| WIKI | FAQ | Tech FAQ | |
 http://csua.com/feed/ | |
| ||||||
| 11/23 |
| 2002/7/2-3 [Reference/History, Computer/SW/Security, Politics/Domestic/President/Bush] UID:25265 Activity:nil |
7/2 The Prez has lots of experience with corporate fraud:
http://www.nytimes.com/2002/07/02/opinion/02KRUG.html
http://www.salon.com/politics/feature/2002/07/02/bush/index_np.html?x
\_ so? if it really ends up leading to reform, i don't care
what he did in the past. let's judge him by his current actions,
not past actions. they're bad enough.
\_ You really think we have any real chance of seeing reform? |
| 2002/7/1 [Computer/SW/Security] UID:25250 Activity:kinda low |
6/28 I've been looking at web-based calendars. Has anyone tried/been happy
with one of these? I noticed prospector, in particular is GPLed, which
I like because it guarantees no ads.
http://prospector.sourceforge.net
http://www.localendar.com
http:/greatwebcalendar.com/ , etc.
I've noticed that one of these web calendars had a nasty security hole,
is one concern.
\_ Which one has a hole? |
| 2002/6/29-7/1 [Computer/SW/Security, Computer/SW/OS/Windows] UID:25240 Activity:moderate |
6/28 http://www.theregister.co.uk/content/4/25940.html Analysis of MS Palladium scheme. It's even worse than I'd first thought. Very ugly stuff. \_ You expected any less? \_ It didn't occur to me such evil was possible but I'm not at all surprised it was MS that came up with it. \_ see also http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html \_ What is stopping people from just replacing the "fritz" chip with a FPGA that says yes to every query? \_ Destroying your MB because it'll be built in that way? Or worse, it'll be part of the CPU in v2? |
| 11/23 |
| 2002/6/28 [Computer/SW/Security] UID:25232 Activity:nil |
6/27 Anyone successfully used the UCB campus-licensed Windows SSH
3.1.0 client (from http://ssh.com) with Solaris 9 SSH server? It
keeps telling me "key exchange failed" no matter what
algorithm I choose (and this is with debugging on), but
works with other SSH servers
\_ Bug in Solaris 9 bundled SSH. Need to use version 3.0.0
which is also available on http://software.berkeley.edu |
| 2002/6/26-27 [Computer/SW/Security] UID:25205 Activity:moderate |
6/26 What happened to s/key? Is there an alternative way to get
one-time passwords to login from a potentially insecure machine?
\_ ask root (and / or the VP ) to recompile soda's kernel
and turn s/key and keyinit back on
\_ s/key still works for me.
\_ You haven't run out of keys yet. skeyinit is turned off. |
| 2002/6/26-27 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:25201 Activity:high |
6/26 Upgrade to OpenSSH 3.4 ASAP: http://www.openssh.com/txt/iss.adv \_ so is 3.3 fixed too (i thought) or just better because of PrivilegeSeparation. \_ 3.3 doesn't have a fix but if you enable priv sep on 3.3, the exploit won't result in a remote root explot \_ I don't know how you run your systems but i'd wager that for most people (certainly for me) any remote exploit is a remote root exploit. There are simply too many local exploits to always have them all fixed. \_ Agreed. However one advantage of priv sep is that even if sshd falls victim to a exploit, the intruder only has user level access and them must find out which of your local binaries have local exploits. This leaves a trail which you can use to track the intruder down. \_ Not really. By the time they find a local exploit, which will be about 18 seconds on a bad day, you won't be tracking anything. Once they get a local shell with any account it's all over. \_ Thanks for the link. I was happy to see a quick kludge in there. I don't have time to deal with a full upgrade for real right now. \_ Just so you know turning off ChallengeResponse is a hack to fix the one known exploit, but it isn't a fix for the whole class of exploits that were found and fixed by the OpenSSH team in 3.4. Try to upgrade as soon as you can. \_ On my list for tonight. I didn't want to do it remotely and fuck it up and cut myself off from my server. Thanks for pointing that out. |
| 2002/6/25-26 [Computer/SW/Security] UID:25188 Activity:moderate |
6/24 OpenSSH 3.3 with Privilege Separation now available.
http://marc.theaimsgroup.com/?l=secure-shell&m=102485397824660&w=2
\_ and why should we care?
\_ BIG security exploit in openssh if priv. sep. is not
enabled and priv. sep. is available only in v 3.3
\_ The problem has NOT been fixed in the priv. sep. openssh.
However, privelege separated openssh supposedly diminishes
the possibility of root compromisse. Keep in mind that
privelege separation is a new option and it does not work
well on many non-*BSD platforms.
\_ ?? Got a url for the openssh problem? I missed that one. tx |
| 2002/6/24-25 [Computer/SW/Security, Computer/SW/OS/Windows] UID:25180 Activity:nil |
6/24 The future of computer security is Palladium:
http://www.infoworld.com/articles/hn/xml/02/06/24/020624hnpalladium.xml
\_ Uhm, no it isn't. Only in BG's little brain. |
| 2002/6/24-25 [Computer/SW/Security] UID:25178 Activity:high |
6/24 I'd like to use Cygwin to manage my Redhat 7.2 box. I can ssh in no
prob, but when I try to open an xterm, it fails, with:
xterm Xt error: Can't open display: server:10.0
I can get X11 over ssh just fine from soda. This is a stock 7.2
install--nothing special. Any ideas?
\_ first did you try ssh -X
and then have you tried ssh -v
for verbose mode.
\_ Yes, -X works fine, -v lists the following X11 related stuff:
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: channel request 0: shell
debug1: fd 5 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 16384
\_ have you installed xhost on the redhat box?
I don't remember what rpm contains it.
\_ yes, xhost is installed.
\_ "xhost +" and try again.
\_ tried it with no effect (BTW, thanks for this help-- I
really appreciate it).
\_ Found the solution. My ssh connection set the DISPLAY on the remote
site to "machine:10.0" instead of "localhost:10.0". When I fix the
display variable to use "localhost" it works just fine.
\_ Just had the same problem a few days ago. Another way to deal
with this is add your machine name ("machine" above) to
/etc/hosts with your correct IP (if it's static). Then it'll
work as-is, without requiring a manual reset of $DISPLAY every
time. -alexf |
| 2002/6/21-23 [Computer/SW/Security, Computer/SW/WWW/Server] UID:25167 Activity:very high |
6/21 Big bad apache hole in the wild. Patch/upgrade now. See http://apache.org or your favorite security site for details. \_ So they finally learned from Microshit? "In order to gain free press we need to introduce security holes." \_ Does anyone think this vulnerability could lead to a fast spreading worm like Code Red, for example? \_ What's the point? Apache + modules (esp. php) are full of holes. \_ So, don't use the modules you don't trust. Patch one, and there are still a hundred others that the '1337 H4X0R5 will use to break in. Even if you patch all the modules, you still have all your executable content (perl cgi, ssi, php, servlet, jsp, etc) which is undoubtedly riddled with holes. \_ 1) try formatting. 2) just because there are other holes is no reason not to patch this one. 3) glad you're not the admin at my company. \_ It is possible but cracking a site by exploiting the holes in locally written code is much harder than exploiting a widely publicized and well understood vulnerability that possibly affects nearly every apache site out there. If you care about security, run publicfile. \_ publicfile does not support CGI scripts or any kind of server side programming which makes it fairly useless for lots of users. \_ Um, it's not actually that bad. It's a DoS exploit at worst on many architectures. \_ nnnn! go read the security alert, not msnbc. \_ Actually I read all three. Plus the apache one. Plus the debian security-announce summary. It's a DoS explot. \_ Well you didn't read the one that said it's a full root exploit. Whatever, go use telnet. Not my problem. \_ At least one exploit (for openbsd) has already been posted on bugtraq with intent to prove people like you wrong. \_ If your OS doesn't execute data off the stack, it's not exploitable (but it's still DOS). And it's not a root hole, just the user Apache runs as. Still, it's potentially bad. -tom \_ Lots of people run apache as root. Lots of sites that run apache as 'www' or whatever will also have local holes if they haven't fixed this one. Thus it is highly likely that getting in through apache is just one step from root. Layers.... \_ I challenge you to find one person running Apache as root. -tom \- the csua used to run a WEEB server on it's name server. there was a bug that let you get a shell running as the WEEB server uid. now it turned out the WEEB server uid owned the WEEB config file, so you could just changed the run-as user to root and repeat the process and you would have a root shell on the name server. this is detailed in some comment by myself and P. Norby some time ago. I dont think this is that big a deal and right now the "real" denial of service is all the people running around recommend things like vulnerabilty people immidiately delete their defaultroutes and such. --psb |
| 2002/6/21-22 [Computer/SW/Security] UID:25164 Activity:high |
6/21 Since keyinit has been disabled and ssh doesn't work for me (behind
company firewall/proxy), what other options do I have to login to
csua? Already tried ssh with http-tunnel and socks2http. -allenchu
\_ Find someone who'll let you telnet into their shell account
and ssh in from there. -Someone who ran out of keys too.
\_ People like you are simply irresponsible bastards. You know
the difference between telnet and ssh but you're still insisting
on using telnet, potentially compromissing not only the security
of your personal account on both machines but also compromissing
the host security of both machines in general. Lots of root
breakins start with sniffed passwords. But you, of course, don't
give a flying f**k to this because you're probably not the one
who will end up fixing the problems later.
\_ If the company's firewall didn't block port 22,
he would of use SSH. Just because you are an irresponsible
idoit doesn't mean everyone else is.
\_ that's not an excuse for using telnet and
jeopardazing the security of the entire machine. I am
also surprised that a company that filters outgoing
ssh still allows outgoing telnet.
\_ I doubt there is one. It's too stupid to comprehend.
\_ How did you post your question without logging in?
\_ Because I have ssh at home. Also have a few keys left.
\_ can you ssh to port 80 on scotch.csua
\_ Thank you. This might be it. Of couse this assumes the
lovely M$ proxy that prevented http-tunnel to work will
not do the same to this solution. -op
\_ sorry, I haven't been paying attention: why is keyinit disabled
anyway?
\_ The answer I got was some sort of security hole w/ skey. |
| 2002/6/21 [Computer/Networking, Computer/SW/Security] UID:25163 Activity:moderate |
6/20 I'm so confused. Isn't 192.168.0.0 a non-routing network? ...
\_ http://CNC.net should not be routing these packets. Neither should
XO really, but they might have an agreement with CNC that
makes it hard for them to filter traffic.
\_ Welcome to the world of routing. Sadly, certain Network Operators
are, shall we say, less than clued.
\_ A lot of providers use RFC1918 addresses for 'private' interfaces;
frame relay clouds are a good example of this. They're not
supposed to be routed, but rather just used within a given
cloud or circuit for routers to be able to contact each other.
Sometimes routing information about these slips out, when someone
exports a default route, or doesn't filter correctly (correct
me if I'm wrong, but aren't some protocols, like OSPF, a pain
to filter individual routes/networks with?) so people with
different providers will see these addresses as "existing"
in various places. Shouldn't do any harm, it's just not very
clean. -John
\_ still, one shouldn't be using RFC1918 addresses even for
transit links, as it will get important ICMP messages generated
by the routes filtered out. Things like unreachables and
fragmentation-needed stuff. Its sloppy/bad practice. -ERic
\- terminal administrative domains such as lbl.gov put on a
lot of filters like this, but for some reason, various
transit domains like esnet are refusing to do so ... they
are saying there are some performance issues ... we didnt
argue much or demand to see the evidence but it is possible
there is sort of a reason, i.e. even if the overhead is
small, the fraction of these packets is vanishingly small
--psb |
| 2002/6/19-20 [Computer/SW/Security] UID:25150 Activity:kinda low |
6/19 Is there a free program that does scp on window 95? (This is for a
machine at work, over which I have no control.)
\_ I don't know if it works on Win95, but it works on Win2k and
Win98: putty and pscp. Do a google search.
\_ As the above person said, pscp works. Also try WinSCP. Has some
issues with its interface (at least the version I have), but does
the job.
\_ The link is: http://winscp.vse.cz/download2.php?file=WinSCP2.exe
\_ the scp (and ssh) programs for cygwin work pretty well. I realize
that this is overkill for this problem, but you may find cygwin
generally useful as well. |
| 2002/6/13 [Computer/SW/Security] UID:25085 Activity:high |
6/12 What's the ANSI escape sequence for setting colors 8-15?
\_ colors 8-15 are just high-intensity versions of colors 0-7.
to set the high-intensity attribute, use {ESC}[1m
see also: http://perso.efrei.fr/~marnier/docs/ansi-esc.htm
--jameslin
\_ Hm... interesting. The reason behind this question is that
colors 0-7 in SSH Secure Shell are very dark. I'd like to
use termcap/terminfo to trick programs to using colors
8-15 (which look normal). I've tried using Esc[1m, but I
get the brighter color along with a bold typeface. I'd like
to get just the brighter color but not the bold typeface.
Ideas?
\_ don't use colorls?
\_ Unless you can change something in your terminal program's
options itself, you're fucked. Try another ssh client.
PuTTY is good. Teraterm is usable but doesn't do
ansi colors iirc.
\_ Teraterm actually does.
\_ Putty is nice when you need something fast for a one shot
but for daily use I prefer terateam which doesn't feel like
someone's HS project.
\_ I'm curious -- name one thing that teraterm does better
than the current stable version of putty. I've used all
3 (ssh.com client, tterm pro, putty) for quite a while
and now just use putty because it's acted up much less
often than the others.
\_ For starters, putty is the only ssh client that will
spontaneously drop my connection all day every day.
It's not an idle time issue, it'll do it in the
middle of typing. There were a few other personal
preference differences but I consider disconnects a
serious issue.
\_ Strange; I've never had that happen over several
months of using putty (unless the network went
out with it). Are you sure it's not a problem
with your server's sshd (which the other clients
may be more tolerant toward)? |
| 2002/6/10-11 [Computer/Domains, Computer/SW/Security] UID:25057 Activity:kinda low |
6/9 I have a geocities website and my own domainname. Is there any free
service to do DNS+Url Redirection of my domain to geocities? I couldn't
figure out if http://freedns.com is what I needed. -fuless, not faithless
\_ some domain registrars will do redirects for you as part of the
service. shop around. maybe your own already does this.
\_ I ended up using http://afraid.org. --opp |
| 2002/6/9-10 [Computer/SW/Security, Computer/SW/OS/Windows] UID:25049 Activity:high |
6/9 What is up with the logos of http://msdn.microsoft.com and http://amazon.com being identical? Same font, same arrow. \_ what about Lucent and Zachary's Pizza? \_ what about http://chickswithdicks.com and yermom? \_ Obviously, they are both part of a vast Washington state conspiracy to brainwash the rest of the country. \_ obYerMomAndMyDick |
| 2002/6/7-8 [Computer/SW/Security] UID:25023 Activity:high |
6/6 imap via ssl on csua is down: ports 585 and 993 both refuse connection.
Why does csua require ssh when we are only allowed to use nonsecure
imap?
\_ You could always do IMAP over SSH like what I do.
ssh -g -l jondoe -L 20143:csua.berkeley.edu:143 http://csua.berkeley.edu
then connect to localhost:20143 from your client. -jeff
\_ Works great, thanks so much for the great tip!!! Now I
don't have to badger our sysadmins about this any more, they
have resisted installing imap/ssl...
\_ You are a moron.
\_ well, no. this has been happening all too often lately.
root has been pinged about putting ssl+imap into inetd, but
as yet nothing has been done about it. They could get the
complaints and the security concern out of their hair
very quickly... Granted, the person could ssh tunnel
themselves, but changing your config when it's soda's config
that's broken is a time sink.
\_ Or they could *GASP* read mail on soda!
\_ If we offer a service, we should do at least the bare
minimum to keep it running. it's not that hard to put
it into inetd...
\_ that's not the way of the true alumni! POP YER MAIL!
\_ Fuck off, paolo.
\_ That's no way to talk to an Dept Honored Officer!
\_ Heh.
\_ IMAP/SSL is now available.
\_ how about POP/SSL?
\_ how about SSH/SSL?? I want my secure link to be totally secure! |
| 2002/6/6-7 [Computer/SW/Security, Computer/Companies/Yahoo] UID:25011 Activity:nil |
6/5 Where is Yahoo options do I opt out of the mailing list?
