[Gllug] Recommended Books

Christian Smith csmith at micromuse.com
Wed Dec 14 12:39:15 UTC 2005


I would post the details of my company's security issues, but I'd probably
be sacked...


On Tue, 13 Dec 2005, Nix wrote:

>On Mon, 12 Dec 2005, Greg McCarroll gibbered uncontrollably:
>
>> Security,
>> 	1) Applied Cryptography - another definitive text.
>
>Yes! If you have to do anything with crypto at work, get _Secrets &
>Lies_ as well to beat your bosses over the head with. The consequences
>of not doing so can be dire, e.g. a password-auth system at my work
>which over my protests
>
>- used AES instead of one-way hashes


Yikes. Is that using a hard-coded key in the application? Or a
per-installation instance key? Or other...


>- used unseeded rand() as the random number source
>- took no precautions against people acquiring the password after
>  that ridiculous decryption step
>- set the secret key to the nice secret entropy-filled return value
>  of getuid()


What, the key is derived from the user id? Nice.


>
>(and then they made me review the code, after ignoring my screams over
>the design!)
>
>But don't worry, the organizations using this wonderful stuff don't deal
>with more than billions of dollars per day. :/


At least your stuff isn't going to be used by the MOD. Hopefully, our
stuff will just fester and the project die, as it's being handled by EDS.


Christian

-- 
    /"\
    \ /    ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
     X                           - AGAINST MS ATTACHMENTS
    / \
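As an added illustration of the design flaws quoted in this message (not code from the list or from the system under discussion), a constructed model of the weak pattern beside the one-way, salted hash a password store should use instead:

```python
import hashlib
import hmac
import os
import random
from typing import Optional

# ---- Weak pattern: a constructed model of the design criticised above ----

def weak_random_bytes(n: int = 8) -> bytes:
    """Models unseeded rand(): a C program that never calls srand() starts
    from a fixed seed, so every run yields the same 'random' bytes."""
    rng = random.Random(1)          # fixed seed stands in for the missing srand()
    return bytes(rng.randrange(256) for _ in range(n))

def weak_key(uid: int) -> bytes:
    """Models 'key = getuid()': a small, public, per-account integer padded
    out to a 16-byte AES key. The effective key space is just the uid range."""
    return uid.to_bytes(4, "little").ljust(16, b"\x00")

# ---- Hardened pattern: salted, iterated one-way hash ----

def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh 16-byte salt from the OS CSPRNG makes
    equal passwords hash differently; PBKDF2 makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 600_000) -> bool:
    """Recompute and compare in constant time; nothing here can return the
    plaintext, which is the point of a one-way scheme."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print("weak 'random' repeats across runs:", weak_random_bytes() == weak_random_bytes())
    print("weak key for uid 1000:", weak_key(1000).hex())
    salt, digest = hash_password("correct horse")
    print("verify ok:", verify_password("correct horse", salt, digest))
```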
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug