Message-ID: <200509012006.QAA27456@Sparkle.Rodents.Montreal.QC.CA>
Date: Thu, 1 Sep 2005 15:50:29 -0400 (EDT)
From: devnull@...ents.Montreal.QC.CA
To: bugtraq@...urityfocus.com
Subject: Re: secure client-side platform


[As usual, the From: is a black hole, as a broken-autoresponder
defense.  Use the address in the signature if you want to reach me.]

> imagine i'm going to access an e-gold account of $1M ... 
>     first [...]; then [...]; [...]
> i cannot figure out what could go wrong in the above process ...

How about a "reflash your BIOS" infection?  I've heard of malware loose
in the wild that trashes flashable BIOSes; it would take only a little
more care to build one that flashes a carefully infected image instead.

I've never liked the flashable BIOS idea, though I'm OK with it if
there's a way to disable reflashing that can't be changed by software
(eg, a jumper must be on a certain pair of pins).  I've seen boards
which "defend" against malware reflashing them by having two copies,
both flashable, which may help against getting randomly trashed but is
of no value against careful malicious reflashing; whatever the vendor
reflashing software can do, malware can do too.

> Q: can you really trust Google?

Trust Google with what?  Trust Google to do, or not do, what?

No, I don't actually myself care about the answers to those.  I'm just
trying to point out that trust is not a simple yes-or-no thing.  For
example, I trust my upstream to deliver (almost) all of the data I send
through them unchanged, but I don't trust them with my passwords on
other than their machines.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@...ents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

