On Thu, Apr 18, 2002 at 12:39:30PM -0700, Jere Retzer wrote:
> Thanks, excellent info! I'll use that if you don't mind.

That is why we are here. :)

> It still generally comes down to the value and exposure of the target.
> If you have a high value, highly exposed target such as the encryption
> algorithm used for DVD then yes, spend liberally on a tough algorithm
> but for day-to-day transactions over the net, especially when the
> communicating systems calculate a new session key for each session?
> Questionable, in my opinion.

Only sort of. Consider this: almost every company I have worked at had the mindset: "Hackers? Why would anyone hack _us_?"

There are (at least) two types of hackers: discriminate and indiscriminate. Indiscriminate hackers don't care that your secure shell daemon only connects to a system with your vacation photos -- as long as it has a connection, it can be used as a jumping point to other machines, or used in distributed denial of service attacks, or used to store warez, or do whatever else it is script kiddies do with rooted machines.

So, from your perspective, as an administrator, you can't see the value your machine provides to hackers. Hackers don't care -- more machines are more machines.

I am trying to explain that the attractiveness to a hacker is proportional to the average value of the targets multiplied by the number of targets, but failing at it.

Consider, then, yet another attack on poor crypto: password crackers, such as John The Ripper. The way encrypted passwords are stored in /etc/shadow files (or the SAM database on Windows machines) means that while it can be incredibly expensive to try to figure out _any specific account_'s password, trying to find _a_ password on the system is much easier -- especially when there are hundreds or thousands of accounts on the machine.

The same logic applies to secure shell, and perhaps in the future, SSL connections -- hijacking any single specific session is hard; getting any is probably much, much easier, especially when some targets make themselves so, so, easy.

I hope I have tried to make the point that thinking in terms of a single target isn't sufficient -- the number of targets has to be taken into account when assessing possible motives for hackers...

-- 
http://www.wirex.com/
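The "any account versus a specific account" point in the post above can be put in numbers. The following is an added example written for this archive page, not code from the poster or from WireX, and it is a deliberately simplified model: every password is assumed to be drawn uniformly from a space of 2^bits candidates, and the attacker's budget is counted in hash computations. It goes one step beyond the post by separating stored hashes that are unsalted (one hash computation tests a candidate against every account at once) from hashes with a per-account salt (a candidate must be re-hashed for each account), because that is the defender's lever against the multi-target effect the post describes. The function names and the sample figures (1000 accounts, 2^40 hash computations) are constructed for illustration.

```python
import math


def p_specific(guess_budget: float, entropy_bits: float) -> float:
    """Probability that ONE given account falls within `guess_budget` guesses.

    Uniform-password model (assumption): each guess hits with probability 1/2^bits,
    so the chance of success is budget / space, capped at 1.
    """
    space = 2.0 ** entropy_bits
    return min(1.0, guess_budget / space)


def p_any(guess_budget: float, entropy_bits: float, accounts: int,
          salted: bool = True) -> float:
    """Probability that AT LEAST ONE of `accounts` accounts falls.

    Unsalted hashes: one hash computation tests a candidate against every
    account, so each account sees the full budget.
    Salted hashes: each candidate must be hashed once per account, so the
    budget is spread across accounts (budget / accounts guesses each).
    """
    if accounts < 1:
        raise ValueError("need at least one account")
    per_account_guesses = guess_budget / accounts if salted else guess_budget
    p_one = p_specific(per_account_guesses, entropy_bits)
    # Complement of "no account falls" (independence assumed in this model).
    return 1.0 - (1.0 - p_one) ** accounts


def required_entropy_bits(guess_budget: float, accounts: int,
                          max_p_any: float, salted: bool = True) -> int:
    """Smallest whole number of password-entropy bits keeping p_any <= max_p_any.

    This is the defender-side question: how strong must every password be so
    that the attacker's budget is unlikely to crack even the weakest target?
    """
    bits = 0
    while p_any(guess_budget, bits, accounts, salted) > max_p_any:
        bits += 1
    return bits


def multi_target_penalty_bits(accounts: int) -> float:
    """Extra entropy (in bits) the unsalted multi-target effect costs, ~log2(N)."""
    return math.log2(accounts)


if __name__ == "__main__":
    budget = 2.0 ** 40      # constructed attacker budget: ~1e12 hash computations
    accounts = 1000         # constructed population: a host with 1000 accounts
    bits = 30               # constructed per-password entropy

    print(f"P(specific account, {bits} bits): {p_specific(budget, bits):.4g}")
    print(f"P(any of {accounts}, unsalted): {p_any(budget, bits, accounts, salted=False):.4g}")
    print(f"P(any of {accounts}, salted):   {p_any(budget, bits, accounts, salted=True):.4g}")
    for salted in (False, True):
        need = required_entropy_bits(budget, accounts, 0.01, salted)
        print(f"bits needed for p_any <= 1% ({'salted' if salted else 'unsalted'}): {need}")
    print(f"multi-target penalty for {accounts} accounts: "
          f"{multi_target_penalty_bits(accounts):.1f} bits")
```

With 1000 accounts and unsalted hashes, the model needs roughly ten more bits of per-password entropy (about log2(1000)) than it does with salted hashes to hold the same "any account" risk, which is the post's observation restated: per-account salting removes the attacker's "free" multiplication over the number of targets, and the remaining risk is then driven by the weakest individual password rather than by the account count. Real password distributions are far from uniform, so treat the numbers as a lower bound on what weak passwords actually cost.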
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:41:09 PDT