funsec mailing list archives

Re: Facebook Image Privacy


From: Blue Boar <BlueBoar () thievco com>
Date: Mon, 18 Jan 2010 14:58:32 -0800

Dan Kaminsky wrote:
> I am saying operating systems are not like passwords.  I don't think
> this is exactly controversial.

Who was talking about operating systems? That smells like an attempt to
redefine the argument. We were talking about secret URLs, keys, passwords
and the like. I think that makes a much better playing field for the
moment.

> I can quantify this with the rate of change of complexity of a system.
> If you add one kilobyte of complexity to Windows (consuming literally
> 8192 bits extra space on the DVD), you have not done much to the
> difficulty of breaking Windows.  If you add one kilobyte of complexity
> to an RSA key (literally, adding another 4096 bits to p and q
> respectively), you most assuredly have done much to the difficulty
> of breaking this particular RSA key.

So is it the relative change then? How about change over time?


> I will grant that we could use better words than "obscure" and
> "secret" to represent the difference. But I consider "obscure"
> fundamentally different than "utterly unknown".  An obscure band is
> not a secret band.  An obscure illness is not a secret illness.

Mixing in real-world analogies has never been terribly helpful when
dealing with purely digital security.

Let me attempt some examples:

-Is XOR'd with a 4096-bit key obscure or secure?
-Is RSA-encrypted with a 40696-bit key obscure or secure?
-Is a crypt(3) password obscure or secure? Has that changed over time?
-Is a URL with a random 4096-bit component obscure or secure?

                                        BB
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

