Re: OT: SSH not secure?
Wed, 9 May 2012 09:20:44 -0600, Alvaro Mantilla Gimenez alv...@alvaromantilla.com:
> According to these guys, connecting through SSH to a remote server is not secure...
> http://www.wziss.com/
> Look in Case Studies

What a disgusting way of promoting one's product! The content of the Case Studies is just ridiculous. If somebody has the keys to your apartment, they can enter it! Locks are not secure!

You can make it as secure as you want; then there is also the wrench solution: http://xkcd.com/538/ :-)
Re: OT: SSH not secure?
On Thu, 10 May 2012 12:49:09 +0400 Mo Libden wrote:
> You can make it as secure as you want; then there is also the wrench solution:

I used to work somewhere with a steel door. Downstairs made copper wire. There was some building work going on across the road. One morning there was a hole in the wall and a JCB missing from the building site. One of the employees said they were more interested in how the gypsies moved a more-than-10-tonne coil of copper with ropes, as the crane they had wasn't big enough, and one coil they had nicked on another night had been there for years.
Re: OT: SSH not secure?
On Wed, May 09, 2012 at 05:59:55PM, Miod Vallat wrote:
> > > > It's only as secure as the local and/or remote machine. There's nothing SSH can do about that.
> > >
> > > I have a bucket of water. Can anyone tell me why my hand gets wet if I put it inside the bucket?
> >
> > That's because you need to buy AutoBucket.
>
> And only AutoBucket can protect you against water temperature attacks. You don't want to risk burning your hand with hot water, do you?
>
> Miod

This is why the recommended test is to take a cup of the water and pour it on your crotch before risking your less temperature-sensitive hand in the water.

Ken
Re: OT: SSH not secure?
On Wed, May 09, 2012 at 02:35:42PM -0300, Christiano F. Haesbaert wrote:
> That's because you need to buy AutoBucket.

Made my day.
Re: OT: SSH not secure?
On Thu, May 10, 2012 at 12:32 AM, Weldon Goree wel...@b.rontosaur.us wrote:
> Right... because AutoSFTP and AutoSSH do not allow an administrator to tamper with *them* at all?

I guess it's because they have Anti-Trojan capabilities, so presumably the binaries will detect if they have been tampered with. Of course, you need to trust that the closed-source blob that is AutoSSH/AutoSFTP a) actually works like that and b) isn't in itself malicious. Some might say that's a bit of a conundrum.

Cheers,
Lars
Re: OT: SSH not secure?
On 5/9/2012 12:32 PM, Weldon Goree wrote:
> > only our AutoSSH and AutoSFTP can detect truss/tusc/strace and dtrace attack, and detect Trojan Horse attack.

See, now we know why people keep asking for dtrace in OpenBSD: it's to get our passwords. I knew it was a trap!
OT: SSH not secure?
According to these guys, connecting through SSH to a remote server is not secure...

http://www.wziss.com/

Look in Case Studies

Cheers,
Alvaro
Re: OT: SSH not secure?
2012/5/9 Alvaro Mantilla Gimenez alv...@alvaromantilla.com:
> According to these guys, connecting through SSH to a remote server is not secure...

It's only as secure as the local and/or remote machine. There's nothing SSH can do about that.
Re: OT: SSH not secure?
On Wed, May 09, 2012 at 09:20:44AM -0600, Alvaro Mantilla Gimenez wrote:
> According to these guys, connecting through SSH to a remote server is not secure...
> http://www.wziss.com/
> Look in Case Studies
>
> Cheers,
> Alvaro

Of course you can catch passwords etc. if you have access to the hardware or root access for software tracing. I don't believe their claims that they can prevent that.

-Otto
Re: OT: SSH not secure?
Exactly! LOL

On 09/05/2012, at 09:53, S. Scott wrote:
> On May 9, 2012, at 11:25, Alvaro Mantilla Gimenez alv...@alvaromantilla.com wrote:
> > According to these guys, connecting through SSH to a remote server is not secure...
> > http://www.wziss.com/
> > Look in Case Studies
> >
> > Cheers,
> > Alvaro
>
> Let's break this down. You have a case where a malicious administrator -- whom you granted elevated trust and permissions -- with physical access and the technical 'clearance' to install and run all the mentioned hack tools and, by extrapolation, any/all the other unmentioned hack tools as well, that would yield the User's password, and you're concerned about ssh.
>
> Good luck with your malicious administrator and the other 999,999 things you really need to be concerned about.
Re: OT: SSH not secure?
On Wed, 2012-05-09 at 11:53 -0400, S. Scott wrote:
> Good luck with your malicious administrator and the other 999,999 things you really need to be concerned about.

It's more of the DAC silliness: "you're not secure because you trust your systems administrator; I don't have to do that..." (I just have to trust the person who administers the DAC rules).

Note the money sentence at the end of the case study:

> Currently, the only secure way to use ssh or sftp on a UNIX/Linux machine to connect with mission critical server is using our AutoSSH and/or AutoSFTP: only our AutoSSH and AutoSFTP can detect truss/tusc/strace and dtrace attack, and detect Trojan Horse attack. Using AutoSSH and/or AutoSFTP with public/private key pair with pass phrase protection for the private key is the most secure way of connecting with mission critical servers

Right... because AutoSFTP and AutoSSH do not allow an administrator to tamper with *them* at all?

Weldon
Re: OT: SSH not secure?
On 2012-05-09, Alvaro Mantilla Gimenez alv...@alvaromantilla.com wrote:
> According to these guys, connecting through SSH to a remote server is not secure...
> http://www.wziss.com/

And if you're connecting to a compromised web server, HTTPS doesn't automatically make that secure either. This is not the threat that this particular protocol guards against.

> Look in Case Studies

Here's another: if you use agent forwarding, even if you use ssh-add -c when you add your identities to require that they're confirmed, to prevent the most common attack scenario with agent forwarding, the admin could have replaced the ssh binary with one which makes the connection and runs his own commands over it, or allows access to a second session via multiplexing.

And another: if you do the above *and* build your own ssh binary to make sure that's legitimate, the admin could have replaced the compiler, or make, or install, or something else, with one which builds/installs a trojanned program.
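An added example, not code from the thread or from any project named in it: a small shell audit that reads an OpenSSH client config and lists every Host block that turns on ForwardAgent, the setting whose risk the message above describes. The config it scans is constructed inline for the example, and the function names are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): inventory the Host blocks in an
# OpenSSH client config that enable agent forwarding. Forwarding the agent to a
# host whose root you do not trust lets that root use your keys while you are
# connected, which is the scenario the message above describes.

# Constructed sample ssh_config for this example; "Host *" is the catch-all block.
SAMPLE_CONFIG='Host bastion
    HostName bastion.example.org
    ForwardAgent yes

Host build-*
    ForwardAgent no

Host *
    User alice
    ForwardAgent yes
'

# Read an ssh_config on stdin and print the Host pattern of every block that
# sets "ForwardAgent yes". ssh_config keywords are case-insensitive, so the
# comparison is done in lower case. Settings before the first Host line apply
# globally and are reported as "(global)".
hosts_with_agent_forwarding() {
    awk '
        BEGIN { host = "(global)" }
        tolower($1) == "host" {
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
            next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
    '
}

# Number of blocks in the sample that enable forwarding (used by the check below).
count_agent_forwarding_hosts() {
    printf '%s\n' "$SAMPLE_CONFIG" | hosts_with_agent_forwarding | wc -l | tr -d ' '
}

# Run against the constructed sample. On a real system:
#   hosts_with_agent_forwarding < ~/.ssh/config
printf '%s\n' "$SAMPLE_CONFIG" | hosts_with_agent_forwarding
```

The script matches only the `Keyword value` spelling, not the `Keyword=value` form ssh_config also accepts, and it does not work out which block wins for a given hostname; it is a quick inventory of where forwarding is switched on. Where forwarding is genuinely needed, adding keys with `ssh-add -c` makes each use of a forwarded key prompt for confirmation, as the message says, and as it also says, that still assumes the local ssh binary is honest.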
Re: OT: SSH not secure?
On Wed, 9 May 2012 17:42:09 +0200 Martin Schröder wrote:
> It's only as secure as the local and/or remote machine. There's nothing SSH can do about that.

I have a bucket of water. Can anyone tell me why my hand gets wet if I put it inside the bucket?
Re: OT: SSH not secure?
On 9 May 2012 13:18, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:
> On Wed, 9 May 2012 17:42:09 +0200 Martin Schröder wrote:
> > It's only as secure as the local and/or remote machine. There's nothing SSH can do about that.
>
> I have a bucket of water. Can anyone tell me why my hand gets wet if I put it inside the bucket?

That's because you need to buy AutoBucket.
Re: OT: SSH not secure?
> > > It's only as secure as the local and/or remote machine. There's nothing SSH can do about that.
> >
> > I have a bucket of water. Can anyone tell me why my hand gets wet if I put it inside the bucket?
>
> That's because you need to buy AutoBucket.

And only AutoBucket can protect you against water temperature attacks. You don't want to risk burning your hand with hot water, do you?

Miod
Re: OT: SSH not secure?
On 9 May 2012 14:59, Miod Vallat m...@online.fr wrote:
> > > > It's only as secure as the local and/or remote machine. There's nothing SSH can do about that.
> > >
> > > I have a bucket of water. Can anyone tell me why my hand gets wet if I put it inside the bucket?
> >
> > That's because you need to buy AutoBucket.
>
> And only AutoBucket can protect you against water temperature attacks. You don't want to risk burning your hand with hot water, do you?

Well noted, but that's only supported in AutoBucket Enterprise Edition.
Re: OT: SSH not secure?
On Wed, 9 May 2012 14:35:42 -0300 Christiano F. Haesbaert wrote:
> That's because you need to buy AutoBucket.

Having spent some time recently on some Linux mailing lists, I have to say this list's fuckin' A.
Re: OT: SSH not secure?
I think Alvaro should read the classic paper: Reflections on Trusting Trust.

Alvaro, it was written by one of the guys who wrote UNIX and the original C compiler, which is what almost every UNIX-based system is derived from...

http://cm.bell-labs.com/who/ken/trust.html

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk

"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.

"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford

learn french: http://www.youtube.com/watch?v=30v_g83VHK4
Re: OT: SSH not secure?
Thanks for pointing that article out. I read that paper some time ago.

My intention with this thread was exactly this: get a lot of comments and put some smiles on people's faces. I received this through LinkedIn from some experts group or something like that (yeap... no comments). It is interesting how many people believe information that they just received on a social (professional???) network...

Cheers,
Alvaro

On 09/05/2012, at 12:39, bofh wrote:
> I think Alvaro should read the classic paper: Reflections on Trusting Trust.
>
> Alvaro, it was written by one of the guys who wrote UNIX and the original C compiler, which is what almost every UNIX-based system is derived from...
>
> http://cm.bell-labs.com/who/ken/trust.html