Admin
Wow, great solution. Weird how the boss did not find it weird.
Although I do not understand the reasoning why being open source would make a program less secure.
Admin
But if the source is open that means that {THE BAD GUYS} (where "The Bad Guys" can be anything from our competitors, to evil hackers, to terrorists) can use the same program we use! It won't be a proprietary trade secret anymore!!
THE HORROR.
Fucking morons. I also love the "You have a week to fix this or you're fired" threat. Because that always goes over well.
Admin
I remember using a video camera and a VHS recorder to record screen sessions, but that was in the late '80s...
Admin
That's because you understand that proper security software relies upon mathematically and computationally difficult problems, and not on "you just haven't figured out my convoluted secret yet, and I'm not telling you what it is".
Unfortunately, to non-technical people, these two forms of security appear to be equivalent; they don't understand that the security of algorithms lies within the algorithm itself, and not the obscurity of the code which implements it.
Crucially, it doesn't even matter if you use any of the above sentences to explain the difference to them; they'll either disagree with you because they know better, or they'll nod in agreement with you then demonstrate that they understood the exact opposite five minutes later.
Admin
Good thing Jerry's evil twin, Jeff, wasn't as savvy and didn't catch it was the same software...
** Fixed! --ed.
Admin
Video output - tick. But how is she controlling the system?
Captcha "opto" - how apt!
Admin
At least a dozen solutions for that if XP vs 7 is the only limitation. Or hell, put in a requirement for everything including the plant software to be upgraded so as to ensure security...
Admin
This smells all kinds of awesome from here.
captcha: ingenium
Admin
TRWTF is that if it's only video coming back from the plant who the F cares if it gets hacked into? Nobody can modify plant operation much less take it down via that feed.
Admin
Hell, Lindbergh f*cked her.
Admin
vmware player probably (!) isn't going to allow a hardware interface to the plant equipment, via a custom and overpriced PCI board or whatever.
Admin
Rube Goldberg would be proud!
Admin
Step #1: buy a new Windows 7 machine and attach it to the network
Step #2: remote into the Windows 7 machine with SafeViewer
Step #3: from the Windows 7 machine, remote into the production machine with anything
It sounds as if they didn't implement this bs with the camera. They just mocked it up to pass it off to the idiot CEO.
Admin
The real WTF here is that they had a Professional BetaCam just lying around. Why on earth did the manufacturer have that?
Admin
“You have a week to install a closed source replacement with the same protection, or your next meeting will be an exit interview.”
“Yeah, Jerry, yours. Go fuck yourself.”
Admin
They had the Professional BetaCam for a reason. The commercial advertisements had to be proprietary. If anyone figured out their trade secret filming process, InstaPet would no longer have a marketing advantage.
Admin
eros: Nice try, TDWTF. ;-)
Admin
So basically, TRWTF is Jerry not understanding Kerckhoffs' principle, a fundamental principle of cryptography which tells us that any system that you can't trust to be secure if everything but the key is known to an attacker, can't be trusted to be secure at all.
In other words, all other things being equal, it's not possible for an open-source system to be less secure than a closed-source system. (Note: all other things being equal. Certainly there are open-source systems that are insecure and closed-source systems that are secure, but, for example, if you take a closed-source system and publish the source to it, it does not become any less secure than it was before you published the source.)
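As an added illustration of the Kerckhoffs' principle point made in this comment (example code written for this page, not from the thread or from any software it mentions): a keyless "secret algorithm" transform, whose only protection is that its source stays closed, beside a keyed, authenticated construction whose source can be published without any loss. All names, constants and sample data are constructed for the example; the keyed scheme is a teaching construction built from the standard library, not a library API.

```python
import hashlib
import hmac
import os

# Scheme 1: "security" is the secrecy of the transform itself. There is no key.
# Constructed constants; the moment the source is public, every message is readable.
_SECRET_ROT = 3
_SECRET_XOR = 0x5A

def obscurity_encrypt(plaintext: bytes) -> bytes:
    return bytes(((b + _SECRET_ROT) & 0xFF) ^ _SECRET_XOR for b in plaintext)

def obscurity_decrypt(ciphertext: bytes) -> bytes:
    # Anyone holding the source can run this; publishing the code is a total break.
    return bytes(((c ^ _SECRET_XOR) - _SECRET_ROT) & 0xFF for c in ciphertext)

# Scheme 2: the algorithm is fully public; secrecy rests only on the key.
# Keystream = HMAC-SHA256(enc_key, nonce || counter), then encrypt-then-MAC.
def _subkeys(key: bytes):
    # Separate keys for the keystream and the tag, derived from one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def keyed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)                       # fresh per message; never reuse with a key
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def keyed_decrypt(key: bytes, blob: bytes):
    # Returns None on a wrong key or a tampered message instead of emitting garbage:
    # an attacker who has the source but not the key learns nothing from this path.
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))
```

With the first scheme, "closed source" is the entire secret; with the second, the source can be handed to the attacker and the only remaining question is how the key is managed, which is the question the thread's later comments raise.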
Admin
TRWTF is anonymizing the open source software name. What open source screen sharing software supports "symmetric key encryption" above and beyond what is available in commercial alternatives?
If we don't know the answer to what the software was, we will never know. Maybe that is the security?
Admin
All she really needed was something to show the boss. If he's convinced it's secure, then it IS secure. How would he ever find out otherwise? All she needed to say was that she installed a hardware encryption board in her home computer that munges up the data being sent. A quick google search probably can find such a board, in case she needs "proof" that such a thing exists.
Admin
hah. this.
Admin
It's nice to see an actual picture of the setup. So many of these stories are so edited that it's possible they're just made up; but a picture sort of proves it.
Admin
Everybody who comments about cryptography is missing a point: Many systems can be hacked by exploiting security flaws that have nothing to do with encryption.
Of course, in an open source system, anyone can find a security flaw. What Jerry is missing is that this "anyone" can just as well be a good guy, so if this software is around for long enough, someone will already have fixed all flaws.
Admin
In many respects, I rather think that's what she actually did. ;-) Only with an ancient video camera instead of a PCI card. Remember, the first rule in constructing an effective placebo is that it has to appear elaborate.
Admin
Because all corporate (and military) security experts know that (1) Microsoft products are the only secure ones, and (2) open source means it was written by Commie Ruskie Chinese hackers.
Admin
Er, as interesting as that is, it's completely irrelevant to the point of actual story, as what you said applies to all software (in a closed source system, anyone can find a security flaw also).
Admin
It's a bit harder without the sources.
Admin
Yes, but if the algorithm is correct then it's exactly as hard with OR without the sources. E.g. your only choice is to brute force it.
In this case, the person in charge seems to think that open source means unsecured, because he clearly has no understanding of what security actually is. Assuming that it is already known that their open source implementation is secure, then a closed source alternative may only be less-than-or-equal-to the security of what it is replacing.
Admin
Windows is closed source while Linux is open source. People find security flaws in both.
Admin
You have a week to fix this or you're fired = You have a week head start on finding a better job
I'm kind of sad that she apparently didn't understand this translation.
Admin
TRWTF is using the name of a non-existent open-source program. Obfuscating the corporation's name I understand, but if this were a true story they would name an actual open-source program. There's been far too much of that here lately.
Admin
Symmetric key crypto is sort of a given, the real question is how they handle key management and how the algorithm is integrated with the software. It's very easy to make mistakes in crypto, even when using industry standard algorithms (see WEP). I guess that she could have meant "pre shared key" when she said symmetric key crypto.
Admin
Or it's the usual made up story with an interesting albeit completely unrelated picture.
Admin
But in the actual real world, there is no such thing as a 'correct algorithm', at least not when we're talking about an entire application, when the only option is to brute force it. Every application of sufficient complexity will have security vulnerabilities, no matter how well you design it. And if the vulnerability is not with the application, then it is bound to lie with the other software, hardware, or even the user that it interacts with.
So yes, in theory, it should not matter one iota whether or not you publish the source of your application. In practice, there will be things you have overlooked. And it is a hell of a lot easier to find these things when you can look at the source directly.
Admin
Years ago I read a book by someone who was involved in developing security for early Unix. They had two men who played good-guy/bad-guy: One would develop security software, and then the other would try to break it. He said that one of their early decisions was that they would give the source code to the bad guy. After all, they reasoned, if the software was out there long enough, sooner or later someone would leak a copy of the source code, or someone would de-compile it, etc. Relying for security on the idea that you could keep the source code secret forever would be naïve.ppppppppppppppppppppppppppppppppppppppprrr
Admin
Please disregard the ppppppppppppppppppprrrrrrrrr on my last post. I was scraping some piece of random gunk off my keyboard. :-)
Admin
Or they just found a strange picture on the Internet, and wrote a story to go with it.
We had exercises like that in elementary school.
Admin
Look carefully at it - they bs'd the bosses: the description of the Wichita computer says it's running XP and has a CRT monitor. However, the picture they supplied the bosses shows a 7 system with a flat screen... Well done, I see what you did there!
Admin
Yes and no. A couple of years is a good sweet spot. People have been working at it long enough that you can be sure anything relatively obvious has been found, but you can be pretty sure that they've learned from more recent mistakes. Also, if you use a relatively recent algorithm you're more likely to get something that can extend into future requirements (such as longer keys).
I wouldn't call it an obvious WTF to use a three year old algorithm.
Admin
Hopefully this works:
http://www.tineye.com/search/d387179df431df864b00de9ef42cc422c4496f2c/
Admin
Nice! Security through obscurity is so much better than Kerckhoffs' principle... oh wait it's the other way around isn't it.
Admin
Somewhat related, my old boss had a ban on freeware that included open source. The reasoning was that if you didn't buy it, you had no guarantee that the program would be maintained and that you could get the changes you needed (in his mind, if you paid for something, you had the right to pester the developer to add the features you wanted).
Admin
I've done something very much like this before. Needed to put a streaming demo of the software I wrote up on the projector. Seemed simple enough.
Well.. Can't VNC over the network, it sucks. Can't move the workstation, it's got too much stuff plugged in and there are neither enough outlets nor enough time to move everything. Hey, here's an old-ish camcorder, miles of unused RCA cable, and I have a tripod in my trunk.
It looked very much like the picture, only the camera was smaller and the tripod far flimsier.
Thankfully, it was only needed for a few minutes, and we never spoke of said setup again.
Admin
whoops...