Computer SW Security - Berkeley CSUA MOTD
Berkeley CSUA MOTD:Computer:SW:Security:
Results 901 - 1050 of 1108   < 1 2 3 4 5 6 7 8 >
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2024/12/26 [General] UID:1000 Activity:popular
12/26   

2009/2/10-13 [Computer/SW/Security, Computer/SW/Unix] UID:52552 Activity:nil
2/10    I have an sh file that does a mount.. the mount does an
        authentication. I previosly stored the username and password
        from zenity prompts. However, I can't get a return on the password
        field. The following only works on the username:
        mount -t davfs "http://blahblah.com/BLahUser11" /mountdir << EOF
        ${username}
        ${password}
        EOF
        It gets stuck at the password. Any thoughts? thanks
        \_ Expect?
          \_ the username gets passed and a carriage return then a prompt
                for the password is there but the ${password} doesnt get
                put in nor carriage return. so script is stuck
                \_ /usr/bin/expect
                  \_ can't use expect. this is an automated installer on other
                    persons machines. I would have to apt-get expect
                    No way to do it just with EOFs?
                    \_ would "for i in 1; do echo $username; sleep 1; \
                              echo $password"; done | mount -t ..." work?
                       It really depends on how the password is being read.
                        \_ that didnt work... same behavior
                    \_ No, this is one reason tools like Expect were invented.
                       See, e.g.,
                       http://www.noah.org/wiki/Pexpect#Q:_Why_not_just_use_a_pipe_.28popen.28.29.29.3F
                        \_ thanks.. i guess i have no choice :) excellent!
                           \_ Well, that's not to say you couldn't make a very
                              stripped down version of an expect-like tool
                              that does what you want, and ship that. Maybe
                              someone else has already done it.
                                \_ or use Perl Expect or Python Expect.
2009/1/15-23 [Computer/SW/Languages/Java, Computer/SW/Security] UID:52394 Activity:nil
1/15    http://cwe.mitre.org/top25
        2009 CWE/SANS Top 25 Most Dangerous Programming Errors
        \_ "Avoid inconsistent messaging that might accidentally tip off
           an attacker about internal state, such as whether a username
           is valid or not."  Really?  Fuck you buddy.  I don't always
           remember what my goddamn username was on your stupid fucking
           site.  Just tell me if I got it wrong thank you very much.
           (Just like if my password doesn't conform to the rules for
           what a valid password is FUCKING TELL ME WHAT THE RULES ARE.
           Any attacker knows that information and giving it to me may
           remind me what password I used so please, make our lives
           easier.)
           \_ at that level of frustration i would just choose another
              website for that service, or go see the store in person.
              \_ http://Buy.com offers no helpful hints, but their prices are
                 good. Does make me want to strangle people, though. -!pp
                 \_ I wish there was a counter/way to determine how with
                    online stores i can be assured of creating jobs/ buying
                    american.  I am wondering how much we are screwing
                    ourselves into a longer recession by sending a job
                    overseas by saving five dollars.  I think i'd rather
                    pay the extra $20.
                    \_ My last three http://Buy.com purchases all shipped from
                       American companies.
2009/1/11-15 [Computer/SW/Security] UID:52358 Activity:nil
1/11    http://www.americanstinker.com/2008/01/barack_obama_and_israel.html
        \_ well hopefully he has good Secret Service security.
2009/1/5-9 [Politics/Domestic, Computer/SW/Security] UID:52317 Activity:nil
1/5     http://indiacgny.org/php/showContent.php?linkid=200&partid=96&sub=sub2  IRONY
2009/1/2 [Computer/SW/Security] UID:52311 Activity:nil
1/1     Is email still down?  My outgoing email seems to be not working.
        Also ssh password login seems to be not working (but certificate works).
        Thanks and Happy New Year.
2008/12/26-28 [Computer/SW/Security, Academia/Berkeley/CSUA/Motd] UID:52296 Activity:kinda low
12/26   Motd is dead for good, RIP Motd. You will be missed. :(
               \_ What about soda?
Date: Sun, 28 Dec 2008 11:56:41 -0800
From: Steven Schlansker <stevenschlansker@berkeley.edu>
To: announce@csua.berkeley.edu
Subject: [CSUA Announce] Soda back up!
Hey guys,
Unfortunately http://soda.csua.berkeley.edu crashed over the Christmas break
when I was out of town and none of the rootstaff with cardkey access to
Soda could get in.  About a day's worth of mail was bounced
unfortunately - if you got a bounce message, just try to resend your
email and it'll go through now.  Sincerest apologies - I simply couldn't
make it back to Berkeley any faster.
Hopefully everything will be running OK for now.  We're still waiting on
our shipment of a new server...  the latest ETA is the 10th.  Then I
will be rebuilding it (with the help of the rootstaff and some new
hopefully up-and-coming root members!) and we'll put it into production
as fast as we can!
Hope everyone's holidays find them well,
Your VP
Steven Schlansker
_______________________________________________
Announce mailing list
Announce@vermouth.csua.berkeley.edu
http://vermouth.csua.berkeley.edu:1337/cgi-bin/mailman/listinfo/announce
2008/12/18-2009/1/2 [Computer/SW/Security] UID:52280 Activity:nil 50%like:52218
12/18   Hi, is there a how-to to access csua with ftp?
        \_ man scp
          \_ Thanks that did it.
2008/12/2-7 [Computer/SW/Security] UID:52141 Activity:nil
12/2    Thomas Sowell is awesomely cantankerous in his most recent column
        I love this line: Working in a homeless shelter is widely regarded as
        "community service" as if aiding and abetting vagrancy is necessarily
        a service, rather than a disservice, to the community.
        \_ What a pompous idiot is a pompous idiot!  What a shocker!  And
        \_ Wow! A pompous idiot is a pompous idiot!  What a shocker!  And
           look!  Nazis!  Hitler!
        \_ For chrissake.  A great deal of homelessness is due to untreated
           mental illness.  How about this:  "treating heart disease is
           aiding and abetting unhealthy lifestyles..."
        \_ The Hoover Institude is not paying him to write reasonable,
           thoughtful opinion pieces where he deals fairly with the root
           causes of whatever the hell he's writing about this week.
2008/11/16-17 [Computer/Networking, Computer/SW/Security, Computer/SW/Unix] UID:51999 Activity:low
11/16   Can I use my SBC Yahoo! DSL login name "xxx@sbcglobal.net" and password
        for the DSL at someone else's home?
        \_ Why don't you try it...
        \_ Don't check your email at your mistress' house.
2008/11/7-13 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:51875 Activity:nil
11/7    Does this guy have a soda account?
        http://www.mercurynews.com/ci_10926276?source=rss (online stalker)
        \_ boring
        \_ I wonder if Sold Intel Secrets To AMD guy has a soda account.
2008/10/31-11/2 [Computer/SW/Security, Computer/SW/Unix] UID:51769 Activity:nil
10/31   As root, is there a way to make "passwd" give the same "too short"
        and other bad password errors (or at least warn in those cases)? This
        is on linux.
2008/10/29-31 [Computer/SW/Security] UID:51721 Activity:nil
10/29   Bruce Schneiner et al. have released their submission for the new
        SHA replacement:
        http://www.schneier.com/blog/archives/2008/10/the_skein_hash.html
        \- btw, worth looking at the MD6 design if you are interested in
           this stuff. multicore scalability a "tier 1" goal.
2008/10/23-28 [Computer/SW/Security, Computer/SW/Unix] UID:51654 Activity:nil
10/23   Woman charged with crime for "killing" (deletion really) of online
        character:
        http://tinyurl.com/6lspuv
        \_ she is weak. SHe should have created her own character
           and then do a backstab on his ass. - turin
2008/10/16-17 [Computer/SW/Security, Politics/Domestic/Election] UID:51551 Activity:nil 50%like:51512
10/15   Secret Service says no one said "Kill him" at Palin rally
        http://www.timesleader.com/news/breakingnews/Secret_Service_says_Kill_him_allegation_unfounded_.html
2008/10/9 [Computer/SW/Security, Computer/SW/Unix] UID:51447 Activity:nil
10/8    http://www.scribd.com/doc/4964973/Worst-Captchas-of-All-Time
        Worst captchas of all time. Some stupid, some funny.
2008/9/21-23 [Computer/SW/Security, Politics/Domestic/SocialSecurity] UID:51253 Activity:nil
9/21    Obama's Social Security Whopper
        http://www.newsweek.com/id/160179
        \_ if you say so
2008/9/20-23 [Recreation/Dating, Computer/SW/Security] UID:51244 Activity:kinda low
9/20    Etiquette question: my gf's boss invited her to his son's bar-mitzvah.
        What is a proper attire to wear for non Jewish women? Black & white
        only? Long sleeves only? Can you have color? Can you take
        pictures? Thanks.
        \_ Ok my gf just wore long dress. Turns out they had a super fancy
           one with 200 people attending. They spent ~$30K on a bar-mitzvah.
           Is that how much they normally cost? It's very impressive.
           \_ $30K was more than my wedding, a LOT more. If you're spending
              that much on a 13 year old kid, it says a lot about how much
              you value bar-mitzvah. Or it could just mean that Jewish
              people ARE rich!
        \_ Mazel Tov! Think in terms of what you would wear to go to church,
           remembering that the actual Bar Mitzvah ceremony will be part of
           a service at a synagogue. Think in terms of a dress, a nice pants
           suit, or a skirt and nice top. Dress shoes and, if cooler weather,
           stockings. Nothing flashy or showing much flesh. There is typically
           no need for a head covering--if the congregation likes women to
           have head coverings, there'll have something in the lobby for you
           to put on. Colors are okay, although subdued would be best.
           A card including a check made out to the son is best, which you
           can give to the father anytime except during the service. If you've
           been invited to a party or a reception afterwards, that's a good
           time. It's traditional in Judaism to give money in multiples of $18,
           so think something like $54 or $72 or $90, depending on what you
           can afford and whether you've been invited only to the service or
           to a party afterward. In terms of the service, it will be a
           combination of English and Hebrew. The boy will recite prayers in
           Hebrew, and a portion of the Torah (what you may call the Old
           Testament) in Hebrew. There may also be a short speech in English.
           Just stand when the congregation stands and sit when they sit. If
           you understand the prayers and are comfortable reciting them with
           the congregation, do so, otherwise it's okay, since you're a
           visitor, just to read along in the prayer book (called a Siddur).
           \_ Give a card that says "In lieu of a gift, my tax dollars
              were sent to Israel".
              \_ LOL good one!!! It's almost Seinfeld material.
                 \- ok tnx
2008/9/16-19 [Computer/SW/Security, Politics/Domestic/SocialSecurity] UID:51192 Activity:nil
9/16    <DEAD>retirementplans.vanguard.com/VGApp/pe/pubnews/SocialSecurityAndWorking.jsf?SelectedSegment=LivinginRetirement<DEAD>
        Why Social Security fucks everyone up. Earn too much? Get nothing!
        \_ Your reading comprehension is poor. You don't get nothing, you
           just get reduced benefits. That Vanguard page doesn't mention that
           your later benefits are actually increased because of working
           later.
        \_ You are right, we should let Morgan Stanley run Social Security,
           they will do a good job of protecting our retirement money.
2008/8/6-10 [Computer/SW/Security] UID:50801 Activity:nil
8/6     What kind of captcha would you love to see? List them here:
        -Hot or not?  TOTALLY
        -Male or Female?
        -Gay or not?
        -Geek or not?
        -enormous breasts or regular size breasts?
        \_ Chinese, Japanese or Korean?
           \_ That would also serve as a test to weed out whites.
                \_ Oh come one.  It's been demonstrated that Asians can't
                   tell each other apart either.
        \_ What's "captcha"?  Thx.
           \_ STFW.  Or just read http://en.wikipedia.org/wiki/Captcha
              \_ I see.  But then what does hot or female or gay above have
                 to do with Captcha?
                 \_ Hard to program something to automate that check. It used
                    to be impossible to write a program to recognize the
                    distorted letters and numbers used in older Captcha's, but
                    technology has caught up.
        \_ http://www.badhackerz.com/full-appz/11087-rapidshare-turbo-download-reads-new-cat-captchas.html
2024/12/26 [General] UID:1000 Activity:popular
12/26   

