On 1/12/2015 11:36 AM, i...@thargoid.co.uk wrote:
> Forwarding to the list as I seemed to have managed to leave it off.
> Apologies.
>
>
>>
>>> Knowledge is easier to duplicate than a physical item. You mentioned the
>>> ATM attack.
>>
>> Incorrect. Knowledge cannot be duplicated if there is no basis for that
>> knowledge.
>>
>> For instance, it was not possible for archeologists to decipher ancient
>> Egyptian hieroglyphics before the discovery of the Rosetta Stone in 1799
>> - before this, there was no basis for knowledge of the language.
>
> Really? Are you honestly saying that because they did not know what the
> hieroglyphics meant, they were unable to copy them?

They were unable to decipher them. It has nothing to do with copying.

>>
>> The same is true for passwords. If you don't have a basis for knowledge
>> of the password's construction, it is impossible to duplicate that
>> password in any reasonable length of time.
>>
>> For instance - let's see you duplicate the password to one of my
>> servers. You won't be able to do it, because it's random and I don't
>> have it written down anywhere. Even if you steal every one of my
>> computers, it won't help you at all, because it's not stored on any of
>> them.
>
> What if I stand over your shoulder with a video camera and video you
> typing? Or

I would shoot you.

> indeed install a keylogger on your machine?
>

You'd first have to compromise my machine. And that you can't do.

> You seem to be confusing duplicate with understand, or maybe you are
> just confusing me :)
>
>>
>>>
>>>>
>>>> How do you define security?
>>>
>>> I don't need to. There is already a definition in English for this:
>>>
>>> http://dictionary.cambridge.org/dictionary/british/security
>>
>> I happen to agree with Joel here. I don't want to know the dictionary
>> definition - I want to know YOUR definition of security.
>>
>
> Semantics is a boring argument. If you wish, tell me yours and I will
> tell you mine (oooh err missus ;)
>

You were asked first. How about putting up?

>
>> <snip>
>>
>>>>> ) my fingerprint (being something I am)
>>>>
>>>> You sure it's not something you have?
>>>
>>> Nope - I am pretty sure it is something I am, within the context of the
>>> above statement.
>>>
>>
>> A fingerprint is something you HAVE. It is present on your body; it is
>> NOT something you are. You can leave a fingerprint on a glass, for
>> instance, and it doesn't affect you at all.
>
> Jerry - just cos you shout does not mean you are more RIGHT.
>

And repeating something ad nauseam doesn't make you right.

> Again, within the context of the above statement it is. You may
> disagree. Fair enough.
> <snip>
>

You need to learn the difference between "is" and "has". They are two
entirely different concepts, but you seem to have them mixed up.

>>>>
>>>>> is more
>>>>> secure than a password.
>>>>
>>>> Unless someone chops your hand off to steal your BMW.
>>>
>>> Again - implementation. Is the hand warm? Is there a pulse?
>>>
>>
>> Not part of the fingerprint - but again, these can be duplicated - a
>> latex glove with the fingerprint etched into it, for instance.
>
> May or may not work, depending on the implementation.
>

It has been proven to work. That's one reason fingerprints alone are not
used for government security.

>>
>>>>
>>>>> Also, an ssh-key (being something I have
>>>>
>>>> Now there's an interesting assertion. It seems reasonable, if one
>>>> accepts certain implicit, arbitrary boundaries between the three
>>>> classes of tokens invoked above.
>>>>
>>>> -- seems reasonable --
>>>>
>>>>> ) is more
>>>>> secure than a password.
>>>>
>>>> And, yet, it is no more secure than the user account on the machine in
>>>> which it is stored.
>>>
>>> OK sure - but we are discussing how to authenticate to an account right?
>>>
>>
>> We are discussing how to authenticate an account on another machine. If
>> your key is on your machine, and I steal your machine, I can break the
>> passphrase your key uses. It may take a while, but it will be a lot
>> faster than if that same passphrase were used as a password to your
>> server.
>
> Is this due to being limited over the network for the number of tries?
> What if I delete
> the key on the server when my machine is stolen? What if I generate new
> keys every week?
>

It is so easy for me to prevent that it isn't even funny. All I need to
do is copy the keyfile (or indeed, the entire disk) to another machine.
In fact, that's what I'll probably do, anyway. That way I can access all
of your data without even booting your machine.
Of course, if your disk is encrypted, that becomes another problem.
But then you have to use a password to decrypt the disk...

>>
>>>
>>> Something you have and something you are have to be digitised, to
>>> produce a
>>> token that can be used to prove your identity to a computer system.
>>> That is
>>> part of the implementation.
>>>
>>
>> Everything you have mentioned is something I "have". I "have" knowledge
>> of a long, random password (not stored anywhere else). I "have" a key
>> stored on my computer (protected by a password). I "have" a fingerprint.
>>
>
> In your opinion. Not in mine (within the context of this discussion)
>

You seem to have difficulty in understanding "have" versus "is".

>> And the security of these three items is in DESCENDING order.
>
> In your opinion. Again, shouting does not make you right.
>
> Iain
>
>>
>> Jerry
>
>

And once again, repeating ad nauseam doesn't make YOU right. You should
learn from some REAL security experts, not the internet.

Jerry

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/54b3fb71.3060...@gmail.com