|
12/25 |
2002/7/2-3 [Reference/History, Computer/SW/Security, Politics/Domestic/President/Bush] UID:25265 Activity:nil |
7/2 The Prez has lots of experience with corporate fraud: http://www.nytimes.com/2002/07/02/opinion/02KRUG.html http://www.salon.com/politics/feature/2002/07/02/bush/index_np.html?x \_ so? if it really ends up leading to reform, i don't care what he did in the past. let's judge him by his current actions, not past actions. they're bad enough. \_ You really think we have any real chance of seeing reform? |
2002/7/1 [Computer/SW/Security] UID:25250 Activity:kinda low |
6/28 I've been looking at web-based calendars. Has anyone tried/been happy with one of these? I noticed prospector, in particular is GPLed, which I like because it guarantees no ads. http://prospector.sourceforge.net http://www.localendar.com http:/greatwebcalendar.com/ , etc. I've noticed that one of these web calendars had a nasty security hole, is one concern. \_ Which one has a hole? |
2002/6/29-7/1 [Computer/SW/Security, Computer/SW/OS/Windows] UID:25240 Activity:moderate |
6/28 http://www.theregister.co.uk/content/4/25940.html Analysis of MS Palladium scheme. It's even worse than I'd first thought. Very ugly stuff. \_ You expected any less? \_ It didn't occur to me such evil was possible but I'm not at all surprised it was MS that came up with it. \_ see also http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html \_ What is stopping people from just replacing the "fritz" chip with a FPGA that says yes to every query? \_ Destroying your MB because it'll be built in that way? Or worse, it'll be part of the CPU in v2? |
2002/6/28 [Computer/SW/Security] UID:25232 Activity:nil |
6/27 Anyone successfully used the UCB campus-licensed Windows SSH 3.1.0 client (from http://ssh.com) with Solaris 9 SSH server? It keeps telling me "key exchange failed" no matter what algorithm I choose (and this is with debugging on), but works with other SSH servers \_ Bug in Solaris 9 bundled SSH. Need to use version 3.0.0 which is also available on http://software.berkeley.edu |
2002/6/26-27 [Computer/SW/Security] UID:25205 Activity:moderate |
6/26 What happened to s/key? Is there an alternative way to get one-time passwords to login from a potentially insecure machine? \_ ask root (and / or the VP ) to recompile soda's kernel and turn s/key and keyinit back on \_ s/key still works for me. \_ You haven't run out of keys yet. skeyinit is turned off. |
2002/6/26-27 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:25201 Activity:high |
6/26 Upgrade to OpenSSH 3.4 ASAP: http://www.openssh.com/txt/iss.adv \_ so is 3.3 fixed too (i thought) or just better because of PrivilegeSeparation. \_ 3.3 doesn't have a fix but if you enable priv sep on 3.3, the exploit won't result in a remote root explot \_ I don't know how you run your systems but i'd wager that for most people (certainly for me) any remote exploit is a remote root exploit. There are simply too many local exploits to always have them all fixed. \_ Agreed. However one advantage of priv sep is that even if sshd falls victim to a exploit, the intruder only has user level access and them must find out which of your local binaries have local exploits. This leaves a trail which you can use to track the intruder down. \_ Not really. By the time they find a local exploit, which will be about 18 seconds on a bad day, you won't be tracking anything. Once they get a local shell with any account it's all over. \_ Thanks for the link. I was happy to see a quick kludge in there. I don't have time to deal with a full upgrade for real right now. \_ Just so you know turning off ChallengeResponse is a hack to fix the one known exploit, but it isn't a fix for the whole class of exploits that were found and fixed by the OpenSSH team in 3.4. Try to upgrade as soon as you can. \_ On my list for tonight. I didn't want to do it remotely and fuck it up and cut myself off from my server. Thanks for pointing that out. |
2002/6/25-26 [Computer/SW/Security] UID:25188 Activity:moderate |
6/24 OpenSSH 3.3 with Privilege Separation now available. http://marc.theaimsgroup.com/?l=secure-shell&m=102485397824660&w=2 \_ and why should we care? \_ BIG security exploit in openssh if priv. sep. is not enabled and priv. sep. is available only in v 3.3 \_ The problem has NOT been fixed in the priv. sep. openssh. However, privelege separated openssh supposedly diminishes the possibility of root compromisse. Keep in mind that privelege separation is a new option and it does not work well on many non-*BSD platforms. \_ ?? Got a url for the openssh problem? I missed that one. tx |
2002/6/24-25 [Computer/SW/Security, Computer/SW/OS/Windows] UID:25180 Activity:nil |
6/24 The future of computer security is Palladium: http://www.infoworld.com/articles/hn/xml/02/06/24/020624hnpalladium.xml \_ Uhm, no it isn't. Only in BG's little brain. |
2002/6/24-25 [Computer/SW/Security] UID:25178 Activity:high |
6/24 I'd like to use Cygwin to manage my Redhat 7.2 box. I can ssh in no prob, but when I try to open an xterm, it fails, with: xterm Xt error: Can't open display: server:10.0 I can get X11 over ssh just fine from soda. This is a stock 7.2 install--nothing special. Any ideas? \_ first did you try ssh -X and then have you tried ssh -v for verbose mode. \_ Yes, -X works fine, -v lists the following X11 related stuff: debug1: Requesting X11 forwarding with authentication spoofing. debug1: channel request 0: x11-req debug1: channel request 0: shell debug1: fd 5 setting TCP_NODELAY debug1: channel 0: open confirm rwindow 0 rmax 16384 \_ have you installed xhost on the redhat box? I don't remember what rpm contains it. \_ yes, xhost is installed. \_ "xhost +" and try again. \_ tried it with no effect (BTW, thanks for this help-- I really appreciate it). \_ Found the solution. My ssh connection set the DISPLAY on the remote site to "machine:10.0" instead of "localhost:10.0". When I fix the display variable to use "localhost" it works just fine. \_ Just had the same problem a few days ago. Another way to deal with this is add your machine name ("machine" above) to /etc/hosts with your correct IP (if it's static). Then it'll work as-is, without requiring a manual reset of $DISPLAY every time. -alexf |
2002/6/21-23 [Computer/SW/Security, Computer/SW/WWW/Server] UID:25167 Activity:very high |
6/21 Big bad apache hole in the wild. Patch/upgrade now. See http://apache.org or your favorite security site for details. \_ So they finally learned from Microshit? "In order to gain free press we need to introduce security holes." \_ Does anyone think this vulnerability could lead to a fast spreading worm like Code Red, for example? \_ What's the point? Apache + modules (esp. php) are full of holes. \_ So, don't use the modules you don't trust. Patch one, and there are still a hundred others that the '1337 H4X0R5 will use to break in. Even if you patch all the modules, you still have all your executable content (perl cgi, ssi, php, servlet, jsp, etc) which is undoubtedly riddled with holes. \_ 1) try formatting. 2) just because there are other holes is no reason not to patch this one. 3) glad you're not the admin at my company. \_ It is possible but cracking a site by exploiting the holes in locally written code is much harder than exploiting a widely publicized and well understood vulnerability that possibly affects nearly every apache site out there. If you care about security, run publicfile. \_ publicfile does not support CGI scripts or any kind of server side programming which makes it fairly useless for lots of users. \_ Um, it's not actually that bad. It's a DoS exploit at worst on many architectures. \_ nnnn! go read the security alert, not msnbc. \_ Actually I read all three. Plus the apache one. Plus the debian security-announce summary. It's a DoS explot. \_ Well you didn't read the one that said it's a full root exploit. Whatever, go use telnet. Not my problem. \_ At least one exploit (for openbsd) has already been posted on bugtraq with intent to prove people like you wrong. \_ If your OS doesn't execute data off the stack, it's not exploitable (but it's still DOS). And it's not a root hole, just the user Apache runs as. Still, it's potentially bad. -tom \_ Lots of people run apache as root. Lots of sites that run apache as 'www' or whatever will also have local holes if they haven't fixed this one. Thus it is highly likely that getting in through apache is just one step from root. Layers.... \_ I challenge you to find one person running Apache as root. -tom \- the csua used to run a WEEB server on it's name server. there was a bug that let you get a shell running as the WEEB server uid. now it turned out the WEEB server uid owned the WEEB config file, so you could just changed the run-as user to root and repeat the process and you would have a root shell on the name server. this is detailed in some comment by myself and P. Norby some time ago. I dont think this is that big a deal and right now the "real" denial of service is all the people running around recommend things like vulnerabilty people immidiately delete their defaultroutes and such. --psb |
2002/6/21-22 [Computer/SW/Security] UID:25164 Activity:high |
6/21 Since keyinit has been disabled and ssh doesn't work for me (behind company firewall/proxy), what other options do I have to login to csua? Already tried ssh with http-tunnel and socks2http. -allenchu \_ Find someone who'll let you telnet into their shell account and ssh in from there. -Someone who ran out of keys too. \_ People like you are simply irresponsible bastards. You know the difference between telnet and ssh but you're still insisting on using telnet, potentially compromissing not only the security of your personal account on both machines but also compromissing the host security of both machines in general. Lots of root breakins start with sniffed passwords. But you, of course, don't give a flying f**k to this because you're probably not the one who will end up fixing the problems later. \_ If the company's firewall didn't block port 22, he would of use SSH. Just because you are an irresponsible idoit doesn't mean everyone else is. \_ that's not an excuse for using telnet and jeopardazing the security of the entire machine. I am also surprised that a company that filters outgoing ssh still allows outgoing telnet. \_ I doubt there is one. It's too stupid to comprehend. \_ How did you post your question without logging in? \_ Because I have ssh at home. Also have a few keys left. \_ can you ssh to port 80 on scotch.csua \_ Thank you. This might be it. Of couse this assumes the lovely M$ proxy that prevented http-tunnel to work will not do the same to this solution. -op \_ sorry, I haven't been paying attention: why is keyinit disabled anyway? \_ The answer I got was some sort of security hole w/ skey. |
2002/6/21 [Computer/Networking, Computer/SW/Security] UID:25163 Activity:moderate |
6/20 I'm so confused. Isn't 192.168.0.0 a non-routing network? ... \_ http://CNC.net should not be routing these packets. Neither should XO really, but they might have an agreement with CNC that makes it hard for them to filter traffic. \_ Welcome to the world of routing. Sadly, certain Network Operators are, shall we say, less than clued. \_ A lot of providers use RFC1918 addresses for 'private' interfaces; frame relay clouds are a good example of this. They're not supposed to be routed, but rather just used within a given cloud or circuit for routers to be able to contact each other. Sometimes routing information about these slips out, when someone exports a default route, or doesn't filter correctly (correct me if I'm wrong, but aren't some protocols, like OSPF, a pain to filter individual routes/networks with?) so people with different providers will see these addresses as "existing" in various places. Shouldn't do any harm, it's just not very clean. -John \_ still, one shouldn't be using RFC1918 addresses even for transit links, as it will get important ICMP messages generated by the routes filtered out. Things like unreachables and fragmentation-needed stuff. Its sloppy/bad practice. -ERic \- terminal administrative domains such as lbl.gov put on a lot of filters like this, but for some reason, various transit domains like esnet are refusing to do so ... they are saying there are some performance issues ... we didnt argue much or demand to see the evidence but it is possible there is sort of a reason, i.e. even if the overhead is small, the fraction of these packets is vanishingly small --psb |
2002/6/19-20 [Computer/SW/Security] UID:25150 Activity:kinda low |
6/19 Is there a free program that does scp on window 95? (This is for a machine at work, over which I have no control.) \_ I don't know if it works on Win95, but it works on Win2k and Win98: putty and pscp. Do a google search. \_ As the above person said, pscp works. Also try WinSCP. Has some issues with its interface (at least the version I have), but does the job. \_ The link is: http://winscp.vse.cz/download2.php?file=WinSCP2.exe \_ the scp (and ssh) programs for cygwin work pretty well. I realize that this is overkill for this problem, but you may find cygwin generally useful as well. |
2002/6/13 [Computer/SW/Security] UID:25085 Activity:high |
6/12 What's the ANSI escape sequence for setting colors 8-15? \_ colors 8-15 are just high-intensity versions of colors 0-7. to set the high-intensity attribute, use {ESC}[1m see also: http://perso.efrei.fr/~marnier/docs/ansi-esc.htm --jameslin \_ Hm... interesting. The reason behind this question is that colors 0-7 in SSH Secure Shell are very dark. I'd like to use termcap/terminfo to trick programs to using colors 8-15 (which look normal). I've tried using Esc[1m, but I get the brighter color along with a bold typeface. I'd like to get just the brighter color but not the bold typeface. Ideas? \_ don't use colorls? \_ Unless you can change something in your terminal program's options itself, you're fucked. Try another ssh client. PuTTY is good. Teraterm is usable but doesn't do ansi colors iirc. \_ Teraterm actually does. \_ Putty is nice when you need something fast for a one shot but for daily use I prefer terateam which doesn't feel like someone's HS project. \_ I'm curious -- name one thing that teraterm does better than the current stable version of putty. I've used all 3 (ssh.com client, tterm pro, putty) for quite a while and now just use putty because it's acted up much less often than the others. \_ For starters, putty is the only ssh client that will spontaneously drop my connection all day every day. It's not an idle time issue, it'll do it in the middle of typing. There were a few other personal preference differences but I consider disconnects a serious issue. \_ Strange; I've never had that happen over several months of using putty (unless the network went out with it). Are you sure it's not a problem with your server's sshd (which the other clients may be more tolerant toward)? |
2002/6/10-11 [Computer/Domains, Computer/SW/Security] UID:25057 Activity:kinda low |
6/9 I have a geocities website and my own domainname. Is there any free service to do DNS+Url Redirection of my domain to geocities? I couldn't figure out if http://freedns.com is what I needed. -fuless, not faithless \_ some domain registrars will do redirects for you as part of the service. shop around. maybe your own already does this. \_ I ended up using http://afraid.org. --opp |
2002/6/9-10 [Computer/SW/Security, Computer/SW/OS/Windows] UID:25049 Activity:high |
6/9 What is up with the logos of http://msdn.microsoft.com and http://amazon.com being identical? Same font, same arrow. \_ what about Lucent and Zachary's Pizza? \_ what about http://chickswithdicks.com and yermom? \_ Obviously, they are both part of a vast Washington state conspiracy to brainwash the rest of the country. \_ obYerMomAndMyDick |
2002/6/7-8 [Computer/SW/Security] UID:25023 Activity:high |
6/6 imap via ssl on csua is down: ports 585 and 993 both refuse connection. Why does csua require ssh when we are only allowed to use nonsecure imap? \_ You could always do IMAP over SSH like what I do. ssh -g -l jondoe -L 20143:csua.berkeley.edu:143 http://csua.berkeley.edu then connect to localhost:20143 from your client. -jeff \_ Works great, thanks so much for the great tip!!! Now I don't have to badger our sysadmins about this any more, they have resisted installing imap/ssl... \_ You are a moron. \_ well, no. this has been happening all too often lately. root has been pinged about putting ssl+imap into inetd, but as yet nothing has been done about it. They could get the complaints and the security concern out of their hair very quickly... Granted, the person could ssh tunnel themselves, but changing your config when it's soda's config that's broken is a time sink. \_ Or they could *GASP* read mail on soda! \_ If we offer a service, we should do at least the bare minimum to keep it running. it's not that hard to put it into inetd... \_ that's not the way of the true alumni! POP YER MAIL! \_ Fuck off, paolo. \_ That's no way to talk to an Dept Honored Officer! \_ Heh. \_ IMAP/SSL is now available. \_ how about POP/SSL? \_ how about SSH/SSL?? I want my secure link to be totally secure! |
2002/6/6-7 [Computer/SW/Security, Computer/Companies/Yahoo] UID:25011 Activity:nil |
6/5 Where is Yahoo options do I opt out of the mailing list? \_ http://subscribe.yahoo.com/showaccount also http://privacy.yahoo.com/privacy/us/pixels/details.html |
2002/5/27 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:24952 Activity:nil |
