From: Martin Karlsson
To: FreeBSD Questions
Subject: Re: Lockdown of FreeBSD machine directly on Net
Date: Thu, 8 Nov 2001 17:27:55 +0100
Message-ID: <20011108172755.A1542@foo31-249.visit.se>
In-Reply-To: <20011107154930.A7915@student.uu.se>; from ertr1013@student.uu.se on Wed, Nov 07, 2001 at 03:49:30PM +0100

Or even watching the sysadmin write in the root password through
binoculars from across the street. That's bad; I for one hate working
in a room without windows (glass ones, that is ;)).

/Martin

* Erik Trulsson (ertr1013@student.uu.se) wrote:
> On Wed, Nov 07, 2001 at 02:56:58PM +0100, Anthony Atkielski wrote:
> > Erik writes:
> >
> > > There is no such thing as 100% security.
> >
> > Sure there is. Shannon proved it. Some spies and spooks implement it.
>
> No, there is no such thing as 100% security.
> I assume your comment about Shannon refers to such things as
> unbreakable cryptos, of which the One-Time-Pad is the best known.
> This is not the same thing as 100% security though.
> To get 100% security you also need to protect yourself against attacks
> such as:
>
> a) Somebody breaking into the office and stealing the computers.
> b) Calling the sysadmin, pretending to be his boss and convincing him
>    to open a hole.
> c) Reading the password from a Post-It note which some careless
>    legitimate user left around.
> d) Sweet-talking the secretary into letting them in.
> e) Bribing the sysadmin.
> f) Kidnapping the person who knows the password and torturing him/her
>    until he/she reveals it.
> g) Blackmail.
>
> Unless you are fully protected against all these (and many other
> possible attacks) you do not have 100% security.
> You might have very good security, but not 100%.
>
> To get a secure system it is not enough to consider things like
> cryptography and network protocols, although those are important.
> It is also necessary to take into account attacks based on social
> engineering or physical break-ins.
>
> > > This is a case where persistence is exactly what
> > > is needed to crack the system. One simply tries
> > > every possible password until one succeeds.
> >
> > With random eight-character alphanumeric passwords and five Telnet login attempts
> > per second, this will take about 1.25 million years, on average, far longer than
> > the lifetime of any attacker, persistent or otherwise. In other words, the
> > system is completely secure in this context through computational feasibility,
> > and you can make it theoretically 100% secure as well by installing a lockout
> > after a certain number of bad password attempts.
>
> The cracker might get lucky and guess the password on the first try.
> The probability of this happening is extremely low, but it is non-zero.
> Therefore this is not theoretically 100% secure, although in practice it
> is quite secure.
>
> Note: When I say 100% security above I really do mean 100%. I do not
> mean 99.99999% security, which might well be obtainable (but probably
> prohibitively expensive, since the cost of implementing such a level of
> security is likely higher than that which it is supposed to protect.)
>
> --
> Erik Trulsson
> ertr1013@student.uu.se

--
------------------------------------------------
Martin Karlsson martin.karlsson@visit.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
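The brute-force arithmetic the two posters are arguing over, worked through as an added example (this is not code from the mailing-list thread). It assumes a uniformly random password drawn from an alphabet of a given size, an attacker who never repeats a guess, and the thread's figures of an 8-character alphanumeric (62-symbol) password at 5 guesses per second; the function names and the year length are my own choices.

```python
"""Brute-force budget for a random password (added example, not from the thread).

Assumptions: the password is chosen uniformly at random from the full
keyspace, the attacker tries distinct guesses at a fixed rate, and a year
is 365.25 days. Alphabet size, length and rate are parameters so the
reader can plug in their own policy.
"""
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols over the alphabet."""
    return alphabet_size ** length


def expected_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Mean time to hit a uniformly random password by exhaustive guessing.

    The attacker tries half the keyspace on average before succeeding,
    so the expectation is (N / 2) / rate.
    """
    n = keyspace(alphabet_size, length)
    return (n / 2) / guesses_per_second / SECONDS_PER_YEAR


def success_probability(alphabet_size: int, length: int, attempts: int) -> float:
    """Probability that `attempts` distinct guesses include the password.

    Each distinct guess hits with probability 1/N, so k guesses succeed
    with probability k/N. A lockout after k bad attempts caps the
    attacker at exactly this number, which is small but never zero, which
    is the point Erik makes in the thread.
    """
    n = keyspace(alphabet_size, length)
    return min(attempts, n) / n


def guesses_for_probability(alphabet_size: int, length: int, p: float) -> int:
    """Smallest number of distinct guesses giving success probability >= p."""
    n = keyspace(alphabet_size, length)
    return math.ceil(p * n)


def main() -> None:
    alnum = len(string.ascii_letters + string.digits)  # 62 symbols: a-z, A-Z, 0-9
    length, rate = 8, 5.0  # the thread's scenario: 8 chars, 5 Telnet logins/sec
    print(f"keyspace:        {keyspace(alnum, length):,}")
    print(f"expected years:  {expected_years(alnum, length, rate):,.0f}")
    for lockout in (3, 10, 1000):
        p = success_probability(alnum, length, lockout)
        print(f"lockout after {lockout:>4} tries: P(success) = {p:.3e}")
    print(f"guesses for a 1% chance: {guesses_for_probability(alnum, length, 0.01):,}")


if __name__ == "__main__":
    main()
```

With the 62-symbol alphabet the mean search time comes out at roughly 0.7 million years rather than the 1.25 million quoted in the thread; the order of magnitude is what matters, and the lockout line shows why a rate limit changes the attacker's odds from "eventually" to a fixed k/N that is tiny but not zero.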