Comments for Dustin D. Trammell

Comment on ToorCon Seattle (Beta) by Laurentino

Laurentino — Fri, 10 Feb 2012 21:10:11 +0000

i went in 2008, and while it was ok, didn’t get any pualicatrr OMG moments that made me want to go this year. it seems most of the speakers ended to present their folio of past work, from university to current, which got tedious after several speakers. the most impressive ones focused on smaller areas of their careers, pualicatrr jobs and clients Reply

Comment on Metroid Security Mechanism by TJ Leeland

TJ Leeland — Wed, 09 Feb 2011 16:33:33 +0000

as security expert I can tell you why make-believe security is better than real life: make-believe users don’t call tech-support.

Seriously.

The more secure you make things, the more calls you get from users who can’t get into their systems. You add “random” anything to a login process and you will see lockouts skyrocket and calls to support will jump along with it. It’s always a balance between security and usability. They can only give you the level of security the dumbest users can handle.

Comment on Cleverbot Not So Clever by CR

CR — Tue, 30 Nov 2010 20:01:27 +0000

I think you would find this website very funny:

http://www.notsocleverbot.com

My personal favorite:

User: Hey there!
Cleverbot: How are you?
User: Pretty good.
Cleverbot: That’s good.
User: You see the new Twilight Movie?
Cleverbot: I’m not interested in any of the twilight movies or books.
User: You’re not into vampires?
Cleverbot: I’m not into humans

Comment on Four-factor Authentication by Ted Bigham

Ted Bigham — Sat, 09 Oct 2010 09:24:30 +0000

I never said foolproof. If someone tortures your password from you, then that factor is compromised; all the reason for more than one. I also never said the “data” for each factor is self identifying. If your pin number is 1234, that is not unique, but is secret and qualifies as a factor when associated with your id or card number (which is not secret and not a factor). A location is a valid point of reference especially on the fraud prevention realm, but is not a factor of identifying a person. Any person can be at that location claiming to be you, just like any person can say they their pin is 1234 claiming to be you. The differenece is that location is not secret.

Comment on SmartPhone Unlock Screens: Moving in the Wrong Direction by Judson Dicampli

Judson Dicampli — Mon, 16 Aug 2010 12:29:01 +0000

Whilst I really like a physical keyboard, after managing the Samsung Captivate for about 15 minutes, it’s hard to move back. At the moment I am debating whether to go to Verizon for the Droid X, move to Dash for the EVO, or stay with AT&T for the Captivate…selections, decisions.

Comment on Four-factor Authentication by Travis H.

Travis H. — Tue, 15 Jun 2010 11:10:12 +0000

Re: Ted Bigham and Joat

Disagree. Nobody says that a factor of authentication has to be foolproof, only identifying one person. In fact, if it did, we would never need two-factor authentication! By the same argument, “something you know” isn’t good because someone could torture it out of you, and “something you have” isn’t sufficient since it could be stolen or duplicated.

“Where you are” can also be important in situations like IFF devices, since not only do we want to know that the responder is friendly, we want to know that the challenge-response is not being proxied to a friendly at a distant location (though they don’t necessarily use that in IFF devices).

I’m actually getting a fair number of hits from this site, so I figured I’d share an updated URL:

http://www.subspacefield.org/security/security_concepts.html

Search for “Authentication Factors” to find the section on five-factor authentication; right now it is S11.8.

I don’t discuss this, but it’s worth noting that some of these authentication factors are only useful in certain circumstances. For example, the biometric authentication isn’t always useful in network security, because the adversary could simply replay a recorded biometric signature; one has no proof that one is actually getting a reading from trusted biometric equipment, unless one engages in what TCPA calls “Remote Attestation”. If one isn’t sure where one is getting the reading from, then it’s just a string of bits, and so it’s effectively “something you know”.

Comment on Advanced Persistent Threat by Brandon Dixon

Brandon Dixon — Thu, 20 May 2010 19:04:11 +0000

I thought I may have been the only one to share the same thought. It’s gotten worse than cloud computing. I am pretty certain I have heard those 3 letters more than anything in the past few months. Whitepapers, blogs, tweets…make it stop!

Comment on Four-factor Authentication by Ted Bigham

Ted Bigham — Thu, 20 May 2010 19:03:27 +0000

In fear of repeating what joat said, “where you are” is not a factor of authentication. It fails the first requirement to be factor, which is that it must work as a “single factor” authentication mechanism. Simply knowing the location where someone is accessing a system from is rarely enough to authenticate them.

For example, if I walk up to a coworker’s computer while they are away, a “where you are” auth mechanism would let me log in by simply entering their login name. This is obviously not secure. Any location can hold more than one person at different times. The type of place that “where you are” authentication would be valid is something like a prison cell, where you know for a fact that only a certain person can be in that place at the time of authentication.

Another reason most (is not all) forms of “where you are” authentication don’t qualify as factors, is because they tend to depend on one of the other factors. This also disqualifies it. An example would be ordering room service from your hotel room. Although the front desk can tell exactly where the phone call is coming from, the room itself is only secured by a key (something you have). So if someone compromises your room key, they have also compromised your location. The mechanisms need to be independent of each other.

There are still only “three” factors for authentication. Four is just marketing.

Comment on Cleverbot Not So Clever by Little Professor

Little Professor — Thu, 20 May 2010 19:02:31 +0000

I think I know why Cleverbot always says, “I’m not Cleverbot. You are!”. I think it’s because Cleverbot learns from people, and people always call it Cleverbot. Any time it says, “Hi, Cleverbot”, you say, “I’m not Cleverbot. You are!”, so it thinks that that is the correct reply to “Hi, Cleverbot”.

Comment on Metroid Security Mechanism by SmartPhone Unlock Screens: Moving in the Wrong Direction « Dustin D. Trammell

Tue, 10 Nov 2009 22:28:22 +0000

[...] Needless to say, I tend to wipe my phone’s touch-screen quite frequently. Why hasn’t anyone implemented a lock screen that uses a technique like this one? [...]