SqueakSource question


SqueakSource question

Chris Cunnington
Andreas said: 
Which is something that I'm 
absolutely not fond of because it's transmitting your password pretty 
much in plain text, obfuscated as base64. Ouch.
<rant>
This won't answer your question, but I'd like to play the Devil's Advocate and ask how this is a problem?
I hear a lot of people tout SSL and other things and get antsy about exactly what you're describing, but how do you exploit it? Are there any crackers here? 
I went to a local meeting of the 2600 (from the magazine of the same name) and I said I was concerned about security and I'd like to know how to exploit something so I can protect against it. They said, basically, that if you were trying to exploit somebody on another network then it was only really possible by blasting endless password combinations. It seems sitting on a LAN, you can watch the traffic go in and out. On the Internets plural, it's harder or impossible to do. 
I've got Fyodor's "NMAP Network Scanning" on my desk right now. OK, you can port scan. You can see what ports are open. Then what? Security seems to me to be a real area of cargo cult programming. Get SSL, or else. 
Maybe you want to ignore this, as it, again, doesn't really do anything for your question. But just once I wish somebody would convince me about efforts taken to create security from first principles and not just because Bruce Schneier raised his eyebrow. 
</rant>
Chris 





Re: SqueakSource question

Andreas.Raab
http://www.wireshark.org/

'nuff said. An hour in promiscuous mode on a public network will likely
be enough to net you a couple of "interesting" passwords. If you write a
custom filter that just greps for "Authorization: Basic" you can watch
those passwords in real-time.

Cheers,
   - Andreas

Chris Cunnington wrote:

> Andreas said:
>
> Which is something that I'm
> absolutely not fond of because it's transmitting your password pretty
> much in plain text, obfuscated as base64. Ouch.
>
> <rant>
>
> This won't answer your question, but I'd like to play the Devil's Advocate and ask how this is a problem?
>
> I hear a lot of people tout SSL and other things and get antsy about exactly what you're describing, but how do you exploit it? Are there any crackers here?
>
> I went to a local meeting of the 2600 (from the magazine of the same name) and I said I was concerned about security and I'd like to know how to exploit something so I can protect against it. They said, basically, that if you were trying to exploit somebody on another network then it was only really possible by blasting endless password combinations. It seems sitting on a LAN, you can watch the traffic go in and out. On the Internets plural, it's harder or impossible to do.
>
> I've got Fyodor's "NMAP Network Scanning" on my desk right now. OK, you can port scan. You can see what ports are open. Then what? Security seems to me to be a real area of cargo cult programming. Get SSL, or else.
>
> Maybe you want to ignore this, as it, again, doesn't really do anything for your question. But just once I wish somebody would convince me about efforts taken to create security from first principles and not just because Bruce Schneier raised his eyebrow.
>
> </rant>
>
> Chris
>
>
>
>
> ------------------------------------------------------------------------
>
>



Re: SqueakSource question

Chris Cunnington
In reply to this post by Chris Cunnington
Well ... that shows what I know. 
Thanks for the link. This looks great. 



Re: SqueakSource question

Frank Shearar
In reply to this post by Chris Cunnington
Chris Cunnington wrote:

> Andreas said:
>
> Which is something that I'm
> absolutely not fond of because it's transmitting your password pretty
> much in plain text, obfuscated as base64. Ouch.
>
> <rant>
>
> This won't answer your question, but I'd like to play the Devil's Advocate and ask how this is a problem?
>
> I hear a lot of people tout SSL and other things and get antsy about exactly what you're describing, but how do you exploit it? Are there any crackers here?
>
> I went to a local meeting of the 2600 (from the magazine of the same name) and I said I was concerned about security and I'd like to know how to exploit something so I can protect against it. They said, basically, that if you were trying to exploit somebody on another network then it was only really possible by blasting endless password combinations. It seems sitting on a LAN, you can watch the traffic go in and out. On the Internets plural, it's harder or impossible to do.
>
> I've got Fyodor's "NMAP Network Scanning" on my desk right now. OK, you can port scan. You can see what ports are open. Then what? Security seems to me to be a real area of cargo cult programming. Get SSL, or else.
>
> Maybe you want to ignore this, as it, again, doesn't really do anything for your question. But just once I wish somebody would convince me about efforts taken to create security from first principles and not just because Bruce Schneier raised his eyebrow.
>
> </rant>


Fair points, Chris. But let's not forget that the majority of security
breaks (no, I don't have references to hand) come from internal sources.
So I'd almost say it's MORE important to secure stuff on a LAN than over
the public Internet.

frank


Re: SqueakSource question

K. K. Subramaniam
In reply to this post by Andreas.Raab
On Wednesday 24 February 2010 04:23:58 am Andreas Raab wrote:
> http://www.wireshark.org/
>
> 'nuff said. An hour in promiscuous mode on a public network will likely
> be enough to net you a couple of "interesting" passwords. If you write a
> custom filter that just greps for "Authorization: Basic" you can watch
> those passwords in real-time
Please don't even try this.

Decoding passwords on a public network without authorization could run foul of
local laws in many countries. Technical feasibility or academic interest is
not sufficient excuse.

Subbu


Re: SqueakSource question

Andreas.Raab
K. K. Subramaniam wrote:

> On Wednesday 24 February 2010 04:23:58 am Andreas Raab wrote:
>> http://www.wireshark.org/
>>
>> 'nuff said. An hour in promiscuous mode on a public network will likely
>> be enough to net you a couple of "interesting" passwords. If you write a
>> custom filter that just greps for "Authorization: Basic" you can watch
>> those passwords in real-time
> Please don't even try this.
>
> Decoding passwords on a public network without authorization could run foul of
> local laws in many countries. Technical feasibility or academic interest is
> not sufficient excuse.

Absolutely! This was *not* an invitation to try it. It was an attempt to
scare the hell out of all of you who think "basic auth is fine" by
showing just how trivial it would be for an attacker in the right
location to sniff your passwords.

Basic auth is *not* fine. Bruce Schneier isn't always right, but that
doesn't mean he's always wrong.

Cheers,
   - Andreas
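
The point above, that Basic auth is an encoding and not encryption, as an added example that is not part of the original thread: a self-audit over a client's own configured requests that flags every Basic credential bound for a non-HTTPS URL. The host names, credentials and the `audit` and `parse_basic` helpers are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample: (URL, headers) pairs a client is configured to send.
SAMPLE_REQUESTS = [
    ("http://repo.example.test/project", {"Authorization": "Basic " + b64("alice:s3cret:pw")}),
    ("https://repo.example.test/project", {"Authorization": "Basic " + b64("alice:s3cret:pw")}),
    ("http://repo.example.test/public", {}),
    ("http://repo.example.test/odd", {"authorization": "Basic !!!notbase64"}),
]

def parse_basic(header_value):
    """Return (user, password) from a Basic Authorization value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # No key is involved: base64 is reversible by anyone who sees the header.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Split on the first colon only; the password itself may contain ':'.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit(requests):
    """List requests carrying Basic credentials and whether the transport exposes them."""
    findings = []
    for url, headers in requests:
        # Header names are case-insensitive.
        value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
        creds = parse_basic(value) if value else None
        if creds is None:
            continue
        user, password = creds
        findings.append({
            "url": url,
            "user": user,
            "password_len": len(password),  # report the length, never the secret
            "exposed": urlsplit(url).scheme.lower() != "https",
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print("EXPOSED" if f["exposed"] else "ok     ", f["url"], f["user"], f["password_len"])
```
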


Re: SqueakSource question

Randal L. Schwartz
>>>>> "Andreas" == Andreas Raab <[hidden email]> writes:

Andreas> Absolutely! This was *not* an invitation to try it. It was an attempt
Andreas> to scare the hell out of all of you who think "basic auth is fine" by
Andreas> showing just how trivial it would be for an attacker in the right
Andreas> location to sniff your passwords.

Even simpler, install ettercap, available in most packaging systems,
and type:

  sudo ettercap -Tzqi $INTERFACE

where $INTERFACE is your default network interface.

*All* you see is decoded passwords in the clear for any of a dozen different
protocols, for anything publicly decodable zipping by your interface.

As self defense, I run this *to verify I'm not leaking* whenever I'm connected
to a public LAN (like wifi or a conference-provided ether hub), and was amazed
at how many passwords I used to leak.  In fairness, I've been known to call
out loud to people around me phrases like "jeremyq - better change your
password when you get home", eliciting shock from someone sitting nearby. :)

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[hidden email]> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion


Re: SqueakSource question

Casey Ransberger
It might be worth noting that your packets have to make a journey
across multiple networks before arriving at their destination. Someone
sniffing traffic *anywhere on that route* should be able to see your
creds if you aren't using encryption.

I don't know this for sure, but I've heard that cable Internet
providers put whole blocks of customers on the same switch. Is there a
security implication there?

On Wednesday, February 24, 2010, Randal L. Schwartz
<[hidden email]> wrote:

>>>>>> "Andreas" == Andreas Raab <[hidden email]> writes:
>
> Andreas> Absolutely! This was *not* an invitation to try it. It was an attempt
> Andreas> to scare the hell out of all of you who think "basic auth is fine" by
> Andreas> showing just how trivial it would be for an attacker in the right
> Andreas> location to sniff your passwords.
>
> Even simpler, install ettercap, available in most packaging systems,
> and type:
>
>   sudo ettercap -Tzqi $INTERFACE
>
> where $INTERFACE is your default network interface.
>
> *All* you see is decoded passwords in the clear for any of a dozen different
> protocols, for anything publicly decodable zipping by your interface.
>
> As self defense, I run this *to verify I'm not leaking* whenever I'm connected
> to a public LAN (like wifi or a conference-provided ether hub), and was amazed
> at how many passwords I used to leak.  In fairness, I've been known to call
> out loud to people around me phrases like "jeremyq - better change your
> password when you get home", eliciting shock from someone sitting nearby. :)
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> <[hidden email]> <URL:http://www.stonehenge.com/merlyn/>
> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
> See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
>
>

--
Ron


Re: SqueakSource question

Chris Hogan
In reply to this post by Andreas.Raab
Wireshark is one of my favorites.  The real issue in plain text isn't sending over the wire.  

It's when you are using wireless at your local coffee shop or hotel room (at the blackhat conference)

Other good sources of tools.

Originally done in Perl but recently ported to Ruby.

Great linux distro for hacking, all the latest white hat tools built in.

Chris Hogan


> Date: Tue, 23 Feb 2010 14:53:58 -0800
> From: [hidden email]
> To: [hidden email]
> Subject: [squeak-dev] Re: SqueakSource question
>
> http://www.wireshark.org/
>
> 'nuff said. An hour in promiscuous mode on a public network will likely
> be enough to net you a couple of "interesting" passwords. If you write a
> custom filter that just greps for "Authorization: Basic" you can watch
> those passwords in real-time.
>
> Cheers,
> - Andreas
>
> Chris Cunnington wrote:
> > Andreas said:
> >
> > Which is something that I'm
> > absolutely not fond of because it's transmitting your password pretty
> > much in plain text, obfuscated as base64. Ouch.
> >
> > <rant>
> >
> > This won't answer your question, but I'd like to play the Devil's Advocate and ask how this is a problem?
> >
> > I hear a lot of people tout SSL and other things and get antsy about exactly what you're describing, but how do you exploit it? Are there any crackers here?
> >
> > I went to a local meeting of the 2600 (from the magazine of the same name) and I said I was concerned about security and I'd like to know how to exploit something so I can protect against it. They said, basically, that if you were trying to exploit somebody on another network then it was only really possible by blasting endless password combinations. It seems sitting on a LAN, you can watch the traffic go in and out. On the Internets plural, it's harder or impossible to do.
> >
> > I've got Fyodor's "NMAP Network Scanning" on my desk right now. OK, you can port scan. You can see what ports are open. Then what? Security seems to me to be a real area of cargo cult programming. Get SSL, or else.
> >
> > Maybe you want to ignore this, as it, again, doesn't really do anything for your question. But just once I wish somebody would convince me about efforts taken to create security from first principles and not just because Bruce Schneier raised his eyebrow.
> >
> > </rant>
> >
> > Chris
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> >
>
>



Re: SqueakSource question

Chris Hogan
In reply to this post by Andreas.Raab
Yes, 

But he was only wrong the once.  He did it purposely just to see what it felt like.

http://www.schneierfacts.com/

Chris Hogan 



> Date: Wed, 24 Feb 2010 14:20:32 +0100
> From: [hidden email]
> To: [hidden email]
> Subject: [squeak-dev] Re: SqueakSource question
>
> K. K. Subramaniam wrote:
> > On Wednesday 24 February 2010 04:23:58 am Andreas Raab wrote:
> >> http://www.wireshark.org/
> >>
> >> 'nuff said. An hour in promiscuous mode on a public network will likely
> >> be enough to net you a couple of "interesting" passwords. If you write a
> >> custom filter that just greps for "Authorization: Basic" you can watch
> >> those passwords in real-time
> > Please don't even try this.
> >
> > Decoding passwords on a public network without authorization could run foul of
> > local laws in many countries. Technical feasibility or academic interest is
> > not sufficient excuse.
>
> Absolutely! This was *not* an invitation to try it. It was an attempt to
> scare the hell out of all of you who think "basic auth is fine" by
> showing just how trivial it would be for an attacker in the right
> location to sniff your passwords.
>
> Basic auth is *not* fine. Bruce Schneier isn't always right, but that
> doesn't mean he's always wrong.
>
> Cheers,
> - Andreas
>

