ARP-spoofing defense

Hans Fugal hans at
Fri Mar 16 15:27:17 MDT 2007

On Thu, 15 Mar 2007 at 09:59 -0600, Levi Pearson wrote:
> Andy Bradford <amb-plug at> writes:
> > 
> > How about you just put a known_hosts with all your host fingerprints in
> > it on your laptop before you connect from offsite? Hopefully offsite
> > doesn't mean connecting from public computer systems... All it takes is
> > one PC that you think can be trusted that has a keylogger running on it.
> As I understand it, the host key fingerprints are more of a tripwire
> than a prevention mechanism.  The assumption is that a
> man-in-the-middle attack will not happen every time, so if one ever
> /does/ happen, you become aware of it thanks to an inconsistency in
> the host key verification process.  

That's my impression as well.

> Apparently Phil Zimmermann (of PGP fame) is planning to use this same
> model with the secure VoIP system he's creating.  If it's secure
> enough for him, it's secure enough for me.  I guess I lack the
> paranoia you guys have.

I _know_ I lack the paranoia. I mean seriously, unless you are a secret
agent nobody is sitting outside your home (in the case of wireless) or
tapped into your network poised to do an ARP spoof. 

Security is important, but not important enough to go nuts over. Today I
walked around the corner to the microwave for ten seconds without
closing my office door. Nobody came and stole my chalk and erasers.
Everypeople aren't as malicious as all that.

If you deal with sensitive data, protect it. Take basic security
measures so that you are not the low-hanging fruit (this goes equally
well for real life as cyber life). Live a life without worry.

Hans Fugal
There's nothing remarkable about it. All one has to do is hit the 
right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
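
Added example, not part of the original message: a Python sketch of the host-key tripwire discussed in this thread, showing why a known_hosts file copied to the laptop beforehand leaves no unverified first connection. The host names, the key blobs and the function names are constructed for illustration, and the parser handles only plain (unhashed, non-wildcard) known_hosts entries.

```python
import base64
import hashlib

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> fingerprint for plain known_hosts lines."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments, @markers and hashed host names (simplification).
        if not line or line[0] in "#@|":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, key_b64 = fields[:3]
        for host in hosts.split(","):
            pinned[(host, keytype)] = fingerprint(key_b64)
    return pinned

def check_host_key(pinned: dict, host: str, keytype: str, offered_b64: str) -> str:
    """'match', 'unknown' (nothing pinned, blind first use) or 'MISMATCH'."""
    stored = pinned.get((host, keytype))
    if stored is None:
        return "unknown"
    return "match" if stored == fingerprint(offered_b64) else "MISMATCH"

# Constructed sample data: these blobs are placeholders, not real SSH keys.
SERVER_KEY = base64.b64encode(b"constructed-host-key-blob-A").decode()
OTHER_KEY = base64.b64encode(b"constructed-host-key-blob-B").decode()
KNOWN_HOSTS = (
    "# copied to the laptop before going offsite\n"
    f"shell.example.org,192.0.2.10 ssh-rsa {SERVER_KEY}\n"
)

if __name__ == "__main__":
    pinned = load_known_hosts(KNOWN_HOSTS)
    for host, key in [("shell.example.org", SERVER_KEY),
                      ("shell.example.org", OTHER_KEY),
                      ("new.example.org", SERVER_KEY)]:
        print(host, fingerprint(key), check_host_key(pinned, host, "ssh-rsa", key))
```

Only the "unknown" result depends on the user's judgment; with the file in place beforehand, a changed key on the very first offsite connection already reports "MISMATCH".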

More information about the PLUG mailing list