Schneier on Security
A blog covering security and security technology.

April 10, 2007

Marx Brothers on Security

Count the security lessons: bad password management, protocol failures, poor authentication, check fraud, and -- I suppose -- an attack made possible by poor bounds checking. What else?

Posted on April 10, 2007 at 1:17 PM

Comments

About as accurate as the movie of the same name. :)
Posted by: Jeff Pettorino at April 10, 2007 2:14 PM

For a "man in the middle" attack I guess we would have to move on to The Three Stooges?
Posted by: Geoff Lane at April 10, 2007 2:22 PM

The password-based authentication protocol is insecure.
Posted by: Anonymous Pilot at April 10, 2007 4:37 PM

Well let's see, no one at the bar getting carded, the only woman in the joint is a picture on the wall... oh wait, but this is a speakeasy, not a place that has to play by any of society's rules.
Posted by: Hoochie Scoochie at April 10, 2007 4:47 PM

The Marx Brothers are also responsible for creating commercial cryptography in the movie "A Day at the Races".
Posted by: Alan at April 10, 2007 4:50 PM

I think the moral of the story is that some things never change. (In this case, it looks like more of a bad thing than a good thing...)
Posted by: Douglas Muth at April 10, 2007 5:05 PM

A sticky note is one thing, but carrying around an iconic representation of the password? Does he work for Homeland Security?
Posted by: derf at April 10, 2007 5:09 PM

One of the (recurring) themes is that (as the 419 scam shows in particular) an individual's greed can be a strong factor in weakening any security mechanism.
Posted by: Steve Parker at April 10, 2007 5:20 PM

Inappropriate granting of admin privileges? Allowing an unauthorized user to change passwords. (Contributed by my husband, "Xiphias" -- who got his handle from that scene...)
Posted by: Lis Riba at April 10, 2007 6:19 PM

"Horse Feathers", 1932, according to my "Complete Films of the Marx Brothers" book.
Posted by: Lawrence D'Oliveiro at April 11, 2007 2:03 AM

Trojan made possible by poor inspection of token (button), resulting in theft of massive quantities of data (jackpot). The button approximated the response protocol for access to the machine (small, round object of particular diameter, thickness and mass), and no further check was made (is it metal? &c), nor was a second authentication factor brought into play. This is like a hash collision - the attack and the expected token produce like results when the system inspects them, and it accepts the attacker as an authorized user.
Posted by: Archangel at April 11, 2007 9:09 AM

Security software that can be preempted to obtain access without authentication, or reverse-engineered from output to discover the expected protocol and tailor input appropriately (SAMBA 'attack') - the problem isn't even so much that the password manager gave out the password, as that he responded to bad input at all. Failing silently may not be user-friendly, but it is more secure than handing out debugging context to invalid users.
Posted by: Archangel at April 11, 2007 9:14 AM

Phishing attack - redirect of data (scotch) from sender (barkeep) to 'shot glass' funnel - looks like the appropriate recipient, but is really a link to somewhere very different (bottle), not designed to use and discard data, but to retain it for future use at the new recipient's convenience. Pass-thru, maybe, since it can be said that the proper data did reach the proper recipient (one shot, to Harpo), but the same authentication channel did not expire, and was then used to obtain far more data from the sender for the recipient's private use.
Posted by: Archangel at April 11, 2007 9:25 AM

HAHA! I'm glad someone brought that up, as well as the commenter who referenced the scene in ADATR as "commercial cryptography". I am guessing that you are referring to where Chico sells Groucho a series of interdependent books regarding the impending race. I actually had to lol. Marx fans++
Posted by: elixx at April 11, 2007 11:59 AM

HAHA! I'm glad someone brought that up, as well as the commenter who referenced the scene in ADATR as "commercial cryptography". I am guessing that you are referring to where Chico sells Groucho a series of interdependent books regarding the impending race. I actually had to lol.

"You have to have the master codebook for that."
Posted by: Alan at April 11, 2007 12:20 PM

Three weeks ago, I used a zombie movie to teach students about security: the backdoor, securing points of entry, detection, "Trojans", defense-in-depth, access control, don't panic, KISS, etc... Next time I'll add Swordfish :-) It's so much better to show movies and have fun while learning than to sit and watch the never-ending slideshows :-)
Posted by: flaugaard at April 11, 2007 4:39 PM

Unfortunately the video is gone now.
Posted by: Dave at April 12, 2007 3:36 AM