svlug-difficulties_with_logging_in_from_untrusted_hosts

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Date: Mon, 6 Aug 2001 23:34:23 -0700
From: Marc MERLIN <marc_news@valinux.com>
To: J C Lawrence <claw@kanga.nu>
Cc: Wayne Earl <wayne@qconcepts.net>, svlug@svlug.org
Subject: Re: [svlug] perl script.

On Mon, Aug 06, 2001 at 11:47:04AM -0700, J C Lawrence wrote:
> Apache.org and SourceForge were compromised by two factors:
> 
>   2) Lack of suitable/sufficient/well_enough_monitored use of HIDS
>   tools on apache.org and sourceforge that would have detected the
>   installation of trojan SSH installations.

They were detected very quickly (at least on the SF side), but considering
the amount of traffic and logs on SF, even if you respond within a day,
that's too late
(there was some claim that SF had been compromised for 5 months, but that
was utter bullshit)

The apache guys claim they got cracked because of SF. I actually don't know
for sure who got cracked first, but a bunch of sites got cracked around the
same time due to a few people who had the (very) bad idea to log into one
system, and then use it to hop into another system.
It only took for one to be compromised and ssh to be replaced by a trojan
before the other ones fell pretty quickly.
Who was first doesn't really matter; what matters is that the people
responsible for this mess were the ones logging left and right from
untrusted systems.

The solution, as it's already been mentioned, is ssh + opie/skey.
(and since your connection can still be snooped, don't you be typing any
reusable passwords once you're logged in)

As for tempest, LCD screens are probably a fairly good countermeasure, and in
my case, I use a 6x10 font in 1800x1440, that people can't read, even by
being in front of my monitor.
I don't know what the current status of technology is wrt reading keystrokes
from a distance, but that has to be a lot harder than tuning in on the EMF
from a CRT.

Marc
-- 
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
  
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key



===

Date: Tue, 7 Aug 2001 00:40:34 -0700
To: svlug@svlug.org
Subject: Re: [svlug] perl script.
From: Rick Moen <rick@linuxmafia.com>

begin Marc MERLIN quotation:

> The solution, as it's already been mentioned, is ssh + opie/skey.
> (and since your connection can still be snooped, don't you be typing
> any reusable passwords once you're logged in)

In case people around here haven't yet heard of it, if you use a
PalmPilot or other PalmOS machine, you _really_ want to have Martin
Pool's excellent Keyring program (http://gnukeyring.sourceforge.net/ or
http://linuxmafia.com/pub/palmos/), which will store all your passwords
using a very solid encryption scheme (3DES symmetric cipher), and can 
also generate passwords for you.  (It's GPLed.)

Why?  Because the reason people tend to re-use passwords in multiple
contexts is that good passwords are difficult to remember.  You know in
your heart that you should choose good, human-hostile, unique passwords 
for just about everything, but don't because you know you'll never
remember them all.  Keyring fixes this.  Since adopting it, I've been
able to use strong, unique passwords basically everywhere.

If you are using S/Key-type one-time password pads, then you'll also
want the PalmKey pad generator (http://palmkey.sourceforge.net/ or
http://linuxmafia.com/pub/palmos/), which is likewise GPLed.
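
As an added example (not code from the list, and not Marc's or Rick's), here is the hash-chain idea behind the S/Key and OPIE one-time passwords that both messages recommend, written in Python. It assumes SHA-256 as the chain function and omits the 64-bit folding and six-word encoding of the real RFC 1760/OPIE formats; the secret pass-phrase, seed and count are constructed sample values. The point it demonstrates is the one Marc makes: a password captured by a trojaned ssh on an untrusted host is worthless to the snooper, because the server will only ever accept each chain element once, and the next element cannot be derived from the captured one.

```python
import hashlib

# Simplification (an assumption of this example, not what RFC 1760 S/Key or
# OPIE do byte-for-byte): a full-width SHA-256 digest is the chain function
# instead of the folded 64-bit MD4/MD5 output, and no six-word encoding is used.
HASH = hashlib.sha256


def chain_value(secret: str, seed: str, n: int) -> bytes:
    """Return H^n(seed || secret): the n-th element of the one-time password chain.

    Only the client, which knows the secret, can compute arbitrary elements.
    The server never stores the secret, only one element of the chain.
    """
    x = HASH((seed + secret).encode()).digest()
    for _ in range(n):
        x = HASH(x).digest()
    return x


def generate_pad(secret: str, seed: str, count: int) -> list[tuple[int, bytes]]:
    """Pre-compute the passwords a user would carry on a printed pad or a PDA
    (the role of a pad generator), in the order they are consumed: count-1 first."""
    return [(n, chain_value(secret, seed, n)) for n in range(count - 1, -1, -1)]


class OtpServer:
    """Server-side state for one account: seed, remaining sequence number and the
    last accepted chain element (initially H^count, computed at enrolment)."""

    def __init__(self, seed: str, count: int, verifier: bytes):
        self.seed = seed
        self.count = count
        self.verifier = verifier

    @classmethod
    def enroll(cls, secret: str, seed: str, count: int) -> "OtpServer":
        # Enrolment is done over a trusted channel: the secret is used once here
        # to compute H^count and is then discarded by the server.
        return cls(seed, count, chain_value(secret, seed, count))

    def challenge(self) -> tuple[int, str]:
        """What the server sends at login: the sequence number it expects and the seed."""
        return (self.count - 1, self.seed)

    def verify(self, presented: bytes) -> bool:
        """Accept `presented` only if hashing it once yields the stored verifier."""
        if self.count <= 0:
            return False  # chain exhausted; the user must re-enrol with a new seed
        if HASH(presented).digest() != self.verifier:
            return False
        # Step the chain down: the value just used can never be accepted again,
        # and computing the next one would require inverting HASH.
        self.verifier = presented
        self.count -= 1
        return True


def client_respond(secret: str, challenge: tuple[int, str]) -> bytes:
    """Computed on the trusted device (pad/PDA), so the secret never touches the untrusted host."""
    n, seed = challenge
    return chain_value(secret, seed, n)


def snooped_session_demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: a user logs in through an untrusted host whose ssh
    has been trojaned, so everything typed is captured.  Returns
    (first login ok, replay of captured password ok, next genuine login ok)."""
    secret, seed = "correct horse battery", "sf91233"  # constructed sample values
    server = OtpServer.enroll(secret, seed, count=100)

    otp = client_respond(secret, server.challenge())
    first_ok = server.verify(otp)

    captured = otp                        # the trojaned client recorded it
    replay_ok = server.verify(captured)   # rejected: H(otp) is H^100, verifier is now H^99

    second_ok = server.verify(client_respond(secret, server.challenge()))
    return (first_ok, replay_ok, second_ok)


if __name__ == "__main__":
    print(snooped_session_demo())  # (True, False, True)
```

The second half of the advice follows from the code: the scheme only protects the login itself. If the pass-phrase behind `chain_value` is ever typed into the untrusted host, or a reusable password is typed once the session is up, the trojaned client captures that instead, which is why the pad or PDA generator computes the responses on a separate, trusted device.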

===
Date: Tue, 7 Aug 2001 00:52:37 -0700
To: svlug@svlug.org
Subject: Re: [svlug] perl script. - humm
From: Rick Moen <rick@linuxmafia.com>

begin Rafael Skodlar quotation:

[Cybercafes:]

> One way to deal would be to use PDA which communicates with the remote
> host with serial or IR port using hostile machine as a conduit.

There is, indeed, an SSH for PalmOS, TopGun SSH
(http://www.ai/~iang/TGssh/ ,  ftp://ftp.zedz.net/pub/crypto/palmpilot/ ,
http://linuxmafia.com/pub/palmos/ ).  But getting PPP service on the 
cybercafe machine's serial port is unlikely.

On the other hand, plugging in your laptop to an available ethernet port
fits the bill perfectly.  If permitted.  If not, you have a problem.

> The program to enable that communication could be downloaded and run in
> Java on hostile machines. The encryption would be done on PDA and
> remote machine.

Good luck getting permission to install software onto a typical cybercafe
machine.  On the other hand, you might be allowed to reboot one of them
temporarily to a bootable business card (assuming you're willing to
trust the hardware).  

On the whole, the laptop's your best bet.

(Yrs. truly had six years' residence in the CoffeeNet building to ponder
this exact problem.)

===
