Slashdot Mirror
How the Secret Service Cracks Encrypted Evidence
tabdelgawad writes "The Washington Post offers this writeup about how the U.S. Secret Service uses a Distributed Network Attack program to crack encryption on computers and drives seized as evidence. How can brute force still succeed with 256-bit encryption, you ask? Customized password dictionaries from the seized computer's email files and browser cache: People still use non-random passwords."
King Roland: The combination is: one . . . Dark Helmet: One. Col. Sandurz: One. King Roland: Two . . . Dark Helmet: Two. Col. Sandurz: Two. King Roland: Three . . . Dark Helmet: Three. Col. Sandurz: Three. King Roland: Four . . . Dark Helmet: Four. Col. Sandurz: Four. King Roland: Five . . . Dark Helmet: Five. Col. Sandurz: Five. Dark Helmet: So, the combination is: one, two, three, four, five. That's the stupidest combination I ever heard in my life! That's the kind of thing an idiot would have on his luggage!
Sounds pretty logical to me.
10101001
Why did they not keep their tactic of creating customized password dictionaries secret? Seems like they just gave potential criminals a big warning...
Or maybe they game them movie theater tickets
--
Want a free iPod?
Or try a free Nintendo DS, GC, PS2, Xbox. (you only need 4 referrals)
Wired article as proof
They decrypted my Paris Hilton Pr0n!!!!
My password is totally unguessable - I mean, who else has the password asdjklf;@#$#@jjdakl?
No - wait, I meant that *wasn't* my password! Hey, stop ssh'ing into my box! No - not my 20 GB of Sailor Moon music collection!
Well, guess I'll have to use my backup password of qwurf$#@ff5a` from now on - No, wait -
Damn it!
52 Weeks, 52 Religions with John Hummel
If your password is something you've ever written on your computer, its likely they'll crack it? Interesting.... moral of the story: dont use words found in the dictionary as your password. Inject spaces or numbers or punctuation into the word if you do. And dont write it down on a sticky note under your keyboard.
The Doormat
If you're not outraged, then you're not paying attention.
for having my hard drive encrypted by a key, on a flash drive, which is encrypted by a password that is generated randomly every five minutes and hased twice before I lock it in my safe deposit box.
If you're tired, sleep! Wenn Sie muede sind, schlafen!
See, that is why I use the good strong password, 'a@36fh_6^73sdv[:*4hnsSWaB1+h$j,Fennj00&QERvd"(@22 2237hk-i-h-h'. Let's see them figure that one out!
Er, oops.
HA! I just wasted some of your bandwidth with a frivolous sig!
Wouldn't the more hardened criminals use "real" passwords (such as a memorized GUID) encypted with 4096-bit encoding?
Or better yet...
Removable hard-drives!
once chinese wanted to crack Pentagon mainframe. Every chinese citizen tried a password. Third of the guesses was "Mao Tze Dun". At the try no 238 456 293 Pentagon's mainframe agreed, that password was "Mao Tze Dun".
Which kind of makes much hard for conspiracy theories that the FBI/NSA/Secret Service require all these back doors into encryption software and/or operating systems. What's the point when humans are still the weakest link?
It's always been known that a fully random password is more secure.
But it's a bitch to remember, so people use easier-to-guess passwords anyway.
Knowledge of this technique changes nothing. Any crook smart enough to use totally random passwords after this incident probably is already doing so.
retrorocket.o not found, launch anyway?
Where can i download the cracker they use?
In cases like this (and many others) security is only as strong as the person who manages it. Choose a weak password, choose weak security. I'm sure, however, if this information is public that their actual system is much more advanced. Sort of makes you wonder how sophisticated the NSA's equipment is.
shop.envescent.com - Computer hardware and more.
If your a run of the mill killer or what ever what are the odds that they are going to use 256 or 512 bit encryption? I bet most of the passwords they crack are windows LM hashes, which ware crazy weak.
Excuse me, that wasn't me. It was my stupid cousin visiting who jumped on my PC and wrote this on /. Yes, he is from Nancy, France, so what?
I use the built in crypto in Fedora (the device level encryption passed to a loopback file mounted under /enc). I doubt that, absent a key sniffer, my passwords would *ever* be discovered. I have some english words in them (most are long phrases with nonsense punctuation thrown in at several places), so I guess that could be some kind of issue. But overall, I feel pretty secure.
;)
Of course, I'm not actually defending any data that the government would care about, so it's all moot
(Unless the government has a pressing need to read my private journal about me bitching about how I can't get a date. In that case, those spooks are outta luck!)
Comment removed based on user account deletion
The U.S. Secret Service is having success with breaking keys using dictionary-attacks.
Now, reading between the lines:
The U.S. Secret Service has just perfected a brilliant new method of brute-forcing 256-bit keys in a matter of minutes using the same processing power as a pocket calculator.
Therefore the previous dictionary-attack system can safely become public knowledge.
Ripping an new rectum in the fabric of spacetime.
This ties in nicely with the "BBC Writer Tries PC Repair" thread. Most people don't understand their computer's software, even if they're criminals trying to hide evidence, apparently.
Have you read my blog lately?
"People still use non-random passwords."
What's easier to remember, Your dogs name or z*4jhDm28&:1~. Now I will wait for someone to reply with "but my dogs name is z*4jhDm28&:1~"
And you know what happens when people use a random password? They write it down and either put it in their top desk draw or on a nice post-it note on their monitor.
Computer prompt: "Please enter Password"
Decryption agent enters the word "password"
Computer prompt: "File is now open for access"
Don't blame Durga. I voted for Centauri.
How the Secret Services Cracks Encrypted Evidence
Looks like someone used Microsoft's Grammar Checker to create the headline.
Cache every website you go to, in fact, make a bot that just goes to websites and logs everything....
that'll waste their time.
Runnin' On Empty
How can brute force still succeed with 256-bit encryption, you ask? Customized password dictionaries from the seized computer's email files and browser cache: People still use non-random passwords
Okay, say I use a random password. Where am I going to store it? Likely on my computer - either as a file or as a sticky note. Either way, the SS has me hosed.
Yet, like most security systems, encryption has an Achilles' heel -- the user. That's because some of today's most common encryption applications protect keys using a password supplied by the user.
I can just picture the Secret Service cracking another case... "Aha! Another high profile mafia crime genius using his mother's name of 'mildred' as his password."
The one thing I learned from this article is that my passwords are safe from the relatively rudimentary techniques of the Secret Service.
I'm a big tall mofo.
Dictionary attacks and other brute force attacks still don't work too well on passphrases so those who use them can protect their drug money for a little while longer. It should also be noted that the DNA attack won't work unless the Secret Service has your private key file. The actual encryption can't be broken easily so they have to attack the weak encryption on the digital private key that's stored on your computer. If the key is stored in a manner that they can't get to it, then your data will still be safe. E.g. the key is stored on an IC in the computer that self destructs if it is tampered with like IBM's ultra-paranoid laptops. The IC would detect a brute force attack and destroy the key.
--
Want a free iPod?
Or try a free Nintendo DS, GC, PS2, Xbox. (you only need 4 referrals)
Wired article as proof
To really piss of the 3 letter agencies all ones has to do is double (or more) encrypt something. By using different keys or for that matter even a different encryption program would make it a lot harder to crack.
Of course I'd probably end up in Camp-XRay being tortured for the password. That's not where I want to spend my summer vacation.
There is nothing so silly as other peoples traditions, and nothing so sacred as our own.
I will always use simple passwords like 'password' or 'root' because I keep all my Assisnation/Laundering files encrypted on a RAM drive powered with a capacitor that keeps it valid for about 5 minutes.
Not long enough for the PC to make it back to their forensics lab, but, good enough to last a reboot.
The only PT Boat Journal on the web: http://www.PT171.org
"This is probably because people still have non-random memories."
Pfff. I can remember the opcode for the 6502 halt-catch-fire instruction. I can't, however, remember what I had for breakfast. How's that for random?
It's becoming increasingly clear that human language facility is mostly a giant system of cross references. Sometimes those references attach to other experiences outside the language network, like other sensations and actions. But the language itself is a highly flexible collection of weighted references. There's no intrinsic "meaning" to the words and other language elements, just our shared experiences, including our experience of language itself. These private dictionary attacks are an extremely sophisticated attack on the very human space of personal language constraints.
--
make install -not war
You know, it's amazing that Kevin Flynn had such trouble getting the info he needed to hang Ed Dillinger out to dry, considering that the password for the Master Control Program was "master".
I guess we've come a long way in the past quarter century. Except when it comes to choosing passwords.
Especially when all they have to do is offer them chocolate before they bust them;-)
If brevity is the soul of wit, then how does one explain Twitter?
