9fans - fans of the OS Plan 9 from Bell Labs
* passwords in the clear
From: Vadim @ 1995-08-18  4:02 UTC


Dave Presotto wrote:

>My heart is broken, I can't go on.  I thought I finally got
>rid of the damn things.

>Vadim, what is the property of your firewall that forces you
>to go to a scheme that anyone can break by watching packets
>go by?

If somebody can *watch* packets on Ethernet, that somebody
can also *send* them, ok?  The challenge-reply authentication
is useless on LANs, as stealing an already authenticated TCP
session is trivial.  Sending an ARP bogon is very simple, and
so is programming Pee-See cards for an arbitrary MAC address.
Been there, done that.  The only way to defeat snoopers on
Ethernet is to encrypt all data or to use filtering bridges,
or to use a good application-level gateway and not bother with
protection from insiders (which you never can do anyway... as
an insider can always stick a floppy in your machine and
voila! all data is his).

Please, the false expectation of "security" is worse than
the known lack of it.  Overall, the security must be
*adequate*, not *perfect*.  If a person can walk to my
machine I won't bother protecting my files with anything
more elaborate than plaintext passwords, and the company
already has an application-level gateway.

For many of us, SNK isn't worth the hassle (btw, I wrote
the SNK stuff for BSD, so you can't call me ignorant or
whatever).

--vadim

PS: A helpful SNK hint: to erase the memory you don't need
    to remove the batteries, just type in:

	ON
	3
	ENT
	00000000
	ENT
		
    repeat the sequence, and it'll give you the EO - prompt.
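
The argument in the message above, as an added sketch that is not part of the original thread: a challenge-reply check at login says nothing about later traffic on the same connection, while a MAC on every message (used here as a stand-in for "encrypt all data") does. The class names, the key derivation and the constructed secret are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"  # constructed sample value


def response(secret: bytes, challenge: bytes) -> bytes:
    """Challenge-reply: prove knowledge of the secret without sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def seal(key: bytes, seq: int, data: bytes) -> bytes:
    """MAC over the sequence number and payload, keyed by the session key."""
    return hmac.new(key, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()


class LoginOnlyServer:
    """Checks the challenge reply once, then trusts every later message."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.challenge = os.urandom(16)
        self.authenticated = False

    def login(self, reply: bytes) -> bool:
        self.authenticated = hmac.compare_digest(
            reply, response(self.secret, self.challenge))
        return self.authenticated

    def receive(self, data: bytes, tag: bytes = b"") -> bool:
        # Nothing ties this message to the party that answered the challenge.
        return self.authenticated


class PerMessageServer(LoginOnlyServer):
    """Derives a session key at login and requires a MAC on every message."""

    def login(self, reply: bytes) -> bool:
        ok = super().login(reply)
        # Assumed derivation: only holders of the secret can compute this key.
        self.key = response(self.secret, b"session" + self.challenge)
        self.seq = 0
        return ok

    def receive(self, data: bytes, tag: bytes = b"") -> bool:
        expected = seal(self.key, self.seq, data)
        if not (self.authenticated and hmac.compare_digest(tag, expected)):
            return False
        self.seq += 1  # a replayed message fails the next check
        return True
```
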


* passwords in the clear
From: Vadim @ 1995-08-21  4:09 UTC


"Filtering bridge" is the same as "switching hub".  Terminology :)

ATM is short for "Another Terrible Mistake" :)

--vadim

Date: 	Fri, 18 Aug 1995 21:23:10 -0400
From: "Paul D. Robertson" <proberts@clark.net>

On Fri, 18 Aug 1995, Vadim Antonov wrote:

[snip]
> Been there, done that.  The only way to defeat snoopers on
> Ethernet is to encrypt all data or to use filtering bridges,
> or to use a good application-level gateway and not bother with
> protection from insiders (which you never can do anyway... as
> an insider can always stick a floppy in your machine and
> voila! all data is his).
> 

You forgot switching hubs, which negate the whole sniffing/snooping/spoofing
problem (If someone substitutes a host, you've got more problems than network
security will handle).  If for no other reason, this is why some of us
just can't wait for ATM all over the friggin place :)

Paul.


-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280

* passwords in the clear
From: Paul @ 1995-08-19  1:23 UTC


On Fri, 18 Aug 1995, Vadim Antonov wrote:

[snip]
> Been there, done that.  The only way to defeat snoopers on
> Ethernet is to encrypt all data or to use filtering bridges,
> or to use a good application-level gateway and not bother with
> protection from insiders (which you never can do anyway... as
> an insider can always stick a floppy in your machine and
> voila! all data is his).
> 

You forgot switching hubs, which negate the whole sniffing/snooping/spoofing
problem (If someone substitutes a host, you've got more problems than network
security will handle).  If for no other reason, this is why some of us
just can't wait for ATM all over the friggin place :)

Paul.


-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280

* passwords in the clear
From: presotto @ 1995-08-18 12:19 UTC


My heart is broken, I can't go on.  I thought I finally got
rid of the damn things.

Vadim, what is the property of your firewall that forces you
to go to a scheme that anyone can break by watching packets
go by?