| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Jan 2010 19:55:01 +0100 From: Christian Sciberras <uuf6429@...il.com> To: Benji <me@...ji.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: All China, All The Time Physical keys. There's like over 100 different keys in the whole complex... Sure, helpful to know about the needle in a haystack. The question is, how much is needed to sift through that haystack. One day "evil maid" approach is ok, a couple of days "evil technician", possibly, but I doubt anyone wouldn't notice the intrusion. On Fri, Jan 15, 2010 at 7:48 PM, Benji <me@...ji.com> wrote: > I'll put it this way. > > Im an attacker in your network, trying to get access to your "most sensitive > information". Ive identified the server that stores this information and Im > looking around for keys/passwords etc etc etc. > > Are you saying it wouldnt help me to know that I needed 5 keys, thus > pointing me towards what to look for? > > > On Fri, Jan 15, 2010 at 6:44 PM, Christian Sciberras <uuf6429@...il.com> > wrote: >> >> No, that was actually configuration description; best of luck finding >> our facility. >> >> On Fri, Jan 15, 2010 at 7:42 PM, Benji <me@...ji.com> wrote: >> > Actually you were boasting, it was irrelevant to have what you have as a >> > security precausion. Infact, one could argue that you were making your >> > setup >> > insecure by telling people how you're secured from the get go. >> > >> > On Fri, Jan 15, 2010 at 6:38 PM, Christian Sciberras <uuf6429@...il.com> >> > wrote: >> >> >> >> My question was mostly rhetoric, I tried to imply the point on why >> >> computers with sensitive information were; >> >> 1. not fully up to date (=>from the top of my had, the exploit had >> >> several issues in non-standard browser versions?) >> >> 2. running internet explorer (=>more known as a target, nothing against >> >> MSIE) >> >> 3. used to surf the web (=>why else would you be using IE [rhetoric]) >> >> 4. not monitored correctly (=>our most sensitive information is stored >> >> in a server locked up 5 times, the only way to get in is either >> >> getting all the keys or through a remote exploit*) >> >> >> >> I think the above points violate a couple of rules in security >> >> auditing. >> >> >> >> * I'm not boasting about our configuration; this is very easy to >> >> achieve in a company of 5 and one server rack. >> >> >> >> >> >> On Fri, Jan 15, 2010 at 7:08 PM, Peter Besenbruch <prb@...a.net> wrote: >> >> > On Thursday 14 January 2010 21:49:05 Christian Sciberras wrote: >> >> >> "They used an IE exploit to get in." >> >> >> The people at *Google* use *IE*?!! Besides, how does an exploit in >> >> >> IE >> >> >> affect the server? >> >> > >> >> > It would affect a person with login rights to a server. >> >> > >> >> > This wasn't just an attack on Google, btw, it was an attack on 32 >> >> > different >> >> > companies. >> >> > -- >> >> > Hawaiian Astronomical Society: http://www.hawastsoc.org >> >> > HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky >> >> > >> >> > _______________________________________________ >> >> > Full-Disclosure - We believe in it. >> >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> >> > Hosted and sponsored by Secunia - http://secunia.com/ >> >> > >> >> >> >> _______________________________________________ >> >> Full-Disclosure - We believe in it. >> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> >> Hosted and sponsored by Secunia - http://secunia.com/ >> > >> > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists