On 6/17/19 3:22 AM, interest-requ...@qt-project.org wrote:
The short answer is no. Sadly, it is what you will find in most places.
Neither TLS nor SSL are secure nor can they ever be. They are
architecturally flawed.  You can pull down software from The Dark Web
which when run on a hokey little $80 2-in-1 sold by Walmart can, in 15
minutes or less, unpackage anything sent via SSL and caught via most
forms of sniffing. In well under an hour using the same hokey laptop
it can penetrate pretty much any SSL/TLS secured access point.

This is complete and utter bullshit! Unless by "hokey little 2-in-1" you
mean a major compute cluster (like a sizeable portion of the entire AWS
system), by "15 minutes" you mean several days or weeks and by
"anything" you mean encrypted with relatively weak keys on an SSL v3
connection with unfortunate settings.

Nope. I've worked with people who watched it be demonstrated at Black Hat.

You are assuming someone takes the Neanderthal approach of trying every possible value within the entire universe of possible values.

Every encryption system has at least two flaws:

1) architectural

2) humans

I've yet to encounter someone selling an encryption system/idea that didn't utter the phrase "It would take a Super Computer running flat out for N years/months/days to crack it." The phrase placates the gullible and deflects people from asking the first, and obvious question.

Which Super Computer?

It also stops people from considering most architectural flaws and just how fast someone can get in who knows of and how to exploit the architectural flaw.

And we all know TLS has never had any vulnerabilities.

https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/

The real question is what are you securing?

A chat engine? Who cares? People on those things routinely give out
their mother's maiden name, name of their first pet and the closest
relative living farthest from them. In the immortal words of Ron White
"You can't fix stupid."

Also nonsense. Just by communicating via chat doesn't mean you are
stupid. (The presence of A does not prove the absence of B.)

Actually it does.

On the little chat/social media site which lets people create pages/forums for their interest(s) someone creates a page/forum for Podunk, USA class of 1990 and people join.

So much for the "Where did you attend high school?" security question. If it is an area small enough to have only one school system they also have the answer to that middle school security question.

On another forum/page you utter the phrase "of course I'm Irish, my mother was a McGinnis!"

So much for the "Mother's maiden name" question.

People love their pets and identity thieves can't wait for you to join one of these forums/pages and utter something along the lines of "my first dog was a Rot named Mugsy and since then they've always had a place in my heart?"

So much for the "Name of your first/favorite pet."

A little screen scraping with a page crawler and some keyword/phrase searching can get all of this. If they do it slow enough it won't even trip any alarms.

Then there are the system managers for each and every site creating both draconian and dramatically different rules for passwords forcing humans to write them down on stickies. Don't worry, now there are on-line password vaults to store all of your passwords with links to the login pages so you (and the hacker) just have to know one password to get it all.

Also quite naive, I won't even bother to comment - it would take too long.

Cats have better ideas on cat food than...;-P


The 2-stage is the industry finally admitting SSL/TLS are
architecturally flawed and can never be made secure.

It has absolutely nothing to do with SSL/TLS.

Yeah, it does. It's what you bolt on when you realize SSL/TLS isn't secure trying to plug a hole.


Moving up in security you create a plug-in for popular browsers
(Firefox/Chrome/Opera) on popular platforms (Linux/Android/forget
about security on Windows). After a user has created an account with
you they must be on a supported platform and install the browser
plug-in to continue.

Also nonsense. No plugin is required for most 2nd factor auth. Even
U2F/WebAuthn is built into major browsers these days.

Who cares about most? Should only care about the custom one created for your app. Make them really want to penetrate it. You have a few hundred to maybe a few thousand users. Why bother with you when if they penetrate the built in U2F/WebAuthn for a given browser they can get everyone using that browser?



You can use standard 3rd party encryption libraries, but what you
cannot have are any two packets encrypted with both the same seed and
encryption method. Yeah, they are going to sniff your packets. Yeah,
there are all kinds of free tools on the Internet to peel that SSL
right off there. After that, they have to start from ground zero with
every packet. The biggest flaw in old school data transmissions was
the single-method-single-key for entire file or comm session. Evil
doers only had to crack one packet for the rest of them to be easy as
knocking over dominoes. Some of the older encryption libraries even
left tell-tale signatures in the encrypted packet so at a glance they
could tell what method was used. Making it an exercise of just finding
the proper seed. When you have a million PC bot-net at your disposal
it generally takes more time to distribute the work than it does to
get the answer.

Still, you are talking nonsense. Your critique sounds like it could
apply to some forms of ancient CBC mode implementations or certain
ancient stream ciphers, but it doesn't really.

No, probably just talking over your head. Sorry about that.

Now you are mixing in social engineering... yay!

You know, every security system has at least 2 points of failure, architectural and human.


[sarcasm]

Wow! This is exactly how much your entire "advice" is worth.

[/sarcasm]


Roland, please keep your hands off security consulting - you'll go
bankrupt or cause someone to do so. (Sorry for the harsh language, but
security is a very harsh business.)

Yeah, because I've never had to do anything with encryption or security. I was just part of the tiny little team working on this when its project code name was IP Ghoster.

https://www.hidemyass.com/index

No, the donkey's name really isn't Jack, it's Ken. I never understood why he found that so funny but he does. He's also off doing this stuff now.

https://bear.systems/team/

Never worked with the third dude on the page but Mr. Keith is awesome. If he ever offers to let you work for him, take it. Ken, well, let's just say I'm Mother Teresa and Jiminy Cricket rolled into one compared to him. Maybe that's really what it takes to shove solutions through at that level all of the time? I just know I hit my limit and left. So did others. He might be a nicer guy now that he left Jersey?

Don't mean to sound harsh, just tired.

--
Roland Hughes, President
Logikal Solutions
(630)-205-1593  (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com

_______________________________________________
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest
