The image in TFA shows a phone seeing the network as an AP. Chances are someone with a phone set up AP mode (fairly standard on Android devices).
That was my first thought. I know when I'm running my phone as a hot-spot, I have the SSID set to "FBI Surveillance Van 42".
Well, now that we've had 3 cases in the Dallas area, we might actually see the US-Mexico border secured... ...by the Mexican government.
Actually if you "stick to the story" there are only 50 dollar bills to choose from and once chosen it's eliminated from the set so 50*49*48*.... = 3*10^64 combinations. Less if any of the bills have identical last digits, which is likely due to the birthday paradox. And if they were just counted and put in an evidence bag, most of the bills are in the right order. If they counted the ones, either in order or in reverse order, and the only thing you need to figure out is where a few fivers or tens go, that's cryptologically pathetically weak. And if it did disappear down some pocket, well, there goes your evidence that there actually was a pile of cash making up your password. Worse, the police will probably take this as gloating on your part by showing off your perfect yet obviously constructed get-out-of-jail-free card. I think the good old "I don't recall" works better.
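As an added worked calculation (not part of the comment above), here are the keyspace figures the comment gestures at, assuming 50 distinct bills and a password made from their serials in stack order. With the stack order fully unknown:

\[
50! \approx 3.04 \times 10^{64} \approx 2^{214}
\]

If the 45 one-dollar bills are known to be in counted order and only the positions of the 5 other bills are unknown, the count collapses to

\[
\frac{50!}{45!} = 50 \cdot 49 \cdot 48 \cdot 47 \cdot 46 \approx 2.5 \times 10^{8} \approx 2^{28},
\]

or \(\binom{50}{5} = 2{,}118{,}760 \approx 2^{21}\) if those 5 bills are interchangeable. If only the last digit of each serial is used, repeated digits reduce the distinct sequences to a multiset permutation; with \(n_d\) bills ending in digit \(d\) (\(\sum_d n_d = 50\)),

\[
\frac{50!}{\prod_{d=0}^{9} n_d!} \le \frac{50!}{(5!)^{10}} \approx 4.9 \times 10^{43} \approx 2^{145},
\]

with the bound attained at an even spread of five bills per digit. The practical point is that the claimed keyspace is only as large as what an investigator does not already know about the stack's order.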
If the pile of cash disappears down some pocket, then when you are dragged to court to produce the password, you explain the password storage method to the judge, and the fact that no pile of cash was entered into evidence shows that evidence tampering occurred. Assuming you are in a legal jurisdiction where the rule of law holds any sway, this should get the case thrown out.
If you're in a jurisdiction where this doesn't apply, you're pretty much screwed anyway (and it's all but guaranteed that your pile of cash disappeared into a pocket rather than the evidence locker). Granted, in a no-rule-of-law jurisdiction, I'd recommend this method only for data you would literally rather die than give up. The Powers That Be aren't going to stop torturing you once you tell them about your password method; they'll keep torturing you hoping that you're lying and you really can produce the password if they push hard enough. At some point, you'll really wish you had a way to give them the password.
An obvious variation of this is to have a pile of cash that contains 48 bills, with a password constructed from the serials as described, plus something extra you have memorized and inserted in specific spots in the sequence. Then when dragged before the judge, you say that the password was from the serials of the 50 bills you had next to the computer. "What, there's only 48 now? Well, you can try the existing sequence and brute force the remaining digits, but since there are 2 bills missing, there's no way to know for certain where in the sequence to insert the missing digits for the brute force attempt, and since the stack was obviously tampered with, there's no guarantee that the remaining bills are in the original order."
You are wrong about it being poorly implemented. The "encryption key" being printed on bills is the key here. The actual password would naturally have nothing to do with the serial numbers; that would just make it needlessly complicated.
You could have only 45 bills and claim that originally there were 50. That would give you the chance to claim corrupt investigators ripped off the five $20 bills you had mixed in with your $1 bills. Not only would it allow you to keep the password secret but it would also cast the investigating team in a bad light. Tampering with the evidence and all that, the case might actually get thrown out of court.
No one would steal your fortune cookies you know.
AC here actually gets the point of this method - you have plausible deniability - "I can't produce my password from memory because it was based on the pile of cash. A pile that is suspiciously smaller than it was before the raid."
https://play.google.com/store/...
Here's a version compatible with KeePass 2.0 databases. This version also has native support for syncing databases stored in Dropbox, Gdrive, or even over FTP (which beats my old method of using a 3rd-party file syncing app).
Which is why you make up your own phrase.
Forget making up your own phrase - just talk to a child under 8 for a little while. I guarantee they will say something completely random, totally memorable, and guaranteed not to show up in a phrase-based dictionary. Here's a sample of passwords I have used in the past that originated with my nephew - now 7.
I wanna be a squid when I grow up!
I'm a lizard in a swimsuit with a wedgie.
The backyard smells like a wombat
My grandma's stinking it up!
(The last one, by the way, was shouted when Grandma had taken him into a public bathroom with her. No relevance whatsoever to picking a secure password, but just take a couple of seconds to imagine walking past a public bathroom and overhearing a kid yelling that.)
Additionally, quoting Monty Python on a regular basis leads to a 400% increase in divorce threats from my wife.
If you have a lot of people at a wedding where you are not spending a lot of money, those people are there because they care about you. That is a good thing.
If you spend a lot of money on a wedding that does not have a lot of guests, it indicates that appearances are very important to you. That is not a good thing.
Mod parent up!
For what it's worth, my wife and I have been married a bit over 15 years, dated a little over 3 years. We got married right out of college, and were therefore broke as heck. My parents paid for the rehearsal dinner, but the rest came out of our pockets. We spent somewhere around $2400 (not counting rings), with the photos making up about a third of that. We had somewhere around 300 people at our wedding, which included a general invitation to everyone at the church we attended at the time. To fill in the rest of the data points, we attend church regularly, didn't live together prior to the wedding, and while I think my wife is hot, she certainly didn't marry me for my money. Oh, and we're still pretty broke.
Also, as pointed out by the article, if his Ecat worked as he claims, everyone would be dead within 10 minutes of starting the reactor, due to massive Gamma radiation leaks.
Oh, come on. Everyone knows Gamma radiation just gives people super powers. Rossi himself is the perfect example. He's been working with this device for so long, he has the superhuman ability to transform bullshit into attention.
Now that he's had a team of researchers spending a month examining this thing in a sorta-sciencey way, we should watch them for signs of super powers. I suspect they've gained the ability to smash their own credibility in one swift stroke.
*cough* Slashdot Beta *cough*
So the CIA developed a primitive AI as a form of psychological torture, eventually the project was scrapped as frustrating and ineffective...
This isn't about a 1959 Corvette. It's about a 1959 garbage truck.
Different people like different things. A lot of people develop true passion for the work they do, and it bleeds into their hobbies. I've lived my entire life in agricultural areas, and I've known a lot of people, including my father, who restore antique tractors as a hobby. I've been to car shows where I've seen antique school buses, semi trucks, and tow trucks that have been painstakingly restored. They tended to attract a lot more people than the rows and rows of Camaros and Mustangs. Never seen a garbage truck at a car show, but I'm sure someone's got one out there.
A few years ago, one of the long-time groundskeepers retired from my employer. At the same time, the company retired the 1970s-era Cushman he'd been using, and he bought it with plans for a full restoration.
Yes, I've read that. I'm waiting for the punchline, (like, you have to use gestures to log in! C'mon it'll be fun!)
If the next version of Windows requires gestures to log in, I have a few gestures in mind.
For some reason, this makes me think of a Jedi building his own lightsaber.
Yeah yeah, I do it all the time. My car is my primary CD ripping device.
I take my CD out, rip it, then disassemble the car's audio system and pull the hard drive. Take it to my home computer and upload the files.
Piece'o'cake, why do you think I bought my car, anyway? Driving? Hahahahahahahaha.....
That's nothing. I've set up a massive file-sharing service based around these systems. And it's completely undercover; to the casual observer, it looks like a used-car lot!
I think that'll be my answer for the OS too -- Ubuntu+Wine is probably closer to Windows 7 than Windows 8+ are.
Based on this comment, I'm assuming you haven't heard of Unity.
BTW, this app does the same on a rooted Android device.
I'll add my thanks as well. The whole reason I came to this thread was because I hoped someone would post something like this.
I've already posted, so somebody please mod parent up!
The quote in the summary:
"These programs have gotten both more difficult and less rewarding: today, it can take almost a decade to get a doctorate, and, at the end of your program, you're unlikely to find a tenure-track job."
So you're talking about people getting a degree where the only career option is teaching others so they can seek the same degree? And the MLA thinks the fix is to make that degree easier to get? I suppose it does have the benefit of people wasting less of their life pursuing a degree that is worthless out in the real world, but it looks to me like a PhD in Humanities is the academic equivalent of a Ponzi scheme.
You know, I think this is the first time I've seen Metro and professional used in the same sentence. At least, the first time where the sentence didn't end with, "my ass!"
I suppose this only counts if you count Pixar as professionals.
I don't know. I've seen Cars 2.
I remember once hearing that, everywhere that golf is played, it's called golf. I'm not well-traveled enough to be able to confirm, though. Anybody who hasn't spent their entire life in midwest USA care to comment?
Steve has made some mistakes in the past and over-hyped some things...
Kind of interesting, since the linked article is basically the exact opposite of over-hype. I think the really relevant point is this:
TrueCrypt's formal code audit will continue as planned. Then the code will be forked, the product's license restructured, and it will evolve. The name will be changed because the developers wish to preserve the integrity of the name they have built. They won't allow their name to continue without them. But the world will get some future version, that runs on future operating systems, and future mass storage systems.
If we assume that the TrueCrypt announcement is an NSL warrant canary, then the question is "Why now?" "Why?" is a stupid question; of course the government would like a backdoor into TrueCrypt. But why the NSL now?
Option A is that, since the TC developers are anonymous, their identities have only recently been discovered by the government agencies that issued the warrant. I'll admit this is possible, but it seems unlikely.
Option B: Version 7.1a of TrueCrypt has a flaw that is known to government agencies, but has not yet been discovered by the community. The government is worried that the ongoing code audit will discover and remove this flaw, and they issued an NSL requiring that if the flaw is discovered, the updated version include a government-approved backdoor. TC devs made the warrant canary announcement rather than agree to comply.
Option C: At some point after the release of Version 7.1a, the TrueCrypt devs received an NSL requiring a backdoor in the next released version. The TC dev team technically complied by not releasing a new version, since there were no known weaknesses in 7.1a. The code audit has uncovered a flaw and informed the dev team, leading them to shut down the project and invoke the warrant canary.
It will be interesting to see what happens with the code audit. Hopefully the audit team had the foresight to set up a warrant canary themselves. At any rate, Steve Gibson does have a point - the code is out there, and the audit will continue. TrueCrypt will be forked, and work will continue.
WTF... I heard that all TC developers are from the Czech Republic (or some other Central European country)... They don't need to answer to any US NSL.
Their actual identities and locations are unknown. There's plenty of intelligence agencies around the world that would go along with a firmly-worded "request" from US intelligence agencies. I think it's safe to assume that, if this announcement is due to government threat, we're talking about legal threats rather than death threats. An agent that says "backdoor your software or we kill you" is very likely going to kill you for making the sort of announcement that popped up today.
Yes, but there is still the private signing key that allows for trusted uploads of new (possibly compromised) versions.
True, but it's still an open-source project. Uploading backdoored binaries would be easy enough, but compromising the code would be a lot more complicated.
I'm sure the NSA is very good at writing obfuscated code, but there are other factors in place. The TC code audit started a few months ago, and there hasn't been an update to TC in 2 years. Any new updates to TC are going to be reviewed *very* carefully; sudden updates to a 2-year-stable project right after the beginning of a code audit look very suspicious.
I use TrueCrypt. I realize that there are other options out there, but TrueCrypt has a few advantages - namely that it allows hidden volumes and it's cross-platform, free-as-in-beer, and open-source, (even if not technically FOSS). So now what? TrueCrypt won't go away. I can save a copy of the installer for the 2012 release, and, more importantly, there are copies of the code out there - particularly in the hands of the code audit team.
If we assume that the TC dev got an NSL, it would potentially explain the announcement. The dev decided to burn the crop and salt the field rather than let it be co-opted by the NSA. And, based on what happened with LavaBit, the NSA must have anticipated at least the possibility of this response. If anything, it was probably more likely. LavaBit was a commercial operation - they had a financial incentive to go along, keep their mouth shut, and keep the business going. Instead, they decided to do the right thing and shut down.
So assuming the NSA sent a National Security Letter to the TC dev, why, and why now? NSLs have been around for years. It seems odd that the NSA would wait until now to try to force in a backdoor, particularly with the likelihood that attempting to do so would result in the "burn and salt" response. If the NSA felt it was worth forcing TC into a go-along or shut down choice, they would have done it years ago.
One possibility is that TrueCrypt has an exploit that is currently known by the NSA, but not known by the TC devs. Once the code audit started, the NSA was concerned they would lose their backdoor, and issued National Security Letters to the audit team requiring they don't expose the flaw, and to the dev team requiring they don't fix it. At this point, this seems like it might be the most likely option, assuming we aren't looking at a site defacement. Hopefully we'll get some clarification soon.