Account Hacked

78704's Avatar
  • 78704
  • 06-07-2010, 10:04 PM
PGP is pretty INSECURE. It has a known backdoor. Originally Posted by winemaker

There were some angles of attack fifteen years ago; not algorithmic, mind you. I don't know of a current vulnerability. Cite?
Adm. Bobby Inman.

Doesn't have to be algorithm. A good RNG can make a good attack,esp if you know the feistel design. Backdoors, are by definition, a way of circumventing the cipher. All you need to look for the cascade of bit flips, then off you go. Text is much easier to decrypt, since, at least for english, there are known etymological precedents which induce early discovery.

Best ciphers have rotating keys as well as rotating ciphers. Never cipher a lump of information. Break the chunks up. Different directory, different key, different cipher. RNG are not great keys, since most are not necessarily primes, but prime factored. Human interface determined keys are best ( random mouse motion, etc ). Best to have entropy > 95%. Get beyond that, and other parties will take great interest in your entropy generator.
Sensei's Avatar
Adm. Bobby Inman.

Doesn't have to be algorithm. A good RNG can make a good attack,esp if you know the feistel design. Backdoors, are by definition, a way of circumventing the cipher. All you need to look for the cascade of bit flips, then off you go. Text is much easier to decrypt, since, at least for english, there are known etymological precedents which induce early discovery.

Best ciphers have rotating keys as well as rotating ciphers. Never cipher a lump of information. Break the chunks up. Different directory, different key, different cipher. RNG are not great keys, since most are not necessarily primes, but prime factored. Human interface determined keys are best ( random mouse motion, etc ). Best to have entropy > 95%. Get beyond that, and other parties will take great interest in your entropy generator. Originally Posted by winemaker
Hmm, not to defend anyone but I have been using PGP since the early days when I had to compile my own source code. Nobody has "publicly" cracked PGP. And the backdoor is actually a feature which is optional. Unless someone has a multi million $ machine (ie N-S-A) , I would say near impossible.

Check this link for the version I use: http://www.pgpi.org/doc/faq/pgpi/en/#Crack
I gotta admit, you know your shit, Wine. So... recommendations? What do you use?
I'd honestly appreciate the advice. Besides, if memory serves me well, your number might just be in the database from back in the days of "sweetness". Don't worry, I think the PGP's got it covered, but I'm always willing to learn and improve.
rCoder's Avatar
Best to have entropy > 95%. Get beyond that, and other parties will take great interest in your entropy generator. Originally Posted by winemaker
For a few bucks of hardware you can have a pretty good random number generator (example: http://robseward.com/misc/RNG2/). I've been waiting for PC's to add a hardware random number generator as a core feature since I first heard about sampling reversed biased PN junctions 15 years ago...

For fun, picture burning a pair of DVD's with the output from the hardware RNG then using them for one time pad encryption of base data, which is then feed thru "good" key encryption before transmittal. Now it takes two pieces to break, the key and the physical one time pad. A hassle but it's layered.

Back on topic. Keep in mind that good security is layered. I.e., never depend on one security item. For example, encrypting the disk is good, but how are you controlling the keys and physical access? Are the backups encrypted and secured at a different site? Is the computer connected to anything? All unused ports (IR, bluetooth, wifi, ethernet) disabled?

My favorite T-shirt says it all: "Got root?"

Also remember that the human element is the weakest link for any security.
Damn. You folks are out of my little league. Nice info.
Rand Al'Thor's Avatar
Bottom line, there is no perfect security. The closer you get to it, the more prohibitive it becomes in terms of usage - think of the black room computer they broke into in "Mission Impossible."

Above a certain level of security, you could end up spending just as much time, if not more, following security protocol than actually using the computer, and as you tighten security, the return is diminishing from that point.

For the most part, it's enough to not be the low hanging fruit - enough security so that it makes it difficult enough so whoever is trying to break in will move on to the next (and easier) target. Of course, this won't work if you become the target of a focused attack.
GneissGuy's Avatar
Zimmerman was investigated, (i.e. harassed) by the US government back in the early 1990's. It was a publicity ploy that backfired on the government. The investigation was dropped in 1996. There was never a prosecution.

