Full Disclosure mailing list archives
Re: Vulnerability Disclosure Debate
From: Aron Nimzovitch <crypto () clouddancer com>
Date: Fri, 8 Aug 2003 12:32:52 -0700 (PDT)
I must be bored today.

From: Valdis.Kletnieks () vt edu
Date: Fri, 08 Aug 2003 14:08:45 -0400

> > Hehe, that is probably the same mechanical system that Feynman broke
> > over 50 years ago. Looks the same as what I once used and it is still
> > mechanical. Takes a couple of hours without any clues to the initial
> > number.
>
> Nope. The dial is only an input device, all it does is (a) provide initial
> power-up via a few spins to drive a generator, and (b) then the lockset
> just counts ticks left and right, it's actually microprocessor controlled.

Ohh, it has a COMPUTER, it MUST be better! No wait, that means that the backdoors for service personnel are accessible to bit boffers.

> In any case, GSA specs for Class 5 require:
>
> 30 man-minutes against covert entry
> 10 man-minutes against forced entry
> 20 man-hours against surreptitious entry

Tell me that it was turned over to an outside source with motivation to crack and that those standards were met. Having written tests to pass QA and dealt with QA inspectors, I am only amused with the thought that these numbers represent reality.

> (surreptitious is what Feynman was doing - opening it without leaving
> noticeable traces. Covert basically means with a minimum of tools and
> noise, and forced means blowtorches, drills and all the rest).

Surreptitiously picking off a couple numbers was just one of the tools in Feynman's bag. He never needed any crude tools, and was only defeated by one safe (the one that he believed to be best and never actively attacked -- turned out to have the default combo).

> The general idea is that security is in layers - you presumably also have
> an armed Marine on patrol with orders "If you hear a noise, shoot (forced
> entry), and check every half hour and shoot any unauthorized activity
> (other 2 categories)", or other schemes to make sure you don't get the
> requisite amount of time alone with the container.

Gee, read the story of the "Guess Who" note to see how effective such security was at Los Alamos during the end phase of the war.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Vulnerability Disclosure Debate, (continued)
- Re: Vulnerability Disclosure Debate gregh (Aug 07)
- Re: Vulnerability Disclosure Debate Matthew Murphy (Aug 07)
- Re: Vulnerability Disclosure Debate Darren Bennett (Aug 07)
- Re: Vulnerability Disclosure Debate Matthew Murphy (Aug 07)
- RE: Vulnerability Disclosure Debate Jason Coombs (Aug 08)
- RE: Vulnerability Disclosure Debate Mike Fratto (Aug 08)
- RE: Vulnerability Disclosure Debate Jason Coombs (Aug 08)
- Re: Vulnerability Disclosure Debate Darren Bennett (Aug 07)
- Re: Vulnerability Disclosure Debate Valdis . Kletnieks (Aug 07)
- Re: Vulnerability Disclosure Debate Aron Nimzovitch (Aug 08)
- Re: Vulnerability Disclosure Debate Valdis . Kletnieks (Aug 08)
- Re: Vulnerability Disclosure Debate Aron Nimzovitch (Aug 08)
- Message not available
- Re: Vulnerability Disclosure Debate Aron Nimzovitch (Aug 08)
- Re: Re: Vulnerability Disclosure Debate Georgi Guninski (Aug 09)
- Re: [Security] [vendor-sec] Re: Re: Vulnerability Disclosure Debate Seth Arnold (Aug 11)