tedm at toybox.placo.com
Wed Dec 14 18:37:20 PST 2005
>From: gwen [mailto:gwen at nvnsvch.org]
>Sent: Wednesday, December 14, 2005 12:35 PM
>To: Ted Mittelstaedt
>Cc: RW; freebsd-questions at freebsd.org; caleb
>Subject: Re: pine
>* Ted Mittelstaedt (tedm at toybox.placo.com) [051214 15:22]:
>> >> 'Can't do secure authentication with this server'
>> >If the server supports neither ssl, nor any form secure
>> >authentication, there
>> >nothing you can do to protect your password.
>> The first thing you can do is go out and shoo the crackers
>> off the telephone pole who are tapped into your phone line
>> and sniffing your passwords.
>> Then you can ask your ISP to start locking the door to his
>> NOC and kick out all the crackers who have sleeping bags in
>> the NOC and are tapped into the ISP's ethernet cable from his
>> router to his mail server.
>> But the thing that would probably put your mind at ease the most
>> is to stop going to Hollywood movies like The Net which make it appear
>> as though crackers can magically sniff your cleartext passwords
>> when they have access to the network between your
>> PC and the ISP's mailserver.
>Have you ever seen the output of tcpdump? You see anything on the
>same network as you. So any of the following *likely* situations
>leaves your non-encrypted password open for sniffing:
>1) Wireless access, *any* wireless access.
Er, WEP anyone? Do you really think if this poster is smart enough to
figure out how to turn on SSL on pine that he hasn't already thought of
>2) Cable modem pools, or any internet hookup where there's a communal
Nope either. If cable networks allowed unicast packets to flood every
subscriber then it would knock all their subscribers offline. Consider:
a typical cable modem is a 2-3MB device. Now compare that to the
average amount of bandwidth in use on a typical cable segment - we
are talking hundreds of mbits. You're not going to stuff all that traffic
down a cable modem.
As for other communal networks, granted, if such a network was plugged into
a HUB and not a SWITCH then yes. How likely do you think that scenario
Even 10/100 24 port switches are going for under $50 on Ebay these days,
so those on complete shoestring networks have no excuse for keeping an
ancient hub in service.
Granted while you can flood a switch to force it into unicast mode, the
network then crawls, lots of complaints result, miscreant soon taken
>3) public networks (OK, I know the scenario presented is for home
>usage, but it's worth it to put this point here).
Yes it is, but the only public networks that fit this bill are wireless,
like in an airport or coffee shop. Presumably the ISP has an SSL
on their mailserver for this. But, if you know you're going into this kind
then change your password before leaving home, if you must use your pop
>4) Any network where a computer has been at all compromised.
I can insert a keyboard logger that will defeat any encryption you want.
And if the ISP is compromised then the likelihood is their mailserver,
which is a much softer target, will be compromised long before any network
And once the attacker has the mailserver, he doesn't need the passwords
>5) Any ISP with untrustable SysAdmins (I've known this to happen).
How is encryption on the password channel to the mailserver, which is
admined by these untrustable sysadmins, going to help with -that-?
>6) Almost a corollary to 5) and 3); any ISP with a compromised machine.
If you don't trust your ISP to be competent, you may as well not use
their mailserver then. Why would you use it? Email comes in off the
Internet unencrypted, if they want to read your mail they can.
>You cannot assume that there are not nasty sniffers on your line.
>I have seen passwords sniffed out in all kinds of places.
So you figured out how to run a sniffer on a public wireless node.
>And with that, I go back into lurking mode.
>* martygreene shivvers
><martygreene> why is it so damn cold?
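What a passive observer on a shared segment actually recovers from a cleartext mail login, as an added example that is not part of the thread and not pine's or any ISP's code. It assumes the client-to-server half of one reassembled POP3 or IMAP TCP stream has already been extracted (the kind of thing tcpdump or tcpflow gives you on a hub, an open wireless network or a flooded switch); the sample transcripts, user names and passwords are constructed for the example. It covers POP3 USER/PASS, APOP, IMAP LOGIN and SASL PLAIN, and stops reading at STLS/STARTTLS because from that point a sniffer sees only ciphertext.

```python
"""Passive extraction of mail-login credentials from a cleartext stream.

Added example, not from the original thread or from pine. Models the
client-to-server half of one reassembled POP3/IMAP TCP stream, as a
sniffer on a shared segment would see it. All transcripts are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    protocol: str   # "pop3" or "imap"
    username: str
    secret: str     # what the observer actually gets: the password or a digest
    note: str


# IMAP: <tag> LOGIN user pass   (quotes optional in practice)
_IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s*$', re.I)
# POP3 "AUTH PLAIN [b64]" or IMAP "<tag> AUTHENTICATE PLAIN [b64]"
_SASL_PLAIN = re.compile(r'^(?:(\S+)\s+AUTHENTICATE|AUTH)\s+PLAIN(?:\s+(\S+))?$', re.I)
# POP3 APOP user <32 hex MD5 digest>
_APOP = re.compile(r'^APOP\s+(\S+)\s+([0-9a-f]{32})$', re.I)


def _decode_plain(protocol: str, b64: str) -> Optional[Finding]:
    """SASL PLAIN is base64(authzid NUL authcid NUL password): encoding, not encryption."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\x00")
    except ValueError:        # binascii.Error is a ValueError; also covers a '*' abort
        return None
    if len(parts) != 3:
        return None
    return Finding(protocol, parts[1].decode("utf-8", "replace"),
                   parts[2].decode("utf-8", "replace"),
                   "SASL PLAIN is base64, not encryption")


def extract_credentials(client_stream: str) -> List[Finding]:
    """Walk the client side of a session line by line; collect sniffable credentials.

    Stops at STLS/STARTTLS: after that a passive observer sees only ciphertext.
    """
    findings: List[Finding] = []
    pop_user: Optional[str] = None
    pending_plain: Optional[str] = None   # protocol name while waiting for the PLAIN blob
    for raw in client_stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        upper = line.upper()
        if upper == "STLS" or re.match(r"^\S+\s+STARTTLS$", upper):
            break
        if pending_plain is not None:        # the line after "AUTH PLAIN" is the blob
            found = _decode_plain(pending_plain, line)
            pending_plain = None
            if found:
                findings.append(found)
            continue
        if upper.startswith("USER "):
            pop_user = line[5:]
            continue
        if upper.startswith("PASS ") and pop_user is not None:
            findings.append(Finding("pop3", pop_user, line[5:], "POP3 USER/PASS in cleartext"))
            pop_user = None
            continue
        m = _APOP.match(line)
        if m:
            findings.append(Finding("pop3", m.group(1), m.group(2),
                                    "APOP: MD5 digest, not the password, but crackable offline"))
            continue
        m = _IMAP_LOGIN.match(line)
        if m:
            findings.append(Finding("imap", m.group(1), m.group(2), "IMAP LOGIN in cleartext"))
            continue
        m = _SASL_PLAIN.match(line)
        if m:
            protocol = "imap" if m.group(1) else "pop3"
            if m.group(2):                   # initial response sent on the same line
                found = _decode_plain(protocol, m.group(2))
                if found:
                    findings.append(found)
            else:
                pending_plain = protocol     # blob arrives on the next client line
            continue
    return findings


# Constructed sample streams (not real captures).
SAMPLE_POP3 = "USER tedm\nPASS hunter2\nSTAT\nQUIT\n"
SAMPLE_POP3_STLS = "STLS\nUSER tedm\nPASS hunter2\n"      # TLS first: nothing recoverable
SAMPLE_IMAP_LOGIN = 'a1 LOGIN "gwen" "c0ld-night"\na2 SELECT INBOX\n'
SAMPLE_IMAP_PLAIN = ("a1 AUTHENTICATE PLAIN\n"
                     + base64.b64encode(b"\x00gwen\x00c0ld-night").decode() + "\n")
SAMPLE_APOP = "APOP gwen d41d8cd98f00b204e9800998ecf8427e\nSTAT\n"

if __name__ == "__main__":
    for name, stream in [("pop3", SAMPLE_POP3), ("pop3+stls", SAMPLE_POP3_STLS),
                         ("imap login", SAMPLE_IMAP_LOGIN), ("imap plain", SAMPLE_IMAP_PLAIN),
                         ("apop", SAMPLE_APOP)]:
        print(name, extract_credentials(stream))
```

The point of the APOP and SASL PLAIN branches is the one the thread circles around: "not sending the password literally" is not the same as protecting it. PLAIN is a reversible encoding, and an APOP digest is an offline cracking target; only the STLS/STARTTLS (or a wrapped SSL port) path leaves the observer with nothing, which is why the "Can't do secure authentication with this server" message matters.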