2008/7/30-8/5 [Science/Electric, Computer/SW/Security] UID:50729 Activity:nil 78%like:50725
7/29    Pepperspray vs. taser, round #1:
        http://www.brickhousesecurity.com/self-defense-personalsecurity.html
        http://preview.tinyurl.com/5sjfz5 [infowars.com]
        http://videos.caught-on-video.com/Player.aspx?fileid=513DC6A2-FF6A-40F9-9893-589AC926FCCE&p=0 (taser takes down a BULL)
2008/7/29-30 [Science/Electric, Computer/SW/Security] UID:50725 Activity:nil 78%like:50729
7/29    Pepperspray vs. taser, round #1:
        http://www.brickhousesecurity.com/self-defense-personalsecurity.html
        http://www.infowars.com/articles/ps/tasers_vs_pepper_spray_evaluation_of_police_weapons.htm
        http://videos.caught-on-video.com/Player.aspx?fileid=513DC6A2-FF6A-40F9-9893-589AC926FCCE&p=0 (taser takes down a BULL)
2008/7/28-8/5 [Computer/SW/Security] UID:50711 Activity:nil
7/28    Everyone's captcha hacked:
        http://blogs.zdnet.com/security/?p=1418
        \_ I still like the idea of making real people solve captchas to get
           porn or torrents or the like.  Captchas that are actually used by
           other sites.
2008/7/20-23 [Computer/HW/Laptop, Computer/SW/Security] UID:50640 Activity:nil
7/20    Does my encrypted disk LVM everything partition scheme make my
        laptop consume a lot more power than if I weren't using encrypted
        LVM?
2008/7/15-23 [Computer/SW/Security] UID:50581 Activity:nil
7/14    anyone know this guy?
        A disgruntled city computer engineer has virtually commandeered
        San Francisco's new multimillion-dollar computer network,
        altering it to deny access to top administrators even as he
        sits in jail on $5 million bail, authorities said Monday.
        http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/14/BAOS11P1M5.DTL&tsp=PSB
        \_ The article is short on technologies involved.  It sounds vaguely
           like he commandeered their domain's administrator account.
           \- i suspect waterboarding would be successful in this case.
              \_ Is that you in the sfgate comments?
                 \- no, i didnt not read the comments.
                    \_ probably better that way.  they make me sad.
        \_ I enjoy how the article says there is no known motive.  Anyone who
           has hung out with disgruntled sysadmins know that no motive is
           needed.
        \_ No, but he is the poster child for a BOFH. I wish I knew him,
           so I could shake his hand.
           \_ Having worked with IT guys who couldn't comprehend the fact that
              IT is fucking support and not an ends to itself I wish I knew
              IT is f***ing support and not an ends to itself I wish I knew
              him so I could kick him in the balls.
              \_ Depends. IT can be support or it can be an ends to itself.
                 For the city I'd say IT is a big part of what they do.
                 \_ IT by itself is nothing.  IT is a tool to make other
                    tasks easier.  I accept that.  Keep the tools running
                    is an honorable job.  Just admit that's not what you
                    are doing.
                    \_ Well it depends. I think you are too limited in
                       your scope. There are a lot of situations where the
                       tool is more important than the operator. Making a
                       job so simple that a monkey can do it is one of the
                       areas where IT can help and in those instances I
                       think the IT adds more value than the actual "doers".
                       At that point where IT is contributing more
                       significantly to the bottom line I wouldn't say it
                       is a supporting role anymore, but a key role.
                       Addendum: What role you would say IT plays at companies
                       like eBay?
                       \_ Or Amazon, with the EC2 project?
        \_ it might be a big Peoplesoft install.
        \_ He made $149,269 working for the gov't, which is not bad now is it?
           \_ Previous motd postings lead me to believe that this makes him
              rich. Still won't make $5m bail, though.
           \_ This is a lot of money, almost as much as I make as a Director
              in the private sector. Maybe those public sector IT geeks are
              overpaid afterall...
              \_ Plus he can't get fired even when he's clearly got issues and
                 he probably has better benefits than you do, too.
2008/7/13-23 [Computer/SW/Security] UID:50553 Activity:nil
7/13    Illegal Immigrants prosecuted for social security fraud:
        http://preview.tinyurl.com/6c4wm6 [nyt]
        Prof. Camayd-Freixas essay re same:
        http://blogs.ilw.com/gregsiskind/files/camayd.pdf
2008/7/2-6 [Politics/Domestic/911, Computer/SW/Security] UID:50453 Activity:kinda low
7/2     On the torture debate (or maybe just flame fest), the claim that
        torture doesn't work is true most of the time but untrue some of the
        time.  Most of the reasoning for pro-torture positions doesn't make
        sense to me, I feel like its not logical to give support to something
        that doesn't produce results while the same time being oppressive.
        The one thing I think I can see is that I make a decision that I
        would rather have a little less security to have more human rights/
        civil liberties.  When Patrick Henry said "Give me liberty of give me
        death" he didn't mean unless he might get hurt.  I can understand
        that if you won't tolerate any threat to your personal security (at
        least any threat outside of our government) it would be in your best
        interest to want them to torture anyone they thought might be involved
        in terrorism.  But to me that seems like a cowardly approach, a
        minimal risk to yourself is worth the gain in liberty for all.  Its
        easy to see that deaths from terrorism << torture/government repress-
        ion. -mrauser
        \- the ticking time bomb scenario has long been "the standard"
           classroom hypo after THE TROLLY PROBLEM for the tension between
           UTILITARIAN theories [cost-benefit analysis] and DEONTOLOGICAL
           theories [torture is wrong. the exact reason it is wrong depends
           on the flavor of deontology, but probably "the standard" again
           is the kantian one but maybe simpler to understand is the RDWORKIN
           "RIGHTS AS TRUMPS" view ... mostly this is beyond the scope of a
           motd discussion]. but the "i only care about me" sort of begs
           the question ... since a core question of moral philosophy is
           "what do we own other" and you're pretty much saying "nothing"
           "what do we owe others" and you're pretty much saying "nothing"
           in that "degenerate" case. EGOISM may be an apt description of a
           lot of people, but it's not really a philosophy [although i
           suppose maybe FWNIETZSCHE might have spun it into one, but i am
           not really an expert on FWN ... and that is also beyond the
           scope of the motd]. here is a problem with the "results
           oriented" view: do you think it would be categorically wrong
           to say torture a family member of the terrorist ... say KSM's
           wife and kids ... if that would be a highly effective way of
           producing results. if you want "the standard" critiques of
           utilitarianism, see BERNARD WILLIAMS [formerly UCB Dept Philosophy,
           now dead] and AMARTYA SEN ... at the core, utilitariamsism
           "does take persons/rights seriously. Williams also has a very
           influential critique of deontology, but that may be a little
           hard to follow.
           \_ I've heard of the ticking time bomb, and its pretty easy to feel
              saying you would torture the guy, because in this magical fantasy
              he is directly responsible for the bomb being there and you know
              that there must be a bomb so there is a perverse justice in
              torturing him to make him tell you.  But as a real world example,
              it holds no water, because how often do you KNOW that there is
              a threat and the person in front of you has specific knowledge
              of it.  You torture without this information, in the hopes of
              getting it.  Another scenario, say a terrorist kidnaps someone's
              family and then tells that person where they put a bomb in a
              building, but they tell that person if they tell the authorities
              they will kill thier family.  So do you torture a complete
              innocent who has a self interest in not telling you the info?
              Here is a scenario which is nearly as plausible as the ticking
              time bomb, but I don't think anyone could feel good about either
              option.  The problem to me is that torture is used in ambigious
              situations with a presumed guilt or presumed having of the info.
              I think that because torture can really never be used with
              certainty, it should never be used at all.  Plus, there is a
              strong argument that it leads to false confessions and false in-
              formation just as long as it leads to good ones. -mrauser
              \_ look up "a fortiori"
           \_ Your writing is only partially intelligible. What was your
              "i only care about me" and "what do we own other" sentence
              referring to?
2008/6/25-7/14 [Computer/SW/Security] UID:50380 Activity:nil
6/25    some XCF or CSUA person had a web page about a project they were
        working on where I set up a machine, and you set up a machine
        somewhere, and they both passively back each other, i believe with
        an encryption key so i can't read your backups.  when your disk
        catches on fire, i just give you a copy of your data.  anyone remember
        the name of this?
        \_ crashplan?
        \_ You might be thinking about oceanstore:
           http://oceanstore.cs.berkeley.edu
           But its a slightly different concept and more massively distributed.
2008/6/19-23 [Computer/SW/Security] UID:50314 Activity:low
6/19    "One in three IT staff snoops on colleagues: survey"
        http://news.yahoo.com/s/nm/20080619/lf_nm_life/technology_snooping_dc
        \_ Weird, I go way way way out of my way to not snoop on coworkers.
           If I get someone to enter in a password, I look the other way.
           I want to keep out of trouble.
           If I get someone to enter in a password, I start studying the
           backside of the really hot chick in HR at the other end of the room
           so I really have no idea what their password is.  I want to keep
           out of trouble.
           \_ I do the same because I respect their privacy.
              \_ Yeah, I decided very early on in my career that I was not
                 going to abuse my priveledges to invade other's privacy. I
                 going to abuse my privileges to invade other's privacy. I
                 would fire anyone I caught doing that.
2008/6/17-20 [Computer/SW/Security] UID:50283 Activity:nil
6/17    We currently have AT&T (used to be SBC) for local phone service.
        However these guys really suck, and my wife hates them.  Is there an
        alternative local land-line service provider in the Bay area?
        \_ Hello, telco monopoly.   You want alternate business, voice-overIP
          on a non-AT&T internetconnection, or get a cell phone.
2008/6/9-12 [Computer/SW/Languages/C_Cplusplus, Computer/SW/Security] UID:50194 Activity:nil
6/8     CSUA code guru please help. I need to see my random number
        generator with a good seed (I just need random 18 bit
        identifiers). The usual time(NULL) is OK, except my program
        might be invoked faster than once a second, and seeding using
        time() produced the same result. I tried clock() but it seems
        to return 0. My program needs to be run in Linux/DOS (Watcom
        32bit compiler), so I prefer to stick with standard API.
        What's a good way to get some randomness without using special
        time function that goes into millisecond precision? Poke at
        some random bytes? Allocate a random array? This is in C. If
        I allocate say a 64byte block, and XOR the uninitialized
        memory, is there any guarantee that it will be a different
        64byte block the next time my program is run? Thanks!
        \_ What are you doing this for?  If it's encryption why are
           reimplementing the (really difficult to get right) wheel?
           If it's not encryption what is it that needs high quality
           random numbers?
           \_ I need to assign ID that are unique within a day to
              something 30 bit. I am thinking seconds_since_midnight
              (17 bits) + a random number (13 bits). If I simply seed
              using time(), my rand() will generate the same number if
              invoked within a second. So I am now seeding it using
              the XOR of time() with 64 uninitialized int on the stack
              (again XORed together). This seems to do the trick.
              \_ Huh? You only need to seed once. After that you have a
                 supply of random numbers you can draw on. So just seed by
                 time when you start the program. Or are you thinking you
                 are going to invoke main() many times per second? I don't
                 know what you are doing here so it's hard to give good
                 feedback, but think in terms of "now I have a stream of
                 random numbers and I just need to use them."
                 \_ The program exists after generating one ID.
                    \_ Do you mean "exits"? S/w like SSH uses prngd to
                       get around this problem.
        \_ Use another random number generator to generate the random seed for
           your random number generator!  Oh wait ......
        \_ What is wrong with rand?
        \_ Easiest just to bite the bullet and use non-ANSI C functions.
           The random array allocations are not at all guaranteed.
        \_ seed it with time and getpid.   Expecting unintialized memory
           to have random data runs the risk some chowderhead will take your
           code and comment it out when it generates warnings.
           \_ Does DOS even have PIDs? Wtf is even using DOS these days...
              \_ Embedded applications like digital cameras, I guess.
                 http://www.datalight.com/products/romdos
        \_ you could try opening and reading from a dummy file and then using
           clock to seed.  That way you'll block on IO and the amount of time
           you do that should be relatively random.
           \_ I thought about it again and this wouldn't be a good idea
              especially if you are running the progam often.  What will happen
              is that the file's memory page will be in cache after the first
              read and you won't have good random behavior.  You could try
              file writes, but in general this is not a very strong
              randomness anyways. -pp
        \_ You're not a Debian contributor are you?
2008/5/29-6/1 [Computer/SW/Security] UID:50082 Activity:nil
5/29    Major jump in unemployment benefits for continuing claims
        4Q corporate earnings forecast to be solid
        http://www.tickerforum.org/cgi-ticker/akcs-www?getimagenr=5939
        (chart)
        \_ No Outside Links / Please Sign In
           Access to large images, or links from outside sites, are not permitte\
d unless you are signed into the board.  Thank you, Management
           Access to large images, or links from outside sites, are not
           permitted unless you are signed into the board.  Thank you,
           Management
           \_ sorry
2008/5/21-23 [Computer/SW/Security, Computer/SW/Unix] UID:50023 Activity:nil
  5/21  remember the big guy who runs Comic Relief in downtown berkeley?
        he died, at 50, on monday:
        http://blogsearch.google.com/blogsearch?q=%22rory%20root%22
        http://www.comicsreporter.com/index.php/rory_root_1958_2008
        \_ "Worst. News. Ever"
2008/5/15-23 [Computer/SW/Security] UID:49961 Activity:nil
5/15    How is Facebook's authentication system different from OpenID?
        http://developers.facebook.com/documentation.php?doc=auth
        \_ I think the point might be that it is not?   We should get dans
           back on the motd, I bet he knows.  I miss his 50 lines tangents
           sometimes.
           \_ Conceptually it's the same as OAuth (which merged/is merging
              with OpenID).  AFAIK, Facebook's lack of support for OAuth
              is a political hedge to protect Facebook's 'walled garden'.
              -dans
2008/4/26-30 [Computer/Companies/Google, Computer/SW/Security] UID:49838 Activity:low
4/26    is Google Chat through the web browser encrypted?  My sweetie
        spends all day chatting with me via Google Chat in gmail
        "oh baby i want to **** your **** and then *** *** **** **
        ** *** ***" and "* **** **** *** **** in ** *** *****".
        Could some nosy sysadmin packet sniff her?
        \_ Like this really happened with a live woman.
           \_ Actually I'm not joking!  It's great.
        \_ Get her a soda account, then you can both log in via ssh and
           chat away to your heart's content.
           \_ most likely she's not a UCB student
2008/4/21-5/2 [Computer/SW/Security] UID:49787 Activity:nil
4/21    Yahoo Instant Messenger is not encrypted. Are there chat programs
        that are a bit more secure than YIM?
        \_ what OS are you using?
        \_ What are your goals? Corporate security, or preventing your wife
           from eavesdropping on you? If you're using IM for internal company
           communication, you shouldn't be using anything where you don't
           control the server; deploy an internal messaging server instead.
           Jabber-based servers are popular for this.
        \_ I think AIM supports encryption (at least it seems to when I'm
           using iChat or Adium).  I think GTalk supports encryption as well.
        \_ Beware of webcams pointing at your screen!
        \_ There is encryption but it's a pain in the ass sometimes.
        \_ Both you and your mistress log on to soda using ssh.  Then run the
           good o' "talk" program.
           good o' "talk" program.  You two will have a more intimate
           experience than using popular chat programs, coz now you can see
           every keystroke by the other instead of just line by line.
           every keystroke by the other instead of just line by line.  (Imagine
           all kinds of real-time animation you can do with the '-' key and the
           backspace key.)
           what animation you can do with the '-' key and the backspace key.)
        \_ install adium or pidgin-otr.  Trust in nikitab.
2008/4/17-23 [Computer/SW/Security, Politics/Domestic/SocialSecurity] UID:49771 Activity:nil
4/16    I've heard that you don't pay social security on income above $90K.
        Is this correct?  Does that mean ~$8000 a year is the most you ever
        pay?
        \_ Yes, though the limit goes up every year.
        \_ My 2007 W-2 said my Social Security Wages is $97500.
           \_ Yes, that was the limit this year. There is no limit for Medicare.
           \_ Yes, that was the limit this year. There is no limit for
              Medicare.
2008/3/17-21 [Computer/SW/Security, Industry/Jobs, Computer/SW/Unix] UID:49482 Activity:nil
3/17    http://market-ticker.denninger.net
        Former sysadmin says Fed measures not addressing root of problem,
        IBs/banks will eventually be taken to woodshed
        \_ Once again, who cares if he is a sysadmin?
           \_ It dovetails nicely with the background of most of the
              pontificators on the motd.  What's not to like?  We really
              need to get this guy a soda account!
              \_ If sysadmins had run Bear Sterns the company would still
                 be solvent right now.
              \_ He's got tech skills.  I've got tech skills.  Therefore I
                 care what he says about the economy...?  Huh?
                 He may be 100% on the mark but having tech skills does not
                 make his writing on the economy any more interesting.
2008/2/29-3/4 [Computer/SW/Security] UID:49303 Activity:nil
2/28    Hi do I allow only a certain SSH key to run a particular command?
        \_ Look for LocalCommand in ssh_config(5). Unless you're
           literally asking what you seem to be asking, in which case
           you're probably out of luck.
        \_ Read the manpages for authorized_keys file if you're using
           openssh.  You can specify the "absolute command" in there, or
           have it call a wrapper and have it process the
           $SSH_ORIGINAL_COMMAND variable.
           \- see /tmp/authorized_keys.acl-sample for an example.
              who is asking?
2008/2/28-3/4 [Computer/SW/Security, Computer/SW/Unix] UID:49282 Activity:nil
2/28    Is anyone's IMAP password no longer working?
        \_ for the past two or three days, connecting to mead.  :(
        \_ It works for me.  Could you please tell me when you stopped
           being able to log in, and what error message you get?  --mconst
2008/2/26-3/4 [Transportation/Airplane, Computer/SW/Security] UID:49257 Activity:nil
2/26    Documentary team says bomb ingredients can still be smuggled onto
        airplanes:
        http://preview.tinyurl.com/39basa (telegraph.co.uk)
        http://preview.tinyurl.com/yqflv9 (thisislondon.co.uk)
        The TSA disagrees:
        http://preview.tinyurl.com/3b6agt (tsa.gov/blog)
        \_ Airport screening is all about making people *feel* safer and
           very little about actually making people safe.
           \- no, it is about political CYA.
2008/2/25-26 [Computer/SW/OS/Windows, Computer/SW/SpamAssassin, Computer/SW/Security] UID:49243 Activity:nil 80%like:49239
2/24    Facebook comscore numbers slipping
        http://preview.tinyurl.com/24p9n8 (techcrunch.com)
        http://preview.tinyurl.com/2hug7v (hollywoodreporter.com)
        Over to you, dans
        \_ dans doesn't work at facebook
           \_ Slide feeds at the pig trough which is facebook apps:
              http://adonomics.com/company/Slide
2008/2/21-25 [Computer/HW/Memory, Computer/SW/Security] UID:49208 Activity:nil
2/21    Cold Boot Attacks Against Disk Encryption:
        http://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html
        http://citp.princeton.edu/memory
2008/2/19-22 [Computer/SW/Security, Finance/Investment] UID:49189 Activity:nil
2/19    http://tinyurl.com/2ymrrc (yahoo.com)
        GOOG filing warns on near-revenue growth on reduction of accidental
        clickthroughs
        \_ Wow.  I didn't know they were making money from deceiving click
           regions.
           \_ the monkey wants to be clicked
2008/2/15-18 [Computer/SW/Security, Computer/SW/Virus] UID:49158 Activity:nil
2/15    Digital photo frames carry viruses:
        http://preview.tinyurl.com/2w6uc9 (sfgate.com)
2008/1/30-2/2 [Recreation/Computer/Games, Computer/SW/Security] UID:49034 Activity:moderate
1/30    One of my friend in china is asking me to sign up a world of
        warcarft account for him. I am not too familiar with this
        game, I am going to buy the game from Amazon, and use the
        CD-key to sign up an account. Do I need to tie my credit card
        with the account? Since the online game is fee based, I'd
        imagine I need a credit to get this to work, if so, then I'll
        tell him I can't do it. If I don't need a credit card, then I
        will do it. Does anyone on the motd play this game? Can you
        enlighten me? Thanks!
        \_ Friends don't let friends play the World of Warcraft.
           Mothers Against World of Warcraft.
           \_ Is this guy a "friend" or an actual friend?
        \_ Tell him you can't and let him figure out if you're wrong.
        \_ Sometimes these games allow you to buy a monthly usage card online
           but I don't know if warcraft requires a cc for signup or has the
           monthly thing.  I don't understand why your friend can't just sign
           themself up?
           \_ He claims that he's in China and he can't sign up. How
              do I prove he's wrong?
              \_ 1.5 Chinese World of Warcrack players?
              \_ Go to China and sign up.
                 \_ Remote-Desktop into your friend's machine in China,
                    and sign up.
              \_ He can't sign up for US servers, only on Chinese WoW servers.
                 There's millions more WoW players in asia than there are in
                 the US, but they are all on asian WoW servers.
        \_ It's true.  If you are a good friend, don't help him to play
           WoW in any way.
        \_ he probably wants you tot get a US version of the game so that
           he can get access to US servers. The Chinese version will send him
           to chinese servers.   His play experience will likely suck due to
           more lag, but whatever.   If he plans to go into gold farming there
           might be more market for his 'product' than if he were on a
           china server -- however that's against the game's ToS.  Anyway, you
           can buy the boxed game and  send it over.
           If you try to install and sign in, it will either ask for gamecard
           or credit card info to get the WoW account started. I'd recommend
           not taking that step.   -ERic
           \_ He might also be trying to make a conduit account.  I don't play
              Wow, but my understanding it that the Chinese Gold farmers nead
              dealers (conduits) on the US side to deliver their wares.
              \_ they have plenty of hacked accounts to do this with.
           \_ I can think of a host of reasons why a chinese person might want
              an account on US servers -- most of them involving some from of
              ToS violation -- but there are a few legitimate ones. Maybe he
              wants to play with US friends/aquaintances.  I'm willing to give
              them the benefit of doubt. However, whatever you do don't log
              into the US game (sign up the account) with your own user
              information and/or cerdit card if you plan on handing the account
              over. This makes YOU the 'customer of record' -- the owner of
              the account, responsible for whatever mischief your Chinese
              "friend" wants to commit with it. -ERic
              \_ that's like trying to legitimize one's use of bittoreent
                 because one uses it to download Linux ISO's, when the reality
                 is most of one's use is really restricted-copyright mp3's and
                 videos.  Most likely the intended use of this cross-region WoW
                 account is illegitimate.  Gold Farming, selling gold taken
                 from hacked WoW accounts, etc...
        \_ Very helpful replies. Thanks everyone! I am going to just say no. ;)
2008/1/25-2/2 [Computer/SW/Security] UID:49013 Activity:nil
1/25    Societe Generale uncovers massive fraud - Yahoo! News:
        http://www.csua.org/u/kkq
        After reading the whole article, I still don't understand how the fraud
        worked.
        \_ You mean you're supposed to understand anything by reading
           Yahoo! News?
           \_ It's an AP story.
2008/1/21-31 [Computer/SW/Security] UID:48980 Activity:nil
1/21    I'm trying to set up Thunderbird at with with gmail via IMAP.
        There is a proxy at work such that if I want to view a web page
        using Firefox or IE, it prompts me for my network login and
        password before it lets me onto the web.  When I try to get my mail
        in Thunderbird, it won't connect to the server.  I already tried
        setting the config option to tell it the proxy server address and
        port number.  But it still won't connect.  What can I do to get this
        to work, or is it possible that they have it set up at work that no
        matter what I do, it won't work?
        \_ It is likely that your firewall doesn't allow outbound traffic
           on the IMAP ports.  You might be able to SSH tunnel it from
           soda.  -tom
           \_ ssh is also blocked at work.  I guess I'm out of luck? -op
              \_ Try corkscrew.  http://www.agroman.net/corkscrew
                 You'll need to run a sshd on port 443 in most cases, though.
                 \_ Getting a router that can run dd-wrt or some other
                    firmware is a relatively easy way to get the sshd
                    if you don't want to leave your computer on all day.
              \_ Maybe this is a sign you should quit your job at the Kremlin.
2007/12/4-7 [Computer/SW/Security] UID:48744 Activity:low
12/4    Dunno if this is common knowledge ... msft wireless peripheral
        crypto cracked ... --psb
      http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked
        \_ a one byte pad hardly counts as crypto
        \_ I guess this doesn't work for the Xbox 360 controllers.
        \_ I don't get it, Bluetooth isn't secure either, is it?
2007/11/20-26 [Computer/SW/Security] UID:48667 Activity:nil
11/20   Okay, password login failed for me again.  How do I set up my soda acct
        so that I can login using SSL public key?
        \_ One tutorial here: http://www.modwest.com/help/kb20-90.html
           \_ I can't get it working from that.  Either putty won't load the
              key generated on soda, or soda rejects my key generated from
              putty.  Has anyone done this with putty on windows?
              \_ You need to import the key you got from soda, into
                 Puttygen on the windows side, then use the resulting key.
                 \_ Excellent, that did it.  Thanks very much. -op
           \_ Condensed into step-by-step here: /tmp/publickey_putty_instruct
              Please feel free to correct/distribute. --erikred
2007/11/18-21 [Computer/SW/Security] UID:48654 Activity:nil
11/17   I need a wiki package that uses sqlite, and lets me
        give out username/passwords to limit editing and viewing access
        to certain sections.  Any suggestions?  Thanks.
        \_ http://wikimatrix.org
2007/10/18-20 [Computer/SW/Security] UID:48376 Activity:kinda low
10/18   Subversion woes. We want to be able to go to other developers'
        directories and type "svn status -q" to automate scripts.
        Now when I do something like this:
          user1@:~user2/dev/blah> svn status
          svn: Can't open '.svn/blah/_file.tmpl.tmp': Permission denied
        However there is no file named _file.* anywhere! What's going on?
        \_ it's trying to create a temp file in a directory where you don't
           have write access.  -tom
        \_ Use svn, save a ausman today!
        \_ Use svn, save a german shepherd today!
2007/10/7 [Computer/SW/Security, Recreation/Humor] UID:48254 Activity:nil 50%like:48227
10/3    Is that a Real Doll?  Wow!  So real!
        http://www.youporn.com/watch/13668 \_ Another one:
        http://www.youporn.com/watch/212 \_ It'd be more real if the skin
        is not as glossy.  \_ HA! Funny how he pulled out and squirted
        on his left hand
           so that he wouldn't have to clean up the doll. Now in real
           sex... Oh well, I guess it's better than no sex.
2007/9/27-10/2 [Computer/SW/Security] UID:48199 Activity:nil
9/27    Does anyone have experiences with OpenId and/or TypeKey as to
        minimize the effort spent on your web app authentication? How easy is
        it to integrate these 3rd party components into your web apps?
2007/9/3 [Computer/SW/P2P, Computer/SW/Security, Computer/SW/Unix] UID:47877 Activity:nil
9/3     So I was watching the Today Show this morning and in the crowd of
        jackasses trying to get on TV, some dude kept emphatically showing a
        home made sign that simply said, "lemonparty.org." None the wiser, I
        fired up my laptop, curious as to what could possibly be at
        http://lemonparty.org. I wondered why he was smiling so mischievously,
        shaking his sign in the air each time the camera had him in the frame.
        Could it be some family reunion site? A wedding announcement? A site
        devoted to lovers of lemons? Oh no, I would not be so lucky.

