Comments on Jeremiah Grossman: Ceding the desktop security battle, almost the war

selenakyle (2010-05-06):
Jeremiah -- I don't think this can be classified as FUD because it's true. Or at least it's a plausible assumption, and a good one to work with if you're designing security controls. I talked about this a little bit in one of my recent blog posts about identity/authentication (http://www.allymiller.info/blog/risk/2010/02/63/).

What I'm not sure about, though, is whether the battle for the desktop is over. I think the issue is how far an online service provider will extend their own influence/boundaries in order to keep their customers' client machines secure. Do we want ISPs, social networks, or banks to dictate the standard to which our client security is held? Open question, not rhetorical...

Jeremiah Grossman (2010-05-06):
If ISPs are to be responsible, that means we'd have to be willing to give a large amount of privacy in exchange. Not everyone is going to be willing, but what choice is there?

brianlaflamme (2010-05-06):
Seems like this is part of a push towards authenticating the transaction instead of the session.

Gunter Ollmann (2010-05-06):
I'm glad that the FS-ISAC etc. are finally coming to realize the state of things. I've been harping on about this for several years now - particularly the aspect of businesses dictating what their own customers should do/use to protect themselves.

Back in 2008 I wrote a paper covering some of the things of how businesses can continue to operate and provide services to their customers - even if they can't trust their customers' computers. The paper is called "Continuing Business with Malware Infected Customers" (http://www.technicalinfo.net/papers/MalwareInfectedCustomers.html) and it's more valid today than it ever was.

Anonymous (2010-05-07):
We could all do our banking from a Live CD set up to do a VPN into the bank with basically a client that runs from the live CD. No viruses/trojans because, booted from a CD, the system is immutable. Each customer could have a "customized" CD that becomes a "thing you have" authentication, along with a password, a "thing you know".

Anonymous (2010-05-07):
I would recommend shipping the customers a liveCD once a system has been compromised. Limit the LiveCD to interacting with the approved site and hard code everything onto that CD.

Anonymous (2010-05-07):
Assuming the worst case scenario is not the same as accepting defeat. Rather, it is a necessary assumption of any successful strategy.

This applies not only to viral infections, but literally to any mathematical estimation problem. An algorithm that is not robust to the worst case scenario is not robust in any sense of the word.

Anonymous (2010-05-07):
Anonymous and matthew.stevens: This still does not work. A low-level rootkit (where hackers and organized crime are going) would still be able to compromise your live CD. Only trusted computing can help here (TPM, DRTM).

Please read about trusted computing and see ITL research (http://theinvisiblethings.blogspot.com/).

We have to drastically change the way we do computing. Today's operating systems are simply broken by design.

Shawn Sparks (2010-05-07):
A LiveCD only valid for a specific site is not an option. I use a couple of different financial institution sites, which means I would need two CDs with me any time I want to do financial work. It also means I have to reboot my machine each time. Of course, if you want to extend protection to credit card transactions, I now need a LiveCD mailed to me every time I want to buy something from a new site: eBay, Amazon, Newegg, etc. You could create some sort of standardized LiveCD approved by multiple sites, but the more power you give to it, the closer it gets to a normal machine today. Not to mention there is always the option of infecting the memory each time it boots. An infected router or network could really cause problems there, since updates would not come often if they have to mail you a new CD each time.

Ultimately, you cannot help someone who does not help themselves. If a person walks around with their bank URL and login credentials on their t-shirt, there is not much you can do to make their account secure.

Anonymous (2010-05-07):
When we are talking about improving security for the masses, high-assurance web site owners need to do something about the other end of the connection... they CANNOT rely on the socially engineered, non-technically savvy and non-risk-aware end users they typically serve.

Regardless of the myriad of technology we may attempt to apply to the problem, the first step is for the web site owners to step up and take ownership or consider turning off their service (hint: banks save|make too much $$ from online FI to stop). Heck, they turned on HTTPS, so they made a value judgment on protecting the data in transit. They just need to extend it one more step... to the desktop, as it is their brand, their cost efficiencies, etc. that compel their web sites to be available in the first place.

Anonymous (2010-05-07):
A Live CD has to be loaded into memory in order to run; if the system is loaded into memory it is not immutable.

Anonymous (2010-05-08):
...AND THIS IS YOUR FAULT.

When hardware, operating systems and security tools are purposely designed to deceive users (translate: collect their data), you can bet that all those holes will be used.

Let's stop this hypocrisy. It's time to admit that this culture of treachery has hidden costs.

Chris Snyder (2010-05-09):
"If a person walks around with their bank URL and login credentials on their t-shirt, there is not much you can do to make their account secure."

ARGH, that's exactly it. Your router knows your bank URL, and can inject a keylogger into any executable or firmware update you download. T-shirt or not, there is not much you can do to make your account secure if your local network and/or desktop is compromised.

LiveCDs aren't the way. Banks need to limit the kinds of transactions that can happen online, and we need to stop pretending that users have secure systems.

You can do a lot with an insecure system, like email, for instance. But there is a whole class of functionality that you would just never build on email because you know it is transmitted over public networks and stored in discoverable archives.

Banking, medical records, legal advice, intimate conversation: none of these things should really be done over the internet; or they should be strictly limited to reversible, discoverable actions.

kingthorin (2010-05-18):
@Jeremiah
"do they suspend all transactions and incur support costs to help the customer fix their PCI before allowing money to move?"

PCI vs PC... Freudian slip?

Jeremiah Grossman (2010-05-18):
@kingthorin LOL. Good catch! No comment. :)