Re: Fwd: Re: Have I been hacked?
On 1/12/2015 11:36 AM, iain@thargoid.co.uk wrote:
> Forwarding to the list as I seemed to have managed to leave it off.
> Apologies.
>
>
>>
>>> Knowledge is easier to duplicate than a physical item. You mentioned the
>>> ATM attack.
>>
>> Incorrect. Knowledge cannot be duplicated if there is no basis for that
>> knowledge.
>>
>> For instance, it was not possible for archeologists to decipher ancient
>> Egyptian hieroglyphics before the discovery of the Rosetta Stone in 1799
>> - before this, there was no basis for knowledge of the language.
>
> Really? Are you honestly saying that because they did not know what the
> hieroglyphics meant, they were unable to copy them?
They were unable to decipher them. It has nothing to do with copying.
>>
>> The same is true for passwords. If you don't have a basis for knowledge
>> of the password's construction, it is impossible to duplicate that
>> password in any reasonable length of time.
>>
>> For instance - let's see you duplicate the password to one of my
>> servers. You won't be able to do it, because it's random and I don't
>> have it written down anywhere. Even if you steal every one of my
>> computers, it won't help you at all, because it's not stored on any of
>> them.
>
> What if I stand over your shoulder with a video camera and video you
> typing? Or
I would shoot you.
> indeed install a keylogger on your machine?
>
You'd first have to compromise my machine. And that you can't do.
> You seem to be confusing duplicate with understand, or maybe you are
> just confusing me :)
>
>>
>>>
>>>>
>>>> How do you define security?
>>>
>>> I don't need to. There is already a definition in English for this:
>>>
>>> http://dictionary.cambridge.org/dictionary/british/security
>>
>> I happen to agree with Joel here. I don't want to know the dictionary
>> definition - I want to know YOUR definition of security.
>>
>
> Semantics is a boring argument. If you wish, tell me yours and I will
> tell you mine (oooh err missus ;)
>
You were asked first. How about putting up?
>
>> <snip>
>>
>>>>> ) my fingerprint (being something I am)
>>>>
>>>> You sure it's not something you have?
>>>
>>> Nope - I am pretty sure it is something I am, within the context of the
>>> above statement.
>>>
>>
>> A fingerprint is something you HAVE. It is present on your body; it is
>> NOT something you are. You can leave a fingerprint on a glass, for
>> instance, and it doesn't affect you at all.
>
> Jerry - just cos you shout does not mean you are more RIGHT.
>
And repeating something ad nauseam doesn't make you right.
> Again, within the context of the above statement it is. You may
> disagree. Fair enough.
> <snip>
>
You need to learn the difference between "is" and "has". They are two
entirely different concepts, but you seem to have them mixed up.
>>>>
>>>>> is more
>>>>> secure than a password.
>>>>
>>>> Unless someone chops your hand off to steal your BMW.
>>>
>>> Again - implementation. Is the hand warm? Is there a pulse?
>>>
>>
>> Not part of the fingerprint - but again, these can be duplicated - a
>> latex glove with the fingerprint etched into it, for instance.
>
> May or may not work, depending on the implementation.
>
It has been proven to work. That's one reason fingerprints alone are
not used for government security.
>>
>>>>
>>>>> Also, an ssh-key (being something I have
>>>>
>>>> Now there's an interesting assertion. It seems reasonable, if one
>>>> accepts certain implicit, arbitrary boundaries between the three
>>>> classes of tokens invoked above.
>>>>
>>>> -- seems reasonable --
>>>>
>>>>> ) is more
>>>>> secure than a password.
>>>>
>>>> And, yet, it is no more secure than the user account on the machine in
>>>> which it is stored.
>>>
>>> OK sure - but we are discussing how to authenticate to an account right?
>>>
>>
>> We are discussing how to authenticate an account on another machine. If
>> your key is on your machine, and I steal your machine, I can break the
>> passphrase your key uses. It may take a while, but it will be a lot
>> faster than if that same passphrase were used as a password to your
>> server.
>
> Is this due to being limited over the network for the number of tries?
> What if I delete
> the key on the server when my machine is stolen? What if I generate new
> keys every week?
>
It is so easy for me to prevent that it isn't even funny. All I need to
do is copy the keyfile (or indeed, the entire disk) to another machine.
In fact, that's what I'll probably do, anyway. That way I can access
all of your data without even booting your machine.
Of course, if your disk is encrypted, that becomes another problem. But
then you have to use a password to decrypt the disk...
>>
>>>
>>> Something you have and something you are have to be digitised, to
>>> produce a
>>> token that can be used to prove your identity to a computer system.
>>> That is
>>> part of the implementation.
>>>
>>
>> Everything you have mentioned is something I "have". I "have" knowledge
>> of a long, random password (not stored anywhere else). I "have" a key
>> stored on my computer (protected by a password). I "have" a fingerprint.
>>
>
> In your opinion. Not in mine (within the context of this discussion)
>
You seem to have difficulty in understanding "have" versus "is".
>> And the security of these three items are in DESCENDING order.
>
> In your opinion. Again, shouting does not make you right.
>
> Iain
>
>>
>> Jerry
>
>
And once again, repeating ad nauseam doesn't make YOU right.
You should learn from some REAL security experts, not the internet.
Jerry
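The exchange above turns on one mechanical point: a passphrase guessed against a server is throttled by the server, while a passphrase guessed against a stolen key file is bounded only by the key-derivation cost on the attacker's own hardware. The following is an added example, not code from either poster, that models the server side of that argument: a verifier that stores a salted PBKDF2 hash and locks an account for a doubling window after repeated failures, plus a simulation of how many guesses the policy lets through in a given time. The policy constants, the injected clock, the user name and the iteration count are assumptions.

```python
"""Throttled password verification: why online guessing is slower than offline.

Added example (not from the thread). All names, the lockout policy, the
iteration count and the injected clock are assumptions for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed, tune to your hardware


def make_record(password, salt=b""):
    """Store a salted PBKDF2-HMAC-SHA256 hash rather than the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


class ThrottledVerifier:
    """Per-account lockout: from the `max_failures`-th consecutive failure on,
    the account is locked for base_lockout * 2**k seconds, k counting further
    failures. `now` is an injected clock (seconds) so behaviour is deterministic."""

    def __init__(self, records, max_failures=5, base_lockout=30.0):
        self.records = records
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.failures = {}      # user -> consecutive failure count
        self.locked_until = {}  # user -> absolute time the lock expires

    def verify(self, user, password, now):
        """Return 'ok', 'bad' or 'locked'. Locked attempts are not even hashed."""
        if now < self.locked_until.get(user, 0.0):
            return "locked"
        rec = self.records.get(user)
        if rec is None:
            # Run the KDF anyway so an unknown user costs the same as a bad password.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
            self._fail(user, now)
            return "bad"
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
        if hmac.compare_digest(candidate, rec["hash"]):  # constant-time compare
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return "ok"
        self._fail(user, now)
        return "bad"

    def _fail(self, user, now):
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_failures:
            # 5th failure locks for 30 s, 6th for 60 s, 7th for 120 s, ...
            self.locked_until[user] = now + self.base_lockout * 2 ** (n - self.max_failures)


def online_guesses_in(seconds, max_failures=5, base_lockout=30.0):
    """Number of wrong guesses the lockout policy admits within `seconds`,
    assuming the guesser retries the instant each lock expires."""
    guesses, t, n = 0, 0.0, 0
    while t <= seconds:
        n += 1
        guesses += 1
        if n >= max_failures:
            t += base_lockout * 2 ** (n - max_failures)
    return guesses


def demo():
    """Constructed scenario: five wrong guesses, a correct guess while locked,
    then the correct guess once the lock has expired."""
    records = {"alice": make_record("correct horse", salt=b"\x01" * 16)}
    v = ThrottledVerifier(records)
    outcomes = [v.verify("alice", "wrong", 0.0) for _ in range(5)]
    outcomes.append(v.verify("alice", "correct horse", 10.0))  # still locked
    outcomes.append(v.verify("alice", "correct horse", 30.0))  # lock expired
    return outcomes


if __name__ == "__main__":
    print(demo())
    print("online guesses admitted per hour:", online_guesses_in(3600))
```

With these constants the server admits eleven wrong guesses in an hour, whereas an attacker holding a copy of the key file or password database pays only the KDF cost per guess on hardware they control, with no lockout in the loop; that asymmetry is why a stolen machine changes the picture and why a high work factor and full-disk encryption matter on the client side.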