[EMAIL PROTECTED] (Thompson, Steve) writes:
You mean, should your computer (laptop) be stolen, one could then boot
using a LIVE Linux CD, and crack the wallet contents... Come to think of
it, with a LIVE Linux CD, one can crack NTFS files used by Windows....

This is why in our pursuit of security, we make ourselves insecure
because of all the accounts we have that we have to have a userid and
password for. And if kept in that wallet, once it is hacked, what damage
could be done?

Think about this for a moment. How many web sites require you to
register before you can look at their content? This adds to the issue.

How many use the same throw-away userid across as many junk
sites/accounts as possible, but keep the same password as they use for
their banking ids? While I may have said this backwards, I think you can
see the point.

Again, I do not have a solution because the things that I would have
pointed out or pointed to have already been shown to not be so secure
after all by others on IBM-Main.

previous post in thread:
http://www.garlic.com/~lynn/2007d.html#34 Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

so the issue discussed in these recent posts
http://www.garlic.com/~lynn/aadsm26.htm#35 Failure of PKI in messaging
http://www.garlic.com/~lynn/aadsm26.htm#36 New Credit Cards May Leak Personal Information

is to transition away from shared-secret paradigm
http://www.garlic.com/~lynn/subintegrity.html#shared

an issue with (static data) shared-secret paradigm is that the same
value is used to both originate/authenticate as well as to verify.
this also leads to requirement that each unique security domain
requires unique shared-secret as countermeasure to cross-domain
attacks.

in public key paradigm, the value to originate an authentication is
different than the value to verify an authentication. also the value
being verified can be made unique for every use ... as countermeasure
to eavesdropping and replay attacks.

the private key can be made sufficiently complex that it effectively
negates brute-force guessing attacks.

so threat/attack vector then starts focusing on (unauthorized)
accessing (possibly single) private key.

for some drift, archeological ('81) reference to public key proposal
http://www.garlic.com/~lynn/2006w.html#email810515 more secure communication over the network

and old ('84) april 1st "corporate directive" password guideline proposal
http://www.garlic.com/~lynn/2001d.html#52 OT Re: A beautiful morning in AFM.
http://www.garlic.com/~lynn/2001d.html#53 April Fools Day

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
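The contrast drawn in the reply above (same value to originate and verify under shared secrets, versus a distinct private/public pair with a per-use verified value) can be shown concretely. The following Go program is an added example, not code from the IBM-MAIN thread or from the linked garlic.com posts; it assumes Go's standard-library ed25519 as the public-key scheme, and the password, key seeds and nonce bookkeeping are constructed for the demonstration. It replays one captured exchange against each paradigm: the static shared secret is accepted again, while the signed challenge is refused because the verifier retires each nonce after a single use and holds only the public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Shared-secret paradigm: the verifier stores the very value the client
// presents, so one capture of that static value is a reusable credential.
type SharedSecretVerifier struct {
	secret []byte
}

func (v SharedSecretVerifier) Verify(presented []byte) bool {
	return subtle.ConstantTimeCompare(v.secret, presented) == 1
}

// Public-key paradigm: the verifier stores only the public key and makes the
// value being verified unique per use by issuing a fresh random nonce.
type PublicKeyVerifier struct {
	pub    ed25519.PublicKey
	issued map[string]bool // outstanding nonces, consumed on first use
}

func NewPublicKeyVerifier(pub ed25519.PublicKey) *PublicKeyVerifier {
	return &PublicKeyVerifier{pub: pub, issued: map[string]bool{}}
}

// Challenge issues a 32-byte random nonce and records it as outstanding.
func (v *PublicKeyVerifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.issued[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Verify accepts a signature only over a nonce this verifier issued and has
// not yet consumed; the nonce is retired whether or not the signature checks,
// so a captured (nonce, signature) pair cannot be replayed.
func (v *PublicKeyVerifier) Verify(nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	if !v.issued[key] {
		return false // never issued, or already used: treated as replay
	}
	delete(v.issued, key)
	return ed25519.Verify(v.pub, nonce, sig)
}

// Respond is the client side; the private key never leaves the client.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Outcome records what an eavesdropper who captured one exchange achieves.
type Outcome struct {
	SharedFirst, SharedReplay     bool
	PKFirst, PKReplay, PKOtherKey bool
}

// RunScenario replays a captured credential against both verifiers.
func RunScenario() (Outcome, error) {
	var out Outcome

	// Constructed sample password: captured once, it works again unchanged.
	password := []byte("constructed-sample-password")
	ss := SharedSecretVerifier{secret: password}
	captured := append([]byte(nil), password...)
	out.SharedFirst = ss.Verify(password)
	out.SharedReplay = ss.Verify(captured)

	// Constructed fixed seed (not a real key) so the run is reproducible.
	seed := make([]byte, ed25519.SeedSize)
	copy(seed, []byte("constructed-demo-seed-not-secret"))
	priv := ed25519.NewKeyFromSeed(seed)
	pk := NewPublicKeyVerifier(priv.Public().(ed25519.PublicKey))

	nonce, err := pk.Challenge()
	if err != nil {
		return out, err
	}
	sig := Respond(priv, nonce)
	out.PKFirst = pk.Verify(nonce, sig)
	out.PKReplay = pk.Verify(nonce, sig) // same captured pair presented again

	// A fresh challenge answered with a different private key also fails.
	nonce2, err := pk.Challenge()
	if err != nil {
		return out, err
	}
	otherSeed := make([]byte, ed25519.SeedSize)
	copy(otherSeed, []byte("another-constructed-seed-value!!"))
	other := ed25519.NewKeyFromSeed(otherSeed)
	out.PKOtherKey = pk.Verify(nonce2, Respond(other, nonce2))
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point of the per-use nonce is the one the reply makes: with a shared secret the verifier's own store is as sensitive as the client's wallet, and a static value captured once is good indefinitely; with the public-key pairing, what travels on the wire is a signature over a value the verifier will never accept twice, and what the verifier stores cannot originate an authentication at all.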