Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Community > MacNN Lounge > I have no confidence in computers anymore

I have no confidence in computers anymore (Page 2)
Thread Tools
Addicted to MacNN
Join Date: Jan 2003
Location: Great White North
Status: Offline
Reply With Quote
Jan 2, 2013, 12:35 PM
 
I like to add password hacking is not very common, its more people putting in passwords to fake phishing sites that is the bigger problem. You could have the most complex password in the world but if you fall to a phishing site, its all over.
Blandine Bureau 1940 - 2011
Missed 2012 by 3 days, RIP Grandma :-(
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Jan 2, 2013, 01:02 PM
 
Originally Posted by mattyb View Post
I'd be interested to see which applications actually hash or encrypt all of the 36 characters above.
There are certain UNIXes that if not configured from the default, ignore anything over 8 characters for a password. Dunno if OSX is like this.
Here's a list:

1Password

Not much else matters WRT my side of the bargain. All my other passwords are random strings.
     
Addicted to MacNN
Join Date: Aug 2006
Location: Somewhere in the Pacific Northwest
Status: Offline
Reply With Quote
Jan 8, 2013, 07:59 PM
 
Even better: PIV cards.

Card, PIN, two-factor authentication. More secure than a password and much harder to fake if you're a hacker.

It's the future, even if people don't realize it yet (or don't want to).

The OP's post is just confusing.
     
Mac Enthusiast
Join Date: Feb 2005
Status: Offline
Reply With Quote
Jan 11, 2013, 05:14 AM
 
Originally Posted by shifuimam View Post
The OP's post is just confusing.
The computers are too confusing. I've got a NASA control room here just so I can get my bank statement.
     
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Reply With Quote
Jan 11, 2013, 05:22 AM
 
As I've said above: This is why iPad exists.

"Computers" are quickly being relegated to specialized usage. General use is shifting to tablets *fast* (recent estimates have tablet sales surpassing notebook sales this year already. If that pans out, that's a sensational market realignment, just three years after the product category was created).

Anybody who claims that traditional computers aren't too complex really needs to get out more and deal with normal human beings.
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Jan 11, 2013, 08:12 PM
 
Originally Posted by shifuimam View Post
Even better: PIV cards.

Card, PIN, two-factor authentication. More secure than a password and much harder to fake if you're a hacker.

It's the future, even if people don't realize it yet (or don't want to).

The OP's post is just confusing.
I still don't get how TFA is better than uncrackable, high-entropy passwords in a password locker.
     
Addicted to MacNN
Join Date: Nov 2002
Location: Rockville, MD
Status: Offline
Reply With Quote
Jan 12, 2013, 04:58 AM
 
because of phishing?
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Jan 12, 2013, 01:10 PM
 
Originally Posted by Spheric Harlot View Post
As I've said above: This is why iPad exists.
In this specific case (passwords, account security and management), tablets are even worse than computers.

Absent a 3rd party app like 1PW, password management is a huge pain in the ass on the iPad.

-t
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Jan 12, 2013, 04:01 PM
 
Originally Posted by Uncle Skeleton View Post
because of phishing?
I'm not sure I buy that as a good reason. It's much easier to learn how not to fall for one than go through the TFA rigamarole all the time.

If you're talking a Mat Honan style attack, that was Apple and Amazon's fault. Going TFA because their security policy sucks balls is the wrong way to go about it.
     
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Status: Offline
Reply With Quote
Jan 14, 2013, 01:20 AM
 
Originally Posted by subego View Post
I still don't get how TFA is better than uncrackable, high-entropy passwords in a password locker.
More difficult to rubber hose since you need the second factor.

Oblig xkcd:
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Jan 14, 2013, 02:49 AM
 
I think the real crypto nerd fallacy is thinking anyone gives a shit about your seekrits.

There should be a third panel where the guy says "don't waste the drugs, hit him with your free fist, sell the laptop, go buy more drugs".
     
Moderator
Join Date: May 2001
Location: Hilbert space
Status: Offline
Reply With Quote
Jan 14, 2013, 04:46 AM
 
Encryption is just like any security measure: it can be circumvented, but it sure makes recovering the data more difficult to practically impossible. If you use proper encryption and you lose your computer with sensitive information on it, this information in all likelihood will remain safe. But of course, usually the weakest link is the human element.
I don't suffer from insanity, I enjoy every minute of it.
     
