Date:      Mon, 30 Jul 2001 06:40:17 -0500
From:      Mike Meyer <mwm@mired.org>
To:        "Ted Mittelstaedt" <tedm@toybox.placo.com>
Cc:        questions@freebsd.org
Subject:   RE: URGENT - Seems like i've been hacked... what to do now?
Message-ID:  <15205.18337.148080.887001@guru.mired.org>
In-Reply-To: <00be01c118d0$9df492c0$1401a8c0@tedm.placo.com>
References:  <15204.14832.983339.818756@guru.mired.org> <00be01c118d0$9df492c0$1401a8c0@tedm.placo.com>

Ted Mittelstaedt <tedm@toybox.placo.com> types:
> >[I tried to restore the disorder introduced by top posting, and gave
> >up. Bleah.]
> >
> >Ted Mittelstaedt <tedm@toybox.placo.com> types:
> >> But if that isn't the case, then your increased exposure using
> >> Telnet as opposed to SSH is theoretical.  If you're willing to believe
> >> that backbone providers allow any Joe off the street into their
> >> network rooms to attach sniffers, or other equally silly and
> >> impractical stories, then you probably would feel better using
> >> SSH than Telnet.
> >
> >It's not the silly and impractical stories you believe that make using
> >SSH a good idea, it's the ones you *don't* believe. Like the one about
> >every box on every route through every provider on the internet being
> >secure. Sure, the chances of something critical of yours going through
> >a box compromised by someone who actually cares is nearly zero, but
> >why risk it, especially when ssh is free and easy to install on pretty
> >much anything that has a cpu?
> 
> Because in many cases the source device that you're Telnetting in from DOES NOT
> support SSH.  Not all systems are PCs.

I'm well aware that not everything is a PC. That's why I said "pretty
much anything that has a cpu." That's been my experience.

> To give you an example, I use BSD boxes internally in customer networks many
> times.  Often these boxes are stuffed in a closet, sans monitor.  If I happen
> to get called in to the company to do something, I'm not going to find a
> convenient system that's got an SSH client installed, although all of the
> systems have Windows Telnet on them.

Been there, done that. Putty is free, available over the network, and
takes just a few minutes to install. The CISCO routers example requires
telnet, but would also cause me to beat on CISCO.

> Security is all about weighing risks.

More accurately, it's all about balancing costs against risks. SSH is
freely available for most boxes with CPUs, has almost no cost, and
significantly reduces the risk associated with sending passwords over
the network.

> There's no point in going gaga over SSH when the server you're running
> it on is physically insecure.

Actually, there's little point in going gaga over ssh in any
case. Almost as little as there is in not installing it on all servers
and using it as a matter of course.

> I've got one customer that stupidly built their server room in an
> empty office.  Office was empty because it was a ground floor corner
> office in an architecturally weird location and it had _three_ walls
> that were full length glass, and it was fricking cold in there all
> the time so no employees wanted to have the office.

This is a stupid thing from a security perspective, but has absolutely
nothing to do with either the cost of installing ssh, or the risks it
helps reduce. ssh reduces the risks associated with sending passwords
around the network. That the machines are trivially stolen doesn't
change either that risk or the costs associated with installing
ssh. While you might spend less on other security measures because one
specific one is poor, neglecting them is a bad idea. You wouldn't set
the machines to not have a root password just because they have poor
physical security.

> Anyway, the DMCA is just waiting for a court test in front of the Supreme
> Court and it will happen eventually and the law will be tossed out and
> that will be that.

You give the US legal system more credit than I do. While I certainly
hope it gets tossed out, I wouldn't bet on it.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.