Thread: Security WAS RE: [HACKERS] Updated TODO list
I think the point is that you wouldn't, but the most important part is to get it off the wire. Let someone do that first, and then worry about what the administrator can see. One would hope that your administrator is more trustworthy than joe hacker out on the network.

>> Why would you want to make it visible to anyone?
>>
>> Vince.

As a user, I would be extremely concerned if I knew that my password was fairly transparent on the network, but less so if I knew that the wire was safe, although my admin could see it. First prize would, of course, be total secrecy.

MikeA
From: Ansley, Michael <Michael.Ansley@intec.co.za>

> I think the point is that you wouldn't, but the most important part is to
> get it off the wire. Let someone do that first, and then worry about what
> the administrator can see. One would hope that your administrator is more
> trustworthy than joe hacker out on the network.
>
> >> Why would you want to make it visible to anyone?
> >>
> >> Vince.
>
> As a user, I would be extremely concerned if I knew that my password was
> fairly transparent on the network, but less so if I knew that the wire was
> safe, although my admin could see it. First prize would, of course, be
> total secrecy.

I have no idea where this misconception came from, but it's just plain incorrect. You can do both - store hashes instead of plaintext passwords and send logins securely over the network. Yes, the current authentication scheme does not allow for it. But it just means that the scheme is outdated. There are plenty of good secure solutions. It's just a matter of choosing one.

Gene Sokolov.
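Added example, not part of the original thread or of the project's code: a sketch of the "do both" point in Gene Sokolov's message above, using a SCRAM-style salted challenge-response (a technique chosen here for illustration, not one named in the thread). All function names, the iteration count and the message layout are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 4096  # constructed demo value (assumption), not a recommendation

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _keys(password, salt):
    """Derive (ClientKey, StoredKey) from the password and salt."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    client_key = _hmac(salted, b"Client Key")
    return client_key, hashlib.sha256(client_key).digest()

def make_verifier(password, salt=None):
    """What the server stores: the salt and a hash of ClientKey, no password."""
    salt = salt or os.urandom(16)
    _, stored_key = _keys(password, salt)
    return {"salt": salt, "stored_key": stored_key}

def client_proof(password, salt, auth_message):
    """What crosses the wire: ClientKey masked by a per-login signature."""
    client_key, stored_key = _keys(password, salt)
    return _xor(client_key, _hmac(stored_key, auth_message))

def server_verify(verifier, auth_message, proof):
    """Unmask ClientKey from the proof and compare its hash to StoredKey."""
    if len(proof) != 32:
        return False
    recovered = _xor(proof, _hmac(verifier["stored_key"], auth_message))
    candidate = hashlib.sha256(recovered).digest()
    return hmac.compare_digest(candidate, verifier["stored_key"])

def login(verifier, password):
    """One exchange: fresh client and server nonces bind the proof to this login."""
    auth_message = os.urandom(16) + os.urandom(16) + verifier["salt"]
    proof = client_proof(password, verifier["salt"], auth_message)
    return server_verify(verifier, auth_message, proof)
```

Someone who captures an exchange or reads the stored verifier can still run offline guesses against a weak password, so this complements an encrypted channel rather than replacing it.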
I know that you can do both. It seemed from previous postings, however, that there was an issue about the urgency of each, if they are actually separate issues. I would have thought that the two are linked, and would be solved as such.

MikeA

>> I have no idea where this misconception came from, but it's just plain
>> incorrect. You can do both - store hashes instead of plaintext passwords and
>> send logins securely over the network. Yes, the current authentication
>> scheme does not allow for it. But it just means that the scheme is outdated.
>> There are plenty of good secure solutions. It's just a matter of choosing
>> one.
>>
>> Gene Sokolov.
On 16-Jul-99 Ansley, Michael wrote:
> I think the point is that you wouldn't, but the most important part is to
> get it off the wire. Let someone do that first, and then worry about what
> the administrator can see. One would hope that your administrator is more
> trustworthy than joe hacker out on the network.
>
>>> Why would you want to make it visible to anyone?
>>>
>>> Vince.
>
> As a user, I would be extremely concerned if I knew that my password was
> fairly transparent on the network, but less so if I knew that the wire was
> safe, although my admin could see it. First prize would, of course, be
> total secrecy.

But you can use something like ssh to take care of the wire. It's a lot better than the method used by browsers for login and password.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH   email: vev@michvhf.com   flame-mail: /dev/null
       # include <std/disclaimers.h>                   TEAM-OS2
        Online Campground Directory    http://www.camping-usa.com
       Online Giftshop Superstore    http://www.cloudninegifts.com
==========================================================================