[Interest] TLS/SSL XML encryption security
roland at logikalsolutions.com
Tue Oct 8 18:50:37 CEST 2019
On 10/8/19 5:00 AM, Thiago Macieira wrote:
> On Monday, 7 October 2019 18:08:27 PDT Roland Hughes wrote:
>> There was a time when a Gig of storage would occupy multiple floors of
>> the Sears Tower and the paper weight was unreal.
> Have you ever heard of Claude Shannon?
> Anyway, you can't get more data into storage than there are possible states of
> matter. As far as our *physics* knows, you could maybe store a byte per
> electron. That would weigh 5 billion tons to store 16 * 2^128 bytes.
The same physics that, when incorrectly applied, "proves" bumblebees cannot fly?
What I really loved was the science text my generation had in 4th grade
which taught kids meat naturally contained maggots. Scientists had
"proven" that if you just left meat out, maggots would magically grow from it.
> How about you do some math before spouting nonsense?
Considering and attempting to prove nonsense is what is required when
you are at the architect level. At the Chicago Stock Exchange when they
were running PDP machines they wanted to use 2 machines to run the
trading floor having process shared memory between them. Digital
Equipment Corporation, makers of the PDP and its operating system told
them it was nonsense, couldn't be done. They did it. Ported it to the
VAX (completely different hardware and OS), the Alpha ("same" OS,
different hardware) and the Godforsaken Itanium.
At Navistar (though it wasn't named Navistar then) they wanted the IBM
order receiving system to directly send orders to the VMS based order
processing/inventory management/picking ticket system. Both DEC and IBM
told them it was complete nonsense, couldn't be done. We did it. Long
before RJE was talked about.
>> At any rate, enough rows in the DB to achieve a 1% penetration rate
>> gives them 10,000 compromised credit cards via an automated process. A
>> tenth of a percent is 1,000. Not a bad haul.
> Sure. How many entries in the DB do you need to generate a 0.1% hit rate?
> I don't know how to calculate that, so I'm going to guess that you need one
> trillionth of the total space for that.
Depends on what you find when testing and probing. Some were richly
rewarded with the Debian bug limiting keys to a range of 32768. If the
current OpenSSL library isn't blocking keys below 32769, the database
and tools created to exploit that weakness still work for any key in
If there is a ToD sensitivity in the random generator (there shouldn't be, but
on this Debian system it looks like there might be), then one can
dramatically reduce the DB size needed and reduce the target range to
all traffic within a window.
> I don't doubt that there are hackers that have dedicated DCs to cracking
> credit card processor traffic they may have managed to intercept. But they are
> not doing that by attacking the encryption.
Some are and some aren't. The fact so many deny the possibility is the
Roland Hughes, President
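The message above refers to the Debian bug that limited generated keys to a range of 32768 possibilities. The script below is an added example, not code from the thread or from OpenSSL: it uses a constructed toy generator (`toy_keygen`, whose only entropy input is an integer seed) to show how an operator can audit a generator's effective entropy by enumerating its seed space, estimate from the birthday bound how likely independently generated keys are to collide across a fleet of that size, and flag hosts that share a key fingerprint, which is the observable symptom of such a weakness. The fleet data (`SAMPLE_FLEET`) and host names are constructed; the 15-bit seed range is the figure from the message.

```python
import hashlib
import math
from collections import defaultdict

# Constructed stand-in for a key generator whose only entropy input is an
# integer seed (not OpenSSL's generator): the set of keys it can ever produce
# is bounded by the size of the seed space.
def toy_keygen(seed: int) -> bytes:
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:16]

# The 15-bit, process-id sized seed range mentioned in the message (1..32768).
PID_SPACE = range(1, 32769)


def effective_entropy_bits(seed_space) -> float:
    """Audit: enumerate the seed space and measure how many distinct keys
    the generator actually emits; log2 of that count is its real entropy."""
    distinct = {toy_keygen(s) for s in seed_space}
    return math.log2(len(distinct))


def collision_probability(hosts: int, key_space: int) -> float:
    """Birthday bound: probability that at least two of `hosts` independently
    generated keys coincide when only `key_space` distinct keys exist."""
    return 1.0 - math.exp(-hosts * (hosts - 1) / (2.0 * key_space))


def shared_keys(fleet: dict) -> dict:
    """Fleet check: map each key fingerprint that appears on more than one
    host to the hosts using it. Independent hosts should never share keys;
    duplicates point at a generator with too little entropy."""
    by_fp = defaultdict(list)
    for host, key in fleet.items():
        by_fp[hashlib.sha256(key).hexdigest()[:16]].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed fleet: six hosts whose seed values happened to repeat.
SAMPLE_FLEET = {
    "web-01": toy_keygen(7),
    "web-02": toy_keygen(42),
    "db-01": toy_keygen(7),
    "db-02": toy_keygen(1000),
    "cache-01": toy_keygen(42),
    "bastion": toy_keygen(5),
}

if __name__ == "__main__":
    print(f"effective entropy of the seed space: "
          f"{effective_entropy_bits(PID_SPACE):.1f} bits")
    print(f"P(key collision among 300 hosts drawing from 2^15 keys): "
          f"{collision_probability(300, 2**15):.3f}")
    print(f"P(key collision among 300 hosts drawing from 2^128 keys): "
          f"{collision_probability(300, 2**128):.3e}")
    for fp, hosts in shared_keys(SAMPLE_FLEET).items():
        print(f"key {fp} is shared by {', '.join(sorted(hosts))}")
```

With a 15-bit seed space the audit reports 15 bits of effective entropy regardless of the nominal key length, and the birthday bound shows a fleet of a few hundred hosts is more likely than not to contain a duplicate key, so a periodic fingerprint comparison across hosts is a cheap detection for this class of defect; a healthy 128-bit key space gives a collision probability indistinguishable from zero.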