
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
Date: Sun, 14 May 2006 21:02:04 -0700
A long-overdue wake up call for the information security community.


Article: http://www.securityabsurdity.com/failure.php

OK. I went through the article. And it seems to me more of an "End is near" kinda article, than an objective view of the current security issues. The article portrays the worst case scenarios. Worst case scenarios are NOT the norm.

For e.g. the author talks about MD5 and SHA being compromised. But
that is a very vague statement, and intended to mislead newbies. In
reality MD5 and SHA1 are still very secure, and the fact of the matter
is that only a collision attack (and NOT a pre-image attack) is
possible on these hashing algorithms. This distinction is very
important.

Collision attacks are possible but it is very very complex to mount a
"USEFUL" attack using Collision.

For e.g. a pre-image attack is required for tampering with an arbitrary
(given) piece of code from a legitimate vendor that has been Digitally
Signed. A collision attack on code-signing will work only if the
attacker is writing both the innocuous and the malicious programs. In
that case why would you trust even an innocuous program from an
attacker (known mal-ware developer) ????

For simple hashing of passwd or digital signature, I think SHA-1 is
still more than enough.

My point is that the security is not failing. Amazon is still making
money and GMAIL is fairly safe, even without the use of 2-factor
authentication. It is just a mail system, not my bank. In fact most
online merchants have ways to reimburse users in case of fraud. For
e.g. Google AdWords.

If you are careful while online, you will be secure. Not
being precautious is like a driver who doesn't want to wear a seat belt
and still wants to survive in case of an accident. That is just not
possible.

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
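
The collision-versus-pre-image distinction the post rests on can be made concrete with a small experiment. The following is an added example, not code from the thread or from anyone quoted in it: it truncates SHA-1 to 16 bits (an assumption made purely so the searches finish in well under a second) and runs the two kinds of search side by side. A birthday (collision) search, where the attacker picks both inputs, needs on the order of 2^(n/2) trials; a pre-image search, where the target hash is fixed by someone else's already-signed file, needs on the order of 2^n. The constant `SIGNED_ARTIFACT` is a constructed stand-in for a vendor's signed release, and the names `trunc_sha1`, `find_collision`, `find_preimage` and `compare_costs` are this example's own.

```python
import hashlib
import math

# SHA-1 truncated to this many bits so the birthday bound is observable quickly.
# The cost asymmetry shown is the same one the full 160-bit hash has.
HASH_BITS = 16

# Constructed stand-in for a legitimate, already-signed artefact (not a real file).
SIGNED_ARTIFACT = b"vendor-release-1.0.bin (constructed sample)"


def trunc_sha1(data: bytes, nbits: int = HASH_BITS) -> int:
    """SHA-1 output truncated to its top `nbits` bits (toy hash for the demo)."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - nbits)


def find_collision(nbits: int = HASH_BITS, tag: str = "c"):
    """Birthday search: any two distinct inputs with equal truncated hashes.

    The attacker chooses *both* messages here, which is why a collision only
    lets them produce a matching pair of files they wrote themselves.
    Expected cost is about sqrt(pi/2 * 2^nbits) trials.
    """
    seen = {}
    trials = 0
    while True:
        trials += 1
        msg = f"{tag}-{trials}".encode()   # every candidate string is distinct
        h = trunc_sha1(msg, nbits)
        if h in seen:
            return seen[h], msg, trials
        seen[h] = msg


def find_preimage(target: int, nbits: int = HASH_BITS, tag: str = "p",
                  limit: int = 1 << 24):
    """Pre-image search: an input hashing to a value fixed by someone else.

    This is what altering a vendor's already-signed file would require.
    Expected cost is about 2^nbits trials, the square of the collision cost.
    """
    for trials in range(1, limit + 1):
        msg = f"{tag}-{trials}".encode()
        if trunc_sha1(msg, nbits) == target:
            return msg, trials
    return None, limit


def compare_costs(nbits: int = HASH_BITS) -> dict:
    """Run both searches and report trial counts beside the theoretical bounds."""
    m1, m2, c_trials = find_collision(nbits)
    target = trunc_sha1(SIGNED_ARTIFACT, nbits)
    forged, p_trials = find_preimage(target, nbits)
    return {
        "collision_pair": (m1, m2),
        "collision_trials": c_trials,
        "collision_expected": math.sqrt(math.pi / 2 * 2 ** nbits),
        "forged": forged,
        "preimage_trials": p_trials,
        "preimage_expected": 2 ** nbits,
    }


if __name__ == "__main__":
    for key, value in compare_costs().items():
        print(f"{key}: {value}")
```

Reading the output: the collision pair is two strings the search itself generated, so neither is a file anyone would have signed, whereas the pre-image result matches a hash the attacker did not choose and costs roughly the square of the collision search. That gap is the reason a deployed signature over a fixed, pre-existing file is a different question from "collisions have been found".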
