[ALUG] (no subject)

Andreas Tauscher ta at geuka.net
Sat Nov 5 14:01:27 EAT 2016


On 05.11.2016 10:38, Ismail Settenda wrote:
> To add to that; I do not think any one device can really give you total
> security; I believe total security will come from a layered approach as
> it is in the strength of the combination of preventive methods that will
> offer a semblance of 100% security and even then there is also the human
> factor.

PEBKAC: Problem Exists Between Keyboard And Chair :)
Old wisdom: 100% security is impossible.
And security is always somehow inconvenient.

The problem is the strong trust people have in technology without at
least a basic understanding of how it works.
Finding a balance between security and comfort is also a problem.
Entering a password (80 characters), smiling into the camera, wiping 10
fingers over the scanner, pulling a 2nd factor token out of the pocket,
putting an aluminium hat on the head to measure brain waves: it is pretty
secure and nobody will do this.

When banks introduced 2 factor authentication for their online banking:
Good.
But what came then: mobile banking apps with the 2 factor auth
integrated. It is convenient but useless.
When I compromise your phone I have access to the 2nd factor.

Auth and encryption with SSL certificates is good, but when the
certificate names and the entire chain of trust are not verified:
useless. A surprisingly often-made mistake.
All I need is an intercepting SSL proxy and I'm in. Squid is set up to do
this in a few minutes.
But we have strong SSL encryption so it is secure.....

> Physical access coupled with fingerprint, facial or eye is secure
> however human awareness with the preventive physical access coupled with
> fingerprint, facial or eye scanners is a really good attempt at making
> things really secure.

Every additional factor is making it harder.
But when the programmer or user does not understand what was added,
they think it is secure. In truth, security is often weakened.

Last year I needed a copy of a car key. Bloody expensive. Cutting and
programming this key costs $400.
Brute forcing all 2^256 keys would need some billion years.
The RFID tag in this key has an implementation mistake in how the
encryption key is verified, so I had to try fewer than 8192 keys. Took
only 2 hours. Cutting a copy of the key and gluing in the copied tag
(free sample from the distributor): a few thousand shillings.
A 256 bit key is secure if.....

Andreas
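Editor's added example (not part of Andreas' message or of any project he mentions): the check his SSL paragraph says is so often skipped, i.e. host-name matching against the certificate, written out in Python, next to the two client-side context setups it compares, the default verifying one and the "accept anything" one that an intercepting proxy needs. The certificate dictionary below is constructed for the example in the shape that ssl.SSLSocket.getpeercert() returns; the names bank.example and 192.0.2.10 are placeholders. The matcher goes slightly beyond the post by also handling wildcard DNS names and IP-address SANs, following the RFC 6125 rules modern clients use.

```python
import ipaddress
import ssl

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
# The names are placeholders for the example, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "subjectAltName": (
        ("DNS", "bank.example"),
        ("DNS", "*.bank.example"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_matches(pattern: str, hostname: str) -> bool:
    """Compare one DNS-ID from the certificate with the requested host.

    Case-insensitive. A '*' is accepted only as the entire left-most label,
    it matches exactly one label, and it needs at least two fixed labels
    after it (so '*.bank.example' matches 'www.bank.example' but not
    'bank.example', 'a.b.bank.example' or anything under '*.com').
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate names `hostname`.

    Only subjectAltName entries count; the subject CN is ignored, as
    current browsers and TLS libraries do. An IP address must match an
    'IP Address' SAN exactly and is never matched by a DNS wildcard.
    """
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == wanted_ip
                   for kind, val in sans)
    return any(kind == "DNS" and _dns_matches(val, hostname)
               for kind, val in sans)


def client_context(verify: bool = True) -> ssl.SSLContext:
    """Build a client TLS context.

    verify=True is the correct setup: the chain is validated against the
    trust store and the host name is checked. verify=False is the common
    copy-pasted mistake: any certificate for any name is accepted, which
    is all an intercepting proxy needs.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if not verify:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit check: chain verification and host-name matching both on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for name in ("bank.example", "www.bank.example", "a.b.bank.example",
                 "192.0.2.10", "192.0.2.11"):
        print(f"{name:20s} {hostname_matches(SAMPLE_CERT, name)}")
    print("verifying context safe:", context_is_safe(client_context(True)))
    print("no-verify context safe:", context_is_safe(client_context(False)))
```

The two checks are separate failures in practice: verify_mode=CERT_NONE lets a proxy present any chain at all, while a verified chain with check_hostname=False still lets the holder of any valid certificate for any other name stand in for the bank.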
