Re: kernel.org status: establishing a PGP web of trust

[Ted Ts'o]

On Mon, Oct 03, 2011 at 09:52:29PM -0700, H. Peter Anvin wrote:
> On 10/03/2011 09:49 PM, Ted Ts'o wrote:
> > 
> > Note that if your laptop allows incoming ssh connections, and you
> > logged into master.kernel.org with ssh forwarding enabled, your laptop
> > may not be safe.  So be very, very careful before you assume that your
> > laptop is safe.  At least one kernel developer, after he got past the
> > belief, "surely I could have never had my machine be compromised",
> > looked carefully and found rootkits on his machines.
> > 
> By the way, I'm now pretty convinced that allowing inbound ssh on
> laptops (which is the default on all the mainline Linux distros as far
> as I know) is seriously broken... laptops get connected to *extremely*
> insecure networks on just way too regular a basis.

+1000

I'll note though that at least some Linux distributions when
customized by corporate security types tend to disable incoming ssh.
If your company doesn't, it probably should... 

... and it should definitely raise a firewall and disable NAT and
incoming ssh if you're connected to the corporate VPN.  I once heard a
story several years back when someone I knew was staying at a hotel in
Beaverton, and connected to an open WiFi access point to get internet
access.  Very shortly there afterwards, he realized he was connected
behind the Intel corporate firewall, at which point he (not being an
Intel employee, and conscious of the Business Conduct Guidelines that
he was require to sign every year) disconnected as quickly as
possible.

Oops.  :-)

						- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/