
Re: Fwd: Re: Have I been hacked?




On 12/01/15 16:50, Jerry Stuckle wrote:
On 1/12/2015 11:36 AM, iain@thargoid.co.uk wrote:
Forwarding to the list as I seemed to have managed to leave it off.
Apologies.


Knowledge is easier to duplicate than a physical item. You mentioned the
ATM attack.
Incorrect.  Knowledge cannot be duplicated if there is no basis for that
knowledge.

For instance, it was not possible for archeologists to decipher ancient
Egyptian hieroglyphics before the discovery of the Rosetta Stone in 1799
- before this, there was no basis for knowledge of the language.
Really? Are you honestly saying that because they did not know what the
hieroglyphics meant, they were unable to copy them?
They were unable to decipher them.  It has nothing to do with copying.

Since when is duplication not copying?
<snip>

I happen to agree with Joel here.  I don't want to know the dictionary
definition - I want to know YOUR definition of security.

Semantics is a boring argument. If you wish, tell me yours and I will
tell you mine (oooh err missus ;)

You were asked first.  How about putting up?
Not playing that game. Joel wanted a definition; I gave a definition that apparently was not good enough for you. Tough!


<snip>

) my fingerprint (being something I am)
You sure it's not something you have?
Nope - I am pretty sure it is something I am, within the context of the
above statement.

A fingerprint is something you HAVE.  It is present on your body; it is
NOT something you are.  You can leave a fingerprint on a glass, for
instance, and it doesn't affect you at all.
Jerry - just cos you shout does not mean you are more RIGHT.

And repeating something ad nauseum doesn't make you right.
Very true.


Again, within the context of the above statement it is. You may
disagree. Fair enough.
<snip>

You need to learn the difference between "is" and "has".  They are two
entirely different concepts, but you seem to have them mixed up.
Not really.

I can understand you not wanting to accept that, say, your iris scan is something you are. Surely your eye (and all its unique properties) is something you have. I have 2 eyes. How can it be something I am?

From the point of view of authentication, this is something you are because it is unique to you. Get it now?

is more
secure than a password.
Unless someone chops your hand off to steal your BMW.
Again - implementation. Is the hand warm? Is there a pulse?

Not part of the fingerprint - but again, these can be duplicated - a
latex glove with the fingerprint etched into it, for instance.
May or may not work, depending on the implementation.

It has been proven to work.  That's one reason fingerprints alone are
not used for government security.

If you think I meant that fingerprints alone are more secure than a password, then of course this is not the case. As well, fingerprints are an _example_ of something you are. Oh, and we all know how secure governments are....

Also, an ssh-key (being something I have
Now there's an interesting assertion. It seems reasonable, if one
accepts certain implicit, arbitrary boundaries between the three
classes of tokens invoked above.

-- seems reasonable --

) is more
secure than a password.
And, yet, it is no more secure than the user account on the machine in
which it is stored.
OK sure - but we are discussing how to authenticate to an account right?

We are discussing how to authenticate an account on another machine.  If
your key is on your machine, and I steal your machine, I can break the
passphrase your key uses.  It may take a while, but it will be a lot
faster than if that same passphrase were used as a password to your
server.
Is this due to being limited over the network for the number of tries?
What if I delete
the key on the server when my machine is stolen? What if I generate new
keys every week?

It is so easy for me to prevent that it isn't even funny.  All I need to
do is copy the keyfile (or indeed, the entire disk) to another machine.
In fact, that's what I'll probably do, anyway.  That way I can access
all of your data without even booting your machine.
Jolly good. The public key from which you have the private key and are hacking away on to break the passphrase has been removed from all machines. It is now completely useless to you.

Of course, if your disk is encrypted, that becomes another problem.  But
then you have to use a password to decrypt the disk...
Or a fingerprint ;)

Something you have and something you are have to be digitised, to produce a
token that can be used to prove your identity to a computer system. That is
part of the implementation.

Everything you have mentioned is something I "have".  I "have" knowledge
of a long, random password (not stored anywhere else).  I "have" a key
stored on my computer (protected by a password).  I "have" a fingerprint.

In your opinion. Not in mine (within the context of this discussion)

You seem to have difficulty in understanding "have" versus "is".
Not at all. I am trying to show you a different point of view. If you do not wish to view from this point of view then fair enough. Gets boring going round in circles.

And the security of these three items is in DESCENDING order.
In your opinion. Again, shouting does not make you right.

Iain

Jerry

And once again, repeating ad nauseum doesn't make YOU right.

You should learn from some REAL security experts, not the internet.

Jerry

You love shouting, don't you? So, in your opinion, who are the real security experts?
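The "delete the key on the server when my machine is stolen" step that Iain relies on above comes down to one concrete operation: find the stolen laptop's public key in the server's authorized_keys by its fingerprint and drop that entry, leaving every other key and comment untouched. The example below is added here to show that operation; it is not code from either poster. The two 32-byte key values, the comments and the entry names are constructed sample data (not real Ed25519 keys), and the parser assumes that option fields such as from="..." contain no spaces, so a whitespace split is enough to locate the key-type token.

```python
import base64
import hashlib
import struct

# --- constructed sample data (not real keys, not from the original post) ---
# Two 32-byte values standing in for Ed25519 public keys; fingerprinting only
# hashes the wire-encoded blob, so arbitrary bytes are fine for the demo.
STOLEN_LAPTOP_PUBKEY = bytes(range(32))
OTHER_PUBKEY = bytes(range(32, 64))


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(pubkey32: bytes) -> bytes:
    """OpenSSH public key blob for ssh-ed25519: string(type) || string(key)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pubkey32)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-")


def entry_fingerprint(line: str):
    """Fingerprint of one authorized_keys line, or None for comments and blanks.

    Assumption (for this example): option fields such as from="..." or
    command="..." contain no spaces, so splitting on whitespace finds the
    key-type token; the base64 blob is the token that follows it.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(KEY_TYPES):
            blob = base64.b64decode(parts[i + 1], validate=True)
            return fingerprint_sha256(blob)
    return None


def revoke_key(authorized_keys: str, fingerprint: str) -> str:
    """Drop every entry whose fingerprint matches; keep other lines verbatim."""
    kept = [ln for ln in authorized_keys.splitlines()
            if entry_fingerprint(ln) != fingerprint]
    return "\n".join(kept) + "\n"


def build_sample_authorized_keys() -> str:
    """Constructed authorized_keys content: the stolen laptop's key plus one other."""
    stolen = base64.b64encode(ed25519_blob(STOLEN_LAPTOP_PUBKEY)).decode()
    other = base64.b64encode(ed25519_blob(OTHER_PUBKEY)).decode()
    return (
        "# keys for iain (constructed sample)\n"
        f"ssh-ed25519 {stolen} iain@laptop\n"
        f'from="10.0.0.0/8" ssh-ed25519 {other} iain@desktop\n'
    )


def stolen_fingerprint() -> str:
    """Fingerprint the admin would read off the stolen laptop's .pub file."""
    return fingerprint_sha256(ed25519_blob(STOLEN_LAPTOP_PUBKEY))


def remaining_fingerprints(authorized_keys: str):
    """Fingerprints of all key entries still present in the file."""
    fps = [entry_fingerprint(ln) for ln in authorized_keys.splitlines()]
    return [fp for fp in fps if fp is not None]


if __name__ == "__main__":
    before = build_sample_authorized_keys()
    fp = stolen_fingerprint()
    after = revoke_key(before, fp)
    print("revoked", fp)
    print(after)
```

The fingerprint computed here is the same SHA256-of-blob form that `ssh-keygen -lf` prints, so the value to revoke can be read from a backup copy of the `.pub` file or from the server's own `ssh-keygen -lf ~/.ssh/authorized_keys` listing. The point in the thread only holds if the entry is removed from every server the key was ever authorised on; a copy left on one forgotten host is exactly the one the offline passphrase crack will be used against.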