Secure passwords?

Subject Author Date
Secure passwords? AV 11-30-2005
---> Re: Secure passwords? Borked Pseudo M...12-01-2005
---> Re: Secure passwords? Borked Pseudo M...12-01-2005
---> Re: Secure passwords? Thrasher Remail...12-02-2005
`--> Re: Secure passwords? Hairy One Kenob...12-10-2005
Posted by Juergen Nieveler on December 1, 2005, 4:31 am

> Call me crazy if you will, but I'm of the opinion that you should not
> be entering ANY password, whether asterisk protected or not, while
> someone is looking over your shoulder.

The question is whether you'd actually notice somebody looking -
Tempest-attacks exist, as do binoculars. Oh, and whatever became of that
theoretical attack where somebody wanted to use the light reflected on
the wall to read the screen?


Juergen Nieveler
--
Man who scratch ass should not bite fingernails.

Posted by nemo_outis on December 1, 2005, 9:23 am

>
>> Call me crazy if you will, but I'm of the opinion that you should not
>> be entering ANY password, whether asterisk protected or not, while
>> someone is looking over your shoulder.
>
> The question is whether you'd actually notice somebody looking -
> Tempest-attacks exist, as do binoculars. Oh, and whatever became of that
> theoretical attack where somebody wanted to use the light reflected on
> the wall to read the screen?
>
>
> Juergen Nieveler



If you would not notice somebody looking (or other forms of surreptitious
observation and/or recording) there is something desperately wrong, either
with you or with your environment.

I take it as axiomatic that physical security of the computing environment
has been established before all else; otherwise all the other safeguards, no
matter how elegant, no matter how many bits of encryption they include, are
a castle built on sand.

If, however, rather than the computing environment being insecure, it is
oneself who is oblivious, then, again, no technical tricks will rescue one
from the consequences.

Regards,

PS Yes, there can be specialized circumstances where physical security is
weak (e.g., at a public ATM) and asterisked passwords have some limited
value, but, in general, asterisked passwords are mostly frippery. In a
situation where they are not needed, they are an annoyance; in a situation
where they might be needed, they are grossly inadequate.

And, further, there can be other situations intermediate between the two
cases (e.g., firing up your laptop in an airport lounge). However, even
here, asterisks would be a very feeble reed to rely on. No, secure the
environment first - otherwise you are gambling on the adversary's absence
or ineptitude, not the strength of your system. Like Russian roulette, it
is a gamble that you may sometimes win, but that doesn't make it any less
imprudent.


Posted by Juergen Nieveler on December 2, 2005, 4:23 am

> If you would not notice somebody looking (or other forms of
> surreptitious observation and/or recording) there is something
> desperately wrong, either with you or with your environment.

Please note that I included Tempest-attacks. Is your house
tempest-shielded?

Juergen Nieveler
--
I don't like abuse, but I'm very good at it

Posted by nemo_outis on December 2, 2005, 1:27 pm

>
>> If you would not notice somebody looking (or other forms of
>> surreptitious observation and/or recording) there is something
>> desperately wrong, either with you or with your environment.
>
> Please note that I included Tempest-attacks. Is your house
> tempest-shielded?
>
> Juergen Nieveler



Nope, not required as a result of my risk and threat assessments. Nor
is protection against laser interferometry on windows and a few other
exotic attacks.

However, I have posted on how to tackle threats such as Tempest related
attacks, including my preference for older low-MHz laptops (lesser emsec
concerns, no exposed cables, no need to isolate power supplies, possible to
use RF-shielded enclosures rather than shielded rooms, etc.). Constructing
full room-size high-MHz Faraday cages is a bear - the grounding aspects
alone present significant challenges (as do seals, conduits, air exchange,
etc.)

Despite your gibe, physical security does not mean that one must always
escalate to Fort Knox. No, it means that the level of physical security
should be commensurate with the threats, the risks they pose, and the
consequences of security breaches. However, all but the very lowest levels
of physical security require freedom from direct visual observation by
others.

But you knew that already; it's just fun to tease me :-)

Regards,



Posted by lyalc on December 3, 2005, 8:15 pm
Actually, if you think about it, low speed systems are much, much easier to
detect/compromise, in a tempest sense.

Signal emissions are usually the first 5-20 harmonics of the clock speed.
A clock of 100 MHz probably needs a receiving AND PROCESSING bandwidth of
500-1000 MHz.

A clock speed of 3 GHz can mean a processing bandwidth (analog or digital)
exceeding 10 GHz.
That's a fairly expensive set of kit, super-computing scale, not suitcase
sized, portable gear, especially if you are looking for near-real-time
recovery, not SETI-style post analysis.
Often, these higher frequencies have much less energy/radiated power than
lower speed clocks, for a variety of technical reasons.
So the detection range (signal over noise) is probably much less,
potentially minimising the 'volume' of risk.

Just my 20cents worth.

Lyal

>
> >
> >> If you would not notice somebody looking (or other forms of
> >> surreptitious observation and/or recording) there is something
> >> desperately wrong, either with you or with your environment.
> >
> > Please note that I included Tempest-attacks. Is your house
> > tempest-shielded?
> >
> > Juergen Nieveler
>
>
>
> Nope, not required as a result of my risk and threat assessments. Nor
> is protection against laser interferometry on windows and a few other
> exotic attacks.
>
> However, I have posted on how to tackle threats such as Tempest related
> attacks, including my preference for older low-MHz laptops (lesser emsec
> concerns, no exposed cables, no need to isolate power supplies, possible
> to use RF-shielded enclosures rather than shielded rooms, etc.).
> Constructing full room-size high-MHz Faraday cages is a bear - the
> grounding aspects alone present significant challenges (as do seals,
> conduits, air exchange, etc.)
>
> Despite your gibe, physical security does not mean that one must always
> escalate to Fort Knox. No, it means that the level of physical security
> should be commensurate with the threats, the risks they pose, and the
> consequences of security breaches. However, all but the very lowest
> levels of physical security require freedom from direct visual
> observation by others.
>
> But you knew that already; it's just fun to tease me :-)
>
> Regards,
>
>