The US government classified anything crypto as a "munition" at that time, including DES which was well known to be insecure. They'd even classify pig latin as a "munition." The classification of PGP as a "munition" doesn't qualify it as good crypto.

The current version of PGP has very little to do with the 14+ year old version Zimmerman was harassed for.

There are a number of other programs with similar features, including several free, open source programs. Commercial PGP may be worth it for the non-geek or corporate types because it's packaged for ease of use and has support.

Even if the government has a secret backdoor built into the program, they probably wouldn't risk using it on small fry like us. They wouldn't want to risk letting people find out they have a back door in the program.

The more realistic risk is if you don't choose a GOOD password, or if you write down the password and keep it where someone can find it. Let's be realistic. If you're using windows, or even MAC OS or Linux, the big boys can probably compromise your PC remotely through the internet and simply steal your password with a keylogger. Even if you do have your security up to date. Or use wiretaps, bugs, etc.
Good points, GG. Personally, I think my most important security technique is a rigorous screening process. And I damn sure NEVER cut corners on that. I've learned a lot from my recent experience. I will admit my former ECCIE account password was weak, but I learned my lesson on that one. It certainly wasn't the NSA that hacked my account. I'm hoping things will chill out now, at least till I catch my breath. It's been a tough few days for me.
Whispers's Avatar
Besides, if memory serves me well, your number might just be in the database from back in the days of "sweetness". Don't worry, I think the PGP's got it covered, but I'm always willing to learn and improve. Originally Posted by AustinWildFlowers

All this talk of encryption software....

I'm surprised no one else has asked......

based on this comment it seems you keep information on clients for quite a while which is something everyone is always concerned with.....

Just how much information and what is the nature of the information you feel the need to keep and how far back are you storing it?
You wanted suggestions for more security?

Here's one: Stop storing sensitive information in your database. Period.
Thanks. Emails stored off site, phone numbers on my phone. That's all I got.
What else is there? Nothing. Number of times a client has seen us? nope? session details? no way. addresses? No.

LOOK - Wild Flowers is a legit entertainment service. Fees are for time and companionship ONLY. Nothing illegal going on here. Heaven forbid! What are you so worried about? Winemaker (not his real name, BTW) is the only person who's posted on this thread who's ever seen a WF girl. His number was deleted long ago from my phone, though it MAY still be amongst my old emails. No need for him to freak out.
Or you other guys. I take client's privacy seriously, and probably protect it as well or better than any other agency or provider around. You guys being a little... dramatic?
Amrita Lover's Avatar
How secure is the Eccie site?
Doesn't have to be algorithm. A good RNG can make a good attack,esp if you know the feistel design. Backdoors, are by definition, a way of circumventing the cipher. All you need to look for the cascade of bit flips, then off you go. Text is much easier to decrypt, since, at least for english, there are known etymological precedents which induce early discovery.

Best ciphers have rotating keys as well as rotating ciphers. Never cipher a lump of information. Break the chunks up. Different directory, different key, different cipher. RNG are not great keys, since most are not necessarily primes, but prime factored. Human interface determined keys are best ( random mouse motion, etc ). Best to have entropy > 95%. Get beyond that, and other parties will take great interest in your entropy generator.


GOODNIGHT!!! i think i will just go back to installing fences and building decks.

peace
atx
AustinBusinessTraveler's Avatar
Three quick thoughts:

1 - Keeping old e-mails for any reason other than a client whom is or was a danger to you, your girls, or the community at large is a red flag for many. I don't care about how it's stored, how it's encrypted, or anything of the like. Any system you have can, and will, be targeted if you ever were. While we know you are a legitimate entertainment service, many of those services can be targeted and harassed by authorities and those emails could compromise people.

2 - If your ECCIE account was hacked, what about the PM's? I know all of us have tons of PM's and if you keep e-mails, I would guess you keep the PM's. What info / details could be gleamed from those messages.

3 - Encryption will never beat deletion and overwriting (repeatedly). Ideally, the use of a small thumb drive (IronKey comes to mind) for your "off-site" storage is a little more ideal. Whereas IronKey will simply fry itself after bad password attempts, even a standard thumb drive will take the over-writes and do a damn good job of being hard to read.

I would go with TrueCrypt on any day over PGP. PGP's heyday was over 15 years ago at this point.

Just my thoughts and suggestions