Open Source and information security mailing list archives
 
Message-ID: <31390.1190219938@turing-police.cc.vt.edu>
Date:	Wed, 19 Sep 2007 12:38:58 -0400
From:	Valdis.Kletnieks@...edu
To:	Kyle Moffett <mrmacman_g4@....com>
Cc:	Satyam Sharma <satyam@...radead.org>,
	Trond Myklebust <trond.myklebust@....uio.no>,
	"J. Bruce Fields" <bfields@...ldses.org>,
	Jan Engelhardt <jengelh@...putergmbh.de>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: NFS4 authentification / fsuid

On Wed, 19 Sep 2007 01:16:28 EDT, Kyle Moffett said:

> I am assuming that if the laptop has sufficiently important data on  
> it to warrant the above steps then I am also clueful enough to:
>    (A)  Not carry the laptop around unsecured areas,
>    (B)  Keep a close enough eye on it and be aware that it's gone by  
> the time they get to step 2, OR
>    (C)  Pay somebody to build me a better physical chassis for my laptop

Building a better chassis can be a challenge when the threat model really
*does* include attacks by a well-funded TLA.

http://www.epic.org/crypto/scarfo/murch_aff.pdf

The FBI did an *initial* entry to survey the hardware, and then a total of
*five* other entries before they actually installed it.  Note the technical
and legal requirements required on the KLS (it had to, among other things,
capture PGP passphrases but *not* anything that was typed online).

>                                       Besides, if some government  
> wanted the data on your laptop that bad they'd just pick you up in  
> the middle of the night and torture your password out of you.

See above.  Though I *will* note that several years ago, a Department
of Justice filing regarding the use of wiretaps and similar tools reported
that in every single case that the FBI encountered encryption, it in fact
didn't stop the FBI from getting the info it was looking for.  Presumably,
they either used Scarfo-type devices, or they rolled somebody for the key.

They never *did* break Anthony Pellicano's PGP key, as far as I know....
