Re: [tlug] Is ssh as secure as pgp? . . . . . . . . . . . . . . . . . . . . . . . . .

["Stephen J. Turnbull" <stephen@example.com>]

>>>>> "essertier" == essertier  <essertier@example.com> writes:

    essertier> Okay.  I hear you and Bruno saying that if I do ssh
    essertier> right, it can be sufficiently secure.  I'd be
    essertier> connecting about 3 computers and most of my military
    essertier> secrets I wouldn't be saving on any of those machines,
    essertier> so...  (Ha!  Ha!)

No joke.  Back in the day, Microsoft's Windows NT was given the
coveted "Orange Book C2" rating, which is the highest that DoD would
give to a *software* system.  But even so, consider the conditions
under which that rating is given:

1)  No network connection.
2)  Any change to the software (including scripts) means you no longer
    have a C2-rated system.  The system that was evaluated was the OS
    only; no Word, no IE, no server software (obviously).  I'm not
    even sure FreeCell was installed. :-)

Think about (1).  Unless you are extremely judicious, connecting a
Windows box to the Internet means you are probably exposed to
keystroke loggers and other spyware that can grab your keys and
passphrases.  (It's also *possible* with Linux, of course, but I've
not yet heard of such an infection in the wild.)

Bellovin and Cheswick's _Firewalls and Internet Security_ is a good
book with lots of meat that you don't need to be know about Galois
theory to understand.  Cliff Stoll's _The Cuckoo's Egg_ was fun and
informative, too.

-- 
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.