[vox] password stolen at linuxworld

Peter Jay Salzman vox@lists.lugod.org
Sun, 10 Aug 2003 08:30:01 -0700


On Sun 10 Aug 03,  8:14 AM, Bill Kendrick <nbs@sonic.net> said:
>On Sun, Aug 10, 2003 at 04:26:57AM -0700, Ryan Castellucci wrote:
>> 
>> Someone at linux world seems to have gotten ahold of my ssh user password 
>> from when I used it at linuxworld.
><snip>
>> 
>> I suspect that my password was either sholder surfed (unlikely, it'd be hard 
>> to memorize....) or someone was runnning man-in-the-middle attacks, and 
>> forced an SSHv1 session to prevent a warning, simply prompting for a new key.
> 
> Ouch!  Is this something any of the rest of us LWE volunteer folks need to
> worry about?  (I logged into my sonic account numerous times from LWE;
> mostly from Melissa's laptop,

then probably.

> but also occasionally from other people's
> laptops, I _think_...  it's all such a blur)
 
then DEFINITELY.

ssh isn't a panacea for security.  it's ONLY as secure as the system on
which you use it.  and you should trust it only as far as you trust the
the system you're using it on.

pete

-- 
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D