"No, seriously"
Posts: 7324 Joined: 18-Jan-2007 Last visit: 02-Nov-2024 Location: Orion Spur
Ufostrahlen wrote:
The Traveler wrote: That's why you should have a sincere and valid Security Question/Answer with your account.
That doesn't prevent the spy from reading the mail in plain text.

It prevents the mail from ever being sent.

Kind regards, The Traveler

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ
Posts: 1716 Joined: 23-Apr-2012 Last visit: 23-Jan-2017
The Traveler wrote: It prevents the mail from ever being sent.

Look at your server statistics... how many password retrievals does the Nexus get? They are all sent out in plain text.

"No, seriously"
Posts: 7324 Joined: 18-Jan-2007 Last visit: 02-Nov-2024 Location: Orion Spur
Ufostrahlen wrote:
The Traveler wrote: It prevents the mail from ever being sent.
Look at your server statistics... how many password retrievals does the Nexus get? They are all sent out in plain text.

Yes, they are sent out in plain text, but only after you successfully answered the security question. So if that question is not answered correctly, there is no mail sent.

Kind regards, The Traveler

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ
Posts: 1716 Joined: 23-Apr-2012 Last visit: 23-Jan-2017
The Traveler wrote: Yes, they are sent out in plain text, but only after you successfully answered the security question. So if that question is not answered correctly, there is no mail sent.

No doubt about that. So let's say you have 200-300 valid password retrievals by real Nexus members in a year. If a spy monitors the Nexus mail server 24h/365d, how many mails can he read in plain text?

"No, seriously"
Posts: 7324 Joined: 18-Jan-2007 Last visit: 02-Nov-2024 Location: Orion Spur
Ufostrahlen wrote:
The Traveler wrote: Yes, they are sent out in plain text, but only after you successfully answered the security question. So if that question is not answered correctly, there is no mail sent.
No doubt about that. So let's say you have 200-300 valid password retrievals by real Nexus members in a year. If a spy monitors the Nexus mail server 24h/365d, how many mails can he read in plain text?

Ah, but there you assume that the Nexus mail server is compromised. Also, the mails that are sent are not stored anywhere on the Nexus server.

Kind regards, The Traveler

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ
Posts: 1716 Joined: 23-Apr-2012 Last visit: 23-Jan-2017
The Traveler wrote: Ah, but there you assume that the Nexus mail server is compromised.

No I don't. Not the Nexus mail server by itself, but the connection between the Nexus mail server and the recipient mail server.

Communications-Security Analyst
Posts: 1280 Joined: 17-Aug-2014 Last visit: 05-Feb-2024 Location: Nirvana
A vulnerability and zero-day interchange group I'm part of uses a forwarding system to their main server. Basically we all bounce off server A to get to our board/IRC. The server will not accept any ingress connections unless they are routed through this system (with a couple obvious exceptions). This also gives everybody the exact same out proxy. And because our IP addresses come from the same exit node, all of us, it makes a confusing mess for anyone that's infiltrated the DMZ of our network.
We have a system of relaying information when the outproxy has changed so we can all update the way we connect. If our intrusion prevention system gave us a reason to panic, our primary server could move from pole to pole on this planet and all we have to do is update our forwarding script.
We highly prefer using high traffic websites [e.g. game servers] because our unknown individual IP addresses, together with the high volume of traffic received by the forwarding server from its own userbase, add another security blanket.
We don't focus on passwords exclusively, we do use an 'individual key' system as well that is used to make sure that the person submitting their password is actually the person that SHOULD submit their login password. If you don't have this key then your password is useless.
Just an example, 1ce

"No, seriously"
Posts: 7324 Joined: 18-Jan-2007 Last visit: 02-Nov-2024 Location: Orion Spur
Ufostrahlen wrote:
The Traveler wrote: Ah, but there you assume that the Nexus mail server is compromised.
No I don't. Not the Nexus mail server by itself, but the connection between the Nexus mail server and the recipient mail server.

This discussion triggered a new thought with me for how to do authentication in such cases. I will work this out when I have a tad more time.

Kind regards, The Traveler

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ
Posts: 1716 Joined: 23-Apr-2012 Last visit: 23-Jan-2017
The Traveler wrote: This discussion triggered a new thought with me for how to do authentication in such cases. I will work this out when I have a tad more time.

Sweet, I guess that's what it's all about. Maybe 1ce has additional thoughts. Peace, Ufo.

isaaczibre wrote: You guys do know that using TOR automatically makes you more suspicious, right?

Yes, I know. But the more ppl use TOR, the more traffic is generated, which helps keep other users anonymous. If you use TOR you still have a 20% chance to be anonymous. I guess that's better than nothing.

Communications-Security Analyst
Posts: 1280 Joined: 17-Aug-2014 Last visit: 05-Feb-2024 Location: Nirvana
We could always set up the mailing system in a jail (FreeBSD). I've always been rather fond of connectionless data transfers (ICMP or UDP for example) to conceal an activity as something not worth paying attention to.
A lot of very good rootkits have created hell for admins using this strategy. This works extremely well with a VPN, but anything typical requires a client and that adds an impressive challenge/unnecessary security risk.

Communications-Security Analyst
Posts: 1280 Joined: 17-Aug-2014 Last visit: 05-Feb-2024 Location: Nirvana
The Traveler wrote:
1ce wrote: Also, that bit about individual keys: Superb job on describing every password ever. Base 64 is still used very openly even in late 2014.
Uhm, base64 is an encoding and not an encryption. So I'm not sure what you mean with this line. Kind regards, The Traveler

I was referring to weak wireless security. And to the delusion that passwords keep us safe. Passwords, at least the way I feel about them, are just a big strong door. If the rest of the infrastructure is weak then they are a totally useless means of security other than a visual deterrent. If I could just open or break a window vs picking the lock and kicking the door down I'll always take that option.

Another note (this time without metaphors): perhaps we can use tokens (that expire) in an email to direct users back to the Nexus to view their messages, rather than use the emails to deliver the messages themselves. There are actually quite a few scripting methods that none of the big name email providers (or web browsers) filter for that we can use to do this automatically.
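
The expiring-token idea from the last post, sketched as an added Python example that is not part of the thread or of the Nexus code base: the mail carries only a one-time link token, never the message or a password. The class name, the 15-minute lifetime, the in-memory store and the `forum.example` URL are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the thread does not name one


class MessageLinkTokens:
    """Issues and redeems expiring, single-use tokens for links sent by e-mail."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        # Only the SHA-256 of each token is kept, so a leaked store
        # does not hand out working links. (In-memory store: assumption.)
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id):
        """Return a random token to embed in the mailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the user_id for a valid token, else None. A token works once."""
        try:
            digest = self._digest(token)
        except UnicodeEncodeError:
            return None  # not something issue() could have produced
        entry = self._pending.pop(digest, None)  # pop: second use always fails
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return user_id


def build_link(token):
    # Hypothetical URL layout; the mail body contains this link and nothing else.
    return "https://forum.example/messages?token=" + token
```

The token itself still crosses the mail path in plain text, so the short lifetime and single use narrow what an observer on that path gains rather than removing it.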