On 13 Sep 2008, at 04:46 , johan beisser wrote:
On Fri, Sep 12, 2008 at 05:42:08PM -0700, johan beisser wrote:
It's just an improbable attack. One that's easily defended against by
maintaining the interactive shell/echoback and simply push additional
Was it you who said earlier that you
Hi!
On Fri, Sep 12, 2008 at 07:41:05PM +0300, Toni Spets wrote:
Stuart Henderson wrote:
On 2008-09-12, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
To all who opposed the suggestion to send one block of data
when the Enter key is pressed: my suggestion strictly referred
to the login procedure,
On Saturday 13 September 2008, johan beisser wrote:
On Sep 13, 2008, at 5:49 AM, steve szmidt wrote:
Yes, the US had it for a while but a recent ruling has reversed that.
Really? I never heard of it ever being passed in the first place.
If it's the case I'm thinking of, the key couldn't
On 2008-09-14, J.C. Roberts [EMAIL PROTECTED] wrote:
In the UK, it seems there's such a law.
Page 1: http://networks.silicon.com/mobile/0,39024665,39282266,00.htm
Page 2:
http://networks.silicon.com/silicon/networks/mobile/0,39024665,39282266-2,00.htm
The team cracks low-grade encryption
On Sunday 14 September 2008, Stuart Henderson wrote:
On 2008-09-14, J.C. Roberts [EMAIL PROTECTED] wrote:
In the UK, it seems there's such a law.
Page 1: http://networks.silicon.com/mobile/0,39024665,39282266,00.htm
Page 2:
On Saturday 13 September 2008, johan beisser wrote:
On Sep 13, 2008, at 5:49 AM, steve szmidt wrote:
Yes, the US had it for a while but a recent ruling has reversed that.
Really? I never heard of it ever being passed in the first place.
If it's the case I'm thinking of, the key couldn't be
On Sep 12, 2008, at 9:43 PM, Darrin Chandler wrote:
I'm saying what he's wanting to prevent - Eve watching input and output to
figure out passwords, based on keyboard timing and typing patterns - isn't
really an easy attack for Eve to accomplish without a huge amount of data
being
On 12.09.2008 at 23:19, Stuart Henderson wrote:
On 2008/09/12 13:59, Marti Martinez wrote:
On Fri, Sep 12, 2008 at 1:16 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
Wait, how do you know someone is typing a password inside the session
and not just writing a text file or typing
On 2008-09-13, Jonathan Schleifer [EMAIL PROTECTED] wrote:
On 12.09.2008 at 23:19, Stuart Henderson wrote:
On 2008/09/12 13:59, Marti Martinez wrote:
On Fri, Sep 12, 2008 at 1:16 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
Wait, how do you know someone is typing a password inside the
On 13.09.2008 at 11:36, Stuart Henderson wrote:
Not always. You might connect to another machine and connect
out again from there.
You could directly connect from your machine to the other machine. You
might bring the argument that you can't get a direct connection, but
for that purpose, SSH
johan beisser wrote:
Given enough time and enough response packets you might be able to
figure out which two letter commands were given at any given time.
Section 6 of RFC4253[1] should provide some level of masking to which
character is typed outbound to the remote system and more than bit on
On Saturday 13 September 2008, Jonathan Schleifer wrote:
I don't know a single country where you are forced to hand over keys,
but not to hand over passwords
--
Jonathan
Yes, the US had it for a while but a recent ruling has reversed that.
--
Steve Szmidt
They that would give up
On Sep 13, 2008, at 3:21 AM, Toni Spets wrote:
What about some known patterns like screen (-r) from the start of
every session for example in an IRC shell where most people do that
first? Could it be used with lots of data to crack open future
sessions?
I would say yes it's possible. But
On Sep 13, 2008, at 5:49 AM, steve szmidt wrote:
Yes, the US had it for a while but a recent ruling has reversed that.
Really? I never heard of it ever being passed in the first place.
