From: crypto at clouddancer.com (Aron Nimzovitch)
Subject: Vulnerability Disclosure Debate

I must be bored today.

   From: Valdis.Kletnieks@...edu
   Date: Fri, 08 Aug 2003 14:08:45 -0400

   > Hehe, that is probably the same mechanical system that Feynman broke
   > over 50 years ago.  Looks the same as what I once used and it is still
   > mechanical.  Takes a couple of hours without any clues to the initial
   > number.

   Nope.  The dial is only an input device, all it does is (a) provide initial power-up
   via a few spins to drive a generator, and (b) then the lockset just counts ticks
   left and right, it's actually microprocessor controlled.

Ohh, it has a COMPUTER, it MUST be better!  No wait, that means that
the backdoors for service personnel are accessible to bit boffers.


   In any case, GSA specs for Class 5 require:

   30 man-minutes against covert entry
   10 man-minutes against forced entry
   20 man-hours against surreptitious entry

Tell me that it was turned over to an outside source with motivation
to crack and that those standards were met.  Having written tests to
pass QA and dealt with QA inspectors, I am only amused with the
thought that these numbers represent reality.


   (surreptitious is what Feynman was doing - opening it without leaving
   noticeable traces. Covert basically means with a minimum of tools and noise, and
   forced means blowtorches, drills and all the rest).

Surreptitiously picking off a couple numbers was just one of the
tools in Feynman's bag.  He never needed any crude tools, and was only
defeated by one safe (the one that he believed to be best and never
actively attacked -- turned out to have the default combo).


   The general idea is that security is in layers - you presumably also have an
   armed Marine on patrol with orders "If you hear a noise, shoot (forced entry),
   and check every half hour and shoot any unauthorized activity (other 2
   categories)", or other schemes to make sure you don't get the requisite amount
   of time alone with the container.

Gee, read the story of the "Guess Who" note to see how effective such
security was at Los Alamos during the end phase of the war.
