[cryptography] [OT] any updates on shellshock?

ianG iang at iang.org
Tue Oct 7 04:07:19 EDT 2014


On 4/10/2014 17:57 pm, Jeremy Stanley wrote:
> On 2014-10-05 10:38:38 +1000 (+1000), James A. Donald wrote:
>> On 2014-10-05 10:34, James A. Donald wrote:
>>> On 2014-10-05 07:49, Jeremy Stanley wrote:
>>>> This is pretty off-topic as it has nothing whatsoever to do with
>>>> cryptography.
>>
>>> It has everything to do with cryptography.
>>>
>>> The greatest failing of cryptographers has always been to produce a
>>> fortress with a mighty impenetrable door in two foot paling fence.
>>
>> And anyone who draws attention to the fact that the fence is only
>> two feet tall is told that the fence is out of scope.
> 
> And if random security vulnerabilities are on-topic for discussion
> here, we might as well just be reading bugtraq/fulldisc/.../4chan
> instead.


Although I don't particularly like it, I have to agree with Donald.

The value of cryptography is limited by the applicability of its benefit
to the real world.  We can probably agree that there is a valid science
in theoretical cryptography for elegance's sake and pedagogical purposes.
But almost all traffic on this list is in the domain of the practical,
the useful.

Digression.  The 1024 in 20m attack (other thread) reminds me of an
attack on a money system circa 2000, told to me by Dani Nagy.  The
attacker announced that he had found a breach in the money system, in
which he could double his money.  He offered that anyone could send him
X, he would send back double X to prove his breach.

Which he did.  For quite some time and several events.  The company
investigated, and said it could find no bug.  Eventually, it was agreed
that there was no breach, the attacker was simply paying out the double
claim, from his pocket.

The attack was not on the system, but on the reputation of the system.
It did tremendous damage, as many people decided to mistrust the system,
and growth was stalled for a while.



Balance is a perfectly important property of a system.  There really is
little point in building a safe door into a paling fence, yet
cryptographers and security people typically fall to the 'out of scope'
bug far more often than we'd like, thus rendering their system as out of
balance as the fortress with the paling fence.

Understanding the weakness of the core & average platforms has always
been in scope for deciding balance.



iang


