|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Dailydave] How T-Mobil's network was compromised
From: Chris Kuethe (chris.kuethe
gmail.com)
Date: Thu Feb 17 2005 - 15:11:14 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, 17 Feb 2005 14:12:33 -0600, Richard Porter <rwportergmail.com> wrote:
> That is a great point (And made me really think about it) but do you think
> it would be a back door into the PGP implementation?
Yes. You're not going to be sending huge SMS or email messages - it
wouldn't be hard to send an "archival" copy of source and dest emails
and pgp key ids and the plaintext to some log server. I mean, you'll
have to display the message sometime, unless you choose to somehow get
the ciphertext off and process it on a safer machine (maybe using
something like gnokii?)
> Or do you think logical separation between communication encryption
> and data at rest encryption can be achieved?
We already have that capability, we just don't use it.
There's the not-particularly-great A5 stream cipher sometimes used on
GSM, or the enhanced voice privacy on CDMA which is never used. If you
want to transport other encrypted bytes over it fine. The problem is
not the link layer: it's radio, it's got weak or no encryption, just
don't trust it.
The problem is at the application layer: you have a message, in a
well-defined format, supposedly correctly encrypted. One problem: the
application to encrypt and decrypt this sort of message has been
provided to you by a party with a legal requirement to assist law
enforcement with communications interception. Sure, the bytes are
secure in their transport format, but the instant you punch in your
key, the app could be phoning home. And it might be doing do without
turning on the phone-in-use indicator. Or maybe it'll hide as a
subliminal channel while you're actually talking on the phone.
Yes, it's paranoia, but I bet a lot of us have at least a little
paranoia in our job descriptions.
CK
--
GDB has a 'break' feature; why doesn't it have 'fix' too?
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]