5/26 Congrats on your award for service to the CS department through the CSUA paolo! |
12/25 |
2002/5/25-26 [Computer/SW/Security] UID:24945 Activity:high |
5/25 Which of the following is safer: ssh login to a remote host and read mail there use a command-line client or access my mails using an imap capable local client? -- crypto/protocol novice \_Using encrypted email. Otherwise, it just a matter of where on the network your attacker is sitting. \_ Or maybe they're reading your keys and monitor from a van parked across the street. It doesn't matter. It's just the dude's personal mail. No one cares what's in it. \_ Look, I am not worried about individual emails get sniffed on its way. I just want to have a reasonably secure way to check my emails from a long distance or a continent away without compromising my password etc. a continent away without compromising my password or having personal info. in my mails systematically collected in some database when they pass through rogue networks. \_ Ssh in and use your favorite local client. |
2002/5/23-24 [Computer/SW/Security] UID:24921 Activity:moderate |
5/22 Does anyone use Dragon? I currently use a service that charges $.10 for transcription and am thinking about switching to Dragon. They have standard, preferred, and professional, but it is unclear what you get for $100 and what you get for $700. \_ Yes, I mean Dragon Naturally Speaking 6.0. \_ You mean Dragon the PC software? \_ no, the big reptilian thing that breaths fire. \_ That was practically a gimme but funny anyway. Thanks! |
2002/5/8-9 [Computer/SW/Security] UID:24756 Activity:low |
5/8 I'm thinking about using a block cipher to encrypt pkts in my application, but I'm running into a problems wtr transmitting/receiving the encrypted pkts. Here is what I want to do (given values are secret key K, plain text PT): 1. Derive K1 (encryption key) from K and a random nonce N1 and derive K2 (HMAC key) from K and a random nonce N2 2. Encrypt PT and H(PT) using K1: e = E(H(PT)|PT,K1) 3. Calc. HMAC of the e: h = HMAC(e,K2) 4. Transmit N1|N2|e|h (this would be a fixed size pkt) 5. Recv. N1,N2,e,h 6. Derive K1 and K2 from K using recv'd N1 and N2 7. If HMAC(e) = h, then decrypt e: D(e,K2) = H(PT)|PT 8. If the decrypted H(PT) matches a computes H(PT) return PT. What I don't know how to do is recover from the following situations: * HMAC(e) of the recv'ed e != h * Decrypted H(PT) != computed H(PT) Since it it unlikely that the pkt was corrupted by trans. errors (I'm using TCP), the only way that this could happen is because of an active attacker. Is there any point in asking for a retransmit on the recv side if an active attacker is present? \_ post this to crypto@csua, you'll get better results than the motd. Motd is full of dropouts and sysadmins. \_ Hi paolo. You're delusional again. Go back to bed. \_ who is this paolo? \_ He was president for a long time, then he quit logging in. |
2002/5/4-6 [Computer/SW/Security, Computer/Theory] UID:24704 Activity:high |
5/3 If I want to learn about error correction, compression, and cryto, which class would I take? crypto? _/ \_ Info theory at Stanford. Berkeley does not teach ugrad info theory. \_ Information theory. Read Thomas & Cover. There is an information theory class using that book at Stanford. Berkeley does not teach information theory to undergrads. \_ 170 talks about the basics of both, 150 has some error correction too. specifics? \_ Crypto classes: 261 (well, security), 276 (protocol-level), and this semester Wagner taught a 294 which was block-cypher level. Even though I've managed not to pay any attention to 174, I remember somebody saying something about entropy, so likely has to do something with compression and/or random number generation. -chialea \_ "managed not to pay any attention to 174". Okey dokey, now who was making noise before about the best Cal ugrads not getting into Cal grad school? \_ Not best. Schmooziest. Big difference. \_ if you were as good as chialea, wouldn't you be bored by 174? --chialea #1 fan \_ several EE courses discuss compression (the multimedial related signal/image processing courses) \_ depending on the prof, Math 114 often covers coding theory, and error-correcting codes. - rory |
2002/5/3-5 [Computer/SW/Languages/Java, Computer/SW/Apps/Media, Computer/SW/Security] UID:24700 Activity:nil |
5/3 Finally we know who was the first borg, it was Prof. Steve Mann of the University of Toronto: http://chronicle.com/free/v48/i34/34a03101.htm \_ He's saying he had a wearable video display 20 years ago? \_ He's saying he was a freak 20 years ago just like now. |
2002/4/24-25 [Computer/SW/Security, Computer/SW/Unix] UID:24568 Activity:moderate |
4/24 Are you getting bounces from http://mail.yahoo.com? I tried responding to people, and I'm getting bounces. They are not spammers. I respond a few seconds after they email me. \_ so it has begun \_ Yes. It's been sporadic for a day or so. \_ Well did you pay your Yahoo E-Delivery Fee? You can only send mail to Yahoo users if you're a paying customer. |
2002/4/23-24 [Computer/SW/Security] UID:24543 Activity:very high |
4/23 Security question: assuming i have a "good" /dev/random and I read from /dev/random from 00:00 to 00:01 and save that in a file, will take make it trivial to attack someome who uses /dev/random on the same machine to "seed" a random passwd generator at 00:00:30? Or does each caller some how whiten it with his own environment? \_ Or say I read in 10k bytes from /dev/random or /dev/urandom at 00:00 and I start and another copy of the same process "at the same time", will I get overlapping random streams? at 00:00, which takes 2 seconds. I start and another copy of the same process a couple of millisenconds after 00:00, will I get overlapping or interleaved random streams? \_ no and no, if it is a "good" /dev/random \_ So what prevents two people "simultaneously" reading from /dev/random from letting the same stream? \_ The driver probably has a locking mechanism in the read entry point to prevent this: ep_read { lock ; copy bit to userspace ; unlock ; } |
2002/4/22 [Computer/SW/Security] UID:24532 Activity:high |
4/21 MOTD Poll. How many people use pgp (or gnupg) on soda? PGP: GnuPG: ... Neither, Because No One Cares What's In Your Email: .. I'm Not That Paranoid: .. The Feds Already Cracked It Or We Wouldn't Be Allowed To Use It: . the NSA paid for my fucking harddrive anyway so there's no point: . \_ and if anyone who got *ANY* sort of PGP filter worked with with pine, let me know. -kngharv \_ I tried. How I tried. I believe the problem is actually with soda's installation of pgp. I bought the bullet and started soda's installation of pgp. I bit the bullet and started using mutt. I can't say I'm an enthusiast but it does handle gpg better. I never did get pgp working. --ulysses \_ I couldn't get it working in pine. I gave up and switched to mh-e and mailcrypt. \_ Follow up poll. Do you: sign email: . sign news: sign + encrypt email: sign + encrypt news: |
2002/3/28 [Computer/SW/Security] UID:24260 Activity:high |
3/28 What exactly are the "Digital IDs" that Outlook Express blabs about when I click on "Security" in the program? ... specifcally, how do these relate to PGP encryption? \_ No, it's created by combining your SS#, DOB, Mother's maiden name, and CDL in a complex alogorythm that involves concatenation and rot13. This cryptographic innovation brought to you by Microsoft! The ecommerce version has your bank account and pin in there, too, for your convenience. |
2002/3/25-26 [Computer/SW/Security] UID:24222 Activity:moderate |
3/25 Has anyone heard about the CBDTPA? http://www.politechbot.com/docs/cbdtpa/hollings.s2048.032102.html It will be a disaster if this thing gets passed. \_ No one has ever heard of this or the SSSCA before. \_ dude! i just found the greatest web site! you should check it out: http://slashdot.org \_ cool thanks! its looks really low end and new are they working on improving it at all? it might stand a chance! "community" $ell$!! |
2002/3/23-24 [Computer/SW/Security] UID:24212 Activity:nil |
3/23 MacOS X's Preview bypasses PDF "security": http://www.macuser.co.uk/macsurfer/php3/openframe.php3?page=/newnews/newsarticle.php3?id=1854 Why is it that Adobe's attempts at "security" are always so damn stupid? |
2002/3/15 [Computer/SW/Security] UID:24123 Activity:high |
3/15 i want to take this opportunity to publicly insult newark electronics customer service. they suck donkey balls. their web site is lame was programmed by yermom. go digikey or allied! \_ This is the motd, not a customer satisfaction line. Your complaint is entirely too banal and does not once mention yermom. |
2002/3/15 [Computer/SW/Security] UID:24122 Activity:nil |
3/15 Any one uses pgp4pine and gpg? for some reason, my send filter worked, but display filter (for recieving encrypted / signed email) does not. What really puzzle me, is that when I open the file contains pgp (uses _BEGINNING("-----USE PGP")), my default editor (in this case, jove) launched, and has an error message in jove saying: "invalid switch -c" anyone has any clue? -kngharv |
2002/3/14 [Computer/SW/Security] UID:24112 Activity:moderate |
3/14 http://www.nytimes.com/2002/03/14/technology/circuits/14MANN.html \_ "He is now undergoing tests to determine whether his brain has been affected by the sudden detachment from the technology." |
2002/3/13 [Computer/SW/Security] UID:24092 Activity:high |
3/12 sshd has got vulnerabilities, fixes, and potential future vulnerabilities. If I TCP wrap and use hosts.allow/deny for sshd and other apps, so only listed hosts can connect, does that prevent intruders from exploiting future holes? That is, as long as it's TCP-wrapped or restricted by hosts.* files, even if I was running an exploitable version of sshd, nobody can break in via sshd, true? Same with all inetd.conf daemons, right? I only run one. (This assumes the hosts in my hosts.allow file are secure) \_ Here is a thought. Run sshd on a high number port as sshd rather than root. Then use your fw/nat/pat box redir 22 to the high number port. This way even if there is a breakin, they don't get root (assuming root can't login via ssh). \_ Assuming no holes in tcpwrappers, probably. ssh uses libwrap, which is a little different than being wrapped in inetd.conf, and possibly is less secure. -tom \_ why dont you just upgrade/patch ssh? \_ "potential future vulnerabilities", i.e. undiscovered bugs. \_ well then, why dont you jsut remove ssh. even safer, unplug your machine from the net. Nothing safer from network attacks than an airwall. \_ You're an idiot. -tom \_ No s/he has a point. If the OP is so afraid of being on the net that they want to be 'safe' from the future, they're on the wrong net. They need to power down and idiot." because that requires no thought or effort. go read a book in a park if they want that level of safety. No one can protect your net from unknown future bugs. If it was that easy everyone would be doing it. Of course it's much easier to just post "You're an idiot." because that requires no thought or effort. -i2 \_ Oh, and posting "disconnect from the net if you want to feel safe" requires effort? Guess what-- you're an idiot, too. -tom \_ i don't give a rats ass about this thread, i'm just going to point out that tom has proven himself to be a total idiot about a hundred times over on the motd. \_ Does that include his anonymous postings? \_ clearly you're dead to sarcasm. \_ "Sarcasm is hard! Let's go shopping!" \_ The post above by "i2" is not sarcasm. If you are i2 then you are a liar, if you are not then, Guess what -- -!tom \_ Wow... let it go. Time to move on. Try Prozac or Ritalin or something. \_ IP Spoofing isn't that hard and you will also need to ensure all of the hosts in your list are never compromised. If you are concerned about security you need to set up your network in a manner that is secure. \_ Isn't the known hole in ssh quite hard to exploit? \_ Yes, and that too only if you have a local account with a valid passwd and shell. |
2002/3/8-10 [Computer/SW/Security] UID:24063 Activity:nil |
3/7 Root people: http://www.pine.nl/advisories/pine-cert-20020301.html Allowing local users to gain root via openssh. \_ Root people, New York and California Root people, I was born on Jupiter \_ Ever heard of e-mail? \_ Like they read it? Like no one else here runs anything and might need to know this, too? Fuck off. |
2002/3/1 [Computer/SW/Security] UID:24005 Activity:nil |
2/28 Todd Solondz speaks! Saturday, Wheeler. 1 free ticket for all Cal students w/ Student ID at the Zellerbach Box Office. Would anyone in the CSUA be interested in possibly recording this (if possible) and hosting it on the web somewhere? I'm willing to help but don't have access to many of the needed resources. - rory \_ who is todd solondz? \_ Isn't he the kid in Mask with Cher? \_ Eric Stoltz. :) \_ Sadly, I think that kid is dead. ...wonder if he ever made it to Katmandu or wherever. \_ Indie movie director. \_ http://us.imdb.com/Name?Solondz,+Todd |
2002/2/26-27 [Computer/SW/Security] UID:23973 Activity:nil |
2/25 <DEAD>www.bsdi.com/date<DEAD> used to have a small gif showing where the sun was currently shining. Anybody know where I can find that image somewhere else? \_http://www.fourmilab.ch/cgi-bin/uncgi/Earth/action?opt=-p gets you a large image of that, plus access to a bunch of other cool stuff. \_ this is cool. |
2002/2/25-26 [Computer/SW/Security, Computer/SW/OS/Solaris] UID:23970 Activity:high |
2/25 Is there anyone out who understands the NT security API? All I'm trying to do is set permissions on a directory: Everyone group, full control, inheritable by child objects and containers. Then I need to know how to create files so that they don't override the parent ACL. Should they have a NULL SD, or a default SD with a NULL DACL? What I'm doing now is setting security on every file create and copy, which is error prone. CopyFile doesn't copy the SD, so I do SetNamedSecurityInfo(DACL_SECURITY_INFORMATION| PROTECTED_DACL_SECURITY_INFORMATION) on the new file. It would be better if it just obeyed the parent directory settings. -sky \_ I know how to do the similar on Solaris on but not NT. Sorry. In Solaris I set the parent directories ACL and mask and then all children (both files & directories) inherit ACL. At least when you do commands like cp/cat/vi. Okay, so it's not going thru the API so it's not similar thing. There are some oddities when on older versions of Veritas products though. Are you using Veritas? \_ Apparently no one understands the NT security API. What I _do_ know is it has nothing to do with the way Veritas or Solaris work. |
2002/2/25 [Computer/SW/Security] UID:23969 Activity:moderate |
2/25 I need to give a user console X access but no remote login access of any kind (translation: secure location, but a bad password). Other users need to have remote access. Setup is kde/freebsd. What's the easiest way to do this? \_sshd has allowuser/denyuser allowgroup/denygroup useful for an ftp-only account -dwc \_ Perfect, thank you. |
2002/2/22 [Computer/SW/Security, Computer/SW/Unix] UID:23943 Activity:very high |
2/21 My moronic boss asked me to write a batch file to auomate a telnet session and one requirement is it should not ask user for the password. How do I kindly tell him that he is an idiot? \_ setup ssh with passwordless public key or host-based authentication, symlink telnet to ssh and let him believe that the users are using telnet ;p \_ The batch file will be placed in hundreds of Windows 98 machine's at a client site; none of these machines have ssh. How do I tell him off? I told him it can't be done and he insisted that it can be done. \_ Why are you still even working there? I can't imagine working in a place with a boss that stupid and an OS that crappy. \_ This isn't 1998. \_ Include ssh along with the batch file. --dim \_ He's a moron, true, but you've done your duty by telling him so, now it is your job to make it work. I suggest a telnetd that auto-auths anyone with no password. Yes, this is frightfully stupid, etc, etc, but unless you want to polish your resume, swallow the bile and just do it. Now is not a good time to get fired. Make sure you have it documented that this is insecure and you told them so but were told to do it anyway. You're then free from serious fallout. C.Y.A. \_ I agree with the SSH suggestion. However, if you still need to use telnet, you can embed a known password into the batch script. You need to telnet to the same account, though. Or maybe have the user save the password somewhere, but not ask on every use. \_ Create a server on a random port that does what he wants and have your script telnet to that port. \_ write a telnet program that automates the password and ship it with your batch file. And document it that it's insecure. \_ Upgrade windows. Realize that even windows has better tools than telnet for running remote batch jobs. \_ Whatever you do ignore the idiots here who give the 1990's dotcom answer of "oh just quit!". Find a way to do the project and do it. Document the insecurity and the specs and forget about it. Your job is more important than religion. \_ maybe he's talking about telnet -F option with Kerberos V5 authentication being used. \_ acct with no passwd? |
2002/2/20-21 [Computer/SW/Security] UID:23926 Activity:high |
