[tw] Re: Tiddlywiki lost password recovery...
On Sunday, November 9, 2014 7:08:03 PM UTC+1, Ed Dixon wrote: Of course any encryption mechanism can be cracked given enough time That's a major topic for every encryption method. Encryption is used to protect valuable content. As long as the cost (work + resources + time) to break the encryption, is much much higher than the cost to get the information over a different channel, we can say the encryption works. As soon, as a different channel is much cheaper, it doesn't make sense to hack the encryption. So imo at the moment the best way to break TWs encryption, is to attack the workflow. eg: The node js version uses plain text passwords on the command line level. So every one, who has access to your computer just needs to do type history | grep tiddlywiki to get what's needed. You may say: Me not using unix . I may say: That doesn't matter. Windows forgets the session history... but since that's super boring, there is a good chance that some additional software is installed at a power users PC, that persists command line session histories. .. So its an easy task so search for those profiles. there is a good chance, they are not protected very well ... and so on, and so on. but, are there any known means to defeat our encryption as is TW uses the: Stanford Javascript Crypto Library That's what they say: http://bitwiseshiftleft.github.io/sjcl/ Quote: (Unforunately, this is not as great as in desktop applications because it is not feasible to completely protect against code injection, malicious servers and side-channel attacks.) The important part here is: code injections. ... IMO TiddlyWiki has a big attack vector here, with TW plugins. Plugins can be easily installed using drag and drop. So If I would want to attack your TW, I'd create a useful plugin that contains some additional functions + a little trojan, that is very well hidden. or with the added functionality to encrypt individual tiddlers as provided by Danielo's plugin? What I am working towards relies on this functionality to be rock solid? So imo rock solid at the moment is defined by your code review workflow and by your users workflow. If the users aren't aware of the rock solid workflow, it's cheaper and saver, not using encryption at all :) Since encryption may give your users the feeling of security. But there is no security if they are sloppy. have fun! mario -- You received this message because you are subscribed to the Google Groups TiddlyWiki group. To unsubscribe from this group and stop receiving emails from it, send an email to tiddlywiki+unsubscr...@googlegroups.com. To post to this group, send email to tiddlywiki@googlegroups.com. Visit this group at http://groups.google.com/group/tiddlywiki. For more options, visit https://groups.google.com/d/optout.
Re: [tw] Re: Tiddlywiki lost password recovery...
Thanks Mario! I have been holding my breath on this one. I had forgotten but did look into the Stanford Javascript Crypto Library weeks ago and did decided it was sufficient for the task planned. When I saw this post the concern was more about backdoors or other designed mechanisms to allow access if the password was forgotten. Your points regarding plain text, code injection, ease of dropping a trojan using drag and drop functionality, and code review are well thought out and expertly explained. You obviously have some experience working with computer security. I have a current security+ certification but doubt if I had researched all this myself and worked with TW for much longer, I would have done as good a job providing this explanation. I have assumed that Danielo's code also uses makes use of the library, while we are on the subject do you know if this is the case? Thanks, On Mon, Nov 10, 2014 at 5:11 AM, PMario pmari...@gmail.com wrote: On Sunday, November 9, 2014 7:08:03 PM UTC+1, Ed Dixon wrote: Of course any encryption mechanism can be cracked given enough time That's a major topic for every encryption method. Encryption is used to protect valuable content. As long as the cost (work + resources + time) to break the encryption, is much much higher than the cost to get the information over a different channel, we can say the encryption works. As soon, as a different channel is much cheaper, it doesn't make sense to hack the encryption. So imo at the moment the best way to break TWs encryption, is to attack the workflow. eg: The node js version uses plain text passwords on the command line level. So every one, who has access to your computer just needs to do type history | grep tiddlywiki to get what's needed. You may say: Me not using unix . I may say: That doesn't matter. Windows forgets the session history... but since that's super boring, there is a good chance that some additional software is installed at a power users PC, that persists command line session histories. .. So its an easy task so search for those profiles. there is a good chance, they are not protected very well ... and so on, and so on. but, are there any known means to defeat our encryption as is TW uses the: Stanford Javascript Crypto Library That's what they say: http://bitwiseshiftleft.github.io/sjcl/ Quote: (Unforunately, this is not as great as in desktop applications because it is not feasible to completely protect against code injection, malicious servers and side-channel attacks.) The important part here is: code injections. ... IMO TiddlyWiki has a big attack vector here, with TW plugins. Plugins can be easily installed using drag and drop. So If I would want to attack your TW, I'd create a useful plugin that contains some additional functions + a little trojan, that is very well hidden. or with the added functionality to encrypt individual tiddlers as provided by Danielo's plugin? What I am working towards relies on this functionality to be rock solid? So imo rock solid at the moment is defined by your code review workflow and by your users workflow. If the users aren't aware of the rock solid workflow, it's cheaper and saver, not using encryption at all :) Since encryption may give your users the feeling of security. But there is no security if they are sloppy. have fun! mario -- You received this message because you are subscribed to a topic in the Google Groups TiddlyWiki group. To unsubscribe from this topic, visit https://groups.google.com/d/topic/tiddlywiki/mbP52rti9RU/unsubscribe. To unsubscribe from this group and all its topics, send an email to tiddlywiki+unsubscr...@googlegroups.com. To post to this group, send email to tiddlywiki@googlegroups.com. Visit this group at http://groups.google.com/group/tiddlywiki. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups TiddlyWiki group. To unsubscribe from this group and stop receiving emails from it, send an email to tiddlywiki+unsubscr...@googlegroups.com. To post to this group, send email to tiddlywiki@googlegroups.com. Visit this group at http://groups.google.com/group/tiddlywiki. For more options, visit https://groups.google.com/d/optout.
