
           correlated 90% of the time with how your neighbors' service gets
           fucked. Everyone's gets fucked up once in a while, but asking other
           people in the area doesn't produce significant trends. -alexf
        \_ yup, exact same problem with @home here... up to 50% packetloss
           at times. it sucks. -jlau
        \_ I'm sorry.  I'll try to restrict my pingfloods/nmaps next time.
           - .home user.
           \_ nephew from norway doing ping -f's w/o root access again?
2001/1/5 [Computer/SW/Security] UID:20240 Activity:nil
1/3     If I ssh from machine foo to machine bar and sshd is trojaned on bar,
        then they cant get my passphrase because it is sent encrypted, right?
        But if I login with my password, can they get that?
        \_ your "passphrase" never leaves your machine, because that's
           supposed to decrypt your local ssh ID key.
           Your "password" is encrypted to hand over to sshd.
           So sshd gets to see your login password for machine bar.
           It also gets to see anything ELSE you type that goes to
           machine bar.
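What the reply above describes, as an added example (not code from the thread): a toy model of the two login methods in which the server side records everything it receives once the transport encryption has been removed. The tiny textbook-RSA key, the XOR key wrapping and every name here are assumptions made for illustration; this is not how ssh stores or uses keys.

```python
import hashlib
import secrets

# Toy textbook-RSA key from two known Mersenne primes (constructed for this
# sketch: far too small, and unpadded, for any real use).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_BYTES = (N.bit_length() + 7) // 8


def _pad(passphrase: str, salt: bytes) -> bytes:
    """Derive a one-time pad for the key file from the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               50_000, dklen=KEY_BYTES)


def wrap_private_key(passphrase: str) -> dict:
    """Key file kept on machine foo: private exponent XORed with the pad."""
    salt = secrets.token_bytes(16)
    raw = D.to_bytes(KEY_BYTES, "big")
    blob = bytes(a ^ b for a, b in zip(raw, _pad(passphrase, salt)))
    return {"salt": salt, "blob": blob}


def unwrap_private_key(keyfile: dict, passphrase: str) -> int:
    pad = _pad(passphrase, keyfile["salt"])
    return int.from_bytes(bytes(a ^ b for a, b in zip(keyfile["blob"], pad)), "big")


def _digest(challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


class RecordingServer:
    """Stands in for the sshd on bar. `seen` holds every value that reaches
    the server process, i.e. what a modified sshd could keep."""

    def __init__(self, account_password: bytes, authorized_key: tuple):
        self.account_password = account_password
        self.authorized_key = authorized_key  # public half only: (N, E)
        self.challenge = b""
        self.seen = []

    def new_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(32)
        return self.challenge

    def password_login(self, password: bytes) -> bool:
        self.seen.append(password)  # the server must see it to check it
        return secrets.compare_digest(password, self.account_password)

    def pubkey_login(self, signature: int) -> bool:
        self.seen.append(signature.to_bytes(KEY_BYTES, "big"))
        n, e = self.authorized_key
        return pow(signature, e, n) == _digest(self.challenge)


def client_password_login(server: RecordingServer, password: str) -> bool:
    return server.password_login(password.encode())


def client_pubkey_login(server: RecordingServer, keyfile: dict, passphrase: str) -> bool:
    d = unwrap_private_key(keyfile, passphrase)  # passphrase is used on foo only
    signature = pow(_digest(server.new_challenge()), d, N)
    return server.pubkey_login(signature)


def demo():
    # Constructed sample credentials.
    password, passphrase = "bar-login-pw", "local key passphrase"
    keyfile = wrap_private_key(passphrase)
    server = RecordingServer(password.encode(), (N, E))
    ok_password = client_password_login(server, password)
    ok_pubkey = client_pubkey_login(server, keyfile, passphrase)
    return ok_password, ok_pubkey, server.seen


if __name__ == "__main__":
    ok_password, ok_pubkey, seen = demo()
    print("password login:", ok_password, "| public-key login:", ok_pubkey)
    for item in seen:
        print("server received:", item)
```

In either case the server still sees the rest of the session, as the reply notes; the model covers only the authentication step.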
2001/1/3-4 [Computer/SW/Mail, Computer/SW/Security, Computer/Theory] UID:20228 Activity:nil
1/2     I've been getting the following error message repeatedly lately.
The authenticity of host 'quasar.cs.berkeley.edu' can't be established.
RSA key fingerprint is 14:1f:b3:63:83:6a:fe:73:4e:fa:64:30:9c:9f:c3:c8.
        Is this a problem w/ quasar or is it the soda ssh client?  Why doesn't
        it allow me to add quasar to my list of trusted hosts?
2000/12/26-28 [Computer/SW/Security] UID:20178 Activity:high
12/26   anybody ever dealt with Amazon's customer service?  I ordered an m100
        that never arrived.  I'm trying to get them to give me some credit
        back in addition to refunding my money. They only offered a $10 gift
        certificate.  Pisses me off.  Anybody ever milked them for more?
        \_ I have used Amazon.co.uk and Amazon.de's customer service, and
           it was actually pretty good.
        \_ I got jacked trying to buy a Handspring Platinum. Normally they
           are pretty good (I returned a Palm Viix after two months), but
           this pisses me off. I used a promotional code giving me a $50
           discount and they are crediting the $50 to my account
           (AMZN-ELECTRONIC ?)
        \_ So you buncha wankers are honestly upset that Amazon won't let you
           fuck them over for hundreds of bucks?
        \_ Toys R Us gave me $50 last year for missing my shipment.
2000/12/21-23 [Computer/SW/Security] UID:20153 Activity:moderate
12/20   Why is OpenSSH preferred over SSH1? Aren't all those bad ass
        patented algorithms better than the free ones? Does this
        mean no RSA?
        \_ OpenSSH is not preferred over SSH.  -tom
        \_ Depends.  You want code from the OpenBSD guys or from whoever?
           There's no magic in the non-Open version you'll be missing out on.
           \_ except working support for the SSH2 protocol and IDEA. -tom
              \_ OpenSSH works just fine with IDEA, you just have to enable
                 it (and in OpenSSL).
              \_ ssh2?  Yes... and?  So what?  What are you doing that ssh1
                 isn't good enough for?
                \_ Connecting from a Mac, for one.  Connecting with an ssh2
                   client, for another.  -tom
                   \_ OK, let's see.  #1 is wrong.. I connect from a mac to
                      ssh1 servers all the time, and #2 is a tautology.
                      Boy, you're a bright one, tom.
                        \_ I "connect" from a Mac to ssh1 servers, but the
                           software available has insufficient features.  And
                           #2 isn't a tautology if you are someone running
                           a system that has to be accessed remotely (such as,
                           just about every machine running ssh).  -tom
                           \_ How many machines with _only_ ssh2 clients have
                              you worked with?
                                \_ I have had to install ssh2 servers so
                                   people with only ssh2 clients could
                                   connect.  Real world.  -tom
2000/12/19-20 [Computer/SW/Database, Computer/SW/Security] UID:20126 Activity:high
12/19   One of my major performance bottlenecks is the need to log
        every entry in a single log file.  This leads to contention for
        write access lock to the file, delaying each process. What to do?
        \_ write to per process log file, and have a background process
           coalesce log files together.
                \_ this method provides the most concurrency
         \_ or write to sockets with a separate process listening
            on each, handling the logging.
                \_ this method is easy and most similar to what you're
                   already doing
        \_ use a real db engine
           \_ for something this simple it might not be worth paying for
              one.  plus, it gives this guy job security.
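The first suggestion in the thread, sketched as an added example (not code from the thread): each process appends to its own file, so no write lock is shared, and a background job merges the files by timestamp. The file naming, the tab-separated record format and the function names are assumptions, and the merge assumes each process's timestamps never go backwards.

```python
import glob
import heapq
import os
import time


def log_path(log_dir, pid):
    """One file per writer process (hypothetical naming scheme)."""
    return os.path.join(log_dir, f"app.{pid}.log")


def write_entry(log_dir, message, pid=None, ts=None):
    """Append one record to this process's own file; no cross-process lock."""
    pid = os.getpid() if pid is None else pid
    ts = time.time_ns() if ts is None else ts
    # One record per line: flatten CR/LF so a message cannot forge extra records.
    clean = message.replace("\r", " ").replace("\n", " ")
    with open(log_path(log_dir, pid), "a", encoding="utf-8") as fh:
        fh.write(f"{ts:020d}\t{pid}\t{clean}\n")


def read_records(path):
    """Yield (timestamp, pid, message) tuples from one per-process file."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            if not line.endswith("\n"):
                break  # writer is mid-record; it is picked up on the next pass
            ts, pid, msg = line.rstrip("\n").split("\t", 2)
            yield int(ts), int(pid), msg


def coalesce(log_dir, out_path):
    """Merge every per-process file into one file ordered by (timestamp, pid).

    heapq.merge streams the inputs, so memory use stays flat however large
    the individual files are. Returns the number of records written.
    """
    paths = sorted(glob.glob(os.path.join(log_dir, "app.*.log")))
    streams = [read_records(p) for p in paths]
    count = 0
    with open(out_path, "w", encoding="utf-8") as out:
        for ts, pid, msg in heapq.merge(*streams):
            out.write(f"{ts}\t{pid}\t{msg}\n")
            count += 1
    return count


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: two writers with interleaved timestamps.
        write_entry(d, "worker A start", pid=101, ts=10)
        write_entry(d, "worker B start", pid=202, ts=15)
        write_entry(d, "worker A done", pid=101, ts=20)
        merged = os.path.join(d, "merged.log")
        print(coalesce(d, merged), "records merged")
        with open(merged, encoding="utf-8") as fh:
            print(fh.read(), end="")
```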
2000/12/17-18 [Computer/SW/Security, Computer/SW/Unix] UID:20119 Activity:nil
12/17   http://www.nipc.gov/warnings/assessments/2000/00-062.htm
        \_ yeah.  "Energy Crisis"
2000/12/17 [Computer/SW/Unix, Computer/SW/Security] UID:20111 Activity:nil
12/14   Why is it that the motd is not auto displayed when I login?
        \_ I would think this is a good feature.
           \_ yes, but it probably would be better to let the .hushlogin
              file control it, which right now doesn't seem to do anything.
2000/12/17 [Computer/SW/Security] UID:20109 Activity:nil
12/14   Speaking of ebusiness... http://www.eeye.com
        \_ hacked page archived at www.csua/~mikeh/eeye-index.html
        \_ My IP is blocked.  Has eeye blocked everyone?
           \_ yes
2000/12/17 [Computer/SW/Security, Computer/SW/OS/Windows, Computer/SW/Unix] UID:20104 Activity:insanely high
12/16   I need Windoze software that will prohibit my employees from
        visiting specified web sites on the Internet (like http://cnn.com).
        This should be server software, so that I do not have to run
        out and install it on all the workstations.  Does anyone have
        any recommendations?
           \_ route -add -reject <subnet> or route -add -blackhole <subnet>
              on your border router.
        \_ Yeah. Eat shit and die.
        \_ what company? I'll build a site serving a mirror of http://cnn.com
           (i.e. a simple solution to your stupid policies)
           \_ Thanks, but all I really want is plug-and-play Windows software.
        \_ The easiest thing to do is point their DNS entries to 127.0.0.1
           or your corporate intranet or something.  Do it on the DNS you
           have their workstations pointing to for name resolution.  All
           childish "the information wants to be free!" Berkeley idiocy
           replies removed. --graduated from Cal and joined real world
              \_ I can point my machine at a different DNS server by
                 editing /etc/resolv.conf or whatever, thus a rejecting
                 route or a blackhole is the only soln.
                 \_ no.  You can't.  Why not?  Because you're a non-techie
                    at a large company with a no-surf policy and you don't
                    know jack shit about that.  If it were a unix box you
                    wouldn't have root at this person's company.
           \_ Thanks, but I do want to let them access most web sites
              except ones I exclude.  Is there a plug-and-play solution?
                \_ Yes.  Like I said, you add things like http://cnn.com to your
                   local DNS as something else.  Everything else works.
        \_ The easiest solution is to get a switch and a proxy server
           that can do transparent redirection of http requests to force
           them all through the proxy which does filtering.  (Set up one
           with enough space to do caching and you'll also lower bandwidth
           usage and increase access speed.)  Look at products from companies
           such as Alteon, Foundry, and Cisco on the switch side, and
           NetApp's NetCache or something similar on the proxy side.
        \_ Why?  Do you like pissing your employees off?  Are you trying
           to convince them all to quit?
           \_ Not all companies are like that.  Not everyone can go get a
              better job in 24 hours.  Obviously these are windows no-techie
              8-6 slaves there to do what they're told and nothing more.  These
              people are entirely fungible.
2000/12/12-13 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:20086 Activity:high
12/12   Something happened to CSUA server again?  This morning I was
        unable to ssh in, I have to delete the known.hosts file to
        resolve the problem...
        \_ weird ssh problems this morning.  Looks like the tcp/80 forwarder
            to soda's sshd was getting web requests!
        \_ Me too!
        \_ http://dailynews.yahoo.com/h/nm/20001212/tc/linux_shell_dc_1.html
           http://dailynews.yahoo.com/h/nm/20001212/bs/ibm_linux_dc_1.html
           \_ if it's good enough for shell and ibm...
              \_ I guess ECC Ram and hot swap disks and scalable
                 processing just aren't what Shell Oil needs.
                 \_ maybe they asked for help and got turned off when
                    a freebsd user mouthed them off?
                    \_ they should have contacted an OpenBSD or
                       NetBSD user.
        \_ i've never had a weird problem with openssh, teraterm, putty, etc.
        \_ No problems with OpenSSH on *BSD (including MacOSX) or
           NiftyTelnet on MacOS.
                \_ openssh sucks.  We should install ssh 2.3.0.  -tom
                   \_ freebsd sucks.  we should install linux 2.2.17 -!tom
                      \_ it really does -!!tom
2000/12/12-13 [Computer/SW/Security] UID:20078 Activity:low
12/11   Does anyone know of a Palm application designed to store passwords,
        credit card info, etc. that has encryption, requires password entry
        for access, enables you to sync with your PC, access all the info on
        your PC, and import/export the info between your PC application and,
        for example, a tab separated text file?  -asb (if you send me
                                email, please send it to asb@eci.ucsb.edu)
        \_ Speaking of UCSB, my ex-roomie was a sorority girl from UCSB
           who came to attend Boalt School of Law. I did not have sex with
           her, but at least she got into a better school than Hastings.
        \_ Forget about your silly whims, it doesn't fit the plan.
2000/12/12-14 [Computer/SW/Security] UID:20077 Activity:nil
12/12   Is it possible to keep the same key each time SSH is changed/
        upgraded?
        \_ The key has never changed.  The problem lies in the
           fact that soda has a really really old key and the 2 ssh programs
           treat the keys differently.  Really old version of ssh created
           1023 bit keys instead of 1024 and ssh has continued to lie about
           the keysize.  OpenSSH's sshd, on the other hand tells the truth.
           This confuses your ssh client.  -mikeh
           \_ I think that you can fix this by editing the length field for
              the key in your $HOME/known_hosts file.
2000/12/12-2001/2/2 [Computer/SW/Security] UID:20076 Activity:nil
12/12   We have switched versions of sshd since the OpenSSH one was hanging.
        Mail root if you witness odd behavior.  -root
2000/12/12-13 [Computer/SW/Security, Computer/SW/WWW/Server] UID:20073 Activity:nil
12/11   What are the security implications of allowing the Delete method?
        Does apache allow that by default?  Does it really mean that any
        user could send a header commanding your server to delete any file
        that nobody is able to write?  If so, how do you disable this method?
        \_ Something like
        <Directory />
         # refuse every method except the ones listed
         <LimitExcept GET PUT other-explicit-methods-you-like>
          Order deny,allow
          Deny from all
         </LimitExcept>
        </Directory>
2000/12/9 [Computer/SW/Security] UID:20055 Activity:nil
12/8    SSH question. Any idea why I am getting this error:
        Invalid SSH_AUTH_SOCK `', it should contain at least one /.
        and it gets set to "agent-socket-21980" instead of
        SSH_AUTH_SOCK=/tmp/ssh-user/agent-socket-21980 ?
2000/12/6-8 [Computer/SW/Security] UID:20022 Activity:high
12/6    Does @home allow services?  No.  Y'all were wrong yesterday.
        http://www.home.com/qa.html#server
        www.athome.att.com/faq.html#server
        \_ Genius, you're reading the generic @home agreement.  The local
           Bay Area one I signed when I got my service doesn't say I can't
           run a service.  It only says I can't resell net or run a business
           and I'm responsible for my own security.  In fact the agreement is
           chock full of warnings about hax0rz if I run a service but *never*
           says I can't.  Thank you for using @home in the SF Bay Area.
           \_ The one I signed in Fremont explicitly says I can't run a
              server, and I get scanned for running NNTP every day --dbushong
        \_ Disallowing and preventing are entirely different.
           \_ Hey, that's naughty!
           \_ but effective.  I run an ebusiness from an @home site.
              - small traffic, high price one, and haven't had any
              probs.
           \_ My brother runs a Cobalt Qube3 with web/ftp/nat/ssh
              and he has had no problems. @home doesn't seem to
              mind/care. ----ranga
2000/12/6 [Computer/SW/Security] UID:20014 Activity:nil
12/5    If you run xdm rather than ssh-agent xinit, is there some way to use
        ssh-agent for everything and not just "ssh-agent xterm" ?
        \_ yes.
           \_ More helpfully: put the line
                eval `ssh-agent`
              near the beginning of your .xsession.
2000/12/6-7 [Computer/SW/Security] UID:20011 Activity:nil
12/5    I am trying to write a report on SSH does anyone know why
        X11 forwarding makes a host more vulnerable to attack? Any
        good sites to find information on the weak spots of SSH?
        I have the RFC but don't know enough write about weak points of
        SSH. -nesim
        \_ If a bozo user types 'xhost +' on either end of the connection,
           then all the ssh in the world won't keep others from sniffing
           their keystrokes via X.
        \_ The argument goes as follows: if you ssh from your trusted host,
           to an untrusted host, then from there to a trusted host, and run
           X clients off of the remote trusted host, SHOCKER: root on the
           untrusted host might be able to do something nasty.  Fucking duh.
           I hate it when shit like this gets called a security hole.  Once
           and for all, people: YOU CAN NOT PROTECT YOURSELF FROM A MALICIOUS
           root USER.  PERIOD.  (Please don't cite non-unix operating systems
           or some silly securelevel hack as way of counter"proof")
2000/12/5-7 [Computer/SW/Security, Computer/SW/WWW/Server] UID:20009 Activity:very high
4/249   I think my employer logs all web traffic. Is there any free software
        I can run to block this?  Like a proxy or some sort?  Thanks.
        \_ http://www.anonymizer.com
           if you don't want to pay for ssl service do the following:
           1. setup apache+ssl at home
           2. write a cgi that takes in url request and then forwards
              it to anonymizer and parses the response to get rid of
              the annoying tags.
           3. configure your browser to use your home box as a proxy
           Other options include hacking junkbuster to support https.
        \_ j is that you?
              \_ you idiot, I can't even log into soda from work thanks
                 to a certain wonderful firewall.
        \_ yes there's plenty of ways to do this.
        \_ obhttp://www.zeroknowledge.com (it's what it was meant for -
           i.e. people not knowing what you are doing exactly)

        \_ How to check that the company logs all web traffic?
        \_ write a bot that hammers a bunch of sites, such as http://apple.com,
           http://sun.com and http://microsoft.com. run it on your machine and all the
           other machines you can get your hands on. Clueless admins will
           think that it's 'software updates' or some such thing. Your
           real traffic will be obscured by the noise. Eventually they will
           give up and realize that logging is stupid.
2000/12/4 [Computer/SW, Computer/SW/Security] UID:19990 Activity:insanely high
12/4    E-COmmerce sucks. COmputer science rewls.
        \_ Got fired from http://dogfood.com?
        \_ Doing work sucks, playing around with a hobby rules.  Good luck
           guy, hope you can come up with something interesting for the
           academic community to attack.
        \_ You got your whole life to find something that you like to do
           and that someone will pay you for doing.  Get to it.  If you
           can read the MOTD, it's not hard to get there from this point
           in your life.
        \_ Computer science doesn't pay for my Armani collection and
           my awesome Boxster                   -paper millionaire
           \_ But I am perfectly happy with blue jeans and t-shirt,
              and my little Miata.
2000/12/3-4 [Computer/SW/Security] UID:19986 Activity:low
12/1    Say I want to encrypt some text files that I don't use that often
        (eg, sent-mail files).  Is there any command line util better than
        crypt available to do this?  Maybe something that uses the new DES
        standard? (I don't want to attempt spelling it)
        \_ Use "pgp -e".
          \_ Does this have a batch mode for (de|en)crypting multiple files?
        \_ You mean the new AES standard.  (And Rijndael isn't _that_ hard
           to spell)
           \_ If you're some anthropologist used to garbage 'languages' from
              the underlife, maybe.
2000/12/2-4 [Computer/SW/Security] UID:19978 Activity:high
12/01   Anyone get TeraTerm + ssh to work connecting to Soda?  I changed the
        protocol to blowfish, but SSH mysteriously drops after attempting to
        connect.  (Alternatively, a list of win32 ssh clients would be
        useful--I didn't find the ones on the csua www page to be useful.)
        \_ It works for me.  Does it give any error messages when it
           disconnects?  Can it connect to other machines than soda?
        \_ Here is the obligatory why don't you install a real os with a real
           ssh client follow up.
        \_ I installed it on my dad's Windows98 box to login when I visit them
           and had no problems (other than getting a new key when we went to
           Mark VI).  -- bcmuller
        \_ Worked fine for me as well, and I've installed it on several
           different machines (win98, win2k, winnt 4)
        \_ Are you sure you're using Tera Term Pro and TTSSH?
           \_ Works for me, too. -ausman
        \_ sshd has been acting up - there have been random times when it
           has refused connections.  From what I know mikeh has been considering
           installing the old ssh.  This is information dated last week - paolo
2000/11/29-30 [Computer/SW/Security] UID:19951 Activity:high
11/29   So, i have host based ssh authentication going; i think.
        How to test?  If i try to use scp from an authorized
        user/host it still prompts me for a password.  Does that
        mean i don't have it set up correctly? (i'm using openssh)
        \_ If you mean you want to use a .shosts file, you need to:
           * make sure the server has:
             RhostsRSAAuthentication yes
             IgnoreRhosts no
           * put the hostname (and optionally username) in ~/.shosts for
             the target user (on the server)
           * ssh from the _server_ to the _client_ using the same hostname
             that the client will reverse as (i.e. if your client is 1.2.3.4,
             and 1.2.3.4 reverses as joebob.example.com,
             ssh joebob.example.com)  If your client is a windows box, this is
             more complicated and you'll need to configure your client software
             to generate and use an ssh host key.  Make sure the host key is
             in ~/.ssh/known_hosts
           * ssh -v server from the client to test
           --dbushong
           --uglydbushong
2000/11/29 [Computer/SW/Security, Recreation/Dating] UID:19943 Activity:nil
11/28   http://www.wired.com/news/culture/0,1284,40369,00.html
        \_ Sign up fast before they run out!!  Finally, women that geeks have
           a chance with!
2000/11/28-29 [Computer/SW/Security] UID:19938 Activity:nil
11/28   With SSH, when we change our password for the account do we have to
        regenerate the one time pass phrase?
        \_ Nope, they're separate.
2000/11/28-12/4 [Computer/SW/Security, Computer/SW/Unix] UID:19937 Activity:kinda low
11/28   NIS question.  My nsswitch.conf has the line
          passwd: files nis nisplus
        To me this says that the user should be looked for in the passwd file
        first, then checked for in NIS, then NIS+... Yet when the NIS server
        isn't available, I have to wait for a huge timeout before I'm finally
        logged in (yes, there is an entry in the passwd file).  Why does this
        happen and how do I get the expected behavior? -mogul
        \_ It's probably doing something other than a passwd lookup.
           You'll have to truss the process to find out what.  -tom
           \_ Or you can check for other nis lines in the nsswitch.conf
              automount, group, hosts may all be blocking on nis lookup.
              It may be something in your .login/.profile/.[t]cshrc file
              causing an nis lookup as well (like having someone else's
              homedir referenced in your path). --scotsman
              \_ If it's stalling in .cshrc, I think there is some option
                 you can set in .cshrc to show you where. Put a line with
                 'set verbose' or something at the top of .cshrc
                 And if you have root, then login as root and see if
                 the problem still exists. Since root has simpler dotfiles
                 and should have no remotely mounted home dir, you can
                 use it to narrow down the possible problem.
                 You might also modify nsswitch.conf
                 \_ Yes, but only if I log into another client served by NIS.
                    My home directory gets mounted from my main machine.  On
                    my machine, the passwd home directory entry is set to the
                    local directory so it doesn't go through autofs... -mogul
                 to remove nis and nisplus and see what happens.
                 Make sure you have another xterm open however
                 just in case modifying nsswitch.conf locks you out.
                 Also try getent passwd YOURUSERNAME and see if it says
                 what you think it should be (i.e. is your home dir
                 really on your local desktop disk?)
                 Also check /var/*/messages file for errors
        \_ what's in the groups line?  is your default group in a file
           or in nis?  initgroups usually takes forever
           \_ groups line was fine, but my group was missing from local
              /etc/group.  Still didn't solve the problem though.  I will try
              tom's suggestion when I return to work.  -mogul
              \_ These things are often due to DNS problems.
              \_ is your home directory auto-mounted? could be the auto
                 mounter maps are stored on the nis server.
        \_ Try:  passwd: files nis [NOTFOUND=return] nisplus    -- ivy
2000/11/16-17 [Computer/SW/Security] UID:19808 Activity:moderate
11/16   Do we want to copy over the old ssh host key?  Or is it a feature?
        \_ The host key has not changed.  ssh has.  We're now using OpenSSH.
                \_ Of course the host key has been changed. Otherwise I
                   wouldn't get this when trying to login:
                   \_ Due to a bug, old ssh created a 1023bit key instead of
                      a 1024 bit key.  It advertized it as 1024bits.  OpenSSH
                      tells the truth that it's 1023, which makes your ssh
                      client unhappy.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: HOST IDENTIFICATION HAS CHANGED!         @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
                                               \_ ooh!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
.....
        \_ you can fix this by editing your ~/.ssh/known_hosts file. next to
           the csua key, change the length from 1024 to 1023.
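
The mismatch described in this thread and in the 12/12 thread above (a stored key-length field of 1024 for a modulus that is really 1023 bits), as an added example that is not part of the original posts: it tells a wrong length field apart from a key that has actually changed. The host names and integers are constructed sample data, and the function names are this example's own.

```python
"""Audit SSH protocol 1 known_hosts entries whose key-length field is wrong.

SSH1 line layout:  hostnames bits exponent modulus [comment]
"""

# Constructed sample data: these integers have the right bit lengths but are
# not real RSA moduli, and the host names are placeholders.
SAMPLE_MODULUS = (1 << 1022) | 0xC0FFEE   # 1023 bits
OTHER_MODULUS = (1 << 1023) | 1           # 1024 bits
SAMPLE_LINES = [
    "# constructed sample known_hosts",
    f"soda.example.org,192.0.2.10 1024 35 {SAMPLE_MODULUS}",
    f"other.example.org 1024 35 {OTHER_MODULUS}",
    "new.example.org ssh-rsa AAAAB3NzaC1yc2E= constructed-ssh2-entry",
]


def parse_ssh1_line(line):
    """Return (hosts, bits, exponent, modulus), or None if not an SSH1 entry."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 4:
        return None
    hosts, bits, exponent, modulus = fields[:4]
    # SSH2 entries carry a key type and a base64 blob, not three integers.
    if not (bits.isdigit() and exponent.isdigit() and modulus.isdigit()):
        return None
    return hosts, int(bits), int(exponent), int(modulus)


def audit(lines):
    """List entries whose declared length differs from the modulus length."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_ssh1_line(line)
        if parsed is None:
            continue
        hosts, declared, _exponent, modulus = parsed
        actual = modulus.bit_length()
        if declared != actual:
            findings.append({"line": lineno, "hosts": hosts,
                             "declared": declared, "actual": actual})
    return findings


def classify(stored_line, offered_bits, offered_exponent, offered_modulus):
    """Compare a stored entry with the key a server offers.

    'key-changed' means the key material differs and the warning is real.
    'length-field-only' means the same key with a different length field.
    """
    parsed = parse_ssh1_line(stored_line)
    if parsed is None:
        return "not-ssh1"
    _hosts, bits, exponent, modulus = parsed
    if (exponent, modulus) != (offered_exponent, offered_modulus):
        return "key-changed"
    if bits != offered_bits:
        return "length-field-only"
    return "match"


def corrected(lines):
    """Return the lines with only a wrong length field rewritten."""
    out = []
    for line in lines:
        parsed = parse_ssh1_line(line)
        if parsed is not None and parsed[1] != parsed[3].bit_length():
            fields = line.split()
            fields[1] = str(parsed[3].bit_length())
            line = " ".join(fields)
        out.append(line)
    return out
```

Rewrite the field only when `classify` reports `length-field-only`; a `key-changed` result needs the new key confirmed out of band before anything in known_hosts is touched.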
2000/11/16-19 [Computer/SW/Security] UID:19804 Activity:nil
11/16   Why does the new sshd reject cipher type IDEA on Mk6?
        \_ because the new sshd does not support IDEA.
           \_ Why not?
           \_ Is it possible to build openssh with IDEA support?
           \_ Probably because IDEA is patent encumbered, where 3DES and
              Blowfish (and twofish, and rijndael, etc) are not.
2000/11/15 [Computer/SW/Security] UID:19783 Activity:high
11/14   ssh question.  I can't get a .shosts file to work, I think it
        has something to do with this error
        Remote: Your host key cannot be verified: unknown or invalid host key.
        Any idea what I need to fix?
        \_ You need to add the client's host key (/etc/ssh_host_key.pub)
           to the server's known hosts file (/etc/ssh_known_hosts).  The
           filenames vary; try adding "/usr/local" at the beginning, and
           try replacing "etc" with "etc/ssh".
2000/11/10 [Computer/SW/Security] UID:19705 Activity:nil
11/9    I'm having a problem with pam and openssh. Anyone know what
        the /etc/pam.d/sshd file ought to look like?
2000/11/5 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:19647 Activity:high
11/5    http://www.cnn.com/2000/TECH/computing/11/02/mideast.webwar/index.html
        \_ wow.  maybe l33t h4c0rs can go there to get mercenary jobs.
           \_ 3733t HaxX0rz w1LL k1cK y)u 1n the nu7z.
              \_ religion sucks.  It does nothing but bring an endless
                 lists of wars and senseless deaths.
                 \_ not to mention kicking people in the nuts.
2000/11/1 [Computer/SW/Security] UID:19622 Activity:moderate
11/1    Can someone pls fix POP and IMAP access to soda?  Thx.
            \_ I never seem to get a break around here. - someone
        \_ Done. -root
           \_ It seems to be broken again. Can you fix it again?
              \_ Done, again.  If you have any idea what's causing inetd
                 to hang, let us know. -root
        \_ Yes. root can do it.
           \_ P(E|E) = 1
2000/10/29 [Computer/SW/Security, Computer/SW/OS/Windows] UID:19593 Activity:nil
10.29   http://www.theregister.co.uk/content/1/14265.html
2000/10/27 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:19580 Activity:nil
10/26   http://www.cnn.com/2000/WORLD/meast/10/26/israel.cyberwar.ap
2000/10/25-26 [Computer/SW/Apps/Media, Computer/SW/Security] UID:19565 Activity:moderate
10/25   http://www.pantyraider.com
        \_ Now why don't they have something like predicateRaider?  Now
           that might hold my attention.
                \_ is that like ContextFreeGrammarRaider and LR1Raider??
                   \_ woo woo!
           \_ How about corporateRaider? That would be *interesting*.
        \_ almost related: http://www.phonebashing.com
2000/10/12-13 [Computer/SW/Unix, Computer/SW/Security] UID:19460 Activity:high
10/11   Pointer to how to make a secure ftp connection from cory to csua?
        \_ man scp
          \_ use ssh to port forward a port from cory to soda, then use
             ftp -P to connect to that forwarded port.  Don't forget to use
             passive mode.
             \_ it's -p
                ftp -P 9001
             \_ ssh -L 9001:csua:21
                ssh -L 9002:csua:20 (can you do these two at once?)
                ftp -p -P 9001 localhost
                \_ I tried this ssh -L 9001:csua:21 from home and it just spit
                   the usage info back at me.  So i tried it locally (i.e. from
                   HERE) and it did the same thing.
                   \_ You need to add the remote host:
                      ssh -L 9001:csua:21 csua
                        \_ I had tried that but it just logs me in!
                           \_ The port forwarding is a side-effect.
                              As long as you are logged in, the port
                              forwarding is on. I suggest using scp
                              unless you really, really need ftp. -- jsjacob
2000/10/9-10 [Computer/SW/Security] UID:19445 Activity:high
10/9    Shouldn't we upgrade to OpenSSH/OpenSSL soon?
        \_ why "should" we? -shac
           \_ Because of inherent weaknesses in the SSHv1
              protocol that are corrected in SSHv2 which
              \_ must protect uber-super-sekrit soda crap?!?
              is implemented by OpenSSH.
                \_ and why then should we use OpenSSH instead of the
                   free (to academic institutions) ssh2 server?  -tom
                     \_ OpenSSH default install allows connections
                        to/from Either SSH 1 or 2 and at least one of
                        the commercial SSH2 servers doesn't pretend to
                        attempt validation on bad names. (not that
                        that matters on SODA) -crebbs
                        \_ the ssh2 server also allows connections to/from
                           either ssh 1 or 2.  -tom
2000/10/6-7 [Academia/Berkeley/CSUA, Computer/SW/Security, Computer/SW/Unix] UID:19430 Activity:nil 52%like:19447
10/6    Readline enabled wallall in /csua/bin/wallall-rl. man readline for
        details.  Mail root to let them know how much you want this to be the
        default.  Bugs to mogul.  -mogul
2000/10/2-3 [Computer/SW/Security] UID:19396 Activity:nil 75%like:19390
10/02   Going to India next month and need a ssh client there. How do I log
        onto Soda if I am far away, and don't have permission to download
        any ssh client there?
        \_ http://www.csua.berkeley.edu/ssh
          \_ that's a ssh-in-your-web-browser java implementation of ssh.
             IMHO it is pretty darned good.
        \_ you can also use s/key.  http://www.CSUA.Berkeley.EDU/skey-howto.html
        \_ I like the windows program for skey at http://www.yak.net/skey
           it also includes binaries for dos, mac, sunos, ultrix, and source
2000/10/2 [Computer/SW/Security] UID:19390 Activity:nil 75%like:19396
10/02   How do I log onto Soda if I am far away, and don't have permission
        to download any ssh client?
        \_ http://www.csua.berkeley.edu/ssh
          \_ that's a ssh-in-your-web-browser java implementation of ssh.
             IMHO it is pretty darned good.
2000/9/29 [Computer/SW/Security] UID:19367 Activity:nil
9/29    http://www.eros-os.org/essays/capintro.html
2000/9/27-28 [Computer/SW/Security, Finance/Investment] UID:19337 Activity:nil
9/26    E*Trade security problem:
        http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/09/26/BU22755.DTL
2000/9/26 [Computer/SW/Security, Computer/SW/OS/Windows] UID:19326 Activity:kinda low
9/25    For DOS programmers, is there a version of Borland C 4.5 (or any other
        version for DOS) run-time library that has a qsort() routine that
        works with huge pointers (__huge *)?  Thanks.
        \_ Watcom does. You're fundamentally not going to get clib routines
           from a compiler which doesn't support flat-mode memory access like
           Watcom does with DOS4GW.
2000/9/21-22 [Computer/SW/Security] UID:19307 Activity:kinda low
9/20    A friend of mine got hacked through wu-ftpd, (right about the time
        I was wisely moving to proftpd).  He was woken up by the irregular
        clicks of his hard drive and was able to disconnect them.  They
        were attempting to install a root-kit called "anivnew"  Has anyone
        heard of it?  Where can i find more info? [i've searched the web to
        no avail].  There was a "ps" command, which i can see how it would
        be useful to disguise what was going on, but it seems to work
        correctly (i.e. i can't figure out what kind of activity it doesn't
        report).  Also there is an SSHD server included in the kit.  WHY?
        (A poster mentioned that they want to secure their "victim" site but
        that seems like an inadequate explanation).
        \_ Well, duh. This wu-ftpd problem has been reported and fixed months
           ago. Anyone who still runs the old vulnerable version deserves to
           be hacked IMHO.
        \_ By replacing sshd, they can patch it to 1) Sniff passwords
           2) create a backdoor 3) Disable logging
                \_ By using sshd they can hide better from intrusion detection
                   & tracking systems
                        \- btw, do you know what version the trojan sshd claims
                        to be? there might still be a way for a good IDS to
                        detect it. if you can mail me the src or binary,
                        i would appreciate it. would like to work on a
                        detection heuristic for our IDS. --psb
        \_ proftpd had a remote root hole not too long ago...  (doesn't
           hold a candle to wu' though =)
           \_ that one apparently never got exploited
           \_ In the same way that openbsd reports long lists of exploits
              and holes, mostly, they are proactively discovered and patches
              released before the rest of the world knows about them.  All
              software projects have bugs.  Some are fixed before they get
              abused, others are fixed after.  I prefer the former.
        \_ USE WINDOWS!
2000/9/15-18 [Computer/SW/Security] UID:19258 Activity:nil
9/15    Someone mentioned a security hole proftpd versions post 1.2.0pre9
        (though the web page seems to think anything after 1.2.0pre9 is o.k.)
        Can someone point me to specifics. I'm running pre10, but older
        than the date that was specified. More info please.
        \_ if there was one, it would probably be in the bugtraq archives
           on http://securityfocus.com
        \_ yes, see http://securityfocus.com; no successful exploits are known yet (or,
           if there are, they've been an extraordinarily well-kept secret). And
           yes, older pre10's are still [theoretically] vulnerable.
2000/9/8-10 [Computer/SW/Security] UID:19206 Activity:nil
9/7     Goddamnit.  Why do web sites / hosts limit the length of passwords?
        Ooh, increased security by reducing the hashable characters. Good idea
        \_ Because most people are stupid and would forget anything longer
           than their own first name.
2000/9/6-7 [Computer/SW/Security] UID:19179 Activity:nil
9/6     Does anyone know if there's an SSH extension for Windows Telnet?
        I'm having trouble with the Whacked out Java SSH.  It can't run
        well when using Pine or Pico.  Sorry if this screen looks messed
        up.  I can't see what I'm typing in Pico. --pcjr
        \_ don't fucking use pine or pico.
        \_ F-Secure SSH
        \_ http://www.zip.com.au/~roca/ttssh.html
2000/9/6-7 [Computer/SW/Security, Computer/SW/Unix] UID:19178 Activity:moderate
9/6     I would like to install some software for the CSUA community.  I
        have mailed root about it but got no response.  Am I going about
        it the wrong way?
        \_ Obviously, you have wronged root at some point in the past.
           Better backup your home directory. ;)
                                               \_ This one is just for you.
           \_ Well, that's sound advice even if I haven't wronged root.  So
              thanks.
        \_ The politburo decided answering root mail was a waste of time so
           kicked everyone off root who actually answered root mail.
           \_ Actually that was mikeh.
2000/8/28 [Computer/SW/Security, Computer/SW/OS/OsX] UID:19105 Activity:high
08/27   Does anyone know of any SSH and/or scp clients available for the
        Macintosh (free or otherwise)?  Thanks -dans
        \_ F/Secure SSH http://www.datafellows.com
           NiftyTelnet SSH
           http://www.lysator.liu.se/~jonasw/freeware/niftyssh
           Do a fuckin' web search next time.  -tom
           Do a web search next time.  -tom
                \_ you could even have looked on www-inst or www.csua
                   (localhost). *duh*
                   \_ Did both.  Asked the motd in case I missed anything.
                      Anybody know if the version of F-Secure for the Mac on
                      eecs-inst is the full version or an evaluation version?
                      -dans
                      \_ If you've read it, remove your fucking motd entry.
           \_ BTW, this one's not legal in US until 20 Sept I believe
              (RSA patent needs to run out or something)
2000/8/16 [Academia/Berkeley/CSUA/Motd, Computer/SW/Security] UID:19013 Activity:nil
8/14    Is there anyone with root access in the CSUA office during the summer?
        If so, who are they and approximately what time/days are they there?
        Thanks.
                \_ call in the afternoon. sometimes one of us is around. -root
                   \_ Who do I email to set up an appointment?  staff@csua or
                      root@csua?  (unless you mean to call literally....)
                \_ yeah you can call 1 510 I DONT CARE bitch ass mutherfreak.

2000/8/15-17 [Computer/SW/Security] UID:19000 Activity:nil
8/15    URL for freeware windows ssh client?  Doesn't have to do anything
        fancy.  Only using it to login to a remote ssh-only box to run one
        script for a user.  I don't care about emulation quality, features,
        or anything else beyond basic ssh'ing ability.  No demoware with
        interactive nags, delays and self bombing timers.  I want to install
        this for the user just once and forget about it forever.  Thanks!
        \_ http://www.employees.org/~satch/ssh/faq/ssh-faq-2.html#ss2.2.3
                \_ Found what I needed.  Thanks again!
2000/8/15-16 [Computer/SW/Security] UID:18995 Activity:low
8/14    Is there anyone with root access in the CSUA office during the summer?
        If so, who are they and approximately what time/days are they there?
        Thanks.
                \_ call in the afternoon. sometimes one of us is around. -root
                   \_ Who do I email to set up an appointment?  staff@csua or
                      root@csua?  (unless you mean to call literally....)
                \_ yeah you can call 1 510 I DONT CARE bitch ass mutherfreak.
2000/8/14-15 [Computer/SW/Security] UID:18980 Activity:moderate
8/14    I have installed proFTPD and want to change the banner, which
        announces what it is, i have altered /etc/welcome.msg and that
        has changed half of it but not all.  How can i change the rest?
        \_ Use the source, Luke!
        \_ Careful.  Remote root security hole in proftpd's older than
           July 28th.  --dbushong
            \_ Arg. I installed proFTPD because it's supposed to be MORE
               secure
                \_ Try ncftpd.  It isn't based on the same shitty ancient ftpd
                   source as almost everything else out there.
               \_ As did I.  Its track record of one remote root in however
                  many years >>>> wuftpd's "root hole of the month"
                  And, yes, I like the apache-style config.  --dbushong
2000/8/11-14 [Computer/SW/Security] UID:18965 Activity:high
8/11    Can anyone recommend a good network monitoring program?  We have
        multiple Sun Servers and a buncha PC's, on a 100-BaseT subnet.
         \_ mrtg?
            \_ Memorize References to Tron Game?
               \_ look it up on google
        \_ What exactly are you going to monitor?
           \_ Would like to pinpoint any problem areas, slowness,
              lack of response, highest use, etc.
                \-sounds you want to monitor the network, not monitor *over*
                the network, in which case ping, traceroute etc. are not
                what you want. mrtg is pretty nice and has a lot of uses.
                but to answer your question: if you want to be serious about
                this, you get to get someone who really understands this
                stuff and is well-briefed about your network topology, your
                priorities and other local conditions. too many people spend
                lots of money on these big industrial strength solutions like
                sun net manager or that hp open whatever when a halfway clueful
                person can cobble something together from free stuff that meets
                your needs better. but they have to know exactly what you
                want to monitor. it is a very different matter to continuously
                watch for suspicious stuff security-wise vs. once a week snap-
                shots for capacity planning to have off-line stuff in place
                that can be quickly brought online to diagnose things. it is
                a different problem to get exact info about one "class c" vs.
                get 95% accurate info about a couple of classBs, but to be able
                to get it really fast, also depends whether you have privileged
                access to routers, whether you are worried about denial of
                service [a real problem with a lot of monitoring setups] --psb
              \_ is it all one ethernet?  how many routers you got?
        \_ Sorry to be anal, but ping, traceroute and snmpwalk work
           for me.
                \_ ping and traceroute are practically useless for
                   monitoring a local network.  -tom
                   \_ Depends on the size and subnetting. We use
                      ping, traceroute and snmpwalk with some homebrew
                      perl/java cgi frontends for managing/maintaining
                      our heavily switched/routed lab nets at cisco.
                        \_ gee, if it's switched and routed it's not local.
                           \_ local to me means everything on my side of the
                              BFR (I mean 12000 GSR). If you think local
                              all on the same switch, I beg to differ. I
                              might agree for all on the same VLAN.
2000/8/10 [Computer/SW/Security] UID:18945 Activity:moderate
8/9     I just installed openSSH --with-tcp-wrappers on my Redhat 6.2 box and
        outgoing functionality works great but when i try to connect using either
        ssh1 or 2 i save a key but then "password authentication fails."
        I am quite certain i am using the right username/password combo.
        What could be going wrong?  I can still telnet in, there is nothing
        in the hosts.allow/deny files that could be causing this.
        \_ ssh -v
          \_ Read the FAQ on OpenSSH.  You need to modify pam.conf or
             something like that to get it to work.  --PeterM
                \_ not pam.conf, /etc/pam.d/sshd, look in ~peterm/sshd
        \_ You need to install openbsd where it "just works".
           \_ or freebsd 4.x, or debian linux (apt-get install ssh)
2000/8/7-8 [Computer/SW/Security] UID:18905 Activity:high
8/6     <DEAD>www.svmagazine.com/2000/week33/features/Story01.html<DEAD>
        Months later, the public was let in on the joke. Naughton had
        agreed to give technical assistance, including writing software,
        to the FBI in exchange for a lighter sentence. Neither Naughton,
        the U.S. Attorney's office nor the FBI will comment on the
        nature of his work.
        \_ We'll find out the details this week.
        \_ moral of the story-- YOU ARE BEING WATCHED. Think twice before
           you post on motd, wall, email, or download porn. Everything is
           taken as literal, even in the so called internet fantasy world.
           \_ and dont forget to encrypt your pr0n
              \_ zbeny bs gur fgbel-- LBH NER ORVAT JNGPURQ. Guvax gjvpr
                 orsber lbh cbfg ba zbgq, jnyy, rznvy, be qbjaybnq cbea.
                 Rirelguvat vf gnxra nf yvgreny, rira va gur fb
                 pnyyrq vagrearg snagnfl jbeyq.
                 \_ naq qbag sbetrg gb rapelcg lbhe ce0a

        \_ Thank God I use my own encryption method to edit the motd.
        \_ I think this was all an elaborate plot by the FBI to get a
           young, extremely talented programmer to sign his life away on
           some classified government project. He was probably targeted
           because they saw that he was a super smart guy in an unstable
           marriage who visited sex channels on IRC.
2000/8/2-3 [Computer/SW/Security] UID:18847 Activity:kinda low
8/1     The java SSH client we have running does not use https:// so i
        assume that when i put in my password it gets sent plain text.
        isn't the whole idea of dis-allowing telnet was to avoid the
        sending of plain text passwords?
        \_ nothing to do with it.  the http part is just to download
           the ssh client locally.  from there, you run ssh which
           creates a secure connection to the remote host (which is
           where your password gets transmitted).
           \_ What (s)he said.  Of course, if you're really paranoid, you
              should care that you didn't download the java ssh client via
              https, because someone who noticed you fetch it a lot could
              hijack your download and replace the safe app with a compromised
              one.  Unlikely?  Sure!  But then again... you're using ssh
              instead of telnet, so....
              \_ I thought this would be a problem too. But when running
                 unsigned Java applets, aren't network connections
                 restricted to the host that the applet was loaded from?
                 This wouldn't eliminate the vulnerability, but it would
                 at least limit it. (A rogue program would have to be
                 set up on the web server which listened for connections
                 from hacked ssh clients.)
                 \_ That's the theory.  You trust it in practice?
2000/7/29 [Computer/SW/Security, Computer/HW] UID:18811 Activity:moderate
7/28    Hi-Tech and all the other cheap places in Berkeley have gone under.
        Where is a cheap, but decent in terms of service, place to buy
        a computer in SF (or Berkeley).
        \_ Central Computer has been our OEM of choice for a while. -nweaver
        \_ For a personal computer, buy parts from out of state and assemble.
           For your company, buy Dell.
           \_ God forbid a part doesn't work.  Ah, to live in L.A.
              near hundreds of OEM vendors.
2000/7/28-29 [Computer/SW/Security] UID:18808 Activity:kinda low
7/28    What are the security implications of using a network time server?
        \_ If someone nasty can control your clock precisely it may make it
           easier for them to guess the values that will be generated by
           pseudo-random algorithms seeded with the current time.  If those
           are used to form keys or such, security may be weakened.  However,
           many security protocols, such as Kerberos & NIS+, require computers
           to have relatively close ideas of the current time so that they can
           prevent replay attacks by rejecting packets with far-off timestamps.
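
The timestamp check described in the reply above, as an added example that is not part of the original thread: a receiver that rejects far-off timestamps and remembers recent messages, run once trusting whatever the clock says and once refusing a clock that jumps backward. The class, the 300-second window and the sample messages are constructed for illustration; the backward-jump guard is one assumed mitigation, not something the thread proposes.

```python
import hashlib
import hmac

MAX_SKEW = 300  # seconds of tolerated clock difference (assumed value)


class ReplayGuard:
    """Accept an authenticated message once, and only while its timestamp is fresh."""

    def __init__(self, key, max_skew=MAX_SKEW, refuse_clock_regression=False):
        self.key = key
        self.max_skew = max_skew
        self.refuse_clock_regression = refuse_clock_regression
        self.seen = {}          # MAC tag -> timestamp of an already accepted message
        self.high_water = None  # latest local time this receiver has ever observed

    def sign(self, payload, ts):
        # The timestamp is covered by the MAC, so it cannot be edited in transit.
        return hmac.new(self.key, ts.to_bytes(8, "big") + payload,
                        hashlib.sha256).digest()

    def accept(self, payload, ts, tag, now):
        """'now' is the receiver's clock reading, i.e. whatever its time source says."""
        if self.refuse_clock_regression:
            if self.high_water is not None and now < self.high_water - self.max_skew:
                return "clock-regressed"
            self.high_water = now if self.high_water is None else max(self.high_water, now)
        if not hmac.compare_digest(tag, self.sign(payload, ts)):
            return "bad-mac"
        if abs(now - ts) > self.max_skew:
            return "stale"
        # Entries older than the window are dropped: the freshness check above
        # is supposed to reject them from here on.
        self.seen = {t: s for t, s in self.seen.items()
                     if abs(now - s) <= self.max_skew}
        if tag in self.seen:
            return "replay"
        self.seen[tag] = ts
        return "ok"


def scenario(refuse_clock_regression):
    """Constructed timeline; returns the receiver's verdict for each step."""
    guard = ReplayGuard(b"constructed-shared-key",
                        refuse_clock_regression=refuse_clock_regression)
    t0 = 1_000_000
    first = b"transfer #1"
    first_tag = guard.sign(first, t0)
    later = b"transfer #2"
    later_tag = guard.sign(later, t0 + 3600)
    return [
        guard.accept(first, t0, first_tag, now=t0 + 2),            # legitimate delivery
        guard.accept(first, t0, first_tag, now=t0 + 10),           # resent inside the window
        guard.accept(first, t0, first_tag, now=t0 + 3600),         # resent an hour later
        guard.accept(later, t0 + 3600, later_tag, now=t0 + 3600),  # normal traffic goes on
        guard.accept(first, t0, first_tag, now=t0 + 5),            # clock was set back an hour
    ]


if __name__ == "__main__":
    print("trusting the clock :", scenario(False))
    print("refusing regression:", scenario(True))
```

The last step is the point: once the cache entry has expired, the only thing standing between an old message and acceptance is the receiver's idea of the current time.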
2000/7/28-29 [Computer/SW/Security] UID:18807 Activity:high
7/28    That web-based ssh client we have is Phat,K-RAD and 2C00l.  i want to
        implement that on my server so i can access it if at a comp. without
        ssh.  What are the security implications?
        \_ It posts your username/password and session log to
           alt.security.gotcha, but is otherwise pretty safe.
2000/7/26-27 [Computer/SW/Security, Computer/SW/OS/Solaris] UID:18771 Activity:nil
7/24    Is there a way to install WindowMaker on a Solaris machine
        without root access?  Any url/pointer?
        \_ ./configure --prefix=/someplace/youcanwriteto/
           make
           make install
           and then you're done. Not very hard.
2000/7/21-22 [Computer/SW/Security] UID:18746 Activity:high
7/21    Is there a way to get root access given (unlimited) access to console
        on a sparc20 box with solaris 2.5.1? The pricks in IS&T are taking over
        a month to fix some things on my desktop machine and I really
        need to take care of several of them to get anything done, at risk
        of pissing off IS&T. Please withhold the "if you don't know how to
        do this, you shouldn't have root anyway" flames; i know how to fix
        what I want fixed, while not fucking up anything else.
              \_ Well, if the other things fail you could try:
                 <DEAD>phrack.infonexus.com/search.phtml?view&article=p53-9<DEAD>
                 I haven't done this, and don't know whether it will work with
                 your model+keyboard. --Galen
                 \_ Thank you kindly. This worked like a charm after
                    a few small corrections (s/1\@/@/g).
                    \_ How do you find the memory address of the process?
                       ps -lp gives me a ? for ADDR
                       \_ It didn't do that for me; make sure you're running
                          /usr/bin/ps though (/usr/ucb/ps, for one, has
                          entirely different flags). If that fails, poke
                          around in /proc/$$/, it's probably visible from
                          somewhere in there (try bytes 0x48-0x4B of
                          /proc/$$/psinfo). Make sure to check the current
                          contents of *(process_pointer)+0x18 first, and see
                          if it matches your current ruid (or risk clobbering
                          something random in memory)
        \_ Boot from CD. -tom
           \_ No CD drive (or floppy for that matter)
                \_It is likely that your box was installed over network and
                  the install server is still acting as boot/install server.
                  In this case you can boot off the network by typing "boot net"
                  from open boot prom. This is equivalent to booting from CD.
                  Of course, this wouldn't work if boot prom is password
                  protected. In this case you might need to swap the prom chip.
                  Though, if your box is also locked then you can't get root
                  without breaking things.
                \_ Borrow a cdrom - the CSUA has a sun-compatible one.
           \_ unless of course they set a prom password, in which case you're
              pretty hosed.
                \_ or swap in a prom.  Or swap in a disk with your favored
                   configuration.  With physical access it's always
                   possible.  -tom
                   \_ Mmm..physical access.. *drool*
        \_ They all say they know how to fix what they want fixed without
           fucking up anything else. Why don't you talk to their manager
           or have your manager talk to their manager? If it's truly
           preventing you from getting work done then it's a big deal and
                                       i'm an intern. it's not _/
           taking matters into your own hands will just mask a problem. Maybe
           IS&T is short-staffed and enough complaints will allow them to
           hire, for example. --dim
           \_ IS around here is absolutely hopeless. Trust me, this is the last
              resort.
2000/6/19-20 [Computer/SW/Security] UID:18498 Activity:high
6/19    Any suggestions for a Win98 SSH client?
        \_ F-Secure but you have to pay $$$
        \_ Yes. Go get a real OS.
        \_ teraterm is pretty stable and has some nifty features (eg
           recognizing most xterm escapes and imitating unix cut'n'paste
           behavior with respect to right/middle clicks)
        \_ TeraTerm plus TSSH.  I'm using it right now.  See:
           http://www.csua.berkeley.edu/ssh-howto.html
           \_ I'm using "SSH Windows Client" that I found from the same page.
              -- yuen
           \_ I use it at home and at work.  Works great.
2000/6/14-16 [Computer/SW/Security] UID:18465 Activity:high
6/14    I have written a program that "pipes" port1 to port2 on a machine
        [so if you do say telnet foo 25 that can automatically send to
        to port 19, chargen].  Is there a way to grab all the unbound ports
        and map them to chargen, to deter people scanning my machine?  Will
        that be an expensive program to run?  I don't want to launch one
        version of the process for each port.  Thanks!
        \_ Why are you even doing this?  You're reinventing the wheel.
           Just use the IP firewall rules built into your OS to port
           forward a range of ports.
                \_ I want to turn this on and off.  Also not all OSes support
                IP firewall.  Would like to do this at the application level.
                Can you tell me how to listen on all the unbound ports like
                inetd?
                \_ Sheesh, get a real os.  What are you using?  win 3.1?
                   \_ It's actually a vintage box; running a hacked-up
                      TCP/IP stack for CP/M. I'm using it as a low-load
                      web server
                \_ inetd doesn't listen on all unbound ports - it listens on
                   the ports listed in inetd.conf.  You could write a program
                   that looped through all possible port numbers and bound them
                   (if your OS supports opening 64k fd's in a single process)
                   but that would prevent any other app from being able to bind
                   a listening port.
                        \_ N0H0ZERZ!
                \_ If the ports are unused what's the big deal?  You can't stop
                   a scan.  And if you have insecure services running on other
                   ports, your program won't help that either.  What are you
                   trying to do?  What's the point?  Your program won't do
                   anything useful for you.
        \_ An easier thing to do is run FreeBSD 4.x and in /etc/rc.conf set
           tcp_restrict_rst="YES"  This will cause connections to ports with
           nothing listening to hang until timed out.  This pretty much kills
           portscanning.  --dbushong
                \_ Who cares?  Let em scan.  Security through obfuscation and
                   irritation is not security.  You're only slowing down the
                   inevitable.
                   \_ If you don't believe in "security through obfuscation"
                      you won't mind sharing all your passwords with me.
                        \_ That's different.  A password is obscure in a
                           way that in order to crack it, you need to
                           try a bunch of random combinations before you
                           can get it right.  Security through obscurity
                           is where a backdoor exists but you just hid it
                           somewhere.  It's the difference between a key
                           to your house and hiding that key under the mat.
                           The key is like the password.  Hiding the key
                           under the mat is the obscure part.  Obviously,
                           most prowlers will usually look under the mat
                           first before actually cracking the windows.
                        \_ A password is not obfuscation.  Hiding your buggy
                           service on a random port and making it hard to scan
                           is obfuscation.  Given a few extra minutes your
                           s00per sekret buggy service will turn up.  My ssh
                           passphrase won't.  You know I could give you my
                           ssh passphrase and it won't help you get into any
                           of the machines I run but you wouldn't understand
                           why.  Damn, it's so sad there's no real ugrad
                           security classes.  It shows.
                        \- i was thinking about writing something to wedge
                        the iss scanner specifically. am trying to decide
                        whether to do it at a tcp level [long time outs etc.]
                        or generate random data on port 80, when talking to
                        nfsd, mountd etc. i am also thinking about using
                        xinetd. would be interested in more discussion on
                        this. --psb
2000/6/12-14 [Computer/SW/Security] UID:18446 Activity:moderate
6/11    Anybody know if encryption routines (DES, IPsec related, etc) can
        be parallelized?  Does adding more CPUs and writing some parallel
        software speed things up?
        \_ Look at the source code.  Much of the time, what can be
           parallelized is done at a fine grain level (vector data,
           level, loop level, instruction level, etc...) in which
           case, adding CPU's won't do you any good.  If it's thread
           level parallelism, then yes.  Go to http://mit.edu's web site and
           search for Krste Asanovic (he was a PhD student here w/
           Patterson).  His thesis has a good explanation.  Also look
           at the spring 2000 cs252 website.  I think someone did
           a project on encryption algorithms. -jeff
        \_ IPSEC isn't an encryption routine--IPSEC ESP just makes
           provision for tunnel encryption and key exchange for
           whatever crypto you're using.  -John the Nitpicker
        \_ No.
        \_ It depends on the feedback mode used.  If the cipher is running
           in ECB mode, yes, but it's a bad mode of operation otherwise.
           the most common mode, CFB mode, has a dependency between
           blocks and can't be parallelized.  -nweaver
           \_ is that a mathematically proven statement or a "can't _easily_
              be parallelized"?
                \_ Do you understand what you're talking about?  If step B
                   depends on the result of step A before it can be started,
                   IT'S IMPOSSIBLE TO RUN A & B IN PARALLEL.
                   \_ Do YOU understand what YOU are talking about? There's
                      more than one way to split a task into blocks, and
                      parallelism need not apply at global level to be useful.
                      A complete mathematical proof of nweaver's statement
                      would be quite difficult.
                   \_ Not so.  It's been done before in superscalar
                      processors using load value prediction and
                      trivial computation predictions.
                   \_ CFB can not be parallelized beyond the parallelism
                      inherent in the encryption of a single block, because
                      of the dependency.  CFB of block N is computed by
                      encrypting the value of N xor the last block.  -nweaver
                      \_ look, computation prediction is NOT trivial!!
                   \_ CFB encryption can NOT be parallelized beyond the
                      parallelism inherent in the encryption of a single
                      block, because of the cyclic dependency.  You need to
                      completely encrypt one block before you can begin
                      encrypting the next block.  CFB DECRYPTION however,
                      can be parallelized between blocks.  -nweaver
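
The block dependency argued over in the thread above, as an added example that is not part of the original posts: standard full-block CFB, where C_i = P_i xor E_K(C_{i-1}) with C_0 = IV, encrypted in a chain and decrypted one block per worker. The block function is an HMAC-based stand-in (CFB only ever uses the forward direction of the cipher), and the key, IV and message are constructed sample values.

```python
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16  # bytes per block

# Constructed sample values for the demonstration.
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
MESSAGE = b"CSUA motd demo: CFB decryption has no chain between blocks, encryption does."


def block_encrypt(key, block):
    """Stand-in for E_K: a keyed PRF (truncated HMAC-SHA256), not a real block cipher."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    # zip() stops at the shorter input, which handles a short final block.
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cfb_encrypt(key, iv, plaintext):
    """C_i = P_i xor E_K(C_{i-1}).  Block i cannot start until C_{i-1} exists."""
    prev, out = iv, []
    for p in split_blocks(plaintext):
        c = xor(p, block_encrypt(key, prev))
        out.append(c)
        prev = c  # the feedback: this is the dependency between blocks
    return b"".join(out)


def cfb_decrypt_block(key, iv, cblocks, i):
    """P_i = C_i xor E_K(C_{i-1}).  Both inputs are ciphertext, known up front."""
    prev = iv if i == 0 else cblocks[i - 1]
    return xor(cblocks[i], block_encrypt(key, prev))


def cfb_decrypt_parallel(key, iv, ciphertext, workers=4):
    """Decrypt every block independently; no worker waits on another's output."""
    cblocks = split_blocks(ciphertext)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        plain = pool.map(lambda i: cfb_decrypt_block(key, iv, cblocks, i),
                         range(len(cblocks)))
        return b"".join(plain)


def changed_blocks(a, b):
    """Indices of the blocks in which two equal-length byte strings differ."""
    pairs = zip(split_blocks(a), split_blocks(b))
    return [i for i, (x, y) in enumerate(pairs) if x != y]


if __name__ == "__main__":
    ct = cfb_encrypt(KEY, IV, MESSAGE)
    print("round trip ok:", cfb_decrypt_parallel(KEY, IV, ct) == MESSAGE)

    # Encryption side: one changed plaintext byte in block 0 ripples forward.
    ct2 = cfb_encrypt(KEY, IV, b"X" + MESSAGE[1:])
    print("ciphertext blocks changed:", changed_blocks(ct, ct2))

    # Decryption side: one damaged ciphertext block touches two plaintext blocks.
    damaged = ct[:BLOCK] + bytes([ct[BLOCK] ^ 1]) + ct[BLOCK + 1:]
    print("plaintext blocks changed:",
          changed_blocks(MESSAGE, cfb_decrypt_parallel(KEY, IV, damaged)))
```

The same two-block footprint that lets decryption run in parallel also bounds error propagation: damage to one ciphertext block garbles that block and the next, and nothing after.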
2000/5/24-26 [Computer/SW/Security] UID:18336 Activity:low
5/24    I want to make my FS encrypted so that no one can take out
        my linux harddrive, hook it up to another computer that they
        have root on and see my files. I want only my password to be
        able to access those files. Anyone know of such a FS package?
        Doesn't have to be distributed like NFS.
        \_ try cfs (it has a debian package in non-us). User-mode, IIRC.
                \_ hello, does anyone know the status of the Alex file
                   system from cmu [not andrew]. has that been abandoned?
                   is there a successor [is nebula any good?]. will it
                   run on solaris? --psb
                   \_ Re-formatted.
        \_ Who would bother?  If they stick a gun to your head, you'll very
           happily give them the password and suck their cock, too.
2000/5/16-18 [Science/GlobalWarming, Computer/SW/Security] UID:18283 Activity:high
5/16    http://www.wired.com/news/politics/0,1283,36339,00.html

        Question: How exactly can you distinguish Voice traffic
                  from other traffic, esp. when you can tunnel it
                  over another protocol like http or you encrypt
                  it using SSL and such?
                  What the hell do the telco's want regulated?
        \_ It's just political clap trap noise.
           \_ But, technically, unencrypted voice traffic is hella
              easy to detect, regardless of protocol.  Anyone who
              knows basic signal processing can write the code.  -blojo
              \_ what's the easy trick? does the spectrum for speech look very
                 specific? -ali
                 \_ What you would basically do is: (a) look for signals
                    that have most of their energy in the 500Hz-4KHz range.
                    (b) The amount of energy and its centroid oscillate /
                    fluctuate with periods that are O(.25 seconds).
                    Basically you can look at docs for any of the recent
                    vocoders and see what circumstances they focus on
                    reproducing... fortunately recognition that something
                    is probably a voice is a lot easier than recognizing
                    what the voice is saying.   -blojo
                    \_ Key phrase: unencrypted.  Solution: encrypt it.
                        \- you know the NSA has a patent on automatically
                        IDing FAX and some other kinds of traffic. --psb
                    \_ i've got something that fluctuates at 4 Hz right down
                       here. -ali
                       \_ Wow.  That sounds painful...or unsatisfying.  Not
                          sure which....
2000/4/25-26 [Computer/SW/Security] UID:18110 Activity:very high
4/24    Are there instructions on how to use the Java SSH client at
        http://soda.csua.berkeley.edu/ssh  - clueless
                                              \_ got that right
        \_ You need instructions on how to use this?  This is a joke
           right?
        \_ OK - this is one of those cases like you're the only person that
        hears any weird sounds coming from your car, but your mechanic doesn't
        when you bring it to the shop.  What happened was that when connected
        to certain networks, say at work, the Java ssh client would not know
        http://soda.csua.berkeley.edu, and return an error to that effect.  Thus, the
        cause for clueless-ness.  However, on less prohibitive networks, say
        at home via dial-up ISP provider or dsl, I have no problems, which
        would invite a "got that right" comment.  So, now another clueless
        question is - does this ssh client run over http or another protocol?
        Why does it work in some cases and not others?  More than happy to read
        all about ssh if you got a pointer/url, especially for this Java ssh
        implementation.  - Longer than necessary, clueless
        \_ Well it runs ssh's network protocol, to port 22 on soda.  Odds are
           if it's not connecting you're behind a tightwad firewall that blocks
           outgoing tcp/22.  -ERic
        \_ You might also be having DNS troubles resolving names from
           behind the firewall.  I know Sun's firewall does weird DNS hiding
           and you need a super special ssh client to get out. - seidl
        \_ might also try running ssh in verbose mode to gather clue
2000/4/11-13 [Computer/SW/Security] UID:17974 Activity:nil
4/11     When I dialup from home, I use screen in my shell so that if I
         get disconnected, I can dial back in and reconnect my screen and
         thus not lose any work. Is there something similar I can do with
         my X apps also? (xterms, emacs, etc). I suppose I can run vnc on
         my workstation at school, but vnc is slow and not secure.
         \_ You can vnc over ssh.
            \_ Doesn't ssh break the connection when you hang up?
         \_ w/ static IPs, use ssh w/o keepalives, and ssh/X will persist
            short interruptions or long ones if all is idle.
2000/4/11-12 [Computer/SW/Security] UID:17965 Activity:low
4/10    Why is ssh2 better than ssh1?  Aside from sftp.  I'd like a pointer
        to technical reasons why ssh2 has improved security.
        (Yes, I already spent some time looking.) --PeterM
        \_ well, the ssh2 protocol was written more from the ground up
           rather than as modifications to a hack to a neat idea. --jon
           \_ I can see in general how rewriting the code would improve it,
              but what particular attacks are now harder/impossible? --PeterM
        \_ pure marketing + revenue
2000/4/3 [Computer/SW/Security, Computer/HW] UID:17913 Activity:high
4/2     Is there a program that will continually monitor when a file gets
        appended to and display it to stdout (like a security log monitor)?
        \_ simple way might be to use: tail -f FILENAME
           \_ might be?  That's _the_ way.  How much easier can it get?  No
              bullshit, no coding, no side effects, included in every *nix.
              Even Linux has it.
2000/3/30 [Computer/SW/Unix, Computer/SW/Security] UID:17890 Activity:nil
3/28    -nick is login "nick" already
        \_ No it's not - the other nick
2000/3/22-23 [Computer/SW/Security] UID:17825 Activity:insanely high
3/22    SHIT!  My linux gateway running ipchains got cracked.
        How?  --PeterM
        \_ Run a BSD.  Any BSD.  No, really.  Linux sucks.
           \_ How about:
              BSD security >> Linux security, but Linux is getting there
                \- realistically i think there are just more linux
                root kits floating around. same reason more solaris
                boxes get cracked than say ultrix.irix machines. --psb
                \_ In my experience, VMS security >> HP security >>
                   SUN security >> IRIX security >> Linux security >>
                   Windows security. IRIX really sucks and SGI ships
                   the OS wide-open. --dim
                        \- i work in this area so my data is based on a lot
                        of machines and not just on my experience. most people
                        cracking systems are just trying a lot of doors and
                        aren't picking locks. the doors they usually get into
                        aren't necessarily the easiest ones to pick but the
                        ones with the most spare keys floating around or the
                        most likely to have been left unlocked. VMS machines
                        aren't cracked because very few people have access
                        to them, or sources etc. i agree solaris security is
                        better than irix security but there are more suns
                        and more people have access to suns ... hence more
                        solaris root kits. --psb.
                        a lot of the weenie crackers
                        don't even know the difference ... you see people
                        using solaris eject cracks on irix machines all the
                        time. you know you are dealing with a clown when a
                        cracker's editor of choice is pico. [which it is
                        more and more often these days] --psb
                        \_ I agree completely. I just wanted to point out
                           how much IRIX sucks. --dim
                                \- back in the old days suns used to "ship"
                        with + in /etc/hosts.equiv. it only took a few years
                        for sun to admit they had their head up their ass on
                        that one. SGI was even more intransigent about the
                        lp/guest etc accounts. whenever you would complain to
                        SGI they would either point to "small print" or defend
                        what they did with "we know better" ... well apparently
                        "the market" knew better. --psb
        \_ sendmail, dns, irc, ftp, what else are you running?
           \_ no ftp, irc.  Running sendmail as an smtp server for
              the internal network, but blocking connections from
              outside.  Running DNS.  Nothing else that I know of
              offhand.
                \_ move DNS serving to an internal machine. This
                   will take some of the load off and also close
                   a potential security hole. I also switched to
                   postfix which seems to be more secure than
                   sendmail.
                \_ In recent history, all of those other daemons have
                   had a lot more security problems than sendmail.
                                \_ I haven't seen as many CERT warnings
                                   about postfix as for sendmail and
                                   qmail.
                        \- what version of named? are you running named
                        unprivileged and chrooted? this was a common attack
                        on freebsd. --psb
              \_ what are your rules?  wuftpd supposedly has some buffer
                 overflow exploits.
                 \_ "no ftp"?
        \_ RedHat 6.1?
        \_ an inside job?
                \_ a blown job?
2000/3/14 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:17763 Activity:kinda low
3/14    http://www.csua.berkeley.edu/~benchan/entreprise/CYBERARMS.html
        \_ Is commerce allowed on CSUA?
           \_ No.
              \_ but this is eCommerce!  It's downright unamerican not
                 to encourage eCommerce!
        \_ Squish!
2000/3/13-14 [Computer/SW/Security, Computer/SW/Apps/Media, Computer/Networking] UID:17759 Activity:moderate
3/13    At work each "phone" jack has an ethernet port, digital phone, analog
        phone, and a fax port.  Anybody know where I can get a jack like that?
        I couldn't find it at homedepot.  -trying to rewire my house.
        \_ Just unscrew the one at work. (Someone else's office)
        \_ http://www.l-com.com sells just about every possible connector or
           cable for many different applications.  they should have
           whatever jack you need, and i think they can do online orders
           via web.
        \_ Did you look in the catalogs? (http://www.blackbox.com for example)
        \_ under your desk? *grin*
                \_ I liked it better when the area admin was under my desk.
2000/3/8 [Computer/SW/Unix, Computer/SW/Security, Computer/SW/OS/Windows] UID:17713 Activity:nil
3/7     What are people using to do S/MIME on Unix?  I don't know which
        M to RTFM.  (I've used a thawte digital certificate to read/
        send encrypted mail in windows, but don't like going over
        there every time to read encrypted mails...)  Thanks
2000/3/2-3 [Computer/SW/Security] UID:17677 Activity:moderate
3/2     "He was plotting it for around two weeks, jokingly, saying he was
        going to extort money from these companies. Then all of a sudden
        he got dared to do it, and 10 minutes later Yahoo! was down. He
        never made extortion demands," the source said.  "We should all be
        thankful he got scared and didn't carry out his next idea, and
        that no one else feels the need to do this either," the source
        wrote. "He had a DDoS (distributed denial of service) tool that he
        wrote installed on all of his hacked boxes. He was planning on
        using all 1,000 machines in a combined attack on the Root
        Nameservers, flooding the Nameservice ports with UDP packets." "He
        is safe and he knows it, he deleted all evidence off his machine.
        ...He is very well aware that there isn't any way to prove a smurf
        attack after the fact." http://www.msnbc.com
        \_ Hear that tjb? They're on to you!
2000/3/1-2 [Computer/SW/Security, Computer/SW/OS/Windows] UID:17667 Activity:moderate
2/29    http://www.gnu.org/philosophy/amazon.html#whyBoycott
        http://www.oreilly.com/ask_tim/amazon_patent.html
        \_ USE WINDOWS. WAREZ REWLZ. LINUX SUX.
        \_ Uh huh, communists and a guy who made his millions on the
           copyright system which is the printed version of the patent
           system.  I'm impressed.  I'm also stoned, stupid, and a libertarian.
           \_ There is a BIG difference between the patent system and the
              copyright system. You can have two books that describe how
              to use the same algorithm, in detail, and not violate copyright.
              But the way the PTO is going, you won't be able to have two
              separate programs that use the same algorithm, without
              violating patents.
                \_ Bullshit.  Stop repeating the ignorant drivel from the
                   slashdot crowd and do your own research.  Start with a law
                   degree.  "But I don't need no stinkin' law degree to know
                   that my rights to other people's work is being infringed!"
                   \_ One of the cornerstones of patent law is that no one
                      should be allowed to patent prior art (something which
                      someone has done before) nor any trivial extension of
                      prior art (something which would be obvious to anyone
                      in the field even without it having already been done).
                      The trick is that the patent office's track record for
                      letting prior art leak into patents is abysmal.
                      [Dubious reference to prior art accidentally deleted]
                      \_ Please quote the spec example and provide URL.  If
                         it was that simple the judge would not have granted
                         an injunction.  That's only done when there is a
                         high probability of victory.  If the example you
                         claim is in the cookie spec covered the whole patent,
                         then B&N's lawyers could have easily not only not
                         been on the wrong end of the injunction, but could
                         have had the patent declared invalid long before now.
                         Patent law isn't as simple as slashdot makes it out.
                      \_ Were any of the online brokers up and running in
                         1997?  Any one of their stock purchase systems
                         would constitute prior art if in place then.  -mel
                         \_ No, it wouldn't.  You have no idea what a patent
                            even is.  It is defined by the claims, not the
                            oft and over quoted summaries printed on slashdot
                            and other anti-IP sites.  Violate so much as a
                            single minor claim and you're infringing on some-
                            one else's property.
2000/3/1-2 [Computer/SW/OS/Windows, Computer/SW/Security] UID:17664 Activity:nil
2/29    does an ssh client for windows 3.11 exist?  thanks.
        \_ USE WINDOWS MAN.  LINUX SUX.  WINDOWS REWLZ.  ANYONE WHO'S
           ANYONE USES WINDOWS.  LINUX USERS ARE FREAKS MAN.
        \_ Win32 programs have been known to run on 3.11 systems.
           Try TeraTerm ssh (free) or F-Secure (maybe free if you're on
           campus).
                \_ There was an article in the merc this week saying that
                   SSH Communications & SANS were giving away free SSH to
                   .edu's but I can't find anything on http://ssh.com or http://sans.org.
                   Anyone know anything about it?
2000/2/25 [Recreation/Dating, Computer/SW/Security] UID:17622 Activity:nil
2/25    Pro-immigration drivel deleted.  That was not a reason to allow
        queers to marry.  That was a reason to deny foreigners easy access
        to our shores.  I abhor the practice of foreigners, mostly women,
        prostituting themselves out to gain status here.  We should eliminate
        that possibility equally for everyone.
2000/2/22-23 [Computer/SW/Security, Computer/SW/Unix] UID:17587 Activity:moderate
2/22    Is it possible for Soda to create a web mail interface similar to
        http://mail.yahoo.com to access emails on soda?
        \_ No.  Soda is a computer and has not yet achieved sentience.
                Use POP or IMAP or forward your mail to luser@@yahoo.com.
                \_ Soda still allows POP and IMAP? I thought that the whole
                   point of turning off telnet/ftp/etc was to prevent some
                   twinks from sending their passwords in clear text over the
                   net. So, what's the point of turning off telnet and ftp
                   if POP and IMAP are still running?
                        \_ There is no point, only trolls.
        \_ You may email your request to the entity known as "Soda".
        \_ I was looking at something called 'mailman' a while ago.  It'd
           require nothing more than a few cgi scripts and a cron job that
           copies your mail into a directory off your public_html/.  They
           started charging for mail man, though, and I haven't had time
           for it since.  Mail me if interested.  -John
                \_ there are at least a dozen different mail->web gateways
                        listed on http://freshmeat.net
        \_The OCF got acmemail up and running in a few hours -jones
                \_http://secure.OCF.Berkeley.EDU/cgi-bin/acme/acmemail.cgi
2000/2/11-13 [Computer/Networking, Computer/SW/Security] UID:17494 Activity:very high
2/11    Why can't they stop all these DoS with a simple TCP source quench? My
        understanding is that if the incoming data rate passes a certain
        threshold, you can simply ask the upstream sender to slow down or
        drop packets. So why don't the end points just do this so that the
        systems don't go down?
        \_ But then if that's true and the upstream sender starts dropping
           packets, it will still appear the same to the clients that the
           server has crashed.  The effect is the same.  Right?  -- yuen
           \_ Sort of, my understanding is that you can do a source quench
              on one or more source IP's, so when you send a quench the
              message propagates all the way back to the source. When
              the routers closest to the source start dropping, it will look
              like (from the source's perspective) the destination
              has gone away. Other source IP's won't be affected.
              \_ Source quench idea doesn't work necessarily because the
                 idea of source quench assumes that the sending host is
                 co-operative, not hostile.  When the sending host has
                 been root compromised, the compromise could change the
                 behavior to make it ignore source quench requests.
                 Also, a lot of the source IPs are being spoofed, so you
                 don't even know who the real sources are.
        \_ The attacks are a lot more complicated than just "send lots of
           packets to yahoo".  -tom
           \_ So where can I get a description about how these attacks work.
              And I'm not looking for the garbage in the general press.
                \_ http://www.securityfocus.com
                \_ http://staff.washington.edu/dittrich/misc/tfn.analysis
              \_ http://staff.washington.edu/dittrich
                 Look in the papers where he analyzes trinoo, tfn and
                 stacheldraht. Best analysis of them I have seen. -ausman
                \_ while (1) { httpget("yahoo.com"); }     And now you know!
                   \_ This is hardly untraceable since your IP will show up
                      in access_log. My understanding is that the attacks
                      have been untraceable, so they must involve header
                      rewriting or session hijack or something.
                      \_ No.  _some one's_ IP appears in the log.  Who is to
                         say httpget() isn't mushing the IP or using a proxy
                         or doing a million other things?
        \_ The problem with DoS attacks is not that they're crashing the
            machines, but that they're preventing normal users from accessing
            the service.  Your suggestion does nothing to change this.
            \_ If you or your upstream routers block/quench based on the
               sending rate of a source IP, then you could filter the DoS
               traffic (high incoming rate) and still allow most normal
               users (low incoming rate) to connect. I think that is an L3
               analogy to the hammer filters in some ftp servers.
                \_ Except that many of the attacks consist of a low incoming
                   rate per IP address from thousands of different addresses.
                   Telling real traffic from attack is harder than you think.
        \_ Pull network cable, sell stock, go home.
                \_ Wrong order!
                        \_ You want to sell at the high moments before it
                           crashes to make sure you soak it for every last bit.
                           After all, who knows better when it's going down
                           than you?  It'll take a while for others to notice.
        \_ I opened a joint broker account with my girlfriend and placed $1000 in
           it, telling her that whatever is in it when engagement comes would be
           the price of her diamond ring.  GE didn't go fast enough for her, so
           we went into Checkpoint Software, and it went from $1000 to $4000
           in 4 months, and has been going through the roof since the DoS
           attacks.  Do you think my girlfriend might be involved?
                \_ She hired me to do it.  I get half the account, she gets
                   the other half for her ring.  Expect it to continue upwards
                   until you're engaged.
                   \_ I knew she was involved!  I once suggested to her that
                      instead of a diamond ring, I can give her a super cool
                      Sun workstation.  To my surprise, even though she is a
                      nerdy (but very beautiful, in my opinion) computer
                      science student, she didn't like the idea very much.
                      If you can convince her otherwise, it would be a great
                      favor for me!
                      \_ She is much smarter than you think. Diamonds are
                         forever. Sun workstations become obsolete.
                         She also realizes that you may in fact wish to
                         fondle the sun hardware instead of twiddle her bits.
                         And when the workstation becomes old, Sun allows
                         you to trade it in for a newer model, perhaps giving
                         you certain ideas she finds threatening.
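The per-source filtering argument from the thread above, worked through as an added example (not part of the original posts). It applies a token-bucket limit per source IP to two constructed traffic patterns: one loud source, and many sources that each stay under the limit. The class name, rates and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict


class PerSourceLimiter:
    """Hypothetical per-source token bucket: `rate` requests/s, burst of `burst`."""

    def __init__(self, rate: float, burst: float):
        self.rate = rate
        self.burst = burst
        self._tokens = defaultdict(lambda: burst)  # every new source starts full
        self._last = {}

    def allow(self, src: str, now: float) -> bool:
        last = self._last.get(src, now)
        # Refill for the time elapsed since this source's previous packet.
        tokens = min(self.burst, self._tokens[src] + (now - last) * self.rate)
        self._last[src] = now
        if tokens >= 1.0:
            self._tokens[src] = tokens - 1.0
            return True
        self._tokens[src] = tokens
        return False


def simulate(events, limiter):
    """events: iterable of (time_seconds, source_ip). Returns (passed, dropped)."""
    passed = dropped = 0
    for now, src in sorted(events):
        if limiter.allow(src, now):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def single_source_flood(seconds=10, per_second=200):
    """Constructed traffic: one address sending far above the per-source limit."""
    return [(s + i / per_second, "198.51.100.7")
            for s in range(seconds) for i in range(per_second)]


def distributed_flood(seconds=10, sources=1000, per_second_each=2):
    """Constructed traffic: many addresses, each well under the per-source limit."""
    events = []
    for n in range(sources):
        src = f"10.{n // 256}.{n % 256}.1"
        for s in range(seconds):
            for i in range(per_second_each):
                events.append((s + i / per_second_each, src))
    return events


def compare(rate=5.0, burst=10.0):
    """Run both patterns through fresh limiters with the same settings."""
    loud = simulate(single_source_flood(), PerSourceLimiter(rate, burst))
    spread = simulate(distributed_flood(), PerSourceLimiter(rate, burst))
    return {"single_source": loud, "distributed": spread}


if __name__ == "__main__":
    for name, (passed, dropped) in compare().items():
        print(f"{name:14s} passed={passed:6d} dropped={dropped:6d}")
```

The single loud source is cut to roughly its burst plus the refill rate, while every packet of the spread-out pattern passes, so the aggregate load on the server is unchanged. This is the point made in the thread: a per-source threshold cannot tell many low-rate sources from ordinary users.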
2000/2/9-10 [Computer/SW/Security] UID:17468 Activity:low
2/9     I would like to start using PGP for communications.  Problem is that
        the machine at work won't let me install freeware PGP for WinNT (I'm not
        an admin nor do I play one on TV).  I thought there was an impl in PERL
        somewhere but can't find anything about it.  Does anyone have a list of
        PGP impls handy?  And if so could you share?
        \_ PGP?  For what?  You think the NSA and Evil HAx0rz are listening in
           to your love letters to your SO?
2000/2/9-10 [Computer/SW/Security] UID:17463 Activity:insanely high
2/8     After the recent attacks against the big boys of
        dot com how does a guy prevent further Denial of service (DoS)
        from happening to his own cos. - curious
        \_ You don't.  You can filter some of the crap but never be totally
           safe from it with current protocols and technology.
           \_ why not just change the filter properties?
                \_ Which devices do you own that can filter 1 gigabit per
                   second without crashing while still letting the good
                   traffic through?  And what if the DoS consists of properly
                   formed http calls?  What are you going to filter?
                   \_ so i guess you need to call an upstream isp to put
                      in the proper filters?
                        \_ Idiot!
                        \_ Argh!  TROLL!
                           \_ well, isn't that what they did to stop
                              the http://cnn.com attack?
                                \_ Yeah, they turned on the "filter_DoS_packets"
                                   rule in the routers.  Some new guy had
                                   turned it off and no one noticed.
                                   \_ so i guess you don't know then, huh?
                                        \_ I think when they upgraded to dos
                                           version 2.11, everything was ok.
             \_ what are you going to filter, when the DoS looks EXACTLY like
                lots of normal traffic packets?  Is the 'Slashdot Effect'
                a malicious attack, or just your site suddenly becoming very
                popular.  Either way, your site is basically down.
                \_ are you sure DoS packets look exactly like normal packets?
                        \_ Of course not.  They have the DoS flag set.
                           \_ so i guess you don't know then, huh?
                                \_ The dos upgrade to v2.11 fixed it.
        \_ A possibility would be to make your company site a moving target.
           Have several locations/IP's you can use. When one IP gets hit with
           the big DoS, change your DNS entry (you set your TTL low ahead
           of time, right?), and move your site to the new IP.
                \_ That'll work, uh... never.  DoS kiddies just get the new
                   IP the same as everyone else.  Welcome to the internet.
                        \_ ACK!  I've been trolled!
        \_ if you have to ask, you don't know
           \_ thanx for stating the obvious
        \_ Unplug net cable.
        \_ If companies with hundreds of millions of dollars at stake can't
           prevent it, what the hell makes you think you can?
                \_ Because I read a zdnet article about how to stop it.
                     \_ it's so ironic, that zdnet was attacked and shut down
                        for 2 hours this morning.
        \_ Very little.  Try not to be a tempting target.  The way the big
           sites were attacked recently was by distributed clients running
           on many windows boxes infected with a remotely activated virus.
           There wasn't any obvious TCP stack bug problem with the servers
           or anything, they just got overwhelmed by tons of valid-looking
           hits.  Short of weird heuristics, there's very little you can
           do about this.
        \_ What about authenticated IP? -- network newbie
           \_ Won't stop traffic floods, which is what they're getting
              hit with.
           \_ First define authenticated IP, then figure out how much your
                business will lose by cutting off all the random web users
                who don't use it.
        \_ Why don't we all start attacking http://www.microsoft.com and bring down
           the Evil Empire(TM)?
2000/2/7-8 [Computer/SW/Security, Computer/SW/Unix] UID:17447 Activity:high
2/7     POP-3 Question: I want to run a popd at home (such as qpopper) so
        that my parents can check their mail without having to login to
        the mail server at home. From what I can tell from the RFCs, POP
        seems to be an insecure protocol, in that it sends passwords as
        plain-text. Is it possible to run a secure POP server, or can I
        at least have the POP passwds in a file other than /etc/passwd
        (like .htaccess)?
        \_ Use APOP or ssh port forwarding. Using APOP would be probably
           less hassle for non-*nix users. You still need to send a clear text
           password, however, it is not the same as a user's unix password.
           If a user is using *nix, fetchmail + ssh port forwarding is
           the way to go. -akop
                \_ the APOP password is not clear-text; it's MD5 encoded I
                   believe.  -tom
                   \_ Couldn't get APOP to work correctly in the released
                      version of qpopper. Besides it looked like APOP didn't
                      work with Netscape.
                        \_ APOP does not work with Netscape.  But it does
                           work fine with qpopper.  -tom
           \_ "My parents use *nix!"
               \_ My mom has been a Unix user/hacker since the PDP-11 was
                  a new machine. It's not a user issue, I'm just trying to
                  minimize logins to the mail server (also the firewall/nat
                  box).
                  \_ Then maybe you should be asking yermom for advice.
                     \_ I would ask my mom (not yermom) for advice, but
                        she is currently out of the country.
                        \_ Then she doesn't need her email right now, does she?
                           I don't release any GPL'd code until my mom has
                           QA'd, debugged, and approved the release.
                \_ http://www.linuxdoc.org/HOWTO/mini/Secure-POP+SSH.html
                   also, fetchmail can do APOP (but not netscape mail)
        \_ Go for IMAP+SSL - then they can use netscrape or MS LookOut!
           \_ Which server should I try? From just looking at the homepages
              for Cyrus (CMU) and Imapd (WU) I couldn't tell if either
              supported SSL.
                \_ Use either with the SSL wrapper from the ssl toolkit.
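The APOP exchange discussed in the thread above, as an added example (not part of the original posts). Per RFC 1939 section 7, the client sends the hex MD5 of the server's greeting timestamp concatenated with the shared secret, so the secret itself never crosses the wire. The ApopServer class, its host name and the sample user are hypothetical.

```python
import hashlib
import hmac
import itertools
import re

# The greeting carries a msg-id style timestamp, e.g. <1896.697170952@host>.
_TIMESTAMP = re.compile(rb"<[^<>@\s]+@[^<>\s]+>")


def extract_timestamp(banner: bytes) -> bytes:
    """Return the timestamp (angle brackets included) from a POP3 greeting."""
    if not banner.startswith(b"+OK"):
        raise ValueError("not a positive POP3 greeting")
    match = _TIMESTAMP.search(banner)
    if match is None:
        raise ValueError("no timestamp in greeting: server does not offer APOP")
    return match.group(0)


def apop_digest(timestamp: bytes, secret: bytes) -> str:
    """RFC 1939: lowercase hex MD5 over timestamp followed by the shared secret."""
    return hashlib.md5(timestamp + secret).hexdigest()


def client_apop_line(user: str, secret: bytes, banner: bytes) -> bytes:
    """Build the command the client sends in place of USER/PASS."""
    digest = apop_digest(extract_timestamp(banner), secret)
    return f"APOP {user} {digest}\r\n".encode("ascii")


class ApopServer:
    """Hypothetical minimal server side: one fresh timestamp per connection."""

    def __init__(self, secrets: dict, host: str = "mail.example.invalid"):
        # The server needs each secret in recoverable form to recompute the
        # digest, so this table must be protected like a password file.
        self._secrets = secrets
        self._host = host
        self._counter = itertools.count(1)
        self._outstanding = set()

    def greeting(self) -> bytes:
        ts = f"<{next(self._counter)}.946684800@{self._host}>".encode("ascii")
        self._outstanding.add(ts)
        return b"+OK POP3 server ready " + ts + b"\r\n"

    def verify(self, timestamp: bytes, line: bytes) -> bool:
        # A timestamp is honoured once, so a recorded APOP line cannot be
        # replayed against it later.
        if timestamp not in self._outstanding:
            return False
        self._outstanding.discard(timestamp)
        parts = line.strip().split(b" ")
        if len(parts) != 3 or parts[0].upper() != b"APOP":
            return False
        secret = self._secrets.get(parts[1].decode("ascii", "replace"))
        if secret is None:
            return False
        expected = apop_digest(timestamp, secret).encode("ascii")
        return hmac.compare_digest(expected, parts[2].lower())


if __name__ == "__main__":
    server = ApopServer({"mom": b"constructed-sample-secret"})
    banner = server.greeting()
    line = client_apop_line("mom", b"constructed-sample-secret", banner)
    print(banner.decode().strip())
    print(line.decode().strip())
    print("accepted:", server.verify(extract_timestamp(banner), line))
```

The digest protects the secret only as well as MD5 and the secret's own strength allow, and everything after login (the mail itself) still travels in the clear, which is why the thread also suggests ssh port forwarding or IMAP over SSL.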
2000/1/27-28 [Computer/SW/OS/FreeBSD, Computer/SW/Security] UID:17349 Activity:high
1/26    Are the security benefits of mounting /usr partition in read-only
        mode worth the trouble of rebooting your server whenever you install
        OS patches or updates?  -sysadm
                \- this isn't worth doing ... at least not on solaris.
                spend a little more energy on keeping md5 checksums --psb
                \_ an ounce of prevention is worth a pound of
                  "AAAa! We've been hacked, FIX IT!"
        \_ Depends on your needs.  Extra security vs convenience. In general,
           I'd say don't do stuff like this unless you're sure you need to.
           That you have to ask says you probably don't need it.
        \_ Most of the time you have to reboot after installing OS patches &
           updates anyway.
           \_ Ok I will modify my question. What about simple and yet
              important updates that DON'T require a reboot. I'd rather
              restart a service than reboot. -sysadm
      \_   what's going to stop some cracker from just remounting /usr r/w,
        changing stuff, and then having a ball?   I don't see
        any benefit in the world of mounts with -o remount or -u (bsd)  -ERic
                \_ The only security benefit is to block script kiddies.
                    Crackers with half a clue can get right past it.
        \_ You NEED TO BE ROOT to remount. the whole point is to make it
           more difficult for them to get it
        \_ Eye 0wn3d y00!111
2000/1/23-24 [Computer/SW/Security, Computer/SW/WWW/Server] UID:17302 Activity:nil
1/21    Anyone have a page where I can find stuff on headers for our apache web
        server?  We have authentication, though we've realized that caching
        really is another issue entirely and would like our pages to have the
        same behavior as the portals (e.g., yahoo, aol) re browser based
        email authentication
        \_ http://www.hamsterdance.com
        \_ Don't go to hamsterdance.  You're looking for
           http://windowsupdate.microsoft.com.
        \_ Would you care to try again except use English and format to
           between 76 and 80 columns?
        \_ Reformatted to fit on 80-column punchcard. - motd punchcard god
2000/1/18-19 [Computer/SW/Security, Finance/Investment] UID:17263 Activity:high
1/18    Is E*TRADE FDIC insured?  Thx.
        \_ They are a brokerage not a bank. They have SIPC and backup private
           insurance. Read their web site. (BTW do you really want an account
           with E*TRADE? I haven't had an account there but heard their
           customer service is impossible. You might find this useful:
           http://www.gomez.com.)
           \_ Very useful site.  Thanks.
           \_ I have an account with them. I've only had to ask one question
              but got a response within 24hrs. But that's just once, so take
              it as you will.
           \_I have had nothing but trouble w/ Etrade. It is hard to
             connect with them during the day, it takes days for them to
             respond to emails, and you have to wait >>>1h to talk to a
             customer service rep when you call. I prefer Datek, even
             though they offer fewer services.
        \_ E*TRADE is completely incompetent. They are awful. --aaron
           \_ How about http://www.schwab.com
                \_ schwab has pretty good service.  Problem is their
                        commission costs for trades are pricey
        \_ Why do people use/need customer support that much?  I would
                think that once you get things setup, you don't need
                that much customer support
        \_ try doing a brokerage transfer.  -tom
2000/1/14-17 [Computer/SW/Security] UID:17241 Activity:nil
1/14    can't find ssh client for win 3.11. help? (and pls don't suggest to
        upgrade to win 95/98/NT.) thanks in advance.
        \_ LINUX! RIDE BIKE!
        \_ I think you can just telnet the non-secure way, use the one-time
           password generator at http://www.csua.berkeley.edu/skey or
           elsewhere to generate the one-time password, then manually type
           the password in your non-secure telnet.
        \_ F-Secure ssh for Win32 will run on Win 3.11 -sony
           \_ http://www.zip.com.au/~roca/ttssh.html
        \_ Can you run java? If so: http://www.mindbright.se/mindterm
2000/1/11 [Computer/SW/Security] UID:17211 Activity:high
1/10    Why don't we use SSH Ver.2?  (I think there was an explanation
        somewhere but i can't find it)
        \_ No one supports SSH 2.
        \_ SSH2 costs too much
          \_ Exactly. SSH1 is freeware while SSH2 is available for purchase
             only.
1999/12/22-23 [Recreation/Dating, Health/Men, Computer/SW/Security] UID:17085 Activity:high
12/21   So I'm looking for Logo information -- I go to bh's Web page, and just
        below his photo is a link inviting me to "Take a look at my son Heath."
        NO WAY!!!  bh actually found a female to get intimate with him?
        Is/was bh married?  Or is this some kind of weird I-hate-my-family-so-
        I'll-pick-a-new-one thing like benco and his "fathers" Allman and
        McKusick?
        \_ he adopted a 12 year old boy.  single parent. unmarried.
                        \_ no, 11
             \_ Some morons let that total bug eyed freak get his molestor's
                dirty fat little paws on a helpless child which he promptly
                posted pictures of on the net?  WTF is this country coming to?
                Next, they'll let queers marry.
                \_ You obviously don't know BH personally. So quit trolling.
                   FYI, there's no law (or reason) against posting your kids'
                   pictures on the net, he wanted a kid for nearly a decade,
                   and had to put up with the social service system (which is
                   ridiculously biased against men) for that long, and has
                   a master's in clinical psychology to show for the statement
                   that he's capable of caring for the kid properly.
                   \_ Oh yeah, I went to school so I must know all about kids!
                      You're so completely clueless and dense.  There's a very
                      good reason they don't give children to unmarried men.
                      The only shock is that they let freakoid have one after
                      *any* number of years of trying.  Normal people who want
                      kids try out this thing called "marriage" and they "have
                      sex" and "procreate".  Try it sometime... or in your
                      case, please don't.  The gene pool is sufficiently
                      polluted.
                      \_ I agree. Lezbo "couple" adoptions and sperm
                         inseminations should be banned by law.
1999/12/19-21 [Computer/SW/Security] UID:17070 Activity:kinda low
12/18   Is anyone aware of an existing scp interface for Wind0ze?
        \_ Not a chance.
           \_ http://bmrc.berkeley.edu/people/chaffee/winntutil.html
              about 1/2 way down the page  -mikeh
                \_ This is bogus.
                   \_ How so?  It works for me.  -mikeh
                        \_ It doesn't properly follow the specs.
                           \_ Clarify?
                                \_ Read the spec and compare.
1999/12/1 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:16982 Activity:very high
11/30   http://www.gn.apc.org/pmhp/ehippies/action/index.htm
        \_ death to the protesters.  We need martial law.  Every single
           protester on TV ended up being an unemployed laborer who basically
           wants us to pay $75 for a made-in-America Tickle Me Elmo.
           DEATH TO THE MEATHEADS!  USE MORE RUBBER BULLETS!
           \_ The TV coverage was biased beyond belief.  You've been taken by
              the mass media.  Use your mind, not your TV remote.  The WTO is
              evil.  One-World Government is evil.  I don't hate you, but I do
              pity you.  --eyes open, TV off
              \_ PAT!  PAT!  PAT!  PAT FOR PRESIDENT!!!!  HE'LL SAVE US
                 FROM THOSE ONE-WORLD FOREIGN JOB-STEALING DEVILS!!!!!!
                \_ Pat is an idiot.  I don't care about your job.  I care about
                   your air.
        \_ This is called a "Denial of service attack", not a
           "sit-in". Don't kid yourselves, this is bordering on
           illegal, if not actually illegal. The webpage
           owners are setting themselves up for
           "Incitement to commit a crime" or something. And
           personally, I hope they get arrested on those charges.
            \_ guess what, sit-ins are illegal too.  And if you see how it is
               set up it won't do anything unless tons of people participate
               \_ It would be far better to just have a petition, with
                  thousands of names. otherwise, it will be seen as
                  a few hundred people trying to interfere with "progress".
                  This is an artificial attempt to magnify the effect that
                  a few hundred people can have.
                  Because if it actually made thousands of people
                  actually "sign" their names, clinton would actually
                  listen.
                  \_ Are you really this stupid?  Do you know the difference
                     between a sit-in and a petition?  Sheesh... kids.
        \_ They're making the dangerous assumption that the average Joe
           actually *cares* enough to turn on his WebTV and point it at a
           WTO Web site in the first place . . .
                \_ Who the hell do you think stopped the WTO today?  The
                   streets were packed with average Joes you cynical fuck nut.
                   \_ now THAT (unfortunately) will have an effect.
                      Killing the web site with a DOS attack, will
                      not.
                        \_ I chose not to participate in the DOS.  It seemed
                           pointless.  I'm still opposed to the WTO and in favor
                           of almost any protest opposing the WTO.
        \_ For what it's worth the WTO is a serious issue, deserving a lot
           more attention than it's given in the media.  Whether the US
           should be in the WTO is questionable, and bringing China into
           the WTO would be a blunder.
           \_ WTO rules!  Don't turn US into inward-looking Ming dynasty
              China!  Unilateralism will make the US into a leader
              without followers!
                \_ shut up achoi
                   \_ Who's that?
                \_ Don't turn the US into a lackey of the One World Government.
                   By the people, for the people.  Not whatever tiny scrap of
                   empowerment the OWG _lets_ you have.  The WTO is evil.
        \_ Fuck the WTO, the UN, and all One World Government stupidity.
           \_ of course, this idea does not exclude the similar idea that
              the WTO rioters all deserve a swift kick to the head while
              being dunked in toilet water diarrhea.  Moron fuck-ups.
                \_ No.  They deserve to be honored as the heroes they are.  The
                   anti-WTO protesters have a very clear idea of what's going
                   on.  If you looked up from your Quake3 once in a while and
                   looked around, you might also.  Death to the WTO and all
                   other One World Government anti-people organisations.
                   \_ PAT!  PAT!  PAT!  PAT FOR PRESIDENT!!!  HE'LL SAVE US
                      FROM THOSE FOREIGN ONE-WORLDER JOB-STEALING DEVILS!!!
                        \_ It's not about jobs.  It's about clean air and
                           water.
1999/11/30-12/1 [Computer/SW/Mail, Computer/SW/Security] UID:16980 Activity:high
11/30   Is there a way to use trn to connect to an NNTP server that
        requires a login and password? -brianm
        \_ trn4 supports NNTP authentication, and despite being in beta
           for the last 4 years is more stable than 3.6
           \_ Right.  Where in the man page or documentation is the
              explanation of how to actually authenticate?
1999/11/22-24 [Computer/SW/Security] UID:16939 Activity:low
11/22   http://www.landoverbaptist.org
        \_ This is a parody Web site for those who haven't figured it out.
                \_ No.  We're complete and total morons who would be lost
                   without you to explain things for us.  If it wasn't for
                   your brilliant guidance, we'd never have found the truth
                   about Santa Claus or the Tooth Fairy either.  (But please,
                   can you tell us, is Trevor Buckigham for real?  He's even
                   more unbelievable than the Tooth Fairy...)
                        \_ TB is for real. Some of us have even met him.
                   \_ What?  You're saying the TF isn't real?  Then where'd
                      all that money come from, wise guy?!
                   \_ No, the funny bit is the mailbag.  -John
                      \_ No, the depressing bit is the mailbag.
1999/11/20-22 [Computer/SW/Security, Computer/SW/Unix] UID:16927 Activity:moderate
11/18  /var/mail at 100%. Got mail? Get rid of it..
        \_ Root is evil!  Buy more disk!  Ride bike!  Linux wouldn't have
           run out of disk with the new beta3 of the mail compressing file
           system, mcfs!!!
        \_ we need philfs
        \_ We already have philcompress.  root can just use that on /var/mail.
           -- ilyas
           \_ philfs would use philcompress automatically though, and there's
              no telling what other nifty features Phillip would include.
1999/11/14-15 [Computer/SW/OS/Linux, Computer/SW/Security] UID:16879 Activity:nil
11/11   Skey for Linux - Do you know how to compile it / where to get a version
        that's later than 1995? Thanks!
        \_ http://rpmfind.net
        \_ rufus
        \_ it sho' is hard to find, suh
1999/11/14-16 [Computer/SW/Security, Computer/SW/Unix] UID:16871 Activity:high
11/14   I know they're generally a pretty lame alternative, but how
        would people/root/politburo feel about running a webmail server
        on soda for folks who'd like to check their mail by browser?
        Mind you, I'm not suggesting a public free mail server, but
        currently I have nothing but proxied http net access, and I
        wasn't about to suggest port-redirecting http on scotch to ssh
        the way mconst did with telnet (yay!)  I have been playing with
        MailMan from http://www.endymion.com with the idea of having cron
        move my mail to a restricted directory so I could read it via
        shell account as well as browser.  Has anyone ever considered an
        https server on scotch/soda so http passwords wouldn't be sent
        in cleartext?  Just some thoughts...   -John
        \_ I'd prefer to respond to this over mail. --root
                \_ in my personal experience, root usually replies something
                   and then just delete my mail. fuck root.
                   \_ YOU NO CONJUGATING VERB MUST LIKING VERY MUCH ON
                      BOAT GETTING GO TO BACK WHERE YOU COME FROM LEARNED
                      ENGLISH SO MANY DIFFICULT! -(fucker)
                      \_ What do these acronyms stand for?
                      \_ Go home, fuckered, stop blabbering on the motd.
                         \_ At least (fucker) is funny.  What have you
                            contributed recently?
                   \_ Fuck you.  FOAD --Jon
                      \_ What does this acronym stand for?
                   \_ Heyyyy, take that back.  meanness to roots is not
                      tolerated.  you must write with respect.
                      --Consumer Affairs Department
        \_ .forward
        \_ Have you thought of getting non-proxy net access?
           \_ I currently forward my mail from soda, and I have a mail
              address and non-proxy net access with a provider.  I
              was simply playing around with ways to get my mail off
              soda through a firewall for the fun of it, and thought that
              maybe, perhaps, possibly, people might be interested in having
              me invest some time to set it up.  Obviously not, since
              I haven't gotten any feedback except from the usual
              too-chickenshit-to-sign-your-name peanut gallery.  -John
                \_ I never sign my name but I didn't add anything to this
                   thread until now.  --too-chickenshit-to-sign-my-name-monkey
        \_ install IMAP & TWIG on a machine with APACHE-SSL
1999/11/10-12 [Computer/SW/Security, Computer/SW/OS/Windows] UID:16858 Activity:very high
11/10   Anyone heard of a "BubbleBoy Virus"?  Thx.

                     __/~*##$%@@@******~\-__
                   /f=r/~_-~ _-_ --_.^-~--\=b\
                 4fF / */  .o  ._-__.__/~-. \*R\
                /fF./  . /- /' /|/|  \_  * *\ *\R\
               (iC.I+ '| - *-/00  |-  \  )  ) )|RB
               (I| (  [  / -|/^^\ |   )  /_/ | *)B
               (I(. \ `` \   \m_m_|~__/ )_ .-~ F/
                \b\\=_.\_b`-+-~x-_/ .. ,._/ , F/
                 ~\_\= =  =-*###%#x==-#  *=- =/
                    ~\**U/~  | i i | ~~~\===~
                            | I I \\
                           / // i\ \\
                      (   [ (( I@) )))  )
                           \_\_VYVU_/
                             || * |
                             | *  *\
                            /* /I\ *~~\
                          /~-/*  / \ \ ~~M~\
                ____----=~ // /WVW\* \|\ ***===--___

                            MOTD NUKED
                          HAVE A NICE DAY
        \_ It can be a problem if you run IE5 and Windows scripting host on
           win98.  In which case you deserve it.  -John

                          \_ OrCAD still sucks
           \_ Any URL where I can find a warning from CERN?
           \_ Any URL where I can find a warning from CERT?
                \_ If CERT issued a warning it would be on their web site.
                   Since it's not, they haven't bothered.  They don't issue
                   alerts for every new MS virus or they'd be spending all
                   their time doing that.
        \_ Open outlook.  Go to Tools/options/security.  Set to 'restricted'.
           Go to IE's tools/options/security/restricted.  Set everything to
           disabled.  Learn lesson that M$ never learned about keeping data
           separate from code.  Thou shalt not make active data types.
        \_ Windows Update.  Eyedog control ActiveX patch.  Problem dealt with.
           \_ obFormatHardDiskInstallLinux
              \_ Linux?  I thought we're talking about security not k00lness?
                 The mindless Linux crowd pisses me off just as much as the
                 equally ignorant Windows crowd.  -pissed off by stupidity
                 \_ actually I'm a Windoze user that posted the ob comment
                    \_ Gach!  Surrounded!  It's hopeless!
              \_ If you want extra secure use OpenBSD.  If you want
                 complete security unplug your network from your computer.
                    \_ Never mind; I was high on crack at the time. -Phil
                        \_ Impersonating Phil in the motd should be a
                                squishable offense.  Doing so as badly as
                                the above person should be a capital offense.
                 \_ But the network IS the computer. Phil told me!
                        \_ Non-Phil forgeries deleted. -Phil
                        \_ Non-Phil forgeries deleted. -Non-Phil
                           \_ damn philforge don't work worth a damn...
                 \_ be even more secure, unplug the computer.
                        \_ Whoa!  This is stunningly original!  Can I quote
                           you on this?
1999/11/2 [Computer/SW/Security, Computer/SW/OS/OsX] UID:16811 Activity:insanely high
11/1    How secure is the www Java ssh terminal? Can't someone still
        intercept packets going through your browser?
        \_ The real answer you're looking for is "No, not really".  Don't
           forget, the Java doesn't run on the site you got it from, it's
           like a downloaded program and is run _locally_ in your browser.
           The outgoing traffic is encrypted by the ssh code.  _However_,
           if someone really had it in for you, they could intercept the
           ssh java code as you downloaded it the first time you went to
           that URL and replace it with compromised java code.  --dbushong
                \_ or attach a debugger or read your process data via /proc...
        \_ yes, if they have root access to your machine, kill -SEGV your
           client and analyze the core file.  But that's true for any
           ssh client (not just the java version).
           \_ if you're going to be that way about it, all they have
              to do is intercept data going to/from your tty, and you'd
              never know.
                \_ I don't have a tty.
                \_ or attach a debugger or read your process data via /proc or
                   just secretly replace the ssh binary or hack the socket
                   system calls to log or . . . Short answer:  You must trust
                   root, because they can do anything they want to you.
                   \_ I don't trust root.  I only use a Macintosh because it
                      has the best security.  You never hear about Mac servers
                      getting broken into.
                      \_ That's because you never hear about Mac servers.
                         \_ What do you think Apple is running?  Mac rulez,
                            unix dr00lez@!
                            \_ soda [12] telnet www.apple.com http
                            Trying 17.254.0.91...
                            Connected to www.apple.com
                            Escape character is '^]'.
                            HEAD / HTTP/1.0

                            HTTP/1.1 500 Server Error
                            Server: Netscape-Enterprise/3.6 SP3
                            Date: Tue, 02 Nov 1999 22:21:38 GMT
                            Content-length: 305
                            Content-type: text/html
                            Connection: close

                            Connection closed by foreign host.

                            Apple is running MacOS?
                            \_ Netscape for Macintosh, dummy!  You dr00le!!!1
                               \_ There isn't an Enterprise for Mac.  Look
                                  at their web site.
1999/10/30-31 [Computer/SW/Security, Computer/SW/Unix] UID:16798 Activity:very high
10/30   I accidentally posted my hostname and root password to usenet.  Help!
        \_ how stupid are you? change the password, and get on with life.
           \_ I DID!  It was posted again!  I think I have a virus!  Help!
        \_ how stupid are you to respond to him?
           \_ Help!  I'm stuck under a bridge and can't get out!  ACK!
1999/10/25-27 [Computer/SW/Security, Computer/SW/Unix] UID:16765 Activity:very high
10/24   alumni.eecs is down again. Could someone with root powers check it
        out? thanks!
        \_ mail root@alumni.eecs.  heh.
           \_ tried that before. no one checks root email there.
                \_ I was joking.
        \_ root@ucsee.eecs, http://ucb.org.ucsee
        \_ actually, the machine itself is up (it's ping-able) but the telnet
           service isn't. Been seeing some weird things with alumni/ucsee
           machines today. :-(
        \_ Time for a three-finger salute?
                \_ REBOOT!  REBOOT!  REBOOT IS THE STANDARD!
        \_ Hmm... single-user mode perhaps?
          \_ Then a single-finger salute is in order.
        \_ OK it's up, but old mail still needs to be delivered. Dunno whose
           responsibility that is.
        |__ Hey jon, feeling a bit tense about alumni.eecs?
        \_ FOAD --jon
        \_ PLUR --jon
        \_ I'd help you but I quit for reasons that anybody, who has typed
           uname on alumni, can figure out.  The other sysadmins have
           graduated.  Given that you have a csua account, one wonders why
           you would even want your alumni account back up.  But if I have
           any spare time from cs 152 I'll see if I can get it going again.
           --jeff
           \_ how about replacing alumni? would anyone be willing to do it
              if I donate an old sparc lx?
                \_ You really think a $50 computer will help?
                        \_ it's better than the current alumni.
                \_ email jon@soda; he may be willing.
                   \_ I hate that machine.  I don't know why I bother with it.
                      Fuck ultrix, fuck clueless users who think they are
                      entitled to services, and fuck flaky hardware. --jon
                      \_ what? are you mocking that bad ass DEC Station 3100
                         running Ultrix, the best OS ever?
                         \_ PLUR --jon
                         \_ FOAD --jon
                         \_ Well (speaking from some personal experience), not
                            only does alumni.EECS have the DS/Ultrix thing
                            going against it, but it also has a user base with
                            *just* enough crotchety and clueless alums (who
                            don't seem to understand that the machine is run
                            by student volunteers rather than paid admins) to
                            make life as a sysadmin there incredibly annoying.
                            I appreciate having the "@alumni.EECS.Berkeley"
                            mailing address, and would be more than willing to
                            throw in my share of cash for a replacement
                            machine, but can understand why the current
                            caretakers would want to throw in the towel.
                            Maybe the dept. should take over the hostname for
                            some kind of mail-forwarding arrangement, or some
                            competent alum volunteers should step forward to
                            take a share of root-type responsibilities . . .
                                             -- former root@alumni.EECS person
                            \_ Nonononono, as a crotchety clueless alum, I
                               insist we stand by tradition and have students
                               continue trying to support dead hardware running
                               a badly b0rken bsd clone from 10 years ago. I'll
                               tell ya, Back In My Day, we were lucky to have
                               a 4 meg sun 3/50 with swap mounted remotely on
                               another sun over a 10mbit shared networked.  You
                               youngin's today... whine whine whine....
                                 --- clueless crotchety alum
                               \_ PLUR --jon
                               \_ FOAD --jon
                                  \_ pardon my cluelessness but what is
                                     FOAD an acronym for?
                               \_ you left out "and sharing the same
                                  swap server with 20 other machines
                                  was a small price to pay..."
                                  \_ I thought of that but didn't want to
                                     re-edit to add it in.  Any other clueless
                                     crotchety alum would've known what I was
                                     talking about.
                                        \_ I volunteered less ancient h/w
                                           before, but no one reads root email
                                           on alumni. I think alums should
                                           volunteer h/w, but sysadmin should
                                           be a student service for someone who
                                           wants to learn sysadmin stuff.
        \_ It's still down for some reason after a brief uptime...
           \_ FOAD --jon
                \_ Because it's an ancient piece of crap.
        \_ It's back up now, so move your files off of it while there's
           still time!  (Oh yeah, and FOAD.)
        \_ As an alum, I definitely wouldn't mind making donations of cash,
           or hardware to keep alumni alive. This should be an organized
           effort, though. Something that is sanctioned and kept alive
           from generation to generation.
            \_ Too late.  The powers that be are talking about making a
               subscription mail forwarding $ervice.
            \_ alumni.csua.berkeley.edu mail forward?
1999/10/16-18 [Computer/SW/Security, Computer/SW/WWW/Server] UID:16714 Activity:nil
10.15   Apache on RedHat- set UserDir to public_html in httpd.conf,
        with no specific directory permissions.  I still get
        "Forbidden You don't have permission to access /~{user}
        on this server."  What do I have to set to make this work?
        \_ look in your error log for chrissakes. -tom
          \_ Oh.  Thanks.
        \_  You likely need to make sure that both the public_html dir AND
            the USER directory are WORLD executable.    -crebbs
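
The check crebbs describes above, as an added example that is not part of the original thread: it walks from public_html up through the user directory and every parent and reports each directory without the "other" execute (search) bit. It goes one step beyond the post by checking the parents too. The function names are hypothetical, and it assumes the httpd user is neither the owner nor in the group of these directories.

```shell
#!/bin/sh
# Added example (not from the thread): find the directory that makes
# Apache answer "Forbidden" for /~user by checking the "other" execute
# (search) bit on every directory from public_html up to a stop point.
# Function names are hypothetical.

# other_x DIR: succeed if DIR exists and others have execute permission.
other_x() {
    # Character 10 of the ls mode string (e.g. drwx--x--x) is the
    # other-execute slot: "x", or "t" when the sticky bit is also set.
    flag=$(ls -ld -- "$1" 2>/dev/null | cut -c10)
    [ "$flag" = "x" ] || [ "$flag" = "t" ]
}

# blocked_dirs HOME [SUBDIR] [TOP]
# Print, deepest first, each directory between HOME/SUBDIR and TOP
# (TOP itself excluded, default /) that is missing or lacks o+x.
blocked_dirs() {
    dir="${1%/}/${2:-public_html}"
    top="${3:-/}"
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        other_x "$dir" || printf '%s\n' "$dir"
        dir=$(dirname -- "$dir")
    done
    return 0
}

# Command-line use: sh blocked_dirs.sh /home/alice [public_html] [/]
if [ "$#" -ge 1 ]; then
    blocked_dirs "$@"
fi
```

An empty result means every directory on the path is searchable by others; mode 711 on the home directory is enough for traversal without exposing a listing of its contents.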
1999/10/15-17 [Computer/SW/Security, Computer/SW/Unix] UID:29932 Activity:kinda low
10/14   /var/mail is full; clean up your crap!
        top ten mail hosers:
        jenlam    7488 jam       7832
        tonytung  7968 alvinwoo  8232
        ramses    8496 moraleda  8720
        robin     8832 klee      9680
        suzuki    12032 rico      12160
        \_ Hey root, why don't you move these hozer's mail spools to
           their home directories?
           \_ root would rather have users police themselves. fucker.
                \_ the various root users know that sometimes when
                   they try to deal with sloppy users' mail for them
                   they sometimes get "rm" confused with "mv".
1999/10/13-14 [Computer/SW/Security] UID:16702 Activity:high
10/13  So, say i want to ssh to another site that allows it.  How do i do
        it? "ssh http://siteName.com" returns the error that the host key is not
        found and asks me over and over if i want to keep connecting.
        \_ say yes you idiot.
           \_ Well, I'll be damned. that WORKED!  (o.k., o.k., in defense
              of my idiocy, when was the last time you had to type in
              "yes" to answer a computer's yes-no question? I typed 'y'
              for fuck's sake.  I even tried 'Y' just in case.  But the
              IDEA of typing 'yes' never even entered my mind.
                \_ Obviously you are not an emacs user.  You therefore
                        don't deserve to be able to ssh.
           \_ If Cal gave you a degree, give it back.  If not yet, drop
              out and go to Stanford.
1999/10/13-14 [Computer/SW/Security, Computer/SW/Unix] UID:16698 Activity:low
10/13   Anybody know of a free proxy server out there?  I just need something
        very very simple no fancy features. Thanks.
        \_ natd. much more transparent than using a proxy server.
        \_ wingate or winroute.
        \_ What type of Proxy?  HTTP only?  If so, Squid, Apache, & CERN
                (listed in order of proxy-studliness - don't bother with CERN
                 anymore - apache's overkill for just a proxy, squid kicks ass)
          \_ squid kicks its own ass. The only reason it stays up
             is because the start script is basically
             '  while true; do  squid ; done'
                \_ is Squid GNU software?  I couldn't find it on the gnu sites.
                    where can I find it?  Thanks.

        Password Thief Ransacks AOL
       3:00 a.m. Password-stealing emails slip into AOL accounts and make off
       with user passwords by the thousands, according to the email service
       used to launch the attacks. Critics says it's the latest in a pattern
       of neglect by AOL. By Chris Oakes.
       \_ Thank you Wired News!
       \_ "Password-stealing emails"?  Is this social engineering, or some
          K-RAD N3W PASSWURD ST3AL1NG HACK1NG V1RUZ????/???
        \_ Standard "click on idiot.exe" in html email to send your password
           to random account bullshit.  The only fault AOL has is having a
           browser available to its customers that allows them to run an
           .EXE from a hyper link.
1999/10/13 [Computer/SW/Security] UID:16697 Activity:nil
       Password Thief Ransacks AOL
       3:00 a.m. Password-stealing emails slip into AOL accounts and make off
       with user passwords by the thousands, according to the email service
       used to launch the attacks. Critics says it's the latest in a pattern
       of neglect by AOL. By Chris Oakes.
1999/10/11-12 [Computer/SW/Security] UID:16689 Activity:high
10/10   Does sshd on soda have an idle timeout?  Or is it something
        that I need to configure on my client?  I keep getting
        "connection reset by peer" messages after about 10 minutes or
        so.
        \_ There's an option in ssh that lets you do keepalives. You
            might also be behind a firewall that times out too quickly.
           \_ Yeah, I'm aware of keepalives.  It doesn't seem to help.
              The firewall that I'm behind is a simple Linux ipchains
              one.  I don't *think* it has any idle timeouts.  Weird.
              \_ ipchains masquerading has a 15-minute timeout by default.
                 You can raise it to (say) one day: "ipchains -MS 86400 0 0".
                 See "man ipchains" for details.
                 \_ Thanks for the info.  Is that 15 minutes default
                    timeout listed somewhere in the man page?  I didn't see it.
                    \_ It's not in the manpage, but it is mentioned in
                       /usr/doc/HOWTO/IPCHAINS-HOWTO (section 4.1.5).
        \_ Soda's keepalives are currently set for 24 hours, so if you're
                getting hozed after ten minutes, something's fucked on your
                end.
1999/10/6-9 [Computer/SW/Security] UID:16672 Activity:nil
10/6    When I am logged in via SSH, is all the data I type encrypted and
        safe from sniffing, or just the login/password pair?
        \_ All is encrypted using 3DES
        \_ Oh boy, not RedHat again.  Try linuxconf or netcfg or
           appropriate module in /lib/modules/2.2.5/net
           \_ and people who write dumb shit like this would be taken out
              and beaten to death as the crowds cheer?
1999/10/6-8 [Computer/SW/Mail, Computer/SW/Security] UID:16671 Activity:high
10/6    What is the reason for ssh being suid root?
        \_ ssh is setuid root for .shosts authentication.  The client
           connects to the server, proves its identity using its host
           key, and then sends your username to the server.  You can't
           write a fake client that sends someone else's username because
           the client connects from a reserved port (that's why it has
           to be setuid root).  You can't run a fake client as root on
           your own linux box because you don't have the real client's
           host key.
           make a fake client that sends someone else's username because
           the host key is only readable by root.

           If you don't use .shosts authentication, your ssh client does
           not need to be setuid.  --mconst
                \_ The remote server connects back to check or what?  I don't
                   see how your description prevents me from hacking my own
                   client and handing them my own user generated server key.
                        \_ It checks against its own list of known keys
                           (in the system directory or the user's directory)
                           \_ Huh?  Waitasec... so I hack my own client to
                              return a key I've created which I'm falsely
                              telling the server is a valid key for my host.
                              How does it know I haven't made a hacked client?
                              There's too many pronouns floating around
                              confusing me.  Thanks.
                                \_ The server only trusts hosts it's talked to
                                   before and saves their public keys for
                                   future reference.  The only way to spoof
                                   that is break into the client and find its
                                   private key (which is only readable by root
                                   on Unix boxes so non-root people can't do
                                   evil shit with it).
                                   \_ Hmmm.. ok.. but what if the only prior
                                      server contact was with my hacked client?
                                        \_ Then the user was a moron if they
                                           added your hacked client's key &
                                           hostname to their .shosts
                        \_ the server /etc/known_hosts file is maintained
                           by the sysadmin.  sshd won't add new hosts to it.
                                \_ Ok, got that.  I still don't see why I can't
                                   hack my own client to feed all bad info to
                                   the remote server from first contact to
                                   potential security violation.  If my client
                                   is the only source of info for the remote
                                   server and I've hacked my client to send
                                   false data, how does the other side know?
                                        \_ it doesn't, but it has no reason
                                           to care either.  You only get to
                                           login if your host is in the .shosts
                                           and your key matches what the
                                           server thinks your host key is.
                                           Otherwise you lose.
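A simplified model of the check this thread describes, as an added example that is not part of the original posts. Toy textbook RSA stands in for the real host-key exchange, and the hostnames, user names and keys are constructed; the point is that the server challenges against the key it already has on file, so a modified client that brings its own key cannot answer.

```python
import secrets

def toy_keypair(p, q, e=65537):
    """Textbook RSA from two known primes. Illustration only, not real SSH."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

class Server:
    def __init__(self, known_hosts, shosts):
        self.known_hosts = known_hosts   # hostname -> public key, set by the admin
        self.shosts = shosts             # (hostname, user) pairs the account trusts

    def challenge(self, claimed_host, claimed_user):
        """Encrypt a fresh nonce to the key the SERVER has on file, or refuse."""
        pub = self.known_hosts.get(claimed_host)
        if pub is None or (claimed_host, claimed_user) not in self.shosts:
            return None
        n, e = pub
        nonce = secrets.randbelow(n - 2) + 2
        return nonce, pow(nonce, e, n)

def try_login(server, claimed_host, claimed_user, private_key):
    """The client side: only the holder of the matching private key can answer."""
    issued = server.challenge(claimed_host, claimed_user)
    if issued is None:
        return False
    nonce, ciphertext = issued
    n, d = private_key
    return pow(ciphertext, d, n) == nonce

# Constructed keys (Mersenne primes) and names; nothing here is from the thread.
REAL_PUB, REAL_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
FAKE_PUB, FAKE_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)
SERVER = Server(known_hosts={"trusted.example": REAL_PUB},
                shosts={("trusted.example", "alice")})

if __name__ == "__main__":
    print(try_login(SERVER, "trusted.example", "alice", REAL_PRIV))  # real client
    print(try_login(SERVER, "trusted.example", "alice", FAKE_PRIV))  # spoofed name
    print(try_login(SERVER, "hacked.example", "alice", FAKE_PRIV))   # unknown host
```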
1999/10/4-5 [Computer/SW/Languages/Misc, Computer/SW/Security, Computer/SW/Unix] UID:16660 Activity:high
10/4    does anyone know how to script the password for rsync over ssh?
        \_ Don't.  Instead use RSA rhosts, that is: on the target machine
           (the one you'll be sshing _to_), put the hostname and username
           you'll be sshing from into the file ~/.shosts (man rhosts for
           format).  Then make sure you ssh at least once from the target
           machine and the target account _back_ to the machine you'll be
           normally running rsync on to get its host key in place.  Then
           your script won't need to type a password, but it's much much
           more secure than a real .rhosts file.  Yadda yadda.. security
           risk since you don't need to type a password as that user yadda
           yadda.  --dbushong
           \_ huh? No, use the authorized_keys file, to avoid
              spoofing.
              \_  This is the approach I've used.  --PeterM
1999/9/30-10/2 [Computer/SW/Security] UID:16630 Activity:moderate
9/29    This is probably a dumb question, but why don't .htaccess files
        work on soda? I am guessing it has something to do with web access
        loads and the such but I was just wondering if there was some sort
        of official reason.
        \_ They do work, but there are some things they won't do.  What
           problems are you seeing with them?
           \_ Trying to do server side javascript includes and just simple
              password security. More just to see how they are done than
              anything else so it is not that important -fucking moron
              \_ I'm not sure about the javascript includes, but the password
                  security stuff should work if you get it configured
                  properly.
        \_ The official reason is that you are a fucking moron.  This
           is supported by your inability to sign your post
           \_ And where's your signature?
                \_ Hey!  That's not fair!  Don't bring facts into this!
1999/9/28-30 [Computer/SW/WWW/Server, Computer/SW/Security] UID:16614 Activity:high
9/28    Hi -- say I'm using apache+openssl, but I'm using basic (not digest)
        http authentication for a dir under https;  is that initial password
        transaction encrypted over ssl?  In other words, do I make basic http
        auth more secure (non-sniffable) by using openssl, or am I still
        screwed?  Yes, I could sniff the packets, but I'm lazy:)
        \_ Get your lazy ass outta your chair, pick up your Visa, and buy
           Stronghold!
           \_ apache+openssl is working fine and free -- I just had the
              above question, that's all.  Do ya know the answer?
                \_ And illegal in the US, but who cares about that...
                        \_ They can have my STRONG CRYPTO when they pry
                           it out of my cold, dead hands!!!!~@~@!!!@~@!@!
                           \_ You'd be the first to give up your strong crypto
                              when the MIB show at your door.  Talk is cheap.
                                \_ It's not the men in black coming after you
                                   it's RSA's lawyers with patent infringement
                                   lawsuits.
                                   \_ What color suits do lawyers tend to wear
                                      these days?
        \_ if you're too damn lazy to run "tcpdump port 443 | strings", you
           deserve to get hacked, then fired.
           \_ I think a more important issue (it turns out) is client
              caching of the password, so it's a bad idea anyway....
        \_ I thought it was legal as long as you didn't use any of the
           patented crypto code like idea and rsa. --marc
                \_ I refuse to use anything unless my use is considered a
                   violation of patent, copyright, or arms control laws.
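The check the thread suggests doing with tcpdump and strings, written out as an added example that is not part of the original posts. Both captures are constructed inline (the host name, credentials and the opaque record are made up); the function reports what a capture of your own traffic exposes, and the plaintext case also shows the client re-sending the same credentials with every request.

```python
import base64
import binascii
import hashlib
import re

BASIC_RE = re.compile(
    rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$",
    re.IGNORECASE | re.MULTILINE,
)

def exposed_basic_credentials(wire_bytes):
    """Return every (user, password) readable from bytes as captured on the wire."""
    found = []
    for match in BASIC_RE.finditer(wire_bytes):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue                      # not valid base64, ignore
        user, sep, password = decoded.partition(b":")
        if sep:                           # Basic credentials are "user:password"
            found.append((user.decode("latin-1"), password.decode("latin-1")))
    return found

def request(path, user, password):
    """Build a constructed HTTP request carrying Basic credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"GET {path} HTTP/1.0\r\nHost: www.example.test\r\n"
            f"Authorization: Basic {token}\r\n\r\n").encode()

# Constructed capture 1: two requests sent over plain HTTP.
PLAINTEXT_CAPTURE = (request("/private/", "demo", "not-a-real-password")
                     + request("/private/logo.gif", "demo", "not-a-real-password"))

# Constructed capture 2: stand-in for the same traffic inside an SSL/TLS
# record: a 5-byte record header followed by opaque bytes (hash output is
# used here only as deterministic filler in place of ciphertext).
_filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
ENCRYPTED_CAPTURE = b"\x17\x03\x01" + len(_filler).to_bytes(2, "big") + _filler

if __name__ == "__main__":
    print(exposed_basic_credentials(PLAINTEXT_CAPTURE))
    print(exposed_basic_credentials(ENCRYPTED_CAPTURE))
```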