On Wednesday 18 May 2005 11:29, Duane wrote: > Ian G wrote: > > Unless you are saying that these sysadms work for > > ISPs and they are attacking the traffic passing through, > > that would be a threat. So how many of these sys > > admins are there? Is the 1/3 a proportion of the ones > > caught, or a proportion of total sys admins? > > They had been to prison prior to being employed prior to causing havoc > on someone's network...
OK, so this gets us some way forward. We now know that a) sysadms can cause havoc, and b) sysadms *do* cause havoc because at least 3 have been caught. But we need to go a few steps further forward: c) how many sysadms cause havoc? d) how much damage in costs do they do? e) what can we do to protect against them? f) how much does it cost to protect? Once we have these numbers we can work out whether it is cost-effective to protect against them. (If you don't subscribe to this analysis, then please send me $1000 and I will protect you from all meteors. This promise comes with a 100% money back guarantee.) PS: what report is this? > I consider all transit providers a threat, > especially in light of past performances of carnivore and the like... If > the FBI and Verisign can do it, why can't every other ISP in existence? Yeah, so do I. (But for different logics perhaps.) This is partly why I am strongly motivated to lower the cost of SSL / HTTPS protection to the point where it can be used cost-effectively and pro-actively. > Which brings me back to an earlier reply I seem to be getting silent > treatment about, when will the browser warn me about fingerprint > changes? At present Verisign controls a fairly well seeded bunch of root > certificates and the DNS, and has the potential to MITM most sites in > existence... The current philosophy is that all CAs are equivalent and safe and therefore there is no need to warn about a change in CA. This will change, in time. I personally think we will see a change about 2 weeks after the first phishing attack using a CA-signed cert hits the open media. (According to the theory of security, Verisign and other attacks on CAs are not currently validated, so there it is not cost-effective to secure against them.) > > OK, so this is an accidental artifact of a system, > > probably badly configured or with aspects that they > > hadn't thought out. Fixed in the beta, I would guess. > > It's still a threat having that much information and nothing to protect > a users password with... Perhaps. I don't know the system you are referring to, are you saying that they don't use SSL to protect passwords? > If this is going to be one of these arguments you try and knock down all > my points because of no test cases made public? It's security. Security is founded on economics. If there are no validated threats then don't spend a dime protecting against it, in general. IOW, if you can't show that people are losing money (or time), why are you asking others to spend their valuable money (or time) on it? If there are secret cases, then we have no data, we can't distinguish the secret cases from the made-up cases. In general, if someone presents you with a case that is "secret but I promise it's real" then you are better off not believing them. If it's true, it will reveal itself, and if it's false, you just got scammed, and parted with your money. If you've got that sort of money to throw around, then throw some my way! iang -- http://iang.org/ _______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
