With this being the state of the art in protection, why bother with
intercepts, cryptanalysis etc?
Having just returned from the USENIX Workshop on
Intrusion Detection, I'd say that all juicy targets
are or will soon be thinking something like "better
living through surveillance." It i
> With this being the state of the art in protection, why bother with
> intercepts, cryptanalysis etc?
Why try to protect your information if someone is eventually going to
discover it? Like so many things in life, the game of security is based
on the probability of a certain event occurring an
I know of three systems that have been attacked in the last month or so.
One was attacked by social engineering the password out of a user.
Another was attacked by installing NETBUS on a user's machine. The third
was attacked by having the attacker subscribe himself to the mailing list
used to
Dominick LaTrappe <[EMAIL PROTECTED]> writes:
>While on the topic of password-sniffing anecdotes from conferences --
>
>At the 2600-coordinated Beyond HOPE conference (NYC, 1997), it was made very
>clear to users that passwords transmitted in-the-clear would be sniffed. To
>hammer home the poin
> At the 2600-coordinated Beyond HOPE conference (NYC, 1997), it was made
> very clear to users that passwords transmitted in-the-clear would be
Right, passwords always have been the weakest link.
> panel singled-out an unlucky telnet user, announcing a domain name and
Not just telnet is vulner
While on the topic of password-sniffing anecdotes from conferences --
At the 2600-coordinated Beyond HOPE conference (NYC, 1997), it was made
very clear to users that passwords transmitted in-the-clear would be
sniffed. To hammer home the point, one participant in the Tiger Teaming
panel singled
Phil Karn wrote (amongst other things)
> The people who run today's MIS/IT departments are the direct
> descendents of those who ran big computer centers in the old days.
No we're not their descendents - we are the same guys. Those "old days"
aren't that long ago & we haven't been put out to gr
At 08:35 AM 3/25/99 -0800, Jurgen Botz wrote:
>Yes, I could demand that all my remote users be running NT4.0SP4 with
>some additional security patches and have all their services turned
>off (or better still, Linux or *BSD configured by my network
>engineers), but how am I going to enforce this?
I'm going to go off on a bit of a tangent here... this is really
a security issue, not a crypto issue, but I think it's something
that we'd all do well to think about.
Derek Atkins wrote:
> sniffable, none of my passwords were. I happen to be one of the
> lucky few who has made it through the po
>as one person who downloaded the source from his home site, and then
>compiled it on the local machine with a GCC binary which he had also
>brought from "home".
So he trusted the libraries and headers on the local machine?
That seems less secure than bringing statically-linked binaries
on a flopp
>sniffable, none of my passwords were. I happen to be one of the lucky
>few who has made it through the politics of large companies to "open
>up the firewall". Yes, corporate IT people see something even as
>secure as SSH as 'opening the firewall'.
>Clearly we need to teach the MIS/IT personnel
> Actually, things are getting much better in the IETF terminal rooms.
> SSH is now *very* widely used, with encrypted Telnet and IPSEC
> trailing well behind.
...And of course nobody has compromised any of the ssh binaries on the
workstations...
> Phil
>...And of course nobody has compromised any of the ssh binaries on the
>workstations...
Workstations? What workstations? Anybody serious about security brings
their own laptops. And then they worry about them being tampered with
by the hotel custodial staff.
Laptops are also easier to lug into
> On Tue, 23 Mar 1999 14:54:15 -0800 (PST), Phil Karn <[EMAIL PROTECTED]> said:
Phil> Actually, things are getting much better in the IETF terminal rooms.
Phil> SSH is now *very* widely used, with encrypted Telnet and IPSEC
Phil> trailing well behind.
Phil> Phil
The same fo
Unfortunately getting these security systems installed is more of a
political problem than a technical one. I happen to use kerberos and
ssh in my daily routine, so although _some_ of my packets were
sniffable, none of my passwords were. I happen to be one of the lucky
few who has made it throug
Actually, things are getting much better in the IETF terminal rooms.
SSH is now *very* widely used, with encrypted Telnet and IPSEC
trailing well behind.
Phil
Catching up on email, I will point out that every major service provider
is probably compromised to one degree or another as frequently as 3
times per year from terminal rooms. For example, in addition to Usenix
meetings: IETF meetings, NANOG meetings, and every other computer
meeting or show tha
Thanks for the good pointers that a number of people gave. The particular
incident I remembered was the BARRnet one
http://www.geek-girl.com/bugtraq/1993_4/0032.html
(thanks Dan Riley).
I had no idea there had been so many, so well hushed up! MILNET, JANET (4
independent incidents in the UK in
There was also a significant sniffer event on one of the MILNET
backbone nets at least 3 years ago; I think it was in Risks. I'll go
looking.
I know I saw an official communication from the MILNET owners on that
one.
--tep
> On Mon, 8 Mar 1999 16:05:04 -0800, Tom Perrine <[EMAIL PROTECTED]> said:
Tom> There was also a significant sniffer event on one of the MILNET
Tom> backbone nets at least 3 years ago; I think it was in Risks. I'll go
Tom> looking.
Tom> I know I saw an official communication
I don't specifically know about MAE-West, but there are any number of
attacks on ISPs that involved setting up password sniffers on major
transit Ethernets.
Phil
At 02:29 PM 3/8/99 +1100, Greg Rose wrote:
> For part of this, I wanted to
>refer to the incident where someone mounted a password sniffer at a major
>network hub (MAE-West?) a couple of years ago. But I haven't turned up
>anything useful in a Web search. I didn't dream this incident, d
Greg Rose <[EMAIL PROTECTED]> writes:
> I wanted to refer to the incident where someone mounted a password
> sniffer at a major network hub (MAE-West?) a couple of years
> ago. But I haven't turned up anything useful in a Web search. I
> didn't dream this incident, did I? Does anyone have any ref
This is a little off topic, I know, but I'm writing a paper about the
work we've done on an encrypting sendmail (I'll announce details as soon
as it restabilises, but if anyone wants to see the old version it's at
http://www.home.aone.net.au/qualcomm ). For part of this, I wanted to
refer to t