Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: The stupid, it hurts!

44 views
Skip to first unread message
Message has been deleted

Julian Macassey

unread,
Feb 22, 2012, 10:29:05 AM2/22/12
to
On Wed, 22 Feb 2012 11:01:26 +0100, Gallian <gal...@linuxmail.org> wrote:
> Colleague: "SSL is not authentication. Authentication is me proving my
> identity by logging in, for example using a password".
>
> And this is security consultant.

The computer security business is just a place for
chancers, con-men, and sociopaths to find work.

At their best, they make life tiresome for those in the
know and life impossible for the clueless.

Just remember this seasons bogey man is "Cyberwarfare".
Look for it on all your usual news outlets.


--
"If you have done nothing wrong, comrade, you have nothing to
fear." - Lavrenti Beria, Stalin's head of the NKVD, the secret police.
Message has been deleted

Just zis Guy, you know?

unread,
Feb 22, 2012, 1:11:54 PM2/22/12
to
On Wed, 22 Feb 2012 17:00:08 +0100, Gallian <gal...@linuxmail.org>
wrote:

>Not only does he
>make elementary mistakes like this, he also overestimates his
>Yvahk-expertise, yet expects to get a blanket root permission on all
>our customer facing boxes running NepFvtug.

The only cure for that kind of cluelessness IME is to let them make a
really spectacular fuck-up. And then hope they get sacked.

That's my real-world experience, obviously the monk in me harbours a
desire to eject them for the 42nd floor sans parachute.

Guy
--
Guy Chapman, http://www.chapmancentral.co.uk
The usenet price promise: all opinions are guaranteed
to be worth at least what you paid for them.

mlooney

unread,
Feb 22, 2012, 1:18:21 PM2/22/12
to
Julian Macassey <jul...@tele.com> wrote:
> On Wed, 22 Feb 2012 11:01:26 +0100, Gallian <gal...@linuxmail.org> wrote:
>> Colleague: "SSL is not authentication. Authentication is me proving my
>> identity by logging in, for example using a password".
>>
>> And this is security consultant.
>
> The computer security business is just a place for
> chancers, con-men, and sociopaths to find work.
>

As a diagnosed sociopath, I resent that remark.

--
I'm an aging, white, right of center, geeky, male, dyslexic, veteran,
bipolar, sociopath with Asperger syndrome and a touch of PTSD that mutters.
And you are?

Paul

unread,
Feb 22, 2012, 3:39:51 PM2/22/12
to
"Just zis Guy, you know?" <usen...@chapmancentral.co.uk> wrote in
news:lqbak7l2q0ut7fqnu...@4ax.com:

> On Wed, 22 Feb 2012 17:00:08 +0100, Gallian
> <gal...@linuxmail.org> wrote:
>
>>Not only does he
>>make elementary mistakes like this, he also overestimates his
>>Yvahk-expertise, yet expects to get a blanket root permission on
>>all our customer facing boxes running ArcSight.
>
> The only cure for that kind of cluelessness IME is to let them
> make a really spectacular fuck-up. And then hope they get sacked.

The problem is, many such folk are good at diverting blame...

--
Paul the Legacy Server
Full Recovery reached May 30, 2008
"People can be educated beyond their intelligence"
-- Marilyn vos Savant

David Cameron Staples

unread,
Feb 22, 2012, 4:01:06 PM2/22/12
to
On Wed, 22 Feb 2012 20:39:51 +0000, Paul wrote:

> "Just zis Guy, you know?" <usen...@chapmancentral.co.uk> wrote in
> news:lqbak7l2q0ut7fqnu...@4ax.com:
>
>> On Wed, 22 Feb 2012 17:00:08 +0100, Gallian <gal...@linuxmail.org>
>> wrote:
>>
>>>Not only does he
>>>make elementary mistakes like this, he also overestimates his
>>>Yvahk-expertise, yet expects to get a blanket root permission on all
>>>our customer facing boxes running ArcSight.
>>
>> The only cure for that kind of cluelessness IME is to let them make a
>> really spectacular fuck-up. And then hope they get sacked.
>
> The problem is, many such folk are good at diverting blame...

"I have vague memories that it was you who kept talking about this going
wrong... therefore it's your fault for not stopping it."

Julian Macassey

unread,
Feb 22, 2012, 6:34:26 PM2/22/12
to
On Wed, 22 Feb 2012 18:11:54 +0000, Just zis Guy, you know?
<usen...@chapmancentral.co.uk> wrote:
>
> The only cure for that kind of cluelessness IME is to let them make a
> really spectacular fuck-up. And then hope they get sacked.

My experience is those people get rewarded and often
promoted.

Then they work full time to find nits that they use to
get you fired.

A case in point? Get's your truly fired. Designs new
server room with 1. No power outlets 2. No A/C. Gets reward for
doing such a good job moving the company.

I am, as Dave Barry would say making this up.

> That's my real-world experience, obviously the monk in me harbours a
> desire to eject them for the 42nd floor sans parachute.

You live in a better world than I.

Alan J Rosenthal

unread,
Feb 23, 2012, 6:17:41 PM2/23/12
to
Gallian <gal...@linuxmail.org> writes:
>Colleague: "SSL is not authentication. [...]

My initial inclination was to agree, but actually the term "authentication"
carries no constraints as to the thoroughness of the evaluation. If someone
asks me "are you Gallian" and I answer "yes", then they have authenticated
me as you, they just haven't done a very good job (since I am not you).