        No sir -- or ma'am -- it was a photograph of three geriatric men
        engaged in very passionate adult loving. And by loving, I mean a good
        old fashioned three-way.

        Of course, I couldn't let it go at this. I had to find out more about
        http://lemonparty.org, as it seemed like an inside joke to which I was not
        privy. A friendly google search yielded several results, all informing
        me that http://lemonparty.org is supposedly a shock site, in the ranks of
        loopback.jpg, http://tubgirl.com and goatse.cx. Now, I'm not sure if the
        shock value or http://lemonparty.org packs the same punch as the
        aforementioned peers, but I can only imagine a suburban housewife or
        lonely grandpa typing the web site in as I did, because, well, they
        too had nothing better to do.

        So why am I sharing this? I honestly don't know, other than I needed
        to purge my conscience. I think this was either one of the most
        wonderfully subversive things I've seen on TV in a long time, or one
        of the more disturbing ones (although I doubt there are many young
        kids watching the Today show on Labor Day). But, hey, old guys need to
        get it on, too, I suppose; so lemonparty indeed!
        \_ Yucks!  It's amazing enough that that guy can get it up.
2007/8/28 [Computer/SW/Security, Computer/SW/OS/Windows] UID:47776 Activity:moderate
8/27    google QA automation stuff, can someone view these videos
        and tell me if they're worth watching?  thanks.
        http://www.youtube.com/view_play_list?p=7D3E685B59779C16
2007/8/24 [Computer/SW/Security, Computer/SW/Unix] UID:47749 Activity:high
8/24    Anybody experiencing login authentication problems?  I cannot login
        using my login and passwd thru ssh on the SECOND attempt and on:
        ie, when I do ssh csua, it works once, but not afterwards.
        Then when I do ssh http://csua.berkeley.edu, it works once, but not afterwards.
        I can STILL login when I use a machine that use ssh authorized public
        keys (with the ssh passwd), but not the unix login/passwd.

        After I login, when I do a passwd, I get the *new* LDAP passwd prompt
        that allows me to change the passwd, but only once.  After that,
        I can no longer access that LDAP prompt (seems like the LDAP server
        is rejecting any requests from a particular host after first attempt),
        but instead I get the *old* unix passwd change prompt that won't take
        *any* of my passwds:

        (current) UNIX password:
        passwd: Authentication failure
        passwd: password unchanged

        After about an hour, if I do passwd, I get the new LDAP prompt again--
        but only once again.  Basically the LDAP prompt comes back in about
        once every hour.

        If an admin is reading this please help.  Seems like the LDAP server
        is down and/or unix passwd is out of sync.  Thanks.          --pchen
2007/8/24 [Computer/SW/Security, Computer/SW/Unix] UID:47748 Activity:nil
8/24    Anybody experiencing login authentication problems?  I cannot login
        with unix passwd thru ssh, although I was able to login using my ssh
        auth keys/cert.  Then when I type passwd to change the passwd,
        I'm getting an LDAP passwd change prompt--but only once: if I type
        passwd again, I get the Unix passwd change prompt.  In any case,
        it won't accept my old passwd nor allow me to change the passwd.
        What's going on?  Also mail is not working (nothing sent nor received).
        I emailed root and get no response yet.  If an admin is reading
        this please help.  Thanks.  -pchen
2007/8/18-20 [Computer/SW/Unix, Computer/SW/Security] UID:47652 Activity:kinda low 80%like:47603
8/17    hey root you wanna restore /csua/bin/mtd one day?
        \_ did you mail root about it?
           \_ do you really have to mail root when all of
              /csua/bin/ disappears?
              \_ empirical evidence would say, "yes, you do".  -!root
           \_ yeah.
2007/8/16-22 [Computer/SW/Security, Computer/HW/Drives] UID:47623 Activity:kinda low
8/20    I am looking for personal NAS... you know, an large intestinal
        harddrive that I can access data everywhere.  Idealy, I want be
        able to set up.  so it streams mp3 music as well, any recommendations?
        \_ USB 2.0 or GigE?

        \_ thinking about connect the harddrive to my router, and be able to

           access it outside the LAN.
           \_ I hear 'mediatomb' might be what you're looking for.
           \_ how's it supposed to deal with access control? Or is it just

