Secure VPN Gateway a new solution to InterNet Security - SSH


Thread: Secure VPN Gateway a new solution to InterNet Security

  1. Re: Secure VPN Gateway a new solution to InterNet Security

    On 2006-06-06, David Gempton wrote:

    > 2) Using some sort of spy ware (and not one you've written just for this product) can you
    > automatically capture the ssh2 rsa file, username & password. Then use these to access any
    > network services on the VPN gateway ?


    Why the artificial restriction "not one you've written just for this product"?
    Do you think attackers don't write attacks against specific products?

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/
    One of my other 11 computers runs Minix.

  2. Re: Secure VPN Gateway a new solution to InterNet Security

    all mail refused wrote:
    > On 2006-06-06, David Gempton wrote:
    >
    >
    >>2) Using some sort of spy ware (and not one you've written just for this product) can you
    >>automatically capture the ssh2 rsa file, username & password. Then use these to access any
    >>network services on the VPN gateway ?

    >
    >
    > Why the artificial restriction "not one you've written just for this product"?
    > Do you think attackers don't write attacks against specific products?
    >

    That's a fair point.

    I guess I was thinking along the lines of public Internet places (like Internet cafes)
    where the spyware that may be installed is going to be more general. Like key-logging
    software.

    I'm sure that given a little information about how my software handles security it would
    not be difficult to write a very targeted application that could obtain a copy of the
    security details.

    This is an area that I am currently working on improving. My aim is to come up with a
    connection model that mutates every time it's used. So even if you get a copy of the
    security details they will be of no use if you try and use them again.

    - David Gempton.

  3. Re: Secure VPN Gateway a new solution to InterNet Security


    "David Gempton" wrote in message
    news:4485f81b$1@clear.net.nz...
    > all mail refused wrote:
    >> On 2006-06-06, David Gempton wrote:
    >>
    >>
    >>>2) Using some sort of spy ware (and not one you've written just for this
    >>>product) can you automatically capture the ssh2 rsa file, username &
    >>>password. Then use these to access any network services on the VPN
    >>>gateway ?

    >>
    >>
    >> Why the artificial restriction "not one you've written just for this
    >> product"?
    >> Do you think attackers don't write attacks against specific products?
    >>

    > That's a fair point.
    >
    > I guess I was thinking along the lines of public Internet places (like
    > Internet cafes) where the spyware that may be installed is going to be
    > more general. Like key-logging software.
    >
    > I'm sure that given a little information about how my software handles
    > security it would not be difficult to write a very targeted application
    > that could obtain a copy of the security details.
    >
    > This is an area that I am currently working on improving. My aim is to
    > come up with a connection model that mutates every time it's used. So even
    > if you get a copy of the security details they will be of no use if you
    > try and use them again.


    Ahh. Security through obscurity, *AND* violation of the GPL of the
    SmoothWall Express software you're pirating. (And you're blatantly in
    violation of the GPL on their software, by your own admission of using it
    and your failure to publish your source code along with your downloads.)

    And this guy wonders why no one will take it seriously as the "ABSOLUTELY
    SECURE VPN" he advertises it as. Sheesh!



  4. Re: Secure VPN Gateway a new solution to InterNet Security

    On 2006-06-06, David Gempton wrote:
    [...]
    > My reason for posting to these three news groups is that they all
    > focus on Computer security issues. I hoped that members of these
    > groups would also be focused on security, rather than GPL trivia.


    Copyright infringement and (lack of) license compliance in a product
    that you are selling is "trivia"?

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  5. Re: Secure VPN Gateway a new solution to InterNet Security

    Darren Tucker wrote:
    > On 2006-06-06, David Gempton wrote:
    > [...]
    >> My reason for posting to these three news groups is that they all
    >> focus on Computer security issues. I hoped that members of these
    >> groups would also be focused on security, rather than GPL trivia.

    >
    > Copyright infringement and (lack of) license compliance in a product
    > that you are selling is "trivia"?


    Don't forget the lack of usable documentation, installation instructions,
    and source code.



  6. Re: Secure VPN Gateway a new solution to InterNet Security

    Nico Kadel-Garcia wrote:
    > Darren Tucker wrote:
    >
    >>On 2006-06-06, David Gempton wrote:
    >>[...]
    >>
    >>>My reason for posting to these three news groups is that they all
    >>>focus on Computer security issues. I hoped that members of these
    >>>groups would also be focused on security, rather than GPL trivia.

    >>
    >>Copyright infringement and (lack of) license compliance in a product
    >>that you are selling is "trivia"?