\_ http://subscribe.yahoo.com/showaccount also
http://privacy.yahoo.com/privacy/us/pixels/details.html |
| 2002/5/27 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:24952 Activity:nil |
5/26 Congrats on your award for service to the CS department through the
CSUA paolo! |
| 2002/5/25-26 [Computer/SW/Security] UID:24945 Activity:high |
5/25 Which of the following is safer: ssh login to a remote host and read
mail there use a command-line client or access my mails using an imap
capable local client? -- crypto/protocol novice
\_Using encrypted email. Otherwise, it just a matter of where on the
network your attacker is sitting.
\_ Or maybe they're reading your keys and monitor from a van parked
across the street. It doesn't matter. It's just the dude's
personal mail. No one cares what's in it.
\_ Look, I am not worried about individual emails get
sniffed on its way. I just want to have a reasonably
secure way to check my emails from a long distance or
a continent away without compromising my password etc.
a continent away without compromising my password or
having personal info. in my mails systematically collected
in some database when they pass through rogue networks.
\_ Ssh in and use your favorite local client. |
| 2002/5/23-24 [Computer/SW/Security] UID:24921 Activity:moderate |
5/22 Does anyone use Dragon? I currently use a service that charges $.10
for transcription and am thinking about switching to Dragon. They
have standard, preferred, and professional, but it is unclear what you
get for $100 and what you get for $700.
\_ Yes, I mean Dragon Naturally Speaking 6.0.
\_ You mean Dragon the PC software?
\_ no, the big reptilian thing that breaths fire.
\_ That was practically a gimme but funny anyway. Thanks! |
| 2002/5/8-9 [Computer/SW/Security] UID:24756 Activity:low |
5/8 I'm thinking about using a block cipher to encrypt pkts
in my application, but I'm running into a problems wtr
transmitting/receiving the encrypted pkts. Here is
what I want to do (given values are secret key K, plain
text PT):
1. Derive K1 (encryption key) from K and a random nonce
N1 and derive K2 (HMAC key) from K and a random nonce N2
2. Encrypt PT and H(PT) using K1: e = E(H(PT)|PT,K1)
3. Calc. HMAC of the e: h = HMAC(e,K2)
4. Transmit N1|N2|e|h (this would be a fixed size pkt)
5. Recv. N1,N2,e,h
6. Derive K1 and K2 from K using recv'd N1 and N2
7. If HMAC(e) = h, then decrypt e: D(e,K2) = H(PT)|PT
8. If the decrypted H(PT) matches a computes H(PT)
return PT.
What I don't know how to do is recover from the following
situations:
* HMAC(e) of the recv'ed e != h
* Decrypted H(PT) != computed H(PT)
Since it it unlikely that the pkt was corrupted by trans.
errors (I'm using TCP), the only way that this could happen
is because of an active attacker. Is there any point in
asking for a retransmit on the recv side if an active
attacker is present?
\_ post this to crypto@csua, you'll get better results than the
motd. Motd is full of dropouts and sysadmins.
\_ Hi paolo. You're delusional again. Go back to bed.
\_ who is this paolo?
\_ He was president for a long time, then he quit logging in. |
| 2002/5/4-6 [Computer/SW/Security, Computer/Theory] UID:24704 Activity:high |
5/3 If I want to learn about error correction, compression, and cryto,
which class would I take? crypto? _/
\_ Info theory at Stanford. Berkeley does not teach ugrad info theory.
\_ Information theory. Read Thomas & Cover. There is an information
theory class using that book at Stanford. Berkeley does not
teach information theory to undergrads.
\_ 170 talks about the basics of both, 150 has some error correction
too. specifics?
\_ Crypto classes: 261 (well, security), 276 (protocol-level), and this
semester Wagner taught a 294 which was block-cypher level. Even
though I've managed not to pay any attention to 174, I remember
somebody saying something about entropy, so likely has to do
something with compression and/or random number generation.
-chialea
\_ "managed not to pay any attention to 174". Okey dokey, now
who was making noise before about the best Cal ugrads not
getting into Cal grad school?
\_ Not best. Schmooziest. Big difference.
\_ if you were as good as chialea, wouldn't you be bored
by 174? --chialea #1 fan
\_ several EE courses discuss compression (the multimedial related
signal/image processing courses)
\_ depending on the prof, Math 114 often covers coding theory, and
error-correcting codes. - rory |
| 2002/5/3-5 [Computer/SW/Languages/Java, Computer/SW/Apps/Media, Computer/SW/Security] UID:24700 Activity:nil |
5/3 Finally we know who was the first borg, it was Prof. Steve
Mann of the University of Toronto:
http://chronicle.com/free/v48/i34/34a03101.htm
\_ He's saying he had a wearable video display 20 years ago?
\_ He's saying he was a freak 20 years ago just like now. |
| 2002/4/24-25 [Computer/SW/Security, Computer/SW/Unix] UID:24568 Activity:moderate |
4/24 Are you getting bounces from http://mail.yahoo.com? I tried responding to people, and I'm getting bounces. They are not spammers. I respond a few seconds after they email me. \_ so it has begun \_ Yes. It's been sporadic for a day or so. \_ Well did you pay your Yahoo E-Delivery Fee? You can only send mail to Yahoo users if you're a paying customer. |
| 2002/4/23-24 [Computer/SW/Security] UID:24543 Activity:very high |
4/23 Security question: assuming i have a "good" /dev/random and I
read from /dev/random from 00:00 to 00:01 and save that in a file,
will take make it trivial to attack someome who uses /dev/random on
the same machine to "seed" a random passwd generator at 00:00:30?
Or does each caller some how whiten it with his own environment?
\_ Or say I read in 10k bytes from /dev/random or /dev/urandom
at 00:00 and I start and another copy of the same process "at
the same time", will I get overlapping random streams?
at 00:00, which takes 2 seconds. I start and another copy of
the same process a couple of millisenconds after 00:00,
will I get overlapping or interleaved random streams?
\_ no and no, if it is a "good" /dev/random
\_ So what prevents two people "simultaneously" reading from
/dev/random from letting the same stream?
\_ The driver probably has a locking mechanism in the
read entry point to prevent this:
ep_read { lock ; copy bit to userspace ; unlock ; } |
| 2002/4/22 [Computer/SW/Security] UID:24532 Activity:high |
4/21 MOTD Poll. How many people use pgp (or gnupg) on soda?
PGP:
GnuPG: ...
Neither, Because No One Cares What's In Your Email: ..
I'm Not That Paranoid: ..
The Feds Already Cracked It Or We Wouldn't Be Allowed To Use It: .
the NSA paid for my fucking harddrive anyway so there's no point: .
\_ and if anyone who got *ANY* sort of PGP filter worked with
with pine, let me know. -kngharv
\_ I tried. How I tried. I believe the problem is actually with
soda's installation of pgp. I bought the bullet and started
soda's installation of pgp. I bit the bullet and started
using mutt. I can't say I'm an enthusiast but it does handle
gpg better. I never did get pgp working. --ulysses
\_ I couldn't get it working in pine. I gave up and switched
to mh-e and mailcrypt.
\_ Follow up poll. Do you:
sign email: .
sign news:
sign + encrypt email:
sign + encrypt news: |
| 2002/3/28 [Computer/SW/Security] UID:24260 Activity:high |
3/28 What exactly are the "Digital IDs" that Outlook Express blabs about
when I click on "Security" in the program? ... specifcally, how do
these relate to PGP encryption?
\_ No, it's created by combining your SS#, DOB, Mother's maiden name,
and CDL in a complex alogorythm that involves concatenation and
rot13. This cryptographic innovation brought to you by Microsoft!
The ecommerce version has your bank account and pin in there, too,
for your convenience. |
| 2002/3/25-26 [Computer/SW/Security] UID:24222 Activity:moderate |
3/25 Has anyone heard about the CBDTPA?
http://www.politechbot.com/docs/cbdtpa/hollings.s2048.032102.html
It will be a disaster if this thing gets passed.
\_ No one has ever heard of this or the SSSCA before.
\_ dude! i just found the greatest web site! you should
check it out: http://slashdot.org
\_ cool thanks! its looks really low end and new are they
working on improving it at all? it might stand a chance!
"community" $ell$!! |
| 2002/3/23-24 [Computer/SW/Security] UID:24212 Activity:nil |
3/23 MacOS X's Preview bypasses PDF "security":
http://www.macuser.co.uk/macsurfer/php3/openframe.php3?page=/newnews/newsarticle.php3?id=1854
Why is it that Adobe's attempts at "security" are always so damn
stupid? |
| 2002/3/15 [Computer/SW/Security] UID:24123 Activity:high |
3/15 i want to take this opportunity to publicly insult newark
electronics customer service. they suck donkey balls. their web
site is lame was programmed by yermom. go digikey or allied!
\_ This is the motd, not a customer satisfaction line. Your complaint
is entirely too banal and does not once mention yermom. |
| 2002/3/15 [Computer/SW/Security] UID:24122 Activity:nil |
3/15 Any one uses pgp4pine and gpg? for some reason, my send filter
worked, but display filter (for recieving encrypted / signed
email) does not. What really puzzle me, is that when I
open the file contains pgp (uses _BEGINNING("-----USE PGP")),
my default editor (in this case, jove) launched, and has an
error message in jove saying: "invalid switch -c" anyone
has any clue? -kngharv |
| 2002/3/14 [Computer/SW/Security] UID:24112 Activity:moderate |
3/14 http://www.nytimes.com/2002/03/14/technology/circuits/14MANN.html \_ "He is now undergoing tests to determine whether his brain has been affected by the sudden detachment from the technology." |
| 2002/3/13 [Computer/SW/Security] UID:24092 Activity:high |
3/12 sshd has got vulnerabilities, fixes, and potential future
vulnerabilities. If I TCP wrap and use hosts.allow/deny for sshd
and other apps, so only listed hosts can connect, does that prevent
intruders from exploiting future holes?
That is, as long as it's TCP-wrapped or restricted by hosts.* files,
even if I was running an exploitable version of sshd, nobody can
break in via sshd, true?
Same with all inetd.conf daemons, right? I only run one.
(This assumes the hosts in my hosts.allow file are secure)
\_ Here is a thought. Run sshd on a high number port as sshd rather
than root. Then use your fw/nat/pat box redir 22 to the high
number port. This way even if there is a breakin, they don't
get root (assuming root can't login via ssh).
\_ Assuming no holes in tcpwrappers, probably. ssh uses libwrap,
which is a little different than being wrapped in inetd.conf,
and possibly is less secure. -tom
\_ why dont you just upgrade/patch ssh?
\_ "potential future vulnerabilities", i.e. undiscovered bugs.
\_ well then, why dont you jsut remove ssh. even safer,
unplug your machine from the net. Nothing safer from network
attacks than an airwall.
\_ You're an idiot. -tom
\_ No s/he has a point. If the OP is so afraid of being on
the net that they want to be 'safe' from the future,
they're on the wrong net. They need to power down and
idiot." because that requires no thought or effort.
go read a book in a park if they want that level of
safety. No one can protect your net from unknown future
bugs. If it was that easy everyone would be doing it.
Of course it's much easier to just post "You're an
idiot." because that requires no thought or effort. -i2
\_ Oh, and posting "disconnect from the net if you
want to feel safe" requires effort? Guess what--
you're an idiot, too. -tom
\_ i don't give a rats ass about this thread,
i'm just going to point out that tom has
proven himself to be a total idiot about
a hundred times over on the motd.
\_ Does that include his anonymous postings?
\_ clearly you're dead to sarcasm.
\_ "Sarcasm is hard! Let's go shopping!"
\_ The post above by "i2" is not sarcasm. If you
are i2 then you are a liar, if you are not
then, Guess what -- -!tom
\_ Wow... let it go. Time to move on. Try
Prozac or Ritalin or something.
\_ IP Spoofing isn't that hard and you will also need to ensure
all of the hosts in your list are never compromised. If you are
concerned about security you need to set up your network in
a manner that is secure.
\_ Isn't the known hole in ssh quite hard to exploit?
\_ Yes, and that too only if you have a local account
with a valid passwd and shell. |
| 2002/3/8-10 [Computer/SW/Security] UID:24063 Activity:nil |
3/7 Root people: http://www.pine.nl/advisories/pine-cert-20020301.html Allowing local users to gain root via openssh. \_ Root people, New York and California Root people, I was born on Jupiter \_ Ever heard of e-mail? \_ Like they read it? Like no one else here runs anything and might need to know this, too? Fuck off. |
| 2002/3/1 [Computer/SW/Security] UID:24005 Activity:nil |
2/28 Todd Solondz speaks! Saturday, Wheeler. 1 free ticket for all
Cal students w/ Student ID at the Zellerbach Box Office.
Would anyone in the CSUA be interested in possibly recording
this (if possible) and hosting it on the web somewhere? I'm
willing to help but don't have access to many of the needed
resources. - rory
\_ who is todd solondz?
\_ Isn't he the kid in Mask with Cher?
\_ Eric Stoltz. :)
\_ Sadly, I think that kid is dead. ...wonder if he
ever made it to Katmandu or wherever.
\_ Indie movie director.
\_ http://us.imdb.com/Name?Solondz,+Todd |
| 2002/2/26-27 [Computer/SW/Security] UID:23973 Activity:nil |
2/25 <DEAD>www.bsdi.com/date<DEAD> used to have a small gif showing where the sun was currently shining. Anybody know where I can find that image somewhere else? \_http://www.fourmilab.ch/cgi-bin/uncgi/Earth/action?opt=-p gets you a large image of that, plus access to a bunch of other cool stuff. \_ this is cool. |
| 2002/2/25-26 [Computer/SW/Security, Computer/SW/OS/Solaris] UID:23970 Activity:high |
2/25 Is there anyone out who understands the NT security API? All I'm
trying to do is set permissions on a directory: Everyone group,
full control, inheritable by child objects and containers. Then I
need to know how to create files so that they don't override the
parent ACL. Should they have a NULL SD, or a default SD with a NULL
DACL?
What I'm doing now is setting security on every file create and
copy, which is error prone. CopyFile doesn't copy the SD, so I do
SetNamedSecurityInfo(DACL_SECURITY_INFORMATION|
PROTECTED_DACL_SECURITY_INFORMATION) on the new file. It would be
better if it just obeyed the parent directory settings. -sky
\_ I know how to do the similar on Solaris on but not NT. Sorry.
In Solaris I set the parent directories ACL and mask and then all
children (both files & directories) inherit ACL. At least when
you do commands like cp/cat/vi. Okay, so it's not going thru the
API so it's not similar thing. There are some oddities when on
older versions of Veritas products though. Are you using Veritas?
\_ Apparently no one understands the NT security API. What I _do_
know is it has nothing to do with the way Veritas or Solaris work. |
| 2002/2/25 [Computer/SW/Security] UID:23969 Activity:moderate |
2/25 I need to give a user console X access but no remote login access
of any kind (translation: secure location, but a bad password).
Other users need to have remote access. Setup is kde/freebsd.
What's the easiest way to do this?
\_sshd has allowuser/denyuser allowgroup/denygroup useful for
an ftp-only account -dwc
\_ Perfect, thank you. |
| 2002/2/22 [Computer/SW/Security, Computer/SW/Unix] UID:23943 Activity:very high |
2/21 My moronic boss asked me to write a batch file to auomate a telnet
session and one requirement is it should not ask user for the
password. How do I kindly tell him that he is an idiot?
\_ setup ssh with passwordless public key or host-based authentication,
symlink telnet to ssh and let him believe that the users are using
telnet ;p
\_ The batch file will be placed in hundreds of Windows 98
machine's at a client site; none of these machines have ssh.
How do I tell him off? I told him it can't be done and he
insisted that it can be done.
\_ Why are you still even working there? I can't imagine
working in a place with a boss that stupid and an OS
that crappy.
\_ This isn't 1998.
\_ Include ssh along with the batch file. --dim
\_ He's a moron, true, but you've done your duty by telling him so, now
it is your job to make it work. I suggest a telnetd that auto-auths
anyone with no password. Yes, this is frightfully stupid, etc, etc,
but unless you want to polish your resume, swallow the bile and just
do it. Now is not a good time to get fired. Make sure you have it
documented that this is insecure and you told them so but were told
to do it anyway. You're then free from serious fallout. C.Y.A.
\_ I agree with the SSH suggestion. However, if you still need to
use telnet, you can embed a known password into the batch script.
You need to telnet to the same account, though. Or maybe have
the user save the password somewhere, but not ask on every
use.
\_ Create a server on a random port that does what he wants and have
your script telnet to that port.
\_ write a telnet program that automates the password and ship
it with your batch file. And document it that it's insecure.
\_ Upgrade windows. Realize that even windows has better tools
than telnet for running remote batch jobs.
