[aclug-L] Security Question: How safe is it?

To: aclug-L@xxxxxxxxxxxx
Subject: [aclug-L] Security Question: How safe is it?
From: Bob Deep <bobd@xxxxxxxxxxxx>
Date: Tue, 29 Sep 1998 09:37:59 -0500
Reply-to: aclug-L@xxxxxxxxxxxx

Jeremy Johnstone wrote:
> 
> True, but don't both ends have to support it at a system level? Otherwise,
> if you only have it in your bin dir in your personal account you will have
> to login insecurely then start it up and then login securely. OR am I
> flawed somewhere?
> 

Ah yes... The chicken and egg thing... Even if this was a new service,
the encoding of passwords would have to be well known in advance, so
even then the sending of the password would be risky, even if it was
encoded somehow.

This is an interesting issue of security.. I wonder how many folks,
sitting at their home computer, would be routed traffic that contained
such information from their ISP?

Further, assuming somebody actually had a direct attachment to a segment
of the backbone, how much password information they could filter out of
the data stream...   Consider that they would only be able to see
traffic on that specific segment and that you need three pieces of
information to log into a computer....
        1.  The IP address of the host (or the host name to look up the IP).
        2.  A valid user name.
        3.  The password for that user name.

Getting a socket connection requires quite a number of packets, which
would all have to be intercepted to be sure to get all the required
information to monitor the connection.  Then you must be able to
interpret the service to sniff out a user name and password... How
easily can this be done?  It does not sound very easy, and it is limited
to traffic on the local network segment to start with...

I don't mean to suggest that there is no danger, but that sending
passwords in the clear is not as risky as some would lead you to
believe.  There is an element of security when you can "hide in the
crowd" of data flowing around.  It's not totally effective, but is it
good enough?

-= bob =-
---
This is the Air Capitol Linux Users Group discussion list.  If you
want to unsubscribe, send the word "unsubscribe" to
aclug-L-request@xxxxxxxxxxxx.  If you want to post to the list, send your
message to aclug-L@xxxxxxxxxxxx.