From: Mok-Kong Shen on
amzoti wrote:

> Why would you think there is only one attack profile from
> <who_cares_***>_ware?
>
> For example, look at: http://www.eskimo.com/~joelm/tempest.html
>
> If it is electronic (or otherwise), it is vulnerable as the number of
> attack profiles is limitless and one only needs to get past the
> weakest link.

You are right in that I have mentioned only one genre of vulnerability
and attack, akin to mentioning cancer while forgetting the other kinds
of severe illness. Nonetheless, attacks via software alone seem to be
in general more favourable for the attacker than ones requiring
hardware. For, once such software is implemented, its front of attack
can be very extensive and its multiple application is almost entirely
free of additional cost and effort. Further, it is much easier for the
attacker to manage to avoid being identified.

M. K. Shen
From: bill on
On Jul 11, 3:34 am, Stewart Malik <mali0...(a)gmail.com> wrote:
> One word will do enough......Linux

If you are limited to one word then OpenBSD (installed and competently
administered) has a reputation of being orders of magnitude (that is,
powers of ten; how many powers depends on which other operating
system you are comparing it with) more secure than other operating
systems. Those people REALLY seem to think and care and worry about
security and correctness.

Richard Clarke, who probably knows more about computer security than
many do, gave a talk about his book "Cyber War: What It Is and How to
Fight It" on C-Span/BookTV a few weeks ago. You can watch video of
that at
http://www.booktv.org/Program/11562/Cyber+War+What+It+Is+and+How+to+Fight+It.aspx

34 minutes 10 seconds into that he gives the three laws of cyber
security:
1: Don't have a computer.
2: If you have to have a computer, don't turn it on.
3: If you have to have a computer and you have to turn it on, don't
plug it into anything, like the internet.

The complete show is certainly worth watching.
From: Mok-Kong Shen on
bill wrote:

> Richard Clarke, who probably knows more about computer security than
> many do, gave a talk about his book "Cyber War: What It Is and How to
> Fight It" on C-Span/BookTV a few weeks ago. You can watch video of
> that at
> http://www.booktv.org/Program/11562/Cyber+War+What+It+Is+and+How+to+Fight+It.aspx
>
> 34 minutes 10 seconds into that he gives the three laws of cyber
> security:
> 1: Don't have a computer.
> 2: If you have to have a computer, don't turn it on.
> 3: If you have to have a computer and you have to turn it on, don't
> plug it into anything, like the internet.
>
> The complete show is certainly worth watching.

I looked at the video. I think though that his opinion on "cyber peace"
is fundamentally faulty. He meant that international agreement could be
achieved on cyber warfare just like hitherto in arms control, e.g. of
nuclear weapons. But note that even for the conventionally understood
weapons there is an increasing difficulty of control through politics.
For individual fanatics, not related to, and hence not controlled or
controllable by, any government, may sooner or later have feasible
means to launch some form of ABC attacks, in particular the biological
ones, for which only a cheap small lab would be necessary. Now, for
cyber wars, would it be too difficult to imagine that a single fanatic
hacker would be able to alone launch an attack as devastating as a war,
if only he has accumulated sufficient knowledge to do so? So IMHO
Clarke's notion of cyber peace is an illusion.

BTW, point 3 above reminds me of a good old time when extremely high
security in data processing was comparatively simple/trivial to
achieve: One had the sensitive software kept in a safe. When processing
was to be done, it was taken out and run under protection by guards on
a computer where it was the "single" job to be processed. There was a
special term (now certainly obsolete) for doing computation as the
single job on a mainframe. It was called "times processing", if my
memory is (hopefully) correct.

M. K. Shen
From: Stewart Malik on
On Jul 12, 4:51 am, bill <bsimpson141421...(a)hotmail.com> wrote:
> If you are limited to one word then OpenBSD (installed and competently
> administered) has a reputation of being orders of magnitude, that is
> powers of ten and how many powers depends on which other operating
> system you are comparing it with, more secure than other operating
> systems.  Those people REALLY seem to think and care and worry about
> security and correctness.

Actually you are quite right, I don't use OpenBSD so I tend to forget
about it.
From: adacrypt on
On Jul 11, 7:46 pm, WTShaw <lure...(a)gmail.com> wrote:
> On Jul 11, 11:37 am, amzoti <amz...(a)gmail.com> wrote:
>
> > On Jul 11, 2:51 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
>
> > > The race between producers of malware and producers of anti-malware is
> > > well-known. It is IMHO natural to assume that the former, being the
> > > 'active' partner, have some advantages in this race and so the computer
> > > of an average user has always a very real chance of being infected
> > > without detection, no matter how much money he invests in purchasing
> > > software to protect his computer and how careful and disciplined he
> > > does his work.
>
> > > I think it even may not be entirely foolish to question the (absolute)
> > > safety of protection software themselves, for these are as a rule
> > > trusted based on the market reputation of the producers only, if I
> > > don't err.
>
> > > I remember the time of the first PC that I used, where a few colleagues
> > > of mine were regularly reading and adapting some parts of the operating
> > > system (CP/M), apparently with ease. Nowadays, who among the users of
> > > computers have competent knowledge (and means) to understand some
> > > details of an OS, let alone checking and modifying them? And the previous
> > > question certainly applies here as well.
>
> > > Without saying, all other foreign software downloaded are in principle
> > > (maybe more) questionable.
>
> > > BTW, a recent article on cyber warfare could serve also for looking at
> > > the matter from a different standpoint:
>
> > >    http://www.economist.com/node/16478792
>
> > > M. K. Shen
>
> > Why would you think there is only one attack profile from
> > <who_cares_***>_ware?
>
> > For example, look at: http://www.eskimo.com/~joelm/tempest.html
>
> > If it is electronic (or otherwise), it is vulnerable as the number of
> > attack profiles is limitless and one only needs to get past the
> > weakest link.
>
> > Forgive my theft of Einstein's quote with a slight modification.
>
> > "It's not only worse than you imagine, it's worse than you can
> > imagine! "
>
> > Cyber warfare can be equated to the war on drugs - what a joke - but
> > it makes for great articles, journal and research papers.
>
> There are simple strategies that work.  Bad design can be countered
> with good protocols to isolate the weaknesses, not talking about
> endless patches but the absurd use of common sense to do the obvious.
> "The path to ruin is well trodden."

Hi W.T,

This topic is outside of my remit and indeed my knowledge in the
context of mutual database cryptography - however, I have in mind a
free-standing computer at Bob's end, i.e. not connected to the internet
- the ciphertext is transmitted via a properly connected computer and
then relayed internally by Bob to this free-standing computer where it
is decrypted - a cyber attack on the free-standing computer is
impossible? - adacrypt