But the point of the method is that if you use the same password several places, its possible that one of these places are clear text, which the NSA will find. Or if a password is stored by several different ways (some different bits some different hashes etc) I wonder if you can do some kinda combo attack that finds where the different methods intersect to get the password easier.
You don't have to use random passwords to be secure. Slightly modified acronym passwords tend to be almost as good as completely random passwords, and people tend not to mention the phrase that the acronym is from very often.
For example, a password 'JWfimf#aIgtVae' is about as good as random; and yet, it's simply an acronym for "Juffo-Wup fills in my fibers and I grow turgid. Violent action ensues." with a hash sign thrown in for good measure. Any Star Control II fan would have an easy time remembering it after just a couple uses.
I once listened to a Philip Glass record for an hour and a half before I realized it was skipping.
Even allowing for a 10 character word length and 4 randomizations per word (letters, numbers, spaces) that's still under a million variations.
From the article:So that's less than 25,000 seconds to crack your password.
416 minutes
approximately 7 hours
People just cannot memorize enough randomness to defeat that kind of attack.
I always wondered this: If your computer is siezed, but the incriminating data is encrypted, do you have to give the password to decrypt it? I'd imagine not, since it would be self-incrimination. But it seems like a lot of people get caught with having illegal stuff on their hard drives. Are they just not encrypting their data? I can see someone not knowing how to encrypt a cache of internet files (kiddie porn or something), but wouldn't most people who attract this kind of attention just keep stuff locked up? Anyone know how well Macs auto-encryption stands up (whenever you log out, all personal files are encrypted using a 256 bit key or something)? It's one feature I think is really neat with Mac OS X on my brand new Mini.
Most passwords aren't safe because they're short, simple and guessable. For my root password I use a 20-something character quote with an intentional typo; I could easily use 50 as well[1]. So it is a bother to type, but how many times a day do you really log in to your system? At least it won't be that easy to guess, even with a dictionary... Just don't use it as your .sig...
[1] The infamous example of Oh, Captain, my Captain, our fearful trip is done! is exactly 50 characters long; insert a typo wherever you will.
Ignore this signature. By order.
I tried viewing the WashingtonPost article in Firefox, and it did not render correctly. Then I tried viewing in IExplorer, and things were fine. (I'm running WinXP-SP2 with extra large fonts.) Did anyone else experience similarly?
It looks like they figured it out after all. I just hope Martin is OK...
... courtesy of Password Safe, http://passwordsafe.sourceforge.net/
It all comes back to the old axiom: If you rob a bank, make damn sure you pay your taxes.
The basic idea is, if you break the law, you cover every hole you can think of, no matter how trivial. Just like Al Capone should have paid his taxes, criminals (and everybody else for that matter) today need to start using better passwords.
Answer? They guess the password like everyone else.
Nothing to see here, move along.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Can they subpoena your passwords from ISPs and your email providers, online websites, etc?
Does anyone have any ideas on how well FileVault in Mac OS X would stand up to this? Seems to me that with a strong, unique password it would be pretty much unbreakable since the entire home directory is encrypted.
that the most common passwords are god, sex, love, and secret.
The Chronic *WHAT* les of Narnia!
I set up knoppix with two swap partitions. I did this so that I could take one offline and figure out how to encrypt it, put it online, then take the other one off, encrypt it, and then put both back online.
Now that I'm running Sarge installed to hard drive, I can't remember the settings in fstab that I had so that the swap partitions were encrypted. So if anyone currently has their swap set up as a loopback device and encrypted, please paste the line from fstab here, thanks. I looked a while back on google for it again but got distracted. Now that we're on the subject...
A link to setting up a reiserfs as an encrypted partition for a (in my case) second data partition would be appreciated as well.
What if someone uses non-printable characters or so-called 'leet-speak' in their passphrases. Would their software have trouble picking up on stuff like this, or would they have already anticipated it?
Works fine here. I'm smelling a troll...
Comment removed based on user account deletion
128-bit AES is used these days based on the assumption of computational infeasibility with today's equipment, even assuming millions of computers all crunching at once.
Well-financed terrorists or crime-families can easily access the same resources available to government agencies. if our privacy can easily be undermined by FBI or CIA, what keeps us safe from the Mafia attempting identity theft on millions?
Some can argue expotential growth of computational power. But even after making that assumption, and weakER (not necessarily "weak") passwords, it should still be near-impossible today (unless backdoors). And by the time computational power has grown, so will the encryption key-length. So technically, yes, a person traveling on a time-machine from the future can destroy our entire dellusion of "Internet security," but until then, I'm happy with my AES or TripleDES.
Enter a new password: ***** [penis]
Sorry, your password is not long enough.
Enter a new password:
There's no place like ~/
I can see it now, all the criminals will be recruiting the kiddies chatting on AOL to make their passwords for them.
I just changed it for you. They'll never guess this time. Neither will you, I'm afraid, but doesn't that make it even more secure, in a way?
Well, what if I keep my passwords private (hey, they're passwords) and I don't E-mail them or use them on the internet where they might be stored in the browser cache. What if I encrypt the place that the browser cache is stored so that it's not accessable without the password that you would find in it? What if I know they are coming for me and I take the aluminum discs from the HD and melt them with a blow torch...
Silence is golden... and duct tape is silver.
criminals (and everybody else for that matter) today need to start using better passwords
Well, OK, so you're talking about this in more or less academic terms... but, I'd say that what criminals really need to do (um, espcially the ones that are smart enough read up on this sort of thing) is to use their brains for, say, something other than crime.
Don't disappoint your bird dog. Go to the range.
Passphrases are the only sensible solution I've ever heard of for divising keys that are both relatively easy to remember and sufficiently random so as to be secure. A random string of characters cannot be reliably memorized. Any word, no matter in what language and no matter how obscure, can be cracked by a dictionary attack. A sequence of words chosen at random can be memorized, and if it's about six or seven words long, is probably beyond the reach of cracker software, even the Secret Service's.
One of the best ways I've seen to construct a secure passphrase is Diceware. Arnold Reinhold constructed a list of about 7500 words of up to six characters in length. Roll five dice to pick out a word in the list; do this a few times to create a passphrase, commit the phrase to memory, and burn anything you might have written down. He calculated that if you choose a passphrase consisting of seven words this way, you have about 90 bits of entropy, which a cracker probably couldn't break in this lifetime. His sample phrase is cleft cam synod lacy yr, which probably takes some practice to memorize, but it can be done.
Always keep a sapphire in your mind
True enough, but if they're not using it for what they're doing now (i.e. crime), then you can't really expect them to use it for much else, now, can you?
Least complex for the nine-and-a-half billion websites that want me to have a password
So now CmdrTaco can login to your Amazon account?
Of course I have a secure password. It's long, random, and makes use of every possible type of character. Now if I can just find the paper I wrote it down on...
This might not be new to some, but it's quite easy to create random passwords that you can remember, although, I suppose you could argue that they are not completely random. Anyway, here goes:
1. Think of a sentence that you can remember, e.g., "My two lovely kids Spike and Mary eat noodles every day!"
2. Take the first letter of each word and use some common substitutions: "M2lkS&Mened!" - Bingo, not only is it a pretty random collection of letters but it includes numbers, upper case and lower case mixed and even punctuation. All lovely stuff to blunt brute force password attacks.
3. When you type it in, say the sentence to yourself in your head. It's really quite easy to remember that way. Also, you can even just about get away with writing it down (in an office environment) and not many people will understand it. Of course, I don't recommend this but people are people.
4. Don't forget to dump the sentence every few months or so and make up a new one. It's no big deal, they're easy to remember.
Hope that helps some.
Free MacMini
1 2 3 4
Just like on space balls.
1,000,000 keys/second is nothing special. I can get over 3,000,000 at home with my own cluster! Damn they're slow! Even at 1,000,000 cracks/sec, it'd still take over 3 decades to get anywhere interesting, assuming someone picked a strong key.
Silence is golden... and duct tape is silver.
In Soviet Russia, encryption cracks YOU!
The problem is that I have 5 steel keys for my snailmailbox, for my car and for the office.
However I need to remember several hundred logins and pincodes. Each of them should be unique and difficult for others.
So what do most people do? They either choose something like 5 pincodes and passwords or start writing them down.
Also you should replace all these passwords every so often. I can imagine that there will be people who are able to do this and I also know they are the minority.
Don't fight for your country, if your country does not fight for you.
Something you can plug into a computer and which can hold a decently random key. It would of course also need a "fry me" button, or maybe a "don't fry me for the next 12 hours" button.
Security is a process, you can make it as secure as you like but you also make it a severe pain in the arse.
