| 2009/2/10-13 [Computer/SW/Security, Computer/SW/Unix] UID:52552 Activity:nil |
2/10 I have an sh file that does a mount.. the mount does an
authentication. I previously stored the username and password
from zenity prompts. However, I can't get a return on the password
field. The following only works on the username:
mount -t davfs "http://blahblah.com/BLahUser11" /mountdir << EOF
${username}
${password}
EOF
It gets stuck at the password. Any thoughts? thanks
\_ Expect?
\_ the username gets passed and a carriage return then a prompt
for the password is there but the ${password} doesn't get
put in nor carriage return. so the script is stuck
\_ /usr/bin/expect
\_ can't use expect. this is an automated installer on other
people's machines. I would have to apt-get expect
No way to do it just with EOFs?
\_ would "for i in 1; do echo $username; sleep 1; \
echo $password; done | mount -t ..." work?
It really depends on how the password is being read.
\_ that didnt work... same behavior
\_ No, this is one reason tools like Expect were invented.
See, e.g.,
http://www.noah.org/wiki/Pexpect#Q:_Why_not_just_use_a_pipe_.28popen.28.29.29.3F
\_ thanks.. i guess i have no choice :) excellent!
\_ Well, that's not to say you couldn't make a very
stripped down version of an expect-like tool
that does what you want, and ship that. Maybe
someone else has already done it.
\_ or use Perl Expect or Python Expect. |
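The pipe-versus-pty point behind the Pexpect link above, as an added example that is not from the original thread: a few dozen lines of stdlib Python (pty, select) that do the one part of expect this installer needs, so there is nothing to apt-get on the target machines. The program being driven here is a constructed stand-in for the mount helper (its name and prompt strings are assumptions, not taken from davfs2): it reads the username from stdin but the password from /dev/tty via getpass(), which is exactly why a heredoc delivers the first line and then hangs. pty.fork() gives the child its own controlling terminal, so whatever it opens /dev/tty for arrives from our writes.

```python
"""Minimal expect-like driver for programs that prompt on /dev/tty.
Added example; not code from the original thread or from davfs2."""
import os
import pty
import select
import signal
import sys


def _read_chunk(fd, timeout):
    """One read from the pty master. Returns None on timeout, b'' at EOF."""
    ready, _, _ = select.select([fd], [], [], timeout)
    if not ready:
        return None
    try:
        return os.read(fd, 4096)
    except OSError:          # Linux reports EIO once the child closed the slave side
        return b""


def run_with_answers(argv, steps, timeout=5.0):
    """Run argv on a fresh pseudo-terminal and answer its prompts.

    steps is a list of (prompt, answer) byte pairs: wait until prompt shows up
    in the child's output, then type answer followed by a newline. The child
    is started with pty.fork(), so the slave side is its controlling terminal
    and a password read from /dev/tty (which a heredoc or pipe on stdin never
    reaches) gets our answer. Returns (everything the child printed, wait status).
    """
    pid, fd = pty.fork()
    if pid == 0:                       # child: become the program under test
        try:
            os.execvp(argv[0], argv)
        except OSError:
            os._exit(127)
    captured = b""
    try:
        for prompt, answer in steps:
            buf = b""
            while prompt not in buf:
                chunk = _read_chunk(fd, timeout)
                if chunk is None:
                    raise TimeoutError("no %r after %ss, saw %r" % (prompt, timeout, buf))
                if chunk == b"":
                    raise EOFError("child exited before %r, saw %r" % (prompt, buf))
                buf += chunk
            captured += buf
            os.write(fd, answer + b"\n")   # answer goes through the tty, never argv
        while True:                        # drain output after the last answer
            chunk = _read_chunk(fd, timeout)
            if chunk is None:
                os.kill(pid, signal.SIGKILL)
                break
            if chunk == b"":
                break
            captured += chunk
    except Exception:
        os.kill(pid, signal.SIGKILL)
        raise
    finally:
        os.close(fd)
        _, status = os.waitpid(pid, 0)
    return captured, status


# Constructed stand-in for the mount helper (assumption, not davfs2's code):
# username via stdin, password via /dev/tty, then a line confirming what it got.
FAKE_MOUNT = [
    sys.executable, "-c",
    "import getpass; u = input('Username: '); p = getpass.getpass('Password: ');"
    " print('got', u, len(p))",
]


def demo(username="alice", password="s3cret"):
    """Drive FAKE_MOUNT through both prompts; returns (output, exit code)."""
    out, status = run_with_answers(
        FAKE_MOUNT,
        [(b"Username:", username.encode()), (b"Password:", password.encode())],
    )
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    return out, code


if __name__ == "__main__":
    out, code = demo()
    sys.stdout.write(out.decode(errors="replace"))
    print("exit code", code)
```

Run it directly to see the exchange; for real use, replace FAKE_MOUNT with the mount command and the two prompt strings with whatever it actually prints. The answers travel through the pty write, so the password never appears in the child's argv and is not visible in ps. For davfs2 in particular, read its man page before driving a prompt at all: it can take credentials from a secrets file with 0600 permissions, which is also a better place for them than a heredoc inside an installer script shipped to other people's machines.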
| 2009/1/15-23 [Computer/SW/Languages/Java, Computer/SW/Security] UID:52394 Activity:nil |
1/15 http://cwe.mitre.org/top25 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
\_ "Avoid inconsistent messaging that might accidentally tip off an attacker
about internal state, such as whether a username is valid or not."
Really? Fuck you buddy. I don't always remember what my goddamn username
was on your stupid fucking site. Just tell me if I got it wrong thank you
very much. (Just like if my password doesn't conform to the rules for what
a valid password is FUCKING TELL ME WHAT THE RULES ARE. Any attacker knows
that information and giving it to me may remind me what password I used so
please, make our lives easier.)
\_ at that level of frustration i would just choose another website for
that service, or go see the store in person.
\_ http://Buy.com offers no helpful hints, but their prices are good. Does
make me want to strangle people, though. -!pp
\_ I wish there was a counter/way to determine how with online stores
i can be assured of creating jobs/buying american. I am wondering how
much we are screwing ourselves into a longer recession by sending a job
overseas by saving five dollars. I think i'd rather pay the extra $20.
\_ My last three http://Buy.com purchases all shipped from American
companies. |
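The CWE recommendation quoted at the top of the thread, as an added example that is not from the original posts: a login check written the leaky way next to one that returns the same message and does the same amount of password hashing whether or not the username exists, so neither the text nor the response time tells an attacker which half of the credential was wrong. The user table, the salts and the password are constructed for the example; the dummy credential is the part people usually forget, and without it the "unknown user" path returns measurably faster.

```python
"""Username enumeration: leaky login beside a uniform one.
Added example; not code from the original thread or from CWE."""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: one real account.
_alice_salt = os.urandom(16)
USERS = {"alice": (_alice_salt, hash_password("correct horse", _alice_salt))}

# Dummy credential that can never match: unknown usernames are checked against
# it so the unknown-user path costs the same as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_leaky(username, password):
    """Distinct messages, and no hashing at all for unknown users."""
    if username not in USERS:
        return "no such user"                      # confirms valid usernames
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return "wrong password"
    return "ok"


def login_uniform(username, password):
    """One message and one PBKDF2 run on every path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(stored, hash_password(password, salt))
    if matched and username in USERS:
        return "ok"
    return "invalid username or password"


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn("bob", "x"), "|", fn("alice", "x"), "|", fn("alice", "correct horse"))
```

Password-policy rules are a different matter from the poster's second complaint: the rules themselves are not secret, so stating them on the change-password form leaks nothing; what the CWE text is about is the per-account yes/no that lets an attacker build a list of valid usernames.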
| 2009/1/11-15 [Computer/SW/Security] UID:52358 Activity:nil |
1/11 http://www.americanstinker.com/2008/01/barack_obama_and_israel.html \_ well hopefully he has good Secret Service security. |
| 2009/1/5-9 [Politics/Domestic, Computer/SW/Security] UID:52317 Activity:nil |
1/5 http://indiacgny.org/php/showContent.php?linkid=200&partid=96&sub=sub2 IRONY |
| 2009/1/2 [Computer/SW/Security] UID:52311 Activity:nil |
1/1 Is email still down? My outgoing email seems to be not working.
Also ssh password login seems to be not working (but certificate works).
Thanks and Happy New Year. |
| 2008/12/26-28 [Computer/SW/Security, Academia/Berkeley/CSUA/Motd] UID:52296 Activity:kinda low |
12/26 Motd is dead for good, RIP Motd. You will be missed. :(
\_ What about soda?
Date: Sun, 28 Dec 2008 11:56:41 -0800
From: Steven Schlansker <stevenschlansker@berkeley.edu>
To: announce@csua.berkeley.edu
Subject: [CSUA Announce] Soda back up!
Hey guys,
Unfortunately http://soda.csua.berkeley.edu crashed over the Christmas break
when I was out of town and none of the rootstaff with cardkey access to
Soda could get in. About a day's worth of mail was bounced
unfortunately - if you got a bounce message, just try to resend your
email and it'll go through now. Sincerest apologies - I simply couldn't
make it back to Berkeley any faster.
Hopefully everything will be running OK for now. We're still waiting on
our shipment of a new server... the latest ETA is the 10th. Then I
will be rebuilding it (with the help of the rootstaff and some new
hopefully up-and-coming root members!) and we'll put it into production
as fast as we can!
Hope everyone's holidays find them well,
Your VP
Steven Schlansker
_______________________________________________
Announce mailing list
Announce@vermouth.csua.berkeley.edu
http://vermouth.csua.berkeley.edu:1337/cgi-bin/mailman/listinfo/announce |
| 2008/12/18-2009/1/2 [Computer/SW/Security] UID:52280 Activity:nil 50%like:52218 |
12/18 Hi, is there a how-to to access csua with ftp?
\_ man scp
\_ Thanks that did it. |
| 2008/12/2-7 [Computer/SW/Security] UID:52141 Activity:nil |
12/2 Thomas Sowell is awesomely cantankerous in his most recent column
I love this line: Working in a homeless shelter is widely regarded as
"community service" as if aiding and abetting vagrancy is necessarily
a service, rather than a disservice, to the community.
\_ Wow! A pompous idiot is a pompous idiot! What a shocker! And
look! Nazis! Hitler!
\_ For chrissake. A great deal of homelessness is due to untreated
mental illness. How about this: "treating heart disease is
aiding and abetting unhealthy lifestyles..."
\_ The Hoover Institute is not paying him to write reasonable,
thoughtful opinion pieces where he deals fairly with the root
causes of whatever the hell he's writing about this week. |
| 2008/11/16-17 [Computer/Networking, Computer/SW/Security, Computer/SW/Unix] UID:51999 Activity:low |
11/16 Can I use my SBC Yahoo! DSL login name "xxx@sbcglobal.net" and password
for the DSL at someone else's home?
\_ Why don't you try it...
\_ Don't check your email at your mistress' house. |
| 2008/11/7-13 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:51875 Activity:nil |
11/7 Does this guy have a soda account?
http://www.mercurynews.com/ci_10926276?source=rss (online stalker)
\_ boring
\_ I wonder if Sold Intel Secrets To AMD guy has a soda account. |
| 2008/10/31-11/2 [Computer/SW/Security, Computer/SW/Unix] UID:51769 Activity:nil |
10/31 As root, is there a way to make "passwd" give the same "too short"
and other bad password errors (or at least warn in those cases)? This
is on linux. |
| 2008/10/29-31 [Computer/SW/Security] UID:51721 Activity:nil |
10/29 Bruce Schneier et al. have released their submission for the new
SHA replacement:
http://www.schneier.com/blog/archives/2008/10/the_skein_hash.html
\- btw, worth looking at the MD6 design if you are interested in
this stuff. multicore scalability a "tier 1" goal. |
| 2008/10/23-28 [Computer/SW/Security, Computer/SW/Unix] UID:51654 Activity:nil |
10/23 Woman charged with crime for "killing" (deletion really) of online
character:
http://tinyurl.com/6lspuv
\_ she is weak. She should have created her own character
and then do a backstab on his ass. - turin |
| 2008/10/16-17 [Computer/SW/Security, Politics/Domestic/Election] UID:51551 Activity:nil 50%like:51512 |
10/15 Secret Service says no one said "Kill him" at Palin rally
http://www.timesleader.com/news/breakingnews/Secret_Service_says_Kill_him_allegation_unfounded_.html |
| 2008/10/9 [Computer/SW/Security, Computer/SW/Unix] UID:51447 Activity:nil |
10/8 http://www.scribd.com/doc/4964973/Worst-Captchas-of-All-Time Worst captchas of all time. Some stupid, some funny. |
| 2008/9/21-23 [Computer/SW/Security, Politics/Domestic/SocialSecurity] UID:51253 Activity:nil |
9/21 Obama's Social Security Whopper
http://www.newsweek.com/id/160179
\_ if you say so |
| 2008/9/20-23 [Recreation/Dating, Computer/SW/Security] UID:51244 Activity:kinda low |
9/20 Etiquette question: my gf's boss invited her to his son's bar-mitzvah.
What is a proper attire to wear for non Jewish women? Black & white
only? Long sleeves only? Can you have color? Can you take
pictures? Thanks.
\_ Ok my gf just wore long dress. Turns out they had a super fancy
one with 200 people attending. They spent ~$30K on a bar-mitzvah.
Is that how much they normally cost? It's very impressive.
\_ $30K was more than my wedding, a LOT more. If you're spending
that much on a 13 year old kid, it says a lot about how much
you value bar-mitzvah. Or it could just mean that Jewish
people ARE rich!
\_ Mazel Tov! Think in terms of what you would wear to go to church,
remembering that the actual Bar Mitzvah ceremony will be part of
a service at a synagogue. Think in terms of a dress, a nice pants
suit, or a skirt and nice top. Dress shoes and, if cooler weather,
stockings. Nothing flashy or showing much flesh. There is typically
no need for a head covering--if the congregation likes women to
have head coverings, they'll have something in the lobby for you
to put on. Colors are okay, although subdued would be best.
A card including a check made out to the son is best, which you
can give to the father anytime except during the service. If you've
been invited to a party or a reception afterwards, that's a good
time. It's traditional in Judaism to give money in multiples of $18,
so think something like $54 or $72 or $90, depending on what you
can afford and whether you've been invited only to the service or
to a party afterward. In terms of the service, it will be a
combination of English and Hebrew. The boy will recite prayers in
Hebrew, and a portion of the Torah (what you may call the Old
Testament) in Hebrew. There may also be a short speech in English.
Just stand when the congregation stands and sit when they sit. If
you understand the prayers and are comfortable reciting them with
the congregation, do so, otherwise it's okay, since you're a
visitor, just to read along in the prayer book (called a Siddur).
\_ Give a card that says "In lieu of a gift, my tax dollars
were sent to Israel".
\_ LOL good one!!! It's almost Seinfeld material.
\- ok tnx |
| 2008/9/16-19 [Computer/SW/Security, Politics/Domestic/SocialSecurity] UID:51192 Activity:nil |
9/16 <DEAD>retirementplans.vanguard.com/VGApp/pe/pubnews/SocialSecurityAndWorking.jsf?SelectedSegment=LivinginRetirement<DEAD>
Why Social Security fucks everyone up. Earn too much? Get nothing!
\_ Your reading comprehension is poor. You don't get nothing, you just get
reduced benefits. That Vanguard page doesn't mention that your later
benefits are actually increased because of working later.
\_ You are right, we should let Morgan Stanley run Social Security, they
will do a good job of protecting our retirement money. |
| 2008/8/6-10 [Computer/SW/Security] UID:50801 Activity:nil |
8/6 What kind of captcha would you love to see? List them here:
-Hot or not? TOTALLY
-Male or Female?
-Gay or not?
-Geek or not?
-enormous breasts or regular size breasts?
\_ Chinese, Japanese or Korean?
\_ That would also serve as a test to weed out whites.
\_ Oh come on. It's been demonstrated that Asians can't
tell each other apart either.
\_ What's "captcha"? Thx.
\_ STFW. Or just read http://en.wikipedia.org/wiki/Captcha
\_ I see. But then what does hot or female or gay above have
to do with Captcha?
\_ Hard to program something to automate that check. It used
to be impossible to write a program to recognize the
distorted letters and numbers used in older Captchas, but
technology has caught up.
\_ http://www.badhackerz.com/full-appz/11087-rapidshare-turbo-download-reads-new-cat-captchas.html |
| 2008/7/30-8/5 [Science/Electric, Computer/SW/Security] UID:50729 Activity:nil 78%like:50725 |
7/29 Pepperspray vs. taser, round #1:
http://www.brickhousesecurity.com/self-defense-personalsecurity.html
http://preview.tinyurl.com/5sjfz5 [infowars.com]
http://videos.caught-on-video.com/Player.aspx?fileid=513DC6A2-FF6A-40F9-9893-589AC926FCCE&p=0 (taser takes down a BULL) |
| 2008/7/29-30 [Science/Electric, Computer/SW/Security] UID:50725 Activity:nil 78%like:50729 |
7/29 Pepperspray vs. taser, round #1:
http://www.brickhousesecurity.com/self-defense-personalsecurity.html
http://www.infowars.com/articles/ps/tasers_vs_pepper_spray_evaluation_of_police_weapons.htm
http://videos.caught-on-video.com/Player.aspx?fileid=513DC6A2-FF6A-40F9-9893-589AC926FCCE&p=0 (taser takes down a BULL) |
| 2008/7/28-8/5 [Computer/SW/Security] UID:50711 Activity:nil |
7/28 Everyone's captcha hacked:
http://blogs.zdnet.com/security/?p=1418
\_ I still like the idea of making real people solve captchas to get
porn or torrents or the like. Captchas that are actually used by
other sites. |
| 2008/7/20-23 [Computer/HW/Laptop, Computer/SW/Security] UID:50640 Activity:nil |
7/20 Does my encrypted disk LVM everything partition scheme make my
laptop consume a lot more power than if I weren't using encrypted
LVM? |
| 2008/7/15-23 [Computer/SW/Security] UID:50581 Activity:nil |
7/14 anyone know this guy?
A disgruntled city computer engineer has virtually commandeered
San Francisco's new multimillion-dollar computer network,
altering it to deny access to top administrators even as he
sits in jail on $5 million bail, authorities said Monday.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/14/BAOS11P1M5.DTL&tsp=PSB
\_ The article is short on technologies involved. It sounds vaguely
like he commandeered their domain's administrator account.
\- i suspect waterboarding would be successful in this case.
\_ Is that you in the sfgate comments?
\- no, i didn't read the comments.
\_ probably better that way. they make me sad.
\_ I enjoy how the article says there is no known motive. Anyone who
has hung out with disgruntled sysadmins know that no motive is
needed.
\_ No, but he is the poster child for a BOFH. I wish I knew him,
so I could shake his hand.
\_ Having worked with IT guys who couldn't comprehend the fact that
IT is f***ing support and not an ends to itself I wish I knew
him so I could kick him in the balls.
\_ Depends. IT can be support or it can be an ends to itself.
For the city I'd say IT is a big part of what they do.
\_ IT by itself is nothing. IT is a tool to make other
tasks easier. I accept that. Keep the tools running
is an honorable job. Just admit that's not what you
are doing.
\_ Well it depends. I think you are too limited in
your scope. There are a lot of situations where the
tool is more important than the operator. Making a
job so simple that a monkey can do it is one of the
areas where IT can help and in those instances I
think the IT adds more value than the actual "doers".
At that point where IT is contributing more
significantly to the bottom line I wouldn't say it
is a supporting role anymore, but a key role.
Addendum: What role you would say IT plays at companies
like eBay?
\_ Or Amazon, with the EC2 project?
\_ it might be a big Peoplesoft install.
\_ He made $149,269 working for the gov't, which is not bad now is it?
\_ Previous motd postings lead me to believe that this makes him
rich. Still won't make $5m bail, though.
\_ This is a lot of money, almost as much as I make as a Director
in the private sector. Maybe those public sector IT geeks are
overpaid afterall...
\_ Plus he can't get fired even when he's clearly got issues and
he probably has better benefits than you do, too. |
| 2008/7/13-23 [Computer/SW/Security] UID:50553 Activity:nil |
7/13 Illegal Immigrants prosecuted for social security fraud:
http://preview.tinyurl.com/6c4wm6 [nyt]
Prof. Camayd-Freixas essay re same:
http://blogs.ilw.com/gregsiskind/files/camayd.pdf |
| 2008/7/2-6 [Politics/Domestic/911, Computer/SW/Security] UID:50453 Activity:kinda low |
7/2 On the torture debate (or maybe just flame fest), the claim that
torture doesn't work is true most of the time but untrue some of the
time. Most of the reasoning for pro-torture positions doesn't make
sense to me, I feel like it's not logical to give support to something
that doesn't produce results while the same time being oppressive.
The one thing I think I can see is that I make a decision that I
would rather have a little less security to have more human rights/
civil liberties. When Patrick Henry said "Give me liberty or give me
death" he didn't mean unless he might get hurt. I can understand
that if you won't tolerate any threat to your personal security (at
least any threat outside of our government) it would be in your best
interest to want them to torture anyone they thought might be involved
in terrorism. But to me that seems like a cowardly approach, a
minimal risk to yourself is worth the gain in liberty for all. It's
easy to see that deaths from terrorism << torture/government
repression. -mrauser
\- the ticking time bomb scenario has long been "the standard"
classroom hypo after THE TROLLEY PROBLEM for the tension between
UTILITARIAN theories [cost-benefit analysis] and DEONTOLOGICAL
theories [torture is wrong. the exact reason it is wrong depends
on the flavor of deontology, but probably "the standard" again
is the kantian one but maybe simpler to understand is the RDWORKIN
"RIGHTS AS TRUMPS" view ... mostly this is beyond the scope of a
motd discussion]. but the "i only care about me" sort of begs
the question ... since a core question of moral philosophy is
"what do we owe others" and you're pretty much saying "nothing"
in that "degenerate" case. EGOISM may be an apt description of a
lot of people, but it's not really a philosophy [although i
suppose maybe FWNIETZSCHE might have spun it into one, but i am
not really an expert on FWN ... and that is also beyond the
scope of the motd]. here is a problem with the "results
oriented" view: do you think it would be categorically wrong
to say torture a family member of the terrorist ... say KSM's
wife and kids ... if that would be a highly effective way of
producing results. if you want "the standard" critiques of
utilitarianism, see BERNARD WILLIAMS [formerly UCB Dept Philosophy,
now dead] and AMARTYA SEN ... at the core, utilitarianism
does take persons/rights seriously. Williams also has a very
influential critique of deontology, but that may be a little
hard to follow.
\_ I've heard of the ticking time bomb, and it's pretty easy to feel
saying you would torture the guy, because in this magical fantasy
he is directly responsible for the bomb being there and you know
that there must be a bomb so there is a perverse justice in
torturing him to make him tell you. But as a real world example,
it holds no water, because how often do you KNOW that there is
a threat and the person in front of you has specific knowledge
of it. You torture without this information, in the hopes of
getting it. Another scenario, say a terrorist kidnaps someone's
family and then tells that person where they put a bomb in a
building, but they tell that person if they tell the authorities
they will kill their family. So do you torture a complete
innocent who has a self interest in not telling you the info?
Here is a scenario which is nearly as plausible as the ticking
time bomb, but I don't think anyone could feel good about either
option. The problem to me is that torture is used in ambiguous
situations with a presumed guilt or presumed having of the info.
I think that because torture can really never be used with
certainty, it should never be used at all. Plus, there is a
strong argument that it leads to false confessions and false
information just as long as it leads to good ones. -mrauser
\_ look up "a fortiori"
\_ Your writing is only partially intelligible. What was your
"i only care about me" and "what do we own other" sentence
referring to? |
| 2008/6/25-7/14 [Computer/SW/Security] UID:50380 Activity:nil |
6/25 some XCF or CSUA person had a web page about a project they were
working on where I set up a machine, and you set up a machine
somewhere, and they both passively back each other up, i believe with
an encryption key so i can't read your backups. when your disk
catches on fire, i just give you a copy of your data. anyone remember
the name of this?
\_ crashplan?
\_ You might be thinking about oceanstore:
http://oceanstore.cs.berkeley.edu
But its a slightly different concept and more massively distributed. |
| 2008/6/19-23 [Computer/SW/Security] UID:50314 Activity:low |
6/19 "One in three IT staff snoops on colleagues: survey"
http://news.yahoo.com/s/nm/20080619/lf_nm_life/technology_snooping_dc
\_ Weird, I go way way way out of my way to not snoop on coworkers.
If I get someone to enter in a password, I start studying the
backside of the really hot chick in HR at the other end of the room
so I really have no idea what their password is. I want to keep
out of trouble.
\_ I do the same because I respect their privacy.
\_ Yeah, I decided very early on in my career that I was not
going to abuse my privileges to invade other's privacy. I
would fire anyone I caught doing that. |
| 2008/6/17-20 [Computer/SW/Security] UID:50283 Activity:nil |
6/17 We currently have AT&T (used to be SBC) for local phone service.
However these guys really suck, and my wife hates them. Is there an
alternative local land-line service provider in the Bay area?
\_ Hello, telco monopoly. You want alternate business, voice-over-IP
on a non-AT&T internet connection, or get a cell phone.
| 2008/6/9-12 [Computer/SW/Languages/C_Cplusplus, Computer/SW/Security] UID:50194 Activity:nil |
6/8 CSUA code guru please help. I need to seed my random number
generator with a good seed (I just need random 18 bit
identifiers). The usual time(NULL) is OK, except my program
might be invoked faster than once a second, and seeding using
time() produced the same result. I tried clock() but it seems
to return 0. My program needs to be run in Linux/DOS (Watcom
32bit compiler), so I prefer to stick with standard API.
What's a good way to get some randomness without using special
time function that goes into millisecond precision? Poke at
some random bytes? Allocate a random array? This is in C. If
I allocate say a 64byte block, and XOR the uninitialized
memory, is there any guarantee that it will be a different
64byte block the next time my program is run? Thanks!
\_ What are you doing this for? If it's encryption why are
reimplementing the (really difficult to get right) wheel?
If it's not encryption what is it that needs high quality
random numbers?
\_ I need to assign ID that are unique within a day to
something 30 bit. I am thinking seconds_since_midnight
(17 bits) + a random number (13 bits). If I simply seed
using time(), my rand() will generate the same number if
invoked within a second. So I am now seeding it using
the XOR of time() with 64 uninitialized int on the stack
(again XORed together). This seems to do the trick.
\_ Huh? You only need to seed once. After that you have a
supply of random numbers you can draw on. So just seed by
time when you start the program. Or are you thinking you
are going to invoke main() many times per second? I don't
know what you are doing here so it's hard to give good
feedback, but think in terms of "now I have a stream of
random numbers and I just need to use them."
\_ The program exists after generating one ID.
\_ Do you mean "exits"? S/w like SSH uses prngd to
get around this problem.
\_ Use another random number generator to generate the random seed for
your random number generator! Oh wait ......
\_ What is wrong with rand?
\_ Easiest just to bite the bullet and use non-ANSI C functions.
The random array allocations are not at all guaranteed.
\_ seed it with time and getpid. Expecting uninitialized memory
to have random data runs the risk some chowderhead will take your
code and comment it out when it generates warnings.
\_ Does DOS even have PIDs? Wtf is even using DOS these days...
\_ Embedded applications like digital cameras, I guess.
http://www.datalight.com/products/romdos
\_ you could try opening and reading from a dummy file and then using
clock to seed. That way you'll block on IO and the amount of time
you do that should be relatively random.
\_ I thought about it again and this wouldn't be a good idea
especially if you are running the program often. What will happen
is that the file's memory page will be in cache after the first
read and you won't have good random behavior. You could try
file writes, but in general this is not a very strong
randomness anyways. -pp
\_ You're not a Debian contributor are you? |
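The seeding problem discussed above, as an added example that is not from the original thread, written in Python so the two halves can be compared side by side: the 30-bit layout the poster describes (17 bits of seconds since midnight, 13 random bits), first with the random part coming from a generator seeded from time(), the way srand(time(NULL)) behaves, then with the 13 bits drawn from the operating system's CSPRNG (os.urandom, behind the secrets module), which needs no seed and gives fresh bits on every invocation however short-lived the process is. On Linux the C equivalent is reading /dev/urandom; Watcom/DOS has no such source, and XORing uninitialised stack memory is not one either: the C standard makes no promise about its contents and a compiler may optimise the read away. The function names and the 20-run comparison are the example's own; it also states the birthday bound for 13 bits, which is the real limit of "unique within a day" with this layout.

```python
"""Time-seeded versus OS-randomness for a 17+13 bit daily identifier.
Added example; not code from the original thread."""
import math
import random
import secrets
import time

SECONDS_BITS = 17            # 86400 seconds in a day < 2**17
RANDOM_BITS = 13             # the remaining bits of the 30-bit id
RANDOM_MASK = (1 << RANDOM_BITS) - 1


def seconds_since_midnight(now):
    """Local-time seconds since midnight (0..86399) for a Unix timestamp."""
    t = time.localtime(now)
    return t.tm_hour * 3600 + t.tm_min * 60 + t.tm_sec


def make_id_time_seeded(now):
    """The original approach: seed from time(), then take one rand() value.
    Every process started within the same second reproduces the same bits."""
    rng = random.Random(int(now))            # stand-in for srand(time(NULL))
    return (seconds_since_midnight(now) << RANDOM_BITS) | (rng.getrandbits(32) & RANDOM_MASK)


def make_id(now):
    """Same layout, random half from the OS CSPRNG: no seed, no state to carry
    between runs, different on every call even within one second."""
    return (seconds_since_midnight(now) << RANDOM_BITS) | secrets.randbits(RANDOM_BITS)


def split_id(ident):
    """(seconds since midnight, random part) for an id built above."""
    return ident >> RANDOM_BITS, ident & RANDOM_MASK


def collision_demo(now, runs=20):
    """Distinct ids produced by `runs` separate invocations in one second,
    for the time-seeded scheme and for the CSPRNG scheme."""
    weak = {make_id_time_seeded(now) for _ in range(runs)}
    strong = {make_id(now) for _ in range(runs)}
    return len(weak), len(strong)


def birthday_bound(bits):
    """Roughly how many draws of `bits` random bits before a repeat is likely."""
    return int(math.sqrt(2 ** bits))


if __name__ == "__main__":
    now = time.time()
    print("time-seeded distinct / CSPRNG distinct:", collision_demo(now))
    print("id:", make_id(now), "->", split_id(make_id(now)))
    print("draws before a likely repeat with 13 bits:", birthday_bound(RANDOM_BITS))
```

The bound is the practical caveat: with 13 random bits a repeat within one second becomes likely after roughly ninety ids, so if the program can be invoked that often the random half must be widened or replaced by a counter stored somewhere, and nothing about the seed changes that arithmetic.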
| 2008/5/29-6/1 [Computer/SW/Security] UID:50082 Activity:nil |
5/29 Major jump in unemployment benefits for continuing claims
4Q corporate earnings forecast to be solid
http://www.tickerforum.org/cgi-ticker/akcs-www?getimagenr=5939
(chart)
\_ No Outside Links / Please Sign In
Access to large images, or links from outside sites, are not
permitted unless you are signed into the board. Thank you,
Management
\_ sorry |
| 2008/5/21-23 [Computer/SW/Security, Computer/SW/Unix] UID:50023 Activity:nil |
5/21 remember the big guy who runs Comic Relief in downtown berkeley?
he died, at 50, on monday:
http://blogsearch.google.com/blogsearch?q=%22rory%20root%22
http://www.comicsreporter.com/index.php/rory_root_1958_2008
\_ "Worst. News. Ever" |
| 2008/5/15-23 [Computer/SW/Security] UID:49961 Activity:nil |
5/15 How is Facebook's authentication system different from OpenID?
http://developers.facebook.com/documentation.php?doc=auth
\_ I think the point might be that it is not? We should get dans
back on the motd, I bet he knows. I miss his 50 lines tangents
sometimes.
\_ Conceptually it's the same as OAuth (which merged/is merging
with OpenID). AFAIK, Facebook's lack of support for OAuth
is a political hedge to protect Facebook's 'walled garden'.
-dans |
| 2008/4/26-30 [Computer/Companies/Google, Computer/SW/Security] UID:49838 Activity:low |
4/26 is Google Chat through the web browser encrypted? My sweetie
spends all day chatting with me via Google Chat in gmail
"oh baby i want to **** your **** and then *** *** **** **
** *** ***" and "* **** **** *** **** in ** *** *****".
Could some nosy sysadmin packet sniff her?
\_ Like this really happened with a live woman.
\_ Actually I'm not joking! It's great.
\_ Get her a soda account, then you can both log in via ssh and
chat away to your heart's content.
\_ most likely she's not a UCB student |
| 2008/4/21-5/2 [Computer/SW/Security] UID:49787 Activity:nil |
4/21 Yahoo Instant Messenger is not encrypted. Are there chat programs
that are a bit more secure than YIM?
\_ what OS are you using?
\_ What are your goals? Corporate security, or preventing your wife
from eavesdropping on you? If you're using IM for internal company
communication, you shouldn't be using anything where you don't
control the server; deploy an internal messaging server instead.
Jabber-based servers are popular for this.
\_ I think AIM supports encryption (at least it seems to when I'm
using iChat or Adium). I think GTalk supports encryption as well.
\_ Beware of webcams pointing at your screen!
\_ There is encryption but it's a pain in the ass sometimes.
\_ Both you and your mistress log on to soda using ssh. Then run the
good ol' "talk" program. You two will have a more intimate
experience than using popular chat programs, coz now you can see
every keystroke by the other instead of just line by line. (Imagine
all kinds of real-time animation you can do with the '-' key and the
backspace key.)
\_ install adium or pidgin-otr. Trust in nikitab. |
| 2008/4/17-23 [Computer/SW/Security, Politics/Domestic/SocialSecurity] UID:49771 Activity:nil |
4/16 I've heard that you don't pay social security on income above $90K.
Is this correct? Does that mean ~$8000 a year is the most you ever
pay?
\_ Yes, though the limit goes up every year.
\_ My 2007 W-2 said my Social Security Wages is $97500.
\_ Yes, that was the limit this year. There is no limit for
Medicare. |
| 2008/3/17-21 [Computer/SW/Security, Industry/Jobs, Computer/SW/Unix] UID:49482 Activity:nil |
3/17 http://market-ticker.denninger.net Former sysadmin says Fed measures not
addressing root of problem, IBs/banks will eventually be taken to woodshed
\_ Once again, who cares if he is a sysadmin?
\_ It dovetails nicely with the background of most of the pontificators
on the motd. What's not to like? We really need to get this guy a soda
account!
\_ If sysadmins had run Bear Stearns the company would still be solvent
right now.
\_ He's got tech skills. I've got tech skills. Therefore I care what he
says about the economy...? Huh? He may be 100% on the mark but having
tech skills does not make his writing on the economy any more interesting. |
| 2008/2/29-3/4 [Computer/SW/Security] UID:49303 Activity:nil |
2/28 Hi do I allow only a certain SSH key to run a particular command?
\_ Look for LocalCommand in ssh_config(5). Unless you're
literally asking what you seem to be asking, in which case
you're probably out of luck.
\_ Read the manpages for authorized_keys file if you're using
openssh. You can specify the "absolute command" in there, or
have it call a wrapper and have it process the
$SSH_ORIGINAL_COMMAND variable.
\- see /tmp/authorized_keys.acl-sample for an example.
who is asking? |
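The authorized_keys approach from the second reply, as an added example that is not from the thread or from the /tmp sample it mentions: a forced-command wrapper that reads $SSH_ORIGINAL_COMMAND and either execs an allowlisted command (directly, with no shell, so metacharacters in the request are inert) or refuses. The allowlist entries and the wrapper path are assumptions for the example. LocalCommand in ssh_config(5), from the first reply, runs on the client and restricts nothing on the server side; the restriction has to live in the server's authorized_keys file.

```python
#!/usr/bin/env python3
"""Forced-command wrapper for a single SSH key.
Added example; not the CSUA sample or OpenSSH code.

Matching ~/.ssh/authorized_keys entry (one line, options before the key type;
the wrapper path is an assumption):
  no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/local/bin/sshcmd-wrap" ssh-rsa AAAA... backup@host
"""
import os
import re
import shlex
import sys

# Commands that may run exactly as written (constructed allowlist).
ALLOWED_EXACT = {
    ("uptime",),
    ("cat", "/var/log/app.log"),
}

# Command families whose single argument must match a pattern: read-only git
# access to repositories under one directory, absolute path, no traversal.
ALLOWED_PATTERN = {
    "git-upload-pack": re.compile(r"^/srv/git/[A-Za-z0-9_-]+\.git$"),
}


def decide(original_command):
    """Return the argv to exec for this request, or None to refuse.

    An empty or missing SSH_ORIGINAL_COMMAND means the client asked for an
    interactive shell; that is refused too, since the key is for one job."""
    if not original_command or not original_command.strip():
        return None
    try:
        argv = shlex.split(original_command)       # honours quoting, never runs a shell
    except ValueError:                             # unbalanced quotes
        return None
    if not argv:
        return None
    if tuple(argv) in ALLOWED_EXACT:
        return argv
    pattern = ALLOWED_PATTERN.get(argv[0])
    if pattern and len(argv) == 2 and pattern.match(argv[1]):
        return argv
    return None


def main():
    requested = os.environ.get("SSH_ORIGINAL_COMMAND")
    argv = decide(requested)
    if argv is None:
        sys.stderr.write("sshcmd-wrap: refused %r\n" % (requested,))
        sys.exit(126)
    os.execvp(argv[0], argv)        # replaces the wrapper; no shell in between


if __name__ == "__main__":
    main()
```

The no-* options matter as much as the command: without no-pty and no-port-forwarding the key can still be used to get a terminal or tunnel traffic even though every command is refused. Newer OpenSSH releases (7.2 and later) have a single `restrict` option that switches all of them off at once; check sshd(8) on the server for which spelling it accepts.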
| 2008/2/28-3/4 [Computer/SW/Security, Computer/SW/Unix] UID:49282 Activity:nil |
2/28 Is anyone's IMAP password no longer working?
\_ for the past two or three days, connecting to mead. :(
\_ It works for me. Could you please tell me when you stopped
being able to log in, and what error message you get? --mconst |
| 2008/2/26-3/4 [Transportation/Airplane, Computer/SW/Security] UID:49257 Activity:nil |
2/26 Documentary team says bomb ingredients can still be smuggled onto
airplanes:
http://preview.tinyurl.com/39basa (telegraph.co.uk)
http://preview.tinyurl.com/yqflv9 (thisislondon.co.uk)
The TSA disagrees:
http://preview.tinyurl.com/3b6agt (tsa.gov/blog)
\_ Airport screening is all about making people *feel* safer and
very little about actually making people safe.
\- no, it is about political CYA. |
| 2008/2/25-26 [Computer/SW/OS/Windows, Computer/SW/SpamAssassin, Computer/SW/Security] UID:49243 Activity:nil 80%like:49239 |
2/24 Facebook comscore numbers slipping
http://preview.tinyurl.com/24p9n8 (techcrunch.com)
http://preview.tinyurl.com/2hug7v (hollywoodreporter.com)
Over to you, dans
\_ dans doesn't work at facebook
\_ Slide feeds at the pig trough which is facebook apps:
http://adonomics.com/company/Slide |
| 2008/2/21-25 [Computer/HW/Memory, Computer/SW/Security] UID:49208 Activity:nil |
2/21 Cold Boot Attacks Against Disk Encryption:
http://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html
http://citp.princeton.edu/memory |
| 2008/2/19-22 [Computer/SW/Security, Finance/Investment] UID:49189 Activity:nil |
2/19 http://tinyurl.com/2ymrrc (yahoo.com) GOOG filing warns on near-revenue
growth on reduction of accidental clickthroughs
\_ Wow. I didn't know they were making money from deceiving click regions.
\_ the monkey wants to be clicked |
| 2008/2/15-18 [Computer/SW/Security, Computer/SW/Virus] UID:49158 Activity:nil |
2/15 Digital photo frames carry viruses:
http://preview.tinyurl.com/2w6uc9 (sfgate.com) |
| 2008/1/30-2/2 [Recreation/Computer/Games, Computer/SW/Security] UID:49034 Activity:moderate |
1/30 One of my friends in china is asking me to sign up a world of
warcraft account for him. I am not too familiar with this
game, I am going to buy the game from Amazon, and use the
CD-key to sign up an account. Do I need to tie my credit card
with the account? Since the online game is fee based, I'd
imagine I need a credit to get this to work, if so, then I'll
tell him I can't do it. If I don't need a credit card, then I
will do it. Does anyone on the motd play this game? Can you
enlighten me? Thanks!
\_ Friends don't let friends play the World of Warcraft.
Mothers Against World of Warcraft.
\_ Is this guy a "friend" or an actual friend?
\_ Tell him you can't and let him figure out if you're wrong.
\_ Sometimes these games allow you to buy a monthly usage card online
but I don't know if warcraft requires a cc for signup or has the
monthly thing. I don't understand why your friend can't just sign
themself up?
\_ He claims that he's in China and he can't sign up. How
do I prove he's wrong?
\_ 1.5 Chinese World of Warcrack players?
\_ Go to China and sign up.
\_ Remote-Desktop into your friend's machine in China,
and sign up.
\_ He can't sign up for US servers, only on Chinese WoW servers.
There's millions more WoW players in asia than there are in
the US, but they are all on asian WoW servers.
\_ It's true. If you are a good friend, don't help him to play
WoW in any way.
\_ he probably wants you to get a US version of the game so that
he can get access to US servers. The Chinese version will send him
to chinese servers. His play experience will likely suck due to
more lag, but whatever. If he plans to go into gold farming there
might be more market for his 'product' than if he were on a
china server -- however that's against the game's ToS. Anyway, you
can buy the boxed game and send it over.
If you try to install and sign in, it will either ask for gamecard
or credit card info to get the WoW account started. I'd recommend
not taking that step. -ERic
\_ He might also be trying to make a conduit account. I don't play
WoW, but my understanding is that the Chinese gold farmers need
dealers (conduits) on the US side to deliver their wares.
\_ they have plenty of hacked accounts to do this with.
\_ I can think of a host of reasons why a Chinese person might want
an account on US servers -- most of them involving some form of
ToS violation -- but there are a few legitimate ones. Maybe he
wants to play with US friends/acquaintances. I'm willing to give
them the benefit of doubt. However, whatever you do don't log
into the US game (sign up the account) with your own user
information and/or credit card if you plan on handing the account
over. This makes YOU the 'customer of record' -- the owner of
the account, responsible for whatever mischief your Chinese
"friend" wants to commit with it. -ERic
\_ that's like trying to legitimize one's use of bittorrent
because one uses it to download Linux ISO's, when the reality
is most of one's use is really restricted-copyright mp3's and
videos. Most likely the intended use of this cross-region WoW
account is illegitimate. Gold Farming, selling gold taken
from hacked WoW accounts, etc...
\_ Very helpful replies. Thanks everyone! I am going to just say no. ;) |
| 2008/1/25-2/2 [Computer/SW/Security] UID:49013 Activity:nil |
1/25 Societe Generale uncovers massive fraud - Yahoo! News:
http://www.csua.org/u/kkq
After reading the whole article, I still don't understand how the fraud
worked.
\_ You mean you're supposed to understand anything by reading
Yahoo! News?
\_ It's an AP story. |
| 2008/1/21-31 [Computer/SW/Security] UID:48980 Activity:nil |
1/21 I'm trying to set up Thunderbird at work with gmail via IMAP.
There is a proxy at work such that if I want to view a web page
using Firefox or IE, it prompts me for my network login and
password before it lets me onto the web. When I try to get my mail
in Thunderbird, it won't connect to the server. I already tried
setting the config option to tell it the proxy server address and
port number. But it still won't connect. What can I do to get this
to work, or is it possible that they have it set up at work that no
matter what I do, it won't work?
\_ It is likely that your firewall doesn't allow outbound traffic
on the IMAP ports. You might be able to SSH tunnel it from
soda. -tom
\_ ssh is also blocked at work. I guess I'm out of luck? -op
\_ Try corkscrew. http://www.agroman.net/corkscrew
You'll need to run a sshd on port 443 in most cases, though.
\_ Getting a router that can run dd-wrt or some other
firmware is a relatively easy way to get the sshd
if you don't want to leave your computer on all day.
\_ Maybe this is a sign you should quit your job at the Kremlin. |
| 2007/12/4-7 [Computer/SW/Security] UID:48744 Activity:low |
12/4 Dunno if this is common knowledge ... msft wireless peripheral
crypto cracked ... --psb
http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked
\_ a one byte pad hardly counts as crypto
\_ I guess this doesn't work for the Xbox 360 controllers.
\_ I don't get it, Bluetooth isn't secure either, is it? |
| 2007/11/20-26 [Computer/SW/Security] UID:48667 Activity:nil |
11/20 Okay, password login failed for me again. How do I set up my soda acct
so that I can login using SSL public key?
\_ One tutorial here: http://www.modwest.com/help/kb20-90.html
\_ I can't get it working from that. Either putty won't load the
key generated on soda, or soda rejects my key generated from
putty. Has anyone done this with putty on windows?
\_ You need to import the key you got from soda, into
Puttygen on the windows side, then use the resulting key.
\_ Excellent, that did it. Thanks very much. -op
\_ Condensed into step-by-step here: /tmp/publickey_putty_instruct
Please feel free to correct/distribute. --erikred |
| 2007/11/18-21 [Computer/SW/Security] UID:48654 Activity:nil |
11/17 I need a wiki package that uses sqlite, and lets me
give out username/passwords to limit editing and viewing access
to certain sections. Any suggestions? Thanks.
\_ http://wikimatrix.org |
| 2007/10/18-20 [Computer/SW/Security] UID:48376 Activity:kinda low |
10/18 Subversion woes. We want to be able to go to other developers'
directories and type "svn status -q" to automate scripts.
Now when I do something like this:
user1@:~user2/dev/blah> svn status
svn: Can't open '.svn/blah/_file.tmpl.tmp': Permission denied
However there is no file named _file.* anywhere! What's going on?
\_ it's trying to create a temp file in a directory where you don't
have write access. -tom
\_ Use svn, save a ausman today!
\_ Use svn, save a german shepherd today! |
| 2007/10/7 [Computer/SW/Security, Recreation/Humor] UID:48254 Activity:nil 50%like:48227 |
10/3 Is that a Real Doll? Wow! So real!
http://www.youporn.com/watch/13668
\_ Another one:
http://www.youporn.com/watch/212
\_ It'd be more real if the skin
is not as glossy.
\_ HA! Funny how he pulled out and squirted
on his left hand
so that he wouldn't have to clean up the doll. Now in real
sex... Oh well, I guess it's better than no sex. |
| 2007/9/27-10/2 [Computer/SW/Security] UID:48199 Activity:nil |
9/27 Does anyone have experiences with OpenId and/or TypeKey as to
minimize the effort spent on your web app authentication? How easy is
it to integrate these 3rd party components into your web apps? |
| 2007/9/3 [Computer/SW/P2P, Computer/SW/Security, Computer/SW/Unix] UID:47877 Activity:nil |
9/3 So I was watching the Today Show this morning and in the crowd of
jackasses trying to get on TV, some dude kept emphatically showing a
home made sign that simply said, "lemonparty.org." None the wiser, I
fired up my laptop, curious as to what could possibly be at
http://lemonparty.org. I wondered why he was smiling so mischievously,
shaking his sign in the air each time the camera had him in the frame.
Could it be some family reunion site? A wedding announcement? A site
devoted to lovers of lemons? Oh no, I would not be so lucky.
No sir -- or ma'am -- it was a photograph of three geriatric men
engaged in very passionate adult loving. And by loving, I mean a good
old fashioned three-way.
Of course, I couldn't let it go at this. I had to find out more about
http://lemonparty.org, as it seemed like an inside joke to which I was not
privy. A friendly google search yielded several results, all informing
me that http://lemonparty.org is supposedly a shock site, in the ranks of
loopback.jpg, http://tubgirl.com and goatse.cx. Now, I'm not sure if the
shock value or http://lemonparty.org packs the same punch as the
aforementioned peers, but I can only imagine a suburban housewife or
lonely grandpa typing the web site in as I did, because, well, they
too had nothing better to do.
So why am I sharing this? I honestly don't know, other than I needed
to purge my conscience. I think this was either one of the most
wonderfully subversive things I've seen on TV in a long time, or one
of the more disturbing ones (although I doubt there are many young
kids watching the Today show on Labor Day). But, hey, old guys need to
get it on, too, I suppose; so lemonparty indeed!
\_ Yucks! It's amazing enough that that guy can get it up. |
| 2007/8/28 [Computer/SW/Security, Computer/SW/OS/Windows] UID:47776 Activity:moderate |
8/27 google QA automation stuff, can someone view these videos
and tell me if they're worth watching? thanks.
http://www.youtube.com/view_play_list?p=7D3E685B59779C16 |
| 2007/8/24 [Computer/SW/Security, Computer/SW/Unix] UID:47749 Activity:high |
8/24 Anybody experiencing login authentication problems? I cannot login
using my login and passwd thru ssh on the SECOND attempt and on:
ie, when I do ssh csua, it works once, but not afterwards.
Then when I do ssh http://csua.berkeley.edu, it works once, but not afterwards.
I can STILL login when I use a machine that use ssh authorized public
keys (with the ssh passwd), but not the unix login/passwd.
After I login, when I do a passwd, I get the *new* LDAP passwd prompt
that allows me to change the passwd, but only once. After that,
I can no longer access that LDAP prompt (seems like the LDAP server
is rejecting any requests from a particular host after first attempt),
but instead I get the *old* unix passwd change prompt that won't take
*any* of my passwds:
(current) UNIX password:
passwd: Authentication failure
passwd: password unchanged
After about an hour, if I do passwd, I get the new LDAP prompt again--
but only once again. Basically the LDAP prompt comes back in about
once every hour.
If an admin is reading this please help. Seems like the LDAP server
is down and/or unix passwd is out of sync. Thanks. --pchen |
| 2007/8/24 [Computer/SW/Security, Computer/SW/Unix] UID:47748 Activity:nil |
8/24 Anybody experiencing login authentication problems? I cannot login
with unix passwd thru ssh, although I was able to login using my ssh
auth keys/cert. Then when I type passwd to change the passwd,
I'm getting an LDAP passwd change prompt--but only once: if I type
passwd again, I get the Unix passwd change prompt. In any case,
it won't accept my old passwd nor allow me to change the passwd.
What's going on? Also mail is not working (nothing sent nor received).
I emailed root and get no response yet. If an admin is reading
this please help. Thanks. -pchen |
| 2007/8/18-20 [Computer/SW/Unix, Computer/SW/Security] UID:47652 Activity:kinda low 80%like:47603 |
8/17 hey root you wanna restore /csua/bin/mtd one day?
\_ did you mail root about it?
\_ do you really have to mail root when all of
/csua/bin/ disappears?
\_ empirical evidence would say, "yes, you do". -!root
\_ yeah. |
| 2007/8/16-22 [Computer/SW/Security, Computer/HW/Drives] UID:47623 Activity:kinda low |
8/20 I am looking for a personal NAS... you know, a large intestinal
harddrive that I can access data on from everywhere. Ideally, I want to be
able to set it up so it streams mp3 music as well. Any recommendations?
\_ USB 2.0 or GigE?
\_ thinking about connect the harddrive to my router, and be able to
access it outside the LAN.
\_ I hear 'mediatomb' might be what you're looking for.
\_ how's it supposed to deal with access control? Or is it just
going to be another open WAREZ site?
\_ http://www.archive.org/web/petabox.php
\_ apache + basic auth + hard drive?
\_ "intestinal"? |
| 2007/8/13 [Computer/SW/Unix, Computer/SW/Security] UID:47605 Activity:nil |
8/13 hey root would you engage in scrotal inflation? thanks
\_ Have you emailed root? Because the motd.public isn't the preferred
contact method.
\_ I did.
\_ Hey root, i think Spamassassin is dead too.
\_ I think root is too busy leveling in WoW. |
| 2007/8/13 [Computer/SW/Unix, Computer/SW/Security] UID:47603 Activity:kinda low 66%like:47566 80%like:47652 |
8/13 hey root would you restore /csua/bin/mtd ? thanks.
\_ Have you emailed root? Because the motd.public isn't the preferred
contact method.
\_ I did.
\_ Hey root, i think Spamassassin is dead too.
\_ I think root is too busy leveling in WoW. |
| 2007/8/11-15 [Computer/SW/Security] UID:47589 Activity:nil |
8/11 TSA can't find a guy who bypassed security checks:
http://urltea.com/174l (usatoday.com) |
| 2007/8/6-22 [Computer/SW/Security] UID:47541 Activity:nil |
8/6 Another entry for the "no duh" department:
"WASHINGTON (AFP) - The US government cannot account for more than half
of all small arms given to Iraqis in the hope of bolstering their
security forces, raising fears the weapons may have found their way to
insurgent groups, according to a new congressional probe." |
| 2007/7/14-16 [Computer/SW/Security, Reference/Law/Court] UID:47292 Activity:nil |
7/13 Another good Conservative railroaded by Fitzgerald:
http://www.freerepublic.com/focus/f-chat/1865420/posts |
| 2007/7/8-10 [Computer/SW/Security] UID:47225 Activity:nil |
7/8 Those employed by the oil industry had more children than any other
industry, while those employed in journalism and hotel service
had the lowest.
http://neuropolitics.org |
| 2007/6/21-24 [Politics/Domestic/HateGroups, Computer/SW/Security] UID:47033 Activity:nil |
6/21 Powell was threatened by the KKK to not run for presidency. Did Obama
receive such a threat also?
\_ He was the first candidate to be assigned a secret service detail.
Glean from that what you will.
\_ We don't threaten nobody but we support all Republicans -kkk
\_ Well, a candidate must request secret service protection. So, he
asked for it. There may or may not be a good reason for that.
\_ I think the above statement is incorrect.
\_ Hillary, as First Lady, has had it since 1992. |
| 2007/6/8-11 [Computer/SW/Security, Computer/SW/Unix] UID:46892 Activity:low |
6/8 I was talking to an acquaintance who said that his workplace was
slowly evolving to a stated goal of taking superuser privileges
away from the sysadmins in an effort to maintain a strict CM
and, I assume in some way, lower costs - possibly by hiring
trained monkeys to deploy pre-built images. I am curious what the
IT theories are behind this. Is this a crackpot method of system
management or is there some established theory behind this? Has
anyone else seen this happen at their work? What were the results?
My kneejerk reaction is that this is a Very Bad Thing, but maybe
there's something to it.
\_ Depends. Are they mostly Windows? Mostly UNIX? Who still has
superuser access? Are they highly responsive? It can be made to
work. But unless it's driven by competent IT management, it could
be LOTS o' PAIN
\_ All UNIX. I assume the idea is that if a change needs to be
made then it is rolled out from some central server
somewhere and no admins ever touch the individual workstations
for any reason except perhaps hardware failure.
\_ CM?
\_ configuration management
\_ No, this is in keeping with Best Practices surrounding security,
especially the notion of "least privilege" which is to say that
people should have the permissions they need to do their job
and no more. I personally think this is fine, but only works
after an organization reaches a certain maturity and size.
You need at least enough people so that you can have an on-call
page rotation for the "root" team and another one for the
"admin" team. Email if you want to talk about this some more
this is something I have thought about quite a bit. -ausman
http://en.wikipedia.org/wiki/Principle_of_least_privilege
http://www.csua.org/u/ivq (Forrester Research) |
| 2007/5/31-6/4 [Computer/SW/Security] UID:46802 Activity:nil |
5/31 PHP-related question: a web app I'm using recently moved from
CRYPT_STD_DES to CRYPT_MD5 for password hashing. On the off chance
anyone's faced a similar problem (I am having trouble getting a
reply from the developers), am I missing something fundamental or
am I just fucked if I want to migrate my existing userbase without
having to reset their passwords? -John
\_ Can you provide auth'ing off of DES while re-encrypting and storing
the new MD5?
\_ Don't think so. It looks to me like this was just kind of
a planning fuckup. :-( -John
\_ I was going to suggest the same as the above person. It is
"the standard" way of dealing with this. If you can't do
that and apparently don't have access to the source, you're
hosed. Sorry. Maybe you can redirect them to some other
page you do have control of and rewrite their passwords from
there. |
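The migration the replies describe (keep accepting the old CRYPT_STD_DES hashes, and re-hash each user with CRYPT_MD5 at the moment they log in successfully, since that is the only time the plaintext is available) looks like this in PHP. This is an added example, not code from the thread or from John's web app; it assumes a user record is an array with a 'hash' key and that a caller-supplied $save callable persists the updated record (here, an in-memory array stands in for the users table).

```php
<?php
// Added example (not from the thread or the unnamed web app): transparent
// upgrade of CRYPT_STD_DES password hashes to CRYPT_MD5 on successful login.
// Assumptions: user record = array with a 'hash' key; $save persists it.

const CRYPT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

function make_md5_crypt(string $password): string
{
    // CRYPT_MD5 salt format: "$1$" + 8 chars from the crypt alphabet + "$".
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= CRYPT_ALPHABET[random_int(0, strlen(CRYPT_ALPHABET) - 1)];
    }
    return crypt($password, '$1$' . $salt . '$');
}

function is_md5_crypt(string $hash): bool
{
    return strncmp($hash, '$1$', 3) === 0;
}

function verify_and_upgrade(array $user, string $password, callable $save): bool
{
    // Passing the stored hash as the "salt" makes crypt() reproduce the same
    // scheme it was made with (2-char DES salt or "$1$...$" MD5 salt), so a
    // single call verifies both old and new records.
    $computed = crypt($password, $user['hash']);
    if (!hash_equals($user['hash'], $computed)) {
        return false; // wrong password: nothing is rewritten
    }
    if (!is_md5_crypt($user['hash'])) {
        // Correct password under the legacy scheme: replace the DES hash now,
        // while the plaintext is in hand, and persist the record.
        $user['hash'] = make_md5_crypt($password);
        $save($user);
    }
    return true;
}

// Constructed demo data: one legacy user whose hash was made with a
// 2-character DES salt ("ab"), as CRYPT_STD_DES produces.
$users = ['john' => ['name' => 'john', 'hash' => crypt('correct horse', 'ab')]];
$save  = function (array $u) use (&$users) { $users[$u['name']] = $u; };

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("self-check failed: $what");
    }
}

check(!verify_and_upgrade($users['john'], 'wrong password', $save), 'reject wrong password');
check(!is_md5_crypt($users['john']['hash']), 'wrong password must not trigger a rehash');
check(verify_and_upgrade($users['john'], 'correct horse', $save), 'accept DES-hashed password');
check(is_md5_crypt($users['john']['hash']), 'record is now CRYPT_MD5');
check(verify_and_upgrade($users['john'], 'correct horse', $save), 'accept MD5-hashed password');
echo "all checks passed\n";
```

Once every active user has logged in once, the remaining DES records belong to dormant accounts, and those are the only ones that still need a reset. Since PHP 5.5 the same pattern is built in as password_hash(), password_verify() and password_needs_rehash(); on a current PHP that is the API to use instead of hand-built crypt() salts.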
| 2007/5/25-28 [Computer/SW/Security] UID:46754 Activity:nil |
5/25 I would like to write a script to login to a windows machine remotely
and start a simulation (basically a poor man's version of a Windows
Beowulf cluster). The simplest way to do this seems to be to run sshd
on cygwin. Are there better ways? (Obviously, one better way would be
to install LINUX, but that isn't possible in the near term). Thanks.
\_ There are some OpenSSH implementations for Windows you can install
without the full cygwin implementation.
\_ Can you list some? Thanks.
\_ copSSH works well for me. -!pp
\_ What is the advantage of copSSH over cygwin+sshd? From the
(brief) webpage for copSSH it sounds like it is cygwin+sshd. |
| 2007/5/11-14 [Computer/SW/Security, Computer/SW/OS/Windows] UID:46589 Activity:nil |
5/11 Hackers use Windows Update to reliably download their malicious code:
http://preview.tinyurl.com/2dorvr (computerworld.com) |
| 2007/4/30-5/4 [Computer/SW/Security] UID:46482 Activity:nil |
4/30 Can someone recommend a website that provides the same service as
cafepress, with custom t-shirt designs, but that does not censor?
I want to make shirts that I know would get censored at cafepress,
based on past bad experiences with them. |
| 2007/4/13 [Computer/SW/Languages, Computer/SW/Security, Computer/SW/Unix] UID:46294 Activity:nil |
4/13 Can someone w/ root fix this:
$ ls -l /dev/null
crw------- 1 root csua 1, 3 2007-01-25 19:41 /dev/null |
| 2007/4/9-10 [Computer/Networking, Computer/SW/Security] UID:46239 Activity:nil 66%like:46247 |
4/9 Free W-Fi on Transbay buses:
http://www.actransit.org/news/articledetail.wu?articleid=ae8a49cd |
| 2007/3/31-4/6 [Reference/Law/Court, Computer/SW/Security] UID:46167 Activity:nil |
3/31 Anti-plagiarism service sued for copyright infringement:
http://urltea.com/321 (washingtonpost.com)
\- hello if you are interested ... really interested ... I have
put the complaint at:
http://home.lbl.gov:8080/~psb/Ephemeral/TurnItIn-complaint.pdf
\_ Thanks.
\_ Am I the only one who really doesn't like TurnItIn but
really hope they win because of what it might mean for
fair use rights? |
| 2007/3/28-31 [Computer/SW/Security, Computer/SW/Unix] UID:46132 Activity:nil |
3/28 What controls the order of files in regards to which file is displayed
as the root file of a webpage? Specifically, I have to have a
index.php in my root directory, but I want my webpage to display
home.php. How can I do this? Thanks.
\_ Just figured it out myself, using .htaccess! -op |
| 2007/3/23-27 [Computer/SW/Security, Computer/SW/Unix] UID:46068 Activity:nil |
3/23 hey root can you turn 'PINGS' to soda.csua back on?
thanks
\_ Hey, root, can you disable this h0zer's motd-editing cron-job pls?
\_ and what's up with crippling traceroute? It needs setuid to
function.
> traceroute scotch
traceroute: icmp socket: Operation not permitted |
| 2007/3/13-14 [Computer/SW/Security] UID:45950 Activity:nil |
3/13 OpenSSH 4.6 is out:
http://undeadly.org/cgi?action=article&sid=20070308183425
Portable Version:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.6p1.tar.gz
OpenBSD Version:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.6.tar.gz |
| 2007/3/4-6 [Computer/SW/Security] UID:45863 Activity:nil |
3/3 What is the cheapest option for internet access for my parents
who just need to do some email a couple of hours a week and nominal
amounts of web browsing? Some kind of dialup service? They have a
mac, in case that makes a difference, and live in the South Bay.
Fast access at $30-$50/mo, not worth it for them, especially since
they travel for months at a time.
\_ Jyno has $9.95/mo dialup, but for just $3/mo more you can get
a fractional DSL line from http://Sonic.net. Actually, I see these
same prices from dslextreme, my current DSL provider, though
to get that dial-up price, you have to buy a whole year. |
| 2007/3/2 [Computer/SW/Security] UID:45856 Activity:nil |
3/2 Paypal has a new security key:
http://preview.tinyurl.com/ytr6zn (consumerist.com) |
| 2007/2/25-3/1 [Computer/SW/Security, Computer/HW/Drives] UID:45817 Activity:nil |
2/25 The top page of Fry's Electronic's (outpost) no longer shows
the [Retail] Store Locator. Are they getting rid of the stores?
\_ I doubt it:
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/02-05-2007/0004520005&EDATE=
http://preview.tinyurl.com/ysdl54 (prnewswire.com) |
| 2007/2/20-22 [Computer/SW/WWW/Server, Computer/SW/Security] UID:45782 Activity:high |
2/20 Any recommendations on a cheap/easy-to-use digital signature system?
\- i dunno exactly what you are looking for or what the status of this
project is, but if the obvious [gnupg] won't do, you can google
for AKENTI. --psb
\_ What do you want exactly? A toolkit for digitally signing various
files? OpenSSL is free. It is, however, a pain in the ass to use,
but, once you know what you want to do with it, you probably won't
ever have to figure it out again. -dans
\_ Mostly documents that are federally mandated in the development
process of medical software. The team is somewhat distributed, so
I was hoping for something fairly easy to use. Years ago I'd
have used PGP, but I don't know how things have progressed and
what a good (preferably open) system is.
\_ GnuPG is fairly easy to use and it's free. Many commercial apps use
it for digital signatures: http://gnupg.org
\_ Yeah, I pretty much agree. If price is the key, find a decent
frontend to gnupg and tweak it to fit your needs. If usability
is key, it's worth buying a copy of PGP. Both support the
OpenPGP standard. OpenSSL is too low level for what you want.
-dans
\_ GnuPG seems to be the way to go. I've got everything figured
out except verifying signatures. Thanks for the advice. -op
\_ This is from memory, not the man page, but I think it was
something like gpg --verify. Or are you trying to do
something more complicated? -dans
\_ You're right that --verify is the command line
solution, but I was going for something in a GUI. It
turns out that GPGee (Win Explorer extension) has that
ability, and works great. Thanks again. -op |
| 2007/2/18-23 [Computer/SW/Security, Consumer/TV] UID:45771 Activity:nil |
2/18 I have a Tivo. I don't have service. I'm not going to get service.
What is cool that I can do with the Tivo?
\_ eat it?
\_ prop open doors? |
| 2007/2/17 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:45765 Activity:nil |
2/17 http://www.foxnews.com/story/0,2933,252541,00.html Mormon University says YouCant to YouTube. |
| 2007/2/13-17 [Computer/SW/Security, Computer/SW/WWW/Server] UID:45734 Activity:nil |
2/13 The personal webpages are now up
\_ Ming-Hay
\_ Thanks. Something seems a little messed up w/ the server config.
The front page produces a server error for me, and the server
is returning lists of files rather than index.html for directories.
\_ Agreed, things are fubar. I've written/tweaked/debugged an
Apache config or twenty in my day so I'd be happy to look things
over and help out, just ask. That said, I'm shockingly busy at
the moment, so I may not be the quickest source of help. You
may want to turn personal public_html directories off until you
fix this as the current config does leak information, which has
(IMO, minor) security implications. If you're a soda user, you
can prevent people from browsing your public_html directories
over the web until this is fixed with the following:
chmod og-r ~/public_html
-dans |
| 2007/1/28-2/1 [Computer/SW/Security, Computer/SW/Unix] UID:45607 Activity:moderate |
1/28 Where does inbound mail get spooled now? I had no problem moving
my old spool to /var/mail/$USER, but where is the new mail
spooling? (Yes, I read soda-changes.) Nothing is ending up in
/var/mail/$USER/new. Should it be?
\_ Do you have .procmailrc setup? If so, I needed to add
an additional rule at the end (after setting up the
DEFAULT=/var/mail/$USER):
:0:
$DEFAULT
If I didn't do that, my mail just shows up as a single
"msg.xxx" in the /var/mail/$USER directory.
\_ nope, it's on a different server normal people don't have access
to. it's called 'separation of services'. The next time
someone breaks into http://soda.csua.berkeley.edu, mail will
continue to be delivered since they can't break into
the machine that is handling delivery of email. Were you
in CS? Do you remember how all the instructional machines
didn't store your email on your local machine? Same theory.
\_ So I have to use IMAP or POP now? Is that right? I used to
use UCB mail.
\_ It certainly wasn't stored *locally* on every machine, but
it was available via NFS on instructional machines.
It looks to me like it /should/ be showing up on soda. I presume
'mead-mail' is where it's getting delivered-to on mead anyways.
lrwxrwxrwx 1 root root 22 2007-01-24 00:58 /var/mail -> /mnt/oh/0X0-mead-mail/
\_ Absent procmail interference, mail should spool to the Maildir under
/var/mail/$USER. If that's not happening for you, something is wrong.
| 2007/1/26-30 [Computer/SW/Security, Computer/SW/Unix] UID:45598 Activity:nil |
1/26 Thanks root people!
\_ Many thanks! |
| 2007/1/18-25 [Computer/SW/Security] UID:45558 Activity:nil |
1/18 Are the accounts on soda reactivated? Looks like ssh is up, but I
don't know if it's me not remembering the password I set it to
after the last reactivation or if accounts aren't activated.
\_ So you just typed your password (maybe several of them) into a box
that might or might not actually be soda?
\_ People should really use DSA public-key auth. It saves typing
in passwords and prevents situations like what you described.
\_ heh heh. heh heh. all your passwords belong to us.
\_ are
\_ I did the same thing but since I don't remember my password
anyway, "they" are welcome to hack away at whatever random
stuff I was trying. :)
\_ Soda is up for root and politburo login right now, but not yet for
general login. Hopefully it will be up for general login soon,
sorry about it taking so long. -mrauser
\_ Thank you for your efforts. --erikred
\_ Concur! Many thanks! --dim |
| 2006/12/29-30 [Computer/SW/Security, Academia/Berkeley/CSUA/Motd] UID:45510 Activity:high |
12/29 There have been a lot of complaints regarding soda reliability and
users not volunteering their time and effort to help. Obviously,
it wouldn't make sense for every user to be given root access so
they can volunteer. Instead, why don't we use motd for people to
contribute concrete suggestions (not just to start flame wars) to
improve soda reliability and security? I'll start:
- Tripwire
- Maybe going back to a *BSD
- Sendmail is complicated and filled with holes. Why not use an
alternative MTA?
\_ Also, there use to be this message "Last logged in from..."
I used to look at to see where my account was last used.
\_ From being a part of the new-rebuild considerations, yes, no,
and yes. --michener
\_ Run soda in a virtual machine. |
| 2006/12/28-30 [Computer/SW/Security] UID:45508 Activity:insanely high |
12/28 Soda will be down tomorrow December 29, 2006 for maintenance
service. We hope to keep the downtime as short as possible.
- minghay (CSUA President)
\_ You hozer. What about my screen uptime and low pty IDs? - jvarga
\_ You mean like less than 3 weeks this time?
\_ Hey, shut yer trap. This machine is run by volunteers. If
you want to put time into it then step up. I don't volunteer
but I don't bitch at the people who do. I appreciate their
efforts and donation of their time to a shared resource.
\_ I dropped by the office relatively early in the downtime.
No one with root was around any time that day (I was there
for like 4 hours). Mconst dropped in a bit later to check
in as well, but he had only limited access (soda root, but
not keg, etc). A few years ago, pburo nuked a number of
people from their root access. I said then it was a bad
idea. If current pburo wants to rectify that and increase
their root-base, I say more power to them. And I'd be glad
to volunteer. --scotsman
\_ Having a shorter list of volunteers is obviously going to
limit how much time is available to take care of soda. My
gripe with the person above is that they're bitching out
(however many) people there are to take care of things,
all of whom are volunteers. It's a free service, the
price is right, I'm happy that other people have maintained
it all these years with no expense to myself and I
appreciate those efforts. When things go bad it is
frustrating but I don't feel I'm owed anything by any of
them.
\_ Exchange of money is not the only way to establish
responsibility.
\_ Money? What? Who said money? The people running this
machine are donating their time. That is what the word
"volunteer" means. It certainly isn't worth anything on
a resume. What are you talking about?
\_ You're reading the above comment wrongly. The fact
that someone is a volunteer doesn't absolve them
of responsibility to do what they've volunteered to
do; quite the opposite. A lame-ass is a lame-ass
whether he's being paid or not. -tom
\_ They're not absolved but if you don't like the
quality and performance provided by other volunteers
you have two real choices: shut up and acknowledge
whatever little you're getting is for nothing in
return or volunteer to do it yourself and do a
better job. Bitching them out without volunteering
doesn't improve the situation. It only makes it
worse. I shouldn't have to explain why.
\_ As I said above, pburo.past nuked the volunteers.
pburo.current, if they want/need the volunteers,
would have them if they say so. Get on wall,
guys. Ask.
\_ Volunteer. Send a note to pburo asking what
they need help with. If you did and they
ignored it or said they don't need any help
then that's that on the volunteer front.
\_ So what do we need to do in order to get root? (Other
than, obviously, hack in like everyone else.)
\- you know, soda has always been run by volunteers
and by any measure the current incarnation should be
a lot less work than the apollo, sequent, vax etc
days. i could be wrong, but i don't think it's ever
been down for as long as it was ~1 mo ago. i think
people have been tremendously appreciative of mr jvarga...
and if that appreciation hasn't extended to the pburo
at large, my personal perception is there appears
reasonable basis for that differentiation.
\_ My gut feeling is that Cal students today are not
nearly as Unix proficient as they were back in the
days. Most donations come in the form of Windows
boxes and students today could care less about
Unix. So these "soda volunteers" are really just
alumni and not the current breed.
\_ Whoever the volunteers are, they are still freely
providing service to the community with zero
compensation and a lot of flack for the times things
aren't perfect. As far as proficiency goes, *nix is
a lot easier now than "back in the day" so uber m@d
sk1llz are no longer required to get class work or
anything else done on a *nix box. This is just the
nature of technology. I'll bet the average
teen/college boy in the 50s knew a hell of a lot
more about his car than *anyone* on soda/csua does
today. That isn't necessarily a bad thing.
\- my point is that maintenance should
take less time, e.g in the age of
cheap disks, a machine that doesnt have
to be racked up in a machine room,
standardized buses etc. anyway, this
seems to me to be mostly a leadership
failure not a technical matter ...
e.g. it's not mostly a failure of
knowledge, but of decisionmaking,
communication etc.
\_ However, those of us who have been around dealt
with the same difficulties and complaints when
we were in pburo/on root. And I can safely say
we never had a month long outage. If you don't
want to/can't actually provide the service,
scrap it. We'll survive... But IMO, and IME,
having the alumni around and happy is a good
thing for those who want the professional
networking opportunities and knowledgebase that
comes with them.
\_ http://csua.com/?entry=45397
"I'm willing to wager $100 that Soda will be up for another 3 months
or less before it is completely down for at least 3 days again."
We'll see how long soda is down this time.
\_ Are you helping with this maintenance to help make sure things go
smoothly or just bitching from the sidelines?
\_ A quick update from the ex-pres, secretary, and one of the few UGs
with any *nix-fu. (whoever said that it's starting to be lacking is
spot on). I have good news, and the good news is that our new VP
doesn't suck. He rules. He's def. reading rootmail (something Ed
never did), has a *lot* of Debian knowledge and experience, and is
preparing to, you know, GET SHIT DONE. As a volunteer. Which is awesome.
And something that Ed never did (this from being president over him).
Right now, the holdup is that apparently there's no cardkey access for
the moment but hopefully within a day or two, there will be much
tinkering. I think (and hope) y'all will see the difference :)
Take heart sodans! --michener
\- lack of cardkey access never stopped us in the old days ...
"oh look, the door is open". :-) |
| 2006/12/2-8 [Computer/SW/Security, Computer/Networking] UID:45410 Activity:low |
12/2 I have only two internet choices-- Verizon and Time Warner Cable.
I've tried Verizon's 3Mbps/512Kbps service with 12 month commitment.
In practice I only get 2.2Mbps/225Kbps and Verizon is unable to
bump up the speed saying that they're unable to guarantee speed
due to distance and whatever bullshit they said. Now my 12 month
commitment is up I'm trying out Time Warner. I subscribed to
their 10Mbps/512Kbps service which costs slightly more
than their 6Mbps/512Kbps tier. Again, in practice, I'm only
getting 3.5Mbps/200Kbps which is LESS THAN HALF of what they
promised. Once again, they're giving me bullshit about distance
and how they don't guarantee speed. Anyone have similar problems
with their providers?
\_ Wah, wah. Cry me a river. The service is cheap because it's
consumer grade. If you want an SLA, get a real connection. And if
your Verizon service is DSL, what they're telling you about
distance isn't bullshit. Distance from the local CO dictates a
physical limit to the maximum speed your DSL line can run at.
If you can get DSL service from Speakeasy, consider it. Speakeasy
can't rewrite the laws of physics, and their consumer plans still
won't have an SLA, but, in my experience, they are a cut above all
the other DSL/Cable providers. How are you measuring your line
speed, anyway? It's actually really hard to do this accurately,
and I have yet to see a point and click web tool for testing speed
that does so. -dans |
| 2006/11/30-12/8 [Computer/SW/Security, Computer/SW/Unix] UID:45402 Activity:nil |
11/29 Pathetic Google engineers:
http://valleywag.com/tech/revisit/man-in-google-lap-pool-217775.php
http://www.valleywag.com/tech/dating/another-chance-to-crash-googles-holiday-party-217736.php |
| 2006/11/21-12/30 [Computer/SW/Security, Computer/SW/Unix] UID:45359 Activity:nil |
11/21 Bad stuff happened. Root is working on restoring all services to
normal. Please email root if something is not installed or is on the
fritz[0rz] (according to michener). - jvarga
\_ How would we be able to tell? Logins are still disabled, according to
someone named "jvarga"... (2006-11-22 07:30)
\_ You have to be THIS tall to enter...
\_ Please email activate@csua.berkeley.edu to get your account
reactivated. |
| 2006/11/8-9 [Computer/SW/Security] UID:45263 Activity:nil |
11/8 OpenSSH 4.5 is out:
http://www.openssh.org/txt/release-4.5
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.5.tar.gz
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.5p1.tar.gz |
| 2006/10/31-11/1 [Computer/SW/Security, Computer/SW/Languages/Java] UID:45045 Activity:moderate |
10/31 Mainframes are back!
http://www.cnn.com/2006/TECH/biztech/10/30/reviving.mainframes.ap
\_ Mainframes never left.
\_ There are big differences between 1) X is here, 2) X is coming
back, and 3) X left. Fucking dumb shit, how did you even
get into Cal?
\_ I didn't get into Cal. I dropped out of college so I could
spend more time on the motd and wall hanging out with smart
people like you hoping one day I can learn to comprehend
English as well as you. No, wait, you are a babbling fool
who wrote something completely off topic and non-responsive
because you can't understand basic English.
\_ Bwaaahhhhhhh!!1! You are teh suck!!!!1!!!!!!!!1!!
\_ "The university saved money upfront by selecting a mainframe that
runs at less than top capacity. Then on days when computing loads
are heavier, the school can buy a short-term boost of extra
processing power. Network managers call IBM, which remotely tunes
the mainframe to deliver better performance." Interesting.
\_ *laugh*. This is how the IBM mainframe division has always
worked except in the 'old days' they sent a tech out at some
outrageous hourly rate who opened the back, hit a button to turn
on the extra cpus+planes+memory/etc that was already in the box.
So now they just remotely login and tweak some software variable
limit like "max speed = max speed + 50", logout and send a bill.
This is almost as good a scam as MS making their money on CALs. |
| 2006/10/27-30 [Computer/SW/Security] UID:45013 Activity:low |
10/27 Anybody tried the "PDF decryptor" or "PDF password delete" type of
software? I have a PDF form file that won't let me save. I'm
considering getting one of those types of software to unlock the
file. I really don't want to pay to try it out though. Are there
free open source PDF unlock programs? Thanks.
\_ I've used Elcomsoft's (of "Free Dmitry Sklyarov!" fame) PDF
decryptor. Worked fine. Its legality is dubious, though.
\_ How so? It's my understanding (correct me if wrong, please)
that documents legitimately in your possession are covered
by various fair use clauses, i.e. you're not stealing trade
secrets, that sort of thing. As for pdfs, unlocking them is
trivial unless they're encrypted, in which case you're SOL--
I don't know of anything that can handle this easily. -John
\_ I meant the legality of obtaining Elcomsoft's eBook
Processor itself, which was posted to the 'net after
Sklyarov was arrested. I'm not referring to the
legality of decrypting (which should be legal based on
fair use rights, but OTOH there's that thing called the
DMCA). And yes, Elcomsoft's program does decrypt PDFs.
\_ I thought there were two kinds of pdf encryption--the
access encryption and actual data encryption, and that
Elcomsoft only dealt with the latter. -John |
| 2006/10/12-13 [Computer/SW/Unix, Computer/SW/Security] UID:44782 Activity:nil |
10/11 Star Wars characters USB thumb drives:
http://tinyurl.com/kjg53 (gizmodo.com) |
| 2006/10/4-6 [Computer/HW/Laptop, Computer/SW/Security] UID:44664 Activity:nil |
10/4 motd routing nerds, help me out.
let's say i am torrenting stuff on my laptop. I want
of course my SSH connections to be responsive and fast,
but the upstream torrenting gets in the way. Could i
implement QOS somehow on my local machine and improve
SSH? I'm running Linux. Would I have to make a virtual
machine somewhere on my laptop and run QOS in that? Thanks!
\_ or just use your torrent client's builtin bw limit options
\_ no no you don't understand, have you ever used QOS
on a router before? You can make your SSH packets
have a higher priority than your web or torrent packets,
reducing the latency for your ssh sessions. If you limit
the upstream of your torrents... your downstream becomes
slower
\_ sympathy factor crashes like rock. back in my day we got 300
baud and we were glad for it!
\_ if you're bottlenecked on the inbound, no amount of
fiddling with your router's QoS settings is going to help.
Maybe if you could fiddle with your ISP's router, but I
suspect they won't be sympathetic to your torrent leeching
needs.
If you're bottlenecked on the outbound, limit your torrent
clients' upload speeds (or play with QoS). It doesn't take
backing off much to give huge improvements to ssh and/or
other interactive programs.
\_ get a faster pipe, whiner
\_ So-called "gaming routers" can put preferences on ports. That's
quick solution.
\_ Not only is this a quick solution, but an excellent solution.
I bought a DLINK gaming router and never looked back. I get
the best of all worlds-- filling up the pipe AND get small
latency for ssh and X11 related things.
\_ agree that this is one way to do it. increase priority for
port 22 outgoing (router should also be smart enough to
prioritize incoming packets for the session), and back off your
upstream torrent cap a bit until you're satisfied. |
| 2006/9/27-28 [Computer/SW/OS/FreeBSD, Computer/SW/Security] UID:44580 Activity:nil |
9/27 OpenSSH 4.4 is leftist
http://www.openssh.org/txt/release-4.4
OpenBSD src:
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.4.tar.gz
OpenBSD src signature:
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.4.tar.gz.asc
Portable src:
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.4p1.tar.gz
Portable src signature:
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.4p1.tar.gz.asc |
| 2006/9/27-28 [Computer/Networking, Computer/SW/Security] UID:44564 Activity:low |
9/27 I'm currently using http://johncompanies.com and getting close to their
40G/month bandwidth quota. I'm already paying $47/month for 5G disk
storage and 40G/month bandwidth, and while the customer service has
been superb, I'm a bit budget conscious and a bit reluctant to pay
$80/month to johncompanies for the next level of service. I'm also a
big socialist, and I support proletarian revolution. I've been
contemplating a few options. For example, maybe I can get cable modem
with 768kbps uplink/upstream for $50/month, which will be adequate to
serve 50-60G of content per month and has the positive side effect of
having a much bigger disk storage over what I'm getting now at
johncompanies. Is hosting at home a ridiculous idea or is it feasible?
\_ Do you have a real server room environment? Do you have a usage
agreement that allows you to fill your pipe all month long? No.
\_ If you don't need a full jailed environment, JC is overkill. Just
host w/ el cheapo web provider. If you need the custom env, it's
probably worth the price. JC are pretty easy to talk to, though.
Mail them about what you want to do and ask for suggestions. They
might even refer you to someone who could better meet your needs.
("They" probably meaning "John") --dbushong
\_ Do you work at or an affiliate of johncompanies?
\_ Overkill is when you need 40G bandwidth but got 1000G. The op
said he's going over the 40G bandwidth quota so his hosting
choice isn't exactly "overkill". |
| 2006/9/25-27 [Computer/SW/Security] UID:44517 Activity:nil |
9/25 Does anyone know if there's a way for mail.app to use different
connection profiles for various accounts? I have 2 imaps accounts
which I need to connect to via an ssh tunnel at a client's; so
normally it'd be "host.x.com:993" but I would like to switch
quickly to "localhost:10993" without going through the "edit
account" rigmarole...thanks for any help. -John
\_ Why not just create two separate accounts and activate the
one that you need.
\_ Fair point, I didn't think of that, thanks. -John |
| 2006/9/18-20 [Computer/SW/Security, Computer/SW/Unix] UID:44435 Activity:nil |
9/18 Any reason that /dev/null is rw by root only?
crw------- 1 root root 1, 3 Sep 13 12:56 /dev/null |
| 2006/9/16-19 [Politics/Foreign/Asia/China, Computer/SW/Apps/Media, Computer/SW/Security] UID:44403 Activity:nil |
9/15 Software in China helps w/ sentencing:
http://news.com.com/2102-1012_3-6115154.html?tag=st.util.print
"The software can avoid abuse of discretionary power of judges as a
result of corruption or insufficient training."
\_ What about the verdict part?
\_ That's easy:
if(political_activist || causing trouble) guilty=true; |
| 2006/9/15-19 [Computer/SW/Security, Computer/SW] UID:44387 Activity:nil |
9/15 Looking for recommendations (prefer Bay Area?) for ISP/company
that can run a small-business web-site (products list, help
pages, shopping cart) and handle their email (web-mail & IMAP access)
My friend currently has a small business but is not satisfied
with his current ISP/web-design firm handling his .com domain far
in LA. They are slow to respond to web-site change requests,
and they have dropped connections, broken shopping carts,
customer complaints and slow employee web-mail access.
\_ Is your friend's current company called http://dreamhost.com? Have you
looked into other hosting companies like http://shopping.yahoo.com?
\_ not dreamhost. Was going to look at yahoo, but i think they
want their own domain |
| 2006/9/9-12 [Transportation/Airplane, Computer/SW/Security] UID:44330 Activity:nil |
9/9 http://www.latimes.com/news/local/la-me-baggage9sep09,0,1502706.story
This is insanely stupid. All the bad guys need to do is throw kgs of
TATP in the false hardsides of their luggage on several very busy buses
and have them all explode at the same time on buses across the city.
Let's hope L.A. people are so inherently anti-public transportation
that those buses never fill.
\_ uh, from a security standpoint how is this any different than
checking bags at the counter? Or bringing a bomb onto any bus? -tom
\_ there's no difference from a security standpoint as you've implied.
however, from the standpoint of the terror impact of burning bus
shells on TV, the synchronized bombings of full LAX transit buses is
much more effective and obvious than (synchronized) exploding ticket
counters or bus lines intended for low-income workers / students.
\_ uh, whatever. -tom
\_ uh, yeah |
| 2006/9/8-12 [Computer/SW/Unix, Computer/SW/Security, Computer/SW/WWW/Server] UID:44325 Activity:nil |
9/9 Is there a gzip-like unix command that will encrypt a file?
I'm looking for something that's widely available. Thanks
crypt (not very secure - DES). Or failing that, openssl or gnupg
\_ openssl or gnupg... what are you looking for? Those will work fine..
\_ Thanks for the recommendations. I'm basically experimenting
with a way of using my friend's computer to backup my
personal files and using my computer to backup theirs.
Of course, this means storing files in a way where we can't
see each other's personal files.
\_ I'd recommend checking out http://dar.linux.free.fr
It makes the whole "backing up a bunch of files, encrypting
it, and chunking it into bite-sized pieces" thing much easier
than dump/tar + gzip + openssl. --dbushong
\_ Oh, that is so cool. Thanks. My way was going to
be much more convoluted involving ssh and a bunch
of script writing. This should save some time.
\_ One nice thing about using gpg (dump/tar | gpg) is you
can do public key crypto and not ever have passwords stored
in the script. I believe gpg also can chunk it into X
byte chunks, optionally ascii armored, for emailing as
well. (well, I suppose you could mime-attach it)
\_ openssl bf-cbc -in file.txt -out file.txt.bfcbc # encrypt
openssl bf-cbc -d -in file.txt.bfcbc -out file.txt # decrypt
--dbushong
\_ /usr/bin/{zip,unzip} on soda can take passwords. Don't know if
they're widely available on other *nix's. |
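A current-day version of the tar + openssl idea from this thread, as an added example and not dbushong's own commands or anything from the thread: AES-256-CBC with a PBKDF2-derived key replaces Blowfish, the passphrase is read from a file (the `-pass file:` form, so it appears neither in the script nor in `ps`), and decryption goes to a temporary file first so a wrong passphrase does not leave a half-extracted tree behind. The directory names, the passphrase file and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: tar a directory and encrypt it with openssl enc, and the reverse.
# Assumptions for the example: openssl >= 1.1.1 (for -pbkdf2/-iter), a POSIX tar,
# and a passphrase kept in a file readable only by the backup user.

# encrypt_tree DIR PASSFILE OUTFILE
encrypt_tree() {
    src=$1; passfile=$2; out=$3
    [ -d "$src" ] && [ -r "$passfile" ] || return 1
    # -salt + -pbkdf2 -iter: a per-file salt and a slow KDF, instead of the
    # single fast hash that the old 'openssl bf-cbc' invocation used by default.
    tar -C "$src" -cf - . | openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass "file:$passfile" -out "$out"
}

# decrypt_tree INFILE PASSFILE DESTDIR
decrypt_tree() {
    in=$1; passfile=$2; dest=$3
    tmp=$(mktemp) || return 1
    # Decrypt to a temp file first: with a wrong passphrase openssl fails here
    # and nothing is extracted.  Piping into tar would extract garbage before
    # tar noticed, and a POSIX sh pipeline only reports tar's exit status.
    if openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
            -pass "file:$passfile" -in "$in" -out "$tmp"; then
        mkdir -p "$dest" && tar -C "$dest" -xf "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

`openssl enc` gives confidentiality only: CBC mode carries no integrity check, so a corrupted or tampered backup is noticed only when the padding check or tar fails. For the swap-backups-with-a-friend setup described above, gpg (symmetric or public-key, which also keeps the passphrase out of the script) or dar's built-in encryption covers that gap. Blowfish is avoided here because of its 64-bit block size.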
| 2006/8/22-23 [Computer/SW/Security] UID:44096 Activity:high |
8/22 In Windoze XP, how can I make my service start automatically when it
boots up in Safe Mode? I searched MSDN site and didn't see anything.
Thanks.
\_ I don't know how to do that in Windoze XP but it isn't that hard in
Windows XP.
\_ And that would be how? Thx.
\_ Start here and you should get the right idea:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
\_ Thanks!
\_ Out of curiosity, why do you need to do that?
\_ I am working on a module that is a service, and I need it to be
loaded even in Safe Mode so that people won't be able to bypass
it by rebooting the machine in Safe Mode.
\_ I sure hope there isn't a way to do what you want. If the
users want to bypass your module, let them!
\_ It's part of a security product, and we don't want the end
user bypass it.
\_ And what stops them from booting off a USB key, CD,
other hard drive, etc?
\_ BIOS password.
\_ Yank HD, take to another computer, etc.
\_ Always true for any product that can't
physically defend itself. I don't think most
customers want their firewall to shoot at
people.
\_ http://blubbie.com/usb-nailgunner-pc-gadget.html -tom
\_ There's also FS encryption.
\_ Some of the firmware-level drive crypto stuff
out there is pretty buff. Not failsafe, but
in most cases more trouble than it's really
worth. -John
\_ What gives you the arrogance to think you can take over
the end user's system in such a way?
\_ I think he's building a security appliance not a
home user software thing.
\_ A security appliance running Windows?
\_ RESPECT MY AUTHORITAW!
\_ And suppose there is such a way. What's to stop
someone from writing a malicious service that does the
same thing? |
| 2006/8/21-24 [Computer/SW/Security] UID:44088 Activity:nil |
8/21 Apparently, you need to pay $1.00 to Direct Marketing Association to
have your name taken off of the junk mailing list. When did they
start charging for this? http://www.the-dma.org/cgi/offmailinglist |
| 2006/8/17-19 [Computer/SW/Security, Recreation/Humor] UID:44052 Activity:nil Cat_by:auto 80%like:44043 |
8/17 This is pretty funny:
http://tinyurl.com/ku2mp (schneier.com/blog) -John
\_ Another funny link on the same page:
http://geekz.co.uk/schneierfacts |
| 2006/8/17 [Computer/SW/Security, Recreation/Humor] UID:44043 Activity:nil Cat_by:auto 80%like:44052 |
8/17 This is pretty funny:
http://tinyurl.com/ku2mp -John |
| 2006/8/12-14 [Computer/SW/Security] UID:43984 Activity:nil |
8/12 Anybody know of a good backup solution for PGP encrypted disks?
The way I've been backing up is to make copies of the .pgd file
with dates in the filename. This method is not very scalable as my
.pgd files are becoming gigabytes in size. Anybody know
of an integrated solution to backups and encrypted folders/disks?
OS X Leopard "time machine" backup feature looks interesting. But
I don't think it works if all my files are in PGP disks/directories.
Any other solutions that integrate encryption and backups? -thanks.
\_ This is Windows, right? (Dunno if PGPDisk exists on another OS.)
Wouldn't anything that checks to see if a drive letter is attached
do the trick? Also, is this for personal backups, enterprise-
level, what? -John |
| 2006/8/9 [Computer/Theory, Computer/SW/Security] UID:43952 Activity:nil |
8/9 Can someone update soda's ssh host keys on
http://www.csua.berkeley.edu/computing/hardware
I think the new keys are:
RSA - 9c:a4:3a:66:23:22:b0:2f:ba:87:2a:ca:03:c5:24:b6
DSA - 93:1d:30:88:65:a5:fa:38:6f:06:a3:86:12:0d:85:8b
\_ That's what you'd like us to believe. |
| 2006/8/7-11 [Computer/SW/Unix, Computer/SW/Security] UID:43929 Activity:nil |
8/7 hey ax watch this when you get home from work
http://www.youtube.com/watch?v=f83L9iWIx54
\_ Is there a CSUA login?
\_ Use http://www.bugmenot.com to find a login.
\_ That was work safe in my book, but thanks for thinking
of me. Has anyone noticed any patterns concerning
women who wear Bebe shirts? -ax
\_ I wanna work where you work. I think there's
a pattern for chicks who wear Hollister shirts.
\_ one more for you
link:tinyurl.com/gmaxd
\_ Jesus Christ.
http://i43.photobucket.com/albums/e381/oklahomaok/DSCN0419.jpg
\_ That's not Jesus Christ. --Mel Gibson |
| 2006/8/4-6 [Computer/SW/Security] UID:43908 Activity:nil |
8/4 Has anyone used Working Assets cell phone service?
is it good?
\_ they are a sprint reseller. co-worker has it, likes the
customer service, and web payment options, and of course
there is the donation thing to progressive cause of your
choice. Paper correspondence comes on all 100% recycled
paper. Just under $50 for 450 minute plan after all the
taxes/etc. One downside, she gets a lot of mail (snail,
I think) from other progressive causes, but I think that
one can opt out of that.
\_ No. Yes. -proud American
\_ how much for mass amounts of text messages? |
| 2006/8/2-6 [Computer/SW/Security] UID:43882 Activity:nil |
8/2 Does anybody have a sample of a reliable and robust /tmp cleaner
which can be run out of cron? I am not sure what is a good way to
make sure things that need to be persistent like ssh-agent "files"
dont get deleted ... obviously I can specifically tailor it for
"known knowns", but I want something conservative but also reasonable.
\_ reboot?
\- i'm thinking if the idea is to save space, rather than remove
clutter, can add a switch to remove say +1mb files. But not sure
of a good idea for the clutter problem ... maybe not descend to
subdirs for some rules.
\_ Yes. -proud American |
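A conservative cleaner along the lines the question asks for, as an added example that is not from anyone in this thread: one `find` over the tmp directory that never crosses filesystems, prunes the directory names that hold live sockets and locks (ssh-agent's `ssh-XXXX`, tmux's `tmux-UID`, the X11/ICE/font lock directories, systemd's per-service private tmp), and removes only regular files and symlinks whose mtime and atime are both older than the given number of days. The prune list uses the conventional directory names; the function name and the dry-run argument are this example's own.

```shell
#!/bin/sh
# Added example: a conservative /tmp cleaner for cron.  Not from the thread.
# clean_tmp DIR DAYS [dry]  -- remove (or, with "dry", only list) stale files.

clean_tmp() {
    dir=$1
    days=$2
    mode=${3:-delete}
    [ -d "$dir" ] || { echo "clean_tmp: not a directory: $dir" >&2; return 1; }
    [ "$days" -ge 1 ] 2>/dev/null || { echo "clean_tmp: DAYS must be >= 1" >&2; return 1; }

    # The action goes into the positional parameters so one find command serves
    # both modes.  -exec rm rather than -delete on purpose: GNU find's -delete
    # implies -depth, and with -depth the -prune exclusions are silently ignored.
    if [ "$mode" = dry ]; then
        set -- -print
    else
        set -- -exec rm -f {} +
    fi

    # -xdev: stay on the tmp filesystem (never descend into a bind mount).
    # -prune list: directories holding sockets/locks of live sessions.
    # Only regular files and symlinks are candidates (sockets, FIFOs and
    # directories are never touched), and only when BOTH mtime and atime are
    # older than DAYS, so an old file that was read recently survives.
    find "$dir" -xdev -mindepth 1 \
        \( -name 'ssh-*' -o -name 'tmux-*' -o -name 'systemd-private-*' \
           -o -name '.X11-unix' -o -name '.ICE-unix' -o -name '.font-unix' \) -prune \
        -o \( -type f -o -type l \) -mtime +"$days" -atime +"$days" "$@"
}
```

From cron this would be `clean_tmp /tmp 7`; run `clean_tmp /tmp 7 dry` first and read the list. Because find hands rm a path, another user on a shared /tmp can in principle swap a directory for a symlink between the test and the unlink; the purpose-built tools (systemd-tmpfiles, tmpreaper) delete relative to an open directory descriptor to close that window, and that is the one thing this readable version does not do.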
| 2006/8/2-6 [Computer/SW/Security, Recreation/Media] UID:43863 Activity:nil |
8/2 What do you guys think about http://www.wtcmovie.com ?
\_ I don't think much either way, but it's clear we're still in what
I'd call "The Rambo Years" -- a very glorified version of historical
events. I don't think it's outright propaganda, I think it's actually
a fairly collective view the US has on 9/11. Make this movie in 10 or
20 years and it will be entirely different. I can't wait for the FMJ
kind of take on it. --michener [formatd was here]
\_ who/what is FMJ ?
\_ Full Metal Jacket?
\_ I prefer http://www.tawnyroberts.com -proud American |
| 2006/7/30-8/2 [Computer/SW/Languages/Web, Computer/SW/Security] UID:43838 Activity:low |
7/28 Anyone have more info on the breakins on a bunch of Cal sites?
http://www.csua.org/u/gkg -John
\_ Yes.
http://ls.berkeley.edu/lscr/news/2006-07-25-security-incident
(The defacements were mostly one multi-homed server). -tom
\_ Most kernel problems require local access to exploit.
so, if not a user account then some other insecure service
that can be used as a starting point. Is this the case here?
Do you mind telling us the details? -crebbs
\_ The machine is a web hosting server for L&S departments,
where departments can install their own PHP code. There
was a security hole in user-installed PHP code that got
the hackers shell access, and they used a 0-day RedHat
kernel priv escalation bug (SYS_PRCTL) to get root.
It is worth noting that the bad PHP code was hand-written,
not some package like phpBB with security holes which you can
search the net for; the initial compromise seemed to have
a higher degree of sophistication than is usually found
in script kiddies. -tom
\_ I doubt the hackers found the PHP hole the same day the
Redhat bug came out. I'd bet a buck they had non-root
shell access on the machine for a long time. I also
suspect they had root for a while too. Or there was more
than 1 set of hackers. Why would sophisticated hackers
waste a quality attack on a web page defacement? I'd bet
another buck they still have access to that and several
other machines.
\_ I can pretty closely track their root access; they
did have it for over a week before it was discovered.
I am pretty certain that they no longer have root
access. I agree that there are likely remaining
apache-level holes on the machine; it's an
occupational hazard of an open PHP hosting environment.
When is PHP going to implement taint mode, anyway?
-tom
\_ The only way to be absolutely sure is to rebuild the
box. You could do a bit by bit comparison from a CD
on all the binaries but yech.
\_ Yes, I've read "Reflections on Trusting Trust."
\_ Yes, I've read "Reflections on the Revolution in
France" -tom |
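The "bit by bit comparison from a CD" suggestion above, reduced to its checkable core, as an added example (not tom's procedure and not anything from L&S): a SHA-256 manifest taken from a known-good tree is compared against the live tree, and every changed, missing and new file is reported. The directory and file names in the functions and their usage are constructed for the example. The thread's caveat applies in full: the shell, `find` and `sha256sum` doing the checking must come from trusted media and the manifest must predate the compromise, otherwise a modified tool can simply report a clean result.

```shell
#!/bin/sh
# Added example: file-integrity baseline and check with sha256sum.
# make_baseline DIR MANIFEST   -- record the hash of every regular file under DIR
# check_baseline DIR MANIFEST  -- print CHANGED/MISSING/NEW lines; return 1 if any

make_baseline() {
    dir=$1; manifest=$2
    # Paths are recorded relative to DIR (./...) so the manifest can be checked
    # against the same tree mounted elsewhere, e.g. the suspect disk on a clean host.
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$manifest"
}

check_baseline() {
    dir=$1; manifest=$2
    status=0
    expected=$(mktemp) || return 2
    current=$(mktemp) || return 2

    # 1. Every recorded file must still exist with the recorded hash.
    #    sha256sum lines look like "<64 hex>  ./path", so read splits cleanly.
    while read -r recorded path; do
        if [ ! -f "$dir/$path" ]; then
            printf '%-8s %s\n' MISSING "$path"; status=1
        else
            actual=$(sha256sum "$dir/$path" | cut -d' ' -f1)
            if [ "$actual" != "$recorded" ]; then
                printf '%-8s %s\n' CHANGED "$path"; status=1
            fi
        fi
    done < "$manifest"

    # 2. Anything present now that the manifest never saw (dropped binaries,
    #    dotfiles) is reported as NEW.  Column 67 onward of a manifest line is the path.
    cut -c 67- "$manifest" | LC_ALL=C sort > "$expected"
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort ) > "$current"
    newfiles=$(comm -13 "$expected" "$current")
    if [ -n "$newfiles" ]; then
        status=1
        printf '%s\n' "$newfiles" | while read -r path; do
            printf '%-8s %s\n' NEW "$path"
        done
    fi

    rm -f "$expected" "$current"
    return "$status"
}
```

Taken over `/bin`, `/sbin`, `/usr/bin` and the like from a clean install (or from the distribution's own package checksums) and kept off the box, this is the cheap first pass; it says which files to look at, not whether the kernel or a library the checking tools link against is honest, which is why the thread's answer is still "rebuild".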
| 2006/7/13 [Computer/SW/Graphics, Computer/SW/Security, Computer/SW/Apps] UID:43656 Activity:kinda low |
7/13 I have about 80 .pdf graphics files, that are a mix of vector graphics
and bitmaps, and I want to convert them all to bitmap of a specified
resolution, while preserving the physical size of the original image.
Does anyone have any suggestions for how to do this fast and
efficiently? I have access to the full Adobe suite if that makes any
difference. thanks.
\_ Are they all one page?
\_ Each file is much less than a page in size, and they're all
separate files.
\_ Should be able to use ghostscript.
Post a file if you want an example.
\_ Ok, thanks. I've been messing with Ghostscript, but I can't
figure out how to get it to both be 600 dpi and to preserve
the physical size. If I were smarter, I probably would have
specified all the sizes in the Latex code so that I wouldn't
care, but that would be a lot of work at this point (180 page
document). Here is an example file:
/csua/tmp/lafe/5point5huge.pdf
Any pointers very much appreciated. |
| 2006/7/12-18 [Computer/SW/Security] UID:43645 Activity:nil 50%like:43591 |
7/12 Kchang -- thanks for turning the search feature back on!
\_ you're welcome. I spent some time making sure that even if the
mysql passwords are stolen, it would only have read only access.
It would have been easier with suexec, but I guess the current
admins insist that CGIs run as "nobody", which is a security risk
that I guess they just don't care about anymore. -kchang
\_ Intellidiff is back too! Thanks! -Intellidiff #1 fan
\_ It is broken. I use scp to edit but it blames someone else.
Yet another useless program written by someone useless. |
| 2006/7/11-17 [Computer/SW/Security] UID:43637 Activity:nil |
7/11 I'm working for a new company that is coming out with a web based
product soon and we need to find good co-location facilities to
host it. Can anyone recommend a good co-location facility in
the south bay that can provide load balancing, backups, possibly
SAN access, bandwidth on demand and has good peering?
\_ you want the co-lo to provide the load balancing and storage?
-shac
\_ Possibly yes. This will be a one man show for a while so
having some of the services managed would be nice and to
lower the initial capital expense hit. Who does IGN use?
\_ IGN is mostly at various Savvis colo's around the world
but we have all our own gear and storage. the only thing
we outsource is a fraction of our dba work. most of the
big companies dont outsource load balancing and storage
-shac
\_ we use quest at work...
\_ Not a recommendation, but check http://www.webhostingtalk.com
You will get better response there and also do some search
on a company's reputation.
\_ might want to ask http://he.net |
| 2006/6/30-7/5 [Computer/SW/Security, Computer/SW/Mail] UID:43544 Activity:nil |
6/30 I'm trying to set up SSH port forwarding of VNC between my laptop and
my home server. Once I had it working but I lost my client-side
config. I can use PuTTY to set up port forwarding and can successfully
load webpages off the remote server by using localhost
My problem is that I can't seem to forward port 5900 (VNC) to my
remote machine. When I try telnetting to localhost port 5900 I get
a connection but don't get the standard VNC handshake: "RFB 003.003"
I know VNC is up on that machine because I can connect to it just fine
when I am on the same subnet. Any ideas?
\_ You're not running VNC on your local box on port 5900, are you?
\_ Ooh, good idea.. but no.
\_ OK, so in PuTTY, your Forwarded ports: lines for your server Session
look like:
L80 localhost:80
L5900 localhost:5900
Is that right? What OS is the server?
\_ I had this:
L80 myhost.com:80
L5900 myhost.com:5900
I changed the second one to
L5900 localhost:5900 and now it works. Thanks!
But why did the HTTP forwarding work then?
\_ Maybe your firewall/VNC server/whatever would allow loopback
connections, but not connections on the "real" IP |
| 2006/6/28-29 [Computer/SW/Security, Computer/SW/Virus] UID:43517 Activity:nil |
6/28 I'm looking for a company that can do testing of antivirus and
anti-malicious code products--I have a client who wants some sort
of "external verification", even if it's just a formality. I
imagine this will involve running a battery of not-too-complex
malicious code & exploit tests. Any recommendations? -John
\_ http://www.counterpane.com/consulting.html or
http://securityevaluators.com ? Both have well known security ppl
\_ Securityevaluators looks good, thanks. -John |
| 2006/6/25-28 [Computer/SW/Security, Computer/SW/Unix] UID:43493 Activity:nil 53%like:43401 |
6/25 Hey root, could you please reenable finger motd@csua? Can't be a
security issue since fingerd is enabled ...
\_ Done. For some reason linking it refused to work, so I added it
as a cronjob that happens just as the motd concatenation happens
(every 2 minutes). --michener |
| 2006/6/23-28 [Computer/SW/Security, Computer/SW/Unix] UID:43487 Activity:nil 80%like:43482 80%like:43483 |
6/23 Soda rooted by sendmail bug. Will be going down at 8pm.
\_ Resetting accounts again?
\_ Good thing I stopped using my @csua.berkeley.edu address as my main
non-work e-mail address!
\_ Let's try FreeBSD again!
\_ Let's try Windows!
\_ Er, why is this in motd.public?
\_ soda is run by liburals, always aiding and comforting Terrorists
\_ Maybe 'cause it's a lie?
\_ So, why is it still up?
\_ It used to say 5pm.
\_ The crackers have changed the root passwd! Root is powerless!
\_ I can assure you this has not happened. --michener
\_ They probably exploited something to put in a trojan su.
Did you test this by suing? Now they probably have the
old root password!
\_ Someone should go to the server room and destroy soda with
a sledgehammer before the crackers unleash the skynet on us.
\_ I know of no such issue and have not heard from the rest of root
about it. If this is not a lie, will whoever wrote this email root?
--michener
\_ Did the cracker post this to freak everybody out?
\_ The only non-anonymous evidence I see is on wall log, where
Paolo posted a snippet showing brg and sly speculating on
whether soda had been hacked
\_ which had nothing to do with sendmail at all.
\_ Lying about a rooting is l4m3.
\_ My account has been hacked! Last login from China! |
| 2006/6/23 [Computer/SW/Unix, Computer/SW/Security, Computer/SW/Mail] UID:43483 Activity:kinda low 80%like:43482 80%like:43487 |
6/23 Soda rooted by sendmail bug. Will be going down at 3pm.
\_ Resetting accounts again?
\_ Good thing I stopped using my @csua.berkeley.edu address as my main
non-work e-mail address!
\_ Let's try FreeBSD again!
\_ Let's try Windows!
\_ Er, why is this in motd.public?
\_ soda is run by liburals, always aiding and comforting Terrorists
\_ Maybe 'cause it's a lie?
\_ So, why is it still up?
\_ It used to say 5pm.
\_ The crackers have changed the root passwd! Root is powerless!
\_ I can assure you this has not happened. --michener
\_ I know of no such issue and have not heard from the rest of root
about it. If this is not a lie, will whoever wrote this email root?
--michener |
| 2006/6/23-28 [Computer/SW/Security, Computer/SW/Languages/Web] UID:43481 Activity:nil |
6/23 apache back on and PHP seems to be working once more (so the main page
works too). Security modules have been added, so if they interfere with
things, mail root. Hopefully they won't though. Thanks for your patience
and understanding --michener |
| 2006/6/23-24 [Computer/SW/Security] UID:43475 Activity:nil |
6/22 Whats up with all the defunct sshd processes on soda?
Have we been hacked again?
\_ I don't think so, but let me check your account. What was your
username again?
\_ ok so then whats with the 1655 syslogds running? |
| 2006/6/22-28 [Computer/SW/Security] UID:43470 Activity:nil |
6/22 http://media.putfile.com/AOL-Cancellation Guy attempts to cancel AOL
account with AOL customer service rep (who sounds like a full-blown
American, not outsourced labor). It gets started slowly, but it really
builds up half-way in.
http://insignificantthoughts.com/page/2
http://www.msnbc.msn.com/id/13447232
\_ It's amusing that he recorded it and posted it online but his
experience is dirt common for AOL. I hope no one was actually shocked
by this encounter in any way. It took me 5+ minutes to cancel an
account a few years ago; although the CSR took a different direction,
she still wouldn't cancel it until I'd told her at least three dozen
times I wanted it cancelled. |
| 2006/6/20-24 [Computer/SW/Mail, Computer/SW/Security] UID:43439 Activity:nil |
6/19 I'm leaving the country for a year. I am thinking of
getting a Skype number in the United States, and I guess
if people in the US call it, my Skype client running
on my computer in the foreign country will receive the call?
What is wrong with my plan to do this?
\_ 1. yes. The only thing wrong with your plan is that as nerdy as
you are, you may *NOT* be in front of the computer all the time.
After a while, when people couldn't reach you via the Skype
number, they will STOP calling you. I recommend you also purchase
a couple of SkypeOut credits, and also set up call forwarding on your
SkypeIn number to your local cell phone. This way, when you are not
in front of the computer or your computer is off, calls will
be forwarded to your cell phone. kngharv
\_ No. You get voicemail with your skypein number. I'm using
it (my Swiss cell phone is forwarded to my CH skypein
number while I'm in Chile.) When you start your Skype
client, it tells you you have voicemails. Works a charm,
worth the money. -John
\_ duh, voicemail comes with the SkypeIn number. My experience
is that after a while, people just get sick of calling because
they get voicemail all the time. Skype's forwarding
service would keep people interested in calling this number.
kngharv
\_ That wasn't his question. -John
\_ There are other similar VOIP services. For example,
http://voicestick.com offers FREE virtual # anywhere in USA. It
can then forward anyone calling that # to anywhere in the
world. Of course you pay for the forwarded calls. |
| 2006/6/13-15 [Computer/SW/Security] UID:43377 Activity:nil |
6/13 ok, memorizing all these passwords is driving me insane. I
know this has been asked before but I can't find it: what's the
best way to keep a password-protected file of very sensitive
information? in this case, all my other passwords. thanks
\_ I use http://www.bugmenot.com
\_ Whatever happened to this single login thing called the
MS Passport or something?
\_ I just use a yellow sticky note on my monitor. Works like a charm.
\_ I use a Palm Pilot that is password protected. I then have a
Crypto program on it (also requires a password).
\_ the second part is very important, cause even if you password
protect the file using Palm's native password protection, the
document is downloaded in unencrypted format when you sync to
your computer. I use Keyring for encryption:
http://gnukeyring.sourceforge.net
\_ I pgp encrypt this password excel file. You should have
some password level as well:
- password to this excel file
- password for financial sites
- password for secure e-commerce sites
- password for other non secure sites
A secure password can be the initial of your favorite
phrase. I consider sites that email back your password in
plaintext as non-secure sites. Good sites should reset your
password to a random one in the worst case.
\_ For passwords I don't get to choose, I use this:
http://www.schneier.com/passsafe.html on PocketPC
For passwords tied to domains, I use a command line version of this:
http://bushong.net/dave/webpasswd
(generates a reproducible hex hash) --dbushong
\_ http://keepass.sourceforge.net
Also, in the same vein as generating passwords from hashes,
here's a Firefox extension to make it more convenient:
http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer
\_ Ooh. Great minds think alike. This one looks more secure than
mine (uses a Base64 variant encoding rather than Hex). Alas,
I can't switch now or I'd have to check 2 of them :-) --dbushong
\_ this program is really old but it's simple and works (for windows
users): http://www.passkeeper.com |
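dbushong's webpasswd and the PasswordComposer extension above both derive each site's password from a master secret plus the site name, and the follow-up notes that base64 output packs more entropy per character than hex. Added sketch of that idea (not either tool's real algorithm, and not code from the thread): HMAC-SHA256 keyed with the master secret, plus helpers that make the hex-versus-base64 difference explicit; the master secret and site names in the test are constructed values.

```python
import base64
import hashlib
import hmac
import math

# Hypothetical sketch of the "master secret + site name -> site password"
# scheme discussed above. HMAC-SHA256 keyed with the master secret binds the
# site name to the secret instead of merely concatenating the two.
# Caveat: one SHA-256 is fast, so anyone who learns a single derived password
# can test master-secret guesses offline; swapping the HMAC for a slow KDF
# (same structure, same inputs) is the usual hardening.

BITS_PER_CHAR = {"hex": 4.0, "base64": 6.0}  # entropy carried per output char
MAC_BITS = 256.0                               # SHA-256 output size


def site_password(master: str, site: str, length: int = 12,
                  encoding: str = "hex") -> str:
    """Derive a reproducible password for `site` from the master secret.

    The site name is normalised (trimmed, lower-cased) so 'Example.com' and
    'example.com' yield the same password.
    """
    if encoding not in BITS_PER_CHAR:
        raise ValueError("encoding must be 'hex' or 'base64'")
    mac = hmac.new(master.encode("utf-8"),
                   site.strip().lower().encode("utf-8"),
                   hashlib.sha256).digest()
    if encoding == "hex":
        text = mac.hex()                                    # 64 chars
    else:
        text = base64.b64encode(mac).decode("ascii").rstrip("=")  # 43 chars
    if length > len(text):
        raise ValueError("at most %d characters available from one "
                         "SHA-256 output" % len(text))
    return text[:length]


def entropy_bits(length: int, encoding: str) -> float:
    """Bits of MAC output a password of this length actually carries."""
    return min(length * BITS_PER_CHAR[encoding], MAC_BITS)


def chars_needed(target_bits: float, encoding: str) -> int:
    """Shortest password in this encoding that carries target_bits."""
    return math.ceil(target_bits / BITS_PER_CHAR[encoding])
```

For a 64-bit password you need 16 hex characters but only 11 base64 ones, which is the "more secure than mine" point dbushong makes about the Base64 variant.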
| 2006/6/12-13 [Computer/SW/Security, Health/Women] UID:43355 Activity:nil |
6/12 http://news.yahoo.com/s/nm/20060612/od_nm/newzealand_streaker_dc
Are all New Zealand women as attractive as this one? Are they more fit
than, say, American women in general? Damn I gotta move there!
\_ Most of the women I've met from New Zealand look more like this:
http://www.manuphotos.com/images/NEw%20Zealand/NZ%20Maori%20Woman%2001.jpg |
| 2006/6/7-9 [Computer/SW/Security] UID:43302 Activity:nil |
6/7 Rails question: I've got data in a number of tables, all of it owned by
one site "user" or another. Is there a nice clean standard way
(probably at the model level) to validate whether the current user has
access to the requested bit(s) of data? (Hopefully that's not too
inefficient) I tried some obvious things, but Model classes don't have
access to your session data, so they can't trivially see what user id
is making the request. Or does this sort of thing not belong in the
models. Thoughts?
\_ Try handlers. Install a handler that will do the ID check, then
throw an exception if it's fails. The model has access to the
session data, otherwise you can't do anything custom wrt to
the session, so I don't know what you're talking about. -marked |
| 2006/6/7-9 [Computer/SW/Security] UID:43295 Activity:nil |
6/6 Where can I find the RSA host key to put in a .ssh/known_hosts (or
whatever exactly it's called) so I can ssh to csua?
here use mine
|1|42db5+KDy9Hano4lbj/SgFMPKDs=|taKwtpIOjvjZb9S9EIZ+pMbK7pQ= ssh-rsa AAAAB3NzaC1\
yc2EAAAABIwAAAQEA4F3Vgzyef4WlQqLst2xqi+yiRTdg1f4enDPkeT1zSFqhOFNXGoFlKJOGHRmpfwm\
Fxpa0eS6PVtleoI4b5kTbx0C9mA1OFXFVbZNlwjH6Hmife/NZazI4Nhe6Gl7JTNHBliu6VD6KLct66iA\
tZVUhOmM3gmbMfhgIqfbTvtPTLcYGeGHMz+X7dzWPMxMOqoD4iCXIthuLImijbL1HPqX1G65R048MWL1\
eHctxOi+XeFKzvAJ37iez2+prakglPkyAU6jg9luRiPtVQmjD3Q9gp+kenZGKKIK0FiuCuX+avuid5+5\
2psfIl6UWGbXl4VciV5QWZ6AdUmiEsEovZ9DbBQ== |
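The `|1|...|...=` prefix on the entry above is OpenSSH's hashed known_hosts host field (the HashKnownHosts option): the hostname is replaced by a random 20-byte salt and base64(HMAC-SHA1(salt, hostname)), so the file does not reveal which hosts you talk to, and the client checks a hostname by recomputing the HMAC. Added example, not from the thread and not OpenSSH's own code, that parses, generates and matches such fields; the sample known_hosts text and its key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac
import secrets
from typing import List, Tuple

SALT_LEN = 20  # OpenSSH uses a 20-byte salt (the SHA-1 output size)


def parse_hashed_field(field: str) -> Tuple[bytes, bytes]:
    """Split a '|1|salt|digest' host field into its raw salt and digest."""
    parts = field.split("|")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not an OpenSSH hashed host field: %r" % field)
    salt = base64.b64decode(parts[2])
    digest = base64.b64decode(parts[3])
    if len(salt) != SALT_LEN or len(digest) != SALT_LEN:
        raise ValueError("salt and digest must both be 20 bytes")
    return salt, digest


def hash_hostname(hostname: str, salt: bytes = b"") -> str:
    """Produce the host field OpenSSH writes when HashKnownHosts is on.

    A fresh random salt is drawn unless one is supplied (tests pass a
    fixed salt so the output is reproducible).
    """
    if not salt:
        salt = secrets.token_bytes(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 20 bytes")
    digest = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode("ascii"),
                         base64.b64encode(digest).decode("ascii"))


def host_field_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (hashed or plain) names hostname."""
    if field.startswith("|1|"):
        salt, digest = parse_hashed_field(field)
        expected = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
        return hmac.compare_digest(expected, digest)
    # Plain entries may list several names/addresses separated by commas.
    return hostname in field.split(",")


def find_host_keys(known_hosts: str, hostname: str) -> List[Tuple[str, str]]:
    """Return the (keytype, base64 key) pairs pinned for hostname."""
    found: List[Tuple[str, str]] = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue  # malformed line; a real client would warn here
        host_field, keytype, rest = fields
        if host_field_matches(host_field, hostname):
            found.append((keytype, rest.split()[0]))  # drop trailing comment
    return found


# Constructed sample file: one hashed entry (fixed salt), one plain entry.
# The key blobs are placeholders, not real public keys.
KNOWN_HOSTS = "\n".join([
    "# constructed sample, not real host keys",
    hash_hostname("soda.example.test", b"A" * SALT_LEN)
    + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE",
    "plain.example.test,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE",
])
```

Hashing only hides the hostnames; the key material itself is still the thing to compare against what the server presents, out of band, before trusting an entry someone else hands you.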
| 2006/6/6-9 [Computer/SW/Apps/Media, Computer/SW/Security] UID:43284 Activity:nil |
6/6/06 http://www.eff.org/deeplinks/archives/004721.php |
| 2006/5/29 [Computer/SW/Security, Politics/Foreign/MiddleEast/Iraq, Politics/Foreign/Europe] UID:43215 Activity:nil |
5/29 Castro's Cuba
http://www.therealcuba.com/index.htm |
| 2006/5/20-22 [Computer/SW/Languages/C_Cplusplus, Computer/SW/WWW/Browsers, Computer/SW/Security] UID:43123 Activity:nil 61%like:43119 |
5/19 I need a simple plug-in 128-bit (or so) C encryption library.
Symmetric key is easiest, but public key is ok if that's the only
thing I can get. Any ideas?
\_ symmetric
\_ http://mcrypt.sourceforge.net --dbushong
\_ Thanks, I'm checking it out. |
| 2006/5/17-22 [Computer/SW/Security] UID:43078 Activity:nil |
5/16 Blue Security gives up:
http://csua.org/u/fvo |
| 2006/5/10-12 [Academia/Berkeley/CSUA/Motd, Computer/SW/Security] UID:43004 Activity:nil |
5/10 Can we get kais motd intellidiff back now that cgi is re-enabled?
\_ No. "suexec" is not enabled so it is run as "nobody", which means
I need to make EVERYTHING world readable, including the index.cgi
in which I embed mysql password. I am not enabling anything
back till suexec is added. Until then, soda is insecure, and
I'm not going to risk security for convenience. -kchang
\_ root: Can we get suexec set up? -intellidiff #1 fan
\_ Mysql has fairly granular permissions. Why not set up an
account that has read-only access to the appropriate tables?
\_ Because it also needs to write to certain directories/files.
In the end it's a lot of trouble and I don't have
time to code a workaround now. Look. Enabling suexec
takes 30 seconds, so it is a solution that has a much
higher work/time ratio. I'm in no hurry. I can wait. -kchang
\_ How can we access mysql from soda?
\_ I compiled my private copy on a separate port and
not sharing it -kchang |
| 2006/5/8-9 [Computer/SW/Security, Computer/SW/Unix] UID:42979 Activity:nil |
5/8 A friend of mine still hasn't gotten his account reactivated even
though he sent photo id. Is this still being worked on?
\_ soda root == students
may 12 == start of finals.
I'd say a little patience is in order.
\_ Granted, but 3 weeks is a long time. Could you update the
website so they have a clue? 4/17 was in a galaxy far, far away. |
| 2006/5/8 [Computer/SW/Security] UID:42976 Activity:moderate |
5/8 why you are getting all that blue frog spam
http://q.queso.com/archives/001917 - danh
\_ While I'm not ready to call it outright bullshit, I'm skeptical:
* Most DNS operators with a clue set TTL values to cache records
for 24 hours to one week. The DNS notify mechanism leaves much
to be desired. Thus, changing a DNS pointer is unlikely to
divert a DoS attack.
* Many DoS attacks hard code the ip of the target both to avoid the
added complexity of DNS lookups and because, if the code is
written by a script kiddie moron, he may botch it and do the DNS
lookup before sending each packet which slows things down
spectacularly.
-dans
\_ and I call bullshit here, because the TTL values of a domain are
under control of the domain's owner (or at least the nameserver
the domain is master'd from), and any DoS attack hardcoded to
an IP is trivial to defeat by changing the IP of your web/service.
And TTL only comes into play when an address is cached, which
isn't likely to be the case with all the clients participating
in a DDOS.
-ERic
\_ Correct, ttl values of a domain are controlled by the
domain's owner, but if ttl values are set to sane values,
e.g. 24 hours to 1 week, then it will be 24 hours to 1 week
before reducing them will have any effect on cache behavior.
If DDoS clients actually perform DNS lookups, then the vast
majority of lookups will go through caches, which won't
refresh their content until ttl expiry. It would be
enlightening to see what http://bluesecurity.com's DNS records
looked like the week prior to the attack. Also, changing the
IP of your service doesn't help if you just hop to a new IP
address on the same network, since modern DDoS attacks
overwhelm your upstream network pipe(s), and not just an
individual host running a specific service. -dans
\_ This guy doesn't really have any idea what he is talking about:
he can't explain correctly how Blue Security really works and
instead of bothering to learn, he just argued with the people
trying to teach him. Finally, he just turned off comments rather
than accept that he was wrong. He sounds a bit like Bill O' Reilly.
I wouldn't really take his explanation for what happened at
face value, given his record. -ausman |
| 2006/5/4-7 [Computer/SW/Security, Computer/SW/Unix] UID:42931 Activity:nil |
5/4 Ok I need to make a hosting choice soon because my current co-op
colo is falling apart like http://autobahn.org in the old days. I can
go with http://dreamhost.com, http://textdrive.com, or http://johncompanies.com [from
which dans heard good things about]. I really like johncompanies'
virtual machines because you get root, but it is a whopping
$47/month!!! http://dreamhost.com is dirt cheap, but you share
resources and it's probably just as secure as soda (which is
not very). I haven't heard anything about http://textdrive.com.
What do you guys use and recommend? Thanks.
\_ i have a bunch of stuff hosted with dreamhost and have been
very happy with them. i was referred by another sodan. a lot
of guys at gamespy use dreamhost as well and love it. -shac
\_ How much quota, IP/hosts, do you get, and how much do you pay?
\_ i pay annually. so i paid $120 for 1 year starting at 20GB
disk, 1TB monthly transfer. each month they increase both
of these numbers for you so im probably at like 22GB and
whatever monthly transfer. the longer you are a customer
the larger your quotas are. see their pricing comparison.
http://www.dreamhost.com/shared/comparison.html
-shac
\_ which coop is dying? how much do you use now?
\_ i've heard good things about simpli.biz
\_ JohnCompanies kicks ass. You send mail and.. John mails you back
in like 2 minutes. None of the trouble-ticket-queue bullshit. On
the flipside, yeah, they're (relatively) pricey and you have to do
all the admin yourself, and if John dies in a car crash, I'm not
\- that is the scenario i call
BUS TERMINATED. --psb
sure how much human failover they have. --dbushong
\_ HA that's pretty funny. But how do you know johncompany is
run by 1 man, and if other companies aren't in the same
situation?
\_ I don't, but if you go with <insert random huge company>
it's unlikely.
\_ Oh, if you are doing anything art or community oriented, consider
Laughing Squid. -dans |
| 2006/5/3-5 [Computer/SW/Security, Computer/SW/Mail] UID:42921 Activity:nil |
5/3 Can anyone recommend an e-mail service that provides POP3/IMAP and
SMTP with encrypted authentication, From: address to whatever you want
it, isn't zombie-land, has minimal service interruptions, and won't
go away? Doesn't need to be free. Really important to have minimal
service interruptions.
\_ Gmail!
\_ From: address always defaults to @gmail.com.
\_ I believe you can change this in Settings->Accounts.
There is no IMAP though.
\_ Cool, I just tested it. Works through SMTP auth port 465
too. Thanks. -op
\_ Not if you're using SMTP, afaik. |
| 2006/5/3-5 [Computer/SW/Mail, Computer/SW/Security] UID:42918 Activity:nil |
5/3 In the light of what happened recently, should I stop using soda
for any important communications and get a gmail account instead?
\_ FYI, I am making my ISP account (Comcast) my main e-mail point.
My problem with gmail is that the From: address is automagically
replaced with your @gmail.com address, whereas I can make it
whatever I want with Comcast as long as I authenticate.
I do realize Comcast is the source of most zombie spam.
This is after having used soda as my main mail account since '92.
Props to all the undergrads who have kept soda up, anyway.
\_ Comcast is a bad idea. Comcast is a spam target and also means
you are tied to that ISP. Better to convert to gmail.
\_ because, you know, gmail isn't a spam target. -tom
\_ No, but it does have good spam filtering built-in.
Still, what is a good reason for using comcast over
gmail? I'd rather use soda. Or <DEAD>cal.berkeley.edu<DEAD>.
\_ I don't use comcast, but web interfaces to email
suck, and gmail still doesn't offer IMAP, right? -tom
\_ Well, gmail is faster than any other webmail I've
used, and the searching/labeling/filtering system
is pretty good. Gmail is the only webmail I've used
that I could put up with daily... although I still
only use it for certain things. Maybe eventually
they will have IMAP. I saw some kind of beta 3rd
party attempts at providing IMAP gmail access.
Shrug.
\_ "web interfaces to email suck" ?? what are you
talking about? gmail is easy to use, has key-
board shortcuts and is accessible from anywhere
without worrying about ssh'ing or crap like that
\_ One drawback of web mail is that if you don't
access it within X time, your account can
go byebye. Although gmail's 9 months is I think
much longer than any other free webmail.
\_ Let me be more explicit; non-web GUI mail clients
have better interfaces than web-based mail
clients. It can be useful to have access to
a web-based client, but the web interface is
significantly less effective for day-to-day
activity. -tom
\_ gmail supports POP/SMTP, so you can use
other email clients like outlook and
mac mail client.
\_ but not with multiple mailboxes, so
what's the point? -tom
\_ Most people stopped using soda for important communications a
long time ago.
\_ Yes, it's pretty obvious that gmail will be more reliable for
things like that. I use both.
\_ I echo the op's concerns and am switching to my primary e-mail to my
ISP as well (SBC). If you lived in a neighborhood for 10 years,
loved it, then all of a sudden couldn't get access to your house for
2 weeks because there was a break-in, while the local police was
processing your paperwork, I would move. Again, not enough praise
can be given to those volunteering their time and effort to maintaining
this environment. It's a testament that it has as much uptime as it
does. But as your primary account, it would be awful to go
through that again. I think free e-mail services are risky because
they can start charging at anytime or start going downhill
(i.e. Hotmail). If you are happy with your ISP and plan to use them for
awhile, why not go with them, at least you have greater control of the
risks.
\_ I'm still using soda for most things just because it's really
nice to be able to hand someone an email address you can be
fairly sure will still be there in 5 years.
\_ Why not just register your own domain ($2 to $30/year), and
point it at a cheap virtualhosting/email provider ($10 to
$50/month)? -dans
\_ because there are free, or already-paid-for alternatives. |
| 2006/5/2-5 [Computer/SW/Security] UID:42892 Activity:nil |
5/2 Okay, I think I get it now. If I want password-less login to
soda, then I need to do the whole generating the public and private
keys which requires a pass phrase, if I can put up with entering
my unix password every time in SSH or PUTTY, then I don't need
to do the whole ssh-keygen stuff. Is it correct?
\_ Yes. But if you go password-less, then if soda is compromised
again, you won't need to change your unix password.
\_ why is that? if soda is compromised then they have access
to the unix password too.
\_ Not if you didn't type it in while soda was compromised. -tom
\_ Unless it was cracked, which basically depends only on
how motivated the attacker is. -gm
\_ This is why a couple of soda users choose not to have
passwords at all -- they have "*" for their password
in /etc/shadow, so ssh keys are the only way they can
log in. For those users, an attacker who gets soda's
password file won't have anything to crack. --mconst
\_ how do you put * in /etc/shadow? I can't even
view it? so if I don't want to use unix password,
I need to ssh-keygen on my client server, then copy
the generated public key to soda under .ssh/ folder?
I should not copy my private key on soda though, right?
\_ Unfortunately, it's not possible for you to do
this yourself. If you really want to have no
password, mail root and we can remove it for
you -- but before you do that, you might want
to try just setting your password to something
random and not using it for a while. This will
give you a chance to get used to ssh keys and
see how you like them, and if anything goes
wrong with your ssh keys, you'll be able to log
in with your password and fix them. And yes,
your ssh-keygen stuff is exactly right. You
didn't mention this, but when you put the public
key on soda, you need to put it in a file named
.ssh/authorized_keys. --mconst
\_ thank you very much! this helped a lot in clearing
out my confusions.
\_ I was told because of the compromise, my ssh private key may be
stolen as well, but how is that possible? I thought the ssh
private key is on the client host, not on the server host (i.e.
http://csua.berkeley.edu)?
\_ Some people put their private keys on soda (with a passphrase,
I would hope). If you did, then both your private key and your
passphrase may have been stolen. If you didn't store your private
key on soda, you should be fine. -gm
\_ they put their private keys on soda, is it because they want
to use soda as a client to a different server?
\_ Exactly.
\_ the private key would be under .ssh/ right? |
| 2006/5/1-4 [Computer/SW/Security] UID:42878 Activity:nil |
5/1 Where can I find step by step instructions to change my ssh pass?
How do I change my login password? Sorry I haven't been on unix
for too long.
\_ What do you mean? You mean your login password? Run passwd.
You mean the password used to decrypt your private key? If you
stored a private key on soda, shouldn't you assume that's been
compromised too and generate a new private/public key pair?
\_ yes, the compromised passphrase for decrypting the key. Please,
how do you remember the steps to regenerate a new private/pub
key? All I remember there were some very tricky steps to generate
the key. Like I either 1) have to use the keyboard that is on
the server; or 2) use the java interface to generate the key
Now I can't find the procedures on csua website....
\_ You seem to be confusing ssh keys with the ridiculously
paranoid (and not altogether useful) "advice" on securing
your pgp/gpg key. Try "man ssh-keygen"
\_ Passphrase you mean?
\_ Would this help? http://www.csua.berkeley.edu/ssh-howto.html
\_ http://www.csua.berkeley.edu/~ranga/notes/ssh_nopass.html |
| 2006/5/1-4 [Computer/SW/Security, Uncategorized/Profanity, Computer/SW/Unix] UID:42873 Activity:nil |
5/1 Fuck it.
RSS wall feed isn't down, so much as only serving out my little diatribe on
the life and death of the hack.
I got shit to do. Later.
--michener
\_ Bring it back. This is *your* organization. It should run *your*
code. If bitchy alums, myself included, have a problem with it, fuck
em! If bitchy alums have a problem with google seeing it, tell
them to get off their asses and write a robots.txt file to fix the
problem. -dans
\_ root staff seems much more inclined to ignore than do anything.
It's rather discouraging for alums to even bother trying to
help when work making old desired software run is ignored, and
for requests that people "mail root if you want to do this," are
met with much silence.
\_ yes, you can "fuck em" but if the existence of a feed
makes people revolt, and not use wall logging, and therefore
make the feed pretty much useless as well, what's the fucking
point?
\_ Lowers the alumni noise floor of wall thereby making it a
useful channel for undergraduate signal? Sounds like a win
to me. -dans
\_ that way all 6 undergrads can talk. If the alumni noise
is a concern for them, I'm sure they can figure out
how to make a second wallall channel
\_ If, as you indicate, there are only 6 active undergrads
in the organization, then perhaps the CSUA has run its
course and should be shut down. Of course, you're
wrong, so the point is moot. -dans
\_ Do you actually work on getting stupider every
day? -tom
\_ For you tom? Anything. :-*
It's cute how you define stupid as "Any view
that doesn't support what you believe." Here in
reality, i.e. that place outside of the bubble
you live in, we call that closeminded and
juvenile. meh. Bored now. -dans
\_ Coming from you, this is hilarious.
\- but is it ironic?
\_ Let me add some useful info to this debate. For the record, I
think it's a cool idea, and don't care if Google indexes wall, in
which case you could just reenable it as is. But, the bitchy
alumni can read these:
http://csua.org/u/fok - How do I request that Google not crawl
parts or all of my site?
http://csua.org/u/foj - How can I remove content from Google's
index?
\_ Interesting and useful. But, really. I seriously have code to
write for classes and such and shit to do. So I'll revisit at
a later date. Until then, bad alums, no cookie! ;) --michener |
| 2006/4/21-24 [Recreation/Activities, Computer/SW/Unix, Computer/SW/Security] UID:42798 Activity:low |
4/22 ok, so maybe a dumb question, but a coworker just asked me and I'm
not sure the answer: so is it possible to view the standard
output of a process running on your system? I do have root. thx
\_ truss/strace, with the option to print the entire syscalls
\_ ok, let me rephrase: there is a process running on my system.
I did not start it. I am root. I have just the process id
(from ps) ... is there some way I can see std out/err? thx
\_ you can't see what has -already- gone out to stdout/stderr
if you look at the write() calls for stdout/stderr (by fd)
you can see what it is putting out -now-. truss -p pid
\_ try /proc/<pid>/fd \
\_______________\_ this was all helpful. thanks. |
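The two answers above fit together: /proc/<pid>/fd shows where a process's descriptors point right now, and strace/truss on its write() calls shows what it emits from now on; output that already went to a tty or pipe is gone. Added example, not from the thread, Linux-only: it reads the fd links of a process and, when stdout is a regular file, reads back what the process already wrote by opening /proc/<pid>/fd/1 (which works even after the file was unlinked). demo() spawns a constructed child with stdout redirected to a temp file.

```python
import os
import subprocess
import sys
import tempfile
import time
from typing import Dict, Optional

PROC_AVAILABLE = os.path.isdir("/proc/self/fd")  # Linux procfs present?


def std_stream_targets(pid: int) -> Dict[int, Optional[str]]:
    """Where fds 0, 1 and 2 of `pid` point right now, via /proc/<pid>/fd.

    Values look like '/dev/pts/3', '/var/log/x.log', 'pipe:[12345]' or
    'socket:[6789]'. None means no such fd, no procfs, or no permission
    (another user's /proc/<pid>/fd needs root, as the thread assumes).
    """
    targets: Dict[int, Optional[str]] = {}
    for fd in (0, 1, 2):
        try:
            targets[fd] = os.readlink("/proc/%d/fd/%d" % (pid, fd))
        except OSError:
            targets[fd] = None
    return targets


def classify(target: Optional[str]) -> str:
    """Coarse kind of a /proc fd link target: pipe, socket, device, file."""
    if target is None:
        return "unknown"
    if target.startswith("pipe:") or target.startswith("socket:"):
        return target.split(":", 1)[0]
    if target.startswith("/dev/"):
        return "device"
    return "file"  # includes '/path (deleted)' for unlinked files


def read_captured_output(pid: int, fd: int = 1, limit: int = 65536) -> Optional[bytes]:
    """Return what `pid` already wrote to fd if fd is a regular file, else None.

    For a tty, pipe or socket the past output is unrecoverable; only tracing
    the write() calls (strace -p PID) shows what is written from now on.
    """
    if classify(std_stream_targets(pid).get(fd)) != "file":
        return None
    with open("/proc/%d/fd/%d" % (pid, fd), "rb") as f:
        return f.read(limit)


def demo() -> Optional[bytes]:
    """Constructed scenario: a child whose stdout is redirected to a file."""
    if not PROC_AVAILABLE:
        return None
    with tempfile.TemporaryDirectory() as d:
        log_path = os.path.join(d, "child.log")
        with open(log_path, "wb") as log:
            child = subprocess.Popen(
                [sys.executable, "-c",
                 "import sys, time; sys.stdout.write('hello from child\\n'); "
                 "sys.stdout.flush(); time.sleep(30)"],
                stdout=log, stderr=subprocess.STDOUT)
        try:
            captured = b""
            deadline = time.time() + 10
            while time.time() < deadline and not captured:
                captured = read_captured_output(child.pid) or b""
                time.sleep(0.05)
        finally:
            child.kill()
            child.wait()
        return captured


if __name__ == "__main__":
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for fd, target in std_stream_targets(pid).items():
        print("fd %d -> %s (%s)" % (fd, target, classify(target)))
```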
| 2006/4/19-23 [Computer/SW/Security] UID:42785 Activity:low |
4/19 Hey, IMAP and IMAP/SSL aren't accepting my password. Is this
happening to anyone else? I can login fine using ssh. It had been
working up until someone turned off POP.
\_ Is it possible that SASL is configured to use a different
authentication backend, e.g. PAM, than logins, which I believe use
LDAP? -dans
\_ Wrong.
\_ I asked if it's possible. I've seen this error on other
systems before. Do you have any constructive suggestions?
-dans
\_ SMTP auth... please
\_ oh goodie, they both work now as of 1:30pm today (the 20th, and it
wasn't working an hour ago). -op |
| 2006/4/18-23 [Computer/SW/Security, Computer/SW/WWW/Server] UID:42779 Activity:nil |
4/18 Thanks mrauser for the call just now.
root: I think one of the next priorities can be enabling POP3/SSL
and IMAP/SSL. I'm going to download e-mail with the unencrypted
connection, but I'll probably change my password once every couple
weeks until the above gets online.
Most if not all of the official UC e-mail systems now require SSL
for downloading and sending e-mail, right?
\_ Actually, all password transactions must be encrypted according
to the Minimum Standards for Networked Devices policy. -tom
\_ IMAP/SSL is now up, POP3 is down entirely. That should suffice
for the moment. -michener |
| 2006/4/18-20 [Computer/SW/Security, Computer/SW/Unix] UID:42775 Activity:moderate |
4/18 Some thoughts about securing a machine. Feel free to add your
expert opinions. --ricky
* Securing a machine that allows interactive logins by users
is _very_ hard.
* Reduce suid binary to absolute bare minimum.
* Perform automatic _remote_ checksums from a machine that is
separate and is not accessible by regular users. Usually,
NFS is recommended for this. Basically, have a remote
machine regularly check critical files on the machine and
alert root if anything changed.
\_ This existed a while ago, called Tripwire. Started as a
a research project and grew to a startup. Many people tried
it but gave it up. The concept is easy, but in practice, it takes
damn too much time. All of the above suggestions are good,
but in the end, if the cost of manageability is high, no
one will care. Lastly root and politburo aren't paid to do any
of the above stuff and most people have better use of their
time so... who cares. Would YOU like to volunteer
\_ Why are suggestions being taken as a demand that they
do it. If alumni (or "members") do all this stuff, aren't
they just "fucking the undergrads" ?
\_ No. If they storm into the machine room or the office
and insist that it be done their way and be done right
this minute, then they are fucking the undergrads.
Historically, asking nicely and accepting a polite `No.'
is not one of the strong suits of the alumni. Though
anecdotal, it's also worth noting that the amount a
given alumnus bitches appears to be inversely
proportional to the amount of meaningful contributions
(time, money, hardware, etc.) he makes to the
organization. -dans
\_ so you contribute absolutely nothing, eh? -tom
\_ Ah let me clarify that. The amount a given
alumnus bitches at the current undergrads appears
to be inversely proportional to the amount of
meaningful contributions he makes to the
organization. If the alumni bitch at each other,
it has no bearing on the CSUA or its future.
-dans
doing these things ricky? You should attend politburo.
\_ Agreed, I tried to set up a modern version of tripwire on
hosts I administered in my last job, and it's nigh unusable.
It smacks of overengineering, and has too many features
apparently added by marketing folks trying to sell to the
enterprise software market. Furthermore, if you want to be
really secure, running _remote_ checksums isn't good enough
since the credentials for soda are likely the same as the
credentials for other CSUA hosts. Thus, checksumming soda's
binaries from screwdriver takes a non-trivial amount of work
for a trivial gain. Also, what happens when people trojan
libraries not binaries? Should we checksum those too? Which
libs? -dans
\_ ideally you checksum everything, and flag what is 'volatile'
and likely to change from day to day.
\_ ideally, yes, but that's a really time consuming,
tedious, manual process. Unless you have some '1337 tool
to do that for us. If so, please post a url. -dans
\_ I have used aide, a tripwire-like tool that checksums files
in two ways. It works pretty well, and isn't that difficult to
use. I found it annoying if I didn't check/update signatures
before doing package upgrades, which meant I couldn't tell
whether the changes were intentional from the update or if
someone had done something to the binaries the same day.
While there are certain more-secure "ideal" ways to set things
up (binary on immutable media, running on a separate system,
database on immutable media, etc.) A simple "on this system"
"aide running out of /usr/sbin" "database stored locally" while
not great from a security standpoint, as long as one doesn't
rely on the lack of warnings and messages to mean you are
secure, is still a useful tool.
* Educate users about ssh. For example, unless the user is
extremely certain that their private keys are safe (resides
in encrypted partition, etc.) having empty passphrase is a
bad idea. Assuming above is met, using passphrase protected
key pair and setting up authorized_keys is safer than using
passwords.
\_ Education works the best, when people are willing to
be educated. Do you think people like to be educated?
\_ It's also vital to keep up with patches to OS and utilities.
\- ssh won't solve the problem. the problem is a combination of
clueless users and users who don't care about security [and
are willing to login from machines with kbd sniffers]
combined with the close to inevitability of local account ->
local exploit -> root. i think soda should adopt the
position: 1. soda will be broken into and should not be
trusted ... meaning it should not be used as an outbound
stepping stone ... no rsh, rlogin, ssh, telnet. i suppose
you can leave ftp on and i guess scp. 2. do what you can
about prevention [applying patches etc but also invest some
in rapid detection. tripwire is a piece of crap but there are
other tools to do this with ... i maintain checksums on about
50 things [in some cases OSes, in other cases various data
trees] and while i don't look at all the data everyday, with
disk being cheap i can store enough snapshots i can at least
go back and tell a story if there is a problem found at some
point. even a half-assed checksumming system will get you
pretty far ... and would certainly pick up a trojaned daemon
or client. we have some not-very-portable hacks to address the
case of trojaned libs [these check low level information in
inodes and compare them to higher level queries and look
for inconsistencies ... like say in the link count] but these
are probably not worth the effort ... they were crafted for
very specific rootkits. |
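The aide post and the reply above both come down to the same thing: keep a baseline of hashes plus inode facts (including the link count) for everything, flag the volatile parts, and compare snapshots over time. The script below is an added illustration, not code from any of the posters or from aide/tripwire; it builds a constructed temp tree (the sbin/sshd, lib/libc.so and var/log paths are illustrative), swaps a daemon while putting its mtime back, hard-links a library, and shows what a baseline comparison reports.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# Hash plus inode facts: a swap that keeps size and mtime still changes the hash.
FIELDS = ("sha256", "mode", "uid", "gid", "size", "nlink", "mtime")

def fingerprint(path):
    st = os.lstat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {"sha256": digest, "mode": st.st_mode, "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size, "nlink": st.st_nlink,
            "mtime": st.st_mtime_ns}

def snapshot(root, volatile=()):
    """Baseline every regular file under root; volatile = relative prefixes to skip."""
    base = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if not os.path.islink(full) and not rel.startswith(volatile):
                base[rel] = fingerprint(full)
    return base

def compare(old, new):
    """Added and removed paths, plus which FIELDS differ for changed ones."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)), "changed": {}}
    for rel in sorted(set(old) & set(new)):
        diff = [k for k in FIELDS if old[rel][k] != new[rel][k]]
        if diff:
            report["changed"][rel] = diff
    return report

def demo():
    """Constructed tree: daemon swapped (mtime put back), lib hard-linked, log churns."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("sbin/sshd", b"orig sshd"), ("lib/libc.so", b"libc"),
                          ("var/log/messages", b"boot\n")):
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_bytes(data)
        before = snapshot(root, volatile=("var/log/",))
        sshd = Path(root, "sbin/sshd")
        st = sshd.stat()
        sshd.write_bytes(b"evil sshd")  # same length as the original
        os.utime(sshd, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp put back
        os.link(Path(root, "lib/libc.so"), Path(root, "lib/libc.so.6"))
        Path(root, "var/log/messages").write_bytes(b"boot\nmore\n")
        return compare(before, snapshot(root, volatile=("var/log/",)))
```

The swapped daemon shows up on its hash alone (size and mtime match the baseline), the library shows up only on its link count, and the log is silently skipped because it was flagged volatile.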
| 2006/4/18-22 [Computer/SW/Security] UID:42773 Activity:nil |
4/18 I'm interested in doing some traffic analysis to see if
the sshd trojan can be detected by looking at traffic patterns.
I seem to remember people's inbound sshd connections
being dropped now fairly frequently [but soda stayed up].
Can anybody authoritatively speak to whether just some
sshds were dropped or when one was dropped all were dropped.
Also I assume outbound sshes were not dropped. I'm curious
whether the sshd bug was in maybe the checkpointing routine
when it was writing out to the sniffer log, or it was
something more random/complex. Unless I get a good lead
I probably won't pursue this because I'm sort of busy
now and it's a lot of data to trawl through potentially or
lot of work to reconstruct. Basically looking for a large
clustering of sshd drops in time and space without evidence
of a reboot [other protocols dropped] and not a normal shutdown
might be smoke -> fire signal.
\_ Even if this particular ssh trojan was causing the daemon to drop
connections, why would you assume that this would be true of other
ssh trojans? -dans
\- why do you assume i assume it is true of other trojans.
obviously my concern is we don't know where the soda hacker
came from and what he did with the sniffed info. assuming
this same person installed the same buggy trojan elsewhere
is hardly a stretch. a better question might be: is the
trojan buggy on just freebsd. and the issue is sshd not
ssh. ssh trojan and sshd trojan have different implications. |