2/20 Quoting from instructions on how to send a Sony laptop in for non-warranty service. They fuck you so fantastically hard it's Awesome! >Should you choose to send the system for service, you will be >responsible for the following: ... >d. You MUST provide proper documentation with your shipment; > - Name, Return Shipping Address (no PO boxes), > - Day and Evening Phone Numbers > - Detailed Errors and symptoms > - Method of payment (MC, VISA, AMEX, DISCOVER, Money Orders > and Checks (no starters) > - Written letter authorizing charges up to $700. <======= Rad! ... >NOTE: There is a minimum $25 estimate fee and a $35 return shipping >fee. The estimate charge will be waived if the repairs are >performed at the Fremont facility. You will be notified of, and >must approve the estimate prior to the repair. Service estimates >are not available through email. The diagnosis of hardware >service issues cannot be handled via e-mail. The system must be >shipped in prior to receiving a service estimate quote. \_ you are getting a Dell dude! \_ we know you're supposed to get a macintosh. |
2002/2/20 [Computer/SW/P2P, Computer/SW/Security] UID:23921 Activity:high |
2/19 Tom posts an intelligent comment on usenet: http://groups.google.com/groups?hl=en&selm=a4u5df%241uvv%241%40agate.berkeley.edu \_ Charging is one possibility except then you get into the problem of exactly who to charge. Do you charge the student assigned to a workstation? Ok, another user logs in from another local machine and uses the other student's machine for external access. Do you charge the whole department or sub-unit and "let God sort it out"? That just means rich departments stay on the net and poorer ones take the net away from most of their users. You can't charge by IP address because IP != unique user and packets don't have user names on them. There's still no answer short of simply cutting off a lot of people from external net access and I don't think anyone wants that. \_ "tragedy of the commons" problems usually have no easy solution. The issue of access to national parks is a good example; you can't restrict access to Yosemite Valley in a way that's pleasing and fair, but you have to restrict access if you want Yosemite Valley to retain its value. At some point you have to make some decisions about tradeoffs. A campus phone isn't equivalent to a unique user, either, but we manage to bill people for phone service. -tom \_ I don't have a problem with the basic concept of billing for usage but it isn't the same as phones. Most people aren't on the phone all day. Most aren't making LD calls. And it is a bit difficult to login to your phone from my desk without your knowledge and rack up a huge bill to 976-hotsex. $300 in calls on my phone to my office mate's mother in Tokyo is easy to track down and bill properly. With the technology at hand I only see raising bandwidth or cutting a lot of people off from the public net. I don't see the latter as a good choice for a research/educational institution. It also wouldn't fly politically. \- i think this is naive. \_ How are you planning to pay for this increased bandwidth? \_ I don't think anyone wants to cut people off the net, but providing a certain amount of "free" service, and charging if you go over a certain amount of traffic, is probably a tenable model. Buying bandwidth indefinitely so kids can fill it up with more kazaa is untenable. -tom \_Just raise tuiton. Make net access a line item that people can elect not to pay for if they don't need it. \_ "Every complex problem has a solution that's simple, elegant, and won't work." -tom \_ isn that ken lindahl's or msinatra's quote? \- Why doesnt "disallow P2P except on certain subnets/via prior arragement" [say for people using gnutella for collaboration or maybe some- body in cs doing something researchy] solve the problem as long as someone in the dorms can get their own isp access [i am not sure if this is possible]. are students on the dormnet allowed to run WEEB servers? yes, a lot of the http is garbage but you have to attack what is viable and cost-effective. the comment about running the p2p server on port 80 to "hide" is not a real issue. at least with napster, gnutella, kazza, we can detect it on any port [although not in real time, although that doesnt seem important]. Also, the TotC comparison isnt quite right since the Commons is a natural endowment while bandwidth is sort of a "weakly- rival" good paid for by somebody. Say I build a lighthouse for my shipping company along my shipping lane. I dont care if some people use my lighthouses, however if this makes for "my shipping lanes" too crowded for me to use, well, i'd be better off switching technologies. it seems like if you throttled the dormnet traffic onto the routed internet but allowed significant bandwidth to campus, people could do their school work. [i assume most of the p2p sharing isnt local]. --psb [the lighthouse example is a little off because it is not a divisible but a binary good but that wasnt the point i was getting at. someone does own the bandwidth]. \_ dorm traffic is already handled under a separate cap. You can do things to discourage P2P sharing, but that only solves 25% of your problem, and the more you discourage it, the more incentive there is to find ways around it. -tom \_ MOTD WANKERY! None of you people are in position to do anything. \_ actually, I am. -tom \_ A chill falls across the room... \_ wanking is precisely what they are in the position to do. |
2002/2/13-14 [Computer/SW/Security, Computer/SW/Unix] UID:23861 Activity:high 54%like:23860 |
2/13 Each time I login, I would like to see my "Last Login" info, but not the motd. How do I do this? \_ Edit the .login file in your home directory. If you still see the motd scroll by, create a file called ".hushlogin" in your homedir (`touch .hushlogin` will do). \_ Right, but with .hushlogin I don't see my "Last Login" I can't seem to quell only the motd. Can I set something like "no-motd" in my .login? Also, my "Last Login" info gets shoved off the screen before I get a chance to read it. Why is that? Why is that? -brett (thanks & sorry) \_ Sign your name and make ur .login public so we can help you. Perhaps you have a 'clear' command in it. \_ Okay. |
2002/2/13 [Computer/SW/Unix, Computer/SW/Security] UID:23860 Activity:nil 54%like:23861 |
2/13 I want to see my "Last Login" info, but not the motd, each time I login. How do I configure this? |
2002/2/12-13 [Computer/Domains, Computer/SW/Security, Computer/HW] UID:23850 Activity:high |
2/12 Is there a good way to find all the HOSTS in an nis domain, assuming you have access to master and slave servers? It would be better if there was a log file to parse, but I can dump network traffic too. \_ ypcat passwd \_ ypcat hosts \_ That doesn't do anything useful. \- maybe "snoop rpc ypserv" --psb |
2002/2/11 [Computer/SW/Security, Computer/SW/Unix] UID:23833 Activity:high |
2/10 can some root type make install the Word file reader wv port? thanks \_ Done. --some root type \- Where do you get this software ? \_ the joy of /usr/ports/ on FreeBSD \_ http://www.wvWare.com |
2002/2/7-8 [Computer/SW/Security] UID:23806 Activity:high |
2/7 An attack on the SSHv2 Protocol (for those who don't follow sci.crypt): http://groups.google.com/groups?hl=en&group=sci.crypt&selm=MPG.16cb6c26ff1c3931989687%40chicago.usenetserver.com \_ The thing about all these newer 'attacks' is they all require the man in the middle to have all sorts of access you can't expect a typical hacker to get. Anyone who has the warrant or the skill to insert themself into my ssh2 datastream will probably find it easier to hack straight into the server or just get a warrant to put a van outside my building and 'listen in' on my keyboard and monitor through the walls. I'm not losing sleep over this one. \_ Yes it is theoretical, but the point is that it could be more secure. IPSec for example does not have the problem. |
2002/2/5-6 [Computer/SW/Security] UID:23789 Activity:nil |
2/5 When I try to PGP encrypt outgoing messages in conjunction with mutt, I get several screens of hex numbers and then a fault notification. Does anyone have mutt + PGP working on soda? Can I get a look at your muttrc? [ reformatted - motd formatting daemon ] |
2002/2/2 [Computer/SW/Security, Computer/SW/OS/Windows] UID:23750 Activity:nil |
2/1 Idiots Dos the World Economic Forum website. Claim some sort of bizarre victory. http://www.washingtonpost.com/wp-dyn/articles/A10521-2002Feb1.html \_ See next motd topic. |
2002/1/31 [Computer/SW/Security] UID:23732 Activity:high |
1/31 I used to get "You have mail." or "You have new mail." messages when I logged in but not anymore. What happened? Where do they come from? \_ the system sshd_config may have had CheckMail turned off. \_ CheckMail in sshd is deprecated http://www.monkey.org/openbsd/archive/misc/0111/msg00384.html \_ I think tcsh may have been upgraded. \_ look at your .login. if you dont have nfrm anywhere in the file, add it. \_ nfrm shows you who the mail is from, which is nice but takes way too long. I just want to see if I have new mail or not like it used to show. how do I get that? \_ RTFM, einstein. It's in there. |
2002/1/25-26 [Computer/SW/Security] UID:23669 Activity:high |
1/25 Crap. At a new job and the emc tech guy just sent mail that our emc service contract expired almost a year ago. $225/hr, minimum of 2 hours to do anything. \_ That's probably less than they would have charged you for a service contract. -tom \_ i doubt it.. cuz thats prob jus labor and not parts. -shac \_ that's just time, not materials. And you think they're going to be really zippy when its on an hourly paid basis? They already take 4+ hours to swap a disk or two. --fucked EMC admin |
2002/1/24-25 [Computer/SW/Security, Computer/SW/Unix] UID:23660 Activity:high |
1/24 Anyone have any ideas and/or pointers of how to crack Yahoo IM offline messages and archived chats and conferences without knowing the password of the account that you are trying to snoop on? \_ No, but I'm sure google does. -John \_ If google doesn't help you could try cracking it yourself. I'd make my own logs with my own account and see what comes out. Use long strings of each character in the alphabet, 1 per log, etc. I know they used to send everything over the net in clear text so I doubt the archive encryption is tougher than rot13 or des. \_ never used it but try http://www.elcomsoft.com/aimpr.html |
2002/1/15-16 [Computer/SW/Graphics, Computer/SW/Security] UID:23571 Activity:nil |
1/15 This is too funny. Go to http://www.bsa.org/usa and find the Flash movie halfway down and see the story of Meg A. Byte the software pirate. \_ That's hilarious. I especially like how they ripped of a few games in the video. Nothing makes the point better than hypocrisy. |
2002/1/14-15 [Computer/SW/Security, Computer/SW/OS/Windows] UID:23561 Activity:very high |
1/15 .name URLs now available \_ What is it? \_ Is it permanent? (I mean as permanent as http://www.csua.berkeley.edu/~mylogin \_ http://www.siliconvalley.com/docs/news/svfront/002411.htm \_ Gee. They might as well open up the name space for *anything* that is descriptive, e.g. "JohnDoe@university.of.california.at. berkeley", "JohnDoe@2345.dwight.way.apt12.berkeley.ca94704", "JohnDoe@510.643.1234.us" \_ worthless. Making a 4 letter extension is going to break all sorts of code out there. \_ Maybe badly written code... There have been >3 letter extensions for quite a while. \_ Not to mention 2-letter extensions like .tv and all the international extensions (.jp, .it, .ca, etc) \_ They're called TLDs people, not "extensions". This ain't DOS. \_ yeah baby, <DEAD>cum.cum.cum<DEAD> |
2002/1/13-14 [Computer/SW/P2P, Computer/SW/Security] UID:23552 Activity:very high |
1/13 http://www.nytimes.com/2002/01/13/edlife/13BAND.html?pagewanted=print The article mentions 'Direct Connect.' What other file sharing programs are in use these days besides this and Morpheus and other FastTrack variants. Any CSUA members in the dorms or otherwise with big pipes care to comment? \_ irc \_ yeah, I've got a big pipe for ya \_ http://vadim.berkeley.edu \_ hi paolo! \_ nice going vadim, taking scheme.xcf.berkeley and changing it to vadim.berkeley. fucking tactless egomaniac. \_ I thought the useless xcf was shut down years ago? -alum \_ It was. It has become... the Vadim Computing Facility. \_ This is probably funny but I don't know who Vadim is or the current xcf situation. Is it dead or what? \_ Not dead. There's one member. \_ Just using your powers of deduction, see if you can infer what that one member's name is. \_ check http://zeropaid.com for an extensive listing of file sharing prorams. -- jj \_ the Dec207 warez club! \_ The dorms don't have a big pipe anymore. They're collectively limited to ~20Mbit. That's 4,000+ hosts. UCB dorm net is pretty much useless these days. Residents keep trying to get DSL installed because it's faster. \_ Buncha whiners. I felt lucky to have 14.4 access after I got access to the staff/professor modem bank and off the busy and broken 1200-9600 student bank. Doing classwork on campus was better anyway. Easily block remote connections to your workstation and keep all those other pesky students dialing in at 2400 on some other machine. \_ in my day, we used smoke signals. on a clear day with a small enough wind we could get ten bits per minutes, and we were damn pleased with that. \_ They allowed you to have smoke? And you knew what the sun looked like? And wind? You had wind?? You must be new around here.... \_ Petition them to increase the size of the big pipe. This is not 1991 anymore, when I spent big bucks to upgrade to a 9600 modem. \_ The problem with the dorms is that they'll use (for napster clones, mostly) all the bandwidth you'll give them, and the campus pays for bandwidth used to the commodity net. Dorm traffic isn't limited if it goes over Internet 2. -tom \_ Cool. Now they just need a multi-campus I2 p2p thing going and they're set. I've got this idea for a business model... I just need $325m in funding now.... \_ Two words: traffic shaping. Eliminate this bandwidth cap bullshit, and use traffic shaping to limit obscene traffic caused by p2p filesharing apps. Dorm net becomes useable again. \_ A few more words: apathy, money, unimportant. It isn't worth anyone's time to fix the dorm net situation. Who cares? Let them eat cake! Is there a minimum bandwidth promised or an SLA in the current dorm contract? Do people *really* choose the dorms because they have net? Was the <DEAD>dorm.net<DEAD> the deciding factor for anyone's living arrangement? If so they need to get over it. \_ Clearly, that's the way campus wants to go, but it's rather difficult in our environment. -tom \_ that's 20Mbit to off campus. |
2002/1/10 [Computer/SW/Security] UID:23520 Activity:very high |
1/10 So I've decided that since my system is vulnerable to one kind of attack to not bother with any sort of defenses. I'm reinstalling telnetd, disabling ssh2, running an old version of ssh1, putting IIS 4.0 unpatched back into production, get 8.01 bind going and then setting the root password to "root". Does this make sense to anyone? Should I stop patching my computers because there might be a different way to get in that isn't covered by the current patches? \_ It makes no sense and you are an idiot. \_ So is this any different than not spending money on one form of national defense because the country would still be open to other forms of attack? \_ you're an idiot. -tom \_ At least now we have your best point against national defense. You're brilliant. You should be running the DoD. \_ sign your name, o brilliant one. -tom \_ Missle defence is analogous to building a huge titanium dome for your computer. It is expensive, impractical and won't defend against the likeliest threats. It will also distract you from defending against the threats you should be concerned about. \_ So you mean the most likely threat from nukes isn't nukes on warheads? When there's 5000+ of them out there in the hands of multiple nations and some of those nations aren't very friendly? You determined this was an unlikely threat? You're not qualified to make that analysis. \_ My titanium dome protects my computer against worms, viruses, DoS, and every exploit that exists. \_ The analogy is to a titanium dome that still has holes in it for network access. -tom \_ This is known as a "strawman argument" and it's considered bad debate form. Most people left this behind in the dorms. \_ And the original poster was not? |
2002/1/5-6 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:23468 Activity:moderate |
1/4 csua/csua and user/pass are two short, many sites require 5-8 char names and passwords. What should is sign up as then? -goodCSUAer \_ ucbcsua with password ucbcsua1, ucbcsua2, etc. Or csua123 or csuacsua as username. Some site require pw diff from logins so either have a pw that is the reverse of the login or I dunno...? \_ cypherpunk/cypherpunk \_ csuamotd/csuamotd works fine for me at a few places. thanks to whoever set that up. \_ How about a /csua/pub file of websites with user/pass for each. \_ soda.csua/password was set up for NYT. |
2002/1/4-5 [Computer/SW/Security] UID:23459 Activity:very high |
