lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <453FBBF9.6030304@gatech.edu>
Date: Wed, 25 Oct 2006 15:33:13 -0400
From: Matthew Flaschen <matthew.flaschen@...ech.edu>
To: Paul Schmehl <pauls@...allas.edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Putty Proxy login/password discolsure....

Obviously, with physical access and unlimited computing power there's no 
security.  Too bad no one has unlimited computing power (and very few 
have the power to break readily available schemes).

Matthew Flaschen

Matthew Flaschen

Paul Schmehl wrote:
> --On Wednesday, October 25, 2006 15:18:10 -0400 Matthew Flaschen 
> <matthew.flaschen@...ech.edu> wrote:
> 
>> Sorry, I shouldn't have implied that was only true of Windows.  However,
>> you CAN'T access encrypted data with physical drive access.
>>
> Not even that is true.  You can always *access* the data.  Depending 
> upon the type and complexity of the encryption, it may take a while to 
> decrypt, but once I have physical access, I have both the data and the 
> time to do just that.  *Most* of the "encryption" schemes for things 
> like passwords that used to be stored in plain text (until somebody 
> pointed it out) are fairly trivial and easily broken.
> 
> Even if they're not, I may be able to use the program itself to decrypt 
> the password and then capture it in plain text in memory.
> 
> Again, once you have physical access, it's game over, plain and simple.
> 
> Paul Schmehl (pauls@...allas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