[ale] OT - New encryption technology using a piece of paper

Ron Frazier atllinuxenthinfo at c3energy.com
Sun Sep 4 01:18:48 EDT 2011


Michael,

Just a few more small replies.  Not trying to beat a dead horse.  You 
did copy your message to the group, so I am as well with this reply.

On 9/3/2011 11:37 PM, Michael Trausch wrote:
> On 09/03/2011 10:40 PM, Ron Frazier wrote:
>    
>> On 9/3/2011 7:25 PM, Michael Trausch wrote:
>>      
>>> On 09/03/2011 06:01 PM, Ron Frazier wrote:
>>>        
>> Why would I have any inclination to Google the phrase password card?
>> Nothing I've ever encountered would lead me to believe it means anything
>> other than a card with passwords on it.
>>      
> Because there was a big buzz about it on several security sites
> somewhere between six months and a year ago, as well as on a large
> number of blogs?  Because I wouldn't be so stupid as to advocate that
> someone actually put cards with actual passwords on them in their
> wallets?  Because you're curious about what I might be talking about
> that sounded like it was a better option when, as I obviously did the
> first time around, I forget to put the link in the email?
>
> I don't know.  I can think of a number of reasons.  I lean on Google a
> lot to clear things up when I think something might be slightly off or
> "smell funny".  I suppose I simply expect that others do, too.
>
>    

It simply hadn't come across my radar screen.  I use Google quite a bit, 
but it didn't occur to me to search that phrase.

>> However, since you cited the
>> link, it looks pretty cool.  I might even use it.  I'll be sure and
>> suggest to Steve that he mention it to his listeners during his
>> podcast.
>>      
> I would expect him to know about them already and not have reinvented a
> worse wheel.  Of course, nobody's perfect, but Gibson simply is not a
> security expert.
>
> The last time you sang his praises on the list I took some time to
> listen to several episodes of his podcast.  There were several things he
> discussed that were simply plain incorrect, several others that had
> kernels of truth in them, a few that were almost correct, and only a
> very few that were actually dead on.  As I've mentioned, even broken
> clocks are right twice a day.  He can't get *everything* wrong, that
> would surpass even my expectations of a human being.
>
>    

I don't know that he personally claims to be an expert, although Leo 
Laporte might say so.  From my perspective, Steve is a knowledgeable and 
passionate private entrepreneur with good experience researching and 
disseminating security information for average and somewhat above 
average computer users.  He is not an enterprise security expert, nor 
has he ever claimed to be.  I'm glad to know that you listened to some 
of the podcasts.  If you have extensive security expertise, you may not 
find much you didn't know, as you are not his target audience.  If you 
find his information to be in error, and you think the distinction is 
important to the target audience of lay people and above average lay 
people dealing with home or small office security, I would encourage you 
to submit feedback to him at http://www.grc.com/feedback.htm .  I have 
heard him, many times, make corrections when something is brought to his 
attention.  As I've said, I find his information useful as a home user.

>> I'm sure some people will find password cards easier and others may find
>> Latin Squares easier.  Plenty to go around for everyone.
>>      
> I'm not sure how something that requires an algorithm to be correctly
> used would be easier when compared to something that can be used freely
> with little special effort.  The only thing that you need to do with a
> password card is pick a pattern.  It really is much more versatile, and
> you really don't have to even read the Web page to learn how to use it.
>
> Simpler is almost universally better.
>
>    

OK, I can accept that simpler is usually better.

>>>>    I am
>>>> sorry to say that both my bank (which shall remain nameless)
>>>>
>>>>          
>>> Please, tell.  I want to know who NOT to go to for an account should I
>>> have to hunt in the future.  (Unless it's Chase, which I am already
>>> aware of.)
>>>
>>>        
>> I have no intention of enticing you all to hack my bank.  Those
>> interested should call customer service of a prospective bank, ask for
>> help with online banking, then ask what the password criteria are.
>>
>>      
> Yes, because that's what we at ALE do.  We wait for information about
> things and break into their networks.  We don't have better things to do
> like, I don't know, service our clients and spend time with our families.
>
> It would be helpful to know what bank to avoid.  If someone was going to
> (or is going to) attempt to crack into your bank, they will do it
> regardless of what is posted on the list or not.  Oh, well.
>
>    

I did not mean to offend you or imply that you or any specific party to 
this conversation wants to crack my bank.  The bottom line is that 
everything on this list can be read by anyone in the world.  David 
Tomaschik brought up the same thing and misinterpreted my comment.  I 
gave a much more detailed reply to him.  Please see that for more info.  
If you really want the name of the bank, I'll send it to you privately, 
and I'd still prefer you don't post it on the list.

>>>> as well as
>>>> the job posting website of a major national defense lab (which shall
>>>> also remain nameless) both limit me to 8 characters.
>>>>
>>>>          
>>> Then clearly they are not a worthwhile place of employment because they
>>> either do not know what they are talking about, or they feel that they
>>> (like many other alleged security companies) are somehow above the way
>>> the world works.
>>>
>>>        
>> I don't think I'd say that a premier Federal National lab with some of
>> the most brilliant scientists in the country is not worth working for
>> just because their job board has 1990s-vintage security systems.
>> However, I do find it exceedingly frustrating.
>>      
> If they are a "premier Federal National lab with some of the most
> brilliant scientists in the country" and are also a defense contractor,
> then they are expected to be in the business of knowing their stuff and
> operating with relevant and current security practices.  If a
> business---governmental entity or not---claims to know security (which
> defense is a part of), but does such things as using systems that are
> known insecure, especially when known to be insecure by design, then
> they can't be taken seriously.
>
> That's like HBGary, which claims to be an IT security firm, saying that
> they know security.  However, both the firm and the CEO were affected by
> directed attacks that, should the company's claims have been correct,
> should not have been possible.  Will anyone take HBGary seriously again?
>   Only those who buy into marketing and don't do their homework, I suspect.
>
> That's like LifeLock, which claims to be so safe and secure as to
> prevent identity theft for all of its subscribers, being taken seriously
> even though the owner (or CEO, I don't remember which) of the company
> publishes his social security number widely---and has himself been the
> victim of identity theft several times since the company was started.
>
>    

I'm simply saying that flawed implementation of one part of the IT 
department does not invalidate the dozens of other branches of research 
that go on there.  Even within IT, I think they have much better 
security on the parts related to national defense than they do on the 
job board.

>>> It follows his usual pattern, unfortunately.  Instead of working to help
>>> improve things, he is working to solidify things the way they are.  What
>>> makes *me* curious is what sort of motivation does he have for doing so?
>>>        
>> He's always slamming corporations for storing non-hashed passwords, not
>> salting, putting length restrictions on them, etc.  However, he also
>>      
> He'd simply be unworthy of being called an IT professional if he didn't.
>
> One cannot commend a self-proclaimed security expert for knowing
> something that everyone in the various IT fields already knows.  Of
> course, just because everyone knows it doesn't mean that everyone
> follows it.  Everyone who doesn't seems to always have a (in their own
> eyes) valid excuse.
>
>    
>> tries to help users deal with the real world conditions they face.  I'm
>> sure that if the bank or the lab had asked Steve how to set up their
>> systems, I wouldn't have to be dealing with the limits that I do.
>>      
> Then why doesn't he encourage people to do things that have been
> historically shown to work in the past?  Move away from companies that
> are known to not care about their users' security, and so forth?  That
> would be rather more useful than not doing so.
>
>    

He always encourages people to use the strongest most effective security 
they can, or can put up with.  However, it has been my observation that 
individual consumers have very little clout when dealing with mega 
corporations like AT&T, Comcast, Bank of America, etc.  I used to deal 
with Bank of America.  I left them because I thought their fees were too 
high.  I used to deal with Dish.  I left them because they wanted a 2 
year agreement just to get HD programming.  I used to deal with Cingular 
Wireless.  I left them because they disabled my cell phone service for 
being a few days late on a payment, even though I always made a double 
payment later if needed.  I also had one of the worst experiences of my 
life trying to get a phone malfunction fixed.  NONE of them give a rat's 
tail about the fact that I left.  Pretty soon, I'm going to be all out 
of vendors.  Most of the time, they won't even ask why you're leaving.  
I think Steve takes a pragmatic approach to help users deal with the 
circumstances they're actually facing.  Maybe we need some kind of 
massive consumers' union in this country.  I've often lamented to anyone 
who will listen that many manufacturers will keep producing crap as long 
as it's profitable and won't stop until something hurts them enough to 
make them stop.

>>> His system creates low entropy passwords, end of story.  Unless you're
>>> using 50 characters, it is really not worthwhile to attempt to use a
>>> password where the characters come from a pool of only 52 possibilities.
>>>        
>> Not universally true.  His DEFAULT procedure which he shares has 12
>> upper / lower case characters.  However, it is trivial to add more
>> length, or symbols, or numbers, or all three.  He has a web page that
>> explains how to do that.
>>      
> Again, his system is far more complex than the password card.  That
> makes it less secure because it is more likely to be used incorrectly.
> The entropy is too low to trust that it can be used without some sort of
> algorithm to ensure at least a minimum level of validity.
>
> Any good system should work with randomness, anyway.  Using an algorithm
> keyed on the name of a domain is actually lowering entropy.  My
> calculations didn't take that into effect, namely because I don't know
> just how to accommodate that.  Mike Warfield might, though.
>
>    

He just uses the domain name to trigger the traversals within the grid, 
which is random.  I don't think it significantly hurts things.  However, 
I certainly am not an expert in number theory.

>>> The page requires you to put the password INTO THE SITE?  And people
>>> ACTUALLY DO IT?  Please, stop.  You're hurting me.
>>>        
>> Wrong.  Everything is done by JavaScript on the page.  Nothing is
>> transmitted.  I'm sure that could be confirmed by examining the source
>> code or placing a sniffer on the net.
>>      
> Unless you have read the JavaScript and can vouch for that, I'll choose
> to believe that putting a password into a Web site to check it before
> using it on another Web site is a pretty stupid thing to do.
> Universally so.  A real security expert would tell you the same thing, I
> suspect.  Why would you want to potentially seed someone's database?
> That'd be a most excellent way to do so, "please, enter your password
> here.  I'll tell you if it's strong." "..." "Hey, good password! [quick,
> save it in the database table and we'll sell it later!]".
>
> There are a number of tools that are available, and are free software,
> that can check the strength of a password without ever contacting a node
> on the Internet or running over something like the Web.  If he didn't
> have negative motivations, why wouldn't he simply recommend one of them?
>   Aside from the fact that he thinks he knows better than everyone else?
>   SpinRite, enough said.
>
>    

Just being Devil's advocate, how am I to know that I can trust any of 
those tools I download any better?  Steve frequently builds little tools 
to help people do certain things.  I totally understand your 
skepticism.  I will simply say this.  I have a mechanic who fixes my 
car.  I've built up a relationship with him over a decade.  I trust him 
implicitly with the machine, and as a result, with our lives when we're 
in it.  Now, he and his techs make mistakes on occasion, like anyone 
would.  However, I have complete trust in his motives.  If he tells me 
something is this or that way with the car, I believe it, unless I have 
reason not to.  He's not the cheapest around, but I never feel he's 
trying to gouge me.  As an example, his cost for a good quality 
catalytic converter is more than AutoZone charges for their cheap bottom 
of the line model.  So, I have to expect that my mechanic is going to 
charge more for the part.

I know Steve through 6 years of his podcasts and publications, which he 
does for free.  I have no reason to believe he has any negative motives 
with tools such as this.  I believe his desire is to help users 
understand the issues involved.

I bought SpinRite, I use it, I like it.  I feel that the data on my hard 
drives is more reliable and stable because of it.  We had a flame war 
over it a few months ago.  No need to rehash it.  We can agree to disagree.

>>>> Count of all possible passwords with this alphabet:
>>>> 99,246,114,928,149,462
>>>> Time to crack it - Online attack - 1000 guesses / second: 31.56 thousand
>>>> centuries
>>>>
>>>>          
>>> So he's off by about 38,000 quadrillion.  But that's okay, because it's
>>> not like the site knew that the pool was as limited as it was.
>>>
>>>        
>> I would imagine his numbers are right.  However, I don't have the
>> knowledge of number theory that I'd need to verify either his or your
>> numbers.
>>      
> Of course.  Well, that's fine.  I'm not here to dispute math.
>
>    

OK.  As you might have noticed, I have a tendency to speak my mind.  I 
did not mean ANY offense by that statement.  I never intentionally say 
anything here to offend.  There is somewhat of a discrepancy between the 
numbers his site quotes and yours.  I don't know the cause.  I simply 
don't have the time or knowledge to go and verify such things and 
reinvent or rediscover the science.

>>> I'm no longer interested.  I've evaluated his grid enough to see that it
>>> is worthy of his reputation, and that's really all I need to know.  I
>>> will continue going about my business and using strong passwords and
>>> passphrases because honestly, I have a system that works better and
>>> requires less time and know-how, meaning that I can focus on my work and
>>> not on useless bull like password management.
>>>        
>> You really seem eager to trash someone you barely know.  Regardless, if
>> you have a system that works for you, that's great.  I may use all or
>> parts of it myself.  If Steve passes it along to listeners, they may use
>> it too.  He likes to give users various options so they can use what
>> works for them.
>>
>>      
> I've known about Gibson longer than I've lived in Georgia.  His "work"
> speaks for itself, insofar as I can see.
>
> Calling Gibson a knowledgeable expert in security would be like calling
> Donald Knuth a veritable idiot in the fields of computer science or
> mathematics.  Why?  Because Knuth's work _also_ speaks for itself.
>
> 	--- Mike
>
>    

I think Steve is a helpful purveyor of information relating to security 
to non technical and semi technical home and small office computer 
users.  I think you're too hard on him.  I guess we'll have to agree to 
disagree on that too.

Sincerely,

Ron


-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
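Editor's added example (not code from this thread, from either poster, or from any password-strength site): the search-space arithmetic behind the figures argued over above. Summing a 26-letter alphabet over every length from 1 to 12 gives exactly the 99,246,114,928,149,462 count quoted from the site, which is what makes it differ from a 52-letter, exactly-12-character count. The 1,000 guesses/second online rate is the one quoted in the thread; the 10^10 guesses/second offline rate and the 95-symbol printable-ASCII case are assumptions for comparison. The model assumes the password is chosen uniformly at random from the alphabet; a password derived from a pattern or a domain name is not uniform, and this arithmetic says nothing about that loss.

```python
"""Password search-space arithmetic for the figures discussed in the thread.

Added example, not code from the thread or from any password-strength site.
Assumes passwords are chosen uniformly at random from the alphabet.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def search_space(alphabet_size: int, max_length: int, all_lengths: bool = True) -> int:
    """Number of candidates an exhaustive attacker must consider.

    all_lengths=True counts every length from 1 up to max_length (the
    attacker does not know the length in advance); all_lengths=False
    counts only passwords of exactly max_length.
    """
    if alphabet_size < 1 or max_length < 1:
        raise ValueError("alphabet_size and max_length must be positive")
    if all_lengths:
        return sum(alphabet_size ** n for n in range(1, max_length + 1))
    return alphabet_size ** max_length


def entropy_bits(count: int) -> float:
    """Bits of entropy for a password chosen uniformly from `count` candidates."""
    return math.log2(count)


def crack_time_years(count: int, guesses_per_second: float) -> float:
    """Worst-case (full search) time in years at a given guess rate.

    The expected time for a uniformly chosen password is half of this.
    """
    return count / guesses_per_second / SECONDS_PER_YEAR


def summarize(label: str, alphabet_size: int, max_length: int,
              all_lengths: bool, guesses_per_second: float) -> dict:
    """Bundle count, entropy and worst-case crack time for one scenario."""
    count = search_space(alphabet_size, max_length, all_lengths)
    return {
        "label": label,
        "count": count,
        "bits": round(entropy_bits(count), 2),
        "centuries": crack_time_years(count, guesses_per_second) / 100,
    }


if __name__ == "__main__":
    ONLINE = 1_000       # guesses/s, the online rate quoted in the thread
    OFFLINE = 10 ** 10   # guesses/s, an assumed offline cracking rate
    # Constructed scenarios: the first reproduces the count quoted in the thread.
    cases = [
        ("26 letters, lengths 1..12", 26, 12, True),
        ("52 letters, exactly 12", 52, 12, False),
        ("95 printable ASCII, exactly 12", 95, 12, False),
    ]
    for label, size, length, all_len in cases:
        for rate_name, rate in (("online", ONLINE), ("offline", OFFLINE)):
            s = summarize(label, size, length, all_len, rate)
            print(f"{s['label']:<32} {rate_name:<8} {s['count']:>30,d} "
                  f"{s['bits']:>7.2f} bits {s['centuries']:>22,.3f} centuries")
```

Running it shows the 26-letter, all-lengths case at about 56.5 bits and roughly 31 thousand centuries at 1,000 guesses/second, while 52 letters at exactly 12 characters is about 68.4 bits; the offline row is the one that matters for a leaked hash database, and it is orders of magnitude shorter than the online figure a strength meter usually displays.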
