Re: status: establishing a PGP web of trust

From: Ted Ts'o
Date: Tue Oct 04 2011 - 01:11:54 EST

On Mon, Oct 03, 2011 at 09:52:29PM -0700, H. Peter Anvin wrote:
> On 10/03/2011 09:49 PM, Ted Ts'o wrote:
> >
> > Note that if your laptop allows incoming ssh connections, and you
> > logged into with ssh forwarding enabled, your laptop
> > may not be safe. So be very, very careful before you assume that your
> > laptop is safe. At least one kernel developer, after he got past the
> > belief, "surely I could have never had my machine be compromised",
> > looked carefully and found rootkits on his machines.
> >
> By the way, I'm now pretty convinced that allowing inbound ssh on
> laptops (which is the default on all the mainline Linux distros as far
> as I know) is seriously broken... laptops get connected to *extremely*
> insecure networks on just way too regular a basis.


I'll note though that at least some Linux distributions when
customized by corporate security types tend to disable incoming ssh.
If your company doesn't, it probably should...

... and it should definitely raise a firewall and disable NAT and
incoming ssh if you're connected to the corporate VPN. I once heard a
story several years back when someone I knew was staying at a hotel in
Beaverton, and connected to an open WiFi access point to get internet
access. Very shortly there afterwards, he realized he was connected
behind the Intel corporate firewall, at which point he (not being an
Intel employee, and conscious of the Business Conduct Guidelines that
he was require to sign every year) disconnected as quickly as

Oops. :-)

- Ted
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at