Hacking data

[Barkin]

ISBN's are different for each edition of a book, (and different in different countries). So if you're going to use one as part of an encryption-key that make sure there are several sources where you can access that ISBN.

If the book is lost you would need Internet access, (or another copy of the same edition of the book), to obtain that number, so if you are working off-line, without internet access, on encrypted data you'd be stuck.

[Edwardo]

Actually if you're really paranoid it isn't a bad idea to use a book's ISBN number for an encryption key. If the book is lost or stolen, you can find the exact same book and it will have the same ISBN number. It's easier to remember the title of a book than its ISBN number. Just be sure to choose a book that was popular, so there will be a lot of them in used book stores, but not too popular. Don't use a bible for instance, that would be too easy to guess.

Can we say 'caution' or 'common sense' in preference to paranoia. In the house in which I grew up the telephone for example was stationed in the hall, some distance from people in rooms whose doors were usually closed despite the fact the technology of the day did not permit the telephone to listen to conversations in its vicinity with its receiver in its cradle.

Recently I gave my smartphone away as I came to realize it was not the innocent toy it seemed to be. Then I ask my lady friend if she would much mind keeping her telephone in another part of the house when not in use. At first she was horrified, almost rebellious. It took a little time explaining things and now she has an excellent grasp of concepts like 'network', 'public telephone system', 'privacy', 'eavesdropping' etc. I could continue but I think there is little need for for it when addressing this sophisticated audience.

[Edwardo]

ISBN's are different for each edition of a book, (and different in different countries). So if you're going to use one as part of an encryption-key that make sure there are several sources where you can access that ISBN.

If the book is lost you would need Internet access, (or another copy of the same edition of the book), to obtain that number, so if you are working off-line, without internet access, on encrypted data you'd be stuck.

Yes, indeed. The ISBN idea was an idle thought. But I do believe the best place for the password to be kept is in one's head. Of course if someone knew it was in my head and he wanted it very badly, I would hand it to him as a gift. He would then have a most interesting reading list which hopefully would improve his mind

[Edwardo]

Re passwords, the OTP token method, one time password, gives one a deeper sense of security so long as one has faith in its manufacturer. This I have used for financial transactions with success so far. RSA is one such provider to financial institutions of these tokens whose 6 digit number changes every 60 seconds, and I believe they were hacked a couple of years ago. Probably now their security measures regarding security token internals have improved. Hopefully. On the other hand one is placing a lot of trust in a 'cloud', an indeterminate thing, in an indeterminate place, operated by unknown people.

Getting back to a Linux BIOS level password entry, can we use a dedicated USB to store and enter something really absurd, like this

nKlN2.Sl^mD={PxYBax,gxSWS$zYQeCO20/ik%23",aZa09fDUFW?w=TZubLe=lGQJ61#p@8Y*!W(O'uXjAt!lh'SxCgc*Cj')(%F^hr0B9oE}s36'x&t&41?JQP+MXsXmJ2E,nV[yLf{6fGZ}BZM1#w:U$UqeJK5J:gsWR*:^WMc2Dg:n"D6|f-/oX'tH![)L.wrrEDt86DNef&Mj[h(/MN1me17@YT=CVan)ML:tCZj|iy{W(TE9#Dvj)0S.Akniw(>GhviZq1~5tI6nU?o3*/TNmXtr/PI!BC)c=Uh2n\ER^hBT-;mG|va'LwCB4@7XAjse19VA%nVv2YuV~lfI<%}[SUL|yR)8+Eb1%kisBuQl3%CLNv|@%bAE(p8QH2fRCorGH/=#''FRR?k"s?kN=Z{!<!Q-.b&RYM$Ra@;"Q/9#BOp,j3'u!0Uo^%'sJR&6{b|nqY2oI'wV/.YgfP8rj3LmM7|PV@M3#{m1TwB^ZVE\Vcf#9m%WX#9S7u7J.jXGKs2T7k@N?@,RlCJ{lO+"Nsq9.y{5=%|5MffQedYLt;[lC~RmAgrj.@)cDE8E#&&yEd2>6HmM0FSE=dl#f/LD2{"|P;(<Yt^Mz9obF(kn@KA'#?"("|h''1()9=jeYl"D>a&f|lJ<JtJ-tI6Z~Qro=sF$~Rze3PXzr)BxMzM.mqT@T|LQiz-r7|r@2BkQh^)oD6zjS|<|CO5)"C>8(<I<U6\(|KKbu+QbVvv,/B-%{sbVOt\zjp9$-(&$d9A7!kJ|cKiR-luQ(e//"!U4hqP9s8t"f|^Y7r-

I guess for this one we'd see you in the next universe.

