From: Mok-Kong Shen on
The Wall Street Journal of 26-28 March says that a Frenchman having
"no training in computers" was able to hack within hours into Twitter
accounts, including that of the US President. So how much "practical"
cyber security is really there today, despite the availability of such
nice theoretical results as those of provable crypto security?

M. K. Shen
From: bmearns on
On Mar 29, 8:09 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> The Wall Street Journal of 26-28 March says that a Frenchman having
> "no training in computers" was able to hack within hours into Twitter
> accounts, including that of the US President. So how much "practical"
> cyber security is really there today, despite the availability of such
> nice theoretical results as those of provable crypto security?
>
> M. K. Shen

I think calling it a "hack" is being extremely generous and pretty
misleading. He gained access to the accounts by guessing the answers
to password-reminder questions.

But to answer your question: a system is rarely any smarter than the
person who designed it, and since it's trivially easy to set up pretty
looking web applications without actually knowing anything about
crypto, security, or even networks in general, there are a large
number of disastrously insecure systems out there. The hard truth is
that the practical onus is on the user to understand what they're
getting themselves into. Unfortunately, this is rarely ever the case
and most people don't think twice about what they're doing online,
which is a big part of why identity theft has become so common in
recent years.

-Brian

From: Gordon Burditt on
>> "no training in computers" was able to hack within hours into Twitter
>> accounts, including that of the US President. So how much "practical"
>> cyber security is really there today, despite the availability of such
>> nice theoretical results as those of provable crypto security?
>>
>> M. K. Shen
>
>I think calling it a "hack" is being extremely generous and pretty
>misleading. He gained access to the accounts by guessing the answers
>to password-reminder questions.

For password reminders, I think the best approach is to defeat their
purpose. Write the answers down and keep them in your safe. You
probably DON'T need them on a minute's notice, so don't carry them
with you. Perhaps keep the answers and the questions separate.
If you also keep the passwords there, you should never forget your
password.

You should make the answers type-incorrect as well as wrong, so
your answer is highly unlikely to match the answer of any human
actually responding to the question given. For example, your date
of birth answer should not be a date. Perhaps it is "The rane in
spane falls mainly in the plane". Your mother's maiden name might
be "too all poodle patties". Your pet's name might be "Colonel
Mustard, in the master dungeon, with the poisoned condom". Your
wedding anniversary might be "You have the write to remain
Demopublican." I have yet to find one of these systems that actually
insists on a date where the question asks for a date.

Never use the same answer on different systems in different
authentication domains. That is, don't use the same mother's maiden
name with your bank and your Facebook account, or with your bank
and your credit card. Of course, this means you are likely to have
several hundred passwords and answers to security questions, just
for personal use.

>But to answer your question: a system is rarely any smarter than the
>person who designed it, and since it's trivially easy to set up pretty
>looking web applications without actually knowing anything about
>crypto, security, or even networks in general, there are a large
>number of disastrously insecure systems out there.

The worst ones are those whose default password is something known
to the public, such as N digits of the social security number.

>The hard truth is
>that the practical onus is on the user to understand what they're
>getting themselves into. Unfortunately, this is rarely ever the case
>and most people don't think twice about what they're doing online,
>which is a big part of why identity theft has become so common in
>recent years.
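The advice above (random, type-incorrect answers, one per authentication domain, kept in a vault rather than memorised) is easy to mechanise. The following is an added example written for this thread, not code from any poster; it assumes a small constructed word list where a real tool would use a large diceware-style list, and the domain and question strings are constructed sample values.

```python
import math
import re
import secrets

# Constructed, deliberately tiny word list; a real tool would load a
# diceware-style list of several thousand words (assumption).
WORDS = ["rane", "spane", "plane", "poodle", "patties", "mustard", "dungeon",
         "colonel", "write", "remain", "anchor", "velvet", "quartz", "lantern",
         "marble", "cinder", "orbit", "walrus", "tundra", "saffron"]

# Anything that looks like a date in common numeric layouts.
DATE_LIKE = re.compile(r"^\d{1,4}[-/.]\d{1,2}[-/.]\d{1,4}$")


def make_answer(n_words=5):
    """Random multi-word answer drawn with a CSPRNG; never a date or a name."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def is_type_incorrect(answer):
    """True if the answer cannot be mistaken for a date or a single-word name."""
    return DATE_LIKE.match(answer) is None and len(answer.split()) >= 3


def answer_entropy_bits(n_words=5):
    """Guessing resistance of a generated answer, in bits (log2 of choices)."""
    return n_words * math.log2(len(WORDS))


class ReminderVault:
    """Maps (authentication domain, question) -> answer, no answer reused."""

    def __init__(self):
        self._store = {}

    def enroll(self, domain, question):
        # Retry until the answer is type-incorrect and unused in any domain.
        while True:
            ans = make_answer()
            if is_type_incorrect(ans) and ans not in self._store.values():
                break
        self._store[(domain, question)] = ans
        return ans

    def lookup(self, domain, question):
        return self._store[(domain, question)]

    def reused_answers(self):
        """Answers that appear under more than one domain (should be empty)."""
        by_answer = {}
        for (domain, _), ans in self._store.items():
            by_answer.setdefault(ans, set()).add(domain)
        return {a for a, d in by_answer.items() if len(d) > 1}
```

With the 20-word list each answer carries about 21.6 bits; with a 7776-word list the same five words give about 64 bits, far beyond what a "mother's maiden name" lookup or a date range offers.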

From: Mok-Kong Shen on
Gordon Burditt wrote:

> For password reminders, I think the best approach is to defeat their
> purpose. Write the answers down and keep them in your safe. You
> probably DON'T need them on a minute's notice, so don't carry them
> with you. Perhaps keep the answers and the questions separate.
> If you also keep the passwords there, you should never forget your
> password.
>
> You should make the answers type-incorrect as well as wrong, so
> your answer is highly unlikely to match the answer of any human
> actually responding to the question given. For example, your date
> of birth answer should not be a date. Perhaps it is "The rane in
> spane falls mainly in the plane". Your mother's maiden name might
> be "too all poodle patties". Your pet's name might be "Colonel
> Mustard, in the master dungeon, with the poisoned condom". Your
> wedding anniversary might be "You have the write to remain
> Demopublican." I have yet to find one of these systems that actually
> insists on a date where the question asks for a date.
>
> Never use the same answer on different systems in different
> authentication domains. That is, don't use the same mother's maiden
> name with your bank and your Facebook account, or with your bank
> and your credit card. Of course, this means you are likely to have
> several hundred passwords and answers to security questions, just
> for personal use.

The idea of type-incorrect wrong answers is excellent in my humble view.

M. K. Shen
From: Mok-Kong Shen on
bmearns wrote:
> Mok-Kong Shen wrote:
>> The Wall Street Journal of 26-28 March says that a Frenchman having
>> "no training in computers" was able to hack within hours into Twitter
>> accounts, including that of the US President. So how much "practical"
>> cyber security is really there today, despite the availability of such
>> nice theoretical results as those of provable crypto security?

> I think calling it a "hack" is being extremely generous and pretty
> misleading. He gained access to the accounts by guessing the answers
> to password-reminder questions.
>
> But to answer your question: a system is rarely any smarter than the
> person who designed it, and since it's trivially easy to set up pretty
> looking web applications without actually knowing anything about
> crypto, security, or even networks in general, there are a large
> number of disastrously insecure systems out there. The hard truth is
> that the practical onus is on the user to understand what they're
> getting themselves into. Unfortunately, this is rarely ever the case
> and most people don't think twice about what they're doing online,
> which is a big part of why identity theft has become so common in
> recent years.

But isn't this analogous to the situation where a learned teacher in
school is very bad in pedagogy such that his pupils' performance is
poor? I mean people in the crypto field are at least to some degree
responsible for the poor "practical" security.

M. K. Shen