              going to be anohter open WAREZ site?
        \_ http://www.archive.org/web/petabox.php
        \_ apache + basic auth + hard drive?
        \_ "intestinal"?
2007/8/13 [Computer/SW/Unix, Computer/SW/Security] UID:47605 Activity:nil
8/13    hey root would you engage in scrotal inflation?  thanks
        \_ Have you emailed root?  Because the motd.public isn't the preferred
           contact method.
           \_  I did.
            \_ Hey root, i think Spamassassin is dead too.
               \_ I think root is too busy leveling in WoW.
2007/8/13 [Computer/SW/Unix, Computer/SW/Security] UID:47603 Activity:kinda low 66%like:47566 80%like:47652
8/13    hey root would you restore /csua/bin/mtd ? thanks.
        \_ Have you emailed root?  Because the motd.public isn't the preferred
           contact method.
           \_  I did.
            \_ Hey root, i think Spamassassin is dead too.
               \_ I think root is too busy leveling in WoW.
2007/8/11-15 [Computer/SW/Security] UID:47589 Activity:nil
8/11    TSA can't find a guy who bypassed security checks:
        http://urltea.com/174l (usatoday.com)
2007/8/6-22 [Computer/SW/Security] UID:47541 Activity:nil
8/6     Another entry for the "no duh" department:
        "WASHINGTON (AFP) - The US government cannot account for more than half
        of all small arms given to Iraqis in the hope of bolstering their
        security forces, raising fears the weapons may have found their way to
        insurgent groups, according to a new congressional probe."
2007/7/14-16 [Computer/SW/Security, Reference/Law/Court] UID:47292 Activity:nil
7/13    Another good Conservative railroaded by Fitzgerald:
        http://www.freerepublic.com/focus/f-chat/1865420/posts
2007/7/8-10 [Computer/SW/Security] UID:47225 Activity:nil
7/8     Those employed by the oil industry had more children than any other
        industry, while those employed in journalism and hotel service
        had the lowest.
        http://neuropolitics.org
2007/6/21-24 [Politics/Domestic/HateGroups, Computer/SW/Security] UID:47033 Activity:nil
6/21    Powell was threatened by the KKK to not run for presidency.  Did Obama
        receive such thread also?
        \_ He was the first candidate to be assigned a secret service detail.
           Glean from that what you will.
           \_ Well, a canidate must request secret service protection.  So, he
        \_ We don't threaten nobody but we support all Republicans   -kkk
           \_ Well, a candidate must request secret service protection.  So, he
              asked for it.  There may or may not be a good reason for that.
              \_ I think the above statement is incorrect.
           \_ Hillary, as First Lady, has had it since 1992.
2007/6/8-11 [Computer/SW/Security, Computer/SW/Unix] UID:46892 Activity:low
6/8     I was talking to an acquaintance who said that his workplace was
        slowly evolving to a stated goal of taking superuser privileges
        away from the sysadmins in an effort to maintain a strict CM
        and, I assume in some way, lower costs - possibly by hiring
        trained monkeys to deploy pre-built images. I am curious what the
        IT theories are behind this. Is this a crackpot method of system
        management or is there some established theory behind this? Has
        anyone else seen this happen at their work? What were the results?
        My kneejerk reaction is that this is a Very Bad Thing, but maybe
        there's something to it.
        \_ Depends.  Are they mostly Windows?  Mostly UNIX?  Who still has
           superuser access?  Are they highly responsive?  It can be made to
           work.  But unless it's driven by competent IT management, it could
           be LOTS o' PAIN
           \_ All UNIX. I assume the idea is that if a change needs to be
              made then it is rolled out from some central server
              somewhere and no admins ever touch the individual workstations
              for any reason except perhaps hardware failure.
        \_ CM?
           \_ configuration management
        \_ No, this is in keeping with Best Practices surrounding security,
           especially the notion of "least privelege" which is to say that
           especially the notion of "least privilege" which is to say that
           people should have the permissions they need to do their job
           and no more. I personally think this is fine, but only works
           after an organization reaches a certain maturity and size.
           You need at least enough people so that you can have an on-call
           page rotation for the "root" team and another one for the
           "admin" team. Email if you want to talk about this some more
           this is something I have thought about quite a bit. -ausman
           http://en.wikipedia.org/wiki/Principle_of_least_privilege
           http://www.csua.org/u/ivq (Forrester Research)
2007/5/31-6/4 [Computer/SW/Security] UID:46802 Activity:nil
5/31    PHP-related question:  a web app I'm using recently moved from
        CRYPT_STD_DES to CRYPT_MD5 for password hashing.  On the off chance
        anyone's faced a similar problem (I am having trouble getting a
        reply from the developers), am I missing something fundamental or
        am I just fucked if I want to migrate my existing userbase without
        having to reset their passwords?  -John
        \_ Can you provide auth'ing off of DES while re-encrypting and storing
           the new MD5?
           \_ Don't think so.  It looks to me like this was just kind of
              a planning fuckup. :-(  -John
              \_ I was going to suggest the same as the above person.  It is
                 "the standard" way of dealing with this.  If you can't do
                 that and apparently don't have access to the source, you're
                 hosed.  Sorry.  Maybe you can redirect them to some other
                 page you do have control of and rewrite their passwords from
                 there.
2007/5/25-28 [Computer/SW/Security] UID:46754 Activity:nil
5/25    I would like to write a script to login to a windows machine remotely
        and start a simulation (basically a poor man's version of a Windows
        Beowulf cluser). The simplest way to do this seems to be to run sshd
        on cygwin. Are there better ways? (Obviously, one better way would be
        to install LINUX, but that isn't possible in the near term). Thanks.
        \_ There are some OpenSSH implementations for Windows you can install
           without the full cygwin implementation.
           \_ Can you list some? Thanks.
           \_ copSSH works well for me. -!pp
              \_ What is the advantage of copSSH over cygwin+sshd? From the
                 (brief) webpage for copSSH it sounds like it is cygwin+sshd.
2007/5/11-14 [Computer/SW/Security, Computer/SW/OS/Windows] UID:46589 Activity:nil
5/11    Hackers use Windows Update to reliably download their malicious code:
        http://preview.tinyurl.com/2dorvr (computerworld.com)
2007/4/30-5/4 [Computer/SW/Security] UID:46482 Activity:nil
4/30    Can someone recommend a website that provides the same service as
        cafepress, with custom t-shirt designs, but that does not censor?
        I want to make shirts that I know would get censored at cafepress,
        based on past bad experiences with them.
2007/4/13 [Computer/SW/Languages, Computer/SW/Security, Computer/SW/Unix] UID:46294 Activity:nil
4/13    Can someone w/ root fix this:
        $ ls -l /dev/null
        crw------- 1 root csua 1, 3 2007-01-25 19:41 /dev/null
2007/4/9-10 [Computer/Networking, Computer/SW/Security] UID:46239 Activity:nil 66%like:46247
4/9     Free W-Fi on Transbay buses:
        http://www.actransit.org/news/articledetail.wu?articleid=ae8a49cd
2007/3/31-4/6 [Reference/Law/Court, Computer/SW/Security] UID:46167 Activity:nil
3/31    Anti-plagarism service sued for copyright infringement:
        http://urltea.com/321 (washingtonpost.com)
        \- hello if you are interested ... really interested ... I have
           put the complaint at:
           http://home.lbl.gov:8080/~psb/Ephemeral/TurnItIn-complaint.pdf
           \_ Thanks.
        \_ Am I the only one who really doesn't like TurnItIn but
           really hope they win because of what it might mean for
           fair use rights?
2007/3/28-31 [Computer/SW/Security, Computer/SW/Unix] UID:46132 Activity:nil
3/28    What controls the order of files in regards to which file is displayed
        as the root file of a webpage? Specifically, I have to have a
        index.php in my root directory, but I want my webpage to display
        home.php. How can I do this? Thanks.
        \_ Just figured it out myself, using .htaccess! -op
2007/3/23-27 [Computer/SW/Security, Computer/SW/Unix] UID:46068 Activity:nil
3/23    hey root can you turn 'PINGS' to soda.csua back on?
        thanks
        \_ Hey, root, can you disable this h0zer's motd-editing cron-job pls?
        \_ and what's up with crippling traceroute?  It needs setuid to
            function.
            > traceroute scotch
            traceroute: icmp socket: Operation not permitted
2007/3/13-14 [Computer/SW/Security] UID:45950 Activity:nil
3/13    OpenSSH 4.6 is out:
        http://undeadly.org/cgi?action=article&sid=20070308183425
        Portable Version:
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.6p1.tar.gz
        OpenBSD Version:
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.6.tar.gz
2007/3/4-6 [Computer/SW/Security] UID:45863 Activity:nil
3/3     What is the cheapest option for internet access for somebod my parents
        who just need to do some email a couple of hours a week and nominal
        amounts of web browsing?  Some kind of dialup service?  They have a
        mac, in case that makes a difference, and live in the South Bay.
        Fast access at $30-$50/mo, not worth it for them, especially since
        they travel for months at a time.
        \_ Jyno has $9.95/mo dialup, but for just $3/mo more you can get
           a fractional DSL line from http://Sonic.net. Actually, I see these
           same prices from dslextreme, my current DSL provider, though
           to get that dial-up price, you have to buy a whole year.
2007/3/2 [Computer/SW/Security] UID:45856 Activity:nil
3/2     Paypal has a new security key:
        http://preview.tinyurl.com/ytr6zn (consumerist.com)
2007/2/25-3/1 [Computer/SW/Security, Computer/HW/Drives] UID:45817 Activity:nil
2/25    The top page of Fry's Electronic's (outpost) no longer shows
        the [Retail] Store Locator. Are they getting rid of the stores?
        \_ I doubt it:
           http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/02-05-2007/0004520005&EDATE=
           http://preview.tinyurl.com/ysdl54 (prnewswire.com)
2007/2/20-22 [Computer/SW/WWW/Server, Computer/SW/Security] UID:45782 Activity:high
2/20    Any recommendations on a cheap/easy-to-use digital signature system?
        \- i dunno exactly wat you are looking for or what the status of this
           project is, but if the obvious [gnupg] wont do, you can google
           for AKENTI. --psb
        \_ What do you want exactly?  A toolkit for digitally signing various
           files?  OpenSSL is free.  It is, however, a pain in the ass to use,
           but, once you know what you want to do with it, you probably won't
           ever have to figure it out again. -dans
           \_ Mostly documents that are federally mandated in the development
              process of medical software. The team is somewhat distributed, so
              I was hoping for something fairly easy to use.  Years ago I'd
              have used PGP, but I don't know how things have progressed and
              what a good (preferably open) system is.
        \_ GnuPG is fairly easy to use and its free. Many commercial apps use
           it for digital signatures: http://gnupg.org
           \_ Yeah, I pretty much agree.  If price is the key, find a decent
               frontend to gnupg and tweak it to fit your needs.  If usability
               is key, it's worth buying a copy of PGP.  Both support the
               OpenPGP standard.  OpenSSL is too low level for what you want.
               -dans
               \_ GnuPG seems to be the way to go. I've got everything figured
                  out except verifying signatures. Thanks for the advice. -op
                  \_ This is from memory, not the man page, but I think it was
                     something like gpg --verify.  Or are you trying to do
                     something more complicated? -dans
                     \_ You're right that --verify is the command line
                        solution, but I was going for something in a GUI. It
                        turns out that GPGee (Win Explorer extension) has that
                        ability, and works great. Thanks again. -op
2007/2/18-23 [Computer/SW/Security, Consumer/TV] UID:45771 Activity:nil
2/18    I have a Tivo.  I don't have service.  I'm not going to get service.
        What is cool that I can do with the Tivo?
        \_ eat it?
        \_ prop open doors?
2007/2/17 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:45765 Activity:nil
2/17    http://www.foxnews.com/story/0,2933,252541,00.html
        Mormon University says YouCant to YouTube.
2007/2/13-17 [Computer/SW/Security, Computer/SW/WWW/Server] UID:45734 Activity:nil
2/13    The personal webpages are now up
        \_ Ming-Hay
        \_ Thanks. Something seems a little messed up w/ the server config.
           The front page produces a server error for me, and the server
           is returning lists of files rather index.html for directories.
           \_ Agreed, things are fubar.  I've written/tweaked/debugged an
              Apache config or twenty in my day so I'd be happy to look things
              over and help out, just ask.  That said, I'm shockingly busy at
              the moment, so I may not be the quickest source of help.  You
              may want to turn personal public_html directories off until you
              fix this as the current config does leak information, which has
              (IMO, minor) security implications.  If you're a soda user, you
              can prevent people from browsing your public_html directories
              over the web until this is fixed with the following:
              chmod og-r ~/public_html
              -dans
2007/1/28-2/1 [Computer/SW/Security, Computer/SW/Unix] UID:45607 Activity:moderate
1/28    Where does inbound mail get spooled now? I had no problem moving
        my old spool to /var/mail/$USER, but where is the new mail
        spooling? (Yes, I read soda-changes.) Nothing is ending up in
        /var/mail/$USER/new. Should it be?
        \_ Do you have .procmailrc setup?  If so, I needed to add
           an additional rule at the end (after setting up the
           DEFAULT=/var/mail/loginname):
           DEFAULT=/var/mail/$USER):