-- aj "just wanted to make that last bit clear to any confused bystanders" r

Joe Thompson

unread,
Feb 23, 2012, 7:59:20 PM2/23/12
to
On 2012-02-23, Alan J Rosenthal <fl...@dgp.toronto.edu> wrote:
> Gallian <gal...@linuxmail.org> writes:
>>Colleague: "SSL is not authentication. [...]
>
> My initial inclination was to agree, but actually the term "authentication"
> carries no constraints as to the thoroughness of the evaluation. If someone
> asks me "are you Gallian" and I answer "yes", then they have authenticated
> me as you, they just haven't done a very good job (since I am not you).

Well, then there is the question of what is *actually* being
authenticated vs. what people *think* is being authenticated. If I ask
you "are you Gallian" and you answer "yes", you have *identified*
yourself but nobody has authenticated anything yet. If I ask someone
else "is he actually Gallian?" and *he* says yes, now we have (poor)
authentication.

E.g. with SSL the basic authentication with a self-signed cert or one
signed by an unknown CA is "I hold the private key corresponding to the
public one presented here" -- which assertion is authenticated by the
fact that SSL works. And should the presented key change in the future
or SSL simply stop working, it ought to raise suspicion that something
has happened (or alternately that something that was formerly happening
has stopped...).

If the folks presenting the cert shelled out for a third party to sign
their CSR, then you now have authentication that "the key corresponding
to the one I am presenting you was verified to exist by a third party
signing a document generated by it, whose keys you can also verify".

But lay folk assume that the color of the SSL indicator in an address
bar actually means *anything* with respect to the *identity* or
*trustworthiness* of the organization they're dealing with, and that of
course is where it all falls apart -- you only have to be good enough to
fool (or subvert) the least-trustworthy CA in a victim's browser, and
you can "be" anyone or anything you want as far as most browser software
is concerned (Google keywords: "compelled certificate creation attack",
Microsoft Security Bulletin MS01-017.)

It's worth noting that the whole point of CAs originally *was* (supposed
to be) to actually *verify the identity* of those applying for
certificates, but these days it seems they will give out pretty much
anything to anyone unless you pay extra (and the more extra you pay, the
more verified you get -- a state of affairs in which the major browser
makers appear to be complicit). -- Joe
--
Joe Thompson | Sysadmin - Scientificist
E-mail addresses in headers are valid. | http://www.orion-com.com/
"There is no way my emacs is ever getting a credit card!" -- Matthew Vernon

Kevin Goebel

unread,
Feb 24, 2012, 1:32:38 AM2/24/12
to
On Wed, 22 Feb 2012 18:11:54 +0000, "Just zis Guy, you know?"
<usen...@chapmancentral.co.uk> wrote:

>On Wed, 22 Feb 2012 17:00:08 +0100, Gallian <gal...@linuxmail.org>
>wrote:

>>Not only does he
>>make elementary mistakes like this, he also overestimates his
>>Yvahk-expertise, yet expects to get a blanket root permission on all
>>our customer facing boxes running NepFvtug.

>The only cure for that kind of cluelessness IME is to let them make a
>really spectacular fuck-up. And then hope they get sacked.

>That's my real-world experience, obviously the monk in me harbours a
>desire to eject them for the 42nd floor sans parachute.

Guy,

Please reconsider providing them with a parachute. It can be a very useful
tool in this situation.

You can pre-shroud the person with the canopy so they fall blindly (and make
it easier on the cleanup crew).

You could splice the suspension lines, secure one end to the building and
lash the other end around his neck and let them ponder for a while before
you eject them if the cord will snap their neck or if it will just start
choking them before it parts due to the strain of trying to brake their free
fall.

You could bind them with the harness, deploy and secure the canopy inside
the building, and suspend them out a window in the harness. Then play 20
questions (topic: computer security) and cut one suspension line for each
incorrect answer. "Think harder, my friend, the next round is Double
Jeopardy!"

You could paint the canopy with napalm gel and let them display your
favorite operating system logo in flames on the way down.

You could at least let them use the pilot chute - give them a sporting
chance.

Call me a bleeding-heart, softie liberal, but I would rather employ a
parachute when ejecting someone from the 42nd floor than not employ one.

Kevin Goebel

er...@rail.eu.org

unread,
Feb 24, 2012, 2:37:36 AM2/24/12
to
fl...@dgp.toronto.edu (Alan J Rosenthal) disait le 02/24/12 que :

> Gallian <gal...@linuxmail.org> writes:
>>Colleague: "SSL is not authentication. [...]
>
> My initial inclination was to agree, but actually the term "authentication"
> carries no constraints as to the thoroughness of the evaluation. If someone
> asks me "are you Gallian" and I answer "yes", then they have authenticated
> me as you, they just haven't done a very good job (since I am not you).
>

For me that's identification, not authentication.


--
Le travail n'est pas une bonne chose. Si ça l'était,
les riches l'auraient accaparé
Message has been deleted

Mike Andrews

unread,
Feb 24, 2012, 8:03:01 AM2/24/12
to
Kevin Goebel <kevi...@kevingoebel.com> wrote in <8r8ek7t2tm9rvvta0...@4ax.com>:

> Call me a bleeding-heart, softie liberal, but I would rather employ a
> parachute when ejecting someone from the 42nd floor than not employ one.
>
> Kevin Goebel

I, too, am a bleeding-heart liberal -- particularly when it's my knife
in someone else's heart.