1/4 http://news.cnet.com/news/0-1005-200-8358574.html?tag=mn_hd \_ Did nweaver post this because he was quoted in the article? :-) \_ This guy picked the Christmas week to notify AOL and then claimed waiting for a week is too long. Hmm. Maybe he just wanted the publicity. \_ The article I read said that AOL didn't even bother to respond to him. It's not just that they didn't fix it in the first week after he reported it -- they didn't even acknowledge that the problem *existed*. Then when he goes public they fix it in 24 hours? Sounds like he was right to go public. \_ At most tech companies, there was no one around to respond to anything from Dec. 22 - Jan. 1. \_ Sounds like the best time to exploit a hole :) \_ I can't think of any legitimate reason for their escalation path for security problems to be broken, even for holidays. Whether they failed to respond out of arrogance or incompetence doesn't make much of a difference. \_ suppose you find a major security hole in AIM. Whom do you email? Does AOL have a special email address hotline for reporting critical exploits? Do they publicize it? I'd guess that the answer to at least one of those questions is "no". So now you're left with filing a bug report using the standard support channels, which most likely get flooded with mail from clueless newbies. Do the real developers field all these questions, or does a low-paid grunt deal with them? Does this support grunt check email every day during his vacation? give him a break. \_ When I call AOL tech support, I usually get prompt and complete service. signed, AOLuser \_ You send it to support. It is the responsibility of their support organization to classify the incoming report correctly and advise their management so they can direct it to the appropriate engineers to repair. An organization the size of AOL doesn't have a single support grunt who goes on vacation and leaves the support email unanswered; they have a large group of people processing incoming support requests, and there's always somebody there. The front line people have more senior people they can escalate things to (usually multiple levels). Even during holidays and weekends, there should be somebody on call in engineering capable of addressing the problem. Coordintaing support and engineering like this is hardly a problem unique to AOL. Oh, and AOL never said they hadn't seen it; they said they wanted more time to work on it. |
2002/1/2-3 [Computer/Networking, Computer/SW/Security] UID:23431 Activity:high |
1/1 I'm using SecureCRT over a 33.6 modem to connect to soda, and my connection consistently is reset after typing just a few characters (for instance, I couldn't type this post using it). I've tried ssh 1 & 2; 3des, rc4, and blowfish; and several different server types, with no improvement. Why is this happening? \_ SecureCRT does that with DSL connections for me. Not that bad but enough for me to curse it or windows. \_ Could be flaky modem connections or so--although that usually happens with v.90 (56.6k)--doesn't ssh have some sort of error checking to make sure no funny business is going on with your connection? I would try to bring down the connection speed to 1200 and then gradually increase it and see what happens. Also for fun try another ssh client like TeraTerm to compare. -John \_ Try putty, it works better than SecCRT on dialup lines (at least that was my experience when I was in India and had to deal with the dial up lines there). \_ putty? barf! Putty was dropping me from a rock solid T1 line. This is definitely what they meant by "get what you pay for" when it comes to software. Tera Term takes an extra 30 seconds to setup, is free, and unlike putty, it works. I'd rather go back to whistling in the phone then use putty. \_ I use putty on both T1 and dial-ups. It never drops any connctions. \_ I've used SecureCRT on dial-up and over cable and, with the exception of campus network outtages, have never had problems. |
2001/12/31-2002/1/2 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:23421 Activity:moderate |
12/31 Anybody know what's going on with the National Park service web site? http://www.nps.gov It used to be the most complete web site on national parks and now it's gone. What the hell? \_ I think it's a GWB VRWC conspiracy. Soon it'll point to <DEAD>www.evil_white_men_in_office.com<DEAD> \_ Hacked by Chinese!!! \_ The ENTIRE Department of the Interior (which includes the NPS) was disconnected from the Internet by court order on December 5th (the result of a lawsuit against the government for poorly securing DOI computers handling Indian trust-fund accounts). If you visit http://www.doi.gov it'll tell you that the only Interior bureau currently allowed to connect to the Internet is the USGS. -- kahogan \_ I'll bet this was a Bush appointed judge. \_ Needless to say, the systems found so insecure the DOI had to be forced off the net were windows based... \_ http://forum.fuckedcompany.com/fc/phparchives/search.php?search=usgs \_ Does it only apply to only HTTP or does it apply to everything including e-mail? |
2001/12/27-28 [Computer/SW/P2P, Computer/SW/Security] UID:23378 Activity:very high |
12/30 is it just me, or is kazaa empty right now? did those busts actually kill it? \_ or maybe it's because most college kids are at home during winter break? \_ Those busts have nothing to do with the gutter-warez you find on Kazaa. They busted a wholly higher-class of warez-hosers. \_ DoD hadn't put out anything of note in 18 months. They didn't bust anyone important to the scene. \_ They will never bust the most cruical warez ring and that is the casual copier. They can never stop someone from copying office from work or giving a copy of the latest game to thier pals so that they can have a lan party. visiting a warez page be illegal? conspiracy charges? please. \_ Is it illegal to visit warez web sites? \_ why would it be? \_ because warez is illegal? own use and linking to computers software will be \_ downloading or distributing warez is illegal. why would visiting a warez page be? conspiracy charges? please. original. - Bill G. \_ that's surfing with intent to download! Better plead no contest and ask for leniency from the judge. \_ How do you legally distinguish mere surfing and downloading? Afterall all these packets of warez coming to your computer is an act by another computer while surfing and clicking on links is your action. \_ yeah... that's just stupid.. i mean, next thing you know, making copies of stuff you already own for your own use and linking to computer software will be illegal... \_ You shouldn't make copies, you should buy a spare original. Kids these days with thier Linux/Open Sources/Free Software. They make me sick. - Bill G. \_ YEAH! FUCK FAIR USE. FUCKING CONSTITUTION! FUCKING US CODE!! - Mini-Bill-Me \_ You napster, gnutella, audio galaxy and kaaza junkies don't know what "fair use" means. Fair use means that you have the right to listen to your original cd in your stereo and your car. It doesn't mean you can make a copy for your friends and it certainly doesn't mean that you can make a near-perfect digital copy that can be re-distribute illegally to strangers via the internet. Now you kids need to stop illegally copying music, movies and software and start buying it. Otherwise all the poor artists will have to go back to a career in food service and start suffering for thier art and we won't be able to make the kind of money that is necessary in order to maintain our land rovers, our pacific palasides bungalows and our all armani, versace and bally wardrobes. - RIAA \_ Start paying the artists instead of keeping all the money yourself and I'll consider it. \_ Strange thing is that all my artist friends are already on the verge of waiting tables although in terms of art it is the likes of Britney who should be in the personal service business. |
2001/12/23 [Computer/SW/OS/Linux, Computer/SW/Security] UID:23354 Activity:nil |
12/22 How do you make OpenSSH 2.5.2p2 works with Debian Linux 2.2 r4? ssh into this machine kept on getting denied while everything works fine with OpenSSH 1.2.3 (precompiled for Debian). Does that mean Debian 2.2r4 doesn't support ssh2x? Thx in advance! - jthoms |
2001/12/20 [Computer/SW/Mail, Computer/SW/Security, Computer/SW/Unix] UID:23321 Activity:nil |
12/19 I'm running Redhat 6.1 for about a year with no problems and over the last 5 days or so it's been taking a really long time to log into my machine through ssh or ftp. sendmail and samba don't seem to be working right either, though apache is fine. i'm not even sure what to look for, any advice? \_ look for timeouts due to dns - are your daemons waiting for dns to time out? \_ have you been applying security patches? if not, do a rootkit scan. everyone i know who ran such an old install without patching has been rooted via an ssh vulnerability. |
2001/12/19-20 [Computer/Networking, Computer/SW/Security] UID:23308 Activity:low |
12/19 Anyone ever tried ATT Broadband phone service? They have a good deal right now but I don't want to cancel PacBel, then find that quality sucks or something, and have to pay a re-instatement fee with PacBell. \_ I've got AT&T Digital Phone Service. It is excelllent. A couple interesting things though: 1) they install a small, shoebox sized battery somewhere in your house. It keeps the phone working in a power failure. 2) The installation USED to be done by a crappy subcontractor company. (inept) But the AT&T service employees that have since come out for misc. things have been VERY skilled and helpfull. Phone, Internet, CableTV all come in through a Single Coax cable. You can keep your phone number, which means getting worth from paying PacBells "Number Portability Charge" all those years. \_ thanks for the info... I was about to sign my post as "chialea" to try and solicit some responses. |
2001/12/19-20 [Computer/SW/Security] UID:23306 Activity:low |
12/19 http://www.theage.com.au/news/national/2001/12/20/FFXPK6KZDVC.html Mmmm! That new car smell! It's only cancer.... \_ One reason to buy used cars. |
2001/12/15-16 [Computer/SW/Security] UID:23258 Activity:kinda low |
12/15 I have cable srevice by at&t, but I don't think this is a problem with my cable service. Basically, I have a linux 2.2 natd box for connections from my internal network. I have win98/ win2k/linux behind the natd box. WHen I ssh out (OpenSSH_2.3.0p1 or ttssh), if I am idle for say, 5 mins, the connection is cut..reset by peer. Why does this happen, and how do I fix it? \_ I don't have this problem with a similar setup. Could the other side be idling you out? I _have_ had that problem. \_ This is a problem with ipchains. It doesn't have any state, so it has no idea about connections and things like that, so to keep from having NAT sessions open forever, it has timeouts for inactive NAT sessions. I forget where you change this (it's been years since I used ipchains, since iptables (linux 2.4 filtering) is so much better.) however, I'll bet money that that is your problem. Look it up in the ipchains HOWTO, I believe it is in there, and increase the timeout for TCP, since the default is something low, like 5 minutes. There may be a way to get ssh to send connection keep alive packets, which would solve the problem without having a large timout value, so I'd look into that as well. Or, just switch to 2.4, and use iptables. Stateful packet filtering is your friend. -- ajani \_ thanks! when i was using ipf on openbsd I kind of took this for granted. \_ NAT is stateful by definition. You can't do NAT without keeping session state information. NAT session timeouts exist in all implementations, not just ipchains because if you don't expire the idle sessions, there is a higher chance that the NAT session state table will eventually fill up. What Linux iptables adds is a session state tracking for non-NAT sessions as well. \_ Uh, the ipchains NAT session timeout default is way bigger than a few minutes. Check the HOWTO, it is more like several hours. |
2001/12/11-12 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:23214 Activity:very high |
12/11 http://www.google.com/googlegroups/archive_announce_20.html \_ http://groups.google.com/groups?selm=3lje5o%24n7h%40agate.berkeley.edu \_ Does "Usenet newsgroups" mean all the newsgroups I can see when I run trn? Are there newsgroups that are not Usenet newsgroups? Confused. \_ It means Usenet groups before the big re-org. talk.* and net.* stuff. It doesn't have my 1985 posts, but it does have some 1986 stuff I wrote... It scares me. \_ Say, what newsgroup did the Ahm/Blojo incident happen in? \_ ucb.erotica.sensual, but I can't find the exact original posting, just aftermath signs such as: http://groups.google.com/groups?start=100&hl=en&group=ucb.erotica.sensual&selm=4a1t98%24nk0%40agate.berkeley.edu http://groups.google.com/groups?start=100&hl=en&group=ucb.erotica.sensual&selm=frrawx7xfx.fsf%40sigma.veritas.com Anyone have the original ahm/blojo postings archived? -alexf \_ http://groups.google.com/groups?q=+%22tawei+liao%22&hl=en&scoring=d&rnum=8&selm=58t1r7%241ev%40agate.berkeley.edu \_ is this for real? real or not, did it work? \_ http://www.ereview.com/archive/tawei Status: single Must not have worked... \_ Hmm...what happened to Tawei? He was quite a character. \_ http://groups.google.com/groups?selm=3ljdjg%24mu6%40agate.berkeley.edu http://groups.google.com/groups?selm=31jp6o%24oc2%40agate.berkeley.edu http://groups.google.com/groups?selm=2ron5j%244iu%40agate.berkeley.edu |
2001/12/7-9 [Computer/SW/Security, Politics/Foreign/Europe] UID:23179 Activity:high |
12/7 What is the best way to transfer funds between accounts in U.S. and another country (in Europe) without fee or getting riped off by special conversion rate? The amount is small and just to cover my expenses when I travel or order internationally, i.e. < $2000. \_ My dad has a US checking account at B of A. Every month I make a deposit to his account at a branch here, and he withdraws the money at a branch in Hong Kong. No transaction fee, but I don't know if the conversion rate is the same as the standard rate. \_ I asked at the Bank of America in Hong Kong whether one can access his US account in HK, the answwer I get is plain no, as Bank of America Asia supposedly cannot access account of its parent bank in US. If you are converting from USD to a foreign currency, you are bound to pay a conversion fee (3% I think in most banks). You can open an USD account in a more established financial houses (like SG), so you can withdraw funds outside of US much more easily. But for $2000, it's easier to get travel's checks. \_Tnx for the reply. However often the need to transfer money arises and the amount becomes known while I am outside U.S., not to mention carrying traveler's check is like carrying cash other than being much safer. \_ I've heard from a lot of people that ATMs are good, you get better (minimal but still significant) fees. Better than changing cash out. \_ but you cannot deposit foreign currency to your account from abroad. \_ Go back and read the stated objective, duud. \_ Use your credit card. You'll get the best exchange rate and if you pay it off, the fee will be minimal. No cash that you need to carry which should eliminate the cost of foreign->US. \_ Depends. While I was in Europe this past summer, it was cheapest for me to just withdraw cash from ATMs: BofA was tacking a "foreign currency conversion fee" to each of my CC transactions, while for the ATM withdrawals, I was getting the interbank exchange rate without any additional fees. When I lived in Germany, I had my paychecks direct-deposited to my credit union account in the US and paid for everything in cash: if my needs exceeded the daily transaction limit, I planned ahead and visited the ATM multiple days in a row. If you want an account at a bank that has a presence on both sides of the Atlantic, I've heard that Citibank and HSBC are good choices for US->Europe expatriates, although I have no experience with either. -- kahogan \_ which ever route you choose, make sure you don't go to the foreign currency exchange booth at traverler's spots. Their rate is horrible. (something like 8%) \_ That's strange. Maybe my dad makes his withdrawal by writing himself a check and then cash it at a B of A branch there? I've never asked him. \_ The more I think about it, this is a good way for money laundry. \_ Yes, this is exactly how my father got money at a BofA branch in Taiwan. |
2001/12/6-7 [Computer/SW/Security] UID:23162 Activity:moderate |
12/5 Did anyone figure out why people are getting those "ssh_exchange_identification: Connection closed by remote host" errors? \_ Too many people were trying to connect to soda at once, and openssh started dropping connections. I've turned up the maximum number of unauthenticated connections, so everyone should be able to connect now; please let me know if these errors come back. --mconst \_ yer the best mconst! \_ i usually try "ssh -1"and it works. there's probably a big nasty security hole in there i don't care about. \_ This morning I tried logging in from outside and I got this error. I then tried it again right away and it worked. I've never seen this error before. |
2001/12/5 [Computer/SW/Security, Computer/SW/Unix] UID:23147 Activity:low |
12/4 Is there a way to run a proram from another machine, without having to log into that machine? Specifically, I'd like to run an xbiff icon from another machine, on my local machine (so I can tell when that account gets mail). I'd like not to have to keep the extra xterm open on my local machine. \_ "ssh -X foo@bar.com xbiff" might work. After you enter your password you can background the process (or you can & it if you have DSA stuff set up). \_ or just ssh -f foo@bar.com xbiff and it will background itself (you only have to give -X if whoever set up the client explicitly made X forwarding off by default) \_ Run a cron job on the remote host. Have it check if your xbiff is running and if not, run it with the appropriate parameters/env. |
