[LINK] Wikileaks mirrors, recap and update

Ben McGinnes ben at adversary.org
Tue Dec 7 21:41:10 AEDT 2010


On 7/12/10 8:27 PM, Rick Welykochy wrote:
> Ben McGinnes wrote:
> 
>> It's worth reminding anyone considering this that the WikiLeaks
>> preferred method of updating these mirror sites involves creating a
>> shell account on this system.  There is no statement from either
>> Assange or WikiLeaks saying that use of these accounts will be limited
>> to updating the mirror site.
> 
> I agree that you must really know what you are doing and understand
> the security implications of allowing a WikiLeaks mirror loose on your
> own server.

Both the technical and legal implications, though I was concentrating
more on the technical ones.

> That said, I don't think they require a shell. Rather:

They don't, but all they do say is:

"Setup an account where we can upload files using RSYNC+SSH
(preferred) or FTP"

There is no mention of restricting it and I have no doubt that there
will be a lot of little Linux boxes out there which provide them shell
access simply because the end user used a default configuration.

>> Server administrators should think *very* carefully about the
>> implications of doing this before proceeding.
> 
> Indeed. It is easy to misconfigure SSH to allow shell access
> unintentionally. Also, a rogue at WikiLeaks could DoS your machine
> if they wanted to, by filling up the disk. Which would not reflect
> very well on their organisation.

Not to mention connecting to other systems from the network of a
mirror site or using these distributed systems to create a cluster for
cryptanalysis.

> Aside: what is this enigmatic digest?
> 
>     * bubblebabble digest :

I have no idea.


Regards,
Ben
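
An added example, not part of the original message or of anything WikiLeaks published: a small Python audit of `authorized_keys` entries for an upload-only RSYNC+SSH account. It flags keys that have no forced command or that leave pty and forwarding channels open. The sample keys, the `/srv/mirror` path and the use of `rrsync` as the forced command are constructed assumptions.

```python
import re

TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')   # whitespace-separated, quoted values kept whole
OPTION = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')   # comma-separated, quoted values kept whole
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")               # a line starting with a key type has no options
CHANNELS = ("pty", "port-forwarding", "agent-forwarding", "x11-forwarding")

SAMPLE = '''\
# constructed sample entries, placeholder key material
ssh-ed25519 AAAAEXAMPLEKEY mirror-default
command="rrsync /srv/mirror" ssh-ed25519 AAAAEXAMPLEKEY mirror-cmd-only
restrict,command="rrsync /srv/mirror" ssh-ed25519 AAAAEXAMPLEKEY mirror-locked
'''

def parse_options(line):
    """Return {option_name: value_or_True} for one authorized_keys line."""
    tokens = TOKEN.findall(line.strip())
    if not tokens or tokens[0].startswith(KEY_PREFIXES):
        return {}
    opts = {}
    for item in OPTION.findall(tokens[0]):
        name, _, value = item.partition("=")
        opts[name.lower()] = value.strip('"') if value else True
    return opts

def audit(line):
    """List what this key permits beyond running one fixed upload command."""
    opts = parse_options(line)
    findings = [] if "command" in opts else ["no forced command"]
    for ch in CHANNELS:
        # Conservative: ignores option order, so any re-enabling option counts as open.
        closed = ("restrict" in opts or "no-" + ch in opts) and ch not in opts
        if not closed:
            findings.append(ch + " allowed")
    return findings

def audit_text(text):
    """Audit every key line, returning {line_number: findings}."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            report[n] = audit(line)
    return report

if __name__ == "__main__":
    for n, findings in audit_text(SAMPLE).items():
        print(n, findings or "locked down")
```

A key with only `command=` still reports port forwarding as allowed, which is the case that lets an upload account reach other hosts on the mirror's network.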
