[SystemSafety] Fwd: "Protected" Environments
Olwen Morgan
olwen at phaedsys.com
Mon Nov 12 09:42:02 CET 2018
On 12/11/2018 05:46, Bruce Hunter wrote:
<snip>
> People also are very cunning and the instigators of advanced and
> persistent threats.
Back in the late 1980s I worked on security for one of the earliest card
payment systems to use RSA cryptography. With a colleague, I wrote the
security procedures for the key registry. After that, I attended a
progress meeting at which a senior project manager raised the need for
physical penetration testing and asked if anyone had any expertise in
it. I raised my hand and told the meeting that I was moderately skilled
in breaking and entering. A frisson ran around the table and the manager
then asked me if it would be too embarrassing to ask how I had acquired
this expertise. There was a huge audible sigh of relief around the table
when I replied, "A mis-spent youth at a public school."
Later that week, I started arriving at work in a business suit, changing
into a boiler suit, and then going around with what amounted to a kit of
housebreaking tools seeing what I could break into. At one point I
dismantled half of the wall of an allegedly secure room using just a
Swiss army knife. I also managed to enter a computer room by removing
floor tiles and crawling in the floor void. Thence, via an
air-conditioning duct, I got to a point directly beneath the key
registry's hardware rack. I could actually put my hand on the lower
casing of the encryption equipment. Had I been a real attacker, I could
have burned through the casing with an acid gel and directly tapped the
equipment's motherboard.
If bank computer centres are still like that, you'd be safer, IMO,
keeping your money in a sock under your bed.
Olwen