[Interest] TLS/SSL XML encryption security

Roland Hughes roland at logikalsolutions.com
Tue Oct 8 18:50:37 CEST 2019

On 10/8/19 5:00 AM, Thiago Macieira wrote:
> On Monday, 7 October 2019 18:08:27 PDT Roland Hughes wrote:
>> There was a time when a Gig of storage would occupy multiple floors of
>> the Sears Tower and the paper weight was unreal.
> Have you ever heard of Claude Shannon?
> Anyway, you can't get more data into storage than there are possible states of
> matter. As far as our *physics* knows, you could maybe store a byte per
> electron. That would weigh 5 billion tons to store 16 * 2^128 bytes.

The same physics which, when incorrectly applied, "proves" bumblebees cannot fly?


What I really loved was the science text my generation had in 4th grade 
which taught kids meat naturally contained maggots. Scientists had 
"proven" if you just left meat out maggots would magically grow from it.


> How about you do some math before spouting nonsense?

Considering and attempting to prove nonsense is what is required when 
you are at the architect level. At the Chicago Stock Exchange when they 
were running PDP machines they wanted to use 2 machines to run the 
trading floor, having process shared memory between them. Digital 
Equipment Corporation, makers of the PDP and its operating system, told 
them it was nonsense, couldn't be done. They did it. Ported it to the 
VAX (completely different hardware and OS), the Alpha ("same" OS, 
different hardware) and the Godforsaken Itanium.

At Navistar (though it wasn't named Navistar then) they wanted the IBM 
order receiving system to directly send orders to the VMS based order 
processing/inventory management/picking ticket system. Both DEC and IBM 
told them it was complete nonsense, couldn't be done. We did it. Long 
before RJE was talked about.

>> At any rate, enough rows in the DB to achieve a 1% penetration rate
>> gives them 10,000 compromised credit cards via an automated process. A
>> tenth of a percent is 1,000. Not a bad haul.
> Sure. How many entries in the DB do you need to generate a 0.1% hit rate?
> I don't know how to calculate that, so I'm going to guess that you need one
> trillionth of the total space for that.

Depends on what you find when testing and probing. Some were richly 
rewarded with the Debian bug limiting keys to a range of 32768. If the 
current OpenSSL library isn't blocking keys below 32769, the database 
and tools created to exploit that weakness still work for any key in 
that range.

If there is a ToD sensitivity in the random generator (there shouldn't 
be, but on this Debian system it looks like there might be), then one can 
dramatically reduce the DB size needed and reduce the target range to 
all traffic within a window.

> I don't doubt that there are hackers that have dedicated DCs to cracking
> credit card processor traffic they may have managed to intercept. But they are
> not doing that by attacking the encryption.
Some are and some aren't. The fact so many deny the possibility is the 

Roland Hughes, President
Logikal Solutions
