Did I give up on telnet too easily?

Discussion in 'Linux Networking' started by Jem Berkes, Sep 21, 2003.

  1. Jem Berkes

    Alan Connor Guest


    Seems like the people chanting the above have forgetten that passwords
    can be changed in a flash, and that a list of them to be used in sequence
    can cover extreme cases where some cracker has fixated on busting your box.

    Secure means? How about a direct modem-to-modem connection using minicom
    that doesn't even use the Internet? A short phone call to convey a thousand
    passwords....With simple scripts at both ends to deal with the changes.

    Glad you brought this up again. And pointed out the flaws in ssh/openssl.
    A lot of people want to believe that it is a panacea, but is sure isn't.
    If you are going to run a publice server you better know your stuff and
    stay on your toes, and relying on software that any cracker can get the
    sourcecode to, is probably a dumb move.
     
    Alan Connor, Oct 11, 2003
    #81
    1. Advertisements

  2. Jem Berkes

    Huge Guest

    [14 lines snipped]


    Not that I pay muvh attention to the "Look at me, Mum, I'm anonymous" brigade, but;
    This is bullshit. And yes, I know about switched networks. It's still bullshit.
     
    Huge, Oct 11, 2003
    #82
    1. Advertisements

  3. Jem Berkes

    Bit Twister Guest

    And that is why we are saying telnet is insecure.
    Ha, ha, ha. So a student telnets in from home to college and you are
    trying to tell me that a password sniffer on his segment will not see
    his password?

    Now that is FUD

    You are just as smart as Alan Connor.
     
    Bit Twister, Oct 11, 2003
    #83
  4. Then you are misguided. It is the student who decided to use telnet
    remotely who is insecure and telnetd is not insecure in itself. Put it
    on your network and see if anything blows up or becomes cracked! It
    offers no particular vulnerability to a cracker. You might also say
    ssh is insecure (to a person who gets root on the remote machine - it
    is, because he can snoop the tty).

    Peter
     
    Peter T. Breuer, Oct 11, 2003
    #84
  5. Jem Berkes

    Les Mikesell Guest

    And if he ssh's in from a computer other than his own, his keystrokes
    can be captured either in software or by an inexpensive device that
    goes on the keyboard cable.
     
    Les Mikesell, Oct 11, 2003
    #85
  6. Jem Berkes

    Marcus Lauer Guest

    Which is true of telnet as well.

    Note also that ssh supports an RSA authentication protocol which might deal
    with this problem. If you can put your key on the client machine, you can
    login without having to type anything which a keylogger could detect and
    use.

    -- Marcus --
     
    Marcus Lauer, Oct 11, 2003
    #86
  7. Jem Berkes

    Marcus Lauer Guest

    Yes, but they're changed over a plain-text connection, which means that any
    sniffer will see you type in each new password. And the attacker can login
    in a flash as well, can't they? Also, how do you plan to get work done
    when you're repeatedly typing in three passwords (you original one, the new
    one, and the new one again)?

    You didn't think this plan through very well, did you?

    -- Marcus --
     
    Marcus Lauer, Oct 11, 2003
    #87
  8. Jem Berkes

    Marcus Lauer Guest

    This is plainly wrong. If the sniffing takes place on a machine between
    the client and the server (e.g. some intermediate router) or on a machine
    which recieves all the same packets as the server (e.g. if the server is on
    a hub, all other machines on that hub) then the the firewall rules on the
    server are irrelevant. This is generally how sniffing is done.

    Why do I get the feeling that you've played with sniffers on your own
    machine, but never on a network?

    It's only FUD if you don't know what you're talking about. Sending secret
    information (e.g. passwords) over the Internet unencrypted is always a bad
    idea, period.

    -- Marcus --
     
    Marcus Lauer, Oct 11, 2003
    #88
  9. No they are not. Do not put words in other peoples mouths. If you
    cannot imagine how to do it without showing it in plaintext, I'll be
    happen to make up for your neural gap next post.
    No they can't. Again, I'll be happy to tell you how not if you can't
    imaine.
    No, it's YOU who can't think in this instance. Quit being annoying. AC
    may be an idiot on many things, and quite possibly on this too, but
    there's no need to act like an even bigger half-wit in reply.