Mac Enthusiast
Join Date: Feb 2005
Status: Offline
Reply With Quote
Feb 1, 2013, 10:12 AM
 
And I'm done.
My DSL connection isn't working all of a sudden and they are trying to tell that it is because of my answering machine.
No more for me.
     
Addicted to MacNN
Join Date: Nov 2002
Location: Rockville, MD
Status: Offline
Reply With Quote
Feb 1, 2013, 12:48 PM
 
How did you post that?
     
Addicted to MacNN
Join Date: Jan 2003
Location: Great White North
Status: Offline
Reply With Quote
Feb 1, 2013, 01:35 PM
 
Originally Posted by tightsocks View Post
And I'm done.
My DSL connection isn't working all of a sudden and they are trying to tell that it is because of my answering machine.
No more for me.
Do you have a ADSL filter on the line between the answering machine and the phone jack? If not it can easily be the cause.
Blandine Bureau 1940 - 2011
Missed 2012 by 3 days, RIP Grandma :-(
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 2, 2013, 05:36 AM
 
I've had tech support say the problem is my wifi even though I was plugged directly into the router.
     
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Reply With Quote
Feb 2, 2013, 05:59 AM
 
Phone support droids are not a problem with computers.

They are a problem with companies.

FWIW, an incorrectly wired answering machine CAN cause issues with DSL. However, I've seen a number of failed frequency splitters (ADSL filters) over the years.
     
Mac Elite
Join Date: Jul 2002
Location: Toronto, Canada
Status: Offline
Reply With Quote
Feb 2, 2013, 11:11 AM
 
People still have answering machines?
     
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Reply With Quote
Feb 2, 2013, 12:11 PM
 
I did until last year, when I replaced it with a new wireless phone that has one integrated.
     
Addicted to MacNN
Join Date: Aug 2006
Location: Somewhere in the Pacific Northwest
Status: Offline
Reply With Quote
Feb 2, 2013, 12:31 PM
 
Originally Posted by subego View Post
I'm not sure I buy that as a good reason. It's much easier to learn how not to fall for one than go through the TFA rigamarole all the time.
And yet people who are otherwise quite intelligent fall for phishing and social engineering scams all the damn time. A single factor for authentication is inherently insecure. Once you know that one factor, you have all the information you need to gain access to something.

Not only that, but it's only a matter of time before currently-secure password hashes are broken or compromised, just like MD5 and SHA-1.

WRT to "TFA rigamarole" - have you ever used a PIV card (or similar)?

There are other methods of TFA that do suck, like RSA tokens (which are a giant freaking pain in the ass ever since the federal government implemented a new eight-digit PIN policy due to RSA's major security breach, which in turn caused private business to use the same requirement) and phone apps (battery dies, can't find phone, on the phone, can't get a signal, etc.).

PIV cards, on the other hand, are something that everyone can have - your driver's license can be a PIV card, for instance. Your company ID badge can be a PIV card. You have that card with you all the time, stick it in your smart card slot (although Macs have never had this and never will, now that OS X has completely dropped native support for smart cards), type in a six-digit PIN that never changes unless you want it to, and you're in. No username to type in, no unnecessarily long password to remember (and accidentally include typos). Just six numbers.

And, if you fall prey to a phishing scam, all the scammer has is your PIN. They don't have your certificates. They don't have your vetted identity. They just have six numbers they can't actually do anything with.

With other forms of TFA, that use an ever-changing seeded random number, it is entirely possible for someone to create a number generator to come up with the next number. That's what was such a huge deal about what happened with RSA. Once you know what the seed is for the tokens that a company purchased, you can theoretically always know every token's current number.

PIV is a much bigger technology than just authentication. It also encompasses identity verification and management. If your users have PIV or PIV-I cards, you know for a fact that they are who the say they are. Their identity as a unique individual has been vetted, so there is no question that you are giving the right person access to your systems.

Not only that, but PIV isn't a random number plus a PIN or password. It's far more secure. Rather than a dumb (as in, lacking very much logic) generator, we're talking about signed certificates, which is something that is pretty much impossible to fake, since the cert authority has to know that the certificate exists and is valid - and unless you have physical and logical access to that authority, you have no way to fake that information.

