|
Cocoa Crispies posted:[citation needed] cryptologic quarterly vol 26 number 4 (2006) supposedly but i dont think anyones been able to find the original article so its entirely possible its not actually a practical attack
|
#
?
Feb 16, 2015 18:53
|
|
|
|
| # ? Jun 7, 2024 08:58 |
|
|
OSI bean dip posted:
bsidessf 2012 featured a keynote by dan kaminsky who gradually became more and more drunk on free shots. i doubt he can remember the latter half of that speech; i know i can't. i think at one point he said php programmers weren't all bad so obviousy he was very very incapacitated welp thats my security fuckup
|
|
#
?
Feb 16, 2015 18:53
|
|
|
ChickenOfTomorrow posted:bsidessf 2012 featured a keynote by dan kaminsky who gradually became more and more drunk on free shots. i doubt he can remember the latter half of that speech; i know i can't. i think at one point he said php programmers weren't all bad so obviousy he was very very incapacitated i think at defcon maybe five or so years ago (before i ever did jeopardy there) his jeopardy team did real well and he had to waddle to the bathroom and get filmed the whole way
|
|
#
?
Feb 16, 2015 18:57
|
|
|
Just you guys wait until we have quantum-to-the-curb fiber networks and then everything will be information-theoretic secure and we can finally put this to rest. Any day now...
|
|
#
?
Feb 16, 2015 19:03
|
|
|
Deacon of Delicious posted:best infosec: never have anyone to communicate with x1000 unironically
|
|
#
?
Feb 16, 2015 19:10
|
|
|
btw if you really care about securely communicating with another party then you hopefully already know that doing it low-latency is going to be a bad idea
|
|
#
?
Feb 16, 2015 19:12
|
|
|
presenting for your viewing pleasure; the anthem of China's internet censorship agency: https://www.youtube.com/watch?v=kbBKPqOh6DU
|
|
#
?
Feb 16, 2015 19:39
|
|
|
Bloody posted:btw if you really care about securely communicating with another party then you hopefully already know that doing it low-latency is going to be a bad idea that's why I trained my body to communicate at the speed of farts
|
|
#
?
Feb 16, 2015 19:39
|
|
|
spankmeister posted:presenting for your viewing pleasure; the anthem of China's internet censorship agency:
|
|
#
?
Feb 16, 2015 19:46
|
|
|
Bloody posted:btw if you really care about securely communicating with another party then you hopefully already know that doing it low-latency is going to be a bad idea it depends on your threat model most people don't actually need their communications to be nsa-secure or even organized-crime-secure, maybe secure from opportunists (in which case something realtime like voice is good because they're not recorded by both parties by default; or iMessage on iOS-only because iOS has the best security stance of end-user OSes)
|
|
#
?
Feb 16, 2015 19:50
|
|
|
cheese-cube posted:are we going to encounter a reverse cyberpunk future where leet hackers are using modems with clipper chips because the government has forgotten how to decrypt them due to all knowledge being lost within the bureaucratic matrices of the master computer? Analog "encryption" is a trivial problem these days with DSP. The encryption could be modeled as additive 'noise' and you could basically use signal processing with various filter's until you recognize human speech, even better if you have recorded that human speech before hand so you have a base signal to compare to. Back in the day, it was a difficult physical problem to solve since you'd have to make a custom filter out of discrete real components. But now you can digitize the stream, and apply all the filters you want, quickly. Unfortunately that means a regressive cyber-future isn't really possible.
|
|
#
?
Feb 16, 2015 19:52
|
|
|
Cocoa Crispies posted:it depends on your threat model they were talking about child pornographers on the last page whose threat model usually is "everyone wants to murder us" so
|
|
#
?
Feb 16, 2015 19:53
|
|
|
Bloody posted:they were talking about child pornographers on the last page whose threat model usually is "everyone wants to murder us" so this is the fundamental security problem: your biggest threat to security is you mandatory thegrugq link: http://www.slideshare.net/grugq/opsec-for-hackers
|
|
#
?
