lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <22372.1208210061@turing-police.cc.vt.edu>
Date: Mon, 14 Apr 2008 17:54:21 -0400
From: Valdis.Kletnieks@...edu
To: n3td3v <xploitable@...il.com>
Cc: n3td3v <n3td3v@...glegroups.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: n3td3v has a fan

On Mon, 14 Apr 2008 22:17:31 BST, n3td3v said:

> Ok, my comment above was slightly a drop in the sky to get attention
> of the problem, but look let's concentrate more on something else,
> which you seem to have purposely bypassed and snipped out, even though
> it was one of the key points...

I think what you're missing here is the concept of a "realistic threat model".

As for your "key point": 

On Mon, Apr 14, 2008 at 8:04 PM, n3td3v <xploitable@...il.com> wrote:
> The identify of cars belonging to employees, partners and others
> connected could be used against them, be followed off-site for thier
> devices to be technically eavesdropped on, or company documentation to
> be obtained, by stolen laptop, by breaking into car, by breaking into
> personal home space of employee.

Yeah, it *could*. Bruce Schneier calls it a "movie plot threat"....

On the other hand, a *smart* attacker would do one of two things:

1) If you don't care who the owner of license plate "IWRKYHOO" is, you don't
*need* a photo - you can just do whatever you intend to do to that car *while
it's in the parking lot*.  If that's too scary, you just park outside the
exit, follow somebody home, and do the dirty deed in their driveway instead.

2) If you're trying to do a targeted attack, a license plate doesn't really
help you much *anyhow* - if you have enough inside help at the local Motor
Vehicles office that you can ask them "who owns plate IWRKYHOO" and see if
it's somebody interesting, you can find the name of somebody interesting via
other means (note you need to do that *anyhow* in order to tell if they're
interesting or just a janitor).  And at that point, you might as well just ask
the DMV insider what license plate(s) the target, and people in his immediate
family, have registered for them.

And anyhow - if you're worried about a mole that's been there 10 years,
remember that *that* guy doesn't need a photo, because he's been there for a
decade and already *knows* that Jim drives the blue Caravan with the dent on
the left side, and Wendy has that little sports car she bought last year, and...

So - come up with a *realistic* threat model that actually *depends* on
having a photo of a car so you can tell the license plate number, and does
*not* imply already having enough info about the target that you don't need
the photo....

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