[cap-talk] use of hashcodes?
Kenton Varda
kenton at google.com
Sat Feb 20 00:00:01 PST 2010
It's a joke!
No one is suggesting that we stop using cryptography.
On Fri, Feb 19, 2010 at 8:18 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
> kenton at google.com (Kenton Varda) on Friday, February 19, 2010 wrote:
>
> >“Using encryption on the Internet is the equivalent of arranging an
> >armored car to deliver credit card information from someone living in a
> >cardboard box to someone living on a park bench.”
> >– Gene Spafford Ph.D.
> >Professor of Computer Sciences, Purdue University
>
> While I agree with Prof. Spafford's analogy, I don't think it should be
> used as an excuse to avoid using good security in all the other areas of
> computer systems.
>
> Attackers will always attack at the weakest link. Nowadays these weakest
> links are found in the operating systems and browsers in common use and in
> network protocols such as DNS. DNS hacking is probably the easiest way to
> mount a man-in-the-middle (MITM) attack, although it is far from the only
> way. Using TLS avoids the MITM because the end points authenticate each
> other using cryptography. (I agree that there are weaknesses in the PKI
> approach commonly used by DNS. There are ways around these weaknesses.)
>
> Already using cryptography for end-to-end authentication has improved our
> security, even if we don't use it for privacy, by preventing the attacker
> from acting as a MITM.
>
> As a result, attackers most often target the end-point machines via attacks
> on software weaknesses and user weaknesses via spear phishing (among many
> others). Even given the serious architectural weaknesses in current
> systems, such as running every program with the user's full authority, the
> security on these systems continues to get better. It has been as long as
> since November when I last saw a recommendation to turn JavaScript off in
> the browser from a mainstream security group. That recommendation used to
> be a weekly occurrence.
>
> As these end-point systems get better, and adopt approaches such as
> Polaris[1], the attacker's job will get harder. If we continue to use
> cryptography, perhaps we will be lucky enough that our networking code and
> protocols will not become the low hanging fruit. If we don't use
> cryptography, we surely will see networking as a major attack vector.
>
> Cheers - Bill
>
> [1] <http://en.wikipedia.org/wiki/HP_Polaris_(computer_security)>
>
> -------------------------------------------------------------------------
> Bill Frantz | Airline peanut bag: "Produced | Periwinkle
> (408)356-8506 | in a facility that processes | 16345 Englewood Ave
> www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos, CA 95032
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>