--
"So there I was at 20,000 feet, when my ignition system - made, I should
point out, in this very factory - crapped out. Fortunately I had a
wrench with me, and it would be at least six minutes until I hit the
ground, so no pressure..." -- Roger Burton West, in the Monastery

Message has been deleted
Message has been deleted
Message has been deleted

Kenneth Brody

unread,
Feb 24, 2012, 1:46:14 PM2/24/12
to
On 2/24/2012 2:48 AM, Gallian wrote:
[...]
> Yesterday he got another zinger: a directory owned by benpyr.mumble and
> set to permissions 750 should be changed to ownership benpyr.benpyr,
> because otherwise benpyr couldn't execute scripts in it.
>
> <facepalms at cargo-cult sysadminning>

The there's this one I see all too often:

I got a "permission denied" error, so I did this:

svaq /cngu/gb/ncc -rkrp puzbq 777 {} ';'

and now I'm getting all sorts of errors. What's wrong with $APP?


--
Kenneth Brody

Zebee Johnstone

unread,
Feb 24, 2012, 3:33:26 PM2/24/12
to
In alt.sysadmin.recovery on Fri, 24 Feb 2012 08:48:07 +0100
Gallian <gal...@linuxmail.org> wrote:
> Yesterday he got another zinger: a directory owned by benpyr.mumble and
> set to permissions 750 should be changed to ownership benpyr.benpyr,
> because otherwise benpyr couldn't execute scripts in it.
>

On the other hand...

My DeadRat satellite was refusing to build boxes. Everything in
place, it was just whining it couldn't read files. The files were
there, 644 perms as one expects. Tested that any user could read any
of the files.

It still complained it coudn't read the files.

Then changed the group to apache and it could read them. say what?

I do not wish to know what muppetry was involved.

Zebee

Alan J Rosenthal

unread,
Feb 24, 2012, 9:01:03 PM2/24/12
to
Joe Thompson <sp...@orion-com.com> writes:
>If I ask
>you "are you Gallian" and you answer "yes", you have *identified*
>yourself but nobody has authenticated anything yet.

I disagree. You thought I was Gallian, and then you successfully
authenticated me with the security check.

>If I ask someone
>else "is he actually Gallian?" and *he* says yes, now we have (poor)
>authentication.

Why does it have to be someone else?

Alan J Rosenthal

unread,
Feb 24, 2012, 9:06:12 PM2/24/12
to
ab...@leftmind.net (AdB) writes:
>I'd really like to see better process around yanking browser certs of
>CAs who've been caught handing out bogus website ones.

So long as you also yank authority from CAs who give SSL certificates to
host names like micros0ft.com, I'm with you. But I think that giving
out microsoft.com to someone who isn't Microsoft is not _entirely_
different from giving out micros0ft.com to someone who isn't Microsoft.
(I admit that the former is much worse; I just think they're kinda similar,
and my interest in preventing the former wanes when there's no interest
in preventing the latter.)
Message has been deleted

EP Sporgersi

unread,
Feb 25, 2012, 5:54:39 PM2/25/12
to
On 2012-02-24, Kenneth Brody <kenb...@spamcop.net> wrote:
>
> svaq /cngu/gb/ncc -rkrp puzbq 777 {} ';'

But to make absolutely sure that any security you might have had *stays*
fucked, you need to add hznfx 000 to /rgp/cebsvyr. I have actually, in
some places, replaced chmod with a very small shellscript that gave me a
note saying, basically, "He's at it again, prepare the number 3 LART."

Isn't it lovely that someone will happily produce a twenty-page
treatise on The Security Of $APP, and then NFS-export a world-writable
directory?

Ugh.

Alan J. Wylie

unread,
Feb 26, 2012, 6:30:55 AM2/26/12
to
EP Sporgersi <fle...@xs8.xs4all.nl> writes:

> Isn't it lovely that someone will happily produce a twenty-page
> treatise on The Security Of $APP, and then NFS-export a world-writable
> directory?

Jvgubhg zbhagvat vg "-b $HV,$HV,$HV" ng obgu raqf V rkcrpg.

V tbg n cubar pnyy lrfgreqnl nsgreabba sebz n zbhagnvarre V xabj. Ur'f
orra gurer, qbar gung. Ur'f va uvf yngr friragvrf, jrag gb Arcny ol
uvzfrys ynfg lrne, n zrzore bs gur Pyvzoref' Pyho, xarj zrzoref bs gur
1953 Rirerfg rkcrqvgvba, qvq gur svefg nfprag bs n pynffvp guerr fgne HX
ebpx pyvzo, naq gura ercrngrq vg sbe gur 50gu naavirefnel.

Ur'q unq n cubar pnyy sebz fbzrbar jvgu na Vaqvna npprag gryyvat uvz
gurl jrer sebz Zvpebfbsg naq gung uvf pbzchgre arrqrq ercnve. Ur'q fcrag
gjb ubhef yrggvat gurz unir erzbgr npprff naq, whfg orsber ur jnf nobhg
gb tvir gurz uvf perqvg pneq ahzore, unq gur cerfrapr bs zvaq gb cubar
zr.

Jung vf fb qrcerffvat vf gung vg gura gbbx gjb shegure cubar pnyyf
orsber V jnf svanyyl noyr gb pbaivapr uvz, ol dhbgvat sebz n Thneqvna
negvpyr urnqyvarq "Cbyvpr penpx qbja ba pbzchgre fhccbeg cubar fpnz"
gung gurl jrer pebbxf naq ur svanyyl npprcgrq gung ur'q orra pbaarq.

