[FoRK] DNT: another example of "you can't make this shit up"

Stephen D. Williams sdw at lig.net
Tue Oct 16 22:30:30 PDT 2012

On 10/16/12 1:24 PM, Gregory Alan Bolcer wrote:
> http://imgs.xkcd.com/comics/identity.png
> You are the same person who came in and set up the server.  Do you truly ever really know someone?

You only ever know someone to a certain level of certainty.  Truly patient and clever attackers can overcome nearly any measure, 
although success becomes increasingly unlikely with good practices and countermeasures.  It's a good thing I don't tend toward 
paranoia as I constantly see ways that I could be being gamed, monitored, etc.  I prefer to have fun with my imaginary nemesii (Hi 
guys!). The best strategies are:
   Bore (too much discussion on FoRK),
   bankrupt (too much too sophisticated traffic, far too many TB to copy or analyze quickly),
   bashful (embarrass),
   bully (deliberately bait),
   beat (know your rights and how to fight back / gain advantage when necessary),
   backup (everything, multiple ways),
   better (better tech; avoid Windows, build your own kernels/system (used to be Linux, now Android)), and
   baffle (unlimited curiosity, read everything).

The 8B security system.

> Modern PKI-based security is just kabuki theater chasing turtles all the way down a rabbit hole.

PKI itself can be very strong, however total strength depends on consistently secure practices at every level.  This seldom happens, 
although DoD, Treasury, and Justice Departments come close for some purposes.  I've used and implemented systems of the first and 
played a key but limited role in development and implementation of PKI in the latter two.  Did final IV&V for an HHS department PKI 
CA, etc.

PKI's math is strong.  If your world view fits the federated centralized authority system, the trust model is strong.  (Ideally you 
combine that with webs of trust as needed.)  Software has been slowly improving.  PKI smart cards have had enough scrutiny to be 
secure against fast or easy private key leakage.  (A presentation at the mini-BlackHat at DesignWest about reverse engineering 
secure hardware chips was awesome.  Sanding progressive layers off of chips and activating the remaining circuitry with nano-sized 
probes is amazing.  Along with strategically laser cutting traces.)

> Greg
> On 10/16/2012 12:04 AM, Stephen D. Williams wrote:
>> What is "persistence of identity"? Isn't that just a "session"?
>> Identity isn't just a name, it is a unique identity that may have some
>> degree of identification and disambiguous characteristics.  A session
>> should have its own identity.  If you want to associate some access with
>> the session, then the identity of the user may be how you choose what to
>> show but the session is what is being matched between transactions.


More information about the FoRK mailing list