
General Paranoia


  • russ
    replied
    Originally posted by c0nv3r9
    Very well articulated skroo.

    Not being a part of the government(s) myself, I can only imagine that a lot of things become "not important and worthless" with the right persuasion and cash flow... or maybe we really do spend $500 a pop on toilet seats

    While crypto is cool and all to keep fuckwads from viewing certain information I care a little about... I personally don't put a lot of faith in it, nor any of the leading crypto freaks... for all I know, Zimmerman's role is a total charade
    From a purely commercial perspective, I *CAN* say that encrypted disk technology is a must for anyone doing security assessments for organizations. I'm simply not comfortable leaving confidential or hazardous information about network vulnerabilities on a drive that isn't encrypted. I've heard too many stories about people losing their laptop or having it stolen. That doesn't generate loads of customer trust.



  • converge
    replied
    Very well articulated skroo.

    Not being a part of the government(s) myself, I can only imagine that a lot of things become "not important and worthless" with the right persuasion and cash flow... or maybe we really do spend $500 a pop on toilet seats

    While crypto is cool and all to keep fuckwads from viewing certain information I care a little about... I personally don't put a lot of faith in it, nor any of the leading crypto freaks... for all I know, Zimmerman's role is a total charade



  • skroo
    replied
    Originally posted by J3di
    I agree that my original statement had no tact and might have come off snide. I have tried to correct that by being thorough and direct in my response. I have a lot of respect for you (thought the talk you and grifter gave at dc10 was cool) and did not mean to get into it with you. but I suspect your response to the other comment was a lot like mine: quick, off the cuff and not completely thought out.
    Glad you liked the talk. And no, I was not being considered in my reply, simply reacting to what I saw. Either way, let's just dump it and move on.


    ok, I'm cool with that, on 2 conditions: first, can you explain why you believe crypto in general is broken and second, you let me buy you a couple beers at dc11 to make it all good. either that, or a warp core breach at Quarks.
    I'll answer this in reverse: yes, thanks, either one works :)

    As for the first part: by 'broken' I didn't mean non-functional, but rather already cracked. My personal theory, based on what I've read and heard, is that pretty much all crypto we currently use is fine for keeping the casual shithead out of your business, but under a government/military level of scrutiny, it's pretty well useless.

    My reasoning for this is based on a couple of things. And again, I'm not a cryptographer by any means, so if I'm off-base on any of this I'd like to know.

    Most hardcore cryptographic algorithms rely on factoring large primes and processing the results of those factors. This is all well and good, but if the algorithm itself is flawed, the encryption scheme is as well. Granted, it'll take time to find where the breakage is, but there's a number of ways to do that: code review, pattern analysis, and, as always, brute force.

    Of course, that assumes that it's necessary to undertake any of these steps to begin with in order to derive the unencrypted data. Heavy encryption (at least in this country) is classified as a munition for good reason: it can be brought under government and military control *before* its release into the wild. In fact, there is a legal requirement for software companies to submit code dealing with heavy crypto for examination prior to an export licence being granted. And given the nature of software transfer, not having that licence is not worth the potential penalties if testing is skipped.

    In addition, we have an historical precedent for consumer-grade crypto products being backdoored. Remember the fuss over the Clipper chip? Privacy until, say, Law Enforcement wants to listen in on your calls. Same thing with the 'secure' fax machines that had to be so severely hobbled as to be useless in terms of truly protecting information.

    One other recent thing that's bothered me: for a few days last year, I heard reports on the radio of an Indian mathematics professor who may have found a shortcut to deriving large primes - meaning that all current crypto would be instantly rendered useless. It was all over the news, and then... Nothing. Yeah, it could've been that that was all there was to it and that the hype was unjustified, or it could be that the guy is now living a very comfortable life figuring out better ways of obviating private communications.

    So, while I don't consider crypto pointless, I feel that much of the sense of security it gives is just that - a feeling of well-being that it's being used, but not as much in the way of actual protection as one might think. Useful for keeping the neighbours from snooping your cordless traffic, but otherwise not so great if they *really* wanna know what you're up to.



  • J3di
    replied
    Originally posted by skroo
    Well, great. Since we've both admitted that we've got a fairly rudimentary understanding of the topic at hand, let's drop that part of the equation. Let's focus instead on the lack of tact on your behalf that got us to this point. I don't particularly appreciate having someone making what seem like snide replies to a comment I post in reply to someone else.
    I agree that my original statement had no tact and might have come off snide. I have tried to correct that by being thorough and direct in my response. I have a lot of respect for you (thought the talk you and grifter gave at dc10 was cool) and did not mean to get into it with you. but I suspect your response to the other comment was a lot like mine: quick, off the cuff and not completely thought out.



    Well, if there's nothing to fear, I'm sure you won't mind posting your full name, home address, any telephone numbers you may have, your social security number (or equivalent), and the numbers of any major credit cards you may hold along with their expiry dates. Personally, my evidently-overwhelming sense of paranoia unreasonably keeps me from doing things like this, but seeing as how I'm just unreasonably cautious, you'll be just dandy with showing me how wrong I am.

