But what they cannot do is give your information to other 3rd parties without your direct consent unless it's under federal mandate and/or decree (read: court order and/or the Patriot act).
Really? How do credit rating agencies get information about your credit card debt without you ever having explicitly told your bank the information is theirs to share? Where exactly do all those pre-approved credit offers come from?
Offshore data management services is simply a scarier way of saying Disaster Recovery. You want your bank to keep running even if the home office (or data center) explodes, right? Then don't start bitching about them backing up data in different places.
Not about backing up, perhaps, but fleeing the jurisdiction (off-shore backups can be done just fine in Alaska and Hawaii) offers perks in that they can do way more than just back-ups with your data.
Challenge-response isn't inherently more secure than an auto-updating number based on time. Both are basically implementations of a pseudo-random function. With the auto-updater, the current time is essentially the challenge. And not having to type/scan in an explicit challenge is a lot more usable.
With C/R the challenge can be extended with human-readable data; my bank required me to enter bank-account numbers I add to my e-banking address book as a challenge in my token. Other banks require the amount you're transferring to be entered as a second challenge for transactions above a certain amount. This prevents spy/ad/malware/a man-in-the-middle from altering the data you sent (vs. the data you see in your browser).
An even more advanced scheme would allow you to digitally sign the entire transaction on a tamper-resistant device that doesn't get infected with viruses/malware as easily as your average Windows PC does.
Transaction acception codes aren't just about authentication of the user, they're about non-repudiation of the transaction itself.
However, if I can reverse engineer the bank's device and discover the algorithm in use, it becomes worse than useless, in that it instills a false sense of security.
No, not if the algorithm is properly designed; it should rely on the secrecy of the key, not the algorithm. And yes, all tokens are keyed, otherwise they would be completely interchangeable, which they're not.
Strong passwords are still less hassle, don't sacrifice much to security concerns (if never expressed in clear text), and just aren't that freaking hard to create. Pre-shared keys are even better, depending on how strong they are, and how they're distributed. And how well keys are guarded/revoked-if-stolen. ;)
Non-shared keys are better. Like, oh say, public key encryption.
The SecurId algorithm is here btw (from another post in this thread).
Sounds like your device just calculates a response based on two inputs; don't know why that wouldn't be just as easy in software. (You _can't_ turn a SecurID card off, so it can't get out of synch with the server, unlike software.)
Not to say that your device isn't secure - more reverse engineering would be required to determine that - but the two approaches *are* very different.
The approaches are different mostly in the way that securID can't do challenge/response. Note that most hardware tokens that can do challenge/response also use a hardware clock.
The immediately obvious benefit of challenge/response is that it offers far better protection against replay attacks - securID numbers are valid for 10 seconds, whereas a parallel login session using C/R will use a different challenge (in fact, the resolution is worse than 10 seconds since the server will usually accept the previous and next number as well, in order to resync to correct for clock drift).
Also, some e-banking authentication schemes require you to enter both a challenge AND the amount (or recipient's bank account number) you're transferring; this prevents malware on your PC (or a man-in-the-middle) altering the amount without you detecting it. This is obviously impossible to do with a non-C/R scheme like SecurID.
Example; when I add an account number to my e-banking site's address book, I'm asked for the response to a challenge that's clearly and human-readably derived from the bankaccount# (1 number is dropped) - so malware can't change the account#s I add to my address book.
In my mind, even devices without a hardware clock that can do C/R are preferable to securID schemes that do have a clock but no C/R.
Also note that tokens that do C/R usually need to be unlocked with a PIN before use (they already come with a keypad, so why not?) - this means you get two-factor authentication basically for free, and the PIN only needs to be checked by the token itself, so it's not stored on the server, not even in a hashed form (which is trivial to brute force for 4/5 digit codes anyway).
While securID might be very well accepted in the IT world, and is easy to roll out, it's certainly not the most secure or well thought-out authentication method by a long shot. And they're damn expensive given how simple their design is! Just a clock and an LCD that shows the hash of the current_date/time_rounded_to_the_closest_10_seconds and its secret key..
I've been using physical tokens to log on to e-banking for years. Not only that, but tokens that are significantly more secure than securID fobs, in that they support challenge/response and using a PIN to unlock it (two-factor security, and the PIN is only used with the token so it needn't be known at all to the bank).
In fact, most banks are now switching to keypads that you plug your existing bankcard in, so they can piggyback on the tamper-resistant chipcard that's already on there (although it's slightly less advanced than some tokens, since chipcards don't support a clock that's permanently ticking).
Most devices are from Vasco who provide a wide range of tokens (some more secure than others). They even have challenge/response tokens that don't require you to copy the challenge; they have optical sensors that can read out a code that's blipped out by flashing blocks on your screen. Way cooler devices than those RSA securIDs.
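The difference argued in the posts above, as an added example that is not part of the original thread: a clock-driven code checked against the previous, current and next 10-second step, next to a challenge/response code that also covers the account number and amount. The HMAC-SHA256 construction, the 6-digit length, the field layout, the key and the sample values are assumptions made for illustration; this is not the SecurID or Vasco algorithm.

```python
import hashlib
import hmac

STEP_SECONDS = 10   # code lifetime quoted in the thread
DIGITS = 6          # assumed display length
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed per-token secret


def _mac_digits(key: bytes, *fields: str) -> str:
    """HMAC over length-prefixed fields, reduced to a short code a person can type."""
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


def time_code(key: bytes, now: float) -> str:
    """Clock-driven token: the current time step is the implicit challenge."""
    return _mac_digits(key, "time", str(int(now // STEP_SECONDS)))


def verify_time_code(key: bytes, code: str, now: float) -> bool:
    """Server side: accept previous, current and next step to absorb clock drift."""
    return any(
        hmac.compare_digest(code, time_code(key, now + drift * STEP_SECONDS))
        for drift in (-1, 0, 1)
    )


def server_accepts_time_based(key, code, now, account, amount) -> bool:
    """The code carries no transaction data, so account and amount go unchecked."""
    return verify_time_code(key, code, now)


def cr_response(key: bytes, challenge: str, account: str, amount: str) -> str:
    """Token side: the user keys in the challenge plus the data they see and intend."""
    return _mac_digits(key, "cr", challenge, account, amount)


def server_accepts_cr(key, challenge, account, amount, response) -> bool:
    """Server recomputes over the challenge it issued and the data it received."""
    return hmac.compare_digest(response, cr_response(key, challenge, account, amount))


def demo() -> dict:
    now = 1_000_000_005.0                    # constructed timestamp
    intended = ("0012345678", "50.00")       # what the user sees and approves
    tampered = ("0099999999", "5000.00")     # what altered traffic would carry

    code = time_code(DEMO_KEY, now)
    resp = cr_response(DEMO_KEY, "483920", *intended)   # constructed challenge

    return {
        # Time-based: the same code validates whatever transaction arrives with it.
        "time_tampered_accepted": server_accepts_time_based(
            DEMO_KEY, code, now + 3, *tampered),
        # A second session 12 s later still falls inside the accepted steps.
        "time_parallel_session_accepted": verify_time_code(DEMO_KEY, code, now + 12),
        # Outside previous/current/next the code is finally refused.
        "time_stale_accepted": verify_time_code(DEMO_KEY, code, now + 25),
        # C/R: matches only the exact data the user typed into the token.
        "cr_intended_accepted": server_accepts_cr(DEMO_KEY, "483920", *intended, resp),
        "cr_tampered_accepted": server_accepts_cr(DEMO_KEY, "483920", *tampered, resp),
        # A parallel session gets a different challenge, so the response is useless there.
        "cr_other_challenge_accepted": server_accepts_cr(
            DEMO_KEY, "117264", *intended, resp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```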
Those are all valid theories (or rather hypotheses, since they don't describe any underlying mechanisms).
But a theory isn't necessarily right.
But if it can't be disproved, you don't even need to bother trying to prove it, since it's worthless.
Scientists don't just dream up theories, they test them. If you dreamt up the above theories, you'd have to go about testing them. Measuring fish-farting, statistical modelling etc. If you were any good at that you'd be a good scientist, though probably a mentor would suggest to you to pick hypotheses that were more likely to be correct. (Although the fish-farting isn't that far out; in fact, Bovine expulsion of gasses is high on the list of sources of greenhouse gasses).
Perhaps your esteem for the status "theory" is a bit too high. It's not like scientists go around saying to each other "Woah man! You made a THEORY", it's more like "A-ha! Your model is but a worthless theory! I challenge you to prove it, scoundrel!"
Re:how about "creationism" crap? on Bad Science Awards · Score: 5, Funny
repeat after me: creationism (or "intelligent design") is not a scientific theory. it has no predicative power, it offers no real explanation, nor can it be tested.
Well, as creationists will point out, evolution can't be tested on a multi-million year time-scale either, and multi-million-year predictions are hard to check.. As for offering no real explanation, creationists will also disagree about that; and moreover, real scientific theories sometimes don't have real explanations; like Newton's theory of gravity.
The thing with creationism is that it cannot be disproved, and that's what makes it a non-contender. It's called falsifiability. You can never prove there is NO God. Perhaps he likes it that way, and being almighty, there's no way you're gonna catch him out! Can't be sure, can you? In fact, he might be faking all them scientific resultamajigs so as to test y'all's faith in him! Nope siree, can't disprove God.
On the other hand, if the skies crack open and a thundering voice bellows "This is God. Evolution is a crock. Check out genes #43.125-43.234 in starfish and humans" and it turns out those genes contain a binary encoded (C/G=1, T/A=0) message saying "(c) YHWH, 4000BC, nobody mess with my copyrites, I rulez0rs, go forth and multiply suckas!", well, then that could quite possibly be a good way to disprove evolution..
Cell phones usually run on 4.8V, because you can only get multiples of 1.2V when you couple rechargeable batteries in series (non-rechargeables carry up to 1.5V, so that's why 3/6V is common in toys and the like).
In fact, 1.5V (or a multiple thereof) was a pretty good standard until rechargeables came along. That's also why one of them flatty squarry batteries is 9V, a multiple of 1.5..
The problem of course is that while you can easily go from 1.5V to 3V and up by coupling batteries in series, if you've got an adapter hooked up to the mains, it usually only outputs one voltage, or it would have to have a switch on it. Those things are hideously expensive for some reason, $30 for a simple adapter with not too much power.
It would be trivial to design a connector that has a socket with pins either present or missing just for the purpose of indicating which AC voltage it wants. You'd need quite some pins to cover the bases though - multiple of 1.2 or 1.5, 1,2,4 or 8x base voltage, expected number of amps, one pin per bit of information makes for brittle connectors..
I'd imagine Emergency Services are quite chuffed with GPS. E911, for example.
But hey, perhaps it's also a "good idea" to stop ambulances from going onto the streets in the aftermath of a terrorist attack. After all, the "terrrsts" might just hijack an ambulance and use it against us! Ph3ar!
I'll agree with you on one thing, I don't see them installing cell phone nodes in planes anytime soon.
Actually, that would allow them to set up their own virtual network, on which you'd roam, and they could charge you a zillion dollars per minute. Also, there's less interference, because the handsets will find the basestation much nearer by, and don't need to output as many Watts to reach it.
The main problems would be the zillion different standards (not as much a problem on flights in and between Europe/Asia(excl.Japan)/MiddleEast as they're on GSM) and most of all; regulatory.. After all, it's not only licensed spectrum, but you're crossing borders!
Local exploit = a user with an account on the machine does something unauthorized
Remote exploit = a user without an account on the machine takes over the machine (or some part of it)
I don't have an account on the TA's NASM machine, but I created a file on it. That's a major problem!!
The TA has an account. If I open a word document that unexpectedly creates or modifies files, that's not a remote exploit, even if I got it via e-mail. It's a local exploit without privilege elevation. A trojan horse. Simple as that.
If NASM came with a default installation that set up an e-mail account "ta@example.com" from which it would automatically pick up files and assemble them, sure, it would be a remote exploit.
The difference is, if I read about a remote exploit, I need to patch my services today. If an exploit is one that needs files to be manually gotten from somewhere and run through some program to do unexpected things, I don't need to run out and patch most of my systems; as they're only being used by one person, who doesn't do silly things like that.
If you connect an unpatched XP system to the internet, it will be compromised in a few minutes. Those are remote exploits. No user interaction required.
Until you look for security holes and actively exploit them, you won't understand the situation. Learn about it, try your hand at it, then come back and talk to me.
Yes, master, you are the expert! No one should be even allowed to post in this thread without a 6 year training in Nepal with the Shaolin security monks! How silly of me.
By all means, invent your own meaning for words, but words are for communication. When you go on exaggerating like this, it's good for a laugh, but you might end up being the boy who cried wolf.
Here's the scenario: You are the TA for a CS course. You have 700 NASM programs to grade. What do you do? Compile them and see if they run and return the expected results. Well by doing that, I just compromised your entire account. From the comfort of my own home.
So yes, it's a remote exploit.
Ok, so here's the scenario: I hire a ninja to break into your apartment, and enter a series of commands I handed him on a slip of paper. Now suddenly whatever happens is a remote exploit?
It's a local, executes arbitrary code vulnerability. Sure, if you open up the machine to remote users it becomes a remote vulnerability. And if the code in question contains some further exploits to attain higher privileges, the amalgam becomes a remote root exploit. And, as the saying goes, if my grandpa had wheels, he'd be a bus.
If you interpret "remote" in this way, then there is no distinction between local and remote anymore. I find the distinction quite useful.
Using an encrypted password list on your palm or pocketpc (or even mobile phone..) is a good idea to patch up problems with the current situation. However, as tokens, they're not so hot.
Because the secrets aren't stored in a tamper-resistant chip, the file containing the password list is subject to brute force decryption attempts, whereas a smartcard blocks after 3 tries. So, the strength of your password list depends on the strength of your master password (assuming the hash and encryption algorithms are sound). With a 3-try-PIN brute forcing is impossible; the odds are always 1000:3 of an attacker getting it right.
So it's no replacement for suitably secure tokens. Also note that tokens can also provide 2 factors of identification, while a password list still only provides the one.
Passwords are always going to be flawed. Biometrics are the wave of the near future/present.
Yeah. Unlike passwords, biometrics are resistant to, what, 10 replay attacks? Unless you're using iris-scans, then you've got 2 passwords, maximum.
You are aware that most fingerprinting gear is resistant to the dreaded Gummy Bear attack? (That's where they use a copy of your prints - lifted off of a glass you used for example - made out of Gummy Bear candies).
Biometrics are useless unless the biometric-taking hardware is physically secured by human guards checking to make sure you're not palming any Gummy Bears.
(As a cost-cutting measure, notice how human guards are much better at facial recognition than computers, and just issue photo-IDs..)
The best scheme is a smart device (such as a smart-card with standalone(!) cardreader), that lets you physically enter a PIN into it, which then unlocks a securid or challenge/response scheme.
The (embedded) chip is tamper-resistant (quite possibly erases the secrets inside when opened) and only lets you try 3 pins. The challenge/response scheme can then be as convoluted as you like, perhaps based on public/private key.
My bank uses the chip embedded on my regular ATM card, and a card reader with a keypad and integrated LCD readout. When logging on to e-banking, I enter a PIN, enter a challenge on-screen, and then enter the response from the LCD readout into my browser.
Or just edit the list of names in their favorite text-editor, and only paste it in whatever spawn-of-satan wysiwyg gui they're using (or into the xsl:fo) when the list is done already..
Unlike many people here, I do not have a problem with the grammar, punctuation, or spelling of e-mail messages. You Sir, bring out the grammar Nazi in me!;-)
To my shame, some of the management here, write e-mail with far more attention to grammar and style than I do, even though I am a professional writer as part of my work.
"Some some of the management here, to my shame,.." would have been a sentence with correct punctuation;-)
Then again, we all, make mistakes.. (Though no-one has caught me out on the spurious "that" in my previous post yet..)
Another one of my pet peeves that is when people write enormously long sentences that run over the entire width of my screen and that have a lot of subclauses even though the same message, that might actually have held my interest if it were presented more succinctly, could have been split up in multiple shorter sentences that are easier to understand.
Heh, exactly. #1 complaint I've always heard about Macs? "Oh, you have to drag the disk to the Trash to eject it, that's not intuitive."
Answer? Nothing about computers is 'intuitive' it's all learned behaviour. The fact that people actually whine and bitch about something that small makes me laugh, especially now that in OS X the Trash turns into the Eject icon when you grab and move a removable disk.
As the saying goes; the only intuitive interface is the nipple (and even that barely qualifies, some babies have a hard time coming to grips with it). But at least a user interface can be consistent. Dragging the floppy to the trash would suggest wiping the entire floppy disk, but it doesn't do that; in fact, it makes sure your files aren't deleted!
In fact, good graphical user interfaces are user-friendly (to neophytes at least) not just because they're consistent, but because they are modeless - vim is pretty consistent, but not modeless.
I think this is a justified gripe, no matter how easily it is learnt. Other user interfaces might have more deficiencies, and ones that are harder to overcome, but mac ain't perfect either.
as long as my mom, who can be called a computer idiot but still manages to do her work with MS Office, tells me "what's that K icon where START should be", I call bullcrap on any point-and-click Linux.
While it IS extremely typical, it's not an issue that should be addressed by linux distributions changing. Even moms should learn to cope with stuff like that. It's not like fridges all have identical handles, people don't even complain as much about cars being different models (or even stick shift instead of automatic gear), they cope and adapt, even though operating a car in the wrong way is a million times more likely to kill them. Guess what, the differently shaped and colored steering wheel does the same thing!
Not only does it cover the same ground, it also goes into detail a bit more about real tricky business; protocols (where most mistakes are made these days, since nearly everybody uses off-the-shelf algorithms like AES, DSA, RSA and ElGamal). This guy knows how to write, and succeeds in warning you of potential pitfalls in a humorous manner. Also, he knows his stuff; he submitted one of the AES candidates, Blowfish.
Bruce also publishes the most excellent Crypto-Gram newsletter.
Beware of not heeding Bruce's stern words of warning. You may end up in the doghouse! The humiliation! The shame upon your house!
About RSA: Current hardware means key lengths should be 1024 bits for complete security. The present generation of web browsers use 128-bit keys so cannot be considered secure against a determined and sufficiently well-resourced attack.
Certificates are 1024 or 2048 bit with SSL. On the other hand, once the key is sent and shared, a 128 bit symmetric form of encryption is used. The only thing RSA is used for is sending / receiving the symmetric encryption key, yes?
Kinda yes. The public key is used to encrypt the session key, which is used in turn to encrypt the payload using a symmetric algorithm for speed.
Certificates are a bit bigger than 1024 or 2048 bits. They contain the public key (consisting in the case of RSA, among other things, of the 1024/2048 bit modulus) the owner's identification (e.g. e-mail address, common name, url,..), validity dates, and a digital signature from a certificate authority (in some cases they're only self-signed, in other cases, dozens of people may contribute to authenticating a public key's ownership information, as in PGP).
A certificate is just that; it's to certify that a certain public key belongs to a certain entity.
If you pay enough to microsoft/opera/etc., you can certify anybody you want and all internet explorer users will take it for granted, because no one checks certificates.
Some image editing apps forget to update the tiny thumbnail in the meta information that's used by windows explorer to extract thumbnails (if present).
Which is pretty cool if people cropped the picture or added black bars to protect the "innocent".
Also, digital cameras add EXIF info containing date, time, make and model of camera, lighting conditions and settings, etc. It can freak people out when they send you a picture and you tell them "hmm.. it looks to me like a picture from a Canon Powershot A6, did you use the nightshot mode?".
But what they cannot do is give your information to other 3rd parties without your direct consent unless its under federal mandate and/or decree (read: court order and/or the Patriot act).
Really? How do credit rating agencies get information about your credit card debt without you ever having explicitly told your bank the information is theirs to share? Where exactly do all those pre-approved credit offers come from?
Offshore data management services is simply a scarier way of saying Disaster Recovery. You want your bank to keep running even if the home office (or data center) explodes, right? Then don't start bitching about them backing up data in different places.
Not about backing up, perhaps, but fleeing the jurisdiction (off-shore backups can be done just fine in Alaska and Hawaii) offers perks in that they can do way more than just back-ups with your data.
Challenge-response isn't inherently more secure than an auto-updating number based on time. Both are basically implementations of a pseudo-random function. With the auto-updater, the current time is essentially the challenge. And not having to type/scan in an explicit challenge is a lot more usable.
With C/R the challenge can be extended with human-readable data; my bank required me to enter bank-account numbers I add to my e-banking address book as a challenge in my token. Other banks require the amount you're transferring to be entered as a second challenge for transactions above a certain amount. This prevents spy/ad/malware/a man-in-the-middle from altering the data you sent (vs. the data you see in your browser).
An even more advanced scheme would allow you to digitally sign the entire transaction on a tamper-resistant device that doesn't get infected with virusses/malware as easily as your average windows PC does.
Transaction acception codes aren't just about authentication of the user, they're about non-repudiation of the transaction itself.
However, if I can reverse engineer the bank's device and discover the algorithm in use, it becomes worse than useless, in that instills a false sense of security.
No, not if the algorithm is properly designed; it should rely on the secrecy of the key, not the algorithm. And yes, all tokens are keyed, otherwise they would be completely interchangeable, which they're not.
Strong passwords are still less hassle, don't sacrifice much to security concerns (if never expressed in clear text), and just aren't that freaking hard to create. Pre-shared keys are even better, depending on how strong they are, and how they're distributed. And how well keys are guarded/revoked-if-stolen.
Non-shared keys are better. Like, oh say, public key encryption.
The SecurId algorithm is here btw (from another post in this thread).
Sounds like your device just calculates a response based on two inputs; don't know why that wouldn't be just as easy in software. (You _can't_ turn a SecureID card off, so it can't get out of synch with the server, unlike software.)
Not to say that your device isn't secure - more reverse engineering would be required to determine that - but the two approaches *are* very different.
The approaches are different mostly in the way that securID can't do challenge/response. Note that most hardware tokens that can do challenge/response also use a hardware clock.
The immideately obvious benefit of challenge/response is that it offers far better protection against replay attacks - securID numbers are valid for 10 seconds, whereas a parallel login session using C/R will use a different challenge (in fact, the resolution is worse than 10 seconds since the server will usually accept the previous and next number as well, in order to resync to correct for clock drift).
Also, some e-banking authentication schemes require you to enter both a challenge AND the amount (or recipient's bankaccountnumber) you're transferring; this prevents malware on your PC (or a man-in-the-middle) altering the amount without you detecting it. This is obviously impossible to do with a non-C/R scheme like SecurID.
Example; when I add an account number to my e-banking site's address book, I'm asked for the response to a challenge that's clearly and human-readably derived from the bankaccount# (1 number is dropped) - so malware can't change the acount#s I add to my address book.
In my mind, even devices without a hardware clock that can do C/R are preferable to securID schemes that do have a clock but no C/R.
Also note that tokens that do C/R usually need to be unlocked with a PIN before use (they already come with a keypad, so why not?) - this means you get two-factor authentication basically for free, and the PIN only needs to be checked by the token itself, so it's not stored on the server, not even in a hashed form (which is trivial to brute force for 4/5 digit codes anyway).
While securID might be very well accepted in the IT world, and is easy to roll out, it's certainly not the most secure or well thought-out authentication method by a long shot. And they're damn expensive given how simple their design is! Just a clock and an LCD that shows the hash of the current_date/time_rounded_to_the_closest_10_secon
I've been using physical tokens to log on to e-banking for years. Not only that, but tokens that are significantly more secure than securID fobs, in that they support challenge/response and using a PIN to unlock it (two-factor security, and the PIN is only used with the token so it needn't be known at all to the bank).
In fact, most banks are now switching to keypads that you plug your existing bankcard in, so they can piggyback on the tamper-resistant chipcard that's already on there (although it's slightly less advanced than some tokens, since chipcards don't support a clock that's permanently ticking).
Most devices are from Vasco who provide a wide range of tokens (some more secure than others). They even have challenge/response tokens that don't require you to copy the challenge; they have optical sensors that can read out a code that's blipped out by flashing blocks on your screen. Way cooler devices than those RSA securIDs.
Those are all valid theories (or rather hypotheses, since they don't describe any underlying mechanisms).
But a theory isn't necessarily right.
But if it can't be disproved, you don't even need to bother trying to prove it, since it's worthless.
Scientists don't just dream up theories, they test them. If you dreamt up the above theories, you'd have to go about testing them. Measuring fish-farting, statistical modelling etc. If you were any good at that you'd be a good scientist, though probably a mentor would suggest to you to pick hypotheses that were more likely to be correct. (Although the fish-farting isn't that far out; in fact, Bovine expulsion of gasses is high on the list of sources of greenhouse gasses).
Perhaps your esteem for the status "theory" is a bit to high. It's not like scientist go around saying to each other "Woah man! You made a THEORY", it's more like "A-ha! Your model is but a worthless theory! I challenge you to prove it, scoundrel!"
repeat after me: creationism (or "intelligent design") is not a scientific theory. it has no predicative power, it offers no real explanation, nor can it be tested.
Well, as creationists will point out, evolution can't be tested on a multi-million year time-scale either, and multi-million-year predictions are hard to check.. As for offering no real explanation, creationists will also disagree about that; and moreover, real scientific theories sometimes don't have real explanations; like Newton's theory of gravity.
The thing with creationism is that it cannot be disproved, and that's what makes it a non-contender. It's called falsifiability. You can never prove there is NO God. Perhaps he likes it that way, and being almighty, there's no way you're gonna catch him out! Can't be sure, can you? In fact, he might be faking all them scientific resultamajigs so as to test y'all's faith in him! Nope siree, can't disprove God.
On the other hand, if the skies crack open and a thundering voice bellows "This is God. Evolution is a crock. Check out genes #43.125-43.234 in starfish and humans" and it turns out those genes contain a binary encoded (C/G=1, T/A=0) message saying "(c) YHWH, 4000BC, nobody mess with my copyrites, I rulez0rs, go forth and multiply suckas!", well, then that could quite possibly be a good way to disprove evolution..
Cell phones usually run on 4.8V, because you can only get multiples of 1.2V when you couple rechargeable batteries in series (non-rechargeables carry up to 1.5V, so that's why 3/6V is common in toys and the like).
In fact, 1.5V (or a multiple thereof) was a pretty good standard until rechargeables came along. That's also why one of them flatty squarry batteries is 9V, a multiple of 1.5..
The problem of course is that while you can easily go from 1.5V to 3V and up by coupling batteries in series, if you've got an adapter hooked up to the mains, it usually only outputs one voltage, or it would have to have a switch on it. Those things are hideously expensive for some reason, $30 for a simple adapter with not to much power.
It would be trivial to design a connector that has a socket with pins either present or missing just for the purpose of indicating which AC voltage it wants. You'd need quite some pins to cover the bases though - multiple of 1.2 or 1.5, 1,2,4 or 8x base voltage, expected number of amps, one pin per bit of information makes for brittle connectors..
I'd imagine Emergency Services are quite chuffed with GPS. E911, for example.
But hey, perhaps it's also a "good idea" to stop ambulances from going onto the streets in the aftermath of a terrorist attack. After all, the "terrrsts" might just hijack an ambulance and use it against us! Ph3ar!
I'll agree with you on one thing, I don't see them installing cell phone nodes in planes anytime soon.
Actually, that would allow them to set up their own virtual network, on which you'd roam, and they could charge you a zillion dollars per minute. Also, there's less interference, because the handsets will find the basestation much nearer by, and don't need to output as many Watts to reach it.
The main problems would be the zillion different standards (not as much a problem on flights in and between Europe/Asia(excl.Japan)/MiddleEast as they're on GSM) and most of all; regulatory.. After all, it's not only licensed spectrum, but you're crossing borders!
Local exploit = a user with an account on the machine does something unauthorized
Remote exploit = a user without an account on the machine takes over the machine (or some part of it)
I don't have an account on the TA's NASM machine, but I created a file on it. That's a major problem!!
The TA has an account. If I open a word document that unexpectedly creates or modifies files, that's not a remote exploit, even if I got it via e-mail. It's a local exploit without privilege elevation. A trojan horse. Simple as that.
If NASM came with a default installation that setup an e-mail account "ta@example.com" from which it would automatically pick up files and assemble them, sure, it would be a remote exploit.
The difference is, if I read about a remote exploit, I need to patch my services today. If an exploit is one that needs files to be manually gotten from somewhere and run through some program to do unexpected things, I don't need to run out and patch most of my systems; as they're only being used by one person, who doesn't do silly things like that.
If you connect an unpatched XP system to the internet, it will be compromised in a few minutes. Those are remote exploits. No user interaction required.
Until you look for security holes and actively exploit them, you won't understand the situation. Learn about it, try your hand at it, then come back and talk to me.
Yes, master, you are the expert! No one should be even allowed to post in this thread without a 6 year training in Nepal with the Shaolin security monks! How silly of me.
By all means, invent your own meaning for words, but words are for communication. When you go on exaggerating like this, it's good for a laugh, but you might end up being the boy who cried wolf.
Here's the scenario: You are the TA for a CS course. You have 700 NASM programs to grade. What do you do? Compile them and see if they run and return the expected results. Well by doing that, I just compromised your entire account. From the comfort of my own home.
So yes, it's a remote exploit.
Ok, so here's the scenario: I hire a ninja to break into your apartment, and enter a series of commands I handed him on a slip of paper. Now suddenly whatever happens is a remote exploit?
It's a local, executes arbitrary code vulnerability. Sure, if you open up the machine to remote users it becomes a remote vulnerability. And if the code in question contains some further exploits to attain higher privileges, the amalgam becomes a remote root exploit. And, as the saying goes, if my grandpa had wheels, he'd be a bus.
If you interpret "remote" in this way, then there is no distinction between local and remote anymore. I find the distinction quite useful.
1) Create sourceforge project page under assumed name.
2) Post forks of programs with extra bugs inserted.
3) Profit!
You see - there's a number 2 step, thanks to open source.
I've seen a computer case that claimed netware compatibility. *sigh*
Using an encrypted password list on your palm or pocketpc (or even mobile phone..) is a good idea to patch up problems with the current situation.
However, as tokens, they're not so hot.
Because the secrets aren't stored in a tamper-resistant chip, the file containing the password list is subject to brute force decryption attempts, whereas a smartcard blocks after 3 tries. So, the strength of your password list depends on the strength of your master password (assuming the hash and encryption algorithms are sound).
With a 3-try-PIN brute forcing is impossible; the odds are always 1000:3 of an attacker getting it right.
So it's no replacement for suitably secure tokens.
Also note that tokens can also provide 2 factors of identification, while a password list still only provides the one.
Passwords are always going to be flawed. Biometrics are the wave of the near future/present.
Yeah. Unlike passwords, biometrics are resistant to, what, 10 replay attacks? Unless you're using iris-scans, then you've got 2 passwords, maximum.
You are aware that most fingerprinting gear is resistant to the dreaded Gummy Bear attack? (That's where they use a copy of your prints - lifted off of a glass you used for example - made out of Gummy Bear candies).
Biometrics are useless unless the biometric-taking hardware is physically secured by human guards checking to make sure you're not palming any Gummy Bears.
(As a cost-cutting measure, notice how human guards are much better at facial recognition than computers, and just issue photo-IDs..)
The best scheme is a smart device (such as a smart-card with standalone(!) cardreader), that lets you physically enter a PIN into it, which then unlocks a securid or challenge/response scheme.
The (embedded) chip is tamper-resistant (quite possibly erases the secrets inside when opened) and only lets you try 3 pins. The challenge/response scheme can then be as convoluted as you like, perhaps based on public/private key.
My bank uses the chip embedded on my regular ATM card, and a card reader with a keypad and integrated LCD readout. When logging on to e-banking, I enter a PIN, enter a challenge on-screen, and then enter the response from the LCD readout into my browser.
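Added example, not part of any post in this thread and not any bank's actual scheme: a Python model of the PIN-gated challenge/response token described above, with the three-try limit and secret erasure. The HMAC-SHA256 shared secret, the 8-digit truncation, the optional transaction fields and all names and sample values are assumptions of this sketch.

```python
import hashlib
import hmac

MAX_TRIES = 3  # the three-try PIN limit described in the post


def response_code(secret: bytes, challenge: str, fields: tuple = ()) -> str:
    """8-digit response over the challenge plus optional transaction fields."""
    # Length-prefix each part so ("12", "3") and ("1", "23") cannot collide.
    msg = b"".join(len(p.encode()).to_bytes(2, "big") + p.encode()
                   for p in (challenge, *fields))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Token:
    """Stand-in for the chip: the secret never leaves it, only responses do."""

    def __init__(self, pin: str, secret: bytes):
        self._pin, self._secret = pin.encode(), secret
        self.tries_left = MAX_TRIES

    def respond(self, pin: str, challenge: str, fields: tuple = ()) -> str:
        if self.tries_left == 0:
            raise PermissionError("token blocked")
        if not hmac.compare_digest(pin.encode(), self._pin):
            self.tries_left -= 1
            if self.tries_left == 0:
                self._secret = b""  # erase the secret once blocked
            raise PermissionError(f"wrong PIN, {self.tries_left} tries left")
        self.tries_left = MAX_TRIES  # a correct PIN resets the counter
        return response_code(self._secret, challenge, fields)


def bank_verify(secret: bytes, challenge: str, fields: tuple,
                response: str) -> bool:
    """Server side: recompute from its own copy of the secret and compare."""
    expected = response_code(secret, challenge, fields)
    return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":  # constructed sample values
    secret = bytes(range(32))
    token = Token("4821", secret)
    code = token.respond("4821", "730155", ("250.00",))
    print(code, bank_verify(secret, "730155", ("250.00",), code))
```

Because the counter lives inside the token, an attacker holding it gets three guesses in total, while an encrypted password file can be attacked offline with no such limit.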
Or just edit the list of names in their favorite text-editor, and only paste it in whatever spawn-of-satan wysiwyg gui they're using (or into the xsl:fo) when the list is done already..
Unlike many people here, I do not have a problem with the grammar, punctuation, or spelling of e-mail messages. ;-)
;-)
You Sir, bring out the grammar Nazi in me!
To my shame, some of the management here, write e-mail with far more attention to grammar and style than I do, even though I am a professional writer as part of my work.
"Some some of the management here, to my shame,.." would have been a sentence with correct punctuation
Then again, we all, make mistakes.. (Though no-one has caught me out on the spurious "that" in my previous post yet..)
Another one of my pet peeves that is when people write enormously long sentences that run over the entire width of my screen and that have a lot of subclauses even though the same message, that might actually have held my interest if it were presented more succinctly, could have been split up in multiple shorter sentences that are easier to understand.
Heh, exactly. #1 complaint I've always heard about Macs? "Oh, you have to drag the disk to the Trash to eject it, that's not intuitive."
Answer? Nothing about computers is 'intuitive' it's all learned behaviour. The fact that people actually whine and bitch about something that small makes me laugh, especially now that in OS X the Trash turns into the Eject icon when you grab and move a removable disk.
As the saying goes; the only intuitive interface is the nipple (and even that barely qualifies, some babies have a hard time coming to grips with it). But at least a user interface can be consistent. Dragging the floppy to the trash would suggest wiping the entire floppy disk, but it doesn't do that; in fact, it makes sure your files aren't deleted!
In fact, good graphical user interfaces are user-friendly (to neophytes at least) not just because they're consistent, but because they are modeless - vim is pretty consistent, but not modeless.
I think this is a justified gripe, no matter how easily it is learnt. Other user interfaces might have more deficiencies, and ones that are harder to overcome, but mac ain't perfect either.
as long as my mom, who can be called a computer idiot but still manages to do her work with MS Office, tells me "what's that K icon where START should be", I call bullcrap on any point-and-click Linux.
While it IS extremely typical, it's not an issue that should be addressed by linux distributions changing. Even moms should learn to cope with stuff like that. It's not like fridges all have identical handles, people don't even complain as much about cars being different models (or even stick shift instead of automatic gear), they cope and adapt, even though operating a car in the wrong way is a million times more likely to kill them. Guess what, the differently shaped and colored steering wheel does the same thing!
I'd recommend Applied Cryptography by Bruce Schneier instead.
Not only does it cover the same ground, it also goes into detail a bit more about real tricky business; protocols (where most mistakes are made these days, since nearly everybody uses off-the-shelf algorithms like AES, DSA, RSA and ElGamal). This guy knows how to write, and succeeds in warning you of potential pitfalls in a humorous manner. Also, he knows his stuff; he submitted one of the AES candidates, Blowfish.
Bruce also publishes the most excellent Crypto-Gram newsletter.
Beware of not heeding Bruce's stern words of warning. You may end up in the doghouse! The humiliation! The shame upon your house!
Kinda yes. The public key is used to encrypt the session key, which is used in turn to encrypt the payload using a symmetric algorithm for speed.
Certificates are a bit bigger than 1024 or 2048 bits. They contain the public key (consisting in the case of RSA, among other things, of the 1024/2048 bit modulus) the owner's identification (e.g. e-mail address, common name, url,
A certificate is just that; it's to certify that a certain public key belongs to a certain entity.
If you pay enough to microsoft/opera/etc., you can certify anybody you want and all internet explorer users will take it for granted, because no one checks certificates.
Some image editing apps forget to update the tiny thumbnail in the meta information that's used by windows explorer to extract thumbnails (if present).
Which is pretty cool if people cropped the picture or added black bars to protect the "innocent".
Also, digital cameras add EXIF info containing date, time, make and model of camera, lighting conditions and settings, etc. It can freak people out when they send you a picture and you tell them "hmm.. it looks to me like a picture from a Canon Powershot A6, did you use the nightshot mode?".