Domain: rsa.com
Stories and comments across the archive that link to rsa.com.
Stories · 24
-
83% Of Consumers Believe Personalized Ads Are Morally Wrong (forbes.com)
An anonymous reader quotes Forbes: A massive majority of consumers believe that using their data to personalize ads is unethical. And a further 76% believe that personalization to create tailored newsfeeds -- precisely what Facebook, Twitter, and other social applications do every day -- is unethical.
At least, that's what they say on surveys.
RSA surveyed 6,000 adults in Europe and America to evaluate how our attitudes are changing towards data, privacy, and personalization. The results don't look good for surveillance capitalism, or for the free services we rely on every day for social networking, news, and information-finding. "Less than half (48 percent) of consumers believe there are ethical ways companies can use their data," RSA, a fraud prevention and security company, said when releasing the survey results. Oh, and when a company gets hacked? Consumers blame the company, not the hacker, the report says. -
Cybercrooks May Have Stolen Billions Using Brazilian "Boletos"
wiredmikey writes "Researchers with RSA have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account — whether a company or an individual — can issue a Boleto associated with their bank. "The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media," according to the report (PDF). "The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts." -
Android iBanking Malware Still Fetches $5,000
itwbennett (1594911) writes "Symantec and RSA published details on their blogs on Tuesday about the iBanking Android program, which is being used by two Eastern European cybercrime groups to intercept one-time SMS passcodes used for logging into bank accounts. IBanking's source code was leaked in February, which should have caused its price to drop. But its developer has continued to develop iBanking and provide support, and the malware is still commanding $5,000 per copy, one of the highest prices seen for a type of malware, according to research from Symantec." -
New Phishing Toolkit Uses Whitelisting To 'Bounce' Non-Victims
chicksdaddy writes "Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims. The new toolkit, dubbed 'Bouncer,' was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia in recent weeks. It allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a '404 page not found' error message. Other phishing kits have used IP address blacklists to block anti malware companies from viewing their malicious pages, but this is the first known use of whitelisting, RSA said. The phishing attacks that RSA technicians discovered that used the Bouncer kit were designed to harvest login credentials from financial services firms. The whitelisting feature may well work, especially given the volume of potential phishing pages that security companies review each day. Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating." -
NSA Targeting Domestic Computer Systems
The NSA was originally supposed to handle foreign intelligence, and leave the domestic spying to other agencies, but Presto Vivace writes with this bit from CNET: "'The National Security Agency's Perfect Citizen program hunts for vulnerabilities in 'large-scale' utilities, including power grid and gas pipeline controllers, new documents from EPIC show.' 'Perfect Citizen?' Who thinks up these names?" "The program is scheduled to continue through at least September 2014," says the article. -
Wanted: Hackers For Large-Scale Attacks On American Banks
Trailrunner7 writes "RSA's FraudAction research team has been monitoring underground chatter and has put together various clues to deduce that a cybercrime gang is actively recruiting up to 100 botmasters to participate in a complicated man-in-the-middle hijacking scam using a variant of the proprietary Gozi Trojan. This is the first time a private cybercrime organization has recruited outsiders to participate in a financially motivated attack, said Mor Ahuvia, cybercrime communications specialist for RSA FraudAction. The attackers are promising their recruits a cut of the profits, and are requiring an initial investment in hardware and training in how to deploy the Gozi Prinimalka Trojan, Ahuvia added. Also, the gang will only share executable files with their partners, and will not give up the Trojan's compilers, keeping the recruits dependent on the gang for updates." -
Adobe Pushes Emergency Flash Player Security Fix
wiredmikey writes "As expected, Adobe today released a security update for its Flash Player. The out of cycle update addresses critical security issues in flash player as well as an important universal cross-site scripting issue. Adobe reported that one of the vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. To illustrate the importance of keeping systems up to date, including Adobe Flash products, the fact that the RSA cyber attack was executed using a spear phishing attack with an embedded flash file should serve as a friendly reminder. RSA was breached after an employee opened a spreadsheet that contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability." -
RSA's Servers Hacked
Khopesh writes "EMC subsidiary RSA was the victim of 'an extremely sophisticated cyber attack' which resulted in the possible theft of the two-factor code used by their SecurID products." The Boston Herald has a short article on the intrusion. Update: 03/17 23:54 GMT by T : Reader rmogull adds "With all the hype that's sure the explode over this one, we decided to do a quick write-up to separate fact from speculation." -
Attackers Using Social Networks For Botnet Control
Trailrunner7 writes "Bot herders and the crimeware gangs behind banker Trojans have had a lot of success in the last few years with using bulletproof hosting providers as their main base of operations. But more and more, they're finding that social networks such as Twitter and Facebook are offering even more fertile and convenient grounds for controlling their malicious creations. New research from RSA shows that the gangs behind some of the targeted banker Trojans that are such a huge problem in some countries, especially Brazil and other South American nations, are moving quietly and quickly to using social networks as the command-and-control mechanisms for their malware. The company's anti-fraud researchers recently stumbled upon one such attack in progress and watched as it unfolded." -
Compliance Is Wasted Money, Study Finds
Trailrunner7 writes "Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)." -
Tetraktys
brothke writes "Imagine for a moment what his novels would read like if Dan Brown got his facts correct. The challenge Brown and similar authors face is to write a novel that is both compelling and faithful to the facts. In Tetraktys, author Ari Juels is able to weave an interesting and readable story, and stay faithful to the facts. While Brown seemingly lacks the scientific and academic background needed to write such fiction, Juels has a Ph.D. in computer science from Berkeley and is currently the Chief Scientist and director at RSA Laboratories, the research division of RSA Security." Read below for the rest of Ben's review.
Title: Tetraktys
Author: Ari Juels
Pages: 351
Publisher: Emerald Bay Books
Rating: Excellent debut novel by Ari Juels
Reviewer: Ben Rothke
ISBN: 978-0982283707
Summary: Intriguing cryptographic thriller
The book, which might be the world's first cryptographic thriller, tells the story of Ambrose Jerusalem, a gifted computer security expert, still haunted by his father's death, a few months shy of his doctorate, who has a beautiful and loving girlfriend, and a bright future ahead of him. This is until the government gets involved and Jerusalem's plans are put on hold when the NSA asks him to join them to track down a strange and disturbing series of computer breaches.
Tetraktys, like similar thrillers, has its standard set of characters; from corrupt State Department and World Bank officials, a dashing protagonist with a long-suffering girlfriend, to mysterious and obscure terrorist groups. The terrorist group in this book is comprised of followers of Pythagoras.
As to the title, a tetraktys is a triangular figure of ten points arranged in four rows, with one, two, three, and four points in each row. It is a mystical symbol and was most important to the followers of Pythagoras. While mainly known as the creator of the Pythagorean theorem, Pythagoras of Samos was an influential Greek mathematician and founder of the religious movement of Pythagoreanism. Those wanting more information can watch a video about the symbol.
As to the storyline, the NSA is trying to recruit Ambrose as they feel that the terrorists, who form a secret cult of followers of Pythagoras have broken the RSA public-key algorithm. Breaking RSA is something that is not expected for many decades, but if a revolution in factoring numbers were to occur sooner, RSA's demise could happen that much quicker. And if RSA was indeed broken by the antagonists, it would undermine the security of nearly every government and financial institution worldwide and create utter anarchy.
A good part of the book centers on the cult of Pythagoras. Its followers believe that truth and reality can only be understood via their system of numbers. The NSA needs Jerusalem's assistance as he is one of the few people who have the mathematical, classical and philosophical background to help them. It is he who ultimately connects the dots that the Pythagoreans have left, which leads to the book's dramatic conclusion.
The book is a most enjoyable read and one is hard pressed to put it down once they start reading it. The reader gets a good understanding of who Pythagoras was and his worldview via Juels' weaving of Pythagorean philosophy into the storyline.
While the book is not autobiographical, there are many similarities between Ambrose Jerusalem and Ari Juels: from identical initials, to their lives and events in Berkeley and Cambridge, to RSA and more.
For a first book of fiction, Tetraktys is a great read. As a novelist, Juels' style approaches that of Umberto Eco, in that he weaves numerous areas of thought into an integrated story. Like Eco's works, Tetraktys has an arcane historical figure as part of its storyline, and an intricate plot that takes the reader on many, and some unexpected, turns. While not as complex and difficult to read as Eco, Tetraktys is a remarkable work of fiction for someone with a doctorate in computer science, not literature.
The book does have some gaps, though, as could be expected for a first novel. The reader is never sure what the Pythagoreans are really after or why they have resurfaced, and one of the characters is killed for reasons that are not apparent. Readers who want more information can visit the Tetraktys web site.
As to the book's protagonist, Ambrose Jerusalem is to Juels what Jack Ryan is to Tom Clancy, meaning that his adventures are just beginning, and that is a good thing.
For those interested in a cryptographic thriller, Tetraktys is an enjoyable read. The book interlaces Greek philosophy, mathematics, and modern crime into a cogent theme that is a compelling read. And if the exploits of Ambrose Jerusalem continue, we may have found the successor to Umberto Eco.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Tetraktys from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Torpig Botnet Hijacked and Dissected
An anonymous reader writes "A team of researchers at UC Santa Barbara have hijacked the infamous Torpig botnet for 10 days. They have released a report (PDF) that describes how that was done and the data they collected. They observed more than 180K infected machines (this is the number of actual bots, not just IP addresses), collected 70GB of data stolen by the Torpig trojan, extracted almost 10K bank accounts and credit card numbers worth hundreds of thousands of dollars in the underground market, and examined the privacy threats that this trojan poses to its victims. Considering that Torpig has been around at least since 2006, isn't it time to finally get rid of it?" -
Researchers Find Problems With RFID Passport Cards
An anonymous reader writes "Researchers at the University of Washington have found that RFID tags used in two new types of border-crossing documents in the US are vulnerable to snooping and copying. The information in these tags could be copied on to another, off-the-shelf tag, which might be used to impersonate the legitimate holder of the card." You can also read the summary of the researchers' report. -
Quantum Cryptography Gets Nanotube Boost
c1ay writes "In an article at the ScienceDaily News it is reported that two researchers at the University of Rochester have discovered a new property of carbon nanotubes, ideal photon emission. "The emission bandwidth is as narrow as you can get at room temperature," says Lukas Novotny, professor of optics at Rochester and co-author of the study. Such a narrow and steady emission can make such fields as quantum cryptography and single-molecule sensors a practical reality. RSA and Elliptic Curve wouldn't stand a chance against this unbreakable encryption." -
Strong Token-Based Authentication w/ Open Source Software?
durval asks: "I'm surveying token-based (2-factor) user authentication systems, and one of my prerequisites is that it must offer good support for open-source software (i.e., apart from any code that runs in the tokens themselves, all other software must either be standard open-source code -- like the RADIUS server -- or provided in source-code form, preferably under a GPL or BSD-like license). The other attribute is that it must integrate with RADIUS authentication." "So far I've found significant data for the following ones:
OPIE, née S/Key: ok, it's not a token-based system, but becomes very similar to one in functionality and security when you use a Palm handheld running PalmKEY or PilOTP (except that a Palm isn't tamper-proof hardware, but this is not a prerequisite for my application). The main problem I'm having with it is that I can't find an open-source RADIUS server that supports S/Key authentication, and the project seems mostly dead (no one is contributing anything anymore); on the positive side, it's a sound system with a published design that has withstood attack over the years, and it's completely available under free terms [free both as in freedom and as in beer].
SecurID: this is the most famous and most used token-based authentication system available. It's been around for the bigger part of 10 years, and it's very easy to use: the user has a key fob or similar device, and types the number displayed on it -- this number changes once per minute, and is time-synched with the server -- appended to a normal fixed password, called a PIN in SecurID's parlance. Its main problem is that it's very open-source unfriendly: nothing is provided in source-code form, under any license, and the required ACE/Server software doesn't even run on open-source operating systems (the closest it comes to this is running on Sun Solaris, for those who consider it open-source). Also on the negative side, it's based on a "secret" (although allegedly heavily audited) hash algorithm, and there has been more than one rumour over the last years regarding vulnerabilities in the algorithm.
CRYPTOcard: these guys use a challenge-response type of authentication mechanism, which I feel is inherently more secure than a time-based one like SecurID, if only because it's not displaying usable numbers all the time -- numbers which could be collected and used to exploit a hypothetical algorithm vulnerability, or else used -- in their 60-second window -- in conjunction with the PIN to impersonate the legitimate user. Also, the challenge/response algorithm is based on DES/3DES, which are good, public algorithms that have stood well the test of time (simple DES's main problem is the key length, but 3DES solves that handily). Unfortunately, the company's open-source policy isn't very clear: they sell their own (closed-source) easyRADIUS server, and presently support no open-source alternatives (although they have promised support for freeRADIUS "real soon now").
So, has any of you experience -- good or bad -- with token-based (or similar) strong user authentication in open-source environments? I'm especially interested in hearing from people who managed to implement RADIUS authentication using S/Key; I'm also interested in hearing people's experiences with CryptoCARD or similar systems; for the reasons exposed above, I intend to keep my distance from SecurID and similarly expensive and "black-box" closed-source systems.
Thanks in advance to everybody. If you would rather comment privately, feel free to contact me by email (just substitute the AT and DOTs with the appropriate symbol and punctuation), and if you want to send it encrypted, my PGP key is on the servers, and can also be retrieved here." -
Sony PS2 To Sport Netscape and SSL
joq writes "Just when you thought you'd heard it all... RSA Security Inc. announced it will market a development tool to equip software for a PlayStation2 game console developed by Sony with Netscape and SSL. The new development tool will allow game developers to equip online games for PS2 with SSL or other encryption means to prevent such games from being copied. Sony will sell a PS2 compatible hard disk drive unit with a broadband communications capability and is expected to sport Netscape equipped with SSL. The browser would not be necessary, however, for using game software with SSL because such game software itself processes an amount of money charged with users of networked games through a credit card number securely. Full story is on NikkeiBP and also the RSA press release" -
On the Commercial Use Of Apache and SSL
Skapare asks: "A year ago, this question about using Apache and SSL in a commercial environment was asked in the Apache section of Slashdot. The RSA patent was still in force back then, and the focus was on commercial products like Raven. Since then, the RSA patent has been released and then expired. That same month a year ago, Ask Slashdot also featured a question about encumbrance of SSL/PGP. But with the RSA patent gone, and Diffie-Hellman before it, this surely opens up Apache with SSL free for commercial use. Now I'm exploring options for free SSL for Apache, and note at least two choices, Apache-SSL, and mod_ssl. What I'd like to ask is what are the fundamental and principle differences between these free versions that I should consider in deciding which I should use in a commercial environment." -
Feature:Obscurity as Security
Matthew Priestley has taken a break from slaving for the man to write us a piece where he takes on the conventional wisdom that Security through Obscurity isn't secure at all, and tries to argue that sometimes it is. Click the link below to read it. Lots of interesting stuff and some good examples. It's worth a read. The following was written by Slashdot Reader Matthew Priestley.
Obscurity as Security
Disclaimer: The author of this paper works for Microsoft, but his opinions may not be those of Microsoft. In fact, they aren't. The author hereby declares that nobody important is even aware of his existence and that the closest he has ever come to plotting with Bill Gates on the Master Plan was when they used adjacent urinals this one time. The author did not peek.
0 Introduction
With the popularity of the open-source mindset, a general contempt has drizzled upon all forms of obscurity. The concept of security through obscurity (STO) in particular has been decimated. Security through obscurity, which relies on the ignorance of attackers rather than the strength of defenders, is dead in all but practice. The victory of the opposing full disclosure approach is so complete that proposed tactics die at the mere hint they are a form of STO. This paper suggests security through obscurity can and does work in certain strictly limited ways, and should not be eliminated unthinkingly from the admin's arsenal. It further implies that the boundaries between STO and 'real' security are blurry and deserve evaluation. However, this paper in no way proposes obscurity as a method for keeping secrets in the long term.
1 Full disclosure does not apply to instantiated data
Instantiated data - the data used by specific instances of an algorithm - do not fall within the scope of full disclosure. Were this not so, then even the simplest password would violate the ban on security through obscurity. Passwords are secrets known only to their creators, and password entry is commonly obscured, as in the case of the 'shadow' login of UNIX. While the login protocol may be open, passwords themselves are a form of STO, with obscurity localized in the password string. Instantiated data are exempt from full disclosure because the risk from their failure is limited. When a script cracks a password, the damage done to the secure system extends only as far as that password's scope. The cracker cannot use the compromised string to gain power directly in another system, even if that system runs the same password protocol. Nor can anything be inferred about the value of one password merely from the value of another with equal or lower permissions.
A similar example of instantiated data obscurity is the private key that forms the basis of asymmetric cryptography. So obscure is this information that it is rare for even the owner to be familiar with its precise value. But such obscurity is a necessary element of modern security schemes. Strong security does not eliminate obscurity - rather, it localizes obscurity to instantiated data. The phrase in cryptology, 'carry all security in the key' might be better phrased 'carry all obscurity in the key'.
2 Full disclosure does not apply to time-limited secrets
Secrets that expire after a short lifetime can be protected by a wider array of techniques than long-standing secrets. The defense of information that will be irrelevant in a matter of hours or days may not warrant fully peer-reviewed security. Consider the famous Navajo code-talkers of World War II. Among the Americans coordinating the attack against Japanese-held islands in the Pacific were a number of Navajo Indians, who spoke a slangy version of the complex Navajo tongue. Commands from HQ were issued through these code-talkers, who encrypted and decrypted with an alacrity that belittled the automated methods of the day. This is an excellent example of time-limited security through obscurity. Secret languages are excellent security in the short-term, but however cryptic Navajo may be, it is a code subject to human betrayal. Use of Navajo against the Japanese much beyond the 3-year window of the war would have been unwise. But because the secrets of American strategy in the Pacific were irrelevant after the conclusion of the fighting, the long-term weakness of obscure Navajo as a security measure was unimportant.
3 Obscurity serves as a tripwire
Perhaps the classic example of wrongheaded STO is the administrator who modifies his web server to listen on a nonstandard port - thereby confusing attackers, as the theory goes. Considering the degree to which tasks such as port scanning can be automated, the naivete of this defense seems plain. The cracker might be forced to check all 64512 unreserved ports, but eventually the concealed web server will be found. This appears to be a weakness of STO, but if manipulated correctly, it is in fact a great strength. Imagine that our same admin had also invoked a tripwire script and set it to listen on one or more unused ports. When the tripwire is probed with a SYN packet from a cracker trying to locate the web server, instantly the system goes to full alert. The packet is logged and the admin's pager sounds like an alarm. Such tripwire approaches work because they do not expect obscurity to keep information hidden. Rather, they obscure information as a ploy to force invaders into showing their hand. Because the obscured implementation differs on each system, crackers must resort to guess-check scanning before attacks can commence. But tripwires are deployed throughout the system, anticipating this very move. Running an automated kit suddenly becomes a risky proposition, and even talented crackers must gamble on, for example, whether 'root' is really the name of the primary account or merely a hotline to the authorities.
Lighthearted implementations of this approach are a staple in the popular "Indiana Jones" films. In one scene, Jones is confronted with a hallway of lettered tiles, all seemingly alike. To cross safely he must step only on those tiles with letters corresponding to the secret word 'Jehovah'. The penalty for a misstep is to crash through the floor and plummet into a gaping pit. Attackers not privy to the password would find an exhaustive search less than optimal in this case. When traps are mingled with genuine data, STO can be a powerful disincentive. Such measures do not make a given machine resistant to breach in the long term, any more than medieval moats could ultimately protect their castles. But like moats, tripwire obscurity provides a critical buffer against attackers, allowing defenders room to breathe.
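The tripwire idea in section 3 boils down to detection logic: a connection to a port that no legitimate client knows about is itself the alarm, and a source that walks many ports is doing exactly the guess-and-check scanning the author predicts. The following is an added example, not code from the original article; it assumes a netfilter-style connection log (SRC=/DPT= fields), an obscured web server on port 8443 and a hypothetical set of decoy ports, all of which are constructed for the demo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed assumptions for this demo: the real web server was moved to an
# unadvertised port, and listeners on several unused ports exist only as bait.
REAL_SERVICE_PORTS = {8443}                       # the obscured web server
TRIPWIRE_PORTS = {21, 23, 80, 1433, 3306, 8080}   # decoys: nothing legitimate lives here
SCAN_THRESHOLD = 4   # distinct ports touched by one source before we call it a scan

# Assumed log format: a netfilter-style line carrying SRC= and DPT= fields.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dport>\d+)")


@dataclass
class Verdict:
    tripwire_hits: list = field(default_factory=list)   # (src, port) pairs that hit a decoy
    scanners: set = field(default_factory=set)          # sources that probed many ports
    ports_by_src: dict = field(default_factory=lambda: defaultdict(set))


def parse_line(line):
    """Return (src, dport) for a connection record, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("dport"))


def analyse(lines):
    """Walk connection records. A single SYN to a decoy port is an alert on its own;
    a source touching SCAN_THRESHOLD distinct ports is additionally flagged as scanning."""
    v = Verdict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dport = rec
        v.ports_by_src[src].add(dport)
        if dport in TRIPWIRE_PORTS:
            # The obscurity is the bait: no legitimate client knows these ports,
            # so any contact is evidence of guess-and-check probing.
            v.tripwire_hits.append((src, dport))
        if len(v.ports_by_src[src]) >= SCAN_THRESHOLD:
            v.scanners.add(src)
    return v


# Constructed sample log: one legitimate client on the obscured port, and one host
# sweeping for the web server that steps on two decoys before finding it.
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51022 DPT=8443 SYN
Jan 10 12:00:05 gw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80 SYN
Jan 10 12:00:05 gw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=8080 SYN
Jan 10 12:00:05 gw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=8000 SYN
Jan 10 12:00:06 gw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=8443 SYN
Jan 10 12:00:07 gw sshd[123]: Accepted publickey for ops from 203.0.113.7
""".splitlines()


if __name__ == "__main__":
    verdict = analyse(SAMPLE_LOG)
    for src, port in verdict.tripwire_hits:
        print(f"TRIPWIRE: {src} probed decoy port {port}")
    for src in sorted(verdict.scanners):
        print(f"SCAN: {src} touched {len(verdict.ports_by_src[src])} distinct ports")
```

Note that the legitimate client, which knew the real port from the start, never appears in either list; only the source that had to search generates evidence.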
4 Asymmetric cryptography exhibits traits of STO
Despite the notion that asymmetric cryptography such as RSA is 'real' security, in some aspects these methods resemble STO. Indeed, this entire class of cryptography is founded on the hopeful guess that a certain mathematical problem is intractable. The back door into cryptographic methods that rely on multiplying primes is, quite simply, to develop a swift means of factoring those multiples. This NP-time problem must be solved before a private key can be derived from its corresponding public key, and the notorious difficulty of NP problems leads some supporters to characterize asymmetric cryptography as 'provably secure'. This is far from the case - there is uncertainty among mathematicians as to whether this problem will even prove non-trivial once approached from the right angle. Startling progress has been made in solving similar 'impossible' problems using innovative ploys - for example, DNA computers can now solve the Traveling Salesman problem in linear time. Given that asymmetric encryption is used widely in the world's e-commerce infrastructure, the repercussions when this piece of obscurity is cracked are disturbing to contemplate. One telling argument against STO is that it promotes a false sense of security, leading admins into complacency. But the complexity of asymmetric cryptography, combined with reports of its infallibility, can produce much the same effect. Consider this social-engineering exploit of digital signing. Using a tool such as makecert, the cracker generates a root certificate with the name 'Verisign Class 1 Primary CA' and uses it to sign an end-entity certificate with the subject 'CN=Rob Malda, E=malda@slashdot.org' (CT: Please don't. I'm used to posers pretending to be me in Quake, but not on email ;) The cracker then sends the email to an enemy, using a client that does not validate e-mail addresses and spoofing the return address friendly name.
The inexpert recipient, thinking all is in order and knowing that digital signatures never lie, trusts the root certificate and henceforth carries on a conversation with a false CmdrTaco. Only scrutiny of the headers will reveal the mail is actually going to a different address. The widely made claim that public-key cryptography is 'real' security and completely unrelated to 'false' STO delivers a more powerful illusion of security than anything an XOR'd password file can provide.
Even brute-force cryptanalysis has parallels in STO. Suppose we wish to conceal the passwords for a number of Swedish bank accounts. We resolve to write them to a secret location on our hard drive, perhaps a few unused bytes in a file sector. Only we, who know the lucky offset, can read the data. This form of concealment is a typical case of security through obscurity. The integrity of our secret depends on the ignorance of the cracker, and a trial of all 2^n possible locations compromises the system. But in what way is this fundamentally different from the 'genuine' security of n-bit encryption? To break this form of security, 2^n keys are generated and tried against the cipher text until the result is a plain body. Is the difference between this 'true' security and the 'false' STO merely that n is considerably larger in encryption than in the case of hard drives? But this implies that our real error lay, not in reliance upon obscurity, but in having a hard drive of insufficient size!
5 Conclusions
Security in the absence of obscurity is not strictly possible, but good systems both localize and advertise their points of obscurity. When the admin is fully aware of the obscurity in a system, tripwires and instantiated data can provide a useful complement to more rigorous security techniques. Obscurity cannot keep information safe or concealed for long, but it can make attacks risky and destroy the effectiveness of automatic kits. These benefits should not be dismissed as an article of faith. -
Feature:Obscurity as Security
Matthew Priestley has taken a break from slaving for the man to write us a piece where he takes on the convential wisdom that Security through Obscurity isn't secure at all, and tries to argue that sometimes it is. Click the link below to read it. Lots of interesting stuff and some good examples. Its worth a read. The following was written by Slashdot Reader Matthew Priestley Obscurity as Security Disclaimer: The author of this paper works for Microsoft, but his opinions may not be those of Microsoft. In fact, they aren't. The author hereby declares that nobody important is even aware of his existence and that the closest he has ever come to plotting with Bill Gates on the Master Plan was when they used adjacent urinals this one time. The author did not peek.
0 Introduction
With the popularity of the open-source mindset, a general contempt has drizzled upon all forms of obscurity. The concept of security through obscurity (STO) in particular has been decimated. Security through obscurity, which relies on the ignorance of attackers rather than the strength of defenders, is dead in all but practice. The victory of the opposing full disclosure approach is so complete that proposed tactics die at the mere hint they are a form of STO.
This paper suggests security through obscurity can and does work in certain strictly limited ways, and should not be eliminated unthinkingly from the admin's arsenal. It further implies that the boundaries between STO and 'real' security are blurry and deserve evaluation. However, this paper in no way proposes obscurity as a method for keeping secrets in the long term.
1 Full disclosure does not apply to instantiated data
Instantiated data - the data used by specific instances of an algorithm - do not fall within the scope of full disclosure. Were this not so, then even the simplest password would violate the ban on security through obscurity. Passwords are secrets known only to their creators, and password entry is commonly obscured, as in the case of the 'shadow' login of UNIX. While the login protocol may be open, passwords themselves are a form of STO, with obscurity localized in the password string.
Instantiated data are exempt from full disclosure because the risk from their failure is limited. When a script cracks a password, the damage done to the secure system extends only as far as that password's scope. The cracker cannot use the compromised string to gain power directly in another system, even if that system runs the same password protocol. Nor can anything be inferred about the value of one password merely from the value of another with equal or lower permissions.
A similar example of instantiated data obscurity is the private key that forms the basis of asymmetric cryptography. So obscure is this information that it is rare for even the owner to be familiar with its precise value. But such obscurity is a necessary element of modern security schemes. Strong security does not eliminate obscurity - rather, it localizes obscurity to instantiated data. The phrase in cryptology, 'carry all security in the key' might be better phrased 'carry all obscurity in the key'.
2 Full disclosure does not apply to time-limited secrets
Secrets that expire after a short lifetime can be protected by a wider array of techniques than long-standing secrets. The defense of information that will be irrelevant in a matter of hours or days may not warrant fully peer-reviewed security. Consider the famous Navajo code-talkers of World War II. Among the Americans coordinating the attack against Japanese-held islands in the Pacific were a number of Navajo Indians, who spoke a slangy version of the complex Navajo tongue. Commands from HQ were issued through these code-talkers, who encrypted and decrypted with an alacrity that belittled the automated methods of the day. This is an excellent example of time-limited security through obscurity. Secret languages are excellent security in the short-term, but however cryptic Navajo may be, it is a code subject to human betrayal. Use of Navajo against the Japanese much beyond the 3-year window of the war would have been unwise. But because the secrets of American strategy in the Pacific were irrelevant after the conclusion of the fighting, the long-term weakness of obscure Navajo as a security measure was unimportant.
3 Obscurity serves as a tripwire
Perhaps the classic example of wrongheaded STO is the administrator who modifies his web server to listen on a nonstandard port - thereby confusing attackers, as the theory goes. Considering the degree to which tasks such as port scanning can be automated, the naivete of this defense seems plain. The cracker might be forced to check all 64512 unreserved ports, but eventually the concealed web server will be found. This appears to be a weakness of STO, but if manipulated correctly, it is in fact a great strength. Imagine that our same admin had also invoked a tripwire script and set it to listen on one or more unused ports. When the tripwire is probed with a SYN packet from a cracker trying to locate the web server, instantly the system goes to full alert. The packet is logged and the admin's pager sounds like an alarm.
Such tripwire approaches work because they do not expect obscurity to keep information hidden. Rather, they obscure information as a ploy to force invaders into showing their hand. Because the obscured implementation differs on each system, crackers must resort to guess-check scanning before attacks can commence. But tripwires are deployed throughout the system, anticipating this very move. Running an automated kit suddenly becomes a risky proposition, and even talented crackers must gamble on, for example, whether 'root' is really the name of the primary account or merely a hotline to the authorities.
Lighthearted implementations of this approach are a staple in the popular "Indiana Jones" films. In one scene, Jones is confronted with a hallway of lettered tiles, all seemingly alike. To cross safely he must step only on those tiles with letters corresponding to the secret word 'Jehovah'. The penalty for a misstep is to crash through the floor and plummet into a gaping pit. Attackers not privy to the password would find an exhaustive search less than optimal in this case. When traps are mingled with genuine data, STO can be a powerful disincentive. Such measures do not make a given machine resistant to breach in the long term, any more than medieval moats could ultimately protect their castles. But like moats, tripwire obscurity provides a critical buffer against attackers, allowing defenders room to breathe.
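A tripwire listener of the kind this section describes, as an added example (not the essay's code): it binds an otherwise unused TCP port, treats any connection to it as a scan in progress, and logs the source. It records completed TCP connections rather than raw SYN packets, an assumption made so it runs without raw-socket privileges; the names DecoyListener, ProbeEvent, format_alert, simulate_probe and wait_for_events are this example's own.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class ProbeEvent:
    """One connection attempt against a decoy port."""
    timestamp: float
    decoy_port: int
    source_ip: str
    source_port: int


class DecoyListener:
    """Binds an unused TCP port and records every connection made to it.

    Nothing legitimate should ever connect here, so each accepted connection
    is treated as a scan in progress. Only completed handshakes (what a
    connect() scan produces) are seen; bare SYN probes would need raw sockets.
    """

    def __init__(self, host="127.0.0.1", port=0, on_probe=None):
        self.events = []
        self._on_probe = on_probe
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))       # port=0: let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()                    # never talk back; just log and alert
            event = ProbeEvent(time.time(), self.port, ip, sport)
            self.events.append(event)
            if self._on_probe is not None:
                self._on_probe(event)

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()


def format_alert(event):
    """Render a probe as a one-line log entry (the 'pager' message in the essay)."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(event.timestamp))
    return (f"{stamp}Z TRIPWIRE decoy_port={event.decoy_port} "
            f"src={event.source_ip}:{event.source_port}")


def simulate_probe(port, host="127.0.0.1"):
    """Loopback self-test only: behave like a connect() scan hitting one port."""
    with socket.create_connection((host, port), timeout=2):
        pass


def wait_for_events(listener, count, timeout=2.0):
    """Poll until the listener has recorded `count` events; return a copy of them."""
    deadline = time.time() + timeout
    while len(listener.events) < count and time.time() < deadline:
        time.sleep(0.02)
    return list(listener.events)


if __name__ == "__main__":
    decoy = DecoyListener(on_probe=lambda e: print(format_alert(e))).start()
    simulate_probe(decoy.port)              # constructed probe from loopback
    wait_for_events(decoy, 1)
    decoy.stop()
```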
4 Asymmetric cryptography exhibits traits of STO
Despite the notion that asymmetric cryptography such as RSA is 'real' security, in some aspects these methods resemble STO. Indeed, this entire class of cryptography is founded on the hopeful guess that a certain mathematical problem is intractable. The back door into cryptographic methods that rely on multiplying primes is, quite simply, to develop a swift means of factoring those multiples. This NP-time problem must be solved before a private key can be derived from its corresponding public key, and the notorious difficulty of NP problems leads some supporters to characterize asymmetric cryptography as 'provably secure'. This is far from the case - there is uncertainty among mathematicians as to whether this problem will even prove non-trivial once approached from the right angle. Startling progress has been made in solving similar 'impossible' problems using innovative ploys - for example, DNA computers can now solve the Traveling Salesman problem in linear time. Given that asymmetric encryption is used widely in the world's e-commerce infrastructure, the repercussions when this piece of obscurity is cracked are disturbing to contemplate.
One telling argument against STO is that it promotes a false sense of security, leading admins into complacency. But the complexity of asymmetric cryptography, combined with reports of its infallibility, can produce much the same effect. Consider this social-engineering exploit of digital signing. Using a tool such as makecert, the cracker generates a root certificate with the name 'Verisign Class 1 Primary CA' and uses it to sign an end-entity certificate with the subject 'CN=Rob Malda, E=malda@slashdot.org' (CT:Please don't. I'm used to posers pretending to be me in Quake, but not on email ;) The cracker then sends the email to an enemy, using a client that does not validate e-mail addresses and spoofing the return address friendly name.
The inexpert recipient, thinking all is in order and knowing that digital signatures never lie, trusts the root certificate and henceforth carries on a conversation with a false CmdrTaco. Only scrutiny of the headers will reveal the mail is actually going to a different address. The widely made claim that public-key cryptography is 'real' security and completely unrelated to 'false' STO delivers a more powerful illusion of security than anything an XOR'd password file can provide.
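The look-alike root described above, worked as an added example (not the essay's or any vendor's code) with the Python cryptography package, which it assumes is installed: a home-made root that merely copies the trusted CA's name passes a name-based trust check, but fails once the recipient's trust decision is pinned to the genuine root's fingerprint. All names, keys and certificates are constructed inside the block, and make_cert, signed_by, trusted_by_name, trusted_by_fingerprint, build_scenario and evaluate are this example's own names.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cn, subject_key, issuer_key, is_ca):
    """Build and sign a minimal X.509 certificate (constructed test data)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def signed_by(cert, issuer_cert):
    """True only if issuer_cert's key really produced cert's signature."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def trusted_by_name(leaf, root, trusted_root_names):
    """The mistake in the essay: accept a root because its name looks familiar."""
    return common_name(root) in trusted_root_names and signed_by(leaf, root)


def trusted_by_fingerprint(leaf, root, trusted_fingerprints):
    """Pin the root by SHA-256 fingerprint; a look-alike root cannot match it."""
    return (root.fingerprint(hashes.SHA256()) in trusted_fingerprints
            and signed_by(leaf, root))


def build_scenario():
    """Constructed scenario: a genuine root, and a home-made root reusing its name."""
    genuine_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    genuine_root = make_cert("Example Root CA", "Example Root CA",
                             genuine_key, genuine_key, True)
    lookalike_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    lookalike_root = make_cert("Example Root CA", "Example Root CA",
                               lookalike_key, lookalike_key, True)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # End-entity cert carrying a borrowed display name, signed by the look-alike.
    leaf = make_cert("Example User", "Example Root CA", leaf_key, lookalike_key, False)
    return genuine_root, lookalike_root, leaf


def evaluate(genuine_root, lookalike_root, leaf):
    """Run both trust checks against the look-alike chain; only pinning rejects it."""
    names = {common_name(genuine_root)}
    fingerprints = {genuine_root.fingerprint(hashes.SHA256())}
    return {
        "same_name": common_name(lookalike_root) == common_name(genuine_root),
        "same_fingerprint": (lookalike_root.fingerprint(hashes.SHA256())
                             == genuine_root.fingerprint(hashes.SHA256())),
        "by_name": trusted_by_name(leaf, lookalike_root, names),
        "by_fingerprint": trusted_by_fingerprint(leaf, lookalike_root, fingerprints),
        "genuine_root_signed_leaf": signed_by(leaf, genuine_root),
    }


if __name__ == "__main__":
    for key, value in evaluate(*build_scenario()).items():
        print(f"{key}: {value}")
```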
Even brute-force cryptanalysis has parallels in STO. Suppose we wish to conceal the passwords for a number of Swedish bank accounts. We resolve to write them to a secret location on our hard drive, perhaps a few unused bytes in a file sector. Only we, who know the lucky offset, can read the data. This form of concealment is a typical case of security through obscurity. The integrity of our secret depends on the ignorance of the cracker, and a trial of all 2^n possible locations compromises the system. But in what way is this fundamentally different from the 'genuine' security of n-bit encryption? To break this form of security, 2^n keys are generated and tried against the cipher text until the result is a plain body. Is the difference between this 'true' security and the 'false' STO merely that n is considerably larger in encryption than in the case of hard drives? But this implies that our real error lay, not in reliance upon obscurity, but in having a hard drive of insufficient size!
5 Conclusions
Security in the absence of obscurity is not strictly possible, but good systems both localize and advertise their points of obscurity. When the admin is fully aware of the obscurity in a system, tripwires and instantiated data can provide a useful complement to more rigorous security techniques. Obscurity cannot keep information safe or concealed for long, but it can make attacks risky and destroy the effectiveness of automatic kits. These benefits should not be dismissed as an article of faith. -
Feature:News in the Slashdot Decade
Matthew Priestley has written an excellent essay on News in the Slashdot Decade. It talks about how The Internet is changing the way that news moves about, and discusses problems and advantages related to it. Interesting, it's a really excellent piece.
The following was written by Slashdot Reader Matthew Priestley, who, despite his email address, is a pretty cool guy.
Honest News in the Slashdot Decade
In this paper, we discuss the nature of biased and unbiased news in terms of 'trust decisions', using the cryptographic sense of that phrase. We examine the biases in modern media and identify their causes. Two examples of community news services are examined: Slashdot.org, and FreeRepublic.com. (0) From this analysis we derive a model of community news.
Disclaimer: The author of this paper works for Microsoft, but his opinions may not be the opinions of Microsoft. In fact, they aren't. The author hereby declares that nobody important at Microsoft is even aware of his existence, and that he is about as significant to Bill Gates as a single bacterium in your colon is significant to the weather in France.
0 Introduction
There is a malaise of distrust among news consumers. In recent years the number of news outlets has dwindled due to mergers and attrition, leaving information consumers with a scrawny range of choice. As the global quantity of information grows at a jaw-dropping rate, individuals increasingly despair of their ability to filter the news without aid from massive corporations.
Almost half of adults have little or no trust in media agencies (1), yet almost all delegate news collection to companies they will condemn if asked. When consumers knowingly act against their own interests, a form of coercion must be in operation. In the case of news, this coercion is a stranglehold enjoyed by media companies over filtered information. If their services are not accepted, the consumer sinks in a sea of data. In a world in which no one can process all the news and still enjoy a full life, having all information is as useless as having no information at all.
1 Nature and weakness of trust decisions
The selection of a news-filtering agency resembles what is called in cryptology a 'trust decision'. Briefly, a trust decision is a choice made by the user to validate another user's digital certificate. By assigning trust to the certificate, any content signed by that certificate becomes, in a limited sense, trustworthy. (2)
It is burdensome to evaluate the trustworthiness of every certificate, and a typical user lacks the expertise to investigate each exhaustively. For this reason, most users choose to trust a Certification Authority or CA, a central agency empowered to make trust decisions on their behalf. By endowing a single node with the power to filter certificates, the user is spared this chore. (3)
This process is analogous to the decision to accept news from an established information outlet. It would require an unreasonable effort and scads of time for any individual to audit all the news. Apart from sheer volume, appraising facts often requires background familiarity. Sources must be checked, viewpoints solicited, and impact considered. It becomes clear that this is no task for a person who hopes to conduct, for example, a life on the side. Hence the necessity of the trust decision.
Due to the exhausting claims of evaluating news, authority to filter information must be delegated.
2 Sources of bias in modern media
2.1 Opinion pollution
That trust decisions are subject to predation should be apparent. The most evident form of bias is opinion pollution, in which the subjective feelings of a reporter taint the news. Such bias may either be systemic, or it may be the fault of "rogue" reporters, or both.
This form of bias is trivial to establish. In a July 8th article discussing a verdict against tobacco companies, the New York Times dwells on the volume of damning evidence presented by the plaintiffs. The deformities of the smokers are described, and the article drops a helpful tip about joining the suit. (4) Covering precisely the same event, the Wall Street Journal scrupulously avoids discussing the smokers, save to describe their organizers as 'flamboyant'. The spectre of a flooded court system and billions in costs is raised multiple times, and the guilty verdict categorized as a legal 'aberration'. (5)
This form of trust violation can be characterized in two ways. If the tolerance for personal beliefs in the news is not widespread, but isolated to a few reporters, then officials of the corporation have delegated their authority unwisely. An organization that is otherwise trustworthy will eventually correct this error. If the corruption runs throughout, however, then the consumer's initial trust decision was poor. In either event, ongoing opinion pollution can only be sustained by broad organization-wide consensus on the value of certain ideas.
Opinion pollution is a trait of homogeneous groups.
2.2 Advertising revenue and corporate ownership
Often overlooked as a source of bias is the murky relationship between news providers and advertisers. The age-old subscription model has fallen by the wayside, unable to compete with advertiser-funded services that appear to offer information for free. (6)
One fallacy is that advertising flows toward high readership, rewarding popularity with success. In reality, corporations are interested in buyers, not readers. The Daily Herald, a workers' paper in 1960s England, boasted a readership of 4.7 million the year of its demise - nearly double that of the Times, the Financial Times, and the Guardian combined. (7) But the Herald's readers were demi-socialists, and failed to support the very businesses keeping their paper alive. The advertising money melted away.
A look at subscription income and advertising income emphasizes the dwindling importance of readers. A copy of The Washington Post costs as little as 24 cents a day. By contrast, one inch of black-and-white advertisement in the paper commands $257.55. (8) Economically, it would be more prudent for the Post to alienate 1000 readers than one business buying a daily inch of print. If the lost readership were confined to non-buyers, advertising rates would not even have to drop. When profit per advertiser squashes profit per consumer, the business of advertiser-funded information outlets becomes not the sale of information, but the sale of a receptive audience.
The situation is aggravated when a large corporation owns the news-filtering outlet. Most fans of TV news are unaware ABC is owned by Disney, NBC by GE with investment from Microsoft, and CBS by Westinghouse Electric. Stories critical to these interests are treated gingerly in the news. (9)
Reliance on advertising or corporate ownership selects for news that is business-friendly. High readership is no exemption.
2.3 Feeder authority
Any reader who has attempted to wrest information from the government is aware of its inertia. Similarly, the PR departments of businesses are known for their unhelpful volubility. In the first case the problem is information deficit, in the second it is disinformation glut, but ultimately the predicament is the same.
The situation is no different in a modern newsroom. Effective reporters are those who have established personal relationships with 'sources' inside various institutions who feed them privileged information. These reporters are superior information gatherers because they may ask questions that typically are rebuffed.
Without the goodwill of their 'feeders', even competent journalists drown in a sea of flack. Should an information gatherer alienate an important feeder, the gatherer is instantly severed from a pool of developing information. Pains are taken to ensure feeders are pleased with the treatment of their comments in published accounts. (10) This creates an unhealthy environment for the analysis of news. If an information outlet were to criticize the statements of a feeder, or if fallacies or lies were exposed in the feeder's reasoning, the potential effect on the outlet would be calamitous. This allows the feeder to make use of information outlets as occasional distributors of propaganda, knowing that refusal is unlikely.
Information from a small number of feeders may be propagandized.
3 News distribution over the Internet
Slashdot.org and FreeRepublic.com are representatives of a new class of news filter. While using these sites, consumers alter the fundamental structure of their trust decision. Rather than inhabiting a descending tree, in which trust is derived from progressively higher and fewer nodes, a Slashdotter or Freeper distributes their trust. In a distributed trust model, each consumer inhabits a single node in a formless but highly connected graph. Central authority is weak, participants are anonymous, and all nodes perform small amounts of voluntary labor.
3.1 Slashdot.org
Recently thrown mainstream as a gathering spot for Linux advocates, Slashdot.org has a large and devoted following of geeks and technophiles. Interestingly, because of its adherence to transparency and peer review, Slashdot has evolved a news system that defeats several of the biases described above. Slashdot is the conceptual descendant of the Internet newsgroup and the old-timer's BBS. Members log in to the web board and select one or more current items to discuss, then post their reactions.
3.1.1 Successes of the Slashdot model
Participants on Slashdot are only identifiable if they wish to be. Widespread use of aliases insulates participants from real-world reprisal - a Slashdotter may criticize the government, their employer, or other feeders with small risk. Handle-use also renders a state of meritocracy on Slashdot. Comments and topic submissions are judged by their own merits, since little is known about their real-world source. Aliases grow trusted in the forum as a result of their owner's contributions. Deprecated aliases have only themselves to blame.
Members submit topics on Slashdot, and those with promise are posted to the forum. By distributing the labor of reporting, the process of information collection becomes inexpensive, and the likelihood of discovering important news increases - much like the 'Have you seen this child?' ads on milk cartons. (11) When the system requests voluntary labor, it is limited to tasks costing only a few mouse clicks. The decision of what is 'newsworthy' is also simplified, since an audience member has provided the item. If each registered Slashdot member contributed only 1 minute per day, their efforts would sum to 1083 work-hours of labor - absolutely free.
Relinquishing trust to anonymous lurkers appears foolhardy, but as randomness grows, so does quality. The web demographic is a straw poll in the worst sense of the term (12), but there are tide pools of demographic validity if groups are narrowly defined. When a site achieves a certain level of notoriety, Slashdot for example, a cross-section of users may fairly be said to represent its supporting community, in this case idealistic geeks. An information consumer is not interested in topics useful to the average person; rather they are interested in what is useful to people like themselves.
No opinion is authoritative until it runs the Slashdot gauntlet. Members comment on topics, share experiences, and take potshots at sloppy reasoning. This is more egalitarian than the feedback model of magazines, TV, or books. In those cases, if a retort is even possible, it is run in the following issue, with no guarantee to reach the original audience. On Slashdot, user comments frequently upstage the 'official' news, and it is a testament to their quality that reading the primary source is often unnecessary. Because most topics excite a gamut of opinions, Slashdot defeats the threat of opinion pollution.
To tame dull or off-topic comments, Slashdot members are randomly empowered to moderate the 'score' of remarks. Moderators are chosen by the system with a preference towards regular but not ubiquitous readers. Comments that gain the approbation of everyday participants gradually move up through statistical effects. Pointless comments sink into oblivion. Visitors to the forum may choose their own threshold of dependence on this ratings system. On Slashdot, the uniform opinions of classic information outlets are rare.
Finally, the scripts and HTML that run Slashdot are released to the community. This ensures, within reason, that the site truly operates as billed, as well as opening the code to all the benefits of open source.
3.1.2 Failings of the Slashdot model
Among its positive effects, anonymity damages credibility. If Secretary of State Madeleine Albright posted a remark on technology export limitations, her opinion would be more significant than had 'DrDeath' typed precisely the same opinion. Validation of real-world credentials can be desirable. One solution would be to support either the S/MIME or PGP signing standards as a user option. A hash of important messages could be included with the post, thereby validating the identity of the signer. (13)
No Slashdot participant receives a handle until they submit an e-mail address to the Slashdot central authority. Those who do not may participate as 'Anonymous Cowards'. AC's suffer numerous disadvantages, not the least that their posts begin at a lower score. Though this distinction discourages meddling from non-regulars, it is risky. Regular members are no less anonymous or even cowardly than AC's, save that they have disclosed their private information to the Slashdot central authority. This makes criticism of the authority more difficult, since critical remarks are safe only as an AC post from a lab computer, which is immediately scored down.
There is one departure on Slashdot from democracy. While consumers do submit the discussion topics, these are dropped into an administrative black box, unseen until a few emerge handpicked by the central authority. Inside the 'box', a small number of humans, vulnerable to self-interest, choose which of the topics will be news. In theory, the authority could even replace submitted topics with its own. A better system would be an open one, moderated in the same manner as user remarks. Along with their ration of remark-points, moderators would be given a supply of topic-points, which could be spent on proposed topics in a pool. Users could set topic thresholds in the same manner that they set thresholds for remarks. This method would be self-policing and eliminate tedious work for the central authority. (Update: 07/16 01:15 by CT : See the Slashdot FAQ for the reason that I've decided not to do this)
Slashdot is funded by banner advertisements, and on 6/29/99 announced that it had been acquired by Andover.net. (14) While there is little danger of the various Linux distros exerting pressure as yet on Slashdot, and while Andover rarely appeared on Slashdot in the past, nonetheless these developments cast a shadow on the impartiality of the community forum. Is it less likely that a story criticizing Sony will be run when an advertisement for the Sony AIBO adorns the top banner? What would become of stories damaging to Andover? Members should be alert for signs of conflicting interest.
3.2 FreeRepublic.com
Similarly evolved, although less highly automated, is FreeRepublic.com, a forum for the exchange of conservative commentary. FreeRepublic is similar to Slashdot in appearance and general design. We will focus on their differences.
3.2.1 Successes of the FreeRepublic model
FreeRepublic's most notable trait is the freedom members enjoy in topic selection. Power is so far in their hands that every member may post any topic they choose, resulting in dozens of discussed topics per day. A true distributed trust network has no single point of entry. Since the number of daily articles is finite, any given node in a sea of nodes has negligible influence. Individuals may be bought or coerced, but since the merits of each contribution are peer-reviewed and peer-diluted, successful corruption must be hugely widespread. The resources needed to influence a majority of users would be prohibitive, and only dubiously worthwhile. Once accomplished, the forum would cease to serve the needs of valid members and would naturally dissolve. Attempts to corrupt distributed news forums are by nature self-defeating.
FreeRepublic reaps no funding from advertisement or corporate ownership. The site is fed by out-of-pocket donations from participants. Though it should be noted that FreeRepublic's supporting community stereotypically has more disposable income than the average netizen, even so the site is accountable to none save its members. When the object of a news outlet is the aggregation of money, it should be unremarkable when money supersedes the pursuit of information. But in a community forum, participants have no aim other than valuable and convenient news.
Participants on FreeRepublic meet physically, organize in chapters, and crusade in the real world to accomplish their aims. There is little risk to anonymity, since there is no need to divulge onscreen handles. Provided chapters are small and independent, the inevitable discussion of principles will not even dampen diversity of opinion, which could expose the forum to opinion pollution. Participants also leave the meetings with a sense of community, which increases their voluntary labor.
3.2.2 Failings of the FreeRepublic model
Although a blessing, complete freedom of topic selection is also a curse. At times of peak activity, two successive clicks on Refresh may result in two completely different topic lists. Crackpots frequently post and their topics slide off the page untouched by regulars. There is much duplication as news breaks. Most topics receive fewer than twenty comments, reducing the effects of peer-dilution and peer-review. All these problems could be resolved if FreeRepublic were to transition to the scoring-based topic selection approach recommended previously.
FreeRepublic has no moderation method for comments, and consequently all remarks carry equal weight. In its absence, opinions win by volume or position near the top of the remark list rather than insight or appeal to the median qualities of the community. Corruption of an unmoderated forum is trivial given fifty aliases and sufficient time.
On FreeRepublic, community participants are not permitted to comment or post discussion topics unless they are logged on. This is an extreme case of Slashdot's Anonymous Coward dilemma. No contribution can be made to the forum without being noted by the FreeRepublic central authority. There is no guarantee the central authority will not terminate or diminish the accounts of those who criticize its practices.
Finally, FreeRepublic is closed source. Though the site is more static than Slashdot, what scripts it has are not disclosed to the forum. Members must take it on trust that no back doors lurk in the code.
4 Issues in Internet news distribution
4.1 The trouble with enthusiasm
One trait of both Slashdot and FreeRepublic is that their populations contain a percentage of zealots. This fact attracts the attention of non-members and ensures the continued participation of long-standing ones. While allegiance to a specific viewpoint is in no way an exclusionary criterion on Slashdot or FreeRepublic, most users share a common opinion on a few controversial issues. This may reflect the fact that contentious topics generate the most passionate interest.
Regrettably, this bond introduces a capacity for bias. Most information processed on a trust graph will lie outside the emotional boundaries, allowing peer-review and peer-dilution to ensure honest news analysis. But when discussion touches on a 'hot button' topic, rampant uniformity of opinion eliminates these safeguards.
FreeRepublic may safely be termed incapable of objective thought when the topic of President Clinton is broached. One recent post discussing Clinton's attendance at the World Cup bore the helpful keywords 'CLINTON RAPIST EVIL SLEAZY TRAITOR'. (15) Similarly, the high quality of discourse on Slashdot disintegrates when Microsoft enters the headlines. Both communities may be absolutely correct in their opinions on these topics, but the mere fact of consensus mimics the effects of corruption and degrades the community information filter. Whether it is desirable or even possible to generate a community forum without this sort of bias is a question for further debate.
4.2 Overcoming feeder bias
Although incisive analysis may overcome the flaws in a poorly written news article, community forums are ultimately limited by their feeders. These feeders are not usually primary sources, except in cases where significant documents are available online. Far more common is the linking of news articles from established information filtering corporations. The question arises whether community news efforts can surmount partiality on the part of the original reporters.
The answer appears to be yes. When CPU-maker AMD recently released comparisons between its chips and those of rival Intel, Slashdot was quick to dissect the biases in presentation and supply the necessary omitted background. (16) However, it should be noted that processors are a topic enjoying high familiarity among the technical elite who visit the site. Had the discussion been on the political condition of Nicaragua, results would be sketchy at best. Fortunately, community information forums are inherently unlikely to encounter this dilemma. Since the group as a whole selects topics, discussions lying outside the expertise of the majority are rare. A more difficult question is this: will community news replace traditional news outlets, or merely supplement them?
5 Conclusion
Community information filters are a novel approach to news. Trading on the principles of self-interest and distributed trust, they levy the expertise of thousands into producing honest, cheap daily news. In a world where command of information is rapidly becoming the root of institutional power, distributed trust graphs refocus information upon the needs of the citizen. While they remain in a state of infancy, the rise of sites such as Slashdot and FreeRepublic herald the demise of traditional information flows. We have entered the Slashdot decade, and only time will judge our success.
6 References
(0) http://www.slashdot.org, http://www.freerepublic.com
(1) http://www.gallup.com/poll/releases/pr990108.asp
(2) http://www.rsa.com/rsalabs/faq/html/4-1-3-11.html
(3) E.g. http://www.thawte.com
(4) "Tobacco Industry Loses First Phase of Broad Lawsuit", New York Times, 6/8/99
(5) "A 'Class' Trial Finds Tobacco Firms Liable; Big Payments May Follow", Wall Street Journal, 6/8/99
(6) Cable is an exception. The means of distribution in cable are monopoly-owned, preserving cable from direct competition with TV.
(7) Herman & Chomsky, Manufacturing Consent, Pantheon Books, p15, [cf.]
(8) As of July 1999, Washington Post, http://www.washingtonpost.com/wp-srv/guide/sub/sub.htm, http://adsite.washpost.com/rates/retail/fullrun.html
(9) http://www.fair.org/media-woes/media-woes.html
(10) E.g. http://independent.org/tii/content/events/f_macarth.html
(11) http://www.missingkids.org
(12) http://www.ntia.doc.gov/ntiahome/digitaldivide
(13) http://www.rsa.com/rsalabs/faq/html/2-2-2.html
(14) "Slashdot Acquired by Andover.Net"
(15) "Clinton hopes for soccer diplomacy"
(16) "Athlon Benchmarks Out" -
Feature: News in the Slashdot Decade
Matthew Priestley has written an excellent essay on News in the Slashdot Decade. It talks about how the Internet is changing the way that news moves about, and discusses problems and advantages related to it. Interesting, it's a really excellent piece.
The following was written by Slashdot Reader Matthew Priestley, who, despite his email address, is a pretty cool guy.
Honest News in the Slashdot Decade
In this paper, we discuss the nature of biased and unbiased news in terms of 'trust decisions', using the cryptographic sense of that phrase. We examine the biases in modern media and identify their causes. Two examples of community news services are examined: Slashdot.org, and FreeRepublic.com. (0) From this analysis we derive a model of community news.
Disclaimer: The author of this paper works for Microsoft, but his opinions may not be the opinions of Microsoft. In fact, they aren't. The author hereby declares that nobody important at Microsoft is even aware of his existence, and that he is about as significant to Bill Gates as a single bacterium in your colon is significant to the weather in France.
0 Introduction
There is a malaise of distrust among news consumers. In recent years the number of news outlets has dwindled due to mergers and attrition, leaving information consumers with a scrawny range of choice. As the global quantity of information grows at a jaw-dropping rate, individuals increasingly despair of their ability to filter the news without aid from massive corporations.
Almost half of adults have little or no trust in media agencies (1), yet almost all delegate news collection to companies they will condemn if asked. When consumers knowingly act against their own interests, a form of coercion must be in operation. In the case of news, this coercion is a stranglehold enjoyed by media companies over filtered information. If their services are not accepted, the consumer sinks in a sea of data. In a world in which no one can process all the news and still enjoy a full life, having all information is as useless as having no information at all.
1 Nature and weakness of trust decisions
The selection of a news-filtering agency resembles what is called in cryptology a 'trust decision'. Briefly, a trust decision is a choice made by the user to validate another user's digital certificate. By assigning trust to the certificate, any content signed by that certificate becomes, in a limited sense, trustworthy. (2)
It is burdensome to evaluate the trustworthiness of every certificate, and a typical user lacks the expertise to investigate each exhaustively. For this reason, most users choose to trust a Certification Authority or CA, a central agency empowered to make trust decisions on their behalf. By endowing a single node with the power to filter certificates, the user is spared this chore. (3)
This process is analogous to the decision to accept news from an established information outlet. It would require an unreasonable effort and scads of time for any individual to audit all the news. Apart from sheer volume, appraising facts often requires background familiarity. Sources must be checked, viewpoints solicited, and impact considered. It becomes clear that this is no task for a person who hopes to conduct, for example, a life on the side. Hence the necessity of the trust decision.
Due to the exhausting claims of evaluating news, authority to filter information must be delegated.
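The two shapes of trust decision the paper contrasts, the descending tree of section 1 (a CA vouching for everything beneath it) and the distributed graph it introduces for Slashdot and FreeRepublic in section 3, can be modelled directly. The following is an added example, not code from the paper or from either site; the node names, endorsement edges and votes are constructed, and the quorum and hop limits are assumptions. It shows why corrupting one node near the top of a tree silences a whole branch, while corrupting one node of a graph barely moves the verdict.

```python
"""Two shapes of trust decision, modelled as graphs.

Added example: the node names, endorsement edges and votes below are
constructed for illustration and are not taken from any site's code.
"""
from collections import deque

# Model 1: the descending tree.  Each node maps to the single node that
# vouches for it (its "issuer"), the way a CA vouches for a certificate.
TREE_ISSUERS = {
    "Times article": "Times newsroom",
    "Times newsroom": "Times Corp",
    "Times Corp": "ROOT",
    "Journal article": "Journal Corp",
    "Journal Corp": "ROOT",
}

def tree_trusts(item, issuers=TREE_ISSUERS, root="ROOT", corrupted=frozenset()):
    """Trusted iff following issuer links from `item` reaches `root`
    without passing through a corrupted node, a gap, or a cycle."""
    seen = set()
    node = item
    while node != root:
        if node in corrupted or node in seen or node not in issuers:
            return False
        seen.add(node)
        node = issuers[node]
    return root not in corrupted

# Model 2: the distributed graph.  An edge means "A relies on B's judgement";
# an item is trusted when enough of the consumer's near peers endorse it.
ENDORSES = {
    "me": {"alice", "bob", "carol"},
    "alice": {"dave"},
    "bob": {"dave", "erin"},
    "carol": set(),
    "dave": set(),
    "erin": set(),
}
VOTES = {"Athlon story": {"alice", "bob", "dave", "erin"}}

def reachable(start, edges=ENDORSES, max_hops=2):
    """Nodes within `max_hops` endorsement steps of `start` (excluding it)."""
    found, queue = set(), deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue
        for nxt in edges.get(node, ()):
            if nxt not in found and nxt != start:
                found.add(nxt)
                queue.append((nxt, hops + 1))
    return found

def graph_trusts(item, consumer="me", quorum=3, corrupted=frozenset()):
    """Trusted iff at least `quorum` uncorrupted near peers endorsed it."""
    peers = reachable(consumer) - corrupted
    return len(VOTES.get(item, set()) & peers) >= quorum

def failure_comparison():
    """Corrupt nodes in each model and report which verdicts survive."""
    return {
        "tree_ok": tree_trusts("Times article"),
        "tree_corp_corrupted": tree_trusts("Times article", corrupted={"Times Corp"}),
        "tree_other_branch": tree_trusts("Journal article", corrupted={"Times Corp"}),
        "graph_ok": graph_trusts("Athlon story"),
        "graph_one_corrupted": graph_trusts("Athlon story", corrupted={"dave"}),
        "graph_two_corrupted": graph_trusts("Athlon story", corrupted={"dave", "erin"}),
    }

if __name__ == "__main__":
    for name, verdict in failure_comparison().items():
        print(f"{name:22} {verdict}")
```

The quorum is the graph model's tunable: raising it makes the consumer harder to fool with a few bought nodes, at the cost of trusting fewer items at all, which is the peer-dilution trade-off the paper describes.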
2 Sources of bias in modern media
2.1 Opinion pollution
That trust decisions are subject to predation should be apparent. The most evident form of bias is opinion pollution, in which the subjective feelings of a reporter taint the news. Such bias may be either systemic or the fault of "rogue" reporters, or both.
This form of bias is trivial to establish. In a July 8th article discussing a verdict against tobacco companies, the New York Times dwells on the volume of damning evidence presented by the plaintiffs. The deformities of the smokers are described, and the article drops a helpful tip about joining the suit. (4) Covering precisely the same event, the Wall Street Journal scrupulously avoids discussing the smokers, save to describe their organizers as 'flamboyant'. The spectre of a flooded court system and billions in costs is raised multiple times, and the guilty verdict is categorized as a legal 'aberration'. (5)
This form of trust violation can be characterized in two ways. If the tolerance for personal beliefs in the news is not widespread, but isolated to a few reporters, then officials of the corporation have delegated their authority unwisely. An organization that is otherwise trustworthy will eventually correct this error. If the corruption runs throughout, however, then the consumer's initial trust decision was poor. In either event, ongoing opinion pollution can only be sustained by broad organization-wide consensus on the value of certain ideas.
Opinion pollution is a trait of homogeneous groups.
2.2 Advertising revenue and corporate ownership
Often overlooked as a source of bias is the murky relationship between news providers and advertisers. The age-old subscription model has fallen by the wayside, unable to compete with advertiser-funded services that appear to offer information for free. (6)
One fallacy is that advertising flows toward high readership, rewarding popularity with success. In reality, corporations are interested in buyers, not readers. The Daily Herald, a worker's paper in 1960s England, boasted a readership of 4.7 million the year of its demise - nearly double that of the Times, the Financial Times, and the Guardian combined. (7) But the Herald's readers were demi-socialists, and failed to support the very businesses keeping their paper alive. The advertising money melted away.
A look at subscription income and advertising income emphasizes the dwindling importance of readers. A copy of The Washington Post costs as little as 24 cents a day. By contrast, one inch of black-and-white advertisement in the paper commands $257.55. (8) Economically, it would be more prudent for the Post to alienate 1000 readers than one business buying a daily inch of print. If the lost readership were confined to non-buyers, advertising rates would not even have to drop. When profit per advertiser squashes profit per consumer, the business of advertiser-funded information outlets becomes not the sale of information, but the sale of a receptive audience.
The situation is aggravated when a large corporation owns the news-filtering outlet. Most fans of TV news are unaware ABC is owned by Disney, NBC by GE with investment from Microsoft, and CBS by Westinghouse Electric. Stories critical to these interests are treated gingerly in the news. (9)
Reliance on advertising or corporate ownership selects for news that is business-friendly. High readership is no exemption.
2.3 Feeder authority
Any reader who has attempted to wrest information from the government is aware of its inertia. Similarly, the PR departments of businesses are known for their unhelpful volubility. In the first case the problem is information deficit, in the second it is disinformation glut, but ultimately the predicament is the same.
The situation is no different in a modern newsroom. Effective reporters are those who have established personal relationships with 'sources' inside various institutions who feed them privileged information. These reporters are superior information gatherers because they may ask questions that typically are rebuffed.
Without the goodwill of their 'feeders', even competent journalists drown in a sea of flack. Should an information gatherer alienate an important feeder, the gatherer is instantly severed from a pool of developing information. Pains are taken to ensure feeders are pleased with the treatment of their comments in published accounts. (10) This creates an unhealthy environment for the analysis of news. If an information outlet were to criticize the statements of a feeder, or if fallacies or lies were exposed in the feeder's reasoning, the potential effect on the outlet would be calamitous. This allows the feeder to make use of information outlets as occasional distributors of propaganda, knowing that refusal is unlikely.
Information from a small number of feeders may be propagandized.
3 News distribution over the Internet
Slashdot.org and FreeRepublic.com are representatives of a new class of news filter. While using these sites, consumers alter the fundamental structure of their trust decision. Rather than inhabiting a descending tree, in which trust is derived from progressively higher and fewer nodes, a Slashdotter or Freeper distributes their trust. In a distributed trust model, each consumer inhabits a single node in a formless but highly connected graph. Central authority is weak, participants are anonymous, and all nodes perform small amounts of voluntary labor.
3.1 Slashdot.org
Recently thrown mainstream as a gathering spot for Linux advocates, Slashdot.org has a large and devoted following of geeks and technophiles. Interestingly, because of its adherence to transparency and peer review, Slashdot has evolved a news system that defeats several of the biases described above. Slashdot is the conceptual descendant of the Internet newsgroup and the old-timer's BBS. Members log in to the web board and select one or more current items to discuss, then post their reactions.
3.1.1 Successes of the Slashdot model
Participants on Slashdot are only identifiable if they wish to be. Widespread use of aliases insulates participants from real-world reprisal - a Slashdotter may criticize the government, their employer, or other feeders with small risk. Handle-use also renders a state of meritocracy on Slashdot. Comments and topic submissions are judged by their own merits, since little is known about their real-world source. Aliases grow trusted in the forum as a result of their owner's contributions. Deprecated aliases have only themselves to blame.
Members submit topics on Slashdot, and those with promise are posted to the forum. By distributing the labor of reporting, the process of information collection becomes inexpensive, and the likelihood of discovering important news increases - much like the 'Have you seen this child?' ads on milk cartons. (11) When the system requests voluntary labor, it is limited to tasks costing only a few mouse clicks. The decision of what is 'newsworthy' is also simplified, since an audience member has provided the item. If each registered Slashdot member contributed only 1 minute per day, their efforts would sum to 1083 work-hours of labor - absolutely free.
Relinquishing trust to anonymous lurkers appears foolhardy, but as randomness grows, so does quality. The web demographic is a straw poll in the worst sense of the term (12), but there are tide pools of demographic validity if groups are narrowly defined. When a site achieves a certain level of notoriety, Slashdot for example, a cross-section of users may fairly be said to represent its supporting community, in this case idealistic geeks. An information consumer is not interested in topics useful to the average person; rather they are interested in what is useful to people like themselves.
No opinion is authoritative until it runs the Slashdot gauntlet. Members comment on topics, share experiences, and take potshots at sloppy reasoning. This is more egalitarian than the feedback model of magazines, TV, or books. In those cases, if a retort is even possible, it is run in the following issue, with no guarantee to reach the original audience. On Slashdot, user comments frequently upstage the 'official' news, and it is a testament to their quality that reading the primary source is often unnecessary. Because most topics excite a gamut of opinions, Slashdot defeats the threat of opinion pollution.
To tame dull or off-topic comments, Slashdot members are randomly empowered to moderate the 'score' of remarks. Moderators are chosen by the system with a preference towards regular but not ubiquitous readers. Comments that gain the approbation of everyday participants gradually move up through statistical effects. Pointless comments sink into oblivion. Visitors to the forum may choose their own threshold of dependence on this ratings system. On Slashdot, the uniform opinions of classic information outlets are rare.
Finally, the scripts and HTML that run Slashdot are released to the community. This ensures, within reason, that the site truly operates as billed, as well as opening the code to all the benefits of open source.
3.1.2 Failings of the Slashdot model
Among its positive effects, anonymity damages credibility. If Secretary of State Madeleine Albright posted a remark on technology export limitations, her opinion would be more significant than had 'DrDeath' typed precisely the same opinion. Validation of real-world credentials can be desirable. One solution would be to support either the S/MIME or PGP signing standards as a user option. A hash of important messages could be included with the post, thereby validating the identity of the signer. (13)
No Slashdot participant receives a handle until they submit an e-mail address to the Slashdot central authority. Those who do not may participate as 'Anonymous Cowards'. ACs suffer numerous disadvantages, not the least that their posts begin at a lower score. Though this distinction discourages meddling from non-regulars, it is risky. Regular members are no less anonymous or even cowardly than ACs, save that they have disclosed their private information to the Slashdot central authority. This makes criticism of the authority more difficult, since critical remarks are safe only as an AC post from a lab computer, which is immediately scored down.
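The signed-post option suggested above works like this: the poster hashes the post, signs the hash with a private key, and publishes the signature beside the post, while the forum checks it against the public key the member registered. The following is an added example, not code from the paper or from Slashdot. It uses textbook RSA over two known Mersenne primes with no padding, which is enough to show the mechanism but is not a deployable signature scheme (real deployments would use the PGP or S/MIME standards the paper names); the handles, keys and post bodies are constructed.

```python
"""Signing a post so its author can be checked against a public key
registered with the forum.

Added example, not the site's code.  Textbook RSA over two Mersenne primes
with no padding: enough to show the mechanism (hash the post, sign the
hash, publish the signature beside the post), not a deployable scheme.
Handles and post bodies are constructed.
"""
import hashlib

E = 65537  # common public exponent

def keygen(p, q, e=E):
    """Textbook RSA key pair from two primes; (n, e) public, (n, d) private."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # pow(e, -1, m) needs Python 3.8+

def post_digest(handle, body, n):
    """SHA-256 over handle and body together, so a signature cannot be
    replayed under a different handle; reduced mod n to fit the modulus."""
    h = hashlib.sha256(f"{handle}\n{body}".encode("utf-8")).digest()
    return int.from_bytes(h, "big") % n

def sign_post(private_key, handle, body):
    """The poster's side: sign the digest of the post with the private key."""
    n, d = private_key
    return pow(post_digest(handle, body, n), d, n)

def verify_post(registry, handle, body, signature):
    """The forum's side: `registry` maps handle -> registered public key."""
    if handle not in registry:
        return False
    n, e = registry[handle]
    return pow(signature, e, n) == post_digest(handle, body, n)

# Two key pairs built from known primes (2^61-1, 2^89-1, 2^107-1, 2^127-1)
# so the example needs no prime search; constructed for the demo only.
ALICE_PUB, ALICE_PRIV = keygen((1 << 61) - 1, (1 << 89) - 1)
BOB_PUB, BOB_PRIV = keygen((1 << 107) - 1, (1 << 127) - 1)
REGISTRY = {"alice": ALICE_PUB, "bob": BOB_PUB}

def demo():
    """Genuine post verifies; edited body, borrowed handle or unknown
    handle do not."""
    body = "Export limits on strong crypto should be lifted."
    sig = sign_post(ALICE_PRIV, "alice", body)
    return {
        "genuine": verify_post(REGISTRY, "alice", body, sig),
        "tampered_body": verify_post(REGISTRY, "alice", body + " (edited)", sig),
        "wrong_handle": verify_post(REGISTRY, "bob", body, sig),
        "unregistered": verify_post(REGISTRY, "DrDeath", body, sig),
    }

if __name__ == "__main__":
    print(demo())
```

Binding the handle into the digest is the detail worth keeping from this toy: without it, a signature lifted from one member's post would verify just as well if re-posted under the same key by anyone who obtained it, and the forum would have no way to tell which handle the signer meant.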
There is one departure on Slashdot from democracy. While consumers do submit the discussion topics, these are dropped into an administrative black box, unseen until a few emerge handpicked by the central authority. Inside the 'box', a small number of humans, vulnerable to self-interest, choose which of the topics will be news. In theory, the authority could even replace submitted topics with its own. A better system would be an open one, moderated in the same manner as user remarks. Along with their ration of remark-points, moderators would be given a supply of topic-points, which could be spent on proposed topics in a pool. Users could set topic thresholds in the same manner that they set thresholds for remarks. This method would be self-policing and eliminate tedious work for the central authority. (Update: 07/16 01:15 by CT : See the Slashdot FAQ for the reason that I've decided not to do this)
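The scoring mechanics described in 3.1.1 and the open topic pool proposed above share one structure: a pool of items, moderators with a limited ration of points, and per-reader thresholds. The following is an added example, not Slashdot's own scripts; the score range, point budgets, starting scores and threshold values are assumptions modelled on the conventions the text describes, and every handle, comment and topic is constructed. The checks in `spend` (no self-moderation, no repeat votes, no spending past the budget) are what keep a single handle from floating or sinking an item on its own.

```python
"""Score-based comment moderation with a reader threshold, and the open
topic pool proposed in place of the editorial black box.

Added example; point budgets, score range and thresholds are assumptions
modelled on the conventions the text describes, not the site's own
scripts.  Every comment, topic and handle below is constructed.
"""
from dataclasses import dataclass, field

SCORE_MIN, SCORE_MAX = -1, 5  # assumed clamp range for a moderated score

@dataclass
class Item:
    """A comment or a proposed topic with a moderatable score."""
    id: str
    author: str
    score: int
    voters: set = field(default_factory=set)

class Budget:
    """Points a chosen moderator may spend; one point per +1 or -1."""
    def __init__(self, handle, points):
        self.handle, self.points = handle, points

    def spend(self, item, delta):
        """Refuse out-of-budget, self-moderation and repeat votes."""
        if delta not in (-1, 1) or self.points <= 0:
            return False
        if item.author == self.handle or self.handle in item.voters:
            return False
        item.score = max(SCORE_MIN, min(SCORE_MAX, item.score + delta))
        item.voters.add(self.handle)
        self.points -= 1
        return True

def visible(items, threshold):
    """What a reader who set `threshold` sees, best-scored first."""
    ranked = sorted(items, key=lambda i: -i.score)
    return [i.id for i in ranked if i.score >= threshold]

def demo():
    # Registered posters start at 1, an Anonymous Coward at 0 (assumed).
    comments = [
        Item("c1", "alice", 1),
        Item("c2", "Anonymous Coward", 0),
        Item("c3", "bob", 1),
    ]
    mods = [Budget(h, 5) for h in ("carol", "dave", "erin")]
    for m in mods:                  # three readers rate the AC's remark up
        m.spend(comments[1], +1)
    mods[0].spend(comments[2], -1)  # one reader rates bob's remark down
    mods[0].spend(comments[2], -1)  # a second vote by the same mod is refused

    # Topic pool: members propose, moderators spend topic-points, and any
    # topic reaching the threshold is posted without editorial review.
    topic_threshold = 2
    topics = [Item("t1", "frank", 0), Item("t2", "grace", 0)]
    tmods = [Budget(h, 2) for h in ("carol", "dave")]
    for m in tmods:
        m.spend(topics[0], +1)
    tmods[0].spend(topics[1], +1)
    return {
        "threshold_1": visible(comments, 1),
        "threshold_3": visible(comments, 3),
        "posted_topics": visible(topics, topic_threshold),
        "self_mod_refused": not Budget("alice", 5).spend(comments[0], +1),
    }

if __name__ == "__main__":
    print(demo())
```

A reader at threshold 1 still sees the Anonymous Coward's remark once three ordinary participants have rated it up, which is the statistical climb the text describes; the topic pool uses the same machinery with a separate budget, so the central authority handles nothing a moderator quorum has not already passed.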
Slashdot is funded by banner advertisements, and on 6/29/99 announced that it had been acquired by Andover.net. (14) While there is little danger of the various Linux distros exerting pressure as yet on Slashdot, and while Andover rarely appeared on Slashdot in the past, nonetheless these developments cast a shadow on the impartiality of the community forum. Is it less likely that a story criticizing Sony will be run when an advertisement for the Sony AIBO adorns the top banner? What would become of stories damaging to Andover? Members should be alert for signs of conflicting interest.
3.2 FreeRepublic.com
Similarly evolved, although less highly automated, is FreeRepublic.com, a forum for the exchange of conservative commentary. FreeRepublic is similar to Slashdot in appearance and general design. We will focus on their differences.
3.2.1 Successes of the FreeRepublic model
FreeRepublic's most notable trait is the freedom members enjoy in topic selection. Power is so far in their hands that every member may post any topic they choose, resulting in dozens of discussed topics per day. A true distributed trust network has no single point of entry. Since the number of daily articles is finite, any given node in a sea of nodes has negligible influence. Individuals may be bought or coerced, but since the merits of each contribution are peer-reviewed and peer-diluted, successful corruption must be hugely widespread. The resources needed to influence a majority of users would be prohibitive, and only dubiously worthwhile. Once accomplished, the forum would cease to serve the needs of valid members and would naturally dissolve. Attempts to corrupt distributed news forums are by nature self-defeating.
FreeRepublic reaps no funding from advertisement or corporate ownership. The site is fed by out-of-pocket donations from participants. Though it should be noted that FreeRepublic's supporting community stereotypically has more disposable income than the average netizen, even so the site is accountable to none save its members. When the object of a news outlet is the aggregation of money, it should be unremarkable when money supersedes the pursuit of information. But in a community forum, participants have no aim other than valuable and convenient news.
Participants on FreeRepublic meet physically, organize in chapters, and crusade in the real world to accomplish their aims. There is little risk to anonymity, since there is no need to divulge onscreen handles. Provided chapters are small and independent, the inevitable discussion of principles will not even dampen diversity of opinion, which could expose the forum to opinion pollution. Participants also leave the meetings with a sense of community, which increases their voluntary labor.
3.2.2 Failings of the FreeRepublic model
Although a blessing, complete freedom of topic selection is also a curse. At times of peak activity, two successive clicks on Refresh may result in two completely different topic lists. Crackpots frequently post and their topics slide off the page untouched by regulars. There is much duplication as news breaks. Most topics receive fewer than twenty comments, reducing the effects of peer-dilution and peer-review. All these problems could be resolved if FreeRepublic were to transition to the scoring-based topic selection approach recommended previously.
FreeRepublic has no moderation method for comments, and consequently all remarks carry equal weight. In its absence, opinions win by volume or position near the top of the remark list rather than insight or appeal to the median qualities of the community. Corruption of an unmoderated forum is trivial given fifty aliases and sufficient time.
On FreeRepublic, community participants are not permitted to comment or post discussion topics unless they are logged on. This is an extreme case of Slashdot's Anonymous Coward dilemma. No contribution can be made to the forum without being noted by the FreeRepublic central authority. There is no guarantee the central authority will not terminate or diminish the accounts of those who criticize its practices.
Finally, FreeRepublic is closed source. Though the site is more static than Slashdot, what scripts it has are not disclosed to the forum. Members must take it on trust that no back doors lurk in the code.
4 Issues in Internet news distribution
4.1 The trouble with enthusiasm
One trait of both Slashdot and FreeRepublic is that their populations contain a percentage of zealots. This fact attracts the attention of non-members and ensures the continued participation of long-standing ones. While allegiance to a specific viewpoint is in no way an exclusionary criterion on Slashdot or FreeRepublic, most users share a common opinion on a few controversial issues. This may reflect the fact that contentious topics generate the most passionate interest.
Regrettably, this bond introduces a capacity for bias. Most information processed on a trust graph will lie outside the emotional boundaries, allowing peer-review and peer-dilution to ensure honest news analysis. But when discussion touches on a 'hot button' topic, rampant uniformity of opinion eliminates these safeguards.
FreeRepublic may safely be termed incapable of objective thought when the topic of President Clinton is broached. One recent post discussing Clinton's attendance at the World Cup bore the helpful keywords 'CLINTON RAPIST EVIL SLEAZY TRAITOR'. (15) Similarly, the high quality of discourse on Slashdot disintegrates when Microsoft enters the headlines. Both communities may be absolutely correct in their opinions on these topics, but the mere fact of consensus mimics the effects of corruption and degrades the community information filter. Whether it is desirable or even possible to generate a community forum without this sort of bias is a question for further debate.
4.2 Overcoming feeder bias
Although incisive analysis may overcome the flaws in a poorly written news article, community forums are ultimately limited by their feeders. These feeders are not usually primary sources, except in cases where significant documents are available online. Far more common is the linking of news articles from established information filtering corporations. The question arises whether community news efforts can surmount partiality on the part of the original reporters.
The answer appears to be yes. When CPU-maker AMD recently released comparisons between its chips and those of rival Intel, Slashdot was quick to dissect the biases in presentation and supply the necessary omitted background. (16) However, it should be noted that processors are a topic enjoying high familiarity among the technical elite who visit the site. Had the discussion been on the political condition of Nicaragua, results would be sketchy at best. Fortunately, community information forums are inherently unlikely to encounter this dilemma. Since the group as a whole selects topics, discussions lying outside the expertise of the majority are rare. A more difficult question is this: will community news replace traditional news outlets, or merely supplement them?
5 Conclusion
Community information filters are a novel approach to news. Trading on the principles of self-interest and distributed trust, they levy the expertise of thousands into producing honest, cheap daily news. In a world where command of information is rapidly becoming the root of institutional power, distributed trust graphs refocus information upon the needs of the citizen. While they remain in a state of infancy, the rise of sites such as Slashdot and FreeRepublic heralds the demise of traditional information flows. We have entered the Slashdot decade, and only time will judge our success.
6 References
(0) http://www.slashdot.org, http://www.freerepublic.com
(1) http://www.gallup.com/poll/releases/pr990108.asp
(2) http://www.rsa.com/rsalabs/faq/html/4-1-3-11.html
(3) E.g. http://www.thawte.com
(4) "Tobacco Industry Loses First Phase of Broad Lawsuit", New York Times, 6/8/99
(5) "A 'Class' Trial Finds Tobacco Firms Liable; Big Payments May Follow", Wall Street Journal, 6/8/99
(6) Cable is an exception. The means of distribution in cable are monopoly-owned, preserving cable from direct competition with TV.
(7) Herman & Chomsky, Manufacturing Consent, Pantheon Books, p15, [cf.]
(8) As of July 1999, Washington Post, http://www.washingtonpost.com/wp-srv/guide/sub/sub.htm, http://adsite.washpost.com/rates/retail/fullrun.html
(9) http://www.fair.org/media-woes/media-woes.html
(10) E.g. http://independent.org/tii/content/events/f_macarth.html
(11) http://www.missingkids.org
(12) http://www.ntia.doc.gov/ntiahome/digitaldivide
(13) http://www.rsa.com/rsalabs/faq/html/2-2-2.html
(14) "Slashdot Acquired by Andover.Net"
(15) "Clinton hopes for soccer diplomacy"
(16) "Athlon Benchmarks Out"
-
Shamir's new Crypto Gadget
-
The Twofish Encryption Algorithm
Since many people responded positively to the programming poll, here is a presentation of the TwoFish encryption algorithm, a possible DES replacement which is unencumbered by patents and for which a sample source code implementation is available. Basic cryptography concepts are explained here and more simply here, while a look at unbalanced Feistel networks is also online. An alternative to TwoFish is Loki 97. Don't assume this article sets the tone for the series (it's rather hard); the series will be varied. A substantial number of you wanted to be able to look only at news sections that interested you, and I think Rob is looking at implementing that. -
DNS Security Being Addressed
Dan Marks sends us the following: "The DNS protocol is highly vulnerable to spoofing attacks, and Cylink and RSA may provide royalty-free (at least for a limited time) signature systems to prevent these attacks. The Internet Software Consortium is choosing a standard for DNS security. Read this article"