funsec mailing list archives
Security by hiding patch cables
From: Gary Warner <gar () askgar com>
Date: Fri, 19 Jan 2007 11:02:11 -0600
While we're at it, network security by hiding all the patch cables. That'll solve all our problems.
I used a bit of a similar story in the Computer Security class I'm teaching at UAB. The portion of the lecture was on how security decisions that are made at any given point in time are generally designed with current technology in mind, but then get extended in time until those assumptions are no longer valid.

For instance, Token Ring and MAC addresses. The original assumption, back when we daisy-chained our computers together with miles of coaxial cable, was that all the computers were going to see all of the data, which was fine, since we *KNEW* that you could only receive traffic that had the MAC address of your NIC in its header. That assumption led to the commonly accepted behaviour of sending passwords in plaintext (such as Telnet, TN3270, FTP, etc.), which again was "fine", until someone just wrote their own device driver that said "skip all that filtering crap".

We also talked about why we change our passwords every 30 days. In the old days we knew that our passwords were crackable, but we thought that as long as we changed them every thirty days we were ok, since it would take "the average hardware available to the average hacker" longer than 30 days to "crack" our passwords. Now most passwords fall in a couple hours with traditional cracking tools and in a couple minutes with Rainbow Table based tools. But we still change our 8 character alphanumeric passwords every 30 days, even though we no longer remember why, rather than requiring a 15 char mixed-case upper/lower/numeric/symbol password.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.