Feeds

* Posts by Xavier Serret

4 posts • joined 5 Mar 2008

Google mail crypto tweak makes eavesdropping harder

Xavier Serret
WTF?

TLS Session tikets invalidate Perfect Forward Security (PFS)

This looks like classical case in security: Solving problem A by moving it to B, with identical consequences and challenges.

It is obvious session tickets decryption keys must cached (long) term and shared between servers! In fine this means that some short of Master key (or its derivatives) must be kept long term.

Then master key (or derivatives) can be used then to decrypt old tickets, therefore breaking PFS benefits.

Unless more about the session tickets is disclosed Google cannot boast any real security benefit on this change!

0
2

Naked Win 7 still vulnerable to most viruses

Xavier Serret
WTF?

When people will get this: UAC is not for admin accounts!!!

UAC is for running as a normal user and been properly prompted to "Sudo" whenever an admin-permission requiring operation is executed.

This article is misleading!!!

You don't need an antivirus if you do not run as admin!!!

AND THE MORAL HAZARD IS: And if you run as admin, an anti-virus is always too late when a truly efficient worm emerges!

But the constant marketing message is that Antivirus == total protection!

0
0

Masked passwords must go

Xavier Serret
Megaphone

Of course

I fully agree!

And not only on web sites, but also for all these security management applications (typically wi-fi) where it is often the case the user is copying a hard password from a piece of paper!. How many of us felt stupid missing it again and again!

Moreover, this may have a secondary benefit as users will interiorize better the fact that passwords are not secret to the computer where they are typing it, and they may pay higher attention to the need to protect themselves from key-loggers et al.

To THE REGISTER: Please start by unmasking the password for posting comments!!!!

0
0

Tool makes mincemeat of Windows passwords

Xavier Serret

Reduce attack surface!

This is a yet another symptom of functionality creep.

Most laptops have connections that we never use... but we keep them enabled just in case...

So time ago I bios-disabled all connectors I never use: COMs LPTS, Modems... etc.... and not only this increases security (by simply applying the "reduce the attack surface" principle) but it actually it can increase performance by precluding drivers from loading...

0
0