[nSLUG] Chebucto Security

Richard Bonner ak621 at chebucto.ns.ca
Wed Jan 21 10:19:19 AST 2009


On Mon, 19 Jan 2009, Stephen Gregory wrote:

> Richard Bonner wrote:
>> ***   Chebucto's shell server is https compliant; would it not have
>> to have security in place in order to be so?
>
> Not really. HTTPS/SSL protects the data sent between two computers. It
> does nothing to protect endpoints. There are many hardware and software
> pieces between your keyboard and when the data is encrypted. Any one of
> those pieces could be subverted. The data is not encrypted until just
> before it is sent out the the remote site. It is decrypted almost as
> soon as it arrives from the network.
(Snip)

***   OK, thanks for the information. I shall archive it.


>>     As for their volunteers, none are far enough up in the organisation
>> that they would have access to personal accounts.
>
> According to the about page all of the Chebucto staff are volunteers.
> This includes the system administrator who has access to everything.

***   Hmm, that is not how I understand it. The uppermost are paid 
positions.


> Regardless a minimally trusted volunteer would not need access to
> personal accounts. They would only need access to the system. There are
> many ways that a volunteer could gain that access. It is affectively
> impossible to keep a malicious volunteer out. Once the minimal amount of
> trust is gained to become a volunteer an attacker would have all the
> time required to slowly gain any access wanted to subvert the system.

***   I will copy this to Chebucto to see what the protection is 
regarding that.


> This is hardly unique to Chebucto. All organizations have this problem.
> At least if it is a person at the bank then the bank is liable for the
> fraud. A malicious worker at an ISP is going to have a harder time as
> the traffic seen by the ISP is already encrypted.
>
> Security is all about trade offs. By using Chebucto to access your bank
> you reduce some of the risks, but you gain other risks. When using a
> Chebucto shell account (or a computer in a library, coffee shop,
> neighbour's house, etc.) you must trust the integrity of that system.
> You must trust the system administrators. You must trust the casual
> office staff.

***   Understood. So how is a PPP connection any more secure?


>> ***   How might I get such a virus? It can't come down the shell
>> server pipe unless I manually download and run an infected executable.
>
> I naively assumed that you only used Chebucto for banking and similar.
> If you use the Chebucto shell account for all of your Internet needs and
> never connect your computer any other way to the Internet, then you need
> not worry (or worry less). Only targeted malware could effectively
> export any data from your computer.

***   That is in part why I use a shell account. However, I also 
connect via PPP and a graphic browser, but only to view a site's
graphic layout, should I need to.


> I am not looking to scare people. I use my Ubuntu Linux system to access
> my bank accounts online using Firefox. I believe it is secure enough. My
> job is to improve computer system security. I am passionate about these
> types of problems because there is a lot more to consider then the
> common problems of software bugs and viruses. Computer security problems
> are often solved with a locked door, a security camera, and better pay
> for staff.
>
> -- 
> sg

***   As the business community seems to be today, but determined 
persons still try to gain access.  )-:

  Richard.



More information about the nSLUG mailing list