[3338] in bugtraq
Re: SecurID White Paper - A Comment
daemon@ATHENA.MIT.EDU (Alan Cox)
Thu Sep 12 01:25:25 1996
Date: Wed, 11 Sep 1996 10:07:28 +0100
Reply-To: Alan Cox <coxa@cableol.net>
From: Alan Cox <coxa@cableol.net>
X-To: vin@shore.net
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <v02130501ae5a3b32a10e@[204.167.109.37]> from "Vin McLellan" at
Sep 10, 96 01:37:06 pm
> Properly forging TCP packets, the essential skill for tcp-splicing,
> is still beyond the wannabes on Alt.2600. And to tap a telephone line --
> the typical OTP app is a dial-in phone connection, through a communications
> server -- requires a wholly different level of criminal commitment than
> "sniffing" on a local LAN or Internet link to which one is already
> connected. At least in the US, wiretapping is a federal felony, punishable
> by serious jail time.)
Splicing TCP packets is easy and well within the ability of all the people
you have to be most worried about. There is publically available code for it
(the Linux IP masquerade for example), and I have seen modifications of that
code to
o Drop changes into ftp data streams as they pass
o Type commands when it sees a given prompt, absorbing the
return until that string is seen again - ie you dont even
see the command reply when you are hijacked
> Peter Neuman and his ingenious automated tools for TCP splicing --
> now potentially in the hands of sundry hackers, outlaws, or crooks --
> remain (unfortunately) a threat of a different magnitude. To deal with
> that, we will all need network encyption... plus strong authentication.
Yes. secure shell like systems and stuff like hardware key authentication
systems work hand in hand. Together they are far more powerful than one alone
Alan
