Author Topic: G++  (Read 11270 times)


Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: G++
« Reply #30 on: September 02, 2006, 04:40:50 pm »
It could be telnet :P.  Makes me sentimental for a time that has long passed. :'(

Haha.  I don't think the Unix machines here have telnet running, but SSH is open to the outside world on all of the lab machines.  They all have unique ip's.

Offline AntiVirus

  • Legendary
  • x86
  • Hero Member
  • *****
  • Posts: 2521
  • Best
    • View Profile
Re: G++
« Reply #31 on: September 02, 2006, 06:13:56 pm »
I mean telnet. :P
The once grove of splendor,
Aforetime crowned by lilac and lily,
Lay now forevermore slender;
And all winds that liven
Silhouette a lone existence;
A leafless oak grasping at eternity.


"They say that I must learn to kill before I can feel safe, but I rather kill myself then turn into their slave."
- The Rasmus

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: G++
« Reply #32 on: September 02, 2006, 10:18:41 pm »
Haha, all our University servers ran SSH and Telnet, but you wouldn't catch me dead with Telnet.  It's just a dumb thing to use, you're asking to get your account stolen. 

Offline Sidoh

Re: G++
« Reply #33 on: September 03, 2006, 12:37:32 am »

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: G++
« Reply #34 on: September 03, 2006, 01:10:32 am »
:( ??? :( :( :( :'( ???
The many faces of sidoh.
Sad, confused, and teary-eyed.
In other words: emo and stupid.
Hehe.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline AntiVirus

Re: G++
« Reply #35 on: September 03, 2006, 01:17:11 am »
Yeah, I am aware that Telnetting isn't safe, but it's what the school (as in our class) is making me do.  I suppose if anything happens, it's their fault.  I'm not too worried if someone gets my password for my account.  I only use that password for my school E-mail account, so no harm if they do.

Offline iago

Re: G++
« Reply #36 on: September 03, 2006, 01:45:22 am »
They get your password -> they log onto your account -> they hack/spam/etc -> you get in shit, expelled, etc. 

And sniffing telnet passwords is something that's reasonably common, I've heard stories about it more than once. 

Telnet should be banned, and everybody who uses it should be shot.  And, while we're at it, FTP. :)

Offline Sidoh

Re: G++
« Reply #37 on: September 03, 2006, 02:27:37 am »
Haha, FTP is terrible too.  It's too damn widespread to kill, though.  I really need to start using SFTP...

Offline Joe

  • B&
  • Moderator
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: G++
« Reply #38 on: September 03, 2006, 02:31:07 am »
Plus I remember iago saying something about SFTP being faster than FTP because its encryption algorithm comes out smaller than its input? I don't see how that's possible but eh.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Sidoh

Re: G++
« Reply #39 on: September 03, 2006, 03:08:53 am »
> Plus I remember iago saying something about SFTP being faster than FTP because its encryption algorithm comes out smaller than its input? I don't see how that's possible but eh.

Maybe during login, but it wouldn't be faster for the rest of the datastream to require less bandwidth.

Offline iago

Re: G++
« Reply #40 on: September 03, 2006, 03:21:13 am »
SFTP supports in-line compression:

     -C      Compression enable.  Passes the -C flag to ssh(1) to enable
             compression.

So it can be faster, depending on the data. 

Offline Sidoh

Re: G++
« Reply #41 on: September 03, 2006, 03:28:04 am »
Faster transmission, slower parsing and storing.  Seems like a moot tradeoff to me, though I can see where it would be advantageous.

Offline nslay

  • Hero Member
  • *****
  • Posts: 786
  • Giraffe meat, mmm
    • View Profile
Re: G++
« Reply #42 on: September 03, 2006, 05:48:50 am »
Well, ssh is only safer once you have established the authenticity of the RSA/DSA keys of the host.
On your first connect, a man-in-middle attack can still occur.  Scary huh?
That's why certificate authorities exist, to prevent any possible situation where man-in-middle attacks can happen.

Here's how SSH works, or something along these lines:
Client connects to Server
1) Server sends DSA or RSA public key
2) Client generates a private DSA or RSA key by using some of the parameters from the server's public key
3) Client dups a DH key from the newly generated private key and computes a secret key K with the DH key and server's pub_key
4) Client takes a cryptographic hash of the secret key K and signs with the private DSA or RSA key
5) Client sends the signature and public DSA or RSA key
6) Server, like 3, computes a secret key K
7) Server verifies the signature against client's DSA or RSA public key
8) Server, like 4, signs K and sends signature
9) Client, like 6, verifies the signature

On a first connect, man-in-middle can happen because you don't have the server's public DSA or RSA key to begin with.  Therefore, the man in the middle can forge new keys and send his public key in place of the server's and basically conduct all 8 steps thereafter.
« Last Edit: September 03, 2006, 05:52:15 am by nslay »
An adorable giant isopod!
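
The first-connect problem raised in the post above, as an added example that is not part of any post in this thread: a client that remembers whatever host key it is shown first, beside one that compares the key's fingerprint with a value obtained out of band before trusting it. The host name `lab1`, the `HostKeyStore` helper and both key blobs are constructed for illustration; the blobs use the ssh-ed25519 layout for brevity, and the fingerprint is computed the same way for any key type.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH 'string' encoding (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def make_blob(material: bytes) -> bytes:
    """Constructed host-key blob in the ssh-ed25519 layout (not a real key)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(material)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Hypothetical in-memory stand-in for a client's known_hosts file."""

    def __init__(self):
        self.known = {}

    def check(self, host, blob, pinned_fp=None):
        if host in self.known:
            # Later connects: any change in the stored key is a warning sign.
            return "match" if self.known[host] == blob else "mismatch"
        if pinned_fp is None:
            # Blind trust on first use: whoever answers gets remembered.
            self.known[host] = blob
            return "trusted-on-first-use"
        if fingerprint(blob) == pinned_fp:
            self.known[host] = blob
            return "verified"
        return "rejected"


def demo():
    server = make_blob(bytes(range(32)))        # constructed "real" host key
    other = make_blob(bytes(range(32, 64)))     # constructed key from an interposer
    blind, pinned = HostKeyStore(), HostKeyStore()
    fp = fingerprint(server)                    # obtained out of band, e.g. from the admin
    return [
        blind.check("lab1", other),             # accepted: nothing to compare against
        blind.check("lab1", server),            # real server now looks like the impostor
        pinned.check("lab1", other, fp),        # first connect, but fingerprint differs
        pinned.check("lab1", server, fp),
        pinned.check("lab1", server),
    ]
```

The second result shows why a host-key-changed warning after a blind first connect cannot by itself say which of the two keys was the genuine one.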

Offline iago

Re: G++
« Reply #43 on: September 03, 2006, 12:40:08 pm »
> Faster transmission, slower parsing and storing.  Seems like a moot tradeoff to me, though I can see where it would be advantageous.

True, but when transferring a file over the Internet, the connection speed is almost always the bottleneck, unless you're going over a LAN.  Even then, I suspect that network speed is probably the bottleneck. 

Do you just like arguing with everything you read lately?  You seem more argumentative than usual :P


> Well, ssh is only safer once you have established the authenticity of the RSA/DSA keys of the host.
> On your first connect, a man-in-middle attack can still occur.  Scary huh?

Not really. 

With something like a school server, you're probably connecting to it every day.  Statistically, the odds of somebody doing a MitM the very first time you connect is actually pretty low, the same way the odds of somebody sniffing your telnet/FTP/pop3 password is pretty low.  However, when you do it every day, or several times a day, the odds of being attacked steadily increase.  It's the same way as on Battle.net -- the weakest point in the War3 authentication is creating your account, since you have to send some sensitive data over the wire, but that's so rare compared to logins that the risk is fairly low. 

Yes, having a trusted CA would mitigate the risk, but CAs charge money for their services.  I don't think every University server, every home Linux user, everybody who wants to use SSH for remote access wants to pay for a CA to store their key. 

We have to remember that there is no perfect solution to security.  Security is about weighing the risks against the difficulties, and implementing controls that mitigate the risks to the point where the risks are low, but the usability is high.  If you add too much security, your network becomes unusable and users will circumvent your controls, and if you add too little security you're at risk.  A good example of that is enforcing stupid password policies, so people write them down and stick them to the monitor. 

SSH is sort of the same way.  If you start making life difficult without signing up for a CA (the same way that SSL does), then you're going to end up finding more people using telnet because of the headache caused by SSH.

Offline Sidoh

Re: G++
« Reply #44 on: September 03, 2006, 12:49:38 pm »
> Well, ssh is only safer once you have established the authenticity of the RSA/DSA keys of the host.
> On your first connect, a man-in-middle attack can still occur.  Scary huh?
> That's why certificate authorities exist, to prevent any possible situation where man-in-middle attacks can happen.

I know.  It is still invariably more secure than a plaintext protocol.

> On a first connect, man-in-middle can happen because you don't have the server's public DSA or RSA key to begin with.  Therefore, the man in the middle can forge new keys and send his public key in place of the server's and basically conduct all 8 steps thereafter.

I know. ;)

> True, but when transferring a file over the Internet, the connection speed is almost always the bottleneck, unless you're going over a LAN.  Even then, I suspect that network speed is probably the bottleneck.
>
> Do you just like arguing with everything you read lately?  You seem more argumentative than usual :P

Haha, yeah.  I know that.  That's why I said "though I can see where it would be advantageous."  I didn't bother typing out the explanation.

However, if you have a server managing a few hundred clients and you have, say, 50 of them connected constantly sending data, it's going to be a very busy CPU.  How many cycles are spent decrypting packet data?  I know it depends on the algorithm used, but how about the default one used for SFTP?  It utilizes SSL, right?  So RSA, I think.

> SSH is sort of the same way.  If you start making life difficult without signing up for a CA (the same way that SSL does), then you're going to end up finding more people using telnet because of the headache caused by SSH.

Haha, that's an excellent point.  I'm not much of a paranoid person, but I don't think I could live with using telnet every day in the place of ssh.  I recognize the potential risks involved with using SSH, but like iago said, the odds of that are way lower than using telnet every day.
« Last Edit: September 03, 2006, 12:55:18 pm by Sidoh »