2001/12/5-6 [Computer/SW/Security] UID:23144 Activity:moderate |
12/5 Has there been a ssh change? Protocol 1 no longer works, and protocol 2 has problem with ssh_exchange_identification: Connection closed by remote host \_ It could be AT&T (I've noticed the same thing) but there's also a recent vulnerability found in ssh1. \_ It's not AT&T -- this just happened to me and I have DSL. I was able to login after a couple of minutes though. Anyone know what's going on? \_ I had the same problem from work and we have a T3 (not att). \_ I've been having the same difficulty. I attribute it to rampant packet loss into/out of EECS. |
2001/11/9-10 [Computer/SW/Security] UID:22994 Activity:nil |
11/9 In case you though your money was safe: http://www.theregister.co.uk/content/55/22751.html |
2001/11/5-6 [Computer/SW/Security] UID:22943 Activity:high |
11/5 In ssh1, I can make passphraseless keys that let me login from one place to another without typing a password/phrase (yes, yes, I know). How can I do this with ssh2? My man pages aren't helping with what I need to put into what files to use passphrases instead of passwords. I know how to make the key, just not what to do with it. Thanks! \_ copy .ssh/id_dsa.pub from your local machine to .ssh/authorized_keys2 on the foreign machine. - danh \_ And chmod 600 ~/.ssh/authorized_keys2 --dbushong \_ Did both of these things and it still falls back to the password auth... help? Does it have something to do with either the IdentityFile or AuthorizationFile settings in sshd2_config? \_ add the "-v" flag when sshing, does that tell you anything useful? \_ Ok, I got it, thanks all. Our machines had the http://www.ssh.com version installed which works a little differently than soda. I needed to specify the dsa and pub files in the identification and authorization files with some trivial syntax. This is from a pdf off <DEAD>www.ssh.com's<DEAD> support website. Nothing in the man pages about it. I guess that's how they make money with support and services. What danh and dbhushong said worked perfectly with soda which had me confused for a bit. And -v was pretty useless, unfortunately. |
2001/11/5-6 [Computer/SW/Security] UID:22939 Activity:high |
11/5 I crossed the Dumbarton bridge westbound this morning. Not a single Coast Guard or cop I saw along the way. What tight security. \_ I drove my van across the Bay Bridge on Sunday. I saw a lot of Coast Guards but no one checked my van. What tight security. \_ the best security is security you dont see \_ Really... what... are the military using thier high tech cloaking device or holding on underneath the bridge? or do they have sniper men miles away.... \_ It's like the CDA in Monsters Inc. When shit happens, they just appear 3 seconds later. \_ You expected every truck and van to be stopped? Because of some vague warning? Yes, let's just stop everything everywhere because hey, ya know, something *might* happen. \_ This is why Davis should have kept his mouth shut. \_ Because it wasn't targeted. The Bay Bridge and Golden Gate were. I drive the SM and there are CHP patrol cars at both ends. \_ I usually take the San Mateo Bridge, but these few days I am so so paranoid that I take Dumbarton instead. \_ that's fine. But if they don't stop my van when I crossed Bay Bridge, how are they going to stop simultaneous attack on the bridges? Dumb fucks. \_ The bridges were built to withstand 7.0 earthquakes. There's not much your van can do to seriously damage them. The real risk is the cables on the suspension bridges. \_ You think if Timothy McVeigh could make one trunk bomb that could cut through the multi-story fed building like a cake, the Al Qaida folks can't make the same bomb and blow a big hold on the bridge surface(s)? blow a big hold on the bridge surface (or two surfaces if they explode it on lower-deck Bay Bridge)? Besides, for the suspension ones, if the cables are gone, the bridge falls, right? |
2001/10/29-30 [Computer/SW/Security, Computer/SW/OS/Solaris] UID:22862 Activity:nil |
10/29 I found "sftp" on my Solaris machine, but I couldn't find the man page. Can someone tell me how to specify a user name different from my current login? I tried "-l username" like in ssh, but it doesn't work. Thanks. \_ Well, if it's anything like sftp on soda: soda ~ [12:57pm] sftp -h usage: sftp [-1vC] [-b batchfile] [-osshopt=value] \ [user@]host[:file [file]] --dbushong |
2001/10/29-30 [Computer/SW/Security] UID:22857 Activity:very high |
10/29 I tried ssh'ing to my csua acct from my csua acct to test ssh-agent and X11 forwarding. Neither worked, so I created a ~/.ssh/config file with the following lines: Host * ForwardAgent yes ForwardX11 yes Now, X11 forwarding works, but ssh-agent forwarding still doesn't. Any ideas? \_ perhaps your ssh to CSUA from whereever you are (say at work) doesnt have X11 forwarding either, whether by buildtime lack of support or runtime option. ssh -v is your friend. -jon \_ But X11 forwarding works now, but not agent forwarding.... \_ oops sorry, got the order reversed when i read your sentence \_ Ok, it works if I use ssh -1 csua, but not otherwise. Is this a known issue? |
2001/10/24-25 [Computer/SW/Security] UID:22820 Activity:moderate |
10/24 My sshd used to accept connections from machines without matching reverse lookup. Then, all of a sudden, today, it stopped. I changed resolv.conf to use a nameserver with made up ptr records and it works fine, but the question remains, What changed? There is no indication that sshd has been restarted since the machine was 60 days ago. This is on solaris, using (foolishly) F-secure sshd 2.0-2 which is also the same as it has been. (i did stop some services 2 days ago, but nothing that should effect this). \_ You've been hacked. \_ Maybe you have edited the hosts.allow or hosts.deny files and added or removed some rules on those? This would apply if sshd was compiled with support for tcp wrappers. \_ Or it actually _was_ doing reverse lookups and your DNS broke. |
2001/10/21 [Computer/SW/Security] UID:22789 Activity:very high |
10/21 If I ssh into machine A and then ssh into machine B and then back into machine A, is that slower than if I ssh into machine A and stay there? \_ Yes, in theory but if your pipe from you to A is smaller than the pipe A <-> B it may not matter much. If you're only typing over this link it won't matter at all. If you're sending data through an ssh tunnel then it could matter a lot. \_ What kind of answer is this? Don't answer questions you know nothing about. The correct answer is that your latency will be increased by double the amount of the latency of your A->B link but your bandwidth should not be effected. \_ The verb you're looking for is "affected." \_ Unless your subject is psychology, you will seldom use the word affect. \_ wtf are you talking about? "affected" is the correct word here. "effect" is seldom used as a verb. |
2001/10/18 [Computer/SW/Security] UID:22766 Activity:high |
10/17 what language uses explicit scope? \_ what's explicit scope? \_ it's a language that lets you say, "function foo has access to var A, and function bar has access to var B"... no matter where they are. think of it as specifically putting an ACL My friend had to have his ACL replaced. He _/ was on crutches for weeks. on each variable as to what function can access it. \_ BASIC. |
2001/10/16 [Computer/SW/Security] UID:22752 Activity:low |
10/16 Soda's ssh host key appears to have changed in the past month or so. Is there a way to check the current fingerprint? -phr \_ Sure it's not just that newer versions of ssh also tie the host key to the resolved IP address, which just changed? |
2001/10/15 [Computer/SW/Security, Computer/SW/Unix] UID:22738 Activity:high |
10/15 I want to restrict a user on a linux box from logging in, i only want someone to be able to "su" to this account. how do i do that? \_ why? if they can su to the account, they get the same privs as if they'd logged in. If they can su, they are already logged in... \_ Set there starting shell in /etc/passwd to something that exits immediately. \_ then you won't be able to su to that account \_ Yes, you will. You won't be able to su - \_ when you su to a user, it exec's his shell. Get a clue. -tom \_ You mean su -m (or the equivalent) su - means "not only run their shell, but do it as a login process" \_ set the password to * in /etc/passwd or /etc/shadow; barring publickey ssh authentication, the account should be only su-able -max \_ Ding ding ding. Max rocks. --#1 max fan |
2001/10/14-15 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:22734 Activity:very high |
10/14 What is the "best" (reliable, secure, supports IMAP) free web-based email service? Is hotmail good? \_ I have had no problems with squirrelmail. \_ IMP (component of horde) works great for me. \_ I installed IMP a couple of years ago. I wasn't impressed. Has it gotten better? \_ Bah! I use mail to read mail! Anything else is bloat! - freebsd #1 fan \_ Hi Paolo! |
2001/10/9-10 [Computer/SW/Languages, Computer/SW/Security, Computer/SW/WWW/Server] UID:22674 Activity:very high |
10/9 so when is Berkeley's DNS supposed to be updated with soda's new address? \_ when i get done working taking over the world. --phillip \_ that's my line - the brain \_ HAHAHAHAHAHA! \_ At 3am every day \_ also, when is the web server going to be running again? \_ the joyride is over! call verio! \_ Apache doesn't like it when you don't have a valid name. Probably tomorrow. -tom \_ will emails received during the downtime be cached, rejected, or sent to /dev/null? \_ /dev/yermomisabigfatbitchbiggestbitchinthewholewideworld -root \_ they should be delivered once the name gets updated tonight. -tom \_ root is just so ... rude!!11! \_ you get what you pay for. if you want quality service try a professional colo \_ they'll all be forwarded to the FBI. \_ ln -s /dev/null /dev/fbi |
2001/10/8 [Computer/SW/Security] UID:22665 Activity:nil |
10/7 I'm starting to dig rsync and ssh. There's some caveats that aren't clear to me yet such as how to create a passphraseless key but still be able to limit permissions on the key. Anyone know how to do that? \_ keychain might be the best you can get-- it keeps your ssh-agent running as long as the machine is not rebooted. That way, you can log in to foo, start ssh-agent running in the background, add your identities, and use 'em till foo reboots. http://www-106.ibm.com/developerworks/linux/library/l-keyc2 \_ What do you mean? Without a passphrase on your key, anyone with root on the machine your "identity" is on can read your key and use it. With a passphrase, someone with root can STILL get your key, but they have to work harder. If your key is on a machine that you're certain won't be compromised, with absolutely trustworthy root, then you don't need a passphrase. If your key is in an NFS-exported directory, you need a passphrase. [ reformatted ] \_ I think what he's trying to say, is that is there a way to set group permissions on a passphraseless key so the key can only be read by a certain gid (i.e. group foo). I don't think this is possible. \_ You don't need a passphraseless key; you can just use .shosts. \_ unless you don't administer the box.. grr... |
2001/10/6-7 [Computer/SW/Security, Computer/SW/RevisionControl] UID:22654 Activity:high |
10/05 I am have several accounts each with useful files and I often travel. I am looking for some software that create a virtual file system transparently and securely distributed over several locations that allow me to access them no matter where I am as if it is some file on whatever account/computer I am using. I have seen some "meta-frame" program for Win2000 on my friend's PC but it must be very expensive, for large companies and perhaps only works for win2000. Please recommend a low budget or free solution, either *nix or preferabbly multi-platform. Ok tnx. \_ You may try a file synchronizer, like /usr/ports/net/unison. It works on unixen and windows (and is written in Ocaml to boot!) -- ilyas \_ I assume that you will have net wherever you are...have you considered just scp'ing/running rdist via ssh? That's kludge-y but assuming your boxes are on the net, it'll work. Otherwise, if you run the machines, you can run an ipsec vpn between them and (ugh) nfs mount between machines. Both of those would be free. -John \_ It sounds like cvs would be a good solution. With cvs, you set up a repository somewhere on your home machine and then you can check out/check in files from wherever you are via ssh. Basically you set CVS_RSH to ssh and you set CVSROOT to something like :ext:me@mymachine.net:/home/cvsroot. Then use cvs checkout, cvs add, cvs update, cvs commit, etc. See the cvs info file for details. I've been using this method to work on files from home, school, and my laptop. -emin \_ Thanks for all the answers. It seems that VNC tunnled through ssh plus AFS are what I need, if I have the foo to manage it. By the way, can AFS traffic be encrypted, say over ssh? |
2001/10/6-7 [Computer/SW/Security] UID:22649 Activity:high |
10/5 Why do people think IMAP is betting than POP3 here? Is this an security issue? \_ Vegas has the best odds when you're betting. \_ IMAP has a superset of POP3 functionality. \_ IMAP stores messages and folders on the server. This means you can access them and from any machine that has an IMAP client. Email and folder content stored on the client is just a cache. This allows all IMAP clients to see the same view. In addition, clients can resync their folder cache and manage folders and email offline. This is useful when you read email from a number of different machines regularly and want one interface to all your various email accounts. \_ IMAP _can_ store folders on the server. That's how most clients are implemented. The protocol can also download and delete just like POP. |
2001/10/4 [Politics/Domestic, Computer/SW/Security] UID:22625 Activity:insanely high |
10/4 Someone please tell me why making airport security screeners to be federal employees going to help? I've seen government employees and they're still underpaid, laid back, and don't give a damn about you. \_ as opposed to airline employees? \_ just look at it this way: they can't get any worse. \_ Federalizing security means that the employees have to go through a basic security check, get paid on a wage scale, get benefits, and can make it into a career. It's also a draw for those just leaving the military. Crimes against airport security become federal crimes and can draw on the resources of the military. \_ The law also allows the fed to conduct polygraphs test on all Federal employees. \_ I thought the US military is not allowed to act against US civilians even if the civilians are criminals. civilians even if the civilians are criminals. Is it written in the constitution or something? \_ You have made an unpatriotic statement. Report to the termination vats immediately. \_ ^termination vats^Al Qaeda training camps \_ how is this statement relevant? -jon \_ The previous poster said "...... federal crimes and can draw on the resources of the military." \_ A better response might be "why is this bad engrish"? anyway, the US Military has been called upon to commit acts against US citizens before. EO 9066 --jon \_ I had also meant to write ".. draw on the resources of the federal government." I was thinking of the FBI and the newly created Office of Homeland Protection. Better resources than the local politzi. resources than the local politzi. Plus federal money to fund better security toys. |
2001/10/2 [Computer/SW/Security] UID:22622 Activity:nil |
10/2 Serious question: What should I do if I have my SSN, birth date, address, and other personal information stolen? \_ if you have material loss, report to the police. Not that they can help you much, but at least the court won't think you're making up stories of losses. Call up your banks/brokers, and let them know you have your id info stolen. Then tell them that no one from now on can access your account without a password which you will tell them. Check your account frequently. Unfortunately, this is about all you can do. You may choose to move your assets to a different, less popular bank so the theft will less likely to hit you again. \_ also call the credit agencies and put a fraud alert on your record, this will make it more difficult for whoever has your personal information to open new accounts in your name |
2001/9/21-22 [Transportation/Bicycle, Computer/SW/Security] UID:22583 Activity:high |
9/21 How is the government going to enforce the backdoors in the open source encryption software considering that it will be trivial to remove them given that you have access to the program source? \_ i just want to say something about all this encryption backdoor stopping the terrorist horseshit. If you have a good network of human couriers that can act as go betweens once a year or so, you can communicate the key to a one time pad generated by a random noise source like jonson noise or something. no one can break it, and even a moron can use it securely. The NSA knows this of course. they want to read YOUR mail, and make morons feel safe; this has nothing to do with stopping real threats. \_ Practically none of the security restrictions have to do with stopping real threats. You can drive across the Golden Gate but you can't bike across. You can hide a knife in your boot getting on a plane but not in your bag. It's a predictable reaction. -tom \_ Maybe they're worried about bikers/pedestrians getting killed by a bomb. Who cares about car drivers? \_ allowing unruly bikers across the bridge (which i may add has the variable # of lanes in either direction) would cause drivers to have more accidents, since bikers will swerve into traffic and assume the car drivers will sacrifice their vehicles to save the bikers life. (from experience in SF downtown traffic commute). \_ Are you a complete idiot? There are SIDEWALKS on the Golden Gate. -tom \_ What does your bike-across-the-bridges fetish have to do with terrorism and encryption? \_ They closed the sidewalks on the Golden Gate as a response to the terrorist attacks. -tom \_ Remove the backdoors from the source code? You mean removing them by altering the encryption scheme? \_ I think you should do a little reading on this kind of thing first. Then if you still don't understand you can ask your question. |