    >
    >
    > Don't forget the lack of usable documentation, installation instructions,
    > and source code.
    >
    >

    Nico,

    I must thank you for your firm encouragement to get the licensing issues sorted out. I
    believe that I'm now well on the way to having it properly GPL licensed.

    I say "on the way" because at this stage nobody has reviewed my efforts to make everything
    comply with GPL Version 2.

    One of my concerns was around the distribution of SmoothWall Express 2.0 as a VMware
    virtual machine. So far the SmoothWall community have said that this is not in breach of
    their Free Software License.

    The documentation is going to be an ongoing project. I am now starting to receive e-mails
    from some people that are using the software and this has highlighted areas where I have
    not documented things well enough.

    As always you can download the Secure VPN Gateway from http://www.ttc4it.co.nz/vpn/index.html

    Many thanks
    David Gempton.

  7. Re: Secure VPN Gateway a new solution to InterNet Security

    David Gempton wrote:
    > Nico Kadel-Garcia wrote:
    >> Darren Tucker wrote:
    >>
    >>> On 2006-06-06, David Gempton wrote:
    >>> [...]
    >>>
    >>>> My reason for posting to these three news groups is that they all
    >>>> focus on Computer security issues. I hoped that members of these
    >>>> groups would also be focused on security, rather than GPL trivia.
    >>>
    >>> Copyright infringement and (lack of) license compliance in a product
    >>> that you are selling is "trivia"?

    >>
    >>
    >> Don't forget the lack of usable documentation, installation
    >> instructions, and source code.
    >>
    >>

    > Nico,
    >
    > I must thank you for your firm encouragement to get the licensing
    > issues sorted out. I believe that I'm now well on the way to having
    > it properly GPL licensed.


    Firm encouragement? I thought I was chastising you. But getting the GPL
    straightened out is a big deal.

    > I say "on the way" because at this stage nobody has reviewed my
    > efforts to make everything comply with GPL Version 2.


    That's because you haven't published source code, unless you've stuffed it
    all inside that VMware module, and no one sane is going to install that
    without some better breakdown of what it does and what's in it. VMware
    installations can trash your system but hard! As such, they

    > One of my concerns was around the distribution of SmoothWall Express
    > 2.0 as a VMware virtual machine. So far the SmoothWall community have
    > said that this
    > is not in breach of their Free Software License.


    But didn't you modify it? Where is your source code if you did? And where is
    the acknowledgement in your documentation of the source for the software, if
    you didn't modify it? And who exactly are you referring to as "the
    SmoothWall community"? It had better include some of the actual authors, or
    their lawyers, not just some mailing list members!

    This newsgroup from which I'm writing, comp.security.ssh, is unusual in that
    it has actual authors of OpenSSH and other utilities on it. But you
    shouldn't take a random post from, say, *ME* as any kind of software
    copyright permission, and I hope you're being more careful with those legal
    issues than you were in your public claim of "Absolutely Secure" software.
    Seriously!

    > The documentation is going to be an ongoing project. I am now
    > starting to receive e-mails from some people that are using the
    > software and this has highlighted areas where I have not documented things
    > well enough.


    They shouldn't have to be writing this stuff! A simple white paper on how it
    works, and most especially the source code, would allow people to give some
    of that feedback you crave. But asking the OpenSSH community especially to
    review and report on the feasibility of man-in-the-middle attacks without
    even a white paper to work from is.... nuts.

    > As always you can download the Secure VPN Gateway from
    > http://www.ttc4it.co.nz/vpn/index.html
    > Many thanks
    > David Gempton.


    And the documentation is still pitiful, although it's beginning to improve.
    Instead of hiding the various files in the http://www.ttc4it.co.nz/download/
    directory and only accessing them via web links from elsewhere, why not make
    that directory browseable? That way, the PDFs and binaries you put there
    can be accessed without your having to organize and maintain links to them?

    Look, David, I've got nothing personal against you or your development
    efforts. The fact that you're posting here is an indication that you're
    actually trying to get your stuff working: But that lack of source code is
    killing your credibility, in my personal opinion. It's one of the factors
    you've simply not properly addressed. Many of the best modern security
    tools, like OpenSSH and Tripwire and SELinux, rely heavily on their public
    nature to point out potential vulnerabilities. You've apparently ignored
    that and kept your code private, even though you apparently also built it on
    top of GPL based tools such as SmoothWall Express. That's not just
    dangerous, it's insulting to open source developers.

    If you won't share your code, why should they share their valuable time
    reviewing your product?


