Hi. Keeping this thread going as I'm hoping it proves vaguely useful, hoping Simon stays on the list even though he's indirectly taking some flak, and presuming Roger will stomp on us if we drift too far from the SuSE schools subject matter....

On Thu, 27 Jul 2000, Frank Shute wrote:
> On Thu, Jul 27, 2000 at 05:01:55PM +0100, Simon Rainey wrote:
> <snip policy and politics>
< useful cracking info snipped >
> > Any half-decent hacker would have no problem whatsoever in discovering what O/S and software is used on any given system. Giving out such information is not considered a significant risk.
> Help them as little as possible is my motto.
Agreed, though presumably the membership of this list is vaguely audited? Of course having a sysadm@junior.sch.uk address doesn't make you trustworthy, but it makes you a little more trustworthy than evilhax0r@hotmail.com :)
> > The users in question do not wish to use SSH. We could insist on it, but there has to be a balance between security and usability. We are happy that the server is sufficiently secure. There is an obvious risk in sending plain text passwords across the Internet, but this applies just as much to FTP as to telnet.
> You should insist on it. It doesn't apply `just as much' to FTP: cracking a box with telnet is a walk in the park in comparison, and if you install ssh you can dump FTP as well.
Yeah, though it's not *quite* as simple, admittedly. Vague experience of SSH Windows clients available on request.
> I don't understand the `usability' issue with ssh that you talk about. To an end user they simply log in as they would using telnet; it's a bit slower than telnet because of the encryption overhead, but it means that your passwords can't be sniffed.
Also, with the right options, you can take the emphasis on the authenticity of the source away from the source IP and give it to the host keys held by whatever source IP connects.
> > On the security issue, we recently commissioned an extensive independent audit and were assessed to be "significantly more secure than the majority of ISPs".
> Go back to the people who carried out your security audit and ask for your money back!
Heh, while being "less insecure" than your digital neighbours isn't the greatest guarantee, it does mean you're less likely to be attacked. However, I think that comment is probably more of a comment on the ISPs than on yourselves.

-- 
Nick Drage, helping fill up the internet since 1993.
Third Rule of Windows Troubleshooting: RE-INSTALL EVERYTHING.... TWICE
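To make Frank's point about sniffable telnet passwords concrete, here is an added example; it is not code from anyone on this thread, the ISP, or the SuSE project. It replays a hand-constructed telnet login capture (the host banner, user name and password are made up), strips the option negotiation that a packet sniffer would otherwise have to wade through, and pulls the credentials straight out of the byte stream. For contrast it runs a strings(1)-style scan over a constructed SSH session, where only the version banner is readable because everything after key exchange, the password included, is encrypted (the ciphertext here is dummy filler).

```python
"""Why telnet (and FTP) logins are sniffable: the credentials sit verbatim
in the TCP payload.  All capture data below is constructed for illustration."""

# Telnet protocol constants (RFC 854)
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC option negotiation so only the bytes the user/server typed remain."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # truncated IAC at end of segment
            break
        cmd = data[i + 1]
        if cmd == IAC:          # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3              # IAC <cmd> <option>
        elif cmd == SB:         # sub-negotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2              # any other two-byte command
    return bytes(out)


def extract_telnet_credentials(segments):
    """Walk TCP segments in capture order ('s2c' = server->client,
    'c2s' = client->server) and pair each login/password prompt with what
    the client typed next.  Handles character-at-a-time mode (one keystroke
    per segment, echoed by the server) as well as line mode."""
    creds = {}
    state = None            # 'username' or 'password' while a prompt is pending
    typed = bytearray()
    for direction, payload in segments:
        text = strip_telnet_negotiation(payload)
        if direction == 's2c':
            low = text.lower().rstrip()      # a prompt ends the server's output
            if low.endswith(b'login:'):
                state, typed = 'username', bytearray()
            elif low.endswith(b'password:'):
                state, typed = 'password', bytearray()
            continue
        if state is None:
            continue
        for ch in text:
            if ch in (0x0D, 0x0A):           # CR or LF ends the typed line
                if typed:
                    creds[state] = typed.decode('ascii', errors='replace')
                    state, typed = None, bytearray()
                    break
            else:
                typed.append(ch)
    return creds


def client_stream(segments) -> bytes:
    """Everything the client sent, concatenated, negotiation stripped."""
    return b''.join(strip_telnet_negotiation(p) for d, p in segments if d == 'c2s')


def cleartext_strings(stream: bytes, min_len: int = 4):
    """Like strings(1): printable ASCII runs of at least min_len bytes."""
    runs, cur = [], bytearray()
    for b in stream + b'\x00':               # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode('ascii'))
            cur = bytearray()
    return runs


# Constructed telnet session (not a real capture): option negotiation,
# then a login in character mode.
TELNET_SESSION = [
    ('s2c', bytes([IAC, DO, 0x18, IAC, WILL, 0x01, IAC, WILL, 0x03])),   # DO TERMINAL-TYPE, WILL ECHO, WILL SGA
    ('c2s', bytes([IAC, WILL, 0x18, IAC, DO, 0x01, IAC, DO, 0x03])),
    ('s2c', bytes([IAC, SB, 0x18, 0x01, IAC, SE])),                       # SEND terminal type
    ('c2s', bytes([IAC, SB, 0x18, 0x00]) + b'VT100' + bytes([IAC, SE])),  # IS VT100
    ('s2c', b'\r\nWelcome to SuSE Linux (i386)\r\n\r\nlogin: '),
    ('c2s', b'a'), ('s2c', b'a'),            # server echoes each keystroke
    ('c2s', b'dmin'), ('s2c', b'dmin'),
    ('c2s', b'\r\n'),
    ('s2c', b'\r\nPassword: '),              # the password is not echoed ...
    ('c2s', b'hunter2\r\n'),                 # ... but still crosses the wire in clear
    ('s2c', b'\r\nLast login: Thu Jul 27 17:01:55 2000 from 192.0.2.10\r\n$ '),
]

# Constructed SSH session: after the version banner and key exchange the
# password travels encrypted; the bytes after the banner are made-up filler.
SSH_SESSION = b'SSH-1.99-OpenSSH_2.1.1\r\n' + bytes.fromhex(
    '0000012c0814d39f017e8ac40b1f9e02ffa513e67c9b04d0e1f2a3b4c5d6e7f80a1b9c0d')

if __name__ == '__main__':
    print('telnet credentials:', extract_telnet_credentials(TELNET_SESSION))
    print('strings in telnet client stream:', cleartext_strings(client_stream(TELNET_SESSION)))
    print('strings in ssh session:', cleartext_strings(SSH_SESSION))
```

The same approach works on an FTP control connection (USER/PASS lines, no IAC stripping needed), which is why Frank's "if you install ssh you can dump FTP as well" follows: the fix is encryption, not hiding the OS version.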