\_ Whatever you do ignore the idiots here who give the 1990's dotcom
answer of "oh just quit!". Find a way to do the project and do it.
Document the insecurity and the specs and forget about it. Your job
is more important than religion.
\_ maybe he's talking about telnet -F option with Kerberos V5
authentication being used.
\_ acct with no passwd? |
| 2002/2/20-21 [Computer/SW/Security] UID:23926 Activity:high |
2/20 Quoting from instructions on how to send a Sony laptop in for
non-warranty service. They fuck you so fantastically hard it's
Awesome!
>Should you choose to send the system for service, you will be
>responsible for the following:
...
>d. You MUST provide proper documentation with your shipment;
> - Name, Return Shipping Address (no PO boxes),
> - Day and Evening Phone Numbers
> - Detailed Errors and symptoms
> - Method of payment (MC, VISA, AMEX, DISCOVER, Money Orders
> and Checks (no starters)
> - Written letter authorizing charges up to $700. <======= Rad!
...
>NOTE: There is a minimum $25 estimate fee and a $35 return shipping
>fee. The estimate charge will be waived if the repairs are
>performed at the Fremont facility. You will be notified of, and
>must approve the estimate prior to the repair. Service estimates
>are not available through email. The diagnosis of hardware
>service issues cannot be handled via e-mail. The system must be
>shipped in prior to receiving a service estimate quote.
\_ you are getting a Dell dude!
\_ we know you're supposed to get a macintosh. |
| 2002/2/20 [Computer/SW/P2P, Computer/SW/Security] UID:23921 Activity:high |
2/19 Tom posts an intelligent comment on usenet:
http://groups.google.com/groups?hl=en&selm=a4u5df%241uvv%241%40agate.berkeley.edu
\_ Charging is one possibility except then you get into the problem
of exactly who to charge. Do you charge the student assigned to a
workstation? Ok, another user logs in from another local machine
and uses the other student's machine for external access. Do you
charge the whole department or sub-unit and "let God sort it out"?
That just means rich departments stay on the net and poorer ones
take the net away from most of their users. You can't charge by
IP address because IP != unique user and packets don't have user
names on them. There's still no answer short of simply cutting off
a lot of people from external net access and I don't think anyone
wants that.
\_ "tragedy of the commons" problems usually have no easy solution.
The issue of access to national parks is a good example; you
can't restrict access to Yosemite Valley in a way that's
pleasing and fair, but you have to restrict access if you want
Yosemite Valley to retain its value. At some point you have
to make some decisions about tradeoffs. A campus phone isn't
equivalent to a unique user, either, but we manage to bill
people for phone service. -tom
\_ I don't have a problem with the basic concept of billing for
usage but it isn't the same as phones. Most people aren't on
the phone all day. Most aren't making LD calls. And it is a
bit difficult to login to your phone from my desk without your
knowledge and rack up a huge bill to 976-hotsex. $300 in
calls on my phone to my office mate's mother in Tokyo is easy
to track down and bill properly. With the technology at hand
I only see raising bandwidth or cutting a lot of people off
from the public net. I don't see the latter as a good choice
for a research/educational institution. It also wouldn't fly
politically.
\- i think this is naive.
\_ How are you planning to pay for this increased bandwidth?
\_ I don't think anyone wants to cut people off the net,
but providing a certain amount of "free" service, and
charging if you go over a certain amount of traffic, is
probably a tenable model. Buying bandwidth indefinitely
so kids can fill it up with more kazaa is untenable. -tom
\_Just raise tuiton. Make net access a line item that
people can elect not to pay for if they don't need it.
\_ "Every complex problem has a solution that's
simple, elegant, and won't work." -tom
\_ isn that ken lindahl's or msinatra's quote?
\- Why doesnt "disallow P2P except on certain
subnets/via prior arragement" [say for people
using gnutella for collaboration or maybe some-
body in cs doing something researchy] solve the
problem as long as someone in the dorms can
get their own isp access [i am not sure if this
is possible]. are students on the dormnet
allowed to run WEEB servers? yes, a lot of the
http is garbage but you have to attack what is
viable and cost-effective. the comment about
running the p2p server on port 80 to "hide" is
not a real issue. at least with napster,
gnutella, kazza, we can detect it on any port
[although not in real time, although that doesnt
seem important]. Also, the TotC comparison isnt
quite right since the Commons is a natural
endowment while bandwidth is sort of a "weakly-
rival" good paid for by somebody. Say I build a
lighthouse for my shipping company along my
shipping lane. I dont care if some people use
my lighthouses, however if this makes for "my
shipping lanes" too crowded for me to use,
well, i'd be better off switching technologies.
it seems like if you throttled the dormnet
traffic onto the routed internet but allowed
significant bandwidth to campus, people could
do their school work. [i assume most of the
p2p sharing isnt local]. --psb
[the lighthouse example is a little off because
it is not a divisible but a binary good but that
wasnt the point i was getting at. someone does
own the bandwidth].
\_ dorm traffic is already handled under
a separate cap. You can do things to
discourage P2P sharing, but that only
solves 25% of your problem, and the
more you discourage it, the more incentive
there is to find ways around it. -tom
\_ MOTD WANKERY! None of you people are in position to do anything.
\_ actually, I am. -tom
\_ A chill falls across the room...
\_ wanking is precisely what they are in the position to do. |
| 2002/2/13-14 [Computer/SW/Security, Computer/SW/Unix] UID:23861 Activity:high 54%like:23860 |
2/13 Each time I login, I would like to see my "Last Login" info, but
not the motd. How do I do this?
\_ Edit the .login file in your home directory. If you still see
the motd scroll by, create a file called ".hushlogin" in your
homedir (`touch .hushlogin` will do).
\_ Right, but with .hushlogin I don't see my "Last Login"
I can't seem to quell only the motd. Can I set something
like "no-motd" in my .login? Also, my "Last Login" info
gets shoved off the screen before I get a chance to read it.
Why is that?
Why is that? -brett (thanks & sorry)
\_ Sign your name and make ur .login public so we can
help you. Perhaps you have a 'clear' command in it.
\_ Okay. |
| 2002/2/13 [Computer/SW/Unix, Computer/SW/Security] UID:23860 Activity:nil 54%like:23861 |
2/13 I want to see my "Last Login" info, but not the motd, each
time I login. How do I configure this? |
| 2002/2/12-13 [Computer/Domains, Computer/SW/Security, Computer/HW] UID:23850 Activity:high |
2/12 Is there a good way to find all the HOSTS in an nis domain, assuming
you have access to master and slave servers? It would be better if
there was a log file to parse, but I can dump network traffic too.
\_ ypcat passwd
\_ ypcat hosts
\_ That doesn't do anything useful.
\- maybe "snoop rpc ypserv" --psb |
| 2002/2/11 [Computer/SW/Security, Computer/SW/Unix] UID:23833 Activity:high |
2/10 can some root type make install the Word file reader wv port? thanks
\_ Done. --some root type
\- Where do you get this software ?
\_ the joy of /usr/ports/ on FreeBSD
\_ http://www.wvWare.com |
| 2002/2/7-8 [Computer/SW/Security] UID:23806 Activity:high |
2/7 An attack on the SSHv2 Protocol (for those who don't follow
sci.crypt):
http://groups.google.com/groups?hl=en&group=sci.crypt&selm=MPG.16cb6c26ff1c3931989687%40chicago.usenetserver.com
\_ The thing about all these newer 'attacks' is they all require the
man in the middle to have all sorts of access you can't expect a
typical hacker to get. Anyone who has the warrant or the skill to
insert themself into my ssh2 datastream will probably find it
easier to hack straight into the server or just get a warrant to
put a van outside my building and 'listen in' on my keyboard and
monitor through the walls. I'm not losing sleep over this one.
\_ Yes it is theoretical, but the point is that it could be more
secure. IPSec for example does not have the problem. |
| 2002/2/5-6 [Computer/SW/Security] UID:23789 Activity:nil |
2/5 When I try to PGP encrypt outgoing messages in conjunction with mutt,
I get several screens of hex numbers and then a fault notification.
Does anyone have mutt + PGP working on soda? Can I get a look at your
muttrc?
[ reformatted - motd formatting daemon ] |
| 2002/2/2 [Computer/SW/Security, Computer/SW/OS/Windows] UID:23750 Activity:nil |
2/1 Idiots Dos the World Economic Forum website. Claim some sort of
bizarre victory.
http://www.washingtonpost.com/wp-dyn/articles/A10521-2002Feb1.html
\_ See next motd topic. |
| 2002/1/31 [Computer/SW/Security] UID:23732 Activity:high |
1/31 I used to get "You have mail." or "You have new mail." messages when I
logged in but not anymore. What happened? Where do they come from?
\_ the system sshd_config may have had CheckMail turned off.
\_ CheckMail in sshd is deprecated
http://www.monkey.org/openbsd/archive/misc/0111/msg00384.html
\_ I think tcsh may have been upgraded.
\_ look at your .login. if you dont have nfrm anywhere in the
file, add it.
\_ nfrm shows you who the mail is from, which is nice but takes
way too long. I just want to see if I have new mail or not
like it used to show. how do I get that?
\_ RTFM, einstein. It's in there. |
| 2002/1/25-26 [Computer/SW/Security] UID:23669 Activity:high |
1/25 Crap. At a new job and the emc tech guy just sent mail that our emc
service contract expired almost a year ago. $225/hr, minimum of 2
hours to do anything.
\_ That's probably less than they would have charged you for a
service contract. -tom
\_ i doubt it.. cuz thats prob jus labor and not parts. -shac
\_ that's just time, not materials. And you think they're going to
be really zippy when its on an hourly paid basis? They already
take 4+ hours to swap a disk or two. --fucked EMC admin |
| 2002/1/24-25 [Computer/SW/Security, Computer/SW/Unix] UID:23660 Activity:high |
1/24 Anyone have any ideas and/or pointers of how to crack Yahoo IM offline
messages and archived chats and conferences without knowing the
password of the account that you are trying to snoop on?
\_ No, but I'm sure google does. -John
\_ If google doesn't help you could try cracking it yourself. I'd
make my own logs with my own account and see what comes out. Use
long strings of each character in the alphabet, 1 per log, etc.
I know they used to send everything over the net in clear text so
I doubt the archive encryption is tougher than rot13 or des.
\_ never used it but try http://www.elcomsoft.com/aimpr.html |
| 2002/1/15-16 [Computer/SW/Graphics, Computer/SW/Security] UID:23571 Activity:nil |
1/15 This is too funny. Go to http://www.bsa.org/usa and find the Flash movie halfway down and see the story of Meg A. Byte the software pirate. \_ That's hilarious. I especially like how they ripped of a few games in the video. Nothing makes the point better than hypocrisy. |
| 2002/1/14-15 [Computer/SW/Security, Computer/SW/OS/Windows] UID:23561 Activity:very high |
1/15 .name URLs now available
\_ What is it?
\_ Is it permanent? (I mean as permanent as
http://www.csua.berkeley.edu/~mylogin
\_ http://www.siliconvalley.com/docs/news/svfront/002411.htm
\_ Gee. They might as well open up the name space for *anything*
that is descriptive, e.g. "JohnDoe@university.of.california.at.
berkeley", "JohnDoe@2345.dwight.way.apt12.berkeley.ca94704",
"JohnDoe@510.643.1234.us"
\_ worthless. Making a 4 letter extension is going to break all sorts
of code out there.
\_ Maybe badly written code... There have been >3 letter extensions
for quite a while.
\_ Not to mention 2-letter extensions like .tv and all the
international extensions (.jp, .it, .ca, etc)
\_ They're called TLDs people, not "extensions". This ain't DOS.
\_ yeah baby, <DEAD>cum.cum.cum<DEAD> |
| 2002/1/13-14 [Computer/SW/P2P, Computer/SW/Security] UID:23552 Activity:very high |
1/13 http://www.nytimes.com/2002/01/13/edlife/13BAND.html?pagewanted=print The article mentions 'Direct Connect.' What other file sharing programs are in use these days besides this and Morpheus and other FastTrack variants. Any CSUA members in the dorms or otherwise with big pipes care to comment? \_ irc \_ yeah, I've got a big pipe for ya \_ http://vadim.berkeley.edu \_ hi paolo! \_ nice going vadim, taking scheme.xcf.berkeley and changing it to vadim.berkeley. fucking tactless egomaniac. \_ I thought the useless xcf was shut down years ago? -alum \_ It was. It has become... the Vadim Computing Facility. \_ This is probably funny but I don't know who Vadim is or the current xcf situation. Is it dead or what? \_ Not dead. There's one member. \_ Just using your powers of deduction, see if you can infer what that one member's name is. \_ check http://zeropaid.com for an extensive listing of file sharing prorams. -- jj \_ the Dec207 warez club! \_ The dorms don't have a big pipe anymore. They're collectively limited to ~20Mbit. That's 4,000+ hosts. UCB dorm net is pretty much useless these days. Residents keep trying to get DSL installed because it's faster. \_ Buncha whiners. I felt lucky to have 14.4 access after I got access to the staff/professor modem bank and off the busy and broken 1200-9600 student bank. Doing classwork on campus was better anyway. Easily block remote connections to your workstation and keep all those other pesky students dialing in at 2400 on some other machine. \_ in my day, we used smoke signals. on a clear day with a small enough wind we could get ten bits per minutes, and we were damn pleased with that. \_ They allowed you to have smoke? And you knew what the sun looked like? And wind? You had wind?? You must be new around here.... \_ Petition them to increase the size of the big pipe. This is not 1991 anymore, when I spent big bucks to upgrade to a 9600 modem. \_ The problem with the dorms is that they'll use (for napster clones, mostly) all the bandwidth you'll give them, and the campus pays for bandwidth used to the commodity net. Dorm traffic isn't limited if it goes over Internet 2. -tom \_ Cool. Now they just need a multi-campus I2 p2p thing going and they're set. I've got this idea for a business model... I just need $325m in funding now.... \_ Two words: traffic shaping. Eliminate this bandwidth cap bullshit, and use traffic shaping to limit obscene traffic caused by p2p filesharing apps. Dorm net becomes useable again. \_ A few more words: apathy, money, unimportant. It isn't worth anyone's time to fix the dorm net situation. Who cares? Let them eat cake! Is there a minimum bandwidth promised or an SLA in the current dorm contract? Do people *really* choose the dorms because they have net? Was the <DEAD>dorm.net<DEAD> the deciding factor for anyone's living arrangement? If so they need to get over it. \_ Clearly, that's the way campus wants to go, but it's rather difficult in our environment. -tom \_ that's 20Mbit to off campus. |
| 2002/1/10 [Computer/SW/Security] UID:23520 Activity:very high |
1/10 So I've decided that since my system is vulnerable to one kind of
attack to not bother with any sort of defenses. I'm reinstalling
telnetd, disabling ssh2, running an old version of ssh1, putting IIS
4.0 unpatched back into production, get 8.01 bind going and then
setting the root password to "root". Does this make sense to anyone?
Should I stop patching my computers because there might be a different
way to get in that isn't covered by the current patches?
\_ It makes no sense and you are an idiot.
\_ So is this any different than not spending money on one form
of national defense because the country would still be open to
other forms of attack?
\_ you're an idiot. -tom
\_ At least now we have your best point against national
defense. You're brilliant. You should be running the
DoD.
\_ sign your name, o brilliant one. -tom
\_ Missle defence is analogous to building a huge titanium dome
for your computer. It is expensive, impractical and won't
defend against the likeliest threats. It will also distract
you from defending against the threats you should be concerned
about.
\_ So you mean the most likely threat from nukes isn't nukes on
warheads? When there's 5000+ of them out there in the hands of
multiple nations and some of those nations aren't very friendly?
You determined this was an unlikely threat? You're not qualified
to make that analysis.
\_ My titanium dome protects my computer against worms, viruses,
DoS, and every exploit that exists.
\_ The analogy is to a titanium dome that still has holes
in it for network access. -tom
\_ This is known as a "strawman argument" and it's
considered bad debate form. Most people left this
behind in the dorms.
\_ And the original poster was not? |
| 2002/1/5-6 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:23468 Activity:moderate |
1/4 csua/csua and user/pass are two short, many sites require 5-8 char
names and passwords. What should is sign up as then? -goodCSUAer
\_ ucbcsua with password ucbcsua1, ucbcsua2, etc.
Or csua123 or csuacsua as username. Some site require
pw diff from logins so either have a pw that is the
reverse of the login or I dunno...?
\_ cypherpunk/cypherpunk
\_ csuamotd/csuamotd works fine for me at a few places. thanks to
whoever set that up.
\_ How about a /csua/pub file of websites with user/pass for each.
