Open Source and information security mailing list archives
Message-ID: <200408240145.i7O1jDVN006981@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Re-write with security in mind all ops. 

On Mon, 23 Aug 2004 14:22:42 PDT, "Gregory A. Gilliss" said:

> People, believe it or not, before there was Dubya, before there were mad
> rag heads disgracing one of the world's most civilized religions, before 
> Sir Tim Berners-Lee <Gack> 'invented' the Web, there was a network of people
> who shared information pretty freely and who, occasionally, would shell
> out of an app and gain root somewhere. All in all, it wasn't bad at all.

Yes.. I was around in that day and age.  However, I'll also note that by and
large, the people who would occasionally shell out weren't the sort of people
who were actively trying to blow me up.

Also, calling them "mad rag heads" is a bad idea - considered as a purely
military matter, they managed to pull off an operation that caused 3,000+
casualties on our side and only 19 on theirs.  Militarily, we got our butts
kicked.  And 3 years later, after invading 2 countries, we still don't even
know where their leader is. They're tech-savvy, using crypto to good effect,
and ditched their use of cell phones when they learned we knew how to track
them.  Consider that a very large chunk of our info was only obtained when
we accidentally busted our own mole in the organization - what does that
tell you about relative skill levels?

ObSecurity:  Demeaning the enemy with labels may be good training for Marines,
where dehumanizing the enemy to make it easier to kill them in combat may be a
good idea. It's a bad idea when trying to out-guess a clever opponent's next
move, when you know beforehand they're at least as clever as you.

> Now we have "no unencrypted links" which is a nice way of saying "I bet
> I can keep you off my swings". Funny how someone with a citigroup.com
> email is making such bold security claims. Two words - Vladimir Levin.

On the other hand, note that Citigroup is a bank and financial services
organization.

Would *YOU* trust a bank that *didn't* say "I bet I can keep you off my
swings/vaults/account info"?  Would you trust a bank that didn't do all
reasonable steps to secure themselves (and in this day and age, there's little
to no excuse for an unencrypted link for critical data)?

Personally, if I found my bank *wasn't* making such "bold security claims",
I'd find a new bank quickly....

> In case you haven't figured it out yet from the caustic replies you've
> received, around here the only credibility is clue. Abbreviations and 
> boasting count for diddly.

One of the more ironic things I've seen on this list to date....