    [Allow me to spell it out: MODERATION.]
    again, I am not disagreeing with you. But healthy paranoia is something that you deal with in MODERATION, tempered with some common sense and experience.



    As I said before in a rather more roundabout manner: the question wasn't the problem, the tone was. Further, it seems odd that *none* of the other people participating in this thread - regardless of the technical merit of their answers or otherwise - received the reaction I did from you. Odd, that. Made me wonder somewhat how serious you really were.
    as I said before, the original tone of my response was not as it was meant. I will admit that it frustrates me when people put off the cuff answers that generalize issues that aren't that clear. hence my curiosity.


    Fair enough. Hard to tell that until you mention it, though.

    Hey, you drop it as well and use more tact in the future and I'll do you the same courtesy.
    ok, I'm cool with that, on 2 conditions: first, can you explain why you believe crypto in general is broken and second, you let me buy you a couple beers at dc11 to make it all good. either that, or a warp core breach at Quarks.



  • J3di
    replied
    Originally posted by octalpussy
    You obviously missed the point that everyone else seemed to grasp - that statement was a general one, not about details. No matter what method you use, once it has left your hands, you can not guarantee its security. Some methods are more secure than others; most are 10x more than you'll ever need for securing transmissions about your Aunt Judy's nail fungus. The point, though, was that nothing is secure enough to become complacent over.
    no, I didn't miss the point. I agree, there is no assurance once it leaves you and there is no tool that allows you to be complacent enough to not worry. my point is that I don't agree that a generalized statement can sum up reasons why a tool is useless, just because the statement says so. and that is why I asked for more data from the person who made the statement.

    I have no beef with skroo and this is not a pissing contest. maybe the question I should have asked to him should have been: why do you believe that 'it's already broken'.
    Last edited by J3di; January 19, 2003, 17:22.



  • skroo
    replied
    Originally posted by J3di
    And yes, I have read up on the subject, keeping up with current discussions among different technical groups and publications, including books discussing analysis and attack methods. I am by no means an expert nor do I consider myself competent, thus my question towards you about the facts.
    Well, great. Since we've both admitted that we've got a fairly rudimentary understanding of the topic at hand, let's drop that part of the equation. Let's focus instead on the lack of tact on your behalf that got us to this point. I don't particularly appreciate having someone making what seem like snide replies to a comment I post in reply to someone else.

    Yes, and the boogie man is out there in the dark to get you. Let's come back to reality here.
    Well, if there's nothing to fear, I'm sure you won't mind posting your full name, home address, any telephone numbers you may have, your social security number (or equivalent), and the numbers of any major credit cards you may hold along with their expiry dates. Personally, my evidently-overwhelming sense of paranoia unreasonably keeps me from doing things like this, but seeing as how I'm just unreasonably cautious, you'll be just dandy with showing me how wrong I am.

    [Allow me to spell it out: MODERATION.]


    And I asked you to back up your idea. I already pointed out why I felt this was a technical discussion. besides, don't take the question about facts personally, like questioning your manhood or something. it was a question of facts and I was hoping someone could chime for the details. Cool?
    As I said before in a rather more roundabout manner: the question wasn't the problem, the tone was. Further, it seems odd that *none* of the other people participating in this thread - regardless of the technical merit of their answers or otherwise - received the reaction I did from you. Odd, that. Made me wonder somewhat how serious you really were.

    listen 'dad', it was a request. i'm not telling you what to do. I'm asking for answers to fill in blanks, which is what I thought a technical discussion among like-minded folk. again, I have done the research and am always looking for more data.
    Fair enough. Hard to tell that until you mention it, though.

    now, please stop the diatribe. this is a discussion about encryption and the possibility that there is no relevant use for it these days. Can you dig that?
    Hey, you drop it as well and use more tact in the future and I'll do you the same courtesy.



  • Gadsden
    replied
    Originally posted by blackwave
    [c]... another neat tool to use in conjunction with surfing for windows is Proxomitron: http://www.proxomitron.org/
    The nice thing about proxomitron is you can put it on a spare windoze box that you never use, and let it be a crap-filter for your *NIX boxen that you surf with also. Too bad there is not a linux version of it..



  • blackwave
    replied
    Originally posted by che
    Do you have any good links you would like to share for free or pay SSL web proxies & IRC servers? I know of Anonymizer and Church of the Swimming Elephant, but does anyone have any suggestions for other good ones from a personal use standpoint?
    anonymizer rules in almost every way.. the F-secure software they offer with their subscription is pretty decent. (though it isn't required to use)

    JAP is decent and free : http://anon.inf.tu-dresden.de/index_en.html

    [c]... another neat tool to use in conjunction with surfing for windows is Proxomitron: http://www.proxomitron.org/



  • octalpus
    replied
    Originally posted by J3di

    And I asked you to back up your idea. I already pointed out why I felt this was a technical discussion. besides, don't take the question about facts personally, like questioning your manhood or something. it was a question of facts and I was hoping someone could chime for the details. Cool?
    You obviously missed the point that everyone else seemed to grasp - that statement was a general one, not about details. No matter what method you use, once it has left your hands, you can not guarantee its security. Some methods are more secure than others; most are 10x more than you'll ever need for securing transmissions about your Aunt Judy's nail fungus. The point, though, was that nothing is secure enough to become complacent over.



