LinuxQuestions.org
Old 01-28-2013, 07:40 AM   #1
jokar.mohsen
Member
 
Registered: Jul 2008
Location: Tehran
Posts: 265

Rep: Reputation: 17
Sniff passwords :(


Hello Folks.
I use Pidgin and Thunderbird for checking emails. My government used some deep packet filtering. Can they sniff my password?
In Pidgin I enable "Connection security"; is it useful?

Do you have any suggestions for improving security?

Thank you.
Regards.
 
Old 01-28-2013, 07:44 AM   #2
yooy
Senior Member
 
Registered: Dec 2009
Posts: 1,107

Rep: Reputation: 127
I think they can, but they will leave your user accounts intact as long as you don't do anything really stupid.
 
Old 01-28-2013, 07:57 AM   #3
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,231

Rep: Reputation: 1071
Just don't do anything that a government would be interested in.
 
Old 01-28-2013, 08:06 AM   #4
jokar.mohsen
Member
 
Registered: Jul 2008
Location: Tehran
Posts: 265

Original Poster
Rep: Reputation: 17
If I use Tor and change my password, can they access it?
 
Old 01-29-2013, 11:41 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731
TOR provides anonymity only to some extent. The TOR web site strongly suggests using end-to-end encryption always.
*There is an actively maintained and developed pre-configured-for-TOR Linux distribution: TAILS.
 
Old 01-31-2013, 07:35 PM   #6
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,225

Rep: Reputation: 2021
Re Thunderbird, you may want to check this out http://www.enigmail.net/home/index.php
 
1 members found this post helpful.
Old 03-23-2013, 03:59 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731
addendum wrt your "Gmail." thread question

TAILS in essence is only a collection of tools. And while tools may make things easier (or more difficult, depending on how you look at it) they are limited in scope. While for example a browser may warn you about the server's cert not matching its FQDN it won't prevent you from using password authentication over HTTP and then switching to HTTPS. So the real problem with your question is that you shouldn't be satisfied with any "it's OK" type of answer anymore: you have to do your own research and actively gain knowledge about what SSL actually is used for (what it protects against and what not), be able to spot implementation flaws (for example SSL-ized connection but cookies not forced over HTTPS) and get to know a little about how SSL could be attacked (https://www.ssllabs.com/downloads/SSL_Threat_Model.png and the rest of www.ssllabs.com). Next to that you have to review your personal password hygiene (re-use mostly), device use wrt flaws, software (anything from browsers auto-completion to cross-site scripting attacks), be aware constantly when facing links, login buttons, URL bar changes, etc, etc and keep abreast of any vulnerabilities always. If for example BEAST, CRIME, TIME and Lucky 13 don't ring a bell then you should really step up your research. A good starting point may be http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openssl.
 
1 members found this post helpful.
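
The two implementation flaws named in post #7 (a password form that submits over plain HTTP, and session cookies not restricted to HTTPS) can be checked mechanically. The Python below is an added example, not part of any poster's message; the host name, cookie values and HTML are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data (not taken from a real site).
SAMPLE_SET_COOKIE = [
    "session=4f2a9c; Path=/; HttpOnly",        # no Secure attribute
    "prefs=lang-en; Path=/; Secure; HttpOnly",
]
SAMPLE_LOGIN_PAGE = """<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>"""

def cookies_without_secure(set_cookie_headers):
    """Names of cookies a browser would also send over plain HTTP."""
    flagged = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            flagged.append(parts[0].split("=", 1)[0])
    return flagged

class PasswordFormScanner(HTMLParser):
    """Record the action of each <form> that holds a password input."""

    def __init__(self):
        super().__init__()
        self.action = None      # action of the form currently being parsed
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.action = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self.action is not None:
                self.actions.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def cleartext_password_targets(page_url, html):
    """URLs that would receive a password without HTTPS."""
    scanner = PasswordFormScanner()
    scanner.feed(html)
    return [u for u in (urljoin(page_url, a) for a in scanner.actions)
            if urlsplit(u).scheme != "https"]
```

A relative form action inherits the scheme of the page it sits on, so the same login page is flagged when served over HTTP and passes when served over HTTPS.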
Old 03-23-2013, 03:31 PM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
It is unlikely that anyone can sniff your passwords or decode other data that has been encrypted with current standards. As has been pointed out above, the difficult part is in ensuring that you're actually encrypting your data and talking to who you think you are.

To add a little perspective on the subject, you are the weak link in the system and if you do something to attract sufficient unwanted attention you will be the target and it won't likely result in attempts to sniff your network traffic. Instead you will probably face this: http://xkcd.com/538/
 
Old 03-23-2013, 07:02 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731
Not unlikely as the situation is the following: http://dailyinfographic.com/wp-conte...nfographic.jpg
 
Old 03-24-2013, 12:55 PM   #10
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
I find the "don't piss your government off" very funny. As posted, it can be reformulated as "If you have nothing to hide, don't worry if we watch you".

VERY BIG BROTHER, MEN!

Sorry, it is just that I have just read some news about portable scanners to spy on people, haha.

Other than that, I think there is no true Internet security and privacy against global attackers. Depending on the country and the cases, the Civil Guard, the Feds or whoever can kick some doors down and confiscate the equipment which handles your data, so you see... I have heard of cases in which that is what actually happened.

I mean, c'mon, asking Google to surrender your info is likely quicker for them than setting a sniffer scenario. Just saying.
 
Old 03-25-2013, 09:11 PM   #11
notsure
Member
 
Registered: Jun 2012
Location: Detroit
Distribution: Arch x86_64
Posts: 107

Rep: Reputation: 8
Quote:
Originally Posted by sundialsvcs
> Just don't do anything that a government would be interested in.

because governments know what's best...


Get a VPN or SSH/SSL.
 
1 members found this post helpful.
Old 03-25-2013, 09:21 PM   #12
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,231

Rep: Reputation: 1071
"Yes, the government can sniff your passwords." Or, they can probably arrange for the e-mails to be transcribed and retrieved entirely without your knowledge or consent. Because, basically, that's what governments are tasked to do: to act on behalf (more or less) of hundreds of millions of people at a time. (Including you, BTW ...)

The comment, "just don't do anything that a government (or law-enforcement, etc.) would be interested in," is a perfectly-valid and appropriate statement, all things considered.

Your "expectation of privacy" with regards to e-mail in any case should be minimal. If you need to protect the content of your e-mail, you need to use PEM technologies. (And even then, you're not protecting against the guv'mint.)

I had an, shall we say, "interesting uncle." He was very expressive. One day he bought a police scanner. A few days later, he walked up to one of the local policemen (who he knew well, in his small town), and, very gravely, shook his hand. And said to him: "Thank you. I had no idea."

Last edited by sundialsvcs; 03-25-2013 at 09:25 PM.
 
Old 04-23-2013, 02:18 PM   #13
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Quote:
> I use Evolution to check my email and in the "Use secure connection" I choose SSL encryption. Is it a secure way to protect my password from a third person?

Yes there is. In Evolution, you will want to select use secure connection, e.g. TLS (which works over port 25 using "plain" passwords).

Also, if you are connecting to your own POP/IMAP server (e.g. Dovecot / Cyrus) you will want to do the following. Create a self-signed SSL key and Certificate Authority just like you do for Apache and you can follow the instructions in many of the how-to documents. I prefer the one by Van Emery personally. You can then tell your POP/IMAP server to listen for secure connections using these keys.

Last edited by unSpawn; 04-24-2013 at 12:17 AM. Reason: //Fix quoting
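
A client-side view of the advice in post #13, as an added example that is not part of the post: trust only your own CA when connecting to your own POP/IMAP server, and send a plain password only once TLS is active. The `ca_file` parameter and the sample IMAP server lines are assumptions constructed for illustration.

```python
import re
import ssl

# Constructed IMAP server lines (not captured from a real server).
GREETING_TLS_OFFERED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
GREETING_NO_TLS = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready"
CAPS_AFTER_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"


def client_context(ca_file=None):
    """TLS context for a mail client. ca_file is the path to your own CA
    certificate (hypothetical, supplied by the caller); when given, only
    that CA is trusted."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True             # certificate must match the server name
    ctx.verify_mode = ssl.CERT_REQUIRED   # never accept an unverified certificate
    return ctx


def capabilities(line):
    """Capability atoms from an IMAP greeting or CAPABILITY reply."""
    m = re.search(r"CAPABILITY ([^\]\r\n]+)", line)
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def next_step(line, tls_active):
    """What a careful client does next: 'starttls', 'login' or 'abort'."""
    caps = capabilities(line)
    if not tls_active:
        # No fallback to a cleartext password when TLS is not on offer.
        return "starttls" if "STARTTLS" in caps else "abort"
    if "LOGINDISABLED" in caps:
        return "abort"
    return "login"
```

The context can be passed to `imaplib.IMAP4_SSL(host, ssl_context=ctx)` or to `IMAP4.starttls(ssl_context=ctx)` from the Python standard library.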
 
Old 04-23-2013, 02:40 PM   #14
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64&i386, Raspbian Jessie, various VMs
Posts: 3,161

Rep: Reputation: 729
Quote:
Originally Posted by Noway2
> Quote:
> > I use Evolution to check my email and in the "Use secure connection" I choose SSL encryption. Is it a secure way to protect my password from a third person?
>
> Yes there is. In Evolution, you will want to select use secure connection, e.g. TLS (which works over port 25 using "plain" passwords).

Of course this only works if your mail provider is in another country and will not take money from your government. I'm assuming that's taken for granted but thought it worth pointing out in case it wasn't.
I would suggest not using encryption though and simply never saying anything that you would not say in front of a police officer.
The reason I say this is because using encryption in any country could make the government take notice and, as has been pointed out above, it could fail in a number of ways. This means that if somebody sees your email is encrypted and decides to spend time getting into it if you have said anything even vaguely illegal you will be arrested and detained simply to justify the time and money spent getting into your email.

Last edited by 273; 04-23-2013 at 02:41 PM.
 
Old 04-23-2013, 03:53 PM   #15
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Here is a simple answer for the OP: use hushmail. I think that this has been suggested before. The servers are in Canada and per the terms of service unless a warrant signed by a Canadian judge with authority in British Columbia is presented, they will not turn over your email. Access to and from the site is encrypted via HTTPS. Mail to and from them may be encrypted if desired and there are multiple ways to do this.
 
  

