|
Passing the conference 'sniff' test |
|
|
|
Source: SearchSecurity - Posted by Pax Dickinson
|
At last year's USENIX Security Symposium, Marcus Ranum was minding his own business -- checking his e-mail, updating his Web site, etc. -- when another conference attendee sent him an e-mail. In the text: Ranum's password. Ranum, known for his work in intrusion detection, later angrily confronted the sender at the conference about invading his privacy. Bill Cheswick, a well-known security expert who sent the offensive message, later chalked up his actions as just "a friendly nudge."
Cheswick then refrained from any more password-sniffing at the request of USENIX organizers. But on Thursday, a year after the incident, the chief scientist for Somerset, N.J.-based network security provider Lumeta Inc. defended the use of wired and wireless sniffers to catch passwords and other sensitive data transmitted through cleartext protocols.
"I've tried to act as ethically as I know how with a variety of experiments on the Internet," he told this year's USENIX Security Symposium audience in Baltimore. He said such acts help him gain statistical information, such as how many people still use inherently insecure FTP or Telnet to transmit data. "And I think that's a valid thing to report," he said.
Cheswick also admits his findings demonstrate an individual's or enterprise's need for stronger password policies. "One could argue I performed a valuable public service for them," he said. Others rationalize their eavesdropping as education -- by posting the passwords they teach humiliated victims a lesson and ultimately help better protect networks.
Read this full article at SearchSecurity
Powered by AkoComment! |
