
BLU Discuss list archive



Encryption and risk



Richard Pieri wrote:
> On Oct 6, 2009, at 10:27 AM, Dan Ritter wrote:
>> Everyone seems to be ignoring the real brute force attack:
>> rubber-hose cryptanalysis.
> 
> I did not ignore it; I simply chose not to address it.  But since you  
> asked... :)
> 
> Obviously, no algorithm can be proof against a rubber hose attack.   
> Securing against rubber hoses is a matter of implementation.  One  
> possible mechanism is something similar to standard code signing  
> practice with multi-factor authentication.  The user has a pass phrase  
> (virtual key).  The site has a hard token of some sort.  That token is  
> stored in a secured area (physical key). 

In military circles, they use the phrase "Something you have, and
something you know".  Fortunately the only secure application I
developed went on SIPRNET, so once I talked to their single-sign-on, I
didn't have to worry about security much (other than the usual
roles/groups authorization).






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org