Feb 16, 2015 19:55
|
|
|
Deacon of Delicious posted:best infosec: never have anyone to communicate with
|
|
#
?
Feb 16, 2015 19:56
|
|
|
Also why doesn't a pre-shared secret over a sideband channel work to prevent MitM? Basically, you chat with each other over your soon to be secured/authenticated connection. You then call each other from a different phone/throw-away email address, exchange the one-time-key, Bam, enjoy your secure session. Is that the usability issue people are talking about?
|
|
#
?
Feb 16, 2015 19:57
|
|
|
spankmeister posted:presenting for your viewing pleasure; the anthem of China's internet censorship agency: was legit expecting https://www.youtube.com/watch?v=wKx1aenJK08
|
|
#
?
Feb 16, 2015 19:57
|
|
|
Powercrazy posted:Also why doesn't a pre-shared secret over a sideband channel work to prevent MitM? yes, i'm carrying my one phone, not a loving tool belt of drat gizmos in holsters like a sad middle manager in 2006
|
|
#
?
Feb 16, 2015 20:02
|
|
|
Powercrazy posted:Analog "encryption" is a trivial problem these days with DSP. The encryption could be modeled as additive 'noise' and you could basically use signal processing with various filter's until you recognize human speech, even better if you have recorded that human speech before hand so you have a base signal to compare to. Back in the day, it was a difficult physical problem to solve since you'd have to make a custom filter out of discrete real components. But now you can digitize the stream, and apply all the filters you want, quickly. excuse me but theres no way your loving dsp is anywhere near as accurate as my analog components.
|
|
#
?
Feb 16, 2015 20:04
|
|
|
Powercrazy posted:Also why doesn't a pre-shared secret over a sideband channel work to prevent MitM? yes. exchanging poo poo in advance (eg: gpg and key signing parties) is secure, but nobody wants to bother with that poo poo, and it's not really feasible in many of the circumstances where you would want to communicate secretly. plus, if you can already communicate over some other channel that you consider secure, then you dont need a new secure connection.
|
|
#
?
Feb 16, 2015 20:04
|
|
|
Powercrazy posted:Also why doesn't a pre-shared secret over a sideband channel work to prevent MitM? how do you secure the side channel?!?!
|
|
#
?
Feb 16, 2015 20:05
|
|
|
spankmeister posted:presenting for your viewing pleasure; the anthem of China's internet censorship agency: srsly these guys own we're hosed
|
|
#
?
Feb 16, 2015 20:08
|
|
|
Shaggar posted:excuse me but theres no way your loving dsp is anywhere near as accurate as my analog components. lol
|
|
#
?
Feb 16, 2015 20:14
|
|
|
Shaggar posted:excuse me but theres no way your loving dsp is anywhere near as warm as my analog components.
|
|
#
?
Feb 16, 2015 20:18
|
|
|
let's go back to one-time pads printed on rice paper so you can eat them if you're about to be captured by the axis
|
|
#
?
Feb 16, 2015 20:20
|
|
|
ChickenOfTomorrow posted:let's go back to one-time pads printed on rice paper so you can eat them if you're about to be captured by the axis or just really hungry
|
|
#
?
Feb 16, 2015 20:21
|
|
|
has anyone posted this yet? http://arstechnica.com/information-technology/2015/02/box-hands-cloud-encryption-keys-over-to-its-customers/ Featuring aws, the cloud, enterprise and: [quote] When asked if the service would prevent Box from handing data over to the government, a company spokesperson said, Unless the customer provides authorization to Box to provide the content thats asked for, Box is prevented from sharing the content. When customers use Box EKM we are not able to provide decrypted content because we dont have the encryption keys protecting the customers content. ... File uploaded to Box (encrypted in transit with TLS). We generate a Box Key to encrypt the file. We encrypt the file with the Box Key. We send the Box Key securely over to the Customer's HSM. HSM encrypts the Box Key with the Customer Key and sends it back securely to Box. ... Box needs permission from the customer when decrypting files. Before we can use our key, we need the customer to decrypt it inside the HSM, the company said. It's a layered encryption model. So while the data itself is not encrypted with the customer's key, the customer key is the gatekeeper for decrypting it. In effect, our key is useless until it's decrypted by the customer. Each time Box needs temporary access to decrypt files, we go back to the customer to request access (by sending over the document key for decryption). Each request is captured in the logs controlled exclusively by the customer. Customers can monitor that log to see how the data is accessed and how the keys are being used, and we have no way of modifying that log. [/quote[
|
|
#
?
