Re: Torvalds Slams Theoretical Security

On 10/23/24 4:01 AM, Richard Kettlewell wrote:

"186282@ud0s4.net" <186283@ud0s4.net> writes:

   The problem is State-funded actors these days and the MASSIVE
   computing power they can bring to bear.

 Well, it’s _a_ problem, for people and organizations who are realistic
targets of state actors. But (for example) for most private individuals
the biggest threat is criminals trying to access their bank account or
credit card.
 

   At least SOME of those "theoretical" attack vectors CAN become real
   attack vectors.
>
   But WHICH ???

 The obvious answer is attacks on weak cryptography. RSA-1024 and DH-1024
are probably breakable by the biggest SIGINT agencies (and anyone else
with comparable compute resources: cloud service providers for example).
 https://weakdh.org/imperfect-forward-secrecy.pdf attempted to analyse
this (among other things) nearly a decade ago, as a concrete example.

   Um ... even weak crypto takes a lot of CPU time to
   decode.
   Direct access to corp computers, where the victim's
   system is doing all the work, via fake or compromised
   corp users - I think *that* is the "biggest problem"
   relative to data theft.
   A lot of THAT involves "human engineering" - scams
   that most ordinary workers will never detect despite
   good 'educational' efforts. Scammers are VERY sneaky.
   However poor security/auth measures and un-monitored
   external access also plays a role - corp laziness
   and/or budget limitations.
   It's not just *a* problem - but weakness at a number
   of levels.
   Vlad's boyz have the time and resources to go after
   ALL of them - over and over and over - until chinks
   in the armor are found. Victims generally do NOT
   have the resources, IQ/$$$, to defend.
   Oh, and the golden gate to bank accts and industrial
   control systems and such are all the numbers/data Vlad's
   boyz steal - the stuff you use to prove you are you.
   Oh, today's news - another health-care system finally
   admits to being severely compromised ... 100 MILLION
   detailed records stolen. Sorry, but everyone needs
   all-NEW numbers for everything, like TOMORROW.
   Otherwise when They hit the hit will be TOTAL, so
   large deep and wide there will be no good fixes.
   A nuke attack without a single mushroom cloud.
   This is the world we have (mis)-made.
   SO - Linus is *partially* correct, but also partially wrong.
   It's the "wrong" fraction that's so worrisome.