V obhtug n Xbob pbcl bs gur yngrfg Oehpr Fpuarvre va cercnengvba sbe n
cbffvoyr hcpbzvat gevc gb Qraire. V'z fnivat vg sbe ernqvat ba gur
cynar, ohg V'z fher vg jvyy pbagnva n terng qrny bs vafvtug ba gur
angher bs gehfg naq thyyvovyvgl.

--
Alan J. Wylie http://www.wylie.me.uk/

David Cameron Staples

unread,
Feb 26, 2012, 6:47:34 AM2/26/12
to
My grandmother got that call once. She turned out to be immune due to two
characteristics: 1. She has had a policy of telling cold callers to go to
hell since the Second World War, and 2. she has never owned a computer,
and I wouldn't be surprised if she's never even touched one.

Sometimes, it doesn't matter how fast the con artist talks.

Chris King

unread,
Feb 26, 2012, 7:12:50 AM2/26/12
to
On 26/02/2012 11:47, David Cameron Staples wrote:

> My grandmother got that call once. She turned out to be immune due to two
> characteristics: 1. She has had a policy of telling cold callers to go to
> hell since the Second World War, and 2. she has never owned a computer,
> and I wouldn't be surprised if she's never even touched one.
>
> Sometimes, it doesn't matter how fast the con artist talks.

I got the "accident claim" slimeballs the other week, asking me if I
wanted to claim for the accident I'd had a couple of years ago...

"What accident ? I've got absolutely no recollection of it, so it must
have been a really fantastic one - please do tell me what I've missed,
the brain damage alone must be worth millions !!!"

They really don't get irony in Mumbai...

Chris

--
Chris King
(firstname@domain to reply by e-mail - or your message gets binned)

Maarten Wiltink

unread,
Feb 26, 2012, 8:05:52 AM2/26/12
to
"Alan J Rosenthal" <fl...@dgp.toronto.edu> wrote in message
news:2012Feb24....@jarvis.cs.toronto.edu...
> Joe Thompson <sp...@orion-com.com> writes:

>> If I ask
>> you "are you Gallian" and you answer "yes", you have *identified*
>> yourself but nobody has authenticated anything yet.
>
> I disagree. You thought I was Gallian, and then you successfully
> authenticated me with the security check.

That rings a bell. Identification would be to ask 'Who are you?'.


>> If I ask someone
>> else "is he actually Gallian?" and *he* says yes, now we have (poor)
>> authentication.
>
> Why does it have to be someone else?

It doesn't; it has to be someone you trust, that's all. Then again,
arguably Gallian is the only one who can say anything about his own
identity with any kind of philosophical certainty.

Tebrgwrf,
MAarten Wiltink


Peter H. Coffin

unread,
Feb 26, 2012, 1:26:43 PM2/26/12
to
On Sat, 25 Feb 2012 21:37:14 +0000 (UTC), mrob...@att.net wrote:
> Abj V whfg unir gb trg gur bgure pb-jbexre, n ybatgvzr Jvaqbjf
> qrirybcre, gb haqrefgnaq jul V qba'g jnag gb tb gb cebqhpgvba jvgu uvf
> pheerag fpurzr: fgvpx gur ncc va /hfe/ova ba gur gnetrg, gura pbcl bire
> .fb svyrf sebz gur qri obk gb /hfe/yvo ba gur gnetrg Hagvy Vg Jbexf. [0]

Onu. Nal qrirybcre obk fubhyq or abguvat ohg n ybj-qngn fancfubg bs gur
cebqhpgvba obk vafgnyyrq ba ybjre-fcrp uneqjner gb ortva jvgu. Gur vqrn
gung qrirybcref arrq NALGUVAT bgure guna pnfgbssf sebz cebqhpgvba vf
pbhagre gb tbbq, eryvnoyr qrirybczrag. (Orfvqrf, vs gurl unir nalguvat
TBBQ, ubj ner gurl tbvat gb or noyr gb xrrc hc gurve oernx gvzrf ol
nafjrevat nal "Jul nera'g lbh jbexvat?" dhrfgvbaf jvgu "jnvgvat sbe
fbzrguvat gb svavfu pbzcvyvat"?)

--
77. If I have a fit of temporary insanity and decide to give the hero
the chance to reject a job as my trusted lieutentant, I will retain
enough sanity to wait until my current trusted lieutenant is out of
earshot before making the offer. --Anspach's Evil Overlord List

Alan J Rosenthal

unread,
Feb 26, 2012, 2:36:44 PM2/26/12
to
"Maarten Wiltink" <maa...@kittensandcats.net> writes:
>"Alan J Rosenthal" <fl...@dgp.toronto.edu> wrote in message
>> Joe Thompson <sp...@orion-com.com> writes:
>
>>> If I ask someone
>>> else "is he actually Gallian?" and *he* says yes, now we have (poor)
>>> authentication.
>>
>> Why does it have to be someone else?
>
>It doesn't; it has to be someone you trust, that's all.

And you trust _me_, I'm obviously a trustable sort of guy. So when you
ask me "are you actually Gallian" and I say "yes", that's case closed,
as far as you're concerned. You've positively authenticated me as Gallian.

-- aj "and here are my banking passwords" r
Message has been deleted
Message has been deleted
Message has been deleted

Peter Corlett

unread,
Feb 26, 2012, 4:56:50 PM2/26/12
to
AdB <ab...@leftmind.net> wrote:
[...]
> Znxr 'rz qb qri ba n pynccrq-bhg 486 ba n qbqtl ovg bs guvaarg vs lbh jnag
> na nccyvpngvba gung'yy cbfvgviryl _fpernz_ ba zbqrea uneqjner naq
> erfvyvragyl unaqyr argjbex tyvgpurf.

