
Path: ...!Xl.tags.giganews.com!local-1.nntp.ord.giganews.com!nntp.earthlink.com!news.earthlink.com.POSTED!not-for-mail
NNTP-Posting-Date: Fri, 25 Oct 2024 05:09:39 +0000
Subject: Re: Torvalds Slams Theoretical Security
Newsgroups: comp.os.linux.advocacy,comp.os.linux.misc
References: <pan$26699$6602b79b$4abe425a$df32a923@gnu.rocks>
 <_OmcnZpYmdE-PYX6nZ2dnZfqn_udnZ2d@earthlink.com>
 <wwvldyfmenf.fsf@LkoBDZeT.terraraq.uk>
From: "186282@ud0s4.net" <186283@ud0s4.net>
Organization: wokiesux
Date: Fri, 25 Oct 2024 01:09:38 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <wwvldyfmenf.fsf@LkoBDZeT.terraraq.uk>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Message-ID: <SISdnRicAKGOtYb6nZ2dnZfqnPqdnZ2d@earthlink.com>
Lines: 62
X-Usenet-Provider: http://www.giganews.com
NNTP-Posting-Host: 99.101.150.97
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your complaint properly
X-Postfilter: 1.3.40
Bytes: 3870

On 10/23/24 4:01 AM, Richard Kettlewell wrote:
> "186282@ud0s4.net" <186283@ud0s4.net> writes:
>>    The problem is State-funded actors these days and the MASSIVE
>>    computing power they can bring to bear.
> 
> Well, it’s _a_ problem, for people and organizations who are realistic
> targets of state actors. But (for example) for most private individuals
> the biggest threat is criminals trying to access their bank account or
> credit card.
> 
>>    At least SOME of those "theoretical" attack vectors CAN become real
>>    attack vectors.
>>
>>    But WHICH ???
> 
> The obvious answer is attacks on weak cryptography. RSA-1024 and DH-1024
> are probably breakable by the biggest SIGINT agencies (and anyone else
> with comparable compute resources: cloud service providers for example).
> 
> https://weakdh.org/imperfect-forward-secrecy.pdf attempted to analyse
> this (among other things) nearly a decade ago, as a concrete example.

   Um ... even weak crypto takes a lot of CPU time to
   decode.

   Direct access to corp computers, where the victim's
   system is doing all the work, via fake or compromised
   corp users - I think *that* is the "biggest problem"
   relative to data theft.

   A lot of THAT involves "human engineering" - scams
   that most ordinary workers will never detect despite
   good 'educational' efforts. Scammers are VERY sneaky.

   However, poor security/auth measures and un-monitored
   external access also play a role - corp laziness
   and/or budget limitations.

   It's not just *a* problem - but weakness at a number
   of levels.

   Vlad's boyz have the time and resources to go after
   ALL of them - over and over and over - until chinks
   in the armor are found. Victims generally do NOT
   have the resources, IQ/$$$, to defend.

   Oh, and the golden gate to bank accts and industrial
   control systems and such are all the numbers/data Vlad's
   boyz steal - the stuff you use to prove you are you.

   Oh, today's news - another health-care system finally
   admits to being severely compromised ... 100 MILLION
   detailed records stolen. Sorry, but everyone needs
   all-NEW numbers for everything, like TOMORROW.
   Otherwise, when They hit, the hit will be TOTAL, so
   large, deep and wide there will be no good fixes.
   A nuke attack without a single mushroom cloud.

   This is the world we have (mis)-made.

   SO - Linus is *partially* correct, but also partially wrong.
   It's the "wrong" fraction that's so worrisome.