2009/2/10-13 [Computer/SW/Security, Computer/SW/Unix] UID:52552 Activity:nil |
2/10 I have an sh file that does a mount. The mount does an authentication. I previously stored the username and password from zenity prompts. However, I can't get a return on the password field. The following only works on the username: mount -t davfs "http://blahblah.com/BLahUser11" /mountdir << EOF ${username} ${password} EOF It gets stuck at the password. Any thoughts? thanks \_ Expect? \_ the username gets passed and a carriage return then a prompt for the password is there but the ${password} doesn't get put in nor carriage return. so script is stuck \_ /usr/bin/expect \_ can't use expect. this is an automated installer on other persons' machines. I would have to apt-get expect. No way to do it just with EOFs? \_ would "for i in 1; do echo $username; sleep 1; echo $password; done | mount -t ..." work? It really depends on how the password is being read. \_ that didn't work... same behavior \_ No, this is one reason tools like Expect were invented. See, e.g., http://www.noah.org/wiki/Pexpect#Q:_Why_not_just_use_a_pipe_.28popen.28.29.29.3F \_ thanks.. i guess i have no choice :) excellent! \_ Well, that's not to say you couldn't make a very stripped down version of an expect-like tool that does what you want, and ship that. Maybe someone else has already done it. \_ or use Perl Expect or Python Expect. |
2009/1/15-23 [Computer/SW/Languages/Java, Computer/SW/Security] UID:52394 Activity:nil |
1/15 http://cwe.mitre.org/top25 2009 CWE/SANS Top 25 Most Dangerous Programming Errors \_ "Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not." Really? Fuck you buddy. I don't always remember what my goddamn username was on your stupid fucking site. Just tell me if I got it wrong thank you very much. (Just like if my password doesn't conform to the rules for what a valid password is FUCKING TELL ME WHAT THE RULES ARE. Any attacker knows that information and giving it to me may remind me what password I used so please, make our lives easier.) \_ at that level of frustration i would just choose another website for that service, or go see the store in person. \_ http://Buy.com offers no helpful hints, but their prices are good. Does make me want to strangle people, though. -!pp \_ I wish there was a counter/way to determine how with online stores i can be assured of creating jobs/ buying american. I am wondering how much we are screwing ourselves into a longer recession by sending a job overseas by saving five dollars. I think i'd rather pay the extra $20. \_ My last three http://Buy.com purchases all shipped from American companies. |
2009/1/11-15 [Computer/SW/Security] UID:52358 Activity:nil |
1/11 http://www.americanstinker.com/2008/01/barack_obama_and_israel.html \_ well hopefully he has good Secret Service security. |
2009/1/5-9 [Politics/Domestic, Computer/SW/Security] UID:52317 Activity:nil |
1/5 http://indiacgny.org/php/showContent.php?linkid=200&partid=96&sub=sub2 IRONY |
2009/1/2 [Computer/SW/Security] UID:52311 Activity:nil |
1/1 Is email still down? My outgoing email seems to be not working. Also ssh password login seems to be not working (but certificate works). Thanks and Happy New Year. |
2008/12/26-28 [Computer/SW/Security, Academia/Berkeley/CSUA/Motd] UID:52296 Activity:kinda low |
12/26 Motd is dead for good, RIP Motd. You will be missed. :( \_ What about soda? Date: Sun, 28 Dec 2008 11:56:41 -0800 From: Steven Schlansker <stevenschlansker@berkeley.edu> To: announce@csua.berkeley.edu Subject: [CSUA Announce] Soda back up! Hey guys, Unfortunately http://soda.csua.berkeley.edu crashed over the Christmas break when I was out of town and none of the rootstaff with cardkey access to Soda could get in. About a day's worth of mail was bounced unfortunately - if you got a bounce message, just try to resend your email and it'll go through now. Sincerest apologies - I simply couldn't make it back to Berkeley any faster. Hopefully everything will be running OK for now. We're still waiting on our shipment of a new server... the latest ETA is the 10th. Then I will be rebuilding it (with the help of the rootstaff and some new hopefully up-and-coming root members!) and we'll put it into production as fast as we can! Hope everyone's holidays find them well, Your VP Steven Schlansker _______________________________________________ Announce mailing list Announce@vermouth.csua.berkeley.edu http://vermouth.csua.berkeley.edu:1337/cgi-bin/mailman/listinfo/announce |
2008/12/18-2009/1/2 [Computer/SW/Security] UID:52280 Activity:nil 50%like:52218 |
12/18 Hi, is there a how-to to access csua with ftp? \_ man scp \_ Thanks that did it. |
2008/12/2-7 [Computer/SW/Security] UID:52141 Activity:nil |
12/2 Thomas Sowell is awesomely cantankerous in his most recent column. I love this line: Working in a homeless shelter is widely regarded as "community service" as if aiding and abetting vagrancy is necessarily a service, rather than a disservice, to the community. \_ Wow! A pompous idiot is a pompous idiot! What a shocker! And look! Nazis! Hitler! \_ For chrissake. A great deal of homelessness is due to untreated mental illness. How about this: "treating heart disease is aiding and abetting unhealthy lifestyles..." \_ The Hoover Institute is not paying him to write reasonable, thoughtful opinion pieces where he deals fairly with the root causes of whatever the hell he's writing about this week. |
2008/11/16-17 [Computer/Networking, Computer/SW/Security, Computer/SW/Unix] UID:51999 Activity:low |
11/16 Can I use my SBC Yahoo! DSL login name "xxx@sbcglobal.net" and password for the DSL at someone else's home? \_ Why don't you try it... \_ Don't check your email at your mistress' house. |
2008/11/7-13 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:51875 Activity:nil |
11/7 Does this guy have a soda account? http://www.mercurynews.com/ci_10926276?source=rss (online stalker) \_ boring \_ I wonder if Sold Intel Secrets To AMD guy has a soda account. |
2008/10/31-11/2 [Computer/SW/Security, Computer/SW/Unix] UID:51769 Activity:nil |
10/31 As root, is there a way to make "passwd" give the same "too short" and other bad password errors (or at least warn in those cases)? This is on Linux. |
2008/10/29-31 [Computer/SW/Security] UID:51721 Activity:nil |
10/29 Bruce Schneier et al. have released their submission for the new SHA replacement: http://www.schneier.com/blog/archives/2008/10/the_skein_hash.html \- btw, worth looking at the MD6 design if you are interested in this stuff. multicore scalability a "tier 1" goal. |
2008/10/23-28 [Computer/SW/Security, Computer/SW/Unix] UID:51654 Activity:nil |
10/23 Woman charged with crime for "killing" (deletion really) of online character: http://tinyurl.com/6lspuv \_ she is weak. She should have created her own character and then done a backstab on his ass. - turin |
2008/10/16-17 [Computer/SW/Security, Politics/Domestic/Election] UID:51551 Activity:nil 50%like:51512 |
10/15 Secret Service says no one said "Kill him" at Palin rally http://www.timesleader.com/news/breakingnews/Secret_Service_says_Kill_him_allegation_unfounded_.html |
2008/10/9 [Computer/SW/Security, Computer/SW/Unix] UID:51447 Activity:nil |
10/8 http://www.scribd.com/doc/4964973/Worst-Captchas-of-All-Time Worst captchas of all time. Some stupid, some funny. |
2008/9/21-23 [Computer/SW/Security, Politics/Domestic/SocialSecurity] UID:51253 Activity:nil |
9/21 Obama's Social Security Whopper http://www.newsweek.com/id/160179 \_ if you say so |
2008/9/20-23 [Recreation/Dating, Computer/SW/Security] UID:51244 Activity:kinda low |
9/20 Etiquette question: my gf's boss invited her to his son's bar-mitzvah. What is a proper attire to wear for non Jewish women? Black & white only? Long sleeves only? Can you have color? Can you take pictures? Thanks. \_ Ok my gf just wore a long dress. Turns out they had a super fancy one with 200 people attending. They spent ~$30K on a bar-mitzvah. Is that how much they normally cost? It's very impressive. \_ $30K was more than my wedding, a LOT more. If you're spending that much on a 13 year old kid, it says a lot about how much you value bar-mitzvah. Or it could just mean that Jewish people ARE rich! \_ Mazel Tov! Think in terms of what you would wear to go to church, remembering that the actual Bar Mitzvah ceremony will be part of a service at a synagogue. Think in terms of a dress, a nice pants suit, or a skirt and nice top. Dress shoes and, if cooler weather, stockings. Nothing flashy or showing much flesh. There is typically no need for a head covering--if the congregation likes women to have head coverings, they'll have something in the lobby for you to put on. Colors are okay, although subdued would be best. A card including a check made out to the son is best, which you can give to the father anytime except during the service. If you've been invited to a party or a reception afterwards, that's a good time. It's traditional in Judaism to give money in multiples of $18, so think something like $54 or $72 or $90, depending on what you can afford and whether you've been invited only to the service or to a party afterward. In terms of the service, it will be a combination of English and Hebrew. The boy will recite prayers in Hebrew, and a portion of the Torah (what you may call the Old Testament) in Hebrew. There may also be a short speech in English. Just stand when the congregation stands and sit when they sit. 
If you understand the prayers and are comfortable reciting them with the congregation, do so, otherwise it's okay, since you're a visitor, just to read along in the prayer book (called a Siddur). \_ Give a card that says "In lieu of a gift, my tax dollars were sent to Israel". \_ LOL good one!!! It's almost Seinfeld material. \- ok tnx |
2008/9/16-19 [Computer/SW/Security, Politics/Domestic/SocialSecurity] UID:51192 Activity:nil |
9/16 <DEAD>retirementplans.vanguard.com/VGApp/pe/pubnews/SocialSecurityAndWorking.jsf?SelectedSegment=LivinginRetirement<DEAD> Why Social Security fucks everyone up. Earn too much? Get nothing! \_ Your reading comprehension is poor. You don't get nothing, you just get reduced benefits. That Vanguard page doesn't mention that your later benefits are actually increased because of working later. \_ You are right, we should let Morgan Stanley run Social Security, they will do a good job of protecting our retirement money. |
2008/8/6-10 [Computer/SW/Security] UID:50801 Activity:nil |
8/6 What kind of captcha would you love to see? List them here: -Hot or not? TOTALLY -Male or Female? -Gay or not? -Geek or not? -enormous breasts or regular size breasts? \_ Chinese, Japanese or Korean? \_ That would also serve as a test to weed out whites. \_ Oh come on. It's been demonstrated that Asians can't tell each other apart either. \_ What's "captcha"? Thx. \_ STFW. Or just read http://en.wikipedia.org/wiki/Captcha \_ I see. But then what does hot or female or gay above have to do with Captcha? \_ Hard to program something to automate that check. It used to be impossible to write a program to recognize the distorted letters and numbers used in older Captchas, but technology has caught up. \_ http://www.badhackerz.com/full-appz/11087-rapidshare-turbo-download-reads-new-cat-captchas.html |
2008/7/30-8/5 [Science/Electric, Computer/SW/Security] UID:50729 Activity:nil 78%like:50725 |
7/29 Pepperspray vs. taser, round #1: http://www.brickhousesecurity.com/self-defense-personalsecurity.html http://preview.tinyurl.com/5sjfz5 [infowars.com] http://videos.caught-on-video.com/Player.aspx?fileid=513DC6A2-FF6A-40F9-9893-589AC926FCCE&p=0 (taser takes down a BULL) |
2008/7/29-30 [Science/Electric, Computer/SW/Security] UID:50725 Activity:nil 78%like:50729 |
7/29 Pepperspray vs. taser, round #1: http://www.brickhousesecurity.com/self-defense-personalsecurity.html http://www.infowars.com/articles/ps/tasers_vs_pepper_spray_evaluation_of_police_weapons.htm http://videos.caught-on-video.com/Player.aspx?fileid=513DC6A2-FF6A-40F9-9893-589AC926FCCE&p=0 (taser takes down a BULL) |
2008/7/28-8/5 [Computer/SW/Security] UID:50711 Activity:nil |
7/28 Everyone's captcha hacked: http://blogs.zdnet.com/security/?p=1418 \_ I still like the idea of making real people solve captchas to get porn or torrents or the like. Captchas that are actually used by other sites. |
2008/7/20-23 [Computer/HW/Laptop, Computer/SW/Security] UID:50640 Activity:nil |
7/20 Does my encrypted disk LVM everything partition scheme make my laptop consume a lot more power than if I weren't using encrypted LVM? |
2008/7/15-23 [Computer/SW/Security] UID:50581 Activity:nil |
7/14 anyone know this guy? A disgruntled city computer engineer has virtually commandeered San Francisco's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday. http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/14/BAOS11P1M5.DTL&tsp=PSB \_ The article is short on technologies involved. It sounds vaguely like he commandeered their domain's administrator account. \- i suspect waterboarding would be successful in this case. \_ Is that you in the sfgate comments? \- no, i didn't read the comments. \_ probably better that way. they make me sad. \_ I enjoy how the article says there is no known motive. Anyone who has hung out with disgruntled sysadmins knows that no motive is needed. \_ No, but he is the poster child for a BOFH. I wish I knew him, so I could shake his hand. \_ Having worked with IT guys who couldn't comprehend the fact that IT is f***ing support and not an ends to itself I wish I knew him so I could kick him in the balls. \_ Depends. IT can be support or it can be an ends to itself. For the city I'd say IT is a big part of what they do. \_ IT by itself is nothing. IT is a tool to make other tasks easier. I accept that. Keeping the tools running is an honorable job. Just admit that's not what you are doing. \_ Well it depends. I think you are too limited in your scope. There are a lot of situations where the tool is more important than the operator. Making a job so simple that a monkey can do it is one of the areas where IT can help and in those instances I think the IT adds more value than the actual "doers". At that point where IT is contributing more significantly to the bottom line I wouldn't say it is a supporting role anymore, but a key role. Addendum: What role would you say IT plays at companies like eBay? \_ Or Amazon, with the EC2 project? 
\_ it might be a big Peoplesoft install. \_ He made $149,269 working for the gov't, which is not bad now is it? \_ Previous motd postings lead me to believe that this makes him rich. Still won't make $5m bail, though. \_ This is a lot of money, almost as much as I make as a Director in the private sector. Maybe those public sector IT geeks are overpaid after all... \_ Plus he can't get fired even when he's clearly got issues and he probably has better benefits than you do, too. |
2008/7/13-23 [Computer/SW/Security] UID:50553 Activity:nil |
7/13 Illegal Immigrants prosecuted for social security fraud: http://preview.tinyurl.com/6c4wm6 [nyt] Prof. Camayd-Freixas essay re same: http://blogs.ilw.com/gregsiskind/files/camayd.pdf |
2008/7/2-6 [Politics/Domestic/911, Computer/SW/Security] UID:50453 Activity:kinda low |
7/2 On the torture debate (or maybe just flame fest), the claim that torture doesn't work is true most of the time but untrue some of the time. Most of the reasoning for pro-torture positions doesn't make sense to me, I feel like it's not logical to give support to something that doesn't produce results while at the same time being oppressive. The one thing I think I can see is that I make a decision that I would rather have a little less security to have more human rights/ civil liberties. When Patrick Henry said "Give me liberty or give me death" he didn't mean unless he might get hurt. I can understand that if you won't tolerate any threat to your personal security (at least any threat outside of our government) it would be in your best interest to want them to torture anyone they thought might be involved in terrorism. But to me that seems like a cowardly approach, a minimal risk to yourself is worth the gain in liberty for all. It's easy to see that deaths from terrorism << torture/government repression. -mrauser \- the ticking time bomb scenario has long been "the standard" classroom hypo after THE TROLLY PROBLEM for the tension between UTILITARIAN theories [cost-benefit analysis] and DEONTOLOGICAL theories [torture is wrong. the exact reason it is wrong depends on the flavor of deontology, but probably "the standard" again is the kantian one but maybe simpler to understand is the RDWORKIN "RIGHTS AS TRUMPS" view ... mostly this is beyond the scope of a motd discussion]. but the "i only care about me" sort of begs the question ... since a core question of moral philosophy is "what do we owe others" and you're pretty much saying "nothing" in that "degenerate" case. EGOISM may be an apt description of a lot of people, but it's not really a philosophy [although i suppose maybe FWNIETZSCHE might have spun it into one, but i am not really an expert on FWN ... 
and that is also beyond the scope of the motd]. here is a problem with the "results oriented" view: do you think it would be categorically wrong to say torture a family member of the terrorist ... say KSM's wife and kids ... if that would be a highly effective way of producing results. if you want "the standard" critiques of utilitarianism, see BERNARD WILLIAMS [formerly UCB Dept Philosophy, now dead] and AMARTYA SEN ... at the core, utilitarianism "does take persons/rights seriously. Williams also has a very influential critique of deontology, but that may be a little hard to follow. \_ I've heard of the ticking time bomb, and it's pretty easy to feel saying you would torture the guy, because in this magical fantasy he is directly responsible for the bomb being there and you know that there must be a bomb so there is a perverse justice in torturing him to make him tell you. But as a real world example, it holds no water, because how often do you KNOW that there is a threat and the person in front of you has specific knowledge of it. You torture without this information, in the hopes of getting it. Another scenario, say a terrorist kidnaps someone's family and then tells that person where they put a bomb in a building, but they tell that person if they tell the authorities they will kill their family. So do you torture a complete innocent who has a self interest in not telling you the info? Here is a scenario which is nearly as plausible as the ticking time bomb, but I don't think anyone could feel good about either option. The problem to me is that torture is used in ambiguous situations with a presumed guilt or presumed having of the info. I think that because torture can really never be used with certainty, it should never be used at all. Plus, there is a strong argument that it leads to false confessions and false information just as long as it leads to good ones. -mrauser \_ look up "a fortiori" \_ Your writing is only partially intelligible. 
What was your "i only care about me" and "what do we own other" sentence referring to? |
2008/6/25-7/14 [Computer/SW/Security] UID:50380 Activity:nil |
6/25 some XCF or CSUA person had a web page about a project they were working on where I set up a machine, and you set up a machine somewhere, and they both passively back each other, i believe with an encryption key so i can't read your backups. when your disk catches on fire, i just give you a copy of your data. anyone remember the name of this? \_ crashplan? \_ You might be thinking about oceanstore: http://oceanstore.cs.berkeley.edu But it's a slightly different concept and more massively distributed. |
2008/6/19-23 [Computer/SW/Security] UID:50314 Activity:low |
6/19 "One in three IT staff snoops on colleagues: survey" http://news.yahoo.com/s/nm/20080619/lf_nm_life/technology_snooping_dc \_ Weird, I go way way way out of my way to not snoop on coworkers. If I get someone to enter in a password, I start studying the backside of the really hot chick in HR at the other end of the room so I really have no idea what their password is. I want to keep out of trouble. \_ I do the same because I respect their privacy. \_ Yeah, I decided very early on in my career that I was not going to abuse my privileges to invade others' privacy. I would fire anyone I caught doing that. |
2008/6/17-20 [Computer/SW/Security] UID:50283 Activity:nil |
6/17 We currently have AT&T (used to be SBC) for local phone service. However these guys really suck, and my wife hates them. Is there an alternative local land-line service provider in the Bay area? \_ Hello, telco monopoly. You want alternate business, voice-over-IP on a non-AT&T internet connection, or get a cell phone. |
2008/6/9-12 [Computer/SW/Languages/C_Cplusplus, Computer/SW/Security] UID:50194 Activity:nil |
6/8 CSUA code guru please help. I need to seed my random number generator with a good seed (I just need random 18 bit identifiers). The usual time(NULL) is OK, except my program might be invoked faster than once a second, and seeding using time() produced the same result. I tried clock() but it seems to return 0. My program needs to be run in Linux/DOS (Watcom 32bit compiler), so I prefer to stick with standard API. What's a good way to get some randomness without using a special time function that goes into millisecond precision? Poke at some random bytes? Allocate a random array? This is in C. If I allocate say a 64byte block, and XOR the uninitialized memory, is there any guarantee that it will be a different 64byte block the next time my program is run? Thanks! \_ What are you doing this for? If it's encryption why are you reimplementing the (really difficult to get right) wheel? If it's not encryption what is it that needs high quality random numbers? \_ I need to assign IDs that are unique within a day to something 30 bit. I am thinking seconds_since_midnight (17 bits) + a random number (13 bits). If I simply seed using time(), my rand() will generate the same number if invoked within a second. So I am now seeding it using the XOR of time() with 64 uninitialized ints on the stack (again XORed together). This seems to do the trick. \_ Huh? You only need to seed once. After that you have a supply of random numbers you can draw on. So just seed by time when you start the program. Or are you thinking you are going to invoke main() many times per second? I don't know what you are doing here so it's hard to give good feedback, but think in terms of "now I have a stream of random numbers and I just need to use them." \_ The program exists after generating one ID. \_ Do you mean "exits"? S/w like SSH uses prngd to get around this problem. \_ Use another random number generator to generate the random seed for your random number generator! Oh wait ...... 
\_ What is wrong with rand? \_ Easiest just to bite the bullet and use non-ANSI C functions. The random array allocations are not at all guaranteed. \_ seed it with time and getpid. Expecting uninitialized memory to have random data runs the risk some chowderhead will take your code and comment it out when it generates warnings. \_ Does DOS even have PIDs? Wtf is even using DOS these days... \_ Embedded applications like digital cameras, I guess. http://www.datalight.com/products/romdos \_ you could try opening and reading from a dummy file and then using clock to seed. That way you'll block on IO and the amount of time you do that should be relatively random. \_ I thought about it again and this wouldn't be a good idea especially if you are running the program often. What will happen is that the file's memory page will be in cache after the first read and you won't have good random behavior. You could try file writes, but in general this is not a very strong randomness anyways. -pp \_ You're not a Debian contributor are you? |
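An added C example, not posted in the thread, of the 30-bit layout the poster describes and the seeding problem behind it: rand() is fully determined by its seed, so one-shot runs seeded from time() alone collide within a second, and uninitialized stack memory carries no guarantee of changing between runs. The seed sources shown instead are /dev/urandom where it exists and a persisted counter file (the file path is a constructed placeholder) as the portable fallback.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <time.h>

/* Layout from the thread: 17 bits of seconds-since-midnight (86399 < 2^17)
   in the high part and 13 random bits in the low part, 30 bits in total. */
#define SECS_BITS 17
#define RAND_BITS 13
#define SECS_MAX  ((1u << SECS_BITS) - 1)
#define RAND_MASK ((1u << RAND_BITS) - 1)

uint32_t make_daily_id(uint32_t secs_since_midnight, uint32_t rand13)
{
    if (secs_since_midnight > SECS_MAX)
        return 0;                       /* out of range: caller bug */
    return (secs_since_midnight << RAND_BITS) | (rand13 & RAND_MASK);
}

uint32_t id_seconds(uint32_t id) { return id >> RAND_BITS; }
uint32_t id_random(uint32_t id)  { return id & RAND_MASK; }

/* The failure mode the thread hit: rand() is a pure function of the seed, so
   two one-shot processes that both call srand(time(NULL)) in the same second
   draw the same 13 bits and produce the same ID. */
uint32_t first_rand_after_seed(unsigned seed)
{
    srand(seed);
    return (uint32_t)rand() & RAND_MASK;
}

/* Preferred on Linux/Unix: take the seed from the kernel CSPRNG.
   Returns 0 on success, -1 if /dev/urandom is unavailable (e.g. DOS);
   on failure *out is left untouched. */
int seed_from_urandom(uint32_t *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

/* Portable fallback for a one-shot program: a counter persisted in a file,
   mixed with time(). Unlike uninitialized stack memory, the counter is
   guaranteed to differ between runs. Not cryptographic; it only has to keep
   IDs distinct within a day, which is all the thread asked for. */
int seed_from_counter_file(const char *path, uint32_t *out)
{
    uint32_t counter = 0;
    FILE *f = fopen(path, "rb");
    if (f) {
        if (fread(&counter, sizeof counter, 1, f) != 1)
            counter = 0;
        fclose(f);
    }
    counter++;
    f = fopen(path, "wb");
    if (!f)
        return -1;
    size_t n = fwrite(&counter, sizeof counter, 1, f);
    fclose(f);
    if (n != 1)
        return -1;
    /* time() in the high half, counter in the low half, then a bijective
       integer mix, so distinct inputs always yield distinct seeds. */
    uint32_t x = ((uint32_t)time(NULL) << 16) ^ counter;
    x ^= x >> 16;
    x *= 0x45d9f3bu;
    x ^= x >> 16;
    *out = x;
    return 0;
}

/* Checks that return a result: 1 if two consecutive seeds from the source
   differ (the property the poster needs), 0 otherwise. */
int urandom_seeds_differ(void)
{
    uint32_t a = 0, b = 0;
    if (seed_from_urandom(&a) != 0 || seed_from_urandom(&b) != 0)
        return 0;
    return a != b;
}

int counter_seeds_differ(const char *path)
{
    uint32_t a = 0, b = 0;
    int ok = seed_from_counter_file(path, &a) == 0 &&
             seed_from_counter_file(path, &b) == 0;
    remove(path);                       /* drop the example's state file */
    return ok && a != b;
}
```

A real program would try seed_from_urandom first and fall back to the counter file, then call srand() once and build the ID from time(NULL) % 86400 and rand().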
2008/5/29-6/1 [Computer/SW/Security] UID:50082 Activity:nil |
5/29 Major jump in unemployment benefits for continuing claims 4Q corporate earnings forecast to be solid http://www.tickerforum.org/cgi-ticker/akcs-www?getimagenr=5939 (chart) \_ No Outside Links / Please Sign In Access to large images, or links from outside sites, are not permitted unless you are signed into the board. Thank you, Management \_ sorry |
2008/5/21-23 [Computer/SW/Security, Computer/SW/Unix] UID:50023 Activity:nil |
5/21 remember the big guy who runs Comic Relief in downtown berkeley? he died, at 50, on monday: http://blogsearch.google.com/blogsearch?q=%22rory%20root%22 http://www.comicsreporter.com/index.php/rory_root_1958_2008 \_ "Worst. News. Ever" |
2008/5/15-23 [Computer/SW/Security] UID:49961 Activity:nil |
5/15 How is Facebook's authentication system different from OpenID? http://developers.facebook.com/documentation.php?doc=auth \_ I think the point might be that it is not? We should get dans back on the motd, I bet he knows. I miss his 50 lines tangents sometimes. \_ Conceptually it's the same as OAuth (which merged/is merging with OpenID). AFAIK, Facebook's lack of support for OAuth is a political hedge to protect Facebook's 'walled garden'. -dans |
2008/4/26-30 [Computer/Companies/Google, Computer/SW/Security] UID:49838 Activity:low |
4/26 is Google Chat through the web browser encrypted? My sweetie spends all day chatting with me via Google Chat in gmail "oh baby i want to **** your **** and then *** *** **** ** ** *** ***" and "* **** **** *** **** in ** *** *****". Could some nosy sysadmin packet sniff her? \_ Like this really happened with a live woman. \_ Actually I'm not joking! It's great. \_ Get her a soda account, then you can both log in via ssh and chat away to your heart's content. \_ most likely she's not a UCB student |
2008/4/21-5/2 [Computer/SW/Security] UID:49787 Activity:nil |
4/21 Yahoo Instant Messenger is not encrypted. Are there chat programs that are a bit more secure than YIM? \_ what OS are you using? \_ What are your goals? Corporate security, or preventing your wife from eavesdropping on you? If you're using IM for internal company communication, you shouldn't be using anything where you don't control the server; deploy an internal messaging server instead. Jabber-based servers are popular for this. \_ I think AIM supports encryption (at least it seems to when I'm using iChat or Adium). I think GTalk supports encryption as well. \_ Beware of webcams pointing at your screen! \_ There is encryption but it's a pain in the ass sometimes. \_ Both you and your mistress log on to soda using ssh. Then run the good ol' "talk" program. You two will have a more intimate experience than using popular chat programs, coz now you can see every keystroke by the other instead of just line by line. (Imagine all kinds of real-time animation you can do with the '-' key and the backspace key.) \_ install adium or pidgin-otr. Trust in nikitab. |
2008/4/17-23 [Computer/SW/Security, Politics/Domestic/SocialSecurity] UID:49771 Activity:nil |
4/16 I've heard that you don't pay social security on income above $90K. Is this correct? Does that mean ~$8000 a year is the most you ever pay? \_ Yes, though the limit goes up every year. \_ My 2007 W-2 said my Social Security Wages is $97500. \_ Yes, that was the limit this year. There is no limit for Medicare. |
2008/3/17-21 [Computer/SW/Security, Industry/Jobs, Computer/SW/Unix] UID:49482 Activity:nil |
3/17 http://market-ticker.denninger.net Former sysadmin says Fed measures not addressing root of problem, IBs/banks will eventually be taken to woodshed \_ Once again, who cares if he is a sysadmin? \_ It dovetails nicely with the background of most of the pontificators on the motd. What's not to like? We really need to get this guy a soda account! \_ If sysadmins had run Bear Stearns the company would still be solvent right now. \_ He's got tech skills. I've got tech skills. Therefore I care what he says about the economy...? Huh? He may be 100% on the mark but having tech skills does not make his writing on the economy any more interesting. |
2008/2/29-3/4 [Computer/SW/Security] UID:49303 Activity:nil |
2/28 How do I allow only a certain SSH key to run a particular command? \_ Look for LocalCommand in ssh_config(5). Unless you're literally asking what you seem to be asking, in which case you're probably out of luck. \_ Read the manpages for the authorized_keys file if you're using openssh. You can specify the "absolute command" in there, or have it call a wrapper and have it process the $SSH_ORIGINAL_COMMAND variable. \- see /tmp/authorized_keys.acl-sample for an example. who is asking? |
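An added example of the wrapper approach from the second reply, written in C for this page rather than taken from the thread or the /tmp sample it mentions: the key's authorized_keys entry forces this program, which compares SSH_ORIGINAL_COMMAND token by token against an allowlist and execs the match with no shell in between. The wrapper path and the allowlist entries are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* authorized_keys entry that forces this wrapper for one key (constructed
   example; the options are the standard OpenSSH ones):
   command="/usr/local/bin/keywrap",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... backup@host
   With a forced command, sshd runs the wrapper instead of the client's
   command and exposes what the client asked for in SSH_ORIGINAL_COMMAND. */

#define MAX_ARGS 8

/* Exact argv vectors this key may run. Hypothetical allowlist. */
static const char *const allowed[][MAX_ARGS + 1] = {
    { "/usr/bin/rsync", "--server", "--sender", ".", "/srv/backup", NULL },
    { "/usr/bin/uptime", NULL },
};
#define N_ALLOWED (sizeof allowed / sizeof allowed[0])

/* Return the index of the allowlist entry whose argv equals the requested
   command token for token, or -1. Splitting is on spaces only: quoting,
   globbing and operators are never interpreted, since no shell is involved. */
int allowed_index(const char *requested)
{
    char buf[1024];
    const char *argv[MAX_ARGS + 1];
    int argc = 0;

    if (!requested || strlen(requested) >= sizeof buf)
        return -1;
    strcpy(buf, requested);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (argc >= MAX_ARGS)
            return -1;                  /* longer than anything allowed */
        argv[argc++] = tok;
    }
    if (argc == 0)
        return -1;                      /* empty request, e.g. plain "ssh host" */
    argv[argc] = NULL;

    for (size_t i = 0; i < N_ALLOWED; i++) {
        int j = 0;
        while (j < argc && allowed[i][j] && strcmp(allowed[i][j], argv[j]) == 0)
            j++;
        if (j == argc && allowed[i][j] == NULL)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    const char *req = getenv("SSH_ORIGINAL_COMMAND");
    int i = allowed_index(req);
    if (i < 0) {
        fprintf(stderr, "keywrap: command not permitted: %s\n", req ? req : "(none)");
        return 1;
    }
    /* execv rather than system(): the allowlisted argv is passed as-is. */
    execv(allowed[i][0], (char *const *)allowed[i]);
    perror("keywrap: execv");
    return 1;
}
```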
2008/2/28-3/4 [Computer/SW/Security, Computer/SW/Unix] UID:49282 Activity:nil |
2/28 Is anyone's IMAP password no longer working? \_ for the past two or three days, connecting to mead. :( \_ It works for me. Could you please tell me when you stopped being able to log in, and what error message you get? --mconst |
2008/2/26-3/4 [Transportation/Airplane, Computer/SW/Security] UID:49257 Activity:nil |
2/26 Documentary team says bomb ingredients can still be smuggled onto airplanes: http://preview.tinyurl.com/39basa (telegraph.co.uk) http://preview.tinyurl.com/yqflv9 (thisislondon.co.uk) The TSA disagrees: http://preview.tinyurl.com/3b6agt (tsa.gov/blog) \_ Airport screening is all about making people *feel* safer and very little about actually making people safe. \- no, it is about political CYA. |
2008/2/25-26 [Computer/SW/OS/Windows, Computer/SW/SpamAssassin, Computer/SW/Security] UID:49243 Activity:nil 80%like:49239 |
2/24 Facebook comscore numbers slipping http://preview.tinyurl.com/24p9n8 (techcrunch.com) http://preview.tinyurl.com/2hug7v (hollywoodreporter.com) Over to you, dans \_ dans doesn't work at facebook \_ Slide feeds at the pig trough which is facebook apps: http://adonomics.com/company/Slide |
2008/2/21-25 [Computer/HW/Memory, Computer/SW/Security] UID:49208 Activity:nil |
2/21 Cold Boot Attacks Against Disk Encryption: http://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html http://citp.princeton.edu/memory |
2008/2/19-22 [Computer/SW/Security, Finance/Investment] UID:49189 Activity:nil |
2/19 http://tinyurl.com/2ymrrc (yahoo.com) GOOG filing warns on near-revenue growth on reduction of accidental clickthroughs \_ Wow. I didn't know they were making money from deceiving click regions. \_ the monkey wants to be clicked |
2008/2/15-18 [Computer/SW/Security, Computer/SW/Virus] UID:49158 Activity:nil |
2/15 Digital photo frames carry viruses: http://preview.tinyurl.com/2w6uc9 (sfgate.com) |
2008/1/30-2/2 [Recreation/Computer/Games, Computer/SW/Security] UID:49034 Activity:moderate |
1/30 One of my friend in china is asking me to sign up a world of warcarft account for him. I am not too familiar with this game, I am going to buy the game from Amazon, and use the CD-key to sign up an account. Do I need to tie my credit card with the account? Since the online game is fee based, I'd imagine I need a credit to get this to work, if so, then I'll tell him I can't do it. If I don't need a credit card, then I will do it. Does anyone on the motd play this game? Can you enlighten me? Thanks! \_ Friends don't let friends play the World of Warcraft. Mothers Against World of Warcraft. \_ Is this guy a "friend" or an actual friend? \_ Tell him you can't and let him figure out if you're wrong. \_ Sometimes these games allow you to buy a monthly usage card online but I don't know if warcraft requires a cc for signup or has the monthly thing. I don't understand why your friend can't just sign themself up? \_ He claims that he's in China and he can't sign up. How do I prove he's wrong? \_ 1.5 Chinese World of Warcrack players? \_ Go to China and sign up. \_ Remote-Desktop into your friend's machine in China, and sign up. \_ He can't sign up for US servers, only on Chinese WoW servers. There's millions more WoW players in asia than there are in the US, but they are all on asian WoW servers. \_ It's true. If you are a good friend, don't help him to play WoW in any way. \_ he probably wants you tot get a US version of the game so that he can get access to US servers. The Chinese version will send him to chinese servers. His play experience will likely suck due to more lag, but whatever. If he plans to go into gold farming there might be more market for his 'product' than if he were on a china server -- however that's against the game's ToS. Anyway, you can buy the boxed game and send it over. If you try to install and sign in, it will either ask for gamecard or credit card info to get the WoW account started. I'd recommend not taking that step. 
-ERic \_ He might also be trying to make a conduit account. I don't play WoW, but my understanding is that the Chinese gold farmers need dealers (conduits) on the US side to deliver their wares. \_ they have plenty of hacked accounts to do this with. \_ I can think of a host of reasons why a Chinese person might want an account on US servers -- most of them involving some form of ToS violation -- but there are a few legitimate ones. Maybe he wants to play with US friends/acquaintances. I'm willing to give them the benefit of the doubt. However, whatever you do don't log into the US game (sign up the account) with your own user information and/or credit card if you plan on handing the account over. This makes YOU the 'customer of record' -- the owner of the account, responsible for whatever mischief your Chinese "friend" wants to commit with it. -ERic \_ that's like trying to legitimize one's use of bittorrent because one uses it to download Linux ISOs, when the reality is most of one's use is really restricted-copyright mp3s and videos. Most likely the intended use of this cross-region WoW account is illegitimate. Gold farming, selling gold taken from hacked WoW accounts, etc... \_ Very helpful replies. Thanks everyone! I am going to just say no. ;) |
2008/1/25-2/2 [Computer/SW/Security] UID:49013 Activity:nil |
1/25 Societe Generale uncovers massive fraud - Yahoo! News: http://www.csua.org/u/kkq After reading the whole article, I still don't understand how the fraud worked. \_ You mean you're supposed to understand anything by reading Yahoo! News? \_ It's an AP story. |
2008/1/21-31 [Computer/SW/Security] UID:48980 Activity:nil |
1/21 I'm trying to set up Thunderbird at work with Gmail via IMAP. There is a proxy at work such that if I want to view a web page using Firefox or IE, it prompts me for my network login and password before it lets me onto the web. When I try to get my mail in Thunderbird, it won't connect to the server. I already tried setting the config option to tell it the proxy server address and port number. But it still won't connect. What can I do to get this to work, or is it possible that they have it set up at work that no matter what I do, it won't work? \_ It is likely that your firewall doesn't allow outbound traffic on the IMAP ports. You might be able to SSH tunnel it from soda. -tom \_ ssh is also blocked at work. I guess I'm out of luck? -op \_ Try corkscrew. http://www.agroman.net/corkscrew You'll need to run a sshd on port 443 in most cases, though. \_ Getting a router that can run dd-wrt or some other firmware is a relatively easy way to get the sshd if you don't want to leave your computer on all day. \_ Maybe this is a sign you should quit your job at the Kremlin. |
2007/12/4-7 [Computer/SW/Security] UID:48744 Activity:low |
12/4 Dunno if this is common knowledge ... msft wireless peripheral crypto cracked ... --psb http://www.theregister.co.uk/2007/12/03/wireless_keyboard_crypto_cracked \_ a one byte pad hardly counts as crypto \_ I guess this doesn't work for the Xbox 360 controllers. \_ I don't get it, Bluetooth isn't secure either, is it? |
2007/11/20-26 [Computer/SW/Security] UID:48667 Activity:nil |
11/20 Okay, password login failed for me again. How do I set up my soda acct so that I can login using SSL public key? \_ One tutorial here: http://www.modwest.com/help/kb20-90.html \_ I can't get it working from that. Either putty won't load the key generated on soda, or soda rejects my key generated from putty. Has anyone done this with putty on windows? \_ You need to import the key you got from soda, into Puttygen on the windows side, then use the resulting key. \_ Excellent, that did it. Thanks very much. -op \_ Condensed into step-by-step here: /tmp/publickey_putty_instruct Please feel free to correct/distribute. --erikred |
2007/11/18-21 [Computer/SW/Security] UID:48654 Activity:nil |
11/17 I need a wiki package that uses sqlite, and lets me give out username/passwords to limit editing and viewing access to certain sections. Any suggestions? Thanks. \_ http://wikimatrix.org |
2007/10/18-20 [Computer/SW/Security] UID:48376 Activity:kinda low |
10/18 Subversion woes. We want to be able to go to other developers' directories and type "svn status -q" to automate scripts. Now when I do something like this: user1@:~user2/dev/blah> svn status svn: Can't open '.svn/blah/_file.tmpl.tmp': Permission denied However there is no file named _file.* anywhere! What's going on? \_ it's trying to create a temp file in a directory where you don't have write access. -tom \_ Use svn, save a ausman today! \_ Use svn, save a german shepherd today! |
2007/10/7 [Computer/SW/Security, Recreation/Humor] UID:48254 Activity:nil 50%like:48227 |
10/3 Is that a Real Doll? Wow! So real! http://www.youporn.com/watch/13668 \_ Another one: http://www.youporn.com/watch/212 \_ It'd be more real if the skin is not as glossy. \_ HA! Funny how he pulled out and squirted on his left hand so that he wouldn't have to clean up the doll. Now in real sex... Oh well, I guess it's better than no sex. |
2007/9/27-10/2 [Computer/SW/Security] UID:48199 Activity:nil |
9/27 Does anyone have experiences with OpenId and/or TypeKey as to minimize the effort spent on your web app authentication? How easy is it to integrate these 3rd party components into your web apps? |
2007/9/3 [Computer/SW/P2P, Computer/SW/Security, Computer/SW/Unix] UID:47877 Activity:nil |
9/3 So I was watching the Today Show this morning and in the crowd of jackasses trying to get on TV, some dude kept emphatically showing a home made sign that simply said, "lemonparty.org." None the wiser, I fired up my laptop, curious as to what could possibly be at http://lemonparty.org. I wondered why he was smiling so mischievously, shaking his sign in the air each time the camera had him in the frame. Could it be some family reunion site? A wedding announcement? A site devoted to lovers of lemons? Oh no, I would not be so lucky. No sir -- or ma'am -- it was a photograph of three geriatric men engaged in very passionate adult loving. And by loving, I mean a good old fashioned three-way. Of course, I couldn't let it go at this. I had to find out more about http://lemonparty.org, as it seemed like an inside joke to which I was not privy. A friendly google search yielded several results, all informing me that http://lemonparty.org is supposedly a shock site, in the ranks of loopback.jpg, http://tubgirl.com and goatse.cx. Now, I'm not sure if the shock value of http://lemonparty.org packs the same punch as the aforementioned peers, but I can only imagine a suburban housewife or lonely grandpa typing the web site in as I did, because, well, they too had nothing better to do. So why am I sharing this? I honestly don't know, other than I needed to purge my conscience. I think this was either one of the most wonderfully subversive things I've seen on TV in a long time, or one of the more disturbing ones (although I doubt there are many young kids watching the Today show on Labor Day). But, hey, old guys need to get it on, too, I suppose; so lemonparty indeed! \_ Yucks! It's amazing enough that that guy can get it up. |
2007/8/28 [Computer/SW/Security, Computer/SW/OS/Windows] UID:47776 Activity:moderate |
8/27 google QA automation stuff, can someone view these videos and tell me if they're worth watching? thanks. http://www.youtube.com/view_play_list?p=7D3E685B59779C16 |
2007/8/24 [Computer/SW/Security, Computer/SW/Unix] UID:47749 Activity:high |
8/24 Anybody experiencing login authentication problems? I cannot login using my login and passwd thru ssh on the SECOND attempt and on: i.e., when I do ssh csua, it works once, but not afterwards. Then when I do ssh http://csua.berkeley.edu, it works once, but not afterwards. I can STILL login when I use a machine that uses ssh authorized public keys (with the ssh passwd), but not the unix login/passwd. After I login, when I do a passwd, I get the *new* LDAP passwd prompt that allows me to change the passwd, but only once. After that, I can no longer access that LDAP prompt (seems like the LDAP server is rejecting any requests from a particular host after first attempt), but instead I get the *old* unix passwd change prompt that won't take *any* of my passwds: (current) UNIX password: passwd: Authentication failure passwd: password unchanged After about an hour, if I do passwd, I get the new LDAP prompt again-- but only once again. Basically the LDAP prompt comes back in about once every hour. If an admin is reading this please help. Seems like the LDAP server is down and/or unix passwd is out of sync. Thanks. --pchen |
2007/8/24 [Computer/SW/Security, Computer/SW/Unix] UID:47748 Activity:nil |
8/24 Anybody experiencing login authentication problems? I cannot login with unix passwd thru ssh, although I was able to login using my ssh auth keys/cert. Then when I type passwd to change the passwd, I'm getting an LDAP passwd change prompt--but only once: if I type passwd again, I get the Unix passwd change prompt. In any case, it won't accept my old passwd nor allow me to change the passwd. What's going on? Also mail is not working (nothing sent nor received). I emailed root and get no response yet. If an admin is reading this please help. Thanks. -pchen |
2007/8/18-20 [Computer/SW/Unix, Computer/SW/Security] UID:47652 Activity:kinda low 80%like:47603 |
8/17 hey root you wanna restore /csua/bin/mtd one day? \_ did you mail root about it? \_ do you really have to mail root when all of /csua/bin/ disappears? \_ empirical evidence would say, "yes, you do". -!root \_ yeah. |
2007/8/16-22 [Computer/SW/Security, Computer/HW/Drives] UID:47623 Activity:kinda low |
8/20 I am looking for a personal NAS... you know, a large intestinal harddrive that I can access data from everywhere. Ideally, I want to be able to set it up so it streams mp3 music as well, any recommendations? \_ USB 2.0 or GigE? \_ thinking about connecting the harddrive to my router, and being able to access it outside the LAN. \_ I hear 'mediatomb' might be what you're looking for. \_ how's it supposed to deal with access control? Or is it just going to be another open WAREZ site? \_ http://www.archive.org/web/petabox.php \_ apache + basic auth + hard drive? \_ "intestinal"? |
2007/8/13 [Computer/SW/Unix, Computer/SW/Security] UID:47605 Activity:nil |
8/13 hey root would you engage in scrotal inflation? thanks \_ Have you emailed root? Because the motd.public isn't the preferred contact method. \_ I did. \_ Hey root, i think Spamassassin is dead too. \_ I think root is too busy leveling in WoW. |
2007/8/13 [Computer/SW/Unix, Computer/SW/Security] UID:47603 Activity:kinda low 66%like:47566 80%like:47652 |
8/13 hey root would you restore /csua/bin/mtd ? thanks. \_ Have you emailed root? Because the motd.public isn't the preferred contact method. \_ I did. \_ Hey root, i think Spamassassin is dead too. \_ I think root is too busy leveling in WoW. |
2007/8/11-15 [Computer/SW/Security] UID:47589 Activity:nil |
8/11 TSA can't find a guy who bypassed security checks: http://urltea.com/174l (usatoday.com) |
2007/8/6-22 [Computer/SW/Security] UID:47541 Activity:nil |
8/6 Another entry for the "no duh" department: "WASHINGTON (AFP) - The US government cannot account for more than half of all small arms given to Iraqis in the hope of bolstering their security forces, raising fears the weapons may have found their way to insurgent groups, according to a new congressional probe." |
2007/7/14-16 [Computer/SW/Security, Reference/Law/Court] UID:47292 Activity:nil |
7/13 Another good Conservative railroaded by Fitzgerald: http://www.freerepublic.com/focus/f-chat/1865420/posts |
2007/7/8-10 [Computer/SW/Security] UID:47225 Activity:nil |
7/8 Those employed by the oil industry had more children than any other industry, while those employed in journalism and hotel service had the lowest. http://neuropolitics.org |
2007/6/21-24 [Politics/Domestic/HateGroups, Computer/SW/Security] UID:47033 Activity:nil |
6/21 Powell was threatened by the KKK to not run for presidency. Did Obama receive such a threat also? \_ He was the first candidate to be assigned a secret service detail. Glean from that what you will. \_ We don't threaten nobody but we support all Republicans -kkk \_ Well, a candidate must request secret service protection. So, he asked for it. There may or may not be a good reason for that. \_ I think the above statement is incorrect. \_ Hillary, as First Lady, has had it since 1992. |
2007/6/8-11 [Computer/SW/Security, Computer/SW/Unix] UID:46892 Activity:low |
6/8 I was talking to an acquaintance who said that his workplace was slowly evolving to a stated goal of taking superuser privileges away from the sysadmins in an effort to maintain a strict CM and, I assume in some way, lower costs - possibly by hiring trained monkeys to deploy pre-built images. I am curious what the IT theories are behind this. Is this a crackpot method of system management or is there some established theory behind this? Has anyone else seen this happen at their work? What were the results? My kneejerk reaction is that this is a Very Bad Thing, but maybe there's something to it. \_ Depends. Are they mostly Windows? Mostly UNIX? Who still has superuser access? Are they highly responsive? It can be made to work. But unless it's driven by competent IT management, it could be LOTS o' PAIN \_ All UNIX. I assume the idea is that if a change needs to be made then it is rolled out from some central server somewhere and no admins ever touch the individual workstations for any reason except perhaps hardware failure. \_ CM? \_ configuration management \_ No, this is in keeping with Best Practices surrounding security, especially the notion of "least privilege" which is to say that people should have the permissions they need to do their job and no more. I personally think this is fine, but only works after an organization reaches a certain maturity and size. You need at least enough people so that you can have an on-call page rotation for the "root" team and another one for the "admin" team. Email if you want to talk about this some more this is something I have thought about quite a bit. -ausman http://en.wikipedia.org/wiki/Principle_of_least_privilege http://www.csua.org/u/ivq (Forrester Research) |
2007/5/31-6/4 [Computer/SW/Security] UID:46802 Activity:nil |
5/31 PHP-related question: a web app I'm using recently moved from CRYPT_STD_DES to CRYPT_MD5 for password hashing. On the off chance anyone's faced a similar problem (I am having trouble getting a reply from the developers), am I missing something fundamental or am I just fucked if I want to migrate my existing userbase without having to reset their passwords? -John \_ Can you provide auth'ing off of DES while re-encrypting and storing the new MD5? \_ Don't think so. It looks to me like this was just kind of a planning fuckup. :-( -John \_ I was going to suggest the same as the above person. It is "the standard" way of dealing with this. If you can't do that and apparently don't have access to the source, you're hosed. Sorry. Maybe you can redirect them to some other page you do have control of and rewrite their passwords from there. |
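The "authenticate off the old hash, then re-hash with the new scheme and store that" approach the replies above suggest, as an added example that is not part of the original thread or of the web app John is using. The thread's app moved from crypt(3) CRYPT_STD_DES to CRYPT_MD5; the technique does not depend on the two hash functions, so this example models the legacy scheme with an assumed stand-in (salted SHA-1, used here only as the "old" format, not DES crypt) and upgrades straight to PBKDF2-HMAC-SHA256, which goes beyond the thread's MD5 target to what a migration today should aim for. The prefixes "$old$" and "$pbkdf2$", the UserStore class and the constructed user row are assumptions that mimic crypt's "$1$" convention so that each stored string identifies its own scheme.

```python
"""Transparent password-hash upgrade on login (added example, not the app's code)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

LEGACY_PREFIX = "$old$"      # assumed tag for the scheme being retired
CURRENT_PREFIX = "$pbkdf2$"  # assumed tag for the scheme we migrate to
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str, salt: str) -> str:
    """Stand-in for the legacy scheme (NOT DES crypt): salted SHA-1."""
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return f"{LEGACY_PREFIX}{salt}${digest}"


def current_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Target scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{CURRENT_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_hash(password: str, stored: str) -> bool:
    """Dispatch on the stored prefix and compare in constant time."""
    if stored.startswith(LEGACY_PREFIX):
        salt = stored[len(LEGACY_PREFIX):].split("$", 1)[0]
        return hmac.compare_digest(legacy_hash(password, salt), stored)
    if stored.startswith(CURRENT_PREFIX):
        iters, salt_hex, dk_hex = stored[len(CURRENT_PREFIX):].split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: fail closed, never fall back to cleartext


class UserStore:
    """Minimal in-memory user table standing in for the app's database."""

    def __init__(self, rows: Dict[str, str]):
        self.rows = dict(rows)

    def login(self, username: str, password: str) -> bool:
        stored = self.rows.get(username)
        if stored is None:
            # Hash anyway so an unknown user costs about the same as a wrong password.
            current_hash(password)
            return False
        if not verify_hash(password, stored):
            return False
        # Login is the only moment we hold a cleartext we know is correct:
        # re-hash with the current scheme and overwrite the legacy record.
        if not stored.startswith(CURRENT_PREFIX):
            self.rows[username] = current_hash(password)
        return True

    def scheme(self, username: str) -> str:
        """Which format a user's record is in; drives the post-migration cleanup."""
        return "current" if self.rows[username].startswith(CURRENT_PREFIX) else "legacy"


if __name__ == "__main__":
    # Constructed sample row: one user whose hash still uses the legacy scheme.
    store = UserStore({"john": legacy_hash("correct horse", "ab")})
    print(store.scheme("john"), store.login("john", "correct horse"), store.scheme("john"))
```

Users who never log in keep their legacy hash forever, so the migration needs a cutoff: after a few months, count rows whose scheme() is still "legacy" and force a reset for those. Dropping in the real crypt() calls for legacy_hash and verify_hash keeps the same flow; the prefix dispatch is exactly how crypt(3) itself tells "$1$" MD5 strings apart from 13-character DES ones.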
2007/5/25-28 [Computer/SW/Security] UID:46754 Activity:nil |
5/25 I would like to write a script to login to a windows machine remotely and start a simulation (basically a poor man's version of a Windows Beowulf cluster). The simplest way to do this seems to be to run sshd on cygwin. Are there better ways? (Obviously, one better way would be to install LINUX, but that isn't possible in the near term). Thanks. \_ There are some OpenSSH implementations for Windows you can install without the full cygwin implementation. \_ Can you list some? Thanks. \_ copSSH works well for me. -!pp \_ What is the advantage of copSSH over cygwin+sshd? From the (brief) webpage for copSSH it sounds like it is cygwin+sshd. |
2007/5/11-14 [Computer/SW/Security, Computer/SW/OS/Windows] UID:46589 Activity:nil |
5/11 Hackers use Windows Update to reliably download their malicious code: http://preview.tinyurl.com/2dorvr (computerworld.com) |
2007/4/30-5/4 [Computer/SW/Security] UID:46482 Activity:nil |
4/30 Can someone recommend a website that provides the same service as cafepress, with custom t-shirt designs, but that does not censor? I want to make shirts that I know would get censored at cafepress, based on past bad experiences with them. |
2007/4/13 [Computer/SW/Languages, Computer/SW/Security, Computer/SW/Unix] UID:46294 Activity:nil |
4/13 Can someone w/ root fix this: $ ls -l /dev/null crw------- 1 root csua 1, 3 2007-01-25 19:41 /dev/null |
2007/4/9-10 [Computer/Networking, Computer/SW/Security] UID:46239 Activity:nil 66%like:46247 |
4/9 Free W-Fi on Transbay buses: http://www.actransit.org/news/articledetail.wu?articleid=ae8a49cd |
2007/3/31-4/6 [Reference/Law/Court, Computer/SW/Security] UID:46167 Activity:nil |
3/31 Anti-plagiarism service sued for copyright infringement: http://urltea.com/321 (washingtonpost.com) \- hello if you are interested ... really interested ... I have put the complaint at: http://home.lbl.gov:8080/~psb/Ephemeral/TurnItIn-complaint.pdf \_ Thanks. \_ Am I the only one who really doesn't like TurnItIn but really hope they win because of what it might mean for fair use rights? |
2007/3/28-31 [Computer/SW/Security, Computer/SW/Unix] UID:46132 Activity:nil |
3/28 What controls the order of files in regards to which file is displayed as the root file of a webpage? Specifically, I have to have a index.php in my root directory, but I want my webpage to display home.php. How can I do this? Thanks. \_ Just figured it out myself, using .htaccess! -op |
2007/3/23-27 [Computer/SW/Security, Computer/SW/Unix] UID:46068 Activity:nil |
3/23 hey root can you turn 'PINGS' to soda.csua back on? thanks \_ Hey, root, can you disable this h0zer's motd-editing cron-job pls? \_ and what's up with crippling traceroute? It needs setuid to function. > traceroute scotch traceroute: icmp socket: Operation not permitted |
2007/3/13-14 [Computer/SW/Security] UID:45950 Activity:nil |
3/13 OpenSSH 4.6 is out: http://undeadly.org/cgi?action=article&sid=20070308183425 Portable Version: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.6p1.tar.gz OpenBSD Version: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.6.tar.gz |
2007/3/4-6 [Computer/SW/Security] UID:45863 Activity:nil |
3/3 What is the cheapest option for internet access for my parents who just need to do some email a couple of hours a week and nominal amounts of web browsing? Some kind of dialup service? They have a mac, in case that makes a difference, and live in the South Bay. Fast access at $30-$50/mo, not worth it for them, especially since they travel for months at a time. \_ Jyno has $9.95/mo dialup, but for just $3/mo more you can get a fractional DSL line from http://Sonic.net. Actually, I see these same prices from dslextreme, my current DSL provider, though to get that dial-up price, you have to buy a whole year. |
2007/3/2 [Computer/SW/Security] UID:45856 Activity:nil |
3/2 Paypal has a new security key: http://preview.tinyurl.com/ytr6zn (consumerist.com) |
2007/2/25-3/1 [Computer/SW/Security, Computer/HW/Drives] UID:45817 Activity:nil |
2/25 The top page of Fry's Electronic's (outpost) no longer shows the [Retail] Store Locator. Are they getting rid of the stores? \_ I doubt it: http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/02-05-2007/0004520005&EDATE= http://preview.tinyurl.com/ysdl54 (prnewswire.com) |
2007/2/20-22 [Computer/SW/WWW/Server, Computer/SW/Security] UID:45782 Activity:high |
2/20 Any recommendations on a cheap/easy-to-use digital signature system? \- i dunno exactly what you are looking for or what the status of this project is, but if the obvious [gnupg] wont do, you can google for AKENTI. --psb \_ What do you want exactly? A toolkit for digitally signing various files? OpenSSL is free. It is, however, a pain in the ass to use, but, once you know what you want to do with it, you probably won't ever have to figure it out again. -dans \_ Mostly documents that are federally mandated in the development process of medical software. The team is somewhat distributed, so I was hoping for something fairly easy to use. Years ago I'd have used PGP, but I don't know how things have progressed and what a good (preferably open) system is. \_ GnuPG is fairly easy to use and it's free. Many commercial apps use it for digital signatures: http://gnupg.org \_ Yeah, I pretty much agree. If price is the key, find a decent frontend to gnupg and tweak it to fit your needs. If usability is key, it's worth buying a copy of PGP. Both support the OpenPGP standard. OpenSSL is too low level for what you want. -dans \_ GnuPG seems to be the way to go. I've got everything figured out except verifying signatures. Thanks for the advice. -op \_ This is from memory, not the man page, but I think it was something like gpg --verify. Or are you trying to do something more complicated? -dans \_ You're right that --verify is the command line solution, but I was going for something in a GUI. It turns out that GPGee (Win Explorer extension) has that ability, and works great. Thanks again. -op |
2007/2/18-23 [Computer/SW/Security, Consumer/TV] UID:45771 Activity:nil |
2/18 I have a Tivo. I don't have service. I'm not going to get service. What is cool that I can do with the Tivo? \_ eat it? \_ prop open doors? |
2007/2/17 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:45765 Activity:nil |
2/17 http://www.foxnews.com/story/0,2933,252541,00.html Mormon University says YouCant to YouTube. |
2007/2/13-17 [Computer/SW/Security, Computer/SW/WWW/Server] UID:45734 Activity:nil |
2/13 The personal webpages are now up \_ Ming-Hay \_ Thanks. Something seems a little messed up w/ the server config. The front page produces a server error for me, and the server is returning lists of files rather than index.html for directories. \_ Agreed, things are fubar. I've written/tweaked/debugged an Apache config or twenty in my day so I'd be happy to look things over and help out, just ask. That said, I'm shockingly busy at the moment, so I may not be the quickest source of help. You may want to turn personal public_html directories off until you fix this as the current config does leak information, which has (IMO, minor) security implications. If you're a soda user, you can prevent people from browsing your public_html directories over the web until this is fixed with the following: chmod og-r ~/public_html -dans |
2007/1/28-2/1 [Computer/SW/Security, Computer/SW/Unix] UID:45607 Activity:moderate |
1/28 Where does inbound mail get spooled now? I had no problem moving my old spool to /var/mail/$USER, but where is the new mail spooling? (Yes, I read soda-changes.) Nothing is ending up in /var/mail/$USER/new. Should it be? \_ Do you have .procmailrc setup? If so, I needed to add an additional rule at the end (after setting up the DEFAULT=/var/mail/$USER): :0: $DEFAULT If I didn't do that, my mail just shows up as a single "msg.xxx" in the /var/mail/$USER directory. \_ nope, it's on a different server normal people don't have access to. it's called 'separation of services'. The next time someone breaks into http://soda.csua.berkeley.edu, mail will continue to be delivered since they can't break into the machine that is handling delivery of email. Were you in CS? Do you remember how all the instructional machines didn't store your email on your local machine? Same theory. \_ So I have to use IMAP or POP now? Is that right? I used to use UCB mail. \_ It certainly wasn't stored *locally* on every machine, but it was available via NFS on instructional machines. It looks to me like it /should/ be showing up on soda. I presume 'mead-mail' is where it's getting delivered-to on mead anyways. lrwxrwxrwx 1 root root 22 2007-01-24 00:58 /var/mail -> /mnt/oh/0X0-mead-mail/ \_ Absent procmail interference, mail should spool to the Maildir under /var/mail/$USER. If that's not happening for you, something is wrong. |
2007/1/26-30 [Computer/SW/Security, Computer/SW/Unix] UID:45598 Activity:nil |
1/26 Thanks root people! \_ Many thanks! |
2007/1/18-25 [Computer/SW/Security] UID:45558 Activity:nil |
1/18 Are the accounts on soda reactivated? Looks like ssh is up, but I don't know if it's me not remembering the password I set it to after the last reactivation or if accounts aren't activated. \_ So you just typed your password (maybe several of them) into a box that might or might not actually be soda? \_ People should really use DSA public-key auth. It saves typing in passwords and prevents situations like what you described. \_ heh heh. heh heh. all your passwords are belong to us. \_ I did the same thing but since I don't remember my password anyway, "they" are welcome to hack away at whatever random stuff I was trying. :) \_ Soda is up for root and politburo login right now, but not yet for general login. Hopefully it will be up for general login soon, sorry about it taking so long. -mrauser \_ Thank you for your efforts. --erikred \_ Concur! Many thanks! --dim |
2006/12/29-30 [Computer/SW/Security, Academia/Berkeley/CSUA/Motd] UID:45510 Activity:high |
12/29 There have been a lot of complaints regarding soda reliability and users not volunteering their time and effort to help. Obviously, it wouldn't make sense for every user to be given root access so they can volunteer. Instead, why don't we use motd for people to contribute concrete suggestions (not just to start flame wars) to improve soda reliability and security? I'll start: - Tripwire - Maybe going back to a *BSD - Sendmail is complicated and filled with holes. Why not use an alternative MTA? \_ Also, there used to be this message "Last logged in from..." I used to look at to see where my account was last used. \_ From being a part of the new-rebuild considerations, yes, no, and yes. --michener \_ Run soda in a virtual machine. |
2006/12/28-30 [Computer/SW/Security] UID:45508 Activity:insanely high |
12/28 Soda will be down tomorrow December 29, 2006 for maintenance service. We hope to keep the downtime as short as possible. - minghay (CSUA President) \_ You hozer. What about my screen uptime and low pty IDs? - jvarga \_ You mean like less than 3 weeks this time? \_ Hey, shut yer trap. This machine is run by volunteers. If you want to put time into it then step up. I don't volunteer but I don't bitch at the people who do. I appreciate their efforts and donation of their time to a shared resource. \_ I dropped by the office relatively early in the downtime. No one with root was around any time that day (I was there for like 4 hours). Mconst dropped in a bit later to check in as well, but he had only limited access (soda root, but not keg, etc). A few years ago, pburo nuked a number of people from their root access. I said then it was a bad idea. If current pburo wants to rectify that and increase their root-base, I say more power to them. And I'd be glad to volunteer. --scotsman \_ Having a shorter list of volunteers is obviously going to limit how much time is available to take care of soda. My gripe with the person above is that they're bitching out (however many) people there are to take care of things, all of whom are volunteers. It's a free service, the price is right, I'm happy that other people have maintained it all these years with no expense to myself and I appreciate those efforts. When things go bad it is frustrating but I don't feel I'm owed anything by any of them. \_ Exchange of money is not the only way to establish responsibility. \_ Money? What? Who said money? The people running this machine are donating their time. That is what the word "volunteer" means. It certainly isn't worth anything on a resume. What are you talking about? \_ You're reading the above comment wrongly. The fact that someone is a volunteer doesn't absolve them of responsibility to do what they've volunteered to do; quite the opposite. 
A lame-ass is a lame-ass whether he's being paid or not. -tom \_ They're not absolved but if you don't like the quality and performance provided by other volunteers you have two real choices: shut up and acknowledge whatever little you're getting is for nothing in return or volunteer to do it yourself and do a better job. Bitching them out without volunteering doesn't improve the situation. It only makes it worse. I shouldn't have to explain why. \_ As I said above, pburo.past nuked the volunteers. pburo.current, if they want/need the volunteers, would have them if they say so. Get on wall, guys. Ask. \_ Volunteer. Send a note to pburo asking what they need help with. If you did and they ignored it or said they don't need any help then that's that on the volunteer front. \_ So what do we need to do in order to get root? (Other than, obviously, hack in like everyone else.) \- you know, sloda has always been run by volunteers and by any measure the current incarnation should be a lot less work than the apollo, sequent, vax etc days. i could be wrong, but i dont think it's ever been down for as long as it was ~1 mo ago. i think people have been tremendously appreciative of mr jvarga... and if that appreciation hasnt extended to the pburo at large, my personal perception is there appears reasonable basis for that differentiation. \_ My gut feeling is that Cal students today are not nearly as Unix proficient as they were back in the days. Most donations come in the form of Windows boxes and students today could care less about Unix. So these "soda volunteers" are really just alumni and not the current breed. \_ Whoever the volunteers are, they are still freely providing service to the community with zero compensation and a lot of flack for the times things aren't perfect. As far as proficiency goes, *nix is a lot easier now than "back in the day" so uber m@d sk1llz are no longer required to get class work or anything else done on a *nix box. 
This is just the nature of technology. I'll bet the average teen/college boy in the 50s knew a hell of a lot more about his car than *anyone* on soda/csua does today. That isn't necessarily a bad thing. \- my point is that maintenance should take less time, e.g in the age of cheap disks, a machine that doesnt have to be racked up in a machine room, standardized buses etc. anyway, this seems to me to be mostly a leadership failure not a technical matter ... e.g. it's not mostly a failure of knowledge, but of decisionmaking, communication etc. \_ However, those of us who have been around dealt with the same difficulties and complaints when we were in pburo/on root. And I can safely say we never had a month long outage. If you don't want to/can't actually provide the service, scrap it. We'll survive... But IMO, and IME, having the alumni around and happy is a good thing for those who want the professional networking opportunities and knowledgebase that comes with them. \_ http://csua.com/?entry=45397 "I'm willing to wager $100 that Soda will be up for another 3 months or less before it is completely down for at least 3 days again." We'll see how long soda is down this time. \_ Are you helping with this maintenance to help make sure things go smoothly or just bitching from the sidelines? \_ A quick update from the ex-pres, secretary, and one of the few UGs with any *nix-fu. (whoever said that it's starting to be lacking is spot on). I have good news, and the good news is that our new VP doesn't suck. He rules. He's def. reading rootmail (something Ed never did), has a *lot* of Debian knowledge and experience, and is preparing to, you know, GET SHIT DONE. As a volunteer. Which is awesome. And something that Ed never did (this from being president over him). 
Right now, the holdup is that apparently there's no cardkey access for the moment but hopefully within a day or two, there will be much tinkering. I think (and hope) y'all will see the difference :) Take heart sodans! --michener \- lack of cardkey access never stopped us in the old days ... "oh look, the door is open". :-) |
2006/12/2-8 [Computer/SW/Security, Computer/Networking] UID:45410 Activity:low |
12/2 I have only two internet choices-- Verizon and Time Warner Cable. I've tried Verizon's 3Mbps/512Kbps service with 12 month commitment. In practice I only get 2.2Mbps/225Kbps and Verizon is unable to bump up the speed saying that they're unable to guarantee speed due to distance and whatever bullshit they said. Now that my 12 month commitment is up, I'm trying out Time Warner. I subscribed to their 10Mbps/512Kbps service which costs slightly more than their 6Mbps/512Kbps tier. Again, in practice, I'm only getting 3.5Mbps/200Kbps which is LESS THAN HALF of what they promised. Once again, they're giving me bullshit about distance and how they don't guarantee speed. Anyone have similar problems with their providers? \_ Wah, wah. Cry me a river. The service is cheap because it's consumer grade. If you want an SLA, get a real connection. And if your Verizon service is DSL, what they're telling you about distance isn't bullshit. Distance from the local CO dictates a physical limit to the maximum speed your DSL line can run at. If you can get DSL service from Speakeasy, consider it. Speakeasy can't rewrite the laws of physics, and their consumer plans still won't have an SLA, but, in my experience, they are a cut above all the other DSL/Cable providers. How are you measuring your line speed, anyway? It's actually really hard to do this accurately, and I have yet to see a point and click web tool for testing speed that does so. -dans |
2006/11/30-12/8 [Computer/SW/Security, Computer/SW/Unix] UID:45402 Activity:nil |
11/29 Pathetic Google engineers: http://valleywag.com/tech/revisit/man-in-google-lap-pool-217775.php http://www.valleywag.com/tech/dating/another-chance-to-crash-googles-holiday-party-217736.php |
2006/11/21-12/30 [Computer/SW/Security, Computer/SW/Unix] UID:45359 Activity:nil |
11/21 Bad stuff happened. Root is working on restoring all services to normal. Please email root if something is not installed or is on the fritz[0rz] (according to michener). - jvarga \_ How would we be able to tell? Logins are still disabled, according to someone named "jvarga"... (2006-11-22 07:30) \_ You have to be THIS tall to enter... \_ Please email activate@csua.berkeley.edu to get your account reactivated. |
2006/11/8-9 [Computer/SW/Security] UID:45263 Activity:nil |
11/8 OpenSSH 4.5 is out: http://www.openssh.org/txt/release-4.5 ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.5.tar.gz ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.5p1.tar.gz |
2006/10/31-11/1 [Computer/SW/Security, Computer/SW/Languages/Java] UID:45045 Activity:moderate |
10/31 Mainframes are back! http://www.cnn.com/2006/TECH/biztech/10/30/reviving.mainframes.ap \_ Mainframes never left. \_ There are big differences between 1) X is here, 2) X is coming back, and 3) X left. Fucking dumb shit, how did you even get into Cal? \_ I didn't get into Cal. I dropped out of college so I could spend more time on the motd and wall hanging out with smart people like you hoping one day I can learn to comprehend English as well as you. No, wait, you are a babbling fool who wrote something completely off topic and non-responsive because you can't understand basic English. \_ Bwaaahhhhhhh!!1! You are teh suck!!!!1!!!!!!!!1!! \_ "The university saved money upfront by selecting a mainframe that runs at less than top capacity. Then on days when computing loads are heavier, the school can buy a short-term boost of extra processing power. Network managers call IBM, which remotely tunes the mainframe to deliver better performance." Interesting. \_ *laugh*. This is how the IBM mainframe division has always worked except in the 'old days' they sent a tech out at some outrageous hourly rate who opened the back, hit a button to turn on the extra cpus+planes+memory/etc that was already in the box. So now they just remotely login and tweak some software variable limit like "max speed = max speed + 50", logout and send a bill. This is almost as good a scam as MS making their money on CALs. |
2006/10/27-30 [Computer/SW/Security] UID:45013 Activity:low |
10/27 Anybody tried the "PDF decryptor" or "PDF password delete" type of software? I have a PDF form file that won't let me save. I'm considering getting one of those type of software to unlock the file. I really don't want to pay to try it out though. Are there free open source PDF unlock programs? Thanks. \_ I've used Elcomsoft's (of "Free Dmitry Sklyarov!" fame) PDF decryptor. Worked fine. Its legality is dubious, though. \_ How so? It's my understanding (correct me if wrong, please) that documents legitimately in your possession are covered by various fair use clauses, i.e. you're not stealing trade secrets, that sort of thing. As for pdfs, unlocking them is trivial unless they're encrypted, in which case you're SOL-- I don't know of anything that can handle this easily. -John \_ I meant the legality of obtaining Elcomsoft's eBook Processor itself, which was posted to the 'net after Sklyarov was arrested. I'm not referring to the legality of decrypting (which should be legal based on fair use rights, but OTOH there's that thing called the DMCA). And yes, Elcomsoft's program does decrypt PDFs. \_ I thought there were two kinds of pdf encryption--the access encryption and actual data encryption, and that Elcomsoft only dealt with the latter. -John |
2006/10/12-13 [Computer/SW/Unix, Computer/SW/Security] UID:44782 Activity:nil |
10/11 Star Wars characters USB thumb drives: http://tinyurl.com/kjg53 (gizmodo.com) |
2006/10/4-6 [Computer/HW/Laptop, Computer/SW/Security] UID:44664 Activity:nil |
10/4 motd routing nerds, help me out. let's say i am torrenting stuff on my laptop. I want of course my SSH connections to be responsive and fast, but the upstream torrenting gets in the way. Could i implement QOS somehow on my local machine and improve SSH? I'm running Linux. Would I have to make a virtual machine somewhere on my laptop and run QOS in that? Thanks! \_ or just use your torrent client's builtin bw limit options \_ no no you don't understand, have you ever used QOS on a router before? You can make your SSH packets have a higher priority than your web or torrent packets, reducing the latency for your ssh sessions. If you limit the upstream of your torrents... your downstream becomes slower \_ sympathy factor crashes like rock. back in my day we got 300 baud and we were glad for it! \_ if you're bottlenecked on the inbound, no amount of fiddling with your router's QoS settings is going to help. Maybe if you could fiddle with your ISP's router, but I suspect they won't be sympathetic to your torrent leeching needs. If you're bottlenecked on the outbound, limit your torrent clients' upload speeds (or play with QoS). It doesn't take backing off much to give huge improvements to ssh and/or other interactive programs. \_ get a faster pipe, whiner \_ So-called "gaming routers" can put preferences on ports. That's a quick solution. \_ Not only is this a quick solution, but an excellent solution. I bought a DLINK gaming router and never looked back. I get the best of all worlds-- filling up the pipe AND get small latency for ssh and X11 related things. \_ agree that this is one way to do it. increase priority for port 22 outgoing (router should also be smart enough to prioritize incoming packets for the session), and back off your upstream torrent cap a bit until you're satisfied. |
2006/9/27-28 [Computer/SW/OS/FreeBSD, Computer/SW/Security] UID:44580 Activity:nil |
9/27 OpenSSH 4.4 is leftist http://www.openssh.org/txt/release-4.4 OpenBSD src: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.4.tar.gz OpenBSD src signature: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.4.tar.gz.asc Portable src: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.4p1.tar.gz Portable src signature: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.4p1.tar.gz.asc |
2006/9/27-28 [Computer/Networking, Computer/SW/Security] UID:44564 Activity:low |
9/27 I'm currently using http://johncompanies.com and getting close to their 40G/month bandwidth quota. I'm already paying $47/month for 5G disk storage and 40G/month bandwidth, and while the customer service has been superb, I'm a bit budget conscious and a bit reluctant to pay $80/month to johncompanies for the next level of service. I'm also a big socialist, and I support proletarian revolution. I've been contemplating a few options. For example, maybe I can get cable modem with 768kbps uplink/upstream for $50/month, which will be adequate to serve 50-60G of content per month and has the positive side effect of having a much bigger disk storage over what I'm getting now at johncompanies. Is hosting at home a ridiculous idea or is it feasible? \_ Do you have a real server room environment? Do you have a usage agreement that allows you to fill your pipe all month long? No. \_ If you don't need a full jailed environment, JC is overkill. Just host w/ el cheapo web provider. If you need the custom env, it's probably worth the price. JC are pretty easy to talk to, though. Mail them about what you want to do and ask for suggestions. They might even refer you to someone who could better meet your needs. ("They" probably meaning "John") --dbushong \_ Do you work at or are you an affiliate of johncompanies? \_ Overkill is when you need 40G bandwidth but got 1000G. The op said he's going over the 40G bandwidth quota so his hosting choice isn't exactly "overkill". |
2006/9/25-27 [Computer/SW/Security] UID:44517 Activity:nil |
9/25 Does anyone know if there's a way for mail.app to use different connection profiles for various accounts? I have 2 imaps accounts which I need to connect to via an ssh tunnel at a client's; so normally it'd be "host.x.com:993" but I would like to switch quickly to "localhost:10993" without going through the "edit account" rigmarole...thanks for any help. -John \_ Why not just create two separate accounts and activate the one that you need. \_ Fair point, I didn't think of that, thanks. -John |
2006/9/18-20 [Computer/SW/Security, Computer/SW/Unix] UID:44435 Activity:nil |
9/18 Any reason that /dev/null is rw by root only? crw------- 1 root root 1, 3 Sep 13 12:56 /dev/null |
2006/9/16-19 [Politics/Foreign/Asia/China, Computer/SW/Apps/Media, Computer/SW/Security] UID:44403 Activity:nil |
9/15 Software in China helps w/ sentencing: http://news.com.com/2102-1012_3-6115154.html?tag=st.util.print "The software can avoid abuse of discretionary power of judges as a result of corruption or insufficient training." \_ What about the verdict part? \_ That's easy: if(political_activist || causing trouble) guilty=true; |
2006/9/15-19 [Computer/SW/Security, Computer/SW] UID:44387 Activity:nil |
9/15 Looking for recommendations (prefer Bay Area?) for ISP/company that can run a small-business web-site (products list, help pages, shopping cart) and handle their email (web-mail & IMAP access) My friend currently has a small business but is not satisfied with his current ISP/web-design firm handling his .com domain far in LA. They are slow to respond to web-site change requests, and they have dropped connections, broken shopping carts, customer complaints and slow employee web-mail access. \_ Is your friend's current company called http://dreamhost.com? Have you looked into other hosting companies like http://shopping.yahoo.com? \_ not dreamhost. Was going to look at yahoo, but i think they want their own domain |
2006/9/9-12 [Transportation/Airplane, Computer/SW/Security] UID:44330 Activity:nil |
9/9 http://www.latimes.com/news/local/la-me-baggage9sep09,0,1502706.story This is insanely stupid. All the bad guys need to do is throw kgs of TATP in the false hardsides of their luggage on several very busy buses and have them all explode at the same time on buses across the city. Let's hope L.A. people are so inherently anti-public transportation that those buses never fill. \_ uh, from a security standpoint how is this any different than checking bags at the counter? Or bringing a bomb onto any bus? -tom \_ there's no difference from a security standpoint as you've implied. however, from the standpoint of the terror impact of burning bus shells on TV, the synchronized bombings of full LAX transit buses is much more effective and obvious than (synchronized) exploding ticket counters or bus lines intended for low-income workers / students. \_ uh, whatever. -tom \_ uh, yeah |
2006/9/8-12 [Computer/SW/Unix, Computer/SW/Security, Computer/SW/WWW/Server] UID:44325 Activity:nil |
9/9 Is there a gzip-like unix command that will encrypt a file? I'm looking for something that's widely available. Thanks crypt (not very secure - DES). Or failing that, openssl or gnupg \_ openssl or gnupg... what are you looking for? Those will work fine.. \_ Thanks for the recommendations. I'm basically experimenting with a way of using my friend's computer to backup my personal files and using my computer to backup theirs. Of course, this means storing files in a way where we can't see each other's personal files. \_ I'd recommend checking out http://dar.linux.free.fr It makes the whole "backing up a bunch of files, encrypting it, and chunking it into bite-sized pieces" thing much easier than dump/tar + gzip + openssl. --dbushong \_ Oh, that is so cool. Thanks. My way was going to be much more convoluted involving ssh and a bunch of script writing. This should save some time. \_ One nice thing about using gpg (dump/tar | gpg) is you can do public key crypto and not ever have passwords stored in the script. I believe gpg also can chunk it into X byte chunks, optionally ascii armored, for emailing as well. (well, I suppose you could mime-attach it) \_ openssl bf-cbc -in file.txt -out file.txt.bfcbc # encrypt openssl bf-cbc -d -in file.txt.bfcbc -out file.txt # decrypt --dbushong \_ /usr/bin/{zip,unzip} on soda can take passwords. Don't know if they're widely available on other *nix's. |
2006/8/22-23 [Computer/SW/Security] UID:44096 Activity:high |
8/22 In Windoze XP, how can I make my service start automatically when it boots up in Safe Mode? I searched MSDN site and didn't see anything. Thanks. \_ I don't know how to do that in Windoze XP but it isn't that hard in Windows XP. \_ And that would be how? Thx. \_ Start here and you should get the right idea: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal \_ Thanks! \_ Out of curiosity, why do you need to do that? \_ I am working on a module that is a service, and I need it to be loaded even in Safe Mode so that people won't be able to bypass it by rebooting the machine in Safe Mode. \_ I sure hope there isn't a way to do what you want. If the users want to bypass your module, let them! \_ It's part of a security product, and we don't want the end user to bypass it. \_ And what stops them from booting off a USB key, CD, other hard drive, etc? \_ BIOS password. \_ Yank HD, take to another computer, etc. \_ Always true for any product that can't physically defend itself. I don't think most customers want their firewall to shoot at people. \_ http://blubbie.com/usb-nailgunner-pc-gadget.html -tom \_ There's also FS encryption. \_ Some of the firmware-level drive crypto stuff out there is pretty buff. Not failsafe, but in most cases more trouble than it's really worth. -John \_ What gives you the arrogance to think you can take over the end user's system in such a way? \_ I think he's building a security appliance not a home user software thing. \_ A security appliance running Windows? \_ RESPECT MY AUTHORITAW! \_ And suppose there is such a way. What's to stop someone from writing a malicious service that does the same thing? |
2006/8/21-24 [Computer/SW/Security] UID:44088 Activity:nil |
8/21 Apparently, you need to pay $1.00 to Direct Marketing Association to have your name taken off of the junk mailing list. When did they start charging for this? http://www.the-dma.org/cgi/offmailinglist |
2006/8/17-19 [Computer/SW/Security, Recreation/Humor] UID:44052 Activity:nil Cat_by:auto 80%like:44043 |
8/17 This is pretty funny: http://tinyurl.com/ku2mp (schneier.com/blog) -John \_ Another funny link on the same page: http://geekz.co.uk/schneierfacts |
2006/8/17 [Computer/SW/Security, Recreation/Humor] UID:44043 Activity:nil Cat_by:auto 80%like:44052 |
8/17 This is pretty funny: http://tinyurl.com/ku2mp -John |
2006/8/12-14 [Computer/SW/Security] UID:43984 Activity:nil |
8/12 Anybody know of a good backup solution for PGP encrypted disks? The way I've been backing up is to make copies of the .pgd file with dates in the filename. This method is not very scalable as my .pgd files are becoming gigabytes in size. Anybody know of an integrated solution to backups and encrypted folders/disks? OS X Leopard "time machine" backup feature looks interesting. But I don't think it works if all my files are in PGP disks/directories. Any other solutions that integrate encryption and backups? -thanks. \_ This is Windows, right? (Dunno if PGPDisk exists on another OS.) Wouldn't anything that checks to see if a drive letter is attached do the trick? Also, is this for personal backups, enterprise- level, what? -John |
2006/8/9 [Computer/Theory, Computer/SW/Security] UID:43952 Activity:nil |
8/9 Can someone update soda's ssh host keys on http://www.csua.berkeley.edu/computing/hardware I think the new keys are: RSA - 9c:a4:3a:66:23:22:b0:2f:ba:87:2a:ca:03:c5:24:b6 DSA - 93:1d:30:88:65:a5:fa:38:6f:06:a3:86:12:0d:85:8b \_ That's what you'd like us to believe. |
2006/8/7-11 [Computer/SW/Unix, Computer/SW/Security] UID:43929 Activity:nil |
8/7 hey ax watch this when you get home from work http://www.youtube.com/watch?v=f83L9iWIx54 \_ Is there a CSUA login? \_ Use http://www.bugmenot.com to find a login. \_ That was work safe in my book, but thanks for thinking of me. Has anyone one noticed any patterns concerning women who wear Bebe shirts? -ax \_ I wanna work where you work. I think there's a pattern for chicks who wear Hollister shirts. \_ one more for you link:tinyurl.com/gmaxd \_ Jesus Christ. http://i43.photobucket.com/albums/e381/oklahomaok/DSCN0419.jpg \_ That's not Jesus Christ. --Mel Gibson |
2006/8/4-6 [Computer/SW/Security] UID:43908 Activity:nil |
8/4 Has anyone used Working Assets cell phone service? is it good? \_ they are a sprint reseller. co-worker has it, likes the customer service, and web payment options, and of course there is the donation thing to progressive cause of your choice. Paper correspondence comes on all 100% recycled paper. Just under $50 for 450 minute plan after all the taxes/etc. One downside, she gets a lot of mail (snail, I think) from other progressive causes, but I think that one can opt out of that. \_ No. Yes. -proud American \_ how much for mass amounts of text messages? |
2006/8/2-6 [Computer/SW/Security] UID:43882 Activity:nil |
8/2 Does anybody have a sample of a reliable and robust /tmp cleaner which can be run out of cron? I am not sure what is a good way to make sure things that need to be persistent like ssh-agent "files" don't get deleted ... obviously I can specifically tailor it for "known knowns", but I want something conservative but also reasonable. \_ reboot? \- i'm thinking if the idea is to save space, rather than remove clutter, can add a switch to remove say +1mb files. But not sure of a good idea for the clutter problem ... maybe not descend to subdirs for some rules. \_ Yes. -proud American |
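For the cron-driven cleaner the question asks about, here is an added example (not code from the thread) of a conservative policy: it unlinks only regular files that are stale by both atime and mtime, removes a directory only once it is empty and itself stale, and never touches sockets, FIFOs, symlinks or anything under an ssh-*/screen*/tmux-*/X11 directory. The keep-pattern list and the one-week age are assumptions; demo() builds a constructed scratch tree to show what goes and what stays.

```python
#!/usr/bin/env python3
"""Conservative tmp cleaner (added example). Removes only stale regular files
and the stale directories they leave empty; everything else is kept."""
import fnmatch
import os
import shutil
import socket
import stat
import tempfile
import time

# Assumption: these directory names hold state that must survive a cleanup
# (ssh-agent, screen, tmux and X11 sockets). Add your own "known knowns".
KEEP_DIR_PATTERNS = ("ssh-*", "screen*", "tmux-*", ".X11-unix", ".ICE-unix")
DEFAULT_MAX_AGE = 7 * 24 * 3600  # one week, in seconds


def is_protected_dir(name):
    return any(fnmatch.fnmatch(name, pat) for pat in KEEP_DIR_PATTERNS)


def is_expired(st, now, max_age):
    """True only if neither access nor modification happened within max_age."""
    return (now - st.st_atime) > max_age and (now - st.st_mtime) > max_age


def _try(fn, path, dry_run):
    """Apply os.remove / os.rmdir unless dry_run; False if the path raced away."""
    if dry_run:
        return True
    try:
        fn(path)
        return True
    except OSError:
        return False


def _clean_dir(path, now, max_age, dry_run, removed, kept):
    """Clean one directory tree; return True if `path` is empty afterwards."""
    empty = True
    try:
        entries = list(os.scandir(path))
    except OSError:
        return False
    for entry in entries:
        try:
            st = entry.stat(follow_symlinks=False)  # lstat: never follow links
        except OSError:
            continue  # vanished or unreadable mid-run; leave it alone
        if stat.S_ISDIR(st.st_mode):
            if is_protected_dir(entry.name):
                kept.append(entry.path)
                empty = False
                continue
            sub_empty = _clean_dir(entry.path, now, max_age, dry_run, removed, kept)
            # st predates the recursion, so removals inside did not refresh it
            ok = sub_empty and is_expired(st, now, max_age) and _try(os.rmdir, entry.path, dry_run)
        else:
            # sockets, FIFOs, devices and symlinks fail S_ISREG and are kept
            ok = stat.S_ISREG(st.st_mode) and is_expired(st, now, max_age) \
                and _try(os.remove, entry.path, dry_run)
        if ok:
            removed.append(entry.path)
        else:
            kept.append(entry.path)
            empty = False
    return empty


def clean_tmp(root, max_age=DEFAULT_MAX_AGE, now=None, dry_run=False):
    """Clean everything under root (root itself is never removed).
    Returns (removed, kept) as sorted path lists."""
    now = time.time() if now is None else now
    removed, kept = [], []
    _clean_dir(root, now, max_age, dry_run, removed, kept)
    return sorted(removed), sorted(kept)


def demo(dry_run=False):
    """Build a constructed scratch tree, clean it, and report what happened."""
    root = tempfile.mkdtemp(prefix="tmpclean-")
    old = time.time() - 30 * 24 * 3600  # timestamps 30 days in the past

    def mkfile(rel, age=None):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write("constructed\n")
        if age is not None:
            os.utime(p, (age, age))

    mkfile("old.log", old)            # stale regular file        -> removed
    mkfile("fresh.log")               # recent regular file       -> kept
    mkfile("ssh-abc123/note", old)    # stale but under ssh-*     -> kept, dir not entered
    mkfile("build/obj.o", old)        # stale file in a stale dir -> both removed
    os.utime(os.path.join(root, "build"), (old, old))
    os.symlink("/etc/passwd", os.path.join(root, "link"))  # symlink -> kept
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(os.path.join(root, "agent.sock"))             # socket  -> kept
    os.utime(os.path.join(root, "agent.sock"), (old, old))  # even though stale
    try:
        removed, kept = clean_tmp(root, dry_run=dry_run)
        survivors = {os.path.relpath(os.path.join(d, n), root)
                     for d, ds, fs in os.walk(root) for n in ds + fs}
    finally:
        sock.close()
        shutil.rmtree(root, ignore_errors=True)
    rel = lambda paths: {os.path.relpath(p, root) for p in paths}
    return {"removed": rel(removed), "kept": rel(kept), "left_on_disk": survivors}


if __name__ == "__main__":
    for what, paths in demo().items():
        print(what, sorted(paths))
```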
2006/8/2-6 [Computer/SW/Security, Recreation/Media] UID:43863 Activity:nil |
8/2 What do you guys think about http://www.wtcmovie.com ? \_ I don't think much either way, but it's clear we're still in what I'd call "The Rambo Years" -- a very glorified version of historical events. I don't think it's outright propaganda, I think it's actually a fairly collective view the US has on 9/11. Make this movie in 10 or 20 years and it will be entirely different. I can't wait for the FMJ kind of take on it. --michener \_ who/what is FMJ ? \_ Full Metal Jacket? \_ I prefer http://www.tawnyroberts.com -proud American |
2006/7/30-8/2 [Computer/SW/Languages/Web, Computer/SW/Security] UID:43838 Activity:low |
7/28 Anyone have more info on the breakins on a bunch of Cal sites? http://www.csua.org/u/gkg -John \_ Yes. http://ls.berkeley.edu/lscr/news/2006-07-25-security-incident (The defacements were mostly one multi-homed server). -tom \_ Most kernel problems require local access to exploit. so, if not a user account then some other insecure service that can be used as a starting point. Is this the case here? Do you know/mind_telling_us the details? -crebbs \_ The machine is a web hosting server for L&S departments, where departments can install their own PHP code. There was a security hole in user-installed PHP code that got the hackers shell access, and they used a 0-day RedHat kernel priv escalation bug (SYS_PRCTL) to get root. It is worth noting that the bad PHP code was hand-written, not some package like phpBB with security holes which you can search the net for; the initial compromise seemed to have a higher degree of sophistication than is usually found in script kiddies. -tom \_ I doubt the hackers found the PHP hole the same day the Redhat bug came out. I'd bet a buck they had non-root shell access on the machine for a long time. I also suspect they had root for a while too. Or there was more than 1 set of hackers. Why would sophisticated hackers waste a quality attack on a web page defacement? I'd bet another buck they still have access to that and several other machines. \_ I can pretty closely track their root access; they did have it for over a week before it was discovered. I am pretty certain that they no longer have root access. I agree that there are likely remaining apache-level holes on the machine; it's an occupational hazard of an open PHP hosting environment. When is PHP going to implement taint mode, anyway? -tom \_ The only way to be absolutely sure is to rebuild the box. You could do a bit by bit comparison from a CD on all the binaries but yech. \_ Yes, I've read "Reflections on Trusting Trust." 
\_ Yes, I've read "Reflections on the Revolution in France" -tom |
2006/7/13 [Computer/SW/Graphics, Computer/SW/Security, Computer/SW/Apps] UID:43656 Activity:kinda low |
7/13 I have about 80 .pdf graphics files, that are a mix of vector graphics and bitmaps, and I want to convert them all to bitmap of a specified resolution, while preserving the physical size of the original image. Does anyone have any suggestions for how to do this fast and efficiently? I have access to the full Adobe suite if that makes any difference. thanks. \_ Are they all one page? \_ Each file is much less than a page in size, and they're all separate files. \_ Should be able to use ghostscript. Post a file if you want an example. \_ Ok, thanks. I've been messing with Ghostscript, but I can't figure out how to get it to both be 600 dpi and to preserve the physical size. If I were smarter, I probably would have specified all the sizes in the Latex code so that I wouldn't care, but that would be a lot of work at this point (180 page document). Here is an example file: /csua/tmp/lafe/5point5huge.pdf Any pointers very much appreciated. |
2006/7/12-18 [Computer/SW/Security] UID:43645 Activity:nil 50%like:43591 |
7/12 Kchang -- thanks for turning the search feature back on! \_ you're welcome. I spent some time making sure that even if the mysql passwords are stolen, it would only have read only access. It would have been easier with suexec, but I guess the current admins insist that CGIs run as "nobody", which is a security risk that I guess they just don't care about anymore. -kchang \_ Intellidiff is back too! Thanks! -Intellidiff #1 fan \_ It is broken. I use scp to edit but it blames someone else. Yet another useless program written by someone useless. |
2006/7/11-17 [Computer/SW/Security] UID:43637 Activity:nil |
7/11 I'm working for a new company that is coming out with a web based product soon and we need to find good co-location facilities to host it. Can anyone recommend a good co-location facility in the south bay that can provide load balancing, backups, possibly SAN access, bandwidth on demand and has good peering? \_ you want the co-lo to provide the load balancing and storage? -shac \_ Possibly yes. This will be a one man show for a while so having some of the services managed would be nice and to lower the initial capital expense hit. Who does IGN use? \_ IGN is mostly at various Savvis colo's around the world but we have all our own gear and storage. the only thing we outsource is a fraction of our dba work. most of the big companies don't outsource load balancing and storage -shac \_ we use quest at work... \_ Not a recommendation, but check http://www.webhostingtalk.com You will get better response there and also do some search on a company's reputation. \_ might want to ask http://he.net |
2006/6/30-7/5 [Computer/SW/Security, Computer/SW/Mail] UID:43544 Activity:nil |
6/30 I'm trying to set up SSH port forwarding of VNC between my laptop and my home server. Once I had it working but I lost my client-side config. I can use PuTTY to set up port forwarding and can successfully load webpages off the remote server by using <DEAD>localhost<DEAD> My problem is that I can't seem to forward port 5900 (VNC) to my remote machine. When I try telnetting to localhost port 5900 I get a connection but don't get the standard VNC handshake: "RFB 003.003" I know VNC is up on that machine because I can connect to it just fine when I am on the same subnet. Any ideas? \_ You're not running VNC on your local box on port 5900, are you? \_ Ooh, good idea.. but no. \_ OK, so in PuTTY, your Forwarded ports: lines for your server Session look like: L80 localhost:80 L5900 localhost:5900 Is that right? What OS is the server? \_ I had this: L80 http://myhost.com:80 L5900 http://myhost.com:5900 I changed the second one to L5900 localhost:5900 and now it works. Thanks! But why did the HTTP forwarding work then? \_ Maybe your firewall/VNC server/whatever would allow loopback connections, but not connections on the "real" IP |
2006/6/28-29 [Computer/SW/Security, Computer/SW/Virus] UID:43517 Activity:nil |
6/28 I'm looking for a company that can do testing of antivirus and anti-malicious code products--I have a client who wants some sort of "external verification", even if it's just a formality. I imagine this will involve running a battery of not-too-complex malicious code & exploit tests. Any recommendations? -John \_ http://www.counterpane.com/consulting.html or http://securityevaluators.com ? Both have well known security ppl \_ Securityevaluators looks good, thanks. -John |
2006/6/25-28 [Computer/SW/Security, Computer/SW/Unix] UID:43493 Activity:nil 53%like:43401 |
6/25 Hey root, could you please reenable finger motd@csua? Can't be a security issue since fingerd is enabled ... \_ Done. For some reason linking it refused to work, so I added it as a cronjob that happens just as the motd concatenation happens (every 2 minutes). --michener |
2006/6/23-28 [Computer/SW/Security, Computer/SW/Unix] UID:43487 Activity:nil 80%like:43482 80%like:43483 |
6/23 Soda rooted by sendmail bug. Will be going down at 8pm. \_ Resetting accounts again? \_ Good thing I stopped using my @csua.berkeley.edu address as my main non-work e-mail address! \_ Let's try FreeBSD again! \_ Let's try Windows! \_ Er, why is this in motd.public? \_ soda is run by liburals, always aiding and comforting Terrorists \_ Maybe 'cause it's a lie? \_ So, why is it still up? \_ It used to say 5pm. \_ The crackers have changed the root passwd! Root is powerless! \_ I can assure you this has not happened. --michener \_ They probably exploited something to put in a trojan su. Did you test this by suing? Now they probably have the old root password! \_ Someone should go to the server room and destroy soda with a sledgehammer before the crackers unleash the skynet on us. \_ I know of no such issue and have not heard from the rest of root about it. If this is not a lie, will whoever wrote this email root? --michener \_ Did the cracker post this to freak everybody out? \_ The only non-anonymous evidence I see is on wall log, where Paolo posted a snippet showing brg and sly speculating on whether soda had been hacked \_ which had nothing to do with sendmail at all. \_ Lying about a rooting is l4m3. \_ My account has been hacked! Last login from China! |
2006/6/23 [Computer/SW/Unix, Computer/SW/Security, Computer/SW/Mail] UID:43483 Activity:kinda low 80%like:43482 80%like:43487 |
6/23 Soda rooted by sendmail bug. Will be going down at 3pm. \_ Resetting accounts again? \_ Good thing I stopped using my @csua.berkeley.edu address as my main non-work e-mail address! \_ Let's try FreeBSD again! \_ Let's try Windows! \_ Er, why is this in motd.public? \_ soda is run by liburals, always aiding and comforting Terrorists \_ Maybe 'cause it's a lie? \_ So, why is it still up? \_ It used to say 5pm. \_ The crackers have changed the root passwd! Root is powerless! \_ I can assure you this has not happened. --michener \_ I know of no such issue and have not heard from the rest of root about it. If this is not a lie, will whoever wrote this email root? --michener |
2006/6/23-28 [Computer/SW/Security, Computer/SW/Languages/Web] UID:43481 Activity:nil |
6/23 apache back on and PHP seems to be working once more (so the main page works too). Security modules have been added, so if they interfere with things, mail root. Hopefully they won't though. Thanks for your patience and understanding --michener |
2006/6/23-24 [Computer/SW/Security] UID:43475 Activity:nil |
6/22 Whats up with all the defunct sshd processes on soda? Have we been hacked again? \_ I don't think so, but let me check your account. What was your username again? \_ ok so then whats with the 1655 syslogds running? |
2006/6/22-28 [Computer/SW/Security] UID:43470 Activity:nil |
6/22 http://media.putfile.com/AOL-Cancellation Guy attempts to cancel AOL account with AOL customer service rep (who sounds like a full-blown American, not outsourced labor). It gets started slowly, but it really builds up half-way in. http://insignificantthoughts.com/page/2 http://www.msnbc.msn.com/id/13447232 \_ It's amusing that he recorded it and posted it online but his experience is dirt common for AOL. I hope no one was actually shocked by this encounter in any way. It took me 5+ minutes to cancel an account a few years ago although the CSR took a different direction she still wouldn't cancel it until I'd told her at least three dozen times I wanted it cancelled. |
2006/6/20-24 [Computer/SW/Mail, Computer/SW/Security] UID:43439 Activity:nil |
6/19 I'm leaving the country for a year. I am thinking of getting a Skype number in the United States, and I guess if people in the US call it, my Skype client running on my computer in the foreign country will receive the call? What is wrong with my plan to do this? nnn \_ 1. yes. The only thing wrong with your plan is that as nerdy as you are, you may *NOT* be at front of computer all the time. After a while, when people couldn't reach you via the Skype number, they will STOP calling you. I recommend you also purchase some SkypeOut credit; and also set up a call-forwarding on your SkypeIn number to your local cell phone. This way, when you are not at the front of computer or your computer is off, calls will be forwarded to your cell phone. kngharv \_ No. You get voicemail with your skypein number. I'm using it (my Swiss cell phone is forwarded to my CH skypein number while I'm in Chile.) When you start your Skype client, it tells you you have voicemails. Works a charm, worth the money. -John \_ duh, voicemail comes with the SkypeIn number. My experience is that after a while, people just get sick of calling because he/she gets voicemail all the time. Skype forwarding service would keep people interested in calling this number. kngharv \_ That wasn't his question. -John \_ There are other similar VOIP services. For example, http://voicestick.com offers FREE virtual # anywhere in USA. It can then forward anyone calling that # to anywhere in the world. Of course you pay for the forwarded calls. |
2006/6/13-15 [Computer/SW/Security] UID:43377 Activity:nil |
6/13 ok, memorizing all these passwords is driving me insane. I know this has been asked before but I can't find it: what's the best way to keep a password-protected file of very sensitive information? in this case, all my other passwords. thanks
\_ I use http://www.bugmenot.com
\_ Whatever happened to this single login thing called the MS Passport or something?
\_ I just use a yellow sticky note on my monitor. Works like a charm.
\_ I use a Palm Pilot that is password protected. I then have a Crypto program on it (also requires a password).
\_ the second part is very important, 'cause even if you password protect the file using Palm's native password protection, the document is downloaded in unencrypted format when you sync to your computer. I use Keyring for encryption: http://gnukeyring.sourceforge.net
\_ I pgp encrypt this password excel file. You should have some password levels as well:
- password to this excel file
- password for financial sites
- password for secure e-commerce sites
- password for other non secure sites
A secure password can be the initials of your favorite phrase. I consider sites that email back your password in plaintext as non-secure sites. Good sites should reset your password to a random one in the worst case.
\_ For passwords I don't get to choose, I use this: http://www.schneier.com/passsafe.html on PocketPC. For passwords tied to domains, I use a command line version of this: http://bushong.net/dave/webpasswd (generates a reproducible hex hash) --dbushong
\_ http://keepass.sourceforge.net Also, in the same vein as generating passwords from hashes, here's a Firefox extension to make it more convenient: http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer
\_ Ooh. Great minds think alike. This one looks more secure than mine (uses a Base64 variant encoding rather than Hex). Alas, I can't switch now or I'd have to check 2 of them :-) --dbushong
\_ this program is really old but it's simple and works (for windows users): http://www.passkeeper.com |
2006/6/12-13 [Computer/SW/Security, Health/Women] UID:43355 Activity:nil |
6/12 http://news.yahoo.com/s/nm/20060612/od_nm/newzealand_streaker_dc Are all New Zealand women as attractive as this one? Are they more fit than, say, American women in general? Damn I gotta move there!
\_ Most of the women I've met from New Zealand look more like this: http://www.manuphotos.com/images/NEw%20Zealand/NZ%20Maori%20Woman%2001.jpg |
2006/6/7-9 [Computer/SW/Security] UID:43302 Activity:nil |
6/7 Rails question: I've got data in a number of tables, all of it owned by one site "user" or another. Is there a nice clean standard way (probably at the model level) to validate whether the current user has access to the requested bit(s) of data? (Hopefully that's not too inefficient.) I tried some obvious things, but Model classes don't have access to your session data, so they can't trivially see what user id is making the request. Or does this sort of thing not belong in the models? Thoughts?
\_ Try handlers. Install a handler that will do the ID check, then throw an exception if it fails. The model has access to the session data, otherwise you can't do anything custom with respect to the session, so I don't know what you're talking about. -marked |
2006/6/7-9 [Computer/SW/Security] UID:43295 Activity:nil |
6/6 Where can I find the RSA host key to put in a .ssh/known_hosts (or whatever exactly it's called) so I can ssh to csua?
\_ here, use mine:
|1|42db5+KDy9Hano4lbj/SgFMPKDs=|taKwtpIOjvjZb9S9EIZ+pMbK7pQ= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4F3Vgzyef4WlQqLst2xqi+yiRTdg1f4enDPkeT1zSFqhOFNXGoFlKJOGHRmpfwmFxpa0eS6PVtleoI4b5kTbx0C9mA1OFXFVbZNlwjH6Hmife/NZazI4Nhe6Gl7JTNHBliu6VD6KLct66iAtZVUhOmM3gmbMfhgIqfbTvtPTLcYGeGHMz+X7dzWPMxMOqoD4iCXIthuLImijbL1HPqX1G65R048MWL1eHctxOi+XeFKzvAJ37iez2+prakglPkyAU6jg9luRiPtVQmjD3Q9gp+kenZGKKIK0FiuCuX+avuid5+52psfIl6UWGbXl4VciV5QWZ6AdUmiEsEovZ9DbBQ== |
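The entry posted above has a hashed host field (the `|1|salt|hash` form OpenSSH writes with HashKnownHosts), so you cannot read the hostname off it; you can only test a hostname against it. The following is an added example, not code from the post or from OpenSSH: it builds and checks hashed entries, and decodes the posted key's wire format to confirm its type and size. The hostname `soda.example.org` and the fixed salt in the test are constructed values; the HMAC-SHA1 format itself is the real one.

```python
import base64
import hashlib
import hmac
import os
import struct

# Hashed known_hosts host field, as written by OpenSSH with HashKnownHosts on:
#   |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>
# "1" is the hash type (HMAC-SHA1); the salt is 20 random bytes per entry.
# Hashing hides which hosts a user talks to if the file is copied, but the
# key material after the host field is the same as in a plain entry.

# The entry posted above, as the sample to parse (host field, key type, key).
POSTED_ENTRY = (
    "|1|42db5+KDy9Hano4lbj/SgFMPKDs=|taKwtpIOjvjZb9S9EIZ+pMbK7pQ= ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAQEA4F3Vgzyef4WlQqLst2xqi+yiRTdg1f4enDPkeT1zSFqhOFNXGoFlKJOGHRmpfwm"
    "Fxpa0eS6PVtleoI4b5kTbx0C9mA1OFXFVbZNlwjH6Hmife/NZazI4Nhe6Gl7JTNHBliu6VD6KLct66iA"
    "tZVUhOmM3gmbMfhgIqfbTvtPTLcYGeGHMz+X7dzWPMxMOqoD4iCXIthuLImijbL1HPqX1G65R048MWL1"
    "eHctxOi+XeFKzvAJ37iez2+prakglPkyAU6jg9luRiPtVQmjD3Q9gp+kenZGKKIK0FiuCuX+avuid5+5"
    "2psfIl6UWGbXl4VciV5QWZ6AdUmiEsEovZ9DbBQ=="
)


def hash_host_field(hostname: str, salt: bytes) -> str:
    """Build the |1|salt|hash field for one hostname (or a [host]:port string)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def make_entry(hostname: str, keytype: str, key_b64: str, salt: bytes = None) -> str:
    """Produce a complete hashed known_hosts line for a host key."""
    salt = os.urandom(20) if salt is None else salt
    return "%s %s %s" % (hash_host_field(hostname, salt), keytype, key_b64)


def split_entry(line: str):
    """Return (host_field, keytype, key_b64) from a known_hosts line."""
    host_field, keytype, key_b64 = line.split()[:3]
    return host_field, keytype, key_b64


def entry_is_for(line: str, hostname: str) -> bool:
    """Does this known_hosts line belong to hostname? Handles hashed and plain fields."""
    host_field, _, _ = split_entry(line)
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")   # plain field: comma-separated names
    _, _, salt_b64, mac_b64 = host_field.split("|")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(mac_b64)
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, actual)   # constant-time compare


def identify_host(line: str, candidates) -> str:
    """Recover which of a list of hostnames a hashed line was written for, or None.
    Hashing therefore only hides hostnames that are not on a short guessable list."""
    for name in candidates:
        if entry_is_for(line, name):
            return name
    return None


def _read_string(blob: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length


def rsa_key_info(key_b64: str):
    """Return (algorithm, public exponent, modulus bits) from an ssh-rsa key blob."""
    blob = base64.b64decode(key_b64)
    algo, off = _read_string(blob, 0)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")
    return algo.decode(), e, n.bit_length()


if __name__ == "__main__":
    _, keytype, key_b64 = split_entry(POSTED_ENTRY)
    print("posted key:", rsa_key_info(key_b64))
    # Constructed example: write an entry for a hostname, then check it.
    line = make_entry("soda.example.org", keytype, key_b64)
    print(line)
    print(entry_is_for(line, "soda.example.org"), entry_is_for(line, "other.example.org"))
```

Pasting someone else's entry only helps if the key it carries is really the server's; the check that matters is comparing the key fingerprint against one obtained out of band, which no known_hosts format can do for you.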
2006/6/6-9 [Computer/SW/Apps/Media, Computer/SW/Security] UID:43284 Activity:nil |
6/6/06 http://www.eff.org/deeplinks/archives/004721.php |
2006/5/29 [Computer/SW/Security, Politics/Foreign/MiddleEast/Iraq, Politics/Foreign/Europe] UID:43215 Activity:nil |
5/29 Castro's Cuba http://www.therealcuba.com/index.htm |
2006/5/20-22 [Computer/SW/Languages/C_Cplusplus, Computer/SW/WWW/Browsers, Computer/SW/Security] UID:43123 Activity:nil 61%like:43119 |
5/19 I need a simple plug-in 128-bit (or so) C encryption library. Symmetric key is easiest, but public key is ok if that's the only thing I can get. Any ideas?
\_ http://mcrypt.sourceforge.net --dbushong
\_ Thanks, I'm checking it out. |
2006/5/17-22 [Computer/SW/Security] UID:43078 Activity:nil |
5/16 Blue Security gives up: http://csua.org/u/fvo |
2006/5/10-12 [Academia/Berkeley/CSUA/Motd, Computer/SW/Security] UID:43004 Activity:nil |
5/10 Can we get kais motd intellidiff back now that cgi is re-enabled?
\_ No. "suexec" is not enabled so it is run as "nobody", which means I need to make EVERYTHING world readable, including the index.cgi in which I embed the mysql password. I am not enabling anything back till suexec is added. Until then, soda is insecure, and I'm not going to risk security for convenience. -kchang
\_ root: Can we get suexec set up? -intellidiff #1 fan
\_ Mysql has fairly granular permissions. Why not set up an account that has read-only access to the appropriate tables?
\_ Because it also needs to write to certain directories/files. In the end it's a lot of trouble and I don't have time to code a workaround now. Look. Enabling suexec takes 30 seconds, so it is a solution that has a much higher work/time ratio. I'm in no hurry. I can wait. -kchang
\_ How can we access mysql from soda?
\_ I compiled my private copy on a separate port and I'm not sharing it -kchang |
2006/5/8-9 [Computer/SW/Security, Computer/SW/Unix] UID:42979 Activity:nil |
5/8 A friend of mine still hasn't gotten his account reactivated even though he sent photo id. Is this still being worked on?
\_ soda root == students; May 12 == start of finals. I'd say a little patience is in order.
\_ Granted, but 3 weeks is a long time. Could you update the website so they have a clue? 4/17 was in a galaxy far, far away. |
2006/5/8 [Computer/SW/Security] UID:42976 Activity:moderate |
5/8 why you are getting all that blue frog spam http://q.queso.com/archives/001917 - danh
\_ While I'm not ready to call it outright bullshit, I'm skeptical:
* Most DNS operators with a clue set TTL values to cache records for 24 hours to one week. The DNS notify mechanism leaves much to be desired. Thus, changing a DNS pointer is unlikely to divert a DoS attack.
* Many DoS attacks hard code the ip of the target both to avoid the added complexity of DNS lookups and because, if the code is written by a script kiddie moron, he may botch it and do the DNS lookup before sending each packet, which slows things down spectacularly. -dans
\_ and I call bullshit here, because the TTL values of a domain are under control of the domain's owner (or at least the nameserver the domain is master'd from), and any DoS attack hardcoded to an IP is trivial to defeat by changing the IP of your web/service. And TTL only comes into play when an address is cached, which isn't likely to be the case with all the clients participating in a DDOS. -ERic
\_ Correct, ttl values of a domain are controlled by the domain's owner, but if ttl values are set to sane values, e.g. 24 hours to 1 week, then it will be 24 hours to 1 week before reducing them will have any effect on cache behavior. If DDoS clients actually perform DNS lookups, then the vast majority of lookups will go through caches, which won't refresh their content until ttl expiry. It would be enlightening to see what http://bluesecurity.com's DNS records looked like the week prior to the attack. Also, changing the IP of your service doesn't help if you just hop to a new IP address on the same network, since modern DDoS attacks overwhelm your upstream network pipe(s), and not just an individual host running a specific service. -dans
\_ This guy doesn't really have any idea what he is talking about: he can't explain correctly how Blue Security really works and instead of bothering to learn, he just argued with the people trying to teach him. Finally, he just turned off comments rather than accept that he was wrong. He sounds a bit like Bill O'Reilly. I wouldn't really take his explanation for what happened at face value, given his record. -ausman |
2006/5/4-7 [Computer/SW/Security, Computer/SW/Unix] UID:42931 Activity:nil |
5/4 Ok I need to make a hosting choice soon because my current co-op colo is falling apart like http://autobahn.org in the old days. I can go with http://dreamhost.com, http://textdrive.com, or http://johncompanies.com [about which dans heard good things]. I really like johncompanies' virtual machines because you get root, but it is a whopping $47/month!!! http://dreamhost.com is dirt cheap, but you share resources and it's probably just as secure as soda (which is not very). I haven't heard anything about http://textdrive.com. What do you guys use and recommend? Thanks.
\_ i have a bunch of stuff hosted with dreamhost and have been very happy with them. i was referred by another sodan. a lot of guys at gamespy use dreamhost as well and love it. -shac
\_ How much quota, IP/hosts, do you get, and how much do you pay?
\_ i pay annually. so i paid $120 for 1 year starting at 20GB disk, 1TB monthly transfer. each month they increase both of these numbers for you so i'm probably at like 22GB and whatever monthly transfer. the longer you are a customer the larger your quotas are. see their pricing comparison. http://www.dreamhost.com/shared/comparison.html -shac
\_ which coop is dying? how much do you use now?
\_ i've heard good things about simpli.biz
\_ JohnCompanies kicks ass. You send mail and.. John mails you back in like 2 minutes. None of the trouble-ticket-queue bullshit. On the flipside, yeah, they're (relatively) pricey and you have to do all the admin yourself, and if John dies in a car crash, I'm not sure how much human failover they have. --dbushong
\- that is the scenario i call BUS TERMINATED. --psb
\_ HA that's pretty funny. But how do you know johncompany is run by 1 man, and if other companies aren't in the same situation?
\_ I don't, but if you go with <insert random huge company> it's unlikely.
\_ Oh, if you are doing anything art or community oriented, consider Laughing Squid. -dans |
2006/5/3-5 [Computer/SW/Security, Computer/SW/Mail] UID:42921 Activity:nil |
5/3 Can anyone recommend an e-mail service that provides POP3/IMAP and SMTP with encrypted authentication, From: address set to whatever you want, isn't zombie-land, has minimal service interruptions, and won't go away? Doesn't need to be free. Really important to have minimal service interruptions.
\_ Gmail!
\_ From: address always defaults to @gmail.com.
\_ I believe you can change this in Settings->Accounts. There is no IMAP though.
\_ Cool, I just tested it. Works through SMTP auth port 465 too. Thanks. -op
\_ Not if you're using SMTP, afaik. |
2006/5/3-5 [Computer/SW/Mail, Computer/SW/Security] UID:42918 Activity:nil |
5/3 In the light of what happened recently, should I stop using soda for any important communications and get a gmail account instead?
\_ FYI, I am making my ISP account (Comcast) my main e-mail point. My problem with gmail is that the From: address is automagically replaced with your @gmail.com address, whereas I can make it whatever I want with Comcast as long as I authenticate. I do realize Comcast is the source of most zombie spam. This is after having used soda as my main mail account since '92. Props to all the undergrads who have kept soda up, anyway.
\_ Comcast is a bad idea. Comcast is a spam target and also means you are tied to that ISP. Better to convert to gmail.
\_ because, you know, gmail isn't a spam target. -tom
\_ No, but it does have good spam filtering built-in. Still, what is a good reason for using comcast over gmail? I'd rather use soda. Or <DEAD>cal.berkeley.edu<DEAD>.
\_ I don't use comcast, but web interfaces to email suck, and gmail still doesn't offer IMAP, right? -tom
\_ Well, gmail is faster than any other webmail I've used, and the searching/labeling/filtering system is pretty good. Gmail is the only webmail I've used that I could put up with daily... although I still only use it for certain things. Maybe eventually they will have IMAP. I saw some kind of beta 3rd party attempts at providing IMAP gmail access. Shrug.
\_ "web interfaces to email suck" ?? what are you talking about? gmail is easy to use, has keyboard shortcuts and is accessible from anywhere without worrying about ssh'ing or crap like that
\_ One drawback of web mail is that if you don't access it within X time, your account can go byebye. Although gmail's 9 months is I think much longer than any other free webmail.
\_ Let me be more explicit; non-web GUI mail clients have better interfaces than web-based mail clients. It can be useful to have access to a web-based client, but the web interface is significantly less effective for day-to-day activity. -tom
\_ gmail supports POP/SMTP, so you can use other email clients like outlook and mac mail client.
\_ but not with multiple mailboxes, so what's the point? -tom
\_ Most people stopped using soda for important communications a long time ago.
\_ Yes, it's pretty obvious that gmail will be more reliable for things like that. I use both.
\_ I echo the op's concerns and am switching my primary e-mail to my ISP as well (SBC). If you lived in a neighborhood for 10 years, loved it, then all of a sudden couldn't get access to your house for 2 weeks because there was a break-in, while the local police were processing your paperwork, I would move. Again, not enough praise can be given to those volunteering their time and effort to maintaining this environment. It's a testament that it has as much uptime as it does. But as your primary account, it would be awful to go through that again. I think free e-mail services are risky because they can start charging at any time or start going downhill (i.e. Hotmail). If you are happy with your ISP and plan to use them for a while, why not go with them; at least you have greater control of the risks.
\_ I'm still using soda for most things just because it's really nice to be able to hand someone an email address you can be fairly sure will still be there in 5 years.
\_ Why not just register your own domain ($2 to $30/year), and point it at a cheap virtualhosting/email provider ($10 to $50/month)? -dans
\_ because there are free, or already-paid-for alternatives. |
2006/5/2-5 [Computer/SW/Security] UID:42892 Activity:nil |
5/2 Okay, I think I get it now. If I want password-less login to soda, then I need to do the whole generating the public and private keys thing, which requires a pass phrase; if I can put up with entering my unix password every time in SSH or PuTTY, then I don't need to do the whole ssh-keygen stuff. Is that correct?
\_ Yes. But if you go password-less, then if soda is compromised again, you won't need to change your unix password.
\_ why is that? if soda is compromised then they have access to the unix password too.
\_ Not if you didn't type it in while soda was compromised. -tom
\_ Unless it was cracked, which basically depends only on how motivated the attacker is. -gm
\_ This is why a couple of soda users choose not to have passwords at all -- they have "*" for their password in /etc/shadow, so ssh keys are the only way they can log in. For those users, an attacker who gets soda's password file won't have anything to crack. --mconst
\_ how do you put * in /etc/shadow? I can't even view it. so if I don't want to use a unix password, I need to ssh-keygen on my client server, then copy the generated public key to soda under the .ssh/ folder? I should not copy my private key to soda though, right?
\_ Unfortunately, it's not possible for you to do this yourself. If you really want to have no password, mail root and we can remove it for you -- but before you do that, you might want to try just setting your password to something random and not using it for a while. This will give you a chance to get used to ssh keys and see how you like them, and if anything goes wrong with your ssh keys, you'll be able to log in with your password and fix them. And yes, your ssh-keygen stuff is exactly right. You didn't mention this, but when you put the public key on soda, you need to put it in a file named .ssh/authorized_keys. --mconst
\_ thank you very much! this helped a lot in clearing up my confusion.
\_ I was told because of the compromise, my ssh private key may be stolen as well, but how is that possible? I thought the ssh private key is on the client host, not on the server host (i.e. http://csua.berkeley.edu)?
\_ Some people put their private keys on soda (with a passphrase, I would hope). If you did, then both your private key and your passphrase may have been stolen. If you didn't store your private key on soda, you should be fine. -gm
\_ they put their private keys on soda, is it because they want to use soda as a client to a different server?
\_ Exactly.
\_ the private key would be under .ssh/ right? |
2006/5/1-4 [Computer/SW/Security] UID:42878 Activity:nil |
5/1 Where can I find step by step instructions to change my ssh pass? How do I change my login password? Sorry I haven't been on unix for too long.
\_ What do you mean? You mean your login password? Run passwd. You mean the password used to decrypt your private key? If you stored a private key on soda, shouldn't you assume that's been compromised too and generate a new private/public key pair?
\_ yes the compromised passphrase for decrypting the key. Please, how do you remember the steps to regenerate a new private/pub key? All I remember is there were some very tricky steps to generate the key. Like I either 1) have to use the keyboard that is on the server; or 2) use the java interface to generate the key. Now I can't find the procedures on the csua website....
\_ You seem to be confusing ssh keys with the ridiculously paranoid (and not altogether useful) "advice" on securing your pgp/gpg key. Try "man ssh-keygen"
\_ Passphrase you mean?
\_ Would this help? http://www.csua.berkeley.edu/ssh-howto.html
\_ http://www.csua.berkeley.edu/~ranga/notes/ssh_nopass.html |
2006/5/1-4 [Computer/SW/Security, Uncategorized/Profanity, Computer/SW/Unix] UID:42873 Activity:nil |
5/1 Fuck it. RSS wall feed isn't down, so much as only serving out my little diatribe on the life and death of the hack. I got shit to do. Later. --michener
\_ Bring it back. This is *your* organization. It should run *your* code. If bitchy alums, myself included, have a problem with it, fuck em! If bitchy alums have a problem with google seeing it, tell them to get off their asses and write a robots.txt file to fix the problem. -dans
\_ root staff seems much more inclined to ignore than do anything. It's rather discouraging for alums to even bother trying to help when work making old desired software run is ignored, and requests that people "mail root if you want to do this" are met with much silence.
\_ yes, you can "fuck em" but if the existence of a feed makes people revolt, and not use wall logging, and therefore make the feed pretty much useless as well, what's the fucking point?
\_ Lowers the alumni noise floor of wall thereby making it a useful channel for undergraduate signal? Sounds like a win to me. -dans
\_ that way all 6 undergrads can talk. If the alumni noise is a concern for them, I'm sure they can figure out how to make a second wallall channel
\_ If, as you indicate, there are only 6 active undergrads in the organization, then perhaps the CSUA has run its course and should be shut down. Of course, you're wrong, so the point is moot. -dans
\_ Do you actually work on getting stupider every day? -tom
\_ For you tom? Anything. :-* It's cute how you define stupid as "Any view that doesn't support what you believe." Here in reality, i.e. that place outside of the bubble you live in, we call that close-minded and juvenile. meh. Bored now. -dans
\_ Coming from you, this is hilarious.
\- but is it ironic?
\_ Let me add some useful info to this debate. For the record, I think it's a cool idea, and don't care if Google indexes wall, in which case you could just re-enable it as is. But, the bitchy alumni can read these: http://csua.org/u/fok - How do I request that Google not crawl parts or all of my site? http://csua.org/u/foj - How can I remove content from Google's index?
\_ Interesting and useful. But, really. I seriously have code to write for classes and such and shit to do. So I'll revisit at a later date. Until then, bad alums, no cookie! ;) --michener |
2006/4/21-24 [Recreation/Activities, Computer/SW/Unix, Computer/SW/Security] UID:42798 Activity:low |
4/22 ok, so maybe a dumb question, but a coworker just asked me and I'm not sure of the answer: is it possible to view the standard output of a process running on your system? I do have root. thx
\_ truss/strace, with the option to print the entire syscalls
\_ ok, let me rephrase: there is a process running on my system. I did not start it. I am root. I have just the process id (from ps) ... is there some way I can see stdout/err? thx
\_ you can't see what has -already- gone out to stdout/stderr. if you look at the write() calls for stdout/stderr (by fd) you can see what it is putting out -now-. truss -p pid
\_ try /proc/<pid>/fd
\_ this was all helpful. thanks. |
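The two answers above fit together: /proc/<pid>/fd tells you where a process's stdout and stderr currently point, and that determines whether anything already written is recoverable (a file) or only future writes can be watched (a pipe, socket or terminal, via truss/strace on the write() calls). The following added example, not code from the thread, does that lookup in Python; it assumes a Linux-style /proc and returns nothing where none exists.

```python
import os
import sys


def fd_targets(pid: int) -> dict:
    """Map each open descriptor of pid to what it refers to, via /proc/<pid>/fd.
    Linux-only: returns an empty dict where /proc is unavailable. Reading another
    user's process needs root, which the question says is available."""
    fd_dir = "/proc/%d/fd" % pid
    targets = {}
    if not os.path.isdir(fd_dir):
        return targets
    for name in os.listdir(fd_dir):
        try:
            targets[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except (OSError, ValueError):
            continue   # descriptor closed between listdir() and readlink()
    return targets


def describe(target):
    """Say what can still be recovered from where a stream points."""
    if target is None:
        return "closed"
    if target.startswith("pipe:") or target.startswith("socket:"):
        # Bytes already written are gone; only new write() calls can be observed
        # (strace -p PID -e trace=write, or truss -p PID as suggested above).
        return "pipe or socket: past output is gone, only future writes are observable"
    if target.startswith("/dev/pts/") or target.startswith("/dev/tty"):
        return "terminal: past output is gone, only future writes are observable"
    if target == "/dev/null":
        return "discarded"
    return "file: %s (already-written output is readable there)" % target


def std_streams(pid: int) -> dict:
    """Where stdin/stdout/stderr of pid currently point, each with a recovery note."""
    t = fd_targets(pid)
    return {name: (t.get(fd), describe(t.get(fd)))
            for fd, name in ((0, "stdin"), (1, "stdout"), (2, "stderr"))}


def self_check() -> bool:
    """On Linux our own stdout (fd 1) must show up; elsewhere the map is empty."""
    t = fd_targets(os.getpid())
    return (1 in t) if os.path.isdir("/proc/self/fd") else (t == {})


if __name__ == "__main__":
    # Usage: python this.py <pid>   (defaults to the current process)
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for name, (target, note) in std_streams(pid).items():
        print("%-6s -> %-24s %s" % (name, target, note))
```

The same listing is what `ls -l /proc/<pid>/fd` shows; the point of scripting it is to turn "where does fd 1 go" into the operational question of whether the output is still on disk somewhere.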
2006/4/19-23 [Computer/SW/Security] UID:42785 Activity:low |
4/19 Hey, IMAP and IMAP/SSL aren't accepting my password. Is this happening to anyone else? I can login fine using ssh. It had been working up until someone turned off POP.
\_ Is it possible that SASL is configured to use a different authentication backend, e.g. PAM, than logins, which I believe use LDAP? -dans
\_ Wrong.
\_ I asked if it's possible. I've seen this error on other systems before. Do you have any constructive suggestions? -dans
\_ SMTP auth... please
\_ oh goodie, they both work now as of 1:30pm today (the 20th, and it wasn't working an hour ago). -op |
2006/4/18-23 [Computer/SW/Security, Computer/SW/WWW/Server] UID:42779 Activity:nil |
4/18 Thanks mrauser for the call just now. root: I think one of the next priorities can be enabling POP3/SSL and IMAP/SSL. I'm going to download e-mail with the unencrypted connection, but I'll probably change my password once every couple weeks until the above gets online. Most if not all of the official UC e-mail systems now require SSL for downloading and sending e-mail, right?
\_ Actually, all password transactions must be encrypted according to the Minimum Standards for Networked Devices policy. -tom
\_ IMAP/SSL is now up, POP3 is down entirely. That should suffice for the moment. -michener |
2006/4/18-20 [Computer/SW/Security, Computer/SW/Unix] UID:42775 Activity:moderate |
4/18 Some thoughts about securing a machine. Feel free to add your expert opinions. --ricky
* Securing a machine that allows interactive logins by users is _very_ hard.
* Reduce suid binaries to the absolute bare minimum.
* Perform automatic _remote_ checksums from a machine that is separate and is not accessible by regular users. Usually, NFS is recommended for this. Basically, have a remote machine regularly check critical files on the machine and alert root if anything changed.
\_ This existed a while ago, called Tripwire. Started as a research project and grew to a startup. Many people tried it but gave up. The concept is easy, but in practice, it takes damn too much time. All of the above suggestions are good, but in the end, if the cost of manageability is high, no one will care. Lastly root and politburo aren't paid to do any of the above stuff and most people have better use of their time so... who cares. Would YOU like to volunteer doing these things ricky? You should attend politburo.
\_ Why are suggestions being taken as a demand that they do it. If alumni (or "members") do all this stuff, aren't they just "fucking the undergrads"?
\_ No. If they storm into the machine room or the office and insist that it be done their way and be done right this minute, then they are fucking the undergrads. Historically, asking nicely and accepting a polite `No.' is not one of the strong suits of the alumni. Though anecdotal, it's also worth noting that the amount a given alumnus bitches appears to be inversely proportional to the amount of meaningful contributions (time, money, hardware, etc.) he makes to the organization. -dans
\_ so you contribute absolutely nothing, eh? -tom
\_ Ah let me clarify that. The amount a given alumnus bitches at the current undergrads appears to be inversely proportional to the amount of meaningful contributions he makes to the organization. If the alumni bitch at each other, it has no bearing on the CSUA or its future. -dans
\_ Agreed, I tried to set up a modern version of tripwire on hosts I administered in my last job, and it's nigh unusable. It smacks of overengineering, and has too many features apparently added by marketing folks trying to sell to the enterprise software market. Furthermore, if you want to be really secure, running _remote_ checksums isn't good enough since the credentials for soda are likely the same as the credentials for other CSUA hosts. Thus, checksumming soda's binaries from screwdriver takes a non-trivial amount of work for a trivial gain. Also, what happens when people trojan libraries not binaries? Should we checksum those too? Which libs? -dans
\_ ideally you checksum everything, and flag what is 'volatile' and likely to change from day to day.
\_ ideally, yes, but that's a really time consuming, tedious, manual process. Unless you have some '1337 tool to do that for us. If so, please post a url. -dans
\_ I have used aide, a tripwire-like tool that checksums files in two ways. It works pretty well, and isn't that difficult to use. I found it annoying if I didn't check/update signatures before doing package upgrades, which meant I couldn't tell whether the changes were intentional from the update or if someone had done something to the binaries the same day. While there are certain more-secure "ideal" ways to set things up (binary on immutable media, running on a separate system, database on immutable media, etc.), a simple "on this system", "aide running out of /usr/sbin", "database stored locally" setup, while not great from a security standpoint, is still a useful tool, as long as one doesn't rely on the lack of warnings and messages to mean you are secure.
* Educate users about ssh. For example, unless the user is extremely certain that their private keys are safe (reside in an encrypted partition, etc.) having an empty passphrase is a bad idea. Assuming the above is met, using a passphrase protected key pair and setting up authorized_keys is safer than using passwords.
\_ Education works the best, when people are willing to be educated. Do you think people like to be educated?
\_ It's also vital to keep up with patches to the OS and utilities.
\- ssh won't solve the problem. the problem is a combination of clueless users and users who don't care about security [and are willing to login from machines with kbd sniffers] combined with the close to inevitability of local account -> local exploit -> root. i think soda should adopt the position: 1. soda will be broken into and should not be trusted ... meaning it should not be used as an outbound stepping stone ... no rsh, rlogin, ssh, telnet. i suppose you can leave ftp on and i guess scp. 2. do what you can about prevention [applying patches etc] but also invest some in rapid detection. tripwire is a piece of crap but there are other tools to do this with ... i maintain checksums on about 50 things [in some cases OSes, in other cases various data trees] and while i don't look at all the data everyday, with disk being cheap i can store enough snapshots i can at least go back and tell a story if there is a problem found at some point. even a half-assed checksumming system will get you pretty far ... and would certainly pick up a trojaned daemon or client. we have some not-very-portable hacks to address the case of trojaned libs [these check low level information in inodes and compare them to higher level queries and look for inconsistencies ... like say in the link count] but these are probably not worth the effort ... they were crafted for very specific rootkits. |
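The thread circles the same design: snapshot hashes and inode metadata, keep the database somewhere the monitored host cannot rewrite it, flag 'volatile' paths so log growth does not drown out a replaced daemon, and accept that the tool only tells a story when you compare snapshots. The following is an added example, not tripwire, aide or anything the thread's posters ran: a minimal checker in that shape, with a constructed demo tree (the `bin/sshd` and `log/messages` names in it are sample files created in a temp directory, not system paths). Volatile paths still report mode and owner changes; only their content fields are tolerated.

```python
import hashlib
import json
import os
import stat
import tempfile

# Attributes whose change is tolerated on paths flagged volatile (logs, spool);
# a mode, owner or symlink-target change on a volatile path is still reported.
CONTENT_FIELDS = {"size", "mtime", "sha256"}


def file_record(path: str) -> dict:
    """Hash plus the inode metadata that tells a mode/owner change from a content one."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISLNK(st.st_mode):
        rec["link"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def snapshot(root: str) -> dict:
    """Record every file under root, keyed by path relative to root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root).replace(os.sep, "/")] = file_record(full)
    return db


def compare(baseline: dict, current: dict, volatile=()) -> dict:
    """Diff two snapshots. volatile: path prefixes where content drift is expected."""
    report = {"added": [], "removed": [], "changed": {}, "volatile": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            old, new = baseline[path], current[path]
            diff = {k for k in set(old) | set(new) if old.get(k) != new.get(k)}
            if not diff:
                continue
            if diff <= CONTENT_FIELDS and any(path.startswith(v) for v in volatile):
                report["volatile"].append(path)   # expected drift, still recorded
            else:
                report["changed"][path] = sorted(diff)
    return report


def save_db(db: dict, path: str) -> None:
    # In the setup the thread prefers, this file lives on another host or read-only media.
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_db(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a small temp tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/sshd", b"original daemon bytes")
        _write(root, "bin/ls", b"ls bytes")
        _write(root, "log/messages", b"line 1\n")
        baseline = snapshot(root)
        # Same-size replacement of a daemon: size is unchanged, only the hash moves.
        _write(root, "bin/sshd", b"trojaned daemon bytes")
        # Expected drift: a log grew.
        with open(os.path.join(root, "log/messages"), "ab") as f:
            f.write(b"line 2\n")
        _write(root, "bin/.hidden", b"dropped file")
        os.remove(os.path.join(root, "bin/ls"))
        return compare(baseline, snapshot(root), volatile=("log/",))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The trojaned-library worry raised above is covered only to the extent that the library files are inside the tree you snapshot; a checker that is itself run from the monitored host, with its database on that host, can be lied to, which is why the remote or immutable variants keep coming up.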
2006/4/18-22 [Computer/SW/Security] UID:42773 Activity:nil |
4/18 I'm interested in doing some traffic analysis to see if the sshd trojan can be detected by looking at traffic patterns. I seem to remember people's inbound sshd connections being dropped fairly frequently [but soda stayed up]. Can anybody authoritatively speak to whether just some sshds were dropped or when one was dropped all were dropped. Also I assume outbound sshes were not dropped. I'm curious whether the sshd bug was in maybe the checkpointing routine when it was writing out to the sniffer log, or it was something more random/complex. Unless I get a good lead I probably won't pursue this because I'm sort of busy now and it's a lot of data to trawl through potentially or a lot of work to reconstruct. Basically looking for a large clustering of sshd drops in time and space without evidence of a reboot [other protocols dropped] and not a normal shutdown might be a smoke -> fire signal.
\_ Even if this particular ssh trojan was causing the daemon to drop connections, why would you assume that this would be true of other ssh trojans? -dans
\- why do you assume i assume it is true of other trojans. obviously my concern is we don't know where the soda hacker came from and what he did with the sniffed info. assuming this same person installed the same buggy trojan elsewhere is hardly a stretch. a better question might be: is the trojan buggy on just freebsd. and the issue is sshd not ssh. ssh trojan and sshd trojan have different implications. |
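The detection idea in the post is concrete enough to write down: group sshd connection drops per host, look for a burst within a short window, and discard bursts that sit next to reboot or shutdown evidence, since those are explained. The following added example, not the poster's analysis or any real soda data, implements exactly that over constructed syslog-shaped lines (hostnames, PIDs, RFC 1918 addresses and the boot marker are all made up; the `shutdown`/`kernel: Linux version` markers stand in for whatever reboot evidence a real log carries).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like shape: timestamp host program[pid]: message).
# Not real soda logs. Host "soda" shows an unexplained burst at 02:10 and scattered
# drops at 05:00; host "screwdriver" shows a burst explained by a reboot.
SAMPLE_LOG = """\
2006-04-18T02:09:40 soda cron[2201]: (root) CMD (run-parts /etc/cron.hourly)
2006-04-18T02:10:01 soda sshd[3101]: Connection closed by 10.0.0.5
2006-04-18T02:10:04 soda sshd[3102]: Connection closed by 10.0.0.6
2006-04-18T02:10:09 soda sshd[3105]: Connection reset by 10.0.0.7
2006-04-18T02:10:15 soda sshd[3106]: Connection closed by 10.0.0.8
2006-04-18T02:10:22 soda sshd[3109]: Connection closed by 10.0.0.9
2006-04-18T02:59:58 screwdriver shutdown[911]: shutting down for system reboot
2006-04-18T03:00:00 screwdriver sshd[410]: Connection closed by 10.0.0.5
2006-04-18T03:00:05 screwdriver sshd[411]: Connection closed by 10.0.0.6
2006-04-18T03:00:10 screwdriver sshd[412]: Connection closed by 10.0.0.7
2006-04-18T03:00:12 screwdriver sshd[413]: Connection closed by 10.0.0.8
2006-04-18T03:00:20 screwdriver sshd[414]: Connection closed by 10.0.0.9
2006-04-18T03:01:30 screwdriver kernel: Linux version 2.6.16 (constructed boot marker)
2006-04-18T05:00:00 soda sshd[3301]: Connection closed by 10.0.0.5
2006-04-18T05:20:00 soda sshd[3302]: Connection closed by 10.0.0.6
2006-04-18T05:40:00 soda sshd[3303]: Connection closed by 10.0.0.7
"""


def classify(message: str) -> str:
    """Bucket a log message: sshd drop, reboot/shutdown evidence, or noise."""
    program = message.split(":", 1)[0]
    if program.startswith("sshd[") and ("Connection closed" in message
                                        or "Connection reset" in message):
        return "sshd_drop"
    if program.startswith("shutdown[") or "Linux version" in message:
        return "reboot"
    return "other"


def parse_log(text: str):
    """Return (timestamp, host, kind) per well-formed line; junk lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], classify(parts[2])))
    return events


def find_drop_clusters(events, window=60, threshold=4, grace=120):
    """Per host, report >= threshold sshd drops within `window` seconds that have
    no reboot/shutdown evidence within `grace` seconds of the burst."""
    drops, markers = defaultdict(list), defaultdict(list)
    for ts, host, kind in events:
        if kind == "sshd_drop":
            drops[host].append(ts)
        elif kind == "reboot":
            markers[host].append(ts)
    clusters = []
    for host, times in drops.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window:
                j += 1
            if j - i + 1 >= threshold:
                start, end = times[i], times[j]
                lo, hi = start - timedelta(seconds=grace), end + timedelta(seconds=grace)
                explained = any(lo <= m <= hi for m in markers.get(host, []))
                if not explained:
                    clusters.append({"host": host, "start": start.isoformat(),
                                     "end": end.isoformat(), "count": j - i + 1})
                i = j + 1        # drops already in this burst are not re-counted
            else:
                i += 1
    return clusters


if __name__ == "__main__":
    for c in find_drop_clusters(parse_log(SAMPLE_LOG)):
        print("suspicious: %(count)d sshd drops on %(host)s between %(start)s and %(end)s" % c)
```

The window, threshold and grace values are tuning knobs with no right answer; the "space" half of the poster's idea is the per-host grouping, and a burst that shows up on several hosts at once is a different (network) story from one confined to a single sshd.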