    Peter
     
    Peter T. Breuer, Oct 11, 2003
    #89
  10. And you can always avoid oncoming traffic, too. Sorry, but people
    generally refuse to use such tools. And integrating such behavior into
    an FTP site, private web site access, or even internal logins for
    paperwork handlers would cause incredible shrieking.

    Now, there have been rotating or auto-generated password protection
    schemes for modem use in particular. The user is first asked for a
    challeng-response password, which they keep on a print-out of say 100
    such responses, and then logs in with their normal user password. More
    work, but when you really need to authenticate connections and keep
    people off your modem lines it's fairly handy.
    Which can be monitored by any schmuck with a modem and a clue at the
    Telco or at any place on the phone line with an entirely unencrypted
    connection. Where have you *been* the last 20 years in dial-up security?
    True, it's no panacea, but the difficulties of OpenSSH and it's peers in
    no way lends credence or support to using telnet instead....
     
    Nico Kadel-Garcia, Oct 11, 2003
    #90
  11. Jem Berkes

    Marcus Lauer Guest

    Okay, hold on. If you're saying that some process, be it a daemon or just
    some program called as part of the login process, changes a user's password
    after they login, then fine. Yes, I can see how that works. What I don't
    understand is how that would create a useable system. Are we talking about
    having one-time passwords, e.g. where the user needs a new password every
    time they login?

    I guess my problem is that I don't see that as being very useable. I also
    argued against telnet being a good replacement for ssh while acknowledging
    that in some very restricted environments, telnet might be okay. It sounds
    like this is the same sort of thing. Yes it can be done. It would also be
    a pain in the ass to use, could be done with ssh just as easily, and still
    assumes some things, e.g. that the user doesn't mistype one letter in an
    obvious password and a quick attacker doesn't take advantage of the
    situation.

    Now that I think about it, I admit that my reply wasn't very bright. But
    next time, if you must reply to a dumb post, reply with facts, not insults.
    As far as I know, you may have no idea what you're talking about either!
    If you do know what you're talking about, God forbid that you should
    actually educate me, AC, and the rest of the newsgroup rather than just
    throwing around insults. I'm hardly a half-wit, guy. In fact, if what I
    wrote in the last two paragraphs is correct, then I'm the only one here
    who's actually demonstrated any understanding at all of how automatic
    password changing could be implemented and what some of the costs and
    benefits would be.

    -- Marcus --
     
    Marcus Lauer, Oct 11, 2003
    #91
  12. Jem Berkes

    Alan Connor Guest

    No. You didn't understand what I was trying to convey. But I don't care.
    You are obviously one of the lazy security paranoids who think that some
    stock program whose sourcecode is freely available can protect you from
    the boogey-man.

    Go for it! I use telnet, and if you try to bust my box I will hammer your
    stupid ass into the ground.
     
    Alan Connor, Oct 11, 2003
    #92
  13. Jem Berkes

    Alan Connor Guest

    Here's a clue: Just because you say something, over and over again, doesn't
    make it true.

    Millions and millions of people use telnet and other allegedly 'insecure'
    applications every day, and all of us think that people with your outlook are
    paranoid morons.

    And guess what? YOU get cracked more often than we do, because you mistakenly
    assume that you can just install some program and forget about it.

    WE stay vigilante and are prepared to teach any would-be invaders a serious
    lesson: Never had one try twice.
     
    Alan Connor, Oct 11, 2003
    #93
  14. Good. You got it. Yes, the standard trick is to "sacrifice" a password
    ar each telnet login. I do it quite often, since I log in from all over
    the world sometimes from kiosks that seem to have nothing but telnet
    and no way to download putty. I prepare a second password before I
    leave and as soon as I log in via telnet I swap in the prepared "other"
    password line into /etc/passwd, using sudo with my shortly-to-be
    invalid passwd. That's enough.

    One can automate that, but I'm not as crazy as AC so I'm not going to
    pretend I do. Nor am I going to suggest other wild schemes such as
    changing the password randomly on login and leaving a url behind
    for where to mail it to with pgp.
    It's quite usable, I assure you! I have to do it quite often!
    Except that you forget that you might not have ssh. I'm not quite such
    a fool as to forget to prepare myself for that possibility. Or at least
    not such a fool as to forget the lesson of experience, when I have
    needed such a thing. I rig my mail with a one-time passwd too, that can
    be used to execute arbitary commands via mail (and if you think that's
    an AC-like fantasy I'll show you the procmail stanza). Been there, done
    that.
    That's OK. You proved you could think of the answer.
    I found that you were being insulting towards the truth, and did reply
    with facts. I pointed out that you were wrong (a fact) and told you
    that I would tell you how you could avoid the hole you set out if you
    didn't get it (another fact, which I didn't have to potentiate, since
    you got it).
    You are correct.

