RE: Linux Network Security: POP
I assumed cable modems were encrypting their communications with some simple built-in algorithm

-----Original Message-----
From: Ethan Benson [mailto:[EMAIL PROTECTED]]
Sent: Sunday 18 March 2001 14:59
To: debian-user@lists.debian.org
Subject: Re: Linux Network Security: POP

On Sun, Mar 18, 2001 at 03:38:36PM +0100, William Leese wrote:
> Having a cable modem I'm concerned with the fact that when I use email my password is sent in clear text over the network. I've heard that there were

as you should be, cable modems generally are equivalent to large unswitched lans, which means any bozo with a cable modem can set their machine to promiscuous mode and see every packet sent by any cable modem user. (at least for that segment)

> other services that could be used instead of POP but i'm not sure if that can be used here if my provider doesn't support it.

imap over ssl maybe..

> For my email I use my provider's POP server. For sending email I also use their server. Though in the past I used sendmail, can someone tell me the advantages of using one over the other?

if you have a static ip and your connection is actually stable you could just run your own mailserver and have mail delivered directly to it. that way you don't need pop3 or imap. no passwords sent anywhere that way. you still need to use GnuPG to encrypt any mail you don't want everyone seeing but you should do that regardless of your network connection.

> Also, is there any way I can encrypt the passwords being sent without the provider taking any needed steps to enable me to do so?

only if you have a shell account on their pop3 server via ssh, then you can tunnel the pop3 connection over ssh. if you have a shell account on any of their machines that would probably still be an improvement since you would get the connection encrypted at least into their hopefully switched and secure lan and off the insecure cable modem network.

unfortunately there seems to be a law saying all ISPs must suck, and thus shell access is an endangered species. along with static ips, reliability, security, etc etc

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
RE: Linux Network Security: POP
On Mon, 19 Mar 2001, Joris Lambrecht wrote:

> I assumed cable modems were encrypting their communications with some simple built-in algorithm

It is my understanding that modern DOCSIS modems use encryption between the cable modem and the cable head end. The Motorola CyberSURFR brand has been doing this forever as well. This prevents someone from using some sort of cable analyser to sniff datagrams after they hit the wire.. I wouldn't count on the encryption being actually super secure, but it is unlikely that someone is going to be sniffing packets by examining the signals on the coax.

> as you should be, cable modems generally are equivalent to large unswitched lans, which means any bozo with a cable modem can set their machine to promiscuous mode and see every packet sent by any cable modem user. (at least for that segment)

This is certainly untrue for modern cable stuff. In general, the bandwidth on the actual coax is far greater than 10mbit ethernet (coming out of the modem), even if the modem wanted to it couldn't spew all packets onto the local lan.

Jason
Re: Linux Network Security: POP
On Mon, Mar 19, 2001 at 03:24:09AM +0100, William Leese wrote:
> On Monday 19 March 2001 00:41, Ethan Benson wrote:
> > On Sun, Mar 18, 2001 at 05:04:02PM +0100, William Leese wrote:
> > > knowing basically nothing about imap and ssl where would i look first to see if this is suitable and how it can be used?
> >
> > check to see if they have the imap-ssl port open (i don't know it offhand) or the pop3-ssl... they probably don't.
>
> yatsu:$ nmap -sS pop.provider.nl

ummm some isps don't take kindly to being portscanned, there are more subtle and less obnoxious ways to find out.

> Port       State       Service
> 22/tcp     open        ssh
> 23/tcp     open        telnet
> 25/tcp     open        smtp
> 110/tcp    open        pop-3
> 111/tcp    open        sunrpc
> 113/tcp    open        auth
> 587/tcp    open        submission
> 995/tcp    open        pop3s
> 1023/tcp   open        unknown
>
> could pop3s be what i'm looking for?

yes:

[EMAIL PROTECTED] eb]$ cat /etc/services | grep pop3s
pop3s           995/tcp         # POP-3 over SSL
pop3s           995/udp         # POP-3 over SSL
[EMAIL PROTECTED] eb]$

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Linux Network Security: POP
> > > > knowing basically nothing about imap and ssl where would i look first to see if this is suitable and how it can be used?
> > >
> > > check to see if they have the imap-ssl port open (i don't know it offhand) or the pop3-ssl... they probably don't.
> >
> > yatsu:$ nmap -sS pop.provider.nl
>
> ummm some isps don't take kindly to being portscanned, there are more subtle and less obnoxious ways to find out.

oops, acting out of ignorance I'm afraid..

> > Port       State       Service
> > 22/tcp     open        ssh
> > 23/tcp     open        telnet
> > 25/tcp     open        smtp
> > 110/tcp    open        pop-3
> > 111/tcp    open        sunrpc
> > 113/tcp    open        auth
> > 587/tcp    open        submission
> > 995/tcp    open        pop3s
> > 1023/tcp   open        unknown
> >
> > could pop3s be what i'm looking for?
>
> yes:
>
> [EMAIL PROTECTED] eb]$ cat /etc/services | grep pop3s
> pop3s           995/tcp         # POP-3 over SSL
> pop3s           995/udp         # POP-3 over SSL
> [EMAIL PROTECTED] eb]$

having taken a quick look at my provider's homepage (which, i admit i should have done first.. but i'm used to ISP pages with nothing but marketing talk) i found something on pop-ssl. However apparently i need an email client that supports it. I use Kmail, but.. it doesn't seem to support ssl. Can someone confirm this? If I can't use Kmail for it which email client should be well suited? I've tried Elm but I found it too hard to use. I've considered using Pine but it doesn't seem to be in sid.
Re: Linux Network Security: POP
On Mon, Mar 19, 2001 at 02:03:01PM +0100, William Leese wrote:
> having taken a quick look at my provider's homepage (which, i admit i should have done first.. but i'm used to ISP pages with nothing but marketing talk) i found something on pop-ssl. However apparently i need an email client that supports it. I use Kmail, but.. it doesn't seem to support ssl. Can someone confirm this? If I can't use Kmail for it which email client should be well suited? I've tried Elm but I found it too hard to use. I've considered using Pine but it doesn't seem to be in sid.

just do mail the unix way, install fetchmail-ssl (from non-US/main or so i hear) configure it to fetch all your mail from the isp and hand it to the local MTA, then tell kmail to use a local mailspool in /var/mail/$USER instead of pop3.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Linux Network Security: POP
"WL" == William Leese [EMAIL PROTECTED] writes:

WL> having taken a quick look at my provider's homepage (which, i
WL> admit i should have done first.. but i'm used to ISP pages
WL> with nothing but marketing talk) i found something on
WL> pop-ssl. However apparently i need an email client that
WL> supports it. I use Kmail, but.. it doesn't seem to support
WL> ssl. Can someone confirm this? If I can't use Kmail for it
WL> which email client should be well suited? I've tried Elm but I
WL> found it too hard to use. I've considered using Pine but it
WL> doesn't seem to be in sid.

You can either use fetchmail with SSL support or use stunnel. With fetchmail you can fetch your emails via an SSL connection. With stunnel you can create an SSL connection between your machine and the remote and forward this connection in decrypted form on a local port on your machine.

-- 
Ilya Martynov
AGAVA Software Company, http://www.agava.com
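The stunnel arrangement described in the message above (the same shape as the ssh tunnel suggested elsewhere in the thread), sketched in Python as an added example; it is not code from the thread or from stunnel. A loopback-only listener takes the mail client's cleartext POP3 and relays it over a certificate-verified TLS connection to the provider's pop3s port. The local port 1110, the idle timeout and all function names are assumptions; pop.provider.nl and port 995 come from the nmap output quoted in the thread.

```python
"""Loopback-only POP3 -> POP3-over-SSL relay, the job stunnel does in client mode."""
import select
import socket
import ssl
import threading

REMOTE = ("pop.provider.nl", 995)  # pop3s port from the nmap output in the thread
LOCAL = ("127.0.0.1", 1110)        # assumed local port, reachable from this host only
IDLE_TIMEOUT = 120                 # assumed: seconds of silence before giving up


def tls_context():
    """Client context that rejects unverified certificates and wrong hostnames."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_tls(remote=REMOTE):
    """Open the encrypted leg to the provider's pop3s port."""
    raw = socket.create_connection(remote, timeout=15)
    return tls_context().wrap_socket(raw, server_hostname=remote[0])


def read_available(sock):
    """Read what is ready, including bytes already decrypted inside an SSLSocket."""
    data = sock.recv(16384)
    while data and isinstance(sock, ssl.SSLSocket) and sock.pending():
        data += sock.recv(sock.pending())
    return data


def relay(client, upstream):
    """Shuttle bytes both ways until either side closes, errors or goes idle."""
    peer = {client: upstream, upstream: client}
    with client, upstream:
        try:
            while True:
                ready, _, _ = select.select(list(peer), [], [], IDLE_TIMEOUT)
                if not ready:
                    return
                for src in ready:
                    data = read_available(src)
                    if not data:
                        return
                    peer[src].sendall(data)
        except OSError:
            return


def handle(client, connect_upstream=connect_tls):
    """Relay one local connection; if TLS cannot be set up, fail closed."""
    try:
        upstream = connect_upstream()
    except OSError:            # includes ssl.SSLError and certificate failures
        client.close()         # never fall back to cleartext port 110
        return
    relay(client, upstream)


def make_listener(addr=LOCAL):
    """Listen on loopback so the cleartext side never leaves this machine."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(addr)
    srv.listen(5)
    return srv


def serve(listener, connect_upstream=connect_tls, max_conns=None):
    """Accept local clients, one relay thread each; max_conns bounds the loop."""
    served = 0
    while max_conns is None or served < max_conns:
        client, _ = listener.accept()
        threading.Thread(target=handle, args=(client, connect_upstream),
                         daemon=True).start()
        served += 1


if __name__ == "__main__":
    serve(make_listener())     # then point the mail client at localhost:1110
```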
Linux Network Security: POP
Having a cable modem I'm concerned with the fact that when I use email my password is sent in clear text over the network. I've heard that there were other services that could be used instead of POP but i'm not sure if that can be used here if my provider doesn't support it.

For my email I use my provider's POP server. For sending email I also use their server. Though in the past I used sendmail, can someone tell me the advantages of using one over the other?

Also, is there any way I can encrypt the passwords being sent without the provider taking any needed steps to enable me to do so?

William
Re: Linux Network Security: POP
On Sun, Mar 18, 2001 at 03:38:36PM +0100, William Leese wrote:
> Having a cable modem I'm concerned with the fact that when I use email my password is sent in clear text over the network. I've heard that there were

as you should be, cable modems generally are equivalent to large unswitched lans, which means any bozo with a cable modem can set their machine to promiscuous mode and see every packet sent by any cable modem user. (at least for that segment)

> other services that could be used instead of POP but i'm not sure if that can be used here if my provider doesn't support it.

imap over ssl maybe..

> For my email I use my provider's POP server. For sending email I also use their server. Though in the past I used sendmail, can someone tell me the advantages of using one over the other?

if you have a static ip and your connection is actually stable you could just run your own mailserver and have mail delivered directly to it. that way you don't need pop3 or imap. no passwords sent anywhere that way. you still need to use GnuPG to encrypt any mail you don't want everyone seeing but you should do that regardless of your network connection.

> Also, is there any way I can encrypt the passwords being sent without the provider taking any needed steps to enable me to do so?

only if you have a shell account on their pop3 server via ssh, then you can tunnel the pop3 connection over ssh. if you have a shell account on any of their machines that would probably still be an improvement since you would get the connection encrypted at least into their hopefully switched and secure lan and off the insecure cable modem network.

unfortunately there seems to be a law saying all ISPs must suck, and thus shell access is an endangered species. along with static ips, reliability, security, etc etc

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Linux Network Security: POP
> > other services that could be used instead of POP but i'm not sure if that can be used here if my provider doesn't support it.
>
> imap over ssl maybe..

knowing basically nothing about imap and ssl where would i look first to see if this is suitable and how it can be used?

> > For my email I use my provider's POP server. For sending email I also use their server. Though in the past I used sendmail, can someone tell me the advantages of using one over the other?
>
> if you have a static ip and your connection is actually stable you could just run your own mailserver and have mail delivered directly to it. that way you don't need pop3 or imap. no passwords sent anywhere that way. you still need to use GnuPG to encrypt any mail you don't want everyone seeing but you should do that regardless of your network connection.

the connection is pretty solid, however i'm going to have to switch ISPs in a month (same cable network, different service provider), and I've heard they are far less reliable. I'm forced to switch providers because this one will stop its consumer services in May.

> > Also, is there any way I can encrypt the passwords being sent without the provider taking any needed steps to enable me to do so?
>
> only if you have a shell account on their pop3 server via ssh, then you can tunnel the pop3 connection over ssh.

I doubt I do, there was nothing mentioned of this when i signed up. Also, same problem as above, I have no clue what the change of providers will bring. This leaves imap over ssl, can this always be done regardless of what services my ISP provides?
Re: Linux Network Security: POP
A long time ago, in a galaxy far, far away, someone said...

> Having a cable modem I'm concerned with the fact that when I use email my password is sent in clear text over the network. I've heard that there were other services that could be used instead of POP but i'm not sure if that can be used here if my provider doesn't support it.

If your provider doesn't support it you're pretty much SOL.

> For my email I use my provider's POP server. For sending email I also use their server. Though in the past I used sendmail, can someone tell me the advantages of using one over the other?

Disadvantage of using sendmail: these days sending email direct from a dial-up line is frowned upon. On the other hand, sendmail can be configured to simply cache the connection going to an upstream mail server.

Advantage: better control over your own email.

> Also, is there any way I can encrypt the passwords being sent without the provider taking any needed steps to enable me to do so?

If your provider isn't using a Unix-type system with ssh installed, or doesn't have SSL-enabled IMAP, SMTP, and POP daemons, you're stuck.

You should try to contact your ISP - they may be willing to consider setting something up. Especially the SSL-enabled daemons - Windows supports that better than making a vpn with ssh.

-- 
Phil Brutsche [EMAIL PROTECTED]
GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
Re: Linux Network Security: POP
On Sun, Mar 18, 2001 at 04:59:23AM -0900, Ethan Benson wrote:
> On Sun, Mar 18, 2001 at 03:38:36PM +0100, William Leese wrote:
> > Having a cable modem I'm concerned with the fact that when I use email my password is sent in clear text over the network. I've heard that there were
>
> as you should be, cable modems generally are equivalent to large unswitched lans, which means any bozo with a cable modem can set their machine to promiscuous mode and see every packet sent by any cable modem user. (at least for that segment)

Bzzzt. This is simply not true with DOCSIS modems (if you can cite a provable example I'd love to hear about it). It's also not true with LANCity Gen3 modems at least. It might work with the super-old Zenith stuff but I don't know anyone sane using that. (My prior employer still is in one market :/ )

Cable modems act as a layer-2 bridge. To prevent the sniffing problem you are talking about, each modem is programmed to proxy arp a finite number of MAC addresses (usually one). So, unless you are a technical wizard and have access to documentation that the manufacturers won't even give the cable companies, you are SOL if you want to sniff your neighbors.

When I worked for a cable provider, I wanted a sniffer so we could troubleshoot. Obviously I needed a modem that could be set to promiscuous mode. The official word was it couldn't be done. I was unofficially informed that it could be done but the manufacturer didn't plan on that software ever leaving the factory.

> > other services that could be used instead of POP but i'm not sure if that can be used here if my provider doesn't support it.
>
> imap over ssl maybe..

Some providers support POP over SSL. Usually that implies a clueful provider, and, well, we're talking about cable companies :)

> > For my email I use my provider's POP server. For sending email I also use their server. Though in the past I used sendmail, can someone tell me the advantages of using one over the other?
>
> if you have a static ip and your connection is actually stable you could just run your own mailserver and have mail delivered directly to it. that way you don't need pop3 or imap. no passwords sent anywhere that way. you still need to use GnuPG to encrypt any mail you don't want everyone seeing but you should do that regardless of your network connection.

Except you now risk running afoul of the DUL.

> > Also, is there any way I can encrypt the passwords being sent without the provider taking any needed steps to enable me to do so?
>
> only if you have a shell account on their pop3 server via ssh, then you can tunnel the pop3 connection over ssh. if you have a shell account on any of their machines that would probably still be an improvement since you would get the connection encrypted at least into their hopefully switched and secure lan and off the insecure cable modem network.
>
> unfortunately there seems to be a law saying all ISPs must suck, and thus shell access is an endangered species. along with static ips, reliability, security, etc etc

Can't argue with that. The sad thing is, a geek oriented ISP wouldn't necessarily get very far; the mass horde is fairly happy with the crap they've got.

Cheers,
-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       |   -- Patton
Re: Linux Network Security: POP
On Sun, 18 Mar 2001, Ethan Benson wrote:

> if you have a static ip and your connection is actually stable you could just run your own mailserver and have mail delivered directly to it. that way you don't need pop3 or imap. no passwords sent anywhere that way.

OTOH, then you have another service running, which makes you that much more open to being cracked. It's not a bad thing in and of itself, but it does demand that you keep up to date with security announcements for that package.

At least when you're using POP and sending a plain-text password, it's a password for your ISP's system, not yours. :)

-- 
David Steinberg [EMAIL PROTECTED]
Re: Linux Network Security: POP
On Sun, Mar 18, 2001 at 05:04:02PM +0100, William Leese wrote:
> knowing basically nothing about imap and ssl where would i look first to see if this is suitable and how it can be used?

check to see if they have the imap-ssl port open (i don't know it offhand) or the pop3-ssl... they probably don't.

> the connection is pretty solid, however i'm going to have to switch ISPs in a month (same cable network, different service provider), and I've heard they are far less reliable. I'm forced to switch providers because this one will stop its consumer services in May.

probably to comply with the Suck Law, where every ISP must suck donkey balls.

> I doubt I do, there was nothing mentioned of this when i signed up. Also, same problem as above, I have no clue what the change of providers will bring. This leaves imap over ssl, can this always be done regardless of what services my ISP provides?

no they must cooperate, which means you're screwed. i recommend running your own mailserver or getting a host to do it. most isps can't seem to route mail worth a damn anyway.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Linux Network Security: POP
On Sun, Mar 18, 2001 at 12:13:37PM -0600, Nathan E Norman wrote:
> Bzzzt. This is simply not true with DOCSIS modems (if you can cite a provable example I'd love to hear about it). It's also not true with LANCity Gen3 modems at least. It might work with the super-old Zenith stuff but I don't know anyone sane using that. (My prior employer still is in one market :/ )

unless they changed something in the last year or so, come to alaska and get GCI's cable modems, i have personally seen where every packet sent across the network is happily deposited into my friend's lan. (this was a while ago though)

> Cable modems act as a layer-2 bridge. To prevent the sniffing problem you are talking about, each modem is programmed to proxy arp a finite number of MAC addresses (usually one). So, unless you are a technical wizard and have access to documentation that the manufacturers won't even give the cable companies, you are SOL if you want to sniff your neighbors.

though in many cases you don't need to do any sniffing since they also bridge unrouteable protocols like appletalk and netbios, simply hook up a mac or windows box and go poking around all the hundreds of wide open shares. or run your neighbor's appletalk printer out of paper... (or did they do something about this too?)

> When I worked for a cable provider, I wanted a sniffer so we could troubleshoot. Obviously I needed a modem that could be set to promiscuous mode. The official word was it couldn't be done. I was unofficially informed that it could be done but the manufacturer didn't plan on that software ever leaving the factory.

well when you ask GCI if they could please route mail worth a damn they say `im sorry that cannot be done' ;-) same thing with `can you please avoid regular week long failures of your network?'

> Some providers support POP over SSL. Usually that implies a clueful provider, and, well, we're talking about cable companies :)

clueful isp? wuahahahahahaHAHAHHAHAHAHAHHAHAH those are as extinct as the dinosaurs. :/

> Except you now risk running afoul of the DUL.

using your isp's mail service runs you the risk of having very large quantities of your mail simply dropped in the bit bucket without you ever knowing about it. my isp recently added murphy.debian.org to their silent bitbucket list, i cannot be sure they don't have more machines on such a thing. (it was hard enough to convince them that i KNEW they were throwing away mail, they tried to just blow me off, when i started talking about having no such problems getting the mail from another machine out of state they decided to fix the problem rather than risk me coming down there to lart them personally)

> > unfortunately there seems to be a law saying all ISPs must suck, and thus shell access is an endangered species. along with static ips, reliability, security, etc etc
>
> Can't argue with that. The sad thing is, a geek oriented ISP wouldn't necessarily get very far; the mass horde is fairly happy with the crap they've got.

the problem is geeks are all spread out across the globe.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Linux Network Security: POP
On Sun, Mar 18, 2001 at 11:13:08AM -0800, David Steinberg wrote:
> OTOH, then you have another service running, which makes you that much more open to being cracked. It's not a bad thing in and of itself, but it does demand that you keep up to date with security announcements for that package.
>
> At least when you're using POP and sending a plain-text password, it's a password for your ISP's system, not yours. :)

ever read the usage contract you have to sign when you get isp service? it basically states YOU'RE responsible for whatever your account is used for and having your password stolen is no excuse if someone uses it to do evil in your name.

of course if the password only gets you pop3 access and not dialup or shell or anything else it would probably only get your mail stolen but still.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Linux Network Security: POP
A long time ago, in a galaxy far, far away, someone said...

> unless they changed something in the last year or so, come to alaska and get GCI's cable modems, i have personally seen where every packet sent across the network is happily deposited into my friend's lan. (this was a while ago though)

No, Nathan's right - the DOCSIS units don't allow much sniffing to go on. On my own cable modem all I see is my own traffic and a lot of ARP traffic.

> though in many cases you don't need to do any sniffing since they also bridge unrouteable protocols like appletalk and netbios, simply hook up a mac or windows box and go poking around all the hundreds of wide open shares. or run your neighbor's appletalk printer out of paper... (or did they do something about this too?)

Some are starting to do something about it. I've heard that @Home is starting to block NetBIOS/TCP traffic; I'm sure it's not a big step to block non-IP/IPv6 traffic from there.

> well when you ask GCI if they could please route mail worth a damn they say `im sorry that cannot be done' ;-) same thing with `can you please avoid regular week long failures of your network?'

Work around the breakage :) Ask someone you know and trust to relay your mail for you over ssh or ssl/tls-enabled daemons.

> clueful isp? wuahahahahahaHAHAHHAHAHAHAHHAHAH those are as extinct as the dinosaurs. :/

Aren't they (a clueful ISP) one of those nearly mythical creatures only fabled to exist, like a unicorn?

BTW, I find that all the clue drains from the ISPs and accumulates at the one or two universities present in each large city :)

> using your isp's mail service runs you the risk of having very large quantities of your mail simply dropped in the bit bucket without you ever knowing about it. my isp recently added murphy.debian.org to their silent bitbucket list, i cannot be sure they don't have more machines on such a thing. (it was hard enough to convince them that i KNEW they were throwing away mail, they tried to just blow me off, when i started talking about having no such problems getting the mail from another machine out of state they decided to fix the problem rather than risk me coming down there to lart them personally)

There's an unwritten rule that if something breaks they don't do anything about it until someone yells loud enough or it affects their entire network. ;)

-- 
Phil Brutsche [EMAIL PROTECTED]
GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
Re: Linux Network Security: POP
On Monday 19 March 2001 00:41, Ethan Benson wrote:
> On Sun, Mar 18, 2001 at 05:04:02PM +0100, William Leese wrote:
> > knowing basically nothing about imap and ssl where would i look first to see if this is suitable and how it can be used?
>
> check to see if they have the imap-ssl port open (i don't know it offhand) or the pop3-ssl... they probably don't.

yatsu:$ nmap -sS pop.provider.nl

Port       State       Service
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
110/tcp    open        pop-3
111/tcp    open        sunrpc
113/tcp    open        auth
587/tcp    open        submission
995/tcp    open        pop3s
1023/tcp   open        unknown

could pop3s be what i'm looking for?