Originally Posted by OreoCookie View Post
Encryption is just like any security measure: it can be circumvented, but it sure makes recovering the data more difficult to practically impossible. If you use proper encryption and you lose your computer with sensitive information on it, this information in all likelihood will remain safe. But of course, usually the weakest link is the human element.
THIS 1,000%. If you lose your private key for your encryption for any reason (like a failed HSM), you are completely and irrevocably screwed. Not even close to an optimal solution.
     
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Reply With Quote
Feb 2, 2013, 02:19 PM
 
That's what backups are for.
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 2, 2013, 08:46 PM
 
Originally Posted by shifuimam View Post
And yet people who are otherwise quite intelligent fall for phishing and social engineering scams all the damn time. A single factor for authentication is inherently insecure. Once you know that one factor, you have all the information you need to gain access to something.

Not only that, but it's only a matter of time before currently-secure password hashes are broken or compromised, just like MD5 and SHA-1.

WRT to "TFA rigamarole" - have you ever used a PIV card (or similar)?

There are other methods of TFA that do suck, like RSA tokens (which are a giant freaking pain in the ass ever since the federal government implemented a new eight-digit PIN policy due to RSA's major security breach, which in turn caused private business to use the same requirement) and phone apps (battery dies, can't find phone, on the phone, can't get a signal, etc.).

PIV cards, on the other hand, are something that everyone can have - your driver's license can be a PIV card, for instance. Your company ID badge can be a PIV card. You have that card with you all the time, stick it in your smart card slot (although Macs have never had this and never will, now that OS X has completely dropped native support for smart cards), type in a six-digit PIN that never changes unless you want it to, and you're in. No username to type in, no unnecessarily long password to remember (and accidentally include typos). Just six numbers.

And, if you fall prey to a phishing scam, all the scammer has is your PIN. They don't have your certificates. They don't have your vetted identity. They just have six numbers they can't actually do anything with.

With other forms of TFA, that use an ever-changing seeded random number, it is entirely possible for someone to create a number generator to come up with the next number. That's what was such a huge deal about what happened with RSA. Once you know what the seed is for the tokens that a company purchased, you can theoretically always know every token's current number.

PIV is a much bigger technology than just authentication. It also encompasses identity verification and management. If your users have PIV or PIV-I cards, you know for a fact that they are who the say they are. Their identity as a unique individual has been vetted, so there is no question that you are giving the right person access to your systems.

Not only that, but PIV isn't a random number plus a PIN or password. It's far more secure. Rather than a dumb (as in, lacking very much logic) generator, we're talking about signed certificates, which is something that is pretty much impossible to fake, since the cert authority has to know that the certificate exists and is valid - and unless you have physical and logical access to that authority, you have no way to fake that information.



THIS 1,000%. If you lose your private key for your encryption for any reason (like a failed HSM), you are completely and irrevocably screwed. Not even close to an optimal solution.
I'll admit, I've never used a PIV. What happens if my card gets stolen?

Losing a password locker is just like losing all your photos. It's basically impossible if you take steps to prevent it: mail a copy of the password locker to yourself which has the important passwords in it.

In my case, that's DropBox and CrashPlan.

My house burns down, I can get the locker from my email, and I have access to everything.

If DropBox chokes, and assuming I can't get a recent copy from their versioning system, I go to CrashPlan, which backs up the DropBox.
     
Addicted to MacNN
Join Date: Aug 2006
Location: Somewhere in the Pacific Northwest
Status: Offline
Reply With Quote
Feb 3, 2013, 01:15 AM
 
Here's the thing about PIV - and I should really say "smart card", since PIV is a term specifically referring to HSPD-12 cards for US federal employees, affiliates, and contractors. I'm just used to saying PIV since I worked for the government for a little while.

Anyhow.

If you lose your smart card, the card's certificates can be revoked by the issuing authority - e.g. call your company's help desk and let them know you lost your card, or call your bank, or whoever issued the card. This means that the next time someone tries to use your smart card to do anything - logical or physical access - the card's certificate will be invalid and prevent access, regardless of whether or not the person in possession of your card knows you personally and got you drunk to find out your PIN - or if you were stupid enough to write your PIN on your card.