           :0:
           $DEFAULT

           If I didn't do that, my mail just shows up as a single
           "msg.xxx" in the /var/mail/loginname directory.
           "msg.xxx" in the /var/mail/$USER directory.
        \_ nope, it's on a different server normal people don't have access
           to.  it's called 'seperation of services'.  The next time
           someone breaks into http://soda.csua.berkeley.edu, mail will
           continue to be delivered since they can't break into
           the machine that is handling delivery of email.  Were you
           in CS?  Do you remember how all the instructional machines
           didn't store your email on your local machine?  Same theory.
           \_ So I have to use IMAP or POP now? Is that right? I used to
              use UCB mail.
           \_ It certainly wasn't stored *locally* on every machine, but
              it was available via NFS on instructional machines.
              It looks to me like it /should/ be showing up on soda.  I presume
              'mead-mail' is where it's getting delivered-to on mead anyways.
              lrwxrwxrwx 1 root root 22 2007-01-24 00:58 /var/mail -> /mnt/oh/0X0-mead-mail/
              lrwxrwxrwx 1 root root 22 2007-01-24 00:58 /var/mail ->
              /mnt/oh/0X0-mead-mail/
        \_ Absent procmail interference, mail should spool to the Maildir under
           /var/mail/$USER.  If that's not happening for you, something is wrong.
           /var/mail/$USER.  If that's not happening for you, something is
           wrong.
2007/1/26-30 [Computer/SW/Security, Computer/SW/Unix] UID:45598 Activity:nil
1/26    Thanks root people!
        \_ Many thanks!
2007/1/18-25 [Computer/SW/Security] UID:45558 Activity:nil
1/18    Are the accounts on soda reactivated?  Looks like ssh is up, but I
        don't know if it's me not remembering the password I set it to
        after the last reactivation or if accounts aren't activated.
        \_ So you just typed your password (maybe several of them) into a box that might or
            might not actually be soda?
        \_ So you just typed your password (maybe several of them) into a box
           that might or might not actually be soda?
            \_ People should really use DSA public-key auth. It saves typing
               in passwords and prevents situations like what you described.
            \_ heh heh. heh heh. all your passwords belong to us.
                                                    \_ are
            \_ I did the same thing but since I don't remember my password
               anyway, "they" are welcome to hack away at whatever random
               stuff I was trying.  :)
        \_ Soda is up for root and politburo login right now, but not yet for
           general login.  Hopefully it will be up for general login soon,
           sorry about it taking so long. -mrauser
           \_ Thank you for your efforts. --erikred
              \_ Concur! Many thanks! --dim
2006/12/29-30 [Computer/SW/Security, Academia/Berkeley/CSUA/Motd] UID:45510 Activity:high
12/29   There have been a lot of complaints regarding soda reliability and
        users not volunteering their time and effort to help. Obviously,
        it wouldn't make sense for every user to be given root access so
        they can volunteer. Instead, why don't we use motd for people to
        contribute concrete suggestions (not just to start flame wars) to
        improve soda reliability and security? I'll start:
        - Tripwire
        - Maybe going back to a *BSD
        - Sendmail is complicated and filled with holes. Why not use an
          alternative MTA?
          \_ Also, there use to be this message "Last logged in from..."
             I used to look at to see where my account was last used.
          \_ From being a part of the new-rebuild considerations, yes, no,
             and yes. --michener
          \_ Run soda in a virtual machine.
2006/12/28-30 [Computer/SW/Security] UID:45508 Activity:insanely high
12/28   Soda will be down tomorrow December 29, 2006 for maintenance
        service.  We hope to keep the downtime as short as possible.
        - minghay (CSUA President)
        \_ You hozer.  What about my screen uptime and low pty IDs? - jvarga
        \_ You mean like less than 3weeks this time?
           \_ Hey, shut yer trap.  This machine is run by volunteers.  If
              you want to put time into it then step up.  I don't volunteer
              but I don't bitch at the people who do.  I appreciate their
              efforts and donation of their time to a shared resource.
              \_ I dropped by the office relatively early in the downtime.
                 No one with root was around any time that day (I was there
                 for like 4 hours).  Mconst dropped in a bit later to check
                 in as well, but he had only limited access (soda root, but
                 not keg, etc).  A few years ago, pburo nuked a number of
                 people from their root access.  I said then it was a bad
                 idea.  If current pburo wants to rectify that and increase
                 their root-base, I say more power to them.  And I'd be glad
                 to volunteer.  --scotsman
                 \_ Having a shorter list of volunteers is obviously going to
                    limit how much time is available to take care of soda.  My
                    gripe with the person above is that they're bitching out
                    (however many) people there are to take care of things,
                    all of whom are volunteers.  It's a free service, the
                    price is right, I'm happy that other people have maintained
                    it all these years with no expensve to myself and I
                    appreciate those efforts.  When things go bad it is
                    frustrating but I don't feel I'm owed anything by any of
                    them.
              \_ Exchange of money is not the only way to establish
                 responsibility.
                 \_ Money?  What?  Who said money?  The people running this
                    machine are donating their time.   That is what the word
                    "volunteer" means.  It certainly isn't worth anything on
                    a resume.  What are you talking about?
                    \_ You're reading the above comment wrongly.  The fact
                       that someone is a volunteer doesn't absolve them
                       of responsibility to do what they've volunteered to
                       do; quite the opposite.  A lame-ass is a lame-ass
                       whether he's being paid or not.  -tom
                       \_ They're not absolved but if you don't like the
                          quality and performance provided by other volunteers
                          you have two real choices: shut up and acknowledge
                          whatever little you're getting is for nothing in
                          return or volunteer to do it yourself and do a
                          better job.  Bitching them out without volunteering
                          doesn't improve the situation.  It only makes it
                          worse.  I shouldn't have to explain why.
                          \_ As I said above, pburo.past nuked the volunteers.
                             pburo.current, if they want/need the volunteers,
                             would have them if they say so.  Get on wall,
                             guys.  Ask.
                             \_ Volunteer.  Send a note to pburo asking what
                                they need help with.  If you did and they
                                ignored it or said they don't need any help
                                then that's that on the volunteer front.
              \_ So what do we need to do in order to get root? (Other
                 than, obviously, hack in like everyone else.)
                 \- you know, sloda has always been run by volunteers
                    and by any measure the current incarnation should be
                    a lot less work than the apollo, sequent, vax etc
                    days. i could be wrong, but i dont think it's ever
                    been down for as long as it was ~1 mo ago. i think
                    people have been tremendously appreciative of mr jvarga...
                    and if that appreciation hasnt extended to the pburo
                    at large, my personal perception is there appears
                    reasonable basis for that differentiation.
                    \_ My gut feeling is that Cal students today are not
                       nearly as Unix proficient as they were back in the
                       days. Most donations come in the form of Windows
                       boxes and students today could care less about
                       Unix. So these "soda volunteers" are really just
                       alumni and not the current breed.
                       \_ Whoever the volunteers are, they are still freely
                          providing service to the community with zero
                          compensation and a lot of flack for the times things
                          aren't perfect.  As far as proficiency goes, *nix is
                          a lot easier now than "back in the day" so uber m@d
                          sk1llz are no longer required to get class work or
                          anything else done on a *nix box.  This is just the
                          nature of technology.  I'll bet the average
                          teen/college boy in the 50s knew a hell of a lot
                          more about his car than *anyone* on soda/csua does
                          today.  That isn't necessarily a bad thing.
                                  \- my point is that maintainance should
                                     take less time, e.g in the age of
                                     cheep disks, a machine that doesnt have
                                     to be racked up in a machine room,
                                     standardized buses etc. anyway, his
                                     standardized buses etc. anyway, this
                                     seems to me to be mostly a leadership
                                     failure not a technical matter ...
                                     e.g. it's not a mostly a failure of
                                     e.g. it's not mostly a failure of
                                     knowledge, but of decisionmaking,
                                     communication etc.
                          \_ However, those of us who have been around dealt
                             with the same difficulties and complaints when
                             we were in pburo/on root.  And I can safely say
                             we never had a month long outage.  If you don't
                             want to/can't actually provide the service,
                             scrap it.  We'll survive...  But IMO, and IME,
                             having the alumni around and happy is a good
                             thing for those who want the professional
                             networking opportunities and knowledgebase that
                             comes with them.
        \_ http://csua.com/?entry=45397
           "I'm willing to wager $100 that Soda will be up for another 3 months
            or less before it is completely down for at least 3 days again."
           We'll see how long soda is down this time.
           \_ Are you helping with this maintenance to help make sure things go
              smoothly or just bitching from the sidelines?
        \_ A quick update from the ex-pres, secretary, and one of the few UGs
           with any *nix-fu. (whoever said that it's starting to be lacking is
           spot on). I have good news, and the good news is that our new VP
           doesn't suck. He rules. He's def. reading rootmail (something Ed
           never did), has a *lot* of Debian knowledge and experience, and is
           preparing to, you know, GET SHIT DONE. As a volunteer. Which is awesome.
           And something that Ed never did (this from being president over him).
           Right now, the holdup is that apparently there's no cardkey access for
           the moment but hopefully within a day or two, there will be much
           tinkering. I think (and hope) y'all will see the difference :)
           Take heart sodans! --michener
           \- lack of cardkey access never stopped us in the old days ...
              "oh look, the door is open". :-)
2006/12/2-8 [Computer/SW/Security, Computer/Networking] UID:45410 Activity:low
12/2    I have only two internet choices-- Verizon and Time Warner Cable.
        I've tried Verizon's 3Mbps/512Kbps service with 12 month commitment.
        In practice I only get 2.2Mbps/225Kbps and Verizon is unable to
        bump up the speed saying that they're unable to guarantee speed
        due to distance and whatever bullshit they said. Now my 12 month
        commitment is up I'm trying out Time Warner. I subscribed to
        their 10Mbps/512Kbps service which costs slightly more
        than their 6Mbps/512Kbps tier. Again, in practice, I'm only
        getting 3.5Mbps/200Kbps which is LESS THAN HALF of what they
        promised. Once again, they're giving me bullshit about distance
        and how they don't guarantee speed. Anyone have similar problems
        with their providers?
        \_ Wah, wah.  Cry me a river.  The service is cheap because it's
           consumer grade.  If you want an SLA, get a real connection.  And if
           your Verizon service is DSL, what they're telling you about
           distance isn't bullshit.  Distance from the local CO dictates a
           physical limit to the maximum speed your DSL line can run at.
           If you can get DSL service from Speakeasy, consider it.  Speakeasy
           can't rewrite the laws of phsyics, and their consumer plans still
           won't have an SLA, but, in my experience, they are a cut above all
           the other DSL/Cable providers.  How are you measuring your line
           speed, anyway?  It's actually really hard to do this accurately,
           and I have yet to see a point and click web tool for testing speed
           that does so. -dans
2006/11/30-12/8 [Computer/SW/Security, Computer/SW/Unix] UID:45402 Activity:nil
11/29   Pathetic Google engineers:
        http://valleywag.com/tech/revisit/man-in-google-lap-pool-217775.php
        http://www.valleywag.com/tech/dating/another-chance-to-crash-googles-holiday-party-217736.php
2006/11/21-12/30 [Computer/SW/Security, Computer/SW/Unix] UID:45359 Activity:nil
11/21   Bad stuff happened.  Root is working on restoring all services to
        normal.  Please email root if something is not installed or is on the
        fritz[0rz] (according to michener). - jvarga
        \_ How would we be able to tell?  Logins are still disabled, according to
            someone named "jvarga"... (2006-11-22 07:30)
           \_ You have to be THIS tall to enter...
        \_ Please email activate@csua.berkeley.edu to get your account
           reactivated.
2006/11/8-9 [Computer/SW/Security] UID:45263 Activity:nil
11/8    OpenSSH 4.5 is out:
        http://www.openssh.org/txt/release-4.5
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.5.tar.gz
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.5p1.tar.gz
2006/10/31-11/1 [Computer/SW/Security, Computer/SW/Languages/Java] UID:45045 Activity:moderate
10/31   Mainframes are back!
        http://www.cnn.com/2006/TECH/biztech/10/30/reviving.mainframes.ap
        \_ Mainframes never left.
           \_ There are big differences between 1) X is here, 2) X is coming
              back, and 3) X left. Fucking dumb shit, how did you even
              get into Cal?
              \_ I didn't get into Cal.  I dropped out of college so I could
                 spend more time on the motd and wall hanging out with smart
                 people like you hoping one day I can learn to comprehend
                 English as well as you.  No, wait, you are a babbling fool
                 who wrote something completely off topic and non-responsive
                 because you can't understand basic English.
                 \_ Bwaaahhhhhhh!!1!  You are teh suck!!!!1!!!!!!!!1!!
        \_ "The university saved money upfront by selecting a mainframe that
           runs at less than top capacity. Then on days when computing loads
           are heavier, the school can buy a short-term boost of extra
           processing power. Network managers call IBM, which remotely tunes
           the mainframe to deliver better performance."  Interesting.
           \_ *laugh*.  This is how the IBM mainframe division has always
              worked except in the 'old days' they sent a tech out at some
              outrageous hourly rate who opened the back, hit a button to turn
              on the extra cpus+planes+memory/etc that was already in the box.
              So now they just remotely login and tweak some software variable
              limit like "max speed = max speed + 50", logout and send a bill.
              This is almost as good a scam as MS making their money on CALs.
2006/10/27-30 [Computer/SW/Security] UID:45013 Activity:low
10/27   Anybody tried the "PDF decryptor" or "PDF password delete" type of
        software?  I have a PDF form file that won't let me save.  I'm
        considering getting one of those type of software to unlock the
        file.  I really don't want to pay to try it out though.  Are there
        free open source PDF unlock programs?  Thanks.
        \_ I've used Elcomsoft's (of "Free Dmitry Sklyarov!" fame) PDF
           decryptor.  Worked fine.  Its legality is dubious, though.
           \_ How so?  It's my understanding (correct me if wrong, please)
              that documents legitimately in your possession are covered
              by various fair use clauses, i.e. you're not stealing trade
              secrets, that sort of thing.  As for pdfs, unlocking them is
              trivial unless they're encrypted, in which case you're SOL--
              I don't know of anything that can handle this easily.  -John
              \_ I meant the legality of obtaining Elcomsoft's eBook
                 Processor itself, which was posted to the 'net after
                 Sklyarov was arrested.  I'm not referring to the
                 legality of decrypting (which should be legal based on
                 fair use rights, but OTOH there's that thing called the
                 DMCA).  And yes, Elcomsoft's program does decrypt PDFs.
                 \_ I thought there were two kinds of pdf encryption--the
                    access encryption and actual data encryption, and that
                    Elcomsoft only dealt with the latter.  -John
2006/10/12-13 [Computer/SW/Unix, Computer/SW/Security] UID:44782 Activity:nil
10/11   Star Wars characters USB thumb drives:
