Dailydave mailing list archives
Re: How T-Mobil's network was compromised
From: Chris Kuethe <chris.kuethe () gmail com>
Date: Thu, 17 Feb 2005 14:26:07 -0700
On Thu, 17 Feb 2005 21:25:57 +0100 (CET), Paul Wouters <paul () xelerance com> wrote:
> But where do you end your paranoia? Do you trust RNGs on die? You cannot really ever 'fully' trust crypto hardware that does not have an open spec.

You end it wherever you do. Some people end it when they get out of bed, assuming the sky will never fall, and they get on with their day. Some people never do, and get tinfoil hat jokes made about them on Slashdot. Some of us are in the middle - we don't trust protocols where we can see the plaintext, we get suspicious when we see a new key or certificate fingerprint, etc. A large part of trust measurement is action, not math. Actions speak louder than words. Anyone using remote desktop to peek in on a Windows machine trusts it. Whether or not you have good cause to believe in its security, use of remote desktop implies that, at least right now, for this instance, you believe it won't let you down too badly. I apparently fully trust the banks with my money: if I didn't trust them, I'd jump through all the hoops needed to not get paid via direct deposit, and keep loads of cash under my bed. Semantics aside, I have fully trusted the bank. I have fully trusted their closed crypto. I have fully trusted their policies and procedures. Like it or not, that is what I have done, no matter how much I might whine on a mailing list about the fact that they still use DES for things.

> Whatever happened to the people chasing down the time delays in Pentium-I CPUs when executing undocumented (backdoor?) instructions to get to ring 0? Didn't one of them die? :)

News to me. Links please? Consider this the obligatory reference to "Reflections on Trusting Trust"...

> If T-Mobile wants to have your PGP messages, and they give you the PGP application, they can easily use a T-Mobile "Additional Decryption Key" (ADK) to ensure they can read all your messages. If you were using a real PGP implementation on the other end, it would ask you if you want to encrypt to the ADK as well. If you'd hit another T-Mobile PGP handset, this could then of course happen without any notice.

Yeah, I thought about the additional key, and if I were trojanning PGP I would not use that method, on the off chance a semi-clueful user (or at least a luser with a checklist written by a clueful user) might check for additional keys. By trojanning the PGP app on the handset, the operator gets both the sent and received cleartext.

> Blackbox cryptography is just always wrong.

But it still gets used too often. We avoid it where convenient, not "at all costs". (Banks, satellite TV, DVD players, proprietary security tools, etc.)

CK

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
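The exchange above mentions that a "semi-clueful user with a checklist" might check a key for an Additional Decryption Key. The following is an added example, not code from the original post or from any PGP product, of what such a check looks like at the packet level: it parses an OpenPGP signature subpacket area (the length/type framing of RFC 4880 section 5.2.3.1) and reports any subpacket of the type PGP used for ADKs. It assumes that ADK subpackets carry type 10 and that the body is a key fingerprint; the sample subpacket areas are constructed inline, not taken from a real key.

```python
"""Audit OpenPGP signature subpacket areas for Additional Decryption Key (ADK) subpackets.

Added example (not from the original post). Assumptions, labelled here and in the
lead-in: ADK subpackets use type 10; the subpacket body is treated as an opaque
fingerprint. All sample byte strings below are constructed for illustration.
"""

ADK_SUBPACKET_TYPE = 10  # assumption: PGP's "Additional Decryption Key" subpacket type

SUBPACKET_NAMES = {
    2: "signature creation time",
    10: "additional decryption key (ADK)",  # assumption, see above
    20: "notation data",
    27: "key flags",
}


def parse_subpackets(area: bytes) -> list:
    """Split a subpacket area into {type, critical, body} records.

    Length framing per RFC 4880 5.2.3.1: one octet if < 192, two octets for
    192..16319 encoded as (first-192)*256 + second + 192, five octets if the
    first octet is 255 (followed by a 4-octet big-endian length).
    """
    out, i, n = [], 0, len(area)
    while i < n:
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            if i + 1 >= n:
                raise ValueError("truncated two-octet subpacket length")
            length, i = (first - 192) * 256 + area[i + 1] + 192, i + 2
        else:
            if i + 4 >= n:
                raise ValueError("truncated five-octet subpacket length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        # The length covers the type octet plus the body, so it is at least 1.
        if length < 1 or i + length > n:
            raise ValueError("subpacket length runs past end of area")
        type_octet = area[i]
        out.append({
            "type": type_octet & 0x7F,          # low 7 bits: subpacket type
            "critical": bool(type_octet & 0x80),  # high bit: critical flag
            "body": area[i + 1:i + length],
        })
        i += length
    return out


def find_adks(area: bytes) -> list:
    """Return the hex fingerprints of every ADK subpacket found in the area."""
    return [p["body"].hex() for p in parse_subpackets(area)
            if p["type"] == ADK_SUBPACKET_TYPE]


def adk_report(hashed_area: bytes, unhashed_area: bytes) -> list:
    """Human-readable findings for one self-signature's two subpacket areas.

    An ADK in the unhashed area is not covered by the signature, so it could have
    been appended after the key was signed; that case is flagged separately.
    """
    findings = []
    for fpr in find_adks(hashed_area):
        findings.append("ADK in hashed (signed) area: " + fpr)
    for fpr in find_adks(unhashed_area):
        findings.append("ADK in UNHASHED area (not covered by signature): " + fpr)
    return findings


# Constructed sample: creation time + key flags, no ADK.
SAMPLE_CLEAN_AREA = (
    b"\x05\x02" + b"\x42\x13\x1e\x37"  # type 2, 4-octet timestamp (constructed)
    + b"\x02\x1b\x03"                  # type 27, key flags 0x03
)

# Constructed sample: same two subpackets plus a 20-octet ADK "fingerprint".
SAMPLE_ADK_FINGERPRINT = bytes(range(1, 21))  # constructed, not a real key
SAMPLE_HASHED_AREA = SAMPLE_CLEAN_AREA + b"\x15\x0a" + SAMPLE_ADK_FINGERPRINT

# Constructed sample exercising the two-octet length form: a 199-octet notation
# body, subpacket length 200 -> first octet 192, second octet 8.
SAMPLE_LONG_AREA = b"\xc0\x08" + b"\x14" + b"n" * 199


if __name__ == "__main__":
    for line in adk_report(SAMPLE_HASHED_AREA, SAMPLE_CLEAN_AREA):
        print(line)
    print("clean area findings:", adk_report(SAMPLE_CLEAN_AREA, b""))
```

In practice the subpacket areas come from the self-signature packets on a public key (after the key is de-armored and split into packets); a clean audit shows no type-10 subpackets in either area, and anything found in the unhashed area deserves the most suspicion, since nothing there is protected by the signature.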