\_ soda.csua/password was set up for NYT. |
| 2002/1/4-5 [Computer/SW/Security] UID:23459 Activity:very high |
1/4 http://news.cnet.com/news/0-1005-200-8358574.html?tag=mn_hd \_ Did nweaver post this because he was quoted in the article? :-) \_ This guy picked the Christmas week to notify AOL and then claimed waiting for a week is too long. Hmm. Maybe he just wanted the publicity. \_ The article I read said that AOL didn't even bother to respond to him. It's not just that they didn't fix it in the first week after he reported it -- they didn't even acknowledge that the problem *existed*. Then when he goes public they fix it in 24 hours? Sounds like he was right to go public. \_ At most tech companies, there was no one around to respond to anything from Dec. 22 - Jan. 1. \_ Sounds like the best time to exploit a hole :) \_ I can't think of any legitimate reason for their escalation path for security problems to be broken, even for holidays. Whether they failed to respond out of arrogance or incompetence doesn't make much of a difference. \_ suppose you find a major security hole in AIM. Whom do you email? Does AOL have a special email address hotline for reporting critical exploits? Do they publicize it? I'd guess that the answer to at least one of those questions is "no". So now you're left with filing a bug report using the standard support channels, which most likely get flooded with mail from clueless newbies. Do the real developers field all these questions, or does a low-paid grunt deal with them? Does this support grunt check email every day during his vacation? give him a break. \_ When I call AOL tech support, I usually get prompt and complete service. signed, AOLuser \_ You send it to support. It is the responsibility of their support organization to classify the incoming report correctly and advise their management so they can direct it to the appropriate engineers to repair. An organization the size of AOL doesn't have a single support grunt who goes on vacation and leaves the support email unanswered; they have a large group of people processing incoming support requests, and there's always somebody there. The front line people have more senior people they can escalate things to (usually multiple levels). Even during holidays and weekends, there should be somebody on call in engineering capable of addressing the problem. Coordintaing support and engineering like this is hardly a problem unique to AOL. Oh, and AOL never said they hadn't seen it; they said they wanted more time to work on it. |
| 2002/1/2-3 [Computer/Networking, Computer/SW/Security] UID:23431 Activity:high |
1/1 I'm using SecureCRT over a 33.6 modem to connect to soda, and my
connection consistently is reset after typing just a few
characters (for instance, I couldn't type this post using it).
I've tried ssh 1 & 2; 3des, rc4, and blowfish; and several
different server types, with no improvement. Why is this
happening?
\_ SecureCRT does that with DSL connections for me. Not that bad
but enough for me to curse it or windows.
\_ Could be flaky modem connections or so--although that usually
happens with v.90 (56.6k)--doesn't ssh have some sort of error
checking to make sure no funny business is going on with your
connection? I would try to bring down the connection speed to
1200 and then gradually increase it and see what happens. Also
for fun try another ssh client like TeraTerm to compare. -John
\_ Try putty, it works better than SecCRT on dialup lines (at least
that was my experience when I was in India and had to deal with
the dial up lines there).
\_ putty? barf! Putty was dropping me from a rock solid T1 line.
This is definitely what they meant by "get what you pay for"
when it comes to software. Tera Term takes an extra 30 seconds
to setup, is free, and unlike putty, it works. I'd rather go
back to whistling in the phone then use putty.
\_ I use putty on both T1 and dial-ups. It never drops any
connctions.
\_ I've used SecureCRT on dial-up and over cable and, with the
exception of campus network outtages, have never had problems. |
| 2001/12/31-2002/1/2 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:23421 Activity:moderate |
12/31 Anybody know what's going on with the National Park service web
site? http://www.nps.gov It used to be the most complete web site on
national parks and now it's gone. What the hell?
\_ I think it's a GWB VRWC conspiracy. Soon it'll point to
<DEAD>www.evil_white_men_in_office.com<DEAD>
\_ Hacked by Chinese!!!
\_ The ENTIRE Department of the Interior (which includes the NPS) was
disconnected from the Internet by court order on December 5th (the
result of a lawsuit against the government for poorly securing DOI
computers handling Indian trust-fund accounts). If you visit
http://www.doi.gov it'll tell you that the only Interior bureau currently
allowed to connect to the Internet is the USGS. -- kahogan
\_ I'll bet this was a Bush appointed judge.
\_ Needless to say, the systems found so insecure the DOI had
to be forced off the net were windows based...
\_ http://forum.fuckedcompany.com/fc/phparchives/search.php?search=usgs
\_ Does it only apply to only HTTP or does it apply to everything
including e-mail? |
| 2001/12/27-28 [Computer/SW/P2P, Computer/SW/Security] UID:23378 Activity:very high |
12/30 is it just me, or is kazaa empty right now? did those busts actually
kill it?
\_ or maybe it's because most college kids are at home during winter
break?
\_ Those busts have nothing to do with the gutter-warez you find on
Kazaa. They busted a wholly higher-class of warez-hosers.
\_ DoD hadn't put out anything of note in 18 months. They didn't
bust anyone important to the scene.
\_ They will never bust the most cruical warez ring and that
is the casual copier. They can never stop someone from copying
office from work or giving a copy of the latest game to thier
pals so that they can have a lan party.
visiting a warez page be illegal? conspiracy charges?
please.
\_ Is it illegal to visit warez web sites?
\_ why would it be?
\_ because warez is illegal?
own use and linking to computers software will be
\_ downloading or distributing warez is illegal. why would
visiting a warez page be? conspiracy charges? please.
original. - Bill G.
\_ that's surfing with intent to download! Better
plead no contest and ask for leniency from the
judge.
\_ How do you legally distinguish mere surfing and
downloading? Afterall all these packets of warez
coming to your computer is an act by another computer
while surfing and clicking on links is your action.
\_ yeah... that's just stupid.. i mean, next thing you
know, making copies of stuff you already own for your
own use and linking to computer software will be
illegal...
\_ You shouldn't make copies, you should buy a spare
original. Kids these days with thier Linux/Open
Sources/Free Software. They make me sick. - Bill G.
\_ YEAH! FUCK FAIR USE. FUCKING CONSTITUTION!
FUCKING US CODE!! - Mini-Bill-Me
\_ You napster, gnutella, audio galaxy and kaaza
junkies don't know what "fair use" means.
Fair use means that you have the right to
listen to your original cd in your stereo
and your car. It doesn't mean you can make a
copy for your friends and it certainly doesn't
mean that you can make a near-perfect digital
copy that can be re-distribute illegally to
strangers via the internet. Now you kids need
to stop illegally copying music, movies and
software and start buying it. Otherwise all
the poor artists will have to go back to a
career in food service and start suffering
for thier art and we won't be able to make
the kind of money that is necessary in order
to maintain our land rovers, our pacific
palasides bungalows and our all armani,
versace and bally wardrobes. - RIAA
\_ Start paying the artists instead of
keeping all the money yourself and
I'll consider it.
\_ Strange thing is that all my artist friends
are already on the verge of waiting tables
although in terms of art it is the likes
of Britney who should be in the personal
service business. |
| 2001/12/23 [Computer/SW/OS/Linux, Computer/SW/Security] UID:23354 Activity:nil |
12/22 How do you make OpenSSH 2.5.2p2 works with Debian Linux 2.2 r4?
ssh into this machine kept on getting denied while everything works
fine with OpenSSH 1.2.3 (precompiled for Debian). Does that mean
Debian 2.2r4 doesn't support ssh2x? Thx in advance! - jthoms |
| 2001/12/20 [Computer/SW/Mail, Computer/SW/Security, Computer/SW/Unix] UID:23321 Activity:nil |
12/19 I'm running Redhat 6.1 for about a year with no problems and over
the last 5 days or so it's been taking a really long time to log
into my machine through ssh or ftp. sendmail and samba don't seem
to be working right either, though apache is fine. i'm not even
sure what to look for, any advice?
\_ look for timeouts due to dns - are your daemons waiting for
dns to time out?
\_ have you been applying security patches? if not, do a rootkit
scan. everyone i know who ran such an old install without
patching has been rooted via an ssh vulnerability. |
| 2001/12/19-20 [Computer/Networking, Computer/SW/Security] UID:23308 Activity:low |
12/19 Anyone ever tried ATT Broadband phone service? They have a good
deal right now but I don't want to cancel PacBel, then find that
quality sucks or something, and have to pay a re-instatement fee
with PacBell.
\_ I've got AT&T Digital Phone Service. It is excelllent.
A couple interesting things though: 1) they install a small,
shoebox sized battery somewhere in your house. It keeps
the phone working in a power failure. 2) The installation USED
to be done by a crappy subcontractor company. (inept)
But the AT&T service employees that have since come out for misc.
things have been VERY skilled and helpfull.
Phone, Internet, CableTV all come in through a Single Coax cable.
You can keep your phone number, which means getting worth from
paying PacBells "Number Portability Charge" all those years.
\_ thanks for the info... I was about to sign my post as
"chialea" to try and solicit some responses. |
| 2001/12/19-20 [Computer/SW/Security] UID:23306 Activity:low |
12/19 http://www.theage.com.au/news/national/2001/12/20/FFXPK6KZDVC.html Mmmm! That new car smell! It's only cancer.... \_ One reason to buy used cars. |
| 2001/12/15-16 [Computer/SW/Security] UID:23258 Activity:kinda low |
12/15 I have cable srevice by at&t, but I don't think this is a problem
with my cable service. Basically, I have a linux 2.2 natd box for
connections from my internal network. I have win98/ win2k/linux
behind the natd box. WHen I ssh out (OpenSSH_2.3.0p1 or ttssh),
if I am idle for say, 5 mins, the connection is cut..reset
by peer. Why does this happen, and how do I fix it?
\_ I don't have this problem with a similar setup. Could the other
side be idling you out? I _have_ had that problem.
\_ This is a problem with ipchains. It doesn't have any state, so
it has no idea about connections and things like that, so to keep
from having NAT sessions open forever, it has timeouts for inactive
NAT sessions. I forget where you change this (it's been years since
I used ipchains, since iptables (linux 2.4 filtering) is so much
better.) however, I'll bet money that that is your problem. Look
it up in the ipchains HOWTO, I believe it is in there, and increase
the timeout for TCP, since the default is something low, like 5
minutes. There may be a way to get ssh to send connection keep
alive packets, which would solve the problem without having a large
timout value, so I'd look into that as well. Or, just switch to
2.4, and use iptables. Stateful packet filtering is your friend.
-- ajani
\_ thanks! when i was using ipf on openbsd I kind of took this for
granted.
\_ NAT is stateful by definition. You can't do NAT without keeping
session state information. NAT session timeouts exist in all
implementations, not just ipchains because if you don't expire
the idle sessions, there is a higher chance that the NAT session
state table will eventually fill up. What Linux iptables adds is
a session state tracking for non-NAT sessions as well.
\_ Uh, the ipchains NAT session timeout default is way bigger than
a few minutes. Check the HOWTO, it is more like several hours. |
| 2001/12/11-12 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:23214 Activity:very high |
12/11 http://www.google.com/googlegroups/archive_announce_20.html \_ http://groups.google.com/groups?selm=3lje5o%24n7h%40agate.berkeley.edu \_ Does "Usenet newsgroups" mean all the newsgroups I can see when I run trn? Are there newsgroups that are not Usenet newsgroups? Confused. \_ It means Usenet groups before the big re-org. talk.* and net.* stuff. It doesn't have my 1985 posts, but it does have some 1986 stuff I wrote... It scares me. \_ Say, what newsgroup did the Ahm/Blojo incident happen in? \_ ucb.erotica.sensual, but I can't find the exact original posting, just aftermath signs such as: http://groups.google.com/groups?start=100&hl=en&group=ucb.erotica.sensual&selm=4a1t98%24nk0%40agate.berkeley.edu http://groups.google.com/groups?start=100&hl=en&group=ucb.erotica.sensual&selm=frrawx7xfx.fsf%40sigma.veritas.com Anyone have the original ahm/blojo postings archived? -alexf \_ http://groups.google.com/groups?q=+%22tawei+liao%22&hl=en&scoring=d&rnum=8&selm=58t1r7%241ev%40agate.berkeley.edu \_ is this for real? real or not, did it work? \_ http://www.ereview.com/archive/tawei Status: single Must not have worked... \_ Hmm...what happened to Tawei? He was quite a character. \_ http://groups.google.com/groups?selm=3ljdjg%24mu6%40agate.berkeley.edu http://groups.google.com/groups?selm=31jp6o%24oc2%40agate.berkeley.edu http://groups.google.com/groups?selm=2ron5j%244iu%40agate.berkeley.edu |
| 2001/12/7-9 [Computer/SW/Security, Politics/Foreign/Europe] UID:23179 Activity:high |
12/7 What is the best way to transfer funds between accounts in U.S. and
another country (in Europe) without fee or getting riped off
by special conversion rate? The amount is small and just to cover
my expenses when I travel or order internationally, i.e. < $2000.
\_ My dad has a US checking account at B of A. Every month I make
a deposit to his account at a branch here, and he withdraws the
money at a branch in Hong Kong. No transaction fee, but I don't
know if the conversion rate is the same as the standard rate.
\_ I asked at the Bank of America in Hong Kong whether
one can access his US account in HK, the answwer I get
is plain no, as Bank of America Asia supposedly cannot
access account of its parent bank in US. If you are
converting from USD to a foreign currency, you are bound
to pay a conversion fee (3% I think in most banks). You
can open an USD account in a more established financial
houses (like SG), so you can withdraw funds outside of US
much more easily. But for $2000, it's easier to get
travel's checks.
\_Tnx for the reply. However often the need to transfer
money arises and the amount becomes known while I am outside
U.S., not to mention carrying traveler's check is like
carrying cash other than being much safer.
\_ I've heard from a lot of people that ATMs are good,
you get better (minimal but still significant)
fees. Better than changing cash out.
\_ but you cannot deposit foreign currency to your account
from abroad.
\_ Go back and read the stated objective, duud.
\_ Use your credit card. You'll get the best exchange rate
and if you pay it off, the fee will be minimal. No cash
that you need to carry which should eliminate the cost of
foreign->US.
\_ Depends. While I was in Europe this past summer, it was
cheapest for me to just withdraw cash from ATMs: BofA
was tacking a "foreign currency conversion fee" to each
of my CC transactions, while for the ATM withdrawals, I
was getting the interbank exchange rate without any
additional fees. When I lived in Germany, I had my
paychecks direct-deposited to my credit union account
in the US and paid for everything in cash: if my needs
exceeded the daily transaction limit, I planned ahead
and visited the ATM multiple days in a row. If you
want an account at a bank that has a presence on both
sides of the Atlantic, I've heard that Citibank and
HSBC are good choices for US->Europe expatriates,
although I have no experience with either. -- kahogan
\_ which ever route you choose, make sure you don't go to
the foreign currency exchange booth at traverler's spots.
Their rate is horrible. (something like 8%)
\_ That's strange. Maybe my dad makes his withdrawal by writing
himself a check and then cash it at a B of A branch there?
I've never asked him.
\_ The more I think about it, this is a good way for money
laundry.
\_ Yes, this is exactly how my father got money at a BofA
branch in Taiwan. |
| 2001/12/6-7 [Computer/SW/Security] UID:23162 Activity:moderate |
12/5 Did anyone figure out why people are getting those
"ssh_exchange_identification: Connection closed by remote host"
errors?
\_ Too many people were trying to connect to soda at once, and
openssh started dropping connections. I've turned up the
maximum number of unauthenticated connections, so everyone
should be able to connect now; please let me know if these
errors come back. --mconst
\_ yer the best mconst!
\_ i usually try "ssh -1"and it works. there's
probably a big nasty security hole in there i don't
care about.
\_ This morning I tried logging in from outside and I got this error.
I then tried it again right away and it worked. I've never seen
this error before. |
| 2001/12/5 [Computer/SW/Security, Computer/SW/Unix] UID:23147 Activity:low |
12/4 Is there a way to run a proram from another machine, without
having to log into that machine? Specifically, I'd like to run
an xbiff icon from another machine, on my local machine (so I can
tell when that account gets mail). I'd like not to have to keep
the extra xterm open on my local machine.
\_ "ssh -X foo@bar.com xbiff" might work. After you enter your
password you can background the process (or you can & it if
you have DSA stuff set up).