        http://tinyurl.com/kjg53 (gizmodo.com)
2006/10/4-6 [Computer/HW/Laptop, Computer/SW/Security] UID:44664 Activity:nil
10/4    motd routing nerds, help me out.
        let's say i am torrenting stuff on my laptop.  I want
        of course my SSH connections to be responsive and fast,
        but the upstream torrenting gets in the way.  Could i
        implement QOS somehow on my local machine and improve
        SSH?  I'm running Linux.  Would I have to make a virtual
        machine somewhere on my laptop and run QOS in that?  Thanks!
        \_ or just use your torrent client's builtin bw limit options
           \_ no no you don't understand, have you ever used QOS
              on a router before?  You can make your SSH packets
              have a higher priority than your web or torrent packets,
              reducing the latency for your ssh sessions.  If you limit
              the upstream of your torrents... your downstream becomes
              slower
              \_ sympathy factor crashes like rock. back in my day we got 300
                 baud and we were glad for it!
              \_ if you're bottlenecked on the inbound, no amount of
                 fiddling with your router's QoS settings is going to help.
                 Maybe if you could fiddle with your ISP's router, but I
                 suspect they won't be sympathetic to your torrent leeching
                 needs.
                 If you're bottlenecked on the outbound, limit your torrent
                 clients' upload speeds (or play with QoS).  It doesn't take
                 backing off much to give huge improvements to ssh and/or
                 other interactive programs.
                 clients upload speeds (or play with QoS).
           \_ get a faster pipe, whiner
        \_ So-called "gaming routers" can put preferences on ports.  That's
           quick solution.
           \_ Not only is this a quick solution, but an excellent solution.
              I bought a DLINK gaming router and never looked back. I get
              the best of all worlds-- filling up the pipe AND get small
              latency for ssh and X11 related things.
           \_ agree that this is one way to do it.  increase priority for
              port 22 outgoing (router should also be smart enough to
              prioritize incoming packets for the session), and back off your
              upstream torrent cap a bit until you're satisfied.
2006/9/27-28 [Computer/SW/OS/FreeBSD, Computer/SW/Security] UID:44580 Activity:nil
9/27    OpenSSH 4.4 is leftist
        http://www.openssh.org/txt/release-4.4
        OpenBSD src:
        http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.4.tar.gz
        OpenBSD src signature:
        http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.4.tar.gz.asc
        Portable src:
        http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.4p1.tar.gz
        Portable src signature:
        http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.4p1.tar.gz.asc
2006/9/27-28 [Computer/Networking, Computer/SW/Security] UID:44564 Activity:low
9/27    I'm currently using http://johncompanies.com and getting close to their
        40G/month bandwidth quota. I'm already paying $47/month for 5G disk
        storage and 40G/month bandwidth, and while the customer service
        has been superb, I'm a bit budget conscious and a bit reluctant to
        pay $80/month to johncompanies for the next level of service. I'm also
        a big socialist, and I support proletarian revolution. I've
        been contemplating a few options. For example, maybe I can get cable
        modem with 768kbps uplink/upstream for $50/month, which will be
        adaquate to serve 50-60G of content per month and has the positive
        side effect of having a much bigger disk storage over what I'm
        getting now at johncompanies. Is hosting at home a ridiculous
        idea or is it feasible?
        \_ Do you have a real server room environment?  Do you have a
           usage agreement that allows you to fill your pipe all month
           long?  No.
        \_ If you don't need a full jailed environment, JC is overkill.  Just
           host w/ el cheapo web provider.  If you need the custom env, it's
           probably worth the price.  JC are pretty easy to talk to, though.
           Mail them about what you want to do and ask for suggestions.  They
           might even refer you to someone who could better meet your needs.
           ("They" probably meaning "John")  --dbushong
           \_ Do you work at or an affiliate of johncompanies?
           \_ Overkill is when you need 40G bandwidth but got 1000G. The op
              said he's going over the 40G bandwidth quota so his hosting
              choice isn't exactly "overkill".
2006/9/25-27 [Computer/SW/Security] UID:44517 Activity:nil
9/25    Does anyone know if there's a way for mail.app to use different
        connection profiles for various accounts?  I have 2 imaps accounts
        which I need to connect to via an ssh tunnel at a client's; so
        normally it'd be "host.x.com:993" but I would like to switch
        quickly to "localhost:10993" without going through the "edit
        account" rigmarole...thanks for any help.  -John
        \_ Why not just create two separate accounts and activate the
           one that you need.
           \_ Fair point, I didn't think of that, thanks.  -John
2006/9/18-20 [Computer/SW/Security, Computer/SW/Unix] UID:44435 Activity:nil
9/18    Any reason that /dev/null is rw by root only?
        crw------- 1 root root 1, 3 Sep 13 12:56 /dev/null
2006/9/16-19 [Politics/Foreign/Asia/China, Computer/SW/Apps/Media, Computer/SW/Security] UID:44403 Activity:nil
9/15    Software in China helps w/ sentencing:
        http://news.com.com/2102-1012_3-6115154.html?tag=st.util.print
        "The software can avoid abuse of discretionary power of judges as a
         result of corruption or insufficient training."
        \_ What about the verdict part?
           \_ That's easy:
              if(political_activist || causing trouble) guilty=true;
2006/9/15-19 [Computer/SW/Security, Computer/SW] UID:44387 Activity:nil
9/15    Looking for recommendations (prefer Bay Area?) for ISP/company
        that can run a small-business web-site (products list, help
        pages, shopping cart) and handle their email (web-mail & IMAP access)
        My friend currently has a small business but is not satisfied
        with his current ISP/web-design firm handling his .com domain far
        in LA.  They are slow to respond to web-site change requests,
        and they have dropped connections, broken shopping carts,
        customer complaints and slow employee web-mail access.
        \_ Is your friend's current company called http://dreamhost.com? Have you
           looked into other hosting companies like http://shopping.yahoo.com?
           \_ not dreamhost. Was going to look at yahoo, but i think they
              want their own domain
2006/9/9-12 [Transportation/Airplane, Computer/SW/Security] UID:44330 Activity:nil
9/9     http://www.latimes.com/news/local/la-me-baggage9sep09,0,1502706.story
        This is insanely stupid.  All the bad guys need to do is throw
        kgs of TATP in the false hardsides of their luggage on several very
        busy buses and have them all explode at the same time on buses across
        the city.  Let's hope L.A. people are so inherently anti-public
        transportation that those buses never fill.
        \_ uh, from a security standpoint how is this any different than
           checking bags at the counter?  Or bringing a bomb onto any
           bus?  -tom
           \_ there's no difference from a security standpoint as you've
              implied.  however, from the standpoint of the terror impact of
              burning bus shells on TV, the synchronized bombings of full
              LAX transit buses is much more effective and obvious than
              (synchronized) exploding ticket counters or bus lines intended
              for low-income workers / students.
              \_ uh, whatever.  -tom
                 \_ uh, yeah
2006/9/8-12 [Computer/SW/Unix, Computer/SW/Security, Computer/SW/WWW/Server] UID:44325 Activity:nil
9/9     Is there a gzip-like unix command that will encrypt a file?
        I'm looking for something that's widely available. Thanks
        crypt (not very secure - DES).  Or failing that, openssl or gnupg
        \_ openssl or gnupg... what are you looking for?  Those will work fine..
           \_ Thanks for the recommendations. I'm basically experimenting
              with a way of using my friend's computer to backup my
              personal files and using my computer to backup theirs.
              Of course, this means storing files in a way where we can't
              see each other's personal files.
              \_ I'd recommend checking out http://dar.linux.free.fr
                 It makes the whole "backing up a bunch of files, encrypting
                 it, and chunking it into bite-sized pieces" thing much easier
                 than dump/tar + gzip + openssl.  --dbushong
                 \_ Oh, that is so cool. Thanks. My way was going to
                    be much more convoluted involving ssh and a bunch
                    of script writing. This should save some time.
              \_ One nice thing about using gpg (dump/tar | gpg) is you
                 can do public key crypto and not ever have passwords stored
                 in the script.  I believe gpg also can chunk it into X
                 byte chunks, optionally ascii armored, for emailing as
                 well. (well, I suppose you could mime-attach it)
        \_ openssl bf-cbc -in file.txt -out file.txt.bfcbc    # encrypt
           openssl bf-cbc -d -in file.txt.bfcbc -out file.txt # decrypt
           --dbushong
        \_ /usr/bin/{zip,unzip} on soda can take passwords.  Don't know if
           they're widely available on other *nix's.
2006/8/22-23 [Computer/SW/Security] UID:44096 Activity:high
8/22    In Windoze XP, how can I make my service start automatically when it
        boots up in Safe Mode?  I searched MSDN site and didn't see anything.
        Thanks.
        \_ I don't know how to do that in Windoze XP but it isn't that hard in
           Windows XP.
           \_ And that would be how?  Thx.
              \_ Start here and you should get the right idea:
           HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
                 \_ Thanks!
        \_ Out of curiousity, why do you need to do that?
           \_ I am working on a module that is a service, and I need it to be
              loaded even in Safe Mode so that people won't be able to bypass
              it by rebooting the machine in Safe Mode.
              \_ I sure hope there isn't a way to do what you want.  If the
                 users want to bypass your module, let them!
                 \_ It's part of a security product, and we don't want the end
                    user bypass it.
                    \_ And what stops them from booting off a USB key, CD,
                       other hard drive, etc?
                       \_ BIOS password.
                          \_ Yank HD, take to another computer, etc.
                             \_ Always true for any product that can't
                                physically defend itself.  I don't think most
                                customers want their firewall to shoot at
                                people.
                                \_
                        http://blubbie.com/usb-nailgunner-pc-gadget.html -tom
                             \_ There's also FS encryption.
                             \_ Some of the firmare-level drive crypto stuff
                                out there is pretty buff.  Not failsafe, but
                                in most cases more trouble than it's really
                                worth.  -John
                    \_ What gives you the arrogance to think you can take over
                       the end user's system in such a way?
                       \_ I think he's building a security appliance not a
                          home user software thing.
                          \_ A security appliance running Windows?
                 \_ RESPECT MY AUTHORITAW!
              \_ And suppose there is such a way.  What's to stop
                 someone from writing a malicious service that does the
                 same thing?
2006/8/21-24 [Computer/SW/Security] UID:44088 Activity:nil
8/21    Apparently, you need to pay $1.00 to Direct Marketing Association to
        have your name taken off of the junk mailing list. When did they
        start charging for this?  http://www.the-dma.org/cgi/offmailinglist
2006/8/17-19 [Computer/SW/Security, Recreation/Humor] UID:44052 Activity:nil Cat_by:auto 80%like:44043
8/17    This is pretty funny:
        http://tinyurl.com/ku2mp (schneier.com/blog) -John
        \_ Another funny link on the same page:
           http://geekz.co.uk/schneierfacts
2006/8/17 [Computer/SW/Security, Recreation/Humor] UID:44043 Activity:nil Cat_by:auto 80%like:44052
8/17    This is pretty funny:
        http://tinyurl.com/ku2mp  -John
2006/8/12-14 [Computer/SW/Security] UID:43984 Activity:nil
8/12    Anybody know of a good backup solution for PGP encrypted disks?
        The way I've been backing up is to make copies of the .pgd file
        with dates in the filename.  This method is not very scalable as my
        .pgd files are becoming gigabytes in size.  Anybody know
        of an integrated solution to backups and encrypted folders/disks?
        OS X Leopard "time machine" backup feature looks interesting.  But
        I don't think it works if all my files are in PGP disks/directories.
        Any other solutions that integrate encryption and backups? -thanks.
        \_ This is Windows, right?  (Dunno if PGPDisk exists on another OS.)
           Wouldn't anything that checks to see if a drive letter is attached
           do the trick?  Also, is this for personal backups, enterprise-
           level, what?  -John
2006/8/9 [Computer/Theory, Computer/SW/Security] UID:43952 Activity:nil
8/9     Can someone update soda's ssh host keys on
        http://www.csua.berkeley.edu/computing/hardware
        I think the new keys are:
        RSA - 9c:a4:3a:66:23:22:b0:2f:ba:87:2a:ca:03:c5:24:b6
        DSA - 93:1d:30:88:65:a5:fa:38:6f:06:a3:86:12:0d:85:8b
        \_ That's what you'd like us to believe.
2006/8/7-11 [Computer/SW/Unix, Computer/SW/Security] UID:43929 Activity:nil
8/7     hey ax watch this when you get home from work
        http://www.youtube.com/watch?v=f83L9iWIx54
        \_ Is there a CSUA login?
           \_ Use http://www.bugmenot.com to find a login.
                \_ That was work safe in my book, but thanks for thinking
                   of me.  Has anyone one noticed any patterns concerning
                   women who wear Bebe shirts?  -ax
                   \_ I wanna work where you work.  I think there's
                      a pattern for chicks who wear Hollister shirts.
                      \_ one more for you
                         link:tinyurl.com/gmaxd
                         \_ Jesus Christ.
                            http://i43.photobucket.com/albums/e381/oklahomaok/DSCN0419.jpg
                            \_ That's not Jesus Christ. --Mel Gibson
2006/8/4-6 [Computer/SW/Security] UID:43908 Activity:nil
8/4     Has anyone used Working Assets cell phone service?
        is it good?
        \_ they are a sprint reseller.  co-worker has it, likes the
           customer service, and web payment options, and of course
           there is the donation thing to progressive cause of your
           choice.  Paper correspondence comes on all 100% recycled
           paper.  Just under $50 for 450 minute plan after all the
           taxes/etc.  One downside, she gets a lot of mail (snail,
           I think) from other progressive causes, but I think that
           one can opt out of that.
        \_ No.  Yes.  -proud American
           \_ how much for mass amounts of text messages?
2006/8/2-6 [Computer/SW/Security] UID:43882 Activity:nil
8/2     Does anybody have a sample of a reliable and robust /tmp cleaner
        which can be run out of cron? I am not sure what is a good way to
        make sure things that need to be persistent like ssh-agent "files"
        dont get deleted ... obviously I can specifically tailor it for
        "known knowns", but I want something conservative but also reasonable.
        \_ reboot?
        \- i'm thinking if the idea is to save space, rather than remove
           clutter, can add a switch to remove say +1mb files. But not sure
           of a good idea for the clutter problem ... maybe not descend to
           subdirs for some rules.
                \_ Yes.  -proud American
2006/8/2-6 [Computer/SW/Security, Recreation/Media] UID:43863 Activity:nil
8/2     What do you guys think about http://www.wtcmovie.com ?
        \_ I don't think much either way, but it's clear we're still in what
           I'd call "The Rambo Years" -- a very glorified version of historical
           events. I don't think it's outright propaganda, I think it's actually
           a fairly collective view the US has on 9/11. Make this movie in 10 or
           20 years and it will be entirely different. I can't wait for the FMJ
           kind of take on it. --michener
           I'd call "The Rambo Years" -- a very glorified version of
           historical events. I don't think it's outright propaganda, I think
           it's actually a fairly collective view the US has on 9/11. Make
           this movie in 10 or 20 years and it will be entirely different. I
           can't wait for the FMJ kind of take on it. --michener
           [formatd was here]
           \_ who/what is FMJ ?
              \_ Full Metal Jacket?
        \_ I prefer http://www.tawnyroberts.com  -proud American
2006/7/30-8/2 [Computer/SW/Languages/Web, Computer/SW/Security] UID:43838 Activity:low
7/28    Anyone have more info on the breakins on a bunch of Cal sites?
        http://www.csua.org/u/gkg   -John
        \_ Yes.
           http://ls.berkeley.edu/lscr/news/2006-07-25-security-incident
           (The defacements were mostly one multi-homed server).  -tom
           \_ Most kernel problems require local access to exploit.
              so, if not a user account then some other insecure service
              that can be used as a starting point.  Is this the case here?
              Do you know/mind_telling_us the details? -crebbs
              Do you mind telling us the details? -crebbs
              \_ The machine is a web hosting server for L&S departments,
                 where departments can install their own PHP code.  There
                 was a security hole in user-installed PHP code that got
                 the hackers shell access, and they used a 0-day RedHat
                 kernel priv escalation bug (SYS_PRCTL) to get root.
                 It is worth noting that the bad PHP code was hand-written,
