Re: [vox] secure diary thoughts
On Tue, 25 Jun 2002, Rick Moen wrote:
> My point was solely that the cited modifications prevent use of that
> particular user's SSH channels (or ones with his authority) to subvert
> the server host if the client host is compromised. I _think_ they also
> might make it impractical to subvert the client host if the server
> host is compromised (but I'm less certain of that, and would have to
> think about threat models some more).
I agree with your points. Your points are very good to make. I was being a
bit dense in my response by not picking up on your direction and where you
were going - I apologize for my mistake.
> You were (earlier) making the excellent point that all SSH -- by itself
> -- really accomplishes is to let you operate over a hostile network with
> confidence if you have faith in both endpoints. I was trying to suggest
> a modification where that is true, but where you can also prevent one
> end being compromised from causing the other end to be, too.
Oh no! This is not my idea! I got this from reading the proposed RFC on
ssh. I can in no way claim to have that idea as my own. It was one of
those things that, when I read it, made me go, "huh! That seems so
obvious, but is worthy for them to mention." Especially after hearing
people say, "Oh just use ssh and it will all be secure" I am glad it was
in the papers I read and try to re-state it when it comes up so people
don't just think that by adding ssh, their machine is magically secured, or
their session is magically secured. Enough people have expressed this
to me to cause me to think the "S" in SSL and SSH should not have been
an "S" it should have been an "E" for "Encrypted" and thus help defer
some of the misunderstandings on their purpose. Perhaps, "SSL" had a
better marketability with "Secure" as part of its name? (I dunno.)
> > The "better" solution is to have an admin you can trust, or be the admin
> > yourself and make sure nobody else has admin control. :-)
> Yeah, tell me. There was a company I worked at (which shall go
> nameless) whose entire internal WAN became compromised because some
> nitwit sysadmin SSH'd out to a public hosting service the firm operates
> and SSH'd back in. Unfortunately for that nitwit, the hosting service's
> SSH client was trojaned and reported his security tokens directly to the
> bad guy, who then just followed him in. Game, set, match.
> If I'd stuck fully to my principles, I'd never have used the firm's
> IS-maintained workstations to SSH home -- and instead, used only my
> personal laptop for that purpose, thus obeying your dictum about SSH
> being a fine way to traverse hostile networks if you trust both ends.
> So, I had to scramble home, lock everything down ASAP, and pray to
> Great Finagle. That time, I got lucky -- and I never repeated that
> particular mistake.
I like to hear stories like this - even if they have unhappiness :-( . If
you ever care to offer more experiences from "the real world" you will
have at least one willing reader. :-) I did like the background you offered
on the two source trees for:
> Carrying the LNX-BBC disk around is very helpful, in that regard.
I need to take the new image of that and burn it. Very cool tool indeed.
It would be useful at installfests and helping buddies. (Thanks for the
background you offered on the diff trees, as I did not know about the