Similarly, if someone tries to create a card impersonating you, the card will not have valid certificates on it. Only the certificate authority can create valid certificates for the card. So unless the person trying to fake your ID has access to the cert authority, there's no way they can even attempt to do this. Card certificates are signed with the cert authority's private key and validated with that CA's public key. In a well-designed security system, the CA's private key is stored in a way that makes it completely inaccessible to human beings, like an HSM (hardware security module) that uses an encrypted connection with a unique symmetric key that cannot be retrieved. In other words, if the HSM goes down, so does the CA. That's another story, and a good system is going to have redundancy in its HSM or other private key storage infrastructure.

At the end of the day, your smart card contains certificates issued by a trusted certificate authority, which has been thoroughly vetted and approved - much like how websites use SSL certificates from CAs like Thawte and Verisign, because your browser and operating system know that those CAs are trusted and legitimate.

With something like an RSA token, if you lose it, you call your helpdesk, and they remove your RSA token from your user account in the RSA console. This means that if someone steals your token and knows your PIN, they no longer can access the systems you were accessing with that token.

Seems like the same thing as a smart card, right? Not really. The thing is, products like RSA and SafeWord tokens are dumb devices. They don't have logic and they don't have encryption or any kind of validation between the token and the approver (e.g. the RSA appliance). Instead, the device uses a seed and an algorithm to generate a random number on a set interval. The seed and algorithm are written to the device when it is manufactured. The device and the approver have the same seed and device, so when the device's number changes, the approver's number for that device changes at the same time.

If the algorithm and the seed get compromised, your token is no longer secure. Anyone can write a program to generate random numbers using the compromised data. This exact thing happened to RSA last year. It was a huge fiasco and resulted in the aforementioned change in the federal government's RSA PIN policy, which caused a shitload of headaches for end-users.

How is your password locker secured? With a password? Are you certain that you want to place all of your trust in Dropbox to ensure that their environment will never get compromised and you'll never be at risk of data exposure? Are you using a password locker simply so that you can use arduously long and complex passwords for various websites? If you are, I hate to break it to you, but you're incredibly naive about how passwords actually work in 2012.

Passwords are stored as hashes - fixed-length, one-way translations of the text of the password. A good system is going to salt the password with some data so that when the hash is generated, it's not just your password. Remember the LinkedIn fiasco last year? They weren't salting their passwords, which meant that when their infrastructure was compromised, someone could take those password hashes and very, very easily gain access to your LinkedIn account - which, like Facebook, probably contains quite a bit of personally-identifying information.

When you put your password in a website and click "Log In", the code on the server side takes the salt, makes a hash of your inputted password, and checks it against the hash in its database. If it matches, you're logged in. The thing is, there are a finite number of hashes. "My mom is awesome" and "Your father smells of elderberries" could, theoretically, have identical hashes. This means your password isn't actually unique.

If passwords aren't being salted, liked with LinkedIn, it's trivial to start gaining access to accounts just by the password hash. As soon as the password hashes for any website are compromised, the hacker can, at their leisure, start generating millions and millions of hashes from random text. As soon as they find a matching hash, the text they used - which is gibberish - can be used as a valid password to access the account associated with that hash, because all the server cares about is the hash.

Longer does not mean better. More complex does not mean better. Using punctuation, phrases, numbers, Chinese characters, and whatever else you can think of just makes brute force attacks harder. IT security stopped caring about brute force like this more than a decade ago. It's the reason why your bank locks your account after five invalid login attempts and requires you to call them to get your account unlocked.

Account compromises today are not happening because passwords are too short or too simple. They're happening in two ways: a security breach in the system's password database, including the system's password salt...and social engineering.

Your password locker is absolutely useless if you fall prey to a phishing scam and give someone the password to your password locker. Now someone has that password, and if you're using the same password for your locker and your dropbox - since you're trying to avoid having to remember too many passwords to begin with, all that person has to do is log in to your dropbox, download your password locker, open it, and go to town on your accounts. If you managed to get a keylogger installed, or your neighbor is sniffing your network or you're the unfortunate guy at Starbucks who's being targeted by the greasy-haired geek in the corner, you're looking at a security breach. As soon as you type in your password to access your locker, you've been compromised.

