1996-03-06 - Re: Remailer Security

Header Data

From: “David E. Smith” <dsmith@midwest.net>
To: jrochkin@cs.oberlin.edu (Jonathan Rochkind)
Message Hash: f5a8c42f2e2fc969bfafe96ca7d1b4eaa63a185d6bbcc60f73394bb70d66dd6e
Message ID: <2.2.32.19960305212904.00683828@204.248.40.2>
Reply To: N/A
UTC Datetime: 1996-03-06 01:48:25 UTC
Raw Date: Wed, 6 Mar 1996 09:48:25 +0800

Raw message

From: "David E. Smith" <dsmith@midwest.net>
Date: Wed, 6 Mar 1996 09:48:25 +0800
To: jrochkin@cs.oberlin.edu (Jonathan Rochkind)
Subject: Re: Remailer Security
Message-ID: <2.2.32.19960305212904.00683828@204.248.40.2>
MIME-Version: 1.0
Content-Type: text/plain


At 11:06 PM 3/4/96 -0500, jrochkin@cs wrote:
>At 11:06 PM 03/04/96, lmccarth@cs.umass.edu wrote:

>Um, there's no reason why your remailer's account needs to be logged into
>interactively, is there?  Seems like remailer ops should disable login to
>remailer accounts, putting '*' into the password field in /etc/passwd, or
>however unix lets you disable login (I know it does).

If I want a remailer's key, I would probably try to go after root.  Not
only will it get me that key, but there's no telling what else might
turn up in the meantime.  If you can get access to any account on the
system, odds are good you can give yourself root access anyway.  It's
almost a "freebie."

>Obviously, the general security risk of someone gaining unauthorized access
>to the remailer executable or data files is still there, and important to
>keep in mind.  But this would seem to be a fairly logical security measure.

You could always do a custom-compile of PGP that never checks for a passphrase;
it's compiled into the executable.  That's only a trivial measure at best
(heck, hex editors have been around since roughly the dawn of UNIX) but
it's a place to start.

I don't think it's possible to have too much security.

dave

-----
David E. Smith,  c/o Southeast Missouri State University
1000 Towers Circle South MS 1210 Cape Girardeau MO 63701
dsmith@midwest.net,  dave@nym.alias.net,  PGP 0x961D2B09
(573)339-3814    http://www.midwest.net/scribers/dsmith/
"Reality is only for those lacking in true imagination."





Thread