[nSLUG] Chebucto Security
ak621 at chebucto.ns.ca
Wed Jan 21 10:19:19 AST 2009
On Mon, 19 Jan 2009, Stephen Gregory wrote:
> Richard Bonner wrote:
>> *** Chebucto's shell server is https compliant; would it not have
>> to have security in place in order to be so?
> Not really. HTTPS/SSL protects the data sent between two computers. It
> does nothing to protect endpoints. There are many hardware and software
> pieces between your keyboard and when the data is encrypted. Any one of
> those pieces could be subverted. The data is not encrypted until just
> before it is sent out the the remote site. It is decrypted almost as
> soon as it arrives from the network.
*** OK, thanks for the information. I shall archive it.
>> As for their volunteers, none are far enough up in the organisation
>> that they would have access to personal accounts.
> According to the about page all of the Chebucto staff are volunteers.
> This includes the system administrator who has access to everything.
*** Hmm, that is not how I understand it. The uppermost are paid
> Regardless a minimally trusted volunteer would not need access to
> personal accounts. They would only need access to the system. There are
> many ways that a volunteer could gain that access. It is affectively
> impossible to keep a malicious volunteer out. Once the minimal amount of
> trust is gained to become a volunteer an attacker would have all the
> time required to slowly gain any access wanted to subvert the system.
*** I will copy this to Chebucto to see what the protection is
> This is hardly unique to Chebucto. All organizations have this problem.
> At least if it is a person at the bank then the bank is liable for the
> fraud. A malicious worker at an ISP is going to have a harder time as
> the traffic seen by the ISP is already encrypted.
> Security is all about trade offs. By using Chebucto to access your bank
> you reduce some of the risks, but you gain other risks. When using a
> Chebucto shell account (or a computer in a library, coffee shop,
> neighbour's house, etc.) you must trust the integrity of that system.
> You must trust the system administrators. You must trust the casual
> office staff.
*** Understood. So how is a PPP connection any more secure?
>> *** How might I get such a virus? It can't come down the shell
>> server pipe unless I manually download and run an infected executable.
> I naively assumed that you only used Chebucto for banking and similar.
> If you use the Chebucto shell account for all of your Internet needs and
> never connect your computer any other way to the Internet, then you need
> not worry (or worry less). Only targeted malware could effectively
> export any data from your computer.
*** That is in part why I use a shell account. However, I also
connect via PPP and a graphic browser, but only to view a site's
graphic layout, should I need to.
> I am not looking to scare people. I use my Ubuntu Linux system to access
> my bank accounts online using Firefox. I believe it is secure enough. My
> job is to improve computer system security. I am passionate about these
> types of problems because there is a lot more to consider then the
> common problems of software bugs and viruses. Computer security problems
> are often solved with a locked door, a security camera, and better pay
> for staff.
*** As the business community seems to be today, but determined
persons still try to gain access. )-:
More information about the nSLUG