On Sun, Nov 24, 2002 at 12:36:13AM +0100, Bernd Eckenfels wrote:
> On Sun, Nov 24, 2002 at 10:31:46AM +1100, Brian May wrote:
> > You need to keep track (at both ends of the link) of the last
> > sequence number sent.
>
> can we perhaps set up a mailinglist or discuss this on the mailinglist of
>
On Sun, Nov 24, 2002 at 10:31:46AM +1100, Brian May wrote:
> You need to keep track (at both ends of the link) of the last
> sequence number sent.
can we perhaps set up a mailinglist or discuss this on the mailinglist of
grunt, it really gets off-topic.
Greetings
Bernd
On Fri, Nov 22, 2002 at 06:22:53PM -0600, Adam Heath wrote:
> In case it hasn't been mentioned, one could use sequence numbers, a la TCP.
You need to keep track (at both ends of the link) of the last
sequence number sent.
Or, if you allow emails to be sent from multiple hosts, you need
to keep tra
> 1. notice that oops, the cd burning script will do something evil if
> passed a certain type of iso.
> 2. send in a fixed script
> 3. run it
Have you considered adding sequencing to the protocol? That is, if each
of those mails above had a sequence number in them, the receiver would
not execu
In other news for Sat, Nov 23, 2002 at 11:18:22AM +1100, Brian May has been seen typing:
> That could remarkably slow the process down for slow batch-based
> E-Mail systems.
> (it would appear to be a tradeoff of functionality/efficiency vs
> security).
Isn't that a fairly accurate summary of
On Fri, Nov 22, 2002 at 09:47:48AM -0600, John Goerzen wrote:
> On Fri, Nov 22, 2002 at 12:24:34AM -0500, Joey Hess wrote:
> > > After verifying the signature on the data, the receiver does some sanity
> > > checks. One of the checks is doing an md5sum over the entire file
>
On Sat, 23 Nov 2002, Brian May wrote:
> On Fri, Nov 22, 2002 at 12:43:28AM -0500, Joey Hess wrote:
> > This could be especially amusing if the first, delayed email was:
> >
> > cd /tmp
> >
> > And the second was:
> >
> > rm -rf *
> >
> > (Dumb contrived example, but you get the idea.)
>
> I th
On Fri, Nov 22, 2002 at 10:32:22AM +0100, Josselin Mouette wrote:
> That's why I suggest using either a challenge/response authentication
> (if the mail is lost, you have to ask for a new challenge and the
> previous mail won't be accepted if it is delayed), or one-time passwords
> (every time yo
On Fri, Nov 22, 2002 at 12:43:28AM -0500, Joey Hess wrote:
> This could be especially amusing if the first, delayed email was:
>
> cd /tmp
>
> And the second was:
>
> rm -rf *
>
> (Dumb contrived example, but you get the idea.)
I think the lesson here is that grunt is not a transparent
rep
John Goerzen wrote:
> Grunt doesn't preserve any notion of a session
It doesn't need to: the unix filesystem already does. I said that was a
contrived example, but I'm sure you will find some real ones eventually.
Slightly less contrived:
1. notice that oops, the cd burning script will do someth
On Thu, Nov 21, 2002 at 10:47:46PM -0700, Jason Gunthorpe wrote:
> PGP signatures have a signature ID and a date that are meant to be used to
> prevent against replay attacks. I forget the exact details but there is a
> gpg mode that prints it out. The db.debian.org gateways all make use of
> it.
On Fri, Nov 22, 2002 at 12:24:34AM -0500, Joey Hess wrote:
> > After verifying the signature on the data, the receiver does some sanity
> > checks. One of the checks is doing an md5sum over the entire file
> > (remember, this i
On Fri, Nov 22, 2002 at 12:43:28AM -0500, Joey Hess wrote:
> This is interesting. I've been planning to add play-by-mail support to
> my mooix moo, but have held off because I didn't want to tackle doing it
> securely. But if I can just use grunt and it turns out to be secure..
> that'd be sweet. I
On Fri, Nov 22, 2002 at 12:55:07AM +0100, Josselin Mouette wrote:
> message from being sent, and keep it for another day. Seeing your
> computer doesn't halt, you resend the message, and the attacker has 30
> days to use what he has stolen.
So you set the window to 2 days, or 15 minutes, or whatev
On Fri, Nov 22, 2002 at 03:35:11PM +1100, Brian May wrote:
> 30 days seems like an awfully long time...
>
> I would have thought rejecting any requests, say an hour old would
> be better...
>
> So, if you did issue an halt command, the worst an attacker could do
> would be to delay execution by on
On Fri 22/11/2002 at 05:41, Brian May wrote:
> > A secure way to handle this would be a challenge/response
> > authentication, or a system similar to SSH's one-time passwords.
>
> No, I think it is an inherent problem with using E-Mail for such things.
>
> As long as E-Mail is used, the poss
Hi,
>>"Jason" == Jason Gunthorpe <[EMAIL PROTECTED]> writes:
Jason> PGP signatures have a signature ID and a date that are meant to be used to
Jason> prevent against replay attacks. I forget the exact details but there is a
Jason> gpg mode that prints it out. The db.debian.org gateways all mak
On Fri, 22 Nov 2002, Joey Hess wrote:
> > After verifying the signature on the data, the receiver does some sanity
> > checks. One of the checks is doing an md5sum over the entire file
> > (remember, this includes both the headers and the payload). If it
> > has seen the same md5sum in the last
This is interesting. I've been planning to add play-by-mail support to
my mooix moo, but have held off because I didn't want to tackle doing it
securely. But if I can just use grunt and it turns out to be secure..
that'd be sweet. I hope that grunt lets you just compose commands with a
standard mai
John Goerzen wrote:
> After verifying the signature on the data, the receiver does some sanity
> checks. One of the checks is doing an md5sum over the entire file
> (remember, this includes both the headers and the payload). If it
> has seen the same md5sum in the last 60 days, it rejects the req
On Fri, Nov 22, 2002 at 12:55:07AM +0100, Josselin Mouette wrote:
> What if the attacker can intercept the messages ? He can prevent a
> message from being sent, and keep it for another day. Seeing your
> computer doesn't halt, you resend the message, and the attacker has 30
> days to use what he h
On Thu, Nov 21, 2002 at 04:12:42PM -0600, John Goerzen wrote:
> After verifying the signature on the data, the receiver does some sanity
> checks. One of the checks is doing an md5sum over the entire file
> (remember, this includes both the headers and the payload). If it
> has seen the same md5s
On Thu 21/11/2002 at 23:12, John Goerzen wrote:
> After verifying the signature on the data, the receiver does some sanity
> checks. One of the checks is doing an md5sum over the entire file
> (remember, this includes both the headers and the payload). If it
> has seen the same md5sum in the l
On Thu, Nov 21, 2002 at 08:36:37PM +0100, Alexander Neumann wrote:
> John Goerzen wrote:
> > GRUNT is a tool to let you execute commands remotely, offline.
> > It will also let you copy files to a remote machine.
>
> How did you solve the problem of re-sending such mails? Say, Joe Evil
> Cracker
On Fri, 2002-11-22 at 06:36, Alexander Neumann wrote:
> John Goerzen wrote:
> > GRUNT is a tool to let you execute commands remotely, offline.
> > It will also let you copy files to a remote machine.
>
> How did you solve the problem of re-sending such mails? Say, Joe Evil
> Cracker is able to c