[Barkin]

... Getting back to a Linux BIOS level password entry, can we use a dedicated USB to store and enter something really absurd, like this

nKlN2.Sl^mD={PxYBax,gxSWS$zYQeCO20/ik%23",aZa09fDUFW?w=TZubLe=lGQJ61#p@8Y*!W(O'uXjAt!lh'SxCgc*Cj')(%F^hr0B9oE}s36'x&t&41?JQP+MXsXmJ2E,nV[yLf{6fGZ}BZM1#w:U$UqeJK5J:gsWR*:^WMc2Dg:n"D6|f-/oX'tH![)L.wrrEDt86DNef&Mj[h(/MN1me17@YT=CVan)ML:tCZj|iy{W(TE9#Dvj)0S.Akniw(>GhviZq1~5tI6nU?o3*/TNmXtr/PI!BC)c=Uh2n\ER^hBT-;mG|va'LwCB4@7XAjse19VA%nVv2YuV~lfI<%}[SUL|yR)8+Eb1%kisBuQl3%CLNv|@%bAE(p8QH2fRCorGH/=#''FRR?k"s?kN=Z{!<!Q-.b&RYM$Ra@;"Q/9#BOp,j3'u!0Uo^%'sJR&6{b|nqY2oI'wV/.YgfP8rj3LmM7|PV@M3#{m1TwB^ZVE\Vcf#9m%WX#9S7u7J.jXGKs2T7k@N?@,RlCJ{lO+"Nsq9.y{5=%|5MffQedYLt;[lC~RmAgrj.@)cDE8E#&&yEd2>6HmM0FSE=dl#f/LD2{"|P;(<Yt^Mz9obF(kn@KA'#?"("|h''1()9=jeYl"D>a&f|lJ<JtJ-tI6Z~Qro=sF$~Rze3PXzr)BxMzM.mqT@T|LQiz-r7|r@2BkQh^)oD6zjS|<|CO5)"C>8(<I<U6\(|KKbu+QbVvv,/B-%{sbVOt\zjp9$-(&$d9A7!kJ|cKiR-luQ(e//"!U4hqP9s8t"f|^Y7r-

I guess for this one we'd see you in the next universe.

The maximum length of the encryption key determines the maximum length of password ...

http://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength

Creating a password longer than that does not increase security : a brute-force-crack will have to cover the entire search-space possible, e.g. in 256-bit encryption, in binary from

0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

to

1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

Making the password longer than the key length permits just causes the mileometer to go around the clock, so to speak : all permutations will have been covered and the password already cracked.

https://www.grc.com/passwords.htm

[Edwardo]

What determines the length of the encryption key?

[Barkin]

What determines the length of the encryption key?

The encryption algorithm sets the maximum key length:
i.e. the maximum key length is fixed by the encryption method.

e.g. old DES has 56-bit encryption which is now crackable by brute force in days on modern computers.

Currently the industry standard is AES 256-bit , Attempting to crack it by brute force is currently "computationally infeasible" :
it would take trillions of years using state-of-the-art computers.

Each additional bit in key length doubles the number of permutations possible, and doubles the time it would take to crack by brute force.

[Edwardo]

OK. 256 bits sounds good.

If we may go back to my original question, part is still not so clear to me ...

The computer and router are inches apart. A cable connects the router to the roof antenna.
The antenna talks to the ISP several km distant. A hacker can access my router, this I know from experience.

The question is can he intercept traffic anywhere along the route between the antenna and the ISP?

[Barkin]

The computer and router are inches apart. A cable connects the router to the roof antenna.
The antenna talks to the ISP several km distant. A hacker can access my router, this I know from experience.

The question is can he intercept traffic anywhere along the route between the antenna and the ISP?

Wireless connection which use the mobile (cell)phone network would be particularly vulnerable to interception as you are literally broadcasting your data to everyone in a radius of about 1Km.
But if the channel is encrypted the intercepted transmission will be incomprehensible to eavesdroppers (scrambled).