\_ or just ssh -f foo@bar.com xbiff
and it will background itself (you only have to give -X if
whoever set up the client explicitly made X forwarding off by
default)
\_ Run a cron job on the remote host. Have it check if your xbiff is
running and if not, run it with the appropriate parameters/env. |
| 2001/12/5-6 [Computer/SW/Security] UID:23144 Activity:moderate |
12/5 Has there been a ssh change? Protocol 1 no longer works, and
protocol 2 has problem with
ssh_exchange_identification: Connection closed by remote host
\_ It could be AT&T (I've noticed the same thing) but there's also
a recent vulnerability found in ssh1.
\_ It's not AT&T -- this just happened to me and I have DSL.
I was able to login after a couple of minutes though. Anyone
know what's going on?
\_ I had the same problem from work and we have a T3 (not att).
\_ I've been having the same difficulty. I attribute it to rampant
packet loss into/out of EECS. |
| 2001/11/9-10 [Computer/SW/Security] UID:22994 Activity:nil |
11/9 In case you though your money was safe:
http://www.theregister.co.uk/content/55/22751.html |
| 2001/11/5-6 [Computer/SW/Security] UID:22943 Activity:high |
11/5 In ssh1, I can make passphraseless keys that let me login from one
place to another without typing a password/phrase (yes, yes, I know).
How can I do this with ssh2? My man pages aren't helping with what
I need to put into what files to use passphrases instead of passwords.
I know how to make the key, just not what to do with it. Thanks!
\_ copy .ssh/id_dsa.pub from your local machine to
.ssh/authorized_keys2 on the foreign machine. - danh
\_ And chmod 600 ~/.ssh/authorized_keys2 --dbushong
\_ Did both of these things and it still falls back to the
password auth... help? Does it have something to do with
either the IdentityFile or AuthorizationFile settings in
sshd2_config?
\_ add the "-v" flag when sshing, does that tell you
anything useful?
\_ Ok, I got it, thanks all. Our machines had the http://www.ssh.com version
installed which works a little differently than soda. I needed to
specify the dsa and pub files in the identification and
authorization files with some trivial syntax. This is from a pdf
off <DEAD>www.ssh.com's<DEAD> support website. Nothing in the man pages about
it. I guess that's how they make money with support and services.
What danh and dbhushong said worked perfectly with soda which had
me confused for a bit. And -v was pretty useless, unfortunately. |
| 2001/11/5-6 [Computer/SW/Security] UID:22939 Activity:high |
11/5 I crossed the Dumbarton bridge westbound this morning. Not a single
Coast Guard or cop I saw along the way. What tight security.
\_ I drove my van across the Bay Bridge on Sunday. I saw a lot of
Coast Guards but no one checked my van. What tight security.
\_ the best security is security you dont see
\_ Really... what... are the military using thier high tech
cloaking device or holding on underneath the bridge? or do
they have sniper men miles away....
\_ It's like the CDA in Monsters Inc. When shit happens, they
just appear 3 seconds later.
\_ You expected every truck and van to be stopped? Because of some
vague warning? Yes, let's just stop everything everywhere because
hey, ya know, something *might* happen.
\_ This is why Davis should have kept his mouth shut.
\_ Because it wasn't targeted. The Bay Bridge and Golden Gate were.
I drive the SM and there are CHP patrol cars at both ends.
\_ I usually take the San Mateo Bridge, but these few days I am so
so paranoid that I take Dumbarton instead.
\_ that's fine. But if they don't stop my van when I crossed
Bay Bridge, how are they going to stop simultaneous attack
on the bridges? Dumb fucks.
\_ The bridges were built to withstand 7.0 earthquakes.
There's not much your van can do to seriously damage them.
The real risk is the cables on the suspension bridges.
\_ You think if Timothy McVeigh could make one trunk bomb
that could cut through the multi-story fed building like
a cake, the Al Qaida folks can't make the same bomb and
blow a big hold on the bridge surface(s)?
blow a big hold on the bridge surface (or two surfaces if
they explode it on lower-deck Bay Bridge)? Besides, for
the suspension ones, if the cables are gone, the bridge
falls, right? |
| 2001/10/29-30 [Computer/SW/Security, Computer/SW/OS/Solaris] UID:22862 Activity:nil |
10/29 I found "sftp" on my Solaris machine, but I couldn't find the man page.
Can someone tell me how to specify a user name different from my
current login? I tried "-l username" like in ssh, but it doesn't work.
Thanks.
\_ Well, if it's anything like sftp on soda:
soda ~ [12:57pm] sftp -h
usage: sftp [-1vC] [-b batchfile] [-osshopt=value] \
[user@]host[:file [file]]
--dbushong |
| 2001/10/29-30 [Computer/SW/Security] UID:22857 Activity:very high |
10/29 I tried ssh'ing to my csua acct from my csua acct to test
ssh-agent and X11 forwarding. Neither worked, so I created a
~/.ssh/config file with the following lines:
Host *
ForwardAgent yes
ForwardX11 yes
Now, X11 forwarding works, but ssh-agent forwarding still
doesn't. Any ideas?
\_ perhaps your ssh to CSUA from whereever you are (say at work)
doesnt have X11 forwarding either, whether by buildtime lack
of support or runtime option. ssh -v is your friend. -jon
\_ But X11 forwarding works now, but not agent forwarding....
\_ oops sorry, got the order reversed when i read your sentence
\_ Ok, it works if I use ssh -1 csua, but not otherwise. Is this
a known issue? |
| 2001/10/24-25 [Computer/SW/Security] UID:22820 Activity:moderate |
10/24 My sshd used to accept connections from machines without matching
reverse lookup. Then, all of a sudden, today, it stopped. I changed
resolv.conf to use a nameserver with made up ptr records and it works
fine, but the question remains, What changed? There is no indication
that sshd has been restarted since the machine was 60 days ago. This
is on solaris, using (foolishly) F-secure sshd 2.0-2 which is also the
same as it has been. (i did stop some services 2 days ago, but nothing
that should effect this).
\_ You've been hacked.
\_ Maybe you have edited the hosts.allow or hosts.deny files and
added or removed some rules on those? This would apply if sshd
was compiled with support for tcp wrappers.
\_ Or it actually _was_ doing reverse lookups and your DNS broke. |
| 2001/10/21 [Computer/SW/Security] UID:22789 Activity:very high |
10/21 If I ssh into machine A and then ssh into machine B and then back
into machine A, is that slower than if I ssh into machine A and
stay there?
\_ Yes, in theory but if your pipe from you to A is smaller than the
pipe A <-> B it may not matter much. If you're only typing over
this link it won't matter at all. If you're sending data through
an ssh tunnel then it could matter a lot.
\_ What kind of answer is this? Don't answer questions you know
nothing about. The correct answer is that your latency will
be increased by double the amount of the latency of your A->B
link but your bandwidth should not be effected.
\_ The verb you're looking for is "affected."
\_ Unless your subject is psychology, you will seldom
use the word affect.
\_ wtf are you talking about? "affected" is the correct
word here. "effect" is seldom used as a verb. |
| 2001/10/18 [Computer/SW/Security] UID:22766 Activity:high |
10/17 what language uses explicit scope?
\_ what's explicit scope?
\_ it's a language that lets you say, "function foo has access
to var A, and function bar has access to var B"... no matter
where they are. think of it as specifically putting an ACL
My friend had to have his ACL replaced. He _/
was on crutches for weeks.
on each variable as to what function can access it.
\_ BASIC. |
| 2001/10/16 [Computer/SW/Security] UID:22752 Activity:low |
10/16 Soda's ssh host key appears to have changed in the past month or
so. Is there a way to check the current fingerprint? -phr
\_ Sure it's not just that newer versions of ssh also tie the host
key to the resolved IP address, which just changed? |
| 2001/10/15 [Computer/SW/Security, Computer/SW/Unix] UID:22738 Activity:high |
10/15 I want to restrict a user on a linux box from logging in,
i only want someone to be able to "su" to this account.
how do i do that?
\_ why? if they can su to the account, they get the same privs as if
they'd logged in. If they can su, they are already logged in...
\_ Set there starting shell in /etc/passwd to something that exits
immediately.
\_ then you won't be able to su to that account
\_ Yes, you will. You won't be able to su -
\_ when you su to a user, it exec's his shell.
Get a clue. -tom
\_ You mean su -m (or the equivalent) su - means "not only run
their shell, but do it as a login process"
\_ set the password to * in /etc/passwd or /etc/shadow; barring
publickey ssh authentication, the account should be only
su-able -max
\_ Ding ding ding. Max rocks. --#1 max fan |
| 2001/10/14-15 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:22734 Activity:very high |
10/14 What is the "best" (reliable, secure, supports IMAP) free web-based
email service? Is hotmail good?
\_ I have had no problems with squirrelmail.
\_ IMP (component of horde) works great for me.
\_ I installed IMP a couple of years ago. I wasn't impressed.
Has it gotten better?
\_ Bah! I use mail to read mail! Anything else is bloat!
- freebsd #1 fan
\_ Hi Paolo! |
| 2001/10/9-10 [Computer/SW/Languages, Computer/SW/Security, Computer/SW/WWW/Server] UID:22674 Activity:very high |
10/9 so when is Berkeley's DNS supposed to be updated with soda's new
address?
\_ when i get done working taking over the world. --phillip
\_ that's my line - the brain
\_ HAHAHAHAHAHA!
\_ At 3am every day
\_ also, when is the web server going to be running again?
\_ the joyride is over! call verio!
\_ Apache doesn't like it when you don't have a valid name.
Probably tomorrow. -tom
\_ will emails received during the downtime be cached, rejected,
or sent to /dev/null?
\_ /dev/yermomisabigfatbitchbiggestbitchinthewholewideworld -root
\_ they should be delivered once the name gets updated tonight. -tom
\_ root is just so ... rude!!11!
\_ you get what you pay for. if you want quality service
try a professional colo
\_ they'll all be forwarded to the FBI.
\_ ln -s /dev/null /dev/fbi |
| 2001/10/8 [Computer/SW/Security] UID:22665 Activity:nil |
10/7 I'm starting to dig rsync and ssh. There's some
caveats that aren't clear to me yet such as how to
create a passphraseless key but still be able to limit permissions
on the key. Anyone know how to do that?
\_ keychain might be the best you can get-- it keeps your ssh-agent
running as long as the machine is not rebooted. That way, you
can log in to foo, start ssh-agent running in the background,
add your identities, and use 'em till foo reboots.
http://www-106.ibm.com/developerworks/linux/library/l-keyc2
\_ What do you mean? Without a passphrase on your key,
anyone with root on the machine your "identity" is on
can read your key and use it. With a passphrase, someone
with root can STILL get your key, but they have to work harder.
If your key is on a machine that you're certain won't be
compromised, with absolutely trustworthy root, then you don't
need a passphrase. If your key is in an NFS-exported directory,
you need a passphrase.
[ reformatted ]
\_ I think what he's trying to say, is that is there a way
to set group permissions on a passphraseless key so the key
can only be read by a certain gid (i.e. group foo).
I don't think this is possible.
\_ You don't need a passphraseless key; you can just use .shosts.
\_ unless you don't administer the box.. grr... |
| 2001/10/6-7 [Computer/SW/Security, Computer/SW/RevisionControl] UID:22654 Activity:high |
10/05 I am have several accounts each with useful files and I often
travel. I am looking for some software that create a virtual file
system transparently and securely distributed over several locations
that allow me to access them no matter where I am as if it is some
file on whatever account/computer I am using. I have seen some
"meta-frame" program for Win2000 on my friend's PC but it must be very
expensive, for large companies and perhaps only works for win2000.
Please recommend a low budget or free solution, either *nix or
preferabbly multi-platform. Ok tnx.
\_ You may try a file synchronizer, like /usr/ports/net/unison.
It works on unixen and windows (and is written in Ocaml to boot!)
-- ilyas
\_ I assume that you will have net wherever you are...have you
considered just scp'ing/running rdist via ssh? That's kludge-y
but assuming your boxes are on the net, it'll work. Otherwise,
if you run the machines, you can run an ipsec vpn between them
and (ugh) nfs mount between machines. Both of those would
be free. -John
\_ It sounds like cvs would be a good solution. With cvs, you
set up a repository somewhere on your home machine and then
you can check out/check in files from wherever you are via
ssh. Basically you set CVS_RSH to ssh and you set CVSROOT
to something like :ext:me@mymachine.net:/home/cvsroot. Then
use cvs checkout, cvs add, cvs update, cvs commit, etc. See
the cvs info file for details. I've been using this method
to work on files from home, school, and my laptop. -emin
\_ Thanks for all the answers. It seems that VNC tunnled through
ssh plus AFS are what I need, if I have the foo to manage it.
By the way, can AFS traffic be encrypted, say over ssh? |
| 2001/10/6-7 [Computer/SW/Security] UID:22649 Activity:high |
10/5 Why do people think IMAP is betting than POP3 here? Is this an
security issue?
\_ Vegas has the best odds when you're betting.
\_ IMAP has a superset of POP3 functionality.
\_ IMAP stores messages and folders on the server. This means you can
access them and from any machine that has an IMAP client. Email
and folder content stored on the client is just a cache. This allows
all IMAP clients to see the same view. In addition, clients can
resync their folder cache and manage folders and email offline.
This is useful when you read email from a number of
different machines regularly and want one interface to all your
various email accounts.
\_ IMAP _can_ store folders on the server. That's how most clients
are implemented. The protocol can also download and delete just
like POP. |
| 2001/10/4 [Politics/Domestic, Computer/SW/Security] UID:22625 Activity:insanely high |
10/4 Someone please tell me why making airport security screeners to be
federal employees going to help? I've seen government employees and
they're still underpaid, laid back, and don't give a damn about you.
\_ as opposed to airline employees?
\_ just look at it this way: they can't get any worse.
\_ Federalizing security means that the employees have to go through
a basic security check, get paid on a wage scale, get benefits,
and can make it into a career. It's also a draw for those just
leaving the military. Crimes against airport security become
federal crimes and can draw on the resources of the military.
\_ The law also allows the fed to conduct polygraphs test on all
Federal employees.
\_ I thought the US military is not allowed to act against US
civilians even if the civilians are criminals.
civilians even if the civilians are criminals. Is it written in
the constitution or something?
\_ You have made an unpatriotic statement. Report to the termination
vats immediately.
\_ ^termination vats^Al Qaeda training camps
\_ how is this statement relevant? -jon
\_ The previous poster said "...... federal crimes and can
draw on the resources of the military."
\_ A better response might be "why is this bad engrish"?
anyway, the US Military has been called upon to commit
acts against US citizens before. EO 9066 --jon
\_ I had also meant to write ".. draw on the resources of
the federal government." I was thinking of the FBI and
the newly created Office of Homeland Protection. Better
resources than the local politzi.
resources than the local politzi. Plus federal money
to fund better security toys. |
| 2001/10/2 [Computer/SW/Security] UID:22622 Activity:nil |
10/2 Serious question: What should I do if I have my SSN, birth date,
address, and other personal information stolen?
\_ if you have material loss, report to the police. Not that they
can help you much, but at least the court won't think you're making
up stories of losses. Call up your banks/brokers, and let them
know you have your id info stolen. Then tell them that no one
from now on can access your account without
a password which you will tell them. Check your account frequently.
Unfortunately, this is about all you can do. You may choose to move
your assets to a different, less popular bank so the theft will less
likely to hit you again.
\_ also call the credit agencies and put a fraud alert on your record,
this will make it more difficult for whoever has your personal
information to open new accounts in your name |
| 2001/9/21-22 [Transportation/Bicycle, Computer/SW/Security] UID:22583 Activity:high |
9/21 How is the government going to enforce the backdoors in the open source
encryption software considering that it will be trivial to remove them
given that you have access to the program source?
\_ i just want to say something about all this encryption backdoor
stopping the terrorist horseshit. If you have a good network
of human couriers that can act as go betweens once a year or so,
you can communicate the key to a one time pad generated by
a random noise source like jonson noise or something. no one
can break it, and even a moron can use it securely. The NSA knows
this of course. they want to read YOUR mail, and make morons
feel safe; this has nothing to do with stopping real threats.
\_ Practically none of the security restrictions have to do
with stopping real threats. You can drive across the Golden
Gate but you can't bike across. You can hide a knife in your
boot getting on a plane but not in your bag. It's
a predictable reaction. -tom
\_ Maybe they're worried about bikers/pedestrians getting
killed by a bomb. Who cares about car drivers?
\_ allowing unruly bikers across the bridge (which i may add has
the variable # of lanes in either direction) would cause
drivers to have more accidents, since bikers will swerve
into traffic and assume the car drivers will sacrifice their
vehicles to save the bikers life. (from experience in SF
downtown traffic commute).