That's BOFHly and amusing, but lousy business sense. You'll get an
application dimensioned for the crummy hardware, which won't scale up to
modern hardware.

Never mind that developers spend very little of time actually running the
application they're developing.

Shmuel Metz

unread,
Feb 25, 2012, 7:48:15 PM2/25/12
to
In <slrnjkiplf...@xs8.xs4all.nl>, on 02/25/2012
at 10:54 PM, EP Sporgersi <fle...@xs8.xs4all.nl> said:

>But to make absolutely sure that any security you might have had
>*stays* fucked, you need to add hznfx 000 to /rgp/cebsvyr.

I am the seventh son of a seventh son, born with a caul, and my
psychic powers tell me that you are not just talking theory. Qb lbh
arrq na nyvov?

>Isn't it lovely that someone will happily produce a twenty-page
>treatise on The Security Of $APP, and then NFS-export a
>world-writable directory?

No, just predictable. What's lovely is being told by your project
manager that it's okay to write the combination of a classified
container on a blackboard as long as you do it in hex. He wasn't happy
when I erased it.

--
Shmuel (Seymour J.) Metz <http://patriot.net/~shmuel> ISO position
Reply to domain Patriot dot net user shmuel+bspfh to contact me.
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

Alexander Schreiber

unread,
Feb 26, 2012, 7:24:27 PM2/26/12
to
Which is why you give the developers fast workstations[0], but crappy (the
lowest possible end of the deployment hardware list) test boxes. And the
testing/QA _has_ to be done on the crap boxes.

Kind regards,
Alex.
[0] Sure, you _can_ pay them to wait and twiddle their thumbs waiting for
$TOOL[1], but wouldn't you rather pay them to do, you know, _work_?
[1] compiler, linker, ...
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
Message has been deleted

LP

unread,
Feb 27, 2012, 11:28:41 AM2/27/12
to
On 2012-02-27, ab...@127.0.0.1 <ab...@127.0.0.1> wrote:
>
> Which is why I <heart/> libvirt.

While that's perilously close to advocacy and/or UI, I'm glad you mentioned
it as it's given me something interesting to read. A welcome distraction
from todays batch of tedious tickets if ever I saw one.

-Paul
--
http://paulseward.com

EP Sporgersi

unread,
Feb 27, 2012, 12:10:03 PM2/27/12
to
On 2012-02-26, Shmuel Metz <spam...@library.lspace.org.invalid> wrote:
> I am the seventh son of a seventh son, born with a caul, and my
> psychic powers tell me that you are not just talking theory. Qb lbh
> arrq na nyvov?

It was in another country, and besides, the box is dead.



Joe Thompson

unread,
Feb 27, 2012, 12:21:51 PM2/27/12
to
On 2012-02-24, Zebee Johnstone <zeb...@gmail.com> wrote:
> My DeadRat satellite was refusing to build boxes. Everything in
> place, it was just whining it couldn't read files. The files were
> there, 644 perms as one expects. Tested that any user could read any
> of the files.
>
> It still complained it coudn't read the files.
>
> Then changed the group to apache and it could read them. say what?
>
> I do not wish to know what muppetry was involved.

I'll hazard a guess[0]: NPYf naq/be FRYvahk. -- Joe

[0] Technically you still won't know unless you go check. And if you go
check, clearly you changed your mind and wanted to know after all.
--
Joe Thompson | Sysadmin - Scientificist
E-mail addresses in headers are valid. | http://www.orion-com.com/
"There is no way my emacs is ever getting a credit card!" -- Matthew Vernon

Joe Thompson

unread,
Feb 27, 2012, 12:35:48 PM2/27/12
to
On 2012-02-25, Alan J Rosenthal <fl...@dgp.toronto.edu> wrote:
> Joe Thompson <sp...@orion-com.com> writes:
>>If I ask
>>you "are you Gallian" and you answer "yes", you have *identified*
>>yourself but nobody has authenticated anything yet.
>
> I disagree. You thought I was Gallian, and then you successfully
> authenticated me with the security check.

That gets into the philosophy of it a bit. If a system's method of
identifying unknown users is to ask repeatedly "are you $FOO", "are you
$BAR", etc., then is that identification or both identification and
authentication? Does it make a difference if it asks for a password
after getting a positive response?

A crypto key can both identify and authenticate because it is (supposed
to be) *unique* and never transferred, so if I present a key you know
with a fair degree of certainty that I am the user you know that key
belongs to.

>>If I ask someone
>>else "is he actually Gallian?" and *he* says yes, now we have (poor)
>>authentication.
>
> Why does it have to be someone else?

Well, it generally would be someone else or something standing in for
external approval. I say I'm Joe Thompson, but anybody could say that.
So I happen to have various things I can present that demonstrate that
other people believe that a guy looking quite a lot like me is in fact
named "Joe Thompson".

