Hacking data
ISBNs are different for each edition of a book (and different in different countries). So if you're going to use one as part of an encryption key, then make sure there are several sources where you can access that ISBN.
If the book is lost you would need Internet access, (or another copy of the same edition of the book), to obtain that number, so if you are working off-line, without internet access, on encrypted data you'd be stuck.
Flash wrote: Actually if you're really paranoid it isn't a bad idea to use a book's ISBN number for an encryption key. If the book is lost or stolen, you can find the exact same book and it will have the same ISBN number. It's easier to remember the title of a book than its ISBN number. Just be sure to choose a book that was popular, so there will be a lot of them in used book stores, but not too popular. Don't use a bible for instance, that would be too easy to guess.
Can we say 'caution' or 'common sense' in preference to paranoia? In the house in which I grew up the telephone, for example, was stationed in the hall, some distance from people in rooms whose doors were usually closed, despite the fact the technology of the day did not permit the telephone to listen to conversations in its vicinity with its receiver in its cradle.
Recently I gave my smartphone away as I came to realize it was not the innocent toy it seemed to be. Then I asked my lady friend if she would much mind keeping her telephone in another part of the house when not in use. At first she was horrified, almost rebellious. It took a little time explaining things and now she has an excellent grasp of concepts like 'network', 'public telephone system', 'privacy', 'eavesdropping' etc. I could continue but I think there is little need for it when addressing this sophisticated audience.
Last edited by Edwardo on Wed 10 Jul 2013, 15:11, edited 1 time in total.
Barkin wrote: ISBNs are different for each edition of a book (and different in different countries). So if you're going to use one as part of an encryption key, then make sure there are several sources where you can access that ISBN.
If the book is lost you would need Internet access, (or another copy of the same edition of the book), to obtain that number, so if you are working off-line, without internet access, on encrypted data you'd be stuck.
Yes, indeed. The ISBN idea was an idle thought. But I do believe the best place for the password to be kept is in one's head. Of course if someone knew it was in my head and he wanted it very badly, I would hand it to him as a gift. He would then have a most interesting reading list which hopefully would improve his mind.
Re passwords, the OTP token method, one time password, gives one a deeper sense of security so long as one has faith in its manufacturer. This I have used for financial transactions with success so far. RSA is one such provider to financial institutions of these tokens whose 6 digit number changes every 60 seconds, and I believe they were hacked a couple of years ago. Probably now their security measures regarding security token internals have improved. Hopefully. On the other hand one is placing a lot of trust in a 'cloud', an indeterminate thing, in an indeterminate place, operated by unknown people.
Getting back to a Linux BIOS level password entry, can we use a dedicated USB to store and enter something really absurd, like this
nKlN2.Sl^mD={PxYBax,gxSWS$zYQeCO20/ik%23",aZa09fDUFW?w=TZubLe=lGQJ61#p@8Y*!W(O'uXjAt!lh'SxCgc*Cj')(%F^hr0B9oE}s36'x&t&41?JQP+MXsXmJ2E,nV[yLf{6fGZ}BZM1#w:U$UqeJK5J:gsWR*:^WMc2Dg:n"D6|f-/oX'tH![)L.wrrEDt86DNef&Mj[h(/MN1me17@YT=CVan)ML:tCZj|iy{W(TE9#Dvj)0S.Akniw(>GhviZq1~5tI6nU?o3*/TNmXtr/PI!BC)c=Uh2n\ER^hBT-;mG|va'LwCB4@7XAjse19VA%nVv2YuV~lfI<%}[SUL|yR)8+Eb1%kisBuQl3%CLNv|@%bAE(p8QH2fRCorGH/=#''FRR?k"s?kN=Z{!<!Q-.b&RYM$Ra@;"Q/9#BOp,j3'u!0Uo^%'sJR&6{b|nqY2oI'wV/.YgfP8rj3LmM7|PV@M3#{m1TwB^ZVE\Vcf#9m%WX#9S7u7J.jXGKs2T7k@N?@,RlCJ{lO+"Nsq9.y{5=%|5MffQedYLt;[lC~RmAgrj.@)cDE8E#&&yEd2>6HmM0FSE=dl#f/LD2{"|P;(<Yt^Mz9obF(kn@KA'#?"("|h''1()9=jeYl"D>a&f|lJ<JtJ-tI6Z~Qro=sF$~Rze3PXzr)BxMzM.mqT@T|LQiz-r7|r@2BkQh^)oD6zjS|<|CO5)"C>8(<I<U6\(|KKbu+QbVvv,/B-%{sbVOt\zjp9$-(&$d9A7!kJ|cKiR-luQ(e//"!U4hqP9s8t"f|^Y7r-
I guess for this one we'd see you in the next universe.
The maximum length of the encryption key determines the maximum length of password ...
Edwardo wrote: ... Getting back to a Linux BIOS level password entry, can we use a dedicated USB to store and enter something really absurd, like this
nKlN2.Sl^mD={PxYBax,gxSWS$zYQeCO20/ik%23",aZa09fDUFW?w=TZubLe=lGQJ61#p@8Y*!W(O'uXjAt!lh'SxCgc*Cj')(%F^hr0B9oE}s36'x&t&41?JQP+MXsXmJ2E,nV[yLf{6fGZ}BZM1#w:U$UqeJK5J:gsWR*:^WMc2Dg:n"D6|f-/oX'tH![)L.wrrEDt86DNef&Mj[h(/MN1me17@YT=CVan)ML:tCZj|iy{W(TE9#Dvj)0S.Akniw(>GhviZq1~5tI6nU?o3*/TNmXtr/PI!BC)c=Uh2n\ER^hBT-;mG|va'LwCB4@7XAjse19VA%nVv2YuV~lfI<%}[SUL|yR)8+Eb1%kisBuQl3%CLNv|@%bAE(p8QH2fRCorGH/=#''FRR?k"s?kN=Z{!<!Q-.b&RYM$Ra@;"Q/9#BOp,j3'u!0Uo^%'sJR&6{b|nqY2oI'wV/.YgfP8rj3LmM7|PV@M3#{m1TwB^ZVE\Vcf#9m%WX#9S7u7J.jXGKs2T7k@N?@,RlCJ{lO+"Nsq9.y{5=%|5MffQedYLt;[lC~RmAgrj.@)cDE8E#&&yEd2>6HmM0FSE=dl#f/LD2{"|P;(<Yt^Mz9obF(kn@KA'#?"("|h''1()9=jeYl"D>a&f|lJ<JtJ-tI6Z~Qro=sF$~Rze3PXzr)BxMzM.mqT@T|LQiz-r7|r@2BkQh^)oD6zjS|<|CO5)"C>8(<I<U6\(|KKbu+QbVvv,/B-%{sbVOt\zjp9$-(&$d9A7!kJ|cKiR-luQ(e//"!U4hqP9s8t"f|^Y7r-
I guess for this one we'd see you in the next universe.
http://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength
Creating a password longer than that does not increase security: a brute-force crack will have to cover the entire search-space possible, e.g. in 256-bit encryption, in binary from
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
to
1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
Making the password longer than the key length permits just causes the mileometer to go around the clock, so to speak: all permutations will have been covered and the password already cracked.
https://www.grc.com/passwords.htm
Edwardo wrote: What determines the length of the encryption key?
The encryption algorithm sets the maximum key length:
i.e. the maximum key length is fixed by the encryption method.
e.g. old DES has 56-bit encryption which is now crackable by brute force in days on modern computers.
Currently the industry standard is AES 256-bit. Attempting to crack it by brute force is currently "computationally infeasible":
it would take trillions of years using state-of-the-art computers.
Each additional bit in key length doubles the number of permutations possible, and doubles the time it would take to crack by brute force.
OK. 256 bits sounds good.
If we may go back to my original question, part is still not so clear to me ...
The computer and router are inches apart. A cable connects the router to the roof antenna.
The antenna talks to the ISP several km distant. A hacker can access my router, this I know from experience.
The question is can he intercept traffic anywhere along the route between the antenna and the ISP?
Edwardo wrote: The computer and router are inches apart. A cable connects the router to the roof antenna.
The antenna talks to the ISP several km distant. A hacker can access my router, this I know from experience.
The question is can he intercept traffic anywhere along the route between the antenna and the ISP?
Wireless connections which use the mobile (cell)phone network would be particularly vulnerable to interception as you are literally broadcasting your data to everyone in a radius of about 1Km.
But if the channel is encrypted the intercepted transmission will be incomprehensible to eavesdroppers (scrambled).
Thanks. I understand the Wi-Fi encryption at my router. This is the fourth box
the ISP techs have set up as three failed in a short time.
They think I was messing with the settings so they locked me out.
The settings are now a mystery. I admit I messed one box up, but only one.
I put the question on another security forum, they asked if the ISP encrypted
the signals at their end, something I have not heard about. I will ask.
btw, I borrowed your URL code for the Custom Search Engine. Very useful.
"It is quite easy to tell however. Make another known-good copy of the USB, put them both in a known-good, isolated machine,
and make a filesystem comparison. The only files that should show differences are the ones related to the firefox configuration,
and maybe a few system logs in /var".
To compare before and after changes to the disk is there an app for this?
I appear to be leaning toward the forensic side of things. I have no idea why.. Curiosity I suppose. The need to know if such and such is happening or not.
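The filesystem comparison described in the quoted advice can be scripted. The following is an added example, not from the thread or from any Puppy tool: it hashes every file on two mounted copies and separates differences under the expected paths from everything else. The function names and the two path prefixes are assumptions chosen for illustration, and the sample trees are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Where differences are expected, per the quoted advice (prefixes are assumptions).
EXPECTED_PREFIXES = ("root/.mozilla/", "var/log/")

def hash_tree(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and device nodes
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def compare_trees(known_good, suspect, expected=EXPECTED_PREFIXES):
    """Return (expected_changes, unexpected_changes) as lists of (kind, path)."""
    good, sus = hash_tree(known_good), hash_tree(suspect)
    changed = []
    for path in sorted(set(good) | set(sus)):
        if good.get(path) != sus.get(path):
            kind = ("added" if path not in good else
                    "removed" if path not in sus else "modified")
            changed.append((kind, path))
    return ([c for c in changed if c[1].startswith(expected)],
            [c for c in changed if not c[1].startswith(expected)])

def demo():
    """Constructed sample: two tiny trees standing in for the mounted sticks."""
    good = {"bin/ls": b"original", "var/log/messages": b"boot 1"}
    used = {"bin/ls": b"tampered", "var/log/messages": b"boot 2", "etc/rc.local": b"new"}
    with tempfile.TemporaryDirectory() as tmp:
        for side, files in (("good", good), ("used", used)):
            for rel, data in files.items():
                target = Path(tmp, side, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        return compare_trees(Path(tmp, "good"), Path(tmp, "used"))

if __name__ == "__main__":
    print(demo())
```

Mount both sticks read-only on the isolated machine before hashing; the comparison covers file contents only, not ownership or permission bits.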
Semme wrote: Hey, I've laid you the groundwork.. the GUI's are out there..
OK Semme, I appreciate it. This is worth putting in the time to get to know how to use the program.
I liked this explanation for how HTTPS works
1. Put the "Thing" in the box, and lock it with your padlock.
2. Send the locked box to the other party.
3. They put their padlock on the loop also (so that there are two locks on it), and return the double-locked box to you.
4. You remove your padlock, and return the now singly-locked box to them.
5. They remove their own lock and open the box.
With encryption the locks and keys are math, but the general concept is vaguely like this.
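The five padlock steps above, worked with numbers as an added example (not part of the original post): each padlock is modular exponentiation with a private exponent, an arrangement known as Shamir's three-pass protocol. The prime `P`, the function names and the XOR variant are assumptions made for the illustration; the XOR version shows a lock that also commutes but lets a passive listener recover the secret.

```python
import math
import secrets

# Toy public prime 2**127 - 1 (a Mersenne prime), an assumption for this demo;
# real use needs a much larger, carefully chosen prime.
P = 2**127 - 1

def make_padlock():
    """Return (lock, unlock) exponents with lock * unlock = 1 mod (P - 1)."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def three_pass(secret):
    """Run the five padlock steps; return (wire_messages, recovered)."""
    a_lock, a_unlock = make_padlock()      # sender's padlock
    b_lock, b_unlock = make_padlock()      # receiver's padlock
    m1 = pow(secret, a_lock, P)            # steps 1-2: lock the box and send it
    m2 = pow(m1, b_lock, P)                # step 3: receiver adds a second lock
    m3 = pow(m2, a_unlock, P)              # step 4: sender removes own lock
    recovered = pow(m3, b_unlock, P)       # step 5: receiver opens the box
    return (m1, m2, m3), recovered

def three_pass_xor(secret):
    """Same exchange with XOR pads as locks: commutative, but it leaks."""
    a_pad, b_pad = secrets.randbits(126), secrets.randbits(126)
    m1 = secret ^ a_pad
    m2 = m1 ^ b_pad
    m3 = m2 ^ a_pad
    return (m1, m2, m3), m3 ^ b_pad

def eavesdrop_xor(wire):
    """A passive listener XORs the three wire messages; both pads cancel."""
    m1, m2, m3 = wire
    return m1 ^ m2 ^ m3

if __name__ == "__main__":
    thing = int.from_bytes(b"Thing", "big")    # constructed sample secret
    print("modexp recovered:", three_pass(thing)[1] == thing)
    print("xor leaked:", eavesdrop_xor(three_pass_xor(thing)[0]) == thing)
```

Neither version authenticates the other party, so the exchange on its own does not tell you whose padlock was added in step 3.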
This question may seem obvious to some but I would like to be quite certain and remove any doubt. Bits and bytes travel in mysterious ways.
Say you spend the day browsing a broad range of websites exposing your system to whatever is out there. The read-write USB is plugged for the duration of the session. At the end of the session you remove the stick and do not permit the OS to save RAM to the stick.
Is there any way a snooper could write and save data to your stick during the session without your knowledge? I ask because the orange box appears about once an hour, stating 'saving RAM to savefile'. Has any data been saved if the stick is removed before the black screen saving routine at shutdown?
Edwardo wrote: ... the orange box appears about once an hour, stating 'saving RAM to savefile'. Has any data been saved if the stick is removed before the black screen saving routine at shutdown?
Your system, including any newly added data/software/malware, is being saved to the stick when you see that message.
On Puppy it is possible to switch off those intermittent auto-backups and decide at shutdown whether to save or not ...
http://www.google.com/cse?cx=015995643981050743583%3Aabvzbibgzxo&q=kiosk&sa=Search&cof=FORID%3A0&siteurl=www.wellminded.com%2Fpuppy%2Fpupsearch.html&ref=&ss=1636j747498j5#gsc.tab=0&gsc.q=do%20not%20save%20savefile%20shutdown%20close
Attachment: save interval zero (only saves to USB at closedown).gif (no intermittent auto-save of savefile)
Last edited by Barkin on Tue 16 Jul 2013, 04:12, edited 4 times in total.
Barkin wrote: Your system, including any added malware, is being saved to the stick when you see that message.
On Puppy it is possible to switch off those intermittent auto-backups and decide when closing whether to save or not ...
http://www.google.com/cse?cx=015995643981050743583%3Aabvzbibgzxo&q=kiosk&sa=Search&cof=FORID%3A0&siteurl=www.wellminded.com%2Fpuppy%2Fpupsearch.html&ref=&ss=1636j747498j5#gsc.tab=0&gsc.q=do%20not%20save%20savefile%20shutdown%20close
Thanks for clearing that up, Barkin.
Now, if an attacker wishes to write & save to the stick, where is his data going, to RAM or can he bypass RAM and access the stick directly?
Edwardo wrote: Now, if an attacker wishes to write & save to the stick, where is his data going, to RAM or can he bypass RAM and access the stick directly?
If the savefile has heavy encryption then I don't think it is possible to modify its contents directly (i.e. the "bypass RAM" scenario).
If you run from a live CD/DVD which is not the rewritable type then it is physically impossible to modify the data on it.