2001/9/21-22 [Computer/SW/Security] UID:22579 Activity:nil |
9/21 Encryption is in trouble: http://www.theregister.co.uk/content/55/21791.html |
2001/9/20 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:22556 Activity:moderate |
9/20 In Netscape for NT, how do I find out whether it's a 56-bit or 128-bit version? Thanks. \_ about: doesn't work for you? \_ It says" This version supports U.S. security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, DES-EDE3-CBC." Does it mean 56-bit or 128-bit? \_ U.S. security probably means 128-bit (as opposed to 40-bit export security) |
2001/9/20 [Computer/SW/Security] UID:22545 Activity:very high |
9/20 There was something in the last meeting minutes about running crack/ripper on the passwords and emailing people about changing thier passwords. Has this been done? \_ aye. in process. \_ Any idea when emails will be sent out? \_ What's that all about? \_ I find this offensive and think logging in should be restricted for 24 hours. \_ Good, bring it before politburo, and I'm sure they'll be glad to hear your case. -dans \_ What does enforcing password changes have to do with login time? \_ What does enforcing password policy have to do with login time? \_ I think you are beginning to see his point. |
2001/9/20 [Computer/SW/Security] UID:22544 Activity:very high |
9/20 A problem for you: Tom is NATed behind a firewall. He SSHes out to a remote machine which is ALSO NATed and behind a firewall. (the remote FW has a redirect to the remote internal machine which is how he can ssh to there). Tom would like to run an X-term on the remote machine and have it (tunnled through ssh obviously) display on his local machine. Assuming he has root on the remote box and his box, but that any access to either firewall (especially the remote one) involves painful red-tape, What is the easiest way for tom to accomplish his objective. \_ "X11Forwarding yes" in your sshd_config and use "ssh -X" to get to machines. \_ Error: Can't open display: \_ chances are your error is unrelated to the NATing. \_ I agree with my esteemed collegue. \_ It is more likely due to your broken ass boxes \_ Indeed. If you can ssh successfully, it can forward X. |
2001/9/19 [Computer/SW/Security, Politics/Foreign/MiddleEast/Iraq, Computer/SW/Unix] UID:22516 Activity:nil |
ladenix 5.0 (jihad) login: _ |
2001/9/18 [Politics/Domestic/911, Computer/SW/Security] UID:22507 Activity:insanely high |
9/18 http://news.cnet.com/news/0-1005-200-7215723.html?tag=mn_hd " U.S. citizens back encryption controls " Right, only American companies can write encryption code/product, and the intelligence failure to warn the attack is due to, or partly due to encryption products! Classical "not my fault" syndrome. Let's ban commercial airlines because their planes are used in the attack. Let's ban all knives because they are used in the attack. \_ lets ban all people because they were used in the attack. \_ Let's ban religion. religion is the root of the Northern Ireland \_ Try economics. There's not much that was ever perpetrated solely because of religion. People aren't that pious, no matter what they may say. conflict, Palestine, Pakistan/India, and various historical atrocities. Not to mention the Holocaust, Cyprus, Kosovo, etc. atrocities. That's the one thing I didn't mind about China and USSR. Freedom FROM religion. I guess I don't mind Buddhists. They never slaughter anyone. (right? i'd be interested to learn otherwise.) \_ Tibetan Buddhism was the state religion of the Mongol Khans, \_ Tibetan Buddhism was the state religion of the the Mongol Khans, possibly the most murderous forces in known history. Zen Buddhism, as connected with Imperial Shinto during the years leading up to the Japanese expansion, was part and parcel with the philosophy that guided that set of warriors. \_ So is there such a thing as a religion that doesn't have significant blood on its hand? \_ Quakers? \_ Well, I see that as just being their personal philosophy, and not something that actively caused strife. I mean, I don't think they cared what religion other people were when they were conquering them, they just wanted to conquer them. That's good, honest conquest. They weren't haters. \_ Imperial Shinto? Zen Buddhism is very different from Shinto. What is your source? \_ The Shaolin monks in ancient China once fought for an emperor in the Tang dynasty against rebels in the region. I think in return the emperor gave the Shaolin temples exclusive rights among all Buddist temples to openly practise martial arts, or something like that. But that you can say they fought for a good cause. in the Tang dynasty against rebels in the region. But that you can say they fought for a good cause. \_ yeah, nothing wrong with that. no hatred, no frothy fervor. \_ lets ban the internet in the US! I guess I don't mind Buddhists and Hindus. They never slaughter anyone. I guess I don't mind Pengiuns. They never slaughter anyone. That's good, honest conquest. |
2001/9/13-14 [Computer/SW/Security] UID:22438 Activity:nil |
9/13 Well, the anti-crypto people are at it again: http://www.wired.com/news/politics/0,1283,46816,00.html \_ "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin: Motto of the Historical Review of Pennsylvania, 1759 |
2001/9/13 [Computer/SW/Security, Politics/Domestic/911] UID:22421 Activity:high |
9/12 This is probably the scariest thing I've read all day: http://www.opinionjournal.com/extra/?id=95001106 \_ I heard the FAA is going to add another question at the checkin counters: "Why are you travelling." Yeah, they're going to block the terrorists when they answer "Well, I'm planning to hijack this plane." I feel safe now. plane." |
2001/9/13 [Computer/SW/Security] UID:22420 Activity:nil |
9/12 There are people looking for loved ones inside of New York City. C'mon computer geeks! Can't we setup an online forum/system service to help match people with loved ones in New York City? \_ This has been left as an excersize for the poster. But seriously, without adequate bandwidth and pubilicity I'm not sure how useful the effort would be? \_ that's why you are computer geeks, right? You are capable. Slashdot, newsgroups, people who want to donate ISP space... \_ There already is one. At Berkeley, too. \_ URL? \_ <DEAD>safe.millennium.berkeley.edu<DEAD> It has bw and server capacity. it's on the news. --jon \_ It's all over the wires as well, as a matter of fact. -alexf \_ some people can be so insensitive. They are adding names (on the other services) like Beavis and Butthead and Christina Aguilara. |
2001/9/11 [Computer/SW/Security] UID:22378 Activity:very high |
9/10 Why does OpenSSH default to "ForwardX11 no"? Given X11's lack of encryption, isn't this the best way to do X11? \_ X programs can do more than just open windows on your desktop -- they can also do things like capture images of your display (as xwd does) or intercept the keystrokes you type (as most window managers do). This means that, while it's safe to telnet to a random machine you don't trust -- it can't do anything to your local account -- it's *not* safe to ssh with X forwarding to a random machine, since that machine could (say) start monitoring the passwords you type into other windows. \_ Yes, but they believe X11 forwarding should be something you request as it can open security holes if you do it wrong. \_ So what can I do wrong when using SSH's X11 port forwarding \_ So what kind I do wrong when using SSH's X11 port forwarding that would open a security hole? \_ xhost +, which would then allow anyone on the remote machine to snoop everything you type, completely destroying the usefulness of ssh \_ This doesn't make sense. Why would someone who is using ssh want to use xhost at all and if you do "xhost +" it shouldn't matter whether you use ssh or not because either way there is a huge wide open hole at this point. \_ less things to try to hack. period. |
2001/9/7-8 [Computer/SW/Security] UID:22349 Activity:very high |
9/7 The DMCA just plain sucks: http://news.cnet.com/news/0-1003-200-7079519.html \_ Why are all you liberals trying to get things for free? \_ This is not about things being free. I don't mind paying for a good security solution. What I don't like is the fact that most people are scared into silence by the DMCA. Let's say that RSA, DH or AES was covered by DMCA and I found a weakness. I'd be scared of reporting my findings because I don't want to do hard time in a federal jail for violating the DMCA. If I don't report my findings people will continue to use a compromised security system. Someone less scrupulous than I may discover the same weakness and exploit it, which is very frightening. \_ yeah, everybody should pay for everything, all the time. listen to the whims of the corporations. screw fair use too! \_ As inconvenient as it might be to your conservative agenda, we still have the freedom to speak and think freely. \_ Liberals are the ones who try to limit freedoms. \_ Who is the one locking everyone up? \_ The Feds, regardless of political associations, have always been about locking up people. That's why we have the second amendment. So that they can't take your rights from you. |
2001/9/6 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:22322 Activity:low |
9/5 does shit like this still happen? http://www.techlawjournal.com/courts/kathleenr/20010306op.asp or is that only in backwater states? \_ um dude, that's livermore, ca. \_ and what's wrong with it? an idiot woman brought an idiot suit to court, and the case was dismissed. BFD. /- I think she IS an idiot, trying to make up for her own bad parenting skills. Obviously, this kid knew what he was doing; (printing his school schedule over the top of a "scantily clad woman"--how much money did he get for that from his buddies?) the library was just a means to an end. --sowings \_ I don't think the woman is an idiot. I think this scum is smart enough to realize that she can probably make some quick bucks by filing this idiot suit and reaching a settlement. Oh did she remember to get the media involved? Oh she might even be able to write a book afterwards on how her son's innocence was violated and how she was physically and emotionally hurt and how she spent years in turmoil before she recovered and blah blah blah. \_ You are right, this is terrible. Those librarians should be shot. |
2001/9/1 [Computer/SW/Security] UID:22315 Activity:nil |
8/31 check it out. Logged in from explorer on a mac (to csua/ssh)... SODA_1% which ssh /usr/bin/ssh SODA_2% ssh me@x.x.x.x SODA_2% history 1 23:09 which ssh 2 23:10 history it's like i just hit "enter" instead of the ssh command. what up? |
2001/8/31 [Computer/SW/Security] UID:22312 Activity:nil |
8/31 Is it ok to ssh to a remote machine as root? I need to write a script to do some administration jobs in a remote machine. Should I do ssh to the machine as root and then execute a command or ssh as a normal user and then use sudo to execute the command? \_ It really ends up equivalent. SSHing directly as root is probably easier. /etc/ssh/sshd_config PermitRootLogin yes IgnoreRhosts no RhostsAuthentication no RhostsRSAAuthentication yes Then, as root on the _server_ ssh back to the _client_ to get a copy of the client's host key in your known_hosts file. Now just make sure you have the client in the server's root's .shosts file, and you should be good to go. |
2001/8/30-31 [Computer/SW/Security] UID:22297 Activity:nil |
8/30 Well, it was bound to happen; a worm masquerading as a security advisory: http://www.theregister.co.uk/content/56/21376.html |
2001/8/29-30 [Computer/SW/Security] UID:22285 Activity:kinda low |
8/28 I use my cory account to ftp from campus labs when secure alternatives aren't available, so I basically treat it as hacked/hackable. But assuming that I need to get to soda from cory, which is more secure-- password-based normal logins, or password-protected DSA files? Or are they both about the same? \_ Why are secure alternatives not available? You can always use scp to transfer files or just log in with Java ssh with those library machines. \_ I use the NT/Mac machines in Evans/Wheeler/LeConte. I've never once been able to use scp/sftp... something about incompatible ssh versions. \_ probably not incompatible ssh versions, probably that they just have some free windows ssh client that doesn't support scp. Try just using the command-line windows ftp combined with s/key. That should do the trick. - rory \_ Is there a good web s/key calculator that doesn't need java? \_ Get WinSCP. Very good graphical scp for just this issue. http://winscp.vse.cz/eng --scotsman \_ WinSCP has some pretty nasty UI issues. Better than nothing though. \_ Also PuTTY/PSCP (Google search "putty") -- schoen \_ I think the problem is that these apps aren't installed in campus labs. I've mailed admin about it; no response. |
2001/8/23-24 [Computer/SW/Security] UID:22219 Activity:kinda low |
8/22 Someone mentioned something about using scotch to get to CSUA via port 80. How do I get an account on scotch? \_ if you drink enough scotch, you won't care about this stuff. \_ ask for an office acct. get your sid and come to 343. \_ scotch port 80 forwards to csua. \_ some nice person should post how to use the port forward on scotch, i can't remember right now \_ ssh http://scotch.csua.berkeley.edu -p 80. is that what you are asking? \_ though ssh is idiotic and doesn't include ports as part of the host definition in the known_hosts file, so this will tend to confuse it. You're better off putting: Host soda HostName http://scotch.csua.berkeley.edu Port 80 in your ~/.ssh/config file, and then just "ssh soda" --dbushong |
2001/8/21 [Computer/SW/Security] UID:22196 Activity:nil |
8/20 Anyone have exprience with Broadbandnow as a high-speed internet service provider? How is their service, bandwidth, etc.? thanks. |
2001/8/21-23 [Computer/SW/Security] UID:22195 Activity:high |
8/20 anybody have an ssh-over-http tunnel to soda that they're willing to share? \_ http://www.csua.berkeley.edu/ssh ? \_ doofus. he wants to run ssh using http as base for an IP layer. \_ I was looking for this a while ago. There's some stuff on the open source sites but I don't recall which. Try freshmeat and then sourceforge. I don't think it was on http://kernel.org. \_ use scotch \_ Actually I have been looking for a ssh-over-http tunnel that actually uses HTTP protocol, as tcp/80 can get intercepted by annoying http only things like caches and proxies. \_ That would be very painful. HTTP makes a very poor interactive protocol - the header overhead would kill you. \_ people behind corporate proxy servers don't have a choice. do you have any better alternatives? |
2001/8/20 [Academia/Berkeley/Ocf, Computer/SW/Security] UID:22191 Activity:high |
8/20 http://socrates.berkeley.edu:7015/email I've graduated many years ago. How are they going to enforce my soda account termination? \_ we can port and run re-reg (from the ocf). \_ the ocf hasn't run re-reg in years, and has no intention of running it anytime soon. \_ maybe. maybe it will now. Maybe you ought to think about options. Looks like a non-issue for now tho. \_ "years" meaning, what, 3? \_ What's the page about? My browser can't find it with the URL above. |
2001/8/20 [Computer/SW/Security, Computer/SW/Unix] UID:22180 Activity:very high |
8/20 [this is a copy of a message from Mike Clancy, posted here to gather ideas] I'm designing a "security" quiz for 9E. Topics I've thought of so far include file permissions (what should be readable/executable and what should not), the sequence of directories in $PATH, use of xhost, and setting up ssh access. I'd appreciate any other suggestions you might have. \_ why setuid/setgid shell scripts are bad and typically not supported. how to resolve of the problems with setuid shell scripts and chgrp, why chown is restricted to superusers. the limitations of those "solutions" Why setuid/setgid programs are good/bad chgrp, why chown is restricted to superusers. --jon \_ directory permissions: difference between r-x and --x and how command line args (e.g. vi filename) show up in ps output \_ What the sticky bit is, and why you would use it. \_ Why /etc/passwd is world readable but /etc/shadow is not. \_ Why anyone who has to take 9E having root is a bad idea. \_ What's 9E? - non ee/cs alum \_ self-paced unix course \_ How to tell when paolo is running a script that deletes the motd every 3 minutes. -tom \_ What's a jail, what does tripwire do. -John \_ Using my 1st amendment right, I disagree with tom. \_ How to figure out that paolo is running a script which deletes the motd every 3 minutes. -tom \_ Why you shouldn't use any English word, however uncommon it is, as your password. -- yuen \_ Why two bits of salt for a passwd is bad. \_ Why xhost should never be used and how to use xauth -alan http://www.xs4all.nl/~zweije/xauth.html \_ Why xauth is too much trouble and how to use ssh. \_ tom, are you still an undergrad? \_ no. \_ to paraphrase Theo: "Perhaps you should stay clear of discussions where the roles of undergraduate cs students -- especially what their responsibilities-- are being discussed." |
