BTW, I do not think there is such a thing as absolute security, and those who think there is are fooling themselves.
Wojtek
On Fri, Mar 23, 2012 at 7:42 AM, shag carpet bomb <shag at cleandraws.com> wrote:
> lol
>
> the thing with a key is this: anyone who wants to can break into anything
> locked with a key. the information is out there, well known among locksmiths
> and thieves. there isn't one key you can buy for your door that isn't easily
> foiled in short order.
>
> why do people use locks and keys on their home and believe it's secure?
> because the physical lock/key security community is different than the
> computer security community. the history of locks and keys emerged without
> the internet and, as such, the knowledge could be confined to locksmiths and
> thieves.
>
> Matt SomethingOrOther discovered this a few years ago when he published
> information about how to break into the safes (and later did the same re:
> the locks you use on your home). The locksmiths of the world flipped out
> because he had violated an ethos of the physical lock/key security
> community: don't tell the rubes that the locks and keys they use aren't
> secure. if you don't tell anyone, then the opportunistic thieves won't know
> either and they won't go find out how to break in. it will only be
> persistent thieves who will keep trying and happen upon the dirty secret of
> the utter failure of locks and keys to work.
>
> thus, the physical lock/key community works on the principle of "security
> through obscurity". If you just don't talk about it, you can have the secret
> right out in the open; no one will know. This is a policy that is laughed at
> in the internet security world: it is what microsoft tried for years. If we
> just keep the bugs secret, no one will know and we won't have to worry about
> it. The bug will be right there, for anyone to find, but only a determined
> few will find it. the rubes won't.
>
> Hotmail worked off same principle for years. Anyone who poked around could
> find out how to break into hotmail accounts.
>
> The internet security community never worked the way the physical security
> community worked: secrets. Instead, the argument was that because software
> development was so difficult (there are layers upon layers of code and patches
> and new releases and languages and upgrades to account for) and the demands
> of business so intense, no company ever hired enough people or expended
> enough resources for the bugs to be found. thus, it is assumed that software
> is necessarily buggy. For instance, if you build software in an environment
> for six months, it can work fine on the QA testing site. No problem when
> 100 users test it every day. But what happens when you test it with 1
> million people a day?
>
> What happens is that code that worked for 100 users simply breaks when you
> try to scale it to more users. (This is a problem with Oracle Databases we
> found out. A table join that works for 1 million users, one that makes
> sense based on resources, will no longer make sense and will break under the
> onslaught of another quarter million users.)
>
> Thus, even under perfect conditions, there is never a way to test software
> for real world conditions. The only way to test it is to release and let 1
> million people use it and find the bugs.
>
> Thus, the argument in open source software.... release it, let people use it
> and find bugs, and everyone contribute to the finding of the bugs and the
> resolution if they happen to be capable of doing so.
>
> But such a solution doesn't go over well with private businesses. And
> consumers don't understand it either.
>
> At any rate, the computer and software security business has necessarily
> operated in different circumstances, where the bugs were discovered and
> became known, regularly published to places like bugtraq and the like. The
> argument is that many eyeballs will find the bug and that other eyeballs and
> typing fingers can resolve them.
>
> It was Matt Blaze, a prof at Penn State,
> https://groups.google.com/group/alt.locksmithing/browse_thread/thread/58055b2e30923103/d196f4ebeb9ba7e3?pli=1
>
> At 07:13 AM 3/23/2012, Wojtek S wrote:
>>
>> Joanna: "I have a good friend who's a security specialist where I work
>> (BIG hi tech company.) He says the requirement for difficult passwords
>> is terrible because in real life what people wind up doing is writing
>> all of them down and pasting them to their computer. Which, kinda
>> defeats the purpose." I recognize the need for security - I lock my
>> front door after all - but the "national security" mentality and
>> security rituals that it invokes get on my nerves.
>>
>>
>> [WS:] Which also tells you something about the nature of this whole
>> security business, doesn't it? It is all about creating illusions of
>> security by making people perform security rituals that involve minor
>> sacrifices. In the "good old days" this would entail sacrificing a
>> chicken or burning incense but we, the modern people, are above such
>> superstition. We do elaborate internet rituals, scanners, security
>> protocols, electronic alarms and what not - which are just as
>> effective as sacrificing a chicken but so much more hi-tech and cool.
>>
>> Also thanks everyone who provided suggestions about the password
>> storage/retrieval. Electronic wallet is the solution that I am
>> currently using, but it is not foolproof, especially if I forget to
>> record a password change or if I mix up upper and lower case (this did
>> not use to matter but some moron in the security business wanted to
>> leave his mark and changed that, and now more and more sites
>> distinguish between upper and lower case letters.)
>>
>> While we are at this, I have a question to the computer geeks out
>> there. Why don't they implement a solution that is similar to what
>> most people use in their homes - a key. Why not use, say, a USB
>> memory stick with necessary encryption that stores all passwords and
>> credentials and provides them to applications that need it? This is
>> probably far more secure than writing passwords on a piece of paper,
>> especially if it is write-protected and requires user consent each
>> time it is accessed (the way Windows 7 requires consent each time a
>> program is run). And it also does not require internet access,
>> which makes it more reliable than all this "cloud" bullshit.
>>
>>
>> Wojtek
>> ___________________________________
>> http://mailman.lbo-talk.org/mailman/listinfo/lbo-talk
>
>
> --
> http://cleandraws.com
> Wear Clean Draws
> ('coz there's 5 million ways to kill a CEO)
>
-- Wojtek http://wsokol.blogspot.com/