If it's the case I'm thinking of, the key couldn't be compelled from
the guy due to how they were trying
To all who opposed the suggestion to send one block of data
when the Enter key is pressed: my suggestion strictly referred
to the login procedure, not to the later data communication. I did
not mention this because I thought it was clear from the context
of the original poster who has expressively
On 9/10/2008 at 2:58 PM Kevin Neff wrote:
|Hi,
|
|Some secure protocols like SSH send encrypted keystrokes
|as they're typed. By doing timing analysis you can figure
|out which keys the user probably typed (keys that are
|physically close together on a keyboard can be typed
|faster). A careful
On Fri, Sep 12, 2008 at 4:12 AM, [EMAIL PROTECTED] wrote:
To all who opposed the suggestion to send one block of data
when the Enter key is pressed: my suggestion strictly referred
to the login procedure, not to the later data communication. I did
not mention this because I thought it was
On 2008-09-12, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
To all who opposed the suggestion to send one block of data
when the Enter key is pressed: my suggestion strictly referred
to the login procedure, not to the later data communication. I did
not mention this because I thought it was
Thanks for all the comments. I think we're all pretty much on the same
page.
First order of business is to look at how much of a weakness this may be.
Then, implement several potential solutions. Finally, test to see if the
fixes improved the situation.
I like the idea of mainly patching the
Ted Unangst wrote:
On Fri, Sep 12, 2008 at 4:12 AM, [EMAIL PROTECTED] wrote:
To all who opposed the suggestion to send one block of data
when the Enter key is pressed: my suggestion strictly referred
to the login procedure, not to the later data communication. I did
not mention this because
Stuart Henderson wrote:
On 2008-09-12, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
To all who opposed the suggestion to send one block of data
when the Enter key is pressed: my suggestion strictly referred
to the login procedure, not to the later data communication. I did
not mention this
On Fri, Sep 12, 2008 at 5:41 PM, Toni Spets [EMAIL PROTECTED] wrote:
Stuart Henderson wrote:
On 2008-09-12, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
To all who opposed the suggestion to send one block of data
when the Enter key is pressed: my suggestion strictly referred
to the login
David Higgs [EMAIL PROTECTED] wrote:
When it detects that *s are being echoed instead of the actual input
character.
I have never seen a password prompt on a UNIX terminal that echo'd *s.
--
Jonathan
On 2008-09-12, Toni Spets [EMAIL PROTECTED] wrote:
Stuart Henderson wrote:
On 2008-09-12, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
To all who opposed the suggestion to send one block of data
when the Enter key is pressed: my suggestion strictly referred
to the login procedure, not to the
On Fri, Sep 12, 2008 at 1:16 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
Wait, how do you know someone is typing a password inside the session
and not just writing a text file or typing arbitrary commands?
e.g. when eve's machine that's hijacking the network packets picks
up an outgoing
On Sep 12, 2008, at 1:16 PM, Stuart Henderson wrote:
Wait, how do you know someone is typing a password inside the session
and not just writing a text file or typing arbitrary commands?
e.g. when eve's machine that's hijacking the network packets picks
up an outgoing SSH connection.
I'm not
On 2008/09/12 13:59, Marti Martinez wrote:
On Fri, Sep 12, 2008 at 1:16 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
Wait, how do you know someone is typing a password inside the session
and not just writing a text file or typing arbitrary commands?
e.g. when eve's machine that's
On 2008/09/12 14:05, johan beisser wrote:
I'm not going to say It's impossible. It's not. How about really
highly unlikely that Eve will pick up enough useful signal to decrypt
which letters are being typed by the user.
You might like to read the abstract of the article which started the
On Sep 12, 2008, at 7:02 AM, Kevin Neff wrote:
Thanks for all the comments. I think we're all pretty much on the same
page.
First order of business is to look at how much of a weakness this may be.
Then, implement several potential solutions. Finally, test to see if the
fixes improved
On Sep 12, 2008, at 2:28 PM, Stuart Henderson wrote:
On 2008/09/12 14:05, johan beisser wrote:
I'm not going to say It's impossible. It's not. How about really
highly unlikely that Eve will pick up enough useful signal to decrypt
which letters are being typed by the user.
