On 19/03/12 08:19 AM, Kevin Chadwick wrote:
On Sun, 18 Mar 2012 12:30:35 +1100


On the MITM - FUD or validated threat?

And, there was no outbreak of MITMing until .. when?
  Sometime around the late 00s devices appeared on the market that
could do cracks in real time or near real time.  There's still no
outbreak or even documented occurrences to my knowledge.

That's completely irrelevant for more than one reason. Do you cross the
road blindfolded because there are no documented cases of someone
crossing the road blindfolded and getting run over?


That's an act that is unnatural to most, so they don't do it, but in fact blind people cross the road a lot of the time. That's why they have those beeping sounds.

Also, consider that traffic accidents happen all the time at crossings - but we don't stop crossing. We can stop all traffic accidents any time we want to - but don't.

Everything is a balance of costs and opportunities and benefits.

My mate's girlfriend
was stalked by her criminal boyfriend who kept knowing what she was
doing.

That's bad. But, back to how to deal with threats: this is not a theoretical thing you dug out of a text book. This is an actual documented event - a clear and present danger, or a validated threat. This obviously calls for a more focused and direct response than the vague and handwavy "oh but there might be stalkers" thing that is sometimes used to scare people.

My fairly computer illiterate friend dug out a document
demonstrating how to snoop and inject messages and also clone SIMs etc.

Sure ... this falls in an interesting grey bucket called "demos". In my work I discount any "academic demonstration" and insist on seeing evidence of bad guys doing it, not claims that bored students can do it (remember the 1995 SSL breaks of random numbers and weak keys ... didn't lead to sudden outbreaks of bad guys against SSL!) The reason is that only bad guys can show that it is economic to do some break, bored students can't.



What did the GSM consortium decide to do?  In 1997?

Accept the risk.

Ignore the risk like the banks are currently ignoring the risk to cash
machines due to COST without any increase or sustaining of profit,
like 3G/LTE brings.


Banks - another story.

Right decision - if you know what their threat model was: paparazzi and
minute thieves.

I had no idea and am now extremely angry, it was obviously flawed and
they should have done a better job of 3G in that light. Do you have a
link at all. I'm sure the phone hacking scandal investigators would
love this considering the damage simple voicemail has caused.

The phone hacking scandal investigators have discovered that the method of choice of the paparazzi was hacking into voice-mail, which is protected by a simple PIN. Which is some sort of evidence that they didn't listen in on phones. If you go back to the early 1990s, you'll discover they spent a fair bit of time snooping directly on the phones of famous celebs, including royals. That all stopped dead with GSM's encryption, and to my knowledge hasn't re-surfaced even with the phone hacking scandal in Britain. The only documented event I know of is the famous Greek phone hack during the Olympics, when some major state actor duplicated feeds of 100 or so phones across to slave units for recording, by hacking and reprogramming the management servers.

(Oh, and it's worth pointing out that News Corp were in trouble a few years ago for some case of encryption cracking to do with satellites, some Israeli court case. I don't recall the details. So it is not as if they don't know how to download documents and clone SIMs.)

This is why evidence of bad behaviour is key - we must validate our models before we insist that society spend a fortune on some theoretical FUD or academic whim.


p.s. It's interesting how consortiums can decide mobiles don't
cause cancer, you find they are conducted by phone companies a month or
two after an independent researcher claims evidence that they do. And
also Apple being in the consortium that suddenly decides ogg shouldn't
be defined as the web standard for video. A phrase springs to mind "In
consort with each other" except the web standard had Google vs Apple
equals no decision.


Yes. Organisations and people are predictable. Once people inside orgs get the idea that they can "consort" with other big organisations, the drug enters their system. In my org, I see it all the time ... the latest scandal was that we're being pushed into private non-documentable talks with "lawyers" at some big company. So far we've refused, much to the annoyance of some of the younger people who want to consort.

There's one reason only to have private non-repeatable conversations, and that's because you're trying to hide something.



iang
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security