Why Puppy's Light Encryption Option is a Joke (Educational)

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#1 Post by Pizzasgood »

Well, it should go without saying that when presented an option between light or heavy encryption, you should choose the heavy.

Since we have this security section now, I figured I'd make a post illustrating just how much of a joke the light encryption is.


The fun stuff first: Run something like this on your lightly encrypted save file:

Code:

hexdump -C pup_save_cryptx.2fs | head

You will get something like this:

Code:

# hexdump -C pup_save_cryptx.2fs | head
00000000  65 61 74 61 70 6f 6e 79  74 61 00 00 00 00 00 00  |eataponyta......|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  65 61 74 61 70 6f 6e 79  74 61 00 00 00 00 00 00  |eataponyta......|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  65 61 74 61 70 6f 6e 79  74 61 00 00 00 00 00 00  |eataponyta......|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  65 61 74 61 70 6f 6e 79  74 61 00 00 00 00 00 00  |eataponyta......|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080  65 61 74 61 70 6f 6e 79  74 61 00 00 00 00 00 00  |eataponyta......|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Anybody want to guess what I used as the encryption key for that file?

Yes, it's really that simple to crack.

You may wonder, "Why is it so easy? How does it work?" That's what I'm going to explain for the rest of this post.

The basic concept of cryptography is pretty simple: You take the data you want to hide and merge it with other data (or perform a transform) so that it looks like noise. To read it, you remove the second set of data (or undo the transform) to get the original data. The second set of data is typically either a key, or data that is generated based on the key. For the encryption used in Puppy's light encryption mode, it is the key itself.

Puppy's light encryption uses XOR encryption. XOR is a boolean algebra operator, and means "exclusive or". You use it to compare two numbers. For example, if you are comparing a 1 and a 0, it gives you a 1. But if you compare two 0s or two 1s, you get a 0. In other words, it will return true if either input A or input B is true, but not if both are true.

When you are dealing with numbers bigger than 1, you just represent them in binary and take them one digit at a time:

Code:

1010 XOR 0011 = 1001

So let's say B = A XOR K. If you then do C = B XOR K, you will find that C = A.

Code:

1001 XOR 0011 = 1010

So that means that if you, and only you, know K, you can encrypt your data by XOR-ing it with K, and decrypt it by simply XOR-ing it with K again.

That is the way XOR encryption works. Your data is A and your key is K. Except it's a little more complicated than that. Your data is typically very long, while the key is relatively short (hopefully not too short though). So what it does is break up the data into blocks of 64 bytes, and applies K to each of those separately.

As for K, it is whatever you typed in as your key, padded with 0s to make it 64 bytes. In other words, if you type in an 8 character key, that defines the first 8 bytes of K. The rest is just 0s. This has distressing consequences.

The problem with XOR encryption is that if you XOR something with 0, it doesn't do anything. A XOR 0 = A, and also: 0 XOR K = K. So unless you use a 64 character long password, very significant chunks of your data will not be encrypted at all! Furthermore, anywhere there is a sizeable amount of 0s in your data (real 0s, not the ASCII code for the number 0), your key will be visible in the encrypted data.

Also, if the person trying to break in knows what some of the data is at a given location, he can just XOR the known data with the encrypted data to determine that portion of K.

This makes a sad situation even more pitiful: The pup_save file is a filesystem image. Filesystems typically have good amounts of known data in their headers. For example, all the pup_save.2fs files on my harddrive have 0s for the first 1024 bytes. I don't know if that particular block of zeros is standard for ext2 filesystems, but if it isn't, you could just look up the specs for ext2 and locate data that is constant.

Here is some more output from the same file I used above, but from deeper where there is actual data.

Code:

00080460  0b 06 54 05 1f 18 00 59  1b 0f 20 6d 65 0d 0a 50  |..T....Y.. me..P|
00080470  72 65 73 73 69 6e 67 20  64 6f 77 6e 20 6f 6e 20  |ressing down on |
00080480  1c 0e 01 41 1e 00 4e 14  15 0f 20 61 73 6b 20 66  |...A..N... ask f|
00080490  6f 72 0d 0a 55 6e 64 65  72 20 70 72 65 73 73 75  |or..Under pressu|
000804a0  17 04 79 6b 24 07 0f 0d  54 03 75 72 6e 73 20 61  |..yk$...T.urns a|
000804b0  20 62 75 69 6c 64 69 6e  67 20 64 6f 77 6e 0d 0a  | building down..|

As you can see, large amounts of unencrypted data are visible. In this case, it's the lyrics to a song. You can convert my key into K and apply it yourself if you want to see the few bits that are actually encrypted. (The eight digits on the left are the addresses, not the data, so ignore them when applying the key). If you don't know how to translate hexadecimal to binary, and ascii-codes to text, here are some conversion tables:
http://www.ascii.cl/conversion.htm
http://ascii.cl/

Code:

enc:   0b 06 54 05 1f 18 00 59  1b 0f 20 6d 65 0d 0a 50  72 65 73 73 69 6e 67 20  64 6f 77 6e 20 6f 6e 20
key:   65 61 74 61 70 6f 6e 79  74 61 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
XORed: 6e 67 20 64 6f 77 6e 20  6f 6e 20 6d 65 0d 0a 50  72 65 73 73 69 6e 67 20  64 6f 77 6e 20 6f 6e 20
ascii: n  g     d  o  w  n      o  n     m  e        P   r  e  s  s  i  n  g      d  o  w  n     o  n

(The astute will notice that this particular text file was created way back when I used 'doze. ;))



Also, in case you wonder how to create an XOR encrypted file to play with (as opposed to rebooting a couple times to make a new pup_save_cryptx.2fs file):

Code:

modprobe cryptoloop
dd if=/dev/zero of=pup_save_cryptx.2fs count=1k bs=1k
losetup-FULL -E 1 /dev/loop2 pup_save_cryptx.2fs
mke2fs -q -m 0 /dev/loop2
mkdir mount_point
mount /dev/loop2 mount_point

That will create a 1 megabyte XOR encrypted pup_save_cryptx.2fs, and mount it on the mount_point directory (which the mkdir line creates). You can unmount it like this:

Code:

umount mount_point

And you can mount it again like this:

Code:

losetup-FULL -E 1 /dev/loop2 pup_save_cryptx.2fs
mount /dev/loop2 mount_point

Note that only one thing can be using /dev/loop2 at a time. If you want to mount more than one filesystem image at a time, you'll have to use more than one loopback device. You can find a free one with this command:

Code:

losetup -f
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
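
An added example, not part of the original post or of Puppy's code: a Python model of the zero-padded XOR key described in post #1, with a heuristic audit that flags an image as static-key XOR so it can be moved to the heavy option. The function names, verdict labels and sample image are assumptions made for the illustration; the block size is a parameter because the post states 64 bytes while its hexdump repeats every 0x20 bytes.

```python
"""Model of the scheme described in the post: K is the passphrase zero-padded
to one block, XORed into every block. All sample data below is constructed."""
from collections import Counter

BLOCK = 64  # size stated in the post; the dump it shows repeats every 0x20
            # bytes, so every function takes the size as a parameter


def pad_key(passphrase: bytes, block: int = BLOCK) -> bytes:
    """The typed key followed by zero bytes up to one full block."""
    if not 0 < len(passphrase) <= block:
        raise ValueError("passphrase must be 1..block bytes")
    return passphrase + bytes(block - len(passphrase))


def xor_image(data: bytes, k: bytes) -> bytes:
    """Apply K to each block; the same call encrypts and decrypts."""
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


def passthrough_fraction(plain: bytes, cipher: bytes) -> float:
    """Share of bytes that are identical before and after 'encryption'."""
    return sum(p == c for p, c in zip(plain, cipher)) / len(plain)


def audit_image(image: bytes, block: int = BLOCK) -> dict:
    """Heuristic check for an image that needs migrating to a real cipher.

    A sound cipher's output should not repeat whole blocks. Runs of zeros
    XORed with a static K come out as identical non-zero blocks, and the zero
    padding of K survives as a zero tail on those blocks.
    """
    blocks = [image[i:i + block] for i in range(0, len(image) - block + 1, block)]
    if not blocks:
        return {"verdict": "too-short", "repeats": 0, "nonzero_prefix": 0}
    common, repeats = Counter(blocks).most_common(1)[0]
    if repeats < 2:
        verdict = "no-repeats"          # what well-encrypted data looks like
    elif not any(common):
        verdict = "plaintext-zeros"     # unencrypted image with empty space
    else:
        verdict = "static-xor"          # same non-zero block over and over
    return {
        "verdict": verdict,
        "repeats": repeats,
        # bytes of the repeated block before its zero tail
        "nonzero_prefix": len(common.rstrip(b"\x00")),
    }


def build_sample() -> tuple:
    """Constructed image: 1024 zero bytes (as the post reports for its own
    save files) followed by 512 bytes of constructed text."""
    text = (b"constructed demo text " * 100)[:512]
    plain = bytes(1024) + text
    k = pad_key(b"eataponyta")  # the key visible in the post's hexdump
    return plain, xor_image(plain, k)


if __name__ == "__main__":
    plain, cipher = build_sample()
    print("unchanged bytes: %.1f%%" % (100 * passthrough_fraction(plain, cipher)))
    print("plain :", audit_image(plain))
    print("cipher:", audit_image(cipher))
    print("round trip ok:", xor_image(cipher, pad_key(b"eataponyta")) == plain)
```

With a 10-character key, 54 of every 64 bytes leave the "encryption" untouched, which is the effect visible in the second hexdump of the post.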

ttuuxxx
Posts: 11171
Joined: Sat 05 May 2007, 10:00
Location: Ontario Canada,Sydney Australia
Contact:

#2 Post by ttuuxxx »

hmmmmmmmm maybe you might want to build an update for puppy and remove the lite encryption and maybe offer it to Barry or the general audience, seriously I think being secure is best.
ttuuxxx
http://audio.online-convert.com/ <-- excellent site
http://samples.mplayerhq.hu/A-codecs/ <-- Codec Test Files
http://html5games.com/ <-- excellent HTML5 games :)

efiguy
Posts: 164
Joined: Thu 07 Sep 2006, 02:51

#3 Post by efiguy »

Very well done, Thank You - Pizzasgood

Wondered about that option, from my old C class and IBM main frame days understood that Xor has little impact on processor overhead.
One of my few Wdoze programs even capable of opening a 64 meg save file is WinVI, so went and "pawed" through the dual boot un-encrypted save sfs, excerpt below.
It took forever to load, glad it wasn't 512 plus.

Imho, you must consider the audience, I would lay odds, you have the expert's knowledge and tools to probably break most any encrypting technique.
(One of my assigned old office mates broke the C - band satellite encryption '93)

Education is probably one of the most useful things for and about "light encryption". - It might keep my brother-in-law from snooping, or my daughter's boyfriend from grabbing a bank account password, or reading college grades, whatever, I personally try never to put much of anything on PC that I wouldn't want others to know, having done some forensics in the past.

But if Aunt MillyTilly passes away leaving me 16,000 dollars, - except the will is on her PC and nobody can start it up. Maybe I could ask for your help in breaking that SFS file for the Attorneys. (And few bucks for you too!) - Whew!, thank the "Main Man" for light encryption!

It was too late to do a dual reboot (you know how long doze takes to boot, heck you can eat foot long subway)

I would be interested in knowing what the performance impact for slow processors is from heavy encryption. Remember, Pup, works well on old hardware (read as - fixed income retirement)

What about the swap file, none of my late 4xx Pups will even open that partition to view? Is this partition especially protected?

Anyway - Thank you for the insight of what goes on underneath our fingers.
jay
Attachment: winvicrpd.gif (WinVI snippet from Un-encrypted sfs)

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#4 Post by Pizzasgood »

XOR has low overhead because one of the basic logic gates used in constructing a processor is an XOR gate, so it can be done in hardware.

Actually I know very little about breaking encryption. I can handle a basic cipher, but haven't dealt with anything more complex. I'm taking a network security class next semester though and it seems to be pretty hands-on, so maybe I'll get into that then.

I actually expected I'd have to do more for XOR encryption than I did, like at least look up the specs for the ext2 filesystem format.

I don't know about the performance. I use heavy on my laptop and don't notice anything. It's not a very slow machine though, despite that it's about seven years old (2.4 GHz single core P4 mobility). I have an old 450 MHz computer I could theoretically test it on, but won't because the poor thing really does not like to boot up. Once booted it will run for months fine. So I use that one as a server.

In a week or so I'm going to come into possession of one of those little computers that you can mount on the back of a monitor. So I can run some benchmarks on it then.



@Ttuuxxx: No point. It's trivial to remove. You just cull out a couple lines in /etc/rc.d/rc.shutdown and adjust the dialog. There's also some code in the initrd.gz, but there's no sense removing that - leave it in for the people who are already using light encryption, and just don't offer it to any new people.

But yeah, I would be a little concerned about the performance, though I don't think it should be noticeable unless you do something really filesystem intensive inside the file, like compiling. But you could always do that sort of thing out in the open harddrive or in a ramdisk (/tmp is usually in ram if you have a pup_save.2fs file). Assuming the presence of enough disk or ram to do that.

I'll definitely do some benchmarking when I get the box.

efiguy
Posts: 164
Joined: Thu 07 Sep 2006, 02:51

#5 Post by efiguy »

Hi all,
Look forward to finding out more about encrypting overhead. Is there any description of the SFS heavy technique published?

Oh Ya, and the swap file, that's a real prob in Doze land.

Ahh, you must have missed the snippet's actual "Yoda Speak" <;) I was surprised to scroll through that.

When I worked in an IT dept, we were always being asked by some manager to undo an office file for change of personnel and the forgotten password. We were glad that it was "Light Encryption"
Our offices and work area were constantly under surprise management surveillance for any notes or paper work left out on desk and not under lock and key.
- I was "Gigged" a few times, and went and bought a cheap Walmart camp locker to dump everything into when leaving. You could open the lock with a paper clip, but it passed the "lock and key test." So much for real security, imho, most security is just perceived if not actual. <;)

Enjoy the Holidays,
Jay

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#6 Post by PaulBx1 »

Light encryption is indeed a joke. But one can think of a few uses as mentioned here. It's like it has a back door, but instead of being available to only one person, it is available to anyone. :wink:

Heavy encryption was the first one in Puppy. Then Barry added light encryption, who knows why, because nobody was complaining about heavy encryption performance. A rare case of "creeping featuritis", I guess. I have run heavy encryption on my old, slow (700MHz) Thinkpad and never noticed the difference between it and no encryption, but then I didn't go looking for it either.

As to swap, don't use it! Swap is in cleartext, in the old cryptoloop encryption utility that Puppy uses. Well, if you are using the almost transparent light encryption, hey, go ahead. Anyone smart enough to dig through swap will have no problem breaking light encryption. But for heavy encryption, don't use swap. If you do you might as well dispense with encryption altogether. This might mean buying more memory, but hardware is cheap...

Some folks have implemented loop-aes or dmcrypt-LUKS (I think I got that right) in Puppy which does have encrypted swap, but for some reason these never worked their way into standard Puppy. A bit tedious compared to cryptoloop I guess, and I have a feeling Barry is not an encryption enthusiast anyway. I keep wishing, but I'm not up to putting it in myself.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#7 Post by Lobster »

I'll definitely do some benchmarking when I get the box.
That will be interesting for some 8)

I use no encryption
and am satisfied with that.

If I wanted to secure a folder
I would call it .log (notice the dot)
It is now invisible
Encrypt files with bcrypt (try command line)
and maybe I would save that on a windows files usb key drive rather than HD in Linux partition.
Then hide under a tin foil hat

I find whenever I encrypt or password protect
I keep out the major idiot - me :oops:
I forget where I put the directory or the password.

Knowledge is always a good thing.
As is having choices. 8)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

efiguy
Posts: 164
Joined: Thu 07 Sep 2006, 02:51

#8 Post by efiguy »

- Hello PaulBx1 and all,
You make a good point, I don't have enough equipment or
experience to be of much help, maybe pieces of it or some base research, and that brings up the idea of using a debugged late distro with basically a stripped bash shell as a starting point for a serious secured Puppy, (Puppy w/a Razor Wire Leash) that is still capable of being an Office workhorse.
- I say Office, for - My "personal opinion" is that the multimedia is too internet friendly to ever be secured, and plus the "Gov" loves that, maybe even promotes the use thereof. (The huge underground centers -At least the Crays do or 48 cell beta Intels, who fronted that research cash?)

* The Why:
- The RazorEdged Puppy might be considered to do tasks like these:
a) prevent authoring plagiarism, b) encrypting banking receipts
c) writing highschool tests, d) gradebooks, e) inventors ideas and patent
documents, f) politics (especially), g) attorney, h) real estate agent, i)
anywhere a degree of privacy might be desirable in writing documents.

* A Secured Mission:
- This software should have some auto techniques to thwart laptop
thieves and home or office hardware monitoring attempts, plus a suite of
modules to encode files normally found within office softwares. It should
not be considered military grade, (unless it is just plain easy to
implement)

* The real Work:
- Pizzasgood, PaulBx1, ttuuxxx, and myself, if we started planning and
explored what needs to be done, and how it could be accomplished,
others would see that it is a serious endeavor, we could attract others to
help with the coding and polishing of the function of the distro. I am sure
if a logical plan of construction was created, that Barry would assist if
one of those "coding rock and a hard thing occurs", but most likely the
key in doing this is choosing proven techniques and creating the Kernel
interfaces.

* Technique Questions:
- Are there Unix & Linux versions in existence that might have a decent
swap file plus other storage encryption to be used as learning tools?
- Can public key encryption or java technique be used as an internal
module?
- Can "USB dongles" be used to disable a system?
- Can "bcrypt" be automated behind the scenes (Thanks Lobster)

* Implementation:

- Hmm, is multimedia solved with dual boot Puppy?
- Is a use of this for picture and AVI encryption or should this be
specifically avoided?
--------------------

- Honestly, this started out to be fairly short, but typing as slow as one
does, thought how useful and sometimes really needed an application that has security at its heart.
(I've had a laptop stolen)
- I can do research, so will volunteer for that, and maybe some
secretarial work initially, if you fellas want to attempt it next year.
- The ball is over the net - Need some constructive ideas - so everyone
have a go at helping formulate a document to describe a solidly secured
puppy
-- how would you want it to operate - What might be the use you have in
mind? Would simple wizard like menus be adequate for manual use? or
- solidly ingrained automatic encryption of everything?

jay

ttuuxxx
Posts: 11171
Joined: Sat 05 May 2007, 10:00
Location: Ontario Canada,Sydney Australia
Contact:

#9 Post by ttuuxxx »

efiguy wrote:-
* The real Work:
- Pizzasgood, PaulBx1, ttuuxxx, and myself, if we started planning and
explored what needs to be done, and how it could be accomplished,
others would see that it is a serious endeavor, we could attract others to
help with the coding and polishing of the function of the distro. I am sure
if a logical plan of construction was created, that Barry would assist if
one of those "coding rock and a hard thing occurs", but most likely the
key in doing this is choosing proven techniques and creating the Kernel
interfaces.


jay
I'm up for it as soon as I can find some time :)
ttuuxxx

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#10 Post by Lobster »

- Can "bcrypt" be automated behind the scenes (Thanks Lobster)
That is a good idea. You need to intercept the save commands
with a daemon? Would that be right coding gurus?

For a military grade security (why not)
I would suggest we need more than bcrypt

In Puppy 4.3.1 you might be able to swap out (but use the same name)
a more powerful encryption with this script
/usr/sbin/bcrypt_gui
that script is also in menu / personal / bcrypt file encryption - drag and drop (this is more than sufficient for school tests, bank details
and the location of your sardine stash - I keep mine behind some seaweed)

Renaming another encrypting file to bcrypt
That would mean trying to decode
what is encoded differently for the potential decrypter . . .
[. . . .evil Darth Lobster laughter . . . . :twisted: ]
This works much like bcrypt but uses better encryption
http://puppylinux.org/wikka/ccrypt

I would familiarise yourself with this material
http://puppylinux.org/wikka/SecurePuppy
http://www.murga-linux.com/puppy/viewto ... 383#262854

http://en.wikipedia.org/wiki/Deniable_encryption

efiguy
Posts: 164
Joined: Thu 07 Sep 2006, 02:51

#11 Post by efiguy »

Hi all,

Wonderful !!

- Propose that at least a start of 2 documents need to be created,
a)- a Frontline document that details the operation, types of encryption used and selected, interface issues, etc,
b)- and a background "Shadow Document" tracking and identifying "Branching Decisions", listing the pros and cons of a decision choice, and listing available documentation to support the branch decision. (This drives the Frontline document modifications, - But initially there is much feedback between, an indistinct differentiation – essentially identifying where the branch decisions need to be made.)
Plus -
- a method of voting for or "Ranking Decisions", which leads to a "Decision Making Body"
(NOTE: I am abstaining myself from this - as I know my limitations and will support the other present GrandFathered members in this link in forming that Nucleus Group)

- Which, eventually (At this Group's Discretion) I think a "Publication of Intent" is appropriate to draw out qualified forum members (It's OK to enroll new members to help support Too)

- Perhaps, - Consider this as a great opportunity to re-establish and use puppylinux.org/ and the http://puppylinux.org/wikka/HomePage.
- Where Murga forum is a more firmly moderated upper level description place (include wikka links where necessary), and the Wikka is where pros and cons, decision ranking numbers, methods are hashed out in excruciating detail, where huge reference document pastes can be included.
(Just an idea - don't want this to dilute the distro discussion.)

And late breaking newsletter topic:
https://www.ironkey.com/personal-solutions
Firefox browser included 16 g $299

Jay

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#12 Post by PaulBx1 »

Well, this is getting a little bureaucratic for my taste. Anyway, I'm more of a tester than a developer, so I don't know how I could help other than supplying a semi-informed opinion now and then.

One opinion I have, is that I don't like puplets. You make a puplet, you get 3 or 4 users, you neglect to keep the puplet up to date, after 4 months the puplet disappears. There must be a thousand puplets by now floating around out there.

A better route would be to stick with standard Puppy, and make any pets needed to create a secure Puppy, or at least point to items in the Ubuntu repository to do that (when upup arrives). Maybe a wikka article to document how to do it. That way the user stays up to date on his own, all you need to do is maintain a few pets now and then, probably not much work there.

I don't know if this makes sense, but something to think about.

efiguy
Posts: 164
Joined: Thu 07 Sep 2006, 02:51

#13 Post by efiguy »

Morning all,

I apologize to Pizzasgood and others, Paul, some of the old system engineer habits die slowly, and I should be reading more net etiquette articles<;)

And in a spirit of enthusiasm, did something called "Hijack a thread", not my intent,
it has happened.

Please allow me to include last night's observations and I'll be quiet.

Sunday night, - Have had a rereading of Pizzasgood's Multiuser Puppy post pages, this thread, plus some other links speaking of browsers and wireless, etc.,
and conclude that "IF" Pizzasgood were to "Buy In" to attempting an even more secure encrypting Puppy next year
- That his Multiuser ver R3 is very likely the best starting point for experimentation.

http://www.murga-linux.com/puppy/viewto ... 59&t=47409

puppy-4.2.1-MULTIUSER-r3.iso

Jay

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#14 Post by 8-bit »

I see possibly one other thing that defeats encryption.
If the encryption tool/utility is released as open source, then the source code used to make it and do the encryption is available as a kind of dummy's guide to cracking it.

I remember at one time back in the dos days, I got a utility that was used to encrypt emails with a preshared key to be able to read them.
I have since lost that file.
But I remember that some government agencies were really excited about its use as they were unable to crack it at the time and tried to outlaw its use by anyone that happened to have it.

If an encryption utility is written by a member here, you should keep the source code to yourself. Releasing it with source code is like showing just how the encryption is done and takes away from the security of it.

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#15 Post by PaulBx1 »

Well, my admittedly limited understanding is that it works the opposite way. Keeping stuff secret was "old tech", like back during WWII. Now you want things completely open so no back doors can be put in. Knowing how the algorithm works does not help any attacker. The knowledge is already general. It's the math itself that makes it impossible to crack.

SFR
Posts: 1800
Joined: Wed 26 Oct 2011, 21:52

#16 Post by SFR »

This thread reminds me of my own struggles with XOR encryption on C64, many years ago.
Right after I wrote such a tool I discovered that if a file contains a longer string of the same bytes, the whole encryption is worth nothing. :lol:
How hard I tried to make it more 'secret'!
Even I added tracing of $d012 cell (current raster line position) to encryption algorithm to make it more complex. :lol:
And the effect was pretty cool: eg. "aaaaaaaaaaaaa" string encrypted with "a" passphrase has produced something like "dZ@2&"{[6g]'\!" as output!

Unfortunately, I just read somewhere that even this can be cracked using "frequency analyzing" or something like that...

Anyway, this thread (again) inspired me to write another encryption tool.
Details here: http://www.murga-linux.com/puppy/viewtopic.php?t=75404
It uses openssl and AES, so I hope it's more secure..? :wink:

Greetings!
[O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto.

Digital_Dissident
Posts: 25
Joined: Tue 02 Mar 2010, 10:49
Location: U.S.- E. Coast

NOW You Tell Me?!

#17 Post by Digital_Dissident »

Pizzasgood wrote: Well, it should go without saying that when presented an option between light or heavy encryption, you should choose the heavy.
"go without saying"?!

I came across this post just last week by accident. Thankfully, still before anyone had access to my "light encryption" save file.

The OP in this thread is dated December, 2009-- over two years ago now-- and the latest Puppy releases still suggest choosing "light encryption" when creating a save file that will be saved to a hard drive!

And this post is relegated to an "off-topic" section and a cavalier tone?!

"Educational"?

This is an essential warning! Why was it never stickied to the very top of the forum?

I am flabbergasted.

Surely there are at least some Puppy users out there who are at risk of having their sensitive data compromised and they don't even know it.

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#18 Post by Pizzasgood »

Though I posted this in 2009, the weakness had been known to the forum since not long after it was implemented, whenever that was (2005?).

If Puppy is recommending the light option, then I agree it should be changed around. It should strongly encourage the use of the heavy option. People should only use the light option if they have already tried the heavy one and actually noticed a performance hit, and even then only if they are not very concerned about their data falling into the wrong hands. The selection page should clearly state that the light option is trivial to break, with a big all caps WARNING label included.