On the other hand, if you're logging in to your bank with a physical card carrying a bank-issued certificate, and the only information you need to know is your PIN, it's much, much harder for someone to steal that information. They might have your PIN, but they don't have your card. They don't even have a way of making their own card that's a copy of yours.
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 3, 2013, 08:44 AM
 
Look on the bright side shif, you'd make a shitty criminal.

If you get your hands on a set of unsalted hashes, leisure is the last thing you have. It's only a matter of time before the compromise has been detected and they start closing the hole by informing their users.

You don't take this time to brute force the hashes. You use a rainbow table and scrape the easiest ones.

Guess what? Those long-ass passwords aren't going to be in the rainbow table. What will be in there are ones like "m0nkey".

Yes, on the off chance your high-entropy password matches the hash to "m0nkey", well then yeah, you're stuck. You go on with your bad self, I'll take the risk.
     
Mac Enthusiast
Join Date: Feb 2005
Status: Offline
Reply With Quote
Feb 3, 2013, 10:16 AM
 
Originally Posted by Spheric Harlot View Post
Phone support droids are not a problem with computers.

They are a problem with companies.

FWIW, an incorrectly wired answering machine CAN cause issues with DSL. However, I've seen a number of failed frequency splitters (ADSL filters) over the years.
Turns out I just needed to adjust the tracking on the VCR. I figured that out for myself.
     
Addicted to MacNN
Join Date: Aug 2006
Location: Somewhere in the Pacific Northwest
Status: Offline
Reply With Quote
Feb 3, 2013, 11:25 AM
 
Originally Posted by subego View Post
Look on the bright side shif, you'd make a shitty criminal.

If you get your hands on a set of unsalted hashes, leisure is the last thing you have. It's only a matter of time before the compromise has been detected and they start closing the hole by informing their users.

You don't take this time to brute force the hashes. You use a rainbow table and scrape the easiest ones.

Guess what? Those long-ass passwords aren't going to be in the rainbow table. What will be in there are ones like "m0nkey".

Yes, on the off chance your high-entropy password matches the hash to "m0nkey", well then yeah, you're stuck. You go on with your bad self, I'll take the risk.
You completely missed the point. There are a finite number of hashes. A long gibberish password, when hashed using a one-way algorithm, does not have a unique hash. That hash matches other passwords. So while your gibberish password is secure to you, the resulting hash could be the same hash for anything - dictionary words, common phrases, or even another gibberish password that someone else is using.

For example, macintosh has the same MD5 hash as SLOW DOWN COWBOY!. The second one seems more secure, doesn't it? Brute force attacks are nearly impossible with passphrases because of the number of possible character combinations. Unfortunately, both use the same hash, and what we're concerned about isn't brute force. It's compromise of password hashes.

And, as stated by myself and others, social engineering is the bigger problem. Your passwords in your "password locker" are not secure if you compromise your password locker password through some clever social engineering. Think you're too smart for it? It happens to millions of people every day - even the smart ones, who aren't paying attention and accidentally put their PayPal password into a fake PayPal site one day.

The benefits of smart card technology go way, way beyond something as simple as "I don't want to remember a long password". Europe already uses smart cards for financial transaction cards - credit, debit, ATM, etc. - because it's simply more secure. The HSPD-12 program in the United States already presents a requirement that every federal agency in the United States is actively issuing smart cards to every single employee and affiliate. By 2014, every single federal agency is required to use those cards for physical access. Logical access is not far behind. Other markets - like financial institutions, which are heavily regulated by the government - are being required to move to smart cards as well. This isn't a feel-good measure because they are pretending that it's a better solution than a password locker.

In fact, in the federal government and the financial sector, if you were discovered to be using a password locker to store any authentication information, you would be fired immediately for violation of IT security policies that are enforceable by law.

Yes, your password locker is a step up from simple passwords that are easy to remember and easy to hack. It is not, however, the golden solution that will resolve account compromises. At the end of the day, if your authentication mechanism relies on a single factor - a password - it is inherently insecure. There's no such thing as a hash that won't become obsolete. SHA-2 is "uncrackable" right now. All that means is that with current technology, it's impossible to generate every single possible hash in that algorithm. It's only a matter of time before that is no longer the case and, like MD5 and SHA-1, we will not be able to rely on SHA-2 anymore.

