Open Source and information security mailing list archives
 
From: chromazine at sbcglobal.net (Steve Kudlak)
Subject: Clear text password exposure in Datakey's tokens and smartcards


Hey Grant et al;

Giggle, well I am glad to hear from someone who actually has to deal
with these things. I have seen a lot of things that people go running after
as the next big thing in some industry and 3 years down the line it causes
real trouble. Also I am sure there are lots of security products that were
released during the dot-com boom by companies with clever names
like "Security Solutions" and at least one manager somewhere thought
it was the latest and greatest and bought it, and now someone is caught
with it and "Security Solutions" went bust in the dot-com bust.

I have looked at the RFID stuff and all the plans worked for it, including a
whole set of PR campaigns to calm public privacy fears. What I wondered
is why there was so much effort being exerted to track say a can of coke or
a pen or something like that. Some of the software looks very complex and
it looks like no way is it plug and play and it looks like something that
will go wrong way too easily. It is obvious at the local drug chain that
the computer is not given the correct price many weeks in a row. That seems
pretty simple to do. If they can't get that right how are they going to get
something more complicated right? I might trust librarians to try to get
things right, but some of the people in the local stores it's one more
hassle for them.

Have Fun,
Sends Steve

grant pew wrote:

> Steve
>
> Just a bit more info on the RSA pin cards. I deal with these quite often.
> The guy "cjs" is slightly mistaken. The pin cards are really 2-factor
> authentication. The card itself uses an algorithm within the card that
> the RSA server understands, or can decode. The other factor is the pin
> that the client (human) remembers. So if the pin card gets stolen it
> can't be reused. Sort of like an ATM card, but more sophisticated. In
> reality the whole thing is a big pain in the ass to set up and implement.
> I think RSA has come up with somewhat better schemes, I just hope they
> don't come my way too soon. The pin method is a big pain in the ass to
> set up, and given the new security stuff, I don't even want to look at
> anything new.
>
> Steve Kudlak wrote:
>
>>
>> I am going to start singing that old song from some movie made
>> before my time of "Nice Work if you can get it, and you can get
>> it if you try..." Of course I think the crooner was crooning about
>> romance, easier to convince some human that it is worth some bucks
>> to get rather than random numbers which are everywhere if you look,
>> eh?, yeah, right?;) <====said with a sneer (giggle;)
>>
>> More seriously I was looking to RFID systems vis a vis the privacy
>> worries of such and such systems and I wondered what would a store,
>> or a library want with something that with effort could tell you
>> everywhere it has been. Now I admit when I have misplaced two books I
>> really some days want a "magic wand" to find them.
>>
>> The other problem is I have seen my local library try to handle its
>> security concerns and some things seem reasonable to me, many seem
>> being a bit overcautious after being burnt. I know the legends involved,
>> when I mention I am trying to solve some problem I am told I just need
>> an 11 year old to do it for me, as if they are pixies with magic power.
>> Getting your staff which is dedicated in the case of the library, but
>> which is dedicated but which several techoquestioning? (giggle trying to
>> be polite) people on it, but which is sensitive to privacy concerns.
>> Versus the people at the Long's Drug Chain (Medium Sized US Drug Chain)
>> where there is a big taa-doo at the register to check everything out
>> whenever I bring in an item that I was overcharged $3.00 for. I look at
>> some of the more elaborate security systems that merchants have been
>> sold as being good and I am ready at least emotionally to join the
>> "number of the beast" worrywarts. I hope the Long's main office when
>> presented with a new security plan looks at it and laughs and says it
>> is too expensive.
>>
>> But I am sure that someone has told some ubermanager far away from
>> Watsonville California that "Your Shrinkage Problems will disappear if
>> you install our $5Megabuck system....which if you look at it per item,
>> it is not that expensive...." Of course the guy selling it is far
>> distant again from the techies who produced to earn their daily bread
>> to pay for living in the $1000US/mo apartment. The salescreature thinks
>> the idea of selling random numbers at $25.00 for a couple hundred is a
>> good thing. I mean they say: "Those are magic numbers they are produced
>> by complicated software written by people who are so bright....." You
>> get my drift.
>>
>>
>> Have Fun,
>> Sends Steve
>>
>> P.S. The "they lock when you take them beyond the parking lot" shopping
>> carts have become great playtoys for kids in the neighborhood who like
>> to overpower them and hear them beep as they drag it along like a
>> recalcitrant puppy.
>>
>>
>>
>> Curt Sampson wrote:
>>
>>> On Fri, 6 Aug 2004, Dana Hudes wrote:
>>>
>>>> On Fri, 6 Aug 2004 Bart.Lansing@...ls.com wrote:
>>>>
>>>>> RSA has been doing PIN cards for ages...I don't get the hangup on
>>>>> SmartCards vs "plain old" something you have/something you know two factor
>>>>
>>>> As I understand it a "PIN Card" is a card with an EEPROM on it that
>>>> contains a PIN.  Possibly encrypted but it's the same effect as any other
>>>> file. The host decides if the PIN matches.
>>>
>>> The RSA SecurID system is a hardware token that generates a new number
>>> every minute using a sequence generator and a seed that is effectively
>>> a shared secret between the hardware token and the authentication
>>> server. You take the current minute's number and, usually, some other
>>> authentication information (such as a PIN or password) and pass both
>>> of those back to the authentication server, which will then determine
>>> whether the authentication is valid.
>>>
>>> It's a bit expensive, but it works ok.
>>>
>>> RSA also sells "software tokens" which are the same thing, but as
>>> software that runs on a PC or handheld. This is particularly expensive
>>> for what you get, since the token is easily copied from the device, with
>>> no indication that it's been stolen. (At least with the hardware tokens
>>> you know when it's been stolen.) And it's also quite expensive: they
>>> charge $25-$80 for a "1 year" software token. I wish I had the gall to
>>> sell large quantities of 128 bit random numbers for $25 each.
>>>
>>> cjs
>
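
The scheme described in Curt Sampson's quoted message (a per-minute code derived from a seed shared by token and server, checked together with a PIN) can be sketched as follows. This is an added example, not part of the original posts and not RSA's algorithm: it substitutes the public HMAC truncation from RFC 4226 with a 60-second step, and `token_code`, `AuthServer` and every sample value are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds; the post says the token shows a new number every minute


def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Code for the minute containing unix_time (RFC 4226 truncation, a stand-in)."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical server: holds each seed and a PIN verifier, one login per code."""

    def __init__(self):
        self.users = {}      # user -> (seed, pin_salt, pin_hash)
        self.last_used = {}  # user -> counter of last accepted code (replay guard)

    def enroll(self, user, seed, pin, salt):
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self.users[user] = (seed, salt, pin_hash)

    def verify(self, user, pin, code, now, drift=1):
        if user not in self.users:
            return False
        seed, salt, pin_hash = self.users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        pin_ok = hmac.compare_digest(candidate, pin_hash)
        # Accept the current minute plus/minus `drift` minutes of clock skew.
        for delta in range(-drift, drift + 1):
            t = now + delta * STEP
            if hmac.compare_digest(token_code(seed, t), code):
                fresh = (t // STEP) > self.last_used.get(user, -1)
                if pin_ok and fresh:
                    self.last_used[user] = t // STEP
                    return True
                return False  # right code but wrong PIN, or code already used
        return False
```

Because the code depends only on the seed and the clock, a copy of a software token's seed produces the same codes as the original, and nothing in the exchange tells the server which copy it is talking to.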