Date:	Tue, 4 Oct 2011 01:11:41 -0400
From:	Ted Ts'o <tytso@....edu>
To:	"H. Peter Anvin" <hpa@...or.com>
Cc:	Josh Triplett <josh@...htriplett.org>,
	linux-kernel@...r.kernel.org, Jiri Kosina <jkosina@...e.cz>
Subject: Re: kernel.org status: establishing a PGP web of trust

On Mon, Oct 03, 2011 at 09:52:29PM -0700, H. Peter Anvin wrote:
> On 10/03/2011 09:49 PM, Ted Ts'o wrote:
> > 
> > Note that if your laptop allows incoming ssh connections, and you
> > logged into master.kernel.org with ssh forwarding enabled, your laptop
> > may not be safe.  So be very, very careful before you assume that your
> > laptop is safe.  At least one kernel developer, after he got past the
> > belief, "surely I could have never had my machine be compromised",
> > looked carefully and found rootkits on his machines.
> > 
> By the way, I'm now pretty convinced that allowing inbound ssh on
> laptops (which is the default on all the mainline Linux distros as far
> as I know) is seriously broken... laptops get connected to *extremely*
> insecure networks on just way too regular a basis.

+1000

I'll note though that at least some Linux distributions when
customized by corporate security types tend to disable incoming ssh.
If your company doesn't, it probably should... 

... and it should definitely raise a firewall and disable NAT and
incoming ssh if you're connected to the corporate VPN.  I once heard a
story several years back when someone I knew was staying at a hotel in
Beaverton, and connected to an open WiFi access point to get internet
access.  Very shortly thereafter, he realized he was connected
behind the Intel corporate firewall, at which point he (not being an
Intel employee, and conscious of the Business Conduct Guidelines that
he was required to sign every year) disconnected as quickly as
possible.

Oops.  :-)

						- Ted
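The two laptop risks raised in this thread, sshd reachable from whatever network the laptop is on and ssh agent forwarding left on for every host, can both be checked from a shell. The script below is an added example and is not code from the thread or from kernel.org; it assumes Linux `ss -ltn` output and sshd on port 22 unless told otherwise, and the `ss` output and ssh_config it reads are constructed samples embedded for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a laptop for two of the risks
# described above, (1) sshd reachable on a non-loopback address and
# (2) ssh agent forwarding switched on for every host in the client config.
# Assumptions: Linux `ss -ltn` output format; sshd on port 22 unless told
# otherwise. The sample inputs below are constructed for the demonstration.

# Constructed stand-in for `ss -ltn`: sshd bound to all IPv4 and IPv6
# addresses, CUPS bound to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# Constructed stand-in for ~/.ssh/config with the risky global setting.
SAMPLE_SSH_CONFIG='Host *
    ForwardAgent yes
    ServerAliveInterval 60

Host master.kernel.org
    User ted'

# exposed_ssh_listeners [port]: read `ss -ltn` lines on stdin and print every
# LISTEN socket on the given port (default 22) whose bind address is not
# loopback. Exit 0 if any were found, 1 if none.
exposed_ssh_listeners() {
    awk -v want="${1:-22}" '
    $1 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port == want && host != "127.0.0.1" && host != "[::1]") {
            print addr
            found = 1
        }
    }
    END { if (found) exit 0; exit 1 }'
}

# agent_forwarding_enabled: read an ssh_config on stdin. Exit 0 if
# "ForwardAgent yes" applies to every host (set before any Host line or
# under "Host *"), which lets any server you log into use your agent;
# exit 1 otherwise.
agent_forwarding_enabled() {
    awk '
    BEGIN { global = 1 }
    tolower($1) == "host" { global = ($2 == "*") }
    tolower($1) == "forwardagent" && global && tolower($2) == "yes" { hit = 1 }
    END { if (hit) exit 0; exit 1 }'
}

# audit_laptop SS_OUTPUT SSH_CONFIG: report both problems, return 1 if any.
audit_laptop() {
    status=0
    if listeners=$(printf '%s\n' "$1" | exposed_ssh_listeners); then
        echo "WARNING: sshd reachable on non-loopback address(es):"
        echo "$listeners"
        status=1
    fi
    if printf '%s\n' "$2" | agent_forwarding_enabled; then
        echo "WARNING: ForwardAgent yes applies to all hosts in ssh_config"
        status=1
    fi
    return $status
}

# Run against the constructed samples; on a real laptop substitute
# "$(ss -ltn)" and "$(cat ~/.ssh/config)".
if audit_laptop "$SAMPLE_SS" "$SAMPLE_SSH_CONFIG"; then
    echo "no issues found"
else
    echo "audit found issues"
fi
```

The listener check deliberately keys on the bind address rather than on whether sshd is installed: a distribution that starts sshd but binds it to 127.0.0.1 (or one that blocks port 22 with a host firewall) is the state the thread is arguing for, and only a socket on 0.0.0.0 or [::] is flagged. The ssh_config check ignores ForwardAgent under a named Host block, since enabling it for a single trusted host is a narrower exposure than the global default.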