making a home server

[MK27]

For password-based authentication however it makes nothing I said any the less valid. [...] the thing with the above-mentioned attack is that while brute force, due to the nature of the relaxed timing it often falls below the radar of the typical IDS and therefore can go on for years w/o detection. To me, the attack that you cannot even see coming, lame or not is one of the most dangerous kinds...

Yeah, but it sounds to me like this is just a product of pure ignorance, laziness, and or stupidity -- not using public/private keys. I'm not surprised at all that people get cracked that way. If you left your car parked downtown with the windows rolled down and the keys on the front seat, how many nights do you think would go by before there was a "startling security violation"?

Slow brute force attacks may be "insidious" and "undetectable", and maybe great if you are (patiently) phishing for access to someone's facebook page, but versus a 1600 byte key, who cares? They will still be plodding insidiously along when the sun burns out -- when the known universe collapses in upon itself. Etc.

Please. People. Use the keys.

[Kennedy]

you're totally insane

Dude, don't lump the paranoid into my group (insanity doesn't run in my family -- it gallops), I'm not paranoid at all.



::what was that::

[jeffcobb]

-- you're totally insane

Well I initially had that reaction to your coding style but had the tact to keep it to myself. I take the "having a sense of security is insane" and file it in the stupid folder myself. To use your unlocked car analogy, I see my level of security as locking the car door and not leaving the laptop/iPhone in plain view. The unlocked car with the windows rolled down are those exposing completely unprotected services -- now *that* I consider insane...

[Mario F.]

Kennedy's excellent suggestion some posts ago, made me think also of netbooks. You could even "Take your server with you (tm)".

I honestly can't think of a use I could give these things that seem to be all the hype. But turning them into dedicated mobile servers really looks promising.

[michaelp]

I'm pretty sure no one has mentioned this, but have you thought about using Opera Unite for this? It seems like it can fit all of your requirements.

[jeffcobb]

Kennedy's excellent suggestion some posts ago, made me think also of netbooks. You could even "Take your server with you (tm)".

I honestly can't think of a use I could give these things that seem to be all the hype. But turning them into dedicated mobile servers really looks promising.

Mario; I use mine for a ton of things: ebook reader, movie viewer, programming station, email/web, game machine and more. It is the portability of it that makes it worth it. These things (at least mine) are little larger than a book yet can hold so much more. In addition, your default OS, etc can be the productivity outlined above (I do all the above on the little 4G partition of the EEE 701) but if I need other uses for it (penetration testing, etc) I can just stick in a bootable USB key or SD card and the little computer takes on a whole different personality/use.

People complain about the screen size; I have no problem with it and its bigger than an iPhone, and the keyboard which is still bigger than an iPhone. It works for me. If you want to run Windows on it your experience will likely be worse. With a trimmed-down Linux though I can do a *lot* with mine...

[Mario F.]

If anything it would always be Linux since it would take more advantage of the limited resources. But being the owner of 2 laptops and not making the use of the net a typical netbook user is expected, I honestly don't see a need for one for myself. But this thread did make me wonder.

[MK27]

Well I initially had that reaction to your coding style but had the tact to keep it to myself.

Sigh. Not every appreciates free thinkin'. You should see what's in the pipe.

[jeffcobb]

If anything it would always be Linux since it would take more advantage of the limited resources. But being the owner of 2 laptops and not making the use of the net a typical netbook user is expected, I honestly don't see a need for one for myself. But this thread did make me wonder.

Mario you have touched upon one aspect of this conversation where the saying about "one mans meat is another mans poison" is so true. For some folks in some situation this would be as useful as a screen door on a submarine whereas in my case if was a life-line in my last job. I had to travel alot which made checking office mail, working on little ideas, reading documents, etc really easy with this form-factor of a laptop. Also because I commuted via train, carrying this little thing was easier that carrying a full laptop to work and back. So, *in my situation* this thing was just right. For others it may not be.

[laserlight]

Re: SSH. All good points and suggestions. As rarely as I need to do this (like once every other year) this crosses the pain threshold. I may still do this at some point but logging into the firewall and disabling the port forward rule takes seconds. Still not a good excuse for slothfulness but its the only one I have...

Slothfulness? Generating a key pair, uploading the public key, disabling password authentication and then reloading the SSH configuration may sound like hard work, but it is a one time thing. Once done, you no longer have to log onto the firewall and enable the rule when you need it. You just load the private key, maybe entering a passphrase if it is protected by one.

In ssh nomenclature, what you refer to as "keyless" are called keys, and they are clearly distinct from passwords. You cannot enter them on the keyboard. They are more than 1600 bytes. This is what I meant by "infeasible" by brute force. Isn't that 2^8^1600?

I do not think you can just look at the number of bytes, since that is related to how the private key is encoded to be stored as text, rather than its actual length. Nonetheless, it should still be far more infeasible to guess a private key than to guess a good password, unless you have a case like Debian's predictable random number generator security blunder that leads to weak keys.

Yeah, but it sounds to me like this is just a product of pure ignorance, laziness, and or stupidity -- not using public/private keys. I'm not surprised at all that people get cracked that way. If you left your car parked downtown with the windows rolled down and the keys on the front seat, how many nights do you think would go by before there was a "startling security violation"?

Bad analogy, since with good passwords, SSH access limited to a restricted set of users not including root, and denyhosts installed and running, brute force is also very unlikely to succeed.

[Mario F.]

unless you have a case like Debian's predictable random number generator security blunder that leads to weak keys.

I learned of this sometime last year just by chance when I was moving from Ubuntu to ArchLinux. It never was clear to me what kind of inside knowledge should the attacker possess in order to take advantage of this vulnerability. It seems they would need to know other keys from the system, so this vulnerability was only serious for inside attackers. But would like a clarification.