Government of the people, by corporate executives, for corporate profits.
Grab any book off a shelf pick a random page. Use the first or last letter of every word to generate a key of any desired length. Using this method and mixing random pages you can make a unsolvable key. ie you can do 1st, 2nd ...30th word on very 2nd 3rd, 4th or 20th. Even if they had your key generator ,lets say you picked Leo Tolstoy War and Peace. No amount of distributed computing will crack the permutations that one could create using this method before our sun dies out in 4 billon years.. as long as the method for encoding was only known to you.
This method was used by a prospector to hide a fortune in gold (40 million in todays value) in the late 1800's. He left 3 messages on how to find the treasure. One message the key was based on numbering every word in the Declaration of Independence and the numerical code coresponded to looking up the appropriate numbered word. The second and third message was coded by using books in the same manner, but those books (the key) were were never discovered and to this day the hidden treasure has not been found.
DNA scours a suspect's hard drive for words and phrases located in plaintext and fetches words from Internet sites listed in the computer's Web browser logs
So, what if the entire drive is encrypted?
At my former job, one of the programs we used would return "Password is not correct" if you input the wrong password.
:P
So, for a month, my password was "correct".
Hey, at least I had a handy reminder if I ever forgot what it was.
Personally I always use 4 to 5 word phrases that I make up with some random number or symbols between each word. It's easy as hell to remember and hard as hell to crack. So you get the best of both worlds.
I once had to terminal service into our server to unlock it for a support tech. The tech hit the floor as I was entering the password and he saw how many character it was.
Why do that when I can have someone do it for me?
Yup, my new password is gonna be "Google". Let the SS try and fuck with that one!
Looks like your password is the least of your problems....
Consider that if the password was actually not correct , the computer would never say "The password is not correct", and most of the time when it did tell you that the password was "not correct", it would by lying.
Don't blame Durga. I voted for Centauri.
Oops.
Amen to this... This is the technique I use as well.
/\ (A) with shift still down
Also, the hardest password was still a word at one point... just garbled to the point it's not recognizable, even with common replacements.
You could take Toast and make: 83O?|stea
83: Ascii for T
O: The letter O
?|:
s: The letter s
tea: tea (t)
Then, just remembering Toast is usually enough to remember the actual key sequence.
The only problem is that some sites don't let you use special characters in your password. Why the hell this is, I don't know.
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
Hey, SS!
W MS bDwKKMWLDYRUG88 15gzDnFVPCDgH9L/ 0Rzyh7hF1J5xm2t wZhkXjCaTR02/H9+ AQ8lDFKVDQYYAiA wGUJc/GOgAbO668a KoitTl8bwK8AmrO SpddpBa2gWgfs8lm b6KUrfCes38xSe5 b05d6LKHphwyXXb1 rrDaw2ct6Qt5lAq qIFNM+UHcIQCP6kE eIj6niRoG87m7XU mRfoYnj9H4WpHd2X PdIT6AZX23rWK84 dj+A1ee7y/w255AS JxBoteG0EKC1j8H jouJ6RdammqmHWYC sjpmATiWHEP6jfM OPb0qSCyk8DWaEt0 IZIjqS/QwVV3Ng2 GSy2D9i1P6/xiy6a ASo8qSeArFO4KZl E05enZbjjD9zuliM M09a1L9RDGwB1TQ M8AszGHfdK07+VI7 4sODIqxI46pd/aN Oftik4aRCNozbquR 0wJ+UDaX8f2Qf34 BVR0sFMO/Pw8tktG 70WC3Y6rDt02G97 nCPRIkfrZQ6GUNIQ jDhNphAkJjZQg7g IZRGRTBiSTyC4u9d fF1NLlh/iDHEwH7 l00xu9nQCt5PA+qf xIkJN4vsIidT0hD HP7FGrsEsjtrSEDE wEXjKPAltPlmQTr ms/8QXoDCJ/TGbFR b8vpes6+8ce5iiO RX0rs8uzlaDNYnP+ PSwMYBPLhLEbznV hyvtB0UxjP8VeVGY +ZIMgT+pnKyuGb/ xR7XScBtV7W4dSPu 0uiwSnoprHDY10G ZKL17aTZzxxwLgcC q0EfCKNuAR09pms q/bQw8y5OG0j96ym h5CA4YlCfJvdGVT 3z/mHqNvkddu5QPj iIn4BXsLTIUMBv0 GWlHtF9zrDZ4JO8z aubc1mOsEDI1hfE KGIGd+I0l32NbU1n OB6ju7MtqzYGgaZ kcP1uN1mKiFtMQxF QxiPU+bUJhvCI=
Go stick a pig
-----BEGIN PGP MESSAGE-----
Version: PGP 8.1
qANQR1DBw04DB6hKqQuGABkQD/4ndRFLEcpsuHpf24/Moh2
4Jap4LfE3kpiVoiHvKWpSTz2z6lxbknY8
nVF1z1EkQPgNJhk8nrzSs3fu96D9wSuLE
XI4Z1knJn+kLvXhyDOXfoyBp8htnRsG5A
HNgk/wpSGPODVb1VQ3CL8uy1F1efM1UWm
tzfZ1b0RxyeKJkkSAwJFRH9pJb3cmXfw7
Ot8+RMrUVd1w3EXEZFO2lV0NeHyWlw0V8
EbdUD8Q7rrW8ELD1MBYR/uW0paxJKClUf
GLJPRDo+1DK5JWGzCDmpCqPCk/hC6IaTY
EEgdDMGn0/7PVP221FfvUmHiEptXaOIfr
V1Vw12K2pNTt5h9oVhf0N0g1GyD4jLLmp
i6516BAAj4IEcxfYcbEyxvfyDqwkxzJ6R
ATj5YyIDe2HnX66b6z9KaJrRlStSAhKr8
glArSeHh09AKDyYOYRA3eOp6Tdlog4qua
frOd100aZXP0w5928LbQT4HSUw9pQAsIL
tvX51ONAm2hSsjkWiBO9n2TMnYYV4th1m
ZE6hbscNP2dPGk9Zn1xn0HJSzogOqOYwc
4X31KiVUuJ4LsTNrpvLwl1P+rvzrPHr3E
MdarZSX1QRgEJt/ncSvfhqHwGo21HR9lZ
YcopCBgJX61SHI+zdZkvbZ+z0NrrnTx5Q
dzMXIikb/312gs99vRUxKh+4tQlSQKlrW
7iIxoRlYaN5QcwPizj9cFy6AQBGHZGnXD
JD0YluWuDrSeGkgFtYzFSf/HPdv8jrHPd
liHKlUowBHmL7pbP5F/A348XNovPFL/YG
rRO7SHaproOa+CchbNySs2raYmqk02veb
P54a5qvTc3f3qv5MhvktHrQV6BGzBJvZP
pfRCp8Np+DUPqT7CswmULPjYlsJJjHsxa
+yPSaWVugMtoyBwruemTV9AwgE90W6nw5
LPNVSamLx1VY4rwe7yePeAredp8VuT+nJ
yiiy1f9TE3GVMogQ00c4OIpWXjNMa2GZF
=qYai
-----END PGP MESSAGE-----
and you mother, too!
M
trustedworlds.net - gaming, security, and the gunk that lives in between
...a cracker!
One of the best solutions I've seen is to use tier passwords plus a case-dependent "salt". For example your base low-security password could be the string "HB9y1a" (possible to remember when you use it for 10 different things), and then you can append the first two letters of the site you're using. So for slashdot your password would be "HB9y1asl". Of course you don't have to do exactly this; invent your own variant for extra obscurity.
And you did not even hold out for chocolate even!
During the cold war, Kennedy instituted a program to add numeric keys to nuclear security so missiles couldn't be launched. In act of defiance, McNamara had all the codes set to '000000.' No, not making this shit up.
I stole this sig.
Wait... Secret Service employees have administrator rights? This is just wrong. Their IS department should know better.
no no no, it just makes you look like an idiot for using the phrase "king george"
Akamai's crappy network goes down again. WhiteHouse.gov is non-responsive and the piss poor dhs.gov site is down. Does that mean Akamai has launched a terrorist attack?
I'm still safe as long as they don't also seize the sticky note on my tack board.
I actually have work related passwords that I cannot change. Every 3 months the password expires and I have to call through 2 admins to get it set to something else.
I don't need no stinkin' sig!
Any password based on a word is inherently flawed.
A much better way to create passwords is based on finger movements. For example, the index finger horizontal rows on the keyboard give a password such as: r f v u j m (type that password in notepad or something and you'll see what I mean)
This is a very simple example of finger movement passwords. Much more complex passwords can be created by alternating fingers (r u f j v m), or using more fingers in the pattern.