"Someone else" could be (and often is, in computer security) "you in the
past". E.g. in the past you set a password on your account, and when
you later present the same password I have a high degree of certainty
that either a) the person logging in is in fact the same person or b)
you have colluded, perhaps knowingly, with the person logging in. -- Joe

Peter H. Coffin

unread,
Feb 27, 2012, 4:56:16 PM2/27/12
to
On Mon, 27 Feb 2012 17:35:48 +0000 (UTC), Joe Thompson wrote:
> On 2012-02-25, Alan J Rosenthal <fl...@dgp.toronto.edu> wrote:
>> Joe Thompson <sp...@orion-com.com> writes:
>>>If I ask
>>>you "are you Gallian" and you answer "yes", you have *identified*
>>>yourself but nobody has authenticated anything yet.
>>
>> I disagree. You thought I was Gallian, and then you successfully
>> authenticated me with the security check.
>
> That gets into the philosophy of it a bit. If a system's method of
> identifying unknown users is to ask repeatedly "are you $FOO", "are you
> $BAR", etc., then is that identification or both identification and
> authentication? Does it make a difference if it asks for a password
> after getting a positive response?
>
> A crypto key can both identify and authenticate because it is (supposed
> to be) *unique* and never transferred, so if I present a key you know
> with a fair degree of certainty that I am the user you know that key
> belongs to.

No, you know that you're talking to something that has the key. What
supplied the key? Whether the key alone is enough is a matter for
consideration. For example, the terminal is not the user. So sudo times
out and wants reassurance that the user at the terminal is still the
user that was at the terminal before. Essentially, it DOES repeatedly
ask "are you $FOO" in a way that *also* provides authentication.

>>>If I ask someone
>>>else "is he actually Gallian?" and *he* says yes, now we have (poor)
>>>authentication.
>>
>> Why does it have to be someone else?
>
> Well, it generally would be someone else or something standing in for
> external approval. I say I'm Joe Thompson, but anybody could say that.
> So I happen to have various things I can present that demonstrate that
> other people believe that a guy looking quite a lot like me is in fact
> named "Joe Thompson".
>
> "Someone else" could be (and often is, in computer security) "you in the
> past". E.g. in the past you set a password on your account, and when
> you later present the same password I have a high degree of certainty
> that either a) the person logging in is in fact the same person or b)
> you have colluded, perhaps knowingly, with the person logging in. -- Joe

.... which gets us to three-factor. And perilously close to work,
at least sometimes...

--
"... I've seen Sun monitors on fire off the side of the multimedia lab.
I've seen NTU lights glitter in the dark near the Mail Gate.
All these things will be lost in time, like the root partition last
week. Time to die...". -- Peter Gutmann in the scary.devil.monastery

Joe Thompson

unread,
Feb 27, 2012, 6:19:15 PM2/27/12
to
On 2012-02-27, Peter H. Coffin <hel...@ninehells.com> wrote:
> On Mon, 27 Feb 2012 17:35:48 +0000 (UTC), Joe Thompson wrote:
>> On 2012-02-25, Alan J Rosenthal <fl...@dgp.toronto.edu> wrote:
>>> Joe Thompson <sp...@orion-com.com> writes:
>>>>If I ask
>>>>you "are you Gallian" and you answer "yes", you have *identified*
>>>>yourself but nobody has authenticated anything yet.
>>>
>>> I disagree. You thought I was Gallian, and then you successfully
>>> authenticated me with the security check.
>>
>> That gets into the philosophy of it a bit. If a system's method of
>> identifying unknown users is to ask repeatedly "are you $FOO", "are you
>> $BAR", etc., then is that identification or both identification and
>> authentication? Does it make a difference if it asks for a password
>> after getting a positive response?
>>
>> A crypto key can both identify and authenticate because it is (supposed
>> to be) *unique* and never transferred, so if I present a key you know
>> with a fair degree of certainty that I am the user you know that key
>> belongs to.
>
> No, you know that you're talking to something that has the key. What
> supplied the key? Whether the key alone is enough is a matter for
> consideration.

Yes -- the certainty is fair, but not absolute. In legal terms I
suppose it would be called a "rebuttable presumption" -- unless I
specifically have a reason not to believe it, I consider a user logging
in with a known key to be presumptive evidence of who is logging in.
For e-mail it's probably enough; for access to TRANSLTR, not so much.
In these days of keyloggers and screen-scrapers, even the most careful
can get caught out.

> For example, the terminal is not the user. So sudo times
> out and wants reassurance that the user at the terminal is still the
> user that was at the terminal before. Essentially, it DOES repeatedly
> ask "are you $FOO" in a way that *also* provides authentication.

Well, it has reason to believe you are a specific $FOO already
(identification). So it asks you to authenticate its idea of who you
are.

I was hypothesizing a system that identifies the user by iterating
through the entire user list asking if you are each user. -- Joe

TimC

unread,
Feb 27, 2012, 11:26:00 PM2/27/12
to
On 2012-02-24, Zebee Johnstone (aka Bruce)
was almost, but not quite, entirely unlike tea:
> It still complained it coudn't read the files.
>
> Then changed the group to apache and it could read them. say what?
>
> I do not wish to know what muppetry was involved.

Ah, ACLs. My new NAS box does interesting things with them. By
default, not overridable. Until you ssh in and install hooks for
after nfs creation succeeds.

--
TimC
A bug in the code is worth two in the documentation. --unknown

Zebee Johnstone

unread,
Feb 28, 2012, 3:41:27 AM2/28/12
to
In alt.sysadmin.recovery on Tue, 28 Feb 2012 15:26:00 +1100
TimC <tcon...@rather.puzzling.no-spam-accepted-here.org> wrote:
> On 2012-02-24, Zebee Johnstone (aka Bruce)
> was almost, but not quite, entirely unlike tea:
>> It still complained it coudn't read the files.
>>
>> Then changed the group to apache and it could read them. say what?
>>
>> I do not wish to know what muppetry was involved.
>
> Ah, ACLs. My new NAS box does interesting things with them. By
> default, not overridable. Until you ssh in and install hooks for
> after nfs creation succeeds.