                 not some package like phpBB with security holes which you can
                 search the net for; the initial compromise seemed to have
                 a higher degree of sophistication than is usually found
                 in script kiddies.  -tom
                 \_ I doubt the hackers found the PHP hole the same day the
                    Redhat bug came out.  I'd bet a buck they had non-root
                    shell access on the machine for a long time.  I also
                    suspect they had root for a while too.  Or there was more
                    than 1 set of hackers.  Why would sophisticated hackers
                    waste a quality attack on a web page defacement?  I'd bet
                    another buck they still have access to that and several
                    other machines.
                    \_ I can pretty closely track their root access; they
                       did have it for over a week before it was discovered.
                       I am pretty certain that they no longer have root
                       access.  I agree that there are likely remaining
                       apache-level holes on the machine; it's an
                       occupational hazard of an open PHP hosting environment.
                       When is PHP going to implement taint mode, anyway?
                         -tom
                       \_ The only way to be absolutely sure is to rebuild the
                          box.  You could do a bit by bit comparison from a CD
                          on all the binaries but yech.
                          \_ Yes, I've read "Reflections on Trusting Trust."
                          \_ Yes, I've read "eflections on the Revolution in
                             France"
                              -tom
                          \_ Yes, I've read "Reflections on the Revolution in
                             France" -tom
2006/7/13 [Computer/SW/Graphics, Computer/SW/Security, Computer/SW/Apps] UID:43656 Activity:kinda low
7/13    I have about 80 .pdf graphics files, that are a mix of vector graphics
        and bitmaps, and I want to convert them all to bitmap of a specified
        resolution, while preserving the physical size of the original image.
        Does anyone have any suggestions for how to do this fast and
        efficiently?  I have access to the full Adobe suite if that makes any
        difference.  thanks.
        \_ Are they all one page?
           \_ Each file is much less than a page in size, and they're all
              seperate files.
        \_ Should be able to use ghostscript.
           Post a file if you want an example.
           \_ Ok, thanks.  I've been messing with Ghostscript, but I can't
              figure out how to get it to both be 600 dpi and to preserve
              the physical size.  If I were smarter, I probably would have
              specified all the sizes in the Latex code so that I wouldn't
              care, but that would be a lot of work at this point (180 page
              document).  Here is an example file:
              /csua/tmp/lafe/5point5huge.pdf
              Any pointers very much appreciated.
2006/7/12-18 [Computer/SW/Security] UID:43645 Activity:nil 50%like:43591
7/12    Kchang -- thanks for turning the search feature back on!
        \_ you're welcome. I spent some time making sure that even if the
           mysql passwords are stolen, it would only have read only access.
           It would have been easier with suexec, but I guess the current
           admins insist that CGIs run as "nobody", which is a security risk
           that I guess they just don't care about anymore.     -kchang
        \_ Intellidiff is back too! Thanks!   -Intellidiff #1 fan
           \_ It is broken. I use scp to edit but it blames someone else.
              Yet another useless program written by someone useless.
2006/7/11-17 [Computer/SW/Security] UID:43637 Activity:nil
7/11    I'm working for a new company that is coming out with a web based
        product soon and we need to find good co-location facilites to
        host it. Can anyone recommend a good co-location facility in
        the south bay that can provide load balancing, backups, possibly
        SAN access, bandwidth on demand and has good peering?
        \_ you want the co-lo to provide the load balancing and storage?
           -shac
           \_ Possibly yes. This will be a one man show for a while so
              having some of the services managed would be nice and to
              lower the initial capital expense hit. Who does IGN use?
              \_ IGN is mostly at various Savvis colo's around the world
                 but we have all our own gear and storage. the only thing
                 we outsource is a fraction of our dba work. most of the
                 big companies dont outsource load balancing and storage
                 -shac
        \_ we use quest at work...
        \_ Not a recommendation, but check http://www.webhostingtalk.com
           You will get better response there and also do some search
           on a company's reputation.
        \_ might want to ask http://he.net
2006/6/30-7/5 [Computer/SW/Security, Computer/SW/Mail] UID:43544 Activity:nil
6/30    I'm trying to set up SSH port forwarding of VNC between my laptop and
        my home server.  Once I had it working but I lost be client-side
        config.  I can use PuTTY to set up port forwarding and can successfully
        load webpages off the remote server by using <DEAD>localhost<DEAD>
        My problem is that I can't seem to forward port 5900 (VNC) to my
        remote machine.  When I try telnetting to localhost port 5900 I get
        a connection but don't get the standard VNC handshake: "RFB 003.003"
        I know VNC is up on that machine because I can connect to it just fine
        when I am on the same subnet.  Any ideas?
        \_ You're not running VNC on your local box on port 5900, are you?
           \_ Ooh, good idea.. but no.
        \_ OK, so in PuTTY, your Forwarded ports: lines for your server Session
           look like:
           L80 localhost:80
           L5900 localhost:5900
           Is that right?  What OS is the server?
           \_ I had this:
              L80 http://myhost.com:80
              L5900 http://myhost.com:5900
              I changed the second one to
              L5900 locahlost:5900 and now it works.  Thanks!
              But why did the HTTP forwarding work then?
              \_ Maybe your firewall/VNC server/whatever would allow loopback
                 connections, but not connections on the "real" IP
2006/6/28-29 [Computer/SW/Security, Computer/SW/Virus] UID:43517 Activity:nil
6/28    I'm looking for a company that can do testing of antivirus and
        anti-malicious code products--I have a client who wants some sort
        of "external verification", even if it's just a formality.  I
        imagine this will involve running a battery of not-too-complex
        malicious code & exploit tests.  Any recommendations?  -John
        |_ http://www.counterpane.com/consulting.html or
           http://securityevaluators.com ? Both have well known security ppl
           \_ Securityevaluators looks good, thanks.  -John
2006/6/25-28 [Computer/SW/Security, Computer/SW/Unix] UID:43493 Activity:nil 53%like:43401
6/25    Hey root, could you please reenable finger motd@csua? Can't be a
        security issue since fingerd is enabled ...
        \_ Done. For some reason linking it refused to work, so I added it
           as a cronjob that happens just as the motd concatenation happens
           (every 2 minutes). --michener
2006/6/23-28 [Computer/SW/Security, Computer/SW/Unix] UID:43487 Activity:nil 80%like:43482 80%like:43483
6/23    Soda rooted by sendmail bug.  Will be going down at 8pm.
        \_ Resetting accounts again?
        \_ Good thing I stopped using my @csua.berkeley.edu address as my main
           non-work e-mail address!
        \_ Let's try FreeBSD again!
        \_ Let's try Windows!
        \_ Er, why is this in motd.public?
           \_ soda is run by liburals, always aiding and comforting Terrorists
           \_ Maybe 'cause it's a lie?
        \_ So, why is it still up?
           \_ It used to say 5pm.
           \_ The crackers have changed the root passwd!  Root is powerless!
              \_ I can assure you this has not happened. --michener
                 \_ They probably exploited something to put in a trojan su.
                    Did you test this by suing?  Now they probably have the
                    old root password!
              \_ Someone should go to the server room and destroy soda with
                 an sledgehammer before the crackers unleash the skynet on us.
        \_ I know of no such issue and have not heard from the rest of root
           about it. If this is not a lie, will whoever wrote this email root?
           --michener
           \_ Did the cracker post this to freak everybody out?
           \_ The only non-anonymous evidence I see is on wall log, where
              Paolo posted a snippet showing brg and sly speculating on
              whether soda had been hacked
              \_ which had nothing to do with sendmail at all.
        \_ Lying about a rooting is l4m3.
           \_ My account has been hacked!  Last login from China!
2006/6/23 [Computer/SW/Unix, Computer/SW/Security, Computer/SW/Mail] UID:43483 Activity:kinda low 80%like:43482 80%like:43487
6/23    Soda rooted by sendmail bug.  Will be going down at 3pm.
        \_ Resetting accounts again?
        \_ Good thing I stopped using my @csua.berkeley.edu address as my main
           non-work e-mail address!
        \_ Let's try FreeBSD again!
        \_ Let's try Windows!
        \_ Er, why is this in motd.public?
           \_ soda is run by liburals, always aiding and comforting Terrorists
           \_ Maybe 'cause it's a lie?
        \_ So, why is it still up?
           \_ It used to say 5pm.
           \_ The crackers have changed the root passwd!  Root is powerless!
              \_ I can assure you this has not happened. --michener
        \_ I know of no such issue and have not heard from the rest of root
           about it. If this is not a lie, will whoever wrote this email root?
           --michener
2006/6/23-28 [Computer/SW/Security, Computer/SW/Languages/Web] UID:43481 Activity:nil
6/23    apache back on and PHP seems to be working once more (so the main page
        works too). Security modules have been added, so if they interfere with
        things, mail root. Hopefully they won't though. Thanks for your patience
        and understanding --michener
2006/6/23-24 [Computer/SW/Security] UID:43475 Activity:nil
6/22    Whats up with all the defunct sshd processes on soda?
        Have we been hacked again?
        \_ I don't think so, but let me check your account.  What was your
           username again?
           \_ ok so then whats with the 1655 syslogds running?
2006/6/22-28 [Computer/SW/Security] UID:43470 Activity:nil
6/22    http://media.putfile.com/AOL-Cancellation
        Guy attempts to cancel AOL account with AOL customer service rep (who
        sounds like a full-blown American, not outsourced labor).  It gets
        started slowly, but it really builds up half-way in.
        http://insignificantthoughts.com/page/2
        http://www.msnbc.msn.com/id/13447232
        \_ It's amusing that he recorded it and posted it online but his
           experience is dirt common for AOL.  I hope no one was actually
           shocked by this encounter in any way.  It took me 5+ minutes to
           cancel an account a few years ago although the CSR took a different
           direction she still wouldn't cancel it until I'd told her at least
           three dozen times I wanted it cancelled.
2006/6/20-24 [Computer/SW/Mail, Computer/SW/Security] UID:43439 Activity:nil
6/19    I'm leaving the country for a year.  I am thinking of
        getting a Skype number in the United States, and I guess
        if people in the US call it, my Skype client running
        on my computer in the foreign country will receive the call?
        What is wrong with my plan to do this?
nnn     \_ 1. yes.  The only thing wrong with your plan is that as nerdy as
           you are, you may *NOT* be at front of computer all the time.
           After a while, when people couldn't reach you via the Skype
           number, they will STOP calling you.  I recommend you also purchase
           couple SkypeOut credit; and also set up a call-forwarding on your
           SkypeIn number to your local cell phone.  THis way, when you are not
           at the front of computer or your computer is off, calls will
           be forwarded to your cell phone.             kngharv
           \_ No.  You get voicemail with your skypein number.  I'm using
              it (my Swiss cell phone is forwarded to my CH skypein
              number while I'm in Chile.)  When you start your Skype
              client, it tells you you have voicemails.  Works a charm,
              worth the money.  -John
              \_ duh, voicemail come with the SkypeIn number.  My experience
                 is that after a while, people just sick of calling because
                 he/she gets voicemail all the time.  Skype forwarding
                 service would keep people interested in calling this number.
                                                kngharv
                 \_ That wasn't his question.  -John
        \_ 1. yes.  The only thing wrong with your plan is that as nerdy as
           you are, you may *NOT* be at front of computer all the time.
           After a while, when people couldn't reach you via the Skype
           number, they will STOP calling you.  I recommend you also purchase
           couple SkypeOut credit; and also set up a call-forwarding on your
           SkypeIn number to your local cell phone.  THis way, when you are not
           at the front of computer or your computer is off, calls will
           be forwarded to your cell phone.             kngharv
           \_ No.  You get voicemail with your skypein number.  I'm using
              it (my Swiss cell phone is forwarded to my CH skypein
              number while I'm in Chile.)  When you start your Skype
              client, it tells you you have voicemails.  Works a charm,
              worth the money.  -John
              \_ duh, voicemail come with the SkypeIn number.  My experience
                 is that after a while, people just sick of calling because
                 he/she gets voicemail all the time.  Skype forwarding
                 service would keep people interested in calling this number.
                                                kngharv
                 \_ That wasn't his question.  -John
        \_ There are other similar VOIP service.  For example,
           http://voicestick.com offers FREE virtual # anywhere in USA.  It
           can then forward anyone calling that # to anywhere in the
           world.  Of course you pay for the forwarded calls.
2006/6/13-15 [Computer/SW/Security] UID:43377 Activity:nil
6/13    ok, memorizing all these passwords is driving me insane. I
        know this has been asked before but I cant find it: whats the
        best way to keep a password-protected file of very sensitive
        information? in this case, all my other passwords. thanks
        \_ I use http://www.bugmenot.com
        \_ Whatever happened to this single login thing called the
           MS Passport or something?
        \_ I just use a yellow sticky note on my monitor.  Works like a charm.
        \_ I use a Palm Pilot that is password protected. I then have a
           Crypto program on it (also requires a password).
           \_ the second part is very important, cause even if you password
              protect the file using Palm's native password protection, the
              document is downloaded in unencrypted format when you sync to
              your computer.  I use Keyring for encryption:
              http://gnukeyring.sourceforge.net
        \_ I pgp encrypt this password excel file. You should have
           some password level as well:
           - password to this excel file
           - password for financial sites
           - password for secure e-commerce sites
           - password for other non secure sites
           A secure password can be the initial of your favorite
           phrase. I consider sites that emails back your password in
           plaintext as non-secure site. Good sites should reset your
           password to a random one in the worst case.
        \_ For passwords I don't get to choose, I use this:
           http://www.schneier.com/passsafe.html on PocketPC
           For passwords tied to domains, I use a command line version of this:
           http://bushong.net/dave/webpasswd
           (generates a reproducible hex hash)  --dbushong
        \_ http://keepass.sourceforge.net
           Also, in the same vein as generating passwords from hashes,
           here's a Firefox extension to make it more convenient:
           http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer
           \_ Ooh.  Great minds think alike.  This one looks more secure than
              mine (uses a Base64 variant encoding rather than Hex).  Alas,
              I can't switch now or I'd have to check 2 of them :-) --dbushong
        \_ this program is really old but it's simple and works (for windows
           users): http://www.passkeeper.com
2006/6/12-13 [Computer/SW/Security, Health/Women] UID:43355 Activity:nil
6/12    http://news.yahoo.com/s/nm/20060612/od_nm/newzealand_streaker_dc
        Are all New Zeland women as attractive as this one? Are they
        more fit than say, American women in general? Damn I gotta
        move there!
        \_ Most of the women I've met from New Zeland looks more like
           this:
http://www.manuphotos.com/images/NEw%20Zealand/NZ%20Maori%20Woman%2001.jpg
2006/6/7-9 [Computer/SW/Security] UID:43302 Activity:nil
6/7     Rails question:  I've got data in a number of tables, all of it owned by
        one site "user" or another.  Is there a nice clean standard way
        (probably at the model level) to validate whether the current user has
        access to the requested bit(s) of data?  (Hopefully that's not too
        inefficient)  I tried some obvious things, but Model classes don't have
        access to your session data, so they can't trivially see what user id
        is making the request.  Or does this sort of thing not belong in the
        models.  Thoughts?
        \_ Try handlers.  Install a handler that will do the ID check, then
           throw an exception if it's fails.  The model has access to the
           session data, otherwise you can't do anything custom wrt to
           the session, so I don't know what you're talking about.  -marked
2006/6/7-9 [Computer/SW/Security] UID:43295 Activity:nil
6/6     Where can I find the RSA host key to put in a .ssh/known_hosts (or
        whatever exactly it's called) so I can ssh to csua?