As soon as any hashing algorithm is old enough that it's possible for current technology to generate every single possible hash, that algorithm is no longer secure. Password salting is good, but not perfect. Passphrases prevent against brute-force, but we've already been over the fact that modern authentication systems don't allow an unlimited number of logon attempts.

The point is that with two-factor authentication using smart cards, you don't need a password database that you have to backup onto someone else's server (and you never did address the fact that a copy of all of your passwords is sitting on a server farm somewhere that you have zero control over, and if Dropbox gets compromised - which can happen internally by a bad employee, not just by a guy in Russia - your password database is now compromised and you have to change every single password again). All you need is a physical item - your ID or credit card or whatever else, with a smart chip in it, and a short PIN that is easy to remember.

It's retarded that you're so convinced that this is a bad thing that will never work. Fortunately, there are smarter people making the decisions that matter. You may think that smart cards are a passing fad or something that only the government is going to use. Lucky for those of us who actually care about the real risks in IT security, the people making the decisions know how weak one-factor authentication is. It is indeed only a matter of time before we're using this technology for end-users, and it's a good thing.
( Last edited by shifuimam; Feb 3, 2013 at 11:49 AM. )
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 3, 2013, 11:45 AM
 
You didn't read my post. I touched on the issue of finite hashes in my last paragraph. Ironic you're telling me I missed the point.

What's the method by which you'd phish someone's private password locker password? Hint: there is none.

The argument it's only a matter of time until my locker is brute-forceable is pretty ridiculous. The encryption used by the locker isn't meant to be eternal. We have these things called upgrades you might want to look into.

All the rest of it is just you trying to shove words in my mouth. I never said a password locker was a panacea, I never said a password locker is the best way to access your frigging bank account. The actual issue, which is causing actual problems is the 50 bajillion passwords you rack up because every site wants you to make an account. I don't see cards as being of more value than a password locker for that.
     
Addicted to MacNN
Join Date: Aug 2006
Location: Somewhere in the Pacific Northwest
Status: Offline
Reply With Quote
Feb 3, 2013, 11:50 AM
 
Whatever.

Don't store your work passwords in your precious password locker. You'll get fired if someone finds out.

And that's not just banks and government. That's any business with a shred of sense in their IT security requirements.
     
Addicted to MacNN
Join Date: Nov 2002
Location: Rockville, MD
Status: Offline
Reply With Quote
Feb 3, 2013, 12:54 PM
 
Originally Posted by subego View Post
What's the method by which you'd phish someone's private password locker password? Hint: there is none.
Dropbox gets hacked and they replace your password database with a trojan?
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Feb 3, 2013, 05:57 PM
 
Originally Posted by Uncle Skeleton View Post
Dropbox gets hacked and they replace your password database with a trojan?
How is this supposed to work ?

Database files are never executed.

-t
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 3, 2013, 08:26 PM
 
Originally Posted by Uncle Skeleton View Post
Dropbox gets hacked and they replace your password database with a trojan?
Sure, but that's not a phishing attack. It's the claim it's vulnerable to a phishing attack which I take issue with.

DropBox is definitely the weak point with the locker I use (1password). You don't have to use DropBox, but I'm taking the risk for the convienence of having it available and updated on all my computers.
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 3, 2013, 08:34 PM
 
Originally Posted by shifuimam View Post
Whatever.

Don't store your work passwords in your precious password locker. You'll get fired if someone finds out.

And that's not just banks and government. That's any business with a shred of sense in their IT security requirements.
Since you're not bothering to read my posts, and I'm bothering to read yours, I appreciate you not throwing up a wall of text full of either stuff I know and have already discussed, or just plain bullshit.
     
Moderator
Join Date: May 2001
Location: Hilbert space
Status: Offline
Reply With Quote
Feb 3, 2013, 08:38 PM
 
Originally Posted by shifuimam View Post
THIS 1,000%. If you lose your private key for your encryption for any reason (like a failed HSM), you are completely and irrevocably screwed. Not even close to an optimal solution.
As Spheric has posted already, the solution to this conundrum is to have backups. If you don't, I don't see how you can complain. As it stands now, people have to opt into encryption which, given the risk of total data "loss" that you correctly point to, is an option for expert users.

