Andreas said:

> Which is something that I'm absolutely not fond of because it's transmitting your password pretty much in plain text, obfuscated as base64. Ouch.

<rant>

This won't answer your question, but I'd like to play the Devil's Advocate and ask how this is a problem?

I hear a lot of people tout SSL and other things and get antsy about exactly what you're describing, but how do you exploit it? Are there any crackers here?

I went to a local meeting of the 2600 (from the magazine of the same name) and I said I was concerned about security and I'd like to know how to exploit something so I can protect against it. They said, basically, that if you were trying to exploit somebody on another network then it was only really possible by blasting endless password combinations. It seems sitting on a LAN, you can watch the traffic go in and out. On the Internets plural, it's harder or impossible to do.

I've got Fyodor's "NMAP Network Scanning" on my desk right now. OK, you can port scan. You can see what ports are open. Then what? Security seems to me to be a real area of cargo cult programming. Get SSL, or else.

Maybe you want to ignore this, as it, again, doesn't really do anything for your question. But just once I wish somebody would convince me about efforts taken to create security from first principles and not just because Bruce Schneier raised his eyebrow.

</rant>

Chris
http://www.wireshark.org/

'nuff said. An hour in promiscuous mode on a public network will likely be enough to net you a couple of "interesting" passwords. If you write a custom filter that just greps for "Authorization: Basic" you can watch those passwords in real-time.

Cheers,
  - Andreas

Chris Cunnington wrote:
> Andreas said:
>
> Which is something that I'm absolutely not fond of because it's transmitting your password pretty much in plain text, obfuscated as base64. Ouch.
>
> This won't answer your question, but I'd like to play the Devil's Advocate and ask how this is a problem?
>
> I hear a lot of people tout SSL and other things and get antsy about exactly what you're describing, but how do you exploit it? Are there any crackers here?
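The "grep for Authorization: Basic" filter above, carried through to the decoding step, as an added example that is not part of this thread and not SqueakSource or Wireshark code. In Wireshark itself the display filter `http.authorization contains "Basic"` selects the same requests; the script below does the equivalent over raw HTTP request text and shows why base64 is obfuscation rather than protection. The capture, the hosts (`*.example.invalid`) and the account are constructed for the example.

```python
import base64
import re

# Constructed sample of what a sniffer on the same segment would see: three
# HTTP request heads back to back. This is made-up traffic, not a real capture,
# and alice@www.example.invalid is not a real account.
CONSTRUCTED_CAPTURE = (
    b"GET /squeaksource/Foo HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    b"User-Agent: Squeak/4.1\r\n"
    b"\r\n"
    b"GET /public/ HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"\r\n"
    b"GET /private/ HTTP/1.1\r\n"
    b"Host: other.example.invalid\r\n"
    b"Authorization: Basic not*valid*base64\r\n"
    b"\r\n"
)

# One request head: request line, header lines, blank line. Anything that is
# not a request line (bodies, responses) is skipped; a real tool would first
# reassemble the TCP stream, which this example does not attempt.
REQUEST_HEAD_RE = re.compile(
    rb"^[A-Z]+ (?P<target>\S+) HTTP/1\.[01]\r\n"
    rb"(?P<headers>(?:[^\r\n]+\r\n)*)\r\n",
    re.M,
)


def decode_basic(token: bytes):
    """Turn the base64 token of a Basic header back into (user, password).

    Base64 is a reversible encoding with no key, which is the point of the
    thread: anyone who can read the packet can read the password. Returns
    None for tokens that are not valid base64 or that lack the ':' RFC 2617
    requires between user and password.
    """
    try:
        decoded = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    user, sep, password = decoded.partition(b":")
    if not sep:
        return None
    return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")


def find_basic_credentials(capture: bytes):
    """Scan raw HTTP request text and report every decodable Basic credential,
    together with the host and path it was sent to."""
    findings = []
    for head in REQUEST_HEAD_RE.finditer(capture):
        host = None
        creds = None
        for line in head.group("headers").split(b"\r\n"):
            if not line:
                continue
            name, _, value = line.partition(b":")
            name, value = name.strip().lower(), value.strip()
            if name == b"host":
                host = value.decode("ascii", "replace")
            elif name == b"authorization":
                scheme, _, token = value.partition(b" ")
                if scheme.lower() == b"basic":
                    creds = decode_basic(token.strip())
        if creds is not None:
            findings.append({
                "host": host,
                "target": head.group("target").decode("ascii", "replace"),
                "user": creds[0],
                "password": creds[1],
            })
    return findings


if __name__ == "__main__":
    for f in find_basic_credentials(CONSTRUCTED_CAPTURE):
        print(f"{f['user']}:{f['password']} sent to {f['host']}{f['target']}")
```

Run against the constructed capture it reports exactly one login, alice:s3cr3t to www.example.invalid/squeaksource/Foo; the request without a header and the request with a malformed token are skipped rather than aborting the scan. The same decoding works unchanged on traffic you are authorised to inspect, which is the only traffic you should point it at.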
In reply to this post by Chris Cunnington
Well ... that shows what I know.

Thanks for the link. This looks great.
In reply to this post by Chris Cunnington
Chris Cunnington wrote:
> Andreas said:
>
> Which is something that I'm absolutely not fond of because it's transmitting your password pretty much in plain text, obfuscated as base64. Ouch.
>
> [...]
>
> It seems sitting on a LAN, you can watch the traffic go in and out. On the Internets plural, it's harder or impossible to do.

Fair points, Chris. But let's not forget that the majority of security breaks (no, I don't have references to hand) come from internal sources. So I'd almost say it's MORE important to secure stuff on a LAN than over the public Internet.

frank
In reply to this post by Andreas.Raab
On Wednesday 24 February 2010 04:23:58 am Andreas Raab wrote:
> http://www.wireshark.org/
>
> 'nuff said. An hour in promiscuous mode on a public network will likely
> be enough to net you a couple of "interesting" passwords. If you write a
> custom filter that just greps for "Authorization: Basic" you can watch
> those passwords in real-time

Please don't even try this.

Decoding passwords on a public network without authorization could run foul of local laws in many countries. Technical feasibility or academic interest is not sufficient excuse.

Subbu
K. K. Subramaniam wrote:
> On Wednesday 24 February 2010 04:23:58 am Andreas Raab wrote:
>> http://www.wireshark.org/
>>
>> 'nuff said. An hour in promiscuous mode on a public network will likely
>> be enough to net you a couple of "interesting" passwords. If you write a
>> custom filter that just greps for "Authorization: Basic" you can watch
>> those passwords in real-time
> Please don't even try this.
>
> Decoding passwords on a public network without authorization could run foul of
> local laws in many countries. Technical feasibility or academic interest is
> not sufficient excuse.

Absolutely! This was *not* an invitation to try it. It was an attempt to scare the hell out of all of you who think "basic auth is fine" by showing just how trivial it would be for an attacker in the right location to sniff your passwords.

Basic auth is *not* fine. Bruce Schneier isn't always right, but that doesn't mean he's always wrong.

Cheers,
  - Andreas
>>>>> "Andreas" == Andreas Raab <[hidden email]> writes:

Andreas> Absolutely! This was *not* an invitation to try it. It was an attempt
Andreas> to scare the hell out of all of you who think "basic auth is fine" by
Andreas> showing just how trivial it would be for an attacker in the right
Andreas> location to sniff your passwords.

Even simpler, install ettercap, available in most packaging systems, and type:

    sudo ettercap -Tzqi $INTERFACE

where $INTERFACE is your default network interface.

*All* you see is decoded passwords in the clear for any of a dozen different protocols, for anything publicly decodable zipping by your interface.

As self defense, I run this *to verify I'm not leaking* whenever I'm connected to a public LAN (like wifi or a conference-provided ether hub), and was amazed at how many passwords I used to leak. In fairness, I've been known to call out loud to people around me phrases like "jeremyq - better change your password when you get home", eliciting shock from someone sitting nearby. :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[hidden email]> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
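What the ettercap self-check above is doing for the line-oriented mail and file-transfer protocols, as an added example that is not from this thread and not ettercap's own code. It works offline on client-to-server byte streams that are assumed to have already been reassembled per connection and keyed by destination port (a simplification; ettercap dissects live packets and recognises far more protocols). The flows, hosts, users and passwords are constructed; the FTP, POP3, IMAP LOGIN and SMTP AUTH PLAIN command formats are the standard ones.

```python
import base64
import re

# Constructed client-to-server streams, in the shape a capture tool hands to a
# credential decoder after reassembling each TCP connection. Made-up hosts,
# users and passwords; none of this is real traffic.
CONSTRUCTED_FLOWS = [
    # (destination host, destination port, client-to-server bytes)
    ("ftp.example.invalid", 21,
     b"USER bob\r\nPASS hunter2\r\nPWD\r\nQUIT\r\n"),
    ("mail.example.invalid", 110,
     b"USER carol\r\nPASS letmein\r\nSTAT\r\nQUIT\r\n"),
    ("imap.example.invalid", 143,
     b'a001 LOGIN dave "pa ss"\r\na002 SELECT INBOX\r\n'),
    ("smtp.example.invalid", 587,
     b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\x00erin\x00s3cr3t") + b"\r\n"),
    ("ftp.example.invalid", 21,
     b"USER anonymous\r\nPASS guest@\r\nLIST\r\n"),  # anonymous FTP: nothing secret
    ("www.example.invalid", 443,
     b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),   # TLS handshake: opaque to us
]


def user_pass_pair(lines):
    """FTP and POP3 both send 'USER x' and then 'PASS y' as separate lines."""
    user = None
    for line in lines:
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"USER":
            user = arg.strip()
        elif verb.upper() == b"PASS" and user is not None:
            return user, arg.strip()
    return None


def imap_login(lines):
    """IMAP: '<tag> LOGIN user password', the password optionally double-quoted."""
    for line in lines:
        m = re.match(rb'\S+ LOGIN (\S+) (?:"([^"]*)"|(\S+))', line, re.I)
        if m:
            password = m.group(2) if m.group(2) is not None else m.group(3)
            return m.group(1), password
    return None


def smtp_auth_plain(lines):
    """SMTP AUTH PLAIN, inline form: base64 of NUL authzid NUL authcid NUL password."""
    for line in lines:
        m = re.match(rb"AUTH PLAIN (\S+)", line, re.I)
        if m:
            try:
                blob = base64.b64decode(m.group(1), validate=True)
            except ValueError:
                return None
            parts = blob.split(b"\x00")
            return (parts[1], parts[2]) if len(parts) == 3 else None
    return None


# Port -> (protocol name, decoder). Ports without a decoder are left alone,
# which is also what happens to anything wrapped in TLS.
DECODERS = {
    21: ("ftp", user_pass_pair),
    110: ("pop3", user_pass_pair),
    143: ("imap", imap_login),
    25: ("smtp", smtp_auth_plain),
    587: ("smtp", smtp_auth_plain),
}


def find_leaked_credentials(flows):
    """Return one record per connection that carried a usable cleartext login."""
    leaks = []
    for host, port, payload in flows:
        if port not in DECODERS:
            continue
        proto, decoder = DECODERS[port]
        pair = decoder(payload.split(b"\r\n"))
        if pair is None:
            continue
        user, password = pair
        if proto == "ftp" and user.lower() == b"anonymous":
            continue  # an anonymous login leaks no secret
        leaks.append({
            "proto": proto, "host": host,
            "user": user.decode("utf-8", "replace"),
            "password": password.decode("utf-8", "replace"),
        })
    return leaks


def warnings(flows):
    """The kind of message you would call out across the room."""
    return [f"{leak['user']} - better change your password when you get home "
            f"({leak['proto']} to {leak['host']})"
            for leak in find_leaked_credentials(flows)]


if __name__ == "__main__":
    for line in warnings(CONSTRUCTED_FLOWS):
        print(line)
```

On the constructed flows it reports four leaked logins (FTP, POP3, IMAP and SMTP) and nothing for the anonymous FTP session or the TLS connection: the only streams a passive observer cannot read are the ones that were encrypted. Point it only at traffic you are authorised to inspect, as Subbu's note in this thread says.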
It might be worth noting that your packets have to make a journey across multiple networks before arriving at their destination. Someone sniffing traffic *anywhere on that route* should be able to see your creds if you aren't using encryption.

I don't know this for sure, but I've heard that cable Internet providers put whole blocks of customers on the same switch. Is there a security implication there?

On Wednesday, February 24, 2010, Randal L. Schwartz <[hidden email]> wrote:
> Even simpler, install ettercap, available in most packaging systems,
> and type:
>
> sudo ettercap -Tzqi $INTERFACE
>
> where $INTERFACE is your default network interface.
>
> *All* you see is decoded passwords in the clear for any of a dozen different
> protocols, for anything publicly decodable zipping by your interface.

-- 
Ron
In reply to this post by Andreas.Raab
Wireshark is one of my favorites. The real issue in plain text isn't sending over the wire. It's when you are using wireless at your local coffee shop or hotel room (at the blackhat conference)

Chris Hogan

> Date: Tue, 23 Feb 2010 14:53:58 -0800
> From: [hidden email]
> To: [hidden email]
> Subject: [squeak-dev] Re: SqueakSource question
>
> http://www.wireshark.org/
>
> 'nuff said. An hour in promiscuous mode on a public network will likely
> be enough to net you a couple of "interesting" passwords. If you write a
> custom filter that just greps for "Authorization: Basic" you can watch
> those passwords in real-time.
>
> Cheers,
> - Andreas
In reply to this post by Andreas.Raab
Yes,

But he was only wrong the once. He did it purposely just to see what it felt like.

http://www.schneierfacts.com/

Chris Hogan

> Date: Wed, 24 Feb 2010 14:20:32 +0100
> From: [hidden email]
> To: [hidden email]
> Subject: [squeak-dev] Re: SqueakSource question
>
> [...]
>
> Basic auth is *not* fine. Bruce Schneier isn't always right, but that
> doesn't mean he's always wrong.
>
> Cheers,
> - Andreas