
Re: Have I been hacked?



On Mon, Jan 12, 2015 at 7:32 AM, Iain M Conochie <iain@thargoid.co.uk> wrote:
>
> On 10/01/15 20:31, Brian wrote:
>>
>> By all means advocate and use ssh keys. But at least provide some
>> substantial reason for spurning password login for that particular
>> situation. A blanket "don't use passwords" or "keys are better" doesn't cut
>> it.
>
>
> There are 3 (current) factors in authentication:

According to some models.

> 1. What the user knows

Knowledge is a thing which is had. It is potentially easy to
duplicate, in small pieces. The choice of which piece is used is
hopefully not so easily duplicated. This is the first assumed weakness
of passwords, that most people are lazy about the choice.

> 2. What the user has

Typical example is a bank card. Unfortunately, this is easy to
duplicate, if one is not careful about where one uses it. (ATM
machines where the front panel has been augmented by attackers, and the
reader slot has a second reader hiding in front of the real reader,
provide one example.)

Physical keys, like the key to your front door or to the safe deposit
box, are another example.

> 3. What the user is

Try to define that in a way useful to authentication, without invoking
either of the above concepts.

> These increase in security as you go higher up the number.

How do you prove that?

How do you define security?

> So (assuming the
> implementation is secure

Is "secure" here related to security above?

> ) my fingerprint (being something I am)

You sure it's not something you have?

> is more
> secure than a password.

Unless someone chops your hand off to steal your BMW.

> Also, an ssh-key (being something I have

Now there's an interesting assertion. It seems reasonable, if one
accepts certain implicit, arbitrary boundaries between the three
classes of tokens invoked above.

-- seems reasonable --

> ) is more
> secure than a password.

And, yet, it is no more secure than the user account on the machine in
which it is stored.

(Noting, not coincidentally, that the computer storage device acts as
a memory proxy.)

> In each case we have the _implementation_

among other things

> to let us down. #1 is up to the
> user whereas #2 and #3 are up to the programmer.

I can think of a number of ways in which what you appear to be talking
about as something you have and something you are are as much under
the control of the user as under the control of the programmer.

> Who do you trust ;)

I would prefer that we all learn to program.

-- 
Joel Rees

The only truly secure computer is the one that you wrote all the OS
and application code for.
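The point above, that an ssh key is only as safe as the account it sits in, has one practical check behind it: whether the private key file is itself encrypted with a passphrase, so that copying the file alone is not enough. The following is an added example, not code from the thread; it parses the envelope of the three private-key formats OpenSSH and OpenSSL produce (openssh-key-v1, legacy PEM with Proc-Type headers, PKCS#8) just far enough to read the cipher and KDF fields, and audits a directory. The key blobs embedded in it are constructed samples with only the header fields filled in, not real keys.

```python
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length prefix) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def _put_string(s):
    return struct.pack(">I", len(s)) + s


def parse_private_key(text):
    """Inspect a PEM-armoured private key and report whether it is encrypted.

    Only the envelope is parsed: for openssh-key-v1 the ciphername and
    kdfname strings that follow the magic, for legacy PEM the Proc-Type and
    DEK-Info headers, for PKCS#8 the BEGIN line itself.
    """
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(body, off)
        kdf, off = _read_string(body, off)
        cipher, kdf = cipher.decode(), kdf.decode()
        return {"format": "openssh-key-v1", "cipher": cipher, "kdf": kdf,
                "encrypted": cipher != "none"}
    if "ENCRYPTED PRIVATE KEY" in header:
        return {"format": "pkcs8", "encrypted": True}
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by
    # RFC 1421 style headers between the BEGIN line and the base64 body.
    hdrs = {}
    for l in lines[1:]:
        if ":" not in l:
            break
        k, v = l.split(":", 1)
        hdrs[k.strip()] = v.strip()
    return {"format": "pem", "encrypted": "ENCRYPTED" in hdrs.get("Proc-Type", ""),
            "dek_info": hdrs.get("DEK-Info")}


def audit_directory(path):
    """Return [(filename, encrypted)] for every private key found under path."""
    results = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full) or name.endswith(".pub"):
            continue
        with open(full, "r", errors="replace") as f:
            text = f.read()
        if "PRIVATE KEY-----" not in text:
            continue
        results.append((name, parse_private_key(text)["encrypted"]))
    return results


def make_openssh_blob(cipher, kdf, kdfopts=b""):
    """Constructed sample: a minimal openssh-key-v1 envelope with empty key sections."""
    body = (OPENSSH_MAGIC + _put_string(cipher) + _put_string(kdf) + _put_string(kdfopts)
            + struct.pack(">I", 1) + _put_string(b"") + _put_string(b""))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples (not real keys): an unprotected key, a bcrypt/aes256-ctr
# protected key, and a legacy PEM key encrypted by openssl.
UNENCRYPTED_KEY = make_openssh_blob(b"none", b"none")
ENCRYPTED_KEY = make_openssh_blob(b"aes256-ctr", b"bcrypt",
                                  _put_string(b"\x00" * 16) + struct.pack(">I", 16))
LEGACY_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for fname, enc in audit_directory(os.path.expanduser("~/.ssh")):
        print(f"{fname}: {'passphrase-protected' if enc else 'UNENCRYPTED'}")
```

An unencrypted key reported here is exactly the case in the post: whoever can read the file as that user has the key. A passphrase moves part of the secret back into the "something you know" class, which is why the boundary between the three classes is less crisp than the numbered list suggests.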