2001/8/19-20 [Computer/SW/Security, Computer/SW/OS] UID:22176 Activity:high |
8/19 Is this normal behavior: soda:~>dmesg | more <DEAD>kofthewest.com<DEAD>, AF_INET) failed pid 33773 (a.out), uid 1216: exited on signal 11 (core dumped) \_ as of: Sun Aug 19 20:42:43 PDT 2001 it is now saying: soda:~>dmesg | more : getaddrinfo(209-76-220-17.bankofthewest.com, AF_INET) failed pid 33773 (a.out), uid 1216: exited on signal 11 (core dumped) pid 24745 (trn), uid 30148: exited on signal 6 any ideas? \_ seems like the kernel message buffer got set really low. \_ I think some hackers from bankofthewest have gotten into your kernel. REBOOT IMMEDIATELY! \_ pid 9236 (sshd), uid 0: exited on signal 11 (core dumped) WTF is sshd dumping core? |
2001/8/19 [Computer/SW/Security, Computer/SW/Virus] UID:22175 Activity:high |
8/19 Hi Dr Nick! - http://www.computersecuritynow.com/article.php?sid=36&mode=thread&order=0 \_ I got tape worm... |
2001/8/18 [Computer/SW/Security, Computer/SW/WWW/Server] UID:22162 Activity:kinda low |
8/17 On 18 July, just as Code Red was starting to scan for vulnerable web servers, a CSX train carrying hazardous materials was derailed in the Howard Street tunnel in Baltimore, US. The derailment and subsequent fire severed cables running through the tunnel used by seven of the biggest net service providers to swap data. These companies started reporting disruption to the usual running of the net just as Code Red was hitting its stride, leading many people to assume that the worm was doing the damage. Analysis by Keynote has shown that even at its height, Code Red posed no threat to the running of the net. (http://news.bbc.co.uk/hi/english/sci/tech/newsid_1470000/1470246.stm - anyone else hear about the fire? \_ yes \_ It was in the news on TV. But I thought Code Red was later than the train accident. \_ What they DIDNT SAY, was that the train had a WBEM system, hosted under IIS, which caused the derailment once the web control interface crashed. \_ you gotta be kidding. \_ muah-hahahahahaha.... the sad thing is, it's plausible, eh? \_ It was noted right away in the RISKS digest (aka comp.risks) |
2001/8/15-16 [Computer/SW/Security] UID:22126 Activity:moderate |
8/15 security doesn't matter, my ass. Code red is running rampant on the financial aid office machines. I wonder how much sensitive information can be grabbed from there. \_ It does matter, but not many people are willing to spend money on them. I m very glad to see someone's finally pulled off code red just to make everyone aware network security is very important. \_ It hasn't raised enough awareness. The vast majority of Americans condone Microsoft for making such an insecure OS and accept the fact that worms and viruses are inevitable. If anything, Code Red is telling Americans that the time to deal with these problems is after the fact and that buggy software that requires a constant stream of security updates is acceptable. |
2001/8/13-14 [Computer/SW/Security, Computer/SW/OS/Windows] UID:22101 Activity:very high |
8/13 Edlin is the standard! Seriously, just wondering who has used edlin before. \_ oh baby yeah. my dad taught me edlin when i was 10 or so. it was easier than the funky diskedit clone he'd use for other things. --scotsman \_ I have... -geordan \_ I suppose you were using a pre-"edit" DOS version? \_ I remember editting autoexec.bat and config.sys with edlin. That must have been in the DOS 3.x era. \_ Yes. Boy, when "edit" came out (yeah, it was qbasic, but no one really cared) it was like a whole new world. Much better than the treebark I used to use. And I liked it. I loved it. -geordan \_ ditto. DOS 3.x or before had no edit. edit was so cool. What was the last official dos version? 6.11? \_ 6.3? \_ There was PC DOS 7.1. Don't know about MS-DOS. \_ I vaguely remember back in the pre-"edit" days I used something else other than edlin to change config.sys and autoexec.bat, but I forgot what program it was. I think I used edlin only once or twice. \_ copy con c:foo.sys and then hit ctrl-z when done - paolo \_ The truly lazy hit F6. -geordan |
2001/8/7 [Computer/SW/Security, Computer/SW/Unix] UID:22028 Activity:nil |
8/7 How is it that whenever I sign into my hotmail account, MSN Instant Messenger some how starts and re-registers itself to execute at login, without it ever asking me for permission? \_ Error: incorrect operating system detected. Please try again. |
2001/8/5 [Recreation/Food, Computer/SW/Security] UID:22008 Activity:high |
8/4 What do most bio majors do once they've applied to med school for two years on a row and got rejected both times? Do most of them just end up in the food service industry like history majors do? \_ is the food service industry big enough for english, history, AND bio majors? \_ Don't forget philosophy, psychology, ethnic studies, women's studies, religious studies, mass comm, sociology, and poli sci. \_ No. Philosophy majors (unless going to law school), upon graduation, immediately enter an eternal state of unemployment. \_ Soylent green is made of people! You've got to tell them! Soylent green is people! \_ I think many apply to med schools in other countries. And I got the impression that those doing bad enough to not even get into those have already changed majors by that point. \_ Agreed http://www.thinkgeek.com/images/zoom/despair-poster-stupidity.jpg \_ From what I understand, there are other options for bio majors besides med school. Some go into grad school, some go into pharma, and some go into completely different career paths. Most of the ones I know, however, ended up in pharma. -chaoS |
2001/7/28 [Computer/SW/Security] UID:21980 Activity:high |
7/27 In Applied Cryptography he basically comes out and says that IDEA is pretty much the cypher to use for max. security, but I keep hearing about this thing called AES that is "better". Anyone know where I can find a comparision of AES to IDEA in terms of the resitance to linear and differential crytanalysis. \_ from Schneier's mouth, he has no problem with AES/Rjendael; and things it should be used widlely. \_ Where did you hear this? AES isn't covered in ACv2. If there is a v3 I'd buy it just to read about AES. \_ See http://www.counterpane.com/crypto-gram-0010.html#8 -- misha. \_ Thanks this is perfect. \_ AC is somewhat out of date in this regard; I think IDEA isn't really a contender for use in new applications due to the patent and the fact that various newer ciphers are at least as good. I don't have any particular suggestions as to where to look for information beyond citeseer. --Galen \_ I had originally planned on (and still probably will) using either DES or 3DES (which ever I can get away with linking with without needing a export license). I was reading AC and found IDEA, which Schneier seemed to recommend. When I heard about AES I just wanted more info. Since I'm not an expert at this, I just wanted to read about how resistant AES is to known crytanalysis as compared to other cyphers. Anyway the above link had the info I needed. |
2001/7/27-28 [Computer/SW/Security] UID:21977 Activity:low |
7/27 Is there an easy way to use ssh-agent with KDM so that all my KDE processes can use my private key? \_ D00D U R 50 '1337 4 U51NG 57R0NG CRYP70! R U BL4CK H47 | WH173 H47? 1'M S7111 R3D H47! |
2001/7/24 [Computer/SW/Security] UID:21936 Activity:nil |
7/24 Its probably a good thing we are running OpenSSH instead of that commerical version: http://www.ssh.com/products/ssh/exploit.cfm \_ There was a hole in openssh a month ago. Get a clue. -tom \_ But the whole was not in the *default* config, this is a hole in the standard config. \_ My read of this "hole" is that it takes a password of two or fewer characters to open it up. Somehow, that doesn't have me quaking in my boots. Still, thanks for pointing it out. --PeterM \_ Some of the daemon accounts on *nix systems have NP as the password in /etc/shadow. |
2001/7/24 [Computer/SW/Security] UID:21921 Activity:nil |
7/23 All .mil sites no longer accessible to public! http://abcnews.go.com/sections/world/DailyNews/militarycyberattack_010723.html |
2001/7/23 [Computer/SW/Security, Computer/SW] UID:21915 Activity:moderate |
7/23 How do big employers catch employees surfing porn sites? Do they run software that checks employees' URL requests against a list of host names of known porn sites? Or do they actually check the content being transmitted? I don't think they'd hire an IT person to visually inspect every .JPG being transmitted, right? \_ i could require you to use a proxy to get out to surf the web, then i can just read the access logs and see you accessing the dirty pictures. there's also expensive software out there that will catalog and present in a nice gui to your manager your web surfing habits. i can't remember the names of any of them right now. you don't need to hire an employee, there is software that sits on the router that will do all the above. \_ Yes, that is my job. I examine all your dirty little pictures and decide which ones to keep on file. \_ use sameer's filter \_ URL? Google came up mainly with his current business and techno music stuff. |
2001/7/21 [Computer/SW/Security] UID:21894 Activity:nil |
7/20 Anyone here using megapath, speakeasy or telocity for dsl? If so, is the service reliable? I'm trying to decide between these three, as they seem to be the best rated in the SJ area according to dslreports. I'm leaning toward telocity because its $49/mo (128/1.5), while the other two are about $89/mo for the same. (Price isn't really an issue, I'm willing to pay ~ $100 for reliable highspeed service, but if the service is the same, I might as well go with the cheaper one). \_ I have IDSL (144/144) through MegaPath; had it about a year. Their tech support is a little annoying to reach, but the people you talk to actually seem to have clue (so very, very rare). I like them. --dbushong \_ I have ADSL through Telocity and it was fairly reliable since my service was restored after the Northpoint disaster. |
2001/7/19-20 [Computer/Networking, Computer/SW/Security] UID:21867 Activity:high |
7/19 I want to host a basic website running on my home computer. Any recs on a DSL provider that will let me have my own domain, whose service doesn't suck, and is under $100/mo? \_ First world has a 192K/1.5M line for $69/mo. The line comes \_ Firstworld has a 192K/1.5M line for $69/mo. The line comes with two static IPs and they don't care what domain name you register for those IPs. Alternatively you could try sprintbroadband (wireless). The "line" is 256K/2M for $49/mo and comes with one static IP. You need line of site to Monument Peak though. \_ Hey genius, Firstworld is dumping their DSL customers on Earthlink with no guarantees as of August 31st, so... \_ Where did you read this? I can't seem to find it on their web page, but if its true, I need to switch my line soon. \_ http://Speakeasy.net |
2001/7/18 [Computer/SW/Security] UID:21836 Activity:high |
7/17 ranga, http://www.ssh.com/products/ssh/cert/vulnerability.html is 404 today, but was there yesterday. What gives? - new guy #2 \_ Take a look at: http://www.google.com/search?q=cache:xWSTNSCGxl8:www.ssh.com/products/ssh/cert/vulnerability.html+ssh1+vulnerabilities+cert&hl=en (go google. fight the power). \_ Actually all you really need is: http://www.google.com/search?q=cache:xWSTNSCGxl8:www.ssh.com/products/ssh/cert/vulnerability.html Isn't web caching wonderful? I've also preserved a copy of just the text at: http://www.csua.berkeley.edu/~ranga/misc/sshv1.txt \_ Is it? http://www.google.com/search?q=cache:www.csua.berkeley.edu/motd \_ downright scary. \_ re ssh (not google cache) it seems that ssh1 is fine iff 1. you do not use RC4 2. you have valid host keys \_ There is also an intercept attack, but I'm not sure if that was covered in the cert stuff. |
2001/7/18 [Computer/SW/Security] UID:21834 Activity:low |
7/17 A Russian cryptographer was arrested in the US for giving talk on ebook security: http://www.planetebook.com/mainpage.asp?webpageid=165 \_ Clever. The First Amendment only applies to Americans. \_ ... that don't violate copyrights, or tell you how to make bombs, or .... |
2001/7/17 [Computer/SW/Security] UID:21822 Activity:high |
7/16 I'm also new to the csua -but not as "social minded" as the previous poster. What problems have you had using ssh1? I hear ssh1 is very vulnerable to certain attacks, but I've never been able to get someone claiming this to point me to urls/papers about ssh1 vulnerabilities. Is it something inherent in the ssh1 protocol (but not in ssh2)? Googling for "ssh1 vulnerabilities" doesn't seem to turn up much. \_ Not this all over again. \_ No. I don't want flammage about openssh vs ssh1 vs ssh2d. I want facts and urls to papers. \_ Take a look at: http://www.ssh.com/products/ssh/cert/vulnerability.html It has a summary of the cert warnings associated with ssh v1. ----ranga \_ thank you! - OG poster |
2001/7/11 [Computer/SW/Security] UID:21767 Activity:nil |
7/12 evoice is going away. any other service on the web out there like it? - danh \_ http://onebox.com |
2001/7/10 [Computer/SW/Security] UID:21753 Activity:moderate |
7/9 I accidentally clicked on "remember my password". How do I reverse this security mess? \_ click "forget" \_ what program? \_ internet explorer (application/login asked for it) \_ if it was "Remember my password" on a web page, delete your cookies. if it was the IE autocomplete thingie, Tools > Internet Options > Content > AutoComplete, uncheck the user/passwords box, click on the Clear Passwords button. \_ thx |
2001/7/9-10 [Computer/SW/Security] UID:21749 Activity:high |
7/9 W/ scp, is it possible to turn off encryption for a given data file while preserving encryption of the authentication process? (I'm sending a lot of large, nearly uncompressable files that aren't sensitive, and I just want to encrypt my password). \_ encryption != compression \_ Understood. I was merely mentioning that to make it clear any sort of benefits gained from the data munging are nil. \_ But what do you expect to gain by turning off encryption? today What's the best way to turn a movie into MPEG? \_ http://www.tmpgenc.com |
2001/7/9 [Computer/SW/Security, Politics/Foreign/Asia/Others] UID:21740 Activity:nil |
7/8 Speaking of M$, Any thoughts on why MSFT can't seem to get their instant messanger service running? I would think that with a co like MSFT the backup redundency would basically mean they can crash the entire system and it would still work within a day when they activate the mirror service sitting in line india or something-- but they have just been dead for a week now... |
2001/7/5-6 [Politics/Domestic/California, Computer/SW/Security] UID:21720 Activity:nil |
7/5 http://www.securityfocus.com/templates/article.html?id=221 \_ Computer security consultant and confessed cyber intruder Max Butler will serve out his 18-month prison term at the privately-run Taft Correctional Institution in central California, sources say. |
2001/7/4 [Computer/SW/Security, Computer/SW/Unix] UID:21712 Activity:insanely high |
7/4 I'm running win2k. when i leave my computer alone for a while and I come back, I have to enter in my password to "unlock" it. How do get rid of this? \_ M-X install-linux \_ disable the screen saver password. \_ no it's something else \_ works for me. dunno what weird config you have. \_ Control Panel -> Power Options \_ Repartition, install !win2k. |
2001/7/3 [Computer/Networking, Computer/SW/Security] UID:21706 Activity:nil |
7/3 Metricom has declared bankruptcy: http://news.cnet.com/news/0-1004-200-6442868.html?tag=tp_pr |
2001/6/30 [Reference/Law, Reference/Law/Court, Computer/SW/Security] UID:21688 Activity:nil |
6/30 fuck amihotornot: http://www.ratemyrack.com |
2001/6/28 [Computer/SW/Security] UID:21666 Activity:nil |
6/28 I'm trying to SSH into a PIX box. i've tried ssh -l "" HOSTNAME and that asks for the password for @HOSTNAME. I would think this would work but it doesn't. (the problem here being that the Cisco PIX just asks for a password not a username). What is the correct way to connect? \_ ssh -l <username> <hostname> \_ Maybe (s)he didn't want to reveal his remote login name to someone who can do a ps on the local host? \_ AFAIK you need to add a user to the PIX before it will allow you to login. - cisco alum |
2001/6/19 [Computer/SW/Security] UID:21580 Activity:high |
6/19 some fuck in russia the other day "found" a security hole in our system and sent us a letter that more or less said, "If you give me $150k I won't reveal this security hole to the public." Blackmail. One guy, some liberal dude, remained unconvinced that the intent was blackmail. Should we call the FBI? \_ What can the FBI do in this situation? \_ Yes. FBI Special Agent Kevin D. Johnson has helped us in exactly this matter: +1 (415) 553-7400. \_ Why are seemingly all FBIs "special" agents? Are there actually regular agents? \_ Most field agents who interact with the public are special agents. Whereas they have a supporting staff, such as lab techs and etc. who are just agents. it's all on the FBI www \_ Why are the FBI folks called "agents", why not just "officers" or "cops"? \_ why are real estate agents called agents instead of salesmen? |
