Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Fwd: n3td3v has a fan
From: Valdis.Kletnieks () vt edu
Date: Mon, 14 Apr 2008 17:54:21 -0400

On Mon, 14 Apr 2008 22:17:31 BST, n3td3v said:

Ok, my comment above was slightly a drop in the sky to get attention
of the problem, but look let's concentrate more on something else,
which you seem to have purposely bypassed and snipped out, even though
it was one of the key points...

I think what you're missing here is the concept of a "realistic threat model".

As for your "key point": 

On Mon, Apr 14, 2008 at 8:04 PM, n3td3v <xploitable () gmail com> wrote:
The identify of cars belonging to employees, partners and others
connected could be used against them, be followed off-site for thier
devices to be technically eavesdropped on, or company documentation to
be obtained, by stolen laptop, by breaking into car, by breaking into
personal home space of employee.

Yeah, it *could*. Bruce Schneier calls it a "movie plot threat"....

On the other hand, a *smart* attacker would do one of two things:

1) If you don't care who the owner of license plate "IWRKYHOO" is, you don't
*need* a photo - you can just do whatever you intend to do to that car *while
it's in the parking lot*.  If that's too scary, you just park outside the
exit, follow somebody home, and do the dirty deed in their driveway instead.

2) If you're trying to do a targeted attack, a license plate doesn't really
help you much *anyhow* - if you have enough inside help at the local Motor
Vehicles office that you can ask them "who owns plate IWRKYHOO" and see if
it's somebody interesting, you can find the name of somebody interesting via
other means (note you need to do that *anyhow* in order to tell if they're
interesting or just a janitor).  And at that point, you might as well just ask
the DMV insider what license plate(s) the target, and people in his immediate
family, have registered for them.

And anyhow - if you're worried about a mole that's been there 10 years,
remember that *that* guy doesn't need a photo, because he's been there for a
decade and already *knows* that Jim drives the blue Caravan with the dent on
the left side, and Wendy has that little sports car she bought last year, and...

So - come up with a *realistic* threat model that actually *depends* on
having a photo of a car so you can tell the license plate number, and does
*not* imply already having enough info about the target that you don't need
the photo....

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]