* [9fans] offered without comment or judgement
From: ron minnich @ 2010-06-28 22:32 UTC
To: Fans of the OS Plan 9 from Bell Labs

not saying it is "good" or "bad", just wanted people to see it

https://www.signup4.net/UPLOAD/STRA10A/DARP31E/CRASH%20Proposer%20Day%20v2.pdf

ron

^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: [9fans] offered without comment or judgement
From: Ethan Grammatikidis @ 2010-06-28 23:10 UTC
To: Fans of the OS Plan 9 from Bell Labs

On 28 Jun 2010, at 23:32, ron minnich wrote:
> not saying it is "good" or "bad", just wanted people to see it
>
> https://www.signup4.net/UPLOAD/STRA10A/DARP31E/CRASH%20Proposer%20Day%20v2.pdf
>
> ron

I really like the anti-monoculture statements.
* Re: [9fans] offered without comment or judgement
From: Wes Kussmaul @ 2010-06-29 2:28 UTC
To: Fans of the OS Plan 9 from Bell Labs

ron minnich wrote:
> https://www.signup4.net/UPLOAD/STRA10A/DARP31E/CRASH%20Proposer%20Day%20v2.pdf

Innate or adaptive, it's all based upon the flawed premise that it's possible to determine the intentions of the sender of a stream of bits. It is not possible to determine the intentions of the sender of a stream of bits.

This is the pointless electronic countermeasures race all over again.

The solution was well developed, then obscured by the telephone century.
http://quietenjoyment.net/slides2j.swf

Wes Kussmaul

--
Learn about The Authenticity Economy at
http://video.google.com/videoplay?docid=-1419344994607129684&hl=en#
* Re: [9fans] offered without comment or judgement
From: Stanley Lieber @ 2010-06-29 2:46 UTC
To: Fans of the OS Plan 9 from Bell Labs

On Mon, Jun 28, 2010 at 9:28 PM, Wes Kussmaul <wes@authentrus.com> wrote:
> ron minnich wrote:
>> https://www.signup4.net/UPLOAD/STRA10A/DARP31E/CRASH%20Proposer%20Day%20v2.pdf
>
> Innate or adaptive, it's all based upon the flawed premise that it's
> possible to determine the intentions of the sender of a stream of bits. It
> is not possible to determine the intentions of the sender of a stream of
> bits.
>
> This is the pointless electronic countermeasures race all over again.
>
> The solution was well developed, then obscured by the telephone century.
> http://quietenjoyment.net/slides2j.swf
>
> Wes Kussmaul

Anywhere legitimate identification is used, legitimate identification can be purchased.

-sl
* Re: [9fans] offered without comment or judgement
From: Wes Kussmaul @ 2010-06-29 17:13 UTC
To: Fans of the OS Plan 9 from Bell Labs

Stanley Lieber wrote:
> Anywhere legitimate identification is used, legitimate identification
> can be purchased.

There are imperfect but very good ways to protect against that vulnerability. They vary with the needs (and budgets) of relying parties.
* Re: [9fans] offered without comment or judgement
From: Devon H. O'Dell @ 2010-06-29 17:27 UTC
To: Fans of the OS Plan 9 from Bell Labs

2010/6/29 Wes Kussmaul <wes@authentrus.com>:
> Stanley Lieber wrote:
>> Anywhere legitimate identification is used, legitimate identification can
>> be purchased.
>
> There are imperfect but very good ways to protect against that
> vulnerability. They vary with the needs (and budgets) of relying parties.

I'm pretty sure you can't solve the problem. At the end of the day, it boils down to client-side security and what a person is willing to defend with their life. It's perfectly feasible to assume that identity information in a PKI world can be coerced and stolen as easily as physical identity information such as drivers licenses and social security cards. The security always breaks down at the personal level, and most private individuals aren't willing to die to protect this information.

But you can do at least as good as these forms of ID. PKI requires knowledge of some sort of passkey. (I just worry about identification for people who are not smart enough to pick a good key. Which, unfortunately, is also most people.

--dho
* Re: [9fans] offered without comment or judgement
From: Steve Simon @ 2010-06-29 18:30 UTC
To: 9fans

> But you can do at least as good as these forms of ID. PKI requires
> knowledge of some sort of passkey. (I just worry about identification
> for people who are not smart enough to pick a good key. Which,
> unfortunately, is also most people.

My understanding is a passkey just needs sufficient entropy in order to be strong.

This can be a few characters drawn from a larger character set - your password must be no more than 16 chars and must contain upper and lower case, numbers and punctuation.

Alternatively it could be a long string made up of a restricted character set - your pass phrase can consist of any text characters but must not contain long repetitions and be of at least 200 characters long (say).

Thus a passphrase may be a quote from your favorite movie, a lyric or the like. This can then be hashed into a higher entropy string (is this statement true?) used for authentication.

I don't understand why modern security systems have an upper limit on passphrase length.

(waits for people who know better to tell him he is dumb).

-Steve
* Re: [9fans] offered without comment or judgement
From: Devon H. O'Dell @ 2010-06-29 18:41 UTC
To: Fans of the OS Plan 9 from Bell Labs

2010/6/29 Steve Simon <steve@quintile.net>:
>> But you can do at least as good as these forms of ID. PKI requires
>> knowledge of some sort of passkey. (I just worry about identification
>> for people who are not smart enough to pick a good key. Which,
>> unfortunately, is also most people.
>
> My understanding is a passkey just needs sufficient entropy in order to be strong.

Sure. But you can still brute-force a 4-character passkey in a reasonably short time.

> This can be a few characters drawn from a larger character set - your password must
> be no more than 16 chars and must contain upper and lower case, numbers and punctuation.
>
> Alternatively it could be a long string made up of a restricted character set - your
> pass phrase can consist of any text characters but must not contain long repetitions
> and be of at least 200 characters long (say).

This works, but tends to be easy to get out of people or figure out about people if you know a bit about them.

> Thus a passphrase may be a quote from your favorite movie, a lyric or the like. This
> can then be hashed into a higher entropy string (is this statement true?) used for
> authentication.
>
> I don't understand why modern security systems have an upper limit on passphrase length.

Because people can't remember passwords, and companies don't like employing full-time password changers.

--dho
* Re: [9fans] offered without comment or judgement
From: erik quanstrom @ 2010-06-29 18:57 UTC
To: 9fans

>> I don't understand why modern security systems have an upper limit on passphrase length.
>
> Because people can't remember passwords, and companies don't like
> employing full-time password changers.

i don't understand this comment. the length of a password is only vaguely related to memorability. long english phrases are easy to remember. unfortunately, they are also easy to harvest automatically, so "four score and seven years ago" might be a bad password.

- erik
* Re: [9fans] offered without comment or judgement
From: Devon H. O'Dell @ 2010-06-29 19:13 UTC
To: Fans of the OS Plan 9 from Bell Labs

2010/6/29 erik quanstrom <quanstro@labs.coraid.com>:
>>> I don't understand why modern security systems have an upper limit on passphrase length.
>>
>> Because people can't remember passwords, and companies don't like
>> employing full-time password changers.
>
> i don't understand this comment. the length of a password
> is only vaguely related to memorability. long english phrases
> are easy to remember. unfortunately, they are also easy to
> harvest automatically, so "four score and seven years ago" might
> be a bad password.

The problem is two-fold:

a) Lay-people are told by all their "computer guru" friends to choose a password that is difficult to guess. Add numbers, capital letters, punctuation. Most people don't think in this sort of context, and it is difficult to remember.

b) People don't regard the idea as particularly important. I know many people who routinely forget 6-8 character passwords.

The length of the phrase is actually in fact tied explicitly to memory. The longer a string of characters, the more difficult it is to remember. That's just fact. You have to practice to recite a monologue; most people can't just read it once and commit it to memory. In a similar fashion, most people must either write down a password (which is dumb) or recite it for a fairly lengthy period of time to remember it.

Noting that places having an upper bound on password length usually also have other password policies (like "must contain at least one of each: capital letter, lowercase letter, and number"). This either means things like initials and important dates (birthdays, anniversaries, etc) or random gibberish. People are told not to use something that can be socially engineered, so random gibberish it is. And people at large just don't get it. It's easily forgettable.

When talking about symmetric cryptography, "four score and seven years ago" would probably be a great key. There is no convenient rainbow table upon which to do a hash lookup. It's sufficiently expensive to brute-force. The only thing that would give you any sort of advantage is knowing it was an english phrase and trying all of them. Misspellings, punctuation, capitalization, and the like can all throw this off. So picking something directly out of song lyrics, quotes, or a book of idioms is likely to be useless. Adding in a single period, comma, or some creative capitalization is fantastic.

But we all know about passwords here.

--dho
* Re: [9fans] offered without comment or judgement
From: erik quanstrom @ 2010-06-29 19:32 UTC
To: 9fans

> The length of the phrase is actually in fact tied explicitly to
> memory. The longer a string of characters, the more difficult it is to
> remember. That's just fact

repeating this doesn't make it true, but it does make the phrase easier to remember. so i think your argument is its own defeat. the gettysburg address is fairly easy for me to remember. but i don't think i'd have such an easy time on a randomly-chosen 285-word phrase.

clearly something this long is not necessary. i'm sure you have made-up phrases with non-words you tell your dog. that should be easy to remember, not on the internet, and have the added bonus that you get to smile while typing your password.

> When talking about symmetric cryptography, "four score and seven years
> ago" would probably be a great key. There is no convenient rainbow
> table upon which to do a hash lookup. It's sufficiently expensive to
> brute-force.

i'm not convinced of this. here's why. i was reading yesterday about a research-project that built a machine that could try 1 billion rsa keys/sec. now consider such a machine in the possession of bad guys. for them it would make sense to harvest nearly every phrase you can find on the internet and try it. the hard part would be crawling the net.

- erik
* Re: [9fans] offered without comment or judgement
From: Devon H. O'Dell @ 2010-06-29 20:00 UTC
To: Fans of the OS Plan 9 from Bell Labs

2010/6/29 erik quanstrom <quanstro@quanstro.net>:
>> The length of the phrase is actually in fact tied explicitly to
>> memory. The longer a string of characters, the more difficult it is to
>> remember. That's just fact
>
> repeating this doesn't make it true, but it does make
> the phrase easier to remember. so i think your argument
> is its own defeat. the gettysburg address is fairly easy for
> me to remember. but i don't think i'd have such an easy
> time on a randomly-chosen 285-word phrase.
>
> clearly something this long is not necessary. i'm sure you
> have made-up phrases with non-words you tell your dog.
> that should be easy to remember, not on the internet, and
> have the added bonus that you get to smile while typing your
> password.

You're taking this slightly out of context. I said that this is coupled with the fact that peers encourage the use of randomness in a password, and companies enforce password policies that corroborate this need. I'm not suggesting there's a set length at which point people have difficulty remembering something, but there is certainly a correlation: you certainly aren't going to argue the chances of remembering "fsd&e" are much greater than remembering "amsdagk3881((@!3ll1..dags8" are you? Similarly, you wouldn't argue that at some point you spent time learning the Gettysburg Address -- it's not simply something you read once and recalled. (If so, this is impressive, and you shouldn't argue this as "normal".) Length of the phrase is certainly tied to the ability to commit it to memory.

Yes, I'm repeating this using empirical evidence as I'm slightly too lazy to go look up any of the several articles I've read about how we memorize things and how "brain storage" actually works. There are ways to bypass this to some degree: adding music or tune, creating rhyme, setting to iambic pentameter (or any "rhythmization" for that matter).

As computing systems continue to get stronger, the necessity of longer passphrases will increase -- or slower secure algorithms will need to be developed. (Or possibly more fitting algorithms, given the possibility of quantum computing, which may intrinsically provide solutions to some implementation issues following PKI).

>> When talking about symmetric cryptography, "four score and seven years
>> ago" would probably be a great key. There is no convenient rainbow
>> table upon which to do a hash lookup. It's sufficiently expensive to
>> brute-force.
>
> i'm not convinced of this. here's why. i was reading yesterday
> about a research-project that built a machine that could try 1 billion
> rsa keys/sec. now consider such a machine in the possession of bad
> guys. for them it would make sense to harvest nearly every phrase
> you can find on the internet and try it. the hard part would be
> crawling the net.

I certainly have several nonsensical words / names for my cats. None of them contain numbers or punctuation or anything associated with a strong passphrase. The longest of these is probably about 12 characters. And a system that can try a billion RSA keys per second is going to quickly exhaust the relatively short combination of these, even brute forcing. And you're right -- as I also alluded above, the continued computing and mathematical advancements made by society at large will continue to obsolete any statements about what a "good pass phrase" is. Right now, it's length and perceived randomness.

People have enough difficulty remembering short passwords. Or creating "good" passwords in the first place. Upper bounds along with enforcing permutations are placed to reduce peoples' likelihood of forgetting them while still providing some level of security. It's not the best approach, but until people start treating passwords like an ATM card with a PIN, it's not going to matter much anyway. (Ignoring that PINs for most cards only have 9990 or fewer permutations.)

--dho
* Re: [9fans] offered without comment or judgement
From: erik quanstrom @ 2010-06-30 11:28 UTC
To: 9fans

> I certainly have several nonsensical words / names for my cats. None
> of them contain numbers or punctuation or anything associated with a
> strong passphrase. The longest of these is probably about 12
> characters. And a system that can try a billion RSA keys per second is
> going to quickly exhaust the relatively short combination of these,
> even brute forcing. And you're right -- as I also alluded above, the

assuming the attackers have a dictionary of only 500000 words that contains your nonsense words and assuming unicase and no spaces or other punctuation you get 18.9 bits/word. for a neat 3 word phrase, that's 56.8 bits.

for a login, that's plenty since there should be some protection against password guessers. general slowness or just a slow connection should be enough to prevent 1e9 guesses/sec.

> People have enough difficulty remembering short passwords. Or creating
> "good" passwords in the first place. Upper bounds along with enforcing
> permutations are placed to reduce peoples' likelihood of forgetting
> them while still providing some level of security. It's not the best
> approach, but until people start treating passwords like an ATM card
> with a PIN, it's not going to matter much anyway. (Ignoring that PINs
> for most cards only have 9990 or fewer permutations.)

people will learn. real computer passwords have not been common for very long.

also, an atm card is a 2-factor authentication scheme. and you get 3 guesses. assuming you can steal the card your chances of success are about 3/10000. (wiki says 6/10000 due to unused numbers http://en.wikipedia.org/wiki/Pin_number#PIN_security)

a better attack might be to shoulder surf and then socially engineer the bank into sending you a card. say by stealing it out of the mailbox.

- erik
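Steve Simon's two password shapes (a short string over a large character set versus a long string over a small one) and erik's dictionary arithmetic above, worked through as an added Python example that is not code from anyone in this thread. It assumes 94 printable ASCII characters for "upper and lower case, numbers and punctuation", takes erik's 1e9 guesses/sec as the offline rate, uses a constructed 10 guesses/sec as the slow or rate-limited online rate, and reads erik's "unused numbers" note as roughly 5000 of the 10000 PINs actually being issued.

```python
import math

# Guess rates used below. 1e9/s is the figure erik quotes for the key-trying
# research machine; 10/s is a constructed stand-in for a login that is slow
# or rate-limited, the protection erik says a login should have.
OFFLINE_GUESSES_PER_SEC = 1e9
ONLINE_GUESSES_PER_SEC = 10.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_per_word(dictionary_size: int) -> float:
    """Entropy of one word drawn uniformly from a dictionary of that size."""
    return math.log2(dictionary_size)


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """erik's scheme: independent dictionary words, unicase, no punctuation."""
    return words * bits_per_word(dictionary_size)


def charset_password_bits(charset_size: int, length: int) -> float:
    """Steve's first scheme: a short string over a large character set."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Years needed to try every candidate at the given rate (an attacker
    expects to succeed after about half of them)."""
    return 2.0 ** bits / guesses_per_sec / SECONDS_PER_YEAR


def online_success_probability(space_size: int, attempts: int) -> float:
    """Chance that a uniformly chosen secret is hit within the attempts
    allowed before lockout: erik's 3/10000 for a 4-digit PIN with 3 tries."""
    return min(attempts, space_size) / space_size


def main() -> None:
    schemes = {
        "4 chars over 94 (Devon's 4-character passkey)": charset_password_bits(94, 4),
        "16 chars over 94 (Steve's upper bound)": charset_password_bits(94, 16),
        "3 words from 500000 (erik's estimate)": passphrase_bits(500000, 3),
    }
    for label, bits in schemes.items():
        print(f"{label}: {bits:.1f} bits")
        print(f"  exhaust at 1e9/s: {years_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC):.3g} years")
        print(f"  exhaust at 10/s:  {years_to_exhaust(bits, ONLINE_GUESSES_PER_SEC):.3g} years")
    # ATM PIN with 3 tries: against all 10000 PINs, and against the ~5000 PINs
    # assumed to be actually issued (one reading of erik's "unused numbers").
    print(f"PIN, 3 tries of 10000: {online_success_probability(10000, 3):.4f}")
    print(f"PIN, 3 tries of 5000 issued: {online_success_probability(5000, 3):.4f}")


if __name__ == "__main__":
    main()
```

The same 56.8-bit phrase that falls in about four years at 1e9 guesses/sec takes hundreds of millions of years at 10 guesses/sec, which is the whole of erik's point about slow logins.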
* Re: [9fans] offered without comment or judgement
From: Wes Kussmaul @ 2010-06-30 15:22 UTC
To: Fans of the OS Plan 9 from Bell Labs

erik quanstrom wrote:
> also, an atm card is a 2-factor authentication scheme. and
> you get 3 guesses. assuming you can steal the card

Assuming you are a member of the main source of Net fraud, that is, a customer of one of the botnet builders doing 30 thousand victims at a time from your command center in Estonia, what are the chances of stealing 30,000 physical cards per round of theft?

> a better attack might be to shoulder surf and then socially
> engineer the bank into sending you a card.

Onesies, how quaint. Almost a lost art.

wk
* Re: [9fans] offered without comment or judgement
From: Devon H. O'Dell @ 2010-06-30 16:22 UTC
To: Fans of the OS Plan 9 from Bell Labs

2010/6/30 erik quanstrom <quanstro@quanstro.net>:
>> I certainly have several nonsensical words / names for my cats. None
>> of them contain numbers or punctuation or anything associated with a
>> strong passphrase. The longest of these is probably about 12
>> characters. And a system that can try a billion RSA keys per second is
>> going to quickly exhaust the relatively short combination of these,
>> even brute forcing. And you're right -- as I also alluded above, the
>
> assuming the attackers have a dictionary of only 500000 words that
> contains your nonsense words and assuming unicase and no spaces
> or other punctuation you get 18.9 bits/word. for a neat 3 word phrase,
> that's 56.8 bits.
>
> for a login, that's plenty since there should be some protection
> against password guessers. general slowness or just a slow connection
> should be enough to prevent 1e9 guesses/sec.

As networks get faster, it becomes more of an issue. Luckily, most places that have information about you / your money will lock your account after N invalid login attempts within a certain time period. The places that don't probably don't matter. But usually there are easier ways to get that information anyway.

>> People have enough difficulty remembering short passwords. Or creating
>> "good" passwords in the first place. Upper bounds along with enforcing
>> permutations are placed to reduce peoples' likelihood of forgetting
>> them while still providing some level of security. It's not the best
>> approach, but until people start treating passwords like an ATM card
>> with a PIN, it's not going to matter much anyway. (Ignoring that PINs
>> for most cards only have 9990 or fewer permutations.)
>
> people will learn. real computer passwords have not
> been common for very long.
>
> also, an atm card is a 2-factor authentication scheme. and
> you get 3 guesses. assuming you can steal the card your chances
> of success are about 3/10000. (wiki says 6/10000 due to unused
> numbers http://en.wikipedia.org/wiki/Pin_number#PIN_security)
>
> a better attack might be to shoulder surf and then socially
> engineer the bank into sending you a card. say by stealing
> it out of the mailbox.

What people do these days is put magnetic readers on the outside of the reader you're putting your card through. They store information about N cards, and then write their own cards based on that information. There's little guesswork involved; there are plenty of online shops that don't check CVV or shipping address, especially internationally. Then you also have keyloggers and screen scrapers. Lots of ways to get all that information, very, very easily. Social engineering, indeed, works charms.
* Re: [9fans] offered without comment or judgement
From: Wes Kussmaul @ 2010-06-29 20:09 UTC
To: Fans of the OS Plan 9 from Bell Labs

Devon H. O'Dell wrote:
> 2010/6/29 erik quanstrom <quanstro@labs.coraid.com>:
>>>> I don't understand why modern security systems have an upper limit on passphrase length.
>>>
>>> Because people can't remember passwords, and companies don't like
>>> employing full-time password changers.
>>
>> i don't understand this comment. the length of a password
>> is only vaguely related to memorability. long english phrases
>> are easy to remember. unfortunately, they are also easy to
>> harvest automatically, so "four score and seven years ago" might
>> be a bad password.
>
> The problem is two-fold:
>
> a) Lay-people are told by all their "computer guru" friends to choose
> a password that is difficult to guess. Add numbers, capital letters,
> punctuation. Most people don't think in this sort of context, and it
> is difficult to remember.
>
> b) People don't regard the idea as particularly important. I know many
> people who routinely forget 6-8 character passwords.

Many banks still use 4 digit PINs on their ATM cards, without problem. Possession is a very important factor.

The token that will prevail of course is the phone - even though it denies relying parties the billboard value of a card.

Now, will developers be smart enough to isolate the private key from the phone's porous OS? The jury is out on that.

wk
* Re: [9fans] offered without comment or judgement
From: Steve Simon @ 2010-06-29 21:34 UTC
To: 9fans

> Many banks still use 4 digit PINs on their ATM cards, without problem.
> Possession is a very important factor.

well, possession and the fact that you only get three attempts to enter the PIN (in the UK at least), so brute force attacks are a non-starter, so limited keyspace is much less of a problem.

-Steve
* Re: [9fans] offered without comment or judgement
From: Wes Kussmaul @ 2010-06-29 19:19 UTC
To: Fans of the OS Plan 9 from Bell Labs

Devon H. O'Dell wrote:
> 2010/6/29 Wes Kussmaul <wes@authentrus.com>:
>> Stanley Lieber wrote:
>>> Anywhere legitimate identification is used, legitimate identification can
>>> be purchased.
>>
>> There are imperfect but very good ways to protect against that
>> vulnerability. They vary with the needs (and budgets) of relying parties.
>
> I'm pretty sure you can't solve the problem. At the end of the day, it
> boils down to client-side security and what a person is willing to
> defend with their life. It's perfectly feasible to assume that
> identity information in a PKI world can be coerced and stolen as
> easily as physical identity information such as drivers licenses and
> social security cards. The security always breaks down at the personal
> level, and most private individuals aren't willing to die to protect
> this information.
>
> But you can do at least as good as these forms of ID. PKI requires
> knowledge of some sort of passkey. (I just worry about identification
> for people who are not smart enough to pick a good key. Which,
> unfortunately, is also most people

It's true, people give up their ATM card PINs at gunpoint. Guns are a problem, especially where people tend to still use currency. Online, not so much.

Possession is still the most effective factor. As our site points out,

------------------------------------------------------------------------

After spending millions of dollars on network security, corporations still have major security problems.

Meanwhile, your ATM card allows your bank to dispense cash with confidence from a machine on a city sidewalk. The technology used by your ATM card is more ancient than the floppy disk.

So why are bank ATM networks generally secure, while corporate information networks, in spite of continuous investment in the latest security technology, are barely able to keep ahead of intruders?

The difference is not about technology. The difference is about assumptions and architecture. Your bank's ATM network starts with the premise that knowing who you are is the foundation of security.

If a trusted co-worker asked you to share your ATM card and associated PIN, what would you say? Of course, they would never ask in the first place.

If that co-worker asked you for your network password, what would you say? In many companies, collaborative work gets done by sharing access credentials, in spite of rules against it.
* Re: [9fans] offered without comment or judgement
From: erik quanstrom @ 2010-06-29 3:46 UTC
To: 9fans

> http://video.google.com/videoplay?docid=-1419344994607129684&hl=en#

i suppose the format string should have been %llud not %lld.

- erik
* Re: [9fans] offered without comment or judgement
From: Akshat Kumar @ 2010-06-29 8:07 UTC
To: Fans of the OS Plan 9 from Bell Labs

On Mon, Jun 28, 2010 at 3:32 PM, ron minnich <rminnich@gmail.com> wrote:
> not saying it is "good" or "bad", just wanted people to see it
>
> https://www.signup4.net/UPLOAD/STRA10A/DARP31E/CRASH%20Proposer%20Day%20v2.pdf

Perhaps I am oversimplifying, but the proposed resolution seems to be: Abstract MINIX.

Best,
ak
* Re: [9fans] offered without comment or judgement
From: hiro @ 2010-06-29 9:14 UTC
To: Fans of the OS Plan 9 from Bell Labs

> not saying it is "good" or "bad", just wanted people to see it

So is it now "bad" to say what you think?

If you live in a hostile environment, with rules too complex to understand, it's clever to be also unpredictable. Computer networks are different. Discrete electronics haven't been invented to create entropy...
* Re: [9fans] offered without comment or judgement
From: erik quanstrom @ 2010-06-29 9:17 UTC
To: 9fans

> Computer networks are different. Discrete electronics haven't been
> invented to create entropy...

my air conditioner begs to differ!

- erik
* Re: [9fans] offered without comment or judgement
From: ron minnich @ 2010-06-29 19:59 UTC
To: Fans of the OS Plan 9 from Bell Labs

On Tue, Jun 29, 2010 at 2:14 AM, hiro <23hiro@googlemail.com> wrote:
>> not saying it is "good" or "bad", just wanted people to see it
>
> So is it now "bad" to say what you think?

Nope, I just have my own opinions on this but don't want to corrupt anyone :-)

ron
* Re: [9fans] offered without comment or judgement
From: Gabriel Díaz @ 2010-06-29 13:43 UTC
To: Fans of the OS Plan 9 from Bell Labs

hello

I do like their aim, let's see what they end with :), if that's disclosed someday. . . :),
also seems they will end with something too complex to be of general usage

slds.

gabi

----- Original Message ----
From: ron minnich <rminnich@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Sent: Tue, June 29, 2010 12:32:29 AM
Subject: [9fans] offered without comment or judgement

not saying it is "good" or "bad", just wanted people to see it

https://www.signup4.net/UPLOAD/STRA10A/DARP31E/CRASH%20Proposer%20Day%20v2.pdf

ron
* Re: [9fans] offered without comment or judgement
From: hiro @ 2010-06-29 16:54 UTC
To: Fans of the OS Plan 9 from Bell Labs

To me it seems that their aim is complexity.

On 6/29/10, Gabriel Díaz <gdiaz@rejaa.com> wrote:
> hello
>
> I do like their aim, let's see what they end with :), if that's disclosed
> someday. . . :),
> also seems they will end with something too complex to be of general usage
>
> slds.
>
> gabi
>
> ----- Original Message ----
> From: ron minnich <rminnich@gmail.com>
> To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
> Sent: Tue, June 29, 2010 12:32:29 AM
> Subject: [9fans] offered without comment or judgement
>
> not saying it is "good" or "bad", just wanted people to see it
>
> https://www.signup4.net/UPLOAD/STRA10A/DARP31E/CRASH%20Proposer%20Day%20v2.pdf
>
> ron