I personally use a password that is 12 characters long that I have no problem typing but I couldn't recite if my life depended on it.
Just make sure you don't inadvertently encounter a dvorak keyboard layout!
- Cary
--
Fairfax Underground: Where Fairfax County comes out to play
I use secure passwords for all sites including this one. It's easy. I can even figure out what my password is on a site I haven't visited in months by looking at the site. I use a part related to the site plus a random string of letters plus a number. These three elements are assembled to construct a valid password. The only level higher security I go is two random strings plus a rotating number from an unused old telephone number of a friend of mine that I no longer know. If they want to crack it, they will sniff me anyway.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
I am an avid reader. I was thinking what about grabbing the first sentence on a rememberable page number from a specific book. So for my passsphrase I could choose the frist sentence on page 1024 of the lord of the rings 3-in-1. I can probably remember the sentence and I can look it up, but it'd be rather difficult to brute force. For people that carry a holy book around with them anyway choose a *RANDOM* page from it and use that. Then all you have to remember at a worst case is: E-mail LotR 1024;l Linux "The Curse of Madame C" 11; and banking "Oryx and Crake" 69. I have ~200 books in my room.
Your CPU is not doing anything else, at least do something.
It's bad enough that most employers force antivirus programs to scan EVERY file (even non-executables) for viruses. If you had something like this "silently" running on a laptop, the fan would run %100 of the time with full CPU load. All that extra heat would probably wear out the laptop far sooner.
I don't understand why they would just use employees computers instead of having a server farm dedicated to this task. I'm sure they have enough money and it would be cheaper in the long run.
"Computer users often experience system lockups that are often inexplicable, and many users will uninstall programs they don't understand," Lewis said. "As the user base becomes more educated with the program and how it functions, we certainly retain the ability to make it more visible."
And they usually lock up because of some background tasks that were silently installed. Of course the user would want to uninstall it.
Call me stupid, but why isnt it possible to just cycle through every single possible combination? If they have such a powerful cluster, couldnt they just start at "a" and then "b" and so on? Why does this not work? Just how many possible combinations are there, and how long would it take to just go through them all if they have such a powerful computer network?
I use some pattern-based passwords because they are easy to remember and difficult to crack unless you've got a keysniffer. Add in some key shifting, and it gets even stronger.
By pattern-based, I mean that I make patterns on the keyboard that don't actually have meaning. They are fast to type and conducive to finger memory, and sometimes even I couldn't even tell you what they are without seeing a keyboard! How's that for secure?
XeoMage
As I just posted, I'm not advocating torture. But your example isn't valid in this case: if you are being pressed for a password, your questioner will know if you lie: with a lie the password won't work. You either know it or you don't. It's not "did you plot to commit X" it's "reveal the solution to this really hard math puzzle you created". The normal arguments against the efficacy of torture don't apply.
That being said, who cares if torture is effective and accurate? Principle forbids it on fundamental moral grouds.
For example: "master" would be ",sdyrt"
Easy to remember and much more secure.
... but this one looks the same as mine...
Ignore this signature. By order.
He then proceeds to get his golf bag and head for the links. The course is beautiful, the sun is shining, and his game is great.
Up in heaven, St. Peter asks God "Aren't you going to do something about this?" God replies, "Wait and see."
As the round of golf continues, the minister is shooting the best game of his life. On the 18th tee, The minister swings... God commands the ball and it bounces off the water, out of a bunker, and right into the cup.
St. Peter is incredulous. "Why are you REWARDING this man for shirking his duty!? I don't understand?!"
God replies "Who's he going to be able to tell about it?"
Why, oh why, didn't I take the Blue Pill?
Sorry, your password is not secure, please try another.
This is not here.
I have a 25 character MS Office 2000 CD-Key memorized, would that be considered random enough?
"With sufficient thrust, pigs fly just fine." -- RFC 1925
I think Canada should ammend the criminal code such that a search warrant that specifies seizing data is effectively a subpoena for the passphrase as well. But there should be no way to subpoena a passphrase for a key that is only used for signing.
Other countries should have similar provisions, but I was thinking of Canada because that's where I am, and the government has the "Lawful Access" consultation process right now. It would lead to much less abuse than banning encryption or requireing backdoors, which is what the council of chiefs of police want.
Sorry, your password is not secure, please try another
This is not here.
What about those who encrypt their entire hdd except for the boot partition and have no swap partitions (lots of ram). Then they further encrypt everything else in even more encrypted files. You've got to love Linux's ability to have encrypted HDDs (the only reason that I'm not including *BSD is beacause I've never used them, and so I can't speak for them).
Oh, and a lot of the newer high-density HDDs use glass plattars, so any really good impact will just shatter the plattars too, effectively destroying the data.
Personally, if I were to be doing anything that would warrant the SS's attention (and I'm not, for the record), that's what I'd do, on top of some of those insane things that IBM and the like offer up with the chips that destroy themselves when they're tampered with (I'd have a little "pull here to destroy" cord put around that thing asap, or at least a hammer nearby and a target of where to hit put on the laptop).
I teach math. Often one question will contain the answer to the previous question. It makes no difference.
So, someone will memorize 5 random words and that will give them approximately 64bit security.
But 64 bit was cracked by distributed.net a few years ago. And the machine are only getting faster.
It isn't whether you can put the randomness into a form that could be memorized. It's whether people can memorize it, without writing it down.
People still cannot remember the bad passwords they use after they've been on vacation a week. That's why everyone knows to look under the keyboard for someone's password.
For 99% of the people, if you give them 6 words from there to memorize and don't ask them what they are for a month, they'll have forgotten them.
They'll have forgotten them in 2 weeks.
They'll have forgotten them in 1 week.
They'll have forgotten them in 24 hours.
Unless they use them multiple times, every day.
And you'll still find them on sticky notes under the keyboards.
As for Chavez, he has done his share of dissent-crushing and deportations and indoctrination. Just because he is "against" the "neo-libs" doesn't excuse some of his actions. Venezuela sells a good chunk of its oil to the States -- they may be at loggerheads but they still do a lot of business together.
Sometimes seventeen/Syllables aren't enough to/Express a complete
e.g. I choose my password to be "CIrpotb,". This was the password of an intern where I used to work, he gave it to me when he left in case I needed any of his files. It is the first letter of the words in the Pearl Jam song Jeremy: "Clearly I remember picking on the boy,". This password is very memorable, as this was back in 96 or so, and I still remember it.
On to the rules...
Take your starting password, remove all vowels: Crptb,
Now invert all the uppercase/lowercase: cRPTB,
Bookend it with the first/last letters of the band in uppercase. Password is now PcRPTB,M
So let's run through it for another one:
"I've been caught stealing:once when I was five." Password is IbcsowIwf
Apply Rule 1: bcswwf
Apply Rule 2: JbcswwfN
Your password hint for this password could be: "Ritual - No vow, invert, bookend"
If you make up the rules, and have reminders to them, people aren't going to be able to figure out your password.
My beliefs do not require that you agree with them.
He said random, not retarded.
No offense intended.
"I use a Mac because I'm just better than you are."
I worked for a major retailer for a time. My first walk thru the financial auiting department found passwords post-it'd to monitors in plain sight, or just under the keyboard/in the top drawer. In the FINANCIAL AUDITING department.
The building at the time was not that secure. You could walk in off the street.
Yep.. the human factor is rarely correctable.
{} ------ When I think of a good sig, I'll put it here
Not a good idea. John the Ripper has a rule for exactly this trick.
OK, a little "Ask Slashdot" here:
I'm sure this has been discussed before somewhere, but what if you had a file that contained the list of all possible combinations for 128 or 256 bit encrption and fed that through a network similar to the one the SS is developing? Seems to me this would remove a significant part of the processsing required to break encryption. Or is this what they're doing? The article seemed unclear about this.
And, I know it's a *big* list/file, but not impossible to manange on some sort of system (mainframe?).
And I'm also curious, if this doesn't help solve the problem, why not?
This is why I love the Mac so much. I use the Keychain application to store passwords I have that need to be strong, but that I may use only once a month (if that much). If I want to see the passwords, I have to enter the password to my user account (which is also strong).
And you know what happens when people use a random password? They write it down and either put it in their top desk draw or on a nice post-it note on their monitor.
Well, so what? Physical security is more important than passwords. If you can open someone's locked desk drawer without being noticed, or even sit down at someone else's desk long enough to read their monitor, then the site isn't very physically secure.
After all, why should anyone care about "secure passwords", if you can swipe a paper copy of the same data from the filing cabinets if you really want to?
I just keep my new passwords in my wallet, and read it when no one is looking, until I've got it memorized. Most people are already in the habit of keeping their wallet out of untrusted hands; I know where mine is at all times (generally, in my right front pocket).
