PJ makes a good point about ROT13 or equivalents not being sufficient to justify being called an effective protection measure - it only counts as obfuscation, not encryption. Meanwhile, WEP (the older and weaker form of encryption on WiFi) probably should be considered such, because it was designed and marketed as such and includes a passphrase, even if it is rather easy to break these days.

My suggestion would be that if the access control is a whitelist based on at least one of the three long-recognised types of "key": something secret that you know (a password or PIN with a sufficiently large keyspace to be unguessable), something you have (an RSA token, SIM card, large cryptographic key or codebook), or something you are (a biometric, e.g. fingerprint or iris scan); if it needs at least one of those three in addition to the algorithm or protocol itself, then it can be considered effective access control for the purposes of determining whether access was unauthorised. ROT13 doesn't need any such thing, only the (trivial) algorithm; WEP requires a passphrase and doesn't send it in the clear, so it remains secret. Chip&Pin requires both the "have" and the "know" parts - the bank card and the PIN.

But a public venue that used WEP while displaying notices all over the place with the passphrase on it would not count, because the passphrase is no longer a secret from anyone who has seen one of those notices.

Likewise a SCADA system with a backdoor built in by the manufacturer does not have effective access control because the backdoor will eventually cease to be a secret. (Many a medieval fortress with impressive walls and front gates fell to a few determined men climbing up the latrine pipes.)

A good way to define the MAC address and pseudonym idea is that blocking based on them is a blacklist. Blacklists are notoriously easy to evade and thus cannot be considered effective access control in a criminality context, because they presume a priori that access is permitted, and only disallow access to entities that they can identify as belonging to a prohibited set. Proving a negative is much harder than proving a positive, so blacklists don't work very well. At best, they provide a hint to the user that they have overstepped some boundary, but unless that hint is backed up by an explicit notice, such a hint cannot be presumed as having been taken. So in practice they are used to reduce the burden from malicious users in cases where the damage they can cause is already limited (e.g. spam, flamewars, overload rather than theft or real damage).

Incidentally, physical access control measures might form part of the computer's access control - so using a fake ID (if it's one that isn't trivial to fake) to get into the premises might count as breaching an effective access control measure, as would forging or stealing a key to a physical lock that protects access to the required hardware, or installing a physical network bridge (e.g. a PwnPlug) that connects the "high-sec" network to the outside world.