Date:      Mon, 30 Jul 2001 01:21:22 -0700
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Mike Meyer" <mwm@mired.org>
Cc:        <questions@freebsd.org>
Subject:   RE: URGENT - Seems like i've been hacked... what to do now?
Message-ID:  <00be01c118d0$9df492c0$1401a8c0@tedm.placo.com>
In-Reply-To: <15204.14832.983339.818756@guru.mired.org>

>-----Original Message-----
>From: Mike Meyer [mailto:mwm@mired.org]
>Sent: Sunday, July 29, 2001 9:30 AM
>To: Ted Mittelstaedt
>Cc: questions@freebsd.org
>Subject: RE: URGENT - Seems like i've been hacked... what to do now?
>
>
>[I tried to restore the disorder introduced by top posting, and gave
>up. Bleah.]
>
>Ted Mittelstaedt <tedm@toybox.placo.com> types:
>> But if that isn't the case, then your increased exposure using
>> Telnet as opposed to SSH.  If you're willing to believe
>> that backbone providers allow any Joe off the street into their
>> network rooms to attach sniffers, or other equally silly and
>> impractical stories, then you probably would feel better using
>> SSH than Telnet.
>
>It's not the silly and impractical stories you believe that make using
>SSH a good idea, it's the ones you *don't* believe. Like the one about
>every box on every route through every provider on the internet being
>secure. Sure, the chances of something critical of yours going through
>a box compromised by someone who actually cares is nearly zero, but
>why risk it, especially when ssh is free and easy to install on pretty
>much anything that has a cpu?

Because in many cases the source device that you're Telnetting in from DOES NOT
support SSH.  Not all systems are PCs.

To give you an example, I use BSD boxes internally in customer networks many
times.  Often these boxes are stuffed in a closet, sans monitor.  If I happen
to get called in to the company to do something, I'm not going to find a
convenient system that's got an SSH client installed, although all of the
systems have Windows Telnet on them.  As another example, I have some
customers with BSD boxes acting as routers that are deep inside their internal
WAN, many hops away.  Their gateway to the outside is a Cisco router running
translation that is connected to a circuit that terminates at the router in
the next room.  If something in their internal routing falls down that's
related to one of these boxes that's buried, I have to hopscotch from Cisco
WAN router to Cisco WAN router to reach the subnet that the BSD router is on
and Cisco routers don't support SSH.

Security is all about weighing risks.  There's no point in going gaga over SSH
when the server you're running it on is physically insecure.  I've got one
customer that stupidly built their server room in an empty office.  Office was
empty because it was a ground floor corner office in an architecturally weird
location and it had _three_ walls that were full length glass, and it was
fricking cold in there all the time so no employees wanted to have the office.
They figured the cold and the fact that it was big and no one wanted it made
it an ideal server room and even spent a grand on a fancy card-key electronic
lock on the door.  I never tire of asking them when the guys with the big
truck and the sledgehammers are going to show up and smash the window and make
off with all their server hardware in the middle of the night.  (did I mention
the office isn't visible from the street and the servers are all full towers
sitting on the floor?)

>I've been told that telnet with
>encryption is more secure, but finding implementations for everything
>I need it for is a bit harder.
>
>That said, encryption isn't a panacea. It just raises the cost to the
>attacker. The DMCA also brings more legal weapons into play - it makes
>distribution of the tools needed to crack an ssh session a felony in
>the US.
>

Actually, no it does not.  All it makes a felony is distributing
the tools ONLINE.  Printed material is still covered by Freedom of the
Press.  In fact the Electronic Frontier Foundation distributed a pretty
good DES cracker in this manner.  They simply put the machine source into
the printed pages with instructions on how to OCR it into a binary.  (it was
an assembly language program for obvious reasons)

Anyway, the DMCA is just waiting for a court test in front of the Supreme
Court and it will happen eventually and the law will be tossed out and
that will be that.

Ted Mittelstaedt                                       tedm@toybox.placo.com
Author of:                           The FreeBSD Corporate Networker's Guide
Book website:                          http://www.freebsd-corp-net-guide.com
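The sniffing exposure the two posters are arguing about, shown as an added example (not part of this thread and not code from either poster): a Telnet login recovered from a reassembled TCP conversation. Anyone with a capture from any hop on the path can do this, because Telnet sends the keystrokes in the clear once the option negotiation is stripped. The capture is constructed by hand for the example; the hostname, login name and password are placeholders.

```python
"""Recover a Telnet login from a sniffed TCP conversation.

Added example for this thread, not code from either poster. The capture
below is constructed to look like a typical Telnet login to a FreeBSD box:
one keystroke per client packet, echoed by the server, with ordinary option
negotiation up front. Hostname and credentials are made up.
"""

# Telnet command bytes (RFC 854) and the option numbers used below
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_ECHO, OPT_SGA, OPT_TTYPE = 1, 3, 24


def strip_telnet_negotiation(stream: bytes) -> bytes:
    """Drop IAC command sequences, keeping only the bytes the user typed
    (or the server printed). IAC IAC is an escaped literal 0xFF."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:
            break                       # capture ends mid-command
        elif stream[i + 1] == IAC:
            out.append(IAC)
            i += 2
        elif stream[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <verb> <option>
        elif stream[i + 1] == SB:       # subnegotiation runs to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                      # NOP, AYT, GA, ...: two bytes
    return bytes(out)


def recover_login(segments):
    """segments: reassembled TCP payloads in capture order as
    (direction, payload), direction 'c' (client) or 's' (server).
    Returns whatever was typed after the login: and Password: prompts."""
    creds = {}
    waiting_for = None
    typed = bytearray()
    for direction, payload in segments:
        data = strip_telnet_negotiation(payload)
        if direction == 's':
            text = data.decode('ascii', 'replace').rstrip().lower()
            if text.endswith('login:'):
                waiting_for, typed = 'login', bytearray()
            elif text.endswith('password:'):
                waiting_for, typed = 'password', bytearray()
        elif waiting_for:
            typed.extend(data)
            if b'\r' in typed or b'\n' in typed:    # end of line: field done
                line = typed.split(b'\r')[0].split(b'\n')[0]
                creds[waiting_for] = line.decode('ascii', 'replace')
                waiting_for = None
    return creds


# Constructed capture of a Telnet login (not a real session).
CAPTURE = [
    ('s', bytes([IAC, DO, OPT_TTYPE, IAC, WILL, OPT_ECHO, IAC, WILL, OPT_SGA])),
    ('c', bytes([IAC, WILL, OPT_TTYPE, IAC, DO, OPT_ECHO, IAC, DO, OPT_SGA])),
    ('s', bytes([IAC, SB, OPT_TTYPE, 1, IAC, SE])),             # SEND terminal type
    ('c', bytes([IAC, SB, OPT_TTYPE, 0]) + b'XTERM' + bytes([IAC, SE])),
    ('s', b'\r\nFreeBSD/i386 (gw.example.net) (ttyp0)\r\n\r\nlogin: '),
    ('c', b't'), ('s', b't'), ('c', b'e'), ('s', b'e'),
    ('c', b'd'), ('s', b'd'), ('c', b'm'), ('s', b'm'),
    ('c', b'\r\x00'),                                            # Telnet CR NUL
    ('s', b'\r\nPassword:'),
    ('c', b'h'), ('c', b'u'), ('c', b'n'), ('c', b't'),
    ('c', b'e'), ('c', b'r'), ('c', b'2'),
    ('c', b'\r\x00'),
    ('s', b'\r\nLast login: Sun Jul 29 09:30:00 from 10.1.2.3\r\n'),
]

if __name__ == '__main__':
    print(recover_login(CAPTURE))      # {'login': 'tedm', 'password': 'hunter2'}
```

The same capture of an SSH session to the same box would yield only the two version banners and ciphertext, which is the whole of Mike's point; Ted's point is that the client you happen to be standing at may not be able to speak it, and that a glass-walled server room dwarfs the wire as a risk.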


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message