
Re: Proposal: Inhibit "console down"

Greg A. Woods woods@weird.com
Tue, 25 Sep 2007 08:47:27 -0700 (PDT)


At Fri, 21 Sep 2007 15:02:40 -0400, Chris Ross wrote:
Subject: Re: Proposal: Inhibit "console down"
> 
> 
> On Sep 21, 2007, at 14:29, Greg A. Woods wrote:
> > I admit I'm not a common user of most types of non-computing devices
> > that many conserver users may have connected to their console servers
> > for one reason or another, but I must say I've never encountered any
> > kind of device in recent years that echoed a password back to the user.
> 
>    It's very common for routers to require you to enter a new password
> into the CLI, which will be echo'd.  The password prompts don't typically
> echo passwords, but passwords are sometimes used in other ways.  This
> is the first example I have thought of, but I'm sure there are others.

That's still an _extremely_ poor excuse.

Even with such a feature conserver cannot save you from accidentally
recording such a password in your console logs.

If the goal is to protect such passwords from casual observers then
having a manual hook in conserver allowing the operator to disable
logging temporarily is most definitely NOT any kind of valid solution.

A correct and secure solution will probably involve never logging any
session to any such poorly designed device, or else always protecting
all logs from such poorly designed devices from being viewed by
unauthorized persons.

-- 
						Greg A. Woods

H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>       Secrets of the Weird <woods@weird.com>
