lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <411739A1.1020302@sbcglobal.net>
From: chromazine at sbcglobal.net (Steve Kudlak)
Subject: Clear text password exposure in Datakey's tokens
 and smartcards


I am going to start singing  that old song from some movie made
before my time of "Nice Work if you can get it, and you can get
it if you try..."  off course I think the crooner was crooning about
romance, easier to convince some human that it is worth some bucks
to get rather than random numbers which are everywhere if you look,
eh?, yeah, right?;) <====said with a sneer (giggle;)

More seriously I was looking to RFID systems vis a vis the privacy
orries of such and such systems and I wondered what would a store,
ora library want with something that with effort could tell you everywhere
it has been. Now I admit when I have misplaced two books I really
somedays want a "magic wand" to find them.

The other problem is I have seen my local library try to handle its
security concerns and somethings seem reasonable to me, many seem
being a bit overcautious after being burnt.  I know the legends involved,
when I mention I am trying to solve some problem I am told I just need
an 11 year old to do it for me, as if they are pixies with magic power.
Getting your staff which is dedicated in the case of the library, but which
is dedicated but which several techoquestioning? (giggle trying to be 
polite)
people on it,  but which is sensitive to privacy concerns. Versus the people
at the Long's Drug Chain (Medium Sized US Drug Chain) where there is a big
taa-doo at the register to check everything out whenever I bring in an item
that I was overcharged $3.00 for. I look at some of the more elaborate
security systems that merchants have been sold as being good and I am ready
at least emotionally to join the "number of the beast" worry-worts. I hope
the Long's main office when presented with a new security plan looks at it
and laugh's and says it is too expensive.

But I am sure that someone has told some ubermanager far away from 
Watsonville
California that "Your Shrinkage Problems will dissappear if you install 
our $5MEgabuck
system....which if you look at it per item, it is not that 
expensive...."  Of course the
guy selling it is far distant again from the techies who produced to 
earn their daily
bread to pay for living in the $1000US/mo apartment. The salescreature 
thinks the
idea of selling random numbers at $25.00 for a couple hundred is a good 
thing.
I mean they say: "Those are magic numbers they are produced by complicated
software written by people who are so bright....." You get my drift.


Have Fun,
Sends Steve

P.S. The "they lock when you take them beyond the parking lot "  
shopping carts have
become great playtoys for kids in the neighborhood who like to overpower 
them and
hear them beep as they drag it along like a relcalitrant puppy.



Curt Sampson wrote:

>On Fri, 6 Aug 2004, Dana Hudes wrote:
>
>  
>
>> On Fri, 6 Aug 2004 Bart.Lansing@...ls.com wrote:
>>
>>    
>>
>>>RSA has been doing PIN cards for ages...I don't get the hangup on
>>>SmartCards vs "plain old" something you have/something you know two factor
>>>      
>>>
>>as I understand it a "PIN Card" is a card with an EEPROM on it that
>>contains a PIN.  Possibly encrypted but its the same effect as any other
>>file. The host decides if the PIN matches.
>>    
>>
>
>The RSA SecurID system is a hardware token that generates a new number
>every minute using a sequence generator and a seed that is effectively
>a shared secret between the hardware token and the authentication
>server. You take the current minute's number and, usually, some other
>authentication information (such as a PIN or password) and pass both
>of those back to the authentication server, which will then determine
>whether the authentication is valid.
>
>It's a bit expensive, but it works ok.
>
>RSA also sells "software tokens" which are the same thing, but as
>software that runs on a PC or handheld. This is particularly expensive
>for what you get, since the token is easily copied from the device, with
>no indication that it's been stolen. (At least with the hardware tokens
>you know when it's been stolen.) And it's also quite expensive: they
>charge $25-$80 for a "1 year" software token. I wish I had the gall to
>sell large quantities of 128 bit random numbers for $25 each.
>
>cjs
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040809/a3a1abeb/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