This is a read-only archive!

Ignorance is bliss

I remember the good old days of web-browsing, when I'd just zoom around the internet without a care in the world. The first time I got a small whiff of something foul was in college one day, when a professor yelled at the class because someone was using telnet to connect to remote machines. "Are you crazy? It sends everything in plaintext! Use SSH!"

Then eventually I put together a website where I had access to the server logs, and oh boy, it was not fun reading those the first time. Line after line of bots in Ukraine, trying to access vulnerable scripts that may or may not exist on my server. Then I checked some of my SSH logs, and saw the same thing. Thus my innocence was destroyed forever.

Nowadays all of my email traffic is SSL-encrypted, and FTP is disabled on every server I have root access to, in favor of SFTP. I cringe every time I set up a wireless network (even WPA is being cracked nowadays). My passwords are long, nearly impossible to remember, and legion. My browser cache is cleared daily. I reject all cookies by default, and Javascript is run on an as-needed basis.

One day I read on Slashdot about Flash cookies. So I had a really bright idea:

ln -s /dev/null ~/.macromedia

That'll teach them! No more flash cookies. (Note, don't do this if you like watching Flash movies in your browser. They stop working on certain websites. Annoying. Next best thing is a plugin to let you delete them.)

The bad thing is that I still don't know very much about network security and privacy. If I knew more, I'm sure I'd worry more. On the other hand, if I was a locksmith, I might feel bad with the quality of the lock on my front door. And yet my house has never been robbed (yet) and my computer has never been hacked (yet). People tend to worry about what's right in front of them. Maybe what you don't know can't hurt you.

But I still cringe when someone sits down in an airport or a Starbucks and logs into their bank account or work email.

October 24, 2008 @ 12:54 PM PDT
Cateogory: Rants


Quoth numerodix on October 24, 2008 @ 7:46 PM PDT

I used to run a home server, with inbound ssh on port 22. With a short password. One day it got rooted. Someone was using it to send out massive amounts of spam. I noticed it because I had set up postfix to cc all outgoing mail to my Sent directory. I also got shut down by my ISP, had to email them to explain the situation and say I had it under control. Since then I use ssh with keys, not passwords.

As for SSL, it's not as sturdy as it seems, there are lots of ways to abuse it without breaking the cipher. If you want to feel safe you really shouldn't watch talks from hacker conferences, that stuff blows my mind. Suppose you log into your bank from work. Once you authenticate, what you pass around to maintain your session is a kind of cookie, susceptible to man in the middle. So now the sysadmin in your company can browse your bank website until you log out.

Quoth JCL on December 22, 2008 @ 9:27 AM PST

At some point you need to declare 'good enough', or you won't get anything done. If someone really wants to hack you you can't stop them.