I remember the story of this one wired (?) journalist whose accounts were breached a while back, and the hackers wiped his machines in the process. I felt bad for him, because they breached his privacy. I felt bad, because he had done nothing wrong to make him vulnerable. And I hope Apple and Amazon have since plugged this loophole. But my sympathy for him losing all his precious data was limited: as a technophile, he should've known better and have a backup strategy.
I don't suffer from insanity, I enjoy every minute of it.
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 3, 2013, 08:42 PM
 
Mat Honan. He does write for Wired.

He's fully admitted he made several mistakes along the way for which he has no excuse considering his job.
     
Moderator
Join Date: May 2001
Location: Hilbert space
Status: Offline
Reply With Quote
Feb 3, 2013, 08:48 PM
 
Regarding two-factor authentication, of course that is more secure, but you always have to balance security with convenience. This also applies to the real world: if you pay with your credit card, you either have to sign or enter your PIN. Paying with plastic would be more secure if you required an additional form of ID. In most cases, the weak point is not technology. It's things like weak passwords which "protect" your medical files in a password. Or the PIN 1234 which password protects many points of sales. Or the various password reset forms.

Here in Japan, they have replaced PINs with a blood vessel scanner for your fingers. I don't know whether that's more secure. At least nobody can cut off my finger and withdraw money from my account. For the time being, my fingers at least are safe.
I don't suffer from insanity, I enjoy every minute of it.
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 3, 2013, 08:51 PM
 
Originally Posted by turtle777 View Post
How is this supposed to work ?

Database files are never executed.

-t
That's a good point. How would you get the database file to keylog an attempted login by the user. There's no reason for AgileBits to make that possible, and a really good reason for them to make it impossible.
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Feb 4, 2013, 12:58 AM
 
Originally Posted by subego View Post
DropBox is definitely the weak point with the locker I use (1password). You don't have to use DropBox, but I'm taking the risk for the convienence of having it available and updated on all my computers.
I don't see how it's a weak point, unless your Master Password is weak.

-t
     
Mac Elite
Join Date: Aug 2005
Location: Vancouver, BC
Status: Offline
Reply With Quote
Feb 4, 2013, 01:19 AM
 
Wow, this line of conversation sure isn't going to help the OP feel like computers are any less of a PITA than he already thinks they are. Heh.
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 4, 2013, 04:34 AM
 
Originally Posted by turtle777 View Post
I don't see how it's a weak point, unless your Master Password is weak.

-t
Anything available in the cloud is going to be inherently less secure than something which isn't.

AgileBits doesn't share their code. You have no idea if there's a hole in it.
     
Addicted to MacNN
Join Date: Nov 2002
Location: Rockville, MD
Status: Offline
Reply With Quote
Feb 4, 2013, 11:53 AM
 
Originally Posted by subego View Post
Sure, but that's not a phishing attack. It's the claim it's vulnerable to a phishing attack which I take issue with.

DropBox is definitely the weak point with the locker I use (1password). You don't have to use DropBox, but I'm taking the risk for the convienence of having it available and updated on all my computers.
I meant that the trojan would phish your password for your password locker. Does that not qualify?


Originally Posted by turtle777 View Post
How is this supposed to work ?

Database files are never executed.

-t
Wasn't the first OS X trojan disguised as an mp3? You double-click it and it opens, same for documents as for apps. All it has to do is get the system warning to ask you if you want to open "your password app" instead of "phishing attempt" and you'll probably get some bites.


Originally Posted by gradient View Post
Wow, this line of conversation sure isn't going to help the OP feel like computers are any less of a PITA than he already thinks they are. Heh.
But I bet he loves the attention
     
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Status: Offline
Reply With Quote
Feb 4, 2013, 12:51 PM
 
Originally Posted by tightsocks View Post
Turns out I just needed to adjust the tracking on the VCR. I figured that out for myself.
So the computer stays then?
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 4, 2013, 04:46 PM
 
Originally Posted by Uncle Skeleton View Post
I meant that the trojan would phish your password for your password locker. Does that not qualify?
My understanding is it doesn't. Phishing is a social engineering attack.

That's why I'm saying a password locker is phishing resistant. How do you social engineer a master password locker password?
     
Addicted to MacNN
Join Date: Nov 2002
Location: Rockville, MD
Status: Offline
Reply With Quote
Feb 4, 2013, 05:21 PM
 
Originally Posted by subego View Post
My understanding is it doesn't. Phishing is a social engineering attack.
Yeah I'm saying the trojan tries to social-engineer you into typing in your password, by pretending to be your locker.

