Date:      Wed, 7 Nov 2001 15:49:30 +0100
From:      Erik Trulsson <ertr1013@student.uu.se>
To:        Anthony Atkielski <anthony@atkielski.com>
Cc:        FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Lockdown of FreeBSD machine directly on Net
Message-ID:  <20011107154930.A7915@student.uu.se>
In-Reply-To: <00ca01c16794$12a7eba0$0a00000a@atkielski.com>
References:  <000201c166a2$d2ed80c0$1401a8c0@tedm.placo.com> <001401c166a9$9b976120$0a00000a@atkielski.com> <20011106180650.A72863@student.uu.se> <00ca01c16794$12a7eba0$0a00000a@atkielski.com>

On Wed, Nov 07, 2001 at 02:56:58PM +0100, Anthony Atkielski wrote:
> Erik writes:
> 
> > There is no such thing as 100% security.
> 
> Sure there is.  Shannon proved it.  Some spies and spooks implement it.

No, there is no such thing as 100% security.
I assume your comment about Shannon refers to such things as
unbreakable cryptos of which the One-Time-Pad is the best known.
This is not the same thing as 100% security though.
To get 100% security you also need to protect yourself against attacks
such as:

a) Somebody breaking into the office and stealing the computers.
b) Calling the sysadmin and pretending to be his boss and convincing him
   to open a hole.
c) Reading the password from a Post-It note which some careless
   legitimate user left around.
d) Sweet-talking the secretary into letting them in.
e) Bribing the sysadmin.
f) Kidnapping the person who knows the password and torturing him/her
   until he/she reveals it.
g) Blackmail.


Unless you are fully protected against all these (and many other
possible attacks) you do not have 100% security.
You might have very good security but not 100%.


To get a secure system it is not enough to consider things like
cryptography and network protocols although those are important.
It is also necessary to take into account attacks based on social
engineering or physical break-ins.


> 
> > This is case where persistence is exactly what
> > is needed to crack the system.  One simply tries
> > every possible password until one succeeds.
> 
> With random eight-character alphanumeric passwords and five Telnet login attempts
> per second, this will take about 1.25 million years, on average, far longer than
> the lifetime of any attacker, persistent or otherwise.  In other words, the
> system is completely secure in this context through computational feasibility,
> and you can make it theoretically 100% secure as well by installing a lockout
> after a certain number of bad password attempts.

The cracker might get lucky and guess the password on the first try.
The probability of this happening is extremely low but it is non-zero.
Therefore this is not theoretically 100% secure although in practice it
is quite secure.



Note: When I say 100% security above I really do mean 100%. I do not
mean 99.99999% security which might well be obtainable (but probably
prohibitively expensive since the cost of implementing such a level of
security is likely higher than that which it is supposed to protect.)


-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@student.uu.se
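The brute-force argument traded in this exchange, worked through as an added example (not code from either poster): it computes the keyspace, the average exhaustive-search time at a given guess rate, and the exact, non-zero probability that a bounded number of guesses succeeds, including the cap a lockout imposes. The 62-symbol alphabet (a-z, A-Z, 0-9), the Julian-year constant and the 10-attempt lockout are assumptions of this example, so its figure for eight-character passwords need not match the round estimate quoted above.

```python
from fractions import Fraction

# Julian year; an assumed constant for the time estimate.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols over the alphabet."""
    return alphabet_size ** length


def expected_guesses(space: int) -> Fraction:
    """Mean guesses for an exhaustive search against one uniformly random
    password, each candidate tried once: (N + 1) / 2, kept exact."""
    return Fraction(space + 1, 2)


def expected_years(space: int, guesses_per_second: float) -> float:
    """Average wall-clock time in years for that exhaustive search."""
    return float(expected_guesses(space)) / guesses_per_second / SECONDS_PER_YEAR


def success_probability(space: int, attempts: int) -> Fraction:
    """Exact probability that `attempts` distinct guesses hit a uniformly
    random password. Positive for any attempts >= 1: the reply's point that
    'theoretically 100%' is never reached, only approached."""
    return Fraction(min(attempts, space), space)


def lockout_bound(space: int, attempts_before_lockout: int) -> Fraction:
    """Upper bound on one attacker's success probability when the account
    locks after a fixed number of bad attempts. The lockout caps the number
    of guesses, so it shrinks the probability, but never to zero."""
    return success_probability(space, attempts_before_lockout)


if __name__ == "__main__":
    space = keyspace(62, 8)  # assumed alphabet: a-z, A-Z, 0-9
    print(f"keyspace: {space:,}")
    print(f"expected search time at 5 guesses/s: {expected_years(space, 5):,.0f} years")
    print(f"P(first guess succeeds) = {success_probability(space, 1)} (non-zero)")
    print(f"P(success before 10-try lockout) = {float(lockout_bound(space, 10)):.2e}")
```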
