[vox-tech] inject false information into dns

Bill Broadley bill at broadley.org
Tue Sep 17 23:18:50 PDT 2013


I'm going to try to keep the signal to noise high.  So I'm going to avoid 
the point/counter point, especially since I agree with Rick.

I'm quite fond of ssh key pairs.  They offer numerous advantages:
* very impractical to brute force
* reduce the exposure of whatever passwords you do use
* if a server is compromised you do not need to change your user
   key pairs.
* reduces any pressure to have a short/simple password since you
   don't use them for logins.
* can restrict a key to running a specific command, very handy to
   allow a user to run one and only one thing.

However, as Rick pointed out, they aren't magic and can be compromised if 
the client is compromised.  You are pretty much doomed with any system 
if the client is compromised.

The most important thing to start with is physical security.  If you 
eliminate your connection to the internet (often called an air gap) and 
have physical security, you have the best security there is.  So even a 
piece of paper in your wallet, or, say, a Palm Pilot, can be a very secure 
place to store passwords.

Personally I keep my password database encrypted on my phone and do not 
use any network sync functionality with my encrypted database.  So a 
compromise on my phone would sniff my password next time I decrypt the 
database.  I take steps to minimize the risk, but it's certainly higher 
than an offline database.  I do however avoid shoulder surfing risk 
since I can cut/paste without revealing the password to even a very 
sharp eyed attacker.

I actually had one of my users compromised because of the SourceForge 
compromise.  SourceForge at the time used passwords for ssh access. 
They got compromised and started collecting passwords.  Then started 
logging into the machines the users had logged in from and compromising 
those accounts.  This is exactly what is prevented with key pairs.  As a 
result they switched from passwords to key pairs.  Exactly the same 
thing happened at kernel.org... with exactly the same result.
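The last bullet above, restricting a key to one command, is done with the options that precede the key in authorized_keys. The script below is an added example, not code from the original post or from the list: it audits an authorized_keys file and reports which keys still grant a full interactive login, which only have a forced command, and which are forced-command plus forwarding/pty restrictions. The sample file and its key material are constructed placeholders; the parser assumes key types start with ssh-, ecdsa-sha2- or sk- and that the trailing comment has no spaces.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an authorized_keys
# file for keys that still grant a full interactive login, i.e. lack the
# command="..." forced-command option.  The sample file is constructed and
# the key material is a placeholder, not a real public key.

# Build a constructed authorized_keys file to run the audit against.
SAMPLE_AUTHORIZED_KEYS=$(mktemp)
cat > "$SAMPLE_AUTHORIZED_KEYS" <<'EOF'
# backup client: may run the backup script and nothing else
command="/usr/local/bin/run-backup",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000001 backup@client-a
# ordinary user: full interactive login
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000002 alice@laptop
# deploy hook: forced command, but forwarding and pty are still allowed
command="/usr/local/bin/deploy-hook" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER00000000000000000000000000000003 deploy@ci
EOF

# Print the option list that precedes the key type on one authorized_keys
# line.  Assumes the key type starts with ssh-, ecdsa-sha2- or sk-.
options_of() {
    opt_line=$1
    for marker in ' ssh-' ' ecdsa-sha2-' ' sk-'; do
        case "$opt_line" in
            *"$marker"*) opt_line=${opt_line%%"$marker"*} ;;
        esac
    done
    printf '%s\n' "$opt_line"
}

# Classify one key line:
#   full-login                  no forced command, the user gets a shell
#   forced-command-only         command= set, but forwarding/pty still open
#   forced-command-restricted   command= plus restrict or the four no-* options
classify_key() {
    case "$1" in
        *'command="'*) ;;
        *) echo full-login; return 0 ;;
    esac
    opts=$(options_of "$1")
    case "$opts" in
        *restrict*) echo forced-command-restricted; return 0 ;;
    esac
    for needed in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
        case "$opts" in
            *"$needed"*) ;;
            *) echo forced-command-only; return 0 ;;
        esac
    done
    echo forced-command-restricted
}

# Report "<class> <comment>" for every key in a file, skipping blank and
# comment lines.  The comment is taken as the last whitespace-separated field.
audit_file() {
    while IFS= read -r key_line || [ -n "$key_line" ]; do
        case "$key_line" in
            ''|'#'*) continue ;;
        esac
        printf '%s %s\n' "$(classify_key "$key_line")" "${key_line##* }"
    done < "$1"
}

# Number of keys in a file that still allow a full interactive login.
count_full_login() {
    audit_file "$1" | grep -c '^full-login ' || true
}

audit_file "$SAMPLE_AUTHORIZED_KEYS"
echo "keys granting a full login: $(count_full_login "$SAMPLE_AUTHORIZED_KEYS")"
```

Run it against a real file with `audit_file ~/.ssh/authorized_keys`; the forced-command-only class is the one worth a second look, since a forced command on its own still leaves port forwarding and agent forwarding open to the key holder.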
