Re: OT: SSH not secure?

2012-05-10 Thread Mo Libden
On Wed, 9 May 2012 09:20:44 -0600, Alvaro Mantilla Gimenez
alv...@alvaromantilla.com wrote:
> According to these guys, connecting through SSH to a remote server is not secure...
>
> http://www.wziss.com/
>
> Look in Case Studies
>

What a disgusting way of promoting one's product!
The content of the Case Studies is just ridiculous. If somebody
has the keys to your apartment, they can enter it! Locks are
not secure!

You can make it as secure as you want, then
there is also the wrench solution:

http://xkcd.com/538/

:-)



Re: OT: SSH not secure?

2012-05-10 Thread Kevin Chadwick
On Thu, 10 May 2012 12:49:09 +0400
Mo Libden wrote:

> You can make it as secure as you want, then
> there is also the wrench solution:

I used to work somewhere with a steel door. Downstairs made copper
wire. There was some building work going on across the road. One
morning there was a hole in the wall and a JCB missing from the
building site.

One of the employees said they were more interested in how the gypsies
moved a more than 10 tonne coil of copper with ropes as the crane they
had wasn't big enough and one coil they had nicked on another night had
been there for years.



Re: OT: SSH not secure?

2012-05-10 Thread Kenneth R Westerback
On Wed, May 09, 2012 at 05:59:55PM +, Miod Vallat wrote:
> > > It's only as secure as the local and/or remote machine.
> > > There's nothing SSH can do about that
> > >
> > > I have a bucket of water. Can anyone tell me why my hand gets wet if I
> > > put it inside the bucket.
> >
> >
> > That's because you need to buy AutoBucket.
>
> And only AutoBucket can protect you against water temperature attacks.
> You don't want to risk burning your hand with hot water, do you?
>
> Miod
>

This is why the recommended test is to take a cup of the water and
pour it on your crotch before risking your less temperature sensitive
hand in the water.

 Ken



Re: OT: SSH not secure?

2012-05-10 Thread Daniel Bolgheroni
On Wed, May 09, 2012 at 02:35:42PM -0300, Christiano F. Haesbaert wrote:
>
> That's because you need to buy AutoBucket.

Made my day.



Re: OT: SSH not secure?

2012-05-10 Thread Lars Hansson
On Thu, May 10, 2012 at 12:32 AM, Weldon Goree wel...@b.rontosaur.us wrote:
> Right... because AutoSFTP and AutoSSH do not allow an administrator to
> tamper with *them* at all?

I guess it's because they have Anti-Trojan capabilities so
presumably the binaries will detect if they have been tampered with.
Of course, you need to trust that the closed source blob that is
AutoSSH/AutoSFTP a) actually works like that and b) isn't in itself
malicious.
Some might say that's a bit of a conundrum.

Cheers,
Lars



Re: OT: SSH not secure?

2012-05-10 Thread Steve Shockley

On 5/9/2012 12:32 PM, Weldon Goree wrote:

> only our AutoSSH and AutoSFTP can detect
> truss/tusc/strace and dtrace attack, and detect Trojan Horse attack.


See, now we know why people keep asking for dtrace in OpenBSD, it's to 
get our passwords.  I knew it was a trap!




OT: SSH not secure?

2012-05-09 Thread Alvaro Mantilla Gimenez
According to these guys, connecting through SSH to a remote server is not secure...

http://www.wziss.com/

Look in Case Studies

Cheers,

Alvaro




Re: OT: SSH not secure?

2012-05-09 Thread Martin Schröder
2012/5/9 Alvaro Mantilla Gimenez alv...@alvaromantilla.com:
> According to these guys, connecting through SSH to a remote server is not secure...

It's only as secure as the local and/or remote machine.
There's nothing SSH can do about that.



Re: OT: SSH not secure?

2012-05-09 Thread Otto Moerbeek
On Wed, May 09, 2012 at 09:20:44AM -0600, Alvaro Mantilla Gimenez wrote:

> According to these guys, connecting through SSH to a remote server is not secure...
>
> http://www.wziss.com/
>
> Look in Case Studies
>
> Cheers,
>
> Alvaro
 

Of course you can catch passwords etc if you have access to the
hardware or root access for software tracing.

I don't believe their claims that they can prevent that.

-Otto



Re: OT: SSH not secure?

2012-05-09 Thread Alvaro Mantilla Gimenez
Exactly! LOL

On 09/05/2012, at 09:53, S. Scott wrote:

> On May 9, 2012, at 11:25, Alvaro Mantilla Gimenez
> alv...@alvaromantilla.com wrote:
>
> > According to these guys, connecting through SSH to a remote server is not
> > secure...
> >
> > http://www.wziss.com/
> >
> > Look in Case Studies
> >
> > Cheers,
> >
> > Alvaro



> Let's break this down.  You have a case where a malicious administrator
> -- whom you granted elevated trust and permissions -- with physical
> access and the technical 'clearance' to install and run all the
> mentioned hack tools and, by extrapolation, any/all the other
> unmentioned hack tools as well that would yield User's password and
> you're concerned about ssh.
>
> Good luck with your malicious administrator and the other 999,999
> things you really need to be concerned about.




Re: OT: SSH not secure?

2012-05-09 Thread Weldon Goree
On Wed, 2012-05-09 at 11:53 -0400, S. Scott wrote:

> Good luck with your malicious administrator and the other 999,999
> things you really need to be concerned about.
>

It's more of the DAC silliness: you're not secure because you trust
your systems administrator; I don't have to do that... (I just have to
trust the person who administers the DAC rules).

Note the money sentence at the end of the case study:

Currently, the only secure way to use ssh or sftp on a UNIX/Linux
machine to connect with mission critical server is using our AutoSSH
and/or AutoSFTP: only our AutoSSH and AutoSFTP can detect
truss/tusc/strace and dtrace attack, and detect Trojan Horse attack.
Using AutoSSH and/or AutoSFTP with public/private key pair with pass
phrase protection for the private key is the most secure way of
connecting with mission critical servers

Right... because AutoSFTP and AutoSSH do not allow an administrator to
tamper with *them* at all?

Weldon



Re: OT: SSH not secure?

2012-05-09 Thread Stuart Henderson
On 2012-05-09, Alvaro Mantilla Gimenez alv...@alvaromantilla.com wrote:
> According to these guys, connecting through SSH to a remote server is not secure...
>
> http://www.wziss.com/

And if you're connecting to a compromised web server, HTTPS doesn't
automatically make that secure either. This is not the threat that
this particular protocol guards against.

> Look in Case Studies

Here's another: if you use agent forwarding, even if you use ssh-add -c
when you add your identities to require that they're confirmed to prevent
the most common attack scenario with agent forwarding, the admin could
have replaced the ssh binary with one which makes the connection and
runs his own commands over it, or allows access to a second session
via multiplexing.

And another: if you do the above *and* build your own ssh binary to
make sure that's legitimate, the admin could have replaced the compiler,
or make, or install, or something else, with one which builds/installs
a trojanned program.
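As an added illustration (not from the thread or from OpenSSH's own documentation), here is a client ssh_config contrasting the agent-forwarding setup described above with a jump-host setup that keeps the agent on the local machine; the host names are assumed, and ProxyJump needs OpenSSH 7.3 or later.

```sshconfig
# ~/.ssh/config  (added example; bastion.example and internal.example are assumed names)

# Weak: with agent forwarding, whoever controls the bastion can sign with your
# keys while you are connected. "ssh-add -c" adds a confirmation prompt per use,
# but a replaced ssh binary on the bastion can still ride the session you
# confirmed (run its own commands, open a second multiplexed session).
Host bastion-forwarded
    HostName bastion.example
    ForwardAgent yes

# Better: go through the bastion without forwarding the agent. The bastion's sshd
# only relays a TCP channel; no ssh client binary on the bastion is involved,
# and the second hop is authenticated and encrypted end to end from your machine.
# A tampered bastion can at most break the connection or present a wrong host key,
# which known_hosts checking for internal.example will flag.
Host internal
    HostName internal.example
    ProxyJump bastion.example
    ForwardAgent no

# Default for everything else: never forward the agent, and require confirmation
# before a key loaded into the agent is used.
Host *
    ForwardAgent no
    AddKeysToAgent confirm
```

This only removes the bastion from the trust chain for the second hop; it does nothing about a compromised endpoint or toolchain, which is the thread's point.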



Re: OT: SSH not secure?

2012-05-09 Thread Kevin Chadwick
On Wed, 9 May 2012 17:42:09 +0200
Martin Schröder wrote:

> It's only as secure as the local and/or remote machine.
> There's nothing SSH can do about that

I have a bucket of water. Can anyone tell me why my hand gets wet if I
put it inside the bucket.



Re: OT: SSH not secure?

2012-05-09 Thread Christiano F. Haesbaert
On 9 May 2012 13:18, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:
> On Wed, 9 May 2012 17:42:09 +0200
> Martin Schröder wrote:
>
> > It's only as secure as the local and/or remote machine.
> > There's nothing SSH can do about that
>
> I have a bucket of water. Can anyone tell me why my hand gets wet if I
> put it inside the bucket.


That's because you need to buy AutoBucket.



Re: OT: SSH not secure?

2012-05-09 Thread Miod Vallat
> > It's only as secure as the local and/or remote machine.
> > There's nothing SSH can do about that
> >
> > I have a bucket of water. Can anyone tell me why my hand gets wet if I
> > put it inside the bucket.
> >
>
> That's because you need to buy AutoBucket.

And only AutoBucket can protect you against water temperature attacks.
You don't want to risk burning your hand with hot water, do you?

Miod



Re: OT: SSH not secure?

2012-05-09 Thread Christiano F. Haesbaert
On 9 May 2012 14:59, Miod Vallat m...@online.fr wrote:
> > > It's only as secure as the local and/or remote machine.
> > > There's nothing SSH can do about that
> > >
> > > I have a bucket of water. Can anyone tell me why my hand gets wet if I
> > > put it inside the bucket.
> > >
>
> > That's because you need to buy AutoBucket.
>
> And only AutoBucket can protect you against water temperature attacks.
> You don't want to risk burning your hand with hot water, do you?


Well noted, but that's only supported in AutoBucket Enterprise Edition.



Re: OT: SSH not secure?

2012-05-09 Thread Kevin Chadwick
On Wed, 9 May 2012 14:35:42 -0300
Christiano F. Haesbaert wrote:

> That's because you need to buy AutoBucket.

Having spent some time recently on some Linux mailing lists,

I have to say this list is fuckin' A.



Re: OT: SSH not secure?

2012-05-09 Thread bofh
I think Alvaro should read the classic paper: Reflections on Trusting Trust.

Alvaro,
Written by one of the guys who wrote UNIX and the original C compiler,
which is what almost every UNIX based system is derived from...

http://cm.bell-labs.com/who/ken/trust.html

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: OT: SSH not secure?

2012-05-09 Thread Alvaro Mantilla Gimenez
Thanks for pointing that article out. I read that paper some time ago.

My intention with this thread was exactly this: get a lot of comments and put
some smiles on people's faces.

I received this through LinkedIn from some experts group or something like that
(yeap...no comments).

It's interesting how many people believe information that they just received
on a social (professional???) network...

Cheers,

Alvaro

On 09/05/2012, at 12:39, bofh wrote:

> I think Alvaro should read the classic paper: Reflections on Trusting
> Trust.
>
> Alvaro,
> Written by one of the guys who wrote UNIX and the original C compiler,
> which is what almost every UNIX based system is derived from...
>
> http://cm.bell-labs.com/who/ken/trust.html
>
> --
> http://www.glumbert.com/media/shift
> http://www.youtube.com/watch?v=tGvHNNOLnCk
> This officer's men seem to follow him merely out of idle curiosity.
> -- Sandhurst officer cadet evaluation.
> Securing an environment of Windows platforms from abuse - external or
> internal - is akin to trying to install sprinklers in a fireworks
> factory where smoking on the job is permitted.  -- Gene Spafford
> learn french:  http://www.youtube.com/watch?v=30v_g83VHK4
