On 13 Sep 2008, at 04:46 , johan beisser wrote:
On Fri, Sep 12, 2008 at 05:42:08PM -0700, johan beisser wrote:
It's just an improbable attack. One that's easily defended against by
maintaining the interactive shell/echoback and simply push additional

Was it you who said earlier that you weren't a cryptanalyst? Well,
neither am I, but I have come away with one lesson from them: be on the
attack. You are on the defense, and always putting forward reasons why
this isn't a quick total penetration. Instead, try thinking of what
information you can get by snooping, and what you might do with it. It's
a whole different mindset.

Yes. I'm not sure why you assume to know how or what I'm thinking.

I'm saying what he's wanting to prevent - Eve watching input and output to figure out passwords, based on keyboard timing and typing patterns - isn't really an easy attack for Eve to accomplish without a huge amount of data being collected first.

Man, I don't see your point... I've read your previous messages, and I can't see what you are arguing for/against... If you're against someone patching ssh against this attack because you think it is not worthy, you're on the wrong track - everyone can/should do with their free time whatever they want. If you're just against the value of the attack, well, wrong track again :)

First, this approach is not just for stealing passwords. If you'd read that article carefully enough, you would notice that they state one should try to capture as much as she/he can. Then, based on the transcript, you can mine for passwords.

Second, an attack is an attack, whether it is easy or hard. Sure, script kiddies prefer easy ones... but most of us wouldn't feel any better whether we were attacked the hard or the easy way...

Third and final point... So far, I was thinking mainly about console users, and developers do tend to fall into this category. The emerging way of computing is becoming cloud computing, where services are placed in a cloud, and users are accessing them. So far, communication was protected with SSL/SSH. Now, imagine a lot of users, doing a lot of work... That is a lot of data to work with...

Just my 2c,
Nikola
