[5673] in Kerberos
Re: authentication secure?
daemon@ATHENA.MIT.EDU (Art Houle)
Fri Aug 11 11:23:49 1995
Date: Fri, 11 Aug 1995 11:17:03 -0400 (EDT)
From: Art Houle <houle@acns.fsu.edu>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: Sam Hartman <hartmans@MIT.EDU>, Joe Beiter <jwb@wilbur.hhisland.com>,
kerberos@MIT.EDU
In-Reply-To: <199508111459.KAA15919@tertius.mit.edu>
On Fri, 11 Aug 1995, Sam Hartman wrote:
> >>>>> "Art" == Art Houle <houle@acns.fsu.edu> writes:
>
> Art> 'tap the phone line..'
>
> Art> That is an interesting point of exposure. If this was a
> Art> voice transaction that would be simple. Since modems
> Art> negotiate the modulation scheme, it seams that connecting to
> Art> the pair of wires is the easiest part of this. Setting up a
> Art> listening modem for the correct modulation scheme would
> Art> require some archane knowledge and tools that few hackers
> Art> have access to. As someone who has hardware and software
> Art> background, I see this as the hardest part. Unless I work for
> Art> a modem manufacturer, or am willing to wirewrap my own
> Art> hardware, this seems beyond the normal modems capabilities.
>
> Art> ..comments?
>
> This used to be trivial; below 2400 baud, you can actually
> disable the carrier generator on some modems and actually get it to
> listen to the conversation. I suspect it's also fairly trivial under
> ISDN for those with sufficient clue.
>
> --Sam
We have a few old dialups at 2400 bps, more at 14.4kbps, and most at
28.8kbps, which I suspect is the usual condition. So it seems that any
dialing in at 1200 baud (can you even buy one of thoes any more?) is
suceptable to a trivial phone tap.
I suspect that 99% of dial-up users are not capable of being taped at the
phone connection, due to the integrated nature of high speed modem
technology.
This does not address the fact that one needs to either access the users
home/apartment building, be a telephone employee, or a data center employee
to access the pair of wires.
This deviates from kerberos somewhat, but is frequently cited in
conversations about security, so I wanted to follow the thread somewhat.
Thanks for the feedback.
Art Houle e-mail: houle@acns.fsu.edu
Academic Computing & Network Services Voice: 644-2591
Florida State University FAX: 644-8722
