funsec mailing list archives
Re: Wondering
From: "steve pirk [egrep]" <steve () pirk com>
Date: Thu, 22 Oct 2009 09:53:51 -0700
On Thu, Oct 22, 2009 at 05:50, Rich Kulawiec <rsk () gsp org> wrote:
> On Wed, Oct 21, 2009 at 09:20:08PM -0700, Paul Ferguson wrote:
> > It doesn't have to be a "trusted admin" -- putting my "evil" cap on, it could certainly be someone who impersonates a "trusted admin" or "interested party".
>
> Right. So now we have an existence proof that OnStar has this capability, and the problem reduces to figuring out how to exploit it. I wonder if anyone there has considered the consequences that would ensue should someone penetrate their security and send out the signal to shut them *all* down.
>
> ---Rsk

Well, there is exploiting it, and there is mitigating it. I remember when a group was implementing a cert authority, and was fairly impressed by the checks. Master password in a safe, locked in a 5 sided cage welded to the floor. Only 2 people and one facilities director had access, and there was a "2 physical key" factor to gain access to the cage. _no_ network access out of the cage, and all servers associated with the installation were inside the cage.

Could the cage be exploited? Sure, but the last piece is the safe. That takes a gun to a head methinks, and by then you probably have other issues.

I am just saying that those of us that can, do what we can to protect things. I hate the phrase "disaster recovery". I much prefer disaster mitigation, which when I think about it is pretty much what a lot of us here also do. Cool.

Thanks for getting me thinking about this. hmmm.... How to make it so it does not matter if an installation has been compromised...?

--steve

--
steve pirk
refiamerica.org
"father... the sleeper has awakened..." paul atreides - dune
kexp.org member august '09
Sent from Bremerton, WA, United States