Computer SW Security - Berkeley CSUA MOTD

2006/4/11-24 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:42732 Activity:nil
4/12    Soda - very unstable. Is POP3/S disabled?
        \_ Alright, who keeps rebooting soda?
           \- soda is currently rebooting itself for an unknown reason.
              someone on root is working on it, or if not, will be very soon.
              -lin
           \_ V FOR VENDETTA!
        \_ From the csua home page:
           Soda was recently compromised and the root staff have rebuilt it
           from scratch. Soda was down all weekend for repairs. Due to the
           scope of the attack, all user accounts have been disabled. Please
           note, that if you logged into another machine from Soda in the
           last two weeks, that account is compromised or if you used
           keyboard authentication to access soda, your password has been
           logged. The root staff has not yet restored POP and IMAP, but
           plan to do so in the near future. In addition, certain parts of
           ~user public_html pages are presently disabled.

2006/4/11-18 [Computer/SW/Security] UID:42729 Activity:nil
4/11    So any suggestions how I can try and verify that other machines
        to which I have access have not been compromised? In which case
        hopefully it should be enough to change my passwords. I don't
        think I logged in anywhere from soda but would like to be sure.
        \_ If you have logged in with keyboard interactive to soda, or ssh'ed
           with keyboard interactive from soda your passwords are likely
           compromised.  Sorry for the instability.
           \_ The machine I logged into soda from's password is
              compromised?  How does that work?

2006/4/11-17 [Computer/SW/Security] UID:42724 Activity:low
4/11    So is there a trail of evidence as to where this compromise came from?
        \_ A theory is that someone caused the crash by trojanning
           ssh/sshd and then installing a rootkit when he temporarily had root.
           \_ ZOMG remember remember, the 5th of november!
              \_ Well, yeah that letter was involved.
           \_ Let's go through some suspects. Who are some of the past
              disgruntled root members?
              \_ Historically the most disgruntled root members are those who
                 still HAVE root (not by choice).  --dbushong
           \_ Yeah, but, erm, doesn't that kind of beg the question?
              \_ A certain person installed and put the old vulnerable sendmail
                 back even on this current incarnation of soda.  Seems like
                 maybe you should question him/his motiVes.
2006/4/6-7 [Reference/Law/Court, Computer/SW/Security] UID:42708 Activity:kinda low
4/6     http://csua.org/u/fg6 (orlandosentinel.com)
        Lawyer for DHS ICE Operation Predator chief (who pleaded no contest
        to exposing sexual organs and disorderly conduct), says he could have
        won the case:
        "The victim's account is not credible, Phillips said, saying that if
        the teen could see 2 centimeters of flesh from 20 feet away when others
        sitting much closer to Figueroa didn't notice anything, 'she has the
        visual acuity of most birds of prey.'"
        \_ 2 centimeters? Now I feel sorry for the guy ...
        \_ It's not too hard to see 2cm at 20 feet distance.
        \_ He thinks the average juror Joe would know how long a centimeter is?
        \_ because clearly, 20 feet from someone is a safe distance to be
           masturbating.
2006/4/6-7 [Computer/SW/Security, Computer/SW/Unix] UID:42706 Activity:low
4/6     /var/mail is full.  I'd mail root, but...
        \_ soda: [~] % du -h /var/mail/kislyuk
                      16G    /var/mail/kislyuk
           \_ Last login Sun Dec  4 18:44 (PST) on ttyB5 from ....
           New mail received Thu Apr  6 09:12 2006 (PDT)
                Unread since Sat Dec  3 12:47 2005 (PST)
           \_ Isn't there a 25M quota on /var/mail?  How did it get to 16G?
2006/4/6-7 [Computer/SW/Security, Computer/SW/Unix] UID:42704 Activity:nil
4/5     Problem: sshd acting weird. Platform: Linux 2.6.x. Symptoms: Ssh
        connection got stuck all of a sudden. Cannot ssh into the machine.
        Ping ok, and apache2 apparently working. Console log-in takes +5 min &
        nothing weird in /var/log/*.log. Restarted sshd a few times, no luck.
        Restarted the machine, everything's normal. Two hours later, sshd
        is weird again. Same symptoms. What are some possible culprits?
        \_ I thought Soda ran FreeBSD
        \_ NIS or NFS?
        \_ Hmm... any chance you have a bad disk?  sshd's virtual memory is
           writing to bad blocks, which causes it to run very slow?  Or the
           blocks where your auth.log or something else that gets written to
           on login? -dans
        \_ NFS mounted home dir on remote file server.  DNS lookup failure
           on that NFS mount, or DNS reverse lookup failure on remote host
           but the console login delay implies NFS failure.  Or it could be
           something entirely different.  :-)  But I'd check those two first.
2006/4/5-7 [Computer/SW/Security] UID:42685 Activity:nil
4/5     A few days ago someone asked for technical details for BART's fuckup.
        Here it is: http://www.bart.gov/news/press/news20060405.asp
        \_ well, they seem well-intentioned.  I don't think anyone's
           about to boycott Bart because of the downtime anyway.
           \_ In one of those links posted I found it interesting to read that
              one of BART's design goals is that a technical incident that
              causes the shutdown of all trains for more than 5 seconds is
              supposed to occur with a mean frequency of no more than once in
              20,000 service hours.  I think if you count the recent screwups
              as a single incident, they probably meet that goal.  Individual
              trains obviously fail more often though.
2006/4/4 [Computer/SW/Security, Computer/SW/Apps/Media, Industry/Startup] UID:42653 Activity:nil
4/4     http://news.yahoo.com/s/ap/20060404/ap_on_bi_ge/computer_sciences
        Computer Sciences Cutting 5,000 Jobs. Don't worry it's not
        CS CS, but CS Corp. What a dumb ass company name, it's like
        Merck naming itself "Pharmaceutical Company"
        \_ How do you feel about Microchip, LSI, or VLSI?
           \_ Or Analog Devices.  But yea, CSC is bad.  My company uses them
              and they are incompetent.
        \_ Usually they are called 'CSC'. As others have noted, how is
           that much different from, say, SAIC?
2006/4/3-4 [Computer/SW/Security] UID:42641 Activity:nil
4/3     Can someone explain why some people were getting "Connection Closed" when
        trying to SSH to soda?  -clueless
        \_ something is wrong w/ password authentication. try ssh -v to get
           more info.
           \_ yea i did that. ssh -vvv What could be wrong with password
              authentication?
        \_ on putty/win32.  I checked "x-forwarding." and it worked for
           some reason
2006/4/3-4 [Computer/SW/Security] UID:42632 Activity:nil 75%like:42634
4/3     Any idea why soda's SSH has been flaky the past few days?
        \_ It has something to do with LDAP being a terrorist and sshd dying
           randomly.
           \_ I always knew El-Dap was fishy.
2006/4/3-7 [Computer/SW/Security] UID:42630 Activity:nil
4/3     SSH is being flaky. We are working on the issue. Please be patient.
        In the meantime, we suggest using screen. Soda's ssh key has been
        changed, sorry about that (ssh was restarted, as well).
        We will post more as we work on the problem.
        Thanks, students-not-in-class - edilaic
2006/4/2-3 [Computer/SW/Security] UID:42607 Activity:nil
4/2     Anyone been getting a "Connection closed by 128.32.112.233" when
        attempting to ssh into soda? I'm getting this when using OS X's
        OpenSSH but not when using Java SSH. [motd format god was here]
        \_ I've been getting this too from OS X and from a Linux machine.
           Clever idea to use the Java SSH client though -- i hadn't thought
           of that.
           \_ Works fine with putty. Something wonky happened recently.
              Local ssh also fails. The sshd must have been broken.
              \_ I am using putty and I am not able to get in.
           \_ Further investigation: I added my key to authorized_hosts2
              and can login from my OS X box now. It seems that the
              keyboard-interactive method is broken. -pp
              \- Starting last thursday around 5-6pm or so, we saw
                 some RSTs resetting ssh connections of certain network
                 segments I can't go into details about. We haven't figured
                 out where they came from and a fair number of people
                 are quite concerned about this. I'd pay attention to
                 changing hostkeys and generally go to DEFCON4 for a while.
                 This was not in the http://berkeley.edu domain. If you see
                 this in other domains, can you list them here. Tnx.
2006/3/31-4/3 [Computer/SW/Apps/Media, Computer/SW/Security] UID:42568 Activity:high
3/31    Anyone want to engage in wild speculation on 30th anniversary Apple
        announcements?
        \_ OMFG TEH 1337 LIMITED EDITION 30th ANNIVERSARY IPOD!  -John
        \_ More very expensive consumer electronics toys that lock you in.
           \_ The iPod locks you in how?  Well, ITMS does but frankly, ITMS
              is lame.  (Not the implementation, the whole DRM + too damn
              much a song)
              \_ I have plans to write an application that adds some of your
                 fair use rights back in to iTunes, but does not circumvent
                 the terms of the DMCA. -dans
                 \_ That's cute dan.
                    \_ I'm not sure how to interpret this. -dans
                 \_ Ignoring the fact that you will likely be in violation
                    of the itms terms of use, how exactly do you propose to
                    go about doing this in light of the 2d cir's ruling in
                    Corley (273 F.3d 429 (2d Cir 2001)) that "fair use"
                    doesn't mean that you have a right to use in your
                    preferred format?
                    And if you do decide to take up the challenge, you may
                    wish to speak to Robin Gross who handled the Corley
                    matter.
           \_ I don't know how you can make such wild claims.
              \_ Reckless posting like this will destabilize the motd for
                 generations!
                 \_ I bet BUD DAY never posts recklessly!
        \_ Probably just an accident, but I find it odd that this thread from
           the middle of 3/31 was nuked while threads with fewer comments or
           responses from 3/30 and 3/29 were not.  In response to the person
           who mentioned terms of use as well as the Corley case: Actually,
           the app I plan to release is something that facilitates legal
           sharing, not format shifting.  Also, isn't there more recent case
           law that does support format and time-shifting as fair use?
           Basically, it allows you to authorize a friend's computer for your
           iTunes purchases for a limited amount of time, and then
           automatically deauthorize.  This in no way allows you to circumvent
           having more than the max (5?) machines authorized at any one time.
           I still need to look at the iTunes EULA to see if *using* this app
           violates the terms of service.  Even if it does, it's a contract
           violation, not an illegal act.  Regardless, it's definitely legal
           for me to write and distribute it since it is intended to
           facilitate legitimate, non-infringing fair use of copyrighted
           works.  Also, I'm not 100% certain that my app is feasible, I still
           need to look into some technical odds and ends to verify this.
           Fortunately, we have many very good electronic rights lawyers in
           and around this area, Robin Gross among them, as well as Berkeley's
           own Pamela Samuelson, Lawrence Lessig, and Fred von Lohmann to name
           a few. -dans
           \_ AFAIK, there haven't been any recent cases of any
              significance wrt time/space shifting.
              You are probably thinking of the 9th Cir. ruling in RIAA v.
              Diamond, 180 F. 3d 1072 (9th Cir 1999). Diamond dealt w/
              what constitutes a digital audio recorder; not w/ DMCA
              violations. The DMCA wasn't at issue b/c (1) it hadn't been
              passed when the case was brought, (2) may not have taken
              effect until 2000 (Sec 1201(a)(1) 2d sentence) and (3) CDs
              don't have DRM/TPM so they are not covered under the DMCA.
              Corley was 2 yrs later (2001) and dealt w/ the DMCA directly.
              My understanding is that the Corley view that fair use doesn't
              mean you have the right to make a digital reproduction pretty
              much dominates.
              It is of some note that the USSC avoided the whole time/shape
              shifting Sony argument in Grokster. I'd personally be VERY
              hesitant to get involved in any US effort in this area (but
              then again I don't want to have to cool my heels in the
              clink).
              Re production of the app, I'm not sure that your interpretation
              of Sec. 1201 is correct. You might be making a "device" whose
              primary purpose is to circumvent Apple's access control
              mechanism under Sec 1201(a)(2) (if one were to adopt the view of
              the unholy hordes of darkness). You might also be making a device
              whose primary purpose is to circumvent a copy control mechanism
              under Sec 1201(b)(2)(A) (perhaps the RIAA could use some 100W
              bulbs in their offices so that they would not be forced to take
              so dim a view of the law).
              BTW, I took a class from Robin last summer and could probably
              put you in touch w/ her if needed "more/better" info re the
              DMCA, &c.
              \_ Oh, cool.  Thanks.  I'm fairly confident that writing and
                 releasing the app is not going to get me sued.  Of course,
                 before it comes to that, I'll almost certainly get a cease
                 and desist letter.  I'll cross that bridge when I come to it.
                 I'm good friends with a former EFF staff technologist, and
                 reasonably acquainted with (one of?) the current one(s) so I
                 should have some inroads.  As I understand it the law is
                 ultimately about arguments.  So if this actually came to a
                 challenge, it would be up to a judge to determine whether or
                 not this constitutes a device whose primary purpose is
                 circumventing an access control or if this is a device whose
                 primary purpose was to facilitate contributory copyright
                 infringement.  Is that a reasonable assessment?  Thank you
                 anonymous motd legal advisor, I appreciate the insights.
                 -dans
                 \_ I love it when someone is more pedantic and long winded
                    on the motd.  it makes me so hot.
                    \_ wtf?  I asked a question.  I'm not a lawyer or a law
                       student.  Whoever posted the post I was responding to
                       clearly knows his/her shit.  If my understanding of
                       theory or process is flawed, I'd like to know it. -dans
                         \_ Wow, so you post an honest question addressing
                            something you're ignorant about, someone gives a
                            snarky reply...and you get all pissy about it?  I
                            remember you having a similar conversation not so
                            long ago, only with positions reversed and you
                            getting very righteous about being snarky....
                            \_ My MOTD with Dans:
                               1. Sweeping comment Made by Dans.
                               2. Disagreement expressed.
                               3. Dans goes nuts and says "where are the facts"
                                  (not that he has really presented any)
                                  May remind you that he is Jewish.
                               4. You or somebody else tries to give a short
                                  reply ... Dans broadens/changes the topic ...
                                  and spends a lot of time ignorantly but
                                  occasionally entertainingly (isn't that what
                                  make it all worth it?) foaming.
                               5. You or somebody else takes the time to
                                  post a long informed reply in an area of
                                  expertise or experience.
                               6. Dans now says "I'm glad we had a civilized
                                  discussion," not realizing he has been taken
                                  to skool.
                                      \_ sic  --dans #1 Fan
                                         \- that is olde english, used by
                                            people too cool for school
                                  \_ Please support your statement with facts!!
                                        --dans #1 Fan
                            \_ Yup.  Get over it.  Hey look, I got my answer
                               below, which is all I care about! -dans
                               \_ Typical Jew.
                                  \_ This is such an obvious troll, but say
                                     that to my face some time and see what
                                     happens. -dans
                               \_ Well, at least you're honest about your
                                  hypocrisy....
                                  \_ Your posts lack either insight or humor?
                                     Do you have a point?  If your goal is to
                                     upset me, you failed. -dans
                       \_ You are mostly in the ballpark. There is more to
                          the law than simply arguments, and judges are
                          usually limited in their application of a statute
                          to a higher ct's interpretation of that statute.
                          I am not 100% sure, but iirc the word "primarily"
                          has pretty much been read out of the Sec 1201(a)
                          (2)(A). Note also that Sec 1201(a)(1) doesn't even
                          require "primarily."
                          There are two theories of vicarious liability you
                          probably need to know about:
                          1. Contributory Infringement - You knew that users
                             were infringing and either caused or contributed
                             to the infringement.
                          2. Inducement - You knew that users were infringing,
                             you materially contributed to that infringement
                             and you encouraged them to infringe for personal
                             gain.
                          If you gave the software away, you probably could
                          avoid the whole Inducement issue (the Grokster
                          theory of liability), but this is still an open
                          issue. hic sunt dracones.
                          After reading the itms music license, contributory
                          infringement seems like it could be a problem for
                          you. If you look at Section 9(b) Use of Products,
                          one may not actually own the bits that constitute
                          a song purchased from itms:
                          http://www.apple.com/support/itunes/legal/terms.html
                          [ This is one reason I won't buy from itms, even
                            though I drink a considerable amt of iKoolAid ]
                          \_ Cool, thanks! -dans
2006/3/15-17 [Politics/Domestic/911, Computer/SW/Security] UID:42248 Activity:nil
3/15    Homeland Security is everyone's business:
        http://www.twotigersonline.com/banners.html  -John
2006/3/15-16 [Computer/SW/Security] UID:42246 Activity:kinda low
3/14    http://news.yahoo.com/s/nm/20060315/od_nm/media_discovery1_dc
        Look you can look smart in front of your kids by relearning things
        you forgot in school! (In other words, people become dumber and
        dumber as they get older).
        \_ No, people forget things they don't use as they learn new things.
        \_ Just finished reading a Time article where it talks about how your
           brain becomes more efficient until around age 60 or so, when it
           starts to deteriorate.  Of course, if you DON'T USE IT, then yes
           you will become dumber and dumber as you get older.
2006/3/15-16 [Computer/SW/Security] UID:42245 Activity:nil
3/15    Zfone Beta is out (secure VoIP software from Phil "PGP" Zimmermann):
        http://www.philzimmermann.com/EN/zfone/index.html
        \_ What do you have to hide?  Hmmmm?
2006/3/13-14 [Computer/SW/Security] UID:42206 Activity:nil
3/13    "Big Boost Begins March 19"
        http://www.actransit.org/news/articledetail.wu?articleid=c1e6ca52
        New transbay bus lines crossing the Bay Bridge and San Mateo Bridge,
        service increase to many existing lines, and the new All Nighter
        service.
2006/3/10-13 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:42188 Activity:low 72%like:42184
3/10    Isn't posner supposed to be smart?
        http://csua.org/u/f7i (news.com.com)
        \- What is your point? also since he would have been hearing it
           at the appellate level, his comment may be on some narrow legal
           point. i imagine he approaches this in terms of his econ
           approach about what ruling produces "efficient outcomes".
        \_ this is so fcuked up.
        \_ The guy who wrote the http://news.com.com must have read a different
           opinion than the linked Posner one.  Reading the linked Posner
           decision, what the http://news.com.com article claims are "two
           remarkable leaps" are actually just direct application of the
           US Code ("damage" includes "any impairment to the integrity or
           *availability* of data" [emphasis added]) or a previous decision
           ("violating the duty of loyalty, or failing to disclose adverse
           interests, voids the agency relationship" State v. DiBiulio).
              \_ I disagree.  That US Code is "unconstitutionally vague".
                 Simply deleting the files constitutes "impairment" to the
                 "availability of data." If attempting to delete the files
                 was a violation, then fine.  But the fact that he happened
                 (unlike most people) to know how to *actually* delete the
                 files, is, im(ns)ho, irrelevant.
        \_ The way I read the statute, IAC needs to show the following
           in order to state a claim under the statute:
                1. Citrin knowingly transmitted a program
                2. To a protected computer; AND
                3. Citrin intentionally used that program
                4. To cause damage to the data on the computer; AND
                5. Citrin was not authorized to cause that damage.
           Posner is hearing the case on appeal from a dismissal for
           failure to state a claim. Basically, at this point his
           job is to assume that Citrin actually did all the things
           IAC says he did and figure out if that would be enough
           for IAC to get relief.
           Added to this is the suggestion that some of the data
           that was deleted may have been incriminating evidence
           re a breach of contract or breach of the duty of loyalty
           claim.
           Given that it is so early in the game and the potential
           destruction of evidence Posner seems to think that it is
           probably a good idea to have Citrin tell the trial judge
           his side of the story before the case is dismissed.
           Re "damage" == "delete": To me, it seems clear that it is
           within Congress' power to reach unauthorized deletions of
           data from a protected computer under the Commerce Clause.
           If you access my computer w/o my authorization, intentionally
           install srm(1) and then srm /bsd, I think Congress has the
           power to hold you liable.
           I don't see the 5th amend vagueness argument, please explain.
2006/3/2 [Computer/SW/Security, Computer/SW/Unix] UID:42066 Activity:nil
3/2     very bizarre pass login behavior on soda ... I am able to login
        using an old password, and variations of that password ... anyone
        ever heard of this behavior before? I emailed root ... is anyone
        checking that now????
2006/3/1-2 [Computer/SW/Security] UID:42050 Activity:nil
3/1     Every once in a while my ssh and X11 via port forwarding would get
        stuck and wouldn't respond anymore and I'd have to reconnect.
        Does anyone know why this is happening and how to fix it? Thanks.
        \_ Does this only happen after you've been idle for a while?
2006/2/16-17 [Computer/SW/Security] UID:41894 Activity:kinda low
2/16    When are these people going to realize how to correctly black out text
        in a PDF file?  It's fortunate it's only driver's license numbers that
        were "blacked out".
        link:csua.org/u/f05 (latimes.com) Sheriff's report on Cheney shooting
        \_ I don't see what is wrong, give me a clue?
           \_ Try to copy out the blacked out text.
           \_ Try to think of the most stupid way imaginable to try to black
              out text in an electronic document.  Bingo.
              \_ Hey, it might not be the stupidest. Never (mis)underestimate
                 stupidity.
        \_ Beautiful. This happens almost too often in court, and people are
           constantly calling to see if they can get what they thought was a
           redacted copy off the website. --erikred
        \_ "I was to report to the main house."  "I was instructed to park my
           vehicle ..."  "I ... was turned over to another agent ...".  Gee,
           how submissive.  County Sheriffs work for the county, not the Fed,
           right?  This Chief Deputy has no balls.  That is, unless his report
           on a typical highway pullover also reads like this:
           "I was to report to the speeding driver's window."
           "I was instructed that the driver's license has expired."
           "I was turned over to the passenger who judged my (lack of) genital
           size."
           "I humbly submitted the written citation to the driver.  Then I
           excused myself back to the insignificant patrol car."
           \_ Well, if he just ignored the secret service he'd be liable to
              get his ass shot. Does he have authority over them?
              \_ I know a guy who used to drive in nuke convoys when  he was in
                 the army.  The Colorado highway patrol used to try to pull
                 them over.  They had helicopter gunship and F-15 escorts,
                 and U.S. gov't plates, generally were not speeding, and these
                 fuckers would come up with their little cop pistols and try
                 to start shit.  It did not generally end well for the cops.
                 No one was ever hurt beyond a bruised ego, but they were very
                 very lucky.
                 \_ How do F-15 jets escort trucks going 65mph?
              \_ Secret Service *is* law enforcement.  They can make arrests,
                 etc.  They most likely have jurisdiction wherever they are.
                 \_ If the County Sheriff don't have jurisdiction over this
                    incident, why was the Chief Deputy taking statements?
2006/2/15 [Computer/SW/Security, Computer/SW/Unix] UID:41851 Activity:low
2/15    Can one of you root guys please explain how tom has been
        eerily and correctly identifying anonymous motd posters? Is he
        abusing root or abusing his connection to root?
        \_ I don't think tom's been abusing root.  Unfortunately, it's not
           too hard to identify most motd posters even without root.  If you
           have ideas for how to make it harder, please let us know.  --root
           \_ why should it be hard to identify who is posting to the MOTD?
              Do we really think the MOTD is a better place for not having
              the basic auditing capability that every other forum on the
              net has?  -tom
        \_ I bet tom doesn't need technical means to identify most
           posters.
        \_ Several of us have various scripted ways of figuring out who other
           posters are but only a childish schmuck would descend to that
           level in a cheap attempt to 'score' points on the motd.  And his
           predictive abilities are hardly "eerie".  He has a terrible track
           record of identifying people especially considering how often he
           names names.
           \_ ooh, big bad tom naming names...  Grow up, reiffin.
              \_ nice try but wrong.
2006/2/14-15 [Recreation/Computer/Games, Computer/SW/Languages/Misc, Computer/SW/Security] UID:41841 Activity:moderate
2/14    Related to the gaming thread below.  What made you/inspired you to
        take CS?  Computer gaming as a kid?
        \_ Hott CS women.  I was obviously misled.
           \_ Isn't karen hot?
              \_ Note that the comment is plural.
              \_ If you're CS, yes.
        \_ I liked computers and liked the idea of controlling them.  I guess
           I got started with LOGO and a toy robot that could be given simple
           programs like "go forward, turn left, go forward, flash lights" etc.
        \_ When I was 7 years old I used a Heathkit computer that my uncle had
           bought.  Just seeing some of the retarded games on it got me
           interested.
        \_ Anthro 193 survey form filled out by 200+ undergrads: all but a
           trivial number said "money" or "parents made me for money".
           \_ must have been during the boom years.  I liked CS because it
              was interesting.
              \_ Early 90s.  Definitely pre-boom.  It was a recession.
        \_ Writing really simple games in basic/pascal.
        \_ Writing really simple but cool graphics code on an old Atari.
           Pixels and sprites 4 life!
        \_ Writing machine code on Apple II with no assembler to read some
           hardware switches, and interfacing it with BASIC, was fun.
           \_ Fuckin' a.
           \_ Reminds me of when I wrote machine code to access the sectors of
              a disk directly so I could read the Ultima IV map off the disks.
              Then I remapped the character set of my dot-matrix printer to
              match the game.  The map was 256x256 squares.  Ah, those were the
              days of hand-assembled 6502.
              \_ Just goes to show that practical application is a powerful
                 motivator; I learned ResEdit just so's I screw around with
                 hex code in Prince of Persia.
              \_ We made our own maps on Ultima IV & III once we learned what
                 all the codes stood for.
        \_ My mom was an AI researcher.
2006/2/3-7 [Computer/SW/Security] UID:41689 Activity:nil
2/3     OpenSSH 4.3 is out. Mostly bug fixes.
        http://marc.theaimsgroup.com/?l=secure-shell&m=113881090315376&w=2
2006/2/1-3 [Consumer/CellPhone, Computer/SW/Security] UID:41652 Activity:low
2/1     Dear old farts. What was the consumer end of telecomm like before
        the 1983 divestiture of AT&T into 7 baby Bells, in terms of price
        for consumers, sound quality, reliability, and service?
        \_ Most of you youngin' were too young to remember this but back
           then long distance calls were prohibitively expensive. On the
           other hand, you didn't have tons of long distance carriers to
           choose from each with confusing plans, and you didn't have to
           worry about MCI or 1010220 or 1010-RIPOFF that exist today, each
           ripping you off one way or another because you didn't read the
           fine prints. The quality and reliability of service was CONSISTENT,
           meaning it wasn't all that great by today's standards but at least
           you knew that your line sucked as much as everyone else's. Nowadays
           the quality varies so much (cell, landline, voip) that it's hard
           to make an informed decision on choosing a good plan-- e.g. in
           one year Cingular's great, but next year it'll be oversaturated
           again. To sum up, I miss the accountability and consistency of
           service in the old days. I miss not having to read 10 different
           plans before choosing one. I miss the easy to read telephone
           bills-- you ever read today's bills and see how confusing it
           is?  I wish that today's companies would offer more
           accountability, more independent auditing of quality of service,
           and above all else making plans and fine prints much clearer for
           consumers to make informed decisions.                -old man
        \_ i thought it's just AT&T :p  the quality and reliability was
           pretty good in my experience.  During Chinese New Year time,
           however, I would have to keep dialing for hours at the time to
           get the international phone call through.  Long Distance phone
           call was expensive.  The most important thing, IMHO, is that there
           isn't much innovation when AT&T dominated the phone landscape.
           Call-waiting, call-forwarding, caller-ID, i think all these things
           came up *AFTER* the break up of AT&T.
                - can't wait to see the wave of innovation that comes out
                  after we break up Microsoft
           \_ Let's see how many units M$ can break up to: OS, browser and web
              server, dev tools, games, office apps.  Browser and web server
              might need to break up further into two.
        \_ I remember standing in line with my dad so he could get a phone.
           You would rent your phone from AT&T, you didn't own it.  I read
           an article about little old ladies who have been paying the phone
           rental fees for 20+ years because the phone companies never bothered
           to tell them they can have their own phones for free now.  It's
           a not-insignificant revenue stream.
           \_ I might be wrong, but from what I recall you could own a
              phone or rent one. However, it was expensive to buy one
              and most people rented.
              \_ You could own a cheap one, but it voided out your AT&T service
                 agreement. If something happened, they would "check the line"
                 since your non-standard equipment might have caused the
                 problem. Since your agreement was now void, they could charge
                 you whatever and take care of it whenever they felt like.
                 Mmmm... Taste that monopoly goodness. Then AT&T figured they
                 could get around complaints and make money by selling AT&T
                 approved phones. Welcome Princess and Slimline phones!
        \_ Cost of long-distance calls (let alone international calls) was
           prohibitive. For a modern equivalent, cf. Japan's NTT five to
           ten years ago, complete with phone renting, no competition.
        \_ "So I feel like a real consumer fool about my money, and now
           I have to feel like a fool about my phone, too. I liked it
           better back when we all had to belong to the same Telephone
           Company, and phones were phones -- black, heavy objects
           that were routinely used in the movies as murder weapons
           (try that with today's phones!). Also, they were
           permanently attached to your house, and only highly trained
           Telephone Company personnel could "install" them. This
           involved attaching four wires, but the Telephone Company
           always made it sound like brain surgery. It was part of the
           mystique. When you called for your installation
           appointment, the Telephone Company would say: "We will have
           an installer in your area between the hours of 9
           A.M. October 3 and the following spring. Will someone be at
           home?" And you would say yes, if you wanted a phone. You
           would stay at home, the anxious hours ticking by, and you
           would wait for your Phone Man. It was as close as most
           people came to experiencing what heroin addicts go through,
           the difference being that heroin addicts have the option of
           going to another supplier. Phone customers didn't. They
           feared the power of the Telephone Company.

           I remember when I was in college, and my roommate Rob
           somehow obtained a phone. It was a Hot Phone. Rob hooked it
           up to our legal, wall-mounted phone with a long wire, which
           gave us the capability of calling the pizza-delivery man
           without getting up off the floor. This capability was
           essential, many nights. But we lived in fear. Because we
           knew we were breaking the rule -- not a local, state, or
           federal rule, but a Telephone Company rule -- and that any
           moment, agents of the Telephone Company, accompanied by
           heavy black dogs, might burst through the door and seize
           the Hot Phone and write our names down and we would never
           be allowed to have phone service again. And the dogs would
           seize our pizza."   --Dave Barry
2006/1/25-27 [Academia/Berkeley/CSUA, Computer/SW/Security, Computer/SW/Unix] UID:41509 Activity:nil
1/25    to root:  just curious... what might be the causes of recent
        Soda instability?  are you guys doing something that may crash soda?
        are you guys trying to fix something?
        \_ The root of the problem is that the root used to be run by
           experienced late 20/early 30 something folks, and when the
           root was handed down by the new gen-Y 20 year old kids, they
           don't know how to run the system. In fact they prefer soda
           running on Windows XP.
        \_ http://csua.org/u/erg
           Rest assured, when Soda recovers from its Jan. 24th funk, it
           will be much happier and stable. -mrauser
           \_ I prefer the more straight-forward approach of the VP bat.
              - jvarga
2006/1/21-24 [Computer/SW/Security, Computer/SW/OS/OsX] UID:41471 Activity:low
1/21    How does one usually write a log file from a multi-threaded
        server?  Is there a way to avoid using locks around the file
        writes?  Relying on some kind of low-level atomic writes and
        fsync() or something?
        \_ I would create a class to act as the single point of access
           to the log file. Have the other threads go through the logger
           singleton to write the info into a ring buffer and signal
           a separate thread to actually write to the file. - ciyer
           \_ Well you will need a lock to write into the ring buffer, and once
              one thread has that lock then if the buffer is getting full you
              can have that thread write the buffer and flush the output stream
              right? -!op
              \_ That should work too. I work with audio and parts of my
                 code run in realtime threads which should not block, so
                 I've implemented a lockless ring buffer (using
                 CompareAndSwap on OS X) so the thread writing into the log
                 never takes a lock and can't access the disk
2006/1/10-12 [Computer/SW/Security] UID:41329 Activity:nil
1/10    I added X11 forwarding (said "yes") in /etc/ssh/ssh*_config
        and /etc/init.d/ssh restart. However, my win ssh client
        still says "server does not allow X11 forwarding." What's up?
        \_ Silly question (or maybe not).. Are you running an X server
           on your windows box?  Another silly question.  Is X installed
           on said server?  sshd needs to be able to find xauth, etc to
           do X forwarding.  Make sure they're in your path.
           \_ THANK YOU. After thinking about this, I simply did an
              apt-get install xbase-clients which then pulled in all
              the X dependencies. Afterwards, I can do X!!! Yay!
              Thank you so much. By the way how do I check which
              package depends on others? I have no idea what package
              I pulled in.
              \_ rpm -q --requires xbase-clients   -tom
2006/1/4-6 [Computer/SW/Security, Computer/Theory] UID:41226 Activity:nil
1/4     "Mo. Researchers Find Largest Prime Number"
        http://news.yahoo.com/s/ap/20060104/ap_on_sc/largest_prime_number
        Why are people interested in finding large prime numbers?  They already
        know that there are an infinite number of primes, so what's the point of
        finding them?
        \_ because they are there.  finding more may help with proving
           (or disproving) conjectures about dist. of primes, etc
        \_ You know that prime numbers have a lot to do with public key
           cryptography right?
           \_ Yeah, but with a prime as large as 30 million bits?
        \_ This is usually tangential to burning in a new supercomputer.
           They let it sit there and compute prime for a bit. As computers
           get ever faster, they find new primes and it generates a little
           PR for the guys running the new computer. At least this is how
           most of these ginormous primes are discovered.
              \_ Learning how to work with large primes has value.  We used to
                 compute pi to billions of digits.  Now we test primes.
                 \_ This particular project is more like SETI-at-home and
                    is validating a s/w concept re: distributed computing.
                    Lots of these primes are incidental discoveries.
2005/12/26-28 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:41141 Activity:nil
12/25   I can't log into soda from my home machine.  (I can ssh to beer
        and ssh to soda from there, however) -jrleek
2005/12/20-22 [Computer/SW/Security, Politics/Domestic/SocialSecurity] UID:41088 Activity:nil
12/20   Update on the "DHS visits student for book ILL" story.  At least one
        fact is wrong.  The ILL doesn't require a social security number:
        http://acrlblog.org/2005/12/19/interlibrary-loan-causes-a-stir
2005/12/12-14 [Computer/SW/Security] UID:40978 Activity:nil
12/12   On the hardware page the SSH rsa and dsa keys are listed as:
          RSA - 96:0d:44:65:af:9b:c2:9a:b3:19:6f:28:bc:07:85:e4
          DSA - 91:cc:22:95:03:1d:92:3f:a3:4b:1d:5c:0c:44:d6:69
        I think these are the keys for coke. Anyway, when I run
        ssh-keygen -l on soda (or when I get the keys via keyscan)
        I get the following values:
          RSA - e1:9c:e5:c7:f9:9f:f3:af:04:ef:df:2d:63:b0:84:4a
          DSA - 2a:5f:0c:23:c2:80:dc:ef:d4:ee:bb:4e:a5:80:25:d5
        Can someone fix the webpage?
          http://www.csua.berkeley.edu/computing/hardware
        tia.
        \_ Finally did it. - jvarga
           \_ Thanks. You rock.
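The check described in the post above (compare the fingerprints a web page publishes with what a key scan of the host returns), as an added example that is not part of the original thread. It computes the colon-separated MD5 fingerprint format shown in the post from "host keytype base64" scan lines; the host name soda.example and the key itself are constructed sample data, and only the stale RSA fingerprint is taken from the post.

```python
import base64
import hashlib
import struct

# Stale RSA fingerprint quoted in the post above (what the web page listed).
PUBLISHED_STALE_RSA = "96:0d:44:65:af:9b:c2:9a:b3:19:6f:28:bc:07:85:e4"


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer (leading zero if top bit set)."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_sample_keyscan_line(host: str) -> str:
    """Constructed sample: a well-formed ssh-rsa blob with a made-up modulus."""
    seed = hashlib.sha512(b"constructed sample").digest() * 2
    modulus = int.from_bytes(seed, "big") | 1
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


def parse_keyscan_line(line: str):
    """Return (host, key_type, blob) from one 'host keytype base64' line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected 'host keytype base64blob'")
    host, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    # The blob carries its own type string; it must agree with the text field,
    # otherwise the line was mangled or edited.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type field does not match key blob")
    return host, key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy fingerprint: MD5 of the raw key blob as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Newer OpenSSH display format: unpadded base64 of SHA-256 of the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def normalize(fingerprint: str) -> str:
    """Accept 'MD5:' prefixes and upper-case hex in a published value."""
    fingerprint = fingerprint.strip()
    if fingerprint[:4].upper() == "MD5:":
        fingerprint = fingerprint[4:]
    return fingerprint.lower()


def check_host_keys(published: dict, keyscan_output: str) -> dict:
    """Map each scanned key type to 'match', 'MISMATCH' or 'unpublished'."""
    results = {}
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # scan output may contain banner comment lines
        _host, key_type, blob = parse_keyscan_line(line)
        expected = published.get(key_type)
        if expected is None:
            results[key_type] = "unpublished"
        elif normalize(expected) == md5_fingerprint(blob):
            results[key_type] = "match"
        else:
            results[key_type] = "MISMATCH"
    return results


if __name__ == "__main__":
    scan = "# constructed scan output\n" + build_sample_keyscan_line("soda.example")
    # Web page still lists the old key: the check reports the disagreement.
    print(check_host_keys({"ssh-rsa": PUBLISHED_STALE_RSA}, scan))
    # After the page is corrected to the scanned key's fingerprint, it matches.
    _, _, blob = parse_keyscan_line(scan.splitlines()[1])
    print(check_host_keys({"ssh-rsa": md5_fingerprint(blob)}, scan))
    print(sha256_fingerprint(blob))
```

A match only shows that the page and the scan agree; the published list has to reach the user over a channel other than the connection being checked for the comparison to mean anything.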
2005/12/10-12 [Computer/SW/Security, Academia/Berkeley/CSUA] UID:40952 Activity:nil
12/10   Where can I find the new ssh keys?
        \_ http://csua.berkeley.edu/computing/hardware
2005/12/9-11 [Recreation/Computer, Computer/SW/Security, Academia/Berkeley/CSUA] UID:40941 Activity:nil 77%like:40940
12/9    Looking for a job? Come work with us at Snapfish (now a service of HP).
        It's fun and neat and all that stuff. Take a look at
        /csua/pub/jobs/Snapfish for the latest postings, and feel free to
        drop me a line with questions or whatnot. - ajani
2005/12/7-9 [Computer/SW/Database, Computer/SW/Security, Industry/Jobs] UID:40906 Activity:nil
12/7    We're looking for interns for a 3-5 month project helping us
        populate our security policy database for various windows applications.
        The work involves installing the application, using it for a while,
        determining the appropriate security policy, and entering it
        in to a database.  Work is 15+ hours a week (however much you want
        to work above min. 15 is fine), pays $12-$15 an hour, and can be
        done offsite from the comfort of your own home.
        email sking@zonelabs.com if you are interested.
        --sky
        \_ Don't you know students don't read motd?
           \_ Good point. i should email jobs@csua
2005/12/4-6 [Computer/SW/Security, Computer/SW/Unix] UID:40845 Activity:nil
12/3    Free rootcow!
        \_ Freed.  --mconst
        \_ What does this mean?
         ______________________________
        < Someone may be abusing root! >
         ------------------------------
                \   ^__^
                 \  (oo)\_______
                    (__)\       )\/\
                        ||----w |
                        ||     ||
2005/12/4-6 [Computer/SW/Security] UID:40837 Activity:low
12/3    Hey root, did someone p0wn soda?  Why'd the host keys change?!  Is
        this a man in the middle attack?  Do we all have to change our
        passwords and keys now?  [Someone had to do it. ;-)]  Thanks jvarga,
        you're the best.
        \_ I stole all your passwords.  hahahahaha.  Or something like that.
           I figure I'll actually field this question: I actually intentionally
           did not keep old-soda's keys.  I'll post the new keys on the website
           when I am a bit more conscious.  For anyone that is interested:
           http://soda.berkeley.edu/computing/hardware/soda-mark-vii.html
           - jvarga
2005/11/22-24 [Computer/SW/Security, Computer/SW/OS/Windows] UID:40691 Activity:kinda low
11/21   In windows I can disconnect anyone who's using shares on my computer.
        How do I disconnect from shares I'm using on another computer--for
        instance because I'm using a common computer and I want to revoke my
        authentication?
        \_ right-click and hit 'disconnect'?  -John
        \_ "net use /?" from cmd shell.  --sky
           \_ No, not a mapped drive.  I mean I browse to \\server\dir and want
              to close the explorer windows and when I browse again I get
              reauthenticated.
              \_ Uh, as sky said: net use.  It has nothing to do with whether
                 the drives are mapped.
              \_ "net use \\server\dir /del".  On the other hand, please tell
                 me how to disconnect anyone who's using shares on my computer.
                 Thanks.
                 \_ Right click on My Computer > Manage > System Tools >
                    Shared Folders > Sessions
2005/11/16-18 [Computer/SW/Security, Politics/Domestic/President/Bush] UID:40626 Activity:moderate
11/16   So, it was Hadley who was Woodward's source.
        He was Deputy Natl Security Advisor at the time (NSA was Rice), and is
        NSA now.
        \_ url?
           \_ http://news.google.com/news?q=hadley+woodward
        \_ "In his book, Plan of Attack, Woodward says he was given access to
            classified minutes of National Security Council meetings. Both
            Rice and Hadley were major players in these meetings."
           Okay, so he was given access to classified minutes and info. If he
           was aware that the information was classified and he revealed it,
           then he's guilty of revealing classified info. If he did not
           reveal it, then Woodward's a dead-end in this investigation,
           except perhaps to point out that the Administration tried to leak
           the info from multiple sources.
           \_ Are you suggesting that Woodward had some sort of s00perd00per
              sekr!t clearance, and thus revealing classified info to him
              would not be a crime?
              \_ If not, then yes, it's a crime, and Hadley should be charged.
                 If he _was_ given clearance, then no. Either way, Scooter's
                 still in the fryer.
        \_ NYT has hinted the Senior administration official might be Cheney.
           \_ but the NYT is a proven fraud, many times over.
              \_ You don't know what the word "fraud" means. It has not
                 been 100% correct, nothing is, but it has won many
                 Pulitzers for fine reporting. It has certainly got
                 more integrity than the Bush Administration. At least
                 they fire the liars in house, instead of promoting them
                 and giving them Freedom medals.
2005/11/16-18 [Computer/SW/Security] UID:40622 Activity:nil
11/16   Why doesn't Yahoo Mail use secure web pages?  Does it take a lot more
        hardware resource to run a secure web site?  Thanks.
        \_ Yes.  You need to actually encrypt the pages, which is probably about
           10x as expensive as serving them unencrypted.  So, while not
           resource intensive by modern standards in an absolute sense, 10x
           means 10x as many servers to serve the same load.  That's nothing to
           sniff at for a big provider.
           \_ there are SSL engine systems they could put in front of the
              actual web servers to handle the encryption load and separate
              it from the mail servers.   They're not cheap however.  What
              were you paying for Yahoo Mail's secure mail service, again?
              \_ Are you saying they aren't making any money off of me?
2005/11/12-14 [Computer/SW/OS/Windows, Computer/SW/Security] UID:40559 Activity:low
11/11   I'm phone shopping and looking for suggestions. I don't need anything
        but good phone service and the ability to swap files easily with a
        computer. I'm on Cingular. I just found out the only data swap package
        for the Samsung phone I bought (SGH-X497) uses a serial port. No USB
        options available which kind of blows. -- ulysses
        \_ what kind of file you need to swap?  Best addressbook /desktop
           integration belongs to Microsoft :(  If you want to swap photos,
           ringtone, wall papers, etc, both Nokia and SonyEricsson has good
           data suite for their phones.
           \_ The addressbook is all I care about. The rest is fluff AFAIAC.
2005/11/9-11 [Computer/SW/Security] UID:40516 Activity:nil
11/9    Does anyone know of a web hosting service that provides unix shell
        access that can access IMAP files?  I was looking at 1and1, which
        offers good space/bdw and ssh access, but their mail is maintained
        separately from the hosted files, which is kind of lame.  I'd like
        to be able to easily import or backup IMAP files using something
        like scp.  Thanks! -mds
        \_ price range?
           \_ Yes.
           \_ 1and1 with shell access and 10GB of space is $10/month.  I'd
              like something similar (e.g. < $20/month if possible) that
              has a shared pool of mail and web data.  It would have to be
              less than the cost of co-hosting my own box (which I don't
              have time for right now).  Alternatively, I guess some means
              of doing bulk transfers of IMAP data might work in a pinch, but
              I haven't seen a client capable of doing that? -mds
              \_ Typically your IMAP data is owned by one of the mail server
                 accounts and couldn't be read by your UNIX account.
                 \_ so then you're completely at the mercy of the server
                    backups?  I'd think there would be some way to take
                    a dump of those remote files as well?  Haven't found
                    a thunderbird plug-in or similar to do so, though.
                    \_ belay that, found the link below.  Thanks! -mds_
                       http://gemal.dk/blog/2004/02/19/backup_your_imap_mail
        \_ How about fetchmail?  --dbushong
2005/11/8-10 [Computer/SW/Security] UID:40487 Activity:nil
11/8    Don't forget, there's talk on software election security by one
        of the leaders in the field, Dr. David Jefferson.  It's tonight
        at 6pm in 306 Soda.
        \_ How long is the talk supposed to run?
           \_ Probably about 1 hour.
        \_ Why is it not held before the election day?
           \_ Basically logistical reasons.  David Jefferson is a busy
              guy, and originally he was going to speak on something
              totally different. We didn't get it all figured out until
              last week, and the room is available today. -jrleek
2005/10/31-11/1 [Computer/SW/Security, Computer/Networking] UID:40347 Activity:moderate
10/31   What's the best tool out there to crack WEP?
        \_ pissed that your neighbor finally enabled encryption?
           \_ Can't hack into the webcam in their daughter's bedroom?
               \_ mmm, daughter cam.
        \_ Auditor collection.  http://www.remote-exploit.org and make a donation
           to Max.  You owe me a coke.  -John
2005/10/30-31 [Computer/SW/Security, Computer/Networking] UID:40339 Activity:nil
10/29   I'm using ssh X port forwarding and just got a DLINK game router.
        Which port should I prioritize?
        \_ it's all over ssh -- port 22
2005/10/28-31 [Computer/SW/Mail, Computer/SW/Security] UID:40324 Activity:nil
10/28   Abandon the Web! guerrilla platform warfare: http://csua.org/u/dus
2005/10/27-29 [Computer/SW/Security, Computer/SW/Unix] UID:40291 Activity:low
10/27   Okay, is ftp completely gone? I'd search the motd archives but,
        wait for it, there are none.
        \_ try sftp or scp.  most sftp clients that I've used have scp
           support for transferring multiple files or directories.
           \_ Hm, does WS_FTP do sftp?
              \_ Use Filezilla.
              \_ putty has a free command line scp binary that I use all
                 the time.  I've never tried their sftp client, but it can
                 be found here: http://www.putty.nl/download.html    -sax
        \_ See section 3 of last week's minutes. -gm
2005/10/22-24 [Computer/SW/Security, Computer/SW/WWW/Server] UID:40230 Activity:nil
10/22   I want to set up a Wiki site for users of a software framework, but
        I'm concerned about security. Are there any Wiki engines that are
        particularly good about security? Any good sites discussing this?
        Thanks. - ciyer
        \_ Not twiki.
           \_ google for natswiki.  It's a mod of twiki.
2005/10/22-24 [Computer/SW/Security] UID:40227 Activity:nil
10/22   How come .nofinger does not prevent people from getting my last login
        remotely?
        \_ Make sure fingerd has permission to access your home directory --
           otherwise it can't see your .nofinger file.  Try "chmod a+x ~".
        \_ Can't reproduce.  Sanity check: soda has a hacked up fingerd.  Are
           you trying to put a .nofinger somewhere else?
2005/10/16-19 [Computer/SW/Security, Computer/SW/Unix] UID:40126 Activity:nil
10/16   I accidentally overwrote a file in my home dir.  Is there a process
        where I can request the version of this file from, say, 1 month
        ago?  Or are there even backups/archives like this at all?
        \_ mail root
        \_ Yes, backups do exist.  Right now, they are not mounted, so
           you will need to email root.  Be aware that backups do rotate out,
           and are currently being sporadically manually done, so email sooner
           than later -- njh (the guy who runs backups)
           \_ Thanks!!  Now that I think about it, I might actually have my
              own backup from the time I want, though it would be on a PC
              that I don't have access to today.  I'll check for my own
              backup before emailing root, but it's good to know that root
              can help me if necessary.  Thanks!  -op
2005/10/15-16 [Computer/SW/Security, Computer/SW/Unix] UID:40104 Activity:nil
10/15   Here is a proposal, a compromise for both parties. Split
        /etc/motd.public into two files-- one is /etc/motd.civil
        which is logged and viewable by root only, and is viewed in
        default .login. The other one is /etc/motd.wild, which is
        unlogged and is pretty much like our current motd.
        \_ The problem with this "solution" is that it does not fix
           the problem of threats, slander, etc, from the point of
           view of the politburo. They are still responsible for
           hosting it. -ausman
        \_ You're welcome to create ~user/cesspool.motd if you really want a
           place where you can be threatened at will by anyone.  Root will
           not breach the anonymity of the logs unless there is a specific
           post which requires it. -mrauser
           \_ I have a better idea.  We'll have one file called /etc/motd.public
              which is an open forum for discussing politics, fundamental
              computer science, the computer industry, general science, sex,
              and the meaning of life in a lively, free form, while also
              posting timely links about current events and giving recent grads
              a leg up on their careers.  Then we'll have another file called
              /etc/motd.jamf, where a small group of people can have a
              carefully logged and moderated discussion of vi/EMACS, the
              latest linux kernel and monty python.  Anyone who mentions
              politics, sex, violence, industry, uses a swear word, or says
              anything remotely useful or interesting on /etc/motd.jamf
              will receive a demerit.  Three demerits will banish them forever
              from /etc/motd.jamf.
2005/10/14-2010/9/30 [Computer/SW/Unix, Computer/SW/Security, Academia/Berkeley/CSUA] UID:40095 Activity:nil
**/**   Do not mail individual members of root for assistance.  You will be
        ignored!  Your root staff are: steven, edilaic, mconst, jvarga,
        mikeh, mrauser, kimbrel, toulouse, vaheder
        Your Politburo are: kimbrel (P), steven (VP), toulouse (S),
        yns88 (T), vidya (L), steven (E), bordicon (A)
        Your new Politburo are: toulouse (P), steven (VP), eyung (T),
        stevenk (S), sakura (L), dw5ight (E), scotspin (A)

The uncensored messages below this line may not reflect opinions of the CSUA.
2005/10/13-14 [Computer/SW/Security, Computer/SW/Unix] UID:40061 Activity:very high
10/12   [moved to top]
        I strongly suggest everyone read the minutes from the last
        meeting.  Both changes to the motd and soda itself were
        discussed. -jrleek
        \_ (Put up front since it's relevant) One thing that was left out of
           the minutes is this: although we decided to enable logging of the
           MOTD, we would like the implementation to be put in place by the
           users OF the MOTD. The decision stands and is not debatable, but
           the flavor of it is up to you guys. The current proposition is
           to enable kernel auditing, such that only root can view the logs.
           If you have a more palatable idea, you're welcome to submit your
           opinions to root@csua. Of course, 'ideas' are not nearly as
           useful as 'implementations', if you propose something non-trivial.
           \_ I don't have any complaint on any of this. I just like to
              ask if you guys can consider making the list of people who
              have root public, and tighten access control to only those
              who should have root. Secondly, I'd like to ask if you guys
              can make all user complaints and requests to expose offenders
              public. I'd hate to see root exercising power under the hood
              without any form of auditing. Without public auditing
              there is no check and no balance.
           \_ Why perpetuate the scam and make us lend the logging an air of
              respectability?
           \_ I am amused by the fact that this was posted anonymously. -gm
        \_ Exact proposition: "To allow, when necessary, root-types to
           identify exactly who posted any message in the MOTD"
        \_ If I read these correctly, the change that will be implemented is
           a foolproof way for root-types to know who is posting to the motd,
           so that people who make direct threats can be found.  Somehow I
           doubt this is gonna raise the quality of the discourse around
           here.
           \_ The problem is we've apparently seen root-type people abuse their
              root in the past to un-anon people on the motd they simply don't
              like.  I'd like to know who the root-type people are and that
              there is some official (as official as the csua can get) process
              in place to a) make sure no one else has root and b) make sure
              the very limited set of people with root are known and c) revoke
              root privs of abusers.  I was once in favor of a totally anon
              motd, but given some of the vicious and excessive personal
              attacks, threats, and named posts clearly intended to destroy
              other people, I've changed my mind on the topic.  Free speech
              is a good thing but yelling fire in a theatre is not ok nor is
              abusing anonymity to harass or ruin others.
              \_ The root list has been getting cleaned up, and I have made
                 sure that the only people with root on any of the new
                 machines are active, trustworthy root types.  Furthermore,
                 abuse of root power by anyone to un-anonymify someone for
                 any reason other than official business is an immediately
                 squishable offense in my book.  If I caught someone using
                 root logs to spite someone on the motd, I would not hesitate
                 to not only revoke the root cookie, but also sorry that
                 person's account.  I would even take such action on a
                 current member of Politburo if they did such.  I consider
                 the privacy of the people on this server, and the
                 professionalness of those who have access to privileged
                 information on this server very important. - jvarga
              \_ You are a thin-skinned idiot.
                 \_ Haven't been around here that long, huh?
                    \_ Only about 8 years.  What'd I miss?
                       \_ Pfft. n00b!  -meyers
                       \_ You missed the part where not abusing root is a good
                          thing, and an obvious thing.  Where have you been?
              \_ Vicious and excessive personal attacks? Perhaps, but the
                 motd is not for the faint of heart. This is less "fire" in a
                 theater and more theater of the absurd. More Sproul Plaza than
                 debate club. Keep it anon. How else am I supposed to make my
                 snide "yermom" comments without looking like a total sleaze?
                 \_ yer mom doesn't mind looking like a total sleaze.
              \_ You're correct that too many people have root. We'll get
                 an automatic reset when we switch to new soda, we should
                 set up some new rules then.
        \_ So let's say some user provides a web- or e-mail based front-end to
           let anonymous types modify motd.  The soda log will show that the
           creator of the interface is making changes, even though it could be
           Joe Loser off the Internet.  I suppose at the first abuse then that
           interface should be shut off?
           \_ Before the first abuse; it's against policy to share your
              account.  -tom
              \_ Has this specific example been tested yet?  ("share your
                 account" encompasses providing a web/e-mail interface for
                 people outside soda to anonymously modify motd)
                 \_ "share your account" means whatever they want it to mean.
                    \_ This would also qualify under "don't be a hoser."  -tom
        \_ Just curious, but how many of you outraged motders are actual
           csua voters?
        \_ I'm disappointed that the CSUA would run Linux, I'm not sure what
           the issue was with BSD.  There was a big push to get it working
           at the end of last year, and as far as I know it was.  What
           happened?  --jwm
           \_ How competent is the vp?  This is not intended to be a put
              down as such, but failing to get bsd to boot may be
           \_ How competent is the vp?  Failing to get bsd to boot may be
              meaningful or meaningless, depending on vp cluefulness.
              \_ As freebsd developers have trouble getting 5.4 to run on
                 certain amd boxes, I wouldn't use this as a guide to VP
                 cluefulness
                 \_ You do know that my question regarding vp cluefulness
                    still applies until you show (boot_bsd(clueless admin)
                    == 1) for all values of clueless admin.
           \_ What's wrong with Linux these days?  (Aside from TRADITION!)
              \_ If you have to ask, you don't know.
                 \_ Yes, that would be why I'm asking.
                    \_ Install the 2.6 kernel and see how long it lasts
                       under load.
                       \- can you elaborate on this a little. i have some
                          crunching farms and the people who run them for
                          me appear to slowly be moving toward 2.6. tnx.
2005/10/13 [Computer/SW/Unix, Computer/SW/Security, Politics/Domestic/President/Bush] UID:40060 Activity:nil
10/12   root, please do not squish me for posting this treasonous
        url anonymously.  also the picture is wrong, p bush
        was funding them until 1951.
        http://www.indybay.org/uploads/p1090147a.jpg - danh
        \_ It's been nice knowing you danh, I shall miss you after your
           mysterious disappearance.
        \_ Huh, I didn't realize we were into punishing the sons for the
           sins of the fathers.
2005/10/8-9 [Computer/SW/Security] UID:40023 Activity:nil
10/7    putty seems to lock up on Windows about 10 minutes after I don't type
        anything ... Even with the keepalive with a "Network error: Software
        caused connection abort" ... Adding the keepalives didn't make any
        difference.  Had to switch since soda no longer supports ssh1 ...
        How do I stop this from happening?
        \_ are you implying that your previous ssh client didn't do this?
           \_ Yes teraterm + ttssh never had this problem.
        \_ Same problem here--I am behind a firewall with a timeout setting
           (haven't checked yet how long).  This is the same for OpenSSH
           3.8.1p1 on OSX, commercial SSH on XP and Mindterm.  Use spinner,
           that usually works for me.  -John
           \_ try both TCPKeepAlive and ServerAliveInterval on openssh...
              curious to know if one helps and not the other.
2005/10/6-9 [Computer/SW/Security] UID:40007 Activity:nil
10/6    What's the easiest way to get the ip from the env var
        SSH_CLIENT="10.10.10.10 1212 22" in bash? I want to use it to
        set the DISPLAY env var.
        \_ see man pages for any/all of: sed, awk, perl, cut, tr (and many
           others).
        \_ Why are you doing this?  ssh will set DISPLAY itself if you
           run it with the right options, and it will do it securely.  -tom
           \_ Ah, thx.
              \_ ssh -X -l mylogin hostname
              \_ ssh -Y -l mylogin hostname
           \_ Ok, now it's slow. ;) What's the fastest cipher and mac
              to use? The choices are:
              rc4/blowfish/aes-128/192/256/twofish/3des...
              \_ plaintext.
              \_ IMO, blowfish is the best blend of speed and security
              \_ RC4 is by far the fastest, and secure enough for joe averages
                 using SSH2.
                 \_ After you log in, how do you see what cipher/mac is in use?
                    \_ depends on what ssh you use, obviously. i don't know of
                       a way for openssh. use -v to see what's being
                       negotiated.
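Added example (not part of the thread): a POSIX shell sketch of the two things asked above, extracting and validating the address in SSH_CLIENT, and reading the negotiated cipher/MAC out of `ssh -v` output. The function names and the sample debug lines are constructed for illustration; the two `debug1: kex:` layouts are the ones printed by older and newer OpenSSH releases.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Print the client address from an SSH_CLIENT-style value ("addr cport sport").
# The one-liner is ${SSH_CLIENT%% *}; this version also rejects malformed
# input so nothing downstream is built from junk.
# Note: DISPLAY=<addr>:0 would carry X11 outside the encrypted session;
# ssh -X / -Y instead point DISPLAY at a forwarded display on the server.
ssh_client_ip() (
    set -f                      # no globbing while word-splitting
    set -- ${1-}                # split into $1=addr $2=client port $3=server port
    [ "$#" -eq 3 ] || exit 1
    case $1 in ''|*[!0-9A-Fa-f.:]*) exit 1 ;; esac   # IPv4/IPv6 literal characters only
    case $2$3 in ''|*[!0-9]*) exit 1 ;; esac          # ports must be numeric
    printf '%s\n' "$1"
)

# Read `ssh -v` debug output on stdin and print "direction cipher mac",
# one line per direction. Handles both layouts:
#   debug1: kex: server->client aes128-cbc hmac-md5 none
#   debug1: kex: server->client cipher: X MAC: Y compression: Z
negotiated_algos() {
    sed -n \
        -e 's/^debug1: kex: \([a-z]*->[a-z]*\) cipher: \([^ ]*\) MAC: \([^ ]*\) compression: .*$/\1 \2 \3/p' \
        -e 's/^debug1: kex: \([a-z]*->[a-z]*\) \([^ ]*\) \([^ ]*\) [^ ]*$/\1 \2 \3/p'
}

# Mark algorithms from the thread's era that current OpenSSH no longer
# offers by default (arcfour, blowfish, CAST, 3DES-CBC, MD5-based MACs).
flag_legacy() {
    while read -r dir cipher mac; do
        case "$cipher/$mac" in
            arcfour*/*|blowfish-cbc/*|cast128-cbc/*|3des-cbc/*|*/hmac-md5*)
                printf 'LEGACY %s %s %s\n' "$dir" "$cipher" "$mac" ;;
            *)
                printf 'ok %s %s %s\n' "$dir" "$cipher" "$mac" ;;
        esac
    done
}

# Constructed sample of `ssh -v` output, mixing the old and new layouts.
sample_debug_log() {
    cat <<'EOF'
debug1: Connecting to host.example [192.0.2.10] port 22.
debug1: kex: server->client arcfour hmac-md5 none
debug1: kex: client->server arcfour hmac-md5 none
debug1: kex: algorithm: curve25519-sha256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
EOF
}

# Demo on constructed input (the SSH_CLIENT value is the one quoted in the thread).
# Against a real server: ssh -v host true 2>&1 | negotiated_algos | flag_legacy
ssh_client_ip "10.10.10.10 1212 22"
sample_debug_log | negotiated_algos | flag_legacy
```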
2005/10/4-6 [Computer/SW/Security] UID:39972 Activity:nil
10/4    New AC Transit Transbay Service Begins December 5th
        http://www.actransit.org/news/articledetail.wu?articleid=35e17163
2005/10/3-5 [Computer/SW/Security] UID:39961 Activity:nil
10/3    I would like to download my work calendar to my personal
        laptop which is running XP outlook whilst the server is
        Exchange 2003.  The computer is not a member of the domain;
        the standard "add exchange account" fails once it can not
        resolve the username via check name. I have no problems using
        imap or the web access to get access to the mail. I can also
        log into shares on the machine as well. Is there a way to
        download the calendar via the cli?
        \_ You don't need to use 'check name'.  It'll be something like
           windowsloginname@exchangeserver.domain.com where domain is your
           AD domain (AD usually but not always corresponds to your DNS
           domain.)  Check with a co-worker's outcrook that works.  If you
           can't figure it out, let me know and I'll check in a few days. -John
           -- I found out what the problem was. There is a value in
           mapisvc.inf called PR_RESOURCE_FLAGS that needed to be
           changed in MSEX section.  Thanks for responding
2005/9/21-23 [Computer/SW/Languages/C_Cplusplus, Computer/SW/P2P, Computer/SW/Security] UID:39809 Activity:nil
9/21    http://tinyurl.com/7swro
        It's the dawn of the age of uninhibited file sharing! LionShare
        creates a neat, private sheltered place where people could shop
        music and movies to their heart's content without entertainment
        companies ever knowing.
2005/9/20-21 [Computer/SW/Security] UID:39782 Activity:high
9/20    what is 'fan service' in anime?
        \_ scantily clad female characters
           \_ It has more to do with very extraneous scenery that doesn't
              enhance plot, character, etc.  Mostly yeah, it's little
              revealing clips (random upskirt shots, etc) but depending on the
              feature and subject "fan service" can refer to anything 'extra'.
           \_ I think wikipedia is pretty good here:
              http://en.wikipedia.org/wiki/Fan_service
              \_ Wikipedia failed on the word BBFS, bare back full service
                 \_ Go in and fix it!
2005/9/17-20 [Computer/SW/Security] UID:39722 Activity:nil
9/17    While using eMule, after some hours, it loses the internet
        connection, sort of.  eMule continues to work fine.  If I have an
        open ssh connection to csua, that's working fine.  But I can no
        longer go to any web pages, open any new ssh connections, and some
        of the IM programs lose their connection and won't reconnect.  The
        only solution I've found is to reboot.  Is there any other way?
2005/9/11-13 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:39626 Activity:nil
9/10    One more data point that libertarianism leads to chaos:
        http://news.bbc.co.uk/2/hi/programmes/click_online/4227578.stm
        \_ "It can be used for many good things, like giving the oppressed a
           voice, but users can also preach race-hatred or share child
           pornography with complete impunity."  Gee, what else does that sound
           like to you... I know!  Speech!  Hands!  Computers!  Brains!
           Ban them all!
        \_ Any political/economic system can be a problem if unchecked.  That's
           why we have limits on speech, capitalism, etc.
2005/9/9 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:39585 Activity:kinda low
9/9     Dear Park B1 (Firefox 1.5) is out:
           \_ "Deer" Park you moron.
                http://www.mozilla.org/projects/firefox
        OpenSSH 4.2 is out as well:
                http://marc.theaimsgroup.com/?l=secure-shell&m=112558710925132&w=2
                Portable: http://www.openssh.org/portable.html
                OpenBSD: http://www.openssh.org/openbsd.html
        \_ fyi, that B1 means Beta 1 (didn't know myself)
2005/9/7-9 [Computer/SW/Security, Politics] UID:39549 Activity:nil
9/7     Awesome, London's mayor thinks the bombers' families should be
        allowed to attend the national memorial service for the victims.
        http://news.bbc.co.uk/1/hi/england/london/4220836.stm
        \_ I think it's a good gesture.  Or shall the sins of the father be
           visited upon the son, and his son, and further unto 5 generations?
           \_ Ob affirmative action.
           \_ It would be a nice gesture if the victims' families invited
              them (highly unlikely), not the frinkin' mayor.  Inviting
              the murderer's family to the victim's funeral is asking for
              trouble.
              \_ True, but it's suicide 'victims' too.
2005/9/6-8 [Computer/SW/Security, Computer/SW/Unix] UID:39525 Activity:nil
9/7     Is there a way to change passwords on windows from the cmd line?
        I only have a telnet session... Thx.
        \_ Your google fu is weak.
           http://support.microsoft.com/?kbid=149427    -John
2005/9/6-7 [Computer/SW/Editors, Computer/SW/Security] UID:39523 Activity:low
9/6     Probably old news to some of you, but what do you all think of the
        "Street Performer Protocol"?
        http://www.firstmonday.org/issues/issue4_6/kelsey
        \_ I'd probably never go for it.
        \_ I think the ideas sounds interesting in parts, but I don't
           see how it could work as the primary mechanism for funding of
           copyrighted works.  An author who wishes to publish his first
           novel will not be able to get donations, so he needs someone
           else (i.e., a publishing house) to decide he is worth it,
           market the book and put it in stores.  That publishing house
           needs to have control of the copyright to at least some extent,
           because they publish and promote a lot of books by first-time
           authors and most of them don't make money, so to fund their
           operations they need to make their money from the few successful
           books.
           The idea might work for Stephen King.  -tom
           \_ Stephen King tried it and it failed him if I recall.
              \_ King tried putting his books up for download by serial,
                 with small payments, but without any escrow.  So very
                 few people actually paid for them because they were all
                 available on the file-swapping services for free.
                 If he said "OK I want to make $100K off this book" and
                 waited until there was $100K in escrow, the file-swapping
                 problem would be mitigated.  -tom
        \_ It's overly optimistic about a performer's skill. One of the
           greatest resources of a publishing house is its editors. First
           novels are hardly ever insta-classics without the vicious advice
           of an editor. Plotholes, meandering writing, lack of character,
           inaccurate facts, etc. sink books even before they are finished.
           A good editor will fix that. Plus, a partially written book does
           nobody any good. Authors should create a finished product or they
           will find themselves lost like a potter trying to glaze a wet
           piece of clay.
2005/9/2-3 [Computer/Rants, Computer/SW/Security] UID:39448 Activity:low 52%like:39356
9/2     Evil Corporation Wal-Mart response to New Orleans looters:
        http://informationweek.com/story/showArticle.jhtml?articleID=170102839
        \_ $15m in goods at retail prices or Wal-Mart prices?
        \_ When is Bill Gates going to donate some Office 97 to the victims?
           \_ I wish you'd post your names so I could hate you both properly.
              Fucktards.
           \_ What do you think the "sandbags" are filled with?
2005/8/30-31 [Computer/SW/Security, Consumer/TV] UID:39354 Activity:nil
8/30    http://cbs5.com/business/finance_story_228124420.html
        Interesting map idea, but I think what would be even cooler is
        a 3-D satellite map. Right now Google has a 2D satellite map,
        but if they can scan, interpret, and re-render the terrain in
        3-D that'd be even cooler
2005/8/29 [Computer/SW/Security, Academia/Berkeley/CSUA] UID:39326 Activity:nil
8/28    The yellow triangle "Time Warner Full Service Network" poster has
        been taken down from the CSUA Office. If this has any lore-value
        to anyone, come grab it ASAP. First come, first serve. - amckee
2005/8/23-24 [Computer/SW/Unix, Computer/SW/Security] UID:39241 Activity:nil
8/23    Looking for a good backup software for Windows. Preferably free,
        or something cheap with encryption. I'm sick and tired of manually
        using MS's backup software to create a tar-like file and then
        using my pirated Nero to burn it on the DVD. ok thx.
        \_ Check out the backup reviews first.
           http://www.backup-software-reviews.com
           I downloaded a copy of Genie Backup Manager, trial version.
           It is very good. I got it from Bittorrent with serial keys
           but I liked it so much that I decided to buy it from them.
        \_ I use Acronis True Image to back up my Windoze disk to an
           external hard drive.  It's fast:  1 gigabyte / minute over
           FireWire or an efficient Hi-Speed USB 2.0 interface.
           Image is password-protected (though not encrypted, but I think
           the password protection is good enough).  Buy the download version
           off http://newegg.com.
2005/8/23-24 [Computer/SW/Security] UID:39233 Activity:low
8/23    Hi motd.  I recently got a Dell Latitude D610 from work.  There is a
        "Hard Drive Password" feature in BIOS.  After setting it, now every
        time I boot it asks me for this before it loads the OS.
        Does anyone know if this password is stored on the drive or on the
        mobo?  E.g., if the latter, I can just put the drive in an external
        enclosure and access all files.  Thanks.  I suspect the latter.
        Okay, I see here it looks like the former:
        http://www.pcreview.co.uk/forums/thread-1942031.php
        \_ Depends on the make & model.  A lot of mfgrs deal with the password
           with a combination of bios and either an eeprom or a reserved area
           on the drive.  Generally it's some variant of the bios being a
           sort of "handler" for the password info which is stored elsewhere.
           The good news is, there are ways of breaking this with some
           understanding of electronics diagrams and a degree of proficiency
           with a soldering iron.  With some IBMs, for example, you need to
           nuke the password on the particular laptop it was set on before you
           can use it for something else (unless of course you break it, which
           is difficult-but-not-impossible.)  I did some research on this a
           while ago for a project, but my info may be out of date.  -John
           \_ fyi, I downloaded the spec doc for the Hitachi 5K80 Travelstar,
              and there's a whole section on this, which leads with:  "With a
              device lock password, a user can prevent unauthorized access to a
              device even if it is removed from the computer."  It sounds like
           \_ fyi, I downloaded the spec doc for the Hitachi 7K100 Travelstar,
              and there's oodles about password set/clear/change.  Presumably
              this is all stored on the HD.
              Upon further reading, it looks like the drive supports a Master
              Password and User Password.  Presumably the Master Password is
              known only to Dell and is different for different service tags,
              and is used to unlock the drive if the user forgets the User
              Password that he or she used to lock the drive.
              Unfortunately it looks like all you need is a keygen program
              to get the Master Password for Dell Latitudes:
              http://www.techspot.com/vb/topic18780-pg4.html&pp=20
              Doh! -op
              I do agree that if you speak with Dell they'll probably tell
              you a special way of clearing the "Hard Drive Password" if
              you authenticate with them completely.  And DriveSavers probably
              knows exactly how to do it without any trouble.
              After googling for a while, it looks like this is the only way to
              clear the hard drive password:  http://dp.allhyper.com
              Much easier to clear the non-hard-drive passwords. -op
              \_ OK the mechanism I found consisted of soldering together a
                 bit of electronic gymcrackery according to a set of wiring
                 specs I found, which would slurp the password hash off the
                 laptop via serial and let you dump it on a PC in order to
                 crack it.  I'd be very interested in what you find, so if you
                 would like to look at the bit of poking around that I did,
                 drop me a mail (non-bouncing email in my .plan)  -John
                 \_ Oh, it's just the link I posted -- run the keygen
                    against the reported hard drive code, obtain the password
                    which clears the other passwords.  Apparently another
                    mechanism involves a paperclip shorting some pins. -op
              \_ Good news.  That keygen only works for old service tags
                 (ending with extension -D35B).  Then, I e-mailed the owner of
                 the document that describes how to unlock passwords using
                 a paperclip (shorting some pins).  He says his method is
                 only for the BIOS passwords, and there is nothing he knows
                 of that can unlock the "hard drive password".  Yay. -op
                 \_ See above, offer still stands (dunno if it'll be of any use
                    but might give you some pointers of where to look.)  -John
2005/8/8-11 [Computer/SW/Security] UID:39058 Activity:nil
8/8     Any tips on getting a bank, cell phone company, or utility to properly
        acknowledge a change of address?  With my recent move, both PG&E and
        Cingular fucked up the change.  In PG&E's case, they moved the
        location of the account (i.e., where the gas and electricity was
        being delivered), but not where the bill was being sent.  In Cingular's
        case, they just dropped the ball completely and failed to move the
        account at all.  In both cases I called specifically ahead of time to
        move the account.  Since the Post Office acknowledged my forwarding
        request, but never forwarded any of my mail, I never got any
        bills and got hit with all sorts of "surprise" disconnection notices
        recently.
        \_ You could try praying.
        \_ Cingular's customer service is so f*cked up. Best bet is to
           contact their customer service and get someone to give you their
           direct phone number for future inquiries. If you get a different
           person for each customer service inquiry, then just start praying.
        \_ I moved several times in the past.  Every time PG&E always sent the
           bills of the old and new accounts to my new address properly.  USPS
           forwarded most of my mail properly for a year or so.  Once in a
           while a piece of mail slipped USPS's forwarding mechanism and went
           to the old address.
        \_ I had a serious snafu with PG&E that took 6 months to resolve.
           The short version is they couldn't keep track of what money was
           supposed to go toward a deposit and what was towards my bill.
           Even after you call them, the rate they actually fix things
           is much slower than the rate the computers send out "we're
           shutting off your electricity" notices, so I had to call a lot
           to confirm with someone "Yes, I see the notes here, the
           paperwork just hasn't gone through yet. Don't worry, we won't
           shut you off." I'd say call once a month until things are
           resolved, and when you call, just give them your account
           number so they can bring up your case history and catch up
           on the story. Thank goodness I don't have to deal with
           PG&E anymore. -bz
2005/8/8 [Science, Computer/SW/Security] UID:39036 Activity:nil
8/7     I heard something about someone attempting to utilize NIS
        authentication on Sloda. What was the exact nature for this,
        was it to allow for a centralized system to manage users
        amongst the different computers within the CSUA? What is
        currently being utilized for this, and why was NIS chosen
        vs. a less obsolete technology like LDAP?
        \_ Why do you think somebody owes anonymous you an
           explanation?  Check the wall, motd logs.
2005/8/4-19 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:38981 Activity:nil
8/3     Soda home directory quotas increased.  Don't spend it all in one place.
        --dlong
        \_ So quit your bitchin'.
        \_ Home dirs are now mounted off the new file server.  Quota increases
           abound, faster home dir access (no more home dirs on TDA!), etc.
           *prepares for flames*  Logins unified under NIS.
           Everything appears to be working.  Please email root if not.  I need
           a very long vacation.  Hopefully new soda will be up soon. - jvarga
           \_ Looks like keg is having issues with updating quotas on the fly.
              Looking into it. - jvarga
           \_ Anyone with a UID over 20000 didn't get a home dir quota
              assigned to them.  I've fixed that.  Sorry! - jvarga
2005/8/2-4 [Computer/SW/Security, Computer/SW/Unix] UID:38939 Activity:nil
8/2     How do you create an NDMP user/pass on a netapp?  The docs seem to
        tell me how to check a given user for a password but not set up a
        new user.  thanks.
        \_ Just use the admin/root user.
2005/7/26 [Computer/SW/Security] UID:38825 Activity:high
7/26    Doing the jobs American's won't do...
        Mexican accused of leading document-fraud ring - Millions
        of phony IDs for illegal aliens
        http://www.freerepublic.com/focus/f-news/1450601/posts
        \_ Yay, freeper is back! --freeper #1 fan
           \_ And Freeper doesn't know how to use an apostrophe! What a
              dolt.
              \_ Nice way to duck the issue raised with a weak personal attack.
                 I don't read freeperlinks or like freeperguy but you're
                 making yourself look more stupid than freeperguy.  Either
                 respond intelligently, putting him in his place, or ignore it
                 if you have nothing worth saying.
                 \_ What's the issue to duck?  Freeperguy hates immigrants.
                    This has been long established.  There really isn't much
                    to do except make fun of him.
                 \_ I'm not ducking anything. I didn't even read the article,
                    sounds boring. He didn't even make a point.
                    \_ You haven't made fun of him.  You've made yourself
                       look petty, stupid, and childish, assuming it was you
                       getting personal above.  Just ignore it.  Why can't
                       you see you're only encouraging it?
                       \_ FWIW, I wasn't the one making fun of freeperguy's
                          grammatical problems. --pp
        \_ And he's getting incredibly good at hiding his identity
2005/7/18 [Computer/SW/Security] UID:38675 Activity:nil
7/18    I'm trying to infiltrate into the freeper site but apparently they
        already blocked off an entire class D network, both at school and at
        home. Does anyone have a similar problem? Can I get an anonymizer
        to work? Anyone recommend a good and FREE anonymizer? Sameer's
        anonymizer.com stops working after clicking a few times.
        \_ Don't you have anything better to do?
        \_ A real hacker would know how w/o using crap like anonymizer.
2005/7/14-16 [Computer/SW/Security, Computer/HW/Drives] UID:38619 Activity:moderate
7/14    Anybody upgrade to PGP desktop 9.0?  I'm wondering how the
        "Whole Disk" encryption is working out.  Comments would be
        appreciated.  Thanks.
        \_ I would also appreciate if anyone could give any feedback
           on this.  We are thinking about using it as an encryption
           system where multiple users need access to the files.
                            -mrauser
           \_ Go to class, mrauser. - jvarga
        \_ Why? Are you hiding porn from Cisco's tough anti-porn initiatives?
           \_ I consider it the ultimate crime to hide porn on any server I
              administer.  If you have pr0n on soda, you must make it publicly
              accessible or face my wrath.  Pr0n is a glorious resource that
              should be shared freely with all who seek it.  To summarize: no
              hiding porn! - jvarga
              \_ Addendum: if I have to su to get to it, you're making me do
                 too much work. - jvarga
              \_ I vote jvarga as the most humorous admin EVER!!!
              \_ I may have a backup of the j-pr0n archive lying around (from
                 around the same time as safari, I think.)  Let me know if you
                 want this magnificent piece of CSUA history.  -John
        \_ upgrading to 9.0 broke a lot of stuff. we downgraded back to
           8.x.
2005/7/14-15 [Computer/SW/Security, Computer/SW/Unix] UID:38611 Activity:moderate
7/13    Soda is back up, and the rest of the servers are slowly being brought
        back.  We're fixing lots of errors on all machines.  We'll keep you
        all posted.  - jvarga
        \_ DikuMUD doesn't work anymore. Can you please restore it, or if
           you can't find it at least install a new version? I'd like to
           start as level 29, one level before immortal. Thanks jvarga!
        \_ Office accounts are going to be dead until I can figure out why the
           *(#)&^*)#$ debian doesn't like netgroups.  Anyone with insight on
           this, please email me/root.  Thanks.  - jvarga
           \_ Looks like I've fixed office accounts on everything but martini.
              Problems to root.  Moving on to the next stupid issues that came
              out of this move... - jvarga (needs a life, and a raise)
        \_ Great work. Thanks.
        \_ Thanks for the time and effort you've put into this.
        \_ Many thanks for seeing this through.
           \_ Come now, all this nicey nice is unbecoming.  Where's the
              obligatory alumni bitchfest?
              \_ Err, I still remember what it was like being a ugrad in cs.
                 I appreciate the work being put in for little reward.  -mice
              \_ Perhaps most of us are used to the trials and tribs of this
                 sort of thing.
        \_ Awesome, thanks.  But when do we get new soda?
           \_ This is the first step to getting new soda online.  But in the
              interim, new soda needs to stop doing things like playing the
              "OS not found" game on boot, and tell me why sshd is dead.
              - jvarga
2005/7/14-8/4 [Computer/SW/Security, Computer/SW/Unix] UID:38609 Activity:nil
7/13    Scotch will be coming down tonight.  Expect disruption in CSUA service
        between 7pm and wheneverweactuallyfinish.  We don't intend on bringing
        soda down for more than a few minutes to rotate it in the rack (so
        that it cooks evenly).  Probability of list disruption will be high.
        Office accounts will be unavailable.  Njh will be piss drunk. - jvarga
        \_ 7/14 Soda is back up, scotch is back up, lists are down, office
                accounts are down.  We're working on things, but I have to be
                up at 6am for work. - jvarga
        \_ 7/15 Office accounts are working again after much mudwrestling with
                all systems involved.  Debian mirror and other services on
                screwdriver are back up.  Send booze to root. - jvarga
        \_ 7/24 Just realized that soda's FTP was being mounted off of scotch
                (wtf?) and that's the cause of people's complaining.  Am
                looking at possible solutions.  Please be patient. - jvarga
        \_ 7/24 Lounge machines should be working again for the most part.
                Still screwing with xterm logins.  Send booze.  Now. - jvarga
      /
     /
July 12, 2005

Root is planning to swap out scotch.CSUA for a newer machine in the next few
days as part of planned server upgrades.  Scotch serves DNS, NIS for the
office, mailing lists, and is soda's backup mail server.  During the
downtime, some or all of these services will be unavailable.  The length of
the outage depends on our luck, but we hope to have everything back
available within a few hours with as little disruption as possible.  Note
that the soda motd will continue to be as troll-filled as usual.

Additionally, the scotch replacement will bring in phase 1 of the new soda
upgrade.  We will be unifying soda logins and office logins (but not home
directories), which means that I will be pulling the password database off
of soda to serve as the master list for office logins.  This means that if
you have an office account, your office password will be the same as your
soda password. If you did not have an office account before, this change
will not grant you an office account.

The exact date and time of this switchover will be announced soon.  Please
direct all questions/comments/concerns to root.

jvarga
2005/7/13-14 [Politics/Domestic/Crime, Politics/Foreign, Computer/SW/Security] UID:38600 Activity:nil
7/13    http://csua.org/u/cp6 (findlaw.com)
        "Whoever, having or having had authorized access to classified
        information that identifies a covert agent, intentionally discloses
        any information identifying such covert agent to any individual not
        authorized to receive classified information, knowing that the
        information disclosed so identifies such covert agent and that the
        United States is taking affirmative measures to conceal such covert
        agent's intelligence relationship to the United States, shall be fined
        under title 18 or imprisoned not more than ten years, or both."
        ... so, what do you think?  I don't see "name" in the above, just
        "identifies", so I guess it depends on what the meaning of "identifies"
        is.  A lot of it is also intent and foreknowledge.
        \_ Rove's claim that "I didn't know her name" is totally irrelevant.
           Identifying someone as "his wife" uniquely establishes her
           identity, except possibly in Utah.
2005/7/8 [Computer/SW/Security] UID:38481 Activity:nil
7/8     Anybody use PGP mobile (from http://pgp.com) for PalmOS?  How is it?  It
        doesn't seem to support the "encrypted virtual disk" feature like
        on the PGP desktop versions.  I'm wondering if that's even possible
        under PalmOS.  I have files on my PC that I dump into the PGP disk.
        I want to take that PGP disk (just a file actually) and view it
        on a Palm PDA.  Is that possible?  http://pgp.com discontinued their pgp
        mobile product.  Note that file-by-file encryption is not practical.
        I don't want to do this manually one by one.  Thanks.
        [reposted; not sure why it was deleted -thanks]
2005/7/7 [Computer/Networking, Computer/SW/Security] UID:38458 Activity:nil 80%like:38453
7/6     Steal someone else's wife, go to jail:
        http://news.yahoo.com/s/ap/techbits_wi_fi_theft
2005/7/1 [Computer/SW/Unix, Computer/SW/Security] UID:38391 Activity:moderate
7/1     Is there some way for a non-root person to figure out when
        someone's account was created?
        \_ How would a root person figure this out?
           \_ The adduser script used to keep a log file.  -tom
           \_ You're an idiot.
2005/6/30-7/1 [Politics/Domestic/California, Computer/SW/Security] UID:38384 Activity:high
6/30       Whenever I watch celebrity news I hear so and so is guilty in the
           court and have to perform community service. They don't get fined or
           go to jail, but have to perform community service. What's so bad
           about serving your community? I mean, isn't it noble to serve food
           for the homeless, paint houses for the poor, and clean up highways
           trash? Imagine the United States drafting men between 18-25 to
           perform mandatory community service for just one year. We'd
           have a huge [free] labor force to clean up graffiti, recycle
           cans, and other wonderful things that make our community more
           beautiful. In our ever increasingly busy digital lives, we rarely
           have time to even help ourselves, let alone help others out. We
           are increasingly isolated from one another, and have very little
           understanding on this "sense of community" that our grandparents
           talked about. Perhaps incentives and rewards should be given to
           those that help our community, to make everyone's lives better.
           Community service is an honor performed by those who honor community
           and brotherhood. It is sad and ironic that criminals have the honor
           to serve our community. Just my two cents for today.   -2 cents guy
         \_ For reasons I won't elaborate on, I had to spend some time cleaning
            up trash with the other "community service" people in People's
            Park at one point.  There is actually a pretty huge pool of
            people who have "community service" hours to do at any given time.
            Several of the people there had 1000 hours of service they had to
            do.  I was, as far as I could tell, the only person there who was
            actually working.  Mostly people would just show up and loaf around
            all day, then get double that number of hours signed off for by
            the dude who runs the park.  If the dude who runs any given park
            doesn't want to be corrupt, people just migrate somewhere where
            it *is* corrupt.  Of all those community service hours that get
            handed out by judges, very little real service gets done (although
            I busted ass cleaning up the park).
         \_ This is a fairly old idea.  This was called a 'subbotnik' in
            USSR (only this was done on Saturdays, hence the name 'subbota =
            saturday'.)  You should ask someone who participated in a subbotnik
            what they think of it. -- ilyas
            \_ why didn't you participate in a subbotnik?
               \_ I was too young. -- ilyas
              \_ Switzerland requires you to serve the military or perform
                 substitute service (community service). Maybe John can tell
                 you all about it.
                 \_ Yes, and it's pointless, a waste of money, bad for the
                    economy (by forcing people to take a large, unproductive
                    gap between school and work, and by forcing employers,
                    including SMEs, to subsidize long absences), and exposes
                    young men to drugs and cigarettes.  In the absence of
                    enemies or funding for all these recruits, there are many
                    make-work projects to occupy the ~60% or so who don't
                    manage to get out of it.  It's state slavery; totally
                    pointless and philosophically repulsive.  -John
            \_ One might obtain a somewhat less grim view of such matters by
               looking at the Works Projects Administration established in the
               US during the great depression.  I believe modern Germany has a
               similar program where one may choose between military or
               `alternative' civilian service, but don't know much about it.
               Also, why constrain this sort of thing to men only?  That seems
               backwards and silly.  That said, if you're going to encourage
               community service, I don't think picking up trash and cleaning
               up graffiti are particularly inspiring tasks or the most useful
               application of that sort of workforce.  What made the WPA cool
               was that it took on really ambitious projects.  Even if you take
               all this into account, I don't know how much it's going to do
               for instilling a sense of community in people.  I know there's a
               geographic component to this: Many of my grandparents'
               present-day friends are people they grew up with on the same
               *block* in Brooklyn.  They joined the service together.  After
               the war they settled on Long Island together.  In their later
               years, part of the group moved to the same communities in
               Florida.  Of your friends today, how many lived on the same
               street you did when you were young?  Do you still keep in touch
               with your friends from high school?  Personally, I think my
               sense of community is as strong as my grandparents, just
               oriented along different axes (e.g. cultural vs. geographic).
               -dans
               \_ I think the CCC also did something similar in the same time
                  frame.
         \_ Why community service? Because we supposedly live in a classless
           society. Billionaires pay the same amount for a moving violation
           as the average Joe. Community service forces the culprit to give
           up time, which means the rich don't get off easy and the poor
           aren't forced to pay fines. Both beat jail which puts the burden
           on society. All of this is separate from enforcing a draft
           (military or community works) or volunteerism. Much of the
           reasons behind why not lay with the relationship of citizens and
           government and society in general. And those discussions get ugly.
           \_ Where is the claim made that we live in a classless society?
              There have never been, and perhaps never will be a classless
              society. -- ilyas
              \_ I never claimed it was a classless society in reality.
                 It's just one of those things that American democracy
                 aims for. Probably a silly thing to put in the motd...
                 \_ I think the best you can say along these lines is
                    American society was in part a rejection of solidified
                    class lines of European society.  I don't think the
                    founding fathers were specifically aiming to create a
                    classless society, merely to reject aristocracy in the
                    European conception of the word.  Classless society is
                    probably impossible, and almost certainly undesirable,
                    as a goal.  Even an ant colony has 'classes.' -- ilyas
                    \_ Yes, and we should never seek to surpass the utopian
                       efficiency and elegance of ant society.
                       \_ If you seriously want to make men into an
                          ant colony, you should read Hellstrom's Hive.
                          Also, a certain quote from John involving a baseball
                          bat comes to mind.  Do you actually maintain American
                          society has a classless society as an explicit goal?
                          Do you have a source for this claim, or are you just
                          making stuff up to suit your agenda? -- ilyas
                          \_ I think you were trolled.  -John
                          \_ I think you're being needlessly pedantic.
                             "classless" in the context of government applies
                             to equal treatment under the law, one-person-one-
                             vote, etc. I think this type of classlessness is
                             an explicit goal of American society; that people
                             have equal opportunity etc. --!op
                             \_ When someone talks about a 'classless society,'
                                especially if they talk about ant colonies
                                being utopian in the same breath,
                                I understand them to be using the common
                                definition the Marxists use.  I don't think
                                I am being pedantic at all, I think you
                                misunderstood the previous poster. -- ilyas
                                \_ I didn't write the "ant" comment, but I did
                                   write the original "classless society" one.
                                   The original thought was towards the equal
                                   treatment of Man under law as opposed to
                                   a more communistic "equality of Man" ideal.
                                   The followup use of "American democracy"
                                   was an attempt to point in that direction.
                                   Apologies to those who may have been misled.
              \_ What kind of "classes" do chimpanzees have?
                 \_ Chimpanzees have a society?  (Actually, to the extent that
                    great apes are social animals and live in hierarchies you
                    may well say they have 'classes.'  So do wolves.  An
                    interesting question I thought about recently is why do
                    all functional wolf packs have at least one Omega).
                      -- ilyas
                    \- I have discovered a remarkable proof for this but:
                      (0. Hola)
                       1. it requires the Axiom of Choice
                       2. the motd is too small to contain it.
                       3. ok tnx.
2005/6/29-30 [Computer/SW/Security] UID:38364 Activity:moderate
6/29    Does anyone have a well-reasoned essay on why it's a bad idea to force
        your users to change their passwords regularly?  I have a strong
        password and changing it frequently means I have to keep it on a
        piece of paper or use dictionary words.
        \_ I'm sure there's something obvious I'm missing here, but why can't
           computers just have either a rfid reader, a barcode scanner or a
           magnetic strip reader, and just let users swipe a card?  If carrying
           an artifact on your keychain is good enough security for your car
           and home, it's good enough for your computer.  I think passwords
           are fundamentally flawed for normal people (and I have *worse* than
           normal ability to remember passwords.)
           \_ Because optimally you want two-factor auth (remember, a combo
              of what you have, are and know.)  If you can only do one-factor
              auth, you'd rather limit yourself to the last than the first
              which can be more easily, well, swiped.  -John
              \_ I'm not sure I see the problem.  I use a key I carry in my
                 pocket as the only form of security for my car (sure, people
                 may have some electronic thing, but they always have it
                 on their keychain also).  So why does some office email
                 system have to have better than that? If the physical
                 security of the building is based on a key it seems that
                 should be fine for the computers in most offices.  I'm
                 a total neophyte about computer security, but I've always
                 found passwords to be impossible to remember and I think I'm
                 not alone.  Isn't a physical key better than a password that's
                 written on a post-it note right over the terminal?
        \_ Why do you need well-reasoned?  Everyone I know who has to change
           passwords regularly switches between two passwords.
           \_ That's nice, because lots of software remembers the old
              passwords and this won't work. Personally, I have a good
              memory and changing my password often isn't a problem. For
              people who have trouble, simply store your passwords in a PDA
              in encrypted format.
              \_ At Intel, it remembered the last 8 passwords.  Most people I
                 knew cycled through pass1, pass2, ... pass8, and then set
                 whatever they wanted. -emarkp
        \_ http://www.securityfocus.com/infocus/1554 is a start.  If you
           drop me a mail (other address in my .plan) I will gladly find you
           some very strongly worded essays on the topic--there were a few
           good ones written on this area in the last year.  Constant
           password change policies and restrictive password histories are
           a solution for weak-minded security managers.  -John
        \_ If you have an ACM account, I suggest looking up "Users are not
           the enemy" by Adams and Sasse. Excerpt (from Firewalls and Internet
           Security) in /csua/tmp/uante. -gm
        \_ http://www.useit.com/alertbox/20001126.html  --jameslin
2005/6/29-30 [Computer/SW/Security] UID:38362 Activity:moderate
6/29    Anyone have experience with monarch computer?  They aren't shipping my
        stuff when they said they would, and I'm starting to get concerned.
        \_ used them once, no problems. but now i just use newegg.
        \_ ordered an athlon x2 did you?  anyway, http://newegg.com only lists when
           they have stock, or they'll put an auto-notify link.
           \_ No, I ordered an Athlon64 3700.  Nothing special, and they say
              it is in stock.  At the moment I consider it poor customer
              service, but if they keep this up I will consider it fraud.
              It's a shame too they seemed to have a good reputation, but
              they are just lying to me.
           \_ No, I ordered an Athlon64 3700.  They have now promised to get
              it out tomorrow with expedited shipping which would be great if
              it happens.
2005/6/29-30 [Computer/SW/Security, Computer/Networking] UID:38359 Activity:low
6/30    I don't want to crack WEP, but I'd like to learn more about it.
        For example, is it a link layer encryption or is it tied to the
        physical layer? If it is link layer encryption (something built
        on top of link layer), then is it possible to "sniff" sequences
        of packets on a regular computer then brute force crack it? Does it
        take a super computer to do it or can anyone with a regular
        laptop do it?
        \_ go read http://www.tomsnetworking.com/Sections-article118.php - danh
        \_ Looking at how some of the crackers work is a great way of
           learning how WEP works.  Have a look at Auditor at
           http://www.remote-exploit.org for good tools and docs.  -John
           \- This may be more relevant to people with a greater interest
              in wireless security than the OP but i looked at draft of
              a book on wireless sec by william arbaugh of university of
              maryland [i forgot the other authors, see AMAZONG] which
              is going to be more indepth and theoretical than random
              "how to" web pages, but is more practical than a berkeley-type
              textbook. oh it looks like the book is out now:
              http://csua.org/u/ck2 anyway, if that is what you are
              looking for, the book is decent (looks like it is 2yrs old
              and unrevised, so may be lean on some recent things and
              cover some things that died on the vine). ok tnx.
2005/6/29-30 [Computer/SW/Security] UID:38356 Activity:nil
6/29    Am in PST, still Wednesday over here ... quick follow-up to post re:
        anonymizer.  Looked into TOR, it seems to only protect the transport.
        Privoxy or JAP would be alternatives to anonymizer.com.  Actually
        bought anonymizer at Fry's, and it seems to work pretty well.  Now if
        I can only disavow ever writing this message ... How do you people
        figure out who wrote a post anyways??
2005/6/28-29 [Computer/SW/Security] UID:38337 Activity:nil
6/28    Sorry for going back in time here, but where I am, it's still Tuesday
        the 28th of June ... anyways, I had a couple of posts about how much
        people trust http://www.anonymizer.com if people had experience with how
        much anonymizer can protect your information, especially if they are
        subpoenaed to turn over evidence.  Please leave this post up a couple
        of days, cuz I don't get to check the MOTD that many times a day.
        If nobody wants to comment, leave a note to that extent.
        \_ I used to work for a company in the same space. We kept access logs
           for 7 days, mainly to get statistics and bill advertisers. If we
           received a subpoena for access logs within 7 days of an event, we
           would turn over those logs (as required). If the request came more
           than 7 days after the event, we had no data to provide. The
           Anonymizer privacy policy states that they will disclose privacy
           information when required by law; however, they also say that
           "Anonymizer does not hold any personal information on our customers
           that could result in compromising their privacy and security", so I
           don't know what they might give up. I seem to recall their policies
           being about the same as ours, but it was a long time ago. -gm
        \_ Screw anonymizer.  Use TOR.
           \_ Is TOR anything like Freenet?  I tried out Freenet a while ago,
              but it was unreliable and slow as hell.  Looks like it's still
              being actively developed, but haven't installed it on my new
              computer.  Does either TOR or Freenet rely on a lot of
              participants?  -- op.
              \_ TOR is a serious mix-network crypto system.  Pretty
                 industrial strength.  Latency is gonna blow, but that's
                 the price.
        \_ Nothing you do online is anonymous, the trick is to make it as
           cumbersome as possible for someone to track you.  If you go to
           a random library in another city, avoid cameras, use a public
           terminal and use an anonymizer, you're "less likely" to be
           tracked than say logging into your home PC or local Computer Lab
           while using your private e-mail account.  It depends on what
           risks you're willing to take (cost/ benefit).
2005/6/23-25 [Computer/SW/Security, Computer/SW/Unix] UID:38277 Activity:low
6/23    I was not too smart to believe what I read on SBC Yahoo!'s web
        site (that after merging my Yahoo! ID with a SBC sub-account ID,
        I can reverse the merge by simply deleting the sub-account) and
        went ahead with the merge.  The merge did NOTHING as claimed--
        I did not get any extra storage nor any extra service.  So I
        wanted to reverse the process only to find out that I can only
        'suspend' a sub-account, but not delete.  I called customer
        service and was told it is impossible to delete a sub-account
        and hence impossible to undo the merge.  I have spoken to 5
        people including one manager and one level 2 support person.
        None was able to offer any help.  I tried suspending the
        sub-account, only to find out that I could no longer access my regular
        Yahoo! account.  Has anyone had to deal with this issue?  How
        was it resolved?  Are the 5 people I talked to not too bright
        or their web site is just lying?
        \_ I have evidence that Yahoo is controlled by Scientologists.
        \_ When this was first offered (2+ years ago), I distinctly remember
           reading that it was not reversible. It's possible that the 5 people
           you spoke with are still operating under that assumption. Print
           out the page with the relevant promise and direct support
           personnel to the url.
           \_ I did.  I pointed the support people to the URL that states
              the process is reversible.  All I got was a defensive
              comment, "I am telling you the truth!  It cannot be done!".
2005/6/19-20 [Computer/SW/Security, Academia/Berkeley/CSUA/Troll] UID:38195 Activity:nil
6/19    Stupid question.  how do we implement POP and IMAP access on Soda?
        \_ imap and pop over SSL works fine - danh
        \_ Stupid answer.  Slave monkeys and Google page-rank pigeons. - jvarga
2005/6/15-17 [Computer/Networking, Computer/SW/Security] UID:38143 Activity:low
6/15    Wanna have WiFi access on transbay buses, free for you and free for AC
        Transit?  Voice your support by taking the survey:
        http://www.actransit.org/news/articledetail.wu?articleid=d5f2ff4a
        \_ If they combine it with GPS so I know where the buses are...
           \_ I put GPS and a coffee service in the suggestions box.
              \_ It sure will get your responses ignored.
           \_ Said the suicide bomber...
              \_ I hope this is facetious, and if not, I hope you never ever
                 get your hands on a top secret DHS triple grade red
                 classified bus schedule.
        \_ I already get this using my PDA GPRS/EDGE/UMTS cell with laptop.
           You are wasting money.
           \_ Didn't I mention it'd be free?
2005/6/15-17 [Computer/SW/Security, Academia/Berkeley/CSUA/Motd] UID:38139 Activity:nil
6/15    Attempting to sftp to csua.berkeley.edu. Got password from key.
        Entered password and got back:
        Received message too long 1701996907
        Wtf?
        \_ password from key.  since sftp uses ssh, shouldn't you just
           use your normal password?
        \_ Trying to do anonymous motd?
           \_ No, trying to send files from my PC to my CSUA account.
              \_ Just use scp.
        \_ I just tried ssh from SunOS 5 and it worked.
           \_ I'm trying sftp csua.berkeley.edu from CSUA. I'm running
              tcsh as my shell.
        \_ tunneling ftp through ssh for sftp is a total lost cause.
           just use scp.  google for winscp
           \_ he's not tunnelling ftp through ssh, he's using sftp.
                \_ he's doomed, it's not going to work.  USE WINSCP
                   \_ I use putty's psftp all the time.  As well as FileZilla
                      for xfering files to and from soda.  Why is he doomed?
        \_ Update: so scp seems to do the trick (on soda and from my Mac).
           Purely for curiosity's sake, any idea why sftp isn't working?
           \_ It works for me on windows.
           \_ sftp seems to be working fine too from freebsd machine
           \_ A ssh1/ssh2 mismatch? Just a guess, I have never used
              sftp. scp works fine for all my needs.
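
On the "Received message too long 1701996907" question in the thread above, an added example (not posted by anyone in the thread): sftp reads the first four bytes from the server as a big-endian packet length, so text printed on the channel before the SFTP server starts, usually by a shell startup file, is read as an absurd length. The decoder turns the reported number back into those bytes; the function names, the sample streams and the 256 KiB cap are assumptions of this example.

```python
import struct

# Largest packet the client will accept. 256 KiB is the figure OpenSSH's sftp
# uses as far as I know; treat the exact number as this example's assumption.
MAX_SFTP_PACKET = 256 * 1024
SSH_FXP_VERSION = 2  # packet type of the server's first SFTP message


def length_to_bytes(reported: int) -> bytes:
    """Return the four wire bytes that were read as a big-endian uint32."""
    return struct.pack(">I", reported)


def explain_length(reported: int) -> dict:
    """Describe a length value taken from a 'Received message too long' error."""
    raw = length_to_bytes(reported)
    printable = all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in raw)
    return {
        "raw": raw,
        "text": raw.decode("ascii") if printable else None,
        "plausible_packet": reported <= MAX_SFTP_PACKET,
        # Four printable characters plus an impossible length means the
        # "length" is really the start of a line of text.
        "looks_like_shell_output": printable and reported > MAX_SFTP_PACKET,
    }


def first_packet_check(stream: bytes) -> str:
    """Classify the first bytes a server sent on the sftp subsystem channel."""
    if len(stream) < 5:
        return "short read"
    (length,) = struct.unpack(">I", stream[:4])
    if length > MAX_SFTP_PACKET:
        info = explain_length(length)
        if info["looks_like_shell_output"]:
            return f"stray text before SFTP: {info['text']!r}"
        return "oversized packet"
    if stream[4] == SSH_FXP_VERSION:
        return "SSH_FXP_VERSION"
    return f"packet type {stream[4]}"


# Constructed sample streams, not captured from any real server.
# A clean reply: length 5, type SSH_FXP_VERSION, protocol version 3.
CLEAN_REPLY = struct.pack(">IBI", 5, SSH_FXP_VERSION, 3)
# The same reply with a constructed line of startup output in front of it.
NOISY_REPLY = b"erik: constructed banner\n" + CLEAN_REPLY

if __name__ == "__main__":
    print(explain_length(1701996907))
    print(first_packet_check(CLEAN_REPLY))
    print(first_packet_check(NOISY_REPLY))
```

A quick check on the account itself is to run a no-op command over ssh (for example `ssh <host> /bin/true`); if that prints anything at all, sftp will trip over the same output.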
2005/6/13-15 [Computer/SW/Mail, Computer/SW/Security] UID:38098 Activity:nil
6/13    Any recommendations for a free webmail service that doesn't charge for
        POP3 download, SMTP?  I want to be able to access it using VersaMail
        on Treo 650.  Using GMail right now, but I'm not a big fan of their
        privacy practices.  So the requirements are: free, respects privacy, a
        viable company.
        \_ I think you're just going to have to suck it up and use Gmail.
           \_ Agreed.  No company is gonna offer free popS service for free
              besides google.  At least not right now.
2005/6/6-7 [Computer/SW/Security, Computer/SW/Unix] UID:37988 Activity:nil
6/6     s/key confusion and confirmation: I must have a reading deficiency.  I
        read the s/key howto over and over but I couldn't grasp the idea.  So
        maybe someone can confirm my understanding of it.  The s/key stuff
        only dictates which machine I can access the csua server from.  That
        is, if I have entered the one time password from my home desktop, then
        I can log in from my home desktop with my unix login/pass.  I can not
        log in to csua from my work machine if I haven't entered the one-time
        pass on that machine.

        Basically, since ssh2 is in effect now, I downloaded PuTTY.  After I
        enter the login as value, it shows "s/key 92 hi97345", then "password".
        However, I used the s/key calculator, and put in 92 hi97345, and got
        a one-time pass, with that pass I can not log in.  But I tried with my
        unix password, I'm now logged in.  So I am confused why it has "s/key"
        stuff and didn't expect a s/key one-time pass phrase?  I basically
        just use my unix login/pass just like before ssh was enabled.
        \_ Same here--that is, I've been seeing the s/key stuff when logging in
           since the ssh change, but I'm logging in via putty, and just use my
           normal login.
        \_ Thanks for overwriting my changes fucktard.
           \_ vi should have locked the file if you opened it for write. others
                can only open it read-only.  So you must not have the lock on
                the file when you tried to edit it.
                \_ 1, you're wrong. 2, you overwrote someone else when adding
                   this post.
                   \_ 3, I thought we went over this, using VI will ensure a
                      lock on the file you are editing.  Or should we run a
                      command before editing a file?
2005/6/3-6 [Computer/SW/Security] UID:37962 Activity:nil
6/2     yaBlueToothHack:
        http://www.newscientist.com/article.ns?id=dn7461
        \_ So Bluetooth uses symmetric key exchange in an unencrypted
           wireless channel? Is that correct? If that's true then
           whoever developed the Bluetooth encryption protocol wasn't
           thinking too hard.
           \_ Math is hard.
2005/6/3 [Computer/SW/Security] UID:37953 Activity:nil
6/2     yaBlueToothHack:
        http://www.newscientist.com/article.ns?id=dn7461&feedId=online-news_rss20
2005/6/2-5 [Computer/SW/Security] UID:37940 Activity:low
6/2     My TeraTerm SSH no longer works on soda.  What other software should
        I try now?
        \_ putty
        \_ Cygwin + OpenSSH. Related request - can root (or someone) add a
           webpage w/ the ssh public key fingerprints for soda and the other
           login systems? Soda's fingerprints are:
           RSA - df:69:f5:98:d5:68:d2:4b:9a:77:4b:53:75:b0:21:51
           DSA - b2:2b:32:26:6e:19:d3:f0:f2:51:70:25:30:c1:54:22
           \_ Done, see CSUA main page. - jvarga
              \_ Dude, whatever they're paying you, ask for a raise.  Get a
                 life, man, you're making me feel guilty.  :)      -mice
                 \_ While you are on a roll, how about the wall log archiver
                    and the tmp and var cleaners.
        \_ Get the SSH2 extension to TeraTerm
           http://sleep.mat-yan.jp/~yutaka/windows
           \_ Great! Thanks.
        \_ will http://csua.berkeley.edu/ssh be updated as well?
2005/6/2-7/12 [Computer/SW/Security] UID:37939 Activity:nil
6/1     SSH got restarted with the new changes (no more SSH1).  As a result,
        it may look like soda's key has changed.  This is just because you may
        be used to using SSH1 and therefore the SSH1 key.  The SSH2 key has not
        recently changed, but your SSH client may not recognize it unless you
        usually use SSH2 to connect to soda.
2005/6/2-3 [Computer/SW/Security] UID:37935 Activity:low
6/2     In the 'official' part of the motd it says ssh1 would be shut off,
        weeks ago no less, and yet it still seems to be on.  What up with that?
        \_ Whoever did the change neglected to restart sshd.  Fixed.  -jvarga
           \_ I just tried ssh from a Solaris machine to soda and I got "ssh:
              connect to host soda.csua.berkeley.edu port 22: Connection
              refused".  I tried both with and without the "-2" option.  Now if
              I log out from this session I won't be able to log in again!
              \_ Using putty forcing to ssh2 doesn't connect either.
                 \_ That's the last time I trust someone's changes to "just
                    work"... fucking dammit where'd all these sshd_config
                    errors come from??? - jvarga
                    \_ What say we strip some people (person?) of their root
                       cookie?
                       \_ I say we strip karen.
                          \_ I say you're a chauvinist and an ass.
                    \_ Dang, you've been in CS how long and you only just
                       figured THAT one out? :P -jrleek
                       \_ I'm glad it was caught before soda rebooted... it
                          would suck to have to go and be physically present to
                          fix this. - jvarga
                          \_ wait, if you're not a current student, what the
                             hell are current students doing? It used to be
                             the case that current students run, manage, fix,
                             install everything. What the hell do they do now?
                             Playing with Windows NT servers because UNIX is
                             too hard?
                             \_ Who said he wasn't?  School's not in session,
                                dumbass.
                             \_ Do you object to me fixing crap?  Because if so
                                I can just leave all the broken shit for
                                "current politburo" to eventually get to or
                                notice.  Do you object to njh, dlong, mconst,
                                etc also fixing soda problems? - jvarga
                                \_ Man, lazy/apathetic kids today (current
                                   politburo). As a mentor, how about teaching
                                   them how to fish instead of giving them
                                   fish?
                                   \_ Hey yeah, and while we're at it let's
                                      un-root all the non students; they have
                                      no business working on soda.  Thanks for
                                      all the cool shee-it, jvarga, you are de
                                      man.  -John
                    \_ Maybe that's the reason whoever did the change didn't
                       restart sshd in the first place.  He didn't think his
                       own change would work either.
                       \_ Then he should have reverted sshd_config to a known-
                          working state so that an accidental (or intentional)
                          soda reboot wouldn't fuck over sshd. - jvarga
                \_ seems ok now.
        \_ will the csua website recommend an ssh2 client we can use?
           will http://csua.berkeley.edu/ssh be upgraded as well?
2005/5/27-31 [Computer/SW/Security, Computer/SW/Unix] UID:37869 Activity:nil
5/27    I'm the guy who was asking for software for organizing web links.
        I tried the sdidesk software somebody recommended but it's too
        complicated (I don't have time to learn wiki).  So my focus has now
        shifted to generic note-taking software.  Anybody use one?
        There are tons of those programs on the web.  If you use one, please
        let us know what you use.  Thanks.
        \_ Check out SafeSex from Nullsoft if you want something somewhat
           protected and small.  It can get a bit annoying what with having
           to give it a password all the time.  -John
2005/5/24-26 [Computer/SW/Security, Computer/SW/OS/Windows] UID:37826 Activity:low
5/23    On XP, can I use encryption on the swap file?
        \_ Doesn't answer the question, but provides workaround
           http://csua.org/u/c6c (microsoft.com)
           http://tinyurl.com/b9oxc
           \_ Thanks.  Too bad it doesn't help when it crashes.  I'll have to
              remember to boot it up again and then do a clean shutdown.
2005/5/24-26 [Computer/SW/Security, Industry/Jobs] UID:37825 Activity:moderate
5/24    How common are contract-based bonuses for service-oriented software
        companies as a form of profit-sharing?
        E.g., the company wins a 1 million dollar contract.
        The sales guy for the contract gets x% of $1 million;
        The lead engineer on the project gets y%;
        Other engineers who will be working on the project get z%.
        Yes, the sales guy has a base salary and makes much more from
        commissions, which is how this normally works.
        Currently our bonus system is the standard annual bonus (the boss
        decides at the end of the year how much bonus you get, which ends
        up being ~ 5%).
        \_ Why is this a question? You can structure payment for services
           any way you want as long as it is not unconscionable.
           \_ "how common are ... for ...", not "is it possible"
           \_ "how common are ... for ..."
              \_ Very good, you apparently understand basic semantics.
                 I still don't understand why this is a question. If you
                 want your firm to move towards a direct percentage based
                 system based on profits vs. a fixed annual bonus then
                 bring it up with your super. Why should it matter if it
                 is followed by a majority of other consulting firms?
        \_ I've never seen a commission system for anyone other than sales.
           For IT/Engineering, if there is a bonus system it is usually "up to
           x% of salary per quarter".  One place I worked at did profit
           sharing at .1% of profits for most, while some with seniority
           got more.
        \_ <yeah, like your retarded nonsensical comment, dipshit>
        \_ OP: you should deal with retarded but critical sounding comments
           by deleting them. --!OP
                \_ I am going to guess "not common"
           \_ Haha.  Are you the poster whose comment I deleted?
              Did you experience a flush of anger when you saw I
              deleted your pathetic comment?
           \_ <stop deleting someone else's shit and we'll stop deleting
               your shit>
               \_ Deleting a "followup" which consists of "that's a dumb
                  question" is a service not an abuse.
               \_ <right, which is why this is a service>
           \_ Little losers: you guys really couldn't tell the difference
              between your lame answers and the one above?
        \_ I've had that kind of deal offered to me to finish a project at
           a company that 1. had no prospect of a liquidity event, and 2. had
           a co-development deal with another company that would bring in cash
           with each milestone met.  A more common version of this happens
           when a company gets acquired for $(n+m+o+...), with $(m+o+...)
           tied to project milestones.
2005/5/17-18 [Computer/SW/Security, Computer/SW/OS/Windows] UID:37725 Activity:low
5/17    http://blogs.washingtonpost.com/securityfix
        "A system administrator, angered by his diminished role in a thriving
        defense manufacturing firm whose computer network he alone had
        developed and managed, centralized the software that supported the
        company's manufacturing processes on a single server, and then
        intimidated a coworker into giving him the only backup tapes for that
        software. Following the system administrator's termination for
        inappropriate and abusive treatment of his coworkers, a logic bomb
        previously planted by the insider detonated, deleting the only
        remaining copy of the critical software from the company's server. The
        company estimated the cost of damage in excess of $10 million, which
        led to the layoff of some 80 employees."
        \_ Whose fault was this?  Now consider:  whose responsibility is it
           (not for failing to look over his shoulder, but for allowing this
           much "power" to concentrate in one set of hands)?  -John
           \- fault is not zero sum. poor decision making on part of the
              company doesn't remove his culpability. legally it may be
              up in the air to what extent can say a shareholder hold
              the negligent management responsible vs the malicious employee
              but ethically, the failure is on the "evil employee".
              \_ Well, the company holds the evil employee liable in its
                 turn, but it's kind of a case of where the buck stops.  That
                 said, dingdingding.  -John
2005/5/11-13 [Computer/SW/Security] UID:37640 Activity:nil
5/11    Maybe this is old news, but there is an MIT project to prevent addr
        harvesting from known_hosts files:
        http://nms.csail.mit.edu/projects/ssh
        Their paper on ssh worms propagating via info discovered from the
        known_hosts files is interesting:
        http://nms.csail.mit.edu/projects/ssh/sshworm.pdf
2005/5/11 [Computer/SW/Security, Academia/Berkeley/CSUA/Motd] UID:37630 Activity:high
5/11    I know kchang's de-anonymizer is putting a crimp in your style, but
        can you people who scp to /etc/motd.public please stop overwriting?
        \_ A little thought should help you realize that's impossible.
           \_ A little quality thought should help you realize that:
              "Overwriting" is being used in the context of "screwing up
              other people's changes".
              If you turn off brain and assume the literal definition of
              overwrite, you might realize you're "overwriting" [literally]
              /etc/motd.public every time you save it in an editor.
              Finally, scp users can reduce frequency of overwriting
              [contextual meaning] by reducing the lag time between the scp
              "get" and "put".
              \_ Well, they should be diffing and merging as the final step
              \_ No, they should be diffing and merging as the final step
                 before putting. This leaves a pretty tiny window for potential
                 overwrites. But can someone tell me how kchang is logging
                 file access? What OS features help with this? I'm curious to
                 know for other possible applications.
                 \_ I signed a pact with Satan
        \_ Hm, how about this feature. If you put in "-anon" at the end of
           your post, then my Ashcroft script will not reveal your id? -kchang
                 \_ Note that "tiny window for potential overwrite" is a
                    longwinded way of saying "that's impossible".
                 \_ it shouldn't be hard to modify motdedit to do this.
        \_ Play nice, or we'll take away your cookies. Or, perhaps, make it
           so that you can't scp the motd. - almighty root
           \_ hmm, maybe make it so that the motd is only editable through
              motdedit and make that a suid file w/ sudo'er perms for everyone.
              everyone should then be anon, and no more scp. yes, I'm replying
              to myself. =)
              \_ I concur. Let's enforce some type of lock/unlock mechanism.
                 \_ Make the trains run on time while you're at it.
                    \_ locking and semaphores - the first step towards fascism.
                       \_ You missed the "enforce" part didn't you?
                          \_ So tell me, if you've done any work with databases
                             or file systems, how useful is a lock that is not
                             enforced?
                             \_ Hey, I didn't realize the motd was that
                                important to you.
              \_ fuck motdedit.  In the ear.  It's not a technical problem.
                 \_ Technically, yes it is a technical problem. Access is
                     provided through a mechanism that causes corruption. Any
                     time such a mechanism exists and is exploitable, it puts
                     the infrastructure at risk. Asking users nicely not to do
                     it is not a solution. Either you live with the corruption
                    or you fix it. As a CS grad, you should know this.
                    \_ Uhm, we're talking about motd...wtf are you talking
                       about?  This isn't a general "all locks and
                       synchronization are bad" thread, this is a "motdedit
                       is a shitty technical solution which doesn't even
                       really address all the problems" thread.  As a high
                       school grad this should be obvious to you.
                       \_ First of all, tell us why motdedit is broken, and
                          maybe we can come up with something better.
                          \_ Because of patronizing motdedit users.  Anything
                             without patronizing evangelists that works would
                             be better.
                       \_ As important as MOTD is for a bunch of users here,
                          most of whom are CS grads, I'd wager any technical
                          problem could be ironed out quickly. Anyways,
                          whatever, this is your guys' problem. I don't use
                          MOTD and every time I read it, I feel less inclined to
                          put as much time into maintaining this system as I
                          do. I was offering solutions to a real problem of
                          corruption. But hey, if you people like broken, then
                          broken you get.
                          \_ Broken >> supercilious motdedit nazi assholes
                             Go or stay, use it or don't use it, it's a free
                             country, and nobody is particularly pining for
                             you either way.  Go, and be happy, my son.
                              xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                             \_ No offense, but go fuck yourself. As root, VP,
                             \_ No offense, but go eat a carrot. As root, VP,
                                and now president of the CSUA my policies on
                                sorrying non-student accounts are much more
                                draconian than that of my predecessors. You
                                may have been a student once, but our ultimate
                                mission is to provide service to current
                                students - and when people make this a hostile
                                environment, I won't blink to kick them off our
                                server. Although I value the insight and
                                participation of alumni in the CSUA, I'd advise
                                you not to fuck it up for everyone. If you
                                disagree with an idea, then voice your reasons
                                - not some immature tirade and rant. This is
                                not your personal soap box, this is a server
                                for use by university students.
                                xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

                          \_ I suggest we first solve the problem of people
                             posting lines longer than 80 columns or people
                             with their tabstop not set at 8.
                             \_ I suggest pliers or a heavy bludgeon.  There's
                                nothing like broken bones to keep columns
                                down to a reasonable size.
        \_ Hm, how about this feature. If you put in "-anon" or some type of
           identity at the end of your thread, then my Almighty Ashcroft
           script will not reveal your id? -kchang
           \_ How about we just squish your ass right now? -anon
              \_ I wouldn't do that. John Ashcroft is watching you.
                 \_ But...but...I put "-anon" at the end!  Pretty please let me
                    be anonymous? -anon
                   \_ Well I haven't implemented it, I'm just soliciting
                      opinions and should there be enough demand, I'll do it.
                      \_ Anyone who has worked with group-writable files
                         has come to the conclusion that locking and
                         logging is important; I'd like to see motdedit
                         (or something functionally similar like RCS)
                         required.  -tom
                         \_ Because the motd is mission critical!  Seriously,
                            if this were source code, I'd agree.  An anonymous
                            posting board where anyone can add or delete?  Feh.
                            \_ It blows me away how worked up people get
                               about a lame ass world writeable file.
           \_ kchang, I like to troll. the motd is too boring. can you include
              an 'exclude' list of names? ;) we need to revive the motd of
              better topics!!!
        \_ Perhaps the de-anonymizer is a good thing. It's like that old
           Donald Duck count to 10 before you explode cartoon. You have
           to think about whether or not you really want to write that
           comment before you do. It makes the discussion more civilized.
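
The two positions argued in the thread above (diff and merge right before putting, versus a lock that is actually enforced), as an added example that is not motdedit and not anyone's posted code: a put that takes a lock and refuses to write over a file that changed since it was fetched, followed by a writer that skips the lock the way scp does. The file name, function names and sample posts are constructed for the example; `fcntl.flock` is advisory and Unix-only.

```python
import fcntl
import hashlib
import os
import tempfile


class StaleCopy(Exception):
    """The file changed after this editor fetched it."""


def fetch(path):
    """Read the file; return (text, digest of exactly what was read)."""
    with open(path, "rb") as f:
        data = f.read()
    return data.decode(), hashlib.sha256(data).hexdigest()


def put(path, new_text, base_digest):
    """Write new_text only if the file still matches base_digest.

    The lock makes check-and-write atomic among callers of put(). It is
    advisory: a writer that never asks for it (scp, cp, a plain open) is
    not stopped, which is the "lock that is not enforced" case.
    """
    with open(path, "r+b") as f:
        fcntl.flock(f, fcntl.LOCK_EX)
        try:
            if hashlib.sha256(f.read()).hexdigest() != base_digest:
                raise StaleCopy(path)
            f.seek(0)
            f.write(new_text.encode())
            f.truncate()
            f.flush()
            os.fsync(f.fileno())
        finally:
            fcntl.flock(f, fcntl.LOCK_UN)
    return hashlib.sha256(new_text.encode()).hexdigest()


def append_reply(path, reply, retries=3):
    """Fetch, add a reply, put; on conflict re-fetch and reapply the change."""
    for _ in range(retries):
        text, digest = fetch(path)
        try:
            return put(path, text + reply, digest)
        except StaleCopy:
            continue
    raise StaleCopy(path)


def demo():
    """Two editors fetch the same copy; return (conflict, merged, clobbered)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "motd.public")  # constructed stand-in file
        with open(path, "w") as f:
            f.write("5/11    original post\n")
        a_text, a_digest = fetch(path)
        b_text, b_digest = fetch(path)
        put(path, a_text + "        \\_ reply A\n", a_digest)
        try:
            put(path, b_text + "        \\_ reply B\n", b_digest)
            conflict = False
        except StaleCopy:
            conflict = True  # B's copy predates A's write
        append_reply(path, "        \\_ reply B\n")
        merged = fetch(path)[0]
        # A writer that bypasses put() still overwrites with its stale copy.
        with open(path, "w") as f:
            f.write(b_text + "        \\_ reply C\n")
        clobbered = fetch(path)[0]
    return conflict, merged, clobbered


if __name__ == "__main__":
    for item in demo():
        print(repr(item))
```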
2005/5/10-12 [Computer/SW/Security] UID:37604 Activity:nil
5/10    will putty w/ ssh work tomorrow?
        \_ "putty w/ ssh"?
        \_ Putty should work, but make sure you have a recent version.
           It's what I use, at least. - amckee
        \_ putty supports ssh2, so yes.
        \_ If you have a session defined for soda, you may want to change your
           "preferred SSH protocol version" to 2, or "2 only" in the
           Connection->SSH options.
        \_ Logging in with putty to write this on 5/11 -erikred.
2005/5/6-8 [Computer/SW/Security, Computer/SW/Unix] UID:37555 Activity:nil
5/6     A lot of web sites now have a login snippet on their main page,
        for which Firefox does not display an SSL icon
        (http://www.bankofamerica.com). Are those logins safe? You can
        usually find a specific login page within the website that
        has the SSL icon. I assume bank sites are usually safe in
        their design, but what about sites like
        http://www.officedepot.com? Some sites' login page
        (http://www.bookpool.com/ac) does not have an SSL icon, but
        their login button specifically says "secure login", how does
        it work? As an end user, how can one be sure the login/pw
        information is encrypted while in transit?
        \_ It's usually good practice to put the login page under SSL to
           preempt concerns like yours.  Many places don't have a login box
           on their front page, and make you click through to an https link
           to get a login box.  Others put the login box on their front
           page to save you that step, but the load of putting their front
           page under SSL is prohibitive.  If they say it's a secure login,
           the HTTP Post that sends your information will be under ssl.  If
           you want to test this, put in a bogus login/password and watch it
           jump to SSL when you click "login".
           \_ For verification:
              http://www.bankofamerica.com/signin/security_details_popup.cfm
           \_ So you have to 'observe' the flashing by of the SSL icon
              to distinguish these sites from sites that indeed use
              no security. I guess a better question is, how do you
              tell if the HTTP post used to send your login
              information is under SSL?
              \_ Best course of action: don't worry about it.  if someone's
                 really intent on stealing your info, there are easier ways
                 to do it.  There are non-technical ways to protect yourself
                 better.  keep an eye on your account activity.  get your
                 annual credit check (or more frequently if you're worried).
                 SSL is no guarantee no matter how Verisign wants to package
                 it.
                 \_ I find security policy varies significantly
                    between sites. Your password can be as strong as
                    you like, but often times the "I lost my password"
                    feature is typically implemented with very little
                    security in mind. Better sites will allow you to
                    reset your password after you verified who you are
                    (via secret questions, etc), never revealing what
                    your actual password was. But some not so security
                    conscious sites will simply email your password in
                    plain text, and sometimes all you have to do is to
                    provide your email address.  Some sites will also
                    reset your password with only the email address.
                    You can only guess how careful those sites will
                    treat your data (such as credit card info).. I am
                    trying to sort out the sites that have my login
                    information so that the lesser secure sites do not
                    share the same password as the more
                    secure/important sites...
              \_ The only way to be sure is to look at the source and see
                 how it's posting the login.  But even then, you won't know
                 for sure that the authentication server is using weak
                 encryption.
        \_ What's pretty funny is that gmail defaults back to http when you've
           logged in, and they seem to have removed the setting the security
           guy I mentioned which lets you set ssl for all mail access.  -John
           \_ My gmail still stays https and always has.  I know yahoo
              switches back to http after login.
              \_ The guy I spoke to said it used to be configurable but was
                 taken out.  If I turn any of my URLs into https, it stays
                 https, including turning all the links into ssl, but I know
                 of several people where it redirects to http.  No clue why
                 it varies.  -John
                 \_ You're right.  I just never noticed it, because my
                    bookmark specified https.  Thanks for the tip.
2005/5/4-5 [Computer/SW/Security] UID:37521 Activity:kinda low
5/4     Has anyone checked in a cardboard box for a flight recently?  Will
        the security screener tape the box back to shipping condition if
        they open it for inspection?
        \_ Haven't recently, but expect it to be opened and no way to seal
           it. Of course you can bring your own or hit one of the "inside"
           stores for some tape (don't expect shipping tape).
        \_ I took my bike in a cardboard box and they didn't bother opening
           it.  But then again, it's probably easily identified using the x-ray
           machines.  Your best bet is to either not put anything suspicious, or
           use one of those huge Tupperware-looking storage boxes as they at least
           close up reasonably afterwards.  -scottyg
           \_ I was asking for checked-in luggage.  I don't mind bringing
              tape but since security screening of checked-in luggage
              is done without my presence, how can I make sure the screener
              seals it back?
2005/4/29-7/12 [Computer/SW/Mail, Computer/SW/Security] UID:37426 Activity:nil
4/29    From the official motd above:
        As of May 11 Soda will discontinue SSH 1 and secure telnet support.  We
        will also be discontinuing support for unauthenticated/unencrypted
        mail services in compliance with university security requirements.
        Please see your email for more information (assuming you're on
        csua@csua).  Questions, comments, complaints, and cheap floozies to
        root.
         \_ Does this mean that I will not be able to access csua using
            ssh, or simply that there will be no one to help with problems,
            or that I need to use a new secure version of ssh?  Also, can
            I still use pine on csua?
            \_ SSHv1 is the old insecure version of the protocol. Most
               ssh clients now support SSHv2. If you are using OpenSSH
               you should have no problems.
         \_ Does this mean we will be able to use soda as an smtp gateway
            when off of campus net?
            \_ From the email sent out a few hours ago:
                To comply with UC Berkeley departmental standards, we must
                terminate support for unauthenticated/unencrypted external
                access to all mail services. If you access Soda via POP, IMAP,
                or send mail through our SMTP server you MUST switch to use
                both authentication and SSL/encryption. These options should
                be easily found within most mailers,

                IMAP / soda.csua.berkeley.edu port 993 (w/ssl)
                SMTP / soda.csua.berkeley.edu port 465 (w/ SSL + login is
                user@soda.csua.berkeley.edu and password)
                POP / soda.csua.berkeley.edu port 995 (w/ auth + SSL)

        \_ Per request, a copy of the email has been saved to the following
           location: /csua/pub/SodaChanges0505
           - jvarga
                \_ As an aside, I've found that for some bizarre reason,
                   Mozilla mail doesn't like some SMTP AUTH/TLS authentication
                   setups, while SMTP AUTH/SSL is just fine.  This is with
                   Postfix/SASL2 & Dovecot/imaps under FreeBSD 5.3-R.  I just
                   went through some trouble setting this up, and if anyone
                   wants my configs I'm happy to share.  -John
            \_ I'm off campus-net and I can send mail fine using SSL on port
               25.
        \_ Does that mean the ssh client at
           http://www.csua.berkeley.edu/ssh will no longer work?
2005/4/29-5/1 [Computer/SW/Security, Computer/SW/OS/Solaris] UID:37425 Activity:moderate
4/29    Why did Sun decide to implement SMF in Solaris 10? Was it just to
        piss off customers or is there some technical advantage?
        \_ Are you talking about the new way to start/stop programs,
           &c.?  If so, I must agree that the only purpose was to piss
           off customers and prove that Sun can do something stupid and
           different than Linux (chkconfig may not be great, but it
           mostly works and everyone knows how to write init scripts)
           BTW, SMF pissed off a lot of ppl inside sun who have to ship
           products on other *nix than Solaris.
           \_ I guess Sun should be on http://fuckedcompany.com if it isn't
              already.
        \_ Can someone give me a list of reasons why SMF is bad?
           \_ Complicated new way to do something that has already been
              done. Like I said, if there's some technical advantage then
              I'd like to know what it is. Maybe there is one. If not, it
              is just change for change's sake.
           \_ 1. SMF uses non-standard commands - you can't simply
                 start/stop a process by calling its init script,
                 you have to know what its SMF "name" is. Even if
                 you don't have to deal w/ other *nix, SMF makes
                 switching btwn S9 and S10 a pain.
              2. SMF enable/disable semantics are bizarre - you
                 can't just say enable/disable X like in chkconfig
                 and assume that the daemon is enabled
              3. SMF fails to provide adequate feedback re failures
                 of configuration. Often, you can't tell if a fault
                 needs to be cleared in order for the service to be
                 enabled.
              4. SMF's files are non-standard and their contents
                 are not explained well - the purpose of SMF is
                 to make fault recover/mgmt easier, however if
                 most of your admins don't/can't figure out how
                 to fix config problems, faults will take longer
                 to remedy. Developers and Admins should not have
                 to read some guy's blog on http://blogs.sun.com in order
                 to get details on how the system works.
                 \_ http://docs.sun.com/app/docs/doc/817-1985/6mhm8o5n0?q=smf&a=view
                    \_ Yes there are docs, but the docs don't
                       really have anything useful in them. Ex.
                       tell me where in that page it specifies
                       how to use svcadm to disable a process
                       from being started or how to tell if
                       the reason a particular process is not
                       starting automatically is b/c SMF thinks
                       that the process is in 'fault' state and
                       must be cleared.
              5. The fault mgmt functionality provided by SMF could
                 easily have been provided through additions to
                 existing functionality (specific args to init
                 scripts, allowing apps to dump monitoring scripts
                 into a given directory, &c.)
                \_ Sounds like one of those numerous cases where Sun was trying
                   to solve the problem which has been already solved
                   by others and comes up with some terribly complicated and
                   non-standard way of doing things. *sigh*
2005/4/29-5/1 [Computer/SW/Security] UID:37424 Activity:moderate
4/29    How does data cracking work?  I guess someone intercepts some encoded
        data, and then tries to apply many different conversions on the data to
        find the right conversion that yields the original data.  But then how
        does he know which conversion is the right one when he doesn't even
        know what the original data is?  -- newbie
        \_ Related question:  What were the problem(s) with SSH1?
           -- not-so-newbie
           \_ iirc, SSHv1 used the same dh key for both encryption and
              hmac w/o deriving separate keys for each.
        \_ Depends on application--some apps use poor randomness, insufficient
           keylength, static keys, re-used keys, etc.  Cracking can be done
           a couple of ways, including pattern analysis and just plain brute
           forcing--you're pretty unlikely to get, say, two different clear
           text tcp streams that both look "right".  Very often you're also
           not "cracking" anything, but rather relying on a buffer overflow or
           similar (as with the SSH CRC32 exploit.)  -John
        \_ What John said. Also, the TLA agencies do things like pattern
           and traffic analysis to try and look for information in the
           bitstream. A surprising amount of information can be figured
           just by looking at things like the frequency of certain
           sequences.
           \- hola, i do not know what "data cracking" means however, based
              on the followup comments, you may want to look at I GOLDBERG's
              [UCB] PhD thesis on the design of the "anonymized IP wormhole"
              which 1. presents a useful framework to think about "the problem
              space" 2. has an interesting discussion on confounding "generic
              traffic analysis". it may be more than you are looking for but
              isnt that long ... i imagine there is a shorter version of the
              "freedom" project [IG gave some talks], but i dont know if
              there is something downloadable. --psb
              \- I note in passing IG uses the example of "you would never
                 expect the us govt and the libyan govt to collude!" which
                 is sort of funny given that MQ is now our good friend.
                 better add the north korean and syrian govts. the probability
                 of north korea becoming our friend = how many bits of crypto
                 strength? --psb
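The question at the top of this thread (how the cracker knows which trial decryption is the right one) comes down to redundancy in the plaintext. As an added example, not code from the thread: a deliberately weak single-byte XOR cipher over a constructed message, with every key tried and each candidate scored for how much it looks like English. The message, the key and the function names are assumptions made for the demonstration.

```python
"""Brute-force key search on a toy cipher, showing how the right candidate is
recognised: real plaintext is redundant, wrong decryptions look like noise."""

# Constructed sample message and key, used only for this demonstration.
PLAINTEXT = b"Soda will discontinue SSH 1 and secure telnet support on May 11."
SECRET_KEY = 0x5A

# The most frequent English letters plus the space character.
COMMON = frozenset(b"etaoinshrdlu ")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy cipher (deliberately weak): XOR every byte with one key byte."""
    return bytes(b ^ key for b in data)


def english_score(candidate: bytes) -> float:
    """Score in [0, 1]: share of bytes that are common English characters.

    Any byte outside printable ASCII disqualifies the candidate outright,
    because ordinary text never contains one.
    """
    if not candidate or any(b < 0x20 or b > 0x7E for b in candidate):
        return 0.0
    hits = sum(1 for b in candidate.lower() if b in COMMON)
    return hits / len(candidate)


def rank_keys(ciphertext: bytes):
    """Try all 256 keys; return (score, key, candidate) tuples, best first."""
    ranked = []
    for key in range(256):
        candidate = xor_bytes(ciphertext, key)
        ranked.append((english_score(candidate), key, candidate))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked


if __name__ == "__main__":
    ciphertext = xor_bytes(PLAINTEXT, SECRET_KEY)
    # The searcher never sees PLAINTEXT; it only ranks what each key produces.
    for score, key, text in rank_keys(ciphertext)[:3]:
        print(f"key=0x{key:02x} score={score:.2f} {text!r}")
```

Only one key produces a candidate that is both printable and dominated by common letters and spaces, which is the point made above about two different cleartexts rarely both looking "right". Compressed or random-looking plaintext removes that redundancy, so the same search has nothing to recognise.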
2005/4/29-5/1 [Computer/SW/Security] UID:37422 Activity:nil
4/29    When I run winver.exe, it displays a string "Version 5.1 (Build
        2600.xpsp2.050301-1526 : Service Pack 1)".  Since it says Service Pack
        1, what does the "sp2" after "xp" stand for?  Thanks.
        \_ I have (Build 2600.xpsp_sp2_gdr.050301-1519 : Service Pack 2)
        \_ http://blogs.msdn.com/oldnewthing/archive/2005/03/18/398550.aspx
2005/4/21-22 [Computer/SW/Security, Computer/SW/OS/Windows] UID:37302 Activity:nil
4/21    Prank Paper accepted for publication:
        http://www.cnn.com/2005/EDUCATION/04/21/academic.hoax.ap/index.html
        \_ Wow, that only took CNN about 2 weeks to report.
        \_ Dude that's already been reported on motd:
           http://csua.com/?entry=37223
                \_ it's already been reported twice on the motd.
        \_ Conferences are just social gatherings.
2005/4/20-22 [Computer/SW/Security] UID:37288 Activity:low
4/20 SSH X forwarding question: I hook up my laptop to corporate net
     and am able, via cygwin and ssh -X, to run X stuff w/o a problem from
     my corporate PC. But when I am at home, I get authentication
     errors when my laptop is hooked up to my dsl.  The only
     difference is that, in order to get through my work's firewall,
     I need to ssh through another host (i.e. ssh -X shost.corp and
     then ssh -X mypc). I can run apps from the shost machine w/o a
     problem. Ideas? Suggestions?  shost is freebsd 4.10 while my
     machine is freebsd 5.3.  thanks
        \_ On which machine are you getting the errors?  Are you going
           directly from the home laptop to mypc?  -John
        \_ ssh -g -L 4567:mypc:22 shost.corp
           ssh -X localhost -p 4567
        \_ The formatting and punctuation is just painful to look at.
           \_ [ Edited for readability -formatd ]
2005/4/18-19 [Computer/SW/Security] UID:37241 Activity:nil
4/18    How do I do all that dsa_id public thingie so that I can ssh/scp into
        my cluster of machines (that happen to have the same NFS mount)
        without having to type password?                -dsa ssh idiot
        \_ http://www.arches.uga.edu/~pkeck/ssh
        \_ http://www.csua.berkeley.edu/~ranga/notes/ssh_nopass.html
        \_ Assuming that all of the systems in your cluster mount your
           home directory the following will probably work for you:
           1. Generate a dsa key pair (can be on any system):
                $ cd && ssh-keygen -t dsa -f .id_dsa -P ''
              This creates .id_dsa (private key) and .id_dsa.pub (public
              key) in your home directory
           2. Copy .id_dsa.pub into your nfs accessible home directory:
                $ scp .id_dsa.pub user@host:.ssh/authorized_keys
                $ scp .id_dsa.pub user@host:.ssh/authorized_keys2
              (This assumes that you don't have authorized keys
               already)
           3. Test it out:
                $ ssh -i .id_dsa user@host
              You should not be prompted for a password. If you
              are, try ssh -v and/or make sure that the authorized
              keys files are 0600 and the .ssh dir is 0700.
           4. If you always want to present the same id to all hosts
              add the following to your ~/.ssh/config:
                Host *
                        IdentityFile ~/.id_dsa
              If you want to restrict (on your cluster systems) the
              hosts from which you will accept a particular id, try
              adding 'from="ip range" ' before ssh-dsa.
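A check for the setup described in the steps above, as an added example that is not part of the original post: it verifies the 0700/0600 modes from step 3 and reports which authorized_keys entries lack the from= restriction from step 4. The function names and the sample entries (with placeholder key blobs) are constructed here; in an authorized_keys file the key-type field for a DSA key is written `ssh-dss`.

```python
"""Audit an account's SSH public-key setup: directory and file modes, plus the
per-key from= restriction in authorized_keys."""
import os
import stat
import tempfile

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _split_outside_quotes(text, separators, maxsplit=-1):
    """Split on separator characters that are not inside double quotes."""
    parts, current, in_quotes, escaped = [], [], False, False
    for i, ch in enumerate(text):
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch in separators and not in_quotes:
            parts.append("".join(current))
            current = []
            if maxsplit > 0 and len(parts) == maxsplit:
                parts.append(text[i + 1:])
                return parts
            continue
        current.append(ch)
    parts.append("".join(current))
    return parts


def split_entry(line):
    """Return (options, key_type, blob, comment) for one authorized_keys line.

    The leading options field is optional and may hold quoted values with
    commas or spaces, so a plain str.split() would cut it in the wrong place.
    """
    line = line.strip()
    if line.startswith(KEY_TYPE_PREFIXES):
        options, rest = "", line
    else:
        parts = _split_outside_quotes(line, " \t", maxsplit=1)
        if len(parts) != 2:
            raise ValueError("options field without a key")
        options, rest = parts[0], parts[1].lstrip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("missing key type or key data")
    return options, fields[0], fields[1], fields[2] if len(fields) > 2 else ""


def option_names(options):
    """Lower-cased option names, e.g. ['from', 'no-pty']."""
    return [o.split("=", 1)[0].lower() for o in _split_outside_quotes(options, ",")]


def audit_ssh_dir(ssh_dir):
    """Return a list of findings for ssh_dir and its authorized_keys file."""
    findings = []
    path = os.path.join(ssh_dir, "authorized_keys")
    if stat.S_IMODE(os.stat(ssh_dir).st_mode) & 0o077:
        findings.append(".ssh directory is open to group/other (post recommends 0700)")
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("authorized_keys is open to group/other (post recommends 0600)")
    with open(path, encoding="utf-8") as handle:
        for number, line in enumerate(handle, 1):
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            try:
                options, key_type, _blob, comment = split_entry(line)
            except ValueError as exc:
                findings.append(f"line {number}: unparseable entry ({exc})")
                continue
            label = comment or key_type
            if key_type == "ssh-dss":
                findings.append(f"line {number}: {label}: DSA key, disabled by "
                                "default since OpenSSH 7.0")
            if "from" not in option_names(options):
                findings.append(f"line {number}: {label}: no from= restriction")
    return findings


def demo():
    """Build a constructed .ssh directory in a temp dir and audit it."""
    sample = (
        "# constructed entries; the key blobs are placeholders, not real keys\n"
        'from="10.0.0.0/8,192.168.1.*",no-pty ssh-dss AAAAB3NzaC1kc3MAPLACEHOLDER jdoe@cluster\n'
        "ssh-rsa AAAAB3NzaC1yc2EAPLACEHOLDER jdoe@laptop\n"
    )
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o700)
        path = os.path.join(ssh_dir, "authorized_keys")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(sample)
        os.chmod(path, 0o644)  # deliberately looser than the recommended 0600
        return audit_ssh_dir(ssh_dir)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the key in step 1 is generated with an empty passphrase, the from= restriction is the only thing limiting where a copied private key can be used from, which is why entries without it are reported.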
2005/4/17-18 [Computer/SW/Security, Computer/Networking] UID:37232 Activity:nil
4/17    Anyone know if Yahoo Messenger is encrypted? I use it in internet
        cafes a lot with my 802.11 and I'm wondering if my password is
        protected or not. I don't care about the communication, just my
        password. -ok thx
        \_ Probably not.  If you want to know definitively, run tcpdump.
           Alternatively, set up a VPN and pipe all your connections through
           that.
        \_ Your clear text password is not saved in your machine nor is it sent
           in the clear text through the internet.
2005/4/15-17 [Computer/SW/Security, Computer/SW/Apps, Computer/HW/CPU] UID:37199 Activity:nil
4/15    http://www.cnn.com/2005/TECH/science/04/14/mit.prank.reut/index.html
        The lead author is a (recent) cal alum.
2005/4/14-15 [Computer/SW/Security, Computer/SW/Unix] UID:37186 Activity:high
4/13    Hey, if you're going to update nethack, update angband, too.  You
        could also install a variant, like NPPAngband:
        http://home.comcast.net/~nppangband
        \_ Interesting.  Thanks for the pointer.
           \_ there's even a competition:
              http://mysite.wanadoo-members.co.uk/angband_comp/compo.html
        \_ Installed angband (there was a ports version) - amckee
           \_ NPPAngband is trivial to install.  Why not install that too?
              \_ Because I was up until 2:30 upgrading Perl and did this
                 between compiles? MAYBE I'll install it, though. =) amckee
           \_ If by 'trivial' you mean 'completely manual', yes it was trivial.
              I've installed it as NPPAngband, I did not overwrite angband
        \_ Oh no!  There goes my weekend/life! -scottyg
        \_ NetHack, Copyright 1985-2003
           By Stichting Mathematisch Centrum and M. Stephenson.
           See license for details.
           No write permission to lock perm!
           Hit space to continue:
           \_ Unable to replicate with my two user-land accounts,
              do you have any stale files around? Anyone else seeing this?
              Send email to amckee/root, iff you see this and want it
              looked at.
              \_ i don't think you quite understand what userland means.
                 \_ You do realize that, in addition to OS, process, and
                    object level privileges, root accounts can run in
                    increased kernel priority levels? Granted, in this case
                    the problem is most likely to do with file permissions,
                    it is not an atypical usage of the word 'userland' to
                    refer to non-root/non-privileged users. Thanks for the
                    snideness, though.
                    \_ i still don't think you quite understand what
                       userland means. try looking it up in, say, the jargon
                       file. root accounts are not any different from
                       normal ones in terms of where they run (i.e., they do
                       not run in the kernel). the kernel will allow you to
                       do privileged things by being root, yes, but they are
                       still done by the kernel, not because you as root are
                       in the kernel mucking around.
2005/4/13-15 [Computer/SW/Security] UID:37183 Activity:kinda low
4/13    Comcast internet service SUCKS!!!
        If you want to be a national ISP you've got to know how to run a DNS
        server.
        \_ Agreed.  It could be worse, though -- at least broken DNS is easy
           to work around.
           \_ Whiny bitches.  If people wanted reliable service, the free
              market would reward a company for providing it.  Clearly,
              people are happy to pay for spotty service.
                \_ One of the great things about "the free market" is that
                   it provides for many a niche.  Some, like me, pay a
                   small premium to a company like speakeasy for reliable
                   and reasonable service (no shutting off access to ports
                   without notice) and others who want a cheap service,
                   get it.
                   \_ You know, I think you're right.  I'm getting what
                      I pay for.  --second poster
2005/4/12-14 [Transportation/Car, Computer/SW/Security] UID:37151 Activity:nil
4/12    Free transbay bus service for one month:
        http://www.actransit.org/news/articledetail.wu?articleid=ae28f29b
        Pretty attractive when gas price is high.
        \_ It's only free westbound.  Return trip still costs $3.  But I
           think it's a good publicity for the new park & ride lot.
2005/4/11-13 [Computer/SW/Security] UID:37143 Activity:nil
4/11    I called Berkeley's fraud alert hotline and the only info the thieves
        had are: My full name, SSN, and the money I made. That's weird, I
        don't remember putting down how much money I made when I applied to
        Berkeley. Anyways, they told me to call Experian 888-397-3742
        Option 2, 2, 3, 2, 1, 2 to put myself on fraud alert.
        \_ Is this pre-emptive or has somebody already started using the
           stolen ID info? -- ulysses
           \_ I don't think there's been any evidence that the stolen ID info
              has been used.  -tom
           \_ who is deleting useful replies?
              There is as of yet no evidence that the stolen data have been
              used.   -tom
2005/4/11 [Computer/SW/Security, Computer/SW/OS/OsX] UID:37142 Activity:very high
4/11    What's the best way to transfer files between Macs and PCs? I don't
        want to install NFS (too heavy weight), there must be another way.
        Like, I don't want to use SCP because it doesn't do recursive copy...
        \_ scp -r.  windows scp clients do this too.  fool
        \_ samba on the Mac.  -tom
        \_ Why not just connect to the PC from the Mac? OS X has a built-in
           SMB client or you can just enable Windows Sharing on OS X for
           the opposite direction.
            \_ my problem with WinSCP is that it doesn't like to copy file
               names with foreign letters (accented e, Ooo, etc). What other
               alternatives are there besides WinSCP which I like a lot?
               \_ You were given the correct answer and deleted it.  go away.
            \_ scp doesn't do recursive copy? have you tried scp -r?
        \_ USB2.0/IEEE1394 hard drive enclosure
           \_ Why was this deleted?
        \_ rsync over ssh.
        \_ car full of cdrs!
           \_ Only if copied and driven by a hot naked chick, who you have sex
              with during the copying.
           \_ Only if the data is lisp code.
        \_ 4" floppy disk
        \_ smb share + net.
           \_ seconded. If you have OpenSSH installed on your Win* box,
              then you can even use ssh tunneling.
2005/4/6-8 [Computer/SW/Security, Computer/SW/Unix] UID:37085 Activity:nil
4/6     In Linux, when I type "limit" I get to see the max # of file
        descriptors I can have. How do I check the number of descriptors
        I'm holding and how do I change it? "limit descriptors 8096"
        doesn't work (think I might need root or something)
        \_ limit/ulimit work at the shell level.  You can see the number of
           descriptors held in /proc/self/fd.  To change the max fd's, you
           may need to change the hardcoded limits in /etc/security/limits.conf
           your syntax is right, but you are probably trying to go past the
           hard limit (limit -h to view)  Yes, you will need root access to
           change the hard limit.
2005/4/6-7 [Computer/SW/Languages, Computer/SW/Security] UID:37084 Activity:high
4/6     My banks, brokers and credit card companies are promoting paperless
        statements.  If I tell them to stop mailing me paper statements, and
        later there's a glitch on their computers, will I be at a disadvantage
        proving my case with printouts from their web pages compared to if I
        have their paper statements?  I'm trying to see if it's a good idea to
        stop the paper statements in my mailbox in order to avoid ID theft.
        Thx.
        \_ Can you ask them whether they can somehow sign their statements
           that they send to you (x.509 cert, pgp, etc.?)  What's the
           situation on digital signing/non-repudiation in the US right now
           anyway?  Even if there's no precedent or legal basis for it, it
           might still be better than just an occasional email or web page
           printout.  If you're worried about ID theft from paper statements,
           there are easier ways of doing it (credit card slips, for example.)
           You could just get a PO box too.  If your bank is putting info that
           could be used to compromise your authentication details on paper
           statements, find a new bank.  -John
           \_ All my bank and credit card paper statements have account numbers
              on them.  I think stealing mail from my mailbox at the front of
              my house in broad daylight is very easy.
           \_ my friends in comp security all say digital signature and
              non-repudiation is a non-issue.  the courts don't care and will
              accept all kinds of strange records if presented w/ an
              affidavit/oath of truth.  hell, fax'd signatures are enough,
              and anyone can forge one of those.  records are the starting
              point for deliberation, not the endpoint.
              \_ It's an issue in countries with a proper legal framework, and
                 with banks that give a rat's ass (American banks are
                 notorious in that regard, and for not paying a lot of
                 attention to proper authentication.)  Will a paper statement
                 serve as proof in court in case of a dispute?  I'm asking
                 because you're essentially trusting their record keeping
                 (such as transaction serial #s, etc.) to verify the
                 authenticity of the documentation.  -John
        \_ I think you should do a risk assessment of using the bank's
           record keeping vs. your own and see which is more likely to fail.
           \_ Yes my record is more likely to fail, but that's not the issue.
              If my record has a mistake, the bank is not going to go by my
              record to determine how much I have left in my account.  But if
              the bank record has a mistake, the bank will most likely go by
              its record unless I can prove otherwise.  Now my question is:
              is a printout from a web page as good a proof as the fancy
              paper statement from the bank?
              \_ I think you'll find neither of them can prove a balance.
                 the record of transactions is useful so you can ask for
                 details on any transactions that occurred which are not
                 in your records, e.g. reconciliation of accounts.
        \_ I filed a small claims lawsuit and needed to print out a statement.
           8 months passed between when I filed for the claim and when the
           trial's gonna happen. That month I tried to print out bank
           statements but it said "Sorry we only go back to 6 months." I
           had no choice but to delay the trial date. What a drag.
        \_ I think if you care about these sort of things, then you should
           keep the paper copy. I do the same thing for the very same reason.
2005/4/2-5 [Computer/SW/Security] UID:37045 Activity:nil
4/2     Where do I enter computer equipment expense for my
        consulting service? Is it Office Expense? Misc expense?
        Home Office expense? Thanks.
        \_ I put it under misc. on the Schedule C (not the 8859)
2005/3/30-31 [Computer/SW/Security, Computer/SW/Unix] UID:36971 Activity:kinda low
3/30    ssh port forwarding/X11 issue: Any ideas  on how to solve this
        problem: I ssh over to a remote host that shares my same home
        directory. My forward X11 works okay until I sudo to root.
        I get a message about wrong authentication. Any ideas ?
        Being root on the  base machine works just fine for X11.
        \_ xhost
        \_ NFS mount root squash making your $HOME/.Xauthority not readable
           perhaps.
           \_ Another possibility is sudo not retaining $HOME. But anyway,
              look into the xauth command.
2005/3/30-31 [Computer/SW/Security, Computer/SW/OS/Windows, Computer/SW/Unix] UID:36959 Activity:nil
3/30    In Windows XP, when I share [export] a folder with read/write/execute
        permissions for ALL, it still asks for username/password. How do I
        configure it so that it never asks for user/password?
        \_ You need to enable the Guest account.
2005/3/25-31 [Computer/SW/Security, Computer/SW/Unix] UID:36883 Activity:moderate
3/25    My team (Yahoo! login/registration/access) has several
        software engineer positions open at all experience levels. -atom
        \_ I need a part time job, please give me a flexible part time
           job because school sucks.                             -kchang
        \_ How about fucking change the default login to be secure login??
           Every other fucking website in the world uses secure login. Why
           does Yahoo insist on using non-secure login as default????!!!
           \_ Because it is secure, dufus. Assuming you have javascript
              enabled anyway. They issue a random challenge string that
              you answer by hashing together your password and the challenge.
              \_ Oh wow, we don't really need SSL I guess.
                 \_ Wow, no, it's needed for some things.
              \_ Why doesn't yahoo use SSL login by default?
                 \_ Well, the obvious reason is they don't want to buy
                    hardware that can handle craploads of SSL connections,
                    which is a lot more expensive than the hashing scheme.
           \_ Aren't you in LA?
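The challenge-and-hash login described in this thread, with both sides of the exchange, as an added example that is not Yahoo's code. The thread does not give the actual hash construction, so HMAC-SHA256 keyed with a SHA-256 digest of the password is an assumption, as are the names LoginServer, client_response and run_exchange and the constructed account.

```python
"""Challenge-response login: the server sends a random challenge, the client
answers with a keyed hash of it, and the password never crosses the wire."""
import hashlib
import hmac
import secrets


def password_verifier(password: str) -> bytes:
    """Value both sides derive from the password (assumed construction)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def client_response(password: str, challenge: str) -> str:
    """What the browser-side script computes and sends back."""
    return hmac.new(password_verifier(password), challenge.encode("ascii"),
                    hashlib.sha256).hexdigest()


class LoginServer:
    def __init__(self):
        self._verifiers = {}  # user -> verifier; as sensitive as the password itself
        self._pending = {}    # user -> challenge that has not been answered yet

    def register(self, user: str, password: str) -> None:
        self._verifiers[user] = password_verifier(password)

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # pop(): every challenge is accepted at most once, so a recorded
        # response cannot be played back against it later.
        challenge = self._pending.pop(user, None)
        verifier = self._verifiers.get(user)
        if challenge is None or verifier is None:
            return False
        expected = hmac.new(verifier, challenge.encode("ascii"),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def run_exchange():
    """Play both sides once and report what happened (constructed account)."""
    server = LoginServer()
    server.register("alice", "correct horse")
    wire = []  # everything a passive observer on the network would see

    challenge = server.issue_challenge("alice")
    response = client_response("correct horse", challenge)
    wire += [challenge, response]
    accepted = server.verify("alice", response)

    fresh = server.issue_challenge("alice")
    wire.append(fresh)
    replay_accepted = server.verify("alice", response)  # old answer, new challenge

    third = server.issue_challenge("alice")
    wrong_accepted = server.verify("alice", client_response("wrong guess", third))

    return {
        "accepted": accepted,
        "replay_accepted": replay_accepted,
        "wrong_password_accepted": wrong_accepted,
        "password_on_wire": any("correct horse" in item for item in wire),
    }


if __name__ == "__main__":
    print(run_exchange())
```

Nothing in this exchange authenticates the server to the client or protects the session that follows the login, and the stored verifier is as good as the password to anyone who reads it on the server; those are the gaps the replies asking about SSL are pointing at.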
2005/3/25-28 [Computer/SW/Security] UID:36868 Activity:nil
3/24    Where can I dispose of a dead CRT for free? Office Depot had a free
        service, but it looks like it's over. Thanks. -slow
        \_ http://csua.com/?entry=25428
        \_ In a dumpster. Seriously. Otherwise, wait for one of those
           days where you can dispose of toxics for free. I favor a random
           dumpster, though. Yes, I have done that.
        \_ Free on Fridays at http://www.accrc.org
2005/3/23-24 [Computer/SW/Languages/Misc, Computer/SW/Security, Transportation/Car/Hybrid] UID:36839 Activity:nil 50%like:36690
3/23    Now you can RIDE ELECTRIC BIKE!
        http://tinyurl.com/59b77 (gizmodo)
        \_ Electric bikes are not new.  -tom
2005/3/23-24 [Recreation/Dating, Computer/SW/Security] UID:36827 Activity:high
3/26    One more reason to use PGP, and maybe the Anonymizer. And by the way,
        only 1700 porn pictures? I have at least 100X that:
        http://news.bbc.co.uk/2/hi/entertainment/4376959.stm
        \_ You have over 170,000 porn pictures?
           \_ I do.
              \_ Assuming no repeats and a minimal 10 seconds per picture,
                 it would take you 472.2 hours to look at all that pr0n.
                 Where are you getting the time?
                 \_ 10 seconds?  Try 1.
                 \_ 472 hrs? Spread that over five years and you are talking
                    about an hour a week.
                    \_ Just another slow work week.
        \_ How about yet another reason to get your mind out of the
           gutter and use your higher cognitive functions for something
           more useful than viewing pictures of women in various states
           of undress?
           \_ How about two or more women?
           \_ I agree. He should spend more time getting out of the house
              to find women willing to undress live and in person. There's
              no cognitive function more useful than that.
2005/3/22-24 [Computer/SW/Security, Politics/Domestic/SocialSecurity] UID:36815 Activity:nil
3/22    CNN front page:  "But when 443 of the 909 polled were asked whether
        they supported private retirement accounts in exchange for a reduction
        of guaranteed retirement benefits, support fell to 33 percent, while
        opposition rose to 59 percent [+/- 4.5 points]. ...
        Fifty percent said they understood the debate over Social Security
        "somewhat well," and 31 percent said they understood it "very well."
        Only 18 percent said they did not have a good grasp of the matter.
2005/3/22-5/9 [Computer/SW/Security] UID:36803 Activity:nil
3/22    imap, pine, pop3s, ssh/sshd, and (most importantly) nethack
        updated.  Okay, a bunch of other random stuff that no one
        ever probably uses has also been updated. Send bugs
        (other than high score resetting) to root.
2005/3/18-19 [Computer/SW/Security] UID:36748 Activity:kinda low
3/15    Someone asked about popular backup options?
        http://www.engadget.com/entry/1234000710036562
        \_ I appreciate the helpfulness, but as usual, they all suck.  The
           closest thing to easy I know of are the one-touch backup drives
           from Western Digital, but I just wish they did encryption too.
           \_ It's kludgey, but have you considered backing up encrypted
              content rather than encrypting backed up content?  -John
              \_ Yes.  But it would be nice if, on the backup, the whole
                 drive is encrypted.
                 \_ How non-interactive must it be?  Can you back up to a
                    pgpdisk or EFS, or cfs/encfs on FreeBSD/Linux?  -John
                    \_ Well, when I said "closest thing to easy" I really
                       meant for yermom, I mean, my mom or my boss to use it,
                       and ideally easy for me to setup as well.
2005/3/18-4/4 [Computer/SW/Unix, Computer/SW/Security] UID:36744 Activity:nil
3/18    Office account holders - please clean up your directories, or
        we'll have to unleash the wrath of root (and karen) on you! =)
2005/3/11-14 [Computer/SW/P2P, Computer/SW/Security] UID:36651 Activity:high
3/11    What do I need to do to make sure I don't get sued when I use
        bittorrent? I am still a newbie. Thx.
        \_ Azureus bittorrent client w/ safepeer plug-in supposedly
           blacklists evil MPAA spy machines...
        \_ Don't download copyrighted materials, or run it on someone else's
           machine.
           \_ How about a real answer? I don't care much for music/movie,
              only apps/games.
              \_ It is a real answer.  Bittorrent was not conceived to
                 provide any sort of anonymity; Bram Cohen states as much
                 somewhere on http://bittorrent.com.  The fact that you have a
                 tracker file hosted somewhere makes your IP show up.  -John
              \_ That's illegal and you can never fully "make sure" you don't
                 get sued.
                 \_ Under bittorrent, how would they trace me? Just give me
                    the technical info, if they were to do so? does the .torrent
                    file contains my info? ip?
                    \_ If you don't know enough to figure this out yourself,
                       you really shouldn't attempt it.
                       \_ In other words "I don't know".
                          \_ In other words, "You're a dumbass, and I'll laugh
                             my ass the fuck off if you get prosecuted"
                             \_ Sniff. Please sir, don't call me names.
                    \_ AFAIK, the underlying d/l stream in BT is not
                       encrypted. Someone w/ a pkt sniffer can
                       tell that you are using BT and what you are
                       d/l'ing. If they record the pkts, (which may
                       not be protected under 4 amd) the recorded
                       stream may be used as evid of your copyright
                       violation.
                       The best way to avoid this is to not become
                       an attractive target by d/l'ing high value
                       items frequently. The ONLY 100% safe way is
                       to not d/l copyrighted material.
                       \_ Isn't it easier than that to track someone?
                          I mean, if you're downloading Revenge of the Sith,
                          that means you're also serving it.
                          If I'm the Feds, and I turn on my bittorrent
                          client and start grabbing the movie, I should get
                          a list of IP addresses of everyone I'm getting
                          packets from.  I just tell the movie companies to
                          ask the ISPs to match IP addresses to people's
                          names for those people sending the most packets.
                          It doesn't matter if the data are encrypted, since
                          the IP addresses in the IP headers are in cleartext.
                          (although I feel stupid putting it this way)
                          \_ ISPs do not have to disclose the names of
                             people for a particular IP addr unless the
                             cops get a warrant by showing prob. cause.
                             To show prob. cause, the cops need to prove
                             that the IP addr actually served or d/l'ed
                             copyrighted content thus violating the
                             copyright. (simply having copyrighted
                             content on your computer that you own may
                             be covered under fair use and does not
                             show that you have likely violated the law).
                             If the content is encrypted, then the cops
                             can't really prove to the judge issuing
                             the warrant that you served or d/l'ed
                             copyrighted content and may not be able
                             to meet the prob cause requirement.
                             (Some judges might say that having the
                             files there was enough to est. prob
                             cause so you have to be careful)
                             If you use authentication, and the feds
                             lie to you to get a valid passwd, then
                             you may have all sorts of other legal
                             protections.
                             \_ Maybe that's why there are so few torrent
                                users being sued.  Anyways, since I don't
                                think the torrent data are encrypted anyway,
                                maybe it's not worth arguing about.
                                From a "I might get sued!" standpoint, I
                                personally would take the assumption that
                                encryption won't help for the Revenge of
                                the Sith example, but, YMMV.
              \_ Uhm, it is a real answer.  You want to use it for illegal
                 purposes, so you risk getting sued.
        \_ From what I've heard they've only sued 7 bittorrent users
           (non-ISPs).  It's not as bad as MP3 sharing ... yet.
           Basically, you are a target if you have fat upstream, you leave your
           computer on all the time so you have the double whammy of always
           serving files and your IP address never changing, and you serve a
           lot of new movies.
           You're probably not a juicy target, but for the average user, I
           would just avoid grabbing new mainstream movies, lots of recent
           movies, or serving lots of ISOs like WinXP or Office 2003.
           \_ Thanks! And to the guy above, f*** off!
              \_ Uhm, so you basically posted to get someone to pat you on the
                 back and say "Oh no, baby, it's okay.  No one's going to sue
                 you!"  That's pretty retarded.  I mean, honestly, if you're
                 going to trade in copyrighted materials, you become vulnerable
                 to a variety of legal actions.  Period.  If you can't accept
                 that, then just buy the fucking thing and quit wringing your
                 hands.
                 \_ Every piece of software on your computer is legally
                    obtained?
                    \_ No clue...but I know the risks and am willing to
                       accept them.  *shrug*
                       \_ I see, so all that no stealing lecture does not
                          apply to yourself. I am speechless.
                          \_ You do realize that more than two people can post
                             right?  I haven't campaigned for or against the
                             morality of the issue, only the OP's retardation
                             about playing games with legality and essentially
                             entering a state of denial.  You're an idiot,
                             by the way, just in case that wasn't clear in your
                             post.
                 \_ He didn't ask for a lecture, just how to avoid the law.
                    \_ So if op had asked you how to shoplift, you would
                       have told him w/o informing him that (1) it was
                       wrong to steal and (2) he may be subject to criminal
                       liability?
                       What I find more disturbing is the fact that op
                       feels entitled to download games (and whatever
                       else he wants) w/o paying for it.  Regardless of
                       the civil/criminal liability associated w/ this
                       sort of activity, op OUGHT to realize that actual
                       people worked on the games that he is stealing
                       and if everyone acted like him and stole these
                       games there would be no incentive for people to
                       work on future games. If the hard work of others
                       brings you benefit, PAY FOR IT or we all lose in
                       the long run.
                       \_ I'm not going to disagree with you about games, but
                          I don't agree that stealing software always costs
                          companies money in lost business.  I've used stolen
                          copies of very expensive software to get the feel
                          for them and figure out how to use them and then
                          spent huge amounts of Other People's Money to buy
                          the real thing based on having tried it for free.
                          In some cases I would probably not have made that
                          purchasing decision had I not been able to try it out.
                          So in the end, the company made *more* money than
                          they would had I not stolen a copy while I was a poor
                          student who couldn't afford it anyway.
                          \_ I can see your rationale. If you end up
                             buying a copy of the software or deleting
                             it b/c you don't want to buy it, there is
                             no violation of the principle that one ought
                             pay for things from which one derives a
                             benefit. Unfortunately the law does not (and
                             probably cannot ever) allow for this.
                             The general principle could be applied to
                             games/music/books/movies/&c. if there were
                             no public library or private rental systems,
                             however, it is so easy and affordable to
                             rent things it doesn't really make sense to
                             steal.
                             \_  Well, the way for this to be legal is for the
                                 company to have the foresight to give away
                                 a version that's good enough to learn the
                                 commands and get a feel for it so people like
                                 me don't *have* to break the law to try their
                                 damn product.  Wasn't there a free version of
                                 Doom in the beginning to get people hooked?
                                 After that, I was more than happy to shell
                                 out the money for the real thing which I
                                 probably wouldn't have done otherwise.
                                 \_ right...I'm sure companies which provide
                                    demo versions never get their software
                                    stolen.  -tom
        \_ Join a private forum.  No, really.
        \_ Would decentralization, using SSL encryption, and only using
           centralized servers to randomly connect people, and always
           use another node as a middle-man when xferring data make it
           really hard to track? Sort of a cross between filetopia and
           bittorrent...
           \_ onion routing, so nobody's sure what data is going through them,
              that would be more like it.  See 'freenet'
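The thread above asks whether the .torrent file contains the downloader's IP, and the replies point at the tracker and the peer list instead. The following is an added example, not part of any post: a small bencode parser run over a constructed .torrent and constructed tracker replies (tracker.example, sample.iso and the documentation-range addresses are assumptions), showing that the metainfo names only the tracker and the content, while the tracker reply hands every participant the swarm's IP:port pairs.

```python
import hashlib
import ipaddress
import struct


def bencode(obj) -> bytes:
    """Encode ints, bytes, lists and dicts (keys sorted) as bencode."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        pairs = sorted(obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in pairs) + b"e"
    raise TypeError("cannot bencode " + type(obj).__name__)


def _decode(data: bytes, pos: int):
    """Decode one value starting at pos; return (value, next_pos)."""
    head = data[pos:pos + 1]
    if head == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if head in (b"l", b"d"):
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = _decode(data, pos)  # raises at end of input
            items.append(item)
        if head == b"l":
            return items, pos + 1
        if len(items) % 2:
            raise ValueError("dictionary key without a value")
        return dict(zip(items[0::2], items[1::2])), pos + 1
    if head.isdigit():
        colon = data.index(b":", pos)
        end = colon + 1 + int(data[pos:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[colon + 1:end], end
    raise ValueError("bad or truncated bencode at offset %d" % pos)


def bdecode(raw: bytes):
    value, end = _decode(raw, 0)
    if end != len(raw):
        raise ValueError("trailing bytes after bencoded value")
    return value


def torrent_summary(raw: bytes) -> dict:
    """What a single-file .torrent discloses: tracker URL and content info."""
    meta = bdecode(raw)
    info = meta[b"info"]
    return {
        "top_level_keys": sorted(k.decode() for k in meta),
        "announce": meta[b"announce"].decode(),
        "name": info[b"name"].decode(),
        "length": info[b"length"],
        "pieces": len(info[b"pieces"]) // 20,  # one SHA-1 digest per piece
        "info_hash": hashlib.sha1(bencode(info)).hexdigest(),  # swarm id
    }


def tracker_peers(raw: bytes) -> list:
    """Peer (ip, port) pairs from a tracker reply, list or compact form."""
    peers = bdecode(raw)[b"peers"]
    if isinstance(peers, list):  # original form: list of dictionaries
        return [(p[b"ip"].decode(), p[b"port"]) for p in peers]
    if len(peers) % 6:  # compact form: 4-byte IPv4 + 2-byte port each
        raise ValueError("compact peer list is not a multiple of 6 bytes")
    return [(str(ipaddress.IPv4Address(peers[i:i + 4])),
             struct.unpack("!H", peers[i + 4:i + 6])[0])
            for i in range(0, len(peers), 6)]


# Constructed sample data, not taken from any real torrent or tracker.
SAMPLE_TORRENT = bencode({b"announce": b"http://tracker.example/announce",
                          b"info": {b"length": 1048576, b"name": b"sample.iso",
                                    b"piece length": 262144, b"pieces": bytes(80)}})
SAMPLE_REPLY = bencode({b"interval": 1800, b"peers":
                        ipaddress.IPv4Address("192.0.2.10").packed + struct.pack("!H", 6881)
                        + ipaddress.IPv4Address("198.51.100.7").packed + struct.pack("!H", 51413)})

if __name__ == "__main__":
    print(torrent_summary(SAMPLE_TORRENT))
    print(tracker_peers(SAMPLE_REPLY))
```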
2005/3/11-14 [Computer/SW/Security] UID:36644 Activity:nil
3/11    I'd like a way to have Terminal.app change the window's background
        color when I ssh to another machine-- really cool would be to have
        some sort of mapping of hostname to RGB value so that the window
        for machine1 looks different than machine2.  Is there a way to do
        this?  TIA.
        \_ If I wanted to do this for one machine only, I would replace ssh
           with a wrapper that outputs some ANSI sequences before calling
           the real ssh. (You might want to put in some logic to only do this
           for interactive sessions.) To set it up on a number of systems, I
           would put the ANSI sequences in my .profile. That way, if you ssh
           from A to B, then from B to C, your colors will match machine C
           instead of machine B. -gm
        \_ You might be able to do this w/ saved .term files. Just set
           the background to the color you want and then do File->Save
           and specify the cmd to execute as /usr/bin/ssh user@host.
           Then when you click on a particular term file, it will have
           the color set and will ssh into that host.
2005/3/10 [Computer/SW/Security] UID:36614 Activity:kinda low
3/10    If I want to run X11 through NAT, is it better to set up raw forwarding
        of port 6000, or ssh-tunnel the connection?  I'm not using WPA or WPA2.
        \_ SSH tunnel--use -c for compression, it helps a bit.  Unless you
           have serious computer (not net) performance issues, port forwarding
           through SSH is very often a good idea out of principle.  Also, does
           X11 now let you use just 6000?  Used to use 6001..2..n as well, or
           has someone fixed that?  -John
           \_ my understanding is you can use just 6000, defaulting to 0.0,
              6001, ..., n for 0.1 ... n, if desired, but not necessary.
2005/3/9-10 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:36594 Activity:nil
3/9     OpenSSH 4.0 is out:
        Announcement: http://tinyurl.com/5aea4
        Portable: http://www.openssh.com/portable.html
        OpenBSD: http://www.openssh.com/openbsd.html
        Nifty new feature is the connection multi-plexing.
        \_ What is that?
           \_ Once you start one connection to a remote system, other
              connections will use the same key pair so you don't have
              to pay the cost of a new DH exchange (at least this is
              the impression I got from reading the mailing list)
2005/3/8-9 [Transportation/Car, Computer/SW/Security] UID:36586 Activity:low
3/8     "It was certainly an accident ... The car was traveling at a velocity
        that couldn't have been more than 40 kilometers (25 miles) per hour
        ... The government has a duty to point out that the reconstruction of
        the tragic event ... from the direct account of our secret service
        official who was with Dr. Calipari does not coincide, totally, with
        what has been said so far by the U.S. authorities."
        [Fini] said Calipari, an experienced officer who had negotiated the
        release of other hostages in Iraq in the past, "made all the
        necessary contacts with the U.S. authorities," both with those in
        charge of airport security and with the forces patrolling areas next
        to the airport.
        -G. Fini, Italian foreign minister (http://csua.org/u/bb0 CNN)
        Another article:  [The security agent in the car] said that a light
        was flashed at the car after a curve and that gunfire -- lasting 10 or
        15 seconds -- started immediately afterward, disputing U.S. military
        claims that several attempts were made to get the car to stop before
        shooting.
2005/3/7-8 [Computer/SW/Security, Computer/SW/Unix] UID:36560 Activity:nil
3/7     Are there any ISPs that still offer generic dial-up PPP accounts that
        work with the Windoze generic dialer and don't require custom dial-up
        clients?  I have an AT&T Global Dialer account, but it needs the Global
        Dialer client.  I remember the old days where all I needed was to enter
        the phone number, login and password into the Windoze dialer, and it'd
        work.  Thanks.
        \_ SBC Global works for me when I'm on the road. - jvarga
        \_ http://ispwest.com works well for that. even works with linux.
        \_ http://sonic.net
        \_ They've always had the at&t dialer, but you've been able to
           authenticate with PAP and with login in the past with the
           8764287346@worldnet.att.net and the gibberish password.  Look for
           an account.txt file -dwc
2005/3/3-5 [Consumer/CellPhone, Consumer/PDA, Computer/SW/Security] UID:36517 Activity:nil
3/3     Anyone know of a good stopwatch/timer that works on a Treo? I've
        tried a few and they all seem to crash when I try to access any
        of the menus. tia.
2005/3/3-5 [Computer/SW/Security] UID:36515 Activity:moderate
3/3     Is there a way I can set up my cell phone so it only rings if
        the person calling knows a secret code, and otherwise just goes to
        voicemail?  Or, can it be set up to first go to a message where
        the person calling can choose to leave me a voicemail or to ring the
        phone?  In the latter scenario, this would enable people to call and
        leave a voicemail in the middle of the night without waking me, but
        they would still have the option to ring the phone if they really
        want to talk to me at that minute.
        \_ If you come up with a decent way to do this, could you please let
           me know?  (For now, I have a profile on my phone called "Asleep",
           which is mostly silent; if I expect someone to call at night, then
           I set a non-silent ring tone for that person.  It works okay, but
           what you suggested would be much nicer.)  --mconst
        \_ I think you would need an answering service to handle the
           decision-making and a distinctive ring to only wake you when
           the answering service dials through.  Once your phone has
           forwarded the call to voicemail, it would be up to the voicemail
           provider (usually your cell provider) to handle things.
        \_ In the latter scenario the caller already has an option: if they
           don't want to wake you, don't call in the middle of the night!
           Send email or call in the morning.  As for the first scenario,
           you can get a silent ringtone, set that as the default, and
           assign non-default ones to people you know.
           \_ Yes, but I could have a separate outgoing message for
              when I'm sleeping and for when I'm awake.  Sometimes I'm up
              at 11pm, sometimes I'm in bed.  The caller doesn't know. -op
        \_ on my cell phone feature wish list: a way to just leave someone
           a voicemail w/out ringing their phone. Sometimes I want to just
           leave someone some info but don't want to talk. Also I HATE
           checking voicemail... but txt msgs are often too cumbersome.
           It'd be great if each person's phone had a voice-to-text thing
           that they could use to create txt msgs.
           \_ If both people are on AT&T, at least, you can send voicemail
              directly: call your own voicemail, and select 2 from the main
              menu.
2005/3/2-3 [Computer/SW/Security] UID:36498 Activity:kinda low
3/2     I can read mail through CalMail or BearMail but can't POP. Anyone else
        having this problem?
        \_ You probably shouldn't've ignored the 3 (or was it 4?) warnings
           that the CalMail people sent out in the past month that vanilla
           POP3, being blatantly insecure by way of transmitting passwords
           in cleartext, will be (and now has been) permanently disabled
           as of 03/01/2005. Set up your mailer to use secure POP (or SIMAP),
           on the default port, 995 (or, respectively, 993). -alexf
2005/2/23-24 [Computer/SW/Security] UID:36377 Activity:very high
2/23    Hi, my girlfriend's mom is in Taiwan.  Her computer stopped booting;
        it shows BIOS, but it won't show the WinXP screen.  So, it sounds like
        a virus (less likely, partial drive failure / OS corruption, but let's
        assume it's a virus).
        She is concerned about recovering her files.
        Normally if I were on-site I'd just pull out the drive, put it in an
        enclosure, and bam.
        Is there any convenient way for her to recover her files without my
        being on-site?  I am thinking something along the lines of a bootable
        CD-ROM I can mail her that could mount an NTFS partition and also a
        USB memory key.  It would show an easy Explorer-like tree with which
        she can explore the C: drive and copy files over.
        \_ The only convenient way I can think of is for her to buy a new
           computer, then open up the old computer, take the disk out and
           put it in the new computer as a secondary drive. Even this is
           not "easy", but it is relatively straightforward for a non-
           technical user. Can you trust her to be able to operate a
           screwdriver? If not, she needs to bring it in to a data
           recovery service, which will be much more expensive.
        \_ have somebody in Taiwan make a KNOPPIX CD.
           You make the same knoppix CD here and talk her through it.
           She copies the files from HDD to the USB key.
           In these situations avoid the screwdriver if you can.
           \_ Thanks, I'm downloading KNOPPIX 3.7 English now and will try it
              out.  I'll let motd know how it goes.
              \_ Also, if you get remote access to her computer,
                 that would probably make things go faster.
                 You might try setting up a ssh tunnel like this:
                  Have her type:
                  (at the boot: prompt) knoppix 2 vga=normal
                  # passwd  (to set the root password)
                  # /etc/init.d/ssh start
                  # ssh -R 2222:localhost:22 account@yourserver
                  then you ssh to you@yourserver and run
                  $ ssh -p 2222 root@yourserver
                  This should give you root on her server. I haven't tried
                  this specifically but I'll test it out later tonight.
                  Then you ssh to yourserver like normal and run
                  $ ssh -p 2222 root@localhost
                  at the password prompt, type her new root password.
                  This should give you knoppix root on her computer.
                  I just tested it and it works. -brett
                  \_ Sounds cool.  She gets net via PPPoE, though.  So I guess
                     I will need to fish for the PPPoE settings in KNOPPIX and
                     tell her how to do that?
                     \_ D'oh. Doesn't she have a firewall/router device?
                        That could explain how her computer got compromised.
                        \_ That's what I told my gf.  But my gf does Windows
                           Remote Assistance all the time with her family and
                           didn't want to mess with unblocking ports.
                           ...
                           "It ain't broke, so why fix it?"
                           "Because you might get p0wn3d one day"
                           "But I have everyone on Windows Automatic Update"
                           "Okay"
                           "Dang, I got p0wn3d!"
                           The real answer is that we need to test the port
                           unblocking in the U.S., and move them to the
                           D-Link gateway next time we visit Taiwan.
                           \_ Your girlfriend should either:
                              1) fix it herself now (or)
                              2) follow your advice ahead of time.
                              3) Get Macs for her parents.
                            Your gf doesn't understand inbound/outbound rules:
                        "If you are using Network Address Translation (NAT) in a
                         home environment, you can use Remote Assistance without
                         any special configurations."
                         \_ You have never had a girlfriend, have you?
        \_ Doesn't she have any computer savvy acquaintances in Taiwan?
           Isn't Taiwan a high tech island?
           \_ Friends we used to ask are in gr4d sk00l in the U.S.