On Mon, Sep 09, 2002 at 12:45:59PM -0400, WC -Sx- Jones wrote:
> Given: fcjjf1CkQsV1IFCCJ25145245
> Can you devise a way to break the code? Years ago (1997) I wrote an
> H/R jobs posting script which is now coming under fire (people are
> saying that because I send the security bits back and forth between the
> client and the server that someone can hack into the script and fiddle
> with the program.)

secprog@securityfocus recently had an analysis of someone's appalling
VB-based protocol and simple substitution cipher.

> What do you think? I would give you a better hint, but this is all a
> hacker would have to go on...

Erm, no. A hacker would have many messages, intercepted, and probably be
able to inject messages, and watch what they do to the system in question.
He might also be able to adjust messages in transit, and watch what happens
when he changes things. What you are describing is security through
obscurity.

> PS - No one is mentioning the fact that it has been used now since 1997
> with little if any problems, much less security ones. However, in the

How can you say that you know what security problems there are? Has your
code been peer-reviewed? Who's to say that your future attacker won't have
worked for you, and therefore have a copy of the code? Kerckhoffs strikes
again. The security is in the key, not the algorithm.

> interest of security, I am looking at it again - just to be sure, ya'
> know?

I think you're misunderstanding a fundamental concept of what the attacker
might actually be trying to do.

Post details of your protocol if you want it peer reviewed.

MBM

-- 
Matthew Byng-Maddick <[EMAIL PROTECTED]> http://colondot.net/
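
The point about keys versus algorithms in the reply above, as an added example that is not part of the original message or of the script under discussion: state that travels between client and server is tagged with a published algorithm (HMAC-SHA256) under a secret server-side key, so a token altered in transit or forged without the key is rejected. The token layout, field names and key handling are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: the key exists only on the server (generated here for the demo).
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_token(state: dict, key: bytes = SERVER_KEY, ttl: int = 900) -> str:
    """Serialize state with an expiry and append an HMAC-SHA256 tag."""
    body = dict(state, exp=int(time.time()) + ttl)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, key: bytes = SERVER_KEY):
    """Return the state dict, or None if malformed, altered or expired."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    body = json.loads(payload)
    if body.get("exp", 0) < time.time():
        return None
    return body


def tamper(token: str, **changes) -> str:
    """Simulate in-transit modification: edit the payload, keep the old tag."""
    p64, t64 = token.split(".")
    body = json.loads(base64.urlsafe_b64decode(p64))
    body.update(changes)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + t64
```

Everything in this code can be published without weakening it; only SERVER_KEY has to stay secret. The expiry bounds how long a captured token can be replayed but does not prevent replay inside that window.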
