Re: Accounts on debian.org machines
On Tue, 9 Dec 2003 11:04, David B Harris <[EMAIL PROTECTED]> wrote: > Or are you saying that you used [EMAIL PROTECTED] for your > computing needs, including storing your unencrypted GPG, unencrypted SSH > key (or encrypted, in which case both of which use the passwords you've > posted), your email client, your web browsing, your programming, your > work, and what have you? :) It wouldn't surprise me if someone did that. ssh private keys have been installed on my play machine (never checked whether they were specially generated for my play machine or copied from somewhere else), people have used it to ssh and scp to root accounts on other servers (which presumably are not SE Linux play machines), people have logged in with X11 and xauth forwarding enabled. One time someone claimed to have broken the security of my play machine by writing a shell script to "kill -1" the shells of other users. However they had apparently enabled X11 forwarding... Incidentally the adsl.coker.com.au host disappeared 9 months ago when I switched from Amsterdam ADSL to Melbourne Cable. The details of my new play machine are linked from my .sig. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Accounts on debian.org machines
On Mon, 8 Dec 2003, Matthew Garrett wrote: > Steve Langasek wrote: > > >But an ssh key on removable media is not vulnerable to keysniffing > >alone, where a password is. > > There's no inherent increase in security from using a key on a > USB device other than the fact that attackers aren't thinking about that > yet. Cryptographic smart cards on a USB token seem like the only secure way to store keys: http://www.datakey.com/products/smartCards/ikey.shtml Niall YoungChime Communications Pty Ltd [EMAIL PROTECTED]Level 6, 263 Adelaide Terrace Ph: (+61) 08 9213 1330 / 0408 192 797 Perth, Western Australia 6000 "I was trying to kill a level 5 lumberjack in the MUD I play" -- Travis Read, August 2003
Re: Accounts on debian.org machines
On Mon, 08 Dec 2003 18:38:25 -0500 Joe Drew <[EMAIL PROTECTED]> wrote: > On Mon, 2003-12-08 at 15:37, David B Harris wrote: > > I've also yet to see anybody post their IP address, userid, and > > password for their publicly-accessible servers to a public mailing list > > :) > > I have. root, even. > > http://lists.debian.org/debian-devel/2002/debian-devel-200206/msg01187.html *THEIR* IP address, userid, and password. As opposed to a carefully sandboxed userid and environment. Or are you saying that you used [EMAIL PROTECTED] for your computing needs, including storing your unencrypted GPG, unencrypted SSH key (or encrypted, in which case both of which use the passwords you've posted), your email client, your web browsing, your programming, your work, and what have you? :)
Re: Accounts on debian.org machines
On Mon, 2003-12-08 at 15:37, David B Harris wrote: > I've also yet to see anybody post their IP address, userid, and > password for their publicly-accessible servers to a public mailing list > :) I have. root, even. http://lists.debian.org/debian-devel/2002/debian-devel-200206/msg01187.html -- Joe Drew <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> Just admit to yourself that you're a thief: http://me.woot.net/stealing.html
Re: Accounts on debian.org machines
On Mon, 2003-12-08 at 03:18, Matthew Garrett wrote: > Steve Langasek wrote: > > >But an ssh key on removable media is not vulnerable to keysniffing > >alone, where a password is. > > If such behaviour becomes common, the keysniffers will simply copy > anything that looks like an SSH key that exists on an item of removable > media. There's no inherent increase in security from using a key on a > USB device other than the fact that attackers aren't thinking about that > yet. > Unless you only connect the USB device for the brief period you wish to use the content, after a "reasonable" check that your box hasn't been compromised. Not having the key permanently on a box is certainly better than the opposite. Scott -- Have you ever, ever felt like this? Had strange things happen? Are you going round the twist? signature.asc Description: This is a digitally signed message part
Re: Accounts on debian.org machines
On Mon, 08 Dec 2003 03:18:53 + Matthew Garrett <[EMAIL PROTECTED]> wrote: > Steve Langasek wrote: > >But an ssh key on removable media is not vulnerable to keysniffing > >alone, where a password is. > > If such behaviour becomes common, the keysniffers will simply copy > anything that looks like an SSH key that exists on an item of removable > media. There's no inherent increase in security from using a key on a > USB device other than the fact that attackers aren't thinking about that > yet. The old "security through obscurity" idea, eh? Well, if you *rely* on obscurity for your security (ie: if an attacker has free reign if they know the secret you're trying to keep [in this case, that the SSH key is on USB media]), then sure, there's a problem. It's not a problem, however, if it's only *part* of a security regimen. For instance, I'll ask a simple question: does the hacker who installed the hardware keylogger on my machine know that my SSH key is somewhere unusual? Do they even know about SSH keys? If either of those answers is "no", I have effectively averted a compromise, whereas even if they *didn't* know, but I didn't use an SSH key, they'd have effective control of my machine. Some food for thought. Obscurity != security, but I've yet to see any effective security regimen which did *not* include some obscurity factors. I've also yet to see anybody post their IP address, userid, and password for their publicly-accessible servers to a public mailing list :)