Couldn't find an acl anywhere. Not one. Not even the ghost of one,
crying lonely in the wilderness for glories long past and for
operatings systems where they were not glued on the side with library
paste.

Nah, I reckon it was some bloody muppet programmer hard coding group.

Zebee

Niklas Karlsson

unread,
Feb 28, 2012, 4:03:52 AM2/28/12
to
On 2012-02-28, TimC <tcon...@rather.puzzling.no-spam-accepted-here.org> wrote:
> Ah, ACLs. My new NAS box does interesting things with them. By
> default, not overridable. Until you ssh in and install hooks for
> after nfs creation succeeds.

For our sins we were cursed with a couple of Argtrne ErnqlANF 4300. What
the web gooey says the ACLs contain appears to bear absolutely no
relation to reality.

Niklas
--
[Sperry + Burroughs merge into Unisys under the tagline "The Power of Two"]
Their main office building here was known as the "Tower of Poo".
-- brian (Wellington, NZ)

TimC

unread,
Feb 28, 2012, 5:59:39 AM2/28/12
to
On 2012-02-28, Niklas Karlsson (aka Bruce)
was almost, but not quite, entirely unlike tea:
> On 2012-02-28, TimC <tcon...@rather.puzzling.no-spam-accepted-here.org> wrote:
>> Ah, ACLs. My new NAS box does interesting things with them. By
>> default, not overridable. Until you ssh in and install hooks for
>> after nfs creation succeeds.
>
> For our sins we were cursed with a couple of Argtrne ErnqlANF 4300. What
> the web gooey says the ACLs contain appears to bear absolutely no
> relation to reality.

I met a firmware designer tonight. I managed to suppress my instinct
to rip his throat out.

--
TimC
This message consists entirely of true bits and false bits!

Shmuel Metz

unread,
Feb 27, 2012, 2:37:15 PM2/27/12
to
In <jigetk$esj$2...@xen1.xcski.com>, on 02/27/2012
at 05:35 PM, Joe Thompson <sp...@orion-com.com> said:

>I say I'm Joe Thompson, but anybody could say that.

To complicate matters, sometimes what you want to prove is not that
you actually are Joe Thompson but rather that you are the same person
as the guy calling himself Joe Thompson last week.
Message has been deleted

John Burnham

unread,
Feb 28, 2012, 11:26:56 AM2/28/12
to
On Sun, 26 Feb 2012 12:12:50 +0000, Chris King wrote:

>
> I got the "accident claim" slimeballs the other week, asking me if I
> wanted to claim for the accident I'd had a couple of years ago...
>
<snip> Am I weird in that I don't even pick up the phone if I don't
recognise the caller id ?
I suppose picking it up and going
"もしもし。ジョンです。”
might confuse enough of the buggers to stop them calling again.
J

Maarten Wiltink

unread,
Feb 28, 2012, 12:12:02 PM2/28/12
to
"Alan J Rosenthal" <fl...@dgp.toronto.edu> wrote in message
news:2012Feb26.1...@jarvis.cs.toronto.edu...
Congratulations, you won the Turing Test.

I've never even met you in real life. Yet, yes, I would trust you.
Or anyone claiming to be you.

Tebrgwrf,
Maarten Wiltink


Alexander Schreiber

unread,
Feb 28, 2012, 5:50:53 PM2/28/12
to
ab...@127.0.0.1 <ab...@127.0.0.1> wrote:
> On 2012-02-27, Joe Thompson <sp...@orion-com.com> wrote:
>
>> That gets into the philosophy of it a bit. If a system's method of
>> identifying unknown users is to ask repeatedly "are you $FOO", "are you
>> $BAR", etc., then is that identification or both identification and
>> authentication?
>
> And furthermore, how many times do I need answer "yes I am $FOO" to
> make it come true?

Well, that is obvious: three times.

HTH,
Alex.

Alan J Rosenthal

unread,
Feb 28, 2012, 8:36:29 PM2/28/12
to
TimC <tcon...@rather.puzzling.no-spam-accepted-here.org> writes:
>I met a firmware designer tonight. I managed to suppress my instinct
>to rip his throat out.

Doesn't matter, he'll just install a new throat with next month's flash
upgrade.

Alan J Rosenthal

unread,
Feb 28, 2012, 8:37:53 PM2/28/12
to
ab...@127.0.0.1 writes:
>And furthermore, how many times do I need answer "yes I am $FOO" to
>make it come true?

Every time you don't believe you're foo, a foory dies.

Kevin Goebel

unread,
Feb 29, 2012, 1:45:46 AM2/29/12
to
On Tue, 28 Feb 2012 16:26:56 +0000, John Burnham <jo...@jaka.demon.co.uk>
wrote:

>On Sun, 26 Feb 2012 12:12:50 +0000, Chris King wrote:

>> I got the "accident claim" slimeballs the other week, asking me if I
>> wanted to claim for the accident I'd had a couple of years ago...

><snip> Am I weird in that I don't even pick up the phone if I don't
>recognise the caller id ?
>I suppose picking it up and going
>"???????????”
>might confuse enough of the buggers to stop them calling again.

