[Dshield] password security
Dr. Daniel Carras
dr.astrom42 at gmail.com
Fri Feb 6 22:56:15 GMT 2009
"As for the part about "hacking and anti-hacking algorithm", I have no
clue what you're talking about. Should I drink a couple of beers and try
again?"
An algorithm is the path (a logic with a mathematical analog) followed
by code (all code/programs have an algorithm). If you want a better idea
(without the classes in calculus and advanced mathematics) watch the TV
show "Numbers". Hackers are (fundamentally) computer scientists, using
mathematical algorithms to hack, and crack, systems. Because all
algorithms have an opposite (anti) algorithm, hackers use their skills
to break the code of another program. (In the encryption case), they
aren't after the key - they are going to attack the code, the program -
with worms and viruses. The goal is to lock you out, even with the key.
As for the camouflage recommendation, there are camouflage algorithms
that exist. However, once an algorithm is released, it's only a matter of
time before the anti-algorithm is found. So, I will not release what I have.
BTW - for those interested, Google "The history of core wars"; this
is the origin of much of hacking. (As well, Jobs and Gates were both
hackers.)
Stephane Grobety wrote:
> Hello,
>
> That is putting too much value in an analogy. If you protect something
> that has value, you must also make sure that your protection mechanism
> will not lock you out.
>
> In case of software lock, the solution is easy: put a backup of the
> key in a place where it is safe, difficult to access and where breach
> will be quickly detected. A bank vault is a good example of such a
> place.
>
> That's also why you should use "multiple stage" encryption when
> designing such systems: encrypt the data with a random key and encrypt
> that key with a password. You then keep the encrypted version of the
> key around (that you can unlock with your password) and the cleartext
> version in the vault, in case you need it later.
>
> That way, you can even change the password without affecting either
> the backup key or requiring your data to be re-encrypted.
>
> As for the part about "hacking and anti-hacking algorithm", I have no
> clue what you're talking about. Should I drink a couple of beers and
> try again? ;)
>
> Stephane
>
> Friday, February 6, 2009, 2:56:59 AM, you wrote:
>
> DDC> I view encryption as the "locking the keys in the safe", approach to
> DDC> security. If you lose the key to the safe, or the lock is broken,
> DDC> you've locked all that information in with no way to get it out. From
> DDC> what I'm seeing, new attacks are forming to break the locks (and keys)
> DDC> in encryption. My approach is from my background in cybernetics. 1st)
> DDC> understand the psychology of the average hacker; 2nd) understand the
> DDC> psychology of camouflage; 3rd) develop a security protocol incorporating
> DDC> both. Basically, if there is a hacking algorithm, then there is an
> DDC> anti-hacking algorithm.
>
> DDC> David Brodbeck wrote:
>
>>> Personally, I favor putting the password file on an encrypted
>>> filesystem, or encrypting it with GPG or a similar tool. This way I
>>> can pick one secure passphrase to remember instead of having to
>>> remember several. There are ways for an attacker to get around this,
>>> too, of course, but for me it lowers the risk to an acceptable level.
>>>
>>>
>>> On Feb 5, 2009, at 1:24 PM, Dr. Daniel Carras wrote:
>>>
>>>
>>>
>>>> Understanding (even
>>>> briefly) how code is written and what they look for, you can create a
>>>> password file on your system, that would not ordinarily be looked for.
>>>> It is here you place your rarely used password. You may also wish to look
>>>> into the history of camouflage. This is what you want to do on your
>>>> system, create a camouflaged password file that hackers will not see.
>>>>
>>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Dshield mailing list
>>> Dshield at lists.sans.org
>>> To change your subscription options (or unsubscribe), see: https://lists.sans.org/mailman/listinfo/list
>>>
>>>
>>>
>
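The "multiple stage" scheme Stephane describes in the quoted reply (data encrypted under a random key, that key encrypted under a password, a cleartext copy of the key kept in the vault) is shown below as an added example. This is not code from the mailing list or from any participant. It assumes a constructed HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag so that it runs on the Python standard library alone; the class name `EnvelopeVault`, the helper names, and the PBKDF2 iteration count are all choices made for the illustration, and a real system would use a vetted AEAD such as AES-GCM in place of the toy cipher.

```python
"""Envelope ('multiple stage') encryption, illustration only.

Assumption (not from the post): the cipher below is a constructed
HMAC-SHA256 stream cipher with an encrypt-then-MAC tag, chosen so the
example needs nothing outside the standard library.
"""
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 used as a PRF. XOR is its own
    # inverse, so one function both encrypts and decrypts.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Layout: nonce(16) || ciphertext || tag(32)
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(enc_key, nonce, ciphertext)


def is_authentic(key: bytes, blob: bytes) -> bool:
    # True when the tag verifies under `key`, False otherwise.
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def derive_kek(password: str, salt: bytes) -> bytes:
    # Password -> key-encryption key. Iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)


class EnvelopeVault:
    """Data under a random DEK; the DEK wrapped under a password-derived KEK."""

    def __init__(self, password: str, data: bytes):
        dek = secrets.token_bytes(32)                 # random data-encryption key
        self.salt = secrets.token_bytes(16)
        self.data_blob = encrypt(dek, data)           # stage 1: data under DEK
        self.wrapped_dek = encrypt(derive_kek(password, self.salt), dek)  # stage 2
        # Cleartext DEK for the offline "bank vault" copy. Kept in memory here
        # only so the example can demonstrate recovery without the password.
        self.escrow_dek = dek

    def open(self, password: str) -> bytes:
        dek = decrypt(derive_kek(password, self.salt), self.wrapped_dek)
        return decrypt(dek, self.data_blob)

    def can_open(self, password: str) -> bool:
        try:
            self.open(password)
            return True
        except ValueError:
            return False

    def change_password(self, old: str, new: str) -> None:
        # Only the wrapped DEK is rewritten; the data blob and the escrowed
        # DEK are untouched, which is the point of the two-stage design.
        dek = decrypt(derive_kek(old, self.salt), self.wrapped_dek)
        self.salt = secrets.token_bytes(16)
        self.wrapped_dek = encrypt(derive_kek(new, self.salt), dek)

    def recover_with_escrow(self, escrowed_dek: bytes) -> bytes:
        # Password lost: the vault copy of the DEK still opens the data.
        return decrypt(escrowed_dek, self.data_blob)
```

Note that `change_password` never touches `data_blob`, and `recover_with_escrow` needs no password at all; those two properties are exactly the "lock yourself out" protections the quoted reply argues for, and the authenticated tag is what makes a wrong password or a tampered blob fail loudly instead of yielding garbage.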