Security Basics mailing list archives
Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Sun, 14 May 2006 21:02:04 -0700
A long-overdue wake up call for the information security community. Article: http://www.securityabsurdity.com/failure.php
OK. I went through the article. And it seems to me more of an "End is near" kinda article than an objective view of the current security issues. The article portrays the worst case scenarios. Worst case scenarios are NOT the norm.

For example, the author talks about MD5 and SHA being compromised. But that is a very vague statement, and intended to mislead newbies. In reality MD5 and SHA1 are still very secure, and the fact of the matter is that only a collision attack (and NOT a pre-image attack) is possible on these hashing algorithms. This distinction is very important. Collision attacks are possible, but it is very, very complex to mount a "USEFUL" attack using collisions. For example, a pre-image attack is required for tampering with an arbitrary (given) piece of code from a legitimate vendor that has been digitally signed. A collision attack on code-signing will work only if the attacker is writing both the innocuous and the malicious programs. In that case why would you trust even an innocuous program from an attacker (known malware developer)????

For simple hashing of passwds or digital signatures, I think SHA-1 is still more than enough.

My point is that the security is not failing. Amazon is still making money and GMAIL is fairly safe, even without the use of 2-factor authentication. It is just a mail system, not my bank. In fact most online merchants have ways to reimburse users in case of fraud. For example, Google AdWords. If you are careful while being online, you will be secure. Not being cautious is like a driver who doesn't want to wear a seat belt and still wants to survive in case of an accident. That is just not possible.

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------
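The collision-versus-pre-image distinction drawn in the message above, as an added example that is not part of the original post: a toy hash (SHA-256 truncated to a few bits, an assumption made so the searches finish in seconds, as are the function names and the sample "vendor binary") shows that a birthday collision, where the attacker chooses both messages, costs roughly 2^(n/2) work, while matching the fixed digest of a file the vendor already signed needs a second pre-image at roughly 2^n, and that a collision pair says nothing about that signed digest.

```python
import hashlib
import os

BITS = 20  # toy truncation (assumption): ~2^10 work for a collision, ~2^20 for a pre-image


def toy_hash(data: bytes, bits: int = BITS) -> int:
    """SHA-256 truncated to `bits` bits; a stand-in for a weak hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits: int = BITS):
    """Birthday search: the attacker picks BOTH messages, so any pair with the
    same digest will do. Returns (m1, m2, tries)."""
    seen = {}
    tries = 0
    while True:
        m = os.urandom(8)  # random candidate message
        tries += 1
        h = toy_hash(m, bits)
        if h in seen and seen[h] != m:
            return seen[h], m, tries
        seen[h] = m


def find_second_preimage(target: int, bits: int = BITS, limit: int = 1 << 24):
    """Brute-force a message whose digest equals a FIXED target, i.e. what
    tampering with a vendor-signed binary would require. Returns (m, tries),
    or (None, limit) if the budget runs out."""
    for tries in range(1, limit + 1):
        m = tries.to_bytes(8, "big")
        if toy_hash(m, bits) == target:
            return m, tries
    return None, limit


def collision_matches_signed_digest(signed_digest: int, m1: bytes, m2: bytes, bits: int = BITS) -> bool:
    """A collision pair only helps if one half is the very file the vendor signed."""
    return toy_hash(m1, bits) == signed_digest or toy_hash(m2, bits) == signed_digest


if __name__ == "__main__":
    vendor_binary = b"legit-installer-v1.0"  # constructed sample input
    signed_digest = toy_hash(vendor_binary)
    m1, m2, c_tries = find_collision()
    print(f"collision after {c_tries} tries; matches the signed digest: "
          f"{collision_matches_signed_digest(signed_digest, m1, m2)}")
    _, p_tries = find_second_preimage(signed_digest)
    print(f"second pre-image of the signed digest found after {p_tries} tries")
```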