Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Don Y <blockedofcourse@foo.invalid>
Newsgroups: sci.electronics.design
Subject: Re: German state gov. dicthing Windows for Linux, 30k workers
 migrating.
Date: Tue, 9 Apr 2024 11:12:18 -0700
Organization: A noiseless patient Spider
Lines: 38
Message-ID: <uv40e8$cgom$2@dont-email.me>
References: <uuqirt$6kgh$1@solani.org>
 <jgp21jl76nk0c3064ss3pbfq5pboav93hp@4ax.com>
 <5qb31j9c2ia9a6h2fr50onqa2vp4d4bsfm@4ax.com>
 <3hf31j9d0uq5b9imcq94b495c3hclbjv79@4ax.com>
 <1qrnmxu.99joma1j6s84iN%liz@poppyrecords.invalid.invalid>
 <uuuto0$2vka9$1@dont-email.me>
 <1qroud8.1ot9y7y1yrh1ywN%liz@poppyrecords.invalid.invalid>
 <uv13tc$3jc5k$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 09 Apr 2024 18:12:27 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="d6b71d49a81f2c3a2b5d1b3ff8ae8c98";
	logging-data="410390"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX189yEMcCkPqppv6Ybjti/df"
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.2.2
Cancel-Lock: sha1:YQ6nKuqrtudG5WsJRW+Mk/apuxA=
Content-Language: en-US
In-Reply-To: <uv13tc$3jc5k$1@dont-email.me>
Bytes: 3015

On 4/8/2024 8:53 AM, Don Y wrote:
> You also would be surprised at how much information "leaks" from naive
> encoding strategies.  E.g., if you know (or suspect) the format of the
> content, you can often deduce the coding algorithm.

This is my all-time favorite -- laughable -- take on "security":

<https://community.hpe.com/hpeb/attachments/hpeb/hpsc-46/6970/1/UserGuide.pdf>

This is (was) *sold* as "Secure Web Console".

By a "reputable" company with very deep pockets!

The product idea was excellent!  Provide a means of accessing the
serial console on a remote computer over the internet.  So, you could
troubleshoot boot problems and other issues in cases where the
server/host in question hadn't yet booted *or* had lost IP connectivity.

Essentially, you build a one-port terminal server and glue a web server
on the outfacing side.  An administrator can then access the web server
(from any web client) and have his keystrokes passed through to the
attached serial console and the output from said console painted into
his web browser's display.

Easy peasy!

But, the data stream is naively "encrypted" with a simple substitution cipher.
The cipher is stateless so characters can be decoded without regard for where
in the data stream they are encountered.  (i.e., a packet sniffer's paradise).

And, the decode operation is:
    chat cleartext = crypttext ^ 0x37;

Seriously?  What *idiot* thought to put "Secure" in the product's title???

("I locked my front door -- and put the key under the mat so I would
always know where I had left it...")