From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 18:07:14 2009
From: Peter Jeremy
To: Lyndon Nerenberg
Cc: freebsd-security@freebsd.org
Date: Thu, 12 Feb 2009 05:07:09 +1100
Subject: Re: OPIE considered insecure
Message-ID: <20090211180709.GB1467@server.vk2pj.dyndns.org>
References: <200902090957.27318.mail@maxlor.com> <20090209170550.GA60223@hobbes.ustdmz.roe.ch> <20090209134738.G15166@treehorn.dfmm.org> <20090209224806.GB63675@hobbes.ustdmz.roe.ch>
User-Agent: Mutt/1.5.18 (2008-05-17)
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
List-Id: "Security issues [members-only posting]"
On 2009-Feb-09 15:30:33 -0800, Lyndon Nerenberg wrote:
> From what you're describing, I would be more inclined to carry a bootable
> OS on that USB stick and reboot into that.

Keep in mind that libraries, internet cafes etc aren't going to be keen on you turning up with some (to them) random USB stick and wanting to reboot their pride-and-joy off it.

I suspect your choices are to either use OPIE (or some adaption thereof) with ssh on an untrusted computer and assume that anything you type will be logged, or carry your own trusted computer and use some form of wireless (3G, NextG etc) to communicate with your systems.

Note that using very large sequence numbers should slow down an attacker (though only linearly) since they still need to iterate MD5 by that many rounds.

-- 
Peter Jeremy

[PGP signature omitted]
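Peter's point about large sequence numbers only raising the attacker's cost linearly, as an added example that is not part of the original mail or of FreeBSD's opie code: a minimal S/KEY-style chain (MD5 folded to 64 bits as in RFC 2289, six-word encoding omitted) with a server-side verifier, plus a counter that measures how many MD5 calls one candidate passphrase costs at a given sequence number. The seed "fb1234" and the passphrases are constructed values.

```python
"""S/KEY-style one-time password chain, the scheme OPIE implements.
Illustrative reimplementation, not FreeBSD's opie(4) library: MD5 folded
to 64 bits (RFC 2289), applied N times; raw 8-byte responses, no word
encoding. Seed and passphrases below are constructed sample values."""
import hashlib

HASH_CALLS = [0]  # counts MD5 invocations so the work factor can be measured

def fold_md5(data: bytes) -> bytes:
    """One chain step: MD5, then XOR the two 8-byte halves (RFC 2289 fold)."""
    HASH_CALLS[0] += 1
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, n: int) -> bytes:
    """Response for sequence number n: fold_md5 applied n+1 times to
    seed||passphrase (seed lowercased, as RFC 2289 requires)."""
    x = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        x = fold_md5(x)
    return x

def md5_rounds_per_guess(n: int) -> int:
    """MD5 calls needed to test one candidate passphrase against a response
    observed at sequence n: n+1, i.e. linear in n (the mail's point)."""
    before = HASH_CALLS[0]
    otp("candidate passphrase", "fb1234", n)  # constructed values
    return HASH_CALLS[0] - before

class OtpVerifier:
    """Server side: stores only seed, sequence number and the hash of the
    response it expects; the passphrase itself is never stored."""
    def __init__(self, passphrase: str, seed: str, n: int):
        self.seed, self.n = seed, n
        self.current = otp(passphrase, seed, n)

    def challenge(self) -> tuple:
        return (self.n - 1, self.seed)  # what the login prompt shows

    def verify(self, response: bytes) -> bool:
        # hashing the response once more must reproduce the stored value
        if self.n <= 0 or fold_md5(response) != self.current:
            return False
        self.n -= 1               # the chain only moves backwards, so a
        self.current = response   # replayed or logged response never matches
        return True
```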