
[News] Secrecy Makes Worse Security

Network Access Control: Bridging the Network Security Gap

,----[ Quote ]
| Despite the risks involved in not keeping a tight rein on the comings and 
| goings of network users, a surprising number of organisations have no 
| enforcement mechanism in place to drive compliance or to report on results. 
| This gap in corporate policy exposes the enterprise to a range of threats; 
| not simply from malware and hack attacks, but also the loss or theft of 
| intellectual property, and punishment from inadvertently flouting regulatory 
| requirements.      
`----

http://www.net-security.org/article.php?id=1116


Related:

New $2B Dutch Transport Card is Insecure

,----[ Quote ]
| Kerckhoffs’s Principle, one of the bedrock maxims of cryptography, says that 
| security should never rely on keeping an algorithm secret. It’s okay to have 
| a secret key, if the key is randomly chosen and can be changed when needed, 
| but you should never bank on an algorithm remaining secret.   
| 
| Unfortunately the designers of Mifare Classic did not follow this principle. 
| Instead, they chose to combine a secret algorithm with a relatively short 
| 48-bit key. This is a problem because once you know the algorithm it’s 
| possible for an attacker to search the entire 48-bit key space, and therefore 
| to forge cards, in a matter of days or weeks.
| 
| [...]
| 
| Now the Dutch authorities have a mess on their hands. About $2 billion have 
| been invested in this project, but serious fraud seems likely if it is 
| deployed as designed. This kind of disaster would have been more likely had 
| the design process been more open. Secrecy was not only an engineering 
| mistake (violating Kerckhoffs’s Principle) but also a policy mistake, as it 
| allowed the project to get so far along before independent analysts had a 
| chance to critique it. A more open process, like the one the U.S. government 
| used in choosing the Advanced Encryption Standard (AES) would have been 
| safer. Governments seem to have a hard time understanding that openness can 
| make you more secure.         
`----

http://www.freedom-to-tinker.com/?p=1250


FCC ignores more than 100 years of wisdom

,----[ Quote ]
| In 1883 French cryptographer Auguste Kerckhoffs published a set of six 
| design principles for military encryption systems. The second of these
| principles is generally known today under the observation that security 
| through obscurity is not security. The Federal Communications Commission 
| (FCC) seems not to have read the history books or to be aware of how its
| sister federal agencies develop security standards....
`----

http://www.infoworld.nl/idgns/bericht.phtml?id=002570DE00740E1800257313005EC092


Consumer-control industry and their security damnation

,----[ Quote ]
| By some ironic fortune, proprietary vendors like Apple and
| Microsoft will likely always suffer this damnation that their
| consumer-control inspired proprietary nature always brings with
| itself: security problems - exactly the thing they claim to prevent
| by being so control obsessed. You can stay damned with them or you
| can break free.
`----

http://www.libervis.com/article/consumer_control_industry_and_their_security_damnation


Open source key to anti-terrorism efforts

,----[ Quote ]
| Open source = more security, not less. It's no surprise, then, that
| many of my own company's customers include those that place a premium 
| on safety and security (US Federal Aviation Administration, UK's 
| Ministry of Defense, French Air Force, plus others, including one
| that would surprise you...).
`----

http://weblog.infoworld.com/openresource/archives/2007/05/open_source_key.html


Adobe fixes critical Flash bugs

,----[ Quote ]
| The last time Flash Player was patched was April, when Adobe repaired the 
| Linux and Solaris plug-ins used with the Opera and Konqueror browsers. In 
| March, Apple Inc. included a Flash fix in its 2007-003 security update that 
| upped Mac OS X to Version 10.4.9.   
`----

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=operating_systems&articleId=9026824&taxonomyId=89&intsrc=kc_top


RIM unconcerned by BlackBerry bugging software

,----[ Quote ]
| As reported yesterday, the latest version of legal spying software 
| FlexiSPY enables remote third parties to bug the voice calls, log SMS 
| and mobile e-mail messages and track the location of a BlackBerry 
| user.
`----

http://www.zdnet.com.au/news/hardware/soa/RIM-unconcerned-by-BlackBerry-bugging-software/0,130061702,339279555,00.htm


Laws Threaten Security Researchers

,----[ Quote ]
| Lee Tien, a member of the working group and a senior staff attorney 
| for the Electronic Frontier Foundation, says Website vulnerabilities 
| must be exposed so people's data and identities are secured. "The 
| fewer vulnerabilities, the better."
`----

http://www.darkreading.com/document.asp?doc_id=125984&WT.svl=news1_1

