[ale] OT - New encryption technology using a piece of paper

David Tomaschik david at systemoverlord.com
Sat Sep 3 23:18:01 EDT 2011


On 09/03/2011 10:40 PM, Ron Frazier wrote:
> On 9/3/2011 7:25 PM, Michael Trausch wrote:
>> On 09/03/2011 06:01 PM, Ron Frazier wrote:
>>    
>>>   I am
>>> sorry to say that both my bank (which shall remain nameless)
>>>      
>> Please, tell.  I want to know who NOT to go to for an account should I
>> have to hunt in the future.  (Unless it's Chase, which I am already
>> aware of.)
>>
>>    
> I have no intention of enticing you all to hack my bank.  
This statement has blown my mind.  Your use of "you all", to me, implies
"those involved in this conversation".  Are you suggesting that one of
the members on this list would commit a federal crime to either get at
you or just to prove a point?  Has anyone on this list ever said
anything to indicate that they were interested in cracking banks, or any
other black hat/malicious activity?  While there certainly are some on
this list who have an interest in security, I don't think any of them
have given any indication of malicious intent.  It's my hope that
when you said "you all", you were really referring to the fact that this
list is publicly archived, and that is why you would prefer not to
disclose the identity of your bank.
>
>> It follows his usual pattern, unfortunately.  Instead of working to help
>> improve things, he is working to solidify things the way they are.  What
>> makes *me* curious is what sort of motivation does he have for doing so?
>>
>>    
> He's always slamming corporations for storing non hashed passwords, not 
> salting, putting length restrictions on them, etc.  However, he also 
> tries to help users deal with the real world conditions they face.  I'm 
> sure that if the bank or the lab had asked Steve how to set up their 
> systems, I wouldn't have to be dealing with the limits that I do.
>
>> His system creates low entropy passwords, end of story.  Unless you're
>> using 50 characters, it is really not worthwhile to attempt to use a
>> password where the characters come from a pool of only 52 possibilities.
>>
>>    
> Not universally true.  His DEFAULT procedure which he shares has 12 
> upper / lower case characters.  However, it is trivial to add more 
> length, or symbols, or numbers, or all three.  He has a web page that 
> explains how to do that.
>
Yes, but how many "average users" can manage to handle anything beyond
the default?  I rather suspect that even the default would be a stretch
for them.
>> The page requires you to put the password INTO THE SITE?  And people
>> ACTUALLY DO IT?  Please, stop.  You're hurting me.
>>
>>    
> Wrong.  Everything is done by JavaScript on the page.  Nothing is 
> transmitted.  I'm sure that could be confirmed by examining the source 
> code or placing a sniffer on the net.
I hope nobody ever manages to crack his box and insert some malicious
JS.  A little AJAX is all it would take to send the passwords away.  At
least it's served over HTTPS, making a MITM attack a tiny bit harder.
(http://www.thoughtcrime.org/software/sslstrip/)
> <snip>
Ron,

I believe both you and Steve Gibson have good intentions.  And the
advice and tools he offers are certainly better than what the "average
Joe" does without them, so I'm all for it.  I have neither a personal
vendetta nor desire one with either you or Steve Gibson.  However, I am
a big believer in intellectual discourse, and I am convinced that a
well-intentioned (and civil) debate can help all parties learn and
grow.  Finding flaws in security methodologies is a GOOD thing -- if we
don't discuss the shortcomings, you better believe there are people who
will.  And *those* are the people who want to crack your bank.

-- 
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
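The thread argues over whether a 12-character password drawn only from upper- and lower-case letters (a pool of 52) is "low entropy", and whether adding length, digits or symbols fixes that. The following Python is an added example written for this archive page, not code from anyone in the thread and not Steve Gibson's tool; it computes the bits of entropy for a given length and pool size, the length needed to reach a target, and a rough crack time at an assumed guess rate. The pool sizes (52, 62, 94) and the guess rates are constructed inputs for illustration, and the model assumes every character is chosen uniformly and independently, which is an upper bound for any scheme that derives characters from something else.

```python
import math

# Constructed character pools for the comparison; the first is the
# "default" 52-letter pool the thread discusses.
POOLS = {
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "upper+lower+digits+symbols": 94,  # printable ASCII minus space
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy in bits of a password of `length` symbols chosen uniformly and
    independently from `pool_size` symbols: length * log2(pool_size).
    This is an upper bound; any structure in how characters are produced
    can only lower it."""
    if length < 1 or pool_size < 2:
        raise ValueError("need length >= 1 and pool_size >= 2")
    return length * math.log2(pool_size)


def length_for_bits(target_bits: float, pool_size: int) -> int:
    """Smallest length whose uniform entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def expected_guesses(bits: float) -> float:
    """An exhaustive attacker finds the password after half the space on average."""
    return 2 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker making `guesses_per_second` guesses.
    The rate is an assumption supplied by the caller: online guessing
    against a rate-limited site is orders of magnitude slower than offline
    guessing against a leaked unsalted hash."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(length: int, guesses_per_second: float):
    """Return (pool name, bits, years) for each pool at the given length."""
    rows = []
    for name, size in POOLS.items():
        bits = entropy_bits(length, size)
        rows.append((name, round(bits, 1), years_to_crack(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # Constructed guess rates: an assumed offline rate against a fast unsalted
    # hash, and an assumed throttled online rate.
    for label, rate in (("offline 1e10/s", 1e10), ("online 10/s", 10.0)):
        print(f"--- 12 characters, {label} ---")
        for name, bits, years in compare(12, rate):
            print(f"{name:28s} {bits:6.1f} bits  ~{years:.3g} years")
    print("length of 52-letter password matching 94-symbol x 12:",
          length_for_bits(entropy_bits(12, 94), 52))
```

The point the numbers make is that length dominates: going from 52 to 94 symbols at 12 characters adds about 10 bits, while each extra character from the 52-letter pool adds about 5.7 bits, so a few more letters buy as much as a full symbol set. Whether either is "enough" depends entirely on the assumed guess rate, which is why unsalted or fast hashing on the server side matters more than the exact pool.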

