Re: [Discuss] Most common (or Most important) privacy leaks
If you're going to tell us all about how the originating company is stiffing you, at least tell us the company's name so we can steer clear of them.

Mark Rosenthal

On 2/20/15 10:23 PM, Peter Olson wrote:
> I've been mugged three times, but not recently.
>
> The first time was in Cambridge, about 40 years ago. I was walking along a street and a bunch of kids intersected my path, hit me with something, stomped my eyeglasses, and took my wallet. I got stitches to fix a scalp wound but the worst hassle was calling my credit card company and dealing with my lost social security card, etc. And getting new glasses.
>
> The second time was maybe 35 years ago. I was returning from a dinner party and got off the subway in downtown Boston, walking about three blocks home, and two guys stepped out in front of me; one had a knife. I opened my wallet and gave them the money. They wanted me to go back into an underground subway entrance, but I stepped around it into the road and walked quickly back to my apartment one block away.
>
> The third time was about twenty years ago. I got off the subway in Central Square, Cambridge, and was going to the bus stop when four kids started harassing me. The object of their affection was apparently my cell phone, which was attached to my belt. I believe they thought it was a Sidekick ( http://www.pcmag.com/article2/0,2817,1630991,00.asp ). They continued to harass me verbally at the bus stop. One of them played the good guy (I think he was the oldest) and I had a limited conversation with him. One of the younger ones asked to borrow my phone so he could call his mother. I declined. Later he boasted that he could mess me up. I didn't take that seriously, so I stared him down. After we all got on the bus, everyone sat down. When we got to a popular mall, the kids left, and the youngest one tried to steal my phone.
>
> Let me tell you about cell phone belt holsters. When I first got the phone, I had several near misses where the holster detached from my belt while I was walking around. So I engineered a more secure attachment with tie wraps. The kid tried to grab my phone, but it didn't come off my belt :-) He left, but the other guy was pissed at me and slapped my eyeglasses off my head. I asked fellow passengers to help me find my glasses, and they got them back for me. I then walked to the front of the bus and pointed out the kids (by then on the other side of the road) and told him they tried to steal my phone.
>
> In the days following, I wondered what my strategy would be in this situation. I didn't think of any of these ideas at the time, but now I am prepared. At the bus stop there was a police station two blocks away. (It's a community center these days.) This was before ubiquitous cell phone usage, but I have heard since that I could loudly ask for someone else at the bus stop to call the police. There were plenty of people there who didn't intervene. The worst thing I could do would be to get off at my normal stop and walk home. But I didn't have to do that, since the kids left at the mall. I could have gotten off the bus at a stop with a restaurant very close to the stop, where I could find refuge. Then call a cab, in case the kids were lurking. I could have gone to the end of the line, where the kids would have to leave the bus but I wouldn't, because I would explain the problem to the bus driver. If he was still alive ;-) j/k
>
> The fourth time was last December. Oh, wait, there was a fourth time? I don't know yet, but it involves THE INTERNET. I ordered an inexpensive 3D plastic filament printer kit, which would take about 4 or 5 weeks to deliver but which would arrive around year end. I was out of town for a week and asked the USPS to hold my mail so the delivery wouldn't sit on my front steps for days. When the hold released, I got a sizable box with a note in felt tip (from the post office) saying "received without contents" and a form letter apologizing for whatever happened to it. Yes, the box was empty (except for a single sheet of blank paper).
>
> The shipment was insured, so a few days elapsed and I was able to get to the post office to ask about this and they said that it is the responsibility of the shipper to file a claim. The originating company has a ticket system. O frabjous joy! I filed a ticket, and four or five days later, they closed it to clear the database. I replied to the ticket, which reopened it automatically, and nothing happened. I poked the ticket and got a reply that the ticket master was working on the weekend and would have to talk to Nick next week. Nothing happened. I have now asked twice for a refund. I won't bore you with the exact chronology, but repeated complaints, including one citing the lack of substantive response in 28 days, have resulted in having the ticket closed again in order to clear the database. My latest communication points out to the ticket master that the resolving event for closing the
Re: [Discuss] Most common (or Most important) privacy leaks
On 02/17/2015 10:15 PM, Richard Pieri wrote:
> So. Someone replied directly to me instead of the list suggesting that character length is an important factor in password security.
>
> Letter count is a pointless factor in password security. "Four score and seven years ago" is 30 characters and still trivially vulnerable to dictionary attacks. "We hold these truths to be self-evident" is 40 characters and it is just as weak as the first example.
>
> Password reform starts with abandoning password rules and policies. Rules and policies are bad. Every policy that you enforce makes it easier for attackers to analyze passwords. If you have a policy that enforces a 15 character minimum then an attacker knows to ignore everything that is 14 or fewer characters, and given human nature he can ignore everything over about 20 characters for most passwords. If you have a policy that enforces the use of at least one number then an attacker has 9 known possible plaintexts in every password. At least one capital letter is 26 known possible plaintexts. And so forth.
>
> LastPass was suggested as an enterprise solution. By Ghu, where do I start with this. Relying on a third party that has no obligation to maintain the integrity of your keys? Relying on a third party that has crafted its terms of service such that you have no recourse if they screw up or an attacker compromises their system and exposes your entire business to the world? And this is being floated as an enterprise solution? 'Nuff said.

While I do use LastPass... Any type of cloud system, whether being used as a secure password vault or for your personal storage, has the one issue that it is run by a business. A business needs to make money, but businesses can go out of business, and you could lose all the data you have stored there. While Google, Microsoft, Amazon and IBM are not going out of business any time soon, they might decide that their cloud business is unprofitable and get rid of it, like Canonical did. Or it can be shut down like Kim Dotcom's Megaupload.

While I agree with Richard on policies, how does a business enforce strong passwords on its employees without policies? (Personally I would prefer biometric, but as previously mentioned, it has problems too.)

-- 
Jerry Feldman g...@blu.org
Boston Linux and Unix
PGP key id: B7F14F2F
PGP Key fingerprint: D937 A424 4836 E052 2E1B 8DC6 24D7 000F B7F1 4F2F

___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Most common (or Most important) privacy leaks
On 02/18/2015 12:30 PM, Richard Pieri wrote:
> On 2/18/2015 11:20 AM, Bill Bogstad wrote:
>> And the same users are going to use "Four score" if you require longer passwords, so you lose anyway.
>
> I did preface that with "[p]assword reform starts with".
>
> Key chain managers can be a good next step. They allow the use of arbitrary, random gibberish as passwords in a way that users only need to remember one good password for unlocking the key chain. In essence they can do the same thing that heavy duty encryption systems do: they generate large random keys for actual encryption and encrypt these keys with user-provided passwords or passphrases. This way you can have strong passwords without any password reuse. Link a key chain manager to a trustworthy third party and you can have a robust password management system that is resistant to attacks.

One issue I had with SecurID years ago was that it required you to log in within a certain amount of time. The number on the SecurID was hard to read, and it would take me a couple of times before I was able to type in the number and the PIN before the timeout. But I would agree that keychain managers are a viable solution.

-- 
Jerry Feldman g...@blu.org
Boston Linux and Unix
PGP key id: B7F14F2F
PGP Key fingerprint: D937 A424 4836 E052 2E1B 8DC6 24D7 000F B7F1 4F2F
Re: [Discuss] Most common (or Most important) privacy leaks
On 02/18/2015 11:20 AM, Bill Bogstad wrote:
> On Wed, Feb 18, 2015 at 4:15 AM, Richard Pieri richard.pi...@gmail.com wrote:
>> So. Someone replied directly to me instead of the list suggesting that character length is an important factor in password security.
>>
>> Letter count is a pointless factor in password security. "Four score and seven years ago" is 30 characters and still trivially vulnerable to dictionary attacks. "We hold these truths to be self-evident" is 40 characters and it is just as weak as the first example.
>>
>> Password reform starts with abandoning password rules and policies. Rules and policies are bad. Every policy that you enforce makes it easier for attackers to analyze passwords. If you have a policy that enforces a 15 character minimum then an attacker knows to ignore everything that is 14 or fewer characters, and given human nature he can ignore everything over about 20 characters for most passwords. If you have a policy that enforces the use of at least one number then an attacker has 9 known possible plaintexts in every password. At least one capital letter is 26 known possible plaintexts. And so forth.
>
> The problem with this is that if you don't enforce a minimum length on passwords a significant number of your users will use something that is probably less than 6 characters long. Of course, many of those would fall to a dictionary attack as well. And the same users are going to use "Four score" if you require longer passwords, so you lose anyway.

Many places have a requirement to use at least 1 upper case and 1 lower case letter and at least 1 digit. So that increases the number of possible characters in each position to 62. While this along with length will defeat a simple password cracker, smarter techniques that know this make that rule somewhat moot (again, Richard is correct). But it comes down to usability. Many of us have multiple systems we log into: at least 1 home computer or laptop, smart phone, work computer. My company allows us to use our personal smartphones for company email, but they require strong password authentication on the phone as well as the ability of the company to wipe the phone in the case of what they perceive as a breach. Since I don't need to be on call 24x7, I don't want my company to have access to my phone.

So, if you know the rules, then you can more easily crack a password, but if you lack rules, then you allow people to have very weak passwords. So it is a catch-22 situation. Unfortunately I don't have a solution.

-- 
Jerry Feldman g...@blu.org
Boston Linux and Unix
PGP key id: B7F14F2F
PGP Key fingerprint: D937 A424 4836 E052 2E1B 8DC6 24D7 000F B7F1 4F2F
Re: [Discuss] Most common (or Most important) privacy leaks
On 02/19/2015 11:07 AM, Gordon Marx wrote:
> On Thu, Feb 19, 2015 at 10:52 AM, Doug sweet...@alum.mit.edu wrote:
>> 2. I would like to hear more about tools for plausible-deniability of the existence of secondary access codes. I don't quite know what that means.
>
> I think the idea is to give the ability to communicate to the system "Yes, I'm logging in, but I'm being coerced -- but don't let on that you know, because I'm in danger if this doesn't appear to work."

I agree with this. This should be employed in home security systems also.

-- 
Jerry Feldman g...@blu.org
Boston Linux and Unix
PGP key id: B7F14F2F
PGP Key fingerprint: D937 A424 4836 E052 2E1B 8DC6 24D7 000F B7F1 4F2F
Re: [Discuss] Most common (or Most important) privacy leaks
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Jerry Feldman
>
>> Yes, I'm logging in, but I'm being coerced -- but don't let on that you know, because I'm in danger if this doesn't appear to work.
>
> I agree with this. This should be employed in home security systems also.

Of course there's an easy countermeasure to that too - the guy with the gun says "Ok, login. And if you fail to put the moneyz into my hand, blam." Anybody in the hot seat would be stupid to *use* the "Yes I'm logging in but I'm being coerced" password, unless there was more at stake than just their own life. Useful for national security situations - not useful for protecting your bank account.
Re: [Discuss] Most common (or Most important) privacy leaks
I've been mugged three times, but not recently.

The first time was in Cambridge, about 40 years ago. I was walking along a street and a bunch of kids intersected my path, hit me with something, stomped my eyeglasses, and took my wallet. I got stitches to fix a scalp wound but the worst hassle was calling my credit card company and dealing with my lost social security card, etc. And getting new glasses.

The second time was maybe 35 years ago. I was returning from a dinner party and got off the subway in downtown Boston, walking about three blocks home, and two guys stepped out in front of me; one had a knife. I opened my wallet and gave them the money. They wanted me to go back into an underground subway entrance, but I stepped around it into the road and walked quickly back to my apartment one block away.

The third time was about twenty years ago. I got off the subway in Central Square, Cambridge, and was going to the bus stop when four kids started harassing me. The object of their affection was apparently my cell phone, which was attached to my belt. I believe they thought it was a Sidekick ( http://www.pcmag.com/article2/0,2817,1630991,00.asp ). They continued to harass me verbally at the bus stop. One of them played the good guy (I think he was the oldest) and I had a limited conversation with him. One of the younger ones asked to borrow my phone so he could call his mother. I declined. Later he boasted that he could mess me up. I didn't take that seriously, so I stared him down. After we all got on the bus, everyone sat down. When we got to a popular mall, the kids left, and the youngest one tried to steal my phone.

Let me tell you about cell phone belt holsters. When I first got the phone, I had several near misses where the holster detached from my belt while I was walking around. So I engineered a more secure attachment with tie wraps. The kid tried to grab my phone, but it didn't come off my belt :-) He left, but the other guy was pissed at me and slapped my eyeglasses off my head. I asked fellow passengers to help me find my glasses, and they got them back for me. I then walked to the front of the bus and pointed out the kids (by then on the other side of the road) and told him they tried to steal my phone.

In the days following, I wondered what my strategy would be in this situation. I didn't think of any of these ideas at the time, but now I am prepared. At the bus stop there was a police station two blocks away. (It's a community center these days.) This was before ubiquitous cell phone usage, but I have heard since that I could loudly ask for someone else at the bus stop to call the police. There were plenty of people there who didn't intervene. The worst thing I could do would be to get off at my normal stop and walk home. But I didn't have to do that, since the kids left at the mall. I could have gotten off the bus at a stop with a restaurant very close to the stop, where I could find refuge. Then call a cab, in case the kids were lurking. I could have gone to the end of the line, where the kids would have to leave the bus but I wouldn't, because I would explain the problem to the bus driver. If he was still alive ;-) j/k

The fourth time was last December. Oh, wait, there was a fourth time? I don't know yet, but it involves THE INTERNET. I ordered an inexpensive 3D plastic filament printer kit, which would take about 4 or 5 weeks to deliver but which would arrive around year end. I was out of town for a week and asked the USPS to hold my mail so the delivery wouldn't sit on my front steps for days. When the hold released, I got a sizable box with a note in felt tip (from the post office) saying "received without contents" and a form letter apologizing for whatever happened to it. Yes, the box was empty (except for a single sheet of blank paper).

The shipment was insured, so a few days elapsed and I was able to get to the post office to ask about this and they said that it is the responsibility of the shipper to file a claim. The originating company has a ticket system. O frabjous joy! I filed a ticket, and four or five days later, they closed it to clear the database. I replied to the ticket, which reopened it automatically, and nothing happened. I poked the ticket and got a reply that the ticket master was working on the weekend and would have to talk to Nick next week. Nothing happened. I have now asked twice for a refund. I won't bore you with the exact chronology, but repeated complaints, including one citing the lack of substantive response in 28 days, have resulted in having the ticket closed again in order to clear the database. My latest communication points out to the ticket master that the resolving event for closing the ticket is the issuance of the refund, not clearing the database. There has been no reply. This has certainly been the most time-enhanced mugging I have ever endured :-) Next step I suppose is communicating with the
Re: [Discuss] Most common (or Most important) privacy leaks
Jerry Feldman g...@blu.org writes:
>> I think the idea is to give the ability to communicate to the system "Yes, I'm logging in, but I'm being coerced -- but don't let on that you know, because I'm in danger if this doesn't appear to work."
>
> I agree with this. This should be employed in home security systems also.

Isn't that overkill? How many people get held up at gunpoint outside their house or apartment? Have any of you even been mugged on the street around Boston and suburbs? Granted I've only lived here since 1997, but it seems like a pretty safe place all in all.

-- 
Mike Small sma...@panix.com
Re: [Discuss] Most common (or Most important) privacy leaks
On Friday, February 20, 2015 06:54:37 AM Jerry Feldman wrote:
> On 02/19/2015 11:07 AM, Gordon Marx wrote:
>> On Thu, Feb 19, 2015 at 10:52 AM, Doug sweet...@alum.mit.edu wrote:
>>> 2. I would like to hear more about tools for plausible-deniability of the existence of secondary access codes. I don't quite know what that means.
>>
>> I think the idea is to give the ability to communicate to the system "Yes, I'm logging in, but I'm being coerced -- but don't let on that you know, because I'm in danger if this doesn't appear to work."
>
> I agree with this. This should be employed in home security systems also.

The problem with coercion codes is that they are only a delaying tactic, and tend to lead to hostage-taking. No matter how prompt the response, the best result which might be attained is that the criminals will abandon their attack when they find out help is on the way. That leaves a property-owner in a worse situation than before: he still has the asset, to be sure, but he's also still vulnerable, and the attackers now know that he was able to trick them, which is not a good place to put a sociopath.

As a rhetorical discussion, coercion codes seem like great James Bond stuff. However, in practice, they are both dangerous and unreliable - could /you/ enter one without giving any clue? - and, truth be told, they require a degree of dedication and bravery few can measure up to. For those entrusted with other people's money or secrets, the game is over before it starts. It's not their property, no skin off their ears, and the worst penalty for cooperation is a few boring hours with police investigators and a need to find another job. Someone protecting his own fortune will almost always have other safeguards in place, from the mundane use of a secondary account which doesn't have electronic access, to the need for a business partner or other trusted third party to supply part of an access code, or even kidnap and ransom insurance that will cover the loss.

Those who lay hands on people are penalized *much* more harshly than those who commit crimes against property, and criminals know that. For the same reason that a burglar might decide to go unarmed, a cyber-attacker is likely to know a lot about my habits and routine *before* the attack, since the real wet work puts him over the line into *armed* robbery, and a minimum of six or seven more years on his sentence.

Forget anything you saw in movies: nobody moves millions of dollars around, or even tens of thousands, without safeguards that obviate the need for courage-under-fire. Corporate secrets are never entrusted to a single individual, X never marks the spot, and no matter how valuable the software, design, or manufacturing technique may be, it's *always* cheaper to go around it or figure a different method, instead of entertaining thoughts of being under the thumb of thugs who will be back for more, again and again.

Bill

-- 
Bill Horne
William Warren Consulting
339-364-8487
Re: [Discuss] Most common (or Most important) privacy leaks
I was mugged a block off of Commonwealth Ave. I had been reading some promo material from Model Mugging, a program designed to train women how to deal with the unfortunate situation.

A group of three youngsters approached me. The best strategy is one used by all the animals: look for any chance to RUN. I turned and started walking the other way. They caught up and surrounded me. They wanted my backpack, so I gave it to them. I then used one of the techniques recommended by Model Mugging: I shouted as loud as I physically could, describing what was going on. THEY TOOK MY BACKPACK. IT HAS MY DIABETES SUPPLIES... I might have started another sentence, but the kids ran away. Once I saw them run, I ran the other way. I found someone with a cell phone, called the police. I got the backpack back and my glasses which were knocked off.

I am prepared for mugging. Having a strategy in place was a very good thing. We kept living in the apartment for a few years.
Re: [Discuss] Most common (or Most important) privacy leaks
I have not checked in on the conversation for some time so I'm sorry if this message is no longer relevant/redundant.

Malware is a huge threat. The employees are your front line troops. Training is #1. Start with how to secure themselves personally. Any hack of an employee secondarily exposes the company to a breach. How to avoid malware and phishing? How large and real is the threat to them and to the company? Tell them why they should care about security. They should know what to do if a stranger who looks like they belong, but whom they don't recognize, comes walking through the office. Malware is no different. The passwords are no different than locks on the data. These are real threats to them and the company. Only in the context of introducing good practices would I give examples of what not to do.

Passwords are a complex issue, and that is how my interests were piqued. I want to address some misconceptions and why minimum standards are important.

*Passwords are central and important and I believe it's best to have a strong password policy.* Strong passwords are very important regardless of whether two-factor authentication is used, and of course it should be used on critical systems, especially by system administrators, wherever possible.

The point of these guidelines is to gently lead all users to choose passwords out of a large pool of permutations. You don't aim to maximize the space, you aim to lead users to use passwords out of a sufficiently large pool that meets your needs, so that the pool used in practice is a good one. In this respect, common guidelines have a sound basis in math and logic. It's easy to calculate the pool you choose with some calculations. I tend to use Python so that is what I've used in expressions.

It's true that these guidelines lead users to choose from a pool that is smaller than something like

    # every password of 1 to 20 characters over a 62-symbol alphabet
    print("{:,}".format(sum([62**x for x in range(1, 21)])))
    715,971,350,555,965,203,672,729,121,413,359,850

That pool is unnecessarily huge. Even the passwords up to 19 characters have a pool of 1.154793e+34, which is bigger than the speed of light squared or Avogadro's number. As the logic below shows, the longest passwords allowed add the most, by far, to the chosen pool, and 20 is a pretty long password. The point is to start with a pool that is larger than needed and then lead users to choose passwords from a sub-pool that is hard to hack at using known methods.

A minimum length requirement eliminates the security risk of short passwords. People are busy and they won't take on much more hassle than they must. The assertion is that requiring passwords of minimum length lowers security by eliminating the simpler passwords from the pool, but the truth is that you are requiring a password to be chosen from a much larger pool that is harder to guess. It's large enough to do a dance on the grave of the shorter password pools. Here is why.

A permutation over alphabet *A* (containing *a* possible symbols) that is *n* digits long would have a**n possible permutations. The passwords smaller than *n* digits would be a**(n-1) + a**(n-2) + ... + a**1. Even though this sum of all shorter passwords seems like it would be large, maybe even larger, it's not. The longer sequence of just the minimum number of characters has a much larger permutation space than all the previous ones combined. In fact the difference increases exponentially with n.

    import math

    # for each length y: the pool of exactly y letters, the pool of every shorter
    # length combined, and log10 of the difference between the two
    for n, row in enumerate([(longer, all_shorter, math.log(longer - all_shorter, 10))
                             for (longer, all_shorter) in [(26**y, sum([26**x for x in range(1, y)]))
                                                           for y in range(2, 16)]],
                            start=1):
        print(n + 1, row)

     n                      q = 26**n  r = sum(26**(n-1)+...26**1)  log(q-r,10)
     2                            676                           26         2.81
     3                         17,576                          702         4.23
     4                        456,976                       18,278         5.64
     5                     11,881,376                      475,254         7.06
     6                    308,915,776                   12,356,630         8.47
     7                  8,031,810,176                  321,272,406         9.89
     8                208,827,064,576                8,353,082,582        11.30
     9              5,429,503,678,976              217,180,147,158        12.72
    10            141,167,095,653,376            5,646,683,826,134        14.13
    11          3,670,344,486,987,776          146,813,779,479,510        15.55
    12         95,428,956,661,682,176        3,817,158,266,467,286        16.96
    13      2,481,152,873,203,736,576       99,246,114,928,149,462        18.38
    14     64,509,974,703,297,150,976    2,580,398,988,131,886,038        19.79
    15  1,677,259,342,285,725,925,376   67,090,373,691,429,037,014        21.21

*Seriously*, don't be concerned over the loss of the shorter passwords. You are not helping hackers by eliminating them, you are improving security. Again you are discarding the number of digits
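The pool arithmetic in the post above, and the exchange earlier in the thread about composition rules (Richard Pieri's point that "at least one digit, one capital" tells an attacker something, Jerry's reply that it also raises the per-position alphabet to 62), can both be put into numbers. The block below is an added example and is not code from the original post or from anyone on the list; the function names are mine. It generalises the post's 26-letter table to any alphabet size, reports what share of the combined pool the shorter passwords actually make up, and uses inclusion-exclusion to count how many length-n strings an "at least one lower, one upper, one digit" rule removes from the 62-symbol pool.

```python
import math
from itertools import combinations


def pool_exact(alphabet_size, n):
    """Strings of exactly n symbols over an alphabet of alphabet_size symbols
    (the post's q = a**n)."""
    return alphabet_size ** n


def pool_shorter(alphabet_size, n):
    """Strings of length 1 .. n-1 (the post's r = a**(n-1) + ... + a**1)."""
    return sum(alphabet_size ** k for k in range(1, n))


def length_floor_table(alphabet_size, max_len):
    """Rows (n, q, r, log10(q - r)) for n = 2 .. max_len: the post's table for any alphabet."""
    rows = []
    for n in range(2, max_len + 1):
        q = pool_exact(alphabet_size, n)
        r = pool_shorter(alphabet_size, n)
        rows.append((n, q, r, round(math.log10(q - r), 2)))
    return rows


def shorter_fraction(alphabet_size, n):
    """Share of the combined pool (lengths 1 .. n) made up by the shorter passwords.
    It tends to 1/alphabet_size: under 4% for 26 letters, under 2% for 62 symbols."""
    q = pool_exact(alphabet_size, n)
    r = pool_shorter(alphabet_size, n)
    return r / (q + r)


def pool_with_classes(n, classes):
    """Length-n strings over disjoint character classes of the given sizes that use
    every class at least once, counted by inclusion-exclusion over omitted classes.
    classes=(26, 26, 10) models 'at least one lower, one upper, one digit'."""
    total = sum(classes)
    count = 0
    for k in range(len(classes) + 1):
        for omitted in combinations(range(len(classes)), k):
            remaining = total - sum(classes[i] for i in omitted)
            count += (-1) ** k * remaining ** n
    return count


def composition_rule_cost(n, classes=(26, 26, 10)):
    """Fraction of the unconstrained length-n pool that a 'one of each class' rule excludes."""
    full = sum(classes) ** n
    return 1 - pool_with_classes(n, classes) / full


if __name__ == "__main__":
    # Reproduces the post's 26-letter table, then the 62-symbol view the thread argued about.
    for n, q, r, digits in length_floor_table(26, 15):
        print(f"{n:2d} {q:>32,} {r:>30,} {digits:6.2f}")
    for n in (6, 8, 10, 12):
        print(f"length {n}: shorter passwords are {shorter_fraction(62, n):.2%} of the pool; "
              f"an upper+lower+digit rule removes {composition_rule_cost(n):.1%} of length-{n} strings")
```

The last figure is the one to look at when weighing a composition rule: at length 8 the rule removes a little over a quarter of the 62-symbol space, a loss of under half a bit against the roughly six bits gained by requiring one more character, which is the quantitative version of the post's "discard the shorter pools" argument.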
Re: [Discuss] Most common (or Most important) privacy leaks
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Rich Braun
>
> Please, flippant answers like that aren't helpful.

No, Rich. Gordon is right. Your argument was "thug gets bank statement, holds gun to head," and you want plausible deniability, which you lost at "thug gets bank statement." The tiny grain of truth in your argument was that by forcing you to log into *any* password manager, they've gained access to *all* your stuff. Which is an argument against using any password manager, or anything other than memorizing different passwords for every site you ever use. So your argument was pretty much bunk and the grain of truth is completely impossible to ever satisfy ... except as Gordon said ... basically don't own anything.

Plausible deniability is important in some cases. Not compatible with a password manager.
Re: [Discuss] Most common (or Most important) privacy leaks
Ned Harvey said thus:
> The tiny grain of truth in your argument was that by forcing you to log into *any* password manager, they've gained access to *all* your stuff. Which is an argument against using any password manager...
>
> Plausible deniability is important in some cases. Not compatible with a password manager.

I have two scenarios to describe on this point:

1) Suppose the manager you used had multiple profiles that you could select (say, a separate one for utility companies, another for brokerages, another for banks, another for low-sensitivity websites)?

2) Suppose there were many different viable password-manager tools, instead of just LastPass?

Item #1 could be compared to having multiple pockets in your jacket/pants/money belt: if the robber suspects you have them, and has plenty of time to check, they'll find the money in your inside/hidden pockets. But when traveling, I put money in separate pockets/places because it's that much better-protected.

Item #2 basically comes down to how well the thieves/robbers know your protection: ADT sells the most security systems, so any thief who invests the effort will familiarize himself with ADT. Today it's unlikely that a criminal is particularly familiar with LastPass, but in a few more years of market dominance, LastPass will be widely known among such folks.

I'll make one final point on this before I leave it alone, because (I assume) consensus here on BLU is that I've lost my marbles and have gone off the deep end with security-protection concerns (but hopefully at least some of y'all are glad some of us in the systems-security biz contemplate worst-case scenarios -- device drivers in Target POS systems were, uh, targeted but Banana Republic wasn't -- their executives have no idea who I am but are glad they've got a tighter deployment system). That point is this: why do elderly people get targeted by con artists? Shouldn't their years of wisdom protect against ordinary scams? Here's why wisdom != protection: because most of us get set in our ways and we no longer consider all the possibilities for new vulnerabilities. Older people are far easier pickings.

In the future, an extortionist will no longer need a weapon in your face. New modes of attack are emerging each year. Bank robbers rob banks because that's where the money is, and the online equivalent is that hackers rob big companies because they've got more money and are easier to infiltrate. However, as corporate defenses improve, individuals will become more attractive targets.

Enough said.

-rich
Re: [Discuss] Most common (or Most important) privacy leaks
Hello Rich:

1. I would make remembering a strong master password a condition for employment. Show them a video on choosing a good password. One way is to make a little nonsense sentence that can be visualized, sprinkling in numbers for words and punctuation. Explain calmly that they can be fired because security is that important. Marshmellows 4 God? Bad, Bad.

2. I would like to hear more about tools for plausible-deniability of the existence of secondary access codes. I don't quite know what that means.

Doug
Re: [Discuss] Most common (or Most important) privacy leaks
On Feb 19, 2015, at 11:07 AM, Gordon Marx gcm...@gmail.com wrote:

> On Thu, Feb 19, 2015 at 10:52 AM, Doug sweet...@alum.mit.edu wrote:
>
>> 2. I would like to hear more about tools for plausible-deniability of the existence of secondary access codes. I don't quite know what that means.
>
> I think the idea is to give the ability to communicate to the system "Yes, I'm logging in, but I'm being coerced -- but don't let on that you know, because I'm in danger if this doesn't appear to work".

That is brilliant super fun stuff to think about. I was just day dreaming about an email feature that, when I log in with a particular password, would automatically fire off certain rules without notice by the party coercing me. Such as the removal of particular folders and sending an email to another server that would execute other instructions. I wish I worked in that world. Building systems like that would be fun! 007 stuff!

- Eric
Re: [Discuss] Most common (or Most important) privacy leaks
On Thu, Feb 19, 2015 at 10:52 AM, Doug sweet...@alum.mit.edu wrote:

> 2. I would like to hear more about tools for plausible-deniability of the existence of secondary access codes. I don't quite know what that means.

I think the idea is to give the ability to communicate to the system "Yes, I'm logging in, but I'm being coerced -- but don't let on that you know, because I'm in danger if this doesn't appear to work".
Re: [Discuss] Most common (or Most important) privacy leaks
On 2/19/2015 7:07 AM, Edward Ned Harvey (blu) wrote:

> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Rich Braun
>
>> Please, flippant answers like that aren't helpful.
>
> No, Rich. Gordon is right. Your argument was "thug gets bank statement, holds gun to head, and you want plausible deniability," which you lost at "thug gets bank statement." The tiny grain of truth in your argument was that by forcing you to log into *any* password manager, they've gained access to *all* your stuff. Which is an argument against using any password manager, or anything other than memorizing different passwords for every site you ever use. So your argument was pretty much bunk and the grain of truth is completely impossible to ever satisfy ... except as Gordon said ... basically don't own anything. Plausible deniability is important in some cases. Not compatible with a password manager.

Nobody likes having to deal with thugs; it's a tragedy of the modern age. I sympathize with those who have had to bear that weight.

This is the awkward place that Alice and Bob arrive at whenever we have to talk about security: cryptography-by-force is a recognized threat and must be considered. That is why bank safes have time locks, why safety-deposit boxes need two keys to open them, and why any effective computer security system must assume that any single individual can be compromised.

As far as the difference between password-locker programs and having individual passwords in my head, I don't see the point of eschewing the password-locker: I'm going to give a thug anything (s)he wants when my life is threatened.

FWIW. YMMV.

Bill

-- E. William Horne 339-364-8487
Re: [Discuss] Most common (or Most important) privacy leaks
Say the thug Bob has a Fidelity statement of Carl. It says there is $434,211.12 in Carl's account (this is certainly not my situation). Bob is going to keep Carl kidnapped for a week, so long as the money gets transferred to Bob's island account.

Carl has been worried about this type of situation. He has separate email addresses. c...@theworld.com is the real username in lastpass that goes to all the sites and allows him to work. car...@gmail.com is the address to a bogus lastpass account. It does have a username and a password. The edit page does appear to have a lot of stuff on it. But it doesn't work. Carl swears at f---ing lastpass and fidelity. It is a long password (he shows it to Bob), but it doesn't work. There is a history of the passwords too, a fake one, but still, Carl and Bob spend 20 minutes using the 6 passwords without f---ing lastpass piece of crap software trying to get in, all to no avail.

Bob says, go here: https://fps.fidelity.com/ftgw/Fps/Fidelity/RtlCust/Resolve/Init

  Last 4 digits of your SSN
  First Name:
  Last Name:
  Date of Birth
  Next

We've verified your identity - Look Up Your Username
https://fps.fidelity.com/ftgw/Fps/Fidelity/RtlCust/SetACI/Entry

  You will need to enter your current password.
  *Note:* If you forgot your password, please contact a representative at 800-544-0187.

All the passwords will not work. You need to contact a representative. With Bob on the phone, it would then depend on how stringent the policies were to getting the login info. My money would be on Bob succeeding. If Bob was experienced at this kind of thing, he might skip the computer and do the phone call first - get people involved, not computers.
Re: [Discuss] Most common (or Most important) privacy leaks
On 2/18/2015 11:20 AM, Bill Bogstad wrote:

> And the same users are going to use "Four score" if you require longer passwords, so you lose anyway.

I did preface that with "[p]assword reform starts with".

Key chain managers can be a good next step. They allow the use of arbitrary, random gibberish as passwords in a way that users only need to remember one good password for unlocking the key chain. In essence they can do the same thing that heavy duty encryption systems do: they generate large random keys for actual encryption and encrypt these keys with user-provided passwords or passphrases. This way you can have strong passwords without any password reuse. Link a key chain manager to a trustworthy third party and you can have a robust password management system that is resistant to attacks.

-- Rich P.
Re: [Discuss] Most common (or Most important) privacy leaks
On 2/17/2015 8:42 AM, Edward Ned Harvey (blu) wrote:

> I see a lot of people and businesses out there, that just don't care about their own privacy. They email passwords to each other, W2's with salary and social security information, photocopies of drivers' licenses and passports to be used by HR to complete I-9 forms... As an IT person advising a business to be more responsible, what areas do you advocate securing most urgently? IT admin credentials? HR records? Financial records? Other stuff? Simply everything, bar none? Email is obviously a huge area of insecure information sharing. Do you also see a lot of people storing information that should be secured in other non-private services like Dropbox, Google Drive, Box, etc?

People care a lot about their own privacy. The problem is that, by and large, it's /only/ their own privacy that they care about. Those on this list who have done penetration testing will back me up on this: you can touch any corporate asset on an employee's desk, but if you touch a purse or a cellphone, they get very interested, very quickly. Purses and cellphones contain information that they feel /is/ private, and therefore they take care to protect it. I'll leave aside the fact that most of what's in a purse or cellphone is already available in databases at the various big-data vendors. What counts is that employees /think/ it's private, and so they act diligently to protect and conceal it.

Their employer's privacy is another matter. We could debate passwords vs. tokens vs. biometrics vs. secret handshakes, and never come close to solving the security issue, which is, bluntly put, that most workers don't feel any connection to the corporate goal of 'security'. Very few desk jockeys have any skin in the security game, and even those who could lose their pension if a major breach occurred have a hard time connecting that "Maybe, possibly, the odds are ..." kind of abstract risk with their day-to-day responsibilities.

Low-level employees, even though they are the ones with the most access to the most sensitive personally-associated information, such as SSN's or bank account numbers (remember the void check you sent in to start direct deposit?), are not concerned with abstract corporate goals. They know they'll never sit in the corner office, and they know that they'll never drive the Porsche that the executive owns, and they know that they would have to have been a lot more daring and a lot more aggressive and a whole lot more disciplined, for years, if they had ever wanted to be higher up in the corporation. They do what they have to, not what's right in the eyes of us technical weenies who mouth buzzwords and speak in gibberish while shaming them about security. Shakespeare put it best - "The fault, dear Brutus, is not in our stars, but in ourselves, that we are underlings."

There are, of course, exceptions: those on this list have, I'd bet, mostly come to terms with our station in life as modern-day horse-whisperers who tend to complicated and failure-prone machines and/or software instead of to leading people. In any case, the odds are that we're all well above average in IQ, in income, and in the ever-so-elusive perception of ourselves and our place in the world.

The essence of the problem isn't technical; it's human. In military settings, soldiers who don't change their password on time (or whose passwords fail a complexity test) are assigned to low-status jobs, to remind them of their training. In corporate settings, it's impractical to demand that someone who has a password written on the bottom of a keyboard take a day to clean the bathroom or wash the windows, so there's no obvious way to coerce secure behavior, short of willingness to fire those employees who violate password or other security measures.

So long as security must be implemented with the cooperation of men and women who resent their station in life and their poor prospects for the future, it will be a serious problem. As Bruce Schneier so aptly pointed out (when critiquing the TSA's policy of confiscating bottles of liquid) - "There's no penalty for failure." In other words, so long as the consequences of lackadaisical behavior are borne by anonymous stockholders instead of the perpetrators, we lose.

Bill "Mister Subtlety" Horne
William Warren Consulting
Copyright (C) 2015, E.W. Horne. All Rights Reserved.

-- E. William Horne 339-364-8487
Re: [Discuss] Most common (or Most important) privacy leaks
My bad, here was my not-intended-to-be-private reply:

My passwords are 19 characters long (if possible). Size is the important issue for making passwords strong. I don't type them in. Instead I use lastpass. If I had to keep things secure, I would consider their enterprise service.

> Letter count is a pointless factor in password security.

I don't think the math supports you on this one. Compare these three:

  whom
  NtoU
  UTap

to:

  j885DK5Q0kqy88Sqm52
  uKf98RjGre1yI27a59l
  uKf98RjGre1yI27a59l

The first three were set with a length of 4 and made pronounceable. The latter three are 19 characters long. I recall an article that said quite specifically that length was more important than choosing diverse characters.

Employees will be people. People's preferred passwords are "password" and "123456". I can be certain a dedicated attack can crack that system.

Most companies don't have anyone that knows cryptography. If you do have such a person, it is hard to understand them. I suspect lastpass is full of such people who are every bit as paranoid as readers of this group. Actually, probably more so since it is their entire job.

If you make enforcing a strong encryption policy a necessary rule, and make it convenient (even for use on the phone), then people will do it. It is so much easier to click on a button in the browser to make a password than think of one and write it down. That is how I wrote the email.

You also will need to revoke passwords once the employee has left. Sounds like a good job for software. And because lastpass is making money selling to enterprise clients, they can also provide nice reports for the business types that have to pay for the service.
Re: [Discuss] Most common (or Most important) privacy leaks
Bill Horne b...@horne.net writes:

> ...
> People care a lot about their own privacy. The problem is that, by and large, it's /only/ their own privacy that they care about.
> ...
> So long as security must be implemented with the cooperation of men and women who resent their station in life and their poor prospects for the future, it will be a serious problem. As Bruce Schneier so aptly pointed out (when critiquing the TSA's policy of confiscating bottles of liquid) - "There's no penalty for failure." In other words, so long as the consequences of lackadaisical behavior are borne by anonymous stockholders instead of the perpetrators, we lose.

It's not confined to lower level positions in my experience, this kind of failure. I point out problems to my bosses as I see them and try to be as clear and convincing as I'm able, but at the end of the day I can do nothing more than let them know and hope some external factor prods them to remember and act on my advice some day. The company has a security policy document and a way to report problems farther up the management hierarchy but having read it I'm not convinced it can protect me from retribution or hard feelings over bypassing local authority. Nor do I have any reason to believe the institution as a whole or the top brass would respond any better (on the contrary...) or to believe their security policy is anything more than a ticked off checklist item among current management practices companies are expected to have in place before going public. I can try to do my best not to write insecure code and to fix local security bugs when I see them, but issues requiring management buy-in and coordination are out of my hands.

-- Mike Small sma...@panix.com
Re: [Discuss] Most common (or Most important) privacy leaks
On 2/18/2015 2:01 PM, Doug wrote:

> The first three were set with a length of 4 and made pronounceable. The latter three are 19 characters long. I recall an article that said quite specifically that length was more important than choosing diverse characters.

The article you recall probably based its assertion on brute force attacks. Mathematically, a brute force attack against 9 characters will take longer than it would against 8 characters but that's a very narrow-minded approach. There are other ways to attack passwords like known plaintext, dictionaries, rainbow tables and differential cryptanalysis. Any rule that you enforce to make one kind of attack more difficult will make another kind of attack less difficult.

> Most companies don't have anyone that knows cryptography. If you do have such a person, it is hard to understand them. I suspect lastpass is full of such people who are every bit as paranoid as readers of this group.

Which means nothing in the face of the LastPass terms of service.

-- Rich P.
Re: [Discuss] Most common (or Most important) privacy leaks
On 02/18/2015 02:35 PM, Richard Pieri wrote:

> The article you recall probably based its assertion on brute force attacks. Mathematically, a brute force attack against 9 characters will take longer than it would against 8 characters but that's a very narrow-minded approach. There are other ways to attack passwords like known plaintext, dictionaries, rainbow tables and differential cryptanalysis.

Passwords are different from encryption keys. Completely different.

A password is something you whisper through the little opening in the door of the speakeasy. After a couple failed attempts the guy on the other side will lose patience and tell you to get lost. (Maybe send out a heavy to make it more clear.) Okay, maybe you don't whisper the password through a door, maybe you send it off to some computerized doorkeeper that gets to consider whether it be good or not, gets to delay before answering, gets to count the number of failed attempts. But it is the same idea.

A 4-digit PIN is a GREAT password--if the number of failed attempts is limited. (ATM cards are the prime example here. They do not get brute forced, even at only 4-digits. 4-digit PINs make great passwords for ATMs, really!)

A 4-digit PIN is a TERRIBLE encryption key--if you are up against more than an 8-year-old. Encrypted data can be duplicated across hundreds of CPUs or worse, and billions of attempts can be made in a second against your key, for cheap. Very different from the password.

The two are very different.

I don't trust the systems I log into, they might be cracked or be crooked, so I don't recycle passwords. I also don't trust that they rate-limit guesses very well (Apple?), so I generate passwords that have more than 4-digits worth of entropy, but I don't get carried away (I tend to a minimum of 32-bits of entropy but not much more). I also don't trust that j-random-site is not silently truncating my password, so I frequently put a few randomly chosen hex characters at the beginning.

But then I keep my passwords secret and quit worrying. Passwords don't have to be *that* strong.

But that is for passwords. For encryption keys, one has to go further, possibly to extremes, but only for encryption keys. They are different. I try to keep the number of encryption keys I deal with to a minimum, because good ones are too hard to type without error. That's one of the reasons I don't do ssh keys, it requires I encrypt my keys; doing that crappily kind of defeats the whole thing and doing that well is hard. Passwords are much easier to remember and type.

-kb, the Kent who has no reason for why he should trust Lastpass with anything of importance at all.
Re: [Discuss] Most common (or Most important) privacy leaks
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Kent Borg

> Passwords are different from encryption keys. Completely different.

They are not completely different. They have some characteristics that are the same, and some that are different. They are both secrets, but a password is assumed to be stored in a human brain and assumed to contain limited entropy, while an encryption key is assumed to be sufficiently long and randomly generated, and assumed to be stored on some sort of digital media. As a result of these characteristic differences, each one is suitable for different purposes, and has different best practices - such as rate limiting guesses.
Re: [Discuss] Most common (or Most important) privacy leaks
The examples I provided used lower letters, upper letters, and digits. The differences are:

  62^8  = 2.2 * 10^14
  62^9  = 1.3 * 10^16
  62^19 = 1.1 * 10^34

The extra 10 digits get me 18 orders of magnitude. Entropy increases more efficiently with the length, as xkcd explains: http://xkcd.com/936/

On Wed, Feb 18, 2015 at 2:35 PM, Richard Pieri richard.pi...@gmail.com wrote:

> On 2/18/2015 2:01 PM, Doug wrote:
>
>> The first three were set with a length of 4 and made pronounceable. The latter three are 19 characters long. I recall an article that said quite specifically that length was more important than choosing diverse characters.
>
> The article you recall probably based its assertion on brute force attacks. Mathematically, a brute force attack against 9 characters will take longer than it would against 8 characters but that's a very narrow-minded approach. There are other ways to attack passwords like known plaintext, dictionaries, rainbow tables and differential cryptanalysis. Any rule that you enforce to make one kind of attack more difficult will make another kind of attack less difficult.
>
>> Most companies don't have anyone that knows cryptography. If you do have such a person, it is hard to understand them. I suspect lastpass is full of such people who are every bit as paranoid as readers of this group.
>
> Which means nothing in the face of the LastPass terms of service.
>
> -- Rich P.
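Doug's 62^n figures and Kent's point about rate-limited verifiers are two sides of the same arithmetic. This added example (not code from the thread) computes search-space size, entropy in bits, and worst-case guessing time under two assumed attacker models: an online attacker allowed three guesses per 24-hour lockout, and an offline attacker holding the hash at a billion guesses per second; both parameters are constructed for illustration.

```python
"""Guessing-cost arithmetic for the password-vs-encryption-key discussion.

Added example: the alphabet/length figures are the ones quoted in the thread
(62-character alphabet at lengths 8, 9 and 19; a 4-digit PIN; ~32 bits of
entropy). The attacker parameters below are constructed assumptions.
"""
import math

SECONDS_PER_YEAR = 365 * 86400

# Assumed attacker models (constructed, not measured).
ONLINE_TRIES_PER_WINDOW = 3        # guesses allowed before the verifier locks out
ONLINE_WINDOW_SECONDS = 86400      # length of the lockout, in seconds
OFFLINE_GUESSES_PER_SECOND = 1e9   # attacker who holds the hash or ciphertext


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive attacker must consider."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy for a secret chosen uniformly from `space` candidates."""
    return math.log2(space)


def orders_of_magnitude(smaller: int, larger: int) -> float:
    """Powers of ten separating two search spaces (Doug's '18 orders')."""
    return math.log10(larger) - math.log10(smaller)


def offline_seconds(space: int,
                    guesses_per_second: float = OFFLINE_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the space when nothing limits the guess rate."""
    return space / guesses_per_second


def online_seconds(space: int,
                   tries_per_window: int = ONLINE_TRIES_PER_WINDOW,
                   window_seconds: float = ONLINE_WINDOW_SECONDS) -> float:
    """Worst-case time to exhaust the space against a verifier that allows only
    `tries_per_window` guesses and then locks out for `window_seconds`.
    The lockout, not the size of the secret, dominates the cost."""
    windows = math.ceil(space / tries_per_window)
    return windows * window_seconds


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def compare(label: str, space: int) -> dict:
    """Summarise one secret under both attacker models."""
    return {
        "label": label,
        "bits": entropy_bits(space),
        "online_years": years(online_seconds(space)),
        "offline_years": years(offline_seconds(space)),
    }


if __name__ == "__main__":
    cases = [
        ("4-digit PIN", search_space(10, 4)),
        ("32 bits of entropy", 2 ** 32),
        ("62-char alphabet, length 8", search_space(62, 8)),
        ("62-char alphabet, length 9", search_space(62, 9)),
        ("62-char alphabet, length 19", search_space(62, 19)),
    ]
    print(f"{'secret':30} {'bits':>7} {'online (years)':>16} {'offline (years)':>16}")
    for label, space in cases:
        r = compare(label, space)
        print(f"{r['label']:30} {r['bits']:7.1f} "
              f"{r['online_years']:16.3g} {r['offline_years']:16.3g}")
    print(f"\n62^19 / 62^9 spans {orders_of_magnitude(62 ** 9, 62 ** 19):.1f} "
          "orders of magnitude")
```

The table makes Kent's distinction concrete: a 4-digit PIN survives for years behind the assumed lockout but falls in microseconds offline, while only the long secrets survive the offline attacker.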
Re: [Discuss] Most common (or Most important) privacy leaks
On Wed, Feb 18, 2015 at 4:15 AM, Richard Pieri richard.pi...@gmail.com wrote:

> So. Someone replied directly to me instead of the list suggesting that character length is an important factor in password security. Letter count is a pointless factor in password security. "Four score and seven years ago" is 30 characters and still trivially vulnerable to dictionary attacks. "We hold these truths to be self-evident" is 40 characters and it is just as weak as the first example.
>
> Password reform starts with abandoning password rules and policies. Rules and policies are bad. Every policy that you enforce makes it easier for attackers to analyze passwords. If you have a policy that enforces a 15 character minimum then an attacker knows to ignore everything that is 14 or fewer characters, and given human nature he can ignore everything over about 20 characters for most passwords. If you have a policy that enforces the use of at least one number then an attacker has 9 known possible plaintexts in every password. At least one capital letter is 26 known possible plaintexts. And so forth.

The problem with this is that if you don't enforce a minimum length on passwords a significant number of your users will use something that is probably less than 6 characters long. Of course, many of those would fall to a dictionary attack as well. And the same users are going to use "Four score" if you require longer passwords, so you lose anyway.

Bill Bogstad
Re: [Discuss] Most common (or Most important) privacy leaks
On Feb 17, 2015, at 10:15 PM, Richard Pieri richard.pi...@gmail.com wrote:

> So. Someone replied directly to me instead of the list suggesting that character length is an important factor in password security. Letter count is a pointless factor in password security. "Four score and seven years ago" is 30 characters and still trivially vulnerable to dictionary attacks. "We hold these truths to be self-evident" is 40 characters and it is just as weak as the first example.
>
> Password reform starts with abandoning password rules and policies. Rules and policies are bad. Every policy that you enforce makes it easier for attackers to analyze passwords. If you have a policy that enforces a 15 character minimum then an attacker knows to ignore everything that is 14 or fewer characters, and given human nature he can ignore everything over about 20 characters for most passwords. If you have a policy that enforces the use of at least one number then an attacker has 9 known possible plaintexts in every password. At least one capital letter is 26 known possible plaintexts. And so forth.
>
> LastPass was suggested as an enterprise solution. By Ghu, where do I start with this. Relying on a third party that has no obligation to maintain the integrity of your keys? Relying on a third party that has crafted its terms of service such that you have no recourse if they screw up or an attacker compromises their system and exposes your entire business to the world? And this is being floated as an enterprise solution? 'Nuff said.

Well said!

- Eric C
Re: [Discuss] Most common (or Most important) privacy leaks
You can lead a (pick the animal) to water but you can't make 'em drink. That's how I feel about LastPass, which suffers from two gigantic human flaws:

1) Non-sophisticated users can and will forget the master password -- in short order -- regardless of how much you warn them that there's no escrow key, no forgot-password recovery link.

2) By centralizing all your passwords on a service that's got 90%+ of market-share, even a sophisticated user is vulnerable to coercion. A violent thug need only notice a Bank of America statement in your postal mail before sitting you down in front of a laptop, gun in your face, demanding your bank credentials and hence your LastPass master key. LastPass provides no tools for plausible-deniability of the existence of secondary access codes, so chances are that most of us facing a (hopefully-rare) extortion situation would be giving up the online keys to every single one of our assets at once.

I haven't figured out how to solve #1 for my friends/family, and I think #2 is worth solving as cyber-crime increases over the next decade.

-rich
Re: [Discuss] Most common (or Most important) privacy leaks
On Wed, Feb 18, 2015 at 6:21 PM, Rich Braun ri...@pioneer.ci.net wrote:

> market-share, even a sophisticated user is vulnerable to coercion. A violent thug need only notice a Bank of America statement in your postal mail before sitting you down in front of a laptop, gun in your face, demanding your bank credentials and hence your LastPass master key.

If your standard for security is "must resist violent thug with gun", then you need to not do any online banking. Or own any...well...anything. Best of luck with that!
Re: [Discuss] Most common (or Most important) privacy leaks
On Tue, Feb 17, 2015, at 08:42 AM, Edward Ned Harvey (blu) wrote:

> I see a lot of people and businesses out there, that just don't care about their own privacy. They email passwords to each other, W2's with salary and social security information, photocopies of drivers' licenses and passports to be used by HR to complete I-9 forms... As an IT person advising a business to be more responsible, what areas do you advocate securing most urgently? IT admin credentials? HR records? Financial records? Other stuff? Simply everything, bar none? Email is obviously a huge area of insecure information sharing. Do you also see a lot of people storing information that should be secured in other non-private services like Dropbox, Google Drive, Box, etc?

Training is pretty important and if you handle personally identifiable information, then your organization would fall under MA 201 CMR 17.00 if you are in Massachusetts. Part of the regulation is that you have a written security policy and in doing so it'll force you to do the due diligence to track where PII is in your organization and document it. You'd also find yourself having to deliver annual PII handling training to your organization, which usually consists of password security, clean desk / clean screen, how to handle sensitive data, etc.

One of the important things in an organization is to make it so IT is a valued business partner, so that when the business wants to figure out how to do something (like transmit social security numbers) that they would come to you to help find a solution, rather than signing up for a Dropbox account.

Then there's the other stuff you can do from an IT perspective: have 2FA, implement Single Sign On so people don't have a bunch of accounts to maintain and so you can cut just one account to eliminate access to everything, password security minimums, etc.

-- Ryan Pugatch r...@lp0.org Boston, MA
on the web: www.ryanp.com (homepage) www.lp0.org (blog)
Re: [Discuss] Most common (or Most important) privacy leaks
Please, flippant answers like that aren't helpful. TrueCrypt gave serious thought and ambitious design to this particular threat. Not everyone is safe and secure against physical threats. By a long shot. I've had three incidents in my own life since September that I'd rather not discuss here. But do NOT dismiss me lightly.

Thank you

Pissedly yours--
-rich

Sent from my iPhone

On Feb 18, 2015, at 15:39, Gordon Marx gcm...@gmail.com wrote:

> On Wed, Feb 18, 2015 at 6:21 PM, Rich Braun ri...@pioneer.ci.net wrote:
>
>> market-share, even a sophisticated user is vulnerable to coercion. A violent thug need only notice a Bank of America statement in your postal mail before sitting you down in front of a laptop, gun in your face, demanding your bank credentials and hence your LastPass master key.
>
> If your standard for security is "must resist violent thug with gun", then you need to not do any online banking. Or own any...well...anything. Best of luck with that!
Re: [Discuss] Most common (or Most important) privacy leaks
On 2/18/2015 3:28 PM, Edward Ned Harvey (blu) wrote:

> They are both secrets, but a password is assumed to be stored in a human brain and assumed to contain limited entropy, while an

There's a flaw with this reasoning: a typical password is stored in at least two places. The first is the human user's brain (or brain assistance device like a piece of paper). The second is on a computer somewhere behind the authentication system. It is in the second place that distinctions between passwords and keys start to fall apart. It is in the second place where password policies are flawed designs.

Simple example: how are Unix and Linux passwords stored? Used to be a password was encrypted with DES using the password itself as the key and the first two characters of the login name as the salt. Eventually DES was replaced with 3DES then MD5 and other secure hash algorithms. Regardless of the cipher or hash the password is the key for itself. This is fundamental to how traditional password authentication works (assuming that passwords aren't left in cleartext).

In principle there is no reason why a Unix or web site password must be stored in a human brain (or assistance device). In principle there is no reason why it must have limited entropy. In principle there is no reason why these passwords cannot be long strings of randomly generated bits.

Forget the perceived dichotomy between passwords and keys. Implement a robust, verifiable key chain system that uses long, random bit strings of arbitrary length for authentication. Move the security of this system into the physical world because while humans are terrible at digital security we are good with physical security.

-- Rich P.
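Rich's point that the stored side of a password is "the key for itself" is where salting and iteration matter, and it also connects to the rainbow tables he mentioned earlier. This added example (not code from the thread) shows a salted, iterated PBKDF2 credential store in Python: two users with the same password get different records, so a table precomputed for one salt says nothing about the other, and verification compares in constant time. The record format, iteration count and user names are constructed for illustration; the salt is drawn randomly per user, as modern implementations do.

```python
"""Salted, iterated password storage: the stored record is derived from the
password, but a per-user random salt and a work factor stand between an
attacker holding the table and a usable precomputed lookup.

Added example (not from the thread). Record format, iteration count and
user names are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumed policy value; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).
    A fresh random salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    return algorithm, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iteration count and
    compare in constant time, so a wrong guess leaks nothing through timing."""
    algorithm, iterations, salt, stored = parse_record(record)
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a stored record predates the current iteration policy; check
    this after a successful login, while the plaintext is still in hand."""
    _, iterations, _, _ = parse_record(record)
    return iterations < minimum_iterations


class UserStore:
    """Minimal in-memory credential table (constructed for the demo)."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hash_password(password)
            return False
        ok = verify_password(password, record)
        if ok and needs_rehash(record):
            self._records[username] = hash_password(password)
        return ok

    def record_for(self, username: str) -> str:
        return self._records[username]


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")   # same password, different salt
    print(store.record_for("alice"))
    print(store.record_for("bob"))
    print("alice login:", store.login("alice", "correct horse battery staple"))
    print("bob wrong  :", store.login("bob", "Correct horse battery staple"))
    # Rich's observation in practice: nothing stops the secret from being random bits.
    token = secrets.token_urlsafe(32)
    store.register("svc-backup", token)
    print("service login:", store.login("svc-backup", token))
```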
Re: [Discuss] Most common (or Most important) privacy leaks
So. Someone replied directly to me instead of the list suggesting that character length is an important factor in password security. Letter count is a pointless factor in password security. "Four score and seven years ago" is 30 characters and still trivially vulnerable to dictionary attacks. "We hold these truths to be self-evident" is 40 characters and it is just as weak as the first example.

Password reform starts with abandoning password rules and policies. Rules and policies are bad. Every policy that you enforce makes it easier for attackers to analyze passwords. If you have a policy that enforces a 15 character minimum then an attacker knows to ignore everything that is 14 or fewer characters, and given human nature he can ignore everything over about 20 characters for most passwords. If you have a policy that enforces the use of at least one number then an attacker has 9 known possible plaintexts in every password. At least one capital letter is 26 known possible plaintexts. And so forth.

LastPass was suggested as an enterprise solution. By Ghu, where do I start with this. Relying on a third party that has no obligation to maintain the integrity of your keys? Relying on a third party that has crafted its terms of service such that you have no recourse if they screw up or an attacker compromises their system and exposes your entire business to the world? And this is being floated as an enterprise solution? 'Nuff said.

-- Rich P.
Re: [Discuss] Most common (or Most important) privacy leaks
From: Kent Borg [mailto:kentb...@borg.org]
> An only half facetious suggestion: write passwords down, but ONLY on $100 bills. Now guard them accordingly.

LOL, I like it. Ironically, however, a tightly held $100 bill is worth precisely $0, because if you'll never spend it, then it's just fancy paper.

> if you can get an organization to use passwords securely, you will have solved a large part of the problem.

Agreed - however - in my experience, there is a high correlation between the use of bad passwords, and the use of insecure systems. The people who choose bad passwords are the same ones who email it to other people, or stick their ssh keys in dropbox.
Re: [Discuss] Most common (or Most important) privacy leaks
On 02/17/2015 08:42 AM, Edward Ned Harvey (blu) wrote:
> As an IT person advising a business to be more responsible, what areas do you advocate securing most urgently? IT admin credentials? HR records? Financial records? Other stuff? Simply everything, bar none?

I would lower the priority of worrying about risky e-mails with sensitive information in them. I think a higher priority would be the really big hole: insecure passwords. Insecure because they are:

- Poorly chosen (12345678, password)--and passwords can't just feel random, they need components that actually are random;
- Reused across different purposes;
- Given to third parties to manage;
- Typed in wrong places (in response to a phishing e-mail);
- Typed on machines that have spyware running on them.

Note that I don't worry about regularly changing passwords or writing them down. I also don't worry about whether they contain a special character. For example, b3ea-griffin-tempo-opera is a great password with at least 48 bits of entropy, pretty easy to remember and type. (Like it? I've got at least 281,474,976,710,655 more.) Yet people mistakenly think it is a bad password. Grrr.

An only half facetious suggestion: write passwords down, but ONLY on $100 bills. Now guard them accordingly.

It would be a large and ongoing education effort, requiring high-level buy-in and major cultural change, but if you can get an organization to use passwords securely, you will have solved a large part of the problem. If you can get an organization to really reform, if you can get users to really think through passwords--then you have accomplished a LOT! Congratulate them for being elite (because no one does passwords well--just ask Central Command), and then you can move on to other things. (Including that an encryption key is very different from a password and needs to be created with special care.)

Doing passwords right is not exactly low-hanging fruit, but it is key to everything else. Do passwords wrong and everything else is always breaking because of the bad passwords.

-kb
Re: [Discuss] Most common (or Most important) privacy leaks
On 02/17/2015 12:25 PM, Edward Ned Harvey (blu) wrote:
> Agreed - however - in my experience, there is a high correlation between the use of bad passwords, and the use of insecure systems. The people who choose bad passwords are the same ones who email it to other people, or stick their ssh keys in dropbox.

I think the only way to fix the password problem is to get people to discard security theater and think and understand and be disciplined. But if you can fix the password problem, I think the next problems ~start~ to fix themselves. But I don't know, because everyone does passwords wrong.

-kb
Re: [Discuss] Most common (or Most important) privacy leaks
On 02/17/2015 12:51 PM, Kent Borg wrote:
> I think the only way to fix the password problem is to get people to discard security theater and think and understand and be disciplined. But if you can fix the password problem, I think the next problems ~start~ to fix themselves. But I don't know, because everyone does passwords wrong.

Most of the people I want to think and understand are actually the people running systems that need passwords and coming up with obnoxious requirements for passwords that essentially force you to write everything down. You can make people choose good passwords, but you can't make them have good habits.

The only way to solve the password problem is to do away with them. There are all manner of physical tokens that can be used (SecurID, SmartCards, etc.) in conjunction with a something-you-know/PIN that can actually be memorized. Apparently this isn't so far-fetched. Banks in Germany (and now some in the US) give their customers SecurID tokens to use for login and ACH transfers.

I would love it if there were a way to marry OpenID with SmartCards/certificates... (maybe there is, I haven't paid much attention to OpenID in a while)

Matt
Re: [Discuss] Most common (or Most important) privacy leaks
On 02/17/2015 01:29 PM, Matthew Gillen wrote:
> Most of the people I want to think and understand are actually the people running systems that need passwords and coming up with obnoxious requirements for passwords that essentially force you to write everything down.

But writing down passwords is good. The old dogma to never write down a password is obsolete. It applied when we only had one password and were worried about the guy at the next desk. These days we have scores of passwords and the guy at the next desk is the least of our worries. Yes, writing down passwords does make the loss of the paper with the passwords a worry, so take some precautions:

- Have a backup copy in another location.
- Obfuscate your written passwords in a simple way that you know how to decode, but so the paper isn't immediately useful to a finder.
- Be careful, keep it close, don't lose it.

> The only way to solve the password problem is to do away with them.

I like the mangling of the Churchill quote: Passwords are the worst form of authentication we have except for all the others. You are right about passwords being a problem, but wrong on the solution. All of the proposed alternatives to passwords look worse to me.

> There are all manner of physical tokens that can be used (SecurID, SmartCards, etc)

Secure ID isn't. A few years ago every single token out there had to be replaced because RSA Security in Bedford is incompetent and the seeds for every token they had shipped were all stolen. Also, tokens don't scale; I have many passwords, how many clattering tokens am I supposed to be carrying around everywhere I go? Some (RSA these days) want us to use our smartphones as tokens. Oh wonderful: thieves would never think to steal a smartphone, nor break into it remotely with malware.

> in conjunction with a something you know/PIN that can actually be memorized.

So a single PIN I use everywhere again? Or am I memorizing dozens of PINs? Or maybe one token and a central login service for everything: but now we have a single point of failure. Know a secret question? Steal the phone that Google uses as backup verification? (Or just steal--port--the phone number without stealing the phone?) Broken.

Fingerprints? Very stealable. And for the ruthless, even fingers can be stolen.

Retina scans? Okay, but how big a security perimeter are you defending? Every scanner is secure? No one can steal the data and just supply the data instead of the retina? How many different organizations need to be installing scanners? And they all have your retina data? Sounds like reusing a single password to me.

I have heard of many grand solutions, all of which aren't as good as passwords.

-kb
Re: [Discuss] Most common (or Most important) privacy leaks
Passwords have serious problems, but they are a bit like the problems with one-time pads: cumbersome but otherwise perfect. There is never going to be a generalized crack of the password system. Even with some fancy Quantum Cryptography, passwords are not about to suffer a catastrophic failure. Flawed as they are in use, passwords are a solid tool in principle.

All the alternatives do risk major to gigantic failures. Didn't South Korea issue everyone a smartcard, universal, to be used for everything? And then we find out they used a crappy random number generator. All the alternative systems are complicated and brittle. Passwords are simple. Distributed. Robust.

Our use of passwords, on the other hand, is terrible. But all the alternatives to passwords are worse, so let's start educating everyone. Including discarding ages-old dogma that is wrong: Writing down passwords is good.

-kb
Re: [Discuss] Most common (or Most important) privacy leaks
From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Kent Borg
> Writing down passwords is good.

Well, writing down passwords for a little while until you memorize it is good. Writing it down and keeping it around changes it from something you know, to something you have. You might as well write down a 256-bit random key, if you're not going to memorize it.

Generate random words and memorize them. Maximizes strength and memorizability. Only takes 11 words to have cryptographic strength of 121. Everybody is capable of memorizing eleven words.
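Added example, not code from Ned's or Kent's posts: the arithmetic behind "11 words gives 121 bits" (a 2048-word list is exactly 11 bits per word) and behind Kent's b3ea-griffin-tempo-opera (four hex characters, 16 bits, plus three words, 49 bits, which is his "at least 48"; 2^48 - 1 is exactly his 281,474,976,710,655 alternatives), with a generator that draws words from a CSPRNG. The tiny DEMO_WORDS list and the "-" separator are constructed assumptions; a real generator would load a full list.

```python
import math
import secrets
from typing import List

# Constructed stand-in for a real word list. A Diceware-style list of 2048 words
# gives exactly 11 bits per word; only the list size matters for the entropy
# arithmetic, the eight demo words just let the generator run offline.
LIST_SIZE = 2048
DEMO_WORDS = ["griffin", "tempo", "opera", "anchor", "basket", "candle", "delta", "ember"]


def entropy_bits(num_words: int, list_size: int = LIST_SIZE, extra_hex_chars: int = 0) -> float:
    """Entropy of `num_words` uniformly chosen words plus an optional random
    hex prefix (4 bits per hex character). Separators add nothing."""
    return num_words * math.log2(list_size) + 4 * extra_hex_chars


def words_needed(target_bits: float, list_size: int = LIST_SIZE) -> int:
    """Fewest words from a list of `list_size` that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate(num_words: int, words: List[str] = DEMO_WORDS,
             hex_prefix_chars: int = 0, sep: str = "-") -> str:
    """Random passphrase: an optional hex chunk, then words drawn with `secrets`
    (a CSPRNG). Each pick is independent and uniform, so entropy_bits() applies
    with list_size=len(words); with DEMO_WORDS that is only 3 bits per word."""
    parts = []
    if hex_prefix_chars:
        parts.append("".join(secrets.choice("0123456789abcdef")
                             for _ in range(hex_prefix_chars)))
    parts.extend(secrets.choice(words) for _ in range(num_words))
    return sep.join(parts)
```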
Re: [Discuss] Most common (or Most important) privacy leaks
On 02/17/2015 04:05 PM, Edward Ned Harvey (blu) wrote:
> All the talk about solving the password problem is interesting - but not related to the original question - What is the most common, or most important, area that you actually see people communicating insecurely, that should be secured? Email has got to be #1, and I'm guessing Dropbox/Box/Google Drive #2. Is that it? Or is there more?

Phone? How much personal and medical information (or passwords for that matter) is transmitted that way? Doctor's offices still have to use fax machines, don't they? Voice phone is hard to secure unless you're doing VOIP over TLS, but even then unless you're doing end-to-end VOIP on a closed system there's usually a few hops where it is in the clear.

Matt
Re: [Discuss] Most common (or Most important) privacy leaks
All the talk about solving the password problem is interesting - but not related to the original question - What is the most common, or most important, area that you actually see people communicating insecurely, that should be secured? Email has got to be #1, and I'm guessing Dropbox/Box/Google Drive #2. Is that it? Or is there more?
Re: [Discuss] Most common (or Most important) privacy leaks
On 02/17/2015 04:03 PM, Edward Ned Harvey (blu) wrote:
> Well, writing down passwords for a little while until you memorize it is good. Writing it down and keeping it around changes it from something you know, to something you have. You might as well write down a 256-bit random key, if you're not going to memorize it.

Except a 256-bit random key is very difficult to type. Real words are much easier to type. I have many of my passwords memorized, but it isn't a fixed set. My memory is more of a cache. When I don't use a password for a while, I will refer to my list; when I have been using it, I can type it by memory.

> Only takes 11 words to have cryptographic strength of 121. Everybody is capable of memorizing eleven words.

Harder than you make it sound. I have done it. It is easy to curve-fit a concept through three or four random words, but it gets a lot harder after that. It gets easy to start substituting a synonym or different form for one of the words. Also, when typing blind (i.e., no echo) it is easy to make a mistake and not know where in the sequence you made it. I have a quality encryption key that I type regularly, but not every day, and it is surprisingly hard to do. There is an optimal level of rest and caffeination that I don't quite know.

And speaking of encryption keys, don't confuse passwords with encryption keys. A password is something you check against some oracle that can throttle the rate of its answers. That is why an ATM PIN of only 4 digits can offer good security. But an encryption key of 4 digits is worthless for anyone who is willing to work at it. Worthless as an encryption key but good as a password. The two are very different. Don't confuse them.

-kb
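Added example, not from Kent's post: the oracle asymmetry he describes, in code. A throttled online verifier answers only a handful of guesses before locking out, so a 4-digit PIN behind it is rarely guessed, while an offline copy of a hash (or a key) answers every one of the 10,000 candidates; the three-failure lockout, the PIN value and the SHA-256 stand-in for "whatever the offline check is" are constructed assumptions.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional


class ThrottledPinOracle:
    """Constructed online verifier: answers a guess with True/False, but after
    MAX_FAILURES wrong guesses it locks and returns None (no answer at all,
    not even for the right PIN). The oracle, not the PIN length, bounds trials."""
    MAX_FAILURES = 3

    def __init__(self, pin: str) -> None:
        self._pin = pin.encode()
        self.failures = 0
        self.locked = False

    def check(self, guess: str) -> Optional[bool]:
        if self.locked:
            return None
        if hmac.compare_digest(self._pin, guess.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


def offline_checker(pin: str) -> Callable[[str], bool]:
    """What a holder of the stored digest gets: a check nobody can throttle.
    (SHA-256 is a stand-in; any unthrottled local test behaves the same way.)"""
    digest = hashlib.sha256(pin.encode()).digest()
    return lambda guess: hmac.compare_digest(hashlib.sha256(guess.encode()).digest(), digest)


def answers_obtained(check: Callable[[str], Optional[bool]], candidates: Iterable[str]) -> int:
    """How many candidate guesses receive a definite True/False answer."""
    return sum(1 for c in candidates if check(c) is not None)


def online_success_probability(keyspace: int, attempts: int) -> float:
    """Best case for a guesser who gets `attempts` answers from the oracle."""
    return min(attempts, keyspace) / keyspace


FOUR_DIGIT_PINS = [f"{i:04d}" for i in range(10_000)]  # the whole 4-digit space
```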
Re: [Discuss] Most common (or Most important) privacy leaks
On 2/17/2015 4:05 PM, Edward Ned Harvey (blu) wrote:
> What is the most common, or most important, area that you actually see people communicating insecurely, that should be secured? Email has got to be #1, and I'm guessing Dropbox/Box/Google Drive #2. Is that it? Or is there more?

Given the embarrassment suffered by Sony Pictures and employees of Sony Pictures as a result of the recent network compromise there? Literally everything.

-- Rich P.