[Edwardo]

Thanks. I understand the Wi-Fi encryption at my router. This is the fourth box
the ISP techs have set up as three failed in a short time.
They think I was messing with the settings so they locked me out.
The settings are now a mystery. I admit I messed one box up, but only one.

I put the question on another security forum, they asked if the ISP encrypted
the signals at their end, something I have not heard about. I will ask.

btw, I borrowed your URL code for the Custom Search Engine. Very useful.

[Edwardo]

Wireless connection which use the mobile (cell)phone network would be particularly vulnerable to interception as you are literally broadcasting your data to everyone in a radius of about 1Km.

I do not use a cellphone connection. It is a regular Wi-Fi 801.xx.

[Edwardo]

"It is quite easy to tell however. Make another known-good copy of the USB, put them both in a known-good, isolated machine,
and make a filesystem comparison. The only files that should show differences are the ones related to the firefox configuration,
and maybe a few system logs in /var".

To compare before and after changes to the disk is there an app for this?

I appear to be leaning toward the forensic side of things. I have no idea why.. Curiosity I suppose. The need to know if such and such is happening or not.

[Semme]

Perhaps AIDE or Tripwire to start..

[Edwardo]

Perhaps AIDE or Tripwire to start..

I need a PhD for that. We live in the instant world. Quick things. A comparison must be almost instant. Compare this face to that. True or false. Legit or not. At 186624 [mps]

[Semme]

Hey, I've laid you the groundwork.. the GUI's are out there..

[Edwardo]

Hey, I've laid you the groundwork.. the GUI's are out there..

OK Semme, I appreciate it. This is worth putting in the time to get to know how to use the program.

I liked this explanation for how HTTPS works

1. put the "Thing" in the box, and lock it with your padlock.
2. send the locked box to the other party.
3, they put their padlock on the loop also (so that there are two locks on it), and return the double-locked box to you
4. You remove your padlock, and return the now singly-locked box to them
5. they remove their own lock and open the box.

With encryption the locks and keys are math, but the general concept is vaguely like this.

[Edwardo]

This question may seem obvious to some but I would like to be quite certain and remove any doubt. Bits and bytes travel in mysterious ways.

Say you spend the day browsing a broad range of websites exposing your system to whatever is out there. The read-write USB is plugged for the duration of the session. At the end of the session you remove the stick and do not permit the OS to save RAM to the stick.

Is there any way a snooper could write and save data to your stick during the session without your knowledge? I ask because the orange box appears about once an hour. stating 'saving RAM to savefile' Has any data been saved if the stick is removed before the black screen saving routine at shutdown?

[Barkin]

... the orange box appears about once an hour. stating 'saving RAM to savefile' Has any data been saved if the stick is removed before the black screen saving routine at shutdown?

Your system , including any newly added data/software/malware, is being saved to the stick when you see that message.
On puppy it is possible to switch off those intermittent auto-backups and decide at shutdown whether to save or not ...
http://www.google.com/cse?cx=015995643981050743583%3Aabvzbibgzxo&q=kiosk&sa=Search&cof=FORID%3A0&siteurl=www.wellminded.com%2Fpuppy%2Fpupsearch.html&ref=&ss=1636j747498j5#gsc.tab=0&gsc.q=do%20not%20save%20savefile%20shutdown%20close

[Edwardo]

Your system , including any added malware, is being saved to he stick when you see that message.
On puppy it is possible to switch off those intermittent auto-backups and decide when closing whether to save or not ...
http://www.google.com/cse?cx=015995643981050743583%3Aabvzbibgzxo&q=kiosk&sa=Search&cof=FORID%3A0&siteurl=www.wellminded.com%2Fpuppy%2Fpupsearch.html&ref=&ss=1636j747498j5#gsc.tab=0&gsc.q=do%20not%20save%20savefile%20shutdown%20close

Thanks for clearing that up, Barkin.

Now, if an attacker wishes to write & save to the stick, where is his data going, to RAM or can he bypass RAM and access the stick directly?

[Barkin]

Now, if an attacker wishes to write & save to the stick, where is his data going, to RAM or can he bypass RAM and access the stick directly?

If the savefile has heavy encryption then I don't think it is possible to modify its contents directly (i.e. the "bypass RAM" scenario).

If you run from a live CD/DVD which is not the rewritable type then it is physically impossible to modify the data on it.