Slashdot Mirror


User: Grampaw+Willie

Grampaw+Willie's activity in the archive.

Stories: 0
Comments: 209

Comments · 209

  1. who is Ms. Windows REAL customer on Firefox Security Head Says Microsoft Obscures OS Holes · · Score: 1

    advertising

  2. Ms. Windows on Firefox Security Head Says Microsoft Obscures OS Holes · · Score: 1

    promiscuous is the word for her, I think.

  3. invasive and non-invasive postings on NJ Blogger Fights for Anonymous Free Speech · · Score: 4, Interesting

    Blogging, and writing web pages are non-invasive: I am not going to receive the material unless I search for it and select it. Non-invasive postings are like a newspaper in that respect. If I don't like your newspaper I don't subscribe, and after that if you continue to drop it off on me that is littering. Anonymous non-invasive postings are fine. eMails, phone calls, FAXs, and executable codes are INVASIVE. If you bust through my door without identifying yourself and stating your business I like to put a boot in the seat of your pants. We have already won on FAXs and on Caller-ID. Next will be eMails and executable codes. NO SIGNATURE? NO EXECUTE.

  4. what to display on Publishers Seek Change in Search Result Content · · Score: 1

    from an HTML page I like a well written title

  5. Re:Md5 as a signature on MD5 Proven Ineffective for App Signatures · · Score: 1

    I deliver a new version of the software to you (the "good" version), you certify and sign it (using MD5, unfortunately for you). I swap out the "evil" one, and next time you download it -- sure enough, the signature verifies it's fine

    That shouldn't work: MD5 requires the recipient to regenerate the HASH and then check the signature. I have no idea why they think this is a performance improvement as you are going to have to scan the entire content of the message (program) in order to regenerate the hash.

    So by checking the signature on the HASH instead of on the whole document all they have done is to weaken PGP signature checking capability. But not much: the odds of two source files producing the same HASH ain't real good (HASH is like a CRC).

  6. Optional Security ? tee hee ROF,LMFAO on MD5 Proven Ineffective for App Signatures · · Score: 1

    From MSDN Library:

    Use digital signatures WHEN you want to distribute data, and you want to assure recipients that it does indeed come from you. Signing data does not alter it; it simply generates a digital signature string you can bundle with the data.
    (emphasis added)

    If you want security it has to be in effect 100% of the time. Not just here and there WHEN we have time for it and we don't bypass it to improve performance.

    the issue here is not whether MD5 is vulnerable but whether it is being used all the time like it needs to be

    anything and everything that is executable needs a signature that can be verified before it is executed and until that standard is made mandatory RATS will continue to have a festival which will only get worse and fast.

    NO SIGNATURE? NO EXECUTE.

    Cryptography such as these digital signatures is pretty good these days: proper use will render any attack on the cryptography itself a poor choice of options.

    But Bruce Schneier notes in his recent book that all too often cryptography is like putting a post in the middle of a field and hoping the attacker runs into it. If there is any way around the post the attacker will just take the easy way out and never bother the cryptography. He's not playing your game; he's playing a different game and he is governed only by the opportunities left open to him.

    Signatures should be required on all eMails as well and any eMail without a signature that you recognize and approve should go into quarantine so you can dispose of it.

  7. feds to get the hackers? too slow too costly on NZ Teen Arrested as 'Spybot Mastermind' · · Score: 1

    as Bruce Schneier notes arresting a hacker only results in a business opportunity for the next guy

    I'd like to note also that waiting on the Feds to track down hackers is TOO SLOW. A virus can do quite a bit of crime before we get to it that way.

    Silicon Valley published an excellent 3 part series on this just recently, and in Part 3 there is this:

    Since the outbreak of a cybercrime epidemic that has cost the American economy billions of dollars, the federal government has failed to respond with enough resources, attention and determination to combat the cyberthreat, a Mercury News investigation reveals.

    it isn't going to do any of us any good to yell for the federal government to do something. Yeah, OK they nailed 8 guys but at what cost? and how long did it take?

    How much damage can a virus do while we are waiting for the Feds to track down the owners and clean it out?

    the answer lies in changing MS/Windows and browsers so that un-authorized code is quarantined instead of executed. we will send the authors to rehab and this can start as soon as we have changed MS/Windows and the browsers so that nothing can execute without a PGP signature

  8. will this result in a kill? on NZ Teen Arrested as 'Spybot Mastermind' · · Score: 1

    no

    as Bruce Schneier notes arresting a hacker only results in a business opportunity for the next guy

    Silicon Valley published an excellent 3 part series on this just recently, and in Part 3 there is this:

    Since the outbreak of a cybercrime epidemic that has cost the American economy billions of dollars, the federal government has failed to respond with enough resources, attention and determination to combat the cyberthreat, a Mercury News investigation reveals.

    it isn't going to do any of us any good to yell for the federal government to do something. Yeah, OK they nailed 8 guys but at what cost?

    the answer lies in changing MS/Windows and browsers so that un-authorized code is quarantined instead of executed. we will send the authors to rehab and this can start as soon as we have changed MS/Windows and the browsers so that nothing can execute without a PGP signature

  9. Re:Yoohoo!!! on NZ Teen Arrested as 'Spybot Mastermind' · · Score: 1

    real rednecks call 'em 'yotes