Re: [Full-Disclosure] Sending remote procedure calls through e-mail (RPC-Mail)
From: Barrie Dempster (barrie_at_reboot-robot.net)
Date: 10/20/04
- Previous message: Home Security: "Re: [Full-Disclosure] Re: Stupid idea"
- In reply to: Abe Usher: "[Full-Disclosure] Sending remote procedure calls through e-mail (RPC-Mail)"
- Next in thread: michael williamson: "Re: [Full-Disclosure] Sending remote procedure calls through e-mail (RPC-Mail)"
- Reply: michael williamson: "Re: [Full-Disclosure] Sending remote procedure calls through e-mail (RPC-Mail)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: full-disclosure@lists.netsys.com Date: Wed, 20 Oct 2004 12:28:50 +0100
Few points to note on this idea,
Encryption? you didn't mention it I hope you considered it though. This
detracts from the simplicity as the user will have to setup this
alongside their mail client.
Speed, email is much slower and less reliable than port-knocking. (You
have to rely on more than just the box your accessing being up, all the
intermittent email servers must be playing the game too)
IMO if the port knocking is to, say for example, open up a remote shell.
We could alias the command ssh on the users machine to a script which
runs the port-knocking command before executing ssh making the process
completely transparent to the end user.
It's as you point out a matter of convenience however I'm sure running
one command is more convenient than.....
1. Fire up the email client
2. Type the email address and message, ensuring to type the passphrase
and encrypt the mail.
3. send the mail
4. Wait a comparatively long time for a confirmation reply.
With the portknocking method if the server is down you will be notified,
how will your email server tell you this? as in your example the command
is only acted upon when the receiving server checks for incoming mail.
Or are you going to add notification of unread mail to the email server,
adding more complexity and another failure point to the mechanism.
It is a fairly good idea and I've seen it implemented before, I also did
a similar thing over IRC as an experiment which worked pretty well.
However I don't think it beats port-knocking on reliability, speed or
security, Which I consider important aspects of this kind of technology.
Kindest Regards
-- Barrie Dempster (zeedo) - Fortiter et Strenue http://www.bsrf.org.uk [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- application/pgp-signature attachment: This is a digitally signed message part
- Previous message: Home Security: "Re: [Full-Disclosure] Re: Stupid idea"
- In reply to: Abe Usher: "[Full-Disclosure] Sending remote procedure calls through e-mail (RPC-Mail)"
- Next in thread: michael williamson: "Re: [Full-Disclosure] Sending remote procedure calls through e-mail (RPC-Mail)"
- Reply: michael williamson: "Re: [Full-Disclosure] Sending remote procedure calls through e-mail (RPC-Mail)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
