lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: chromazine at sbcglobal.net (Steve Kudlak)
Subject: Clear text password exposure in Datakey's tokens
 and smartcards


Well here is a cute little article about someone has hacked RFID tags for
fun. So it is good that the local library never went down that path. It 
would
cause great embarrament if books had their titles hacked to be "The Sensous
Librarian  --- by L"  or little notes like :  "Mutter can the cute 
librarian at works
on such and such a schedule come out an play..."  or something racey.
Perhaps I have been talking to junior high kids and teachers too much.
Here's the link:
http://www.engadget.com/entry/6563571713524446


Have Fun,
Sends Steve


grant pew wrote:

> Steve
>
> Just a bit more info the RSA pin cards. I deal with these quite often.
> The guy "cjs" is slightly mistaken. The pin cards are really 2-factor 
> authentication.
> The card itself uses an algorithm within the card that the RSA server 
> understands,
> or can decode. The other factor is the pin that the client (human) 
> remembers.
> So if the pin card gets stolen it can't be reused. Sort of like an ATM 
> card, but
> more sophisticated. In reality the whole thing is a big pain in the 
> ass to setup and
> implement. I think RSA has come up with somewhat better schemes I just 
> hope
> they don't come my way too soon. The pin  method is a big pain in the 
> ass to
> setup, and given the new security stuff, I don't even want to look at 
> anything new.
>
> Steve Kudlak wrote:
>
>>
>> I am going to start singing  that old song from some movie made
>> before my time of "Nice Work if you can get it, and you can get
>> it if you try..."  off course I think the crooner was crooning about
>> romance, easier to convince some human that it is worth some bucks
>> to get rather than random numbers which are everywhere if you look,
>> eh?, yeah, right?;) <====said with a sneer (giggle;)
>>
>> More seriously I was looking to RFID systems vis a vis the privacy
>> orries of such and such systems and I wondered what would a store,
>> ora library want with something that with effort could tell you 
>> everywhere
>> it has been. Now I admit when I have misplaced two books I really
>> somedays want a "magic wand" to find them.
>>
>> The other problem is I have seen my local library try to handle its
>> security concerns and somethings seem reasonable to me, many seem
>> being a bit overcautious after being burnt.  I know the legends involved,
>> when I mention I am trying to solve some problem I am told I just need
>> an 11 year old to do it for me, as if they are pixies with magic power.
>> Getting your staff which is dedicated in the case of the library, but 
>> which
>> is dedicated but which several techoquestioning? (giggle trying to be 
>> polite)
>> people on it,  but which is sensitive to privacy concerns. Versus the 
>> people
>> at the Long's Drug Chain (Medium Sized US Drug Chain) where there is 
>> a big
>> taa-doo at the register to check everything out whenever I bring in 
>> an item
>> that I was overcharged $3.00 for. I look at some of the more elaborate
>> security systems that merchants have been sold as being good and I am 
>> ready
>> at least emotionally to join the "number of the beast" worry-worts. I 
>> hope
>> the Long's main office when presented with a new security plan looks 
>> at it
>> and laugh's and says it is too expensive.
>>
>> But I am sure that someone has told some ubermanager far away from 
>> Watsonville
>> California that "Your Shrinkage Problems will dissappear if you 
>> install our $5MEgabuck
>> system....which if you look at it per item, it is not that 
>> expensive...."  Of course the
>> guy selling it is far distant again from the techies who produced to 
>> earn their daily
>> bread to pay for living in the $1000US/mo apartment. The 
>> salescreature thinks the
>> idea of selling random numbers at $25.00 for a couple hundred is a 
>> good thing.
>> I mean they say: "Those are magic numbers they are produced by 
>> complicated
>> software written by people who are so bright....." You get my drift.
>>
>>
>> Have Fun,
>> Sends Steve
>>
>> P.S. The "they lock when you take them beyond the parking lot "  
>> shopping carts have
>> become great playtoys for kids in the neighborhood who like to 
>> overpower them and
>> hear them beep as they drag it along like a relcalitrant puppy.
>>
>>
>>
>> Curt Sampson wrote:
>>
>>>On Fri, 6 Aug 2004, Dana Hudes wrote:
>>>
>>>  
>>>
>>>> On Fri, 6 Aug 2004 Bart.Lansing@...ls.com wrote:
>>>>
>>>>    
>>>>
>>>>>RSA has been doing PIN cards for ages...I don't get the hangup on
>>>>>SmartCards vs "plain old" something you have/something you know two factor
>>>>>      
>>>>>
>>>>as I understand it a "PIN Card" is a card with an EEPROM on it that
>>>>contains a PIN.  Possibly encrypted but its the same effect as any other
>>>>file. The host decides if the PIN matches.
>>>>    
>>>>
>>>
>>>The RSA SecurID system is a hardware token that generates a new number
>>>every minute using a sequence generator and a seed that is effectively
>>>a shared secret between the hardware token and the authentication
>>>server. You take the current minute's number and, usually, some other
>>>authentication information (such as a PIN or password) and pass both
>>>of those back to the authentication server, which will then determine
>>>whether the authentication is valid.
>>>
>>>It's a bit expensive, but it works ok.
>>>
>>>RSA also sells "software tokens" which are the same thing, but as
>>>software that runs on a PC or handheld. This is particularly expensive
>>>for what you get, since the token is easily copied from the device, with
>>>no indication that it's been stolen. (At least with the hardware tokens
>>>you know when it's been stolen.) And it's also quite expensive: they
>>>charge $25-$80 for a "1 year" software token. I wish I had the gall to
>>>sell large quantities of 128 bit random numbers for $25 each.
>>>
>>>cjs
>>>  
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040810/e0f2cfc6/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