| From: | Lehlan Decker <decker@****.FSU.EDU> |
|---|---|
| Subject: | Re: Hacking Security Tallies (Was Re: Weird Campaigns) |
| Date: | Thu, 21 May 1998 13:06:51 -0500 |
> Lehlan Decker wrote:
> >However, depending on exactly what the key does, you can probably
> >write code to mimic it
>
> On a PC, sure. On a multi-million nuyen piece of equipment designed by
> paranoid and clever engineers, no. The security tally and other critical
> security information can be stored in a read-only memory block (read
> only at the HARDWARE level, the write pin can be physically
> disconnected) and can be written to ONLY when the master key is in
> the lock. The chief programmer only puts the key in the lock when his
> deckers report that they are in place and ready to make the changes.
> Put the key in, reset security tally, take the key out, then look at the
> security block and make sure it still says exactly what you think it should
> (in case someone with a great deal of masking happened to be in your
> system during this critical time). If at all possible, the system should be
> Off-line during this operation, but that might not be possible with some of
> these systems.
>
Yep, I agree with this one, for the hard core ultra-secure places. But
for the less secure places, it may be a bit more painful. You have to remember
if security makes life difficult for the people who are implementing the system
they are much less likely to do so. (ex crypto cards, you should have heard
the *(&(*& at my place of work, because it would add one more step to login).
At that point, I had my shadow team physically go in, "borrow" the key, manager,
etc. And then I do my work. :)
--
--------------------------------------------------------------------
Lehlan Decker 644-4534 Systems Development
decker@****.fsu.edu http://www.scri.fsu.edu/~decker
--------------------------------------------------------------------
The universe doesn't have laws, it has habits. And habits can be broken.
