Cryptography-Digest Digest #756, Volume #10 Fri, 17 Dec 99 15:13:01 EST
Contents:
Re: More idiot "security problems" (Xcott Craver)
Re: Keystrokes monitored/encryption useless (Stefek Zaba)
Re: Deciphering without knowing the algorithm? (Derek Bell)
Re: Euclid Algorithm ("Dann Corbit")
Re: More idiot "security problems" (Xcott Craver)
Re: More idiot "security problems" (SCOTT19U.ZIP_GUY)
Re: I was just thinking about a potential Cipher system... (Derek Bell)
Re: Keystrokes monitored/encryption useless (Liyang Hu)
Re: Off topic -- 4 year old (Liyang Hu)
Re: Keystrokes monitored/encryption useless (Johnny Bravo)
Re: Keystrokes monitored/encryption useless (Johnny Bravo)
Re: More idiot "security problems" (JPeschel)
Re: More idiot "security problems" (Johnny Bravo)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Xcott Craver)
Subject: Re: More idiot "security problems"
Date: 17 Dec 1999 19:06:14 GMT
Jeff Williams <[EMAIL PROTECTED]> wrote:
>
>Convenience does seem to be more important to Joe Average than security.
>Perhaps we need to modify the system from the ground up, so that security is
>not only built in, but transparent (or as close to transparent as possible).
>Those aspects which cannot be transparent need to be arranged such that
>they cannot be disabled or bypassed.
Luckily (?) for us, it is often the case that those non-transparent,
annoying, often-bypassed security measures could have been avoided.
Often they are there because something better could have been
implemented but wasn't, leaving a huge gaping hole that can only
be locked down completely, or at least with a disclaimer of liability
("You are about to enter the Internet. From this point on, it's
your ass. Continue? [Yes] [No]")
It is true, however, that people will want features which will
be misusable, and there's little we can do to tell them no. Any
Sufficiently cool software technology is almost surely adaptable to
destructive ends (Craver's first law of computer security:
Fireworks are made out of Gunpowder. :P )
>Jeff
-Xcott
------------------------------
From: [EMAIL PROTECTED] (Stefek Zaba)
Subject: Re: Keystrokes monitored/encryption useless
Date: Fri, 17 Dec 1999 19:06:47 GMT
In sci.crypt, Bauerda ([EMAIL PROTECTED]) wrote:
> Before I upgraded to Windows, I had my startup files set so that they traced a
> few interrupts (DOS, disk access, and keyboard) and checked most of the
> interrupt table against stored results. While this is harder under Windows, it
> is still relatively easy to get a program which looks at the devices and
> threads running (hidden or not).
Sussing which threads are running can help, but will only detect whole new
threads, not modifications to the code being executed by the "standard"
Windows handlers. Similarly, knowing that some piece of malware has not
hooked a particular low-level interrupt is nice, but doesn't tell you that
the "normal" interrupt routine, or any of the "standard" DLLs/VXDs, is
unmodified. For that you need hashes of the trusted versions (and why do
you trust the shipped versions anyway?), a non-modifiable store of the
hashes and the hash-computation code, and non-bypassable alerting when
the hash check fails.
Stefek
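An added illustration (not part of the original post) of the three requirements listed above: hashes of trusted versions, a store of those hashes that cannot be silently rewritten, and a check that fails loudly. The HMAC key stands in for the non-modifiable store and is assumed to be kept off the monitored machine; the file names, file contents and key are constructed for the demonstration.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def seal(hashes, key):
    """Serialise the trusted hashes and bind them to a key the monitored host must not hold."""
    body = json.dumps(hashes, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def verify(root, manifest, key):
    """Return sorted (finding, path) pairs; raise if the manifest itself was altered."""
    tag = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, manifest["tag"]):
        raise ValueError("manifest seal broken: refusing to trust stored hashes")
    trusted, current = json.loads(manifest["body"]), snapshot(root)
    findings = [("modified", p) for p in trusted if p in current and current[p] != trusted[p]]
    findings += [("missing", p) for p in trusted if p not in current]
    findings += [("unexpected", p) for p in current if p not in trusted]
    return sorted(findings)

def demo():
    """Constructed scenario: two stand-in system files, one patched in place."""
    key = b"constructed-demo-key"  # assumption: stored away from the monitored machine
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("kbd.vxd", b"A" * 64), ("user.dll", b"B" * 64)):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = seal(snapshot(root), key)
        clean = verify(root, manifest, key)
        # Same name, same size, no new thread or file: only the content hash changes.
        with open(os.path.join(root, "kbd.vxd"), "wb") as f:
            f.write(b"A" * 63 + b"X")
        patched = verify(root, manifest, key)
        # Stored hashes rewritten to match the patched file, but without the key
        # the old seal no longer matches, so the check must refuse to proceed.
        forged = {"body": json.dumps(snapshot(root), sort_keys=True),
                  "tag": manifest["tag"]}
        try:
            verify(root, forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return clean, patched, forged_rejected

if __name__ == "__main__":
    print(demo())
```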
------------------------------
From: Derek Bell <[EMAIL PROTECTED]>
Subject: Re: Deciphering without knowing the algorithm?
Date: 17 Dec 1999 19:16:37 -0000
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
: Yes I know not all the good cryptoheads live in the US
: but what makes you think the NSA would not kill or silence
: them if they are perceived as a threat. I thought just this last
: year there was a strange death of a European expert.
If you mean Boris Floriciz, the case is still open - if it turns out
to be homicide, there are *many* possible suspects, including cable pirates.
Derek
--
Derek Bell [EMAIL PROTECTED] | Socrates would have loved
WWW: http://www.maths.tcd.ie/~dbell/index.html| usenet.
PGP: http://www.maths.tcd.ie/~dbell/key.asc | - [EMAIL PROTECTED]
------------------------------
From: "Dann Corbit" <[EMAIL PROTECTED]>
Subject: Re: Euclid Algorithm
Date: Fri, 17 Dec 1999 11:28:20 -0800
Here is one I wrote. It should be easy to transform it into a C++ template
so that you can use it with extended precision types.
/*****************************************************/
/* This function uses the Euclidean Algorithm to */
/* calculate the greatest common divisor of two */
/* unsigned long integers. */
/*****************************************************/
/* Programmer: Danniel R. Corbit */
/* */
/* Copyright (C) 1992 by Danniel R. Corbit */
/* All rights reserved. */
/*****************************************************/
/* Reference: "Factorization and Primality Testing", */
/* by David M. Bressoud, */
/* Springer-Verlag 1989. */
/* pages 7-12. */
/*****************************************************/
unsigned long
gcd (unsigned long a, unsigned long b)
{
    int shiftcount = 0;
    unsigned long tmp;
    /*******************************************************************/
    /* This zero testing stuff may seem odd, since zero is not likely. */
    /* However, knowing that neither a nor b is zero will speed up     */
    /* later operations greatly by elimination of tests for zero.      */
    /*******************************************************************/
    if (a == 0L)
    {
        tmp = b;
    }
    else if (b == 0L)
    {
        tmp = a;
    }
    else
    {   /* Neither a NOR b is zero! */
        /**************************************************************/
        /* While all this fuss about numbers divisible by 2 may seem  */
        /* like quite a bother, half of the integers in the universe  */
        /* are evenly divisible by 2. Hence, on a random sample of    */
        /* input values, great benefit will be realized. The odds     */
        /* that at least one of a,b is even is 1 - (1/2)*(1/2) = .75  */
        /* since the probability that both are odd is .25.            */
        /**************************************************************/
        /* If the last bit is 0, the number is divisible by 2 evenly. */
        /* If a & b are divisible by 2, gcd(a,b) = 2*gcd(a/2,b/2).    */
        /**************************************************************/
        while (!(a & 1L) && !(b & 1L))
        {
            a >>= 1;
            b >>= 1;
            shiftcount++;
        }
        /*******************************************************/
        /* If a is divisible by 2 and b is not divisible by 2, */
        /* then gcd(a,b) = gcd(a/2,b).                         */
        /*******************************************************/
        while (!(a & 1L))
        {
            a >>= 1;
        }
        /*******************************************************/
        /* If b is divisible by 2 and a is not divisible by 2, */
        /* then gcd(a,b) = gcd(a,b/2).                         */
        /*******************************************************/
        while (!(b & 1L))
        {
            b >>= 1;
        }
        /**********************************************************************/
        /* Make sure the numbers are in the proper order (swap if necessary). */
        /**********************************************************************/
        if (b > a)
        {
            tmp = a;
            a = b;
            b = tmp;
        }
        /****************************************/
        /* Euclid's famous gcd algorithm:       */
        /* Iterate until the remainder is <= 1. */
        /****************************************/
        while (b > 1)
        {
            tmp = b;
            b = a % b;
            a = tmp;
        }
        if (b == 0)
            tmp = a;
        else
            tmp = b;
        /*******************************************************************/
        /* If we divided BOTH numbers by factors of 2, we must compensate. */
        /*******************************************************************/
        if (shiftcount > 0 && tmp > 0L)
            tmp <<= shiftcount;
    }
    return (tmp);
}
#ifdef TEST
#include <stdio.h>
#include <stdlib.h>
int
main (int argc, char **argv)
{
    unsigned long i, j, k;
    if (argc > 2)
    {
        /* Parse the arguments as unsigned long in base 10. */
        i = strtoul (argv[1], NULL, 10);
        j = strtoul (argv[2], NULL, 10);
        k = gcd (i, j);
        /* %lu is the conversion specifier for unsigned long. */
        printf ("GCD of %lu and %lu is %lu\n", i, j, k);
    }
    return 0;
}
#endif
--
C-FAQ: http://www.eskimo.com/~scs/C-faq/top.html
"The C-FAQ Book" ISBN 0-201-84519-9
C.A.P. Newsgroup http://www.dejanews.com/~c_a_p
C.A.P. FAQ: ftp://38.168.214.175/pub/Chess%20Analysis%20Project%20FAQ.htm
------------------------------
From: [EMAIL PROTECTED] (Xcott Craver)
Subject: Re: More idiot "security problems"
Date: 17 Dec 1999 19:24:47 GMT
Jerry Coffin <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] says...
>
>> But I was looking for the more general term for a coder
>> developing a hilariously awful algorithm for a basic problem
>> that can only come from (a) complete ignorance of existing
>> algorithms; (b) the arrogance to not bother to pick up a book,
>> and sometimes (like our alt.2600 visitor) enough arrogance
>> to assume that their first attempt is a world-beater;
>> (c) the lack of some general common sense about the speed of
>> computers---what's "slow," what's "fast," what's a "large number";
>> and (d) the ethical numbness to put the technology in something
>> human beings will use.
>
>Maybe it's just me, but somehow "Marilyn Monroe encryption" has a nice
>ring to it -- that perfect combination of ignorance and just enough
>intelligence to be REALLY dangerous.
Urkel encryption ("Did I do that?")
Well-spotted! Now, can we think of a character who embodies
all four properties? I've always wanted a good term for
coders who reinvent square wheels. How about ... well, I've
exhausted most of today's creative juices. There's got to
be a million sitcoms where someone gets instant-expert syndrome
about something he doesn't understand and accidentally creates
a plotline. Who does that a lot?
> Jerry.
-S
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: More idiot "security problems"
Date: Fri, 17 Dec 1999 20:29:56 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(JPeschel) wrote:
>[EMAIL PROTECTED] writes, in part:
>
>
>>Game makers tried all
>>kinds of tricks to stop me and my ilk, such as, e.g., encrypting their
>>encryption code with one key, then the decrypted code contained yet another
>>key to decrypt another entire block of encryption code, etc., etc., but I
>>always got my man. The reason? No program is immune to a good debugger (and
>>by the end, what finally got game makers to give up on copy protection, HARDWARE
>>ASSISTED debuggers marketed at crackers were pretty darned cheap!).
>>
>>The lesson that I gained from that is that all "encryption" which relies upon
>>having a decryption key buried in the code is insecure.
>
>You'll find most commercial encryption programs, including PGP, do some
>sort of check for a correct password during decryption. Is this what you
>mean by "having a decryption key buried in the code?"
Granted the PGP key is not sticking in your face so it's not totally bad.
But the very fact it does a short check at the beginning of the encrypted file
to see if the user has selected the correct key is also piss poor practice.
It may be possible that these "features" are part of the reason it is
exportable. If the user enters the wrong key, it would be better not to let
the user know that the wrong key was entered at the start. Not only does
it tell the user right away that he has the wrong key, it greatly helps the
attacker. The user would learn to enter the correct key more often if
he was forced to wait a little extra time. But I guess the aim of PGP
is not secure encryption from hackers but to keep your little brother
from reading the file.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm
Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm
Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
------------------------------
From: Derek Bell <[EMAIL PROTECTED]>
Subject: Re: I was just thinking about a potential Cipher system...
Date: 17 Dec 1999 19:29:04 -0000
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Knuth (in TAOCP Vol 2) said something like "A good random number
: generator must not be designed at random," and explained why.
He also gave a good example of a PRNG algorithm (algorithm K) that
was designed at random and was, well, not very random.
Derek
--
Derek Bell [EMAIL PROTECTED] | Socrates would have loved
WWW: http://www.maths.tcd.ie/~dbell/index.html| usenet.
PGP: http://www.maths.tcd.ie/~dbell/key.asc | - [EMAIL PROTECTED]
------------------------------
From: Liyang Hu <[EMAIL PROTECTED]>
Subject: Re: Keystrokes monitored/encryption useless
Date: Fri, 17 Dec 1999 01:14:40 -0000
At Thu, 16 Dec 1999 04:56:56 GMT, molypoly <[EMAIL PROTECTED]> said:
> Take a look at the latest article from Privacytimes.com at
> http://www.privacytimes.com/dirt_8_17.htm
> The program is called DIRT and it records all your keystrokes. When
> you're online, it sends them to the recipient.
> This means that your keystrokes made while making your encryption
> keys are now worthless! How would one get around this if this software
> got into the wrong hands?
I believe a certain program called ScramDisk (for Win9x) gets around this
little problem by implementing the password entry screen in low-level text
mode. (the same as when you get the blue screen of death :)
It may be found at http://www.scramdisk.clara.net/
It's very easy to spot those programs running, as long as you keep an eye
out for them. <shameless plug>A useful little util, which just happens to
be called Useful, has a very good process monitor. Anytime I see anything
running that I don't know the purpose of, I can just kill that process. It
sees all processes, as opposed to <ctrl+alt+del>, which only shows the
non-service processes. You can get it at http://www.nerv.cx/hcbd/ </end of
shameless plug>
hth!
--
Liyang Hu/DenseBoy http://www.nerv.cx/
| The subspace W inherits the other 8 properties of V. |
| And there aren't even any property taxes. |
| -- J. MacKay, Mathematics 134b |
------------------------------
From: Liyang Hu <[EMAIL PROTECTED]>
Subject: Re: Off topic -- 4 year old
Date: Fri, 17 Dec 1999 01:18:50 -0000
At 15 Dec 1999 21:34:13 GMT, Sukhoi2000 <[EMAIL PROTECTED]> said:
> It is the little things in life that mean so much. If you can, please have
> everyone you know send a Christmas card to:
>
> Miss Paige Lane
> 4538 S. Creek Rd.
> Cookeville, TN 38506-7606
>
> She is 4 years old and is dying from cancer, and the only thing she wants for
> Christmas is cards.
>
> Thanks.
That was smart, wasn't it? Posting it to a crypto ng where everyone's as
paranoid as any sane person could be. Nice try though :)
--
Liyang Hu/DenseBoy http://www.nerv.cx/
| The subspace W inherits the other 8 properties of V. |
| And there aren't even any property taxes. |
| -- J. MacKay, Mathematics 134b |
------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: Keystrokes monitored/encryption useless
Date: Fri, 17 Dec 1999 14:45:20 GMT
On 17 Dec 1999 11:55:27 EST, [EMAIL PROTECTED] (Guy Macon) wrote:
>Back Orifice can be installed so as to be difficult to detect.
>Try again using the obfuscation methods in the manual.
That's what the firewall is for, once I know it's in the system, it
won't be hard to find and remove it. Not that I expect to end up with
it on my system in the first place.
I don't leave my system unprotected while online, not that there is
much on my system worth having (some email for Diplomacy games, my pic
collection, a few older games like Civ2 and Flight Commander 2, Star
Office). Nothing people can't easily get from the net already, I'm
more worried about a destructive attack than file theft.
Best Wishes,
Johnny Bravo
------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: Keystrokes monitored/encryption useless
Date: Fri, 17 Dec 1999 14:53:51 GMT
On Fri, 17 Dec 1999 15:23:52 GMT, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:
> "upgraded to Windows" if this is nat a bastardtisetion of the English
>language I don't know what is.
Speaking of mangled English...
"nat a bastardtisetion"
Hey, this reminds me of a famous poem, here is how it starts:
'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe.
Could it be; Charles Lutwidge Dodgson is still alive?
Johnny Bravo
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: More idiot "security problems"
Date: 17 Dec 1999 20:03:45 GMT
[EMAIL PROTECTED] writes:
>Granted the PGP key is not sticking in your face so it's not totally bad.
>But the very fact it does a short check at the beginning of the encrypted file
>to see if the user has selected the correct key is also piss poor practice.
>It may be possible that these "features" are part of the reason it is
>exportable. If the user enters the wrong key, it would be better not to let
>the user know that the wrong key was entered at the start. Not only does
>it tell the user right away that he has the wrong key, it greatly helps the
>attacker. The user would learn to enter the correct key more often if
>he was forced to wait a little extra time. But I guess the aim of PGP
>is not secure encryption from hackers but to keep your little brother
>from reading the file.
Now, Dave, you know damn-well that if you use a good pass-phrase
your key is going to be a lot more secure than you let on. :-)
Green, however, gave me the impression that he could debug and
reverse or patch any encryption program that checked for a correct
password. I contend it's not always possible.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: More idiot "security problems"
Date: Fri, 17 Dec 1999 15:03:29 GMT
On Fri, 17 Dec 1999 15:30:14 GMT, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:
> I can see where Mr BS would make that kind of comment he thinks most
>people are stupid and that only he can ass her tain which crypto is good.
I can see where Mr DS would make that kind of comment, he thinks
everyone is stupid and that only he can ascertain which crypto is good
(his own - all other crypto is "crap").
> If people are stupid enough to think they are secure when they
>use his crap they are picking dancing pigs over security every
>time.
If people are stupid enough to think they are secure when they use
illegibly coded crypto, proposed by an illiterate hack coder who
couldn't be bothered to explain his method or the results of standard
attacks against the method, they are picking dancing pigs over
security every time.
> No wonder he has such a low opinion of every one else.
>From his point of view he is laughing all the way to the bank when
>every any one uses his crap.
No wonder Mr DS has such a low opinion of everyone else.
From his point of view we should all be on our knees worshiping the
"One True Secure Crypto(tm)", that he has given us in his boundless
generosity. While all the other crypto in the world he has deemed
"crap", and to question his pronouncements of truth will get you
insulted by as many swear words as he can fit into the post, hopefully
without misspelling too many of them.
Johnny Bravo
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************