A good password choice will help to prevent untrusted people from accessing my data remotely; but if unwanted instruders are physically wandering about on-site, well, a lack of computer passwords isn't going to stop them.
And if some evil secret service agency wants my password, I'd rather they steal it straight out of my wallet rather than feeling they have to resort to "rubber hose cryptanalysis". Not being Rambo, I know I can't stand up the likes of,say, the CIA, and win.
--
AC
Someone please correct me if I'm wrong.
6 6shous e
If you are given an unlimited (or sufficiently large) permissible number of characters, than why not just use a whole sentance you can remember.
For my WPA security key I used to use:
ThisisthelocalwirelesspasswordforWhiteWolf6
Yes, I've change it now, so feel free to use that to try and log into random access points.
Fairly easy to remember, extremely long, and IIRC, not susciptible to dictionary attacks.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Any of you read Dan Browns Digital Fortress?
;)
Basically in this novel the NSA has a secret computer called TRANSLTR, the most powerful computer in the world, that simply brute-forces anything it comes across in 6 minutes. something like 20 million processors or some such large number...
Read it, it's good for people of a paranoid frame of mind
C17H21NO4
"The effort started nearly three years ago to battle a surge in the number of cases in which savvy computer criminals have used commercial or free encryption software to safeguard stolen financial information, according to DNA program manager Al Lewis."
Oh, how the might have fallen...
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Nah, they just need to steal more so they become revolutionaries or businessmen. "One lawyer with a briefcase can steal more than a thousand men with guns"- The Godfather.
My little site.
You are completely correct about the limitations of most people's memory.
So, the solution is to have all the login attempts LOGGED (and from where) and that a PERSON read those logs on a regular basis.
Also, limit the number of unsuccessful attempts per time period. Example, after 3 unsuccessful attempts, your account will refuse any more login attempts for 15 minutes.
That's 12 attempts per hour.
288 attempts per day.
As long as your password can withstand that until a person can review the log, you'll be fine. The attack will be noted and handled.
Of course, this will do NOTHING for the case where your equipment has been taken and the attackers can bypass the delays.
Your only real hope in that case is to physically destroy the hard drive.
Passwords are INEFFECTIVE if they are not CHANGED REGULARLY.
a station wagon full of astronony data tapes traveling down the road at 50 mph...
Seriously, is this a no persistent storage + knoppix boot scenario?
Particularly amusing is the fact that the distributed clients are designed to remain hidden from the user, apparently out of concern that users will remove them to get their computers to run faster. Which makes them potentially a pretty good black hat tool.
I wonder how long until one of these escapes from the Secret Service?
Well-financed terrorists or crime-families can easily access the same resources available to government agencies. if our privacy can easily be undermined by FBI or CIA, what keeps us safe from the Mafia attempting identity theft on millions?
For people who live in countries other than the USA, what's the fundamental difference between the mafia illegally reading our communications in order to further their power base, and the CIA doing it to further theirs?
--
AC
And exactly which line of the 1040 do I claim my "alleged" illicit activity??
This is not here.
So, I guess all the people who are concerned that protecting their privacy using PGP and such will make them targets can stop listening to cries that they are spewing "FUD".
Oh!! Thank you for the update! Now this is how we proceed. Create a file called MyPasswords.txt in each and every hard drive you have and fill it up with a million random-generated strings of characters. They will spend decades trying out every single string in the file to find out at the end no one works!!! Buhahahaha!!!!
It's called FileVault. Your home directory is an encrypted (AES, I think) sparse disk image that is transparently mounted at ~ upon login. Nifty, since they can't even get your browser cache, etc. without knowing your login password (or your emergency systemwide backdoor password that you can set). Plus it's so easy to use, you don't even look "suspicious" doing so. I think the NSA securing your Mac OS X box guide even recommends it.
that sounds familiar...
But will they be able to break my password?
It is:
i4m4v1337-4nD-1-m-u51n6-4veryd1fficU1t94ssW0rD
If you mod me down, I *will* introduce you to my sister!
"Service", not "Services". Proofread!
Think about it: this article would just encourage high profile targets to use 30+ characters of random garbage for their keychain passwords, rendering their methods next to useless. They're not that stupid.
"How did you break that 256-bit encryption so fast?"
"With our mad deadly worldwide gangster communist frankenstein distributed computing network, bitch."
Tin foil is still the best buffer.
On my linux server at home I have a 40GB filesystem that's encrypted with AES. The password is a 20 character phrase that has significance for me, it's not recorded, written down, no one else knows it. The filesystem unmounts itself after a few minutes of inactivity, which can be a pain sometimes, but stories like this give me a warm happy that I'm taking these precautions. Needless to say it's not automatically remounted on reboot.
Several people I know simply remember the feel and movement their fingers make typing their password (after a few (hundred) times). I do at least.
Especially when all they have to do is offer them chocolate before they bust them;-)
1 70-2005Mar1.html
Or especially when you can send them off to Cuba or Israel or Egypt or some other state that condones torture? We call it "rendition". (Israeli law allows torture in ticking timebomb cases and "moderate physical pressure" otherwise.)
http://www.washingtonpost.com/wp-dyn/articles/A64
A NYC lawyer blogs. http://www.chuangblog.com/
You are too obvious in that get up.
This issue is a bit more complicated than you think.
I prefer to use an encrypted file on my machine containing my passwords. 2048 bit encryption will keep out all but the most determined hacker. All you need is a very strong passcode for the password vault.
liberare massarum ex ignorantia, clausa descendit molestie.
One important technique in cryptanalysis (or intel/counter-intel) is to always keeping your target guessing. If the NSA has already broken RSA, they would be well served to keep their mouths shut about it and keep cracking away...or maybe show the public some distributed cracking system that runs on cheap commodity hardware. This way people will think that the conspiracy theories are BS (grin), and continue on (because after all, our keys are secure, so we're immune to this technique, no?).
-Turkey
my password is pretty random.
so random in fact that I don't even know what it is.. seriously.. it's about 10-12 chars long and includes alphanumeric, slash upper and lower case, slash special chars.
the only thing I know about it is how to type it, but I have no idea what I'm typing.
sometimes when I jump on a laptop or one of those split keyboards I have a tough time trying to type it out 'cause the space between keys is obviously different and I have no idea which keys to press.
the way I did it was as randomly as possible wrote out random chars on a post-it, learned how to type it out and tried my best not to memorize the actual password. I then shredded the post-it, burned it, mixed it with other shredded burned material, mixed that with water, bleach, and other chemicals..
in the bonds, ppka
Nah, they just need to steal more so they become revolutionaries or businessmen
Right, right. Of course, I forgot. Anybody that starts up a business is a criminal. I keep forgetting I'm on slashdot.
Don't disappoint your bird dog. Go to the range.
Potheads have pretty random memory.
I use random passwords. I use Keepass to save them. Now, most little things (forums and such) I use one password. That is a 20 character alphanumeric. /. can't display most of them. ¦Ä©`_U
All important passwords use non-ascii characters.
My password for the password safe (with the actual random passwords stored, I don't even know most of them.) is about 40 characters, totally random.
1. NSA visits Microsoft (circa 1997).
2. Keystroke logging now a 'secret feature' built into Microsoft operating systems and available only to NSA (circa 1999).
3. Big front put up to pretend otherwise.
Offer the suspects chocolate or free move tickets in return for their passwords.
Logic fails you.
"Criminals with enough money are businessmen" and
"Businessmen with enough money are criminals"
are two different statements. I do not agree with both. HOWEVER, often the means of accumulating large sums of money are closer to crime than should be allowed. Skirting the rules of groups as a whole and "morality" is rewarded too often within the boundaries of our current social systems. I don't particularly believe in morality but i have to sleep with my own dreams, which means I'm not rich and slightly bitter that I'm smart enough to have bad ones when I do bad things.
Quit dragging me off topic with your 'karma to burn' self.
My little site.
From http://www.irs.gov/pub/irs-pdf/i1040gi.pdf :
Line 21
Other Income
Use line 21 to report any income not reported elsehwere on your return or other schedules....
However, there is no such protection in civil cases. You can be called to testify, compelled to produce evidence and answer questions. That would presumably include passwds.
My favorite password came from my 386.
I was running on a maxtor 212MB hdd, running MS-DOS 4. The system crashed while playing a cd and running Cthugha. On reboot the drive was very unhappy. I re-sysd the HDD and managed a dos prompt, lots of stuff was missing. I ran recover just for kicks and it made me several hundred 8 character random hex named files. After opening the first 50 or so in edit and finding the text files I really wanted. I started hunting out binary files and running them. One file in particular put me in 40 column text mode then crashed leaving me there. Without the heart to delete it, but being too lazy to rename it, I kept it's name. later on when I needed mid level passwords for things this was it.
