[squeak-dev] Re: SqueakSource question

Randal L. Schwartz merlyn at stonehenge.com
Wed Feb 24 15:26:40 UTC 2010


>>>>> "Andreas" == Andreas Raab <andreas.raab at gmx.de> writes:

Andreas> Absolutely! This was *not* an invitation to try it. It was an attempt
Andreas> to scare the hell out of all of you who think "basic auth is fine" by
Andreas> showing just how trivial it would be for an attacker in the right
Andreas> location to sniff your passwords.

Even simpler, install ettercap, available in most packaging systems,
and type:

  sudo ettercap -Tzqi $INTERFACE

where $INTERFACE is your default network interface.

*All* you see is decoded passwords in the clear for any of a dozen different
protocols, for anything publicly decodable zipping by your interface.

As self defense, I run this *to verify I'm not leaking* whenever I'm connected
to a public LAN (like wifi or a conference-provided ether hub), and was amazed
at how many passwords I used to leak.  In fairness, I've been known to call
out loud to people around me phrases like "jeremyq - better change your
password when you get home", eliciting shock from someone sitting nearby. :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn at stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
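
Added example, not part of the original message: a self-audit sketch showing why HTTP Basic auth over an unencrypted link leaks in the way described above. The `Authorization: Basic` value is only base64 of `user:password` (RFC 7617), so it decodes without any key. The host name, accounts, and requests are constructed samples, and the helper names are hypothetical.

```python
import base64
import binascii

def basic_header(user, password):
    """Build the Authorization value the way a client does (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def exposed_credentials(scheme, request_head):
    """Return (user, password_length) when a request carries Basic credentials
    over plain HTTP, else None. The password is not echoed, only its length."""
    if scheme.lower() != "http":
        return None  # TLS protects the header in transit
    for line in request_head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        kind, _, token = value.strip().partition(" ")
        if kind.lower() != "basic":
            return None  # other schemes are out of scope for this check
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed token, nothing recoverable
        # Only the first ':' separates user from password; passwords may contain ':'
        user, sep, password = decoded.partition(":")
        return (user, len(password)) if sep else None
    return None

def request(path, auth):
    """Constructed request head for the samples below."""
    return f"GET {path} HTTP/1.1\r\nHost: source.example\r\nAuthorization: {auth}\r\n\r\n"

# Constructed sample requests, not real captures.
SAMPLES = [
    ("http", request("/repo", basic_header("alice", "s3cret:pass"))),
    ("https", request("/repo", basic_header("bob", "hunter2"))),
    ("http", request("/feed", "Bearer abc.def.ghi")),
    ("http", request("/x", "Basic !!!notbase64")),
]

def audit(samples):
    return [exposed_credentials(scheme, head) for scheme, head in samples]

if __name__ == "__main__":
    for (scheme, _), finding in zip(SAMPLES, audit(SAMPLES)):
        print(scheme, finding)
```

Only the first sample is reported: the same header sent over HTTPS is not visible on the wire, which is the fix for a client that shows up in this kind of check.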