Re: Accounts on debian.org machines
Steve Langasek wrote: >But an ssh key on removable media is not vulnerable to keysniffing >alone, where a password is. If such behaviour becomes common, the keysniffers will simply copy anything that looks like an SSH key that exists on an item of removable media. There's no inherent increase in security from using a key on a USB device other than the fact that attackers aren't thinking about that yet. -- Matthew Garrett | [EMAIL PROTECTED]
Re: Accounts on debian.org machines
On Sun, Dec 07, 2003 at 09:27:53PM +0100, Tollef Fog Heen wrote: > * Matt Zimmerman > | (Please follow up on a public list) > done, -devel has M-F-T set to. > | On Sun, Dec 07, 2003 at 06:26:48PM +0100, Tollef Fog Heen wrote: > | > | > * Matt Zimmerman > | > > | > | You would type a Debian password into a system that you do not trust > | > | with an ssh private key? > | > > | > Yes, since I don't want to keep a key on them, since they are not > | > secure over time. They are most likely secure when I'm sitting at the > | > console. See above for an example: I don't trust that anything I put > | > permanently on the hard drive won't be compromised, however, I don't > | > think the box itself has any trojans or keysniffers installed. > | > | This doesn't make sense to me; if the system is not trustworthy, then you > | should not trust it with any authentication data, whether passwords or ssh > | keys. > You are forgetting the temporal aspect here. A machine may be viewed > as fairly safe when I have physical control of it. That does not mean > that the machine is safe always, which is the case for, say my > father's windows 2000 laptop when it's only connected to a NAT-ed > internet connection. But an ssh key on removable media is not vulnerable to keysniffing alone, where a password is. -- Steve Langasek postmodern programmer signature.asc Description: Digital signature
Re: Accounts on debian.org machines
* Bernd Eckenfels | On Sun, Dec 07, 2003 at 09:27:53PM +0100, Tollef Fog Heen wrote: | > father's windows 2000 laptop when it's only connected to a NAT-ed | > internet connection. | | How do you know it is not trojaned when u use it? I don't. Just like I don't know that my Debian laptop isn't trojaned. Security isn't black and white, it's a lot of shades of gray. I try to protect such things as ssh keys and gpg keys better than I protect passwords, since they are changed a lot less often. -- Tollef Fog Heen,''`. UNIX is user friendly, it's just picky about who its friends are : :' : `. `' `-
Re: Accounts on debian.org machines
On Sun, Dec 07, 2003 at 09:27:53PM +0100, Tollef Fog Heen wrote: > father's windows 2000 laptop when it's only connected to a NAT-ed > internet connection. How do you know it is not trojaned when u use it? Greetings Bernd -- (OO) -- [EMAIL PROTECTED] -- ( .. ) [EMAIL PROTECTED],linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD [EMAIL PROTECTED] +497257930613 BE5-RIPE (OO) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
Re: Accounts on debian.org machines
* Matt Zimmerman | (Please follow up on a public list) done, -devel has M-F-T set to. | On Sun, Dec 07, 2003 at 06:26:48PM +0100, Tollef Fog Heen wrote: | | > * Matt Zimmerman | > | > | You would type a Debian password into a system that you do not trust | > | with an ssh private key? | > | > Yes, since I don't want to keep a key on them, since they are not | > secure over time. They are most likely secure when I'm sitting at the | > console. See above for an example: I don't trust that anything I put | > permanently on the hard drive won't be compromised, however, I don't | > think the box itself has any trojans or keysniffers installed. | | This doesn't make sense to me; if the system is not trustworthy, then you | should not trust it with any authentication data, whether passwords or ssh | keys. You are forgetting the temporal aspect here. A machine may be viewed as fairly safe when I have physical control of it. That does not mean that the machine is safe always, which is the case for, say my father's windows 2000 laptop when it's only connected to a NAT-ed internet connection. -- Tollef Fog Heen,''`. UNIX is user friendly, it's just picky about who its friends are : :' : `. `' `-