I've since started memorizing ISP/shell account default passwords and reusing them randomly as my better secure passwords. Nothing like having Caps, lowercase numbers and punctuation from a string that I wouldn't have picked.
I got the SecurePassword Generator plugin installed. You can specify all sorts of options as far as restricting password generation to punctuation, numerics, case sensitivity, even only generating passwords on either side of the keyboard so you can type it with one hand (if the other one is handy). Plus, you can specify how similar the passwords are to regular words making remembering them easier for those people that aren't interested in remembering truly random characters.
Which kind of makes much hard for conspiracy theories that the FBI/NSA/Secret Service require all these back doors into encryption software and/or operating systems. What's the point when humans are still the weakest link?
This is true. Somewhat related to the story about the golfing minister: If the NSA has all these great backdoors, who can be trusted with them.. Certainly not mainstream LEA. Certainly your local copper and most FBI agents are just everyday civil servants.. giving them the resources to backdoor major encryption schemes is as good as giving everyone the capability.
Regardless of what some top minds/admins at the NSA can do, most of LEA is in the "them" camp and must work within the same limitations as the rest of us.
you wrote: ...it was also rude, crude and content-free. "
"
Rude? To whom? And who gives a damn? Besides, it's lickspittle dittoheads such as yourself who worship at the foot of the social hierarchy. Not people like me....
Crude? Profanity is the highest and most effective form of political speech.
Here's a tip: dissent works best when it doesn't sound like it comes from a pissed-off sophomore.
You aint got the neurons to tell me about what politcal dissent is and aint. BTW, I have 2 college degrees, am in my 40s, have traveled most everywhere in America and over much of the globe, and I have probably fucked more women than you have ever jerked off to.
As for Chavez, he has done his share of dissent-crushing and deportations and indoctrination. Just because he is "against" the "neo-libs" doesn't excuse some of his actions.
So the Secret Police have the right to kill? You haven't addressed my point: the Secret Police/CIA, et al., have assassinated Leftist leaders/insurgents and have started wars. Ergo, I say: Fuck the Secret Police!
Israeli Secret Service to Prisoner: "He's not trying to throttle you. He's applying moderate physical pressure."
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Ooh, well financed terrorists"! I'm all a-scared, now!
We better let the gubmint take care of this problem for us! They will start by sending all our jobs overseas and have imported 3rd world immigrants come in to do what is left. Then we need to lower taxes on the rich to get rid of them well financed terrorists....
eat shiat and bark at the moon
If they try to crack it, slap'em with a big fat DMCA violation.
(*I'm not including trolls, karma whores and "First Post"ers, as they don't technically read what's posted.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I know it sounds a bit like 1337-speak, but it's very easy to make a common word virtually un-guessable by doing easy-to-remember substitutions like 0 for o, 1 for i, & for 8 and so forth. Take it a step further: for those passwords that require a non-letter/non-digit somewhere in the password, consider substitutions like @ for a, $ for s, ! for 1, & for 8, ( for C, etc.
And to make it a bit harder, try starting with foreign language words.
It doesn't take many weird characters to hugely amplify the cracking workload of a dictionary attack. Suddenly, every word has numerous possible misspellings.
VVhen y0u th1nk ab0ut 1t, 1t'$ n0t t00 h@rd. Those spammers are already good at this, for busting filters.
--Brandon / Split Infinity Music
The priest is quiet for a moment and then says, "are you sorry for your sins?"
The man replies, "Sins? What do you mean?"
The priest sounds concerned. "What do I mean? What kind of Catholic are you?"
The man replies, "Catholic? Father, I'm Jewish!"
The priest is incredulous. "Well then why are you telling me this?
The man replies, "are you kidding? I'm telling everybody!"
You got the first joke post.
Apple uses an encrypted disk image, mounted at the user's home directory. It IS secure (see man hdiutil.)
CAN we trust non-open encryption systems??? (does apple do something to help the gov? would creating the image manually be more safe?)
It would be quite easy to save a hidden file somewhere with the passwords.
For example, using RSA, all systems in the USA, save a hidden password file which only the gov can decrypt. This could easily by done with Apple and MS encryption. Someone needs to monitor file accesses during the process of setting it up...
Mnemonics are widely used for memorization and the learning of foreign languages. Many children remember the colours of the spectrum as "Roy G. Biv", a mad scientist. The "politically correct" way to remember star classifications is "Of Berkeley Astronomers, Few Give Kind Marks".
Mnemonics allow you to remember far more random passwords than you would otherwise, OR could be a way to generate exceedingly long and hard-to-crack passphrases. (Dictionary attacks are good against single words, but not so good against pseudo-random strings of them.)
Of course, the "ideal" would be to find a way to have "dual-key" encryption. Since an encrypted document of some length N can be decrypted by one algorithm A and key K into one acceptable text, it should be possible to find some alternative algorithm A' and key K' which will decrypt to another acceptable text.
You could then apply "social engineering" to the decryption method applied, by making sure that the "safe" decryption form was the one more likely to be tried. You could do that by deliberately "seeding" files and documents with the algorithm and key you want the decryptors to use.
Social engineering can be used by either side. It is therefore not a safe method, nor a reliable one. All the "victim" has to do is ensure the "attacker" thinks they have what they want. It's better than nothing, but you absolutely have to be 100% on guard against being manipulated by your own desires.
I think the Secret Service should use the technique as far as they can. However, any such technique is no safer than Sauron's Ring. In the end, it WILL betray the wielder, if relied upon.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Use a pass phrase--a sentence, with punctuation, spaces, etc.
Something not relevant to your daily life today.
Something you've never had occasion to write down.
Something you'd never have occasion to say to anyone.
I have not found it particularly hard to come up with memorable, but completely irrelevant statements.
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
And the air traffic controller who let your plane slam into that other plane was just enjoying God's creation rather than some stuff old control tower. Duty before pleasure ;)
"Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
Here is a way I just thought of to create secure passwords. It seems good enough. It has the benefit that you can derive your password easily without making it less secure at all.
Pick some english words. It doesn't matter at all what they are, so long as the number of repeated letters is low. It can even be a phrase. In fact, it can be your name if you like, but it is better to just pick some words that you can remember.
Pass Phrase: MikeyJohnFatDug
Now you apply a group permutation to this. There are n! different permutations for a Pass Phrase with n unique characters. So the above has 15 unique characters, there are 15! = 1307674368000 ~= 13 *10^11 different permutations.
It is possible to order the permutations in a unique way. So now you just pick a number between 1 and 13*10^11. This seems hard right? Well, maybe not. Pick an equation and then use the first however many significant digits. If you don't want to remember how many digits you used, just find an equation that has a value within the range, and chop the decimal part. Of course you need to write a short script to tell you what permutation corresponds to the number you choose.
Example Permutation: Pi^Pi^Sqrt[3] = 18878025475.0620 so the permutation is 18878025475.
Now, you apply permutation 18878025475 to MikeyJohnFatDug, and whatever that gives you is your password. Memorize it. If you forget it derive it again.
With 15 characters made from 4 words as above, there are approx. n! * (25000 choose 4) different passwords possible. This assumes the attacker knows the length of the password AND how many words are in it AND how you made it. Without this knowledge the password is basically as strong as a random string, and with this knowledge they are still in a hopeless situation.
So you have to remember a few short words in order and a simple equation, for a password that is many orders of magnitude stronger than any commonly used encryption key. They'll brute force the key before they can crack this password.
Now they might try guessing equations, but as long as you have at least 3 operations in it it will be no easier for them by doing this, since there are hundreds of constants you can choose from as well as any numbers, plus about 8 operations, so again it is stronger than the key.
Of course I may have missed something serious here, though it seems kosher to me.
At least someone remembers that Shadowfax is a _black_ horse dammit.
>_~~~
Colin? Is that you? It's me, Dr. Moore. I'm sorry I left for my vacation before calling in the refill for your Lithium prescription. Just try to lay low until I get back in 2 weeks.
"We successfully decrypted the evidence. It's all there. Exactly what we suspected. Guilty."
Wouldn't it be easy to frame a suspect using encrypted data? Judges and juries probably don't understand decryption.
Encrypted Data + Magic Decryption Wand (That Judge and Jury Doesn't Understand) = Whatever Evidence Needed
Umm.. this is the NSA we're talking about. I'm sure they're not just putting forth the raw words, but are trying all the common leet-speak variations thereof. And probably word+digit, digit+word and various popular capitalization possibilities. Even with all those variations (maybe 100 for each word) it'll still be a very significant improvement over a brute force attack.
