[LINK] Wikileaks mirrors, recap and update
Ben McGinnes
ben at adversary.org
Tue Dec 7 21:41:10 AEDT 2010
On 7/12/10 8:27 PM, Rick Welykochy wrote:
> Ben McGinnes wrote:
>
>> It's worth reminding anyone considering this that the WikiLeaks
>> preferred method of updating these mirror sites involves creating a
>> shell account on this system. There is no statement from either
>> Assange or WikiLeaks saying that use of these accounts will be limited
>> to updating the mirror site.
>
> I agree that you must really know what you are doing and understand
> the security implications of allowing a WikiLeaks mirror loose on your
> own server.
Both the technical and legal implications, though I was concentrating
more on the technical ones.
> That said, I don't think they require a shell. Rather:
They don't, but all they do say is:
"Setup an account where we can upload files using RSYNC+SSH
(preferred) or FTP"
There is no mention of restricting it and I have no doubt that there
will be a lot of little Linux boxes out there which provide them shell
access simply because the end user used a default configuration.
>> Server administrators should think *very* carefully about the
>> implications of doing this before proceeding.
>
> Indeed. It is easy to misconfigure SSH to allow shell access
> unintentionally. Also, a rogue at WikiLeaks could DoS your machine
> if they wanted to, by filling up the disk. Which would not reflect
> very well on their organisation.
Not to mention connecting to other systems from the network of a
mirror site or using these distributed systems to create a cluster for
cryptanalysis.
> Aside: what is this enigmatic digest?
>
> * bubblebabble digest :
I have no idea.
Regards,
Ben
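For the upload-only rsync+SSH account discussed in this thread, here is an added example (not from the thread or from WikiLeaks' instructions) of confining such an account so that a misconfiguration does not hand out a shell. The account name, upload directory and rrsync path are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Confine an rsync-over-SSH upload account
# to one directory so the uploader never reaches a login shell. Assumed values:
MIRROR_USER="mirror"        # local account the uploader authenticates as
MIRROR_DIR="/srv/mirror"    # the only path rsync may write to
RRSYNC="/usr/bin/rrsync"    # rsync's "restricted rsync" wrapper; path varies by distro

# One authorized_keys line. "restrict" turns off port/agent/X11 forwarding and
# PTY allocation; command= forces every session through rrsync, which accepts
# only rsync server invocations confined to MIRROR_DIR.
restricted_key_line() {
    printf 'restrict,command="%s %s" %s\n' "$RRSYNC" "$MIRROR_DIR" "$1"
}

# sshd_config Match block enforcing the same policy server-side, so a key
# appended later without options still cannot open a shell.
sshd_match_block() {
    cat <<EOF
Match User $MIRROR_USER
    ForceCommand $RRSYNC $MIRROR_DIR
    PasswordAuthentication no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Audit an authorized_keys file: print every key lacking a forced command
# (such a key hands the account's login shell to its holder). Returns 1 if any.
audit_authorized_keys() {
    if grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -v 'command='; then
        return 1
    fi
    return 0
}

# Demonstration on a constructed public key (not a real key).
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal uploader@example"
restricted_key_line "$SAMPLE_KEY"
sshd_match_block
```

rrsync limits what the session may run and where it may write, but not how much; the disk-filling scenario raised above needs a filesystem quota on the account in addition.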