How secure is one's computer?
in [Cryptography]
|
From: amzoti on 12 Jul 2010 21:49 On Jul 12, 9:54 am, unruh <un...(a)wormhole.physics.ubc.ca> wrote: > On 2010-07-12, adacrypt <austin.oby...(a)hotmail.com> wrote: > > > > > On Jul 11, 7:46?pm, WTShaw <lure...(a)gmail.com> wrote: > >> On Jul 11, 11:37?am, amzoti <amz...(a)gmail.com> wrote: > > >> > On Jul 11, 2:51?am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote: > > >> > > The race between producers of malware and producers of anti-malware is > >> > > well-known. It is IMHO natural to assume that the former, being the > >> > > 'active' partner, have some advantages in this race and so the computer > >> > > of an average user has always a very real chance of being infected > >> > > without detection, no matter how much money he invests in purchasing > >> > > software to protect his computer and how careful and disciplined he > >> > > does his work. > > >> > > I think it even may not be entirely foolish to question the (aboslute) > >> > > safety of protection software themselves, for these are as a rule > >> > > trusted based on the market reputation of the producers only, if I > >> > > don't err. > > >> > > I remember the time of the first PC that I used, where a few colleagues > >> > > of mine were regularly reading and adapting some parts of the operating > >> > > system (CP/M), apparently with ease. Nowadays, who among the users of > >> > > computers have competent knowledge (and means) to understand some > >> > > details of an OS, let alone checking and modifing them? And the previous > >> > > question certainly applies here as well. > > >> > > Without saying, all other foreign software downloaded are in principle > >> > > (maybe more) questionable. > > >> > > BTW, a recent article on cyber warfare could serve also for looking at > >> > > the matter from a different standpoint: > > >> > > ? ?http://www.economist.com/node/16478792 > > >> > > M. K. Shen > > >> > Why would you think there is only one attack profile from > >> > <who_cares_***>_ware? > > >> > For example, look at:http://www.eskimo.com/~joelm/tempest.html > > >> > If it is electronic (or otherwise), it is vulnerable as the number of > >> > attack profiles is limitless and one only needs to get passed the > >> > weakest link. > > >> > Forgive my theft of Einstein's quote with a slight modification. > > >> > "It's not only worse than you imagine, it's worse than you can > >> > imagine! " > > >> > Cyber warfare can be equated to the war on drugs - what a joke - but > >> > it makes for great articles, journal and research papers. > > >> There are simple strategies that work. ?Bad design can be countered > >> with good protocols to isolate the weaknesses, not talking about > >> endless patches but the absurd use of common sense to do the obvious. > >> "The path to ruin is well trodden."- Hide quoted text - > > >> - Show quoted text - > > > Hi W.T, > > > This topic is outside of my remit and indeed my knowledge in the > > context of mutual database cryptography - however, I have in mind a > > free standing computer at Bob's end i.e. not connected to the internet > > - the ciphertext is transmitted via a properly connected computer and > > then relayed internally by Bob to this freestanding computer where it > > is decrypted - a cyber attack on the freestanding computer is > > impossible ? - adacrypt > > What does "relayed internally" mean? An attack is possible via that > "internal relay". Also trojan, virus, ... attacks are all possible via > that "internal relay" Perhaps he can read: http://www.isoc.org/isoc/conferences/ndss/08/papers/20_analysis_resistant.pdf See "infiltrating significant amounts of data to a compromised host is far easier than exfiltrating data ..." Those two terms are very interesting. See: "A Multi-layered Approach to Security in High Assurance Systems1" (google that and there is a pdf) See also: www.sdrforum.org/pages/sdr07/.../Uchenik%20Security%20Intro.pdf HTH ~A
From: Gordon Burditt on 13 Jul 2010 03:34 >This topic is outside of my remit and indeed my knowledge in the >context of mutual database cryptography - however, I have in mind a >free standing computer at Bob's end i.e. not connected to the internet >- the ciphertext is transmitted via a properly connected computer and >then relayed internally by Bob to this freestanding computer where it >is decrypted - a cyber attack on the freestanding computer is >impossible ? - adacrypt Viruses being transmitted by "sneakernet" (hand-carried media such as floppy disks) were pretty well known in the old days of MS-DOS. Nowadays, USB memory sticks can also transmit viruses. If you really want a ("freestanding") system secure, maintain a good air gap (say, 10 feet) between the system and any outside connections - Ethernet, phone, or wireless connections - Any radio or infrared communication links such as Wi-Fi, Bluetooth, wireless keyboards, cell phones, etc. - Commercial power. Use batteries and solar cells or muscle power of the guy operating it. - Any media that's been touched by an outside computer (includes floppies, USB memory sticks, CD/DVD disks, recordable or not, tape, paper tape, punch cards, etc. I guess this means you pretty much have to build these yourself or do without, although you could perhaps risk bulk-erasing floppies, then formatting them and using them on the secure system.) - Preferably you put the whole thing inside a Faraday cage to limit electromagnetic radition from sending info in or out. I am not sure whether it is safe to use a digital camera inside your locked room to take a picture of the screen of the internet-connected computer 10 feet away, then have the inside computer OCR it. I doubt it.