Re: [tw] Re: Tiddlywiki lost password recovery...
On Monday, November 10, 2014 5:05:36 PM UTC+1, Ed Dixon wrote: Your points regarding plain text, code injection, ease of dropping a trojan using drag and drop functionality, and code review are well thought out and expertly explained. You obviously have some experience working with computer security. I'm very interested in computer security. I'm following the development of PGP since the `90s, when the first international version was available. ... Anyway. What I found out for me is, that its much more fun to have a closer look at how users deal with sensible information. I have assumed that Danielo's code also uses makes use of the library, while we are on the subject do you know if this is the case? Yes. Danielos code uses the library but I didn't have a closer look at the implementation. Danielos plugin leaves some fields of a tiddler untouched for convenience reasons. For some usecases this may be no problem. For others it is. eg: created 20140828081424710 creatorpmario modified 20141103103734401 modifier pmario tags plugins title test tile So if someone gets this info there are still some questions that can be answered very easily. eg: Who did the last edit and when. ... So if you need plausible deniable encryption [2] some more changes may be needed. - There is a talk from Tim Taubert about the upcoming native browser WebCrypto API [1]. This mechanism is less vulnerable against code injection into the library, since javascript doesn't have access to the crypto functions. The mechanisms used in the video are the same as used by the tw crypto library. ... The problem at the moment is browser support. But imo it is still an area to have a closer look. have fun! mario [1] https://timtaubert.de/blog/2014/10/keeping-secrets-with-javascript/ [2] http://en.wikipedia.org/wiki/Deniable_encryption -- You received this message because you are subscribed to the Google Groups TiddlyWiki group. To unsubscribe from this group and stop receiving emails from it, send an email to tiddlywiki+unsubscr...@googlegroups.com. To post to this group, send email to tiddlywiki@googlegroups.com. Visit this group at http://groups.google.com/group/tiddlywiki. For more options, visit https://groups.google.com/d/optout.
[tw] Re: Tiddlywiki lost password recovery...
I hope this helps: http://goo.gl/9hsd6u -- You received this message because you are subscribed to the Google Groups TiddlyWiki group. To unsubscribe from this group and stop receiving emails from it, send an email to tiddlywiki+unsubscr...@googlegroups.com. To post to this group, send email to tiddlywiki@googlegroups.com. Visit this group at http://groups.google.com/group/tiddlywiki. For more options, visit https://groups.google.com/d/optout.
[tw] Re: Tiddlywiki lost password recovery...
Hi, Recovering firefox passwords aside for the moment, this does bring up a very important question and one that I should have looked into on the onset. Of course any encryption mechanism can be cracked given enough time but, are there any known means to defeat our encryption as is or with the added functionality to encrypt individual tiddlers as provided by Danielo's plugin? What I am working towards relies on this functionality to be rock solid? Thanks, On Saturday, November 8, 2014 11:27:22 PM UTC-7, Nicholas Ratliff wrote: I have a rather massive tiddlywiki that I have been working on for a number of years. I no longer possess the password, and am unable to update the wiki or augment it without the password. It is linked to a computer I use rather regularly, which has the password saved on it through firefox. Is there a way to recover this password? Please advise. Otherwise, is there a way I can rapidly make a copy of this wiki so that I may assign another password without hassle? -- You received this message because you are subscribed to the Google Groups TiddlyWiki group. To unsubscribe from this group and stop receiving emails from it, send an email to tiddlywiki+unsubscr...@googlegroups.com. To post to this group, send email to tiddlywiki@googlegroups.com. Visit this group at http://groups.google.com/group/tiddlywiki. For more options, visit https://groups.google.com/d/optout.