They've been on the Internet too, you know?
Hire a Linux system administrator, systems engineer,
Not everyone does that... Personally, I open a text editor, enter well-mixed gibberish until I find a key sequence that "feels" comfortable to type, then type it over and over until my fingers remember it.
And what happens when the auto-save kicks in and the key sequence is saved to disk in the clear?
Well, you are screwed if the system quietly drops everything after 8 chars, then your password is something like `1234567... pretty random...
And MANY websites, mail accounts, linux boxes, etc. only care for the first 8 chars, try it out!
and if you use your fingerprint or retinal scan.........
Does the secret service just cut off your finger and/or eyeball?
lick the cancle button (at least thats what our Chinese QA says)
'Don't stop until you reach the back of his teeth'
...while the good kids are playing Peter Pan?
The revolution will not be televised... but it will have a page on Wikipedia
The IRS has teams of forensic accountants who dig through all kinds of paper work to find out things like how much income Capone was really pulling in.
[Fuck Beta]
o0t!
[1]
Breaking a 256-bit key would likely take eons using today's conventional "dictionary" and "brute force" decryption methods -- that is, trying word-based, random or sequential combinations of letters and numbers -- even on a distributed network many times the size of the Secret Service's DNA.
[2]
Hansen said AccessData has learned through feedback with its customers in law enforcement that between 40 and 50 percent of the time investigators can crack an encryption key by creating word lists from content at sites listed in the suspect's Internet browser log or Web site bookmarks.
[3]
"If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms," the Secret Service's Lewis said
Backspace.
This stopped working once login(1) implementations the world over started paying attention to the "special" characters even when in raw mode. Ah well. Fun while it lasted.
(I was inspired by a SF short story, where two robbers break into a paranoid guy's computer. They set off alarms because they had gotten the password right on the first attempt. The paranoid guy had, for years, deliberately screwed up the first attempt before giving the right one on the second try. Eventually the semi-smart programs adapted and started expecting this behavior.)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
"I know it sounds a bit like 1337-speak, but it's very easy to make a common word virtually un-guessable by doing easy-to-remember substitutions like 0 for o, 1 for i, & for 8 and so forth."
That does not make it substantially more "un-guessable", it doesn't even increase the complexity of a brute-force attack by any significant magnitude. Neither would merely going to foreign languages.
But I suspect you know this, and you are trolling.
-fb Everything not expressly forbidden is now mandatory.
Criminals must use their brains for crime, to commit crimes, to satisfy the definition of being a criminal. (duh :-p)
-2A
The revolution will not be televised... but it will have a page on Wikipedia
Unless it's from a self-employment activity!
http://www.irs.gov/publications/p17/ch13.html
Easy password acronym for any slashdotter to remember: In Soviet Russia, Password Enters You!
-2A
The revolution will not be televised... but it will have a page on Wikipedia
There's no intrinsic "meaning" to the words and other language elements, just our shared experiences, including our experience of language itself.
... "ouch" means "ouch" because it has an "ouchy" quality, etc.
Except for onomatopoeia words, of course -- "sizzle" means "sizzle" because it sounds "sizzly"
-kgj
-kgj
every file i have on DVD is named with a rendomly generated title and is then encrypted with 4096bit GPG. every folder is given a randomly generated name and is then encrypted with 4096bit GPG . then the entire thing is encrypted with 4096bit GPg a third time and burnt to DVD.
every DVD has a alphanumeric label that corresponds to a name and description in a textfile on one of 6 CDs containing nothing but what file is where and the keys to access that file.
i torch those CDs and nobody will ever get to the files i have on the DVDs unless they are willing to spend a few decades per file without knowing what the file is beforehand. they could waste years trying to decrypt a chicken salad recipie.
That has got to be one of the stupidest things I've ever heard...lol...especially #3. I'd love to see them decrypt any of the stuff I have protected by looking at my cache...since I clear it several times a day. As for my history, my browser is set not to keep track of it. Looks like they'd be up "crap creek" with my system.
2 GB of RAM means never having to say "I'm swappy".
.thumbnails to another name and make a soft link pointing to your encrypted version, while your dismount script unlinks and moves the normal one back before unmounting. There are probably a few "holes" like this.
Sorry, couldn't resist.
I just flat out disable swap. It would only speed things up if my RAM usage was anywhere near my 2 GB of RAM, and it sure ain't.
But encrypting the swap isn't really much harder than the other stuff, and you can even have it encrypted each bootup with a new, random password.
Still, very good point.
Another thing that can catch you is that the way I do it (seperately mount a filesystem) means that anything that saves temporary stuff is vulnerable, and swap is a subset of this. For instance, if you open up your encrypted directory, GNOME will go right in there and generate a bunch of thumbnails. If you have a bunch of encrypted pictures, these thumbnails will be smaller versions of them. If they are text files, they will actually display with the first few bytes rendered (as if you were looking at the upper left corner). Anyway, for speed purposes, these are all saved under ~/.thumbnails , which is not, for me, encrypted. I don't care about this, but someone conceivably might. Solutions include having a thumbnails directory in your encrypted filesystem, and having your "mount the encrypted filesystem" script move your
Clearly, having your whole home directory encrypted saves this as being a potential security risk.
Do you want to remember the first 32 digits of Pi? (1415926535897932384626433832795).
How I want a drink, alcoholic of course, after the heavy lectures involving quantum mechanics, and if the lectures were boring or tiring, then any odd thinking was on quartic equations again
Count the number of characters in each word...
Maybe you want to remember another constant, e?
In showing a painting to probably a critical or venomous lady, anger dominates. O take guard, or she raves and shouts. (21 digits)
Here, the word "O" stands for the number 0.
(From Wolfram/Mathworld)
That's a fantastic idea, especially when you consider that brute-force password crackers have had the ability to take dictionary words and make those exact same substitutions for over a decade now.
The next logical step is to provide a free screen saver download, to lend home computing power to the Secret Service's decription effort. We might call it SecretService@Home.
To encourage participation, our agency might make the decryption process a background feature of a download more likely to be wildly popular .... maybe a game ... perhaps we could call it something appealling to young people with lots of excess computing power ... a name like "America's Army".
And if we wanted to throw scruples out the [MS]window, our agency might create a zombie net exploiting security ports (formerly known as "security holes") to allow truly huge DNAs. Our legal advisors recommend coding our zombierecruiters to target computers outside our country, whose owners may expect little in the way of protection under our Constitution.
DISCLAIMER: Our government never would do this! No, Never!
--- Attorneys Assisting Citizen-Soldiers & Families -
I was at a job and we got one of the 5 key pads for doors. Before it was changed I found out the combo. At some other point in my life I saw someone do that same combo. Appearently it seems they didn't change the default.
Why don't you guys have friends or journals?
Other income sources (this is for real)
This is not here.
http://www.irs.gov/publications/p17/ch13.html
The IRS actually covers what to do with illegal income. It depends on how you got it (bribes, kickbacks, theft, or sale of illegal merchandise).
In the case of Al Capone, they could prove that he had the money (He was spending it, and had not debts), and that he didn't pay taxes on it. They couldn't prove where it came from, however. So he got away with stealing it, and instead got hit for not paying taxes on it.
Probably the best thing is that since you're compelled to fill out your taxes, they can't be used against you in court. If the only thing the government has to show you robbed ab ank is "Bank robbery - $25,204.37" on line 21 of your 1040, they can't arrest you.
There are other cases. Brothels that get shut down not for prostitution, but for not having worker's comp insurance for their girls. It may sound fucked up, but it's true.
You have to hold down the "alt" key and type some numbers on the numeric-keypad to come up with a secure password. This shit, with the fucking "+" and "=" signs, takes them a whole ten minutes to crack. Those fuckers (at the CIA and NSA) have a fucking betting pool going for some stuff.
That is to say, it works different when you're talking about actual fucking binary, with "1" and "0", than when you're working with a 104-key keyboard.
Get real. Take Algebra II and learn about permutations.
He doesn't write it down, but writes a source file? That's like writing it down, right?
...a pass PHRASE is for your encrypted hard disk.
Dictionary attacks mean sod-all when the passphrase is nothing that might appear in any dictionary (including one compiled from your correspondence and other public clues such as browsing history and Amazon purchases).
I find a good method is to make a truly random password and then practice it for 5 minutes once or twice a day for a few days. Then it's reflex. Repeat every few months.
I rarely criticize things I don't care about.
What if all the distributed computing projects are actually working on cracking passwords?
Take SETI for example. Is there a way we can make sure that the numbers we see on the screen are related to signals and waves and frequencies.... rather than ciphers?