From: WTShaw on 14 Jul 2010 03:50 On Jul 12, 1:49 am, adacrypt <austin.oby...(a)hotmail.com> wrote: > On Jul 11, 7:46 pm, WTShaw <lure...(a)gmail.com> wrote: > > > > > > > On Jul 11, 11:37 am, amzoti <amz...(a)gmail.com> wrote: > > > > On Jul 11, 2:51 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote: > > > > > The race between producers of malware and producers of anti-malware is > > > > well-known. It is IMHO natural to assume that the former, being the > > > > 'active' partner, have some advantages in this race and so the computer > > > > of an average user has always a very real chance of being infected > > > > without detection, no matter how much money he invests in purchasing > > > > software to protect his computer and how careful and disciplined he > > > > does his work. > > > > > I think it even may not be entirely foolish to question the (aboslute) > > > > safety of protection software themselves, for these are as a rule > > > > trusted based on the market reputation of the producers only, if I > > > > don't err. > > > > > I remember the time of the first PC that I used, where a few colleagues > > > > of mine were regularly reading and adapting some parts of the operating > > > > system (CP/M), apparently with ease. Nowadays, who among the users of > > > > computers have competent knowledge (and means) to understand some > > > > details of an OS, let alone checking and modifing them? And the previous > > > > question certainly applies here as well. > > > > > Without saying, all other foreign software downloaded are in principle > > > > (maybe more) questionable. > > > > > BTW, a recent article on cyber warfare could serve also for looking at > > > > the matter from a different standpoint: > > > > > http://www.economist.com/node/16478792 > > > > > M. K. Shen > > > > Why would you think there is only one attack profile from > > > <who_cares_***>_ware? > > > > For example, look at:http://www.eskimo.com/~joelm/tempest.html > > > > If it is electronic (or otherwise), it is vulnerable as the number of > > > attack profiles is limitless and one only needs to get passed the > > > weakest link. > > > > Forgive my theft of Einstein's quote with a slight modification. > > > > "It's not only worse than you imagine, it's worse than you can > > > imagine! " > > > > Cyber warfare can be equated to the war on drugs - what a joke - but > > > it makes for great articles, journal and research papers. > > > There are simple strategies that work. Bad design can be countered > > with good protocols to isolate the weaknesses, not talking about > > endless patches but the absurd use of common sense to do the obvious. > > "The path to ruin is well trodden."- Hide quoted text - > > > - Show quoted text - > > Hi W.T, > > This topic is outside of my remit and indeed my knowledge in the > context of mutual database cryptography - however, I have in mind a > free standing computer at Bob's end i.e. not connected to the internet > - the ciphertext is transmitted via a properly connected computer and > then relayed internally by Bob to this freestanding computer where it > is decrypted - a cyber attack on the freestanding computer is > impossible ? - adacrypt You have part of the possibles. Interconnection of computers online or subject to being so directly give a good path to tampering. You can however reduce by movable memory the chance of infection generally defined as anything undesired that can have some undesired effect. The least memory involved is best as contents other than desire are easier to spot. Old discs served this purpose well but they seem to be going away rapidly. Possibly we are talking of overkill and also neglecting the tools of a dedicated snoop. The question of privacy/security is that the option to obscure is not based on any generic reason per se but the simple desire to control certain information as a personal choice to whatever degree that is feasible.