You might like
On Sep 12, 2008, at 2:28 PM, Stuart Henderson wrote:
On 2008/09/12 14:05, johan beisser wrote:
I'm not going to say It's impossible. It's not. How about really
highly unlikely that Eve will pick up enough useful signal to decrypt
which letters are being typed by the user.
You might like
On Thu, 11 Sep 2008, [EMAIL PROTECTED] wrote:
Just off the top of my head (I have to check the SSH protocol yet):
Why not encipher all accumulated keystrokes up to the Enter key as a
block send them instead of sending each keystroke as it is typed? This
shrouds the typist's characteristics.
On Fri, Sep 12, 2008 at 2:05 PM, johan beisser [EMAIL PROTECTED] wrote:
...
I'm not going to say It's impossible. It's not. How about really highly
unlikely that Eve will pick up enough useful signal to decrypt which
letters are being typed by the user. I know that not everyone uses ssh keys,
On Sep 12, 2008, at 3:12 PM, Philip Guenther wrote:
On Fri, Sep 12, 2008 at 2:05 PM, johan beisser [EMAIL PROTECTED] wrote:
This is about security. Being realistic means *not* being optimistic
that extracting data will be too hard, too unlikely, only
applicable to a subset of people [and
On Fri, 12 Sep 2008, johan beisser wrote:
On Sep 12, 2008, at 3:12 PM, Philip Guenther wrote:
On Fri, Sep 12, 2008 at 2:05 PM, johan beisser [EMAIL PROTECTED] wrote:
This is about security. Being realistic means *not* being optimistic
that extracting data will be too hard, too unlikely,
On Sep 12, 2008, at 4:08 PM, Damien Miller wrote:
There is no reason to believe that keystroke timing attacks will be
impossible against protocol 2 where they work against protocol 1.
They might just be a little more tricky.
I don't think I discounted an updated version of this attack against
On Fri, Sep 12, 2008 at 05:42:08PM -0700, johan beisser wrote:
It's just an improbable attack. One that's easily defended against by
maintaining the interactive shell/echoback and simply push additional
Was it you who said earlier that you weren't a cryptanalyst? Well,
neither am I, but I have
On Sep 12, 2008, at 6:41 PM, Darrin Chandler wrote:
On Fri, Sep 12, 2008 at 05:42:08PM -0700, johan beisser wrote:
It's just an improbable attack. One that's easily defended against by
maintaining the interactive shell/echoback and simply push additional
Was it you who said earlier that you
On Fri, Sep 12, 2008 at 07:46:59PM -0700, johan beisser wrote:
On Sep 12, 2008, at 6:41 PM, Darrin Chandler wrote:
Was it you who said earlier that you weren't a cryptanalyst? Well,
neither am I, but I have come away with one lesson from them: be on the
attack. You are on the defense, and
On Wed, 10 Sep 2008, STeve Andre' wrote:
On Wednesday 10 September 2008 15:58:03 Kevin Neff wrote:
Hi,
Some secure protocols like SSH send encrypted keystrokes
as they're typed. By doing timing analysis you can figure
out which keys the user probably typed (keys that are
physically
Just off the top of my head (I have to check the SSH protocol yet): Why not
encipher all accumulated keystrokes up to the Enter key as a block send them
instead of sending each keystroke as it is typed? This shrouds the typist's
characteristics.
In addition, if the cipher is a block cipher,
I'd like to see what I'm typing, as I'm typing it, in my interactive
SSH session.
Andreas
2008/9/11 [EMAIL PROTECTED]:
Just off the top of my head (I have to check the SSH protocol yet): Why not
encipher all accumulated keystrokes up to the Enter key as a block send
them instead of sending
11 September 2008 G. 12:00:18 [EMAIL PROTECTED] wrote:
Just off the top of my head (I have to check the SSH protocol yet):
Why not encipher all accumulated keystrokes up to the Enter key as a
block send them instead of sending each keystroke as it is typed? This
shrouds the typist's
On Thu, Sep 11, 2008 at 10:06:27AM +0900, Hari wrote:
| On Thu, Sep 11, 2008 at 4:58 AM, Kevin Neff [EMAIL PROTECTED] wrote:
| Hi,
|
| Some secure protocols like SSH send encrypted keystrokes
| as they're typed. By doing timing analysis you can figure
| out which keys the user probably typed
On Thu, Sep 11, 2008 at 10:42 AM, Andreas Kahari [EMAIL PROTECTED] wrote:
I'd like to see what I'm typing, as I'm typing it, in my interactive
SSH session.
