Date:      Thu, 8 Nov 2001 17:27:55 +0100
From:      Martin Karlsson <martin.karlsson@visit.se>
To:        FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Lockdown of FreeBSD machine directly on Net
Message-ID:  <20011108172755.A1542@foo31-249.visit.se>
In-Reply-To: <20011107154930.A7915@student.uu.se>; from ertr1013@student.uu.se on Wed, Nov 07, 2001 at 03:49:30PM +0100
References:  <000201c166a2$d2ed80c0$1401a8c0@tedm.placo.com> <001401c166a9$9b976120$0a00000a@atkielski.com> <20011106180650.A72863@student.uu.se> <00ca01c16794$12a7eba0$0a00000a@atkielski.com> <20011107154930.A7915@student.uu.se>

Or even watching the sysadmin write in the root password through
binoculars from across the street. That's bad; I for one hate working in
a room without windows (glass ones that is ;)).

/Martin
* Erik Trulsson (ertr1013@student.uu.se) wrote:
> On Wed, Nov 07, 2001 at 02:56:58PM +0100, Anthony Atkielski wrote:
> > Erik writes:
> > 
> > > There is no such thing as 100% security.
> > 
> > Sure there is.  Shannon proved it.  Some spies and spooks implement it.
> 
> No, there is no such thing as 100% security.
> I assume your comment about Shannon refers to such things as
> unbreakable cryptos of which the One-Time-Pad is the best known.
> This is not the same thing as 100% security though.
> To get 100% security you also need to protect yourself against attacks
> such as:
> 
> a) Somebody breaking into the office and stealing the computers.
> b) Calling the sysadmin, pretending to be his boss and convincing him
>    to open a hole.
> c) Reading the password from a Post-It note which some careless
>    legitimate user left around.
> d) Sweettalking the secretary into letting them in.
> e) Bribing the sysadmin.
> f) Kidnapping the person who knows the password and torturing him/her
>    until he/she reveals it.
> g) Blackmail.
> 
> 
> Unless you are fully protected against all these (and many other
> possible attacks) you do not have 100% security.
> You might have very good security but not 100%.
> 
> 
> To get a secure system it is not enough to consider things like
> cryptography and network protocols although those are important.
> It is also necessary to take into account attacks based on social
> engineering or physical breakins.
> 
> 
> > 
> > > This is a case where persistence is exactly what
> > > is needed to crack the system.  One simply tries
> > > every possible password until one succeeds.
> > 
> > With random eight-character alphanumeric passwords and five Telnet login attempts
> > per second, this will take about 1.25 million years, on average, far longer than
> > the lifetime of any attacker, persistent or otherwise.  In other words, the
> > system is completely secure in this context through computational feasibility,
> > and you can make it theoretically 100% secure as well by installing a lockout
> > after a certain number of bad password attempts.
> 
> The cracker might get lucky and guess the password on the first try.
> The probability of this happening is extremely low but it is non-zero.
> Therefore this is not theoretically 100% secure although in practice it
> is quite secure.
> 
> 
> 
> Note: When I say 100% security above I really do mean 100%. I do not
> mean 99.99999% security which might well be obtainable (but probably
> prohibitively expensive since the cost of implementing such a level of
> security is likely higher than that which it is supposed to protect.)
> 
> 
> -- 
> <Insert your favourite quote here.>
> Erik Trulsson
> ertr1013@student.uu.se
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
------------------------------------------------
Martin Karlsson		martin.karlsson@visit.se

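Added example, not part of the thread above: the brute-force arithmetic the quoted exchange argues over, written out so the numbers can be checked. It takes the parameters Anthony quotes (eight-character alphanumeric passwords, five online guesses per second) and also models the lockout he mentions, so you can see how many guesses an attacker actually gets when every few failures cost them a waiting period. The lockout threshold and duration used in the usage call at the bottom are assumptions chosen for illustration; the thread gives no such numbers. The probability function shows Erik's point directly: for any positive number of guesses the success probability is small but never zero.

```python
"""Brute-force feasibility arithmetic for an online password-guessing attack.

Parameters from the thread: 8-character alphanumeric passwords (62 symbols),
5 login attempts per second.  Lockout parameters below are illustrative
assumptions, not values from the thread.
"""
from fractions import Fraction

ALNUM = 62                       # a-z, A-Z, 0-9
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def expected_guesses(space: int) -> Fraction:
    """Mean number of guesses needed to hit a uniformly random password
    when each candidate is tried once: (N + 1) / 2 for a space of size N."""
    return Fraction(space + 1, 2)


def expected_years(space: int, guesses_per_second: float) -> float:
    """Mean wall-clock time in years for an online attack at a fixed rate."""
    seconds = float(expected_guesses(space)) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def p_success(attempts: int, space: int) -> Fraction:
    """Probability that `attempts` distinct guesses contain the password.
    Non-zero for any attempts >= 1, however large the space."""
    return Fraction(min(attempts, space), space)


def guesses_under_lockout(threshold: int, lockout_seconds: float,
                          horizon_seconds: float,
                          guesses_per_second: float) -> int:
    """Guesses an attacker can make within `horizon_seconds` against one
    account if every `threshold` consecutive failures trigger a lockout of
    `lockout_seconds`.  Assumes the attacker waits the lockout out and
    that the lockout is per account (assumption, not from the thread)."""
    # one cycle = `threshold` guesses at full speed, then the lockout
    cycle_seconds = threshold / guesses_per_second + lockout_seconds
    full_cycles = int(horizon_seconds // cycle_seconds)
    remaining = horizon_seconds - full_cycles * cycle_seconds
    partial = min(threshold, int(remaining * guesses_per_second))
    return full_cycles * threshold + partial


if __name__ == "__main__":
    space = keyspace(ALNUM, 8)
    print("keyspace:", space)
    print("expected years at 5 guesses/s:", round(expected_years(space, 5)))
    print("P(first guess correct):", p_success(1, space))
    # illustrative policy: 5 failures -> 15 minute lockout, attacker works 1 day
    per_day = guesses_under_lockout(5, 900, 24 * 3600, 5)
    print("guesses per day under lockout:", per_day)
    print("P(success in one day under lockout):", p_success(per_day, space))
```

Run it as a script to see the figures for the parameters quoted in the thread; change `ALNUM`, the length or the rate to see how much each factor moves the result. The lockout model is deliberately generous to the attacker (one account, no rate limiting beyond the lockout itself), so it is an upper bound on what that policy permits.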
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011108172755.A1542>