RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

From: Behm, Jeffrey L. (
Date: 06/20/05

  • Next message: Marcus J. Ranum: "RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd"
    To: "Marcus J. Ranum" <>, "David Lang" <>
    Date: Mon, 20 Jun 2005 11:25:53 -0500

    On Sunday, June 19, 2005 4:40 PM, Marcus J. Ranum spake:

    >David Lang wrote:
    >> 2. require authentication that isn't fully contained on the
    >> remote system (i.e. a token or one-time password, a digital
    >> certificate with a passphrase is NOT good enough)
    >That doesn't work, either. If you assume that the endpoint is insecure
    >(and it is, so that's a safe assumption) the 2 factor authentication
    >only because it's harder to bypass than a password. If everyone was
    >using 2 factor authentication, you can bet hacker toolkits would be
    >full of nasty rootkits and malware that stole live sessions, or typed
    >keystrokes into live sessions once they came up (transparently, of

    True, Marcus, but not everyone _does_ use 2 factor auth. So, at this
    point, it can be effective. You don't gotta outrun the bear, just
    the guy next to you.

    firewall-wizards mailing list
