
Fwd: Re: Have I been hacked?



Forwarding to the list as I seem to have managed to leave it off.
Apologies.



Knowledge is easier to duplicate than a physical item. You mentioned the
ATM attack.

Incorrect. Knowledge cannot be duplicated if there is no basis for that
knowledge.

For instance, it was not possible for archeologists to decipher ancient
Egyptian hieroglyphics before the discovery of the Rosetta Stone in 1799
- before this, there was no basis for knowledge of the language.

Really? Are you honestly saying that because they did not know what the
hieroglyphics  meant, they were unable to copy them?

The same is true for passwords. If you don't have a basis for knowledge
of the password's construction, it is impossible to duplicate that
password in any reasonable length of time.

For instance - let's see you duplicate the password to one of my
servers.  You won't be able to do it, because it's random and I don't
have it written down anywhere.  Even if you steal every one of my
computers, it won't help you at all, because it's not stored on any of
them.

What if I stand over your shoulder with a video camera and video you typing? Or
indeed install a keylogger on your machine?

You seem to be confusing duplicate with understand, or maybe you are just confusing me :)




How do you define security?

I don't need to. There is already a definition in English for this:

http://dictionary.cambridge.org/dictionary/british/security

I happen to agree with Joel here.  I don't want to know the dictionary
definition - I want to know YOUR definition of security.


Semantics is a boring argument. If you wish, tell me yours and I will tell you mine (oooh err missus ;)


<snip>

) my fingerprint (being something I am)

You sure it's not something you have?

Nope - I am pretty sure it is something I am, within the context of the
above statement.


A fingerprint is something you HAVE.  It is present on your body; it is
NOT something you are.  You can leave a fingerprint on a glass, for
instance, and it doesn't affect you at all.

Jerry - just cos you shout does not mean you are more RIGHT.

Again, within the context of the above statement it is. You may disagree. Fair enough.
<snip>


is more
secure than a password.

Unless someone chops your hand off to steal your BMW.

Again - implementation. Is the hand warm? Is there a pulse?


Not part of the fingerprint - but again, these can be duplicated - a
latex glove with the fingerprint etched into it, for instance.

May or may not work, depending on the implementation.



Also, an ssh-key (being something I have

Now there's an interesting assertion. It seems reasonable, if one
accepts certain implicit, arbitrary boundaries between the three
classes of tokens invoked above.

-- seems reasonable --

) is more
secure than a password.

And, yet, it is no more secure than the user account on the machine in
which it is stored.

OK sure - but we are discussing how to authenticate to an account right?


We are discussing how to authenticate an account on another machine. If
your key is on your machine, and I steal your machine, I can break the
passphrase your key uses.  It may take a while, but it will be a lot
faster than if that same passphrase were used as a password to your server.

Is this due to being limited over the network for the number of tries? What if I delete the key on the server when my machine is stolen? What if I generate new keys every week?



Something you have and something you are have to be digitised, to produce a token that can be used to prove your identity to a computer system. That is
part of the implementation.


Everything you have mentioned is something I "have". I "have" knowledge
of a long, random password (not stored anywhere else).  I "have" a key
stored on my computer (protected by a password). I "have" a fingerprint.


In your opinion. Not in mine (within the context of this discussion)

And the security of these three items is in DESCENDING order.

In your opinion. Again, shouting does not make you right.

Iain


Jerry