My response depends upon the mood I'm in. Sometimes I'll let the answering
machine screen the call, sometimes I'll pick it up. If a stranger asks for
me by name, I'll inquire as to who's calling and after a 15 second pause let
them know that "he isn't interested in speaking to you" or engage them in
conversation. I also like to use that tactic on repeat wrong number calls.

I occasionally play with poll or information gatherers, giving incorrect or
diametrically opposing answers to the direction they appear to be fishing
in. Other times I'll instruct them to remove my phone number from their
database (fat lot of good that will do) and hang up on them before they can
reply.

Kevin Goebel

Kevin Goebel

unread,
Feb 29, 2012, 1:45:53 AM2/29/12
to
On Tue, 28 Feb 2012 21:59:39 +1100, TimC
<tcon...@rather.puzzling.no-spam-accepted-here.org> wrote:

>On 2012-02-28, Niklas Karlsson (aka Bruce)
> was almost, but not quite, entirely unlike tea:
>> On 2012-02-28, TimC <tcon...@rather.puzzling.no-spam-accepted-here.org> wrote:
>>> Ah, ACLs. My new NAS box does interesting things with them. By
>>> default, not overridable. Until you ssh in and install hooks for
>>> after nfs creation succeeds.

>> For our sins we were cursed with a couple of Argtrne ErnqlANF 4300. What
>> the web gooey says the ACLs contain appears to bear absolutely no
>> relation to reality.

>I met a firmware designer tonight. I managed to suppress my instinct
>to rip his throat out.

Shame on you! Say 10 Lorem Ipsum's and abstain from alcoholic beverages for
two weeks.

Kevin Goebel

Wojciech Derechowski

unread,
Feb 29, 2012, 2:03:19 AM2/29/12
to
On 2012-02-24, Joe Thompson <sp...@orion-com.com> wrote:
> E.g. with SSL the basic authentication with a self-signed cert or one
> signed by an unknown CA is "I hold the private key corresponding to the
> public one presented here" -- which assertion is authenticated by the
> fact that SSL works. And should the presented key change in the future
> or SSL simply stop working, it ought to raise suspicion that something
> has happened (or alternately that something that was formerly happening
> has stopped...).

Apparently, if two RSA public keys A, B have a common factor C such that A=CX
B=CY, you can use Euclid's algorithm to find C as GCD of <A, B>, and resolve
for X, Y by simple division, which was done for some available public
key databases. http://eprint.iacr.org/2012/064.pdf.

WD
--
Who is Entscheidungs and what is his problem?

mrob...@att.net

unread,
Feb 29, 2012, 4:14:26 AM2/29/12
to
TimC <tcon...@rather.puzzling.no-spam-accepted-here.org> wrote:
> On 2012-02-28, Niklas Karlsson (aka Bruce)
> was almost, but not quite, entirely unlike tea:
>
>> For our sins we were cursed with a couple of Argtrne ErnqlANF 4300.
>> What the web gooey says the ACLs contain appears to bear absolutely
>> no relation to reality.
>
> I met a firmware designer tonight. I managed to suppress my instinct
> to rip his throat out.

What did you do to him instead? Choking? Chest constriction?
Drowning?

Venom?

Matt Roberds

Robert Uhl

unread,
Feb 29, 2012, 8:59:08 AM2/29/12
to
Shmuel (Seymour J.) Metz <spam...@library.lspace.org.invalid> writes:
>
>>I say I'm Joe Thompson, but anybody could say that.
>
> To complicate matters, sometimes what you want to prove is not that
> you actually are Joe Thompson but rather that you are the same person
> as the guy calling himself Joe Thompson last week.

Ah yes, TOFU/POP, which makes a great deal of sense to me.

--
Robert A. Uhl

Cipher

unread,
Feb 29, 2012, 5:42:27 PM2/29/12
to
I was under the impression this was a long-known (read: a decade old)
issue with assymetric[1] encryption?



[1] Yes, I know it's miss spelled. I liked it better this way.
--
The word "urgent" is the moral of the story "The boy who cried wolf". As
a general rule I don't believe it until a manager comes to me almost in
tears. I like to catch them in a cup and drink them later.
-- Matt Holiab, in the Monastery

Wojciech Derechowski

unread,
Feb 29, 2012, 7:25:49 PM2/29/12
to
On 2012-02-29, Cipher <nota...@hotmail.com> wrote:
> On 2/29/2012 2:03 AM, Wojciech Derechowski wrote:
>> On 2012-02-24, Joe Thompson<sp...@orion-com.com> wrote:
>>> E.g. with SSL the basic authentication with a self-signed cert or one
>>> signed by an unknown CA is "I hold the private key corresponding to the
>>> public one presented here" -- which assertion is authenticated by the
>>> fact that SSL works. And should the presented key change in the future
>>> or SSL simply stop working, it ought to raise suspicion that something
>>> has happened (or alternately that something that was formerly happening
>>> has stopped...).
>>
>> Apparently, if two RSA public keys A, B have a common factor C such that A=CX
>> B=CY, you can use Euclid's algorithm to find C as GCD of<A, B>, and resolve
>> for X, Y by simple division, which was done for some available public
>> key databases. http://eprint.iacr.org/2012/064.pdf.
>
> I was under the impression this was a long-known (read: a decade old)
> issue with assymetric[1] encryption?

Probably much longer than that since the fact itself is trivial. However, the
article gives some perspective on how big an issue it is in the real world;
pp. 8, 14.

> [1] Yes, I know it's miss spelled. I liked it better this way.

Now that you mention it, so do I.
0 new messages