[CentOS] what percent of time are there unpatched exploits against default config?

[夜神 岩男]

On 12/30/2011 12:41 AM, Marc Deop wrote:
> On Thursday 29 December 2011 14:59:14 Reindl Harald wrote:
>> the hughe difference is: while having the same password (for the key)
>> it can not be used directly for brute-force und you need the password
>> and at least one time access to the key file
>
> Explain me how having a key protected by a password avoids brute forcing if you loose the usb stick holding that key?
>
> Technology is developing at a scary pace, have a look at this:
> http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/
>
> And this is with a simple card, imagine what you can do with a system with multiple paralel cards...
>
>
> Just to be clear: I'm not arguing which system is better/more secure. I'm just pointing out one downside of having the key in a usb memory.
>
> And bruteforcing against ssh servers are really difficult as some others have commented (and even more difficult if you limit failed connections...)
>

My IC card fries itself after 10 unsucessful attempts.

That is one way.

The military CACs fry themselves after 3.

They are not just disks, they are tiny 8-bit systems embedded in the 
chip. The key never actually leaves the card. The benefit is that your 
key is never exposed, even in an encrypted state. The downside is that 
signing really huge things can take a few seconds (like ~5 secs for, 
say, signing a decent sized RPM or email attachment, 15 secs or so for 
signing the a kernel RPM) because the card processor, not the host 
system, is doing the signing.

I don't know about the security of USB dongles. I've never used them 
before, but I'm sure that secured versions of them are much more than 
simple USB drives with a directory full of keys, but rather discrete USB 
devices which probably operate in the same way. I'm speculating, but I 
can't imagine this isn't the case with good USB systems.