Thanks for the living hell, and question about OpenSSL

Major Variola (ret) mv at cdc.gov
Fri Apr 25 12:07:07 PDT 2003


At 02:20 PM 4/25/03 -0400, someone claiming to be Patrick Chkoreff
wrote:
>I was mistakenly thinking that because my sacred code did not
>in fact record any IP-based transmission logs, users were safe as far
>as anonymity and privacy were concerned.  What I missed was that if
>someone put a gun to my head

Generally in security analysis you want to list threat models and how
you resist (or not) them. From this you can derive a spec. Often threats
*not* considered provide easy attacks simply because the design didn't
consider them. You will always find some attacks that will work, but are
expensive for the adversary. Checked your keyboard for keystroke loggers
recently, Mr. Scarfo? Swept your room for video bugs? Got a guy with a
gun and a dog watching what gets pressed against the fingerprint
scanner? And how much does he get paid? (CIA CI chief Aldrich was under
$2e6, FBI CI mole Hanssen was cheaper, but his wife wasn't included in
the deal, though his stripper got some.)

This leads to the conclusion that security is economics + physics. The
goal is to make attacks more expensive to your adversary, at
"reasonable" cost to you.

Subpoenas are cheap to some.


------
_Enemy of the State_ Easter Eggs:
* In EotS, the birthdate of the evil spook (Thomas Reynolds,
played by Jon Voight) is 9-11-40. (The movie was released in 1998.)
* EotS was produced by "No Such Productions"
* The screenwriter's surname is Marconi.

More information about the cypherpunks-legacy mailing list