Re: Useful factoid
On 10/11/2011 05:14 PM, Jean-David Beyer wrote:

> Let us assume you are the bad guy

Okay.

> Unless you have my encrypted keys, you have to access my computer (unless you have already stolen it, in which case there are much easier ways to invade the machine), you will have to try logging in through the Internet (in the case of my machine), and the first thing you will hit is the login program.

Hold on a second there. You seem to be making some extremely unwarranted assumptions.

If I want your secret key material, I'm not going to steal your computer. I'm going to use an exploit to bypass your login, plant a Trojaned version of GnuPG, and laugh all the way to the bank.

Modern-day operating systems are frightening -- terrifyingly -- insecure. A while ago Vint Cerf estimated that about one desktop PC in five was already pwn3d. That's a number that keeps me awake at night.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Useful factoid
> Hold on a second there. You seem to be making some extremely unwarranted assumptions.

Take a look:

>> Unless you have my encrypted keys, you have to access my computer (unless you have already stolen it, in which case there are much easier ways to invade the machine), you will have to try logging in through the Internet (in the case of my machine),

> If I want your secret key material, I'm not going to steal your computer.

--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
Re: Useful factoid
On 10/13/11 7:51 AM, Jerome Baum wrote:

> Take a look:

I did. You said I have to access your computer, to try logging in through the Internet. I don't. I just have to find an exploit.

Saying my front door is locked is great, but it's not so great when you consider a good thief knows how to pick locks. Against that kind of adversary a lock isn't much of a prevention device: at best it delays the thief by a minute.
Re: Useful factoid
On 2011-10-13 14:14, Robert J. Hansen wrote:

> On 10/13/11 7:51 AM, Jerome Baum wrote:
>> Take a look:
>
> I did. You said I have to access your computer, to try logging in through the Internet. I don't. I just have to find an exploit.

I didn't say anything (modulo "Take a look").

> Saying my front door is locked is great, but it's not so great when you consider a good thief knows how to pick locks. Against that kind of adversary a lock isn't much of a prevention device: at best it delays the thief by a minute.

"You have to access my computer" would be "you have to enter my house". Nobody ever said you have to enter my house via the front door.

Also, a thief that picks my front door would be someone who brute-forces my login (assuming the front door is my login). You probably meant a thief who just smashes a window or climbs through one that is open.

--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
Re: Useful factoid
On 10/13/2011 8:29 AM, Jerome Baum wrote:

> I didn't say anything (modulo "Take a look").

At this point it seems to me you're being deliberately obtuse. Have a nice day.
Re: Useful factoid
On 11 October 2011 22:32, Robert J. Hansen r...@sixdemonbag.org wrote:

> Accurate to 6%, there are 2**25 seconds in a year. Worth remembering: it makes certain kinds of computations much easier. (It follows there would be about 2**35 seconds in a thousand years, or 2**45 seconds in a million.) E.g., let's say you want to brute-force a 64-bit key on a CPU that can do a million (2**20) attempts per second. This requires, on average, 2**63 attempts. 2**63 / 2**20 = 2**43 seconds: 2**43 / 2**45 = 2**-2 = a quarter of a million years.
>
> I don't know why it took me so long to notice that: seems like the sort of thing I should've noticed a decade ago. It makes certain kinds of computations so much easier. Anyway, figured I'd throw it out on the off chance there were others who hadn't noticed it.

I used to think of there being roughly 2^32 seconds in a lifetime :)
Re: Useful factoid
Robert J. Hansen wrote:

> On 10/11/2011 05:14 PM, Jean-David Beyer wrote:
>> Let us assume you are the bad guy
>
> Okay.
>
>> Unless you have my encrypted keys, you have to access my computer (unless you have already stolen it, in which case there are much easier ways to invade the machine), you will have to try logging in through the Internet (in the case of my machine), and the first thing you will hit is the login program.
>
> Hold on a second there. You seem to be making some extremely unwarranted assumptions.

Quite possibly. And unwarranted assumptions are especially pernicious because those are typically those I am unaware of making. I am not a security expert anymore. I really was never a security expert, though I was once put in charge of security for 10 VAX machines running UNIX, but this was around 30 years ago almost before the Internet. Some of us were using uucp on dialup, but that was about it. In those days it was almost impossible to get the users to use passwords on their accounts.

> If I want your secret key material, I'm not going to steal your computer. I'm going to use an exploit to bypass your login, plant a Trojaned version of GnuPG, and laugh all the way to the bank.

I realize if you stole my computer that I would notice it. If you broke into my house skillfully enough that I did not notice it, you could install a key logger, or copy my hard drives, steal my backup tapes, ... . But you could also remove all protections by getting in as the root user (on UNIX-Linux). And I might not notice that. The trick is to do that from the Internet. I have some safeguards to protect me, and they may protect me from amateurs, but an expert might be able to defeat me.

It seems to me that to do much damage to my machine, you need to get a shell with root access. And to do that, do you not pretty much need the root password? Or hijack a program that is currently running with the root privileges? I never run a web browser as root. But there are demons that run and some have root privileges. Such as the download mechanism to download updates from Red Hat. My nameserver does not run as root. I do not run telnet. ssh will talk only to specified IP addresses on my LAN. My firewall will not accept messages from outside unless in reply to something I sent out, so I believe it would take a man-in-the-middle attack to get past that unless the firewall is defective. I actually have two firewalls; a primitive one in the router that comes with Verizon's FiOS service, and another one using iptables. These, too, could have bugs, especially if I made a mistake in programming the iptables firewall.

> Modern-day operating systems are frightening -- terrifyingly -- insecure. A while ago Vint Cerf estimated that about one desktop PC in five was already pwn3d. That's a number that keeps me awake at night.

At one extreme, the only way to be pretty safe is to have a machine that is not connected to the Internet, and have U.S. Marines to guard the hardware and access to it. I do not choose to defend myself against threats that would reasonably require that. I want my security to be weak enough that the black hats would not resort to torture to get the information they want.

The friends of mine that even know what computer security might mean do not even encrypt their e-mails, though they worry about its being intercepted. Friends complain if I digitally sign my e-mails. I assume if they could accept encrypted e-mails, that they would save them in clear form on their machines anyway. So maybe I am kidding myself.

I do not think my machine has been taken over. For one thing, I can pretty much see the Internet traffic from it, and when I am not doing anything, not much goes down the Internet. A friend whose machine was hacked (Windows ME) had lots of Internet traffic and the machine got impossibly slow. The hard drives never stopped clicking. I do not have that, though the hard drives on this machine do not click, but the Xosview program shows that when nothing is going on, nothing except BOINC programs run. The demons do, but they do not use any processor time.

If I ran this machine as a server, my problems would surely be worse.

--
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 08:50:01 up 6 days, 17:23, 4 users, load average: 5.14, 4.93, 4.94
Re: Useful factoid
On 10/13/11 10:03 AM, Jean-David Beyer wrote:

> It seems to me that to do much damage to my machine, you need to get a shell with root access. And to do that, do you not pretty much need the root password?

Nope. Local exploits are enough.

Take a look at the kernel.org exploit as an example. The current belief is that one of kernel.org's legitimate users was sshing in from a compromised box. That compromised box was running a keylogger. From that keylogger, the attacker discovered this user's login name and ssh credentials. The attacker then logged into kernel.org as this user and ran a local exploit to gain root access. The attacker dropped a rootkit, a Trojaned ssh/sshd that was harvesting passwords, and all other kinds of goodness.

Then, since one of the users on my box sshed in from kernel.org, the attacker got a login credential on my box. The attacker logged in using this stolen credential, used a local exploit, and the next thing I know sixdemonbag.org was rooted.

As you can guess, I'm not talking about some abstract theory here. This was a real attack that really compromised my web server.

People tend to grossly underestimate the risks of malware and pwnage. We talk about it very little to almost none at all, and honestly, I think it's the eight hundred pound gorilla in the room that everybody is trying very hard not to notice in the hopes that if we just pretend not to see it that it will go away.
Re: Useful factoid
On Thu, Oct 13, 2011 at 10:03:56AM -0400, Jean-David Beyer wrote:

> It seems to me that to do much damage to my machine, you need to get a shell with root access.

Depends on what you regard as damage. Do you need root privileges to use your private gpg keys ???

> I never run a web browser as root.

If you run your web browser under the same account that you use for gpg, vulnerabilities in your browser *potentially* allow an attacker to access your private keys. Same is true for your mail program, PDF reader, messaging client, ...
Re: Useful factoid
Robert J. Hansen wrote:

> Accurate to 6%, there are 2**25 seconds in a year. Worth remembering: it makes certain kinds of computations much easier. (It follows there would be about 2**35 seconds in a thousand years, or 2**45 seconds in a million.) E.g., let's say you want to brute-force a 64-bit key on a CPU that can do a million (2**20) attempts per second. This requires, on average, 2**63 attempts. 2**63 / 2**20 = 2**43 seconds: 2**43 / 2**45 = 2**-2 = a quarter of a million years.

Let us assume you are the bad guy and have computing power that can do an arbitrarily large number of key attempts per second.

Unless you have my encrypted keys, you have to access my computer (unless you have already stolen it, in which case there are much easier ways to invade the machine), you will have to try logging in through the Internet (in the case of my machine), and the first thing you will hit is the login program. This can probably handle only a few attempts per second, and if I were serious about security, I would have it double the time to reply each time it got a failed login on that connection. In the days of dialup, I would have the machine hang up on the connection with too many failed login attempts.

Of course, if you could get into my machine and login as the only user with access to my encrypted password file, you could copy that file to your high speed facility and crack it at your leisure. But if you could do that, you could already do anything you wanted with my machine -- install trojan horse keyloggers, defeat the security in the login program, etc.

> I don't know why it took me so long to notice that: seems like the sort of thing I should've noticed a decade ago. It makes certain kinds of computations so much easier. Anyway, figured I'd throw it out on the off chance there were others who hadn't noticed it.

--
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 17:05:02 up 5 days, 1:38, 4 users, load average: 4.73, 4.76, 4.82
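
The arithmetic in the message above, as an added example that is not part of the original post: it checks the 2**25-seconds-per-year rule against the exact figure, reproduces the quoted 64-bit estimate from exponents alone, and counts how many guesses a login allows in a year at a fixed rate versus with a reply delay that doubles after each failure. The function names, the 1-second starting delay, the 3-per-second fixed rate, and the assumption that the delay state stays attached to the guesser for the whole year are illustrative choices, not values from the thread.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600   # 31,557,600 s (Julian year)
LOG2_SECONDS_PER_YEAR = 25               # the rule of thumb quoted in the thread


def rule_error():
    """Relative error of treating a year as 2**25 seconds."""
    return 2 ** LOG2_SECONDS_PER_YEAR / SECONDS_PER_YEAR - 1


def log2_years_offline(key_bits, log2_rate):
    """log2 of the average brute-force time in years, using only exponents.

    Average work is half the key space, i.e. 2**(key_bits - 1) attempts.
    """
    return (key_bits - 1) - log2_rate - LOG2_SECONDS_PER_YEAR


def exact_years_offline(key_bits, attempts_per_second):
    """The same estimate computed without the power-of-two shortcut."""
    return 2 ** (key_bits - 1) / attempts_per_second / SECONDS_PER_YEAR


def guesses_fixed_rate(budget_seconds, attempts_per_second):
    """Online guesses against a login that answers at a constant rate."""
    return int(budget_seconds * attempts_per_second)


def guesses_doubling_delay(budget_seconds, first_delay=1.0):
    """Online guesses when the reply delay doubles after every failure.

    After n failures the total wait is first_delay * (2**n - 1) seconds,
    so the count grows only with log2 of the time budget.
    """
    guesses, waited, delay = 0, 0.0, first_delay
    while waited + delay <= budget_seconds:
        waited += delay
        delay *= 2
        guesses += 1
    return guesses


if __name__ == "__main__":
    print(f"2**25 s vs one year: {rule_error():+.1%}")
    print(f"64-bit key at 2**20/s: 2**{log2_years_offline(64, 20)} years "
          f"(exact: {exact_years_offline(64, 2 ** 20):,.0f})")
    print("guesses in a year, 3/s fixed:",
          f"{guesses_fixed_rate(SECONDS_PER_YEAR, 3):,}")
    print("guesses in a year, doubling delay:",
          guesses_doubling_delay(SECONDS_PER_YEAR))
```

With a 1-second starting delay the doubling login admits 24 guesses in a year, because a year is just under 2**25 seconds. That bound covers only the login path, which is the point the replies in this thread take up.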
Re: Useful factoid
Hi

On Tuesday 11 October 2011 at 9:32:18 PM, in mid:4e94a7d2.7060...@sixdemonbag.org, Robert J. Hansen wrote:

> Accurate to 6%, there are 2**25 seconds in a year.
>
> [...]
>
> I don't know why it took me so long to notice that: seems like the sort of thing I should've noticed a decade ago.

I suppose you didn't need to notice it because you already remembered pi seconds in a nano-century

--
Best regards

MFPA mailto:expires2...@ymail.com

A nod is as good as a wink to a blind bat!