[MUD-Dev] strong encryption for authentication

Kwon Ekstrom justice at softhome.net
Sat Jul 14 01:17:44 New Zealand Standard Time 2001

From: "J C Lawrence" <claw at 2wire.com>
> Kwon Ekstrom <justice at softhome.net> wrote:

>   I did an experiment a couple days ago and installed Windows 2K
>   on a test system that had a 'net routable IP.  Suffice to say
>   that the CD was not out of the drive before the box had been
>   port scanned, cracked and a root kit installed (snort on a
>   shared net segment showed me the whole thing). Note: This is not
>   a condemnation of Windows, but an observation of 'net realities.
>   A mate recently installed Linux on a box, didn't know how to
>   secure it, and had it cracked sometime that evening (~8 hours
>   later).

>   End user systems are not only implicitly untrustworthy, but
>   (most?)  end users have no particular willingness or interest in
>   keeping their home desktops secure.

Agreed, while some OS's are secure, most users don't know or care
about security measures.  From your short description of the
installation, I can think of a dozen things to do in order to secure
the environment and prevent the hack, but I'm assuming the nature of
your experiment was to see how long before you were hacked.

>> The problem with worrying about packet sniffing is almost
>> irrelevant, 99.9% of the internet community doesn't have the
>> required knowledge or tools, even if they are in a position to
>> use them.

> The problem is that while 99% doesn't, perhaps 0.5% not only do,
> but they can trivially automate their work and thus manipulate
> large numbers of systems both automatically and autonomously.

Agreed that the few who have the tools and knowledge can easily
write scripts, etc, to do their dirty work.  The actual number of
users capable of it is likely a small fraction...  Unless you're
snooping an administrator account (even then?) the amount of
information gained isn't likely to yield a decisive advantage.

The question is still, does the end result justify the means?  Under
some circumstances, such as confidential information, the answer is

> I did an address block scan of a local ISP a couple months ago
> using nmap.  Suffice to say that out of the ~900 Windows boxes
> that nmap identified, more than 400 showed clear signs of having
> been cracked.  Typically such systems are manipulated via IRC
> messages (once cracked the systems auto-login to pre-canned IRC
> channels and then send and received instructions there).
> Extending such a system to enclude and incorporate a successful
> game system would neither be particularly difficult or
> unrewarding.

Interesting, makes me glad that I check my system for unwanted
network traffic regularly...  Along with other security precautions
on my part.

>> As for being able to take credit card information and other
>> "secure"... I think that can best be handled by a web form using
>> https.

> Note that this uses server-side authentication only and relies on
> use of secret root CA keys (verisign, baltimore, thawte, etc) to
> prevent MiM attacks.  As such its valuable for posting data to the
> central server, not for secure distribution of data to edge nodes.

True, besides the advantages of encryption, since the original
thread was about ssh via telnet, there are numerous other advantages
to a web form, including convenience and familiarity.

Overall, the purpose of encryption here, IMHO, shouldn't be the
end-all security precaution, instead it's more likely to complicate
the hacker's job.  I'm sure that of the fraction of people able to
snoop packets, only a fraction of those are capable of understanding
techniques to decrypt a worthwhile encryption system (or have a
friend who can do this for them).  For the average developer the
overhead wouldn't be worth it except in rare instances where
confidentiality is especially important.

-- Kwon Ekstrom

MUD-Dev mailing list
MUD-Dev at kanga.nu

More information about the MUD-Dev mailing list