From: "Randy Brukardt"
Newsgroups: comp.lang.ada
Subject: Re: library/binding for sftp?
Date: Fri, 9 Aug 2013 15:21:12 -0500
Organization: Jacob Sparre Andersen Research & Innovation

"Alan Jump" wrote in message news:2d28eb38-0cbc-4f43-983c-d11318614491@googlegroups.com...
On Thursday, August 8, 2013 12:18:09 PM UTC-7, Randy Brukardt wrote:
...
>> Honestly, your attitude is dangerously naive. Probably the best strategy of
>> all is to have no secrets that need protecting, as in today's environment
>> you should assume all information is being read (or could be read) by
>> someone.
>
>Having no secrets to conceal is very close to being as impossible as
>concealing every secret one has indefinitely.

True, but it ought to be the goal.

One important mitigation is to use the value of time to decrease the value of secrets. If the value of a secret drops to zero after a short time, that makes it useless to attackers unless they get it in the appropriate time. That makes attacks much harder, and unless the secret is extremely high-value, they won't bother.

(The worst thing for security is long-lived high-value secrets like credit card numbers. There is no realistic hope of securing something like that. [Yes, PCI-DSS is a load of baloney -- it's all about blaming merchants for being unable to do the impossible (and forcing them to spend a lot of money to attempt to do the impossible) while saving the bankers from spending the money needed to eliminate the actual cause of the problem.])

And I'm dubious that a lot of things ought to be on-line in the first place. Why would anyone want to make their door locks or toilet attackable?? (Both recently in the news.) The former is such a high-value target that no amount of security on the software would ever be enough. Some things are better done the old-fashioned way!

Randy.