<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
Yes, <div><br></div><div>But he was only wrong the once. He did it purposely just to see what it felt like.<div><br></div><div><a href="http://www.schneierfacts.com/">http://www.schneierfacts.com/</a><br><br>Chris Hogan <br><br><br><br>> Date: Wed, 24 Feb 2010 14:20:32 +0100<br>> From: andreas.raab@gmx.de<br>> To: squeak-dev@lists.squeakfoundation.org<br>> Subject: [squeak-dev] Re: SqueakSource question<br>> <br>> K. K. Subramaniam wrote:<br>> > On Wednesday 24 February 2010 04:23:58 am Andreas Raab wrote:<br>> >> http://www.wireshark.org/<br>> >><br>> >> 'nuff said. An hour in promiscuous mode on a public network will likely <br>> >> be enough to net you a couple of "interesting" passwords. If you write a <br>> >> custom filter that just greps for "Authorization: Basic" you can watch <br>> >> those passwords in real-time<br>> > Please don't even try this.<br>> > <br>> > Decoding passwords on a public network without authorization could run foul of <br>> > local laws in many countries. Technical feasibility or academic interest is <br>> > not sufficient excuse.<br>> <br>> Absolutely! This was *not* an invitation to try it. It was an attempt to <br>> scare the hell out of all of you who think "basic auth is fine" by <br>> showing just how trivial it would be for an attacker in the right <br>> location to sniff your passwords.<br>> <br>> Basic auth is *not* fine. Bruce Schneier isn't always right, but that <br>> doesn't mean he's always wrong.<br>> <br>> Cheers,<br>> - Andreas<br>> <br></div></div></body>
</html>