Full Disclosure mailing list archives
Re: Clear text password exposure in Datakey's tokens and smartcards
From: Steve Kudlak <chromazine () sbcglobal net>
Date: Mon, 09 Aug 2004 01:45:21 -0700
I am going to start singing that old song from some movie made before my time of "Nice Work if you can get it, and you can get it if you try..." off course I think the crooner was crooning about romance, easier to convince some human that it is worth some bucks to get rather than random numbers which are everywhere if you look, eh?, yeah, right?;) <====said with a sneer (giggle;) More seriously I was looking to RFID systems vis a vis the privacy orries of such and such systems and I wondered what would a store, ora library want with something that with effort could tell you everywhere it has been. Now I admit when I have misplaced two books I really somedays want a "magic wand" to find them. The other problem is I have seen my local library try to handle its security concerns and somethings seem reasonable to me, many seem being a bit overcautious after being burnt. I know the legends involved, when I mention I am trying to solve some problem I am told I just need an 11 year old to do it for me, as if they are pixies with magic power. Getting your staff which is dedicated in the case of the library, but whichis dedicated but which several techoquestioning? (giggle trying to be polite)
people on it, but which is sensitive to privacy concerns. Versus the people at the Long's Drug Chain (Medium Sized US Drug Chain) where there is a big taa-doo at the register to check everything out whenever I bring in an item that I was overcharged $3.00 for. I look at some of the more elaborate security systems that merchants have been sold as being good and I am ready at least emotionally to join the "number of the beast" worry-worts. I hope the Long's main office when presented with a new security plan looks at it and laugh's and says it is too expensive.But I am sure that someone has told some ubermanager far away from Watsonville California that "Your Shrinkage Problems will dissappear if you install our $5MEgabuck system....which if you look at it per item, it is not that expensive...." Of course the guy selling it is far distant again from the techies who produced to earn their daily bread to pay for living in the $1000US/mo apartment. The salescreature thinks the idea of selling random numbers at $25.00 for a couple hundred is a good thing.
I mean they say: "Those are magic numbers they are produced by complicated software written by people who are so bright....." You get my drift. Have Fun, Sends SteveP.S. The "they lock when you take them beyond the parking lot " shopping carts have become great playtoys for kids in the neighborhood who like to overpower them and
hear them beep as they drag it along like a relcalitrant puppy. Curt Sampson wrote:
On Fri, 6 Aug 2004, Dana Hudes wrote:On Fri, 6 Aug 2004 Bart.Lansing () kohls com wrote:RSA has been doing PIN cards for ages...I don't get the hangup on SmartCards vs "plain old" something you have/something you know two factoras I understand it a "PIN Card" is a card with an EEPROM on it that contains a PIN. Possibly encrypted but its the same effect as any other file. The host decides if the PIN matches.The RSA SecurID system is a hardware token that generates a new number every minute using a sequence generator and a seed that is effectively a shared secret between the hardware token and the authentication server. You take the current minute's number and, usually, some other authentication information (such as a PIN or password) and pass both of those back to the authentication server, which will then determine whether the authentication is valid. It's a bit expensive, but it works ok. RSA also sells "software tokens" which are the same thing, but as software that runs on a PC or handheld. This is particularly expensive for what you get, since the token is easily copied from the device, with no indication that it's been stolen. (At least with the hardware tokens you know when it's been stolen.) And it's also quite expensive: they charge $25-$80 for a "1 year" software token. I wish I had the gall to sell large quantities of 128 bit random numbers for $25 each. cjs
Current thread:
- Clear text password exposure in Datakey's tokens and smartcards vuln (Aug 03)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lionel Ferette (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Toomas Soome (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Kevin Sheldrake (Aug 05)
- Re: Clear text password exposure in Datakey's tokens and smartcards Seth Breidbart (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Israel Torres (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Lyal Collins (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Bart . Lansing (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Dana Hudes (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Curt Sampson (Aug 08)
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 09)
- Message not available
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 10)
- Message not available
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 10)
- Re: Clear text password exposure in Datakey's tokens and smartcards Toomas Soome (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lionel Ferette (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lee Dilkie (Aug 05)