[Novalug] PC Security (Peter Larsen)

Roger Broseus RogerB@Bronord.com
Mon Aug 11 21:25:21 EDT 2014


Peter,

Interesting points you raise.

You mentioned the breaking of code Enigma. Indeed, some of the world's first computers were used for code breaking. I recently read and highly recommend, to those interested in cryptoanalsys, the book " Codebreakers: The Inside Story of Bletchley Park" ( http://tinyurl.com/mptdjbj). There are several first person accounts by people who were involved in the effort. Published in 1994, the book out out of print but available on the used book market. It has pictures of enigma machines as well as bombes. Fascinating reading.

Your point about common phrases being repeated and leaving clues outs discussed as are errors born of laziness (I should go make some of my pwords longer, etc.).

I still trust Truecrypt. See articles on. Brazilian and FBI attempts to crack it on a criminal investigation: http://tinyurl.com/29m7f7e 

Thanks for the info.


/ Roger
RogerB@bronord.com


>From: Peter Larsen <peter@peterlarsen.org>
>To: novalug@firemountain.net
>Sent: Mon Aug 11 02:34:52 EDT 2014
>Subject: Re: [Novalug] PC Security
>
>On 08/09/2014 07:59 PM, Roger Broseus via Novalug wrote:
>> The topic of security of data on PC's came up today during Simon's
>interesting presentation. As has been said many times, it was asserted
>that if one has physical control puff a PC, they "own it." Even data on
>luks encrypted partitions because security depends on passwords. As
>Simon illustrated, it's relatively easy to change a pword.
>
>So I recall the discussion having multiple dimensions. It started by
>our
>speaker showing how to "break" common security practices for VMs by
>allowing a VM access to the root drive of the host machine. He even
>illustrated that he could change the root password that way for host
>machine. That prompted the comments about security, and I think you
>made
>the comment that encryption would make it safer.
>
>In that context encryption does nothing to protect you. Your system is
>already running and has access to the decrypted version of the disk. In
>other words, the break in is happening electronically - not physically.
>That then turned into the comment that all security starts with
>physical
>security. If you have ever visited data centers, you'll find they take
>access control to the server area very serious and even if they know
>you, they'll not grant you access unless you've followed a very
>specific
>routine to clear you. The reason is, that once you have physical access
>you can plant all kinds of nasty stuff on a computer to "spy" on it or
>even take hardware away for quite analysis somewhere else.
>
>Do you know the story of the German Enigma machines during WWII where
>the German Wehrmacht thought itself safe because "nobody could break
>the
>codes"? Turned out that it only took some very smart mathematicians to
>come up with a solution (Turing created a machine/computer (Bombe) to
>work out how the algorithms worked). It's definitely not the first time
>in history where code breaking proved vital in war and peace time, but
>it illustrates a point: Encryption only delays the "bad guy". With the
>right resources, the time to find the right key combination decreases
>to
>in some cases hours or a few days. Bad/small passwords and keys can be
>found in minutes. The reason the US government has tried to prevent
>certain types of key sizes/algorithms outside the DOD space is because
>they would be too hard to crack for our government (not trying to start
>a political discussion here - bare with me). The strategy with
>encryption is to make the time it takes to break it long enough that
>you
>do not gain benefits from the data. For instance, if it takes you 1
>week
>to crack my message cipher I use to tell my commanders in the field to
>take a bridge tomorrow, I am not too worried if you happen to come
>across my message.
>
>We're all using well known encryption protocols. We don't have the
>problem of not understanding the protocol Enigma used initially. our
>"only" problem is what the key used to encrypt is - computers can do
>this pretty fast. We know what certain parts of the HDD is supposed to
>look like - such as file system signatures, superblocks etc - and can
>look for those using keys we try. And while it may sound like there are
>so many different combinations there are overlaps and if you're just
>using 512byte keys rest assured that no government would even blink to
>be able to crack your key in a matter of minutes.
>
>I'll let the comments on this thread stand - they explain I think very
>well how LUKS and Truecrypt works. So even with the knowledge that it's
>not simple passwords that are used, if someone has your HDD in hand -
>or
>just makes a copy of it without you knowing, it's just a matter of time
>before they gain access to your data. And the amount of time depends on
>how computing capacity they have.
>
>But of course, none of this matters if your system already is running
>and your data is in the clear and gets broken into. Or if you're one of
>those using a wireless keyboard - someone setting up a receiver outside
>your house could easily listen in as you type your password - even
>without getting access to your computer in the first place. Of course
>you may have used  your birthday, your wife's name or something else
>easy to guess and there's not even the need to work on finding your key
>to gain access. I sometime wonder if the IC part of the government
>isn't
>backing or at least accessing popular sites to get a list of the
>passwords people use. That would give them a good idea to what your
>password is on your own computer.
>
>> Fallback position: Truecrypt sensitive folders or even whole
>partitions. There may be other solutions. (http://tinyurl.com/lgqko34)
>
>So given the above, it should be clear that it doesn't matter what you
>encrypt - it "suffers" from the same issues. If you have physical
>access
>to the hardware, you can gain access. But at least an encrypted file
>wouldn't immediately be decrypted/accessed on a running system.
>
>> Comments? Alternatives to get around the password vulnerability?
>
>Passwords sucks because humans suck at remembering complex combinations
>of letters, numbers, symbols etc.  We should be able to get rid of a
>technology used since the stone age. Using physical media or biometrics
>is very cheap today. At least in commercial situations I do not
>understand if other means than standard passwords aren't applied in
>normal security practices.




More information about the Novalug mailing list