OT handheld security

passwords and other shared-secret paradigms are "something you know" authentication ... out of the 3-factor authentication model.

some number of the tokens are "something you have" authentication ... but they also use some sort of "secret" to "prove" the possession of a unique object. the issue in the "secret" paradigms ... is that the threat model involves leakage of the secret (especially when it is stored and used in so many places) and cross-domain exploits ... i.e. passwords and/or secret-based tokens require a unique value for every security domain ... as a countermeasure to entities in one domain attacking another domain, a form of insider attack as opposed to various outsider attacks skimming/harvesting the secret.

part of the requirement for frequent secret changes is that secrets can leak (guessing, skimming, eavesdropping, harvesting) without the entities being aware ... and then authentication replay attacks. this can happen with some forms of tokens (like magstripe), which may also be susceptible to eavesdropping, skimming, harvesting attacks and the creation of counterfeit tokens for replay attacks. The issue with a purely "something you have" token is that the person can notice a lost/stolen compromise and report it. However, a guessing, skimming, eavesdropping, harvesting compromise might occur without the person being aware of it happening.

for cross-domain exploit and other reasons, there has also been an institution-centric paradigm for hardware tokens ... i.e. each institution issues their own hardware tokens. I've frequently commented that if this were to ever take off ... you then would have one hardware token for every pin/password (which is scores or even on the order of a hundred for some people).

I've periodically drawn the analogy with the mid-80s use of unique floppy disks as a DRM paradigm for application programs ... i.e. the appearance of hard disks was evolving installation of applications. There was early use of specially coded floppy disks as a DRM countermeasure to software pirating. If this paradigm ever had a large uptake ... there could be computers with hundreds of associated unique floppy disks (one per application) that the person would have to continually shuffle as they switched between applications. In the case of emerging token use, having a hundred or so tokens stuffed into a (very large) pocket. As an aside, about the time of the ibm-pc announcement there was some investigation into adding a unique serial number chip to each motherboard and a software licensing paradigm ... similar to mainframe, based on storing the cpu identifier.

there are two-factor authentication schemes using both a pin/password ("something you know") and a token ("something you have") also as a countermeasure to lost/stolen tokens. the issue here is an assumption that the multiple factors are subject to independent vulnerabilities. however, you find some of the pin/magstripe implementations being vulnerable to a common skimming compromise (i.e. both the magstripe and the pin are recorded at the same time), invalidating the assumption about independent vulnerabilities.

a similar infrastructure problem showed up with the two-factor chip&pin deployments (with pin as countermeasure to lost/stolen token). the chip would present some static data authentication (as proof of having the unique "something you have") and then the infrastructure would ask the token if the correct pin was entered. the attackers would skim the static data (in much the same way that magstripes are being skimmed) and use it to produce a counterfeit "yes card". once the static data had been checked by the infrastructure, the chip would be asked some number of additional questions about business processes (like whether the correct pin was entered) ... and, of course, the counterfeit "yes card" would always answer "YES" (from where the exploit got its name). Again there wasn't an independent vulnerability for the PIN entry ... and assumptions regarding multi-factor authentication were no longer valid.

a few past posts discussing enabling token person-centric infrastructure as an alternative to institution-centric infrastructure ...
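The "yes card" exchange described in the post above, as an added simulation that is not part of the original post or of any EMV implementation. It is constructed for illustration: the PAN, PIN and keys are made up, and HMAC-SHA256 stands in both for the issuer's signature over the card's static data (SDA) and for the per-card key used in a dynamic cryptogram. The vulnerable terminal flow (`terminal_sda_offline_pin`) verifies only the static signature and then trusts the card's own answer to "was the PIN correct?", so a counterfeit loaded with skimmed static data passes with any PIN. The hardened flow (`terminal_dynamic_auth`) adds a fresh challenge that only a chip holding the card secret can answer, which is the property the static-data check lacked; the function and variable names are assumptions of this example.

```python
"""Constructed simulation of the chip&pin 'yes card' exploit (example only)."""
import hashlib
import hmac
import secrets

# Constructed issuer signing key; stands in for the issuer's private key.
ISSUER_KEY = b"constructed-issuer-signing-key"


def issuer_sign(static_data: bytes) -> bytes:
    """Signature the issuer places on the card's static data at personalisation."""
    return hmac.new(ISSUER_KEY, static_data, hashlib.sha256).digest()


class GenuineCard:
    """A real chip: holds a per-card secret that never leaves the chip."""

    def __init__(self, pan: str, pin: str, card_key: bytes):
        self.static_data = f"PAN={pan};EXP=12/29".encode()  # constructed values
        self.sda_signature = issuer_sign(self.static_data)
        self._pin = pin
        self._card_key = card_key

    def read_static(self):
        # Static data and its signature are readable by any terminal, or skimmer.
        return self.static_data, self.sda_signature

    def verify_pin(self, pin: str) -> bool:
        return hmac.compare_digest(pin.encode(), self._pin.encode())

    def cryptogram(self, nonce: bytes) -> bytes:
        # Dynamic response over fresh terminal data; requires the card secret.
        return hmac.new(self._card_key, nonce, hashlib.sha256).digest()


class YesCard:
    """Counterfeit built from skimmed static data; answers YES to everything."""

    def __init__(self, skimmed_static: bytes, skimmed_signature: bytes):
        self.static_data = skimmed_static
        self.sda_signature = skimmed_signature

    def read_static(self):
        return self.static_data, self.sda_signature

    def verify_pin(self, pin: str) -> bool:
        return True  # the "YES" that gives the attack its name

    def cryptogram(self, nonce: bytes) -> bytes:
        return bytes(32)  # no card secret, so it can only produce garbage


def terminal_sda_offline_pin(card, pin_entered: str) -> bool:
    """Vulnerable flow: check the static signature, then trust the card's PIN answer."""
    static, sig = card.read_static()
    if not hmac.compare_digest(issuer_sign(static), sig):
        return False
    return card.verify_pin(pin_entered)


def terminal_dynamic_auth(card, pin_entered: str, issuer_card_keys: dict) -> bool:
    """Hardened flow: a fresh challenge the card must answer with its own key."""
    static, sig = card.read_static()
    if not hmac.compare_digest(issuer_sign(static), sig):
        return False
    nonce = secrets.token_bytes(16)  # unpredictable, so replay of a skimmed answer fails
    response = card.cryptogram(nonce)
    card_key = issuer_card_keys.get(static)
    if card_key is None:
        return False
    expected = hmac.new(card_key, nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False  # counterfeit cannot produce this; its PIN answer is never consulted
    return card.verify_pin(pin_entered)


def build_scenario():
    """Genuine card, the issuer's record of its key, and a yes card cloned from a skim."""
    card_key = secrets.token_bytes(32)
    genuine = GenuineCard("4111111111111111", "1234", card_key)  # constructed test PAN/PIN
    issuer_card_keys = {genuine.static_data: card_key}
    skimmed_static, skimmed_sig = genuine.read_static()  # what a skimmer captures
    yes_card = YesCard(skimmed_static, skimmed_sig)
    return genuine, yes_card, issuer_card_keys


def run_demo() -> dict:
    genuine, yes_card, keys = build_scenario()
    return {
        "sda_genuine_right_pin": terminal_sda_offline_pin(genuine, "1234"),
        "sda_genuine_wrong_pin": terminal_sda_offline_pin(genuine, "0000"),
        "sda_yescard_wrong_pin": terminal_sda_offline_pin(yes_card, "0000"),
        "dyn_genuine_right_pin": terminal_dynamic_auth(genuine, "1234", keys),
        "dyn_yescard_wrong_pin": terminal_dynamic_auth(yes_card, "0000", keys),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {accepted}")
```

The third result is the exploit: the skimmed static data passes the signature check, and the PIN factor contributes nothing because the terminal asked the counterfeit to grade its own PIN entry. In the dynamic flow the counterfeit is rejected before the PIN question is ever asked, which restores the independence of the two factors that the post says the static-data design lost.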
Thread: The Fate of VM was: Baby MVS (alt.folklore.computers)