 
just brew it!
Gold subscriber
Administrator
Topic Author
Posts: 48943
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Security is hard!

Fri Sep 22, 2017 7:23 pm

https://arstechnica.com/information-tec ... y-on-blog/

Epic fail. Not Equifax level epic fail, but epic fail nonetheless.
Nostalgia isn't what it used to be.
 
DragonDaddyBear
Gerbil Elite
Posts: 628
Joined: Fri Jan 30, 2009 8:01 am

Re: Security is hard!

Fri Sep 22, 2017 8:19 pm

The weakest part of any company, from a security perspective, is the people. It doesn't help they made the interface in such a way that human error would be more likely. One would think there would be a warning if you clicked on anything that exports your private certificate.
 
chuckula
Gold subscriber
Gerbil Jedi
Posts: 1533
Joined: Wed Jan 23, 2008 9:18 pm
Location: Probably where I don't belong.

Re: Security is hard!

Fri Sep 22, 2017 8:20 pm

It's a bad mistake but at least it's not an SSL private key that needs to be revoked via a full-bore certificate authority ;-)

Security is definitely hard though! PKI has the added pitfall that you are *supposed* to be giving out your public key to the world, and frankly there's no deep mathematical difference between the public key and the private key in every key pair. It's just a matter of remembering that one of them should be blasted out to the world at large while the other one is a deep dark secret!
4770K @ 4.7 GHz; 32GB DDR3-2133; GTX-1080; 512GB 840 Pro (2x); Fractal Define XL-R2; NZXT Kraken-X60
--Many thanks to the TR Forum for advice in getting it built.
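Added example, not code from this thread or from Adobe: a pre-publish check of the kind DragonDaddyBear and chuckula describe, which refuses content carrying a PRIVATE KEY BLOCK armor label and, because the label alone proves nothing, also inspects the first OpenPGP packet for secret-key material. The armor regex, function names and sample packet bytes are assumptions constructed here.

```python
import base64
import re
# ASCII-armored block: BEGIN/END lines carrying the same label (RFC 4880 section 6.2)
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", re.DOTALL)
SECRET_TAGS = {5, 7}  # OpenPGP packet tags Secret-Key and Secret-Subkey (RFC 4880 4.3)

def first_packet_tag(armor_body):
    """Decode an armored body and return the tag of its first OpenPGP packet."""
    data = []
    for line in armor_body.splitlines():
        line = line.strip()
        if not line or ":" in line:  # blank separator or a "Key: value" armor header
            continue
        if line.startswith("="):     # CRC24 line; base64 data never starts with '='
            break
        data.append(line)
    raw = base64.b64decode("".join(data))
    if not raw or not raw[0] & 0x80:  # bit 7 is always set in a packet header byte
        return None
    # new-format header: tag in low 6 bits; old-format header: tag in bits 2-5
    return raw[0] & 0x3F if raw[0] & 0x40 else (raw[0] >> 2) & 0x0F

def find_key_blocks(text):
    """Return (armor label, first packet tag or None) for each armored block."""
    found = []
    for m in ARMOR_RE.finditer(text):
        try:
            tag = first_packet_tag(m.group(2))
        except ValueError:  # binascii.Error (bad base64) is a ValueError
            tag = None
        found.append((m.group(1), tag))
    return found

def safe_to_publish(text):
    """False if any block is labelled PRIVATE or begins with a secret-key packet."""
    return not any("PRIVATE" in label or tag in SECRET_TAGS
                   for label, tag in find_key_blocks(text))

def armored(label, packet_bytes):
    """Constructed fixture: armor some bytes the way an exported key looks."""
    body = base64.b64encode(packet_bytes).decode()
    return (f"-----BEGIN PGP {label}-----\nVersion: example\n\n{body}\n=AbCd\n"
            f"-----END PGP {label}-----")

# Constructed samples, not real keys: 0x99 = old-format Public-Key header (tag 6), 0x95 = Secret-Key (tag 5)
PUBLIC_POST = "Our key:\n" + armored("PUBLIC KEY BLOCK", b"\x99\x00\x05" + bytes(6))
PRIVATE_POST = "Our key:\n" + armored("PRIVATE KEY BLOCK", b"\x95\x00\x05" + bytes(6))
MISLABELLED_POST = armored("PUBLIC KEY BLOCK", b"\x95\x00\x05" + bytes(6))
```

The mislabelled sample is the case a label-only check misses: a secret key pasted under a PUBLIC KEY BLOCK header still starts with a tag-5 packet.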
 
Krogoth
Silver subscriber
Gerbil Elder
Posts: 5346
Joined: Tue Apr 15, 2003 3:20 pm
Location: somewhere on Core Prime
Contact:

Re: Security is hard!

Sat Sep 23, 2017 11:43 am

just brew it! wrote:
https://arstechnica.com/information-technology/2017/09/in-spectacular-fail-adobe-security-team-posts-private-pgp-key-on-blog/

Epic fail. Not Equifax level epic fail, but epic fail nonetheless.


Security is surprisingly difficult, believe it or not, when you are a big visible target. The human element (mainly stupidity/laziness) makes things dicey at the best of times. The worst part is most of the "leaks" and infractions go unnoticed until it is too late.

Internet and meaningful security are almost mutually exclusive terms.
Ivy Bridge i5-3570K@4.0Ghz, Gigabyte Z77X-UD3H, 2x4GiB of PC3-12800, Sapphire RX Vega 64, Corsair CX-600 and Fractal Refined R4 (W). Kentsfield Q6600@3Ghz, HD 4850 2x2GiB PC2-6400, Gigabyte EP45-DS4P, OCZ Modstream 700W, and PC-7B.
 
Waco
Gold subscriber
Gerbil Jedi
Posts: 1974
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Security is hard!

Sat Sep 23, 2017 3:32 pm

Stuff like this is why I love air-gapped networks. Stupidity is contained. :)
Z170A Gaming Pro Carbon | 6700K @ 4.5 | 16 GB | GTX Titan X | Seasonix Gold 850 | XSPC RX360 | Heatkiller R3 | D5 + RP-452X2 | Cosmos II | Samsung 4K 40" | 480 + 240 + LSI 9207-8i (128x8) SSDs
 
HAL-9000
Gerbil
Posts: 10
Joined: Fri Feb 24, 2017 2:51 pm
Location: Discovery One

Re: Security is hard!

Sat Sep 23, 2017 5:35 pm

Waco wrote:
Stuff like this is why I love air-gapped networks. Stupidity is contained. :)


It would seem that not even air-gapped networks are 100% bulletproof.

https://www.bleepingcomputer.com/news/s ... -networks/
 
just brew it!
Gold subscriber
Administrator
Topic Author
Posts: 48943
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Security is hard!

Sat Sep 23, 2017 6:08 pm

HAL-9000 wrote:
Waco wrote:
Stuff like this is why I love air-gapped networks. Stupidity is contained. :)

It would seem that not even air-gapped networks are 100% bulletproof.

https://www.bleepingcomputer.com/news/s ... -networks/

The only truly bulletproof system is a system that's turned off.

That said, this seems like a pretty far-fetched scenario. The "40 bits per second" transmission rate quoted is simply not realistic (by several orders of magnitude), and shoots down the credibility of the entire article. There is simply no way you can switch an AC system (or even a simple air baffle in a duct) on/off 40 times a second; and even if you could, thermal inertia of the ducts, air and objects in the room, and PC itself would prevent rapid temperature fluctuations from registering in a PC's temperature sensors. I'm thinking at best you might be able to get on the order of 1 or 2 bits per minute, and even that's probably wildly optimistic.

The article also makes ridiculous leaps of illogic, like "Cyber-attacks involving HVAC systems have already taken place. For example, the source of the Target data breach was a provider of HVAC systems." The HVAC contractor had login credentials on the network; those login credentials were stolen and used to attack the network. The HVAC system wasn't involved in the breach, nor was this an "air gapped" attack. It was a simple case of a careless idiot at the HVAC contractor, and sloppy network security at Target. :roll:

This article is an epic fail on bleepingcomputer's part.
Nostalgia isn't what it used to be.
 
derFunkenstein
Gold subscriber
Gerbil God
Posts: 23611
Joined: Fri Feb 21, 2003 9:13 pm
Location: Comin' to you directly from the Mothership

Re: Security is hard!

Mon Sep 25, 2017 8:57 am

I love how the guy who created PGP asked for a re-send in plain text because it's such a PITA to use that it's not workable on his iPhone (even if that was a couple years ago).
"And and if you start to bleed, stop wiping." -whm1974
 
morphine
Gold subscriber
Gerbilus Supremus
Posts: 11376
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Security is hard!

Mon Sep 25, 2017 9:40 am

Well, here's the interesting aspect. I don't think this blunder is all that bad. Extremely embarrassing, sure, but the end effect isn't that dangerous. Thankfully, it's the PGP key for an e-mail address that's rarely used and that few end users are expecting an e-mail from. Second, the cause was human distraction, not gross incompetence. I've seen far worse, both in terms of impact and cause.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(