Other Directory Sites: SeekWonder | Directory Owners Forum
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:18:35 ADT
mgraffam@mhv.net
Wed, 17 Jun 1998 00:34:45 -0400 (EDT)
On Wed, 17 Jun 1998, Simon R Knight wrote:
> > The reason
> > that people worry about mathematical security is because it's
> > the one piece that shared between two different systems, and
> > hence can't be "improved". Every practical system will have
> > its weakpoint. In order to prove the security of that system,
> > you have to identify and upgrade the weak point. If the math
> > is the weak point, you can't fix it without breaking interoperability.
>
> This sounds very abstract. I perceive mathematical security more
> simply in relation to the possibilities for understanding and
> attacking such security.
Uhm, I don't see this as abstract. This is a very practical point of view.
It is difficult to change algorithms. Subtle flaws in something like DES
may go unchecked because of the daunting task of changing all the DES
hardware and code. A really fatal flaw would just cause everyone to
abandon it. There is little room for fixing algorithms once they are
deployed.
On the other hand, you can play with Windows all you like on your end to
protect your swap, and prevent key capture software or whatever. This
doesn't affect me on the other end at all.
> > Modern high performance computing systems are, and are not, a problem.
> > The good news is that most modern machines feature hardware memory
> > protection, and operating systems are available that exploit those
> > features. Properly used, such systems can be highly secure.
>
> If sensitive data can *truely* be "locked" into a physically fixed
> position in memory, then encryption on a modern PC would appear to be
> reasonably secure proposition.
I am not aware of any commodity PC hardware of PC OS that can take
advantage of this sort of thing. High performance != PC :)
> Considering that in a few years time, it will become as common to
> have Windows (or Windows CE) machines connected to communications
> lines all over the world
Yeah, I know.. I believe the common term for this fate is the Apocalypse.
> > All of these threats are possible, and all have been used in the
> > past with success. It is silly to invest too much effort in increasing
> > security against one form of attack, if another form of attack is left
> > wide open. The bad guys are obviously not going to play fair.
>
> Perhaps your right ... I mean whats the point ! Why go to all the
> effort to understand what happens when you call "GlobalLock", when
> someone can just go and beat-up my shareware users with "heavy black
> rubber sticks" anyway.
this isn't the point.. Implementing locked memory and good algorithms
is useful because not all attackers can beat you. The point is the weakest
link in the system will be exploited, and against the real Bad Guys, that
may well be your skull.
> > Getting back to the computer for a moment, the first and best thing
> > you can do is to run an OS that is relatively immune to computer viruses.
>
> Over the last three years, I have spent over 2000 hours on-line,
> during which time I have downloaded tens of thousands of
> files, and never once have I experienced a problem with a virus. I
> take care to scan new files, and over where I get them, so I don't
> need "to run an OS that is relatively immune to computer viruses" (if
> such an animal exists) as the OS has me.
Yeah, well people make mistakes far more frequently than computers do.
Virus scanners only detect known viruses. Once can easily make a virus
that won't be detected, neither by a scanner or a person. The viruses
that get found are the ones that write "Screw you" over your partition
table on April Fool's day or something stupid. I know several talented
programmers that working a virus that basically does nothing but
aggressively spreads. There are no adverse reactions, and the virus
removes itself after 5 years. When completed, it will be released as
an experiment to see how long it takes a virus to be found when it
leaves no obvious symptoms. I have my money on those five years passing
first.
> > That means, unfortunately, no MacOS, no MicroSoft Word, and no
> > Windows.
>
> Is Microsoft Word an OS now ... well I suppose it loads slowly
> enough to be one.
Word macro viruses.. they exist.
> ...anyway, that list doesn't exactly leave much choice. Am I to
> understand that I should abandon my years of Delphi programming ,
> because viruses may attack Windows. What would you have me do; go
> and learn Unix or something ?
Not exactly a bad idea. Learn UNIX anyway. Happiness is Linux with
X, Wabi (Window emultor), Executor (Mac emulator), and DOSEmu (DOS
emulator).
> All I have to do is to convince my "pointum clickum" wysiwyg
> users, that all they actually want is a command-line unix interface
> after all. ... mouse ... who needs a mouse !
Want? Who the hell is talking about what people want? We're talking
security. As long as we are throwing wants around.. I want people to
be honorable and the whole world to be a utopia so that I don't need
crypto to secure my privacy. The world doesn't work that way, and
neither was Windows.
> Speaking of the NSA though, it is probably wise to assume that
> Windows is compromised, but the NSA and the CIA will never ever
> admit to it, so in practice security is maintained for the everyday
> PC user.
How in God's name is this security? In practice a bunch of clowns who
I wouldn't talk to, let alone let read my mail are, in fact, reading
my mail.
What do you call that, the MS Windows definition of security?
> The NSA and the CIA might one day learn exactly what we're
> encrypting, but they won't be able to tell anyone.
For our purposes here, security means that the only people that know my
message are me, and the reciever (in some cases, we might not want me
to know what I sent, but that is a different story). I know what I
sent. My buddy knows what I sent. The NSA knows what I sent. Hmm..
Why do I feel an Orwellian definition of security coming up somewhere?
Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
<looks around> Tell me again why Thomas Jefferson trusted the common folk?
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:18:35 ADT