On Mon, 19 Mar 2012 11:53:48 +1100 ianG wrote: > On 19/03/12 08:19 AM, Kevin Chadwick wrote: > > On Sun, 18 Mar 2012 12:30:35 +1100 > > > On the MITM - FUD or validated threat?
http://www.h-online.com/security/news/item/28C3-New-attacks-on-GSM-mobiles-and-security-measures-shown-1401668.html Note: it's easy to push a phone down to GSM. > > >> And, there was no outbreak of MITMing until .. when? > >> Sometime around the late 00s devices appeared on the market that > >> could do cracks in real time or near real time. There's still no > >> outbreak or even documented occurances to my knowledge. > > > > That's completely irrelevent for more than one reason, do you cross the > > road blindfold because there are no documented cases of someone > > crossing the road blindfold and getting run over. > > > That's an act that is unnatural to most, so they don't do it, but in > fact blind people cross the road a lot of the time. That's why they > have those beeping sounds. > > Also, consider that traffic accidents happen all the time at crossings - > but we don't stop crossing. We can stop all traffic accidents any time > we want to - but don't. > I bet you a million dollars you can't. You think everyone follows the rules or follows pre-determined patterns. > Everything is a balance of costs and opportunities and benefits. > In my experiance, good security costs next to nothing but some consideration. I guess you haven't been reading my other posts with possible solutions. Let's see you cross a busy road blindfold then. > > My mate's girlfriend > > was stalked by her criminal boyfriend who kept knowing what she was > > doing. > > That's bad. But, back to how to deal with threats: this is not a > theoretical thing you dug out of a text book. This is an actual > documented event - a clear and present danger, or a validated threat. > This obviously calls for a more focused and direct response than the > vague and handwavy "oh but there might be stalkers" thing that is > sometimes used to scare people. > So you deal in ignoring threats that have come to mind as well as all of the ones you couldn't possibly have thought of. That's not security, it's obfuscation. You show that you have never tried to get anything certified by a proper authority in security and the questions that are thrown at your technology. > > My fairly computer illiterate friend dug out a document > > demonstrating how to snoop and inject messages and also clone sims etc.. > > Sure ... this falls in an interesting grey bucket called "demos". In my > work I discount any "academic demonstration" and insist on seeing > evidence of bad guys doing it, not claims that bored students can do it > (remember the 1995 SSL breaks of random numbers and weak keys ... didn't > lead to sudden outbreaks of bad guys against SSL!) The reason is that > only bad guys can show that it is economic to do some break, bored > students can't. > > Economics of an attack will come into evaluating expense on an existing system, it has nothing to do with the design of a new system. It also shouldn't take a terrible crisis to cause a fix, at the least, stark warnings should be paid for. People like you being too liberal and blaazae are what causes these problems in the first place. The ipv6 is lovely brigade. > > >> What did the GSM consortium decide to do? In 1997? > > > >> Accept the risk. > > > > Ignore the risk like the banks are currently ignoring the risk to cash > > machines due to COST without any increase or sustaining of profit, > > like 3G/LTE brings. > > > Banks - another story. > > >> Right decision - if you know what their threat model was: papparazzi and > >> minute thieves. > > > > I had no idea and am now extremely angry, it was obviously flawed and > > they should have done a better job of 3G in that light. Do you have a > > link at all. I'm sure the phone hacking scandal investigators would > > love this considering the damage simple voicemail has caused. > > The phone hacking scandal investigators have discovered that the methods > of choice of the papparazzi are hacking into voice-mail, which is > protected by a simple PIN. Which is some sort of evidence that that > they didn't listen in on phones. If you go back to the early 1990s, > you'll discover they spent a fair bit of time snooping directly on the > phones of famous celebs, including royals. That all stopped dead with > GSM's encryption, and to my knowledge hasn't re-surfaced even with the > phone hacking scandal in Britain. The only documented event I know of > is the famous Greek phone hack during the Olympics, when some major > state actor duplicated feeds of a 100 or so phones across to slave units > for recording, by hacking and reprogramming the management servers. > > (Oh, and it's worth pointing out that News Corp were in trouble a few > years ago for some case of encryption cracking to do with satellites, > some Israeli court case. I don't recall the details. So it is not as > if they don't know how to download documents and clone SIMs.) > > This is why evidence of bad behaviour is key - we must validate our > models before we insist that society spend a fortune on some theoretical > FUD or academic whim. > Rubbish, you choose a pheasable method/technology that you know to the best of your ability will be secure in any event for the next generous x years. There's enough to deal with just on the compromised keys side. What evidence do you expect to see on a passive attack that is virtually undetectable without black helicopters around or monitoring at incident time. The reason low hanging fruit of phone hacking is found is because it is also the low hanging fruit of getting evidence for. Here we have some severe fall-out and yet still a far larger threat remains. Of course the papers will certainly be careful not to be caught now. I can't believe how little blame/attention the telcos are getting, there must be some backhanders or affiliation there. I mean setting a deny untill a password is set especially when you have lowered your encryption for bandwidth reasons, is kids stuff. A thief breaks and enters and gets caught, he's in trouble. You left the door open and your just an idiot that wastes police time which will be reflected in what the sentence the caught thief gets. 80% of businesses state online IPR theft. How many report this to any authority and/or have sufficient evidence. You obviously deal with other peoples privacy and not your own! > > iang > _______________________________________________ > dev-security mailing list > dev-security@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
