Useful factoid

Jean-David Beyer jeandavid8 at verizon.net
Thu Oct 13 16:03:56 CEST 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert J. Hansen wrote:
> On 10/11/2011 05:14 PM, Jean-David Beyer wrote:
>> Let us assume you are the bad guy
> 
> Okay.
> 
>> Unless you have my encrypted keys, you have to access my computer 
>> (unless you have already stolen it, in which case there are much 
>> easier ways to invade the machine), you will have to try logging in
>>  through the Internet (in the case of my machine), and the first
>> thing you will hit is the login program.
> 
> Hold on a second there.  You seem to be making some extremely 
> unwarranted assumptions.

Quite possibly. And unwarranted assumptions are especially pernicious
because those are typically those I am unaware of making.

I am not a security expert anymore. I really was never a security
expert, though I was once put in charge of security for 10 VAX machines
running UNIX, but this was around 30 years ago almost before the
Internet. Some of us were using uucp on dialup, but that was about it.
In those days it was almost impossible to get the users to use passwords
on their accounts.
> 
> If I want your secret key material, I'm not going to steal your 
> computer.  I'm going to use an exploit to bypass your login, plant a 
> Trojaned version of GnuPG, and laugh all the way to the bank.

I realize if you stole my computer that I would notice it.
If you broke into my house skillfully enough that I did not notice it,
you could install a key logger, or copy my hard drives, steal my backup
tapes, ... . But you could also remove all protections by getting in as
the root user (on UNIX-Linux). And I might not notice that.

The trick is to do that from the Internet. I have some safeguards to
protect me, and they may protect me from amateurs, but an expert might
be able to defeat me.

It seems to me that to do much damage to my machine, you need to get a
shell with root access. And to do that, do you not pretty much need the
root password? Or hijack a program that is currently running with the
root privileges?

I never run a web browser as root. But there are demons that run and
some have root privileges. Such as the download mechanism to download
updates from Red Hat. My nameserver does not run as root. I do not run
telnet. ssh will talk only to specified IP addresses on my LAN. My
firewall will not accept messages from outside unless in reply to
something I sent out, so I believe it would take a man-in-the-middle
attack to get past that unless the firewall is defective. I actually
have two firewalls; a primitive one in the router that comes with
Verizon's FiOS service, and another one using iptables. These, too,
could have bugs, especially if I made a mistake in programming the
iptables firewall.
> 
> Modern-day operating systems are frightening -- terrifyingly -- 
> insecure.  A while ago Vint Cerf estimated that about one desktop PC
> in five was already pwn3d.  That's a number that keeps me awake at
> night.
> 
At one extreme, the only way to be pretty safe is to have a machine that
is not connected to the Internet, and have U.S.Marines to guard the
hardware and access to it. I do not choose to defend myself against
threats that would reasonably require that. I want my security to be
weak enough that the black hats would not resort to torture to get the
information they want.

The friends of mine that even know what computer security might mean do
not even encrypt their e-mails, though they worry about it's being
intercepted. Friends complain if I digitally sign my e-mails. I assume
if they could accept encrypted e-mails, that they would save them in
clear form on their machines anyway. So maybe I am kidding myself.

I do not think my machine has been taken over. For one thing, I can
pretty much see the Internet traffic from it, and when I am not doing
anything, not much goes down the Internet. A friend whose machine was
hacked (Windows ME) had lots of Internet traffic and the machine got
impossibly slow. The hard drives never stopped clicking. I do not have
that, though the hard drives on this machine do not click, but the
Xosview program shows that when nothing is going on, nothing except
BOINC programs run. The demons do, but they do not use any processor time.

If I ran this machine as a server, my problems would surely be worse.

- --
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 08:50:01 up 6 days, 17:23, 4 users, load average: 5.14, 4.93, 4.94
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/

iD8DBQFOlu/MPtu2XpovyZoRArvUAKC022RLKvUmsbM1XD5shR+xrB06kQCdEDE+
gx/6aDndO7obVhfgZVEMk6o=
=yjMn
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list