From: Mok-Kong Shen on 29 Mar 2010 08:09

The Wall Street Journal of 26-28 March says that a Frenchman having "no training in computers" was able to hack within hours into Twitter accounts, including that of the US President. So how much "practical" cyber security is really there today, despite the availability of such nice theoretical results as those of provable crypto security?

M. K. Shen
From: bmearns on 29 Mar 2010 09:10

On Mar 29, 8:09 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> The Wall Street Journal of 26-28 March says that a Frenchman having
> "no training in computers" was able to hack within hours into Twitter
> accounts, including that of the US President. So how much "practical"
> cyber security is really there today, despite the availability of such
> nice theoretical results as those of provable crypto security?
>
> M. K. Shen

I think calling it a "hack" is being extremely generous and pretty misleading. He gained access to the accounts by guessing the answers to password-reminder questions.

But to answer your question: a system is rarely any smarter than the person who designed it, and since it's trivially easy to set up pretty-looking web applications without actually knowing anything about crypto, security, or even networks in general, there are a large number of disastrously insecure systems out there. The hard truth is that the practical onus is on the user to understand what they're getting themselves into. Unfortunately, this is rarely ever the case and most people don't think twice about what they're doing online, which is a big part of why identity theft has become so common in recent years.

-Brian
From: Gordon Burditt on 29 Mar 2010 13:41

>> "no training in computers" was able to hack within hours into Twitter
>> accounts, including that of the US President. So how much "practical"
>> cyber security is really there today, despite the availability of such
>> nice theoretical results as those of provable crypto security?
>>
>> M. K. Shen
>
> I think calling it a "hack" is being extremely generous and pretty
> misleading. He gained access to the accounts by guessing the answers
> to password-reminder questions.

For password reminders, I think the best approach is to defeat their purpose. Write the answers down and keep them in your safe. You probably DON'T need them on a minute's notice, so don't carry them with you. Perhaps keep the answers and the questions separate. If you also keep the passwords there, you should never forget your password.

You should make the answers type-incorrect as well as wrong, so your answer is highly unlikely to match the answer of any human actually responding to the question given. For example, your date of birth answer should not be a date. Perhaps it is "The rane in spane falls mainly in the plane". Your mother's maiden name might be "too all poodle patties". Your pet's name might be "Colonel Mustard, in the master dungeon, with the poisoned condom". Your wedding anniversary might be "You have the write to remain Demopublican." I have yet to find one of these systems that actually insists on a date where the question asks for a date.

Never use the same answer on different systems in different authentication domains. That is, don't use the same mother's maiden name with your bank and your Facebook account, or with your bank and your credit card. Of course, this means you are likely to have several hundred passwords and answers to security questions, just for personal use.

> But to answer your question: a system is rarely any smarter than the
> person who designed it, and since it's trivially easy to set up pretty
> looking web applications without actually knowing anything about
> crypto, security, or even networks in general, there are a large
> number of disastrously insecure systems out there.

The worst ones are those whose default password is something known to the public, such as N digits of the social security number.

> The hard truth is
> that the practical onus is on the user to understand what they're
> getting themselves into. Unfortunately, this is rarely ever the case
> and most people don't think twice about what they're doing online,
> which is a big part of why identity theft has become so common in
> recent years.
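As an added example (written for this page, not code from any of the posters), a small Python sketch of the practice Gordon describes and of the guessing space Brian points to: it flags a recovery answer that fits the question's natural type (a date for a date question, a single name for a name question), generates random multi-word "type-incorrect" answers per site, and reports any answer reused across sites. The word list, the regexes and the vault layout are my own assumptions.

```python
import re
import secrets

# Constructed word list for the demo; a real tool would load a large dictionary.
WORDS = ["rain", "spain", "plain", "poodle", "patties", "mustard", "dungeon",
         "colonel", "write", "remain", "anvil", "kettle", "orbit", "velvet"]

# What a human would naturally answer with, and hence what a guesser enumerates.
# A "type-incorrect" answer is one that does NOT match these shapes.
DATE_RE = re.compile(r"^\s*\d{1,4}[-/.\s]\d{1,2}[-/.\s]\d{1,4}\s*$")
NAME_RE = re.compile(r"^[A-Za-z'\-]{2,20}$")   # one word: a surname or pet name


def is_guessable(question, answer):
    """True when the answer lives in the small space a guesser would try."""
    q = question.lower()
    if "date" in q or "birthday" in q or "anniversary" in q:
        return bool(DATE_RE.match(answer))
    if "name" in q:                       # maiden name, pet name, school name
        return bool(NAME_RE.match(answer.strip()))
    return len(answer.split()) < 3        # anything short is weak by default


def make_answer(words=WORDS, n=5):
    """Random multi-word answer drawn with a CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(words) for _ in range(n))


def build_vault(sites_and_questions, words=WORDS):
    """Map (site, question) -> answer; every site gets its own fresh answers."""
    vault = {}
    for site, question in sites_and_questions:
        answer = make_answer(words)
        assert not is_guessable(question, answer)   # never of the expected type
        vault[(site, question)] = answer
    return vault


def reused_answers(vault):
    """Answers that appear under more than one site (cross-domain reuse)."""
    seen = {}
    for (site, _question), answer in vault.items():
        seen.setdefault(answer, set()).add(site)
    return {a for a, sites in seen.items() if len(sites) > 1}
```

The vault itself is meant to live offline, as Gordon suggests, not in the same place as the passwords it protects.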
From: Mok-Kong Shen on 30 Mar 2010 04:37

Gordon Burditt wrote:
> For password reminders, I think the best approach is to defeat their
> purpose. Write the answers down and keep them in your safe. You
> probably DON'T need them on a minute's notice, so don't carry them
> with you. Perhaps keep the answers and the questions separate.
> If you also keep the passwords there, you should never forget your
> password.
>
> You should make the answers type-incorrect as well as wrong, so
> your answer is highly unlikely to match the answer of any human
> actually responding to the question given. For example, your date
> of birth answer should not be a date. Perhaps it is "The rane in
> spane falls mainly in the plane". Your mother's maiden name might
> be "too all poodle patties". Your pet's name might be "Colonel
> Mustard, in the master dungeon, with the poisoned condom". Your
> wedding anniversary might be "You have the write to remain
> Demopublican." I have yet to find one of these systems that actually
> insists on a date where the question asks for a date.
>
> Never use the same answer on different systems in different
> authentication domains. That is, don't use the same mother's maiden
> name with your bank and your Facebook account, or with your bank
> and your credit card. Of course, this means you are likely to have
> several hundred passwords and answers to security questions, just
> for personal use.

The idea of type-incorrect wrong answers is excellent in my humble view.

M. K. Shen
From: Mok-Kong Shen on 30 Mar 2010 04:47

bmearns wrote:
> Mok-Kong Shen wrote:
>> The Wall Street Journal of 26-28 March says that a Frenchman having
>> "no training in computers" was able to hack within hours into Twitter
>> accounts, including that of the US President. So how much "practical"
>> cyber security is really there today, despite the availability of such
>> nice theoretical results as those of provable crypto security?
>
> I think calling it a "hack" is being extremely generous and pretty
> misleading. He gained access to the accounts by guessing the answers
> to password-reminder questions.
>
> But to answer your question: a system is rarely any smarter than the
> person who designed it, and since it's trivially easy to set up pretty
> looking web applications without actually knowing anything about
> crypto, security, or even networks in general, there are a large
> number of disastrously insecure systems out there. The hard truth is
> that the practical onus is on the user to understand what they're
> getting themselves into. Unfortunately, this is rarely ever the case
> and most people don't think twice about what they're doing online,
> which is a big part of why identity theft has become so common in
> recent years.

But isn't this analogous to the situation where a learned teacher in school is very bad at pedagogy, such that his pupils' performance is poor? I mean that people in the crypto field are at least to some degree responsible for the poor "practical" security.

M. K. Shen