[lbo-talk] Internet accounts

shag carpet bomb shag at cleandraws.com
Fri Mar 23 04:42:59 PDT 2012


lol

the thing with a key is this: anyone who wants to can break into anything locked with a key. the information is out there, well known among locksmiths and thieves. there isn't one key you can buy for your door that isn't easily foiled in short order.

why do people use locks and keys on their home and believe it's secure? because the physical lock/key security community is different than the computer security community. the history of locks and keys emerged without the internet and, as such, the knowledge could be confined to locksmiths and thieves.

Matt SomethingOrOther discovered this a few years ago when he published information about how to break into the safes (and later did the same re: the locks you use on your home). The locksmiths of the world flipped out because he had violated an ethos of the physical lock/key security community: don't tell the rubes that the locks and keys they use aren't secure. if you don't tell anyone, then the opportunistic thieves won't know either and they won't go find out how to break in. it will only be persistent thieves who will keep trying and happen upon the dirty secret of the utter failure of locks and keys to work.

thus, the physical lock/key community works on the principle of "security through obscurity". If you just don't talk about it, you can have the secret right out in the open; no one will know. This is a policy that is laughed at in the internet security world: it is what microsoft tried for years. If we just keep the bugs secret, no one will know and we won't have to worry about it. The bug will be right there, for anyone to find, but only a determined few will find it. the rubes won't.

Hotmail worked off the same principle for years. Anyone who poked around could find out how to break into hotmail accounts.

The internet security community never worked the way the physical security community worked: secrets. Instead, the argument was that because software development was so difficult (there are layers upon layers of code and patches and new releases and languages and upgrades to account for) and the demands of business so intense, no company ever hired enough people or expended enough resources for the bugs to be found. thus, it is assumed that software is necessarily buggy. For instance, if you build software in an environment for six months, it can work fine on the QA testing site. No problem when 100 users test it every day. But what happens when you test it with 1 million people a day?

What happens is that code that worked for 100 users simply breaks when you try to scale it to more users. (This is a problem with Oracle Databases we found out. A table join that works for 1 million users, one that makes sense based on resources, will no longer make sense and will break under the onslaught of another quarter million users.)

Thus, even under perfect conditions, there is never a way to test software for real world conditions. The only way to test it is to release and let 1 million people use it and find the bugs.

Thus, the argument in open source software.... release it, let people use it and find bugs, and everyone contribute to the finding of the bugs and the resolution if they happen to be capable of doing so.

But such a solution doesn't go over well with private businesses. And consumers don't understand it either.

At any rate, the computer and software security business has necessarily operated in different circumstances, where the bugs were discovered and became known, regularly published to places like bugtraq and the like. The argument is that many eyeballs will find the bug and that other eyeballs and typing fingers can resolve them.

It was Matt Blaze, a prof at Penn State, <https://groups.google.com/group/alt.locksmithing/browse_thread/thread/58055b2e30923103/d196f4ebeb9ba7e3?pli=1>

At 07:13 AM 3/23/2012, Wojtek S wrote:
>Joanna: "I have a good friend who's a security specialist where I work
>(BIG hi tech company.) He says the requirement for difficult passwords
>is terrible because in real life what people wind up doing is writing
>all of them down and pasting them to their computer. Which, kinda
>defeats the purpose." I recognize the need for security - I lock my
>front door after all - but the "national security" mentality and
>security rituals that it invokes get on my nerves.
>
>
>[WS:] Which also tells you something about the nature of this whole
>security business, doesn't it? It is all about creating illusions of
>security by making people perform security rituals that involve minor
>sacrifices. In the "good old days" this would entail sacrificing a
>chicken or burning incense but we, the modern people, are above such
>superstition. We do elaborate internet rituals, scanners, security
>protocols, electronic alarms and what not - which are just as
>effective as sacrificing a chicken but so much more hi-tech and cool.
>
>Also thanks everyone who provided suggestions about the password
>storage/retrieval. Electronic wallet is the solution that I am
>currently using, but it is not foolproof, especially if I forget to
>record a password change or if I mix up upper and lower case (this did
>not use to matter but some moron in the security business wanted to
>leave his mark and changed that, and now more and more sites
>distinguish between upper and lower case letters.)
>
>While we are at this, I have a question to the computer geeks out
>there. Why don't they implement a solution that is similar to what
>most people use in their homes - a key. Why not use, say, a USB
>memory stick with necessary encryption that stores all passwords and
>credentials and provides them to applications that need it? This is
>probably far more secure than writing passwords on a piece of paper,
>especially if it is write-protected and requires user consent each
>time it is accessed (the way Windows 7 requires consent each time a
>program is run). And it also does not require internet access,
>which makes it more reliable than all this "cloud" bullshit.
>
>
>Wojtek

-- http://cleandraws.com Wear Clean Draws ('coz there's 5 million ways to kill a CEO)
