[Interest] Clarification on network security

[Roland Hughes]

On 6/17/19 3:22 AM, interest-request at qt-project.org wrote:
> The short answer is no. Sadly, it is what you will find in most places.
>> Neither TLS nor SSL are secure nor can they ever be. They are
>> architecturally flawed.  You can pull down software from The Dark Web
>> which when run on a hokey little $80 2-in-1 sold by Walmart can, in 15
>> minutes or less, unpackage anything sent via SSL and caught via most
>> forms of sniffing. In well under an hour using the same hokey laptop
>> it can penetrate pretty much any SSL/TLS secured access point.
>>
> This is complete and utter bullshit! Unless by "hokey little 2-in-1" you
> mean a major compute cluster (like a sizeable portion of the entire AWS
> system), by "15 minutes" you mean several days or weeks and by
> "anything" you mean encrypted with relatively weak keys on a SSL v3
> connection with unfortunate settings.

Nope. I've worked with people who watched it be demonstrated at Black Hat.

You are assuming someone takes the Neanderthal approach of trying ever 
possible value within the entire universe of possible values.

Every encryption system has at least two flaws:

1) architectural

2) humans

I've yet to encounter someone selling an encryption system/idea that 
didn't utter the phrase "It would take a Super Computer running flat out 
for N years/months/days to crack it." The phrase placates the gullible 
and deflects people from asking the first, and obvious question.

Which Super Computer?

It also stops people from considering most architectural flaws and just 
how fast someone can get in who knows of and how to exploit the 
architectural flaw.

And we all know TLS has never had any vulnerabilities.

https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/ 


>> The real question is what are you securing?
>>
>> A chat engine? Who cares? People on those things routinely give out
>> their mother's maiden name, name of their first pet and the closest
>> relative living farthest from them. In the immortal words of Ron White
>> "You can't fix stupid."
>>
> Also nonsense. Just by communicating via chat doesn't mean you are
> stupid. (The presence of A does not prove the absence of B.)

Actually it does.

On the little chat/social media site which lets people create 
pages/forums for their interest(s) someone creates a page/forum for 
Podunk, USA class of 1990 and people join.

So much for the "Where did you attend high school?" security question. 
If it is an area small enough to have only one school system they also 
have the answer to that middle school security question.

On another forum/page you utter the phrase "of course I'm Irish, my 
mother was a McGinnis!"

So much for the "Mother's maiden name" question.

People love their pets and identity thieves can't wait for you to join 
one of these forums/pages and utter something along the lines of "my 
first dog was a Rot named Mugsy and since then they've always had a 
place in my heart?"

So much for the "Name of your first/favorite pet."

A little screen scraping with a page crawler and some keyword/phrase 
searching can get all of this. If they do it slow enough it won't even 
trip any alarms.

Then there are the system managers for each and every site creating both 
draconian and dramatically different rules for passwords forcing humans 
to write them down on stickies. Don't worry now there are on-line 
password vaults to store all of your passwords with links to the login 
pages so you (and the hacker) just have to know one password to get it all.

> Also quite naive, I won't even bother to comment - it would take too long.
>
> Cats have better ideas on cat food than...;-P
>
>
>> The 2-stage is the industry finally admitting SSL/TLS are
>> architecturally flawed and can never be made secure.
>>
> It has absolutely nothing to do with SSL/TLS.

Yeah, it does. It's what you bolt on when you realize SSL/TLS isn't 
secure trying to plug a hole.

>
>> Moving up in security you create a plug-in for popular browsers
>> (Firefox/Chrome/Opera) on popular platforms (Linux/Android/forget
>> about security on Windows). After a user has created an account with
>> you they must be on a supported platform and install the browser
>> plug-in to continue.
>>
> Also nonsense. No plugin is required for most 2nd factor auth. Even
> U2F/WebAuthn is built into major browsers these days.

Who cares about most? Should only care about the custom one created for 
your app. Make them really want to penetrate it. You have a few hundred 
to maybe a few thousand users. Why bother with you when if they 
penetrate the built in U2F/WebAuthn for a given browser they can get 
everyone using that browser?


>
>> You can use standard 3rd party encryption libraries, but what you
>> cannot have are any two packets encrypted with both the same seed and
>> encryption method. Yeah, they are going to sniff your packets. Yeah,
>> there are all kinds of free tools on the Internet to peel that SSL
>> right off there. After that, they have to start from ground zero with
>> every packet. The biggest flaw in old school data transmissions was
>> the single-method-single-key for entire file or comm session. Evil
>> doers only had to crack one packet for the rest of them to be easy as
>> knocking over dominoes. Some of the older encryption libraries even
>> left tell-tale signatures in the encrypted packet so at a glance they
>> could tell what method was used. Making it an exercise of just finding
>> the proper seed. When you have a million PC bot-net at your disposal
>> it generally takes more time to distribute the work than it does to
>> get the answer.
>>
> Still, you are talking nonsense. Your critique sounds like it could
> apply to some forms of ancient CBC mode implementations or certain
> ancient stream ciphers, but it doesn't really.
No, probably just talking over your head. Sorry about that.
>
> Now you are mixing in social engineering... yay!

You know, every security system has at least 2 points of failure, 
architectural and human.

>
> [sarcasm]
>
> Wow! This is exactly how much your entire "advice" is worth.
>
> [/sarcasm]
>
>
> Roland, please keep your hands off security consulting - you'll go
> bankrupt or cause someone to do so. (Sorry for the harsh language, but
> security is a very harsh business.)
>
Yeah, because I've never had to do anything with encryption or security. 
I was just part of the tiny little team working on this when its project 
code name was IP Ghoster.

https://www.hidemyass.com/index

No, the donkey's name really isn't Jack, it's Ken. I never understood 
why he found that so funny but he does. He's also off doing this stuff now.

https://bear.systems/team/

Never worked with the third dude on the page but Mr. Keith is awesome. 
If he ever offers to let you work for him it take it. Ken, well, let's 
just say I'm Mother Theresa and Jiminy Cricket rolled into one compared 
to him. Maybe that's really what it takes to shove solutions through at 
that level all of the time? I just know I hit my limit and left. So did 
others. He might be a nicer guy now that he left Jersey?

Don't mean to sound harsh, just tired.

-- 
Roland Hughes, President
Logikal Solutions
(630)-205-1593  (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20190618/d91ef2b9/attachment.html>