    Peter
     
    Peter T. Breuer, Oct 11, 2003
    #94
  15. Alan Connor wrote:

    We use telnet *as a client* to talk to other services (such as quickly
    testing out SMTP or IMAP or whatever). We also use telnet as a client on
    the telnet port to systems too stupid or old to run SSH, such as a lot
    of router boxes that won't supply SSH because of the export encryption
    regulations.
    No, we watch fools using FTP/Telnet/RSH/other unencrypted systems get
    their passwords stolen despite our best efforts.
     
    Nico Kadel-Garcia, Oct 11, 2003
    #95
  16. Jem Berkes

    Alan Connor Guest

    Myself and millions of others use the "old" protocols every day without
    being cracked.

    SSL is NOT the only way to create secure systems.

    And anyone who says it is, is someone you should not entrust the security
    of your system to.

    Talk is cheap, Nico. Why don't you try to crack my "insecure" system? After
    all, it would be a piece of cake, right? That's what you keep saying...

    I'm putting a file in my home directory right now, named "nico". It has a
    6 character string in it, all lowercase letters

    Very shortly, a friend will post the string nicoxxxxxx, obscured in a very
    simple substitution cipher, on a newsgroup.

    See? I make it easy for you: You don't even have to gain root priveleges.

    By taking me up on this challenge, you also grant me permission to access
    YOUR box or network after the fact of your attempted intrusion, and to do
    anything I want there, within 5 minutes of said attempted intrusion.

    Fair enough? I'll be netcatting all day long, as usual. Easy prey, right?
    (And I won't be taking any unusual precautions, just the usual, common
    sense routines.)
     
    Alan Connor, Oct 11, 2003
    #96
  17. Jem Berkes

    Marcus Lauer Guest

    I think you're replying to one of my other posts. This one was entirely
    about sniffers.

    John Doe claimed that:
    I responded by pointing out that any host between the client and server can
    stiff packets, as can other systems if hubs in use in the right places.
    Packets do travel between routers and can be sniffed at those routers.
    Furthermore, hubs do send packets to every machine connected to the hub,
    which means that anyone else on the same hub can sniff your telnet session.
    You can look routers and hubs up on Google if you don't believe me.

    -- Marcus --
     
    Marcus Lauer, Oct 11, 2003
    #97
  18. What is your home machine's IP address, oh brave one?

    Talk is cheap!

    Peter
     
    Peter T. Breuer, Oct 11, 2003
    #98
  19. Jem Berkes

    Marcus Lauer Guest

    You don't get to be insulted by my posts unless you actually know better,
    and when you don't say what you know, you haven't proved to anyone else
    that you know any better. Any six year old can throw around insults and
    pretend that they know the answer. So if you are insulted, you don't get
    to say anything unless you're willing to back your anger up with facts.
    You've got to prove yourself. Otherwise, you're just going around bitching
    at people, and nobody respects that kind of person. They contribute
    nothing to the discussion but background noise.

    Incidentally, using a command line password switcher gives a quick attacker
    plenty of time to login. Your system isn't half as good as the ones Nico
    Kadel-Garcia talked about. So much for your "expertise".

    -- Marcus --
     
    Marcus Lauer, Oct 11, 2003
    #99
  20. Jem Berkes

    Alan Connor Guest


    Yeh, but who can put sniffers in those locations?

    And sort MY session from the 10's of thousands of others?

    And break the one-time pad any sensitive data would be in?

    And use whatever info they've retrieved from the sniff to get into
    a box with me and some pretty complex scripts watching all my ports?

    And....

    And...

    You are talking about a major undertaking, and an expensive one. Anyone
    that was going to be able to pull it off could just get the telephone/cable
    company to tap my line.

    Or hire a private firm to do it.
     
    Alan Connor, Oct 12, 2003
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.