Date: Wed, 18 Feb 1998 18:03:09 -0500 (EST)
From: Michael Graffam
To: Benedikt Stockebrand
cc: questions@FreeBSD.ORG, isp@FreeBSD.ORG
Subject: Re: Books on security

On 18 Feb 1998, Benedikt Stockebrand wrote:

> Actually, that can be a "big deal" if IP spoofing is a serious
> problem.

Yeah, I concede that spoofing is a problem with this method..

> If you need some virtual network with some machines in Peru you
> probably should consider using some crypto tunnel.

Yeah, tunneling through ssh would be my first choice, but this isn't
always possible.

> S/key is vulnerable to session hijacking, so ssh may be a better
> choice. If you use rdist, ssh has the additional advantage that it
> allows root to run it while plain rsh won't.

No, I don't run rdist. I do run ssh though, and when I am at a machine
that can do ssh, I use it. I do need to access my system through
machines that can't do ssh though, and for this s/key is the next best
choice.

I certainly prefer encrypted sessions, but until someone makes, and my
access points purchase a terminal server that does ssh, I'm stuck with
cleartext telnet.. hijacking my connection wouldn't do too much good
though.
When on a connection like this I only log in to a non-privy account.
About the only thing they could do is read my mail, and send mail as
me. I don't consider this a big deal since anyone can do that already
by hacking my ISP (really bad security). They can't even deny me my
mail since it is all forwarded from my normal account.. I'd still have
backups.. and I PGP sign all mail that I send when I am using a secure
channel, so sure.. they can get me, but they can't do much, and being
able to check my mail during the day and get to a few files here and
there greatly outweighs the security risk.

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
"..subordination of one sex to the other is wrong in itself, and now
one of the chief hindrances to human improvement.." John Stuart Mill
"The Subjection of Women"