2001/6/19 [Computer/SW/Security] UID:21577 Activity:high |
6/19 Here is another question for all you knowledgable crypto people. How bad is the ability of a PC to generate random numbers for cryptography? Is this at all a limiting factor in PC based encryption? If someone were to build a little box that made random numbers based on a physical process that was provably uncorrelated, would that interest people? \_ PC's running reasonable OS'es generate good random numbers. -tom \_ Depending on the sources of entropy used, a ordinary PC can generate sufficiently random numbers for use with cryptography. Look at how ssh does it for more info. \_ P3s can generate random numbers based on thermal noise, right? \_ I don't know. There IS a thermal diode on it, but I'm not sure of the response time. Actually, that might be an interesting little problem/implementation to do, since a lot of devices have thermal diodes these days, for over temperature protection. -nweaver |
2001/6/19 [Computer/SW/Security, Computer/Theory] UID:21573 Activity:high |
6/18 I have a question about diffie-hellman. After going through the initial key exchange and generating the session key k', how do you use this key with 3des or blowfish? Do you just trucate the key to the appropriate length (doesn't seem right) or is there some other method? tia. \_ Probably feed the key into a one way hash function (i.e. MD5) that outputs the appropriate number of bits. \_ This is correct. You would use a hash function. However, you should not use Diffie-Hellman straight, much the same as you should not use plain RSA. Get a cryptography book and read about it. \_ Okay, I understand the bit about the hash function, but I don't understand why the session key k' can't be used directly? I've been referring to Applied Cryptography, but I can't seem to find a place where he explains why the session keys should not be used directly. \_ Here's a hand-wavy argument: Your DH key must be larger than your 3DES key since otherwise it's easy to break DH. This means that you'll have to shrink your DH key to make your 3DES key. You want to make your 3DES key by using all of the randomness that you've got in your DH key, but you don't know if truncating the DH key will do this. However, you DO know that using a good hash function to make your 3DES key will conserve all of the randomness of your DH key. \_ I guess I wasn't clear. I understand that I need to hash the session key in a way that preserves the randomness of the key and that I need to use the hash value as the key for my crypto algorithm. The bit I don't understand is related to the following: I keep reading that one should use the hashed value of the session key *only* for encrypting a different secret key and then that encrypted secret key should be transmitted so that all other transmissions are encrypted with the secret key rather than the hash of the session key. Why can't I just keep using the hash of the session key? It seems much simpler to do this than to maintain a separate secret key. |
2001/6/14-7/20 [Computer/SW/Security] UID:21514 Activity:low |
6/13 Note that sprint just cancelled ION- who the hell knew what ION was anyway???? They had all these commercials but never once showed the product or what it does. Teledesic rocks! \_ I never saw an ION commerical, but I had read about it on several ng's. I was looking forward to migrating from 1.5 DSL to ION, but I guess that's not possible now. BTW, the ION web page doesn't have any info on the cancellation, though the check for service now says that the service is unavailable in my zip code (it was available last week). Teledesic looks good, but they won't be in wide service till 2005. I considered WildBlue for a bit, but they don't seem like they are *nix friendly (PC/Mac only). That leased line is looking better all the time. |
2001/6/12 [Computer/SW/Security] UID:21496 Activity:nil |
6/12 Here's the bottom line: The RIAA wants to control all channels of distribution. For a user to access his own "private" collection may infringe upon the notion of "ownership." Meaning that by leaving those mp3s on an "open" (yes it is open because you have access to it outside of the LAN) network exposes the user to "potential" distribution infringement. http://mp3.com attempted something like this but the RIAA nuked that idea right out the water. The way it would have to work is if the RIAA forces the user to license each component of music that he/she has access to, regardless if they had, indeed, purchased it. Why? Because the RIAA can track that information still. How? Through the networking software. Tapes and CDs prove to be untrackable in terms of distribution but software is trackable especially over networks. As long as the RIAA can track their distribution, no user truly can have that sense of privacy. In terms of tapes and CDs, the RIAA would have to invade each suspected user's home and then provide a warrant to search their premise. That's ridiculous in terms of overhead. Networking software makes usage tracking simple. The idea won't fly. I might've been talking about mp3 cell phones that are distributed by sony a while back. The reason why those are novel (albeit not necessarily popular) is because 1) it's Sony and DoCoMo doing the distribution; 2) the method of transmission is done through the memory chip. The memory chip is portable and removable so it's effectively like copying onto a tape. Supposedly the new G4 technology being pushed by DoCoMo will have a Java client that gets streaming audio/video to your phone. If it does, you can guarantee those lines won't be private and if they are it'll be challenged in court. - keithyw |
2001/6/1-3 [Computer/SW/Unix, Computer/SW/Security] UID:21404 Activity:very high |
5/31 Does anyone have the login/pw for the private space at http://ign.com? We shouldn't have to be paying for access..esp. things like the silent hill 2 full trailer. \_ Will somebody please provide a valid login/pass? They fucking cut off the last Hideo Kojima interview on the subject of mgs2...damnit..that chafes my hide. \_ sign yer name -shac \_ oh come on. the rest of the motd wants to know too. \_ l: phil p: vahmifqy \_ They have to pay reporters, editors, webmasters, sys admins, electricity bills, network connection bills, and much more - why shouldn't you have to pay them back for some of it? The dream of an advertiser-supported internet is dead - ads don't pay enough. \_ pay should be voluntary, like the PBS model. If you like what you get, you should donate some cash, but you shouldn't have to pay before seeing the goods. \_ that's ridiculous. \_ Communism is dead, kid. \_ YEAH, BECAUSE PBS IS AN EVIL COMMIE LIBERAL STATION. \_ psb is a communist? \_ This isn't communism. If it were communism, everyone would be forced to pay the government, and the government would be funding and running everything. Voluntary donations are than in a piece of shit rm or WMP format. Is that too much to ask? Damn ign bastards...*sigh* completely different. \_ "You shouldn't have to pay before seeing the goods." There is that "should" there that I don't like. The mentality seems to be that the consumer can dictate to the producer their terms. In a truly free society, all contracts are voluntary. for Linsux. \_ what's wrong with that? we're in a capitalist society driven by consumerism; why shouldn't consumers dictate what they want? \_ because you're an idiot. you don't get to decide *after* you use something whether you want to pay for it. -tom \_ you do if you have access to warez. long live warez! cd images galore! i wonder when someone will finally crack down on newsgroup piracy? \_ Property is theft! \_ regardless of what anyone agrees on, login: phil p: vahmifqy doesn't work. Someone please provide a valid login/pw. It's not like I can't get it at one of the other sites; I'd just rather have it in quicktime format than in a piece of shit rm or WMP format. Is that too much to ask? Damn ign bastards...*sigh* \_ COMMIE MAC USER!!! \_ QuickTime runs on Windows and there is even mov player for Linux. \_ The Windows Media Player much better than real, QT or anything similar out there. \_ WMP? Good? Surely you jest. AVI and ASF are total POS. The quality is terrible and the playback frequently hangs esp. if you try to stream a file. QuickTime at least has decent stream and playback. \_ I know not of AVI/ASF. What i know is that when i play the SAME file with REAL it looks like crap, when i play it with WMP it looks good. \_ you need to study harder. the correct answer is "M$ SUC|<Z U53 L1NUX!" and not worry about whether something works for you or not. |
2001/5/26-28 [Computer/SW/Security] UID:21366 Activity:insanely high |
5/25 If IPv6 encrypts everything (IPSec) as part of the standard, does this mean protocols like ssh would no longer be required? Will IPv6 allow telnet and ftp and other cleartext password protocols to live on? What use would there be for ssh if IPv6 was everywhere? \- i realize i am "begging the hypothetical" but the "if ipv6 was everywhere [and interoperating nicely, with reasonable key management, and transparancy]" is a pretty big if. "if ksh does everything sh does and more, why do we still have sh?" etc. --psb \_ It's a good question. I think the answer is mostly just inertia and history. \_ there will always be a need for application-level security \_ What does ssh do for me that ipsec doesn't? IPv6 encrypts, it compresses, QoS, and lots of other funs things. What does ssh get me in a pure IPv6 world? (Yes, I know this will take a while to happen, that's not my query). Don't get me wrong. I love ssh and use it for all sorts of stuff. I'm just not seeing a big role for it in IPv6. \_ Authentication? \_ I think a telnet prompt with memorised password is better auth than the keys-on-disk ssh standard auth. I can steal your private key. I can't read your mind. \_ you can require a key on disk, and protect the key with a passphrase \_ Is stealing someone's private key easier than reading their password out of the password file? \_ Yes. And can be more useful. \_ Of course -my- private key is encrypted. Go ahead and steal it. As for memorized password, it can be easily stolen as well with a use of a trojaned client or server, and I have seen this happen many times. \_ So you unencrypt your key before each use? Uh huh. If the server or client is trojaned all is lost anyway so it hardly matters what you use at that point, does it? \_ This is not true in general. It's easy to authenticate yourself without revealing your private key. \_ Yes, man ssh-agent. And if your are not using ssh-agent, then yes, you need to decrypt the key every time you use it. Ssh client does this for you. And yes, this is more secure because you don't have to send neither your password nor your private key to the remote ssh server. \_ I think you don't understand how ssh-agent or ssh itself works. ssh-agent is a local key manager that makes it so you don't have to retype your passphrase over and over for each new connection. Nothing more. I'd like to hear your explanation of how it auths to the server without sending any info. \_ do you even know what PKI means? \_ Same question: how are you doing auth without sending someone something? \_ i was speaking more broadly, e.g. SSL too. the main use of app-level security is authentication and integrity of data between app-level (not system-level) principals. \_ Is something like app-level ssl necessary when the underlying protocol (IPv6 in this case) deal with it? \_ yes, particularly for distributed systems. not only are there app-level principals that are not known at the system level to auth/authz, but you also want to reduce the extent of damage when one part fails. \_ Agent system, agent forwarding, x11 forwarding... \_ BTW, IPSec has nothing to do with IPv6. Implementations of both for *BSD systems happen to be codevelped by the same people (kame.net), but IPv6 !=, is not a superset of, does not imply, whathaveyou, IPSec. \_ Well, true, but what I read implied that IPv6 is assumed to use IPSec by default. |
2001/5/17 [Computer/SW/Security] UID:21299 Activity:nil |
5/16 OpenSSH 2.9 is released! And it supports rekeying, and all those other ssh2 features that people have been bitching about. When's soda going to upgrade? http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98883939725585&w=2 \_ Only tom's been bitching, the rest of us use OpenSSH and have no problems. \_ I have problems using OpenSSH. I keep getting these constant stream of emails from some guy named Tom Holub telling me to switch. \_ Hm, I suppose I should look into that upgrade to 2.5.2p2 that someone suggested a while back. --root \_ What's wrong with openssh? I'm using it and it works perfectly. \_ unless you are tom there is no problem \_ Prior versions of opensshv2 sucked when connecting to the non "open"ssh. even openssh2.5. I'm happy to report thta 2.9 has fixed my (20-40)-second delay problems. |
2001/5/16-17 [Computer/Networking, Computer/SW/Security] UID:21289 Activity:moderate |
5/15 http://edge.mcs.drexel.edu/GICL/people/sevy/airport/128bit.html (How to get 128-bit encryption from your Airport base station) \_ too bad you cant get 128bit from the builtin airport interface on their laptops. --jon \_ Rumor has it that 802.11b (including AirPort) are going to 54mbps w/128bit encryption in the coming months. Also, above url states AirPort has 64bit encryption, which is wrong, it's 40bit, which everyone knows you can pretty much break on the fly with your laptop and a little reciever. \_ 802.11b will never be 54 MBit. 802.11a will be. Its scheduled to be released in the fall/winter of this year. Most people say that you will probably need a new Airport card, but that you can probably upgrade your base station. \_ Uh, wtf is the point? The Gold and Silver levels of 802.11b encryption have both been cracked. Run IPsec with however many bits you want... \_ Its not "encryption" is Wireless Equivalent Privacy. The protection it provides is the same as what cat5 cable provides. No more, no less. |
2001/5/6-7 [Computer/SW/Mail, Computer/SW/Security, Computer/SW/Unix] UID:21182 Activity:high |
5/6 any web-based newsgroup posting sites out there now? deja/google not allowing at the moment...please advise? thanks. \_ http://www.mailandnews.com |
2001/4/30-5/1 [Computer/SW/Security] UID:21152 Activity:kinda low |
4/30 ForwardX11 is set to "yes" in my sshd2_config file (and was by default so i assume support was compiled into the default Fsecure ssh2 install that i have), but my DISPLAY is NOT being set upon connecting. What could be wrong? \_ That's ForwardX11 not ForwadX11. \_ fixed. It is spelled right in the conf file. \_ the remote sshd may not itself support X11 forwarding. |
2001/4/30-5/1 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:21147 Activity:high |
4/30 And you though OpenBSD was strict about long hard to forge passwords: http://support.microsoft.com/support/kb/articles/q276/3/04.ASP \_ And the fun part is what happens when your admin account hits this fun little bug and you can't login to run the patch? FUCKED. \_ 03/08/2001 06:43p 5.0.2195.3351 331,536 Msgina.dll Software named after an SO? \_ Maybe but GINA actually stands for something. This isn't to say some random MS lackey didn't come up with something to fit the letters though. \_ Global Integer Non-Assigned for those of you who don't speak hungarian \_ Thanks. I was too lazy to look it up but I'm sure it was on google. |
2001/4/25 [Computer/SW/Apps/Media, Computer/SW/Security] UID:21107 Activity:nil |
4/25 http://news.cnet.com/news/0-1005-200-5726313.html?tag=tp_pr We should develop tech like this for the motd. Have a phantom "virtual sodan" bot that answers the dumb questions, and emits the obligatory RIDE BIKE and 'use google' remarks, and occasionally fetches useful info. \_ That's pretty useful for spreading rumors when you short a stock. \_ You mean getting sued and ruining your life? \_ It should also periodically initiate an Asian Chix post, post some obligatory trolls, insult tom, and accidentally overwrite some posts...just like a real person. |
2001/4/25 [Computer/SW/Security] UID:21100 Activity:high |
4/25 Where can I get the web based ssh stuff soda is running? I want to do the same thing at home to get around some workplace lame network setup issues. Thanks. \_ /usr/local/www/htdocs/ssh \_ or dl it from mindbright yourself: http://www.mindbright.com./products/mindterm \_ you do realize that it's just an ssh client in java, right? it's not ssh over http or anything, so if your network doesn't allow ssh packets to go through, it won't help you. \_ That can easily be remedied by having sshd listen to a port that the firewall allows instead of 22. \_ Ok, I dug further into it (I'm remote so this is all through email with the other person) and it appears they're doing http proxying. Nothing goes directly out. The workstation IP is 10.x.y.z. There is a unix box though, so I'm having them install sshd on that, running it on a high port, and then doing ssh NT->unix->home. The unix box has a real IP but only runs telnetd right now. You were right about the mindbright stuff not being what I wanted. \_ Hmmm... didn't know that. I'll have to check it out. Thanks for all the links and paths. \_ Ok, I found httptunnel. There's source, RPMs and a windows binary. Thanks for the help and info. Anyone bored is welcome to delete this thread. |
12/25 |