Use local echo instead of remote echo then?
Reduces chattiness on the link too.
On Thursday 11 September 2008 02:28:58 Damien Miller wrote:
On Wed, 10 Sep 2008, STeve Andre' wrote:
On Wednesday 10 September 2008 15:58:03 Kevin Neff wrote:
Hi,
Some secure protocols like SSH send encrypted keystrokes
as they're typed. By doing timing analysis you can figure
STeve Andre' wrote:
This is nearly complete bullshit. For any individual, learning
their characteristics could give rise to being able to know a
great deal about what they are doing, but hardly for the
general case.
I know people who type blindingly fast. I'm a mutant hunt 'n pecker,
Also, tab-completion won't work, top won't work, control characters
won't work, vim won't work, etc etc...
-HKS
On Thu, Sep 11, 2008 at 4:00 AM, [EMAIL PROTECTED] wrote:
Just off the top of my head (I have to check the SSH protocol yet): Why not
encipher all accumulated keystrokes up to the
On Thu, Sep 11, 2008 at 11:49:39AM -0400, (private) HKS wrote:
| Also, tab-completion won't work, top won't work, control characters
| won't work, vim won't work, etc etc...
I'm glad someone brought up this point.
Hi,
Some secure protocols like SSH send encrypted keystrokes
as they're typed. By doing timing analysis you can figure
out which keys the user probably typed (keys that are
physically close together on a keyboard can be typed
faster). A careful analysis can reveal the length of
passwords and
On Wed, 10 Sep 2008, Kevin Neff wrote:
Hi,
Some secure protocols like SSH send encrypted keystrokes
as they're typed. By doing timing analysis you can figure
out which keys the user probably typed (keys that are
physically close together on a keyboard can be typed
faster). A careful
On Thu, Sep 11, 2008 at 4:58 AM, Kevin Neff [EMAIL PROTECTED] wrote:
Hi,
Some secure protocols like SSH send encrypted keystrokes
as they're typed. By doing timing analysis you can figure
out which keys the user probably typed (keys that are
physically close together on a keyboard can be
Just wait until you see me type!
On Thu, Sep 11, 2008 at 10:06:27AM +0900, Hari wrote:
On Thu, Sep 11, 2008 at 4:58 AM, Kevin Neff [EMAIL PROTECTED] wrote:
Hi,
Some secure protocols like SSH send encrypted keystrokes
as they're typed. By doing timing analysis you can figure
out which
On Thu, Sep 11, 2008 at 10:06:27AM +0900, Hari wrote:
On Thu, Sep 11, 2008 at 4:58 AM, Kevin Neff [EMAIL PROTECTED] wrote:
Hi,
Some secure protocols like SSH send encrypted keystrokes
as they're typed. By doing timing analysis you can figure
out which keys the user probably typed (keys
On Wednesday 10 September 2008 15:58:03 Kevin Neff wrote:
Hi,
Some secure protocols like SSH send encrypted keystrokes
as they're typed. By doing timing analysis you can figure
out which keys the user probably typed (keys that are
physically close together on a keyboard can be typed
On Wed, Sep 10, 2008 at 7:56 PM, STeve Andre' [EMAIL PROTECTED] wrote:
How about people with severe physical problems? I know a C4
quadriplegic who types slowly, very slowly. Depending on how
he feels, his speed varies by probably a factor of 4 or so.
if I was trying to gank a
Hell you say. I wear glasses and have been punched. Hard. In the face.
Good to know I'll be immune from you.
On 9/10/08, Aaron Glenn [EMAIL PROTECTED] wrote:
On Wed, Sep 10, 2008 at 7:56 PM, STeve Andre' [EMAIL PROTECTED] wrote:
How about people with severe physical problems? I know a C4
57 matches