[conspire] About conditioned helplessness
Ruben Safir
ruben at mrbrklyn.com
Wed Sep 7 10:32:59 PDT 2011
On Wed, Sep 07, 2011 at 10:21:41AM -0700, Paul Zander wrote:
> Generating really random numbers his its own set of problems. Intel claims to be making it easier:
>
> Intel's New Random-Number Generator
> http://spectrum.ieee.org/semiconductors/processors/behind-intels-new-randomnumber-generator/?utm_source=techalert&utm_medium=email&utm_campaign=090111
>
That is really the NDS's and CIA's new Keyhole.
>
>
>
> --- On Sat, 9/3/11, Edward Cherlin <echerlin at gmail.com> wrote:
>
> From: Edward Cherlin <echerlin at gmail.com>
> Subject: Re: [conspire] About conditioned helplessness
> To: conspire at linuxmafia.com
> Date: Saturday, September 3, 2011, 11:30 PM
>
> On Fri, Sep 2, 2011 at 13:16, Luke S. Crawford <lsc at prgmr.com> wrote:
> > Now, I think, RSA made an absolutely boneheaded mistake that changed
> > the breakin, in their case, from being an embarrassing sidenote to
> > it meaning that all their customers were also vulnerable to compromise.
> >
> > They use shared secrets for authentication.
> >
> > Those time-based tokens? the seed is essentially a shared secret, and
> > while they provide a secure way of transmitting that secret, I believe both
> > ends need to know the secret. This means that if the attacker compromises
> > the server being authenticated to, in this case, an RSA owned server, the
> > attacker can then use those secrets to attack other servers using the same
> > authentication keys.
>
> This would be particularly bad if it were the OTP login server that
> was compromised.
>
> I have mentioned contracting at VeriSign on their security API
> documentation. I also worked on OTP token management documentation.
> Tokens and servers run a pseudo-random number generator to create
> One-Time Passwords, so both ends must know the algorithm and current
> seed value, which is changed at each iteration. (Synchronization is as
> issue that reduces the security of the system.) Initializing a token
> includes setting a pseudo-random seed while the token is physically
> under the control of the appropriate sysadmin. VeriSign's token vendor
> can do this in bulk for banks.
>
> Using six-digit OT passwords means that it would take a factor of a
> million more tries, on average, to break into accounts, except that
> the server keeps several iterations of the password algorithm on hand.
> So, a million divided by the synchronization cache size.
>
> How many passwords do you suppose hax0rs can try per second from a
> botnet, if they know enough user IDs at enough banks? Does anybody
> think that they need to break into accounts more than once each?
>
> How about carrying a laptop and its token through the airport in the same bag?
>
> But it sure beats letting users tape their passwords to their monitors. :(
>
> Most of the companies where I have done documentation work have given
> me Windows machines with Admin privileges, so that I could manage
> necessary software rather than bother IT for every utility I was going
> to run, and manage my own filesystem as needed for new projects. (Yes,
> Rick, _I_ could have used the command line, but not all of the others
> I worked with.) This left me and a lot of others having to manage
> security on our own daily-use computers, apart from the antivirus
> program and its automatic updates. I got to use Solaris once, and
> Linux a few times, where I did not have to run as Admin all day.
>
> Have I ever mentioned the NT 3.5 box I used once, that locked up to
> the point where it would not turn on _or_ off? Or the Windows Beta
> where Paint complained, "Insufficient memory to quit"? Or when the "I
> love you" Trojan nobbled much of Microsoft via Outlook and VBasic?
>
> --
> Edward Mokurai (默雷/धर्ममेघशब्दगर्ज/دھرممیگھشبدگر ج) Cherlin
> Silent Thunder is my name, and Children are my nation.
> The Cosmos is my dwelling place, the Truth my destination.
> http://wiki.sugarlabs.org/go/Replacing_Textbooks
>
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire
>
>
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire
--
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
http://fairuse.nylxs.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
"Yeah - I write Free Software...so SUE ME"
"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."
"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politcs and technology have been attached at the hip since the 1st dynasty in Ancient Egypt. I guess you missed that one."
© Copyright for the Digital Millennium
More information about the conspire
mailing list