  • Gadsden
    replied
    Originally posted by blackwave
    I use crypto for everything from email to surfing the net to irc.
    Do you have any good links you would like to share for free or pay SSL web proxies & IRC servers? I know of Anonymizer and Church of the Swimming Elephant, but does anyone have any suggestions for other good ones from a personal use standpoint?



  • J3di
    replied
    Originally posted by skroo
    Which begs the question: if you're looking for facts, why are you doing it on a messageboard? Yes, you will get some hard-and-fast answers here, but by no means will you be anywhere near a complete understanding of the topic. Go read up on the subject from a set text.
    I'm on this message board because there are a lot of technical like-minded folk who happen to have a wide exposure to the many fields that interest me. Hard and fast answers require detail, which blackwave was able to produce (indicating that this had become a technical discussion).

    And yes, I have read up on the subject, keeping up with current discussions among different technical groups and publications, including books discussing analysis and attack methods. I am by no means an expert nor do I consider myself competent, thus my question towards you about the facts.


    Granted, but a small dose of it is healthy.
    Yes, and the boogie man is out there in the dark to get you. Let's come back to reality here.


    You are absolutely correct. I *did* generalise. Hint: this is because I am not a cryptographer, nor do I wish to give the impression that I am. All that I did was to throw another idea into the mix of a (very non-technical) discussion. Deal.
    And I asked you to back up your idea. I already pointed out why I felt this was a technical discussion. besides, don't take the question about facts personally, like questioning your manhood or something. it was a question of facts and I was hoping someone could chime for the details. Cool?


    Son, don't tell me what to do. If it's that important to you, how about you go do some research and see what you come up with instead of sitting in front of the keyboard all day hoping that the magic conversation pops up that is to your liking?
    listen 'dad', it was a request. i'm not telling you what to do. I'm asking for answers to fill in blanks, which is what I thought a technical discussion among like-minded folk. again, I have done the research and am always looking for more data.

    now, please stop the diatribe. this is a discussion about encryption and the possibility that there is no relevant use for it these days. Can you dig that?



  • skroo
    replied
    No More Secrets

    Originally posted by Chris
    Yes!! Each and every email I send out is pure gibberish...completely indecipherable even to the intended recipient.;)
    Heh, screw factoring abnormally huge prime numbers... We'll just use the Jack Daniel's method from now on ;)



  • skroo
    replied
    Originally posted by J3di
    yes, there is a lack of sarcasm. But I'm not trolling or looking to offend. I'm looking for the facts.
    Which begs the question: if you're looking for facts, why are you doing it on a messageboard? Yes, you will get some hard-and-fast answers here, but by no means will you be anywhere near a complete understanding of the topic. Go read up on the subject from a set text.

    paranoia to be paranoid is bad practice.
    Granted, but a small dose of it is healthy.

    and no, I take nothing for granted. but you generalize when talking about circumventing cryptographic methods in communication.
    You are absolutely correct. I *did* generalise. Hint: this is because I am not a cryptographer, nor do I wish to give the impression that I am. All that I did was to throw another idea into the mix of a (very non-technical) discussion. Deal.

    be specific. talk in details. WEP is a good example.
    Son, don't tell me what to do. If it's that important to you, how about you go do some research and see what you come up with instead of sitting in front of the keyboard all day hoping that the magic conversation pops up that is to your liking?



  • Chris
    replied
    Originally posted by skroo
    Can you assure me that there is no method of removing or circumventing any cryptographic methods we currently consider to be 'strong'?
    Yes!! Each and every email I send out is pure gibberish...completely indecipherable even to the intended recipient.;)



  • J3di
    replied
    Originally posted by skroo
    I see the sarcasm is lacking in this one. The inference (which is so old and taken for granted as to not even be mentioned) is that regardless of encryption, the minute so much as a single byte crosses a wire you lose control over what happens to it before it reaches its destination. Can you assure me that there is no method of removing or circumventing any cryptographic methods we currently consider to be 'strong'?
    yes, there is a lack of sarcasm. But I'm not trolling or looking to offend. I'm looking for the facts.

    no, there are no assurances in this life/existence/discipline. but what I'm asking is for facts on the subject. theory and practical application are 2 different things and what I'm asking for is practical application. paranoia to be paranoid is bad practice.

    and no, I take nothing for granted. but you generalize when talking about circumventing cryptographic methods in communication. be specific. talk in details. WEP is a good example.