here use mine
|1|42db5+KDy9Hano4lbj/SgFMPKDs=|taKwtpIOjvjZb9S9EIZ+pMbK7pQ= ssh-rsa AAAAB3NzaC1\
yc2EAAAABIwAAAQEA4F3Vgzyef4WlQqLst2xqi+yiRTdg1f4enDPkeT1zSFqhOFNXGoFlKJOGHRmpfwm\
Fxpa0eS6PVtleoI4b5kTbx0C9mA1OFXFVbZNlwjH6Hmife/NZazI4Nhe6Gl7JTNHBliu6VD6KLct66iA\
tZVUhOmM3gmbMfhgIqfbTvtPTLcYGeGHMz+X7dzWPMxMOqoD4iCXIthuLImijbL1HPqX1G65R048MWL1\
eHctxOi+XeFKzvAJ37iez2+prakglPkyAU6jg9luRiPtVQmjD3Q9gp+kenZGKKIK0FiuCuX+avuid5+5\
2psfIl6UWGbXl4VciV5QWZ6AdUmiEsEovZ9DbBQ==
2006/6/6-9 [Computer/SW/Apps/Media, Computer/SW/Security] UID:43284 Activity:nil
6/6/06  http://www.eff.org/deeplinks/archives/004721.php
2006/5/29 [Computer/SW/Security, Politics/Foreign/MiddleEast/Iraq, Politics/Foreign/Europe] UID:43215 Activity:nil
5/29    Castro's Cuba
        http://www.therealcuba.com/index.htm
2006/5/20-22 [Computer/SW/Languages/C_Cplusplus, Computer/SW/WWW/Browsers, Computer/SW/Security] UID:43123 Activity:nil 61%like:43119
5/19    I need a simple plug-in 128-bit (or so) C encryption library.
        Semmetric key is easiest, but public key is ok if that's the only
        thing I can get.  Any ideas?
        \_ symmetric
        thing I can get.  Any ideas?
        \_ http://mcrypt.sourceforge.net --dbushong
           \_ Thanks, I'm checking it out.
2006/5/17-22 [Computer/SW/Security] UID:43078 Activity:nil
5/16    Blue Security gives up:
        http://csua.org/u/fvo
2006/5/10-12 [Academia/Berkeley/CSUA/Motd, Computer/SW/Security] UID:43004 Activity:nil
5/10    Can we get kais motd intellidiff back now that cgi is re-enabled?
        \_ No. "suexec" is not enabled so it is run as "nobody", which means
           I need to make EVERYTHING world readable, including the index.cgi
           in which I embed mysql password. I am not enabling anything
           back till suexec is added. Until then, soda is insecure, and
           I'm not going to risk security for convenience.    -kchang
           \_ root: Can we get suexec set up? -intellidiff #1 fan
           \_ Mysql has fairly granular permissions.  Why not set up an
              account that has read-only access to the appropriate tables?
              \_ Because it also needs to write to certain directories/files.
                 In the end it's a lot of trouble and I don't have
                 time to code a workaround now. Look. Enabling suexec
                 takes 30 seconds, so it is a solution that has a much
                 higher work/time ratio. I'm no no hurry. I can wait. -kchang
                 higher work/time ratio. I'm in no hurry. I can wait. -kchang
              \_ How can we access mysql from soda?
                 \_ I compiled my private copy on a separate port and
                    not sharing it                              -kchang
2006/5/8-9 [Computer/SW/Security, Computer/SW/Unix] UID:42979 Activity:nil
5/8     A friend of mine still hasn't gotten his account reactivated even
        though he sent photo id. Is this still being worked on?
        \_ soda root == students
           may 12 == start of finals.
           I'd say a little patience is in order.
           \_ Granted, but 3 weeks is a long time. Could you update the
              website so they have a clue. 4/17 was in a galaxy far, far away.
2006/5/8 [Computer/SW/Security] UID:42976 Activity:moderate
5/8     why you are getting all that blue frog spam
        http://q.queso.com/archives/001917 - danh
        \_ While I'm not ready to call it outright bullshit, I'm skeptical:
           * Most DNS operators with a clue set TTL values to cache records
             for 24 hours to one week.  The DNS notify mechanism leaves much
             to be desired.  Thus, changing a DNS pointer is unlikely to
             divert a DoS attack.
           * Many DoS attacks hard code the ip of the target both to avoid the
             added complexity of DNS lookups and because, if the code is
             written by a script kiddie moron, he may botch it and do the DNS
             lookup before sending each packet which slows things down
             spectacularly.
           -dans
           \_ and I call bullshit here, because the TTL values of a domain are
              under control of the domain's owner (or at least the nameserver
              the domain is master'd from), and any DoS attack hardcoded to
              an IP is trivial to defeat by changing the IP of your web/service.
              And TTL only comes into play when an address is cached, which
              isn't likely to be the case with all the clients participating
              in a DDOS.
              -ERic
              \_ Correct, ttl values of a domain are controlled by the
                 domain's owner, but if ttl values are set to sane values,
                 e.g. 24 hours to 1 week, then it will be 24 hours to 1 week
                 before reducing them will have any effect on cache behavior.
                 If DDoS clients actually perform DNS lookups, then the vast
                 majority of lookups will go through caches, which won't
                 refresh their content until ttl expiry.  It would be
                 enlightening to see what http://bluesecurity.com's DNS records
                 looked like the week prior to the attack.  Also, changing the
                 IP of your service doesn't help if you just hop to a new IP
                 address on the same network, since modern DDoS attacks
                 overwhelm your upstream network pipe(s), and not just an
                 individual host running a sppecific service. -dans
        \_ This guy doesn't really have any idea what he is talking about:
           he can't explain correctly how Blue Security really works and
           instead of bothering to learn, he just argued with the people
           trying to teach him. Finally, he just turned off comments rather
           than accept that he was wrong. He sounds a bit like Bill O' Reilly.
           I wouldn't really take his explaination for what happened at
           face value, given his record. -ausman
2006/5/4-7 [Computer/SW/Security, Computer/SW/Unix] UID:42931 Activity:nil
5/4     Ok I need to make a hosting choice soon because my current co-op
        colo is falling apart like http://autobahn.org in the old days. I can
        go with http://dreamhost.com, http://textdrive.com, or http://johncompanies.com [from
        which dans heard good things about]. I really like johncompanies'
        virtual machines because you get root, but it is a whopping
        $47/month!!! http://dreamhost.com is dirt cheap, but you share
        resources and it's probably just as secure as soda (which is
        not very). I haven't heard anything about http://textdrive.com.
        What do you guys use and recommend? Thanks.
        \_ i have a bunch of stuff hosted with dreamhost and have been
           very happy with them. i was referred by another sodan. alot
           of guys at gamespy use dreamhost as well and love it. -shac
           \_ How much quota, IP/hosts, do you get, and how much do you pay?
              \_ i pay annually. so i paid $120 for 1 year starting at 20GB
                 disk, 1TB monthly transfer. each month they increase both
                 of these numbers for you so im probably at like 22GB and
                 whatever monthly transfer. the longer you are a customer
                 the larger your quotas are. see their pricing comparison.
                 http://www.dreamhost.com/shared/comparison.html
                 -shac
        \_ which coop is dieing?  how much do you use now?
        \_ i've heard good things about simpli.biz
        \_ JohnCompanies kicks ass.  You send mail and.. John mails you back
           in like 2 minutes.  None of the trouble-ticket-queue bullshit.  On
           the flipside, yeah, they're (relatively) pricey and you have to do
           all the admin themselves, and if John dies in a carcrash, I'm not
                                            \- that is the scenario i call
                                               BUS TERMINATED. --psb
           sure how much human failover they have.  --dbushong
           \_ HA that's pretty funny. But how do you know johncompany is
              run by 1 man, and if other companies aren't in the same
              situation?
              \_ I don't, but if you go with <insert random huge company>
                 it's unlikely.
        \_ Oh, if you are doing anything art or community oriented, consider
           Laughing Squid. -dans
2006/5/3-5 [Computer/SW/Security, Computer/SW/Mail] UID:42921 Activity:nil
5/3     Can anyone recommend an e-mail service that provides POP3/IMAP and
        SMTP with encrypted authentication, From: address to whatever you want
        it, isn't zombie-land, has minimal service interruptions, and won't
        go away?  Doesn't need to be free.  Really imporant to have minimal
        service interruptions.
        \_ Gmail!
           \_ From: address always defaults to @gmail.com.
              \_ I believe you can change this in Settings->Accounts.
                 There is no IMAP though.
                 \_ Cool, I just tested it.  Works through SMTP auth port 465
                    too.  Thanks. -op
              \_ Not if you're using SMTP, afaik.
2006/5/3-5 [Computer/SW/Mail, Computer/SW/Security] UID:42918 Activity:nil
5/3     In the light of what happened recently, should I stop using soda
        for any important communications and get a gmail account instead?
        \_ FYI, I am making my ISP account (Comcast) my main e-mail point.
           My problem with gmail is that the From: address is automagically
           replaced with your @gmail.com address, whereas I can make it
           whatever I want with Comcast as long as I authenticate.
           I do realize Comcast is the source of most zombie spam.
           This is after having used soda as my main mail account since '92.
           Props to all the undergrads who have kept soda up, anyway.
           \_ Comcast is a bad idea. Comcast is a spam target and also means
              you are tied to that ISP. Better to convert to gmail.
              \_ because, you know, gmail isn't a spam target.  -tom
                 \_ No, but it does have good spam filtering built-in.
                    Still, what is a good reason for using comcast over
                    gmail? I'd rather use soda. Or <DEAD>cal.berkeley.edu<DEAD>.
                    \_ I don't use comcast, but web interfaces to email
                       suck, and gmail still doesn't offer IMAP, right?  -tom
                       \_ Well, gmail is faster than any other webmail I've
                          used, and the searching/labeling/filtering system
                          is pretty good. Gmail is the only webmail I've used
                          that I could put up with daily... although I still
                          only use it for certain things. Maybe eventually
                          they will have IMAP. I saw some kind of beta 3rd
                          party attempts at providing IMAP gmail access.
                          Shrug.
                       \_ "web interfaces to email suck" ?? what are you
                          talking about? gmail is easy to use, has key-
                          board shortcuts and is accessible from anywhere
                          without worrying about ssh'ing or crap like that
                          \_ One drawback of web mail is that if you don't
                             access it within X time, your account can
                             go byebye. Although gmail's 9 months is I think
                             much longer than any other free webmail.
                          \_ Let me be more explicit; non-web GUI mail clients
                             have better interfaces than web-based mail
                             clients.  It can be useful to have access to
                             a web-based client, but the web interface is
                             signficantly less effective for day-to-day
                             activity.  -tom
                                \_ gmail supports POP/SMTP, so you can use
                                   other email clients like outlook and
                                   mac mail client.
                                   \_ but not with multiple mailboxes, so
                                      what's the point?  -tom
        \_ Most people stopped using soda for important communications a
           long time ago.
        \_ Yes, it's pretty obvious that gmail will be more reliable for
           things like that. I use both.
        \_ I echo the op's concerns and am switching to my primary e-mail to my
           ISP as well (SBC). If you lived in a neighborhood for 10 years,
           loved it, then all of a sudden couldn't get access to your house for
           2 weeks because their was a break-in, while the local police was
           processing your paperwork, I would move.  Again, not enough praise
           can be given to those volunteering their time and effort to maintaining
           this environment.  It's a testament that it's has as much uptime as it
           does.  But as your primary account, it would be awful to go
           through that again.  I think free e-mail services are risky because
           they can start charging at anytime or start going downhill
           (ie. Hotmail).  If you are happy with your ISP and plan to use them for
           awhile, why not go with them, at least you have greater control of the
           risks.
        \_ I'm still using soda for most things just because, it's really
           nice to be able to hand someone an email address you can be
           fairly sure will still be there in 5 years.
           \_ Why not just register your own domain ($2 to $30/year), and
              point it at a cheap virtualhosting/email provider ($10 to
              $50/month)? -dans
              \_ because there are free, or already-paid-for alternatives.
2006/5/2-5 [Computer/SW/Security] UID:42892 Activity:nil
5/2     Okay, I think I get it now.  If I want password-less login to
        soda, then I need to do the whole generating the public and private
        keys which requires a pass phrase, if I can put up with entering
        my unix password every time in SSH or PUTTY, then I don't need
        to do the whole ssh-keygen stuff.  Is it correct?
        \_ Yes.  But if you go password-less, then if soda is compromised
           again, you won't need to change your unix password.
           \_ why is that?  if soda is compromised then they have access
              to the unix password too.
              \_ Not if you didn't type it in while soda was compromised. -tom
                 \_ Unless it was cracked, which basically depends only on
                    how motivated the attacker is. -gm
                    \_ This is why a couple of soda users choose not to have
                       passwords at all -- they have "*" for their password
                       in /etc/shadow, so ssh keys are the only way they can
                       log in.  For those users, an attacker who gets soda's
                       password file won't have anything to crack.  --mconst
                        \_ how do you put * in /etc/shadow?  I can't even
                           view it?  so if I don't want to use unix password,
                           I need to ssh-keygen on my client server, then copy
                           the generated public key to soda under .ssh/ folder?
                           I should not copy my private key on soda though, right?
                           \_ Unfortunately, it's not possible for you to do
                              this yourself.  If you really want to have no
                              password, mail root and we can remove it for
                              you -- but before you do that, you might want
                              to try just setting your password to something
                              random and not using it for a while.  This will
                              give you a chance to get used to ssh keys and
                              see how you like them, and if anything goes
                              wrong with your ssh keys, you'll be able to log
                              in with your password and fix them.  And yes,
                              your ssh-keygen stuff is exactly right.  You
                              didn't mention this, but when you put the public
                              key on soda, you need to put it in a file named
                              .ssh/authorized_keys.  --mconst
                                \_ thank you bery much! this helped alot in clearing
                                   out my confusions.
        \_ I was told because of the comprise, my ssh private key may be
           stolen as well, but how is that possible?  I thought the ssh
           private key is on the client host, not on the server host (i.e.
           http://csua.berkeley.edu)?
           \_ Some people put their private keys on soda (with a passphrase,
              I would hope). If you did, then both your private key and your
              passphrase may have been stolen. If you didn't store your private
              key on soda, you should be fine. -gm
              \_ they put their private keys on soda, is it because they want
                 to use soda as a client to a different server?
                 \_ Exactly.
              \_ the private key would be under .ssh/ right?
2006/5/1-4 [Computer/SW/Security] UID:42878 Activity:nil
5/1     Where can I find step by step instructions to change my ssh pass?
        How do I change my login password?  Sorry I haven't been on unix
        for too long.
        \_ What do you mean?  You mean your login password?  Run passwd.
           You mean the password used to decrypt your private key?  If you
           stored a private key on soda, shouldn't you assume that's been
           compromised too and generate a new private/public key pair?
           \_ yes the compromised passphrase fo rdecrypt the key.  Please
              how do you remember the steps to regenerate a new priveate/pub
              key?  All I remember there were some very tricky steps to generate
              the key.  Like I either 1) have to use the keyboard that is on
              the server; or 2) use the java interface to generate the key
              Now I can't find the procedures on csua website....
              \_ You seem to be confusing ssh keys with the ridiculously
                 paranoid (and not altogether useful) "advice" on securing
                 your pgp/gpg key.  Try "man ssh-keygen"
        \_ Passphrase you mean?
        \_ Would this help? http://www.csua.berkeley.edu/ssh-howto.html
        \_ http://www.csua.berkeley.edu/~ranga/notes/ssh_nopass.html
2006/5/1-4 [Computer/SW/Security, Uncategorized/Profanity, Computer/SW/Unix] UID:42873 Activity:nil
5/1     Fuck it.
        RSS wall feed isn't down, so much as only serving out my little diatribe on
        the life and death of the hack.
        I got shit to do. Later.
        --michener
        \_ Bring it back.  This is *your* organization.  It should run *your*
           code.  If bitchy alums, myself included, have problem with it, fuck
           em!  If bitchy alums have a problem with google seeing it, tell
           them to get off their asses and write robots.txt file to fix the
           problem. -dans
           \_ root staff seems much more inclined to ignore than do anything.
              It's rather discouraging for alums to even bother trying to
              help when work making old desired software run is ignored, and
              for requests that people "mail root if you want to do this," are
              met with much silence.
           \_ yes, you can "fuck em" but if the existence of a feed
              makes people revolt, and not use wall logging, and therefore
              make the feed pretty much useless as well, what's the fucking
              point?
              \_ Lowers the alumni noise floor of wall thereby making it a
                 useful channel for undergraduate signal?  Sounds like a win
                 to me. -dans
                 \_ that way all 6 undergrads can talk.  If the alumni noise
                    is a concern for them, I'm sure they can figure out
                    how to make a second wallall channel
                    \_ If, as you indicate, there are only 6 active undergrads
                       in the organization, then perhaps the CSUA has run its
                       course and should be shut down.  Of course, you're
                       wrong, so the point is moot. -dans
                       \_ Do you actually work on getting stupider every
                          day?  -tom
                          \_ For you tom?  Anything. :-*
                             It's cute how you define stupid as "Any view
                             that doesn't support what you believe."  Here in
                             reality, i.e. that place outside of the bubble
                             you live in, we call that closeminded and
                             juvenile.  meh.  Bored now. -dans
                             \_ Coming from you, this is hilarious.
                                \- but is it ironic?
        \_ Let me add some useful info to this debate.  For the record, I
           think it's a cool idea, and don't care of Google indexes wall, in
           which case you could just reenable it as is.  But, the bitchy
           alumni can read these:
           http://csua.org/u/fok - How do I request that Google not crawl
           parts or all of my site?
           http://csua.org/u/foj - How can I remove content from Google's
           index?
        \_ Interesting and useful. But, really. I seriously have code to
           write for classes and such and shit to do. So I'll revisit at
           a later date. Until then, bad alums, no cookie! ;) --michener
2006/4/21-24 [Recreation/Activities, Computer/SW/Unix, Computer/SW/Security] UID:42798 Activity:low
4/22    ok, so maybe a dumb question, but a coworker just asked me and I'm
        not sure the answer: so is it possible to view the standard
        output of a process running on your system? I do have root. thx
        \_ truss/strace, with the option to print the entire syscalls
           \_ ok, let me rephrase: there is a process running on my system.
              I did not start it. I am root. I have just the process id
              (from ps) ... is there some way I can see std out/err? thx
              \_ you can't see what has -already- gone out to stdout/stderr
                 if you look at the write() calls for stdout/stderr (by fd)
                 you can see what it is putting out -now-.  truss -p pid
        \_ try /proc/<pid>/fd   \
                 \_______________\_  this was all helpful. thanks.
2006/4/19-23 [Computer/SW/Security] UID:42785 Activity:low
4/19    Hey, IMAP and IMAP/SSL aren't accepting my password.  Is this
        happening to anyone else?  I can login fine using ssh.  It had been
        working up until someone turned off POP.
        \_ Is it possible that SASL is configured to use a different
           authentication backend, e.g. PAM, than logins, which I believe use
           LDAP? -dans
           \_ Wrong.
              \_ I asked if it's possible.  I've seen this error on other
                 systems before.  Do you have any constructive suggestions?
                 -dans
        \_ SMTP auth... please
        \_ oh goodie, they both work now as of 1:30pm today (the 20th, and it
           wasn't working an hour ago). -op
2006/4/18-23 [Computer/SW/Security, Computer/SW/WWW/Server] UID:42779 Activity:nil
4/18    Thanks mrauser for the call just now.
        root:  I think one of the next priorities can be enabling POP3/SSL
        and IMAP/SSL.  I'm going to download e-mail with the unencrypted
        connection, but I'll probably change my password once every couple
        weeks until the above gets online.
        Most if not all of the official UC e-mail systems now require SSL
        for downloading and sending e-mail, right?
        \_ Actually, all password transactions must be encrypted according
           to the Minimum Standards for Networked Devices policy.  -tom
        \_ IMAP/SSL is now up, POP3 is down entirely. That should suffice
           for the moment. -michener
2006/4/18-20 [Computer/SW/Security, Computer/SW/Unix] UID:42775 Activity:moderate
4/18    Some thoughts about securing a machine.  Feel free to add your
        expert opinions. --ricky
        * Securing a machine that allows interactive logins by users
          is _very_ hard.
        * Reduce suid binary to absolute bare minimum.
        * Perform automatic _remote_ checksums from a machine that is
          separate and is not accessible by regular users.  Usually,
          NFS is recommended for this.  Basically, have a remote
          machine regularly check critical files on the machine and
          alert root if anything changed.
          \_ This existed a while ago, called Tripwire. Started as a
             a research project and grew to a startup. Many people tried
             it but gave it. The concept is easy, but in practice, it takes
             damn too much time. All of the above suggestions are good,
             but in the end, if the cost of manageability is high, no
             one will care. Lastly root and politburo aren't paid to do any
             of the above stuff and most people have better use of their
             time so... why cares. Would YOU like to volunteer
                \_ Why are suggestions being taken as a demand that they
                   do it.  If alumni (or "members") do all this stuff, aren't
                   they just "fucking the undergrads" ?
                   \_ No.  If they storm into the machine room or the office
                      and insist that it be done there way and be done right
                      this minute, then they are fucking the undergrads.
                      Historically, asking nicely and accepting a polite `No.'
                      is not one of the strong suits of the alumni.  Though
                      anecdotal, it's also worth noting that the amount a
                      given alumnus bitches appears to be inversely
                      proportional to the amount of meaningful contributions
                      (time, money, hardware, etc.) he makes to the
                      organization. -dans
                      \_ so you contribute absolutely nothing, eh?  -tom
                         \_ Ah let me clarify that.  The amount a given
                            alumnus bitches at the current undergrads appears
                            to be inversely proportional to the amount of
                            meaningful contributions he makes to the
                            organization.  If the alumni bitch at each other,
                            it has no bearing on the CSUA or its future.
                            -dans
             doing these things ricky? You should attend politburo.
             \_ Agreed, I tried to set up a modern version of tripwire on
                hosts I administered in my last job, and it's nigh unusable.
                It smacks of overengineering, and has too many features
                apparently added by marketing folks trying to sell to the
                enterprise software market.  Furthermore, if you want to be
                really secure, running _remote_ checksums isn't good enough
                since the credentials for soda are likely the same as the
                credentials for other CSUA hosts.  Thus, checksumming soda's
                binaries from screwdriver takes a non-trivial amount of work
                for a trivial gain.  Also, what happens when people trojan
                libraries not binaries?  Should we checksum those to?  Which
                libs? -dans
                \_ ideally you checksum everything, and flag what is 'volatile'
                   and likely to change from day to day.
                   \_ ideally, yes, but that's a really time consuming,
                      tedious, manual process.  Unless you have some '1337 tool
                      to do that for us.  If so, please post a url. -dans
             \_ I have used aide, a tripwire-like tool that checksums files
                in two ways. It works pretty well, and isn't that difficult to
                use.  I found it annoying if I didn't check/update signatures
                before doing package upgrades, which meant I couldn't tell
                whether the changes were intentional from the update or if
                someone had done something to the binaries the same day.
                While there are certain more-secure "ideal" ways to set things
                up (binary on immutable media, running on a separate system,
                database on immutable media, etc.) A simple "on this system"
                "aide running out of /usr/sbin" "database stored locally" while
                not great from a security standpoint, as long as one doesn't
                rely on the lack of warnings and messages to mean you are
                secure, is still a useful tool.
        * Educate users about ssh.  For example, unless the user is
          extremely certain that their private keys are safe (resides
          in encrypted partition, etc.) having empty passphrase is a
          bad idea.  Assuming above is met, using passphrase protected
          key pair and setting up authorized_keys is safer than using
          passwords.
          \_ Education works the best, when people are willing to
             be educated. Do you think people like to be educated?
        \_ It's also vital to keep up with patches to OS and utilities.
           \- ssh wont solve the problem. the problem is a combination of
              clueless users and users who dont care about security [and
              are willing to login from machines with kbd sniffers]
              combined with the close to inevitability of local account ->
              local exploit -> root. i think sloda should adopt the
              position: 1. soda will be broken into and should not be
              trusted ... meaning it should not be used as an outbound
              stepping stone ... no rsh, rlogin, ssh, telnet. i suppose
              you can leave ftp on and i guess scp. 2. do what you can
              about prevention [applying patches etc but also invest some
              in rapid detection. tripwire is a piece of crap but there are
              other tools to do this with ... i maintain checksums on about
              50 things [in some cases OSes, in other cases various data
              trees] and while i dont look at all the data everyday, with
              disk being cheap i can store enough snapshots i can at least
              go back and tell a story if there is a problem found at some
              point. even a half asses checksumming system will get you
              pretty far ... and would certainly pickup a trojaned daemon
              or client. we have some not-very-portable hacks to address the
              case of trojaned libs [these check low level information in
              inodes and compare them to higher level queries and look
              for inconsistencies ... like say in the link count] but these
              are probably not worth the effort ... they were crafted for
              very specific rootkits.
2006/4/18-22 [Computer/SW/Security] UID:42773 Activity:nil
4/18    I'm interested in doing some traffic analysis to see if
        the sshd trojan can be detected by looking at traffic patterns.
        I seem to remember people's inbound sshd connections
        being dropped now fairly frequently [but soda stayed up].
        Can anybody authoritatively speak to whether just some
        sshds were dropped or when one was dropped all were dropped.
        Also I assume outbound sshes were not dropped. I'm curious
        whether the sshd bug was in maybe the checkpointing routine
        when it was writing out to the sniffer log, or it was
        something more random/complex. Unless I get a good lead
        I probably wont pursue this because I'm sort of busy
        now and it's a lot of data to trawl though potentially or
        lot of work to reconstruct. Basically looking for a large
        clustering of sshd drops in time and space without evidence
        of a reboot [other protocols dropped] and not a normal shutdown
        might be smoke -> fire signal.
        \_ Even if this particular ssh trojan was causing the daemon to drop
           connections, why would you assume that this would be true of other
           ssh trojans? -dans
           \- why do you assume i assume it is true of other trojans.
              obviously my concern is we dont know where the soda hacker
              came from and what he did with the sniffed info. assuming
              this same person installed the same buggy trojan elsewhere
              is hardly a stretch. a better question might be: is the
              trojan buggy on just freebsd. and the issueis sshd not
              ssh. ssh trojan and sshd trojan have different implications.
2024/12/26 [General] UID:1000 Activity:popular
12/26   
Results 901 - 1050 of 1108   < 1 2 3 4 5 6 7 8 >
Berkeley CSUA MOTD:Computer:SW:Security:
.