Feb 16, 2015 20:25
|
|
|
pointsofdata posted:File uploaded to Box (encrypted in transit with TLS). did they just elide the part where box deletes the key they generate?
|
|
#
?
Feb 16, 2015 20:28
|
|
|
I'm not seeing what the Customer-encrypted Box Key is for. What's the point of that?
|
|
#
?
Feb 16, 2015 20:30
|
|
|
Suspicious Dish posted:I'm not seeing what the Customer-encrypted Box Key is for. What's the point of that? i think the theory is that box deletes their copy of the key and has to call the customer for it every time they need it and promise to delete it later
|
|
#
?
Feb 16, 2015 20:35
|
|
|
pointsofdata posted:has anyone posted this yet? The writeup of how it works is sort of poorly written but is this as poo poo as I think it is? It sounds like they're saying "we don't keep the encryption key, pinky swear" so it doesn't actually add anything, but maybe I'm an idiot
|
|
#
?
Feb 16, 2015 20:35
|
|
|
MORE CURLY FRIES posted:mitm doesnt just mean changing the contents of the messages but being able to intercept them the whole point of key exchanges like DH is that they're secure against passive eavesdroppers. if you use DH over a channel that can be modified and then verify the key over a modification-proof channel you're fine.
|
|
#
?
Feb 16, 2015 20:37
|
|
|
Cocoa Crispies posted:did they just elide the part where box deletes the key they generate? well if they kept the key after decrypting it and using it once they would have to tell the customer's logs, it's right there in the design 
|
|
#
?
Feb 16, 2015 20:39
|
|
|
Cocoa Crispies posted:this is the fundamental security problem: your biggest threat to security is you 
|
|
#
?
Feb 16, 2015 20:42
|
|
|
spankmeister posted:presenting for your viewing pleasure; the anthem of China's internet censorship agency: We've spent a lot of money on a choir, song writing, a stage, that drum, the lighting and a television studio, do we have any money left over for a real band? No? gently caress it, get the choir director and his Sanyo keyboard it's good enough.
|
|
#
?
Feb 16, 2015 21:46
|
|
|
Optimus_Rhyme posted:We've spent a lot of money on a choir, song writing, a stage, that drum, the lighting and a television studio, do we have any money left over for a real band? No? gently caress it, get the choir director and his Sanyo keyboard it's good enough. isn't that like US college football half-time show 101?
|
|
#
?
Feb 16, 2015 21:49
|
|
|
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/ Kaspersky report on the equation apt group which may be the nsa quote:One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computersa never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.
|
|
#
?
Feb 16, 2015 23:01
|
|
|
That article is amazing. Some of that is scary CSI, next-level poo poo. * A bootkit that injects code into the MBR and kernel at start * Firmware flashing that works on all major brands of hard drives and creates a basically undetectable partition * Sophisticated air gap spanning via thumbdrive with stored-commands and sniffer software * An encrypted Virtual file system that lives solely in registry entries hidden away in bits of the registry * Encapsulated modules, each with different encryption keys stored on the VFS
|
|
#
?
Feb 16, 2015 23:38
|
|
|
i remember reading about a researcher who developed a proof of concept firmware hack for western digital (iirc) hard drives, that was some really neat/scary stuff and i have his example code saved somewhere
|
|
#
?
Feb 16, 2015 23:41
|
|
|
Aleksei Vasiliev posted:https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf Read most of this and 
|
|
#
?
Feb 16, 2015 23:41
|
|
|
|
| # ? Jun 7, 2024 08:58 |
|
|
how do you know if your seagate is infected? it doesnt die after 2 years 
|
|
#
?
Feb 16, 2015 23:42
|
|
