> I don't have telnet open on my home network, but I was considering opening
> it up on the OpenBSD firewall, and using some sort of one time password
> scheme.
>
> Would this be a sane thing to do? And if so, where could I find some software
> to support the one time password functionality?
Once you log in to your machine the untrusted machine can inject anything it wants into the keyboard stream pretending that you typed it. At that point the floodgates are more or less wide open. It can:

1) destroy any data you have write access to. (e.g. delete your $HOME directory tree.)
2) grab sources for an attack program from somewhere on the net, compile them and start them running. (e.g. compile up a spam server and send tons of spam from your account.)
3) offer a shell to some remote machine (via opening an active TCP connection to some port on a waiting host).

Now I don't think either type of keyboard stream injection attack has happened yet, but it is just a matter of time.

-wolfgang