Re: How do you do this?



Jeff Fox wrote:
Marcel Kollenaar wrote:
I didn't. But if I had done it I would have solved the security issue first.
The rest is trivial and is communication.

If you have two computers connected by a wire, cable, radio link,
or network and all that happens is one sends you message to the
other, nothing else, and you wrote the code that sends the message
and you wrote the code that executes the message I fail to see
what security problem you are talking about.

I'm not sure what the exact security issues are in this case, but this description is a classic scenario for a man-in-the-middle attack.

Unless you have a dedicated line you have control over, most of the other communication media you mention can have traffic intercepted. A smart hacker could silently watch data and perhaps even rewrite messages to change them without either of the other hosts noticing.

That is, unless one took steps in the messaging protocol to obfuscate or protect content, and guard against change in transit.

Example: ATMs used to rely on dedicated lines, so your PIN was often sent in the clear. Now that ATMs are more often attached to public telephony systems (usually via hardline, but cellular is not unknown) steps have to be taken to hide the secret you share with your bank from third parties.

Various banks are now in the position of rewriting venerable ATM code to implement different types of hashing and signing algorithms in order to bring the confidence up to the level it was when they were using dedicated lines.

Since you are in charge of what happens on each end of the wire
it should be simple. If the person writing the code on the other
end is hostile that will complicate the problem.

Right. But do you trust all the potential parties that might be listening in?

As long as you know, within reasonable bounds and risk levels, that the traffic on the wire is safe enough then all is well. Whether this safety is implicit because you trust all the intermediate links or you have implemented some security measures is the question.

Anyway, that's what I get from Marcel's comment about security on the wire.
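To make the "guard against change in transit" point concrete, here is an added example (my own illustration, not code from anyone in this thread): two endpoints share a key agreed out of band, the sender attaches an HMAC-SHA256 tag over a sequence number plus the payload, and the receiver rejects any frame whose tag does not verify or whose sequence number is not the one it expects. The shared key value and the "LAMP ON" message are constructed placeholders; the sequence counter goes slightly beyond the thread's text, since it also lets the receiver notice a recorded frame being fed back in later. Only Python's standard library is used.

```python
import hashlib
import hmac
import struct

# Constructed placeholder key: in practice both endpoints would hold a random
# 32-byte secret exchanged out of band, never sent over the wire itself.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

SEQ_LEN = 8   # big-endian unsigned 64-bit sequence number
TAG_LEN = 32  # HMAC-SHA256 output size


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = seq || payload || HMAC(key, seq || payload)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify(key: bytes, expected_seq: int, frame: bytes):
    """Receiver side: return the payload if the frame is authentic and in order,
    otherwise None. The tag is checked before the sequence number so that an
    unauthenticated frame never influences any state."""
    if len(frame) < SEQ_LEN + TAG_LEN:
        return None
    header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected_tag = hmac.new(key, header + body, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing about the tag.
    if not hmac.compare_digest(expected_tag, tag):
        return None
    (seq,) = struct.unpack(">Q", header)
    if seq != expected_seq:
        return None
    return body


def simulate_link() -> dict:
    """Run the three cases the thread talks about over a simulated wire:
    an untouched frame, a frame altered in transit, and an old frame replayed."""
    message = b"LAMP ON"  # constructed sample command
    frame = protect(SHARED_KEY, 0, message)

    # Case 1: frame arrives unchanged.
    clean = verify(SHARED_KEY, 0, frame)

    # Case 2: one byte of the payload is changed between the endpoints.
    altered = bytearray(frame)
    altered[SEQ_LEN] ^= 0x01
    tampered = verify(SHARED_KEY, 0, bytes(altered))

    # Case 3: the original (valid) frame is delivered again after the receiver
    # has already moved on to expecting sequence number 1.
    replayed = verify(SHARED_KEY, 1, frame)

    return {"clean": clean, "tampered": tampered, "replayed": replayed}


if __name__ == "__main__":
    for case, result in simulate_link().items():
        print(f"{case:9s}: {'accepted ' + repr(result) if result is not None else 'rejected'}")
```

Note that this only covers integrity and authenticity: the receiver can tell the frame was not rewritten on the way and came from a holder of the key, but anyone watching the link still reads the payload. Hiding a secret such as a PIN from third parties, the other half of the ATM example above, additionally needs encryption, and the usual way to get both is an authenticated-encryption mode rather than bolting the two together by hand.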


