How secure is one's computer?
in [Cryptography]
|
From: Mok-Kong Shen on 11 Jul 2010 15:35 amzoti wrote: > Why would you think there is only one attack profile from > <who_cares_***>_ware? > > For example, look at: http://www.eskimo.com/~joelm/tempest.html > > If it is electronic (or otherwise), it is vulnerable as the number of > attack profiles is limitless and one only needs to get passed the > weakest link. You are right in that I have mentioned only one genre of vulnerability and attack, akin to mentioning cancer while forgetting the other kinds of severe illness. Nonetheless, attacks via software alone seems to be in general more favourable for the attacker than ones requiring hardware. For, once such a software is implemented, its front of attack can be very extensive and its multiple application is almost entirely free of additional cost and effort. Further it is much easier for the attacker to manage to avoid being identified. M. K. Shen
From: bill on 11 Jul 2010 15:51 On Jul 11, 3:34 am, Stewart Malik <mali0...(a)gmail.com> wrote: > One word will do enough......Linux If you are limited to one word then OpenBSD (installed and competently administered) has a reputation of being orders of magnitude, that is powers of ten and how many powers depends on which other operating system you are comparing it with, more secure than other operating systems. Those people REALLY seem to think and care and worry about security and correctness. Richard Clarke, who probably knows more about computer security than many do, gave a talk about his book "Cyber War: What It Is and How to Fight It" on C-Span/BookTV a few weeks ago. You can watch video of that at http://www.booktv.org/Program/11562/Cyber+War+What+It+Is+and+How+to+Fight+It.aspx 34 minutes 10 seconds into that he gives the three laws of cyber security: 1: Don't have a computer. 2: If you have to have a computer, don't turn it on. 3: If you have to have a computer and you have to turn it on, don't plug it into anything, like the internet. The complete show is certainly worth watching.
From: Mok-Kong Shen on 11 Jul 2010 18:11 bill wrote: > Richard Clarke, who probably knows more about computer security than > many do, gave a talk about his book "Cyber War: What It Is and How to > Fight It" on C-Span/BookTV a few weeks ago. You can watch video of > that at > http://www.booktv.org/Program/11562/Cyber+War+What+It+Is+and+How+to+Fight+It.aspx > > 34 minutes 10 seconds into that he gives the three laws of cyber > security: > 1: Don't have a computer. > 2: If you have to have a computer, don't turn it on. > 3: If you have to have a computer and you have to turn it on, don't > plug it into anything, like the internet. > > The complete show is certainly worth watching. I looked at the video. I think though that his opinion on "cyber peace" is fundamentally faulty. He meant that international agreement could be achieved on cyber warefare just like hitherto in arms control, e.g. of nuclear weapons. But note that even for the conventionally understood weapons there is an increasing difficulty of control through politics. For individual fanatics, not related to, and hence not controlled and control-albe by, any governments may sooner or later have feasible means to launch some form of ABC attacks, in particular the biological ones, for which only a cheap small lab would be necessary. Now, for cyber wars, would it be too difficult to imagine that a single fanatic hacker would be able to alone launch an attack as devastating as a war, if only he has accumulated sufficient knowledge to do so? So IMHO Clarke's notion of cyber peace is an illusion. BTW, point 3 above recalls me of a good old time where extremely high security in data processing was comparatively simple/trivial to achieve: One had the sensitive software kept in a safe. When processing was to be done, it was taken out and run under protection by guards on a computer where it was the "single" job to be processed. There was a special term (now certainly obsolete) for doing computation as the single job on a main frame. It was called "times processing", if my memory is (hopefully) correct. M. K. Shen
From: Stewart Malik on 11 Jul 2010 21:42 On Jul 12, 4:51 am, bill <bsimpson141421...(a)hotmail.com> wrote: > If you are limited to one word then OpenBSD (installed and competently > administered) has a reputation of being orders of magnitude, that is > powers of ten and how many powers depends on which other operating > system you are comparing it with, more secure than other operating > systems. Those people REALLY seem to think and care and worry about > security and correctness. Actually you are quite right, I don't use OpenBSD so I tend to forget about it.
From: adacrypt on 12 Jul 2010 02:49
On Jul 11, 7:46 pm, WTShaw <lure...(a)gmail.com> wrote: > On Jul 11, 11:37 am, amzoti <amz...(a)gmail.com> wrote: > > > > > > > On Jul 11, 2:51 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote: > > > > The race between producers of malware and producers of anti-malware is > > > well-known. It is IMHO natural to assume that the former, being the > > > 'active' partner, have some advantages in this race and so the computer > > > of an average user has always a very real chance of being infected > > > without detection, no matter how much money he invests in purchasing > > > software to protect his computer and how careful and disciplined he > > > does his work. > > > > I think it even may not be entirely foolish to question the (aboslute) > > > safety of protection software themselves, for these are as a rule > > > trusted based on the market reputation of the producers only, if I > > > don't err. > > > > I remember the time of the first PC that I used, where a few colleagues > > > of mine were regularly reading and adapting some parts of the operating > > > system (CP/M), apparently with ease. Nowadays, who among the users of > > > computers have competent knowledge (and means) to understand some > > > details of an OS, let alone checking and modifing them? And the previous > > > question certainly applies here as well. > > > > Without saying, all other foreign software downloaded are in principle > > > (maybe more) questionable. > > > > BTW, a recent article on cyber warfare could serve also for looking at > > > the matter from a different standpoint: > > > > http://www.economist.com/node/16478792 > > > > M. K. Shen > > > Why would you think there is only one attack profile from > > <who_cares_***>_ware? > > > For example, look at:http://www.eskimo.com/~joelm/tempest.html > > > If it is electronic (or otherwise), it is vulnerable as the number of > > attack profiles is limitless and one only needs to get passed the > > weakest link. > > > Forgive my theft of Einstein's quote with a slight modification. > > > "It's not only worse than you imagine, it's worse than you can > > imagine! " > > > Cyber warfare can be equated to the war on drugs - what a joke - but > > it makes for great articles, journal and research papers. > > There are simple strategies that work. Bad design can be countered > with good protocols to isolate the weaknesses, not talking about > endless patches but the absurd use of common sense to do the obvious. > "The path to ruin is well trodden."- Hide quoted text - > > - Show quoted text - Hi W.T, This topic is outside of my remit and indeed my knowledge in the context of mutual database cryptography - however, I have in mind a free standing computer at Bob's end i.e. not connected to the internet - the ciphertext is transmitted via a properly connected computer and then relayed internally by Bob to this freestanding computer where it is decrypted - a cyber attack on the freestanding computer is impossible ? - adacrypt |