Re: CRIME Article on Magic Lantern from ZDNET

From: Alan (alan@private)
Date: Sat Dec 08 2001 - 15:48:58 PST

    On Saturday 08 December 2001 15:48, Crispin Cowan wrote:
    > Alan wrote:
    > >On Saturday 08 December 2001 14:36, Crispin Cowan wrote:
    > >>Alan wrote:
    > >>>Is 2.4.x available for it yet? (With the proper patches. I know Greg
    > >>> made one without, for testing purposes.)
    > >>
    > >>Not as such. But you can just drop a 2.4 kernel into the Immunix 7
    > >>system if you want to, and you don't want the kernel security features.
    > >
    > >Actually, I do want the kernel security features. That is why I asked.
    >
    > Immunix kernel stuff (SubDomain, NetDomain, and RaceGuard) are not
    > presently available for Linux 2.4.  When we produce them is a business
    > decision. It can be influenced by paying customers :-)
    
    Since IPTables has not been backported to 2.2.x, I figured you would want to 
    get to it sometime soon. 
    
    I am glad to see Immunix finally promoted as being for sale.  Hopefully it 
    will drive further improvements.
    
    > >What is your opinion of the grsecurity patches at
    > > http://www.grsecurity.net/ ?
    > >
    > >They look interesting, but I have not dug into them yet.
    >
    >  From the outside, it looks like a reasonable integration of various
    > best-of-breed kernel security enhancements. Nothing new or unique, but
    > they show good taste in the features they integrated.
    >
    > However, we have dug into the inside, in attempting to port some
    > features to LSM (Linux Security Module http://lsm.immunix.org/) and Chris
    > Wright reports that some of the code quality inside is not so good.
    > Numerous bugs had to be fixed, and (IIRC) we ended up going back to
    > original sources and not using grsecurity-derived code.
    
    I am glad I asked before I dug into the code.  Openwall was going to wait 
    until 2.4.10, then 2.4.15 before releasing code.  I have yet to see any sort 
    of release for the 2.4.x kernels from them.  (The patch collision problem is 
    going to get bad. I have about 4-5 kernel patch sets I want to use. The last 
    time I tried to get them all into a running kernel, it was pretty messy.  
    FreeSWAN especially.)
    
    > >>The SecureID cards require the user to enter a PIN on the card's hexpad
    > >>keyboard. That's the kind of authentication I'm talking about. It is
    > >>more problematic with dongle-style tokens like iButtons and USB dongles,
    > >>as they (likely) will use the PC's keyboard to enter the user
    > >>authentication. That's problematic because it can be sniffed, unlike the
    > >>SecureID card's built-in keyboard.
    > >
    > >These are different than the SecureID devices I have seen in the past.
    > > They were just time based one time passwords.  (That may be the protocol
    > > I was thinking of that has been weakened.)
    >
    > There are a lot of different tokens in the world
    > http://developer.netscape.com/tech/security/certs/cards.html and I am
    > not an expert in that area. Some use time-based one-time PADs, some use
    > RSA challenge-response, some have a keypad and LCD display for entering
    > the challenge response, others use some kind of smartcard interface. One
    > of my favorite cute ideas is the Smarty, which is a smart card reader in
    > the form factor of a 3.5" floppy, so that with a little software, any PC
    > with a floppy drive can read smart cards. Unfortunately, it no longer
    > seems to be available.
    
    Probably too easy to use. ]:>
    
    There used to be a page on open source smart card development that had some 
    interesting code and pointers to development kits. Never pursued it because I 
    never had money when I had the incentive to do it.
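The token discussion above contrasts a card with its own keypad (the PIN never leaves the card; only the displayed code is typed on the PC) with a keypad-less dongle, where the PIN itself must be typed on the PC keyboard. The following Python is an added illustration, not part of this thread and not any vendor's algorithm: it models both designs with a generic HMAC-based, time-stepped code (HOTP-style truncation standing in for whatever a real card uses). The seed, PIN and clock value are constructed demo values, and the helper names are my own.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not real token seeds or PINs).
DEMO_SEED = b"constructed-demo-seed-0123456789"
DEMO_PIN = "4821"
STEP_SECONDS = 60           # one code per minute, as the classic time-based tokens did
DEMO_NOW = 1_007_855_338    # constructed fixed clock value so the run is reproducible


def time_step(now: int, step: int = STEP_SECONDS) -> int:
    """Counter that advances once per time step; token and server both compute it."""
    return now // step


def otp_from_counter(key: bytes, counter: int, digits: int = 6) -> str:
    """Derive a short decimal code from (key, counter): HMAC-SHA1 plus the
    HOTP-style dynamic truncation. Stands in for a vendor's proprietary scheme."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def pin_bound_key(seed: bytes, pin: str) -> bytes:
    """Mix the PIN into the seed. On a card with its own keypad this happens
    inside the card, so the PIN never reaches the PC."""
    return hmac.new(seed, pin.encode(), hashlib.sha256).digest()


# --- Design A: token with on-board keypad (SecureID style, as described above) ---

def keypad_token_code(seed: bytes, pin: str, now: int) -> str:
    """What the card displays after the user keys the PIN on the card itself."""
    return otp_from_counter(pin_bound_key(seed, pin), time_step(now))


def keystrokes_keypad_design(seed: bytes, pin: str, now: int) -> str:
    """Everything typed on the PC keyboard to log in: just the displayed code."""
    return keypad_token_code(seed, pin, now)


def verify_keypad_design(seed: bytes, pin: str, submitted: str, now: int,
                         window: int = 1) -> bool:
    """Server check: recompute from the enrolled seed and PIN, tolerating
    clock skew of +/- `window` steps. Old codes fall outside the window."""
    key = pin_bound_key(seed, pin)
    base = time_step(now)
    return any(hmac.compare_digest(otp_from_counter(key, base + d), submitted)
               for d in range(-window, window + 1))


# --- Design B: dongle without keypad, PIN typed on the PC ---------------------

def dongle_code(seed: bytes, now: int) -> str:
    """A keypad-less dongle can only emit a code derived from seed and time."""
    return otp_from_counter(seed, time_step(now))


def keystrokes_dongle_design(seed: bytes, pin: str, now: int) -> str:
    """Here the static PIN itself goes through the PC keyboard, ahead of the code."""
    return pin + dongle_code(seed, now)


def verify_dongle_design(seed: bytes, pin: str, submitted: str, now: int,
                         window: int = 1) -> bool:
    """Server check for design B: the PIN and the time code are verified separately."""
    typed_pin, code = submitted[:len(pin)], submitted[len(pin):]
    if not hmac.compare_digest(typed_pin, pin):
        return False
    base = time_step(now)
    return any(hmac.compare_digest(otp_from_counter(seed, base + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    a = keystrokes_keypad_design(DEMO_SEED, DEMO_PIN, DEMO_NOW)
    b = keystrokes_dongle_design(DEMO_SEED, DEMO_PIN, DEMO_NOW)
    print("keypad design, typed on PC:", a, "(code only)")
    print("dongle design, typed on PC:", b, "(PIN followed by code)")
    print("keypad code accepted 1 step later: ",
          verify_keypad_design(DEMO_SEED, DEMO_PIN, a, DEMO_NOW + STEP_SECONDS))
    print("keypad code accepted 5 steps later:",
          verify_keypad_design(DEMO_SEED, DEMO_PIN, a, DEMO_NOW + 5 * STEP_SECONDS))
```

The point for a defender is in the two `keystrokes_*` functions: with design A the only thing that crosses the host keyboard is a short-lived code, while with design B the static factor is in the same keystroke stream, so anything that can observe host input learns the PIN. The verification window also shows why a time-based code is one-time in practice: a code captured at one step is rejected a few steps later.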
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:58 PDT