[Gllug] Recommended Books
Christian Smith
csmith at micromuse.com
Wed Dec 14 12:39:15 UTC 2005
I would post the details of my company's security issues, but I'd probably
be sacked...
On Tue, 13 Dec 2005, Nix wrote:
>On Mon, 12 Dec 2005, Greg McCarroll gibbered uncontrollably:
>
>> Security,
>> 1) Applied Cryptography - another definitive text.
>
>Yes! If you have to do anything with crypto at work, get _Secrets &
>Lies_ as well to beat your bosses over the head with. The consequences
>of not doing so can be dire, e.g. a password-auth system at my work
>which over my protests
>
>- used AES instead of one-way hashes
Yikes. Is that using a hard-coded key in the application? Or a
per-installation instance key? Or other...
>- used unseeded rand() as the random number source
>- took no precautions against people acquiring the password after
> that ridiculous decryption step
>- set the secret key to the nice secret entropy-filled return value
> of getuid()
What, the key is derived from the user id? Nice.
>
>(and then they made me review the code, after ignoring my screams over
>the design!)
>
>But don't worry, the organizations using this wonderful stuff don't deal
>with more than billions of dollars per day. :/
At least your stuff isn't going to be used by the MOD. Hopefully, our
stuff will just fester and the project die, as it's being handled by EDS.
Christian
--
/"\
\ / ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
X - AGAINST MS ATTACHMENTS
/ \
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
More information about the GLLUG
mailing list