| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
This may be a tad offtopic but I had to mention it. There actually |
| 5 |
already has been a case of people setting up faux ATM's. |
| 6 |
|
| 7 |
http://www.globetechnology.com/servlet/story/RTGAM.20030812.gtatmm0812/BNStory/Technology/ |
| 8 |
|
| 9 |
Andrew Ross wrote: |
| 10 |
| Stewart Honsberger wrote: |
| 11 |
| |
| 12 |
|> I don't send anything back to any unexpected port probes because I |
| 13 |
|> don't want to. |
| 14 |
|> |
| 15 |
|> Sure, to some extent it is security through obscurity, but the old |
| 16 |
|> addage isn't entirely correct. If not for security through obscurity |
| 17 |
|> we'd all have our PIN numbers sharpie'd on our ATM cards. |
| 18 |
| |
| 19 |
| |
| 20 |
| Actually, keeping my PIN secret isn't security through obscurity. |
| 21 |
| |
| 22 |
| The idea of security without obscurity focuses on keeping the number of |
| 23 |
| secrets at an absolute minimum. Systems designed around security through |
| 24 |
| obscurity tend to rely on the secrecy of certain procedures or |
| 25 |
| algorithms - once these are discovered by third parties, the security of |
| 26 |
| the system has been reduced. |
| 27 |
| |
| 28 |
| Moving back to the PIN/ATM example: |
| 29 |
| |
| 30 |
| Ideally, your PIN should be the ONLY secret involved - the encryption |
| 31 |
| algorithms and communication protocols could all be public. In the real |
| 32 |
| world, this isn't feasible (eg. ATMs do not authenticate themselves to |
| 33 |
| the card holder. If the algorithms and protocols were public, someone |
| 34 |
| could theoretically construct a trojan ATM and collect people's PINs and |
| 35 |
| bank cards). |
| 36 |
| |
| 37 |
| Cheers |
| 38 |
| |
| 39 |
| Andrew |
| 40 |
| |
| 41 |
| P.S It's a PIN, not a Personal Identification Number (PIN) Number :-) |
| 42 |
| Sorry, but it's one of my pet hates (just like Automatic Teller Machine |
| 43 |
| (ATM) machines). |
| 44 |
| |
| 45 |
| -- |
| 46 |
| gentoo-security@g.o mailing list |
| 47 |
| |
| 48 |
-----BEGIN PGP SIGNATURE----- |
| 49 |
Version: GnuPG v1.2.4 (GNU/Linux) |
| 50 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 51 |
|
| 52 |
iD8DBQFAHVS57ntAARlGIUERAgkfAJ4sil86TWGFsmkFa8UOl1QKBhrKegCgnP18 |
| 53 |
c5pvsCyRuXDWziIebvkRASc= |
| 54 |
=Ze97 |
| 55 |
-----END PGP SIGNATURE----- |
| 56 |
|
| 57 |
-- |
| 58 |
gentoo-security@g.o mailing list |
Archives