Software Security

Security Focus Interviews Damien Miller

An anonymous reader writes "The upcoming version 4.3 of OpenSSH will add support for tunneling allowing you to make a real VPN using OpenSSH without the need for any additional software. This is one of the features discussed in SecurityFocus' interview of OpenSSH developer Damien Miller. The interview touches on, among other things, public key crypto protocols details, timing based attacks and anti-worm measures."

  • by Sheetrock ( 152993 ) on Wednesday December 21, 2005 @02:30AM (#14306914) Homepage Journal
    As suggested in the article, the better security gets, the more it will interfere with usability.

    For example, if you create a VPN with this latest OpenSSH, a lossy network will hold up your traffic. Despite the fact that TCP/IP will try to continue operating with dropped packets, with OpenSSH if you miss one packet the loss cascades into succeeding packets until the client and server are able to resync or the packet is delivered. This accumulation of tolerances is not a problem with IPsec, which is designed cipherwise to work around occasional packet loss.

    Most experts agree the product of the best cryptography will be indistinguishable from random noise. This means that it is difficult to share the benefits of compression with file encryption because random noise compresses very poorly, as anyone who attempts to archive their MP3s of today's artists will attest. Additionally, if you accidentally store your encrypted files amongst files containing random noise you run the risk of generating new data during decryption.

    The secret is to understand the technology before you use the technology. The problem with encryption is twofold -- some people are overconfident in what they're using and either lose data or risk more than they would if they were fully informed, and others think it's too difficult a topic to broach and leave themselves open to exploitation by network explorers. Certainly when I was in the second category I became convinced of the problem once I saw tools like 'tcpdump' and 'ethereal'.

  • Thanks guys (Score:5, Informative)

    by pchan- ( 118053 ) on Wednesday December 21, 2005 @02:42AM (#14306952) Journal
    OpenSSH just keeps getting better. Not just a great shell client and server, but support for multiple streams, secure tunnels, SCP, SFTP, every authentication method you could want, and finally VPN (the next logical extension). OpenSSH ships with every Linux distribution I can name (well, except embedded ones), the BSDs, and MacOS, and is available for Windows (under Cygwin) and every other major UNIX and UNIX-like OS out there. The code is all available to anyone for any purpose with no real restrictions (other than giving some credit to the developers), so you could include it in any app you make, regardless of license (GPL included). Thanks, everyone who works on this valuable tool. I think I'll go buy a T-shirt [openbsd.org]
  • Hacker Summary (Score:5, Informative)

    by this great guy ( 922511 ) on Wednesday December 21, 2005 @03:01AM (#14307012)

    For those hackers who are already familiar with the forwarding features of ssh (-L, -R and -d options), and who are wondering what the hell is this new "support for tunneling", here is a hacker summary. Quoting TFA:

    [This] new tunneling support allows you to make a real VPN using OpenSSH without the need for any additional software. This goes well beyond the TCP port forwarding that we have supported for years - each end of a ssh connection that uses the new tunnel support gets a tun(4) interface which can pass packets between them.

    Tun(4) interfaces are indeed very convenient. That's all folks!
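The tun(4) tunnel the post describes is requested from the client side (with the `-w` option in ssh) and only comes up if the server allows it; on the server the sshd_config keyword is PermitTunnel, which defaults to no. As an added example (not OpenSSH's code and not part of the post), the script below audits an sshd_config for that keyword, including PermitTunnel lines inside Match blocks, so an administrator can see exactly where layer-3 tunnelling has been opened up. The keyword, its accepted values and sshd's first-value-wins rule are taken from sshd_config(5); the sample configuration is constructed.

```python
"""Audit an sshd_config for the server-side tunnel switch.

Added example, not OpenSSH code and not from the post. It relies on two
facts from sshd_config(5): the keyword is PermitTunnel (values no,
point-to-point, ethernet, yes; default no), and for each keyword sshd keeps
the first value it reads, with Match blocks applying conditionally.
"""
import re

PERMIT_TUNNEL_VALUES = {"no", "point-to-point", "ethernet", "yes"}
DEFAULT_PERMIT_TUNNEL = "no"  # sshd's default when the keyword is absent


def effective_permit_tunnel(config_text):
    """Return (global_value, match_overrides).

    global_value is the PermitTunnel value in force outside Match blocks
    (first occurrence wins, later duplicates are ignored, default "no").
    match_overrides lists (criteria, value) for PermitTunnel lines inside
    Match blocks, which can re-enable tunnelling for particular users,
    groups or source addresses.
    """
    global_value = None
    overrides = []
    current_match = None  # criteria of the Match block we are inside, if any
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # Keywords are case-insensitive; whitespace or "=" separates the value.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current_match = value
            continue
        if keyword != "permittunnel":
            continue
        value = value.lower()
        if value not in PERMIT_TUNNEL_VALUES:
            raise ValueError("unknown PermitTunnel value: %r" % value)
        if current_match is None:
            if global_value is None:  # first occurrence wins
                global_value = value
        else:
            overrides.append((current_match, value))
    return (global_value or DEFAULT_PERMIT_TUNNEL, overrides)


def audit(config_text):
    """List every place the configuration allows tun(4) tunnelling."""
    value, overrides = effective_permit_tunnel(config_text)
    findings = []
    if value != "no":
        findings.append("tunnelling enabled globally (%s)" % value)
    for criteria, v in overrides:
        if v != "no":
            findings.append("tunnelling enabled for 'Match %s' (%s)" % (criteria, v))
    return findings


# Constructed sample configuration, not taken from any real host.
SAMPLE_SSHD_CONFIG = """
Port 22
PermitTunnel no            # explicit global default
PermitTunnel yes           # ignored: sshd keeps the first value
Match User vpnuser
    PermitTunnel point-to-point
Match Address 10.0.0.0/8
    PermitTunnel yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Because a tunnel endpoint becomes a routed interface on the server, the Match-block cases are the ones worth reviewing: a PermitTunnel inside a Match Address or Match User block is easy to miss when only the global value is checked.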

  • by interiot ( 50685 ) on Wednesday December 21, 2005 @03:41AM (#14307124) Homepage
    the better security gets, the more it will interfere with usability
    What does that have to do with TCP-over-SSH? Secure or not, TCP-over-TCP is always considered harmful [sites.inka.de] (PDF [www.ispl.jp]).

    On the other hand, if TCP-over-TCP is your only option (e.g. due to the lame firewall my employer set up), then SSH is a great option.

    But what does that have to do with increasing security again?

  • by EngMedic ( 604629 ) on Wednesday December 21, 2005 @04:29AM (#14307239) Homepage
    For those of you in search of a solution for exactly this problem that doesn't involve iptables hackery or whatnot, check out denyhosts: http://denyhosts.sourceforge.net/. It's a cronjob/daemon that lurks over ssh logs and updates hosts.deny based on rules you specify. Simple, quick, gets rid of most of the annoying sshd bots.
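To show the kind of rule-based log watching the post describes, here is an added example in the spirit of denyhosts (it is not denyhosts' own code). It tallies sshd failures per source address and produces hosts.deny lines for sources over a threshold, treating attempts against non-existent accounts as a stronger signal and skipping an allowlist so that a mistyped password from an administrator's own network cannot lock the team out. The log lines are constructed in the usual OpenSSH syslog format and use documentation address ranges.

```python
"""Tally sshd authentication failures per source and emit hosts.deny lines.

Added example in the spirit of denyhosts; it is not denyhosts' own code.
The regular expression matches the usual OpenSSH syslog failure messages;
the sample log below is constructed and uses documentation address ranges.
"""
import ipaddress
import re
from collections import defaultdict

# "Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2"
# "Failed password for root from 203.0.113.7 port 41041 ssh2"
FAILED_RE = re.compile(
    r"Failed (?:password|publickey) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def parse_failures(lines):
    """Return {ip: {"count": n, "invalid": n, "users": set}} from log lines.

    "invalid" counts attempts against accounts that do not exist, which is a
    stronger bot signal than a wrong password for a real user.
    """
    stats = defaultdict(lambda: {"count": 0, "invalid": 0, "users": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if m is None:
            continue  # accepted logins and unrelated messages are ignored
        entry = stats[m.group("ip")]
        entry["count"] += 1
        entry["users"].add(m.group("user"))
        if m.group("invalid"):
            entry["invalid"] += 1
    return dict(stats)


def hosts_deny_entries(stats, threshold=4, invalid_threshold=2, allow=()):
    """Build "sshd: <ip>" lines for sources over either threshold.

    Sources inside any network in `allow` are never denied, so an
    administrator's own mistyped password cannot lock the team out.
    """
    allowed = [ipaddress.ip_network(net) for net in allow]
    deny = []
    for ip, entry in stats.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue
        if entry["count"] >= threshold or entry["invalid"] >= invalid_threshold:
            deny.append("sshd: %s" % ip)
    return sorted(deny)


# Constructed sample log; 203.0.113.0/24 and 192.0.2.0/24 are TEST-NET ranges.
SAMPLE_LOG = """\
Dec 21 02:30:01 gw sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Dec 21 02:30:03 gw sshd[1206]: Failed password for invalid user test from 203.0.113.7 port 41030 ssh2
Dec 21 02:30:05 gw sshd[1208]: Failed password for root from 203.0.113.7 port 41041 ssh2
Dec 21 02:31:10 gw sshd[1210]: Failed password for alice from 192.0.2.10 port 50112 ssh2
Dec 21 02:31:12 gw sshd[1211]: Accepted publickey for alice from 192.0.2.10 port 50113 ssh2
Dec 21 02:32:00 gw sshd[1215]: Failed password for invalid user oracle from 203.0.113.9 port 33004 ssh2
Dec 21 02:32:01 gw sshd[1216]: Failed password for invalid user oracle from 203.0.113.9 port 33006 ssh2
Dec 21 02:32:02 gw sshd[1217]: Failed password for invalid user postgres from 203.0.113.9 port 33008 ssh2
Dec 21 02:32:03 gw sshd[1218]: Failed password for invalid user ftp from 203.0.113.9 port 33010 ssh2
Dec 21 02:33:00 gw sshd[1220]: Failed password for bob from 10.0.0.5 port 40000 ssh2
Dec 21 02:33:01 gw sshd[1221]: Failed password for bob from 10.0.0.5 port 40001 ssh2
Dec 21 02:33:02 gw sshd[1222]: Failed password for bob from 10.0.0.5 port 40002 ssh2
Dec 21 02:33:03 gw sshd[1223]: Failed password for bob from 10.0.0.5 port 40003 ssh2
"""

if __name__ == "__main__":
    stats = parse_failures(SAMPLE_LOG.splitlines())
    for line in hosts_deny_entries(stats, allow=["10.0.0.0/8"]):
        print(line)
```

The script only emits candidate lines; appending them to /etc/hosts.deny needs root, and the entries take effect only for an sshd built with tcp_wrappers support, which is why the allowlist and the thresholds deserve more thought than the regular expression does.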
  • kick arse vpn (Score:4, Informative)

    by marcushnk ( 90744 ) <{moc.liamg} {ta} {sutcenes}> on Wednesday December 21, 2005 @04:45AM (#14307285) Journal
    Anyone seen this before?:
    http://www.hamachi.cc/ [hamachi.cc]

    Looks like a better way of doing VPN.. though ssh with in-built VPN is going to be nice...
  • by Anonymous Coward on Wednesday December 21, 2005 @06:03AM (#14307489)
    Wrong, wrong, wrong, wrong, wrong. Please, amateurs, this is one area where you can do the most harm by offering your "opinion" as fact. Please, whenever you find yourself wanting to tell people how smart you are about crypto, just post "Sorry, I'm a bit stupid about this, but I wanted to post" instead of whatever nonsense (like the above) you were going to choose.
  • Re:kick arse vpn (Score:3, Informative)

    by gfilion ( 80497 ) on Wednesday December 21, 2005 @10:35AM (#14308708) Homepage

    Anyone seen this before?: http://www.hamachi.cc/ [hamachi.cc]

    Looks like a better way of doing VPN.. though ssh with in-built VPN is going to be nice...

    Here's my not so humble opinion about Hamachi:

    Software review: Hamachi [filion.org]

    In short: some good, some bad, some really great, some horrible.

  • Re:chroot (Score:3, Informative)

    by Nimrangul ( 599578 ) on Wednesday December 21, 2005 @12:48PM (#14309895) Journal
    When the code is good, clean, free and something the developers want.
  • by Thundersnatch ( 671481 ) on Wednesday December 21, 2005 @03:13PM (#14311123) Journal

    You're spouting complete nonsense. A secure block cipher in a secure mode of operation reveals nothing about the similarities between files. Look up CBC mode on Google - a large random initialization vector is used to ensure that identical (or similar) plaintext blocks encrypt completely differently. I also suggest a thorough reading of Applied Cryptography by Bruce Schneier.

    OpenPGP, for example, uses gzip compression before encryption with every file. Yet PGP is widely considered very secure. Why? Because a secure mode of operation for the cipher (AES, 3DES, whatever) is used, with a random IV that ensures even identical files produce completely different ciphertext.
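The point about a random IV, and the earlier claim that compression and encryption do not mix, can both be checked in a few lines. The following is an added example, not from the post and not OpenPGP's code: a toy 8-byte Feistel block cipher built on SHA-256 stands in for AES or 3DES (so the script needs only the standard library) and is wrapped in ECB and CBC modes. It shows that ECB leaks repeated plaintext blocks, that CBC with a fresh IV encrypts the same file differently each time and still decrypts, and that ciphertext does not compress while compressing before encrypting, the order the post says OpenPGP uses, shrinks the message. The key and plaintext are constructed.

```python
"""Why identical files need not give identical ciphertext, and why
compression belongs before encryption, not after.

Added example, not from the post. A toy 8-byte Feistel cipher built from
SHA-256 stands in for AES or 3DES so the script needs only the standard
library; key and plaintext below are constructed.
"""
import hashlib
import os
import zlib

BLOCK = 8  # toy block size in bytes (AES uses 16)
ROUNDS = 8
HALF = BLOCK // 2

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, i):
    # Keyed round function: hash of key, round number and one half-block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]

def encrypt_block(key, block):
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _f(key, right, i))
    return left + right

def decrypt_block(key, block):
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):  # undo the rounds in reverse order
        left, right = _xor(right, _f(key, left, i)), left
    return left + right

def _pad(data):  # PKCS#7-style padding up to a whole number of blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def _unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):
    # Blocks are encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(encrypt_block(key, b) for b in _blocks(_pad(data)))

def cbc_encrypt(key, data, iv=None):
    # Each block is XORed with the previous ciphertext block (the IV for the
    # first), so a fresh random IV makes every encryption of a file differ.
    iv = os.urandom(BLOCK) if iv is None else iv
    assert len(iv) == BLOCK
    prev, out = iv, [iv]  # the IV travels in the clear ahead of the ciphertext
    for b in _blocks(_pad(data)):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, data):
    blocks = _blocks(data)
    prev, out = blocks[0], []
    for b in blocks[1:]:
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return _unpad(b"".join(out))

def ecb_repeats(key, data):
    """True if the ECB output has a repeated block, i.e. plaintext structure shows through."""
    blocks = _blocks(ecb_encrypt(key, data))
    return len(set(blocks)) < len(blocks)

def cbc_differs_per_encryption(key, data):
    """Two CBC encryptions of the same data differ, yet both decrypt correctly."""
    c1, c2 = cbc_encrypt(key, data), cbc_encrypt(key, data)
    return c1 != c2 and cbc_decrypt(key, c1) == data == cbc_decrypt(key, c2)

def compression_ratio(data):
    """Compressed size over original size; about 1.0 or more means no gain."""
    return len(zlib.compress(data)) / len(data)

def compress_then_encrypt(key, data):
    return cbc_encrypt(key, zlib.compress(data))  # compress first, as the post says OpenPGP does

def decrypt_then_decompress(key, data):
    return zlib.decompress(cbc_decrypt(key, data))

KEY = b"constructed-example-key"
PLAINTEXT = b"the quick brown fox jumps over the lazy dog. " * 50

if __name__ == "__main__":
    print("ECB repeats blocks:", ecb_repeats(KEY, PLAINTEXT))
    print("CBC differs per run:", cbc_differs_per_encryption(KEY, PLAINTEXT))
    print("plaintext compresses to %.2f" % compression_ratio(PLAINTEXT))
    print("ciphertext compresses to %.2f" % compression_ratio(cbc_encrypt(KEY, PLAINTEXT)))
```

The repeated ciphertext blocks that ECB produces are exactly the "similarities between files" the post says a random IV hides; feeding CBC a fixed IV brings that leakage straight back, which is why the IV must be fresh per message even though it is not secret.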

  • by Anonymous Coward on Wednesday December 21, 2005 @08:03PM (#14313401)
    "I'd like to see something like easier tunneling of X of an SSH session"

    WHAT???

    You, "olde scholar" find too difficult just `ssh -X user@host` and then `startx`?

    Now: how can it be any easier!?
