[ale] OT - New encryption technology using a piece of paper

Ron Frazier atllinuxenthinfo at c3energy.com
Sun Sep 4 00:16:48 EDT 2011


Hi David, comments below

On 9/3/2011 11:18 PM, David Tomaschik wrote:
> On 09/03/2011 10:40 PM, Ron Frazier wrote:
>> On 9/3/2011 7:25 PM, Michael Trausch wrote:
>>> On 09/03/2011 06:01 PM, Ron Frazier wrote:
>>>> I am sorry to say that both my bank (which shall remain nameless)
>>>
>>> Please, tell.  I want to know who NOT to go to for an account should I
>>> have to hunt in the future.  (Unless it's Chase, which I am already
>>> aware of.)
>>
>> I have no intention of enticing you all to hack my bank.
>
> This statement has blown my mind.  Your use of "you all", to me, implies
> "those involved in this conversation".  Are you suggesting that one of
> the members on this list would commit a federal crime to either get at
> you or just to prove a point?  Has anyone on this list ever said
> anything to indicate that they were interested in cracking banks, or any
> other black hat/malicious activity?  While there certainly are some on
> this list who have an interest in security, I don't think any of them
> have given any indication of malicious intent.  It's my hope that
> when you said "you all", you were really referring to the fact that this
> list is publicly archived, and that is why you would prefer not to
> disclose the identity of your bank.

I'm glad I caught this before more people saw it and perhaps 
misinterpreted it and started a firestorm.  For the record, I was not 
intending to impugn or malign or offend anyone involved in this 
discussion.  I have no reason to believe they intend malicious 
activity.  I do believe some harbor a bias against me, whom they 
hardly know, or against Mr. Gibson, whom they probably know less than 
they do me.  I mean no offense by that either, but it is my belief.

Your last sentence is correct.  I have to assume that anything I write 
will be published worldwide.  I have to assume anyone in the world with 
an interest in these topics or keywords can and will find it.  
I have to assume that a certain percentage of the readers will be 
malicious.  And, I have to assume, in this case, that some of those 
might like to crack my bank just because they think they can.  So, I 
don't want to give them any unnecessary help.  So, again, I was not 
referring to any specific individual on the list regarding hacking banks.

I will say this.  I have heard someone at the monthly meeting, whom I 
don't know, espouse the idea of setting up fake wireless access points 
in a hot spot environment, seeing who connects, and then having that 
person see shocking images of who knows what.  I recall numerous other 
people laughing at the prospect.  I find the idea of such behavior VERY 
ethically marginal and possibly legally marginal.  It didn't do much to 
foster the attitude that the individuals in the room had my best 
interest at heart.  I'm not trying to identify who that was nor do I 
want to.  But, you can, perhaps, see how that made me doubt the good 
intentions of some in the group.  I've never been much for practical 
jokes.  Having a whoopee cushion in someone's chair is one thing.  
Dropping paint on their head from a doorway is quite another.  Once you 
start hurting someone, I think you've crossed the wrong line.

>
>>> It follows his usual pattern, unfortunately.  Instead of working to help
>>> improve things, he is working to solidify things the way they are.  What
>>> makes *me* curious is what sort of motivation does he have for doing so?
>>
>> He's always slamming corporations for storing non-hashed passwords, not
>> salting, putting length restrictions on them, etc.  However, he also
>> tries to help users deal with the real world conditions they face.  I'm
>> sure that if the bank or the lab had asked Steve how to set up their
>> systems, I wouldn't have to be dealing with the limits that I do.
>>
>>> His system creates low entropy passwords, end of story.  Unless you're
>>> using 50 characters, it is really not worthwhile to attempt to use a
>>> password where the characters come from a pool of only 52 possibilities.
>>
>> Not universally true.  His DEFAULT procedure which he shares has 12
>> upper / lower case characters.  However, it is trivial to add more
>> length, or symbols, or numbers, or all three.  He has a web page that
>> explains how to do that.
>>
>
> Yes, but how many "average users" can manage to handle anything beyond
> the default?  I rather suspect that even the default would be a stretch
> for them.

Many of his listeners are above average in technical ability.  They 
could probably handle something more.

>>> The page requires you to put the password INTO THE SITE?  And people
>>> ACTUALLY DO IT?  Please, stop.  You're hurting me.
>>>
>> Wrong.  Everything is done by JavaScript on the page.  Nothing is
>> transmitted.  I'm sure that could be confirmed by examining the source
>> code or placing a sniffer on the net.
>>
> I hope nobody ever manages to crack his box and insert some malicious
> JS.  A little AJAX is all it would take to send the passwords away.  At
> least it's served over HTTPS, making a MITM attack a tiny bit harder.
> (http://www.thoughtcrime.org/software/sslstrip/)
>
>> <snip>
>>
> Ron,
>
> I believe both you and Steve Gibson have good intentions.  And the
> advice and tools he offers are certainly better than what the "average
> Joe" does without them, so I'm all for it.  I have neither a personal
> vendetta nor desire one with either you or Steve Gibson.  However, I am
> a big believer in intellectual discourse, and I am convinced that a
> well-intentioned (and civil) debate can help all parties learn and
> grow.  Finding flaws in security methodologies is a GOOD thing -- if we
> don't discuss the shortcomings, you better believe there are people who
> will.  And *those* are the people who want to crack your bank.
>

I think debate is good.  I'm here to learn things, and share info that 
might be useful where I can.

Sincerely,

Ron

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
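To put numbers on the entropy exchange quoted above (the 12-character upper/lower-case default drawn from a 52-symbol pool, the "50 characters" figure, and the option of adding digits, symbols or length), here is an added example that is not part of the original thread or of Steve Gibson's page. The 62- and 94-symbol pool sizes, the 128-bit target and the rounding guard are my own assumptions.

```python
import math

# Constructed pool sizes (assumptions, not figures from the thread): 52 is
# the thread's upper+lower-case letters; 62 adds the 10 ASCII digits; 94
# adds the 32 printable ASCII punctuation marks as well.
POOLS = {
    "upper+lower (52)": 52,
    "upper+lower+digits (62)": 62,
    "upper+lower+digits+symbols (94)": 94,
}


def password_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly and
    independently from a pool of `pool_size` symbols: length * log2(pool)."""
    if pool_size < 2 or length < 1:
        raise ValueError("pool_size must be >= 2 and length >= 1")
    return length * math.log2(pool_size)


def equivalent_length(pool_size: int, target_bits: float) -> int:
    """Smallest length from `pool_size` that reaches `target_bits`.
    The 1e-9 guard keeps float noise (12*x/x = 12.0000000002) from
    rounding an exact match up to one extra character."""
    return math.ceil(target_bits / math.log2(pool_size) - 1e-9)


def compare(default_pool: int = 52, default_len: int = 12,
            long_len: int = 50, target_bits: int = 128) -> dict:
    """Quantify the positions in the thread: the default scheme, the
    50-character figure, and what each larger pool or extra length buys."""
    default_bits = password_bits(default_pool, default_len)
    return {
        "default_bits": round(default_bits, 1),
        "fifty_char_bits": round(password_bits(default_pool, long_len), 1),
        # length needed from each pool to match the default's strength
        "match_default": {name: equivalent_length(p, default_bits)
                          for name, p in POOLS.items()},
        # each extra character from the 52-pool adds this many bits
        "bits_per_extra_char": round(math.log2(default_pool), 2),
        # 52-pool characters needed to reach the assumed 128-bit target
        "chars_for_target": equivalent_length(default_pool, target_bits),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```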


