Category Archives: Security

Security :p

Computer, Murmuring, Network, Security

微軟對釣魚網站大反擊

控告釣魚網站侵害商標 (對, 是以「商標法」為手段):Butterfly attack on phishers

上面提到的這篇文章「Microsoft launches 117 anti-phishing suits」很清楚的表示了 決定一口氣控告 117 個釣魚站台,這些站台是在 2004/10 ~ 2005/03 在網路上釣取使用者資料。

果然是 的大手筆。(該不會是因為他們公司很久沒被司法部捅菊花,所以律師都沒事做?)

Computer, Murmuring, Network, Security, Software

幹壞事是進步最大的原動力

雖然是 4/1 新聞,可是引用的報導是 3/30,而且下面的 comments 看起來好像是真的 XD Student Hacks System to Alter Grades

A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students’ grades, police said.

怎麼 crack 呢,因為為了怕教授們忘記密碼的時候不知道怎麼辦,所以這個系統 (eGrades) 可以用社會安全號碼與出生日期拿到密碼:

The Universty of California Santa Barbara has a custom program, eGrades, where faculty can submit and alter grades. It’s password protected, of course. But there’s a backup system, so that faculty who forget their password can reset it using their Social Security number and date of birth.

很明顯的,這是程式上的瑕疵,於是被學生給予正義的一擊… (不過怎麼會被抓呢 *thinking*)

Blog, Computer, Joke, Murmuring, Network, Recreation, Security

O’Reilly 與 Slashdot

Boing Boing 看到 Slashdot 把 O’Reilly Emerging Tech 給 ban 掉了:Slashdot bans O’Reilly Emerging Tech!

不過… 這是因為有 400 個 user 用同一個 IP 的關係:(所以基本上只是個意外而已)

There are about 400 geeks here running RSS readers that are pulling Slashdot’s feed from behind the same IP address, as Slashdot’s systems have interpreted this as one user repeatedly reloading it.

Administration, Computer, Database, Mail, Network, Security

用 Gmail 備份 MySQL Database

5 Comments

之前在 386bsd 上 post 的,整理一下放上來。

先在自己的機器與 mysql server 安裝 GnuPG (現在是 1.4.0):

# cd /usr/ports/security/gnupg
# make install clean

如果是 FreeBSD 4.x,在自己的機器上產生 key 前,先設定 random device:

# rndcontrol -s 5
# rndcontrol -s 11

其中的 5 與 11 是 IRQ number,可以用下面的指令看哪個 IRQ 可以當 random device:

# pciconf -l

接下來在自己機器上用下面的指令產生 publickey 與 privatekey:

$ gpg –gen-key

應該會有許多問題要答,分別是:

Your selection? 1 (用 DSA & Elgamal)
What keysize do you want? (2048) 4096 (最高的 4096 bits)
Key is valid for? (0) 0 (這把 key 不設 expire)
Is this correct? (y/N) y (確定不設 expire)
Real name: Gea-Suan Lin (名字)
Email address: gslin@ccca.nctu.edu.tw (e-mail)
Comment: (不用填,enter 過去)
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o (Okay)
Enter passphrase: !@#$%^ (設個密碼吧)
Repeat passphrase: !@#$%^ (同樣的密碼再打一次)

然後讓他跑一陣子 (4096 bits 比較久),這樣應該就把 key 生出來了,像:

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/31ABE498 2005-03-12
      Key fingerprint = 826E E0DF 72ED 4BEB FA85  52E3 9F02 FDC3 31AB E498
uid                  Gea-Suan Lin <gslin @ccca.nctu.edu.tw>
sub   4096g/69E68E46 2005-03-12

然後將這把 key export 出來:

$ gpg -a --export gslin > /tmp/publickey.gslin

然後把 publickey.gslin 拿到 mysql server 主機上 import 給 root 處理:

# gpg –import < publickey.gslin

然後設定信賴程度:

# gpg --edit-key gslin trust

接下來會問幾個問題:

Your decision? 5 (I trust ultimately)
Do you really want to set this key to ultimate trust? (y/N) y
Command> save (存進去)

把下面的內容放到 /usr/local/sbin/backup-db.sh,其中粗體的部分代表需要改的:

#!/bin/sh
DATE=`/bin/date +%Y%m%d`

/usr/local/bin/mysqldump -A -u root --password=PASSWORD | gzip -9 | uuencode mysql-${DATE}.gz | gpg -a -e -r gslin | mail -s "evil.NCTU.edu.tw MySQL backup (${DATE})" evilGMAIL@gmail.com

最後在 /etc/crontab 設定每天 03:00 備份:

0       3       *       *       *       root    /usr/local/sbin/backup-db.sh > /dev/null 2>&1