Perhaps the graphs they draw are just randomly generated?
It is also possible that SETI does what it says, but maybe a small part of the calculations are still dedicated to passwords.
They plan to extend their network to 10000 machines. But hey, that doesn't match the power of the internet... Do you think they would miss the opportunity to use us all?
The saddest poem
Under most juridictions law enforcements can have you reveal your passwords or face maximal charges. Thus encrypting without plausible deniability is weak. Simple setup: 1) Have a big FAT32 (say 100Gb); store some unsensitive data (say 20Gb) and defragment. 2) Now write a small script which creates an encrypting mapping (dm-crypt) inside the partition itself, with an offset > 20Gb, and either now the script by heart or put it on a USB stick. Now you can deny having encrypted date in the first place. Even better: have your script a) have a 1Mb cryptographically-random data b) ask you for a master passphrase to "decrypt" this random-data c) use 256bits sequences at a fix offset as a password. Even more perverse: in (b) use the "read -t [timeout]" command to get your master passphrase and have it use a random passphrase after the time out. Even if there are outside proofs that there is sensitive data encrypted somewhere, even if your USB key is seized with the script and the 1Mb random data, you can plausibly claim that you _do not know_ the master passphrase. Adapt to your own needs; YMMV though
I can remember my Win95 registration code, which I haven't used for years, yet I never remember when I have to go to class or work. Bah, biochemical storage is so unreliable.
I love it when math tells you proton decay is more likely than DHS cracking your password, then you use a bonehead phrase like sihtsseug (etc ad nauseam). The problem is the concept of passwords, per se, inclusive of pass phrases. What's really needed is a simple-to-use turnkey system that stores or generates your megabit secret key for you. Plug it in, and your data is readable. Remove it, and your data is incomprehensible. Step on it, and your data is irretrievable. These algorithms are trivial to implement, but apparently only IBM takes the concept seriously enough to implement it in stuff you can buy.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
If he was being stupid, he would have said "Star Star Star Star Star Star".
paintball
What happens when you try to type it on a keyboard different than yours (such as the "ergonomic keyboards" that are split in the middle)?
What if, when you have the password safe program open, your O/S feels the need to swap its memory to disk for whatever reason? Wouldn't the decrypted passwords now be on your hard drive in clear text?
sorta reminds me of drug raids and toilets, I dunno
the only permanence in existence, is the impermanence of existence.
Here're a couple of ideas which I use:
:)
- for online shopping I have seperate passwords which I store in my PDA, encrypted of course. So I only have to remember one password.
- for PINs that I use rarely, I usually have to write the PIN down before heading to the bank. But this is a case where you can do a simple ROT13 (umm ROT5) and/or change the order of the digits, since a thief would only have 3 tries to get the number right, and his first guess is likely to be the PIN just as it's written.
Incidentally, last week I noticed multiple sources trying to crack sshd on my server at home (the only port on my firewall that I'd left open). Firewall port closed, complaints sent to the relevant ISPs, end of the story. I hope. Glad I chose a good root PW.
OTOH, I have the following workaround for the annoying password policy at work which requires a new password every 30 days and no reusing the last 4 passwords: I have two phrases and 3 2-digit numbers, and every 30 days I switch the phrase and move to the next number. 6 combinations in all, and satisfies all password requirements. No, I don't have any porn at work which I need to protect.
Especially when all they have to do is offer them chocolate before they bust them;-)
That survey is almost certainly complete rubbish - if someone came up to me in the street and offered me chocolate in exchange for my password I'd just give them a bogus password so I could get my chocolate.
http://blog.nexusuk.org
They now have TSA-approved locks which have some kind of TSA symbol on them that identify them as "OK". There's a master key for the key locks and the combination locks.
Prior to this I used tie wraps (the good ones with the metal in the latching end) through the lock holes on the zippers. I stashed an ancient wire cutters in an outer pocket for opening at my destination.
I don't know 'secure' these really are, but I suppose it makes it just hard enough that the crackheads working in baggage will choose someone else's luggage to rifle. I'm sure the master key component of the TSA-approved locks is trivial as well.
But as someone said above, if someone wants it, they'll just rip the fscking thing open. But it should be good enough. People have long complained about pilfering from luggage, but the complaints REALLY went up when the TSA banned luggage locking. IMHO most of the luggage pilfered was unlocked to begin with, and once everyone's was, it was open season for luggage handlers to steal, so a trivial amount of locking ought to deny them the easy opportunities.
I just bought a pair of suits, and the little pocket you put your mobile in (inside, bottom left) has a nice "80% less radiation, in seam protection" sticker on it...
:)
Yeah, I get to look smart AND keep my balls from rotting
I don't know how any given password safe type application operates, but that is a consideration made by many such programs. There's a variety of tricks used to secure the data even in RAM, such as accessing it every 1/4 second (which should do a pretty good job of preventing that memory from ever swapping out except under *extremely* heavy loads), only retaining the actual plaintext for the duration that it's required, and destroying it immediately after, custom kernel modules that mark the memory as never permitted to swap, stuff like this.
I read a paper on techniques for this some while back, and a lot of research has gone into ways to secure sensitive data from swap. I'm not up to date on current approaches, or what the technical details of the approaches were in that paper, I found it interesting, but it's not something I personally had any direct use for.
Slay a dragon... over lunch!
I guess Mitnick taught them a thing or two while he was caged up.
Join the Slashcott! Feb 10 thru Feb 17!
Best typo ever.
There's a quote I heard a long time ago, "Don't ask a millionaire how he made his first million."
Dogma - "let's just say we'd like to avoid any empirical entanglements."
Note- if you are stuck on a Mac in a French internet cafe and cannot for the life of you log in to your home machine, set the International control panel temporarily to your home country. The keys will do what you are used to having them do- not what they are labelled, which can be a huge help in this situation...
It's psychosomatic. You need a lobotomy. I'll get a saw.
a good password to use is any random cheat code lying around in your head from back in the day, for example, um... sonic 2 cheat was 19,65,09,17 so there you have a pretty random number, and chuck something else on the end, like a word from the face of your watch! random and easy to remember. christ knows why i have all these megadrive and snes cheats stuck in my brain, concerning.. wasted youth?
...they don't access your data through normal means. First step in every computer forensic case is to duplicate your disk, sector by sector. The only way would be to booby-trap the shutdown proceedure, but a full wipe would take too long, and is very prone to accidental triggering.
Kjella
Live today, because you never know what tomorrow brings
Each computer in the DNA network contributes a sliver of its processing power to the effort, allowing the entire system to continuously hammer away at numerous encryption keys at a rate of more than a million password combinations per second.
Hmmm, figure 13 characters just for the heck of it, per password hash, would make it a 13 million characters per second on a cluster getting pounded, I think. That's not very impressive. In fact, wouldn't that translate in to an equivalent of a 1.3 gigahertz dedicated machine?
sometimes when I jump on a laptop or one of those split keyboards I have a tough time trying to type it out 'cause the space between keys is obviously different and I have no idea which keys to press.
that's what happens!
in the bonds, ppka
LOL! Somehow I completely missed the entire bottom half of your comment when initially reading it. I must have been half asleep when reading and replying.
Insert Spaceball's 1-2-3-4-5 bit here.
If brevity is the soul of wit, then how does one explain Twitter?
True, they can't use it against you in court. That doesn't mean they can't use it to begin an investigation on you, however.
I wonder what the penalty is for lying about the source? If you were a dope dealer but put down "Poker winnings - $35,000" what would they do, and when would they do it? I suppose if you were busted for dealing, and they went back to your taxes, they'd still say "hey, you didn't pay your taxes on this dope money!" You might claim "but that was what I put down so you wouldn't bust me." What would they counter with? "lying on your tax forms, 10 years!"
John
On a side note, when am I able to install the British SS DNA Fight CyberCrime screensaver?
17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
Even there, it's referential to other sounds. Which is why onomatopoeia in different languages sound (and are spelled) different in different languages - like a cat's sound, for example.
... Om ... Range ...
Doc, yer impossible to rib. But let me run this by ya --
Om.
Allegedly the sound of the cosmos. If any "word" is a being in its own right, independent of our referential meanings, it's gotta be Om.
On the other hand, I think the Firesign Theater put it well when they sang:
Om
-kgj
-kgj
Some of those conspiracy theories have the benefit of being true.
The best way to keep a secret
is to tell everybody
That's funny as all hell:
I like the fact that I can deduct an "Activity not for profit" like my hobbies. I'll have to follow up on that one and see what the IRS considers a hobby.Tx for that link, the bit about bribes totally makes my day.
[Fuck Beta]
o0t!
Bzzzzzzzt! Sorry, it's 12345. Thanks for playing.