\_ Are you a complete idiot? There are SIDEWALKS on the
Golden Gate. -tom
\_ What does your bike-across-the-bridges fetish have to do with
terrorism and encryption?
\_ They closed the sidewalks on the Golden Gate as a
response to the terrorist attacks. -tom
\_ Remove the backdoors from the source code? You mean removing them
by altering the encryption scheme?
\_ I think you should do a little reading on this kind of thing
first. Then if you still don't understand you can ask your
question. |
| 2001/9/21-22 [Computer/SW/Security] UID:22579 Activity:nil |
9/21 Encryption is in trouble:
http://www.theregister.co.uk/content/55/21791.html |
| 2001/9/20 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:22556 Activity:moderate |
9/20 In Netscape for NT, how do I find out whether it's a 56-bit or 128-bit
version? Thanks.
\_ about: doesn't work for you?
\_ It says" This version supports U.S. security with RSA Public Key
Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, DES-EDE3-CBC."
Does it mean 56-bit or 128-bit?
\_ U.S. security probably means 128-bit (as opposed to 40-bit
export security) |
| 2001/9/20 [Computer/SW/Security] UID:22545 Activity:very high |
9/20 There was something in the last meeting minutes about running
crack/ripper on the passwords and emailing people about changing
thier passwords. Has this been done?
\_ aye. in process.
\_ Any idea when emails will be sent out?
\_ What's that all about?
\_ I find this offensive and think logging in should be restricted
for 24 hours.
\_ Good, bring it before politburo, and I'm sure they'll be glad
to hear your case. -dans
\_ What does enforcing password changes have to do with login time?
\_ What does enforcing password policy have to do with login time?
\_ I think you are beginning to see his point. |
| 2001/9/20 [Computer/SW/Security] UID:22544 Activity:very high |
9/20 A problem for you: Tom is NATed behind a firewall. He SSHes out to a
remote machine which is ALSO NATed and behind a firewall. (the remote
FW has a redirect to the remote internal machine which is how he can
ssh to there). Tom would like to run an X-term on the remote machine
and have it (tunnled through ssh obviously) display on his local machine.
Assuming he has root on the remote box and his box, but that any access
to either firewall (especially the remote one) involves painful red-tape,
What is the easiest way for tom to accomplish his objective.
\_ "X11Forwarding yes" in your sshd_config and use "ssh -X" to
get to machines.
\_ Error: Can't open display:
\_ chances are your error is unrelated to the NATing.
\_ I agree with my esteemed collegue.
\_ It is more likely due to your broken ass boxes
\_ Indeed. If you can ssh successfully, it can forward X. |
| 2001/9/19 [Computer/SW/Security, Politics/Foreign/MiddleEast/Iraq, Computer/SW/Unix] UID:22516 Activity:nil |
ladenix 5.0 (jihad) login: _ |
| 2001/9/18 [Politics/Domestic/911, Computer/SW/Security] UID:22507 Activity:insanely high |
9/18 http://news.cnet.com/news/0-1005-200-7215723.html?tag=mn_hd " U.S. citizens back encryption controls " Right, only American companies can write encryption code/product, and the intelligence failure to warn the attack is due to, or partly due to encryption products! Classical "not my fault" syndrome. Let's ban commercial airlines because their planes are used in the attack. Let's ban all knives because they are used in the attack. \_ lets ban all people because they were used in the attack. \_ Let's ban religion. religion is the root of the Northern Ireland \_ Try economics. There's not much that was ever perpetrated solely because of religion. People aren't that pious, no matter what they may say. conflict, Palestine, Pakistan/India, and various historical atrocities. Not to mention the Holocaust, Cyprus, Kosovo, etc. atrocities. That's the one thing I didn't mind about China and USSR. Freedom FROM religion. I guess I don't mind Buddhists. They never slaughter anyone. (right? i'd be interested to learn otherwise.) \_ Tibetan Buddhism was the state religion of the Mongol Khans, \_ Tibetan Buddhism was the state religion of the the Mongol Khans, possibly the most murderous forces in known history. Zen Buddhism, as connected with Imperial Shinto during the years leading up to the Japanese expansion, was part and parcel with the philosophy that guided that set of warriors. \_ So is there such a thing as a religion that doesn't have significant blood on its hand? \_ Quakers? \_ Well, I see that as just being their personal philosophy, and not something that actively caused strife. I mean, I don't think they cared what religion other people were when they were conquering them, they just wanted to conquer them. That's good, honest conquest. They weren't haters. \_ Imperial Shinto? Zen Buddhism is very different from Shinto. What is your source? \_ The Shaolin monks in ancient China once fought for an emperor in the Tang dynasty against rebels in the region. I think in return the emperor gave the Shaolin temples exclusive rights among all Buddist temples to openly practise martial arts, or something like that. But that you can say they fought for a good cause. in the Tang dynasty against rebels in the region. But that you can say they fought for a good cause. \_ yeah, nothing wrong with that. no hatred, no frothy fervor. \_ lets ban the internet in the US! I guess I don't mind Buddhists and Hindus. They never slaughter anyone. I guess I don't mind Pengiuns. They never slaughter anyone. That's good, honest conquest. |
| 2001/9/13-14 [Computer/SW/Security] UID:22438 Activity:nil |
9/13 Well, the anti-crypto people are at it again:
http://www.wired.com/news/politics/0,1283,46816,00.html
\_ "They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin:
Motto of the Historical Review of Pennsylvania, 1759 |
| 2001/9/13 [Computer/SW/Security, Politics/Domestic/911] UID:22421 Activity:high |
9/12 This is probably the scariest thing I've read all day:
http://www.opinionjournal.com/extra/?id=95001106
\_ I heard the FAA is going to add another question at the checkin
counters: "Why are you travelling." Yeah, they're going to block
the terrorists when they answer "Well, I'm planning to hijack this
plane." I feel safe now.
plane." |
| 2001/9/13 [Computer/SW/Security] UID:22420 Activity:nil |
9/12 There are people looking for loved ones inside of New York City.
C'mon computer geeks! Can't we setup an online forum/system
service to help match people with loved ones in New York City?
\_ This has been left as an excersize for the poster. But seriously,
without adequate bandwidth and pubilicity I'm not sure how
useful the effort would be?
\_ that's why you are computer geeks, right? You are capable.
Slashdot, newsgroups, people who want to donate
ISP space...
\_ There already is one. At Berkeley, too.
\_ URL?
\_ <DEAD>safe.millennium.berkeley.edu<DEAD>
It has bw and server capacity. it's on the news. --jon
\_ It's all over the wires as well, as a matter of fact. -alexf
\_ some people can be so insensitive. They are adding names
(on the other services) like Beavis and Butthead and
Christina Aguilara. |
| 2001/9/11 [Computer/SW/Security] UID:22378 Activity:very high |
9/10 Why does OpenSSH default to "ForwardX11 no"? Given X11's lack of
encryption, isn't this the best way to do X11?
\_ X programs can do more than just open windows on your desktop --
they can also do things like capture images of your display (as
xwd does) or intercept the keystrokes you type (as most window
managers do).
This means that, while it's safe to telnet to a random machine you
don't trust -- it can't do anything to your local account -- it's
*not* safe to ssh with X forwarding to a random machine, since
that machine could (say) start monitoring the passwords you type
into other windows.
\_ Yes, but they believe X11 forwarding should be something you
request as it can open security holes if you do it wrong.
\_ So what can I do wrong when using SSH's X11 port forwarding
\_ So what kind I do wrong when using SSH's X11 port forwarding
that would open a security hole?
\_ xhost +, which would then allow anyone on the remote machine
to snoop everything you type, completely destroying the
usefulness of ssh
\_ This doesn't make sense. Why would someone who is using
ssh want to use xhost at all and if you do "xhost +"
it shouldn't matter whether you use ssh or not because
either way there is a huge wide open hole at this point.
\_ less things to try to hack. period. |
| 2001/9/7-8 [Computer/SW/Security] UID:22349 Activity:very high |
9/7 The DMCA just plain sucks:
http://news.cnet.com/news/0-1003-200-7079519.html
\_ Why are all you liberals trying to get things for free?
\_ This is not about things being free. I don't mind paying for a
good security solution. What I don't like is the fact that most
people are scared into silence by the DMCA.
Let's say that RSA, DH or AES was covered by DMCA and I found
a weakness. I'd be scared of reporting my findings because I
don't want to do hard time in a federal jail for violating the
DMCA. If I don't report my findings people will continue to use
a compromised security system. Someone less scrupulous than I
may discover the same weakness and exploit it, which is very
frightening.
\_ yeah, everybody should pay for everything, all the time. listen to
the whims of the corporations. screw fair use too!
\_ As inconvenient as it might be to your conservative agenda,
we still have the freedom to speak and think freely.
\_ Liberals are the ones who try to limit freedoms.
\_ Who is the one locking everyone up?
\_ The Feds, regardless of political associations,
have always been about locking up people. That's
why we have the second amendment. So that they
can't take your rights from you. |
| 2001/9/6 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:22322 Activity:low |
9/5 does shit like this still happen?
http://www.techlawjournal.com/courts/kathleenr/20010306op.asp
or is that only in backwater states?
\_ um dude, that's livermore, ca.
\_ and what's wrong with it? an idiot woman brought an idiot suit
to court, and the case was dismissed. BFD.
/- I think she IS an idiot, trying to make up for her own
bad parenting skills. Obviously, this kid knew what he
was doing; (printing his school schedule over the top
of a "scantily clad woman"--how much money did he get
for that from his buddies?) the library was just a means
to an end. --sowings
\_ I don't think the woman is an idiot. I think this scum is smart
enough to realize that she can probably make some quick bucks by
filing this idiot suit and reaching a settlement. Oh did she
remember to get the media involved? Oh she might even be able to
write a book afterwards on how her son's innocence was violated
and how she was physically and emotionally hurt and how she
spent years in turmoil before she recovered and blah blah blah.
\_ You are right, this is terrible. Those librarians should be shot. |
| 2001/9/1 [Computer/SW/Security] UID:22315 Activity:nil |
8/31 check it out. Logged in from explorer on a mac (to csua/ssh)...
SODA_1% which ssh
/usr/bin/ssh
SODA_2% ssh me@x.x.x.x
SODA_2% history
1 23:09 which ssh
2 23:10 history
it's like i just hit "enter" instead of the ssh command. what up? |
| 2001/8/31 [Computer/SW/Security] UID:22312 Activity:nil |
8/31 Is it ok to ssh to a remote machine as root? I need to write a script
to do some administration jobs in a remote machine. Should I do ssh to
the machine as root and then execute a command or ssh as a normal user
and then use sudo to execute the command?
\_ It really ends up equivalent. SSHing directly as root is probably
easier. /etc/ssh/sshd_config
PermitRootLogin yes
IgnoreRhosts no
RhostsAuthentication no
RhostsRSAAuthentication yes
Then, as root on the _server_ ssh back to the _client_ to get a copy
of the client's host key in your known_hosts file. Now just make
sure you have the client in the server's root's .shosts file, and
you should be good to go. |
| 2001/8/30-31 [Computer/SW/Security] UID:22297 Activity:nil |
8/30 Well, it was bound to happen; a worm masquerading as a security advisory:
http://www.theregister.co.uk/content/56/21376.html |
| 2001/8/29-30 [Computer/SW/Security] UID:22285 Activity:kinda low |
8/28 I use my cory account to ftp from campus labs when secure
alternatives aren't available, so I basically treat it as
hacked/hackable. But assuming that I need to get to soda from
cory, which is more secure-- password-based normal logins, or
password-protected DSA files? Or are they both about the same?
\_ Why are secure alternatives not available? You can always use
scp to transfer files or just log in with Java ssh with those
library machines.
\_ I use the NT/Mac machines in Evans/Wheeler/LeConte. I've
never once been able to use scp/sftp... something about
incompatible ssh versions.
\_ probably not incompatible ssh versions, probably that
they just have some free windows ssh client that doesn't
support scp. Try just using the command-line windows
ftp combined with s/key. That should do the trick.
- rory
\_ Is there a good web s/key calculator that doesn't need
java?
\_ Get WinSCP. Very good graphical scp for just this issue.
http://winscp.vse.cz/eng --scotsman
\_ WinSCP has some pretty nasty UI issues. Better than
nothing though.
\_ Also PuTTY/PSCP (Google search "putty") -- schoen
\_ I think the problem is that these apps aren't installed
in campus labs. I've mailed admin about it; no response. |
| 2001/8/23-24 [Computer/SW/Security] UID:22219 Activity:kinda low |
8/22 Someone mentioned something about using scotch to get to CSUA via
port 80. How do I get an account on scotch?
\_ if you drink enough scotch, you won't care about this stuff.
\_ ask for an office acct. get your sid and come to 343.
\_ scotch port 80 forwards to csua.
\_ some nice person should post how to use the port
forward on scotch, i can't remember right now
\_ ssh http://scotch.csua.berkeley.edu -p 80. is that what you are asking?
\_ though ssh is idiotic and doesn't include ports as part of
the host definition in the known_hosts file, so this will
tend to confuse it. You're better off putting:
Host soda
HostName http://scotch.csua.berkeley.edu
Port 80
in your ~/.ssh/config file, and then just "ssh soda"
--dbushong |
| 2001/8/21 [Computer/SW/Security] UID:22196 Activity:nil |
8/20 Anyone have exprience with Broadbandnow as a high-speed internet
service provider? How is their service, bandwidth, etc.? thanks. |
| 2001/8/21-23 [Computer/SW/Security] UID:22195 Activity:high |
8/20 anybody have an ssh-over-http tunnel to soda that they're willing to
share?
\_ http://www.csua.berkeley.edu/ssh ?
\_ doofus. he wants to run ssh using http as base for an IP layer.
\_ I was looking for this a while ago. There's some stuff on the
open source sites but I don't recall which. Try freshmeat and
then sourceforge. I don't think it was on http://kernel.org.
\_ use scotch
\_ Actually I have been looking for a ssh-over-http tunnel
that actually uses HTTP protocol, as tcp/80 can get intercepted
by annoying http only things like caches and proxies.
\_ That would be very painful. HTTP makes a very poor
interactive protocol - the header overhead would kill you.
\_ people behind corporate proxy servers don't have a choice.
do you have any better alternatives? |
| 2001/8/20 [Academia/Berkeley/Ocf, Computer/SW/Security] UID:22191 Activity:high |
8/20 http://socrates.berkeley.edu:7015/email I've graduated many years ago. How are they going to enforce my soda account termination? \_ we can port and run re-reg (from the ocf). \_ the ocf hasn't run re-reg in years, and has no intention of running it anytime soon. \_ maybe. maybe it will now. Maybe you ought to think about options. Looks like a non-issue for now tho. \_ "years" meaning, what, 3? \_ What's the page about? My browser can't find it with the URL above. |
| 2001/8/20 [Computer/SW/Security, Computer/SW/Unix] UID:22180 Activity:very high |
8/20 [this is a copy of a message from Mike Clancy, posted here to gather
ideas]
I'm designing a "security" quiz for 9E. Topics I've thought of so
far include file permissions (what should be readable/executable and
what should not), the sequence of directories in $PATH, use of xhost,
and setting up ssh access. I'd appreciate any other suggestions you
might have.
\_ why setuid/setgid shell scripts are bad and typically not supported.
how to resolve of the problems with setuid shell scripts and
chgrp, why chown is restricted to superusers.
the limitations of those "solutions"
Why setuid/setgid programs are good/bad
chgrp, why chown is restricted to superusers. --jon
\_ directory permissions: difference between r-x and --x
and how command line args (e.g. vi filename) show up in ps output
\_ What the sticky bit is, and why you would use it.
\_ Why /etc/passwd is world readable but /etc/shadow is not.
\_ Why anyone who has to take 9E having root is a bad idea.
\_ What's 9E? - non ee/cs alum
\_ self-paced unix course
\_ How to tell when paolo is running a script that deletes the motd
every 3 minutes. -tom
\_ What's a jail, what does tripwire do. -John
\_ Using my 1st amendment right, I disagree with tom.
\_ How to figure out that paolo is running a script which deletes
the motd every 3 minutes. -tom
\_ Why you shouldn't use any English word, however uncommon it is, as
your password. -- yuen
\_ Why two bits of salt for a passwd is bad.
\_ Why xhost should never be used and how to use xauth -alan
http://www.xs4all.nl/~zweije/xauth.html
\_ Why xauth is too much trouble and how to use ssh.
\_ tom, are you still an undergrad?
\_ no.
