lynx-dev

Re: LYNX-DEV More security stuff.


From: Mark Mentovai
Subject: Re: LYNX-DEV More security stuff.
Date: Thu, 12 Mar 1998 19:53:22 -0500 (EST)

(First, I think this doesn't really belong on lynx-dev - see below.)

On Thu, 12 Mar 1998, Matt Ackeret wrote:

> About this security stuff -- we all know that sites get hacked _into_ all the
> time, but does anyone actually have *personal experience* with their own
> web connection, or even their shell connection, being snooped on while
> they were online?

Personally, no.  But I have heard a tale of a Mr. Joe Hacker finding his
nosey way into an irresponsible site that was using unencrypted E-mail or
FTP or something to transport orders (complete with credit card numbers
and all) from the ISP that was doing their hosting to themselves.  As a
result, Mr. Hacker found all of these numbers, despite the fact that the
highest grade of security was being used on the site to ensure safe
transmission of data between the customers and the web server.

> In other words, what people seem to be complaining about is that:
> 1) Joe Schmoe uses modem to dial up to ISP's shell account
> 2) Mr. Schmoe then uses Lynx-SSL to do his banking stuff, thinking it's
> secure.
> 3) Unbeknownst to him, Mr. Schmoe's entire telnet session is being snooped on,
> so everything he types is being seen.
> 
> Is that it?  While this type of thing is possible, it seems *far* more 
> likely for the people _running_ the ISP to be doing the snooping.  Plus,
> using your credit card number over a telephone (maybe wireless phone, or
> cellular) is proportionately far far more insecure... and people do that
> all the time.

Yes and no.  Responsible ISPs would never do that, and would never employ
or entrust with high levels of access to their systems irresponsible
individuals who would even consider doing that.  Responsible ISPs would
also have a system whose security is almost uncompromisable, and would be
aware of unauthorized entry into the system.  Unfortunately, not every ISP
is as responsible as this hypothetical example.  (Well, I can say with a
high degree of certainty that mine is.)

If you're using Lynx in a setting where others access the computer, then
yes, you are putting yourself at a higher risk than most people.  Then
again, your point is valid about divulging credit information over the
phone: it's relatively simple for Mr. Hacker to attach a device to your
telephone line that lets him listen in on your conversations.  This is,
however, being extremely paranoid, in my opinion.  It's far easier to call
your credit card company and explain your situation should this ever
happen to you (which it won't) and not be faced with much more than a
small fine and a reprimand.  Consider this: it's easy enough for crooks to
snoop out credit card numbers while standing behind people on line in
department stores, or by snooping through receipts with numbers imprinted
on them, why would they go to the trouble of trying schemes like tapping
your phone or your Internet connection?  It's just too unlikely, and too
implausible.

It's probably more profitable to Mr. Hacker to find an irresponsible site
such as the one mentioned above to tap in to and pick up a massive amount
of credit card numbers than it is for him to focus his energy on obtaining
a single credit card number.

You do bring up good points, though - I'd be interested to hear what
others have to say, but I think that the lynx-dev list is probably an
inappropriate place to carry on a discussion that's more related to
cryptography and security.  I'd be willing to subscribe to a cryptography
discussion list, though, even if it was only to participate in this
thread.

-Mox

--
Mark Mentovai
address@hidden
http://www.moxienet.com/

