[Gllug] Recommended Books
Nix
nix at esperi.org.uk
Thu Dec 15 14:39:28 UTC 2005
On Wed, 14 Dec 2005, Christian Smith said:
> I would post the details of my company's security issues, but I'd probably
> be sacked...
Huge gaping? Shock.
> On Tue, 13 Dec 2005, Nix wrote:
>>- used AES instead of one-way hashes
>
> Yikes. Is that using a hard-coded key in the application? Or a
> per-installation instance key? Or other...
That's using the return value of getuid() as the key. :/
>>- used unseeded rand() as the random number source
>>- took no precautions against people acquiring the password after
>> that ridiculous decryption step
>>- set the secret key to the nice secret entropy-filled return value
>> of getuid()
>
> What, the key is derived from the user id? Nice.
No `derivation' involved. The key *is* the user ID, zero-extended.
A nice big keyspace of less than 65536 and probably less than 1000.
2^10 bits should be enough for anyone!
>>But don't worry, the organizations using this wonderful stuff don't deal
>>with more than billions of dollars per day. :/
>
> At least your stuff isn't going to be used by the MOD.
I bloody well hope not.
> Hopefully, our
> stuff will just fester and the project die, as it's being handled by EDS.
That's if anything an advantage: even in govt people handling critical
stuff know that EDS is shit and treat their output similarly.
(This is distinct from the people who *hire* people handling critical
stuff, who *sigh* often hire EDS. Or Accenture. Gah.)
--
`I must caution that dipping fingers into molten lead
presents several serious dangers.' --- Jearl Walker
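An added example, written for this archive page and not code from the original thread or from either poster, contrasting the weak scheme described above with a one-way alternative. It assumes the uid is zero-extended little-endian into a 16-byte AES-128 key (the byte order is a guess and does not change the keyspace), uses `random.Random(1)` as a stand-in for an unseeded C `rand()` (which behaves as if `srand(1)` had been called, so every run produces the same "random" bytes), and uses stdlib PBKDF2-HMAC-SHA256 with a `secrets`-generated salt as the hashed replacement; no AES library is used because the point is the keyspace and reversibility, not the cipher.

```python
import hashlib
import hmac
import math
import random
import secrets

AES_KEY_LEN = 16  # bytes: the AES-128 key width the uid would be zero-extended to
SALT_LEN = 16

def uid_key(uid: int) -> bytes:
    """Key as the thread describes it: the uid itself, zero-extended.
    Assumption: little-endian; any byte order gives the same tiny keyspace."""
    return uid.to_bytes(AES_KEY_LEN, "little")

def uid_keyspace_bits(max_uid: int = 65535) -> float:
    """Effective key strength when the key is a uid in [0, max_uid].
    With 16-bit uids this is 16 bits, not the 128 bits AES-128 offers."""
    return math.log2(max_uid + 1)

def fixed_seed_salt(n: int = SALT_LEN) -> bytes:
    """Stand-in for an unseeded rand(): a fixed seed means the 'random'
    salt is identical on every run, so it adds nothing."""
    return random.Random(1).getrandbits(8 * n).to_bytes(n, "big")

def hash_password(password: str, iterations: int = 600_000) -> bytes:
    """One-way storage: per-password random salt + PBKDF2-HMAC-SHA256.
    Nothing stored here can be decrypted back to the password."""
    salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt + digest

def verify_password(password: str, stored: bytes, iterations: int = 600_000) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print("uid 1000 as AES key:", uid_key(1000).hex())
    print("keyspace bits for 16-bit uids:", uid_keyspace_bits())
    print("fixed-seed salt repeats:", fixed_seed_salt() == fixed_seed_salt())
    rec = hash_password("correct horse")
    print("verify ok:", verify_password("correct horse", rec))
    print("verify wrong:", verify_password("wrong", rec))
```

The weak scheme is reversible by design: any process running as the same uid already holds the key, and the 16-bit keyspace offers no protection to anyone else. The hashed form has no key to leak and a fresh salt per record, so two users with the same password store different values.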
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug