 
just brew it!
Administrator
Topic Author
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Security is hard!

Fri Sep 22, 2017 7:23 pm

https://arstechnica.com/information-tec ... y-on-blog/

Epic fail. Not Equifax level epic fail, but epic fail nonetheless.
Nostalgia isn't what it used to be.
 
DragonDaddyBear
Gerbil Elite
Posts: 985
Joined: Fri Jan 30, 2009 8:01 am

Re: Security is hard!

Fri Sep 22, 2017 8:19 pm

The weakest part of any company, from a security perspective, is the people. It doesn't help they made the interface in such a way that human error would be more likely. One would think there would be a warning if you clicked on anything that exports your private certificate.
 
chuckula
Minister of Gerbil Affairs
Posts: 2109
Joined: Wed Jan 23, 2008 9:18 pm
Location: Probably where I don't belong.

Re: Security is hard!

Fri Sep 22, 2017 8:20 pm

It's a bad mistake but at least it's not an SSL private key that needs to be revoked via a full-bore certificate authority ;-)

Security is definitely hard though! PKI has the added pitfall that you are *supposed* to be giving out your public key to the world, and frankly there's no deep mathematical difference between the public key and the private key in every key pair. It's just a matter of remembering that one of them should be blasted out to the world at large while the other one is a deep dark secret!
4770K @ 4.7 GHz; 32GB DDR3-2133; Officially RX-560... that's right AMD you shills!; 512GB 840 Pro (2x); Fractal Define XL-R2; NZXT Kraken-X60
--Many thanks to the TR Forum for advice in getting it built.
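The two posts above both come down to the same operational gap: nothing in the publishing path asked "is this the public half or the private half?" before the key hit the blog. The following is an added example (not code from the original thread, from Adobe, or from any tool named here) of the kind of pre-publish check that would have caught it: a scanner that looks for OpenPGP ASCII-armor and PEM `-----BEGIN ...-----` headers in a draft and refuses to publish anything whose label contains `PRIVATE`. The sample draft, its placeholder key bodies, and the function names are all constructed for the example; the header strings themselves are the standard RFC 4880 armor labels and common PEM labels.

```python
import re
from dataclasses import dataclass

# Matches the opening line of an OpenPGP ASCII-armor block (RFC 4880) or a
# PEM block, e.g. "-----BEGIN PGP PRIVATE KEY BLOCK-----" or
# "-----BEGIN OPENSSH PRIVATE KEY-----".  We scan line by line rather than
# for BEGIN/END pairs so that a truncated or half-pasted block (BEGIN line
# present, END line missing) is still flagged.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")


@dataclass
class Finding:
    label: str    # armor/PEM label, e.g. "PGP PUBLIC KEY BLOCK"
    line: int     # 1-based line number in the draft
    private: bool # True if the label names private key material


def find_key_blocks(text: str) -> list[Finding]:
    """Return every armored/PEM block header found in the draft."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = BEGIN_RE.match(line.strip())
        if m:
            label = m.group(1)
            # Any label containing PRIVATE (PGP PRIVATE KEY BLOCK, RSA PRIVATE
            # KEY, ENCRYPTED PRIVATE KEY, OPENSSH PRIVATE KEY, ...) is secret
            # material and must never be published.
            findings.append(Finding(label=label, line=lineno,
                                    private="PRIVATE" in label))
    return findings


def check_publishable(text: str) -> tuple[bool, list[str]]:
    """Pre-publish gate: (ok, reasons).  ok is False if any private key
    material is present; public key blocks are allowed through."""
    reasons = [f"line {f.line}: {f.label}"
               for f in find_key_blocks(text) if f.private]
    return (not reasons, reasons)


# Constructed sample draft.  The base64-looking bodies are placeholders,
# not real key material.
SAMPLE_DRAFT = (
    "Contact our security team; our key is below.\n"
    "\n"
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "\n"
    "mQENBCONSTRUCTEDPLACEHOLDERNOTAREALKEY==\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
    "\n"
    "-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
    "\n"
    "lQOYBCONSTRUCTEDPLACEHOLDERNOTAREALKEY==\n"
    "-----END PGP PRIVATE KEY BLOCK-----\n"
)

# A half-pasted block with no END line; still caught by the line scan.
TRUNCATED_DRAFT = "notes\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEA\n"


if __name__ == "__main__":
    for name, draft in (("sample", SAMPLE_DRAFT), ("truncated", TRUNCATED_DRAFT)):
        ok, reasons = check_publishable(draft)
        print(f"{name}: {'OK to publish' if ok else 'BLOCKED'}", reasons)
```

The check is deliberately dumb: it does not parse the key, it only reads the label, because the label is exactly the thing a distracted human skips over when both blocks come out of the same export dialog. Wiring `check_publishable` into a CMS pre-save hook or a CI step for a static blog is enough to turn the "one would think there would be a warning" wish into an actual warning.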
 
Krogoth
Emperor Gerbilius I
Posts: 6049
Joined: Tue Apr 15, 2003 3:20 pm
Location: somewhere on Core Prime

Re: Security is hard!

Sat Sep 23, 2017 11:43 am

just brew it! wrote:
https://arstechnica.com/information-technology/2017/09/in-spectacular-fail-adobe-security-team-posts-private-pgp-key-on-blog/

Epic fail. Not Equifax level epic fail, but epic fail nonetheless.


Security is surprisingly difficult, believe it or not, when you are a big visible target. The human element (mainly stupidity/laziness) makes things dicey at the best of times. The worst part is most of the "leaks" and infractions go unnoticed until it is too late.

Internet and meaningful security are almost mutually exclusive terms.
Gigabyte X670 AORUS-ELITE AX, Raphael 7950X, 2x16GiB of G.Skill TRIDENT DDR5-5600, Sapphire RX 6900XT, Seasonic GX-850 and Fractal Define 7 (W)
Ivy Bridge 3570K, 2x4GiB of G.Skill RIPSAW DDR3-1600, Gigabyte Z77X-UD3H, Corsair CX-750M V2, and PC-7B
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Security is hard!

Sat Sep 23, 2017 3:32 pm

Stuff like this is why I love air-gapped networks. Stupidity is contained. :)
Victory requires no explanation. Defeat allows none.
 
HAL-9000
Gerbil
Posts: 15
Joined: Fri Feb 24, 2017 2:51 pm
Location: Discovery One

Re: Security is hard!

Sat Sep 23, 2017 5:35 pm

Waco wrote:
Stuff like this is why I love air-gapped networks. Stupidity is contained. :)


It would seem that not even air-gapped networks are 100% bulletproof.

https://www.bleepingcomputer.com/news/s ... -networks/
 
just brew it!
Administrator
Topic Author
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Security is hard!

Sat Sep 23, 2017 6:08 pm

HAL-9000 wrote:
Waco wrote:
Stuff like this is why I love air-gapped networks. Stupidity is contained. :)

It would seem that not even air-gapped networks are 100% bulletproof.

https://www.bleepingcomputer.com/news/s ... -networks/

The only truly bulletproof system is a system that's turned off.

That said, this seems like a pretty far-fetched scenario. The "40 bits per second" transmission rate quoted is simply not realistic (by several orders of magnitude), and shoots down the credibility of the entire article. There is simply no way you can switch an AC system (or even a simple air baffle in a duct) on/off 40 times a second; and even if you could, thermal inertia of the ducts, air and objects in the room, and PC itself would prevent rapid temperature fluctuations from registering in a PC's temperature sensors. I'm thinking at best you might be able to get on the order of 1 or 2 bits per minute, and even that's probably wildly optimistic.

The article also makes ridiculous leaps of illogic, like "Cyber-attacks involving HVAC systems have already taken place. For example, the source of the Target data breach was a provider of HVAC systems." The HVAC contractor had login credentials on the network; those login credentials were stolen and used to attack the network. The HVAC system wasn't involved in the breach, nor was this an "air gapped" attack. It was a simple case of a careless idiot at the HVAC contractor, and sloppy network security at Target. :roll:

This article is an epic fail on bleepingcomputer's part.
Nostalgia isn't what it used to be.
 
derFunkenstein
Gerbil God
Posts: 25427
Joined: Fri Feb 21, 2003 9:13 pm
Location: Comin' to you directly from the Mothership

Re: Security is hard!

Mon Sep 25, 2017 8:57 am

I love how the guy who created PGP asked for a re-send in plain text because it's such a PITA to use that it's not workable on his iPhone (even if that was a couple years ago).
I do not understand what I do. For what I want to do I do not do, but what I hate I do.
Twittering away the day at @TVsBen
 
morphine
TR Staff
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Security is hard!

Mon Sep 25, 2017 9:40 am

Well, here's the interesting aspect. I don't think this blunder is all that bad. Extremely embarrassing, sure, but the end effect isn't that dangerous. Thankfully, it's the PGP key for an e-mail address that's rarely used and that few end users are expecting an e-mail from. Second, the cause was human distraction, not gross incompetence. I've seen far worse, both in terms of impact and cause.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