From: WTShaw on 14 Jul 2010 04:00 On Jul 12, 4:15 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote: > adacrypt wrote: > >> - a cyber attack on the freestanding computer is > >> impossible ? > > Long time ago yes, but no longer. Look with the key phrase > "electromagnetic emanation". There are also techniques to > disrupt the proper functioning of a computer. > > M. K. Shen Including military attack I presume. Interrupting communications has been done. I remember such during the raid on Waco. I knew so because at the time I was doing work with a spectrum analyzer not too far away that produced a rather clear picture of the efforts. General EMP usages might cause general indignation in a specific area. But the stupidity of the Waco misadventure shows that when you have a hammer, all problems can look like nails.
From: WTShaw on 14 Jul 2010 04:05
On Jul 12, 11:54 am, unruh <un...(a)wormhole.physics.ubc.ca> wrote: > On 2010-07-12, adacrypt <austin.oby...(a)hotmail.com> wrote: > > > > > > > On Jul 11, 7:46?pm, WTShaw <lure...(a)gmail.com> wrote: > >> On Jul 11, 11:37?am, amzoti <amz...(a)gmail.com> wrote: > > >> > On Jul 11, 2:51?am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote: > > >> > > The race between producers of malware and producers of anti-malware is > >> > > well-known. It is IMHO natural to assume that the former, being the > >> > > 'active' partner, have some advantages in this race and so the computer > >> > > of an average user has always a very real chance of being infected > >> > > without detection, no matter how much money he invests in purchasing > >> > > software to protect his computer and how careful and disciplined he > >> > > does his work. > > >> > > I think it even may not be entirely foolish to question the (aboslute) > >> > > safety of protection software themselves, for these are as a rule > >> > > trusted based on the market reputation of the producers only, if I > >> > > don't err. > > >> > > I remember the time of the first PC that I used, where a few colleagues > >> > > of mine were regularly reading and adapting some parts of the operating > >> > > system (CP/M), apparently with ease. Nowadays, who among the users of > >> > > computers have competent knowledge (and means) to understand some > >> > > details of an OS, let alone checking and modifing them? And the previous > >> > > question certainly applies here as well. > > >> > > Without saying, all other foreign software downloaded are in principle > >> > > (maybe more) questionable. > > >> > > BTW, a recent article on cyber warfare could serve also for looking at > >> > > the matter from a different standpoint: > > >> > > ? ?http://www.economist.com/node/16478792 > > >> > > M. K. Shen > > >> > Why would you think there is only one attack profile from > >> > <who_cares_***>_ware? > > >> > For example, look at:http://www.eskimo.com/~joelm/tempest.html > > >> > If it is electronic (or otherwise), it is vulnerable as the number of > >> > attack profiles is limitless and one only needs to get passed the > >> > weakest link. > > >> > Forgive my theft of Einstein's quote with a slight modification. > > >> > "It's not only worse than you imagine, it's worse than you can > >> > imagine! " > > >> > Cyber warfare can be equated to the war on drugs - what a joke - but > >> > it makes for great articles, journal and research papers. > > >> There are simple strategies that work. ?Bad design can be countered > >> with good protocols to isolate the weaknesses, not talking about > >> endless patches but the absurd use of common sense to do the obvious. > >> "The path to ruin is well trodden."- Hide quoted text - > > >> - Show quoted text - > > > Hi W.T, > > > This topic is outside of my remit and indeed my knowledge in the > > context of mutual database cryptography - however, I have in mind a > > free standing computer at Bob's end i.e. not connected to the internet > > - the ciphertext is transmitted via a properly connected computer and > > then relayed internally by Bob to this freestanding computer where it > > is decrypted - a cyber attack on the freestanding computer is > > impossible ? - adacrypt > > What does "relayed internally" mean? An attack is possible via that > "internal relay". Also trojan, virus, ... attacks are all possible via > that "internal relay" I suppose that he simply means by other than what would be considered normal net means. Back to other ideas, a shared database is impractical if it is not convenient for any selected parties to easily access. |