\_ to paraphrase Theo: "Perhaps you should stay clear of
discussions where the roles of undergraduate cs students --
especially what their responsibilities-- are being discussed." |
| 2001/8/19-20 [Computer/SW/Security, Computer/SW/OS] UID:22176 Activity:high |
8/19 Is this normal behavior:
soda:~>dmesg | more
<DEAD>kofthewest.com<DEAD>, AF_INET) failed
pid 33773 (a.out), uid 1216: exited on signal 11 (core dumped)
\_ as of: Sun Aug 19 20:42:43 PDT 2001
it is now saying:
soda:~>dmesg | more
: getaddrinfo(209-76-220-17.bankofthewest.com, AF_INET) failed
pid 33773 (a.out), uid 1216: exited on signal 11 (core dumped)
pid 24745 (trn), uid 30148: exited on signal 6
any ideas?
\_ seems like the kernel message buffer got set really low.
\_ I think some hackers from bankofthewest have gotten into
your kernel. REBOOT IMMEDIATELY!
\_ pid 9236 (sshd), uid 0: exited on signal 11 (core dumped)
WTF is sshd dumping core? |
| 2001/8/19 [Computer/SW/Security, Computer/SW/Virus] UID:22175 Activity:high |
8/19 Hi Dr Nick! - http://www.computersecuritynow.com/article.php?sid=36&mode=thread&order=0 \_ I got tape worm... |
| 2001/8/18 [Computer/SW/Security, Computer/SW/WWW/Server] UID:22162 Activity:kinda low |
8/17 On 18 July, just as Code Red was starting to scan for vulnerable
web servers, a CSX train carrying hazardous materials was
derailed in the Howard Street tunnel in Baltimore, US.
The derailment and subsequent fire severed cables running through
the tunnel used by seven of the biggest net service providers to
swap data.
These companies started reporting disruption to the usual running
of the net just as Code Red was hitting its stride, leading many
people to assume that the worm was doing the damage.
Analysis by Keynote has shown that even at its height, Code Red
posed no threat to the running of the net.
(http://news.bbc.co.uk/hi/english/sci/tech/newsid_1470000/1470246.stm
- anyone else hear about the fire?
\_ yes
\_ It was in the news on TV. But I thought Code Red was later than the
train accident.
\_ What they DIDNT SAY, was that the train had a WBEM system,
hosted under IIS, which caused the derailment once the
web control interface crashed.
\_ you gotta be kidding.
\_ muah-hahahahahaha.... the sad thing is, it's plausible, eh?
\_ It was noted right away in the RISKS digest (aka comp.risks) |
| 2001/8/15-16 [Computer/SW/Security] UID:22126 Activity:moderate |
8/15 security doesn't matter, my ass. Code red is running rampant on
the financial aid office machines. I wonder how much sensitive
information can be grabbed from there.
\_ It does matter, but not many people are willing to spend
money on them. I m very glad to see someone's finally pulled
off code red just to make everyone aware network security
is very important.
\_ It hasn't raised enough awareness. The vast majority of
Americans condone Microsoft for making such an insecure
OS and accept the fact that worms and viruses are
inevitable. If anything, Code Red is telling Americans
that the time to deal with these problems is after the fact
and that buggy software that requires a constant stream
of security updates is acceptable. |
| 2001/8/13-14 [Computer/SW/Security, Computer/SW/OS/Windows] UID:22101 Activity:very high |
8/13 Edlin is the standard! Seriously, just wondering who has
used edlin before.
\_ oh baby yeah. my dad taught me edlin when i was 10 or so. it
was easier than the funky diskedit clone he'd use for other things.
--scotsman
\_ I have... -geordan
\_ I suppose you were using a pre-"edit" DOS version?
\_ I remember editting autoexec.bat and config.sys with
edlin. That must have been in the DOS 3.x era.
\_ Yes. Boy, when "edit" came out (yeah, it was qbasic,
but no one really cared) it was like a whole new world.
Much better than the treebark I used to use. And I liked
it. I loved it. -geordan
\_ ditto. DOS 3.x or before had no edit. edit was so
cool. What was the last official dos version? 6.11?
\_ 6.3?
\_ There was PC DOS 7.1. Don't know about MS-DOS.
\_ I vaguely remember back in the pre-"edit" days I used something
else other than edlin to change config.sys and autoexec.bat, but
I forgot what program it was. I think I used edlin only once or
twice.
\_ copy con c:foo.sys and then hit ctrl-z when done - paolo
\_ The truly lazy hit F6. -geordan |
| 2001/8/7 [Computer/SW/Security, Computer/SW/Unix] UID:22028 Activity:nil |
8/7 How is it that whenever I sign into my hotmail account, MSN
Instant Messenger some how starts and re-registers itself
to execute at login, without it ever asking me for permission?
\_ Error: incorrect operating system detected. Please try again. |
| 2001/8/5 [Recreation/Food, Computer/SW/Security] UID:22008 Activity:high |
8/4 What do most bio majors do once they've applied to med school for
two years on a row and got rejected both times? Do most of them
just end up in the food service industry like history majors do?
\_ is the food service industry big enough for english, history, AND
bio majors?
\_ Don't forget philosophy, psychology, ethnic studies, women's
studies, religious studies, mass comm, sociology, and poli sci.
\_ No. Philosophy majors (unless going to law school), upon
graduation, immediately enter an eternal state of
unemployment.
\_ Soylent green is made of people! You've got to tell them!
Soylent green is people!
\_ I think many apply to med schools in other countries. And I
got the impression that those doing bad enough to not even
get into those have already changed majors by that point.
\_ Agreed
http://www.thinkgeek.com/images/zoom/despair-poster-stupidity.jpg
\_ From what I understand, there are other options for bio majors
besides med school. Some go into grad school, some go into
pharma, and some go into completely different career paths.
Most of the ones I know, however, ended up in pharma. -chaoS |
| 2001/7/28 [Computer/SW/Security] UID:21980 Activity:high |
7/27 In Applied Cryptography he basically comes out and says that IDEA
is pretty much the cypher to use for max. security, but I keep hearing
about this thing called AES that is "better". Anyone know where
I can find a comparision of AES to IDEA in terms of the resitance
to linear and differential crytanalysis.
\_ from Schneier's mouth, he has no problem with AES/Rjendael; and
things it should be used widlely.
\_ Where did you hear this? AES isn't covered in ACv2. If there
is a v3 I'd buy it just to read about AES.
\_ See http://www.counterpane.com/crypto-gram-0010.html#8
-- misha.
\_ Thanks this is perfect.
\_ AC is somewhat out of date in this regard; I think IDEA isn't really
a contender for use in new applications due to the patent and the
fact that various newer ciphers are at least as good. I don't have
any particular suggestions as to where to look for information
beyond citeseer. --Galen
\_ I had originally planned on (and still probably will) using
either DES or 3DES (which ever I can get away with linking
with without needing a export license). I was reading AC and
found IDEA, which Schneier seemed to recommend. When I heard
about AES I just wanted more info.
Since I'm not an expert at this, I just wanted to read about
how resistant AES is to known crytanalysis as compared to
other cyphers. Anyway the above link had the info I needed. |
| 2001/7/27-28 [Computer/SW/Security] UID:21977 Activity:low |
7/27 Is there an easy way to use ssh-agent with KDM so that all my KDE
processes can use my private key?
\_ D00D U R 50 '1337 4 U51NG 57R0NG CRYP70! R U BL4CK H47 | WH173
H47? 1'M S7111 R3D H47! |
| 2001/7/24 [Computer/SW/Security] UID:21936 Activity:nil |
7/24 Its probably a good thing we are running OpenSSH instead
of that commerical version:
http://www.ssh.com/products/ssh/exploit.cfm
\_ There was a hole in openssh a month ago. Get a clue. -tom
\_ But the whole was not in the *default* config, this
is a hole in the standard config.
\_ My read of this "hole" is that it takes a password of two or
fewer characters to open it up. Somehow, that doesn't have me
quaking in my boots. Still, thanks for pointing it out. --PeterM
\_ Some of the daemon accounts on *nix systems have NP as
the password in /etc/shadow. |
| 2001/7/24 [Computer/SW/Security] UID:21921 Activity:nil |
7/23 All .mil sites no longer accessible to public!
http://abcnews.go.com/sections/world/DailyNews/militarycyberattack_010723.html |
| 2001/7/23 [Computer/SW/Security, Computer/SW] UID:21915 Activity:moderate |
7/23 How do big employers catch employees surfing porn sites? Do they run
software that checks employees' URL requests against a list of host
names of known porn sites? Or do they actually check the content
being transmitted? I don't think they'd hire an IT person to visually
inspect every .JPG being transmitted, right?
\_ i could require you to use a proxy to get out to
surf the web, then i can just read the access logs and
see you accessing the dirty pictures. there's also
expensive software out there that will catalog and
present in a nice gui to your manager your web surfing
habits. i can't remember the names of any of them
right now. you don't need to hire an employee,
there is software that sits on the router that will
do all the above.
\_ Yes, that is my job. I examine all your dirty little pictures
and decide which ones to keep on file.
\_ use sameer's filter
\_ URL? Google came up mainly with his current business and
techno music stuff. |
| 2001/7/21 [Computer/SW/Security] UID:21894 Activity:nil |
7/20 Anyone here using megapath, speakeasy or telocity for dsl?
If so, is the service reliable? I'm trying to decide between
these three, as they seem to be the best rated in the SJ
area according to dslreports. I'm leaning toward telocity
because its $49/mo (128/1.5), while the other two are about
$89/mo for the same. (Price isn't really an issue, I'm willing
to pay ~ $100 for reliable highspeed service, but if the
service is the same, I might as well go with the cheaper one).
\_ I have IDSL (144/144) through MegaPath; had it about a year.
Their tech support is a little annoying to reach, but the
people you talk to actually seem to have clue (so very,
very rare). I like them. --dbushong
\_ I have ADSL through Telocity and it was fairly reliable
since my service was restored after the Northpoint disaster. |
| 2001/7/19-20 [Computer/Networking, Computer/SW/Security] UID:21867 Activity:high |
7/19 I want to host a basic website running on my home computer. Any
recs on a DSL provider that will let me have my own domain, whose
service doesn't suck, and is under $100/mo?
\_ First world has a 192K/1.5M line for $69/mo. The line comes
\_ Firstworld has a 192K/1.5M line for $69/mo. The line comes
with two static IPs and they don't care what domain name you
register for those IPs.
Alternatively you could try sprintbroadband (wireless). The
"line" is 256K/2M for $49/mo and comes with one static IP.
You need line of site to Monument Peak though.
\_ Hey genius, Firstworld is dumping their DSL customers on
Earthlink with no guarantees as of August 31st, so...
\_ Where did you read this? I can't seem to find it on
their web page, but if its true, I need to switch my
line soon.
\_ http://Speakeasy.net |
| 2001/7/18 [Computer/SW/Security] UID:21836 Activity:high |
7/17 ranga, http://www.ssh.com/products/ssh/cert/vulnerability.html is 404 today, but was there yesterday. What gives? - new guy #2 \_ Take a look at: http://www.google.com/search?q=cache:xWSTNSCGxl8:www.ssh.com/products/ssh/cert/vulnerability.html+ssh1+vulnerabilities+cert&hl=en (go google. fight the power). \_ Actually all you really need is: http://www.google.com/search?q=cache:xWSTNSCGxl8:www.ssh.com/products/ssh/cert/vulnerability.html Isn't web caching wonderful? I've also preserved a copy of just the text at: http://www.csua.berkeley.edu/~ranga/misc/sshv1.txt \_ Is it? http://www.google.com/search?q=cache:www.csua.berkeley.edu/motd \_ downright scary. \_ re ssh (not google cache) it seems that ssh1 is fine iff 1. you do not use RC4 2. you have valid host keys \_ There is also an intercept attack, but I'm not sure if that was covered in the cert stuff. |
| 2001/7/18 [Computer/SW/Security] UID:21834 Activity:low |
7/17 A Russian cryptographer was arrested in the US for giving talk on
ebook security:
http://www.planetebook.com/mainpage.asp?webpageid=165
\_ Clever. The First Amendment only applies to Americans.
\_ ... that don't violate copyrights, or tell you how to make
bombs, or .... |
| 2001/7/17 [Computer/SW/Security] UID:21822 Activity:high |
7/16 I'm also new to the csua -but not as "social minded" as the previous
poster. What problems have you had using ssh1? I hear ssh1 is
very vulnerable to certain attacks, but I've never been able to
get someone claiming this to point me to urls/papers about ssh1
vulnerabilities. Is it something inherent in the ssh1 protocol (but
not in ssh2)? Googling for "ssh1 vulnerabilities" doesn't seem to
turn up much.
\_ Not this all over again.
\_ No. I don't want flammage about openssh vs ssh1 vs ssh2d. I
want facts and urls to papers.
\_ Take a look at:
http://www.ssh.com/products/ssh/cert/vulnerability.html
It has a summary of the cert warnings associated with ssh v1.
----ranga
\_ thank you! - OG poster |
| 2001/7/11 [Computer/SW/Security] UID:21767 Activity:nil |
7/12 evoice is going away. any other service on the web out there
like it? - danh
\_ http://onebox.com |
| 2001/7/10 [Computer/SW/Security] UID:21753 Activity:moderate |
7/9 I accidentally clicked on "remember my password". How do I reverse
this security mess?
\_ click "forget"
\_ what program?
\_ internet explorer (application/login asked for it)
\_ if it was "Remember my password" on a web page, delete your cookies.
if it was the IE autocomplete thingie, Tools > Internet Options >
Content > AutoComplete, uncheck the user/passwords box, click on the
Clear Passwords button.
\_ thx |
| 2001/7/9-10 [Computer/SW/Security] UID:21749 Activity:high |
7/9 W/ scp, is it possible to turn off encryption for a given data
file while preserving encryption of the authentication process?
(I'm sending a lot of large, nearly uncompressable files that
aren't sensitive, and I just want to encrypt my password).
\_ encryption != compression
\_ Understood. I was merely mentioning that to make it clear
any sort of benefits gained from the data munging are nil.
\_ But what do you expect to gain by turning off encryption?
today What's the best way to turn a movie into MPEG?
\_ http://www.tmpgenc.com |
| 2001/7/9 [Computer/SW/Security, Politics/Foreign/Asia/Others] UID:21740 Activity:nil |
7/8 Speaking of M$, Any thoughts on why MSFT can't seem to get their
instant messanger service running?
I would think that with a co like MSFT the backup redundency
would basically mean they can crash the entire system and it
would still work within a day when they activate the mirror
service sitting in line india or something-- but they have just
been dead for a week now... |
| 2001/7/5-6 [Politics/Domestic/California, Computer/SW/Security] UID:21720 Activity:nil |
7/5 http://www.securityfocus.com/templates/article.html?id=221 \_ Computer security consultant and confessed cyber intruder Max Butler will serve out his 18-month prison term at the privately-run Taft Correctional Institution in central California, sources say. |
| 2001/7/4 [Computer/SW/Security, Computer/SW/Unix] UID:21712 Activity:insanely high |
7/4 I'm running win2k. when i leave my computer alone
for a while and I come back, I have to enter in my password
to "unlock" it. How do get rid of this?
\_ M-X install-linux
\_ disable the screen saver password.
\_ no it's something else
\_ works for me. dunno what weird config you have.
\_ Control Panel -> Power Options
\_ Repartition, install !win2k. |
| 2001/7/3 [Computer/Networking, Computer/SW/Security] UID:21706 Activity:nil |
7/3 Metricom has declared bankruptcy:
http://news.cnet.com/news/0-1004-200-6442868.html?tag=tp_pr |
| 2001/6/30 [Reference/Law, Reference/Law/Court, Computer/SW/Security] UID:21688 Activity:nil |
6/30 fuck amihotornot: http://www.ratemyrack.com |
| 2001/6/28 [Computer/SW/Security] UID:21666 Activity:nil |
6/28 I'm trying to SSH into a PIX box. i've tried ssh -l "" HOSTNAME
and that asks for the password for @HOSTNAME. I would think
this would work but it doesn't. (the problem here being that
the Cisco PIX just asks for a password not a username).
What is the correct way to connect?
\_ ssh -l <username> <hostname>
\_ Maybe (s)he didn't want to reveal his remote login name to
someone who can do a ps on the local host?
\_ AFAIK you need to add a user to the PIX before it will allow
you to login. - cisco alum |
| 2001/6/19 [Computer/SW/Security] UID:21580 Activity:high |
6/19 some fuck in russia the other day "found" a security hole in our
system and sent us a letter that more or less said,
"If you give me $150k I won't reveal this security
hole to the public." Blackmail. One guy, some
liberal dude, remained unconvinced that the intent was
blackmail. Should we call the FBI?