That's why I'm saying a password locker is phishing resistant. How do you social engineer a master password locker password?
I'm not as familiar with phishing as I pretend to be. Is there usually a master password involved? I thought it was just that they trick you into typing your non-master password into a look-alike agent, who turns around and uses it to pretend to be you (thus ends the extent of my familiarity). I don't see why that look-alike agent can't be a program running locally (that phones home what it finds) instead of a website or office macro.

Edit: oh I think I figured out this second part, it's just a reiteration of the first part.
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 4, 2013, 05:39 PM
 
Originally Posted by Uncle Skeleton View Post
Yeah I'm saying the trojan tries to social-engineer you into typing in your password, by pretending to be your locker.


I'm not as familiar with phishing as I pretend to be. Is there usually a master password involved? I thought it was just that they trick you into typing your non-master password into a look-alike agent, who turns around and uses it to pretend to be you (thus ends the extent of my familiarity). I don't see why that look-alike agent can't be a program running locally (that phones home what it finds) instead of a website or office macro.

Edit: oh I think I figured out this second part, it's just a reiteration of the first part.
Social engineering is, well, social. It's leveraging a social interaction. Code doesn't socially interact with you. Code is engineering engineering.

You are correct about phishing not involving a master password. There's no reason to give a person a master password, so a method in which you impersonate someone just isn't a valid attack vector.
     
Addicted to MacNN
Join Date: Nov 2002
Location: Rockville, MD
Status: Offline
Reply With Quote
Feb 4, 2013, 07:40 PM
 
I am under the impression that if you go to a copycat website that tricks you into entering your password, that constitutes both phishing and social engineering. That interaction is no more "social" than a program tricking you into entering your password. In both cases there is the user and the programmer, and that's it.

It is still "social" in that the exploit targets the user's social interface (their brain and senses), rather than an interface of the computer hardware or software. Code vs user is still more social than code vs code.
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 4, 2013, 08:07 PM
 
My understanding is that a fake website is a spoof. Phishing is the way you lure people to your spoofed site.

You "fish" for dupes via social contact, such as an email.
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Feb 4, 2013, 08:45 PM
 
Originally Posted by subego View Post
AgileBits doesn't share their code. You have no idea if there's a hole in it.
1Password uses open-source OpenSSL for encryption.

How Secure Is 1Password? | 1Password 3 User Guide

Find you own hole :-p

-t
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Feb 4, 2013, 08:49 PM
 
Originally Posted by Uncle Skeleton View Post
Wasn't the first OS X trojan disguised as an mp3? You double-click it and it opens, same for documents as for apps. All it has to do is get the system warning to ask you if you want to open "your password app" instead of "phishing attempt" and you'll probably get some bites.
It doesn't work that way.
You never ever have to open your 1Password database by double-clicking on it.

1Password reads the encrypted database, and decrypts it. Should someone replace the database with an executable malware, 1Password would report an error that it can't open the database.

Even most n00bs would not try to "fix" the database by double-clicking on it.

Again, we were discussing this in the context of Dropbox.
It would be much easier to put a malware app somewhere else on the dropbox, and hope some dumb user would just execute this.

The security of specifically 1Password can NOT be compromissed by access to your Dropbox.

-t
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Feb 4, 2013, 09:39 PM
 
Originally Posted by turtle777 View Post
1Password uses open-source OpenSSL for encryption.

How Secure Is 1Password? | 1Password 3 User Guide

Find you own hole :-p

-t
That's like saying I know the engine works, therefore it is impossible for the car to be broken.

To take this analogy further, it should be noted you aren't even looking at the engine yourself, merely trusting someone else who says it works.
     
Moderator
Join Date: May 2001
Location: Hilbert space
Status: Offline
Reply With Quote
Feb 4, 2013, 10:01 PM
 
I think the idea is that if you compromise your 1Password password, all your passwords are compromised.
I don't suffer from insanity, I enjoy every minute of it.
     
 
Thread Tools
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Top
Privacy Policy
All times are GMT -4. The time now is 04:46 AM.
All contents of these forums © 1995-2015 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2015, Jelsoft Enterprises Ltd., Content Relevant URLs by vBSEO 3.3.2