On Tuesday, January 23, 2007 4:57 PM [GMT+1=CET],
Dan Lewis <[EMAIL PROTECTED]> wrote:
Comments inline.
On Tuesday 23 January 2007 9:03 am, James Knott wrote:
TerryJ wrote:
Getting off topic, I've belatedly woken up to a major hole in the
"security" about which I'd been smug.
On the Linux OSs I've used, you need a password by default to log
in. You can drive a truck through that with a live cd. The one
I've got lets you log in as administrator (Linux = root) and
have your evil way with anything and everything on the hard
drive.
Please specify the live CD that you used to do this. I have a
live CD of one distribution that will not even recognize the Linux
partition on the computer at all, and the partition is the same
distribution as the live CD.
Security involves physical security. If someone has physical
access, they can do almost anything they want.
I'd use top quality software to encrypt a file with some
confidence but OpenOffice is not in that category. The password
might be secure (although there's a password cracker on
www.ooomacros.org) but the encrypting can, it seems, go awry.
Please explain what you mean by the encryption going awry. On
what basis have you decided that OOo is not in the category of a top
quality encryption?
I am skeptical of your claims because I do not know what your
background is. These claims may be true or they might not be. But
without corroboration by others, there is no way to tell.
Dan
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
The password cracker macro announces itself as a dictionary attack. It comes
with these *five* passwords in its (text file) dictionary:
password
Password
PASSWORD
pass word
p4$$ w0rd!
In addition it points the user at a web site (www.openwall.com) which the
author says is a good source of dictionary files. The site has free
wordlists and also sells a CD with those lists plus a single wordlist,
implemented as a text file, claimed to have over 40 million entries, many of
which have been generated by taking ordinary words and applying "word
mangling" rules to them (capitalisation, numbers instead of letters [number
1 instead of letter l for example] etc.). Seems to me you'd need to pick
quite a good password to beat that. I assume it has "passphrases" as well.
Any decent encryption scheme will allow and use pass phrases of virtually
unlimited length (unlike some half baked systems which let you choose/enter
long passwords but only really use the first 8 or 10 characters).
If the macro does 100 tries per second, 40 million tries takes about 4.63
days; 10,000 tries per second brings that down to a little more than an
hour. Of course, "on average" if the thing succeeds at all it'll succeed
after half that time.
The only real way to defeat a dictionary attack is to destroy the encrypted
document after <x> failures (x = 3, 5 ?) and hope the attack isn't lucky
within that <x>. One can also delay things considerably by saying "after <x>
failed attempts you can't try again for <n> minutes".
The algorithm used to perform the encryption is actually irrelevant. The
only things that matter are the quality of the password and the quality of
the dictionary. More complex algorithms mean each guess (and therefore the
total attack) takes longer but, against a really good dictionary, offer no
more protection than XOR. No that does *not* mean that XOR is as good as
Blowfish. It means XOR is no less susceptible to a dictionary attack than
Blowfish. Blowfish is *much* better against other forms of attack.
Harold Fuchs
London, England
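The dictionary attack, the "word mangling" rules and the time arithmetic discussed in the message above, as an added worked example. This is not code from the thread, from the ooomacros.org macro or from OpenOffice: the five-word base list is a constructed copy of the one described in the post, and the password check is a hypothetical PBKDF2-HMAC-SHA1 key derivation chosen for illustration (no claim is made about the format OOo actually uses).

```python
import hashlib
import os
import time

# Constructed base list, mirroring the five entries the post describes.
BASE_WORDS = ["password", "Password", "PASSWORD", "pass word", "p4$$ w0rd!"]

# Simple "word mangling" rules: letter-for-digit substitutions and common suffixes.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "!", "1", "123"]


def mangle(word):
    """Yield candidate passwords derived from one base word (case changes,
    leet substitution, suffixes). Duplicates are skipped, order is preserved."""
    seen = set()
    bases = [word, word.lower(), word.capitalize(), word.upper(), word.translate(LEET)]
    for base in bases:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def candidates(words):
    """Expand a whole wordlist through the mangling rules."""
    for word in words:
        yield from mangle(word)


def derive_key(password, salt, iterations):
    # Hypothetical KDF for the example: PBKDF2-HMAC-SHA1 (an assumption, not OOo's format).
    # The iteration count is what makes each guess slower.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=16)


def protect(password, iterations=1000):
    """Produce the verification material an attacker would find in the file:
    a salt, the KDF cost, and the derived check value."""
    salt = os.urandom(8)
    return {"salt": salt, "iterations": iterations,
            "check": derive_key(password, salt, iterations)}


def dictionary_attack(blob, words):
    """Offline attack: try every mangled candidate against the check value.
    Returns (password or None, number of guesses made). Nothing in the file
    can limit the number of attempts; only the list size and KDF cost bound it."""
    guesses = 0
    for candidate in candidates(words):
        guesses += 1
        if derive_key(candidate, blob["salt"], blob["iterations"]) == blob["check"]:
            return candidate, guesses
    return None, guesses


def estimate_seconds(entries, guesses_per_second):
    """Worst-case time to exhaust a list; the expected time is half of this."""
    return entries / guesses_per_second


def measure_rate(blob, n=200):
    """Approximate guesses per second against this blob's KDF cost on this machine."""
    t0 = time.perf_counter()
    for i in range(n):
        derive_key("guess%d" % i, blob["salt"], blob["iterations"])
    return n / (time.perf_counter() - t0)


if __name__ == "__main__":
    blob = protect("p4$$ w0rd!", iterations=1000)
    # "pass word" mangled to "p4$$ w0rd" plus "!" hits the target on the 14th guess.
    print(dictionary_attack(blob, ["pass word"]))
    rate = measure_rate(blob)
    print("%.0f guesses/s -> 40M entries in %.2f days"
          % (rate, estimate_seconds(40_000_000, rate) / 86400))
```

Raising the iteration count in `protect` lowers the measured rate proportionally, which is the post's point about slower algorithms stretching the attack without changing which passwords fall to it; the list expansion shows why "p4$$ w0rd!" is not a better choice than the plain word it was derived from.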