Mnyb wrote:
> Interesting responses, some of you must be into encryption and such ?
> this has gone very off topic but interesting.

Yes, way OT.

> On the same tangent, the SBC has a limited charset, so all passphrases
> are not possible to type with the controller, the same applies to the
> SB

Which in the grand scheme of things is not terribly important. And inside the SqueezeBox is just a commodity WiFi card, so there are hidden weak links in the chain, if you are NSA class paranoid. To secure music, it's not really an issue.

> How do you check your passphrase if it's good ?
> To be more specific mine is 15 letters and one number. the words used
> comes from rather obscure literature.

What is obscure in Swedish may be off the chart in America.

The real answer is that you cannot tell. There are good rules of thumb, such as this:
http://www.microsoft.com/protect/yourself/password/create.mspx

> there my pass is judged as "resonable" with "Entropy: 48.9 bits "

There is a fundamental flaw in measuring entropy in this context. The definition comes from Claude Shannon's work, which is also the basis for PCM audio, so I can make a tenuous connection back to audio, squeezeboxen, etc. and is based on probability. The usual measure is based on characters. So in theory, the information value of an eight bit character is 1/256. But in English, we use far fewer characters in "words". And as pointed out above, the character set may have other limitations. So the values may be radically different in practice.

Most folks use something close to words in their native language. This is the basis for all dictionary attacks. The Microsoft paper cited above talks about how conversions to EleetSpeak, or similar things, are weak. They specifically say that "M1cr0$0ft" is not much more 'random' than "Microsoft".

As the Microsoft paper says: "Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children."

The problem is always social engineering, humans simply can't remember strong random things. We have not evolved to do so. So we either use something not random, like the phrase about Transporters in my posting up thread, or we write it down on yellow sticky pads and paste them to the monitor.

> All music in the world is available on any torrent tracker.

The primary rule of serious security is to make the cost of the attack higher than the value of the target. So if all that is in the target is music, which is all over the torrent world, then there is little value in the attack. This could change if your music is flac and all the torrents have is over compressed MP3.

Realistically, the primary value in attacks on home servers is either:
1) access to bank accounts, brokerage accounts, or identity theft enablers
2) hosts for botnets to attack other systems.

What is interesting to me is that nearly all of the information for this stuff is ancient. I wrote "Towards a Model of Computer Security", October 1992, National Computer Security Conference, Fort Meade, MD, with William H Murray. That was nearly 15 years ago. We modeled how a machine can be used as a resource for attacks on other systems.

Some folks might notice how close "Fort Meade, MD" is to an agency of interest.

--
Pat Farrell
http://www.pfarrell.com/

_______________________________________________
discuss mailing list
discuss@lists.slimdevices.com
http://lists.slimdevices.com/lists/listinfo/discuss
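The gap between a per-character entropy score and what a dictionary-aware checker sees, as an added example that is not part of the original post. The wordlist is a constructed sample, and the 100,000-word dictionary size and the three-variants-per-character mangling bound are assumptions chosen for illustration.

```python
import math

# Constructed sample wordlist (assumption); a real checker loads large
# multi-language dictionaries.
WORDLIST = {"password", "microsoft", "squeezebox", "transporter", "music"}
ASSUMED_DICT_SIZE = 100_000  # assumed size of a realistic dictionary

# Common EleetSpeak substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})

def naive_bits(pw):
    """Per-character score: length * log2(size of the character classes used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33  # printable ASCII punctuation plus space
    return len(pw) * math.log2(pool) if pool else 0.0

def normalize(pw):
    """Fold case and undo leet substitutions."""
    return pw.lower().translate(LEET)

def dictionary_bits(pw, wordlist=WORDLIST, dict_size=ASSUMED_DICT_SIZE):
    """Bits of guess space if pw is a mangled dictionary word, else None.

    Guess space = dictionary words * 2 (forward or reversed)
                  * 3 per character (lower, upper or a leet substitute).
    """
    base = normalize(pw)
    if base in wordlist or base[::-1] in wordlist:
        return math.log2(dict_size * 2 * 3 ** len(pw))
    return None

def estimate(pw):
    """Report the weaker (smaller) of the two estimates."""
    d = dictionary_bits(pw)
    n = naive_bits(pw)
    return n if d is None else min(n, d)

if __name__ == "__main__":
    for pw in ("Microsoft", "M1cr0$0ft", "tfosorciM", "xk7Qv9pLw2"):
        print(f"{pw:12} naive={naive_bits(pw):5.1f} bits  "
              f"dictionary-aware={estimate(pw):5.1f} bits")
```

The per-character score rewards "M1cr0$0ft" for its digits and symbol, while the dictionary-aware estimate places it in the same guess space as "Microsoft".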