Re: Security

Robert Hsiung (dr-bob@uchicago.edu)
Wed, 26 Nov 1997 14:32:37 -0600 (CST)


At 9:04 AM -0600 11/26/97, Jason Williams wrote:

>> >The typical
>> >user isn't gonna have the keys to the routers
>>
>> The physical keys to the rooms that the routers are in? Or some kind of
>> software password-type key?
>
>Both I suppose..though I guess if they own the router, they probably can
>login remotely to it.

Oh, so routers are computers, too, not just gadgets that send traffic this
way and that...

>CU-SeeMe doesn't use PGP-encrypted data...

So doing so would be possible? That sounds like it would increase the level
of security...

>> I'm wondering about a one-to-one connection, not a connection through a
>> reflector. Someone worried about security wouldn't go through a reflector,
>> I don't think! :-)
>
>Someone who knew a bit more about the internet would realize the packets
>are all going through pretty much the same routers regardless of the final
>destination..be it another individual's IP, or the IP of a reflector.

Hmm, good point, the idea of the Internet was to have packets go everywhere
so transmission would be less likely to be disrupted, right?

>the person wanting to eaves drop would have to:
>1) Have access to a packet sniffer on the router between you and your
>destination.
>4) Have a program that takes the sifted data and assembled into
>video/audio packets in REAL TIME. It wouldn't be hard to assemble the
>data later and run some sort of decoder on it to view it perhaps. But the
>hacker would be more interested in real-time data
>5) Have a program that actually displays the data acquired. (video
>routines/etc)

But:

1) What counts as "between" isn't so clear, given the fact that packets go
everywhere (or at least more than one place).

4) It wouldn't have to be in real time to be a security problem.

5) The snoop might only care about the audio. Or only the video. So he or
she wouldn't need to duplicate everything CUSM does. And what about the
chat? That, presumably, is just sent as text?

>All of this also assumes the hacker has both IP addresses as well as the
>time you're sending/receiving. If nothing else, simply using a dynamic IP
>address bypasses that problem. CU is as secure as possible I believe...
>
>If security is a big issue, perhaps you can bypass the Internet altogther
>and use CU by directly dialing the other person.

Would they really need both IP addresses? Wouldn't knowing just mine (for
example) be enough? Mine isn't exactly top secret...

I can't use dynamic IP addresses because I'm plugged into the wall. And I
want to stay plugged into the wall because I get a better connection that
way.

Calling them directly wouldn't be such a great option for the same reason,
but I didn't know that was even possible. Can I just dial someone else's
number and connect directly?

It's not "as secure as possible" if PGP (or some other) encryption would be
possible...

----

At 9:24 AM -0600 11/26/97, Eric Ochoa [NOL Staff] wrote:

>> >a packet sniffer?
>> >Well..if you want to get technical..that's always possible.
>>
>> That's what I was afraid of. :-)
>
>There really isn't much to be afraid of, you can get some usefull bits of
>information by sniffing packets.. mostly just chat or text but anything
>video related would be alot more complicated to do anything with.

That's exactly what I'm afraid of, that someone else might be able to get
"useful" bits of information! :-)

The video information would be more complicated because it's digitized (or
whatever) and would need to be undigitized (or unwhatevered)?

>I think your sessions would be secure enough, if you are that concerned
>about it you might think about setting up a secure VPN to conduct your
>transmissions through.

Well, what's "enough" is in the eye of the beholder. What's a VPN?

Bob