Re: NYT Article this morning

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Perry E. Metzger: "Re: NYT Article this morning"
• Previous message: der Mouse: "Re: Hijacking tool"
• In reply to: Rick Busdiecker: "Re: NYT Article this morning"
• Next in thread: Perry E. Metzger: "Re: NYT Article this morning"

Rick Busdiecker says:
>     Even that is insufficient, actually. If you see a packet going by, you
>     can still try to jam the works up and steal the connection anyway. The
>     only permanent solution is a cryptographic security protocol for the
>     net -- one is actually in the works now in the IETF.
> 
> Morris' paper concludes with this sentence:
> 
>   A workable solution might be to only trust hosts on the same
>   physical network, and modify gateways to reject packets that claim
>   to, but do not in fact, come from directly connected networks.
> 
> Your statement as to the ``only permanent solution'' suggests that you
> disagree with Morris' hypothesis.

Yes.

> Do you believe that it's possible to use the techniques that are being
> discussed to get past a ``two wire'' firewall which ignores internal
> packets originating from the external wire?

Yes.

This won't impact people that don't allow specially authenticated
logins via their firewall, but sites using S/Key and similar methods
for authenticated firewall traversing logins can be hit. The victim
can log in to the firewall from the outside and have his session
stolen -- this is the equivalent of an ATM thief waiting for someone
to enter their PIN at a machine and then knocking them cold.

Perry

• Next message: Perry E. Metzger: "Re: NYT Article this morning"
• Previous message: der Mouse: "Re: Hijacking tool"
• In reply to: Rick Busdiecker: "Re: NYT Article this morning"
• Next in thread: Perry E. Metzger: "Re: NYT Article this morning"