On Sun, Nov 15, 2009 at 1:08 PM, Jason Spatafore wrote:
> On Sun, 2009-11-15 at 12:53 -0700, Lisa Kachold wrote:
> > I guess I still disagree with your use of the word 'broken'. By that
> > definition, gpg is 'broken' as well as *any* encryption system that
> > uses passwords. Just because you can brute force a crack doesn't
> > mean that the protocol is broken.
>
> That is why it is important to use defense in depth...multiple layers
> of security. The cracker may get through the first layer...then
> there's another he has to crack...then he wonders "How many more
> layers?" and oftentimes will quit.
>
> I thought it was hilarious when I watched Smallville a few weeks back.
> Chloe, the computer hacker in the group, had to get through 100
> firewalls. She did it...and found a video of the guy mocking her. I
> thought that was a very good example. If you can keep the crackers
> moving in a direction that ultimately gets them nowhere, that is the
> best possible route.
>
> So, will we see tripwire applications that ultimately just keep
> spawning chroot'd jails that keep the cracker digging and digging for
> nothing, ultimately driving the cracker to non-critical appliances
> that are designed just to keep entertaining the crackers' desires?
> Then, ultimately, if the cracker can lock up the appliance, they have
> a false feeling of accomplishment?
>
> Ultimately, a digital smoke screen. The goal: Keep them busy...discover
> who/what they are. And harden your own security from the tactics you
> observe. Oh, and arrest them if you can. :)

Correct, but first for us to build the screens (or the radius servers,
the puppet binary file and password shadow automatic restores, the IDS
for packet analysis, switch auth controls) we must completely appreciate
the limitations in the protocol, and the real threat to our complacency
(WifiZoo) and get sucked out of the Security Matrix!

And in case you didn't notice, I don't see the feds arresting:

a) social cyber stalkers who send XSS tunnel links to girlfriends (or
   pranks from antisocial colleagues)
b) wifi voyeurism and theft
c) irresponsible companies that fail to implement PCI compliance.

They are not even currently enforcing issues of HIPAA non-compliance.

The only ownership we have is through responsibility!

Being able to break security doesn't make you a hacker any more than
being able to hotwire cars makes you an automotive engineer.
-Eric Raymond

--
Skype: (623)239-3392
AT&T: (503)754-4452
www.it-clowns.com