funsec mailing list archives

Security by hiding patch cables


From: Gary Warner <gar () askgar com>
Date: Fri, 19 Jan 2007 11:02:11 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While we're at it, network security by hiding all the patch cables.
That'll solve all our problems.

I used a bit of a similar story in the Computer Security class I'm
teaching at UAB.  The portion of the lecture was on how security
decisions that are made at any given point in time are generally
designed with current technology in mind, but then get extended in time
until those assumptions are no longer valid.

For instance, Token Ring and MAC addresses.  The original assumption,
back when we daisy-chained our computers together with miles of coaxial
cable, was that all the computers were going to see all of the data,
which was fine, since we *KNEW* that you could only receive traffic that
had the MAC address of your NIC in its header.

That assumption led to the commonly accepted behaviour of sending
passwords in plaintext (such as Telnet, TN3270, FTP, etc.)

Which again was "fine", until someone just wrote their own device driver
that said "skip all that filtering crap".


We also talked about why we change our passwords every 30 days.  In the
old days we knew that our passwords were crackable, but we thought that
as long as we changed them every thirty days we were ok, since it would
take "the average hardware available to the average hacker" longer than
30 days to "crack" our passwords.

Now most passwords fall in a couple hours with traditional cracking
tools and in a couple minutes with Rainbow Table based tools.  But we
still change our 8 character alphanumeric passwords every 30 days, even
though we no longer remember why, rather than requiring a 15 char
mixed-case upper/lower/numeric/symbol password.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFsPmTg79eYCOO6PsRAgb8AJ4pRTYFbamjafKSLXHLAk+Y1EF2BgCfSK7V
0l6ln9kN3O7c7pTo9LZX1tA=
=so68
-----END PGP SIGNATURE-----
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
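The shared-medium point in the post above, worked through as an added example that is not part of Gary's message: a minimal Ethernet II / IPv4 / TCP frame parser in Python that behaves like an ordinary NIC when promiscuous=False (frames not addressed to our MAC are dropped) and like the "skip all that filtering crap" driver when promiscuous=True, reassembling the FTP control stream and pulling out the USER/PASS lines that go over the wire in the clear. The frames, MAC and IP addresses, port numbers and credential strings are all constructed for the example; checksums are left at zero because nothing here validates them.

```python
"""
Added example (not from the original post): the destination-MAC filter on a
NIC was never a security boundary on a shared segment.  All addresses and
the FTP login below are made up.
"""
import struct

OUR_MAC = bytes.fromhex("020000000001")     # hypothetical: our NIC
VICTIM_MAC = bytes.fromhex("020000000002")  # hypothetical: the FTP client
SERVER_MAC = bytes.fromhex("020000000003")  # hypothetical: the FTP server
BROADCAST = b"\xff" * 6

# Ports whose protocols carry credentials in plaintext; only FTP is parsed
# here (Telnet logins are typed character by character, not as USER/PASS).
CLEARTEXT_PORTS = {21: "ftp"}


def build_frame(dst_mac, src_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Build a minimal Ethernet II / IPv4 / TCP frame (checksums zeroed)."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, 0x18, 65535, 0, 0)       # 20-byte header, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (dst_mac, src_port, dst_port, tcp_payload), or None if not IPv4/TCP."""
    dst_mac = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]                 # drop any trailer/padding
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                      # protocol field: 6 = TCP
        return None
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return dst_mac, src_port, dst_port, tcp[data_off:]


def extract_credentials(frames, promiscuous):
    """Reassemble each client->server FTP flow and pull out USER/PASS.

    promiscuous=False mimics the NIC: frames whose destination MAC is not
    ours (or broadcast) never reach us.  promiscuous=True is the sniffer.
    """
    flows = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        dst_mac, src_port, dst_port, payload = parsed
        if not promiscuous and dst_mac not in (OUR_MAC, BROADCAST):
            continue                    # what a non-promiscuous NIC drops
        if dst_port in CLEARTEXT_PORTS:
            flows.setdefault((src_port, dst_port), bytearray()).extend(payload)

    creds = []
    for (src_port, dst_port), data in flows.items():
        user = password = None
        for line in data.decode("ascii", "replace").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                user = arg
            elif verb.upper() == "PASS":
                password = arg
        if user and password:
            creds.append((CLEARTEXT_PORTS[dst_port], user, password))
    return creds


def sample_capture():
    """Constructed traffic on a shared segment: someone else's FTP login,
    split across segments, plus one frame that really is addressed to us."""
    login = [
        build_frame(SERVER_MAC, VICTIM_MAC, "10.0.0.5", "10.0.0.21", 40001, 21, b"USER al"),
        build_frame(SERVER_MAC, VICTIM_MAC, "10.0.0.5", "10.0.0.21", 40001, 21, b"ice\r\n"),
        build_frame(SERVER_MAC, VICTIM_MAC, "10.0.0.5", "10.0.0.21", 40001, 21, b"PASS hunter2\r\n"),
    ]
    for_us = build_frame(OUR_MAC, SERVER_MAC, "10.0.0.21", "10.0.0.1", 21, 40002, b"220 ftp ready\r\n")
    return login + [for_us]


if __name__ == "__main__":
    cap = sample_capture()
    print("filtered NIC  :", extract_credentials(cap, promiscuous=False))
    print("promiscuous   :", extract_credentials(cap, promiscuous=True))
```

Run with the filter on, the capture yields nothing; with it off, the same bytes give up the login. The only thing that ever stood between the two was a flag in the driver, which is why a switched network, and then TLS, had to replace the assumption rather than a stricter MAC check.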