\_ What can the FBI do in this situation?
\_ Yes. FBI Special Agent Kevin D. Johnson has helped us in exactly
this matter: +1 (415) 553-7400.
\_ Why are seemingly all FBIs "special" agents? Are there actually
regular agents?
\_ Most field agents who interact with the public are special
agents. Whereas they have a supporting staff, such as lab
techs and etc. who are just agents. it's all on the FBI www
\_ Why are the FBI folks called "agents", why not just "officers"
or "cops"?
\_ why are real estate agents called agents instead of
salesmen? |
| 2001/6/19 [Computer/SW/Security] UID:21577 Activity:high |
6/19 Here is another question for all you knowledgable crypto people.
How bad is the ability of a PC to generate random numbers for
cryptography? Is this at all a limiting factor in PC based
encryption? If someone were to build a little box that made
random numbers based on a physical process that was provably
uncorrelated, would that interest people?
\_ PC's running reasonable OS'es generate good random numbers. -tom
\_ Depending on the sources of entropy used, a ordinary PC
can generate sufficiently random numbers for use with
cryptography. Look at how ssh does it for more info.
\_ P3s can generate random numbers based on thermal noise, right?
\_ I don't know. There IS a thermal diode on it, but I'm not
sure of the response time. Actually, that might be an
interesting little problem/implementation to do, since a
lot of devices have thermal diodes these days, for over
temperature protection. -nweaver |
| 2001/6/19 [Computer/SW/Security, Computer/Theory] UID:21573 Activity:high |
6/18 I have a question about diffie-hellman. After going through the initial
key exchange and generating the session key k', how do you use this key
with 3des or blowfish? Do you just trucate the key to the appropriate
length (doesn't seem right) or is there some other method? tia.
\_ Probably feed the key into a one way hash function (i.e. MD5) that
outputs the appropriate number of bits.
\_ This is correct. You would use a hash function. However, you
should not use Diffie-Hellman straight, much the same as you
should not use plain RSA. Get a cryptography book and read
about it.
\_ Okay, I understand the bit about the hash function, but
I don't understand why the session key k' can't be used
directly? I've been referring to Applied Cryptography,
but I can't seem to find a place where he explains why
the session keys should not be used directly.
\_ Here's a hand-wavy argument:
Your DH key must be larger than your 3DES key since
otherwise it's easy to break DH. This means that
you'll have to shrink your DH key to make your 3DES
key. You want to make your 3DES key by using all of
the randomness that you've got in your DH key, but
you don't know if truncating the DH key will do this.
However, you DO know that using a good hash function
to make your 3DES key will conserve all of the
randomness of your DH key.
\_ I guess I wasn't clear. I understand that I
need to hash the session key in a way that
preserves the randomness of the key and that
I need to use the hash value as the key for
my crypto algorithm.
The bit I don't understand is related to the
following: I keep reading that one should use
the hashed value of the session key *only* for
encrypting a different secret key and then that
encrypted secret key should be transmitted so
that all other transmissions are encrypted with
the secret key rather than the hash of the
session key.
Why can't I just keep using the hash of the
session key? It seems much simpler to do this
than to maintain a separate secret key. |
| 2001/6/14-7/20 [Computer/SW/Security] UID:21514 Activity:low |
6/13 Note that sprint just cancelled ION- who the hell knew what ION was
anyway???? They had all these commercials but never once showed the
product or what it does. Teledesic rocks!
\_ I never saw an ION commerical, but I had read about it
on several ng's. I was looking forward to migrating from
1.5 DSL to ION, but I guess that's not possible now. BTW,
the ION web page doesn't have any info on the cancellation,
though the check for service now says that the service is
unavailable in my zip code (it was available last week).
Teledesic looks good, but they won't be in wide service
till 2005. I considered WildBlue for a bit, but they
don't seem like they are *nix friendly (PC/Mac only).
That leased line is looking better all the time. |
| 2001/6/12 [Computer/SW/Security] UID:21496 Activity:nil |
6/12 Here's the bottom line: The RIAA wants to control all channels
of distribution. For a user to access his own "private"
collection may infringe upon the notion of "ownership." Meaning
that by leaving those mp3s on an "open" (yes it is open because
you have access to it outside of the LAN) network exposes the
user to "potential" distribution infringement. http://mp3.com
attempted something like this but the RIAA nuked that idea
right out the water. The way it would have to work is if the
RIAA forces the user to license each component of music that
he/she has access to, regardless if they had, indeed, purchased
it. Why? Because the RIAA can track that information still.
How? Through the networking software. Tapes and CDs prove to be
untrackable in terms of distribution but software is trackable
especially over networks. As long as the RIAA can track their
distribution, no user truly can have that sense of privacy. In
terms of tapes and CDs, the RIAA would have to invade each
suspected user's home and then provide a warrant to search
their premise. That's ridiculous in terms of overhead.
Networking software makes usage tracking simple. The idea won't fly.
I might've been talking about mp3 cell phones that are
distributed by sony a while back. The reason why those are
novel (albeit not necessarily popular) is because 1) it's Sony
and DoCoMo doing the distribution; 2) the method of transmission
is done through the memory chip. The memory chip is portable
and removable so it's effectively like copying onto a tape.
Supposedly the new G4 technology being pushed by DoCoMo will
have a Java client that gets streaming audio/video to your
phone. If it does, you can guarantee those lines won't be
private and if they are it'll be challenged in court. - keithyw |
| 2001/6/1-3 [Computer/SW/Unix, Computer/SW/Security] UID:21404 Activity:very high |
5/31 Does anyone have the login/pw for the private space at
http://ign.com? We shouldn't have to be paying for access..esp.
things like the silent hill 2 full trailer.
\_ Will somebody please provide a valid login/pass? They
fucking cut off the last Hideo Kojima interview on the
subject of mgs2...damnit..that chafes my hide.
\_ sign yer name -shac
\_ oh come on. the rest of the motd wants to know too.
\_ l: phil
p: vahmifqy
\_ They have to pay reporters, editors, webmasters, sys admins,
electricity bills, network connection bills, and much more - why
shouldn't you have to pay them back for some of it? The dream of
an advertiser-supported internet is dead - ads don't pay enough.
\_ pay should be voluntary, like the PBS model. If you like what
you get, you should donate some cash, but you shouldn't have
to pay before seeing the goods.
\_ that's ridiculous.
\_ Communism is dead, kid.
\_ YEAH, BECAUSE PBS IS AN EVIL COMMIE LIBERAL STATION.
\_ psb is a communist?
\_ This isn't communism. If it were communism, everyone would
be forced to pay the government, and the government would
be funding and running everything. Voluntary donations are
than in a piece of shit rm or WMP format. Is that too much to ask?
Damn ign bastards...*sigh*
completely different.
\_ "You shouldn't have to pay before seeing the goods."
There is that "should" there that I don't like. The
mentality seems to be that the consumer can dictate
to the producer their terms. In a truly free society,
all contracts are voluntary.
for Linsux.
\_ what's wrong with that? we're in a capitalist society
driven by consumerism; why shouldn't consumers dictate
what they want?
\_ because you're an idiot. you don't get to decide
*after* you use something whether you want to
pay for it. -tom
\_ you do if you have access to warez. long live
warez! cd images galore! i wonder when someone
will finally crack down on newsgroup piracy?
\_ Property is theft!
\_ regardless of what anyone agrees on, login: phil
p: vahmifqy doesn't work. Someone please provide a valid
login/pw. It's not like I can't get it at one of the
other sites; I'd just rather have it in quicktime format
than in a piece of shit rm or WMP format. Is that too much
to ask? Damn ign bastards...*sigh*
\_ COMMIE MAC USER!!!
\_ QuickTime runs on Windows and there is even mov player
for Linux.
\_ The Windows Media Player much better than real, QT or
anything similar out there.
\_ WMP? Good? Surely you jest. AVI and ASF are total
POS. The quality is terrible and the playback
frequently hangs esp. if you try to stream a file.
QuickTime at least has decent stream and playback.
\_ I know not of AVI/ASF. What i know is that
when i play the SAME file with REAL it looks
like crap, when i play it with WMP it looks good.
\_ you need to study harder. the correct answer
is "M$ SUC|<Z U53 L1NUX!" and not worry about
whether something works for you or not. |
| 2001/5/26-28 [Computer/SW/Security] UID:21366 Activity:insanely high |
5/25 If IPv6 encrypts everything (IPSec) as part of the standard, does this
mean protocols like ssh would no longer be required? Will IPv6 allow
telnet and ftp and other cleartext password protocols to live on?
What use would there be for ssh if IPv6 was everywhere?
\- i realize i am "begging the hypothetical" but the "if ipv6
was everywhere [and interoperating nicely, with reasonable key
management, and transparancy]" is a pretty big if. "if ksh does
everything sh does and more, why do we still have sh?" etc. --psb
\_ It's a good question. I think the answer is mostly just
inertia and history.
\_ there will always be a need for application-level security
\_ What does ssh do for me that ipsec doesn't? IPv6 encrypts, it
compresses, QoS, and lots of other funs things. What does ssh
get me in a pure IPv6 world? (Yes, I know this will take a while
to happen, that's not my query). Don't get me wrong. I love
ssh and use it for all sorts of stuff. I'm just not seeing a
big role for it in IPv6.
\_ Authentication?
\_ I think a telnet prompt with memorised password is better
auth than the keys-on-disk ssh standard auth. I can steal
your private key. I can't read your mind.
\_ you can require a key on disk, and protect the
key with a passphrase
\_ Is stealing someone's private key easier than reading
their password out of the password file?
\_ Yes. And can be more useful.
\_ Of course -my- private key is encrypted. Go ahead and
steal it. As for memorized password, it can be easily
stolen as well with a use of a trojaned client or
server, and I have seen this happen many times.
\_ So you unencrypt your key before each use? Uh huh.
If the server or client is trojaned all is lost
anyway so it hardly matters what you use at that
point, does it?
\_ This is not true in general. It's easy to
authenticate yourself without revealing
your private key.
\_ Yes, man ssh-agent. And if your are not using
ssh-agent, then yes, you need to decrypt the
key every time you use it. Ssh client does this
for you. And yes, this is more secure because
you don't have to send neither your password
nor your private key to the remote ssh server.
\_ I think you don't understand how ssh-agent
or ssh itself works. ssh-agent is a local
key manager that makes it so you don't have
to retype your passphrase over and over for
each new connection. Nothing more. I'd
like to hear your explanation of how it
auths to the server without sending any
info.
\_ do you even know what PKI means?
\_ Same question: how are you doing auth
without sending someone something?
\_ i was speaking more broadly, e.g. SSL too. the main use
of app-level security is authentication and integrity
of data between app-level (not system-level) principals.
\_ Is something like app-level ssl necessary when the
underlying protocol (IPv6 in this case) deal with it?
\_ yes, particularly for distributed systems. not
only are there app-level principals that are not
known at the system level to auth/authz, but
you also want to reduce the extent of damage when
one part fails.
\_ Agent system, agent forwarding, x11 forwarding...
\_ BTW, IPSec has nothing to do with IPv6. Implementations of both
for *BSD systems happen to be codevelped by the same people
(kame.net), but IPv6 !=, is not a superset of, does not imply,
whathaveyou, IPSec.
\_ Well, true, but what I read implied that IPv6 is assumed to use
IPSec by default. |
| 2001/5/17 [Computer/SW/Security] UID:21299 Activity:nil |
5/16 OpenSSH 2.9 is released! And it supports rekeying, and all those other
ssh2 features that people have been bitching about. When's soda going
to upgrade?
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98883939725585&w=2
\_ Only tom's been bitching, the rest of us use OpenSSH and have no
problems.
\_ I have problems using OpenSSH. I keep getting these constant
stream of emails from some guy named Tom Holub telling me to
switch.
\_ Hm, I suppose I should look into that upgrade to 2.5.2p2 that
someone suggested a while back. --root
\_ What's wrong with openssh? I'm using it and it works perfectly.
\_ unless you are tom there is no problem
\_ Prior versions of opensshv2 sucked when connecting to the non
"open"ssh. even openssh2.5. I'm happy to report thta 2.9 has
fixed my (20-40)-second delay problems. |
| 2001/5/16-17 [Computer/Networking, Computer/SW/Security] UID:21289 Activity:moderate |
5/15 http://edge.mcs.drexel.edu/GICL/people/sevy/airport/128bit.html (How to get 128-bit encryption from your Airport base station) \_ too bad you cant get 128bit from the builtin airport interface on their laptops. --jon \_ Rumor has it that 802.11b (including AirPort) are going to 54mbps w/128bit encryption in the coming months. Also, above url states AirPort has 64bit encryption, which is wrong, it's 40bit, which everyone knows you can pretty much break on the fly with your laptop and a little reciever. \_ 802.11b will never be 54 MBit. 802.11a will be. Its scheduled to be released in the fall/winter of this year. Most people say that you will probably need a new Airport card, but that you can probably upgrade your base station. \_ Uh, wtf is the point? The Gold and Silver levels of 802.11b encryption have both been cracked. Run IPsec with however many bits you want... \_ Its not "encryption" is Wireless Equivalent Privacy. The protection it provides is the same as what cat5 cable provides. No more, no less. |
| 2001/5/6-7 [Computer/SW/Mail, Computer/SW/Security, Computer/SW/Unix] UID:21182 Activity:high |
5/6 any web-based newsgroup posting sites out there now?
deja/google not allowing at the moment...please advise? thanks.
\_ http://www.mailandnews.com |
| 2001/4/30-5/1 [Computer/SW/Security] UID:21152 Activity:kinda low |
4/30 ForwardX11 is set to "yes" in my sshd2_config file (and was by
default so i assume support was compiled into the default Fsecure
ssh2 install that i have), but my DISPLAY is NOT being set upon
connecting. What could be wrong?
\_ That's ForwardX11 not ForwadX11.
\_ fixed. It is spelled right in the conf file.
\_ the remote sshd may not itself support X11 forwarding. |
| 2001/4/30-5/1 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:21147 Activity:high |
4/30 And you though OpenBSD was strict about long hard to
forge passwords:
http://support.microsoft.com/support/kb/articles/q276/3/04.ASP
\_ And the fun part is what happens when your admin account hits
this fun little bug and you can't login to run the patch? FUCKED.
\_ 03/08/2001 06:43p 5.0.2195.3351 331,536 Msgina.dll
Software named after an SO?
\_ Maybe but GINA actually stands for something. This isn't to
say some random MS lackey didn't come up with something to fit
the letters though.
\_ Global Integer Non-Assigned for those of you who
don't speak hungarian
\_ Thanks. I was too lazy to look it up but I'm sure it was
on google. |
| 2001/4/25 [Computer/SW/Apps/Media, Computer/SW/Security] UID:21107 Activity:nil |
4/25 http://news.cnet.com/news/0-1005-200-5726313.html?tag=tp_pr We should develop tech like this for the motd. Have a phantom "virtual sodan" bot that answers the dumb questions, and emits the obligatory RIDE BIKE and 'use google' remarks, and occasionally fetches useful info. \_ That's pretty useful for spreading rumors when you short a stock. \_ You mean getting sued and ruining your life? \_ It should also periodically initiate an Asian Chix post, post some obligatory trolls, insult tom, and accidentally overwrite some posts...just like a real person. |
| 2001/4/25 [Computer/SW/Security] UID:21100 Activity:high |
4/25 Where can I get the web based ssh stuff soda is running? I want to do
the same thing at home to get around some workplace lame network setup
issues. Thanks.
\_ /usr/local/www/htdocs/ssh
\_ or dl it from mindbright yourself:
http://www.mindbright.com./products/mindterm
\_ you do realize that it's just an ssh client in java, right? it's
not ssh over http or anything, so if your network doesn't allow
ssh packets to go through, it won't help you.
\_ That can easily be remedied by having sshd listen to a port
that the firewall allows instead of 22.
\_ Ok, I dug further into it (I'm remote so this is all through
email with the other person) and it appears they're doing
http proxying. Nothing goes directly out. The workstation
IP is 10.x.y.z. There is a unix box though, so I'm having
them install sshd on that, running it on a high port, and
then doing ssh NT->unix->home. The unix box has a real IP
but only runs telnetd right now. You were right about the
mindbright stuff not being what I wanted.
\_ Hmmm... didn't know that. I'll have to check it out. Thanks
for all the links and paths.
\_ Ok, I found httptunnel. There's source, RPMs and a windows binary.
Thanks for the help and info. Anyone bored is welcome to delete
this thread. |
| 11/23 |