This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
Date: Mon, 6 Aug 2001 23:34:23 -0700
From: Marc MERLIN <marc_news@valinux.com>
To: J C Lawrence <claw@kanga.nu>
Cc: Wayne Earl <wayne@qconcepts.net>, svlug@svlug.org
Subject: Re: [svlug] perl script.

On Mon, Aug 06, 2001 at 11:47:04AM -0700, J C Lawrence wrote:
> Apache.org and SourceForge were compromised by two factors:
>
> 2) Lack of suitable/sufficient/well_enough_monitored use of HIDS
>    tools on apache.org and sourceforge that would have detected the
>    installation of trojan SSH installations.

They were detected very quickly (at least on the SF side), but considering
the amount of traffic and logs on SF, even if you respond within a day,
that's too late (there was some claim that SF had been compromised for 5
months, but that was utter bullshit).

The apache guys claim they got cracked because of SF. I actually don't know
for sure who got cracked first, but a bunch of sites got cracked around the
same time due to a few people who had the (very) bad idea to log into one
system, and then use it to hop into another system.
It only took for one to be compromised and ssh to be replaced by a trojan
before the other ones fell pretty quickly.

Who was first doesn't really matter, what matters is that the people
responsible for this mess were the ones logging left and right from
untrusted systems.

The solution, as it's already been mentioned, is ssh + opie/skey.
(and since your connection can still be snooped, don't you be typing any
reusable passwords once you're logged in)

As for tempest, LCD screens are probably a fairly good countermeasure, and
in my case, I use a 6x10 font in 1800x1440, that people can't read, even by
being in front of my monitor.
I don't know what the current status on technology wrt to reading keystrokes
from a distance, but that has to be a lot harder than tuning on the EMF from
a CRT.

Marc
-- 
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

===

Date: Tue, 7 Aug 2001 00:40:34 -0700
To: svlug@svlug.org
Subject: Re: [svlug] perl script.
From: Rick Moen <rick@linuxmafia.com>

begin Marc MERLIN quotation:

> The solution, as it's already been mentioned, is ssh + opie/skey.
> (and since your connection can still be snooped, don't you be typing
> any reusable passwords once you're logged in)

In case people around here haven't yet heard of it, if you use a
PalmPilot or other PalmOS machine, you _really_ want to have Martin
Pool's excellent Keyring program (http://gnukeyring.sourceforge.net/ or
http://linuxmafia.com/pub/palmos/), which will store all your passwords
using a very solid encryption scheme (3DES symmetric cipher), and can
also generate passwords for you. (It's GPLed.)

Why? Because the reason people tend to re-use passwords in multiple
contexts is that good passwords are difficult to remember. You know in
your heart that you should choose good, human-hostile, unique passwords
for just about everything, but don't because you know you'll never
remember them all. Keyring fixes this. Since adopting it, I've been
able to use strong, unique passwords basically everywhere.

If you are using S/Key-type one-time password pads, then you'll also
want the PalmKey pad generator (http://palmkey.sourceforge.net/ or
http://linuxmafia.com/pub/palmos/), which is likewise GPLed.

===

Date: Tue, 7 Aug 2001 00:52:37 -0700
To: svlug@svlug.org
Subject: Re: [svlug] perl script. - humm
From: Rick Moen <rick@linuxmafia.com>

begin Rafael Skodlar quotation:

[Cybercafes:]

> One way to deal would be to use PDA which communicates with the remote
> host with serial or IR port using hostile machine as a conduit.

There is, indeed, an SSH for PalmOS, TopGun SSH
(http://www.ai/~iang/TGssh/ , ftp://ftp.zedz.net/pub/crypto/palmpilot/ ,
http://linuxmafia.com/pub/palmos/ ). But getting PPP service on the
cybercafe machine's serial port is unlikely.

On the other hand, plugging in your laptop to an available ethernet port
fits the bill perfectly. If permitted. If not, you have a problem.

> The program to enable that communication could be downloaded and run in
> Java on hostile machines. The encryption would be done on PDA and
> remote machine.

Good luck getting permission to install software onto a typical
cybercafe machine. On the other hand, you might be allowed to reboot
one of them temporarily to a bootable business card (assuming you're
willing to trust the hardware).

On the whole, the laptop's your best bet. (Yrs. truly had six years'
residence in the CoffeeNet building to ponder this exact problem.)

===